Hacking ninjhax reverse engineering?

Deleted member 282441 (AKA ZeroTheSavior)
Since all the copies of Cubic Ninja are gone, would it be possible to reverse engineer this and make a hack for another game?

Well, there are some problems with this first:
1. The exploit is highly specific, since the 3DS FW comes into play (and it seems updating it will break it)
2. There are not many games with such a huge QR image scanner
3. I have no idea what I'm doing

But aside from that, can it be done in a timely manner or would it take a tremendous amount of time to do?
 
It'll be open source once the exploit gets patched. If you can hang on until then, someone will most likely try porting it to another game.
 
The QR code probably takes advantage of how Cubic Ninja handles unexpected data (like Twilight Princess not expecting names to be longer than they should be). Odds are that it can't be reused in other games that use QR codes (like Pushmo) unless it is a QR reading exploit.

The only way you are going to reverse-engineer it is if you reverse-engineer normal Cubic Ninja QR codes first so you can figure out how it breaks.
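The "unexpected data" point above, as an added example that is not from this thread and not Cubic Ninja's real code or format: a hypothetical QR-derived level record in C, with an importer that trusts the payload's own length byte beside one that checks it first. The record layout, field names, wire format and sample payloads are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32

/* Hypothetical record rebuilt from a scanned QR payload (assumed layout,
 * not the game's actual structure). */
typedef struct {
    char     name[NAME_CAP];  /* level name shown in a menu */
    uint32_t tile_count;
} level_record;

/* Assumed wire layout: [u8 name_len][name_len bytes of name][u8 tile_count]. */

/* Vulnerable style: name_len comes from the payload but is copied into a
 * fixed 32-byte field unchecked, so a value above 31 writes past `name`. */
int import_level_unchecked(level_record *rec, const uint8_t *qr, size_t qr_len) {
    if (qr_len < 1) return -1;
    uint8_t name_len = qr[0];
    memcpy(rec->name, qr + 1, name_len);   /* no bound on name_len */
    rec->name[name_len] = '\0';
    rec->tile_count = qr[1 + name_len];
    return 0;
}

/* Hardened: every length taken from the payload is checked against both the
 * destination capacity and the bytes actually delivered before any copy. */
int import_level_checked(level_record *rec, const uint8_t *qr, size_t qr_len) {
    if (qr_len < 1) return -1;
    uint8_t name_len = qr[0];
    if (name_len >= NAME_CAP) return -1;             /* keep room for the NUL */
    if ((size_t)name_len + 2 > qr_len) return -1;    /* name + tile_count must be present */
    memset(rec, 0, sizeof *rec);
    memcpy(rec->name, qr + 1, name_len);
    rec->name[name_len] = '\0';
    rec->tile_count = qr[1 + name_len];
    return 0;
}

/* Constructed payload builder (test data, not real QR contents).
 * Returns bytes written, or 0 if cap is too small. */
size_t make_payload(uint8_t *out, size_t cap, uint8_t name_len, uint8_t tiles) {
    if (cap < (size_t)name_len + 2) return 0;
    out[0] = name_len;
    memset(out + 1, 'A', name_len);   /* filler name */
    out[1 + name_len] = tiles;
    return (size_t)name_len + 2;
}

/* Well-formed 5-byte name: both importers accept it and agree.
 * Returns the parsed tile_count, or -1 on disagreement. */
int demo_valid(void) {
    uint8_t qr[256];
    level_record a, b;
    size_t n = make_payload(qr, sizeof qr, 5, 42);
    if (import_level_checked(&a, qr, n) != 0) return -1;
    if (import_level_unchecked(&b, qr, n) != 0) return -1;
    if (strcmp(a.name, b.name) != 0) return -1;
    return (int)a.tile_count;
}

/* Declared name length 200 with all bytes present: the checked importer
 * refuses it. The unchecked importer is deliberately not called on this
 * input, because it would overrun `name`. Returns 1 when rejected. */
int demo_oversized(void) {
    uint8_t qr[256];
    level_record r;
    size_t n = make_payload(qr, sizeof qr, 200, 1);
    return import_level_checked(&r, qr, n) == -1;
}

/* Declared length 10 but only 6 bytes delivered: the checked importer
 * refuses rather than reading past the payload. Returns 1 when rejected. */
int demo_truncated(void) {
    uint8_t qr[256];
    level_record r;
    make_payload(qr, sizeof qr, 10, 1);
    return import_level_checked(&r, qr, 6) == -1;
}

int main(void) {
    printf("valid -> tile_count %d\n", demo_valid());
    printf("oversized rejected: %d, truncated rejected: %d\n",
           demo_oversized(), demo_truncated());
    return 0;
}
```

The two checks in the hardened importer are the whole difference: the capacity check stops an over-long name from spilling into neighbouring fields, and the delivered-length check stops the parser from reading beyond the scanned bytes.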
 
Use my NCCH decryptor to decrypt the Cubic Ninja .3DS and ctrtool to extract the .code portion from the ExeFS.bin. Then load up the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Then you can piece together the payload and reverse the ROP chain. To determine how the ROP gadgets work you will have to have the binaries from which they are called. :) This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN for the firmware version you're targeting.
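The ExeFS extraction step above, as an added example that is not part of this thread, of ctrtool, or of the poster's decryptor: a small C parser for the 0x200-byte ExeFS header (ten 16-byte entries, each an 8-byte name, a little-endian offset relative to the end of the header, and a little-endian size) that bounds-checks every entry before locating .code. The two-file image is constructed in the code; the header's reserved bytes and per-file hash table are not verified here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXEFS_HEADER_SIZE 0x200
#define EXEFS_MAX_FILES   10
#define EXEFS_ENTRY_SIZE  16

typedef struct {
    char     name[9];   /* 8-byte name field from the header, NUL-terminated here */
    uint32_t offset;    /* relative to the end of the 0x200-byte header */
    uint32_t size;
} exefs_entry;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse the file table. Returns the number of in-use entries copied to out,
 * or -1 if the image is truncated or an entry points outside the image. */
int exefs_parse(const uint8_t *img, size_t img_len, exefs_entry *out, int max_out) {
    if (img_len < EXEFS_HEADER_SIZE) return -1;
    size_t data_len = img_len - EXEFS_HEADER_SIZE;
    int n = 0;
    for (int i = 0; i < EXEFS_MAX_FILES; i++) {
        const uint8_t *e = img + i * EXEFS_ENTRY_SIZE;
        uint32_t size = rd32le(e + 12);
        if (size == 0) continue;                       /* unused slot (all zeros) */
        uint32_t off = rd32le(e + 8);
        /* off + size must stay inside the image; two comparisons so a
         * hostile header cannot wrap the sum around. */
        if (off > data_len || size > data_len - off) return -1;
        if (n == max_out) return -1;
        memcpy(out[n].name, e, 8);
        out[n].name[8] = '\0';
        out[n].offset = off;
        out[n].size = size;
        n++;
    }
    return n;
}

/* Find a file by name. Returns a pointer into img (and its size) or NULL. */
const uint8_t *exefs_find(const uint8_t *img, size_t img_len,
                          const char *name, uint32_t *size_out) {
    exefs_entry ents[EXEFS_MAX_FILES];
    int n = exefs_parse(img, img_len, ents, EXEFS_MAX_FILES);
    for (int i = 0; i < n; i++) {
        if (strcmp(ents[i].name, name) == 0) {
            if (size_out) *size_out = ents[i].size;
            return img + EXEFS_HEADER_SIZE + ents[i].offset;
        }
    }
    return NULL;
}

/* Constructed sample: a two-file ExeFS (".code" then "banner"), not a real dump.
 * Fills buf and returns the image length, or 0 if cap is too small. */
size_t build_sample_exefs(uint8_t *buf, size_t cap) {
    static const uint8_t code_bytes[16] = "ARM11-CODE-STUB";   /* placeholder contents */
    static const uint8_t banner_bytes[8] = "BANNER0";
    size_t total = EXEFS_HEADER_SIZE + sizeof code_bytes + sizeof banner_bytes;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf + 0, ".code", 5);    wr32le(buf + 8, 0);   wr32le(buf + 12, 16);
    memcpy(buf + 16, "banner", 6);  wr32le(buf + 24, 16); wr32le(buf + 28, 8);
    memcpy(buf + EXEFS_HEADER_SIZE, code_bytes, 16);
    memcpy(buf + EXEFS_HEADER_SIZE + 16, banner_bytes, 8);
    return total;
}

/* Number of entries the parser accepts in the sample image. */
int sample_entry_count(void) {
    uint8_t img[EXEFS_HEADER_SIZE + 64];
    size_t len = build_sample_exefs(img, sizeof img);
    exefs_entry ents[EXEFS_MAX_FILES];
    return exefs_parse(img, len, ents, EXEFS_MAX_FILES);
}

/* Size of the sample's ".code" entry, or -1 if it is not found. */
int sample_code_size(void) {
    uint8_t img[EXEFS_HEADER_SIZE + 64];
    size_t len = build_sample_exefs(img, sizeof img);
    uint32_t sz = 0;
    return exefs_find(img, len, ".code", &sz) ? (int)sz : -1;
}

/* Corrupt the banner size so it would run past the image; parse must fail. */
int sample_rejects_oversized(void) {
    uint8_t img[EXEFS_HEADER_SIZE + 64];
    size_t len = build_sample_exefs(img, sizeof img);
    wr32le(img + 28, 0xFFFFFFF0u);   /* hostile size that would wrap a naive sum */
    exefs_entry ents[EXEFS_MAX_FILES];
    return exefs_parse(img, len, ents, EXEFS_MAX_FILES) == -1;
}

int main(void) {
    printf("entries: %d, .code size: %d, oversized rejected: %d\n",
           sample_entry_count(), sample_code_size(), sample_rejects_oversized());
    return 0;
}
```

Pointing this at a real decrypted ExeFS.bin would mean reading the file into a buffer and calling exefs_find on it; the bounds checks matter there too, since a header edited by hand is exactly the kind of input a quick script tends to trust.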
 
For informational purposes only, out of curiosity: smea's exploit is kernel patched (only usermode), but he said some time ago that his exploit could actually do anything and that he put, OF HIS OWN WILL, a protection on the kernel to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?
 
> For informational purposes only, out of curiosity: smea's exploit is kernel patched (only usermode), but he said some time ago that his exploit could actually do anything and that he put, OF HIS OWN WILL, a protection on the kernel to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?

More like he released only a usermode exploit OF HIS OWN WILL.
 
>> For informational purposes only, out of curiosity: smea's exploit is kernel patched (only usermode), but he said some time ago that his exploit could actually do anything and that he put, OF HIS OWN WILL, a protection on the kernel to avoid piracy; so does this mean that at the beginning his exploit had full access? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?
>
> More like he released only a usermode exploit OF HIS OWN WILL.

Yes, actually his first exploit was SSSpwn (which I believe gives full kernel mode access). Moreover, I think that this "QR exploit" is just one of a list of (a few) exploits "they" (he and the other 3DS devs) have come across by now on the new versions.
 
> Yes, actually his first exploit was SSSpwn (which I believe gives full kernel mode access). Moreover, I think that this "QR exploit" is just one of a list of (a few) exploits "they" (he and the other 3DS devs) have come across by now on the new versions.

It's not just a "QR exploit", just saying....
 
> It's not just a "QR exploit", just saying....

Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?
 
> Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
> I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

That's way too much for a QR code. You can't easily fit a hb loader in it.
 
> Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
> I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

Let's just say the QR part is just the initial step (you don't actually need to use QR or Cubic Ninja for this step; any proper game exploit would have done the work as an entrypoint).
I've seen (mostly) how it works but I am not giving any details; I'd rather let smea do it should he ever want to. I am pretty sure he doesn't want people to do more with this than running homebrews, so I am treading with fire here and I will just avoid speaking further about this.
 
> Yeah, probably; I haven't seen in depth yet how it works, it's just a "label" for non-technical users...
> I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?

I would imagine the QR triggers the boot.3dsx and gives you the option to install it to the game's save chip... so after the initial install (which would require the boot.3dsx on the SD), it may just be stored inside the save chip for loading without the SD present... idk, very heavy speculation, but I doubt the actual QR code would be enough to store the actual loader.
 
> It's not just a "QR exploit", just saying....

It seems people forgot how it's triggerable from multiple pieces of software (even from the mset hack, for example), and the 3DS has "execute never" so you can't just load binaries... So the QR exploit would only allow ROP chains, and another exploit is used, triggered with ROP (the flaw named "ssspwn"). So this will be fixed in the next update, no doubt about it.
 
> That's way too much for a QR code. You can't easily fit a hb loader in it.

> Let's just say the QR part is just the initial step.
> I've seen (mostly) how it works but I am not giving any details; I'd rather let smea do it should he ever want to. I am pretty sure he doesn't want people to do more with this than running homebrews, so I am treading with fire here and I will just avoid speaking further about this.

Thanks for the clarifications guys, I will surely take an in-depth look at the whole thing.
 