Status
Not open for further replies.

Finisterre
%x and %n had interesting results when used as a ROM name or display string. I'm not sure if this is useful or not, but it certainly is 1999 style love!

[screenshot]


%n seemed to leave funny artifacts on the screen indicating to me that perhaps it was actually writing to arbitrary memory addresses.
[screenshot]

Add a few too many and Naomi goes blue and locks up. =]

[screenshot]
 

These shots show the memory addresses a bit better. I used %x.%x.%x.%x to help with the visualization.
[screenshot]
 

As I said "I'm not sure if this is useful or not"...

It looks like potential arbitrary write access to memory locations inside the running Test Menu, or inside a Running ROM.
At this point sans extra context, I am personally not entirely sure.

I assume you folks are familiar with format string issues, and how they are exploited for memory corruption ultimately influencing process flow?

At the very least if handled *similarly* in an emulator this could mean someone that passes you an arbitrary rom file may be able to execute code on your machine in the context of the process running the emulator. I'll have to look at it a bit more.
 
At the very least if handled *similarly* in an emulator this could mean someone that passes you an arbitrary rom file may be able to execute code on your machine in the context of the process running the emulator.
8o you had good weed
 
@Finisterre that looks like you changed the type of some variables, so now they show text where there should be a number, or something like that.

It would be helpful for some people debugging that wanted to show some text on the screen, I guess. But those people will have their own, more customized display routines. I did it in the past and that was what I used.
 
@Darksoft "change the type of some variables so now they show text where should be a number"
pretty much this.

If you are not familiar with format strings, here is how they work. In essence, a number of functions accept 'format specifiers', printf() being one we can use as an example. They control how the resulting text is displayed on the screen; one such function is likely being used by the Naomi Test menu and by the DIMM firmware that I was modifying. The developer was accepting the specifier in what is, in essence, user-controlled input, for lack of a better term.

Usually, proper practice would dictate that the developer specify the format string themselves, rather than ingesting it from untrusted input vectors. Otherwise an "attacker" can supply their own format specifier if they can control the input, as you can in this specific case (because the rom is editable).

Common format specifiers are:
%s for string
s
If no l modifier is present: The const char * argument is expected to be a pointer to an array of character type (pointer to a string). Characters from the array are written up to (but not including) a terminating null byte ('\0'); if a precision is specified, no more than the number specified are written. If a precision is given, no null byte need be present; if the precision is not specified, or is greater than the size of the array, the array must contain a terminating null byte.

%x for unsigned hex
o, u, x, X
The unsigned int argument is converted to unsigned octal (o), unsigned decimal (u), or unsigned hexadecimal (x and X) notation. The letters abcdef are used for x conversions; the letters ABCDEF are used for X conversions. The precision, if any, gives the minimum number of digits that must appear; if the converted value requires fewer digits, it is padded on the left with zeros. The default precision is 1. When 0 is printed with an explicit precision 0, the output is empty.
More detail on the exact specifiers available can be found here:
https://linux.die.net/man/3/printf

There is a very special specifier called %n, with which, rather than *reading* memory, you can *write* to it.
n
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.

Being able to write to memory actually allows you to influence process control. You can ultimately get to a point in which you can control the address being referenced by the format specifier, and as such you end up with a "what / where" constant in which you can write any bytes you want anywhere in memory. There are of course nuances and techniques to make this happen in certain contexts.

These are some examples of exploitation of format string issues to provide root on an OSX machine. I wrote the details many, many years ago! Over a decade at this point.

http://www.digitalmunition.com/DMA[2006-0628a].txt
https://www.exploit-db.com/papers/13179/

"It would be helpful for some people debugging that wanted to show some text on the screen"
Yes, at this point it is probably not of much use to you folks, but years ago, before all the memory locations and the details of the system's memory layout were known, this could indeed have been used to debug certain aspects of the system.

In theory, this could very likely be used to modify the memory of a NetDIMM, to massage bits of the OS in place to allow login to the underlying vxworks OS. Again... probably not of much use, but fun for folks that enjoy mental gymnastics.
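An added example in C (not code from the Naomi test menu or the DIMM firmware) of the pattern described in the post above: the unsafe call that lets a ROM name act as a format string, the fix of passing the name as a %s argument instead, and a check a developer can run on an untrusted display string to count specifiers and flag %n. The sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not code from the Naomi test menu or the
 * DIMM firmware. Before (the bug): the untrusted ROM name *is* the format
 * string, so "%x" reads whatever sits in the argument slots and "%n" writes
 * through whatever pointer it finds there:
 *
 *     snprintf(line, sizeof line, rom_name);
 *
 * After (the fix): the format is a literal and the name is plain data, so
 * "%x.%x.%x.%x" is displayed verbatim instead of being interpreted. */
const char *render_name(const char *rom_name, char *line, size_t len) {
    snprintf(line, len, "%s", rom_name);
    return line;
}

/* Count '%' conversions in a string that must never be used as a format.
 * "%%" is the escape for a literal percent sign and is not counted. */
int count_format_specifiers(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Return 1 if the string carries a %n (write) conversion, skipping any
 * flag, width, precision or length characters between '%' and 'n'. */
int has_n_specifier(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p && strchr("0123456789.-+ #hlLqjzt$*", *p)) p++;
        if (*p == 'n') return 1;
    }
    return 0;
}
int main(void) {
    /* Constructed sample names, including the ones used in the thread. */
    const char *names[] = { "%x.%x.%x.%x", "%n%n%n%n", "100%% FUN", "TEST ROM" };
    char line[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s specifiers=%d has_%%n=%d shown as: %s\n", names[i],
               count_format_specifiers(names[i]), has_n_specifier(names[i]),
               render_name(names[i], line, sizeof line));
    return 0;
}
```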
 
In theory, this could very likely be used to modify the memory of a NetDIMM, to massage bits of the OS in place to allow login to the underlying vxworks OS. Again... probably not of much use,
But why? There is no protection in NAOMI software. There is no protection in DIMM firmware (except CRC validation, but I can't call this "protection").
There is no need to be a l33t h4xor to run whatever code on NAOMI or DIMM, just a regular software developer / coder: develop some code, put it in a game rom or DIMM firmware update, and it will be run. That's it, no cool tricks needed.

probably not of much use, but fun for folks that enjoy mental gymnastics.
pure mental masturbation, yes ;)
 
Don't forget some folks are here for fun... what you find fun may not be fun for anyone else. As an example, the vxworks WDB stuff that is enabled on the NetDIMM is well known in the security circles that I come from, and seeing *real* examples of it is always interesting. A decade ago, had you all not found another way to obtain NetDIMM firmware images, it would have been a path to do so. Seems easy to discount its utility now.

Re: "but why" with a specific example: I know folks around here were not particularly impressed with me using WDB to dump the DIMM memory; for me, however, that was actually *fun*. It was nice to find yet another system in the thread of things touched by the awful WDB bug.


I've noticed you guys get hung up on the "why" aspect frequently.

vxworks systems are quite common in flight critical systems that I've messed with for work, so I happen to enjoy them in all forms, regardless of the context to you folks here in video game land. This is a talk I gave recently to some folks at the FAA regarding keeping the systems on planes more secure vs historic missteps. Vxworks was featured...

https://prezi.com/view/4L3GEmF1yQz5DSapozau

Trust me, much of what you folks are doing here falls under "pure mental masturbation" just the same! You all live in a world in which I don't; please don't let that twist your views on how other folks may choose to have fun and tease their brains.

"develop some code, put it in game rom"... maybe I'm more interested in a /bin/sh shell on the Vxworks subsystem and the various ways to get at one.
Maybe playing with the innards of the system is more *fun* for me than playing a game, or seeking to emulate the system so I can play a game?

*salute*
 
vxworks systems are quite common in flight critical systems that I've messed with for work
Now that's useful information, which probably explains your approach. I think it would be better if you could provide an example of something that can already be used in existing games, e.g. a way to change region or avoid needing to use a PIC, etc.

I'm closing this thread for now as I don't want this to escalate. @Mitsurugi-w
 
A decade ago, had you all not found another way to obtain NetDIMM firmware images, it would have been a path to do so. Seems easy to discount its utility now.
Would you like to know how the netdimm firmware was dumped originally?

I've noticed you guys get hung up on the "why" aspect frequently.
It is because we want to understand what you're trying to communicate with everyone here. You make a post with a bunch of screenshots but no explanation; then get upset when we ask what you're trying to share?

Maybe if you had prefaced your first post with some of the details in post #10, we wouldn't be scratching our heads.
 