the bomb will read lines from input. txt until it reaches EOF end of file , and then switch over to reading from the console. This feature allows you to store inputs for solved levels in input. txt and avoid retyping them each time. Explosions can be triggered when executing at the shell or within gdb. However, gdb offers you tools you can use to intercept explosions, so your safest choice is to work under gdb and employ protective measures.

There is one important restriction: Do not use brute force! You could write a program to try every possible input to find a solution. But this is trouble for several reasons:. The readme. txt file contains a set of questions for you to answer, one about explosions and a level-specific question for each level. The level questions are a mix of reversing tasks and short answer questions. You are to edit the readme to include your answers to these questions and submit it with your defused bomb.

For one of the levels, we ask you to reverse a assembly sequence back into C code. Given an if statement, does it include an else, is there a sequence of if statements that are nested or cascading? Given a loop, where does it start and stop?

How does increment? Can you tell if the loop is a for, while, or do-while? Is there any use of break or continue in the loop body? For function calls, what are the parameters being passed? The requirement for the readme file is not intended to be onerous. Strunk and White famously say "vigorous writing is concise" and we couldn't agree more. The short answer questions are intended be answered in just a few sentences.

Excess verbiage can weaken an otherwise correct explanation, so you're best off sticking the facts! The starter project contains your compiled binary bomb, the C source for bomb.

c including the main function, two text files, and a. gdbinit file. Check out a copy of your cs repository with the command:. Do not start by running the bomb to "see what it will do Your first task should be to put your kid gloves on and carefully poke around.

Once you figure how to set up appropriate protection against explosions, you will then be free to experiment with the levels without any nail-biting anxiety about setting off the bomb. As you solve successive levels, add the necessary input to the input.

txt file and answer the level-specific question in the readme. txt file. Be sure to regularly commit your changes to these files. The committed version of input. txt should contain the strings that correctly defuse the levels that you solved and readme.

txt should contain the answers to the questions. When grading, we will run your bomb on your input. txt to verify which levels you have successfully defused. Malformed entries in your input. txt or wrong line-endings see FAQ at end of advice page will cause grading failures.

To avoid surprises, be sure that you have verified your input. txt in the same way we will in grading i. bomb input. When finished, you must submit to send your files for grading. If needed, review our late policy.

Toggle navigation CS Spring Archived. The problem Those nefarious Cal students have broken into our myth machines and planted some mysterious executables we are calling "binary bombs.

Logistics Our counter-intelligence efforts been able to confirm a few things about how the bombs operate: If you start the bomb with no command-line argument, it reads input typed at the console. If you give an argument to the bomb:. txt the bomb will read lines from input. We can prove this by examining the values in memory of offsets other than 0x This means the first digit of this password must be 1. Now if we restart the bomb and use this new knowledge, we can bypass the first comparison and make it to the second one.

The second comparison is slightly more complicated and depends on the result of a signed multiplication. In our case it gives us the following:. Now we meet the second comparison statement. The right hand side is simply an index to the current element of our input. If this comparison is not-equal, then the bomb will explode.

Since the value of eax is 2, this means that the second digit of our input should be 2. This time instead of re-running the program, we can just set the value directly in memory. Doing this one more iteration reveals that the program expects the first 4 digits of the 6 digit password to have values 1 2 6 These are not arbitrary numbers. The pattern looks like increasing factorial digits. Notice that 1 2 6 24 is 1! Based on the function name, we can make the guess that the required password is just 6 numbers, and each one is the factorial of its 1-based index.

This would be 1! Then I entered an initial guess for phase 3 of try one try. If we examine the arguments passed to this function, then we can figure out the input format of the password. Notice that our input string and a format string was passed into sscanf. So now I restarted the application with a better guess.

So far so good. In order to beat this comparison, we can restart the app again with the following input:. Notice that in the second highlighted segment our input value is passed into the function func4 , and the result of this function is compared against 0x37 55 in decimal.

Otherwise, the function steps into section C which will call func4 recursively, passing in the original input decremented by one.

This is followed by another call to func4 , passing in the original input decremented by two. Now we know that our input string must contain exactly 6 characters. Looking down to the location of the jump, we have the following block of code that forms a loop. Each character from our input string is binary AND ed with 0xf. This code checks to see if the result of the logic above is equal to the string stored at 0xb. Now we know that the transformed version of our input string must equal giants.

All we need to do is reverse engineer an input string that ends up as giants in the algorithm. Therefore we must find a character that when AND ed with 0xf will result in 15 decimal which is also 0xf hex.

This type of operation is called a bitwise mask. To succeed here, we need to find a character that has as the least significant 4 bits. For example, the hex ASCII value for the letter o is 6F , which has a binary value of , so it fits our requirement. My solution was the string opekmq , but there are many solutions for this phase. Notice the function call on the last line of the excerpt above reads six numbers from standard input, so now we know the first requirement of the password for this phase.

Notice that in the above block of code we have a loop. While iterating through all numbers, the function ensures that each number is less than 5. Notice that this comparison uses the jbe command, which does not test for the sign of the number.

Keeping this in mind, this process can be summarized as the second requirement: Each of the six numbers must be between 1 and 6 inclusive. Essentially this code is ensuring that the password consists of unique numbers The next restriction is the most complicated. This part seems complicated initially. But looking at what is given above we can gain some intuition about it.

I recently discovered a popular reverse engineering assignment in many university CS programs called the Binary Bomb. The binary bomb is a simple command line program that asks you to enter a particular secret string. If type the incorrect string, the program explodes by printing out BOOM!!! and terminating. If you enter the correct string, the program proceeds to the next phase, which expects another particular string.

In a typical classroom setup, each explosion will automatically notify your professor and deduct a small percentage from your final assignment grade. The goal is to use a debugger to reverse engineer the executable in order to find the expected string for each phase and prevent the bomb from blowing up.

I completed the project over a few days, and have written a detailed walkthrough below. Make sure you are running the executable on a bit Linux box or VM. Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Secret Phase. I fired up gdb , added some breakpoints before and after the first input string required for the bomb. So we would have to do this jump every time. There will likely be a string comparison in there that will reveal the string for this phase.

In this way we can simply type in the string to beat phase 1 and go into phase 2 in the expected way. This tells us that these registers are used as function arguments. Note that we are looking for the value of the register esi , which is stored at 0xb In this case, esi points to which is what I typed in for my attempt for this phase.

Examining the memory location reveals that the value is 0. After some trial and error I discovered that this is the first number of my attempted password We can prove this by examining the values in memory of offsets other than 0x This means the first digit of this password must be 1. Now if we restart the bomb and use this new knowledge, we can bypass the first comparison and make it to the second one. The second comparison is slightly more complicated and depends on the result of a signed multiplication.

In our case it gives us the following:. Now we meet the second comparison statement. The right hand side is simply an index to the current element of our input. If this comparison is not-equal, then the bomb will explode.

Since the value of eax is 2, this means that the second digit of our input should be 2. This time instead of re-running the program, we can just set the value directly in memory. Doing this one more iteration reveals that the program expects the first 4 digits of the 6 digit password to have values 1 2 6 These are not arbitrary numbers. The pattern looks like increasing factorial digits.

Notice that 1 2 6 24 is 1! Based on the function name, we can make the guess that the required password is just 6 numbers, and each one is the factorial of its 1-based index. This would be 1! Then I entered an initial guess for phase 3 of try one try. If we examine the arguments passed to this function, then we can figure out the input format of the password.

Notice that our input string and a format string was passed into sscanf. So now I restarted the application with a better guess. So far so good. In order to beat this comparison, we can restart the app again with the following input:.

Notice that in the second highlighted segment our input value is passed into the function func4 , and the result of this function is compared against 0x37 55 in decimal.

Otherwise, the function steps into section C which will call func4 recursively, passing in the original input decremented by one. This is followed by another call to func4 , passing in the original input decremented by two. Now we know that our input string must contain exactly 6 characters. Looking down to the location of the jump, we have the following block of code that forms a loop.

Each character from our input string is binary AND ed with 0xf. This code checks to see if the result of the logic above is equal to the string stored at 0xb.

Now we know that the transformed version of our input string must equal giants. All we need to do is reverse engineer an input string that ends up as giants in the algorithm. Therefore we must find a character that when AND ed with 0xf will result in 15 decimal which is also 0xf hex. This type of operation is called a bitwise mask.

To succeed here, we need to find a character that has as the least significant 4 bits. For example, the hex ASCII value for the letter o is 6F , which has a binary value of , so it fits our requirement. My solution was the string opekmq , but there are many solutions for this phase. Notice the function call on the last line of the excerpt above reads six numbers from standard input, so now we know the first requirement of the password for this phase. Notice that in the above block of code we have a loop.

While iterating through all numbers, the function ensures that each number is less than 5. Notice that this comparison uses the jbe command, which does not test for the sign of the number. Keeping this in mind, this process can be summarized as the second requirement: Each of the six numbers must be between 1 and 6 inclusive. Essentially this code is ensuring that the password consists of unique numbers The next restriction is the most complicated.

This part seems complicated initially. But looking at what is given above we can gain some intuition about it. Some trial and error of input reveals two things. The first and second values in the above screenshot are identical for any order of input. So node1 will always have a first value of 0xfd and a second value of 0x1 , node2 of 0x2d5 and 0x2 , and so on.

The only thing that changes is the pointer to the next node, which depends on the order of input values. So we have the following nodes and associated X values:. More generally, we need to sort the numbers in decreasing order with respect to their X values. Now the nodes are sorted in order of decreasing X value. We can use the node indices as the password for this phase.

The analogy here is deciding whether to bash down a door and risk destroying anything behind it, or picking the lock and entering safely. The first input to this sscanf call is the string 9 , which we know is is the correct password for phase 4.

The second part of the format string expects a string input. But what should this string be? Now we know that to get into the secret phase, we need to add austinpowers to the end of the password for phase 4. The secret phase takes a string input, converts it to an integer and checks that this integer is less than or equal to 0x3e9. If this is true, then it calls fun7 and expects the return value to be 7. Since 0x3e9 is decimal, I entered as my first guess for the secret phase password.

Amazingly, this was the correct answer to the secret phase. Be that as it may, this bomb has now been defused, and the world is safe once more. If you are interested in the details of how fun7 works, I found a great write up by someone with more patience than me.

Table of Contents Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Secret Phase Phase 1 I fired up gdb , added some breakpoints before and after the first input string required for the bomb.

In our case it gives us the following: Now we meet the second comparison statement. or 1 2 6 24 Success! This code checks to see if the result of the logic above is equal to the string stored at 0xb Now we know that the transformed version of our input string must equal giants.

This phase uses the common linked list data structure. Like before, there are two ways to jump to this function call. Thanks for reading along!

In order to beat this comparison, we can restart the app again with the following input:. MSB to LSB. This code checks to see if the result of the logic above is equal to the string stored at 0xb. i only look for a maximum of 8 trades in the European session and 8 trades in the Us session. n,void r 1 :! push o ,W. For instance, to add 3 to column 2 0 , you need to add 1 to column 2 1.

Categories:

• Binary Options online
• Binary Options
• Forex Bitcoin
• Forex Brokers
• Forex