I AM NOT SAYING IN ANY WAY THAT THERE IS A DEFINITE EXPLOIT.
Okay, now that I got that out of the way, allow me to explain myself.
Back in the VVVVVV exploit release thread, someone mentioned about other Nicalis games possibly containing exploits (as a joke, I assume) so I decided that for my first very technical 3DS project I'd try to pick apart one of the games and see if they could actually be exploited.
CaveStory, I think, can be. But I don't really know, because I've come to a slight roadstop. Allow me to explain my case thus far.
CaveStory's save slots contain a date and time that the slot was updated. This is stored in plaintext within the save file.
There seemed to be no save protection or checksum at all upon inspecting multiple files, so for kicks and giggles, I edited the date to be something... not a date. To my surprise:
IT WORKED! So, considering that the date and time is a string, and that the end of this string seems to be symbolized by a $00 hexadecimal character, there already seemed to be a clear overflow at hand here. Upon continually lengthening the string, the game did crash. However, here is my roadblock...
I'm just starting off, so I've got no idea of any good way that I can debug the game and see what is happening in real time order to pinpoint things and be able to formulate proper ROP (if at all possible in this case).
I understand the basic concept of an exploit (getting a way to manipulate the stack, using ROP gadgets to load our code, and then running it) but, once again, I don't know of the right tools to get this off of the ground and allow me to continue what little research I've put into CaveStory.
Any help would be greatly appreciated here. Thank you!
inb4 "another one of these threads hur hur"
Okay, now that I got that out of the way, allow me to explain myself.
Back in the VVVVVV exploit release thread, someone mentioned about other Nicalis games possibly containing exploits (as a joke, I assume) so I decided that for my first very technical 3DS project I'd try to pick apart one of the games and see if they could actually be exploited.
CaveStory, I think, can be. But I don't really know, because I've come to a slight roadstop. Allow me to explain my case thus far.
CaveStory's save slots contain a date and time that the slot was updated. This is stored in plaintext within the save file.
There seemed to be no save protection or checksum at all upon inspecting multiple files, so for kicks and giggles, I edited the date to be something... not a date. To my surprise:
IT WORKED! So, considering that the date and time is a string, and that the end of this string seems to be symbolized by a $00 hexadecimal character, there already seemed to be a clear overflow at hand here. Upon continually lengthening the string, the game did crash. However, here is my roadblock...
I understand the basic concept of an exploit (getting a way to manipulate the stack, using ROP gadgets to load our code, and then running it) but, once again, I don't know of the right tools to get this off of the ground and allow me to continue what little research I've put into CaveStory.
Any help would be greatly appreciated here. Thank you!
inb4 "another one of these threads hur hur"
