Tony Hawk's Pro Strcpy
Ryan Miceli details his exploit development journey on the original Xbox through Tony Hawk’s Pro Skater 4, uncovering vulnerabilities and methods to execute arbitrary code, highlighting educational insights from older consoles.
In a detailed exploration of exploit development, Ryan Miceli recounts his journey into hacking the original Xbox through the game Tony Hawk’s Pro Skater 4. He began by analyzing game save files, particularly focusing on the "Create-A-Park" feature, which allowed players to name gaps in their custom skate parks. Miceli discovered that the game used the unsafe strcpy function to copy these names, leading to potential buffer overflow vulnerabilities. By crafting a malicious save file with an overly long gap name, he was able to crash the console and manipulate the return address in the stack, gaining control over the execution flow. He further devised a method to execute arbitrary code by embedding a shellcode copy stub in the save file's header, which would be executed upon loading the save. This approach allowed him to bypass signature enforcement on the Xbox, enabling the launch of unsigned executables. Miceli also discusses the "habibi" key, an RSA key used by early Xbox Linux hackers to facilitate running custom code without enabling piracy. His exploration highlights the vulnerabilities in older gaming consoles and the potential for learning about exploit development through them.
- Ryan Miceli explores exploit development on the original Xbox using Tony Hawk’s Pro Skater 4.
- He identifies a buffer overflow vulnerability in the game’s save file handling.
- A crafted save file allows him to gain control over the console's execution flow.
- The "habibi" key is discussed as a method to bypass signature enforcement for running unsigned code.
- The article emphasizes the educational value of older gaming consoles in understanding computer security.
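As an added illustration of the bug the summary describes, not code from the article or the game: a C sketch of the unbounded strcpy copy of a Create-A-Park gap name beside a bounded loader that rejects overlong or unterminated names. The record layout, buffer size and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout, not the game's real one: a gap name is a NUL-terminated
 * string inside a Create-A-Park record that the game copies into a fixed-size
 * stack buffer. The buffer size is a constructed placeholder. */
#define GAP_NAME_MAX 32

/* Shape of the bug the article describes: strcpy trusts whatever length the
 * save file supplies, so a name longer than the buffer runs past it into the
 * saved return address. Kept only for contrast; nothing here calls it. */
void load_gap_name_vulnerable(const char *save_name) {
    char name[GAP_NAME_MAX];
    strcpy(name, save_name);   /* unbounded copy from untrusted input */
    (void)name;
}

/* Hardened form: treat the save file as untrusted. Measure the string only
 * within the record's bounds, reject a missing terminator or a name that will
 * not fit with its NUL, then copy the exact length and terminate explicitly.
 * Returns true if the name was accepted. */
bool load_gap_name_safe(const char *record, size_t record_len,
                        char *out, size_t out_len) {
    size_t n = 0;
    while (n < record_len && record[n] != '\0') n++;
    if (n == record_len) return false;   /* no terminator inside the record */
    if (n >= out_len) return false;      /* name plus NUL would overflow */
    memcpy(out, record, n);
    out[n] = '\0';
    return true;
}

/* Wrapper with the same fixed-size stack buffer the game would use. */
bool gap_name_accepted(const char *record, size_t record_len) {
    char name[GAP_NAME_MAX];
    return load_gap_name_safe(record, record_len, name, sizeof name);
}
```

A plain strncpy swap would not be enough on its own: when the source fills the buffer it leaves no terminator, so the length check and the explicit NUL both matter.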
Related
Programming Like It's 1977
The article explores programming games on the Atari VCS, a pioneering hardware platform from the 1970s with constraints that inspired creativity. Coding in 6502 assembly language offers a retro experience. The Atari 2600+ release supports old hardware for modern gaming. Learning on the Atari VCS reveals early programmers' challenges and solutions, fostering creativity.
The good, the bad, and the weird (2018)
Trail of Bits delves into "weird machines" in software exploitation, complex code snippets evading security measures. Techniques like Hoare triples and dynamic_casts aid in identifying and preventing exploitation, crucial in evolving security landscapes.
Modifying the OG Xbox to have 256M of RAM [video]
The video discusses upgrading original Xbox memory to 256MB through reverse engineering, hardware development, and software hacking. It explores Xbox chip addressing, cfg1 register adjustments, RAM corruption bug fixes, and performance enhancements. Hardware limitations restricted upgrades to 9 kbits.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous
Researchers from Graz University of Technology developed SLUBStick, a technique that exploits Linux kernel heap vulnerabilities with over 99% success, enabling privilege escalation and container escapes against modern defenses.
- Many commenters express awe at the complexity and significance of the exploit, particularly in relation to the Tony Hawk game.
- There is a discussion about the technical aspects of the habibi key and its implications for security vulnerabilities.
- Some users lament the lack of updates or fixes for existing mods, highlighting the challenges in maintaining older games.
- Several comments touch on the broader implications of console security and the mindset of developers during that era.
- Humor and nostalgia are present, with playful references to Tony Hawk's legacy and the gaming culture surrounding the franchise.
A random 2048-bit integer has a moderate chance of being trivially factorizable (I don't know the precise odds but we can infer that it's roughly on the order of 2^-32 (for some definition of trivial) without doing any real math). Presumably, they wrote code that did something like this:

    while true:
        randomly tweak/increment 4 bytes of the public modulus
        spend 1 millisecond trying to factor it
        did it work? if yes, we're done here.
        else, try again.

The resulting public modulus likely has lots of smaller factors (it should be possible to verify this, if anyone knows where I can find the "habibi public key"?). Although an RSA modulus normally has exactly 2 prime factors, the math still works out if you have more (as long as e is coprime).

Xbox 360...._softmod_.... via the park name on a Tony Hawk game.
24 segment ROP chain :')
His rightful lamentation for the hypervisor, concise functional write up, and immediate thoughts of an x360 botnet make this the greatest xbox 360 nostalgia gut-punch of all time.
kudos++
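The habibi-key comment above claims that RSA still works with more than two prime factors provided e is coprime to the totient, and that a tweaked modulus would likely have many small factors. This added C example (not from the article or the thread; the primes, exponent and message are constructed toy values) checks both claims on a three-prime modulus small enough for 64-bit arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>

/* 128-bit intermediates (GCC/Clang extension) keep 64-bit products exact. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)((unsigned __int128)a * b % m);
}
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) result = mulmod(result, base, m);
        base = mulmod(base, base, m);
    }
    return result;
}
static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}
/* Inverse of e modulo phi by the extended Euclidean algorithm (gcd must be 1). */
static uint64_t invmod(uint64_t e, uint64_t phi) {
    int64_t t = 0, newt = 1, r = (int64_t)phi, newr = (int64_t)e;
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)phi : t);
}

/* Three-prime RSA: n = p*q*r, phi = (p-1)(q-1)(r-1). True when e is coprime
 * to phi and decrypt(encrypt(m)) == m, i.e. the scheme still round-trips. */
bool three_prime_rsa_roundtrip(uint64_t p, uint64_t q, uint64_t r, uint64_t e, uint64_t m) {
    uint64_t n = p * q * r, phi = (p - 1) * (q - 1) * (r - 1);
    if (gcd64(e, phi) != 1) return false;
    uint64_t d = invmod(e, phi);
    return powmod(powmod(m, e, n), d, n) == m % n;
}

/* Trial division up to `limit`: number of prime factors found. A modulus
 * assembled from small primes is "trivially factorizable" in this sense. */
int count_factors_by_trial_division(uint64_t n, uint64_t limit) {
    int count = 0;
    for (uint64_t f = 2; f <= limit && f * f <= n; f++)
        while (n % f == 0) { n /= f; count++; }
    return count + (n > 1 ? 1 : 0);
}
```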
it really ought to have been strncpy, I'm sure Tony Hawk who's lauded for his advocacy of safety gear would prefer to be associated with safer string copying
The mod itself is over 10 years old now, and I think the original developers are gone, explaining why no one was interested in fixing it when Ryan reported it. But this means that now the mod is unusable, no one is going to want to risk a full privilege exploit taking over their PC.
Hopefully this article reaches someone who's a bit more interested in patching the mod.
A question I have is where/when/how the corresponding private habibi key was released/leaked, if the story about it being used exclusively by the linux console group to prevent pirated content from being used is true. OP clearly was able to patch the four byte difference between the MS key and the habibi key to then run "unsigned" (but, actually, signed with the habibi private key) executables, so they clearly got their hands on it.
I've been doing some PSX decompiling and there are lots of similar things there as well. Interestingly, something like `memmove` is linked in using an SDK library[0], but `strcpy` is a function provided by the BIOS. Later versions of the SDK could patch that out for a library version, but as late as 1997 it hadn't been.
0 - https://github.com/Xeeynamo/sotn-decomp/blob/master/src/main...
Great article!
(Completely separate from that, consoles shouldn't be treating users as the adversary, but given that they do, games are failing to have a security mindset consistent with that stance.)