PROJEKT: OVERFLOW

2023-09-29 09:25:35

PROJEKT: OVERFLOW

PROJEKT: OVERFLOW
RISC-V meeting board recreation

hack the planet

THE GAME

I made this recreation to show my daughter how buffer overflows work. Taking a look at applications as one thing you possibly can play with, and poke and twist and make it do one thing else, is my favorite a part of trendy computing. I suppose its the appropriate manner to have a look at applications. When your microwave oven will get an replace and begins crashing, you possibly can hack it. Or when your keyboard controller’s firmware is unhealthy, you possibly can hack it (taking a look at you vortex pok3r). She is 12 yo now however her assembler abilities are getting higher and higher, hopefully at some point she’s going to have the ability to hack her personal keyboard 🙂

The sport is about making a small shellcode in reminiscence by copying current directions after which exploiting a buffer overflow to leap into it, in an effort to overwrite your opponent’s return handle to pressure them to go to the game_over() perform.There are different mechanics as nicely and extra layers of technique (like setting the exception handler or monkeypatching).

All gamers share the identical reminiscence, and execute the identical program, whereas time sharing the identical processor operating preemptive scheduling os, so every flip the participant executes 10 directions, after that the method is interrupted by the working system, and its the opposite participant’s flip. Every participant’s stack pointer begins at a unique location. There isn’t a digital reminiscence.

The way it seems after we play the sport:

The code is compiled with riscv64-unknown-elf-gcc -fomit-frame-pointer -fno-inline-small-functions -mno-shorten-memrefs -march=rv32g -mabi=ilp32 -ffreestanding -nostdlib -nostartfiles -T code/hyperlink.ld -O0 -fverbose-asm -g -o recreation recreation.c, the linker script hyperlink.ld has simply offsets for the precise capabilities so the match properly on the board. The no optimization -O0 makes the machine code fairly verbose, but in addition straight ahead. Then I take advantage of riscv64-unknown-elf-objdump -S -l -fd recreation, parse it and repair the ▲ and ✎ directions, convert the soar offset from hex to dec and clear the meeting a bit, then match it with the supply code and generate a svg which is then covnerted to a pdf with inkscape.

PRINT

Board Preview:

Tabletop Necessities

Printer: A3 ideally, A4 works as nicely however its a bit small
Pawns: 1 pawn for the free nop instruction, one pawn for the entice handle, and a couple of pawns per participant are wanted, one for this system counter and one for the stack pointer, I take advantage of capacitors with their legs lower off or bicycle tire valve caps
Pencil and eraser

Recreation Guidelines

✱ Board Setup:

Each gamers begin with all registers set to zero, aside from the return handle register (ra), which begins at 1000.
Participant 1’s stack pointer (sp) is initialized at handle 2244.
Participant 2’s stack pointer (sp) is initialized at handle 3844.
The nop instruction pawn isn’t initially positioned on the board.
Each gamers’ program counters (computer) begin at handle 1000, which is the start of the primary perform.
Place the entice pawn at handle 1000.
All reminiscence addresses are set to zero, aside from the pre-loaded program.

✱ Gameplay:

Strikes per Flip: Gamers are required to execute 10 directions throughout their flip.
Execute Directions: Gamers should comply with this system counter and execute both 10 directions or an collected quantity as much as 20. All jumps (jal, beq, and many others.) should be adopted.
Droop Execution: Gamers can choose to droop their flip after executing no less than one instruction, saving the remaining directions for his or her subsequent flip. A most of 20 directions could be collected.
Monkeypatch: In the beginning of every flip, gamers can transfer a nop instruction pawn to any legitimate handle throughout the program reminiscence, starting from 128 to 1188. When this system counter reaches this handle, the instruction will act as a no-operation (nop). Transferring the nop pawn prices the participant their present and subsequent flip, permitting the opponent to execute as much as 20 directions on their subsequent flip. Gamers can not place the nop pawn instantly after it was positioned by the opponent.

◉ Successful Circumstances [HARD MODE]:

Recreation Over: The sport ends when one participant efficiently hacks their opponent to name the game_over() perform.
Draw: It’s attainable that you simply get the sport in a state the place no one can pressure the opposite participant into game_over(), on this case the sport is a draw.

⦿ Successful Circumstances [MEDIUM MODE]:

Stack Overflow: Whoever overflows their stack first wins. Participant 1’s stack ends at 2120 and Participant 2’s finish at 3720.

⊙ Successful Circumstances [EASY MODE]:

Break Free: The winner is the primary participant that leaves the primary loop (executing ret in principal).

✱ Particular Symbols:

✎: This image permits gamers to decide on any 12-bit quantity (0 to 4095) because the speedy worth within the li instruction.
▲: This image permits gamers to decide on a price for the load instruction that’s inside ±128 bytes of their stack pointer. For instance, in case your sp is 2180, you possibly can select a price between 2052 and 2308.

✱ Guidelines and Constraints:

Unlawful Actions: Overwriting a reminiscence handle under 1192, or doing unaligned learn or write (learn or write to handle not a number of of 4), or executing an unlawful instruction will crash your program.
Exception Dealing with: A crash invokes the exception handler, which jumps to the entice handle, initially set to 1000 however you possibly can overwrite it from the set_trap() perform. As soon as an exception occur this system counter and the return handle to the precise worth and also you proceed execution. Your stack pointer is reset to preliminary place. (In actuality solely this system counter will soar to the entice handler, after which it’s going to most likely retailer the registers state deeper on the stack and name some perform to cope with the exception, however in our case we additionally reset the return handle and the stack pointer so the sport state isn’t utterly corrupted)
Dishonest/Errors: If a participant cheats or makes a mistake and is caught, their program state, together with reminiscence and registers, is reset.

Prolonged Guidelines for Extra Gamers:

Participant 3’s stack pointer (sp) register is ready to 2116.
Participant 4’s stack pointer (sp) register is ready to 3716.
▲ image now permits you to write solely -128 bytes away out of your stack pointer.
The sport will probably be fairly unstable with greater than 2 gamers, and will probably be corrupted fairly quick. Will probably be more durable to get to a profitable situation, however the gameplay will probably be extra enjoyable and chaotic.

Hints and Methods:

Offensive Crashes: Make the most of crashes as an offensive technique to disrupt your opponent’s gameplay.
Entice Handler Modification: Alter the entice handler to level to the game_over perform, making the primary participant to crash the loser of the sport. Beware: the nop pawn is extraordinarily highly effective software if the entice is ready to game_over, necause you possibly can put it on high of the ret within the perform that your opponent is presently executing and they’ll lose.
Overwriting Return Handle: Make the most of the bug() perform to overwrite your opponent’s return handle by overflowing the index with a price of 400 or -400, permitting you to entry the opposite participant’s stack. As an example, to transition from handle 3784 (buffer[0] with stack pointer 3780) to handle 2184, an index of -400 is required, calculated as (3784 – 2184) / 4 = 400.
Shellcode Creation: Make use of the copy() perform to copy particular directions and formulate a concise shellcode in your reminiscence, enabling arbitrary writes. Exploit the buffer overflow within the bug() perform to leap to this shellcode. An instance of a easy shellcode for arbitrary write is as follows:
- li a4, ✎ (copy from addr 256, 268)
- li a5, ✎ (out there at addr 136, 144, 1016, and many others.)
- sw a4, 0(a5) (out there at addr 264, 272)
- ret (out there at addr 272, 200, 1060, and many others.)
Copying the ret instruction will result in an infinite loop because the return handle will probably be set to the beginning of the shellcode if you soar into it, inflicting steady execution.
Leaping to Reminiscence: To leap to your reminiscence, exploit the buffer overflow within the bug() perform. By setting the index variable to six, you possibly can write the worth variable on high of the saved return handle on the stack (28(sp)). Upon getting back from bug(), this system copies from 28(sp) into the return handle register. Place the handle of the shellcode you created within the worth variable.

Word:

All jumps are relative to the present program counter, even when they seem as absolute addresses within the disassembler, so jal a4, 0 (machine code 1903) is definitely an infinite loop when executed.

Record of all recreation legitimate directions with machine code 0 to 4095 (RV32 JRI working on a0,a4,a5,sp,ra)

0x00000013 (19) addi zero, zero, 0
0x00000033 (51) add zero, zero, zero
0x00000067 (103) jalr zero, zero, 0
0x0000006f (111) jal zero, 0
0x00000093 (147) addi ra, zero, 0
0x000000b3 (179) add ra, zero, zero
0x000000e7 (231) jalr ra, zero, 0
0x000000ef (239) jal ra, 0
0x00000113 (275) addi sp, zero, 0
0x00000133 (307) add sp, zero, zero
0x00000167 (359) jalr sp, zero, 0
0x0000016f (367) jal sp, 0
0x00000513 (1299) addi a0, zero, 0
0x00000533 (1331) add a0, zero, zero
0x00000567 (1383) jalr a0, zero, 0
0x0000056f (1391) jal a0, 0
0x00000593 (1427) addi a1, zero, 0
0x000005b3 (1459) add a1, zero, zero
0x000005e7 (1511) jalr a1, zero, 0
0x000005ef (1519) jal a1, 0
0x00000613 (1555) addi a2, zero, 0
0x00000633 (1587) add a2, zero, zero
0x00000667 (1639) jalr a2, zero, 0
0x0000066f (1647) jal a2, 0
0x00000713 (1811) addi a4, zero, 0
0x00000733 (1843) add a4, zero, zero
0x00000767 (1895) jalr a4, zero, 0
0x0000076f (1903) jal a4, 0
0x00000793 (1939) addi a5, zero, 0
0x000007b3 (1971) add a5, zero, zero
0x000007e7 (2023) jalr a5, zero, 0
0x000007ef (2031) jal a5, 0

SIMILAR PROJECTS

We made few card video games that you simply may discover helpful, the C recreation and the machine code recreation significantly helped with understainding meeting higher.

Programming Time, which is a recreation to show python and a few extra elementary algorithms, from hash tables to RSA

The C Pointer Game – Pointers, Arrays and Strings, a recreation to show youngsters to have a look at the pc reminiscence and perceive references and values

4917, a recreation to show youngsters machine code and the way the CPU works with reminiscence and registers

The Unix Pipes Game, a recreation to show youngsters to make use of fundamental UNIX instructions: cat, type, grep, head, tail, wc, uniq

The Unix Pipes Game – Process Substitution, an growth of the Unix Pipes Recreation to show course of substitution and in addition: paste, tr, lower, bc

RunLength Encoding for Kids, small playing cards “recreation” to clarify runlength encoding

PUNK0 – The Function Composition Card Game, use playing cards to control a listing and use its values to win the sport

Programming for kids, a log of my journey of instructing my daughter the best way to code

SYMBOLS

The the squares on the left/proper are ascii encoded binary message, you possibly can attempt to decypher it, the white squares are 1, and black on black squares are 0, use the spacing to determine the place the 0’s go.

The colours are minimal, so individuals can print it cheaply, and additionally it is clear on a3 and a4 black and white printers, the one colours used are purple (255,0,0), blue(0,0,255), black (0,0,0) and white (255,255,255).

I’m not a designer, however the present design is possibly twentieth iteration or so, and it got here out after listening to Ghost In The Shell’s Making of a Cyborg for five hours.

The undertaking brand symbolizes the overflow, and it’s randomly generated, the present random seed made me really feel a bit uneasey, so I left it like that.

Spacing on the emblem and {the japanese} textual content is a bit off, that is so as to have the ability to fold the A3 paper in half and never undergo any textual content.

{The japanese} textual content is from the final phrases of The Pirate King, Gol D. Roger: Inherited Will, The Future of the Age, and The Goals of the Individuals. So long as individuals proceed to pursue the which means of Freedom, these items won’t ever stop to be!

No syntax highlighting. I dont use syntax highlighting, and in addition I dont train my daughter to make use of it. I dont have robust choice, nevertheless it simply forces me to suppose that sure issues in code are extra essential than others (relying on the theme). With out highlighting I can do my very own judgement, and may easilly deal with what I feel issues.

CREDITS and THANKS

I want to thank Peter, William, Shantanu, Rares and my daughter who performed 50 completely different variations of the sport, all of which have been fairly unhealthy 🙂 however they didnt hand over. And due to tn1 who helped me lots with the design, significantly telling me what isn’t good.

Additionally large thanks to the individuals engaged on the Terminus Font which is absolute magnificence.

Particular due to OpenMachine’s tinyfive emulator which I used to check the sport, till I wrote my very own for the online model.

Due to gamesounds.xyz for the .wav information I bought for the online model, and in addition Karl Casey @ White Bat Audio for the background music

And naturally many due to the individuals engaged on RISC-V it’s tremendous enjoyable to work with it.

mail: jackdoe@fastmail.com

If in case you have an thought a couple of completely different board or guidelines, otherwise you discover a bug within the board or the web model please ship me an electronic mail, additionally seems I can play this recreation with my daughter and like 2 individuals in my complete contact checklist ????, so if in case you have enjoyable enjoying it I’d love to listen to about it.

ASSEMBLY GUIDE

You’ll find many RISCV meeting guides equivalent to: https://riscv-programming.org/ or riscv-asm-manual , and plenty of interpreters like: cs3410 riscv interpreter, or decoders like luplab’s rvcodecjs which is a good instruction decoder e.g. enter 0x13 (the nop instruction) there and see the way it decodes. In case you are struggling you can even search youtube for ‘risc v meeting tutorial’ and there are lots of actually good movies, sadly I’m not positive which one will give you the results you want, so do not get discouraged and simply strive few of them.

I made some workout routines for my daughter, every day I printed few memory templates and few of the code examples under and she or he simply executed the directions, Some days I modified the code on the fly, or spent extra time explaining casting and buildings for instance. However the fundamental RISC-V meeting she was in a position to perceive fairly quick.

The hangman model is identical as the conventional pdf, however few of the meeting directions are lacking and you must fill them in:

If you should step up your C recreation, we use Beej’s C information: Beej’s Guide to C Programming, significantly the primary 7-8 chapters. However there are lots of superb sources. You can even use the next meeting examples to brush up in your C, a great instance is that this pointer exercise: