Download presentation
Presentation is loading. Please wait.
Published byTabitha Nelson Modified over 8 years ago
1
What is MGO? ●Metal Gear o A bipedal nuclear-equipped tank ●Online o Controlled by or connected to a network. ●Metal Gear Online o A bipedal nuclear tank controlled by the internet
2
Cyber Necromancy: Reverse Engineering Dead Protocols
3
●Matthew Halchyshak o Security Technician for Security Innovation
4
Warning ●Not development ●Not exploitation ●Just a cool project to revive a video game
5
Problems ●Servers are down o Minimal Packet Capture o No LAN Play ●PS2 (mips32) o No debugging interface o PCSX2 Memory Dumps ●PS3 (Cell BE) o Removed with official update o Requires a custom firmware
6
High-level Overview 1.Redirect traffic to our controlled server 2.Implement handlers for known protocols o HTTP o STUN o etc. 3.Implement unknown game protocol
7
Traffic Redirection ●Patching o Distribution? ●Buy the domains o Still owned ●Custom DNS
8
Dynamic Network Authentication ●Prevent cheating and piracy online o Bypass for piracy is old o Bypass for games no longer online is not ●Google is your friend o Sony SDK o DNAS Documentation
9
Dynamic Network Authentication ●Failure o Never managed to recreate DNAS ●“NewDNASConnect” o Found this string, lead to a function o What happens when you return 0 from it?
10
Dynamic Network Authentication ●Binary Patching o Reproduction and distribution? o Packed binaries ●Cheat Devices o Inject a small bit of code into a game Code allows overwriting 4 bytes of memory at a time o Less than ideal but it works Other games have not needed this
11
“Cheats” ●C1322414 00007474 ●2036b1e8 24020000 ●2036b1ec 03e00008 ●2036b1f0 00000000
12
“Cheats” ●Format o First Character represented the type of cheat Caaaaaaa bbbbbbbb ●if 0x8aaaaaaa == 0xbbbbbbbb 2aaaaaaa bbbbbbbb ●Overwrite 0x8aaaaaaa o Many types of codes
13
Reversing the Protocol
14
●Packets! Packets! Packets! ●Cannot get packets if the server is dead ●Examine and compare everything
15
Client Packets
20
Reversing the Protocol ●No NULL bytes ●..Zp comes up often
21
And it’s XOR…
24
Reversing the Protocol ●c022b8e51bd997c3baf6a587ba395d8f ●f252244cd1f91de6baffa2ad93f4a1f8 ●7eb97a668342081d5685c0c100dfa3c7 ●f252244cd1f91de6baffa2ad93f4a1f8 ●Look familiar? o MD5 (Header + Payload)
25
Reversing the Protocol ●Header (8 bytes) o Command Identifier (2 bytes) o Payload Length (2 bytes) o Sequence (4 bytes) ●Hash (16 bytes) ●Payload?
26
Response Payloads
27
The Ideal Way ●Packet Captures o Replay and experiment o Matter of determining transformation
30
Experimentation ●Changed visible names ●Changed IPs and setup listeners ●Changed Unknown value to [A-E] o Hopefully its visible in some way
32
That was easy
33
The Harder Way ●No packet capture
34
Determining the Payloads ●Are there are commonalities that run through the payloads. o Is there are structure to the payloads? XML? JSON? SOAP? Custom? o Cryptography https://kerckhoffs.googlecode.com/files/Groebert- Automatic.Identification.of.Cryptographic.Primitiv es.in.Software.pdf https://kerckhoffs.googlecode.com/files/Groebert- Automatic.Identification.of.Cryptographic.Primitiv es.in.Software.pdf
35
Determining the Payloads ●Experimentation o First 4 bytes are a result code 0x00000000 = Success (normally) Anything else is displayed back to user o Error only display IFF Command id is correct o Server’s response is usually +1 of request
36
Determining the Payloads ●Guess Work o Blank User Settings o NULL (0x00) Create Game - first half o ‘0’ (0x30) HTTP API o Success (0x00000000) ‘Worked’ but doesn’t do what it should o Something else?
37
Exploring Items 00 00 00 00 21 00 00 00 01
38
Exploring Items 00 00 00 01 21 00 00 00 01
39
Exploring Items 00 00 00 01 21 00 00 00 03
40
Exploring Items 00 00 00 01 21 00 00 00 07
41
Exploring Items 00 00 00 00 21 00 00 00 01
42
Exploring Items 00 00 00 01 21 00 00 00 07
43
Exploring Items
44
●Slow and tedious but not too difficult
45
Complex Payloads ●Packets? Nope. ●Easily Guessable? Nope.
46
Friends List ●Exhausted simple cases ●Random payloads revealed nothing
48
Join Game ●Packets? No. Easily Guessable? Nope. ●Anything similar? Nope.
50
Join Game ●Step 1 o 0x4113 - Game Data o Same request is made for ‘Host Information’ Used Host Information to determine response
52
Join Game ●Step 2 o 0x4102 - Player Stats Requests information about the host’s ingame stats
53
Join Game ●Static Analysis o ELF is packed o No official debugging functionality Emulator memory dump
54
Join Game ●Finding the code path o Nearby strings None o Magic Numbers 0x4103 XOR Code
55
Join Game
56
●Function has several calls of the form o jal -- function call o bne v0 0 -- branch if return not 0 Repeat about 15 times
57
Join Game ●Two Options o Follow code path and determine where it fails NOP the check (Patch) Determine what data would make it pass ●Complicated payloads o Expects data for 0x4104 and 0x4105 ●Ultimately patched
58
Join Game ●Past Requests o Game Information o Player Information o Host Stats -- patched o now 0x4320?
59
Join Game ●External Resources o Google is your friend o Other online games Pro Evolution Soccer Metal Gear Online 2 ● Had this particular packet
60
Join Game ●Client sends data over UDP to Host ●Unexpectedly host sends 0x4340
61
0x4340 ●No error message o Host stops responding to client UDP ●Request Payload o Joining Player Id
62
0x4340
64
●Found 4341 handler in memory dump ●Function makes a lot of calls but doesn’t check return values o Only reads 4 bytes from payload
65
0x4340
66
0x4341 ●Structure o Success Code - 4 bytes o Player Id - 4 bytes
67
Success!
68
What’s next?
70
Conclusion
71
Warnings ●A lot of work o Protocol and Server emulation took about 10 months o More than 80 commands. o Headaches and frustration o Not a lot of existing reference material ●People are crazy o Trolls and complaints about not being done yet ●Copyrights and DMCA o DMCA exception for interoperability o Terms of Service
72
Credits ●GhzGangster (Derrik Touve) ●Zak o http://obsvr.com http://obsvr.com ●Mohamed Saher o http://twitter.com/halsten http://twitter.com/halsten o http://halsten.info http://halsten.info ●Wtfareuthinking1 ●Jayveer
73
Useful tools ●Used public IDA scripts to parse PS3 ELF ○https://github.com/kakaroto/ps3idahttps://github.com/kakaroto/ps3ida ○Revealed SDK functions and references ○More analysis in general than PS2
74
Questions? ●Matthew Halchyshak o matthew@0x0539.net matthew@0x0539.net o @iamcuri0us ●Joseph Tartaro o joseph.tartaro@gmail.com joseph.tartaro@gmail.com o @droogie1xp
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.