xboxscene.org forums

Author Topic: My Find For Xbox Originals!  (Read 322 times)

lordvader129

« on: December 18, 2005, 12:21:00 PM »

QUOTE
Also a quick question: was I playing off the game backup, or was the game just in the memory??

You were just playing off the hard drive cache; you'd get the same results if you took the game out and left the drive empty, or put a different game in its place.

crosseye

« Reply #1 on: December 18, 2005, 12:38:00 PM »

Yep, just playing off the cache.

crosseye

« Reply #2 on: December 18, 2005, 03:29:00 PM »

No problem. At least you tested what we said and found out for yourself. Other people lately just want to argue a point they know nothing about. Keep searching for stuff; you may accidentally stumble across something. After all, most of man's great discoveries are just accidents.

Monoxboogie

« Reply #3 on: December 18, 2005, 04:27:00 PM »

QUOTE(Anubis-MG @ Dec 18 2005, 09:18 PM)

Shit yeah, you're right. I just tried and was able to play for the same amount of time without a game in, and the same thing happens with the error code when going to the next area.

Oh well, I thought I was on to something good.


How were these dumps created? If the backups you used were created using a method that doesn't yield an exact copy of the disc, then that could be the problem. If, for example, the backup didn't include the track that has the "This DVD must be played in an Xbox 360" movie, then when it tries to seek to the proper section, it will fail.

Also, for shits and giggles, have you tried doing so in an area prior to a media load? Play the game, find a place where an FMV loads. Get to that spot again. Let the screen go dark. Switch. Play more; load media. Perhaps upon removal of the disk you're killing the alignment of the laser, and perhaps the "seek" needed to get to the media would realign it and allow you to play the backup.

Keep us posted.  It's a long shot, but you have got guts; removing the top of the drive and all.  I admire your bravery.

lordvader129

« Reply #4 on: December 18, 2005, 06:08:00 PM »

QUOTE(Anubis-MG @ Dec 18 2005, 02:18 PM)

Shit yeah, you're right. I just tried and was able to play for the same amount of time without a game in, and the same thing happens with the error code when going to the next area.

Oh well, I thought I was on to something good.

Yeah, this may not have worked, but at least when you had an idea you gave it a try yourself and posted results. That's what we need in this forum: less talkers, more doers.

QUOTE
How were these dumps created? If the backups you used were created using a method that doesn't yield an exact copy of the disc, then that could be the problem. If, for example, the backup didn't include the track that has the "This DVD must be played in an Xbox 360" movie, then when it tries to seek to the proper section, it will fail.

Also, for shits and giggles, have you tried doing so in an area prior to a media load? Play the game, find a place where an FMV loads. Get to that spot again. Let the screen go dark. Switch. Play more; load media. Perhaps upon removal of the disk you're killing the alignment of the laser, and perhaps the "seek" needed to get to the media would realign it and allow you to play the backup.

Keep us posted. It's a long shot, but you have got guts; removing the top of the drive and all. I admire your bravery.

Hmm, it's possible, but I don't think it would be worth much on the topic of playing backups (having to swap with your original each time would cause more handling of the discs and probably more scratches, defeating the purpose of the backup, lol).

Also, for games that use multiple XBEs (like 007: EON), when it switches from one XBE to the other the media check would fail.

Either way it's worth giving a try; might lead to something else.

CattyKid

« Reply #5 on: December 18, 2005, 07:46:00 PM »

Man, I can at least say that I respect you. Way to get your hands dirty.
Trying never hurt anybody.

Monoxboogie

« Reply #6 on: December 18, 2005, 09:34:00 PM »

QUOTE(lordvader129 @ Dec 19 2005, 02:15 AM)

Yeah, this may not have worked, but at least when you had an idea you gave it a try yourself and posted results. That's what we need in this forum: less talkers, more doers.

Hmm, it's possible, but I don't think it would be worth much on the topic of playing backups (having to swap with your original each time would cause more handling of the discs and probably more scratches, defeating the purpose of the backup, lol).

Also, for games that use multiple XBEs (like 007: EON), when it switches from one XBE to the other the media check would fail.

Either way it's worth giving a try; might lead to something else.


My thought is currently that if we can make it do this switch, we won't play backups, but perhaps create a dummy DVD with a VERY similar TOC and file structure... but a malformed media file. When it loads, buffer overflow, or some other nasty thing, and code execution. I'm aware that MS has stepped up buffer overflow protection, but my hope is that MS let its guard down on media within a game (not save files). I mean, how is a user to make the information on a legitimate DVD bad? ;-)

Of course, I lack a 360 as of yet.  If anybody would like to sell me one at cost...(Yes; I suppose I'm a comedian), then I'll gladly take my hand at it.

bowser22

« Reply #7 on: December 23, 2005, 01:44:00 PM »

You cannot do a buffer overflow on the 360; it is nearly impossible because stack memory is non-executable.

InterestedHacker

« Reply #8 on: December 23, 2005, 03:58:00 PM »

Sounds like a good idea, until you read the hundreds of posts explaining how the boot process works.

Here are my results:-

Inserted original disk; once the game started I swapped it with a copy, which doesn't contain the original media check and doesn't have any of the security placeholders, and the Xbox then told me to STFU and read the bloody forum posts first.

Monoxboogie

« Reply #9 on: December 23, 2005, 08:09:00 PM »

QUOTE(bowser22 @ Dec 23 2005, 09:51 PM)

You cannot do a buffer overflow on the 360; it is nearly impossible because stack memory is non-executable.


As we all know, MS has had a large amount of success in thwarting these attacks.

http://www.securitea...5OP0W00EKW.html

Even with the NX bit on the processors, and DEP, computers are still vulnerable to the same old-style exploits. It's very likely that some exploits like this may be able to be found.

And Mr. InterestedHacker needs to read the fucking post. I didn't suggest doing this *AT* boot. I suggested doing this after the boot process has taken place. A hot swap is the removal of media without allowing the device to know that the media has been switched. This means that the power stays on, and the host device is not made aware of the fact that the drive tray has been ejected or the media has been removed.

DaBiscuit

« Reply #10 on: December 23, 2005, 08:48:00 PM »

Is there any point to trying this with an old XBox1 backup? If any kind of non-original media can be played, it's a start, and we do at least know how to reproduce working copies of the XBox1 disks. I can't try it myself, since XBox360s aren't in stock in my area, and I can't get one. Still, it's something to try.

EDIT: Oh, never mind, you were using XBox1 backups. If the game was continuing from the HDD cache, how about removing the HDD first? How about trying it with a backup copy of a 360 game, now that the dumps are out there? I really wish I could get my hands dirty right now; this is the fun part, even if there are no results.

InterestedHacker

« Reply #11 on: December 24, 2005, 03:57:00 AM »

QUOTE(Monoxboogie @ Dec 24 2005, 05:16 AM)

As we all know, MS has had a large amount of success in thwarting these attacks.

http://www.securitea...5OP0W00EKW.html

Even with the NX bit on the processors, and DEP, computers are still vulnerable to the same old-style exploits. It's very likely that some exploits like this may be able to be found.

And Mr. InterestedHacker needs to read the fucking post. I didn't suggest doing this *AT* boot. I suggested doing this after the boot process has taken place. A hot swap is the removal of media without allowing the device to know that the media has been switched. This means that the power stays on, and the host device is not made aware of the fact that the drive tray has been ejected or the media has been removed.


It's a FACT that the media checks happen more than once! Due to the way in which the security works, you would likely need the original disk (for that game) to boot from every time, so that kinda makes the whole thing pointless! Sorry for being sharp, just fed up of reading the same posts over and over.

It rotates like this:-

1) Why can't we use a buffer overflow.
2) Why can't we hot swap the discs.
3) Why can't we FTP. (This one REALLY winds me up no end)
4) Why can't someone hack MCE so I can watch DivX movies.


It's good to suggest things, but this has been suggested before, and before, and before.

Monoxboogie

« Reply #12 on: December 24, 2005, 08:47:00 AM »

QUOTE(InterestedHacker @ Dec 24 2005, 12:04 PM)

It's a FACT that the media checks happen more than once! Due to the way in which the security works, you would likely need the original disk (for that game) to boot from every time, so that kinda makes the whole thing pointless! Sorry for being sharp, just fed up of reading the same posts over and over.

It rotates like this:-

1) Why can't we use a buffer overflow.
2) Why can't we hot swap the discs.
3) Why can't we FTP. (This one REALLY winds me up no end)
4) Why can't someone hack MCE so I can watch DivX movies.

It's good to suggest things, but this has been suggested before, and before, and before.


I agree with you on several points. I'm tired of answering most of the questions. But I'm also tired of seeing ideas shot down or misunderstood.

"Hey, can we use the save game from..." No.  But I don't think that necessarily means the end of buffer overflows.  Just as the securiteam article I linked to detailed, even with hardware support and special attention to buffer overflow exploits, they couldn't thwart it in x86.  There's a chance for the exploitation opportunities to exist in the 360 yet.  MS left the door open for this one though.  They do have a "safe C library", which replaced strcpy and family with safer versions of it.  No; I'm not talking about strncpy; they have a strcpy function which they claim to be safer.  However, chances are they didn't include it in the 360 toolchain.  In a document once linked on the Xbox scene homepage about how developers without a dev kit could get ready for writing code for the 360, they had a note about only using strcpy in cases where they *absolutely* needed the performance (because with 3 cores at 3.2 GHz, you're hurting for those vital picoseconds. ;-) ).  This precaution seems to allude to the fact that MS may be aware that though they've tried, buffer overflow just may be a method of exploitation we may be able to leverage.  Though the old ways of doing it are probably rendered useless...we'll have to do something other than a save game.  The problem with the question though, is that the people asking it only know of a "buffer overflow" from reading the Xbox 1 "How does the game save hack work?" document.  Most have no clue the mechanics behind such a hack.  Fewer have actually ever written one.  Still fewer can manage to write one for a program which they do not have the source for.

When I say hotswap; I'm not talking about a PS2 style hotswap.  I don't expect to be able to insert PD0 and a backup Condemned, and be able to play the backup.  I do, however, think that there may be a method of exploitation through *a* hotswap.  But I'm going to shut up until I get my 360 and can poke at it myself.

And yeah; the FTP and MCE questions are just retarded.  If we could get our code on the Xbox to open the FTP server, we wouldn't have any of the other problems in running our own code. ;-)  And Xbox 360 may be incredible; but MS is still working on the whole "making little endian, x86, 32 bit codecs work on a big endian, PPC, 64 bit architecture." ;-).  I like it.  That's sig.