Difference between revisions of "DSiWare VulnList"
Line 55: | Line 55: | ||
| High-Scores | | High-Scores | ||
| None | | None | ||
− | | | + | | The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores? |
|- | |- | ||
| Art Academy: First Semester | | Art Academy: First Semester |
Revision as of 23:12, 20 February 2011
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com. Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched eventually) if exploits for those were released.
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
Total listed DSiWare
Total DSiWare in below lists.
List | Total |
---|---|
Incomplete | 26 |
Done | 13 |
DSiWare which probably aren't exploitable | 37 |
Already have | 3 |
All total | 79 |
DSiWare with incomplete analysis
Name | Input type(s) | Status | Description |
---|---|---|---|
Academy: Tic-Tac-Toe | Player name | None | Has an UCS-2 player name. |
Advanced Circuits | Profile names | Started | Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown. |
Arcade Bowling | High-Scores | None | The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores? |
Art Academy: First Semester | None? | None | Has some ASCII strings in savedata, but they seem to be from the game binary not user input? |
Bejeweled Twist | High-scores | None | Checksum is unknown has ASCII strings. |
Blackjack | ? | None | Didn't check savedata at all yet. |
Card games | ? | None | Didn't check sav yet. |
Chess Challenge | Profile names | None | Has ASCII strings. |
Countdown Calender | ? | None | Didn't check sav yet. |
Crystal Monsters | Player name | Started | Has ASCII player name. |
DIGIDRIVE: Art Style Series | ? | None | Didn't check the sav yet but probably doesn't have strings like other artstyle games. |
Elemental Masters | Player name? | None | Has ASCII strings but the checksum is unknown. |
Faceez | Player name? | None | Has ASCII string but the checksum is unknown. |
Field Runners | High-Scores | Started | The xml .plist the game uses for storing savedata contains high-scores strings. |
Frogger Returns | High-Scores | Started | Has ASCII high-scores. |
Guitar Rock Tour | High-Scores | Started | Has ASCII high-scores. |
Legends of Exidia | Player name | Started | Has ASCII player name. |
Lets golf | Player name | None | Has ASCII player name checksum is unknown. |
Master of Illusion Express: Psychic Camera | ? | None | Didn't check sav yet. |
Mixed Messages | Player name and other text | None | Uses ASCII for player name and other text input, but the checksum is unknown. |
My Notebook: Pearl | ? | None | Didn't check the sav but probably doesn't have strings like the other notebook dsiware? |
Number Battle | Player name | None | Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown. |
Pop Superstar: Road to celebrity | Player name | None | Has ASCII strings, unknown checksum. |
Sparkle Snapshots | ? | None | Didn't check sav yet. |
UNO | Player name and high-scores | Started | Has ASCII text. |
ZENGAGE: Art Style Series | ? | None | Didn't check the sav yet but probably doesn't have strings like other artstyle games. |
DSiWare with finished analysis
Name | Input type(s) | Description |
---|---|---|
5 in 1 Solitaire | Profile names | Game didn't crash with a long profile string. |
Airport Mania: Non Stop Flights | High-Scores | Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable. |
Arcade Hoops Basketball | High-Scores, names via settings | Has ASCII high-scores with null terminated strings, no string bugs. |
Army Defender | High-scores | Has ASCII strings for high-scores, game didn't crash with modified high-scores. |
Bloons | Profile names | Has some profile names but they're all in one tiny savfile. |
Bookworm | High-scores and word list | Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. ) |
Dark Void Zero | High-Scores | No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable. |
Dracula | No manual input | Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs. |
Escapee Go | None | Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable. |
Paul's Shooting Adventure | High-Scores | Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable. |
Primrose | High-scores | Has English-only high-scores and a trivial checksum, not exploitable. |
Sudoku | Player name | Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through Sudokuhax. |
Rayman | Player name | No overflow, with a long string the game only displays one extra character. |
DSiWare that probably don't have vulnerabilities
Name | Input type(s) | Description |
---|---|---|
24/7 Solitaire | None | No high-scores or string input. |
Absolute Reversi | None | No strings in savedata. |
A Little Bit of... All-Time Classics: Card Classics | None | No strings |
A Little Bit of... All-Time Classics: Family Games | None | No strings |
A Little Bit of... All-Time Classics: Strategy Games | None | No strings |
Asphalt 4 | None | No strings |
Aquia: Art Style Series | None | No strings |
Birds & Beans | No strings | No strings in savedata. |
Boom Boom Squaries | No strings | No strings in savedata. |
Bomberman Blitz | Name | Has UCS-2 strings. |
Brain Age Express: Arts & Letters | None | No strings in savedata. |
Brain Age Express: Math | None | No strings in savedata. |
Crash Course Domo | None | No strings. |
Dictionary 6 in 1 | None | No strings in savedata. |
Dr. Mario Express | None | No strings. |
Earthworm Jim | None | No strings. |
Extreme Hangman | None | No strings in savedata. |
FIZZ | High-scores | Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely. |
Frenzic | High-scores | Has UCS-2 high-scores. |
Gene Labs | None | Small savedata with no strings. |
Glory Days - Tactical Defense | No strings | Saves only scores not strings. |
Metal Torrent | Player name | Uses a UCS-2 string. |
My Notebook: Blue | None | No strings. |
My Sims: Camera | None | No strings. |
Mighty Flip Champs | None | No strings. |
My Exotic Farm | Player name | Not exploitable, there's a 0x01 byte immediately after the string not null-terminated. |
Paper Airplane Chase | None | The size of both files in the savedata are only 8 bytes, no strings. |
PiCOPiCT: Art Style series | None | No strings. |
PiCTOBiTS: Art Style series | None | No strings. |
Pyoro | None | 16-byte savedata no strings. |
Photo Clock | None | Small savedata, no strings at all. |
Photo Dojo | Handwritten character name via stylus | Savedata only contains .jpg files and some tiny "save"/"info" files. |
Shantae: Risky's Revenge | None | Has 3 save slots but no string input. |
Sokomania | None | No strings. |
Starship Defense | None | No strings. |
Tetris Party Live | None | Zero text input. |
WarioWare: Snapped | None | No high-scores or string input. |
DSiWare that were already obtained for analysis
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.
Name | Text format |
---|---|
Flipnote Studio | UCS-2 |
Mario Vs. Donkey Kong: Minis March Again | UCS-2 |
Opera | Nothing interesting in savedata. |