158 lines
4.5 KiB
Plaintext
158 lines
4.5 KiB
Plaintext
Notes on Bitblt
|
|
===============
|
|
|
|
General purpose ROP compiler
|
|
----------------------------
|
|
|
|
Given a ternary ROP is there anyway to know if it needs a pattern?
|
|
|
|
Does it needs a source? How many times does it use the destination?
|
|
|
|
Think of a polynomial that can express all possible ROP operations:
|
|
|
|
|
|
1) a + a D + a S + a P + a SD + a DP + a SP + a DSP
|
|
0 d s p sd dp sp dsp
|
|
|
|
|
|
Also note that a is from the set of binary digits {0, 1}
|
|
|
|
A ROP is currently expressed by taking a bit pattern for the Pattern,
|
|
|
|
Source and Destination and applying the bitwise operations (and, or,
|
|
|
|
xor, not) to the values. All math is done modulo 256.
|
|
|
|
|
|
2) P = 240 (11110000), S = 204 (11001100), D = 170 (10101010)
|
|
|
|
|
|
An example ROP for taking the bitwise or of the Source and Pattern,
|
|
|
|
anding it with the destination and taking the bitwise not would be:
|
|
|
|
~((P | S) & D)
|
|
~((240 | 204) & 170) ~((11110000 | 11001100) & 10101010)
|
|
~(252 & 170) ~(11111100 & 10101010)
|
|
~168 ~10101000
|
|
87 01010111
|
|
|
|
The ROP would therefore be 87. Now we have to map the bits in the
|
|
|
|
ROP to the terms of the polynomial. Think of the bits in the ROP
|
|
|
|
as a vector. The a terms in the polynomial as another vector. A
|
|
|
|
matrix can be found to map one vector to the other.
|
|
|
|
|
|
3) [ ] [ ] [ ]
|
|
b 1 0 0 0 0 0 0 0 a
|
|
0 0
|
|
b 1 1 0 0 0 0 0 0 a
|
|
1 d
|
|
b 1 0 1 0 0 0 0 0 a
|
|
2 s
|
|
b 1 1 1 0 1 0 0 0 a
|
|
3 X = p
|
|
b 1 0 0 1 0 0 0 0 a
|
|
4 ds
|
|
b 1 1 0 1 0 1 0 0 a
|
|
5 dp
|
|
b 1 0 1 1 0 0 1 0 a
|
|
6 sp
|
|
b 1 1 1 1 1 1 1 1 a
|
|
[ 7 ] [ ] [ dsp ]
|
|
|
|
|
|
From this formulas for the dependency of bits in the ROP can be found
|
|
|
|
for the terms of the polynomial.
|
|
|
|
|
|
4) a = b
|
|
0 0
|
|
|
|
a = b + b
|
|
d 0 1
|
|
|
|
a = b + b
|
|
s 0 2
|
|
|
|
a = b + b
|
|
p 0 4
|
|
|
|
a = b + b + b + b
|
|
ds 0 1 2 3
|
|
|
|
a = b + b + b + b
|
|
dp 0 1 4 5
|
|
|
|
a = b + b + b + b
|
|
sp 0 2 4 6
|
|
|
|
a = b + b + b + b + b + b + b + b
|
|
dsp 0 1 2 3 4 5 6 7
|
|
|
|
|
|
Dependency on a term can be tested with a parity test, if an odd
|
|
|
|
number of the bits are true, the term needs to be evaluated. For
|
|
|
|
example, any odd ROP will have to have the a term evaluated. The
|
|
0
|
|
operations for each of terms is as follows:
|
|
|
|
|
|
5) a ~
|
|
0
|
|
|
|
a ^ DST
|
|
d
|
|
|
|
a ^ SRC
|
|
s
|
|
|
|
a ^ PAT
|
|
p
|
|
|
|
a ^ (DST & SRC)
|
|
ds
|
|
|
|
a ^ (DST & PAT)
|
|
dp
|
|
|
|
a ^ (SRC & PAT)
|
|
sp
|
|
|
|
a ^ (DST & SRC & PAT)
|
|
dsp
|
|
|
|
|
|
Take for example the ROP 87 (01010111) the expression for it would be:
|
|
|
|
~0 ^ (DST & SRC) ^ (DST & PAT) ^ (DST & SRC & PAT)
|
|
|
|
Some other common ROP codes:
|
|
|
|
ROP RPN Compiled
|
|
|
|
00 0 0
|
|
0F Pn ~0 ^ PAT
|
|
11 DSon ~0 ^ DST ^ SRC ^ (DST & SRC)
|
|
33 Sn ~0 ^ SRC
|
|
44 SDna 0 ^ SRC ^ (DST & SRC)
|
|
66 DSx 0 ^ SRC ^ DST
|
|
88 DSa 0 ^ (SRC & DST)
|
|
AA D 0 ^ DST
|
|
BB DSno ~0 ^ SRC ^ (DST & SRC)
|
|
C0 PSa 0 ^ (SRC & PAT)
|
|
CC S 0 ^ SRC
|
|
EE DSo 0 ^ SRC ^ DST ^ (DST & SRC)
|
|
F0 P 0 ^ PAT
|
|
FB DPSnoo ~0 ^ SRC ^ (DST & SRC) ^ (SRC & PAT) ^ (DST & SRC & PAT)
|
|
FF 1 ~0
|
|
|
|
Some simple constant folding can be done to eliminate the 0 from most of
|
|
these expressions, since 0 ^ N always gives N.
|