vm.c - www.canyoucrackit.co.uk - part #3

1. // by petter wahlman, http://www.twitter.com/badeip
2. // solution to part 3 of canyoucrackit.co.uk
3. //
4. // hex.h is available here: http://pastebin.com/yj3xsZLW
5.  
6. #include <stdio.h>
7. #include <stdlib.h>
8. #include <string.h>
9. #include <unistd.h>
10. #include <termios.h>
11. #include <fcntl.h>
12. #include <sys/types.h>
13. #include <sys/stat.h>
14. #include <stdint.h>
15.  
16. #include "hex.h"
17.  
18. uint8_t mem[] = {
19.     0x31, 0x04, 0x33, 0xaa, 0x40, 0x02, 0x80, 0x03, 0x52, 0x00, 0x72, 0x01, 0x73, 0x01, 0xb2, 0x50,
20.     0x30, 0x14, 0xc0, 0x01, 0x80, 0x00, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
21.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
23.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
24.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
25.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
26.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
27.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
31.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
32.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
33.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
34.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
35.    
36.     0x98, 0xab, 0xd9, 0xa1, 0x9f, 0xa7, 0x83, 0x83, 0xf2, 0xb1, 0x34, 0xb6, 0xe4, 0xb7, 0xca, 0xb8,
37.     0xc9, 0xb8, 0x0e, 0xbd, 0x7d, 0x0f, 0xc0, 0xf1, 0xd9, 0x03, 0xc5, 0x3a, 0xc6, 0xc7, 0xc8, 0xc9,
38.     0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9,
39.     0xda, 0xdb, 0xa9, 0xcd, 0xdf, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,
40.     0x26, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9,
41.     0x7d, 0x1f, 0x15, 0x60, 0x4d, 0x4d, 0x52, 0x7d, 0x0e, 0x27, 0x6d, 0x10, 0x6d, 0x5a, 0x06, 0x56,
42.     0x47, 0x14, 0x42, 0x0e, 0xb6, 0xb2, 0xb2, 0xe6, 0xeb, 0xb4, 0x83, 0x8e, 0xd7, 0xe5, 0xd4, 0xd9,
43.     0xc3, 0xf0, 0x80, 0x95, 0xf1, 0x82, 0x82, 0x9a, 0xbd, 0x95, 0xa4, 0x8d, 0x9a, 0x2b, 0x30, 0x69,
44.     0x4a, 0x69, 0x65, 0x55, 0x1c, 0x7b, 0x69, 0x1c, 0x6e, 0x04, 0x74, 0x35, 0x21, 0x26, 0x2f, 0x60,
45.     0x03, 0x4e, 0x37, 0x1e, 0x33, 0x54, 0x39, 0xe6, 0xba, 0xb4, 0xa2, 0xad, 0xa4, 0xc5, 0x95, 0xc8,
46.     0xc1, 0xe4, 0x8a, 0xec, 0xe7, 0x92, 0x8b, 0xe8, 0x81, 0xf0, 0xad, 0x98, 0xa4, 0xd0, 0xc0, 0x8d,
47.     0xac, 0x22, 0x52, 0x65, 0x7e, 0x27, 0x2b, 0x5a, 0x12, 0x61, 0x0a, 0x01, 0x7a, 0x6b, 0x1d, 0x67,
48.     0x75, 0x70, 0x6c, 0x1b, 0x11, 0x25, 0x25, 0x70, 0x7f, 0x7e, 0x67, 0x63, 0x30, 0x3c, 0x6d, 0x6a,
49.     0x01, 0x51, 0x59, 0x5f, 0x56, 0x13, 0x10, 0x43, 0x19, 0x18, 0xe5, 0xe0, 0xbe, 0xbf, 0xbd, 0xe9,
50.     0xf0, 0xf1, 0xf9, 0xfa, 0xab, 0x8f, 0xc1, 0xdf, 0xcf, 0x8d, 0xf8, 0xe7, 0xe2, 0xe9, 0x93, 0x8e,
51.     0xec, 0xf5, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
52.    
53.     0x37, 0x7a, 0x07, 0x11, 0x1f, 0x1d, 0x68, 0x25, 0x32, 0x77, 0x1e, 0x62, 0x23, 0x5b, 0x47, 0x55,
54.     0x53, 0x30, 0x11, 0x42, 0xf6, 0xf1, 0xb1, 0xe6, 0xc3, 0xcc, 0xf8, 0xc5, 0xe4, 0xcc, 0xc0, 0xd3,
55.     0x85, 0xfd, 0x9a, 0xe3, 0xe6, 0x81, 0xb5, 0xbb, 0xd7, 0xcd, 0x87, 0xa3, 0xd3, 0x6b, 0x36, 0x6f,
56.     0x6f, 0x66, 0x55, 0x30, 0x16, 0x45, 0x5e, 0x09, 0x74, 0x5c, 0x3f, 0x29, 0x2b, 0x66, 0x3d, 0x0d,
57.     0x02, 0x30, 0x28, 0x35, 0x15, 0x09, 0x15, 0xdd, 0xec, 0xb8, 0xe2, 0xfb, 0xd8, 0xcb, 0xd8, 0xd1,
58.     0x8b, 0xd5, 0x82, 0xd9, 0x9a, 0xf1, 0x92, 0xab, 0xe8, 0xa6, 0xd6, 0xd0, 0x8c, 0xaa, 0xd2, 0x94,
59.     0xcf, 0x45, 0x46, 0x67, 0x20, 0x7d, 0x44, 0x14, 0x6b, 0x45, 0x6d, 0x54, 0x03, 0x17, 0x60, 0x62,
60.     0x55, 0x5a, 0x4a, 0x66, 0x61, 0x11, 0x57, 0x68, 0x75, 0x05, 0x62, 0x36, 0x7d, 0x02, 0x10, 0x4b,
61.     0x08, 0x22, 0x42, 0x32, 0xba, 0xe2, 0xb9, 0xe2, 0xd6, 0xb9, 0xff, 0xc3, 0xe9, 0x8a, 0x8f, 0xc1,
62.     0x8f, 0xe1, 0xb8, 0xa4, 0x96, 0xf1, 0x8f, 0x81, 0xb1, 0x8d, 0x89, 0xcc, 0xd4, 0x78, 0x76, 0x61,
63.     0x72, 0x3e, 0x37, 0x23, 0x56, 0x73, 0x71, 0x79, 0x63, 0x7c, 0x08, 0x11, 0x20, 0x69, 0x7a, 0x14,
64.     0x68, 0x05, 0x21, 0x1e, 0x32, 0x27, 0x59, 0xb7, 0xcf, 0xab, 0xdd, 0xd5, 0xcc, 0x97, 0x93, 0xf2,
65.     0xe7, 0xc0, 0xeb, 0xff, 0xe9, 0xa3, 0xbf, 0xa1, 0xab, 0x8b, 0xbb, 0x9e, 0x9e, 0x8c, 0xa0, 0xc1,
66.     0x9b, 0x5a, 0x2f, 0x2f, 0x4e, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
67.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
68.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
69. };
70.  
71. #define R0 0
72. #define R1 1
73. #define R2 2
74. #define R3 3
75. #define CS 4
76. #define DS 5
77. #define FL 6
78. #define IP 7
79.  
80. struct insn {
81.     union {
82.         uint8_t value;
83.         struct {
84.             uint8_t oper1 : 4;
85.             uint8_t mod   : 1;
86.             uint8_t opcode: 3;
87.         };
88.     };
89.     uint8_t oper2;
90. };
91.  
92. struct vm {
93.     uint16_t r[8];
94.     uint8_t *mem;
95.     struct insn *insn;
96. };
97.  
98. void print_insn(struct vm *);
99.  
100. void jmp(struct vm *);
101. void movr(struct vm *);
102. void movm(struct vm *);
103. void add(struct vm *);
104. void xor(struct vm *);
105. void cmp(struct vm *);
106. void jmpe(struct vm *);
107. void hlt(struct vm *);
108.  
109.  
110. enum { R00, IR0, SR0, RR0, RI0, RSR, SRR, NA0 };
111. struct {
112.     uint8_t opcode;
113.     uint8_t w1, w2;
114.     const char *name;
115.     uint8_t fmt1, fmt2;
116.     void (*dispatch)(struct vm *vm);
117. } mnemonic[] = {
118.     { 0, 0, 2, "jmp ", R00, IR0, jmp  },
119.     { 1, 2, 2, "movr", RR0, RI0, movr },
120.     { 2, 2, 2, "movm", RSR, SRR, movm },
121.     { 3, 2, 2, "add ", RR0, RI0, add  },
122.     { 4, 2, 2, "xor ", RR0, RI0, xor  },
123.     { 5, 2, 2, "cmp ", RR0, RI0, cmp  },
124.     { 6, 1, 2, "jmpe", R00, SR0, jmpe },
125.     { 7, 1, 1, "hlt ", NA0, NA0, hlt  }
126. };
127.  
128.  
129. void print_insn(struct vm *vm)
130. {
131.     struct insn *insn = vm->insn;
132.     int type;
133.     const char *reg[] = {
134.         "r0", "r1", "r2", "r3", "cs", "ds", "fl", "ip"
135.     };
136.     const char *fmt[] = {
137. /* 0: R00 */   "%02X:%02X:  %02X       %s  %s            ",
138. /* 1: IR0 */   "%02X:%02X:  %02X %02X    %s  %02X:%s         ",
139. /* 1: SR0 */   "%02X:%02X:  %02X %02X    %s  %s:%s         ",
140. /* 2: RR0 */   "%02X:%02X:  %02X %02X    %s  %s, %s        ",
141. /* 3: RI0 */   "%02X:%02X:  %02X %02X    %s  %s, %02X        ",
142. /* 4: RSR */   "%02X:%02X:  %02X %02X    %s  %s, [%s:%s]   ",
143. /* 5: SRR */   "%02X:%02X:  %02X %02X    %s  [%s:%s], %s   ",
144. /* 6: NA0 */   "%02X:%02X:  %02X       %s  N/A             ",
145.     };
146.  
147.     type = insn->mod ? mnemonic[insn->opcode].fmt2 : mnemonic[insn->opcode].fmt1;
148.     switch(type) {
149.         case R00:
150.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], mnemonic[insn->opcode].name, reg[insn->oper1]);
151.             break;
152.         case IR0:
153.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, insn->oper2, reg[insn->oper1]);
154.             break;
155.         case SR0:
156.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, reg[insn->oper1], reg[insn->oper2]);
157.             break;
158.         case RR0:
159.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, reg[insn->oper1], reg[insn->oper2]);
160.             break;
161.         case RI0:
162.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, reg[insn->oper1], insn->oper2);
163.             break;
164.         case RSR:
165.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, reg[insn->oper1], reg[DS], reg[insn->oper2]);
166.             break;
167.         case SRR:
168.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], vm->mem[vm->r[IP]+1], mnemonic[insn->opcode].name, reg[DS], reg[insn->oper1], reg[insn->oper2]);
169.             break;
170.         case NA0:
171.             printf(fmt[type], vm->r[CS], vm->r[IP], vm->mem[vm->r[IP]], mnemonic[insn->opcode].name);
172.             break;
173.         default:
174.             printf("FUCKED\n");
175.     }
176.     fflush(stdout);
177. }
178.  
179. void jmp(struct vm *vm)
180. {
181.     struct insn *insn = vm->insn;
182.  
183.     if (!insn->mod) // r1
184.         vm->r[IP] = vm->r[insn->oper1];
185.     else {          // r2:r1
186.         vm->r[CS] = insn->oper2;
187.         vm->r[IP] = vm->r[insn->oper1];
188.     }
189. }
190.  
191. void movr(struct vm *vm)
192. {
193.     struct insn *insn = vm->insn;
194.  
195.     if (!insn->mod) // r1, r2
196.         vm->r[insn->oper1] = vm->r[insn->oper2];
197.     else            // rx,   imm
198.         vm->r[insn->oper1] = insn->oper2;
199.  
200.     vm->r[IP] += 2;
201. }
202.  
203. void movm(struct vm *vm)
204. {
205.     struct insn *insn = vm->insn;
206.  
207.     if (!insn->mod)
208.         vm->r[insn->oper1] = vm->mem[(vm->r[DS] << 4) + vm->r[insn->oper2]];
209.     else
210.         vm->mem[(vm->r[DS] << 4) + vm->r[insn->oper1]] = vm->r[insn->oper2];
211.  
212.     vm->r[IP] += 2;
213. }
214.  
215. void add(struct vm *vm)
216. {
217.     struct insn *insn = vm->insn;
218.  
219.     if (!insn->mod) // r1, r2
220.         vm->r[insn->oper1] += vm->r[insn->oper2];
221.     else            // r1, imm
222.         vm->r[insn->oper1] += vm->insn->oper2;
223.  
224.     vm->r[IP] += 2;
225. }
226.  
227. void xor(struct vm *vm)
228. {
229.     struct insn *insn = vm->insn;
230.  
231.     if (!insn->mod) // r1, r2
232.         vm->r[insn->oper1] ^= vm->r[insn->oper2];
233.     else            // r1, imm
234.         vm->r[insn->oper1] ^= vm->insn->oper2;
235.  
236.     vm->r[IP] += 2;
237. }
238.  
239. void cmp(struct vm *vm)
240. {
241.     struct insn *insn = vm->insn;
242.  
243.     if (!insn->mod) { // r1, r2
244.         if (vm->r[insn->oper1] == vm->r[insn->oper2])
245.             vm->r[FL] = 0;
246.         else if (vm->r[insn->oper1] < vm->r[insn->oper2])
247.             vm->r[FL] = 0xff;
248.         else
249.             vm->r[FL] = 1;
250.     } else {          // r1, imm
251.         if (vm->r[insn->oper1] == vm->insn->oper2)
252.             vm->r[FL] = 0;
253.         else if (vm->r[insn->oper1] < vm->insn->oper2)
254.             vm->r[FL] = 0xff;
255.         else
256.             vm->r[FL] = 1;
257.     }
258.     vm->r[IP] += 2;
259. }
260.  
261. void jmpe(struct vm *vm)
262. {
263.     struct insn *insn = vm->insn;
264.  
265.     if (!vm->r[FL]) {
266.         if (!insn->mod) { // r1
267.             vm->r[IP] = vm->r[insn->oper1];
268.         } else {          // r2:r1
269.             vm->r[CS] = insn->oper2;
270.             vm->r[IP] = (vm->r[CS] << 4) + vm->r[insn->oper1];
271.         }
272.     } else {
273.         vm->r[IP]++; // nop
274.     }
275. }
276.  
277. void hlt(struct vm *vm)
278. {
279.     printf("\nmem:\n");
280.     print_hex(vm->mem, sizeof(mem), 20);
281.     exit(0);
282. }
283.  
284. static struct termios oldt;
285.  
286. void stdin_restore(void)
287. {
288.     tcsetattr(0, TCSANOW, &oldt);
289. }
290.  
291. void stdin_nowait(void)
292. {
293.     struct termios newt;
294.  
295.     tcgetattr(0, &oldt);
296.     newt = oldt;
297.     newt.c_lflag &= ~(ICANON | ECHO);
298.     tcsetattr(0, TCSANOW, &newt);
299.     atexit(stdin_restore);
300. }
301.  
302. int main(int argc, char **argv)
303. {
304.     uint8_t interactive = 0;
305.     uint8_t dump_mem = 0;
306.     uint8_t verbose = 0;
307.     uint32_t i;
308.     struct vm vm;
309.  
310.     system("clear");
311.     for (i = 1; i < argc; i++) {
312.         if (!strncmp(argv[i], "-m", 2))
313.             dump_mem = 1;
314.         else if (!strncmp(argv[i], "-v", 2))
315.             verbose = 1;
316.         else if (!strncmp(argv[i], "-i", 2)) {
317.             interactive = 1;
318.             stdin_nowait();
319.         }
320.     }
321.  
322.     memset(&vm, 0, sizeof(vm));
323.     vm.mem = mem;
324.     vm.r[DS] = 0x10;
325.     while (1) {
326.         uint8_t c;
327.         vm.insn = (struct insn * )&mem[(vm.r[CS] << 4) + vm.r[IP]];
328.  
329.         print_insn(&vm);
330.         if (verbose)
331.             printf("  - m:%d [ r0:%02X  r1:%02X  r2:%02X  r3:%02X  cs:%02X  ds:%02X  fl:%02X ]\n",
332.                 vm.insn->mod, vm.r[R0], vm.r[R1], vm.r[R2], vm.r[R3], vm.r[CS], vm.r[DS], vm.r[FL]);
333.         else
334.             putchar('\n');
335.  
336.         mnemonic[vm.insn->opcode].dispatch(&vm);
337.  
338.         if (dump_mem)
339.             print_hex(mem + 256, 512, 0);
340.  
341.         if (interactive) {
342.             c = getchar();
343.             switch(c) {
344.                 case 'm': print_hex(mem, sizeof(mem), 0); break;
345.                 case 'c': interactive = 0; break;
346.                 case 'q': goto out;
347.             }
348.         }
349.     }
350. out:
351.     print_hex(mem, sizeof(mem), 0);
352.  
353.     return 0;
354. }