Hacking ninjhax reverse engineering?

Deleted member 282441

AKA ZeroTheSavior
OP
Member
Joined
Aug 7, 2011
Messages
320
Trophies
0
Location
Gensokyo
XP
326
Country
United States
Since all the copies of cubic ninja are gone, would it be possible to reverse engineer this and make a hack for another game?

Well, there are some problems with this first:
1. The exploit is highly specific, since 3DS FW comes into play (and it seems updating it will break it)
2. Not many games with such a huge QR image scanner
3. I have no idea what I'm doing

But aside from that, can it be done in a timely manner or would it take a tremendous amount of time to do?
 
Reactions: Margen67

Vappy

Well-Known Member
Member
Joined
May 23, 2012
Messages
1,508
Trophies
2
XP
2,613
Country
It'll be open source once the exploit gets patched. If you can hang on until then, someone will most likely try porting it to another game.
 

Zanoab

Well-Known Member
Member
Joined
Dec 4, 2009
Messages
127
Trophies
1
XP
616
Country
United States
The QR code probably takes advantage of how Cubic Ninja handles unexpected data (like Twilight Princess not expecting names to be longer than they should be). Odds are that it can't be reused in other games that use QR codes (like Pushmo) unless it is a QR reading exploit.

The only way you are going to reverse-engineer it is if you reverse-engineer normal Cubic Ninja QR codes first so you can figure out how it breaks.
 
Reactions: Fpsrussia117

Relys

^(Software | Hardware) Exploit? Development.$
Member
Joined
Jan 5, 2007
Messages
878
Trophies
1
XP
1,239
Country
United States
Use my NCCH decryptor to decrypt the Cubic Ninja .3DS and ctrtool to extract the .code portion from the ExeFS.bin. Then load the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Then you can piece together the payload and reverse the ROP chain. To determine how the ROP gadgets work you will have to have the binaries from which they are called. :) This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN for the firmware version you're targeting.
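The two posts above describe the bug class at the heart of this kind of entrypoint: a game parses attacker-supplied data (here, a scanned QR payload) and trusts a length it should not. The following C example is added here and is not Cubic Ninja's code or anything from the ninjhax repository; the record layout (a length byte followed by a name copied into a fixed 16-byte field), the `level_header_t` struct and the sample inputs are all constructed for illustration. It contrasts the naive copy that produces an overflow with a checked parser that rejects oversized and truncated records before any byte is written, which is the check a code reviewer or fuzzing harness would be looking for when auditing a QR loader.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format (constructed for this example, not the game's):
 *   byte 0     : name length N
 *   bytes 1..N : name bytes (not NUL-terminated on the wire)
 * The parser copies the name into a fixed-size field of a level header. */
#define NAME_FIELD 16

typedef struct {
    char name[NAME_FIELD];
    uint32_t flags;   /* sits right after name[]: the first thing an overrun clobbers */
} level_header_t;

/* Naive parser: trusts the length byte taken from the scanned data.
 * A length above 15 writes past name[] into flags and beyond, and the
 * terminator write can land out of bounds too. Shown only as the "before"
 * form for contrast; it is not exercised below. */
int parse_name_unchecked(const uint8_t *qr, size_t qr_len, level_header_t *out) {
    if (qr_len < 1) return -1;
    size_t n = qr[0];
    memcpy(out->name, qr + 1, n);   /* no bound against NAME_FIELD */
    out->name[n] = '\0';
    return 0;
}

/* Checked parser: validates the declared length against both the buffer it
 * reads from and the field it writes to before any copy happens.
 * Returns 0 on success, -1 when the record is oversized or truncated. */
int parse_name_checked(const uint8_t *qr, size_t qr_len, level_header_t *out) {
    if (qr == NULL || out == NULL || qr_len < 1) return -1;
    size_t n = qr[0];
    if (n > NAME_FIELD - 1) return -1;   /* leave room for the NUL terminator */
    if (n > qr_len - 1) return -1;       /* record claims more bytes than were scanned */
    memset(out, 0, sizeof *out);
    memcpy(out->name, qr + 1, n);
    out->name[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample inputs. */
    static const uint8_t good[]      = {5, 'L', 'e', 'v', 'e', 'l'};
    static const uint8_t oversized[] = {200, 'A', 'B', 'C'};  /* claims 200 bytes */
    static const uint8_t truncated[] = {10, 'A', 'B', 'C'};   /* claims 10, only 3 follow */
    level_header_t h;

    printf("good:      %d name=%s\n", parse_name_checked(good, sizeof good, &h), h.name);
    printf("oversized: %d\n", parse_name_checked(oversized, sizeof oversized, &h));
    printf("truncated: %d\n", parse_name_checked(truncated, sizeof truncated, &h));
    return 0;
}
```

The second check (`n > qr_len - 1`) matters as much as the first: a record that declares more bytes than were actually scanned makes the copy read past the input buffer, which is an out-of-bounds read rather than a write but is still a parser defect worth rejecting.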
 

Lord M

Well-Known Member
Member
Joined
Oct 31, 2014
Messages
1,075
Trophies
0
Age
31
XP
502
Country
Italy
For informational purposes only, out of curiosity: smea's exploit is kernel-patched (usermode only), but he said a while ago that the exploit could actually do anything and that he put a protection on the kernel OF HIS OWN WILL to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?
 

Duo8

Well-Known Member
Member
Joined
Jul 16, 2013
Messages
3,613
Trophies
2
XP
3,008
Country
Vietnam
For informational purposes only, out of curiosity: smea's exploit is kernel-patched (usermode only), but he said a while ago that the exploit could actually do anything and that he put a protection on the kernel OF HIS OWN WILL to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?

More like he released only a usermode exploit OF HIS WILL.
 
Reactions: Margen67

Areseru

Member
Newcomer
Joined
Aug 17, 2013
Messages
20
Trophies
0
Age
29
XP
125
Country
Italy
For informational purposes only, out of curiosity: smea's exploit is kernel-patched (usermode only), but he said a while ago that the exploit could actually do anything and that he put a protection on the kernel OF HIS OWN WILL to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?

More like he released only a usermode exploit OF HIS WILL.

Yes, actually his first exploit was SSSpwn (which I believe gives full kernel-mode access). Moreover, I think that this "QR exploit" is just one of a (short) list of exploits "they" (him and the other 3DS devs) have come across by now on the new versions.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Messages
378
Trophies
0
Website
keybase.io
XP
897
Country
France
Yes, actually his first exploit was SSSpwn (which I believe gives full kernel-mode access). Moreover, I think that this "QR exploit" is just one of a (short) list of exploits "they" (him and the other 3DS devs) have come across by now on the new versions.

It's not just a "QR exploit", just saying....
 

Areseru

Member
Newcomer
Joined
Aug 17, 2013
Messages
20
Trophies
0
Age
29
XP
125
Country
Italy
It's not just a "QR exploit", just saying....

Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?
 

Duo8

Well-Known Member
Member
Joined
Jul 16, 2013
Messages
3,613
Trophies
2
XP
3,008
Country
Vietnam
Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

That's way too much for a QR code. You can't easily fit a hb loader in it.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Messages
378
Trophies
0
Website
keybase.io
XP
897
Country
France
Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

Let's just say the QR part is just the initial step (you don't actually need to use QR or Cubic Ninja for this step; any proper game exploit would have done the work as an entrypoint).
I've seen (mostly) how it works but I am not giving any details; I'd rather let smea do it should he ever want to. I am pretty sure he doesn't want people to do more with this than running homebrews, so I am playing with fire here and I will just avoid speaking further about this.
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,237
Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

I would imagine the QR triggers the boot.3dsx and gives you the option to install it to the game's save chip, so after the initial install (which would require the boot.3dsx on the SD) it may just be stored inside the save chip for loading without the SD present. Idk, very heavy speculation, but I doubt the actual QR code would be enough to store the actual loader.
 

Aurora Wright

Well-Known Member
Member
Joined
Aug 13, 2006
Messages
1,550
Trophies
3
XP
4,468
Country
Italy
It's not just a "QR exploit", just saying....
It seems people forgot how it's triggerable from multiple software (even from the mset hack, for example), and the 3DS has "execute never" so you can't just load binaries... So the QR exploit would only allow ROP chains, and another exploit is used, triggered with ROP (the flaw named "ssspwn"). So this will be fixed in the next update, no doubt about it.
 
Reactions: mathieulh

Areseru

Member
Newcomer
Joined
Aug 17, 2013
Messages
20
Trophies
0
Age
29
XP
125
Country
Italy
That's way too much for a QR code. You can't easily fit a hb loader in it.

Let's just say the QR part is just the initial step.
I've seen (mostly) how it works but I am not giving any details; I'd rather let smea do it should he ever want to. I am pretty sure he doesn't want people to do more with this than running homebrews, so I am playing with fire here and I will just avoid speaking further about this.

Thanks for the clarifications, guys; I will surely take an in-depth look at the whole thing.
 
