At PHDays 9 we held a gas station hacking contest: a write-up of the contest
Despite the different levels of protection, the hardware composition was the same: a Siemens Simatic S7-300 series PLC; an emergency button and a pressure sensor (connected to the PLC's digital inputs (DI)); valves for inflating and deflating with air (connected to the PLC's digital outputs (DO)) - see the figure below.
The PLC, depending on the pressure readings and following its program, decided whether to deflate or inflate the balloon (by opening and closing the corresponding valves). However, all of the stands had a manual mode, which made it possible to control the valve states without any restrictions.
The stands differed in how hard it was to enable this mode: on the unprotected stand it was the easiest to do, while on the High Security stand it was considerably harder.
Five of the six tasks were solved within two days; the first-place participant scored 233 points (he spent a week preparing for the contest). The three winners: 1st - a1exdandy, 2nd - Rubikoid, 3rd - Ze.
However, during PHDays none of the participants managed to get through all three stands, so we decided to hold an online contest and published the hardest task in early June. Participants had a month to complete the task, obtain the flag, and describe the solution in detail and in an interesting way.
Below the cut we publish an analysis of the best solution to the task sent in during that month. It was found by Alexey Kovrizhnykh (a1exdandy) from Digital Security, who took 1st place in the contest during PHDays. Below we present his write-up together with our comments.
Preliminary analysis
So, the task consisted of an archive containing the following files:
- block_upload_traffic.pcapng
- DB100.bin
- hints.txt
The hints.txt file contains the information needed to solve the task and some hints. Here are its contents:
- Petrovich told me yesterday that you can load blocks from PlcSim into Step7.
- A Siemens Simatic S7-300 series PLC was used at the stand.
- PlcSim is a PLC emulator that lets you run and debug programs for Siemens S7 PLCs.
The DB100.bin file appears to contain the PLC data block DB100:
00000000: 0100 0102 6e02 0401 0206 0100 0101 0102  ....n...........
00000010: 1002 0501 0202 2002 0501 0206 0100 0102  ...... .........
00000020: 0102 7702 0401 0206 0100 0103 0102 0a02  ..w.............
00000030: 0501 0202 1602 0501 0206 0100 0104 0102  ................
00000040: 7502 0401 0206 0100 0105 0102 0a02 0501  u...............
00000050: 0202 1602 0501 0206 0100 0106 0102 3402  ..............4.
00000060: 0401 0206 0100 0107 0102 2602 0501 0202  ..........&.....
00000070: 4c02 0501 0206 0100 0108 0102 3302 0401  L...........3...
00000080: 0206 0100 0109 0102 0a02 0501 0202 1602  ................
00000090: 0501 0206 0100 010a 0102 3702 0401 0206  ..........7.....
000000a0: 0100 010b 0102 2202 0501 0202 4602 0501  ......".....F...
000000b0: 0206 0100 010c 0102 3302 0401 0206 0100  ........3.......
000000c0: 010d 0102 0a02 0501 0202 1602 0501 0206  ................
000000d0: 0100 010e 0102 6d02 0401 0206 0100 010f  ......m.........
000000e0: 0102 1102 0501 0202 2302 0501 0206 0100  ........#.......
000000f0: 0110 0102 3502 0401 0206 0100 0111 0102  ....5...........
00000100: 1202 0501 0202 2502 0501 0206 0100 0112  ......%.........
00000110: 0102 3302 0401 0206 0100 0113 0102 2602  ..3...........&.
00000120: 0501 0202 4c02 0501 0206 0100            ....L.......
As the name suggests, the block_upload_traffic.pcapng file contains a dump of the block upload traffic exchanged with the PLC.
It is worth noting that at the contest site during the conference this traffic dump was considerably harder to obtain. To get it, one had to understand the script in the TeslaSCADA2 project file. From it one could work out where the RC4-encrypted dump was located and which key had to be used to decrypt it. The data block dumps at the site could be obtained with an S7 protocol client; for this I used the demo client from the Snap7 package.
Extracting the signal processing blocks from the traffic dump
Looking at the contents of the dump, you can see that it contains the signal processing blocks OB1, FC1, FC2 and FC3.
These blocks need to be extracted. This can be done, for example, with the following script, after first converting the traffic from pcapng to pcap format:
#!/usr/bin/env python3
import struct
from scapy.all import rdpcap, IP, TCP

packets = rdpcap('block_upload_traffic.pcap')

# S7comm header of an Ack_Data PDU (12 bytes): protocol id, ROSCTR, reserved,
# PDU reference, parameter length, data length, error class, error code
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7  # 4-byte TPKT header + 3-byte COTP data TPDU header
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = b''

for packet in packets:
    # only PDUs sent by the PLC, i.e. the responses to the upload requests
    if not packet.haslayer(IP) or not packet.haslayer(TCP):
        continue
    if packet.getlayer(IP).src != '10.0.102.11':
        continue
    tpkt_cotp_s7 = bytes(packet.getlayer(TCP).payload)
    if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
        continue
    s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
    s7_hdr = s7[:s7_hdr_sz]
    param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
    s7_param = s7[12:12 + param_sz]
    s7_data = s7[12 + param_sz:]
    if s7_param in (b'\x1e\x00', b'\x1e\x01'):  # Upload: append the fragment, skipping the 4-byte data header
        buf += s7_data[4:]
    elif s7_param == b'\x1f':  # End upload: one block is complete
        with open(next(names), 'wb') as f:
            f.write(buf)
        buf = b''
Examining the resulting blocks, you will notice that they always start with the bytes 70 70 (pp). Now we need to learn how to analyze them. The hints in the task suggest using PlcSim for this.
Obtaining human-readable block instructions
First, let's try programming S7-PlcSim with several blocks consisting of repeated instructions (= Q 0.0) using the Simatic Manager software, and save the PLC obtained in the emulator to the file example.plc. Looking at the file contents, you can easily determine the start of the downloaded blocks by the signature 70 70, which we already know. Before each block, apparently, the block size is written as a 4-byte little-endian value.
After obtaining this information about the structure of plc files, the following plan of action emerged for reading S7 PLC programs:
- Using Simatic Manager, we create a block structure in S7-PlcSim similar to the one we obtained from the dump. The block sizes (achieved by filling the blocks with the required number of instructions) and their designators (OB1, FC1, FC2, FC3) must match.
- Save the PLC to a file.
- Replace the contents of the blocks in the resulting file with the blocks from the traffic dump. The beginning of each block is determined by the signature.
- Load the resulting file into S7-PlcSim and look at the contents of the blocks in Simatic Manager.
The blocks can be replaced, for example, with the following code:
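The header layout that the script above walks (a 4-byte TPKT header, a 3-byte COTP data TPDU header, then the S7comm header with ROSCTR, parameter length and data length) can be exercised without a capture. The following Python is an added example, not the author's script and not part of the write-up: it constructs its own Upload (function 0x1e) and End-upload (function 0x1f) Ack_Data PDUs carrying constructed sample block bytes and reassembles them the same way. The 12-byte Ack/Ack_Data header versus the 10-byte Job header is standard S7comm; the content of the 4-byte data header that the script skips with `s7_data[4:]` (a 2-byte length followed by 0x00fb here) is an assumption used only to build the sample PDUs.

```python
"""Reassembly of S7comm Upload responses into program blocks (added example).

The PDUs are constructed here so the parsing can be checked offline; the
reassembly logic mirrors the scapy script in the write-up.
"""
import struct

TPKT_LEN, COTP_DT_LEN = 4, 3          # TPKT header + COTP data TPDU header
S7_ACK_HDR = ">BBHHHHBB"              # 12-byte header of Ack / Ack_Data PDUs
ROSCTR_JOB, ROSCTR_ACK_DATA = 1, 3
FUNC_UPLOAD, FUNC_END_UPLOAD = 0x1E, 0x1F


def _wrap(s7):
    """Prefix an S7 PDU with a COTP DT header and a TPKT header."""
    cotp = bytes([2, 0xF0, 0x80])
    return struct.pack(">BBH", 3, 0, TPKT_LEN + len(cotp) + len(s7)) + cotp + s7


def build_upload_response(pdu_ref, chunk, more):
    """Constructed Ack_Data carrying one fragment of a block (function 0x1e)."""
    param = bytes([FUNC_UPLOAD, 1 if more else 0])        # status 1: more fragments follow
    data = struct.pack(">HH", len(chunk), 0x00FB) + chunk  # assumed 4-byte data header, then block bytes
    hdr = struct.pack(S7_ACK_HDR, 0x32, ROSCTR_ACK_DATA, 0, pdu_ref, len(param), len(data), 0, 0)
    return _wrap(hdr + param + data)


def build_end_upload_response(pdu_ref):
    """Constructed Ack_Data that closes an upload (function 0x1f, no data part)."""
    param = bytes([FUNC_END_UPLOAD])
    hdr = struct.pack(S7_ACK_HDR, 0x32, ROSCTR_ACK_DATA, 0, pdu_ref, len(param), 0, 0, 0)
    return _wrap(hdr + param)


def parse_s7(payload):
    """Return (rosctr, param, data) for one TCP payload, or None if it is not S7comm."""
    s7 = payload[TPKT_LEN + COTP_DT_LEN:]
    if len(s7) < 10 or s7[0] != 0x32:
        return None
    rosctr = s7[1]
    param_len, data_len = struct.unpack(">HH", s7[6:10])
    hdr_len = 12 if rosctr in (2, 3) else 10   # Ack / Ack_Data carry error class and code
    param = s7[hdr_len:hdr_len + param_len]
    data = s7[hdr_len + param_len:hdr_len + param_len + data_len]
    return rosctr, param, data


def reassemble_uploads(payloads):
    """Concatenate Upload fragments; each End-upload response closes one block."""
    blocks, buf = [], b""
    for payload in payloads:
        parsed = parse_s7(payload)
        if parsed is None or parsed[0] != ROSCTR_ACK_DATA:
            continue                                # requests and non-S7 payloads are ignored
        _, param, data = parsed
        if param[:1] == bytes([FUNC_UPLOAD]):
            buf += data[4:]                         # skip the 4-byte data header, keep block bytes
        elif param[:1] == bytes([FUNC_END_UPLOAD]):
            blocks.append(buf)
            buf = b""
    return blocks


if __name__ == "__main__":
    fc = b"pp" + bytes(range(40))                   # constructed block starting with the 70 70 signature
    pdus = [build_upload_response(1, fc[:24], True),
            build_upload_response(2, fc[24:], False),
            build_end_upload_response(3)]
    print(reassemble_uploads(pdus)[0] == fc)
```

Filtering on the ROSCTR value rather than on a source address is what makes the reassembler independent of the capture's addressing; the write-up's script achieves the same by keeping only packets from the PLC.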
with open('original.plc', 'rb') as f:
    plc = f.read()

blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
    with open(fname, 'rb') as f:
        blocks.append(f.read())

# every block in the .plc file starts with the 'pp' (70 70) signature;
# overwrite them in order with the blocks extracted from the traffic
i = plc.find(b'pp')
for block in blocks:
    plc = plc[:i] + block + plc[i + len(block):]
    i = plc.find(b'pp', i + 1)

with open('target.plc', 'wb') as f:
    f.write(plc)
Alexey took a perhaps harder, but still correct, path. We assumed that participants would use the NetToPlcSim program so that PlcSim could communicate over the network, upload the blocks into PlcSim via Snap7, and then download these blocks as a project from PlcSim using the development environment.
Opening the resulting file in S7-PlcSim, you can read the overwritten blocks using Simatic Manager. The main functions for controlling the device are written in block FC1. Of particular note is the #TEMP0 variable, which, when set, appears to switch the PLC control into manual mode based on the values of the memory bits M2.2 and M2.3. The value of #TEMP0 is set by function FC3.
To solve the task, you need to analyze function FC3 and understand what has to be done for it to return a true value.
The PLC signal processing blocks at the Low Security stand of the contest site were arranged similarly, but to set the #TEMP0 variable it was enough to write the string "my ninja" into block DB1. The value check in that block was straightforward and required no deep knowledge of the block programming language. Clearly, at the High Security level, obtaining manual control would be much harder and would require understanding the intricacies of the STL language (one of the ways of programming S7 PLCs).
Reversing the FC3 block
Contents of the FC3 block in STL representation:
L B#16#0
T #TEMP13
T #TEMP15
L P#DBX 0.0
T #TEMP4
CLR
= #TEMP14
M015: L #TEMP4
LAR1
OPN DB 100
L DBLG
TAR1
<=D
JC M016
L DW#16#0
T #TEMP0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
M00d: L B [AR1,P#0.0]
T #TEMP5
L W#16#1
==I
JC M007
L #TEMP5
L W#16#2
==I
JC M008
L #TEMP5
L W#16#3
==I
JC M00f
L #TEMP5
L W#16#4
==I
JC M00e
L #TEMP5
L W#16#5
==I
JC M011
L #TEMP5
L W#16#6
==I
JC M012
JU M010
M007: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0]
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0]
JL M003
JU M001
JU M002
JU M004
M003: JU M005
M001: OPN DB 101
L B [AR2,P#0.0]
T #TEMP0
JU M006
M002: OPN DB 101
L B [AR2,P#0.0]
T #TEMP1
JU M006
M004: OPN DB 101
L B [AR2,P#0.0]
T #TEMP2
JU M006
M00f: +AR1 P#1.0
L B [AR1,P#0.0]
L C#8
*I
T #TEMP11
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
TAR1 #TEMP4
OPN DB 101
L P#DBX 0.0
LAR1
L #TEMP11
+AR1
LAR2 #TEMP9
L B [AR2,P#0.0]
T B [AR1,P#0.0]
L #TEMP4
LAR1
JU M006
M008: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU M005
M00b: L #TEMP3
T #TEMP0
JU M006
M00a: L #TEMP3
T #TEMP1
JU M006
M00c: L #TEMP3
T #TEMP2
JU M006
M00e: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M011: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I
T B [AR1,P#0.0]
L DW#16#0
T #TEMP0
L MB 101
T #TEMP1
L MB 102
T #TEMP2
L #TEMP4
LAR1
JU M006
M012: L #TEMP15
INC 1
T #TEMP15
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10
TAR1 #TEMP4
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #TEMP4
L B#16#0
T #TEMP6
JU M006
M014: L #TEMP4
LAR1
L #TEMP13
L L#1
+I
T #TEMP13
JU M006
M006: L #TEMP0
T MB 100
L #TEMP1
T MB 101
L #TEMP2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU M005
M010: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #TEMP4
M005: TAR1 #TEMP4
CLR
= #TEMP16
L #TEMP13
L L#20
==I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M017
L #TEMP13
L L#20
<I
S #TEMP16
L #TEMP15
==I
A #TEMP16
JC M018
JU M019
M017: SET
= #TEMP14
JU M016
M018: CLR
= #TEMP14
JU M016
M019: CLR
O #TEMP14
= #RET_VAL
JU M015
M016: CLR
O #TEMP14
= #RET_VAL
The code is quite long and may look daunting to someone unfamiliar with STL. There is no point in going through every instruction within this article; detailed descriptions of the instructions and of the STL language's capabilities can be found in the corresponding manual.
Listing after processing
# Initialization of the various variables
L B#16#0
T #CHECK_N        # counter of successfully passed checks
T #COUNTER_N      # counter of the total number of checks
L P#DBX 0.0
T #POINTER        # pointer to the current instruction
CLR
= #PRE_RET_VAL
# Main loop of the bytecode interpreter
LOOP: L #POINTER
LAR1
OPN DB 100
L DBLG
TAR1
<=D               # check whether the pointer has gone past the end of the program
JC FINISH
L DW#16#0
T #REG0
L #TEMP6
L W#16#0
<>I
JC M00d
L P#DBX 0.0
LAR1
# switch-case construct for dispatching on the different opcodes
M00d: L B [AR1,P#0.0]
T #OPCODE
L W#16#1
==I
JC OPCODE_1
L #OPCODE
L W#16#2
==I
JC OPCODE_2
L #OPCODE
L W#16#3
==I
JC OPCODE_3
L #OPCODE
L W#16#4
==I
JC OPCODE_4
L #OPCODE
L W#16#5
==I
JC OPCODE_5
L #OPCODE
L W#16#6
==I
JC OPCODE_6
JU OPCODE_OTHER
# Handler for opcode 01: load the value DB101[X] into register Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1 P#1.0
L P#DBX 0.0
LAR2
L B [AR1,P#0.0]   # load argument X (index into DB101)
L C#8
*I
+AR2
+AR1 P#1.0
L B [AR1,P#0.0]   # load argument Y (register index)
JL M003           # switch-case analogue on the value of Y
JU M001           # to select the register to write to.
JU M002           # The same construct is used in the other
JU M004           # operations below for the same purpose
M003: JU LOOPEND
M001: OPN DB 101
L B [AR2,P#0.0]
T #REG0           # write the value DB101[X] into REG[0]
JU PRE_LOOPEND
M002: OPN DB 101
L B [AR2,P#0.0]
T #REG1           # write the value DB101[X] into REG[1]
JU PRE_LOOPEND
M004: OPN DB 101
L B [AR2,P#0.0]
T #REG2           # write the value DB101[X] into REG[2]
JU PRE_LOOPEND
# Handler for opcode 02: load the constant X into register Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP3
+AR1 P#1.0
L B [AR1,P#0.0]
JL M009
JU M00b
JU M00a
JU M00c
M009: JU LOOPEND
M00b: L #TEMP3
T #REG0
JU PRE_LOOPEND
M00a: L #TEMP3
T #REG1
JU PRE_LOOPEND
M00c: L #TEMP3
T #REG2
JU PRE_LOOPEND
# Opcode 03 is not used in the program, so we skip it
...
# Handler for opcode 04: compare registers X and Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
OPCODE_4: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7          # first argument - X
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9       # address of REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8          # second argument - Y
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10      # address of REG[Y]
TAR1 #POINTER
LAR1 #TEMP9       # REG[X]
LAR2 #TEMP10      # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
AW
INVI
T #TEMP12         # ~(REG[Y] & REG[X])
L B [AR1,P#0.0]
L B [AR2,P#0.0]
OW
L #TEMP12
AW                # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) - an equality-check analogue (zero only when the registers are equal)
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# Handler for opcode 05: subtract register Y from register X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9       # address of REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10      # address of REG[Y]
TAR1 #POINTER
LAR1 #TEMP9
LAR2 #TEMP10
L B [AR1,P#0.0]
L B [AR2,P#0.0]
-I                # ACCU1 = ACCU2 - ACCU1, i.e. REG[X] - REG[Y]
T B [AR1,P#0.0]
L DW#16#0
T #REG0
L MB 101
T #REG1
L MB 102
T #REG2
L #POINTER
LAR1
JU PRE_LOOPEND
# Handler for opcode 06: increment #CHECK_N when registers X and Y are equal
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L #COUNTER_N
INC 1
T #COUNTER_N
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP7          # argument X
L P#M 100.0
LAR2
L #TEMP7
L C#8
*I
+AR2
TAR2 #TEMP9       # address of REG[X]
+AR1 P#1.0
L B [AR1,P#0.0]
T #TEMP8          # argument Y
L P#M 100.0
LAR2
L #TEMP8
L C#8
*I
+AR2
TAR2 #TEMP10      # address of REG[Y]
TAR1 #POINTER
LAR1 #TEMP9       # REG[X]
LAR2 #TEMP10      # REG[Y]
L B [AR1,P#0.0]
L B [AR2,P#0.0]
==I
JCN M013
JU M014
M013: L P#DBX 0.0
LAR1
T #POINTER
L B#16#0
T #TEMP6
JU PRE_LOOPEND
M014: L #POINTER
LAR1
# Increment #CHECK_N
L #CHECK_N
L L#1
+I
T #CHECK_N
JU PRE_LOOPEND
PRE_LOOPEND: L #REG0
T MB 100
L #REG1
T MB 101
L #REG2
T MB 102
+AR1 P#1.0
L #TEMP6
+ 1
T #TEMP6
JU LOOPEND
OPCODE_OTHER: L P#DBX 0.0
LAR1
L 0
T #TEMP6
TAR1 #POINTER
LOOPEND: TAR1 #POINTER
CLR
= #TEMP16
L #CHECK_N
L L#20
==I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
# All checks passed if #CHECK_N == #COUNTER_N == 20
JC GOOD
L #CHECK_N
L L#20
<I
S #TEMP16
L #COUNTER_N
==I
A #TEMP16
JC FAIL
JU M019
GOOD: SET
= #PRE_RET_VAL
JU FINISH
FAIL: CLR
= #PRE_RET_VAL
JU FINISH
M019: CLR
O #PRE_RET_VAL
= #RET_VAL
JU LOOP
FINISH: CLR
O #PRE_RET_VAL
= #RET_VAL
Having formed an idea of the virtual machine's instructions, let's write a small disassembler to decode the bytecode of block DB100:
import string

alph = string.ascii_letters + string.digits

with open('DB100.bin', 'rb') as f:
    m = f.read()

# every instruction is 3 bytes: opcode, argument X, argument Y
pc = 0
while pc < len(m):
    op = m[pc]
    if op == 1:
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:
        c = chr(m[pc + 1])
        c = c if c in alph else '?'
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break
As a result, we get the following virtual machine code:
Virtual machine code
R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)
R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)
As you can see, this program simply checks each byte from DB101 for equality with a specific value. The resulting string that passes all the checks is: n0w u 4r3 7h3 m4573r. If this string is placed in block DB101, manual control of the PLC is activated and it becomes possible to burst or deflate the balloon.
That's it! Alexey demonstrated a high level of knowledge worthy of an industrial ninja :) We sent the winner some memorable prizes. Many thanks to all participants!
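The semantics recovered above (six 3-byte opcodes, three byte-sized registers mapped to MB100..MB102, a check counter and a total counter compared against 20) are enough to re-execute the DB100 program away from the PLC. The Python below is an added example, not code from the write-up: `run_vm` emulates FC3 over a candidate DB101 content, and `recover_expected_db101` walks the same bytecode symbolically to derive the expected bytes directly, which is how the string can be confirmed without guessing. The DB100 bytes are rebuilt from the hexdump and the disassembly listing above. Two simplifications are assumptions of this model, not of the listing: the restart-on-mismatch path just moves the pointer back to 0, and register indexes outside 0..2 are not modelled (the real block would write into M memory past MB102).

```python
"""Emulator and constraint solver for the FC3 bytecode VM (added example).

DB100 is rebuilt from the write-up's hexdump/disassembly; the VM semantics
follow the annotated STL listing, with the restart-on-mismatch path
simplified to resetting the instruction pointer to 0.
"""

# DB100.bin reconstructed from the write-up (300 bytes, 3-byte instructions).
DB100 = bytes.fromhex(
    "010001026e02040102060100010101021002050102022002050102060100"
    "010201027702040102060100010301020a02050102021602050102060100"
    "010401027502040102060100010501020a02050102021602050102060100"
    "010601023402040102060100010701022602050102024c02050102060100"
    "010801023302040102060100010901020a02050102021602050102060100"
    "010a01023702040102060100010b01022202050102024602050102060100"
    "010c01023302040102060100010d01020a02050102021602050102060100"
    "010e01026d02040102060100010f01021102050102022302050102060100"
    "011001023502040102060100011101021202050102022502050102060100"
    "011201023302040102060100011301022602050102024c02050102060100"
)
CHECKS_REQUIRED = 20  # the L#20 constant in the LOOPEND block


def run_vm(program, db101, max_steps=10_000):
    """Return True when FC3 would set #RET_VAL for this DB101 content (bytes).

    REG[0..2] model MB100..MB102; check_n / counter_n are #CHECK_N / #COUNTER_N.
    A register index outside 0..2 raises IndexError (not modelled, see above).
    """
    reg = [0, 0, 0]
    check_n = counter_n = 0
    pc = 0
    for _ in range(max_steps):
        if pc + 2 >= len(program):
            return False                 # pointer past DBLG: FINISH with PRE_RET_VAL clear
        op, x, y = program[pc:pc + 3]
        if op == 1:                      # REG[Y] = DB101[X]
            reg[y] = db101[x] if x < len(db101) else 0
        elif op == 2:                    # REG[Y] = X
            reg[y] = x
        elif op == 4:                    # REG[X] ^= REG[Y]  (the AW/INVI/OW/AW sequence); REG[0] = 0
            reg[x] = (reg[x] ^ reg[y]) & 0xFF
            reg[0] = 0
        elif op == 5:                    # REG[X] -= REG[Y]  (byte wrap-around); REG[0] = 0
            reg[x] = (reg[x] - reg[y]) & 0xFF
            reg[0] = 0
        elif op == 6:                    # CHECK: count it, restart the program on mismatch
            counter_n += 1
            if reg[x] == reg[y]:
                check_n += 1
            else:
                pc = -3
        else:                            # OPCODE_OTHER: pointer back to the start
            pc = -3
        pc += 3
        if counter_n == CHECKS_REQUIRED:  # GOOD / FAIL decision made in LOOPEND
            return check_n == CHECKS_REQUIRED
    return False


def recover_expected_db101(program):
    """Derive the DB101 bytes that satisfy every CHECK, without brute force.

    A register holds either an int or a triple (idx, sub, xor) standing for
    ((DB101[idx] - sub) ^ xor) & 0xFF.  CHECK (R == R0) with R0 == 0 then
    pins DB101[idx] to (xor + sub) & 0xFF.
    """
    reg = [0, 0, 0]
    expected = {}
    for pc in range(0, len(program) - 2, 3):
        op, x, y = program[pc:pc + 3]
        if op == 1:
            reg[y] = (x, 0, 0)
        elif op == 2:
            reg[y] = x
        elif op in (4, 5):
            a, b = reg[x], reg[y]
            if isinstance(a, int) and isinstance(b, int):
                reg[x] = (a ^ b) & 0xFF if op == 4 else (a - b) & 0xFF
            elif isinstance(a, tuple) and isinstance(b, int):
                idx, sub, xor = a
                if op == 4:
                    reg[x] = (idx, sub, xor ^ b)
                elif xor == 0:
                    reg[x] = (idx, (sub + b) & 0xFF, 0)
                else:
                    raise ValueError(f"cannot fold a subtraction after an XOR at offset {pc}")
            else:
                raise ValueError(f"unsupported operand mix at offset {pc}")
            reg[0] = 0
        elif op == 6:
            a, b = reg[x], reg[y]
            if isinstance(b, tuple):
                a, b = b, a
            if not (isinstance(a, tuple) and b == 0):
                raise ValueError(f"CHECK at offset {pc} is not of the form symbolic == 0")
            idx, sub, xor = a
            expected[idx] = (xor + sub) & 0xFF
        else:
            break
    return bytes(expected.get(i, 0) for i in range(max(expected) + 1)) if expected else b""


if __name__ == "__main__":
    secret = recover_expected_db101(DB100)
    print(secret, run_vm(DB100, secret))
```

The solver only needs the two patterns the program actually uses (load, XOR-compare, check; load, subtract, subtract, check), so it raises rather than guessing when it meets anything it cannot fold; the emulator is the independent cross-check that the recovered bytes really drive #CHECK_N and #COUNTER_N to 20 together.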
Source: www.habr.com