Want early access to new videos and some behind the scenes content? Consider becoming a channel member kzbin.info/door/QvW_89l7f-hCMP1pzGm4xwjoin Other videos you might enjoy: kzbin.info/www/bejne/f328aKePma6GaLs kzbin.info/www/bejne/lWOqgJWZp9eKp5o

Someone send this man a PS2 devkit

Great video and explanation on such an iconic hack! Glad we were able to help!

This video is awesome. I can see you've put a lot of effort into it mate.

I knew the EULA would appear only in the multiplayer menu 😅, as it would be weird for a console game of that generation to show an eula in the main mode. Small detail: audio level is low

I've read somewhere about some other (pc) game doing that, but it was either changelog or MOTD (message of the day) being exploited. Can't remember what game it was. Apparently they got so good at it that they've eventually managed to write a legit updater onto people's machines at roughly the same time they've started shipping real patcher in the installer of that game.

the irony is that eula probably said you can't hack the game

5:29 as a Cybersecurity guy, this one tickled me pink. Incredibly novel use for a very standard part of a hacker's toolkit

Have you seen the developers (Tony Garcia and Mike Stout) let's play with their commentary on that game? It's up on youtube and full of interesting info about how they've made all of this run on a PS2 hardware. Love it just as much as your video, it's fascinating just how many little tricks Insomniac had and their technical knowledge is truly underrated.

The crazy part of all this is that these games actually do have a way to patch themselves but apparently this was just something Sony had kept to themselves. Any game that used medius and also included DNAS (I say this because the only games that seem to have these packet handlers all had DNAS while the ones that didn't (socom 1, twisted metal black) don't) had the ability to read and write memory from the server. Sucks that they had to go through these sorts of hoops when sony already had the tools available for situations like this. Dan uses this functionality for his patch and we use it for our patches for SOCOM 2 and Combined Assault.

DNA Workshop. Poor Dan.

Hope your feeling better! Glad you completed this project it came out quite well. Never even thought about how a dev could use a vulnerability they really only have access to in order to send patches… crazy.

Awesome video! I'm still really curious how the developers bridged the gap from the EULA buffer to the target function they were trying to overwrite without crashing the game. I would love a followup.

Dude this stuff is amazing - thank you for showing others how people like us think through these systems. Seriously, the biggest thing I enjoy about your videos is how it logics through abstractness. This is an art form, my friend, and one that isn’t taught in school…we learned from guys like you, just in different ways (forums, IRC, more) - so thank you for carrying on the torch to keep others digging behind the code too!

This was one of the best videos I've seen in a long time. Nice work dude. Nothing to suggest you as sollution, you went way deeper than I could've been. Good luck :) Post an update once you have!

I wanna do a channel like yours some time, or a blog, to explain a weird zip-like format I found on a series of games... It took me ages to understand because I also stumbled upon lots of problems like you do... But also years have passed and I've forgotten some of the wrong paths I had taken.

well that brings back some memories! - good job Nathan! - and a great video!

You're quickly becoming my favorite channel on KZbin man

So in rare instances, two wrongs DO make a right? Oops, game has a major flaw. Oops, we left a massive security vulnerability. Let's use one to fix the other.

I once patched Tenchu: Fatal Shadows to swap the function pointer of the options menu callback to a debug model previewer left inside the retail game. Pretty nifty. Very cool dev trick from y2k. I always knew insomniac devs were based.

I was going to get a membership the other day, but I forgot. This video made me laugh a bit though, and you definitely deserve it. Keep up the great work, I absolutely love coming home from work and watching your videos

We need to keep this old games alive. Modern gaming is absolute trash.

Glad this was suggested. I heard about this ratchet and clank update before, but there wasn't much info on it. Cool to see a video about it

Have you tried using the emulator's own debugging tools rather than Ghidra? You're probably feeding the emulator's RAM back to the game, not the game's RAM. The payload needs to maintain a stable game state up until the vulnerable point that can run the exploit.

I grow up playing r&c3. It's quite surreal to now see some of the underlying code that made my childhood and understand it. Amazing video, thank you!

One of my favorite game series. So awesome to learn about such a unique scenario that occurred with this one!! Thank you!

Seeing the COP0 instruction in the disassemby output near the end of the video reminded me that the PS2 was MIPS-based...

so that's how they're able to play custom maps and game mods ! that's awesome!

i find it hilarious that the beta swears at you

From what I could understand of the Game Developer article, it seems to me that they utilized the EULA itself to patch the game. I visualize this as follows: 1. They replaced (parts of) the EULA with patch code (which would at this step be processed as mere text), and overfilled it past the brim. This overflow would eventually reach a variable that contained an address. 2. They replaced this address for an address within the EULA buffer, meaning the later function callback that used that variable would send the pointer back to the EULA. 3. The pointer would then process the patch code in the EULA as instructions, leaving them free to do as they liked (as long as their patch code didn't ruin the function callback).

I can vouch for Nath. I saw him copying his PS2 BIOS from my bathroom window.

My favorite developer among nauhgtydog with their technical skills they used and went with consoles of those era.

Haven't a clue what any of this means but still good to watch

The patch they implemented was like 6 megs too and it was stored on your memory card. Your 8 meg memory card. Seriously though, UYA online was so fun!

Out of interest, what was the cheat / hack that players used on the game prior to patching?

glad he has a "Legit" bios

It's possible the game crashes only if the second packet doesn't arrive quickly enough. They might had even done something fancy and packed both command packets into the same IP packet so that there is minimal delay between the two events.

Look at that! So if they never used original C "bad" strcpy, they probably would never be able to patch their game or would have more difficulty. A unsafe C function, was the key for their success! C "do whatever you want, even shoot yourself in the foot" philosophy, that many critic, apparently was what helped them in the end.

I want more video of this kind!

Please do more videos like this, especially on how to reverse engineer programs written in different type of languages and architectures.

LETS GO DAN dan the man with the plan

I played UYA for a little bit in 2007 while the servers were still active; I don't know how much memory would you need to overwrite for the buffer to overflow, but it couldn't have been that much, right? Otherwise it would have taken forever for the lobby to load on slow connections back then, and while my DSL wasn't the worst, I don't remember much waiting between the EULA and lobby screens.

could it be that the emulators heap allocator is just different from the original? Maybe it does a better job if defragging / hole filling, so some important stuff gets allocated in between the buffer and pointer, whereas on the original device that wasn't the case. The defragging may also be more volatile so whatever gets allocated in there may effectively be random or at least not exactly the same every run hence why it still crashes when you fill the packet with the same memory. It would be cool to analyse all heap allocations in that memory region.

Understood nothing of it but really enjoyed the video nonetheless! I hope you can figure it out later on

Reminds me of how AIM exploited an RCE in their own DLLs to try and keep out third parties (particularly MSN)

Program at work, come home watch some nathanbaggs, program even more, sleep, repeat

2:59 I'm sure someone with your technical skills would never borrow a PS2 BIOS from someone else, right? :3

I mean, we are literally asking developers to simulate the real world AND to run it optimized on all sorts of hardware. If that isn't what "making games" is all about then I don't know what is. It's the reason why technology has developed so quickly.

I would imagine it is something related to the emulator. They do a check somewhere or other for a valid memory which was not happening on the real hardware

This is an amazing story!

Amazing stuff

DAN IS THE GOAT PUT SOME RESPECT ON HIS NAMEEE

Did you consider asking the game developers for more info?

I wonder if that EULA trick could be used to install freemcboot

9:00 LMAO it's DNA Workshop but your pronunciation was way better

I wonder if that Dan is the SnowDan.

Also a question here Why did they even bother ? I mean the game released , sold well and i don't think sony had them contracted to do any sort of post release updates (which they couldn't do easily ) So what purpose outside of some sort of pride did they do this for

I believe his screen name is pronounced "DNA Workshop".

Commenting for algorithm, this is a cool vid

chaotic good

That was cool 👍

Finally, a EULA I want to read 😂

Ratchet deadlocked the best one, going commando 2nd best one don't @ me

definitely legal copies

Really interesting

Hello 😊

words: "legit" actions: ( ͡° ͜ʖ ͡°)

Well, assuming there was no https or packet validation from server back then, and game code leaked IP's (assuming some p2p in chat/voice/server code) you could crash other people with this exploit in hand. Thinking similiar situation happening in COD lobbies of that time would be a huge impact. Glad we were limited to ratchet & clank

Game Development hasn't been hard for a decade. Just sayin. It may be hard to do it well, but overall, since the market is flooded with mountains of trash "product", it can't be that hard, can it? For every "difficult" game there's a thousand trash titles that were churned out over a few weekends. The illusion of difficulty in game development is nothing but a marketing ploy designed to embellish the value of any given product as it relates to the absolute Ocean of products they are meant to "rise above". You're not wrong, it is all smoke and mirrors. But you didn't notice all the mirrors on the way in.

Now the next step is to get a reverse shell on the target's machine 🫠