Trucha Bug

Posted by WaxyPumpkin72 
Trucha Bug
June 23, 2009 11:41PM
What is this? Any info is appreciated! :D



Edited 1 time(s). Last edit at 06/23/2009 11:41PM by WaxyPumpkin72.
Re: Trucha Bug
June 24, 2009 02:37AM
It's the scene's name for a bug in the signature check, present in many IOS and boot1.

Before data is executed or copied to the Wii, a mathematical function returns a rather unique and very large number, its hash. That number is then stored in memory and will be compared to another number in the signature that comes along with the data.
For reasons that would take a lot of text to explain just consider the second number to be secure.

Both numbers are now present, and the Wii compares them. If they are equal, it will allow it to be executed or copied, or whatever.

Though it is not known what the real source code looks like, it is very likely that the programmer responsible for the signature check used the C library function "strncmp" instead of "memcmp".
Both compare memory areas, byte for byte, but strncmp handles the memory as a string (str).
Strings usually contain printable bytes and can have any length.
In many implementations a byte filled with zeros is considered to mark the end of a string, that's called a "null terminated string".
If the function "strncmp" finds a byte full of zeros, it will consider it to be the end of a string.
If the part before the zero byte is equal, both strings are considered equal, or at least the code found on the wii does.
An exception is the first byte: it has to be a match. A byte on the Wii can have 256 different values.

A fake signature can be created easily by testing all 256 combinations for the first byte (one will be a match) and setting the second byte to 0.

This takes just about a second.

If the bug were not present, we would have to try a lot more combinations: a 15 with 47 zeros behind.



Edited 2 time(s). Last edit at 06/24/2009 02:58AM by daniel_c_w.
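To make the comparison described in the post above concrete, here is an added example (code written for this thread, not Nintendo's code and not anything taken from an IOS or boot1 image): a small SHA-1, the hash check written once with strncmp and once with memcmp, and the brute-force loop that varies a free field in the content until the hash agrees with the forged signature on the bytes strncmp actually looks at. The content layout (64 bytes of 'A' with a 4-byte free field at the end) and the target hash the forged signature is assumed to yield (all zeros, or one chosen first byte followed by 0x00) are constructed for the demo. The loop is a little more general than the post's description: it matches up to and including the first 0x00 byte of the target, so with first byte 0 it needs about 256 hashes and with a nonzero first byte followed by 0x00 about 65536.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN    20
#define CONTENT_LEN 64
#define COUNTER_OFF 60   /* last 4 bytes of the demo content: a freely changeable field (constructed layout) */

/* Minimal SHA-1 (FIPS 180-4) in one call; fine for messages shorter than 2^32 bytes. */
static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

static void sha1(const uint8_t *msg, size_t len, uint8_t out[HASH_LEN]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t padded = ((len + 8) / 64 + 1) * 64;   /* msg, 0x80, zeros, 64-bit bit length */
    for (size_t off = 0; off < padded; off += 64) {
        uint8_t block[64];
        uint32_t w[80];
        for (size_t i = 0; i < 64; i++) {
            size_t p = off + i;
            if (p < len)              block[i] = msg[p];
            else if (p == len)        block[i] = 0x80;
            else if (p >= padded - 8) block[i] = (uint8_t)(((uint64_t)len * 8) >> (8 * (padded - 1 - p)));
            else                      block[i] = 0;
        }
        for (int i = 0; i < 16; i++)
            w[i] = ((uint32_t)block[4*i] << 24) | ((uint32_t)block[4*i+1] << 16) |
                   ((uint32_t)block[4*i+2] << 8) | (uint32_t)block[4*i+3];
        for (int i = 16; i < 80; i++)
            w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (int i = 0; i < 5; i++) {
        out[4*i]   = (uint8_t)(h[i] >> 24); out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);  out[4*i+3] = (uint8_t)h[i];
    }
}

/* Known-answer test from FIPS 180-4: SHA-1("abc"). Returns 1 if our SHA-1 agrees. */
static int sha1_selftest(void) {
    static const uint8_t want[HASH_LEN] = {0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
                                           0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d};
    uint8_t got[HASH_LEN];
    sha1((const uint8_t *)"abc", 3, got);
    return memcmp(want, got, HASH_LEN) == 0;
}

/* The check as the post describes it: strncmp stops at the first 0x00 byte, so
   whatever follows that byte is never compared. */
static int check_vulnerable(const uint8_t expected[HASH_LEN], const uint8_t actual[HASH_LEN]) {
    return strncmp((const char *)expected, (const char *)actual, HASH_LEN) == 0;
}

/* The fix: memcmp compares all 20 bytes whatever their values. */
static int check_fixed(const uint8_t expected[HASH_LEN], const uint8_t actual[HASH_LEN]) {
    return memcmp(expected, actual, HASH_LEN) == 0;
}

/* Number of bytes strncmp actually compares: up to and including the first 0x00. */
static size_t strncmp_effective_len(const uint8_t expected[HASH_LEN]) {
    for (size_t i = 0; i < HASH_LEN; i++)
        if (expected[i] == 0) return i + 1;
    return HASH_LEN;
}

/* Vary the free field until SHA-1(content) agrees with `expected` on every byte the
   vulnerable check looks at. Leaves the winning value in content and returns the number
   of hashes computed; 0 means no match within max_tries. */
static uint32_t forge(uint8_t content[CONTENT_LEN], const uint8_t expected[HASH_LEN],
                      uint32_t max_tries) {
    size_t need = strncmp_effective_len(expected);
    uint8_t h[HASH_LEN];
    for (uint32_t ctr = 0; ctr < max_tries; ctr++) {
        content[COUNTER_OFF]     = (uint8_t)(ctr >> 24);
        content[COUNTER_OFF + 1] = (uint8_t)(ctr >> 16);
        content[COUNTER_OFF + 2] = (uint8_t)(ctr >> 8);
        content[COUNTER_OFF + 3] = (uint8_t)ctr;
        sha1(content, CONTENT_LEN, h);
        if (memcmp(expected, h, need) == 0) return ctr + 1;
    }
    return 0;
}

/* End to end. `first` is the first byte of the hash the forged signature is assumed to
   yield; the remaining bytes are 0x00 (constructed target). first == 0 models a signature
   that yields all zeros; first != 0 models the post's "first byte matches, second byte 0".
   Returns 1 when the forged content passes the strncmp check and fails the memcmp one. */
static int demo(uint8_t first) {
    uint8_t expected[HASH_LEN] = {0}, content[CONTENT_LEN], actual[HASH_LEN];
    expected[0] = first;
    memset(content, 'A', CONTENT_LEN);       /* constructed stand-in for a title's data */
    uint32_t tries = forge(content, expected, 1u << 24);
    if (tries == 0) return 0;
    sha1(content, CONTENT_LEN, actual);
    printf("first byte 0x%02x: match after %u hashes, strncmp: %s, memcmp: %s\n", first, tries,
           check_vulnerable(expected, actual) ? "valid" : "invalid",
           check_fixed(expected, actual) ? "valid" : "invalid");
    return check_vulnerable(expected, actual) && !check_fixed(expected, actual);
}

int main(void) { return (sha1_selftest() && demo(0x00) && demo(0x15)) ? 0 : 1; }
```

The two demo runs show the cost difference the post alludes to: with an all-zero target the search stops as soon as the hash starts with 0x00 (roughly 256 attempts), while requiring a particular nonzero first byte plus a zero second byte takes roughly 65536. Either way memcmp rejects the result, because a 20-byte match would need on the order of 2^160 attempts.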
Re: Trucha Bug
June 24, 2009 02:50AM
Sorry to be picky, but isn't it actually not 0, but /0 ?
Re: Trucha Bug
June 24, 2009 02:55AM
Quote
Kage52124
Sorry to be picky, but isn't it actually not 0, but /0 ?

The byte has a value of 0.
"\0" is just a way to write that in C.

(I assume you meant "\0" not "/0")


Be as picky as you can, please. A complex topic like this requires that.
Is anything not clear?



Edited 1 time(s). Last edit at 06/24/2009 02:56AM by daniel_c_w.
Re: Trucha Bug
June 24, 2009 03:07AM
Here is the wiibrew entry:

[wiibrew.org]


I did not find it half an hour ago and now I stumbled upon it while reading about Datel's freeloader.
If I had found it earlier I could have saved myself from writing a wall of text :D
At least I learned something in the process :D
Re: Trucha Bug
June 24, 2009 03:16AM
Me too, and I didn't remember if it was a forward or backslash. In reference to C, I know a little code, but only within the confines of a Computer Science 101 class and one class on C++.

EDIT: btw I was just curious :-P



Edited 1 time(s). Last edit at 06/24/2009 03:17AM by Kage52124.
Re: Trucha Bug
June 24, 2009 06:36AM
Okay, guys, thanks for the info! I don't really understand any of it, but I will someday! :P
Re: Trucha Bug
June 24, 2009 07:26AM
It also gets explained by Bushing & Marcan with a nice, albeit problematic (you'll see), slide show.
http://www.youtube.com/watch?v=lyVuY_S5VcI&feature=PlayList&p=72658A55B19C8634&index=0
Unfortunately, I forget how far into the video(s) it is. Either way, this should practically be considered "required reading" if you are wanting to start to learn.
Enjoy!
Re: Trucha Bug
June 24, 2009 08:15PM
Quote
PhoenixTank
nice, albeit problematic slide show.
That's an understatement :-P, but yes it was very informative.