PoC or GTFO, Volume 2
Page 43
5 If the SGB BIOS does not find the special codes in the DMG game header that indicate it’s an SGB-enabled game ($146 equal to $03), it locks up the command channel until the game is reset, rendering any SGB based exploitation impossible. See http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header for more details.
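The check the footnote describes can be reproduced offline. The following is an added example, not code from the article or the pokered project: it reads a DMG cartridge header, verifies the header checksum the boot ROM computes, and reports whether an SGB would open its command channel. Offsets follow the cartridge-header reference linked above; besides $146 being $03, that reference also notes the SGB ignores packets unless the old licensee code at $14B is $33, so both are tested. The image produced by make_sample_rom() is constructed for the demo, not a real ROM dump.

```c
/* Added example (not from the original article): inspect a DMG cartridge
 * header the way the SGB BIOS does before it will honour command packets.
 * The sample image built by make_sample_rom() is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_TITLE        0x134
#define HDR_CGB_FLAG     0x143
#define HDR_SGB_FLAG     0x146   /* $03 = SGB functions supported */
#define HDR_CART_TYPE    0x147
#define HDR_OLD_LICENSEE 0x14B   /* $33 required before the SGB accepts packets */
#define HDR_CHECKSUM     0x14D   /* covers $134..$14C */
#define HDR_END          0x150

/* Header checksum as the boot ROM computes it: x = x - byte - 1 over $134..$14C. */
uint8_t header_checksum(const uint8_t *rom, size_t len)
{
    uint8_t x = 0;
    if (len < HDR_END)
        return 0;
    for (size_t i = HDR_TITLE; i < HDR_CHECKSUM; i++)
        x = (uint8_t)(x - rom[i] - 1);
    return x;
}

int header_checksum_ok(const uint8_t *rom, size_t len)
{
    return len >= HDR_END && header_checksum(rom, len) == rom[HDR_CHECKSUM];
}

/* 1 if an SGB will accept command packets from this cartridge, else 0.
 * Anything else leaves the command channel locked until reset. */
int sgb_commands_accepted(const uint8_t *rom, size_t len)
{
    if (len < HDR_END)
        return 0;
    return rom[HDR_SGB_FLAG] == 0x03 && rom[HDR_OLD_LICENSEE] == 0x33;
}

/* Fill a minimal image with a constructed header; title and cartridge type
 * are illustrative, not copied from a real cartridge. */
void make_sample_rom(uint8_t *rom, int sgb_enabled)
{
    memset(rom, 0, HDR_END);
    memcpy(rom + HDR_TITLE, "POKEMON RED", 11);
    rom[HDR_CGB_FLAG] = 0x00;
    rom[HDR_SGB_FLAG] = sgb_enabled ? 0x03 : 0x00;
    rom[HDR_CART_TYPE] = 0x13;                   /* MBC3+RAM+BATTERY */
    rom[HDR_OLD_LICENSEE] = 0x33;
    rom[HDR_CHECKSUM] = header_checksum(rom, HDR_END);
}

/* Verdict on a fresh sample image: 1 = command channel open, 0 = locked. */
int sample_sgb_status(int sgb_enabled)
{
    uint8_t rom[HDR_END];
    make_sample_rom(rom, sgb_enabled);
    return sgb_commands_accepted(rom, HDR_END);
}

/* Checksum verdict on a fresh sample, optionally with one title byte flipped. */
int sample_checksum_ok(int corrupt_title)
{
    uint8_t rom[HDR_END];
    make_sample_rom(rom, 1);
    if (corrupt_title)
        rom[HDR_TITLE] ^= 0x01;
    return header_checksum_ok(rom, HDR_END);
}

static void report(const uint8_t *rom, size_t len)
{
    char title[16] = {0};
    memcpy(title, rom + HDR_TITLE, 15);          /* stop before the CGB flag */
    printf("title: %s\n", title);
    printf("sgb flag: $%02X  old licensee: $%02X  header checksum %s\n",
           rom[HDR_SGB_FLAG], rom[HDR_OLD_LICENSEE],
           header_checksum_ok(rom, len) ? "ok" : "BAD");
    printf("SGB command channel: %s\n",
           sgb_commands_accepted(rom, len) ? "open" : "locked until reset");
}

int main(int argc, char **argv)
{
    uint8_t buf[HDR_END];
    if (argc > 1) {                              /* inspect a real ROM file */
        FILE *f = fopen(argv[1], "rb");
        if (!f || fread(buf, 1, HDR_END, f) != HDR_END) {
            fprintf(stderr, "cannot read header from %s\n", argv[1]);
            return 1;
        }
        fclose(f);
    } else {
        make_sample_rom(buf, 1);
    }
    report(buf, HDR_END);
    return 0;
}
```

Run it with a ROM path to inspect a real cartridge image; with no argument it reports on the constructed sample.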
6 unzip -j pocorgtfo10.pdf pokemon_plays_twitch/pokered-master.zip
7 The term “bot” was originally used because it’s as if you have a robot playing the game for you; DwangoAC later attached one of these replay devices to a R.O.B. robot as shown in Figure 10.1 and after presenting Pong and Snake on SMW, the name TASBot came to be associated with the combination as described at http://tasvideos.org/TASBot.
8 A way of crowdsourcing gameplay by parsing commands sent over IRC.
9 As with many exploits, the seed for this came from Bortreb’s Pokémon Yellow exploit, which itself came from earlier discoveries of others. Masterjun adapted the exploit for Pokémon Red using the BizHawk DMG emulator and DwangoAC took this information and made the Stage 0 and Stage 1 movie file in LSNES.
10 The same values can be found in the GBWRAM region at an offset of -0xC000, so the value for 0xD163 in GBBUS (which isn’t visible in the LSNES memory editor) can instead be found at 0x1163 in GBWRAM. GBBUS addressing is used throughout for consistency with existing resources such as the pokered disassembly.
11 This means the Pokémon data now extends past the end of WRAM; in fact the WRAM should in effect wrap around, although this isn't used.
12 The swap where j. is swapped with j. involves the pairs 00 00 and 00 F4, but they turn into 00 63 and 00 91 because we abuse the fact that the game treats a quantity of 00 as FF, and that you can only have ninety-nine (0x63) of any given item in one slot. FF + F4 = 1F3, which exceeds that cap, so the game stores 63 in one item and the remainder, 190 mod FF = 91, in the other.
13 There is no working way to ADD the two reads because we can’t write that opcode. Due to byte restrictions, we can’t use JP either, but CALL is close enough. See page 159.
14 This has implications even outside of TASing: if you hold a button for a single frame, you risk that input being lost (if the previous frame had no buttons pressed, that single frame's press could be overwritten by the earlier no-buttons frame), or your buttons could be held for an extra frame (even though you let go, you released just before the skew, so your buttons are sent for an additional frame). Either behavior could make a talented realtime player question their abilities, since they would have no idea that the console had caused their input to be wrong.
15 The movie we used was 2(prologue) + 5(banksetting) + 6(packetsend) + 5(packetsend) + 1(nop-for-slip) + 2(hang) + 11(packet1) + 7(packet2) + 2(unused) + 2(epilogue) = 43 bytes. We later discovered a different method where the smallest possible extended payload would have been 2(prologue) + 5(banksetting) + 6(packetsend) + 2(hang) + 13(packet) + 2(epilogue) = 30 bytes which is still too much to input without a slip due to our data rate being restricted to one nybble at a time, although the packet data’s 0x00 portion could potentially be used for this purpose.
16 It could be possible to use just one, by putting the NMI routine in a memory-mapped SGB packet register, but we decided not to, as we would need full exploit abilities just to test if this method actually works because the emulator isn’t accurate enough to test with.
17 Each blind test took five minutes, as we had to play back the entire movie before reaching the point where we could determine if it worked and we weren’t entirely certain it would work at all, but eventually we discovered the correct offset.
18 Based on the setting of a flags register bit that selects between an 8-bit and a 16-bit A register.
19 We considered putting the NMI code into the SGB packet receive buffer, which is a memory-mapped I/O register (and presumably can be executed by the CPU). We decided against this since the SGB emulation in BSNES is quite questionable and we didn’t know if it would work, largely due to the difficulty of testing it.
20 It’s not a surprise that it behaves differently in the emulator, as the SGB emulation accuracy in BSNES is questionable in a lot of places; it’s possible that the emulator triggers on a different edge of the clock than real hardware, or something similar. Regardless, on real hardware the DMG eventually crashes in a way that makes it stop producing sound, and while that is about the equivalent of driving a car into a brick wall instead of hitting the brakes, it at least gets the job done.
21 git clone https://github.com/TheAxeMan301/PptIrcBot
22 Pokémon Plays Twitch: How a Robot got IRC Running on an Unmodified SNES by Kyle Orland.
23 http://tasvideos.org/4947S.html
24 unzip -j pocorgtfo10.pdf pokemon_plays_twitch/sgbhowto.pdf
25 unzip pocorgtfo10.zip esp8266-arm-swd.zip
26 git clone https://github.com/scanlime/esp8266-arm-swd/
27 The mutant fish baby thing is kind of true according to developmental biology, but that’s not really our focus today.
28 unzip pocorgtfo10.pdf pregpatent.pdf
29 http://pferrie.host22.com/misc/lowlevel14.htm, PoC‖GTFO 4:4.
30 http://pferrie.host22.com/misc/lowlevel15.htm
31 http://pferrie.host22.com/misc/lowlevel16.htm
32 http://www.hackzapple.com/phpBB2/viewtopic.php?t=952
33 https://archive.org/details/apple_ii_library_4am
34 http://infocom.elsewhere.org/gallery/starcross/starcross-map.gif
35 http://gallery.guetech.org/spellbreaker/spellbreaker.html
36 http://infodoc.plover.net/manuals/temp/borderzo.pdf
37 This is why the minimum instruction execution time is two cycles: one for the instruction itself, one for the prefetch.
38 The Shugart SA400 on which the Disk ][ controller is based does have this capability via index detector circuits, but that feature was removed from the Disk ][ controller to reduce the cost to manufacture it.
39 This is a requirement if the data field can be written independently of its address field. Since the write is not guaranteed to begin on a byte boundary, the self-synchronizing values are required for the controller to synchronize itself when reading the data again.
40 As opposed to reading the sectors in sequential order, and then writing the entire track—that would only make it a sector-copier with a faster write routine.
41 A sector-copier can use the collection of sectors as a basic track length; the bit-copier has no such luxury. Instead, it is left to “guess,” and might be forced to discard or insert additional data to reconstruct a track of the same length. The difference occurs when the rotation speed of the drive that is being used to make the copy is not the same as that of the drive that was used to make the original.
42 See John’s comment at September 3rd, 2015 12:12 pm on http://www.bigmessowires.com/2015/08/27/apple-ii-copy-protection/
43 It also ignores the address field checksum and volume number.
44 This would be the equivalent of about 18.5 256-byte sectors in 6-and-2 encoding. Using 19 sectors is possible if the full range of values from the first figure is used, but it introduces the problem of identifying the start of a sector, since there are then no single values that can be reserved exclusively for that purpose. One possible solution is to find a sequence which cannot appear in user data due to particular characteristics of the decoding process. Just because it is possible doesn’t mean that it’s easy.
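The reservation problem the footnote describes is easiest to see by enumerating the data alphabet. The following is an added example, not code from the article: it applies the rules behind the DOS 3.3 6-and-2 nibble table (high bit set, at most one pair of adjacent zero bits, at least one pair of adjacent one bits not counting the high bit), confirms that exactly 64 bytes qualify, and shows that $D5 and $AA fall outside the alphabet, which is what lets a single reserved byte mark the start of a field. Widen the alphabet to every readable byte and that property is gone, which is the footnote's point. The nibble stream scanned at the end is constructed.

```c
/* Added example (not from the original article): the 6-and-2 data alphabet
 * and why $D5/$AA can serve as markers. The scanned stream is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DATA_ALPHABET      64    /* 6 bits per data nibble */
#define DATA_FIELD_NIBBLES 342   /* 256 bytes regrouped into 6-bit units */

int is_data_nibble(uint8_t b)
{
    int zero_pairs = 0, one_pairs = 0;
    if (!(b & 0x80))
        return 0;
    for (int i = 0; i < 7; i++) {            /* examine bit pair (i+1, i) */
        int hi = (b >> (i + 1)) & 1, lo = (b >> i) & 1;
        if (!hi && !lo)
            zero_pairs++;                    /* "000" counts twice and fails */
        if (hi && lo && i + 1 < 7)
            one_pairs++;                     /* the pair (7,6) does not count */
    }
    return zero_pairs <= 1 && one_pairs >= 1;
}

/* Collect the alphabet in ascending order (the order DOS 3.3's write table
 * uses); returns how many bytes qualify even if cap is smaller. */
int build_data_alphabet(uint8_t *out, size_t cap)
{
    int n = 0;
    for (int b = 0x80; b <= 0xFF; b++) {
        if (!is_data_nibble((uint8_t)b))
            continue;
        if ((size_t)n < cap)
            out[n] = (uint8_t)b;
        n++;
    }
    return n;
}

/* Decode one disk nibble to its 6-bit value, or -1 if it is not a data
 * nibble, so a reserved marker can never be mistaken for user data. */
int nibble_to_six(uint8_t b)
{
    static uint8_t table[DATA_ALPHABET];
    static int table_len = -1;
    if (table_len < 0)
        table_len = build_data_alphabet(table, DATA_ALPHABET);
    for (int i = 0; i < table_len; i++)
        if (table[i] == b)
            return i;
    return -1;
}

/* Locate the address-field prologue D5 AA 96. Because $D5 never occurs in
 * data, matching a single reserved byte is enough to find the field start;
 * an alphabet that used every readable byte would need a multi-byte sequence
 * the encoder cannot produce, which is the 19-sector problem. */
long find_address_prologue(const uint8_t *stream, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (stream[i] == 0xD5 && stream[i + 1] == 0xAA && stream[i + 2] == 0x96)
            return (long)i;
    return -1;
}

/* Constructed stream: self-sync $FF bytes, two data nibbles, then a prologue. */
long sample_prologue_offset(void)
{
    const uint8_t stream[] = { 0xFF, 0xFF, 0xFF, 0x96, 0x97, 0xD5, 0xAA, 0x96, 0xFF };
    return find_address_prologue(stream, sizeof stream);
}

int main(void)
{
    uint8_t table[DATA_ALPHABET];
    int n = build_data_alphabet(table, DATA_ALPHABET);
    printf("%d data nibbles, $%02X..$%02X; %d nibbles per 256-byte field\n",
           n, table[0], table[n - 1], DATA_FIELD_NIBBLES);
    printf("$D5 usable as data: %d, $AA usable as data: %d\n",
           is_data_nibble(0xD5), is_data_nibble(0xAA));
    printf("address prologue found at offset %ld\n", sample_prologue_offset());
    return 0;
}
```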
45 The same is true for the track number, and Jumble Jet has multiple tracks which claim to be track zero.
46 The same is true for the track number. That is, a number which is not in the range of zero to 34.
47 That is, it polls the QA switch of the Data Register while the top bit is clear, stores the fetched value, and then resumes polling.
48 Interestingly, one title from Thunder Mountain and released in the same year is known to use the regular version. It is entirely possible that the alternative version was developed in-house to avoid paying royalties to protect other products.
49 http://pferrie.host22.com/misc/0boot.zip
50 http://pferrie.host22.com/misc/qboot.zip
51 Personal communication
52 FFA was founded by the co-founder of Automated Simulations, whose last name begins with “Free,” and a programmer whose last name ends with “Fall.”
53 Personal communication
54 This was claimed by a cracker whose crack-screens were displayed only by pressing a particular key-sequence during the boot. They were known as “Hidden Pages.” (Imagine that—a cracker who didn’t want to brag openly!) Both of the programs Captain Goodnight and Where In The World Is Carmen Sandiego (first release) use alternating quarter-tracks, the same technique as in the program Championship Lode Runner. (The former two were released within a year of the latter one.) The sectors are placed in a N/S/E/W orientation on the first two tracks, a NW/SE/NE/SW orientation on the next two tracks, and then back to the N/S/E/W orientation on the next two tracks, and so on. The loader will allow an entire revolution to pass, if necessary, in order to find the requested sector. The tracks are synchronized, however, because they must be to avoid cross-talk. (§10:7.3.)
55 http://pferrie.host22.com/misc/aplibunp.zip
56 http://pferrie.host22.com/misc/lz4unp.zip
57 git clone https://github.com/fadden/fhpack
58 This is true only when the full warm-start vector is not #$00 #$E0 #$45 ($E000 and #$45). If the vector is $E000 and #$45, then the cold-start handler will change it to $E003, and resume execution from $E000. This behavior could have been used as an indirect transfer of control on the Apple ][+, by jumping back to the cold-start handler, which would look like an infinite loop, but it would actually resume execution from $E003.
59 Pre-Autostart ROMs simply dumped the register values to the screen, then dropped to the monitor prompt.
60 From the Proceedings of the 20th USENIX Security Symposium, 2011:
unzip pocorgtfo10.pdf p25sec.pdf
61 The folks at Connect Systems are nice and neighborly, so please buy a radio from them.
62 In particular, I used r543 of the old SVN repository from 4 July 2012.
63 See PoC‖GTFO 2:5.
64 Transfers this large work on Mac but not Linux.
65 The MD5 of my bootloader image is 721df1f98425b66954da8be58c7e5d55, but you might have a different one in your radio.
66 Confusingly enough, this is the third implementation of DFU for this project! The radio application, the recovery bootloader, and the ROM bootloader all implement different variants of DFU. Take care not to confuse them.
67 unzip pocorgtfo10.pdf hrc5000.pdf
68 ETSI TS 102 361, Parts 1 to 4.
69 In assembly, this looks like LSLS r0, r0, #8; LSRS r0, r0, #8.
70 Two days of scanning presented nothing more interesting than a damaged elevator and an undergrad too drunk to remember his dorm room keys. Almost gives me some sympathy for those poor bastards who have to listen to wiretaps.
11 Welcoming Shores of the Great Unknown
1 If you RTFP, you’ll note that the Apple batteries have a separate BQ29312 Analog Frontend (AFE) to protect against such nonsense, as well as a Matsushita MU092X in case the BQ29312 isn’t sufficient.
2 One time, my Studebaker ran out of gas on the highway. Maybe we should start a support group?
3 unzip pocorgtfo11.pdf batteryfirmware.pdf
4 unzip pocorgtfo11.pdf sluu225.pdf
5 unzip pocorgtfo11.pdf bq20z80.py
6 Remember, though, that redemption is for everyone, and that one day you may find a strange and radiant machine you will treasure for the cleverness of its mechanisms, no matter if others call it junk. On that day we will welcome you back in the spirit of PoC!
7 git clone https://github.com/osresearch/vst
unzip pocorgtfo11.pdf vst.tar.bz2
8 unzip pocorgtfo11.pdf tronsolitare.zip
9 Thumb2 instructions run from Thumb mode. The only thing new about them is that they can be longer than 16 bits, so your disassembler might be slightly confused about their starting position.
10 git clone https://github.com/radare/radare2
11 Here are the rules: increment by two if registers r0 or r1, or if r4-r15, are used with a .W (2-byte) operand; increment by one if r4 to r15 are used with a .B operand.
12 Global disable is done by clearing the GIE bit of the status register, r2.
13 If not, use a command like msp430-objcopy -I ihex -O elf32-msp430 dump.hex dump.msp430 to convert from Intel Hex.
14 Page 23 of http://www.ti.com/lit/ds/symlink/msp430f1611.pdf
15 https://pdfium.googlesource.com/pdfium/
12 Collecting Bottles of Broken Things
1 Cf. Paul Ehrlich, “The Population Bomb,” 1968, p. xi, which begins with “The battle to feed all of humanity is over. In the 1970s hundreds of millions of people will starve to death in spite of any crash programs embarked upon now. At this late date nothing can prevent a substantial increase in the world death rate. . . ” The 1975 edition amended “the 1970s” to “the 1970s and 1980s,” but—as the newer and more fashionable kinds of school math teach us—never mind the numbers, the idea is the important thing!
2 Oops, that one was a quote, too. No wonder that story was a best-seller!
3 Ibid., p. xiii.
4 If you think that the “non-renewable computation” argument makes no sense, you are absolutely right! But, do the arguments for “golden keys” in cryptography or for “regulating exploits” make any more sense? No, and they sound just as scientific to those inclined to believe that actual experts have, in fact, been consulted. And sometimes they even have been, for a certain definition of experts.
5 unzip pocorgtfo12.pdf zwave.tar.bz2
6 MSDN, MIME Type Detection in Windows Internet Explorer
7 Chris Evans, Generic Cross-browser Cross-domain Theft
8 Filedescriptor, Cross-origin CSS Attacks Revisited (feat. UTF-16)
9 OWASP, Secure Headers Project
10 HTML5 Standard
11 Michele Spagnuolo, Abusing JSONP with Rosetta Flash, PoC‖GTFO 5:11.
12 Gábor Molnár, Bypassing Same Origin Policy With JSONP APIs and Flash
13 Alex Inführ @insertscript, PoC for the FormCalc content exfiltration
14 unzip pocorgtfo12.pdf CommaChameleon/CrossSiteContentHijacking
15 Soroush Dalili, JS-instrumented content exfiltration PoC
16 Adobe, Cross-scripting PDF content in an Adobe AIR application
17 Adobe, JavaScript for Acrobat API Reference
18 unzip pocorgtfo12.pdf CommaChameleon/xfa.zip
19 John Brinkman, Calling FormCalc Functions From JavaScript
20 unzip pocorgtfo12.pdf CommaChameleon
21 Chromium Blog, The Final Countdown for NPAPI
22 Mozilla Security Blog, Putting Users in Control of Plugins
23 Adobe, Portable Document Format ISO standard, Section 12.7.7
24 Adobe, XML Forms Data Format Specification
25 Adobe, Acrobat Application Security Guide, 4.5.1
26 Vladimir Vorontsov, SDRF Vulnerability in Web Applications and Browsers
27 Alex Inführ, PDF—Mess With the Web
28 git clone https://github.com/angea/corkami
29 Perhaps it is necessary to specify, Turing-complete architecture.
30 See The Page-Fault Weird Machine: Lessons in Instruction-less Computation by Julian Bangert et al., USENIX WOOT’13 or the 29C3 talk “The Page Fault Liberation Army or Gained in Translation” by Bangert & Bratus
31 movcc -Wf--no-mov-loop program.c -o program
32 git clone https://github.com/xoreaxeaxeax/reducto
33 unzip pocorgtfo12.pdf reducto.tgz
34 Mainframe experts, this is a very high level discussion. Please don’t beat me up about various dataset types!
MAINTENANCE ROOM
THIS IS WHAT APPEARS TO HAVE BEEN THE MAINTENANCE ROOM FOR FLOOD CONTROL DAM #3. APPARENTLY,
THIS ROOM HAS BEEN RANSACKED RECENTLY, FOR MOST OF THE VALUABLE EQUIPMENT IS GONE. ON THE WALL IN FRONT OF YOU IS A GROUP OF BUTTONS, WHICH ARE LABELLED IN EBCDIC.
35 http://www.tutorialspoint.com/jcl/jcl_job_statement.htm
36 See page 189 of has2a620.pdf.
37 See page 13 of has2a620.pdf.
38 See page 194 of has2a620.pdf.
39 See page 111 of has2a620.pdf.
40 See page 119 of has2a620.pdf.
41 See page 122 of has2a620.pdf.
42 See page 124 of has2a620.pdf.
43 See page 125 of has2a620.pdf.
44 See page 123 of has2a620.pdf.
45 See page 102 of has2a620.pdf.
46 See page 19 of has2a620.pdf.
47 See page 38 of has2a620.pdf.
48 https://nmap.org/nsedoc/scripts/nje-node-brute.html
unzip pocorgtfo12.pdf nje-node-brute.nse
49 git clone https://github.com/zedsec390/NJElib
50 You will note this is irrelevant, due to the nature of wait any.
51 This is especially hard on Windows 8.1, and even harder on Windows 10.
52 Windows lists are circular, not null-terminated.
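Anyone walking these lists from the outside (forensics over a memory image, shellcode resolving modules through the PEB loader lists) needs the termination rule right, and the footnote's one sentence is the whole rule. The following is an added example, not code from the article: LIST_ENTRY, CONTAINING_RECORD and the two list helpers mirror their ntdef.h/wdm.h definitions so it builds on any platform, and the module records it links are constructed, not read from a real process. The list head is a bare LIST_ENTRY that belongs to no record, so the walk ends when Flink comes back around to it; a walk that waits for NULL never ends.

```c
/* Added example (not from the original article): walking a Windows-style
 * circular doubly linked list. Definitions mirror ntdef.h/wdm.h; the module
 * records are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head)
{
    head->Flink = head->Blink = head;     /* empty list: head points to itself */
}

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Stand-in for a loader entry: the links are embedded in the record, while
 * the list head is a bare LIST_ENTRY that is not part of any record. */
typedef struct {
    LIST_ENTRY Links;
    const char *Name;
    unsigned long Base;
} MODULE;

/* Correct walk: the terminator is "back at the head", never NULL. */
size_t count_modules(LIST_ENTRY *head)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        n++;
    return n;
}

/* Wrong walk, bounded so it terminates here: Flink is never NULL on a
 * circular list, so this runs past the head, treats the sentinel as a
 * MODULE, and keeps circling until the bound stops it. */
size_t count_modules_expecting_null(LIST_ENTRY *head, size_t bound)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != NULL && n < bound; e = e->Flink)
        n++;
    return n;
}

const MODULE *find_module(LIST_ENTRY *head, const char *name)
{
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const MODULE *m = CONTAINING_RECORD(e, MODULE, Links);
        if (strcmp(m->Name, name) == 0)
            return m;
    }
    return NULL;
}

/* Build a three-entry list once; names and base addresses are made up. */
LIST_ENTRY *sample_module_list(void)
{
    static LIST_ENTRY head;
    static MODULE mods[3] = {
        { {0, 0}, "demo.exe",     0x00400000UL },
        { {0, 0}, "ntdll.dll",    0x77d00000UL },
        { {0, 0}, "kernel32.dll", 0x76c00000UL },
    };
    static int built;
    if (!built) {
        InitializeListHead(&head);
        for (size_t i = 0; i < 3; i++)
            InsertTailList(&head, &mods[i].Links);
        built = 1;
    }
    return &head;
}

int main(void)
{
    LIST_ENTRY *head = sample_module_list();
    printf("modules: %zu\n", count_modules(head));
    printf("walk expecting NULL gave up at bound: %zu\n",
           count_modules_expecting_null(head, 100));
    const MODULE *m = find_module(head, "ntdll.dll");
    if (m)
        printf("%s at 0x%lx\n", m->Name, m->Base);
    return 0;
}
```

The same CONTAINING_RECORD step is what turns a LIST_ENTRY address found in a memory dump back into the enclosing structure; applying it to the head sentinel yields garbage, which is exactly what the NULL-expecting walk does on its first lap past the end.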
53 unzip pocorgtfo12.pdf vimmmex.tar.gz
git clone https://github.com/xoreaxeaxeax/vimmmex
54 This has been solved in time for the electronic release. Use the Force to unravel its secrets. . . You may even propagate it neighbourly by Near Force Communication, in which case Padawans have first to accept APKs from unknown sources.
13 Stones from the Ivory Tower, Only as Ballast
1 Geoff was the first to discover Aaron R. Reynolds’ “AARD” code from the beta release of Windows 3.1 that intentionally broke compatibility with DR-DOS. He also has a delightful article on exactly how AOL exploited a buffer overflow in their own AOL Instant Messenger client to distinguish it from Microsoft’s clone, MSN Messenger.