xboxscene.org forums


Author Topic: Idea For Softmod Exploit?  (Read 448 times)

eX_Do0mY

  • Archived User
  • Newbie
  • *
  • Posts: 18
Idea For Softmod Exploit?
« Reply #30 on: July 10, 2006, 02:48:00 PM »

QUOTE(Tomobobo @ Jul 5 2006, 07:07 AM)

I mean, please don't rip into me because I have very very little knowledge of programming, but does the .xbe that we're trying to launch necessarily need to be embedded within the .map file? Couldn't you in some way write a .map that just says "hey, launch this over here" just by making the box try to load that particular map? That was my understanding of how this was going to work; of course, I probably misunderstood and overestimated the possibilities and limits of creating some sort of hacked map file.


Nope, that still shouldn't work unless the XBE was signed.  It should go like this.

1.  Load Halo 2.
2.  Load modified maps with injected XBE/launcher code.
3.  Map will say "Execute this unsigned XBE code."
4.  Hypervisor/kernel will say "No, it's not signed with the proper code."

This post has been edited by eX_Do0mY: Jul 10 2006, 09:50 PM

FrEaKsHoW12390

  • Archived User
  • Newbie
  • *
  • Posts: 22
Idea For Softmod Exploit?
« Reply #31 on: July 25, 2006, 10:35:00 PM »

OK, how does this work? I read the first post. Is this Xbox or Xbox 360? I'm confused. Or do I need both? I have a 360, that's it; my 2 Xboxes broke.

jameswalter

  • Archived User
  • Hero Member
  • *
  • Posts: 745
Idea For Softmod Exploit?
« Reply #32 on: July 26, 2006, 08:16:00 AM »

QUOTE(Zombiekenny @ Jul 10 2006, 04:04 AM)

It could work with the 360, don't knock it till you try it.



You think that MS would allow a softmod like they did on the Xbox? They learned from their mistakes on the Xbox; the DVD drive hacking that is now being done wasn't done on the Xbox previously, so they couldn't foresee it. Loading an XBE is impossible unless it is signed; the hypervisor oversees all code execution. Please don't come in here thinking you have great ideas if they are unresearched.

dutch nelson

  • Archived User
  • Jr. Member
  • *
  • Posts: 64
Idea For Softmod Exploit?
« Reply #33 on: July 26, 2006, 12:50:00 PM »

PS to the guy that said he tested it a few posts ago.

With injecting a code I don't mean renaming a .xbe to .map.
I mean injecting a code IN the map.

Not replacing the map, lol.

CamdogXIII

  • Archived User
  • Sr. Member
  • *
  • Posts: 345
Idea For Softmod Exploit?
« Reply #34 on: July 28, 2006, 03:03:00 PM »

You do know that all XBEs that run on the 360 need an emulator profile to tell the hardware how to "talk" to the software correctly (ATI chip talking like an NVIDIA chip). Now how would the loader you are describing load if it doesn't have an emulator profile? (And currently the Xbox 360 development kit is not public, so you can't make an .xex either.)

MasterChief1517

  • Archived User
  • Newbie
  • *
  • Posts: 3
Idea For Softmod Exploit?
« Reply #35 on: September 14, 2006, 04:10:00 PM »

I know this sounds stupid, but couldn't you try creating a file that causes the hypervisor to crash by creating an overflow of code? It would probably destroy your 360 before it worked anyway. Maybe the USB devices don't have as much security as the rest; try to make an exploit that uses the USB devices to allow you to run homebrew launchers.

geoffmac

  • Archived User
  • Jr. Member
  • *
  • Posts: 73
Idea For Softmod Exploit?
« Reply #36 on: October 02, 2006, 08:18:00 AM »

lmao

Some people say the stupidest things

Methadon

  • Archived User
  • Full Member
  • *
  • Posts: 149
Idea For Softmod Exploit?
« Reply #37 on: October 10, 2006, 09:48:00 PM »

This is a wonderful idea to explore for an exploit, but I can't help but think that we could find some sort of exploit through authoring a DVD-Video. Since the 360 will run burned DVDs out of the box (as well as burned CDs, which is another possibility to explore), we may have a backdoor here somewhere.

I have a DVD that I know has a structural error that creates an infinite loop. The only question would then be: if a security hole is present from a DVD or CD playback related error, then how could something then be executed to modify anything from that point? Still, I can't help but think that that would be the area with the least security to deal with.

xbox7887

  • Archived User
  • Newbie
  • *
  • Posts: 15
Idea For Softmod Exploit?
« Reply #38 on: October 22, 2006, 05:47:00 PM »

QUOTE(dutch nelson @ Jul 26 2006, 01:21 PM)

PS to the guy that said he tested it a few posts ago.

With injecting a code I don't mean renaming a .xbe to .map.
I mean injecting a code IN the map.

Not replacing the map, lol.

I've taken a look at the map loading code, for I was going to do a similar hack with the regular Xbox, embedding custom code into the map files. Everything I've seen has proper bounds checking... all map strings and header data are properly checked for length before being fully read on the stack.

header-check portion of the map loading code...
(IMG:http://img233.imageshack.us/img233/6663/loadmaptj6.jpg)

However, the possibility of any type of buffer overflow exploit being run on the Xbox 360 is entirely out of the question if you were to read up on the hypervisor and how it works. I've spent a lot of time contemplating a way in from the software side... it all comes back to the hypervisor. I'm afraid the only way you'll ever get to run unsigned code on a 360 is through a hardware hack, which I don't foresee any time soon :X

This post has been edited by xbox7887: Oct 23 2006, 12:58 AM
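The kind of bounds check xbox7887 describes above (a length field validated against both the destination buffer and the remaining file before anything is read onto the stack), shown as an added C example. This is not code from this thread and not the actual Halo 2 map loader; the header layout (a magic value, a 32-bit little-endian name length, then the name bytes), the MAP_MAGIC constant, the 32-byte buffer size and the sample name are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy header layout (not the real Halo 2 map format):
 *   bytes 0..3  magic value
 *   bytes 4..7  little-endian length of the name that follows
 *   bytes 8..   name bytes (not NUL-terminated in the file) */
#define MAP_MAGIC 0x70616D68u   /* arbitrary constructed value */
#define MAX_NAME  32            /* size of the fixed stack buffer in the caller */

enum map_status {
    MAP_OK = 0,
    MAP_TOO_SHORT,      /* input smaller than the fixed header */
    MAP_BAD_MAGIC,      /* magic mismatch */
    MAP_NAME_TOO_LONG,  /* length field would overrun the destination buffer */
    MAP_TRUNCATED       /* length field claims more bytes than the file holds */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header into name_out (a MAX_NAME-byte buffer).  The length field
 * is checked against the destination size and the remaining input size
 * before the copy, so an inconsistent file cannot overrun the stack buffer. */
int parse_map_header(const uint8_t *buf, size_t len, char name_out[MAX_NAME])
{
    if (len < 8)
        return MAP_TOO_SHORT;
    if (read_le32(buf) != MAP_MAGIC)
        return MAP_BAD_MAGIC;
    uint32_t name_len = read_le32(buf + 4);
    if (name_len >= MAX_NAME)          /* leave room for the terminator */
        return MAP_NAME_TOO_LONG;
    if (name_len > len - 8)            /* claimed bytes are not present */
        return MAP_TRUNCATED;
    memcpy(name_out, buf + 8, name_len);
    name_out[name_len] = '\0';
    return MAP_OK;
}

/* Build a constructed header in memory.  claimed_len is written verbatim so
 * that inconsistent files can be produced for testing.  Returns bytes written,
 * or 0 if the output buffer is too small. */
size_t build_map_header(uint8_t *out, size_t cap, uint32_t claimed_len, const char *name)
{
    size_t name_bytes = strlen(name);
    if (cap < 8 + name_bytes)
        return 0;
    out[0] = (uint8_t)MAP_MAGIC;           out[1] = (uint8_t)(MAP_MAGIC >> 8);
    out[2] = (uint8_t)(MAP_MAGIC >> 16);   out[3] = (uint8_t)(MAP_MAGIC >> 24);
    out[4] = (uint8_t)claimed_len;         out[5] = (uint8_t)(claimed_len >> 8);
    out[6] = (uint8_t)(claimed_len >> 16); out[7] = (uint8_t)(claimed_len >> 24);
    memcpy(out + 8, name, name_bytes);
    return 8 + name_bytes;
}

/* Build a header with the given claimed length and parse it; returns the
 * parser's status, or -1 if the constructed file did not fit. */
int check_header_case(uint32_t claimed_len, const char *name)
{
    uint8_t file[64];
    char parsed[MAX_NAME];
    size_t n = build_map_header(file, sizeof file, claimed_len, name);
    if (n == 0)
        return -1;
    return parse_map_header(file, n, parsed);
}

/* Returns 1 if a consistent header for name parses back to the same name. */
int parse_roundtrip_ok(const char *name)
{
    uint8_t file[64];
    char parsed[MAX_NAME];
    size_t n = build_map_header(file, sizeof file, (uint32_t)strlen(name), name);
    if (n == 0)
        return 0;
    return parse_map_header(file, n, parsed) == MAP_OK && strcmp(parsed, name) == 0;
}

int main(void)
{
    /* "example_map" is a constructed 11-byte name */
    printf("consistent header: %d\n", check_header_case(11, "example_map"));          /* MAP_OK */
    printf("oversized length:  %d\n", check_header_case(0xFFFFFFFFu, "example_map")); /* MAP_NAME_TOO_LONG */
    printf("truncated file:    %d\n", check_header_case(20, "example_map"));          /* MAP_TRUNCATED */
    return 0;
}
```

The order of the two checks matters: the destination-size test comes first so that a huge length value is rejected before it is subtracted from or compared with anything else, and the remaining-input test uses `len - 8` only after `len < 8` has already been ruled out.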

OpticNurv

  • Archived User
  • Jr. Member
  • *
  • Posts: 88
Idea For Softmod Exploit?
« Reply #39 on: October 26, 2006, 01:01:00 PM »

A hunch says you shouldn't be looking for an overflow; instead, you should check the ram banks...

But then again, it's just a hunch.

xbox7887

  • Archived User
  • Newbie
  • *
  • Posts: 15
Idea For Softmod Exploit?
« Reply #40 on: October 27, 2006, 08:37:00 PM »

QUOTE(OpticNurv @ Oct 26 2006, 01:08 PM)

A hunch says you shouldn't be looking for an overflow; instead, you should check the ram banks...

But then again, it's just a hunch.

I'm not quite sure what you mean by "ram banks", but you've just given me another idea which may or may not be related ;P

xbox7887

  • Archived User
  • Newbie
  • *
  • Posts: 15
Idea For Softmod Exploit?
« Reply #41 on: October 27, 2006, 09:24:00 PM »

Never mind... that didn't work either. So far I've looked at the map header, HUD messages, map strings, and my last idea, which was to see if the data referenced by map pointers was loaded directly onto the stack... all of which have failed miserably. I've basically done everything you can to attempt to break a map without it segfaulting. If you have anything else to add about your supposed "ram banks", please feel free to do so, but I can't think of any other immediate way of gaining access without performing an overflow that overwrites the return address...

OpticNurv

  • Archived User
  • Jr. Member
  • *
  • Posts: 88
Idea For Softmod Exploit?
« Reply #42 on: October 28, 2006, 11:00:00 AM »

QUOTE(xbox7887 @ Oct 27 2006, 08:31 PM)

Never mind... that didn't work either. So far I've looked at the map header, HUD messages, map strings, and my last idea, which was to see if the data referenced by map pointers was loaded directly onto the stack... all of which have failed miserably. I've basically done everything you can to attempt to break a map without it segfaulting. If you have anything else to add about your supposed "ram banks", please feel free to do so, but I can't think of any other immediate way of gaining access without performing an overflow that overwrites the return address...


I'm not too technically advanced, but it's common sense to check the ram banks, because every file in use should be loaded onto the RAM chips if it's anything like RAM for a PC. That's how I came across that conclusion. If you can tap the RAM and extract the files, I'm pretty confident that it will at least be a start in the right direction.

I hope that helps explain where I got my hunch.

OpticNurv

  • Archived User
  • Jr. Member
  • *
  • Posts: 88
Idea For Softmod Exploit?
« Reply #43 on: October 28, 2006, 04:21:00 PM »

QUOTE(xbox7887 @ Oct 28 2006, 02:23 PM)

Um... not quite sure how to say this, but your hunch is nowhere close to being correct ;P


No matter, just trying to help dish out ideas to help with the homebrew movement.

Ozy

  • Archived User
  • Hero Member
  • *
  • Posts: 1436
Idea For Softmod Exploit?
« Reply #44 on: October 30, 2006, 11:10:00 AM »

Glad to see some people care about homebrew, I thought this place was turning in to a pirate zone.

Anyway, are there any Xbox 1 games that are not as strict about map signing? It would have to be a Live game. Halo 2 should be abandoned. Perhaps some of the first gen LIVE games that had downloadable content.

Anything spring to mind?

Anyhow, there are 2 people on this forum (at least) who have access to an XDK for the X360. Not that they would do anything like this, as I do believe they would be raped by M$, put in prison and raped again, lose their job and get fined loads.
