Slashdot Mirror

← Back to Stories (view on slashdot.org)

Technical Analysis of XBox Save Game Hack

Posted by CowboyNeal on from the picking-it-apart dept.

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

6 of 242 comments (clear)

  1. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

  2. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows it would be intresting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer, the above are mearly ideas, I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...
  3. Re:Brilliant! by ignoramus · · Score: 5, Interesting

    It looks like it retrives the private key. That's interesting.

    I agree that it's interesting but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating it's own (new and weak) key pair.

    From the article:Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!

    Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?

  4. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh