A Technical Guide to Arbitrary Code Execution
Updated 1 month ago by Priestess_Emilia


Final Fantasy Crystal Chronicles: Echoes of Time

  • Arbitrary Code Execution works on English localizations of the game
  • Addresses mentioned in this guide come from the American DS version

Definitions

Keyword functions

typedef struct Keyword_Functions
{
    [+0x00] void (* function_0) (void);
}
Keyword_Functions;

[0x02136104] struct Keyword_Functions * keyword_functions;

Text variables

typedef struct Text_Variables
{
    [+0x0c] char16_t buffer[63];
    [+0x8a] char16_t blank_0;
    [+0x8c] char16_t blank_1;
    [+0x8e] uint16_t length_total;
    [+0x90] uint16_t length_white;
    [+0x92] uint16_t length_limit;
}
Text_Variables;

[0x02136060] struct Text_Variables text_variables;

Friend code entry

typedef struct Friend_Code_Entry
{
    uint32_t unknown;
    uint64_t friend_code;
}
Friend_Code_Entry;

Friend code list

typedef struct Friend_Code_List
{
    [+0x0c] struct Friend_Code_Entry friend_code_entries[SIZE];
}
Friend_Code_List;

[0x021309dc] struct Friend_Code_List friend_code_list;

Transition amount

[0x021309bc] uint8_t transition_amount_0;
[0x021309bd] uint8_t transition_amount_1;
[0x021309be] uint8_t transition_amount_2;
[0x021309bf] uint8_t transition_amount_3;

Metadata

[0x0211c1b0] uint64_t large_seed_copy_0;
[0x0211c1b8] uint32_t small_seed_copy_0;
[0x02121c20] uint64_t large_seed_copy_1;
[0x02121c28] uint32_t small_seed_copy_1;

Transition variables

[0x0211678f] uint8_t transition_type;
[0x02116790] uint8_t transition_id;
[0x02116791] uint8_t transition_slot;

Buffer overflow

Offset

  • Write 61 typewriter apostrophes
  • Confirm the text

L-dialing

  • Write either L or l
  • Open the keyword menu
  • Touch "let's do this"
  • Turn to the next page
  • Move from "lift" to "Lian"
  • Move from "Lian" to "level"
  • Move from "level" to "let's go"
  • Turn to the next page
  • Move from "Lilty" to "list"
  • Confirm the keyword

Memory corruption

  • Write a right square bracket
  • Erase characters until the end of the text reads listLAg
  • Write the lower part of the address
  • Write the upper part of the address

General rules

Branching

  • Branching (BX/BLX) to an even address, bit 0 clear, continues in ARM state
  • Branching to an odd address, bit 0 set, continues in Thumb state from the address with bit 0 cleared

Credits warp

  • A transition to a menu uses transition_type == 2
  • A transition to the credits uses transition_id == 9

Leaving the keyword menu

  • keyword_functions is loaded into a register
  • keyword_functions->function_0 is loaded from it into a register
  • function_0 is called as a subroutine, so LR holds the return address when the payload runs

Loading

  • Given the word 0x12345678 stored at a word-aligned address A = 4 * N, an LDR from an unaligned address returns the aligned word rotated right by 8 * (address mod 4) bits, so the low byte of the result is always the byte at the address given
  • Loading from A + 0 returns 0x12345678
  • Loading from A + 1 returns 0x78123456
  • Loading from A + 2 returns 0x56781234
  • Loading from A + 3 returns 0x34567812
  • This is what the standard run relies on: keyword_functions = 0x0231022E points two bytes into the word 0x00000213 at 0x0231022C, so function_0 is read as 0x02130000 and execution starts there in ARM state
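The layout and loading rules above, worked through for the standard run as an added C example (this is not code from the guide): it models Text_Variables with the guide's offsets, computes which character of an unbounded text write lands on keyword_functions at 0x02136104, implements the ARM9's rotated unaligned load, and derives function_0 for the pointer 0x0231022E. The filler characters, the 12 opaque bytes before the buffer, the unbounded write itself (the guide reaches that state through L-dialing, which is not modelled) and the one-word heap image are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses from the guide (American DS version). */
#define TEXT_VARIABLES_ADDR    0x02136060u
#define KEYWORD_FUNCTIONS_ADDR 0x02136104u
#define HEAP_COIN_ADDR         0x0231022Cu   /* the coin word 0x00000213 lands here */

/* Text_Variables with the guide's offsets; the 12 bytes before the buffer are
   not described by the guide and are modelled as opaque padding. */
typedef struct {
    uint8_t  head[0x0c];
    uint16_t buffer[63];     /* +0x0c */
    uint16_t blank_0;        /* +0x8a */
    uint16_t blank_1;        /* +0x8c */
    uint16_t length_total;   /* +0x8e */
    uint16_t length_white;   /* +0x90 */
    uint16_t length_limit;   /* +0x92 */
} Text_Variables;

/* Little-endian word read from a byte image whose first byte is at `base`. */
static uint32_t read32(const uint8_t *img, uint32_t base, uint32_t addr)
{
    const uint8_t *p = img + (addr - base);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Character index, counted from buffer[0], whose two bytes cover `target`. */
unsigned overflow_index_of(uint32_t target)
{
    return (target - (TEXT_VARIABLES_ADDR + offsetof(Text_Variables, buffer))) / 2;
}

/* Model of an unbounded text write: characters are stored from buffer[0] on with
   no 63-character limit (assumption; the guide gets there through L-dialing).
   Returns keyword_functions as it reads afterwards. */
uint32_t simulate_overflow(const uint16_t *chars, unsigned n)
{
    uint8_t image[KEYWORD_FUNCTIONS_ADDR + 4 - TEXT_VARIABLES_ADDR] = {0};
    for (unsigned i = 0; i < n; i++) {
        unsigned off = offsetof(Text_Variables, buffer) + 2 * i;
        image[off]     = (uint8_t)chars[i];
        image[off + 1] = (uint8_t)(chars[i] >> 8);
    }
    return read32(image, TEXT_VARIABLES_ADDR, KEYWORD_FUNCTIONS_ADDR);
}

/* The standard run's string: 76 filler characters (constructed), then the two
   halves of 0x0231022E: 0x022E (umbrella) and 0x0231 (squared question mark). */
uint32_t standard_run_pointer(void)
{
    uint16_t chars[78];
    for (unsigned i = 0; i < 76; i++) chars[i] = 'a';
    chars[76] = 0x022E;
    chars[77] = 0x0231;
    return simulate_overflow(chars, 78);
}

/* ARMv5 LDR from an unaligned address: the aligned word, rotated right by
   8 * (addr & 3); the byte at `addr` ends up in bits 7:0. */
uint32_t ldr_rotated(const uint8_t *img, uint32_t base, uint32_t addr)
{
    uint32_t word = read32(img, base, addr & ~3u);
    unsigned rot = 8 * (addr & 3);
    return rot ? (word >> rot) | (word << (32 - rot)) : word;
}

/* The guide's example: 0x12345678 at A, loaded from A + misalign. */
uint32_t rotated_load_example(unsigned misalign)
{
    static const uint8_t img[4] = {0x78, 0x56, 0x34, 0x12};
    return ldr_rotated(img, 0x1000u, 0x1000u + misalign);
}

/* function_0 of the standard run: the pointer 0x0231022E sits two bytes into
   the coin word 0x00000213 at 0x0231022C (image constructed here). */
uint32_t standard_run_function_0(void)
{
    static const uint8_t heap[4] = {0x13, 0x02, 0x00, 0x00};
    return ldr_rotated(heap, HEAP_COIN_ADDR, standard_run_pointer());
}

/* BX/BLX: bit 0 of the target selects Thumb (1) or ARM (0). */
int branch_is_thumb(uint32_t target) { return (int)(target & 1); }

int main(void)
{
    uint32_t f0 = standard_run_function_0();
    printf("character %u overlays keyword_functions\n", overflow_index_of(KEYWORD_FUNCTIONS_ADDR));
    printf("keyword_functions = %08x, function_0 = %08x (%s)\n",
           (unsigned)standard_run_pointer(), (unsigned)f0, branch_is_thumb(f0) ? "Thumb" : "ARM");
    return 0;
}
```

Characters 63 to 67 of such a write land on blank_0, blank_1, length_total, length_white and length_limit before character 76 reaches the pointer, which is why the guide's procedure has to repair the length afterwards (erase until length < 63) before the menu is opened.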

Metadata

  • The variables large_seed and small_seed are randomly generated
  • The seeds are generated when the Friend Roster / Options are erased
  • The seeds are saved on the cartridge and are thus persistent
  • The large_seed can only be generated once per boot
  • The seeds are written at 0x021302D0 in multiplayer mode

Standard run

Gold

  • Acquire the Guardian Bangle
  • Acquire two coins with attribute 30
  • Go to the Town
  • Sell the Guardian Bangle

Heap

  • Hire two characters at the guild
  • Go to the Town entrance
  • Drop 23 coins
  • Drop a coin with attribute 531
  • 0x00000213 is written at 0x0231022C

Transition amount

  • Bring transition_amount_0 through transition_amount_3 to 0x15 (21) each; the word at 0x021309BC then reads as the following ARM instruction (the immediate is hexadecimal), an NE-conditional load that only clobbers r1, which the friend code payload sets again before using it
+-------------------------+----------+
| Instruction             | Encoding |
+-------------------------+----------+
| LDRNE r1, [r5, #-0x515] | 15151515 |
+-------------------------+----------+

Friend codes

  • Enter the following friend codes, in this order
  • The friend code list then holds the following ARM code starting at 0x021309E8 (entry 0); the immediates are hexadecimal
  • Each 12-digit friend code is the decimal form of a 40-bit value: the low 32 bits are the instruction word, the remaining byte (05, 6f, ... in the table) lands in the word after it, where it decodes as an EQ-conditional instruction that is skipped while Z is clear; the payload is therefore written with NE conditions throughout and relies on Z being clear when function_0 is called
+---------------------------+-------------+----------------+
| Instruction               | Value (hex) | Friend code    |
+---------------------------+-------------+----------------+
| MOVNE   r0, #0x02000000   | 05-13a00402 | 0218-0409-0370 |
+---------------------------+-------------+----------------+
| MOVNE   r1, r4, LSR #0x11 | 6f-11a018a4 | 4770-3707-4596 |
+---------------------------+-------------+----------------+
| LDRNE   r2, [PC, #0x1c]   | 32-159f201c | 2151-1111-4780 |
+---------------------------+-------------+----------------+
| STMIANE r2, {r0-r1}^      | 6f-18c20003 | 4771-5673-7027 |
+---------------------------+-------------+----------------+
| BXNE    LR                | 71-1120001e | 4856-1861-4302 |
+---------------------------+-------------+----------------+
| ADDR    0x0211678c        | 0a-0211678c | 0429-8436-8012 |
+---------------------------+-------------+----------------+
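An added C example (not from the guide) that checks the friend code payload arithmetically: it converts each 12-digit code to its 40-bit value and back, lays the six entries out as the words the CPU walks through, counts which of them execute for either state of the Z flag, checks where LDRNE r2, [PC, #0x1c] actually points, and computes what STMIANE r2, {r0-r1}^ leaves in transition_type and transition_id. Three assumptions are marked in the code: each entry's unknown word is 0; the low word of a friend code is the first word of its 12-byte entry (the layout the LDR offset implies; the guide's struct lists the unknown word first without giving offsets); and r4 holds 0x02136104, the address of keyword_functions, when the menu is left (the guide names no register).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIST_CODE_ADDR 0x021309E8u   /* first word of friend_code_entries[0] */
#define ENTRY_STRIDE   12u           /* bytes from one entry's instruction to the next */

/* The six friend codes from the table above, in entry order. */
static const char *const friend_codes[6] = {
    "0218-0409-0370", "4770-3707-4596", "2151-1111-4780",
    "4771-5673-7027", "4856-1861-4302", "0429-8436-8012",
};

/* Parse "dddd-dddd-dddd"; any 12-digit value fits in 40 bits. */
int friend_code_parse(const char *s, uint64_t *out)
{
    uint64_t v = 0; unsigned digits = 0;
    for (; *s; s++) {
        if (*s == '-') continue;
        if (*s < '0' || *s > '9') return 0;
        v = v * 10 + (uint64_t)(*s - '0'); digits++;
    }
    if (digits != 12) return 0;
    *out = v; return 1;
}

/* Inverse: the code to enter for a 40-bit value whose low word is the instruction. */
void friend_code_format(uint64_t v, char out[15])
{
    char d[12];
    for (int i = 11; i >= 0; i--) { d[i] = (char)('0' + v % 10); v /= 10; }
    snprintf(out, 15, "%.4s-%.4s-%.4s", d, d + 4, d + 8);
}

/* All six codes survive a parse/format round trip. */
int friend_codes_round_trip(void)
{
    uint64_t v; char buf[15];
    for (unsigned i = 0; i < 6; i++) {
        if (!friend_code_parse(friend_codes[i], &v)) return 0;
        friend_code_format(v, buf);
        if (strcmp(buf, friend_codes[i]) != 0) return 0;
    }
    return 1;
}

unsigned cond_of(uint32_t word) { return word >> 28; }

/* EQ, NE and AL only; any other code needs flags this model does not track. */
int cond_passes(unsigned cond, int z)
{
    return cond == 0x0 ? z : cond == 0x1 ? !z : cond == 0xE ? 1 : -1;
}

/* The 18 words the CPU walks through: per entry the code's low word (the
   instruction), its high word (0x05, 0x6f, ...: cond EQ, skipped while Z is
   clear) and the entry's unknown word. Assumptions: the unknown word is 0 and
   the low word comes first in each 12-byte entry. */
unsigned build_list_image(uint32_t words[18])
{
    for (unsigned i = 0; i < 6; i++) {
        uint64_t fc;
        if (!friend_code_parse(friend_codes[i], &fc)) return 0;
        words[3 * i]     = (uint32_t)fc;
        words[3 * i + 1] = (uint32_t)(fc >> 32);
        words[3 * i + 2] = 0;
    }
    return 18;
}

/* How many of those words would execute with the given Z flag. */
unsigned executed_words(int z)
{
    uint32_t words[18];
    unsigned n = 0;
    if (!build_list_image(words)) return 0;
    for (unsigned i = 0; i < 18; i++)
        if (cond_passes(cond_of(words[i]), z) == 1) n++;
    return n;
}

/* The word LDRNE r2, [PC, #imm] (entry 2, at 0x02130A00) fetches: in ARM state
   PC reads as the instruction's address + 8, and the encoding has the U bit set,
   so the target is 0x02130A24, entry 5's low word. */
uint32_t literal_loaded_by_entry2(void)
{
    uint32_t words[18];
    if (!build_list_image(words)) return 0;
    uint32_t target = LIST_CODE_ADDR + 2 * ENTRY_STRIDE + 8 + (words[6] & 0xfff);
    return words[(target - LIST_CODE_ADDR) / 4];
}

/* Byte idx of the 8 stored at 0x0211678c by STMIANE r2, {r0-r1}^ after
   MOVNE r0, #0x02000000 and MOVNE r1, r4, LSR #0x11 (idx 3: transition_type,
   4: transition_id, 5: transition_slot). Assumption: r4 == 0x02136104. */
uint8_t transition_byte_after_payload(uint32_t r4, unsigned idx)
{
    uint32_t w = idx < 4 ? 0x02000000u : r4 >> 17;
    return (uint8_t)(w >> (8 * (idx & 3)));
}
```

With Z clear only the five NE instructions execute and the walk ends at BXNE LR; with Z set the thirteen EQ words would run instead. The round trip is the check worth keeping when entering the codes: a typo in one digit changes the low word, and the low word is the instruction.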

Buffer overflow

  • Lower half of the address: the character with code 0x022E (umbrella)
  • Upper half of the address: the character with code 0x0231 (squared question mark)
  • Together the two char16_t values form 0x0231022E, which overwrites keyword_functions at 0x02136104

Execution

  • Write one of the bottom-left arrows
  • Erase characters until length < 63
  • Write a common letter
  • Open the keyword menu
  • Touch the top-right button

NewGame+ run

Weapon

  • Acquire a 3-slot weapon whose attribute bytes read 0x02123D25 (little-endian, lowest byte first)
+------+---------------+
| Byte | Stone / level |
+------+---------------+
| 25   | Fire Stone 1  |
| 3d   | Time Stone 1  |
| 12   | Guard Stone 6 |
| 02   | Level 3 + 0/8 |
+------+---------------+

Accessories

  • Acquire and order accessories such that their attribute bytes read as follows (little-endian, lowest byte first)
+------+-------------------+
| Byte | Stone / level     |
+------+-------------------+
| 02   | Strength Stone 2  |
| 49   | Holy Stone 1      |
| 02   | Strength Stone 2  |
| 20   | Level 1 + 1/8     |
+------+-------------------+
| 08   | Magic Stone 2     |
| 70   | Anti-Dark Stone 4 |
| 09   | Magic Stone 3     |
| 20   | Level 1 + 1/8     |
+------+-------------------+
| 48   | Dark Stone 6      |
| 70   | Anti-Dark Stone 4 |
| 70   | Anti-Dark Stone 4 |
| 47   | Level 8 + 2/8     |
+------+-------------------+
| 8f   | Wisdonium         |
| 67   | Anti-Time Stone 1 |
| 11   | Guard Stone 5     |
| 02   | Level 3 + 0/8     |
+------+-------------------+
  • The weapon's attribute word sits at 0x02123D24 and the four accessories follow it, so from 0x02123D28 on their bytes read as the following Thumb code (the weapon word's own halfwords, 0x3D25 = SUB r5, #0x25 and 0x0212 = LSL r2, r2, #8, execute first and only touch r5 and r2)
+-------------------+------+-----------------------+
| Instruction       | Hex  | Encoding fields       |
+-------------------+------+-----------------------+
| LDR  r1, [PC, #8] | 4902 | 01001 001 00000010    |
+-------------------+------+-----------------------+
| MOV  r0, #2       | 2002 | 00100 000 00000010    |
| STRB r0, [r1, #0] | 7008 | 01110 00000 001 000   |
+-------------------+------+-----------------------+
| MOV  r0, #9       | 2009 | 00100 000 00001001    |
| STRB r0, [r1, #1] | 7048 | 01110 00001 001 000   |
+-------------------+------+-----------------------+
| BX   LR           | 4770 | 010001 11 0 1 110 000 |
+-------------------+------+-----------------------+
| ADDR 0x____678f   | 678f | 0110 0111 1000 1111   |
| ADDR 0x0211____   | 0211 | 0000 0010 0001 0001   |
+-------------------+------+-----------------------+
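An added C example (not the guide's code) that assembles the NewGame+ payload from the four Thumb encodings and checks it against the item bytes in the tables above, then executes those 20 bytes in a small Thumb interpreter from the entry 0x02123D25 and reads back transition_type and transition_id. The interpreter decodes only the instruction forms present in those bytes, including the weapon word's own halfwords 0x3D25 (SUB r5, #0x25) and 0x0212 (LSL r2, r2, #8); the LR value passed in is a constructed placeholder, and memory outside the two modelled windows faults.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WEAPON_ADDR     0x02123D24u   /* weapon attribute word; the accessories follow it */
#define TRANSITION_ADDR 0x0211678cu   /* +3: transition_type, +4: transition_id */

/* Item bytes from the tables above: the weapon, then the four accessories. */
static const uint8_t item_bytes[20] = {
    0x25, 0x3d, 0x12, 0x02,
    0x02, 0x49, 0x02, 0x20,
    0x08, 0x70, 0x09, 0x20,
    0x48, 0x70, 0x70, 0x47,
    0x8f, 0x67, 0x11, 0x02,
};

/* Thumb encoders for the four forms the payload uses. */
uint16_t t_ldr_lit(unsigned rd, unsigned word_off)       { return (uint16_t)(0x4800 | rd << 8 | word_off); }
uint16_t t_mov_imm(unsigned rd, unsigned imm8)           { return (uint16_t)(0x2000 | rd << 8 | imm8); }
uint16_t t_strb(unsigned rt, unsigned rn, unsigned imm5) { return (uint16_t)(0x7000 | imm5 << 6 | rn << 3 | rt); }
uint16_t t_bx(unsigned rm)                               { return (uint16_t)(0x4700 | rm << 3); }

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Assemble the payload as the table describes it and compare with the item bytes. */
int payload_matches_items(void)
{
    uint8_t out[20];
    uint32_t self = WEAPON_ADDR | 1, lit = TRANSITION_ADDR + 3;   /* 0x02123D25, 0x0211678f */
    put16(out,      (uint16_t)self);  put16(out + 2,  (uint16_t)(self >> 16));
    put16(out + 4,  t_ldr_lit(1, 2)); /* LDR  r1, [PC, #8] */
    put16(out + 6,  t_mov_imm(0, 2)); /* MOV  r0, #2 */
    put16(out + 8,  t_strb(0, 1, 0)); /* STRB r0, [r1, #0] */
    put16(out + 10, t_mov_imm(0, 9)); /* MOV  r0, #9 */
    put16(out + 12, t_strb(0, 1, 1)); /* STRB r0, [r1, #1] */
    put16(out + 14, t_bx(14));        /* BX   LR */
    put16(out + 16, (uint16_t)lit);   put16(out + 18, (uint16_t)(lit >> 16));
    return memcmp(out, item_bytes, sizeof out) == 0;
}

/* Two memory windows: the item bytes and the transition variables. */
static uint8_t code_mem[20], tv_mem[8];

static uint8_t *mem_at(uint32_t addr)
{
    if (addr >= WEAPON_ADDR && addr < WEAPON_ADDR + 20) return code_mem + (addr - WEAPON_ADDR);
    if (addr >= TRANSITION_ADDR && addr < TRANSITION_ADDR + 8) return tv_mem + (addr - TRANSITION_ADDR);
    return NULL;
}

static uint32_t load32(uint32_t addr)
{
    const uint8_t *p = mem_at(addr);
    return p ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24 : 0;
}

typedef struct { uint32_t returned_to; uint8_t transition_type, transition_id; int ok; } Run;

/* Execute from `entry` (bit 0 must be set: Thumb) until BX. Only the forms present
   in the 20 bytes are decoded, including the weapon word's own halfwords 0x3D25
   (SUB r5, #0x25) and 0x0212 (LSL r2, r2, #8), which run first and touch only r5 and r2. */
Run run_newgame_plus_payload(uint32_t entry, uint32_t lr)
{
    Run res = {0};
    uint32_t r[16] = {0};
    memcpy(code_mem, item_bytes, sizeof code_mem);
    memset(tv_mem, 0, sizeof tv_mem);
    if (!(entry & 1)) return res;                  /* even target would mean ARM state */
    r[14] = lr;
    for (uint32_t pc = entry & ~1u; ; pc += 2) {
        const uint8_t *p = mem_at(pc);
        if (!p) return res;
        uint16_t hw = (uint16_t)(p[0] | p[1] << 8);
        if ((hw & 0xFF87) == 0x4700) {             /* BX Rm */
            res.returned_to = r[(hw >> 3) & 0xf];
            res.transition_type = tv_mem[3];
            res.transition_id = tv_mem[4];
            res.ok = 1;
            return res;
        } else if ((hw & 0xF800) == 0x4800) {      /* LDR Rd, [PC, #imm8 * 4], PC word-aligned */
            r[(hw >> 8) & 7] = load32(((pc + 4) & ~3u) + (hw & 0xff) * 4);
        } else if ((hw & 0xF800) == 0x2000) {      /* MOV Rd, #imm8 */
            r[(hw >> 8) & 7] = hw & 0xff;
        } else if ((hw & 0xF800) == 0x3800) {      /* SUB Rd, #imm8 */
            r[(hw >> 8) & 7] -= hw & 0xff;
        } else if ((hw & 0xF800) == 0x7000) {      /* STRB Rt, [Rn, #imm5] */
            uint8_t *d = mem_at(r[(hw >> 3) & 7] + ((hw >> 6) & 0x1f));
            if (!d) return res;
            *d = (uint8_t)r[hw & 7];
        } else if ((hw & 0xF800) == 0x0000) {      /* LSL Rd, Rs, #imm5 */
            r[hw & 7] = r[(hw >> 3) & 7] << ((hw >> 6) & 0x1f);
        } else {
            return res;                            /* not modelled */
        }
    }
}

int main(void)
{
    Run r = run_newgame_plus_payload(WEAPON_ADDR | 1, 0x02000001u);
    printf("bytes match: %d, ok: %d, type %u, id %u, back to %08x\n", payload_matches_items(),
           r.ok, r.transition_type, r.transition_id, (unsigned)r.returned_to);
    return 0;
}
```

The LDR literal address is what pins the table to 0x02123D28: a Thumb PC-relative load uses (instruction address + 4) rounded down to a word, plus 8 here, which reaches the fourth accessory's bytes only if the first accessory starts at 0x02123D28 rather than at the weapon.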

Heap

  • Before completing the Forest, in the Village
  • Drop 22 coins
  • Drop the equipment with attribute 0x02123D25
  • 0x02123D25 is written at 0x02310088

Buffer overflow

  • Lower half of the address: the character with code 0x0088 (caret / circumflex)
  • Upper half of the address: the character with code 0x0231 (squared question mark)
  • Together the two char16_t values form 0x02310088, which overwrites keyword_functions at 0x02136104

Execution

  • Write one of the bottom-left arrows
  • Erase characters until length < 63
  • Write a common letter
  • Open the keyword menu
  • Touch the top-right button