Top Post

This is a blog that I have made for discussing and posting content related to my MUGEN characters or other programming-related things, whether MUGEN or not. My characters are private/trade-only to prevent edits and the like. More often than not, asking will get you them, though.
Feel free to post a comment if you have any concerns. I mostly post in English, but can speak Japanese to an extent. I'll use a translator for any other language, so feel free to use your native one if you don't feel comfortable speaking in one of those two.

Characters created/collaborated on:

Theorem
theorem

Gefühl
Y-Gefühl (憂愁ゲフール)

ASYuuka
ASYuuka (ασιν)

Before I Forget Again

Version 1 of ASYuuka has been complete since the 20th, I just forgot to post a video link

Here's a showcase of her done by Buraido.

I don't know how to make youtube videos embed in this blog, sorry

An Explanation on Exploitation

More specifically, DisplayToClipboard exploitation.
There are various methods MUGEN characters use exploiting it in order to accomplish many tasks. Let's walk through them.

%n:
This is an exploit in C++'s printf function that is very easy to pick up, which is why so many characters exist that use this exploit. It's basically essential for most forms of arbitrary code execution as well unless you know what you're doing or are using a certain other method.
text = "%n"
params = a
This will set the value of the specified address "a" to 0. I'll assume you know what the rest of a DisplayToClipboard structure looks like.
Of course, you can specify more than one...
text = "%n%n"
params = a1, a2
This will set both the addresses "a1" and "a2" to 0.
If you want to set the address to an arbitrary value, you can use %#u or %#d.
text = "%123u%n"
params = c, a
Will set the address "a" to 123. The "c" in the parameters does not matter in this case, but keep in mind that if the number of c's digits exceed the number you put, it will default to c's digits instead. Typically c is 0 for that reason.
%n, for those uninformed, will set the address to the value of the number of characters before it. %n itself doesn't count as a character. %123u/%123d will display a total of 123 characters, including the number specified, for instance. The only difference between %u and %d is that %u is unsigned.
Now, for more dynamic values that can change, a different form of %d is used.
text = "%.*d%n%d"
params = var(x), 0, a
This allows you to use a variable instead of a constant. It will set the address "a" to whatever var(x) just so happens to be [the * will become var(x)]. 0 is the second operator because the "." in states that 0 will output nothing if var(x) is 0. Using a variable itself is typically bad practice due to the clipboard's buffer being only 1024 bytes long. Typically, var(x)&255 and its derivatives are used for that reason. Something else to note is that MUGEN's processing is weird with this, there should be 4 parameters but only 3 will be accepted by its code checking. This means that the last %d doesn't actually do anything.
Misc notes about %n: It will set the 3 bytes immediately after the one you're setting to 0, as it's basically a mov instruction. It will also only work on WinMUGEN. This is why so many people use it instead of MUGEN 1.X for cheap characters, among other reasons; you will be missed, state controller overflow.

So now that we got through with the biggest one of all, let's take a look at some of the things you can use along with it after you've set up some code using it as an address. Sorry, I'm not giving a tutorial on ASM.

%f:
Yes, you heard me right, the common float display thing has an exploit that can be (ab)used. I mean, come on, edits like Huitloxopetl and R'lyeh Text-Special exist as proof of that.
The %f exploit only works because the MUGEN developers decided to leave the address for handling %f processing in read-write memory, which means that it can be set by %n or other means. %f's handler is stored at 0x004B48E8 [4933864 in decimal] for reference. It is normally 0x00496651, which is why a jmp 00496651 instruction is required at the end of the code, but since it's in read-write space, it can be repointed to another address. This allows you to execute code at any address that you've set up beforehand by simply using the innocent %f in a DisplayToClipboard.
text = "%f"
params = pos X
is a commonly used method of executing %f once it's done.
Misc notes about %f: Since you overwrote the %f pointer entirely, the potential to jump to the code abnormally (i.e. an unedited Reisen using %f to list the enemy's distance), will persist into the next match(es) until it's reset. This is the reason why I don't really like it that much compared to other methods. Whether it is compatible with MUGEN 1.X or not is unknown at this time.

%1024u:
My personal favorite, buffer overflow. It doesn't have to be %1024u, it can really be any operator like it with a 1024 preceding it. It cannot really just be %1024u though, and needs to be in this format.
text = "%1024uDCBA"
params = whatever ;probably not needed
This will execute code at an address that depends on the character code of D, C, B, and A. "A" in this context is typically unused as most of your code will probably be written at about 0x004B4000 anyways. Please keep in mind that inserting a null terminator [hex code 00] will immediately end your code, so it cannot be used mid-way into the address. As an example, a DCBA of... well... DCBA... will execute code at the address 0x41424344. A DCBA of J@K (this is typically used in address acquisition) will execute code at the address 0x004B404A.
Note that in order to return to the main portion of the game's code with no ill side effects, the following ASM is required at the end of your code:
add esp,14
pop esi
add esp,00000400
mov [esp],004713F3
ret
(Bytes: 83 C4 14 5E 81 C4 00 04 00 00 C7 04 24 F3 13 47 00 C3)
Misc notes about %1024u: This is the method I personally prefer due to it only being executed on demand. However, it should be noted that overwriting the code with another piece in the same state is not something I'd recommend doing (in my experience, it crashes). Also, it doesn't work on MUGEN 1.1 due to the buffer being terminated properly. However, this should work on MUGEN 1.0 due to another similar method working...

Clipboard code execution:
Also known as the Void method by some. It's the most technical branch of MUGEN DisplayToClipboard exploits to pick up, and for good reason. The general format is the following:
text = "your code goes here%????uBkA"
params = whatever ;probably not needed
Note the ???? instead of 1024. This is because your code's bytes and this number must add up to 1024 exactly, so the number depends on your code. Of course, you have to use characters instead of %n. There's also the added limiter that you still cannot use a null terminator at all, oftentimes requiring mov + sub shenanigans in order to execute your code properly. Once you get this down, everything else will come smoothly. The ending code is similar to %1024u's, except it requires "add esp,0C" instead of "add esp,14" and "add esp,00000400" is split into 16 "add esp,40" expressions.
Misc notes about clipboard code execution: Due to it requiring you to write every byte in a single line and the null terminator being completely banned, this is a more technical method of arbitrary code execution. I have heard this works on MUGEN 1.0, but not in MUGEN 1.1. Perhaps it can be used to replace %n in MUGEN 1.0 in the future? Who knows...

Anyways this is my long explanation on code and stuff have fun with it now

R'lyeh!

Screen Shot 2016-09-08 at 16,34,33
Screen Shot 2016-09-08 at 16,34,36
Screen Shot 2016-09-08 at 16,35,38
I did it! My theory of state code pointer backing up worked! Yuuka can now survive %f root deleter!
All it took was a bit of extra code and some preparations, but now Yuuka should be able to survive root deleter assuming everything's initialized.

R'lyeh didn't really win according to the game, but her %f makes her win while she's active meaning that she'll go to statedef 180 anyway, so...
Also, this attack actually doesn't skip to roundstate = 3, but another one does. That would be the darkja-esque move.

R'lyeh...

Screen Shot 2016-09-07 at 17,02,23
R'lyeh Text-Special... is a bit strong, isn't she?
I know she uses the %f bug... but what exactly makes her so strong? Is there a way to counter it?
Let's examine the %f bug's strongest piece of code.

pushad ;initialization
pushfd ;initialization
mov eax,[004b5b4c] ;get MUGEN's address
mov ebx,[eax+0000b788] ;get the enemy's address (+0000b784 if teamside = 2)
mov ecx,[ebx+00000be8] ;get the state code pointer of the enemy
mov [ecx],004b4000 ;move a null address to the state code pointer of the enemy
popfd ;finalization
popad ;finalization
mov [004b4458],00000000 ;finalization
jmp 00496651 ;return to normal code


So it's basically root deleter, huh? How interesting...
And since it overwrites the code of the pointer itself, helpers aren't immune to it even though just the enemy's address is gotten...
I wonder if there's a way to counter it...
Profile

Choon

Author:Choon
Welcome to my blog.
Feel free to leave comments on my posts. I'll get back to them when I notice them.
"http" is a banned phrase to prevent issues.

Latest journals
Latest comments
Monthly archive
Category
Search form
Display RSS link.
Link
Friend request form

Want to be friends with this user.