• Terrible 3DS Ubisoft Game Cubic Ninja Sells out due to it being the source of a 3DS homebrew exploit
    87 replies, posted
[URL]http://arstechnica.com/gaming/2014/11/3ds-homebrew-exploit-causes-popularity-surge-for-obscure-2011-game/[/URL]
[QUOTE]It all started early Monday, when the hacking community at GBATemp (known for publicizing many previous Nintendo console exploits) announced that a hacker going by the handle smealum got homebrew code running on a 3DS after months of work. The initial post noted that the exploit requires a specific 3DS game to work, but the group said they'd be keeping the identity of that title secret until the exploit was officially "released" to the public on November 22. Since then, however, GBATemp says that "plans are accelerated," and smealum revealed on Twitter Monday night that the exploitable game was Cubic Ninja, a tilt-controlled action adventure that got abysmal reviews just after the 3DS' launch in early 2011. While the game is available for download through the Nintendo eShop, only the Japanese edition of the download can be used for the homebrew exploit, according to smealum. To get homebrew working on North American or European hardware, you need to track down an actual retail copy of the game card. What happened next was eminently predictable: Cubic Ninja went from a bargain basement clearance item to an in-demand find literally overnight. Over on eBay, copies of the game were generally selling in the $3 to $7 range as recently as yesterday, with one copy finishing its auction as low as $1.04 last month. In the 15 or so hours since the exploit was announced, eBay sale prices have shot up as high as $40, with even the "cheap" North American Buy It Now auctions going for a minimum of $25 or so. Right now, one eBay profiteer is asking $300 for a new sealed copy, noting in the auction title that "This is the game you need for the Homebrew Project. These games are becoming difficult to find due to game developers hoarding these games."[/QUOTE]
[video=youtube;bkehsPDPWaA]http://www.youtube.com/watch?v=bkehsPDPWaA[/video]
Ubisoft, you've done it again.
Finally the 3DS homebrew scene is launching.
Nice job Ubisoft, Nintendo's not gonna be happy when all the Chinese bootleg Mario games start coming out for 3DS.
[QUOTE=AJ10017;46524142]nice job ubisoft, nintendo's not gonna be happy when all the chinese bootleg mario games start coming out for 3DS[/QUOTE] I don't think China's capable of doing that yet since they're [I]still[/I] making crap like NES bootlegs and dedicated 16-bit plug n' play consoles.
It was released on the eShop in Japan, and now it's getting removed because of it [img]https://pbs.twimg.com/media/B2xrVVcCAAAkzxO.png[/img]
I'm willing to bet money that someone will use this to create a better exploit that a lot more people can use.
Twilight Princess all over again. I'd be interested to know what specifically about these games is allowing the exploit and why Nintendo can't prevent developers from making this mistake.
[QUOTE=Gbps;46524340]Twilight Princess all over again. I'd be interested to know what specifically about these games is allowing the exploit and why Nintendo can't prevent developers from making this mistake.[/QUOTE] These kinds of zero-day exploits are normally a result of various different factors, including completely unrelated code that wasn't properly debugged or wasn't written securely enough, on top of (probably) a third-party developer releasing code that allows this exploit (even if they had 100% understanding of the 3DS software I don't think they would've avoided this). This chain of exploits happening on bad/undebugged code normally results in a way of running unsigned code, arbitrary code, etc., which is pretty much game over for these kinds of closed systems. They were using it and now that it has been released it'll be fixed by Nintendo pretty soon, probably.
Unlike the Wii and DS, Nintendo can patch the games now. We'll have to see how this plays out.
[QUOTE=Gbps;46524340]Twilight Princess all over again. I'd be interested to know what specifically about these games is allowing the exploit and why Nintendo can't prevent developers from making this mistake.[/QUOTE] The goal is always to get custom code running on the hardware. The first step is actually writing your own code to some place in RAM. In Twilight Princess the exploiters manipulated the (I think) horse's name in the save file. They made the name longer than the amount of memory that was reserved for the name and put their own code inside the name. When loading the save, the game wrote their code to the memory [I]after[/I] the horse name. The simplest bug (like not checking string lengths) can be used; you just have to find them.
[QUOTE=Dr. Evilcop;46524506]Unlike the Wii and DS, Nintendo can patch the games now. We'll have to see how this plays out.[/QUOTE] Until custom firmware is established, nothing will probably change.
Ubisoft programming always works in the most unexpected ways.
[QUOTE=Maegord;46524580]Ubisoft programming always works in the most unexpected ways.[/QUOTE] Ubisoft didn't make it.
Funny how many consoles are exploited by games; Xbox and PS2 both had a few 007-caused exploits.
-I just remembered it actually has a hb channel installer :suicide:-
They can't stop it forever.
Shame you can't use a ROM. I'll just stick with my Gateway since it's reliable, and hopefully someone will improve upon this to not need a game, and enable more features (like cartless ROM loading, although you can technically already do this by converting your ROMs to CIA and installing them to your system proper with the recent Devmenu support added in the last Gateway update.)
[QUOTE=Sam Za Nemesis;46524880] There's already a 4.5 CFW [/QUOTE] That, there IS. I actually read that Gateway is gonna be adding 9.0.0 to 9.2.0-20 support "Soon", which is a pretty big announcement. Considering the prices Cubic Ninja is jumping up to and the SKY3DS being a thing that exists now, there might be a 3DS scene arms race coming up, probably. I'm very curious as to what the outcome of these events will be.
I was going to find a copy, but 12 hours after the announcement the nearest copy in a GameStop is out in the sticks in New York state. After hearing that from the dude behind the counter I said fuck it, I'll buy it online. Online copies are going for $50+, so I said fuck it, I'll buy a Gateway for $20 more and load Cubic Ninja on the Gateway so I can load homebrew. Gateway doesn't support the latest firmware yet, but it will. And it's imagined it won't support homebrew, similar to Sky3DS. So if you want homebrew, you have to load a backup of a legit signed game and use an exploit to get usermode homebrew running.
If we just wait I'm sure they'll have something that can be installed without the game. Also, thanks Ubi.
Oh wow, this was pretty much the second game I got for my 3DS. Only played it once, insanely shit game.
[QUOTE=Gbps;46524340]Twilight Princess all over again. [/QUOTE] I will still never figure out how they ever made this happen
[QUOTE=HyperTails;46525447]I will still never figure out how they ever made this happen[/QUOTE] Something in the code could be manipulated to execute save data as code?
Yeah, with (Smash Stack?) all you had to do was load an exploit that was disguised as a custom stage and that was able to boot the hack.
[QUOTE=Dantz Bolrew;46525640]Yeah with (Smash Stack?) all you had to do was load an exploit that was disguised as a custom stage and that was able to boot the hack.[/QUOTE] The Wii had a ton of exploits though, like fakesigning or the menu preview exploit. Being able to play games without switching the discs is incredibly convenient in comparison, but most of the homebrew seems to be pretty bad. The homebrew tools are very good though: If you set it up correctly then a softmodded Wii is more difficult to brick than the original, because you can always restore a backup.
Isn't the studio that made that game kill? How is Nintendo going to patch it without source code? [editline]19th November 2014[/editline] They could just do it in the firmware, like apply a patch at run-time that makes the exploit not work anymore. That's how Sony fixes the PS Vita PSPEmu exploits.
Why are they so against homebrews? I don't really see them impacting the sales of main stream games. They'd mostly just be like all those free rpg maker games or shitty free sidescrollers. Only rarely would a homebrew game be good enough to accumulate a large audience. Why exactly do they try so hard to stop this?
I wonder if this has compatibility with Gateway EmuNAND so I can have both a multi-launcher and a homebrew channel at the same time. I fuckin' love my Gateway because of its region-unlocking capability.
[QUOTE=Fatfatfatty;46525518]Something in the code could be manipulated to execute save data as code?[/QUOTE] Like Robber said, it was a simple matter of making the game overflow into a to-be-executed memory address. How do you do that? Simple: Find a string that's read by the game during an event, ANY event, figure out how to write a "custom", so to speak, string, and write a string of junk data just long enough to make it 'exit' the boundaries of the string and get into the next executed address, and write your arbitrary code right there. IF the game just happens to not bother checking if the string is long enough, too short or too long (which is the case way, way too often, since input boxes usually have a limited in-game character limit and developers are pretty much completely focused on getting the game to market rather than worrying about security exploits), the string will overflow and cram the arbitrary code of the exploit creator's choice into the next n memory address(es), which JUST SO happens to be the next address the game was "told" to execute. In simpler terms, the exploit consists of making the RAM the game is using change from:
METADATA-CONSOLECODE-GAMECODE-CHARACTERNAME-STUFF-GAMECODE-
To:
METADATA-CONSOLECODE-GAMECODE-CHARACTERNAMEAAAAAAAhw.load("boot.elf")-
Now the problem here is most consoles will not let you do that because of how hideously popular buffer overflow exploits are nowadays. Most consoles have protection against these, such as code signing, hypervisors, hashing, etc. Some of these methods will be rendered useless in the event of a system crash, which opens the ability to create an exploit.
The Wii, namely, required that the savefile used to run the Twilight Hack be properly encrypted in the same manner as a normal savefile, which was doable by encrypting the file in a way that SEEMED legit to the console, but really wasn't, by exploiting the fact that any Wii could have any encryption key and the fact that Wii savegames are cross-compatible. This was of course patched in later firmware versions, but the Smash Stack exploit, which branches off the fact that Smash Brawl loads stage data directly off the SD without consulting the Wii first, allows for an exploit where the stack overflow is performed by simply creating a garbage string inside the stage data. Of course, there's no surefire way of knowing WHAT security measures a console has in place, so quite a bit of tinkering is required to find those measures in the first place, let alone the amount required to waltz around them at all, and downright jailbreaking/hacking isn't the same thing as simply exploiting to do something. As for the 3DS in particular: The reason the 3DS has proven unhackable is because its ARM processor uses No-eXecute (NX) bits which cause read strings to be ignored in the event of a buffer overflow, rendering that type of attack very difficult to find. One was found in the Nintendo DS Profile settings menu, where one could write a garbage string in place of a name, causing a stack smash where the console's main firmware crashed, allowing arbitrary code to be run. This was patched in later firmware versions, which is why the Gateway cartridge requires versions 4.1 to 4.5. Smealum's exploit, I believe, uses a similar method using the poorly-coded heap of absolute fucking shite that is Cubic Ninja to punch a hole in the system's firmware, again allowing for the execution of arbitrary code. Nobody knows how the Gateway team will handle their apparently-successful attempts at cracking System 9.2.0's shell, but it can be assumed that it's more of the same. So now you know.
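The unchecked save-file string described in Robber's post and in the post above, shown as an added illustration that is not code from this thread or from any of the exploits it names: a constructed save-record layout (an assumption, not the real Twilight Princess or Cubic Ninja format), a function that only measures how far an unchecked copy would spill past the name field, and the hardened loader that rejects such a record instead of copying it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed save-record layout, an assumption for this example and not the
 * real Twilight Princess or Cubic Ninja format: one byte holding the name
 * length, followed by that many name bytes. */
#define NAME_CAPACITY 16

struct character {
    char name[NAME_CAPACITY];   /* fixed-size field reserved for the name */
    uint32_t next_field;        /* whatever the game keeps right after it */
};

/* Builds a constructed record into out (must hold n + 1 bytes): declared
 * length n followed by n copies of fill. Returns the record length. */
size_t make_record(uint8_t *out, uint8_t n, char fill)
{
    out[0] = n;
    memset(out + 1, fill, n);
    return (size_t)n + 1;
}

/* The defect the thread describes: a loader that does
 *     memcpy(c->name, rec + 1, rec[0]);
 * trusts the length stored in the file. This function only reports how many
 * bytes such a copy would write past name[] (0 = fits); it never performs it. */
size_t name_spill_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return 0;
    return rec[0] > NAME_CAPACITY ? (size_t)rec[0] - NAME_CAPACITY : 0;
}

/* Hardened loader: the declared length must fit both the record that was
 * actually read and the destination buffer. Returns 0 on success, -1 on a
 * malformed record, and always leaves name NUL-terminated. */
int load_name_checked(struct character *c, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return -1;
    size_t declared = rec[0];
    if (declared > NAME_CAPACITY - 1) return -1;  /* too long for the field */
    if (declared > rec_len - 1) return -1;        /* longer than the record */
    memcpy(c->name, rec + 1, declared);
    c->name[declared] = '\0';
    return 0;
}
```

A record declaring a 40-byte name would push 24 bytes past the 16-byte field under the unchecked copy; the checked loader refuses it, and also refuses a record whose declared length exceeds what was actually read.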
[QUOTE=Oicani Gonzales;46525966]the problem with gateway is that you still need to start with a 4.5 firmware (which is old as shit). 9.0+ support is for games only, not for starters supporting newer firmwares would be really difficult / meaningful[/QUOTE] I dunno, if Cubic Ninja plus a perfectly convenient i-presume-it's-a-savefile-exploit can result in arbitrary code execution and homebrew capabilities, I'd imagine the GW team has a pretty big ace in their hole/trick up their sleeve/scooper in their pooper. Even then, IF it's only capable of playing backups, I'd assume nothing's stopping anyone from running SSSpwn using a Cubic Ninja ROM (which is slowly turning into the cheaper approach), giving you the best of both worlds.