Difference between revisions of "DSiWare VulnList"

From DSiBrew
Jump to navigation Jump to search
Line 55: Line 55:
 
|  High-Scores
 
|  High-Scores
 
|  None
 
|  None
Checksum needs tinkered with and save modification is pending.
+
The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
 
|-
 
|-
 
|  Art Academy: First Semester
 
|  Art Academy: First Semester

Revision as of 23:12, 20 February 2011

This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com. Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.

It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched eventually) if exploits for those were released.

DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.

For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.

Total listed DSiWare

Total DSiWare in below lists.

List Total
Incomplete 26
Done 13
DSiWare which probably aren't exploitable 37
Already have 3
All total 79

DSiWare with incomplete analysis

Name Input type(s) Status Description
Academy: Tic-Tac-Toe Player name None Has an UCS-2 player name.
Advanced Circuits Profile names Started Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
Arcade Bowling High-Scores None The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
Art Academy: First Semester None? None Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
Bejeweled Twist High-scores None Checksum is unknown has ASCII strings.
Blackjack ? None Didn't check savedata at all yet.
Card games ? None Didn't check sav yet.
Chess Challenge Profile names None Has ASCII strings.
Countdown Calender ? None Didn't check sav yet.
Crystal Monsters Player name Started Has ASCII player name.
DIGIDRIVE: Art Style Series ? None Didn't check the sav yet but probably doesn't have strings like other artstyle games.
Elemental Masters Player name? None Has ASCII strings but the checksum is unknown.
Faceez Player name? None Has ASCII string but the checksum is unknown.
Field Runners High-Scores Started The xml .plist the game uses for storing savedata contains high-scores strings.
Frogger Returns High-Scores Started Has ASCII high-scores.
Guitar Rock Tour High-Scores Started Has ASCII high-scores.
Legends of Exidia Player name Started Has ASCII player name.
Lets golf Player name None Has ASCII player name checksum is unknown.
Master of Illusion Express: Psychic Camera ? None Didn't check sav yet.
Mixed Messages Player name and other text None Uses ASCII for player name and other text input, but the checksum is unknown.
My Notebook: Pearl ? None Didn't check the sav but probably doesn't have strings like the other notebook dsiware?
Number Battle Player name None Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
Pop Superstar: Road to celebrity Player name None Has ASCII strings, unknown checksum.
Sparkle Snapshots ? None Didn't check sav yet.
UNO Player name and high-scores Started Has ASCII text.
ZENGAGE: Art Style Series ? None Didn't check the sav yet but probably doesn't have strings like other artstyle games.

DSiWare with finished analysis

Name Input type(s) Description
5 in 1 Solitaire Profile names Game didn't crash with a long profile string.
Airport Mania: Non Stop Flights High-Scores Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
Arcade Hoops Basketball High-Scores, names via settings Has ASCII high-scores with null terminated strings, no string bugs.
Army Defender High-scores Has ASCII strings for high-scores, game didn't crash with modified high-scores.
Bloons Profile names Has some profile names but they're all in one tiny savfile.
Bookworm High-scores and word list Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
Dark Void Zero High-Scores No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
Dracula No manual input Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
Escapee Go None Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
Paul's Shooting Adventure High-Scores Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
Primrose High-scores Has English-only high-scores and a trivial checksum, not exploitable.
Sudoku Player name Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through Sudokuhax.
Rayman Player name No overflow, with a long string the game only displays one extra character.

DSiWare that probably don't have vulnerabilities

Name Input type(s) Description
24/7 Solitaire None No high-scores or string input.
Absolute Reversi None No strings in savedata.
A Little Bit of... All-Time Classics: Card Classics None No strings
A Little Bit of... All-Time Classics: Family Games None No strings
A Little Bit of... All-Time Classics: Strategy Games None No strings
Asphalt 4 None No strings
Aquia: Art Style Series None No strings
Birds & Beans No strings No strings in savedata.
Boom Boom Squaries No strings No strings in savedata.
Bomberman Blitz Name Has UCS-2 strings.
Brain Age Express: Arts & Letters None No strings in savedata.
Brain Age Express: Math None No strings in savedata.
Crash Course Domo None No strings.
Dictionary 6 in 1 None No strings in savedata.
Dr. Mario Express None No strings.
Earthworm Jim None No strings.
Extreme Hangman None No strings in savedata.
FIZZ High-scores Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
Frenzic High-scores Has UCS-2 high-scores.
Gene Labs None Small savedata with no strings.
Glory Days - Tactical Defense No strings Saves only scores not strings.
Metal Torrent Player name Uses a UCS-2 string.
My Notebook: Blue None No strings.
My Sims: Camera None No strings.
Mighty Flip Champs None No strings.
My Exotic Farm Player name Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
Paper Airplane Chase None The size of both files in the savedata are only 8 bytes, no strings.
PiCOPiCT: Art Style series None No strings.
PiCTOBiTS: Art Style series None No strings.
Pyoro None 16-byte savedata no strings.
Photo Clock None Small savedata, no strings at all.
Photo Dojo Handwritten character name via stylus Savedata only contains .jpg files and some tiny "save"/"info" files.
Shantae: Risky's Revenge None Has 3 save slots but no string input.
Sokomania None No strings.
Starship Defense None No strings.
Tetris Party Live None Zero text input.
WarioWare: Snapped None No high-scores or string input.

DSiWare that were already obtained for analysis

Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.

Name Text format
Flipnote Studio UCS-2
Mario Vs. Donkey Kong: Minis March Again UCS-2
Opera Nothing interesting in savedata.