Homebrew Exploit Development?

WeedZ | Possibly an Enlightened Being | Global Moderator | Joined Jan 13, 2015 | Messages 3,825 | Trophies 1 | Location: The State of Denial | Website: gbatemp.net | XP 5,666 | Country: United States
I recall smea posting pics of this weird pcboard contraption he made that he had soldered to the internals of the ds, so he could push commands, get ram info, not really sure. You want to talk to like smea, yellows8, yifanlu.. those dudes. They're the 733t h4x0rs.
 

WulfyStylez | SALT/Bemani Princess | Member | Joined Nov 3, 2013 | Messages 1,149 | Trophies 0 | XP 2,867 | Country: United States
> Let's say I have a crash, and it just happens to lead to ROP. How would I go about finding gadgets, how would I get a dump; or make one from the cia/3ds?
You'd need a bug that specifically writes user-controlled data onto the stack in order to overwrite the return address for the function you're in and gain execution. Once you've pinpointed exactly where your data is getting written to, you'll know how to generally format your ROP. Knowing how much space to have between the beginning of whatever data you're dealing with and the start of your ROP can be a pain.
Before finding gadgets, you'll need to know the functions you're dealing with for your exploit. gspwn for basic code execution will work with GSP funcs, for example. You need functions to pop the registers needed for your goals (search for pop {whatever you need} and use that address) and occasionally memory load/store funcs (find regs being loaded from/stored to immediately before the return). When jumping to a full-blown function, make sure you're jumping after the function prologue, or you'll ruin the stack. Also keep an eye on thumb vs arm addresses. For stuff ending in bx lr instead of pop {pc}, you'll need to find a gadget/set of gadgets for setting lr first.
From there, ROP is pretty much just "writing the stack." You're doing some kinda-weird asm, basically.
 
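To make concrete what the reply above means by "search for pop {whatever you need}" and "keep an eye on thumb vs arm addresses", here is a small gadget scanner written for this thread; it is an added example, not code from WulfyStylez or from any 3DS project. It decodes the two `pop` encodings (A32 `LDMIA sp!, {...}`, which is `0xE8BD0000 | reglist`, and the 16-bit Thumb T1 `pop`, `0xBC00 | P<<8 | reglist` with P meaning pc is included), reports only the ones that end in `pc`, and tags Thumb hits by setting bit 0 of the address, which is what a `pop {pc}`/`bx` interworking branch needs to switch the core into Thumb mode. It also lists `bx lr` endings separately, since, as the reply says, those need lr set up by an earlier gadget. The byte blob and the base address 0x00100000 are constructed for the demonstration.

```python
import struct

# Register names by bit position in a reglist (bit 13 = sp, 14 = lr, 15 = pc).
ARM_REGS = ["r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
            "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc"]

# Fixed encodings referenced below.
ARM_POP_PREFIX = 0xE8BD0000   # LDMIA sp!, {reglist}  (cond=AL, W=1, L=1, Rn=sp)
ARM_BX_LR = 0xE12FFF1E        # A32 "bx lr"
THUMB_BX_LR = 0x4770          # T1  "bx lr"


def decode_arm_pop(word):
    """Return the register list of an A32 `pop {...}`, or None if `word` is not one."""
    if (word & 0xFFFF0000) != ARM_POP_PREFIX:
        return None
    return [ARM_REGS[i] for i in range(16) if (word >> i) & 1]


def decode_thumb_pop(half):
    """Return the register list of a Thumb T1 `pop {...}`, or None if `half` is not one."""
    if (half & 0xFE00) != 0xBC00:
        return None
    regs = [ARM_REGS[i] for i in range(8) if (half >> i) & 1]
    if half & 0x100:            # the P bit means pc is also popped
        regs.append("pc")
    return regs


def find_pop_pc_gadgets(blob, base):
    """List (address, mode, regs) for every single-instruction `pop {..., pc}` in `blob`.

    A32 instructions are scanned on 4-byte boundaries, Thumb on 2-byte boundaries.
    A raw byte scan cannot know which mode a region really executes in, so a hit
    should be confirmed in a disassembler before it is trusted.
    """
    found = []
    for off in range(0, len(blob) - 3, 4):
        regs = decode_arm_pop(struct.unpack_from("<I", blob, off)[0])
        if regs and regs[-1] == "pc":
            found.append((base + off, "arm", regs))
    for off in range(0, len(blob) - 1, 2):
        regs = decode_thumb_pop(struct.unpack_from("<H", blob, off)[0])
        if regs and regs[-1] == "pc":
            # Thumb code is entered with bit 0 of the target address set.
            found.append(((base + off) | 1, "thumb", regs))
    return sorted(found, key=lambda g: g[0])


def find_bx_lr(blob, base):
    """List addresses of `bx lr` in both modes; these return through lr, not the stack."""
    found = []
    for off in range(0, len(blob) - 3, 4):
        if struct.unpack_from("<I", blob, off)[0] == ARM_BX_LR:
            found.append(base + off)
    for off in range(0, len(blob) - 1, 2):
        if struct.unpack_from("<H", blob, off)[0] == THUMB_BX_LR:
            found.append((base + off) | 1)
    return sorted(found)


# Constructed sample "code" (little-endian), not taken from any real binary:
SAMPLE_CODE = bytes([
    0x00, 0x00, 0xA0, 0xE1,   # A32  mov r0, r0            (nop)
    0x10, 0x80, 0xBD, 0xE8,   # A32  pop {r4, pc}          <- gadget
    0x0F, 0x40, 0xBD, 0xE8,   # A32  pop {r0-r3, lr}       (no pc: not a gadget by itself)
    0x03, 0xBD,               # T1   pop {r0, r1, pc}      <- gadget, Thumb
    0x70, 0x47,               # T1   bx lr
    0x10, 0xB5,               # T1   push {r4, lr}
    0x10, 0xBC,               # T1   pop {r4}              (no pc)
    0x1E, 0xFF, 0x2F, 0xE1,   # A32  bx lr
])
SAMPLE_BASE = 0x00100000


if __name__ == "__main__":
    for addr, mode, regs in find_pop_pc_gadgets(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:#010x} {mode:5s} pop {{{', '.join(regs)}}}")
    for addr in find_bx_lr(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:#010x} bx lr")
```

Running it on the constructed blob lists the A32 `pop {r4, pc}` at 0x00100004 and the Thumb `pop {r0, r1, pc}` at 0x0010000D (offset 12 with bit 0 set); the `pop {r0-r3, lr}` is deliberately not reported because it does not load pc, which is the distinction the reply draws between gadgets that end in `pop {pc}` and code that returns via `bx lr`.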

gudenau | Largely ignored | OP | Member | Joined Jul 7, 2010 | Messages 3,882 | Trophies 2 | Location: /dev/random | Website: www.gudenau.net | XP 5,379 | Country: United States
> You'd need a bug that specifically writes user-controlled data onto the stack in order to overwrite the return address for the function you're in and gain execution. Once you've pinpointed exactly where your data is getting written to, you'll know how to generally format your ROP. Knowing how much space to have between the beginning of whatever data you're dealing with and the start of your ROP can be a pain.
> Before finding gadgets, you'll need to know the functions you're dealing with for your exploit. gspwn for basic code execution will work with GSP funcs, for example. You need functions to pop the registers needed for your goals (search for pop {whatever you need} and use that address) and occasionally memory load/store funcs (find regs being loaded from/stored to immediately before the return). When jumping to a full-blown function, make sure you're jumping after the function prologue, or you'll ruin the stack. Also keep an eye on thumb vs arm addresses. For stuff ending in bx lr instead of pop {pc}, you'll need to find a gadget/set of gadgets for setting lr first.
> From there, ROP is pretty much just "writing the stack." You're doing some kinda-weird asm, basically.
But how do I get memory for finding the gadgets?
 

hippy dave | BBMB | Member | Joined Apr 30, 2012 | Messages 9,871 | Trophies 2 | XP 29,162 | Country: United Kingdom
> You'd need a bug that specifically writes user-controlled data onto the stack in order to overwrite the return address for the function you're in and gain execution. Once you've pinpointed exactly where your data is getting written to, you'll know how to generally format your ROP. Knowing how much space to have between the beginning of whatever data you're dealing with and the start of your ROP can be a pain.
> Before finding gadgets, you'll need to know the functions you're dealing with for your exploit. gspwn for basic code execution will work with GSP funcs, for example. You need functions to pop the registers needed for your goals (search for pop {whatever you need} and use that address) and occasionally memory load/store funcs (find regs being loaded from/stored to immediately before the return). When jumping to a full-blown function, make sure you're jumping after the function prologue, or you'll ruin the stack. Also keep an eye on thumb vs arm addresses. For stuff ending in bx lr instead of pop {pc}, you'll need to find a gadget/set of gadgets for setting lr first.
> From there, ROP is pretty much just "writing the stack." You're doing some kinda-weird asm, basically.
So basically just keep hammering buttons until something happens, right?
 
