Overwatch teaser: ASM code/hex.


Hey all,

I've seen quite a few posts talking about the teaser trailer and various bits and pieces about the code which is displayed. Specifically there's a lot of references here: https://www.reddit.com/r/Overwatch/comments/atbyn7/new_teaser_hidden_message/

There's a few bits there I wanted to address, but given how buried that post is I also wanted to create a new post to try and help other people avoid going down the same rabbit holes.

TL;DR: The code is a reference to a real world exploit and likely has no hidden ARG in it.

Firstly: The geekcode. I'd suggest disregarding it. It's not actually valid geekcode. Geekcode is a very specific format which used to be used for various signatures, you can read more about it here: https://www.joereiss.net/geek/geek.html

The reason I'm suggesting disregarding it is the hex code doesn't translate to the letters and doesn't include the skill level indicators. What I believe has happened here is a false positive/coincidence. It just happens that due to the number of characters which can be used for geekcode, it's inevitable that a random string will match some of it.

The only bit which I think is valid is the name Baptiste. The rest of it is just control characters and other such (although certain bits do look like header information/end information so I can't entirely rule it out).

Secondly, I want to talk about the ASM Code (which I've seen a few folk draw conclusions from), I've included it below:

```
ASM VOLATILE {
MLTDWN:
JNE 1B
SHL $12, %%RAX
ADD {%{DEST}}, %%EAX
IMUL {%{FINAL}, %%RAX, 1}, %%RBX
.REPT 300
MUL $0x141, %%RAX
.ENDR
CLEANUP:
:
: {FINAL} "R" {RESULT_LIST}, {DEST} "R" {DEST}{TRUNG LE NGUYEN}
: "RAX", "RBX":
};
```

It's worth mentioning my ASM is a touch rusty, so any corrections are welcome. At a glance this looks a bit like a weird mix of code. Bits of it look like the gcc inline assembly setup, bits of it don't, but I think there are certain assumptions we can make from it.

Interestingly the syntax below makes little sense to me. This might just be due to my rustiness as far as the different syntaxes to ASM. Some of it looks like AT&T syntax, some looks like Intel syntax. The difference between the two is certain symbols, operands and source/dest operators. I'll try and tag where I think something's Intel or GAS.

Reference:

GAS: OPERAND $source, DEST

Intel: OPERAND DEST, source

Line by line(ish):

ASM VOLATILE {...}

– So a weird bit with this. If this was pure gcc inline/extended, I'd be expecting it to be asm volatile (…). For now let's assume it's the same end result. With this we're setting up our assembler block and instructing the compiler to run as is with no optimisation. We're explicitly saying that this code could have side effects and not to do certain optimisations.

MLTDOWN:

– This looks like a standard assembler symbolic label. This has global scope and would pop up in the symbol table. We're kind of saying, remember this location for later so we can jump back here.

I know I've seen a couple of things talk about MLTDOWN as being a hint to the hero. I've got a different idea. I think this is referencing the MELTDOWN security vulnerability (https://meltdownattack.com/)

This would make sense. Meltdown at a high level allowed for breaking out of isolation and getting access to memory you shouldn't have access to. I'll also talk about the below code in relation to meltdown.

JNE 1B

– This would require a previous cmp operator. But we're effectively saying jump to label 1B if the previous comparison was not equal. We don't have the previous cmp so we're not sure what's being compared here.

GAS: SHL $12, %%RAX

– This is a shift left operator. $12 is an immediate/constant and %%RAX references the 64 bit RAX register. We're saying here to shift what's stored in %%RAX by 12. We're effectively doing a multiplication of %%RAX by 2^12.

INTEL: ADD {%{DEST}}, %%EAX

– In GAS, the ADD would probably be ADDL. What we're saying here is ADD the content of %%EAX to DEST. I'm assuming DEST is an alias to a register although the syntax doesn't match with what I'm familiar with.

INTEL?: IMUL {%{FINAL}, %%RAX, 1}, %%RBX

– I'm guessing Intel here, but as with all of these operators, some bits of it look Intel-ish, some bits look GAS-ish. But I suspect FINAL is the dest so we'll assume Intel-esque. This is an integer multiplication. I believe what is trying to be done here is multiply (FINAL * RAX * 1) * RBX, with the words referring to registers. The multiplication by 1 increasingly looks like nonsense.

.REPT 300

GAS: MUL $0x141, %%RAX

.ENDR

– I'm treating this as one block. What we're doing here I believe is saying multiply 321 by the contents of RAX, and repeat this 300 times. I /believe/ that the output of the MUL would store the result in %%RAX.

Now if you are still reading and paid attention to earlier, I mentioned meltdown. This is important as the above code looks very much like a pseudo-code reference to the meltdown attack (http://www.cis.syr.edu/~wedu/seed/Labs_16.04/System/Meltdown_Attack/Meltdown_Attack.pdf)

Specifically, TASK 7.3, using assembler code to trigger meltdown.

```
// Give eax register something to do
asm volatile(
    ".rept 400;"
    "add $0x141, %%eax;"
    ".endr;"
    :
    :
    : "eax"
);
```

All this does is force the computer to do useless computations to chew up time while the memory is being speculated. The whole thing's an interesting read. It's impossible not to notice the similarities though. The same 0x141 on the add (MUL would work just as well), using the eax instead of RAX register, the rept 400 instead of 300.

My point here is, the MLTDOWN label has nothing to do with the hero. This is a pseudocode implementation of a genuine exploit which makes the whole thing look cool. I'm genuinely impressed with the level of detail here.

It also might not be pseudocode. I'm assuming so but it might be it's valid x86_64 ASM code in a syntax I'm not familiar with. The point is still the same.

Now, for the final bit:

CLEANUP:

: {FINAL} "R" {RESULT_LIST}, {DEST} "R" {DEST}{TRUNG LE NGUYEN}

: "RAX", "RBX":

I'm not going to go into this line by line as it's not valid code that I can see. The CLEANUP label is fine but the rest is just nonsense. My gut feeling is this is meant to be a semi realistic looking bit to extract the secrets from the system.

In essence. The attention to detail is really quite awesome and referencing real world vulnerabilities is a nice touch, but I don't think people should read too much into it.
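
For comparison with the teaser's block, this is what well-formed GCC extended inline assembly in AT&T syntax looks like for the two recognisable pieces, the shift by 12 and the `.rept` filler. It is an added example, not code from the original post, the teaser or the SEED lab; the function names are made up for illustration, and a plain C fallback is used on non-x86-64 targets.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: AT&T order is "op source, dest", immediates take '$'. */
static uint64_t shl12(uint64_t x)
{
#if defined(__x86_64__)
    /* "+r": x is read and written in any general register; "cc": flags change. */
    __asm__ volatile("shl $12, %0" : "+r"(x) : : "cc");
#else
    x <<= 12;                       /* same result: multiply by 2^12 = 4096 */
#endif
    return x;
}

/* Hypothetical helper: .rept/.endr tells the assembler to emit the add 300 times. */
static uint32_t repeated_add(uint32_t start)
{
#if defined(__x86_64__)
    __asm__ volatile(
        ".rept 300\n\t"
        "add $0x141, %%eax\n\t"     /* '%%' is how a literal register is written
                                       inside an extended asm template */
        ".endr"
        : "+a"(start)               /* outputs: start lives in eax, read/write */
        :                           /* inputs: none */
        : "cc");                    /* clobbers: condition flags */
#else
    for (int i = 0; i < 300; i++)
        start += 0x141;
#endif
    return start;
}

int main(void)
{
    printf("3 << 12        = %llu\n", (unsigned long long)shl12(3));
    printf("300 * 0x141    = %u\n", repeated_add(0));
    return 0;
}
```

The three colon-separated sections after the template (outputs, inputs, clobbers) are what the teaser's trailing `:` lines imitate.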
