DSiWare VulnList: Difference between revisions

Retrieved from "https://dsibrew.org/wiki/DSiWare_VulnList"

Please enable JavaScript to pass antispam protection!
Here are the instructions how to enable JavaScript in your web browser http://www.enable-javascript.com.
Antispam by CleanTalk.

@@ Line 1: / Line 1: @@
-This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, etc) input, add it to this list, then mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
+== Total listed DSiWare ==
-== List of DSiWare with incomplete analysis ==
+Total DSiWare in below lists.
+{| class="wikitable" border="1"
+|-
+!  List
+!  Total
+|-
+|  Incomplete
+|  16
+|-
+|  Done
+|  27
+|-
+|  DSiWare which probably aren't exploitable
+|  59
+|-
+|  Already have
+|  3
+|-
+|  All total
+|  100
+|}
+== DSiWare with incomplete analysis ==
 {| class="wikitable" border="1"
@@ Line 7: / Line 30: @@
 !  Name
 !  Input type(s)
-! Status
+!  Status
 !  Description
 |-
-|  Dracula
+|  Academy: Tic-Tac-Toe
-|  No manual input
+|  Player name
+|  None
+|  Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
+|-
+|  Advanced Circuits
+|  Profile names
 |  Started
-|  Savedata contains UTF8 high-scores from DSi username, and perks/powerups.
+|  Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
+|-
+|  Arcade Bowling
+|  High-Scores
+|  None
+|  The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
 |-
-|  FIZZ
+|  Art Academy: First Semester
+|  None?
+|  None
+|  Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
+|-
+|  Bejeweled Twist
+|  High-scores
+|  None
+|  Checksum is unknown, save has ASCII strings.
+|-
+|  Bounce & Break
 |  High-scores
+|  Started
+|  Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
+|-
+|  Card games
+|  Player name
 |  None
-|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
+|  Has ASCII player names, checksum is unknown.
+|-
+|  Chess Challenge
+|  Profile names
+|  None
+|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
+|-
+|  Crystal Monsters
+|  Player name
+|  Started
+|  Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
+|-
+|  Elemental Masters
+|  Player name?
+|  None
+|  Has ASCII strings but the checksum is unknown.
+|-
+|  Faceez
+|  Player name?
+|  None
+|  Has ASCII string but the checksum is unknown.
+|-
+|  Jelly Car 2
+|  High Score name
+|  None
+|  Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
+|-
+|  Lets golf
+|  Player name
+|  None
+|  Has ASCII player name checksum is unknown.
+|-
+|  Mixed Messages
+|  Player name and other text
+|  None
+|  Uses ASCII for player name and other text input, but the checksum is unknown.
+|-
+|  Number Battle
+|  Player name
+|  None
+|  Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
+|-
+|  Pop Superstar: Road to celebrity
+|  Player name
+|  None
+|  Has ASCII strings.
 |}
-== List of DSiWare with finished analysis ==
+== DSiWare with finished analysis ==
@@ Line 29: / Line 122: @@
 !  Input type(s)
 !  Description
+|-
+|  5 in 1 Solitaire
+|  Profile names
+|  Game didn't crash with a long profile string.
+|-
+|  Airport Mania: Non Stop Flights
+|  High-Scores
+|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
+|-
+|  Academy: Checkers
+|  Profile names
+|  Game didn't crash with a long profile string.
+|-
+|  Arcade Hoops Basketball
+|  High-Scores, names via settings
+|  Has ASCII high-scores with null terminated strings, no string bugs.
+|-
+|  Army Defender
+|  High-scores
+|  Has ASCII strings for high-scores, game didn't crash with modified high-scores.
+|-
+|  Bloons
+|  Profile names
+|  Has some profile names but they're all in one tiny savfile.
+|-
+|  Bookworm
+|  High-scores and word list
+|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
+|-
+|  Crazy Sudoku
+|  Profile names/Data File
+|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
 |-
 |  Dark Void Zero
-| High-Scores
+|  High-Scores
-| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields.
+|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
+|-
+|  Digger Dan & Kaboom
+|  Player name
+|  The ASCII player names aren't exploitable, but the save is <10KB anyway.
+|-
+|  Dracula
+|  No manual input
+|  Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups.  High-scores doesn't have string bugs.
+|-
+|  Escapee Go
+|  None
+|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
+|-
+|  Fieldrunners
+|  High-Scores
+|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
+|-
+|  Frogger Returns
+|  High-Scores
+|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
+|-
+|  Guitar Rock Tour
+|  High-Scores
+|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
+|-
+|  Legends of Exidia
+|  Player name
+|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
+|-
+|  Mario Calculator
+|  None
+|  No savedata at all in the tad.
+|-
+|  Paul's Shooting Adventure
+|  High-Scores
+|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
+|-
+|  Prehistorik Man
+|  Password text
+|  Has some ASCII password text for continuing, but there's less than 10KB free.
+|-
+|  Primrose
+|  High-scores
+|  Has English-only high-scores and a trivial checksum, not exploitable.
+|-
+|  Rayman
+|  Player name
+|  No overflow, with a long string the game only displays one extra character.
+|-
+|  Soul of Darkness
+|  Player name
+|  Has ASCII player name with 3 profiles.
+|-
+|  Sudoku
+|  Player name
+|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
+|-
+|  Telegraph Sudoku & Kakuro
+|  Profile name
+|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
+|-
+|  The Legend of Zelda: Four Swords Anniversary
+|  Savedata filesize
+|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
+|-
+|  UNO
+|  Profile names
+|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
+|-
+|  WordSearcher
+|  Player name & WordSearch Board
+|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
+|}
+== DSiWare that probably don't have vulnerabilities ==
+{| class="wikitable" border="1"
+|-
+!  Name
+!  Input type(s)
+!  Description
+|-
+|  24/7 Solitaire
+|  None
+|  No high-scores or string input.
+|-
+|  Absolute Reversi
+|  None
+|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
+|-
+|  A Little Bit of... All-Time Classics: Card Classics
+|  None
+|  No strings
+|-
+|  A Little Bit of... All-Time Classics: Family Games
+|  None
+|  No strings
+|-
+|  A Little Bit of... All-Time Classics: Strategy Games
+|  None
+|  No strings
+|-
+|  Alpha Bounce
+|  None
+|  No strings
+|-
+|  Asphalt 4
+|  None
+|  No strings
+|-
+|  Aquia: Art Style Series
+|  None
+|  No strings
+|-
+|  Aura Aura Climber
+|  None
+|  No strings
+|-
+|  Birds & Beans
+|  No strings
+|  No strings in savedata.
+|-
+|  Boom Boom Squaries
+|  No strings
+|  No strings in savedata.
+|-
+|  Bomberman Blitz
+|  Name
+|  Has UCS-2 strings.
+|-
+|  Boxlife
+|  None
+|  No strings.
+|-
+|  Blackjack
+|  None
+|  No strings.
+|-
+|  Brain Age Express: Arts & Letters
+|  None
+|  No strings in savedata.
+|-
+|  Brain Age Express: Math
+|  None
+|  No strings in savedata.
+|-
+|  Brain Drain
+|  None
+|  No strings in save.
+|-
+|  Castle of Magic
+|  None
+|  No strings
+|-
+|  Cave Story
+|  None
+|  No strings
+|-
+|  Countdown Calender
+|  None
+|  No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
+|-
+|  Crash Course Domo
+|  None
+|  No strings.
+|-
+|  Chronos Twins
+|  None
+|  No strings.
+|-
+|  Dictionary 6 in 1
+|  None
+|  No strings in savedata.
+|-
+|  DIGIDRIVE: Art Style Series
+|  None
+|  No strings.
+|-
+|  DodoGo! Robo
+|  None
+|  No strings
+|-
+|  Dr. Mario Express
+|  None
+|  No strings.
+|-
+|  Earthworm Jim
+|  None
+|  No strings.
+|-
+|  Extreme Hangman
+|  None
+|  No strings in savedata.
+|-
+|  Little Red Riding Hood's Zombie BBQ
+|  None
+|  No strings
+|-
+|  FIZZ
+|  High-scores
+|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
+|-
+|  Flipper
+|  None
+|  No strings.
+|-
+|  Frenzic
+|  High-scores
+|  Has UCS-2 high-scores.
+|-
+|  Gene Labs
+|  None
+|  Small savedata with no strings.
+|-
+|  Glory Days - Tactical Defense
+|  No strings
+|  Saves only scores not strings.
+|-
+|  GO Series: 10 Second Run
+|  None
+|  No strings.
+|-
+|  Metal Torrent
+|  Player name
+|  Uses a UCS-2 string.
+|-
+|  Master of Illusion Express: Psychic Camera
+|  None
+|  Tiny savfile no strings.
+|-
+|  My Notebook: Blue
+|  None
+|  No strings.
+|-
+|  My Notebook: Pearl
+|  None
+|  No strings.
+|-
+|  My Sims: Camera
+|  None
+|  No strings.
+|-
+|  Mighty Flip Champs
+|  None
+|  No strings.
+|-
+|  My Exotic Farm
+|  Player name
+|  Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
+|-
+|  Paper Airplane Chase
+|  None
+|  The size of both files in the savedata are only 8 bytes, no strings.
+|-
+|  PiCOPiCT: Art Style series
+|  None
+|  No strings.
+|-
+|  PiCTOBiTS: Art Style series
+|  None
+|  No strings.
+|-
+|  Plants Vs. Zombies
+|  None
+|  No strings, uses system user name for player name.
+|-
+|  Pop Island
+|  None
+|  No strings.
+|-
+|  Pyoro
+|  None
+|  16-byte savedata no strings.
+|-
+|  Photo Clock
+|  None
+|  Small savedata, no strings at all.
+|-
+|  Photo Dojo
+|  Handwritten character name via stylus
+|  Savedata only contains .jpg files and some tiny "save"/"info" files.
+|-
+|  Shantae: Risky's Revenge
+|  None
+|  Has 3 save slots but no string input.
+|-
+|  Simply Minesweeper
+|  None
+|  No strings.
+|-
+|  Sokomania
+|  None
+|  No strings.
+|-
+|  Sparkle Snapshots
+|  None
+|  No strings.
+|-
+|  Starship Defense
+|  None
+|  No strings.
+|-
+|  Tetris Party Live
+|  None
+|  Zero text input, not enough payload space anyway.
+|-
+|  WarioWare: Snapped
+|  None
+|  No high-scores or string input.
+|-
+|  ZENGAGE: Art Style Series
+|  None
+|  No strings.
+|-
+|  Zenonia
+|  None
+|  No strings.
+|}
+== DSiWare that were already obtained for analysis ==
+Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.
+{| class="wikitable" border="1"
+|-
+!  Name
+!  Text format
+|-
+|  Flipnote Studio
+|  UCS-2
+|-
+|  Mario Vs. Donkey Kong: Minis March Again
+|  UCS-2
+|-
+|  Opera
+|  The savedata is private NAND-only, no savedata is copied to SD card.
 |}