In the footsteps of Industrial Ninja: how a PLC was hacked at Positive Hack Days 9


At the recent PHDays 9, a competition to hack a gas-pumping plant was held: the Industrial Ninja contest. Three stands with different security settings (No Security, Low Security, High Security) were set up on site, each emulating the same industrial process: air is pumped under pressure into a balloon (and released again).

Despite the different security settings, the hardware of the stands was the same: a Siemens Simatic S7-300 series PLC; an emergency deflation button and a pressure gauge (connected to the PLC's digital inputs (DI)); valves for inflating and deflating the balloon (connected to the PLC's digital outputs (DO)). See the figure below.


Based on the pressure readings and in accordance with its program, the PLC decided whether to deflate or inflate the balloon (opening and closing the corresponding valves). However, all of the stands had a manual control mode that allowed the valve states to be controlled without any restrictions.

The stands differed in how hard it was to enable this mode: on the unprotected stand it was easiest to do, and on the High Security stand it was correspondingly harder.

Five of the six tasks were solved within two days; the top participant scored 233 points (he had spent a week preparing for the competition). The three winners were: 1st place - a1exdandy, 2nd - Rubikoid, 3rd - Ze.

However, during PHDays none of the participants managed to defeat all three stands, so we decided to run an online contest and published the hardest task at the beginning of June. Participants had one month to complete the task, find the flag, and describe the solution in detail and in an engaging way.

Below the cut we publish an analysis of the best solution among those submitted during the month. It was found by Alexey Kovrizhnykh (a1exdandy) of Digital Security, who took first place in the competition at PHDays. Below we present his write-up together with our comments.

Initial analysis

So, the task is an archive containing the following files:

  • block_upload_traffic.pcapng
  • DB100.bin
  • hints.txt

The hints.txt file contains information and hints for solving the task. Here are its contents:

  1. Petrovich told me yesterday that you can upload blocks from PlcSim into Step7.
  2. A Siemens Simatic S7-300 series PLC was used on the stand.
  3. PlcSim is a PLC emulator that lets you run and debug programs for Siemens S7 PLCs.

Judging by its name, the DB100.bin file contains the raw contents of the PLC data block DB100.

As its name suggests, the block_upload_traffic.pcapng file contains a capture of block upload traffic to the PLC.

It is worth noting that on the competition stand during the conference this traffic dump was considerably harder to obtain. To get it, one had to understand a script from the TeslaSCADA2 project file. From it one could learn where the RC4-encrypted dump was located and which key to use to decrypt it. The data blocks on the stand could be retrieved with an S7 protocol client; for this I used the demo client from the Snap7 package.

Extracting the signal processing blocks from the traffic dump

Looking at the contents of the dump, you can see that it contains the signal processing blocks OB1, FC1, FC2 and FC3.


These blocks need to be extracted. This can be done, for example, with the following script, after first converting the dump from pcapng to pcap format:

#!/usr/bin/env python
# Runs under Python 2 and 3; requires scapy.

import struct
from scapy.all import rdpcap, IP, TCP

packets = rdpcap('block_upload_traffic.pcap')
# S7comm ack-data header: protocol id, ROSCTR, reserved, PDU ref,
# parameter length, data length, error class, error code (12 bytes)
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7            # 4-byte TPKT header + 3-byte COTP data TPDU in front of S7comm
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = b''

for packet in packets:
    # Only the responses sent by the PLC carry the block contents
    if not (packet.haslayer(IP) and packet.haslayer(TCP)):
        continue
    if packet.getlayer(IP).src == '10.0.102.11':
        tpkt_cotp_s7 = bytes(packet.getlayer(TCP).payload)
        if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
            continue
        s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
        s7_hdr = s7[:s7_hdr_sz]
        param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
        s7_param = s7[s7_hdr_sz:s7_hdr_sz + param_sz]
        s7_data = s7[s7_hdr_sz + param_sz:]
        if s7_param in (b'\x1e\x00', b'\x1e\x01'):  # upload (function 0x1e) plus status byte
            buf += s7_data[4:]                       # skip the 4-byte data header, keep block bytes
        elif s7_param == b'\x1f':                    # end upload (function 0x1f): block complete
            with open(next(names), 'wb') as f:
                f.write(buf)
            buf = b''

After examining the resulting blocks, you will notice that they always start with the bytes 70 70 (pp). Now we need to learn how to parse them. The hint suggests using PlcSim for this.

Getting human-readable instructions out of the blocks

First, let's try programming S7-PlcSim by loading into it, via Simatic Manager, several blocks with repeated instructions (= Q 0.0), and saving the resulting PLC from the emulator to the file example.plc. Looking at the contents of this file, you can easily determine where the loaded blocks start by the signature 70 70 that we found earlier. Before each block, apparently, the block size is written as a 4-byte little-endian value.


Having learned this much about the structure of plc files, the following plan emerged for reading S7 PLC programs:

  1. Using Simatic Manager, we create in S7-PlcSim a block structure similar to the one obtained from the dump. The block sizes must match (this is achieved by filling the blocks with the required number of instructions), as must their designations (OB1, FC1, FC2, FC3).
  2. Save the PLC to a file.
  3. Replace the contents of the blocks in the resulting file with the blocks from the traffic dump. The start of each block is determined by the signature.
  4. Load the resulting file into S7-PlcSim and view the contents of the blocks in Simatic Manager.

The blocks can be replaced, for example, with the following code:

with open('original.plc', 'rb') as f:
    plc = f.read()
blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
    with open(fname, 'rb') as f:
        blocks.append(f.read())

i = plc.find(b'pp')                       # 70 70: signature of the first block
for block in blocks:
    # overwrite the block in place; sizes must match the blocks loaded into PlcSim
    plc = plc[:i] + block + plc[i+len(block):]
    i = plc.find(b'pp', i + len(block))   # next signature, past the block just written

with open('target.plc', 'wb') as f:
    f.write(plc)
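Step 3 above overwrites the blocks in place and silently assumes the sizes match. The following added Python example (not from the write-up) locates each block by its 70 70 signature, reads the 4-byte little-endian size word that the write-up observed in front of each block, and refuses a replacement whose length differs. It assumes the size word sits immediately before the signature; the sample image is constructed.

```python
import struct

SIGNATURE = b'pp'   # 70 70: the bytes every extracted MC7 block starts with


def list_blocks(plc):
    """Return (offset, size) for each block in a PlcSim .plc image.

    Assumption: the block size is the little-endian 32-bit value directly
    before the 'pp' signature, as observed in example.plc.
    """
    blocks = []
    i = plc.find(SIGNATURE)
    while i != -1:
        if i >= 4:
            size = struct.unpack('<I', plc[i - 4:i])[0]
            if 2 <= size <= len(plc) - i:          # plausible size for a block starting here
                blocks.append((i, size))
                i = plc.find(SIGNATURE, i + size)  # skip the block body ('pp' inside it is data)
                continue
        i = plc.find(SIGNATURE, i + 1)             # stray 'pp' without a size word: keep scanning
    return blocks


def replace_blocks(plc, new_blocks):
    """Overwrite the image's blocks, in order, with new_blocks; refuse any size mismatch."""
    slots = list_blocks(plc)
    if len(slots) < len(new_blocks):
        raise ValueError('image holds %d blocks, %d supplied' % (len(slots), len(new_blocks)))
    out = bytearray(plc)
    for (off, size), block in zip(slots, new_blocks):
        if not block.startswith(SIGNATURE):
            raise ValueError('replacement for offset %d lacks the 70 70 signature' % off)
        if len(block) != size:
            raise ValueError('block at offset %d is %d bytes, replacement is %d bytes'
                             % (off, size, len(block)))
        out[off:off + size] = block
    return bytes(out)


def make_image(blocks):
    """Build a constructed .plc-style image: [size LE32][block] for each block."""
    return b''.join(struct.pack('<I', len(b)) + b for b in blocks)


if __name__ == '__main__':
    image = make_image([b'pp' + b'A' * 10, b'pp' + b'B' * 20])
    print(list_blocks(image))
    patched = replace_blocks(image, [b'pp' + b'C' * 10, b'pp' + b'D' * 20])
    print(list_blocks(patched))
```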

Alexey took a more complicated, but still correct, route. We had assumed that participants would use the NetToPlcSim project so that PlcSim could communicate over the network, upload the blocks to PlcSim via Snap7, and then retrieve these blocks as a project from PlcSim using the development environment.

Opening the resulting file in S7-PlcSim, you can read the overwritten blocks with Simatic Manager. The main device control functions are written in block FC1. Of particular interest is the variable #TEMP0, which, when set, switches PLC control into manual mode based on the values of memory bits M2.2 and M2.3. The value of #TEMP0 is set by function FC3.


To solve the task, you need to analyze function FC3 and understand what must be done for it to return a logical one.

The PLC signal processing blocks on the Low Security stand at the competition were organized in a similar way, but to set the #TEMP0 variable it was enough to write the line "my ninja way" into block DB1. The check of the value in that block was straightforward and did not require deep knowledge of the block programming language. Naturally, at the High Security level achieving manual control became significantly harder and required knowledge of the STL language (one of the ways to program S7 PLCs).

Reversing block FC3

Contents of block FC3 in STL representation:

      L     B#16#0
      T     #TEMP13
      T     #TEMP15
      L     P#DBX 0.0
      T     #TEMP4
      CLR   
      =     #TEMP14
M015: L     #TEMP4
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D   
      JC    M016
      L     DW#16#0
      T     #TEMP0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  
M00d: L     B [AR1,P#0.0]
      T     #TEMP5
      L     W#16#1
      ==I   
      JC    M007
      L     #TEMP5
      L     W#16#2
      ==I   
      JC    M008
      L     #TEMP5
      L     W#16#3
      ==I   
      JC    M00f
      L     #TEMP5
      L     W#16#4
      ==I   
      JC    M00e
      L     #TEMP5
      L     W#16#5
      ==I   
      JC    M011
      L     #TEMP5
      L     W#16#6
      ==I   
      JC    M012
      JU    M010
M007: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M003
      JU    M001
      JU    M002
      JU    M004
M003: JU    M005
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP0
      JU    M006
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP1
      JU    M006
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP2
      JU    M006
M00f: +AR1  P#1.0
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      T     #TEMP11
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      TAR1  #TEMP4
      OPN   DB   101
      L     P#DBX 0.0
      LAR1  
      L     #TEMP11
      +AR1  
      LAR2  #TEMP9
      L     B [AR2,P#0.0]
      T     B [AR1,P#0.0]
      L     #TEMP4
      LAR1  
      JU    M006
M008: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    M005
M00b: L     #TEMP3
      T     #TEMP0
      JU    M006
M00a: L     #TEMP3
      T     #TEMP1
      JU    M006
M00c: L     #TEMP3
      T     #TEMP2
      JU    M006
M00e: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M011: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M012: L     #TEMP15
      INC   1
      T     #TEMP15
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0
      LAR1  
      T     #TEMP4
      L     B#16#0
      T     #TEMP6
      JU    M006
M014: L     #TEMP4
      LAR1  
      L     #TEMP13
      L     L#1
      +I    
      T     #TEMP13
      JU    M006
M006: L     #TEMP0
      T     MB   100
      L     #TEMP1
      T     MB   101
      L     #TEMP2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    M005
M010: L     P#DBX 0.0
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #TEMP4
M005: TAR1  #TEMP4
      CLR   
      =     #TEMP16
      L     #TEMP13
      L     L#20
      ==I   
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M017
      L     #TEMP13
      L     L#20
      <I    
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M018
      JU    M019
M017: SET   
      =     #TEMP14
      JU    M016
M018: CLR   
      =     #TEMP14
      JU    M016
M019: CLR   
      O     #TEMP14
      =     #RET_VAL
      JU    M015
M016: CLR   
      O     #TEMP14
      =     #RET_VAL

The code is fairly long and may look complicated to someone unfamiliar with STL. There is no point in analyzing every instruction within this article; the instructions and capabilities of the STL language can be found in the corresponding manual: Statement List (STL) for S7-300 and S7-400 Programming. Here I will present the same code after processing: labels and variables are renamed, and comments are added that describe the algorithm and some STL language constructs. Let me note right away that the block in question contains a virtual machine that executes bytecode located in block DB100, whose contents we know. Each virtual machine instruction consists of 1 byte of opcode followed by argument bytes, one byte per argument. All the instructions considered here take two arguments; in the comments I denote their values as X and Y.

Code after processing

# Initialization of various variables
      L     B#16#0
      T     #CHECK_N        # Counter of successfully passed checks
      T     #COUNTER_N      # Counter of the total number of checks
      L     P#DBX 0.0
      T     #POINTER        # Pointer to the current instruction
      CLR   
      =     #PRE_RET_VAL

# Main loop of the bytecode interpreter
LOOP: L     #POINTER
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D                   # Check whether the pointer has run past the end of the program
      JC    FINISH
      L     DW#16#0
      T     #REG0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  

# switch-case construct for dispatching on the opcode
M00d: L     B [AR1,P#0.0]
      T     #OPCODE
      L     W#16#1
      ==I   
      JC    OPCODE_1
      L     #OPCODE
      L     W#16#2
      ==I   
      JC    OPCODE_2
      L     #OPCODE
      L     W#16#3
      ==I   
      JC    OPCODE_3
      L     #OPCODE
      L     W#16#4
      ==I   
      JC    OPCODE_4
      L     #OPCODE
      L     W#16#5
      ==I   
      JC    OPCODE_5
      L     #OPCODE
      L     W#16#6
      ==I   
      JC    OPCODE_6
      JU    OPCODE_OTHER

# Handler for opcode 01: load the value DB101[X] into register Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]   # Load argument X (index into DB101)
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]   # Load argument Y (register index)
      JL    M003            # switch-case analogue keyed on the value of Y,
      JU    M001            # selecting the register to write to.
      JU    M002            # The same construct is used in the other
      JU    M004            # operations below for the same purpose
M003: JU    LOOPEND
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG0           # Write the value DB101[X] into REG[0]
      JU    PRE_LOOPEND
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG1           # Write the value DB101[X] into REG[1]
      JU    PRE_LOOPEND
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG2           # Write the value DB101[X] into REG[2]
      JU    PRE_LOOPEND

# Handler for opcode 02: load the immediate value X into register Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    LOOPEND
M00b: L     #TEMP3
      T     #REG0
      JU    PRE_LOOPEND
M00a: L     #TEMP3
      T     #REG1
      JU    PRE_LOOPEND
M00c: L     #TEMP3
      T     #REG2
      JU    PRE_LOOPEND

# Opcode 03 is not used by the program, so we skip it
...

# Handler for opcode 04: compare registers X and Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
# (implemented as XOR, so REG[X] becomes 0 exactly when the registers were equal)
OPCODE_4: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument - X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument - Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12         # ~(REG[Y] & REG[X])
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW                    # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) = REG[X] XOR REG[Y]: zero iff equal
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 05: subtract register Y from register X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I                    # ACCU1 = ACCU2 - ACCU1, i.e. REG[X] - REG[Y]
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 06: increment #CHECK_N if registers X and Y are equal
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L     #COUNTER_N
      INC   1
      T     #COUNTER_N
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument - X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument - Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0       # Registers differ: reset the pointer to the start of DB100
      LAR1  
      T     #POINTER
      L     B#16#0
      T     #TEMP6
      JU    PRE_LOOPEND
M014: L     #POINTER
      LAR1  
# Increment #CHECK_N
      L     #CHECK_N
      L     L#1
      +I    
      T     #CHECK_N
      JU    PRE_LOOPEND

PRE_LOOPEND: L     #REG0    # Write the registers back to MB100..MB102
      T     MB   100
      L     #REG1
      T     MB   101
      L     #REG2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    LOOPEND

OPCODE_OTHER: L     P#DBX 0.0   # Unknown opcode: reset the pointer to the start of DB100
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #POINTER

LOOPEND: TAR1  #POINTER
      CLR   
      =     #TEMP16
      L     #CHECK_N
      L     L#20
      ==I   
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
# All checks passed if #CHECK_N == #COUNTER_N == 20
      JC    GOOD
      L     #CHECK_N
      L     L#20
      <I    
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
      JC    FAIL            # 20 checks executed but fewer than 20 passed
      JU    M019
GOOD: SET   
      =     #PRE_RET_VAL
      JU    FINISH
FAIL: CLR   
      =     #PRE_RET_VAL
      JU    FINISH
M019: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL
      JU    LOOP
FINISH: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL

With an understanding of the virtual machine instructions, let's write a small disassembler for the bytecode in block DB100:

# Python 3: indexing a bytes object yields integers
import string
alph = string.ascii_letters + string.digits

with open('DB100.bin', 'rb') as f:
    m = f.read()

pc = 0

# Every instruction is three bytes: opcode, X, Y (see the commented STL above)
while pc + 2 < len(m):
    op = m[pc]
    if op == 1:                       # REG[Y] = DB101[X]
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:                     # REG[Y] = X; show X as a character when it is alphanumeric
        c = chr(m[pc + 1])
        c = c if c in alph else '?'
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:                     # REG[0] = 0; REG[X] = (REG[X] == REG[Y])
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:                     # REG[0] = 0; REG[X] = REG[X] - REG[Y]
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:                     # CHECK REG[X] == REG[Y]; blank line separates the check groups
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break

As a result, we get the following virtual machine code:

Virtual machine code

R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

As you can see, this program simply checks the characters in DB101 for equality with specific values. The final string that passes all the checks is: n0w u 4r3 7h3 m4573r. If this string is placed in block DB101, manual PLC control is activated and the balloon can be inflated or deflated.
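To check the reasoning above end to end, here is an added Python example that is not part of Alexey's write-up: it assembles the DB100 bytecode from the disassembly listing, emulates FC3's interpreter (including the restart-on-mismatch behaviour of the M013 and OPCODE_OTHER paths), and recovers the expected DB101 contents symbolically instead of guessing. The bytecode table is constructed from the listing, not taken from the original DB100.bin.

```python
# Bytecode for DB100, transcribed from the disassembly listing (constructed, not the
# original DB100.bin). Each check block either XOR-compares DB101[i] with one constant
# (EQ) or subtracts two constants from it (SUB), then checks the result against R0 == 0.
EQ, SUB = 'eq', 'sub'
PROGRAM = [
    (0, EQ, 0x6e), (1, SUB, (0x10, 0x20)), (2, EQ, 0x77), (3, SUB, (0x0a, 0x16)),
    (4, EQ, 0x75), (5, SUB, (0x0a, 0x16)), (6, EQ, 0x34), (7, SUB, (0x26, 0x4c)),
    (8, EQ, 0x33), (9, SUB, (0x0a, 0x16)), (10, EQ, 0x37), (11, SUB, (0x22, 0x46)),
    (12, EQ, 0x33), (13, SUB, (0x0a, 0x16)), (14, EQ, 0x6d), (15, SUB, (0x11, 0x23)),
    (16, EQ, 0x35), (17, SUB, (0x12, 0x25)), (18, EQ, 0x33), (19, SUB, (0x26, 0x4c)),
]


def assemble(program):
    """Emit DB100 bytes; every VM instruction is opcode, X, Y (one byte each)."""
    out = bytearray()
    for idx, kind, arg in program:
        out += bytes([1, idx, 1])                              # OP01: R1 = DB101[idx]
        for c in ([arg] if kind == EQ else arg):
            out += bytes([2, c, 2])                            # OP02: R2 = c
            out += bytes([4, 1, 2] if kind == EQ else [5, 1, 2])   # OP04 / OP05 on R1, R2
        out += bytes([6, 1, 0])                                # OP06: CHECK R1 == R0
    return bytes(out)


def run_vm(db100, db101, n_checks=20, max_steps=10000):
    """Emulate FC3's interpreter; True only when all n_checks pass (GOOD), else False."""
    reg = [0, 0, 0]                  # REG0..REG2, i.e. MB100..MB102
    pc = counter = passed = 0
    for _ in range(max_steps):
        if pc + 2 >= len(db100):     # pointer past DBLG: FINISH with PRE_RET_VAL still 0
            return False
        op, x, y = db100[pc], db100[pc + 1], db100[pc + 2]
        if op == 1:
            reg[y] = db101[x] if x < len(db101) else 0
        elif op == 2:
            reg[y] = x
        elif op == 4:                # the AW/INVI/OW/AW sequence is XOR: zero exactly when equal
            reg[x] ^= reg[y]
            reg[0] = 0
        elif op == 5:
            reg[x] = (reg[x] - reg[y]) & 0xff
            reg[0] = 0
        elif op == 6:
            counter += 1
            if reg[x] == reg[y]:
                passed += 1
            else:
                pc = -3              # failed check: FC3 resets the pointer to the start of DB100
            if counter == n_checks:  # LOOPEND: GOOD if every check passed, FAIL otherwise
                return passed == n_checks
        else:
            pc = -3                  # OPCODE_OTHER: restart from the beginning
        pc += 3
    return False


def recover_db101(db100):
    """Derive the DB101 bytes FC3 expects by tracking R1 symbolically as DB101[i] - delta.

    Assumes, as in this bytecode, that every OP04 is immediately followed by a CHECK,
    so "R1 XOR c == 0" and "R1 - c == 0" both mean DB101[i] == delta + c.
    """
    expected = {}
    sym = None                       # (DB101 index, delta) currently held in R1
    const = [0, 0, 0]                # last immediate loaded into each register
    for pc in range(0, len(db100) - 2, 3):
        op, x, y = db100[pc], db100[pc + 1], db100[pc + 2]
        if op == 1 and y == 1:
            sym = (x, 0)
        elif op == 2:
            const[y] = x
        elif op in (4, 5) and x == 1 and sym:
            sym = (sym[0], sym[1] + const[y])
        elif op == 6 and x == 1 and y == 0 and sym:   # CHECK R1 == R0, and R0 is always 0 here
            expected[sym[0]] = sym[1] & 0xff
    return bytes(expected[i] for i in sorted(expected))


if __name__ == '__main__':
    db100 = assemble(PROGRAM)
    flag = recover_db101(db100)
    print(flag.decode(), run_vm(db100, flag))
```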


That's all! Alexey demonstrated the high level of knowledge befitting an industrial ninja :) We have sent the winner some memorable prizes. Many thanks to all participants!

Source: will.com
