- Assigned: Sep. 28
- Due: Oct. 12
Note: Keshav Kini ([email protected]) is the lead TA for this lab assignment.
This is an individual project. You may not share your work on lab assignments with other students, but do feel free to ask instructors for help if you are stuck, for example during office hours or a discussion section.
The lab involves “defusing a bomb”. The more phases of the bomb you defuse, the more points you will receive. The maximum possible score for the lab is 70 points. Every time the bomb “explodes”, you will lose half a point, up to a maximum of 20 points!
There is nothing to turn in for this lab. Like the previous lab, there is an online scoreboard – unlike the previous lab, this time the scoreboard actually displays your real grade.
Any clarifications and corrections for this lab will be posted on Canvas and Piazza.
The nefarious Dr. Evil has planted a slew of “binary bombs” on
UTCS’s beloved Seven Servers. A binary bomb is a program that
consists of a sequence of phases. Each phase expects you to type a
particular string on stdin
. If you type the correct string, then
the phase is defused and the bomb proceeds to the next phase.
Otherwise, the bomb explodes by printing “BOOM!!!” and then
terminating. The bomb is defused when every phase has been defused.
There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!
You can obtain your bomb by pointing your Web browser at
http://52.8.245.166:42902, our bomb squad coordination website. This
will display a binary bomb request form for you to fill out. Enter
your UTEID and email address, and hit the Submit button. The server
will select one of Dr. Evil’s bombs for you and return it to your
browser in a tar
file called bombk.tar
, where k is the unique
number of the bomb that has been assigned to you.
Upload your bomb tar file to somewhere safe – i.e., not visible to other students – in your UTCS home directory. Then extract the tar file. You should see that three files have been extracted:
bomb
, the bombbomb.c
, partial source code of the bomb which Dr. Evil forgot to delete (may contain important clues!)README
, a small file containing information about which bomb this is and who has been assigned to defuse it (presumably you)
Your job for this lab is to defuse your bomb.
Dr. Evil has targeted our seven brand new remote-login UTCS servers, which just came into service less than a month ago. These are the servers, which are named after characters from the 1960s TV show “Gilligan’s Island”:
gilligan.cs.utexas.edu
skipper.cs.utexas.edu
thurston-howell-iii.cs.utexas.edu
lovey.cs.utexas.edu
ginger.cs.utexas.edu
the-professor.cs.utexas.edu
mary-ann.cs.utexas.edu
You must do your work of defusing the bomb on these machines. (It doesn’t have to always be the same machine for the whole duration of the lab.) There is a rumor that Dr. Evil is so evil that the bomb might even be designed to blow up instantaneously on any machine other than these seven! There are several other tamper-proofing devices built into the bomb as well, or so we hear…
You can use many tools to help you defuse your bomb. Please look at
the Hints section for some tips and ideas. The best way is to use a
debugger, such as gdb
, to step through the disassembled binary,
though there may be other ways.
Each time your bomb explodes, it notifies our bomb squad coordination server, and you will lose half a point (up to a maximum loss of 20 points) in the final score for the lab. So there are consequences to exploding the bomb. A good bomb squad member must be careful!
The first four phases are worth 10 points each. Phases 5 and 6 are a little more difficult, so they are worth 15 points each. So the maximum score you can get is 70 points.
Although the phases get progressively harder to defuse, the expertise you gain as you move from phase to phase should offset this difficulty. However, the last phase will challenge even the best students, so please don’t wait until the last minute to start.
The bomb ignores blank input lines. If you run your bomb with a command line argument, for example,
$ ./bomb psol.txt
then the bomb will read the input lines from psol.txt
until it
reaches EOF (end of file), and then switch over to stdin
. In a rare
moment of weakness, Dr. Evil decided to add this feature so that you
wouldn’t have to keep retyping the solutions to phases you had already
defused.
To avoid accidentally detonating the bomb, you will need to learn how to single-step through the assembly code and how to set breakpoints. You will also need to learn how to inspect both the registers and the memory states. One of the nice side-effects of doing the lab is that you will become very good at using a debugger. This is a crucial skill that will pay big dividends the rest of your career.
Go to http://52.8.245.166:42902/scoreboard to see the progress that our bomb squad has made so far on Dr. Evil’s bombs. The bombs are listed by their ID number, so look for your bomb’s ID number in the table to find out what your grade so far is. This will be your grade for the lab.
There are many ways of defusing your bomb. You can examine it in great detail without ever running the program, and figure out exactly what it does. This is a useful technique, but it is not always easy to do. You can also run the bomb under a debugger, watch what it does step by step, and use this information to defuse it. This is probably the fastest way of defusing it.
We do make one request: please do not use brute force! You could write a program that will try every possible password to find the right ones. But this is not good for several reasons:
- You will very quickly lose 20 points (out of 70) due to your bomb exploding many many times.
- Every time you guess wrong, a message is sent to the bomb squad coordination server. You might quickly saturate the server’s incoming bandwidth with these messages, and cause problems for other students. A good bomb squad member doesn’t DoS the coordination server!
- You don’t know how long the passwords are, or what characters might be in them. Even if you made the (incorrect) assumptions that they are all less than 80 characters long and only contain letters, then you will have 26^80 guesses for each phase! This will take a very very long time to run, and you will not get the answer before the lab is due.
There are many tools which are designed to help you figure out both how programs work, and what is wrong when they don’t work. Here is a list of some of the tools you may find useful in analyzing your bomb, and hints on how to use them.
gdb
The GNU debugger. This is a command line debugger tool available on virtually every platform. With
gdb
, you can trace through a program line by line, examine memory and registers, look at both the source code and assembly code (we are not giving you the source code for most of your bomb), set breakpoints, set memory watch points, write scripts, and more.The CS:APP website has a very handy single-page
gdb
summary that you can print out and use as a reference. Here are some other tips for usinggdb
.- To keep the bomb from blowing up every time you type in a wrong input, you’ll want to learn how to set breakpoints.
- For live documentation, type
help
at thegdb
command prompt, or typeman gdb
orinfo gdb
in a terminal.
objdump -t
This will print out the bomb’s full symbol table. The symbol table includes the names of all functions and global variables in the bomb, the names of all the functions the bomb calls, and their addresses. You may learn something by looking at the function names!
objdump -d
Use this to disassemble all of the code in the bomb. You can also just look at individual functions. Reading the assembler code can tell you how the bomb works.
Although
objdump -d
gives you a lot of information, it doesn’t tell you the whole story. Calls to system-level functions are displayed in a cryptic form. For example, a call tosscanf
might appear as:8048c36: e8 99 fc ff ff call 80488d4 <_init+0x1a0>
To determine that the call was to
sscanf
, it would be easier to disassemble withingdb
.strings
This utility will find and display what it thinks are possibly string constants stored in the bomb executable. Maybe you can use this to find some of the passwords?
Looking for a particular tool? How about documentation? Don’t
forget, the commands apropos
, man
, and info
are your friends.
In particular, man ascii
might come in handy. info gas
will give
you more than you ever wanted to know about the GNU Assembler. Also,
the web may be a treasure trove of information. If you feel stumped,
feel free to ask your instructor for help!