{"id":213,"date":"2011-12-02T17:23:00","date_gmt":"2011-12-02T16:23:00","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=213"},"modified":"2012-02-26T02:19:34","modified_gmt":"2012-02-26T01:19:34","slug":"can-you-crack-it-interesting-challenge","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=213","title":{"rendered":"Can you crack it – interesting challenge :)"},"content":{"rendered":"

\"\"<\/a><\/p>\n

Yesterday I read in one of the polish portal (with news) an\u00a0 information about interesting challenge organized by the Government Communications Headquarters<\/strong> (GCHQ<\/strong>)<\/a>. This\u00a0is a British intelligence agency responsible for providing signals intelligence (SIGINT) and information assurance to the UK government and armed forces. Based in Cheltenham, it operates under the guidance of the Joint Intelligence Committee. CESG (originally Communications-Electronics Security Group) is the branch of GCHQ which works to secure the communications and information systems of the government and critical parts of UK national infrastructure.<\/p>\n

GCHQ, is aiming to attract the next generation of web-savvy spies by running an ad campaign that challenges computer hackers to crack a code to get an interview.<\/p>\n

Ok so let’s look at it closer \ud83d\ude42<\/p>\n

 <\/p>\n

First level<\/h2>\n

I will not analyze the security of webpage and server. I will try to discuss about pure challenge. OK so first question is what does this hexcode means? Let’s look it closer:<\/p>\n

0xeb 0x04<\/span> 0xaf 0xc2 0xbf 0xa3 0x81 0xec\u00a0\u00a0 0x00 0x01 0x00 0x00 0x31 0xc9 0x88 0x0c\r\n0x0c 0xfe 0xc1 0x75<\/span> 0xf9 0x31 0xc0 0xba\u00a0\u00a0 0xef 0xbe 0xad 0xde<\/span> 0x02 0x04 0x0c 0x00\r\n0xd0 0xc1 0xca 0x08 0x8a 0x1c 0x0c 0x8a\u00a0\u00a0 0x3c 0x04 0x88 0x1c 0x04 0x88 0x3c 0x0c\r\n0xfe 0xc1 0x75<\/span> 0xe8 0xe9 0x5c 0x00 0x00\u00a0\u00a0 0x00 0x89 0xe3 0x81 0xc3 0x04 0x00 0x00\r\n0x00 0x5c 0x58 0x3d 0x41 0x41 0x41 0x41<\/span>\u00a0\u00a0 0x75 0x43 0x58 0x3d 0x42 0x42 0x42 0x42<\/span>\r\n0x75 0x3b 0x5a 0x89 0xd1 0x89 0xe6 0x89\u00a0\u00a0 0xdf 0x29 0xcf 0xf3 0xa4 0x89 0xde 0x89\r\n0xd1 0x89 0xdf 0x29 0xcf 0x31 0xc0 0x31\u00a0\u00a0 0xdb 0x31 0xd2 0xfe 0xc0 0x02 0x1c 0x06\r\n0x8a 0x14 0x06 0x8a 0x34 0x1e 0x88 0x34\u00a0\u00a0 0x06 0x88 0x14 0x1e 0x00 0xf2 0x30 0xf6\r\n0x8a 0x1c 0x16 0x8a 0x17 0x30 0xda 0x88\u00a0\u00a0 0x17 0x47 0x49 0x75 0xde 0x31 0xdb 0x89\r\n0xd8 0xfe 0xc0 0xcd 0x80<\/span> 0x90 0x90<\/span> 0xe8\u00a0\u00a0 0x9d 0xff 0xff 0xff 0x41 0x41 0x41 0x41<\/span><\/pre>\n
For the first quick view we can say there is some interesting bytes. With red color I sign this bytes which can be a dump of x86 assembler instructions (of course there is more but this can be typical for shellcodes) and with the blue color I sign interesting bytes for me \ud83d\ude42 – 0x41414141 and 0x424242 for me always will be connected with exploiting \ud83d\ude09<\/p>\n
OK so let’s try to analyze this bytes as x86 instructions:<\/p>\n
\u00a0\u00a0 0x0804a040 <+0>:\u00a0\u00a0 \u00a0jmp\u00a0\u00a0\u00a0 0x804a046 <shellcode+6>\r\n\u00a0\u00a0 0x0804a042 <+2>:\u00a0\u00a0 \u00a0scas\u00a0\u00a0 %es:(%edi),%eax\r\n\u00a0\u00a0 0x0804a043 <+3>:\u00a0\u00a0 \u00a0ret\u00a0\u00a0\u00a0 $0xa3bf\r\n\u00a0\u00a0 0x0804a046 <+6>:\u00a0\u00a0 \u00a0sub\u00a0\u00a0\u00a0 $0x100,%esp\r\n\u00a0\u00a0 0x0804a04c <+12>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %ecx,%ecx\r\n\u00a0\u00a0 0x0804a04e <+14>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %cl,(%esp,%ecx,1)\r\n\u00a0\u00a0 0x0804a051 <+17>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %cl\r\n\u00a0\u00a0 0x0804a053 <+19>:\u00a0\u00a0 \u00a0jne\u00a0\u00a0\u00a0 0x804a04e <shellcode+14>\r\n\u00a0\u00a0 0x0804a055 <+21>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %eax,%eax\r\n\u00a0\u00a0 0x0804a057 <+23>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 $0xdeadbeef,%edx\r\n\u00a0\u00a0 0x0804a05c <+28>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 (%esp,%ecx,1),%al\r\n\u00a0\u00a0 0x0804a05f <+31>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 %dl,%al\r\n\u00a0\u00a0 0x0804a061 <+33>:\u00a0\u00a0 \u00a0ror\u00a0\u00a0\u00a0 $0x8,%edx\r\n\u00a0\u00a0 0x0804a064 <+36>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%esp,%ecx,1),%bl\r\n\u00a0\u00a0 0x0804a067 <+39>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%esp,%eax,1),%bh\r\n\u00a0\u00a0 0x0804a06a <+42>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %bl,(%esp,%eax,1)\r\n\u00a0\u00a0 0x0804a06d <+45>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %bh,(%esp,%ecx,1)\r\n\u00a0\u00a0 0x0804a070 <+48>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %cl\r\n\u00a0\u00a0 0x0804a072 <+50>:\u00a0\u00a0 \u00a0jne\u00a0\u00a0\u00a0 0x804a05c <shellcode+28>\r\n\u00a0\u00a0 0x0804a074 <+52>:\u00a0\u00a0 \u00a0jmp\u00a0\u00a0\u00a0 0x804a0d5 <shellcode+149><\/span>\r\n\u00a0\u00a0 0x0804a079 <+57>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %esp,%ebx\r\n\u00a0\u00a0 0x0804a07b <+59>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 $0x4,%ebx\r\n\u00a0\u00a0 0x0804a081 <+65>:\u00a0\u00a0 \u00a0pop\u00a0\u00a0\u00a0 %esp\r\n\u00a0\u00a0 0x0804a082 <+66>:\u00a0\u00a0 \u00a0pop\u00a0\u00a0\u00a0 %eax\r\n\u00a0\u00a0 0x0804a083 <+67>:\u00a0\u00a0 \u00a0cmp\u00a0\u00a0\u00a0 $0x41414141,%eax<\/span>\r\n\u00a0\u00a0 0x0804a088 <+72>:\u00a0\u00a0 \u00a0jne\u00a0\u00a0\u00a0 0x804a0cd <shellcode+141><\/span>\r\n\u00a0\u00a0 0x0804a08a <+74>:\u00a0\u00a0 \u00a0dec\u00a0\u00a0\u00a0 %eax<\/span>\r\n\u00a0\u00a0 0x0804a08b <+75>:\u00a0\u00a0 \u00a0cmp\u00a0\u00a0\u00a0 $0x42424242,%eax<\/span>\r\n\u00a0\u00a0 0x0804a090 <+80>:\u00a0\u00a0 \u00a0jne\u00a0\u00a0\u00a0 0x804a0cd <shellcode+141><\/span>\r\n\u00a0\u00a0 0x0804a092 <+82>:\u00a0\u00a0 \u00a0pop\u00a0\u00a0\u00a0 %edx\r\n\u00a0\u00a0 0x0804a093 <+83>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %edx,%ecx\r\n\u00a0\u00a0 0x0804a095 <+85>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %esp,%esi\r\n\u00a0\u00a0 0x0804a097 <+87>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %ebx,%edi\r\n\u00a0\u00a0 0x0804a099 <+89>:\u00a0\u00a0 \u00a0sub\u00a0\u00a0\u00a0 %ecx,%edi\r\n\u00a0\u00a0 0x0804a09b <+91>:\u00a0\u00a0 \u00a0rep movsb %ds:(%esi),%es:(%edi)\r\n\u00a0\u00a0 0x0804a09d <+93>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %ebx,%esi\r\n\u00a0\u00a0 0x0804a09f <+95>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %edx,%ecx\r\n\u00a0\u00a0 0x0804a0a1 <+97>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %ebx,%edi\r\n\u00a0\u00a0 0x0804a0a3 <+99>:\u00a0\u00a0 \u00a0sub\u00a0\u00a0\u00a0 %ecx,%edi\r\n\u00a0\u00a0 0x0804a0a5 <+101>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %eax,%eax\r\n\u00a0\u00a0 0x0804a0a7 <+103>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %ebx,%ebx\r\n\u00a0\u00a0 0x0804a0a9 <+105>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %edx,%edx\r\n\u00a0\u00a0 0x0804a0ab <+107>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %al\r\n\u00a0\u00a0 0x0804a0ad <+109>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 (%esi,%eax,1),%bl\r\n\u00a0\u00a0 0x0804a0b0 <+112>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%esi,%eax,1),%dl\r\n\u00a0\u00a0 0x0804a0b3 <+115>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%esi,%ebx,1),%dh\r\n\u00a0\u00a0 0x0804a0b6 <+118>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %dh,(%esi,%eax,1)\r\n\u00a0\u00a0 0x0804a0b9 <+121>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %dl,(%esi,%ebx,1)\r\n\u00a0\u00a0 0x0804a0bc <+124>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 %dh,%dl\r\n\u00a0\u00a0 0x0804a0be <+126>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %dh,%dh\r\n\u00a0\u00a0 0x0804a0c0 <+128>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%esi,%edx,1),%bl\r\n\u00a0\u00a0 0x0804a0c3 <+131>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 (%edi),%dl\r\n\u00a0\u00a0 0x0804a0c5 <+133>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %bl,%dl\r\n\u00a0\u00a0 0x0804a0c7 <+135>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %dl,(%edi)\r\n\u00a0\u00a0 0x0804a0c9 <+137>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %edi\r\n\u00a0\u00a0 0x0804a0ca <+138>:\u00a0\u00a0 \u00a0dec\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0cb <+139>:\u00a0\u00a0 \u00a0jne\u00a0\u00a0\u00a0 0x804a0ab <shellcode+107>\r\n\u00a0\u00a0 0x0804a0cd <+141>:\u00a0\u00a0 \u00a0xor\u00a0\u00a0\u00a0 %ebx,%ebx\r\n\u00a0\u00a0 0x0804a0cf <+143>:\u00a0\u00a0 \u00a0mov\u00a0\u00a0\u00a0 %ebx,%eax\r\n\u00a0\u00a0 0x0804a0d1 <+145>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %al\r\n\u00a0\u00a0 0x0804a0d3 <+147>:\u00a0\u00a0 \u00a0int\u00a0\u00a0\u00a0 $0x80\r\n\u00a0\u00a0 0x0804a0d5 <+149>:\u00a0\u00a0 \u00a0nop<\/span>\r\n\u00a0\u00a0 0x0804a0d6 <+150>:\u00a0\u00a0 \u00a0nop<\/span>\r\n\u00a0\u00a0 0x0804a0d7 <+151>:\u00a0\u00a0 \u00a0call\u00a0\u00a0 0x804a079 <shellcode+57><\/span>\r\n\u00a0\u00a0 0x0804a0dc <+156>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0dd <+157>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0de <+158>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0df <+159>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0e0 <+160>:\u00a0\u00a0 \u00a0add\u00a0\u00a0\u00a0 %al,(%eax)<\/pre>\n
So this is it. This code make sense and this was good way of analyzing. I sign by read color this instruction which always cause exit() syscall and half of the code won’t be executed (as we will see further even more). But first, at the beginning this code jump over 2 next instruction (so they are never executed) and than allocate memory which is filled by natural numbers. Next they are converted to some more interested values and finally there is static jump to the code which cause syscall exit() – red colour. That’s all, so what next? As we can see directly after jump instruction, the program tries to get the new value for the stack pointer exactly from the stack. It gaves us an information that smth should be changed there \ud83d\ude09 Also as we can see further (blue colour) from the stack is popped also value for %%eax register and compared with the 0x41414141 value. Next this value is decremented by one and again compared but now with the 0x42424242 value. Logically it makes no sense. If first compare will be true than next will be bad – 0x41414141 – 1 = 0x41414140 so it will never be 0x42424242. If we want to pass all this checks and executed further code we must change a lot \ud83d\ude09<\/p>\n
First change<\/h3>\n
Ok let’s come back to the syscall exit(). We don’t want to stop the execution flow but continue, and we know that further code expect the new stack pointer in the stack. Also we know that after this operation program tries to get new value for %%eax register from the new stack and compare with the value 0x414141. As we can see in the end of the shellcode we have instructions:<\/p>\n
\u00a0\u00a0 0x0804a0dc <+156>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0dd <+157>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0de <+158>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx\r\n\u00a0\u00a0 0x0804a0df <+159>:\u00a0\u00a0 \u00a0inc\u00a0\u00a0\u00a0 %ecx<\/pre>\n
this is exactly the value 0x414141:<\/p>\n
(gdb) x\/x 0x0804a0dc\r\n0x804a0dc <shellcode+156>:\u00a0\u00a0 \u00a00x41414141\r\n(gdb)<\/pre>\n
so here we go with answer \ud83d\ude09 Like in the oldschool technique of getting current stack pointer used in viruses – let’s change syscall exit() to the call which gave us back the flow to the shellcode. Old code:<\/p>\n
\u00a0\u00a0 0x0804a0d5 <+149>:\u00a0\u00a0 \u00a0nop\r\n\u00a0\u00a0 0x0804a0d6 <+150>:\u00a0\u00a0 \u00a0nop\r\n\u00a0\u00a0 0x0804a0d7 <+151>:\u00a0\u00a0 \u00a0call\u00a0\u00a0 0x804a079 <shellcode+57> # value: 0x80cd<\/pre>\n
New code:<\/p>\n
\u00a0\u00a0 0x804c095:\u00a0\u00a0 \u00a0nop\r\n\u00a0\u00a0 0x804c096:\u00a0\u00a0 \u00a0nop\r\n\u00a0\u00a0 0x804c097:\u00a0\u00a0 \u00a0call\u00a0\u00a0 0x804c039 # value: 0x45eb<\/pre>\n
OK – works. First compare is passed but of course second is not and again game over. But If we think again about it, decrementing instruction can be also overwrite to ours and as we know the new stack pointer is now _after_ the shellcode. We are able to add new bytes after this shellcode and change the assembler instruction which decrements value in register %%eax to pop new value from the stack \ud83d\ude42 This is in fact the answer \ud83d\ude09<\/p>\n
Second change<\/h3>\n
Old instruction:<\/p>\n
\u00a0\u00a0 0x0804a08a <+74>:\u00a0\u00a0 \u00a0dec\u00a0\u00a0\u00a0 %eax\u00a0 # byte: 0x48<\/pre>\n
New instruction:<\/p>\n
\u00a0\u00a0 0x804c04a:\u00a0\u00a0 \u00a0pop\u00a0\u00a0\u00a0 %eax\u00a0 # byte: 0x58<\/pre>\n
Perfect. Now we have another problem – which data should be added in the end of shellcode? We can manually add 0x42424242 value to pass the compare check but what about further code? Maybe this 0x42424242\u00a0 is a tip? In further code the value for %%edx register is also popped from the stack. And next bytes are used to copy in temporary place and manipulate them. So of course all of this is a tip. Lets come back again to the main page of the crack site. Bytes which we used to create shellcode are not in the site as text but as image. We were frustrating to rewrite them manually not just simply copying. But wait a minute why this is an image?<\/p>\n
\"\"<\/a><\/p>\n
Steganography<\/h3>\n
Analyzing image can be hard \ud83d\ude09 But I’m lazy buster and usually before I move to real hard job like analyze or full RE I try to get as much information as I can in as simple way as it can be. So let’s run strings command \ud83d\ude09 There is 983 lines (not small image) but one line from the top is very interesting:<\/p>\n
$ strings cyber.png |head\r\nIHDR\r\nsRGB\r\n\u00a0\u00a0 \u00a0pHYs\r\ntIME\r\n]iTXtComment\r\nQkJCQjIAAACR2PFtcCA6q2eaC8SR+8dmD\/zNzLQC+td3tFQ4qx8O447TDeuZw5P+0SsbEcYR<\/span>\r\n78jKLw==2<\/span>\r\nIDATx\r\n.^cwuW\r\n$<\/pre>\n
Here you go \ud83d\ude09 First impression is – this is base64. Let’s check in one of the online sites if there is logic in this string. After decoding to the ASCII we see that hexdump should be done _but_ look for the first 4 bytes in this string:<\/p>\n
BBBB<\/span>2\u2205\u2205\u2205\u00d8\u00f1mp :\u00abg\u00c4\u00fb\u00c7f\u00fc\u00cd\u00cc\u00b4\u00fa\u00d7w\u00b4T8\r\n\u00eb\u00c3\u00fe\u00d1+\u00c6\u00ef\u00c8\u00ca\/?\u00ff\u00d8\u2205\u2205<\/pre>\n
Yes, this is exactly 0x42424242 value.\u00a0 So probably this is what we need \ud83d\ude09 After adding this hex in the end of the shellcode and all of our changes and adding the code for dumping the memory after whole process of executing shellcode (this dump function write by yourself) we will see this beautiful message from the memory:<\/p>\n
GET \/15b436de1f9107f3778aad525e5d0b20.js HTTP\/1.1<\/pre>\n
Interesting, isn’t it? \ud83d\ude42 Yep the first level is done.<\/p>\n
 <\/p>\n
Second level<\/h2>\n
What does this link have?<\/p>\n
\/\/--------------------------------------------------------------------------------------------------\r\n\/\/\r\n\/\/ stage 2 of 3\r\n\/\/\r\n\/\/ challenge:\r\n\/\/   reveal the solution within VM.mem\r\n\/\/\r\n\/\/ disclaimer:\r\n\/\/   tested in ie 9, firefox 6, chrome 14 and v8 shell (http:\/\/code.google.com\/apis\/v8\/build.html),\r\n\/\/   other javascript implementations may or may not work.\r\n\/\/\r\n\/\/--------------------------------------------------------------------------------------------------\r\n\r\nvar VM = {\r\n\r\n  cpu: {\r\n    ip: 0x00,\r\n\r\n    r0: 0x00,\r\n    r1: 0x00,\r\n    r2: 0x00,\r\n    r3: 0x00,\r\n\r\n    cs: 0x00,\r\n    ds: 0x10,\r\n\r\n    fl: 0x00,\r\n\r\n    firmware: [0xd2ab1f05, 0xda13f110]\r\n  },\r\n\r\n  mem: [\r\n    0x31, 0x04, 0x33, 0xaa, 0x40, 0x02, 0x80, 0x03, 0x52, 0x00, 0x72, 0x01, 0x73, 0x01, 0xb2, 0x50,\r\n    0x30, 0x14, 0xc0, 0x01, 0x80, 0x00, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\r\n    0x98, 0xab, 0xd9, 0xa1, 0x9f, 0xa7, 0x83, 0x83, 0xf2, 0xb1, 0x34, 0xb6, 0xe4, 0xb7, 0xca, 0xb8,\r\n    0xc9, 0xb8, 0x0e, 0xbd, 0x7d, 0x0f, 0xc0, 0xf1, 0xd9, 0x03, 0xc5, 0x3a, 0xc6, 0xc7, 0xc8, 0xc9,\r\n    0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9,\r\n    0xda, 0xdb, 0xa9, 0xcd, 0xdf, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9,\r\n    0x26, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9,\r\n    0x7d, 0x1f, 0x15, 0x60, 0x4d, 0x4d, 0x52, 0x7d, 0x0e, 0x27, 0x6d, 0x10, 0x6d, 0x5a, 0x06, 0x56,\r\n    0x47, 0x14, 0x42, 0x0e, 0xb6, 0xb2, 0xb2, 0xe6, 0xeb, 0xb4, 0x83, 0x8e, 0xd7, 0xe5, 0xd4, 0xd9,\r\n    0xc3, 0xf0, 0x80, 0x95, 0xf1, 0x82, 0x82, 0x9a, 0xbd, 0x95, 0xa4, 0x8d, 0x9a, 0x2b, 0x30, 0x69,\r\n    0x4a, 0x69, 0x65, 0x55, 0x1c, 0x7b, 0x69, 0x1c, 0x6e, 0x04, 0x74, 0x35, 0x21, 0x26, 0x2f, 0x60,\r\n    0x03, 0x4e, 0x37, 0x1e, 0x33, 0x54, 0x39, 0xe6, 0xba, 0xb4, 0xa2, 0xad, 0xa4, 0xc5, 0x95, 0xc8,\r\n    0xc1, 0xe4, 0x8a, 0xec, 0xe7, 0x92, 0x8b, 0xe8, 0x81, 0xf0, 0xad, 0x98, 0xa4, 0xd0, 0xc0, 0x8d,\r\n    0xac, 0x22, 0x52, 0x65, 0x7e, 0x27, 0x2b, 0x5a, 0x12, 0x61, 0x0a, 0x01, 0x7a, 0x6b, 0x1d, 0x67,\r\n    0x75, 0x70, 0x6c, 0x1b, 0x11, 0x25, 0x25, 0x70, 0x7f, 0x7e, 0x67, 0x63, 0x30, 0x3c, 0x6d, 0x6a,\r\n    0x01, 0x51, 0x59, 0x5f, 0x56, 0x13, 0x10, 0x43, 0x19, 0x18, 0xe5, 0xe0, 0xbe, 0xbf, 0xbd, 0xe9,\r\n    0xf0, 0xf1, 0xf9, 0xfa, 0xab, 0x8f, 0xc1, 0xdf, 0xcf, 0x8d, 0xf8, 0xe7, 0xe2, 0xe9, 0x93, 0x8e,\r\n    0xec, 0xf5, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\r\n    0x37, 0x7a, 0x07, 0x11, 0x1f, 0x1d, 0x68, 0x25, 0x32, 0x77, 0x1e, 0x62, 0x23, 0x5b, 0x47, 0x55,\r\n    0x53, 0x30, 0x11, 0x42, 0xf6, 0xf1, 0xb1, 0xe6, 0xc3, 0xcc, 0xf8, 0xc5, 0xe4, 0xcc, 0xc0, 0xd3,\r\n    0x85, 0xfd, 0x9a, 0xe3, 0xe6, 0x81, 0xb5, 0xbb, 0xd7, 0xcd, 0x87, 0xa3, 0xd3, 0x6b, 0x36, 0x6f,\r\n    0x6f, 0x66, 0x55, 0x30, 0x16, 0x45, 0x5e, 0x09, 0x74, 0x5c, 0x3f, 0x29, 0x2b, 0x66, 0x3d, 0x0d,\r\n    0x02, 0x30, 0x28, 0x35, 0x15, 0x09, 0x15, 0xdd, 0xec, 0xb8, 0xe2, 0xfb, 0xd8, 0xcb, 0xd8, 0xd1,\r\n    0x8b, 0xd5, 0x82, 0xd9, 0x9a, 0xf1, 0x92, 0xab, 0xe8, 0xa6, 0xd6, 0xd0, 0x8c, 0xaa, 0xd2, 0x94,\r\n    0xcf, 0x45, 0x46, 0x67, 0x20, 0x7d, 0x44, 0x14, 0x6b, 0x45, 0x6d, 0x54, 0x03, 0x17, 0x60, 0x62,\r\n    0x55, 0x5a, 0x4a, 0x66, 0x61, 0x11, 0x57, 0x68, 0x75, 0x05, 0x62, 0x36, 0x7d, 0x02, 0x10, 0x4b,\r\n    0x08, 0x22, 0x42, 0x32, 0xba, 0xe2, 0xb9, 0xe2, 0xd6, 0xb9, 0xff, 0xc3, 0xe9, 0x8a, 0x8f, 0xc1,\r\n    0x8f, 0xe1, 0xb8, 0xa4, 0x96, 0xf1, 0x8f, 0x81, 0xb1, 0x8d, 0x89, 0xcc, 0xd4, 0x78, 0x76, 0x61,\r\n    0x72, 0x3e, 0x37, 0x23, 0x56, 0x73, 0x71, 0x79, 0x63, 0x7c, 0x08, 0x11, 0x20, 0x69, 0x7a, 0x14,\r\n    0x68, 0x05, 0x21, 0x1e, 0x32, 0x27, 0x59, 0xb7, 0xcf, 0xab, 0xdd, 0xd5, 0xcc, 0x97, 0x93, 0xf2,\r\n    0xe7, 0xc0, 0xeb, 0xff, 0xe9, 0xa3, 0xbf, 0xa1, 0xab, 0x8b, 0xbb, 0x9e, 0x9e, 0x8c, 0xa0, 0xc1,\r\n    0x9b, 0x5a, 0x2f, 0x2f, 0x4e, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\r\n  ],\r\n\r\n  exec: function()\r\n  {\r\n    \/\/ virtual machine architecture\r\n    \/\/ ++++++++++++++++++++++++++++\r\n    \/\/\r\n    \/\/ segmented memory model with 16-byte segment size (notation seg:offset)\r\n    \/\/\r\n    \/\/ 4 general-purpose registers (r0-r3)\r\n    \/\/ 2 segment registers (cs, ds equiv. to r4, r5)\r\n    \/\/ 1 flags register (fl)\r\n    \/\/\r\n    \/\/ instruction encoding\r\n    \/\/ ++++++++++++++++++++\r\n    \/\/\r\n    \/\/           byte 1               byte 2 (optional)\r\n    \/\/ bits      [ 7 6 5 4 3 2 1 0 ]  [ 7 6 5 4 3 2 1 0 ]\r\n    \/\/ opcode      - - -\r\n    \/\/ mod               -\r\n    \/\/ operand1            - - - -\r\n    \/\/ operand2                         - - - - - - - -\r\n    \/\/\r\n    \/\/ operand1 is always a register index\r\n    \/\/ operand2 is optional, depending upon the instruction set specified below\r\n    \/\/ the value of mod alters the meaning of any operand2\r\n    \/\/   0: operand2 = reg ix\r\n    \/\/   1: operand2 = fixed immediate value or target segment (depending on instruction)\r\n    \/\/\r\n    \/\/ instruction set\r\n    \/\/ +++++++++++++++\r\n    \/\/\r\n    \/\/ Notes:\r\n    \/\/   * r1, r2 => operand 1 is register 1, operand 2 is register 2\r\n    \/\/   * movr r1, r2 => move contents of register r2 into register r1\r\n    \/\/\r\n    \/\/ opcode | instruction | operands (mod 0) | operands (mod 1)\r\n    \/\/ -------+-------------+------------------+-----------------\r\n    \/\/ 0x00   | jmp         | r1               | r2:r1\r\n    \/\/ 0x01   | movr        | r1, r2           | rx,   imm\r\n    \/\/ 0x02   | movm        | r1, [ds:r2]      | [ds:r1], r2\r\n    \/\/ 0x03   | add         | r1, r2           | r1,   imm\r\n    \/\/ 0x04   | xor         | r1, r2           | r1,   imm\r\n    \/\/ 0x05   | cmp         | r1, r2           | r1,   imm\r\n    \/\/ 0x06   | jmpe        | r1               | r2:r1\r\n    \/\/ 0x07   | hlt         | N\/A              | N\/A\r\n    \/\/\r\n    \/\/ flags\r\n    \/\/ +++++\r\n    \/\/\r\n    \/\/ cmp r1, r2 instruction results in:\r\n    \/\/   r1 == r2 => fl = 0\r\n    \/\/   r1 < r2  => fl = 0xff\r\n    \/\/   r1 > r2  => fl = 1\r\n    \/\/\r\n    \/\/ jmpe r1\r\n    \/\/   => if (fl == 0) jmp r1\r\n    \/\/      else nop\r\n\r\n    throw \"VM.exec not yet implemented\";\r\n  }\r\n\r\n};\r\n\r\n\/\/--------------------------------------------------------------------------------------------------\r\n\r\ntry\r\n{\r\n  VM.exec();\r\n}\r\ncatch(e)\r\n{\r\n  alert('\\nError: ' + e + '\\n');\r\n}\r\n\r\n\/\/--------------------------------------------------------------------------------------------------<\/pre>\n
As we can read this level is completely different from the previous \ud83d\ude42 Short overview:<\/p>\n