ROM Hacking for Fun, Profit & Infinite Lives

ROM Hacking for Fun, Profit & Infinite lives as presented in Silver Bullet 2012.

Transcript of "ROM Hacking for Fun, Profit & Infinite Lives"

  1. ROM Hacking for Fun, Profit & Infinite Lives
     Green mushrooms > ASLR bypasses
     Presented by: Ulisses Albuquerque (ualbuquerque@trustwave.com) © 2012

  2. Agenda
     • DISCLAIMER (in capital letters, no less)
     • Quick Intro
     • Motivation
     • Concepts
     • Old-school architectures
     • Similarities to embedded systems
     • Demo
     • …and the infosec in that is where exactly?
     • Conclusion

  3. DISCLAIMER
     ROM hacking is NOT about Super Mario Bros. 0-day.
     "ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine."
     http://en.wikipedia.org/wiki/ROM_hacking

  4. $ finger @urma
     • Coder/security consultant
       – Managed security services (full stack)
       – Trusted [Virtual] Computing
       – Linux device drivers
       – Scripting/dynamic language love all around
       – C whenever static typing is needed (OO is fun, Java/C++ are not)
     • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.

  5. I want to cause chaos, mayhem and global pwnage. Now where should I start..?
     Joseph Leeto

  6. Motivation
     • TODO
       – Buffer overflows: stack overflows, heap overflows
       – Architectures: x86 (32-bit), x64 (64-bit), ARM (mobile phones), MIPS (gotta pwn those access points)
       – Operating systems: Win32, Linux, Mac OS X

  7. Motivation
     • TODO (cont.)
       – Shellcode writing: obfuscation/mutation, avoiding detection (anti-virus, you know)
       – Counter-measures: stack canaries, Address Space Layout Randomization, non-executable stacks, W^X
       – Techniques: NOP slides, return oriented programming, return-to-libc

  8. Motivation (image slide)

  9. Frustration
     Finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.

 10. Motivation
     "Eventually, all the buffer overflow work we've been doing will become too hard for the amateur to do."
     (David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)

 11. Hacking Gamification
     Because every nice talk must have a buzzword™
 12. Concepts
     • Embedded systems
     • Low-end processors
     • OS-less code
     • Memory mapping and types
       – RAM, ROM, VRAM and everything in between
     • Tools
       – Emulators
       – Debuggers

 13. Concepts: Embedded systems
     • Systems designed for a specific function, usually inside a larger system
     • Hardware/software is restricted to match the use case
     • Common use of solid state storage
     • Limited I/O interfaces
     • Limited to non-existent expandability

 14. Concepts: Low-end processors
     • Lack many modern features
       – No memory management unit (MMU)
       – Single core
       – No superscalar pipeline
       – Narrow address/data buses
       – Limited number of pins
     • Limited number of opcodes
     • Low clock speeds

 15. Concepts: Zilog Z80
     • 8,500 transistors
     • Up to 8MHz initially, up to 50MHz today (eZ80)
     • Original packaging has 40 pins
     • Nintendo Game Boy (Sharp LR35902, a Z80-like core rather than a true Z80)
     • Sega Master System
     • MSX (Gradiente Expert, Sharp Hotbit)
     • TRS-80 Model I, III
     • Sinclair ZX81, ZX Spectrum (TK90X)
     • ColecoVision
     • Pac-Man arcade machines

 16. Concepts: MOS 6502
     • 3,510 transistors
     • 1MHz to 2MHz
     • Original packaging has 40 pins
     • Nintendo Entertainment System (NES)
     • Commodore VIC-20
     • Apple I/II
     • Atari 2600 (6507, a 6502 with fewer address pins)
     • BBC Micro

 17. Concepts: Intel Core i7 (first generation, for contrast)
     • 731,000,000 transistors
     • 1,366 pins
     • Clock speed starts around 2.6GHz

 18. Concepts: P8X32A-Q44 (Parallax Propeller)
     • Up to 80MHz
     • 44 pins
     • 32-bit, 8 "cogs" (processor cores)
     • 32KiB RAM, 32KiB ROM built in
     • Used in the DEFCON 20 badge

 19. Concepts: OS-less code
     • No abstractions
       – is_button_pressed() = reading the I/O port and checking bits
       – Very straightforward mapping between hardware and the code that uses it (hint: demo)
     • No built-in support functions
       – Memory management
       – Scheduler/threading
       – File systems
       – Device drivers in general

 20. Concepts: Memory mapping
     • RAM is used for state only
     • Typically small on embedded systems
     • Code can run directly off [EP]ROM
       – Only if it is directly addressable by the CPU; otherwise it has to be copied into RAM first
     • Clear separation between behavior (code, read-only) and state (data, read-write)
     • Video framebuffer sometimes mapped into the address space
       – Updating the screen can be as simple as writing to memory
     • Memory-mapped I/O
       – Reading/writing triggers I/O on external devices such as LEDs, sensors and actuators

 21. Concepts: Emulators
     • Software simulation of a computer system
       – No need for similarities between the guest and host architectures
     • Virtual hardware
       – Hooks for hardware accesses by software running on the guest
       – State inspection
       – State snapshot and restore
     • Performance can be an issue
       – Not for old-school hardware (8MHz Z80 versus 3GHz Core i7)

 22. Concepts: Debugger
     • Stop, resume and restart code execution
     • Inspect data state
       – High-level state, represented by variables in memory
       – Low-level state, represented by CPU registers, the stack and others
     • Breakpoints
       – For virtual hardware, the sky is the limit
     • Change state during execution
       – "What happens if I increment this value..?"
     • Create general chaos and havoc
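An added example, not code from the talk, that ties slides 19 to 22 together: a tiny bus model with NES-like memory mapping (2kB of RAM mirrored across $0000-$1FFF, a joypad shift register at $4016, ROM from $8000 up), the "no abstraction" is_button_pressed() written as the raw strobe-and-shift sequence, and the read/write hooks an emulator exposes, used here to freeze a RAM value the way a debugger or cheat engine does. The Bus, Controller and freeze() names are assumptions for this example; the ROM image is constructed (all zeros) and the unmodelled PPU/APU range reads as 0.

```python
"""Memory-mapped I/O on an OS-less 6502 system (added example, not from the talk).
Assumptions: NES-like map; the joypad register semantics follow the real $4016
behaviour (strobe 1 then 0, then 8 serial reads: A, B, Select, Start, Up, Down,
Left, Right in bit 0); everything else here is constructed for the example."""

BUTTONS = ("A", "B", "Select", "Start", "Up", "Down", "Left", "Right")


class Controller:
    """Models the joypad shift register behind $4016."""

    def __init__(self):
        self.pressed = set()   # button names currently held by the player
        self.strobe = False
        self.shift = 0         # latched button bits, A in bit 0
        self.index = 0

    def write(self, value):
        new_strobe = bool(value & 1)
        if self.strobe and not new_strobe:            # 1 -> 0 edge latches the buttons
            self.shift = sum(1 << i for i, name in enumerate(BUTTONS) if name in self.pressed)
            self.index = 0
        self.strobe = new_strobe

    def read(self):
        if self.strobe:                               # while strobed, keeps reporting A
            return 1 if "A" in self.pressed else 0
        if self.index >= 8:                           # official pads return 1 after 8 bits
            return 1
        bit = (self.shift >> self.index) & 1
        self.index += 1
        return bit


class Bus:
    """Address decoding plus the read/write hooks an emulator gives you."""

    def __init__(self, rom):
        assert len(rom) == 0x8000, "constructed example expects a 32 KiB ROM window"
        self.ram = bytearray(0x800)
        self.rom = bytes(rom)
        self.pad = Controller()
        self.read_hooks = {}    # addr -> fn(addr, value) -> value seen by the CPU
        self.write_hooks = {}   # addr -> fn(addr, value) -> True to swallow the write

    def read(self, addr):
        addr &= 0xFFFF
        if addr < 0x2000:
            value = self.ram[addr & 0x7FF]            # 2 KiB mirrored four times
        elif addr == 0x4016:
            value = self.pad.read()
        elif addr >= 0x8000:
            value = self.rom[addr - 0x8000]
        else:
            value = 0                                  # PPU/APU not modelled (assumption)
        hook = self.read_hooks.get(addr)
        return hook(addr, value) if hook else value

    def write(self, addr, value):
        addr &= 0xFFFF
        value &= 0xFF
        hook = self.write_hooks.get(addr)
        if hook and hook(addr, value):
            return
        if addr < 0x2000:
            self.ram[addr & 0x7FF] = value
        elif addr == 0x4016:
            self.pad.write(value)
        # writes to ROM or to unmodelled hardware are simply ignored


def is_button_pressed(bus, name):
    """Slide 19's is_button_pressed(): strobe the port, shift out 8 bits, test one."""
    bus.write(0x4016, 1)
    bus.write(0x4016, 0)
    state = 0
    for i in range(8):
        state |= (bus.read(0x4016) & 1) << i
    return bool(state & (1 << BUTTONS.index(name)))


def freeze(bus, addr, value):
    """Cheat-engine style freeze: reads always see `value`, writes seem to
    succeed but never land (the effect slide 29 describes for $075A)."""
    bus.read_hooks[addr] = lambda a, v: value
    bus.write_hooks[addr] = lambda a, v: True


def demo():
    bus = Bus(bytes(0x8000))                # constructed, empty ROM
    bus.pad.pressed = {"A", "Start"}
    a, b = is_button_pressed(bus, "A"), is_button_pressed(bus, "B")
    bus.write(0x075A, 2)                    # Super Mario Bros. keeps its lives counter here
    mirrored = bus.read(0x0800 + 0x75A)     # same byte, seen through the $0800 mirror
    freeze(bus, 0x075A, 5)
    bus.write(0x075A, 1)                    # the game "loses a life"...
    lives = bus.read(0x075A)                # ...but the hook keeps reporting 5
    return a, b, mirrored, lives            # (True, False, 2, 5)


if __name__ == "__main__":
    print(demo())
```

The hooks are the interesting part for the rest of the talk: an emulator gives you exactly this interception point for every address, whereas on real hardware you only get it where a bus is physically exposed (which is what the Game Genie and the Bus Pirate slides are about).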
 23. Case: NES (image slide)

 24. Case: NES
     • 6502-based Ricoh CPU (2A03/2A07: a 6502 core without decimal mode, with the APU on the same die)
       – 1.79MHz RP2A03 for NTSC systems
       – 1.66MHz RP2A07 for PAL systems
     • Memory
       – 2kB onboard RAM, mirrored across $0000-$1FFF (can be expanded by cartridges)
       – 2kB video RAM (PPU)
       – 256 bytes of Object Attribute Memory (OAM)
       – 32 bytes of palette memory (28 distinct entries, the rest are mirrors)
       – Cartridge ROM is visible through $8000-$FFFF, so anything beyond 32kB needs a memory mapper to bank-switch
     • Video
       – 256x240 resolution
       – 48 colors, 6 gray tones

 25. Case: Sega Master System (image slide)

 26. Case: Sega Master System
     • Z80-compatible ~4MHz Sharp LH0080A
     • Memory
       – 8kB onboard RAM
       – 16kB of video RAM owned by the VDP (a TMS9918-derived chip); not memory mapped, it is reached through Z80 I/O ports
     • Video
       – 256x192 tile-based screen (name table of 32x28 tiles, 32x24 visible)
       – Each tile is 8x8 in 16 colors

 27. Your first ROM hack
     Finally, we get to hack something!
     Talk is cheap, show me some 6502 opcodes!
 28. Demo: Easy Mode (image slide)

 29. Demo: Easy Mode
     • Game Genie
       – Physical proxy between console and cartridge
       – Intercepts memory accesses through the address/data buses
       – Each code encodes a ROM address in $8000-$FFFF, the byte to return instead, and optionally a compare byte (substitute only if the original byte matches)
       – Works on the ROM side only: it can alter opcodes and parameter values in limited ways (behavior), but it cannot touch RAM
     • Value freezes are the emulator-cheat equivalent
       – E.g., freezing $075A (the lives counter) in Super Mario Bros.: reads always return the same value, writes appear to succeed but the value remains unchanged
       – Focus on state (data in RAM) rather than behavior
     • Supported by emulators: instead of patching the ROM, generate a Game Genie code and use it!
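An added example, not code from the talk, for slide 29's "generate a Game Genie code and use it": a decoder and encoder for NES Game Genie codes following the documented letter table and bit layout (6-letter codes carry a 15-bit address and a data byte; 8-letter codes add a compare byte, flagged by bit 3 of the third letter), plus a patcher that applies a code to an iNES image for mapper 0, where the talk's "memory mapper" caveat from slide 24 shows up as the address-to-file-offset calculation. The ROM image is constructed: a zero-filled 32kB PRG with `CE 5A 07` (DEC $075A) placed where the well-known Super Mario Bros. infinite-lives code SXIOPO points, so that decoding it to $91D9:$AD and patching turns the `DEC` opcode ($CE) into `LDA` ($AD) and the life decrement into a harmless load. apply_code() and build_test_rom() are names chosen for this example.

```python
"""NES Game Genie codes: decode, encode, and apply to an iNES NROM image.
Added example (not from the talk).  Letter table and bit layout are the
documented NES Game Genie format; the ROM image is constructed."""

LETTERS = "APZLGITYEOXUKSVN"   # each letter's 4-bit value is its index here


def decode(code):
    """Return (cpu_address, data, compare_or_None) for a 6- or 8-letter code."""
    code = code.strip().upper()
    if len(code) not in (6, 8) or any(c not in LETTERS for c in code):
        raise ValueError("not a Game Genie code: %r" % code)
    n = [LETTERS.index(c) for c in code]
    address = (0x8000 | ((n[3] & 7) << 12) | ((n[5] & 7) << 8) | ((n[4] & 8) << 8)
               | ((n[2] & 7) << 4) | ((n[1] & 8) << 4) | (n[4] & 7) | (n[3] & 8))
    data = ((n[1] & 7) << 4) | ((n[0] & 8) << 4) | (n[0] & 7)
    if len(code) == 6:
        return address, data | (n[5] & 8), None
    compare = ((n[7] & 7) << 4) | ((n[6] & 8) << 4) | (n[6] & 7) | (n[5] & 8)
    return address, data | (n[7] & 8), compare


def encode(address, data, compare=None):
    """Inverse of decode(): the code an emulator user would type instead of patching."""
    if not 0x8000 <= address <= 0xFFFF:
        raise ValueError("Game Genie only patches the ROM window $8000-$FFFF")
    a = address & 0x7FFF
    n = [0] * (8 if compare is not None else 6)
    n[0] = ((data >> 4) & 8) | (data & 7)
    n[1] = ((a >> 4) & 8) | ((data >> 4) & 7)
    n[2] = ((a >> 4) & 7) | (8 if compare is not None else 0)   # bit 3 flags 8 letters
    n[3] = ((a >> 12) & 7) | (a & 8)
    n[4] = ((a >> 8) & 8) | (a & 7)
    if compare is None:
        n[5] = ((a >> 8) & 7) | (data & 8)
    else:
        n[5] = ((a >> 8) & 7) | (compare & 8)
        n[6] = ((compare >> 4) & 8) | (compare & 7)
        n[7] = ((compare >> 4) & 7) | (data & 8)
    return "".join(LETTERS[v] for v in n)


def apply_code(rom, code):
    """Patch an iNES image (bytearray) for mapper 0 in place.  Returns the file
    offset changed, or None when an 8-letter code's compare byte did not match."""
    if rom[:4] != b"NES\x1a":
        raise ValueError("not an iNES image")
    prg_banks = rom[4]                                  # 16 KiB units
    if prg_banks not in (1, 2):
        raise ValueError("only NROM (16/32 KiB PRG, no bank switching) handled here")
    address, data, compare = decode(code)
    # NROM maps PRG straight into $8000-$FFFF; a 16 KiB PRG appears twice.
    # Any other mapper needs the bank-switching state to turn an address into an offset.
    offset = 16 + ((address - 0x8000) % (prg_banks * 0x4000))
    if compare is not None and rom[offset] != compare:
        return None
    rom[offset] = data
    return offset


def build_test_rom():
    """Constructed image: 16-byte header, 32 KiB PRG, 8 KiB CHR, with
    DEC $075A (CE 5A 07) at CPU address $91D9 (file offset 16 + $11D9)."""
    header = b"NES\x1a" + bytes([2, 1, 0, 0]) + bytes(8)
    prg = bytearray(0x8000)
    prg[0x11D9:0x11DC] = b"\xCE\x5A\x07"
    return bytearray(header + prg + bytes(0x2000))


if __name__ == "__main__":
    print("SXIOPO ->", "%04X:%02X" % decode("SXIOPO")[:2])   # 91D9:AD
    rom = build_test_rom()
    off = apply_code(rom, "SXIOPO")
    print("patched offset %#x, bytes now %s" % (off, rom[off:off + 3].hex()))
```

Reading the decoded bytes against a 6502 opcode table is the whole "hack": $CE is `DEC abs` and $AD is `LDA abs`, so the operand `5A 07` ($075A) is untouched and the instruction merely loads the lives counter instead of decrementing it. For a real cartridge the compare form matters: the same ROM address in a different revision may hold a different byte, and an 8-letter code with the expected original value refuses to patch the wrong one.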
 30. Where's the infosec in that..?
     Hacking videogames is fun, but beating Super Mario will not land me a job…

 31. Where's the infosec in that..? (image slide)

 32. Where's the infosec in that..? (image slide)

 33. Where's the infosec in that..?
     • Many embedded systems still use old processors
       – Legacy vertical systems
       – Industrial control systems
     • I/O interfaces vary wildly
       – Embedded systems are specialized by design
       – Use the low pin count and the absence of hardware abstraction layers to your advantage
       – Use the hardware schematics (or trace the data flow in the hardware itself)
     • Have fun!

 34. Where's the infosec in that..? Bus Pirate
     • US$30
     • Support for I2C, SPI, JTAG, KB (PS/2 keyboard), UART & more
     • Always check your voltage levels with a multimeter before connecting!

 35. Where's the infosec in that..?
     • How to get modified code into the device?
       – Official firmware upload mechanisms may use signature checking, hashing or checksums
       – Many processors can boot from UART, SPI or other buses, or expose a JTAG interface
       – Boot into a flash utility, load your custom ROM through the out-of-band channel and flash it
 36. Conclusion
     • Hacking games is fun
       – Code and data relationship in memory
       – Hardware is standard and well documented
       – Debuggers and emulators are your friends
     • Embedded systems
       – s/joystick/keypad/
       – s/cartridge/eeprom/
       – s/Super Mario Bros/Global Thermonuclear War/
       – Techniques will be the same, hardware will not
       – Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate

 37. Conclusion
     • Crawl before you run
       – Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
       – Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey

 38. Conclusion (image slide)