Hackers obtain PS3 private cryptography key due to epic programming fail? (update)

On viernes, 31 de diciembre de 2010 0 comentarios

The 27th annual Chaos Communication Conference already hacked encrypted GSM calls with a $15 cellphone, but there was a second surprise in store this morn -- the souls who unlocked the Nintendo Wii's homebrew potential (and defended it time and again) claim to have broken into the PlayStation 3 as well. Last we left the black monolith, Sony had won a round, forcing the community to downgrade their firmware for any hope at hacking into the console. Well, the newly formed fail0verflow hacking squad says that won't be a problem any longer, because they've found a way to get the PS3 to reveal its own private cryptography key -- the magic password that could let the community sign its very own code.

So far, the team hasn't provided any proof that the deed's been done, but they have provided quite an extensive explanation of how they managed the feat: apparently, Sony didn't bother generating any random numbers to secure the blasted thing. (We don't really know how it works, but we have it on good authority that dead cryptography professors are rapidly spinning in their graves.) The group intends to generate a proof-of-concept video tomorrow, and release the tools sometime next month, which they claim should eventually enable the installation of Linux on every PS3 ever sold. Catch the whole presentation after the break in video form, or skip to 33:00 for the good stuff.

Update: The proof-of-concept vid is a bit underwhelming -- fail0verflow had to SSH into a PS3 over ethernet -- but it's here nonetheless. See it after the break, and find the team's full set of presentation slides at our more coverage link. [Thanks, Paolo S.]

 

Read more ...»

Subidas las primeras "tools" publicadas para aprovechar el failoverflow

On 0 comentarios

Cuando se hizo público el video del team overflow sobre un nuevo método para meter linux en PS3 y obtener la posibilidad de firmado y cifrado de keys originales de Sony, hoy el team geohot a lanzado una aplicacion denominada dePKG que es un "firmware pakage decryter".





Unas aplicaciones que permiten desencriptar el firmware de ps3 usando linux, tal como nos mostraron en el video de ayer. No se sabe de donde la han conseguido pero, ya están publicadas las aplicaciones.La noticia original es la siguiente:

Geohot Releases dePKG - Firmware Package Decrypter


The famous Geohot resurfaced today, to release a useful app called dePKG. The app is very useful for devs that are planning to look into Sony's official firmware files. dePKG is a linux app that will decrypt PKG files (not to be confused with PSN PKG files) that are within PS3UPDAT.PUP files. This will allow devs to take a look at files such as CORE_OS_PACKAGE.pkg, from the convenience of their PC. Previously, the only way to take a look at these files was via graf_chokolo's method which utilized the PS3. Geohot's app is ready to be compiled and includes necessary decryption keys.

A continuación los links del paquete de aplicaciones necesarias:

ADVERTENCIA :ES SOLO PARA DESARROLLADORES


PUPXtractor_v0.3_by_Ac_K -----> MEGAUPLOAD - The leading online storage and file delivery service
depkg_win32_vtx ---------------> MEGAUPLOAD - The leading online storage and file delivery service
pastie-1419148 ----------------> MEGAUPLOAD - The leading online storage and file delivery service
depkg -------------------------> MEGAUPLOAD - The leading online storage and file delivery service

Parte de la metodologia


Extracting dev_flash and dev_flash3


extract and compile depkg.c (linux/osx/windows+cygwin):

gcc ./depkg.c -o depkg -lz -lssl

then extract PS3UPDAT.PUP with pup unpacker, find File_7.tar in extracted folder, untar it to new folder, you will get a lot of pkgs there and dev_flash files.

enter dir with extracted files, copy compiled depkg to it and run this bash script:

for i in `ls dev_flash*`; do ./depkg $i $i.tar ; tar -xvf ./$i.tar ; rm $i.tar; done

after it you will get content of dev_flash and dev_flash3 of firmware you choosed.
That was about it


La utilidad de estas herramientas son para poder extraer un archivo .self, que es el que trae la firma.Con esto se podría extraer,ponerle una firma original y luego volverlo a compilar.

SON APLICACIONES PARA EXTRAER EL ARCHIVO QUE LLEVA LA FIRMA DE SONY PARA LUEGO CAMBIÁRSELA Y VOLVER A COMPILAR EL ARCHIVO ORIGINAL YA FIRMADO POR "NOSOTROS". SON HERRAMIENTAS DIRIGIDAS A DESARROLLADORES DE SCENE.


Fuente: PS3sos.com
Read more ...»

FailOverFlow, la piratería a ps3 vuelve.

On 0 comentarios


Si hay una consola que ha superado todos los records de antipiratería, esta es la Playstation 3, si señor, aparte de que los juegos son caros, no se puede piratear. Todo sea por hacer el trabajo bien en las oficinas de Sony, claro está.
Pero no todo es un camino de rosas, y si no, pregúntenselo a alguien de Sony, que llevamos unos meses que no paran de salir noticias sobre Jailbreak, que si hace unos meses atras, Geohot estuvo manipulando también… Vamos, que todos los hackers parecían querer piratear la negrita de Sony.
Para colmo, ésto nos fue afectando a los usuarios, ya que excusando que era contra la piratería y cementar fallos de seguridad en el sistema de Ps3, Sony nos fue quitando prestaciones de nuestra consola, prestaciones por las cuales pagamos en su momento, ¿no?. Si, hablo del OtherOS, que fue el más criticado por los usuarios, y no es para menos, ya que muchos de nosotros teníamos alguna Distro de Linux en nuestras Ps3.
Luego salió lo del PSJailbreak, que por su culpa quitaron funciones en los puertos USB, quedando inhabilitados muchos periféricos que no eran marca Sony, vamos, que no fueran ni Dualshock ni Sixaxis… y eso tambíen cabreo a muchos usuarios que tenían mandos de Ardistel o headsets de Madcatz…
Pero ahora parece que la cosa es mas grave (para Sony, claro) que las antes mencionadas. En el día de hoy ha habido una conferencia de Hackers en el que se ha montado el revuelo. Ha sido el mismo equipo que en su momento creó el canal de homebrew para la Wii el que ha salido a la carga para anunciar que habían conseguido dar un paso muy importante en la liberación del sistema. Han conseguido una Key o clave privada de Sony, que sirve para autorizar el código que tiene que ejecutarse en los sistemas PS3. Para los que no entendáis lo que digo, cualquier persona con una ps3 y sin autorización puede tener total acceso al sistema de la consola.
Explicarán más detalles cuando cuelguen toda la información en internet e incluso lanzarán una demostración de cómo funciona el sistema que han ideado. Y según comentan, la intención no es la de ejecutar juegos piratas en la consola, sino la de habilitar otra vez el OtherOs, sea cual sea el Firmware que esté instalado en la consola.
Según parece, al exploit le han modificado el nombre por el de Failoverflow y tambien han comentado que dentro de mas o menos 1 mes, liberaran toda la informacion al público.
Dicho todo esto, solo nos queda esperar a que esta gente cuelgue el vídeo en cuestión para verificar que están en lo cierto, o es solo un mero intento por conseguir lo que nadie de momento ha conseguido, piratear a la consola más impenetrable que hay en estos momentos.
Read more ...»

PS3 - FailOverflow - Exploit de firmado - Actualización

On 0 comentarios


Asi es señores, ¡se ha desvelado el misterio de la Hacker Conference! Al parecer se trata de un nuevo exploit que les ha permitido obtener la tan ansiada masterkey (si, habeis leido bien, masterkey). Segun palabras textuales de uno de los conferenciantes:
"With Private Keys you can SIGN THINGS"
Al parecer, gracias a este grandísimo avance, podrían firmar todo tipo de contenido para poder ejecutarlo en cualquier PS3.
Han llamado este exploit FailOverflow y según han comentado, mañana lanzarán un vídeo con una demostración "práctica" en vivo con una PS3. También han comentado que dentro de más o menos 1 mes, liberarán toda la información al público.
Ya se ha hecho la demostración, a continuación os dejamos con el vídeo, cortesía de PSGroove
 
Read more ...»

Sony's PS3 Security is Epic Fail - Videos Within

On 0 comentarios

This morning was the big unveil at the Chaos Communication Congress in Berlin, and it did not disappoint. Here is a brief synopsis for those that missed it.



The first few minutes of the conference were spent explaining the state of security on other consoles (Wii, 360, etc). Following this, the group went on to explain the current state of affairs on the PS3. First, explaining Geohot's memory line glitching exploit from earlier this year. The team then went on to explain the current PS3 security bypasses, such as jailbreaking and service mode/downgrading.

Approximately a half hour in, the team revealed their new PS3 secrets, the moment we all were waiting for. One of the major highlights here was, dongle-less jailbreaking by overwriting the bootup NOR flash, giving complete control over the system. The other major feat, was calculating the public private keys (due to botched security), giving users the ability to sign their own SELFs Following this, the team declared Sony's security to be EPIC FAIL!

The recent advent of these new exploits means current firmware is vulnerable, v3.55 and possibly beyond. It will be very difficult for Sony to fix the described exploits.

The team then displayed the website http://fail0verflow.com/, where we assume they will host examples of the new exploits and further details. They stated, that easy to use tools would be coming next month.

Stay tuned to this article and PSGroove.com we will be updating it as more info is availble. Also for those that missed the stream we will be posting links for you to download the entire stream.


Download Presentation Slides: 1780_27c3_console_hacking_2010.rar (1.43 MB)
Read more ...»

PS3 Epic Fail: revelados los nuevos exploits

On 0 comentarios

La esperada conferencia sobre la seguridad de PS3 acaba de concluir, y las revelaciones han superado las expectativas. Todavía no conocemos los detalles, pero Marcan y su equipo de hackers han revelado dos importantes vulnerabilidades: jailbreak sin necesidad de dispositivo USB y firmado de ejecutables.

Sin duda después de estos hacks volverá a haber un antes y un después en la scene de PS3, como lo hubo en Wii tras el bug trucha. Y por supuesto, afecta a todos los firmwares actuales (incluido v3.55). Tenéis más información en PSGroove y el hilo oficial de la conferencia.
Read more ...»

Alemania: hackers aseguraron haber decodificado el PlayStation 3

On 0 comentarios


Alemania: hackers aseguraron haber decodificado el PlayStation 3


La noticia se difundió en la reunión anual de tecnología en Berlín, donde participaron más de 3.000 personas para también hablar del caso Wikileaks
Imagen
(pe.playstation.com)
Berlín (EFE). El grupo de “hackers” denominados “failOverflow” afirma que descodificó la consola PlayStation 3 de Sony, según informaciones difundidas al término de la reunión anual del Chaos Computer Club (CCC), en Berlín.
Los piratas informáticos habrían logrado descifrar prácticamente todos los códigos de seguridad de las consolas domésticas, lo que permitiría el acceso a gran parte de su sistema.
La noticia fue difundida por “failOverflow” y rápidamente reproducida por otros miembros del CCC, la mayor asociación de “hackers” de Europa, que celebraron esta semana su reunión anual en Berlín.
El congreso de los “hackers” se abrió bajo la proclama de “venimos en son de paz” y el acceso estaba restringido a miembros previamente acreditados.
Se trataba de su vigésimo sexto congreso anual, con más de 3.000 participantes y la parte central de los debates estuvo enmarcada en el fenómeno Wikileaks y la figura de su fundador, Julian Assange.
Entre los “logros” expuestos en estos días de congreso, se presentaron las tesis de dos informáticos de la Universidad Técnica de Berlín, según los cuales la mayoría de los teléfonos móviles de las grandes marcas pueden ser bloqueados con un mensaje de texto.
Un simple mensaje de teléfono puede dejar inutilizados, momentánea o definitivamente, aparatos de las principales marcas, como Nokia, SonyEricsson o Samsung.
Read more ...»

GameGuard related

On miércoles, 29 de diciembre de 2010 0 comentarios

-=[ GameGuard related ]=-

npgg_runtime.rar - - Allows for running GameGuard/GameMon without a game client.

nProtectDec.rar - - decodes and output strings from nProtect binaries.

rebootme.rar - - some simple code, instantly reboots system if GameGuard is running.

rev_1467.txt - - GameMon: Revision 1467 - decrypted strings
save_wmimmc.rar - - some driver code to prevent deletion of dump_wmimmc.sys
Read more ...»

Rohan Gameguard bypass

On 0 comentarios

Read more ...»

[Share/Tutorial] TRose.exe v149 without gameguard

On 0 comentarios

Hi again, seems like new clients appears more offen than i visit the toilet these days.
So i'll write a complete guide and share my latest TRose.exe v149 without gameguard.

I thought i'd do a better release this time around, last time was a real patchjob.
Firstly, what you need todo this time, is to remove gameguard from ever loading.
For you who know programming, you use CreateProcessA to make a new application appear from your own application. This is also possible in Delphi with ShellExecute or the normal WinAPI Run.

Which case, what we want todo this time around is to make gameguard not to load.
And then remove the check which will check if gameguard has been loaded.
Because normally, if gameguard has not been loaded, TRose.exe will close.

Removing gameguard.des from loading:

You want to find this line:
  1. .text:0058F90E                 test    eax, eax        ; Logical Compare
  2. .text:0058F910                 jle     short loc_58F93C ; Jump if Less or Equal
  3. .text:0058F912                 mov     edi, [esp+30h+Buffer]
  4. .text:0058F916                 mov     [esp+30h+var_14], eax
  5.  

and change it to
  1. .text:0058F90E                 test    eax, eax        ; Logical Compare
  2. .text:0058F910                 jge     short loc_58F93C ; Jump if Greater or Equal
  3. .text:0058F912                 mov     edi, [esp+30h+Buffer]
  4. .text:0058F916                 mov     [esp+30h+var_14], eax
  5.  


Why, am i doing this?

Because at the address 0058F93C the coding for launching gameguard.des exists.
We do not want that to load. The value being compared, is always less than the the compare value.
Hence it will jump when the value is less or equal than the eax-value.
AHA! So that means if we change it to jump if greater or equal, the jump will never take place right?
Thats totaly correct. The value will never be greater than the value compared, and when we change jle to jge, the jump will never be made. Cool huh?
This is how the CreateProcessA code-section looks like:

  1. .text:0058F93C loc_58F93C:                             ; CODE XREF: sub_58EDC0+B50 j
  2. .text:0058F93C                 lea     ecx, [esp+30h+CommandLine] ; Load Effective Address
  3. .text:0058F943                 mov     byte ptr [esi], 0
  4. .text:0058F946                 push    ecx             ; int
  5. .text:0058F947                 push    offset dword_6BE460 ; int
  6. .text:0058F94C                 push    ebp             ; NumberOfBytesWritten
  7. .text:0058F94D                 call    sub_5907D0      ; Call Procedure
  8. .text:0058F952                 add     esp, 0Ch        ; Add
  9. .text:0058F955                 lea     edx, [esp+30h+hThread] ; Load Effective Address
  10. .text:0058F959                 lea     eax, [esp+30h+StartupInfo] ; Load Effective Address
  11. .text:0058F95D                 lea     ecx, [esp+30h+CommandLine] ; Load Effective Address
  12. .text:0058F964                 push    edx             ; lpProcessInformation
  13. .text:0058F965                 push    eax             ; lpStartupInfo
  14. .text:0058F966                 push    0               ; lpCurrentDirectory
  15. .text:0058F968                 push    0               ; lpEnvironment
  16. .text:0058F96A                 push    0               ; dwCreationFlags
  17. .text:0058F96C                 push    1               ; bInheritHandles
  18. .text:0058F96E                 push    0               ; lpThreadAttributes
  19. .text:0058F970                 push    0               ; lpProcessAttributes
  20. .text:0058F972                 lea     edx, [esp+50h+Filename] ; Load Effective Address
  21. .text:0058F979                 push    ecx             ; lpCommandLine
  22. .text:0058F97A                 push    edx             ; lpApplicationName
  23. .text:0058F97B                 call    ds:CreateProcessA ; Indirect Call Near Procedure
  24. .text:0058F981                 test    eax, eax        ; Logical Compare
  25. .text:0058F983                 jnz     short loc_58F9C5 ; Jump if Not Zero (ZF=0)
  26. .text:0058F985                 lea     eax, [esp+30h+String] ; Load Effective Address
  27. .text:0058F98C                 push    eax             ; int
  28. .text:0058F98D                 call    ds:GetLastError ; Indirect Call Near Procedure
  29. .text:0058F993                 lea     ecx, [esp+34h+Filename] ; Load Effective Address
  30. .text:0058F99A                 push    eax             ; int
  31. .text:0058F99B                 push    ecx             ; int
  32. .text:0058F99C                 push    offset dword_6BE438
  33. .text:0058F9A1                 call    sub_596250      ; Call Procedure
  34. .text:0058F9A6                 add     esp, 4          ; Add
  35. .text:0058F9A9                 push    eax             ; int
  36. .text:0058F9AA                 push    ebp             ; NumberOfBytesWritten
  37. .text:0058F9AB                 call    sub_5907D0      ; Call Procedure
  38. .text:0058F9B0                 add     esp, 14h        ; Add
  39. .text:0058F9B3                 mov     eax, 0AAh
  40. .text:0058F9B8                 pop     edi
  41. .text:0058F9B9                 pop     esi
  42. .text:0058F9BA                 pop     ebp
  43. .text:0058F9BB                 pop     ebx
  44. .text:0058F9BC                 add     esp, 10B4h      ; Add
  45. .text:0058F9C2                 retn    4               ; int
  46.  


Removing the gameguard.des check:

You want to find this line:
  1. .text:005331D9                 cmp     ds:dword_6D4CDC, 1 ; Compare Two Operands
  2. .text:005331E0                 jnz     short loc_5331E7 ; Jump if Not Zero
  3. .text:005331E2                 call    sub_539B48      ; Call Procedure
  4. .text:0053320C
  5. .text:0053320C loc_53320C:                             ; CODE XREF: .text:00533205 j
  6. .text:0053320C                 push    dword ptr [esp+4]
  7. .text:00533210                 call    sub_5399A7      ; Call Procedure
  8. .text:00533215                 push    0FFh
  9. .text:0053321A                 call    sub_535605      ; Call Procedure
  10.  

and change it to
  1. .text:005331D9                 cmp     ds:dword_6D4CDC, 1 ; Compare Two Operands
  2. .text:00533205                 jz     short loc_53320C ; Jump if Zero
  3. .text:005331E2                 call    sub_539B48      ; Call Procedure
  4. .text:0053320C
  5. .text:0053320C loc_53320C:                             ; CODE XREF: .text:00533205 j
  6. .text:0053320C                 push    dword ptr [esp+4]
  7. .text:00533210                 call    sub_5399A7      ; Call Procedure
  8. .text:00533215                 push    0FFh
  9. .text:0053321A                 call    sub_535605      ; Call Procedure
  10.  


Why, am i doing this?
Well simply put. At call sub_535605 it jumps to ExitProcess. We do not want the process to Exit.
Hence we change the code never to get to the place where the call is made.
Meaning this place:
  1. .text:005331D9                 cmp     ds:dword_6D4CDC, 1 ; Compare Two Operands
  2. text:00533205                 jnz     short loc_53320C ; Jump if Not Zero


If it turns out that the compare equals 1 it will jump and exit the process.
We just change the jnz to jz because we know, it always will be 1.
And when Jump Zero never gets a 0 compare value, the jump never will be made.

You could of course also change the cmp ds:dword_6D4CDC, 1 ; to cmp ds:dword_6D4CDC, 0 ;
I just changed the actual jump because, that's what i felt like :P

Removing the check for which controls if gameguard.des exists

We'll probably have to remove the check, which controls if gameguard.dex exists right?
Along with all those other weird checks which will appear when something is wrong with gameguard.

Find: jz short loc_52F507
  1. .text:0052F4E7                 cmp     edx, ds:dword_67CEE8 ; Compare Two Operands
  2. .text:0052F4ED                 jz      short loc_52F507 ; Jump if Zero
  3. .text:0052F4EF                 mov     [ebx+4], esi
  4. .text:0052F4F2                 mov     eax, esi
  5.  

replace with:
  1. .text:0052F4E7                 cmp     edx, ds:dword_67CEE8 ; Compare Two Operands
  2. .text:0052F4ED                 jnz      short loc_52F507 ; Jump if Not Zero
  3. .text:0052F4EF                 mov     [ebx+4], esi
  4. .text:0052F4F2                 mov     eax, esi
  5.  


Here you once again just change the jump offset never to take place.
dword_67CEE8 holds the value 755h(Something you recognize perhaps?)
Yes thats the Gameguard Is Valid number. Edx in the compare function does in this case hold 262
which is the not valid number in Gameguard. Meaning, in this case edx since we do not have gameguard, edx will get loaded with 262. And when it does a compare with 755 it will notice they are not the same and flag us with diffrent warning messages. Since the value is not the same, the result will be 0, and JZ (Jump if Zero) will take place. We simply change the Jump to jump if not zero
meaning the jump will never take place since it will always be Zero.

You could use JE(Jump Equal) but the result will be the same.
You could also change cmp edx, ds:dword_67CEE8
to cmp edx, 262h instead. Because then, it would also make sure the jump is never taken.

But, how do i change?
Either you use OllyDBG, or a hex editor.
Im quite sure some of you will have no clue still what im talking about.
It will require some minior hexing knowledge.
And if you use Ollydbg you can simple use the Menu alternative: Assemble
to rewrite the new function.

And from Olly save the changes directly.


Enjoy!

Nevyn
Read more ...»

Video Tutorial - Memory Pattern Scanning

On lunes, 27 de diciembre de 2010 0 comentarios

by P47R!CK

This is my video tutorial on scanning memory patterns to find addresses in memory that change during recompilation.
Click here for the tutorial!
The pattern scanning function:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask )
            return false;
    return (*szMask) == NULL;
}
 
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen, BYTE *bMask, char * szMask) {
    for(DWORD i=0;i
        if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);
    return NULL;
}
SigMaker 0.3 by P47R!CK
Enjoy.
Read more ...»

Video Tutorial - Function Hooking

On 0 comentarios

This is my video tutorial on function hooking.
Click here for the tutorial!
The hooking function:
1
2
3
4
5
6
7
8
void WriteJMP(byte* location, byte* newFunction)
{
DWORD dwOldProtection;
VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, dwOldProtection);
location[0] = 0xE9;
 *((dword*)(location + 1)) = (dword)(newFunction - location) - 5;
VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}
Complete Source:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include
 
typedef unsigned char byte;
typedef unsigned short word;
typedef unsigned int dword;
 
byte countSwitch = 0;
 
DWORD UpdateTimeCall = 0x01001D6C; //This call calls the UpdateTime function
DWORD UpdateTimeRetn = 0x01001D71; //This is the place where we will return     0x01001D6C + 0x05
DWORD UpdateTimeFunc = 0x01002FE0; //This is the updateTime function
 
void WriteJMP(byte* location, byte* newFunction){
    DWORD dwOldProtection;
    VirtualProtect(location, 5, PAGE_EXECUTE_READWRITE, &dwOldProtection);
        location[0] = 0xE9;
        *((dword*)(location + 1)) = (dword)(newFunction - location) - 5;
    VirtualProtect(location, 5, dwOldProtection, &dwOldProtection);
}
 
void _declspec(naked) hTimeFunc(){
 
    if(countSwitch == 0)
    {
        countSwitch = 1;
 
        _asm
        {
            JMP UpdateTimeRetn
        }
    }
    else
    {
        countSwitch = 0;
 
        _asm
        {
            CALL UpdateTimeFunc
            JMP UpdateTimeRetn
        }
 
    }
 
}
 
void initHooks(){
    WriteJMP((byte*)UpdateTimeCall,(byte*)hTimeFunc); //Writes a jump from the original call to our custom function
 
}
 
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        initHooks();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
Enjoy.
Read more ...»

Video Tutorial - Structures in Memory

On 0 comentarios

by Patrickssj6
 
This is my video tutorial on structures in memory. We are going to focus on player structures which can be found in many commercial games and how to reverse them

Click here for the tutorial!
Click here for the program and source code!
Enjoy.
Read more ...»

Lightweight Detours

On 0 comentarios

Lightweight Detours

While working on my toolkit library I did some work on detours and I think I made something interesting.

I made 2 'code patching' hook classes. One is a good old detour to hook functions. The other is far more interesting, it basically allows you to 'wiretap' any function any where in its body.

A quick review:
PHP Code:
#ifndef _TOOLKIT_DETOURS_HGUARD
#define _TOOLKIT_DETOURS_HGUARD

// ----------------------------------------------------------------
// Toolkit: Detours
// ----------------------------------------------------------------
// Classes to allow easy modifying of the target code in order to hook functions.
namespace toolkit {


    
// ------------------------------------------------
    // Class: Detour
    // ------------------------------------------------
    // Detours a function using the standard [jmp xxxx] method.
    
class Detour
    
{
    public:
        
Detourvoidfuncvoidhookuint bytes );
        ~
Detour();

        
void Unhook();
        
void Rehook();

        
// Call the original function ( without unhooking )
        
templatetypename Fn >
        
inline Fn Orig() { return reinterpret_cast<Fn>( _stub ); }

    private:
        
void*    _func;
        
void*    _hook;
        
void*    _stub;
        
uint    _bytes;
        
bool    _hooked;
    };



    
    
// ----------------------------------------------------------------
    // Class: Wiretap
    // ----------------------------------------------------------------
    // Run your hook code in the middle of a function.
    // It'll continue execution after your hook returns.
    //
    // The function will get redirected to a small stub which does this:
    //
    
class Wiretap
    
{
    public:
        
// Stores the result of a pushad instruction
        
struct context32_t
        
{
            
types::dword ediesiebpespebxedxecxeax;
            
// Get the arguments (as a struct) of a function with a stack frame
            
templatetypename T inline Targs() { return reinterpret_cast<T*>( ebp 0x8 ); }
            
// Get the return address
            
inline void*& retaddr() { return *reinterpret_cast<void**>( ebp 0x4 ); }
        };
        
typedef context32_t context_t;

        
// Access the function arguments manually trough esp or ebp.
        // Modifying this context will modify the ACTUAL registers when the function continues.
        
typedef void (__stdcall *HookFn)( context_tctx );
        
typedef void (__cdecl *HookFn2)( context_tctx );

        
WiretapvoidplaceHookFn hookuint bytes );
        
WiretapvoidplaceHookFn2 hookuint bytes );
        ~
Wiretap();

        
void Unhook();
        
void Rehook();


    private:
        
void*    _place;
        
void*    _stub;
        
uint    _bytes;
        
bool    _hooked;
    };

    
};
#endif // !_TOOLKIT_DETOURS_HGUARD 

















































 
The Wiretap stub looks like this, the context32_t struct basically mimics the structure of stack after a pushad
Code:
stub:
 pushad
 push esp
 call hook
 ;add esp, 0x4 ; When constructor is called where the hook has a __cdecl calling convention
 popad
 [ Overwritten bytes go here ]
 jmp continue


Comparison of my implementation of Detour and Wiretap:

Advantages of Detour:
  • Can hook any function and prevent it from running
  • Easily read and modify the stack arguments
Disadvantages of Detour:
  • Cannot hook in the middle of a function
  • Easy to detect if a function has been hooked (just check the first few bytes for a jmp or other known codes)
  • Can be annoying to read arguments passed via registers

Advantages of Wiretap:
  • Can hook in any function anywhere in its body
  • Easily read and modify the registers
  • Harder to detect (both will fail a checksum though)
Disadvantages of Wiretap:
  • Cannot prevent the original function from running
  • Reading and modifying arguments passed via the stack is more cumbersome, especially if the function doesn't have a stack frame (using ebp)



Example usage:

PHP Code:
    // ----------------------------------------------------------------
    // Testing Detours
    // ----------------------------------------------------------------
    

    // This function will be hooked with Detour
    
__declspec(noinline)
    
int Magicint x )
    {
        return 
x;
    }
    
// This function will be hooked with Wiretap
    
__declspec(noinline)
    
int Magic2int aint bint c )
    {
        return 
5;
    }


    
int __cdecl Hooked_Magicint x )
    {
        return -
x;
    }
    
typedef int (__cdeclMagicFn)( int );

    
void Wiretap_Magic2Wiretap::context_tctx )
    {
        
struct args_t
        
{
            
int a;
            
int b;
            
int c;
        };
        
args_tpArgs ctx->args<args_t>();
        
pArgs->+= 1;
        
pArgs->+= 2;
        
pArgs->+= 3;
    }

    
bool TestDetours()
    {
#ifdef NDEBUG
        // Does not work in Debug mode because the compiler adds an indirection to function calls. (Possible to allow edit&continue).
        // The operator& doesn't get the correct pointer.
        
Detour hook( &Magic, &Hooked_Magic);
        
Wiretap hook2make_ptr<void*>( (void*)&Magic20x3 ), &Wiretap_Magic2);

        
// Call them
        
if ( Magic) != -) return false;
        if ( 
hook.Orig<MagicFn>()( ) != ) return false;

        if ( 
Magic211) != ) return false; #endif // NDEBUG

        
return true;
    } 


























I apologize for the dependencies, It's just how I've organized my toolkit library.
The memory.h is something I quickly slapped together for pooling read/write/exec memory. I also experimented with generating stub functions using templates (but dropped it in favor of VirtualAlloc).

Atm it's pretty much Windows x86 only (because that's all I need atm). Get me the opcodes for x64 and I'll make it work for x64 (although I can't test it due to running Vista x86).



http://www.ziddu.com/download/13158196/detours.zip.html
Attached Files
Read more ...»

Punkbuster "Unknown API" Kick Bypass

On 0 comentarios

Punkbuster "Unknown API" Kick Bypass

Use this as you will, it's simply a proof of conept PB still sux IMO.

I see a lot of people having issues and here's something to get you started.

Basically I was doing some Breakpointing in PB and stumbled upon this lovely buffer outside the code area of pbcl. It seems they are still only using pbcl to do certain things and the service APPEARS to scan simply d3d and the game itself.

For those of you wanting to get rid of teh PB kick "Unknown API" here's the code how.

Simply setup a global buffer:

Code:
char    *Strings;
Setup the function Hook itself:
Code:
void ( *orig_API_Scanner )( );
void __declspec( naked ) API_Scanner( )
{
    _asm
    {
        //Grab Strings From The Stack
        mov Strings, eax

        //Preserve the stack
        pushad
    }

    Log( "API String: [ %s ]", Strings );

    _asm
    {
        //Preserve the stack
        popad

        //Push the strings back to PB now we've edited
        mov eax, Strings

        //Return the original :)
        jmp [ orig_API_Scanner ]
    }
}



You will need to hook inside pbcl.dll itself, so do it via a hwbp to avoid detection. As far as i'm aware PBCL DOESN'T scan outside it's own code area but that could change anytime So don't blame me if you get busted!

Hook with my fantastic pattern i've made you below ( Yes this works with ALL pb games tested to date )

Code:
DWORD dwApiScan  = FindPattern( ( DWORD )GetModuleHandle( "pbcl.dll" ), 0xFFFFFFF, ( BYTE* )"\x6A\x00\x50\x50\x33\xF1\xFF\x55\xC8\x59\x40\x50\xFF\x75\x08", "xxxxxxxxxxxxxxx" );

orig_API_Scanner = (void (__cdecl *)(void))DetourFunction((PBYTE)dwApiScan, (PBYTE)API_Scanner );
Now go ingame and log. Make sure there are no hooks but this one, it's very important as your need to log clean untouched values!! It may take several minutes before any log appears, this is normal. Once loged your see all the api's with original / clean MD5's. save this log file. below i'll give you an example of bypassing the scan itself.

Code:
void ( *orig_API_Scanner )( );
void __declspec( naked ) API_Scanner( )
{
    _asm
    {
        //Grab Strings From The Stack
        mov Strings, eax

        //Preserve the stack
        pushad
    }

    //Bypass Direct3DCreate9 Hook
    if( strstr( Strings, "Bmd Direct3DCreate9 5" ) )
    {
        strcpy( Strings, "Bmd Direct3DCreate9 5 c9c9c9c9c9 8bff558bec81ec08010000a120c2f54f" );
    }

    _asm
    {
        //Preserve the stack
        popad

        //Push the strings back to PB now we've edited
        mov eax, Strings

        //Return the original :)
        jmp [ orig_API_Scanner ]
    }
}





Simple eh? Only check a little of the wording then give the cleanly logged string in return. Now you can hook that API and PB will pass you as clear . Each game differs in the MD5 value it checks for, so you will need to log each game seperately to bypass.

The main issue you might get is withe the size of the module in the pattern. I use a function I didn't post which returns the size of the module as they do vary. Either just change the size in the pattern of the module, or put a stupidly high search size like 0xFFFFFFFF.

Also the asm shouldn't matter as it's a naked hook with no stack code unless you do a HWWBP then you will need to add a single line to the asm. And also you could always add more to the pattern to guarentee the right one everytime.

Another thing is to also go to the offset and set some breakpoints on some other areas around it, you might find some other usefull things there
Read more ...»

Punkbuster Hardware Viewer

On 0 comentarios

Punkbuster Hardware Viewer

/*
Just a Simple Program written to load the pb driver externally (Got Debug?)
- PizzaPan / Game-Deception! (www.gamedeception.net)

Credits: Tetsuo, RunningBon, panzer, Xen, h1web, Sparten, Kosire, Google!
*/

/*

Remember These Simple Rules of Coding to Make the Source Code Work!
1.) Remember to rename any voids, and remove any traces of _asm!
2.) static const char *[1000] Couch = { (Couch = leet) }; YEAH BOI!
3.) No on one's own account releases of hacks released by eliteCoders!
4.) Use lots of 0xglDisable!

*/

For lack of a better Title, i called this Hardware Viewer, really all it does is load the driver standalone, and decrypt the result, showing your hardware hash's
i use this method to debug the driver, as its a lot easier.

It includes 2 Examples, BF2 and AAO (a v7, and a v71 Game)

MAKE SURE YOU FOLLOW DIRECTIONS

1.) CLICK LOAD DRIVER
2.) VIEW YOUR HARDWARE HASH'S
3.) CLOSE MESSAGE BOX
4.) CLICK UNLOAD DRIVER
5.) CLOSE THE PROGRAM

If you dont, expect a bsod.
Attached Files
Read more ...»

Punkbuster Debugger Detection Bypass

On 0 comentarios

Punkbuster Debugger Detection Bypass

/*
Anti-PB Plugin (Fixes ZwQueryObject Detection)

Credits:
CDetour: Tetsuo/LanceVorgin (also check CDetour.cpp)
Bits & Bats: RunningBon/panzer/Xen/Sparten/Kosire
Volcano Master: h1web
EngRish Lessons: Pansemuckl!


Remember These Simple Rules of Coding to Make the Source Code Work!
1.) Remember to rename any voids, and remove any traces of _asm!
2.) static const char *[1000] Couch = { (Couch = leet) }; YEAH BOI!
3.) No on one's own account releases of hacks released by eliteCoders!
4.) Use lots of 0xglDisable!!

*/


This is something i wrote up a while ago (Detect.zip) it is based from a unseen at the time debugger detection from Punkbuster, a lot of people at netcoders were wondering why their games crashed while debuggin, upon futher investigation by my self, it turned out to be a debugger check.

My friend Peter[Pan] later posted the info at a Reverse Engineering Board (www.exetools.com/forum) and thus we had a technical explination.

Quote Originally Posted by Opc0de
When you create/attach a program inside the debugger, the debug api will call a native function called "NtCreateDebugObject" that will create a DebugObject and set the EPROCESS->DebugPort = DebugObject.
Anyways its found in some games, i saw it in COD 1, ET, AAO and it seems to work best on WinXP Based OS'S, patching it was easy enough but this becomes boring to patch everytime manually, so i wrote a quick plugin to inject, which can easily fix using CDetour by Tetsuo & LanceVorgin.

Attached is Detect.zip (Standalone Detection) & Anti-PB.zip (DLL to be Injected to Fix the Detection)

-PizzaPan
Attached Files
Read more ...»

IDA plugin to grab encrypted debug strings.

On 0 comentarios

A plugin to grab encrypted debug strings.

Made tonight, cost me a bottle of coca'cola ^^ i hope u'll enjoy it.
Not really spent a lot of time to clean the code so :/ sorry ?
the plw is in attachment here : dcp.rar
Code:
/*
    IDA plugin for PnkBstr

    Copyright 2010 (ThiSpawn on gamedeception.com) - All Rights Reserved

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see .
*/

#include 

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#include 

#define MAX_FUNC_SIZE 0xFFFF

char g_func_buf[MAX_FUNC_SIZE + 1];
char g_masks[19];
bool g_fixed = 0;
bool g_errors = 0;

//----------------------------------------------
//  FUNCTION : get_crefs
//  fill vector with cref_to addresses
//----------------------------------------------
bool get_crefs(std::vector& vea, ea_t ea)
{
 xrefblk_t xb;
 func_t *last;

 if (!xb.first_to(ea, XREF_ALL))
 {
  msg("no ref\n");
  return false;
 }
 if (get_func(xb.from)){
  vea.push_back(xb.from);
  last = get_func(xb.from);
 }
 else
 {
  msg("please fix sub at ea : %08X\n", xb.from);
  g_errors = 1;
 }
 while (xb.next_to()) {
  if (get_func(xb.from) && last != get_func(xb.from))
  {
   vea.push_back(xb.from);
   last = get_func(xb.from);
  }
  else if (!get_func(xb.from))
  {
   msg("please fix sub at ea : %08X\n", xb.from);
   g_errors = 1;
  }
 }

 return true;
}

FILE* ask_out_file()
{
    char* filename;
    FILE* file;
    filename = askfile_c(1, "*.txt", "Enter the name of the out file:");
    file = qfopen(filename, "w");
    if ( !file ) {
        warning("Could not open %s for writing!\n", filename);
    } else {
        msg("Using: %s\n", filename);
    }
    return file;
}

char g_decrypted[0x100];

char* decrypt(func_t *func)
{
 func_tail_iterator_t tail_iter(func);
 asize_t size = 0;
 ea_t ea, max_ea;
 char *pcur = g_func_buf;
 bool first_done1 = false;
 bool first_done2 = false;
 uval_t buf_adr;
 uval_t msk_adr;
 char *p_center_mask = &g_masks[10];

 do
 {
  size += tail_iter.chunk().size();
 } while (tail_iter.next());
 
 if (size > MAX_FUNC_SIZE)
 {
  msg("function too long\n");
  return g_decrypted;
 }

 tail_iter.main();
 do
 {
  ea = tail_iter.chunk().startEA;
  max_ea = tail_iter.chunk().endEA;
  while (ea < max_ea)
  {
   decode_insn(ea);
   asize_t cmd_size = cmd.size;
   get_many_bytes(ea, pcur, cmd_size);
   // leave func if other things than string decryption
   if ((cmd.itype != NN_push) &&
    (cmd.itype != NN_pop) &&
    (cmd.itype != NN_leave) &&
    (cmd.itype != NN_retn) &&
    (cmd.itype != NN_mov) &&
    (cmd.itype != NN_xor))
   {
    msg("sub complex at ea : %08X\n", func->startEA);
    return g_decrypted;
   }
   //-------------------------------
   // to replace buf adresses ------
   if ((cmd.itype == NN_mov) && (cmd.Operands[0].type == o_mem))
   {
    uval_t val = cmd.Operands[0].addr;
    //msg("ea:%08X type:%d\n", ea, cmd.Operands[0].type);
    if (!first_done1)
    {
     first_done1 = true;
     buf_adr = val;
     //msg("haaaaaa : %08x\n", buf_adr);
    }
    *(DWORD*)(pcur + cmd.Operands[0].offb) = (DWORD)((uval_t)g_decrypted + val - buf_adr);
   }
   //-----------------------------
   // to replace used values ------
   if ((cmd.itype == NN_mov) && (cmd.Operands[0].type == o_reg) && (cmd.Operands[1].type == o_mem))
   {
    uval_t val = cmd.Operands[1].addr;
    //msg("ea:%08X offb:%d\n", ea, cmd.Operands[1].offb);
    if (!first_done2)
    {
     first_done2 = true;
     msk_adr = val;
     //msg("hoooooo : %08x\n", msk_adr);
    }
    *(DWORD*)(pcur + cmd.Operands[1].offb) = (DWORD)(p_center_mask + val - msk_adr);
    *(char*)(p_center_mask + val - msk_adr) = get_byte(val);
   }
   //----------------------------
   ea += cmd_size;
   pcur += cmd_size;
  }
 } while (tail_iter.next());

 //it's time to execute it
 DWORD pfaddr = (DWORD)g_func_buf ;
 ((char* (__cdecl*)())pfaddr)();
 //msg("%s\n", g_decrypted);
 if (g_fixed)
  add_long_cmt(func->startEA, 0, "%s", g_decrypted);

 return g_decrypted;
}

void decrypt_all() // modify addr of the masks base
{
 std::vector callers;
 std::vector::iterator it;
 ea_t ea;
 
 if (askbuttons_c(NULL,NULL,"format",0,"Have you selected the first byte mask for decryption ?\n If NOT please clic \"no\" then find a decrypt function\n then jump to one of the bytes used as masks.\nFinally select the first one. I coded the plugin to use refs on the five firsts.") < 1)
  return;

 FILE *out_file = ask_out_file();
 if (!out_file)
  return;

 DWORD base = get_screen_ea();

 for (int i = 0; i < 5; i++)
 {
  qfprintf(out_file, "mask %d :\n", i + 1);
  msg("mask %d :\n", i + 1);
  get_crefs(callers, base + i);
  for (it = callers.begin(); it < callers.end(); it++)
  {
   ea = *it;
   func_t *func = get_func(ea);
   qfprintf(out_file, "%08X : %s\n", func->startEA, decrypt(func));
  }
  callers.clear();
 }
}

//----------------------------------------------
//  PLUG-IN FUNCTIONS
//----------------------------------------------

int IDAP_init()
{
 if (inf.filetype != f_PE)
  return PLUGIN_SKIP;

 return PLUGIN_KEEP;
}

void IDAP_term()
{
 // nothing to clear
}

void IDAP_run(int arg)
{ 
 //func_t *func = get_func(get_screen_ea());
 //decrypt(func);
 info("comments will be added to function during analysis if\n you've done a prior analysis WITHOUT ANY MORE fix to do !!!");
 g_errors = 0;
 decrypt_all();
 if (!g_errors)
  g_fixed = 1;
}

char IDAP_comment[] = "PnkBstr hidden string DeCrypter";
char IDAP_help[] = "";
char IDAP_name[] = "PB DeCrypter";
char IDAP_hotkey[] = "Alt-W";

plugin_t PLUGIN =
{
 IDP_INTERFACE_VERSION, 
 0,
 IDAP_init,
 IDAP_term,
 IDAP_run,
 IDAP_comment,
 IDAP_help,
 IDAP_name,
 IDAP_hotkey
};

//----------------------------------------------

Read more ...»