Notes on Bitblt =============== General purpose ROP compiler ---------------------------- Given a ternary ROP is there anyway to know if it needs a pattern? Does it needs a source? How many times does it use the destination? Think of a polynomial that can express all possible ROP operations: 1) a + a D + a S + a P + a SD + a DP + a SP + a DSP 0 d s p sd dp sp dsp Also note that a is from the set of binary digits {0, 1} A ROP is currently expressed by taking a bit pattern for the Pattern, Source and Destination and applying the bitwise operations (and, or, xor, not) to the values. All math is done modulo 256. 2) P = 240 (11110000), S = 204 (11001100), D = 170 (10101010) An example ROP for taking the bitwise or of the Source and Pattern, anding it with the destination and taking the bitwise not would be: ~((P | S) & D) ~((240 | 204) & 170) ~((11110000 | 11001100) & 10101010) ~(252 & 170) ~(11111100 & 10101010) ~168 ~10101000 87 01010111 The ROP would therefore be 87. Now we have to map the bits in the ROP to the terms of the polynomial. Think of the bits in the ROP as a vector. The a terms in the polynomial as another vector. A matrix can be found to map one vector to the other. 3) [ ] [ ] [ ] b 1 0 0 0 0 0 0 0 a 0 0 b 1 1 0 0 0 0 0 0 a 1 d b 1 0 1 0 0 0 0 0 a 2 s b 1 1 1 0 1 0 0 0 a 3 X = p b 1 0 0 1 0 0 0 0 a 4 ds b 1 1 0 1 0 1 0 0 a 5 dp b 1 0 1 1 0 0 1 0 a 6 sp b 1 1 1 1 1 1 1 1 a [ 7 ] [ ] [ dsp ] From this formulas for the dependency of bits in the ROP can be found for the terms of the polynomial. 4) a = b 0 0 a = b + b d 0 1 a = b + b s 0 2 a = b + b p 0 4 a = b + b + b + b ds 0 1 2 3 a = b + b + b + b dp 0 1 4 5 a = b + b + b + b sp 0 2 4 6 a = b + b + b + b + b + b + b + b dsp 0 1 2 3 4 5 6 7 Dependency on a term can be tested with a parity test, if an odd number of the bits are true, the term needs to be evaluated. For example, any odd ROP will have to have the a term evaluated. The 0 operations for each of terms is as follows: 5) a ~ 0 a ^ DST d a ^ SRC s a ^ PAT p a ^ (DST & SRC) ds a ^ (DST & PAT) dp a ^ (SRC & PAT) sp a ^ (DST & SRC & PAT) dsp Take for example the ROP 87 (01010111) the expression for it would be: ~0 ^ (DST & SRC) ^ (DST & PAT) ^ (DST & SRC & PAT) Some other common ROP codes: ROP RPN Compiled 00 0 0 0F Pn ~0 ^ PAT 11 DSon ~0 ^ DST ^ SRC ^ (DST & SRC) 33 Sn ~0 ^ SRC 44 SDna 0 ^ SRC ^ (DST & SRC) 66 DSx 0 ^ SRC ^ DST 88 DSa 0 ^ (SRC & DST) AA D 0 ^ DST BB DSno ~0 ^ SRC ^ (DST & SRC) C0 PSa 0 ^ (SRC & PAT) CC S 0 ^ SRC EE DSo 0 ^ SRC ^ DST ^ (DST & SRC) F0 P 0 ^ PAT FB DPSnoo ~0 ^ SRC ^ (DST & SRC) ^ (SRC & PAT) ^ (DST & SRC & PAT) FF 1 ~0 Some simple constant folding can be done to eliminate the 0 from most of these expressions, since 0 ^ N always gives N.