mov is Turing-complete
Authored by: Stephen Dolan (PhD Candidate)
19 July 2013
Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
Practical implementation by: Chris Domas
Papers We Love #14 (26 Oct 2015) By: Yeo Kheng Meng (yeokm1@gmail.com)
https://github.com/yeokm1/mov-is-turing-complete1
This presentation is best viewed with the animations.
How did I know of this paper?
Hacker News: June 21
Link to: https://github.com/xoreaxeaxeax/movfuscator
Inspired by mov is Turing-complete
Schedule of presentation
• 2 parts in this presentation
1. Purely theoretical talk about the paper (~40 mins)
2. How things work in practice (~15 mins)
• Short demo using Chris Domas's implementation
• Challenges of a practical implementation
Motivation
• The x86 instruction set is bloated: 500 to 1000 instructions, depending on the source
• Is it possible to reduce everything to one instruction?
• Initially a thought experiment by Stephen Dolan
• Actual implementation: Chris Domas's Movfuscator
• https://github.com/xoreaxeaxeax/movfuscator
Some disclaimers by the paper
• Not purely mov-only: a single jmp instruction is used to loop back to the beginning (Chris Domas's implementation removes it)
• A load from the invalid memory address 0 is used to halt execution
• No other forms of circumventing the rules:
• No self-modifying code
• No runtime code generation
Scope of the problem
Title: mov is Turing-complete
1. What is a Turing machine?
2. What does it mean to be Turing-complete?
3. What is "mov"?
4. What does it take for "mov" to be Turing-complete?
1. What is a Turing machine?
Source: http://stackoverflow.com/a/236022
A theoretical model: a finite state machine (FSM) attached to a tape. Characteristics:
Operates on a tape
• Unbounded in the abstract model (any real simulation bounds it by the memory available)
• Divided into cells
• Each cell contains a symbol from a finite alphabet
Head (scanner)
• Reads/writes the cell under it
• Can move left/right to the next cell
State register
• Remembers the current state of the FSM
Transition state table
• Looks up the next state, the symbol to write and the tape direction based on the current state and symbol
Logic process
1. Read the current symbol from the tape
2. Consult the transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/go to another state based on the state table
2. What does it mean to be Turing-complete?
A programming language (or instruction set) is Turing-complete if it can compute anything a Turing machine can.
-> It must be able to provide the same characteristics as a Turing machine: the tape, the head, the state register, the transition state table and the logic process listed above.
3. What is mov?
• x86 assembly instruction to move contents from one location to another
• General syntax: mov destination, source
• Copies (does not cut) from source to destination
• The paper uses only these five forms:
Syntax | Explanation
mov Rdest, Rsrc | Register <- Register
mov Rdest, c | Register <- Constant
mov [Rdest + Roffset], c | Memory <- Constant
mov Rdest, [Rsrc + Roffset] | Register <- Memory
mov [Rdest + Roffset], Rsrc | Memory <- Register
Square brackets [x] mean a memory access at the address given by x; Roffset may be a register or a constant offset.
4. What does it take for "mov" to be Turing-complete?
Turing machine characteristic | In the context of mov-only instructions
Operates on a tape (divided into cells, each holding a symbol from a finite alphabet) | ???
Head (scanner): reads/writes cells, can move left/right to the next cell | Read/write memory at multiple locations: mov
State register: remembers the current state of the FSM | Just reserve one register to remember the state
Transition state table: lookup of next state, symbol and tape direction based on current state and symbol | ???
Logic process (read symbol, consult table, modify symbol, move head, stay/go to another state) | ???
What we have to do
Unfulfilled Turing characteristics:
• Operates on a tape: divided into cells, each cell holding a symbol from a finite alphabet
• Transition state table: look up the next state, symbol and tape direction based on the current state and symbol
• Logic process: read the current symbol, consult the transition table, modify the symbol, move the head left/right/stay, stay/go to another state based on the table
Building our Turing machine
Designing the tape
Unfulfilled Turing characteristic: operates on a tape divided into cells, each holding a symbol from a finite alphabet.
• Current symbol: the one cell the head is over
• Left/right stack: two linked lists that hold everything else, nearest cell first
• Each symbol cell holds 2 things:
1. Pointer to the symbol value
2. Pointer to the next cell (the one further from the head); the current cell's next pointer is Null
Layout:
Left stack: Left Symbol 1 | Point to Left symbol 2; Left Symbol 2 | Point to Left symbol 3; Left Symbol 3 | Point to Left symbol 4; Left Symbol 4 | Point to Left symbol 5; ...
Current Symbol | Null
Right stack: Right Symbol 1 | Point to Right symbol 2; Right Symbol 2 | Point to Right symbol 3; Right Symbol 3 | Point to Right symbol 4; Right Symbol 4 | Point to Right symbol 5; ...
• Moving the head means pushing the current cell on to one stack and popping the new current cell off the other:
<= Move tape to the left <= : the current symbol goes left. It becomes Left Symbol 0 | Point to Left symbol 1, and the old Right Symbol 1 becomes the new Current Symbol | Null
=> Move tape to the right => : the current symbol goes right. It becomes Right Symbol 0 | Point to Right symbol 1, and the old Left Symbol 1 becomes the new Current Symbol | Null
Designing the transition state table
Unfulfilled Turing characteristic: look up the next state, the new symbol and the tape direction based on the current state and symbol.
• Table of linked cells, easier for mov to traverse
• Each cell contains a value and a pointer to the next cell
• N: dummy pointer indicating the end of a list
Each state (State Q0, State Q1, ...) is a list of its possible transitions; a transition is a chain of cells:
Current state Qx | Points to the trigger symbol cell of one possible transition | Points to the alternative transition cell (N when no alternatives are left)
Trigger symbol | Points to the new symbol cell
New symbol | Points to the direction cell
Direction | Points to the next state cell
Next state | End of list (this cell holds a pointer to the first transition of the next state)
Now to the mov stuff
Equality checking (Problem)
• We want to check whether Ri == Rj
• Output the result of the comparison as 0/1 in register Rk
Equality checking (Example 1)
• Assume both are equal: Ri = Rj = 6. Expected output: Rk = 1
• mov [Ri], 0 -> mov [6], 0   (memory address 6 now holds 0)
• mov [Rj], 1 -> mov [6], 1   (the same address, so the 0 is overwritten with 1)
• mov Rk, [Ri] -> mov Rk, [6]   (Rk = 1)
Memory afterwards: address 6 holds 1; addresses 0-5 and 7-8 are untouched.
Equality checking (Example 2)
• Assume they are NOT equal: Ri = 5, Rj = 2. Expected output: Rk = 0
• mov [Ri], 0 -> mov [5], 0
• mov [Rj], 1 -> mov [2], 1   (a different address, so address 5 keeps its 0)
• mov Rk, [Ri] -> mov Rk, [5]   (Rk = 0)
Memory afterwards: address 5 holds 0, address 2 holds 1.
• The values being compared are used as addresses, so both must lie within the memory address range of the machine (scratch words that may be overwritten), and the 0 must be written before the 1.
Value selection
• Given Rc being 0 or 1, pick either the value in Ra or the value in Rb and put the result in Rd
• Use Rlookup as the start address of a two-entry "lookup table":
• mov [Rlookup], Ra
• mov [Rlookup + 1], Rb
• mov Rd, [Rlookup + Rc]   // Rc is 0 or 1
• If Rc == 0: Rd = Ra, else: Rd = Rb
Lookup table: address Rlookup holds Ra, address Rlookup + 1 holds Rb.
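The two primitives of slides 17-20, equality checking and value selection, as an added example in C; this is not code from the paper or the slides. Memory is a flat array of words and every statement inside the functions is one of the five mov forms, so each line reads like the assembly above. The array size, the scratch addresses and the LOOKUP address are assumptions of this example, and the values passed to mov_eq must be valid scratch addresses, exactly as the slides require.

```c
/* Added example: mov-only equality check and value selection over a flat
   word memory. Every statement in the mov_* functions is one of the five
   mov forms. Memory size and the LOOKUP address are assumptions. */
#define MEM_WORDS 64
static unsigned mem[MEM_WORDS];   /* the machine's memory, addressed by index */
#define LOOKUP 8                  /* two-word scratch table at mem[8], mem[9] */

/* Equality check (slides 17-19): Rk = (Ri == Rj).
   Ri and Rj are used as addresses, so the caller must pass values that are
   valid scratch addresses; the 0-then-1 write order is what makes it work. */
static unsigned mov_eq(unsigned ri, unsigned rj)
{
    unsigned rk;
    mem[ri] = 0;        /* mov [Ri], 0 */
    mem[rj] = 1;        /* mov [Rj], 1   overwrites the 0 only if Ri == Rj */
    rk = mem[ri];       /* mov Rk, [Ri] */
    return rk;
}

/* Pitfall: with the writes reversed the final read always sees the 0. */
static unsigned mov_eq_wrong_order(unsigned ri, unsigned rj)
{
    mem[rj] = 1;
    mem[ri] = 0;
    return mem[ri];     /* always 0, whatever Ri and Rj are */
}

/* Value selection (slide 20): Rd = Rc ? Rb : Ra, with Rc in {0, 1}. */
static unsigned mov_select(unsigned rc, unsigned ra, unsigned rb)
{
    unsigned rd;
    mem[LOOKUP]     = ra;       /* mov [Rlookup], Ra */
    mem[LOOKUP + 1] = rb;       /* mov [Rlookup + 1], Rb */
    rd = mem[LOOKUP + rc];      /* mov Rd, [Rlookup + Rc] */
    return rd;
}

/* Negation of a 0/1 value: selection with the table entries reversed. */
static unsigned mov_not(unsigned d)
{
    return mov_select(d, 1, 0);
}

/* The two combined: a branch-free "Rd = (Ri == Rj) ? Rb : Ra". */
static unsigned mov_if_equal(unsigned ri, unsigned rj, unsigned ra, unsigned rb)
{
    unsigned m = mov_eq(ri, rj);
    return mov_select(m, ra, rb);
}
```

mov_if_equal is the pattern every later step of the machine is built from: compute a 0/1 match flag by aliasing, then let that flag pick one of two values through the lookup table, so that the same instructions execute on every pass whether or not the condition holds.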
Our architecture so far
Setting aside some registers:
Register | Purpose
SYMBOL | Pointer to the current symbol cell on the tape ([SYMBOL] is the symbol, [SYMBOL + 1] the cell's next pointer)
LEFT | Pointer to the first (top) cell of the left stack
RIGHT | Pointer to the first (top) cell of the right stack
CTRANS | Pointer to the transition to be tested (its first word points to the trigger symbol cell)
LOOKUP | Pointer to the two-word lookup table (scratch space) at LOOKUP and LOOKUP + 1
Memory holds three structures: the tape (left stack, current symbol cell, right stack), the transition state table (current state -> trigger symbol -> new symbol -> tape direction -> next state) and the lookup table.
Logic Process
Every pass through the program performs the five steps of the Turing machine's logic process on the registers and structures above:
1. Read the current symbol from the tape
2. Consult the transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/go to another state based on the state table
Every mov executes on every pass; the match result M (0/1) decides, through the lookup table, whether each step has a visible effect.
Logic Process (Steps 1 & 2)
• Consult the transition state table: retrieve the current symbol and compare it with the trigger symbol
• Extra temporary registers X, Y and M
• mov X, [SYMBOL]   // get the current symbol
• mov Y, [CTRANS]   // get the pointer to the trigger symbol
• mov Y, [Y]        // get the trigger symbol
• mov [X], 0        // put 0 in memory using X as the index
• mov [Y], 1        // put 1 in memory using Y as the index
• mov M, [X]        // M gets 1 if X == Y, 0 otherwise
Registers afterwards: X = current symbol, Y = trigger symbol, M (Match) = 1 if equal, 0 otherwise.
Logic Process (Step 3)
• Modify the symbol: choose between the current and the new symbol using M from Step 2, then write it back
• Extra temporary registers X, Y, Z
• mov X, [CTRANS]       // get the pointer to the trigger symbol
• mov X, [X + 1]        // load the pointer to the new symbol (skip past the trigger symbol)
• mov X, [X]            // load the new symbol
• mov Y, [SYMBOL]       // load the old symbol
• mov [LOOKUP], Y       // lookup table entry 0 = old symbol
• mov [LOOKUP + 1], X   // entry 1 = new symbol
• mov Z, [LOOKUP + M]   // Z = new symbol if the transition matched, else the old symbol
• mov [SYMBOL], Z       // write the selected symbol back to the tape
Registers afterwards: X = new symbol, Y = old symbol, M = match result from Step 2, Z = selected symbol.
Logic Process (Step 4.1)
• Load the tape direction of the transition, regardless of whether the transition matched
• M from Step 2; result register D receives the direction
• mov D, [CTRANS]   // get the pointer to the trigger symbol
• mov D, [D + 1]    // load the pointer to the new symbol
• mov D, [D + 1]    // load the pointer to the direction
• mov D, [D]        // load the direction value, 0/1
Logic Process (Step 4.2)
• Depending on the tape direction, push the current symbol cell on to one stack (this happens whether or not the transition matched; Steps 4.3 and 4.4 undo it when it did not)
• M from Step 2, D from Step 4.1, temporary register X
• // Get the top cell of the left/right stack as the next cell for the current symbol
• mov [LOOKUP], LEFT
• mov [LOOKUP + 1], RIGHT
• mov X, [LOOKUP + D]
• mov [SYMBOL + 1], X   // point the current symbol cell's next pointer at that cell
• // Select the new top of the LEFT stack
• mov [LOOKUP], SYMBOL
• mov [LOOKUP + 1], LEFT
• mov LEFT, [LOOKUP + D]    // D == 0: the current cell is pushed on to the left stack
• // Select the new top of the RIGHT stack
• mov [LOOKUP], RIGHT
• mov [LOOKUP + 1], SYMBOL
• mov RIGHT, [LOOKUP + D]   // D == 1: the current cell is pushed on to the right stack
After this step the current cell reads: Current Symbol | Point to Left/Right symbol 1.
Logic Process (Step 4.3)
• Preparation to pop a stack: invert D if no movement is actually required (M == 0), so that the pop in Step 4.4 takes back the cell pushed in Step 4.2
• M from Step 2, D from Step 4.1, temporary register X
• // Put the negation of D into X
• mov [LOOKUP], 1       // reverse order of selection
• mov [LOOKUP + 1], 0
• mov X, [LOOKUP + D]   // X = 1 - D
• // Use M to select between D and X (D negated)
• mov [LOOKUP], X
• mov [LOOKUP + 1], D
• mov D, [LOOKUP + M]   // M == 1: keep D; M == 0: D = X
D now holds the direction value that decides which stack to pop.
Logic Process (Step 4.4)
• We need a new current symbol: pop a cell from one side based on D
• D from Step 4.3, temporary register X
• // Select the new SYMBOL from the top of either the RIGHT or the LEFT stack
• mov [LOOKUP], RIGHT
• mov [LOOKUP + 1], LEFT
• mov SYMBOL, [LOOKUP + D]
• mov X, [SYMBOL + 1]       // the popped cell's next pointer is the new top of that stack
• // Find the new top of LEFT
• mov [LOOKUP], LEFT
• mov [LOOKUP + 1], X
• mov LEFT, [LOOKUP + D]    // D == 1: we just popped the left stack, so LEFT = X
• // Find the new top of RIGHT
• mov [LOOKUP], X
• mov [LOOKUP + 1], RIGHT
• mov RIGHT, [LOOKUP + D]   // D == 0: we just popped the right stack, so RIGHT = X
Net effect of Steps 4.2-4.4 in one pass: matched with D == 0, the old cell goes on to the left stack (Left symbol 0 | Point to Left symbol 1) and the head moves right; matched with D == 1, the old cell goes on to the right stack (Right symbol 0 | Point to Right symbol 1) and the head moves left; not matched, the cell pushed in Step 4.2 is popped straight back and the head stays where it was.
Logic Process (Step 5)
• Find the next transition to test
• M from Step 2, temporary registers X and Y
• If the current transition matched, go to the first transition of the next state; else go to the next transition of the current state
• // Get the next transition of the current state
• mov X, [CTRANS + 1]
• // Get the first transition of the next state
• mov Y, [CTRANS]   // get the pointer to the trigger symbol
• mov Y, [Y + 1]    // skip the trigger symbol
• mov Y, [Y + 1]    // skip the new symbol
• mov Y, [Y + 1]    // skip the direction
• mov Y, [Y]        // the next state cell holds the pointer to its first transition
• mov [LOOKUP], X
• mov [LOOKUP + 1], Y
• mov CTRANS, [LOOKUP + M]
Registers afterwards: X = pointer to the next transition of the current state, Y = pointer to the first transition of the next state, CTRANS = whichever M selected.
Logic Process (Extra Step 6): Halting the machine
• Halt the machine if CTRANS is N (end of a state's transition list, or a next-state pointer of N: no outgoing transitions)
• Assume a load from address 0 halts the machine
• Temporary registers H, X
• // Set H = 1 if CTRANS is N
• mov [N], 0
• mov [CTRANS], 1
• mov H, [N]            // reads back 1 only if CTRANS and N are the same address
• // Select between N and 0 depending on H
• mov [LOOKUP], N
• mov [LOOKUP + 1], 0
• mov X, [LOOKUP + H]   // H == 1: X = 0
• mov X, [X]            // load from N (harmless) or from address 0; the program terminates here if X is 0
• jmp start             // go back to the top of the program
H (Temp): whether to halt, 0: no, 1: yes. X (Temp): the address whose load tests whether the machine halts.
Note: mov [CTRANS], 1 overwrites the first word of the transition CTRANS now points to (its pointer to the trigger symbol), and Step 2 of the next pass reads that word; an implementation therefore has to save that word before the check and restore it afterwards, which can be done with two more movs.
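The whole logic process of slides 21-30 as an added example in C, not code from the paper or from the slides, and going beyond the slides in that it assembles the steps into a complete machine and runs it. Every statement in step() is one of the paper's five mov forms written as an assignment over a flat word array; the builder, the driver loop and the tape read-back are ordinary C outside the mov program. The memory layout, the encoding of symbols as addresses of distinct scratch words, the direction encoding (0: head moves right, 1: head moves left), the save/restore around the halting check, the finite blank-padded tape and the demo machine (one state that inverts bits moving right and halts on the first blank) are all assumptions of this example.

```c
/* Added example: C model of the mov-only Turing machine. Each statement in
   step() is one of the five mov forms over the word array mem[]. Layout,
   symbol/direction encoding and the demo machine are assumptions. */
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 128
#define N        2    /* dummy end-of-list pointer                                   */
#define SYM_0    4    /* symbols are addresses of distinct scratch words, so the     */
#define SYM_1    5    /*   aliasing equality test of Step 2 works on them            */
#define SYM_B    6    /* blank                                                       */
#define LOOKUP   8    /* two-word lookup table                                       */
#define TRANS    16   /* transition chains, 10 words each                            */
#define TAPE     64   /* tape cells, 2 words each                                    */
#define TAPE_LEN 8
#define DIR_R    0    /* D = 0: old cell pushed on the left stack, head moves right  */
#define DIR_L    1    /* D = 1: old cell pushed on the right stack, head moves left  */

static unsigned mem[MEM_WORDS];
static unsigned SYMBOL, LEFT, RIGHT, CTRANS, X, Y, Z, M, D, H;   /* the registers */

/* One transition as the chain of slide 15, starting at word t: transition cell ->
   trigger cell -> new-symbol cell -> direction cell -> next-state cell. */
static void add_transition(unsigned t, unsigned trig, unsigned newsym,
                           unsigned dir, unsigned next_state, unsigned alt)
{
    mem[t]     = t + 2;  mem[t + 1] = alt;     /* [t+1]: alternative transition, or N  */
    mem[t + 2] = trig;   mem[t + 3] = t + 4;
    mem[t + 4] = newsym; mem[t + 5] = t + 6;
    mem[t + 6] = dir;    mem[t + 7] = t + 8;
    mem[t + 8] = next_state;                   /* first transition of next state, or N */
}

/* One pass of Steps 1-6. Returns 0 when the closing "mov X, [X]" would read
   address 0, which is where the real machine faults and halts. */
static int step(void)
{
    /* Steps 1-2: current symbol vs trigger symbol, equality by aliasing */
    X = mem[SYMBOL]; Y = mem[CTRANS]; Y = mem[Y];
    mem[X] = 0; mem[Y] = 1; M = mem[X];
    /* Step 3: write back old or new symbol, chosen by M */
    X = mem[CTRANS]; X = mem[X + 1]; X = mem[X]; Y = mem[SYMBOL];
    mem[LOOKUP] = Y; mem[LOOKUP + 1] = X; Z = mem[LOOKUP + M]; mem[SYMBOL] = Z;
    /* Step 4.1: direction */
    D = mem[CTRANS]; D = mem[D + 1]; D = mem[D + 1]; D = mem[D];
    /* Step 4.2: push the current cell on the stack chosen by D */
    mem[LOOKUP] = LEFT; mem[LOOKUP + 1] = RIGHT; X = mem[LOOKUP + D]; mem[SYMBOL + 1] = X;
    mem[LOOKUP] = SYMBOL; mem[LOOKUP + 1] = LEFT; LEFT = mem[LOOKUP + D];
    mem[LOOKUP] = RIGHT; mem[LOOKUP + 1] = SYMBOL; RIGHT = mem[LOOKUP + D];
    /* Step 4.3: no match -> invert D so the pop below undoes the push */
    mem[LOOKUP] = 1; mem[LOOKUP + 1] = 0; X = mem[LOOKUP + D];
    mem[LOOKUP] = X; mem[LOOKUP + 1] = D; D = mem[LOOKUP + M];
    /* Step 4.4: pop the new current cell from the stack chosen by D */
    mem[LOOKUP] = RIGHT; mem[LOOKUP + 1] = LEFT; SYMBOL = mem[LOOKUP + D]; X = mem[SYMBOL + 1];
    mem[LOOKUP] = LEFT; mem[LOOKUP + 1] = X; LEFT = mem[LOOKUP + D];
    mem[LOOKUP] = X; mem[LOOKUP + 1] = RIGHT; RIGHT = mem[LOOKUP + D];
    /* Step 5: alternative transition on no match, next state's first on match */
    X = mem[CTRANS + 1];
    Y = mem[CTRANS]; Y = mem[Y + 1]; Y = mem[Y + 1]; Y = mem[Y + 1]; Y = mem[Y];
    mem[LOOKUP] = X; mem[LOOKUP + 1] = Y; CTRANS = mem[LOOKUP + M];
    /* Step 6: H = (CTRANS == N). Saving [CTRANS] in Z and restoring it is an
       addition: a bare "mov [CTRANS], 1" would clobber the next transition. */
    Z = mem[CTRANS]; mem[N] = 0; mem[CTRANS] = 1; H = mem[N]; mem[CTRANS] = Z;
    mem[LOOKUP] = N; mem[LOOKUP + 1] = 0; X = mem[LOOKUP + H];
    return X != 0;   /* stands in for the fault of "mov X, [X]" at address 0 */
}

/* Demo machine (assumption): state Q0 inverts bits moving right and, on the
   first blank, moves left and halts. Tape = input then blanks, head on cell 0. */
static void build(const char *input)
{
    unsigned q0 = TRANS, i, n = (unsigned)strlen(input);
    memset(mem, 0, sizeof mem);
    add_transition(q0,      SYM_0, SYM_1, DIR_R, q0, q0 + 10);
    add_transition(q0 + 10, SYM_1, SYM_0, DIR_R, q0, q0 + 20);
    add_transition(q0 + 20, SYM_B, SYM_B, DIR_L, N,  N);
    for (i = 0; i < TAPE_LEN; i++) {
        char c = i < n ? input[i] : '_';
        mem[TAPE + 2 * i]     = c == '0' ? SYM_0 : c == '1' ? SYM_1 : SYM_B;
        mem[TAPE + 2 * i + 1] = i + 1 < TAPE_LEN ? TAPE + 2 * (i + 1) : 0;
    }
    SYMBOL = TAPE; LEFT = 0; RIGHT = TAPE + 2; CTRANS = q0;
}

/* Passes until the machine halts, or -1 if max_passes is reached first (a
   C-level safety net; the tape is finite and must not be run off). */
static int run(const char *input, int max_passes)
{
    int passes = 1;
    build(input);
    while (step()) if (++passes > max_passes) return -1;
    return passes;
}

static unsigned head_index(void) { return (SYMBOL - TAPE) / 2; }

/* Tape read back from the fixed cell addresses, '_' for blank. */
static const char *tape_string(void)
{
    static char out[TAPE_LEN + 1];
    unsigned i;
    for (i = 0; i < TAPE_LEN; i++) {
        unsigned s = mem[TAPE + 2 * i];
        out[i] = s == SYM_0 ? '0' : s == SYM_1 ? '1' : '_';
    }
    out[TAPE_LEN] = '\0';
    return out;
}

int main(void)
{
    int n = run("1011", 1000);
    printf("halted after %d passes, tape %s, head on cell %u\n", n, tape_string(), head_index());
    return 0;
}
```

On input 1011 the machine tests one transition per pass (Q0's list is 0, then 1, then blank), so a cell holding 1 costs two passes and a cell holding 0 one; the blank at cell 4 costs three and ends with CTRANS = N, which is the only point where Step 6 selects address 0.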
Practical time
Chris Domas's movfuscator
• https://github.com/xoreaxeaxeax/movfuscator
• A C compiler that compiles into mov instructions only
• Uses LCC as the frontend
Why is it called movfuscator?
• To defeat reverse-engineering
• Disassembled output (image): GCC vs movfuscator
Why is it called movfuscator?
• Control flow graph generated by disassemblers (images): typical vs mov-only
Source: slides 109-110 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Quick demo
Our hello world program
GCC (hwgcc.sh) vs Movcc (hwmov.sh):
Compile the program and run it:
  gcc -g hw.c -o hw-gcc.out && ./hw-gcc.out
  movcc -g hw.c -o hw-movcc.out && ./hw-movcc.out
Disassemble the program and write the output to a file:
  objdump -M intel -S -l hw-gcc.out > hw-gcc.asm
  objdump -M intel -S -l hw-movcc.out > hw-movcc.asm
Open in Sublime Text:
  subl hw-gcc.asm
  subl hw-movcc.asm
Enhancement: Remove the jmp at the end
• mov cs, ax   // an illegal mov: the code segment register cannot be written with mov, so the CPU raises an invalid-opcode fault
• Solution concept:
• The OS raises SIGILL (illegal instruction signal)
• Install a handler for SIGILL with sigaction(), so the OS hands the faulting instruction to our code
• The handler reloads the stack and goes back to the top of the program
Source: slide 101 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
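The handler-based loop described above, as an added example in C; this is not Chris Domas's code. The faulting mov cs, ax is replaced by raise(SIGILL) so that the program also builds on machines without that instruction, and the handler returns to the top with siglongjmp, which is this example's way of "reloading the stack" (POSIX permits siglongjmp out of a handler, and restoring the saved signal mask lets the next SIGILL be delivered). The loop body, a pass counter, is a constructed stand-in for the mov program.

```c
/* Added example: a loop whose only back-edge is a SIGILL handler. The real
   movfuscator faults with "mov cs, ax"; raise(SIGILL) stands in for it here. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

static sigjmp_buf top_of_program;       /* the saved context for "start:" */
static volatile sig_atomic_t passes;    /* how many times the body has run */
static struct sigaction sa;             /* static so it is not touched across the jump */

static void on_sigill(int sig)
{
    (void)sig;
    /* "Reload the stack and go back to the top": unwind to the context saved
       by sigsetjmp(..., 1); the signal mask is restored with it. */
    siglongjmp(top_of_program, 1);
}

/* Installs the handler, runs the loop body until `passes` reaches `wanted`
   without any jmp in the body, and returns the number of passes made. */
static int run_loop(int wanted)
{
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sa.sa_handler = on_sigill;
    if (sigaction(SIGILL, &sa, NULL) != 0)
        return -1;

    passes = 0;
    sigsetjmp(top_of_program, 1);       /* start: re-entered on every SIGILL */
    passes = passes + 1;                /* the "mov program" body */
    if (passes < wanted)
        raise(SIGILL);                  /* stands in for mov cs, ax; control never returns here */

    /* halting: in the real program this is the load from address 0 */
    sa.sa_handler = SIG_DFL;
    sigaction(SIGILL, &sa, NULL);
    return passes;
}

int main(void)
{
    printf("loop body ran %d times without a jmp\n", run_loop(5));
    return 0;
}
```

Once the handler is installed, the body's control flow is: execute, fault, handler, top. Nothing in the body itself transfers control, which is what lets the emitted code consist of mov instructions only.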
Problem 1: Branching
• Issue: all mov instructions always execute
• Use dummy data if the effects of some mov instructions must be ignored
start:
0x1000 mov ...
0x1004 mov ...
0x1008 mov ...
0x100c mov ...
0x1010 mov ...
0x1014 mov ...
0x1018 mov ...
0x101c mov ...
0x1020 mov ...
0x1024 mov ...
0x1028 mov ...
0x102c mov ...
0x1030 jmp start
Branching from one instruction in this run to the destination 0x1010:
Step 1: Store the address 0x1010 somewhere
Step 2: Switch the memory pointers to dummy data, so the movs that follow still execute but change nothing real
Step 3: Proceed, and loop around via jmp start if the destination lies behind the current position
Step 4: At each block, check whether this block is meant to be executed (its address equals the stored one)
Step 5: Switch back to the real data and continue execution
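The branching scheme above as an added example in C; this is not movfuscator's code. Five "blocks" at the slide's addresses each store a value, and a pending branch turns their stores towards dummy memory until the destination block is reached, after which the stores land in real memory again. The memory layout, the block values, and the two helpers (the same equality and selection primitives as the Turing machine) are assumptions of this example; the block addresses double as scratch words for the equality test, as symbols do in the Turing machine.

```c
/* Added example: predicated execution with mov only. Every block runs on
   every pass; a 0/1 flag picks whether its store hits real or dummy memory. */
#define MEM_WORDS 0x2000
static unsigned mem[MEM_WORDS];   /* flat word memory; block addresses index it too */

#define LOOKUP  8                 /* two-word lookup table                              */
#define SCRATCH 16                /* dummy data: stores that must be ignored land here  */
#define RESULT  24                /* real data: RESULT + i is block i's output slot     */
#define TARGET  32                /* word in which Step 1 stores the branch destination */
#define NBLOCKS 5

/* The straight-line program of the slide: one block per address (assumption). */
static const unsigned block_addr[NBLOCKS]  = {0x1000, 0x1004, 0x1008, 0x100c, 0x1010};
static const unsigned block_value[NBLOCKS] = {11, 22, 33, 44, 55};

/* Value selection with a 0/1 flag, using only mov forms (slide 20). */
static unsigned sel(unsigned flag, unsigned when0, unsigned when1)
{
    mem[LOOKUP] = when0;
    mem[LOOKUP + 1] = when1;
    return mem[LOOKUP + flag];
}

/* Equality by aliasing (slides 17-19); both arguments are used as addresses. */
static unsigned eq(unsigned a, unsigned b)
{
    mem[a] = 0;
    mem[b] = 1;
    return mem[a];
}

/* One pass over the program. `pending` is 1 if a branch to `dest` (one of the
   block addresses) is in flight, 0 otherwise; `dest` must still be a valid
   address when no branch is pending, since it is written by eq(). */
static void run_pass(unsigned pending, unsigned dest)
{
    unsigned i, on, hit, dst;
    for (i = 0; i < NBLOCKS; i++)              /* test setup only, not part of the program */
        mem[RESULT + i] = 0;
    mem[TARGET] = dest;                        /* Step 1: store the destination */
    on = sel(pending, 1, 0);                   /* Step 2: pending branch -> execution "off" */
    for (i = 0; i < NBLOCKS; i++) {            /* Step 3: the movs run in address order regardless */
        hit = eq(block_addr[i], mem[TARGET]);  /* Step 4: is this the block to resume at? */
        on  = sel(hit, on, 1);                 /* Step 5: from the destination on, real data again */
        dst = sel(on, SCRATCH, RESULT + i);    /* off: dummy slot; on: the block's real slot */
        mem[dst] = block_value[i];             /* the block's own work, executed on every pass */
    }
}

static unsigned slot(unsigned i) { return mem[RESULT + i]; }   /* block i's real output */
static unsigned scratch(void)    { return mem[SCRATCH]; }      /* last discarded store  */
```

With no branch pending every slot is written; with a branch to 0x1010 pending, the first four blocks still execute but their stores all land in SCRATCH (which ends up holding the last of them, 44), and only block 4 writes its real slot.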
Problem 2: Arithmetic
• For example add32 (image: macro expansion)
Source: slide 133 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Problem 2: Arithmetic
• Division takes more than 7000 mov instructions (with the help of macros)
Source: slide 141 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Problem 3: Speed
• Unsolvable: each original instruction expands into many mov instructions
Our Fibonacci program
GCC (fibgcc.sh): compile with gcc fib.c -o fib-gcc.out, run with ./fib-gcc.out
Movcc (fibmov.sh): compile with movcc fib.c -o fib-movcc.out, run with ./fib-movcc.out
The End/References
• http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
• http://www.gwern.net/Turing-complete
• https://github.com/xoreaxeaxeax/movfuscator
• https://www.youtube.com/watch?v=R7EEoWg6Ekk
Speaking at Tech meetups/conferences for Junior Devsyeokm1
 
Reflections on Trusting Trust for Go
Reflections on Trusting Trust for GoReflections on Trusting Trust for Go
Reflections on Trusting Trust for Goyeokm1
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectreyeokm1
 
Gentoo on a 486
Gentoo on a 486Gentoo on a 486
Gentoo on a 486yeokm1
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scoutyeokm1
 
BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017yeokm1
 
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiteryeokm1
 
PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)yeokm1
 
SP Auto Door Unlocker
SP Auto Door UnlockerSP Auto Door Unlocker
SP Auto Door Unlockeryeokm1
 
SP IoT Doorbell
SP IoT DoorbellSP IoT Doorbell
SP IoT Doorbellyeokm1
 
Distance Machine Locker
Distance Machine LockerDistance Machine Locker
Distance Machine Lockeryeokm1
 
A Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech ThingA Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech Thingyeokm1
 
A Science Project: Swift Serial Chat
A Science Project: Swift Serial ChatA Science Project: Swift Serial Chat
A Science Project: Swift Serial Chatyeokm1
 
The slide rule
The slide ruleThe slide rule
The slide ruleyeokm1
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareyeokm1
 
Repair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker TrainingRepair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker Trainingyeokm1
 
A2: Analog Malicious Hardware
A2: Analog Malicious HardwareA2: Analog Malicious Hardware
A2: Analog Malicious Hardwareyeokm1
 
Getting Started with Raspberry Pi
Getting Started with Raspberry PiGetting Started with Raspberry Pi
Getting Started with Raspberry Piyeokm1
 

Mais de yeokm1 (20)

I became a Private Pilot and this is my story
I became a Private Pilot and this is my storyI became a Private Pilot and this is my story
I became a Private Pilot and this is my story
 
What's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light planeWhat's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light plane
 
Speaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior DevsSpeaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior Devs
 
Reflections on Trusting Trust for Go
Reflections on Trusting Trust for GoReflections on Trusting Trust for Go
Reflections on Trusting Trust for Go
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectre
 
Gentoo on a 486
Gentoo on a 486Gentoo on a 486
Gentoo on a 486
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scout
 
BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017
 
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 
PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)
 
SP Auto Door Unlocker
SP Auto Door UnlockerSP Auto Door Unlocker
SP Auto Door Unlocker
 
SP IoT Doorbell
SP IoT DoorbellSP IoT Doorbell
SP IoT Doorbell
 
Distance Machine Locker
Distance Machine LockerDistance Machine Locker
Distance Machine Locker
 
A Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech ThingA Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech Thing
 
A Science Project: Swift Serial Chat
A Science Project: Swift Serial ChatA Science Project: Swift Serial Chat
A Science Project: Swift Serial Chat
 
The slide rule
The slide ruleThe slide rule
The slide rule
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardware
 
Repair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker TrainingRepair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker Training
 
A2: Analog Malicious Hardware
A2: Analog Malicious HardwareA2: Analog Malicious Hardware
A2: Analog Malicious Hardware
 
Getting Started with Raspberry Pi
Getting Started with Raspberry PiGetting Started with Raspberry Pi
Getting Started with Raspberry Pi
 

Último

Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 

Último (20)

Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 

How "mov

1. What is a Turing machine?
Source: http://stackoverflow.com/a/236022
Theoretical Finite State Machine (FSM) model
Characteristics
Operates on a tape
• Unbounded length
• Divided into cells
• Each cell contains a symbol from a finite alphabet
Head (Scanner)
• Reads/writes cells
• Can move left/right to the next cell
State register
• Remembers the current state of the FSM
Transition state table
• Looks up the next state, the symbol to write and the tape direction, based on the current state and symbol
Logic Process
1. Read the current symbol from the tape
2. Consult the transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay in or go to another state, as the state table says
8
2. What does it mean to be Turing-complete?
A programming language must be able to compute any problem a Turing machine can.
-> It must provide the same characteristics as a Turing machine: the tape (unbounded, divided into cells, each holding a symbol of a finite alphabet), the head (reads/writes cells, moves left/right), the state register, the transition state table, and the five-step logic process of slide 8.
9
3. What is mov?
• x86 assembly instruction that moves contents from one location to another.
• General syntax: mov destination, source
• Copies (does not cut) from source to destination
• Comes in 5 forms
Syntax                         Explanation
mov Rdest, Rsrc                Register <- Register
mov Rdest, c                   Register <- Constant
mov [Rdest + Roffset], c       Memory <- Constant
mov Rdest, [Rsrc + Roffset]    Register <- Memory
mov [Rdest + Roffset], Rsrc    Memory <- Register
Square brackets [x] mean a memory access at the address given by x.
10
4. What does it take for "mov" to be Turing-complete?
Turing machine characteristic                                      In the context of a mov-only instruction set
Operates on a tape (unbounded, cells, finite alphabet)             ???
Head (Scanner): reads/writes cells, moves left/right               Read/write memory at multiple locations: mov
State register: remembers the current state of the FSM             Just reserve one register to remember the state
Transition state table: next state, symbol & direction lookup      ???
Logic process (steps 1 to 5 of slide 8)                            ???
11
What do we have to do?
Unfulfilled Turing characteristics:
• Operates on a tape: unbounded length, divided into cells, each cell holding a symbol of a finite alphabet
• Transition state table: look up the next state, the symbol to write and the tape direction from the current state and symbol
• Logic process: 1. read the current symbol, 2. consult the transition table, 3. modify the symbol, 4. move the head left/right/stay, 5. stay in or go to another state
12
Building our Turing machine
13
Designing the tape
Unfulfilled Turing characteristic: operates on a tape (unbounded length, divided into cells, each cell holding a symbol of a finite alphabet)
[Figure: the tape as a current-symbol cell plus two linked-list stacks]
  Left stack:  Left Symbol 1 | Point to Left symbol 2 -> Left Symbol 2 | Point to Left symbol 3 -> Left Symbol 3 | Point to Left symbol 4 -> ...
  Current Symbol | Null
  Right stack: Right Symbol 1 | Point to Right symbol 2 -> Right Symbol 2 | Point to Right symbol 3 -> Right Symbol 3 | Point to Right symbol 4 -> ...
• The current symbol is held in its own cell
• A left stack and a right stack hold everything else
• Each symbol cell holds 2 things
  1. Pointer to the symbol value
  2. Pointer to the next cell
• <= Move the tape to the left: the current symbol cell goes onto the left stack (it becomes Left Symbol 0, pointing to Left Symbol 1) and the top of the right stack becomes the new current symbol
14
Designing the tape
Unfulfilled Turing characteristic: operates on a tape (unbounded length, divided into cells, each cell holding a symbol of a finite alphabet)
[Figure: the same two stacks as slide 14, the current symbol now moving the other way]
• => Move the tape to the right: the current symbol cell goes onto the right stack (it becomes Right Symbol 0, pointing to Right Symbol 1) and the top of the left stack becomes the new current symbol
15
Designing the transition state table
Unfulfilled Turing characteristic: transition state table (look up the next state, the symbol to write and the tape direction from the current state and symbol)
• Table of linked cells, which is easier for mov to follow
• Each cell contains a value and a pointer to the next cell
• N: dummy pointer indicating the end of a list
[Figure: one transition of state Qx as a chain of cells; the figure shows such chains for states Q0 and Q1]
  Current State Qx -> points to its first transition cell
  Transition cell: Pointer to the trigger symbol of this transition | Pointer to the alternative transition cell (the next transition of the same state)
  Trigger symbol | Pointer to the new-symbol cell
  New symbol | Pointer to the direction cell
  Direction | Pointer to the next-state cell
  Next state | N (end of list)
16
Now to the mov stuff
17
Equality checking (Problem)
• We want to check whether Ri == Rj
• Output the result of the comparison as 0/1 in register Rk
18
Equality checking (Example 1)
• Assume both are equal: Ri = Rj = 6
• We want to check whether Ri == Rj
• Expected output: register Rk = 1
• mov [Ri], 0  -> mov [6], 0
• mov [Rj], 1  -> mov [6], 1
• mov Rk, [Ri] -> mov Rk, [6]
[Figure: memory addresses 0 to 8 of the machine; address 6 first receives 0, then is overwritten with 1, so the read through Ri returns 1]
Registers: Ri = 6, Rj = 6, Rk (result) = 1
19
Equality checking (Example 2)
• Assume both are NOT equal: Ri = 5, Rj = 2
• We want to check whether Ri == Rj
• Expected output: register Rk = 0
• mov [Ri], 0  -> mov [5], 0
• mov [Rj], 1  -> mov [2], 1
• mov Rk, [Ri] -> mov Rk, [5]
[Figure: memory addresses 0 to 8 of the machine; address 5 receives 0 and address 2 receives 1, so the read through Ri returns the untouched 0]
Registers: Ri = 5, Rj = 2, Rk (result) = 0
20
Value selection
• Given Rc being 0 or 1, pick either value Ra or Rb
• Put the result in Rd
• Use Rlookup as the start address of a two-entry "lookup table"
• mov [Rlookup], Ra
• mov [Rlookup + 1], Rb
• mov Rd, [Rlookup + Rc]   // Rc is 0 or 1
• If Rc == 0: Rd = Ra
• Else: Rd = Rb
[Figure: lookup table at addresses Rlookup (contents Ra) and Rlookup + 1 (contents Rb)]
21
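The two gadgets of slides 18 to 21, the equality check and the value selection, as an added Python example (not code from the slides or from Dolan's paper). Each statement on the toy machine corresponds to one of the five mov forms of slide 10, noted in its comment. The memory size and the lookup-table address are assumptions made for the example; the precondition check in equal_via_mov is the practitioner's caveat the slides leave implicit: the trick stores through Ri and Rj, so both values must be addresses of writable scratch cells, which is why the machine represents symbols as pointers (slide 14).

```python
# Added example, not code from the slides or Dolan's paper: the equality test
# of slides 18-20 and the value selection of slide 21, each operation written
# as one of the five mov forms of slide 10. MEM_SIZE and RLOOKUP are assumed.

MEM_SIZE = 16          # assumed size of the toy machine's memory
RLOOKUP = 10           # assumed start address of the two-word lookup table


def equal_via_mov(ri, rj):
    """Rk = 1 if Ri == Rj else 0, using only stores through Ri and Rj.
    Precondition: both values are addresses of writable scratch cells; the
    stores would otherwise clobber live data, so symbols must be pointers."""
    if not (0 < ri < MEM_SIZE and 0 < rj < MEM_SIZE):
        raise ValueError("operands must be valid scratch addresses")
    mem = [0] * MEM_SIZE
    mem[ri] = 0           # mov [Ri], 0      Memory <- Constant
    mem[rj] = 1           # mov [Rj], 1      Memory <- Constant
    rk = mem[ri]          # mov Rk, [Ri]     Register <- Memory
    return rk             # 1 only if the second store overwrote the first


def select_via_mov(rc, ra, rb):
    """Rd = Ra if Rc == 0 else Rb, with no branch: index a two-entry table."""
    if rc not in (0, 1):
        raise ValueError("Rc must be 0 or 1")
    mem = [0] * MEM_SIZE
    mem[RLOOKUP] = ra         # mov [Rlookup], Ra          Memory <- Register
    mem[RLOOKUP + 1] = rb     # mov [Rlookup + 1], Rb      Memory <- Register
    rd = mem[RLOOKUP + rc]    # mov Rd, [Rlookup + Rc]     Register <- Memory
    return rd


def if_equal_else(ri, rj, then_value, else_value):
    """The two gadgets chained into a branch-free 'if Ri == Rj': the shape
    Step 3 of the Turing-machine loop uses (a match selects then_value)."""
    return select_via_mov(equal_via_mov(ri, rj), else_value, then_value)
```

Note the order of the two stores in equal_via_mov: storing 1 first and 0 second would give the inverted sense (1 when not equal), and select_via_mov's table order fixes which of the two candidates a 0 selects; the later slides lean on both conventions.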
Our architecture so far
Setting aside some registers
Register   Purpose
SYMBOL     Pointer to the current symbol cell read from the tape
LEFT       Pointer to the first cell on the left stack
RIGHT      Pointer to the first cell on the right stack
CTRANS     Pointer to the transition being tested (the first word of a transition points to its trigger symbol)
LOOKUP     Pointer to the lookup table (scratch space)
[Figure: memory holds the tape (left/right stacks of linked cells plus the current symbol cell), the transition state table (current state -> trigger symbol -> new symbol -> tape direction -> next state) and the two-word lookup table at LOOKUP and LOOKUP + 1]
22
Logic Process
(The memory layout and register table of slide 22 are repeated on slides 23 to 29.)
1. Read the current symbol from the tape
2. Consult the transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay in or go to another state, as the state table says
23
Logic Process (Steps 1 & 2)
• Consult the transition state table
• Retrieve the current symbol and compare it with the trigger symbol
• Extra temporary registers X, Y & M
  mov X, [SYMBOL]   // get the current symbol
  mov Y, [CTRANS]   // get the pointer to the trigger symbol
  mov Y, [Y]        // get the trigger symbol
  mov [X], 0        // put 0 in memory using X (the current symbol) as the address
  mov [Y], 1        // put 1 in memory using Y (the trigger symbol) as the address
  mov M, [X]        // M gets 0/1 depending on equality
• This is the equality check of slides 19 and 20, so every symbol value must be a valid, writable address: symbols are pointers to scratch cells (slide 14)
Register     Contents after this step
X (Temp)     Current symbol
Y (Temp)     Trigger symbol (first loaded as the pointer to the trigger symbol)
M (Result)   1 if equal, 0 otherwise
24
Logic Process (Step 3)
• Modify the symbol
• M from Step 2. Extra temporary registers X, Y, Z
• Choose between the current and the new symbol, then write the chosen symbol back
  mov X, [CTRANS]       // get the pointer to the trigger symbol cell
  mov X, [X + 1]        // load the pointer to the new symbol cell (the word after the trigger symbol)
  mov X, [X]            // load the new symbol
  mov Y, [SYMBOL]       // load the old symbol
  mov [LOOKUP], Y       // lookup table entry 0: old symbol
  mov [LOOKUP + 1], X   // lookup table entry 1: new symbol
  mov Z, [LOOKUP + M]   // M == 1 (transition matched) selects the new symbol, M == 0 keeps the old one
  mov [SYMBOL], Z       // write the selected symbol back
Register     Contents
X (Temp)     New symbol (first loaded as the pointer to the trigger symbol, then the pointer to the new symbol)
Y (Temp)     Old symbol
M (Match)    0/1 result of the transition comparison from Step 2
Z (Temp)     Selected symbol value, X or Y
25
Logic Process (Step 4.1)
• Load the tape direction of the transition, regardless of whether the transition matched
• M from Step 2. Result register D holds the direction
  mov D, [CTRANS]   // get the pointer to the trigger symbol cell
  mov D, [D + 1]    // load the pointer to the new symbol cell
  mov D, [D + 1]    // load the pointer to the direction cell
  mov D, [D]        // load the direction
Register     Contents
M (Match)    0/1 result of the transition comparison from Step 2
D (Result)   Direction value 0/1
26
Logic Process (Step 4.2)
• Depending on the tape direction, push the current symbol cell onto one of the stacks
• M from Step 2, D from Step 4.1, temporary register X
  // Get the first cell of the left/right stack as the next cell of the current symbol
  mov [LOOKUP], LEFT
  mov [LOOKUP + 1], RIGHT
  mov X, [LOOKUP + D]
  mov [SYMBOL + 1], X      // point the current symbol's next pointer to that cell
  // Select the new top of the LEFT stack: the current symbol cell if D == 0, else unchanged
  mov [LOOKUP], SYMBOL
  mov [LOOKUP + 1], LEFT
  mov LEFT, [LOOKUP + D]
  // Select the new top of the RIGHT stack: the current symbol cell if D == 1, else unchanged
  mov [LOOKUP], RIGHT
  mov [LOOKUP + 1], SYMBOL
  mov RIGHT, [LOOKUP + D]
Register     Contents
M (Match)    0/1 result of the transition comparison from Step 2
D (Result)   Direction value 0/1 from Step 4.1
X (Temp)     Pointer to the first cell of the chosen stack
[Figure: the current symbol cell now reads "Current Symbol | Point to Left/Right symbol 1"]
27
• 28. Logic Process (Step: 4.3)
  Tape: Current Symbol | Point to Left/Right symbol 1
  Registers used: M (Match) = result 0/1 of transition comparison from Step 2; D (Result) = direction value 0/1 from Step 4.1, then direction value to determine pop decision; X (Temp) = negation of D
  • Preparation to pop stack
  • Invert Register D if no movement is actually required, i.e. M == 0
  • M from Step 2, D from Step 4.1, Temporary Register X.
  • // Put negation of D into X
  • mov [LOOKUP], 1 // Reverse order of selection
  • mov [LOOKUP + 1], 0 // Reverse order of selection
  • mov X, [LOOKUP + D]
  • // Use M to select between D or X (D-negation)
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], D
  • mov D, [LOOKUP + M]
  Lookup table contents at each selection: 1 | 0, then X (D-negation) | D
• 29. Logic Process (Step: 4.4)
  Tape before this step (the pushed cell is now symbol 0 of its stack): Left symbol 0 | Point to Left symbol 1; Right symbol 0 | Point to Right symbol 1; Current Symbol | Point to Left/Right symbol 1
  Registers used: D (Result) = direction value to determine pop decision; X (Temp) = top value of stack we popped from
  • We need a new current symbol, pop a cell from one side based on D
  • D from Step 4.3, Temporary Register X.
  • // Select new value for SYMBOL from either LEFT or RIGHT stack
  • mov [LOOKUP], RIGHT
  • mov [LOOKUP + 1], LEFT
  • mov SYMBOL, [LOOKUP + D]
  • mov X, [SYMBOL + 1] // Find new top of stack
  • // Find new top value for LEFT
  • mov [LOOKUP], LEFT
  • mov [LOOKUP + 1], X
  • mov LEFT, [LOOKUP + D] // If D == 1, we just popped the left stack, set LEFT to X
  • // Find new value for RIGHT
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], RIGHT
  • mov RIGHT, [LOOKUP + D] // If D == 0, we just popped the right stack, set RIGHT to X
  Lookup table contents at each selection: Right | Left, then Left | X, then X | Right
• 30. Logic Process (Step: 5)
  Registers used: M (Match) = result 0/1 of transition comparison from Step 2; X (Temp) = pointer to next transition of current state; Y (Temp) = pointer to first transition of next state
  • Find next transition
  • M from Step 2, Temporary Registers X & Y.
  • If current transition matches, go to first transition of next state,
  • else, go to next transition of current state
  • // get next transition of current state
  • mov X, [CTRANS + 1]
  • // get first transition of next state
  • mov Y, [CTRANS] // get current transition
  • mov Y, [Y + 1] // skip trigger symbol
  • mov Y, [Y + 1] // skip new symbol
  • mov Y, [Y + 1] // skip direction
  • mov Y, [Y] // Select next transition
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], Y
  • mov CTRANS, [LOOKUP + M]
  Lookup table contents: X | Y
• 31. Logic Process (Extra Step 6): Halting the machine
  Registers used: H (Temp) = whether to halt? 0: No, 1: Yes; X (Temp) = to test whether machine is to halt
  • Halt machine if CTRANS is N
  • Assume load from address 0 halts machine
  • Temporary registers H, X
  • // Set H = 1 if CTRANS is N (end of state list or no outgoing transitions)
  • mov [N], 0
  • mov [CTRANS], 1
  • mov H, [N]
  • // select between 0 and N depending on H value
  • mov [LOOKUP], 0
  • mov [LOOKUP + 1], N
  • mov X, [LOOKUP + H]
  • mov X, [X] // load from 0 or end of list. Program will terminate here if X is 0
  • jmp start // Go back to top of program
  Lookup table contents: 0 | N
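To see the LOOKUP-table trick of Steps 4.2 to 4.4 actually move a tape head without a single conditional, here is an added emulation that is not code from the paper or the talk: memory is a flat list, registers a dict, and `mov()` with the four operand forms used on the slides is the only operation; the cell layout, register names, the `LOOKUP` address and the direction encoding (D = 0 pushes onto LEFT and pops RIGHT, i.e. the head moves right) are my assumptions.

```python
# Constructed emulation, not the paper's or movfuscator's code: a flat memory list, a register
# dict, and mov() as the only operation (operand forms and addresses are my assumptions).
def mov(mem, regs, dst, src):
    """Operands: 'REG', an int immediate, or ('BASE', off) = memory at regs[BASE] + off."""
    def addr(base, off):
        return regs[base] + (regs[off] if isinstance(off, str) else off)
    if isinstance(src, tuple): val = mem[addr(*src)]
    elif isinstance(src, str): val = regs[src]
    else: val = src
    if isinstance(dst, tuple): mem[addr(*dst)] = val
    else: regs[dst] = val

def build_memory(left, right, current):
    """Tape as two linked stacks of [symbol, next] cells; address 0 is the null pointer."""
    mem, free = [0] * 64, iter(range(2, 60, 2))
    def push_all(symbols):            # build bottom-up so symbols[0] ends up on top
        head = 0
        for s in reversed(symbols):
            cell = next(free); mem[cell], mem[cell + 1] = s, head; head = cell
        return head
    regs = {"LEFT": push_all(left), "RIGHT": push_all(right), "LOOKUP": 60}
    regs["SYMBOL"] = push_all([current])          # "Current Symbol | Null"
    return mem, regs

def move_head(mem, regs, D, M):
    """Steps 4.2-4.4. D: direction from Step 4.1 (0 = head moves right, 1 = left); M: match flag."""
    regs["D"], regs["M"] = D, M
    m = lambda dst, src: mov(mem, regs, dst, src)
    # 4.2: push the current cell onto LEFT (D == 0) or RIGHT (D == 1), chosen through LOOKUP + D
    m(("LOOKUP", 0), "LEFT"); m(("LOOKUP", 1), "RIGHT"); m("X", ("LOOKUP", "D"))
    m(("SYMBOL", 1), "X")
    m(("LOOKUP", 0), "SYMBOL"); m(("LOOKUP", 1), "LEFT"); m("LEFT", ("LOOKUP", "D"))
    m(("LOOKUP", 0), "RIGHT"); m(("LOOKUP", 1), "SYMBOL"); m("RIGHT", ("LOOKUP", "D"))
    # 4.3: if the transition did not match (M == 0), invert D so 4.4 pops the cell straight back
    m(("LOOKUP", 0), 1); m(("LOOKUP", 1), 0); m("X", ("LOOKUP", "D"))
    m(("LOOKUP", 0), "X"); m(("LOOKUP", 1), "D"); m("D", ("LOOKUP", "M"))
    # 4.4: pop the new current symbol from RIGHT (D == 0) or LEFT (D == 1)
    m(("LOOKUP", 0), "RIGHT"); m(("LOOKUP", 1), "LEFT"); m("SYMBOL", ("LOOKUP", "D"))
    m("X", ("SYMBOL", 1))
    m(("LOOKUP", 0), "LEFT"); m(("LOOKUP", 1), "X"); m("LEFT", ("LOOKUP", "D"))
    m(("LOOKUP", 0), "X"); m(("LOOKUP", 1), "RIGHT"); m("RIGHT", ("LOOKUP", "D"))
    return read_tape(mem, regs)

def read_tape(mem, regs):
    """Walk both stacks back into lists (nearest to the head first); for inspection only."""
    def walk(cell):
        out = []
        while cell: out.append(mem[cell]); cell = mem[cell + 1]
        return out
    return walk(regs["LEFT"]), walk(regs["RIGHT"]), mem[regs["SYMBOL"]]
```

With M = 0 the push of Step 4.2 and the pop of Step 4.4 cancel out, which is how a non-matching transition still executes every mov yet leaves the tape untouched.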
• 33. Chris Domas’s movfuscator
  • https://github.com/xoreaxeaxeax/movfuscator
  • C compiler that compiles into mov instructions
  • Uses LCC as frontend
• 34. Why is it called movfuscator?
  • To defeat reverse-engineering
  • Disassembled output: GCC vs movfuscator (screenshots)
• 35. Why is it called movfuscator?
  • Control flow graph generated by disassemblers: typical program vs mov-only program (figures)
  Source: Slides 109-110, https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
• 37. Our hello world program
  GCC (hwgcc.sh):
    Compile program and run: gcc -g hw.c -o hw-gcc.out && ./hw-gcc.out
    Disassemble program & output to file: objdump -M intel -S -l hw-gcc.out > hw-gcc.asm
    Open in sublime: subl hw-gcc.asm
  Movcc (hwmov.sh):
    Compile program and run: movcc -g hw.c -o hw-movcc.out && ./hw-movcc.out
    Disassemble program & output to file: objdump -M intel -S -l hw-movcc.out > hw-movcc.asm
    Open in sublime: subl hw-movcc.asm
• 38. Enhancement: Remove jmp at the end
  • mov cs, ax // Illegal mov instruction: cannot modify code segment register
  • Solution concept:
    • OS raises SIGILL (illegal instruction signal)
    • Code to capture SIGILL signal
    • Call sigaction() to tell OS we have handled the instruction
    • Reload the stack (Go back to top)
  Source: Slide 101, https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
• 39. Problem 1: Branching
  • Issue: All mov instructions always execute
  • Use dummy data if mov instructions must be ignored
  • start:
  • 0x1000 mov …
  • 0x1004 mov …
  • 0x1008 mov …
  • 0x100c mov …
  • 0x1010 mov … <- to here (Destination: 0x1010)
  • 0x1014 mov …
  • 0x1018 mov …
  • 0x101c mov …
  • 0x1020 mov …
  • 0x1024 mov …
  • 0x1028 mov …
  • 0x102c mov …
  • 0x1030 jmp start <- Branch from here
  • Step 1: Store address 0x1010 somewhere
  • Step 2: Switch memory pointers to dummy data
  • Step 3: Proceed and loop around if needed
  • Step 4: Check if this block is meant to be executed
  • Step 5: Switch to real data and continue execution
• 40. Problem 2: Arithmetic
  • For example: add32 (macro expansion shown in figure)
  Source: Slide 133, https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
• 41. Problem 2: Arithmetic
  • For division: >7000 mov instructions!!! (with the help of macros)
  Source: Slide 141, https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
• 42. Problem 3: Speed
  • Unsolvable
  • Many mov instructions for a single instruction
• 43. Our Fibonacci program
  GCC (fibgcc.sh):
    Compile program: gcc fib.c -o fib-gcc.out
    Run: ./fib-gcc.out
  Movcc (fibmov.sh):
    Compile program: movcc fib.c -o fib-movcc.out
    Run: ./fib-movcc.out
• 44. The End/References
  • http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
  • http://www.gwern.net/Turing-complete
  • https://github.com/xoreaxeaxeax/movfuscator
  • https://www.youtube.com/watch?v=R7EEoWg6Ekk