Ad extremum PHDays 9 certamen habuimus ut gas flare plantam - competition . Tres erant in situ inter parametri securitatis (Nos Securitatis, Low Securitatis, High Securitatis), aemulantes eundem processum industrialem: aerem cogente in tollit (tum dimissum).
Quamvis diversa parametri salus, ferramentarium statorum compositio eadem erat: series Siemens Simatic PLC S7-300; subitis deflation puga et pressionis fabrica mensurans (connexa PLC digitalis inputs (DI)); valvulae operantes ad inflationem et deflationem aeris (connexis cum outputis digitalibus PLC (DO)) β vide figuram infra.
PLC, secundum impressionem lectionum et secundum suum propositum, consilium dedit pilam deflate vel inflare (valvis respondentibus apertis et clausis). Nihilominus omnia stata potestatem manualem habebant modum, quo effecit ut status valvularum sine restrictionibus moderaretur.
Diversa stat in multiplicitate qua hunc modum efficiendi: in nuda stare facillimum erat hoc facere, et apud Maximum Securitatem stare difficilior erat correspondenter.
Quinque sex problemata duobus diebus solvuntur; Primus locus particeps puncta meruit 233 (hebdomadam praeparans ad certamen egit). Tres victores: Place - a1exdandy, II - Rubikoid, III - Ze.
Nihilominus, in PHDays, nemo participantium omnia tria signa superare potuit, ergo certamen online facere decrevimus et negotium difficillimum in primo Iunio ediderunt. Participes negotium intra mensem complere debebant, vexillum invenire, solutionem singillatim ac modo iucundam describere.
Infra cutem evulgamus analysin optimae solutionis negotii ab his qui per mensem mittuntur, ab Alexey Kovrizhnykh (a1exdandy) ex societatis Digitalis Securitatis, qui primum in certatione PHDays locum suscepit. Infra textum eius cum commentis nostris exhibemus.
Initialis analysis
Negotium itaque archivum cum sequentibus fasciculis continebat:
- block_upload_traffic.pcapng
- DB100.bin
- hints.txt
Inscriptiones.txt fasciculus continet res necessarias notitias et ambages ad negotium solvendum. Hic sunt contenta;
- Heri mihi dixit Petrovich te stipites a PlcSim onerare posse in Step7.
- Siemens Simaticarum S7-300 series PLC ad standum adhibita est.
- PlcSim aemulator est PLC qui te permittit currere et debug programmata Siemens S7 PLCs.
Fasciculus DB100.bin videtur continere DB100 PLC notitia scandalum: 00000000: 0100 0102 6e02 0401 0206 0100 0101 0102 ....n......... 00000010: 1002 0501 0202 2002 0501 0206 0100 0102 00000020. ..... ......... 0102: 7702 0401 0206 0100 0103 0102 0 02a00000030 ..w.............. 0501: 0202 1602 0501 0206 0100 0104 0102 00000040 ................ 7502: 0401 0206 0100 0105 0102 0 02a0501 00000050 u............... 0202: 1602 0501 0206 0100 0106 0102 3402 4............00000060. 0401: 0206 0100 0107 0102 2602 0501 0202 00000070 .........&..... 4: 02c0501 0206 0100 0108 0102 3302 0401 3 L.........00000080. .. 0206 : 0100 0109 0102 0 02a0501 0202 1602 00000090 ................ 0501: 0206 0100 010 0102a 3702 0401 0206 7 .........000000. ... . 0a0100: 010 0102b 2202 0501 0202 4602 0501 000000 ......".....F... 0b0206: 0100 010 0102c 3302 0401 0206 0100 3 . .. . .... 000000e0: 010 0102 0 02 0501 0202 1602 0501 ........... 0206f000000: 0 0100 010 0102 6 02 0401 0206 ....0100. ..... ..... 010: 000000 0 0102 1102 0501 0202 2302 0501 ......%. .
Ut nomen sonat, scandalum_upload_traffic.pcapng fasciculi TUBER stipes onerationis ad PLC continet.
Notatu dignum est hoc commercium dump in colloquio situm in colloquio paulo difficilius esse. Ad hoc faciendum, necesse erat ut scripturam e lima pro TeslaSCADA2 cognosceret. Ex eo intellegere potuit ubi TUBER encryptatus RC4 utens situm erat et quid clavis ad minutum adhibendum opus esset. Dumps notitiarum caudices in situ obtineri posset utendo cliente S7 protocollo. Hoc enim usus sum clienti demo ex sarcina Snap7.
Eiciendis signum processus cuneos ex negotiationis TUBER
Respicitis contenta TUBER, intelligere potes signa processus cuneos OB1, FC1, FC2 et FC3 continere;
Has impedit oporteat ex. Quod fieri potest, exempli gratia, cum sequenti scriptione, antea commercium ex pcapng forma ad pcap convertisse;
#!/usr/bin/env python2
import struct
from scapy.all import *
packets = rdpcap('block_upload_traffic.pcap')
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = ''
for packet in packets:
if packet.getlayer(IP).src == '10.0.102.11':
tpkt_cotp_s7 = str(packet.getlayer(TCP).payload)
if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
continue
s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
s7_hdr = s7[:s7_hdr_sz]
param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
s7_param = s7[12:12+param_sz]
s7_data = s7[12+param_sz:]
if s7_param in ('x1ex00', 'x1ex01'): # upload
buf += s7_data[4:]
elif s7_param == 'x1f':
with open(next(names), 'wb') as f:
f.write(buf)
buf = ''Exspectato consequenti caudice, videbis eos semper ab bytes 70 70 (pp). Nunc discere debes quomodo eas resolvere. assignatio admonitus innuit te PlcSim ad hoc uti opus esse.
Questus homo, ex cuneos readable instructiones
Primum, ad rationem S7-PlcSim conemur, oneratisque caudices aliquot cum mandatis repetendis (= Q 0.0) in eam utendo programmate Simatico Procuratoris, et servato PLC in aemulo ad exemplum.plc obtinendum. Tabularii contenta inspiciendo, initium caudices receptae scriptionis 70 70, quod antea invenimus, facile determinare potes. Ante cuneos, ut videtur, magnitudo scandali scripta est ut valoris 4-byte minimi-endiani.
Postquam notitias de fabrica plc imaginum percepimus, sequens consilium agendi apparuit ad programmata PLC S7 legendi:
- Procurator Simaticus utentes, truncum in S7-PlcSim similem ei e TUBER recepimus. Truncus magnitudinum aequare debet (hoc fit implendo cuneos numero mandatorum requisito) et eorum identificatores (OB1, FC1, FC2, FC3).
- Servo PLC ad limam.
- Nos contenta caudices in lima proveniente inde cum stipitibus e dump negotiationis substituimus. Initium caudicis subscriptione determinatur.
- Fasciculum consequens in S7-PlcSim oneratis et contenta in caudices in Procuratore Simatico spectamus.
Caudices reponi possunt, exempli gratia cum codice sequenti;
with open('original.plc', 'rb') as f:
plc = f.read()
blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
with open(fname, 'rb') as f:
blocks.append(f.read())
i = plc.find(b'pp')
for block in blocks:
plc = plc[:i] + block + plc[i+len(block):]
i = plc.find(b'pp', i + 1)
with open('target.plc', 'wb') as f:
f.write(plc)Alexey arripuit fortasse difficiliorem, sed tamen rectam viam. Posuimus participes programmatis NetToPlcSim uterentur ut PlcSim communicare posset per retiaculis, stipitibus onerariis ad PlcSim per Snap7, ac deinde has caudices depone ut consilium a PlcSim utendo evolutionis ambitu.
Fasciculi inde in S7-PlcSim aperientes, caudices overscriptos legere potes Procurator Simaticus. Praecipua fabrica functionum functionum in obstructionum FC1 conscripta sunt. Nota notula particularis est #TEMP0 variabilis, quae in versa PLC imperium ad modum manualem in M2.2 et M2.3 bis valoribus memoriae fundatum videtur. #TEMP0 valor functionis FC3 est constitutus.
Ad problema solvendum, munus FC3 resolvere debes et intellegere quid fieri oporteat ut ad logicam redeat.
PLC signum processus caudices apud Low Securitatis stant in situs competitionis simili modo dispositae, sed ut valor #TEMP0 variabilis, satis erat lineam meam ninja in scandalum DB1 scribere. Repressio valoris in trunco ββdirectus fuit et altam cognitionem linguae programmandi obstructionum non requirebat. Patet, in gradu Securitatis High, imperium manuale assequendum multo difficilius erit et necesse est subtilitates linguae STL intelligere (unus viae S7 PLC programma).
Reverse FC3 obstructionum
Contenta FC3 inusitationis STL repraesentationis:
L B#16#0
T #TEMP13
T #TEMP15
L P#DBX 0.0
T #TEMP4
CLR
= #TEMP14
M015: L #TEMP4
LAR1
OPN DB 100
L DBLG
TAR1
<=D
JC M016
L DW#16#0
T #TEMP0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
M00d: L B [AR1,P#0.0]
T #TEMP5
L W#16#1
==I
JC M007
L #TEMP5
L W#16#2
==I
JC M008
L #TEMP5
L W#16#3
==I
JC M00f
L #TEMP5
L W#16#4
==I
JC M00e
L #TEMP5
L W#16#5
==I
JC M011
L #TEMP5
L W#16#6
==I
JC M012
JU M010
M007: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0]
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0]
JL M003
JU M001
JU M002
JU M004
M003: JU M005
M001: OPN DB 101
L B [AR2,P#0.0]
T #TEMP0
JU M006
M002: OPN DB 101
L B [AR2,P#0.0]
T #TEMP1
JU M006
M004: OPN DB 101
L B [AR2,P#0.0]
T #TEMP2
JU M006
M00f: +AR1 P#1.0
L B [AR1,P#0.0]
L C#8
*I
T #TEMP11
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
TAR1 #TEMP4
OPN DB 101
L P#DBX 0.0
LAR1
L #TEMP11
+AR1
LAR2 #TEMP9
L B [AR2,P#0.0]
T B [AR1,P#0.0]
L #TEMP4
LAR1
JU M006
M008: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU M005
M00b: L #TEMP3
T #TEMP0
JU M006
M00a: L #TEMP3
T #TEMP1
JU M006
M00c: L #TEMP3
T #TEMP2
JU M006
M00e: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M011: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M012: L #TEMP15
INC 1
T #TEMP15
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #TEMP4
L B#16#0
T #TEMP6
JU M006
M014: L #TEMP4
LAR1
L #TEMP13
L L#1
+I
T #TEMP13
JU M006
M006: L #TEMP0
T MB 100
L #TEMP1
T MB 101
L #TEMP2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU M005
M010: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #TEMP4
M005: TAR1 #TEMP4
CLR
= #TEMP16
L #TEMP13
L L#20
==I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M017
L #TEMP13
L L#20
<I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M018
JU M019
M017: SET
= #TEMP14
JU M016
M018: CLR
= #TEMP14
JU M016
M019: CLR
O #TEMP14
= #RET_VAL
JU M015
M016: CLR
O #TEMP14
= #RET_VALCodex admodum longus est et alicui insueto cum STL complicatus videri potest. Nulla res est in analysi singulas instructiones intra compage huius articuli, accuratae instructiones et facultates linguae STL in correspondentibus manualibus inveniri possunt: . Eundem codicem hic exhibebo postquam pittacia et variabiles renascentis et variabiles commentarios addens, de operatione algorithm et quibusdam STL linguae constructis describendis. Statim notandum sit quod scandalum quaestionis virtualem machinam continet quae aliquem bytecode in DB100 trunco ββsitam exercet, quorum contenta scimus. Apparatus virtualis instructiones ex 1 byte de codice operandi et argumentorum byte, unum byte pro quolibet argumento. Omnes instructiones perpensis duas habent rationes, earumque bona in commentationibus XY et XY designavi.
Code post dispensando]
# ΠΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·Π°ΡΠΈΡ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΠΏΠ΅ΡΠ΅ΠΌΠ΅Π½Π½ΡΡ
L B#16#0
T #CHECK_N # Π‘ΡΠ΅ΡΡΠΈΠΊ ΡΡΠΏΠ΅ΡΠ½ΠΎ ΠΏΡΠΎΠΉΠ΄Π΅Π½Π½ΡΡ
ΠΏΡΠΎΠ²Π΅ΡΠΎΠΊ
T #COUNTER_N # Π‘ΡΠ΅ΡΡΠΈΠΊ ΠΎΠ±ΡΠ΅Π³ΠΎ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²Π° ΠΏΡΠΎΠ²Π΅ΡΠΎΠΊ
L P#DBX 0.0
T #POINTER # Π£ΠΊΠ°Π·Π°ΡΠ΅Π»Ρ Π½Π° ΡΠ΅ΠΊΡΡΡΡ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΡ
CLR
= #PRE_RET_VAL
# ΠΡΠ½ΠΎΠ²Π½ΠΎΠΉ ΡΠΈΠΊΠ» ΡΠ°Π±ΠΎΡΡ ΠΈΠ½ΡΠ΅ΡΠΏΡΠ΅ΡΠ°ΡΠΎΡΠ° Π±Π°ΠΉΡ-ΠΊΠΎΠ΄Π°
LOOP: L #POINTER
LAR1
OPN DB 100
L DBLG
TAR1
<=D # ΠΡΠΎΠ²Π΅ΡΠΊΠ° Π²ΡΡ
ΠΎΠ΄Π° ΡΠΊΠ°Π·Π°ΡΠ΅Π»Ρ Π·Π° ΠΏΡΠ΅Π΄Π΅Π»Ρ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ
JC FINISH
L DW#16#0
T #REG0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
# ΠΠΎΠ½ΡΡΡΡΠΊΡΠΈΡ switch - case Π΄Π»Ρ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΠΈ ΡΠ°Π·Π»ΠΈΡΠ½ΡΡ
ΠΎΠΏΠΊΠΎΠ΄ΠΎΠ²
M00d: L B [AR1,P#0.0]
T #OPCODE
L W#16#1
==I
JC OPCODE_1
L #OPCODE
L W#16#2
==I
JC OPCODE_2
L #OPCODE
L W#16#3
==I
JC OPCODE_3
L #OPCODE
L W#16#4
==I
JC OPCODE_4
L #OPCODE
L W#16#5
==I
JC OPCODE_5
L #OPCODE
L W#16#6
==I
JC OPCODE_6
JU OPCODE_OTHER
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 01: Π·Π°Π³ΡΡΠ·ΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΈΠ· DB101[X] Π² ΡΠ΅Π³ΠΈΡΡΡ Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0] # ΠΠ°Π³ΡΡΠ·ΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠ° X (ΠΈΠ½Π΄Π΅ΠΊΡ Π² DB101)
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0] # ΠΠ°Π³ΡΡΠ·ΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠ° Y (ΠΈΠ½Π΄Π΅ΠΊΡ ΡΠ΅Π³ΠΈΡΡΡΠ°)
JL M003 # ΠΠ½Π°Π»ΠΎΠ³ switch - case Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ Π·Π½Π°ΡΠ΅Π½ΠΈΡ Y
JU M001 # Π΄Π»Ρ Π²ΡΠ±ΠΎΡΠ° Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎΠ³ΠΎ ΡΠ΅Π³ΠΈΡΡΡΠ° Π΄Π»Ρ Π·Π°ΠΏΠΈΡΠΈ.
JU M002 # ΠΠΎΠ΄ΠΎΠ±Π½ΡΠ΅ ΠΊΠΎΠ½ΡΡΡΡΠΊΡΠΈΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡΡΡ ΠΈ Π² Π΄ΡΡΠ³ΠΈΡ
JU M004 # ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡΡ
Π½ΠΈΠΆΠ΅ Π΄Π»Ρ Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΡΡ
ΡΠ΅Π»Π΅ΠΉ
M003: JU LOOPEND
M001: OPN DB 101
L B [AR2,P#0.0]
T #REG0 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[0]
JU PRE_LOOPEND
M002: OPN DB 101
L B [AR2,P#0.0]
T #REG1 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[1]
JU PRE_LOOPEND
M004: OPN DB 101
L B [AR2,P#0.0]
T #REG2 # ΠΠ°ΠΏΠΈΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ DB101[X] Π² REG[2]
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 02: Π·Π°Π³ΡΡΠ·ΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ X Π² ΡΠ΅Π³ΠΈΡΡΡ Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU LOOPEND
M00b: L #TEMP3
T #REG0
JU PRE_LOOPEND
M00a: L #TEMP3
T #REG1
JU PRE_LOOPEND
M00c: L #TEMP3
T #REG2
JU PRE_LOOPEND
# ΠΠΏΠΊΠΎΠ΄ 03 Π½Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΡΡΡ Π² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ΅, ΠΏΠΎΡΡΠΎΠΌΡ ΠΏΡΠΎΠΏΡΡΡΠΈΠΌ Π΅Π³ΠΎ
...
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 04: ΡΡΠ°Π²Π½Π΅Π½ΠΈΠ΅ ΡΠ΅Π³ΠΈΡΡΡΠΎΠ² X ΠΈ Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
OPCODE_4: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # ΠΏΠ΅ΡΠ²ΡΠΉ Π°ΡΠ³ΡΠΌΠ΅Π½Ρ - X
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[X]
LAR2 #TEMP10 # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12 # ~(REG[Y] & REG[X])
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) - Π°Π½Π°Π»ΠΎΠ³ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ Π½Π° ΡΠ°Π²Π΅Π½ΡΡΠ²ΠΎ
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 05: Π²ΡΡΠΈΡΠ°Π½ΠΈΠ΅ ΡΠ΅Π³ΠΈΡΡΡΠ° Y ΠΈΠ· X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I # ACCU1 = ACCU2 - ACCU1, REG[X] - REG[Y]
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# ΠΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊ ΠΎΠΏΠΊΠΎΠ΄Π° 06: ΠΈΠ½ΠΊΡΠ΅ΠΌΠ΅Π½Ρ #CHECK_N ΠΏΡΠΈ ΡΠ°Π²Π΅Π½ΡΡΠ²Π΅ ΡΠ΅Π³ΠΈΡΡΡΠΎΠ² X ΠΈ Y
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L #COUNTER_N
INC 1
T #COUNTER_N
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7 # REG[X]
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9 # REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10 # REG[Y]
TAR1 #POINTER
LAR1 #TEMP9 # REG[Y]
LAR2 #TEMP10 # REG[X]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #POINTER
L B#16#0
T #TEMP6
JU PRE_LOOPEND
M014: L #POINTER
LAR1
# ΠΠ½ΠΊΡΠ΅ΠΌΠ΅Π½Ρ Π·Π½Π°ΡΠ΅Π½ΠΈΡ #CHECK_N
L #CHECK_N
L L#1
+I
T #CHECK_N
JU PRE_LOOPEND
PRE_LOOPEND: L #REG0
T MB 100
L #REG1
T MB 101
L #REG2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU LOOPEND
OPCODE_OTHER: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #POINTER
LOOPEND: TAR1 #POINTER
CLR
= #TEMP16
L #CHECK_N
L L#20
==I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
# ΠΡΠ΅ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΏΡΠΎΠΉΠ΄Π΅Π½Ρ, Π΅ΡΠ»ΠΈ #CHECK_N == #COUNTER_N == 20
JC GOOD
L #CHECK_N
L L#20
<I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
JC FAIL
JU M019
GOOD: SET
= #PRE_RET_VAL
JU FINISH
FAIL: CLR
= #PRE_RET_VAL
JU FINISH
M019: CLR
O #PRE_RET_VAL
= #RET_VAL
JU LOOP
FINISH: CLR
O #PRE_RET_VAL
= #RET_VALCum ideam de instructionibus machinae virtualis nactus, scribamus disassemble parvum ut bytecode in DB100 clausurae parse;
import string
alph = string.ascii_letters + string.digits
with open('DB100.bin', 'rb') as f:
m = f.read()
pc = 0
while pc < len(m):
op = m[pc]
if op == 1:
print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
pc += 3
elif op == 2:
c = chr(m[pc + 1])
c = c if c in alph else '?'
print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
pc += 3
elif op == 4:
print('R0 = 0; R{} = (R{} == R{})'.format(
m[pc + 1], m[pc + 1], m[pc + 2]))
pc += 3
elif op == 5:
print('R0 = 0; R{} = R{} - R{}'.format(
m[pc + 1], m[pc + 1], m[pc + 2]))
pc += 3
elif op == 6:
print('CHECK (R{} == R{})n'.format(
m[pc + 1], m[pc + 2]))
pc += 3
else:
print('unk opcode {}'.format(op))
breakQuam ob rem sequentis virtualis apparatus codicem consequimur:
Rectum apparatus code
R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)Ut videre potes, haec progressio ab DB101 aequalitate ad certum valorem unumquemque tantum indolem coercet. Postrema linea obiter omnes compescit is est: n0w u 4r3 7h3 m4573r. Si haec linea in scandalum DB101 posita est, tunc manus PLC manualis reducitur et in Balloon explodere vel deflate poterit.β¨
Ita est! Alexey demonstravit altam scientiam industriae ninja dignam :) Praemia memorabilia victori misimus. Multi omnes participes gratias!
Source: www.habr.com