Hacking consoles: a learning journey (part 3)

11 Responses

  1. Freakler

    there are at least 3 different ways to exploit Patapon 2

  2. Predator0808

    Very nice writeup, keep on!

    • TheOct0

      Thanks man, I’m glad to start recognizing some familiar faces in the comments 🙂
      I’m really enjoying myself doing this, so I’m more than happy to keep it going. I’ll do my best to have some kind of result for next time, so stay tuned!

  3. anon

    >using 4 bytes when they only need 2
    I think you’re confused about the hexadecimal representation. Each digit in hexadecimal (1-F) corresponds to 4 bits, so 2 digits make 1 byte.

    The encoding is actually just UTF-16, which uses 2-byte characters, unlike UTF-8, which uses 1 byte per character. In this case, you could just change the text encoding while searching with HxD.

    • TheOct0

      Yeah, thanks for pointing that out. In French, we call a byte an “octet”, and I very well know that 8 bits make an “octet”, but the byte thing in English always puts me off. My teacher would not be proud of me; I’ll make a post-it note not to make that mistake again 🙂
      About the encoding part, I’ve never really been interested in this kind of thing while studying programming, so I prefer using simpler descriptions rather than learning that, at least for now.

  4. qwikrazor87

    This was a fun one to exploit (again). Keep it up. 🙂

  5. Bill

    I don’t understand from your console output just how you know where to strike.

    • TheOct0

      I’ll try to explain it a different way here for you 🙂
      When you create your name in the save, the game expects to see a name that is 4 characters or less (“oct0”, “test”, “abc”, but not “sarah” for example because it is too long). If we manually go into the save file and change that to make a name that is longer, the game is confused and reads the whole name even though it should be 4 characters.
      For example, if you had a question on a written text and you wrote too much, your answer would also be written in the next question.
      What is interesting for us is that we want to write in the next question! So, we write a lot of things for the game to read instead of our name, and we try and see what goes where it shouldn’t.
      If you look at what we wrote, you will see “30 31 32 … 3C 3D 3E 3F” somewhere, since I wrote this. And, if we look at the console output, we see “$ra=3F3E3D3C”. So, we know exactly what part of what we wrote in place of the name is interesting to take control of that $ra.
      Tell me if you still don’t understand 🙂

      • jra

        Thanks for explaining – I also did not catch that when reading. Okay, so we look for places where part of the pattern is written out, which is in multiple places, like $s0 and $s4 also – or is $ra the only one of significance?

        • TheOct0

          For our example, we need to take control of $ra because this specifically is the variable that stores the next instruction. If we can take control of this one specifically, then we’ll be able to tell the program what to do next.
          The next post (part 4.5) will be an explanation of this kind of technical stuff in the Patapon 2 Savefile Exploit, so I’ll do my best to answer these kinds of questions in detail there 🙂
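The offset-finding step TheOct0 describes above (writing a known byte pattern over the 4-character name, crashing the game, then reading the pattern back out of the register dump to see that $ra=3F3E3D3C came from bytes 3C 3D 3E 3F), as an added example that is not part of the original post or of the Patapon 2 exploit itself. It assumes 32-bit little-endian registers (the PSP's MIPS CPU runs little-endian, which is why the bytes show up reversed); the save layout, register names other than $ra, and the replacement $ra value are invented for the demo.

```python
"""Locate which part of an overflow pattern ends up in a register.

Added example, not code from the original post or from the Patapon 2
savefile exploit. It mirrors the comment's method: write a byte pattern
(0x30, 0x31, ... 0x3F, ...) in place of the 4-character name, crash the
game, and map the register values in the crash dump (e.g. $ra=3F3E3D3C)
back to an offset inside the pattern.
Assumptions: registers are 32-bit little-endian (PSP MIPS); the crash
dump below is constructed, with only the $ra value taken from the thread.
"""
import struct
from typing import Dict, Optional

NAME_MAX_CHARS = 4  # the game expects a name of 4 characters or less


def name_bytes(name: str) -> bytes:
    """How a short name is stored if the save uses UTF-16LE (2 bytes per
    character), as one commenter points out: 'oct0' becomes 8 bytes."""
    return name.encode("utf-16-le")


def make_pattern(length: int) -> bytes:
    """Incrementing bytes starting at 0x30 ('0'), matching the comment's
    '30 31 32 ... 3F' pattern. Every 4-byte window is unique as long as the
    pattern is at most 256 bytes, which is plenty for a name field."""
    if length > 256:
        raise ValueError("pattern longer than 256 bytes would repeat; use a cyclic pattern")
    return bytes((0x30 + i) & 0xFF for i in range(length))


def find_offset(pattern: bytes, reg_value: int) -> Optional[int]:
    """Map a register value from the crash dump back to an offset in the
    pattern. The register prints as 3F3E3D3C while the bytes were written
    3C 3D 3E 3F because the CPU is little-endian, so pack the value
    little-endian before searching."""
    needle = struct.pack("<I", reg_value)
    off = pattern.find(needle)
    if off == -1 or pattern.find(needle, off + 1) != -1:
        return None  # not from our pattern, or ambiguous
    return off


def analyze_crash(pattern: bytes, registers: Dict[str, int]) -> Dict[str, Optional[int]]:
    """Run the lookup over every register in a dump; None means that
    register's value did not come from the overwritten name."""
    return {reg: find_offset(pattern, val) for reg, val in registers.items()}


def craft_name(length: int, ra_offset: int, new_ra: int) -> bytes:
    """Once the $ra offset is known, rebuild the oversized name with a chosen
    value at that offset, so the game loads it into $ra instead of 3F3E3D3C.
    (new_ra is whatever the next post decides to jump to; a placeholder here.)"""
    buf = bytearray(make_pattern(length))
    buf[ra_offset:ra_offset + 4] = struct.pack("<I", new_ra)
    return bytes(buf)


# Constructed crash dump: $ra is the value quoted in the comment thread; the
# other two are made up ($s0 also from the pattern, $pc not from it).
CRASH_REGS = {"$ra": 0x3F3E3D3C, "$s0": 0x37363534, "$pc": 0x08804000}

if __name__ == "__main__":
    pat = make_pattern(64)
    print("name 'oct0' as UTF-16LE:", name_bytes("oct0").hex(" "))
    print("pattern starts:", pat[:16].hex(" "), "...")
    for reg, off in analyze_crash(pat, CRASH_REGS).items():
        print(f"{reg} = {CRASH_REGS[reg]:08X} -> pattern offset {off}")
    ra_off = find_offset(pat, CRASH_REGS["$ra"])
    crafted = craft_name(64, ra_off, 0x08900000)  # placeholder target address
    print("crafted bytes at $ra offset:", crafted[ra_off:ra_off + 4].hex(" "))
```

Running it reports $ra at offset 12 and $s0 at offset 4 of the pattern, and $pc as not coming from the name at all, which is the same conclusion the comment draws by eye from "30 31 32 … 3F" and "$ra=3F3E3D3C". The ambiguity check in find_offset matters once a pattern gets long: if the same 4 bytes occur twice you cannot tell which copy the register came from, and the fix is a proper cyclic (De Bruijn) pattern rather than plain incrementing bytes.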
