StateDef Overflow, also known as Def Buffer Overflow or DBOF, is an exploit in WinMUGEN that allows for arbitrary code execution at the time of character selection.
While often referred to this exploit as SuperNull, the latter actually describes characters that use exploits to execute arbitrary code during the character selection, which should not be confused with this.
As it is executed as a character is loaded, rather than during the match, it is one of the most powerful forms of code execution internal characters are capable of. Until the discovery of ZIP Overflow/ZLib Exploit, it was considered to be unstoppable by other internal characters if executed first.
Usage Examples
Offensive Utility
As you'd expect from an exploit with such advantageous timing, there are countless characters that have used this exploit for offensive purposes. The offensive usage of this exploit is largely that of polymorphism, which replaces the entire character select screen with characters that do nothing, allowing the character to have free reign. dsrugal and certain guanyin variants are the most well-known examples of this. An alternate approach, involving closing the MUGEN window and opening one's own copy (similar to the Omed method), has seen use in edits like Ashes Princess ZERO Requiem.
Defensive Utility
In a similar vein, there are also characters that use this method to defend themselves against similar exploits and potentially retaliate accordingly. This is often done by modifying the engine's code to either disable undesired exploits almost completely (Code.Crashed.Killer), ensure that the engine is in a consistent, desired state (Void-Schmelze), or constantly restoring information in case of tampering (Mainyu). This second method, when applied solely to information like the character's folder name, is the method commonly referred to as TTSN (Top-Tier SuperNull) Defense, as it counters the offensive utility mentioned above if executed before the attack.
Miscellaneous Utility
Because this timing occurs during character loading, there are also uses for this exploit that don't fall into the category of offense or defense. Old versions of DarknessSevenNight used this exploit to remove the variable limit, allowing for greater information storage and a more direct, lighter form of %n. Various edits use a version of this exploit that allows for animated select portraits, known as DynamicPortrait, like Beyond Reason. A DBOF file has been released that backports MUGEN 1.1's rotatable Explod functionality to WinMUGEN, which is even seen in more standard characters like Yeen.
Exploit Details
As implied by DBOF's more technical name, this takes advantage of a Buffer Overflow vulnerability in the StateDef parser. When the text within a StateDef header is at least 64 characters long, the return address from this parser is overwritten, resulting in the potential for arbitrary code execution. Note that this is at least 64 characters long, as all strings are null terminated; a 64-character long string is technically 65 if you account for this null terminator.
For example, a StateDef structured like this:
[StateDef 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrsF2@] [State ] Type = Null Trigger1 = 1
will return to the address corresponding to the text F2@ (0x00403246) after StateDef processing.
Creation Tips
There are plenty of templates online for use cases such as TTSN, DynamicPortrait execution, Explod Rotation, and more. Chances are, you don't have to actually make a DBOF exploit on your own. However, if you want to create an exploit that actually does something novel, you need to know x86 assembly before even continuing. The process of creation is relatively simple if you do know it, and simply involves treating your entire state file, starting at the return point, as a list of x86 instructions. With that in mind, here are some tips for novices.
- This is a file-based exploit, rather than a clipboard-based exploit, which means there are some bytes that simply cannot be used that you otherwise would be able to with %c. Notably,
- You cannot use the 0A byte anywhere in your code. This is automatically converted to a 00 byte; this does mean that you can use 00 bytes in your code, but only one at a time. Mind trailing/leading spaces when doing so.
- As per standard MUGEN fare, you cannot use the 3B byte (
;) anywhere in your code, as this will mark the remainder of the line as a comment. The 1A byte is considered an EoF, and also cannot be used. - In the StateDef header itself, you cannot use the 5D byte (
]), as this will prematurely terminate the StateDef number and nullify the exploit. Afterwards is fair game.
- While any return address can be used, the ideal is one that contains an
add esp,0x10; retinstruction set, which executes code from the StateDef number. Examples areF2@(0x00403246),v-@(0x00402d76), andHvH(0x00487648). - It's commonplace to use a jmp instruction by writing something akin to
ë:. An alternate option is using a jne instruction such asu:, which preserves ASCII compatibility (if you hate yourself enough) while accomplishing the same thing due to theadd esp,0x10instruction executed before entry.
1.0/1.1
StateDef Text Parser's buffer size is assignated to 255 bytes and input text strings cannot exceed the assignated size, as their length will be truncated otherwise, making this exploit very ineffective to use in these engine builds.