Agenda
Bomb Lab Overview
Assembly Refresher
Introduction to GDB
Unix Refresher
Bomb Lab Demo
Downloading Your Bomb
Please read the writeup. Please read the writeup. Please Read The Writeup.
Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases.
Bombs have six phases which get progressively harder (and more fun).
Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.
Exploding Your Bomb
Blowing up your bomb notifies Autolab.
Dr. Evil takes 0.5 of your points each time.
Inputting the right string moves you to the next phase.
Jumping between phases detonates the bomb.
Examining Your Bomb
You get:
An executable
A readme
A heavily redacted source file
Source file just makes fun of you.
Outsmart Dr. Evil by examining the executable
x64 Assembly: Registers
64-bit   32-bit   Role
%rax     %eax     Return value
%rbx     %ebx
%rcx     %ecx     Arg 4
%rdx     %edx     Arg 3
%rsi     %esi     Arg 2
%rdi     %edi     Arg 1
%rsp     %esp     Stack ptr
%rbp     %ebp
%r8      %r8d     Arg 5
%r9      %r9d     Arg 6
%r10     %r10d
%r11     %r11d
%r12     %r12d
%r13     %r13d
%r14     %r14d
%r15     %r15d
x64 Assembly: Operands
Type: Constants
  Syntax: Start with $
  Examples: $-42, $0x15213b
  Notes: Don't mix up decimal and hex
Type: Registers
  Syntax: Start with %
  Examples: %esi, %rax
  Notes: Can store values or addresses
Type: Memory Locations
  Syntax: Parentheses around a register or an addressing mode
  Examples: (%rbx), 0x1c(%rax), 0x4(%rcx, %rdi, 0x1)
  Notes: Parentheses dereference. Look up addressing modes!
x64 Assembly: Arithmetic Operations
Instruction                Effect
mov %rbx, %rdx             rdx = rbx
add (%rdx), %r8            r8 += value at rdx
mul $3, %r8                r8 *= 3
sub $1, %r8                r8--
lea (%rdx,%rbx,2), %rdx    rdx = rdx + rbx*2 (doesn't dereference)
x64 Assembly: Comparisons
Comparison, cmp, compares two values
Result determines the next conditional jump instruction
cmp b,a computes a-b, test b,a computes a&b
Pay attention to operand order
cmpl %r9, %r10
jg 8675309
If %r10 > %r9, then jump to 8675309
x64 Assembly: Jumps
Instruction   Effect
jmp           Always jump
je/jz         Jump if eq / zero
jne/jnz       Jump if !eq / !zero
jg            Jump if greater
jge           Jump if greater / eq
jl            Jump if less
jle           Jump if less / eq
ja            Jump if above (unsigned >)
jae           Jump if above / equal
jb            Jump if below (unsigned <)
jbe           Jump if below / equal
js            Jump if sign bit is 1 (neg)
jns           Jump if sign bit is 0 (pos)
x64 Assembly: A Quick Drill
cmp $0x15213, %r12
jge deadbeef
If %r12 >= 0x15213 (signed comparison), jump to addr 0xdeadbeef.

cmp %rax, %rdi
jae 15213b
If the unsigned value of %rdi is at or above the unsigned value of %rax, jump to addr 0x15213b.

test %r8, %r8
jnz (%rsi)
If %r8 & %r8 is not zero, jump to the address stored in %rsi.
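As an added example (not part of the recitation slides), here is a small C model of how cmp and test set the condition codes and how jge, jae and jnz read them, with the three drill lines above evaluated for hypothetical register values; the function names and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Condition codes set by cmp and test. CF: unsigned borrow, ZF: zero,
 * SF: sign bit of the result, OF: signed overflow. */
typedef struct { bool cf, zf, sf, of; } flags_t;

/* cmp b,a computes a - b (AT&T operand order, as on the slide). */
flags_t x64_cmp(uint64_t b, uint64_t a) {
    uint64_t r = a - b;
    flags_t f;
    f.cf = a < b;                       /* borrow out of the top bit */
    f.zf = (r == 0);
    f.sf = ((int64_t)r < 0);
    /* signed overflow: a and b differ in sign and r's sign differs from a's */
    f.of = (((a ^ b) & (a ^ r)) >> 63) != 0;
    return f;
}

/* test b,a computes a & b; CF and OF are always cleared. */
flags_t x64_test(uint64_t b, uint64_t a) {
    uint64_t r = a & b;
    flags_t f = { .cf = false, .zf = (r == 0), .sf = ((int64_t)r < 0), .of = false };
    return f;
}

/* How each conditional jump reads the flags (signed: SF/OF, unsigned: CF). */
bool jg(flags_t f)  { return !f.zf && f.sf == f.of; }
bool jge(flags_t f) { return f.sf == f.of; }
bool jl(flags_t f)  { return f.sf != f.of; }
bool ja(flags_t f)  { return !f.cf && !f.zf; }
bool jae(flags_t f) { return !f.cf; }
bool jb(flags_t f)  { return f.cf; }
bool jnz(flags_t f) { return !f.zf; }

/* The three drill lines, evaluated for hypothetical register values. */
bool drill1_taken(int64_t r12) { return jge(x64_cmp(0x15213, (uint64_t)r12)); } /* cmp $0x15213,%r12; jge */
bool drill2_taken(uint64_t rax, uint64_t rdi) { return jae(x64_cmp(rax, rdi)); } /* cmp %rax,%rdi; jae */
bool drill3_taken(uint64_t r8) { return jnz(x64_test(r8, r8)); }                 /* test %r8,%r8; jnz */

int main(void) {
    /* -1 is below 0x15213 as a signed value, so jge is not taken,
     * but the same bit pattern is huge unsigned, so jae is taken. */
    printf("r12=-1: jge taken? %d\n", drill1_taken(-1));
    printf("rdi=-1 vs rax=0x15213: jae taken? %d\n", drill2_taken(0x15213, (uint64_t)-1));
    printf("r8=0: jnz taken? %d\n", drill3_taken(0));
    return 0;
}
```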
Defusing Your Bomb
objdump -t bomb examines the symbol table
objdump -d bomb disassembles all bomb code
strings bomb prints all printable strings
gdb bomb will open up the GNU Debugger
Examine while stepping through your program:
▪ registers
▪ the stack
▪ contents of program memory
▪ instruction stream
Using gdb
break <location>
  Stop execution at function name or address
  Reset breakpoints when restarting gdb
run <args>
  Run program with args <args>
  Convenient for specifying text file with answers
disas <fun>
  Disassemble a function (but not dis, which is gdb's abbreviation for disable)
stepi / nexti
  Steps / does not step through function calls
Using gdb
info registers
  Print hex values in every register
print (/x or /d) $eax - Yes, use $
  Print hex or decimal contents of %eax
x $register, x 0xaddress
  Prints what's in the register / at the given address
  By default, prints one word (4 bytes)
  Specify format: /s, /[num][size][format]
  x/8a 0x15213
  x/4wd 0xdeadbeef
sscanf
Bomb uses sscanf for reading strings
Figure out what the phase expects as input
Check out man sscanf for formatting string details