Getting the Ball Rolling

Getting the Ball Rolling

by ferris

This week a couple really rad things happened!

First of all, the exploit toolkit we've been working on for the Switch dropped, called PegaSwitch! This has very much been a community effort, and, now that that part's out, I can write about some of my involvement more specifically :) .

Basically, the most significant thing I contributed here was the first of a series of JOP gadgets that allow us to leak the stack pointer, which gives us ROP. Particularly, the gadget that I found allows us to load the register x8 with a known value by exploiting a small piece of code that includes the ADRP instruction. Since the x8 register is used all over the place for branching (typically it's loaded with an address or an offset and then branched to, usually directly, but sometimes through another reg), this opened the door for finding tons more useful gadgets to get the value we wanted (the stack pointer) into the correct return register (x24) before branching back through the correct link address (x27) to return to JavaScript.

The funny thing was, I had never even read a single line of ARM assembler before trying this. However, after asking some basic questions (which arguments are typically the src/dst, etc) it came pretty naturally, as I've grown quite used to staring at big blocks of RISC while working on Rustual Boy.

We had some memdumps that were converted to ELF, which allowed us to dig into them with standard tools. However, as I didn't own IDA pro (which is required over the free version in order to look at 64-bit binaries), I wasn't on Mac (so I couldn't use Hopper), I couldn't get radare2's ROP search functions to work for some reason, and I had some rad music on, I ended up just digging through some functions by hand. Since I knew we wanted sp leaked into x24 and then to return through x27, I could at least try to find one or more gadgets that could be chained together to satisfy those constraints.

Pretty early on, it was quite clear that x24 and x27 were hardly ever used in the particular dump I was looking at. But, I noticed x8 was branched through all the time - often just by loading a value and branching to that directly based on the value in x8. I also found tons of small gadgets that, given a known value of x8, would be super easy to chain together and get us sp in a number of fun ways! So, I started digging again for something to control x8.

The particular gadget I ended up finding was very easy to find, and it was very early on in the binary, so it didn't take me long at all! After that we could assume control of x8, and I just sat there finding gadget after gadget that would be really useful.

Little did I know, however, that another one of us had already found loads of gadgets to get the values we needed into the right registers, but they all hinged on having control of certain registers which we didn't have. But, while I was still digging for fun gadgets given known values for x8, suddenly he came online, and seeing that we could now control that register, shared the perfect gadget to take advantage of it!

So, in the end, without me even running the exploit locally or anything, I was able to find a critical gadget that we still use today in PegaSwitch in order to leak the stack pointer. It was a bit of luck, yes, but I'd pin it down more to a "why not just dig in and try" it attitude (as there's a lot of code here, so something's gotta be useful)! It only took me a couple hours of looking, and I actually wonder how long it would've taken to find such a gadget if I hadn't been looking by hand and just observing what I was seeing, rather than searching for something specific :) .

Anyways, that was really cool, and as this is really my first ever "hacking in the dark" experience, it's been extremely fun and I'm very proud to be on such a great team and to help out where I can! Apart from that, the week[end] was spent kicking off some stuff for Revision, which should be pretty rad. But you'll hear more of that in the coming weeks :)

Until next time!

Last Edited on Tue Mar 14 2017 11:56:55 GMT-0400 (EDT)