Exploit Development?

Discussion in '3DS - Homebrew Development and Emulators' started by gudenau, Aug 5, 2015.

  1. gudenau
Let's say I have a crash, and it just happens to lead to ROP. How would I go about finding gadgets? How would I get a dump, or make one from the CIA/3DS?
     
  2. Gadorach
    2-6 years of university and unbreakable resolve
     
  3. WeedZ
I recall smea posting pics of this weird PC board contraption he made that he had soldered to the internals of the DS, so he could push commands, get RAM info, not really sure. You want to talk to people like smea, yellows8, yifanlu... those dudes. They're the 733t h4x0rs.
     
  4. WulfyStylez
    You'd need a bug that specifically writes user-controlled data onto the stack in order to overwrite the return address for the function you're in and gain execution. Once you've pinpointed exactly where your data is getting written to, you'll know how to generally format your ROP. Knowing how much space to have between the beginning of whatever data you're dealing with and the start of your ROP can be a pain.
Before finding gadgets, you'll need to know the functions you're dealing with for your exploit. gspwn for basic code execution will work with GSP funcs, for example. You need functions to pop the registers needed for your goals (search for pop {whatever you need} and use that address) and occasionally memory load/store funcs (find regs being loaded from/stored to immediately before the return). When jumping to a full-blown function, make sure you're jumping after the function prologue, or you'll ruin the stack. Also keep an eye on Thumb vs. ARM addresses. For stuff ending in bx lr instead of pop {pc}, you'll need to find a gadget/set of gadgets for setting lr first.
    From there, ROP is pretty much just "writing the stack." You're doing some kinda-weird asm, basically.
     
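The gadget hunt WulfyStylez describes, as an added example that is not code from this thread or from any 3DS homebrew project: a small scanner that walks a raw code dump for the two gadget shapes mentioned (pop {..., pc} and bx lr) in both ARM and Thumb encodings, and then lays out the stack words that drive one such gadget. The dump bytes, the load address BASE and the target address passed to build_chain are all constructed for the example; on a real dump you would still confirm each hit in a disassembler, because a halfword that looks like a Thumb pop can sit in the middle of an ARM instruction and vice versa.

```python
"""ARM/Thumb gadget finder and stack-layout helper (constructed example)."""
import struct
from typing import List, NamedTuple, Optional

BASE = 0x00100000  # assumed load address of the dump (constructed, not from the thread)

REGS = ["r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
        "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc"]

# Constructed code dump. ARM words first, then a Thumb region.
DUMP = bytes.fromhex(
    "0000a0e1"   # 0x00: mov r0, r0       (ARM nop)
    "0380bde8"   # 0x04: pop {r0, r1, pc} (ARM: LDMIA sp!, {r0, r1, pc})
    "1080bde8"   # 0x08: pop {r4, pc}
    "001090e5"   # 0x0c: ldr r1, [r0]     (load gadget: reg loaded right before the return)
    "1eff2fe1"   # 0x10: bx lr            (needs lr set by an earlier gadget)
    "7047"       # 0x14: bx lr            (Thumb)
    "01bd"       # 0x16: pop {r0, pc}     (Thumb)
    "1fbd"       # 0x18: pop {r0-r4, pc}  (Thumb)
    "7047"       # 0x1a: bx lr            (Thumb)
)


class Gadget(NamedTuple):
    addr: int        # value to put on the stack; Thumb gadgets carry bit 0 set
    mode: str        # "arm" or "thumb"
    text: str        # human-readable form
    regs: List[str]  # registers popped, in pop order (empty for bx lr)


def arm_pop_regs(word: int) -> Optional[List[str]]:
    """Register list if `word` is LDMIA sp!, {..., pc} (0xE8BD0000 | list, bit 15 = pc)."""
    if word & 0xFFFF8000 != 0xE8BD8000:
        return None
    return [REGS[i] for i in range(16) if word >> i & 1]


def thumb_pop_regs(hw: int) -> Optional[List[str]]:
    """Register list if `hw` is the 16-bit Thumb pop {list, pc} (0xBD00 | list, bits 0-7 = r0-r7)."""
    if hw & 0xFF00 != 0xBD00:
        return None
    return [REGS[i] for i in range(8) if hw >> i & 1] + ["pc"]


def find_gadgets(dump: bytes, base: int = BASE) -> List[Gadget]:
    """Scan ARM at 4-byte and Thumb at 2-byte alignment; return every pop/bx lr hit."""
    found: List[Gadget] = []
    for off in range(0, len(dump) - 3, 4):
        (word,) = struct.unpack_from("<I", dump, off)
        regs = arm_pop_regs(word)
        if regs:
            found.append(Gadget(base + off, "arm", "pop {%s}" % ",".join(regs), regs))
        elif word == 0xE12FFF1E:  # bx lr
            found.append(Gadget(base + off, "arm", "bx lr", []))
    for off in range(0, len(dump) - 1, 2):
        (hw,) = struct.unpack_from("<H", dump, off)
        regs = thumb_pop_regs(hw)
        # Thumb address: set bit 0 so the branch switches to Thumb state.
        if regs:
            found.append(Gadget((base + off) | 1, "thumb", "pop {%s}" % ",".join(regs), regs))
        elif hw == 0x4770:  # bx lr
            found.append(Gadget((base + off) | 1, "thumb", "bx lr", []))
    return found


def find_pop(gadgets: List[Gadget], needed) -> Optional[Gadget]:
    """First pop gadget that loads every register in `needed` and ends in pc."""
    for g in gadgets:
        if g.regs and set(needed) <= set(g.regs):
            return g
    return None


def build_chain(gadget: Gadget, values: dict, target: int) -> List[int]:
    """Stack words, starting at the overwritten return address, that run `gadget`
    with `values` in its registers and then return into `target`.
    `target` should be an address past the callee's prologue (see the post above)."""
    missing = set(values) - set(gadget.regs)
    if missing:
        raise ValueError("gadget does not pop %s" % sorted(missing))
    values = dict(values, pc=target)
    return [gadget.addr] + [values.get(r, 0) for r in gadget.regs]


def pack_chain(words: List[int]) -> bytes:
    """Little-endian bytes to drop into the overflowing buffer at the return-address slot."""
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    gadgets = find_gadgets(DUMP)
    for g in gadgets:
        print("%#010x %-5s %s" % (g.addr, g.mode, g.text))
    g = find_pop(gadgets, ["r0", "r1"])
    # 0x00108000 stands in for "some function, after its prologue" (constructed).
    chain = build_chain(g, {"r0": 0xDEADBEEF, "r1": 0x1000}, 0x00108000)
    print([hex(w) for w in chain], pack_chain(chain).hex())
```

The chain is literally the stack as the post says: the first word replaces the saved return address, the next words are consumed in register order by the pop, and the last one becomes pc. Anything between the start of your data and that first word is the padding the post warns about, and the scanner does not compute it for you.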
  5. gudenau
    But how do I get memory for finding the gadgets?
     
  6. hippy dave
    So basically just keep hammering buttons until something happens, right?
     
  7. gudenau