Re: WG: getting help running unsigned code ...

Thanks for the response, but I don't see how this changes my view.

Basical you're saying that the execution format and the way the 
executables are loaded and run are completly diferrent, which is obvious 
clear.

The point I tried to make is that the source of the software will be
mostly identical (eg a bink decoder) and therefore will contain the same 
problems. Therefore the realy executed opcodes will mostlikely be the 
same and therfore be as vulnarable to stack trashing or stringbuffer 
overflows.

As far as I seen, you  can't protect against that kind of attack by just 
decrypting on the fly like the xbox is doing. More even, that way you
don't need to find the secret. The bugs we 're looking for cause stack
crashes. These can fearly easy be exploited to execute careful selected 
input as code.

kind regards,
red.

p.s.
 1) nice page , hope to see It in the standard documantion soon :-)
 2) tell me If you still think I'm overlooking something

Lehner Franz wrote:
> hy.
>
> nobody reacted, this is clear.
> the xbox software differs compleatly from the pc windows2000.
>
> the encryption is very simple, you only have to find the secret 2048 bit RSA
> key. !!!
> maybe, you take a look to
>
> http://fp2linux.caos.at/xbesecurity.htm
>
> if the document is ready, maybe we will release to the xboxlinux project
> page.
>
> franz
>
> -----Ursprungliche Nachricht-----
> Von: xbox-linux-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> [mailto:xbox-linux-devel-admin@xxxxxxxxxxxxxxxxxxxxx]Im Auftrag von Red
> Zebra
> Gesendet: Samstag, 23. November 2002 18:00
> An: xbox-linux-devel@xxxxxxxxxxxxxxxxxxxxx
> Betreff: [Xbox-linux] getting help running unsigned code ...
>
>
> I ran through most proposals for trying to run unsigned code and it
> seems to me that trying to smash the stack of signed code might be your
> best chance. I ain't got an X-box but I supose that much code running on
> x-box has its counterpart running on PC, I'm thinking specificly third
> party software , dll's , codecs whatever...
>
> If you guys could start making a list/identify of code which has a
> normal windows version counterpart, chances are big that holes/bugs
> available in the pc version are also existing in the xbox version.
>
> I think this could give this thing a boost.
> advantages :
>   - not specialized user could help in reporting files
>   - testing and identifying holes could be much easier and faster done
> on a standard pc version in first phase.
>   - security holes in common software reported by other hackers / which
> don't have or use x-box could be much more easly identified and chance
> is that they already have some nice exploit code for it which just needs
> adaptation.
>
>
> red.
>
>
>
>
>
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Xbox-linux-devel mailing list
> Xbox-linux-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/xbox-linux-devel





-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en