
1 What is MGO?
● Metal Gear
  o A bipedal nuclear-equipped tank
● Online
  o Controlled by or connected to a network.
● Metal Gear Online
  o A bipedal nuclear tank controlled by the internet

2 Cyber Necromancy: Reverse Engineering Dead Protocols

3 ● Matthew Halchyshak
  o Security Technician for Security Innovation

4 Warning
● Not development
● Not exploitation
● Just a cool project to revive a video game

5 Problems
● Servers are down
  o Minimal Packet Capture
  o No LAN Play
● PS2 (mips32)
  o No debugging interface
  o PCSX2 Memory Dumps
● PS3 (Cell BE)
  o Removed with official update
  o Requires a custom firmware

6 High-level Overview
1. Redirect traffic to our controlled server
2. Implement handlers for known protocols
  o HTTP
  o STUN
  o etc.
3. Implement unknown game protocol

7 Traffic Redirection
● Patching
  o Distribution?
● Buy the domains
  o Still owned
● Custom DNS

8 Dynamic Network Authentication
● Prevent cheating and piracy online
  o Bypass for piracy is old
  o Bypass for games no longer online is not
● Google is your friend
  o Sony SDK
  o DNAS Documentation

9 Dynamic Network Authentication
● Failure
  o Never managed to recreate DNAS
● “NewDNASConnect”
  o Found this string, which led to a function
  o What happens when you return 0 from it?

10 Dynamic Network Authentication
● Binary Patching
  o Reproduction and distribution?
  o Packed binaries
● Cheat Devices
  o Inject a small bit of code into a game
    ▪ Code allows overwriting 4 bytes of memory at a time
  o Less than ideal but it works
    ▪ Other games have not needed this

11 “Cheats”
● C1322414 00007474
● 2036b1e8 24020000
● 2036b1ec 03e00008
● 2036b1f0 00000000

12 “Cheats”
● Format
  o The first character represents the type of cheat
    ▪ Caaaaaaa bbbbbbbb
      ● if 0x8aaaaaaa == 0xbbbbbbbb
    ▪ 2aaaaaaa bbbbbbbb
      ● Overwrite 0x8aaaaaaa
  o Many types of codes
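The two code types above, applied to the four codes from slide 11, as an added example that is not code from the talk: the address mapping (type nibble replaced by 8) comes from the slide, while the memory image is constructed and the assumption that a 'C' code gates every code after it is this example's own.

```python
# Added example, not code from the talk: an interpreter for the two PS2
# cheat-device code types on the slides, run over a constructed memory image.
# Address mapping follows the slide (type nibble replaced by 8); that a 'C'
# code gates every code after it is this example's assumption.
MEM_BASE = 0x80000000

def parse_codes(text):
    """Parse 'Caaaaaaa bbbbbbbb' lines into (type, address, value) tuples."""
    codes = []
    for line in text.strip().splitlines():
        left, right = line.split()
        word = int(left, 16)
        codes.append((word >> 28, MEM_BASE | (word & 0x0FFFFFFF), int(right, 16)))
    return codes

def apply_codes(mem, codes):
    """mem: dict of 32-bit words by address. Returns the addresses written."""
    enabled, written = True, []
    for kind, addr, value in codes:
        if kind == 0xC:                  # Caaaaaaa bbbbbbbb: word at addr == value?
            enabled = mem.get(addr, 0) == value
        elif kind == 0x2:                # 2aaaaaaa bbbbbbbb: 32-bit write
            if enabled:
                mem[addr] = value
                written.append(addr)
        else:
            raise ValueError(f"code type {kind:X} not handled by this example")
    return written

# MIPS encodings of the three words the slide writes starting at 0x2036b1e8:
#   0x24020000  addiu $v0, $zero, 0   (return value 0)
#   0x03e00008  jr $ra                (return to caller)
#   0x00000000  nop                   (branch delay slot)
RETURN_ZERO_STUB = (0x24020000, 0x03E00008, 0x00000000)

def is_return_zero_stub(mem, addr):
    """True when the three words at addr form the 'return 0' stub above."""
    return tuple(mem.get(addr + 4 * i) for i in range(3)) == RETURN_ZERO_STUB

SLIDE_CODES = """
C1322414 00007474
2036b1e8 24020000
2036b1ec 03e00008
2036b1f0 00000000
"""

if __name__ == "__main__":
    mem = {0x81322414: 0x00007474}   # constructed: gate word matches the 'C' code
    written = apply_codes(mem, parse_codes(SLIDE_CODES))
    print([hex(a) for a in written], is_return_zero_stub(mem, 0x8036B1E8))
```

Running it shows why the slide asks what happens when the function returns 0: the three writes replace the start of the function with a stub that loads 0 into $v0 and returns.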

13 Reversing the Protocol

14 ● Packets! Packets! Packets!
● Cannot get packets if the server is dead
● Examine and compare everything

15 Client Packets


20 Reversing the Protocol
● No NULL bytes
● ..Zp comes up often

21 And it’s XOR…


24 Reversing the Protocol
● c022b8e51bd997c3baf6a587ba395d8f
● f252244cd1f91de6baffa2ad93f4a1f8
● 7eb97a668342081d5685c0c100dfa3c7
● f252244cd1f91de6baffa2ad93f4a1f8
● Look familiar?
  o MD5 (Header + Payload)

25 Reversing the Protocol
● Header (8 bytes)
  o Command Identifier (2 bytes)
  o Payload Length (2 bytes)
  o Sequence (4 bytes)
● Hash (16 bytes)
● Payload?

26 Response Payloads

27 The Ideal Way
● Packet Captures
  o Replay and experiment
  o Matter of determining transformation


30 Experimentation
● Changed visible names
● Changed IPs and set up listeners
● Changed Unknown value to [A-E]
  o Hopefully it's visible in some way


32 That was easy

33 The Harder Way
● No packet capture

34 Determining the Payloads
● Are there commonalities that run through the payloads?
  o Is there a structure to the payloads?
    ▪ XML? JSON? SOAP? Custom?
  o Cryptography
    ▪ https://kerckhoffs.googlecode.com/files/Groebert-Automatic.Identification.of.Cryptographic.Primitives.in.Software.pdf

35 Determining the Payloads
● Experimentation
  o First 4 bytes are a result code
    ▪ 0x00000000 = Success (normally)
    ▪ Anything else is displayed back to the user
  o The error is only displayed iff the command id is correct
  o Server’s response id is usually the request id + 1

36 Determining the Payloads
● Guess Work
  o Blank
    ▪ User Settings
  o NULL (0x00)
    ▪ Create Game - first half
  o ‘0’ (0x30)
    ▪ HTTP API
  o Success (0x00000000)
    ▪ ‘Worked’ but doesn’t do what it should
  o Something else?

37 Exploring Items 00 00 00 00 21 00 00 00 01

38 Exploring Items 00 00 00 01 21 00 00 00 01

39 Exploring Items 00 00 00 01 21 00 00 00 03

40 Exploring Items 00 00 00 01 21 00 00 00 07

41 Exploring Items 00 00 00 00 21 00 00 00 01

42 Exploring Items 00 00 00 01 21 00 00 00 07

43 Exploring Items

44 ●Slow and tedious but not too difficult

45 Complex Payloads
● Packets? Nope.
● Easily Guessable? Nope.

46 Friends List
● Exhausted simple cases
● Random payloads revealed nothing


48 Join Game
● Packets? No. Easily Guessable? Nope.
● Anything similar? Nope.


50 Join Game
● Step 1
  o 0x4113 - Game Data
  o Same request is made for ‘Host Information’
    ▪ Used Host Information to determine response


52 Join Game
● Step 2
  o 0x4102 - Player Stats
    ▪ Requests information about the host’s in-game stats

53 Join Game
● Static Analysis
  o ELF is packed
  o No official debugging functionality
    ▪ Emulator memory dump

54 Join Game
● Finding the code path
  o Nearby strings
    ▪ None
  o Magic Numbers
    ▪ 0x4103
    ▪ XOR Code

55 Join Game

56 ● Function has several calls of the form
  o jal -- function call
  o bne v0 0 -- branch if return not 0
    ▪ Repeat about 15 times

57 Join Game
● Two Options
  o Follow code path and determine where it fails
    ▪ NOP the check (Patch)
    ▪ Determine what data would make it pass
● Complicated payloads
  o Expects data for 0x4104 and 0x4105
● Ultimately patched

58 Join Game
● Past Requests
  o Game Information
  o Player Information
  o Host Stats -- patched
  o now 0x4320?

59 Join Game
● External Resources
  o Google is your friend
  o Other online games
    ▪ Pro Evolution Soccer
    ▪ Metal Gear Online 2
      ● Had this particular packet

60 Join Game
● Client sends data over UDP to Host
● Unexpectedly host sends 0x4340

61 0x4340
● No error message
  o Host stops responding to client UDP
● Request Payload
  o Joining Player Id

62 0x4340


64 ● Found 4341 handler in memory dump
● Function makes a lot of calls but doesn’t check return values
  o Only reads 4 bytes from payload

65 0x4340

66 0x4341
● Structure
  o Success Code - 4 bytes
  o Player Id - 4 bytes
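The framing from slide 25 (8-byte header, 16-byte MD5 over header and payload), the result-code convention from slide 35 (first 4 bytes, 0 = success, response id = request id + 1) and the 0x4340/0x4341 structure above, put together as an added example that is not code from the talk or the revived server. Big-endian field order and the error value 0x00000001 are assumptions; the XOR layer the slides mention is left out because its key is not on the slides.

```python
# Added example, not code from the talk: framing for the MGO request/response
# layout recovered on the slides (8-byte header, 16-byte MD5 over header and
# payload, 4-byte result code, response id = request id + 1) applied to the
# 0x4340/0x4341 join exchange. Big-endian fields and the error code 0x00000001
# are assumptions; the XOR layer is omitted because its key is not on the slides.
import hashlib
import struct

HEADER = struct.Struct(">HHI")   # command id, payload length, sequence

def build_packet(cmd, seq, payload):
    header = HEADER.pack(cmd, len(payload), seq)
    return header + hashlib.md5(header + payload).digest() + payload

def parse_packet(data):
    """Return (cmd, seq, payload) or raise ValueError if the frame is bad."""
    if len(data) < HEADER.size + 16:
        raise ValueError("truncated packet")
    cmd, length, seq = HEADER.unpack_from(data)
    digest, payload = data[8:24], data[24:]
    if len(payload) != length:
        raise ValueError("payload length does not match header")
    if hashlib.md5(data[:8] + payload).digest() != digest:
        raise ValueError("MD5 over header+payload does not match")
    return cmd, seq, payload

CMD_JOIN_NOTIFY = 0x4340   # host -> server, payload: joining player id

def handle_request(data):
    """Server side: validate a request and build the cmd+1 response."""
    cmd, seq, payload = parse_packet(data)
    if cmd == CMD_JOIN_NOTIFY and len(payload) >= 4:
        player_id = struct.unpack(">I", payload[:4])[0]
        body = struct.pack(">II", 0, player_id)   # success + echoed player id
    else:
        body = struct.pack(">I", 1)               # nonzero: shown to the user
    return build_packet(cmd + 1, seq, body)

def parse_response(data):
    """Client side: return (cmd, result_code, rest_of_payload)."""
    cmd, _seq, payload = parse_packet(data)
    result = struct.unpack(">I", payload[:4])[0]
    return cmd, result, payload[4:]

if __name__ == "__main__":
    req = build_packet(CMD_JOIN_NOTIFY, 1, struct.pack(">I", 42))  # constructed
    print(parse_response(handle_request(req)))
```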

67 Success!

68 What’s next?


70 Conclusion

71 Warnings
● A lot of work
  o Protocol and Server emulation took about 10 months
  o More than 80 commands
  o Headaches and frustration
  o Not a lot of existing reference material
● People are crazy
  o Trolls and complaints about not being done yet
● Copyrights and DMCA
  o DMCA exception for interoperability
  o Terms of Service

72 Credits
● GhzGangster (Derrik Touve)
● Zak
  o http://obsvr.com
● Mohamed Saher
  o http://twitter.com/halsten
  o http://halsten.info
● Wtfareuthinking1
● Jayveer

73 Useful tools
● Used public IDA scripts to parse PS3 ELF
  o https://github.com/kakaroto/ps3ida
  o Revealed SDK functions and references
  o More analysis in general than PS2

74 Questions?
● Matthew Halchyshak
  o matthew@0x0539.net
  o @iamcuri0us
● Joseph Tartaro
  o joseph.tartaro@gmail.com
  o @droogie1xp

