A few questions on exploits

Posted by CptAJ 
A few questions on exploits
September 09, 2010 11:17PM
So I've dabbled with libOGC and had some SDL fun with my console. Great. Now I'm curious about how we got there at all.

I've been reading up on the exploits that were/are used to install the homebrew channel and such. I find this stuff fascinating and would love to learn more. I downloaded the zelda/indiana pwns source but I've hit a few snags....

To be honest, I have no idea what I'm looking at. Is this supposed to be a PC app to generate the savefiles? Any tips on compiling? (I'm not such an experienced programmer, I'll admit. Reading makefiles and such is a bit beyond me at the moment)

I understand that the exploit works using a stack overflow of the epona name field (at least it did anyway) to inject some code to the machine. How is this *actually* done? What kind of code is it? How do you craft it?

Basically, I want to learn more about how all these exploits work and how they're created. Please don't be annoyed by the questions, I would love to learn more about the whole thing.
Re: A few questions on exploits
September 09, 2010 11:49PM
The exploit sources are mainly ASM (assembly language), the lowest level language properly readable by humans (only thing lower is pure binary). ASM is slightly different depending on the processor by my understanding, and what you're looking at is PPC ASM. The savefiles are generated using segher's tools AFAIK, and that's handled by the makefile I think. The actual code is an ELF/DOL loader, written in ASM. This is then inserted into the save at a particular position. When the save is loaded, this code is loaded into memory at a set location. When the buffer overflow occurs, one or more of many variables the game has (known as "registers") is under the control of the hacker who engineered the exploited save. The game attempts to jump to the address in one of the controlled registers, thinking this will help it recover from the crash, but because the hacker has manipulated the register, the game instead jumps to the location the hacker chose, i.e. where the ELF/DOL loader is loaded in memory.

I hope this helps explain it, this is a fairly rough, basic explanation, but I think the gist of it is correct.
Re: A few questions on exploits
September 10, 2010 12:52AM
I've actually been working on developing some exploits for the Wii via savegame. It's a very interesting process which boils down to:

1) Reverse the main.dol of a Wii ISO into PPC asm
2) Reverse the checksum used to save data
3) Apply the checksum to an unencrypted savefile (you can get unencrypted savefiles by extracting them from the Wii with a tool like my Savegame Manager MOD) via a hex editor
4) Exploit the save data
5) Write code into the save to handle the exception (crash) and run a boot.dol/.elf file in the root of the SD Card
6) Apply the checksum back to the savegame via a hex editor
7) Reinstall the savegame onto the Wii
8) You now have a working exploit

The only truly difficult part is finding a game with exploitable data. You can only do this by guessing, you won't really know until you apply the checksum to the unencrypted savegame.

Edit: I'm still learning as I go along, anyone feel free to point out any inaccuracies in this.



Edited 1 time(s). Last edit at 09/10/2010 12:53AM by Arikado.
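As an added illustration (not code from this thread, from any Wii game, or from the tools mentioned), here is a loader for a small constructed save format that performs the two checks the posts above revolve around: verifying the checksum before trusting any of the data, and rejecting a name field that does not fit its fixed buffer instead of copying it blindly. The layout, the additive checksum and the NAME_BUF size are assumptions made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical save layout (constructed for this example, not a real game's):
 *   [0..1]  16-bit big-endian additive checksum over every byte that follows
 *   [2]     length of the name field
 *   [3..]   name bytes, which the loader copies into a fixed-size buffer
 * A loader that trusts [2] and copies into a fixed buffer is the kind of
 * name-field overflow the thread describes; load_save_checked() refuses it. */
#define NAME_BUF 16

enum { SAVE_OK = 0, SAVE_TRUNCATED = 1, SAVE_BAD_CHECKSUM = 2, SAVE_NAME_TOO_LONG = 3 };

/* Wrapping 16-bit byte sum; stands in for whatever per-game checksum is reversed. */
static uint16_t save_checksum(const uint8_t *p, size_t n) {
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint16_t)(sum + p[i]);
    return sum;
}

/* Build a correctly checksummed save image; returns its length, or 0 on error. */
size_t build_save(uint8_t *out, size_t cap, const char *name, size_t nlen) {
    if (nlen > 255 || 3 + nlen > cap) return 0;
    out[2] = (uint8_t)nlen;
    memcpy(out + 3, name, nlen);
    uint16_t c = save_checksum(out + 2, 1 + nlen);
    out[0] = (uint8_t)(c >> 8);
    out[1] = (uint8_t)(c & 0xff);
    return 3 + nlen;
}

/* Validate integrity first, then bounds before any copy into name_out[NAME_BUF]. */
int load_save_checked(const uint8_t *save, size_t len, char name_out[NAME_BUF]) {
    if (len < 3) return SAVE_TRUNCATED;
    uint16_t stored = (uint16_t)((save[0] << 8) | save[1]);
    if (stored != save_checksum(save + 2, len - 2)) return SAVE_BAD_CHECKSUM;
    size_t nlen = save[2];
    if (3 + nlen > len) return SAVE_TRUNCATED;        /* length byte exceeds the file */
    if (nlen >= NAME_BUF) return SAVE_NAME_TOO_LONG;  /* leave room for the NUL */
    memcpy(name_out, save + 3, nlen);
    name_out[nlen] = '\0';
    return SAVE_OK;
}
```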
Re: A few questions on exploits
September 10, 2010 07:25AM
Using USB Gecko with WiiRD will help you to test exploits before you start to dig into checksums.
You may put a break point at the desired address and then inject code through the debugger. If it works, then you may proceed to reverse-engineering of checksums and generate a loadable savegame :)
Re: A few questions on exploits
September 10, 2010 07:53PM
Thanks guys. Awesome responses so far. Let's dig deeper...

Quote
Arikado
1) Reverse the main.dol of a Wii ISO into PPC asm
2) Reverse the checksum used to save data
3) Apply the checksum to an unencrypted savefile (you can get unencrypted savefiles by extracting them from the Wii with a tool like my Savegame Manager MOD) via a hex editor

I want to see a working example of this. For starters, what tools do I use to turn the ISOs into assembly? Would it be reasonable to do this with twilight princess since presumably someone can point out the exact spot where the exploit is?

I've been reading up a bit on these exploits in general. So basically the code I need to inject is a simplified shell that will allow me to manipulate whatever I need to manipulate, right? This alone seems like a tall order. Any links to basic assembly programming and shell programming? My experience with assembly is VERY limited (some completely basic PIC programming a long time ago).

I just started reading through this.
[www.acm.uiuc.edu]

Any other links on the subject you can share will be most welcome. Articles, books, tutorials, tool recommendations, etc.
Thanks =)
Re: A few questions on exploits
September 10, 2010 08:42PM
Use a tool such as WiiScrubber to extract the DOL from the ISO (the DOL is of course the executable file).

You can then use IDA Pro to disassemble this (i.e. turn it to ASM). This costs a lot of money though. A free (but much less powerful/useful I believe) alternative is objdump-arm-eabi, part of the GNU Debugger Tools and included with devkitPro.
Re: A few questions on exploits
September 13, 2010 04:20PM
This is generally how I do it:

First I rip the ISO from the game disc I wish to hack. There are tons of tools for Wii homebrew that can do this for you. However, most of them also let you play pirated copies of games so I'm going to have to ask you to google for one (unless someone else knows of one). Actually, this just popped up right after I posted. Use this: [wiibrew.org]

After I have the ISO on my computer I open it up with WiiScrubber and extract the main.dol from it.

Once I have the main.dol, I use megazig's tools ( [github.com] ) to get detailed output on the main.dol. Usually it will tell me right where the checksum is calculated.

Then I'll use IDA Pro (you need some plugins in IDA Pro to do this - I'll edit my post with links to download them from later as they're really hard to find) to open up the main.dol in assembler and find where the checksum is calculated.

After I reverse the algorithm used to calculate the checksum, I proceed with the steps I listed above.

As for reading on the subject, your best bet is to learn as much PPC assembler as you possibly can. It will prove to be invaluable to you.



Edited 1 time(s). Last edit at 09/13/2010 04:32PM by Arikado.
Re: A few questions on exploits
September 13, 2010 07:04PM
Quote
Arikado
This is generally how I do it:
...
As for reading on the subject, your best bet is to learn as much PPC assembler as you possibly can. It will prove to be invaluable to you.

Yes, I've been reading up quite a bit on the subject of reverse engineering these past few days. I managed to get the dol into IDA Pro after some googling turned up the required plugins. I'm still completely lost looking at the assembly. I guess I'll be needing to do more reading before I touch the stuff. This is great though, the picture is starting to clear up. If you have any reading materials for PPC assembly I'll gladly click them ;)
Re: A few questions on exploits
September 13, 2010 07:45PM
Quote
Arikado
First I rip the ISO from the game disc I wish to hack. There are tons of tools for Wii homebrew that can do this for you. However, most of them also let you play pirated copies of games so I'm going to have to ask you to google for one (unless someone else knows of one). Actually, this just popped up right after I posted. Use this: [wiibrew.org]

After I have the ISO on my computer I open it up with WiiScrubber and extract the main.dol from it.

Just a little note: It may be quicker to use WiiXplorer, which can browse Wii game DVDs and dump individual files (e.g. the main .DOL) to SD/USB/FTP/whatever, rather than dumping the whole game, and then extracting the one file you actually want.
Re: A few questions on exploits
September 13, 2010 09:31PM
I can't find any books on PPC assembly. I'm gonna start reading up on Intel assembly and go from there. Or do you have any other suggestions?