Homebrew: How do game exploits work?

mashers

I've always been fascinated by this. What actually happens when a game save exploit (or QR code exploit in the case of ninjhax) is initiated? How do they bypass the system's security and allow the payload to execute? And how do people find the exploits?! I'm sure the answers to these questions are more complicated than I could possibly realise, but I'm hoping somebody can shed some light.
 

TheCruel

Some answers here: https://gbatemp.net/threads/how-do-people-find-exploits-on-consoles-like-3ds.389594/

The most common exploit entry points tend to be stack smashing (both ninjhax and mset use it): overflowing a buffer that doesn't properly check data sizes so that you can access memory locations that weren't intended for modification. Then it's just a matter of examining memory and trying to trace execution so you can figure out what needs to be changed to get the call stack to go where you want. This typically isn't enough to get full control over a console, and exploits tend to chain multiple exploits, called stages.
 

atkfromabove

Some answers here: https://gbatemp.net/threads/how-do-people-find-exploits-on-consoles-like-3ds.389594/

The most common exploit entry points tend to be stack smashing (both ninjhax and mset use it): overflowing a buffer that doesn't properly check data sizes so that you can access memory locations that weren't intended for modification. Then it's just a matter of examining memory and trying to trace execution so you can figure out what needs to be changed to get the call stack to go where you want. This typically isn't enough to get full control over a console, and exploits tend to chain multiple exploits, called stages.

I like the way you explained that
 

mashers

So, if the exploits rely on overflows within a particular piece of software, how does a system firmware update patch this? Does it include a patch for that particular piece of software, or does it improve memory management so overflows are not possible at all any more? Put another way, is it still possible for further exploits to be found in >9.2?
 

FAST6191

Overflows are not the only means by which to do things but they are popular and a common thing that the C programming language, the one favoured for low level work, can cause to happen if the programmer is not paying attention.
Firmware updates fix things in various ways. The Wii Twilight Princess hacks at first were fixed by the system menu attempting to detect the specific thing used by the exploit, which promptly could be changed for another and the hack was back; another time I think it was that they detected it but neglected to get rid of it properly. Until the last fix they were generally considered the bad way of doing it.
If it is an updateable menu rather than the not so updateable Wii game then they probably figured out how the exploit worked (they can download it too and they have better debug options a lot of the time) and fix the issue there. If they were doing it well then they could also check the rest of the firmware at the same time to see if there are any others. Improving memory management so overflows are not possible is not really a thing; there are more memory safe (and possibly slower) versions of C like http://www.seclab.cs.sunysb.edu/mscc/ but few people use them.

There are always possibilities for bugs that lead to exploits in complex software. To that end post 9.2 things could be found. Not to mention 3ds hackers have not even touched upon hardware methods yet beyond nand dumping/reflashing.
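As an added illustration of the unchecked-size copy that TheCruel's and FAST6191's posts describe (example code written for this thread, not from any real game or console firmware): a constructed save-record loader in C, with the vulnerable version beside the one that validates the length field before copying. The record layout, NAME_MAX and both function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed save-record layout for this example (not any real console format):
 *   byte 0     name_len : number of name bytes that follow
 *   bytes 1..n name     : the player name, no terminator
 * The loader copies the name into a fixed 16-byte stack buffer. */
#define NAME_MAX 16

/* Vulnerable pattern: the length is taken straight from the save file and never
 * compared with the buffer or the record size, so a name_len above NAME_MAX makes
 * memcpy write past `name` on the stack. Only ever call this with a valid record. */
int load_name_unchecked(const uint8_t *rec, size_t rec_len, char *out)
{
    char name[NAME_MAX];
    size_t n = rec[0];            /* untrusted length */
    (void)rec_len;                /* record size is ignored entirely */
    memcpy(name, rec + 1, n);     /* overruns `name` when n > NAME_MAX */
    memcpy(out, name, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: validate every size taken from the file before using it.
 * Returns the name length on success, -1 when the record is rejected. */
int load_name_checked(const uint8_t *rec, size_t rec_len, char *out)
{
    if (rec == NULL || rec_len < 1) return -1;   /* no length byte present */
    size_t n = rec[0];
    if (n > NAME_MAX) return -1;                 /* would overflow `name` */
    if (n > rec_len - 1) return -1;              /* would read past the record */
    char name[NAME_MAX];
    memcpy(name, rec + 1, n);
    memcpy(out, name, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed records: a valid 5-byte name, and one whose length byte claims
     * 200 bytes, far more than NAME_MAX; the checked loader rejects the latter. */
    const uint8_t good[] = { 5, 'M', 'A', 'R', 'I', 'O' };
    const uint8_t bad[]  = { 200, 'A', 'A', 'A', 'A' };
    char out[NAME_MAX + 1];
    printf("checked good: %d (%s)\n", load_name_checked(good, sizeof good, out), out);
    printf("checked bad:  %d\n", load_name_checked(bad, sizeof bad, out));
    return 0;
}
```

The checked loader also rejects a record whose declared length runs past the end of the data, which is the over-read counterpart of the same missing check.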

 

zoogie

Could that possibly lead to a gateway update to allow 9.8 support?
It's an entry point so yeah it might help them. RegionFour already provides that though.
With only about 20K Cubic Ninjas out there they might want to consider a new entry point. (Maybe subbing the blue card for a one-off CN clone cart, I dunno.)

Even then, they still need a new arm9 exploit, and those are hard to find now.
 

loco365

How do they work? Very carefully. No joke.

The code that goes into an exploit usually exposes flaws and loopholes within code, such as a stack or some kind of pointer, or even code that isn't checked properly by the game. By prying those flaws and loopholes open and playing with the system in just the right way (like the ROP chains that were once used for loading DAT files on the 3DS), you can eventually get to the point where you have complete control over the system.
 

StriderVM

The most non-programmer-friendly explanation of an "exploit" that I could think of is like this:

An exploit is basically like being able to access a house you aren't supposed to. The system is the house, the security is the lock(s), and the exploit is a way to get into the house without doing it the normal way (using a key to unlock and gain access to the house).
 

ghjfdtg

More like the owners of the house failed to secure it properly before they were away and you can open the door with a credit card.
 

dubbz82

The most non-programmer-friendly explanation of an "exploit" that I could think of is like this:

An exploit is basically like being able to access a house you aren't supposed to. The system is the house, the security is the lock(s), and the exploit is a way to get into the house without doing it the normal way (using a key to unlock and gain access to the house).


More like digging a hole underneath the house to access the basement... with a toothpick. At least usually.
 

gamesquest1

I think most people who have played games have done something that's spiritually the same principle as hacking, which would be glitches and exploits in games, such as using items piled up to access an area that should technically be inaccessible, finding out that jumping through a bunch of hoops in some weird order causes some obscure result that was not originally intended, or finding out that there is a little hole in the map and you can shoot a portal through and skip 90% of the level... Fundamentally it's all the same thing, which is bypassing the normal restrictions to access what is normally inaccessible, poking holes in the design that provide enough leeway for you to slip through the cracks of control, essentially giving you much more freedom than the developers intended.

Yeah, hacking a system is a much more complicated process, but it's fairly similar in how you would go about it. It's all just about assessing something, drawing up a map of where you need to get to, mapping out the pitfalls, exploring all the behavior of the security implementations and trying to spot some way to either take control of that security or sneak past it without setting off any tripwires. Sometimes you will get 90% of the way to your destination before finding out that there is some impossible wall standing between you and what you needed, and then you have to backtrack and find an alternate route, essentially becoming the number 1 coding grammar nazi, looking for, finding and exploiting any mistake or oversight you can find in how the system behaves. Finding an error is only a small part of the process; the actual hard work is figuring out a way to use that mistake to your advantage. It's all good saying "oh if I open 5 tabs on the browser then go to YouTube the 3DS crashes"... but how can you use that to your advantage? WHY does it crash? Does it result in anything at all exploitable? How far can you take this mistake? Can it get you to somewhere else where you can surf a chain of exploits to never never land, or is it just dropping you off at useless crashed system city?
 