TOP SECRET CONFIDENTIAL 1 TOP SECRET WITCHCRAFT SECRETS - - PowerPoint PPT Presentation



SLIDE 1

TOP SECRET CONFIDENTIAL

SLIDE 2

TOP SECRET

WITCHCRAFT SECRETS

CONFIDENTIAL

SLIDE 3

Witchcraft Secrets

...from a reverse-engineer

Alyssa Rosenzweig

SLIDE 4

Starswirl’s First Law

Magic can neither be created nor destroyed…

SLIDE 5

Starswirl’s First Law

Magic can neither be created nor destroyed… …only transformed.

SLIDE 6

Starswirl’s First Law

SLIDE 7

Starswirl’s First Law

SLIDE 8

Starswirl’s First Law

SLIDE 9

Witchcraft

SLIDE 10

OPEN SORCERY

SLIDE 11

STEPS

SLIDE 12

Steps - trivial

  • Write a test
  • Trace baseline input
  • Trace with single “interesting” change
  • Diff the traces
  • Single change? Lucky.
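An added example of the trivial recipe above (this is not tooling from the talk): a baseline trace, one trace per single "interesting" change, and a word-by-word diff that attributes each moved word to the input that moved it. A trace is modelled as the list of 32-bit words read back from a command buffer; every word value here is constructed for the example, not captured from hardware.

```python
# Added example, not tooling from the talk: the "trivial" recipe made concrete.
# A trace is modelled as the list of 32-bit words read back from a command
# buffer; every word value below is constructed for the example, not captured.

BASELINE = [0x00000001, 0x00000080, 0x00000040, 0x00000000, 0x0000FFFF]

# One trace per single "interesting" change to the test; the label records
# what the test changed relative to the baseline run.
VARIANTS = {
    "width 128 -> 256": [0x00000001, 0x00000100, 0x00000040, 0x00000000, 0x0000FFFF],
    "height 64 -> 32":  [0x00000001, 0x00000080, 0x00000020, 0x00000000, 0x0000FFFF],
    "clear low flag":   [0x00000001, 0x00000080, 0x00000040, 0x00000000, 0x0000FFFE],
}


def diff_traces(base, new):
    """Diff two traces word by word: (offset, old, new, xor) per changed word."""
    if len(base) != len(new):
        # The change altered the stream layout rather than one field; that is
        # the nontrivial path (trace many inputs), not a one-word diff.
        raise ValueError("trace length differs: layout change, not a field change")
    return [(i, a, b, a ^ b) for i, (a, b) in enumerate(zip(base, new)) if a != b]


def attribute_words(base, variants):
    """Map each word offset to the changes that touched it.

    A variant that moves exactly one word is the lucky case: that word holds
    the field for that input. Several moved words mean more tracing is needed.
    """
    owners = {}
    lucky = {}
    for label, trace in variants.items():
        changes = diff_traces(base, trace)
        lucky[label] = len(changes) == 1
        for offset, _old, _new, _xor in changes:
            owners.setdefault(offset, []).append(label)
    return owners, lucky


def report(base, variants):
    """Human-readable diff lines, one per changed word."""
    lines = []
    for label, trace in variants.items():
        for off, old, new, x in diff_traces(base, trace):
            lines.append(f"{label:18s} word[{off}] {old:08x} -> {new:08x} (xor {x:08x})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, VARIANTS)))
```

The xor column is the part worth looking at: a clean power-of-two or a shifted copy of the input change is the "lucky" single-field case, while a length mismatch or several moved words means the change affected layout and you are on the nontrivial path.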
SLIDE 13

Spelling convention

SLIDE 14

Steps - nontrivial

  • Write a test
  • Trace many inputs
  • Record results
  • Find a pattern
  • Deduce f
  • Rewrite for
SLIDE 15

Steps - nontrivial

  • Write a test
  • Trace many inputs
  • Record results
  • Find a pattern
  • Deduce f
  • Rewrite for
SLIDE 16

TRACING

SLIDE 17

SLIDE 18

SLIDE 19

Steps - nontrivial

  • Write a test
  • Trace many inputs
  • Record results
  • Find a pattern
  • Deduce f
  • Rewrite for
SLIDE 20

TECHNIQUES

SLIDE 21

Waiting

  • Cuss on IRC.
  • Wait for a draconequus to whisper f to you.

Works 20% of the time

SLIDE 22

Law of Parsimaney

  • Simple f are more likely than complex f.
  • Simple for the hardware, not for you!
  • Think like a hardware designer (gate count).
SLIDE 23

Properties

  • Alignment?
  • Monotonicity?
  • Linear? Almost linear?
  • Bitwise complements?
  • Powers of two?
SLIDE 24

Information entropy

  • Input entropy vs output bit count
  • Equal entropy: just shuffling
  • More in input: incomplete encoding (pigeonhole)
  • More in output: incomplete input (Occam's Razor)
SLIDE 25

Graphs

SLIDE 26

Calculus

  • Discrete derivatives (backwards differencing)
  • Sometimes modeling f’ is easier than f.
  • Integrate f’ to recover f (summation)

Useful for near-linear f
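An added example (not from the talk) that applies the "Properties" and "Calculus" slides to a recorded sample set. The samples are constructed from a hypothetical encoder, hidden_f, standing in for an unknown hardware f: 16 bytes per element plus 8 bytes of padding at the start of every 32-element block. Backwards differencing turns that into a single 24 inside runs of 16, which is far easier to model than f itself; summation then recovers f and the model is checked against every sample.

```python
# Added example, not code from the talk: "Properties" and "Calculus" checks over
# recorded (input, output) samples of an unknown encoding f. The samples are
# constructed from a hypothetical f so the script runs offline; in practice they
# come from the trace-many-inputs step.
from functools import reduce
from math import gcd


def hidden_f(n):
    """Hypothetical encoder standing in for the hardware (constructed)."""
    return 16 * n + 8 * (n // 32)


SAMPLES = [(n, hidden_f(n)) for n in range(0, 200)]


def backward_diff(samples):
    """Discrete derivative f'(n) = f(n) - f(n-1) over consecutive inputs."""
    return [b - a for (_, a), (_, b) in zip(samples, samples[1:])]


def properties(samples):
    """Quick checks from the 'Properties' slide: alignment, monotonicity, linearity."""
    outs = [o for _, o in samples]
    diffs = backward_diff(samples)
    align = reduce(gcd, outs[1:], outs[0])      # every output is a multiple of this
    return {
        "monotonic": all(d >= 0 for d in diffs),
        "alignment": align,
        "alignment_pow2": align & (align - 1) == 0,
        "linear": len(set(diffs)) == 1,          # constant f' means f is linear
    }


def run_lengths(values):
    """Collapse f' into (value, count) runs so the pattern is visible at a glance."""
    runs = []
    for v in values:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return [tuple(r) for r in runs]


def model_derivative(n):
    """Deduced f': the runs show 16 normally and 24 on every 32nd step."""
    return 24 if n % 32 == 0 else 16


def integrate(f0, derivative, n_max):
    """Summation recovers f(0..n_max) from the modelled f' and the first sample."""
    f = [f0]
    for n in range(1, n_max + 1):
        f.append(f[-1] + derivative(n))
    return f


def model_matches_samples():
    """True when the integrated model reproduces every recorded output."""
    recovered = integrate(SAMPLES[0][1], model_derivative, len(SAMPLES) - 1)
    return recovered == [o for _, o in SAMPLES]


if __name__ == "__main__":
    print(properties(SAMPLES))
    print(run_lengths(backward_diff(SAMPLES))[:4])
    print("model fits all samples:", model_matches_samples())
```

The alignment check returns 8 rather than 16 here, which is itself a hint: one term in f is finer-grained than the main stride. The (16, 31), (24, 1) run structure is what you would then model, and the gate-count view from the Parsimaney slide favours "pad each 32-element block" over any closed form that happens to fit.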

SLIDE 27

Classes of f

  • What kind of function could satisfy the properties?
  • Closed-form algebraic?
  • Bitwise manipulation?
  • Try some.
SLIDE 28

Purpose

  • Every field has a reason for being.
  • Your job: figure out why.
SLIDE 29

Purpose

struct texture {
    unsigned width;
    unsigned unknown;
    unsigned depth;
    ...

SLIDE 30

Purpose

struct texture {
    unsigned width;
    unsigned height;
    unsigned depth;
    ...

SLIDE 31

Purpose

Proximate fields have proximate purposes.

SLIDE 32

Info drops

  • Know the hardware, know the purpose.
  • Conference slides.
  • Vendor blogs.
  • Code drops (kernel)
  • Google is your friend.
SLIDE 33

XDC Hallway Track

[redacted]

SLIDE 34

If all else fails...

  • Move on.
  • Lots of seaponies in the sea.
SLIDE 35

EXAMPLE

SLIDE 36

1

if (vColor.x < 0.5) discard;

flt r31.w, r0.x, #0.5
br.discard.true

SLIDE 37

2 - AND

if (vColor.x < 0.5 && vColor.y < 0.75) discard;

flt r31.w, r0.y, #0.75
flt r31.w, r0.x, #0.5
brx.discard.unk8888

SLIDE 38

2 - OR

if (vColor.x < 0.5 || vColor.y < 0.75) discard;

flt r31.w, r0.y, #0.75
flt r31.w, r0.x, #0.5
brx.discard.unkEEEE

SLIDE 39

2 - NAND

if (!(vColor.x < 0.5 && vColor.y < 0.75)) discard;

flt r31.w, r0.y, #0.75
flt r31.w, r0.x, #0.5
brx.discard.unk1111

SLIDE 40

2 - NOR

if (!(vColor.x < 0.5 || vColor.y < 0.75)) discard;

flt r31.w, r0.y, #0.75
flt r31.w, r0.x, #0.5
brx.discard.unk7777

SLIDE 41

Expression            Code
(A && B)              8888
(A || B)              EEEE
!(A && B)             7777
!(A || B)             1111

SLIDE 42

3?

if (vColor.x < 0.5 && vColor.y < 0.75 && vColor.z == 1.0) discard;

flt r31.x, r0.y, #0.75
feq r31.w, r0.z, #1
flt r31.w, r0.x, #0.5
brx.discard.unk8080

SLIDE 43

4?

if (vColor.x < 0.5 && vColor.y < 0.75 && vColor.z == 1.0 && vColor.w == 0.0) discard;

feq r31.w, r0.z, #1
feq r31.w, r0.w, #0
flt r31.x, r0.y, #0.75
flt r31.w, r0.x, #0.5
brx.discard.unk8000

SLIDE 44

5?

if (vColor.x < 0.5 && vColor.y < 0.75 && vColor.z == 1.0 && vColor.w == 0.0 && vColor.x > vColor.y) discard;

...
iand r31.w, r0.z, r0.w
brx.discard.unk8000

SLIDE 45

Expression            Code
(A && B)              8888
(A || B)              EEEE
!(A && B)             7777
!(A || B)             1111
(A && B) && C         8080
(A && B) && C && D    8000

SLIDE 46

Mathemagics

SLIDE 47

Expression            Code
(A && B)              8888
(A || B)              EEEE
!(A && B)             7777
!(A || B)             1111
(A && B) && C         8080
(A && B) && C && D    8000

SLIDE 48

Expression            Code
(A && B)              8888
!(A && B)             7777
(A || B)              EEEE
!(A || B)             1111

SLIDE 49

Expression            Code
(A && B)              8888
!(A && B)             7777    FFFF
(A || B)              EEEE
!(A || B)             1111    FFFF

SLIDE 50

Expression            Code
(A && B) && C && D    8000 . . . 1 . . . 1

SLIDE 51

Expression            Code
(A && B)              8888
(A || B)              EEEE
!(A && B)             7777
!(A || B)             1111
(A && B) && C         8080
(A && B) && C && D    8000

SLIDE 52

LUT
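An added example (not code from the talk or from any driver) that writes the LUT conclusion down as a runnable model: the 16-bit suffix on brx.discard is a truth table over four condition results, indexed by the packed condition bits. Assumed, not stated on the slides: A sits in bit 0 of the index and D in bit 3, and the branch fires when bit[index] of the code is set; any permutation of A, B, C within bits 0..2 gives the same codes for the symmetric expressions on the slides. The model reproduces the Expression/Code table, shows which inputs each code actually depends on (the "more in output" don't-cares from the entropy slide), and checks the five-condition case where the compiler folds two conditions with iand and keeps 8000. Note that slides 39 and 40 in the deck label NAND as unk1111 and NOR as unk7777, the reverse of the table on slides 41 and 47 to 51; the table's assignment is the one consistent with the truth-table model and is what is checked here.

```python
# Added example, not code from the talk or any driver: model the 16-bit suffix
# on brx.discard as a 4-input lookup table (LUT). Assumption (not on the
# slides): A..D are packed into a 4-bit index with A in bit 0 and D in bit 3,
# and the discard branch is taken when bit[index] of the code is 1.
from itertools import product

NAMES = "ABCD"


def lut_encode(fn):
    """Compiler-side view: build the 16-bit truth table for fn(a, b, c, d)."""
    code = 0
    for idx in range(16):
        bits = [bool((idx >> i) & 1) for i in range(4)]   # A..D from bits 0..3
        if fn(*bits):
            code |= 1 << idx
    return code


def lut_eval(code, a, b, c, d):
    """Hardware-side view: index the table with the packed condition bits."""
    idx = (int(a) << 0) | (int(b) << 1) | (int(c) << 2) | (int(d) << 3)
    return ((code >> idx) & 1) == 1


def lut_support(code):
    """Which inputs the code depends on; the rest are don't-cares (e.g. 8888 -> 'AB')."""
    used = ""
    for bit in range(4):
        for idx in range(16):
            if ((code >> idx) & 1) != ((code >> (idx ^ (1 << bit))) & 1):
                used += NAMES[bit]
                break
    return used


# The Expression/Code table from the slides, each row as (predicate, code).
SLIDE_TABLE = {
    "(A && B)":           (lambda a, b, c, d: a and b,             0x8888),
    "(A || B)":           (lambda a, b, c, d: a or b,              0xEEEE),
    "!(A && B)":          (lambda a, b, c, d: not (a and b),       0x7777),
    "!(A || B)":          (lambda a, b, c, d: not (a or b),        0x1111),
    "(A && B) && C":      (lambda a, b, c, d: a and b and c,       0x8080),
    "(A && B) && C && D": (lambda a, b, c, d: a and b and c and d, 0x8000),
}


def check_slide_table():
    """Rows whose encoded code differs from the slide; empty means the model fits."""
    return [expr for expr, (fn, code) in SLIDE_TABLE.items() if lut_encode(fn) != code]


def complement_pairs():
    """The FFFF annotation on the slide: an expression and its negation are bitwise complements."""
    return (0x8888 ^ 0x7777, 0xEEEE ^ 0x1111)


def five_way_and(a, b, c, d, e):
    """Five conditions do not fit a 4-input LUT: fold two with an AND first
    (the iand on the 5? slide) and keep the 4-way code 8000."""
    return lut_eval(0x8000, a, b, c and d, e)


def five_way_matches():
    """Exhaustively compare the folded form against a plain five-input AND."""
    return all(five_way_and(*v) == all(v) for v in product([False, True], repeat=5))


if __name__ == "__main__":
    for expr, (fn, code) in SLIDE_TABLE.items():
        print(f"{expr:20s} {lut_encode(fn):04X}  depends on {lut_support(code)}")
    print("mismatches:", check_slide_table())
    print("five-way AND via iand + 8000 ok:", five_way_matches())
```

Reading the codes as truth tables also explains the parsimony argument: the hardware needs only a 16:1 mux keyed by four condition bits, so every two-, three- and four-input boolean costs the same gate count, and anything beyond four inputs has to be pre-combined in registers, exactly what the extra iand shows.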

SLIDE 53

Thank you!

SLIDE 54

TOP SECRET CONFIDENTIAL