Remote code execution exploit discovered in Pokémon Ultra Sun, allowing payload injection for speedrunning

Wack0 (also known as "Slipstream") identified "pialease nerf", a stack buffer overflow affecting "Pokémon Ultra Sun", which allows a payload to be executed; this can be used for speedrunning tasks or, potentially, for installing custom firmware. At the time of writing, the exploit is only confirmed to work with "Ultra Sun" version 2.2.0; it is unclear whether older versions work or whether Ultra Moon might be supported.

To follow the steps in the guide, you will need two 3DS consoles with the same game installed, and both must be on the same game version; otherwise, the exploit will not work. The exploit runs in the background on your second 3DS while, on the first, you start a new game using Litten or Popplio as the starter. As you progress, visit the nearest Pokémon Center, then open the Start Menu, select Quick Link, and connect. The first 3DS, once connected to the second, will crash and reset. From there, load the save file and you will be in the Champion's Room to battle with a Level 100 "Darkrai", which is where the code execution begins.

Source

raxadian

I don't think this counts for anything but the anything speedrun category since it requires hacking the game.

AdenTheThird

Jesus Christ, y'all. This just in, local Temper asks a question and inadvertently starts a war.

The author used this example code to teleport to the Champion's room from a near-fresh save file, and entered the Hall of Fame in under 40 mins because of it. Of course this would never become an actual category.

In the future, I could see race communities using this exploit to skip intro cutscenes or start with a predetermined mon and stats.
Gotcha. Thanks for the clarification. It'll be interesting to see how this affects the speedrunning communities and if any other similar exploits are discovered. What an incredible exploit!

The Real Jdbye

The author used this example code to teleport to the Champion's room from a near-fresh save file, and entered the Hall of Fame in under 40 mins because of it. Of course this would never become an actual category.

In the future, I could see race communities using this exploit to skip intro cutscenes or start with a predetermined mon and stats.
Any% ACE is its own category in many games. However, I'm not sure if the need for a second console would be allowed under typical Any% ACE category rules.

4d1xlaan

You are capable of making a logical inference without having to read the exact words you're looking for and understand from context, right? Yes, it isn't outright mentioned that Ultra Moon is/isn't supported, but there are enough references made to it either directly or indirectly that you can make a logical inference and draw a conclusion by what is being said, no?
The shared exploit targets Ultra Sun, yes, but until you can demonstrate that the same vulnerability doesn't also exist in Ultra Moon (allowing an exploit to be written targeting it instead), I would probably hold off from acting like a know-it-all.

Pismire

Do you have any links to these n64 ones?

Do you mean like the OOT stale reference etc?

Yeah, the ACE vulnerabilities on Majora's Mask, OOT, Paper Mario 64... Nintendo seems to be secretly skilled at coding their games in such a way that doing extremely arbitrary things can lead to some truly powerful stuff.

It's interesting to think about. I wonder if most of these things are found in Nintendo games purely because of the larger community there, and if there are exploits like this elsewhere that are just waiting to be found.

Fishaman P

Any% ACE is its own category in many games. However, I'm not sure if the need for a second console would be allowed under typical Any% ACE category rules.
Even if the technique were allowed in a meme category, it would definitely be with a more optimized payload. Fighting the Champion with a (randomized) Lv100 Darkrai is definitely not the fastest way to the HoF/credits.

ack

I wonder if this will spike the price of pre-owned copies of Ultra Sun?
Quick check of CeX shows it's currently at £35 (Ultra Moon is actually more expensive at £38) - let's see where they're at in a month or two.
No, the exploit is in Pia, and it works on any version of it before 4.0, so pretty much every first-party 3DS game is vulnerable. So there is literally no reason to hoard copies of Ultra Sun.

"The underlying issue is present in the Pia library for 3DS, before version 4.0.

A UDS packet as received by Pia contains a command type, where cmd=1 is higher-layer game-data, and other cmds are parsed internally.

A function named "UdsNode::ParseUpdateMigrationNodeInfoMessage" is called to handle packets with cmd=5.

This checks the player nodeID (returns if not player 1, that is, UDS network host), then calls an additional function which does a loop of 64-bit copies to a fixed-size stack buffer using unchecked index and data from the received packet contents.

This therefore leads to trivial RCE (of every UDS network client) by just sending a single UDS packet; only 0xC u64s on stack can be overwritten easily, but just 2 is enough to start a ROP chain and pivot to the rest of the UDS packet contents elsewhere on the stack.

Earliest version of Pia known to be vulnerable is v2.x. v1.x still parses this packet, but does not copy the contents to stack (index is still unchecked there leading to heap overflow but due to overwrites not being contiguous in memory it may or may not be exploitable)." -wack0
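
To make the bug class in the quoted description concrete, here is an added example in C (not Pia's code and not from anyone in this thread) of a cmd=5 handler that fills a fixed-size stack buffer of 0xC u64s from packet data, with the slot-index bounds check the vulnerable copy loop lacked. The packet layout, the function and helper names, and the sample packets are assumptions constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of the bug class quoted above, not Pia's real code: a cmd=5 handler
 * filling a fixed-size stack buffer of 0xC u64s from packet data, where each
 * entry's slot index also comes from the packet. Assumed packet layout:
 *   byte 0 = cmd, byte 1 = entry count, then count x { u8 slot, u64 LE value } */
#define NODE_INFO_ENTRIES 0xC
#define ENTRY_SIZE 9
#define HOST_NODE_ID 1

/* Hardened handler. Returns entries written, 0 if ignored (wrong cmd or sender
 * is not the UDS host), -1 if truncated or if any slot index is out of range:
 * that range check is exactly what the vulnerable copy loop lacked. */
int parse_migration_node_info(uint8_t sender_node, const uint8_t *pkt,
                              size_t len, uint64_t out[NODE_INFO_ENTRIES]) {
    if (len < 2 || pkt[0] != 5 || sender_node != HOST_NODE_ID) return 0;
    size_t count = pkt[1];
    if (len < 2 + count * ENTRY_SIZE) return -1;         /* truncated   */
    memset(out, 0, NODE_INFO_ENTRIES * sizeof out[0]);
    for (size_t i = 0; i < count; i++) {
        const uint8_t *e = pkt + 2 + i * ENTRY_SIZE;
        if (e[0] >= NODE_INFO_ENTRIES) return -1;        /* reject, never write */
        uint64_t val = 0;                                /* explicit LE decode  */
        for (int b = 7; b >= 0; b--) val = (val << 8) | e[1 + b];
        out[e[0]] = val;
    }
    return (int)count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kBenignPkt[] = { 5, 2,
    0x0, 1, 0, 0, 0, 0, 0, 0, 0,              /* slot 0x0 <- 1              */
    0xB, 2, 0, 0, 0, 0, 0, 0, 0 };            /* slot 0xB <- 2 (last valid) */
static const uint8_t kOverflowPkt[] = { 5, 2,
    0x0, 1, 0, 0, 0, 0, 0, 0, 0,
    0xC, 0xEF, 0xBE, 0xAD, 0xDE, 0, 0, 0, 0 }; /* slot 0xC: one past the end */

/* Helpers so the outcomes can be checked without exposing the stack buffer.
 * slot_value() returns the decoded value parked in a given slot of kBenignPkt. */
int demo_benign(void)   { uint64_t b[NODE_INFO_ENTRIES]; return parse_migration_node_info(1, kBenignPkt, sizeof kBenignPkt, b); }
int demo_overflow(void) { uint64_t b[NODE_INFO_ENTRIES]; return parse_migration_node_info(1, kOverflowPkt, sizeof kOverflowPkt, b); }
int demo_non_host(void) { uint64_t b[NODE_INFO_ENTRIES]; return parse_migration_node_info(2, kBenignPkt, sizeof kBenignPkt, b); }
uint64_t slot_value(unsigned idx) {
    uint64_t b[NODE_INFO_ENTRIES];
    parse_migration_node_info(1, kBenignPkt, sizeof kBenignPkt, b);
    return idx < NODE_INFO_ENTRIES ? b[idx] : 0;
}
```

The overflow packet is rejected as a whole at the first out-of-range slot rather than partially applied, which is the behaviour a parser of attacker-controlled indices should have.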

Crystal_tofu

Jesus Christ, y'all. This just in, local Temper asks a question and inadvertently starts a war.


Gotcha. Thanks for the clarification. It'll be interesting to see how this affects the speedrunning communities and if any other similar exploits are discovered. What an incredible exploit!
I have my own personal tinfoil-hat theory that anything Pokémon-related brought up on the internet will start an argument of some kind. But I'm just some furry woman on the internet, so we all know who the real crazy one is here.

4d1xlaan

Even if the technique were allowed in a meme category, it would definitely be with a more optimized payload. Fighting the Champion with a (randomized) Lv100 Darkrai is definitely not the fastest way to the HoF/credits.
Can you set stats to 999 in save data independently of IVs in Gen 7, like you could in the older games? That would for sure be the way to go; then any Pokémon will basically one-hit KO the entire Champion's team no matter which move you used.

Fishaman P

Can you set stats to 999 in save data independently of IVs in Gen 7, like you could in the older games? That would for sure be the way to go; then any Pokémon will basically one-hit KO the entire Champion's team no matter which move you used.
I would personally either find a way to call the credits directly, call the Hall of Fame function directly, or rewrite a map script to trigger the HoF "organically".

4d1xlaan

I would personally either find a way to call the credits directly, call the Hall of Fame function directly, or rewrite a map script to trigger the HoF "organically".
I guess it depends on whether you can also get arbitrary code execution by getting the game to read malformed save data; otherwise I'm not sure how realistic rewriting map scripts would be.

If the vulnerability allows editing anywhere in memory, though, then that would be doable. But I'm guessing there might be a reason why all they did is save editing.

Fishaman P

I guess it depends on whether you can also get arbitrary code execution by getting the game to read malformed save data; otherwise I'm not sure how realistic rewriting map scripts would be.

If the vulnerability allows editing anywhere in memory, though, then that would be doable. But I'm guessing there might be a reason why all they did is save editing.
The vuln gives ROP, which ideally provides a Turing-complete environment. Building that ROP chain depends on the programmer's tools and skills, though.
