[Update] FatesHaxx results, news and exploitability

Discussion in '3DS - Homebrew Development and Emulators' started by seijinshu, Jun 30, 2016.

Thread Status:
Not open for further replies.
  1. seijinshu (OP)
    Notice: there is an edit at the bottom guys.

    Sad news everyone. After further research, I can't seem to exploit FE:Fates.

    Here are my findings:

    Due to the way the inventory data is stored in the save data (complete unorganized mess), a buffer overflow is not feasible.

    After that, I went for another attack, attacking character data.

    The character data is stored in a way that there could be a way to stack overflow the data (the bane/boon data is stored after the name data with some arbitrary data in between). This also has many flaws. Example: You cannot overflow the name, as they made it like this:

    (Before Name Data)....C.o.r.r.i.n......(After Name Data)

    So unless someone figures out how to overflow those arbitrary bits of the name, there is nothing we can do about the name data overflow idea, nor a good entry point from FE:Fates.

    If one manages to exploit this, it won't be me.

    Sorry to get anyone's hopes up, but I said originally it wasn't very likely.

    EDIT: The name stuff is just UTF16, so there might be a way... (Thanks shinyquagsire23)
     
    Last edited by seijinshu, Jun 30, 2016
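    As an added illustration that is not part of the original post and is not the game's real save format: the dotted "C.o.r.r.i.n" layout above is what a hex editor's text column shows for a UTF-16LE string, because every ASCII character is followed by a 0x00 high byte that renders as ".". The Python below reproduces that view and shows how a save-file parser should read such a name: a fixed-width field read with an explicit bound, never relying on a terminator. The field width (32 bytes), the 4-byte filler before and after it, and the function names are assumptions chosen for the example.

```python
# Added example, not code from the thread or from FE:Fates. The field width,
# the filler bytes and the record layout are assumptions for illustration.

NAME_FIELD_BYTES = 32                          # assumed: 16 UTF-16 code units, fixed width
NAME_MAX_CHARS = NAME_FIELD_BYTES // 2 - 1     # leave one unit for the U+0000 terminator


def ascii_dump(data: bytes) -> str:
    """Render bytes like a hex editor's text column: printable ASCII is kept,
    everything else (including the 0x00 high bytes of UTF-16LE) becomes '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def encode_name_field(name: str) -> bytes:
    """Build a zero-padded, fixed-width UTF-16LE name field.  An overlong name is
    rejected here instead of being allowed to spill past the field boundary."""
    units = name.encode("utf-16-le")
    if len(units) > NAME_MAX_CHARS * 2:
        raise ValueError("name does not fit in the fixed-width field")
    return units.ljust(NAME_FIELD_BYTES, b"\x00")


def decode_name_field(field: bytes) -> str:
    """Read a name from a fixed-width field, stopping at the first U+0000 or at the
    end of the field, whichever comes first.  A field with no terminator therefore
    still yields at most NAME_FIELD_BYTES // 2 characters and never reads beyond it."""
    if len(field) != NAME_FIELD_BYTES:
        raise ValueError("name field has the wrong size")
    return field.decode("utf-16-le").split("\x00", 1)[0]


def build_record(name: str) -> bytes:
    """Constructed sample record: filler bytes standing in for '(Before Name Data)',
    the name field, then filler standing in for '(After Name Data)'."""
    before = b"\x01\x02\x03\x04"
    after = b"\x05\x06\x07\x08"
    return before + encode_name_field(name) + after


def parse_record_name(record: bytes, offset: int = 4) -> str:
    """Extract the name from a record by slicing exactly one field at a known
    offset; a truncated record is an error, not a read past the buffer."""
    field = record[offset:offset + NAME_FIELD_BYTES]
    return decode_name_field(field)   # raises if the slice came up short


if __name__ == "__main__":
    rec = build_record("Corrin")
    print(ascii_dump(rec))              # ....C.o.r.r.i.n.........................
    print(parse_record_name(rec))       # Corrin
```

    The text-column view only tells you how the name is stored; whether a long name could ever escape the field is decided by the code that copies it into that field, which is why a bounded copy like encode_name_field is the check that matters.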
  2. Thunder Hawk
    Well... this was a really good try. Good work. c:
     
    Last edited by Thunder Hawk, Jun 30, 2016
  3. seijinshu (OP)
    Note the edit at the bottom. I still have a chance.

  4. Dorimori
    Thanks for trying. The amount of shit you got for this was stupid.
     
  5. seijinshu (OP)
    I still have a chance. Read the edit.

  6. Dorimori
    Regardless of whether it's accomplished or not, thanks for taking your time to try this. I hope it goes through.
     
  7. seijinshu (OP)
    No problem

  8. DKB
    Good luck, that's all I could say.
     
  9. Harvest God
    Well I comprehend you on at least saying you can't seem to do it. It was so horrific reading all those posts. Also, the inventory is actually organized along with their other stuff, so don't call it a complete unorganized mess. I don't see an exploit of this possible, even though the save data is quite sensitive hehe.
     
  10. seijinshu (OP)
    I was never able to comprehend the inventory, but that is just me.

  11. Mrrraou
    This message by Mrrraou has been removed from public view by BORTZ, Jun 30, 2016, Reason: take your own advice?.
  12. shipwreck5
    I wish this works out just so those jerks could eat their words. :rofl2: But seriously, I wish there were more people willing to find exploits and, more importantly, more people who support others.
     
  13. TheVinAnator
    Nintendo deserves it for censoring our game, smh. Exploit the hell out of it!
     
  14. shipwreck5
    It's official: Bortz is awesome!
     
  15. Mrrraou
    Oh well. I guess I'll have to make details about this because mods.

    Of course you can't. Have you even used IDA, radare2, or even any disassembler to try reading the game code, if a crash was triggered? I even doubt you tried to use Luma3DS-dev to get the needed registers to check the crash in the game code.
    Wth? Details? Something? How is it not possible, how is it stored?

    What the fuck? You're talking about a stack overflow and then a buffer overflow (overflowing the name)!? What is the logic here?
    And it's ASCII data, not hexadecimal data here; nothing is showing why it can't be overflowed. The real way to see if a buffer can be overflowed is in the game code, not in the save data... That's completely stupid.
    And overflowing names is not the only way to make exploits. Most of the exploits are based on buffer overflows and stack overflows, though.

    There is no relation between the fact it's using utf16 and the fact it's being exploitable to me...

    No comment.
    Also thanks Bortz for removing my video. So if I may, I'll repost it, as I explained myself about it.
     
  16. seijinshu (OP)
    Let's not rant here. I've done analyzing with Luma-Dev and NTR. UTF16 has the extra spaces in the ASCII plaintext.

  17. Mrrraou
    It's likely that it won't mean really much on the exploit side, most of the time. And analyzing with Luma-dev and NTR, I'm sorry but what? Have you even tried getting sp and lr to know where crashes were triggered, REing that part of the code to understand it, and then trying to exploit it? I doubt it, so, seriously, from what I'm reading here, you barely did anything.
    And: I'm sorry but what? That makes no sense.

    Anyway, if you want to be as famous as the prohax guys, well, that's good! You're on the good way; you are just alone this time, and trying to say "hacker" stuff in a more "complicated" but illogical way!
    Also, "GBATemp's young and rogue hacker.", that's pretty funny. I wonder how active you are on the Wii U atm, btw.
     
  18. seijinshu (OP)
    You gotta remember.
    This is my first project like this. My other projects were simple mods. And why would my activity on the Wii U have any relevance?
    Nonetheless, don't post if all you are spitting out is negative crap; making this thread into a shit circle like the old one is not going to be accepted.

    Bad news: I'm not feeling too well right now. Trying to get my new 3ds up and running is no fun, and on top of the fact that I am feeling a little sick... Ain't pleasant.

     
    Last edited by seijinshu, Jun 30, 2016
  19. chaoskagami
    Not to jump in here, but any class of bug is worthless on the 3DS unless you can get controllable data onto the stack and overwrite lr or pc.

    Neither of which seem to be happening here.
     
  20. Docmudkipz
    Damn, I would've never guessed that the game wasn't exploitable in the first place.

     
  21. Mrrraou
    First project != having the right to spread bullshit on the forums and claiming to be a hacker.
    If you really want to learn, just do it the right way. You could have learnt the ninjhax writeup, the psmdhax writeup, the (v*)hax writeup, etc.
    You could have learnt ARM, C, how to use IDA/radare2/whatever disasm you wanna use, and tried something. And I'm sure someone would have helped you if you needed it at some point. (However, that person wouldn't have done the work for you.)
    The activity on Wii U doesn't have any relevance. I was just talking about your first post on GBAtemp.
    And if all I spat out is "negative crap", then I'm sorry for you if you can't take constructive criticism. I'm sure I'm harsh and hard on that, but I'm not saying "this is shit, fuck you, kthxbai". And if it's not me that will do it, someone else will. Instead of trying to feel "superior and smart" because some "non-techies" praised you, you should actually try to learn something out of that, instead of spraying bullshit, which is the cause for the stuff happening here.
     