At the recent PHDays 9 we held a competition on hacking a plant.
Despite the differences in security level, the hardware of the stands was the same: a Siemens Simatic S7-300 series PLC; an emergency deflation button and a pressure sensor (connected to the digital inputs (DI) of the PLC); relays for pumping in and releasing air (connected to the digital outputs (DO) of the PLC) - see the diagram below.
Depending on the pressure sensor reading and according to its program, the PLC decided whether to deflate or inflate the balloon (opening and closing the corresponding relays). However, every stand had a manual control mode, which made it possible to control the state of the relays without any restrictions.
The stands differed in how hard it was to enable this mode: on the unprotected stand this was easiest, and on the High Security stand it was correspondingly harder.
Five of the six tasks were solved within two days; the top participant earned 233 points (he spent a week preparing for the competition). Three winners: 1st place - a1exdandy, 2nd - Rubikoid, 3rd - Ze.
However, during PHDays nobody managed to take all three stands, so we decided to hold an online competition and published the hardest task in early June. Participants had a month to complete the task, find the flag, and describe the solution in detail and in an engaging way.
Below the cut we publish an analysis of the best solution to the task among those submitted during the past month; it was found by Alexey Kovrizhnykh (a1exdandy) of Digital Security, who took first place in the competition during PHDays. Below we present his write-up with our comments.
Initial analysis
So, the task consisted of an archive with the following files:
- block_upload_traffic.pcapng
- DB100.bin
- hints.txt
The hints.txt file contained useful information and hints for solving the task. Here are its contents:
- Petrovich told me yesterday that blocks can be loaded from PlcSim into Step 7.
- A Siemens Simatic S7-300 series PLC was used on the stand.
- PlcSim is a PLC emulator that lets you run and debug programs for Siemens S7 PLCs.
The DB100.bin file apparently contained the DB100 PLC data block.
As the name suggests, the block_upload_traffic.pcapng file contained a dump of the block upload traffic from the PLC.
It is worth noting that obtaining this traffic dump at the competition stand during the conference was somewhat harder. To do so, one had to understand the script from the TeslaSCADA2 project file. From it one could work out where the RC4-encrypted dump was located and which key was needed to decrypt it. Dumps of the data blocks at the stand could be obtained with an S7 protocol client. For this I used the demo client from the Snap7 package.
Extracting the signal processing blocks from the traffic dump
Looking at the contents of the dump, you can see that it contains the signal processing blocks OB1, FC1, FC2 and FC3.
These blocks need to be extracted. This can be done, for example, with the following script, after first converting the capture from pcapng to pcap format:
#!/usr/bin/env python2
import struct
from scapy.all import *

packets = rdpcap('block_upload_traffic.pcap')

# S7comm header of an ack_data PDU: protocol id, ROSCTR, redundancy id,
# PDU reference, parameter length, data length, error class, error code
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)   # 12 bytes
tpkt_cotp_sz = 7                              # TPKT (4 bytes) + COTP data header (3 bytes)
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = ''
for packet in packets:
    # only the responses sent by the PLC carry the block contents
    if packet.haslayer(IP) and packet.getlayer(IP).src == '10.0.102.11':
        tpkt_cotp_s7 = str(packet.getlayer(TCP).payload)
        if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
            continue
        s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
        s7_hdr = s7[:s7_hdr_sz]
        param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
        s7_param = s7[12:12 + param_sz]
        s7_data = s7[12 + param_sz:]
        if s7_param in ('\x1e\x00', '\x1e\x01'):   # upload: a chunk of block data
            buf += s7_data[4:]                      # skip the 4-byte data header
        elif s7_param == '\x1f':                    # end upload: the block is complete
            with open(next(names), 'wb') as f:
                f.write(buf)
            buf = ''
After examining the resulting files, you can see that they always start with the bytes 70 70 (pp). Now we need to learn how to analyze them. The task hint suggests using PlcSim for this.
Obtaining human-readable instructions from the blocks
First, let's try to program S7-PlcSim by loading several blocks with repeated instructions (= Q 0.0) into it using the Simatic Manager software, and save the resulting PLC from the emulator to the file example.plc. Looking at the file contents, you can easily find the beginning of the loaded blocks by the 70 70 signature we saw earlier. Before each block, apparently, its size is stored as a 4-byte little-endian value.
Having learned the structure of plc files, the following plan for reading S7 PLC programs emerged:
- Using Simatic Manager, we create a block structure in S7-PlcSim identical to the one obtained from the dump. The block sizes must match (this is achieved by filling the blocks with the required number of instructions), as must their names (OB1, FC1, FC2, FC3).
- Save the PLC to a file.
- Replace the contents of the blocks in the resulting file with the blocks from the traffic. The beginning of each block is located by its signature.
- Load the resulting file into S7-PlcSim and view the contents of the blocks in Simatic Manager.
Blocks can be replaced, for example, with the following code:
with open('original.plc', 'rb') as f:
    plc = f.read()

blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
    with open(fname, 'rb') as f:
        blocks.append(f.read())

# every block starts with the 70 70 ('pp') signature; overwrite the emulator's
# blocks in the order in which they were dumped from the traffic
i = plc.find(b'pp')
for block in blocks:
    plc = plc[:i] + block + plc[i + len(block):]
    i = plc.find(b'pp', i + len(block))   # search past the block just written
with open('target.plc', 'wb') as f:
    f.write(plc)
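The plan above depends on the block sizes matching. As an added example (not Alexey's code), the following walks a saved .plc image using the 70 70 signature and the 4-byte little-endian size observed before each block, and refuses a replacement whose size differs; the exact .plc layout and the sample image built here are assumptions, not the real format.

```python
import struct

SIGNATURE = b"pp"   # 0x70 0x70: the bytes every dumped block starts with

def build_sample_plc(blocks):
    """Constructed stand-in for example.plc (assumed layout, not the real format):
    an opaque header followed by [4-byte little-endian size][block] records."""
    img = bytearray(b"PLCSIM-SAMPLE-HEADER")
    for block in blocks:
        img += struct.pack("<I", len(block)) + block
    return bytes(img)

def find_blocks(plc):
    """Return (offset, size) for each block: a 70 70 signature whose preceding
    4 bytes hold a plausible little-endian size (assumed layout)."""
    blocks, pos = [], 0
    while (pos := plc.find(SIGNATURE, pos)) != -1:
        size = struct.unpack_from("<I", plc, pos - 4)[0] if pos >= 4 else 0
        if size < len(SIGNATURE) or pos + size > len(plc):
            pos += 1                 # a 'pp' inside data, not a block header
            continue
        blocks.append((pos, size))
        pos += size                  # skip the body so a 'pp' inside it is not mis-detected
    return blocks

def replace_blocks(plc, new_blocks):
    """Overwrite the image's blocks, in order, with the blocks dumped from the
    traffic (OB1, FC1, FC2, FC3). Sizes must match exactly, as the plan requires."""
    found = find_blocks(plc)
    if len(found) != len(new_blocks):
        raise ValueError(f"image has {len(found)} blocks, {len(new_blocks)} replacements given")
    out = bytearray(plc)
    for (pos, size), block in zip(found, new_blocks):
        if not block.startswith(SIGNATURE):
            raise ValueError(f"replacement for block at {pos:#x} lacks the 70 70 signature")
        if len(block) != size:
            raise ValueError(f"block at {pos:#x} is {size} bytes, replacement is {len(block)}")
        out[pos:pos + size] = block
    return bytes(out)
```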
Alexey took a possibly more complicated, but still correct, route. We expected participants to use the NetToPlcSim program so that PlcSim could communicate over the network, upload the blocks to PlcSim via Snap7, and then download those blocks as a project from PlcSim using the development environment.
By opening the resulting file in S7-PlcSim, you can read the overwritten blocks with Simatic Manager. The main device control functions are in block FC1. Of particular note is the #TEMP0 variable, which, when set, appears to switch the PLC into manual control mode according to the M2.2 and M2.3 memory bits. The value of #TEMP0 is set by function FC3.
To solve the task, you need to analyze the FC3 function and understand what must be done for it to return a logical one.
The signal processing blocks of the Low Security stand at the competition were structured similarly, but to set the #TEMP0 variable it was enough to write the string "my ninja way" into block DB1. Checking the value in another block was straightforward and required no deep knowledge of block programming languages. Obviously, at the High Security level, obtaining manual control was harder and required understanding the intricacies of the STL language (one of the ways to program S7 PLCs).
Reversing block FC3
The contents of block FC3 in STL representation:
L B#16#0
T #TEMP13
T #TEMP15
L P#DBX 0.0
T #TEMP4
CLR
= #TEMP14
M015: L #TEMP4
LAR1
OPN DB 100
L DBLG
TAR1
<=D
JC M016
L DW#16#0
T #TEMP0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
M00d: L B [AR1,P#0.0]
T #TEMP5
L W#16#1
==I
JC M007
L #TEMP5
L W#16#2
==I
JC M008
L #TEMP5
L W#16#3
==I
JC M00f
L #TEMP5
L W#16#4
==I
JC M00e
L #TEMP5
L W#16#5
==I
JC M011
L #TEMP5
L W#16#6
==I
JC M012
JU M010
M007: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0]
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0]
JL M003
JU M001
JU M002
JU M004
M003: JU M005
M001: OPN DB 101
L B [AR2,P#0.0]
T #TEMP0
JU M006
M002: OPN DB 101
L B [AR2,P#0.0]
T #TEMP1
JU M006
M004: OPN DB 101
L B [AR2,P#0.0]
T #TEMP2
JU M006
M00f: +AR1 P#1.0
L B [AR1,P#0.0]
L C#8
*I
T #TEMP11
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
TAR1 #TEMP4
OPN DB 101
L P#DBX 0.0
LAR1
L #TEMP11
+AR1
LAR2 #TEMP9
L B [AR2,P#0.0]
T B [AR1,P#0.0]
L #TEMP4
LAR1
JU M006
M008: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU M005
M00b: L #TEMP3
T #TEMP0
JU M006
M00a: L #TEMP3
T #TEMP1
JU M006
M00c: L #TEMP3
T #TEMP2
JU M006
M00e: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M011: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M012: L #TEMP15
INC 1
T #TEMP15
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #TEMP4
L B#16#0
T #TEMP6
JU M006
M014: L #TEMP4
LAR1
L #TEMP13
L L#1
+I
T #TEMP13
JU M006
M006: L #TEMP0
T MB 100
L #TEMP1
T MB 101
L #TEMP2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU M005
M010: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #TEMP4
M005: TAR1 #TEMP4
CLR
= #TEMP16
L #TEMP13
L L#20
==I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M017
L #TEMP13
L L#20
<I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M018
JU M019
M017: SET
= #TEMP14
JU M016
M018: CLR
= #TEMP14
JU M016
M019: CLR
O #TEMP14
= #RET_VAL
JU M015
M016: CLR
O #TEMP14
= #RET_VAL
The code is quite long and may look complicated to someone unfamiliar with STL. There is no point in analyzing every instruction within this article; a detailed description of the STL instructions and the language's capabilities can be found in the reference manual.
Code after processing
# Initialization of the various variables
L B#16#0
T #CHECK_N # Counter of successfully passed checks
T #COUNTER_N # Counter of the total number of checks
L P#DBX 0.0
T #POINTER # Pointer to the current instruction
CLR
= #PRE_RET_VAL
# Main loop of the bytecode interpreter
LOOP: L #POINTER
LAR1
OPN DB 100
L DBLG
TAR1
<=D # Check whether the pointer has run past the end of the program
JC FINISH
L DW#16#0
T #REG0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
# switch-case construct for dispatching the different opcodes
M00d: L B [AR1,P#0.0]
T #OPCODE
L W#16#1
==I
JC OPCODE_1
L #OPCODE
L W#16#2
==I
JC OPCODE_2
L #OPCODE
L W#16#3
==I
JC OPCODE_3
L #OPCODE
L W#16#4
==I
JC OPCODE_4
L #OPCODE
L W#16#5
==I
JC OPCODE_5
L #OPCODE
L W#16#6
==I
JC OPCODE_6
JU OPCODE_OTHER
# Opcode 01 handler: load the value DB101[X] into register Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0] # Load argument X (index into DB101)
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0] # Load argument Y (register index)
JL M003 # switch-case analogue on the value of Y
JU M001 # to select the register to write to.
JU M002 # Similar constructs are used in the other
JU M004 # operations below for the same purpose
M003: JU LOOPEND
M001: OPN DB 101
L B [AR2,P#0.0]
T #REG0 # Write the value DB101[X] into REG[0]
JU PRE_LOOPEND
M002: OPN DB 101
L B [AR2,P#0.0]
T #REG1 # Write the value DB101[X] into REG[1]
JU PRE_LOOPEND
M004: OPN DB 101
L B [AR2,P#0.0]
T #REG2 # Write the value DB101[X] into REG[2]
JU PRE_LOOPEND
# Opcode 02 handler: load the value X into register Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU LOOPEND
M00b: L #TEMP3
T #REG0
JU PRE_LOOPEND
M00a: L #TEMP3
T #REG1
JU PRE_LOOPEND
M00c: L #TEMP3
T #REG2
JU PRE_LOOPEND
# Opcode 03 is not used in the program, so it is skipped here
...
# Opcode 04 handler: compare registers X and Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
OPCODE_4: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # first argument: X
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[X]
LAR2 #TEMP10 # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12 # ~(REG[Y] & REG[X])
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) - an equality test in disguise (this is XOR: zero only when the registers are equal)
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# Opcode 05 handler: subtract register Y from X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I # ACCU1 = ACCU2 - ACCU1, REG[X] - REG[Y]
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# Opcode 06 handler: increment #CHECK_N when registers X and Y are equal
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L #COUNTER_N
INC 1
T #COUNTER_N
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # REG[X]
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[X]
LAR2 #TEMP10 # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #POINTER
L B#16#0
T #TEMP6
JU PRE_LOOPEND
M014: L #POINTER
LAR1
# Increment the value of #CHECK_N
L #CHECK_N
L L#1
+I
T #CHECK_N
JU PRE_LOOPEND
PRE_LOOPEND: L #REG0
T MB 100
L #REG1
T MB 101
L #REG2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU LOOPEND
OPCODE_OTHER: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #POINTER
LOOPEND: TAR1 #POINTER
CLR
= #TEMP16
L #CHECK_N
L L#20
==I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
# All checks passed if #CHECK_N == #COUNTER_N == 20
JC GOOD
L #CHECK_N
L L#20
<I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
JC FAIL
JU M019
GOOD: SET
= #PRE_RET_VAL
JU FINISH
FAIL: CLR
= #PRE_RET_VAL
JU FINISH
M019: CLR
O #PRE_RET_VAL
= #RET_VAL
JU LOOP
FINISH: CLR
O #PRE_RET_VAL
= #RET_VAL
Having understood the virtual machine's instructions, let's write a small disassembler to analyze the bytecode in block DB100:
import string

alph = string.ascii_letters + string.digits
with open('DB100.bin', 'rb') as f:
    m = f.read()

# every instruction is three bytes: opcode, X, Y
pc = 0
while pc < len(m):
    op = m[pc]
    if op == 1:                     # REG[Y] = DB101[X]
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:                   # REG[Y] = X (immediate)
        c = chr(m[pc + 1])
        c = c if c in alph else '?'
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:                   # REG[0] = 0; REG[X] = (REG[X] == REG[Y])
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:                   # REG[0] = 0; REG[X] = REG[X] - REG[Y]
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:                   # CHECK_N += (REG[X] == REG[Y])
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break
As a result, we get the following virtual machine code:
Virtual machine code
R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
As you can see, this program simply checks each character from DB101 for equality with a certain value. The final string that passes all the checks is: n0w u 4r3 7h3 m4573r. If this string is placed in block DB101, manual PLC control is enabled and it becomes possible to inflate or deflate the airship.
That's all! Alexey demonstrated a high level of knowledge worthy of an industrial ninja :) We have sent the winner memorable prizes. Many thanks to all participants!
Source: www.hab.com
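As an added example (not part of Alexey's write-up), here is the FC3 bytecode interpreter modelled in Python, with a solver that derives the expected DB101 contents from the program itself rather than reading them off the disassembly. The bytecode is re-assembled from the listing above because DB100.bin is not reproduced here; the function names, the parameterised check count and the decision to treat an unknown opcode as an error are mine, while the restart on a failed check follows the STL.

```python
OP_LOAD_DB, OP_LOAD_IMM, OP_XOR, OP_SUB, OP_CHECK = 1, 2, 4, 5, 6   # opcodes handled by FC3
# DB100 program re-assembled from the disassembly listing above (constructed input;
# DB100.bin itself is not reproduced). ("eq", c): DB101[i] == c; ("sub", a, b): DB101[i] - a - b == 0
PROGRAM = [("eq", 0x6e), ("sub", 0x10, 0x20), ("eq", 0x77), ("sub", 0x0a, 0x16), ("eq", 0x75),
           ("sub", 0x0a, 0x16), ("eq", 0x34), ("sub", 0x26, 0x4c), ("eq", 0x33), ("sub", 0x0a, 0x16),
           ("eq", 0x37), ("sub", 0x22, 0x46), ("eq", 0x33), ("sub", 0x0a, 0x16), ("eq", 0x6d),
           ("sub", 0x11, 0x23), ("eq", 0x35), ("sub", 0x12, 0x25), ("eq", 0x33), ("sub", 0x26, 0x4c)]

def assemble(program):
    """Emit 3-byte (opcode, X, Y) instructions in the FC3 encoding."""
    code = bytearray()
    for i, (kind, *consts) in enumerate(program):
        code += bytes([OP_LOAD_DB, i, 1])                          # R1 = DB101[i]
        for c in consts:
            code += bytes([OP_LOAD_IMM, c, 2])                      # R2 = c
            code += bytes([OP_XOR if kind == "eq" else OP_SUB, 1, 2])
        code += bytes([OP_CHECK, 1, 0])                             # CHECK (R1 == R0)
    return bytes(code)

def run(code, db101, n_checks=20):
    """Emulate FC3 on DB100 bytecode; True means RET_VAL = 1 (manual mode enabled). FC3 hard-codes 20 checks."""
    reg = [0, 0, 0]                          # REG[0..2] live in MB100..MB102
    pc = check_n = counter_n = 0
    while pc + 3 <= len(code):
        op, x, y = code[pc], code[pc + 1], code[pc + 2]
        pc += 3
        if op == OP_LOAD_DB:
            reg[y] = db101[x] if x < len(db101) else 0
        elif op == OP_LOAD_IMM:
            reg[y] = x
        elif op == OP_XOR:                   # ~(a & b) & (a | b) == a ^ b: zero iff equal
            reg[x] ^= reg[y]
            reg[0] = 0
        elif op == OP_SUB:                   # -I, stored back as a single byte
            reg[x] = (reg[x] - reg[y]) & 0xFF
            reg[0] = 0
        elif op == OP_CHECK:
            counter_n += 1
            if reg[x] == reg[y]:
                check_n += 1
            else:
                pc = 0                       # failed check: FC3 restarts from the first instruction
            if counter_n == n_checks:        # LOOPEND: GOOD only if every counted check passed
                return check_n == n_checks
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pc - 3}")
    return False                             # ran past the end of DB100: FINISH with RET_VAL = 0

def solve(code):
    """Recover the DB101 bytes the program expects. Each CHECK group reads exactly one
    DB101 byte, so every byte can be brute-forced on its own (256 trials per group)."""
    key, start = bytearray(), 0
    for pc in range(0, len(code), 3):
        if code[pc] != OP_CHECK:
            continue
        group, start = code[start:pc + 3], pc + 3
        idx = next(group[j + 1] for j in range(0, len(group), 3) if group[j] == OP_LOAD_DB)
        key += bytes(max(0, idx + 1 - len(key)))                    # grow to cover this index
        for cand in range(256):
            trial = key[:idx] + bytes([cand]) + key[idx + 1:]
            if run(group, trial, n_checks=1):
                key[idx] = cand
                break
    return bytes(key)
```

solve(assemble(PROGRAM)) yields the same string the disassembly gives by hand, and run() with any other 20-byte DB101 returns False after the counter reaches 20.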