A Trace Vector Decoder (TVD) is computer software that uses the trace facility of its underlying microprocessor to decode encrypted instruction opcodes just-in-time prior to execution and possibly re-encode them afterwards. It can be used to hinder reverse engineering when attempting to prevent software cracking as part of an overall copy protection strategy.
Certain microprocessor families (e.g. 680x0, x86) provide the capability to trace instructions to aid in program development. A debugger might use this capability to single step through a program, providing the means for a programmer to monitor the execution of the program under test.
By installing a custom handler for the trace exception, it is possible to gain control of the microprocessor between the execution of normal program flow instructions. A typical trace vector decoder exception handler decodes the upcoming instruction of the traced program (the code outside the exception handler) and re-encodes the instruction that was decoded previously.
The Motorola 68000 has an instruction-by-instruction tracing facility. [1] When its trace state is enabled, the processor automatically forces a trace exception after each (non-exception) instruction is executed. The following assembly code snippet is an example of a program initializing a trace exception handler on a 68000 system.
InstallHandler:
        MOVE.L  #$4E730000,-(SP)    ; Push trace exception handler onto the stack
        MOVE.L  #$00000010,-(SP)
        MOVE.L  #$0004DDB9,-(SP)
        MOVE.L  #$BD96BDAE,-(SP)
        MOVE.L  #$B386B586,-(SP)
        MOVE.L  #$D046D246,-(SP)
        MOVE.L  #$0246A71F,-(SP)
        MOVE.L  #$00023C17,-(SP)
        MOVE.W  #$2C6F,-(SP)
        MOVE.L  SP,($24).W          ; Set trace exception handler vector (vector 9, offset $24)
        ORI.W   #$A71F,SR           ; Enable trace state
        NOP                         ; CPU generates a trace exception after executing this NOP
;------------------------
        ...                         ; Code from this line would be encrypted

The following is a disassembly of the above trace exception handler loaded on the stack. The purpose of this handler is to obfuscate any traced encrypted code. Its decryption process depends on the contents of the condition code register (CCR). For example, an arithmetic operation in the main program that produces a zero result sets the zero flag in the CCR, which changes the status register value the trace exception handler reads from (SP) and therefore the key it derives.
TraceHandler:
        MOVE.L  (2,SP),A6           ; Load return address from supervisor stack
        MOVE.W  (SP),D6             ; Load condition codes of the main program
        AND.W   #$A71F,D6           ; Keep trace, supervisor, interrupt mask and CCR bits
        ADD.W   D6,D0               ; Accumulate into D0 and D1 so the key evolves each step
        ADD.W   D6,D1
        EOR.L   D1,D6               ; Combine with D1 and D2 to form the 32-bit key
        EOR.L   D2,D6
        EOR.L   D6,(A6)             ; Decode 8 bytes ahead in main
        EOR.L   D6,(4,A6)
        RTE                         ; Return from exception

The x86 CPUs provide a trace flag that generates an interrupt after the execution of each instruction. The following assembly code is an example of how this might be implemented on an 8086 system.
; Start by setting a trace handler
InstallHandler:
        xor     bx,bx                                   ; clear bx (faster than mov 0 into it)
        mov     es,bx                                   ; now ES start is at 0x00000
        mov     word ptr es:[1*4],offset TraceHandler   ; write handler's address offset to IVT entry 1
        mov     word ptr es:[1*4+2],cs                  ; write current code segment to IVT entry 1
; Turn on the trace trap
        pushf                                           ; push FLAGS onto stack
        pop     ax                                      ; pop previously read FLAGS into AX
        or      ah,1                                    ; set bit 0 of AH, i.e. TF (bit 8 of FLAGS)
        push    ax                                      ; push modified flags back onto stack
        popf                                            ; now we have set trace flag in FLAGS
        nop                                             ; trace interrupt fires after this instruction
;------------------------
        ...                                             ; Code from this line would be encrypted

The following is a disassembly of an associated trace interrupt handler.
TraceHandler:
        push    bp
        mov     bp,sp                                   ; Gain access to return address
        push    bx
        push    ds                                      ; Save DS; return address will be loaded into DS:BX
        lds     bx,2[bp]                                ; Pointer to opcode of next instruction
        mov     bx,[bx]                                 ; Get current instruction's opcode
        ...                                             ; Decode the opcode
        pop     ds
        pop     bx
        pop     bp
        iret                                            ; Return from interrupt

The Rob Northen Copylock system implemented on the Amiga, [2] Atari ST [3] and IBM PC [4] platforms includes a TVD. In addition to its general software encryption, the Copylock TVD obfuscates the code that accesses and validates the copy protected diskette.
A TVD was included in the Voyage demo, written for the 680x0-based Commodore Amiga by Razor 1911. [5]
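As an added illustration (constructed model code, not the article's, Copylock's or Razor 1911's own), the following Python replays the 68000 TraceHandler shown above on constructed straight-line code: it reproduces the handler's register arithmetic, seals each instruction under the keys that will have touched it by the time it executes, and shows that replaying with a different CCR history yields different bytes, which is why a memory dump cannot be decoded without emulating the flags. It assumes the encrypted code does not modify D0, D1, D2 or the upper word of D6; the entry register values, instructions and CCR outcomes are constructed.

```python
# Model of the 68000 TraceHandler key schedule above: a constructed example, not the article's code.
# Assumes straight-line encrypted code that leaves D0, D1, D2 and the upper word of D6 alone.

MASK = 0xA71F  # AND.W #$A71F,D6 keeps T, S, the interrupt mask and the CCR bits of the saved SR

def trace_key(regs, saved_sr):
    """One pass of TraceHandler: update D0, D1, D6 as it does and return the XOR key (D6)."""
    low = saved_sr & MASK                          # MOVE.W (SP),D6 ; AND.W #$A71F,D6
    d6 = (regs["d6"] & 0xFFFF0000) | low           # word ops leave the upper word of D6 untouched
    regs["d0"] = (regs["d0"] & 0xFFFF0000) | ((regs["d0"] + low) & 0xFFFF)  # ADD.W D6,D0
    regs["d1"] = (regs["d1"] & 0xFFFF0000) | ((regs["d1"] + low) & 0xFFFF)  # ADD.W D6,D1
    d6 ^= regs["d1"]                               # EOR.L D1,D6
    d6 ^= regs["d2"]                               # EOR.L D2,D6
    regs["d6"] = d6                                # D6 is left holding the key for the next pass
    return d6

def xor_window(mem, pc, key):
    """EOR.L D6,(A6) ; EOR.L D6,(4,A6): XOR the 8 bytes at the return PC, big-endian."""
    kb = key.to_bytes(4, "big") * 2
    for i in range(8):
        mem[pc + i] ^= kb[i]

def saved_sr(step, ccr_after):
    """SR in the exception frame before instruction `step`: T/S/I from the ORI, CCR from the previous instruction."""
    return 0xA71F if step == 0 else 0xA700 | (ccr_after[step - 1] & 0x1F)

def encode(plain_insns, ccr_after, regs):
    """Seal each instruction under the XOR of every key that will have hit it when it executes."""
    regs = dict(regs)
    plain = bytearray(b"".join(plain_insns)) + bytearray(8)   # pad so the last window fits
    cum, enc, pc = bytearray(len(plain)), bytearray(plain), 0
    for i, insn in enumerate(plain_insns):
        xor_window(cum, pc, trace_key(regs, saved_sr(i, ccr_after)))
        for b in range(pc, pc + len(insn)):
            enc[b] = plain[b] ^ cum[b]
        pc += len(insn)
    return bytes(enc)

def decode_trace(enc, lengths, ccr_after, regs):
    """Replay the trace exceptions; return each instruction's bytes as the CPU would execute them."""
    regs, mem, out, pc = dict(regs), bytearray(enc), [], 0
    for i, n in enumerate(lengths):
        xor_window(mem, pc, trace_key(regs, saved_sr(i, ccr_after)))  # handler runs before insn i
        out.append(bytes(mem[pc:pc + n]))
        pc += n
    return out

PLAIN = [b"\x76\x00", b"\x52\x43", b"\x38\x3c\x12\x34", b"\x4e\x75"]  # MOVEQ #0,D3 ; ADDQ.W #1,D3 ; MOVE.W #$1234,D4 ; RTS
CCR_AFTER = [0x04, 0x00, 0x00, 0x00]  # constructed: CCR each instruction leaves (MOVEQ #0 sets Z)
REGS = {"d0": 0x11110000, "d1": 0x22223333, "d2": 0x44445555, "d6": 0xDEAD0000}  # constructed entry state
```

Because each 8-byte window overlaps the following instructions, only the instruction about to execute (and at most six bytes after it) is ever in clear at one moment, and a wrong flag outcome corrupts the key stream from that point on.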