where hacking meets demoscene
play

Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the - PowerPoint PPT Presentation

Feb 24, 2024 •248 likes •668 views

Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the Greater Good Breakpoint 2008 Felix tmbinc Domke <tmbinc@elitedvb.net> True 64bit architecture 3 Dual-Thread cores, 3.2 Ghz each GB RAM Fast DVD-drive o

  1. Where Hacking Meets Demoscene Abusing Kiddie-Hardware for the Greater Good Breakpoint 2008 Felix “tmbinc” Domke <tmbinc@elitedvb.net>

  2. • True 64bit architecture • 3 Dual-Thread cores, 3.2 Ghz each • ½ GB RAM • Fast DVD-drive o m • Large and fast SATA HDD e d • Full-HD and VGA output t c e f • Wireless controller support r e ? p e • 80W idle, 120W full load n e i h h T c • R600-class GPU with embedded a m highspeed memory and Linux support starting at $199! available NOW!

  3. The perfect demoscene machine? • (Official) developers get “development kits” for big money (and big NDAs) • Those systems execute “unsigned” (or self-signed) code • Full toolchain/libs/docs included.

  4. • On Retail machines, security mechanisms ensure that only “signed” code can be executed • Gaming Consoles vendors are afraid of • piracy • cheating • non-licensed developers • So they don’t let you use their products (except for very limited exceptions: commercial games).

  5. Why do they spoil our fun?! • Hardware is often subsidized (you don’t really believe $199 MSRP is enough for such a hardware, don’t you?) • Money comes from the games. • Vendors have absolutely no interest in selling hardware for demosceners

  6. “Just some obfuscation”? • State-of-the-art security schemes, including memory encryption, memory hashing, secure bootloaders, e-Fuses / on-chip non- volatile memory, on-chip RAM/ROM, NX, hypervisors. • Quite a lot of effort these days will be put into security.

  7. Should that stop us? • Of course not! (Since when do we listen to vendors?!) • Hackers so far always found ways around their security systems, allowing own code to be executed on retail systems.

  8. Nintendo Wii • “Gamecube 1.5”, but still: • 729 MHz PowerPC CPU (IBM 750CL) • EDTV (480p) graphics • 24MB+64MB RAM • Bluetooth, WiFi, USB, Gamecube legacy interfaces • 250 € MSRP

  9. Savegame Exploit • Easiest way: • called “T wilight Hack” by Team Twiizers. • Uses “Zelda: Twilight Princess”, a top- selling first-party game. • Allows you to execute own, self-written code in Wii-mode.

  10. So what do we need? • Wii • Zelda: Twilight Princess • SD-Card • That’s it!

  11. Wii, Security? • Security scheme is interesting, but totally broken once you disassemble it. • Their RSA implementation is broken. • No protection against stack overflows in games (savegame exploits FTW). • “Security processor” firmware has many obvious, exploitable bugs (once you’re in, you own it. Completely.).

  12. “T wilight Hack” • Savegame exploit: Giving Link’s horse an overlong name crashes the game. • Exploiting that can run code. • You can restore savegames from SD card. • Running Z:TP after that will run the exploit. • So, let’s do that!

  14. How to write Code? • Using the official SDK? • Illegal! • Fully functional. • ...but soooo boring.

  15. Free Software FTW! • libOGC • open-source library • originally written for the gamecube • (but also supporting Wii-specific features) • comes together with a precompiled cross- toolchain... • ... and sample code, like that spinning cube.

  16. The Wii Architecture EFB TexCache (~2.1MB) (1MB) Hollywood MMIO GPU CPU Commands RAM XFB Textures TV OUT

  17. Hello, Cube! • Rendering first happen into the internal GPU RAM (eFB) • Data then gets copied into main RAM (XFB), then output to the TV • For details, look at the “acube” libogc demo. • http://sourceforge.net/projects/devkitpro/

  18. Xbox 360 • A beast: • 3 SMT -cores with 3.2 GHz each • 512 MB RAM • GPU: • Superset of Shader Model 3.0 • Very strong fill rate, thanks to embedded RAM (again)

  19. So, let’s hack it, and have some fun. • Quite advanced security: essentially forbits that any user (=game) software can write executable code into memory • Microsoft - yes - really learned their lessons from original Xbox. • Buffer overflows in a game doesn’t help at all (keywords: encrypted memory, NX, Hypervisor) • To make a long story short: Yes, there is a hack.

  20. “King Kong Shader Hack” • You need: • An Xbox 360 with a specific kernel version, • a modified DVD-ROM Firmware, • a modified game.

  21. “King Kong Shader Hack” • You gain: • Arbitrary code execution in hypervisor context (something that’s not possible with an official SDK) • Fully functional Linux, if you want • Full hardware access

  22. (DEMO)

  23. Hello, world! • Let’s write a winnerdemo! • Let’s display a spinning cube!

  24. Hello, Cube! • We have a GPU driver based on reverse- engineering. • GPU doesn’t have fixed-function pipeline. • We need to compile shaders. • Microsoft offers XNA (“Use C# code to write games”), which includes a shader compiler we can use.

  25. Xbox 360 GPU architecture eDRAM (10 MB) Xenos MMIO GPU resolve CPU Shader Commands (Xenon) RAM Framebuffer Textures Ana (TV Out)

  26. Xenos Features • eDRAM (10MB) is “intelligent” RAM which handles Blending, Z-Compare, AA and Format-Conversion • Huge bandwidth • No textures etc. • Rendering happens directly into eDRAM • “Resolve”-Operation copies into FB

  27. Xenos Features • SM 3.0+ • Memory Export: Shaders can write to memory (multipass-geometry) • 32-bit float textures, 16-bit float framebuffer (per channel, of course), if you want

  28. Hello, Cube! • Init Hardware (Map Memory, upload Microcodes) • Load Shader • For each frame: • Setup Material (Renderstates, Textures, Shaders) • Draw Primitive • “Resolve” eDRAM into Framebuffer

  29. Our Xe_-API • GPU was developed with Direct3D in mind. • Hardware more or less matches what D3D exposes to the user (most enum even match exactly!) • Direct3D-like API, just a bit more low-level. • No unneccessary indirections / wrappers. • So things get very very complicated, right? • I’ll try it anyway.

  30. Initialize Hardware struct XenosDevice _xe, *xe; xe = &_xe; /* initialize the GPU */ Xe_Init(xe); • Library will memory map MMIO registers and physical memory to use • Hardware register will be re-initialized (they were left in an uncertain state after the KK-exploit)

  31. Define Render Target /* create a render target (the framebuffer) */ struct XenosSurface *fb = Xe_GetFramebufferSurface(xe); Xe_SetRenderTarget(xe, fb); • Basically just some pointers are set. • Viewport Scaling is set. • Now, let’s display something!

  32. /* let's define a vertex buffer format */ Our Cube! static const struct XenosVBFFormat vbf = { 5, { {XE_USAGE_POSITION, 0, XE_TYPE_FLOAT3}, {XE_USAGE_NORMAL, 0, XE_TYPE_FLOAT3}, {XE_USAGE_TANGENT, 0, XE_TYPE_FLOAT3}, {XE_USAGE_COLOR, 0, XE_TYPE_UBYTE4}, {XE_USAGE_TEXCOORD, 0, XE_TYPE_FLOAT2} } (actual size) }; /* a cube */ float cube[] = { // POSITION | NORMAL | TANGENT | COL | U V | -0.5000 , -0.5000 , -0.5000 , +0.0000 , +0.0000 , -1.0000 , +1.0000 , +0.0000 , +0.0000 , +0.0000 , +1.0000 , +1.0000, -0.5000 , +0.5000 , -0.5000 , +0.0000 , +0.0000 , -1.0000 , +1.0000 , +0.0000 , +0.0000 , +0.0000 , +1.0000 , +0.0000, +0.5000 , +0.5000 , -0.5000 , +0.0000 , +0.0000 , -1.0000 , +1.0000 , +0.0000 , +0.0000 , +0.0000 , +2.0000 , +0.0000, +0.5000 , -0.5000 , -0.5000 , +0.0000 , +0.0000 , -1.0000 , +1.0000 , +0.0000 , +0.0000 , +0.0000 , +2.0000 , +1.0000, ... +0.5000 , -0.5000 , +0.5000 , +0.0000 , -1.0000 , +0.0000 , -1.0000 , +0.0000 , +0.0000 , +0.0000 , +0.0000 , +0.0000, -0.5000 , -0.5000 , +0.5000 , +0.0000 , -1.0000 , +0.0000 , -1.0000 , +0.0000 , +0.0000 , +0.0000 , +1.0000 , +0.0000, -0.5000 , -0.5000 , -0.5000 , +0.0000 , -1.0000 , +0.0000 , -1.0000 , +0.0000 , +0.0000 , +0.0000 , +1.0000 , +1.0000, }; unsigned short cube_indices[] = { 0, 1, 2, 0, 2, 3, 4, 5, 6, 4, 6, 7, 8, 9, 10, 8, 10, 11, 12, 13, 14, 12, 14, 15, 16, 17, 18, 16, 18, 19, 20, 21, 22, 20, 22, 23};

  33. Put Geometry into Physical Memory /* create and fill vertex buffer */ struct XenosVertexBuffer *vb = Xe_CreateVertexBuffer(xe, sizeof(cube)); void *v = Xe_VB_Lock(xe, vb, 0, sizeof(cube), 0); memcpy(v, cube, sizeof(cube)); Xe_VB_Unlock(xe, vb); /* create and fill index buffer */ struct XenosIndexBuffer *ib = Xe_CreateIndexBuffer(xe, sizeof(cube_indices), XE_FMT_INDEX16); unsigned short *i = Xe_IB_Lock(xe, ib, 0, sizeof(cube_indices), 0); memcpy(i, cube_indices, sizeof(cube_indices)); Xe_IB_Unlock(xe, ib);

  34. Load Shaders /* load pixel shader */ struct XenosShader *sh_ps, *sh_vs; sh_ps = Xe_LoadShader(xe, "ps.psu"); Xe_InstantiateShader(xe, sh_ps, 0); /* load vertex shader */ sh_vs = Xe_LoadShader(xe, "vs.vsu"); Xe_InstantiateShader(xe, sh_vs, 0); Xe_ShaderApplyVFetchPatches(xe, sh_vs, 0, &vbf); Refers to the used Vertex Buffer Format

  35. Vertex Shader float4x4 modelView: register (c0); Output main(Input input) float4x3 modelWorld: register (c4); { Output output; struct Input output.oPos = { mul(transpose(modelView), input.vPos); float4 vPos: POSITION; output.oNormal = float3 vNormal: NORMAL; mul(transpose(modelWorld), input.vNormal); float4 vUV: TEXCOORD0; output.oUV = input.vUV; }; return output; } struct Output { float4 oPos: POSITION; float3 oNormal: NORMAL; float4 oUV: TEXCOORD0; } Transform Position and Normal, Passthru UV

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
where where the the old old fronti frontier meets meets the the new fronti new frontier LFC

where where the the old old fronti frontier meets meets the the new fronti new frontier LFC

where where the the old old fronti frontier meets meets the the new fronti new frontier LFC STATUS BRIEFING JULY 13, 2011 Christine Anderson Executive Director New Mexico Spaceport Authority 1 Agenda Overview Capital Budget

682 views • 39 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach &amp; Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets

QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets

QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets Gravity 2019 5 th in the series! Each year it grows. Developments: Reformulation of GR via double copy to make progress on various topics.

437 views • 5 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead

Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead

Where Inner West meets Outer West.. Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead Industrial Area Tshelimnyama Tshelimnyama Extension of Giba Business Estate Informal Settlement Area GIBA

489 views • 35 slides
Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried

Dismantling droids for breakfast - The current state of app reverse engineering Siegfried Rasthofer SECURE SOFTWARE ENGINEERING GROUP #whoami 3rd year PhD-Student at Secure Software Engineering Group Darmstadt, Germany (Prof. Dr.

458 views • 22 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from &quot;Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented

Traditional Commercial Software Development Open Source Development Producing consumer-oriented software is often done in much the same way as for tangible mass-produced Dr. James A. Bednar products, such as furniture or cars. E.g., a company:

526 views • 5 slides
Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda

Deobfuscation and beyond Vasily Bukasov and Dmitry Schelkunov https://re-crypt.com Agenda We'll speak about obfuscation techniques which commercial (and not only) obfuscators use and how symbolic equation systems could help to

612 views • 50 slides
Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r www.vantagepoint.sg | office@vantagepoint.sg Hi everyone my name is Lyon Yang I hack IoT and embedded systems. I live in sunny Singapore. Spoke @

846 views • 47 slides
KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the existing Victorian style architecture surroundings offers a charming and trendy atmosphere that is unique and beloved by many. King West has been

326 views • 3 slides
Real World Cryptography 2015 London, UK, 7-9 January 2015

Real World Cryptography 2015 London, UK, 7-9 January 2015

Real World Cryptography 2015 London, UK, 7-9 January 2015 www.realworldcrypto.com/rwc2015 #realworldcrypto Welcoming Remarks Fire safety Lightning talks

338 views • 8 slides
Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview

Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview

Supplemental Information Third Quarter Earnings Call 2011 Market &amp; Financial Overview Capital Values $ $

584 views • 19 slides

More recommend