How do game exploits work?

Discussion in '3DS - Homebrew Development and Emulators' started by mashers, Jun 12, 2015.

  1. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,155
    Jun 10, 2015
    Kongo Jungle
    I've always been fascinated by this. What actually happens when a game save exploit (or QR code exploit in the case of ninjhax) is initiated? How do they bypass the system's security and allow the payload to execute? And how do people find the exploits?! I'm sure the answers to these questions are more complicated than I could possibly realise, but I'm hoping somebody can shed some light.
     
  2. julian20

    julian20 GBAtemp Fan

    Member
    336
    265
    Jan 10, 2015
    Gambia, The
  3. TheCruel

    TheCruel Developer

    Banned
    1,351
    2,884
    Dec 6, 2013
    United States
    Some answers here: https://gbatemp.net/threads/how-do-people-find-exploits-on-consoles-like-3ds.389594/

    The most common exploit entry points tend to be stack smashing (both ninjhax and mset use it): overflowing a buffer that doesn't properly check data sizes so that you can access memory locations that weren't intended for modification. Then it's just a matter of examining memory and trying to trace execution so you can figure out what needs to be changed to get the call stack to go where you want. This typically isn't enough to get full control over a console, and exploits tend to chain multiple exploits, called stages.
     
    marc00077 and atkfromabove like this.
  4. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,155
    Jun 10, 2015
    Kongo Jungle
    Thank you both for the information and links. Time for some reading :)
     
  5. atkfromabove

    atkfromabove GBAtemp Fan

    Member
    318
    52
    Feb 9, 2015
    United States
    The state with lots of wives
    I like the way you explained that
     
  6. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,155
    Jun 10, 2015
    Kongo Jungle
    So, if the exploits rely on overflows within a particular piece of software, how does a system firmware update patch this? Does it include a patch for that particular piece of software, or does it improve memory management so overflows are not possible at all any more? Put another way, is it still possible for further exploits to be found in >9.2?
     
  7. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,553
    9,379
    Nov 21, 2005
    Overflows are not the only means by which to do things but they are popular and a common thing that the C programming language, the one favoured for low level work, can cause to happen if the programmer is not paying attention.
    Firmware updates fix things in various ways. The Wii Twilight Princess hacks at first were fixed by the system menu attempting to detect the specific thing used by the exploit, which promptly could be changed for another and the hack was back; another time I think it was that they detected it but neglected to get rid of it properly. Until the last fix they were generally considered the bad way of doing it.
    If it is an updateable menu rather than the not so updateable Wii game then they probably figured out how the exploit worked (they can download it too and they have better debug options a lot of the time) and fix the issue there. If they were doing it well then they could also check the rest of the firmware at the same time to see if there are any others. Improving memory management so overflows are not possible is not really a thing; there are more memory safe (and possibly slower) versions of C like http://www.seclab.cs.sunysb.edu/mscc/ but few people use them.

    There are always possibilities for bugs that lead to exploits in complex software. To that end post 9.2 things could be found. Not to mention 3ds hackers have not even touched upon hardware methods yet beyond nand dumping/reflashing.

    You might also like the following
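    The stack-smashing entry point TheCruel describes and the unchecked C copy FAST6191 mentions, as an added C example that is not from this thread, from ninjhax, or from any console's firmware: a save-record loader that trusts a length field stored in the save file, beside one that checks that length against the size of the destination field. The record layout, the save-file format, the function names and the sample bytes are all constructed for illustration; the record is modelled as one byte array (name field followed by a flag byte) so the overrun stays within defined behaviour rather than actually corrupting the stack.

```c
#include <stdio.h>
#include <string.h>

/* Constructed save-record layout (hypothetical, not any real game's):
 *   bytes 0..15  player name field (NAME_MAX bytes)
 *   byte  16     "everything unlocked" flag, expected to stay 0
 * The whole record is one byte array so an over-long copy lands on the
 * flag byte in a well-defined way instead of smashing real stack memory. */
#define NAME_MAX   16
#define REGION_LEN 32
#define FLAG_OFF   NAME_MAX

struct save_record {
    unsigned char region[REGION_LEN];
};

/* Constructed save-file format: one length byte, then that many name bytes. */
struct save_file {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable loader: trusts the length byte the save file declares. It only
 * checks that the file itself is long enough, never that the name field is. */
static int load_name_unchecked(struct save_record *rec, const struct save_file *f)
{
    if (f->len < 1) return -1;
    size_t name_len = f->data[0];
    if (name_len > f->len - 1) return -1;   /* file shorter than declared */
    if (name_len > REGION_LEN) return -1;   /* keeps the model well-defined only */
    memcpy(rec->region, f->data + 1, name_len);  /* may run past the name field */
    return 0;
}

/* Hardened loader: the declared length is bounded by the destination field,
 * with room kept for a terminator, so no byte outside the name field changes. */
static int load_name_checked(struct save_record *rec, const struct save_file *f)
{
    if (f->len < 1) return -1;
    size_t name_len = f->data[0];
    if (name_len > f->len - 1) return -1;
    if (name_len > NAME_MAX - 1) return -2; /* reject instead of overrunning */
    memcpy(rec->region, f->data + 1, name_len);
    rec->region[name_len] = '\0';
    return 0;
}

static int unlock_flag(const struct save_record *rec)
{
    return rec->region[FLAG_OFF];
}

/* Constructed sample: declares 17 name bytes, 16 'A's plus one byte (0x01)
 * that sits exactly where the flag byte lives in the record. */
static const unsigned char CRAFTED[] = {
    17, 'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0x01
};
/* Constructed sample of a well-formed save: a 5-byte name. */
static const unsigned char VALID[] = { 5, 'M','a','r','i','o' };

/* Returns the flag byte after the unchecked loader processes CRAFTED (1: flipped). */
int run_unchecked(void)
{
    struct save_record rec;
    memset(&rec, 0, sizeof rec);
    struct save_file f = { CRAFTED, sizeof CRAFTED };
    if (load_name_unchecked(&rec, &f) != 0) return -1;
    return unlock_flag(&rec);
}

/* Returns 1 when the checked loader rejects CRAFTED and the flag stays 0. */
int checked_rejects_crafted(void)
{
    struct save_record rec;
    memset(&rec, 0, sizeof rec);
    struct save_file f = { CRAFTED, sizeof CRAFTED };
    int rc = load_name_checked(&rec, &f);
    return (rc == -2 && unlock_flag(&rec) == 0) ? 1 : 0;
}

/* Returns 1 when the checked loader still accepts the well-formed VALID file. */
int checked_loads_valid_name(void)
{
    struct save_record rec;
    memset(&rec, 0, sizeof rec);
    struct save_file f = { VALID, sizeof VALID };
    if (load_name_checked(&rec, &f) != 0) return 0;
    return strcmp((const char *)rec.region, "Mario") == 0 ? 1 : 0;
}

int main(void)
{
    printf("unchecked loader, flag after crafted save: %d\n", run_unchecked());
    printf("checked loader rejects crafted save:       %d\n", checked_rejects_crafted());
    printf("checked loader accepts valid save:         %d\n", checked_loads_valid_name());
    return 0;
}
```

    The two loaders differ by a single comparison, which is why a firmware fix for this class of bug is usually a small patch to the specific parser rather than a change to how memory works: the length byte is data the user controls, and the only thing that stops it reaching past the field is the check against the field's own size.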
     
  8. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,155
    Jun 10, 2015
    Kongo Jungle
    Thank you @FAST6191, that was interesting to read. I'll have a look at the video too. Damn, I wish I hadn't updated to 9.8 :ohnoes:
     
  9. zoogie

    zoogie simple pimp tool

    Member
    6,353
    8,056
    Nov 30, 2014
    United States
  10. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,155
    Jun 10, 2015
    Kongo Jungle
    Oh wow, I had no idea! Thanks buddy!
     
    zoogie likes this.
  11. mrbits

    mrbits GBAtemp Regular

    Member
    175
    20
    Jun 10, 2015
  12. zoogie

    zoogie simple pimp tool

    Member
    6,353
    8,056
    Nov 30, 2014
    United States
    It's an entry point so yeah it might help them. RegionFour already provides that though.
    With only about 20K Cubic Ninjas out there they might want to consider a new entry point. (maybe subbing the blue card for a one-off CN clone cart, I dunno)

    Even then, they still need a new arm9 exploit, and those are hard to find now.
     
  13. loco365

    loco365 GBAtemp Guru

    Member
    5,458
    2,674
    Sep 1, 2010
    How do they work? Very carefully. No joke.

    The code that goes into an exploit usually exposes flaws and loopholes within code, such as a stack or some kind of pointer, or even code that isn't checked properly by the game. By prying those flaws and loopholes open and playing with the system in just the right way (Like the ROP chains that were once used for loading DAT files on the 3DS), you can eventually get to the point where you have complete control over the system.
     
  14. StriderVM

    StriderVM GBAtemp Fan

    Member
    424
    87
    Jan 16, 2015
    The most non-programmer-friendly explanation of an "exploit" that I could think of is like this:

    An exploit is basically like being able to access a house you aren't supposed to. The system is the house, the security is the lock(s), and the exploit is a way to get into the house without doing it the normal way (Using a key to unlock and gain access to the house.)
     
  15. ghjfdtg

    ghjfdtg Advanced Member

    Newcomer
    59
    42
    Jul 13, 2014
    More like the owners of the house failed to secure it properly before they were away and you can open the door with a credit card.
     
  16. dubbz82

    dubbz82 GBAtemp Advanced Maniac

    Member
    1,507
    814
    Feb 2, 2014
    United States

    More like digging a hole underneath the house to access the basement...with a toothpick. At least usually.
     
    gamesquest1 likes this.
  17. gamesquest1

    gamesquest1 Nabnut

    Member
    14,137
    9,479
    Sep 23, 2013
    I think most people who have played games have done something that's spiritually the same principle as hacking, which would be glitches and exploits in games, such as using items piled up to access an area that should technically be inaccessible, finding out that jumping through a bunch of hoops in some weird order causes some obscure result that was not originally intended, finding out that there is a little hole in the map and you can shoot a portal through and skip 90% of the level... Fundamentally it's all the same thing, which is bypassing the normal restrictions to access what is normally inaccessible, poking holes in the design that provide enough leeway for you to slip through the cracks of control, essentially giving you much more freedom than the developers intended.

    Yeah, hacking a system is a much more complicated process, but it's fairly similar in how you would go about it. It's all just about assessing something, drawing up a map of where you need to get to, mapping out the pitfalls, exploring all the behavior of the security implementations and trying to spot some way to either take control of that security or sneak past it without setting off any tripwires. Sometimes you will get 90% of the way to your destination before finding out that there is some impossible wall standing between you and what you needed, and then you have to backtrack and find an alternate route, essentially becoming the number 1 coding grammar nazi, looking for, finding and exploiting any mistake or oversight you can find in how the system behaves. And finding an error is only a small part of the process; the actual hard work is figuring out a way to use that mistake to your advantage. It's all good saying "oh, if I open 5 tabs on the browser then go to YouTube the 3DS crashes"... but how can you use that to your advantage? WHY does it crash? Does it result in anything at all exploitable? How far can you take this mistake? Can it get you to somewhere else where you can surf a chain of exploits to never never land, or is it just dropping you off at useless crashed system city?
     
    Last edited by gamesquest1, Jun 16, 2015