In the footsteps of Industrial Ninja: how a PLC was hacked at Positive Hack Days 9


At the recent PHDays 9 we ran a contest on hacking a gas pumping station: the Industrial Ninja contest. There were three stands on site with different security settings (No Security, Low Security, High Security), all emulating the same industrial process: air under pressure was pumped into a balloon (and then released).

Despite the different security levels, the hardware of the stands was identical: a Siemens Simatic S7-300 series PLC; an emergency deflation button and a pressure gauge (connected to the PLC's digital inputs (DI)); valves for inflating and deflating the balloon (connected to the PLC's digital outputs (DO)); see the picture below.


The PLC, depending on the pressure readings and according to its program, decided whether to deflate or inflate the balloon (opening and closing the corresponding valves). However, every stand also had a manual control mode, which made it possible to control the valve states without any restrictions.

The stands differed in how hard it was to enable this mode: on the unprotected stand it was trivial, while on the High Security stand it was considerably harder.

Five of the six tasks were solved within two days; the first-place winner scored 233 points (he spent a week preparing for the contest). The winners: I - a1exdandy, II - Rubikoid, III - Ze.

However, during PHDays none of the participants managed to beat all three stands, so we decided to hold an online contest and published the hardest task at the beginning of June. Participants had to complete the task within a month, obtain the flag, and describe the solution fully and in an interesting way.

Below the cut we publish an analysis of the best solution to the task among those submitted during the month. It was found by Alexey Kovrizhnykh (a1exdandy) of Digital Security, who took 1st place in the contest during PHDays. Below we present his write-up with our comments.

Initial analysis

So, the task consisted of an archive with the following files:

  • block_upload_traffic.pcapng
  • DB100.bin
  • hints.txt

The hints.txt file contains the information and hints needed to solve the task. Its contents:

  1. Petrovich told me yesterday that you can load blocks from PlcSim into Step7.
  2. A Siemens Simatic S7-300 series PLC was used on the stand.
  3. PlcSim is a PLC emulator that lets you run and debug programs for Siemens S7 PLCs.

The DB100.bin file appears to contain a dump of the PLC's DB100 data block:

00000000: 0100 0102 6e02 0401 0206 0100 0101 0102  ....n...........
00000010: 1002 0501 0202 2002 0501 0206 0100 0102  ...... .........
00000020: 0102 7702 0401 0206 0100 0103 0102 0a02  ..w.............
00000030: 0501 0202 1602 0501 0206 0100 0104 0102  ................
00000040: 7502 0401 0206 0100 0105 0102 0a02 0501  u...............
00000050: 0202 1602 0501 0206 0100 0106 0102 3402  ..............4.
00000060: 0401 0206 0100 0107 0102 2602 0501 0202  ..........&.....
00000070: 4c02 0501 0206 0100 0108 0102 3302 0401  L...........3...
00000080: 0206 0100 0109 0102 0a02 0501 0202 1602  ................
00000090: 0501 0206 0100 010a 0102 3702 0401 0206  ..........7.....
000000a0: 0100 010b 0102 2202 0501 0202 4602 0501  ......".....F...
000000b0: 0206 0100 010c 0102 3302 0401 0206 0100  ........3.......
000000c0: 010d 0102 0a02 0501 0202 1602 0501 0206  ................
000000d0: 0100 010e 0102 6d02 0401 0206 0100 010f  ......m.........
000000e0: 0102 1102 0501 0202 2302 0501 0206 0100  ........#.......
000000f0: 0110 0102 3502 0401 0206 0100 0111 0102  ....5...........
00000100: 1202 0501 0202 2502 0501 0206 0100 0112  ......%.........
00000110: 0102 3302 0401 0206 0100 0113 0102 2602  ..3...........&.
00000120: 0501 0202 4c02 0501 0206 0100            ....L.......

As the name suggests, the block_upload_traffic.pcapng file contains a dump of the traffic of a block upload from the PLC.

It is worth noting that during the on-site contest this traffic dump was not easy to obtain. To get it, one had to understand a script from the TeslaSCADA2 project file. From it, one could work out where the RC4-encrypted dump was located and which key had to be used to decrypt it. The data blocks could also be obtained on the stand's network using an S7 protocol client; for that I used the demo client from the Snap7 package.

Extracting the signal processing blocks from the traffic dump

Looking at the contents of the dump, you can see that it contains the blocks OB1, FC1, FC2 and FC3:


These blocks need to be extracted. This can be done, for example, with the following script, after converting the traffic from the pcapng format to pcap:

#!/usr/bin/env python3

import struct
from scapy.all import IP, TCP, rdpcap

# Packets sent by the PLC (10.0.102.11) carry the responses to the block
# upload. The block body arrives in several S7 "Upload" PDUs (function 0x1e),
# and an "End upload" PDU (function 0x1f) marks the end of each block.
packets = rdpcap('block_upload_traffic.pcap')
s7_hdr_struct = '>BBHHHHBB'   # S7 ack-data header: proto id, ROSCTR, reserved,
                              # PDU ref, param length, data length, error class, error code
s7_hdr_sz = struct.calcsize(s7_hdr_struct)   # 12 bytes
tpkt_cotp_sz = 7              # 4-byte TPKT header + 3-byte COTP data TPDU
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = b''

for packet in packets:
    if not packet.haslayer(IP) or not packet.haslayer(TCP):
        continue
    if packet.getlayer(IP).src == '10.0.102.11':
        tpkt_cotp_s7 = bytes(packet.getlayer(TCP).payload)
        if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
            continue
        s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
        s7_hdr = s7[:s7_hdr_sz]
        param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
        s7_param = s7[12:12 + param_sz]
        s7_data = s7[12 + param_sz:]
        if s7_param in (b'\x1e\x00', b'\x1e\x01'):  # Upload: block data follows a 4-byte data header
            buf += s7_data[4:]
        elif s7_param == b'\x1f':                   # End upload: the block is complete
            with open(next(names), 'wb') as f:
                f.write(buf)
            buf = b''

Examining the extracted blocks, you will notice that they always start with the bytes 70 70 (pp). Now we need to learn how to analyze them. The task hint suggests using PlcSim for this.

Obtaining human-readable instructions from the blocks

First, let's try programming S7-PlcSim by loading several blocks consisting of repeated instructions (= Q 0.0) into it using the Simatic Manager software, and saving the resulting PLC from the emulator to the file example.plc. Looking at the contents of this file, you can easily find the start of the loaded blocks by the 70 70 signature found earlier. Immediately before each block, the block size is apparently written as a 4-byte little-endian value.


With this information about the structure of plc files, the following plan for reading S7 PLC programs emerged:

  1. Using Simatic Manager, create in S7-PlcSim a block structure identical to the one found in the dump. The block sizes must match (achieved by filling the blocks with the required number of instructions), as must the identifiers (OB1, FC1, FC2, FC3).
  2. Save the PLC to a file.
  3. Replace the contents of the blocks in the resulting file with the blocks from the traffic dump. The start of each block is found by its signature.
  4. Load the resulting file into S7-PlcSim and view the block contents in Simatic Manager.

The blocks can be replaced, for example, with the following code:

# Overwrite the placeholder blocks in the saved PlcSim file with the blocks
# extracted from the traffic dump. The placeholders were created with the same
# sizes, so writing each block in place keeps the file layout intact.
with open('original.plc', 'rb') as f:
    plc = f.read()
blocks = []
for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
    with open(fname, 'rb') as f:
        blocks.append(f.read())

i = plc.find(b'pp')                        # signature (70 70) of the first block
for block in blocks:
    plc = plc[:i] + block + plc[i+len(block):]
    i = plc.find(b'pp', i + len(block))    # next signature, searched past the block just written

with open('target.plc', 'wb') as f:
    f.write(plc)
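The replacement above trusts that the placeholder blocks and the dumped blocks have the same sizes. The following added example (not part of Alexey's write-up or of any Siemens tool) makes that check explicit: it locates every block by the 70 70 signature, reads the 4-byte little-endian length that the write-up observed immediately before each block, and refuses to overwrite a block whose replacement has a different size. The surrounding file header and trailer used in the test snapshot are constructed for the example and are not the real PlcSim layout; only the length-prefix-plus-signature convention is taken from the write-up.

```python
import struct

BLOCK_SIGNATURE = b"pp"   # 70 70: every uploaded S7 block starts with these bytes


def find_blocks(plc):
    """Locate the blocks in a saved PlcSim file.

    Assumes (as observed in the write-up) that each block starts with 70 70 and
    that its length is stored as a 4-byte little-endian value right before it.
    Returns a list of (offset, length) pairs, offset pointing at the signature.
    """
    found = []
    pos = plc.find(BLOCK_SIGNATURE)
    while pos != -1:
        if pos < 4:
            raise ValueError(f"signature at offset {pos:#x} has no length prefix")
        (length,) = struct.unpack_from("<I", plc, pos - 4)
        if length < len(BLOCK_SIGNATURE) or pos + length > len(plc):
            raise ValueError(f"implausible block length {length} at offset {pos:#x}")
        found.append((pos, length))
        # Continue the search after the block body, so a 70 70 inside the
        # block's own bytes is not mistaken for the next block.
        pos = plc.find(BLOCK_SIGNATURE, pos + length)
    return found


def replace_blocks(plc, new_blocks):
    """Overwrite the blocks of `plc` with `new_blocks`, in order.

    A replacement whose size differs from the recorded length is rejected:
    the write-up notes that the sizes must match, and silently writing a
    block of another size would shift everything that follows it.
    """
    slots = find_blocks(plc)
    if len(slots) != len(new_blocks):
        raise ValueError(f"file holds {len(slots)} blocks, got {len(new_blocks)} replacements")
    out = bytearray(plc)
    for (offset, length), block in zip(slots, new_blocks):
        if not block.startswith(BLOCK_SIGNATURE):
            raise ValueError(f"replacement for offset {offset:#x} lacks the 70 70 signature")
        if len(block) != length:
            raise ValueError(f"block at {offset:#x} is {length} bytes, replacement is {len(block)}")
        out[offset:offset + length] = block
    return bytes(out)


def make_snapshot(blocks, header=b"PLCSIM-HDR", trailer=b"\x00" * 4):
    """Build a constructed test file: header, then (4-byte LE length + block) per block.

    The header and trailer are invented for this example; only the length
    prefix and the block signature follow what the write-up describes.
    """
    body = b"".join(struct.pack("<I", len(b)) + b for b in blocks)
    return header + body + trailer


if __name__ == "__main__":
    original = [b"pp" + b"\x01" * 6, b"pp" + b"\x02" * 10]
    snapshot = make_snapshot(original)
    patched = replace_blocks(snapshot, [b"pp" + b"\xaa" * 6, b"pp" + b"\xbb" * 10])
    print(find_blocks(patched))
```

On a real example.plc the same `find_blocks` call tells you whether the placeholder blocks you created in Simatic Manager really came out with the sizes of OB1.bin, FC1.bin, FC2.bin and FC3.bin before you patch anything.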

Alexey took a more difficult, but still correct, path. We expected participants to use the NetToPlcSim program so that PlcSim could communicate over the network, load the blocks into PlcSim via Snap7, and then download the blocks from PlcSim as a project using the development environment.

Opening the resulting file in S7-PlcSim, you can read the loaded blocks with Simatic Manager. The main device control functions are in block FC1. Of particular interest is the variable #TEMP0, which, when set, switches the PLC into manual control mode based on the values of memory bits M2.2 and M2.3. The value of #TEMP0 is set by function FC3.


To solve the task, you need to analyze function FC3 and understand what has to be done for it to return true.

The signal processing blocks of the PLC on the Low Security stand of the contest were arranged in a similar way, but to set the #TEMP0 variable it was enough to write the string "my ninja way" to block DB1. The value check in that block was straightforward and did not require deep knowledge of the block programming language. Clearly, at the High Security level, obtaining manual control would be much harder and would require understanding the intricacies of the STL language (one of the ways to program S7 PLCs).

Reversing block FC3

Contents of block FC3 in the STL representation:

      L     B#16#0
      T     #TEMP13
      T     #TEMP15
      L     P#DBX 0.0
      T     #TEMP4
      CLR   
      =     #TEMP14
M015: L     #TEMP4
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D   
      JC    M016
      L     DW#16#0
      T     #TEMP0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  
M00d: L     B [AR1,P#0.0]
      T     #TEMP5
      L     W#16#1
      ==I   
      JC    M007
      L     #TEMP5
      L     W#16#2
      ==I   
      JC    M008
      L     #TEMP5
      L     W#16#3
      ==I   
      JC    M00f
      L     #TEMP5
      L     W#16#4
      ==I   
      JC    M00e
      L     #TEMP5
      L     W#16#5
      ==I   
      JC    M011
      L     #TEMP5
      L     W#16#6
      ==I   
      JC    M012
      JU    M010
M007: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M003
      JU    M001
      JU    M002
      JU    M004
M003: JU    M005
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP0
      JU    M006
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP1
      JU    M006
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #TEMP2
      JU    M006
M00f: +AR1  P#1.0
      L     B [AR1,P#0.0]
      L     C#8
      *I    
      T     #TEMP11
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      TAR1  #TEMP4
      OPN   DB   101
      L     P#DBX 0.0
      LAR1  
      L     #TEMP11
      +AR1  
      LAR2  #TEMP9
      L     B [AR2,P#0.0]
      T     B [AR1,P#0.0]
      L     #TEMP4
      LAR1  
      JU    M006
M008: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    M005
M00b: L     #TEMP3
      T     #TEMP0
      JU    M006
M00a: L     #TEMP3
      T     #TEMP1
      JU    M006
M00c: L     #TEMP3
      T     #TEMP2
      JU    M006
M00e: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M011: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I    
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #TEMP0
      L     MB   101
      T     #TEMP1
      L     MB   102
      T     #TEMP2
      L     #TEMP4
      LAR1  
      JU    M006
M012: L     #TEMP15
      INC   1
      T     #TEMP15
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10
      TAR1  #TEMP4
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0
      LAR1  
      T     #TEMP4
      L     B#16#0
      T     #TEMP6
      JU    M006
M014: L     #TEMP4
      LAR1  
      L     #TEMP13
      L     L#1
      +I    
      T     #TEMP13
      JU    M006
M006: L     #TEMP0
      T     MB   100
      L     #TEMP1
      T     MB   101
      L     #TEMP2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    M005
M010: L     P#DBX 0.0
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #TEMP4
M005: TAR1  #TEMP4
      CLR   
      =     #TEMP16
      L     #TEMP13
      L     L#20
      ==I   
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M017
      L     #TEMP13
      L     L#20
      <I    
      S     #TEMP16
      L     #TEMP15
      ==I   
      A     #TEMP16
      JC    M018
      JU    M019
M017: SET   
      =     #TEMP14
      JU    M016
M018: CLR   
      =     #TEMP14
      JU    M016
M019: CLR   
      O     #TEMP14
      =     #RET_VAL
      JU    M015
M016: CLR   
      O     #TEMP14
      =     #RET_VAL

The code is quite long and may look complicated to someone unfamiliar with STL. There is no point in going through every instruction within this article; detailed descriptions of the commands and capabilities of the STL language can be found in the corresponding manual: Statement List (STL) for S7-300 and S7-400 Programming. Here I will present the same code after processing it: renaming labels and variables and adding comments that describe the algorithm and some STL constructs. Let me note right away that the block in question contains a virtual machine that executes bytecode located in DB100, whose contents we know. The virtual machine's instructions consist of 1 opcode byte and argument bytes, one byte per argument. All the instructions encountered have two arguments; I have designated their values in the comments as X and Y.

Code after processing

# Initialisation of the variables
      L     B#16#0
      T     #CHECK_N        # Counter of checks that passed
      T     #COUNTER_N      # Counter of the total number of checks executed
      L     P#DBX 0.0
      T     #POINTER        # Pointer to the current instruction
      CLR   
      =     #PRE_RET_VAL

# Main loop of the bytecode interpreter
LOOP: L     #POINTER
      LAR1  
      OPN   DB   100
      L     DBLG
      TAR1  
      <=D                   # Check whether the pointer has run past the end of the program
      JC    FINISH
      L     DW#16#0
      T     #REG0
      L     #TEMP6
      L     W#16#0
      <>I   
      JC    M00d
      L     P#DBX 0.0
      LAR1  

# switch-case construct dispatching on the opcode
M00d: L     B [AR1,P#0.0]
      T     #OPCODE
      L     W#16#1
      ==I   
      JC    OPCODE_1
      L     #OPCODE
      L     W#16#2
      ==I   
      JC    OPCODE_2
      L     #OPCODE
      L     W#16#3
      ==I   
      JC    OPCODE_3
      L     #OPCODE
      L     W#16#4
      ==I   
      JC    OPCODE_4
      L     #OPCODE
      L     W#16#5
      ==I   
      JC    OPCODE_5
      L     #OPCODE
      L     W#16#6
      ==I   
      JC    OPCODE_6
      JU    OPCODE_OTHER

# Handler for opcode 01: load the value DB101[X] into register Y
# OP01(X, Y): REG[Y] = DB101[X]
OPCODE_1: +AR1  P#1.0
      L     P#DBX 0.0
      LAR2  
      L     B [AR1,P#0.0]   # Load argument X (index into DB101)
      L     C#8
      *I    
      +AR2  
      +AR1  P#1.0
      L     B [AR1,P#0.0]   # Load argument Y (register index)
      JL    M003            # switch-case on the value of Y (a jump table)
      JU    M001            # to select the register to write to.
      JU    M002            # The same construct is used by the other
      JU    M004            # operations below for the same purpose
M003: JU    LOOPEND
M001: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG0           # Write DB101[X] into REG[0]
      JU    PRE_LOOPEND
M002: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG1           # Write DB101[X] into REG[1]
      JU    PRE_LOOPEND
M004: OPN   DB   101
      L     B [AR2,P#0.0]
      T     #REG2           # Write DB101[X] into REG[2]
      JU    PRE_LOOPEND

# Handler for opcode 02: load the constant X into register Y
# OP02(X, Y): REG[Y] = X
OPCODE_2: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP3
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      JL    M009
      JU    M00b
      JU    M00a
      JU    M00c
M009: JU    LOOPEND
M00b: L     #TEMP3
      T     #REG0
      JU    PRE_LOOPEND
M00a: L     #TEMP3
      T     #REG1
      JU    PRE_LOOPEND
M00c: L     #TEMP3
      T     #REG2
      JU    PRE_LOOPEND

# Opcode 03 is not used by the program, so it is skipped here
...

# Handler for opcode 04: compare registers X and Y
# OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
OPCODE_4: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument: X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # address of REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument: Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # address of REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      AW    
      INVI  
      T     #TEMP12         # ~(REG[Y] & REG[X])
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      OW    
      L     #TEMP12
      AW                    # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) = REG[X] XOR REG[Y]: zero exactly when the registers are equal
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 05: subtract register Y from register X
# OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
OPCODE_5: +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # address of REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # address of REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9
      LAR2  #TEMP10
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      -I                    # ACCU1 = ACCU2 - ACCU1, i.e. REG[X] - REG[Y]
      T     B [AR1,P#0.0]
      L     DW#16#0
      T     #REG0
      L     MB   101
      T     #REG1
      L     MB   102
      T     #REG2
      L     #POINTER
      LAR1  
      JU    PRE_LOOPEND

# Handler for opcode 06: increment #CHECK_N when registers X and Y are equal
# OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
OPCODE_6: L     #COUNTER_N
      INC   1
      T     #COUNTER_N
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP7          # first argument: X
      L     P#M 100.0
      LAR2  
      L     #TEMP7
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP9          # address of REG[X]
      +AR1  P#1.0
      L     B [AR1,P#0.0]
      T     #TEMP8          # second argument: Y
      L     P#M 100.0
      LAR2  
      L     #TEMP8
      L     C#8
      *I    
      +AR2  
      TAR2  #TEMP10         # address of REG[Y]
      TAR1  #POINTER
      LAR1  #TEMP9          # REG[X]
      LAR2  #TEMP10         # REG[Y]
      L     B [AR1,P#0.0]
      L     B [AR2,P#0.0]
      ==I   
      JCN   M013
      JU    M014
M013: L     P#DBX 0.0       # mismatch: the instruction pointer is reset to the start of the bytecode
      LAR1  
      T     #POINTER
      L     B#16#0
      T     #TEMP6
      JU    PRE_LOOPEND
M014: L     #POINTER
      LAR1  
# Increment #CHECK_N
      L     #CHECK_N
      L     L#1
      +I    
      T     #CHECK_N
      JU    PRE_LOOPEND

PRE_LOOPEND: L     #REG0
      T     MB   100
      L     #REG1
      T     MB   101
      L     #REG2
      T     MB   102
      +AR1  P#1.0
      L     #TEMP6
      +     1
      T     #TEMP6
      JU    LOOPEND

OPCODE_OTHER: L     P#DBX 0.0
      LAR1  
      L     0
      T     #TEMP6
      TAR1  #POINTER

LOOPEND: TAR1  #POINTER
      CLR   
      =     #TEMP16
      L     #CHECK_N
      L     L#20
      ==I   
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
# All checks passed if #CHECK_N == #COUNTER_N == 20
      JC    GOOD
      L     #CHECK_N
      L     L#20
      <I    
      S     #TEMP16
      L     #COUNTER_N
      ==I   
      A     #TEMP16
      JC    FAIL
      JU    M019
GOOD: SET   
      =     #PRE_RET_VAL
      JU    FINISH
FAIL: CLR   
      =     #PRE_RET_VAL
      JU    FINISH
M019: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL
      JU    LOOP
FINISH: CLR   
      O     #PRE_RET_VAL
      =     #RET_VAL

Now that we understand the virtual machine's instructions, let's write a small disassembler to translate the bytecode in block DB100:

import string
alph = string.ascii_letters + string.digits

with open('DB100.bin', 'rb') as f:
    m = f.read()

# Every instruction is 3 bytes: opcode, X, Y (see the annotated FC3 above).
pc = 0

while pc < len(m):
    op = m[pc]
    if op == 1:
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:
        c = chr(m[pc + 1])
        c = c if c in alph else '?'   # show the constant as a character when it is alphanumeric
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:
        # The XOR in FC3 leaves 0 in R[X] exactly when R[X] == R[Y],
        # so the result is printed as an equality test.
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break

As a result, we get the following virtual machine program:

Virtual machine code

R1 = DB101[0]
R2 = 6e (n)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[1]
R2 = 10 (?)
R0 = 0; R1 = R1 - R2
R2 = 20 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[2]
R2 = 77 (w)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[3]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[4]
R2 = 75 (u)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[5]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[6]
R2 = 34 (4)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[7]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[8]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[9]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[10]
R2 = 37 (7)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[11]
R2 = 22 (?)
R0 = 0; R1 = R1 - R2
R2 = 46 (F)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[12]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[13]
R2 = 0a (?)
R0 = 0; R1 = R1 - R2
R2 = 16 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[14]
R2 = 6d (m)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[15]
R2 = 11 (?)
R0 = 0; R1 = R1 - R2
R2 = 23 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[16]
R2 = 35 (5)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[17]
R2 = 12 (?)
R0 = 0; R1 = R1 - R2
R2 = 25 (?)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

R1 = DB101[18]
R2 = 33 (3)
R0 = 0; R1 = (R1 == R2)
CHECK (R1 == R0)

R1 = DB101[19]
R2 = 26 (?)
R0 = 0; R1 = R1 - R2
R2 = 4c (L)
R0 = 0; R1 = R1 - R2
CHECK (R1 == R0)

As you can see, this program simply checks each character in DB101 for equality with a particular value (directly via opcode 4, or by subtracting two constants and checking that the result is zero). The string that passes all the checks is: n0w u 4r3 7h3 m4573r. If this string is placed in block DB101, manual control of the PLC is enabled and it becomes possible to burst or deflate the balloon.
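The annotated FC3 listing and the disassembly above describe the interpreter and its program in prose; the following added example (not from Alexey's write-up or the contest organisers) turns both into code. `run_vm` emulates FC3's opcodes 1, 2, 4, 5 and 6, including the reset of the instruction pointer on a failed CHECK and the "all 20 checks passed" exit condition, so a candidate DB101 can be verified offline. `solve` walks the same bytecode symbolically and recovers the required DB101 bytes for the general pattern the program uses (a DB101 byte minus any number of constants, or XOR-compared with a constant, then checked against R0 == 0), rather than reading the answer off the listing by hand. The DB100 bytes are transcribed from the disassembly on this page.

```python
# DB100 bytecode as recovered from the disassembly above: 20 check groups of
# 3-byte instructions (opcode, X, Y). Transcribed here so the example runs offline.
DB100 = bytes.fromhex(
    "010001026e02040102060100"              # DB101[0]  == 'n'
    "010101021002050102022002050102060100"  # DB101[1]  - 0x10 - 0x20 == 0
    "010201027702040102060100"              # DB101[2]  == 'w'
    "010301020a02050102021602050102060100"  # DB101[3]  - 0x0a - 0x16 == 0
    "010401027502040102060100"              # DB101[4]  == 'u'
    "010501020a02050102021602050102060100"
    "010601023402040102060100"              # DB101[6]  == '4'
    "010701022602050102024c02050102060100"
    "010801023302040102060100"              # DB101[8]  == '3'
    "010901020a02050102021602050102060100"
    "010a01023702040102060100"              # DB101[10] == '7'
    "010b01022202050102024602050102060100"
    "010c01023302040102060100"              # DB101[12] == '3'
    "010d01020a02050102021602050102060100"
    "010e01026d02040102060100"              # DB101[14] == 'm'
    "010f01021102050102022302050102060100"
    "011001023502040102060100"              # DB101[16] == '5'
    "011101021202050102022502050102060100"
    "011201023302040102060100"              # DB101[18] == '3'
    "011301022602050102024c02050102060100"
)


def run_vm(code, db101, max_steps=10_000):
    """Emulate the FC3 interpreter; True exactly when FC3 would return true.

    op1 X Y: R[Y] = DB101[X]        op2 X Y: R[Y] = X
    op4 X Y: R[X] ^= R[Y]; R[0] = 0 (zero iff the registers were equal)
    op5 X Y: R[X] -= R[Y] (byte); R[0] = 0
    op6 X Y: count the CHECK R[X] == R[Y]; on mismatch restart from the first
             instruction (FC3 resets #POINTER). After 20 checks FC3 returns
             true only if all 20 passed. Unknown opcodes also reset the pointer.
    """
    regs = [0, 0, 0]
    pc = check_n = counter_n = 0
    for _ in range(max_steps):
        if pc + 3 > len(code):            # pointer ran past DB100: FINISH without GOOD
            return False
        op, x, y = code[pc], code[pc + 1], code[pc + 2]
        if op == 1:
            regs[y] = db101[x] if x < len(db101) else 0   # missing bytes read as 0
        elif op == 2:
            regs[y] = x
        elif op == 4:
            regs[x] ^= regs[y]
            regs[0] = 0
        elif op == 5:
            regs[x] = (regs[x] - regs[y]) & 0xFF
            regs[0] = 0
        elif op == 6:
            counter_n += 1
            if regs[x] == regs[y]:
                check_n += 1
            else:
                pc = -3                   # restart: next instruction is at offset 0
            if counter_n == 20:
                return check_n == 20
        else:
            pc = -3                       # OPCODE_OTHER: reset the pointer
        pc += 3
    return False


def solve(code):
    """Recover the DB101 bytes every CHECK wants, by symbolic execution.

    A register is (kind, base, v): ("lin", None, v) is the constant v,
    ("lin", i, v) is DB101[i] + v mod 256, and ("eq", i, v) is an opcode-4
    result that is zero exactly when DB101[i] == v. Patterns the FC3 program
    does not use raise instead of being silently mis-solved.
    """
    regs = {r: ("lin", None, 0) for r in range(3)}
    wanted = {}
    for pc in range(0, len(code) - 2, 3):
        op, x, y = code[pc], code[pc + 1], code[pc + 2]
        if op == 1:
            regs[y] = ("lin", x, 0)
        elif op == 2:
            regs[y] = ("lin", None, x)
        elif op in (4, 5):
            kx, bx, vx = regs[x]
            ky, by, vy = regs[y]
            if kx != "lin" or ky != "lin" or by is not None:
                raise NotImplementedError(f"operand pattern at {pc} not modelled")
            if op == 5:                                 # DB101[bx] + vx - vy
                regs[x] = ("lin", bx, (vx - vy) & 0xFF)
            else:                                       # zero iff DB101[bx] + vx == vy
                regs[x] = ("eq", bx, (vy - vx) & 0xFF)
            regs[0] = ("lin", None, 0)
        elif op == 6:
            kind, base, v = regs[x]
            if regs[y] != ("lin", None, 0) or base is None:
                raise NotImplementedError(f"CHECK pattern at {pc} not modelled")
            wanted[base] = v if kind == "eq" else (-v) & 0xFF   # DB101[base] + v == 0
        else:
            raise ValueError(f"unknown opcode {op} at {pc}")
    return bytes(wanted[i] for i in sorted(wanted))


if __name__ == "__main__":
    flag = solve(DB100)
    print(flag.decode(), run_vm(DB100, flag))
```

Running the block prints the recovered string and `True`; flipping any byte of the candidate makes `run_vm` return `False`, which is the behaviour one would expect from FC3 on the real PLC before spending time on the live stand.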


That's it! Alexey demonstrated a high level of skill worthy of an industrial ninja :) We have sent memorable prizes to the winner. Thanks to all the participants!

Source: www.habr.com
