flat assembler
Message board for the users of flat assembler.

Index > Heap > Hexa competition :)
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
I've just collected 13 unique single-instruction opcodes for clearing any of the 32-bit general registers. Who knows more?
You have to find a new opcode or modr/m or sib byte, otherwise it is counted out :)

BTW, there are some other opcodes for clearing 16-bit registers, but that could be another competition ;)

Code:
-removed-

:D Have fun

_________________
x86asm.net


Last edited by MazeGen on 12 Dec 2005, 13:40; edited 1 time in total
Post 15 Apr 2005, 10:18
tom tobias (Joined: 09 Sep 2003, Posts: 1320, Location: usa)
Thank you MazeGen for this excellent submission, which, in my opinion, ought to be relocated to a section of the forum somewhat more distinguished, and more noble, than HEAP. Next steps, inevitably, are to (1) time these various instructions, and (2) to explore the most efficient method available to time each of them. One note of caution to the would-be timers of this world: please do not use LOOPS to increase the iterations, but rather use the editor and create VERY LARGE files of instructions, in order to prolong the execution to a measurable time. Then, of course, if one gets into the millisecond range, after thousands of iterations, one runs into other software conflicts, interrupts etc., so, ideally, the timing will be done on a cpu with no other software, firmware, PCI cards, or EPROMs generating interrupts. For accuracy, one needs to include a counter in the routine, rather than relying upon inspection of the text before FASM'ing it. Further, there should be some meaningful activity using the registers, prior to reclearing them at each iteration. Then, of course, the meaningful activity component will need to be executed, separately, WITHOUT the clearing of the register, to measure its time, and subtract that time from the total. Apart from the timing provocation, your excellent post also illustrates, graphically, (thanks) the SIZE of each of these instructions. Forty years ago, a decision on which instruction to use, when one required twice as much memory as another, would have been instinctive. In those days, everything was code. The concept of readability was alien. Your submission gets my nomination for best post of 2005, notwithstanding your victory in the earlier bags competition. :)
Post 15 Apr 2005, 12:09
MCD (Joined: 21 Aug 2004, Posts: 604, Location: Germany)
I guess you forgot those
Code:
;C1E020          shl eax,32      ; wrong
;C1E820          shr eax,32      ; wrong

E2FE            loop $-2         ; This will zero out ecx, but may take a while to execute


Last edited by MCD on 19 Apr 2005, 15:14; edited 1 time in total
Post 19 Apr 2005, 08:19
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 17279, Location: In your JS exploiting you and your system)
Quote:

shl eax,32
shr eax,32


Doesn't work: The shift count is masked to 5 bits!
Post 19 Apr 2005, 09:45
MCD (Joined: 21 Aug 2004, Posts: 604, Location: Germany)
revolution wrote:
Quote:

shl eax,32
shr eax,32


Doesn't work: The shift count is masked to 5 bits!

Oops, forget those, ahhh
Post 19 Apr 2005, 15:13
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
Oh tom, you say I've posted it to HEAP in the fasmforum?! Damn, I must have made some mistake, I wanted to post it to http://forum.nobelprize.org/ingeniousthoughts! (temporarily unavailable)

> Your submission gets my nomination for best post of 2005

You bet! I'd expect that, of course.

> notwithstanding your victory in the earlier bags competition

I won? Really? Yahoo! Where are my bags, MCD?

OK, now seriously ;)

Finding those opcodes is not as strange as it may seem. I'm personally playing with them because I'm thinking about code watermarking, i.e. steganography. Say you need to hide something in your code, some password, for example. Your project consists of 100,000 instructions and 0.1 % of the instructions clear one of the 32-bit general registers. Now, we have 13 opcodes for clearing such a register, which means you can encode, in theory, 1300 bits only in those instructions, and that is pretty interesting.

_________________
x86asm.net
Post 26 Apr 2005, 10:34
vid, "Verbosity in development" (Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
** sorry others, this is private **

mazegen: so your obfuscator will be secretly hiding data in the code by the way it picks the zeroing instructions? :) In 10 years warez will maybe get smuggled that way, at those speeds.
Post 26 Apr 2005, 10:52
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
It seems that the previous competition is finished, so I'm starting a new one: the same guidelines, but it can also be clearing of fixed registers (MCD already posted LOOP $-2) and 16-bit and 8-bit registers.

Code:
-removed-


Last edited by MazeGen on 12 Dec 2005, 13:40; edited 2 times in total
Post 26 Apr 2005, 10:52
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
vid: check your Inbox
Post 26 Apr 2005, 12:02
MCD (Joined: 21 Aug 2004, Posts: 604, Location: Germany)
MazeGen wrote:
Code:
D2E9          SHR CL,CL      ; I really like this :)

This one is difficult to understand, but it really works, since it's = [CL/2^CL]

[] are meant to be Gaussian floor brackets

_________________
MCD - the inevitable return of the Mad Computer Doggy

-||__/
.|+-~
.|| ||
Post 26 Apr 2005, 12:14
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
Oh, I don't like that one anymore :roll:

Thanks for the proof, MCD, but I also forgot about the masking. The following code does NOT clear CL:

Code:
 mov cl, NOT 11111b      ; 0E0h
 shr cl, cl              ; shift count is masked to 5 bits: 0E0h AND 1Fh = 0, so CL stays 0E0h

BTW, did I really win the plastic bag or was tom just joking? 8)

_________________
x86asm.net
Post 26 Apr 2005, 17:24
tom tobias (Joined: 09 Sep 2003, Posts: 1320, Location: usa)
MazeGen wrote:
Oh, I don't like that one anymore :roll:

Thanks for the proof, MCD, but I also forgot about the masking. The following code does NOT clear CL:

Code:
 mov cl, NOT 11111b      ; 0E0h
 shr cl, cl

BTW, did I really win the plastic bag or was tom just joking? 8)

Well, yeah, I was joking about your having been the winner of the bag contest, because as far as I know, the prize remains unclaimed!!! But I was not joking about your submission, I think it very useful, and important, and I believe it does belong in a more suitable place than heap.
I too am interested in the general problem of security, and identity, but I am thinking of a separate private memory embedded on the motherboard (hide in plain sight), inaccessible for WRITING by the main cpu, but accessible for reading. Imagine a palm computer, with an encrypted program. Well, probably in Europe there are not such a huge number of crooks around, as here in USA, but I can easily envision a situation, in these days of WiFi internet access, where someone is accused of (for example) setting off remotely some nefarious device, and, though innocent of the accusation, brought to trial with his/her palm computer as evidence. What prevents the government (a gang of crooks if ever there were some) from modifying the eeprom on the palm based computer to give an independent judiciary the impression that the accused really is the (remote) trigger source for the terrorist activity? What is needed is a separate, secret mechanism for copying the activities of the palm onto a separate small piece of memory, which can exonerate the accused. How could the USA deny murdering that Italian security guard in Iraq? And these same people control the whole world, threatening nuclear annihilation...sad state of affairs....If we didn't have the plastic bag contest, despair would definitely rule!! :)
Post 26 Apr 2005, 18:28
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
tom tobias wrote:
But I was not joking about your submission, I think it very useful, and important, and I believe it does belong in a more suitable place than heap.

I've just reread your original post and it really seems you weren't joking, sorry. But why do you want to time the instructions? MOV is always the fastest.

tom tobias wrote:
I too am interested in the general problem of security, and identity, but I am thinking of a separate private memory embedded on the motherboard (hide in plain site), inaccessible for WRITING by the main cpu, but accessible for reading...

Interesting, but I assume you are not a hardware manufacturer, so how do you want to push it through?
IIRC Intel wanted to put a unique serial number into each of its processors in order to make each computer unique, but it hit a snag - I don't know who said it was a violation of privacy, and Intel had to disable that feature, AFAIK. It seems your idea is kind of similar.

tom tobias wrote:
If we didn't have the plastic bag contest, despair would definitely rule!!


:lol: :D

_________________
x86asm.net
Post 26 Apr 2005, 19:05
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 17279, Location: In your JS exploiting you and your system)
If you are interested in watermarking you may want to see the 'a86' assembler from Eric Isaacson (I think). He used similar opcodes in both function and length to do watermarking.

Example:

Code:
31 C3 xor ebx,eax    ; XOR r/m32, r32 (direction bit clear)
33 D8 xor ebx,eax    ; XOR r32, r/m32 (direction bit set): same operation, same length

BTW: 'E2 FE loop $' NOT 'E2 FE loop $-2'
Post 27 Apr 2005, 01:25
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
revolution wrote:
If you are interested in watermarking you may want to see the 'a86' assembler from Eric Isaacson (I think). He used similar opcodes in both function and length to do watermarking.

Example:

Code:
31 C3 xor ebx,eax    ; XOR r/m32, r32 (direction bit clear)
33 D8 xor ebx,eax    ; XOR r32, r/m32 (direction bit set): same operation, same length

Yeah, I'm aware of that trick with the direction bit.
There are a lot more possibilities; let's consider LEA, for instance:

Code:
mov eax,ebx  <-> lea eax,[ebx]
mov eax,1234 <-> lea eax,[1234]
add eax,ebx  <-> lea eax,[eax+ebx]
add eax,4321 <-> lea eax,[eax+4321]
movzx ebx,bx <-> lea ebx,[bx]

revolution wrote:
BTW: 'E2 FE loop $' NOT 'E2 FE loop $-2'

You're right.

_________________
x86asm.net
Post 27 Apr 2005, 07:45
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 17279, Location: In your JS exploiting you and your system)
Some of your LEA examples are not equivalent. Some are functionally different because the flags are not updated. Some are different in the number of opcode bytes to encode the instruction.

But there are many such examples that are the same in both length and function: add, adc, sub, sbb, cmp, xor, and, or, mov. For watermarking I think it is more useful to use these alternative codings, since most assemblers/compilers would not generate different variants of the same instructions without special modification.

In 16-bit mode there are a few more possibilities with sign extended byte immediates and word immediates also fulfilling the function and length restriction.
Post 27 Apr 2005, 09:24
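The direction-bit trick described in this post, as an added example (not code from the thread, from a86, or from MazeGen's tool): a small Python encoder/decoder that hides one bit per register-register ALU instruction in the choice between its two equal-length encodings, and reads them back. Register numbers, opcode bases and the ModRM layout are the standard 32-bit ones; the sample program in the usage is constructed.

```python
# Added example (not from the thread): carrying watermark bits in the two
# register-register encodings of the ALU ops listed above (32-bit code).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # reg numbers 0..7
# base opcode of each two-operand ALU op; +1 = "r/m32, r32", +3 = "r32, r/m32"
ALU_BASE = {"add": 0x00, "or": 0x08, "adc": 0x10, "sbb": 0x18,
            "and": 0x20, "sub": 0x28, "xor": 0x30, "cmp": 0x38}
MOV_FORMS = (0x89, 0x8B)  # mov r/m32, r32  and  mov r32, r/m32

def encode(op, dst, src, direction_bit):
    """Two-byte reg-reg encoding (ModRM mod=11) of `op dst, src`.
    direction_bit 0: opcode base+1, reg field = src, rm field = dst
    direction_bit 1: opcode base+3, reg field = dst, rm field = src
    Same operation, same length, same flags either way."""
    d, s = REGS.index(dst), REGS.index(src)
    if op == "mov":
        opcode = MOV_FORMS[direction_bit]
    else:
        opcode = ALU_BASE[op] + (3 if direction_bit else 1)
    reg, rm = (d, s) if direction_bit else (s, d)
    return bytes([opcode, 0xC0 | (reg << 3) | rm])

def decode(two_bytes):
    """Inverse of encode: returns (op, dst, src, direction_bit)."""
    opcode, modrm = two_bytes[0], two_bytes[1]
    if modrm >> 6 != 3:
        raise ValueError("register-register form only")
    reg, rm = (modrm >> 3) & 7, modrm & 7
    if opcode in MOV_FORMS:
        op, dbit = "mov", MOV_FORMS.index(opcode)
    else:
        op = next(k for k, v in ALU_BASE.items() if v == opcode & 0xF8)
        dbit = (opcode >> 1) & 1  # bit 1 of the opcode is the direction bit
    dst, src = (reg, rm) if dbit else (rm, reg)
    return op, REGS[dst], REGS[src], dbit

def embed(instructions, bits):
    """Assemble [(op, dst, src), ...], hiding one bit per instruction in its
    direction bit; instructions past the end of `bits` get the canonical form 0."""
    out = bytearray()
    for i, (op, dst, src) in enumerate(instructions):
        out += encode(op, dst, src, bits[i] if i < len(bits) else 0)
    return bytes(out)

def extract(code):
    """Decoder (and detector) view: read every direction bit back out of the
    stream; a mix of forms where a compiler always emits one is the tell-tale."""
    return [decode(code[i:i + 2])[3] for i in range(0, len(code), 2)]
```

With the constructed program `[("xor","ebx","eax"), ("add","ecx","edx"), ("mov","esi","edi"), ("cmp","eax","ebx")]` and bits `[1, 0, 1]`, `embed` yields `33 D8 01 D1 8B F7 39 D8`, every pair still decodes to the original instruction, and `extract` returns `[1, 0, 1, 0]`.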
MCD (Joined: 21 Aug 2004, Posts: 604, Location: Germany)
Quote:
BTW, did I really win the plastic bag or was tom just joking?

The clue about the contest is that it's impossible to win it! So it will be very easy for me to send someone plastic bags 8)

revolution wrote:
BTW: 'E2 FE loop $' NOT 'E2 FE loop $-2'

missed that again
Post 27 Apr 2005, 11:13
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
revolution: I have in mind an external tool, which disassembles the code, adds the watermark, and reassembles the code. I'm not thinking about some compiler or the like.

revolution wrote:
Some of your LEA examples are not equivalent. Some are functionally different because the flags are not updated. Some are different in the number of opcode bytes to encode the instruction.

I don't see any problem with the opcode length.
As for substitution with an instruction performing a different operation, the external tool analyzes the code flow first and replaces the original instruction only when there will be no conflicts. For instance, ADD updates the flags, but in most cases the flags are not tested (i.e. they are overwritten by one of the next instructions), so it can be replaced with LEA.

revolution wrote:
But there are many such examples that are the same in both length and function. add, adc, sub, sbb, cmp, xor, and, or, mov. For watermarking I think it is more useful to use these alternative codings since most assemblers/compilers would not generate different variants of the same instructionss without special modification.

You're right, e.g. MASM AFAIK doesn't allow you to choose the encoding at all.

revolution wrote:
In 16-bit mode there are a few more possibilities with sign extended byte immediates and word immediates also fulfilling the function and length restriction.

I wonder what possibilities? When you extend a byte, you always also extend the opcode length.

MCD wrote:
Quote:
BTW, did I really win the plastic bag or was tom just joking?

The clue about the contest is that it's impossible to win it! So it will be very easy for me to send someone plastic bags 8)

I didn't get it! :oops: :?

_________________
x86asm.net
Post 27 Apr 2005, 11:48
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 17279, Location: In your JS exploiting you and your system)
Quote:
I wonder what possibilities? When you extend a byte, you always also extend the opcode length.

Code:
050100 add ax,1    ; 16-bit mode: add ax, imm16 (3 bytes)
83C001 add ax,1    ; 16-bit mode: add r/m16, sign-extended imm8 (also 3 bytes)
Post 28 Apr 2005, 01:19
Copyright © 1999-2020, Tomasz Grysztar.