Homebrew RAM editing glitch on any 3DS, might lead to an exploit?

Mrrraou

not possible because of memory mapping: you can surely read executable memory, but you cannot write to it
you need a ROP or a way to even be able to use gspwn
fucking read this
this is a bit "more educated" than most of the things i've seen (like prohax/fateshaxx/this has qrcode pls exploit), but this won't lead to anything
the op doesn't even know what part of the ram is loaded, why, and how
and it's unlikely to be code, too; it could just be sprites, music or something
anyway, this won't lead to an exploit.
 

shinyquagsire23

fucking read this
this is a bit "more educated" than most of the things i've seen (like prohax/fateshaxx/this has qrcode pls exploit), but this won't lead to anything
the op doesn't even know what part of the ram is loaded, why, and how
and it's unlikely to be code, too; it could just be sprites, music or something
anyway, this won't lead to an exploit.
If you can edit memory, the only thing you need to know is what the memory *is*. It's very well possible that there's values out there which could be useful. It's also possible that it's just VRAM allocations and not exploitable at all.

Yeah. Shinyquagsire was doing something but I don't think that it is an exploit.
https://twitter.com/ShinyQuagsire/status/745627215006556160
When you can shove random data into a QR and it actually interprets it without crashing, it's probably not exploitable, and that was my point there.
 

Mrrraou

If you can edit memory, the only thing you need to know is what the memory *is*. It's very well possible that there's values out there which could be useful. It's also possible that it's just VRAM allocations and not exploitable at all.
however, if it's code, isn't code RX-mapped? i'm sure that some values could be edited and overflowed to lead to something, but these would still have to be exploitable
the issue here is that i doubt there is a way to edit that ram using smilebasic
 

Roomsaver

however, if it's code, isn't code RX-mapped? i'm sure that some values could be edited and overflowed to lead to something, but these would still have to be exploitable
the issue here is that i doubt there is a way to edit that ram using smilebasic
Can't you edit RAM with NTR? I think I saw some plugin but I forget where.
 

Seedbon

however, if it's code, isn't code RX-mapped? i'm sure that some values could be edited and overflowed to lead to something, but these would still have to be exploitable
the issue here is that i doubt there is a way to edit that ram using smilebasic
BGGET can be used to get the two bytes at each tile and BGPUT can be used to write a new value.
RAM editors have already been made, but aren't on the SmileBASIC servers for secrecy. One can be downloaded here and injected into your extdata to be used.
I'm doubtful, but that was stated earlier, I do believe.
 

Trinitro21

Using NTR Debugger, I found that the accessible memory with this glitch extends from 0x087E8CEC to 0x0CAF8D20 in process 0x29. Does that help in any way?
 

Deleted User

Using NTR Debugger, I found that the accessible memory with this glitch extends from 0x087E8CEC to 0x0CAF8D20 in process 0x29. Does that help in any way?
If you can write arbitrarily to this region, you have to find out what data is stored there. But that's a pretty big extent.
 

Trinitro21

The only interesting portion that I know of starts at 0x08812FEC. This is where all the functions, variables, labels, and string values seem to be stored, along with any information associated with them, like lengths and what I assume are pointers.
Both pointers and lengths are signed 32-bit integers that don't seem to be checked. Altering pointers or lengths and then using the variables they're associated with in a way that would try to alter the memory in a place where it can't be altered (like calling CLEAR after changing a pointer to 0xFFFFFFFF) crashes the game.
 
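The unchecked signed pointer/length pair described in the post above, as an added C example (not SmileBASIC's code and not from the thread): the wrap-around an unchecked 32-bit sum produces, beside the range check an interpreter needs. The region bounds are the ones reported earlier in the thread; treating the end address as exclusive is an assumption.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Region reported in the thread (NTR Debugger, process 0x29). */
#define REGION_START 0x087E8CECu
#define REGION_END   0x0CAF8D20u   /* assumed exclusive end */

/* What the thread describes: pointer and length are signed 32-bit values
 * used as-is. The 32-bit sum wraps, so a pointer near 0xFFFFFFFF or a
 * negative length "passes" and the access lands outside the region. */
static bool unchecked_in_region(int32_t ptr, int32_t len) {
    uint32_t end = (uint32_t)ptr + (uint32_t)len;   /* wraps modulo 2^32 */
    return end <= REGION_END;                         /* no start check either */
}

/* Hardened form: reject negative lengths, never sign-extend the pointer,
 * and compute the end in 64 bits so the sum cannot wrap. */
static bool checked_in_region(int32_t ptr, int32_t len) {
    if (len < 0)
        return false;                                 /* negative length is never valid */
    uint64_t start = (uint32_t)ptr;                   /* zero-extend, not sign-extend */
    uint64_t end   = start + (uint64_t)(uint32_t)len;
    return start >= REGION_START && end <= REGION_END;
}

int main(void) {
    /* Constructed cases: the CLEAR-after-0xFFFFFFFF crash from the post,
     * a negative length, and a valid access inside the variable table. */
    printf("ptr=0xFFFFFFFF len=4  unchecked=%d checked=%d\n",
           unchecked_in_region((int32_t)0xFFFFFFFF, 4),
           checked_in_region((int32_t)0xFFFFFFFF, 4));
    printf("ptr=0x08812FEC len=-16 unchecked=%d checked=%d\n",
           unchecked_in_region(0x08812FEC, -16),
           checked_in_region(0x08812FEC, -16));
    printf("ptr=0x08812FEC len=16  unchecked=%d checked=%d\n",
           unchecked_in_region(0x08812FEC, 16),
           checked_in_region(0x08812FEC, 16));
    return 0;
}
```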

Deleted User

The only interesting portion that I know of starts at 0x08812FEC. This is where all the functions, variables, labels, and string values seem to be stored, along with any information associated with them, like lengths and what I assume are pointers.
Both pointers and lengths are signed 32-bit integers that don't seem to be checked. Altering pointers or lengths and then using the variables they're associated with in a way that would try to alter the memory in a place where it can't be altered (like calling CLEAR after changing a pointer to 0xFFFFFFFF) crashes the game.
You could try to edit a pointer and write on the stack.
 

Pokéidiot

If someone gets to discover where PC points to when some BASIC function is called, the final thing to do is run arbitrary code from there. So we get the homebrew launcher (or another thing) along with a fresh keksploit, since we can write in read-only portions of RAM.
 

The Real Jdbye

If someone gets to discover where PC points to when some BASIC function is called, the final thing to do is run arbitrary code from there. So we get the homebrew launcher (or another thing) along with a fresh keksploit, since we can write in read-only portions of RAM.
You can't write to read only portions of RAM without already having a kernel exploit.
I can see this glitch being useful for ROP which could lead to another userland entrypoint, but we won't be able to directly overwrite code with it.
 

Swiftloke

The only interesting portion that I know of starts at 0x08812FEC. This is where all the functions, variables, labels, and string values seem to be stored, along with any information associated with them, like lengths and what I assume are pointers.
Both pointers and lengths are signed 32-bit integers that don't seem to be checked. Altering pointers or lengths and then using the variables they're associated with in a way that would try to alter the memory in a place where it can't be altered (like calling CLEAR after changing a pointer to 0xFFFFFFFF) crashes the game.
Oooh! What if we modified the function of some code in our program, then returned to it? But it's read-only, isn't it...
 
