RAM editing glitch on any 3DS, might lead to an exploit?

Discussion in '3DS - Homebrew Development and Emulators' started by Trinitro21, Jun 27, 2016.

  1. Trinitro21
    OP

    Trinitro21 Backslash!

    Member
    133
    85
    Oct 14, 2015
    Userland
    TL;DR there's an oversight in SmileBASIC that leads to RAM viewing and editing on any 3DS, hacked or unhacked. It could lead to a primary exploit, but it probably won't. I don't know for sure though, so I'm posting it here to see what comes of it.

    In the SmileBASIC interpreter, there's a bug with the BGSCREEN command, which resizes the background layer. The area of the background layer isn't supposed to exceed 16383, but the checks the interpreter performs on the parameters are insufficient and can be bypassed with large enough numbers.

    The game will crash if the area is too large; however, there's a window where the game doesn't crash and the BG layer occupies sizes never meant to be possible. Because of this, it contains memory allocated for other purposes by the interpreter, like variable and function storage and the current program's code.

    With the BG commands, this area of memory can be edited by any 3DS, hacked or unhacked.

    All that is needed to trigger this glitch is this one line of code:
    Code:
    BGSCREEN 0,134217728,16
    Could a primary exploit be made with this bug?

    It is an area of RAM allocated for the interpreter, so it's probably not executable and so likely not exploitable. However, I know that there are pointers in the memory that can be edited, as well as many unknown segments of memory. Perhaps a variable's pointer could be edited to use executable memory, or some other attack could be developed that could lead to an exploit?

    EDIT: I'm stupid and forgot to give credit.
    This glitch was found by a group of users at smilebasicsource.com, including slackerSnail, 12Me21, and incvoid.
    I was somewhat part of it.
     
    Last edited by Trinitro21, Jul 1, 2016
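    The size-check bypass the OP describes is the classic integer-overflow pattern: a width times height product that wraps in 32-bit arithmetic slips past an upper-bound comparison, so a huge width with a small height looks tiny to the check. The C below is an added model written for this thread, not SmileBASIC's code; that the product wraps as a 32-bit signed value is an assumption about why the check fails. It reproduces the effect with the thread's own numbers and puts the check a defender would write next to it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on the BG layer area quoted in the thread (tiles). */
#define MAX_AREA 16383

/* Portable emulation of what a wrapping 32-bit signed multiply yields
 * (two's complement), so the demo is well-defined C rather than UB. */
int32_t wrap32(int64_t v) {
    int64_t low = (int64_t)((uint64_t)v & 0xFFFFFFFFu);
    return (int32_t)(low >= 0x80000000LL ? low - 0x100000000LL : low);
}

/* Hypothetical model of the weak check: compute width*height in 32 bits,
 * then compare the (possibly wrapped) product against the limit. */
bool weak_area_check(int32_t width, int32_t height) {
    if (width <= 0 || height <= 0)
        return false;
    int32_t area = wrap32((int64_t)width * (int64_t)height);
    return area <= MAX_AREA;  /* a wrapped-negative product passes */
}

/* Hardened check: bound each factor first, then test the product without
 * ever forming it, so no input can make the comparison wrap. */
bool safe_area_check(int32_t width, int32_t height) {
    if (width <= 0 || height <= 0)
        return false;
    if (width > MAX_AREA || height > MAX_AREA)
        return false;
    return width <= MAX_AREA / height;  /* same as width*height <= MAX_AREA */
}

int main(void) {
    /* Constructed inputs: the thread's BGSCREEN 0,134217728,16 plus two ordinary sizes. */
    int32_t cases[][2] = { {134217728, 16}, {64, 64}, {128, 128} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%10d x %5d  weak=%d  safe=%d\n", cases[i][0], cases[i][1],
               weak_area_check(cases[i][0], cases[i][1]),
               safe_area_check(cases[i][0], cases[i][1]));
    }
    return 0;
}
```

    With the thread's numbers, 134217728 * 16 is exactly 2^31, which the weak check sees as a negative area and accepts, while 128 x 128 (16384) is correctly rejected by both; the hardened version never computes the product at all, which is the general rule for any allocation-size check.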


  2. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    5,811
    2,165
    Jan 11, 2016
    Japan
    日本
    Finally, a thread with a theory of possible hax with a good explanation to go with it
     
  3. seijinshu

    seijinshu ...

    Member
    483
    120
    Jan 6, 2016
    United States
    ...
    Excellent. I think one of these games would be better for hacking than my theory with FE:Fates.
     
  4. PF2M

    PF2M Miiverse Hacker

    Member
    543
    767
    Sep 8, 2015
    United States
    Ohio
    Just tested the crashing version of it and it worked. Reminds me of that one line of Petit Computer code that crashed the game. My question is, how can the line of code you provided be used to edit the RAM? Are there other commands you can type in to do so?
     
  5. Trinitro21
    OP

    Trinitro21 Backslash!

    Member
    133
    85
    Oct 14, 2015
    Userland
    BGGET can be used to get the two bytes at each tile and BGPUT can be used to write a new value.
    RAM editors have already been made, but aren't on the SmileBASIC servers for secrecy. One can be downloaded here and injected into your extdata to be used.
     
  6. Thee_BaBs

    Thee_BaBs GBAtemp Regular

    Member
    128
    22
    Sep 19, 2015
    United States
    edit: ninja'd
     
  7. seijinshu

    seijinshu ...

    Member
    483
    120
    Jan 6, 2016
    United States
    ...
    Prolly via programs and scripts. Would be VERY surprising if you couldn't, since it would not allow you to debug your programs.
     
  9. Trinitro21
    OP

    Trinitro21 Backslash!

    Member
    133
    85
    Oct 14, 2015
    Userland
    The glitch makes the background layer data extend into the rest of the RAM, so simply triggering it and offsetting the background layer is enough to view the RAM. The data can also be retrieved with the BGGET command.
     
  10. seijinshu

    seijinshu ...

    Member
    483
    120
    Jan 6, 2016
    United States
    ...
    Hmm. This would actually work with more investigating. Getting the ability to edit RAM would be such an excellent approach. If I successfully get my exploit working, we might be able to do a dual release kinda similar to IronHax/TubeHax.
     
  11. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    5,811
    2,165
    Jan 11, 2016
    Japan
    日本
    .-.


     
    Tomato Hentai likes this.
  12. seijinshu

    seijinshu ...

    Member
    483
    120
    Jan 6, 2016
    United States
    ...
    Yeah, ik. I'm determined. If I don't work out, this one will do the trick.
    This one's prolly exploitable.
     
  13. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    5,811
    2,165
    Jan 11, 2016
    Japan
    日本
    Many people have already said on your thread many reasons behind it, although this looks more promising


     
    Tomato Hentai likes this.
  14. Damon_girl

    Damon_girl GBAtemp Advanced Fan

    Member
    919
    198
    Oct 27, 2015
    United States
    Can this RAM editing be used for games too? Like on SSB or Hyrule Warriors Legends to make it play better on the old 3DS?
     
  15. KaduPSE

    KaduPSE Revolution and cake

    Member
    235
    171
    Dec 26, 2015
    Brazil
    RAM editing means changing the code/values stored on RAM. The goal would be to replace them with exploitable code. It's not related to performance at all. RAM editing could be used to cheat on games, but since in this case the RAM is filled with data for this title it wouldn't be possible.
     
  16. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    Member
    1,869
    2,167
    Oct 17, 2015
    France
    Not possible because of memory mapping: you can sure read executable memory but not write into it.
    You need a ROP or a way to even be able to use gspwn.
     
    Ricken likes this.
  17. Pandaxclone2

    Pandaxclone2 Pokemon Sprite Artist Hobbyist

    Member
    1,000
    395
    Aug 17, 2015
    noun; a particular place or position.
    It's a shame that SmileBASIC isn't even released in European countries. Anyway, it'd be neat if this got anywhere; we need all the exploits we can get.
     
    Xiphiidae likes this.
  18. Salamencizer

    Salamencizer Handsome Computer Nerd

    Member
    795
    652
    Oct 3, 2015
    India
    Below
    Especially another primary one.
     
    Pandaxclone2 likes this.
  19. seijinshu

    seijinshu ...

    Member
    483
    120
    Jan 6, 2016
    United States
    ...
    If you can, get smilebasic before it is gone... You will want it.

     
  20. Clector

    Clector GBAtemp Advanced Fan

    Member
    956
    228
    Mar 15, 2016
    Bangladesh
    Not here
    Then buy it, no?
     
  21. Salamencizer
    This message by Salamencizer has been removed from public view by raulpica, Jun 30, 2016, Reason: wat -rp.
    Jun 27, 2016
  22. Pandaxclone2

    Pandaxclone2 Pokemon Sprite Artist Hobbyist

    Member
    1,000
    395
    Aug 17, 2015
    noun; a particular place or position.
    It's worth getting anyway considering the open coding nature of it.
     
    Minnow and proflayton123 like this.
  23. Clector

    Clector GBAtemp Advanced Fan

    Member
    956
    228
    Mar 15, 2016
    Bangladesh
    Not here
    Well, I was going to buy it, but because of some things I wanted to buy before, I will buy an eShop card this Thursday. But if there's going to be an exploit it will be better to know, so then I will buy it before, since we know what Nintendo usually does with 3rd party exploitable games.
     
    Last edited by Clector, Jun 27, 2016