November 2009

You are currently browsing the monthly archive for November 2009.

PSP Exploits – finding crashes with Fuzzing  

November 8, 2009 in security | 15 comments

I’ve said it numerous times, finding crashes is the first step to finding exploits on the PSP (and on other devices as well, by the way. It is just easier on the PSP since we already have lots of tools to help us).

Crashes are usually the result of luck (bad luck if you were playing a game and forgot to save),  but there are ways to “force” your luck. One of them is called Fuzzing. I recently found an MP3 crash (which happened to be non exploitable) through this technique, and I was actually very proud of this “revolutionary” method of finding crashes, until I was told that this was a known technique in software testing :P .

Wikipedia tells us:

Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program.

Well that’s pretty clear. The idea is to feed our program with random data and see if it crashes. In my case, the “program” was the PSP mp3 Player, and the random data was a series of broken mp3 files.

This is all very good, but the main issue is that you’d need to be extremely lucky in order to find a crash this way. Except… that the PSP mp3 player allows us to test thousands of files extremely quickly with the usage of playlists.

Here’s what I did for the mp3 file: I first created a very short mp3 file with Audacity. I use audacity because it’s open source, but any audio manipulation software will do. I then created thousands of copies of this file, with only one bit changed for each of those files. I of course didn’t do this by hand, I used a script. I went with ruby, but here again, any scripting language will do (perl, php, python…I’m sure you can do it in Linux shell, or even in C/C++ if you like pain). Here’s what my script looks like (fe4r my Ruby skillz):

ruby

What this script tells is the following: open the file “a.mp3″ (my “source” regular mp3 created with audacity), and for i in 0..200, change the byte at position i with a value j, j varying between 0 and 255. In other words, I’m trying all the possible values for each single byte in the file. This generates thousands of files. For each value of i, I’m creating a new directory, so each folder will have 255 files. Note that I’m only doing this with the 200 first bytes because my 1GB memory stick got filled with those files, but nothing prevents us to actually create more (although I’d need to check if the mp3 player allows to have more than 255 subfolders in the mp3 directory). What I ended up doing is “sessions of 200″. I first tested the 200 first bytes, then 201 to 400, etc…

files

Once this was done, I copied all the generated files (still in their respective folders, the psp mp3 player doesn’t allow more than 999 mp3 files per folder anyways) on my psp, and started playing everything.

This takes time, but not mine: I don’t need to be around when the psp plays the mp3 files. if, when I come back, the PSP is off, it means a crash occured. I can then remove half of the files and try again, until I find the “culprit” through dichotomy.

That’s pretty much all there is to know about this technique. It worked for mp3s, and it would work for video files, as well as image files (through the slideshow feature), although I’m not sure how these two applications deal with playlists (let me know the outcome if you try it!). The whole point of this technique is to be able to test a very large number of files in a short amount of time. Even by testing thousands of files (my mp3 was 2048btes long, so thats 2048×255 = half a million files), we only test a very small percentage of all the combinations that could be fed to the software (what if I start changing 2bytes instead of 1 in my file? What if I use a different audio file as my source ? A wma maybe ? etc…). Well it’s good because everyone can try different combinations, but of course don’t expect too much results if the player only allows you to play 10 files in a row or something like that.

There are of course lots of other techniques to look for exploits in a system, but this one has several good points (when it is applicable!): it doesn’t require to be too clever (al you need is a little script, no specific knowledge about MP3s was required for my crash, at least for the first steps), and it takes very little time (as long as the system is nice enough to allow you to feed it thousands of inputs very fast).

I’m actually surprised I found a bug in the mp3 library of the PSP through this technique…One would think Sony use that kind of testing method on their firmwares.

I hope this will give inspiration to both people trying to secure their software, and those trying to free the world from the evil forces of DRMs :) Have fun hacking!

Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program.


Wagic Unofficial 0.9.2, French Patch, Italian Translation update, and other stuff  

November 1, 2009 in release, Wagic | 1 comment

We released Wagic 0.9.1 a couple days ago and got lots of feedback. There are a few issues that seem to bother lots of people, so I’ll attempt to give you solutions to the most common problems.

I’ll start with translation updates:

.

Translation Updates

Wagic 0.9 en Français/ Wagic French version

Here is a patch to translate wagic into French. Explanations on how to apply the patch are in the README.txt (in french, obviously)

Voici un patch pour traduire Wagic en Français. Lisez le README inclus dans le zip pour l’installation

Italian Translation Update

Icarus updated his Italian translation file. You can get it here. Then copy it in WTH/Res/lang/ and rename it “_lang.txt”

Wagic 0.9.2 (for people who need translations)

Wagic 0.9.1 has a problem with translations in the option menu. If you want your options in a different language than english, you can download Wagic 0.9.2 here (just rename it as EBOOT.PBP and overwrite the 0.9.1 EBOOT.PBP file). This update only fixes the translation issue and is not useful for people who play with the English version of Wagic. Moreover, it is not officially supported, so don’t report bugs for it. It is just here as a convenience for our international users :)

This version is included in the French patch so French users don’t need to download it, but people who want the game in Italian, Spanish, German might want to download this eboot.

Common issues in Wagic 0.9.1 (and how to solve them)

Purple Screen

If you get a screen that looks like this at startup (minus the text maybe):

This is a known issue. We didn’t find the root cause for this, and decided to release with the issue.

The easiest solution is to restart the game. In most cases, it should work after a few attempts. Another solution is to try to replace your EBOOT.PBP with the file included in Wagic 0.9.1 called “alternate.PBP”. If you still have issues, come and discuss on the forum

I can’t play during my opponent’s turn

Add the following line to your Res/settings/options.txt file:

interruptEndTurn=1

Alternatively, you can try one of the following keywords. Their meaning is generally obvious:

“interruptBeforeBegin”,
“interruptUntap”,
“interruptUpkeep”,
“interruptDraw”,
“interruptFirstMain”,
“interruptBeginCombat”,
“interruptAttackers”,
“interruptBlockers”,
“interruptDamage”,
“interruptEndCombat”,
“interruptSecondMain”,
“interruptEndTurn”,
“interruptCleanup”,
“interruptAfterEnd”

Hypnotic Specter doesn’t work anymore

It happens. We sometimes break cards. We try not to, we have systems that warn us when it happens. But it still happens, when you have more than 3500 cards to handle, some of them, even the most famous ones, can end up broken. I’m personally pissed about that. I love Hypnotic Specter, but hey, he’ll be back in next release…

Meanwhile you can fix it yourself. For example for the 10E edition of Hypnotic Specter, open the file Res/Sets/10E/_cards.dat with a text editor, and look for Hypnotic Specter.

It should look like:

[card]
text=Flying (This creature can’t be blocked except by creatures with flying or reach.)  Whenever Hypnotic Specter deals damage to an opponent, that player discards a card at random.
abilities=flying
id=129600
alias=1165
name=Hypnotic Specter
rarity=R
type=Creature
mana={1}{B}{B}
power=2
subtype=Specter
toughness=2
[/card]

Simply add the following line and save the file:

auto=@damaged(player) from(this):discard:1 opponent

So it should now look like:

[card]
text=Flying (This creature can’t be blocked except by creatures with flying or reach.)  Whenever Hypnotic Specter deals damage to an opponent, that player discards a card at random.
abilities=flying
id=129600
alias=1165
name=Hypnotic Specter
rarity=R
type=Creature
mana={1}{B}{B}
power=2
subtype=Specter
toughness=2
auto=@damaged(player) from(this):discard:1 opponent
[/card]

Note that this is not entirely how Hypnotic specter is supposed to work, but unless someone has the hypnotic Specter deal damage to its controller, it will do for now.

I hope this answers most of the important questions we got so far. Thanks for your support and have fun with Wagic :)

Newer entries »