Jump to content

Trace vector decoder

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 108.160.246.146 (talk) at 05:25, 28 August 2020 (Added references). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A Trace Vector Decoder (TVD) is a system that uses a microprocessor's trace facility to decode encrypted instruction opcodes just-in-time prior to execution and possibly re-encrypting them afterwards. It can be used to hinder reverse engineering, useful when attempting to prevent software cracking as part of an overall copy protection strategy.

Tracing with the Motorola 68000

The Motorola 68000 has an instruction-by-instruction tracing facility.[1] When its trace state is enabled, the processor automatically forces a trace exception after each (non-exception) instruction is executed. The intended use of this facility is for a debugging program to monitor the execution of the program under test.

It is possible to leverage this facility to install a trace vector decoder exception handler that decodes the upcoming instruction outside the exception as well as re-encoding the previously decoded instruction.

The following code snippet is an example of a program initializing a trace exception handler. 

	MOVEM.L	Stack,D0-D7/A0-A6      ; Initialize registers
	MOVE.L	#$4E730000,-(SP)       ; Push trace exception handler on to stack
	MOVE.L	#$00000010,-(SP)
	MOVE.L	#$0004DDB9,-(SP)
	MOVE.L	#$BD96BDAE,-(SP)
	MOVE.L	#$B386B586,-(SP)
	MOVE.L	#$D046D246,-(SP)
	MOVE.L	#$0246A71F,-(SP)
	MOVE.L	#$00023C17,-(SP)
	MOVE.W	#$2C6F,-(SP)
	MOVE.L	SP,($24).W             ; Set trace exception handler vector
	ORI.W	#$A71F,SR              ; Enable trace state
        NOP                            ; CPU generates a trace exception after executing this NOP
        ;------------------------
        ...                            ; Code from this line would be encrypted

The following is a disassembly of the above trace exception handler loaded on the stack. The purpose of this handler is to obfuscate any traced encrypted code. Its decryption process is affected by the contents of the condition code register (CCR). For example, an arithmetic operation in the main program having the 0 number as a result, will cause zero flag bit to be set in CCR. This will cause the value in (SP) to be changed in the trace exception handler. 

TraceCode:
	MOVE.L	(2,SP),A6              ; Load return address from supervisor stack
	MOVE.W	(SP),D6                ; Load condition codes of the main program
	AND.W	#$A71F,D6
	ADD.W	D6,D0
	ADD.W	D6,D1
	EOR.L	D1,D6
	EOR.L	D2,D6
	EOR.L	D6,(A6)                ; Decrypt 8 bytes ahead in main
	EOR.L	D6,(4,A6)
	RTE                            ; Return from exception

Examples

The Rob Northen Copylock system implemented on the Amiga, Atari ST and IBM PC platforms includes a TVD. It is one of the primary techniques used to obfuscate the code that access and validates the copy protected disk.[2][3]

References

  1. ^ "MC68000 16-Bit Microprocessor Advance Information" (PDF). Motorola Inc.
  2. ^ Kerr, Wayne (May 2004). "Amiga cracking – A look at basic TVD's". Flashtro. Retrieved 28 August 2020.
  3. ^ Sevalliu, Patrik. "Rainbow Islands". Computer Archeology. Retrieved 28 August 2020.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Trace_vector_decoder&oldid=975378253"