Carnegie Mellon Bomb Lab Overview and Assembly Exam

carnegie mellon n.w
1 / 31
Embed
Share

Explore the challenges of the Bomb Lab at Carnegie Mellon University, where students must navigate through phases of increasing difficulty to defuse unique bombs created by Dr. Evil. Learn about examining executables, x64 assembly operations, operand syntax, representing memory addresses, and more. Enhance your problem-solving skills and master the art of disarming virtual bombs in this hands-on learning experience.

  • Carnegie Mellon
  • Bomb Lab
  • Assembly
  • x64
  • Exam
rayaanacharya
hil_el Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Carnegie Mellon 15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya

  2. Carnegie Mellon Agenda Bomb Lab Overview Assembly Refresher Introduction to GDB Unix Refresher Bomb Lab Demo

  3. Carnegie Mellon Downloading Your Bomb Please read the writeup. Please read the writeup. Please Read The Writeup. Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases. Bombs have six phases which get progressively harder more fun to solve. Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.

  4. Carnegie Mellon Exploding Your Bomb Blowing up your bomb notifies Autolab. Dr. Evil takes 0.5 of your points each time. Inputting the right string moves you to the next phase. Jumping between phases detonates the bomb

  5. Carnegie Mellon Examining Your Bomb You get: An executable A readme A heavily redacted source file Source file just makes fun of you. Outsmart Dr. Evil by examining the executable

  6. Carnegie Mellon x64 Assembly: Registers %rax %rbx %rcx %r8 %r9 %r10 %eax %r8d Arg 5 Return %ebx %r9d Arg 6 %ecx %r10d Arg 4 %rdx %rsi %rdi %rsp %r11 %r12 %r13 %r14 %edx %r11d Arg 3 %esi %r12d Arg 2 %edi %r13d Arg 1 %esp %r14d Stack ptr %rbp %r15 %ebp %r15d

  7. Carnegie Mellon x64 Assembly: Operands Type Syntax Example Notes Start with $ Constants $-42 $0x15213b Don t mix up decimal and hex Start with % Can store values or addresses Registers %esi %rax Parentheses around a register or an addressing mode (%rbx) 0x1c(%rax) 0x4(%rcx, %rdi, 0x1) Parentheses dereference. Equivalent to * in C. Look up different addressing modes! Memory Locations

  8. Carnegie Mellon Representing Addresses Parenthesis Usage: Most of the time parenthesis means dereference. Example of usage: (%eax) - contents of memory at address stored in %eax (%ebx, %ecx) contents of memory stored at address obtained after addition of %ebx + %ecx. (%ebx, %ecx, 8) contents of memory at address = %ebx+8*%ecx 4(%ebx, %ecx, 8) Contents of memory stored at address = %ebx + 8*%ecx + 4

  9. Carnegie Mellon x64 Assembly: Arithmetic Operations Instruction Effect rdx = rbx r8 += value at address rdx r8 *= 3 r8-- rdx = rdx + rbx*2 Doesn t dereference mov %rbx, %rdx add (%rdx), %r8 mul $3, %r8 sub $1, %r8 lea (%rdx,%rbx,2), %rdx

  10. Carnegie Mellon x64 Assembly: Calling Convention Instruction Effect Push return address, jump to label foo Push value in %eax onto stack Pop value off of stack into %eax Pop value off of stack into instruction pointer, return value stored in %eax Does absolutely nothing. call foo push %eax pop %eax ret nop

  11. Carnegie Mellon x64 Assembly: Comparisons Comparison, cmp, compares two values Result determines next conditional jump instruction cmp b,a computes a-b. test b,a computes a&b Pay attention to operand order If %r10 > %r9, then jump to 0x8675309 cmpl %r9, %r10 jg 0x8675309

  12. Carnegie Mellon x64 Assembly: Jumps Instruction Effect Instruction Effect jmp Always jump ja Jump if above (unsigned >) je/jz Jump if eq / zero jae Jump if above / equal jne/jnz Jump if !eq / !zero jb Jump if below (unsigned <) jg Jump if greater (signed >) jbe Jump if below / equal jge Jump if greater / eq js Jump if sign bit is 1 (neg) jl Jump if less jns Jump if sign bit is 0 (pos) jle Jump if less / eq

  13. Carnegie Mellon x64 Assembly: A Quick Drill If 0xdeadbeef , jump to addr cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b If 0x15213b , jump to addr test %r8, %r8 jnz (%rsi) If , jump to .

  14. Carnegie Mellon x64 Assembly: A Quick Drill If %r12 >= 0x15213, jump to 0xdeadbeef cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi)

  15. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 jge deadbeef If the unsigned value of %rdi is at or above the unsigned value of %rax, jump to 0x15213b. cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi)

  16. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b If %r8 & %r8 is not zero, jump to the address stored in %rsi. test %r8, %r8 jnz (%rsi)

  17. Carnegie Mellon Diffusing Your Bomb objdump -t bomb examines the symbol table objdump -d bomb disassembles all bomb code strings bomb prints all printable strings gdb bomb will open up the GNU Debugger Examine while stepping through your program registers the stack contents of program memory instruction stream

  18. Carnegie Mellon Using gdb break <location> Stop execution at function name or address Reset breakpoints when restarting gdb run <args> Run program with args <args> Convenient for specifying text file with answers disas <fun>, but not dis stepi / nexti Step through instructions.

  19. Carnegie Mellon Using gdb info registers Print hex values in every register print (/x or /d) $eax - Yes, use $ Print hex or decimal contents of %eax x $register, x 0xaddress Prints what s in the register / at the given address By default, prints one word (4 bytes) Specify format: /s, /[num][size][format] x/4wd 0xdeadbeef x/s 0xdeadbeef Download gdbnotes from http://csapp.cs.cmu.edu/2e/docs/gdbnotes-x86-64.pdf

  20. Carnegie Mellon sscanf Bomb uses sscanf for reading strings Figure out what phase expects for input Check out man sscanf for formatting string details

  21. Carnegie Mellon Unix Refresher You should know cd, ls, scp, ssh, tar, and chmod by now. Use man <command> for help. <Control-C> exits your current program.

  22. Carnegie Mellon Bomb Lab Demo...

  23. Carnegie Mellon Phase 1 Solution !! secret: .byte 0x34 .byte 0x35 .L1: callq <explode_bomb> .L2: retq phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw $secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2

  24. Carnegie Mellon Step 1 : secret: .byte 0x34 .byte 0x35 gdb>break explode_bomb .L1: callq <explode_bomb> .L2: retq phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2

  25. Carnegie Mellon Step 2 : secret: .byte 0x34 .byte 0x35 gdb>break explode_bomb .L1: callq <explode_bomb> .L2: retq phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2 Size of string entered must be 8

  26. Carnegie Mellon Step 3 : secret: .byte 0x34 .byte 0x35 gdb>break explode_bomb .L1: callq <explode_bomb> .L2: retq phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2 First 4 letters of the string must be equal to last 4 letters.

  27. Carnegie Mellon Step 3 : secret: .byte 0x34 .byte 0x35 gdb>break explode_bomb .L1: callq <explode_bomb> .L2: retq phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2 Testing if first 2 bytes of input string is equal to value stored in secret which is 0x3534

  28. Carnegie Mellon Step 4 : secret: .byte 0x34 .byte 0x35 gdb>break explode_bomb .L1: callq <explode_bomb> .L2: retq To sum up :- phase_1: callq <strlen> cmpl $0x8,%eax jne .L1 movl 4(%rdi), %esi cmpl (%rdi), %esi jne .L1 movw secret, %si cmpw (%rdi), %si jne .L1 xor %eax, %eax jmp .L2 Length of entered string must be = 8. First 4 letters must be = last 4 letters. First 2 bytes of input string is equal to value stored in secret which is 0x3534. So, in ASCII the value would be 45 (small endian). Answer :- 45xy45xy where x and y can be any character.

  29. Carnegie Mellon Step 5 : $ 45ab45ab Phase 1 defused. How about the next one?

  30. Carnegie Mellon If you get stuck Please read the writeup. Please read the writeup. Please Read The Writeup. CS:APP Chapter 3 View lecture notes and course FAQ at http://cs.cmu.edu/~213 Office hours Sun - Thu 5:30-8:30PM in GHC 5208 man gdb, man sscanf, man objdump

  31. Carnegie Mellon Questions ?

Related


No related presentations.

More Related Content