SlideShare a Scribd company logo
1 of 60
Download to read offline
Don't Give Credit:
Hacking Arcade Machines
Who am I?
●   Ronald Huizer
    ●   Senior Security Researcher, Immunity, Inc.
    ●   ronald@immunityinc.com
    ●   I enjoy computer science, toying with
        hardware, go, a whole lot of japanese
        cartoons and computer games.
Who am I?
●   Ronald Huizer
    ●   Senior Security Researcher, Immunity, Inc.
    ●   ronald@immunityinc.com
    ●   I enjoy computer science, toying with
        hardware, go, a whole lot of japanese
        cartoons and computer games.

         Who I am
Who am I?
●   Ronald Huizer
    ●   Senior Security Researcher, Immunity, Inc.
    ●   ronald@immunityinc.com
    ●   I enjoy computer science, toying with
        hardware, go, a whole lot of japanese
        cartoons and computer games.

         Who I am                        Whom I'd like to be.
Attacking Arcade Machines
●   Why attack arcade machines?
●   Fun and free plays.
●   Not so much profit, unless you play a lot.
●   Living one of my childhood dreams.
●   Both the vulnerability and the talk are quite
    simple.
●   This is meant to be fun and practical.
Attack Surface (1)
●   Almost all attacks will need physical access.
●   We need to make a distinction
    ●   Obvious attacks such as opening the machine, or
        attaching odd peripherals and rebooting it.
    ●   Non-obvious attacks that resemble normal use.
        These are probably impossible on many older
        arcade machines.
Attack Surface (2)
●   The obvious attacks won't work, as we'll get
    kicked out of the arcade or worse.
●   We want to be less conspicuous than this:
Attack Surface (3)
●   Modern arcade machines often allow for
    transferable profiles stored on portable devices.
    ●   Magnetic cards
    ●   Konami e-AMUSEMENT smart card
    ●   USB dongles
    ●   Probably more schemes, especially in Japan.
●   This gives us more attack surface using either
    malicious hardware devices, or by malicious
    data on official devices.
Attack Surface (4)
●   We pick the easiest attack surface.
●   Consider game profiles loaded from and stored
    to USB dongle.
    ●   If profile handling is done wrong, we can simply
        insert a USB dongle with malicious payload.
    ●   Very covert: inserting a dongle is a common task
        performed by many players, and won't attract
        unwanted attention.
Attack Surface (4)
●   We pick the easiest attack surface.
●   Consider game profiles loaded from and stored
    to USB dongle.
    ●   If profile handling is done wrong, we can simply
        insert a USB dongle with malicious payload.
    ●   Very covert: inserting a dongle is a common task
        performed by many players, and won't attract
        unwanted attention.
                                         Attack here.
Attack Surface (4)
●   We pick the easiest attack surface.
●   Consider game profiles loaded from and stored
    to USB dongle.
    ●   If profile handling is done wrong, we can simply
        insert a USB dongle with malicious payload.
    ●   Very covert: inserting a dongle is a common task
        performed by many players, and won't attract
        unwanted attention.

        Not here.                        Attack here.
What are we attacking?
●   In The Groove 2
●   Dancing simulator made
    by RoXoR games.
●   Uses USB dongles to
    store profiles.
What are we attacking?
●   In The Groove 2
●   Dancing simulator made
    by RoXoR games.
●   Uses USB dongles to
    store profiles.
●   Allows geeks to dance
    like Michael Jackson.
What do we know? (1)
●   There is a PC as well as an arcade version.
    ●   We'll use ITG2PC and ITG2AC for these versions.
    ●   We can tinker with the PC version easily and test
        our ideas.
    ●   After testing them on ITG2PC, we try ITG2AC.
●   ITG2AC is running on x86-32 Linux.
    ●   Most of us will be in our comfort zone.
What do we know? (2)
●   ITG2 software based on a modified version of
    StepMania, an open source dancing simulator.
    ●   Allows for easier reverse engineering.
●   There is an open source project dedicated to
    reimplementing the game.
    ●   OpenITG did an excellent job at reversing and
        reimplementing parts of the game.
What is on the USB stick?
●   Edits of existing songs on the machine.
●   Custom songs (needs to be enabled).
●   Signed screenshots (to prove scores).
●   Signed score profile and backups.
    ●   Stats.xml / Stats.xml.sig / DontShare.sig
●   Song catalogues, preferences, etc.
●   ITG2AC and ITG2PC sticks are not portable
    ●   Because the signing keys differ.
Stats.xml: user profile data
●   XML formatted file.
    <?xml version="1.0" encoding="UTF-8" ?>
    <?xml-stylesheet type="text/xsl" href="Stats.xsl"?>

    <Stats>
    <CalorieData>
    <CaloriesBurned Date='2005-02-26'
    >468.587524</CaloriesBurned>
    </CalorieData>
    <CategoryScores/>
    ...
    <Data>
    local tab1 = { }
    return tab1
    </Data>
    ...
Stats.xml: user profile data
●   XML formatted file.
    <?xml version="1.0" encoding="UTF-8" ?>
    <?xml-stylesheet type="text/xsl" href="Stats.xsl"?>

    <Stats>
    <CalorieData>
    <CaloriesBurned Date='2005-02-26'
    >468.587524</CaloriesBurned>      What reading XML does to people.
    </CalorieData>
    <CategoryScores/>
    ...
    <Data>
    local tab1 = { }
    return tab1
    </Data>
    ...
XML parser flaws
●   XNode::LoadAttributes() has issues.
●   It will scan past 0-byte if there is a double or
    single quote character before it.
●   tcsskip() and tcsechr() are scary, as they
    always return a non-NULL pointer.
●   Lots of over-indexed reads, but hard to find
    over-indexed writes.
●   Need a better bug.
XML parser flaws
●   XNode::LoadAttributes() has issues.
●   It will scan past 0-byte if there is a double or
    single quote character before it.
●   tcsskip() and tcsechr() are scary, as they
    always return a non-NULL pointer.
●   Lots of over-indexed reads, but hard to find
    over-indexed writes.
                                     This is not a good bug.
●   Need a better bug.
User profile loading flaws (1)
●   Profile::LoadGeneralDataFromNode() reads
    XML data from the XML tree, and deserializes.
●   Lot of uninteresting numeric and string entries.
●   The <Data> tag seems interesting, as it
    contains embedded LUA data.
●   It is only handled for IsMachine() profiles, which
    are stored on the arcade machine itself.
User profile loading flaws (1)
●   Profile::LoadGeneralDataFromNode() reads
    XML data from the XML tree, and deserializes.
●   Lot of uninteresting numeric and string entries.
●   The <Data> tag seems interesting, as it
    contains embedded LUA data.
●   It is only handled for IsMachine() profiles, which
    are stored on the arcade machine itself.
●   Are they really?
User profile loading flaws (2)
●   In OpenITG there is an IsMachine() check.
●   Not so in R21 and R23!
    v29 = GetChildValue(a3, "Data");
    if ( v29 )
    {
      string_constructor(v29, &sData);
      LoadFromString(a2 + 5000, (int)&sData);
      if ( GetLuaType(a2 + 5000) != LUA_TTABLE )
      {
        Warn((int)LOG, "Profile data did not evaluate to a table");
        sub_84C3C80(*(_DWORD *)LuaHelpers);
        sub_81C2870(a2 + 5000);
      }
    }
Creating a rogue profile
●   We have found a way to inject LUA code.
●   There's still more work to be done:
    ●   Signing profiles with malicious LUA code.
        –   This requires the signing keys.
    ●   Finding out what LUA code we can use.
        –   Is there a LUA sandbox?
        –   Can we escalate to root on the machine?
        –   Do we actually need to? What can we do otherwise?
Signing profiles (1)
●   Profile signing is done using RSA and SHA1.
●   Original implementation using crypto++.
●   Signing: S(k-, p) = E(k-, h(p))
●   Verification: D(k+, S(k-, p)) should be h(p).
●   Reimplemented this using OpenSSL, as
    crypto++ is complicated to use.
●   Command line OpenSSL also works.
Signing profiles (2)
●   What is signed?
    ●   Stats.xml with the result in Stats.xml.sig
    ●   Stats.xml.sig with the result in DontShare.sig
●   This double signature is done so people can
    share verified (machine signed) scores, without
    their profile being copied.
●   You would share Stats.xml and Stats.xml.sig
    but not DontShare.sig
Signing profiles (3)
●   We obviously want the private key.
●   ITG2 signs profiles every time someone plays.
●   Private key needs to be known to the program.
●   Profiles need to be transferable.
    ●   So the signing keys are shared!
●   No revocation scheme in place.
    ●   Once we leak one key, we're set!
OpenSSL signing / verifying
●   openssl dgst -keyform DER -sign private.rsa -out
    Stats.xml.sig Stats.xml
    openssl dgst -keyform DER -sign private.rsa -out
    DontShare.sig Stats.xml.sig
●   openssl dgst -keyform DER -verify public.rsa
    -signature DontShare.sig Stats.xml.sig
    openssl dgst -keyform DER -verify public.rsa
    -signature Stats.xml.sig Stats.xml
OpenSSL DER to PEM
●   Private key is in PKCS8 DER form.
    openssl pkcs8 -in private.rsa -inform DER -outform
    PEM -out private.pem -nocrypt
●   Public key is in RSA DER form.
    openssl rsa -in public.rsa -inform DER -pubin -pubout
    -outform PEM -out public.pem
ITG2PC
●   The private keys are simply installed.
●   They obviously differ from the ITG2AC keys.
●   Look for the *.rsa files.
●   They come in PKCS #1 / PKCS #8 forms.

                          A key!
ITG2AC
●   Dumping the private keys more complicated.
●   We need to crack open the machine first.
    ●   Attach USB keyboard and Linux disk.
    ●   Rebooting the machine.
    ●   Enter + configure BIOS to boot from disk.
    ●   Mount the ITG2 XFS filesystem and have at it.
    ●   Will not work on R23, as it rewrites the BIOS
        password using nvram.ko
ITG2AC (2)
●   We were unable to find the keys on disk.
●   /itgdata contains several crypted blobs:
    data0.zip through data4.zip and patch.zip.
●   The keys are most likely in there, as well as the
    songs and so on.
●   We need a way to decrypt those files.
ITG2AC file encryption
●   The core algorithm uses SHA-512 and AES-
    192 in CBC mode.
●   The AES keys are managed in two ways.
    ●   Patch files use a static key, probably because it is
        easier to deliver patches.
    ●   The core data files all have unique keys, which
        differ on all arcade machines. These are managed
        by a hardware security dongle.
Encrypted file header (1)
struct itg2_file_header
{
       char          magic[2];
       uint32_t      file_size;
       uint32_t      subkey_size;
       uint8_t       *subkey;
       uint8_t       verify_block[16];
};
Encrypted file header (2)
●   Magic will be :| for data files and 8O for patch
    files.
●   file_size is the size of the decrypted file, so that
    padding to blocksize can be ignored.
●   subkey_size is the size of the subkey.
●   subkey is the size of subkey data.
●   verify_block is a block of encrypted static data
    to determine if a valid key was provided.
File decryption algorithm (1)
●   AES-192 keying is used. How these keys are
    derived we will see later.
●   Remember that AES works on 16 byte blocks.
●   File is partitioned in blocks of 255 AES blocks.
●   Each of these blocks is encrypted using AES in
    CBC mode.
●   The IV is manipulated before every encryption,
    by subtracting 0 through 16 from IV elements.
File decryption algorithm (2)
●   Why does it work like this?
●   CBC mode is quirky for file encryption.
●   If we encrypt the full file in CBC mode, a single
    corruption in the worst case will ruin the entire
    file.
●   When partitioning in blocks a single corruption
    in the worst case ruins the block.
                      奇々怪界 : This game is underrated.
File decryption algorithm (3)
●   We get IV repetition per block of 255 blocks.
    This is a slight weakness, but not fatal for CBC.
●   Why they modify the IV is unclear to me.
●   It causes some additional confusion, and it
    does not introduce additional duplicates, so it is
    probably alright.
AES key recovery (1)
●   The AES key for patch files is created running a
    function similar to SHA512-HMAC.
●   It is not a real HMAC, as there is no ipad/opad
    or key compression performed, but simply
    does: SHA512(m || k)
●   The message is the subkey from the file
    header.
●   The key can be recovered by reverse
    engineering (or reading the OpenITG code).
AES key recovery (2)
●   The AES keys to the data files are stored on an
    security dongle.
●   The dongle is an iButton DS1963S which is
    used as a SHA-512 HMAC co-processor to
    deliver the AES keys.
●   We don't need the DS1963S secret keys: we
    can recover the AES key for specific data files.
          Fu fu fu, enough crypto already.
DS1963S architecture
●   The dongle is connected to the RS232 port of
    the machine.
●   It communicates through a bus protocol called
    1-Wire so that the master can communicate
    with multiple slaves.
●   There is a public domain kit available to
    communicate with the dongle.
DS1963S memory
●   There are 16 256-bit data pages.
●   There are 2 pages holding 4 64-bit secrets
    each. These are writable, but not readable.
    ●   Reading the secret pages would break DS1963S
        security, but we do not need to do this for
        decrypting the data files.
●   There is a 256-bit scratch pad used for reliable
    transfers from master to slave memory.
DS1963S registers
●   TA1 and TA2 hold the LSB and MSB of the
    target address used in many operations.
●   E/S is a read-only counter and status register
    ●   Bits[0..4]: The ending offset; it holds the last offset
        into the scratch pad that was written to.
    ●   Bits[5]: The partial flag (PF); set to 1 when the bits
        sent by the master are not a multiple of 8.
    ●   Bits[6]: Unused; should be 0.
    ●   Bits[7]: Authorization Accepted (AA); set to 1 when
        the scratchpad has been copied to memory.
DS1963S reliable write (1)
●   [0xC3] [TA1] [TA2]
      Erase the scratchpad, filling it with 0xFF. TA is
      ignored. Clear HIDE flag.
●   [0x0F] [TA1] [TA2] [DATA ...] [CRC16]
      Write data to the scratchpad, from the byte offset to
      the ending offset. If the ending offset is 0x1F, the
      slave sends back the CRC16 of data read.
●   [0xAA]
      Read scratchpad. Slave sends back the byte offset,
      the ending offset, and the scratchpad area for
      those, and ~CRC16.
DS1963S reliable write (2)
●   Comparing the data written to the data read
    guarantees (almost) no distortions.
●   From scratchpad we can then write into data
    pages and secrets pages.
●   All this is performed by the public domain API
    function WriteDataPageSHA18().
DS1963S SHA functions
●   There are multiple SHA functions.
●   We will only look at the one relevant to
    ITG2AC.
●   [0x33] [0xC3] SHA-1 sign data.
    ●   Signs data page 0 or 8 with the secret number 0 or
        8, and data from the scratchpad.
    ●   This is used to generate the AES key from the
        subkey data in the file header.
DS1963S security (1)
●   Secret page security demonstrated broken by
    Christian Brandt at CCC 2010 through faulting.
●   Using real crypto does not make devices
    secure.
DS1963S security (1)
●    Secret page security demonstrated broken by
     Christian Brandt at CCC 2010 through faulting.
●    Using real crypto does not make devices
     secure.
    Would you rather attack SHA-1?
DS1963S security (1)
●    Secret page security demonstrated broken by
     Christian Brandt at CCC 2010 through faulting.
●    Using real crypto does not make devices
     secure.
    Would you rather attack SHA-1?



                                     Or the DS1963S protocols?
DS1963S security (2)
●   An untested idea to dump secrets.
    ●   The scratchpad and memory do not have to be
        written in 32-byte blocks.
        –   We can write smaller quantities, like 1 or 2 bytes.
    ●   The Copy Scratchpad command can write secret
        pages directly.
        –   We just can't read secret pages.
    ●   Partial secret overwrite may be possible?
        –   Use Sign data page (SDP) with original secret.
        –   Now overwrite 1 byte, and SDP again until correct byte
            has been found.
        –   Repeat: complexity now O(256*8) instead of O(256**8).
DS1963S demonstration
DS1963S demonstration




                This octopus is funnier than Cthulhu.
File decryption
●   We can now use the DS1963S keys to decrypt
    the encrypted files.
●   This opens the door for unauthorized copying of
    the game content...
    ●   Keep in mind that ITG2PC had no DRM
        whatsoever, so it is of minimal concern.
●   It also allows us to use the original files portably
    in other projects. Think of OpenITG.
Signing key recovery
●   We can now find the profile signing key by
    decrypting and unpacking data4.zip.
●   The keys are in Data/private.rsa and
    Data/public.rsa.
Using LUA
●   So we can get LUA code executed by signing
    profiles with embedded code.
●   The LUA environment is sandboxed, there is no
    support for the os module and so on.
●   This means we cannot execute arbitrary code
    on the machine.
●   We can execute the LUA bindings the game
    provides, and change game state.
●   This is what we want anyway really.
LUA game commands
●   A brief stepmania reference can be found
    online at:
    http://www.stepmania.com/wiki/Lua_scripting_and_Actor_commands
●   It differs from the commands in R21, and R23,
    but there are many similarities.
●   GameState.cpp implements
    ApplyGameCommand() which has some
    interesting primitives.
●   GameCommand.cpp implements these
    primitives.
LUA game commands (2)
●   The one I was looking for as a kid:
    GAMESTATE:ApplyGameCommand('insertcredit')
●   Signing a profile using this command and using
    it indeed leads to a free credit.
●   The profile loader needs to be invoked, so we
    need to use one credit to get the rest for free.
Further escalation
●   We would need to break the LUA sandbox.
    ●   We have several flaws, but they are complicated.
    ●   What more do we want anyway?
        –   We can play for free.
        –   We can unlock songs.
        –   We can transfer scores to the machine.
        –   We do not want to mess it up: the sandbox is nice.
Demonstration
Questions? Kupo?

More Related Content

What's hot

Creative tourism into
Creative tourism intoCreative tourism into
Creative tourism intoGreg Richards
 
Variables of tourism and hospitality
Variables of tourism and hospitalityVariables of tourism and hospitality
Variables of tourism and hospitalityVyncentMaferdFundale1
 
COMPANY PROFILE AND CARTRIDGE SERVICES
COMPANY PROFILE AND CARTRIDGE SERVICESCOMPANY PROFILE AND CARTRIDGE SERVICES
COMPANY PROFILE AND CARTRIDGE SERVICESfinal destination
 
Information technology act 2000.avi
Information technology act 2000.aviInformation technology act 2000.avi
Information technology act 2000.aviavinashmsy
 
Conceptual Models
Conceptual ModelsConceptual Models
Conceptual ModelsFreddy San
 
E commerce in Tourism
E commerce in TourismE commerce in Tourism
E commerce in TourismAnil Bilgihan
 
Privacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERCPrivacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERCArnaud BUDKIEWICZ
 
Mod. 4: The Development of Ski Resorts
Mod. 4: The Development of Ski ResortsMod. 4: The Development of Ski Resorts
Mod. 4: The Development of Ski ResortsRaul Revuelta
 

What's hot (10)

Creative tourism into
Creative tourism intoCreative tourism into
Creative tourism into
 
Variables of tourism and hospitality
Variables of tourism and hospitalityVariables of tourism and hospitality
Variables of tourism and hospitality
 
COMPANY PROFILE AND CARTRIDGE SERVICES
COMPANY PROFILE AND CARTRIDGE SERVICESCOMPANY PROFILE AND CARTRIDGE SERVICES
COMPANY PROFILE AND CARTRIDGE SERVICES
 
Information technology act 2000.avi
Information technology act 2000.aviInformation technology act 2000.avi
Information technology act 2000.avi
 
IT Act,2000 - Law
IT Act,2000 - LawIT Act,2000 - Law
IT Act,2000 - Law
 
Conceptual Models
Conceptual ModelsConceptual Models
Conceptual Models
 
E commerce in Tourism
E commerce in TourismE commerce in Tourism
E commerce in Tourism
 
Privacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERCPrivacy Enhanced RTP Conferencing with WebRTC - PERC
Privacy Enhanced RTP Conferencing with WebRTC - PERC
 
Mod. 4: The Development of Ski Resorts
Mod. 4: The Development of Ski ResortsMod. 4: The Development of Ski Resorts
Mod. 4: The Development of Ski Resorts
 
Human Computer Interaction of an Information System
Human Computer Interaction of an Information SystemHuman Computer Interaction of an Information System
Human Computer Interaction of an Information System
 

Similar to Don't Give Credit: Hacking Arcade Machines

Cross-platform game engine development with SDL 2.0
Cross-platform game engine development with SDL 2.0Cross-platform game engine development with SDL 2.0
Cross-platform game engine development with SDL 2.0Leszek Godlewski
 
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games
Beat Your Mom At Solitaire—Reverse Engineering of Computer GamesBeat Your Mom At Solitaire—Reverse Engineering of Computer Games
Beat Your Mom At Solitaire—Reverse Engineering of Computer GamesChristoph Matthies
 
Hyper Island - 2012
Hyper Island - 2012Hyper Island - 2012
Hyper Island - 2012Detectify
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at HomeE Hacking
 
My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016Alex Chistyakov
 
Computer Games Inner Workings - I. Loukeris AIT
Computer Games Inner Workings - I. Loukeris AITComputer Games Inner Workings - I. Loukeris AIT
Computer Games Inner Workings - I. Loukeris AITAIT_Communications
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardwareRonald McCollam
 
DEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allDEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allFelipe Prado
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator actionPacSecJP
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1tAmit Serper
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityFelipe Prado
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressLinaro
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
Castle Game Engine and the joy of making and using a custom game engine
Castle Game Engine and the joy  of making and using a custom game engineCastle Game Engine and the joy  of making and using a custom game engine
Castle Game Engine and the joy of making and using a custom game engineMichalis Kamburelis
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospectiveOpen-RnD
 

Similar to Don't Give Credit: Hacking Arcade Machines (20)

Cross-platform game engine development with SDL 2.0
Cross-platform game engine development with SDL 2.0Cross-platform game engine development with SDL 2.0
Cross-platform game engine development with SDL 2.0
 
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games
Beat Your Mom At Solitaire—Reverse Engineering of Computer GamesBeat Your Mom At Solitaire—Reverse Engineering of Computer Games
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games
 
Hyper Island - 2012
Hyper Island - 2012Hyper Island - 2012
Hyper Island - 2012
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at Home
 
My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016My talk from PgConf.Russia 2016
My talk from PgConf.Russia 2016
 
Computer Games Inner Workings - I. Loukeris AIT
Computer Games Inner Workings - I. Loukeris AITComputer Games Inner Workings - I. Loukeris AIT
Computer Games Inner Workings - I. Loukeris AIT
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Taking the hard out of hardware
Taking the hard out of hardwareTaking the hard out of hardware
Taking the hard out of hardware
 
DEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allDEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them all
 
James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1t
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning security
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
 
Infecting the Embedded Supply Chain
 Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
Castle Game Engine and the joy of making and using a custom game engine
Castle Game Engine and the joy  of making and using a custom game engineCastle Game Engine and the joy  of making and using a custom game engine
Castle Game Engine and the joy of making and using a custom game engine
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Yocto and IoT - a retrospective
Yocto and IoT - a retrospectiveYocto and IoT - a retrospective
Yocto and IoT - a retrospective
 
Killer Bugs From Outer Space
Killer Bugs From Outer SpaceKiller Bugs From Outer Space
Killer Bugs From Outer Space
 

More from Michael Scovetta

Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Michael Scovetta
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client BackdoorMichael Scovetta
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForMichael Scovetta
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesMichael Scovetta
 
Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst PracticesMichael Scovetta
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsMichael Scovetta
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)Michael Scovetta
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Michael Scovetta
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)Michael Scovetta
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationMichael Scovetta
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)Michael Scovetta
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Michael Scovetta
 

More from Michael Scovetta (20)

Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Strategic Surprise
Strategic SurpriseStrategic Surprise
Strategic Surprise
 
Stackjacking
StackjackingStackjacking
Stackjacking
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 
Attacking the WebKit Heap
Attacking the WebKit HeapAttacking the WebKit Heap
Attacking the WebKit Heap
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Smooth CoffeeScript
Smooth CoffeeScriptSmooth CoffeeScript
Smooth CoffeeScript
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android Smartphones
 
Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst Practices
 
HTML5 Web Security
HTML5 Web SecurityHTML5 Web Security
HTML5 Web Security
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programs
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal Verification
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)
 

Recently uploaded

What Life Would Be Like From A Different Perspective (saltyvixenstories.com)
What Life Would Be Like From A Different Perspective (saltyvixenstories.com)What Life Would Be Like From A Different Perspective (saltyvixenstories.com)
What Life Would Be Like From A Different Perspective (saltyvixenstories.com)Salty Vixen Stories & More
 
Dubai Call Girls O525547819 Face Full Beautiful Call Girls Dubai
Dubai Call Girls O525547819 Face Full Beautiful Call Girls DubaiDubai Call Girls O525547819 Face Full Beautiful Call Girls Dubai
Dubai Call Girls O525547819 Face Full Beautiful Call Girls Dubaikojalkojal131
 
11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp
11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp
11-Intro-to-Philo-AS-v1.0.pdf Philippine ppppppppppppppppppppppppppJosephCagape
 
Mince Pies, a story for entertainment.docx
Mince Pies, a story for entertainment.docxMince Pies, a story for entertainment.docx
Mince Pies, a story for entertainment.docxazuremorn
 
TREE VOLANOES, A STORY FOR ENTERTAINMENT
TREE VOLANOES, A STORY FOR ENTERTAINMENTTREE VOLANOES, A STORY FOR ENTERTAINMENT
TREE VOLANOES, A STORY FOR ENTERTAINMENTazuremorn
 
The Old Man and the Earthquake, a story for entertainment
The Old Man and the Earthquake, a story for entertainmentThe Old Man and the Earthquake, a story for entertainment
The Old Man and the Earthquake, a story for entertainmentazuremorn
 
Transform Your Space with Poster Memorabilia's Collection
Transform Your Space with Poster Memorabilia's CollectionTransform Your Space with Poster Memorabilia's Collection
Transform Your Space with Poster Memorabilia's CollectionPoster Memorabilia Reviews
 
Bald Philosopher, a story for entertainment.docx
Bald Philosopher, a story for entertainment.docxBald Philosopher, a story for entertainment.docx
Bald Philosopher, a story for entertainment.docxazuremorn
 
THE MEDIC, A STORY for entertainment.docx
THE MEDIC, A STORY for entertainment.docxTHE MEDIC, A STORY for entertainment.docx
THE MEDIC, A STORY for entertainment.docxazuremorn
 
Green minimalist professional Business Proposal Presentation.pdf
Green minimalist professional Business Proposal Presentation.pdfGreen minimalist professional Business Proposal Presentation.pdf
Green minimalist professional Business Proposal Presentation.pdfrudkiaman0001
 
karaoke songs customise for portable 2.docx
karaoke songs customise for portable  2.docxkaraoke songs customise for portable  2.docx
karaoke songs customise for portable 2.docxPOPCOMTABUKCITY
 
The lady in Surtout, an old story that happened in our neighbourhood
The lady in Surtout, an old story  that happened in our neighbourhoodThe lady in Surtout, an old story  that happened in our neighbourhood
The lady in Surtout, an old story that happened in our neighbourhoodazuremorn
 
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024Durkin Entertainment LLC
 
Instructions for Dancing by Nicola Yoon.pdf
Instructions for Dancing by Nicola Yoon.pdfInstructions for Dancing by Nicola Yoon.pdf
Instructions for Dancing by Nicola Yoon.pdfSitemile WebDesign
 
Fight Scene Storyboard (Action/Adventure Animation)
Fight Scene Storyboard (Action/Adventure Animation)Fight Scene Storyboard (Action/Adventure Animation)
Fight Scene Storyboard (Action/Adventure Animation)finlaygoodall2
 
WWW - World Wide Web presentation.pptx
WWW - World Wide Web   presentation.pptxWWW - World Wide Web   presentation.pptx
WWW - World Wide Web presentation.pptxdomainkillerlinux
 
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...TeslaStakeHolder
 
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Mother
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' MotherA Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Mother
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Motherget joys
 

Recently uploaded (20)

What Life Would Be Like From A Different Perspective (saltyvixenstories.com)
What Life Would Be Like From A Different Perspective (saltyvixenstories.com)What Life Would Be Like From A Different Perspective (saltyvixenstories.com)
What Life Would Be Like From A Different Perspective (saltyvixenstories.com)
 
Dubai Call Girls O525547819 Face Full Beautiful Call Girls Dubai
Dubai Call Girls O525547819 Face Full Beautiful Call Girls DubaiDubai Call Girls O525547819 Face Full Beautiful Call Girls Dubai
Dubai Call Girls O525547819 Face Full Beautiful Call Girls Dubai
 
11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp
11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp
11-Intro-to-Philo-AS-v1.0.pdf Philippine pppppppppppppppppppppppppp
 
Sincerely, The Friday Club - Farewell Quiz-Finals.pptx
Sincerely, The Friday Club - Farewell Quiz-Finals.pptxSincerely, The Friday Club - Farewell Quiz-Finals.pptx
Sincerely, The Friday Club - Farewell Quiz-Finals.pptx
 
Moveable Feast_Travel-Lifestyle-Culture Quiz.pptx
Moveable Feast_Travel-Lifestyle-Culture Quiz.pptxMoveable Feast_Travel-Lifestyle-Culture Quiz.pptx
Moveable Feast_Travel-Lifestyle-Culture Quiz.pptx
 
Mince Pies, a story for entertainment.docx
Mince Pies, a story for entertainment.docxMince Pies, a story for entertainment.docx
Mince Pies, a story for entertainment.docx
 
TREE VOLANOES, A STORY FOR ENTERTAINMENT
TREE VOLANOES, A STORY FOR ENTERTAINMENTTREE VOLANOES, A STORY FOR ENTERTAINMENT
TREE VOLANOES, A STORY FOR ENTERTAINMENT
 
The Old Man and the Earthquake, a story for entertainment
The Old Man and the Earthquake, a story for entertainmentThe Old Man and the Earthquake, a story for entertainment
The Old Man and the Earthquake, a story for entertainment
 
Transform Your Space with Poster Memorabilia's Collection
Transform Your Space with Poster Memorabilia's CollectionTransform Your Space with Poster Memorabilia's Collection
Transform Your Space with Poster Memorabilia's Collection
 
Bald Philosopher, a story for entertainment.docx
Bald Philosopher, a story for entertainment.docxBald Philosopher, a story for entertainment.docx
Bald Philosopher, a story for entertainment.docx
 
THE MEDIC, A STORY for entertainment.docx
THE MEDIC, A STORY for entertainment.docxTHE MEDIC, A STORY for entertainment.docx
THE MEDIC, A STORY for entertainment.docx
 
Green minimalist professional Business Proposal Presentation.pdf
Green minimalist professional Business Proposal Presentation.pdfGreen minimalist professional Business Proposal Presentation.pdf
Green minimalist professional Business Proposal Presentation.pdf
 
karaoke songs customise for portable 2.docx
karaoke songs customise for portable  2.docxkaraoke songs customise for portable  2.docx
karaoke songs customise for portable 2.docx
 
The lady in Surtout, an old story that happened in our neighbourhood
The lady in Surtout, an old story  that happened in our neighbourhoodThe lady in Surtout, an old story  that happened in our neighbourhood
The lady in Surtout, an old story that happened in our neighbourhood
 
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024
ECOLUXE pre-ESPYS Ultimate Sports Lounge 2024
 
Instructions for Dancing by Nicola Yoon.pdf
Instructions for Dancing by Nicola Yoon.pdfInstructions for Dancing by Nicola Yoon.pdf
Instructions for Dancing by Nicola Yoon.pdf
 
Fight Scene Storyboard (Action/Adventure Animation)
Fight Scene Storyboard (Action/Adventure Animation)Fight Scene Storyboard (Action/Adventure Animation)
Fight Scene Storyboard (Action/Adventure Animation)
 
WWW - World Wide Web presentation.pptx
WWW - World Wide Web   presentation.pptxWWW - World Wide Web   presentation.pptx
WWW - World Wide Web presentation.pptx
 
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...
Flying Avocado Cat Cryptocurrency Created, Coded, Generated and Named by Grok...
 
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Mother
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' MotherA Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Mother
A Spotlight on Darla Leigh Pittman Rodgers: Aaron Rodgers' Mother
 

Don't Give Credit: Hacking Arcade Machines

  • 1. Don't Give Credit: Hacking Arcade Machines
  • 2. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games.
  • 3. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am
  • 4. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am Whom I'd like to be.
  • 5. Attacking Arcade Machines ● Why attack arcade machines? ● Fun and free plays. ● Not so much profit, unless you play a lot. ● Living one of my childhood dreams. ● Both the vulnerability and the talk are quite simple. ● This is meant to be fun and practical.
  • 6. Attack Surface (1) ● Almost all attacks will need physical access. ● We need to make a distinction ● Obvious attacks such as opening the machine, or attaching odd peripherals and rebooting it. ● Non-obvious attacks that resemble normal use. These are probably impossible on many older arcade machines.
  • 7. Attack Surface (2) ● The obvious attacks won't work, as we'll get kicked out of the arcade or worse. ● We want to be less conspicuous than this:
  • 8. Attack Surface (3) ● Modern arcade machines often allow for transferable profiles stored on portable devices. ● Magnetic cards ● Konami e-AMUSEMENT smart card ● USB dongles ● Probably more schemes, especially in Japan. ● This gives us more attack surface using either malicious hardware devices, or by malicious data on official devices.
  • 9. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention.
  • 10. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Attack here.
  • 11. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Not here. Attack here.
  • 12. What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles.
  • 13. What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles. ● Allows geeks to dance like Michael Jackson.
  • 14. What do we know? (1) ● There is a PC as well as an arcade version. ● We'll use ITG2PC and ITG2AC for these versions. ● We can tinker with the PC version easily and test our ideas. ● After testing them on ITG2PC, we try ITG2AC. ● ITG2AC is running on x86-32 Linux. ● Most of us will be in our comfort zone.
  • 15. What do we know? (2) ● ITG2 software based on a modified version of StepMania, an open source dancing simulator. ● Allows for easier reverse engineering. ● There is an open source project dedicated to reimplementing the game. ● OpenITG did an excellent job at reversing and reimplementing parts of the game.
  • 16. What is on the USB stick? ● Edits of existing songs on the machine. ● Custom songs (needs to be enabled). ● Signed screenshots (to prove scores). ● Signed score profile and backups. ● Stats.xml / Stats.xml.sig / DontShare.sig ● Song catalogues, preferences, etc. ● ITG2AC and ITG2PC sticks are not portable ● Because the signing keys differ.
  • 17. Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
  • 18. Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> What reading XML does to people. </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
  • 19. XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. ● Need a better bug.
  • 20. XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. This is not a good bug. ● Need a better bug.
  • 21. User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself.
  • 22. User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself. ● Are they really?
  • 23. User profile loading flaws (2) ● In OpenITG there is an IsMachine() check. ● Not so in R21 and R23! v29 = GetChildValue(a3, "Data"); if ( v29 ) { string_constructor(v29, &sData); LoadFromString(a2 + 5000, (int)&sData); if ( GetLuaType(a2 + 5000) != LUA_TTABLE ) { Warn((int)LOG, "Profile data did not evaluate to a table"); sub_84C3C80(*(_DWORD *)LuaHelpers); sub_81C2870(a2 + 5000); } }
  • 24. Creating a rogue profile ● We have found a way to inject LUA code. ● There's still more work to be done: ● Signing profiles with malicious LUA code. – This requires the signing keys. ● Finding out what LUA code we can use. – Is there a LUA sandbox? – Can we escalate to root on the machine? – Do we actually need to? What can we do otherwise?
  • 25. Signing profiles (1) ● Profile signing is done using RSA and SHA1. ● Original implementation using crypto++. ● Signing: S(k-, p) = E(k-, h(p)) ● Verification: D(k+, S(k-, p)) should be h(p). ● Reimplemented this using OpenSSL, as crypto++ is complicated to use. ● Command line OpenSSL also works.
  • 26. Signing profiles (2) ● What is signed? ● Stats.xml with the result in Stats.xml.sig ● Stats.xml.sig with the result in DontShare.sig ● This double signature is done so people can share verified (machine signed) scores, without their profile being copied. ● You would share Stats.xml and Stats.xml.sig but not DontShare.sig
  • 27. Signing profiles (3) ● We obviously want the private key. ● ITG2 signs profiles every time someone plays. ● Private key needs to be known to the program. ● Profiles need to be transferable. ● So the signing keys are shared! ● No revocation scheme in place. ● Once we leak one key, we're set!
  • 28. OpenSSL signing / verifying ● openssl dgst -keyform DER -sign private.rsa -out Stats.xml.sig Stats.xml openssl dgst -keyform DER -sign private.rsa -out DontShare.sig Stats.xml.sig ● openssl dgst -keyform DER -verify public.rsa -signature DontShare.sig Stats.xml.sig openssl dgst -keyform DER -verify public.rsa -signature Stats.xml.sig Stats.xml
  • 29. OpenSSL DER to PEM ● Private key is in PKCS8 DER form. openssl pkcs8 -in private.rsa -inform DER -outform PEM -out private.pem -nocrypt ● Public key is in RSA DER form. openssl rsa -in public.rsa -inform DER -pubin -pubout -outform PEM -out public.pem
  • 30. ITG2PC ● The private keys are simply installed. ● They obviously differ from the ITG2AC keys. ● Look for the *.rsa files. ● They come in PKCS #1 / PKCS #8 forms. A key!
  • 31. ITG2AC ● Dumping the private keys more complicated. ● We need to crack open the machine first. ● Attach USB keyboard and Linux disk. ● Rebooting the machine. ● Enter + configure BIOS to boot from disk. ● Mount the ITG2 XFS filesystem and have at it. ● Will not work on R23, as it rewrites the BIOS password using nvram.ko
  • 32. ITG2AC (2) ● We were unable to find the keys on disk. ● /itgdata contains several crypted blobs: data0.zip through data4.zip and patch.zip. ● The keys are most likely in there, as well as the songs and so on. ● We need a way to decrypt those files.
  • 33. ITG2AC file encryption ● The core algorithm uses SHA-512 and AES- 192 in CBC mode. ● The AES keys are managed in two ways. ● Patch files use a static key, probably because it is easier to deliver patches. ● The core data files all have unique keys, which differ on all arcade machines. These are managed by a hardware security dongle.
  • 34. Encrypted file header (1) struct itg2_file_header { char magic[2]; uint32_t file_size; uint32_t subkey_size; uint8_t *subkey; uint8_t verify_block[16]; };
  • 35. Encrypted file header (2) ● Magic will be :| for data files and 8O for patch files. ● file_size is the size of the decrypted file, so that padding to blocksize can be ignored. ● subkey_size is the size of the subkey. ● subkey is the size of subkey data. ● verify_block is a block of encrypted static data to determine if a valid key was provided.
  • 36. File decryption algorithm (1) ● AES-192 keying is used. How these keys are derived we will see later. ● Remember that AES works on 16 byte blocks. ● File is partitioned in blocks of 255 AES blocks. ● Each of these blocks is encrypted using AES in CBC mode. ● The IV is manipulated before every encryption, by subtracting 0 through 16 from IV elements.
  • 37. File decryption algorithm (2) ● Why does it work like this? ● CBC mode is quirky for file encryption. ● If we encrypt the full file in CBC mode, a single corruption in the worst case will ruin the entire file. ● When partitioning in blocks a single corruption in the worst case ruins the block. 奇々怪界 : This game is underrated.
  • 38. File decryption algorithm (3) ● We get IV repetition per block of 255 blocks. This is a slight weakness, but not fatal for CBC. ● Why they modify the IV is unclear to me. ● It causes some additional confusion, and it does not introduce additional duplicates, so it is probably alright.
  • 39. AES key recovery (1) ● The AES key for patch files is created running a function similar to SHA512-HMAC. ● It is not a real HMAC, as there is no ipad/opad or key compression performed, but simply does: SHA512(m || k) ● The message is the subkey from the file header. ● The key can be recovered by reverse engineering (or reading the OpenITG code).
  • 40. AES key recovery (2) ● The AES keys to the data files are stored on an security dongle. ● The dongle is an iButton DS1963S which is used as a SHA-512 HMAC co-processor to deliver the AES keys. ● We don't need the DS1963S secret keys: we can recover the AES key for specific data files. Fu fu fu, enough crypto already.
  • 41. DS1963S architecture ● The dongle is connected to the RS232 port of the machine. ● It communicates through a bus protocol called 1-Wire so that the master can communicate with multiple slaves. ● There is a public domain kit available to communicate with the dongle.
  • 42. DS1963S memory ● There are 16 256-bit data pages. ● There are 2 pages holding 4 64-bit secrets each. These are writable, but not readable. ● Reading the secret pages would break DS1963S security, but we do not need to do this for decrypting the data files. ● There is a 256-bit scratch pad used for reliable transfers from master to slave memory.
  • 43. DS1963S registers ● TA1 and TA2 hold the LSB and MSB of the target address used in many operations. ● E/S is a read-only counter and status register ● Bits[0..4]: The ending offset; it holds the last offset into the scratch pad that was written to. ● Bits[5]: The partial flag (PF); set to 1 when the bits sent by the master are not a multiple of 8. ● Bits[6]: Unused; should be 0. ● Bits[7]: Authorization Accepted (AA); set to 1 when the scratchpad has been copied to memory.
  • 44. DS1963S reliable write (1) ● [0xC3] [TA1] [TA2] Erase the scratchpad, filling it with 0xFF. TA is ignored. Clear HIDE flag. ● [0x0F] [TA1] [TA2] [DATA ...] [CRC16] Write data to the scratchpad, from the byte offset to the ending offset. If the ending offset is 0x1F, the slave sends back the CRC16 of data read. ● [0xAA] Read scratchpad. Slave sends back the byte offset, the ending offset, and the scratchpad area for those, and ~CRC16.
  • 45. DS1963S reliable write (2) ● Comparing the data written to the data read guarantees (almost) no distortions. ● From scratchpad we can then write into data pages and secrets pages. ● All this is performed by the public domain API function WriteDataPageSHA18().
  • 46. DS1963S SHA functions ● There are multiple SHA functions. ● We will only look at the one relevant to ITG2AC. ● [0x33] [0xC3] SHA-1 sign data. ● Signs data page 0 or 8 with the secret number 0 or 8, and data from the scratchpad. ● This is used to generate the AES key from the subkey data in the file header.
  • 47. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure.
  • 48. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1?
  • 49. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1? Or the DS1963S protocols?
  • 50. DS1963S security (2) ● An untested idea to dump secrets. ● The scratchpad and memory do not have to be written in 32-byte blocks. – We can write smaller quantities, like 1 or 2 bytes. ● The Copy Scratchpad command can write secret pages directly. – We just can't read secret pages. ● Partial secret overwrite may be possible? – Use Sign data page (SDP) with original secret. – Now overwrite 1 byte, and SDP again until correct byte has been found. – Repeat: complexity now O(256*8) instead of O(256**8).
  • 52. DS1963S demonstration This octopus is funnier than Cthulhu.
  • 53. File decryption ● We can now use the DS1963S keys to decrypt the encrypted files. ● This opens the door for unauthorized copying of the game content... ● Keep in mind that ITG2PC had no DRM whatsoever, so it is of minimal concern. ● It also allows us to use the original files portably in other projects. Think of OpenITG.
  • 54. Signing key recovery ● We can now find the profile signing key by decrypting and unpacking data4.zip. ● The keys are in Data/private.rsa and Data/public.rsa.
  • 55. Using LUA ● So we can get LUA code executed by signing profiles with embedded code. ● The LUA environment is sandboxed, there is no support for the os module and so on. ● This means we cannot execute arbitrary code on the machine. ● We can execute the LUA bindings the game provides, and change game state. ● This is what we want anyway really.
  • 56. LUA game commands ● A brief stepmania reference can be found online at: http://www.stepmania.com/wiki/Lua_scripting_and_Actor_commands ● It differs from the commands in R21, and R23, but there are many similarities. ● GameState.cpp implements ApplyGameCommand() which has some interesting primitives. ● GameCommand.cpp implements these primitives.
  • 57. LUA game commands (2) ● The one I was looking for as a kid: GAMESTATE:ApplyGameCommand('insertcredit') ● Signing a profile using this command and using it indeed leads to a free credit. ● The profile loader needs to be invoked, so we need to use one credit to get the rest for free.
  • 58. Further escalation ● We would need to break the LUA sandbox. ● We have several flaws, but they are complicated. ● What more do we want anyway? – We can play for free. – We can unlock songs. – We can transfer scores to the machine. – We do not want to mess it up: the sandbox is nice.