Difference between revisions of "DSiWare VulnList"

From DSiBrew
Jump to navigation Jump to search
 
(121 intermediate revisions by 7 users not shown)
Line 1: Line 1:
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
+
== Total listed DSiWare ==
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
 
  
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi
+
Total DSiWare in below lists.
  
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
+
{| class="wikitable" border="1"
 +
|-
 +
!  List
 +
!  Total
 +
|-
 +
|  Incomplete
 +
|  16
 +
|-
 +
|  Done
 +
|  27
 +
|-
 +
DSiWare which probably aren't exploitable
 +
|  59
 +
|-
 +
|  Already have
 +
|  3
 +
|-
 +
|  All total
 +
|  100
 +
|}
  
== DSiWare that can be crashed ==
+
== DSiWare with incomplete analysis ==
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 13: Line 31:
 
!  Input type(s)
 
!  Input type(s)
 
!  Status
 
!  Status
!  Regions
 
!  Developer
 
!  Points
 
 
!  Description
 
!  Description
 
|-
 
|-
Dark Void Zero
+
Academy: Tic-Tac-Toe
 +
|  Player name
 +
|  None
 +
|  Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 +
|-
 +
|  Advanced Circuits
 +
|  Profile names
 +
|  Started
 +
|  Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
 +
|-
 +
|  Arcade Bowling
 
|  High-Scores
 
|  High-Scores
Done
+
None
USA/EUR
+
The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
Capcom
+
|-
500
+
|  Art Academy: First Semester
No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds.
+
None?
 +
None
 +
Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
 
|-
 
|-
Frogger Returns
+
Bejeweled Twist
 
|  High-scores
 
|  High-scores
Started
+
None
USA
+
Checksum is unknown, save has ASCII strings.
|  Konami
 
|  500
 
|  Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable.
 
 
|-
 
|-
Guitar Rock Hero
+
Bounce & Break
 
|  High-scores
 
|  High-scores
 
|  Started
 
|  Started
|  USA/EUR
+
|  Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|  Gameloft
 
|  500
 
|  Has ASCII strings for high-scores. Overwriting high-scores with a 0x194f-byte string caused the game to crash.
 
 
|-
 
|-
Legends of Exidia
+
Card games
 +
|  Player name
 +
|  None
 +
|  Has ASCII player names, checksum is unknown.
 +
|-
 +
|  Chess Challenge
 +
|  Profile names
 +
|  None
 +
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 +
|-
 +
|  Crystal Monsters
 
|  Player name
 
|  Player name
 
|  Started
 
|  Started
|  USA/EUR/JP
+
|  Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|  Gameloft
 
|  800
 
|  Has ASCII player name in one file, and UCS-2 player name in a profile file. This game was crashed by modifying strings in the profile savedata file.
 
 
|-
 
|-
Sudoku
+
Elemental Masters
 +
|  Player name?
 +
|  None
 +
|  Has ASCII strings but the checksum is unknown.
 +
|-
 +
|  Faceez
 +
|  Player name?
 +
|  None
 +
|  Has ASCII string but the checksum is unknown.
 +
|-
 +
|  Jelly Car 2
 +
|  High Score name
 +
|  None
 +
|  Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 +
|-
 +
|  Lets golf
 
|  Player name
 
|  Player name
Started
+
None
USA/EUR
+
Has ASCII player name checksum is unknown.
EA
+
|-
200
+
|  Mixed Messages
Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name.
+
Player name and other text
|}
+
None
 
+
Uses ASCII for player name and other text input, but the checksum is unknown.
== DSiWare with incomplete analysis ==
 
 
 
{| class="wikitable" border="1"
 
 
|-
 
|-
! Name
+
| Number Battle
! Input type(s)
+
| Player name
! Status
+
| None
! Description
+
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
 
|-
 
|-
Advanced Circuits
+
Pop Superstar: Road to celebrity
Profile names
+
Player name
Started
+
None
Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
+
Has ASCII strings.
 
|}
 
|}
  
Line 84: Line 124:
 
|-
 
|-
 
|  5 in 1 Solitaire
 
|  5 in 1 Solitaire
 +
|  Profile names
 +
|  Game didn't crash with a long profile string.
 +
|-
 +
|  Airport Mania: Non Stop Flights
 +
|  High-Scores
 +
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
 +
|-
 +
|  Academy: Checkers
 
|  Profile names
 
|  Profile names
 
|  Game didn't crash with a long profile string.
 
|  Game didn't crash with a long profile string.
Line 90: Line 138:
 
|  High-Scores, names via settings
 
|  High-Scores, names via settings
 
|  Has ASCII high-scores with null terminated strings, no string bugs.
 
|  Has ASCII high-scores with null terminated strings, no string bugs.
 +
|-
 +
|  Army Defender
 +
|  High-scores
 +
|  Has ASCII strings for high-scores, game didn't crash with modified high-scores.
 +
|-
 +
|  Bloons
 +
|  Profile names
 +
|  Has some profile names but they're all in one tiny savfile.
 
|-
 
|-
 
|  Bookworm
 
|  Bookworm
 
|  High-scores and word list
 
|  High-scores and word list
 
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
 
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
 +
|-
 +
|  Crazy Sudoku
 +
|  Profile names/Data File
 +
|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
 +
|-
 +
|  Dark Void Zero
 +
|  High-Scores
 +
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
 +
|-
 +
|  Digger Dan & Kaboom
 +
|  Player name
 +
|  The ASCII player names aren't exploitable, but the save is <10KB anyway.
 
|-
 
|-
 
|  Dracula
 
|  Dracula
Line 102: Line 170:
 
|  None
 
|  None
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 +
|-
 +
|  Fieldrunners
 +
|  High-Scores
 +
|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
 +
|-
 +
|  Frogger Returns
 +
|  High-Scores
 +
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
 +
|-
 +
|  Guitar Rock Tour
 +
|  High-Scores
 +
|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
 +
|-
 +
|  Legends of Exidia
 +
|  Player name
 +
|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
 +
|-
 +
|  Mario Calculator
 +
|  None
 +
|  No savedata at all in the tad.
 
|-
 
|-
 
|  Paul's Shooting Adventure
 
|  Paul's Shooting Adventure
 
|  High-Scores
 
|  High-Scores
 
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
 
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
 +
|-
 +
|  Prehistorik Man
 +
|  Password text
 +
|  Has some ASCII password text for continuing, but there's less than 10KB free.
 
|-
 
|-
 
|  Primrose
 
|  Primrose
 
|  High-scores
 
|  High-scores
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 +
|-
 +
|  Rayman
 +
|  Player name
 +
|  No overflow, with a long string the game only displays one extra character.
 +
|-
 +
|  Soul of Darkness
 +
|  Player name
 +
|  Has ASCII player name with 3 profiles.
 +
|-
 +
|  Sudoku
 +
|  Player name
 +
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
 +
|-
 +
|  Telegraph Sudoku & Kakuro
 +
|  Profile name
 +
|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
 +
|-
 +
|  The Legend of Zelda: Four Swords Anniversary
 +
|  Savedata filesize
 +
|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
 +
|-
 +
|  UNO
 +
|  Profile names
 +
|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
 +
|-
 +
|  WordSearcher
 +
|  Player name & WordSearch Board
 +
|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
 
|}
 
|}
  
Line 124: Line 244:
 
|  None
 
|  None
 
|  No high-scores or string input.
 
|  No high-scores or string input.
 +
|-
 +
|  Absolute Reversi
 +
|  None
 +
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
 +
|-
 +
|  A Little Bit of... All-Time Classics: Card Classics
 +
|  None
 +
|  No strings
 +
|-
 +
|  A Little Bit of... All-Time Classics: Family Games
 +
|  None
 +
|  No strings
 +
|-
 +
|  A Little Bit of... All-Time Classics: Strategy Games
 +
|  None
 +
|  No strings
 +
|-
 +
|  Alpha Bounce
 +
|  None
 +
|  No strings
 +
|-
 +
|  Asphalt 4
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  Aquia: Art Style Series
 
|  Aquia: Art Style Series
 
|  None
 
|  None
 
|  No strings
 
|  No strings
 +
|-
 +
|  Aura Aura Climber
 +
|  None
 +
|  No strings
 +
|-
 +
|  Birds & Beans
 +
|  No strings
 +
|  No strings in savedata.
 +
|-
 +
|  Boom Boom Squaries
 +
|  No strings
 +
|  No strings in savedata.
 +
|-
 +
|  Bomberman Blitz
 +
|  Name
 +
|  Has UCS-2 strings.
 +
|-
 +
|  Boxlife
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Blackjack
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Brain Age Express: Arts & Letters
 
|  Brain Age Express: Arts & Letters
Line 136: Line 304:
 
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  Brain Drain
 +
|  None
 +
|  No strings in save.
 +
|-
 +
|  Castle of Magic
 +
|  None
 +
|  No strings
 +
|-
 +
|  Cave Story
 +
|  None
 +
|  No strings
 +
|-
 +
|  Countdown Calender
 +
|  None
 +
|  No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
 +
|-
 +
|  Crash Course Domo
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Chronos Twins
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Dictionary 6 in 1
 
|  Dictionary 6 in 1
 
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  DIGIDRIVE: Art Style Series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  DodoGo! Robo
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  Dr. Mario Express
 
|  Dr. Mario Express
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Earthworm Jim
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Extreme Hangman
 +
|  None
 +
|  No strings in savedata.
 +
|-
 +
|  Little Red Riding Hood's Zombie BBQ
 
|  None
 
|  None
 
|  No strings
 
|  No strings
Line 147: Line 359:
 
|  FIZZ
 
|  FIZZ
 
|  High-scores
 
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
+
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
 +
|-
 +
|  Flipper
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Frenzic
 +
|  High-scores
 +
|  Has UCS-2 high-scores.
 
|-
 
|-
 
|  Gene Labs
 
|  Gene Labs
 
|  None
 
|  None
 
|  Small savedata with no strings.
 
|  Small savedata with no strings.
 +
|-
 +
|  Glory Days - Tactical Defense
 +
|  No strings
 +
|  Saves only scores not strings.
 +
|-
 +
|  GO Series: 10 Second Run
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Metal Torrent
 +
|  Player name
 +
|  Uses a UCS-2 string.
 +
|-
 +
|  Master of Illusion Express: Psychic Camera
 +
|  None
 +
|  Tiny savfile no strings.
 +
|-
 +
|  My Notebook: Blue
 +
|  None
 +
|  No strings.
 +
|-
 +
|  My Notebook: Pearl
 +
|  None
 +
|  No strings.
 +
|-
 +
|  My Sims: Camera
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Mighty Flip Champs
 +
|  None
 +
|  No strings.
 +
|-
 +
|  My Exotic Farm
 +
|  Player name
 +
|  Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
 
|-
 
|-
 
|  Paper Airplane Chase
 
|  Paper Airplane Chase
 
|  None
 
|  None
 
|  The size of both files in the savedata are only 8 bytes, no strings.
 
|  The size of both files in the savedata are only 8 bytes, no strings.
 +
|-
 +
|  PiCOPiCT: Art Style series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  PiCTOBiTS: Art Style series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Plants Vs. Zombies
 +
|  None
 +
|  No strings, uses system user name for player name.
 +
|-
 +
|  Pop Island
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Pyoro
 
|  Pyoro
Line 168: Line 440:
 
|  Handwritten character name via stylus
 
|  Handwritten character name via stylus
 
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
 
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
 +
|-
 +
|  Shantae: Risky's Revenge
 +
|  None
 +
|  Has 3 save slots but no string input.
 +
|-
 +
|  Simply Minesweeper
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Sokomania
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Sparkle Snapshots
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Starship Defense
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Tetris Party Live
 
|  Tetris Party Live
 
|  None
 
|  None
|  Zero text input.
+
|  Zero text input, not enough payload space anyway.
 
|-
 
|-
 
|  WarioWare: Snapped
 
|  WarioWare: Snapped
 
|  None
 
|  None
 
|  No high-scores or string input.
 
|  No high-scores or string input.
 +
|-
 +
|  ZENGAGE: Art Style Series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Zenonia
 +
|  None
 +
|  No strings.
 
|}
 
|}
  
 
== DSiWare that were already obtained for analysis ==
 
== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them.
+
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 191: Line 491:
 
|  Mario Vs. Donkey Kong: Minis March Again
 
|  Mario Vs. Donkey Kong: Minis March Again
 
|  UCS-2
 
|  UCS-2
 +
|-
 +
|  Opera
 +
|  The savedata is private NAND-only, no savedata is copied to SD card.
 
|}
 
|}

Latest revision as of 04:09, 31 March 2019

Total listed DSiWare

Total DSiWare in below lists.

List Total
Incomplete 16
Done 27
DSiWare which probably aren't exploitable 59
Already have 3
All total 100

DSiWare with incomplete analysis

Name Input type(s) Status Description
Academy: Tic-Tac-Toe Player name None Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
Advanced Circuits Profile names Started Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
Arcade Bowling High-Scores None The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
Art Academy: First Semester None? None Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
Bejeweled Twist High-scores None Checksum is unknown, save has ASCII strings.
Bounce & Break High-scores Started Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
Card games Player name None Has ASCII player names, checksum is unknown.
Chess Challenge Profile names None Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
Crystal Monsters Player name Started Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
Elemental Masters Player name? None Has ASCII strings but the checksum is unknown.
Faceez Player name? None Has ASCII string but the checksum is unknown.
Jelly Car 2 High Score name None Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
Lets golf Player name None Has ASCII player name checksum is unknown.
Mixed Messages Player name and other text None Uses ASCII for player name and other text input, but the checksum is unknown.
Number Battle Player name None Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
Pop Superstar: Road to celebrity Player name None Has ASCII strings.

DSiWare with finished analysis

Name Input type(s) Description
5 in 1 Solitaire Profile names Game didn't crash with a long profile string.
Airport Mania: Non Stop Flights High-Scores Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
Academy: Checkers Profile names Game didn't crash with a long profile string.
Arcade Hoops Basketball High-Scores, names via settings Has ASCII high-scores with null terminated strings, no string bugs.
Army Defender High-scores Has ASCII strings for high-scores, game didn't crash with modified high-scores.
Bloons Profile names Has some profile names but they're all in one tiny savfile.
Bookworm High-scores and word list Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
Crazy Sudoku Profile names/Data File The ASCII player name or the game data aren't exploitable. This game can still be crashed.
Dark Void Zero High-Scores No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
Digger Dan & Kaboom Player name The ASCII player names aren't exploitable, but the save is <10KB anyway.
Dracula No manual input Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
Escapee Go None Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
Fieldrunners High-Scores The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through fieldrunnerhax.
Frogger Returns High-Scores Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
Guitar Rock Tour High-Scores Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through grtpwn.
Legends of Exidia Player name Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through exidiahax.
Mario Calculator None No savedata at all in the tad.
Paul's Shooting Adventure High-Scores Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
Prehistorik Man Password text Has some ASCII password text for continuing, but there's less than 10KB free.
Primrose High-scores Has English-only high-scores and a trivial checksum, not exploitable.
Rayman Player name No overflow, with a long string the game only displays one extra character.
Soul of Darkness Player name Has ASCII player name with 3 profiles.
Sudoku Player name Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through Sudokuhax.
Telegraph Sudoku & Kakuro Profile name No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
The Legend of Zelda: Four Swords Anniversary Savedata filesize The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through 4swordshax.
UNO Profile names Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as UNO*pwn.
WordSearcher Player name & WordSearch Board Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable

DSiWare that probably don't have vulnerabilities

Name Input type(s) Description
24/7 Solitaire None No high-scores or string input.
Absolute Reversi None No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
A Little Bit of... All-Time Classics: Card Classics None No strings
A Little Bit of... All-Time Classics: Family Games None No strings
A Little Bit of... All-Time Classics: Strategy Games None No strings
Alpha Bounce None No strings
Asphalt 4 None No strings
Aquia: Art Style Series None No strings
Aura Aura Climber None No strings
Birds & Beans No strings No strings in savedata.
Boom Boom Squaries No strings No strings in savedata.
Bomberman Blitz Name Has UCS-2 strings.
Boxlife None No strings.
Blackjack None No strings.
Brain Age Express: Arts & Letters None No strings in savedata.
Brain Age Express: Math None No strings in savedata.
Brain Drain None No strings in save.
Castle of Magic None No strings
Cave Story None No strings
Countdown Calender None No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
Crash Course Domo None No strings.
Chronos Twins None No strings.
Dictionary 6 in 1 None No strings in savedata.
DIGIDRIVE: Art Style Series None No strings.
DodoGo! Robo None No strings
Dr. Mario Express None No strings.
Earthworm Jim None No strings.
Extreme Hangman None No strings in savedata.
Little Red Riding Hood's Zombie BBQ None No strings
FIZZ High-scores Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
Flipper None No strings.
Frenzic High-scores Has UCS-2 high-scores.
Gene Labs None Small savedata with no strings.
Glory Days - Tactical Defense No strings Saves only scores not strings.
GO Series: 10 Second Run None No strings.
Metal Torrent Player name Uses a UCS-2 string.
Master of Illusion Express: Psychic Camera None Tiny savfile no strings.
My Notebook: Blue None No strings.
My Notebook: Pearl None No strings.
My Sims: Camera None No strings.
Mighty Flip Champs None No strings.
My Exotic Farm Player name Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
Paper Airplane Chase None The size of both files in the savedata are only 8 bytes, no strings.
PiCOPiCT: Art Style series None No strings.
PiCTOBiTS: Art Style series None No strings.
Plants Vs. Zombies None No strings, uses system user name for player name.
Pop Island None No strings.
Pyoro None 16-byte savedata no strings.
Photo Clock None Small savedata, no strings at all.
Photo Dojo Handwritten character name via stylus Savedata only contains .jpg files and some tiny "save"/"info" files.
Shantae: Risky's Revenge None Has 3 save slots but no string input.
Simply Minesweeper None No strings.
Sokomania None No strings.
Sparkle Snapshots None No strings.
Starship Defense None No strings.
Tetris Party Live None Zero text input, not enough payload space anyway.
WarioWare: Snapped None No high-scores or string input.
ZENGAGE: Art Style Series None No strings.
Zenonia None No strings.

DSiWare that were already obtained for analysis

Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

Name Text format
Flipnote Studio UCS-2
Mario Vs. Donkey Kong: Minis March Again UCS-2
Opera The savedata is private NAND-only, no savedata is copied to SD card.