Trace vector decoder: Difference between revisions
imported>Carolyn linkage |
add |
||
| Line 1: | Line 1: | ||
A '''Trace Vector Decoder''' ('''TVD''') is computer [[Software|software]] that uses the [[Software:Tracing|trace]] facility of its underlying [[Engineering:Microprocessor|microprocessor]] to decode encrypted instruction [[Opcode|opcode]]s just-in-time prior to execution and possibly re-encode them afterwards. It can be used to hinder [[Reverse engineering|reverse engineering]] when attempting to prevent [[Software cracking|software cracking]] as part of an overall [[Copy protection|copy protection]] strategy. | A '''Trace Vector Decoder''' ('''TVD''') is computer [[Software|software]] that uses the [[Software:Tracing|trace]] facility of its underlying [[Engineering:Microprocessor|microprocessor]] to decode encrypted instruction [[Opcode|opcode]]s just-in-time prior to execution and possibly re-encode them afterwards. It can be used to hinder [[Reverse engineering|reverse engineering]] when attempting to prevent [[Software cracking|software cracking]] as part of an overall [[Copy protection|copy protection]] strategy. | ||
==Microprocessor tracing== | ==Microprocessor tracing== | ||
Certain microprocessor families (e.g. 680x0, x86) provide the capability to trace instructions to aid in program development. A [[Debugger|debugger]] might use this capability to single step through a program, providing the means for a programmer to monitor the execution of the program under test. | Certain microprocessor families (e.g. 680x0, x86) provide the capability to trace instructions to aid in program development. A [[Debugger|debugger]] might use this capability to single step through a program, providing the means for a programmer to monitor the execution of the program under test. | ||
| Line 8: | Line 9: | ||
===Motorola 680x0=== | ===Motorola 680x0=== | ||
The [[Engineering:Motorola 68000|Motorola 68000]] has an instruction-by-instruction tracing facility.<ref>{{cite web |title=MC68000 16-Bit Microprocessor Advance Information |url=http://bitsavers.informatik.uni-stuttgart.de/components/motorola/68000/68000_16-Bit_Microprocessor_Apr83.pdf |publisher=Motorola Inc. |language=English}}</ref> When its trace state is enabled, the processor automatically forces a trace exception after each (non-exception) instruction is executed. The following [[Assembly language|assembly]] code snippet is an example of a program initializing a trace exception handler on a 68000 system. | The [[Engineering:Motorola 68000|Motorola 68000]] has an instruction-by-instruction tracing facility.<ref>{{cite web |title=MC68000 16-Bit Microprocessor Advance Information |url=http://bitsavers.informatik.uni-stuttgart.de/components/motorola/68000/68000_16-Bit_Microprocessor_Apr83.pdf |publisher=Motorola Inc. |language=English}}</ref> When its trace state is enabled, the processor automatically forces a trace exception after each (non-exception) instruction is executed. The following [[Assembly language|assembly]] code snippet is an example of a program initializing a trace exception handler on a 68000 system. | ||
< | <syntaxhighlight lang="tasm"> | ||
InstallHandler: MOVE.L #$4E730000,-(SP) ; Push trace exception handler on to stack | InstallHandler: MOVE.L #$4E730000,-(SP) ; Push trace exception handler on to stack | ||
MOVE.L #$00000010,-(SP) | MOVE.L #$00000010,-(SP) | ||
| Line 23: | Line 24: | ||
;------------------------ | ;------------------------ | ||
... ; Code from this line would be encrypted | ... ; Code from this line would be encrypted | ||
</ | </syntaxhighlight> | ||
The following is a disassembly of the above trace exception handler loaded on the stack. The purpose of this handler is to obfuscate any traced encrypted code. Its decryption process is affected by the contents of the condition code register (CCR). For example, an arithmetic operation in the main program having the '''0''' number as a result, will cause zero flag bit to be set in CCR. This will cause the value in (SP) to be changed in the trace exception handler. | The following is a disassembly of the above trace exception handler loaded on the stack. The purpose of this handler is to obfuscate any traced encrypted code. Its decryption process is affected by the contents of the condition code register (CCR). For example, an arithmetic operation in the main program having the '''0''' number as a result, will cause zero flag bit to be set in CCR. This will cause the value in (SP) to be changed in the trace exception handler. | ||
< | <syntaxhighlight lang="tasm"> | ||
TraceHandler: MOVE.L (2,SP),A6 ; Load return address from supervisor stack | TraceHandler: MOVE.L (2,SP),A6 ; Load return address from supervisor stack | ||
MOVE.W (SP),D6 ; Load condition codes of the main program | MOVE.W (SP),D6 ; Load condition codes of the main program | ||
| Line 38: | Line 39: | ||
EOR.L D6,(4,A6) | EOR.L D6,(4,A6) | ||
RTE ; Return from exception | RTE ; Return from exception | ||
</ | </syntaxhighlight> | ||
===Intel x86=== | ===Intel x86=== | ||
The [[X86|x86]] CPUs provide a trace flag that generates an interrupt after the execution of each instruction. The following [[Assembly language|assembly]] code is an example of how this might be implemented on an 8086 system. | The [[X86|x86]] CPUs provide a trace flag that generates an interrupt after the execution of each instruction. The following [[Assembly language|assembly]] code is an example of how this might be implemented on an 8086 system. | ||
< | <syntaxhighlight lang="tasm"> | ||
; Start by setting a trace handler | ; Start by setting a trace handler | ||
InstallHandler: xor bx, bx ; clear bx (faster than mov 0 into it) | InstallHandler: xor bx, bx ; clear bx (faster than mov 0 into it) | ||
| Line 60: | Line 61: | ||
;------------------------ | ;------------------------ | ||
... ; Code from this line would be encrypted | ... ; Code from this line would be encrypted | ||
</ | </syntaxhighlight> | ||
The following is a disassembly of an associated trace interrupt handler. | The following is a disassembly of an associated trace interrupt handler. | ||
< | <syntaxhighlight lang="tasm"> | ||
TraceHandler: push bp | TraceHandler: push bp | ||
mov bp, sp ; Gain access to return address | mov bp, sp ; Gain access to return address | ||
| Line 79: | Line 80: | ||
pop bp | pop bp | ||
iret ; Return from interrupt | iret ; Return from interrupt | ||
</ | </syntaxhighlight> | ||
==Examples== | ==Examples== | ||
Latest revision as of 06:02, 23 May 2026
A Trace Vector Decoder (TVD) is computer software that uses the trace facility of its underlying microprocessor to decode encrypted instruction opcodes just-in-time prior to execution and possibly re-encode them afterwards. It can be used to hinder reverse engineering when attempting to prevent software cracking as part of an overall copy protection strategy.
Microprocessor tracing
Certain microprocessor families (e.g. 680x0, x86) provide the capability to trace instructions to aid in program development. A debugger might use this capability to single step through a program, providing the means for a programmer to monitor the execution of the program under test.
By installing a custom handler for the trace exception, it is possible to gain control of the microprocessor between the execution of normal program flow instructions. A typical trace vector decoder exception handler decodes the upcoming instruction located outside the exception, as well as re-encoding the previously decoded instruction.
Implementations
Motorola 680x0
The Motorola 68000 has an instruction-by-instruction tracing facility.[1] When its trace state is enabled, the processor automatically forces a trace exception after each (non-exception) instruction is executed. The following assembly code snippet is an example of a program initializing a trace exception handler on a 68000 system.
InstallHandler: MOVE.L #$4E730000,-(SP) ; Push trace exception handler on to stack
MOVE.L #$00000010,-(SP)
MOVE.L #$0004DDB9,-(SP)
MOVE.L #$BD96BDAE,-(SP)
MOVE.L #$B386B586,-(SP)
MOVE.L #$D046D246,-(SP)
MOVE.L #$0246A71F,-(SP)
MOVE.L #$00023C17,-(SP)
MOVE.W #$2C6F,-(SP)
MOVE.L SP,($24).W ; Set trace exception handler vector
ORI.W #$A71F,SR ; Enable trace state
NOP ; CPU generates a trace exception after executing this NOP
;------------------------
... ; Code from this line would be encrypted
The following is a disassembly of the above trace exception handler loaded on the stack. The purpose of this handler is to obfuscate any traced encrypted code. Its decryption process is affected by the contents of the condition code register (CCR). For example, an arithmetic operation in the main program having the 0 number as a result, will cause zero flag bit to be set in CCR. This will cause the value in (SP) to be changed in the trace exception handler.
TraceHandler: MOVE.L (2,SP),A6 ; Load return address from supervisor stack
MOVE.W (SP),D6 ; Load condition codes of the main program
AND.W #$A71F,D6
ADD.W D6,D0
ADD.W D6,D1
EOR.L D1,D6
EOR.L D2,D6
EOR.L D6,(A6) ; Decode 8 bytes ahead in main
EOR.L D6,(4,A6)
RTE ; Return from exception
Intel x86
The x86 CPUs provide a trace flag that generates an interrupt after the execution of each instruction. The following assembly code is an example of how this might be implemented on an 8086 system.
; Start by setting a trace handler
InstallHandler: xor bx, bx ; clear bx (faster than mov 0 into it)
mov es, bx ; now ES start is at 0x00000
mov word ptr es:[1*4], offset TraceHandler ; write handler's address offset to IVT entry 1
mov word ptr es:[1*4 + 2], cs ; write current code segment to IVT entry 1
; Turn on the trace trap
pushf ; push FLAGS onto stack
pop ax ; pop previously read FLAGS into AX
or ah, 1 ; set bit 0 by ORing with 1
push ax ; push modified flags back onto stack
popf ; now we have set trace flag in FLAGS
nop
;------------------------
... ; Code from this line would be encrypted
The following is a disassembly of an associated trace interrupt handler.
TraceHandler: push bp
mov bp, sp ; Gain access to return address
push bx
push ds ; Return address in DS:BX
lds bx, 2[bp] ; Pointer to opcode of next instruction
mov bx, [bx] ; Get current instruction's opcode
... ; Decode the opcode
pop ds
pop bx
pop bp
iret ; Return from interrupt
Examples
Copylock
The Rob Northen Copylock system implemented on the Amiga,[2] Atari ST[3] and IBM PC[4] platforms includes a TVD. In addition to its general software encryption, the Copylock TVD obfuscates the code that accesses and validates the copy protected diskette.
Demoscene
A TVD was included in the Voyage demo, written for the 680x0-based Commodore Amiga by Razor 1911.[5]
References
- ↑ "MC68000 16-Bit Microprocessor Advance Information" (in English). Motorola Inc.. http://bitsavers.informatik.uni-stuttgart.de/components/motorola/68000/68000_16-Bit_Microprocessor_Apr83.pdf.
- ↑ Sevalliu, Patrik. "Rainbow Islands". https://www.computerarcheology.com/Amiga/Rainbow/.
- ↑ Kerr, Wayne (May 2004). "Amiga cracking – A look at basic TVD's". https://flashtro.com/basic-tvd-cracking/.
- ↑ Furlough, Fabulous (6 August 2008). "Rob Northen's Copylock". http://fabulousfurlough.blogspot.com/2008/08/rob-northens-copylock.html.
- ↑ Various. "Vogage Demo". http://www.pouet.net/prod.php?which=3521.
 |  |
