ROM Hacking for Fun, Profit & Infinite Lives
Green mushrooms > ASLR bypasses



Presented by: Ulisses Albuquerque (ualbuquerque@trustwave.com)

© 2012
Agenda
• DISCLAIMER (in capital letters, no less)
• Quick Intro
• Motivation
• Concepts
• Old-school architectures
• Similarities to embedded systems
• Demo
• …and the infosec in that is where exactly?
• Conclusion

DISCLAIMER
ROM hacking is NOT about Super Mario Bros. 0-day

“ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine.”
http://en.wikipedia.org/wiki/ROM_hacking

$ finger @urma
• Coder/security consultant
  • Managed security services (full stack)
  • Trusted [Virtual] Computing
  • Linux device drivers
  • Scripting/dynamic language love all around
  • C whenever static typing is needed
    – OO is fun, Java/C++ are not
• Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.

“I want to cause chaos, mayhem and global pwnage. Now where should I start..?”
(Joseph Leeto)

Motivation
• TODO
  • Buffer overflows
    – Stack overflows
    – Heap overflows
  • Architectures
    – x86 (32-bit)
    – x64 (64-bit)
    – ARM (mobile phones)
    – MIPS (gotta pwn those access points)
  • Operating systems
    – Win32
    – Linux
    – Mac OS X

Motivation
• TODO (cont.)
  • Shellcode writing
    – Obfuscation/mutation
    – Avoiding detection (anti-virus, you know)
  • Counter-measures
    – Stack canaries
    – Address Space Layout Randomization
    – Non-executable stacks
    – W^X
  • Techniques
    – NOP slides
    – Return oriented programming
    – Return-to-libc

Frustration
Finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.

Motivation

“Eventually, all the buffer overflow work we’ve been doing will become too hard for the amateur to do.”

(David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)

Hacking Gamification
Because every nice talk must have a buzzword™

Concepts
• Embedded systems
• Low-end processors
• OS-less code
• Memory mapping and types
  • RAM, ROM, VRAM and everything in between
• Tools
  • Emulators
  • Debuggers

Concepts
• Embedded systems
  • Systems designed for a specific function, usually inside a larger system
  • Hardware/software is restricted to match use-case scenarios
  • Common use of solid-state storage
  • Limited I/O interfaces
  • Limited to non-existent expandability

Concepts
• Low-end processors
  • Lack of many modern features
    – No memory management unit (MMU)
    – Single core only
    – No superscalar pipeline
    – Narrow memory address/data buses
    – Limited number of pins
  • Limited number of opcodes
  • Low clock speeds

Concepts
Zilog Z80
• 8,500 transistors
• Up to 8 MHz initially, up to 50 MHz today
• Original packaging contains 40 pins

• Nintendo Game Boy
• Sega Master System
• MSX (Gradiente Expert, Sharp Hotbit)
• TRS-80 Model I, III
• Sinclair ZX81, ZX Spectrum (TK90X)
• Colecovision
• Pac-Man arcade machines

Concepts
MOS 6502
• 3,510 transistors
• 1 MHz to 2 MHz
• Original packaging contains 40 pins

• Nintendo Entertainment System (NES)
• Commodore VIC-20
• Apple I/II
• Atari 2600
• BBC Micro

Concepts
Intel Core i7
• 731,000,000 transistors
• 1,366 pins
• Clock speed starts around 2.6 GHz

Concepts
P8X32A-Q44
• Up to 80 MHz
• 44 pins
• 32-bit, 8 “cogs” (processor cores)
• 32 KiB RAM, 32 KiB ROM built-in

• Used in the DEFCON 20 badge

Concepts
• OS-less code
  • No abstractions
    – is_button_pressed() = reading the I/O port, checking bits
    – Very straightforward mapping between hardware and the code that uses it (hint: demo)
  • No built-in support functions
    – Memory management
    – Scheduler/threading
    – File systems
    – Device drivers in general

Concepts
• Memory mapping
  • RAM is used for state only
  • Typically small on embedded systems
  • Code can be run directly off [EP]ROM
    – Only if directly addressable by the CPU
  • Clear separation between behavior (code, read-only) and state (data, read-write)
  • Video framebuffer sometimes mapped into the address space
    – Updating the screen can be as simple as writing to memory
  • Memory-mapped I/O
    – Reading/writing will trigger I/O on external devices, such as LEDs, sensors and actuators

Concepts
• Emulators
  • Software simulation of a computer system
    – No need for similarities between the architectures of guest and host systems
  • Virtual hardware
    – Hooks for hardware accesses by software running on the guest
    – State inspection
    – State snapshot and restore
  • Performance can be an issue
    – Not for old-school hardware (8 MHz Z80 versus 3 GHz Core i7)

Concepts
• Debugger
  • Stop, resume and restart code execution
  • Inspect data state
    – High-level state, represented by variables in memory
    – Low-level state, represented by CPU registers, stack and others
  • Breakpoints
    – For virtual hardware, the sky is the limit
  • Change state during execution
    – “What happens if I increment this value..?”
  • Create general chaos and havoc

Case: NES
• 6502-based Ricoh CPU
  • 1.79 MHz RP2A03 for NTSC systems
  • 1.66 MHz RP2A07 for PAL systems
• Memory
  • 2 kB onboard RAM (can be expanded by cartridges)
  • 2 kB video RAM (PPU)
  • 256 bytes of Object Attribute Memory (OAM)
  • 28 bytes of palette memory
  • Support for memory mappers for more than 32 kB of ROM
• Video
  • 256x240 resolution
  • 48 colors, 6 gray tones

Case: Sega Master System
• Z80-compatible ~4 MHz Sharp LH0080A
• Memory
  • 8 kB onboard RAM
  • 16 kB of video RAM (TMS9918/9928, not memory mapped)
• Video
  • 256x192 tile-based screen (up to 32x28 tiles)
  • Each tile is 8x8 pixels in 16 colors

Your first ROM hack
Finally, we get to hack something!
Talk is cheap, show me some 6502 opcodes!

Demo: Easy Mode
• Game Genie
  • Physical proxy between console and cartridge
  • Intercepts memory accesses through the address/data buses
  • Allows for value freezes with custom parameters
    – E.g., reading $075A in Super Mario Bros. would always return the same value; writing a value would succeed but the value would remain unchanged
  • Focus on state (data in RAM) rather than behavior
  • Can be used to alter opcodes and parameter values in limited ways
  • Supported by emulators – instead of patching the ROM, generate a Game Genie code and use it!
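The emulator hooks from the Concepts slides (virtual hardware intercepting every guest memory access, state snapshot and restore, memory-mapped I/O behind is_button_pressed()) and the Game Genie value freeze described above, as an added example in Python that is not code from the talk. The bus layout, the Bus class, the joypad port address and the toy "lose a life" routine are constructed; only the $075A lives-counter address comes from the slide.

```python
"""Toy 8-bit console memory bus with emulator-style access hooks and a
Game Genie-like value freeze. Constructed example, not code from the talk."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

RAM_END = 0x0800                    # 2 kB of onboard RAM, as on the NES
IO_BASE, IO_END = 0x4000, 0x4020    # constructed memory-mapped I/O window
ROM_BASE = 0x8000                   # cartridge ROM at the top of the 64 kB map
LIVES_ADDR = 0x075A                 # lives-counter address used on the slide
JOYPAD_PORT = 0x4016                # constructed joypad port inside the I/O window


@dataclass
class Bus:
    """Routes every CPU read/write to RAM, ROM or memory-mapped I/O.

    Because all accesses pass through read()/write(), the emulator can hook
    them (trace, freeze, snapshot) without the guest code noticing.
    """
    rom: bytes = b""
    ram: bytearray = field(default_factory=lambda: bytearray(RAM_END))
    io_read: Dict[int, Callable[[], int]] = field(default_factory=dict)
    freezes: Dict[int, int] = field(default_factory=dict)  # addr -> frozen value
    trace: List[str] = field(default_factory=list)         # debugger-style write log

    def read(self, addr: int) -> int:
        addr &= 0xFFFF
        if addr in self.freezes:            # Game Genie: reads always return the same value
            return self.freezes[addr]
        if addr < RAM_END:
            return self.ram[addr]
        if IO_BASE <= addr < IO_END:        # reading the port *is* the I/O operation
            handler = self.io_read.get(addr)
            return handler() & 0xFF if handler else 0
        if ROM_BASE <= addr < ROM_BASE + len(self.rom):
            return self.rom[addr - ROM_BASE]
        return 0xFF                         # unmapped space: constructed simplification

    def write(self, addr: int, value: int) -> None:
        addr &= 0xFFFF
        value &= 0xFF                       # 8-bit data bus: values wrap
        self.trace.append(f"W ${addr:04X} <- ${value:02X}")
        if addr in self.freezes:            # write "succeeds" but the state stays frozen
            return
        if addr < RAM_END:
            self.ram[addr] = value
        # ROM and unmapped space: writes are dropped, as on the real bus

    def snapshot(self) -> bytes:
        """Emulator state snapshot: RAM is the only mutable state in this model."""
        return bytes(self.ram)

    def restore(self, snap: bytes) -> None:
        self.ram[:] = snap


def is_button_pressed(bus: Bus) -> bool:
    """The slide's is_button_pressed(): read the I/O port, check a bit."""
    return bool(bus.read(JOYPAD_PORT) & 0x01)


def lose_life(bus: Bus) -> int:
    """Stand-in for the game's 'player died' routine: decrement $075A."""
    bus.write(LIVES_ADDR, bus.read(LIVES_ADDR) - 1)
    return bus.read(LIVES_ADDR)


def run_game(bus: Bus, deaths: int) -> int:
    """Kill the player `deaths` times, stopping at game over; return lives left."""
    for _ in range(deaths):
        if bus.read(LIVES_ADDR) == 0:
            break
        lose_life(bus)
    return bus.read(LIVES_ADDR)


def new_console() -> Bus:
    bus = Bus(rom=bytes([0xEA] * 16))       # constructed cartridge body (NOPs)
    bus.write(LIVES_ADDR, 3)                # the game's own "start with 3 lives"
    return bus


if __name__ == "__main__":
    plain = new_console()
    print("no cheat, lives left:", run_game(plain, deaths=5))
    cheat = new_console()
    cheat.freezes[LIVES_ADDR] = 3           # Game Genie code: freeze $075A at 3
    print("frozen, lives left:", run_game(cheat, deaths=5))
    print("\n".join(cheat.trace))           # every write attempt is still visible
```

The trace shows why the freeze is a state trick rather than a code patch: the game's decrement writes all happen and are all logged, but the bus never lets them land.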

Where’s the infosec in that..?
Hacking videogames is fun, but beating Super Mario will not land me a job…

Where’s the infosec in that..?
• Many embedded systems still use old processors
  • Legacy vertical systems
  • Industrial control systems
• I/O interfaces will vary wildly
  • Embedded systems are specialized by design
  • Use the low pin count and absence of hardware abstraction layers to your advantage
  • Use the hardware schematics (or trace the data flow in the hardware itself)
• Have fun!

Where’s the infosec in that..?
Bus Pirate
• US$30
• Support for I2C, SPI, JTAG, KB, UART & more
• Always check your voltage levels with a multimeter!

Where’s the infosec in that..?
• How to get modified code into the device?
  • Official firmware upload mechanisms may use signature checking, hashing or checksums
  • Most processors support booting from UART, SPI or other buses, or might support JTAG interfaces
  • Boot into a flash utility, load your custom ROM through an out-of-band channel and flash it

Conclusion
• Hacking games is fun
  • Code and data relationship in memory
  • Hardware is standard and well documented
  • Debuggers and emulators are your friends
• Embedded systems
  • s/joystick/keypad/
  • s/cartridge/eeprom/
  • s/Super Mario Bros/Global Thermonuclear War/
  • Techniques will be the same, hardware will not
  • Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate

Conclusion
• Crawl before you run
  • Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
  • Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey

 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

ROM Hacking for Fun, Profit & Infinite Lives

1. ROM Hacking for Fun, Profit & Infinite Lives
   Green mushrooms > ASLR bypasses
   Presented by: Ulisses Albuquerque, ualbuquerque@trustwave.com
   © 2012

2. Agenda
   • DISCLAIMER (in capital letters, no less)
   • Quick Intro
   • Motivation
   • Concepts
   • Old-school architectures
   • Similarities to embedded systems
   • Demo
   • …and the infosec in that is where exactly?
   • Conclusion

3. DISCLAIMER
   ROM hacking is NOT about Super Mario Bros. 0-day.
   “ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine.”
   http://en.wikipedia.org/wiki/ROM_hacking

4. $ finger @urma
   • Coder/security consultant
     – Managed security services (full stack)
     – Trusted [Virtual] Computing
     – Linux device drivers
     – Scripting/dynamic language love all around
     – C whenever static typing is needed (OO is fun, Java/C++ are not)
   • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.

5. I want to cause chaos, mayhem and global pwnage. Now where should I start..?
   Joseph Leeto

6. Motivation
   • TODO
     – Buffer overflows: stack overflows, heap overflows
     – Architectures: x86 (32-bit), x64 (64-bit), ARM (mobile phones), MIPS (gotta pwn those access points)
     – Operating systems: Win32, Linux, Mac OS X

7. Motivation
   • TODO (cont.)
     – Shellcode writing: obfuscation/mutation, avoiding detection (anti-virus, you know)
     – Counter-measures: stack canaries, Address Space Layout Randomization (ASLR), non-executable stacks, W^X
     – Techniques: NOP slides (sleds), return-oriented programming, return-to-libc

8. Motivation (no transcribed text)

9. Frustration
   Finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.

10. Motivation
    “Eventually, all the buffer overflow work we’ve been doing will become too hard for the amateur to do.”
    (David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)

11. Hacking Gamification
    Because every nice talk must have a buzzword™

12. Concepts
    • Embedded systems
    • Low-end processors
    • OS-less code
    • Memory mapping and types
      – RAM, ROM, VRAM and everything in between
    • Tools
      – Emulators
      – Debuggers

13. Concepts: embedded systems
    • Systems designed for a specific function, usually inside a larger system
    • Hardware/software is restricted to match the use-case scenarios
    • Common use of solid-state storage
    • Limited I/O interfaces
    • Limited to non-existent expandability

14. Concepts: low-end processors
    • Lack many modern features
      – No memory management unit (MMU)
      – Single core
      – No superscalar pipeline
      – Narrow address/data buses
      – Limited number of pins
    • Limited number of opcodes
    • Low clock speeds

15. Concepts: Zilog Z80
    • 8,500 transistors
    • 2.5 MHz in the original part, 8 MHz in later parts, up to 50 MHz in today's eZ80
    • Original packaging has 40 pins
    • Found in: Nintendo Game Boy (Sharp LR35902, a Z80-derived core), Sega Master System, MSX (Gradiente Expert, Sharp Hotbit), TRS-80 Model I and III, Sinclair ZX81 and ZX Spectrum (TK90X), ColecoVision, Pac-Man arcade machines

16. Concepts: MOS 6502
    • 3,510 transistors
    • 1 MHz to 2 MHz
    • Original packaging has 40 pins
    • Found in: Nintendo Entertainment System (NES), Commodore VIC-20, Apple I/II, Atari 2600, BBC Micro

17. Concepts: Intel Core i7 (for comparison)
    • 731,000,000 transistors
    • 1,366 pins (LGA 1366)
    • Clock speed starts around 2.6 GHz

18. Concepts: P8X32A-Q44 (Parallax Propeller)
    • Up to 80 MHz
    • 44 pins
    • 32-bit, 8 “cogs” (processor cores)
    • 32 KiB RAM and 32 KiB ROM built in
    • Used in the DEFCON 20 badge

19. Concepts: OS-less code
    • No abstractions
      – is_button_pressed() = reading the I/O port and checking bits
      – Very straightforward mapping between hardware and the code that uses it (hint: demo)
    • No built-in support functions
      – Memory management
      – Scheduler/threading
      – File systems
      – Device drivers in general

20. Concepts: memory mapping
    • RAM is used for state only
      – Typically small on embedded systems
    • Code can run directly off [EP]ROM
      – Only if the ROM is directly addressable by the CPU
    • Clear separation between behaviour (code, read-only) and state (data, read-write)
    • Video framebuffer sometimes mapped into the address space
      – Updating the screen can be as simple as writing to memory
    • Memory-mapped I/O
      – Reading/writing triggers I/O on external devices such as LEDs, sensors and actuators

21. Concepts: emulators
    • Software simulation of a computer system
      – No need for similarities between the architectures of guest and host
    • Virtual hardware
      – Hooks for hardware accesses by software running on the guest
      – State inspection
      – State snapshot and restore
    • Performance can be an issue
      – Not for old-school hardware (8 MHz Z80 versus 3 GHz Core i7)

22. Concepts: debugger
    • Stop, resume and restart code execution
    • Inspect data state
      – High-level state, represented by variables in memory
      – Low-level state, represented by CPU registers, the stack and others
    • Breakpoints
      – For virtual hardware, the sky is the limit
    • Change state during execution
      – “What happens if I increment this value..?”
    • Create general chaos and havoc
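The points on slides 19 to 22 (no OS between code and hardware, code in ROM versus state in RAM, memory-mapped I/O, and an emulator that hooks every bus access so a debugger can watch or freeze a value) are easiest to see in a toy emulator. The C below is an added example written for this page, not the talk's demo code: it implements just the five real 6502 opcodes a hand-assembled "read the joypad, lose a life" routine needs, a bus with a RAM window, a ROM window and one input port, and a write hook that freezes a RAM address the way a cheat device does. The memory map and the port address $4016 are the example's own assumptions, loosely modelled on the NES; the lives counter at $075A is the Super Mario Bros. address the slides mention.

```c
/* Added example (not from the original slides): minimal 6502-style emulator
 * with a memory map, a memory-mapped input port and a RAM write hook.
 * Assumed layout: $0000-$07FF RAM (mirrored up to $1FFF), $4016 joypad
 * port, $8000-$FFFF ROM. Only the opcodes the demo program uses exist. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE   0x0800
#define ROM_BASE   0x8000
#define PORT_JOY1  0x4016      /* assumed memory-mapped input port */
#define LIVES_ADDR 0x075A      /* RAM byte the demo program decrements */

typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint8_t  rom[0x8000];
    uint8_t  joy1;             /* bit 0 = button held (virtual hardware state) */
    uint16_t pc;
    uint8_t  a;                /* accumulator */
    uint8_t  z;                /* zero flag */
    int      frozen_addr;      /* -1 = none; otherwise writes to this RAM byte are dropped */
    int      halted;
} cpu_t;

/* Bus read: with no OS in the way, "is the button pressed?" is literally
 * a load from the port address followed by a bit test. */
static uint8_t bus_read(cpu_t *c, uint16_t addr) {
    if (addr < 0x2000)       return c->ram[addr & (RAM_SIZE - 1)]; /* RAM + mirrors */
    if (addr == PORT_JOY1)   return c->joy1;                        /* memory-mapped I/O */
    if (addr >= ROM_BASE)    return c->rom[addr - ROM_BASE];        /* code fetched from ROM */
    return 0;                                                       /* open bus, simplified */
}

/* Bus write with a debugger-style hook: a frozen address behaves like a
 * cheat-device RAM freeze (the write "succeeds" but the value never changes).
 * Writes to ROM or unmapped space are ignored, as on real hardware. */
static void bus_write(cpu_t *c, uint16_t addr, uint8_t v) {
    if (addr >= 0x2000) return;
    if (c->frozen_addr == (int)(addr & (RAM_SIZE - 1))) return;
    c->ram[addr & (RAM_SIZE - 1)] = v;
}

static uint16_t fetch16(cpu_t *c, uint16_t at) {
    return (uint16_t)(bus_read(c, at) | (bus_read(c, at + 1) << 8));
}

/* One instruction. Real 6502 encodings: LDA abs (AD), AND imm (29),
 * BEQ rel (F0), DEC abs (CE), JMP abs (4C); BRK (00) halts the toy CPU. */
static void step(cpu_t *c) {
    uint8_t op = bus_read(c, c->pc);
    switch (op) {
    case 0xAD: c->a = bus_read(c, fetch16(c, c->pc + 1)); c->z = (c->a == 0); c->pc += 3; break;
    case 0x29: c->a &= bus_read(c, c->pc + 1);            c->z = (c->a == 0); c->pc += 2; break;
    case 0xF0: { int8_t rel = (int8_t)bus_read(c, c->pc + 1); c->pc += 2; if (c->z) c->pc += rel; break; }
    case 0xCE: { uint16_t ea = fetch16(c, c->pc + 1); uint8_t v = bus_read(c, ea) - 1;
                 bus_write(c, ea, v); c->z = (v == 0); c->pc += 3; break; }
    case 0x4C: c->pc = fetch16(c, c->pc + 1); break;
    default:   c->halted = 1; break;            /* BRK or anything unimplemented */
    }
}

/* Demo routine, hand-assembled at $8000 (constructed for this example):
 *   LDA $4016   ; read the input port
 *   AND #$01    ; button bit set?
 *   BEQ done    ; no -> finish
 *   DEC $075A   ; yes -> lose a life
 *   done: BRK   ; halt */
static const uint8_t demo_prg[] = {
    0xAD, 0x16, 0x40,  0x29, 0x01,  0xF0, 0x03,  0xCE, 0x5A, 0x07,  0x00
};

/* Run the routine once with a given button state and optional freeze on
 * $075A; returns the lives counter afterwards. */
int run_demo(int button_pressed, int freeze_lives, int start_lives) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    memcpy(c.rom, demo_prg, sizeof demo_prg);
    c.pc = ROM_BASE;
    c.joy1 = button_pressed ? 1 : 0;
    c.ram[LIVES_ADDR] = (uint8_t)start_lives;
    c.frozen_addr = freeze_lives ? LIVES_ADDR : -1;
    for (int i = 0; i < 100 && !c.halted; i++) step(&c);
    return c.ram[LIVES_ADDR];
}

int main(void) {
    printf("button up,   no freeze: lives=%d\n", run_demo(0, 0, 3));
    printf("button down, no freeze: lives=%d\n", run_demo(1, 0, 3));
    printf("button down, freeze:    lives=%d\n", run_demo(1, 1, 3));
    printf("button down, 0 lives:   lives=%d\n", run_demo(1, 0, 0));
    return 0;
}
```

Two things worth noticing when running it: the ROM bytes never change, only RAM does, which is the behaviour/state split of slide 20; and the last case shows why freezing state is attractive, since an 8-bit counter decremented past zero wraps to 255 rather than failing.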
23. Case: NES (no transcribed text)

24. Case: NES
    • 6502-based Ricoh CPU
      – 1.79 MHz RP2A03 for NTSC systems
      – 1.66 MHz RP2A07 for PAL systems
    • Memory
      – 2 KiB onboard RAM (can be expanded by cartridges)
      – 2 KiB video RAM (PPU)
      – 256 bytes of Object Attribute Memory (OAM)
      – 32 bytes of palette RAM (28 distinct entries, the rest are mirrors)
      – Cartridge memory mappers bank-switch more than 32 KiB of ROM into the CPU's window
    • Video
      – 256x240 resolution
      – 48 colours, 6 grey tones

25. Case: Sega Master System (no transcribed text)

26. Case: Sega Master System
    • Z80-compatible Sharp LH0080A at ~3.58 MHz
    • Memory
      – 8 KiB onboard RAM
      – 16 KiB of video RAM (TMS9918-derived VDP; accessed through I/O ports, not memory mapped)
    • Video
      – 256x192 tile-based screen (32x28 tile map)
      – Each tile is 8x8 pixels in 16 colours

27. Your first ROM hack
    Finally, we get to hack something! Talk is cheap, show me some 6502 opcodes!

28. Demo: Easy Mode (no transcribed text)

29. Demo: Easy Mode
    • Game Genie
      – Physical proxy between console and cartridge
      – Intercepts memory accesses on the address/data buses
      – Allows value freezes with custom parameters. E.g., reading $075A (the lives counter) in Super Mario Bros. would always return the same value; a write would succeed but the value would remain unchanged
      – Focus on state (data in RAM) rather than behaviour
      – Can be used to alter opcodes and operand values in limited ways
      – Supported by emulators: instead of patching the ROM, generate a Game Genie code and use it!
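Slide 29 says a Game Genie can alter opcodes "in limited ways" and that emulators accept the codes directly. The limits are visible in the encoding: an NES code carries a 15-bit address in the $8000-$FFFF window, one replacement byte, and (for 8-letter codes) a compare byte so the patch only fires when the original byte matches, which matters on bank-switched cartridges. The decoder below is an added example written for this page, not code from the talk; it follows the documented NES Game Genie letter table and bit layout, and applies a code to a constructed 32 KiB PRG bank the way an emulator would, by swapping the byte the CPU fetches. The bank contents (a DEC $075A placed at $91D9, where the well-known SXIOPO code lands) are constructed for the demonstration.

```c
/* Added example (not from the original slides): NES Game Genie decoder and
 * applier. Letter table and bit layout are the documented NES encoding;
 * the PRG bank below is constructed for the demo. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t addr;     /* CPU address in $8000-$FFFF */
    uint8_t  value;    /* byte the CPU should see instead of the ROM byte */
    int      has_cmp;  /* 8-letter codes: only apply when the ROM byte == cmp */
    uint8_t  cmp;
} gg_code_t;

/* Each letter encodes one nibble; the table order defines the value 0..15. */
static int gg_nibble(char ch) {
    static const char table[] = "APZLGITYEOXUKSVN";
    const char *p;
    ch = (char)toupper((unsigned char)ch);
    if (ch == '\0') return -1;
    p = strchr(table, ch);
    return p ? (int)(p - table) : -1;
}

/* Returns 0 on success, -1 on a malformed code (bad length or letter). */
int gg_decode(const char *code, gg_code_t *out) {
    size_t len = strlen(code);
    int n[8];
    if (len != 6 && len != 8) return -1;
    for (size_t i = 0; i < len; i++) {
        n[i] = gg_nibble(code[i]);
        if (n[i] < 0) return -1;
    }
    /* The address bits are scattered across letters 1..5; bit 15 is always set. */
    out->addr = (uint16_t)(0x8000
        | ((n[3] & 7) << 12) | ((n[5] & 7) << 8) | ((n[4] & 8) << 8)
        | ((n[2] & 7) << 4)  | ((n[1] & 8) << 4)
        |  (n[4] & 7)        |  (n[3] & 8));
    out->value = (uint8_t)(((n[1] & 7) << 4) | ((n[0] & 8) << 4) | (n[0] & 7));
    if (len == 6) {
        out->value |= (uint8_t)(n[5] & 8);
        out->has_cmp = 0;
        out->cmp = 0;
    } else {
        out->value |= (uint8_t)(n[7] & 8);
        out->has_cmp = 1;
        out->cmp = (uint8_t)(((n[7] & 7) << 4) | ((n[6] & 8) << 4) | (n[6] & 7) | (n[5] & 8));
    }
    return 0;
}

/* Pack the decoded code as 0xAAAAVVCC (cmp = 00 for 6-letter codes), or -1. */
long long gg_decode_packed(const char *code) {
    gg_code_t c;
    if (gg_decode(code, &c) != 0) return -1;
    return ((long long)c.addr << 16) | ((long long)c.value << 8) | (c.has_cmp ? c.cmp : 0);
}

/* Apply a code to a 32 KiB PRG bank mapped at $8000. Returns 1 if patched,
 * 0 if the compare byte did not match (byte left alone), -1 on error. */
int gg_apply(uint8_t *prg, size_t prg_len, const char *code) {
    gg_code_t c;
    size_t off;
    if (gg_decode(code, &c) != 0) return -1;
    off = (size_t)c.addr - 0x8000;
    if (off >= prg_len) return -1;
    if (c.has_cmp && prg[off] != c.cmp) return 0;
    prg[off] = c.value;
    return 1;
}

/* Constructed bank with "DEC $075A" (CE 5A 07) at $91D9. SXIOPO decodes to
 * $91D9:AD, turning the DEC into "LDA $075A" (AD 5A 07): same length, same
 * operand, no decrement. Returns the opcode byte after patching (0xAD). */
int demo_patch_opcode(void) {
    static uint8_t prg[0x8000];
    memset(prg, 0xEA, sizeof prg);                 /* NOP filler */
    prg[0x91D9 - 0x8000] = 0xCE;
    prg[0x91DA - 0x8000] = 0x5A;
    prg[0x91DB - 0x8000] = 0x07;
    if (gg_apply(prg, sizeof prg, "SXIOPO") != 1) return -1;
    return prg[0x91D9 - 0x8000];
}

/* 8-letter codes carry a compare byte: on a bank where $94A7 is not $03,
 * ZEXPYGLA ($94A7:02, compare 03) must be a no-op. Returns gg_apply's result. */
int demo_compare_guard(void) {
    static uint8_t prg[0x8000];
    memset(prg, 0xEA, sizeof prg);
    return gg_apply(prg, sizeof prg, "ZEXPYGLA");   /* 0: compare mismatch */
}

int main(void) {
    const char *codes[] = { "SXIOPO", "ZEXPYGLA", "HELLO1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s -> %08llx\n", codes[i], gg_decode_packed(codes[i]));
    printf("opcode at $91D9 after SXIOPO: %02X\n", demo_patch_opcode());
    printf("ZEXPYGLA on a non-matching bank: %d\n", demo_compare_guard());
    return 0;
}
```

The "limited ways" of the slide follow directly from the layout: one byte per code, addresses only in the cartridge window (RAM at $075A cannot be targeted this way, which is why RAM freezes are a separate mechanism), and a compare byte that is the only defence against patching the wrong bank.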
30. Where’s the infosec in that..?
    Hacking videogames is fun, but beating Super Mario will not land me a job…

31. Where’s the infosec in that..? (no transcribed text)

32. Where’s the infosec in that..? (no transcribed text)

33. Where’s the infosec in that..?
    • Many embedded systems still use old processors
      – Legacy vertical systems
      – Industrial control systems
    • I/O interfaces vary wildly
      – Embedded systems are specialised by design
    • Use the low pin count and the absence of hardware abstraction layers to your advantage
      – Use the hardware schematics (or trace the data flow in the hardware itself)
    • Have fun!

34. Where’s the infosec in that..?
    Bus Pirate
    • US$30
    • Support for I2C, SPI, JTAG, KB, UART and more
    • Always check your voltage levels with a multimeter!

35. Where’s the infosec in that..?
    • How to get modified code into the device?
      – Official firmware upload mechanisms may use signature checking, hashing or checksums
      – Many processors support booting from UART, SPI or other buses, or expose a JTAG interface
      – Boot into a flash utility, load your custom ROM through the out-of-band channel and flash it

36. Conclusion
    • Hacking games is fun
      – Code and data relationship in memory
      – Hardware is standard and well documented
      – Debuggers and emulators are your friends
    • Embedded systems
      – s/joystick/keypad/
      – s/cartridge/eeprom/
      – s/Super Mario Bros/Global Thermonuclear War/
      – Techniques will be the same, hardware will not
      – Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate

37. Conclusion
    • Crawl before you run
      – Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
      – Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey

38. Conclusion (no transcribed text)