CSAPP experiment 2: bomblab detailed explanation (speedrun version)

2-bomblab

Note: This article is a speedrun version of the bomb experiment. The bomb lab is so popular that detailed answers are everywhere on the Internet. The author has done this experiment several times, so I do not want to step through it slowly in gdb again while writing the writeup ( ̄▽ ̄). This article speed-passes with IDA and suits readers who just want the points; if you want to savour the finer details of the experiment, the Zhihu article "Teach you how to dismantle CSAPP's bomb lab BombLab" (zhihu.com) is recommended.

Welcome to visit my personal blog sakuraの色梨衣; if you need the experiment materials, they are in my GitHub repository.

1 Brief analysis

Purpose of the experiment: get familiar with assembly code, debugging executables, and stack frames.

Workspace: the executable bomb

Experiment content: from the bomb source code there are 7 levels (one of them hidden). Each level reads one line of input; our task is to analyse what each level does and find the input that defuses it.

Experimental methods:

  1. Dynamic debugging: set a breakpoint, start gdb on the file, single-step through it, keep an eye on the stack frame as it changes, and work out dynamically what each level does.
  2. Static analysis: read the assembly code directly and understand the logic of each level. This method is very elegant, but it can be torture when a function calls itself recursively.
  3. This article's method: IDA, i.e. direct reverse engineering, decompiling to C. It can be regarded as cheating static analysis.

2 Concrete implementation

2.0 bomb source code

Analysis: there are seven levels in total (one of them hidden), and each level has one input.

[Figure: csapp2-1.png (screenshot not available)]

2.1 Level 1

Analysis: IDA solves this in seconds.

[Figure: csapp2-2.png (screenshot not available)]

Answer: Border relations with Canada have never been better.

2.2 Level 2

Analysis:

  1. Six integers need to be read in.
  2. Level 2 first checks that the first number is 1, then loops, checking that each number is twice the one before it.

[Figure: csapp2-3.png (screenshot not available)]

Answer: 1 2 4 8 16 32

2.3 Level 3

Analysis: two integers are read in. The first is used as the switch index (any case will do), and the second must then equal the constant belonging to that case.

[Figure: csapp2-4.png (screenshot not available)]

Answer: 0 207 (several other pairs also work)

2.4 Level 4

Analysis: two numbers v3 and v4 are read in; v3 must be less than or equal to 14, and then the function func4 is entered.

[Figure: csapp2-5.png (screenshot not available)]

Inside func4 the arguments are a1=v3, a2=0, a3=14, and it computes v3=(14 + 0)/2=7. If the first number equals 7, result=0 and it returns directly; that is, calling func4 with 7, 0, 14 returns 0. So we can directly input 7 0, and func4 returns 0 as required.

[Figure: csapp2-6.png (screenshot not available)]

Answer: 7 0
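To see why 7 is not the only first number that works, here is an added example (not the page's own code) that reconstructs func4 in the shape of the commonly distributed CSAPP bomb, a binary search over [low, high]. The page only states the call func4(v3, 0, 14), that the midpoint is (0 + 14)/2 = 7, and that a first number equal to the midpoint returns 0; the two recursive branches, the range check and the requirement that the second number be 0 are assumptions, so check them against your own disassembly. The example then enumerates every first number for which func4 returns 0.

```c
#include <stdio.h>

/* Added example, not the page's own code: func4 reconstructed in the shape of
 * the commonly distributed CSAPP bomb (a binary search over [low, high]).
 * The page only states the call func4(v3, 0, 14), that mid = (0 + 14) / 2 = 7,
 * and that a first number equal to mid returns 0; the two recursive branches
 * below are an assumption, so check them against your own disassembly. */
int func4(int x, int low, int high)
{
    int mid = low + (high - low) / 2;            /* 7 on the first call */
    if (mid > x)                                  /* x lies in the left half */
        return 2 * func4(x, low, mid - 1);
    if (mid < x)                                  /* x lies in the right half */
        return 2 * func4(x, mid + 1, high) + 1;
    return 0;                                     /* x == mid: result 0, return directly */
}

/* phase_4 accepts the pair (x, y) when 0 <= x <= 14, func4(x, 0, 14) == 0 and
 * y == 0 (the y == 0 check is also assumed from the distributed bomb).
 * Returns 1 if the pair defuses the level, 0 if it would explode. */
int phase4_accepts(int x, int y)
{
    if (x < 0 || x > 14)          /* the bomb compares x <= 14 as unsigned, so negatives fail too */
        return 0;
    return func4(x, 0, 14) == 0 && y == 0;
}

/* Enumerate every first number that defuses the level (with second number 0);
 * writes them to out and returns how many were found. */
int phase4_solutions(int *out, int max)
{
    int n = 0;
    for (int x = 0; x <= 14 && n < max; x++)
        if (phase4_accepts(x, 0))
            out[n++] = x;
    return n;
}

int main(void)
{
    int sols[15];
    int n = phase4_solutions(sols, 15);
    printf("first numbers for which func4(x, 0, 14) == 0:");
    for (int i = 0; i < n; i++)
        printf(" %d", sols[i]);
    printf("\n");                                 /* 0 1 3 7 */
    return 0;
}
```

With this reconstruction the first number can be 0, 1, 3 or 7: each is a midpoint reached only through left branches, which multiply by 2 and so keep the result at 0. Any path that goes right adds 1 and can never come back to 0.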

2.5 Level 5

Analysis: six characters are read in. The low four bits of each character are used as an index into the array array_3449, six characters are taken out of it, and the six characters obtained must equal flyers.

[Figure: csapp2-7.png (screenshot not available)]

Looking in array_3449, the corresponding indexes are f: 9 (1001), l: 15 (1111), y: 14 (1110), e: 5 (0101), r: 6 (0110), s: 7 (0111). So, consulting the ASCII binary table below, pick characters whose low four bits are 1001, ..., 0111, which gives ionefg.

[Figure: csapp2-8.png (screenshot not available)]

[Figure: csapp2-9.png (screenshot not available)]

Answer: ionefg
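The nibble lookup above can be modelled and inverted in a few lines. The following is an added example, not the page's own code: the page gives only six entries of array_3449 (f at 9, l at 15, y at 14, e at 5, r at 6, s at 7), so the full 16-entry table below is assumed from the commonly distributed bomb and may differ in yours. phase5_accepts replays the level's check, and phase5_solve works backwards from a target string to a typeable answer.

```c
#include <string.h>
#include <stdio.h>

/* Added example, not the page's own code. Only indexes 0..15 of array_3449
 * are reachable, because the index is a low nibble. The 16 entries below are
 * assumed from the commonly distributed bomb; the page confirms only
 * f=9, l=15, y=14, e=5, r=6, s=7. */
static const char TABLE[] = "maduiersnfotvbyl";   /* 16 entries */

/* The level's transform: each input byte's low four bits index TABLE. */
static void phase5_transform(const char in[6], char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = TABLE[in[i] & 0x0f];
    out[6] = '\0';
}

/* Returns 1 if the six-character input produces "flyers", else 0. */
int phase5_accepts(const char *in)
{
    char buf[7];
    if (strlen(in) != 6)
        return 0;
    phase5_transform(in, buf);
    return strcmp(buf, "flyers") == 0;
}

/* Work backwards: find the table index of each target character, then pick a
 * printable byte with that low nibble. Lowercase letters 0x61..0x6f cover
 * nibbles 1..15; nibble 0 falls back to '0' (0x30). Returns NULL if a target
 * character is not in the table. The result lives in a static buffer. */
const char *phase5_solve(const char target[6])
{
    static char answer[7];
    for (int i = 0; i < 6; i++) {
        const char *p = memchr(TABLE, target[i], 16);
        if (p == NULL)
            return NULL;
        int nib = (int)(p - TABLE);
        answer[i] = (nib == 0) ? '0' : (char)(0x60 | nib);
    }
    answer[6] = '\0';
    return answer;
}

int main(void)
{
    const char *a = phase5_solve("flyers");
    printf("%s -> flyers (%s)\n", a, phase5_accepts(a) ? "defused" : "boom");
    return 0;
}
```

Because only the low nibble matters, any byte with the same low four bits is accepted: IONEFG (0x49, 0x4f, ...) passes just as ionefg does, which is why many different answers circulate for this level.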

2.6 Level 6

Analysis: six numbers are read in again, and they are stored in the array array.

  1. First loop: it checks whether each number minus 1 is greater than 5 and explodes if so, so the six numbers must be between 1 and 6 inclusive (0 is excluded as well: the comparison is unsigned, so 0 minus 1 wraps around and is greater than 5). It then checks every pair of numbers for equality and explodes if two are the same, so the six numbers must all differ. The six numbers are therefore a permutation of 1, 2, 3, 4, 5, 6.

[Figure: csapp2-10.png (screenshot not available)]

  2. Second loop: each of the six numbers is subtracted from 7, array[i] = 7 - array[i].

[Figure: csapp2-11.png (screenshot not available)]

  3. Third loop: this node should be a linked list. Each node is 16 bytes: the char * pointer to the next node takes 8 bytes, and the remaining 8 bytes hold two int values. The first int is the node's value; the values of node1 to node6 are 14Ch=332, 0A8h=168, 39Ch=924, 2B3h=691, 1DDh=477, 1BBh=443. The other int is stored in node order, so a node holding 3 is the third node.

[Figure: csapp2-12.png (screenshot not available)]

[Figure: csapp2-13.png (screenshot not available)]

  4. Fourth loop: the values are taken out following the node order and each is compared with the next node; if a value is smaller than the next node's value, it explodes. So the third loop must arrange nodes 1 to 6 in descending order of value. By the values in the nodes that order is 3, 4, 5, 6, 1, 2, so the sequence written in the third step should be 3, 4, 5, 6, 1, 2, and undoing the second step (7 - x) gives 4, 3, 2, 1, 6, 5.

[Figure: csapp2-14.png (screenshot not available)]

Answer: 4, 3, 2, 1, 6, 5
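The four loops above fit in a short C model, which is useful for checking a candidate answer before typing it into the bomb. This is an added example, not the page's own code; the 16-byte node layout (value, position, next pointer) and the six values 14Ch, 0A8h, 39Ch, 2B3h, 1DDh, 1BBh are taken from the page's reading of IDA, and the names nodes, phase6_accepts and phase6_solve are mine. phase6_accepts replays the checks, and phase6_solve derives the answer by sorting the nodes by value and undoing the 7 - x step.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not the page's own code: a C model of phase_6 built from the
 * page's reading of the binary. Node layout (value, position, next pointer) is
 * the 16-byte layout described above; the six values are the ones read from
 * IDA (14Ch, 0A8h, 39Ch, 2B3h, 1DDh, 1BBh). */
struct node {
    int value;
    int pos;            /* 1..6, the node's position in the original list */
    struct node *next;
};

static struct node nodes[6] = {
    {0x14c, 1, NULL}, {0x0a8, 2, NULL}, {0x39c, 3, NULL},
    {0x2b3, 4, NULL}, {0x1dd, 5, NULL}, {0x1bb, 6, NULL},
};

/* Returns 1 if the six numbers defuse the level, 0 if some check explodes. */
int phase6_accepts(const int in[6])
{
    int a[6];
    struct node *order[6];

    /* loop 1: (x - 1) > 5 as unsigned rejects 0 and anything above 6; then no duplicates */
    for (int i = 0; i < 6; i++) {
        if ((unsigned)(in[i] - 1) > 5)
            return 0;
        for (int j = i + 1; j < 6; j++)
            if (in[i] == in[j])
                return 0;
    }
    /* loop 2: array[i] = 7 - array[i] */
    for (int i = 0; i < 6; i++)
        a[i] = 7 - in[i];
    /* loop 3: select, for each a[i], the node whose position is a[i] */
    for (int i = 0; i < 6; i++)
        order[i] = &nodes[a[i] - 1];
    /* relink the list in the selected order, as the bomb does before the last loop */
    for (int i = 0; i < 5; i++)
        order[i]->next = order[i + 1];
    order[5]->next = NULL;
    /* loop 4: explode if a node's value is smaller than its successor's */
    for (struct node *p = order[0]; p->next != NULL; p = p->next)
        if (p->value < p->next->value)
            return 0;
    return 1;
}

/* Derive the answer: node positions sorted by value, descending, then undo 7 - x.
 * The result lives in a static array. */
const int *phase6_solve(void)
{
    static int out[6];
    int idx[6] = {0, 1, 2, 3, 4, 5};
    for (int i = 0; i < 6; i++)          /* selection sort, descending by value */
        for (int j = i + 1; j < 6; j++)
            if (nodes[idx[j]].value > nodes[idx[i]].value) {
                int t = idx[i]; idx[i] = idx[j]; idx[j] = t;
            }
    for (int i = 0; i < 6; i++)
        out[i] = 7 - nodes[idx[i]].pos;
    return out;
}

int main(void)
{
    const int *s = phase6_solve();
    printf("answer:");
    for (int i = 0; i < 6; i++)
        printf(" %d", s[i]);
    printf(" -> %s\n", phase6_accepts(s) ? "defused" : "boom");   /* 4 3 2 1 6 5 -> defused */
    return 0;
}
```

The unsigned trick in the first loop is worth noticing when reading the disassembly: a single unsigned comparison of x - 1 against 5 checks both bounds 1 <= x <= 6 at once, which is why IDA shows one test rather than two.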

Hidden level

Analysis:

  1. There is a phase_defused() function after each level; click into it to have a look.

[Figure: csapp2-15.png (screenshot not available)]

  2. It turns out that if one of the inputs has two numbers followed by the string DrEvil, you can enter the hidden level.

[Figure: csapp2-16.png (screenshot not available)]

  3. How to get in: secret_phase() calls func7. Among the earlier levels only level 4 calls a func4, which is rather special, so it is a hint. Level 4 does indeed read two numbers, so try appending DrEvil after the level 4 input, and you enter the hidden level.

[Figure: csapp2-17.png (screenshot not available)]

  4. The hidden level reads a number and then calls func7 with two parameters: n1 and the number we entered. This n1 is another node on the stack, so it should be a linked list or a tree. Each node is 32 bytes and contains two 8-byte char * fields, so we can guess it is a binary tree. Finally, secret_phase() needs func7 to return 2.

[Figure: csapp2-18.png (screenshot not available)]

[Figure: csapp2-19.png (screenshot not available)]

  5. Looking at func7, it is in fact the following code:

struct node
{
	int value;
	struct node *left_node;
	struct node *right_node;
};

int func7(struct node *a, int b)
{
	if (a == 0)
	{
		return -1;                              /* fell off the tree */
	}
	if (a->value > b)
	{
		return 2 * func7(a->left_node, b);      /* go left, double the result */
	}
	if (a->value != b)
	{
		return 2 * func7(a->right_node, b) + 1; /* go right, double and add 1 */
	}
	else
	{
		return 0;                               /* exact match */
	}
}

[Figure: csapp2-20.png (screenshot not available)]

  6. Combining this with the value of each node in the binary tree, working backwards gives the required input 22: the result 2 = 2 * (2 * 0 + 1), so the search must go left once, then right once, and then hit the node exactly.

Answer: 22
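The backwards deduction can be mechanised: rebuild the tree, run func7 for every key stored in it, and keep the one that returns 2. The following is an added example, not the page's own code. The node values are assumed from the commonly distributed bomb, since the page's tree screenshot is not available; if yours differ, read them off IDA and replace the vals[] table. secret_tree, secret_phase_solve and the level-order layout are mine.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not the page's own code: the binary tree is rebuilt here and
 * searched for the input that makes func7 return 2. The node values are
 * assumed from the commonly distributed bomb (the page's screenshot is not
 * available); read yours from IDA and replace the vals[] table. */
struct tnode {
    int value;
    struct tnode *left;
    struct tnode *right;
};

static struct tnode t[15];

/* Build the 15-node tree in level order: children of t[i] are t[2i+1], t[2i+2]. */
struct tnode *secret_tree(void)
{
    static const int vals[15] = {36, 8, 50, 6, 22, 45, 107,
                                 1, 7, 20, 35, 40, 47, 99, 1001};
    for (int i = 0; i < 15; i++) {
        t[i].value = vals[i];
        t[i].left  = (2 * i + 1 < 15) ? &t[2 * i + 1] : NULL;
        t[i].right = (2 * i + 2 < 15) ? &t[2 * i + 2] : NULL;
    }
    return &t[0];
}

/* func7 as decompiled above: go left on a larger node (x2), right on a smaller
 * node (x2 + 1), 0 on a match, -1 when the search falls off the tree. */
int func7(const struct tnode *a, int b)
{
    if (a == NULL)
        return -1;
    if (a->value > b)
        return 2 * func7(a->left, b);
    if (a->value != b)
        return 2 * func7(a->right, b) + 1;
    return 0;
}

/* Every result built from -1 stays negative, so a result of 2 needs the 0 of
 * an exact match; it is therefore enough to try each key stored in the tree.
 * Returns the key with func7(root, key) == 2, or -1 if there is none. */
int secret_phase_solve(void)
{
    struct tnode *root = secret_tree();
    for (int i = 0; i < 15; i++)
        if (func7(root, t[i].value) == 2)
            return t[i].value;
    return -1;
}

int main(void)
{
    printf("secret phase input: %d\n", secret_phase_solve());   /* 22 */
    return 0;
}
```

With these values the only key that returns 2 is 22: from the root 36 the search goes left to 8 (x2), then right to 22 (x2 + 1), and matches there, giving 2 * (2 * 0 + 1) = 2.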


Source: blog.csdn.net/m0_65591847/article/details/132055902