Slashdot Mirror


Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

  1. Hidden code? by SharpFang · · Score: 2, Offtopic

    See IOCCC for true masters of making the code unreadable!

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. Geez by craigtay · · Score: 4, Funny

    From the looks of this article, they could probably make an entire course at a university devoted to modding the xbox.

  3. Stego or not? by robogun · · Score: 5, Insightful

    The code was "hidden" in the jfif header, therefore does not qualify as steganography in my opinion. But I bet MS jumps all over this and gets stego banned.

    1. Re:Stego or not? by AdEbh · · Score: 4, Informative

      I think it could. Steganography means hidden/covered writing from its Greek roots. The term is older than computers so I think the distinction between the body or header of an image file is a bit fine.

      - Alex

    2. Re:Stego or not? by dspeyer · · Score: 2, Funny

      Personally, I would regard group sex with three ton lizards as a bad thing but, hey, if it turns you on, it's your funeral.

  4. back in my room i by msh104 · · Score: 3, Funny

    continue praying... thank you holy tux, you defeated evil xbox with nothing more than a blink of your image. if possible reveal thyself in thy full glory and microsoft will tremble in your presence.

  5. Re:I will never understand this. by 3.1415926535 · · Score: 3, Insightful

    It sure does.

    Python 2.2.2 (#1, Dec 9 2002, 18:20:25)
    [GCC 3.2.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> "%x"%(0xAD9+0x5EF)
    '10c8'

  6. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by AdEbh · · Score: 5, Informative

      I don't think that the Tux image was in the game executable, rather the save game file. This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      - Alex

    2. Re:I don't understand. by kc8kgu · · Score: 5, Informative
      Not that I would ever waste my time trying to hack an X box, but I can imagine a couple of reasons why the hacker might want to hide how it worked.

      The big one is that the more cryptic and obfuscated the hack is, the less likely the vulnerability will be fixed in a future version, because it's less likely to be found and understood by the engineers trying to close it. From the article, it seems as if the game already has four versions that have this hole.

      But to contradict myself, the article seems to indicate the big hole is a simple buffer overflow. Easily noticed and fixed. If there are other relatively unknown hacks inside the encrypted payload, it may extend their availability and usefulness.

      On the other hand, the hacker may be simply trying to hide his identity, changing her code so it doesn't seem like it's in her personal style. To explain, people who write software for long enough in any arbitrary language begin to develop their own consistent style. Don't get me wrong, they do use the language's idiom to a certain extent, but usually have their own bit of flair to add to them.

      Let's consider the C/C++ for loop. Here are a few ways to write it - all pretty standard.

      /* first example */
      int i;
      for (i = 0; i < FOO_COUNT; i++)
          DoItTo(myfoos[i]);

      /* second example */
      for (int index = 0; index < FOO_COUNT; index++)
      {
          DoItTo(myfoos[index]);
      }

      /* third example, assume ok to change myfoos (a NULL-terminated array of pointers) */
      for (; *myfoos != NULL; myfoos++)
          DoItTo(*myfoos);

      Given a large enough sample of a person's code (say they did it for a living and their employer used cvs or similar), it's pretty easy to tell who wrote it. After about 15-20 lines of code, I can pretty well tell which of my coworkers are to blame for the latest bug. It's not a fingerprint, but you just need a glove size to narrow down the search.

      Or, I could be completely off base. It's happened before... Once ;-)

      Just my $0.02

      (ps, I realize that the guys fixing the hole wouldn't have the source to look at, but I would wager that enough flair gets through to the machine language)

    3. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

    4. Re:I don't understand. by Jmstuckman · · Score: 2

      Your first and second example would compile to the exact same machine language. With the thousands of people who could have done this hack, I doubt that the machine language would fingerprint them enough to catch them.

    5. Re:I don't understand. by Anonymous Coward · · Score: 2, Interesting

      No compiler would produce the same code for all three examples. In particular, use of the postfix unary increment in the for loop guarantees that. If the C++ code was written with a prefix unary increment (i.e. I'm saying using ++myFoos instead of myFoos++) then maybe it would be the same. The compiler is forced to call the copy constructor for myFoos in the third example, and no amount of optimization can avoid that.
      However, I totally agree with your point -- the programming style of a higher-level language does not carry through to machine code in any real way.
      I also highly doubt the hack author would have written the hack in anything other than assembly anyway.

    6. Re:I don't understand. by Tackhead · · Score: 2, Insightful

      > A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid.

      You're assuming the code in question was compiled. Glancing at it, I'd lay good odds that it was handcrafted.

      Besides, with the risk of being DMCA'd into his or her component atoms (regardless of where our mystery hacker lives), this isn't the kind of hack you can do in 15 minutes, slap your name on it, and get your ego gratification by having worldwide bragging rights.

      That leaves only one other route to ego gratification - spend a few hours, make it perfect, and get your ego gratification by presenting a beautiful gift to geeks and hackers around the world... and by leaving the world's DMCA types a puzzle they'll never figure out.

      Win-win, as I see it. And artful as all fuck. Call it the Fabergé egg of hackerdom.

      "Who was that masked man?"
      "Nobody knows, ma'am. Folks 'round here call 'im the Lone Ranger."
      "Artful fucker, ain't he?"
      "Yes ma'am. Maddest props to him."

  7. Stop these immoral actions! by henriksh · · Score: 5, Funny

    Why are you guys constantly trying to work against the hard-working software publishers at Microsoft?

    Come on, guys - you know it's not right. Don't copy that floppy!

  8. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows it would be interesting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer, the above are merely ideas, I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...
    2. Re:Why did the hacker try to hide how he did it? by lkaos · · Score: 5, Insightful

      Nah, this is still just a buffer overflow. I doubt he "put" it in there.

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      The modification of the public key to make it divisible by 3 was just beautiful.

      --
      int func(int a);
      func((b += 3, b));
    3. Re:Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 3, Interesting

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      But isn't the whole philosophy behind linux to be open and clear?

    4. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 4, Insightful

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are. Although the legality of hacking the X-Box is questionable, it's in a different world entirely from the vandalism associated with computer break-ins, and the community is doing this to a product they paid for and own.

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

    5. Re:Why did the hacker try to hide how he did it? by Rick.C · · Score: 2, Funny

      But isn't the whole philosophy behind linux to be open and clear?

      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    6. Re:Why did the hacker try to hide how he did it? by silas_moeckel · · Score: 3, Insightful

      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks (and that's a bit of a new thing due to the excessive laws against it). A script kiddie is just that, a script kiddie; let's try to not confuse the two. If they call themselves a hacker that's fine, it doesn't make it true. The hackers of the world know who they are and how to tell their own.

      --
      No sir I don't like it.
    7. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 2, Insightful

      You said that

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

      Are you trying to say that this was illicit modding? Let's look at it, this is using the hardware they sold you for what you want to do. You don't have to sign an agreement with MS to buy x many games. If they want that, then they should handle it the same way that Columbia House et al do.

      There is nothing that says I can buy a PS2, that I must buy games for it. What if I just buy one, and that is the only one I wanted. Maybe in 2 years, I go and buy a discount game somewhere, or some used games. That is not breaking the law, I can do whatever I want with it.

      If I choose to not buy any games for my game machine, that is their problem, not mine. They take that risk when they make the game machine, they hope that it will make a profit, but they are not guaranteed.

      This is not illicit modding, it would only be illicit if people were modding them and then selling those as original boxes.

    8. Re:Why did the hacker try to hide how he did it? by S.Lemmon · · Score: 4, Insightful

      I'm sure the reason was to make it harder for others to use the same hack to play copied games.

      Remember, they've already gone out of their way to stress its use for a legitimate purpose (running Linux) and not for piracy. This is just one more example of that. It shows a good faith effort by the authors to ensure the hack can't as easily be exploited for other purposes.

    9. Re:Why did the hacker try to hide how he did it? by TeknoHog · · Score: 4, Funny

      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      I second that. Why else would it have a power animal from Antarctica? Also, it did originate in Finland where it's pretty bloody cold during most of the year.

      --
      Escher was the first MC and Giger invented the HR department.
    10. Re:Why did the hacker try to hide how he did it? by miu · · Score: 3, Insightful

      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks

      What you are describing is still a system cracker. The "do no harm" philosophy is pure ignorance. Someone breaking into a machine and covering his tracks can do a lot of unintentional harm.

      Those who hack the XBox don't have to worry about causing harm because they are working entirely on their own equipment.

      --

      [Set Cain on fire and steal his lute.]
    11. Re:Why did the hacker try to hide how he did it? by Cruciform · · Score: 3, Funny

      That's it. Hand in your geek card and membership kit.

  9. Brilliant! by 1010011010 · · Score: 5, Insightful

    The code is just brilliant. A lot of care was taken in the construction of this hack. No script kiddie is he.

    It looks like it retrieves the private key. That's interesting.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    1. Re:Brilliant! by ignoramus · · Score: 5, Interesting

      It looks like it retrieves the private key. That's interesting.

      I agree that it's interesting but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating its own (new and weak) key pair.

      From the article: Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?

    2. Re:Brilliant! by Anonymous Coward · · Score: 3, Informative

      It does not retrieve the original private key. By modifying the public key in memory, the exploit effectively creates a new key pair. Read the complete article.
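
The key-patching step ignoramus and the Anonymous Coward describe above, as an added toy-scale C example that is neither the article's code nor the hack's: it shows that whoever can rewrite the modulus in memory can sign for the resulting key, and it includes a hypothetical loader-side small-factor check that, as the later replies point out, sits in the same patchable memory. The primes, exponent and digest value are constructed, and the patched modulus is searched for here rather than produced by a byte edit as in the article.

```c
/* Added toy example: a public modulus read from patchable memory is a
 * brand-new key pair for whoever patched it.  All key sizes are tiny and
 * all values are constructed for illustration (not the console's real key). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PUB_E 17ULL                    /* constructed public exponent */
#define LEGIT_P 1009ULL                /* vendor's secret primes (toy size) */
#define LEGIT_Q 1013ULL
#define LEGIT_N (LEGIT_P * LEGIT_Q)    /* 1022117, the modulus the loader trusts */

/* Modular exponentiation; moduli stay below 2^32, so products fit in 64 bits. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Inverse of a modulo m by extended Euclid; returns 0 when none exists. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

static bool is_prime(uint64_t n) {
    if (n < 2) return false;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0) return false;
    return true;
}

/* Textbook RSA sign/verify on an already-hashed value msg < n (no padding). */
static uint64_t rsa_sign(uint64_t msg, uint64_t d, uint64_t n) { return modpow(msg, d, n); }
static bool rsa_verify(uint64_t sig, uint64_t msg, uint64_t n) { return modpow(sig, PUB_E, n) == msg; }

/* The vendor's private exponent; only computable with p and q. */
static uint64_t legit_private_exponent(void) {
    return modinv(PUB_E, (LEGIT_P - 1) * (LEGIT_Q - 1));
}

/* What the thread describes: the patched modulus is a nearby value of the
 * form 3*r with r prime, so the patcher knows its factorization and can
 * derive the matching private exponent (written to *d_out).  The search is
 * done explicitly here; the quoted article says the hack's edit of the key
 * simply left it divisible by 3. */
static uint64_t patch_modulus(uint64_t n, uint64_t *d_out) {
    uint64_t cand = n + (3 - n % 3) % 3;          /* first multiple of 3 at or above n */
    for (;; cand += 3) {
        uint64_t r = cand / 3, phi = 2 * (r - 1);   /* phi(3r) for prime r != 3 */
        if (is_prime(r) && gcd64(PUB_E, phi) == 1) {
            *d_out = modinv(PUB_E, phi);
            return cand;
        }
    }
}

/* Hypothetical loader-side sanity check: a genuine RSA modulus has no small
 * prime factor.  It flags this particular patch, not a replacement modulus
 * built from two secret primes, and it lives in the same patchable memory. */
static bool modulus_has_small_factor(uint64_t n, uint64_t bound) {
    for (uint64_t d = 2; d <= bound; d++)
        if (n % d == 0) return true;
    return false;
}

static uint64_t patched_modulus(void) { uint64_t d; return patch_modulus(LEGIT_N, &d); }

static bool legit_signature_accepted(uint64_t msg) {
    return rsa_verify(rsa_sign(msg, legit_private_exponent(), LEGIT_N), msg, LEGIT_N);
}

/* The verifier runs the same check as before; only the modulus in memory changed. */
static bool forged_signature_accepted(uint64_t msg) {
    uint64_t d_forged, n_forged = patch_modulus(LEGIT_N, &d_forged);
    return rsa_verify(rsa_sign(msg, d_forged, n_forged), msg, n_forged);
}

int main(void) {
    uint64_t msg = 123456;                          /* constructed digest value */
    uint64_t n = patched_modulus();
    printf("legit key accepts vendor signature: %d\n", legit_signature_accepted(msg));
    printf("patched n = %llu = 3 * %llu\n", (unsigned long long)n, (unsigned long long)(n / 3));
    printf("patched key accepts patcher's signature: %d\n", forged_signature_accepted(msg));
    printf("small-factor check flags legit/patched: %d/%d\n",
           modulus_has_small_factor(LEGIT_N, 1000), modulus_has_small_factor(n, 1000));
    return 0;
}
```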

    3. Re:Brilliant! by Dthoma · · Score: 2, Insightful

      "My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?"

      There is no solution. If someone's got physical access to hardware, all bets are off and there's nothing you can do. The only solution to the problem would be a physical one, such as using superglue to hold the case shut.

      --

      Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

    4. Re:Brilliant! by 3.1415926535 · · Score: 3, Informative

      So what is the solution?

      I'll give you a hint: There isn't one!

      As somebody whose name escapes me at the moment said, "There ain't no such puppy as a trusted client."

    5. Re:Brilliant! by bucky0 · · Score: 3, Interesting
      --

      -Bucky
    6. Re:Brilliant! by Cylix · · Score: 3, Interesting

      This was defeated.

      I believe capcom uses this technique on their boards. The problem is, batteries tend to die over time and at some point the key is lost due to age. (3 years?) The manufacturer will generally fix the system.

      However, this encryption method was eventually defeated. The guys were originally doing it to get the old Capcom ROMs off, but found out they could decrypt the newer games too.

      At the time, they decided not to release their findings, as they were a classic rom shop and didn't want to destroy the technique for newer arcades.

      I believe the group was decrypting the roms and released those, but eventually someone gave out the material.

      I gave up following the story when they said they cracked it, but ethical reasons kept them from giving away the information.

      Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    7. Re:Brilliant! by hbo · · Score: 2, Funny

      Don't publish no durn code with buffer overruns. 8)

      Even Palladium won't protect you if you have one of those, providing the vulnerability occurs after the application has authenticated to the hardware. Unless you do something like challenge the app periodically to prove it has an intact copy of the secret key. Does Palladium do that? I don't know. Anti-stack crashing kernels combined with a crypto enabled platform could help too. But the whole game is complex as hell. And it has some of the best minds on the planet working on both sides, so the whole thing is an arms race. I'm nowhere near brilliant enough to predict what attacks those clever folks will mount on such a platform, or to predict their chances of success.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

  10. Don't Copy that Floppy by Altheus · · Score: 4, Funny
  11. You know your a geek... by Realistic_Dragon · · Score: 4, Funny

    ...when you can skim that article and not need to look anything up.

    --
    Beep beep.
  12. XBOX is evil by Anonymous Coward · · Score: 3, Interesting

    Microsoft takes the open PC standard, cripples it, makes it so that you can't upgrade it, you can't WRITE code for it without paying them royalties, you can't RUN code on it without paying them, and puts their logo on the front. If you even try to open this crippled PC, your warranty is void; if you open up and play around with this crippled PC that you paid for and you own ("hack") you are breaking the law. Don't even think about selling modifications to this crippled PC. You will be put in prison with all the rapists and murderers and other menaces to society.

    The scariest part? Is that in 10 years, we won't be talking about a console. This is the future of the PC.

    1. Re:XBOX is evil by bucky0 · · Score: 3, Insightful

      I shouldn't feed the troll, but here goes:

      1) Making it upgradable would increase cost; they wanted the cheapest box for the performance they could make (sockets cost money).

      2) If you don't like the idea of not being able to write your own code for it, then don't buy it.

      3) "puts their logo on the front"...in that case is Dell also evil?

      4) "If you even try to open this crippled PC, your warranty is void"....why does Microsoft have to warranty actions on the XBOX that it's not designed for? That's like me saying that AMD should still warranty my processors even if I'm running them out of spec.

      5) "...you are breaking the law." Despite what the spin doctors say, as long as you aren't hacking your Xbox to play copied games, they can't touch you if you're putting your own software on there (that said, if a side effect of your little hack causes someone to be able to play burned games, then they're gonna come after you (which sucks for fair use...)).

      6) "The scariest part? Is that in 10 years, we won't be talking about a console. This is the future of the PC." That is the scary part though. Even though 'the powers that be' keep claiming that people will be able to run unsigned content on TCPA hardware, I can't imagine that it would 'accidentally' cripple things like Linux and BSD that hurt the bottom line.

      --

      -Bucky
  13. Could a rival console maker be behind this? by Martin+Marvinski · · Score: 3, Insightful

    You might be right about this being a spy vs. spy thing because the stakes are so huge. This could mean that rival console makers are actually hacking the X-box to diminish its threat. That could be a reason why this hack was so well done!

    You brought up an excellent point!

  14. Does M$ have a fetish by pair-a-noyd · · Score: 2, Insightful

    for buffer overflows or what??

    Seems that's the number one way to whack an M$ system...

    1. Re:Does M$ have a fetish by damiam · · Score: 2, Insightful

      It's the number-one way to whack any system, Microsoft or not. And no, saying 'M$' instead of 'MS' doesn't make you look cool.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:Does M$ have a fetish by IIRCAFAIKIANAL · · Score: 3, Funny

      From my parent's basement, I stab at thee!

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    3. Re:Does M$ have a fetish by ceejayoz · · Score: 4, Funny
    4. Re:Does M$ have a fetish by NintenDoctor · · Score: 2, Interesting

      This is a 007: Agent Under Fire exploit, not an exploit inherent to the Xbox. Agent Under Fire was made by EA, not Microsoft. Blame the right company.

      If this was analyzing the MechAssault hack, then you might have a point.

      --
      I've moved on.
  15. Re:Spell check by OpCode42 · · Score: 3, Funny

    Its like a receipt, but a deceipt is proof that you didn't purchase something.

  16. Re:Umm someone explain! by Gyorg_Lavode · · Score: 4, Informative

    I'm no programmer, but it seems they overflow a buffer used in loading saved games to mount the saved game as the d drive and then run a program off of it. This can then copy the modified files used to boot linux on an unmodified xbox to the hard drive.

    --
    I do security
  17. I understood enough to understand ... by MickLinux · · Score: 2, Insightful

    ... that I didn't understand.

    I didn't have to look anything up, though...

    I know Assembly, and 80x8n assembly, especially. So that was no problem. I could follow the basic plot; I didn't bother to try to read most of the code, but when I did, it wasn't hard to read. The article was pretty good that way.

    But it looks to me like the article really didn't tell how the 007 Save Game was hacked. Rather, the article says "yeah it was hacked, and here's the neat part." But that's where it stops.

    There isn't enough info here to reproduce it, unless you already are into hacking the XBox.

    But that said, I wonder why [and maybe someone who does understand this hack can explain] the XBox-Linux people at sourceforge don't rewrite their install CDs, and give instructions, to allow a person to use this weakness to install Linux from a single CD.

    Could it be that this hack really isn't "out there" yet? That the "Free the XBox" hackers are actually still in negotiations with Microsoft [or with their concrete boots at the bottom of the river]?

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:I understood enough to understand ... by smeenz · · Score: 3, Informative

      The hack is essentially just an exploit of a buffer overflow in the game load code of the game 'Agent Under Fire' (AUF).

      Once the buffer overflow was found, it was a relatively simple matter of creating a doctored save game that caused the xbox to boot off the hard drive when you try and 'load' that saved game file.

      So to boot into linux, you have to buy AUF, obtain the doctored save game and get it onto the machine (I'm not sure how you go about that part.. perhaps the xbox has some removable media), then boot into AUF, go through the menu system, load your doctored save game, and behold, your xbox will boot into linux.

  18. Re:I will never understand this. by GiMP · · Score: 2, Funny

    There are plenty of graphical calculators for Linux.. personally, I use python like the parent or for very simple integer calculations, bc or dc.

  19. XBox sales show this is NOT the future. by Viewsonic · · Score: 4, Insightful

    So don't worry about it. As far as consoles go, XBox is terrible. It has about 2-3 games worth buying that aren't on the PC, and pretty soon they'll be on the PC regardless.

    Consoles will stay consoles. They will be made to play purely games and nothing else. This is what people want to buy, and they're showing it with their pocketbooks right now. Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsoft's try-and-do-everything Box. The numbers speak for themselves.

  20. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh

  21. Re:Hexadecimal. by smeenz · · Score: 3, Insightful

    It's a sad sad day when someone gets modded up for explaining how hexadecimal works on slashdot.org

    Come on.. are we geeks or mice here ?

  22. Online cheating by mark_space2001 · · Score: 2

    For me the main issue is online play and cheating. The Xbox has a security key to only allow certain programs (i.e., licensed developers) to run. This really reduces the chances of online cheating. Cheating online has all but ruined SOCOM's online play for the PS2, I don't want that to happen to Xbox games as well.

    Eventually, I think all game consoles will have security keys like the Xbox.

    Linux is cool, but not every computing device in the world needs to run it. Unlike servers and desktop PCs, game consoles are not mission critical for anything. These Linux hackers should leave the Xbox alone and devote some time to improving X performance on the desktop, or something else useful.

  23. Re:I will never understand this. by CustomDesigned · · Score: 2, Informative

    For hex addition, I sometimes use a Chinese abacus. The Chinese style has two top beads and 5 bottom beads (as opposed to the Japanese style which has 1 top bead and 4 bottom beads). One of the top beads and one of the bottom beads on a Chinese abacus are never used for decimal addition (they are used for carries when multiplying). However, if you count each top bead as 5 and each bottom bead as 1, they add up to 15 - which works perfectly for addition in base 16 (just as the 1 top and 4 bottom add up to 9 for decimal addition). The beauty of adding on an abacus is that the answer appears as you "key" in the operands. No wasted keystrokes to type "+" or ENTER.

  24. You know you're a slashdot reader ... by j2demelo · · Score: 2, Funny

    when you say "You know your a geek..."

  25. Re:What does this hack let you do? by Ho-Lee-Chow · · Score: 2

    What does this hack let you do?

    Well, how about running the code of your choice on an Xbox? How does that sound? (Hint: it used to be impossible without doing a hardware mod.)

    Disclaimer: Since I don't own an Xbox, some of these details are a little sketchy and may be incorrect.

    This hack lets you load unsigned software, such as Linux, of your choice onto an XBox, without using a mod-chip or making any hardware mods. Previously, you could only run software that is signed by Microsoft on an Xbox, unless you voided the warranty and made Xbox Live impossible by installing a mod-chip or flashing the BIOS.

    You need a copy of 007: Agent of Fire. You load the "unsigned" (*) code, such as Linux, and a specially hacked 007: AUF savegame onto a special kind of memory card that connects to your PC.

    You then fire up 007: AUF, and load the hacked savegame, which takes advantage of the buffer overflow exploit in order to load your "unsigned" code. This "unsigned" code could be Xbox Linux, XboxMediaPlayer, or any of the other homebrew projects out there for Xbox.

    If you haven't heard of the open-source XboxMediaPlayer, it looks pretty sweet. It can play all kinds of audio and video files from your Xbox's hard drive or a streaming server, such as: WMV, ASF, WMA, VCD, SVCD, MPEG, JPEG, GIF, BMP, DivX, XVid, etc. It basically turns your Xbox into a cheap Media Centre PC (except for the TV recording part).

    (*) Actually, according to the article, you have to sign the code yourself, but it's easy in this case, because of the way the exploit works.
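
The save-game loader weakness that Gyorg_Lavode, smeenz and Ho-Lee-Chow describe above, as an added C example that is not code from the article or the hack: the unbounded copy of a file-supplied field beside its bounds-checked replacement, with the checks a loader needs before trusting any length it reads. The record layout (magic, one length byte, name, payload), the field sizes and the sample records are constructed for illustration and are not the real game's format.

```c
/* Added example of the loader weakness the thread describes.  The record
 * layout is constructed for illustration and is NOT the real game's format:
 * 4-byte magic "XSAV", 1-byte name length, name bytes, then the payload. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16                  /* fixed name buffer, NUL included */
#define HDR_LEN 5                    /* magic + length byte */
static const uint8_t SAVE_MAGIC[4] = { 'X', 'S', 'A', 'V' };

enum save_status { SAVE_OK = 0, SAVE_ERR_MAGIC, SAVE_ERR_TRUNCATED, SAVE_ERR_NAME_TOO_LONG };

struct save_header {
    char name[NAME_MAX];             /* NUL-terminated display name */
    const uint8_t *payload;          /* points into the record after the name */
    size_t payload_len;
};

/* BEFORE: the "simple buffer overflow" pattern.  The copy length comes straight
 * from the file, so a name longer than NAME_MAX - 1 bytes is written past
 * 'name' into whatever the compiler placed after it.  Kept only for contrast. */
static enum save_status parse_save_unsafe(const uint8_t *rec, size_t len,
                                          struct save_header *out) {
    if (len < HDR_LEN || memcmp(rec, SAVE_MAGIC, 4) != 0) return SAVE_ERR_MAGIC;
    size_t name_len = rec[4];
    memcpy(out->name, rec + HDR_LEN, name_len);  /* never compared to NAME_MAX */
    out->name[name_len] = '\0';
    out->payload = rec + HDR_LEN + name_len;
    out->payload_len = len - HDR_LEN - name_len; /* can also wrap around */
    return SAVE_OK;
}

/* AFTER: every length taken from the file is checked against both the
 * destination buffer and the bytes actually present before any copy. */
static enum save_status parse_save_safe(const uint8_t *rec, size_t len,
                                        struct save_header *out) {
    if (len < HDR_LEN) return SAVE_ERR_TRUNCATED;
    if (memcmp(rec, SAVE_MAGIC, 4) != 0) return SAVE_ERR_MAGIC;
    size_t name_len = rec[4];
    if (name_len >= NAME_MAX) return SAVE_ERR_NAME_TOO_LONG;  /* leave room for NUL */
    if (len - HDR_LEN < name_len) return SAVE_ERR_TRUNCATED;
    memcpy(out->name, rec + HDR_LEN, name_len);
    out->name[name_len] = '\0';
    out->payload = rec + HDR_LEN + name_len;
    out->payload_len = len - HDR_LEN - name_len;
    return SAVE_OK;
}

/* Serialises a record into buf; returns its length, or 0 if it would not fit. */
static size_t build_record(uint8_t *buf, size_t cap, const char *name,
                           const uint8_t *payload, size_t payload_len) {
    size_t name_len = strlen(name);
    if (name_len > 255 || cap < HDR_LEN + name_len + payload_len) return 0;
    memcpy(buf, SAVE_MAGIC, 4);
    buf[4] = (uint8_t)name_len;
    memcpy(buf + HDR_LEN, name, name_len);
    memcpy(buf + HDR_LEN + name_len, payload, payload_len);
    return HDR_LEN + name_len + payload_len;
}

static const uint8_t SAMPLE_PAYLOAD[] = { 1, 2, 3, 4 };    /* constructed */

/* Runs the hardened parser on a record carrying the given name. */
static enum save_status safe_status_for_name(const char *name) {
    uint8_t buf[512];
    struct save_header hdr;
    size_t len = build_record(buf, sizeof buf, name, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD);
    return len ? parse_save_safe(buf, len, &hdr) : SAVE_ERR_TRUNCATED;
}

/* A record that claims a 10-byte name but supplies only 3 bytes after the header. */
static enum save_status safe_status_truncated(void) {
    static const uint8_t rec[] = { 'X', 'S', 'A', 'V', 10, 'a', 'b', 'c' };
    struct save_header hdr;
    return parse_save_safe(rec, sizeof rec, &hdr);
}

/* The unsafe parser is only ever exercised on a well-formed record here. */
static bool unsafe_ok_on_wellformed(void) {
    uint8_t buf[64];
    struct save_header hdr;
    size_t len = build_record(buf, sizeof buf, "AGENT", SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD);
    return parse_save_unsafe(buf, len, &hdr) == SAVE_OK
        && strcmp(hdr.name, "AGENT") == 0 && hdr.payload_len == sizeof SAMPLE_PAYLOAD;
}

int main(void) {
    const char *oversized = "this name is far longer than the sixteen byte buffer";
    printf("well-formed record: %d (SAVE_OK=%d)\n", safe_status_for_name("AGENT"), SAVE_OK);
    printf("oversized name: %d (SAVE_ERR_NAME_TOO_LONG=%d)\n",
           safe_status_for_name(oversized), SAVE_ERR_NAME_TOO_LONG);
    printf("truncated record: %d (SAVE_ERR_TRUNCATED=%d)\n",
           safe_status_truncated(), SAVE_ERR_TRUNCATED);
    return 0;
}
```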

  26. Process of Discovery, not how it works... by grimani · · Score: 2, Interesting

    The interesting bit should be how the dude discovered the overflow...not how it works.

    Discovering an overflow in a controlled environment such as a console is no easy task. Console games don't usually crash - what indicated an overflow was present for exploiting?

    After that, exploiting an overflow is really just a menial task. There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?

    Beyond that, exploiting it is simple...

    So, anybody know how that particular overflow was discovered?