walk12288
Newbie
Posts: 7
« on: September 02, 2006, 09:53:36 PM »
I had a question to ask about the XNA framework. From the way it sounds, you code your game using the libraries. You pay $99 subscription and download the game to your harddrive. It's already been signed so it's able to run? Is the game checked by Microsoft beforehand? Could it be possible to run an exploit using the XNA framework? It would be expensive to mod your xbox ($99 a job), but it'd be worth it in the long run. Open to suggestions NOT flames....

Pringle
« Reply #1 on: September 03, 2006, 03:57:22 AM »
There is always a probability factor, in this case I think it is below 2 out of 10... MS is stupid, but not crazy..

tser
« Reply #2 on: September 03, 2006, 05:49:28 AM »
There are always flaws in software, but the .NET sandbox has been pretty good in the past. However, with .NET Framework 1.1, you were sometimes able to crash the ieexec.exe process when running smart clients.

Pringle
« Reply #3 on: September 03, 2006, 09:54:19 AM »
ok that's true
Guess "homebrew" will be played on the emulator then...

Prachanda
Newbie
Posts: 1
« Reply #4 on: September 03, 2006, 12:49:55 PM »
My real question is will we be able to find a way to get the XNA running for free.
I don't really think the XNA will be a big point of exploitability though, seeing as how it will still be running within the framework of the hypervisor.

walk12288
Newbie
Posts: 7
« Reply #5 on: September 04, 2006, 01:07:26 PM »
Still comes back to that damned hypervisor. There MUST be some way to exploit it [the hypervisor]. I just haven't thought of anything yet. So there is NO possible way to overflow a buffer because it is there? The hypervisor is a program. Couldn't there be a way to overwrite it? If you wanna flame, post elsewhere, I'm just picking up information.

Mjrweed
« Reply #6 on: September 06, 2006, 05:22:12 PM »
> ok that's true
> Guess "homebrew" will be played on the emulator then...

I will ask a lamer question, please no flaming. If the emulator is in some way hacked to use XBMC and other stuff, will it then be able to play HDTV content? Or will it be restricted to xb1 "power"? XBMC now can't play any HDTV clips, it just freezes up.

Arakon
« Reply #7 on: September 06, 2006, 11:39:31 PM »
Actually the emulator will likely run it even SLOWER rather than faster, 'cause it's emulated after all, and the emulation itself eats up a load of CPU power.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

walk12288
Newbie
Posts: 7
« Reply #8 on: September 08, 2006, 04:45:16 PM »
It was said one time that it takes about 4 times the power of a system to emulate it at full speed. I don't know how true this is, but if so, it would be choking pretty badly under emulation. One thing about it though, once we get homebrew on it, we can then work on ways to achieve kernel mode, which will allow for NO emulation...

elitedev
« Reply #9 on: September 09, 2006, 08:05:09 AM »
Last time I checked, the Xbox 360 had more than 4 times the CPU power of the Xbox. I think it would have no problem emulating at full speed. I'd even imagine they would have cycles left over for oodles of other stuff as well.

Arakon
« Reply #10 on: September 09, 2006, 09:15:42 AM »
It depends on the complexity and how different the CPUs are. In the 360/Xbox case, 10x the power required is easily possible because of the entirely different CPU structure.

TheSpecialist
« Reply #11 on: September 09, 2006, 01:57:14 PM »
This XNA framework sounds very interesting. Can somebody clarify how it works, from a security point of view? I mean, do I understand correctly that it will be some kind of VB 'shell'? I mean, the programs you code with it obviously aren't 'real' exes (that need a signature) but compile at runtime?

elitedev
« Reply #12 on: September 09, 2006, 08:45:54 PM »
The program functionality (i.e., the program code) is converted into MSIL tokens, which will be interpreted by the runtime engine. As various required data -- such as strings etc. -- is placed in different parts of the file and not directly combined with the code, the parsing is not trivial. (That said, it is not nearly as complicated as parsing Visual Basic for Applications pcode structures.) The MSIL tokens themselves can only be found within a file if a so-called metadata header (later also referred to as the "#~" section) is completely analyzed. Furthermore there is certain additional information within the .NET related parts of the file, such as security related permission tables. I really don't think there will be much that we could use from this, it will still be running under the hypervisor limiting potential attacks. When this MSIL code is loaded in the framework, it should then be compiled on the fly into executable code.
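
elitedev's point that the MSIL can only be located after the metadata root and its "#~" section have been fully parsed is illustrated by the following added Python parser (not code from this thread). It decodes the metadata root, its stream headers and the "#~" table header from a constructed sample blob, and bounds-checks every stream offset and row-count array before use, which is the check a loader or scanner needs before trusting such a file.

```python
import struct

def parse_metadata_root(data: bytes) -> dict:
    """Parse the CLI metadata root (ECMA-335 II.24.2.1) and its stream headers, with bounds checks."""
    if len(data) < 20 or data[:4] != b"BSJB":
        raise ValueError("missing BSJB metadata signature")
    _major, _minor, _reserved, ver_len = struct.unpack_from("<HHII", data, 4)
    pos = 16
    if ver_len > len(data) - pos:
        raise ValueError("version string overruns metadata")
    version = data[pos:pos + ver_len].split(b"\0", 1)[0].decode("ascii", "replace")
    pos += (ver_len + 3) & ~3                  # version string is padded to 4 bytes
    _flags, n_streams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", data, pos)
        pos += 8
        end = data.index(b"\0", pos)            # stream name is NUL-terminated
        name = data[pos:end].decode("ascii")
        pos = (end + 1 + 3) & ~3               # and padded to a 4-byte boundary
        if off + size > len(data):             # reject a stream pointing outside the blob
            raise ValueError("stream %s overruns metadata" % name)
        streams[name] = data[off:off + size]
    return {"version": version, "streams": streams}

def parse_tilde_header(tilde: bytes) -> dict:
    """Decode the '#~' header: heap-size flags and one row count per table set in the Valid mask."""
    if len(tilde) < 24:
        raise ValueError("#~ stream too short")
    _r, _major, _minor, heap_sizes, _r2, valid, _sorted = struct.unpack_from("<IBBBBQQ", tilde, 0)
    tables = [t for t in range(64) if valid >> t & 1]
    if 24 + 4 * len(tables) > len(tilde):
        raise ValueError("row-count array overruns #~ stream")
    rows = struct.unpack_from("<%dI" % len(tables), tilde, 24)
    return {"heap_sizes": heap_sizes, "rows": dict(zip(tables, rows))}

def build_sample() -> bytes:
    """Constructed sample (not from a real assembly): one '#~' stream declaring Module (0x00) and TypeDef (0x02)."""
    tilde = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, (1 << 0) | (1 << 2), 0) + struct.pack("<II", 1, 3)
    version = b"v2.0.50727\0"
    padded = (len(version) + 3) & ~3
    off = 16 + padded + 4 + 12                 # root header + one 12-byte stream header
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version.ljust(padded, b"\0")
    root += struct.pack("<HH", 0, 1) + struct.pack("<II", off, len(tilde)) + b"#~\0\0"
    return root + tilde
```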

TheSpecialist
« Reply #13 on: September 10, 2006, 07:51:04 PM »
Ah, ok. There will probably also be some extra security in the compiler itself, then. It would be easy to add some boundary checks on memory access etc. So the compiler itself will probably contain another layer of protection. But nevertheless, it will be interesting to poke around with it.

elitedev
« Reply #14 on: September 11, 2006, 07:22:33 AM »
Well the framework kinda acts like the hypervisor, it prevents buffer overflows and other dangerous code execution. Not only that, but the framework on the Xbox 360 will be run under the hypervisor as well. So I don't think there will be much that we could exploit in there. I think the best idea for attacking this would be to find a clever programmer to find ways to use the code that Microsoft never thought possible, like using the framework to build a custom loader to load MSIL code directly from a storage device allowing you to run an application without having to use Visual Studio to execute it on the Xbox. I'm sure Microsoft has given us access to storage because it's not really much of a game if you can't save. Perhaps this will allow us to find out more information about the workings of the machine.

walk12288
Newbie
Posts: 7
« Reply #15 on: September 30, 2006, 09:17:11 PM »
Sorry for the delay, I've been...busy....Well, I agree, it would be interesting. The only thing you could possibly do with the framework is exploit what Microsoft never intended. I don't think they are going to give us much freedom though....

tser
« Reply #16 on: August 25, 2007, 02:36:10 PM »
> The only thing you could possibly do with the framework is exploit use some parts what microsoft never intended.

Below here is a very simple but useful pixel/vertex shader compiler based upon the XNA Framework. You could use this code to compile shaders into byte code, and use them for example for some cool 3D effects in the new Xbox 360 Linux 3D driver they are working on.

```csharp
/* The R 360 XNA Shader Compiler */
/* This compiler generates binary code out of text shader code, using the Effect
 * classes of the XNA Framework. */
/* Note: the compiler is internally mapped to an external DLL:
 *   "X":\Program Files\Common Files\microsoft shared\XNA\Framework\v1.0X\XNANative1.dll
 * which hosts functions like CompileEffectForXbox. */
/* This allows you to easily precompile binary shader code and use it with other
 * Xbox 360 projects (like Linux, XBMC). */
/* History: 25-08-22 Creation, Tser */
/* How to compile this:
 * - Install the XNA Framework
 * - Create a new Windows Console Application
 * - Add a reference to Microsoft.Xna.Framework
 * - Replace your Program.cs with this Program.cs :) */
using System;
using Microsoft.Xna.Framework;
using Microsoft.Xna.Framework.Graphics;

namespace rshadercompiler
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                Console.WriteLine("R 360 XNA Shader / Effect Compiler");
                if (args.Length < 3)
                {
                    if (args.Length == 1 && args[0] == "/test") { SelfTest(); return; }
                    Console.WriteLine("usage: rshadercompiler Input.fx output.bin /type NameOfMainFunction");
                    Console.WriteLine(" where /type is /ps for xbox pixelshader");
                    Console.WriteLine(" /vs for xbox vertexshader");
                    Console.WriteLine(" /xvs for asm based xbox vertexshader");
                    Console.WriteLine(" /xps for asm based xbox pixel shader");
                    Console.WriteLine(" /effect for effects");
                    Console.WriteLine(" if you use /vs or /ps supply NameOfMainFunction");
                    return;
                }
                switch (args[2])
                {
                    case "/ps":
                    case "/vs":
                        // HLSL shaders need an entry point name; check it exists before indexing args[3]
                        if (args.Length < 4)
                        {
                            Console.WriteLine(" /ps and /vs require NameOfMainFunction");
                            break;
                        }
                        CompileShader(args[0], args[1],
                            args[2] == "/ps" ? ShaderProfile.PS_3_0 : ShaderProfile.VS_3_0,
                            false, args[3]);
                        break;
                    case "/xps":
                        CompileShader(args[0], args[1], ShaderProfile.XPS_3_0, true, string.Empty);
                        break;
                    case "/xvs":
                        CompileShader(args[0], args[1], ShaderProfile.XVS_3_0, true, string.Empty);
                        break;
                    case "/effect":
                        CompileEffect(args[0], args[1]);
                        break;
                    default:
                        Console.WriteLine(" I have no clue whatsoever how to handle " + args[2]);
                        break;
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("We encountered an undocumented feature\n" + ex.Message);
                Console.WriteLine(ex.StackTrace); // main stack
            }
        }

        // Both XBOX and XBOX360 are predefined so the same HLSL source can #ifdef on either.
        static CompilerMacro[] XboxMacros()
        {
            CompilerMacro[] macros = new CompilerMacro[2];
            macros[0].Name = "XBOX";
            macros[1].Name = "XBOX360";
            return macros;
        }

        static void CompileShader(string inputfile, string outputfile, ShaderProfile profile,
                                  bool isAsm, string entryname)
        {
            Console.WriteLine(String.Format("- Parsing {0}\n- into {1}", inputfile, outputfile));
            CompiledShader compiled;
            if (isAsm)
            {
                // /xps and /xvs input is already Xbox 360 shader assembly
                compiled = ShaderCompiler.AssembleFromFile(inputfile, XboxMacros(), null,
                    CompilerOptions.None, TargetPlatform.Xbox360);
            }
            else
            {
                compiled = ShaderCompiler.CompileFromFile(inputfile, XboxMacros(), null,
                    CompilerOptions.None, entryname, profile, TargetPlatform.Xbox360);
            }
            Console.WriteLine(compiled.ErrorsAndWarnings);
            if (compiled.Success)
            {
                Console.WriteLine("- Compiled!");
                System.IO.File.WriteAllBytes(outputfile, compiled.GetShaderCode());
                Console.WriteLine(String.Format("- bytecode stored into {0}", outputfile));
            }
            else
            {
                Console.WriteLine("- Errors Compiling File");
            }
            // string test = ShaderCompiler.Disassemble(compiled.GetShaderCode(), false, inputfile);
        }

        static void CompileEffect(string inputfile, string outputfile)
        {
            Console.WriteLine(String.Format("- Parsing {0}\n- into {1}", inputfile, outputfile));
            CompiledEffect compiled = Effect.CompileEffectFromFile(inputfile, XboxMacros(), null,
                CompilerOptions.None, TargetPlatform.Xbox360);
            Console.WriteLine(compiled.ErrorsAndWarnings);
            if (compiled.Success)
            {
                Console.WriteLine("- Compiled!");
                System.IO.File.WriteAllBytes(outputfile, compiled.GetEffectCode());
                Console.WriteLine(String.Format("- bytecode stored into {0}", outputfile));
            }
            else
            {
                Console.WriteLine("- Errors Compiling File");
            }
        }

        static void SelfTest()
        {
            const string Folder = "D:\\code\\360 loader\\rshadercompiler\\";
            string[] testVertexShader = { Folder + "vs.hlsl", Folder + "vs.bin", "/vs", "main" };
            string[] testPixelShader = { Folder + "ps.hlsl", Folder + "ps.bin", "/ps", "PSTest" };
            string[] testEffect = { Folder + "Effectje.fx", Folder + "effectje.bin", "/effect" };
            // string[] testAsmPixelShader = { Folder + "xps.asm", Folder + "xps.bin", "/xps" };
            Main(testVertexShader);
            Main(testPixelShader);
            // Main(testAsmPixelShader);
            Main(testEffect);
            Console.ReadKey();
        }
    }
}
```
download at http://tser.org/r3.rar but download it only if you are going to use it.. my site isn't that fast.

uberfry
« Reply #17 on: August 25, 2007, 02:58:39 PM »
I believe XNA doesn't need a valid drivekey and runs on 4532(?!) Anyone think it's possible to do the shader exploit in an XNA application?

tser
« Reply #18 on: August 25, 2007, 05:13:34 PM »
> I believe XNA doesn't need a valid drivekey and runs on 4532(?!) Anyone think it's possible to do the shader exploit in an XNA application?

It works without a DVD drive.. but.. The XNA Launcher disconnects if you are not connected to Xbox Live, and you cannot connect to Xbox Live if you have kernel 4532. So that's a chicken-and-egg issue, which can only be resolved if we are able to spoof a 4532 into a 5766. The XNA launcher is also account / Xbox locked, it seems. On my "brand new original-just-returned" the behaviour is different than on my offline Xbox. It complains about not being connected to Live on my original, and just quits on the other. (So my brand new one is exactly matched to my previous 3 lights of death one.)
« Last Edit: August 25, 2007, 05:30:13 PM by tser »

4cc3ss
« Reply #19 on: February 22, 2010, 10:40:21 PM »
There was interest with XNA Studio Connect in getting it to execute without the aid of an Xbox Live connection. Since the last post, development for the 360 has greatly increased, being able to run unsigned code; would it still not be possible in the right hands to exploit XNA without the aid of an Xbox Live connection?
But on the other hand, homebrew is on the move and with programs like libSDLx360 I suppose there won't be much call for XNA to get hacked.
« Last Edit: February 23, 2010, 12:48:57 PM by 4cc3ss »