ROM Hacking for Fun, Profit & Infinite Lives
Green mushrooms > ASLR bypasses

Presented by:
Ulisses Albuquerque
ualbuquerque@trustwave.com

© 2012
Agenda
• DISCLAIMER (in capital letters, no less)
• Quick Intro
• Motivation
• Concepts
• Old-school architectures
• Similarities to embedded systems
• Demo
• …and the infosec in that is where exactly?
• Conclusion
DISCLAIMER
ROM hacking is NOT about Super Mario Bros. 0-day

“ROM hacking is the process of modifying a video game ROM image to alter the
game's graphics, dialogue, levels, gameplay, or other elements. This is usually
done by technically inclined video game fans to breathe new life into a
cherished old game, as a creative outlet, or to make essentially new unofficial
games using the old game's engine.”
http://en.wikipedia.org/wiki/ROM_hacking
$ finger @urma
• Coder/security consultant
    • Managed security services (full stack)
    • Trusted [Virtual] Computing
    • Linux device drivers
    • Scripting/dynamic language love all around
    • C whenever static typing is needed
        – OO is fun, Java/C++ are not
• Breaking stuff is fun, building stuff is funnier, building stuff to break
  stuff is awesome.
I want to cause chaos, mayhem and global pwnage
Now where should I start..?
(Joseph Leeto)
Motivation
• TODO
    • Buffer overflows
        – Stack overflows
        – Heap overflows
    • Architectures
        – x86 (32-bit)
        – x64 (64-bit)
        – ARM (mobile phones)
        – MIPS (gotta pwn those access points)
    • Operating systems
        – Win32
        – Linux
        – Mac OS X
Motivation
• TODO (cont.)
    • Shellcode writing
        – Obfuscation/mutation
        – Avoiding detection (anti-virus, you know)
    • Counter-measures
        – Stack canaries
        – Address Space Layout Randomization
        – Non-executable stacks
        – W^X
    • Techniques
        – NOP slides
        – Return oriented programming
        – Return-to-libc
Motivation

Frustration
Finding vulnerabilities in modern software is hard; exploiting them under a
modern OS is harder.
Motivation

“Eventually, all the buffer overflow work we’ve been doing will become too hard
for the amateur to do.”
(David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)
Hacking Gamification
Because every nice talk must have a buzzword™
Concepts
• Embedded systems
• Low-end processors
• OS-less code
• Memory mapping and types
    • RAM, ROM, VRAM and everything in between
• Tools
    • Emulators
    • Debuggers
Concepts
• Embedded systems
    • Systems designed for a specific function, usually inside a larger system
    • Hardware/software is restricted to match use case scenarios
    • Common use of solid state storage
    • Limited I/O interfaces
    • Limited to non-existent expandability
Concepts
• Low-end processors
    • Lack of many modern features
        – No memory management unit (MMU)
        – Single core only
        – No superscalar pipeline
        – Narrow memory address/data buses
        – Limited number of pins
    • Limited number of opcodes
    • Low clock speeds
Concepts
Zilog Z80
• 8,500 transistors
• Up to 8 MHz initially, up to 50 MHz today
• Original packaging contains 40 pins

Used in:
• Nintendo Game Boy
• Sega Master System
• MSX (Gradiente Expert, Sharp Hotbit)
• TRS-80 Model I, III
• Sinclair ZX81, ZX Spectrum (TK90X)
• ColecoVision
• Pac-Man arcade machines
Concepts
MOS 6502
• 3,510 transistors
• 1 MHz to 2 MHz
• Original packaging contains 40 pins

Used in:
• Nintendo Entertainment System (NES)
• Commodore VIC-20
• Apple I/II
• Atari 2600
• BBC Micro
Concepts
Intel Core i7
• 731,000,000 transistors
• 1,366 pins
• Clock speed starts around 2.6 GHz
Concepts
P8X32A-Q44
• Up to 80 MHz
• 44 pins
• 32-bit, 8 “cogs” (processor cores)
• 32 KiB RAM, 32 KiB ROM built-in

Used in the DEFCON20 badge
Concepts
• OS-less code
    • No abstractions
        – is_button_pressed() = reading the I/O port, checking bits
        – Very straightforward mapping between hardware and the code that uses
          it (hint: demo)
    • No built-in support functions
        – Memory management
        – Scheduler/threading
        – File systems
        – Device drivers in general
Concepts
• Memory mapping
    • RAM is used for state only
    • Typically small on embedded systems
    • Code can be run directly off [EP]ROM
        – Only if directly addressable by the CPU
    • Clear separation between behavior (code, read-only) and state (data,
      read-write)
    • Video framebuffer sometimes mapped into the address space
        – Updating the screen can be as simple as writing to memory
    • Memory mapped I/O
        – Reading/writing will trigger I/O on external devices, such as LEDs,
          sensors and actuators
Concepts
• Emulators
    • Software simulation of a computer system
        – No need for similarities between the architectures of guest and host
          systems
    • Virtual hardware
        – Hooks for hardware accesses by software running on the guest
        – State inspection
        – State snapshot and restore
    • Performance can be an issue
        – Not an issue for old-school hardware (8 MHz Z80 versus 3 GHz Core i7)
Concepts
• Debugger
    • Stop, resume and restart code execution
    • Inspect data state
        – High level state, represented by variables in memory
        – Low level state, represented by CPU registers, stack and others
    • Breakpoints
        – For virtual hardware, the sky is the limit
    • Change state during execution
        – “What happens if I increment this value..?”
    • Create general chaos and havoc
Case: NES
• 6502-based Ricoh CPU
    • 1.79 MHz RP2A03 for NTSC systems
    • 1.66 MHz RP2A07 for PAL systems
• Memory
    • 2 kB onboard RAM (can be expanded by cartridges)
    • 2 kB video RAM (PPU)
    • 256 bytes of Object Attribute Memory (OAM)
    • 28 bytes of palette memory
    • Support for memory mappers for more than 32 kB of ROM
• Video
    • 256x240 resolution
    • 48 colors, 6 gray tones
Case: Sega Master System
• Z80-compatible ~4 MHz Sharp LH0080A
• Memory
    • 8 kB onboard RAM
    • 16 kB of video RAM (TMS9918/9928, not memory mapped)
• Video
    • 256x192 tile-based screen (up to 32x28 tiles)
    • Each tile is 8x8 in 16 colors
Your first ROM hack
Finally, we get to hack something!
Talk is cheap, show me some 6502 opcodes!
Demo: Easy Mode
• Game Genie
    • Physical proxy between console and cartridge
    • Intercepts memory accesses through the address/data buses
    • Allows for value freezes with custom parameters
        – E.g., reading $075A in Super Mario Bros. would always return the same
          value; writing a value would succeed but the value would remain
          unchanged
    • Focus on state (data in RAM) rather than behavior
    • Can be used to alter opcodes and parameter values in limited ways
    • Supported by emulators – instead of patching the ROM, generate a Game
      Genie code and use it!
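The memory map from the Concepts slides (RAM for state, read-only ROM for code, a memory-mapped I/O port) and the Game Genie freeze described above, modelled in one toy, with a ROM patch beside it to show the state-versus-behavior distinction the slide draws. This is an added example written for this page, not code from the talk: the 2 kB RAM and the $075A lives counter come from the deck, while the ROM window at $8000, the I/O port at $4016, the button bit and the four-byte "lose a life" routine are constructed assumptions.

```python
"""Toy 6502-style memory bus, Game Genie-style freeze proxy and ROM patch.
Added example for this page, not code from the slides. The 2 kB RAM and $075A
(Super Mario Bros. lives counter) come from the deck; the ROM window, I/O port
address, button bit and the ROM bytes are constructed for illustration."""
from typing import Callable, Dict, List, Tuple

LIVES_ADDR = 0x075A                    # from the slide: SMB lives counter in RAM
DEC_ABS, NOP, RTS = 0xCE, 0xEA, 0x60   # real 6502 opcodes used by the toy CPU

class MemoryBus:
    """16-bit address space: RAM for state, one I/O port, read-only ROM for code."""
    RAM_END = 0x0800     # 2 kB onboard RAM (NES figure from the deck)
    IO_PORT = 0x4016     # assumed location of a memory-mapped controller port
    ROM_START = 0x8000   # assumed: cartridge ROM fills the upper 32 KiB

    def __init__(self, rom: bytes, read_controller: Callable[[], int]):
        self.ram = bytearray(self.RAM_END)
        self.rom = bytes(rom).ljust(0x10000 - self.ROM_START, b"\xFF")
        self.read_controller = read_controller
        self.rom_writes_ignored = 0

    def read(self, addr: int) -> int:
        addr &= 0xFFFF
        if addr < self.RAM_END:
            return self.ram[addr]
        if addr == self.IO_PORT:          # memory-mapped I/O: the read is the poll
            return self.read_controller() & 0xFF
        if addr >= self.ROM_START:
            return self.rom[addr - self.ROM_START]
        return 0xFF                       # unmapped: open bus (assumed)

    def write(self, addr: int, value: int) -> None:
        addr &= 0xFFFF
        if addr < self.RAM_END:
            self.ram[addr] = value & 0xFF
        elif addr >= self.ROM_START:
            self.rom_writes_ignored += 1  # behaviour is read-only: no effect

BUTTON_A = 0x01  # assumed bit position in the controller port

def is_button_pressed(mem, mask: int) -> bool:
    """The OS-less 'abstraction' from the slide: read the port, test the bit."""
    return bool(mem.read(MemoryBus.IO_PORT) & mask)

class FreezeProxy:
    """Sits between CPU and bus as the Game Genie sits between console and cart."""

    def __init__(self, bus: MemoryBus, frozen: Dict[int, int]):
        self.bus = bus
        self.frozen = {a & 0xFFFF: v & 0xFF for a, v in frozen.items()}
        self.intercepted: List[Tuple] = []  # emulator-style hook log

    def read(self, addr: int) -> int:
        addr &= 0xFFFF
        if addr in self.frozen:
            self.intercepted.append(("read", addr))
            return self.frozen[addr]
        return self.bus.read(addr)

    def write(self, addr: int, value: int) -> None:
        addr &= 0xFFFF
        if addr in self.frozen:
            self.intercepted.append(("write", addr, value & 0xFF))
            return                        # write "succeeds", frozen value stays put
        self.bus.write(addr, value)

# Constructed "lose a life" routine as the cartridge would hold it: DEC $075A ; RTS
LOSE_LIFE_ROUTINE = bytes([DEC_ABS, LIVES_ADDR & 0xFF, LIVES_ADDR >> 8, RTS])

def run_routine(mem, pc: int = MemoryBus.ROM_START) -> int:
    """Tiny 6502 subset: runs DEC abs / NOP until RTS; returns the address of RTS."""
    while True:
        op = mem.read(pc)
        if op == RTS:
            return pc
        if op == DEC_ABS:
            target = mem.read(pc + 1) | (mem.read(pc + 2) << 8)
            mem.write(target, (mem.read(target) - 1) & 0xFF)
            pc += 3
        elif op == NOP:
            pc += 1
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at ${pc:04X}")

def patch_rom(rom: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Behaviour-side hack: rewrite the ROM image (here DEC abs -> three NOPs)."""
    return rom[:offset] + new_bytes + rom[offset + len(new_bytes):]

def lives_after(mem, start_lives: int, deaths: int) -> int:
    """Store the counter, run the routine `deaths` times, return what the game sees."""
    mem.write(LIVES_ADDR, start_lives)
    for _ in range(deaths):
        run_routine(mem)
    return mem.read(LIVES_ADDR)

if __name__ == "__main__":
    genie = FreezeProxy(MemoryBus(LOSE_LIFE_ROUTINE, lambda: 0), {LIVES_ADDR: 3})
    print("lives after two deaths with $075A frozen:", lives_after(genie, 3, 2))  # 3
```

The proxy's `intercepted` log is the emulator-side view the deck mentions: every access the freeze swallowed is visible for inspection, which is exactly what a hardware Game Genie cannot show you.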
Where’s the infosec in that..?
Hacking videogames is fun, but beating Super Mario will not land me a job…
Where’s the infosec in that..?
• Many embedded systems still use old processors
    • Legacy vertical systems
    • Industrial control systems
• I/O interfaces will vary wildly
    • Embedded systems are specialized by design
    • Use the low pin count and absence of hardware abstraction layers to your
      advantage
    • Use the hardware schematics (or trace the data flow in the hardware
      itself)
• Have fun!
Where’s the infosec in that..?
Bus Pirate
• US$30
• Support for I2C, SPI, JTAG, KB, UART & more
• Always check your voltage levels with a multimeter!
Where’s the infosec in that..?
• How to get modified code into the device?
    • Official firmware upload mechanisms may use signature checking, hashing
      or checksums
    • Most processors support booting from UART, SPI or other buses, or might
      support JTAG interfaces
    • Boot into a flash utility, load your custom ROM through an out-of-band
      channel and flash it
Conclusion
• Hacking games is fun
    • Code and data relationship in memory
    • Hardware is standard and well documented
    • Debuggers and emulators are your friends
• Embedded systems
    • s/joystick/keypad/
    • s/cartridge/eeprom/
    • s/Super Mario Bros/Global Thermonuclear War/
    • Techniques will be the same, hardware will not
    • Learn how to use a soldering iron and an oscilloscope, and buy yourself a
      Bus Pirate
Conclusion
• Crawl before you run
    • Tackling Google Chrome running on Windows 7 64-bit is a sure way to
      frustrate yourself
    • Simpler stuff is just as fun, and will help you hone your skills before
      going for bigger prey
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

ROM Hacking for Fun, Profit & Infinite Lives

  • 1. ROM Hacking for Fun, Profit & Infinite Lives. Green mushrooms > ASLR bypasses. Presented by: Ulisses Albuquerque, ualbuquerque@trustwave.com. © 2012
  • 2. Agenda
    • DISCLAIMER (in capital letters, no less)
    • Quick Intro
    • Motivation
    • Concepts
    • Old-school architectures
    • Similarities to embedded systems
    • Demo
    • …and the infosec in that is where exactly?
    • Conclusion
  • 3. DISCLAIMER: ROM hacking is NOT about Super Mario Bros. 0-day.
    “ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine.” (http://en.wikipedia.org/wiki/ROM_hacking)
  • 4. $ finger @urma
    • Coder/security consultant
      • Managed security services (full stack)
      • Trusted [Virtual] Computing
      • Linux device drivers
      • Scripting/dynamic language love all around
      • C whenever static typing is needed
        – OO is fun, Java/C++ are not
    • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.
  • 5. I want to cause chaos, mayhem and global pwnage. Now where should I start..? (Joseph Leeto)
  • 6. Motivation
    • TODO
      • Buffer overflows
        – Stack overflows
        – Heap overflows
      • Architectures
        – x86 (32-bit)
        – x64 (64-bit)
        – ARM (mobile phones)
        – MIPS (gotta pwn those access points)
      • Operating systems
        – Win32
        – Linux
        – Mac OS X
  • 7. Motivation
    • TODO (cont.)
      • Shellcode writing
        – Obfuscation/mutation
        – Avoiding detection (anti-virus, you know)
      • Counter-measures
        – Stack canaries
        – Address Space Layout Randomization
        – Non-executable stacks
        – W^X
      • Techniques
        – NOP slides
        – Return oriented programming
        – Return-to-libc
  • 8. Motivation
  • 9. Frustration: finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.
  • 10. Motivation: “Eventually, all the buffer overflow work we’ve been doing will become too hard for the amateur to do.” (David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)
  • 11. Hacking Gamification: because every nice talk must have a buzzword™
  • 12. Concepts
    • Embedded systems
    • Low-end processors
    • OS-less code
    • Memory mapping and types
      • RAM, ROM, VRAM and everything in between
    • Tools
      • Emulators
      • Debuggers
  • 13. Concepts: Embedded systems
    • Systems designed for a specific function, usually inside a larger system
    • Hardware/software is restricted to match use case scenarios
    • Common use of solid state storage
    • Limited I/O interfaces
    • Limited to non-existent expandability
  • 14. Concepts: Low-end processors
    • Lack of many modern features
      – Memory management unit (MMU)
      – Single core
      – No superscalar pipeline
      – Narrow memory address/value buses
      – Limited number of pins
    • Limited number of opcodes
    • Low clock speeds
  • 15. Concepts: Zilog Z80
    • 8,500 transistors
    • Up to 8 MHz initially, up to 50 MHz today
    • Original packaging contains 40 pins
    • Nintendo Game Boy
    • Sega Master System
    • MSX (Gradiente Expert, Sharp Hotbit)
    • TRS-80 Model I, III
    • Sinclair ZX81, ZX Spectrum (TK90X)
    • ColecoVision
    • Pac-Man arcade machines
  • 16. Concepts: MOS 6502
    • 3,510 transistors
    • 1 MHz to 2 MHz
    • Original packaging contains 40 pins
    • Nintendo Entertainment System (NES)
    • Commodore VIC-20
    • Apple I/II
    • Atari 2600
    • BBC Micro
  • 17. Concepts: Intel Core i7
    • 731,000,000 transistors
    • 1,366 pins
    • Clock speed starts around 2.6 GHz
  • 18. Concepts: P8X32A-Q44
    • Up to 80 MHz
    • 44 pins
    • 32-bit, 8 “cogs” (processor cores)
    • 32 KiB RAM, 32 KiB ROM built-in
    • Used in the DEFCON 20 badge
  • 19. Concepts: OS-less code
    • No abstractions
      – is_button_pressed() = reading the I/O port, checking bits
      – Very straightforward mapping between hardware and the code that uses it (hint: demo)
    • No built-in support functions
      – Memory management
      – Scheduler/threading
      – File systems
      – Device drivers in general
  • 20. Concepts: Memory mapping
    • RAM is used for state only
    • Typically small on embedded systems
    • Code can be run directly off [EP]ROM
      – Only if directly addressable by the CPU
    • Clear separation between behavior (code, read-only) and state (data, read-write)
    • Video framebuffer sometimes mapped into the address space
      – Updating the screen can be as simple as writing to memory
    • Memory-mapped I/O
      – Reading/writing will trigger I/O on external devices, such as LEDs, sensors and actuators
  • 21. Concepts: Emulators
    • Software simulation of a computer system
      – No need for similarities between the architectures of guest and host systems
    • Virtual hardware
      – Hooks for hardware accesses by software running on the guest
      – State inspection
      – State snapshot and restore
    • Performance can be an issue
      – Not for old-school hardware (8 MHz Z80 versus 3 GHz Core i7)
  • 22. Concepts: Debugger
    • Stop, resume and restart code execution
    • Inspect data state
      – High-level state, represented by variables in memory
      – Low-level state, represented by CPU registers, stack and others
    • Breakpoints
      – For virtual hardware, the sky is the limit
    • Change state during execution
      – “What happens if I increment this value..?”
    • Create general chaos and havoc
  • 23. Case: NES
  • 24. Case: NES
    • 6502-based Ricoh CPU
      – 1.79 MHz RP2A03 for NTSC systems
      – 1.66 MHz RP2A07 for PAL systems
    • Memory
      – 2 kB onboard RAM (can be expanded by cartridges)
      – 2 kB video RAM (PPU)
      – 256 bytes of Object Attribute Memory (OAM)
      – 28 bytes of palette memory
      – Support for memory mappers for more than 32 kB of ROM
    • Video
      – 256x240 resolution
      – 48 colors, 6 gray tones
  • 25. Case: Sega Master System
  • 26. Case: Sega Master System
    • Z80-compatible ~4 MHz Sharp LH0080A
    • Memory
      – 8 kB onboard RAM
      – 16 kB of video RAM (TMS9918/9928, not memory-mapped)
    • Video
      – 256x192 tile-based screen (up to 32x28 tiles)
      – Each tile is 8x8 in 16 colors
  • 27. Your first ROM hack: finally, we get to hack something! Talk is cheap, show me some 6502 opcodes!
  • 28. Demo: Easy Mode
  • 29. Demo: Easy Mode
    • Game Genie
      • Physical proxy between console and cartridge
      • Intercepts memory accesses through the address/data buses
      • Allows for value freezes with custom parameters
        – E.g., reading $075A in Super Mario Bros. would always return the same value; writing a value would succeed, but the value would remain unchanged
      • Focus on state (data in RAM) rather than behavior
      • Can be used to alter opcodes and parameter values in limited ways
      • Supported by emulators: instead of patching the ROM, generate a Game Genie code and use it!
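Slides 19 to 21 and 29 describe one mechanism from two sides: OS-less code reads a memory-mapped port and tests a bit, while an emulator hooks every such access, which is also where a Game Genie style freeze lives (reads of the frozen byte always return one value, writes are accepted but change nothing). The C below is an added example, not code from the talk or from any emulator; the toy bus, the JOY_PORT address, the BTN_A bit and treating $075A as a counter the game decrements are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy emulator bus: 2 KiB of RAM (the NES's onboard size) plus one
 * memory-mapped controller port; JOY_PORT and BTN_A are assumed, not from the talk. */
#define RAM_SIZE 0x0800
#define JOY_PORT 0x4016
#define BTN_A    0x01
typedef struct {
    uint8_t ram[RAM_SIZE];
    uint8_t joypad;               /* what the virtual controller reports   */
    bool    frozen[RAM_SIZE];     /* Game Genie style freeze, one per byte */
    uint8_t freeze_val[RAM_SIZE];
} bus_t;
/* The emulator's hook for every guest memory access (slide 21). */
uint8_t bus_read(const bus_t *b, uint16_t addr) {
    if (addr == JOY_PORT) return b->joypad;         /* memory-mapped I/O  */
    if (addr < RAM_SIZE)                            /* RAM, maybe frozen  */
        return b->frozen[addr] ? b->freeze_val[addr] : b->ram[addr];
    return 0xFF;                                    /* unmapped: open bus */
}
/* A write to a frozen byte "succeeds", but what is read back never moves. */
void bus_write(bus_t *b, uint16_t addr, uint8_t val) {
    if (addr < RAM_SIZE && !b->frozen[addr]) b->ram[addr] = val;
}
void bus_freeze(bus_t *b, uint16_t addr, uint8_t val) {
    if (addr < RAM_SIZE) { b->frozen[addr] = true; b->freeze_val[addr] = val; }
}
/* OS-less is_button_pressed() (slide 19): read the port, test the bit. */
bool is_button_pressed(const bus_t *b, uint8_t mask) {
    return (bus_read(b, JOY_PORT) & mask) != 0;
}
bool a_pressed_with(uint8_t pad) {              /* inject a controller state */
    bus_t b; memset(&b, 0, sizeof b); b.joypad = pad;
    return is_button_pressed(&b, BTN_A);
}
/* A game's "lose a life" routine: load, decrement, store, all via the bus. */
uint8_t lose_life(bus_t *b, uint16_t counter) {
    bus_write(b, counter, (uint8_t)(bus_read(b, counter) - 1));
    return bus_read(b, counter);
}
/* Scenario: counter at $075A (the address slide 29 uses) starts at 3, the game takes one life. */
uint8_t lives_after_hit(bool freeze) {
    bus_t b; memset(&b, 0, sizeof b);
    bus_write(&b, 0x075A, 3);
    if (freeze) bus_freeze(&b, 0x075A, 3);
    return lose_life(&b, 0x075A);
}
```

With the freeze in place the game's own decrement still executes, yet the next read of $075A returns 3 again, which is exactly the "writes succeed, value never changes" behaviour the slide describes.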
  • 30. Where’s the infosec in that..? Hacking videogames is fun, but beating Super Mario will not land me a job…
  • 31. Where’s the infosec in that..?
  • 32. Where’s the infosec in that..?
  • 33. Where’s the infosec in that..?
    • Many embedded systems still use old processors
      • Legacy vertical systems
      • Industrial control systems
    • I/O interfaces will vary wildly
    • Embedded systems are specialized by design
    • Use the low pin count and the absence of hardware abstraction layers to your advantage
    • Use the hardware schematics (or trace the data flow in the hardware itself)
    • Have fun!
  • 34. Where’s the infosec in that..? Bus Pirate
    • US$30
    • Support for I2C, SPI, JTAG, KB, UART & more
    • Always check your voltage levels with a multimeter!
  • 35. Where’s the infosec in that..?
    • How to get modified code into the device?
      • Official firmware upload mechanisms may use signature checking, hashing or checksums
      • Most processors support booting from UART, SPI or other buses, or might support JTAG interfaces
      • Boot into a flash utility, load your custom ROM through an out-of-band channel and flash it
  • 36. Conclusion
    • Hacking games is fun
      • Code and data relationship in memory
      • Hardware is standard and well documented
      • Debuggers and emulators are your friends
    • Embedded systems
      • s/joystick/keypad/
      • s/cartridge/eeprom/
      • s/Super Mario Bros/Global Thermonuclear War/
      • Techniques will be the same, hardware will not
    • Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate
  • 37. Conclusion: crawl before you run
    • Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
    • Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey
  • 38. Conclusion