Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Published byAnn Woods Modified over 8 years ago

Similar presentations

Presentation on theme: "15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya."— Presentation transcript:

1 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya

2 Agenda Bomb Lab Overview Assembly Refresher Introduction to GDB
Unix Refresher Bomb Lab Demo

3 Downloading Your Bomb Please read the writeup. Please read the writeup. Please Read The Writeup. Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases. Bombs have six phases which get progressively harder more fun to solve. Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.

4 Exploding Your Bomb Blowing up your bomb notifies Autolab.
Dr. Evil takes 0.5 of your points each time. Inputting the right string moves you to the next phase. Jumping between phases detonates the bomb

5 Examining Your Bomb You get: An executable A readme
A heavily redacted source file Source file just makes fun of you. Outsmart Dr. Evil by examining the executable

6 x64 Assembly: Registers %rax %r8 %rbx %r9 %rcx %r10 %rdx %r11 %rsi
Return %rax %eax %r8 %r8d Arg 5 %rbx %ebx %r9 %r9d Arg 6 Arg 4 %rcx %ecx %r10 %r10d Arg 3 %rdx %edx %r11 %r11d Arg 2 %rsi %esi %r12 %r12d Arg 1 %rdi %edi %r13 %r13d Stack ptr %rsp %esp %r14 %r14d %rbp %ebp %r15 %r15d

7 x64 Assembly: Operands Constants $-42 $0x15213b Registers %esi %rax
Type Syntax Example Notes Constants Start with $ $-42 $0x15213b Don’t mix up decimal and hex Registers Start with % %esi %rax Can store values or addresses Memory Locations Parentheses around a register or an addressing mode (%rbx) 0x1c(%rax) 0x4(%rcx, %rdi, 0x1) Parentheses dereference. Equivalent to “*” in C. Look up different addressing modes!

8 Representing Addresses
Parenthesis Usage: Most of the time parenthesis means dereference. Example of usage: (%eax) - contents of memory at address stored in %eax (%ebx, %ecx) – contents of memory stored at address obtained after addition of %ebx + %ecx. (%ebx, %ecx, 8) – contents of memory at address = %ebx+8*%ecx 4(%ebx, %ecx, 8) – Contents of memory stored at address = %ebx + 8*%ecx + 4

9 x64 Assembly: Arithmetic Operations
Instruction Effect x64 Assembly: Arithmetic Operations mov %rbx, %rdx add (%rdx), %r8 mul $3, %r8 sub $1, %r8 lea (%rdx,%rbx,2), %rdx rdx = rbx r8 += value at address rdx r8 *= 3 r8-- rdx = rdx + rbx*2 Doesn’t dereference

10 x64 Assembly: Calling Convention
Instruction Effect x64 Assembly: Calling Convention call foo push %eax pop %eax ret nop Push return address, jump to label foo Push value in %eax onto stack Pop value off of stack into %eax Pop value off of stack into instruction pointer, return value stored in %eax Does absolutely nothing.

11 x64 Assembly: Comparisons
Comparison, cmp, compares two values Result determines next conditional jump instruction cmp b,a computes a-b. test b,a computes a&b Pay attention to operand order If %r10 > %r9, then jump to 0x cmpl %r9, %r10 jg 0x

12 x64 Assembly: Jumps Instruction Effect jmp Always jump ja
Jump if above (unsigned >) je/jz Jump if eq / zero jae Jump if above / equal jne/jnz Jump if !eq / !zero jb Jump if below (unsigned <) jg Jump if greater (signed >) jbe Jump if below / equal jge Jump if greater / eq js Jump if sign bit is 1 (neg) jl Jump if less jns Jump if sign bit is 0 (pos) jle Jump if less / eq

13 x64 Assembly: A Quick Drill
cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi) If , jump to addr 0xdeadbeef If , jump to addr 0x15213b If , jump to

14 x64 Assembly: A Quick Drill
cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi) If %r12 >= 0x15213, jump to 0xdeadbeef

15 x64 Assembly: A Quick Drill
cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi) If the unsigned value of %rdi is at or above the unsigned value of %rax, jump to 0x15213b.

16 x64 Assembly: A Quick Drill
cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi) If %r8 & %r8 is not zero, jump to the address stored in %rsi.

17 Diffusing Your Bomb objdump -t bomb examines the symbol table
objdump -d bomb disassembles all bomb code strings bomb prints all printable strings gdb bomb will open up the GNU Debugger Examine while stepping through your program registers the stack contents of program memory instruction stream

18 Using gdb break <location>
Stop execution at function name or address Reset breakpoints when restarting gdb run <args> Run program with args <args> Convenient for specifying text file with answers disas <fun>, but not dis stepi / nexti Step through instructions. Use * when mentioning address in break Delete – delete all breakpoints Delete 1 – delete breakpoint 1 Disas address (no * required). Stepi 4 – Execute 4 instructions at a time. Step – Execute 1 C line at a time.

19 Using gdb info registers Print hex values in every register
print (/x or /d) $eax - Yes, use $ Print hex or decimal contents of %eax x $register, x 0xaddress Prints what’s in the register / at the given address By default, prints one word (4 bytes) Specify format: /s, /[num][size][format] x/4wd 0xdeadbeef x/s 0xdeadbeef Download gdbnotes from

20 sscanf Bomb uses sscanf for reading strings
Figure out what phase expects for input Check out man sscanf for formatting string details

21 Unix Refresher You should know cd, ls, scp, ssh, tar, and chmod by now. Use man <command> for help. <Control-C> exits your current program.

22 Bomb Lab Demo...

23 Phase 1 Solution !! secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  $secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 .L1:   callq <explode_bomb> .L2:   retq

24 Step 1 : secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 gdb>break explode_bomb .L1:   callq <explode_bomb> .L2:   retq

25 Step 2 : Size of string entered must be 8
secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 gdb>break explode_bomb .L1:   callq <explode_bomb> .L2:   retq Size of string entered must be 8

26 Step 3 : secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 gdb>break explode_bomb .L1:   callq <explode_bomb> .L2:   retq First 4 letters of the string must be equal to last 4 letters.

27 Step 3 : secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 gdb>break explode_bomb .L1:   callq <explode_bomb> .L2:   retq Testing if first 2 bytes of input string is equal to value stored in secret which is 0x3534 Little endian – least sig bits in least address

28 Step 4 : secret:   .byte 0x34   .byte 0x35 phase_1:   callq <strlen>   cmpl $0x8,%eax   jne .L1   movl  4(%rdi), %esi   cmpl   (%rdi), %esi   jne .L1   movw  secret, %si   cmpw (%rdi), %si   jne .L1   xor   %eax, %eax   jmp .L2 gdb>break explode_bomb .L1:   callq <explode_bomb> .L2:   retq To sum up :- Length of entered string must be = 8. First 4 letters must be = last 4 letters. First 2 bytes of input string is equal to value stored in “secret” which is 0x3534. So, in ASCII the value would be “45” (small endian). Answer :- 45xy45xy where x and y can be any character.

29 Step 5 : $ 45ab45ab Phase 1 defused. How about the next one?

30 If you get stuck Please read the writeup. Please read the writeup. Please Read The Writeup. CS:APP Chapter 3 View lecture notes and course FAQ at Office hours Sun - Thu 5:30-8:30PM in GHC 5208 man gdb, man sscanf, man objdump

31 Questions ?

Download ppt "15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya."

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
15-213 Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo

Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo
Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.

Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 7, 2012 CSCE 212Honors Computer Organization.
%rax %eax %rbx %ebx %rdx %edx %rcx %ecx %rsi %esi %rdi %edi %rbp %ebp %rsp %esp %r8 %r8d %r9 %r9d %r11 %r11d %r10 %r10d %r12 %r12d %r13 %r13d.

%rax %eax %rbx %ebx %rdx %edx %rcx %ecx %rsi %esi %rdi %edi %rbp %ebp %rsp %esp %r8 %r8d %r9 %r9d %r11 %r11d %r10 %r10d %r12 %r12d %r13 %r13d.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
Recitation 2: Assembly & gdb Andrew Faulring 15213 Section A 16 September 2002.

Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
Assembly Questions תרגול 12.

Assembly Questions תרגול 12.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
64-Bit Architectures Topics 64-bit data New registers and instructions Calling conventions CS 105 “Tour of the Black Holes of Computing!”

64-Bit Architectures Topics 64-bit data New registers and instructions Calling conventions CS 105 “Tour of the Black Holes of Computing!”
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.

University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Goals: To gain an understanding of assembly To get your hands dirty in GDB.

Goals: To gain an understanding of assembly To get your hands dirty in GDB.

Similar presentations

Ads by Google