DSiBrew

DSiWare VulnList: Difference between revisions

← Older edit
Added section for dsiware that we already obtained.
 
(130 intermediate revisions by 7 users not shown)
Line 1: Line 1:
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
== Total listed DSiWare ==
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.


DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi
Total DSiWare in below lists.


For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
{| class="wikitable" border="1"
|-
!  List
!  Total
|-
|  Incomplete
|  16
|-
|  Done
|  27
|-
DSiWare which probably aren't exploitable
|  59
|-
|  Already have
|  3
|-
|  All total
|  100
|}


== DSiWare that can be crashed ==
== DSiWare with incomplete analysis ==


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 15: Line 33:
!  Description
!  Description
|-
|-
Dark Void Zero
Academy: Tic-Tac-Toe
| High-Scores
| Player name
| Done
| None
| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds.
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Advanced Circuits
|  Profile names
|  Started
|  Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
|  Arcade Bowling
|  High-Scores
|  None
|  The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
|  Art Academy: First Semester
|  None?
|  None
|  Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
|  Bejeweled Twist
|  High-scores
|  None
|  Checksum is unknown, save has ASCII strings.
|-
|-
Frogger Returns
Bounce & Break
|  High-scores
|  High-scores
|  Started
|  Started
|  Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable.
|  Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Card games
|  Player name
|  None
|  Has ASCII player names, checksum is unknown.
|-
|  Chess Challenge
|  Profile names
|  None
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
Legends of Exidia
Crystal Monsters
|  Player name
|  Player name
|  Started
|  Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
|  Elemental Masters
|  Player name?
|  None
|  None
|  Has ASCII player name in one file, and UCS-2 player name in a profile file. This game was crashed by modifying strings in the profile savedata file.
|  Has ASCII strings but the checksum is unknown.
|-
|-
Sudoku
Faceez
|  Player name?
|  None
|  Has ASCII string but the checksum is unknown.
|-
|  Jelly Car 2
|  High Score name
|  None
|  Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Lets golf
|  Player name
|  Player name
|  None
|  None
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name.
|  Has ASCII player name checksum is unknown.
|}
|-
 
|  Mixed Messages
== DSiWare with incomplete analysis ==
|  Player name and other text
 
|  None
{| class="wikitable" border="1"
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
|-
! Name
| Number Battle
! Input type(s)
| Player name
! Status
| None
! Description
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
|-
Escapee Go
Pop Superstar: Road to celebrity
|  Player name
|  None
|  None
|  Started
|  Has ASCII strings.
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|}
|}


Line 59: Line 122:
!  Input type(s)
!  Input type(s)
!  Description
!  Description
|-
|  5 in 1 Solitaire
|  Profile names
|  Game didn't crash with a long profile string.
|-
|  Airport Mania: Non Stop Flights
|  High-Scores
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
|  Academy: Checkers
|  Profile names
|  Game didn't crash with a long profile string.
|-
|-
|  Arcade Hoops Basketball
|  Arcade Hoops Basketball
|  High-Scores, names via settings
|  High-Scores, names via settings
|  Has ASCII high-scores with null terminated strings, no string bugs.
|  Has ASCII high-scores with null terminated strings, no string bugs.
|-
|  Army Defender
|  High-scores
|  Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
|  Bloons
|  Profile names
|  Has some profile names but they're all in one tiny savfile.
|-
|-
|  Bookworm
|  Bookworm
|  High-scores and word list
|  High-scores and word list
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|-
|  Crazy Sudoku
|  Profile names/Data File
|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
|  Dark Void Zero
|  High-Scores
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
|  Digger Dan & Kaboom
|  Player name
|  The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
|-
|  Dracula
|  Dracula
|  No manual input
|  No manual input
|  Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups.  High-scores doesn't have string bugs.
|  Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups.  High-scores doesn't have string bugs.
|-
|  Escapee Go
|  None
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
|  Fieldrunners
|  High-Scores
|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
|  Frogger Returns
|  High-Scores
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
|  Guitar Rock Tour
|  High-Scores
|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
|  Legends of Exidia
|  Player name
|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
|  Mario Calculator
|  None
|  No savedata at all in the tad.
|-
|-
|  Paul's Shooting Adventure
|  Paul's Shooting Adventure
|  High-Scores
|  High-Scores
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
|  Prehistorik Man
|  Password text
|  Has some ASCII password text for continuing, but there's less than 10KB free.
|-
|  Primrose
|  High-scores
|  Has English-only high-scores and a trivial checksum, not exploitable.
|-
|  Rayman
|  Player name
|  No overflow, with a long string the game only displays one extra character.
|-
|  Soul of Darkness
|  Player name
|  Has ASCII player name with 3 profiles.
|-
|  Sudoku
|  Player name
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
|  Telegraph Sudoku & Kakuro
|  Profile name
|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
|  The Legend of Zelda: Four Swords Anniversary
|  Savedata filesize
|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
|  UNO
|  Profile names
|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
|  WordSearcher
|  Player name & WordSearch Board
|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}
|}


Line 89: Line 244:
|  None
|  None
|  No high-scores or string input.
|  No high-scores or string input.
|-
|  Absolute Reversi
|  None
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
|  A Little Bit of... All-Time Classics: Card Classics
|  None
|  No strings
|-
|  A Little Bit of... All-Time Classics: Family Games
|  None
|  No strings
|-
|  A Little Bit of... All-Time Classics: Strategy Games
|  None
|  No strings
|-
|  Alpha Bounce
|  None
|  No strings
|-
|  Asphalt 4
|  None
|  No strings
|-
|-
|  Aquia: Art Style Series
|  Aquia: Art Style Series
|  None
|  None
|  No strings
|  No strings
|-
|  Aura Aura Climber
|  None
|  No strings
|-
|  Birds & Beans
|  No strings
|  No strings in savedata.
|-
|  Boom Boom Squaries
|  No strings
|  No strings in savedata.
|-
|  Bomberman Blitz
|  Name
|  Has UCS-2 strings.
|-
|  Boxlife
|  None
|  No strings.
|-
|  Blackjack
|  None
|  No strings.
|-
|-
|  Brain Age Express: Arts & Letters
|  Brain Age Express: Arts & Letters
Line 101: Line 304:
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  Brain Drain
|  None
|  No strings in save.
|-
|  Castle of Magic
|  None
|  No strings
|-
|  Cave Story
|  None
|  No strings
|-
|  Countdown Calender
|  None
|  No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
|  Crash Course Domo
|  None
|  No strings.
|-
|  Chronos Twins
|  None
|  No strings.
|-
|-
|  Dictionary 6 in 1
|  Dictionary 6 in 1
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  DIGIDRIVE: Art Style Series
|  None
|  No strings.
|-
|  DodoGo! Robo
|  None
|  No strings
|-
|-
|  Dr. Mario Express
|  Dr. Mario Express
|  None
|  No strings.
|-
|  Earthworm Jim
|  None
|  No strings.
|-
|  Extreme Hangman
|  None
|  No strings in savedata.
|-
|  Little Red Riding Hood's Zombie BBQ
|  None
|  None
|  No strings
|  No strings
Line 112: Line 359:
|  FIZZ
|  FIZZ
|  High-scores
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
|  Flipper
|  None
|  No strings.
|-
|  Frenzic
|  High-scores
|  Has UCS-2 high-scores.
|-
|-
|  Gene Labs
|  Gene Labs
|  None
|  None
|  Small savedata with no strings.
|  Small savedata with no strings.
|-
|  Glory Days - Tactical Defense
|  No strings
|  Saves only scores not strings.
|-
|  GO Series: 10 Second Run
|  None
|  No strings.
|-
|  Metal Torrent
|  Player name
|  Uses a UCS-2 string.
|-
|  Master of Illusion Express: Psychic Camera
|  None
|  Tiny savfile no strings.
|-
|  My Notebook: Blue
|  None
|  No strings.
|-
|  My Notebook: Pearl
|  None
|  No strings.
|-
|  My Sims: Camera
|  None
|  No strings.
|-
|  Mighty Flip Champs
|  None
|  No strings.
|-
|  My Exotic Farm
|  Player name
|  Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
|-
|  Paper Airplane Chase
|  Paper Airplane Chase
|  None
|  None
|  The size of both files in the savedata are only 8 bytes, no strings.
|  The size of both files in the savedata are only 8 bytes, no strings.
|-
|  PiCOPiCT: Art Style series
|  None
|  No strings.
|-
|  PiCTOBiTS: Art Style series
|  None
|  No strings.
|-
|  Plants Vs. Zombies
|  None
|  No strings, uses system user name for player name.
|-
|  Pop Island
|  None
|  No strings.
|-
|-
|  Pyoro
|  Pyoro
Line 133: Line 440:
|  Handwritten character name via stylus
|  Handwritten character name via stylus
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
|  Shantae: Risky's Revenge
|  None
|  Has 3 save slots but no string input.
|-
|  Simply Minesweeper
|  None
|  No strings.
|-
|  Sokomania
|  None
|  No strings.
|-
|  Sparkle Snapshots
|  None
|  No strings.
|-
|  Starship Defense
|  None
|  No strings.
|-
|  Tetris Party Live
|  None
|  Zero text input, not enough payload space anyway.
|-
|-
|  WarioWare: Snapped
|  WarioWare: Snapped
|  None
|  None
|  No high-scores or string input.
|  No high-scores or string input.
|-
|  ZENGAGE: Art Style Series
|  None
|  No strings.
|-
|  Zenonia
|  None
|  No strings.
|}
|}


== DSiWare that were already obtained for analysis ==
== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them.
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 152: Line 491:
|  Mario Vs. Donkey Kong: Minis March Again
|  Mario Vs. Donkey Kong: Minis March Again
|  UCS-2
|  UCS-2
|-
|  Opera
|  The savedata is private NAND-only, no savedata is copied to SD card.
|}
|}
Retrieved from "https://dsibrew.org/wiki/DSiWare_VulnList"