ROM Hacking for Fun, Profit & Infinite Lives

ROM Hacking for Fun, Profit & Infinite lives as presented in Silver Bullet 2012.

  1. ROM Hacking for Fun, Profit & Infinite Lives
     Green mushrooms > ASLR bypasses
     Presented by: Ulisses Albuquerque, ualbuquerque@trustwave.com © 2012
  2. Agenda
     • DISCLAIMER (in capital letters, no less)
     • Quick Intro
     • Motivation
     • Concepts
     • Old-school architectures
     • Similarities to embedded systems
     • Demo
     • …and the infosec in that is where exactly?
     • Conclusion
  3. DISCLAIMER
     ROM hacking is NOT about Super Mario Bros. 0-day
     “ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine.” http://en.wikipedia.org/wiki/ROM_hacking
  4. $ finger @urma
     • Coder/security consultant
       – Managed security services (full stack)
       – Trusted [Virtual] Computing
       – Linux device drivers
       – Scripting/dynamic language love all around
       – C whenever static typing is needed (OO is fun, Java/C++ are not)
     • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.
  5. I want to cause chaos, mayhem and global pwnage. Now where should I start..?
     Joseph Leeto
  6. Motivation
     • TODO
       – Buffer overflows: stack overflows, heap overflows
       – Architectures: x86 (32-bit), x64 (64-bit), ARM (mobile phones), MIPS (gotta pwn those access points)
       – Operating systems: Win32, Linux, Mac OS X
  7. Motivation
     • TODO (cont.)
       – Shellcode writing: obfuscation/mutation; avoiding detection (anti-virus, you know)
       – Counter-measures: stack canaries, Address Space Layout Randomization, non-executable stacks, W^X
       – Techniques: NOP slides, return oriented programming, return-to-libc
  8. Motivation
  9. Frustration
     Finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.
  10. Motivation
     “Eventually, all the buffer overflow work we've been doing will become too hard for the amateur to do.” (David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)
  11. Hacking Gamification
     Because every nice talk must have a buzzword™
  12. Concepts
     • Embedded systems
     • Low-end processors
     • OS-less code
     • Memory mapping and types
       – RAM, ROM, VRAM and everything in between
     • Tools
       – Emulators
       – Debuggers
  13. Concepts
     • Embedded systems
       – Systems designed for a specific function, usually inside a larger system
       – Hardware/software is restricted to match use case scenarios
       – Common use of solid state storage
       – Limited I/O interfaces
       – Limited to non-existent expandability
  14. Concepts
     • Low-end processors
       – Lack of many modern features: no memory management unit (MMU), single core, no superscalar pipeline, narrow memory address/value buses, limited number of pins
       – Limited number of opcodes
       – Low clock speeds
  15. Concepts: Zilog Z80
     • 8,500 transistors
     • Up to 8 MHz initially, up to 50 MHz today
     • Original packaging contains 40 pins
     • Nintendo Game Boy
     • Sega Master System
     • MSX (Gradiente Expert, Sharp Hotbit)
     • TRS-80 Model I, III
     • Sinclair ZX81, ZX Spectrum (TK90X)
     • ColecoVision
     • Pac-Man arcade machines
  16. Concepts: MOS 6502
     • 3,510 transistors
     • 1 MHz to 2 MHz
     • Original packaging contains 40 pins
     • Nintendo Entertainment System (NES)
     • Commodore VIC-20
     • Apple I/II
     • Atari 2600
     • BBC Micro
  17. Concepts: Intel Core i7
     • 731,000,000 transistors
     • 1,366 pins
     • Clock speed starts around 2.6 GHz
  18. Concepts: P8X32A-Q44
     • Up to 80 MHz
     • 44 pins
     • 32-bit, 8 “cogs” (processor cores)
     • 32 KiB RAM, 32 KiB ROM built-in
     • Used in the DEFCON 20 badge
  19. Concepts
     • OS-less code
       – No abstractions: is_button_pressed() = reading the I/O port and checking bits
       – Very straightforward mapping between hardware and the code that uses it (hint: demo)
       – No built-in support functions: memory management, scheduler/threading, file systems, device drivers in general
  20. Concepts
     • Memory mapping
       – RAM is used for state only; typically small on embedded systems
       – Code can be run directly off [EP]ROM, but only if directly addressable by the CPU
       – Clear separation between behavior (code, read-only) and state (data, read-write)
       – Video framebuffer sometimes mapped into the address space: updating the screen can be as simple as writing to memory
       – Memory mapped I/O: reading/writing will trigger I/O on external devices, such as LEDs, sensors and actuators
  21. Concepts
     • Emulators
       – Software simulation of a computer system; no need for similarities between the architectures of guest and host systems
       – Virtual hardware: hooks for hardware accesses by software running on the guest, state inspection, state snapshot and restore
       – Performance can be an issue, but not for old-school hardware (8 MHz Z80 versus 3 GHz Core i7)
  22. Concepts
     • Debugger
       – Stop, resume and restart code execution
       – Inspect data state: high level state, represented in variables in memory; low level state, represented by CPU registers, stack and others
       – Breakpoints: for virtual hardware, the sky is the limit
       – Change state during execution (“What happens if I increment this value..?”)
       – Create general chaos and havoc
  23. Case: NES
  24. Case: NES
     • 6502-based Ricoh CPU
       – 1.79 MHz RP2A03 for NTSC systems
       – 1.66 MHz RP2A07 for PAL systems
     • Memory
       – 2 kB onboard RAM (can be expanded by cartridges)
       – 2 kB video RAM (PPU)
       – 256 bytes of Object Attribute Memory (OAM)
       – 28 bytes of palette memory
       – Support for memory mappers for more than 32 kB of ROM
     • Video
       – 256x240 resolution
       – 48 colors, 6 gray tones
  25. Case: Sega Master System
  26. Case: Sega Master System
     • Z80-compatible ~4 MHz Sharp LH0080A
     • Memory
       – 8 kB onboard RAM
       – 16 kB of video RAM (TMS9918/9928, not memory mapped)
     • Video
       – 256x192 tile-based screen (up to 32x28 tiles)
       – Each tile is 8x8 in 16 colors
  27. Your first ROM hack
     Finally, we get to hack something! Talk is cheap, show me some 6502 opcodes!
  28. Demo: Easy Mode
  29. Demo: Easy Mode
     • Game Genie
       – Physical proxy between console and cartridge
       – Intercepts memory accesses through the address/data buses
       – Allows for value freezes with custom parameters; e.g., reading $075A in Super Mario Bros. would always return the same value, and writing a value would succeed but the value would remain unchanged
       – Focus on state (data in RAM) rather than behavior
       – Can be used to alter opcodes and parameter values in limited ways
       – Supported by emulators: instead of patching the ROM, generate a Game Genie code and use it!
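As an added illustration of slides 19, 20 and 29 (example code written for this page, not from the talk or its demo): a toy 6502-style memory bus with one memory-mapped joypad port, an `is_button_pressed()` that reads the port and tests a bit, and a Game Genie style freeze that masks reads of the lives counter while writes still land. The RAM size and the `$4016` joypad port are assumptions borrowed from an NES-like layout; `$075A` is the address named on slide 29.

```python
# Added example, not from the talk. Assumed NES-like layout: 2 kB RAM from
# $0000, joypad 1 at $4016 (bit 0 = button held). $075A is the address the
# Game Genie slide uses for the Super Mario Bros. lives counter.
RAM_SIZE = 0x0800
JOYPAD1 = 0x4016
LIVES_ADDR = 0x075A

class Bus:
    def __init__(self):
        self.ram = bytearray(RAM_SIZE)
        self.io_read = {}   # addr -> callable returning the port's current byte
        self.freezes = {}   # addr -> value forced on every read (Game Genie)

    def map_io_read(self, addr, fn):
        """Memory-mapped I/O: a read at `addr` polls the device instead of RAM."""
        self.io_read[addr] = fn

    def freeze(self, addr, value):
        """Sit on the bus like a Game Genie: reads of `addr` always return
        `value`; writes still reach RAM but the game never sees them again."""
        self.freezes[addr] = value & 0xFF

    def read(self, addr):
        if addr in self.freezes:
            return self.freezes[addr]
        if addr in self.io_read:
            return self.io_read[addr]() & 0xFF
        return self.ram[addr] if addr < RAM_SIZE else 0  # open bus simplified to 0

    def write(self, addr, value):
        if addr < RAM_SIZE:
            self.ram[addr] = value & 0xFF  # 8-bit data bus: wraps like the real thing

def is_button_pressed(bus, bit):
    """OS-less input check from slide 19: read the port, test a bit, no driver."""
    return (bus.read(JOYPAD1) >> bit) & 1 == 1

def lose_life(bus):
    """What a game loop does on death: read the counter, decrement, write back."""
    bus.write(LIVES_ADDR, bus.read(LIVES_ADDR) - 1)

def demo():
    bus = Bus()
    pad = {"a": False}                 # constructed controller state
    bus.map_io_read(JOYPAD1, lambda: 0x01 if pad["a"] else 0x00)
    bus.write(LIVES_ADDR, 3)
    lose_life(bus); lose_life(bus)
    before = bus.read(LIVES_ADDR)      # 1: RAM state changed as the game expects
    bus.freeze(LIVES_ADDR, 3)          # infinite lives without touching the ROM
    lose_life(bus); lose_life(bus)
    after = bus.read(LIVES_ADDR)       # still 3: writes land, reads are masked
    pad["a"] = True
    return before, after, is_button_pressed(bus, 0)
```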
  30. Where's the infosec in that..?
     Hacking videogames is fun, but beating Super Mario will not land me a job…
  31. Where's the infosec in that..?
  32. Where's the infosec in that..?
  33. Where's the infosec in that..?
     • Many embedded systems still use old processors
       – Legacy vertical systems
       – Industrial control systems
     • I/O interfaces will vary wildly
       – Embedded systems are specialized by design
       – Use the low pin count and absence of hardware abstraction layers to your advantage
       – Use the hardware schematics (or trace the data flow in the hardware itself)
     • Have fun!
  34. Where's the infosec in that..? Bus Pirate
     • US$30
     • Support for I2C, SPI, JTAG, KB, UART & more
     • Always check your voltage levels with a multimeter!
  35. Where's the infosec in that..?
     • How to get modified code into the device?
       – Official firmware upload mechanisms may use signature checking, hashing or checksums
       – Most processors support booting from UART, SPI or other buses, or might support JTAG interfaces
       – Boot into a flash utility, load your custom ROM through an out-of-band channel and flash it
  36. Conclusion
     • Hacking games is fun
       – Code and data relationship in memory
       – Hardware is standard and well documented
       – Debuggers and emulators are your friends
     • Embedded systems
       – s/joystick/keypad/
       – s/cartridge/eeprom/
       – s/Super Mario Bros/Global Thermonuclear War/
       – Techniques will be the same, hardware will not
       – Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate
  37. Conclusion
     • Crawl before you run
       – Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
       – Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey
  38. Conclusion