| CompOrg Fall 2003 Homework #3 |
| Assignment |
You have been selected to be a member of an elite group of cyber-techno-digi-gurus who are needed to defuse some binary bombs. You have been selected due to your expertise in IA32 assembly language, your knowledge of data representation and computer arithmetic, and your extensive knowledge of how to read an ASCII reference chart.
You will be given a "binary bomb" which you must defuse. If you are not capable of defusing the bomb, one of two possible things will happen:
I can't remember which will actually happen... feel free to use whichever one provides you with more motivation.
| Binary Bomb |
A binary bomb is an executable program (FreeBSD executable) that consists of six phases. Each phase expects the user to enter a particular string (via stdin). If the expected string is entered, the phase has been defused and the program moves on to the next phase. If the expected string is not entered, the program explodes (prints "BOOM" and quits). Your job is to defuse as many phases as possible.
Each phase tests a different aspect of machine language programs:
| Phase 1: | comparison |
|---|---|
| Phase 2: | loops |
| Phase 3: | conditionals/switches |
| Phase 4: | recursive calls and the stack discipline |
| Phase 5: | pointers |
| Phase 6: | linked lists/pointers/structs |
There is also a challenging "secret phase"... (but it's a secret)
Each student will get a unique bomb; the solution to your bomb (the sequence of expected strings) is different from everyone else's. Feel free to help each other with general concepts (you can work together), but you are not allowed to submit solutions to your bomb unless you determined the solutions yourself. In other words - if you need help, feel free to ask Dave or the TAs or anyone else to help you get started, but you must have a complete understanding of how to figure out what the solution is (you will certainly need this ability on a test!).
The phases are ordered in increasing difficulty, and phase 1 is pretty easy. Don't underestimate the project just because you can solve the first phase - the subsequent phases get harder!
| How to get your bomb |
Bombs are available on the web: all you need to do is click on the link below and save the file to your computer. It is expected that you move the bomb to your CS account and use freebsd.remote.cs.rpi.edu to work on the bomb.
Your bomb will be sent in a zip file that includes:
- The actual executable program named bomb.
- A file named ID that identifies your bomb. When you submit your solutions you will need to send back this file (it identifies your bomb so we can verify that your solutions are correct!). Your bomb ID must be unique; it is not acceptable for multiple people to submit solutions to the same bomb!
- A file named bomb.c. This is the actual C code for the main program. You don't really need this, but it may be helpful to understand what the main program is doing. You don't get the C code for the actual phases; the point of this assignment is that you need to determine what they are doing just by looking at the assembly language code (which you can get by disassembling the executable program).

We assume that you can handle a zip file! Under Windows you can use WinZip (available at www.winzip.com). Under Unix you can use unzip to unzip a zip file.
NOTE: The "bomb server" that sends you a binary bomb (when you click on one of the above icons) will make sure that your bomb is not available to anyone else! It is not acceptable that two students submit the same bomb ID - everyone needs to download a unique bomb (with a unique solution!). Each student needs only one bomb, so please don't download lots of them (there are a fixed number of bombs pre-made, and if the server runs out this will inconvenience other students who have not yet received a bomb!). Although every bomb is different, they are all comparable in difficulty, so there is no reason to get more than one bomb.
| How to submit |
Submission of your homework is to Webct (webct.rpi.edu), the general idea is to submit a file containing the strings that defuse your bomb, and to submit your bomb ID file (that you got from the bomb server).
Your submission must include the following:
A file named "solution.txt" that contains the solution (the sequence of strings required to defuse your bomb). This file should contain one line of text for each phase you completed, and sending the bomb this file (via redirection of STDIN) should prove that your solutions are correct:
```
./bomb < solution.txt
Welcome to my bomb. You have 6 phases with which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Curses, you've found the secret phase!
But finding it and solving it are quite different...
Wow! You've defused the secret stage!
Congratulations! You've defused the bomb!
```
If you don't get all the phases solved, but you do understand part of what is required for some of the unsolved phases, tell us about the phases you did not solve in another file and you may receive partial credit.
A file named "ID" that identifies your bomb. You are given this file when you download your bomb - you must send it back with your submission.
Don't send your bomb program in your submission! These programs are dangerous and we certainly don't want to be messing with them (that's why we have you experts handling things...).
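Before submitting, it is worth checking solution.txt the same way the graders will. The script below is an added example (not part of the assignment or of bomb.c): it feeds the bomb a solution file exactly as `./bomb < solution.txt` does and scores the progress messages shown in the sample run above, stopping at the first line containing "BOOM", which is all the page states about the explosion message. The function and file names are my own; `run_bomb` needs a real bomb, while `score_output` runs on the constructed sample.

```python
import subprocess

# Progress messages in the order the assignment's sample run prints them,
# each mapped to the phase it confirms as defused.
MILESTONES = [
    ("Phase 1 defused", 1),
    ("That's number 2", 2),
    ("Halfway there", 3),
    ("So you got that one", 4),
    ("Good work! On to the next", 5),
    ("You've defused the bomb", 6),
]
SECRET_MARK = "defused the secret stage"

def score_output(text):
    """Return (phases_defused, secret_defused, exploded) for one bomb run.

    Counting stops at the first line containing "BOOM": the bomb quits
    there, so later milestones cannot appear.
    """
    phases, secret, exploded = 0, False, False
    for line in text.splitlines():
        if "BOOM" in line:
            exploded = True
            break
        for marker, n in MILESTONES:
            if marker in line:
                phases = max(phases, n)
        if SECRET_MARK in line:
            secret = True
    return phases, secret, exploded

def run_bomb(bomb_path, solution_path):
    """Do `./bomb < solution.txt` and score the output (needs a real bomb)."""
    with open(solution_path, "rb") as stdin:
        proc = subprocess.run([bomb_path], stdin=stdin,
                              capture_output=True, text=True)
    return score_output(proc.stdout)

# Constructed sample output: three phases solved, then a wrong string on phase 4.
SAMPLE_RUN = """Welcome to my bomb. You have 6 phases with which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
BOOM!!!
"""

if __name__ == "__main__":
    print(score_output(SAMPLE_RUN))   # (3, False, True)
```

A result whose third field is True means the last line of solution.txt is wrong for the phase after the reported count, so only the phases counted should be claimed in the submission.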
| Grading |
Grades will be determined by the number of phases you are able to solve:
It is possible to get partial credit for a phase (up to 1/2 the points). To get extra credit you need to include a description of how far you got figuring out the phase (show us the assembly code and describe what you think is happening, etc). Partial credit points will not be awarded if we can't understand your description (you need to make sure that you convince us that you have some understanding of what is happening in the code for the phase).
| HINTS: |
There are lots of helpful tools available on Unix:
- strings command.
- objdump command.
- gdb (the GNU debugger).
- emacs (actually emacs probably won't help, but I like it so much I wanted to include it).

The book describes how to use objdump and gdb to disassemble code and (in the case of gdb) debug assembly language programs. Complete documentation on gdb is available online at http://sources.redhat.com/gdb/current/onlinedocs/. There is also a downloadable PDF version of the manual and a quick reference card (all available via the same link).
Below are some example GDB commands to get you started (Dave will demonstrate these commands in class):
- Print a register (%edx): print $edx (note that you need to use '$', not '%').
- Display a register (automatically prints out the value of the register after every instruction): display $edx
- Step one instruction: stepi or si
- Tell GDB to display the next instruction each time it executes an instruction: display/i $eip (very useful!). eip is the register that holds the address of the next instruction to be executed.
- Examine memory at an absolute memory address: x/4x 0xbfbff0d4c will display 4 words (as hex) starting at address 0xbfbff0d4c; x/s $edx will display the string (ASCII chars terminated by a null) starting at the address in register %edx.
- Disassemble an entire subroutine: disas subname. For example you could disassemble main like this: disas main.
- Print information about the current stack frame: info frame
- Print information about all currently active stack frames: backtrace
You may find that you need to look up ASCII character values, here is an ASCII reference table that shows hex values and corresponding ASCII characters:
| 00 nul| 01 soh| 02 stx| 03 etx| 04 eot| 05 enq| 06 ack| 07 bel|
| 08 bs | 09 ht | 0a nl | 0b vt | 0c np | 0d cr | 0e so | 0f si |
| 10 dle| 11 dc1| 12 dc2| 13 dc3| 14 dc4| 15 nak| 16 syn| 17 etb|
| 18 can| 19 em | 1a sub| 1b esc| 1c fs | 1d gs | 1e rs | 1f us |
| 20 sp | 21 ! | 22 " | 23 # | 24 $ | 25 % | 26 & | 27 ' |
| 28 ( | 29 ) | 2a * | 2b + | 2c , | 2d - | 2e . | 2f / |
| 30 0 | 31 1 | 32 2 | 33 3 | 34 4 | 35 5 | 36 6 | 37 7 |
| 38 8 | 39 9 | 3a : | 3b ; | 3c < | 3d = | 3e > | 3f ? |
| 40 @ | 41 A | 42 B | 43 C | 44 D | 45 E | 46 F | 47 G |
| 48 H | 49 I | 4a J | 4b K | 4c L | 4d M | 4e N | 4f O |
| 50 P | 51 Q | 52 R | 53 S | 54 T | 55 U | 56 V | 57 W |
| 58 X | 59 Y | 5a Z | 5b [ | 5c \ | 5d ] | 5e ^ | 5f _ |
| 60 ` | 61 a | 62 b | 63 c | 64 d | 65 e | 66 f | 67 g |
| 68 h | 69 i | 6a j | 6b k | 6c l | 6d m | 6e n | 6f o |
| 70 p | 71 q | 72 r | 73 s | 74 t | 75 u | 76 v | 77 w |
| 78 x | 79 y | 7a z | 7b { | 7c \| | 7d } | 7e ~ | 7f del|