Slashdot Mirror


Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.

22 of 242 comments

  1. Geez by craigtay · · Score: 4, Funny

    From the looks of this article, they could probably make an entire course at a university devoted to modding the xbox.

  2. Stego or not? by robogun · · Score: 5, Insightful

    The code was "hidden" in the jfif header, therefore does not qualify as steganography in my opinion. But I bet MS jumps all over this and gets stego banned.

    1. Re:Stego or not? by AdEbh · · Score: 4, Informative

      I think it could. Steganography means hidden/covered writing from its Greek roots. The term is older than computers so I think the distinction between the body or header of an image file is a bit fine.

      - Alex

  3. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by AdEbh · · Score: 5, Informative

      I don't think that the Tux image was in the game executable, rather the save game file. This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      - Alex

    2. Re:I don't understand. by kc8kgu · · Score: 5, Informative

      Not that I would ever waste my time trying to hack an X box, but I can imagine a couple of reasons why the hacker might want to hide how it worked.

      The big one is that the more cryptic and obfuscated the hack is, the less likely the vulnerability will be fixed in a future version because it's less likely to be found and understood by the engineers trying to close it. From the article, it seems as if the game already has four versions that have this hole.

      But to contradict myself, the article seems to indicate the big hole is a simple buffer overflow. Easily noticed and fixed. If there are other relatively unknown hacks inside the encrypted payload, it may extend their availability and usefulness.

      On the other hand, the hacker may be simply trying to hide his identity, changing her code so it doesn't seem like it's in her personal style. To explain, people who write software for long enough in any arbitrary language begin to develop their own consistent style. Don't get me wrong, they do use the language's idiom to a certain extent, but usually have their own bit of flair to add to them.

      Let's consider the c/c++ for loop. Here are a few ways to write it - all pretty standard.
      /* first example */
      int i;
      for (i=0; i < FOO_COUNT; i++)
      DoItTo(myfoos[i]);

      /* second example */
      for (int index=0; index < FOO_COUNT; index++)
      {
      DoItTo(myfoos[index]);
      }

      /* third example, assume ok to change myfoos;
         here myfoos is a NULL-terminated array of pointers, so the
         loop stops when the element (not the pointer itself) is NULL */
      for (; *myfoos != NULL; myfoos++)
      DoItTo(*myfoos);

      Given a large enough sample of a person's code (say they did it for a living and their employer used cvs or similar), it's pretty easy to tell who wrote it. After about 15-20 lines of code, I can pretty well tell which of my coworkers are to blame for the latest bug. It's not a fingerprint, but you just need a glove size to narrow down the search.

      Or, I could be completely off base. It's happened before... Once ;-)

      Just my $0.02

      (ps, I realize that the guys fixing the hole wouldn't have the source to look at, but i would wager that enough flair gets through to the machine language)

    3. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

  4. Stop these immoral actions! by henriksh · · Score: 5, Funny

    Why are you guys constantly trying to work against the hard-working software publishers at Microsoft?

    Come on, guys - you know it's not right. Don't copy that floppy!

  5. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows it would be intresting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer, the above are merely ideas, I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...

    2. Re:Why did the hacker try to hide how he did it? by lkaos · · Score: 5, Insightful

      Nah, this is still just a buffer overflow. I doubt he "put" it in there.

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      The modification of the public key to make it divisible by 3 was just beautiful.

      --
      int func(int a);
      func((b += 3, b));

    3. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 4, Insightful

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are. Although the legality of hacking the X-Box is questionable, it's in a different world entirely from the vandalism associated with computer break-ins, and the community is doing this to a product they paid for and own.

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

    4. Re:Why did the hacker try to hide how he did it? by S.Lemmon · · Score: 4, Insightful

      I'm sure the reason was to make it harder for others to use the same hack to play copied games.

      Remember, they've already gone out of their way to stress it's use for a legitimate purpose (running Linux) and not for piracy. This is just one more example of that. It shows a good faith effort by the authors to insure the hack can't as easily be exploited for other purposes.

    5. Re:Why did the hacker try to hide how he did it? by TeknoHog · · Score: 4, Funny

      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      I second that. Why else would it have a power animal from the Antarctica? Also, it did originate in Finland where it's pretty bloody cold during most of the year.

      --
      Escher was the first MC and Giger invented the HR department.

  6. Brilliant! by 1010011010 · · Score: 5, Insightful

    The code is just brilliant. A lot of care was taken in the construction of this hack. No script kiddie is he.

    It looks like it retrieves the private key. That's interesting.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.

    1. Re:Brilliant! by ignoramus · · Score: 5, Interesting

      It looks like it retrieves the private key. That's interesting.

      I agree that it's interesting but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating its own (new and weak) key pair.

      From the article: Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?
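      The weak-key point in the comment above, worked through on toy numbers. This is an added example, not code from the article or from anyone in the thread: the key sizes, the modulus values, the message and the "pinned digest" check are all constructed here for illustration. It shows why a modulus that has been patched to be divisible by 3 no longer protects anything (anyone can recover a matching private exponent from its trivial factorization), and the two cheap sanity checks a verifier can run on its own embedded public key: reject a modulus with a small prime factor, and compare the modulus against a pinned hash. As the comment notes, those checks live in the same verifier code that can itself be patched, so they raise the bar rather than close the hole.

```python
# Added example (not from the article or the thread): toy RSA with constructed
# numbers, showing why a modulus patched to be divisible by 3 is a weak key and
# what a verifier can check about its own public key before trusting it.
from hashlib import sha256


def trial_factor(n):
    """Full factorization by trial division; fine for toy-sized n."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def derive_private_exponent(n, e):
    """Return d with e*d == 1 (mod phi(n)) once the factors of n are known.
    Assumes n is squarefree (distinct primes), as in the constructed keys below."""
    phi = 1
    for p in trial_factor(n):
        phi *= p - 1
    return pow(e, -1, phi)


def digest_mod_n(message, n):
    return int.from_bytes(sha256(message).digest(), "big") % n


def sign(n, d, message):
    """Textbook RSA: signature = digest^d mod n."""
    return pow(digest_mod_n(message, n), d, n)


def verify(n, e, message, sig):
    """Textbook RSA check: sig^e mod n must equal the digest reduced mod n."""
    return pow(sig, e, n) == digest_mod_n(message, n)


# Constructed keys. The "genuine" modulus is 61 * 53 with e = 17; the "patched"
# modulus is a nearby value, 3 * 1087, that is divisible by 3.
E = 17
GENUINE_N = 61 * 53      # 3233
PATCHED_N = 3 * 1087     # 3261
SMALL_PRIMES = (2, 3, 5, 7, 11, 13)

# A verifier can carry a digest of the modulus it expects (constructed here).
PINNED_N_DIGEST = sha256(GENUINE_N.to_bytes(4, "big")).hexdigest()


def has_small_factor(n):
    return any(n % p == 0 for p in SMALL_PRIMES)


def key_looks_genuine(n):
    """Two cheap checks on an embedded public key: no small prime factor, and
    the modulus matches the pinned digest."""
    if has_small_factor(n):
        return False
    return sha256(n.to_bytes(4, "big")).hexdigest() == PINNED_N_DIGEST


def demo():
    msg = b"constructed save-game blob"
    # With the patched modulus, a matching private exponent follows directly
    # from its factorization, so a signature made with it verifies.
    d_forged = derive_private_exponent(PATCHED_N, E)
    forged = sign(PATCHED_N, d_forged, msg)
    return {
        "patched_key_accepts_forgery": verify(PATCHED_N, E, msg, forged),
        "patched_key_flagged": not key_looks_genuine(PATCHED_N),
        "genuine_key_passes": key_looks_genuine(GENUINE_N),
    }


if __name__ == "__main__":
    print(trial_factor(PATCHED_N))   # [3, 1087]
    print(demo())
```

      The small-prime test is only a smoke test; the real defence is that the verifier's copy of the modulus cannot be altered at all, which is exactly the property the thread observes is hard to guarantee once the verification code itself is writable.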

  7. Don't Copy that Floppy by Altheus · · Score: 4, Funny

  8. You know your a geek... by Realistic_Dragon · · Score: 4, Funny

    ...when you can skim that article and not need to look anything up.

    --
    Beep beep.

  9. Re:Umm someone explain! by Gyorg_Lavode · · Score: 4, Informative

    I'm no programmer, but it seems they overflow a buffer used in loading saved games to mount the saved game as the d drive and then run a program off of it. This can then copy the modified files used to boot linux on an unmodified xbox to the hard drive.

    --
    I do security

  10. XBox sales show this is NOT the future. by Viewsonic · · Score: 4, Insightful

    So don't worry about it. As far as consoles go, XBox is terrible. It has about 2-3 games worth buying that aren't on the PC, and pretty soon they'll be on the PC regardless.

    Consoles will stay consoles. They will be made to play purely games and nothing else. This is what people want to buy, and they're showing it with their pocketbooks right now. Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsoft's try-and-do-everything Box. The numbers speak for themselves.

  11. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh

  12. Re:Does M$ have a fetish by ceejayoz · · Score: 4, Funny