Binary Bomb (don't panic!)

Started by aw27, February 22, 2018, 11:02:43 PM


aw27

The Binary Bomb (Copyright R. Bryant and D. O'Hallaron) is a college assignment whose purpose is:
"The Bomb Lab teaches students principles of machine-level programs, as well as general debugger and reverse engineering skills."

Some Links:
http://csapp.cs.cmu.edu/2e/README-bomblab
https://www.scribd.com/document/314102482/Defusing-a-binary-bomb-with-gdb
http://zpalexander.com/binary-bomb-lab-set-up/

Till now there was no Windows Binary Bomb, and no source code either, so it took me a few days to completely reverse one binary bomb with the help of links 2 and 3 above (mostly 2). There are many other links on the web, but I did not find that they added much more.

I built two executables, 1 for x86 and the other for x64, so people can use either - the solutions will be exactly the same.

The purpose of the program is to defuse a binary bomb across 6 stages of increasing difficulty. There is also a hidden seventh stage, called the secret stage, which will give you extra credit. Of course, I don't expect many people to come even close to stage 6 - the assignment is tough.

In order to help a bit, I include the initial source, which is actually almost the same, including comments, as the one distributed with the Linux variants.

Good work!  :biggrin:

PS: The executables were not optimized for speed or size, I kept the frame pointers for x64, removed exception handling, and linked without dynamic load addresses, otherwise the challenges would be even harder.

aw27

Difficulties were expected  :biggrin: , so here is the full ASM of the winbomb, including the .data section where the solutions can be snooped.
The ASM was obtained straight from the C build and was re-assembled producing a small 7 KB executable.
If nobody solves, well.... well... I will post the solutions in a couple of weeks.  :t

aw27

At this point I must tell you that I have followed the algorithms of the original bomb, just changed some constants.
As Carlos found:
Part 1: Its purpose is to compare the input string with another string in .data
Part 2: Is a progressive sequence of numbers
Part 3: Is a switch statement. There is more than 1 possible solution.
Part 4: It is a small recursive exercise.
Part 5: It is a basic signature validation. There is more than 1 possible solution.
Part 6: It is a singly linked list. The nice thing about this list is that it is not built at runtime, as we are used to seeing in textbooks.
Part 7 (secret phase): It is a binary tree. It is also not built at runtime.
Looks easy then.  :eusa_naughty:

:idea: Another feature you might not have noticed is that you can enter the solutions in a text file which is passed on the command line, one solution per line (in order). For instance, if the file has the first 3 lines with correct solutions, you will just be prompted for the solution of Part 4. If you have 6 lines (or maybe 7, counting the secret phase) with correct solutions in order, you will be warmly  :eusa_clap: :eusa_clap:  :eusa_clap:  congratulated in the end.
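To make concrete what Parts 6 and 7 describe (a data structure laid out in .data at build time rather than built at runtime), here is an added example in C; it is constructed for this thread and is not aw27's winbomb source. The node layout, the six values and the names phase6_check/phase6_solve are all assumptions. It pairs a phase_6-style checker with a solver that reads the same static list, which is exactly why a static layout can be snooped straight out of the image.

```c
#include <stdlib.h>

/* One list node as it would sit in .data (constructed example, not the winbomb). */
struct node {
    int value;
    int id;
    const struct node *next;
};

/* Declared last-to-first so each initializer can name its successor. */
static const struct node n6 = {  57, 6, NULL };
static const struct node n5 = { 420, 5, &n6 };
static const struct node n4 = { 911, 4, &n5 };
static const struct node n3 = { 137, 3, &n4 };
static const struct node n2 = {  13, 2, &n3 };
static const struct node n1 = { 256, 1, &n2 };
static const struct node *const list_head = &n1;

/* Bomb side: six ids pass iff visiting the nodes in that order yields strictly
 * decreasing values (the classic phase_6 rule). Returns 1 when defused. */
int phase6_check(const int ids[6])
{
    int prev = 0;
    for (int i = 0; i < 6; i++) {
        const struct node *p = list_head;
        while (p && p->id != ids[i]) p = p->next;
        if (!p) return 0;                         /* unknown id */
        if (i > 0 && p->value >= prev) return 0;  /* not strictly descending */
        prev = p->value;
    }
    return 1;
}

/* Defuser side: the list is static, so its values are readable from the image;
 * ordering the ids by value descending produces the passing input. */
static int by_value_desc(const void *a, const void *b)
{
    const struct node *x = *(const struct node *const *)a;
    const struct node *y = *(const struct node *const *)b;
    return (y->value > x->value) - (y->value < x->value);
}
void phase6_solve(int out[6])
{
    const struct node *nodes[6];
    int n = 0;
    for (const struct node *p = list_head; p && n < 6; p = p->next) nodes[n++] = p;
    qsort(nodes, (size_t)n, sizeof nodes[0], by_value_desc);
    for (int i = 0; i < 6; i++) out[i] = nodes[i]->id;
}
```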

aw27

Nobody presented a solution, but the contest was indeed difficult.  :dazzled:

One solution of the regular six phases challenge is this:

Everything has its beauty but not everyone sees it.
32 16 8 4 2 1
5 -787
13 31
MMMMEI
5 6 1 4 3 2

Access to the hidden stage happens when you add DrEvil to the 4th phase.
So a solution for all 7 stages would be:

Everything has its beauty but not everyone sees it.
32 16 8 4 2 1
5 -787
13 31 DrEvil
MMMMEI
5 6 1 4 3 2
99

That's all folks.

anunitu

Real-world example of a software bomb. It happened where I worked: a system programmer put one in the mainframe. It checked the employee list on his birthday, and if he had been canned it would crash the system. Anyway, know this: the guy got caught and did jail time for it. One part was a memory nibbler that would allocate bits of memory until it hit an out-of-memory fault. Remember, this was a mainframe, and the "BOMB" was done in mainframe (IBM) assembler.