Ultranull
UltraNull is a coding term that refers to exploits that use Windows DLL search order vulnerabilities, on either the MUGEN engine's executable file or external libraries, to allow arbitrary code execution during the executable file's initialization stage.
This exploit type is triggered during the program's library preloading stage, which makes a big difference between these exploits and the HyperNull exploit series: the latter is executed during the character list parsing stage, giving it a lower precedence. It is supported on all engine versions (Win, 1.0, and 1.1).
The vulnerability used in this exploit was discovered in early 2023 by a Chinese author called YC0_Xa (aka FHPQ), making use of the Allegro library (alleg40.dll) in WinMUGEN, using DDRAW.dll. In reality, this vulnerability was discovered on Windows in the 2000s, and it became more widely recognized and discussed between 2009 and 2010. It was first used on MUGEN 1.1b in 2015 by ermaccer with his MugenHook wrapper. It was then recognized later by the cheap community, thanks to YC0_Xa's SuperPony.
Months later, it was discovered that other DLL files (and even DRV files) can also behave in the same way.
This vulnerability is not only used for characters but also to add features, effects and mods to the engine, which we will discuss later.
Exploit Details
Windows loads libraries according to a search order, and when a program requires a library that is not present in the same directory as the executable file, it follows that search order to locate the requested library.
There is, however, a serious problem when system libraries are carelessly imported by the software developer: they can be vulnerable to DLL Hijacking, a general Windows vulnerability that allows attackers to load malicious code in affected programs.
In order for MUGEN to work properly, it needs to load specific libraries (DLLs, Dynamic Link Libraries), either from Windows or its own. Basically, you can create any DLL file to load arbitrary code, as long as the filename is one of the DLLs that MUGEN loads during initialization. Another crucial requirement is that the library must be in the engine's root directory.
Note also that some of the DLLs can cause MUGEN to suffer delays, stuttering, input problems and more. Some of these problems last for several seconds, while others are permanent.
As this vulnerability resides in the program's code, this exploit type can be used in any version of Windows.
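Because the library has to sit in the engine's root directory under a name the engine already loads, a downloaded engine folder can be audited by listing the DLL/DRV files in its root whose names also exist in the Windows system directory. The script below is an added example, not code from the page or from any MUGEN tool; the function names, the folder layout and the file `sample.drv` are constructed for illustration.

```python
import os
import tempfile

# Extensions the page names as loadable from the engine's root directory.
LIBRARY_EXTENSIONS = {".dll", ".drv"}

def library_names(directory):
    """Map lower-cased name -> on-disk name for library files directly in directory."""
    found = {}
    for entry in os.scandir(directory):
        ext = os.path.splitext(entry.name)[1].lower()
        if entry.is_file() and ext in LIBRARY_EXTENSIONS:
            found[entry.name.lower()] = entry.name
    return found

def find_shadowing_libraries(app_root, system_dir):
    """Return library files in app_root whose names also exist in system_dir.

    Only the top level of app_root is checked, because the page states the
    library must sit in the engine's root directory. This is a name
    comparison only: a hit may be a legitimate wrapper or mod, and Windows
    details such as the KnownDLLs list are not modelled.
    """
    local = library_names(app_root)
    system = library_names(system_dir)
    # Windows file names are case-insensitive, so compare lower-cased keys.
    return [local[key] for key in sorted(local.keys() & system.keys())]

def build_constructed_sample(base):
    """Create a constructed engine folder and a stand-in system folder under base."""
    app_root = os.path.join(base, "mugen")
    system_dir = os.path.join(base, "System32")
    layout = {
        app_root: ["winmugen.exe", "alleg40.dll", "DDRAW.dll", "sample.drv", "notes.txt"],
        system_dir: ["ddraw.dll", "kernel32.dll", "sample.drv"],
    }
    for folder, names in layout.items():
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "wb").close()  # empty placeholder files
    return app_root, system_dir

if __name__ == "__main__":
    # On a real machine, pass the engine folder and the Windows system directory.
    with tempfile.TemporaryDirectory() as tmp:
        app_root, system_dir = build_constructed_sample(tmp)
        for name in find_shadowing_libraries(app_root, system_dir):
            print("review before running the engine:", name)
```

Each reported file should be checked against its claimed source before the engine is launched, since the engine's own libraries such as alleg40.dll are not flagged and only system-named copies are.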
Trivia
Despite being a strong exploit type, it is used by almost no characters. This is because authors are not that interested in very restrictive exploits. On the other hand, it is often used as an injector for mods/plugins to extend the engine's functionality. Some examples are applying shaders, loading/executing external files, and more.
There is also a screenpack (Oblivion) which uses UltraNull for external effects.