Difference between revisions of "Exploits"
m (→Savegames: Added the Frogger exploit (as seen in presentations) and recent addition THPS4 (grimdoomer's work))
m (→Tony Hawk's Pro Skater 4: added grimdoomer's exploit (also chat snippet I had from him.))
Revision as of 07:43, 3 July 2017
== MCPX ==
=== LDT (HyperTransport) bus tap ===
See bunnie's adventures hacking the Xbox.
=== Visor hack ===
Exploits incorrect handling of the rollover (wraparound) of a memory address.
=== MIST hack ===
Exploits an error in the x-code interpreter's security check. There are at least two variations of this hack.
=== A20M# hack ===
Uses a legacy x86 feature (the A20 address-line mask).
=== RC4 attack (MCPX 1.0 only) ===
The MCPX 1.0 ROM decrypts the 2BL with RC4 and checks its integrity only by comparing the last few bytes of the decrypted 2BL against an expected value. RC4 is a stream cipher without feedback: every plaintext byte is XORed with an independent keystream byte, so a change to one ciphertext byte changes only the corresponding plaintext byte and is never reflected in the trailing bytes that are checked. The 2BL can therefore be freely modified, as long as the last few bytes still decrypt to what the MCPX ROM expects. An attacker who knows the original plaintext of a region does not even need the key: XORing the ciphertext with (original XOR desired) yields the desired plaintext after decryption.
This can be used to take over the 2BL entry point.
At the time the attack takes effect, the MCPX ROM is still visible (it has not been hidden yet), making this a very powerful attack.
This attack is described by Michael Steil in his Google talk.
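As an added illustration (not code from the page, from Steil's talk, or from the MCPX ROM), the following C program models the MCPX 1.0 check and the keystream malleability it fails to catch. The key, the trailer value, the image size and the entry-jump offset are hypothetical stand-ins; the RC4 routine is the standard algorithm. It also shows the one thing the check does catch: tampering with the trailer bytes themselves.

```c
/* Added example: RC4 stream-cipher malleability vs. a trailer-only integrity check. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_LEN 64
#define MAGIC_LEN 4
#define JMP_OFF   0   /* hypothetical offset of the 5-byte entry-point jump */
#define JMP_LEN   5

/* Stand-ins for values held in the MCPX ROM; both are hypothetical. */
static const uint8_t BOOT_KEY[16] = {
    0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
};
static const uint8_t MAGIC[MAGIC_LEN] = { 0x7a, 0x54, 0x78, 0x4a };

typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_ctx;

static void rc4_init(rc4_ctx *c, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) c->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        uint8_t t;
        j = (uint8_t)(j + c->s[k] + key[k % klen]);
        t = c->s[k]; c->s[k] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

/* RC4 is a stream cipher: out[k] = in[k] ^ keystream[k]; encrypt == decrypt. */
static void rc4_crypt(rc4_ctx *c, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        uint8_t t;
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->s[c->i]);
        t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
        out[k] = in[k] ^ c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
}

/* Model of the MCPX 1.0 check: decrypt, then compare only the trailer. */
int rom_accepts_2bl(const uint8_t *ct, uint8_t *pt, size_t n)
{
    rc4_ctx c;
    rc4_init(&c, BOOT_KEY, sizeof BOOT_KEY);
    rc4_crypt(&c, ct, pt, n);
    return memcmp(pt + n - MAGIC_LEN, MAGIC, MAGIC_LEN) == 0;
}

/* Attacker step, no key needed: keystream bytes do not depend on the data, so
   XORing ciphertext with (known ^ wanted) makes those bytes decrypt to `wanted`
   and leaves every other byte, trailer included, untouched. */
void forge_ciphertext(uint8_t *ct, size_t off, const uint8_t *known,
                      const uint8_t *wanted, size_t n)
{
    for (size_t k = 0; k < n; k++) ct[off + k] ^= known[k] ^ wanted[k];
}

/* Returns 2 if the forged image passes the check AND decrypts to the attacker's
   jump, 1 if it passes with wrong bytes, 0 if the ROM rejects it. */
int demo_hijack_entry(void)
{
    uint8_t pt[IMAGE_LEN], ct[IMAGE_LEN], out[IMAGE_LEN];
    /* Constructed 2BL: a near jump at the entry point, NOP filler, the trailer. */
    const uint8_t orig_jmp[JMP_LEN]   = { 0xe9, 0x83, 0x01, 0x00, 0x00 };
    const uint8_t attack_jmp[JMP_LEN] = { 0xe9, 0x00, 0x10, 0x00, 0x00 };
    rc4_ctx c;

    memset(pt, 0x90, sizeof pt);
    memcpy(pt + JMP_OFF, orig_jmp, JMP_LEN);
    memcpy(pt + IMAGE_LEN - MAGIC_LEN, MAGIC, MAGIC_LEN);
    rc4_init(&c, BOOT_KEY, sizeof BOOT_KEY);
    rc4_crypt(&c, pt, ct, sizeof pt);            /* the image as it sits in flash */

    forge_ciphertext(ct, JMP_OFF, orig_jmp, attack_jmp, JMP_LEN);

    if (!rom_accepts_2bl(ct, out, sizeof out)) return 0;
    return memcmp(out + JMP_OFF, attack_jmp, JMP_LEN) == 0 ? 2 : 1;
}

/* Counter-case: a change inside the trailer region is the one thing caught. */
int demo_trailer_tamper_rejected(void)
{
    uint8_t pt[IMAGE_LEN], ct[IMAGE_LEN], out[IMAGE_LEN];
    rc4_ctx c;
    memset(pt, 0x90, sizeof pt);
    memcpy(pt + IMAGE_LEN - MAGIC_LEN, MAGIC, MAGIC_LEN);
    rc4_init(&c, BOOT_KEY, sizeof BOOT_KEY);
    rc4_crypt(&c, pt, ct, sizeof pt);
    ct[IMAGE_LEN - 1] ^= 0x01;                   /* flip one bit of the trailer */
    return rom_accepts_2bl(ct, out, sizeof out) == 0;
}

int main(void)
{
    printf("entry hijack: %d (2 = accepted and redirected)\n", demo_hijack_entry());
    printf("trailer tamper rejected: %d\n", demo_trailer_tamper_rejected());
    return 0;
}
```

The same XOR trick works against any stream cipher or CTR-mode construction when integrity is not provided by a MAC or a real hash over the whole image.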
=== TEA attack (MCPX 1.1 only) ===
TEA, which is only used in MCPX 1.1, cannot be used as a hash in Davies-Meyer mode [1][2]: TEA has equivalent keys (flipping the highest bit of both k0 and k1, or of both k2 and k3, leaves the cipher unchanged), and in Davies-Meyer mode the message block is the key. And yet, Microsoft used it that way.
The original attack uses the 5 bytes at 0xffffd400 (FBL entry point), which are E9 83 01 00 00. This is jmp 0xffffd588 (a jump within the flash region).
Flipping the highest bit of the DWORD at 0xffffd400 (this DWORD holds the E9 opcode and the low three operand bytes; mind your endianness) turns the instruction into E9 83 01 80 00. This is jmp 0x7fd588 (a jump into the RAM region, because the 32-bit target wraps around).
For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped: only the pair of flips forms an equivalent TEA key, so a single flip would change the hash.
The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The two bit flips will not change the hash of the FBL / 2BL, as TEA is broken in this mode.
As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL, which will then jump into the attacker-controlled RAM.
When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.
The TEA algorithm and exploit are also described in more detail in bunnie's book (page 109 and page 142).
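As an added example (not code from the page, from bunnie's book, or from the MCPX ROM), the following C program builds a Davies-Meyer hash out of standard TEA and reproduces the two-flip collision on a constructed buffer that starts with the entry jump quoted above. The IV, the buffer length and the assumption that 0xffffd400 is the start of a 16-byte hash block are hypothetical; the jump-target arithmetic is plain x86 rel32 decoding. It also shows that a single flip is detected, which is why the second flip at the next DWORD is required.

```c
/* Added example: TEA equivalent keys break Davies-Meyer hashing (two-flip collision). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA 0x9E3779B9u
#define BLOCK_LEN 16   /* one 128-bit TEA key == one message block */

/* Standard TEA: 64-bit block, 128-bit key, 32 rounds. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Davies-Meyer: H_i = E_{M_i}(H_{i-1}) ^ H_{i-1}, the message block is the key.
   IV is hypothetical; len is treated as a multiple of BLOCK_LEN. */
uint64_t tea_davies_meyer(const uint8_t *msg, size_t len)
{
    uint32_t h[2] = { 0x01234567u, 0x89abcdefu };
    for (size_t off = 0; off + BLOCK_LEN <= len; off += BLOCK_LEN) {
        uint32_t k[4], v[2] = { h[0], h[1] };
        for (int i = 0; i < 4; i++) k[i] = load_le32(msg + off + 4 * i);
        tea_encrypt(v, k);
        h[0] ^= v[0];
        h[1] ^= v[1];
    }
    return ((uint64_t)h[0] << 32) | h[1];
}

/* Target of a 5-byte `E9 rel32` near jump at insn_addr; 32-bit wraparound is
   exactly what turns the flash address into a RAM address. */
uint32_t jmp_rel32_target(uint32_t insn_addr, const uint8_t *insn)
{
    return insn_addr + 5u + load_le32(insn + 1);
}

/* Flip bit 31 of the DWORDs at block offsets 0 and 4 (TEA key words k0 and k1).
   Each word enters the round only through an addition, and the two sums are
   XORed together, so the two bit-31 flips cancel: an equivalent key. */
void flip_pair(uint8_t *block)
{
    block[3] ^= 0x80;
    block[7] ^= 0x80;
}

/* Constructed stand-in for the start of the FBL: the entry jump from the page, then NOPs. */
static void make_fbl(uint8_t *buf, size_t len)
{
    static const uint8_t entry[5] = { 0xe9, 0x83, 0x01, 0x00, 0x00 };
    memset(buf, 0x90, len);
    memcpy(buf, entry, sizeof entry);
}

/* 1 if the double flip keeps the hash unchanged AND redirects the jump into RAM. */
int demo_double_flip_collides(void)
{
    uint8_t a[32], b[32];
    make_fbl(a, sizeof a);
    memcpy(b, a, sizeof b);
    flip_pair(b);
    if (tea_davies_meyer(a, sizeof a) != tea_davies_meyer(b, sizeof b)) return 0;
    return jmp_rel32_target(0xffffd400u, b) == 0x007fd588u;
}

/* 1 if flipping only the jump's DWORD (no partner flip) changes the hash. */
int demo_single_flip_detected(void)
{
    uint8_t a[32], b[32];
    make_fbl(a, sizeof a);
    memcpy(b, a, sizeof b);
    b[3] ^= 0x80;
    return tea_davies_meyer(a, sizeof a) != tea_davies_meyer(b, sizeof b);
}

int main(void)
{
    uint8_t fbl[32];
    make_fbl(fbl, sizeof fbl);
    printf("original jump target: 0x%08x\n", jmp_rel32_target(0xffffd400u, fbl));
    flip_pair(fbl);
    printf("flipped jump target:  0x%08x\n", jmp_rel32_target(0xffffd400u, fbl));
    printf("double flip collides: %d, single flip detected: %d\n",
           demo_double_flip_collides(), demo_single_flip_detected());
    return 0;
}
```

The same cancellation holds for k2 and k3 (block offsets 8 and 12), so any pair of adjacent words within the same half of a block can be flipped together without changing the hash.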
== Dashboard ==
=== Audio hacks ===
=== Font hacks ===
=== Easter-egg exploit ===
== Savegames ==
=== 007: Agent Under Fire ===
=== Frogger Beyond ===
=== MechAssault ===
=== Tom Clancy's Splinter Cell ===
=== Tony Hawk's Pro Skater 4 ===
Grimdoomer found a savegame exploit and shared it on Discord and later with Rocky5 for his softmod installer. A video demonstrating the game trigger (custom skatepark): https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view
grimdoomer, 10-4-2017: "It's just shell code I injected into the game save; granted, this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy. Basically it's literally as simple as a buffer overflow... I just looked for null-terminated strings and fuzzed them, then when I got a crash I looked in the xbe to figure out what was going on. Yeah, it's literally just a stack overflow."
Another website discussing his exploit: https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310
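As an added example (not grimdoomer's code and not THPS4's real save format), the following C program shows the bug class his quote describes and the check that finds it: a save loader that copies a NUL-terminated string field into a fixed stack buffer with no bound, a hardened loader beside it, and the fuzzing-style scan that flags a string field too long for its buffer. The save layout, the field name and the buffer size are all hypothetical.

```c
/* Added example: overlong NUL-terminated string field in a save blob (hypothetical layout). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_LEN       4
#define PARK_NAME_MAX 32   /* hypothetical: size of the game's stack buffer for the name */

/* Constructed save: 4-byte tag, NUL-terminated park name, then opaque data. */
static const uint8_t GOOD_SAVE[] = "PARK" "Warehouse\0" "\x01\x02\x03\x04";

/* The pattern the quote describes: an unbounded copy into a fixed stack buffer.
   A name longer than the buffer overwrites the stack, return address included,
   and whatever the save places after the name becomes the "loader".
   Shown for contrast only; never call this on an untrusted save. */
void parse_park_name_unsafe(const uint8_t *save, char out[PARK_NAME_MAX])
{
    strcpy(out, (const char *)save + TAG_LEN);
}

/* Hardened version: the terminator must lie inside the blob and inside the buffer. */
int parse_park_name_safe(const uint8_t *save, size_t len, char out[PARK_NAME_MAX])
{
    const uint8_t *p = save + TAG_LEN;
    size_t avail = len > TAG_LEN ? len - TAG_LEN : 0;
    const uint8_t *nul = memchr(p, 0, avail);
    if (nul == NULL || (size_t)(nul - p) >= PARK_NAME_MAX) return 0;
    memcpy(out, p, (size_t)(nul - p) + 1);
    return 1;
}

/* Fuzzing check: would the NUL-terminated string at `off` overflow a buffer of
   `max` bytes under strcpy? An unterminated string counts as overlong. */
int string_field_overflows(const uint8_t *save, size_t len, size_t off, size_t max)
{
    size_t n = 0;
    while (off + n < len && save[off + n] != 0) n++;
    return off + n >= len || n + 1 > max;   /* +1 for the terminator */
}

/* Mutated save whose name is `name_len` bytes of 'A'; returns the total length. */
size_t make_fuzzed_save(uint8_t *buf, size_t buflen, size_t name_len)
{
    if (buflen < TAG_LEN + name_len + 1) return 0;
    memcpy(buf, "PARK", TAG_LEN);
    memset(buf + TAG_LEN, 'A', name_len);
    buf[TAG_LEN + name_len] = 0;
    return TAG_LEN + name_len + 1;
}

int demo_good_save_parses(void)
{
    char name[PARK_NAME_MAX];
    return parse_park_name_safe(GOOD_SAVE, sizeof GOOD_SAVE, name) == 1 &&
           strcmp(name, "Warehouse") == 0;
}

int demo_fuzzed_save_rejected(void)
{
    uint8_t save[512];
    char name[PARK_NAME_MAX];
    size_t len = make_fuzzed_save(save, sizeof save, 200);
    return len != 0 && parse_park_name_safe(save, len, name) == 0;
}

int demo_fuzzed_save_flagged(void)
{
    uint8_t save[512];
    size_t len = make_fuzzed_save(save, sizeof save, 200);
    return string_field_overflows(save, len, TAG_LEN, PARK_NAME_MAX) == 1 &&
           string_field_overflows(GOOD_SAVE, sizeof GOOD_SAVE, TAG_LEN, PARK_NAME_MAX) == 0;
}

int main(void)
{
    char name[PARK_NAME_MAX];
    parse_park_name_unsafe(GOOD_SAVE, name);   /* safe only because the name fits */
    printf("unsafe loader on good save: %s\n", name);
    printf("good save parses: %d, fuzzed rejected: %d, fuzzed flagged: %d\n",
           demo_good_save_parses(), demo_fuzzed_save_rejected(), demo_fuzzed_save_flagged());
    return 0;
}
```

The scan is what a fuzzing pass over every NUL-terminated field in a save amounts to: lengthen each string past its buffer, and the field that crashes the loader is the one to look up in the XBE.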