Reprogramming Super Mario World from Inside The Game

[SethBling] recently set a world record speed run of the classic Super Nintendo game Super Mario World on the original SNES hardware. He managed to beat the game in five minutes and 59.6 seconds. How is this possible? He actually reprogrammed the game by moving specific objects to very specific places and then executing a glitch. This method of beating the game was originally discovered by Twitch user [Jeffw356] but it was performed on an emulator. [SethBling] was able to prove that this “credits warp” glitch works on the original hardware.

If you watch the video below, you’ll see [SethBling] visit one of the first available levels in the game. He then proceeds to move certain objects in the game to very specific places. What he’s doing here is manipulating the game’s X coordinate table for the sprites. By moving objects to specific places, he’s manipulating a section of the game’s memory to hold specific values in a specific order. It’s a meticulous process that likely took a lot of practice to get right.

Once the table was set up properly, [SethBling] needed a way to get the SNES to execute the X table as CPU instructions. In Super Mario World, there are special items that Mario can obtain that act as a power up. For example, the mushroom will make him grow in size. Each sprite in the game has a flag to tell the SNES that the item is able to act as a power up. Mario can either collect the power up by himself, or he can use his friendly dinosaur Yoshi to eat the power up, which will also apply the item’s effects to Mario.

The next part of the speed run involves something called the item swap glitch. In the game, Mario can collect coins himself, or Yoshi can also collect them by eating them. A glitch exists where Yoshi can start eating a coin, but Mario jumps off of Yoshi and collects the coin himself simultaneously. The result is that the game knows there is something inside of Yoshi’s mouth but it doesn’t know what. So he ends up holding an empty sprite with no properties. The game just knows that it’s whatever sprite is in sprite slot X.

Now comes the actual item swap. There is an enemy in the game called Chargin’ Chuck. This sprite happens to have the flag set as though it’s a power up. Normally this doesn’t matter because it also has a flag set to tell the game that it cannot be eaten by Yoshi. Also, Chuck is an enemy, so it actually hurts Mario rather than acting as a power up. So under normal circumstances, this sprite will never actually act as a power up. The developers never programmed the game to properly handle this scenario, because it was supposed to be impossible.

If the coin glitch is performed in a specific location within the level, a Chargin’ Chuck will spawn just after the coin is collected. When the Chuck spawns, it will take that empty sprite slot and suddenly the game believes that Yoshi is holding the Chuck in his mouth. This triggers the power up condition, which as we already know was never programmed into the game. The code ends up jumping to an area of memory that doesn’t contain normal game instructions.

The result of all of this manipulation and glitching is that all of the values in the sprite X coordinate table are executed as CPU instructions. [SethBling] set up this table to hold values that tell the game to jump to the end credits. The console executes them and does as commanded, and the game is over just a few minutes after it began. The video below shows the speed run but doesn’t go far into the technical details; you can read more about it here.

This isn’t the first time we’ve seen this type of hack. Speed runs have been performed on Pokemon with very similar techniques. Another hacker managed to program and execute a version of single player pong all from within Pokemon Blue. We can’t wait to see what these game hackers come up with next.

Tearing Apart an Android Password Manager

With all of the various web applications we use nowadays, it can be daunting to remember all of those passwords. Many people turn to password management software to help with this. Rather than remembering 20 passwords, you can store them all in a (presumably) secure database that’s protected by a single strong password. It’s a good idea in theory, but only if the software is actually secure. [Matteo] was recently poking around an Android password management software and made some disturbing discoveries.

The app claimed to be using DES encryption, but [Matteo] wanted to put this claim to the test. He first decompiled the app to get a look at the code. The developer used some kind of code obfuscation software but it really didn’t help very much. [Matteo] first located the password decryption routine.

He noticed first that the software was using DES in ECB mode, which has known issues and really shouldn’t be used for this type of thing. Second, the software simply uses an eight-digit PIN as the encryption key. This only gives up to 100 million possible combinations. It may sound like a lot, but to a computer that’s nothing. The third problem was that if the PIN is less than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four-digit PINs, this can possibly lower the total number of combinations to just ten thousand.

As if that wasn’t bad enough, it actually gets worse. [Matteo] found a function that actually stores the PIN in a plain text file upon generation. When it comes time to decrypt a password, the application will check the PIN you enter with the one stored in the plain-text file. So really, you don’t have to crack the encryption at all. You can simply open the file and reveal the PIN.

[Matteo] doesn’t name the specific app he was testing, but he did say in the Reddit thread that the developer was supposedly pushing out a patch to fix these issues. Regardless, it goes to show that before choosing a password manager you should really do some research and make sure the developer can be trusted, lest your secrets fall into the wrong hands.

[via Reddit]

Hacking PayPal Accounts With CSRF

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

PayPal is a huge player in the payment processing world, but that doesn’t mean they are without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The victim’s browser then makes requests on the victim’s behalf, carrying the victim’s own session. This is only possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below.
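The property [Yasser]’s finding shows missing is that a CSRF token must be bound to one session and consumed by one request. This added example (not PayPal’s code; the secret, names and session IDs are constructed) puts the unbound form, which any leaked token passes for every user, next to a session-bound, single-use form.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real deployment keeps this in a secrets store.
SERVER_SECRET = b"constructed-example-secret"


def _mac(message: str) -> str:
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def mint_unbound_token() -> str:
    """Weak pattern: the token proves only that this server issued it.
    Nothing ties it to a user, so one token passes the check for any session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(nonce)}"


def verify_unbound_token(token: str) -> bool:
    nonce, _, mac = token.partition(".")
    return bool(mac) and hmac.compare_digest(mac, _mac(nonce))


class BoundTokens:
    """Corrected pattern: the MAC covers the session ID, and each nonce is
    accepted once, so a token minted for one user is useless for another
    and cannot be replayed for a second request."""

    def __init__(self) -> None:
        self._used = set()  # nonces already spent on a successful request

    def mint(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{_mac(f'{session_id}:{nonce}')}"

    def verify(self, session_id: str, token: str) -> bool:
        nonce, _, mac = token.partition(".")
        if not mac or nonce in self._used:
            return False
        if not hmac.compare_digest(mac, _mac(f"{session_id}:{nonce}")):
            return False
        self._used.add(nonce)  # consume only after a valid check
        return True
```

The unbound verifier never sees the session, which is exactly why a single “universal” token is enough to forge requests for anyone who is logged in.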

Ask Hackaday: Hacking lingo fails


Ah, CSI. What other television show could present digital forensics with such two-bit dialogue?

It’s time once again to put on your hacker hats – a red fedora, we guess – and tell us the worst hacker dialogue you’ve seen in movies or TV. We’ve seen a ton of shows and movies where writers and directors spend zero time doing any sort of research in whatever technology they’d like to show off in the story they’re trying to convey. Usually this results in lines like, “I’ll create a GUI interface using Visual Basic. See if I can track an IP address.” It’s technobabble at its best, and horribly misinformed at its worst.

We’re wondering what you, the readers of Hackaday, think are the worst examples of hacker lingo fails. Anything from, ‘Enhance!’ to the frightening real-life quote, “the Internet is not a big truck. It’s a series of tubes.”

We’ll compile your suggestions in a later post, but I’m betting something from Star Trek: Voyager will top the list of technobabble/hacking lingo fails. There’s just too much in that show that isn’t internally consistent and doesn’t pay any heed to the laws of (fictional) physics. Warp 10, I’m looking at you. Of course there was the wonderful Habbo reference in last week’s Doctor Who, but I’m betting that was intentional, as [Moffat] seems pretty up to speed on the tropes and memes of the Interwebs.

About a month ago, we asked you for your take on the worst hacking scenes ever shown on TV or film. The results made for good viewing, albeit with a surprising absence of Lawnmower Man. Now we want some dialogue to go with these horrendous hacking scenes. So, what say you, Hackaday? What are the worst hacking lingo fails you’ve seen or heard? Please be specific about what movie/TV show you’re referencing. Last time some good stuff probably slipped by because people just said a few words without context assuming we’d know exactly what they were referring to.

Ask Hackaday: What movies have the best/worst hacking scenes


It’s time to do your best impression of [Comic Book Guy] as you make your case for trash or triumph in big screen hacking scenes. We watch a lot of movies, and it’s hard not to groan when the filmmakers cut corners by doing zero research into what using a computer actually looks like. But then once in a great while you have a team that does its due diligence and puts up a scene that makes sense to those of us in the know. So we’re wondering, what movies do you think have the best hacking scenes, and which ones are the worst offenders? Leave your opinion on the topic in the comments section.

We realize that you can come up with tons of poorly done ones, but what we would really like to hear about is who did it right. We’ll get you started with a couple of examples. The image on the upper left is a scene from Tron: Legacy, which we think did a fantastic job of portraying actual computer usage. You can read more about the huge amount of work that went into it in this article (via Reddit).

In the lower right is one of the most shady movie scenes that comes to mind. [Hugh Jackman] is compelled to do some ‘hacking’ by [John Travolta] in the movie Swordfish. The caption at the top of the screen is “COMPILER”, and who the heck knows what the rest of that is supposed to be?

On the hardware hacking side, it gets a little more difficult; we would LOVE some examples of hardware hacks or mods done right.

Announcing: International Hack Day, August 11th.

There is no single and definitive definition of what hacking is. We all have different versions of similar ideas in our head, but depending on your background and area of enthusiasm, hacking means something different. While dictionary.com has many definitions of the word itself, none seem to cover what we see on a daily basis.

We set out to define “hacking” ourselves. We tossed around words like “modify”, “kludge”, “explore”, and “create”. Each time we committed an increasingly vague definition onto the page, we decided it was too narrow and tossed it in the proverbial trash. The variations were just too many.

What we do know is that “hacking” seems to breed advancement and innovation. Much like mutations in an evolutionary chain, each hack pushes the topic in a slightly new direction, inspiring others and thereby perpetuating the evolutionary event. In a very short time we’ve witnessed hacking bring forth the evolution of wagons to cars, kites to airplanes, and the creation of the computer.

We at Hackaday would like to declare August 11th to be “International Hack Day”. A day to celebrate hacking in all of its diverse forms. From soldering to sewing, coding to carbonating, knitting to knurling, we want you to keep on hacking. Take August 11th as a day to show pride in your hacking. Wave your hacker flag high and educate those around you.

We have asked many of our friends to contribute their personal definition of hacking. Here they are, in the order they were received.


Book Review: The Dangers of Computer Hacking

Years and years ago, someone gave me this book as a gift. [John Knittel], a co-author, thought I might find it amusing. The book, titled The Dangers of Computer Hacking, is a grade school level breakdown of, well, computer hacking and the dangers thereof. At the time, I thought it was rather fun and amusing. Since then, it has sat on my shelf without much action.

Last weekend, however, my 8 year old son was building perfectly spaced shapes for his slinky (new plastic slinkies suck) and found this book. I snatched it up and read through it real quick. The realization came to me that though this is somewhat tongue-in-cheek (check the topics on the back cover), this book is actually a fantastic reference for the uninitiated.
