Hacking: Want to learn how to find exploit

Thread starter: delicator (Member, Newcomer; joined Mar 10, 2010; Country: France)
Yes, I know, it's a bit large :)

But I'm a dev, I'm curious, and I want to learn.

I read the wiki and topics in here.

I'm looking for precise info about methods to search for something like a save exploit, like Zelda for 3DS, or even old ones like Zelda on Wii, or some Lego game.

Do you have some links or resources?

Thanks


edit: reading now http://3dbrew.org/wiki/Savegames
http://dsibrew.org/wiki/DSiWare_VulnList
It's not that simple. Maybe you can start by finding different ways to crash your 3DS, but you'll have to modify something first. Maybe do what Gateway did and modify some saves; the spider exploit is done and patched, so no servers made to crash your DS. It's not easy, or else everyone would do it.
 
"Find an exploit" is too broad. You'll at least want to devise some feasible attack vector first, then try to follow it.
 
> "Find an exploit" is too broad. You'll at least want to devise some feasible attack vector first, then try to follow it.

Yes,
I would like to look into forged-save types of attack.

In Cubic Ninja, it's by QR code, so I imagine some function decodes and parses the QR, with a vulnerability in memory management or similar.
 
> It's not that simple. Maybe you can start by finding different ways to crash your 3DS, but you'll have to modify something first. Maybe do what Gateway did and modify some saves; the spider exploit is done and patched, so no servers made to crash your DS. It's not easy, or else everyone would do it.

I thought about modifying amiibo data (I read it with my phone to see what's inside ^^), but amiibo are read-only in game, and I don't have a retail game using amiibo on 3DS. And why not see what can be done with custom themes for the n3DS?
 
> Yes,
> I would like to look into forged-save types of attack.
>
> In Cubic Ninja, it's by QR code, so I imagine some function decodes and parses the QR, with a vulnerability in memory management or similar.

If you want to exploit saves, remember that only old games (pre 2.x) can have their saves decrypted and re-encrypted. And you can only inject a ROP chain.
I suggest disassembling the game's binary to see how the save is read, since we don't have a complete emulator yet.

As for ninjhax, the QR code is also a ROP chain.
 
Amiibo data is encrypted.

I have 5 fields: type of tag, technology available, serial number, ATQA and SAK; when I tried to read memory, the app I'm using can support this type of tag.
But it's mostly out of curiosity; it's my Child Link amiibo for Smash Bros, I can't damage it ^^

I'll be reading about save games, it's a good start I think.
 
> I have 5 fields: type of tag, technology available, serial number, ATQA and SAK; when I tried to read memory, the app I'm using can support this type of tag.
> But it's mostly out of curiosity; it's my Child Link amiibo for Smash Bros, I can't damage it ^^
>
> I'll be reading about save games, it's a good start I think.

Amiibo data is encrypted, signed and write-protected (varies between pages).
Someone disassembled the amiibo module: https://www.reddit.com/r/amiibros/comments/328hqz/amiibo_encryption_reverseengineering/
 
> If you want to exploit saves, remember that only old games (pre 2.x) can have their saves decrypted and re-encrypted. And you can only inject a ROP chain.
> I suggest disassembling the game's binary to see how the save is read, since we don't have a complete emulator yet.
>
> As for ninjhax, the QR code is also a ROP chain.

For the other readers of the thread (and me of course ^^): http://en.wikipedia.org/wiki/Return-oriented_programming

For the old games, what changed? The signature/encryption method?
Can I find a list of before/after games?
 
> For the other readers of the thread (and me of course ^^): http://en.wikipedia.org/wiki/Return-oriented_programming
>
> For the old games, what changed? The signature/encryption method?
> Can I find a list of before/after games?

Very old 3DS games have a flaw that allows you to calculate the decrypted data. More info here: http://3dbrew.org/wiki/Savegames#Repeating_CTR_Fail
Those may or may not have the data signed. I don't remember. If they do, then you need a hacked 3DS to sign the save.
As for the version, your best bet is to check the game's SDK version.
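An added illustration of why a repeating CTR keystream is a design flaw, not code from this thread or from 3dbrew: a toy SHA-256-based stream cipher stands in for the real save cipher, and the key, nonces and save contents are constructed. It shows the leak when a nonce is reused across writes, a check a reviewer can run on two encrypted saves, and the fix of a fresh nonce per write.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: block i = SHA-256(key || nonce || i).
    A stand-in for a block cipher in CTR mode so the demo runs offline."""
    out = bytearray()
    block_index = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block_index.to_bytes(8, "big")).digest()
        block_index += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_save(key: bytes, nonce: bytes, save: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream; decryption is the same call."""
    return xor_bytes(save, keystream(key, nonce, len(save)))


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """With the same key AND nonce the keystreams cancel, so this equals
    plaintext1 XOR plaintext2: the saves leak information without the key."""
    return xor_bytes(c1, c2)


def looks_like_keystream_reuse(c1: bytes, c2: bytes, zero_run: int = 16) -> bool:
    """Defensive check: two encrypted saves that XOR to a long run of zero bytes
    almost certainly share a keystream (unchanged plaintext regions cancel out);
    independently nonced ciphertexts XOR to pseudo-random bytes instead."""
    return bytes(zero_run) in ciphertext_xor(c1, c2)


# Constructed sample data: two versions of one save that differ in a single field.
KEY = b"constructed-demo-key-not-a-real-one"
SAVE_V1 = b"\x00" * 32 + b"hero=Link   rupees=0010" + b"\x00" * 40
SAVE_V2 = b"\x00" * 32 + b"hero=Link   rupees=9999" + b"\x00" * 40

# Flawed: the same nonce is reused for every write, so every write shares a keystream.
FIXED_NONCE = b"\x00" * 8
C1_BAD = encrypt_save(KEY, FIXED_NONCE, SAVE_V1)
C2_BAD = encrypt_save(KEY, FIXED_NONCE, SAVE_V2)

# Fixed: a fresh nonce per write (here a monotonic write counter) gives a fresh keystream.
C1_OK = encrypt_save(KEY, (1).to_bytes(8, "big"), SAVE_V1)
C2_OK = encrypt_save(KEY, (2).to_bytes(8, "big"), SAVE_V2)
```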