Move #03
15 March 1997

XOR'em ALL - An XOR-loader (ksorka) using the LDIR instruction; inverse ksorki.

                 KSORKI (XOR DECRYPTORS)

(C) Mastsoft


   Hi everyone! In this article I decided to continue the topic of
ksorki (XOR decryptors: short loaders that decrypt the code following
them by XORing it with a key stream) that ARS started in the previous
issue. I will only add a few things and discuss some new methods of
protection. Here we go!

   The first, and perhaps the most interesting, technique involves the
well-known LDIR instruction. Let me start with what this instruction
actually does. What does the CPU do when it encounters LDIR?


 1. The CPU fetches the instruction opcode.
 2. It reads the byte at the address held in HL.
 3. It writes that byte to the address held in DE.
 4. HL is incremented (HL = HL + 1).
 5. DE is incremented (DE = DE + 1).
 6. BC is decremented (BC = BC - 1).

   This is repeated until BC reaches 0.


   The most important thing in this sequence is that the CPU reads the
LDIR opcode AGAIN on every pass: as long as BC is not zero, PC is moved
back to the instruction instead of past it.

   So what happens if HL climbs onto the LDIR opcode, so that the copy
runs over the instruction's own bytes? I think you get the hint:
whatever gets written over those two bytes is what the CPU executes on
the next pass, and a debugger or emulator that handles LDIR as a single
atomic instruction never sees it. After experimenting with this
instruction you can achieve interesting results.
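The behaviour described above, as an added example that is not part of the original article: a few lines of Python that model only LDIR (ED B0) and HALT (76) and put the two fetch semantics side by side, the real CPU that re-fetches the opcode bytes before every transfer and a tracer that performs LDIR as one atomic step. The memory image is constructed for the demonstration; the byte being copied is chosen to be HALT so that the divergence is easy to see.

```python
# Added example, not from the original article: a minimal model of the part
# of the Z80 that matters for the LDIR trick. Only LDIR (ED B0) and HALT (76)
# are modelled; the memory image in demo() is constructed for the purpose.

LDIR_PREFIX, LDIR_OPCODE, HALT_OPCODE = 0xED, 0xB0, 0x76


def ldir_transfer(mem, regs):
    """One LDIR pass: (DE) <- (HL); HL += 1; DE += 1; BC -= 1."""
    mem[regs["DE"]] = mem[regs["HL"]]
    regs["HL"] = (regs["HL"] + 1) & 0xFFFF
    regs["DE"] = (regs["DE"] + 1) & 0xFFFF
    regs["BC"] = (regs["BC"] - 1) & 0xFFFF


def run(mem, regs, atomic, max_steps=100000):
    """Fetch/execute from regs['PC'] until HALT or an opcode we do not model.

    atomic=False models the real CPU: after a transfer that leaves BC != 0
    the PC stays on ED B0, so those two bytes are read from memory again and
    whatever the copy has written over them is what executes next.
    atomic=True models a naive tracer that copies the whole block at once.
    """
    for _ in range(max_steps):
        pc = regs["PC"]
        op = mem[pc]
        if op == HALT_OPCODE:
            return "halt"
        if op == LDIR_PREFIX and mem[(pc + 1) & 0xFFFF] == LDIR_OPCODE:
            if atomic:
                while regs["BC"] != 0:
                    ldir_transfer(mem, regs)
                regs["PC"] = (pc + 2) & 0xFFFF
            else:
                ldir_transfer(mem, regs)
                if regs["BC"] == 0:
                    regs["PC"] = (pc + 2) & 0xFFFF   # otherwise: re-fetch
            continue
        return "unmodelled opcode 0x%02X at 0x%04X" % (op, pc)
    return "step limit reached"


def demo(atomic):
    """Overlapping copy (DE = HL + 1) whose wave of bytes runs over the LDIR.

    Returns (status, BC, HL, byte now sitting at the LDIR prefix address).
    """
    mem = bytearray(0x10000)
    code = 0x8000
    mem[code], mem[code + 1] = LDIR_PREFIX, LDIR_OPCODE   # LDIR
    mem[code + 2] = HALT_OPCODE                           # what follows it
    src = code - 8
    mem[src] = HALT_OPCODE       # the byte that the copy propagates upwards
    regs = {"PC": code, "HL": src, "DE": src + 1, "BC": 16}
    status = run(mem, regs, atomic)
    return status, regs["BC"], regs["HL"], mem[code]


if __name__ == "__main__":
    # real CPU: stops after 8 passes, BC = 8, the 76h written over EDh runs
    print("real Z80:", demo(atomic=False))
    # atomic tracer: copies all 16 bytes, BC = 0, halts at the original HALT
    print("atomic  :", demo(atomic=True))
```

Run against the real-CPU model the copy stops after eight passes with BC = 8, because the 76h that landed on the ED prefix is executed on the very next fetch; the atomic model copies all sixteen bytes and only stops on the HALT that originally followed the LDIR. A protection lives in exactly this gap: the byte written over the opcode can be any instruction, and the code path it starts is invisible to a tracer that does not re-fetch.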


   Now I will talk about a primitive ksorka that is bound to a specific
area of memory.

   For example, this primitive ksorka:


        JR START
STACK   POP DE          ; return address (the byte after CALL STACK) -> DE
        PUSH DE         ; put it back so that RET still works
        RET
START   XOR A
        LD R, A         ; reset the refresh register: it serves as a counter
        LD HL, BEG_DATA ; start of the encrypted block
        LD BC, LENGTH   ; length of the block in bytes
LOOP    LD A, R
        XOR (HL)        ; mix in the encrypted byte ...
        XOR H           ; ... its address ...
        XOR L
        CALL STACK      ; DE := address of the XOR E below
        XOR E           ; ... and the address the ksorka is running at
        XOR D
        LD (HL), A      ; store the decrypted byte
        INC HL
        DEC BC
        LD A, B
        OR C
        JR NZ, LOOP
BEG_DATA ...............  ; encrypted block follows


   When CALL executes, the address of the instruction immediately
following the CALL is pushed onto the stack. The STACK routine pops that
address into DE (and pushes it straight back so that RET still returns
to the right place). Right after the CALL come XOR E and XOR D, so the
return address becomes part of the key. It follows that if an attacker
moves the ksorka to some other place, DE holds a different value and
the decryption goes wrong.
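The key stream of the loop above, modelled in Python as an added example that is not part of the original article, to show what "bound to an address" means in practice and what it does not catch. RET_OFFSET and DATA_OFFSET follow from the byte lengths of the instructions in the listing; R0 and R_STEP stand in for the value the R register has on the first LD A,R and its advance per pass, which on a real Z80 come from counting opcode fetches and are assumed here (the encrypting and decrypting side only need to agree on them). The payload is a constructed byte string.

```python
# Added example, not from the original article: the key stream A = R ^ (HL)
# ^ H ^ L ^ E ^ D of the address-bound ksorka, and what relocating it does.

RET_OFFSET = 0x16    # address pushed by CALL STACK: the XOR E instruction
DATA_OFFSET = 0x1F   # BEG_DATA: the first byte after JR NZ,LOOP
R0 = 4               # assumed: value the first LD A,R reads
R_STEP = 17          # assumed: advance of R per loop pass (7-bit counter)


def keystream(loader_base, length, r0=R0, step=R_STEP):
    """Key bytes R ^ H ^ L ^ E ^ D for a ksorka placed at loader_base."""
    ret = (loader_base + RET_OFFSET) & 0xFFFF
    d, e = ret >> 8, ret & 0xFF
    out = bytearray()
    for i in range(length):
        hl = (loader_base + DATA_OFFSET + i) & 0xFFFF
        r = (r0 + step * i) & 0x7F      # R counts in its low 7 bits only
        out.append(r ^ (hl >> 8) ^ (hl & 0xFF) ^ e ^ d)
    return bytes(out)


def xor_bytes(block, key):
    return bytes(b ^ k for b, k in zip(block, key))


def encrypt_for(loader_base, plain):
    """What the packer does: XOR is an involution, so encrypting applies the
    same transform the ksorka will, computed for the intended address."""
    return xor_bytes(plain, keystream(loader_base, len(plain)))


def decrypt_at(loader_base, enc):
    """What the ksorka does when it actually runs at loader_base."""
    return xor_bytes(enc, keystream(loader_base, len(enc)))


def demo():
    home = 0x8000
    plain = bytes(range(0x20, 0x60))        # constructed 64-byte payload
    enc = encrypt_for(home, plain)
    return {
        "in_place":        decrypt_at(home, enc) == plain,
        "moved_by_0x10":   decrypt_at(home + 0x10, enc) == plain,
        "moved_by_0x1000": decrypt_at(home + 0x1000, enc) == plain,
    }


if __name__ == "__main__":
    # in place: True; moved by 10h bytes: False; moved by 1000h: True
    for name, ok in demo().items():
        print(name, "decrypts correctly" if ok else "garbage")
```

The move by 10h bytes produces garbage, as the text says. The move by a whole number of pages does not: H and D both change by the same amount and cancel in H ^ D for every byte that shares a page with the return address, while L and E are unchanged, so the key stream is identical. Mixing the address in with XOR is therefore weaker than it looks; a ksorka that wants to catch page-aligned moves has to combine the address bytes in a way that does not cancel, for instance by adding them instead.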


   INVERSE KSORKI.

   In recent years many so-called inverse ksorki have appeared. They
differ from a simple ksorka in that decryption does not start at the
beginning of the encrypted block but at its end.

   For example:

START   DI
        XOR A
        LD R, A          ; reset R: it serves as the counter
        LD HL, END_DATA  ; last byte of the block: decryption runs backwards
        LD BC, LENGTH    ; length of the block in bytes
LOOP    LD A, R
        XOR (HL)
        XOR H
        XOR L
        LD (HL), A
        DEC HL
        DEC BC
        LD A, B
        OR C
        JR NZ, LOOP
        ***              ; encrypted code: decrypted last, executed first
END_DATA ...............



   The advantage of this simple ksorka is that you cannot put a
breakpoint after it by ordinary means: the bytes right after the loop,
where execution continues, are the last ones to be decrypted, so a
breakpoint written there is scrambled along with them. You have to
trace the ksorka from beginning to end. Agree, a pretty boring
occupation.

   And finally, here is an original inverse ksorka:


        DI
        XOR A
        LD R, A
        LD IX, END_DATA   ; walk backwards from the end of the block
        LD HL, LOOP       ; JP (HL) is a one-byte jump back to LOOP
LOOP    LD A, R
        XOR (IX+0)
        LD (IX+0), A
        DEC IX
        JP (HL)           ; no counter: the loop never tests for the end
        ***               ; encrypted code
END_DATA ..............



   Isn't it beautiful? I don't think working out how it runs takes much
effort: the loop has no counter and JP (HL) always jumps back, so it
only ends once IX has walked down through the encrypted code into the
loop's own bytes and the XOR rewrites one of its instructions.




