SlideShare a Scribd company logo

Don't Give Credit: Hacking Arcade Machines

Michael Scovetta, profile picture
Michael Scovetta

The document discusses hacking arcade machines by exploiting vulnerabilities in how game profiles are loaded and signed from USB drives. Specifically, it finds that the game In The Groove 2 does not properly check if profile data is from an arcade machine or personal computer, allowing injected Lua code. It then details how to sign a rogue profile with the private keys, which are shared between arcade machines, and use it to run arbitrary code covertly by inserting a malicious USB drive.

Entertainment & HumorTechnology
Related topics:
Information Security
1 of 60
Downloaded 27 times
1
2
3
4
5
6
7
8
9
Most read
10
Most read
11
12
13
14
15
16
17
Most read
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Don't Give Credit: Hacking Arcade Machines
Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games.
Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am
Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am Whom I'd like to be.
Attacking Arcade Machines ● Why attack arcade machines? ● Fun and free plays. ● Not so much profit, unless you play a lot. ● Living one of my childhood dreams. ● Both the vulnerability and the talk are quite simple. ● This is meant to be fun and practical.
Attack Surface (1) ● Almost all attacks will need physical access. ● We need to make a distinction ● Obvious attacks such as opening the machine, or attaching odd peripherals and rebooting it. ● Non-obvious attacks that resemble normal use. These are probably impossible on many older arcade machines.
Attack Surface (2) ● The obvious attacks won't work, as we'll get kicked out of the arcade or worse. ● We want to be less conspicuous than this:
Attack Surface (3) ● Modern arcade machines often allow for transferable profiles stored on portable devices. ● Magnetic cards ● Konami e-AMUSEMENT smart card ● USB dongles ● Probably more schemes, especially in Japan. ● This gives us more attack surface using either malicious hardware devices, or by malicious data on official devices.
Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention.
Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Attack here.
Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Not here. Attack here.
What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles.
What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles. ● Allows geeks to dance like Michael Jackson.
What do we know? (1) ● There is a PC as well as an arcade version. ● We'll use ITG2PC and ITG2AC for these versions. ● We can tinker with the PC version easily and test our ideas. ● After testing them on ITG2PC, we try ITG2AC. ● ITG2AC is running on x86-32 Linux. ● Most of us will be in our comfort zone.
What do we know? (2) ● ITG2 software based on a modified version of StepMania, an open source dancing simulator. ● Allows for easier reverse engineering. ● There is an open source project dedicated to reimplementing the game. ● OpenITG did an excellent job at reversing and reimplementing parts of the game.
What is on the USB stick? ● Edits of existing songs on the machine. ● Custom songs (needs to be enabled). ● Signed screenshots (to prove scores). ● Signed score profile and backups. ● Stats.xml / Stats.xml.sig / DontShare.sig ● Song catalogues, preferences, etc. ● ITG2AC and ITG2PC sticks are not portable ● Because the signing keys differ.
Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> What reading XML does to people. </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. ● Need a better bug.
XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. This is not a good bug. ● Need a better bug.
User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself.
User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself. ● Are they really?
User profile loading flaws (2) ● In OpenITG there is an IsMachine() check. ● Not so in R21 and R23! v29 = GetChildValue(a3, "Data"); if ( v29 ) { string_constructor(v29, &sData); LoadFromString(a2 + 5000, (int)&sData); if ( GetLuaType(a2 + 5000) != LUA_TTABLE ) { Warn((int)LOG, "Profile data did not evaluate to a table"); sub_84C3C80(*(_DWORD *)LuaHelpers); sub_81C2870(a2 + 5000); } }
Creating a rogue profile ● We have found a way to inject LUA code. ● There's still more work to be done: ● Signing profiles with malicious LUA code. – This requires the signing keys. ● Finding out what LUA code we can use. – Is there a LUA sandbox? – Can we escalate to root on the machine? – Do we actually need to? What can we do otherwise?
Signing profiles (1) ● Profile signing is done using RSA and SHA1. ● Original implementation using crypto++. ● Signing: S(k-, p) = E(k-, h(p)) ● Verification: D(k+, S(k-, p)) should be h(p). ● Reimplemented this using OpenSSL, as crypto++ is complicated to use. ● Command line OpenSSL also works.
Signing profiles (2) ● What is signed? ● Stats.xml with the result in Stats.xml.sig ● Stats.xml.sig with the result in DontShare.sig ● This double signature is done so people can share verified (machine signed) scores, without their profile being copied. ● You would share Stats.xml and Stats.xml.sig but not DontShare.sig
Signing profiles (3) ● We obviously want the private key. ● ITG2 signs profiles every time someone plays. ● Private key needs to be known to the program. ● Profiles need to be transferable. ● So the signing keys are shared! ● No revocation scheme in place. ● Once we leak one key, we're set!
OpenSSL signing / verifying ● openssl dgst -keyform DER -sign private.rsa -out Stats.xml.sig Stats.xml openssl dgst -keyform DER -sign private.rsa -out DontShare.sig Stats.xml.sig ● openssl dgst -keyform DER -verify public.rsa -signature DontShare.sig Stats.xml.sig openssl dgst -keyform DER -verify public.rsa -signature Stats.xml.sig Stats.xml
OpenSSL DER to PEM ● Private key is in PKCS8 DER form. openssl pkcs8 -in private.rsa -inform DER -outform PEM -out private.pem -nocrypt ● Public key is in RSA DER form. openssl rsa -in public.rsa -inform DER -pubin -pubout -outform PEM -out public.pem
ITG2PC ● The private keys are simply installed. ● They obviously differ from the ITG2AC keys. ● Look for the *.rsa files. ● They come in PKCS #1 / PKCS #8 forms. A key!
ITG2AC ● Dumping the private keys more complicated. ● We need to crack open the machine first. ● Attach USB keyboard and Linux disk. ● Rebooting the machine. ● Enter + configure BIOS to boot from disk. ● Mount the ITG2 XFS filesystem and have at it. ● Will not work on R23, as it rewrites the BIOS password using nvram.ko
ITG2AC (2) ● We were unable to find the keys on disk. ● /itgdata contains several crypted blobs: data0.zip through data4.zip and patch.zip. ● The keys are most likely in there, as well as the songs and so on. ● We need a way to decrypt those files.
ITG2AC file encryption ● The core algorithm uses SHA-512 and AES- 192 in CBC mode. ● The AES keys are managed in two ways. ● Patch files use a static key, probably because it is easier to deliver patches. ● The core data files all have unique keys, which differ on all arcade machines. These are managed by a hardware security dongle.
Encrypted file header (1) struct itg2_file_header { char magic[2]; uint32_t file_size; uint32_t subkey_size; uint8_t *subkey; uint8_t verify_block[16]; };
Encrypted file header (2) ● Magic will be :| for data files and 8O for patch files. ● file_size is the size of the decrypted file, so that padding to blocksize can be ignored. ● subkey_size is the size of the subkey. ● subkey is the size of subkey data. ● verify_block is a block of encrypted static data to determine if a valid key was provided.
File decryption algorithm (1) ● AES-192 keying is used. How these keys are derived we will see later. ● Remember that AES works on 16 byte blocks. ● File is partitioned in blocks of 255 AES blocks. ● Each of these blocks is encrypted using AES in CBC mode. ● The IV is manipulated before every encryption, by subtracting 0 through 16 from IV elements.
File decryption algorithm (2) ● Why does it work like this? ● CBC mode is quirky for file encryption. ● If we encrypt the full file in CBC mode, a single corruption in the worst case will ruin the entire file. ● When partitioning in blocks a single corruption in the worst case ruins the block. 奇々怪界 : This game is underrated.
File decryption algorithm (3) ● We get IV repetition per block of 255 blocks. This is a slight weakness, but not fatal for CBC. ● Why they modify the IV is unclear to me. ● It causes some additional confusion, and it does not introduce additional duplicates, so it is probably alright.
AES key recovery (1) ● The AES key for patch files is created running a function similar to SHA512-HMAC. ● It is not a real HMAC, as there is no ipad/opad or key compression performed, but simply does: SHA512(m || k) ● The message is the subkey from the file header. ● The key can be recovered by reverse engineering (or reading the OpenITG code).
AES key recovery (2) ● The AES keys to the data files are stored on an security dongle. ● The dongle is an iButton DS1963S which is used as a SHA-512 HMAC co-processor to deliver the AES keys. ● We don't need the DS1963S secret keys: we can recover the AES key for specific data files. Fu fu fu, enough crypto already.
DS1963S architecture ● The dongle is connected to the RS232 port of the machine. ● It communicates through a bus protocol called 1-Wire so that the master can communicate with multiple slaves. ● There is a public domain kit available to communicate with the dongle.
DS1963S memory ● There are 16 256-bit data pages. ● There are 2 pages holding 4 64-bit secrets each. These are writable, but not readable. ● Reading the secret pages would break DS1963S security, but we do not need to do this for decrypting the data files. ● There is a 256-bit scratch pad used for reliable transfers from master to slave memory.
DS1963S registers ● TA1 and TA2 hold the LSB and MSB of the target address used in many operations. ● E/S is a read-only counter and status register ● Bits[0..4]: The ending offset; it holds the last offset into the scratch pad that was written to. ● Bits[5]: The partial flag (PF); set to 1 when the bits sent by the master are not a multiple of 8. ● Bits[6]: Unused; should be 0. ● Bits[7]: Authorization Accepted (AA); set to 1 when the scratchpad has been copied to memory.
DS1963S reliable write (1) ● [0xC3] [TA1] [TA2] Erase the scratchpad, filling it with 0xFF. TA is ignored. Clear HIDE flag. ● [0x0F] [TA1] [TA2] [DATA ...] [CRC16] Write data to the scratchpad, from the byte offset to the ending offset. If the ending offset is 0x1F, the slave sends back the CRC16 of data read. ● [0xAA] Read scratchpad. Slave sends back the byte offset, the ending offset, and the scratchpad area for those, and ~CRC16.
DS1963S reliable write (2) ● Comparing the data written to the data read guarantees (almost) no distortions. ● From scratchpad we can then write into data pages and secrets pages. ● All this is performed by the public domain API function WriteDataPageSHA18().
DS1963S SHA functions ● There are multiple SHA functions. ● We will only look at the one relevant to ITG2AC. ● [0x33] [0xC3] SHA-1 sign data. ● Signs data page 0 or 8 with the secret number 0 or 8, and data from the scratchpad. ● This is used to generate the AES key from the subkey data in the file header.
DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure.
DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1?
DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1? Or the DS1963S protocols?
DS1963S security (2) ● An untested idea to dump secrets. ● The scratchpad and memory do not have to be written in 32-byte blocks. – We can write smaller quantities, like 1 or 2 bytes. ● The Copy Scratchpad command can write secret pages directly. – We just can't read secret pages. ● Partial secret overwrite may be possible? – Use Sign data page (SDP) with original secret. – Now overwrite 1 byte, and SDP again until correct byte has been found. – Repeat: complexity now O(256*8) instead of O(256**8).
DS1963S demonstration
DS1963S demonstration This octopus is funnier than Cthulhu.
File decryption ● We can now use the DS1963S keys to decrypt the encrypted files. ● This opens the door for unauthorized copying of the game content... ● Keep in mind that ITG2PC had no DRM whatsoever, so it is of minimal concern. ● It also allows us to use the original files portably in other projects. Think of OpenITG.
Signing key recovery ● We can now find the profile signing key by decrypting and unpacking data4.zip. ● The keys are in Data/private.rsa and Data/public.rsa.
Using LUA ● So we can get LUA code executed by signing profiles with embedded code. ● The LUA environment is sandboxed, there is no support for the os module and so on. ● This means we cannot execute arbitrary code on the machine. ● We can execute the LUA bindings the game provides, and change game state. ● This is what we want anyway really.
LUA game commands ● A brief stepmania reference can be found online at: http://www.stepmania.com/wiki/Lua_scripting_and_Actor_commands ● It differs from the commands in R21, and R23, but there are many similarities. ● GameState.cpp implements ApplyGameCommand() which has some interesting primitives. ● GameCommand.cpp implements these primitives.
LUA game commands (2) ● The one I was looking for as a kid: GAMESTATE:ApplyGameCommand('insertcredit') ● Signing a profile using this command and using it indeed leads to a free credit. ● The profile loader needs to be invoked, so we need to use one credit to get the rest for free.
Further escalation ● We would need to break the LUA sandbox. ● We have several flaws, but they are complicated. ● What more do we want anyway? – We can play for free. – We can unlock songs. – We can transfer scores to the machine. – We do not want to mess it up: the sandbox is nice.
Demonstration
Questions? Kupo?

More Related Content

PPTX
Pursuit of happiness in Islam
Mohammad Yunus, MD, FACP
 
PPT
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
annehelmond
 
PDF
Amazon as Issue Engine: Islands of Weird
annehelmond
 
PPT
E-diasporas Atlas
TIC-Migrations
 
PDF
Cross-platform game engine development with SDL 2.0
Leszek Godlewski
 
PDF
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games
Christoph Matthies
 
PDF
Hyper Island - 2012
Detectify
 
PDF
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Pursuit of happiness in Islam
Mohammad Yunus, MD, FACP
 
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
annehelmond
 
Amazon as Issue Engine: Islands of Weird
annehelmond
 
E-diasporas Atlas
TIC-Migrations
 
Cross-platform game engine development with SDL 2.0
Leszek Godlewski
 
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games
Christoph Matthies
 
Hyper Island - 2012
Detectify
 
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 

Similar to Don't Give Credit: Hacking Arcade Machines (20)

PDF
Hardware hacking
Tavish Naruka
 
PDF
Building Trojan Hardware at Home
E Hacking
 
PDF
My talk from PgConf.Russia 2016
Alex Chistyakov
 
PPT
Computer Games Inner Workings - I. Loukeris AIT
AIT_Communications
 
PPTX
Pen Testing Development
CTruncer
 
PDF
Taking the hard out of hardware
Ronald McCollam
 
PDF
DEF CON 23 - Phil Polstra - one device to pwn them all
Felipe Prado
 
PDF
James Forshaw, elevator action
PacSecJP
 
PPTX
The internet of $h1t
Amit Serper
 
PDF
DEF CON 27- JISKA FABIAN - vacuum cleaning security
Felipe Prado
 
PDF
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
Linaro
 
PDF
Infecting the Embedded Supply Chain
Priyanka Aash
 
PDF
Castle Game Engine and the joy of making and using a custom game engine
Michalis Kamburelis
 
PPTX
Ple18 web-security-david-busby
David Busby, CISSP
 
PDF
Yocto and IoT - a retrospective
Open-RnD
 
PDF
Killer Bugs From Outer Space
Jérôme Petazzoni
 
ODP
Advanced Linux Game Programming
Leszek Godlewski
 
PDF
High performance json- postgre sql vs. mongodb
Wei Shan Ang
 
PDF
Developing games and graphic visualizations in Pascal
Michalis Kamburelis
 
PDF
Linux as a gaming platform - Errata
Leszek Godlewski
 
Hardware hacking
Tavish Naruka
 
Building Trojan Hardware at Home
E Hacking
 
My talk from PgConf.Russia 2016
Alex Chistyakov
 
Computer Games Inner Workings - I. Loukeris AIT
AIT_Communications
 
Pen Testing Development
CTruncer
 
Taking the hard out of hardware
Ronald McCollam
 
DEF CON 23 - Phil Polstra - one device to pwn them all
Felipe Prado
 
James Forshaw, elevator action
PacSecJP
 
The internet of $h1t
Amit Serper
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
Felipe Prado
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
Linaro
 
Infecting the Embedded Supply Chain
Priyanka Aash
 
Castle Game Engine and the joy of making and using a custom game engine
Michalis Kamburelis
 
Ple18 web-security-david-busby
David Busby, CISSP
 
Yocto and IoT - a retrospective
Open-RnD
 
Killer Bugs From Outer Space
Jérôme Petazzoni
 
Advanced Linux Game Programming
Leszek Godlewski
 
High performance json- postgre sql vs. mongodb
Wei Shan Ang
 
Developing games and graphic visualizations in Pascal
Michalis Kamburelis
 
Linux as a gaming platform - Errata
Leszek Godlewski
 

More from Michael Scovetta (20)

PDF
Peter Norvig - NYC Machine Learning 2013
Michael Scovetta
 
PDF
Android Attacks
Michael Scovetta
 
PDF
Strategic Surprise
Michael Scovetta
 
PDF
Stackjacking
Michael Scovetta
 
PDF
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
PDF
Exploitation and State Machines
Michael Scovetta
 
PDF
Attacking the WebKit Heap
Michael Scovetta
 
PDF
The Listening: Email Client Backdoor
Michael Scovetta
 
PDF
Smooth CoffeeScript
Michael Scovetta
 
PDF
DEFCON 18- These Aren't the Permissions You're Looking For
Michael Scovetta
 
PDF
Systematic Detection of Capability Leaks in Stock Android Smartphones
Michael Scovetta
 
PDF
Consumer Password Worst Practices
Michael Scovetta
 
PDF
HTML5 Web Security
Michael Scovetta
 
PDF
A collection of examples of 64 bit errors in real programs
Michael Scovetta
 
PDF
If You Don't Like the Game, Hack the Playbook... (Zatko)
Michael Scovetta
 
PDF
Scaling Cyberwarfare (Roelker)
Michael Scovetta
 
PDF
High Assurance Systems (Fisher)
Michael Scovetta
 
PDF
PROCEED and Crowd-Sourced Formal Verification
Michael Scovetta
 
PDF
National Cyber Range (Ranka)
Michael Scovetta
 
PDF
Beyond Passwords (Guidorizzi)
Michael Scovetta
 
Peter Norvig - NYC Machine Learning 2013
Michael Scovetta
 
Android Attacks
Michael Scovetta
 
Strategic Surprise
Michael Scovetta
 
Stackjacking
Michael Scovetta
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Exploitation and State Machines
Michael Scovetta
 
Attacking the WebKit Heap
Michael Scovetta
 
The Listening: Email Client Backdoor
Michael Scovetta
 
Smooth CoffeeScript
Michael Scovetta
 
DEFCON 18- These Aren't the Permissions You're Looking For
Michael Scovetta
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Michael Scovetta
 
Consumer Password Worst Practices
Michael Scovetta
 
HTML5 Web Security
Michael Scovetta
 
A collection of examples of 64 bit errors in real programs
Michael Scovetta
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
Michael Scovetta
 
Scaling Cyberwarfare (Roelker)
Michael Scovetta
 
High Assurance Systems (Fisher)
Michael Scovetta
 
PROCEED and Crowd-Sourced Formal Verification
Michael Scovetta
 
National Cyber Range (Ranka)
Michael Scovetta
 
Beyond Passwords (Guidorizzi)
Michael Scovetta
 

Recently uploaded (20)

PPTX
SPARSH-SVNITs-Annual-Cultural-Fest presentation for orientation
2004vks
 
PDF
Commercial arboriculture Commercial Tree consultant Essex, Kent, Thaxted.pdf
Treecology Arboriculture
 
PDF
oppenheimer and the story of the atomic bomb
mohammadasemthaher
 
PDF
Download FL Studio Crack Latest version 2025
malikyahyah1122
 
PPTX
The Pearl - project of Advanced Reading course
2357011035
 
PPTX
Other Dance Forms - G10 MAPEH Reporting.pptx
Katsuki3
 
PDF
MAGNET STORY- Coaster Sequence (Rough Version 2).pdf
Mike Pelensky
 
PPTX
BULAN K3 NASIONAL PowerPt Templates.pptx
ehszjbrk
 
PDF
Songlyrics.net-website for lyrics song download
songlyrics.net
 
PDF
Watch Eddington (2025) – A Town Torn in Two
Afdah Movies
 
DOCX
Elisabeth de Pot, the Witch of Flanders .
JaimeLavid
 
PDF
Western Pop Music: From Classics to Chart-Toppers
rajlaxmibangera
 
PDF
EVs U-5 ONE SHOT Notes_c49f9e68-5eac-4201-bf86-b314ef5930ba.pdf
tyagihariom729
 
PPTX
the-solar-system.pptxxxxxxxxxxxxxxxxxxxx
fate01496
 
PDF
WKA #29: "FALLING FOR CUPID" TRANSCRIPT.pdf
Optimistic18
 
PDF
WKA #29: "FALLING FOR CUPID" TRANSCRIPT.pdf
Optimistic18
 
DOC
NSCAD毕业证学历认证,温哥华岛大学毕业证国外证书制作申请
ucyqekd
 
PDF
Best IPTV Service Providers in the UK (2025) – Honest Reviews & Top Picks
AmrGamal133847
 
PDF
WKA? #29.5: "HELLO NURSE" TRANSCRIPT.pdf
Optimistic18
 
PDF
TAIPANQQ SITUS MUDAH MENANG DAN MUDAH MAXWIN SEGERA DAFTAR DI TAIPANQQ DAN RA...
TAIPANQQ GACOR
 
SPARSH-SVNITs-Annual-Cultural-Fest presentation for orientation
2004vks
 
Commercial arboriculture Commercial Tree consultant Essex, Kent, Thaxted.pdf
Treecology Arboriculture
 
oppenheimer and the story of the atomic bomb
mohammadasemthaher
 
Download FL Studio Crack Latest version 2025
malikyahyah1122
 
The Pearl - project of Advanced Reading course
2357011035
 
Other Dance Forms - G10 MAPEH Reporting.pptx
Katsuki3
 
MAGNET STORY- Coaster Sequence (Rough Version 2).pdf
Mike Pelensky
 
BULAN K3 NASIONAL PowerPt Templates.pptx
ehszjbrk
 
Songlyrics.net-website for lyrics song download
songlyrics.net
 
Watch Eddington (2025) – A Town Torn in Two
Afdah Movies
 
Elisabeth de Pot, the Witch of Flanders .
JaimeLavid
 
Western Pop Music: From Classics to Chart-Toppers
rajlaxmibangera
 
EVs U-5 ONE SHOT Notes_c49f9e68-5eac-4201-bf86-b314ef5930ba.pdf
tyagihariom729
 
the-solar-system.pptxxxxxxxxxxxxxxxxxxxx
fate01496
 
WKA #29: "FALLING FOR CUPID" TRANSCRIPT.pdf
Optimistic18
 
WKA #29: "FALLING FOR CUPID" TRANSCRIPT.pdf
Optimistic18
 
NSCAD毕业证学历认证,温哥华岛大学毕业证国外证书制作申请
ucyqekd
 
Best IPTV Service Providers in the UK (2025) – Honest Reviews & Top Picks
AmrGamal133847
 
WKA? #29.5: "HELLO NURSE" TRANSCRIPT.pdf
Optimistic18
 
TAIPANQQ SITUS MUDAH MENANG DAN MUDAH MAXWIN SEGERA DAFTAR DI TAIPANQQ DAN RA...
TAIPANQQ GACOR
 

Don't Give Credit: Hacking Arcade Machines

  • 1. Don't Give Credit: Hacking Arcade Machines
  • 2. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games.
  • 3. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am
  • 4. Who am I? ● Ronald Huizer ● Senior Security Researcher, Immunity, Inc. ● ronald@immunityinc.com ● I enjoy computer science, toying with hardware, go, a whole lot of japanese cartoons and computer games. Who I am Whom I'd like to be.
  • 5. Attacking Arcade Machines ● Why attack arcade machines? ● Fun and free plays. ● Not so much profit, unless you play a lot. ● Living one of my childhood dreams. ● Both the vulnerability and the talk are quite simple. ● This is meant to be fun and practical.
  • 6. Attack Surface (1) ● Almost all attacks will need physical access. ● We need to make a distinction ● Obvious attacks such as opening the machine, or attaching odd peripherals and rebooting it. ● Non-obvious attacks that resemble normal use. These are probably impossible on many older arcade machines.
  • 7. Attack Surface (2) ● The obvious attacks won't work, as we'll get kicked out of the arcade or worse. ● We want to be less conspicuous than this:
  • 8. Attack Surface (3) ● Modern arcade machines often allow for transferable profiles stored on portable devices. ● Magnetic cards ● Konami e-AMUSEMENT smart card ● USB dongles ● Probably more schemes, especially in Japan. ● This gives us more attack surface using either malicious hardware devices, or by malicious data on official devices.
  • 9. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention.
  • 10. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Attack here.
  • 11. Attack Surface (4) ● We pick the easiest attack surface. ● Consider game profiles loaded from and stored to USB dongle. ● If profile handling is done wrong, we can simply insert a USB dongle with malicious payload. ● Very covert: inserting a dongle is a common task performed by many players, and won't attract unwanted attention. Not here. Attack here.
  • 12. What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles.
  • 13. What are we attacking? ● In The Groove 2 ● Dancing simulator made by RoXoR games. ● Uses USB dongles to store profiles. ● Allows geeks to dance like Michael Jackson.
  • 14. What do we know? (1) ● There is a PC as well as an arcade version. ● We'll use ITG2PC and ITG2AC for these versions. ● We can tinker with the PC version easily and test our ideas. ● After testing them on ITG2PC, we try ITG2AC. ● ITG2AC is running on x86-32 Linux. ● Most of us will be in our comfort zone.
  • 15. What do we know? (2) ● ITG2 software based on a modified version of StepMania, an open source dancing simulator. ● Allows for easier reverse engineering. ● There is an open source project dedicated to reimplementing the game. ● OpenITG did an excellent job at reversing and reimplementing parts of the game.
  • 16. What is on the USB stick? ● Edits of existing songs on the machine. ● Custom songs (needs to be enabled). ● Signed screenshots (to prove scores). ● Signed score profile and backups. ● Stats.xml / Stats.xml.sig / DontShare.sig ● Song catalogues, preferences, etc. ● ITG2AC and ITG2PC sticks are not portable ● Because the signing keys differ.
  • 17. Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
  • 18. Stats.xml: user profile data ● XML formatted file. <?xml version="1.0" encoding="UTF-8" ?> <?xml-stylesheet type="text/xsl" href="Stats.xsl"?> <Stats> <CalorieData> <CaloriesBurned Date='2005-02-26' >468.587524</CaloriesBurned> What reading XML does to people. </CalorieData> <CategoryScores/> ... <Data> local tab1 = { } return tab1 </Data> ...
  • 19. XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. ● Need a better bug.
  • 20. XML parser flaws ● XNode::LoadAttributes() has issues. ● It will scan past 0-byte if there is a double or single quote character before it. ● tcsskip() and tcsechr() are scary, as they always return a non-NULL pointer. ● Lots of over-indexed reads, but hard to find over-indexed writes. This is not a good bug. ● Need a better bug.
  • 21. User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself.
  • 22. User profile loading flaws (1) ● Profile::LoadGeneralDataFromNode() reads XML data from the XML tree, and deserializes. ● Lot of uninteresting numeric and string entries. ● The <Data> tag seems interesting, as it contains embedded LUA data. ● It is only handled for IsMachine() profiles, which are stored on the arcade machine itself. ● Are they really?
  • 23. User profile loading flaws (2) ● In OpenITG there is an IsMachine() check. ● Not so in R21 and R23! v29 = GetChildValue(a3, "Data"); if ( v29 ) { string_constructor(v29, &sData); LoadFromString(a2 + 5000, (int)&sData); if ( GetLuaType(a2 + 5000) != LUA_TTABLE ) { Warn((int)LOG, "Profile data did not evaluate to a table"); sub_84C3C80(*(_DWORD *)LuaHelpers); sub_81C2870(a2 + 5000); } }
  • 24. Creating a rogue profile ● We have found a way to inject LUA code. ● There's still more work to be done: ● Signing profiles with malicious LUA code. – This requires the signing keys. ● Finding out what LUA code we can use. – Is there a LUA sandbox? – Can we escalate to root on the machine? – Do we actually need to? What can we do otherwise?
  • 25. Signing profiles (1) ● Profile signing is done using RSA and SHA1. ● Original implementation using crypto++. ● Signing: S(k-, p) = E(k-, h(p)) ● Verification: D(k+, S(k-, p)) should be h(p). ● Reimplemented this using OpenSSL, as crypto++ is complicated to use. ● Command line OpenSSL also works.
  • 26. Signing profiles (2) ● What is signed? ● Stats.xml with the result in Stats.xml.sig ● Stats.xml.sig with the result in DontShare.sig ● This double signature is done so people can share verified (machine signed) scores, without their profile being copied. ● You would share Stats.xml and Stats.xml.sig but not DontShare.sig
  • 27. Signing profiles (3) ● We obviously want the private key. ● ITG2 signs profiles every time someone plays. ● Private key needs to be known to the program. ● Profiles need to be transferable. ● So the signing keys are shared! ● No revocation scheme in place. ● Once we leak one key, we're set!
  • 28. OpenSSL signing / verifying ● openssl dgst -keyform DER -sign private.rsa -out Stats.xml.sig Stats.xml openssl dgst -keyform DER -sign private.rsa -out DontShare.sig Stats.xml.sig ● openssl dgst -keyform DER -verify public.rsa -signature DontShare.sig Stats.xml.sig openssl dgst -keyform DER -verify public.rsa -signature Stats.xml.sig Stats.xml
  • 29. OpenSSL DER to PEM ● Private key is in PKCS8 DER form. openssl pkcs8 -in private.rsa -inform DER -outform PEM -out private.pem -nocrypt ● Public key is in RSA DER form. openssl rsa -in public.rsa -inform DER -pubin -pubout -outform PEM -out public.pem
  • 30. ITG2PC ● The private keys are simply installed. ● They obviously differ from the ITG2AC keys. ● Look for the *.rsa files. ● They come in PKCS #1 / PKCS #8 forms. A key!
  • 31. ITG2AC ● Dumping the private keys more complicated. ● We need to crack open the machine first. ● Attach USB keyboard and Linux disk. ● Rebooting the machine. ● Enter + configure BIOS to boot from disk. ● Mount the ITG2 XFS filesystem and have at it. ● Will not work on R23, as it rewrites the BIOS password using nvram.ko
  • 32. ITG2AC (2) ● We were unable to find the keys on disk. ● /itgdata contains several crypted blobs: data0.zip through data4.zip and patch.zip. ● The keys are most likely in there, as well as the songs and so on. ● We need a way to decrypt those files.
  • 33. ITG2AC file encryption ● The core algorithm uses SHA-512 and AES- 192 in CBC mode. ● The AES keys are managed in two ways. ● Patch files use a static key, probably because it is easier to deliver patches. ● The core data files all have unique keys, which differ on all arcade machines. These are managed by a hardware security dongle.
  • 34. Encrypted file header (1) struct itg2_file_header { char magic[2]; uint32_t file_size; uint32_t subkey_size; uint8_t *subkey; uint8_t verify_block[16]; };
  • 35. Encrypted file header (2) ● Magic will be :| for data files and 8O for patch files. ● file_size is the size of the decrypted file, so that padding to blocksize can be ignored. ● subkey_size is the size of the subkey. ● subkey is the size of subkey data. ● verify_block is a block of encrypted static data to determine if a valid key was provided.
  • 36. File decryption algorithm (1) ● AES-192 keying is used. How these keys are derived we will see later. ● Remember that AES works on 16 byte blocks. ● File is partitioned in blocks of 255 AES blocks. ● Each of these blocks is encrypted using AES in CBC mode. ● The IV is manipulated before every encryption, by subtracting 0 through 16 from IV elements.
  • 37. File decryption algorithm (2) ● Why does it work like this? ● CBC mode is quirky for file encryption. ● If we encrypt the full file in CBC mode, a single corruption in the worst case will ruin the entire file. ● When partitioning in blocks a single corruption in the worst case ruins the block. 奇々怪界 : This game is underrated.
  • 38. File decryption algorithm (3) ● We get IV repetition per block of 255 blocks. This is a slight weakness, but not fatal for CBC. ● Why they modify the IV is unclear to me. ● It causes some additional confusion, and it does not introduce additional duplicates, so it is probably alright.
  • 39. AES key recovery (1) ● The AES key for patch files is created running a function similar to SHA512-HMAC. ● It is not a real HMAC, as there is no ipad/opad or key compression performed, but simply does: SHA512(m || k) ● The message is the subkey from the file header. ● The key can be recovered by reverse engineering (or reading the OpenITG code).
  • 40. AES key recovery (2) ● The AES keys to the data files are stored on an security dongle. ● The dongle is an iButton DS1963S which is used as a SHA-512 HMAC co-processor to deliver the AES keys. ● We don't need the DS1963S secret keys: we can recover the AES key for specific data files. Fu fu fu, enough crypto already.
  • 41. DS1963S architecture ● The dongle is connected to the RS232 port of the machine. ● It communicates through a bus protocol called 1-Wire so that the master can communicate with multiple slaves. ● There is a public domain kit available to communicate with the dongle.
  • 42. DS1963S memory ● There are 16 256-bit data pages. ● There are 2 pages holding 4 64-bit secrets each. These are writable, but not readable. ● Reading the secret pages would break DS1963S security, but we do not need to do this for decrypting the data files. ● There is a 256-bit scratch pad used for reliable transfers from master to slave memory.
  • 43. DS1963S registers ● TA1 and TA2 hold the LSB and MSB of the target address used in many operations. ● E/S is a read-only counter and status register ● Bits[0..4]: The ending offset; it holds the last offset into the scratch pad that was written to. ● Bits[5]: The partial flag (PF); set to 1 when the bits sent by the master are not a multiple of 8. ● Bits[6]: Unused; should be 0. ● Bits[7]: Authorization Accepted (AA); set to 1 when the scratchpad has been copied to memory.
  • 44. DS1963S reliable write (1) ● [0xC3] [TA1] [TA2] Erase the scratchpad, filling it with 0xFF. TA is ignored. Clear HIDE flag. ● [0x0F] [TA1] [TA2] [DATA ...] [CRC16] Write data to the scratchpad, from the byte offset to the ending offset. If the ending offset is 0x1F, the slave sends back the CRC16 of data read. ● [0xAA] Read scratchpad. Slave sends back the byte offset, the ending offset, and the scratchpad area for those, and ~CRC16.
  • 45. DS1963S reliable write (2) ● Comparing the data written to the data read guarantees (almost) no distortions. ● From scratchpad we can then write into data pages and secrets pages. ● All this is performed by the public domain API function WriteDataPageSHA18().
  • 46. DS1963S SHA functions ● There are multiple SHA functions. ● We will only look at the one relevant to ITG2AC. ● [0x33] [0xC3] SHA-1 sign data. ● Signs data page 0 or 8 with the secret number 0 or 8, and data from the scratchpad. ● This is used to generate the AES key from the subkey data in the file header.
  • 47. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure.
  • 48. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1?
  • 49. DS1963S security (1) ● Secret page security demonstrated broken by Christian Brandt at CCC 2010 through faulting. ● Using real crypto does not make devices secure. Would you rather attack SHA-1? Or the DS1963S protocols?
  • 50. DS1963S security (2) ● An untested idea to dump secrets. ● The scratchpad and memory do not have to be written in 32-byte blocks. – We can write smaller quantities, like 1 or 2 bytes. ● The Copy Scratchpad command can write secret pages directly. – We just can't read secret pages. ● Partial secret overwrite may be possible? – Use Sign data page (SDP) with original secret. – Now overwrite 1 byte, and SDP again until correct byte has been found. – Repeat: complexity now O(256*8) instead of O(256**8).
  • 52. DS1963S demonstration This octopus is funnier than Cthulhu.
  • 53. File decryption ● We can now use the DS1963S keys to decrypt the encrypted files. ● This opens the door for unauthorized copying of the game content... ● Keep in mind that ITG2PC had no DRM whatsoever, so it is of minimal concern. ● It also allows us to use the original files portably in other projects. Think of OpenITG.
  • 54. Signing key recovery ● We can now find the profile signing key by decrypting and unpacking data4.zip. ● The keys are in Data/private.rsa and Data/public.rsa.
  • 55. Using LUA ● So we can get LUA code executed by signing profiles with embedded code. ● The LUA environment is sandboxed, there is no support for the os module and so on. ● This means we cannot execute arbitrary code on the machine. ● We can execute the LUA bindings the game provides, and change game state. ● This is what we want anyway really.
  • 56. LUA game commands ● A brief stepmania reference can be found online at: http://www.stepmania.com/wiki/Lua_scripting_and_Actor_commands ● It differs from the commands in R21, and R23, but there are many similarities. ● GameState.cpp implements ApplyGameCommand() which has some interesting primitives. ● GameCommand.cpp implements these primitives.
  • 57. LUA game commands (2) ● The one I was looking for as a kid: GAMESTATE:ApplyGameCommand('insertcredit') ● Signing a profile using this command and using it indeed leads to a free credit. ● The profile loader needs to be invoked, so we need to use one credit to get the rest for free.
  • 58. Further escalation ● We would need to break the LUA sandbox. ● We have several flaws, but they are complicated. ● What more do we want anyway? – We can play for free. – We can unlock songs. – We can transfer scores to the machine. – We do not want to mess it up: the sandbox is nice.