Homebrew 3DS Reverse Engineering and ROP

TheToaster (OP)
Hello,

I wanted to get started in reverse engineering and exploitation (personally, I have an old 3DS XL). I have previous experience in C++, and I want to begin to learn ARM assembly. However, I couldn't find many books online that dealt with ARM exploitation and reverse engineering. I have only found these books so far:

http://www.federaljack.com/ebooks/Computers - Informatin Technology/Assembly , reverse engeniering and Computer Architecture books/Reverse Engeniering/2005/Wiley/Reversing - Secrets of Reverse Engineering.pdf

This book looks nice and teaches some stuff about reverse engineering and ROP, but it focuses on IA-32 processors, so I don't think it would be useful for ARM exploitation (??????)

Here is the next one:

http://www.amazon.com/gp/aw/d/11187...0_QL65&keywords=arm+assembly+embedded+systems

This teaches ARM assembly language. I couldn't find a PDF of it. Is this a good introduction to ARM assembly?

Practical Reverse Engineering

This book looks like a good introduction to reverse engineering ARM. Will it be of any use?

Operating Systems

A book that teaches how modern operating systems work.

In the CCC 2015 video, smealum and his group did a talk about 3DS hacking. I learned about Data Execution Prevention and ASLR. I could not find any books about this topic or similar topics (mostly because I didn't know what to look up.) Could anyone give me a book to learn about these things in more detail?

These are all the books that I have found, and I do not know where to start. Should I learn ARM first, and then learn about operating systems, and then reverse engineering? If anyone could help me with this and also link a few books (and which order to read them in) I would be very grateful.

Thanks.

Coto
Read the ARM exception handling book, and the ARM Thumb-mode and ARM ARM-mode (yes) instruction books: full descending stack, full ascending stack, endianness, memory mapping through ARM's memory protection unit, and interrupts.

TheToaster (OP)
Coto said:
> Read the ARM exception handling book, and the ARM Thumb-mode and ARM ARM-mode (yes) instruction books: full descending stack, full ascending stack, endianness, memory mapping through ARM's memory protection unit, and interrupts.

Thanks. But are there any books explaining reverse engineering of ARM? Also an introduction to ROP (buffer overflows and race conditions etc.) would be nice. I also want to learn about Data Execution Prevention (DEP) and ASLR. Any ideas?

TheToaster (OP)
Coto said:
> You probably won't get anywhere if you don't understand these concepts first.

OK. So I have to learn from the ARM exception handling book, the ARM THUMB mode instruction book, and the ARM ARM mode instruction book? Would THIS book also teach me the concepts you listed?

Another question: once I have thoroughly learned ARM assembly, then I can read the "Operating Systems" book in the OP, then I read about "Reverse Engineering"?

orly3
TheToaster said:
> Another question: once I have thoroughly learned ARM assembly, then I can read the "Operating Systems" book in the OP, then I read about "Reverse Engineering"?

If you'd like to learn about how to actually exploit something, cturt has a very informative, easy-to-follow guide for NDS game exploits: https://cturt.github.io/DS-exploit-finding.html
Good luck with your research :)

Raffle
Good to see people really wanting to learn, not just thinking that it all happens by magic.

TheToaster (OP)
orly3 said:
> If you'd like to learn about how to actually exploit something, cturt has a very informative, easy-to-follow guide for NDS game exploits: https://cturt.github.io/DS-exploit-finding.html
> Good luck with your research :)

Thanks, I took a look at that. Does it only apply to NDS?

Anywho, it is a good guide to stack-smashing. Do you have any books or links that I can learn about DEP, ASLR, and how to bypass these kinds of restrictions?

Myria
TheToaster said:
> Thanks, I took a look at that. Does it only apply to NDS?
>
> Anywho, it is a good guide to stack-smashing. Do you have any books or links that I can learn about DEP, ASLR, and how to bypass these kinds of restrictions?

3DS has no ASLR, so don't worry about that =^-^=

To get around NX/DEP, the standard approach on 3DS is to call GPU API functions to trigger a texture DMA that overwrites existing memory that's already marked executable. This technique on 3DS is known as "gspwn".

The reason you want to know both ARM and Thumb is because you can switch between them just by changing the low bit of the program counter (ARM=0, Thumb=1). You can put a return address as either ARM or Thumb in your ROP chain stack, and the CPU will switch modes. This is very powerful in ROP on ARM, because it allows you to reinterpret ARM opcodes as Thumb and vice versa, allowing you to use ROP gadgets that you wouldn't have otherwise. (This is very similar to how ROP on x86 can potentially get access to additional gadgets by jumping to the middle of existing instructions. Specifically that doesn't work on ARM CPUs, but reinterpreting as the wrong instruction set gives similar benefits.)
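Two of the points in this thread are easy to pin down in code: Coto's reminder that the ARM stack is full descending and that word layout depends on endianness, and Myria's point that an interworking return loads bit 0 of the target into the instruction-set state, so the same bytes can be entered as ARM or as Thumb. The following is an added example, not code from any poster and not 3DS-specific code: it packs a ROP chain the way it would sit in an overflowed buffer on a little-endian ARM, models what `bx`/`pop {pc}` does with bit 0, and lists the two Thumb "views" of one ARM instruction word. All addresses and gadgets are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One ROP gadget: where it starts and which instruction set it was written in. */
typedef struct {
    uint32_t addr;   /* hypothetical address; no real 3DS offsets are used here */
    int      thumb;  /* 1 = gadget is Thumb code, 0 = ARM code */
} gadget_t;

/* The word that goes on the stack for this gadget. An interworking pop {..., pc}
 * or bx uses bit 0 of the loaded value to pick the instruction set, so a Thumb
 * gadget is entered by pushing its address with bit 0 set. */
uint32_t rop_target(gadget_t g)
{
    return g.thumb ? (g.addr | 1u) : (g.addr & ~1u);
}

/* What the core does on that load: bit 0 selects Thumb, the rest becomes pc.
 * Returns 1 when execution continues in Thumb, 0 for ARM. */
int bx_semantics(uint32_t target, uint32_t *pc_out)
{
    *pc_out = target & ~1u;
    return (int)(target & 1u);
}

/* Lay the chain out as it would sit in the overflowed buffer: the stack is
 * full descending, so the first gadget occupies the lowest address (the slot
 * that overwrites the saved lr), and every word is little-endian. Returns the
 * number of bytes written, or 0 if the chain does not fit. */
size_t pack_chain(const gadget_t *gs, size_t n, uint8_t *out, size_t cap)
{
    if (n > cap / 4) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = rop_target(gs[i]);
        out[4 * i + 0] = (uint8_t)(v);
        out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16);
        out[4 * i + 3] = (uint8_t)(v >> 24);
    }
    return n * 4;
}

/* One Thumb view of the bytes of an ARM instruction word. */
typedef struct {
    uint32_t entry;        /* address to push on the chain (Thumb bit set) */
    uint16_t halfword;     /* the halfword a Thumb fetch would decode there */
    int      standalone16; /* 1 if it is a complete 16-bit Thumb instruction */
} thumb_view_t;

/* Reinterpreting ARM code as Thumb: a word-aligned ARM instruction is two
 * halfwords, and each can be entered as Thumb simply by pushing its byte
 * address with bit 0 set. A halfword whose bits 15:11 are 11101, 11110 or
 * 11111 is only one half of a 32-bit encoding (the BL/BLX pair on ARMv6
 * Thumb, any 32-bit instruction in Thumb-2), so it is not a 16-bit gadget
 * entry on its own. Returns -1 if the address is not ARM-aligned. */
int thumb_views(uint32_t arm_addr, uint32_t arm_word, thumb_view_t out[2])
{
    if (arm_addr & 3u) return -1;
    for (int i = 0; i < 2; i++) {
        /* little-endian: the low halfword sits at the lower address */
        uint16_t hw = (uint16_t)(arm_word >> (16 * i));
        unsigned top5 = hw >> 11;
        out[i].entry = (arm_addr + 2u * (uint32_t)i) | 1u;
        out[i].halfword = hw;
        out[i].standalone16 = !(top5 == 0x1Du || top5 == 0x1Eu || top5 == 0x1Fu);
    }
    return 0;
}

int main(void)
{
    /* Constructed gadgets at made-up addresses: one ARM, one Thumb. */
    gadget_t chain[2] = { { 0x00100000u, 0 }, { 0x00100A30u, 1 } };
    uint8_t stack[16];
    size_t n = pack_chain(chain, 2, stack, sizeof stack);
    printf("%zu bytes on the stack:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", stack[i]);
    printf("\n");

    /* The bytes of ARM `pop {r4, pc}` (0xE8BD8010) seen as two Thumb halfwords. */
    thumb_view_t v[2];
    thumb_views(0x00100000u, 0xE8BD8010u, v);
    for (int i = 0; i < 2; i++)
        printf("Thumb entry 0x%08x: halfword 0x%04x, %s\n", v[i].entry, v[i].halfword,
               v[i].standalone16 ? "16-bit instruction" : "half of a 32-bit encoding");
    return 0;
}
```

The halfword classification only tells you whether a byte offset can be the start of a 16-bit Thumb instruction at all; whether what decodes there is a usable gadget (ends in a `pop {pc}` or `bx`, does not fault) still has to be checked with a disassembler run in Thumb mode at that offset. Note also that the 3DS application core is an ARM11 (ARMv6K), whose Thumb lacks the Thumb-2 32-bit encodings other than the BL/BLX pair, so the set of halfwords that decode to something useful there is smaller than on an ARMv7 target.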

TheToaster (OP)
Myria said:
> 3DS has no ASLR, so don't worry about that =^-^=
>
> To get around NX/DEP, the standard approach on 3DS is to call GPU API functions to trigger a texture DMA that overwrites existing memory that's already marked executable. This technique on 3DS is known as "gspwn".
>
> The reason you want to know both ARM and Thumb is because you can switch between them just by changing the low bit of the program counter (ARM=0, Thumb=1). You can put a return address as either ARM or Thumb in your ROP chain stack, and the CPU will switch modes. This is very powerful in ROP on ARM, because it allows you to reinterpret ARM opcodes as Thumb and vice versa, allowing you to use ROP gadgets that you wouldn't have otherwise. (This is very similar to how ROP on x86 can potentially get access to additional gadgets by jumping to the middle of existing instructions. Specifically that doesn't work on ARM CPUs, but reinterpreting as the wrong instruction set gives similar benefits.)

Yea, I kinda figured that the 3DS had no ASLR (I just saw it in CCC 2015). Thanks for your reply! It is very useful.

gallymimu
HA,

What OP needs to understand is that there is a lot of learning that has to go on before the pathway to exploitation will open. He needs to learn ARM assembly. He needs to learn about OSes. He needs to learn about memory-mapped memory and peripherals and how video memory is incorporated. He needs to learn about the 3DS architecture, both high level and low level, and its OS long before any practical exploitation can be explored.

It's a bit like saying "I want to learn to cheat at Nascar so I can win a race, where do I find a book on that" Well... first ya gotta learn to drive, then you gotta learn about cars, then you gotta learn about racing, then you gotta learn the rules of Nascar, then ya probably gotta get good at Nascar racing, Then you gotta understand the things that make the racers win or lose, THEN you might start seeing ways to bend or cheat the rules to modify your car in a way that won't get caught and see if you can sneak by the authorities and win the race :).

All the pieces and background and expertise must be in place before you can start to see the opportunities to win at a game like this.

TheToaster (OP)
gallymimu said:
> HA,
>
> What OP needs to understand is that there is a lot of learning that has to go on before the pathway to exploitation will open. He needs to learn ARM assembly. He needs to learn about OSes. He needs to learn about memory-mapped memory and peripherals and how video memory is incorporated. He needs to learn about the 3DS architecture, both high level and low level, and its OS long before any practical exploitation can be explored.
>
> It's a bit like saying "I want to learn to cheat at Nascar so I can win a race, where do I find a book on that" Well... first ya gotta learn to drive, then you gotta learn about cars, then you gotta learn about racing, then you gotta learn the rules of Nascar, then ya probably gotta get good at Nascar racing, Then you gotta understand the things that make the racers win or lose, THEN you might start seeing ways to bend or cheat the rules to modify your car in a way that won't get caught and see if you can sneak by the authorities and win the race :).
>
> All the pieces and background and expertise must be in place before you can start to see the opportunities to win at a game like this.

Yes, I understand that. I am currently learning ARM assembly. I am not an idiot to think exploitation is a simple thing to do: I understand the effort that goes into exploiting and reverse engineering and I have also gained an appreciation for the amazing hackers on the 3DS scene for being able to come so far.

Nowhere in my post did I ever state that exploitation was easy.
I just wanted some advice on getting started and what steps to take after I have got a firm grasp on these concepts.

gallymimu
TheToaster said:
> Yes, I understand that. I am currently learning ARM assembly. I am not an idiot to think exploitation is a simple thing to do: I understand the effort that goes into exploiting and reverse engineering and I have also gained an appreciation for the amazing hackers on the 3DS scene for being able to come so far.
>
> Nowhere in my post did I ever state that exploitation was easy.
> I just wanted some advice on getting started and what steps to take after I have got a firm grasp on these concepts.

I wasn't implying that you thought it was easy, but rather that you thought there was a clear step-by-step direction (i.e. a book) toward your goal, which likely doesn't exist. As I said, your goal is a culmination of puzzle pieces.

Sorry if it came across as indicating you were dumb; that wasn't the intent, and I applaud you for digging in instead of being like most of the lazy ass hats on this forum!

TheToaster (OP)
gallymimu said:
> I wasn't implying that you thought it was easy, but rather that you thought there was a clear step-by-step direction (i.e. a book) toward your goal, which likely doesn't exist. As I said, your goal is a culmination of puzzle pieces.
>
> Sorry if it came across as indicating you were dumb; that wasn't the intent, and I applaud you for digging in instead of being like most of the lazy ass hats on this forum!

So do you think the book on "Operating Systems" in my post might be useful in any way?

shinyquagsire23
TheToaster said:
> So do you think the book on "Operating Systems" in my post might be useful in any way?

I honestly think you'd get somewhere sooner just doing straight reverse engineering, i.e. look into how some game or app does X specifically. Learn to read, write, and hack ARM assembly. Once you fully understand how ARM works and how the stack works, that's when you can actually start working on exploitation. You'll also want to know how the 3DS specifically works, how processes/services communicate with each other, permissions with those services, etc.