Publication date: July 22, 2019

The Way of the Industrial Ninja: PLC hacking at PHDays 9

This year's PHDays 9 included Industrial Ninja—a contest of skill at hacking a gas pumping facility. At the PHDays venue, we created three stands that, at different levels of difficulty (No Security, Low Security, High Security), emulated the same industrial process: pressurized air was pumped to inflate, and then deflate, a balloon.

No matter the security level, the hardware in each of the stands was identical: an S7-300 Siemens Simatic PLC; emergency deflation button and pressure sensor (connected to the PLC's digital inputs); and intake and outlet valves (connected to the PLC's digital outputs). You can see these components in the following picture:

The PLC was programmed to deflate or inflate the balloon by closing or opening valves based on pressure readings. But all the stands included a manual override mode, which allowed controlling valve status without any restrictions.

For competitors, the trick was to find a way to enable this mode. Doing so on the High Security stand, needless to say, was not for the faint-hearted.

During the two-day contest, the contestants found solutions to five of the six tasks. The first-place winner (who had spent a week preparing) garnered 233 points. The top scorers were a1exdandy in first place, Rubikoid in second place, and Ze in third place.

Because nobody was able to conquer all three stands at PHDays, we decided to take the contest online. In early June we published the most difficult task for all to try. We gave competitors a month to complete the task, find the flag, and give an interesting description of the steps they took.

The bulk of the text that follows is courtesy of Alexey Kovrizhnykh (a1exdandy) from the company Digital Security. He took first place in the contest at PHDays and also wrote the best solution of those we received. In places we have added our own comments as well.

Initial analysis

The task came with an archive, which contained several files:

  • block_upload_traffic.pcapng
  • DB100.bin
  • hints.txt

The file hints.txt provides the following information to get started:

  1. Word has it that it's possible to upload blocks from PlcSim to Step7.
  2. The PLC in question is a Siemens Simatic S7-300.

PlcSim is a PLC emulator for running and debugging programs written for the Siemens S7.

The file DB100.bin contains the DB100 PLC data block:

00000000: 0100 0102 6e02 0401 0206 0100 0101 0102  ....n...........
00000010: 1002 0501 0202 2002 0501 0206 0100 0102  ...... .........
00000020: 0102 7702 0401 0206 0100 0103 0102 0a02  ..w.............
00000030: 0501 0202 1602 0501 0206 0100 0104 0102  ................
00000040: 7502 0401 0206 0100 0105 0102 0a02 0501  u...............
00000050: 0202 1602 0501 0206 0100 0106 0102 3402  ..............4.
00000060: 0401 0206 0100 0107 0102 2602 0501 0202  ..........&.....
00000070: 4c02 0501 0206 0100 0108 0102 3302 0401  L...........3...
00000080: 0206 0100 0109 0102 0a02 0501 0202 1602  ................
00000090: 0501 0206 0100 010a 0102 3702 0401 0206  ..........7.....
000000a0: 0100 010b 0102 2202 0501 0202 4602 0501  ......".....F...
000000b0: 0206 0100 010c 0102 3302 0401 0206 0100  ........3.......
000000c0: 010d 0102 0a02 0501 0202 1602 0501 0206  ................
000000d0: 0100 010e 0102 6d02 0401 0206 0100 010f  ......m.........
000000e0: 0102 1102 0501 0202 2302 0501 0206 0100  ........#.......
000000f0: 0110 0102 3502 0401 0206 0100 0111 0102  ....5...........
00000100: 1202 0501 0202 2502 0501 0206 0100 0112  ......%.........
00000110: 0102 3302 0401 0206 0100 0113 0102 2602  ..3...........&.
00000120: 0501 0202 4c02 0501 0206 0100            ....L.......
    

As its name suggests, the file block_upload_traffic.pcapng contains a traffic dump from uploading of blocks to the PLC.

Note that getting this traffic dump on-site at PHDays would have been a bit more difficult. There you needed to delve into a script from the project file for TeslaSCADA2. The script had the information needed to find the dump (encrypted with RC4) and the decryption key for it. To get the block dumps at PHDays, you needed to use a client for the S7 protocol. For this, I used the demo client from the Snap7 package.

Extracting signal processing blocks from traffic dump

The contents of the dump make clear that we have several signal processing blocks, specifically OB1, FC1, FC2, and FC3:

How can we extract these blocks? One way is to convert the traffic from pcapng to pcap and then run the following script:

#!/usr/bin/env python2

import struct
from scapy.all import *

packets = rdpcap('block_upload_traffic.pcap')
s7_hdr_struct = '>BBHHHHBB'
s7_hdr_sz = struct.calcsize(s7_hdr_struct)
tpkt_cotp_sz = 7
names = iter(['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin'])
buf = ''

for packet in packets:
    if packet.getlayer(IP).src == '10.0.102.11':
        tpkt_cotp_s7 = str(packet.getlayer(TCP).payload)
        if len(tpkt_cotp_s7) < tpkt_cotp_sz + s7_hdr_sz:
            continue
        s7 = tpkt_cotp_s7[tpkt_cotp_sz:]
        s7_hdr = s7[:s7_hdr_sz]
        param_sz = struct.unpack(s7_hdr_struct, s7_hdr)[4]
        s7_param = s7[12:12+param_sz]
        s7_data = s7[12+param_sz:]
        if s7_param in ('\x1e\x00', '\x1e\x01'):  # upload
            buf += s7_data[4:]
        elif s7_param == '\x1f':
            with open(next(names), 'wb') as f:
                f.write(buf)
            buf = ''        
    

This yields a number of blocks, which always start with the bytes 70 70 (pp). Now we need to figure out how to analyze them. The task hint makes one think about using PlcSim for this purpose.

Obtaining human-readable instructions from the blocks

To start, we can try to program S7-PlcSim: first we upload several blocks to it with repeating instructions (= Q 0.0) with the help of the Simatic Manager software.  Then we save the emulator-generated PLC to the file example.plc. Looking at the file contents, we easily spot the start of these uploaded blocks based on the 70 70 signature we noticed already. Prior to the blocks, it seems that the block size is written as a 4-byte little-endian value.

After figuring out the structure of the plc files, here was the plan for reading PLC S7 programs:

  1. Use Simatic Manager to create a block structure in S7-PlcSim that would be equivalent to the block structure we saw in the dump. Blocks should match in terms of both size (by making sure they contain the right amount of instructions) and identifiers (OB1, FC1, FC2, FC3).
  2. Save the PLC to a file.
  3. Swap out the content of the blocks from that file, inserting the blocks from the traffic dump. Find block start based on the signature.
  4. Upload the modified file to S7-PlcSim and look at the block contents in Simatic Manager.

To swap out the blocks, we can use the following code:

    with open('original.plc', 'rb') as f:
        plc = f.read()
    blocks = []
    for fname in ['OB1.bin', 'FC1.bin', 'FC2.bin', 'FC3.bin']:
        with open(fname, 'rb') as f:
            blocks.append(f.read())
    
    i = plc.find(b'pp')
    for block in blocks:
        plc = plc[:i] + block + plc[i+len(block):]
        i = plc.find(b'pp', i + 1)
    
    with open('target.plc', 'wb') as f:
        f.write(plc)
    

Alexey took a path that was probably more difficult, but nonetheless correct. We had originally anticipated that contestants would choose NetToPlcSim in order to use PlcSim over the network, upload blocks to PlcSim via Snap7, and then download these blocks as a project from PlcSim with the help of the developer tools.

Open the file in S7-PlcSim, so now we can read the overwritten blocks in Simatic Manager. Main functions for device management are located in block FC1. Of special note is the variable #TEMP0: when it is set to true, PLC control switches to manual override mode based on the bit memory values M2.2 and M2.3. The value of #TEMP0 is set by function FC3.

To solve the task, we need to analyze function FC3 and determine what we need to do for the function to return a value of 1.

Signaling processing blocks on the PLC of the Low Security contest stand worked similarly, but were easier to trick. To set the value of #TEMP0, all you had to do was write the string my ninja way to block DB1. Value checking in the block worked in a simple way that did not require a deep understanding of the block programming language. Naturally, the bar was much higher for the High Security stand: getting manual control required getting one's hands dirty with the STL language (one of the ways for S7 PLC programming).

Reverse-engineering block FC3

Here are the contents of block FC3 in STL form:

        L     B#16#0
        T     #TEMP13
        T     #TEMP15
        L     P#DBX 0.0
        T     #TEMP4
        CLR   
        =     #TEMP14
  M015: L     #TEMP4
        LAR1  
        OPN   DB   100
        L     DBLG
        TAR1  
        <=D   
        JC    M016
        L     DW#16#0
        T     #TEMP0
        L     #TEMP6
        L     W#16#0
        <>I   
        JC    M00d
        L     P#DBX 0.0
        LAR1  
  M00d: L     B [AR1,P#0.0]
        T     #TEMP5
        L     W#16#1
        ==I   
        JC    M007
        L     #TEMP5
        L     W#16#2
        ==I   
        JC    M008
        L     #TEMP5
        L     W#16#3
        ==I   
        JC    M00f
        L     #TEMP5
        L     W#16#4
        ==I   
        JC    M00e
        L     #TEMP5
        L     W#16#5
        ==I   
        JC    M011
        L     #TEMP5
        L     W#16#6
        ==I   
        JC    M012
        JU    M010
  M007: +AR1  P#1.0
        L     P#DBX 0.0
        LAR2  
        L     B [AR1,P#0.0]
        L     C#8
        *I    
        +AR2  
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        JL    M003
        JU    M001
        JU    M002
        JU    M004
  M003: JU    M005
  M001: OPN   DB   101
        L     B [AR2,P#0.0]
        T     #TEMP0
        JU    M006
  M002: OPN   DB   101
        L     B [AR2,P#0.0]
        T     #TEMP1
        JU    M006
  M004: OPN   DB   101
        L     B [AR2,P#0.0]
        T     #TEMP2
        JU    M006
  M00f: +AR1  P#1.0
        L     B [AR1,P#0.0]
        L     C#8
        *I    
        T     #TEMP11
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP7
        L     P#M 100.0
        LAR2  
        L     #TEMP7
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP9
        TAR1  #TEMP4
        OPN   DB   101
        L     P#DBX 0.0
        LAR1  
        L     #TEMP11
        +AR1  
        LAR2  #TEMP9
        L     B [AR2,P#0.0]
        T     B [AR1,P#0.0]
        L     #TEMP4
        LAR1  
        JU    M006
  M008: +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP3
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        JL    M009
        JU    M00b
        JU    M00a
        JU    M00c
  M009: JU    M005
  M00b: L     #TEMP3
        T     #TEMP0
        JU    M006
  M00a: L     #TEMP3
        T     #TEMP1
        JU    M006
  M00c: L     #TEMP3
        T     #TEMP2
        JU    M006
  M00e: +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP7
        L     P#M 100.0
        LAR2  
        L     #TEMP7
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP9
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP8
        L     P#M 100.0
        LAR2  
        L     #TEMP8
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP10
        TAR1  #TEMP4
        LAR1  #TEMP9
        LAR2  #TEMP10
        L     B [AR1,P#0.0]
        L     B [AR2,P#0.0]
        AW    
        INVI  
        T     #TEMP12
        L     B [AR1,P#0.0]
        L     B [AR2,P#0.0]
        OW    
        L     #TEMP12
        AW    
        T     B [AR1,P#0.0]
        L     DW#16#0
        T     #TEMP0
        L     MB   101
        T     #TEMP1
        L     MB   102
        T     #TEMP2
        L     #TEMP4
        LAR1  
        JU    M006
  M011: +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP7
        L     P#M 100.0
        LAR2  
        L     #TEMP7
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP9
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP8
        L     P#M 100.0
        LAR2  
        L     #TEMP8
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP10
        TAR1  #TEMP4
        LAR1  #TEMP9
        LAR2  #TEMP10
        L     B [AR1,P#0.0]
        L     B [AR2,P#0.0]
        -I    
        T     B [AR1,P#0.0]
        L     DW#16#0
        T     #TEMP0
        L     MB   101
        T     #TEMP1
        L     MB   102
        T     #TEMP2
        L     #TEMP4
        LAR1  
        JU    M006
  M012: L     #TEMP15
        INC   1
        T     #TEMP15
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP7
        L     P#M 100.0
        LAR2  
        L     #TEMP7
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP9
        +AR1  P#1.0
        L     B [AR1,P#0.0]
        T     #TEMP8
        L     P#M 100.0
        LAR2  
        L     #TEMP8
        L     C#8
        *I    
        +AR2  
        TAR2  #TEMP10
        TAR1  #TEMP4
        LAR1  #TEMP9
        LAR2  #TEMP10
        L     B [AR1,P#0.0]
        L     B [AR2,P#0.0]
        ==I   
        JCN   M013
        JU    M014
  M013: L     P#DBX 0.0
        LAR1  
        T     #TEMP4
        L     B#16#0
        T     #TEMP6
        JU    M006
  M014: L     #TEMP4
        LAR1  
        L     #TEMP13
        L     L#1
        +I    
        T     #TEMP13
        JU    M006
  M006: L     #TEMP0
        T     MB   100
        L     #TEMP1
        T     MB   101
        L     #TEMP2
        T     MB   102
        +AR1  P#1.0
        L     #TEMP6
        +     1
        T     #TEMP6
        JU    M005
  M010: L     P#DBX 0.0
        LAR1  
        L     0
        T     #TEMP6
        TAR1  #TEMP4
  M005: TAR1  #TEMP4
        CLR   
        =     #TEMP16
        L     #TEMP13
        L     L#20
        ==I   
        S     #TEMP16
        L     #TEMP15
        ==I   
        A     #TEMP16
        JC    M017
        L     #TEMP13
        L     L#20
        <I    
        S     #TEMP16
        L     #TEMP15
        ==I   
        A     #TEMP16
        JC    M018
        JU    M019
  M017: SET   
        =     #TEMP14
        JU    M016
  M018: CLR   
        =     #TEMP14
        JU    M016
  M019: CLR   
        O     #TEMP14
        =     #RET_VAL
        JU    M015
  M016: CLR   
        O     #TEMP14
        =     #RET_VAL
  
    

The code is long and, to a person unfamiliar with STL, perhaps intimidating. Instead of analyzing each and every instruction, we recommend checking out the manufacturer's reference for the STL language: Statement List (STL) for S7-300 and S7-400 Programming. What follows is the same code after some reworking: tags and variables have been renamed, with comments added to describe the flow and certain STL constructs. The block in question implements a virtual machine that runs bytecode in block DB100 (whose contents we know). The virtual machine instructions are 1 byte of opcode and argument bytes, one byte per argument. All the instructions have two arguments each. In the comments, their values are referred to as X and Y, respectively.

            # Initialize variables
            L     B#16#0
            T     #CHECK_N        # Number of checks completed successfully
            T     #COUNTER_N      # Total number of checks
            L     P#DBX 0.0
            T     #POINTER        # Pointer to current instruction
            CLR   
            =     #PRE_RET_VAL
      
      # Main loop for bytecode interpreter
      LOOP: L     #POINTER
            LAR1  
            OPN   DB   100
            L     DBLG
            TAR1  
            <=D                   # Check to see if pointer outside program bounds
            JC    FINISH
            L     DW#16#0
            T     #REG0
            L     #TEMP6
            L     W#16#0
            <>I   
            JC    M00d
            L     P#DBX 0.0
            LAR1  
      
      # Switch -- cases for handling various opcodes
      M00d: L     B [AR1,P#0.0]
            T     #OPCODE
            L     W#16#1
            ==I   
            JC    OPCODE_1
            L     #OPCODE
            L     W#16#2
            ==I   
            JC    OPCODE_2
            L     #OPCODE
            L     W#16#3
            ==I   
            JC    OPCODE_3
            L     #OPCODE
            L     W#16#4
            ==I   
            JC    OPCODE_4
            L     #OPCODE
            L     W#16#5
            ==I   
            JC    OPCODE_5
            L     #OPCODE
            L     W#16#6
            ==I   
            JC    OPCODE_6
            JU    OPCODE_OTHER
      
      # Handler for opcode01: load value from DB101[X] to register Y
      # OP01(X, Y): REG[Y] = DB101[X]
      OPCODE_1: +AR1  P#1.0
            L     P#DBX 0.0
            LAR2  
            L     B [AR1,P#0.0]   # Load argument X (index DB101)
            L     C#8
            *I    
            +AR2  
            +AR1  P#1.0
            L     B [AR1,P#0.0]   # Load argument Y (register index)
            JL    M003            # Equivalent to switch case based on value Y
            JU    M001            # for selecting register to write to.
            JU    M002            # Similar constructs are used in operations 
            JU    M004            # below for similar purposes
      M003: JU    LOOPEND
      M001: OPN   DB   101
            L     B [AR2,P#0.0]
            T     #REG0           # Write value DB101[X] to REG[0]
            JU    PRE_LOOPEND
      M002: OPN   DB   101
            L     B [AR2,P#0.0]
            T     #REG1           # Write value DB101[X] to REG[1]
            JU    PRE_LOOPEND
      M004: OPN   DB   101
            L     B [AR2,P#0.0]
            T     #REG2           # Write value DB101[X] to REG[2]
            JU    PRE_LOOPEND
      
      # Handler for opcode02: load value X to register Y
      # OP02(X, Y): REG[Y] = X
      OPCODE_2: +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP3
            +AR1  P#1.0
            L     B [AR1,P#0.0]
            JL    M009
            JU    M00b
            JU    M00a
            JU    M00c
      M009: JU    LOOPEND
      M00b: L     #TEMP3
            T     #REG0
            JU    PRE_LOOPEND
      M00a: L     #TEMP3
            T     #REG1
            JU    PRE_LOOPEND
      M00c: L     #TEMP3
            T     #REG2
            JU    PRE_LOOPEND
      
      # Opcode03 is not used in the program, so we'll skip it
      ...
      
      # Handler for opcode04: compare registers X and Y
      # OP04(X, Y): REG[0] = 0; REG[X] = (REG[X] == REG[Y])
      OPCODE_4: +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP7          # first argument - X
            L     P#M 100.0
            LAR2  
            L     #TEMP7
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP9          # REG[X]
            +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP8
            L     P#M 100.0
            LAR2  
            L     #TEMP8
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP10         # REG[Y]
            TAR1  #POINTER
            LAR1  #TEMP9          # REG[X]
            LAR2  #TEMP10         # REG[Y]
            L     B [AR1,P#0.0]
            L     B [AR2,P#0.0]
            AW    
            INVI  
            T     #TEMP12         # ~(REG[Y] & REG[X])
            L     B [AR1,P#0.0]
            L     B [AR2,P#0.0]
            OW    
            L     #TEMP12
            AW                    # (~(REG[Y] & REG[X])) & (REG[Y] | REG[X]) – equivalent to equality check
            T     B [AR1,P#0.0]
            L     DW#16#0
            T     #REG0
            L     MB   101
            T     #REG1
            L     MB   102
            T     #REG2
            L     #POINTER
            LAR1  
            JU    PRE_LOOPEND
      
      # Handler for opcode05: subtract register Y from X
      # OP05(X, Y): REG[0] = 0; REG[X] = REG[X] - REG[Y]
      OPCODE_5: +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP7
            L     P#M 100.0
            LAR2  
            L     #TEMP7
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP9          # REG[X]
            +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP8
            L     P#M 100.0
            LAR2  
            L     #TEMP8
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP10         # REG[Y]
            TAR1  #POINTER
            LAR1  #TEMP9
            LAR2  #TEMP10
            L     B [AR1,P#0.0]
            L     B [AR2,P#0.0]
            -I                    # ACCU1 = ACCU2 - ACCU1, REG[X] - REG[Y]
            T     B [AR1,P#0.0]
            L     DW#16#0
            T     #REG0
            L     MB   101
            T     #REG1
            L     MB   102
            T     #REG2
            L     #POINTER
            LAR1  
            JU    PRE_LOOPEND
      
      # Handler for opcode06: increment #CHECK_N if registers X and Y are equal
      # OP06(X, Y): #CHECK_N += (1 if REG[X] == REG[Y] else 0)
      OPCODE_6: L     #COUNTER_N
            INC   1
            T     #COUNTER_N
            +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP7          #  REG[X]     
            L     P#M 100.0
            LAR2  
            L     #TEMP7
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP9          #  REG[X]  
            +AR1  P#1.0
            L     B [AR1,P#0.0]
            T     #TEMP8
            L     P#M 100.0
            LAR2  
            L     #TEMP8
            L     C#8
            *I    
            +AR2  
            TAR2  #TEMP10         # REG[Y]
            TAR1  #POINTER
            LAR1  #TEMP9          # REG[Y]
            LAR2  #TEMP10         # REG[X]
            L     B [AR1,P#0.0]
            L     B [AR2,P#0.0]
            ==I   
            JCN   M013
            JU    M014
      M013: L     P#DBX 0.0
            LAR1  
            T     #POINTER
            L     B#16#0
            T     #TEMP6
            JU    PRE_LOOPEND
      M014: L     #POINTER
            LAR1  
      # Increment value of #CHECK_N
            L     #CHECK_N
            L     L#1
            +I    
            T     #CHECK_N
            JU    PRE_LOOPEND
      
      PRE_LOOPEND: L     #REG0
            T     MB   100
            L     #REG1
            T     MB   101
            L     #REG2
            T     MB   102
            +AR1  P#1.0
            L     #TEMP6
            +     1
            T     #TEMP6
            JU    LOOPEND
      
      OPCODE_OTHER: L     P#DBX 0.0
            LAR1  
            L     0
            T     #TEMP6
            TAR1  #POINTER
      
      LOOPEND: TAR1  #POINTER
            CLR   
            =     #TEMP16
            L     #CHECK_N
            L     L#20
            ==I   
            S     #TEMP16
            L     #COUNTER_N
            ==I   
            A     #TEMP16
      # All checks passed if #CHECK_N == #COUNTER_N == 20
            JC    GOOD
            L     #CHECK_N
            L     L#20
            <I    
            S     #TEMP16
            L     #COUNTER_N
            ==I   
            A     #TEMP16
            JC    FAIL
            JU    M019
      GOOD: SET   
            =     #PRE_RET_VAL
            JU    FINISH
      FAIL: CLR   
            =     #PRE_RET_VAL
            JU    FINISH
      M019: CLR   
            O     #PRE_RET_VAL
            =     #RET_VAL
            JU    LOOP
      FINISH: CLR   
            O     #PRE_RET_VAL
            =     #RET_VAL
      
    

Armed with this information about the virtual machine instructions, we can write a small disassembler to parse the bytecode in block DB100:

import string
alph = string.ascii_letters + string.digits

with open('DB100.bin', 'rb') as f:
    m = f.read()

pc = 0

while pc < len(m):
    op = m[pc]
    if op == 1:
        print('R{} = DB101[{}]'.format(m[pc + 2], m[pc + 1]))
        pc += 3
    elif op == 2:
        c = chr(m[pc + 1])
        c = c if c in alph else '?'
        print('R{} = {:02x} ({})'.format(m[pc + 2], m[pc + 1], c))
        pc += 3
    elif op == 4:
        print('R0 = 0; R{} = (R{} == R{})'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 5:
        print('R0 = 0; R{} = R{} - R{}'.format(
            m[pc + 1], m[pc + 1], m[pc + 2]))
        pc += 3
    elif op == 6:
        print('CHECK (R{} == R{})\n'.format(
            m[pc + 1], m[pc + 2]))
        pc += 3
    else:
        print('unk opcode {}'.format(op))
        break
    

And now we get the following virtual machine code:

        R1 = DB101[0]
        R2 = 6e (n)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[1]
        R2 = 10 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 20 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[2]
        R2 = 77 (w)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[3]
        R2 = 0a (?)
        R0 = 0; R1 = R1 - R2
        R2 = 16 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[4]
        R2 = 75 (u)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[5]
        R2 = 0a (?)
        R0 = 0; R1 = R1 - R2
        R2 = 16 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[6]
        R2 = 34 (4)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[7]
        R2 = 26 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 4c (L)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[8]
        R2 = 33 (3)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[9]
        R2 = 0a (?)
        R0 = 0; R1 = R1 - R2
        R2 = 16 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[10]
        R2 = 37 (7)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[11]
        R2 = 22 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 46 (F)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[12]
        R2 = 33 (3)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[13]
        R2 = 0a (?)
        R0 = 0; R1 = R1 - R2
        R2 = 16 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[14]
        R2 = 6d (m)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[15]
        R2 = 11 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 23 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[16]
        R2 = 35 (5)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[17]
        R2 = 12 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 25 (?)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)
        
        R1 = DB101[18]
        R2 = 33 (3)
        R0 = 0; R1 = (R1 == R2)
        CHECK (R1 == R0)
        
        R1 = DB101[19]
        R2 = 26 (?)
        R0 = 0; R1 = R1 - R2
        R2 = 4c (L)
        R0 = 0; R1 = R1 - R2
        CHECK (R1 == R0)        
    

As you can see, this program simply checks each character from DB101 for equality with a certain value. The string to pass all the checks was as follows: n0w u 4r3 7h3 m4573r. Placing this string in block DB101 would activate manual PLC control, allowing the contestant to inflate or deflate the balloon at will.

So there you have it! Alexey displayed an exemplary level of knowledge worthy of an Industrial Ninja. Fun prizes are on the way to their winner. Thank you to everyone who participated!

All news