In the footsteps of the Industrial Ninja: how a PLC was hacked at Positive Hack Days 9

At PHDays 9 we held a contest on hacking a gas-pumping plant, the Industrial Ninja contest. There were three stands on site with different security settings (No Security, Low Security, High Security), each emulating the same industrial process: air is pumped under pressure into a balloon (and then released).

Despite the different security parameters, the hardware of the stands was the same: a Siemens Simatic S7-300 series PLC; an emergency stop button and a pressure gauge (connected to the PLC's digital inputs, DI); valves for letting air in and releasing it (connected to the PLC's digital outputs, DO). See the photo in the original post.


Depending on the pressure readings and according to its program, the PLC decided whether to deflate or inflate the balloon (opening and closing the corresponding valves). However, all the stands had a manual control mode, which made it possible to control the state of the valves without any restrictions.

The stands differed in how hard it was to enable this mode: on the unprotected stand it was easiest, while on the High Security stand it was considerably harder.

Five of the six tasks were solved over the two days; the first-place participant scored 233 points (he had spent a week preparing for the contest). The three winners: I - a1exdandy, II - Rubikoid, III - Ze.

However, during PHDays none of the participants managed to beat all three stands, so we decided to hold an online contest and published the hardest task at the beginning of June. Participants had a month to complete the task, find the flag, and describe the solution in a detailed and interesting way.

Below the cut we publish an analysis of the best solution to the task among those sent in during that month, by Alexey Kovrizhnykh (a1exdandy) from Digital Security, who took 1st place in the competition during PHDays. Below is his write-up, with our comments.

Initial analysis

So, the task came with an archive containing the following files:

  • block_upload_traffic.pcapng
  • DB100.bin
  • hints.txt

The hints.txt file contains important information and hints for solving the task. Here are its contents:

  1. Petrovich told me yesterday that you can load blocks from PlcSim into Step7.
  2. The stand uses a Siemens Simatic S7-300 series PLC.
  3. PlcSim is a PLC emulator that lets you run and debug programs for Siemens S7 PLCs.

The DB100.bin file appears to contain the PLC's DB100 data block:

00000000: 0100 0102 6e02 0401 0206 0100 0101 0102  ....n...........
00000010: 1002 0501 0202 2002 0501 0206 0100 0102  ...... .........
00000020: 0102 7702 0401 0206 0100 0103 0102 0a02  ..w.............
00000030: 0501 0202 1602 0501 0206 0100 0104 0102  ................
00000040: 7502 0401 0206 0100 0105 0102 0a02 0501  u...............
00000050: 0202 1602 0501 0206 0100 0106 0102 3402  ..............4.
00000060: 0401 0206 0100 0107 0102 2602 0501 0202  ..........&.....
00000070: 4c02 0501 0206 0100 0108 0102 3302 0401  L...........3...
00000080: 0206 0100 0109 0102 0a02 0501 0202 1602  ................
00000090: 0501 0206 0100 010a 0102 3702 0401 0206  ..........7.....
000000a0: 0100 010b 0102 2202 0501 0202 4602 0501  ......".....F...
000000b0: 0206 0100 010c 0102 3302 0401 0206 0100  ........3.......
000000c0: 010d 0102 0a02 0501 0202 1602 0501 0206  ................
000000d0: 0100 010e 0102 6d02 0401 0206 0100 010f  ......m.........
000000e0: 0102 1102 0501 0202 2302 0501 0206 0100  ........#.......
000000f0: 0110 0102 3502 0401 0206 0100 0111 0102  ....5...........
00000100: 1202 0501 0202 2502 0501 0206 0100 0112  ......%.........
00000110: 0102 3302 0401 0206 0100 0113 0102 2602  ..3...........&.
00000120: 0501 0202 4c02 0501 0206 0100            ....L.......

As the name suggests, the block_upload_traffic.pcapng file contains a dump of the traffic from uploading blocks from the PLC.

It is worth noting that obtaining this traffic dump at the contest site during the conference was somewhat harder. To do so, you had to understand the script from the TeslaSCADA2 project file. From it one could learn where the RC4-encrypted dump was located and the key needed to decrypt it. A dump of the data block at the site could be obtained with an S7 protocol client. For this I used the demo client from the Snap7 package.

Extracting the signal processing blocks from the traffic dump

Looking at the contents of the dump, you can see that it contains the signal processing blocks OB1, FC1, FC2 and FC3.

These blocks need to be extracted. This can be done, for example, with the following script, after first converting the capture from the pcapng format to pcap:

#!/usr/bin/env python3
# Python 3 version of the extraction script: the packets sent by the PLC
# (10.0.102.11) carry the S7 ack-data responses to the upload requests.

import struct
from scapy.all import rdpcap, IP, TCP

packets = rdpcap('block_upload_traffic.pcap')
s7_hdr_struct = '>BBHHHHBB'      # S7 ack-data header: 12 bytes
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7                 # TPKT (4 bytes) + COTP data TPDU (3 bytes)
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = b''

for packet in packets:
    if IP in packet and TCP in packet and packet.getlayer(IP).src == '10.0.102.11':
        tpkt_cotp_s7 = bytes(packet.getlayer(TCP).payload)
        if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
            continue
        s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
        s7_hdr = s7[:s7_hdr_sz]
        param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]   # parameter length
        s7_param = s7[12:12+param_sz]
        s7_data = s7[12+param_sz:]
        if s7_param in (b'\x1e\x00', b'\x1e\x01'):  # upload; 0x01 = more data follows
            buf += s7_data[4:]                       # skip return code, transport size, length
        elif s7_param == b'\x1f':                    # end upload: the block is complete
            with open(next(names), 'wb') as f:
                f.write(buf)
            buf = b''
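The following is an added example, not Alexey's script or Snap7 code. It shows the frame layout the extraction script relies on (TPKT + COTP data TPDU + 12-byte S7 ack-data header + parameters + data) and reassembles upload chunks from constructed frames, so it runs without a capture. The frame builders, the two sample blocks, the PDU references and the start-upload parameter bytes are constructed for illustration; the parser also rejects a TCP payload whose TPKT length does not match its size, a case the one-PDU-per-segment assumption of the script above would silently mis-parse.

```python
import struct

# Layout assumed by the extraction script: TPKT (4) + COTP DT (3) + S7 header.
TPKT_COTP_DT_SIZE = 7
# S7 ack-data header: protocol id, ROSCTR, reserved, PDU ref, param length,
# data length, error class, error code (12 bytes).
S7_ACK_DATA_HDR = struct.Struct(">BBHHHHBB")
ROSCTR_ACK_DATA = 0x03
FUNC_START_UPLOAD, FUNC_UPLOAD, FUNC_END_UPLOAD = 0x1D, 0x1E, 0x1F


def build_ack_data(pdu_ref, param, data=b""):
    """Wrap an S7 ack-data PDU in a COTP data TPDU and TPKT, as a PLC sends it."""
    s7 = S7_ACK_DATA_HDR.pack(0x32, ROSCTR_ACK_DATA, 0, pdu_ref,
                              len(param), len(data), 0, 0) + param + data
    cotp = bytes([0x02, 0xF0, 0x80])          # length, DT type, TPDU number + EOT
    return struct.pack(">BBH", 3, 0, 4 + len(cotp) + len(s7)) + cotp + s7


def build_upload_response(pdu_ref, chunk, more):
    """Upload (0x1E) response; status byte 0x01 means more chunks follow."""
    param = bytes([FUNC_UPLOAD, 0x01 if more else 0x00])
    # data section: return code 0xFF, transport size (octet string), length, bytes
    data = bytes([0xFF, 0x09]) + struct.pack(">H", len(chunk)) + chunk
    return build_ack_data(pdu_ref, param, data)


def parse_ack_data(payload):
    """Return (param, data) of one ack-data PDU, or None for anything else."""
    if len(payload) < TPKT_COTP_DT_SIZE + S7_ACK_DATA_HDR.size:
        return None
    if payload[0] != 3 or struct.unpack(">H", payload[2:4])[0] != len(payload):
        raise ValueError("TPKT length does not match the TCP payload: segmented PDU")
    if payload[5] != 0xF0:                    # not a COTP data TPDU
        return None
    s7 = payload[TPKT_COTP_DT_SIZE:]
    proto, rosctr, _, _, plen, dlen, err_cls, err_code = S7_ACK_DATA_HDR.unpack_from(s7)
    if proto != 0x32 or rosctr != ROSCTR_ACK_DATA:
        return None
    if err_cls or err_code:
        raise ValueError("PLC reported error class %#x code %#x" % (err_cls, err_code))
    off = S7_ACK_DATA_HDR.size
    return s7[off:off + plen], s7[off + plen:off + plen + dlen]


def reassemble_upload_blocks(payloads):
    """Concatenate upload chunks; every end-upload response closes one block."""
    blocks, buf = [], b""
    for payload in payloads:
        parsed = parse_ack_data(payload)
        if parsed is None:
            continue
        param, data = parsed
        if param[0] == FUNC_UPLOAD:
            rc, length = data[0], struct.unpack(">H", data[2:4])[0]
            if rc != 0xFF:
                raise ValueError("upload chunk returned code %#x" % rc)
            buf += data[4:4 + length]
        elif param[0] == FUNC_END_UPLOAD:
            blocks.append(buf)
            buf = b""
        # FUNC_START_UPLOAD only announces the block length; it carries no block bytes
    return blocks


def sample_capture():
    """Constructed PLC-to-client payloads for two blocks split into several chunks."""
    ob1 = b"pp" + bytes(range(1, 40))          # 41 bytes, starts with the 70 70 signature
    fc1 = b"pp" + bytes(range(40, 120))        # 82 bytes
    frames = []
    for ref, block in ((0x100, ob1), (0x200, fc1)):
        # start-upload response: function, status, 2 bytes, upload id, length string
        start = (bytes([FUNC_START_UPLOAD, 0, 0, 0]) + struct.pack(">I", 7)
                 + bytes([7]) + b"%07d" % len(block))
        frames.append(build_ack_data(ref, start))
        chunks = [block[i:i + 32] for i in range(0, len(block), 32)]
        for n, chunk in enumerate(chunks):
            frames.append(build_upload_response(ref + n + 1, chunk, n < len(chunks) - 1))
        frames.append(build_ack_data(ref + len(chunks) + 1, bytes([FUNC_END_UPLOAD])))
    # an unrelated read-var response (function 0x04) must be ignored by the reassembler
    frames.append(build_ack_data(0x999, bytes([0x04]), b"\xff\x04\x00\x10\x12\x34"))
    return frames, [ob1, fc1]


if __name__ == "__main__":
    frames, expected = sample_capture()
    for block in reassemble_upload_blocks(frames):
        print(len(block), block[:2], block == expected[0] or block == expected[1])
```

With scapy, the list passed to reassemble_upload_blocks would be `bytes(p[TCP].payload)` for every packet from the PLC, in capture order; if the PLC split a PDU across two TCP segments the ValueError above is the signal to reassemble the stream first.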

Having examined the blocks, you will notice that they always begin with the bytes 70 70 (pp). Now we need to learn how to analyze them. The task plan suggests using PlcSim for this.

Obtaining human-readable instructions from the blocks

First, let's try programming S7-PlcSim via Simatic Manager with a block consisting of a repeated instruction (= Q 0.0), and save the resulting PLC from the emulator into the file example.plc. Looking at the contents of the file, you can locate the start of the loaded block by the 70 70 signature we found earlier. Before the blocks, evidently, the block size is written as a 4-byte little-endian value.

Having obtained information about the structure of plc files, the following plan for reading the S7 PLC program emerged:

  1. Using Simatic Manager, create in S7-PlcSim a block structure similar to the one obtained from the dump. The block sizes must match (this is achieved by padding the blocks with the required number of instructions), as must their identifiers (OB1, FC1, FC2, FC3).
  2. Save the PLC to a file.
  3. Replace the contents of the blocks in the resulting file with the blocks from the traffic dump. The start of each block is determined by its signature.
  4. Load the resulting file into S7-PlcSim and view the block contents in Simatic Manager.

The blocks can be replaced, for example, with the following code:

# Overwrite the blocks of the PlcSim image with the blocks extracted from the capture.
# The blocks in original.plc must have the same sizes as the extracted ones (see step 1).
with open('original.plc', 'rb') as f:
    plc = f.read()
blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
    with open(fname, 'rb') as f:
        blocks.append(f.read())

i = plc.find(b'pp')                       # every block starts with the 70 70 signature
for block in blocks:
    plc = plc[:i] + block + plc[i+len(block):]
    i = plc.find(b'pp', i + len(block))   # continue searching after the block just written

with open('target.plc', 'wb') as f:
    f.write(plc)

Alexey took a harder, but still correct, route. We assumed that participants would use the NetToPlcSim program so that PlcSim could communicate over the network, upload the blocks into PlcSim via Snap7, and then download them from PlcSim as a project using the development environment.

Opening the resulting file in S7-PlcSim, you can read the overwritten blocks with Simatic Manager. The main device control functions are written in block FC1. Of particular note is the variable #TEMP0, which, when set, switches the PLC control into manual mode driven by the values at memory addresses M2.2 and M2.3. The value of #TEMP0 is set by function FC3.

To solve the task, you need to analyze function FC3 and understand what has to be done for it to return a logical one.

The PLC signal processing blocks at the low-security stand at the contest site were organized similarly, but to set #TEMP0 it was enough to write the string my ninja into block DB1. The check of the value in the block was straightforward and did not require deep knowledge of the block programming language. Obviously, at the high security level, obtaining manual control became much harder and required understanding the intricacies of the STL language (one of the main ways of programming S7 PLCs).

Reversing the FC3 block

Contents of the FC3 block in STL representation:

      L     B#16#0
      T     #TEMP13
      T     #TEMP15
      L     P#DBX 0.0
      T     #TEMP4
      CLR   
      =     #TEMP14
M015: L     #TEMP4
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D   
      JC    M016
      L     DW#16#0
      T     #TEMP0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  
M00d: L     B [AR1,P#0.0]
      T     #TEMP5
      L     W#16#1
      ==I   
      JC    M007
      L     #TEMP5
      L     W#16#2
      ==I   
      JC    M008
      L     #TEMP5
      L     W#16#3
      ==I   
      JC    M00f
      L     #TEMP5
      L     W#16#4
      ==I   
      JC    M00e
      L     #TEMP5
      L     W#16#5
      ==I   
      JC    M011
      L     #TEMP5
      L     W#16#6
      ==I   
      JC    M012
      JU    M010
M007: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M003
      JU    M001
      JU    M002
      JU    M004
M003: JU    M005
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP0
      JU    M006
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP1
      JU    M006
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP2
      JU    M006
M00f: +AR1  P#1.0
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      T     #TEMP11
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      TAR1  #TEMP4
      OPN   DB   101
      L     P#DBX 0.0
      LAR1  
      L     #TEMP11
      +AR1  
      LAR2  #TEMP9
      L     B [AR2,P#0.0]
      T     B [AR1,P#0.0]
      L     #TEMP4
      LAR1  
      JU    M006
M008: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    M005
M00b: L     #TEMP3
      T     #TEMP0
      JU    M006
M00a: L     #TEMP3
      T     #TEMP1
      JU    M006
M00c: L     #TEMP3
      T     #TEMP2
      JU    M006
M00e: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M011: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M012: L     #TEMP15
      INC   1
      T     #TEMP15
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0
      LAR1  
      T     #TEMP4
      L     B#16#0
      T     #TEMP6
      JU    M006
M014: L     #TEMP4
      LAR1  
      L     #TEMP13
      L     L#1
      +I    
      T     #TEMP13
      JU    M006
M006: L     #TEMP0
      T     MB   100
      L     #TEMP1
      T     MB   101
      L     #TEMP2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    M005
M010: L     P#DBX 0.0
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #TEMP4
M005: TAR1  #TEMP4
      CLR   
      =     #TEMP16
      L     #TEMP13
      L     L#20
      ==I   
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M017
      L     #TEMP13
      L     L#20
      <I    
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M018
      JU    M019
M017: SET   
      =     #TEMP14
      JU    M016
M018: CLR   
      =     #TEMP14
      JU    M016
M019: CLR   
      O     #TEMP14
      =     #RET_VAL
      JU    M015
M016: CLR   
      O     #TEMP14
      =     #RET_VAL

The code is long and may seem complicated to someone unfamiliar with STL. There is no point in going through every instruction within this article; the full instruction set and capabilities of the STL language can be found in the corresponding manual: Statement List (STL) for S7-300 and S7-400 Programming. Here I will present the same code after processing: labels and variables renamed, with comments added describing the algorithm and some STL constructs. Let me say right away that the block in question contains a virtual machine that executes a certain bytecode located in block DB100, the contents of which we know. A VM instruction consists of 1 byte of opcode and argument bytes, one byte per argument. All the instructions considered have two arguments; in the comments I denote their values as X and Y.

Code after processing:

# Initialization of the various variables
      L     B#16#0
      T     #CHECK_N        # Counter of checks passed successfully
      T     #COUNTER_N      # Counter of the total number of checks executed
      L     P#DBX 0.0
      T     #POINTER        # Pointer to the current instruction
      CLR   
      =     #PRE_RET_VAL

# Main loop of the bytecode interpreter
LOOP: L     #POINTER
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D                   # Check whether the pointer has run past the end of the program
      JC    FINISH
      L     DW#16#0
      T     #REG0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  

# switch - case construct for dispatching the different opcodes
M00d: L     B [AR1,P#0.0]
      T     #OPCODE
      L     W#16#1
      ==I   
      JC    OPCODE_1
      L     #OPCODE
      L     W#16#2
      ==I   
      JC    OPCODE_2
      L     #OPCODE
      L     W#16#3
      ==I   
      JC    OPCODE_3
      L     #OPCODE
      L     W#16#4
      ==I   
      JC    OPCODE_4
      L     #OPCODE
      L     W#16#5
      ==I   
      JC    OPCODE_5
      L     #OPCODE
      L     W#16#6
      ==I   
      JC    OPCODE_6
      JU    OPCODE_OTHER

# Handler for opcode 01: load the value of DB101[X] into register Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]   # Load argument X (index into DB101)
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]   # Load argument Y (register index)
      JL    M003            # switch - case equivalent keyed on the value of Y,
      JU    M001            # selecting the register to write to.
      JU    M002            # The same construct is used in the other
      JU    M004            # operations below for the same purpose
M003: JU    LOOPEND
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG0           # Write the value of DB101[X] into REG[0]
      JU    PRE_LOOPEND
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG1           # Write the value of DB101[X] into REG[1]
      JU    PRE_LOOPEND
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG2           # Write the value of DB101[X] into REG[2]
      JU    PRE_LOOPEND

# Handler for opcode 02: load the constant X into register Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    LOOPEND
M00b: L     #TEMP3
      T     #REG0
      JU    PRE_LOOPEND
M00a: L     #TEMP3
      T     #REG1
      JU    PRE_LOOPEND
M00c: L     #TEMP3
      T     #REG2
      JU    PRE_LOOPEND

# Opcode 03 is not used in the program, so we skip it
...

# Handler for opcode 04: compare registers X and Y
# OP04(X, Y): REG[0] = 0; REG[X] = REG[X] XOR REG[Y]  (zero exactly when REG[X] == REG[Y])
OPCODE_4: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument - X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument - Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12         # ~(REG[Y] & REG[X])
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW                    # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) = REG[X] XOR REG[Y]: zero when equal
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 05: subtract register Y from register X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I                    # ACCU1 = ACCU2 - ACCU1, i.e. REG[X] - REG[Y]
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 06: increment #CHECK_N when registers X and Y are equal
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L     #COUNTER_N
      INC   1
      T     #COUNTER_N
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument - X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument - Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0       # Registers differ: reset the pointer to the start of the program
      LAR1  
      T     #POINTER
      L     B#16#0
      T     #TEMP6
      JU    PRE_LOOPEND
M014: L     #POINTER
      LAR1  
# Increment #CHECK_N
      L     #CHECK_N
      L     L#1
      +I    
      T     #CHECK_N
      JU    PRE_LOOPEND

PRE_LOOPEND: L     #REG0
      T     MB   100
      L     #REG1
      T     MB   101
      L     #REG2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    LOOPEND

OPCODE_OTHER: L     P#DBX 0.0
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #POINTER

LOOPEND: TAR1  #POINTER
      CLR   
      =     #TEMP16
      L     #CHECK_N
      L     L#20
      ==I   
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
# All checks passed if #CHECK_N == #COUNTER_N == 20
      JC    GOOD
      L     #CHECK_N
      L     L#20
      <I    
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
      JC    FAIL
      JU    M019
GOOD: SET   
      =     #PRE_RET_VAL
      JU    FINISH
FAIL: CLR   
      =     #PRE_RET_VAL
      JU    FINISH
M019: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL
      JU    LOOP
FINISH: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL

Having understood the VM instructions, let's write a small disassembler to decode the bytecode in block DB100:

# Disassembler for the DB100 bytecode: every instruction is an opcode byte
# followed by two one-byte arguments (X, Y).
import string
alph = string.ascii_letters + string.digits

with open('DB100.bin', 'rb') as f:
    m = f.read()

pc = 0

while pc < len(m):
    op = m[pc]
    if op == 1:
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:
        c = chr(m[pc + 1])
        c = c if c in alph else '?'
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:
        # XOR of the two registers: the result is zero exactly when they are equal
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break

As a result, we get the following virtual machine code:

Virtual machine code

R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

As you can see, the program checks each character from DB101 for equality with a certain value. The resulting string that passes all the checks is: n0w u 4r3 7h3 m4573r. If this string is placed in block DB101, manual PLC control is activated and it becomes possible to inflate or burst the balloon.
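As an added example (not part of Alexey's write-up), the following Python script models the interpreter loop of FC3 from the annotated STL above and then brute-forces DB101 one byte per CHECK, which recovers the same string without reading the listing by hand. The DB100 bytes are the ones from the dump at the start of the task; the register and memory model (R0..R2 in MB100..MB102, R0 cleared before each instruction, restart from the beginning on a failed CHECK, verdict after the 20th CHECK) is taken from the STL. Opcode 03 is implemented from the M00f handler of the raw listing although this program never uses it, and the solver assumes every instruction is three bytes, which holds for opcodes 1 to 6.

```python
CHECKS_REQUIRED = 20   # the L#20 compared against #CHECK_N and #COUNTER_N in LOOPEND

# Contents of DB100 as dumped above (opcode, X, Y triples).
DB100 = bytes.fromhex(
    "010001026e0204010206010001010102"
    "10020501020220020501020601000102"
    "01027702040102060100010301020a02"
    "05010202160205010206010001040102"
    "7502040102060100010501020a020501"
    "02021602050102060100010601023402"
    "04010206010001070102260205010202"
    "4c020501020601000108010233020401"
    "02060100010901020a02050102021602"
    "050102060100010a0102370204010206"
    "0100010b010222020501020246020501"
    "02060100010c01023302040102060100"
    "010d01020a0205010202160205010206"
    "0100010e01026d02040102060100010f"
    "01021102050102022302050102060100"
    "01100102350204010206010001110102"
    "12020501020225020501020601000112"
    "01023302040102060100011301022602"
    "050102024c02050102060100"
)


def emulate(bytecode, db101, stop_on_fail=False, max_steps=100000):
    """Run FC3's interpreter loop over bytecode with db101 as the input block.

    Returns {'ret': RET_VAL, 'passed': CHECKs passed before the first failure}.
    mem models the M area from MB100 (R0..R2 are MB100..MB102); regs models the
    #REG0..#REG2 temporaries that PRE_LOOPEND copies into MB100..MB102.
    """
    db101 = bytearray(db101).ljust(256, b"\0")
    mem = bytearray(256)
    regs = [0, 0, 0]
    pc = 0                     # #POINTER as a byte offset into DB100
    temp6 = 0                  # #TEMP6: instructions executed since the last restart
    check_n = counter_n = passed = 0
    failed = False

    def pre_loopend():         # PRE_LOOPEND: publish registers, advance past argument Y
        nonlocal pc, temp6
        mem[0:3] = bytes(regs)
        pc += 1
        temp6 += 1

    for _ in range(max_steps):
        if pc >= len(bytecode):            # FINISH: pointer beyond DBLG
            return {"ret": False, "passed": passed}
        regs[0] = 0                        # REG0 is cleared at the top of LOOP
        if temp6 == 0:                     # first instruction after a (re)start
            pc = 0
        op = bytecode[pc]
        x = bytecode[pc + 1] if pc + 1 < len(bytecode) else 0
        y = bytecode[pc + 2] if pc + 2 < len(bytecode) else 0
        if op in (1, 2):                   # R[Y] = DB101[X]  /  R[Y] = X
            pc += 2
            if y <= 2:                     # JL with Y > 2 goes to LOOPEND without PRE_LOOPEND
                regs[y] = db101[x] if op == 1 else x
                pre_loopend()
        elif op == 3:                      # DB101[X] = R[Y] (M00f handler; unused here)
            pc += 2
            db101[x] = mem[y]
            pre_loopend()
        elif op in (4, 5):                 # R[X] ^= R[Y]  /  R[X] -= R[Y]; then R0 = 0
            pc += 2
            mem[x] = mem[x] ^ mem[y] if op == 4 else (mem[x] - mem[y]) & 0xFF
            regs[1], regs[2] = mem[1], mem[2]
            pre_loopend()
        elif op == 6:                      # CHECK R[X] == R[Y]
            counter_n += 1
            pc += 2
            if mem[x] == mem[y]:
                check_n += 1
                if not failed:
                    passed += 1
            else:
                failed = True
                if stop_on_fail:
                    return {"ret": False, "passed": passed}
                pc, temp6 = 0, 0           # M013: restart the program from the beginning
            pre_loopend()
        else:                              # OPCODE_OTHER: restart without advancing
            pc, temp6 = 0, 0
        # LOOPEND: the verdict is final once 20 CHECKs have executed
        if counter_n == CHECKS_REQUIRED:
            return {"ret": check_n == CHECKS_REQUIRED, "passed": passed}
    raise RuntimeError("step limit reached")


def solve(bytecode):
    """Recover DB101 byte by byte: each CHECK depends on the DB101 byte loaded last."""
    deps, last_load = [], None
    for pc in range(0, len(bytecode) - 2, 3):     # opcodes 1..6 are all 3 bytes long
        op, x = bytecode[pc], bytecode[pc + 1]
        if op == 1:
            last_load = x
        elif op == 6:
            if last_load is None:
                raise ValueError("CHECK before any DB101 load")
            deps.append(last_load)
    db101 = bytearray(max(deps) + 1)
    for k, idx in enumerate(deps):
        for candidate in range(256):
            db101[idx] = candidate
            if emulate(bytecode, db101, stop_on_fail=True)["passed"] > k:
                break
        else:
            raise ValueError("no byte satisfies check %d" % k)
    return bytes(db101)


if __name__ == "__main__":
    flag = solve(DB100)
    print(flag, emulate(DB100, flag)["ret"])
```

The solver works per CHECK rather than per opcode, so it also handles the subtract-twice segments (where the byte is the sum of the two constants) without special cases, and a wrong candidate is rejected after at most one pass through the bytecode because of stop_on_fail.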


That's all! Alexey demonstrated a level of knowledge worthy of an industrial ninja :) We sent the winner a memorable prize. Many thanks to all participants!

isi: www.habr.com
