Hacking consoles: a learning journey (part 3)

11 Responses

  1. Freakler says:

    there are at least 3 different ways to exploit Patapon 2

  2. Predator0808 says:

    Very nice writeup, keep on!

    • TheOct0 says:

      Thanks man, I’m glad to start recognizing some familiar faces in the comments 🙂
      I’m really enjoying myself doing this, so I’m more than happy to keep it going. I’ll do my best to have some kind of result for next time, so stay tuned!

  3. anon says:

    >using 4 bytes when they only need 2
    I think you’re confused about the hexadecimal representation. Each digit in hexadecimal (1-F) corresponds to 4 bits, so 2 digits make 1 byte.

    The encoding is actually just UTF-16, which uses 2-byte characters, unlike UTF-8, which uses 1 byte per character. In this case, you could just change the text encoding while searching with hxd.

    • TheOct0 says:

      Yeah, thanks for pointing that out. In French, we call a byte an “octet”, and I very well know that 8 bits make an “octet”, but the byte thing in English always puts me off. My teacher would not be proud of me, I’ll make a post-it note not to do that mistake again 🙂
      About the encoding part, I’ve never really been interested in this kind of thing while studying programming, so I prefer using simpler descriptions rather than learning that, at least for now.

  4. qwikrazor87 says:

    This was a fun one to exploit (again). Keep it up. 🙂

  5. Bill says:

    I don’t understand from your console output just how you know where to strike.

    • TheOct0 says:

      I’ll try to explain it a different way here for you 🙂
      When you create your name in the save, the game expects to see a name that is 4 characters or less (“oct0”, “test”, “abc”, but not “sarah” for example because it is too long). If we manually go into the save file and change that to make a name that is longer, the game is confused and reads the whole name even though it should be 4 characters.
      For example, if you had a question on a written text and you wrote too much, your answer would also be written in the next question.
      What is interesting for us is that we want to write in the next question! So, we write a lot of things for the game to read instead of our name, and we try and see what goes where it shouldn’t.
      If you look at what we wrote, you will see “30 31 32 … 3C 3D 3E 3F” somewhere, since I wrote this. And, if we look at the console output, we see “$ra=3F3E3D3C”. So, we know exactly what part of what we wrote in place of the name is interesting to take control of that $ra.
      Tell me if you still don’t understand 🙂

      • jra says:

        Thanks for explaining – I also did not catch that when reading. Okay, so we look for places where part of the pattern is written out, which is in multiple places, like $s0 and $s4 also – or is $ra the only one of significance?

        • TheOct0 says:

          For our example, we need to take control of $ra because this specifically is the variable that stores the next instruction. If we can take control of this one specifically, then we’ll be able to tell the program what to do next.
          The next post (part 4.5) will be an explanation of this kind of technical stuff in the Patapon 2 Savefile Exploit, so I’ll do my best to answer this kind of question in detail there 🙂
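A small worked version of the offset hunt TheOct0 describes above (find which bytes of the over-long name landed in $ra), added here as an example; it is not code from the original post or from the Patapon 2 exploit. The 64-byte pattern, the dump line and the register names are constructed stand-ins.

```python
# Added example, not from the original post: map a crash-dump register value
# back to an offset inside the oversized name written into the save file.
import struct

# Constructed stand-in for the name we overwrite in the save: a run of
# distinct bytes 0x30, 0x31, ... so that every 4-byte window is unique and a
# register value identifies exactly one offset. The real exploit's pattern
# and length are not known here; 64 bytes is an assumption.
PATTERN = bytes(range(0x30, 0x30 + 64))


def parse_register(dump_line, reg):
    """Return reg's 32-bit value from a dump like '$ra=3F3E3D3C $s0=...'."""
    for token in dump_line.split():
        name, _, value = token.partition("=")
        if name == reg:
            return int(value, 16)
    raise ValueError(f"{reg} not found in dump line")


def register_offset(pattern, value):
    """Offset in pattern of the 4 bytes a register was loaded with.

    The PSP's MIPS core is little-endian, so $ra=3F3E3D3C means the bytes
    3C 3D 3E 3F sat in memory in that order; pack the value back to bytes
    and search for that window. Reject ambiguous hits: if the window occurs
    more than once the pattern was not unique enough to be conclusive.
    """
    needle = struct.pack("<I", value)
    hits = [i for i in range(len(pattern) - 3) if pattern[i:i + 4] == needle]
    if not hits:
        raise ValueError("register value does not come from the pattern")
    if len(hits) > 1:
        raise ValueError(f"ambiguous: window found at offsets {hits}")
    return hits[0]


def controlling_bytes(pattern, dump_line, reg="$ra"):
    """Convenience wrapper: which slice of the name controls `reg`?"""
    off = register_offset(pattern, parse_register(dump_line, reg))
    return off, pattern[off:off + 4]


if __name__ == "__main__":
    # Constructed dump line in the same shape as the post's console output.
    dump = "$ra=3F3E3D3C $s0=33323130"
    off, window = controlling_bytes(PATTERN, dump)
    print(f"$ra is loaded from name bytes {off}..{off + 3}: {window.hex(' ')}")
```

With this pattern the $ra value from the post resolves to offset 12, i.e. the 13th to 16th bytes of the name are the ones that decide where execution goes next; $s0 resolves to offset 0.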

  1. August 13, 2019

    […] (Previous post in this series: Hacking consoles: a learning journey, part 3) […]