3DS Reverse Engineering and ROP

Discussion in '3DS - Homebrew Development and Emulators' started by TheToaster, Feb 20, 2016.

  1. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    Hello,

    I wanted to get started in reverse engineering and exploitation (personally, I have an old 3DS XL). I have previous experience in C++, and I want to begin to learn ARM assembly. However, I couldn't find many books online that dealt with ARM exploitation and reverse engineering. I have only found these books so far:

    http://www.federaljack.com/ebooks/Computers - Informatin Technology/Assembly , reverse engeniering and Computer Architecture books/Reverse Engeniering/2005/Wiley/Reversing - Secrets of Reverse Engineering.pdf

    This book looks nice and teaches some stuff about reverse engineering and ROP, but it focuses on IA-32 processors, so I don't think it would be useful for ARM exploitation (??????)

    Here is the next one:

    http://www.amazon.com/gp/aw/d/11187...0_QL65&keywords=arm+assembly+embedded+systems

    This teaches ARM assembly language. I couldn't find a PDF of it. Is this a good introduction to ARM assembly?

    Practical Reverse Engineering

    This book looks like a good introduction to reverse engineering ARM. Will it be of any use?

    Operating Systems

    A book that teaches how modern operating systems work.

    In the CCC 2015 video, smealum and his group did a talk about 3DS hacking. I learned about Data Execution Prevention and ASLR. I could not find any books about this topic or similar topics (mostly because I didn't know what to look up.) Could anyone give me a book to learn about these things in more detail?

    These are all the books that I have found, and I do not know where to start. Should I learn ARM first, and then learn about operating systems, and then reverse engineering? If anyone could help me with this and also link a few books (and which order to read them in) I would be very grateful.

    Thanks.
     
    Last edited by TheToaster, Feb 20, 2016
    TR_mahmutpek likes this.
  2. TR_mahmutpek

    TR_mahmutpek GBAtemp Advanced Fan

    Member
    630
    134
    Jul 28, 2015
    Good luck :)
     
    TheToaster likes this.
  3. Coto

    Coto GBAtemp Addict

    Member
    2,365
    415
    Jun 4, 2010
    Chile
    Read the ARM exception handling book, and the ARM THUMB mode and ARM ARM mode (yes) instruction books. Full stack descending, full stack ascending, endianness, memory mapping through ARM's memory protection unit, and interrupts.
     
  4. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    Thanks. But are there any books explaining reverse engineering of ARM? Also an introduction to ROP (buffer overflows and race conditions etc.) would be nice. I also want to learn about Data Execution Prevention (DEP) and ASLR. Any ideas?
     
  5. Coto

    Coto GBAtemp Addict

    Member
    2,365
    415
    Jun 4, 2010
    Chile
    You probably won't get anywhere if you don't understand these concepts first.
     
  6. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    OK. So I have to learn from the ARM exception handling book, the ARM THUMB mode instruction book, and the ARM ARM mode instruction book? Would THIS book also teach me the concepts you listed?

    Another question: once I have thoroughly learned ARM assembly, then I can read the "Operating Systems" book in the OP, then I read about "Reverse Engineering"?
     
    Last edited by TheToaster, Feb 20, 2016
  7. orly3

    orly3 Advanced Member

    Newcomer
    64
    58
    Jun 8, 2015
    If you'd like to learn about how to actually exploit something, cturt has a very informative, easy to follow guide for nds game exploits: https://cturt.github.io/DS-exploit-finding.html
    Good luck with your research :)
     
    TheToaster likes this.
  8. Raffle

    Raffle Member

    Newcomer
    27
    2
    Nov 6, 2015
    Brazil
    Good to see people really wanting to learn, not just thinking that all of this happens by magic.
     
    Last edited by Raffle, Feb 20, 2016
  9. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    Thanks, I took a look at that. Does it only apply to NDS?

    Anywho, it is a good guide to stack-smashing. Do you have any books or links that I can learn about DEP, ASLR, and how to bypass these kinds of restrictions?
     
  10. Myria

    Myria GBAtemp Fan

    Member
    432
    410
    Jul 24, 2014
    United States
    3DS has no ASLR, so don't worry about that =^-^=

    To get around NX/DEP, the standard approach on 3DS is to call GPU API functions to trigger a texture DMA that overwrites existing memory that's already marked executable. This technique on 3DS is known as "gspwn".

    The reason you want to know both ARM and Thumb is because you can switch between them just by changing the low bit of the program counter (ARM=0, Thumb=1). You can put a return address as either ARM or Thumb in your ROP chain stack, and the CPU will switch modes. This is very powerful in ROP on ARM, because it allows you to reinterpret ARM opcodes as Thumb and vice versa, allowing you to use ROP gadgets that you wouldn't have otherwise. (This is very similar to how ROP on x86 can potentially get access to additional gadgets by jumping to the middle of existing instructions. Specifically that doesn't work on ARM CPUs, but reinterpreting as the wrong instruction set gives similar benefits.)
     
    Last edited by Myria, Feb 20, 2016 - Reason: On 3DS
    Mrrraou, TheCruel and TheToaster like this.
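    Two of the rules Myria describes above, the interworking bit that selects ARM or Thumb and the NX/DEP check that faults when execution lands in non-executable memory, can be modelled in a few lines. The following is an added example for readers of this thread, not code from Myria or from any 3DS project; the memory map it uses is constructed for illustration and is not the real 3DS layout. It is written from a crash-triage angle: given a list of return addresses recovered from a stack, it reports which instruction set each would execute in and whether DEP would stop it.

```python
"""Model of ARM/Thumb interworking and an NX permission check.

Added example for this thread; the memory map below is constructed and
does not describe real 3DS memory.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    start: int        # inclusive
    end: int          # exclusive
    name: str
    executable: bool


# Constructed sample map: one executable code region, everything else NX.
SAMPLE_MAP = [
    Region(0x00100000, 0x00200000, "code",   True),
    Region(0x00200000, 0x00300000, "rodata", False),
    Region(0x08000000, 0x08100000, "heap",   False),
    Region(0x0FFF0000, 0x10000000, "stack",  False),
]


def decode_interworking_target(addr: int) -> Tuple[str, int]:
    """Apply the BX-style interworking rule to a branch target.

    Bit 0 set selects Thumb and is stripped from the PC; bit 0 clear selects
    ARM, where the address must also be word aligned (bit 1 clear).
    """
    if addr & 1:
        return "Thumb", addr & ~1
    if addr & 2:
        raise ValueError(f"{addr:#010x}: ARM target must be word aligned")
    return "ARM", addr


def find_region(addr: int, regions: List[Region]) -> Optional[Region]:
    """Return the region containing addr, or None if unmapped."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def triage_chain(addresses: List[int], regions: List[Region] = SAMPLE_MAP):
    """Classify each return address found on a stack.

    Yields tuples (addr, mode, pc, region_name, verdict) where verdict is
    "ok", "nx-fault" (lands in non-executable memory, which is what DEP
    blocks), "unmapped", or "misaligned".
    """
    results = []
    for a in addresses:
        try:
            mode, pc = decode_interworking_target(a)
        except ValueError:
            results.append((a, None, None, None, "misaligned"))
            continue
        region = find_region(pc, regions)
        if region is None:
            verdict = "unmapped"
        elif not region.executable:
            verdict = "nx-fault"
        else:
            verdict = "ok"
        results.append((a, mode, pc, region.name if region else None, verdict))
    return results


if __name__ == "__main__":
    # Constructed stack contents: Thumb into code, ARM into code,
    # Thumb into heap (DEP would fault), and a misaligned ARM target.
    for row in triage_chain([0x00100401, 0x00100400, 0x08001001, 0x00100402]):
        print(row)
```

The `misaligned` case is why Myria's point about switching sets matters in both directions: the same numeric address is a legal Thumb target with bit 0 set but an illegal ARM target with only bit 1 set, so the low two bits of every value on the stack decide how the CPU will read the bytes it lands on.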
  11. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    Yea, I kinda figured that the 3DS had no ASLR (I just saw it in CCC 2015). Thanks for your reply! It is very useful.
     
  12. Roboman

    Roboman GBAtemp Fan

    Member
    300
    70
    Jan 7, 2016
    United States
  13. gallymimu

    gallymimu EE Expert

    Member
    297
    114
    Mar 15, 2009
    United States
    HA,

    What OP needs to understand is that there is a lot of learning that has to go on before the pathway to exploitation will open. He needs to learn ARM assembly. He needs to learn about OSes. He needs to learn about memory mapped memory and peripherals and how video memory is incorporated. He needs to learn about the 3DS architecture, both high level and low level, and its OS long before any practical exploitation can be explored.

    It's a bit like saying "I want to learn to cheat at Nascar so I can win a race, where do I find a book on that?" Well... first ya gotta learn to drive, then you gotta learn about cars, then you gotta learn about racing, then you gotta learn the rules of Nascar, then ya probably gotta get good at Nascar racing, then you gotta understand the things that make the racers win or lose, THEN you might start seeing ways to bend or cheat the rules to modify your car in a way that won't get caught and see if you can sneak by the authorities and win the race :).

    All the pieces and background and expertise must be in place before you can start to see the opportunities to win at a game like this.
     
  14. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    Yes, I understand that. I am currently learning ARM assembly. I am not an idiot who thinks exploitation is a simple thing to do: I understand the effort that goes into exploiting and reverse engineering, and I have also gained an appreciation for the amazing hackers on the 3DS scene for being able to come so far.

    Nowhere in my post did I ever state that exploitation was easy.
    I just wanted some advice on getting started and what steps to take after I have got a firm grasp on these concepts.
     
  15. gallymimu

    gallymimu EE Expert

    Member
    297
    114
    Mar 15, 2009
    United States
    I wasn't implying that you thought it was easy, but rather that you thought there was a clear step-by-step direction (i.e. a book) toward your goal, which likely doesn't exist; as I said, your goal is a culmination of puzzle pieces.

    Sorry if it came across as indicating you were dumb, that wasn't the intent, and I applaud you for digging in instead of being like most of the lazy ass hats on this forum!
     
    TheToaster likes this.
  16. TheToaster
    OP

    TheToaster Warrior of the Toast

    Member
    430
    163
    Aug 11, 2015
    United States
    USA
    So do you think the book on "Operating Systems" in my post might be useful in any way?
     
  17. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,964
    3,238
    Nov 18, 2012
    United States
    Las Vegas
    I honestly think you'd get somewhere sooner just doing straight reverse engineering, i.e. looking into how some game or app does X specifically. Learn to read, write, and hack ARM assembly. Once you fully understand how ARM works and how the stack works, that's when you can actually start working on exploitation. You'll also want to know how the 3DS specifically works, how processes/services communicate with each other, permissions with those services, etc.