nitpic3d, a secondary 3DS userland exploit for Picross 3D: Round 2 (Europe and USA) and カタチ新発見! 立体ピクロス2 (Japan).
Exploit explanation
Summary:
Out of bounds array access allowing to point to fabricated objects and vtable.
Description:
Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.
Installing
- Place the nitpic3d_installer itself from releases or your built output in build/ and place it in the 3ds's SD card in /3ds/.
-
After copying folder, place the desired otherapp.bin in the desired region folder inside /3ds/nitpic3d_installer/.
- otherapp.bin can be obtained here, except for European consoles running version 11.10 or above, for that go here instead. Select the desired system version exploit will be running on and download with Download otherapp.
- Run it from another another homebrew entrypoint, or another homebrewed console if planing to install to cart version.
- Instructions on provided README.md inside nitpic3d_installer, plus simple control on screen when installer is running.
Running the exploit
Just open the game, tap to enter the saves screen.
If you get the message Welcome to the Picross 3D Café! (Europe and USA) or いらっしゃいませ。 立体ピクロス カフェへようこそ。 (Japan) with no save slots used, just tap again. If doesn't run, double check if you installed exploit properly.
Credits and special thanks
- Kartik for finding that the game is crashable with random data, letting me investigate and helping me search initial pivot points. Also testing completed exploit save in EUR New3DS. (And enduring my excitement at given moments during exploitation.)
- yellows8 for the the very handy 3ds_ropkit
- Zoogie for helping with the 3ds_ropkit and finding stack pivot, as well helping me test out initial testing phase SAVEDATAs
- knight-ryu12 for testing completed exploit SAVE on JPN New3DS
- ihaveahax for testing on USA New3DS and Old3DS
- LunaDook for testing on JPN Old3DS and USA New3DS too
- Everyone I've may forgotten to mention that assisted and/or supported me
- If I forgot someone, or some detail, tell me
by luigoalma.
Que novedades incluye la versión 1.1.0
Released
Exploit was updated so it becomes possible to build for any language of the game on any region, and installer updated to have them selectable.
Once a selected language is installed, the game must always run on that language.
Just reinstall on another language to change it.