Want to learn how to find exploits

Discussion in '3DS - Flashcards & Custom Firmwares' started by delicator, Apr 17, 2015.

  1. delicator (OP)

    Yes, I know, it's a bit large :)

    But I'm a dev, I'm curious, and I want to learn.

    I read the wiki and topics in here.

    I'm looking for precise info about methods to find something like a save exploit, like Zelda for 3DS, or even old ones like Zelda on Wii, or some Lego game.

    Do you have some links or resources?

    Thanks


    edit: reading now http://3dbrew.org/wiki/Savegames
    http://dsibrew.org/wiki/DSiWare_VulnList
     
  2. Shadow#1

    LOL
     
  3. CIAwesome526

    It's not that simple. Maybe you can start by finding different ways to crash your 3DS, but you'll have to modify something first. Maybe do what Gateway did and modify some saves; the spider exploit is done and patched, so no servers are made to crash your DS. It's not easy, or else everyone would do it.
     
  4. Duo8

    "Find an exploit" is too broad. You'll at least want to devise some feasible attack vector first, then try to follow it.
     
  5. Shadow#1

    He's a "dev", so I work for "Nintendo".
     
  6. CIAwesome526

    In that case, he should slip a little code into the update before release, which will launch the Gateway menu when you scan a QR code in the Mii Maker.
     
  7. delicator (OP)

    I have trouble understanding your post and your point here. Yes, I'm a dev; I learned C/C++ years ago, PHP mostly, and other stuff in my professional life.
    Why are you so aggressive?
     
  8. delicator (OP)

    Yes,
    I would like to look into the forged-save type of attack.

    In Cubic Ninja, it's via QR code, so I imagine some function decodes and parses the QR, with a vulnerability in memory management or similar.
     
  9. delicator (OP)

    I'm thinking about modifying amiibo data (I read it with my phone to see what's inside ^^), but amiibo are read-only in game, and I don't have a retail game using amiibo on 3DS. And why not see what can be done with custom themes for N3DS?
     
  10. CIAwesome526

    Amiibo data is encrypted.
     
  11. Duo8

    If you want to exploit saves, remember that only old games (pre 2.x) can have their saves decrypted and re-encrypted. And you can only inject a ROP chain.
    I suggest disassembling the game's binary to see how the save is read, since we don't have a complete emulator yet.

    As for ninjhax, the QR code is also a ROP chain.
     
  12. delicator (OP)

    I have 5 fields: type of tag, technologies available, serial number, ATQA and SAK. When I tried to read memory, the app I'm using can support this type of tag.
    But it's mostly out of curiosity; it's my child Link amiibo for Smash Bros, I can't damage it ^^

    I'll be reading about save games, it's a good start I think.
     
  13. Duo8

    Amiibo data is encrypted, signed and write protected (varies between pages).
    Someone disassembled the amiibo module: https://www.reddit.com/r/amiibros/comments/328hqz/amiibo_encryption_reverseengineering/
     
  14. delicator (OP)

    For the other readers of the thread (and me, of course ^^): http://en.wikipedia.org/wiki/Return-oriented_programming

    For the old games, what changed? The signature/encryption method?
    Can I find a list of before/after games?
     
  15. Duo8

    Very old 3DS games have a flaw that allows you to calculate the decrypted data. More info here: http://3dbrew.org/wiki/Savegames#Repeating_CTR_Fail
    Those may or may not have the data signed. I don't remember. If they do then you need a hacked 3DS to sign the save.
    As for the version, your best bet is to check the game's SDK version.
     
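Added example (not from the thread or from 3dbrew): a stand-alone Python script showing why a keystream that repeats breaks CTR-style encryption, which is how I read the "Repeating CTR Fail" link above (an assumption; the page only names it), and what a proper per-block counter changes. The 512-byte period, the SHA-256 stand-in for AES, the key and the sample save are all constructed for the demo and are not real 3DS values.

```python
import hashlib
from itertools import cycle

BLOCK = 16
PERIOD = 512  # constructed: keystream period of the flawed scheme, not a real 3DS value


def keystream_block(key: bytes, counter: int) -> bytes:
    """Stand-in for one AES-CTR keystream block: SHA-256(key || counter), truncated."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()[:BLOCK]


def ctr_xor(data: bytes, key: bytes, counter_for_block) -> bytes:
    """XOR data with the keystream; counter_for_block maps block index -> counter value."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, counter_for_block(i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt_repeating_ctr(data: bytes, key: bytes) -> bytes:
    # Flawed: the counter wraps every PERIOD bytes, so the same XORpad covers every 512-byte chunk.
    return ctr_xor(data, key, lambda b: b % (PERIOD // BLOCK))


def encrypt_proper_ctr(data: bytes, key: bytes) -> bytes:
    # Correct: every block gets a counter value that is used exactly once under this key.
    return ctr_xor(data, key, lambda b: b)


def recover_without_key(ciphertext: bytes, known_plain: bytes, offset: int) -> bytes:
    """Recover the repeating XORpad from one PERIOD-byte region of known plaintext
    (e.g. a zero-filled header) and strip it from the whole file. Against a proper
    per-block counter this only 'decrypts' that one region; the rest stays garbage."""
    assert len(known_plain) >= PERIOD and offset % PERIOD == 0
    region = ciphertext[offset:offset + PERIOD]
    pad = bytes(c ^ p for c, p in zip(region, known_plain[:PERIOD]))
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(pad)))


def demo() -> dict:
    key = b"constructed-key!"  # constructed 16-byte key
    save = bytes(PERIOD) + b"player progress and inventory " * 40  # constructed save: zero header + data
    flawed = recover_without_key(encrypt_repeating_ctr(save, key), bytes(PERIOD), 0)
    proper = recover_without_key(encrypt_proper_ctr(save, key), bytes(PERIOD), 0)
    return {"repeating_ctr_recovered": flawed == save, "proper_ctr_recovered": proper == save}


if __name__ == "__main__":
    print(demo())  # {'repeating_ctr_recovered': True, 'proper_ctr_recovered': False}
```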