This is an exploit for all versions of Super Paper Mario that allows arbitrary code to be run from a save file. See this video for a demonstration.
The game calls the function pausewinSetMessage with the item id of every item in the inventory to display their descriptions in the pause menu. The id is not checked for validity here; it is used directly as an index into a table to read the message's name string. The game then copies that name string onto the stack without checking its length so that it can append "_ex" to it.
By editing a save file's inventory, an item id can be set high enough that the pointer to its description message name string is read from the save file itself, and that pointer can in turn be pointed at a custom string elsewhere in the save file. That custom string can then be used to overflow the stack buffer holding the string and overwrite the saved link register after it, so the game can be made to branch to any desired address when this function returns. By setting that address to somewhere within the save file, arbitrary code can then be run.
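To make the bug class concrete from the defender's side, here is an added example in C that is not the game's code and not this project's payload: a constructed message-name table (kItemMsgNames, NAME_BUF_LEN and SUFFIX are all assumptions for the example) with the two defects the text describes, an unchecked table index and an unbounded copy onto the stack, placed beside a hardened version that rejects out-of-range ids and over-long names, plus a load-time inventory check that refuses a tampered save before it reaches the display code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message-name table standing in for the one the README says
 * the item id indexes into. Not the game's data. The last entry is
 * deliberately too long to fit the stack buffer together with the suffix. */
static const char *const kItemMsgNames[] = {
    "msg_item_shroom",
    "msg_item_flower",
    "msg_item_star",
    "msg_item_with_an_excessively_long_name",
};
#define NUM_ITEM_IDS (sizeof kItemMsgNames / sizeof kItemMsgNames[0])

#define NAME_BUF_LEN 32 /* stack buffer size chosen for this example */
#define SUFFIX "_ex"    /* the suffix the README says the game appends */

/* The pattern the README describes: the id is used as a table index with no
 * range check, and the name is copied onto the stack with no length check,
 * so a long name runs past buf toward the saved link register. This example
 * only ever calls it with a short, in-range id. */
void set_message_unchecked(int item_id, char *out, size_t out_len) {
  char buf[NAME_BUF_LEN];
  strcpy(buf, kItemMsgNames[item_id]); /* unchecked index, unbounded copy */
  strcat(buf, SUFFIX);                 /* appended with no room check */
  snprintf(out, out_len, "%s", buf);
}

/* Hardened form. The id comes from the save file, so it is untrusted:
 * reject anything outside the table, and bound the copy so name + suffix
 * + terminator always fits in buf. Returns 0 on success, -1 on rejection. */
int set_message_checked(unsigned item_id, char *out, size_t out_len) {
  char buf[NAME_BUF_LEN];
  if (item_id >= NUM_ITEM_IDS)
    return -1; /* id outside the table: would read a pointer from elsewhere */
  const char *name = kItemMsgNames[item_id];
  size_t name_len = strlen(name);
  if (name_len + sizeof SUFFIX > sizeof buf) /* sizeof SUFFIX counts the NUL */
    return -1; /* name too long: would overflow buf */
  memcpy(buf, name, name_len);
  memcpy(buf + name_len, SUFFIX, sizeof SUFFIX);
  snprintf(out, out_len, "%s", buf);
  return 0;
}

/* Load-time check: refuse a save whose inventory holds any id outside the
 * table, so a tampered id never reaches the display code at all.
 * Returns 1 if every id is in range, 0 otherwise. */
int inventory_is_valid(const uint16_t *ids, size_t count) {
  for (size_t i = 0; i < count; i++)
    if ((size_t)ids[i] >= NUM_ITEM_IDS)
      return 0;
  return 1;
}

int main(void) {
  char out[64];
  /* Constructed inventories: one sane, one carrying an out-of-range id. */
  const uint16_t good[] = {0, 1, 2};
  const uint16_t bad[] = {0, 1, 0x7FFF};
  printf("good inventory valid: %d\n", inventory_is_valid(good, 3));
  printf("bad inventory valid:  %d\n", inventory_is_valid(bad, 3));
  int rc = set_message_checked(1, out, sizeof out);
  printf("id 1 -> rc %d, \"%s\"\n", rc, out);
  printf("id 3 -> rc %d (too long)\n", set_message_checked(3, out, sizeof out));
  printf("id 9 -> rc %d (out of range)\n", set_message_checked(9, out, sizeof out));
  return 0;
}
```

The two checks in set_message_checked are independent fixes for the two defects in the text: the range check closes the "read a pointer from the save file" step, and the length check closes the stack overflow even if a name were somehow over-long. inventory_is_valid shows the cheaper place to enforce this, at the point where untrusted save data is parsed.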
Thanks to a lot of help from Zephiles, as well as some code by PistonMiner re-used from the TTYD save exploit rel loader, the payload for this exploit can be made to reboot the game and hook in a few places to load and execute a rel from NAND. See the source for more details.
- Seeky - finding the exploit
- Zephiles - writing the majority of the rel loader payload
- PistonMiner - code re-used from the TTYD save file rel loader
- Segher and Dolphin Emulator developers - Wii save unpacking & packing code referenced