Slashdot Mirror


Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

242 comments

  1. Hidden code? by SharpFang · · Score: 2, Offtopic

    See IOCCC for true masters of making the code unreadable!

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. what? by ieatfood · · Score: 0, Funny

    Karma whore, what does that have to do with anything? All I know is that when the Xbox becomes 5 years old, I'm putting Linux on mine.

    --
    -- "Why would you quote your self?" -Me.
    1. Re:what? by 36526542DD · · Score: 0

      Why wait?

    2. Re:what? by ieatfood · · Score: 0

      cause i wanna play xbox live and xbox live bans your account once it finds out you modded your xbox in any way, obviously.

      --
      -- "Why would you quote your self?" -Me.
    3. Re:what? by Golias · · Score: 1
      True, although all the X-Box Live games suck, except maybe Mechwarrior.

      Were it not for HALO, DOA3 and DOAX, my X-Box would already be in my server closet running apache right now. In fact, I'm considering buying a second X-Box for just that... and maybe even a third one for a stand-alone firewall box. I've seen used X-Boxen around town for about $150 each. Thanks to the 007 hack which saves the trouble of mod-chipping, it's the best deal out there for a lightweight server.

      --

      Information wants to be anthropomorphized.

  3. I will never understand this. by Anonymous Coward · · Score: 0

    "we just have to add 0xAD9 to 0x5EF (The starting offset of the code above) to find the offset of the real entry point in the hack, which is therefore 0x10C8"

    So... 0xAD9 + 0x5EF = 0x10C8? What a country!

    1. Re:I will never understand this. by 3.1415926535 · · Score: 3, Insightful
      It sure does.
      Python 2.2.2 (#1, Dec 9 2002, 18:20:25)
      [GCC 3.2.1] on linux2
      Type "help", "copyright", "credits" or "license" for more information.
      >>> "%x"%(0xAD9+0x5EF)
      '10c8'
    2. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Yet another reason why linux isn't ready for the desktop. You have to go into a command line just to run a fucking CALCULATOR! python is to calc.exe as hurd is to msdos.

    3. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Python droolz, Perl rulz

    4. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Can calc.exe add two pairs of hex octets? Can you call it from a script? Running it from windows scripting host doesn't count, either. Although you may be able to use Jscript math objects to add the hex numbers.

    5. Re:I will never understand this. by msh104 · · Score: 0

      how about kcalc?

    6. Re:I will never understand this. by Jmstuckman · · Score: 1

      "Can calc.exe add two pairs of hex octets?"

      Yes.

    7. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Kcalc sucks too, its support for numbers above +E10 sucks, its decimal precision sucks, its colour scheme sucks.

    8. Re:I will never understand this. by Anonymous Coward · · Score: 0

      YHBT

    9. Re:I will never understand this. by msh104 · · Score: 0

      kcalc can do hex. it can even translate 10C8 to 1000011001000 ( binary ) or 4296 ( decimal ) so we DO have a nice gui calc proggy in linux. and it IS better than the windows thingy

    10. Re:I will never understand this. by msh104 · · Score: 0

      the colour scheme can be changed to whatever you like, so that should not bother anyone.

    11. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Chill, nig.

      It's kinda hard to post a screenshot of calc.exe in /. ya know.

      Personally I have a Mac and a linux box with plenty of GUI calculators (plus NeoCAL on my Zaurus which is NICE) but I almost always use "dc" at the command line. Python is overkill but whatever.

      In dc the command is:

      dc -e '16dio AD9 5EF +p'

      Quick 'n' easy! I even added a couple spaces for the folks that aren't hardcore dc addicts.

    12. Re:I will never understand this. by 3.1415926535 · · Score: 0

      Who said I had to use Python? Grow a pair of neurons.

    13. Re:I will never understand this. by Anonymous Coward · · Score: 0

      Windows calc can do that too, actually, although kcalc might still be better for other reasons. And note that I did run calc.exe through wine.

    14. Re:I will never understand this. by Anonymous Coward · · Score: 0
      You could also type
      C:\>set /a 0xAD9 + 0x5EF
      4296
      at the Windows command prompt. Works on WinXP, not sure about others. I'm also not sure how to get hexadecimal output for the answer.
    15. Re:I will never understand this. by GiMP · · Score: 2, Funny

      There are plenty of graphical calculators for Linux.. personally, I use python like the parent or for very simple integer calculations, bc or dc.

    16. Re:I will never understand this. by dschuetz · · Score: 1

      >>> "%x"%(0xAD9+0x5EF)
      '10c8'


      Python. Ptuii!

      % dc
      16o16iAD9 5EF+p
      10C8
      ^D

    17. Re:I will never understand this. by CustomDesigned · · Score: 2, Informative

      For hex addition, I sometimes use a Chinese abacus. The Chinese style has two top beads and 5 bottom beads (as opposed to the Japanese style which has 1 top bead and 4 bottom beads). One of the top beads and one of the bottom beads on a Chinese abacus are never used for decimal addition (they are used for carries when multiplying). However, if you count each top bead as 5 and each bottom bead as 1, they add up to 15 - which works perfectly for addition in base 16 (just as the 1 top and 4 bottom add up to 9 for decimal addition). The beauty of adding on an abacus is that the answer appears as you "key" in the operands. No wasted keystrokes to type "+" or ENTER.

    18. Re:I will never understand this. by fishbowl · · Score: 1

      "if you count each top bead as 5 and each bottom bead as 1, they add up to 15"

      What's interesting about that to me is, that's the way I learned abacus, and I've never considered any other representation of the beads... but until I read your post, I never made the connection between hexadecimal and the abacus.

      Once upon a time, I knew division and multiplication algorithms for abacus. Now I'm going to have to dust off those memories and see if I can figure out rotate, shift, xor...

      --
      -fb Everything not expressly forbidden is now mandatory.
    19. Re:I will never understand this. by Anonymous Coward · · Score: 0

      perl -Mbignum -le 'print +(0xAD9+0x5EF)->as_hex()'
      0x10c8

      HTH HAND :-)

      (Yeah, I like to anger the python crowd with bignum :)

  4. Geez by craigtay · · Score: 4, Funny

    From the looks of this article, they could probably make an entire course at a university devoted to modding the xbox.

    1. Re:Geez by fearlessrogue · · Score: 1

      I will sign up for that course.

      --

      Everything Zen;
      Everything Zen;
      I don't think so!!!
    2. Re:Geez by Anonymous Coward · · Score: 0

      Me too. But I'd expect them to explain the techniques to find your own way, not just how they did it.

  5. Stego or not? by robogun · · Score: 5, Insightful

    The code was "hidden" in the jfif header, therefore does not qualify as steganography in my opinion. But I bet MS jumps all over this and gets stego banned.

    1. Re:Stego or not? by AdEbh · · Score: 4, Informative

      I think it could. Steganography means hidden/covered writing from its Greek roots. The term is older than computers so I think the distinction between the body or header of an image file is a bit fine.

      <p>- Alex

    2. Re:Stego or not? by Anonymous Coward · · Score: 0

      terrorists use steganography!!! its evil!!! no one should be able to hide anything in a picture!! it should be banned!! god bless america!! [ sarcasm ]

    3. Re:Stego or not? by tuxtomas · · Score: 1

      How about Stego banged?

      --
      Open source- the greatest equalizer mankind has ever seen.
    4. Re:Stego or not? by Anonymous Coward · · Score: 0

      make it HTML formatted, and close your fucking p's please. Let me guess, you generated that comment in FrontPage

    5. Re:Stego or not? by Anonymous Coward · · Score: 0

      How does this qualify as insightful? The guy didn't even bother to strain himself enough to write "steganography."

      Besides that, he disproves his own point immediately after making it. The data was "hidden" in the image. If that doesn't qualify as steganography, what does? Does the hiding need to be more insidious or clever to you in order for it to "qualify?"

    6. Re:Stego or not? by RevAaron · · Score: 1

      I think I'd say I agree with the parent- the distinction isn't overly fine, IMHO. That is, that's like saying it's steganography to type out some "hidden text" in plaintext on the cover page of a document, leaving the rest of the document with no information encoded, and doing nothing to really hide the illicit data.

      Unless this data in the image header is really hidden, but if its in the header, it's probably in the comment...

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    7. Re:Stego or not? by Theatetus · · Score: 1, Troll
      Let me guess, you generated that comment in FrontPage

      Hmmmm... no, I don't see the 300 Kb of useless XML... not generated by an MS product.

      --
      All's true that is mistrusted
    8. Re:Stego or not? by robogun · · Score: 1

      Well, if any data hidden in an image qualifies as stego, your common digital camera, which imprints EXIF and /or IPTC data on each photo taken, is suddenly a subversive tool.

      Your sekrit message will be much more difficult to identify if it is hidden somehow among the image data, not just set in the header. Most image display programs will show it.

      I suspect the author did not use "true" stego to hide the code because a) hidden like that, the code would not execute without some kind of wrapper to pull it out and b) he wanted to avoid being accused of potentially subversive acts such as steganography.

      But I bet Microsoft will grab at any straw to protect the xbox from Linux, even if it includes redefining stego to include that. And sorry if my offhand comment offends you. You really should stop worrying about what other people think about other people's posts. Even your argument is weak as stego is a common abbreviation for steganography. Do you ever use the word photo to describe a photograph or do you go through life insisting people say the entire word photography?
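
The distinction robogun draws above, between data sitting in a JFIF header segment and data worked into the picture itself, can be made concrete with a marker walker. The following is an added example, not code from the XBox Linux Project's analysis or from the hack: it parses the segment structure of a JPEG file, totals the bytes held in COM and APPn segments (which a decoder never reads to produce pixels), and reports where the entropy-coded scan data begins. SAMPLE is a hand-constructed byte string, not a real image, and its "hidden in COM" payload is made up for the demonstration.

```c
/* Added example (not the XBox Linux Project's analysis, not the hack):
 * walk the marker segments of a JPEG/JFIF file and total the bytes held in
 * segments a decoder never reads to produce pixels (COM and APPn). That is
 * the "header" the thread is arguing about; a walker like this lists such
 * data directly, with no pixel statistics involved. SAMPLE below is a
 * hand-constructed byte string, not a real image, and its payload is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct jpeg_seg {
    uint8_t marker;   /* second byte of the FF xx marker */
    size_t  offset;   /* offset of that FF byte */
    size_t  payload;  /* bytes following the 2-byte length field */
};

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* TEM, RST0..7, SOI and EOI carry no length field. */
static int standalone_marker(uint8_t m) { return m == 0x01 || (m >= 0xD0 && m <= 0xD9); }

/* Parse from SOI through SOS, recording up to cap segments in out (out/cap
 * may be NULL/0 just to count). Returns the segment count, or -1 when the
 * structure is malformed (bad SOI, a length running past the end, no SOS).
 * *scan_off receives the offset where entropy-coded data begins. */
int jpeg_walk(const uint8_t *buf, size_t len, struct jpeg_seg *out, size_t cap, size_t *scan_off)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* SOI */
    size_t pos = 2;
    int n = 0;
    for (;;) {
        if (pos + 2 > len || buf[pos] != 0xFF) return -1;
        while (buf[pos + 1] == 0xFF)                 /* optional FF fill bytes */
            if (++pos + 2 > len) return -1;
        uint8_t m = buf[pos + 1];
        if (standalone_marker(m)) { pos += 2; continue; }
        if (pos + 4 > len) return -1;
        uint16_t seglen = rd16be(buf + pos + 2);     /* counts its own 2 bytes */
        if (seglen < 2 || pos + 2 + seglen > len) return -1;   /* length runs off the file */
        if ((size_t)n < cap) {
            out[n].marker  = m;
            out[n].offset  = pos;
            out[n].payload = (size_t)seglen - 2;
        }
        n++;
        pos += 2 + seglen;
        if (m == 0xDA) {                             /* SOS: scan data follows */
            if (scan_off) *scan_off = pos;
            return n;
        }
    }
}

/* Total payload in COM (FFFE) and APPn (FFE0..FFEF) segments, excluding a
 * standard JFIF APP0. Returns -1 if the file does not parse. */
long jpeg_opaque_metadata_bytes(const uint8_t *buf, size_t len)
{
    struct jpeg_seg segs[32];
    size_t scan_off = 0;
    int n = jpeg_walk(buf, len, segs, 32, &scan_off);
    if (n < 0) return -1;
    long total = 0;
    for (int i = 0; i < n && i < 32; i++) {
        uint8_t m = segs[i].marker;
        const uint8_t *p = buf + segs[i].offset + 4;        /* start of payload */
        if (m == 0xE0 && segs[i].payload >= 5 && memcmp(p, "JFIF", 5) == 0) continue;
        if (m == 0xFE || (m >= 0xE0 && m <= 0xEF)) total += (long)segs[i].payload;
    }
    return total;
}

/* Constructed sample: SOI, JFIF APP0, a COM segment carrying 13 bytes of
 * text, a one-component SOS header, 5 bytes of scan data, EOI. */
static const uint8_t SAMPLE[] = {
    0xFF,0xD8,
    0xFF,0xE0, 0x00,0x10, 'J','F','I','F',0x00, 0x01,0x01, 0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00,
    0xFF,0xFE, 0x00,0x0F, 'h','i','d','d','e','n',' ','i','n',' ','C','O','M',
    0xFF,0xDA, 0x00,0x08, 0x01, 0x01,0x00, 0x00,0x3F,0x00,
    0x12,0x34,0xFF,0x00,0x56,                         /* FF 00 is a stuffed byte, not a marker */
    0xFF,0xD9
};

int main(void)
{
    struct jpeg_seg segs[8];
    size_t scan_off = 0;
    int n = jpeg_walk(SAMPLE, sizeof SAMPLE, segs, 8, &scan_off);
    for (int i = 0; i < n; i++)
        printf("marker FF%02X at offset %zu, %zu payload bytes\n",
               segs[i].marker, segs[i].offset, segs[i].payload);
    printf("bytes a viewer skips (COM/APPn): %ld; scan data starts at %zu\n",
           jpeg_opaque_metadata_bytes(SAMPLE, sizeof SAMPLE), scan_off);
    return 0;
}
```

Every segment length is checked against the bytes remaining before the segment is recorded, so a file whose header claims more than it contains is rejected instead of being read past its end. Anything stored in COM or APPn shows up in the walker's listing; data hidden among the coefficients of the scan would not, which is the detection gap the thread is drawing a line around.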

    9. Re:Stego or not? by dspeyer · · Score: 2, Funny

      Personally, I would regard group sex with three ton lizards as a bad thing but, hey, if it turns you on, it's your funeral.

    10. Re:Stego or not? by AdEbh · · Score: 1

      No, generated by my own haste. I forgot to change it to HTML Formatted and skipped the preview.

      I closed my fucking p's this time :)

      - Alex

    11. Re:Stego or not? by Anonymous Coward · · Score: 0

      "Well, if any data hidden in an image qualifies as stego, your common digital camera, which imprints EXIF and /or IPTC data on each photo taken, is suddenly a subversive tool."

      But, we seem to be moving closer to a situation where, if a *corporation* does something, it's somehow okay even if it's a crime for an individual. One fear that the anti-corporation folks have, even if they are not very articulate at expressing it, is that corporations acquire rights and privileges that individuals lack, simply because of the privileged position they have by virtue of being a fundamental part of government.
      I wish they'd go ahead and write these privileges explicitly into law, so that the people can get outraged enough to force the revolution already.

    12. Re:Stego or not? by prockcore · · Score: 1

      But I bet MS jumps all over this and gets stego banned.

      What would be the point in that? If they know you're using stego, then it kind of defeats the whole purpose, doesn't it? Banning it would be meaningless, since the entire concept of stego is to hide the very fact that you're using it from the authorities.

    13. Re:Stego or not? by vrmlguy · · Score: 1
      IIRC, stego was invented by the ancient Persians, and consisted of shaving a slave's head, tattooing the message onto his scalp, waiting for his hair to grow back, and sending him to the recipient.

      So, using the header of a file is obviously very much in the spirit of the original concept.

      --
      Nothing for 6-digit uids?
    14. Re:Stego or not? by Anonymous Coward · · Score: 0
      actually, there was an early incarnation, a prior art: the persians used to tattoo the message in the asscrack of the messenger. it took them not too long to figure out that this was, surprise surprise, the FIRST place arabs go after nabbing a captive.

      i'm not making this up.

  6. back in my room i by msh104 · · Score: 3, Funny

    continue praying... thank you holy tux, you defeated evil xbox with nothing more than a blink of your image. if possible reveal thyself in thy full glory and microsoft will tremble in your presence.

  7. Pikers! Use Perl! by Anonymous Coward · · Score: 0

    C coders need a doggone contest for this?

  8. Umm someone explain! by Anonymous Coward · · Score: 0

    The article made little sense to me. Can someone please explain 1. How hacking is usually done 2. And what this article was trying to tell us.

    1. Re:Umm someone explain! by Gyorg_Lavode · · Score: 4, Informative

      I'm no programmer, but it seems they overflow a buffer used in loading saved games to mount the saved game as the d drive and then run a program off of it. This can then copy the modified files used to boot linux on an unmodified xbox to the hard drive.

      --
      I do security
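
The overflow Gyorg_Lavode describes, a save-game loader trusting a length it read from the file, is the classic shape of this bug. As an added example (not the game's code, not the hack, and with an invented record layout), here is a toy save-slot loader in C in its vulnerable form next to a bounds-checked one, with constructed records showing the checked version refusing both an oversized name field and a record that ends early:

```c
/* Added example, not code from the hack or from the game: a toy save-game
 * record loader written to show the bug class the thread is talking about,
 * a length taken from the save file and trusted when copying into a fixed
 * buffer, next to a bounds-checked version. The record layout is invented:
 *   u8 name_len | name_len bytes of name | u32 little-endian score        */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16

struct save_slot {
    char     name[NAME_CAP];  /* fixed buffer: the overflow target */
    uint32_t score;           /* sits right after it in memory */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE: name_len comes from the file and is never compared with
 * NAME_CAP, so a save with name_len > 15 writes past name[] into score
 * and beyond. rec_len is not even consulted. */
int load_slot_unsafe(struct save_slot *s, const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;
    uint8_t name_len = rec[0];
    memcpy(s->name, rec + 1, name_len);
    s->name[name_len] = '\0';
    s->score = rd32le(rec + 1 + name_len);
    return 0;
}

/* HARDENED: reject before copying if the declared length does not fit the
 * destination (leaving room for the NUL) or exceeds what the record holds. */
int load_slot_safe(struct save_slot *s, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 4) return -1;                      /* no header + score */
    uint8_t name_len = rec[0];
    if (name_len >= NAME_CAP) return -1;                 /* would not fit */
    if ((size_t)1 + name_len + 4 > rec_len) return -1;   /* truncated record */
    memcpy(s->name, rec + 1, name_len);
    s->name[name_len] = '\0';
    s->score = rd32le(rec + 1 + name_len);
    return 0;
}

/* Build a constructed record whose name field is name_len bytes of 'A'. */
static size_t make_record(uint8_t *out, uint8_t name_len, uint32_t score)
{
    out[0] = name_len;
    memset(out + 1, 'A', name_len);
    uint8_t *p = out + 1 + name_len;
    p[0] = (uint8_t)score;         p[1] = (uint8_t)(score >> 8);
    p[2] = (uint8_t)(score >> 16); p[3] = (uint8_t)(score >> 24);
    return 1 + (size_t)name_len + 4;
}

/* Hand the safe loader a record claiming name_len bytes, with the last
 * short_by bytes missing; returns the loader's code. */
int safe_rc(uint8_t name_len, size_t short_by)
{
    uint8_t rec[1 + 255 + 4];
    struct save_slot s;
    size_t n = make_record(rec, name_len, 7);
    return load_slot_safe(&s, rec, n > short_by ? n - short_by : 0);
}

/* Score the safe loader recovers from a record, or -1 if it rejected it. */
long safe_score(uint8_t name_len)
{
    uint8_t rec[1 + 255 + 4];
    struct save_slot s;
    size_t n = make_record(rec, name_len, 7);
    return load_slot_safe(&s, rec, n) == 0 ? (long)s.score : -1;
}

int main(void)
{
    /* The unsafe loader "succeeds" on any input; only the safe one says no. */
    uint8_t rec[1 + 255 + 4];
    struct save_slot s;
    size_t n = make_record(rec, 4, 7);
    load_slot_unsafe(&s, rec, n);
    printf("benign record: name=%s score=%u\n", s.name, (unsigned)s.score);
    printf("name_len=40: safe loader returns %d (unsafe would overflow)\n", safe_rc(40, 0));
    printf("name_len=4 cut 2 bytes short: safe loader returns %d\n", safe_rc(4, 2));
    return 0;
}
```

The two checks in load_slot_safe are the whole fix: the declared length is compared with the destination it is copied into and with the bytes actually present in the record, and both happen before any memcpy. The unsafe version is only ever fed a well-formed record here; with name_len past 15 it writes over score and whatever follows the struct, which is the kind of write the savegame hack reportedly turns into code execution.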
  9. Re:Hidden code? (x1488) by Anonymous Coward · · Score: 0

    This is not what the forum was meant to be. It was supposed to foster discussion about the topic at hand. The obfuscation in the hack came not intentionally, but because it was disassembled, and decrypted.

    What, they accidentally embedded the code in the header of a JPEG image and included a bogus decryptor that implies that this is not the case? Damn I'd love to see some of your code if you do stuff like that by accident.

  10. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by borgdows · · Score: 0, Troll

      to pass the Microsoft Quality Assurance Lab... I believe the game would not have passed the test if they had seen an unencrypted Tux.jpg on the disc! ;)

    2. Re:I don't understand. by AdEbh · · Score: 5, Informative

      I don't think that the Tux image was in the game executable, rather the save game file. This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      - Alex

    3. Re:I don't understand. by kc8kgu · · Score: 5, Informative
      Not that I would ever waste my time trying to hack an Xbox, but I can imagine a couple of reasons why the hacker might want to hide how it worked.

      The big one is that the more cryptic and obfuscated the hack is, the less likely the vulnerability will be fixed in a future version, because it's less likely to be found and understood by the engineers trying to close it. From the article, it seems as if the game already has four versions that have this hole.

      But to contradict myself, the article seems to indicate the big hole is a simple buffer overflow. Easily noticed and fixed. If there are other relatively unknown hacks inside the encrypted payload, it may extend their availability and usefulness.

      On the other hand, the hacker may be simply trying to hide his identity, changing her code so it doesn't seem like it's in her personal style. To explain, people who write software for long enough in any arbitrary language begin to develop their own consistent style. Don't get me wrong, they do use the language's idioms to a certain extent, but usually have their own bit of flair to add to them.

      Let's consider the C/C++ for loop. Here are a few ways to write it - all pretty standard.

      /* first example */
      int i;
      for (i=0; i < FOO_COUNT; i++)
          DoItTo(myfoos[i]);

      /* second example */
      for (int index=0; index < FOO_COUNT; index++)
      {
          DoItTo(myfoos[index]);
      }

      /* third example, assume ok to change myfoos */
      for (myfoos; myfoos != NULL; myfoos++)
          DoItTo(*myfoos);

      Given a large enough sample of a person's code (say they did it for a living and their employer used CVS or similar), it's pretty easy to tell who wrote it. After about 15-20 lines of code, I can pretty well tell which of my coworkers is to blame for the latest bug. It's not a fingerprint, but you just need a glove size to narrow down the search.

      Or, I could be completely off base. It's happened before... Once ;-)

      Just my $0.02

      (ps, I realize that the guys fixing the hole wouldn't have the source to look at, but I would wager that enough flair gets through to the machine language)
    4. Re:I don't understand. by Homology · · Score: 1
      This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      Can't wait for the next sequel! Will we see James Bond in the next Matrix movie? Perhaps allied with a Tux? I'm sure Batman will have a few words to tell 007 of his bad choice of companions.

    5. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

    6. Re:I don't understand. by Jmstuckman · · Score: 2

      Your first and second example would compile to the exact same machine language. With the thousands of people who could have done this hack, I doubt that the machine language would fingerprint them enough to catch them.

    7. Re:I don't understand. by Anonymous Coward · · Score: 2, Interesting

      No compiler would produce the same code for all three examples. In particular, use of the postfix unary increment in the for loop guarantees that. If the C++ code was written with a prefix unary increment (i.e. I'm saying using ++myFoos instead of myFoos++) then maybe it would be the same. The compiler is forced to call the copy constructor for myFoos in the third example, and no amount of optimization can avoid that.
      However, I totally agree with your point -- the programming style of a higher-level language does not carry through to machine code in any real way.
      However, I totally agree with you point -- the programming style of a higher-level language does not carry through to machine code in any real way.
      I also highly doubt the hack author would have written the hack in anything other than assembly anyway.

    8. Re:I don't understand. by Anonymous Coward · · Score: 0

      And possibly, the third too (strength reduction). I would rather have written it differently btw :

      for(;myfoos;++myfoos)
      DoItTo(*myfoos);

      I always use the preincrement because the postincrement has an overhead, especially when using STL.

    9. Re:I don't understand. by Tackhead · · Score: 2, Insightful
      > A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid.

      You're assuming the code in question was compiled. Glancing at it, I'd lay good odds that it was handcrafted.

      Besides, with the risk of being DMCA'd into his or her component atoms (regardless of where our mystery hacker lives), this isn't the kind of hack you can do in 15 minutes, slap your name on it, and get your ego gratification by having worldwide bragging rights.

      That leaves only one other route to ego gratification - spend a few hours, make it perfect, and get your ego gratification by presenting a beautiful gift to geeks and hackers around the world... and by leaving the world's DMCA types a puzzle they'll never figure out.

      Win-win, as I see it. And artful as all fuck. Call it the Faberge' egg of hackerdom.

      "Who was that masked man?"
      "Nobody knows, ma'am. Folks 'round here call 'im the Lone Ranger."
      "Artful fucker, ain't he?"
      "Yes ma'am. Maddest props to him."

    10. Re:I don't understand. by kc8kgu · · Score: 1

      A few points:

      As others have noted, and I agree, it most certainly was written in assembler.

      And I'm sure there isn't a whole lot of personal style that makes it through from the source to the machine language - but I *guarantee* there are cases when it does.

      Consider:

      * The fact that it more than likely was written in assembler makes my original proposition all the more valid. It won't go through a compiler and get "standardized". Any and all little nuances will end up being in the code that everyone sees.

      * It was just a silly little example in C - I could think of a dozen cases off the top of my head that would affect the machine language - preference for reversed loops, a love of function pointers, defensive bounds checks or lack thereof, always maximizing for speed, always maximizing for size, preference for an obscure factoring optimization, ad nauseam.

      QED

    11. Re:I don't understand. by Anonymous Coward · · Score: 0

      >I doubt that the machine language would
      >fingerprint them enough to catch them.

      Your use of the phrase "catch them" implies that you think there is some wrongdoing here. Presumption of guilt is not cool. There is no law against me changing the tubes in my guitar amp, and there's no law against me changing the chips in my xbox. DMCA may be written into the law of the land in the US, but that does not make it valid. And even if you believe the law is valid, it does NOT carry any weight outside the US borders.

    12. Re:I don't understand. by Tony-A · · Score: 1

      And I'm sure there isn't a whole lot of personal style that makes it through from the source to the machine language - but I *guarantee* there are cases when it does.
      It is possible to identify people just from the way they walk.
      The compiler will do a good job of muddling the distinctions among programmers, but most of the organizational proclivities of the programmers will still get through into the machine code. For the exact same partial order implied by the algorithm and the data, the programmers will repeatedly choose a distinctive linear order. Oddly enough, if the programmers are good enough, and there is a determinable optimum linear order or a canonical linear order, two programmers can produce identical programs down to the exact spelling of the comments.

    13. Re:I don't understand. by Anonymous Coward · · Score: 0

      wow amusingly drawn analogy. except the 007 actually refers to the james bond 007 game.

  11. Stop these immoral actions! by henriksh · · Score: 5, Funny

    Why are you guys constantly trying to work against the hard-working software publishers at Microsoft?

    Come on, guys - you know it's not right. Don't copy that floppy!

    1. Re:Stop these immoral actions! by fishbowl · · Score: 1

      Come on, indeed.

      Does it harm the ketchup industry if I put mayonnaise on my burger? Should I support the ketchup people if they try to put the mayonnaise people out of business?

      --
      -fb Everything not expressly forbidden is now mandatory.
  12. Re:Hidden code? (x1488) by Anonymous Coward · · Score: 0

    What's the point in posting anonymously and then foeing someone that has no freaks (except you)? Just curious.

  13. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows it would be interesting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer, the above are merely ideas, I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...
    2. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      Habibi wanted only Linux to run on the Xbox, not pirated games. I don't know why someone would pity Microsoft, but I guess he thought the Xbox and the "Xbox Scene" would go down the crapper if piracy was software only.

    3. Re:Why did the hacker try to hide how he did it? by lkaos · · Score: 5, Insightful

      Nah, this is still just a buffer overflow. I doubt he "put" it in there.

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      The modification of the public key to make it divisible by 3 was just beautiful.

      --
      int func(int a);
      func((b += 3, b));
    4. Re:Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 3, Interesting

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.


      But isn't the whole philosophy behind linux to be open and clear?

    5. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      Crackers can't claim fame with their original name, so there is little protection against copycats stealing the show. Obfuscation creates a delay during which the original crack becomes famous. This kind of crack also limits full flexibility to knowledgeable people. It is a tool for script-kiddies only with its default functionality. Other possible uses are delayed until the code is deobfuscated _and_ some "data" is found. Notice how the explanation still doesn't provide all information required to get a modified crack working. It leaves out two things: The signature of the save game and the private key for signing the target executable. It provides a roadmap, but you still have to understand it to find the way.

    6. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 1, Interesting

      So what? This isn't about Linux. It's the cracking of the most vigorously defended game console to date. It's a spy vs spy type of game with an appreciable side effect.

    7. Re:Why did the hacker try to hide how he did it? by Troed · · Score: 1

      Uhm. Go hack the Gamecube. Xbox was easy.

    8. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 4, Insightful

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are. Although the legality of hacking the X-Box is questionable, it's in a different world entirely from the vandalism associated with computer break-ins, and the community is doing this to a product they paid for and own.

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

    9. Re:Why did the hacker try to hide how he did it? by Rick.C · · Score: 2, Funny
      But isn't the whole philosophy behind linux to be open and clear?

      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    10. Re:Why did the hacker try to hide how he did it? by silas_moeckel · · Score: 3, Insightful

      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks (and that's a bit of a new thing due to the excessive laws against it). A script kiddie is just that, a script kiddie; let's try to not confuse the two. If they call themselves a hacker that's fine, it doesn't make it true. The hackers of the world know who they are and how to tell their own.

      --
      No sir I dont like it.
    11. Re:Why did the hacker try to hide how he did it? by Penguin2212 · · Score: 1

      Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are.

      I would assume that by "Script Kitty" he meant somebody who does that kind of shit. However, there is a distinction between knowing how to do something like that, and actually doing it. A person who knows how to "r00t" your box and erase your entire root partition, but chooses not to and rather decides to help to solve that problem would most certainly not be a script kitty. Just because somebody has "1337 5ki11z" doesn't mean that they have to use them for evil.

    12. Re:Why did the hacker try to hide how he did it? by Patrick13 · · Score: 1
      If anyone knows it would be interesting to hear the reason why.


      Isn't there a fair sum of money up for grabs for the person who creates a non-modded linux Xbox hack?

      --
      ::.. check out some Cell Phone Reviews
    13. Re:Why did the hacker try to hide how he did it? by Arrepiadd · · Score: 1
      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off

      That's why there are hackers... and crackers!

      Although people tend not to use the term crackers, it exists and it refers to what you call a bad hacker.

    14. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 2, Insightful
      You said that

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

      Are you trying to say that this was illicit modding? Let's look at it: this is using the hardware they sold you for what you want to do. You don't have to sign an agreement with MS to buy x many games. If they want that, then they should handle it the same way that Columbia House et al do.

      There is nothing that says that if I buy a PS2, I must buy games for it. What if I just buy one, and that is the only one I wanted? Maybe in 2 years, I go and buy a discount game somewhere, or some used games. That is not breaking the law; I can do whatever I want with it.

      If I choose to not buy any games for my game machine, that is their problem, not mine. They take that risk when they make the game machine, they hope that it will make a profit, but they are not guaranteed.

      This is not illicit modding, it would only be illicit if people were modding them and then selling those as original boxes.

    15. Re:Why did the hacker try to hide how he did it? by S.Lemmon · · Score: 4, Insightful

      I'm sure the reason was to make it harder for others to use the same hack to play copied games.

      Remember, they've already gone out of their way to stress its use for a legitimate purpose (running Linux) and not for piracy. This is just one more example of that. It shows a good faith effort by the authors to ensure the hack can't as easily be exploited for other purposes.

    16. Re:Why did the hacker try to hide how he did it? by TeknoHog · · Score: 4, Funny
      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      I second that. Why else would it have a power animal from Antarctica? Also, it did originate in Finland, where it's pretty bloody cold during most of the year.

      --
      Escher was the first MC and Giger invented the HR department.
    17. Re:Why did the hacker try to hide how he did it? by miu · · Score: 3, Insightful
      Hackers traditionaly hold to the ethic of do no harm. It's one thing to get into a box poke around get some evidence that you were there and not damamge anything besides covering your tracks

      What you are describing is still a system cracker. The "do no harm" philosophy is pure ignorance. Someone breaking into a machine and covering his tracks can do a lot of unintentional harm.

      Those who hack the XBox don't have to worry about causing harm because they are working entirely on their own equipment.

      --

      [Set Cain on fire and steal his lute.]
    18. Re:Why did the hacker try to hide how he did it? by dash2 · · Score: 1

      The hackers of the world know... how to tell there own.

      Yeah, and so do I: by their bad spelling and grammar.

    19. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      Actually, the "ethic" seems to be "do no harm unless you have a personal axe to grind with your current target."

      At any rate, far too flexible for someone to actually trust in.

    20. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      What you are describing is still a system cracker. The "do no harm" philosophy is pure ignorance. Someone breaking into a machine and covering his tracks can do a lot of unintentional harm.

      Standard operating procedure for dealing with a break-in where I work: nuke the system and restore from backups. I guess we could avoid this if we instead spent several days auditing the system. Unfortunately, one must always assume the worst: there's no way to tell how badly the system has been compromised, so all break-ins must be treated as complete losses. As for unintentional damage, the last few hacks I witnessed involved no data loss whatsoever, but the root-granting exploit caused the system to become unstable over time and we had to endure repeated crashes before we finally realized what had happened.

      I'd be willing to bet that none of the people who defend "ethical" crackers have ever had to professionally admin a server.

    21. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      A person who knows how to "r00t" your box and erase your entine root partition, but chooses not to and rather decides to help to solve that problem

      If they break in, as far as I'm concerned it's just as bad, because we can't assume anything about their intentions. Unless they're specifically employed to police our boxes/network, they have no business and no right to gain unauthorized access to our systems, and I'll assume that any breakin is malicious.

    22. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      Are you trying to say that this was illicit modding?

      Illicit, not illegal. I think the project is actually quite cool. My point is that it's (necessarily) very secretive, definitely not what the manufacturer intended, and possibly illegal under the current fucked-up technology laws we have. It's just enough of a gray area that Microsoft (or the MPAA, etc.) will take any chance they get to lump it in with break-ins and piracy. But I don't think it's wrong: that was the point.

    23. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      No, the system (xbox) just doesn't properly guard against misbehaving software (007 save system). Par for the course.

    24. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      Unauthorized?

      Unless they're specifically employed to police our boxes/network

      Then they're authorized, aren't they?

    25. Re:Why did the hacker try to hide how he did it? by Cruciform · · Score: 3, Funny

      That's it. Hand in your geek card and membership kit.

    26. Re:Why did the hacker try to hide how he did it? by silas_moeckel · · Score: 1

      You're talking about 20 years of difference in society. Hackers breaking into computers was something that happened 20 years ago because they were there. I would hazard to say that those same people today aren't breaking into other people's systems without consent anymore. Remember, it's a term from about 30 years ago, before the days of home computers, when unless you worked for or went to school someplace that had processing power you didn't have any means of using a computer with any appreciable power legally.

      And as a past system admin (back long long ago :), yes, any sign of a break-in should elicit a complete restore; there are too many places to leave a nasty bit of code. In the modern age, if you don't design your systems as pretty disposable you are really engineering yourself into a corner.

      --
      No sir I dont like it.
    27. Re:Why did the hacker try to hide how he did it? by itzdandy · · Score: 1

      This is a "cracker"; this is willful destruction of another's property and is against "hacker" ethics. "Hackers" are all about freedom of information and will gladly break into a system and take data, but not destroy it.

    28. Re:Why did the hacker try to hide how he did it? by n6mod · · Score: 1

      From what I've read, the buffer overflow is in an XDK call. In other words, it's Microsoft that blew it.

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
    29. Re:Why did the hacker try to hide how he did it? by fishbowl · · Score: 1

      >But isn't the whole philosophy behind linux to
      >be open and clear?

      You are not allowed to be "open and clear" when you reside in a Federal prison. And it's really hard to be of any use to the community when you are locked up in a Federal prison which happens to be on the communist island nation of Cuba.

      [I'm still appalled, that I have never heard anyone question the existence of a US prison in Cuba.]

      --
      -fb Everything not expressly forbidden is now mandatory.
    30. Re:Why did the hacker try to hide how he did it? by Lectrik · · Score: 1
      Hackers traditionaly hold to the ethic of do no harm. It's one thing to get into a box poke around get some evidence that you were there and not damamge anything besides covering your tracks (and thats a bit of a new thing due to the excessive laws against it) A script kiddie is just that a script kiddie lets try to not confuse the two. If they call themselves a hacker thats fine it dosent make it true. The hackers of the world know who they are and how to tell there own.


      If I had to define the term "Hacker", I think I'd go with: someone who finds unintended ways to do cool things with hardware/software that were never intended by its creators.
      --
      --- As to make my comment seem, by comparison, more intelegent... doodie doodie doodie poop poop poop!
    31. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      You don't live in the UK then. We are meant to be the US's strongest ally, except we are appalled by your country's actions. That prison is the sort of thing that Saddam would have.

      Freedom indeed.

    32. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      The art in a case like this isn't in what comes of its use. The art is in what is done with the code that is written. It doesn't matter if it was a hack done to a program and has an illegal use or if it was a completely separate program that was written with more than the functioning of that program in mind. That is where the art lies, you're analyzing the wrong part. The ethics only work in a certain frame of mind. Maybe once you get thrown in jail, you wake up to the "real world". But if a job and a car and a place in society aren't motivations then jail will only keep you from performing these actions until you're free again.
      In this particular matter will this attitude result in more laws being passed against the distinction of hobbyist versus the already criminal criminal? Perhaps, but the two approaches seem to be reaching for the same result, except that with this philosophy, the laws don't matter.

    33. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 0

      This is why: Because he could, because he has mad ninja skillz.

      I did the easy-factor xor mod (I used 5) back in 1996 (and was astonished to find something using an entire 512-bit RSA key).

      More often than not it's completely replaced or the checking routine is simply nobbled (you'd be amazed how many copy protections' "strong crypto" has ended in a conditional branch over the years).

      I even wrote an analysis tool for self-modifying code, and I still have goosepimples about the 68000 virus I disassembled once that didn't have enough room in the bootsector, so copied itself at the end, but bitshifted and xored - incredibly, the mangled opcodes not only ran, but contained the other third or so of the code. She may have been a psychotic suicidal lunatic but damn she could write code.

    34. Re:Why did the hacker try to hide how he did it? by Tokerat · · Score: 1


      In the context of the X-Box hack, however, I think "hacker" means something more like "dreams in x86 assembler", or "impresses Carmack", or perhaps "pwnz L1NUS!!!11"

      Well, maybe not that last one...

      --
      CAn'T CompreHend SARcaSm?
    35. Re:Why did the hacker try to hide how he did it? by gezerk · · Score: 1

      >> She may have been a psychotic suicidal lunatic but damn she could write code.

      Sounds like a GREAT first line for a book!

  14. Brilliant! by 1010011010 · · Score: 5, Insightful

    The code is just brilliant. A lot of care was taken in the construction of this hack. No script kiddie is he.

    It looks like it retrieves the private key. That's interesting.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    1. Re:Brilliant! by Anonymous Coward · · Score: 0

      And this got modded up, why?

    2. Re:Brilliant! by ignoramus · · Score: 5, Interesting

      It looks like it retrieves the private key. That's interesting.

      I agree that it's interesting but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating its own (new and weak) key pair.

      From the article: Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?
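
      An added worked example of the point ignoramus makes above (this is not code from the article, from the hack, or from anyone in this thread): if the verifier's RSA modulus can be overwritten in memory, the attacker never needs the vendor's private key. The toy below uses two well-known small primes and a search over single-byte patches, both of which are illustrative assumptions rather than the hack's actual technique. It patches one byte of the modulus so that the result is 3 times a prime, mirroring the article's "now divisible by 3", derives the matching private exponent for the patched modulus, and shows that a forged signature verifies under the patched key and fails under the original.

```python
"""Added example, not from the article or the thread: why patching an RSA
public key in memory yields a new, attacker-controlled key pair.

Toy model: a 'firmware' verifies textbook RSA signatures under a hard-coded
public key (N, E). The attacker cannot learn D, but can overwrite bytes of N
in memory. Any N' the attacker can factor gives a working D' for N', so
anything signed with D' verifies under the patched key.
Constructed parameters: the two primes, E, and the one-byte-patch search."""

import hashlib
from math import gcd

# Constructed toy key: well-known primes, far too small for real use.
P = 2147483647                        # 2**31 - 1 (Mersenne prime)
Q = 4294967291                        # largest prime below 2**32
E = 65537
N = P * Q                             # 63-bit modulus
D = pow(E, -1, (P - 1) * (Q - 1))     # vendor's private exponent; attacker never sees it


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with a base set that is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def digest_int(message: bytes, modulus: int) -> int:
    """Toy hash-to-integer (no padding scheme), reduced mod the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def verify(message: bytes, sig: int, n: int, e: int = E) -> bool:
    """What the firmware does: check the signature under whatever n is in memory."""
    return pow(sig, e, n) == digest_int(message, n)


def forge_key(n: int, e: int = E, small_factor: int = 3):
    """Search single-byte patches of n for n' = small_factor * prime and
    derive the matching private exponent d'. Returns (n', d')."""
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    for pos in range(len(nbytes)):
        for val in range(256):
            if val == nbytes[pos]:
                continue
            patched = bytearray(nbytes)
            patched[pos] = val
            n2 = int.from_bytes(patched, "big")
            if n2 % 2 == 0 or n2 % small_factor != 0:
                continue
            cofactor = n2 // small_factor
            if cofactor == small_factor or not is_probable_prime(cofactor):
                continue
            phi = (small_factor - 1) * (cofactor - 1)   # phi of a squarefree n'
            if gcd(e, phi) != 1:
                continue
            return n2, pow(e, -1, phi)
    raise RuntimeError("no single-byte patch gave an easily factorable modulus")


def demo(message: bytes = b"unsigned payload (constructed)") -> dict:
    """Patch the key, sign with the derived exponent, verify under both keys."""
    n_patched, d_patched = forge_key(N)
    sig = pow(digest_int(message, n_patched), d_patched, n_patched)
    changed = sum(a != b for a, b in zip(N.to_bytes(8, "big"), n_patched.to_bytes(8, "big")))
    return {
        "patched_modulus": n_patched,
        "divisible_by_3": n_patched % 3 == 0,
        "bytes_changed": changed,
        "verifies_under_patched_key": verify(message, sig, n_patched),
        "verifies_under_original_key": verify(message, sig, N),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      Nothing in the search depends on the key size; a 2048-bit modulus is handled the same way, because the attacker only needs a small factor to divide out and a primality test on what remains. The takeaway is the one the thread reaches below: the key and the comparison have to live somewhere the attacker cannot write.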

    3. Re:Brilliant! by Anonymous Coward · · Score: 3, Informative

      It does not retrieve the original private key. By modifying the public key in memory, the exploit effectively creates a new key pair. Read the complete article.

    4. Re:Brilliant! by Dthoma · · Score: 2, Insightful

      "My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?"

      There is no solution. If someone's got physical access to hardware, all bets are off and there's nothing you can do. The only solution to the problem would be a physical one, such as using superglue to hold the case shut.

      --

      Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

    5. Re:Brilliant! by 3.1415926535 · · Score: 3, Informative

      So what is the solution?

      I'll give you a hint: There isn't one!

      As somebody whose name escapes me at the moment said, "There ain't no such puppy as a trusted client."

    6. Re:Brilliant! by bucky0 · · Score: 3, Interesting
      --

      -Bucky
    7. Re:Brilliant! by circusnews · · Score: 1

      Correct me if I am wrong, but does this not show that trusted computing will be DOA once someone uses such a method on a trusted system?

      I guess my question is not so much "what is the solution", but are we looking at the right problem?

    8. Re:Brilliant! by SiliconEntity · · Score: 1

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?

      You'd have to put the key and the checking code into tamper-resistant hardware which then had the power to shut down the game and refuse to play it if the signature was bad. Ideally the hardware would be integral to the operation of the system so you couldn't just disable it.

    9. Re:Brilliant! by Cylix · · Score: 3, Interesting

      This was defeated.

      I believe Capcom uses this technique on their boards. The problem is, batteries tend to die over time and at some point the key is lost due to age. (3 years?) The manufacturer will generally fix the system.

      However, this encryption method was eventually defeated. The guys were originally doing it to get the old Capcom ROMs off, but found out they could decrypt the newer games too.

      At the time, they decided not to release their findings, as they were a classic rom shop and didn't want to destroy the technique for newer arcades.

      I believe the group was decrypting the roms and released those, but eventually someone gave out the material.

      I gave up following the story when they said they cracked it, but ethical reasons kept them from giving away the information.

      Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    10. Re:Brilliant! by bucky0 · · Score: 1

      Reading the link I sent you makes it seem like their encryption has gone through revisions and current stuff is looking difficult to crack...

      Regardless, if that type of crazy encryption can keep hackers at bay for 5 years, that's great considering most consoles have a lifetime of 5 years.

      --

      -Bucky
    11. Re:Brilliant! by Anonymous Coward · · Score: 0

      There is no solution to modifying keys in the device if the user can get his paws on it. Only a download of a key externally can do it. A USB key could be a feasible commercial solution, if distributors took responsibility for PKI infrastructure after the point of sale.

    12. Re:Brilliant! by hbo · · Score: 2, Funny

      Don't publish no durn code with buffer overruns. 8)

      Even Palladium won't protect you if you have one of those, providing the vulnerability occurs after the application has authenticated to the hardware. Unless you do something like challenge the app periodically to prove it has an intact copy of the secret key. Does Palladium do that? I don't know. Anti-stack crashing kernels combined with a crypto enabled platform could help too. But the whole game is complex as hell. And it has some of the best minds on the planet working on both sides, so the whole thing is an arms race. I'm nowhere near brilliant enough to predict what attacks those clever folks will mount on such a platform, or to predict their chances of success.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    13. Re:Brilliant! by JazFresh · · Score: 1
      Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

      As George found to his chagrin in the Seinfeld episode "The Frogger".

    14. Re:Brilliant! by fishbowl · · Score: 1

      "A USB key could be a feasible commercial solution, if distributors took responsibility for PKI infrastructure after the point of sale."

      But the scale of the problem must prevent that.

      One of my MSDN subscriptions failed to activate, because the activation key was already taken. My guess is that someone registered it along with a wide swath of other keys, perhaps using a generator or just guessing. They aren't afraid of any consequences -- why should they? They are less than a needle in a haystack.

      Meanwhile, I, the paying customer (or the customer's agent/admin/manager/whateverIam), am shut out of the product I purchased.

      The whole thing would be better without the copy protection in the first place -- the "protection" didn't protect either the customer or the vendor, nor did it prevent the unauthorized use. On the other hand, it did create an inconvenience and an expense for everyone involved: the customer, the vendor, and the unauthorized user.

      --
      -fb Everything not expressly forbidden is now mandatory.
    15. Re:Brilliant! by Anonymous Coward · · Score: 0

      It can still be emulated - accurately to a remote user, if you can snarf the keys in any way. And believe me, with oracle attacks, power analysis attacks and timing attacks, there's a lot you can do ;)

  15. Holy Shit! These guys are assembly gurus! by Anonymous Coward · · Score: 0

    This is an amazing account of reverse engineering!

    The original programmer really knows his shit to want to hide everything, but the guy who reversed it is even better!

    It's almost like watching two dueling programmers!

    Let's all toast them with a glass of Martini-Wodka (use only Moskovskaja: non-russian Wodkas are appalling)

    +ORC (the old red cracker)

  16. Re:FP by Anonymous Coward · · Score: 0

    The fact that you actually used the correct versions of "your" and "you're" in the right places leads me to believe that this is a true statement.

  17. Hexadecimal. by aussersterne · · Score: 1, Informative

    Many calculations in computing are done in base 16 because it's convenient (each circuit is either on or off, two possibilities; 16 is 2 to the 4th power, while 10 is not an even power of two).

    In base 16 notation, the digits usually are:

    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f

    So, 15 in decimal (base 10, what you're used to) is f in hexadecimal (base 16, more convenient for computing due to on/off nature of electricity, since 16 is an even power of 2).

    And just as 9 + 1 = 10 (reach the highest digit? carry the one and begin with a zero again in the next column) f + 1 = 10 (reach the highest digit, carry the one and begin with a zero again in the next column).

    Other basic hex math for example:

    9 + 1 = a

    9 + 2 = b

    f0 + 1 = f1

    ff + 1 = 100

    a + 1 = b

    b + 2 = d

    And so on.

    The 0x is a holdover from C programming; prefixing a value in C by 0x indicates that it is a hexadecimal (base 16) number and not a decimal (base 10) number.

    --
    STOP . AMERICA . NOW
    1. Re:Hexadecimal. by smeenz · · Score: 3, Insightful

      It's a sad sad day when someone gets modded up for explaining how hexadecimal works on slashdot.org

      Come on.. are we geeks or mice here ?

    2. Re:Hexadecimal. by Dthoma · · Score: 1

      "Come on.. are we geeks or mice here ?"

      Squeak!

      --

      Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

    3. Re:Hexadecimal. by Anonymous Coward · · Score: 0

      it's what happens when you give script kiddies mod points

    4. Re:Hexadecimal. by Anonymous Coward · · Score: 0

      Well aren't we the karma whore? ;)

    5. Re:Hexadecimal. by Anonymous Coward · · Score: 0

      Even though you got modded back down, I appreciate the honest response. Not all of us are programmers here.

  18. Don't Copy that Floppy by Altheus · · Score: 4, Funny
    1. Re:Don't Copy that Floppy by efishta · · Score: 1

      I thought it was interesting that the Rap song sounded like it was from the early 90s, and the games looked like they were from that era (Oregon Trail 1??) but the programmer was talking about Neverwinter Nights. Has NWN really been in production that long?

    2. Re:Don't Copy that Floppy by Echnin · · Score: 1

      He was talking about the original Neverwinter Nights.

      --
      Lalala
    3. Re:Don't Copy that Floppy by Echnin · · Score: 1

      Oops, should have previewed; messed up a link tag. Here's the site I was trying to link to: The original Neverwinter Nights.

      --
      Lalala
    4. Re:Don't Copy that Floppy by The-Perl-CD-Bookshel · · Score: 1

      I think that it is great that they show Tetris in that video because the guy who was responsible for all of the math behind Tetris was getting swindled out of his money by the developers for years. So kids: stick to copying other people's ideas, please!

      --
      I don't keep a lid on my coffee so when I walk around I look busy -me
    5. Re:Don't Copy that Floppy by Anonymous Coward · · Score: 0

      Thanks for the link, now my ears are bleeding.

  19. You know your a geek... by Realistic_Dragon · · Score: 4, Funny

    ...when you can skim that article and not need to look anything up.

    --
    Beep beep.
    1. Re:You know your a geek... by Anonymous Coward · · Score: 0

      I know you're a geek, when you cannot differentiate your and you're.

    2. Re:You know your a geek... by nathanh · · Score: 1
      ...when you can skim that article and not need to look anything up.

      You really know you're a geek when you can read the opcodes without referring to the assembly.

  20. What does this hack let you do? by Anonymous Coward · · Score: 0

    I don't get it. I read the article, but I don't quite get what is being hacked or what is activating it. Is it a hack to hack your saved games? Or is it a way to modify your save game through an editor, which when loaded will overwrite your operating system in some way that lets you hack it? And what does it have to do with Linux - doesn't the xbox run something else? How could someone design a saved game for the xbox which hacks a Linux kernel?

    1. Re:What does this hack let you do? by redwoodtree · · Score: 1

      I wish someone would answer this question too. I have no idea what the heck it's all about either.

    2. Re:What does this hack let you do? by Ho-Lee-Chow · · Score: 2

      What does this hack let you do?

      Well, how about running the code of your choice on an Xbox? How does that sound? (Hint: it used to be impossible without doing a hardware mod.)

      Disclaimer: Since I don't own an Xbox, some of these details are a little sketchy and may be incorrect.

      This hack lets you load unsigned software, such as Linux, of your choice onto an XBox, without using a mod-chip or making any hardware mods. Previously, you could only run software that is signed by Microsoft on an Xbox, unless you voided the warranty and made Xbox Live impossible by installing a mod-chip or flashing the BIOS.

      You need a copy of 007: Agent Under Fire. You load the "unsigned" (*) code, such as Linux, and a specially hacked 007: AUF savegame onto a special kind of memory card that connects to your PC.

      You then fire up 007: AUF, and load the hacked savegame, which takes advantage of the buffer overflow exploit in order to load your "unsigned" code. This "unsigned" code could be Xbox Linux, XboxMediaPlayer, or any of the other homebrew projects out there for Xbox.

      If you haven't heard of the open-source XboxMediaPlayer, it looks pretty sweet. It can play all kinds of audio and video files from your Xbox's hard drive or a streaming server, such as: WMV, ASF, WMA, VCD, SVCD, MPEG, JPEG, GIF, BMP, DivX, XVid, etc. It basically turns your Xbox into a cheap Media Centre PC (except for the TV recording part).

      (*) Actually, according to the article, you have to sign the code yourself, but it's easy in this case, because of the way the exploit works.

    3. Re:What does this hack let you do? by Anonymous Coward · · Score: 0

      Some things in the parent not quite clear, will clarify for him.

      A special kind of memory card that connects to your PC: Mega X-Key or (if you prefer) Action Replay Xbox.

      The appropriate thing to do with this is to use it to upload the Free-X font overflow (Bert & Ernie, or ideally a derivative like Bert Cheats On Ernie/Snuffleupagus - be VERY careful about kernel versions, we don't have addresses for everything yet!).

  21. The source code for by Pinguu · · Score: 1

    Windows XP is stored in tux

    --
    --
  22. XBOX is evil by Anonymous Coward · · Score: 3, Interesting

    Microsoft takes the open PC standard, cripples it, makes it so that you can't upgrade it, you can't WRITE code for it without paying them royalties, you can't RUN code on it without paying them, and puts their logo on the front. If you even try to open this crippled PC, your warranty is void; if you open up and play around with this crippled PC that you paid for and you own ("hack") you are breaking the law. Don't even think about selling modifications to this crippled PC. You will be put in prison with all the rapists and murderers and other menaces to society.

    The scariest part? In 10 years, we won't be talking about a console. This is the future of the PC.

    1. Re:XBOX is evil by Anonymous Coward · · Score: 0

      What I don't understand is why every other hardware company DOES NOT see that M$ is a threat to them, and not a "partner." I mean, Oracle, Apple, AOL, and Sun know M$ is a threat, but why don't Dell, HP-Compaq, Gateway, and all the other boxmakers see this? Are they so short-sighted? They are already slaves to Microsoft. Their business depends on Windows. Every box they sell must have Windows or they will go out of business. If there was a good desktop alternative to Windows, M$ would have competition and wouldn't have the boxmakers by the balls. Isn't it in EVERYONE'S best interests to support open source??

    2. Re:XBOX is evil by bucky0 · · Score: 3, Insightful

      I shouldn't feed the troll, but here goes:

      1)Making it upgradable would increase cost, they wanted the cheapest box for the performance they could make (sockets cost money)

      2)If you don't like the idea of not being able to write your own code for it, then don't buy it.

      3)puts their logo on the front...in that case is Dell also evil?

      4)If you even try to open this crippled PC, your warranty is void....why does microsoft have to warranty actions on the XBOX that it's not designed for? That's like me saying that AMD should still warranty my processors even if I'm running them out of spec

      5)...you are breaking the law. Despite what the spin doctors say, as long as you aren't hacking your Xbox to play copied games, they can't touch you if you're putting your own software on there (that said, if a side effect of your little hack causes someone to be able to play burned games, then they're gonna come after you (which sucks for fair use...)).

      6)The scariest part? In 10 years, we won't be talking about a console. This is the future of the PC. That is the scary part though. Even though 'the powers that be' keep claiming that people will be able to run unsigned content on TCPA hardware, I can't imagine that it would 'accidentally' cripple things like Linux and BSD that hurt the bottom line.

      --

      -Bucky
    3. Re:XBOX is evil by Anonymous Coward · · Score: 0

      if you open up and play around with this crippled PC that you paid for and you own ("hack") you are breaking the law

      If you modify and use this viral source code (GPL) that you downloaded and you own you are breaking the law.

    4. Re:XBOX is evil by Anonymous Coward · · Score: 0
      So stop whining about it and don't buy the god damned thing. Christ on a stick already! Will you STFU already and get a clue? If people WANT to do the things you are talking about, but the market isn't supplying it to them, then START YOUR OWN FUCKING COMPANY and fulfill the need and make a huge profit while you're at it.

      Like this calculator I have. It's a scaled down computer which has been crippled so that I can't upgrade it. I can't write code for it either. And I can't run code on it. And the fucking bastards -- their Casio LOGO is on the front! If I even try to open up my calculator (nothing more than a crippled computer) my warranty is void.

      Sweet screaming Jesus... oh, and learn to fucking type. Your grammar is atrocious.

    5. Re:XBOX is evil by Anonymous Coward · · Score: 0

      I think you missed the point. The point was that Microsoft is in a position to do all that crippling and controlling that was mentioned to the PC. Casio isn't. Casio does not have 95% of the desktop OS market. Casio isn't making a box with almost "off the shelf" PC parts. Casio isn't (as far as I know) one of the founders of TCPA.

    6. Re:XBOX is evil by Anonymous Coward · · Score: 0

      3)puts their logo on the front...in that case is Dell also evil?

      Dell PCs are still open. They use standard parts. You can open them. You can upgrade them. You can format and install Linux on them.

    7. Re:XBOX is evil by Anonymous Coward · · Score: 0
      I think you missed the point. The point was that Microsoft is in a position to do all that crippling and controlling that was mentioned to the PC. Casio isn't. Casio does not have 95% of the desktop OS market. Casio isn't making a box with almost "off the shelf" PC parts. Casio isn't (as far as I know) one of the founders of TCPA.

      Who cares what Microsoft is or isn't a founder of. If Microsoft starts making devices that nobody really wants (due to lack of expandability, whatever) then people aren't going to buy them. Thus, someone else will step up to the plate with a computer that people DO want (because it is expandable, whatever) and people will buy them.

      So if Microsoft cripples Windows so that it will only run on lame devices, then Windows no longer becomes relevant. Period. People will start buying Macs or generic Linux boxes.

  23. Could a rival console maker be behind this? by Martin+Marvinski · · Score: 3, Insightful

    You might be right about this being a spy vs. spy thing because the stakes are so huge. This could mean that rival console makers are actually hacking the X-box to diminish its threat. That could be a reason why this hack was so well done!

    You brought up an excellent point!

  24. Spell check by Anonymous Coward · · Score: 0

    I'm still curious as to what "deceipt" is.

    1. Re:Spell check by OpCode42 · · Score: 3, Funny

      Its like a receipt, but a deceipt is proof that you didn't purchase something.

  25. Whoever figured this out originally... by still_sick · · Score: 1

    ... Should go down in the hall of fame right next to the guy who figured out Whippits (sp?). To misquote Dennis Leary, these kids should be working for the Space Program!

    --
    ...Also, I didn't know Buggalo could fly.
  26. Does M$ have a fetish by pair-a-noyd · · Score: 2, Insightful

    for buffer overflows or what??

    Seems that's the number one way to whack an M$ system...

    1. Re:Does M$ have a fetish by damiam · · Score: 2, Insightful

      It's the number-one way to whack any system, Microsoft or not. And no, saying 'M$' instead of 'MS' doesn't make you look cool.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      "And no, saying 'M$' instead of 'MS' doesn't make you look cool."

      Um, excuse me, I'm not trying to look cool when I say "M$".
      I use that out of PURE DISRESPECT for a company and a thought process that I utterly despise with the most prejudice and malcontempt that I can muster.

      You stand corrected.

    3. Re:Does M$ have a fetish by damiam · · Score: 1, Insightful

      If the most prejudice and malcontempt you can muster is the immature replacement of an S with a $, then you have some severe issues. It's no more mature or effective than referring to open source software as "open sores" or to Linux as "Lunix".

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    4. Re:Does M$ have a fetish by IIRCAFAIKIANAL · · Score: 3, Funny

      From my parent's basement, I stab at thee!

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    5. Re:Does M$ have a fetish by ceejayoz · · Score: 4, Funny
    6. Re:Does M$ have a fetish by wcbarksdale · · Score: 1

      To be more precise, it's the number-one way to whack a system written in C.

    7. Re:Does M$ have a fetish by tc · · Score: 1
      To be even more precise, it's the number-one way to whack a system written in C running on a machine with a downwards-growing stack.

      I've always wondered about this. Why do stacks grow downwards? It seems to me that it wouldn't be any less efficient for them to grow upwards, and growing upwards would have the handy side-effect that buffer overflows would be less likely to be exploitable. Of course, it's a bit late to change how the most popular processors in the world work now...

    8. Re:Does M$ have a fetish by Tazzy531 · · Score: 1

      I don't remember specifically [it's been over 2 years since Comp Architecture class], but I thought program code grows downwards and data/memory space grows upwards. That way you have plenty of room for each... but not really sure...

      --
      _______________________________
      "I'm not Conceited...I'm just a realist..."
    9. Re:Does M$ have a fetish by tc · · Score: 1
      I guess that might be the historical reason, but in these days of virtual memory and separately allocated stacks, it wouldn't make any difference.

      Seems like it would be a security win to switch to upwards-growing stacks in future. Or am I missing something?

    10. Re:Does M$ have a fetish by grimani · · Score: 1

      It's the #1 way to whack any system...

    11. Re:Does M$ have a fetish by NintenDoctor · · Score: 2, Interesting

      This is a 007: Agent Under Fire exploit, not an exploit inherent to the Xbox. Agent Under Fire was made by EA, not Microsoft. Blame the right company.

      If this was analyzing the MechAssault hack, then you might have a point.

      --
      I've moved on.
    12. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      My point is that Windows, which the Xbox runs, is so rife with security flaws that there is little wonder that a simple buffer overflow did it.

      Windows is the O$ with insecurity built in..

    13. Re:Does M$ have a fetish by Felinoid · · Score: 1

      Short answer, no. Unix and security experts have a buffer overflow fetish, as do crackers.
      This is an easy mistake to make, so it happens to nearly everyone once, and it's a particularly nasty mistake as well.
      There are programs for Linux and Unix to deal with this sort of defect, to actually crash programs that behave this way, and the 386 (onward) tries to prevent this sort of behaviour.

      Some of my early games had this defect (you could run off the screen into system memory... like Tron... and wreak havoc on the system... Oops)

      Using this defect you could edit system memory and overwrite parts of the OS, and all you have to do to enable this mistake is not keep track of your data to be sure you're not putting more data into memory than you've requested from the OS.

      So why does it happen to Microsoft more than anyone else?

      Three important reasons.

      1. Open source and micro kernel. You can fix the problem by replacing the defective part of the system. Like recovering moldy cheese by cutting off the bad parts.
      With open source you find the bad code and fix it. With a micro kernel you find the defective file the code is contained in and rewrite, patch or replace that segment.
      Closed source monolithic is like Swiss cheese. The mold or defect is so buried in the product you'll never cut it out.

      2. Learn from your mustakes.
      Microsoft doesn't regard most defects as serious and just ignores them. Including buffer overflows. As such they don't learn from mistakes.
      Unix people can isolate the culprit and point fingers.. and they do.
      Linux people are the same only much worse.

      3. Alternatives: Windows people don't have easy alternatives; Unix and Linux people do.

      --
      I don't actually exist.
    14. Re:Does M$ have a fetish by Anonymous Coward · · Score: 0

      2. Learn from your mustakes.

      I cromulently agree.

      Oh, and great post. You are a very fart smeller^H^H^H^ [...] smart feller. :-)

    15. Re:Does M$ have a fetish by bucky0 · · Score: 1

      If the Xbox ran Linux, the same exploit would work. It's a by-product of the x86 architecture and the writers of the exploitable save programs, not Microsoft.

      --

      -Bucky
    16. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      I simply don't believe that.
      If I took a copy of Xbox Linux source code and built it from scratch on two boxes, one being an Xbox and one being, say, a PPC based box, then ran the same exploit on both boxes that are now running Xbox Linux compiled for THAT CPU, the Xbox would crack and the PPC box would not, simply because of the CPU??

    17. Re:Does M$ have a fetish by bucky0 · · Score: 1

      It depends on how the CPU handles the stack. When I said it was a fault of the x86 architecture, I didn't mean that only the x86 was vulnerable; there are other CPUs which are just as vulnerable to that attack. I was just saying that it's a hardware problem and not a software one.

      Returning to your example... if you rewrote the exploit in PPC assembler (most exploits like that are hand coded) and PPC was vulnerable, it would work.

      --

      -Bucky
    18. Re:Does M$ have a fetish by Fizzl · · Score: 1

      Yeah. M$ is so 90's ;)

    19. Re:Does M$ have a fetish by dvdeug · · Score: 1

      [buffer overflows are] the number-one way to whack any system, Microsoft or not.

      Any system that's written in a language that's vulnerable to buffer overflows, like C or Assembly. Trying to hack a Lisp machine via a buffer overflow is probably pretty futile.

    20. Re:Does M$ have a fetish by Anonymous Coward · · Score: 0

      The difference being that "open sores" is kinda funny.

  27. OMG That was so worth downloading. by ovapositor · · Score: 1

    I just loved that. I think the kids were using an Apple GS. I mean, can I say that here?
    This is interesting in that it predates the major wave of open source that we can freely copy.

    1. Re:OMG That was so worth downloading. by Anonymous Coward · · Score: 0

      That computer is a Mac LC circa '92 (found in some schools at the time). The video was made in 1992. So the open source movement had already begun on the internet... (like Linux) but the average person didn't have a good internet connection, so Linux has grown with the net. If I was on the net way back then, I would have been a Linux user a whole lot sooner.

    2. Re:OMG That was so worth downloading. by Anonymous Coward · · Score: 0

      If I was on the net way back then, I would have been a linux user a whole lot sooner.

      Ditto. And because Linux is very well historically preserved, I downloaded Linux .01 to Linux 1.0 and read every improvement to learn. Linus Torvalds is quite terrific and I thank him for much of my technical education on computers. I finished home-schooling, and I would've finished sooner had it not been for my interests in learning all about Linux, which in turn led me to read the entire history of Unix and cross-platform computing nostalgia etc. It's such a great time to learn, although I feel sad about all the IT companies. Sucks to be them, but still a good time to watch their software success. If I was a Linux user at the beginning, would I have finished home-schooling? *Shudder*

  28. Re:Hidden code? (x1488) by SharpFang · · Score: 1

    You say putting program code in contents of jpeg (despite the fact it could work quite elsewhere just as well) is just a common practice?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  29. I understood enough to understand ... by MickLinux · · Score: 2, Insightful

    ... that I didn't understand.

    I didn't have to look anything up, though...

    I know Assembly, and 80x8n assembly, especially. So that was no problem. I could follow the basic plot; I didn't bother to try to read most of the code, but when I did, it wasn't hard to read. The article was pretty good that way.

    But it looks to me like the article really didn't tell how the 007 Save Game was hacked. Rather, the article says "yeah it was hacked, and here's the neat part." But that's where it stops.

    There isn't enough info here to reproduce it, unless you already are into hacking the XBox.

    But that said, I wonder why [and maybe someone who does understand this hack can explain] the XBox-Linux people at sourceforge don't rewrite their install CDs, and give instructions, to allow a person to use this weakness to install Linux from a single CD.

    Could it be that this hack really isn't "out there" yet? That the "Free the XBox" hackers are actually still in negotiations with Microsoft [or with their concrete boots at the bottom of the river]?

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:I understood enough to understand ... by Jo+Owen · · Score: 1

      This hack was actually discovered a while ago; it's only the breakdown of it that's new.

      Could it be that this hack really isn't "out there" yet? That the "Free the XBox" hackers are actually still in negotiations with Microsoft

      The hack has been reproduced, however it requires a copy of 007, and so AFAIK it cannot claim the prize, so the contest continues...

    2. Re:I understood enough to understand ... by smeenz · · Score: 3, Informative

      The hack is essentially just an exploit of a buffer overflow in the game load code of the game 'Agent Under Fire' (AUF).

      Once the buffer overflow was found, it was a relatively simple matter of creating a doctored save game that caused the xbox to boot off the hard drive when you try and 'load' that saved game file.

      So to boot into linux, you have to buy AUF, obtain the doctored save game and get it onto the machine (I'm not sure how you go about that part.. perhaps the xbox has some removable media), then boot into AUF, go through the menu system, load your doctored save game, and behold, your xbox will boot into linux.
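A worked illustration of the bug class smeenz describes above, and of why tc's point earlier in the thread about the downward-growing stack matters: this is an added example, not code from the article or the XBox Linux Project, and not the real Agent Under Fire save format. The record layout ("SAVE" magic, a 16-bit name length, the name bytes), the 32-byte buffer and every function name are invented for illustration. The "stack frame" is simulated in a plain array, with the name buffer in the first 32 bytes and 4 bytes above it standing in for the saved return address, so the overwrite can be shown without undefined behaviour.

```c
/*
 * Added example (not from the article or the XBox Linux Project): a toy
 * save-game loader with the shape of bug the thread discusses. Record
 * format, sizes and names are invented:   "SAVE" | u16 name_len (LE) | name
 *
 * The frame is simulated: bytes 0..31 are the name buffer, bytes 32..35
 * stand in for the saved return address that sits just above a callee's
 * locals on a downward-growing stack.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP  32                    /* fixed-size name buffer in the frame */
#define RET_SLOT  NAME_CAP              /* offset of the simulated return slot */
#define FRAME_LEN (NAME_CAP + 4)

typedef struct { uint8_t bytes[FRAME_LEN]; } sim_frame_t;

static void frame_init(sim_frame_t *f, uint32_t ret) {
    memset(f->bytes, 0, sizeof f->bytes);
    for (int i = 0; i < 4; i++) f->bytes[RET_SLOT + i] = (uint8_t)(ret >> (8 * i));
}

uint32_t frame_ret(const sim_frame_t *f) {          /* read the return slot (LE) */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)f->bytes[RET_SLOT + i] << (8 * i);
    return v;
}

static int parse_header(const uint8_t *blob, size_t blob_len, uint16_t *len) {
    if (blob_len < 6 || memcmp(blob, "SAVE", 4) != 0) return -1;
    *len = (uint16_t)(blob[4] | (blob[5] << 8));
    return 0;
}

/* Vulnerable loader: trusts name_len and copies into the 32-byte buffer, so
 * bytes 32..35 of a doctored record land on the return slot. The two clamps
 * exist only to keep the simulation inside its own arrays. */
int load_save_vuln(sim_frame_t *f, const uint8_t *blob, size_t blob_len) {
    uint16_t len;
    if (parse_header(blob, blob_len, &len) != 0) return -1;
    if (len > FRAME_LEN) len = FRAME_LEN;                    /* simulation guard */
    if (len > blob_len - 6) len = (uint16_t)(blob_len - 6); /* simulation guard */
    memcpy(f->bytes, blob + 6, len);                         /* the bug: no NAME_CAP check */
    return 0;
}

/* Hardened loader: the claimed length must fit the buffer (leaving room for
 * a terminator) and must actually be present in the record. */
int load_save_safe(sim_frame_t *f, const uint8_t *blob, size_t blob_len) {
    uint16_t len;
    if (parse_header(blob, blob_len, &len) != 0) return -1;
    if (len >= NAME_CAP) return -2;                          /* would overflow */
    if ((size_t)len > blob_len - 6) return -3;               /* truncated record */
    memcpy(f->bytes, blob + 6, len);
    f->bytes[len] = '\0';
    return 0;
}

/* Constructed records for the demo. */
static size_t build_record(uint8_t *out, const uint8_t *name, uint16_t len) {
    memcpy(out, "SAVE", 4);
    out[4] = (uint8_t)(len & 0xff);
    out[5] = (uint8_t)(len >> 8);
    memcpy(out + 6, name, len);
    return 6 + (size_t)len;
}

/* Doctored save: 32 filler bytes, then the value the attacker wants in the
 * return slot (0x12345678 little-endian). Returns the slot after loading. */
uint32_t demo_vuln_ret_after_attack(void) {
    uint8_t name[FRAME_LEN], rec[6 + FRAME_LEN];
    memset(name, 'A', NAME_CAP);
    name[32] = 0x78; name[33] = 0x56; name[34] = 0x34; name[35] = 0x12;
    size_t n = build_record(rec, name, FRAME_LEN);
    sim_frame_t f; frame_init(&f, 0xDEADBEEFu);
    load_save_vuln(&f, rec, n);
    return frame_ret(&f);                                    /* 0x12345678 */
}

int demo_safe_rc_attack(void) {                              /* -2: rejected */
    uint8_t name[FRAME_LEN], rec[6 + FRAME_LEN];
    memset(name, 'A', FRAME_LEN);
    size_t n = build_record(rec, name, FRAME_LEN);
    sim_frame_t f; frame_init(&f, 0xDEADBEEFu);
    return load_save_safe(&f, rec, n);
}

int demo_safe_rc_benign(void) {                              /* 0: loaded intact */
    const uint8_t name[] = "PLAYER1";
    uint8_t rec[6 + FRAME_LEN];
    size_t n = build_record(rec, name, 7);
    sim_frame_t f; frame_init(&f, 0xDEADBEEFu);
    int rc = load_save_safe(&f, rec, n);
    return (rc == 0 && strcmp((const char *)f.bytes, "PLAYER1") == 0
            && frame_ret(&f) == 0xDEADBEEFu) ? 0 : -1;
}

int main(void) {
    printf("vulnerable loader, return slot after doctored save: 0x%08" PRIx32 "\n",
           demo_vuln_ret_after_attack());
    printf("hardened loader, doctored save: rc=%d\n", demo_safe_rc_attack());
    printf("hardened loader, benign save:   rc=%d\n", demo_safe_rc_benign());
    return 0;
}
```

Run stand-alone it prints the return slot the doctored record plants against the vulnerable loader (0x12345678), the hardened loader's rejection code for the same record, and success for the benign one. The whole fix is the two length checks in load_save_safe: the length field of a file the player controls is attacker input, and a real exploit of this shape would put an address inside the game or kernel image in that slot rather than a marker value.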

    3. Re:I understood enough to understand ... by TCM · · Score: 1

      I'm not into this and not too interested anyway. Just one question: Once you have done it, do you still need to do the save game trick every time you want to boot Linux? Or is it a one-time thing and from then on you can boot Linux straight from power-on?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    4. Re:I understood enough to understand ... by smeenz · · Score: 1

      The exploit we're talking about here is the legally 'clean' way of running linux on an xbox, because it doesn't require you to open the box or modify the ROM code

      If you want to automatically load Linux (or anything other than Microsoft's kernel) on startup, then you must modify that bootup code somehow, which breaks the license agreement you have with Microsoft, and obviously any warranty on the Xbox.

    5. Re:I understood enough to understand ... by dknj · · Score: 1

      1. Exploit AUF buffer overflow which loads a minimal version of linux with an ftp server
      2. Upload modified dashboard
      3. Restart system
      4. ???
      5. LINUX!@$#

      -dk

  30. Re:Hidden code? (x1488) by Anonymous Coward · · Score: 0

    You're going on my ever growing list of foes--people too immature to be of any interest. ...As one of over 150? Wooow! Exquisite!

  31. Mad props seconded by lucas_gonze · · Score: 1

    The modification of the public key to make it divisible by three was absolutely beautiful. Huge props to the unknown hacker.

  32. XBox sales show this is NOT the future. by Viewsonic · · Score: 4, Insightful
    So don't worry about it. As far as consoles go, XBox is terrible. It has about 2-3 games worth buying that aren't on the PC, and pretty soon they'll be on the PC regardless.

    Consoles will stay consoles. They will be made to play purely games and nothing else. This is what people want to buy, and they're showing it with their pocketbooks right now. Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsoft's try-and-do-everything Box. The numbers speak for themselves.

    1. Re:XBox sales show this is NOT the future. by Anonymous Coward · · Score: 0

      But what if microsoft decides to make the PC its own personal console? This is potentially what TCPA could do. XBox sales are irrelevant. Think of it as a test run or a beta of microsoft's future proprietary PC.

    2. Re:XBox sales show this is NOT the future. by atari2600 · · Score: 1


      Are you talking out of your ass? Halo for the PC is coming out next month since Microsoft wants it to happen. Microsoft is releasing Halo 2 soon, sir - the sequel to a game for which people bought the XBOX - for one game!

      If you stop talking trash and find out for yourself, the XBOX is a pretty powerful console and there are console gamers out there who swear by the XBOX. Sure /. is cool and Linux is cooler and MS is evil - that doesn't make the XBOX any less popular. Sure MS is losing money on the XBOX - because MS wants to lose money on the XBOX - hasn't IE vs Netscape taught you anything?

      Go ahead and comment what you wish to on this post but I just spoke the truth - the bottom line: if the cool games for the XBOX have to be out on the PC, MS has to say YES

    3. Re:XBox sales show this is NOT the future. by cabra771 · · Score: 1

      Damn, I'll say it. I bought an Xbox just for Halo. Am I ashamed? No. Do I have any other games for Xbox? Only two others. Do I regret my purchase? No. Halo is one of the only games that I can still play after more than a year and not be sick of one bit. Do I have mine modded? No. Why? I have two PCs in my apartment; why do I need to mod my game console to do something that one of my CPUs can already do? Why the flying fu#k do I need to run Linux on my Xbox when I have a much better machine already running it. Rant? Finished.

      --

      -my other sig is your mom
    4. Re:XBox sales show this is NOT the future. by DeadScreenSky · · Score: 1

      Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsofts try-and-do-everything Box.

      Sony I will give you, but I don't think this strategy is actually working for Nintendo too well. Nintendo will win Japan, granted, but Europe, Australia, and America are probably lost at this point. Too bad that the Japanese (non-cellphone) game market is shrinking so much, too.

      And if you really think the Xbox has only 2-3 worthwhile games, I am really curious what kind of games you play. Project Gotham, DOA3, Amped, Panzer Dragoon Orta, Shenmue II, JSRF, etc. are all pretty cool, and not available for PC or other systems (at least in the US in the case of Shenmue II). Likewise, how can you defend the GC's smaller library, which also has less variety?

      By all means, enjoy any console you like, but it seems stupid to complain about how terrible a console is that many people seriously do enjoy, with sales numbers to prove it.

      And what does the Xbox try and do that Sony hasn't tried with the PS2 (which is dominating)?

      --
      There is no excellent beauty that hath not some strangeness in the proportion. -- Francis Bacon
    5. Re:XBox sales show this is NOT the future. by scot4875 · · Score: 0, Troll

      Likewise, how can you defend the GC's smaller library, which also has less variety?

      Care to back up this statement? The Gamecube has over 200 games out for it. The only genre that it really lacks is RPGs, and -- oops! the XBox doesn't have many of those either.

      If you count the Gameboy Player, the 'Cube can play over 1500 games.

      but it seems stupid to complain about how terrible a console is that many people seriously do enjoy, with sales numbers to prove it.

      Likewise, it seems stupid to complain about how talentless Britney Spears is, since many people enjoy the music she performs, and the RIAA has sales numbers to prove it.

      --Jeremy

      --
      Jesus was a liberal
  33. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh

    1. Re:DMCA relevant section by Anonymous Coward · · Score: 0

      As it stands, nope. IANAL (BIPOO/.) but if my memory serves me, there was a pesky case that we all call the DeCSS case. In this case, the defense made the above argument: that DeCSS was created for interoperability and that it has significant non-infringing uses.

      The judge still ruled against them. Now, the Supremes might change their minds if the case ever gets that far, but it does not look like it will. And that means, at least for now, that there's a precedent in the 9th circuit that flies in the face of the law. Not that the whole DMCA flies in the face of the Constitution or anything...

  34. Mod Parent UP! by mekkab · · Score: 1

    Excellent analysis...

    Such obfuscated code could only be the product of
    A: a paranoid mind
    B: someone on a mission to prevent their code from being exploited
    C: both.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  35. Re:FP by Anonymous Coward · · Score: 0

    That, and the fact that I filmed it

  36. Re:WTF? by Anonymous Coward · · Score: 0

    sheesh, the dude was replying to a question about hex math

  37. Online cheating by mark_space2001 · · Score: 2
    For me the main issue is online play and cheating. The Xbox has a security key to only allow certain programs (i.e., licensed developers) to run. This really reduces the chances of online cheating. Cheating online has all but ruined SOCOM's online play for the PS2; I don't want that to happen to Xbox games as well.

    Eventually, I think all game consoles will have security keys like the Xbox.

    Linux is cool, but not every computing device in the world needs to run it. Unlike servers and desktop PCs, game consoles are not mission critical for anything. These Linux hackers should leave the Xbox alone and devote some time to improving X performance on the desktop, or something else useful.

    1. Re:Online cheating by ocelotbob · · Score: 1
      These Linux hackers should leave the Xbox alone and devote some time to improving X performance on the desktop, or something else useful.
      I totally disagree. Hacking a console and writing a graphics rendering system are pretty much non-orthogonal processes. There are a lot of different programming skills that don't easily cross over. The Xbox hack scene is, by and large, dominated by college students, part time security folks, and other hobbyists, who don't really have the skills to work on something as complex as you mentioned.

      As far as your complaints as to cheating and the xbox, maybe you need to complain to Microsoft. Ask them why a third party can't set up a server for xbox games, so lan partiers, etc, can use their own server and control who plays and who doesn't. End-user authentication is still an important security tool, why is microsoft leaving it out of the loop?

      --

      Marxism is the opiate of dumbasses

  38. You know you're a slashdot reader ... by j2demelo · · Score: 2, Funny

    when you say "You know your a geek..."

  39. Re:Holy Shit! These guys are assembly gurus! by cheekyboy · · Score: 1

    Oh what about polish vodka?

    --
    Liberty freedom are no1, not dicks in suits.
  40. the private key is not there to retrieve by Anonymous Coward · · Score: 0

    Each Xbox contains the public key. The private key is hidden somewhere at Microsoft.

    Besides, the entire ROM of the Xbox has already been dumped by modchip users. If the private key were there it would already be out of the bag and we wouldn't need hacks.

  41. Re:Holy Shit! These guys are assembly gurus! by Anonymous Coward · · Score: 0
    It's almost like watching two dueling programmers!


    Korahmatah......
    Korah rahtahmah....

    Korah rahtamah!
    Yoodhah korah!
    Korah syahdho!
    Rahtahmah daanyah!
    Korah... keelah... daanyah!
    Nyohah! Keelah! Korah! Rahtahmah!
    Syadho! Keelah! Korah! Rahtahmah!
    (etc)
  42. Process of Discovery, not how it works... by grimani · · Score: 2, Interesting

    The interesting bit should be how the dude discovered the overflow...not how it works.

    Discovering an overflow in a controlled environment such as a console is no easy task. Console games don't usually crash - what indicated an overflow was present for exploiting?

    After that, exploiting an overflow is really just a menial task. There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?

    Beyond that, exploiting it is simple...

    So, anybody know how that particular overflow was discovered?

    1. Re:Process of Discovery, not how it works... by Anonymous Coward · · Score: 1

      this breakdown was not written by the person who created it, I doubt they even have any connection whatsoever to the author.. how could you read it and not realize that?

      'exploiting an overflow is really just a menial task . There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?'

      good lord, I'm glad everyone on slashdot always throws in a line or two that screams 'I HAVE NO IDEA WHAT I'M FUCKING TALKING ABOUT'

    2. Re:Process of Discovery, not how it works... by Anonymous Coward · · Score: 0

      Oh, you think that's fun, wait until you see this neat saved game that I've got that writes a neat test message on all models of the PlayStation2 upon booting with the memory card in...

      This overflow was probably discovered either by discovering that a corrupted save crashed 007, or more likely by disassembling/analysing the xbes and looking for something that looked rewtable.

    3. Re:Process of Discovery, not how it works... by achurch · · Score: 1

      I don't know the details of this particular case, but once you have access to the save data it's easy to tweak things that look like they could cause problems. (Put yourself in the developers' shoes, and ask yourself "if I was rushed to get this out the door, where would I be likely to cut corners?") Text strings are obvious things to play with; some games compress their saved data, so you could create a bogus compressed file that expanded to some huge number of bytes and see if it crashes the game; et cetera. The "1% inspiration and 99% perspiration" quote probably applies to finding the overflow just as much as writing the actual exploit.

  43. my first post on /. by Grimlen · · Score: 1

    woooohooooo i finally registered. Confucius says: "man who goes through airport door sideways, going to Bangkok."

    --
    "the universe is a figment of its own imagination" (play DAOC its good)
    1. Re:my first post on /. by Anonymous Coward · · Score: 0

      Me too! And it is my first "Me Too"

  44. Obviously.... by Anonymous Coward · · Score: 0

    The particular versions of 007 and MechWarrior or whatever games have the exploit, will soon become as sought-after as H-cards were, series 1 Tivos are, and chippable playstations etc., or the modchips themselves. I'd bet the games are already "fixed" to break this exploit, and looking forward the xbox linux folks haven't really moved ahead in the arms race at all.

    Now, it appears to me that there might actually be grounds for a lawsuit on the basis of the company's anticompetitive actions, but a few emails to Microsoft and a fax to the attorney general don't amount to anything, and I'm not surprised at the lack of response.

    The letter to the antitrust folks would be a good start, if it were revised into a more literate, more polite, and more appropriate form, and then sent via traditional means to carefully selected individuals. But in its current state, and particularly only faxed, it's no surprise at all that the letter was ignored.

    There might really be a case here. Possibly a stronger case than the original antitrust issues against Microsoft. But it won't be considered unless someone actually makes an effort to press the matter.

    For all the talk about how expensive justice is, I'm having a hard time sympathizing with someone who can't even bother to pay the price of a certified letter with a return envelope, nor the political sense to have the same request sent on their behalf by an individual who has the ear of a politician.

    The system -- you get no more out of it than you put in.

    1. Re:Obviously.... by Anonymous Coward · · Score: 0

      Actually... retail versions, including the Xbox Classics version of 007 AUF, are still vulnerable. Recent Xboxes have different absolute addresses to use, but as soon as those are figured out they, too, are vulnerable. MS can't upgrade the BIOS under you due to the TSOP write protect in hardware, although they can upgrade the dash - well, except for the stealth patches under development (with those they won't even be able to see bert and ernie, snuffleupagus, or kermit, and if they look they will see only the dash they want to write).

      This hack is hardcore, and here to stay. Just do everyone a favour and don't cheat on Xbox Live, people. Your right to mod ends when you're online and not on a level playing field with the other real players...

  45. Re:WTF? by Anonymous Coward · · Score: 0

    Ouch - glad I posted anonymously now - the parent post was beneath my threshold and I didn't notice. Sorry, great-grandparent post.

  46. And this is why Microsoft isn't 'evil'. by Anonymous Coward · · Score: 0

    "and the community is doing this to a product they paid for and own."

    You may have paid for your X-Box. You may have paid for a game. You may be paying your subscription for X-Box Online and whatnot.

    Are you paying for everyone else's?

    Cheating in single player games, offline, is fine and dandy. Cheating in multiplayer games, online, forces your modifications onto someone else - thereby modding something that you certainly did not pay for.

    As much as I'd like to call Microsoft evil for attempting to prevent X-Box hacking any way they can, well.. Years of dealing with pathetic morons in online games has me cheering for Microsoft on this one.

    In the end, it's a question of who you want taking your rights away from you. I'd rather have Microsoft attempting to do it as opposed to Joe Noskillz out in Backwater, Kansas.

    A different world? The only difference is the depth of damages. "rm -rf /*" may be a bit more dangerous than some n00b with spiked models, but in the end, the asshole who just wiped your root directory is no different than the asshole who just forcibly changed the rules of the game you're playing. They're both modifying something you've paid for, without your permission.

  47. Re:Holy Shit! These guys are assembly gurus! by Anonymous Coward · · Score: 0

    That isn't really you, is it +ORC?

    In case it is: Mad props for the great drink recipe - although I'd been cracking for five years before I ever saw your tutorials, I couldn't mix a drink to save my life. ;)