3dbrew

Changes

3DS Userland Flaws (edit)

Revision as of 03:31, 10 September 2020

770 bytes added ,  03:31, 10 September 2020
no edit summary
Line 216: Line 216:  
| February 8, 2019
 
| February 8, 2019
 
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
 
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
 +
|-
 +
| Picross 3D: Round 2
 +
| Out of bounds array access allowing to point to fabricated objects and vtable
 +
| Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.
 +
| None
 +
| App: Initial version
 +
| September 10, 2020
 +
| August 24, 2020
 +
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]
 
|}
 
|}
  
Luigoalma
26

edits

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/21330"