FSM – on zombies and Flying Spaghetti Monsters (CodeGuru competitions site, Extreme forum)
This topic has 2 replies, 2 participants, and was last updated 13 years ago by kirill578.
7 January 2011 at 14:58 #76814 FSM Participant
Hello everybody.
It’s great to see that the competition this year was very tight. Congratulations to all winners. I’m sorry I couldn’t come, because I was in BAHAD 1 (it’s far in the Negev).
For those who wondered: “how did FSM win?”
I made a survivor that can gain control of any other survivor. This means that instead of killing other survivors, it captures them (makes them slaves) and uses their CPU time for its own purposes. This method was used before via int 87h, but that way you can capture only the zombie. I will now show how to do it for any opponent.
The main challenge was to synchronize the slave with the master, since the slave might be in many different CPU states. The main problem here is that I can't know what the slave's original extra segment was. My solution involves running the slave and the master on the same code.

FSM1:

@start:
add ax,@loop-@start ; ax -> @loop
stosw ; send information to FSM2
xchg ax,bp ; bp -> @loop
mov dx,2c2dh ; 2d 2c 2d 2c 2d … =
mov ax,dx ; opcode of sub ax,2d2ch
mov di,200h-2h ; sub al,2dh sub al,2dh …
int 86h
int 86h
std
lea si,[bp+@end-@loop-2] ; si -> @end-2
mov cx,(@end-@slave)/4
rep ; copy code of @slave…@end
movsw ; to end of extra segment
cld
mov di,cs
push es
pop ds ; ds = es
mov es,di ; es = cs
mov ss,di ; ss = cs
mov si,bp ; si -> @loop
lea di,[si+@end-@loop-0c00h+4h]
lea sp,[si-800h+4h]
mov si,0a5f3h ; 0a5f3h = opcode of rep movsw
push sp ; protection from int 87h
push si
push sp
pop sp
mov bx,-0c00h
mov dx,-800h+2h
mov bp,-400h+4h
mov ax,0815eh ; ax is a clock
mov si,4h
mov cx,200h-2h
jmp sp ; here the initialization ends
nop
@slave: ; this code is run by a slave (zombie)
nop
nop
nop
nop
cld
mov bp,cs ; in case cs != 1000h
mov cl,04 ; we have to fix it
shl bp,cl
mov cl,0bh
shl ax,cl ; ax = random number
xchg ax,di
mov sp,di
mov cx,1dh
@wait:
loop @wait
mov bx,1000h
mov ss,bx
mov es,bx
mov ds,bx
call @here
@here:
pop si ; si -> @here
lea si,[bp+si+@location_after_retf-@here]
push bx
push si
retf ; cs = 1000h
@location_after_retf:
lea sp,[si+@end-@location_after_retf] ; sp -> @end
mov bx,di ; bx = random number
mov cx,200h-2h
pop ax ; ax is a clock
and ah,3h ; cut time from it
dec ax
pop sp
pop bp
mov dx,bp
sub bp,400h-2h
mov si,sp
add si,@end-@loop-400h+4h
xor di,si
jmp sp
dw 0deadh
@loop: ; this is the main code
rep
movsw
stosw ; ***
add sp,dx
push [si+@loop-@end] ; i.e. push 0a5f3h
push dx ; ***
xchg ax,sp
stosw ; *** these commands are meant to
xchg ax,sp ; send information to the slave
pop dx
add di,bx
add si,bp
mov cx,200h-2h
dec ax ; promote clock
; if zero commit suicide
db 75h ; opcode of jnz -1 byte
jmp sp
@end:
@zombie_copy: ; this is a copy of the zombie
; so that stuxnet can't use int 87h on it
xchg bx,ax
@zombie_loop:
mov ah,[4743h]
mov al,0bdh
mul bx
mov [0ed0dh],ax
jmp @zombie_loop

FSM2:
@start:
xchg ax,bp ; bp -> @start
mov dx,2c2dh ; 2d 2c 2d 2c 2d … =
mov ax,dx ; opcode of sub ax,2d2ch
mov di,2 ; sub al,2dh sub al,2dh …
int 86h
int 86h
std
lea si,[bp+@end-@start-2-2*((@end-@slave)/4)]
mov di,400h-2-2*((@end-@slave)/4)
mov cx,(@end-@slave+1)/2-(@end-@slave)/4
rep ; copy code of @slave…@end
movsw ; to end of extra segment
cld
mov di,cs
push es
pop ds ; ds = es
mov es,di ; es = cs
mov ss,di ; ss = cs
mov si,[bx] ; si -> @loop of FSM1
and bp,0f800h ; bp = random number
add si,bp
lea di,[si+@end-@loop-800h+4h]
lea sp,[si-400h+4h]
mov si,0a5f3h ; 0a5f3h = opcode of rep movsw
push sp ; protection from int 87h
push si
push sp
pop sp
mov bx,-0c00h
mov dx,-800h+2h
mov bp,-400h+4h
mov ax,0815eh ; ax is a clock
mov si,4h
mov cx,200h-2h
jmp sp ; here the initialization ends
nop
@slave: ; this code is run by a slave (zombie)
; from here it's exactly like FSM1
nop
nop
nop
nop
cld
mov bp,cs ; in case cs != 1000h
mov cl,04 ; we have to fix it
shl bp,cl
mov cl,0bh
shl ax,cl ; ax = random number
xchg ax,di
mov sp,di
mov cx,1dh
@wait:
loop @wait
mov bx,1000h
mov ss,bx
mov es,bx
mov ds,bx
call @here
@here:
pop si ; si -> @here
lea si,[bp+si+@location_after_retf-@here]
push bx
push si
retf ; cs = 1000h
@location_after_retf:
lea sp,[si+@end-@location_after_retf] ; sp -> @end
mov bx,di ; bx = random number
mov cx,200h-2h
pop ax ; ax is a clock
and ah,3h ; cut time from it
dec ax
pop sp
pop bp
mov dx,bp
sub bp,400h-2h
mov si,sp
add si,@end-@loop-400h+4h
xor di,si
jmp sp
dw 0deadh
@loop: ; this is the main code
rep
movsw
stosw ; ***
add sp,dx
push [si+@loop-@end] ; i.e. push 0a5f3h
push dx ; ***
xchg ax,sp
stosw ; *** these commands are meant to
xchg ax,sp ; send information to the slave
pop dx
add di,bx
add si,bp
mov cx,200h-2h
dec ax ; promote clock
; if zero commit suicide
db 75h ; opcode of jnz -1 byte
jmp sp
@end:
@zombie_copy: ; this is a copy of the zombie
; so that stuxnet can't use int 87h on it
xchg bx,ax
@zombie_loop:
mov ah,[4743h]
mov al,0bdh
mul bx
mov [0ed0dh],ax
jmp @zombie_loop

I want to explain the last line: FSM ends with 75 FF E4. 75 FF means jnz one byte back, i.e. if ax != 0 it executes FF E4, which is jmp sp. Otherwise it executes E4, which is in al, i.e. it commits suicide.
I would appreciate it if other people posted their survivors too.

22 October 2011 at 01:07 #77993 kirill578 Participant

This part is very confusing, could you explain what it does?
lea di,[si+@end-@loop-0c00h+4h]
lea sp,[si-800h+4h]
mov si,0a5f3h ; 0a5f3h = opcode of rep movsw
push sp ; protection from int 87h
push si
push sp
pop sp
mov bx,-0c00h
mov dx,-800h+2h
mov bp,-400h+4h
mov ax,0815eh ; ax is a clock
mov si,4h
mov cx,200h-2h
12 November 2011 at 06:54 #77991 FSM Participant

This is the initialization part. After this part the survivor jumps to the main loop, which is pointed to by sp.
The main loop consists of 2 bytes: F3 A5, which is:

rep
movsw

At the end of this code the values of the registers are:
sp – pointer to the loop
di – the destination of the "movsw", which is a bit more than (sp – 400h)
si – the source of the "movsw", which is at the beginning of the survivor's private memory
cx – the length of the loop: 1feh iterations

During the loop, the code from @loop…@end is copied over the running code, and runs right when the loop ends.
In that code, the survivor changes location, and therefore changes the registers sp, di, si, cx. The offsets for these registers are kept in dx, bx, bp respectively. The last register is ax, which holds a clock. When the countdown reaches zero, the slaves are slaughtered.
I hope it was helpful.
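As an added illustration (this is not FSM's code and not part of the CodeGuru engine), the script below models the overlapping-instruction trick FSM describes for the loop tail: the bytes 75 FF E4 are read as jnz -1 followed by jmp sp when ax != 0, and as jnz -1 followed by in al,imm8 when ax == 0, because the taken branch lands inside the jnz's own encoding. It also runs a straight linear sweep over the same bytes, the way a naive disassembler would, to show that the jmp sp path is invisible to it. The only assumptions are taken from the listing: the byte after @end is 93h (xchg bx,ax, the first byte of @zombie_copy), which becomes the immediate of in al, and in al,imm8 is the "suicide" the post refers to; decoding follows the 8086 encoding rules for just the four opcodes involved.

```python
# Added example: trace the overlapping bytes 75 FF E4 at the end of FSM's loop.
# Not FSM's code; it models only the four opcodes present in that tail.

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

# Constructed input, taken from the listing: db 75h, then jmp sp (FF E4),
# then the first byte of @zombie_copy (xchg bx,ax = 93h).
TAIL = bytes([0x75, 0xFF, 0xE4, 0x93])


def decode(code, ip):
    """Decode one instruction at offset ip.

    Returns (text, length, jnz_target); jnz_target is None unless the
    instruction is a conditional jump.
    """
    op = code[ip]
    if op == 0x75:                       # JNZ rel8, relative to the next instruction
        rel = code[ip + 1]
        if rel >= 0x80:                  # sign-extend the 8-bit displacement
            rel -= 0x100
        return "jnz %+d" % rel, 2, ip + 2 + rel
    if op == 0xFF:                       # group 5; /4 with mod=11 is JMP r16
        modrm = code[ip + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3 and reg == 4:
            return "jmp " + REG16[rm], 2, None
        raise NotImplementedError("FF /%d not modelled" % reg)
    if op == 0xE4:                       # IN AL, imm8
        return "in al,%02xh" % code[ip + 1], 2, None
    if op == 0x93:                       # XCHG BX, AX
        return "xchg bx,ax", 1, None
    raise NotImplementedError("opcode %02x not modelled" % op)


def linear_sweep(code):
    """What a naive disassembler shows: decode sequentially from offset 0."""
    ip, listing = 0, []
    while ip < len(code):
        text, length, _ = decode(code, ip)
        listing.append((ip, text))
        ip += length
    return listing


def execute_tail(ax_after_dec, code=TAIL):
    """Follow real control flow from offset 0, given the ax left by `dec ax`.

    Returns the (offset, instruction) pairs actually executed. The walk stops
    at jmp sp (control leaves the tail) or at in al (the suicide FSM describes).
    """
    zf = (ax_after_dec & 0xFFFF) == 0    # dec ax sets ZF when the result is zero
    ip, executed = 0, []
    while True:
        text, length, target = decode(code, ip)
        executed.append((ip, text))
        if text.startswith("jnz"):
            ip = ip + length if zf else target   # taken branch lands on the FF byte
            continue
        return executed


if __name__ == "__main__":
    print("linear sweep :", linear_sweep(TAIL))
    print("ax != 0      :", execute_tail(0x815D))
    print("ax == 0      :", execute_tail(0))
```

The linear sweep and the ax == 0 path coincide, so a disassembler that only walks forward reports the in al instruction and never the jmp sp that the survivor executes on every iteration but the last; anyone reading FSM's bytes with such a tool would misjudge where control goes.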