have fun with video games
play

Have fun with video games Introduction Vuln Exploitation Samuel - PowerPoint PPT Presentation

Feb 13, 2023 •331 likes •659 views

Have fun with video games Samuel Chevet / Clement Rouault Presentation Have fun with video games Introduction Vuln Exploitation Samuel Chevet / Clement Rouault w4kfu@lse.epita.fr / hakril@lse.epita.fr http://www.lse.epita.fr 12 February

  1. Have fun with video games Samuel Chevet / Clement Rouault Presentation Have fun with video games Introduction Vuln Exploitation Samuel Chevet / Clement Rouault w4kfu@lse.epita.fr / hakril@lse.epita.fr http://www.lse.epita.fr 12 February 2013

  2. This talk Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Divide in two presentation Exploitation 1 : Research the vuln 2 : The exploitation

  3. Vulnerability Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Mutiple attack vector Vuln Browser Exploitation Java PDF, DOC, XLS, . . . Is there any other attack vector ?

  4. Video games Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Large community over internet Vuln Lan Party Exploitation Multi Platform (PC, Console, . . . ) Not only video games Voice over IP

  5. How to start Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Study with unpacked version Exploitation Cipher algorithm Compression method

  6. Find the switch Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation

  7. Heroes of Might and Magic 3 Have fun with video games Samuel Chevet / Clement Rouault .text:004977D6 .text:004977D6 loc_4977D6: ; unsigned int Presentation .text:004977D6 push 10Ch Introduction .text:004977DB call ??2@YAPAXI@Z ; operator new(uint) Vuln Exploitation 00000000 HeroesIIISession struc ; (sizeof=0x10C) 00000000 dwFlags dd ? 00000004 guidInstance BFID ? 00000014 guidApplication BFID ? 00000024 dwMaxPlayers dd ? 00000028 dwCurrentPlayers dd ? 0000002C lpszSessionName db 128 dup(?) 000000AC lpszPassword db 80 dup(?) 000000FC dwUser1 dd ? 00000100 dwUser2 dd ? 00000104 dwUser3 dd ? 00000108 dwUser4 dd ? 0000010C HeroesIIISession ends

  8. Heroes of Might and Magic 3 Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction .text:00497876 repne scasb Vuln .text:00497878 not ecx .text:0049787A sub edi, ecx Exploitation .text:0049787C mov eax, ecx .text:0049787E mov esi, edi .text:00497880 mov edi, [ebp+dwFlags] .text:00497883 shr ecx, 2 .text:00497886 rep movsd .text:00497888 mov ecx, eax .text:0049788A and ecx, 3 .text:0049788D rep movsb

  9. Heroes of Might and Magic 3 Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation Case 0x301: .text:00588D5F push ecx .text:00588D60 push eax ; Args .text:00588D61 push offset aSS_6 ; "%s: %s" .text:00588D66 push offset dword_69D7B0 ; int .text:00588D6B call WrapperVsprintf

  10. Heroes of Might and Magic 5 Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Size of packet stored into header Exploitation Use this size for everything Lot of Null-Pointer dereference <value=MessageText>

  11. Age of Empire III Have fun with video games Object of Type CPacket (0x434) stored on the stack Samuel Chevet / Fill this object with block of 0x10 Clement Rouault Presentation Pseudo Code Introduction if (CPacket->Nb_block > 0) Vuln Exploitation { ptr = &Cpacket->Field_21C; do { CopyFromBuffer(ptr - 0x200, Buf, 0x10); CopyFromBuffer(ptr, Buf, 0x10); count++; ptr += 0x10; } while (count < Cpacket->Nb_block); }

  12. Age of Empire III Have fun with video games Samuel Chevet / // TYPE MESSAGE Clement Rouault buf[0] = 0x16; Presentation // NB BLOCK OF 0x10 Introduction *(DWORD*)(buf + 1) = 0x0000FFFF; Vuln Exploitation // First overwrite *(DWORD*)(buf + 5 + (65 * 0x10)) = 0x0000FFFF; // SEH overwrite *(DWORD*)(buf + 0xE54 + 5) = 0x42424242; *(DWORD*)(buf + 0xE54 + 5 + 4) = 0x43434343; // Second overwrite *(DWORD*)(buf + 5 + (64 * 2 * 0x10)) = 0x00000090;

  13. Command and Conquer 3 Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Fuzzing ? Exploitation No ... You have to study first the entire protocol Cypher algorithm CRC

  14. Command and Conquer 3 Have fun with video games Samuel Chevet / Clement Rouault Presentation + 0x00 : CRC Introduction + 0x04 : Type Message Vuln Exploitation + 0x08 : . . . dwCrc = 0; for (i = 0; i < dwLenBuf; i++) dwCrc = (dwCrc >> 31) + Buf[i] + 2 * dwCrc;

  15. Command and Conquer 3 Have fun with video games Samuel Chevet / Clement Rouault Not only CRC ! Presentation Weak Cipher (sometimes) Introduction Vuln Exploitation dwKey = 0x38D9B7D4; for (i = 0 ; i < dwLenBuf; i += 4) { *(DWORD*)(Buf + i) = htonl(dwKey ^ *(DWORD*)(Buf + i)); dwKey -= 0x7F39C50E; }

  16. Moare ! Have fun with video games File Format study Samuel Chevet / Clement Rouault Client can download your map Presentation .map Introduction Vuln Compression Exploitation 3 Control characters How many characters of plain text must be read How many characters from the already decoded text Where to read the characters from the already decoded text Finally after digging on google, it is Wing Commander / Xan Video Decoder And the vulnerability discover can start ¨ ⌣

  17. Basic Protections Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation DEP : Don’t jump on my data What is ROP ? Finding ASLR : Add some randomness to data and libs Assembling gadget

  18. Solution : ROP Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Using the application’s code Exploitation What is ROP ? Heavily use gadget of type "* ; ret" Finding Assembling gadget Chaining gadgets using "ret"

  19. ROP Rules Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln The flow is controlled by the stack Exploitation What is ROP ? Register can be fill by static values using pop Finding Assembling gadget You can’t rely on any fixed address for data

  20. 2 steps for ROP Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation Find gadgets What is ROP ? Finding Assemble them Assembling gadget

  21. Finding the good gadget Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln some gadgets are hidden Exploitation What is ROP ? "or ebp, 80h" => 81 CD 80 00 00 00 Finding Assembling gadget CD 80 => "int 0x80"

  22. How RopMount find gadgets Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation Stop on interesting opcode (0xC3, 0xC2) What is ROP ? Finding Trace back from this point to find valid disassembly Assembling gadget

  23. Example Have fun with video games Samuel Chevet / Clement Rouault Presentation 83 C4 54 C3 => "add esp, 0x54" Introduction Vuln Steps Exploitation What is ROP ? C3 => ret Finding Assembling gadget 54 C3 => push esp; ret C4 54 C3 => ??? 83 C4 54 C3 => add esp, 0x54

  24. RopMount Dumper Syntax Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Simple x86 intel syntax Vuln REG32 : any 32bits register Exploitation CONST : any immediat What is ROP ? Finding Assembling gadget ANY : any instruction ROP : any instruction that would not break a ROP {min,max} before an instruction to repeat it

  25. Example Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction "{1,} pop REG32; ret" Vuln Exploitation Matches What is ROP ? Finding Assembling gadget pop eax, ret pop edi; pop esi; pop ebp; pop ebx; pop ecx; ret

  26. File Format ? Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction ELF Vuln Exploitation Windows PE What is ROP ? Finding Just need 2 functions to handle new filetype Assembling gadget One that return a list of executable ’segments’ One that return o ff set in file of a vaddr

  27. Why Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Some actions are often used in shellcode Vuln Exploitation Assign value to register What is ROP ? mov Finding Assembling gadget strcpy The goal is to find the best way to do these actions.

  28. How Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Creating a set of instruction Exploitation Each instruction can use the finder and the others What is ROP ? Finding instructions Assembling gadget Keep some registers coherence through the execution

  29. The no_ registers Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction "mov eax, edi" Vuln mov esi, edi; ret; Exploitation mov ecx, esi; ret; What is ROP ? mov eax, ecx; ret Finding Assembling gadget "mov eax, edi!esi" mov ecx, edi; pop ebx; pop edx; ret; mov eax, ecx; ret

  30. Some instruction from the set Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln strstore Exploitation What is ROP ? clean Finding Assembling gadget (pe)call

  31. Questions ? Have fun with video games Samuel Chevet / Clement Rouault Presentation Introduction Vuln Exploitation Thank you for your attention What is ROP ? Finding Assembling gadget

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Games An Introduction What are Digital Games? Commonly referred to as video games

Digital Games An Introduction What are Digital Games? Commonly referred to as video games

Digital Games An Introduction What are Digital Games? Commonly referred to as video games People who play video games are called gamers Rapidly growing industry Generated close to USD 100 billion in revenue in 2015

706 views • 45 slides
Video Games Written and Researched by: Patrick Kania First Video Game The first Video Game made

Video Games Written and Researched by: Patrick Kania First Video Game The first Video Game made

Video Games Written and Researched by: Patrick Kania First Video Game The first Video Game made was in the early 1940-1950s. Also the most popular video game back then was Cathode Ray Tube. Video Game Research. Video Games are sometimes

419 views • 11 slides
Race, Sexuality, and Disability in Games By: Karen, Rachel, and Waylon Race in Video Games

Race, Sexuality, and Disability in Games By: Karen, Rachel, and Waylon Race in Video Games

Race, Sexuality, and Disability in Games By: Karen, Rachel, and Waylon Race in Video Games -Popular video games often play on racial stereotypes -Often playing into the prison industrial complex and systemic poverty -Maintaining color lines and

217 views • 19 slides
Video Games The Most Complicated Waste of Time Ever! Crystal Shaw Jacob King Kyle Hwang

Video Games The Most Complicated Waste of Time Ever! Crystal Shaw Jacob King Kyle Hwang

Video Games The Most Complicated Waste of Time Ever! Crystal Shaw Jacob King Kyle Hwang What are Video Games ? Video Games are electronic games in which a user interacts with the game using an input device and receives

685 views • 29 slides
Information Architecture and Games Patricia Evans Overview IA in Video Games Menus

Information Architecture and Games Patricia Evans Overview IA in Video Games Menus

Information Architecture and Games Patricia Evans Overview IA in Video Games Menus Loading Screens Tab Screens Questions? References IA in Video Games Gaming is an escape from reality User Interface Needs to

656 views • 17 slides
Digital Games People who play video games are called gamers An Introduction Rapidly growing

Digital Games People who play video games are called gamers An Introduction Rapidly growing

27/04/18 What are Digital Games? Commonly referred to as video games Digital Games People who play video games are called gamers An Introduction Rapidly growing industry Generated close to USD 100 billion in revenue in 2015

434 views • 12 slides
Introduction to Artificial Intelligence Video Games and AI Planning Janyl Jumadinova November 7,

Introduction to Artificial Intelligence Video Games and AI Planning Janyl Jumadinova November 7,

Introduction to Artificial Intelligence Video Games and AI Planning Janyl Jumadinova November 7, 2016 AI in (commercial) video games 2/15 AI in (commercial) video games Path finding Realistic motion Models of emotion Decision

167 views • 16 slides
Using Video Games for Workplace Safety Training Pennsylvania Governors Occupational Safety and

Using Video Games for Workplace Safety Training Pennsylvania Governors Occupational Safety and

Using Video Games for Workplace Safety Training Pennsylvania Governors Occupational Safety and Health Conference, October 2018 Ken Smith, Simcoach Games How I came to believe in using Video Games 25 year career in workforce management

974 views • 8 slides
Overview this Week Perspective: Film/Movie are more successful than video games, but do you

Overview this Week Perspective: Film/Movie are more successful than video games, but do you

Overview this Week Perspective: Film/Movie are more successful than video games, but do you think this will change? What are extremely successful games right now? Today: Reflect on the history of video games: We will do a Time Line

223 views • 11 slides
Overview Entertainment: Films/movies are more successful than video games, or have games

Overview Entertainment: Films/movies are more successful than video games, or have games

Overview Entertainment: Films/movies are more successful than video games, or have games eclipsed the movie industri? A Brief History of Video Games What are successful games right now? What are /were successful movies? Some PPT

359 views • 12 slides
Violence In Gaming By: Vamsi Garghi What Is Violence In Video Games Definition of violence from

Violence In Gaming By: Vamsi Garghi What Is Violence In Video Games Definition of violence from

Violence In Gaming By: Vamsi Garghi What Is Violence In Video Games Definition of violence from Merriam-Webster Dictionary: The use of physical force so as to injure, abuse, damage, or destroy. Violence in video games have been a factor

477 views • 14 slides
Video Games: Designing and Coding Oliver Bonham-Carter and Janyl Jumadinova Dept. of Computer

Video Games: Designing and Coding Oliver Bonham-Carter and Janyl Jumadinova Dept. of Computer

Video Games: Designing and Coding Oliver Bonham-Carter and Janyl Jumadinova Dept. of Computer Science 27 July, 2017 Please log into your computer at this time UserLogin: Password: What is a Video Game? What Kinds of Video Games?

485 views • 9 slides
Well Played Video Games, Value, and Meaning Drew Davidson About Me ETC Press First

Well Played Video Games, Value, and Meaning Drew Davidson About Me ETC Press First

Well Played Video Games, Value, and Meaning Drew Davidson About Me ETC Press First Publication in 2008 Experimental, Academic, Open Source Entertainment Technologies Across Fields Books, Journals, Proceedings, Games

406 views • 36 slides
BFI Research and Statistics Unit BFI Video Games Day In partnership with Creative Scotland and

BFI Research and Statistics Unit BFI Video Games Day In partnership with Creative Scotland and

BFI Research and Statistics Unit BFI Video Games Day In partnership with Creative Scotland and the University of Glasgow, 14 June 2018 BFI Research and Statistics Unit Overview Consumption of video games Certification and

888 views • 23 slides
Bacon Brains: Video Games for Teaching the Science of Addiction Joel Epstein Presentation

Bacon Brains: Video Games for Teaching the Science of Addiction Joel Epstein Presentation

Bacon Brains: Video Games for Teaching the Science of Addiction Joel Epstein Presentation Overview Substance Use in Adolescence Prevalence and Benefits of Gaming Health Games Substance Abuse Education Games Gender Differences

648 views • 52 slides
DiGRA 2005 Canadian Content in Video Games Leonard Paul of Vancouver Film School Vancouver,

DiGRA 2005 Canadian Content in Video Games Leonard Paul of Vancouver Film School Vancouver,

DiGRA 2005 Canadian Content in Video Games Leonard Paul of Vancouver Film School Vancouver, Canada Canadian Content in Video Games Leonard Paul Vancouver Film School Digital Research in Games Conference 2005 Introduction Video Games

425 views • 20 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 9, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Feb. 9, 2002) I E S R C E O

Systems Design &amp; Programming 80x86 Assembly II CMPE 310 Data Addressing Modes Base-Plus-Index addressing: Effective address computed as: seg_base + base + index. Base registers: Holds starting location of an array. ebp (stack) ebx

682 views • 8 slides
National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Standards Hearing on

National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Standards Hearing on

National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Standards Hearing on HIPAA and ACA Administrative Simplification Attachment Standards Testimony by Don St Jacques, Senior Vice President Jopari Solutions, Inc. Feb 16,

271 views • 12 slides
Standard bodies: who does what? Cristina Mussinelli (cristina.mussinelli@aie.it) Publishing and

Standard bodies: who does what? Cristina Mussinelli (cristina.mussinelli@aie.it) Publishing and

Standard bodies: who does what? Cristina Mussinelli (cristina.mussinelli@aie.it) Publishing and the Open Web Platform September 16th and 17th, Centre Pompidou, Paris Book distribution = information Information flow Identifiers and metadata

514 views • 13 slides
Solid Sands 1 Selection of our Customers 2 The Seventies - CISC 68000 6502 6800 8086 Z80

Solid Sands 1 Selection of our Customers 2 The Seventies - CISC 68000 6502 6800 8086 Z80

Compiler Verification, More Necessary than Ever Marcel Beemster, CTO Solid Sands 1 Selection of our Customers 2 The Seventies - CISC 68000 6502 6800 8086 Z80 8080 8051 Intel 4004 1981 1970 1975 1980 3 The Eighties - RISC TMS320

433 views • 21 slides
Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana

Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana

Mining Malware Secrets Paul Black Arun Lakhotia Federation University University of Louisiana at Lafayette Introductions Paul Black Arun Lakhotia Malware Analyst 5 years Professor of Computer Science CEO, Cythereal,

754 views • 32 slides
Equity, Diversity and Inclusion The Department of Chemistry promotes a safe, respectful and

Equity, Diversity and Inclusion The Department of Chemistry promotes a safe, respectful and

Equity, Diversity and Inclusion The Department of Chemistry promotes a safe, respectful and inclusive learning and working environment for all members of our community and strives to be a place that is free of discrimination and harassment,

73 views • 4 slides
Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops)

Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops)

Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops) Switch Statements New Instructions JMP CMP Conditional jumps (branches) Conditional MOV instruction 1 Conditional statements 2

678 views • 44 slides
FSPA Report UEC Meeting Aug. 10, 2018 1 Badminton Tournament Held a successful badminton

FSPA Report UEC Meeting Aug. 10, 2018 1 Badminton Tournament Held a successful badminton

FSPA Report UEC Meeting Aug. 10, 2018 1 Badminton Tournament Held a successful badminton tournament on July 14th BBQ after tournament Attended by &gt; 20 people Prizes and certificates were distributed 2 Career Week: Industry

352 views • 9 slides

More recommend