Reverse Engineering for Beginners

CHAPTER 83. DEMOS


That is what Peter Ferrie and Andrey “herm1t” Baranovich did (11 and 10 bytes)^4:


Listing 83.1: Andrey “herm1t” Baranovich: 11 bytes

00000000: B05C mov al,05C ;'\'
; read AL byte from random place of memory
00000002: AE scasb
; PF = parity(AL - random_memory_byte) = parity(5Ch - random_memory_byte)
00000003: 7A02 jp 000000007
00000005: B02F mov al,02F ;'/'
00000007: CD29 int 029 ; output AL to screen
00000009: EBF5 jmp 000000000 ; loop endlessly


SCASB also uses the value in the AL register: it subtracts a random memory byte’s value from the 5Ch value in AL. JP is a rare
instruction; here it is used for checking the parity flag (PF), which is generated by the formula in the listing. As a consequence,
the output character is determined not by a single bit of a random memory byte, but by the sum of its bits, which (hopefully) makes
the result more evenly distributed.


It is possible to make this even shorter by using the undocumented x86 instruction SALC (AKA SETALC, “Set AL CF”). It was
introduced in the NEC V20 CPU and sets AL to 0xFF if CF is 1, or to 0 otherwise.


Listing 83.2: Peter Ferrie: 10 bytes

; AL is random at this point
00000000: AE scasb
; CF is set according subtracting random memory byte from AL.
; so it is somewhat random at this point
00000001: D6 setalc
; AL is set to 0xFF if CF=1 or to 0 if otherwise
00000002: 242D and al,02D ;'-'
; AL here is 0x2D or 0
00000004: 042F add al,02F ;'/'
; AL here is 0x5C or 0x2F
00000006: CD29 int 029 ; output AL to screen
00000008: EBF6 jmps 000000000 ; loop endlessly


So it is possible to get rid of conditional jumps entirely. The ASCII code of backslash (“\”) is 0x5C and that of slash (“/”) is 0x2F. So
we need to convert one (pseudo-random) bit in the CF flag into a value of 0x5C or 0x2F.


This is done easily: by AND-ing all bits in AL (where all 8 bits are set or cleared) with 0x2D we get just 0 or 0x2D. By
adding 0x2F to this value, we get 0x5C or 0x2F. Then we just output it to the screen.
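Both listings re-expressed in C, as an added example that is not from the book: the PF-based selection of Listing 83.1 and the branchless SALC/AND/ADD mapping of Listing 83.2, run over a constructed byte array that stands in for the random memory SCASB reads (the function names and the sample bytes are this example's own).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the "random" memory bytes SCASB reads (not real DOS memory). */
static const uint8_t sample_mem[] = {0x00, 0x5C, 0x2F, 0x13, 0xFF, 0x80, 0x7E, 0x01};

/* x86 PF is set when the low 8 bits of the result hold an even number of 1 bits. */
int parity_flag(uint8_t result) {
    int ones = 0;
    for (int i = 0; i < 8; i++) ones += (result >> i) & 1;
    return (ones & 1) == 0;
}

/* Listing 83.1: AL = 5Ch, SCASB sets PF from AL - mem, JP skips "mov al,2Fh" when PF = 1. */
uint8_t maze_char_parity(uint8_t mem_byte) {
    uint8_t diff = (uint8_t)(0x5C - mem_byte);
    return parity_flag(diff) ? 0x5C : 0x2F;   /* PF=1 -> '\', PF=0 -> '/' */
}

/* Listing 83.2: SCASB sets CF when AL < mem (borrow); SALC turns CF into 00h/FFh;
 * AND 2Dh leaves 0 or 2Dh; ADD 2Fh yields 2Fh ('/') or 5Ch ('\'). No jump needed. */
uint8_t maze_char_salc(uint8_t al, uint8_t mem_byte) {
    int cf = al < mem_byte;
    uint8_t mask = cf ? 0xFF : 0x00;          /* salc */
    return (uint8_t)((mask & 0x2D) + 0x2F);   /* and al,2Dh ; add al,2Fh */
}

/* Run the 10-byte loop over the sample memory, carrying AL between iterations as the
 * real loop does (the ADD result is the next SCASB operand). Returns chars written. */
size_t render_salc(uint8_t al_start, char *out, size_t n) {
    uint8_t al = al_start;
    size_t i;
    for (i = 0; i < n && i < sizeof sample_mem; i++) {
        al = maze_char_salc(al, sample_mem[i]);
        out[i] = (char)al;                    /* int 29h: write AL to the screen */
    }
    return i;
}

int main(void) {
    char row[sizeof sample_mem + 1] = {0};
    render_salc(0x00, row, sizeof sample_mem);
    printf("salc   : %s\n", row);
    for (size_t i = 0; i < sizeof sample_mem; i++) row[i] = (char)maze_char_parity(sample_mem[i]);
    printf("parity : %s\n", row);
    return 0;
}
```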


83.1.4 Conclusion.


It is also worth mentioning that the result may differ between DOSBox, Windows NT and even MS-DOS, due to different
conditions: the timer chip may be emulated differently and the initial register contents may differ as well.


(^4) http://go.yurichev.com/17087
