Movfuscator: A single-instruction C compiler

Back in the time of FIDO, I&#x27;ve accepted the challenge to crack a program (find a correct password) that more or less consisted of a loop to simulate three-address MOV instruction.<p>The loop jump address sometimes changed for some effectful operations like printing or for optimizations like executing addition.<p>It took me about four hours to find the correct password. In the course of there three hours I wrote 1) an executor that used i386 debug registers to look for current MOV addresses, 2) a tracer that produced a trace and 3) a compactor which identified common instruction sequences and presented them as some macrocommand. It turned out the original source code has used macros in the opposite way. The final challenge was to write brute force password finder, which is not that hard at all (for 32-bit checksum).<p>All in x86 assembler. I guess it was about 1995-96, somewhere there.<p>Now I&#x27;d use the same technique, but on higher level. Instead of peephole compacting I&#x27;d use graph analysis, but that&#x27;s about it. You can get pretty much everything from the program trace, I think this way you can get even more information than from disassembly.<p>So in my opinion, it is one hell of a cool experiment. But try not to use it as a real obfuscation device.

I suggest taking a look at the slides, which show how much trickery is involved: <a href="https:&#x2F;&#x2F;github.com&#x2F;xoreaxeaxeax&#x2F;movfuscator&#x2F;raw&#x2F;master&#x2F;slides&#x2F;the_movfuscator_recon_2015.pdf" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;xoreaxeaxeax&#x2F;movfuscator&#x2F;raw&#x2F;master&#x2F;slide...</a>

The Maxim Integrated MAXQ is is one commercial processor that uses a MOV based instruction set. <a href="http:&#x2F;&#x2F;www.maximintegrated.com&#x2F;en&#x2F;app-notes&#x2F;index.mvp&#x2F;id&#x2F;3222" rel="nofollow">http:&#x2F;&#x2F;www.maximintegrated.com&#x2F;en&#x2F;app-notes&#x2F;index.mvp&#x2F;id&#x2F;322...</a><p>I&#x27;ve always felt these were more of a trick in being single instruction set because you are using some of the addressing bits to encode an opcode.

The x86 is actually Turing-complete without even executing a single instruction. Page faulting is enough: <a href="https:&#x2F;&#x2F;github.com&#x2F;jbangert&#x2F;trapcc" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jbangert&#x2F;trapcc</a>

Author is the same person who published epic X86 vulnerability <a href="https:&#x2F;&#x2F;github.com&#x2F;xoreaxeaxeax&#x2F;sinkhole" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;xoreaxeaxeax&#x2F;sinkhole</a>

Exact dupe:<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9751312" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9751312</a>

Previously: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9751312" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9751312</a> <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=6309631" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=6309631</a>

Write your program using the nearly Turing-complete C preprocessor and compile into mov.

Is ARMv7 mov turing complete?