Old non-x86 Architectures

http://www.visual6502.org/images/pages/Motorola_68000.html

by Javantea
Oct 2-Nov 8, 2017
Batman's Kitchen Meeting
Nov 8, 2017
Paper: https://www.altsci.com/old_non-x86/
Slides || Talk video
Software: old_non-x86-0.6.tar.xz [sig]

The x86 is a major architecture

• Popularity
• 32-bit and 64-bit versions with some backward compatibility to 16-bit
• Von Neumann
• Cheap
• Monoculture
• Cheap to break out

Old Non-x86 Architectures are too hard!

Qemu supports

aarch64 alpha arm cris i386 lm32 m68k microblaze microblazeel mips mips64 mips64el mipsel moxie nios2 or1k ppc ppc64 ppcemb s390x sh4 sh4eb sparc sparc64 tricore unicore32 x86_64 xtensa xtensaeb

MAME supports many old architectures!

CTF Challenges use your bias against you!*

Aside #1: Don't Let Computers

Computers are an easy excuse to not socialize, don't use it!

What is the goal?

Outline

• 6502 -- NES
• M68k -- Sega Genesis
• Z80 -- Pacman
• 8051 -- Ruleta RE-900, coastermelt
• 6809 -- Robotron: 2084
• 8086 -- Boot sector

1. Write a Program.
2. Emulate it.
3. Debug it.
4. Disassemble it.
5. Reverse it.

If you want a real game or a console, I recommend Pink Gorilla in the U-district or in the Intl-district. They have knowledgeable staff and excellent selection and prices.

6507 (6502 architecture)

6502

Systems that feature 6502 architecture:

• NES
• SNES
• TurboGrafx-16
• Apple II
• Atari 2600
• Atari 800
• Tamagotchi
• Commodore 64
• Too many arcade systems
• A lot of chips use this architecture and are not named 6502.

                          6502
                           |
        +------+--------+--+--+-------+-------+
        |      |        |     |       |       |
      6510   deco16   6504   6509   n2a03   65c02
        |                                     |
  +-----+-----+                            r65c02
  |     |     |                               |
6510t  7501  8502                         +---+---+
                                          |       |
                                       65ce02   65sc02
                                          |
                                        4510

Common Pitfalls

• The program you write isn't exactly the assembly the compiler generates (compiler bugs).
• The compiler wasn't designed for the architecture you're compiling for (compiler bugs).
• The assembly you write isn't exactly the machine code the assembler generates (assembler bugs).
• The machine code the assembler generates isn't exactly the machine code the linker writes (linker bugs).
• The machine code the emulator executes isn't the same as the machine code that you give it (emulator bugs).
  • sub-instruction accuracy
• The hardware the emulator is emulating isn't the same as the hardware that you are targeting (emulator bugs).
• System ROM might not be correct for all systems.
• Compiling someone else's code for a new architecture can be fraught!
• Endianness, Von Neumann, stack size, dependencies, colors, int size, floating point, speed, ROM
• Think you can compress your executable with gzip? Only if you have enough space in RAM and you can exec there!
• Yes, you can compress assets if you have enough program ROM.
• Ask me why I wrote these roms from scratch besides init.

http://docs.mamedev.org/techspecs/m6502.html

CC65

CC65 is a C compiler and assembler targets multiple systems that use 6502 architecture. What is a C compiler? A simple C compiler needs to take any valid C program:

    int main()
    {
        int i;
        char buf[10];
        for(i = 0; i < 10; ++i) {
             buf[i] = i;
        }
        return 0;
    }
  

and turn it into a valid assembly program for a certain architecture.
libc!
int i;
So that's step 1: Write a program.*

* Use volatile and learn what it does. Trust me.

libc

• _start libc_start_main
• stdio.h: printf open read write printf
• unistd.h: memcpy memcmp
• stdlib.h: malloc free
• string.h: strcpy strncpy strcat strncat
• socket.h: socket bind htons ptoa itoa getaddrinfo
• ...

What would happen when you decide to turn off libc?

Mednafen vs. MAME

Mednafen has a debugger and is nice.
MAME has a featureful debugger with file output and a scripting language (Lua).
MAME's scripting language made significant improvements in a recent version in regards to automated debugging.
Both Mednafen and MAME give you step 2 and 3.

2. Emulate it.
3. Debug it.

Radare2

Radare2 supports a large set of non-x86 architectures. But Radare2 has bugs. It can help you reverse a lot, but only if it works. There are bugs in many old versions.

  r2 -e asm.arch=6502 file.nes
  r2 -e asm=m68k file.md
  r2 -e asm.arch=8051 ihex://harvard1.ihx
  r2 -e asm=z80 file.bin

  aaa
  pdf

  # write disassembly to a file
  pd >harvard1.dis
  # Visual mode
  V
  p
  # Graph mode
  V
  # If it complains, define a function
  df
  # go to the top of anything
  g
  # go to the bottom of anything
  G
  # It's trying to be vim D=
  

6502

• Uses cprintf(const char *format, ...) from cc65 neslib
• Uses joy_read from cc65 neslib
• Uses APU from cc65 nes.h
• Uses clock from cc65 neslib

Examples of 6502 in CTF:
Pwn Adventure Z from CSAW
Compromising a Linux desktop using... 6502 processor opcodes on the NES?!
Hacking Time from CSAW CTF 2015 [.kr]
Juniors CTF 2016 - Joy500 Oldschool NES Rom Write Up

M68k aka M68000

• puts(const char *data) in 68k assembly
• music_init(void), play_note(uint16_t freq), stop_music(void) in C
• sleep(void), clearScreen(void), WaitVBlankStart(void), WaitVBlankEnd(void), btohex(char *dst, uint8_t src) in C

M68k aka M68000

Systems that feature M68k architecture:

• Sega Genesis
• Atari Jaguar
• Apple Macintosh
• Neo Geo
• Amiga
• Atari ST
• TI-89
• SUN workstation
• Too many arcade systems

Examples of M68k in CTF:

8051 aka Intel MCS-51

• Popular in arcade and embedded applications
• 8-bit
• Harvard

Systems that feature 8051 architecture:

• re900
• barata
• HENRY (https://www.garoa.net.br/wiki/HENRY)
• MT1939 coastermelt (https://youtu.be/U7MTnbXXyVY)

8051 aka Intel MCS-51

Zilog Z80

• _start, sleep(int dt)
• no puts
• Shell script creates random palette
• Python script converts png with font to tile rom (same font as Genesis)

Zilog Z80

Systems that feature Z80 architecture:

• Sega Genesis (sound coprocessor*)
• Sega Master System
• Sega *1000
• Pacman, Donkey Kong
• Too many arcade systems

Examples of Z80 in CTF:
Let's Disassemble from SECCON CTF 2014

Zilog Z80

Writing a Pacman ROM in 10 hours:
Video RAM picks tiles. (1024 bytes)
Color RAM picks two palettes per tile. (1024 bytes)
Tile ROM is a weird packing of bits. (4096 bytes == 256 tiles)
Palette ROM is a list of colors. (32 bytes)
Program ROM is your code (4096 bytes * 4 == 16kB)
Sound ROM is where you put your music and sfx (?)
ASCII tiles is inefficient, but useful.

Z80

If arcade programming excites you, but you'd like to look at real hardware, check this out:
http://arcadehacker.blogspot.com.au/2014/11/capcom-kabuki-cpu-intro.html

Gameboy

Gameboy is a combination of Z80 and 8080, so it's a bit special. SDCC supports Gameboy, but I decided to skip this architecture for now.
Examples of Gameboy in CTF:
gameboy from Plaid CTF 2017
At Gunpoint from hack.lu 2014

M6809

Systems that feature 6809 architecture:

• Williams Arcade
• Robotron
• TRS-80

So you want to implement a new architecture in MAME?

Examples of Robotron in CTF:
Church of Robotron at Toorcamp! http://churchofrobotron.com/

Aside #2: Computers are Wonderful

Computers are able to do things you didn't expect. https://exploitee.rs/

8086

Is 8086 an x86 architecture? Technically, yes. But it's antiquated and pre-32-bit x86!

• x86 boots into real-mode. 8086 16-bit.
• You can't go back to 8086 after you switch to protected-mode.
• You can emulate 8086 with Qemu.
• You can debug 8086 poorly with Qemu and gdb. Good luck!
• Demoscene
• Boot sector (MBR)
• BIOS
• DOS
• PC98

• NASM
• puts()-alike function using INT 10h
• bad sleep() function
• PIT PC speaker

Check out osdev.org wiki for a new insight into your computer's boot process.
Qemu Advent Calendar
Boot sector viruses,
SECT CTF 2017 PWN300 The gibson [b64]
ForbiddenBITS CTF 2013 – Old 50
dosfun4u
dosfun4u round 2
Honorable mentions:
dos attack ghost in the shellcode 2014

Questions?

My paper with downloads and links
https://www.altsci.com/old_non-x86/
https://sono.us/mame

Radare2 is open source, free, and supported.
You might have missed Portland Retro Gaming Expo, but remember it for next year.
JRSFuzz is open source, free, and supported.

jvoss@altsci.com

Small Wide World

JavRE is open source and free.
JavRE

The State of the World

We have the opportunity to do things that I originally thought were fantasy. This will repeat, let us be clear, more times than you will wish. Don't let that be your excuse to not write code. Find something that benefits you or someone else and take a look from the perspective of: this is possible by means of effort.