RPwnG strikes back yet again!
RPwnG3 is a secondary 3DS userland exploit for the game "RPG Maker Player/RPG Maker Fes" on the Nintendo 3DS. This exploit allows users to access the Homebrew Launcher from their SD Card.
Flaw description comes from 3dbrew, written by MrNbaYoh: (https://www.3dbrew.org/wiki/3DS_Userland_Flaws)
Buffer overflow via unchecked file size
"When loading a project, the game loads the file to a 0x200000 bytes long buffer. However the size remains unchecked, so with a big enough file one can overflow the buffer and overwrite a thread stack and then achieve ROP."
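As an added illustration (not code from RPwnG3, the game, or 3dbrew), here is a C model of the loader flaw just described next to a loader that checks the file size before copying. The struct layout, the guard words standing in for the thread stack, and the function names are constructed for the demo, not taken from the game.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PROJECT_BUF_SIZE 0x200000u   /* project buffer size stated on 3dbrew */
#define GUARD_WORDS 4
#define GUARD_VALUE 0xDEADC0DEu      /* stands in for the adjacent thread stack */

/* Constructed layout (not the game's real memory map): the project buffer with
 * a "thread stack" right behind it, so an overlong copy lands on the guard words. */
typedef struct {
    uint8_t  project[PROJECT_BUF_SIZE];
    uint32_t stack_guard[GUARD_WORDS];
} load_region_t;

/* Flawed loader, modelled on the 3dbrew description: the file length is
 * trusted, so a file bigger than the buffer runs into whatever follows it. */
int load_project_unchecked(load_region_t *r, const uint8_t *file, size_t len) {
    memcpy((uint8_t *)r, file, len);      /* no bound against PROJECT_BUF_SIZE */
    return 0;
}

/* Fixed loader: refuse anything that does not fit before copying a byte. */
int load_project_checked(load_region_t *r, const uint8_t *file, size_t len) {
    if (len > PROJECT_BUF_SIZE)
        return -1;                        /* file too large, reject it */
    memcpy(r->project, file, len);
    return 0;
}

int guard_intact(const load_region_t *r) {
    for (int i = 0; i < GUARD_WORDS; i++)
        if (r->stack_guard[i] != GUARD_VALUE) return 0;
    return 1;
}

/* Feeds an oversized constructed project file to the given loader. Returns 1 if
 * the simulated thread stack survived, 0 if overwritten, -1 on allocation failure. */
int stack_survives(int (*loader)(load_region_t *, const uint8_t *, size_t)) {
    size_t len = PROJECT_BUF_SIZE + sizeof(uint32_t) * GUARD_WORDS;
    uint8_t *file = malloc(len);
    load_region_t *r = calloc(1, sizeof *r);
    if (!file || !r) { free(file); free(r); return -1; }
    memset(file, 0x41, len);              /* constructed oversized file */
    for (int i = 0; i < GUARD_WORDS; i++) r->stack_guard[i] = GUARD_VALUE;
    loader(r, file, len);
    int ok = guard_intact(r);
    free(file); free(r);
    return ok;
}
```

The unchecked loader clobbers the guard words behind the buffer, which is exactly what lets the real game's thread stack be overwritten; the checked loader rejects the file and never touches them.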
- Any Nintendo 3DS System on any System Firmware.
- A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower | EUR 1.1.4 or lower).
- Access to the 3DS Homebrew Launcher through another Homebrew Exploit.
- Download the homebrew starter kit from smealum's homebrew launcher website and put it onto the root of your SD Card.
- Download the "RPwnG3_v1.zip" archive and extract the appropriate contents onto your SD card. Be sure to read the "Instructions.txt" file first.
- Make sure to download the otherapp.bin payload from smealum's homebrew launcher website and place it inside this directory: /3ds/extdata_dump/
- EUR users on 11.9 or above, use (https://deadphoenix8091.github.io/3ds/#otherapp)
- Download the free in-game DLC from "RPGMaker Fes Player/RPGMaker Fes" ("Download content" > select the Free DLC); this makes the exploit more stable.
- Use an existing Homebrew Exploit to launch into the "extdata_dump" application.
- Select "Restore extdata specified in config" and exit out of the application.
- Select the "RPwnG3 - USA/JPN/EUR" project file and load it. :)
- Q: When I try to load the RPwnG3 project file, I get an error saying "Initial position map does not exist".
- A: You're on an updated version of "RPGMaker Fes Player/RPGMaker Fes", so the exploit will not work. Use MrNbaYoh's RPwnG2.
- Q: RPwnG3 keeps crashing on me and gets stuck on a yellow screen.
- A: Make sure you have the right RPwnG3 project file according to your region; make sure you have an updated otherapp.bin file to install using "extdata_dump".
- Q: I get a red screen after triggering RPwnG3.
- A: Make sure the boot.3dsx file is on the root of your SD Card.
- Q: Why did you exploit this game even though we have better alternative methods to access homebrew?
- A: I always wanted to exploit a 3DS userland game; it was a thing on my mind when other devs came out with their own entrypoints.
- Q: Can I immediately download this game off the eShop and install RPwnG3?
- A: No, since the eShop supplies the updated version of RPGMaker Fes Player. If you choose to get this game anyway for the sake of it, check out MrNbaYoh's RPwnG2.
- Q: What can you do with this exploit?
- A: Launch the homebrew launcher and play homebrew commercial games from the SD card.
- Q: Can I install this exploit via seedminer?
- A: No, the exploitable files are located where extra save data is stored and seedminer relies on injecting modified saves from title savedata.
- Q: How do I uninstall this exploit?
- A: Hover over the RPwnG3 file and press X to delete it.
- MrNbaYoh: Discovering the flaw, assisting me with A LOT of things and putting up with my stupidity for 3 years straight x).
- yellows8: 3ds_ropkit making things easier.
- smealum: hax payload (otherapp.bin) and the Homebrew Launcher.
- zoogie: Providing helpful Luma3DS tricks (finding heap/code addresses), 3ds_ropkit codebase.
- plutoo: Giving helpful advice about FS functions.
- Kartik: Helped debug issues for 3ds_ropkit.
- luigoalma: Helping with EUR testing, CMP gadget finder for EUR, Makefile assistance.
- stuckpixel: Explaining stack frames and many other things to help me debug.
- Stary2001: Introducing 3ds_ropkit to me.
- Nedwill: Giving helpful advice about gadget debugging.
- MrCheeze: extdata_dump homebrew application.
- everyone who has supported/assisted me :)