Possible CaveStory Exploit

Discussion in '3DS - Homebrew Development and Emulators' started by TheStoneBanana, May 6, 2016.

  1. TheStoneBanana
    OP

    TheStoneBanana GBAtemp Fan

    Member
    495
    867
    Aug 19, 2015
    United States
    I AM NOT SAYING IN ANY WAY THAT THERE IS A DEFINITE EXPLOIT.

    Okay, now that I got that out of the way, allow me to explain myself.

    Back in the VVVVVV exploit release thread, someone mentioned about other Nicalis games possibly containing exploits (as a joke, I assume) so I decided that for my first very technical 3DS project I'd try to pick apart one of the games and see if they could actually be exploited.

    CaveStory, I think, can be. But I don't really know, because I've come to a slight roadstop. Allow me to explain my case thus far.

    CaveStory's save slots contain a date and time that the slot was updated. This is stored in plaintext within the save file.

    There seemed to be no save protection or checksum at all upon inspecting multiple files, so for kicks and giggles, I edited the date to be something... not a date. To my surprise:

    IT WORKED! So, considering that the date and time is a string, and that the end of this string seems to be symbolized by a $00 hexadecimal character, there already seemed to be a clear overflow at hand here. Upon continually lengthening the string, the game did crash. However, here is my roadblock...
    I'm just starting off, so I've got no idea of any good way that I can debug the game and see what is happening in real time in order to pinpoint things and be able to formulate proper ROP (if at all possible in this case).
    I understand the basic concept of an exploit (getting a way to manipulate the stack, using ROP gadgets to load our code, and then running it) but, once again, I don't know of the right tools to get this off of the ground and allow me to continue what little research I've put into CaveStory.

    Any help would be greatly appreciated here. Thank you!

    inb4 "another one of these threads hur hur"
     
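    The OP's observation is that the save-slot date is a plaintext, $00-terminated string copied with no length or checksum check, and shinyquagsire23 later notes that a NUL-terminated copy is only dangerous where it runs past a fixed buffer. The following is an added example, not code from the thread or from the game: a bounded loader for such a field, with a hypothetical slot layout (field width, slot size and the date format are assumptions, since the thread gives none), showing the three outcomes a safe reader should distinguish.

    ```c
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    /* Hypothetical slot layout, assumed for this example; the thread only says the
     * date is a plaintext, $00-terminated string. Real offsets/widths are unknown. */
    #define DATE_FIELD_SIZE 20   /* bytes reserved for the date string + NUL */
    #define SLOT_SIZE       64   /* bytes in one constructed slot */

    enum { DATE_OK = 0, DATE_UNTERMINATED = 1, DATE_TOO_LONG = 2 };

    /* Bounded loader: the terminator must lie inside the reserved field and the
     * string must fit `dst`; otherwise the slot is rejected, never copied past
     * the end of a fixed buffer (the crash the OP triggered by lengthening it). */
    static int load_date_checked(char *dst, size_t dst_size, const uint8_t *slot) {
        /* memchr limits the scan to DATE_FIELD_SIZE bytes, so an overlong string
         * never drags the terminator search into whatever follows the field. */
        const uint8_t *nul = memchr(slot, 0, DATE_FIELD_SIZE);
        if (nul == NULL) { dst[0] = '\0'; return DATE_UNTERMINATED; }
        size_t len = (size_t)(nul - slot);
        if (len >= dst_size) { dst[0] = '\0'; return DATE_TOO_LONG; }
        memcpy(dst, slot, len + 1);   /* copies the terminator as well */
        return DATE_OK;
    }

    /* Constructed slots (not real CaveStory data); each check returns 1 on success. */
    static int check_normal_slot(void) {
        uint8_t slot[SLOT_SIZE] = {0};
        memcpy(slot, "2016/05/06 12:34", 17);   /* 16 chars + NUL, fits the field */
        char out[DATE_FIELD_SIZE];
        return load_date_checked(out, sizeof out, slot) == DATE_OK
            && strcmp(out, "2016/05/06 12:34") == 0;
    }
    static int check_unterminated_slot(void) {
        uint8_t slot[SLOT_SIZE];
        memset(slot, 'A', sizeof slot);          /* no NUL: string runs past the field */
        char out[DATE_FIELD_SIZE];
        return load_date_checked(out, sizeof out, slot) == DATE_UNTERMINATED;
    }
    static int check_too_long_for_buffer(void) {
        uint8_t slot[SLOT_SIZE] = {0};
        memcpy(slot, "2016/05/06", 11);          /* terminated, but 10 chars > 8-byte dst */
        char out[8];
        return load_date_checked(out, sizeof out, slot) == DATE_TOO_LONG;
    }

    int main(void) {
        printf("normal=%d unterminated=%d too_long=%d\n", check_normal_slot(),
               check_unterminated_slot(), check_too_long_for_buffer());
        return 0;
    }
    ```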
  2. UraKn0x

    UraKn0x Official senpai

    Member
    360
    268
    Mar 20, 2014
    France
    another one of these threads hur hur
     
  3. CeeDee

    CeeDee hm?~

    Member
    3,836
    5,432
    May 4, 2014
    United States
    somewhere
    Overflows don't always mean some type of exploit can be made from it... but it'd be cool if Cave Story could get one!
     
  4. Froster

    Froster Your Music Producer

    Member
    363
    243
    Sep 6, 2015
    Italy
    that MIDI sequencer
    oh my god I love these threads
     
  5. Link_of_Hyrule

    Link_of_Hyrule GBAtemp Fan

    Member
    451
    133
    Jun 28, 2008
    United States
    Hyrule
    Looks like we just put another game on Nintendo's Indie game chopping block. Although honestly now that you posted this they could just update it before you even get the exploit working and released.
     
  6. TheStoneBanana
    OP

    TheStoneBanana GBAtemp Fan

    Member
    495
    867
    Aug 19, 2015
    United States
    It's not guaranteed that there's an exploit though...
    I'm just speculating based on what I've documented so far, and I can't really go further because I don't really know of the proper tools to debug.
     
  7. UraKn0x

    UraKn0x Official senpai

    Member
    360
    268
    Mar 20, 2014
    France
    Well, you could use NTR debugger... I never used it though, so I can't tell how good it is.
     
  8. TheStoneBanana
    OP

    TheStoneBanana GBAtemp Fan

    Member
    495
    867
    Aug 19, 2015
    United States
    From the looks of it, that is New3DS only. I have an Old3DS, sadly. :(
     
  9. UraKn0x

    UraKn0x Official senpai

    Member
    360
    268
    Mar 20, 2014
    France
    Last edited by UraKn0x, May 6, 2016
  10. catlover007

    catlover007 GBAtemp Regular

    Member
    172
    197
    Oct 23, 2015
    Germany
    This thread isn't pointless, there is indeed something which could maybe be exploited (not a "my game crashed, this is the new exploit!" or "why isn't the letterbox exploit already ported to 3DS!?!" thread)
     
  11. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,966
    3,249
    Nov 18, 2012
    United States
    Las Vegas
    String-based exploits (for the most part) are only useful if it overflows into the stack or you can overflow a significant part or portion of the heap. If it's like Pokemon where it buffers the entire save in RAM then it's probably not exploitable, unless the date is copied somewhere. If the string is utf-16 based it's nicer because then you can start overwriting pointers, otherwise once there's a 00 it stops reading, which makes things difficult. I'd say probably not exploitable in that particular spot unless you can get it to crash.

    EDIT: The thing with VVVVVV though was that VVVVVV was ported by someone else to C++, everyone seems to be forgetting that.
     
  12. CeeDee

    CeeDee hm?~

    Member
    3,836
    5,432
    May 4, 2014
    United States
    somewhere
     
  13. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,966
    3,249
    Nov 18, 2012
    United States
    Las Vegas
    Missed that I guess. Either way, it also depends on what data it's running into; it has to run into something which can cause a bad write or a bad jump in execution. Crashing something is relatively easy when it's just reading data.
     
  14. undertaletrash

    undertaletrash Advanced Member

    Newcomer
    72
    13
    Jan 22, 2016
    Belgium
    nowwhere in particular
    that would be cool.
     
  15. Temarile

    Temarile (ノ◕ヮ◕)ノ*:・゚✧ A9LH ✧゚・: *ヽ(◕ヮ◕ヽ)

    Member
    1,132
    422
    Jan 7, 2016
    Netherlands
    Awesome. Good job! Unfortunately I'm not experienced with this stuff but the more exploits the merrier I'd say :)
     
  16. loco365

    loco365 GBAtemp Guru

    Member
    5,458
    2,674
    Sep 1, 2010
    The best way to check if it's exploitable is to do a disassembly on the main executable and see what's happening in code when this string is read. From there, you can do lots of memory manipulation to obtain *hax.
     
  17. Roboman

    Roboman GBAtemp Fan

    Member
    303
    70
    Jan 7, 2016
    United States
    find out what exactly is in memory when the string is loaded, see what you can overwrite.
     
  18. GalladeGuy

    GalladeGuy Freeze Kirby :3

    Member
    2,588
    2,652
    Oct 28, 2015
    United States
    Interesting...
     
  19. ChampionLeake

    ChampionLeake Advanced Member

    Newcomer
    81
    20
    Jan 19, 2016
    United States
    I tried to do the same thing but I didn't seem to get a crash yet. If you can, can you send me your save file of this bug so I can debug it?
     
  20. AllenHirai

    AllenHirai Advanced Member

    Newcomer
    86
    4
    Apr 17, 2017
    United States
    ooo nice