mov is Turing-complete
Authored by: Stephen Dolan (PhD Candidate)
19 July 2013
Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
Practical implementation by: Chris Domas
Papers We Love #14 (26 Oct 2015) By: Yeo Kheng Meng (yeokm1@gmail.com)
https://github.com/yeokm1/mov-is-turing-complete1
This presentation is best viewed with the animations.
How did I know of this paper?
Hacker News: June 21
Link to: https://github.com/xoreaxeaxeax/movfuscator
Inspired by mov is Turing-complete
Schedule of presentation
• 2 parts in this presentation
1. Purely theoretical talk about the paper (~40 mins)
2. How things work in practice (~15 mins)
• Short demo using Chris Domas’s implementation
• Challenges of a practical implementation
Motivation
• x86 instruction set is bloated
• 500 to 1000 instructions, depending on the source
• Is it possible to reduce everything to one instruction?
• Initially a thought experiment by Stephen Dolan
• Actual implementation by Chris Domas’s Movfuscator
• https://github.com/xoreaxeaxeax/movfuscator
Some disclaimers from the paper
• Not purely mov-only
• A single “jmp” instruction is used to loop back to the beginning
• Solved by Chris Domas’s implementation
• A load from the invalid memory address 0 is used to halt execution
• No other forms of circumventing the rules
• No self-modifying code
• No runtime code generation
Scope of the problem
Title: mov is Turing-complete
1. What is a Turing machine?
2. What does it mean to be Turing-complete?
3. What is “mov”?
4. What does it take for “mov” to be Turing-complete?
1. What is a Turing machine?
Source: http://stackoverflow.com/a/236022
Theoretical Finite State Machine (FSM) model
Characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Head (Scanner)
• Reads/Writes to cells
• Can move left/right to next cell
State register
• Remember current state of FSM
Transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table
2. What does it mean to be Turing-complete?
A programming language must be able to compute any problem a Turing machine can.
-> It must have the same characteristics as a Turing machine
Characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Head (Scanner)
• Reads/Writes to cells
• Can move left/right to next cell
State register
• Remember current state of FSM
Transition state table
• Lookup next state & symbol, tape direction based on
current state & symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table
3. What is mov?
• x86 assembly instruction to move contents from one location to another
• General syntax: mov destination, source
• Copies (does not cut) from source to destination
• Comes in 5 forms
Syntax                         Explanation
mov Rdest, Rsrc                Register <- Register
mov Rdest, c                   Register <- Constant
mov [Rsrc + Roffset], c        Memory <- Constant
mov Rdest, [Rsrc + Roffset]    Register <- Memory
mov [Rdest + Roffset], Rsrc    Memory <- Register
Square brackets [x] mean a memory access at the address given by x.
4. What does it take for “mov” to be Turing-complete?
Turing machine characteristic -> In the context of a mov-only instruction set
Operates on tape (finite length, divided into cells, each cell contains a symbol of a finite alphabet) -> ???
Head (Scanner): reads/writes cells, can move left/right to the next cell -> Read/write to memory at multiple locations: mov
State register: remembers the current state of the FSM -> Just reserve one register to remember the state
Transition state table: lookup next state & symbol, tape direction based on current state & symbol -> ????
Logic process (1. read current symbol from tape, 2. consult transition state table, 3. modify the symbol, 4. move the head left/right/stay, 5. stay/go to another state based on state table) -> ???
What do we have to do?
Unfulfilled Turing characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Transition state table
• Lookup next state & symbol, tape direction based on current state &
symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table
Building our Turing machine
Designing the tape
Unfulfilled Turing characteristic: operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Design
• Current symbol
• Left/Right stack to hold everything else
• Each symbol cell holds 2 things
1. Pointer to symbol value
2. Pointer to next cell
Layout (figure): Current Symbol | Null; Left Stack: Left Symbol 1 | Point to Left symbol 2, Left Symbol 2 | Point to Left symbol 3, Left Symbol 3 | Point to Left symbol 4, Left Symbol 4 | Point to Left symbol 5, ...; Right Stack: Right Symbol 1 | Point to Right symbol 2, Right Symbol 2 | Point to Right symbol 3, Right Symbol 3 | Point to Right symbol 4, Right Symbol 4 | Point to Right symbol 5, ...
<= Move tape to the left <=
Current symbol goes left: the old current cell becomes Left Symbol 0 | Point to Left symbol 1, and the new current cell is Current Symbol | Null
Designing the tape
Unfulfilled Turing characteristic: operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Design
• Current symbol
• Left/Right stack to hold everything else
• Each symbol cell holds 2 things
1. Pointer to symbol value
2. Pointer to next cell
Layout (figure): same left/right stacks and current symbol cell as before
=> Move tape right =>
Current symbol goes right: the old current cell becomes Right Symbol 0 | Point to Right symbol 1, and the new current cell is Current Symbol | Null
Designing the transition state table
Unfulfilled Turing characteristic: transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
Design
• Table of linked cells, easier for mov to use
• Each cell contains a value and points to the next cell
• N: dummy pointer indicating end of list
Layout (figure), one chain per transition, grouped under State Q0, State Q1, ...:
Current State Qx: points to the trigger symbol cell of a possible transition | points to the alternative transition cell
Trigger symbol | points to the new symbol cell
New symbol | points to the direction cell
Direction | points to the next state cell
Next State | end of list
Now to the mov stuff
Equality checking (Problem)
• We want to check whether Ri == Rj
• Output the result of the comparison (0/1) in register Rk
Equality checking (Example 1)
• Assume both are equal: Ri = Rj = 6
• We want to check if Ri == Rj.
• Expected output in register Rk = 1
• mov [Ri], 0 -> mov [6], 0
• mov [Rj], 1 -> mov [6], 1
• mov Rk, [Ri] -> mov Rk, [6]
Memory (address range of the machine 0 to 8) after the three instructions: address 6 holds 1 (the 0 written first is overwritten); all other addresses are untouched
Register Contents
Ri 6
Rj 6
Rk (Result) 1
Equality checking (Example 2)
• Assume both are NOT equal: Ri = 5, Rj = 2
• We want to check if Ri == Rj.
• Expected output in register Rk = 0
• mov [Ri], 0 -> mov [5], 0
• mov [Rj], 1 -> mov [2], 1
• mov Rk, [Ri] -> mov Rk, [5]
Memory (address range of the machine 0 to 8) after the three instructions: address 5 holds 0, address 2 holds 1 (the two writes do not collide); all other addresses are untouched
Register Contents
Ri 5
Rj 2
Rk (Result) 0
Value selection
• Given Rc being 0 or 1, pick either value Ra or Rb
• Put the result in Rd
• Use Rlookup as the start address of a “lookup table”
• mov [Rlookup], Ra
• mov [Rlookup + 1], Rb
• mov Rd, [Rlookup + Rc] // Rc is 0 or 1
• If Rc == 0: Rd = Ra
• Else: Rd = Rb
Lookup table
Address Rlookup: Ra
Address Rlookup + 1: Rb
Our architecture so far
Setting aside some registers
Register Purpose
SYMBOL Pointer to current symbol read from tape
LEFT Pointer to first symbol on the left stack
RIGHT Pointer to first symbol on the right stack
CTRANS Pointer to transition to be tested (first word of transition points to trigger symbol)
LOOKUP Points to lookup table (scratch space)
Memory layout (figure): the tape as left/right stacks of symbol cells (each cell: symbol pointer | pointer to next cell; the current symbol cell has a Null next pointer), the transition state table (Current State -> Trigger Symbol -> New Symbol -> Tape Direction -> Next State) and the lookup table at LOOKUP / LOOKUP + 1
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table
Logic Process (Step: 1 & 2)
• Consult the transition state table
• Retrieve the current symbol and compare it with the trigger symbol
• Extra temporary registers X, Y & M
• mov X, [SYMBOL] // get current symbol
• mov Y, [CTRANS] // get pointer to trigger symbol
• mov Y, [Y] // get trigger symbol
• mov [X], 0 // put 0 in memory using X as index
• mov [Y], 1 // put 1 in memory using Y as index (overwrites the 0 only if X == Y)
• mov M, [X] // M gets 0/1 depending on equality
Register Contents
X (Temp) Current symbol
Y (Temp) Pointer to trigger symbol, then the trigger symbol
M (Result) 1 if equal, 0 otherwise
Logic Process (Step: 3)
• Modify the symbol
• M from Step 2. Extra temporary registers X, Y, Z.
• Choose between the current and the new symbol, then write the chosen symbol back
• mov X, [CTRANS] // get pointer to trigger symbol
• mov X, [X + 1] // load pointer to new symbol by skipping the trigger symbol
• mov X, [X] // load new symbol
• mov Y, [SYMBOL] // load old symbol
• mov [LOOKUP], Y // lookup table: is the symbol to write X or Y?
• mov [LOOKUP + 1], X
• mov Z, [LOOKUP + M] // M == 0 selects Y (old symbol), M == 1 selects X (new symbol)
• mov [SYMBOL], Z // write the selected symbol back
Register Contents
SYMBOL Pointer to current symbol read from tape
X (Temp) Pointer to trigger symbol, then pointer to new symbol, then the new symbol
Y (Temp) Old symbol
M (Match) Result 0/1 of transition comparison from Step 2
Z (Temp) Selected symbol value, from X or Y
Lookup table LOOKUP: Y, LOOKUP + 1: X
Logic Process (Step: 4.1)
• Load the tape direction of the transition, regardless of whether the transition matched
• M from Step 2. Result register D holds the direction.
• mov D, [CTRANS] // get pointer to trigger symbol
• mov D, [D + 1] // load new symbol pointer
• mov D, [D + 1] // load direction pointer
• mov D, [D] // load direction
Register Contents
SYMBOL Pointer to current symbol read from tape
M (Match) Result 0/1 of transition comparison from Step 2
D (Result) Pointer to trigger symbol, then pointer to new symbol, then pointer to direction, then the direction value 0/1
Logic Process (Step: 4.2)
• Depending on the tape direction, push the current symbol cell onto one of the stacks
• M from Step 2, D from Step 4.1, temporary register X.
• // Get the first cell of the left/right stack as the next cell of the current symbol
• mov [LOOKUP], LEFT
• mov [LOOKUP + 1], RIGHT
• mov X, [LOOKUP + D]
• mov [SYMBOL + 1], X // point the current symbol’s next pointer to that cell
• // Select the new value for LEFT
• mov [LOOKUP], SYMBOL
• mov [LOOKUP + 1], LEFT
• mov LEFT, [LOOKUP + D] // D == 0: the current symbol becomes the top of the left stack
• // Select the new value for RIGHT
• mov [LOOKUP], RIGHT
• mov [LOOKUP + 1], SYMBOL
• mov RIGHT, [LOOKUP + D] // D == 1: the current symbol becomes the top of the right stack
Register Contents
SYMBOL Pointer to current symbol read from tape (its next pointer now points to Left/Right symbol 1)
M (Match) Result 0/1 of transition comparison from Step 2
D (Result) Direction value 0/1 from Step 4.1
X (Temp) Pointer to first cell of left/right stack
Lookup table (in turn) LEFT / RIGHT, then SYMBOL / LEFT, then RIGHT / SYMBOL
Logic Process (Step: 4.3)
• Preparation to pop the stack
• Invert register D if no movement is actually required, i.e. M == 0, so that Step 4.4 pops back the cell Step 4.2 just pushed
• M from Step 2, D from Step 4.1, temporary register X.
• // Put the negation of D into X
• mov [LOOKUP], 1 // reverse order of selection
• mov [LOOKUP + 1], 0 // reverse order of selection
• mov X, [LOOKUP + D]
• // Use M to select between D and X (D negated)
• mov [LOOKUP], X
• mov [LOOKUP + 1], D
• mov D, [LOOKUP + M] // M == 0 selects X (D negated), M == 1 keeps D
Register Contents
SYMBOL Pointer to current symbol read from tape
M (Match) Result 0/1 of transition comparison from Step 2
D (Result) Direction value 0/1 from Step 4.1, now the direction value used for the pop decision
X (Temp) Negation of D
Lookup table (in turn) 1 / 0, then X (D negated) / D
Logic Process (Step: 4.4)
• We need a new current symbol: pop a cell from one side based on D
• D from Step 4.3, temporary register X.
• // Select the new value for SYMBOL from either the LEFT or the RIGHT stack
• mov [LOOKUP], RIGHT
• mov [LOOKUP + 1], LEFT
• mov SYMBOL, [LOOKUP + D] // D == 0 pops the right stack, D == 1 pops the left stack
• mov X, [SYMBOL + 1] // find the new top of that stack
• // Find the new top value for LEFT
• mov [LOOKUP], LEFT
• mov [LOOKUP + 1], X
• mov LEFT, [LOOKUP + D] // if D == 1 we just popped the left stack: set LEFT to X
• // Find the new value for RIGHT
• mov [LOOKUP], X
• mov [LOOKUP + 1], RIGHT
• mov RIGHT, [LOOKUP + D] // if D == 0 we just popped the right stack: set RIGHT to X
Register Contents
SYMBOL Pointer to current symbol read from tape (the cell just popped; its next pointer points to Left/Right symbol 1)
D (Result) Direction value to determine pop decision
X (Temp) Top value of stack we popped from
Lookup table (in turn) RIGHT / LEFT, then LEFT / X, then X / RIGHT
Logic Process (Step: 5)
• Find the next transition
• M from Step 2, temporary registers X & Y.
• If the current transition matched, go to the first transition of the next state,
• else go to the next transition of the current state
• // Get the next transition of the current state
• mov X, [CTRANS + 1]
• // Get the first transition of the next state
• mov Y, [CTRANS] // get current transition (pointer to trigger symbol cell)
• mov Y, [Y + 1] // skip trigger symbol
• mov Y, [Y + 1] // skip new symbol
• mov Y, [Y + 1] // skip direction
• mov Y, [Y] // select the next transition
• mov [LOOKUP], X
• mov [LOOKUP + 1], Y
• mov CTRANS, [LOOKUP + M] // M == 0 selects X, M == 1 selects Y
Register Contents
SYMBOL Pointer to current symbol read from tape
M (Match) Result 0/1 of transition comparison from Step 2
X (Temp) Pointer to next transition of current state
Y (Temp) Pointer to first transition of next state
Lookup table LOOKUP: X, LOOKUP + 1: Y
Logic Process (Extra Step 6)
Halting the machine
• Halt the machine if CTRANS is N
• Assume a load from address 0 halts the machine
• Temporary registers H, X
• // Set H = 1 if CTRANS is N (end of state list or no outgoing transitions)
• mov X, [CTRANS] // save the first word of the transition cell; it is used as scratch below
• mov [N], 0
• mov [CTRANS], 1 // writes over [N] only if CTRANS == N
• mov H, [N]
• mov [CTRANS], X // restore the first word, so Step 1 of the next loop still finds the trigger pointer
• // Select between N and 0 depending on H
• mov [LOOKUP], N // H == 0: keep going, load from N
• mov [LOOKUP + 1], 0 // H == 1: halt, load from address 0
• mov X, [LOOKUP + H]
• mov X, [X] // load from N or from address 0; the program terminates here if X is 0
• jmp start // go back to the top of the program
Register Contents
SYMBOL Pointer to current symbol read from tape
H (Temp) Whether to halt? 0: No, 1: Yes
X (Temp) To test whether the machine should halt
Lookup table LOOKUP: N, LOOKUP + 1: 0
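To see Steps 1 to 6, together with the equality-check and value-selection gadgets they are built from, actually run, here is a small simulator added for this write-up; it is not code from the slides or from Dolan's paper. It feeds the slides' mov sequence through an interpreter that accepts only the five mov forms and runs a binary-increment machine on it. Assumed by me: word 0 is the halting address, N is a reserved word, each side of the tape is a bounded run of blank cells, symbol values are the addresses of per-symbol scratch words (so the equality trick has somewhere to write), and the halt test saves and restores the transition cell's first word and selects N for H == 0 and 0 for H == 1.

```python
"""Simulator for the slides' mov-only Turing machine (an added example; not code from the
deck or from Dolan's paper).  PROGRAM is the Step 1-6 mov sequence, run by an interpreter
that accepts only the five mov forms.  Assumptions (mine): word 0 is the halt address, N is
a reserved word, each stack ends in a bounded run of blank cells, and the halt test
saves/restores the transition cell's first word it uses as scratch."""

class Halt(Exception):
    """Load from address 0: the slides' way of stopping the machine."""

def _addr(ref, reg):
    """'[R]', '[R + k]' or '[R + R2]' -> address; address 0 raises Halt."""
    base, _, off = (s.strip() for s in ref[1:-1].partition("+"))
    a = reg[base] + (0 if not off else reg[off] if off in reg else int(off))
    if a == 0:
        raise Halt()
    return a

def run_pass(program, reg, mem):
    """Execute the program once: one trip round the slides' 'jmp start' loop."""
    for ins in (i.strip() for ln in program.splitlines() for i in ln.split("//")[0].split(";")):
        if ins:                                      # every instruction is 'mov dst, src'
            dst, src = (t.strip() for t in ins[4:].split(",", 1))
            val = mem[_addr(src, reg)] if src[0] == "[" else reg[src] if src in reg else int(src)
            if dst[0] == "[":
                mem[_addr(dst, reg)] = val
            else:
                reg[dst] = val

PROGRAM = """
mov X, [SYMBOL]; mov Y, [CTRANS]; mov Y, [Y]                   // Step 1 & 2: current vs trigger symbol
mov [X], 0; mov [Y], 1; mov M, [X]                             // M = 1 iff they are equal
mov X, [CTRANS]; mov X, [X + 1]; mov X, [X]; mov Y, [SYMBOL]   // Step 3: X = new symbol, Y = old symbol
mov [LOOKUP], Y; mov [LOOKUP + 1], X; mov Z, [LOOKUP + M]; mov [SYMBOL], Z
mov D, [CTRANS]; mov D, [D + 1]; mov D, [D + 1]; mov D, [D]    // Step 4.1: D = direction
mov [LOOKUP], LEFT; mov [LOOKUP + 1], RIGHT; mov X, [LOOKUP + D]; mov [SYMBOL + 1], X
mov [LOOKUP], SYMBOL; mov [LOOKUP + 1], LEFT; mov LEFT, [LOOKUP + D]    // Step 4.2: push current cell
mov [LOOKUP], RIGHT; mov [LOOKUP + 1], SYMBOL; mov RIGHT, [LOOKUP + D]
mov [LOOKUP], 1; mov [LOOKUP + 1], 0; mov X, [LOOKUP + D]      // Step 4.3: X = not D
mov [LOOKUP], X; mov [LOOKUP + 1], D; mov D, [LOOKUP + M]      // no match: D = not D (undo the push)
mov [LOOKUP], RIGHT; mov [LOOKUP + 1], LEFT; mov SYMBOL, [LOOKUP + D]; mov X, [SYMBOL + 1]
mov [LOOKUP], LEFT; mov [LOOKUP + 1], X; mov LEFT, [LOOKUP + D]         // Step 4.4: pop new current cell
mov [LOOKUP], X; mov [LOOKUP + 1], RIGHT; mov RIGHT, [LOOKUP + D]
mov X, [CTRANS + 1]; mov Y, [CTRANS]; mov Y, [Y + 1]; mov Y, [Y + 1]; mov Y, [Y + 1]; mov Y, [Y]
mov [LOOKUP], X; mov [LOOKUP + 1], Y; mov CTRANS, [LOOKUP + M] // Step 5: next transition to test
mov X, [CTRANS]; mov [N], 0; mov [CTRANS], 1; mov H, [N]; mov [CTRANS], X   // Step 6: H = 1 iff CTRANS == N
mov [LOOKUP], N; mov [LOOKUP + 1], 0; mov X, [LOOKUP + H]; mov X, [X]      // H == 1 loads address 0: halt
"""

def build(machine, tape, start, blank, pad=16):
    """Lay out symbol scratch words, tape cells and the transition table.  machine maps
    (state, symbol) -> (new_symbol, direction, next_state).  Direction 'R' (head moves
    right) is D = 0: push the current cell on the left stack and pop the next from the
    right; 'L' is D = 1.  next_state None halts.  The head starts on tape[0]."""
    N, mem = 3, [0] * 5                       # word 0 halts, 1-2 are LOOKUP, 3-4 are N
    def alloc(words):
        mem.extend(words)
        return len(mem) - len(words)
    sym = {s: alloc([0]) for s in sorted({blank, *tape, *(k[1] for k in machine),
                                          *(v[0] for v in machine.values())})}  # value = scratch word
    def stack(cells):                         # cells listed top first; the bottom cell's next is 0
        top = 0
        for s in reversed(cells):
            top = alloc([sym[s], top])        # cell = [pointer to symbol value, pointer to next cell]
        return top
    reg = dict(LOOKUP=1, N=N, X=0, Y=0, Z=0, M=0, D=0, H=0, LEFT=stack([blank] * pad),
               RIGHT=stack(list(tape[1:]) + [blank] * pad), SYMBOL=alloc([sym[tape[0]], 0]))
    states = list(dict.fromkeys(k[0] for k in machine))
    per = {st: [(k[1], *v) for k, v in machine.items() if k[0] == st] for st in states}
    first, a = {}, len(mem)                   # each transition is five 2-word cells, laid out in order
    for st in states:
        first[st], a = a, a + 10 * len(per[st])
    for st in states:
        for i, (trig, new, d, nxt) in enumerate(per[st]):
            t = len(mem)
            alloc([t + 2, t + 10 if i + 1 < len(per[st]) else N])   # trigger cell | alternative transition
            alloc([sym[trig], t + 4])                                # trigger symbol | new symbol cell
            alloc([sym[new], t + 6])                                 # new symbol | direction cell
            alloc([0 if d == "R" else 1, t + 8])                     # direction | next state cell
            alloc([N if nxt is None else first[nxt], 0])             # next state's first transition | end
    reg["CTRANS"] = first[start]
    return mem, reg, {v: k for k, v in sym.items()}

def _chain(mem, name, top):                   # symbols down a stack, following next pointers
    return [name[mem[top]]] + _chain(mem, name, mem[top + 1]) if top else []
def run(machine, tape, start, blank="_", max_passes=10000):
    """Run until the halting load; return the tape with outer blanks stripped."""
    mem, reg, name = build(machine, tape, start, blank)
    try:
        for _ in range(max_passes):
            run_pass(PROGRAM, reg, mem)
        raise RuntimeError("machine did not halt")
    except Halt:
        cells = _chain(mem, name, reg["LEFT"])[::-1] + [name[mem[reg["SYMBOL"]]]]
        return "".join(cells + _chain(mem, name, reg["RIGHT"])).strip(blank)
INCREMENT = {  # binary +1: run right to the end, then add with carry leftwards; next_state None halts
    ("right", "0"): ("0", "R", "right"), ("right", "1"): ("1", "R", "right"), ("right", "_"): ("_", "L", "add"),
    ("add", "1"): ("0", "L", "add"), ("add", "0"): ("1", "L", None), ("add", "_"): ("1", "L", None),
}
```

run(INCREMENT, "1011", "right") returns "1100"; the machine only ever stops through the address-0 load, and a machine that walks past the blank cells on either side is outside what this bounded tape can represent.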
Practical time
Chris Domas’s movfuscator
• https://github.com/xoreaxeaxeax/movfuscator
• C compiler that compiles into mov instructions
• Uses LCC as frontend
Why is it called movfuscator?
• To defeat reverse-engineering
• Disassembled output: GCC vs movfuscator (figure)
Why is it called movfuscator?
• Control flow graph generated by disassemblers: typical vs mov-only (figure)
Source Slide 109-110: https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Quick demo
Our hello world program
GCC (hwgcc.sh)
• Compile program and run: gcc -g hw.c -o hw-gcc.out && ./hw-gcc.out
• Disassemble program & output to file: objdump -M intel -S -l hw-gcc.out > hw-gcc.asm
• Open in Sublime: subl hw-gcc.asm
Movcc (hwmov.sh)
• Compile program and run: movcc -g hw.c -o hw-movcc.out && ./hw-movcc.out
• Disassemble program & output to file: objdump -M intel -S -l hw-movcc.out > hw-movcc.asm
• Open in Sublime: subl hw-movcc.asm
Enhancement: Remove jmp at the end
• mov cs, ax // illegal mov instruction: cannot modify the code segment register
• Solution concept:
• OS raises SIGILL (illegal instruction signal)
• Code to capture the SIGILL signal
• Call sigaction() to tell the OS we have handled the instruction
• Reload the stack (go back to the top)
Source Slide 101: https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
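As an added illustration of that solution concept (my code, not movfuscator's), the Python below uses a SIGILL handler as the only way back to the top of a loop: signal.raise_signal is a constructed stand-in for the faulting mov cs, ax so it runs on any CPU, and an exception thrown from the handler stands in for reloading the stack.

```python
import signal

class Restart(Exception):
    """Raised inside the SIGILL handler to unwind back to the top of the loop."""

def _on_sigill(signum, frame):
    raise Restart()

def run_passes(wanted):
    """Run the loop body `wanted` times with SIGILL as the only backward edge.
    signal.raise_signal stands in for the faulting `mov cs, ax` (a constructed
    stand-in, so this runs on any CPU); the handler's exception stands in for
    movfuscator reloading the stack and restarting at the top."""
    previous = signal.signal(signal.SIGILL, _on_sigill)   # the sigaction() of the slide
    passes = 0
    try:
        while True:                                        # start:
            try:
                passes += 1                                # the mov-only body would run here
                if passes < wanted:
                    signal.raise_signal(signal.SIGILL)     # deliberate fault at the end of the body
                return passes                              # reached only once we stop faulting
            except Restart:
                continue                                   # back to start:
    finally:
        signal.signal(signal.SIGILL, previous)             # restore the original disposition
```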
Problem 1 : Branching
• Issue: all mov instructions always execute
• Use dummy data if mov instructions must be ignored
Program layout (figure):
• start:
• 0x1000 mov …
• 0x1004 mov …
• 0x1008 mov …
• 0x100c mov …
• 0x1010 mov …
• 0x1014 mov …
• 0x1018 mov …
• 0x101c mov …
• 0x1020 mov …
• 0x1024 mov …
• 0x1028 mov …
• 0x102c mov …
• 0x1030 jmp start
Branch from one of the movs (marked “<- Branch from here” in the figure) to the destination 0x1010 (marked “<- to here”)
Destination: 0x1010
Step 1: Store address 0x1010 somewhere
Step 2: Switch memory pointers to dummy data
Step 3: Proceed and loop around if needed
Step 4: Check if this block is meant to be executed
Step 5: Switch to real data and continue execution
Problem 2: Arithmetic
• For example: add32
Source Slide 133: https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Macro expansion (figure)
Problem 2: Arithmetic
• For division: >7000 mov instructions!!! (with the help of macros)
Source Slide 141: https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
Problem 3: Speed
• Unsolvable
• Many mov instructions are needed for each original instruction
Our Fibonacci program
GCC (fibgcc.sh)
• Compile program: gcc fib.c -o fib-gcc.out
• Run: ./fib-gcc.out
Movcc (fibmov.sh)
• Compile program: movcc fib.c -o fib-movcc.out
• Run: ./fib-movcc.out
The End/References
• http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
• http://www.gwern.net/Turing-complete
• https://github.com/xoreaxeaxeax/movfuscator
• https://www.youtube.com/watch?v=R7EEoWg6Ekk
Cache aware hybrid sorter
 

Mais de yeokm1

I became a Private Pilot and this is my story
I became a Private Pilot and this is my storyI became a Private Pilot and this is my story
I became a Private Pilot and this is my storyyeokm1
 
What's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light planeWhat's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light planeyeokm1
 
Speaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior DevsSpeaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior Devsyeokm1
 
Reflections on Trusting Trust for Go
Reflections on Trusting Trust for GoReflections on Trusting Trust for Go
Reflections on Trusting Trust for Goyeokm1
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectreyeokm1
 
Gentoo on a 486
Gentoo on a 486Gentoo on a 486
Gentoo on a 486yeokm1
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scoutyeokm1
 
BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017yeokm1
 
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiteryeokm1
 
PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)yeokm1
 
SP Auto Door Unlocker
SP Auto Door UnlockerSP Auto Door Unlocker
SP Auto Door Unlockeryeokm1
 
SP IoT Doorbell
SP IoT DoorbellSP IoT Doorbell
SP IoT Doorbellyeokm1
 
Distance Machine Locker
Distance Machine LockerDistance Machine Locker
Distance Machine Lockeryeokm1
 
A Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech ThingA Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech Thingyeokm1
 
A Science Project: Swift Serial Chat
A Science Project: Swift Serial ChatA Science Project: Swift Serial Chat
A Science Project: Swift Serial Chatyeokm1
 
The slide rule
The slide ruleThe slide rule
The slide ruleyeokm1
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareyeokm1
 
Repair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker TrainingRepair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker Trainingyeokm1
 
A2: Analog Malicious Hardware
A2: Analog Malicious HardwareA2: Analog Malicious Hardware
A2: Analog Malicious Hardwareyeokm1
 
Getting Started with Raspberry Pi
Getting Started with Raspberry PiGetting Started with Raspberry Pi
Getting Started with Raspberry Piyeokm1
 

Mais de yeokm1 (20)

I became a Private Pilot and this is my story
I became a Private Pilot and this is my storyI became a Private Pilot and this is my story
I became a Private Pilot and this is my story
 
What's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light planeWhat's inside a Cessna 172 and flying a light plane
What's inside a Cessna 172 and flying a light plane
 
Speaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior DevsSpeaking at Tech meetups/conferences for Junior Devs
Speaking at Tech meetups/conferences for Junior Devs
 
Reflections on Trusting Trust for Go
Reflections on Trusting Trust for GoReflections on Trusting Trust for Go
Reflections on Trusting Trust for Go
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectre
 
Gentoo on a 486
Gentoo on a 486Gentoo on a 486
Gentoo on a 486
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scout
 
BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017BLE Localiser for iOS Conf SG 2017
BLE Localiser for iOS Conf SG 2017
 
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
Repair Kopitiam Specialty Tools (Part 2): Short Circuit Limiter
 
PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)PCB Business Card (Singapore Power)
PCB Business Card (Singapore Power)
 
SP Auto Door Unlocker
SP Auto Door UnlockerSP Auto Door Unlocker
SP Auto Door Unlocker
 
SP IoT Doorbell
SP IoT DoorbellSP IoT Doorbell
SP IoT Doorbell
 
Distance Machine Locker
Distance Machine LockerDistance Machine Locker
Distance Machine Locker
 
A Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech ThingA Science Project: Building a sound card based on the Covox Speech Thing
A Science Project: Building a sound card based on the Covox Speech Thing
 
A Science Project: Swift Serial Chat
A Science Project: Swift Serial ChatA Science Project: Swift Serial Chat
A Science Project: Swift Serial Chat
 
The slide rule
The slide ruleThe slide rule
The slide rule
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardware
 
Repair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker TrainingRepair Kopitiam Circuit Breaker Training
Repair Kopitiam Circuit Breaker Training
 
A2: Analog Malicious Hardware
A2: Analog Malicious HardwareA2: Analog Malicious Hardware
A2: Analog Malicious Hardware
 
Getting Started with Raspberry Pi
Getting Started with Raspberry PiGetting Started with Raspberry Pi
Getting Started with Raspberry Pi
 

Último

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfWilly Marroquin (WillyDevNET)
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 

Último (20)

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 

How "mov

  • 8. 1. What is a Turing machine?
Source: http://stackoverflow.com/a/236022
Theoretical Finite State Machine (FSM) model
Characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Head (Scanner)
• Reads/Writes to cells
• Can move left/right to next cell
State register
• Remember current state of FSM
Transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table

  • 9. 2. What it means to be Turing-complete?
A programming language must be able to compute any problem a Turing machine can.
-> Have the same characteristics as a Turing machine
Characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Head (Scanner)
• Reads/Writes to cells
• Can move left/right to next cell
State register
• Remember current state of FSM
Transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table

  • 10. 3. What is mov?
• x86 assembly instruction to move contents from one location to another.
• General syntax: mov destination, source
• Copies (not cut) from source to destination
• Comes in 5 forms
Syntax                         Explanation
mov Rdest, Rsrc                Register <- Register
mov Rdest, c                   Register <- Constant
mov [Rsrc + Roffset], c        Memory <- Constant
mov Rdest, [Rsrc + Roffset]    Register <- Memory
mov [Rdest + Roffset], Rsrc    Memory <- Register
Square brackets [x] mean a memory access at the location (index) given by x.

  • 11. 4. What it takes for “mov” to be Turing Complete?
Turing Machine Characteristics, and what each one means in the context of a mov-only instruction set:
Operates on tape (finite length; divided into cells; each cell contains symbol of finite alphabet)
  -> ???
Head (Scanner) (reads/writes to cells; can move left/right to next cell)
  -> Read/Write to memory at multiple locations: mov
State register (remember current state of FSM)
  -> Just reserve one register to remember state
Transition state table (lookup next state & symbol, tape direction based on current state & symbol)
  -> ????
Logic Process (1. Read current symbol from tape 2. Consult transition state table 3. Modify the symbol 4. Move the head left/right/stay 5. Stay/Go to another state based on state table)
  -> ???

  • 12. What we have to do?
Unfulfilled Turing characteristics
Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table

  • 13. Building our Turing machine

  • 14. Designing the tape
Unfulfilled Turing characteristic: Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Design:
• Current symbol
• Left/Right stack to hold everything
• Each symbol cell holds 2 things
1. Pointer to symbol value
2. Pointer to next cell
[Diagram: Left Stack of linked cells "Left Symbol 1 | Point to Left symbol 2", "Left Symbol 2 | Point to Left symbol 3", ... "Left Symbol 4 | Point to Left symbol 5"; the cell "Current Symbol | Null"; Right Stack of linked cells "Right Symbol 1 | Point to Right symbol 2", ... "Right Symbol 4 | Point to Right symbol 5"]
<= Move tape to the left: the current symbol goes left, becoming "Left Symbol 0 | Point to Left symbol 1" on top of the left stack, and a new "Current Symbol | Null" cell takes its place.

  • 15. Designing the tape
Unfulfilled Turing characteristic: Operates on tape
• Finite length
• Divided into cells
• Each cell contains symbol of finite alphabet
Design:
• Current symbol
• Left/Right stack to hold everything
• Each symbol cell holds 2 things
1. Pointer to symbol value
2. Pointer to next cell
[Diagram: same Left Stack, "Current Symbol | Null" cell and Right Stack as on slide 14]
=> Move tape right: the current symbol goes right, becoming "Right Symbol 0 | Point to Right symbol 1" on top of the right stack, and a new "Current Symbol | Null" cell takes its place.

  • 16. Designing the transition state table
Unfulfilled Turing characteristic: Transition state table
• Lookup next state & symbol, tape direction based on current state & symbol
• Table of linked cells, easier for mov to use
• Each cell contains a value and points to next cell
• N: Dummy pointer indicating end of list
[Diagram: for each state (State Q0, State Q1), Current State Qx points to a chain of cells:]
Trigger symbol of possible transition | Point to alternative transition cell
Trigger symbol | Point to new symbol cell
New symbol | Point to direction cell
Direction | Point to next state cell
Next State | End of list

  • 17. Now to the mov stuff
  • 18. Equality checking (Problem)
• We want to check if Ri == Rj
• Output result of comparison (0/1) in register Rk

  • 19. Equality checking (Example 1)
• Assume both are equal at Ri = Rj = 6
• We want to check if Ri == Rj.
• Expected output at register Rk = 1
• mov [Ri], 0 -> mov [6], 0
• mov [Rj], 1 -> mov [6], 1
• mov Rk, [Ri] -> mov Rk, [6]
[Diagram: memory address range of the machine, addresses 0 to 8; address 6 first holds 0, then is overwritten with 1. Registers: Ri = 6, Rj = 6, Rk (Result) = 1]

  • 20. Equality checking (Example 2)
• Assume both are NOT equal at Ri = 5, Rj = 2
• We want to check if Ri == Rj.
• Expected output at register Rk = 0
• mov [Ri], 0 -> mov [5], 0
• mov [Rj], 1 -> mov [2], 1
• mov Rk, [Ri] -> mov Rk, [5]
[Diagram: memory address range of the machine, addresses 0 to 8; address 5 holds 0, address 2 holds 1. Registers: Ri = 5, Rj = 2, Rk (Result) = 0]

  • 21. Value selection
• Given Rc being 0 or 1, pick either value Ra or Rb
• Put result in Rd
• We can use Rlookup as start index of “lookup-table”
• mov [Rlookup], Ra
• mov [Rlookup + 1], Rb
• mov Rd, [Rlookup + Rc] // Rc is 0 or 1
• If Rc == 0: Rd = Ra
• Else: Rd = Rb
[Diagram: lookup table at address Rlookup (contents Ra) and Rlookup + 1 (contents Rb)]
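The equality check and value selection of slides 18 to 21 written out in C, as an added example that is not code from the paper or the slides: each statement mirrors one mov form on a word-addressed memory array. The 64-word memory, the lookup table at address 32 and the composition of the two primitives into a conditional move (mov_cmov, which the slides do not do but which step 3 of the machine relies on) are my assumptions.

```c
#include <stdio.h>

/* Word-addressed memory of a toy machine (constructed for this example). */
#define MEM_WORDS 64
typedef unsigned word;

static word g_mem[MEM_WORDS];   /* shared memory so results can be inspected */

/* Equality check (slides 18-20): Rk = (Ri == Rj) using only mov.
 * Ri and Rj are used as memory addresses, so both must be < MEM_WORDS and
 * must point at scratch words that hold nothing still needed (in particular
 * not the lookup table used by mov_select). */
static word mov_eq(word *mem, word ri, word rj) {
    word rk;
    mem[ri] = 0;            /* mov [Ri], 0 */
    mem[rj] = 1;            /* mov [Rj], 1   overwrites the 0 only if Ri == Rj */
    rk = mem[ri];           /* mov Rk, [Ri] */
    return rk;
}

/* Value selection (slide 21): Rd = (Rc == 0) ? Ra : Rb.
 * lookup is the start index of the two-word lookup table; Rc must be 0 or 1. */
static word mov_select(word *mem, word lookup, word rc, word ra, word rb) {
    word rd;
    mem[lookup] = ra;       /* mov [Rlookup], Ra */
    mem[lookup + 1] = rb;   /* mov [Rlookup + 1], Rb */
    rd = mem[lookup + rc];  /* mov Rd, [Rlookup + Rc] */
    return rd;
}

/* Composition (my addition): Rd = (Ri == Rj) ? Rb : Ra, i.e. a conditional
 * move built from the two primitives; the equality result is the selector. */
static word mov_cmov(word *mem, word lookup, word ri, word rj, word ra, word rb) {
    word rk = mov_eq(mem, ri, rj);
    return mov_select(mem, lookup, rk, ra, rb);
}

int main(void) {
    const word LOOKUP = 32;                              /* scratch table at 32..33 */
    printf("eq(6,6) = %u\n", mov_eq(g_mem, 6, 6));       /* 1, slide 19 */
    printf("eq(5,2) = %u\n", mov_eq(g_mem, 5, 2));       /* 0, slide 20 */
    printf("cmov    = %u\n", mov_cmov(g_mem, LOOKUP, 5, 2, 10, 20)); /* 10 */
    return 0;
}
```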
  • 22. Our architecture so far
Setting aside some registers
Register   Purpose
SYMBOL     Pointer to current symbol read from tape
LEFT       Pointer to first symbol on the left stack
RIGHT      Pointer to first symbol on the right stack
CTRANS     Pointer to transition to be tested (first word of transition points to trigger symbol)
LOOKUP     Points to lookup table (scratch space)
[Diagram: Transition State Table (Current State -> Trigger Symbol -> New Symbol -> Tape Direction -> Next State); Tape (Left/Right Stack) of linked cells "Left Symbol n | Point to Left symbol n+1", "Current Symbol | Null", "Right Symbol n | Point to Right symbol n+1"; Lookup table at memory addresses LOOKUP and LOOKUP + 1]

  • 23. Logic Process
[Diagram: same architecture as slide 22 (tape stacks, transition state table, lookup table) and the same register table]
Logic Process
1. Read current symbol from tape
2. Consult transition state table
3. Modify the symbol
4. Move the head left/right/stay
5. Stay/Go to another state based on state table
  • 24. Logic Process (Step: 1 & 2)
[Diagram: same architecture as slide 22]
• Consult transition state table
• Retrieve current symbol, compare with trigger symbol
• Extra temporary registers X, Y & M
• mov X, [SYMBOL] // get current symbol
• mov Y, [CTRANS] // get pointer to trigger symbol
• mov Y, [Y] // get trigger symbol
• mov [X], 0 // put 0 into memory using X as index
• mov [Y], 1 // put 1 into memory using Y as index
• mov M, [X] // M gets 0/1 depending on equality
Register contents after this step:
X (Temp)     Current symbol
Y (Temp)     Pointer to trigger symbol, then trigger symbol
M (Result)   1 if equal, 0 otherwise
  • 25. Logic Process (Step: 3) Current State Trigger Symbol New Symbol Tape Direction Next State Mem Address LOOKUP LOOKUP + 1 Contents Right Symbol 1 | Point to Right symbol 2 Left Symbol 1 | Point to Left symbol 2 Left Symbol 2 | Point to Left symbol 3 Right Symbol 2 | Point to Right symbol 3 Current Symbol | Null Left Symbol 3 | Point to Left symbol 4 Right Symbol 3 | Point to Right symbol 4 Tape (Left/Right Stack) Transition State Table Lookup table Register Purpose/Contents SYMBOL LEFT Pointer to first symbol on the left stack RIGHT Pointer to first symbol on the right stack CTRANS Pointer to transition to be tested LOOKUP Points to lookup table (scratch space) Logic Process 1. Read current symbol from tape 2. Consult transition state table 3. Modify the symbol 4. Move the head left/right/stay 5. Stay/Go to another state based on state table • Modify the symbol • M from Step 2. Extra temporary registers X, Y, Z. • Choose between current/new symbol -> write symbol • mov X, [CTRANS] // get pointer to trigger symbol • mov X, [X + 1] // Load pointer to new symbol by skipping trigger symbol • mov X, [X] // load new symbol • mov Y, [SYMBOL] // load old symbol • mov [LOOKUP], Y //determine new symbol == X/Y? • mov [LOOKUP + 1], X • mov Z, [LOOKUP + M] • mov [SYMBOL], Z //write the selected symbol back Pointer to trigger symbol Old symbol X (Temp) Y (Temp) Pointer to new symbolNew symbol Result 0/1 of transition comparison from Step 2M (Match) Z (Temp) Y X Selected new symbol value from X or Y Pointer to current symbol read from tape 25
  • 26. Logic Process (Step: 4.1) Current State Trigger Symbol New Symbol Tape Direction Next State Mem Address LOOKUP LOOKUP + 1 Contents Right Symbol 1 | Point to Right symbol 2 Left Symbol 1 | Point to Left symbol 2 Left Symbol 2 | Point to Left symbol 3 Right Symbol 2 | Point to Right symbol 3 Current Symbol | Null Left Symbol 3 | Point to Left symbol 4 Right Symbol 3 | Point to Right symbol 4 Tape (Left/Right Stack) Transition State Table Lookup table Register Purpose/Contents SYMBOL LEFT Pointer to first symbol on the left stack RIGHT Pointer to first symbol on the right stack CTRANS Pointer to transition to be tested LOOKUP Points to lookup table (scratch space) Logic Process 1. Read current symbol from tape 2. Consult transition state table 3. Modify the symbol 4. Move the head left/right/stay 5. Stay/Go to another state based on state table • Load tape direction of transition, regardless of transition matching • M from Step 2. Result register D to choose direction. • mov D, [CTRANS] // get pointer to trigger symbol • mov D, [D+1] // load new symbol pointer • mov D, [D+1] //load direction pointer • mov D, [D] // load direction Pointer to current symbol read from tape M (Match) Result 0/1 of transition comparison from Step 2 D (Result) Pointer to trigger symbolPointer to new symbolPointer to directionDirection value 0/1 26
  • 27. Logic Process (Step 4.2)
  [Diagram: tape (left/right stacks), transition state table, lookup table and register table as on slide 25; the current symbol cell now points to Left/Right Symbol 1]
  • Depending on tape direction, push the current symbol cell onto a stack
  • M from Step 2, D from Step 4.1, temporary register X.
  • // Get the first cell from the left/right stack as next cell for the current symbol
  • mov [LOOKUP], LEFT
  • mov [LOOKUP + 1], RIGHT
  • mov X, [LOOKUP + D]
  • mov [SYMBOL + 1], X // point the current symbol's next pointer to the next cell
  • // Select new value for first symbol LEFT
  • mov [LOOKUP], SYMBOL
  • mov [LOOKUP + 1], LEFT
  • mov LEFT, [LOOKUP + D]
  • // Select new value for first symbol RIGHT
  • mov [LOOKUP], RIGHT
  • mov [LOOKUP + 1], SYMBOL
  • mov RIGHT, [LOOKUP + D]
  • Register annotations: M (Match) holds the 0/1 result of the transition comparison from Step 2; D (Result) holds the direction value 0/1 from Step 4.1; X (Temp) holds the pointer to the first cell of the left/right stack. The lookup table holds, in turn, [LEFT, RIGHT], [SYMBOL, LEFT] and [RIGHT, SYMBOL].
  • 28. Logic Process (Step 4.3)
  [Diagram: tape (left/right stacks), transition state table, lookup table and register table as on slide 25; the current symbol cell points to Left/Right Symbol 1]
  • Preparation to pop the stack
  • Invert register D if no movement is actually required, i.e. M == 0
  • M from Step 2, D from Step 4.1, temporary register X.
  • // Put negation of D into X
  • mov [LOOKUP], 1 // reverse order of selection
  • mov [LOOKUP + 1], 0 // reverse order of selection
  • mov X, [LOOKUP + D]
  • // Use M to select between D or X (D-negation)
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], D
  • mov D, [LOOKUP + M]
  • Register annotations: M (Match) holds the 0/1 result of the transition comparison from Step 2; D (Result) starts as the direction value 0/1 from Step 4.1 and ends as the direction value that determines the pop decision; X (Temp) holds the negation of D. The lookup table holds, in turn, [1, 0] and [X (D-negation), D].
  • 29. Logic Process (Step 4.4)
  [Diagram: tape (left/right stacks), transition state table, lookup table and register table as on slide 25; the pushed cell is now Left Symbol 0 | pointer to Left Symbol 1 (or Right Symbol 0 | pointer to Right Symbol 1), and the current symbol cell points to Left/Right Symbol 1]
  • We need a new current symbol; pop a cell from one side based on D
  • D from Step 4.3, temporary register X.
  • // Select new value for SYMBOL from either the LEFT or the RIGHT stack
  • mov [LOOKUP], RIGHT
  • mov [LOOKUP + 1], LEFT
  • mov SYMBOL, [LOOKUP + D]
  • mov X, [SYMBOL + 1] // find new top of stack
  • // Find new top value for LEFT
  • mov [LOOKUP], LEFT
  • mov [LOOKUP + 1], X
  • mov LEFT, [LOOKUP + D] // if D == 1, we just popped the left stack, so set LEFT to X
  • // Find new value for RIGHT
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], RIGHT
  • mov RIGHT, [LOOKUP + D] // if D == 0, we just popped the right stack, so set RIGHT to X
  • Register annotations: D (Result) holds the direction value that determines the pop decision; X (Temp) holds the top value of the stack we popped from. The lookup table holds, in turn, [RIGHT, LEFT], [LEFT, X] and [X, RIGHT].
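  The head movement of Steps 4.2 to 4.4, as an added example that is not part of the slides or the paper: a Python model in which memory is a flat list, the named registers are a dictionary, and move_head() is written only with the two mov forms the slides use (register from [reg + k], and [reg + k] from a register or an immediate). The two-word cell layout, the bump allocator, the register names and the tape() inspector are assumptions made for this example; popping an empty stack (null pointer) is not handled, since the slides do not cover the blank-tape case.

```python
# Added example (not from the slides or the paper): a Python model of a mov-only
# machine. MEM is flat word memory, R holds the named registers, and mov_rm /
# mov_mr (the two addressing forms on the slides) are all move_head() uses.
MEM = [0] * 32              # word 0 is left unused: address 0 is the halt trap
R = {"LOOKUP": 1}           # LOOKUP, LOOKUP + 1 = two-word scratch table
NEXT_FREE = 3               # constructed bump allocator for tape cells
val = lambda x: R[x] if isinstance(x, str) else x   # immediate or register
def mov_rm(dst, base, off=0): R[dst] = MEM[R[base] + val(off)]   # mov dst, [base + off]
def mov_mr(base, off, src): MEM[R[base] + val(off)] = val(src)   # mov [base + off], src
def alloc(symbol, nxt):         # tape cell = [symbol | pointer to next cell]
    global NEXT_FREE
    addr, NEXT_FREE = NEXT_FREE, NEXT_FREE + 2
    MEM[addr], MEM[addr + 1] = symbol, nxt
    return addr
def build_tape(left, cur, right):   # left/right listed from the head outward
    R["LEFT"] = R["RIGHT"] = 0      # 0 = null at the bottom of each stack
    for s in reversed(left):  R["LEFT"] = alloc(s, R["LEFT"])
    for s in reversed(right): R["RIGHT"] = alloc(s, R["RIGHT"])
    R["SYMBOL"] = alloc(cur, 0)

def move_head(M, D):
    """Steps 4.2-4.4: M = transition matched (0/1), D = direction (0/1)."""
    R["M"], R["D"] = M, D
    # 4.2: push the current cell onto LEFT (D == 0) or RIGHT (D == 1)
    mov_mr("LOOKUP", 0, "LEFT");   mov_mr("LOOKUP", 1, "RIGHT")
    mov_rm("X", "LOOKUP", "D");    mov_mr("SYMBOL", 1, "X")
    mov_mr("LOOKUP", 0, "SYMBOL"); mov_mr("LOOKUP", 1, "LEFT")
    mov_rm("LEFT", "LOOKUP", "D")
    mov_mr("LOOKUP", 0, "RIGHT");  mov_mr("LOOKUP", 1, "SYMBOL")
    mov_rm("RIGHT", "LOOKUP", "D")
    # 4.3: if M == 0 invert D, so that 4.4 pops the cell just pushed (no move)
    mov_mr("LOOKUP", 0, 1);        mov_mr("LOOKUP", 1, 0)
    mov_rm("X", "LOOKUP", "D")
    mov_mr("LOOKUP", 0, "X");      mov_mr("LOOKUP", 1, "D")
    mov_rm("D", "LOOKUP", "M")
    # 4.4: pop the other stack into SYMBOL and advance that stack's top pointer
    mov_mr("LOOKUP", 0, "RIGHT");  mov_mr("LOOKUP", 1, "LEFT")
    mov_rm("SYMBOL", "LOOKUP", "D"); mov_rm("X", "SYMBOL", 1)
    mov_mr("LOOKUP", 0, "LEFT");   mov_mr("LOOKUP", 1, "X")
    mov_rm("LEFT", "LOOKUP", "D")
    mov_mr("LOOKUP", 0, "X");      mov_mr("LOOKUP", 1, "RIGHT")
    mov_rm("RIGHT", "LOOKUP", "D")

def tape():                     # (left, current, right): plain Python inspector
    def walk(a):
        out = []
        while a: out.append(MEM[a]); a = MEM[a + 1]
        return out
    return walk(R["LEFT"]), MEM[R["SYMBOL"]], walk(R["RIGHT"])
```

  With the constructed tape build_tape([1, 2], 5, [7, 8]), move_head(1, 0) pushes the current cell onto the left stack and pops the right one, giving ([5, 1, 2], 7, [8]); with M == 0 the inverted D makes Step 4.4 pop the same cell back, so the tape is unchanged whatever D was.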
  • 30. Logic Process (Step 5)
  [Diagram: tape (left/right stacks), transition state table, lookup table and register table as on slide 25]
  • Find the next transition
  • M from Step 2, temporary registers X & Y.
  • If the current transition matches, go to the first transition of the next state; else, go to the next transition of the current state
  • // get next transition of current state
  • mov X, [CTRANS + 1]
  • // get first transition of next state
  • mov Y, [CTRANS] // get pointer to trigger symbol of current transition
  • mov Y, [Y + 1] // skip trigger symbol
  • mov Y, [Y + 1] // skip new symbol
  • mov Y, [Y + 1] // skip direction
  • mov Y, [Y] // select next transition
  • mov [LOOKUP], X
  • mov [LOOKUP + 1], Y
  • mov CTRANS, [LOOKUP + M]
  • Register annotations: M (Match) holds the 0/1 result of the transition comparison from Step 2; X (Temp) holds the pointer to the next transition of the current state; Y (Temp) holds the pointer to the first transition of the next state. The lookup table holds [X, Y].
  • 31. Logic Process (Extra Step 6): Halting the machine
  [Diagram: tape (left/right stacks), transition state table, lookup table and register table as on slide 25]
  • Halt the machine if CTRANS is N
  • Assume a load from address 0 halts the machine
  • Temporary registers H, X
  • // Set H = 1 if CTRANS is N (end of state list or no outgoing transitions)
  • mov [N], 0
  • mov [CTRANS], 1
  • mov H, [N]
  • // select between 0 and N depending on H value
  • mov [LOOKUP], 0
  • mov [LOOKUP + 1], N
  • mov X, [LOOKUP + H]
  • mov X, [X] // load from 0 or from end of list; the program terminates here if X is 0
  • jmp start // go back to top of program
  • Register annotations: H (Temp) records whether to halt (0: No, 1: Yes); X (Temp) holds 0 or N, used to test whether the machine should halt. The lookup table holds [0, N].
  • 33. Chris Domas’s movfuscator
  • https://github.com/xoreaxeaxeax/movfuscator
  • C compiler that compiles into mov instructions
  • Uses LCC as frontend
  • 34. Why is it called movfuscator?
  • To defeat reverse-engineering
  • Disassembled output: GCC vs movfuscator
  • 35. Why is it called movfuscator?
  • Control flow graph generated by disassemblers: typical (GCC) vs mov-only
  Source: slides 109-110 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
  • 37. Our hello world program
  Step | GCC (hwgcc.sh) | Movcc (hwmov.sh)
  Compile program and run | gcc -g hw.c -o hw-gcc.out && ./hw-gcc.out | movcc -g hw.c -o hw-movcc.out && ./hw-movcc.out
  Disassemble program & output to file | objdump -M intel -S -l hw-gcc.out > hw-gcc.asm | objdump -M intel -S -l hw-movcc.out > hw-movcc.asm
  Open in sublime | subl hw-gcc.asm | subl hw-movcc.asm
  • 38. Enhancement: Remove jmp at the end
  • mov cs, ax // illegal mov instruction: cannot modify the code segment register
  • Solution concept:
  • OS raises SIGILL (illegal instruction signal)
  • Code to capture the SIGILL signal
  • Call sigaction() to tell the OS we have handled the instruction
  • Reload the stack (go back to top)
  Source: slide 101 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
  • 39. Problem 1: Branching
  • Issue: All mov instructions always execute
  • Use dummy data if mov instructions must be ignored
  • start:
  • 0x1000 mov …
  • 0x1004 mov …
  • 0x1008 mov …
  • 0x100c mov …
  • 0x1010 mov … <- to here
  • 0x1014 mov …
  • 0x1018 mov …
  • 0x101c mov …
  • 0x1020 mov …
  • 0x1024 mov …
  • 0x1028 mov …
  • 0x102c mov …
  • 0x1030 jmp start
  [Diagram: an arrow marks the branch from one of the mov instructions to the destination 0x1010]
  Destination: 0x1010
  Step 1: Store address 0x1010 somewhere
  Step 2: Switch memory pointers to dummy data
  Step 3: Proceed and loop around if needed
  Step 4: Check if this block is meant to be executed
  Step 5: Switch to real data and continue execution
  • 40. Problem 2: Arithmetic
  • For example: add32 (shown as a macro expansion)
  Source: slide 133 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
  • 41. Problem 2: Arithmetic
  • For division: >7000 mov instructions!!! (with the help of macros)
  Source: slide 141 of https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf
  • 42. Problem 3: Speed
  • Unsolvable
  • Many mov instructions for a single instruction
  • 43. Our Fibonacci program
  Step | GCC (fibgcc.sh) | Movcc (fibmov.sh)
  Compile program | gcc fib.c -o fib-gcc.out | movcc fib.c -o fib-movcc.out
  Run | ./fib-gcc.out | ./fib-movcc.out
  • 44. The End/References
  • http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf
  • http://www.gwern.net/Turing-complete
  • https://github.com/xoreaxeaxeax/movfuscator
  • https://www.youtube.com/watch?v=R7EEoWg6Ekk