Good morning, all right, so I'm gonna be talking about video game stuff today. So, as was already announced, I am Ron Bowes; I'll have my contact information in the last slide if anybody wants to find me later. I'm originally from Winnipeg, I'm Canadian, I live in Seattle, and I come to Montreal for vacation. I come here to practice my French, which it turns out is really bad, but I try. I don't really try, but I took 10 years of French in school; you would think I'd be good by now, but nope. So I spend my days working for Counter Hack. We make a bunch of different hacking games: NetWars is one of them, CyberCity and all that stuff; it's all different SANS products. Outside of work I do dnscat2, which is a DNS tunnel and kind of how I got introduced to Montreal hackers to begin with, and I love reverse engineering, taking apart tools. I just did some firmware reverse engineering for work a couple of months ago, fuzzing firmware and finding vulns and stuff; it's pretty cool. But I originally got into information security via game hacking back in the early 2000s, which is where this talk's gonna sort of focus.

So we'll talk about video games and what we can learn from them: some hacks, cheats, whatever. As I said, I did video game hacking before I did real security, and I think that gives me some kind of unique insight and some interesting things to talk about. And you know, as a kid my dad always told me "you're wasting your time with these stupid games," but here I am, so take that. So there's not gonna be a whole lot of new and unique research; there's gonna be a lot of history, things that were never documented. I tried to find a lot of information about some of the Battle.net hacking and stuff like that, and there's nothing online anymore; it's all lost history. So I'll be talking about some of those things that nobody probably knows about anymore, and give you guys some knowledge, some new things to think about. Hopefully I do that, but in reality I just want to watch YouTube all day and then call it research.

So let's talk about the motivation of game hacking. So: fun, education. That's kind of how I got into it: I was in high school, I was bored, I wanted to do better at video games, so I learned how to write cheats. I'm sure anyone who's played Mario World as a kid has probably gotten stuck in a wall at some point or whatever, and some people take that and figure out how they can use it to either beat levels faster or get code execution or something. It's also a great place to learn hacking skills sort of safely. If you're trying to learn hacking by hacking websites or whatever, you're obviously getting in trouble, or your school's site is even worse, but video game stuff, as long as it's on your own machine, is pretty safe; no one's gonna get mad at you for it. So it's a good place to learn a little bit of reverse engineering, and how do you edit your save file to give yourself more lives, or how do you whatever.

There's also speedrunning, which is a huge thing. I have a little video here that's probably not gonna work, because I put my phone in airplane mode and I was tethered to it, but it doesn't matter. I could do a whole talk on speedrunning, and I was actually planning on doing a lot more about speedrunning, but it turns out that standing here and talking about video game speedrunning in slides is really boring, so I decided not to do that. But a lot of the glitches I will talk about are ways to beat games faster, and I'll have a bunch of links throughout to different things I think are worth looking at. This one, for example, a Mario 64 speedrun: speedrunning often almost exclusively uses built-in features, so they look for things that are in the game. The example I have here, which might work in my other tab, is in Mario 64: when you jump you gain speed, but they don't want you to go too fast, so they subtract speed from you, they subtract velocity from your speed. But if you jump backwards they still subtract velocity, and therefore you can go infinitely fast backwards. And let me just see if this actually loads in the other tab; I don't know how far it'll play, but I only want the first 30 seconds anyway. This looks okay on the projector, right? I guess. Yeah, so you'll see him going to an edge and jumping backwards, and by doing that they gain infinite speed and can jump through walls. So it's kind of like misusing a feature of the game.

So, presenting again. I've also got a Breath of the Wild one; the airplane mode is just because hopefully it doesn't interfere too much. So yeah, Breath of the Wild: just this week somebody discovered a glitch where, I don't know if you guys have played the new Zelda game, but if you freeze something with a stasis gun and whack it a bunch and jump on it, you can go flying around the world, and people found new and interesting ways to do that. And that link there (I'll give you my slides afterwards) is a really cool demonstration of that.

Another big thing about game hacking is interoperability, which is, you know, writing clients that weren't intended to be written. So I cut my teeth, as I said, on Battle.net hacking: StarCraft, Warcraft 2, Diablo 1, Diablo 2 a little bit. The really old Battle.net stuff used to have a huge community of players, tens of thousands, millions of players, and the games all have pre-game chat rooms where you could find people, meet people, stuff like that. But there are very limited operations in the sense of banning users, muting users, all the new stuff you get with Slack and even IRC and stuff. The problem is the person who got the ability to moderate channels was the first person there, so if you disconnect and close the game, somebody else takes over your channel and bans everybody, and that's not great. So people wrote bots. Initially these bots used a chat gateway where you telnet to useast.battle.net on port 6112 and you type a key (I forget, control-D or something), and then you can chat with people just like normal, just plain text chat. The problem is that this very quickly became a source of spam: people would write spam bots, they would log into this protocol and just make noise and stuff. So Blizzard, to fix the spam problem, just prevented these guys from doing anything. Now suddenly everyone who wrote these bots that moderated channels and stuff couldn't use them anymore for those purposes, so instead people started writing bots that would emulate the game clients. So we would reverse engineer the StarCraft game and say, how does the login work? It connects to the server, it gets updates, it verifies your CD key, it hashes your password with SHA-1-ish, not quite SHA-1, SHA-1 with a bug I guess is how it works. And yeah, that was fun to reverse engineer, but there's a whole bunch of stuff. And then as the spam bots took over, Blizzard would add new things. For example, when you were logging into the game it would take a screenshot, hash the screenshot and send it, which prevents you from using a bot unless you just take a screenshot yourself, which everyone just did. There's a whole bunch of really cool stuff like that.

And a topic about Battle.net that's talking to pirate clients a little bit, and that was a big deal, and I'll talk a little bit more about that later, but it was also pirate servers. So when Warcraft 3 came out there was a big beta where everyone could be part of the Warcraft 3 beta, but they only picked like X thousand users or whatever and they gave them beta access to the real Warcraft 3 servers. The problem was everyone wanted to play, so people were setting up their own servers, with their own worlds or their own matchmaking services and stuff; bnetd I think was one, and there's lots of others. But basically Blizzard wanted to prevent people from using it, so they added an encryption thing, which I'll talk about shortly. Of course they made a mistake in the encryption thing and that made it possible to still do it, so I think that's the next thing to talk about. Actually, one funny little note: Battle.net back in those days, you would log in, you'd send like "hey, I want to connect," and they would send you back a chunk of code to run and say "run this code to verify your version." This is not a signed connection, it's not encrypted; it's plain text code on the network sent to you. This is 2001 security.

And then the last motivation is profit. World of Warcraft farming when it came out: running bots that would go collect gold and then sell gold for literally actual money. There's also pirating games; I'm gonna talk a little bit about bypassing CD key checks and stuff a little bit later, and you know, this is where it gets into legal grey, well not really grey territory, black territory, but pirating games was a big thing, still probably is a big thing. And then speedrunning, I talked about already: people who are really, really good at speedrunning can make a lot of money; there's Twitch sponsorships, there's always things. But there are two very famous speedrunners, Billy Mitchell and Todd Rogers, who just this year had like 30-year-old records revoked for cheating, and it was very obvious to everyone in the community that they had cheated for these records, but the official, like, one was in Guinness, one had a documentary made about him, The King of Kong, about these very well-known cheaters, and they finally actually had the records revoked this year. So the two links at the bottom, if you watch them later, they're really, really interesting, kind of 10-, 15-minute backstories on how they cheated. One used like fake arcade cabinets; one just said he got a low record and no one verified it, it's the Dragster speed record, it's very famous if you look it up. Yeah, anyway.

Let's talk about bugs. So I just started with something really simple. If anybody here has played the Deus Ex games, a big part of the games is the fact that you can take multiple paths to everything you do. One path is to take your guns out blazing and shoot everything and break in, blow up doors and all that; the other one is to look for people leaving notes all over the place with passwords on them. And this is very much like real security. This text is really small, but it says "okay, I'm ready at my end; if you can't get it, if there's any Arizona console, login using CLOD 04 SF blah blah blah." This is in a game; it lets you log into the system. In real life that's exactly what happens: people leave their passwords every which place. So that was just a really nice, simple little intro to this.

The first thing we talk about in a more detailed way is bad crypto. So this famous XKCD, you know, the one about millions of dollars of hardware to crack a password versus a $5 wrench. So we're gonna talk about that again, because that's what I like talking about. So it turns out cryptography, as I'm sure you guys know, is really, really, really hard to get right. I wrote a whole talk about it and gave it at ShmooCon in 2013, five years ago, which is a little bit scary. But crypto is used all over the place: in browsers, in applications, in games. It's used for copy protection, password hashing, to verify clients aren't hacked or aren't modded or whatever, it's used to verify servers aren't sending you evil code; it's used for a million things. The example I start with plays off the Warcraft 3 pirate servers I was talking about a minute ago. So as I said, when Blizzard released Warcraft 3 it came with a very exclusive beta that wasn't available to most of the players. Naturally people wanted to make their pirate servers, so they did. However, Blizzard really wanted to prevent this from happening, so they added in security checks. So I used to have like five slides about this with all the math, but it's really boring. When the user connects to a server, the server encrypts its IP address and sends it to the client. The client decrypts the IP address and verifies it; that's how it verifies it's connecting to the right, the real server, because nobody else has the encryption key to encrypt their IP address.

The first mistake: encryption is not integrity. If they want to use encryption for integrity, they need to sign it with an HMAC or something similar, but if they had an HMAC they wouldn't need the encryption in the first place, because all they want is integrity; there's no secret about the IP address, so why they used encryption rather than signing is a mystery. The second mistake is when they validated the IP address: they would take the IP address, which is four bytes (this predates IPv6, everything predates IPv6), but they would take the four bytes, they would pad it with a thousand and twenty bytes, they would encrypt it, send it to the client; the client would decrypt it and verify the first four bytes are the IP address and then stop. That means that an attacker could generate a valid encrypted block in less than two to the thirty-two tries, or two to the thirty-one tries on average. So they made a classic RSA mistake, which is they did not verify the padding. So here's my implementation of it, which I wrote in JavaOp, a Battle.net operations bot; the source code is at the bottom there. But the way I implemented it was: I took the length of the result and I filled the rest with the proper padding, BB BB BB, and then I verified it. The problem, like, I was writing this talk and saying "okay, Blizzard screwed it up, here's their stupid thing, I did it right, here's my thing," but as I'm writing these slides I look and go, this has a bug in it too, because if you look at byte[] correct_result = new byte[result.length], result is attacker-controlled, so I create my byte array the same size as the attacker wants me to. So I had a vulnerability in my code too. It just goes to show encryption is really hard to get right. So lessons from this section are: crypto is really, really hard, and RSA is ridiculously fragile. There are very few people in the world who know RSA well enough to actually use it for proper encryption and not have vulnerabilities. I tweeted about this yesterday.
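Added example (this is not code from the talk, from Blizzard or from JavaOp): the two padding-check mistakes described above, side by side with a strict check. The 4-byte IP plus 1020 bytes of 0xBB padding is the layout the talk describes; the server IP value, the function names and the choice of a plain byte comparison instead of the real decryption step are assumptions made for the example. The flawed check looks only at the first four bytes, so the padding, and the length of the decrypted block, are attacker-controlled; the strict check pins the length and compares every byte without an early exit.

```c
/* Added example, not code from the talk or JavaOp. Models the padding check
 * on an already-decrypted block; the decryption itself is out of scope. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_LEN 1024   /* 4-byte IPv4 address followed by 1020 padding bytes */
#define PAD_BYTE  0xBB   /* padding byte as described in the talk */

static const uint8_t SERVER_IP[4] = {10, 0, 0, 1};   /* constructed value */

/* What the genuine server sends before encryption: IP, then padding. */
static void build_block(uint8_t out[BLOCK_LEN], const uint8_t ip[4])
{
    memset(out, PAD_BYTE, BLOCK_LEN);
    memcpy(out, ip, 4);
}

/* Flawed check: only the first four bytes matter. Padding and block length
 * are whatever the attacker made them, so ~2^32 guesses find a "valid" block. */
int flawed_check(const uint8_t *block, size_t len, const uint8_t ip[4])
{
    if (len < 4)
        return 0;
    return memcmp(block, ip, 4) == 0;
}

/* Strict check: exact length, IP in place, every padding byte present.
 * No early exit, so timing does not reveal the first mismatching byte. */
int strict_check(const uint8_t *block, size_t len, const uint8_t ip[4])
{
    if (len != BLOCK_LEN)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < BLOCK_LEN; i++) {
        uint8_t expected = (i < 4) ? ip[i] : PAD_BYTE;
        diff |= block[i] ^ expected;
    }
    return diff == 0;
}

/* 'strict' selects which check is applied; returns 1 if accepted. */
static int run(int strict, const uint8_t *block, size_t len, const uint8_t ip[4])
{
    return strict ? strict_check(block, len, ip) : flawed_check(block, len, ip);
}

/* Genuine block: correct IP, correct padding. Both checks accept it. */
int scenario_genuine(int strict)
{
    uint8_t block[BLOCK_LEN];
    build_block(block, SERVER_IP);
    return run(strict, block, BLOCK_LEN, SERVER_IP);
}

/* Forged block: right IP, garbage padding, the kind of block an attacker
 * who only has to match four bytes can find by trial. */
int scenario_garbage_padding(int strict)
{
    uint8_t block[BLOCK_LEN];
    build_block(block, SERVER_IP);
    memset(block + 4, 'A', BLOCK_LEN - 4);   /* padding not 0xBB */
    return run(strict, block, BLOCK_LEN, SERVER_IP);
}

/* Short block: sizing the expected buffer from the attacker's input (the
 * JavaOp-style bug) is equivalent to accepting a 4-byte block outright. */
int scenario_short_block(int strict)
{
    return run(strict, SERVER_IP, 4, SERVER_IP);
}

int main(void)
{
    printf("genuine: flawed=%d strict=%d\n", scenario_genuine(0), scenario_genuine(1));
    printf("garbage: flawed=%d strict=%d\n", scenario_garbage_padding(0), scenario_garbage_padding(1));
    printf("short:   flawed=%d strict=%d\n", scenario_short_block(0), scenario_short_block(1));
    return 0;
}
```

Note what the strict check still does not give you: it proves the block was built by someone holding the key, which is the integrity property the talk says an HMAC would have provided directly, without the encryption.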
It's kind of funny that my code had a vulnerability in it, and my friend replied with a really great quote, which is "RSA is harder than RC4." Everyone here hates RC4, but everyone seems to like RSA, and it's a mystery why. So yeah, the lesson here is don't use raw encryption, basically.

Let's talk about encoding bugs. If anybody's ever written code that uses Unicode or UTF-8 or UTF-16 or other languages (I guess having the French language set here, you probably run into this more than I would), then encoding is really hard, and we're gonna talk about a few issues. So as some of you here know, who know me, I always talk about DNS. I do talks because I like DNS a lot, and as I said earlier, the reason I'm here is probably because of DNS. So we're gonna talk about an infinite recursion bug that's very common in DNS, and then how this sort of bug led to a remote code execution in a really, really popular DNS server. So I had like 10 slides explaining DNS compression, then realized I had to compress my compression talk, so this is my one slide explaining it. Basically, in DNS, I'm assuming you guys know the basics of DNS, which is that you want to know the IP address of a server, you send it the server's name and it sends you back the IP address. The problem is when the server replies with the IP address: you say "what's the IP address of google.com?" and they reply "you asked the IP address of google.com; google.com has the following 10 IP addresses; google.com is at X, google.com is at Y." They say the same thing over and over and over in a packet. DNS, RFC 1035, was invented back in the 80s, and as a result those extra 30, 40, 50, 100 bytes in the packet are a really big deal. So they added a thing called compression. If you read RFC 1035 you'll read all about this, but the essence is when you encode a name (I use my own domain as an example), it takes each piece of the name, www.skullsecurity.org, it prefixes the length and then sends that. If the length starts with two one bits, which is C0 usually, but it could be C1, C2, C-whatever, it's treated as a pointer. So for example, if I have hex characters 03 www then C0 0C, that tells the parser: look at offset 0C for the rest of this message, or the rest of this name rather. But what if we put C0 0C at 0C? It's gonna jump to 0C and say "oh, I got jumped to 0C, oh, I'm gonna jump to 0C," and so on, and it'll recurse forever. Especially in the older days there were a lot of parsers vulnerable to this; the Nmap DNS library was vulnerable to this originally, and lots of others were, I'm sure.

But what's interesting is I was reviewing dnsmasq at a previous job, and dnsmasq is used by about a billion different devices: most routers, most servers, most everything; Ubuntu, Debian all come with dnsmasq pre-installed and running. I was looking for vulnerabilities in this with a fuzzer for a project at work, and I found I was able to crash it using weird pointers. When I actually investigated this vulnerability I discovered that there was a limit, 1024 jumps. So if you have C0 0C at offset 0C it would jump 1024 times, you would get dot dot dot dot dot dot, then it would stop and say this is an invalid name, go away. The problem is, if you look at this code here (the text is too small), the very first line is namelen += l, so it keeps track of how long the name is. It's doing that to make sure we don't overflow a buffer; the buffer is 1200 bytes long, something like that, and namelen += l is checked against MAXDNAME, which is 1200, to make sure we aren't overflowing the heap buffer. The problem is, lower down we see that this loop, this for loop at the bottom, loops l times, which is the length of the thing. So for www it will loop three times and add each one to the answer. Then the bottom loop, it has a period; that period is not tracked anywhere, which means if you have www.google.com it thinks there's three plus six plus three, which is 12 bytes, but because of the two periods it's actually 14 bytes. Because the buffer is longer than a DNS packet this is not exploitable directly, because you can't, but with the recursion you could have a very specific recursion such that it adds a hundred bytes, then loops 1024 times, and therefore it adds a million bytes to the packet, and therefore you can overfill a heap. So very indirectly this encoding bug, this length bug, whatever you want to call it, led to a stack overflow. So that's kind of a really neat vulnerability with encoding in the real world.

Then let's look at one in games, a very, very similar bug in the original StarCraft. I hadn't actually intended this talk to be all about StarCraft, but it turns out that's what I hacked when I was a kid, so that's what we get. So StarCraft has low ASCII characters available where you can send color codes, you can send alignment, you can send line feeds, all this stuff. You could do this in messages and names; we'll get to more of that later when we talk about other things. But there was one low ASCII character, 0C coincidentally, which when the client rendered it, because it was never used for anything, no one ever tested this, it would parse the character but it wouldn't increment the pointer, so it parses over and over again and locks up any game client that saw it. So if you were to send people a message saying "hey, my name is 0C," it would infinite-loop and the person would basically have to Control-Alt-Delete and kill the game client. So of course, as young hackers we used these things to make people leave games when we were sick of them. A funny side note on this: if you send a message to somebody else, you crash yourself too, because you see your own messages, so you have to have a little filter string, which is at the bottom here, to filter out that character. And we'll talk about how colors and line feeds can do fun stuff when we talk about client-side security.

Hey, client-side security. So yesterday morning I was sitting in Starbucks.
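Added example (this is not code from the talk, from dnsmasq or from Nmap): a decoder for compressed DNS names that closes both holes the DNS section describes, the pointer loop (C0 0C at offset 0C) and the untracked separator dots that made 12 label bytes turn into 14 output bytes. The packets below are constructed by hand for the example; the hop cap of 16 and the function names are assumptions. Two checks do the work: a pointer must refer to an earlier offset, which RFC 1035 requires ("a prior occurrence") and which makes any loop impossible, and the separator is counted against the output buffer before the label is copied.

```c
/* Added example, not code from the talk, dnsmasq or Nmap. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_NAME 255    /* RFC 1035 limit on a full domain name */
#define MAX_HOPS 16     /* assumed cap on pointers followed per name */

/* Decode the name at pkt[off] into out as dotted text. Returns the number of
 * characters written (NUL not counted), or -1 if the name is malformed.
 * *consumed receives the wire bytes the name occupies at off, i.e. up to and
 * including the first pointer, which is where the caller's cursor resumes. */
int dns_read_name(const uint8_t *pkt, size_t pktlen, size_t off,
                  char *out, size_t outlen, size_t *consumed)
{
    size_t pos = off, written = 0, hops = 0, cons = 0;
    int jumped = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (pos >= pktlen)
            return -1;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                     /* compression pointer */
            if (pos + 1 >= pktlen)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) {
                cons = pos + 2 - off;
                jumped = 1;
            }
            /* Pointer must go strictly backwards: no loop is possible, and
             * the hop cap is only a second line of defence. */
            if (target >= pos || ++hops > MAX_HOPS)
                return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0)                                 /* 0x40/0x80: reserved */
            return -1;
        pos++;
        if (len == 0)
            break;
        if (pos + len > pktlen)
            return -1;
        /* Count the separator dot before copying: the byte the talk describes
         * as untracked. need + 1 reserves room for the NUL. */
        size_t need = written + (written ? 1 : 0) + len;
        if (need > MAX_NAME || need + 1 > outlen)
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, pkt + pos, len);
        written += len;
        pos += len;
    }
    out[written] = '\0';
    if (consumed)
        *consumed = jumped ? cons : pos - off;
    return (int)written;
}

/* Constructed packet: 12 zero bytes stand in for the header; at offset 12 the
 * name www.google.com (16 wire bytes); at offset 28 "mail" followed by a
 * pointer to offset 16 ("google.com"), i.e. mail.google.com. */
static const uint8_t PKT[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 6,'g','o','o','g','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0, 0x10
};

/* Plain name: 12 label characters become 14 output characters. */
int scenario_plain(void)
{
    char name[256]; size_t used;
    int n = dns_read_name(PKT, sizeof PKT, 12, name, sizeof name, &used);
    return (n == 14 && strcmp(name, "www.google.com") == 0 && used == 16) ? n : -1;
}

/* Pointer name: follows C0 10 back to "google.com"; the cursor advances 7 bytes. */
int scenario_pointer(void)
{
    char name[256]; size_t used;
    int n = dns_read_name(PKT, sizeof PKT, 28, name, sizeof name, &used);
    return (n == 15 && strcmp(name, "mail.google.com") == 0 && used == 7) ? n : -1;
}

/* C0 0C at offset 0C: the self-referencing pointer from the talk. */
int scenario_self_loop(void)
{
    uint8_t pkt[14] = {0};
    pkt[12] = 0xC0; pkt[13] = 0x0C;
    char name[256];
    return dns_read_name(pkt, sizeof pkt, 12, name, sizeof name, NULL);
}

/* Two pointers chasing each other (12 -> 14 -> 12): the forward pointer is
 * rejected before any looping starts. */
int scenario_ping_pong(void)
{
    uint8_t pkt[16] = {0};
    pkt[12] = 0xC0; pkt[13] = 0x0E;
    pkt[14] = 0xC0; pkt[15] = 0x0C;
    char name[256];
    return dns_read_name(pkt, sizeof pkt, 12, name, sizeof name, NULL);
}

/* 13 bytes would hold the 12 label characters plus NUL if the dots were not
 * counted; with them counted the name is rejected instead of overrunning. */
int scenario_small_buffer(void)
{
    char name[13];
    return dns_read_name(PKT, sizeof PKT, 12, name, sizeof name, NULL);
}

int main(void)
{
    printf("plain=%d pointer=%d self_loop=%d ping_pong=%d small_buffer=%d\n",
           scenario_plain(), scenario_pointer(), scenario_self_loop(),
           scenario_ping_pong(), scenario_small_buffer());
    return 0;
}
```

The backwards-only rule is stronger than a hop counter: a counter bounds the work but, as the dnsmasq case shows, the output written per hop still has to be accounted for exactly, dots included.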
Trying to put funny pictures on my slides, I was thinking: how do I explain client-side trust in a picture? And that looks like a Starbucks cup that had the wrong name on it. My name is Ron, not Rob. I'm like, hey, client-side trust: they just trust my name. So I thought that was kind of a funny way of introducing this.

So back to StarCraft. StarCraft has two modes. When you log in to Battle.net (I talked about this already), you send your CD key, you send your password using all the stuff, and all that stuff you log into is a chat server and a matchmaking server, nothing else. When you're actually playing a game, Battle.net only knows that you entered a game and at some point in the future you left the game, but in between it doesn't know what's going on. So I found this little diagram of a peer-to-peer network. Basically, most modern games are the first, the left side here: there is a server which all the clients send stuff to, and the server multicasts and holds the game state, everything. But in StarCraft there's no server in the middle; it's entirely peer-to-peer, multicast style. So when you join a game, here's just one of many, many, many examples of what you can do. When you join a game of StarCraft you send everybody "hey, my username is Ron," or I used iago back then, so it's like "hey, my username is iago." That's the username that's registered with Battle.net; it's got a password, it's got all the stuff. But when you actually enter a game, nothing verifies that. There's nothing stopping me from saying to everybody, like, "hey, my name is my friend's ID," "my name is Blizzard staff," "my name is Computer," and you'll join the game and everyone will say "hey, Computer just joined the game" or "hey, Blizzard staff just joined the game." Imagine being like a seven-year-old gamer able to join games as Blizzard staff; just think of all the havoc you can cause, and we kind of did. This was literally my first introduction to any sort of hacking whatsoever: the SCBS nick spoofer. Basically, it was a VB6 app; there's a link to it at the bottom there. I'm so happy at this point that I kept all my code from 20 years ago. But this is literally it: my friend wrote this tool which would read StarCraft's memory, find your username and replace it with anything you wanted. It was a super simple app, but I was like, mesmerized; like, how do you do this kind of thing? And he actually sent me the code for it and I got to learn how the Windows ReadProcessMemory and WriteProcessMemory work, and that was literally my first introduction to any kind of hacking, and I went with that.

So as I mentioned, low ASCII characters or color codes: you could set your username to 0C, so you join a game, everyone's clients crash, and that's hilarious, but it doesn't really do much fun. What's more interesting is to make your name, for example, blue "Blizzard staff" or yellow "Computer," and suddenly you're doing really weird things that nobody would ever expect, and you can really mess with people. For example, if you send 10 line feeds it hides your name, and then center, and then white, and then "Nuclear launch detected," everyone in the game would see "Nuclear launch detected." You can send "uploading virus," you can send "Computer has entered the game" or "left the game," you can send "Ron has left the game" and then stay in the game. You can do all kinds of really neat things. As far as I know I was the first person to do this on Battle.net. I used the exact same thing that the nick spoofer did for the previous slide: I would read memory, I would look for a key character; I would type ABCD or something, and when the program read the memory it would replace that with whatever I wanted. Really small text here, but /nuke would send "Nuclear launch detected," /cheat was then "cheat enabled," /leave would say "your name has left the game," and so on and so on. It was really, really, really entertaining back then.

Yeah, another thing about this: because there's no authoritative server, every single game client in StarCraft is this little mini authority. It knows the game state of itself and of everyone else. That means map hacking (I mentioned in the slides), being able to see the entire map, has to be possible, because every client knows what every other client is doing, so there's no secrecy if you have the right tools. But what this also means, because every single person has state, is if one person has the wrong state they desynchronize and they get kicked from the game. You can make sure people have the wrong state by just sending the wrong message. So the easiest way to do this: the protocol for games (I don't get into that at all in this), but you just broadcast messages on UDP, and there's a little checksum and then data and a bunch of other stuff; they basically implement TCP over UDP for some reason. But all you have to do is just remove the data and update the checksum, and then suddenly you start telling one player you're doing nothing and everyone else thinks you're doing everything; before you know it they have a different game state and they're kicked from the game, and then, you know, if they were beating you, now they're not.

Then finally for this little section, post-game shenanigans. So the matchmaking service of Battle.net puts you together into a game, you play the game, you can do anything you want, because it's all synchronized. And by the way, this synchronization means you can't, like, spawn units, you can't update your resources, stuff like that, because then you're desynced and you get kicked out; as soon as you spend money you don't have, you get kicked out. So you can't do a lot of things like that, but you can do a lot of stuff. But after the game, every client exits the game and then says to the Battle.net matchmaking service "hey, I won and this person lost." There's nothing stopping you from saying "hey, I always win, this person always loses." So you leave a game, and we did this: we would make sure that everybody said that I won. If I say I won and everyone else says I lost, I get a disconnect, which is just, it's not a win, but it's not a loss. So you could very easily have a record of like 10,000 wins, zero losses and a lot of disconnects. So it's kind of cool that they just trust the client is valid, and there's nothing making sure you're valid. As a little bonus at the bottom here, if you do set your name to like "Computer" in yellow or "Blizzard" in blue or whatever, when the other players send back results, Blizzard goes "that's an illegal name" after the game and then kicks them off Battle.net for an hour. So it's a little bit rude to do that, but it was kind of funny too.

So I mentioned emulation bots earlier. When you emulate the game client you can do things like: I'm gonna log in with my account eight times, and then I'm gonna join an eight-player game with myself eight times, I'm gonna play the game for the minimum time, which is two minutes, then I'm gonna leave the game and say "hey, everybody won," and then you have eight wins on your record. A friend of mine, Skywing (he works at Microsoft now), he made an account called WinBot which literally went online, played against itself, restarted over and over again, till he had a record of 1 million wins and zero losses. And then one day we woke up and he had 1 million losses, zero wins; I guess somebody at Blizzard caught on and thought they'd be funny. I really, really wish I had a screenshot of this. I emailed him; no one has any screenshots left. I found people talking about this online, but couldn't find anybody with a screenshot, which is really unfortunate. So that's the game side of client-side trust.

Let's talk about a couple of real-world client-side trust issues. I'm gonna talk about two projects I worked on at a job from a million years ago, maybe my first or second infosec job, so these screenshots are from a presentation I gave in like 2005, so there's gonna be really bad-looking screenshots. But anyway, I don't really have an introduction slide to this, but basically we have a security camera that was monitoring a location, and we wanted to make sure that the web interface for the security camera was secure, you know, application security, our jobs. So keep in mind when I'm explaining this, this is 2004 or 2005, in there somewhere, no, maybe 2007. In any case, I get to a login form, I type admin/admin because that works 90% of the time, and I get "login failed." Too bad. What I noticed immediately was that the login failed dialog had absolutely no lag, which told me that the authentication is happening on the client side, not the server. So what do we do? Let's look at how this works. I'm sure most of you think in JavaScript issues, but this was before JavaScript existed; well, that's not true, this is before JavaScript was popular. So I dig down and it's an ActiveX template. Some of you are probably too young to remember ActiveX, but here's how it worked, in essence: the website would give you a DLL file that you would load into the process memory of Internet Explorer, it would run machine code in your browser and then do stuff. That's what security was like 10 years ago, literally code running in your browser; how was everybody not hacked back then? Anyway, so I opened the DLL file in IDA. This isn't the real software anymore; I made my own imitation of it to make sure I didn't reveal anything that I shouldn't have, but in essence I would look at the strings window, I would see "login failed, please enter a different username/password." The first thing you always do is search for error messages, or search for log messages, or search for whatever. So you jump to that, you find a security check; it does a comparison, it does a jump, blah blah. I don't want to go too much into assembly code right now. You replace the jump, which is 75 0E in memory (we'll talk about machine code later), with 90 90, which basically removes the security check, and then log in, and it says "login successful," and yeah, there's your camera. This literally worked; we were actually able to log into a security camera like this and see all the cameras, control them, move them, laugh at people walking around, all that kind of stuff. So we reported it to the vendor, and the vendor said "that's way too advanced, nobody's actually going to do this," so they didn't fix it.

Yeah, speaking of bad vendors, this is another project from the same company I worked at, and this has been like a nemesis of mine because I went back and forth with the company so much, because it was an application that had SQL injection all over, and it was just awful, awful. This was another one where it was running server-side binaries with stack overflows; it's like, literally stack overflows in a web app. Like, security in those days was hilarious. So last week I went to the site again to see if it still exists, and it does exist, and when I looked at the disclaimer it said (I just had to put this in because it's funny) they had a thing called "computer viruses" in the EULA or whatever: "every reasonable effort has been made to assure that the information provided on this website does not contain viruses; however, secure yourself." Basically saying "we're not gonna give you a virus, we promise." Like, that's kind of funny. Anyway, so this is the real login form now; it was a lot different back then, but I don't have permission to test this anymore, so obviously I didn't do anything with it. But basically, back in those days I would put a quotation mark in the username or in the password field and you'd get a SQL error, and you could do SQL injection through the username or the password field. So I reported this to the vendor who made this application, and they said "this is not exploitable, because we limit the username and password fields to eight characters." First of all, I don't even know where to start. So I looked at this site last week and now it's 15 characters, so it's eighty-seven point five percent more vulnerable by my math. So yeah, where do you begin? You begin by changing the maxlength field in the HTML to a hundred. And even though it's a server-side check, you can still do, you know, "shutdown" is only eight characters, so you can still do things like that. There's like a million examples of client-side security issues; these are just a couple I thought were kind of funny from a long time ago. I've very barely talked about these in the past 15 years of doing talks, so I thought I'd kind of bring them up and talk about that.

Let's talk about some injection attacks. So I was looking for a picture for this slide. You know, I spent yesterday putting pictures on slides, and then a coworker was laughing at this picture at the bottom: the middle guy is the governor of Delaware, which is a state, I'm told, and my coworker Tom Hessman happened to have his name on a chalkboard behind him, so he injected his own name into the governor's picture; Tom Hessman photobomb. So we talked about injection a little bit already. Injection is basically, we'll get to injection after, but being able to enter colors in your name is an injection vulnerability: you're putting formatting characters in a place where none are expected. The message spoofing is an injection vulnerability: you're putting format things where they shouldn't be, stuff like that. So just a few examples of injection, then I'll get to some hard examples: I said message spoofing, which I actually talked about, is a form of injection; cross-site scripting; stack overflows; and so on and so on. So the example I give next is not really injection, but I wanted to talk first about how code and data, as far as machines are concerned, are the same thing. I showed you how you knock out the jump in the earlier slide; let's look at more details and how that works. So there's this game I played as a kid, and I've since bought it, so you know, don't worry, so whatever, but I won't name it because I'm on camera. But basically there's a shareware game where it would pop up a box saying "register this copy." So you download the game or you get it on floppy disks (floppy disks, for the kids in the audience, are these devices you buy at stores), so you would get this game, you would install it, and it would say "you can play the first three levels, and the next ten levels are not available because you haven't paid for the game yet." When you pay for the game, you fill out a form and you mail it in an envelope to this company, and they mail you back the code to use. So when you click on "please register" it says "here's your code," 18153 is the one I got when I made this last week. So it will give you a code, and you have to enter your key, which is another five-digit number. So what do you want to do? We're gonna talk about how you would bypass this check, obviously. So you go to the source code, sorry, the disassembled code, the assembly code, and you search for the word "registration." I don't want to talk in too much detail on how you do all this stuff; this is a whole talk on its own, but essentially you go into the assembly code, you search for strings like "your registration code" and you find it. So I see "your registration code is %d"; that's a C string formatting character. Then you figure out where that's used, and what you see is (I named things on this just to make it more obvious) you see a little function. This is assembly code; doesn't matter how it works. Basically it takes the generated code, it passes it to a function that compares it to what you typed in. So if your code was 12345, it takes that, it passes it into a function, the function's return value is, say, 54321, then it compares that to the thing you typed in, and if they're the same, yeah, you can play the whole game. The easy way to bypass this, obviously, is to change the jump to say "no matter what I enter, just play the game," but that's not that interesting. I want to talk about how this code works. So what we do is we go into the function that generates the code; it takes in the code they give you and pops out the code that you need. So you open up the function and on the left here you see machine code bytes. These bytes are no different from data bytes. When you run the executable it loads them into memory, it takes these bytes, it runs them, it gives you the output. So what we can do is copy and paste these bytes into our own program, which is what I did right here: I just made a character string, I just literally took the assembly code from them, copied it, pasted it, and made a function pointer. I ran it, it gave me a code, the code worked. The reason I talk about this is to show you how the code you see here, which tells the CPU to do stuff, is the same code you see in a string. So when you do a stack overflow, you're just sending a bunch of bytes and tricking the machine into running them. Data and code are the same thing; that's sort of the lesson with that. Yeah, that's what the slide says. If you're interested in learning stack overflows or memory access bugs or anything like that, this is the first thing to know: how code and data are interchangeable.

So we'll see if this video works, but this is essentially what happens with some of the Super Mario World glitches, and this is kind of a really cool one, I think. I have it open in another tab. So basically this is the world record attempt at Super Mario World, which is the Super NES game from way back when, and this particular attack was done many, many times using a computer, using a tool-assisted speedrun, TAS or whatever; this is the first time a human ever did it. I'll explain how this works afterwards, but he creates a game, the timer starts, he goes through dialogue, blah blah blah, there we go. So he starts the first level. You can see he does a bunch of really weird things, and we'll talk about why in a minute, but essentially he's putting all these different sprites at the right offsets; the X value, the left-right value of each sprite is interpreted as code later. So the fact that he's eating things, blowing things up, all
that stuff what he's doing is making sure the sprites load into the right slots to let their x values are in the right order and everything and show you what that means after and he won the game in 47 seconds so there you go so I think I'm getting close to the end and I have lots of time so I'll show you the explanation video I think the next slide here is just yeah so effectively what he's doing and this is a bit of a one this is a mushroom rather than the whatever he did but same idea he's telling Yoshi to grab the mushroom then he jumps off Yoshi and gets the mushroom himself what happens is because there's no longer a mushroom on there the sprite slot becomes empty and there's nothing to be eaten so the next thing I loads which happens to be the football guy Chuck he just happens to be next thing to load so he gets put in the same slot and Yoshi eats a thing that's never supposed to be eaten as a result it calls code and memory that doesn't exist and therefore does arbitrary weird things this is a time of use bug which means when Yoshi grabs the thing it says is Yoshi allowed to eat this yeah it's a mushroom then when it gets replaced by the Chuck sprite nothing ever checks if you can eat the Chuck sprite because he's already passed that check this is a race condition basically so this is going to be an explanation of it should be open in this tab yeah so you see the left here are the various sprites that are loaded so right now you have zero through nine which have nothing loaded the 10 11 are special slots what he what he's doing in this is making sure that everything loads in the right order so you'll see as he plays a level as sprites load they load different slots you will see the X and Y coordinates the X coordinates are what matters more so he's going to kill various things to make sure that they stop moving so the X corners are 10 3c 5a 90 and so on so on he basically has 10 bytes the right code with these so he does that by keeping track of where 
everything is when you destroy a sprite the slot state keeps the X values so he's destroying things to make sure that they don't move basically skip around a bit so you'll see at this point level this again towards the end the X values have all been set a 9 1c 9 2 7 5 and so on this is the code he needs for for magically happen I should mention it's a lot more complicated than all this but this is kind of a brief explanation of it I've a link to the video in this in the slides if you want to see the whole thing he explains it really really well skip skip skip now he's gonna do here is break this block the position of the four blocks that pop out are basically where in memory it gets jumped to so you have to make sure that the blocks despawn go off the screen at the exact right time in order for it to to work then he does other things skip skip skip so that block right there is you'll notice that when he hits the block he goes off screen he moves the camera as soon as he goes off screen the furlough block fragments despawn and therefore their memory address has stayed the same you'll see at the the right side of screen the right side of screen it's easy row for the first block and 0 0 for the second and that's where it's gonna jump in memory basically so he despawns the chalk by going to left slow motion yeah this is the same thing as slow motion so he despawns the block fragments and has to be east something okay and I don't want to go through all this but this way just ran out of buffer but this is effective what's happening is it's now interpreting the x-coordinates as I should say the block fragments where it jumps and the x-coordinates is where it runs code so he thought to be just mixing up code and data which is kind of the summary here so that links at the bottom and I highly recommend watching the whole thing I learned a lot and he explains it way better than I did so one more injection I added that said last minute obviously e-fail this it was the big PGP 
bug from last week where basically it was a it's basically cross scripting email you send an open an open image and it would interpret the rest of the email as the image and decrypted and send it in you know big deal anyway that's pretty much the end so there's a lot of things I didn't talk about there's a lot of things in game hacking that I think are really interesting and really cool to learn as I said at the beginning games are a great way to learn about real-world vulnerabilities we talked about client side security we talked about crypto we talked about all these things these are all things that apply in games and they're all things that apply in real hacking so I think this is a great way to learn things and yeah lately speed running and gaming and streaming all these things are getting really really really popular with twitch with YouTube video whatever it's called with all these things it's a big deal these days and learning how to do these things is really there's lots of reasons to do it so this is my contact information my email address pretty much everywhere online I'm yago xa6 the URL here is to the talk north side video games is a link to the talk so feel free to grab my slides I'll tweet a link out later and yeah that's pretty much my presentation we have time for questions
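Added example, not part of the talk or its slides: the "copy the machine-code bytes into a string and call them through a function pointer" trick the speaker describes for the shareware keygen, done as a stand-alone C program. The bytes here are an assumed toy keygen (key = code XOR 0x5a5a), not the real game's algorithm, and are encoded only for x86-64 and AArch64; the code value 18153 is the one shown in the talk. The bytes are mapped read/write, copied in, and only then flipped to read/execute, so no page is ever writable and executable at the same time.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

/* Toy "keygen" as raw machine code (assumed for this example; not the real
 * game's check). It reads the code from the first integer argument register,
 * XORs it with 0x5a5a and returns it in the return register. */
#if defined(__x86_64__)
static const uint8_t KEYGEN_BYTES[] = {
    0x89, 0xf8,                    /* mov eax, edi        */
    0x35, 0x5a, 0x5a, 0x00, 0x00,  /* xor eax, 0x5a5a     */
    0xc3                           /* ret                 */
};
#elif defined(__aarch64__)
static const uint8_t KEYGEN_BYTES[] = {
    0x41, 0x4b, 0x8b, 0x52,        /* movz w1, #0x5a5a    */
    0x00, 0x00, 0x01, 0x4a,        /* eor  w0, w0, w1     */
    0xc0, 0x03, 0x5f, 0xd6         /* ret                 */
};
#else
#error "KEYGEN_BYTES is only encoded for x86-64 and AArch64"
#endif

typedef uint32_t (*keygen_fn)(uint32_t);

/* The same computation written in C, so the two results can be compared. */
uint32_t keygen_reference(uint32_t code) { return code ^ 0x5a5au; }

/* Treat the data bytes as code: copy them into a fresh RW page, make it RX,
 * call it through a function pointer. Returns the key, or -1 on failure. */
int64_t keygen_from_bytes(uint32_t code) {
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, KEYGEN_BYTES, sizeof KEYGEN_BYTES);
    /* W^X: drop write before adding execute. */
    if (mprotect(page, page_size, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, page_size);
        return -1;
    }
    /* Required on architectures with split instruction/data caches. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof KEYGEN_BYTES);
    keygen_fn fn = (keygen_fn)page;
    uint32_t key = fn(code);
    munmap(page, page_size);
    return (int64_t)key;
}

int main(void) {
    uint32_t code = 18153;  /* the registration code shown in the talk */
    int64_t key = keygen_from_bytes(code);
    if (key < 0) {
        fprintf(stderr, "could not map executable memory\n");
        return 1;
    }
    printf("code %u -> key %lld (reference %u)\n",
           code, (long long)key, keygen_reference(code));
    return key == keygen_reference(code) ? 0 : 1;
}
```

The point the talk makes is visible in the two definitions: `KEYGEN_BYTES` is an ordinary constant array, indistinguishable from a string or a sprite table, and the only thing that turns it into a function is the page permission plus a pointer cast. A stack overflow or the Yoshi glitch gets to the same place without the `mprotect` call, by jumping into bytes the program already treated as data.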