3DS Userland Flaws: Difference between revisions
EvilFlight (talk | contribs): No edit summary
| Line 216: | Line 216: | ||
| February 8, 2019  | | February 8, 2019  | ||
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]  | | [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]  | ||
|-  | |||
| Picross 3D: Round 2  | |||
| Out of bounds array access allowing to point to fabricated objects and vtable  | |||
| Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.  | |||
| None  | |||
| App: Initial version  | |||
| September 10, 2020  | |||
| August 24, 2020  | |||
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]  | |||
|}  | |}  | ||
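Review bot: the summary and description cells of the new row have grammar that should be tidied before this is merged. "Out of bounds array access allowing to point to fabricated objects and vtable" reads better as "Out-of-bounds array access that allows pointing to fabricated objects and a vtable"; in the description, "as well inserting ROP data" should be "as well as inserting ROP data", and "With a copy save data left in memory" should be "With a copy of the save data left in memory". It would also help readers to state in the description that the root cause is the unchecked save slot index (the header-only check is already mentioned, so a sentence naming the missing bounds check on the index at +0xb270 ties the two together).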