Slashdot Mirror


Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

14 of 242 comments

  1. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

    2. Re:I don't understand. by Anonymous Coward · · Score: 2, Interesting

      No compiler would produce the same code for all three examples. In particular, use of the postfix unary increment in the for loop guarantees that. If the C++ code was written with a prefix unary increment (i.e. I'm saying using ++myFoos instead of myFoos++) then maybe it would be the same. The compiler is forced to call the copy constructor for myFoos in the third example, and no amount of optimization can avoid that.
      However, I totally agree with your point -- the programming style of a higher-level language does not carry through to machine code in any real way.
      I also highly doubt the hack author would have written the hack in anything other than assembly anyway.

  2. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows, it would be interesting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer: the above are merely ideas. I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...
    2. Re:Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 3, Interesting

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.


      But isn't the whole philosophy behind linux to be open and clear?

    3. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 1, Interesting

      So what? This isn't about Linux. It's the cracking of the most vigorously defended game console to date. It's a spy vs spy type of game with an appreciable side effect.

  3. Re:Brilliant! by ignoramus · · Score: 5, Interesting

    It looks like it retrieves the private key. That's interesting.

    I agree that it's interesting, but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating its own (new and weak) key pair.

    From the article: "Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!"

    Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?
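The integrity check the commenter is asking about, as an added example that is neither from the article nor from the commenter: the verifier pins a hash of the expected public key and, as a second line of defence, rejects any modulus with a small prime factor, which is exactly the state the article describes (a modulus that has become divisible by 3). The primes, modulus and the "patch" are constructed toy values, far too small for real use; the function names are this example's own.

```python
import hashlib

# Constructed toy RSA-style key (tiny primes, for illustration only).
P, Q = 1000003, 1000033
N = P * Q          # 1000036000099, not divisible by any small prime
E = 65537

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def key_fingerprint(n: int, e: int) -> str:
    """SHA-256 over the big-endian encodings of (n, e); this is what
    a verifier would pin at build time instead of trusting the key bytes
    that happen to be in memory at run time."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + e_bytes).hexdigest()


# Pinned once, when the genuine key is known to be intact.
PINNED_FINGERPRINT = key_fingerprint(N, E)


def small_factor(n: int, primes=SMALL_PRIMES):
    """Return the first small prime dividing n, or None.  A genuine RSA
    modulus is a product of two large primes and never trips this."""
    for p in primes:
        if n != p and n % p == 0:
            return p
    return None


def patched_modulus(n: int) -> int:
    """Constructed stand-in for the tampering the article describes:
    nudge the modulus by the smallest amount that makes it divisible by 3
    (while keeping it odd, so the divisor found is 3 rather than 2)."""
    return n + ((3 - n % 3) % 3)


def check_public_key(n: int, e: int, pinned: str = PINNED_FINGERPRINT):
    """Return (ok, reason).  The fingerprint check catches any byte change;
    the small-factor check catches the specific weak-key outcome even if
    an attacker also managed to update the pinned hash."""
    if key_fingerprint(n, e) != pinned:
        return False, "fingerprint mismatch: public key was modified"
    p = small_factor(n)
    if p is not None:
        return False, f"weak key: modulus divisible by {p}"
    return True, "ok"


if __name__ == "__main__":
    print("genuine key :", check_public_key(N, E))
    tampered = patched_modulus(N)
    print("tampered key:", check_public_key(tampered, E))
    print("small factor of tampered modulus:", small_factor(tampered))
```

The commenter's own caveat still applies: both checks live in code, and code in a writable location can be patched along with the key. They only hold if the check runs from a stage that is itself verified before the patchable code executes, which is why the question is really about where the root of trust sits rather than about which hash or signature format to use.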

  4. XBOX is evil by Anonymous Coward · · Score: 3, Interesting

    Microsoft takes the open PC standard, cripples it, makes it so that you can't upgrade it, you can't WRITE code for it without paying them royalties, you can't RUN code on it without paying them, and puts their logo on the front. If you even try to open this crippled PC, your warranty is void; if you open up and play around with this crippled PC that you paid for and you own ("hack"), you are breaking the law. Don't even think about selling modifications to this crippled PC. You will be put in prison with all the rapists and murderers and other menaces to society.

    The scariest part? In 10 years, we won't be talking about a console. This is the future of the PC.

  5. Re:Brilliant! by bucky0 · · Score: 3, Interesting
    --

    -Bucky
  6. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh

  7. Re:Brilliant! by Cylix · · Score: 3, Interesting

    This was defeated.

    I believe Capcom uses this technique on their boards. The problem is, batteries tend to die over time and at some point the key is lost due to age. (3 years?) The manufacturer will generally fix the system.

    However, this encryption method was eventually defeated. The guys were originally doing it to get the old Capcom ROMs off, but found out they could decrypt the newer games too.

    At the time, they decided not to release their findings, as they were a classic ROM shop and didn't want to destroy the technique for newer arcades.

    I believe the group was decrypting the ROMs and released those, but eventually someone gave out the material.

    I gave up following the story when they said they cracked it, but ethical reasons kept them from giving away the information.

    Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  8. Re:Does M$ have a fetish by NintenDoctor · · Score: 2, Interesting

    This is a 007: Agent Under Fire exploit, not an exploit inherent to the Xbox. Agent Under Fire was made by EA, not Microsoft. Blame the right company.

    If this was analyzing the MechAssault hack, then you might have a point.

    --
    I've moved on.
  9. Process of Discovery, not how it works... by grimani · · Score: 2, Interesting

    The interesting bit should be how the dude discovered the overflow...not how it works.

    Discovering an overflow in a controlled environment such as a console is no easy task. Console games don't usually crash - what indicated an overflow was present for exploiting?

    After that, exploiting an overflow is really just a menial task. There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?

    Beyond that, exploiting it is simple...

    So, anybody know how that particular overflow was discovered?