Home
Monster Hunter Generations uses the MT Framework game engine. The flaws that enable this exploit are found in the rTexture and rQuestData formats and parsers, which are part of MT Framework. It may be possible to exploit other Capcom games that use this same game engine.
The rTexture file format contains a table of offsets pointing to each of the textures in the file. The number of offsets in the table is the number of textures multiplied by the number of mipmap levels. The texture count is represented with 8 bits in the rTexture header and the number of mipmap levels is represented with 6 bits, which allows for a maximum of 16065 entries in the offset table. The function that parses the rTexture format reads this offset table into a buffer on the stack. It does no bounds checking on the texture count or the number of mipmap levels, yet it only allocates enough space for 256 table entries. This makes it very easy to gain ROP with a specially crafted rTexture file, provided you can trick the game into loading a custom texture file.
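As an added illustration (not code from this page, MT Framework or the game), here is the count calculation the paragraph describes together with the bounds check the parser lacks. Only the field widths (8-bit texture count, 6-bit mipmap count) and the 256-entry stack table come from the page; the packed little-endian header layout and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* From the page: the parser's on-stack offset table holds 256 entries,
 * the texture count is an 8-bit field and the mipmap count a 6-bit field. */
#define RTEX_TABLE_CAPACITY 256u

/* Assumed header layout for this example only (the real rTexture layout is
 * not given): one little-endian 32-bit word, bits 0-7 texture count,
 * bits 8-13 mipmap count, followed directly by the 32-bit offsets. */
typedef struct { uint32_t tex_count, mip_count, entries; } rtex_counts;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int rtex_parse_counts(const uint8_t *buf, size_t len, rtex_counts *c)
{
    if (len < 4) return -1;
    uint32_t w = rd32(buf);
    c->tex_count = w & 0xFFu;
    c->mip_count = (w >> 8) & 0x3Fu;
    c->entries   = c->tex_count * c->mip_count;   /* up to 255 * 63 = 16065 */
    return 0;
}

/* The check the page says is missing: would copying `entries` offsets
 * into the 256-slot stack table run past its end? */
static bool rtex_table_would_overflow(const rtex_counts *c)
{
    return c->entries > RTEX_TABLE_CAPACITY;
}

/* Hardened loader: validate counts and file length before filling `table`,
 * which must have RTEX_TABLE_CAPACITY slots. Returns 0 on success. */
static int rtex_load_offsets(const uint8_t *buf, size_t len,
                             uint32_t *table, size_t *n_out)
{
    rtex_counts c;
    if (rtex_parse_counts(buf, len, &c) != 0) return -1;
    if (rtex_table_would_overflow(&c)) return -2;    /* oversized table */
    if (len < 4 + (size_t)c.entries * 4) return -3;  /* truncated file */
    for (uint32_t i = 0; i < c.entries; i++) table[i] = rd32(buf + 4 + i * 4);
    *n_out = c.entries;
    return 0;
}
```

A header carrying the maximum 255 textures and 63 mipmap levels is rejected before any offset is copied, while a header whose product fits within 256 entries is loaded normally.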
The DLC quests are essentially ZIP files that contain a number of different files. The only file that is initially parsed is an rQuestData format file. The rQuestData lists which files in the ZIP hold the data about the boss monster, rewards, etc. It also has a format specifier for each of the files listed, which is not verified. For instance, if the file listed for the boss monster data (which should be rSetEmMain format) is specified as rTexture format, it will be loaded with the rTexture parser. This means we can get the game to load a custom texture file by placing a specially crafted quest in the save file.