xboxscene.org forums


Author Topic: Possible New Exploit?

krayzie

  • Archived User
  • Hero Member
  • *
  • Posts: 3350
Possible New Exploit?
« Reply #15 on: January 14, 2005, 11:15:00 PM »

If I'm not mistaken this disc was already looked at by the real deal people. The disc has boundaries set on all situations so overflows don't seem directly possible. Guess M$ learnt from their mistakes. Also since this disc has the ROE flag off you can put in a copy after it has already loaded and the copy will work since the kernel check was already done at the initial bootup. This also created possibilities since we can now alter the disc, but yet no discoveries are made.
Logged

The_Truth

  • Archived User
  • Full Member
  • *
  • Posts: 134
Possible New Exploit?
« Reply #16 on: January 15, 2005, 02:49:00 PM »

QUOTE
Also since this disc has the ROE flag off you can put in a copy after it has already loaded and the copy will work since the kernel check was already done at the initial bootup. This also created possibilities since we can now alter the disc, but yet no discoveries are made.

So are we saying that it can just be stuck in, removed, and a backup will play?
What about .xbe signing? It seems Music Mixer may boot something, but when I load Music Mixer, then swap discs... to a real game, it won't run... just goes to a black screen and sits.
Also, if you load Music Mixer, then insert a DVD... it reboots back to MS dash to play the DVD.
Logged

DaddyJ

  • Archived User
  • Hero Member
  • *
  • Posts: 1324
Possible New Exploit?
« Reply #17 on: January 15, 2005, 02:56:00 PM »

He was referring to a copy of the original disc in question.

Logged

The_Truth

  • Archived User
  • Full Member
  • *
  • Posts: 134
Possible New Exploit?
« Reply #18 on: January 15, 2005, 03:16:00 PM »

It also tries to boot other games... but it just goes to a black screen. Can a modified version of the .xbe for the MM disc be run? Or does it still check signing?
There has got to be some flaw in this disc... it's by Wild Tangent!

Wow... I just can't believe that they actually thought of preventing a buffer overflow on a file format! That's unusual because that means they thought one step ahead!
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Possible New Exploit?
« Reply #19 on: January 15, 2005, 05:10:00 PM »

While using the XBMM (XBox Music Mixer), it is possible to eject the XBMM application DVD, insert an audio CD from which to rip a sound sample, then pop in the XBMM DVD and continue mixing. The XBMM XBE remains running in memory, and has obviously already passed all its signature and media checks. The APILogger utility was developed to help work out how XBMM determined when the audio CD was removed and the XBMM application DVD reinserted. The working theory was that the program sensed this by checking for the existence of a file on the XBMM media. The hope was that an alternative DVD could be inserted after the audio CD was removed, and the XBMM XBE tricked into reading in a file containing an exploit.

IIRC XBMM makes extensive use of the Xbox cache drives, and limits what it reads from the application DVD once running. IIRC I never figured out how to force it to read from the alternative DVD after it was inserted. That said, I'm not at all familiar with the program, and spent not much more than a single night on this whole investigation. It was very quickly shelved in favour of more promising ideas, with a mental note to return to it when time allowed.
Logged

The_Truth

  • Archived User
  • Full Member
  • *
  • Posts: 134
Possible New Exploit?
« Reply #20 on: January 15, 2005, 07:04:00 PM »

lol... OK, first off... does time now allow?
OK, I understand that it was examined for the possibility of a disc swap... but was it also examined for an overflow attack due to media sent from a computer? I just want to know what has been explored on this disc so as to not waste mine, or anyone else's, time.
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Possible New Exploit?
« Reply #21 on: January 16, 2005, 01:28:00 AM »

QUOTE(The_Truth @ Jan 16 2005, 03:35 AM)
OK, I understand that it was examined for the possibility of a disc swap... but was it also examined for an overflow attack due to media sent from a computer?


Logged

Flame2k

  • Archived User
  • Full Member
  • *
  • Posts: 152
Possible New Exploit?
« Reply #22 on: January 16, 2005, 06:58:00 AM »

Sounds interesting.

Surely there must be a way to inject code if the ROE flag is off and signatures have already been checked.
Logged

EthanHunt_IMF

  • Archived User
  • Full Member
  • *
  • Posts: 141
Possible New Exploit?
« Reply #23 on: January 16, 2005, 09:34:00 AM »

QUOTE(The_Truth @ Jan 15 2005, 05:47 PM)
There has got to be some flaw in this disc... it's by Wild Tangent!
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Possible New Exploit?
« Reply #24 on: January 16, 2005, 10:39:00 AM »

QUOTE(EthanHunt_IMF @ Jan 16 2005, 06:05 PM)
Doesn't everything go to MS first for testing before it gets signed and sent off to the presses? I bet they check for stuff that might be exploitable.
Logged

total_ass

  • Archived User
  • Hero Member
  • *
  • Posts: 1201
Possible New Exploit?
« Reply #25 on: January 16, 2005, 10:50:00 AM »

Exactly, all of the mods that we are using are based on simple human errors.
Logged

DaddyJ

  • Archived User
  • Hero Member
  • *
  • Posts: 1324
Possible New Exploit?
« Reply #26 on: January 16, 2005, 01:22:00 PM »

People make mistakes, and we thrive off of them.
Logged

The_Truth

  • Archived User
  • Full Member
  • *
  • Posts: 134
Possible New Exploit?
« Reply #27 on: January 16, 2005, 07:43:00 PM »

Damn straight we do. I don't doubt one bit that MS may have patched "most" of the previous ways in... but for some reason... (rmenhal or PedrosPad, please feel free to smack me) I don't think they patched the code for .mp3 and .jpg!
Logged

The_Truth

  • Archived User
  • Full Member
  • *
  • Posts: 134
Possible New Exploit?
« Reply #28 on: January 16, 2005, 10:45:00 PM »

Better question... how do you look at the code for exploits? Is there a disassembler usable with .xbe's? lol, I'm trying my hardest to learn a little bit of asm for this purpose... it's a real challenge! Those of you that do it... I say... WOW... hats off to you!
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Possible New Exploit?
« Reply #29 on: January 17, 2005, 12:45:00 AM »

QUOTE(The_Truth @ Jan 17 2005, 07:16 AM)
Better question... how do you look at the code for exploits? Is there a disassembler usable with .xbe's?

Logged