αα PHDays 9 α α»αααααα ααΎαααΆααααα αααΆαααααα½ααααααααα½αααΎααααΈ hack αααα αααααΌαα§ααααα - ααΆαααααα½ααααααα . ααΆαααααααααα ααα½αααΈαα ααΎααα ααααααααααΆααααΆαααΆαααααααα»ααααα·ααΆαααααααααααΆ (ααααΆαααααα·αα»α αα»ααααα·ααΆαααΆα αα»ααααα·ααΆαααααα) αααααααΆααααΆαααααΎαααΆαα§ααααΆα ααααααΌα ααααΆα αααααααααααααααΆαααααΌαααΆαααΌαα αΌααα αααα»ααααααααααα½α (α αΎααααααΆαααααααα αα)α
αααααΈααΆααΆααααΆαααΆαααααααα»ααααα·ααΆααα»ααααααΆααααα αααΆαααΆααααααααΉαααααααααααααΊααΌα ααααΆα αααααΈ Siemens Simatic PLC S7-300; αααΌαα»αααα·αααααααΆαααααααααααααΆαα αα·αα§αααααααΆαααααααΆα (ααααΆααααΆαα½αααΆαα»αααα αΌαααΈααΈαα PLC (DI)); αααΆαααααααααΎαααΆααααααΆααα’αα·ααααΆ αα·αααα·αααααααΆααααααα (ααααΆαααα ααΉαααααααααΈααΈαααα PLC (DO)) - ααΌαααΎαααΌαααΆααααααα
PLC α’αΆαααααααΎααΆαα’αΆααααααΆα αα·αα’αα»αααααΆααααααα·ααΈααααααΆ ααΆαααααΎααΆααααααα
α
α·αααααΎααααΈααααΎα±ααααΌα
α¬ααααααααΆαα (ααΎα αα·ααα·ααααΆαααααααααΌαααααΆ)α ααααααΆαααΆααααα ααΈααΆααααΆααα’ααααΆααααααααααααααααααα αααααααΎα±ααααΆα’αΆα
αααααααααααααΆαααΆαααααααααα·αααΎαααΆααααααααΆαααΆαααΉααααααΉαααΆαα½αα‘αΎαα
ααααααααααΆαααΆααα»αααααΆαααα»αααΆααααα»αααααΆαααααΆαααΎααααααααα αα ααΈααΆααααααα·αααΆαααΆαααΆαααΆα ααΆααΆααααα½ααααα»ααααα»αααΆαααααΎααΆ α αΎααα ααΈααΆαααα»ααααα·ααΆαααααα ααΆααΆαααΆαααααΆαααΆαα
αααα αΆααααΆααααα»αα ααααααααΆααα½αααααΌαααΆααααααααΆααααα»αααααααααΈααααα; α’αααα αΌααα½αα αααΆααααααΆααααα 233 ααα½αααΆα 1 αα·αααα» (ααΆααααΆαα αααΆαααααα½ααααααΆα ααααα ααααααΆααααΆαααααα½α) α α’αααααααααΈααΆααα αααα»αααΆαα - aXNUMXexdandy, II - Rubikoid, III - Ze α
αααααΆαααΆαααΆααααα αααα»αα’αα‘α»αααα PHDays ααααΆαα’αααα αΌααα½αααΆααααΆααα’αΆα ααααααααΎααα αααΆααααΈααΆααα ααΌα ααααα αΎαααΎαααΆααααααα α α·ααααααααΎαααΆαααααα½αααααααααΆαα’ααΈαααΊαα·α α αΎααααααααΆααα·α αα ααΆαααααααΆααααα»ααα ααΎααααα·αα»ααΆα α’αααα αΌααα½αααααΌααααααααΆααα·α αα αααα»ααααααααα½ααα ααααααααααααΆαα· αα·ααααααΆα’αααΈαααααααααΆααααΆααααα’α·α αα·αααΆααααααα½αα±ααα αΆααα’αΆααααααα
ααΆααααααααΆαααΆααααα ααΎαααααα»αααααααΆαααΆααα·ααΆααααααααααααΆαααααα’αααα»αα αααααα·α αα ααΆαααΈα’ααααααααΆαααααΎαααα»ααααααααα½ααα ααΆααααΌαααΆαααααΎαααα Alexey Kovrizhnykh (a1exdandy) ααααΈαααα»αα αα»α Digital Security αααααΆααααααΎαα αααΆααααααΆααααα XNUMX αααα»αααΆαααααα½ααααααααααα»αα’αα‘α»αααα PHDays α ααΆααααααααα ααΎααααα αΆαα’αααααααααααΆααΆαα½αααΉαααα·αααααααααααΎαα
ααΆααα·ααΆαααα
ααΌα αααα αα·α αα ααΆαααΆαααααααΆααααααΆαα―αααΆαααΌα ααΆααααααα
- block_upload_traffic.pcapng
- DB100.bin
- ααααααΆααααα½α.txt
α―αααΆα hints.txt ααΆαααααααΆαα αΆαααΆα α αα·αααααααΆααααα½αααΎααααΈαααααααΆααα·α αα ααΆαα αααααΆααααΉαααΆαααααααΆα
- Petrovich ααΆαααααΆαααααα»αααΆαααΈαααα·ααα·αααΆα’αααα’αΆα αααα»ααααα»αααΈ PlcSim α αΌααα αααα»αααα αΆαααΈ 7 α
- Siemens Simatic S7-300 αααααΈ PLC ααααΌαααΆαααααΎαα ααααααααα
- PlcSim ααΊααΆαααααα·ααΈααααΆααααΆα PLC αααα’αα»ααααΆαα±ααα’αααααααΎαααΆα αα·αααααΆααααα α»ααααααα·ααΈαααααΆαα Siemens S7 PLCs α
α―αααΆα DB100.bin α αΆααααΌα ααΆααΆααααα»ααα·αααααα DB100 PLCα 00000000: 0100 0102 6e02 0401 0206 0100 0101 0102 ....n......... 00000010: 1002 0501 0202 α α‘α α’. ..... ......... 2002: 0501 0206 0100 0102 00000020 0102 7702 0401a0206 ..w............. 0100: 0103 0102 0 02 00000030 0501 ................ 0202: 1602 0501 0206 0100 0104 0102 00000040a7502 0401 u............... 0206: 0100 0105 0102 0 02 0501 α α‘α α’ α£α€α α’............α€. 00000050: 0202 1602 0501 0206 0100 0106 0102 3402 ............&..... 4: 00000060c0401 0206 0100 0107 0102 2602 ...... : 0501 0202 00000070 4 02a0501 0206 0100 0108 ................ 0102: 3302 0401 3 00000080a 0206 0100 0109 0102 .......... α§. 0a02: 0501 0202b 1602 00000090 0501 0206 0100 010......".....F... 0102b3702: 0401 0206 7c........ 000000 0 0100.... .. 010c0102: 2202d 0501 0202a4602 0501 000000 0 0206 0100 ................ 010d0102: 3302 0401e 0206 0100d3 000000 0 ...... .... 010e0102: 0 02 0501 0202 1602 0501 0206 000000 ........#...... 0f0100: 010 0102 6 02 0401 0206..... ..... 0100: 010 000000 0 0102 1102 0501 0202 2302......%......... 0501: 0206 0100 000000 0 0110 0102 ..... .....&.3502:0401 0206 0100c0111 0102 5 00000100 ....L......
ααΌα ααααααααααΆααααα αΆα α―αααΆα block_upload_traffic.pcapng αααα»αααΌαα ααΆα ααααααα»αα‘αΎααααα»ααα PLC α
αα½αααααααααΆααααΆααΆαα ααα ααΆα αααααα ααααααααααα½ααααααααααα»αα’αα‘α»ααααααααα·ααΈαααΊαα·ααΆαααΆαααααα·α αααα»αααΆαααα½αααΆαα ααΎααααΈααααΎααΌα ααααααΆα α αΆαααΆα αααααΌααααα’αααΈααααααΈαααΈα―αααΆααααααααααααΆαα TeslaSCADA2α ααΈααΆα’αΆα αααααΆαααΆαααααααααα αααααααΆαα’αα·αααααΈααααααααΎ RC4 ααΆαααΈααΆαααα αα·αα’αααΈαααααααΌαααΆαααααΎααααΎααααΈαα·ααααΈαααΆα ααΆααααα αααααα»ααα·αααααααα ααΎααα αααααα’αΆα ααα½αααΆααααααααΎαααΆαααΈαααααααα·ααΈααΆα S7 α αααααΆααααΏαααα αααα»αααΆαααααΎαααΆαααΈααααααααΆαααααααΈαααα αα Snap7 α
ααΆαααΆααααααα»αααααΎαααΆααααααΆα ααααΈααααααα αΆααααααΆα
αααα‘ααααΎαααααΉαααΆαααααααααα αΆααααααΆα α’αααα’αΆα αααααΆαααΆααΆααΆααααα»αααααΎαααΆααααααΆ OB1, FC1, FC2 αα·α FC3α
αααα»αααΆαααααααααΌαααααα
ααα αααα’αΆα
ααααΌαααΆαααααΎ ααΆα§ααΆα ααα ααΆαα½αααΉαααααααΈαααΆαααααα αααααΆααααααααα
ααΆα
αααΈαααααα pcapng αα
ααΆ pcap ααΈαα»αα
#!/usr/bin/env python2
import struct
from scapy.all import *
packets = rdpcap('block_upload_traffic.pcap')
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = ''
for packet in packets:
if packet.getlayer(IP).src == '10.0.102.11':
tpkt_cotp_s7 = str(packet.getlayer(TCP).payload)
if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
continue
s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
s7_hdr = s7[:s7_hdr_sz]
param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
s7_param = s7[12:12+param_sz]
s7_data = s7[12+param_sz:]
if s7_param in ('x1ex00', 'x1ex01'): # upload
buf += s7_data[4:]
elif s7_param == 'x1f':
with open(next(names), 'wb') as f:
f.write(buf)
buf = ''αααααΆααα·αα·αααααΎααααα»ααααααα α’αααααΉααααααΆααααΎαααΆαα½αααΆαααααα αΆααααααΎαααααα 70 70 (pp)α α₯α‘αΌαα’αααααααΌααααααΈαααααα·ααΆααα½αααα ααΆαααααΆαα’αααΈαα·α αα ααΆαααααΆαααΆα’αααααααΌαααααΎ PlcSim αααααΆααααΏααααα
ααα½αααΆαααΆαααααΆααααα’αΆα α’αΆαααΆαααααααα»αααααΈαααα»α
ααΆααααΌα ααΎαααααΆααΆαααααααααααα·ααΈ S7-PlcSim ααααααα»ααααα»αααΆα αααΎαααΆαα½αααΉαααΆαααααΆαααααα (= Q 0.0) αα αααα»αααΆαααααααΎαααααα·ααΈααααααααα Simmatic α αΎααααααΆαα»α PLC αααααα½αααΆααααα»ααααααα·ααΈααααΆααααΆααα α―αααΆα example.plc α αααααΎαααΎααααΉαααΆαααα―αααΆα α’αααα’αΆα αααααααΆααααΆαααΆααααα½αααΌαααΆαα αΆααααααΎααααααα»ααααααΆαααΆααααααα αααααααΆ 70 70 αααααΎαααΆαααααΎααα»αα αα»αααΉααααα»α ααΆααααααα ααα ααααα»αααααΌαααΆααααααααΆααααα 4-byte little-endian α
αααααΆααααΈααΎαααΆαααα½αααααααΆαα’αααΈαα
ααΆααααααααααα―αααΆαααΈα’α·ααααΈ αααααΆααααααααΆαααΆααααααααΆαααα
α‘αΎααααααΆααααΆαα’αΆααααααα·ααΈ PLC S7α
- αααααααΎαααααα·ααΈααααααααα Simatic ααΎααααααΎααα ααΆαααααααααααα»ααα αααα»α S7-PlcSim ααααααααΉαα’αααΈαααααΎαααΆαααα½αααΈααααααα αΆααααααΆαα ααα ααααα»αααααΌαααααααΌαααα (αααααααΌαααΆααααααα αααααΆαααααααααα»αααΆαα½αααΉαα ααα½αααΆαααααΆααααααααΌαααΆα) αα·αααΆααααααα’ααααααααΆααααααα½ααα (OB1, FC1, FC2, FC3) α
- αααααΆαα»α PLC αα αααα»αα―αααΆααα½αα
- ααΎααααα½αααΆαα·ααΆαααααα»ααα αααα»αα―αααΆαααααααααΆαα½αααΉααααα»αααΈααααααα αΆααααααΆαα ααΆαα αΆααααααΎααααααα»αααααΌαααΆαααααααααα αααααααΆα
- ααΎααααα»αα―αααΆααααααααα αααα»α S7-PlcSim α αΎαααΎαααΆαα·ααΆαααααα»ααα αααα»ααααααα·ααΈααααααααααααΈαα·αα
αααα»αα’αΆα ααααΌαααΆααααα½αα§ααΆα αααααααααααΌαααΆααααααα
with open('original.plc', 'rb') as f:
plc = f.read()
blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
with open(fname, 'rb') as f:
blocks.append(f.read())
i = plc.find(b'pp')
for block in blocks:
plc = plc[:i] + block + plc[i+len(block):]
i = plc.find(b'pp', i + 1)
with open('target.plc', 'wb') as f:
f.write(plc)Alexey ααΆαααααααΌααα·ααΆαααΆα ααα»αααααα ααααααΉαααααΌα ααΎαααααααααΆα’αααα αΌααα½αααΉαααααΎαααααα·ααΈ NetToPlcSim ααΌα αααα PlcSim α’αΆα ααααΆααααααααΆααααααΆα αααα αααααα»ααα PlcSim ααΆαααα Snap7 α αΎααααααΆααααααΆααααααα»αααΆαααααααΆααααααααΈ PlcSim αααααααΎααα·ααΆααΆαα’αα·ααααααα
αααααΆαααΎαα―αααΆααααααααα αααα»α S7-PlcSim α’αααα’αΆα α’αΆααααα»αααααααααααΆααααΎαααααααΎαααααα·ααΈααααααααααααΈαα·αα αα»αααΆααααααααααα§αααααααααΆαααααααΌαααΆααααααααΆαα αααα»ααααα»α FC1 α α αααΆααα·αααααΊα’ααα #TEMP0 ααααα αααααΎαα αΆααααΌα ααΆαααααααΆαααααααααα PLC αα ααΆααααααααααααααα’ααααΎαααααα’αααα αα αΆα M2.2 αα·α M2.3 αααΈαα ααααα #TEMP0 ααααΌαααΆαααααααααα’αα»αααα FC3α
ααΎααααΈαααααααΆααααα αΆ α’αααααααΌααα·ααΆααα»αααΆα FC3 α αΎααααααΈα’αααΈαααααααΌαααααΎ ααΎααααΈα±ααααΆαααα‘ααααΆα‘αΌααΈααα
αααα»αααααΎαααΆααααααΆ PLC αα ααΈααΆαα Low Security αα ααααααααααα½αααααααααααΌαααΆααααα αααΆαααααααααααααααΆ ααα»ααααααΎααααΈααααααααααααα’ααα #TEMP0 ααΆαααααααααΆααα αΎααααα»αααΆαααααααααααΆαααα·ααΈ Ninja αααααααα»ααα αααα»ααααα»α DB1α ααΆααα·αα·αααααΎαααααααα αααα»ααααα»αααΊαααααα αΎααα·αααΆαααΆαα ααααααΉααααα ααααααααΆααΆααααααααααα·ααΈαααα»αααα ααΆααααααα αα ααααα·ααα»ααααα·ααΆαααααα ααΆααααααα ααΆαααΌαααΆαααααααααααααααααΉααα·ααΆαααΆα α αΎαααΆα αΆαααΆα ααααα»αααΆαααααααααααΈααΆααααα»αααααααΆαααααΆααΆ STL (αα·ααΈαα½ααααα»αα αααααα·ααΈααΎααααΈααααααααααα·ααΈ S7 PLC) α
αααα»ααααα αααΆα FC3
ααααΉαααΆααααααα»α FC3 αααα»αααααΆα STLα
L B#16#0
T #TEMP13
T #TEMP15
L P#DBX 0.0
T #TEMP4
CLR
= #TEMP14
M015: L #TEMP4
LAR1
OPN DB 100
L DBLG
TAR1
<=D
JC M016
L DW#16#0
T #TEMP0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
M00d: L B [AR1,P#0.0]
T #TEMP5
L W#16#1
==I
JC M007
L #TEMP5
L W#16#2
==I
JC M008
L #TEMP5
L W#16#3
==I
JC M00f
L #TEMP5
L W#16#4
==I
JC M00e
L #TEMP5
L W#16#5
==I
JC M011
L #TEMP5
L W#16#6
==I
JC M012
JU M010
M007: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0]
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0]
JL M003
JU M001
JU M002
JU M004
M003: JU M005
M001: OPN DB 101
L B [AR2,P#0.0]
T #TEMP0
JU M006
M002: OPN DB 101
L B [AR2,P#0.0]
T #TEMP1
JU M006
M004: OPN DB 101
L B [AR2,P#0.0]
T #TEMP2
JU M006
M00f: +AR1 P#1.0
L B [AR1,P#0.0]
L C#8
*I
T #TEMP11
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
TAR1 #TEMP4
OPN DB 101
L P#DBX 0.0
LAR1
L #TEMP11
+AR1
LAR2 #TEMP9
L B [AR2,P#0.0]
T B [AR1,P#0.0]
L #TEMP4
LAR1
JU M006
M008: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU M005
M00b: L #TEMP3
T #TEMP0
JU M006
M00a: L #TEMP3
T #TEMP1
JU M006
M00c: L #TEMP3
T #TEMP2
JU M006
M00e: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M011: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M012: L #TEMP15
INC 1
T #TEMP15
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #TEMP4
L B#16#0
T #TEMP6
JU M006
M014: L #TEMP4
LAR1
L #TEMP13
L L#1
+I
T #TEMP13
JU M006
M006: L #TEMP0
T MB 100
L #TEMP1
T MB 101
L #TEMP2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU M005
M010: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #TEMP4
M005: TAR1 #TEMP4
CLR
= #TEMP16
L #TEMP13
L L#20
==I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M017
L #TEMP13
L L#20
<I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M018
JU M019
M017: SET
= #TEMP14
JU M016
M018: CLR
= #TEMP14
JU M016
M019: CLR
O #TEMP14
= #RET_VAL
JU M015
M016: CLR
O #TEMP14
= #RET_VALααΌαβαααβααΆαβααααααβαααβααΆαα α αΎαβα αΆααβααΌα βααΆβαααα»αααααΆαβα ααααβα’αααβαααβαα·αβααααΆαα STLα αα·αααΆαα ααα»α ααΆαα½ααααα»αααΆααα·ααΆαααΆαααααΆαααΈαα½αααααα»ααααααααααααα’αααααααααα ααΆαααααΆααααα’α·α αα·ααααααααΆαααααΆααΆ STL α’αΆα ααααΌαααΆαααααΎααα αααα»αααααα ααααΆααααααααΌαααααΆα . αα ααΈααααααα»αααΉααααα αΆαααΌαααΌα ααααΆαααααΆααααΈααααΎαααΆα - ααααΌααααααααααΆα αα·αα’ααα αα·αααααααααα·αααααααααα·αααααΆα’αααΈαααα½ααααααααΆαααααα·ααααα·ααΆα αα·ααα ααΆααααααααααΆααΆ STL αα½αα ααα½αα α’αα»ααααΆαα±αααααα»αααααααααΆααααααΆααααΆαααα»ααα αααα»ααααα½αααΆααααΆαααΈααα·αααα·ααααααααα·ααααα·ααΌααααα½αα ααα½ααααααΆαααΈααΆαααα αααα»α DB100 αααααΆααααΉαααΆααααααΎαααΉαα ααΆαααααΆααααααααΆαααΈααα·αααα·αααΆα 1 ααααααΌαααααα·ααααα·ααΆα αα·αααααα’αΆαα»ααααα αα½ααααααααΆααα’αΆαα»αααααααΈαα½ααα ααΆαααααΆααααααΆααα·α αΆαααΆααΆααα’ααααΆαα’αΆαα»αααααααΈα αααα»αααΆααααααααααααααααα½ααααα αααα»αααα·αααααααΆ X αα·α Y α
ααΌααααααΆααααΈααααΎαααΆα]
# ΠΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΡ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΠΏΠ΅ΡΠ΅ΠΌΠ΅Π½Π½ΡΡ
L B#16#0
T #CHECK_N # Π‘ΡΠ΅ΡΡΠΈΠΊ ΡΡΠΏΠ΅ΡΠ½ΠΎ ΠΏΡΠΎΠΉΠ΄Π΅Π½Π½ΡΡ
ΠΏΡΠΎΠ²Π΅ΡΠΎΠΊ
T #COUNTER_N # Π‘ΡΠ΅ΡΡΠΈΠΊ ΠΎΠ±ΡΠ΅Π³ΠΎ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²Π° ΠΏΡΠΎΠ²Π΅ΡΠΎΠΊ
L P#DBX 0.0
T #POINTER # Π£ΠΊΠ°Π·Π°ΡΠ΅Π»Ρ Π½Π° ΡΠ΅ΠΊΡΡΡΡ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΡ
CLR
= #PRE_RET_VAL
# ΠΡΠ½ΠΎΠ²Π½ΠΎΠΉ ΡΠΈΠΊΠ» ΡΠ°Π±ΠΎΡΡ ΠΈΠ½ΡΠ΅ΡΠΏΡΠ΅ΡΠ°ΡΠΎΡΠ° Π±Π°ΠΉΡ-ΠΊΠΎΠ΄Π°
LOOP: L #POINTER
LAR1
OPN DB 100
L DBLG
TAR1
<=D # ΠΡΠΎΠ²Π΅ΡΠΊΠ° Π²ΡΡ
ΠΎΠ΄Π° ΡΠΊΠ°Π·Π°ΡΠ΅Π»Ρ Π·Π° ΠΏΡΠ΅Π΄Π΅Π»Ρ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ
JC FINISH
L DW#16#0
T #REG0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
# ΠΠΎΠ½ΡΡΡΡΠΊΡΠΈΡ switch - case Π΄Π»Ρ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΠΈ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΠΎΠΏΠΊΠΎΠ΄ΠΎΠ²
M00d: L B [AR1,P#0.0]
T #OPCODE
L W#16#1
==I
JC OPCODE_1
L #OPCODE
L W#16#2
==I
JC OPCODE_2
L #OPCODE
L W#16#3
==I
JC OPCODE_3
L #OPCODE
L W#16#4
==I
JC OPCODE_4
L #OPCODE
L W#16#5
==I
JC OPCODE_5
L #OPCODE
L W#16#6
==I
JC OPCODE_6
JU OPCODE_OTHER
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 01: Π·Π°Π³ΡΡΠ·ΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΈΠ· DB101[X] Π² ΡΠ΅Π³ΠΈΡΡΡ Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0] # ΠΠ°Π³ΡΡΠ·ΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠ° X (ΠΈΠ½Π΄Π΅ΠΊΡ Π² DB101)
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0] # ΠΠ°Π³ΡΡΠ·ΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠ° Y (ΠΈΠ½Π΄Π΅ΠΊΡ ΡΠ΅Π³ΠΈΡΡΡΠ°)
JL M003 # ΠΠ½Π°Π»ΠΎΠ³ switch - case Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ Π·Π½Π°ΡΠ΅Π½ΠΈΡ Y
JU M001 # Π΄Π»Ρ Π²ΡΠ±ΠΎΡΠ° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎΠ³ΠΎ ΡΠ΅Π³ΠΈΡΡΡΠ° Π΄Π»Ρ Π·Π°ΠΏΠΈΡΠΈ.
JU M002 # ΠΠΎΠ΄ΠΎΠ±Π½ΡΠ΅ ΠΊΠΎΠ½ΡΡΡΡΠΊΡΠΈΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΠΈ Π² Π΄ΡΡΠ³ΠΈΡ
JU M004 # ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡΡ
Π½ΠΈΠΆΠ΅ Π΄Π»Ρ Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΡΡ
ΡΠ΅Π»Π΅ΠΉ
M003: JU LOOPEND
M001: OPN DB 101
L B [AR2,P#0.0]
T #REG0 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[0]
JU PRE_LOOPEND
M002: OPN DB 101
L B [AR2,P#0.0]
T #REG1 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[1]
JU PRE_LOOPEND
M004: OPN DB 101
L B [AR2,P#0.0]
T #REG2 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[2]
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 02: Π·Π°Π³ΡΡΠ·ΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ X Π² ΡΠ΅Π³ΠΈΡΡΡ Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU LOOPEND
M00b: L #TEMP3
T #REG0
JU PRE_LOOPEND
M00a: L #TEMP3
T #REG1
JU PRE_LOOPEND
M00c: L #TEMP3
T #REG2
JU PRE_LOOPEND
# ΠΠΏΠΊΠΎΠ΄ 03 Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ΅, ΠΏΠΎΡΡΠΎΠΌΡ ΠΏΡΠΎΠΏΡΡΡΠΈΠΌ Π΅Π³ΠΎ
...
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 04: ΡΡΠ°Π²Π½Π΅Π½ΠΈΠ΅ ΡΠ΅Π³ΠΈΡΡΡΠΎΠ² X ΠΈ Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
OPCODE_4: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # ΠΏΠ΅ΡΠ²ΡΠΉ Π°ΡΠ³ΡΠΌΠ΅Π½Ρ - X
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[X]
LAR2 #TEMP10 # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12 # ~(REG[Y] & REG[X])
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) - Π°Π½Π°Π»ΠΎΠ³ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ Π½Π° ΡΠ°Π²Π΅Π½ΡΡΠ²ΠΎ
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 05: Π²ΡΡΠΈΡΠ°Π½ΠΈΠ΅ ΡΠ΅Π³ΠΈΡΡΡΠ° Y ΠΈΠ· X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I # ACCU1 = ACCU2 - ACCU1, REG[X] - REG[Y]
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 06: ΠΈΠ½ΠΊΡΠ΅ΠΌΠ΅Π½Ρ #CHECK_N ΠΏΡΠΈ ΡΠ°Π²Π΅Π½ΡΡΠ²Π΅ ΡΠ΅Π³ΠΈΡΡΡΠΎΠ² X ΠΈ Y
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L #COUNTER_N
INC 1
T #COUNTER_N
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # REG[X]
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[Y]
LAR2 #TEMP10 # REG[X]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #POINTER
L B#16#0
T #TEMP6
JU PRE_LOOPEND
M014: L #POINTER
LAR1
# ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½Ρ Π·Π½Π°ΡΠ΅Π½ΠΈΡ #CHECK_N
L #CHECK_N
L L#1
+I
T #CHECK_N
JU PRE_LOOPEND
PRE_LOOPEND: L #REG0
T MB 100
L #REG1
T MB 101
L #REG2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU LOOPEND
OPCODE_OTHER: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #POINTER
LOOPEND: TAR1 #POINTER
CLR
= #TEMP16
L #CHECK_N
L L#20
==I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
# ΠΡΠ΅ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΏΡΠΎΠΉΠ΄Π΅Π½Ρ, Π΅ΡΠ»ΠΈ #CHECK_N == #COUNTER_N == 20
JC GOOD
L #CHECK_N
L L#20
<I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
JC FAIL
JU M019
GOOD: SET
= #PRE_RET_VAL
JU FINISH
FAIL: CLR
= #PRE_RET_VAL
JU FINISH
M019: CLR
O #PRE_RET_VAL
= #RET_VAL
JU LOOP
FINISH: CLR
O #PRE_RET_VAL
= #RET_VALαααααα½αααΆααααα·αααααΆαααααΆααααααααΆαααΈααα·αααα·α ααΌααααααα§ααααααααααααΌα αα½αααΎααααΈααα bytecode αα αααα»ααααα»α DB100α
import string
alph = string.ascii_letters + string.digits
with open('DB100.bin', 'rb') as f:
m = f.read()
pc = 0
while pc < len(m):
op = m[pc]
if op == 1:
print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
pc += 3
elif op == 2:
c = chr(m[pc + 1])
c = c if c in alph else '?'
print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
pc += 3
elif op == 4:
print('R0 = 0; R{} = (R{} == R{})'.format(
m[pc + 1], m[pc + 1], m[pc + 2]))
pc += 3
elif op == 5:
print('R0 = 0; R{} = R{} - R{}'.format(
m[pc + 1], m[pc + 1], m[pc + 2]))
pc += 3
elif op == 6:
print('CHECK (R{} == R{})n'.format(
m[pc + 1], m[pc + 2]))
pc += 3
else:
print('unk opcode {}'.format(op))
breakααΆαααααα ααΎαααα½αααΆαααΌααααΆαααΈααα·αααα·αααΌα ααΆααααααα
ααΌααααΆαααΈααα·αααα·α
R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)ααΌα αααα’αααα’αΆα ααΎααααααα·ααΈαααααααΆαααααα·αα·αααααΎααα½α’ααααααΈαα½ααααΈ DB101 αααααΆααααΆαααααΎααααΆαα ααΉααααααααΆααααΆαααα½αα αααααΆααα α»αααααααααααΆααααΆαααααααΆααααΆααααα½ααα·αα·αααααΆααα’ααααΊ: n0w u 4r3 7h3 m4573r α ααααα·αααΎαααααααααααΌαααΆαααΆαααααα»ααααα»α DB101 αααααΆαααααααααα PLC αααααααααΌαααΆαααααΎα±ααααααα α αΎαααΆααΉαα’αΆα αααα»α α¬ααααΎα±ααααααααααααΆααβ¨
α’ααα αΎα! Alexey ααΆααααα αΆαααΈααααα·ααααααααα
ααααααΉααααααααα·ααααΆ Ninja α§ααααΆα αααα :) ααΎαααΆαααααΎαααααΆααααααα·αα’αΆα
ααααααα
ααΆααααα’αααααααα α’ααα»αα
αααΎαα
ααααα’αααα
αΌααα½αααΆααα’αα!
ααααα: www.habr.com