Carnegie Mellon x64 Assembly: Bomb Lab Overview and Execution

 
15-213 Recitation: Bomb Lab
21 Sep 2015
Monil Shah, Shelton D’Souza
 
Agenda
Bomb Lab Overview
Assembly Refresher
Introduction to GDB
Unix Refresher
Bomb Lab Demo
 
Downloading Your Bomb
Please read the writeup. Please read the writeup. Please Read The Writeup.
Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases.
Bombs have six phases which get progressively harder (more fun to use).
Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.
 
Exploding Your Bomb
Blowing up your bomb notifies Autolab.
Dr. Evil takes 0.5 of your points each time.
Inputting the right string moves you to the next phase.
Jumping between phases detonates the bomb.
 
Examining Your Bomb
You get:
An executable
A readme
A heavily redacted source file
Source file just makes fun of you.
Outsmart Dr. Evil by examining the executable
 
x64 Assembly: Registers
64-bit    32-bit low half    Role in the calling convention
%rax      %eax               Return value
%rbx      %ebx
%rcx      %ecx               Arg 4
%rdx      %edx               Arg 3
%rsi      %esi               Arg 2
%rdi      %edi               Arg 1
%rbp      %ebp
%rsp      %esp               Stack ptr
%r8       %r8d               Arg 5
%r9       %r9d               Arg 6
%r10      %r10d
%r11      %r11d
%r12      %r12d
%r13      %r13d
%r14      %r14d
%r15      %r15d
%rbx, %rbp and %r12-%r15 are callee-saved, so a phase that needs a value to survive a call (to sscanf, say) usually parks it in one of them; the argument registers, %rax and %r10/%r11 can be clobbered by any call.
 
x64 Assembly: Operands
Constants: start with $. Examples: $-42, $0x15213b. Don't mix up decimal and hex.
Registers: start with %. Examples: %esi, %rax. Can store values or addresses.
Memory locations: parentheses around a register or an addressing mode. Examples: (%rbx), 0x1c(%rax), 0x4(%rcx, %rdi, 0x1). Parentheses dereference. Look up addressing modes!
The general memory form is D(B,I,S), meaning the memory at address B + I*S + D (D defaults to 0, S to 1), so 0x4(%rcx, %rdi, 0x1) reads memory at %rcx + %rdi + 4. lea uses the same syntax but only computes the address.
 
x64 Assembly: Arithmetic Operations
Instruction               Effect
mov %rbx, %rdx            rdx = rbx
add (%rdx), %r8           r8 += value at rdx
imul $3, %r8              r8 *= 3
sub $1, %r8               r8--
lea (%rdx,%rbx,2), %rdx   rdx = rdx + rbx*2 (doesn't dereference)
The immediate/two-operand multiply is imul; plain mul takes a single operand and multiplies it into %rax, so "mul $3, %r8" is not something the assembler accepts.
 
x64 Assembly: Comparisons
Comparison, cmp, compares two values
Result determines next conditional jump instruction
cmp b,a computes a-b, test b,a computes a&b
Pay attention to operand order
cmpq %r9, %r10
jg 8675309
If %r10 > %r9 (as signed values, since jg is a signed jump), then jump to 8675309
Neither cmp nor test stores its result; only the condition codes (CF, ZF, SF, OF) change. A conditional jump with no cmp/test right before it is reading flags left by an earlier arithmetic instruction. The cmpl form is for 32-bit operands (%r9d, %r10d); disassembly mostly shows a bare cmp with the width implied by the registers.
 
x64 Assembly: Jumps
Instruction   Effect
jmp           Always jump
je/jz         Jump if eq / zero
jne/jnz       Jump if !eq / !zero
jg            Jump if greater (signed >)
jge           Jump if greater / eq
jl            Jump if less (signed <)
jle           Jump if less / eq
ja            Jump if above (unsigned >)
jae           Jump if above / equal
jb            Jump if below (unsigned <)
jbe           Jump if below / equal
js            Jump if sign bit is 1 (neg)
jns           Jump if sign bit is 0 (pos)
 
x64 Assembly: A Quick Drill
cmp $0x15213, %r12
jge deadbeef
cmp %rax, %rdi
jae 15213b
test %r8, %r8
jnz (%rsi)

If %r12 >= 0x15213 (signed), jump to 0xdeadbeef.
If the unsigned value of %rdi is at or above the unsigned value of %rax, jump to 0x15213b.
If %r8 & %r8 is not zero, i.e. if %r8 != 0, jump to the address stored in %rsi.
The third pair is a reading exercise rather than real syntax: conditional jumps only take a direct target. In real bomb code an indirect jump shows up as a separate jmp *%rsi (target is the value in %rsi) or jmp *(%rsi) (target is loaded from the memory %rsi points to), usually right after a bounds check like the first two pairs; the difference matters when you are following a switch jump table.
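The comparison, jump and drill slides above, as an added worked example that is not from the recitation: a small C model of what cmp and test do to the condition codes (CF, ZF, SF, OF) and which flags each conditional jump reads. The names x86_cmp, x86_test and jcc_taken are my own, and the register values in main are constructed to show the same bits being "above" to jae and "less" to jge.

```c
/* Added example (not from the slides): model how cmp/test set the x86-64
 * condition codes and which of them each conditional jump reads.
 * Build: cc -std=c11 -Wall jcc.c && ./a.out */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four flags that cmp, test and the jcc family care about. */
struct flags { bool cf, zf, sf, of; };

/* cmp b,a (AT&T operand order) computes a - b and keeps only the flags. */
static struct flags x86_cmp(uint64_t b, uint64_t a)
{
    uint64_t r = a - b;                 /* wraps mod 2^64, like the CPU */
    struct flags f;
    f.cf = a < b;                       /* unsigned borrow out of bit 63 */
    f.zf = (r == 0);
    f.sf = (r >> 63) & 1;               /* sign bit of the result */
    /* signed overflow: a and b differ in sign, and r's sign differs from a's */
    f.of = (((a ^ b) & (a ^ r)) >> 63) & 1;
    return f;
}

/* test b,a computes a & b; CF and OF are always cleared. */
static struct flags x86_test(uint64_t b, uint64_t a)
{
    uint64_t r = a & b;
    struct flags f = { false, r == 0, (r >> 63) & 1, false };
    return f;
}

/* 1 if the jump would be taken, 0 if not, -1 for a mnemonic we do not model
 * (so a typo in the caller cannot pass as "not taken"). */
static int jcc_taken(const char *jcc, struct flags f)
{
    if (!strcmp(jcc, "jmp"))                            return 1;
    if (!strcmp(jcc, "je")  || !strcmp(jcc, "jz"))      return f.zf;
    if (!strcmp(jcc, "jne") || !strcmp(jcc, "jnz"))     return !f.zf;
    /* signed comparisons: SF, OF (and ZF) */
    if (!strcmp(jcc, "jg"))  return !f.zf && f.sf == f.of;
    if (!strcmp(jcc, "jge")) return f.sf == f.of;
    if (!strcmp(jcc, "jl"))  return f.sf != f.of;
    if (!strcmp(jcc, "jle")) return f.zf || f.sf != f.of;
    /* unsigned comparisons: CF (and ZF) */
    if (!strcmp(jcc, "ja"))  return !f.cf && !f.zf;
    if (!strcmp(jcc, "jae")) return !f.cf;
    if (!strcmp(jcc, "jb"))  return f.cf;
    if (!strcmp(jcc, "jbe")) return f.cf || f.zf;
    if (!strcmp(jcc, "js"))  return f.sf;
    if (!strcmp(jcc, "jns")) return !f.sf;
    return -1;
}

int main(void)
{
    /* Constructed inputs: the same bits are "above" to jae and "less" to jge. */
    uint64_t rdi = 0xffffffffffffffffULL;   /* -1 when read as signed */
    uint64_t rax = 1;
    struct flags f = x86_cmp(rax, rdi);     /* cmp %rax, %rdi  ->  rdi - rax */
    printf("rdi=-1 rax=1: jae taken=%d  jge taken=%d\n",
           jcc_taken("jae", f), jcc_taken("jge", f));

    /* cmp $0x15213, %r12 ; jge ... from the drill, with r12 one below the constant */
    f = x86_cmp(0x15213, 0x15212);
    printf("r12=0x15212: jge taken=%d\n", jcc_taken("jge", f));

    /* test %r8, %r8 ; jnz ... is just "r8 != 0" */
    printf("r8=0: jnz taken=%d\n", jcc_taken("jnz", x86_test(0, 0)));
    return 0;
}
```

The overflow term is the one people get wrong when reading jl/jg by hand: for INT64_MIN - 1 the result wraps to a positive number (SF = 0) but OF = 1, so jl is still taken, which is exactly why the signed jumps compare SF against OF rather than looking at SF alone.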
 
Defusing Your Bomb
objdump -t bomb examines the symbol table
objdump -d bomb disassembles all bomb code
strings bomb prints all printable strings
gdb bomb will open up the GNU Debugger
Redirect objdump -d bomb to a file so you can search it; the symbol table gives you the function names and addresses to break on, and strings shows the literals the phases compare your input against.
Examine while stepping through your program
registers
the stack
contents of program memory
instruction stream
 
Using gdb
break <location>
Stop execution at function name or address
Reset breakpoints when restarting gdb
run <args>
Run program with args <args>
Convenient for specifying text file with answers
disas <fun>, but not dis (gdb reads dis as disable)
stepi / nexti
stepi steps into function calls; nexti steps over them
 
Using gdb
info registers
Print hex values in every register
print (/x or /d) $eax - Yes, use $
Print hex or decimal contents of %eax
x $register, x 0xaddress
Prints memory at the given address; a register here is used as an address, so x $rsp shows the top of the stack while print $rsp shows the register's own value
By default, prints one word (4 bytes), and remembers the last size and format you used
Specify format: /s, /[num][size][format]
x/8a 0x15213 (8 giant words printed as addresses, symbolized where possible; handy on the stack)
x/4wd 0xdeadbeef (4 four-byte words as signed decimal)
 
sscanf
Bomb uses sscanf for reading strings
Figure out what phase expects for input
Check out man sscanf for formatting string details
The format string is a literal passed as the second argument (so it arrives in %rsi) and appears in strings output; the return value is the number of conversions made, and a phase commonly compares it against the count it expects before looking at the values.
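An added example, not the bomb's own code, of the pattern the sscanf slide describes: the phase hands your input line to sscanf with a fixed format string, checks the returned count, then checks the values. The format "%d %d", the required count of 2 and the rule b == 2*a are assumptions chosen for illustration, and the function names are mine.

```c
/* Added example (not the bomb's own code): the sscanf pattern a phase uses.
 * The format "%d %d", the required count 2 and the rule b == 2*a are
 * assumptions chosen for illustration.  Build: cc -std=c11 -Wall phase.c */
#include <stdio.h>

/* Parse up to two decimal integers from the line the user typed.
 * Returns sscanf's count: how many conversions succeeded (0, 1 or 2). */
static int parse_two_ints(const char *line, int *a, int *b)
{
    *a = *b = 0;
    return sscanf(line, "%d %d", a, b);
}

/* Shape of a phase: first demand that every conversion succeeded (a real
 * phase detonates on this branch), then check the values themselves. */
static int phase_accepts(const char *line)
{
    int a, b;
    if (parse_two_ints(line, &a, &b) < 2)
        return 0;
    return b == 2 * a;
}

int main(void)
{
    /* Constructed inputs showing what the format string does and does not demand. */
    const char *inputs[] = {
        "3 6",                 /* accepted */
        "3 7",                 /* two numbers, wrong relation */
        "3",                   /* only one conversion: count check fails */
        "  -2   -4 trailing",  /* whitespace and trailing text are fine */
        "x 6",                 /* first %d fails, count is 0 */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               phase_accepts(inputs[i]) ? "next phase" : "boom");
    return 0;
}
```

Two things the example makes visible that the man page states only in passing: sscanf stops at the first conversion that fails and reports how many succeeded, so a phase that tests the count is really testing "did you supply enough fields", and it never complains about extra text after the last conversion.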
 
If you get stuck
Please read the writeup. Please read the writeup. Please Read The Writeup.
CS:APP Chapter 3
View lecture notes and course FAQ at
http://cs.cmu.edu/~213
Office hours Sun - Thu 6:00-9:00PM in WeH 5207
man gdb, man sscanf, man objdump
 
Unix Refresher – This Saturday - 9/19/2015
You should know cd, ls, scp, ssh, tar, and chmod by now. Use man <command> for help.
<Control-C> exits your current program.
 
Bomb Lab Demo...