Professional Documents
Culture Documents
P
r
o
o
f
C
o
n
c
e
p
t
G
e
t
T
h
e
F
u
c
k
O
u
t
Heidelberg, Baden-W
urttemberg
Funded by our famous Single Malt Waterfall and
Pastor Laphroaigs Gospel Choir,
to be Freely Distributed to all Good Readers, and
to be Freely Copied by all Good Bookleggers.
. Denn was man Schwarz auf Wei besitzt, kann man getrost nach Hause tragen.
0, $0 USD, 0, 0 RSD, 0 SEK, $50 CAD. pocorgtfo11.pdf. March 17, 2016.
1
Legal Note: Sony relies on the unsubstantiated residency of the unnamed defendant Bushing as a basis
for California being the best forum. However, Bushing has not been identified, named, served, or connected
with Mr. Hotz in any way that could warrant bringing the only identifiable defendant out to California. If
Bushing does exist and can be ascertained at a later date, Sony would have to amend the complaint
to properly name him/her which has not occurred. Thus, New Jersey is an alternative forum that exists
to provide Sony with adequate relief. If Sony can obtain jurisdiction by merely including a hypothetical
defendant by the name of Bushing that may live in California, then any Plaintiff can file suit in California
and obtain jurisdiction by adding Bushing as a defendant.
Reprints: Bitrot will burn libraries with merciless indignity that even Pets Dot Com didnt deserve. Please
mirrordont merely link!pocorgtfo11.pdf and our other issues far and wide, so our articles can help fight
the coming robot apocalypse. We like the following mirrors.
https://unpack.debug.su/pocorgtfo/
https://pocorgtfo.hacke.rs/
https://www.alchemistowl.org/pocorgtfo/
http://www.sultanik.com/pocorgtfo/
Technical Note: Thanks to a Funky File Format Fire Sale, the file named pocorgtfo11.pdf is a polyglot
in HTML, PDF, ZIP, and Ruby that executes as a quine over HTTP.
laphroaig% ruby pocorgtfo11.pdf
Printing Instructions: Pirate print runs of this journal are most welcome! PoCkGTFO is to be printed
duplex, then folded and stapled in the center. Print on A3 paper in Europe and Tabloid (11 x 17) paper
in Samland. Secret government labs in Canada may use P3 (280 mm x 430 mm) if they like, but even the
Americans on our staff will laugh at the use of awkward standards of measure. The outermost sheet should
be on thicker paper to form a cover.
# This is how to convert an issue for duplex printing.
sudo apt-get install pdfjam
pdfbook --short-edge --vanilla --paper a3paper pocorgtfo11.pdf -o pocorgtfo11-book.pdf
Preacherman
Manul Laphroaig
Editor of Last Resort
Melilot
TEXnician
Evan Sultanik
Editorial Whipping Boy
Jacob Torrey
Funky File Supervisor
Ange Albertini
Assistant Scenic Designer Philippe Teuwen
and sundry others
On page 15, Peter Ferrie describes his work toward a universal bypass for the E7 protection mode
used on a number of Apple ][ disks. This is a follow
up to his encyclopedic coverage of protection modes
for this platform in PoCkGTFO 10:7.
Ryan Speers and Travis Goodspeed have begun
a series of tourist guides, intended to quickly introduce reverse engineers to a new platform. Page 20
provides a lightning-fast introduction to ARMs
Cortex M series, which youll find in modern devices
with a megabyte or less of Flash memory. Page 28
contains similar notes for the Texas Instruments
MSP430, MSP430X, and MSP430X2 architectures,
a 16-bit competitor to the PIC and AVR.
At this journal, we generally frown upon defense,
not because it is easy, but because it is so damned
hard to describe properly. On page 24, Jeffrey Crowell presents a poor mans method of patching 32-bit
x86 binaries to enforce the control flow graph. With
examples in Radare2 and legible C, youll be itching
to write your own generic patchers for large binaries
this weekend.
Page 33 describes how Evan Sultanik made this
PDFthe one that youre readinginto a poyglot
webserver quine in Ruby with its own
PoCkGTFO mirror.
It is with great sadness that we dedicate this release to the memory of our neighbor Ben Byer, the
hypothetical defendant by the name of Bushing
who inspired many of us to put pwnage before politics, to keep on hacking. Were gonna miss him.
Our first example today is from everyones favorite doctor in a track suit, Charlie Miller. If you
have the misfortune of reading about his work in
the lay press, you might have heard that he could
blow up laptop batteries by software,1 or that he was
recklessly irresponsible by disabling the power train
of a car with a reporter inside.2 That is to say, from
the lay press articles, you wouldnt know a damned
thing about what mechanism he experimented with.
So please, read the fucking paper, the battery
hacking paper,3 and ignore what CNN has to say
on the subject. Read about how the Smart Battery
Charger (SBC) is responsible for charging the battery even when the host is unresponsive, and con1 If
you RTFP, youll note that the Apple batteries have a separate BQ29312 Analog Frontend (AFE) to protect against such
nonsense, as well as a Matsushita MU092X in case the BQ29312 isnt sufficient.
2 One time, my Studebaker ran out of gas on the highway. Maybe we should start a support group?
3 unzip pocorgtfo11.pdf batteryfirmware.pdf
4 unzip pocorgtfo11.pdf sluu225.pdf
5 unzip pocorgtfo11.pdf bq20z80.py
So given just one byte of maneuverability, Natalie tried each value, discovering that a switch()
statement had no default case, so values above
0x20 would cause a reboot, while really high values, above 0xD8, would sometimes jump the game
to a valid screen.
At this point she had a good idea that she was
running off the end of a jump table, but as is common in the best junk hacking, she had no copy
of the code and needed an exploit to extract the
code. She did, however, know from die photographs
and datasheets that the chip was a GeneralPlus
GPLB52X with a 6502 instruction set. So she came
up with the clever trick of making a background picture that, when loaded into LCD RAM, would form
a NOP sled into shellcode that dumped memory out
of an I/O port.
By reverse engineering that memory dump, she
was able to replace her hail-Mary of a NOP sled
with perfectly placed, efficient shellcode containing
any number of fancy new features. You can even
send your Tamagotchi to 30C3, if you like.
And this is the crux of the matter, dear neighbors. We become jaded by so much garbage on TV,
so much crap in the news, and so many attempts
to straight-jacket the narrative of security research
by the mistaken belief that it must involve security.
But the very best security research doesnt involve
security! The very best research has no CVE, demands no patch, and has no direct relation to anything from your grandmothers credit card number
to your servers shadow file.
The very best research is that which teaches you
something new about the mechanism by which a machine functions. It teaches you how to build something, how to break something, or how to take something apart, but most of all it teaches you how the
hell that thing really works.
So to hell with the target and to hell with the
reporters. Teach me how a thing works, and teach
me the techniques that you needed to do something
clever with it. But if you casually dismiss the clever
tricks learned from hacking an Apple ][, a battery,
or a Tamagotchi, Im afraid that Ill have to ask you
politely, but firmly, to get the fuck out.6
6 Remember, though, that redemption is for everyone, and that one day you may find a strange and radiant machine you
will treasure for the cleverness of its mechanisms, no matter if others call it junk. On that day we will welcome you back in the
spirit of PoC!
3.1
There were two common ways to generate the analog voltages to steer the electron beam in the vector
monitor. Most early Atari games used the Digital
Voltage Generator, which used dual 10-bit DACs
that directly output -2.5 to +2.5 volt signals. Starwars, however, used the Analog Voltage Generator, in which the DACs generated the slope of the
line, and opamps integrated the values to produce
the output voltage. This is significantly more complex to emulate, and modern DACs and microcontrollers make it fairly easy to generate the analog
voltages to drive the displays with resolution exceeding the precision of the old opamps.
3.2
3.3
Gameplay
Displays
Two inexpensive vector displays are the Tektronix 1720 vectorscope, a piece of analog NTSC
video test equipment from a television studio, and
the Vectrex, one of the only home vector console
systems. The Tek uses an Electrostatic deflection
CRT, which gives it very high bandwidth and almost instant transits between points, but at the
cost of a very small deflection angle that results in
a tiny screen and a very deep tube. The Vectrex
has a magnetic deflection CRT, which allows it to
be much shallower and significantly larger, but it requires many microseconds for the beam to stabilize
in a new position. As a result, the DAC needs to
take into account the inertia of the beam and wait
for it to catch up.
MSB
D9
D8
D7
D6
D5
D4
D3
D2
D1
D0
LOAD
Up/Down
Clock
D9
D8
D7
D6
D5
D4
D3
D2
D1
D0
LOAD
U/D
Clk
Q9
Q8
Q7
Q6
Q5
Q4
Q3
Q2
Q1
Q0
B1
B2
B3
B4
B5
B6
B7
B8
B9
B10
DAC
Vmax/2
SW
VOUT
-512 to 511 =
Buffer -Vmax/2 to Vmax/2
S/H
Counter
I also took a few opportunities to use selfmodifying code to save on space. No longer do I
have to manually hex hack the w bit in the rwx attribute in the .text section of an ELF header; real
mode trusts me to do all of the bad things that
dev hipsters rage at me about. So the rest of this
article will be about these hacks.
As the pixel streak moves around on the gameboard, the player gets one point per character movement. When the player collects a bonus item of
any value, this one-point-per gets three added to it,
becoming a four-points-per. If another additional
bonus item is collected, it would be up to 7 points.
The code to add one point is selfmodify: add ax,
1. When a bonus item is collected, the routine
for doing bonus points also has this line add byte
[selfmodify + 2], 3. The +2 offset to our add
ax, 1 instruction is the byte where the 1 operand
was located, allowing us to directly modify it.
10
I hope these tricks are handy for you when writing your own 512-byte game, and also that youll
share your game with the rest of us. Complete code
and prebuilt binaries are available in the ZIP portion
of this release.8
8 unzip
pocorgtfo11.pdf tronsolitare.zip
11
83
sub bx ,
mov ax ,
; p r o g r e s s i v e ) game
; b x = 4 (0 3)
; g e t i t i n t o ax
ax
bx
85
87
89
91
93
mov bx ,
add bx ,
[ 0 x046C ] ; Get t i m e r s t a t e
ax
; Wait 14 t i c k s ( p r o g r e s s i v e
; difficulty )
; add bx , 8
; u n p r o g r e s s i v e l y slow cheat
;#CHEAT ( comment a b o v e l i n e o u t and uncomment
; this line )
delay :
cmp [ 0 x046C ] , bx
jne d e l a y
95
97
99
; Get k e y b o a r d
mov ah , 1
i n t 0 x16
jz persisted
state
; i f no k e y p r e s s , jump t o
; p e r s i s t i n g move s t a t e
101
1
3
5
; Tron S o l i t a r e
;
T h i s i s a PoC b o o t s e c t o r ( <512 b y t e s ) game
;
C o n t r o l s t o move a r e j u s t up /down/ l e f t / r i g h t
;
Avoid t o u c h i n g y o u r s e l f , b l u e b o r d e r , and t h e
; unlucky red 7
[ORG 0 x 7 c 0 0 ]
LEFT EQU 75
9 RIGHT EQU 77
UP
EQU 72
11 DOWN EQU 80
13
15
17
19
; add
to
25
113
mov s s ,
mov sp ,
ax
0 x9c00
; stack s t a r t s at 0
; 200 h p a s t c o d e s t a r t
mov ax ,
mov es ,
0 xb800
ax
; t e x t v i d e o memory
; ES=0xB800
33
35
37
39
41
47
; Some BIOS c r a s h
without
this
49
51
53
rep stosw
cmp di , 0 x 0 e f e
55
jne
57
59
; i n i t the score
mov di , 0 x 0 f 0 2
mov ax , 0 x 0 1 0 0
61
stosw
63
65
fillin
; P l a c e t h e game
mov di , 0 x07d0
mov ax , 0 x 2 f 2 0
stosw
141
143
145
; A d j u s t f o r n e x t l i n e and column
; i n n e r 78 columns ( e x c l u d e s i d e
; borders )
; p u s h t o v i d e o memory
; Is i t the l a s t col of l a s t l i n e
; we want?
; I f not , l o o p t o n e x t l i n e
69
71
73
75
77
79
81
; Wait Loop
; Get s p e e d
push d i
mov di ,
mov ax ,
pop d i
and ax ,
shr ax ,
mov bx ,
147
149
151
153
155
initial
161
163
piece in s t a r t i n g p o s i t i o n
; starting position
; char to d i s p l a y
165
167
169
; Maybe
place
an i t e m on
screen
171
173
( b a s e d on game/ s c o r e
; Check f o r d i r e c t i o n a l
cmp ah , LEFT
je l e f t
cmp ah , RIGHT
je right
cmp ah , UP
j e up
cmp ah , DOWN
j e down
jmp m a i n l o o p
; O t h e r w i s e , move i n
persisted :
cmp cx , LEFT
je l e f t
cmp cx , RIGHT
je right
cmp cx , UP
j e up
cmp cx , DOWN
j e down
pushes
direction
and
take
last
action
chosen
progress )
0 x0f02
[ es : di ]
; set coordinate
; read data at c o o r d i n a t e
0 xf000
14
4
; g e t most s i g n i f i c a n t n i b b l e
; now v a l u e 03
;#CHEAT, d e f a u l t i s 4 ; make
; amount h i g h e r f o r o v e r a l l
; slower ( but s t i l l
; This w i l l o n l y
jmp m a i n l o o p
happen
before
first
keypress
left :
mov cx , LEFT
; for persistenc
sub di , 4
; coordinate o f f s e t
c a l l movement_overhead
jmp m a i n l o o p
right :
mov cx , RIGHT
c a l l movement_overhead
jmp m a i n l o o p
up :
mov cx , UP
sub di , 1 6 2
c a l l movement_overhead
jmp m a i n l o o p
down :
mov cx , DOWN
add di , 1 5 8
c a l l movement_overhead
jmp m a i n l o o p
correction
movement_overhead :
call collision_check
mov ax , 0 x 2 f 2 0
stosw
call score
ret
157
159
67
mainloop :
c a l l random
135
139
b l a c k e x c e p t f o r remaining b l u e edges
; Almost 2 nd row 2nd column ( need
; t o add 4 )
0 x0020
; s p a c e c h a r on b l a c k on b l a c k
4
78
123
137
; f i l l in a l l
mov di , 1 5 8
ax ,
in :
di ,
cx ,
121
133
; Draw Border
; F i l l in a l l blue
xor di , d i
mov cx , 0 x07d0
; whole s c r e e n s worth
mov ax , 0 x 1 f 2 0
; empty b l u e b a c k g r o u n d
rep stosw
; p u s h i t t o v i d e o memory
mov
fill
add
mov
119
131
43
45
117
129
31
a l , 0 x03
ch , 0 x26
ah
0 x10
buffer
127
mov a l , 0 x03
xor ah , ah
i n t 0 x10
mov
mov
inc
int
115
125
27
29
107
111
; I n i t t h e environment
;
i n i t data segment
;
i n i t s t a c k s e g m e n t a l l o c a t e a r e a o f mem
;
i n i t E/ v i d e o s e g m e n t and a l l o c a t e a r e a o f mem
;
S e t t o 0 x03 /80 x25 t e x t mode
;
Hide t h e c u r s o r
xor ax , ax
; make i t z e r o
mov ds , ax
; DS=0
; C l e a r Keyboard
xor ah , ah
i n t 0 x16
105
109
offsets
21
23
103
175
collision_check :
mov bx , d i
mov ax , [ e s : bx ]
; c u r r e n t l o c a t i o n on s c r e e n
; grab video b u f f e r + current
; location
; Did we Lose?
;#CHEAT: comment o u t a l l 4 o f t h e s e c h e c k s
; (8 i n s t r u c t i o n s ) to be i n v i n c i b l e
cmp ax , 0 x 2 f 2 0
; d i d we l a n d on g r e e n
; ( s e l f )?
j e gameover
cmp ax , 0 x 1 f 2 0
; d i d we l a n d on b l u e
; ( border )?
j e gameover
cmp bx , 0 x 0 f 0 2
; d i d we l a n d i n s c o r e
; coordinate?
j e gameover
cmp ax , 0 x c f 3 7
; magic r e d 7
j e gameover
177
179
181
183
12
; S c o r e Changes
push ax
and ax , 0 x f 0 0 0
cmp ax , 0 x a 0 0 0
j e bonus
cmp ax , 0 x c 0 0 0
; s a v e c o p y o f ax / i t e m
; mask b a c k g r o u n d
; add t o s c o r e
; subtract
from
score
je penalty
pop ax
185
285
; restore
ax
ret
287
; Are we c l o b b e r i n g
cmp dx , 0 x 0 f 0 2
je redo
other data?
; Is the p i x e l the score?
; Get a d i f f e r e n t v a l u e
187
189
bonus :
mov byte
289
[ math ] ,
191
193
195
0 x01
; make i t e m s t u f f :
; add o p c o d e
routine
use
call itemstuff
stosw
; put data back in
mov di , bx
; restore coordinate
add byte [ s e l f m o d i f y + 2 ] , 3
push d i
mov di , dx
mov ax , [ e s : d i ]
pop d i
cmp ax , 0 x 2 f 2 0
je redo
cmp ax , 0 x 1 f 2 0
je redo
291
293
295
; store
coord
; read data at c o o r d i n a t e
; r e s t o r e coord
; Are we on t h e s n a k e ?
; Are we on
the
border?
297
197
199
ret
penalty :
mov byte
299
[ math ] ,
201
203
205
207
call itemstuff
cmp ax , 0 x e 0 0 0
ja underflow
stosw
mov di , bx
ret
0 x29
; make i t e m s t u f f :
; sub opcode
routine
use
for
integer
305
307
309
209
211
213
underflow :
mov ax ,
stosw
mov di ,
ret
311
0 x0100
313
219
221
itemstuff :
pop dx
pop ax
and ax , 0 x 0 0 0 f
i n c ax
s h l ax , 8
push ax
315
225
di
0 x0f02
[ es : di ]
227
229
231
or
pop cx
math :
add ax , cx
push dx
ret
stosw
pop d i
; display
; restore
it
coordinate
317
; store
return
pop cx
; restore
cx
319
; 18 i n s t e a d o f 07
; m u l t i p l y v a l u e b y 256
; store the value
321
;
;
;
;
325
323
223
mov bx ,
mov di ,
mov ax ,
; D e c i d e on itemt y p e and v a l u e
powerup :
rdtsc
; random
and ax , 0 x 0 0 0 7
; g e t random 8 v a l u e s
mov cx , ax
; c x h a s rand v a l u e
add cx , 0 x 5 f 3 0
; baseline
rdtsc
; random
; b a c k g r o u n d e i t h e r A o r C ( l i g h t g r e e n
; red )
and ax , 0 x 2 0 0 0
; k e e p b i t 13
add ax , 0 x 5 0 0 0
; t u r n b i t 14 and 12 on
add ax , cx
; itemt y p e + v a l u e
bx
215
217
pixel
; save current coordinate
; p u t rand c o o r d i n c u r r e n t
301
303
; s a n i t y check
; underflow
; D i s p l a y random
push d i
mov di , dx
save coordinate
set coordinate
read data at c o o r d i n a t e
s u b t r a c t from s c o r e
and
327
329
; add i s j u s t a
; restore return
suggestion...
331
333
undo :
ret
gameover :
i n t 0 x19
; Reboot t h e
; t h e game.
; L e g a c y gameover ,
; red screen
; xor di , d i
; mov cx , 8025
; mov ax , 0 x 4 f 2 0
; rep stosw
; jmp gameover
doesn t
s y s t e m and
reboot ,
just
restart
ends
with
233
235
237
239
241
243
245
247
249
251
253
255
257
259
261
263
265
score :
push d i
mov di , 0 x 0 f 0 2
; set coordinate
mov ax , [ e s : d i ]
; read data at c o o r d i n a t e
; f o r e a c h mov o f c h a r a c t e r , add n t o s c o r e
; t h i s s o u r c e shows add ax , 1 , however , e a c h
; b o n u s i t e m t h a t i s p i c k e d up i n c r e m e n t s t h i s
; v a l u e b y 3 e a c h t i m e an i t e m i s p i c k e d u p .
; Yes , t h i s i s s e l f m o d i f y i n g code , w h i c h i s
; why t h e l a b l e s e l f m o d i f y : i s s e e n a b o v e , t o
; b e c o n v e n i e n t l y u s e d a s an a d d r e s s t o p i v o t
; o f f o f i n an add b y t e [ s e l f m o d i f y + o f f s e t t o
; 1 ] , 3 instruction
s e l f m o d i f y : add ax , 1 ; i n c r e m e n t c h a r a c t e r i n
; coordinate
stosw
; put data back in
pop d i
; Why 0 x f 6 0 0 a s s c o r e c e i l i n g :
; i f i t was s o m e t h i n g l i k e 0 x f f f f , a s c o r e from
; 0 x f f f e would l i k l e y i n t e g e r o v e r f l o w t o a low
; r a n g e ( due t o t h e p r o g r e s s i v e ) s c o r i n g .
; 0 x f 6 0 0 g i v e s a good amount o f s l a c k f o r t h i s .
; However , i t s s t i l l " t e c h n i c a l l y " p o s s i b l e t o
; o v e r f l o w ; f o r example , h i t t i n g a 7 b o n u s
; i t e m a f t e r a l r e a d y g e t t i n g more t h a n 171
; b o n u s i t e m s ( 2 0 4 8 p o i n t s f o r bonus , 514
; p o i n t s p e r move ) w o u l d make t h e s c o r e go from
; 0 x f 5 f f to 0 x0001.
cmp ax , 0 x f 6 0 0
; i s t h e s c o r e h i g h enough t o
; win ;#CHEAT
j a win
ret
335
339
341
269
271
random :
; Decide whether t o
rdtsc
and ax , 0 x 0 0 0 f
cmp ax , 0 x 0 0 0 7
j n e undo
place
bonus / t r a p
345
347
349
351
353
355
357
359
361
363
365
369
371
; save
cx
375
275
277
279
281
283
timer
state
mov di , 0
mov cx , 0 x07d0
; enough f o r f u l l s c r e e n
winbg : mov ax , 0 x 0 1 0 0
; x o r ax , ax wont work , n e e d s
; b e t h i s machinec o d e f o r m a t
rep stosw
; commit t o v i d e o memory
; G e t t i n g random p i x e l
redo :
rdtsc
; random
xor ax , dx
; x o r i t up a l i t t l e
xor dx , dx
; c l e a r dx
add ax , [ 0 x046C ] ; moar randomness
mov cx , 0 x07d0
; Amount o f p i x e l s on s c r e e n
div cx
; dx now h a s random v a l
s h l dx , 1
; a d j u s t f o r even p i x e l v a l u e s
winmessage :
db 0 x02 , 0 x20
dq 0 x 2 1 4 e 4 9 5 7 2 0 5 5 4 f 5 9
;YOU WIN!
db 0 x21 , 0 x21 , 0 x20 , 0 x02
; BIOS s i g and p a d d i n g
t i m e s 510 ( $$$ ) db 0
dw 0xAA55
377
379
13
to
mov di , 0 x 0 7 c 4
; c o o r d t o s t a r t YOU WIN! m es sa ge
xor c l , c l
; c l e a r counter r e g i s t e r
w i n l o o p : mov a l , [ w i n m e s s a g e ]
; g e t win m e s s a g e p o i n t e r
mov ah , 0 x 0 f
; w h i t e t e x t on b l a c k b a c k g r o u n d
stosw
; commit c h a r t o v i d e o memory
i n c byte [ w i n l o o p + 0 x01 ]
; next character
cmp di , 0 x 0 7 e 0
; i s i t the l a s t character?
jne winloop
i n c word [ winbg + 0 x01 ]
; incrememnt f i l l c h a r / f g / b g
; ( whichever i s next )
sub byte [ w i n l o o p + 0 x01 ] , 14
; b a c k t o f i r s t c h a r a c t e r upon
; next f u l l loop
jmp win
373
273
push cx
screen
343
367
267
win :
; clear
337
; Pad t o f l o p p y d i s k .
; t i m e s ( 1 4 4 0 1 0 2 4 ) ( $ $$ )
db 0
14
normal start
E7
E7
normal start
E7
E7
E7
11100111011100111001110011111100111
XX
5.1
EE
E7
E7
E7
E7
11100111111001111110011111100111
FC
XX
FC
FC
FC
delayed start
delayed start
original stream
stream copy
Introduction
READNIB,X*
NIB1
DEY
BEQ
FAIL
CMP
BNE
#$D5
NIB1
LDY
NIB2
LDA
BPL
#0
READNIB,X
NIB2
DEY
BEQ
FAIL
CMP
BNE
#$E7
NIB2
NIB3
LDA
BPL
CMP
BNE
READNIB,X
NIB3
#$E7
FAIL
NIB4
LDA
BPL
CMP
BNE
READNIB,X
NIB4
#$E7
FAIL
LDA
RSTLATCH,X
desynch
LDY
#$10
BIT
NIB5
LDA
BPL
15
#0
$06
READNIB,X
NIB5
DEY
BEQ
FAIL
CMP
BNE
#$EE
NIB5
X = BootSlot << 4
skipped
11100 11101110 0 11100111 00 11111100 11101110
EE
E7
FC
EE
0 11100111 00 11111100 11101110 0 11101110 0 11111100 111...
E7
FC
EE
EE
FC
Interestingly, the bit $06 instruction is a misdirection. It exists only for the purpose of consuming
some cycles. Any other instruction of equal duration
could have been used, and it might be considered a
watermark. While it is the value that exists most
commonly, some titles changed the value of the address to 80 or FF, and these versions were spread,
too.
In the most common implementation of the
E7 protection, the stream on disk appears as
D5 E7 E7 E7 E7 E7 E7 E7 E7 E7 E7 E7 E7 with
some harmless zero-bits in between. So from where
do the other values come? The magic is in the timing of the reads, and timing is everything, so we
must count the cycles!
LDA
BPL
CMP
BNE
READNIB,X
NIB4
#$E7
FAIL
2 cycles
2 cycles
2 cycles
LDA
RSTLATCH,X
4 cycles
LDY
#$10
2 cycles
BIT
$06
3 cycles
5.2
Well-Groomed Data
15 cycles
One bit is shifted in every four CPU cycles, so
a delay of 15 CPU cycles is enough for three bits
to be shifted in. Those bits are discarded. However, since the CPU and the Disk ][ system are not
synchronized, then depending on exactly when the
initial read began, there can be up to two additional
cycles in the total count. That puts us in the 16 cycle range, which is sufficient for a fourth bit to be
shifted in and then discarded. In any case, the hardware sees it like this, due to a slip of three (or four)
bits:
D5 E7 E7 E7 [slip] EE E7 FC EE E7 FC EE
EE FC
In binary, the stream looks like this, with the
seemingly redundant zero-bits in bold.
5.3
11010101 11100111
11100111 11100111
D5
E7
E7
E7
11100111 0 11100111 00 11100111 11100111 0 11100111 00
E7
E7
E7
E7
E7
11100111 11100111 0 11100111 0 11100111 11100111
E7
E7
E7
E7
E7
16
5.4
5.5
Totally Rad
17
In binary, its:
11101111 11111111 11111111 11111111
After the bit-slip (and our extra zero-bit), the
hardware sees:
...11111111 11111111 11111111 1111
As above, we must make those last four bits disappear, in order to align our pattern later. As above,
we turn the four bits into zeroes and distribute them
within the stream, while adhering to the rule of not
more than two consecutive zeroes. Lets try this:
...0 11111111 00 11111111 0 11111111
The hardware reads this as FF FF FF. Then we
prepend one-bits and a zero-bit to the first (partial)
nibble again, like this:
[1110]011111111 00 11111111 0 11111111
After realigning the stream, we have this:
11100111 11111001 11111110 11111111
On disk, it appears as:
E7 F9 FE FF
That final FF is redundant, so we remove it.
Then we append our complete pattern without any
consideration for bit-slip. Our stream looks like this:
E7 F9 FE EE E7 FC EE E7 FC EE EE FC
The final step is to pad the sector as we did previously. Using the aesthetic choice again, we zero
the running value and then fill the rest of the sector
with 96s. A quick lookup in the nibble translation
table shows us that the needed value is FB, so our
whole stream appears as:
D5 AA AD E7 E7 E7 E7 F9 FE EE E7 FC EE
E7 FC EE EE FC FB 96 96 ... DE AA
We have a regular sector that works on hardware
and AppleWin at the same time.
5.6
11110011
11110011
11110011
11110011
11111100
11111100
11111100
11111100
[ 1 1 1 0 ] 0 11111111 00 11111111 0x . . .
V>>>>>^
18
5.7
Success!
First Blood Part II (a pure text adventure!), Summer/Winter/World Games, The Ancient Art of War
[at Sea], Tetris, and Xevious
03
00
00
00
00
00
03
00
00
00
00
01
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
02
00
00
00
00
03
00
00
00
00
00
00
00
00
00
00
01
00
00
00
00
02
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
02
00
00
00
00
00
03
00
00
00
00
03
00
00
00
00
02
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
01
00
00
00
00
00
01
00
00
00
00
03
00
00
00
00
00
00
00
00
00
00
02
00
00
00
00
03
00
00
00
00
01
00
00
00
00
00
01
00
00
00
00
01
00
00
00
00
01
00
00
00
00
00
02
00
00
00
00
02
00
00
00
00
03
00
00
00
00
00
01
00
00
00
00
02
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
01
00
00
00
00
00
02
00
00
00
00
01
00
00
00
00
00
00
00
00
00
00
02
00
00
00
00
02
00
00
00
00
01
00
00
00
00
00
AlgebraCVolumeC3Cv3x8|
AliceCinCWonderland|AnimalC
Kingdom|BankCStreetCStorybook|
Bannercatch|Batman|BumbleCPlotC3xH|
CaliforniaCGames|ChampionshipCWrestling|
ColorMe|Deathsword|Destroyer|DigCDugC(ThunderC
MountainT|Dinosaurs|DiveCBomber|FractionCAction|
GxIxCJoe|GalaxianC(ThunderCMountainT|GertrudewsC
PuzzlesC3xH|GertrudewsCSecrets|GertrudewsCSecretsC3x-|
HouseJaJFire|ImpossibleCMissionCII|JamesCBondCzz8CinCAC
ViewCToCACKill|JumpingCMathCFlash|LxAxCCrackdown|MagicalC
Myths|MathCShop|MathematicsCProblemCSolvingCSoftwareCLevelC
3JHJ-|MathematicsCToday|MicrozineC3HJ3-J36J38J3N|MoptownC
HotelC3xH|MoptownCHotelC3x-|MurderCbyCtheCDozen|NumberC
Bowling|PacJManC(ThunderCMountainT|Paperboy|PitstopCII|
Quations|RaceCCarCwRithmetic|Racter|RadCWarrior|RamboCFirstC
BloodCPartCII|RiddleCMagic|ScienceCVolumeCHCJCGeology|
ScienceCVolumeC-|ScienceCVolumeC0CJCSpace|Spiderbot|StarC
MazeC(ScottICForesmanCandCCompanyT|StreetCSportsC
Basketball|StreetCSportsCSoccer|SuccessCwithCTyping|
SuperPrint|SurveyCTaker|TenCLittleCRobots|Tetris|TheC
AdventuresCofCSinbad|TheCAmericanCChallenge|TheC
AncientCArtCofCWar|TheCHalleyCProject|TheCMist|
TheCMovieCMonsterCGame|TheCNotableCPhantom|
TheCPerfectCCollege|TheCPerfectCScore|TheC
Playroom|TheCSportingCNewsCBaseball|
TheCWorldwsCGreatestCBaseballC
Game|TinkwsCAdventure|
Xevious
00
00
00
00
00
02
00
00
00
00
02
00
00
00
00
00
This can be applied wherever the E7 sequence is the regular pattern. For other patterns, such as those used by Thunder Mountains
Dig Dug (E7 EE EE EE E7 E7 EE E7 EE EE EE
E7 EE E7 EE EE), Sunbursts 1-2-3 Sequence Me
(BB F9 Fx), and MCEs The 4th R - Reasoning (EB B6 EF 9A DB B7 ED F9 D7 BF BD A7 B3
FF B3 BA), just place the proper pattern after the
EF F3 FC sequence, pad the sector as you like,
and then fix the sector checksum.
5.8
Final Words
19
6.1
At a Glance
Common Models
STM32, EFM32
6.3
Architecture
32-bit registers
16-bit and 32-bit Thumb(2) instructions
Registers
R15: Program Counter
R14: Link Register
R13: Stack Pointer
R0 to R12: General Use
6.2
9 Thumb2 instructions run from Thumb mode. The only thing new about them is that they can be longer than 16 bits, so
your disassembler might be slightly confused about their starting position.
20
STM32F40xxx
MEMORY MAP
Reserved
CORTEX-M4 internal peripherals
Reserved
AHB3
0Xe010
0Xe000
0Xa000
0Xa000
0X6000 0000
0X5006 0c00 - 0X5fff ffff
0X5006 0bff
Reserved
AHB2
0Xffff ffff
FSMC registers
0X8000 0000
0X7fff ffff
0X6000 0000
0X5fff ffff
0X4000 0000
0X3fff ffff
0X2000 0000
0X1fff ffff
0X0000 0000
512-Mbyte
block 4
FSMC bank3
& bank4
512-Mbyte
block 3
FSMC bank1
& bank2
512-Mbyte
block 1
SRAM
512-Mbyte
block 0
Code
NE
E
SE
SW
0X5000 0000
0X4008 0000 - 0X4fff ffff
0X4007 7fff
Reserved
AHB1
0X4002 0000
0X4001 5800 - 0X4001 ffff
0X4001 5fff
Reserved
APB2
512-Mbyte
block 2
Peripherals
NW
s
l
a
pe
ri p
0Xa000 0000
0X9fff ffff
he
r
0Xc000
0Xbfff
FS
0Xe000
0Xdfff
512-Mbyte
block 7
Cortex-M4s
internal
0000 peripherals
ffff
512-Mbyte
block 6
Not used
0000
ffff
512-Mbyte
block 5
cortex
arm
flash
interrupt
radare
Reserved
SRAM (16 Kb aliased
by bit-handling)
SRAM (112 Kb aliased
by bit-handling)
Reserved
Option Bytes
Reserved
System memory + OTP
Reserved
CCM data RAM
(64 KB data SRAM)
Reserved
Flash
Reserved
Aliased to Flash, system
memory or SRAM depending
on the BOOT pins
pastor
Reserved
0X4001 0000
0X4000 7800 - 0X4000 ffff
0X4000 7fff
c008
c000
7a10
0000
0000
0X1fff
0X1fff
0X1fff
0X1fff
0X1ffe
ffff
c007
7fff
7a0f
ffff
APB1
21
6.4
Memory Map
6.5
6.6
Lets take a look at the interrupt table from the beginning of a Cortex M firmware image. These are
32-bit little endian addresses, which are to be read
backwards.
0000000 30
39
0000010 41
4
49
0000020 00
6
00
0000030 4d
8
55
0000040 . . .
2
14
57
57
57
00
00
57
57
00
00
00
00
00
00
00
00
20
08
08
08
00
00
08
08
21
3d
45
00
00
51
00
59
41
57
57
00
00
57
00
57
00
00
00
00
00
00
00
00
08
08
08
00
00
08
00
08
6.7
6.8
\
\
\
This means that USART2s data structure is located at 0x40004400. From the USART_TypeDef
structure, we know that data is received from USART2 by reading 0x40004424 and written to USART2 by writing to 0x40004428! Searching for
these addresses ought to easily find us the read and
write functions for that port.
6.9
Other Oddities
Please note that this guide has left out some features
unique to the STM32 series, and that each chip has
its own little quirks. Youll find different memory
maps on each implementation, and anything that
looks confusing is likely worth spending more time
to understand.
For example, some ARM devices offer CoreCoupled Memory (CCM), which is SRAM thats
wired directly to the CPUs internal data bus rather
than to the main memory bus of the chip. This
makes fetches lightning fast, but has the complications that the memory is unusable for DMA or code
fetches. Care for a non-executable stack, anyone?
Another quirk is that many devices map the
same physical memory to multiple virtual locations.
In some high-performance code, the use of both
cached and uncached memory can allow for more
efficient operation.
Additionally, address zero often contains a duplicate of the boot memory, which is usually Flash but
might be executable SRAM. Presumably this was
done to allow for code that has compatible immediate addresses when booting from either memory,
but PoCkGTFO 10:8 describes a nifty little jailbreak
that relies on dumping the 48K recovery bootloader
of an STM32F405 chip out of Flash through a nullpointer read.
We hope that youve enjoyed this friendly little guide to the Cortex M3, and that youll keep it
handy when reverse engineering firmware from that
platform.
1 // A b b r e v i a t e d USART r e g i s t e r s t r u c t .
typedef struct {
3
__IO u i n t 3 2 _ t CR1 ;
//+0x00
__IO u i n t 3 2 _ t CR2 ;
5
__IO u i n t 3 2 _ t CR3 ;
__IO u i n t 1 6 _ t BRR;
7
u i n t 1 6 _ t RESERVED1;
__IO u i n t 1 6 _ t GTPR;
9
u i n t 1 6 _ t RESERVED2;
__IO u i n t 3 2 _ t RTOR;
11
__IO u i n t 1 6 _ t RQR;
u i n t 1 6 _ t RESERVED3;
13
__IO u i n t 3 2 _ t ISR ;
__IO u i n t 3 2 _ t ICR ;
15
__IO u i n t 1 6 _ t RDR;
//+0x24 RX Data Reg
u i n t 1 6 _ t RESERVED4;
17
__IO u i n t 1 6 _ t TDR;
//+0x28 TX Data Reg
u i n t 1 6 _ t RESERVED5;
19 } USART_TypeDef ;
21 //USART l o c a t i o n d e f i n i t i o n s .
#define USART2
\
23
( ( USART_TypeDef ) USART2_BASE)
23
1
3
1
3
5
7
9
11
1 pop ecx ; p u t s t h e r e t u r n a d d r e s s t o e c x
jmp ecx ; jumps t o t h e r e t u r n a d d r e s s
}
13 i n t c ( ) { return a ( ) + b ( ) + 1 ; }
24
25
; [ 0 x8 : 4 ] = 0
; [ 0 x1 : 4 ] = 0 x1464c45
; [ 0 xc : 4 ] = 0
smashme :
2 push ebp
mov ebp , esp
4 sub esp , 0 x28
mov eax , dword [ ebp + 8 ]
6 mov dword [ esp + 4 ] , eax
l e a eax , [ ebp 0 x18 ]
8 mov dword [ esp ] , eax
jmp p a r a s i t e
10
parasite :
12 c a l l s y m . i m p . s t r c p y
leave
14 pop ecx
cmp ecx , 0 x08048456
16 jne 0 x41414141
jmp ecx
26
27
Howdy, yall!
Welcome to another installment of our series of
quick-start guides for reverse engineering embedded
systems. Our goal here is to get you situated with
the MSP430 architecture as quickly as possible, with
a minimum of fuss and formality.
Those of you who have already used an MSP430
might find this to be a useful reference, while those
of you new to the architecture will find that it isnt
really all that strange. If youve already reverse engineered binaries for any platform, even x86, we hope
that youll soon feel right at home.
8.1
The Landscape
Architecture
Von Neumann
16-bit words
8.3
Registers
R0: Program Counter
R1: Stack Pointer
R2: Status Register
R3: Constant Generator
R4-R15: General Use
Address Space
16-bit (MSP430)
20-bit (MSP430X, X2)
8.2
Memory Map
clone https://github.com/radare/radare2
11 http://mspgcc.sourceforge.net/assemble.html
28
Start
0x0000
0x0010
0x0100
0x0200
0x0C00
0x1000
0x1100
End
0x000F
0x00FF
0x01FF
0x09FF
0x0FFF
0x10FF
Size
16
240
255
1024
256
0xFFFF
0x10000
Use
Interrupt Control Registers
8-bit Peripherals
16-bit Peripherals
Low RAM (Mirrored at 0x1100)
BootStrap Loader (BSL ROM)
Info Flash
High RAM
Flash
Extended Flash
8.4
12 Here are the rules: Increment by two if registers r0 or r1, or if r4-r15 are used with a .W (2-byte) operand. Increment by
1 if r4 to r15 are used with a .B operand.
29
8.5
8.6
We look at 0xFFFE for the reset interrupt address, which is 0x3100 in this image. Thats our
entry point into the program, and you can see how
it nicely lines up in the disassembly:
00003100 <. s e c 1 >:
3 1 0 0 : 31 40 00 31
3 1 0 4 : 15 42 20 01
3 1 0 8 : 75 f 3
13 Global
14 If
mov
#12544 , r 1
mov
&0x0120 , r 5
and . b #1,
r5
disable is done by clearing the GIE bit of the status register, r2.
not, use a command like msp430-objcopy -I ihex -O elf32-msp430 dump.hex dump.msp430 to convert into one.
30
8.7
Maybe we want to look at some specific functionality that is triggered by an interrupt, for example
incoming serial data. Looking in the MSP430F1611
data sheet, we find that USART1 receive is a maskable interrupt at 0xFFE6. If we look at the notated
IVT in an example program (e.g., TinyOSs Printf
program compiled for TelosB), we see addresses (in
little endian) as shown here:
0000 f f e 0
ffe0
ffe2
ffe4
ffe6
ffe8
ffea
ffec
ffee
fff0
fff2
fff4
fff6
fff8
fffa
fffc
fffe
15 Page
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
<__ivtbl_16 >:
52 44
52 44
56 56
d0 55
52 44
94 4 f
76 4 f
52 44
52 44
52 44
52 44
52 44
d8 4 f
ba 4 f
52 44
00 40
dac /dma
i / o p2
u s a r t 1 tx
u s a r t 1 rx
i / o p1
t i m e r a3
t i m e r a3
adc12
u s a r t 0 tx
u s a r t 0 rx
watchdog t i m e r
compartor a
t i m e r b7
t i m e r b7
nmi/ e t c
reset
23 of http://www.ti.com/lit/ds/symlink/msp430f1611.pdf
31
Configure . . . > :
As you can see, working backwards from the addresses located in the peripheral file map can help
you quickly find functions of interest.
mov . b r14 ,
&0x0078
mov . b &0x1104 ,&0 x0079
mov . b &0x1105 ,&0 x007a
mov
mov . b
swpb
mov . b
mov . b
mov . b
This guide is neither complete nor perfectly accurate. We told a few lies-to-children as all teachers do, and we omitted a dozen nifty examples that
wouldve fit. Still, we hope that this will whet your
appetite for working with the MSP430 architecture,
and that, when you begin to work on the 430s, you
can get your bearings quickly, jumping into the fun
part of the journey with less hassle.
&0x1100 , r 1 4
r14 ,
&0x007c
r14
r14 ,
r14
r14 ,
&0x007d
&0x1102 ,&0 x007b
32
Please rise and open your hymnal for the recitation of PoCkGTFO 7:6.
A file has no intrinsic meaning. The meaning of a fileits type, its validity, its contentscan be
different for each parser or interpreter.
33
10
12
14 end
__END__
34
require socket
2 =begin
%PDF1.5
4 9999 0 o b j
<<
6 / Length INSERT_#
_REMAINING_RUBY_AND_HTML_BYTES_HERE
>>
8 stream
=end
10 INSERT REMAINING RUBY CODE HERE
__END__
12 INSERT HTML HERE
<!
14 endstream
endobj
16 INSERT RAW PDF HERE WITH LEADING %. . . HEADER
REMOVED
>
16 https://pdfium.googlesource.com/pdfium/
35
Ruby
HTML
require statements
=begin
Multiline
Comment
PDF Header
9999 0 obj
<<
/Length ?
>>
<head>.
stream
ZIP
=end
Ruby Webserver
Parses the HTML
from DATA and calls
Replace ? with
the number of
bytes here
(i.e., between
stream and
endstream)
unzip on itself to
extract the ZIP content
__END__
Everything after
__END__ is
accessible from
Rubys special
DATA object
HTML
Javascript to
remove
everything
between
require. . . and
__END__
from the DOM, if
necessary
<!-endstream
endobj
PDF Content
obj/stream
ZIP Content
as usual
(cf. PoCkGTFO 1:5
and 9:12)
Central Directory
Archive Comment
endstream/endobj
PDF Footer
-->
Figure 5 Anatomy of the Ruby/HTML/PDF/ZIP polyglot. Green portions contain the main content of
their respective filetypes. White portions are for context and to illustrate modifications necessary to make
the polyglot work. Gray portions are not interpreted by their respective filetypes.
36
37
10
Ben Byer
19802016
We are deeply saddened by the news that our member, colleague, and friend Ben
bushing Byer passed away of natural causes on Monday, February 8th.
Many of you knew him as one of the public faces of our group, fail0verflow, and
before that, Team Twiizers and the iPhone Dev Team.
Outspoken but never confrontational, he was proof that even in the competitive
and often aggressive hacking scene, there is a place for both a sharp mind and a kind
heart.
To us he was, of course, much more. He brought us together, as a group and in
spirit. Without him, we as a team would not exist. He was a mentor to many, and
an inspiration to us all.
Yet above anything, he was our friend. He will be dearly missed.
Our thoughts go out to his wife and family.
Keep hacking. Its what bushing would have wanted.
38
39
11
Howdy, neighbor!
A man came to me, and he said, Forgive me,
Preacher, for I have sinned. I play piano in a
brothel.
I laughed, That aint no sin, neighbor. Folks
need their music. Go now in peace.
But the man was worried, he said, No, Preacher,
Ive really sinned. I need your forgiveness.
So I laughed again, Go now, you are forgiven!
Stop wasting my time.
But Preacher, I teach children to use PHP!
Why would you lie to me about your profession
like that?
Oh, you try confessing an occupation like that!
Im glad I dont have to, I said while finishing
my drink, cause until today I didnt believe there
was any fate I feared more than hell.
40