Homebrew RAM editing glitch on any 3DS, might lead to an exploit?

T

Trinitro21

Well-Known Member
OP
Member
Level 2
Joined
Oct 14, 2015
Messages
133
Trophies
0
Location
Userland
XP
206
Country
United States
TL;DR there's an oversight in SmileBASIC that leads to RAM viewing and editing on any 3DS, hacked or unhacked. It could lead to a primary exploit, but it probably won't. I don't know for sure though, so I'm posting it here to see what comes of it.

In the SmileBASIC interpreter, there's a bug with the BGSCREEN command, which resizes the background layer. The area of the background layer isn't supposed to exceed 16383, but the checks the interpreter performs on the parameters are insufficient and can be bypassed with large enough numbers.

The game will crash if the area is too large; however, there's a window where the game doesn't crash and the BG layer occupies sizes never meant to be possible. Because of this, it contains memory allocated for other purposes by the interpreter, like variable and function storage and the current program's code.

With the BG commands, this area of memory can be edited by any 3DS, hacked or unhacked.

All that is needed to trigger this glitch is this one line of code:
Code: 
BGSCREEN 0,134217728,16

Could a primary exploit be made with this bug?

It is an area of RAM allocated for the interpreter, so it's probably not executable and so likely not exploitable. However I know that there are pointers in the memory that can be edited, as well as many unknown segments of memory. Perhaps a variable's pointer could be edited to use executable memory or some other attack could be developed that could lead to an exploit?

EDIT: I'm stupid and forgot to give credit.
This glitch was found by a group of users at smilebasicsource.com, including slackerSnail, 12Me21, and incvoid.
I was somewhat part of it.
 
Last edited by Trinitro21,
  • Like
Reactions: marc00077, iVcU, imadeanaccountjustforthis and 31 others
proflayton123

proflayton123

The Temp Loaf'
Member
Level 12
Joined
Jan 11, 2016
Messages
6,032
Trophies
1
Age
24
Location
日本
Website
www.facebook.com
XP
3,212
Country
Japan
Trinitro21 said:
TL;DR there's an oversight in SmileBASIC that leads to RAM viewing and editing on any 3DS, hacked or unhacked. It could lead to a primary exploit, but it probably won't. I don't know for sure though, so I'm posting it here to see what comes of it.

In the SmileBASIC interpreter, there's a bug with the BGSCREEN command, which resizes the background layer. The area of the background layer isn't supposed to exceed 16383, but the checks the interpreter performs on the parameters are insufficient and can be bypassed with large enough numbers.

The game will crash if the area is too large; however, there's a window where the game doesn't crash and the BG layer occupies sizes never meant to be possible. Because of this, it contains memory allocated for other purposes by the interpreter, like variable and function storage and the current program's code.

With the BG commands, this area of memory can be edited by any 3DS, hacked or unhacked.

All that is needed to trigger this glitch is this one line of code:
Code: 
BGSCREEN 0,134217728,16

Could a primary exploit be made with this bug?

It is an area of RAM allocated for the interpreter, so it's probably not executable and so likely not exploitable. However I know that there are pointers in the memory that can be edited, as well as many unknown segments of memory. Perhaps a variable's pointer could be edited to use executable memory or some other attack could be developed that could lead to an exploit?
Click to expand...

Finally, a thread with a theory of possible hax with good explanation with it
 
  • Like
Reactions: marc00077, DarkFlare69, imadeanaccountjustforthis and 18 others
S

seijinshu

...
Member
Level 3
Joined
Jan 6, 2016
Messages
483
Trophies
0
Location
...
XP
248
Country
United States
Trinitro21 said:
TL;DR there's an oversight in SmileBASIC that leads to RAM viewing and editing on any 3DS, hacked or unhacked. It could lead to a primary exploit, but it probably won't. I don't know for sure though, so I'm posting it here to see what comes of it.

In the SmileBASIC interpreter, there's a bug with the BGSCREEN command, which resizes the background layer. The area of the background layer isn't supposed to exceed 16383, but the checks the interpreter performs on the parameters are insufficient and can be bypassed with large enough numbers.

The game will crash if the area is too large; however, there's a window where the game doesn't crash and the BG layer occupies sizes never meant to be possible. Because of this, it contains memory allocated for other purposes by the interpreter, like variable and function storage and the current program's code.

With the BG commands, this area of memory can be edited by any 3DS, hacked or unhacked.

All that is needed to trigger this glitch is this one line of code:
Code: 
BGSCREEN 0,134217728,16

Could a primary exploit be made with this bug?

It is an area of RAM allocated for the interpreter, so it's probably not executable and so likely not exploitable. However I know that there are pointers in the memory that can be edited, as well as many unknown segments of memory. Perhaps a variable's pointer could be edited to use executable memory or some other attack could be developed that could lead to an exploit?
Click to expand...

Excellent. I think one of these games would be better for hacking than my theory with FE:Fates.
 
  • Like
Reactions: zezzo, Deleted User, Justinde75 and 3 others
PF2M

PF2M

Ex-Miiverse Hacker
Member
Level 7
Joined
Sep 8, 2015
Messages
552
Trophies
0
Age
23
Location
Ohio
XP
1,000
Country
United States
Just tested the crashing version of it and it worked. Reminds me of that one line of Petit Computer code that crashed the game. My question is, how can the line of code you provided be used to edit the RAM? Is there other commands you can type in to do so?
 
  • Like
Reactions: imadeanaccountjustforthis
T

Trinitro21

Well-Known Member
OP
Member
Level 2
Joined
Oct 14, 2015
Messages
133
Trophies
0
Location
Userland
XP
206
Country
United States
PF2M said:
Just tested the crashing version of it and it worked. Reminds me of that one line of Petit Computer code that crashed the game. My question is, how can the line of code you provided be used to edit the RAM? Is there other commands you can type in to do so?
Click to expand...
BGGET can be used to get the two bytes at each tile and BGPUT can be used to write a new value.
RAM editors have already been made, but aren't on the SmileBASIC servers for secrecy. One can be downloaded here and injected into your extdata to be used.
 
T

Trinitro21

Well-Known Member
OP
Member
Level 2
Joined
Oct 14, 2015
Messages
133
Trophies
0
Location
Userland
XP
206
Country
United States
Thee_BaBs said:
You mentioned ram viewing was possible, how is that done?
Click to expand...
The glitch makes the background layer data extend into the rest of the RAM, so simply triggering it and offsetting the background layer is enough to view the RAM. The data can also be retrieved with the BGGET command.
 
S

seijinshu

...
Member
Level 3
Joined
Jan 6, 2016
Messages
483
Trophies
0
Location
...
XP
248
Country
United States
Trinitro21 said:
The glitch makes the background layer data extend into the rest of the RAM, so simply triggering it and offsetting the background layer is enough to view the RAM. The data can also be retrieved with the BGGET command.
Click to expand...
Hmm. This would actually work with more investigating. Getting the ability to edit RAM would be such an excellent approach. If I successfully get my exploit working, we might be able to do a dual release kinda similar to IronHax/TubeHax.
 
proflayton123

proflayton123

The Temp Loaf'
Member
Level 12
Joined
Jan 11, 2016
Messages
6,032
Trophies
1
Age
24
Location
日本
Website
www.facebook.com
XP
3,212
Country
Japan
seijinshu said:
Hmm. This would actually work with more investigating. Getting the ability to edit RAM would be such an excellent approach. If I successfully get my exploit working, we might be able to do a dual release kinda similar to IronHax/TubeHax.
Click to expand...

.-.


Sent from my iPhone using Tapatalk
 
  • Like
Reactions: Deleted User
Damon_girl

Damon_girl

Well-Known Member
Member
Level 4
Joined
Oct 27, 2015
Messages
961
Trophies
0
Age
31
XP
553
Country
United States
Can this RAM editing be used for games too? Like on SSB or Hyrule Warriors Legends to make it play better on the old 3DS?
 
KaduPSE

KaduPSE

Revolution and cake
Member
Level 4
Joined
Dec 26, 2015
Messages
260
Trophies
0
XP
408
Country
Brazil
Damon_girl said:
Can this RAM editing be used for games too? Like on SSB or Hyrule Warriors Legends to make it play better on the old 3DS?
Click to expand...
RAM editing means changing the code/values stored on RAM. The goal would be to replace them with exploitable code. It's not related to performance at all. RAM editing could be used to cheat on games, but since in this case the RAM is filled with data for this title it wouldn't be possible.
 
Mrrraou

Mrrraou

Well-Known Member
Member
Level 11
Joined
Oct 17, 2015
Messages
1,873
Trophies
0
XP
2,374
Country
France
not possible because of memory mapping: you can sure read executable memory but not write into it
you need a rop or a way to be even able to use gspwn
 
  • Like
Reactions: Ricken
Clector

Clector

Well-Known Member
Member
Level 4
Joined
Mar 15, 2016
Messages
1,078
Trophies
0
Location
Not here
XP
459
Country
Bangladesh
Well I was going to buy it, but because some things I wanted to buy before I will buy a eShop card this Thursday, but if there"s going to be an exploit it will be better to know so then I will buy it before since we know what Nintendo uses to do whit 3rd Party exploitable games.
 
Last edited by Clector,

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Is it possible...?

Hacking Homebrew  how to link pnid to 3ds/how to use juxtaposition?

Hacking Hardware  New Nintendo 3DS XL Louvre

Emulation  i have citra, i have my aes keys installed, how do i get the home menu

Hacking Misc  VCRUNTIME140.dll UCRTBASED.dll Master Thread

Hardware  Why does my 3DS take so long to turn off?

Translation Project  DQM2SP translation

General chit-chat
Help Users
  • HiradeGirl @ HiradeGirl:
    Too bad, they already drank it.
  • HiradeGirl @ HiradeGirl:
    He is now fishy.
  • K3Nv2 @ K3Nv2:
    Sak is a fishy pineapple
  • HiradeGirl @ HiradeGirl:
    :discuss:
  • HiradeGirl @ HiradeGirl:
    Have a good night everyone.
  • HiradeGirl @ HiradeGirl:
    i'm getting sleepy.
  • HiradeGirl @ HiradeGirl:
    So much drinking from @K3Nv2
  • HiradeGirl @ HiradeGirl:
    Have a nice day. Life. Week. Month. year.
  • K3Nv2 @ K3Nv2:
    10 tabs open on chrome and no slow downs suck it low ram plebs lol
  • Veho @ Veho:
    Firefox users be like "look at what they have to do to mimic a fraction of our power."
  • K3Nv2 @ K3Nv2:
    they be like which lite firefox exe pls
  • Veho @ Veho:
    Wut.
  • Maximumbeans @ Maximumbeans:
    GM all
  • K3Nv2 @ K3Nv2:
    butt
  • Maximumbeans @ Maximumbeans:
    butte
  • SylverReZ @ SylverReZ:
    douche
  • Veho @ Veho:
    Touché.
  • SylverReZ @ SylverReZ:
    https://www.youtube.com/watch?v=vCadcBR95oU
  • SylverReZ @ SylverReZ:
    Push it :creep:
  • Veho @ Veho:
    https://i.imgur.com/T0X6JND.jpg
  • Veho @ Veho:
    Talk about propaganda.
  • Veho @ Veho:
    Illinois is working to ban toxic food additives that have been banned for decades in other countries; additives that can be replaced and all those countries still have Skittles and Mountain Dew. Title of the piece: GUBMINT WANTS TO TAKE AWAY YOUR CANDY
  • Veho @ Veho:
    Gee, I wonder if the author is biased?
  • SylverReZ @ SylverReZ:
    @Veho, Sounds and smells like bullshit. They don't give you cancer, and California should know that. I don't get why they stick labels that say "may or may not cause reproductive harm or cancer".
  • Veho @ Veho:
    Arsenic doesn't give you cancer either.
    Veho @ Veho: Arsenic doesn't give you cancer either.