ninjhax reverse engineering?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Mariosegafreak, Nov 21, 2014.

  1. Mariosegafreak AKA ZeroTheSavior (OP)
    Since all the copies of cubic ninja are gone, would it be possible to reverse engineer this and make a hack for another game?

    Well, there's some problems with this first:
    1. The exploit is highly specific, since 3DS FW comes into play (and it seems updating it will break it)
    2. Not many games with such a huge QR image scanner
    3. I have no idea what I'm doing

    But aside from that, can it be done in a timely manner or would it take a tremendous amount of time to do?
     
  2. Vappy GBAtemp Advanced Maniac
    It'll be open source once the exploit gets patched. If you can hang on until then, someone will most likely try porting it to another game.
     
  3. gudenau Never a unique idea
    It'd be quicker to reinvent the wheel, I am afraid.
     
  4. Duo8 I don't like video games
    Well I assume most of the action is on the QR.
    So you can look into that?
     
  5. Mariosegafreak AKA ZeroTheSavior (OP)
    I decrypted the QR code.

    It's gibberish. I don't know how to read it, or if it's even possible.
     
  6. Duo8 I don't like video games
    Maybe it is ROP.
    Either way it's not supposed to be plaintext anyway.
     
  7. Zanoab GBAtemp Regular
    The QR code probably takes advantage of how Cubic Ninja handles unexpected data (like Twilight Princess not expecting names to be longer than they should be). Odds are that it can't be reused in other games that use QR codes (like Pushmo) unless it is a QR reading exploit.

    The only way you are going to reverse-engineer it is if you reverse-engineer normal Cubic Ninja QR codes first so you can figure out how it breaks.
     
  8. Relys Master of Computer Science
    Use my NCCH decryptor to decrypt the Cubic Ninja .3DS and ctrtool to extract the .code portion from ExeFS.bin. Then load up the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Then you can piece together the payload and reverse the ROP chain. To determine how the ROP gadgets work you will have to have the binaries from which they are called. :) This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN for the firmware version you're targeting.
     
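    As an added example (not Relys's decryptor, ctrtool, or any code from the thread), here is a small parser for the ExeFS container Relys mentions, written against the publicly documented layout: it pulls out the named sections such as `.code` and checks each one against the SHA-256 stored in the header, so a truncated, corrupted or tampered section is rejected instead of being handed to a disassembler. The image it parses is constructed inside the block, not a real game dump.

```python
import hashlib
import struct

# ExeFS layout as publicly documented for the 3DS: a 0x200-byte header holding
# ten 16-byte file entries (8-byte name, u32 offset, u32 size), 0x20 reserved
# bytes, then ten SHA-256 hashes stored in reverse entry order (the hash for
# entry 0 is the last one). Section data follows the header at 0x200 + offset.
EXEFS_HEADER_SIZE = 0x200
ENTRY_COUNT = 10
ENTRY_FMT = "<8sII"


def parse_exefs(image: bytes) -> dict:
    """Return {name: bytes} for every section whose SHA-256 matches the header.
    Raises ValueError if a section is out of bounds or its hash does not match."""
    if len(image) < EXEFS_HEADER_SIZE:
        raise ValueError("image shorter than ExeFS header")
    sections = {}
    for i in range(ENTRY_COUNT):
        name_raw, off, size = struct.unpack_from(ENTRY_FMT, image, i * 16)
        name = name_raw.rstrip(b"\0").decode("ascii")
        if not name:          # unused entry
            continue
        start = EXEFS_HEADER_SIZE + off
        data = image[start:start + size]
        if len(data) != size:
            raise ValueError(f"{name}: section runs past end of image")
        hash_off = EXEFS_HEADER_SIZE - (i + 1) * 32   # reverse order
        if hashlib.sha256(data).digest() != image[hash_off:hash_off + 32]:
            raise ValueError(f"{name}: SHA-256 mismatch, section is damaged")
        sections[name] = data
    return sections


def build_exefs(contents: dict) -> bytes:
    """Pack sections into a constructed ExeFS image for testing (no alignment)."""
    header = bytearray(EXEFS_HEADER_SIZE)
    body = bytearray()
    for i, (name, data) in enumerate(contents.items()):
        struct.pack_into(ENTRY_FMT, header, i * 16, name.encode("ascii"),
                         len(body), len(data))
        hash_off = EXEFS_HEADER_SIZE - (i + 1) * 32
        header[hash_off:hash_off + 32] = hashlib.sha256(data).digest()
        body += data
    return bytes(header) + bytes(body)


# Constructed sample: ".code" is four ARM NOPs (little-endian 0xE320F000),
# "banner" is filler. Neither comes from a real title.
SAMPLE_IMAGE = build_exefs({".code": b"\x00\xf0\x20\xe3" * 4, "banner": b"BNR" * 5})
```

Flipping one byte of the `.code` section in `SAMPLE_IMAGE` makes `parse_exefs` raise, which is the check you want before trusting an extracted code.bin.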
  9. Lord M GBAtemp Advanced Fan
    For informational purposes only, out of curiosity: smea's exploit is kernel-patched (usermode only), but he said a while ago that his exploit could actually do anything and that he put a kernel protection in OF HIS OWN WILL to avoid piracy; so does this mean his exploit was full at the beginning? Can someone hack/remove the protection made by smea and in this way get a full kernel exploit?
     
  10. Duo8 I don't like video games
    More like he released only a usermode exploit OF HIS OWN WILL.
     
  11. Areseru Member
    Yes, actually his first exploit was SSSpwn (which I believe gives full kernel mode access). Moreover, I think this "QR exploit" is just one of a (few) exploits on the list that "they" (he and the other 3DS devs) have come across by now on the new versions.
     
  12. mathieulh GBAtemp Fan
    It's not just a "QR exploit", just saying....
     
  13. Areseru Member
    Yeah, probably. I haven't seen in depth yet how it works; it's just a "label" for non-technical users...
    I saw from the GitHub repo that HBC works even without an SD inserted in the 3DS, which means that the QR must contain the executable code and maybe a ROP toolchain for the exec, am I wrong?
     
  14. Duo8 I don't like video games
    That's way too much for a QR code. You can't easily fit a hb loader in it.
     
  15. mathieulh GBAtemp Fan
    Let's just say the QR part is just the initial step (you don't actually need to use QR or Cubic Ninja for this step; any proper game exploit would have done the work as an entrypoint).
    I've seen (mostly) how it works but I am not giving any details. I'd rather let smea do it should he ever want to. I am pretty sure he doesn't want people to do more with this than running homebrew, so I am playing with fire here and I will just avoid speaking further about this.
     
  16. gamesquest1 Nabnut
    I would imagine the QR triggers the boot.3dsx and gives you the option to install it to the game's save chip... so after the initial install (which would require the boot.3dsx on the SD), it may just be stored inside the save chip for loading without the SD present... idk, very heavy speculation, but I doubt the actual QR code would be enough to store the actual loader.
     
  17. Aurora Wright GBAtemp Advanced Maniac
    It seems people forgot how it's triggerable from multiple software (even from the mset hack, for example), and the 3DS has "execute never" so you can't just load binaries... So the QR exploit would only allow ROP chains, and another exploit is used, triggered with ROP (the flaw named "ssspwn"). So this will be fixed on the next update, no doubt about it.
     
  18. Areseru Member
    Thanks for the clarifications, guys. I will surely take an in-depth look at the whole thing.