CSAPP Labs Walkthrough

The writer's first language is NOT English. Pardon me for grammar and spelling mistakes.

Data Lab

Todo...

Bomb Lab

Like most people, I use Windows most of the time, but this lab requires a Linux environment. Therefore, WSL2 is recommended here.

If you haven't tried it, follow this article to install WSL2 on your machine.

To read the code and disassemble it easily, you need to install VSCode and IDA on your host system.

Now, we need to download the lab file...

wget http://csapp.cs.cmu.edu/3e/bomb.tar
tar -xvf bomb.tar && cd bomb

And install dependencies for the lab.

sudo apt-get install build-essential gcc-multilib gdb

If you are not familiar with gdb, gdbgui could be a good choice.

Now copy the executable file to your desktop and open it with IDA, and I'm sure you are ready to solve it. :)

Phase 1

IDA Assembly View

Now, press the magical "Tab" key.

IDA C-Style View
// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  const char **v3; // rbx
  __int64 line; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rdi

  if ( argc == 1 )
  {
    infile = (FILE *)stdin;
  }
  else
  {
    v3 = argv;
    if ( argc != 2 )
    {
      __printf_chk(1LL, "Usage: %s [<input_file>]\n", *argv);
      exit(8);
    }
    *(_QWORD *)&argc = argv[1];
    argv = (const char **)"r";
    infile = fopen(*(const char **)&argc, "r");
    if ( !infile )
    {
      __printf_chk(1LL, "%s: Error: Couldn't open %s\n", *v3, v3[1]);
      exit(8);
    }
  }
  initialize_bomb(*(_QWORD *)&argc, argv, envp);
  puts("Welcome to my fiendish little bomb. You have 6 phases with");
  puts("which to blow yourself up. Have a nice day!");
  line = read_line();
  phase_1(line);
  phase_defused();
  puts("Phase 1 defused. How about the next one?");
  v5 = read_line();
  phase_2(v5);
  phase_defused();
  puts("That's number 2. Keep going!");
  v6 = read_line();
  phase_3(v6);
  phase_defused();
  puts("Halfway there!");
  v7 = read_line();
  phase_4(v7);
  phase_defused();
  puts("So you got that one. Try this one.");
  v8 = read_line();
  phase_5(v8);
  phase_defused();
  puts("Good work! On to the next...");
  v9 = read_line();
  phase_6(v9);
  phase_defused();
  return 0;
}

This is more like it.

Step into the phase_1() function.

Phase 1 disassembly

"Border relations with Canada have never been better."

Phase 2

Move on to the function phase_2.

__int64 __fastcall phase_2(__int64 a1)
{
  __int64 result; // rax
  char *v2; // rbx
  int v3; // [rsp+0h] [rbp-38h] BYREF
  char v4; // [rsp+4h] [rbp-34h] BYREF
  char v5; // [rsp+18h] [rbp-20h] BYREF

  read_six_numbers(a1, &v3);
  if ( v3 != 1 )
    explode_bomb();
  v2 = &v4;
  do
  {
    result = (unsigned int)(2 * *((_DWORD *)v2 - 1));
    if ( *(_DWORD *)v2 != (_DWORD)result )
      explode_bomb();
    v2 += 4;
  }
  while ( v2 != &v5 );
  return result;
}

NOTE: The type of a1 is obviously not __int64; it should be a char *, since it refers to the user's input string.

From the information IDA gives, v3 should be a stack-allocated int array, and we can reasonably assume that the function read_six_numbers reads six numbers and stores them in the array v3.
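
The reading above, written out as an added C example (not code from the original post or from the lab itself): phase_2 retyped with v3, v4 and v5 folded into a single int[6], returning 0 where the decompiled code calls explode_bomb(). The names phase_2_model and read_six_numbers_model are hypothetical, and both the sscanf-based parser and treating a short input as a failure are assumptions about what read_six_numbers does.

```c
#include <stdio.h>

/* Stand-in for the bomb's read_six_numbers (assumption: it parses six
 * whitespace-separated decimal ints). Returns 1 if all six were read. */
static int read_six_numbers_model(const char *input, int nums[6])
{
    return sscanf(input, "%d %d %d %d %d %d",
                  &nums[0], &nums[1], &nums[2],
                  &nums[3], &nums[4], &nums[5]) == 6;
}

/* phase_2 with IDA's three stack slots read as one array:
 *   v3 at [rsp+0h]  -> nums[0]
 *   v4 at [rsp+4h]  -> nums[1]   (loop start, v2 = &v4)
 *   v5 at [rsp+18h] -> &nums[6]  (one past the end; 0x18 == 6 * sizeof(int))
 * Returns 1 where the original falls through, 0 where it would explode. */
int phase_2_model(const char *input)
{
    int nums[6];

    if (!read_six_numbers_model(input, nums))
        return 0;                       /* assumed failure path */
    if (nums[0] != 1)
        return 0;                       /* if ( v3 != 1 ) explode_bomb(); */

    for (int *p = &nums[1]; p != &nums[6]; ++p) {
        /* unsigned math mirrors (unsigned int)(2 * *((_DWORD *)v2 - 1)) */
        if ((unsigned int)*p != 2u * (unsigned int)p[-1])
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "1 2 4 8 16 32", "1 2 4 8 16 33", "2 4 8 16 32 64", "1 2 4"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-16s -> %s\n", samples[i],
               phase_2_model(samples[i]) ? "pass" : "explode");
    return 0;
}
```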


CSAPP Labs Walkthrough
https://ooj2003.github.io/2023/10/05/CSAPP Labs Walkthrough/
Author: OOJ2003
Published on: October 5, 2023