2
edits
Changes
Credited Kinnay for documenting everything NEX / PIA / LDN / ENL related
Line 1,080:
Line 1,080:
+
+
+
|}
|}
−=== Enl ===
+=== ENL ===
−This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
+This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
−.
+A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.
+Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.
+{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 1,095:
Line 1,099:
|-
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
−| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
+| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
−The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
+The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID
+*NOTE: The function may be inlined
−Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
+Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
Line 1,107:
Line 1,113:
| Early April 2022
| Early April 2022
| November 16, 2022
| November 16, 2022
−| [[User:Rambo6Glaz|Rambo6Glaz]]
+| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
|}
|}
There's another one more interesting but it will have to wait a bit :)
There's another one more interesting but it will have to wait a bit :)