This page is for a prior offering of CS 3330. It is not up-to-date.
A Mad Programmer got really mad and planted a slew of binary bombs
on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin
. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!"
and then terminating. The bomb is defused when every phase has been defused.
There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!
For full credit in lab, diffuse phase 1. A homework will follow in which you should diffuse phases 2 and 3. A small amount of extra credit will be awarded if you diffuse more phases than that.
If you defuse phase 1 in lab, feel free to start on the homework.
You can see your grade for this lab and homework are at the gradebook, with approximately a 1-hour delay.
For phase 1, anything goes. Being a lab, you can work together as much as you want.
For phases 2 and beyond, it is homework so more restrictions apply. You are welcome to discuss with one another the process and tools you use, but please do not look at or describe one another’s code.
This lab only works on 64-bit Linux machines. The lab machines qualify; see lab 0.0 if you need help accessing them remotely.
You can obtain your bomb by pointing your Web browser at:
This will display a binary bomb request form for you to fill in. Enter your computing ID and email address and hit the Submit button. The server will build your bomb and return it to your browser in a tar
file called bombk.tar
, where k
is the unique number of your bomb.
Save the bombk.tar
file to a (protected) directory in which you plan to do your work. Then give the command: tar -xvf bombk.tar
. This will create a directory called ./bombk
with the following files:
README
: Identifies the bomb and its owners.
bomb
: The executable binary bomb.
bomb.c
: Source file with the bomb’s main routine and a mad greeting from the Mad Mad Programmer.
If for some reason you request multiple bombs, this is not a problem. Choose one bomb to work on and delete the rest.
If you are trying to do the lab without phyiscal access to the machine being used, try the following:
curl "http://archimedes.cs.virginia.edu:15213/?username=$USER&usermail=$USER@virginia.edu&submit=Submit" > bomb.tar
mv bomb.tar $(head -1 bomb.tar | cut -d'/' -f1).tar
Note, this might fail if the remote machine you run it on is not a lab machine because $USER
might not be set correctly by other machines. Replace $USER
with your computing ID if you are running this command e.g. in cloud9, koding, or codio.
Please look at the Getting Started and Hints sections for some tips and ideas. The best way is to use your favorite debugger to step through the disassembled binary. Almost no students succeed without using a debugger like gdb or lldb.
Your job for this lab is to defuse your bomb. Each has a few tamper-proofing elements. You can use many tools to help you defuse your bomb. Each time your bomb explodes it notifies the bomblab server. If you get to 20 explosions we’ll start removing points.
Although phases get progressively harder to defuse, the expertise you gain as you move from phase to phase should offset this difficulty. The last phase will challenge even the best students.
The bomb ignores blank input lines.
If you run your bomb with a command line argument, for example,
linux> ./bomb psol.txt
then it will read the input lines from psol.txt
until it reaches EOF (end of file), and then switch over to stdin
. This will keep you from having re-type solutions.
To avoid accidentally detonating the bomb, you will need to learn how to single-step through the assembly code and how to set breakpoints. You will also need to learn how to inspect both the registers and the memory states. THe experience reaching assembly will help you with the later parts of this course; the experience using a debugger will probably help you for the rest of your career.
Try running objdump -t bomb
. This will show you the symbols in the executable, including the names of all methods. Look for one that looks dangerous, as well as some that looks like interesting methods (perhaps something like Phase 1
).
Run bomb from a debugger like gdb instead of running it directly. The debugger will allow you to stop the bomb before it detonates.
For example, if I ran
linux> gdb bomb
(gdb) b methodName
(gdb) run
(gdb) kill
this will start gdb
, set a breakpoint at methodName
, and run the code. The code will halt before it runs methodName
; calling kill
will stop the bomb and exit the current debugging session without methodName
running.
Use step
and stepi
to examine this function. step
runs your code one line of source code at a time. stepi
runs your code one line of machine instruction at a time. This allows you to run phase_1()
piece by piece.
Use this to step carefully through phase_1()
to see if you can find the passphrase.
linux> gdb bomb
(gdb) b lineNumberForPhase1Call
(gdb) run
input test passphrase here
(gdb) stepi
(gdb) info locals
(gdb) info registers
Generally some parameters are local variables and some are stored in registers. You should see your test passphrase here. Note the hex value of your input
(gdb) stepi
keep stepi
ing until you see strings_not_equal
method (a suspicious name that might be checking your passphrase)
(gdb) info locals
(gdb) info registers
Which one holds your passphase? Try examining
that and others…
Some useful gdb
commands:
(gdb) info locals
(gdb) info registers
(gdb) x/20b 0x...
(gdb) x/x $someRegister
(gdb) x/s $someRegister
(gdb) print expr
call (void) puts (0x...)
puts
with the given char *
(as a memory address). See man puts
for more.
(gdb) disas methodName
(gdb) set disassembly-flavor intel
(gdb) set disassembly-flavor att
(gdb) b *0x...
(gdb) help
The textbook also has a nice summary of useful gdb commands on page 280 (or 255 of the 2nd edition). You can also find sources like http://csapp.cs.cmu.edu/2e/docs/gdbnotes-x86-64.txt that list and describe other useful gdb commands.
Reviewing the x86-64 calling convention (Figure 3.28) may be helpful, especially combined with the names of functions being called.
Each phase uses a different code pattern. You’ll probably not only step through code and examine values but also inspect disassembled code if you want to understand all the phases.
The phases include at least the following:
scanf
(which is much like a backwards version of printf
; try man scanf
for more)switch
statementsThere are many ways of defusing your bomb. You can examine it in great detail without ever running the program, and figure out exactly what it does. This is a useful technique, but it not always easy to do.
You can also run it under a debugger, watch what it does step by step, and use this information to defuse it. This is probably the fastest way of defusing it.
We do make one request, please do not use brute force! You could write a program that will try every possible key to find the right one. But this is no good for several reasons:
You lose points if you have too many bomb explosions.
Every time you guess wrong, a message is sent to the bomblab server. You could very quickly saturate the network with these messages, and cause the system administrators to revoke your computer access.
We haven’t told you how long the strings are, nor have we told you what characters are in them. Even if you made the (incorrect) assumptions that they all are less than 80 characters long and only contain letters, then you will have 2680 guesses for each phase. This will take a very long time to run, and you will not get the answer before the assignment is due.
There are many tools which are designed to help you figure out both how programs work, and what is wrong when they don’t work. Here is a list of some of the tools you may find useful in analyzing your bomb, and hints on how to use them.
gdb
The GNU debugger, this is a command line debugger tool available on virtually every platform. See the Getting Started section for more.
objdump -t
This will print out the bomb’s symbol table. The symbol table includes the names of all functions and global variables in the bomb, the names of all the functions the bomb calls, and their addresses. You may learn something by looking at the function names!
objdump -d
Use this to disassemble all of the code in the bomb. You can also just look at individual functions. Reading the assembler code can tell you how the bomb works.
Although objdump -d
gives you a lot of information, it doesn’t tell you the whole story. Calls to system-level functions are displayed in a cryptic form. For example, a call to sscanf
might appear as:
8048c36: e8 99 fc ff ff call 80488d4 <.init+0x1a0>
To determine that the call was to sscanf
, you would need to disassemble within gdb
.
If you prefer to get Intel syntax disassembly from objdump
, you can use objdump -M intel -d
.
strings
This utility will display the printable strings in your bomb.
Looking for a particular tool? How about documentation? The commands apropos
, man
, and info
are your friends. In particular, man ascii
might come in useful. info gas
will give you more than you ever wanted to know about the GNU Assembler. Also, the web has lots of information on it. If you get stumped, feel free to ask course staff for help.
There is no explicit submission. The bomb will notify your instructor automatically about your progress as you work on it. You can keep track of how you are doing by looking at the class scoreboard at:
This web page is updated every minute to show the progress for each bomb. It also shows a score
based on how many phases are diffused and how many explosions you’ve had. This score is not how we grade your submission; your grade will be
Your computed score should appear in the gradebook with a roughly one-hour delay, assuming our servers are running properly.