

Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

9 of 242 comments

  1. Re:Stego or not? by AdEbh · · Score: 4, Informative

    I think it could. Steganography means hidden/covered writing from its Greek roots. The term is older than computers, so I think the distinction between the body or header of an image file is a bit fine.

    - Alex

  2. Re:I don't understand. by AdEbh · · Score: 5, Informative

    I don't think that the Tux image was in the game executable, rather the save game file. This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

    - Alex

  3. Hexadecimal. by aussersterne · · Score: 1, Informative

    Many calculations in computing are done in base 16 because it's convenient (each circuit is either on or off, two possibilities; 16 is 2 to the 4th power, while 10 is not an even power of two).

    In base 16 notation, the digits usually are:

    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f

    So, 15 in decimal (base 10, what you're used to) is f in hexadecimal (base 16, more convenient for computing due to on/off nature of electricity, since 16 is an even power of 2).

    And just as 9 + 1 = 10 (reach the highest digit? carry the one and begin with a zero again in the next column) f + 1 = 10 (reach the highest digit, carry the one and begin with a zero again in the next column).

    Other basic hex math for example:

    9 + 1 = a

    9 + 2 = b

    f0 + 1 = f1

    ff + 1 = 100

    a + 1 = b

    b + 2 = d

    And so on.

    The 0x is a holdover from C programming: prefixing a value in C by 0x indicates that it is a hexadecimal (base 16) number and not a decimal (base 10) number.

    --
    STOP . AMERICA . NOW

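
The column-by-column carry that the comment above describes (f + 1 = 10, ff + 1 = 100) is easy to see as code. The following C routine is an added example written for this page, not code from the commenter or from the article; it adds two hex strings one digit at a time, right to left, carrying whenever a column reaches 16. The names hex_add and hex_sum are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit (either case), or -1 if c is not a hex digit. */
static int hex_digit_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

/* Add two unsigned hex strings (no 0x prefix) column by column, right to
 * left, carrying the one whenever a column reaches 16. The lowercase result
 * is written to out, which needs max(strlen(a), strlen(b)) + 2 bytes.
 * Returns out, or NULL on a non-hex character or an undersized buffer. */
char *hex_add(const char *a, const char *b, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    size_t la = strlen(a), lb = strlen(b);
    size_t n = (la > lb ? la : lb) + 1;   /* one extra column for a final carry */
    size_t pos = 0;
    int carry = 0;

    if (out_size < n + 1) return NULL;

    for (size_t i = 0; i < n; i++) {
        int da = 0, db = 0;
        if (i < la) { da = hex_digit_value(a[la - 1 - i]); if (da < 0) return NULL; }
        if (i < lb) { db = hex_digit_value(b[lb - 1 - i]); if (db < 0) return NULL; }
        int sum = da + db + carry;
        carry = sum / 16;                 /* reached 16? carry the one ... */
        out[pos++] = digits[sum % 16];    /* ... and start again from 0 here */
    }

    /* Digits were produced least significant first: trim leading zeros
     * (which sit at the end right now), then reverse into reading order. */
    while (pos > 1 && out[pos - 1] == '0') pos--;
    out[pos] = '\0';
    for (size_t i = 0, j = pos - 1; i < j; i++, j--) {
        char t = out[i]; out[i] = out[j]; out[j] = t;
    }
    return out;
}

/* Convenience wrapper using a static buffer; returns NULL on bad input. */
const char *hex_sum(const char *a, const char *b)
{
    static char buf[64];
    return hex_add(a, b, buf, sizeof buf);
}

int main(void)
{
    /* The same sums the comment lists, worked by the routine. */
    const char *pairs[][2] = { {"9", "1"}, {"f0", "1"}, {"ff", "1"}, {"b", "2"} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("0x%s + 0x%s = 0x%s\n", pairs[i][0], pairs[i][1],
               hex_sum(pairs[i][0], pairs[i][1]));
    return 0;
}
```

Because each column is handled independently of the width of the inputs, the same routine works for "ff" + "1" (two carries in a row) as for single digits.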
  4. Re:Brilliant! by Anonymous Coward · · Score: 3, Informative

    It does not retrieve the original private key. By modifying the public key in memory, the exploit effectively creates a new key pair. Read the complete article.

  5. Re:Brilliant! by 3.1415926535 · · Score: 3, Informative

    So what is the solution?

    I'll give you a hint: There isn't one!

    As somebody whose name escapes me at the moment said, "There ain't no such puppy as a trusted client."

  6. Re:I don't understand. by kc8kgu · · Score: 5, Informative

    Not that I would ever waste my time trying to hack an X box, but I can imagine a couple of reasons why the hacker might want to hide how it worked.

    The big one is that the more cryptic and obfuscated the hack is, the less likely the vulnerability will be fixed in a future version, because it's less likely to be found and understood by the engineers trying to close it. From the article, it seems as if the game already has four versions that have this hole.

    But to contradict myself, the article seems to indicate the big hole is a simple buffer overflow. Easily noticed and fixed. If there are other relatively unknown hacks inside the encrypted payload, it may extend their availability and usefulness.

    On the other hand, the hacker may be simply trying to hide his identity, changing her code so it doesn't seem like it's in her personal style. To explain, people who write software for long enough in any arbitrary language begin to develop their own consistent style. Don't get me wrong, they do use the language's idioms to a certain extent, but usually have their own bit of flair to add to them.

    Let's consider the C/C++ for loop. Here are a few ways to write it - all pretty standard.

    /* first example: declare the index outside the loop */
    int i;
    for (i = 0; i < FOO_COUNT; i++)
        DoItTo(myfoos[i]);

    /* second example: C99/C++ style, index scoped to the loop, braces always */
    for (int index = 0; index < FOO_COUNT; index++)
    {
        DoItTo(myfoos[index]);
    }

    /* third example, assume ok to change myfoos: walk a NULL-terminated
     * array of pointers by advancing the pointer itself (the test has to be
     * on *myfoos, the current element, not on the pointer being advanced) */
    for (; *myfoos != NULL; myfoos++)
        DoItTo(*myfoos);

    Given a large enough sample of a person's code (say they did it for a living and their employer used cvs or similar), it's pretty easy to tell who wrote it. After about 15-20 lines of code, I can pretty well tell which of my coworkers are to blame for the latest bug. It's not a fingerprint, but you just need a glove size to narrow down the search.

    Or, I could be completely off base. It's happened before... Once ;-)

    Just my $0.02

    (ps, I realize that the guys fixing the hole wouldn't have the source to look at, but I would wager that enough flair gets through to the machine language)

  7. Re:Umm someone explain! by Gyorg_Lavode · · Score: 4, Informative

    I'm no programmer, but it seems they overflow a buffer used in loading saved games to mount the saved game as the d drive and then run a program off of it. This can then copy the modified files used to boot linux on an unmodified xbox to the hard drive.

    --
    I do security

  8. Re:I understood enough to understand ... by smeenz · · Score: 3, Informative

    The hack is essentially just an exploit of a buffer overflow in the game load code of the game 'Agent Under Fire' (AUF).

    Once the buffer overflow was found, it was a relatively simple matter of creating a doctored save game that caused the xbox to boot off the hard drive when you try and 'load' that saved game file.

    So to boot into linux, you have to buy AUF, obtain the doctored save game and get it onto the machine (I'm not sure how you go about that part.. perhaps the xbox has some removable media), then boot into AUF, go through the menu system, load your doctored save game, and behold, your xbox will boot into linux.
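
Comments 7 and 8 above both put the hole in the code that reads a saved game from the file. The following is an added example, not code from the article, the game or the Xbox Linux Project: it shows the classic pattern behind such a bug (a length field copied straight from the file into a fixed-size buffer) next to the hardened loader that validates every length it reads. The save-file layout, the field sizes and every name (SAVE_MAGIC, NAME_BUF_SIZE, load_save_unchecked, load_save_checked, build_save, try_load, LONG_NAME) are my own constructions for the example and have nothing to do with the real Agent Under Fire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed save-game layout for this example (NOT the real game format):
 *   bytes 0..3 : magic "SAVE"
 *   bytes 4..5 : little-endian length N of the player-name field
 *   bytes 6..  : N bytes of player name, then the rest of the record      */
#define SAVE_MAGIC    "SAVE"
#define NAME_BUF_SIZE 32

struct game_state {
    char     player_name[NAME_BUF_SIZE];
    uint32_t score;   /* whatever sits after the buffer is what an overflow clobbers */
};

/* Vulnerable pattern: the length field is trusted as-is, so a file that
 * claims a name longer than NAME_BUF_SIZE writes past player_name.
 * Shown only for comparison; it is never called with hostile input here. */
int load_save_unchecked(const uint8_t *file, size_t file_len, struct game_state *st)
{
    if (file_len < 6 || memcmp(file, SAVE_MAGIC, 4) != 0) return -1;
    size_t name_len = file[4] | (file[5] << 8);
    memcpy(st->player_name, file + 6, name_len);   /* no bound on name_len */
    st->player_name[name_len] = '\0';
    return 0;
}

/* Hardened loader: every length read from the file is checked against both
 * the destination buffer and the bytes actually present in the file.
 * Returns 0 on success, -1 bad header, -2 oversized field, -3 truncated. */
int load_save_checked(const uint8_t *file, size_t file_len, struct game_state *st)
{
    if (file_len < 6 || memcmp(file, SAVE_MAGIC, 4) != 0) return -1;
    size_t name_len = file[4] | (file[5] << 8);
    if (name_len >= NAME_BUF_SIZE) return -2;   /* must leave room for the NUL */
    if (name_len > file_len - 6)   return -3;   /* claims more bytes than exist */
    memcpy(st->player_name, file + 6, name_len);
    st->player_name[name_len] = '\0';
    return 0;
}

/* Build a record into buf. claimed_len is written into the length field and
 * may differ from strlen(name) so that malformed files can be constructed. */
size_t build_save(uint8_t *buf, size_t buf_size, const char *name, uint16_t claimed_len)
{
    size_t n = strlen(name);
    if (buf_size < 6 + n) return 0;
    memcpy(buf, SAVE_MAGIC, 4);
    buf[4] = (uint8_t)(claimed_len & 0xff);
    buf[5] = (uint8_t)(claimed_len >> 8);
    memcpy(buf + 6, name, n);
    return 6 + n;
}

/* Run the hardened loader over a constructed record and report its status. */
int try_load(const char *name, uint16_t claimed_len)
{
    uint8_t file[512];
    struct game_state st;
    size_t len = build_save(file, sizeof file, name, claimed_len);
    if (len == 0) return -99;
    return load_save_checked(file, len, &st);
}

/* A 40-byte name: longer than the 32-byte buffer, so the unchecked loader
 * would overrun player_name while the checked one rejects the file. */
static const char LONG_NAME[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

int main(void)
{
    printf("benign name, honest length : %d\n", try_load("Bond", 4));
    printf("40-byte name               : %d\n", try_load(LONG_NAME, 40));
    printf("short name, length 300     : %d\n", try_load("Bond", 300));
    printf("short name, length 20      : %d\n", try_load("Bond", 20));
    return 0;
}
```

The two loaders differ only in the two comparisons before the memcpy; that is the whole fix for this class of bug, and the reason a save file (or any other file the console reads from removable media) has to be treated as untrusted input even though it was written by the game itself.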

  9. Re:I will never understand this. by CustomDesigned · · Score: 2, Informative

    For hex addition, I sometimes use a chinese abacus. The chinese style has two top beads and 5 bottom beads (as opposed to the Japanese style which has 1 top bead and 4 bottom beads). One of the top beads and one of the bottom beads on a chinese abacus are never used for decimal addition (they are used for carries when multiplying). However, if you count each top bead as 5 and each bottom bead as 1, they add up to 15 - which works perfectly for addition in base 16 (just as the 1 top and 4 bottom add up to 9 for decimal addition). The beauty of adding on an abacus is that the answer appears as you "key" in the operands. No wasted keystrokes to type "+" or ENTER.