Here are some details for those who have decrypted Stuxnet code and can’t make sense out of it. The recorder function for recording inputs is located in FC 6069, which is called at the beginning of FC 6070, which is called from FC 6082 in states 2, 3, 4, 5, and 6. (Ok, this gives everybody a feeling of the code complexity we’re talking about.) Here’s what FC 6069, the recorder, looks like in STL:
Even on a 417, that takes so much time that the attackers needed to turn off the cycle time alarm. Here’s a pseudo-code translation of the above STL code that makes it easier to understand what’s going on:
Now let’s look at the replay part, which is implemented in FC 6079. Since the STL code is fairly long, we only provide pseudo-code. As you can see, this function is likewise only performed in states 2, 3, 4, 5, and 6.