DSiBrew

DSiWare VulnList: Difference between revisions

← Older edit
Deminx (talk | contribs)
1 edit
No edit summary
 
(88 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched less than a week) if exploits for those were released.
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
== Total listed DSiWare ==
== Total listed DSiWare ==


Line 18: Line 9:
|-
|-
|  Incomplete
|  Incomplete
10
16
|-
|-
|  Done
|  Done
11
27
|-
|-
|  DSiWare which probably aren't exploitable
|  DSiWare which probably aren't exploitable
32
59
|-
|-
|  Already have
|  Already have
2
3
|-
|-
|  All total
|  All total
55
100
|}
|}


Line 45: Line 36:
|  Player name
|  Player name
|  None
|  None
|  Has an UCS-2 player name.
|  Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
|  Advanced Circuits
|  Advanced Circuits
Line 51: Line 42:
|  Started
|  Started
|  Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|  Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
|  Arcade Bowling
|  High-Scores
|  None
|  The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
|-
|  Art Academy: First Semester
|  Art Academy: First Semester
Line 57: Line 53:
|  Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|  Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
|-
Army Defender
Bejeweled Twist
|  High-scores
|  None
|  Checksum is unknown, save has ASCII strings.
|-
|  Bounce & Break
|  High-scores
|  High-scores
|  Started
|  Started
|  Has ASCII strings for high-scores, but the checksum is unknown.
|  Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Card games
|  Player name
|  None
|  Has ASCII player names, checksum is unknown.
|-
|  Chess Challenge
|  Profile names
|  None
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
|  Crystal Monsters
|  Crystal Monsters
|  Player name
|  Player name
|  Started
|  Started
|  Has ASCII player name.
|  Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
|  Elemental Masters
|  Player name?
|  None
|  Has ASCII strings but the checksum is unknown.
|-
|  Faceez
|  Player name?
|  None
|  Has ASCII string but the checksum is unknown.
|-
|-
Field Runners
Jelly Car 2
|  High-Scores
|  High Score name
Started
None
The xml .plist the game uses for storing savedata contains high-scores strings.
Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
Frogger Returns
Lets golf
High-Scores
Player name
Started
None
|  Has ASCII high-scores.
|  Has ASCII player name checksum is unknown.
|-
|-
Guitar Rock Tour
Mixed Messages
High-Scores
Player name and other text
Started
None
Has ASCII high-scores.
Uses ASCII for player name and other text input, but the checksum is unknown.
|-
|-
Legends of Exidia
Number Battle
|  Player name
|  Player name
Started
None
Has ASCII player name.
Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
|-
UNO
Pop Superstar: Road to celebrity
|  Player name and high-scores
|  Player name
Started
None
|  Has ASCII text.
|  Has ASCII strings.
|}
|}


Line 109: Line 130:
|  High-Scores
|  High-Scores
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
|  Academy: Checkers
|  Profile names
|  Game didn't crash with a long profile string.
|-
|-
|  Arcade Hoops Basketball
|  Arcade Hoops Basketball
|  High-Scores, names via settings
|  High-Scores, names via settings
|  Has ASCII high-scores with null terminated strings, no string bugs.
|  Has ASCII high-scores with null terminated strings, no string bugs.
|-
|  Army Defender
|  High-scores
|  Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
|  Bloons
|  Profile names
|  Has some profile names but they're all in one tiny savfile.
|-
|-
|  Bookworm
|  Bookworm
|  High-scores and word list
|  High-scores and word list
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|-
|  Crazy Sudoku
|  Profile names/Data File
|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
|-
|  Dark Void Zero
|  Dark Void Zero
|  High-Scores
|  High-Scores
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
|  Digger Dan & Kaboom
|  Player name
|  The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
|-
|  Dracula
|  Dracula
Line 129: Line 170:
|  None
|  None
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
|  Fieldrunners
|  High-Scores
|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
|  Frogger Returns
|  High-Scores
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
|  Guitar Rock Tour
|  High-Scores
|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
|  Legends of Exidia
|  Player name
|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
|  Mario Calculator
|  None
|  No savedata at all in the tad.
|-
|-
|  Paul's Shooting Adventure
|  Paul's Shooting Adventure
|  High-Scores
|  High-Scores
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
|  Prehistorik Man
|  Password text
|  Has some ASCII password text for continuing, but there's less than 10KB free.
|-
|-
|  Primrose
|  Primrose
|  High-scores
|  High-scores
|  Has English-only high-scores and a trivial checksum, not exploitable.
|  Has English-only high-scores and a trivial checksum, not exploitable.
|-
|  Rayman
|  Player name
|  No overflow, with a long string the game only displays one extra character.
|-
|  Soul of Darkness
|  Player name
|  Has ASCII player name with 3 profiles.
|-
|-
|  Sudoku
|  Sudoku
Line 142: Line 215:
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
|-
Rayman
Telegraph Sudoku & Kakuro
Player name
Profile name
|  No overflow, with a long string the game only displays one extra character.
|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
|  The Legend of Zelda: Four Swords Anniversary
|  Savedata filesize
|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
|  UNO
|  Profile names
|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
|  WordSearcher
|  Player name & WordSearch Board
|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}
|}


Line 162: Line 247:
|  Absolute Reversi
|  Absolute Reversi
|  None
|  None
|  No strings in savedata.
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
|-
|  A Little Bit of... All-Time Classics: Card Classics
|  A Little Bit of... All-Time Classics: Card Classics
Line 173: Line 258:
|-
|-
|  A Little Bit of... All-Time Classics: Strategy Games
|  A Little Bit of... All-Time Classics: Strategy Games
|  None
|  No strings
|-
|  Alpha Bounce
|  None
|  No strings
|-
|  Asphalt 4
|  None
|  None
|  No strings
|  No strings
|-
|-
|  Aquia: Art Style Series
|  Aquia: Art Style Series
|  None
|  No strings
|-
|  Aura Aura Climber
|  None
|  None
|  No strings
|  No strings
Line 191: Line 288:
|  Name
|  Name
|  Has UCS-2 strings.
|  Has UCS-2 strings.
|-
|  Boxlife
|  None
|  No strings.
|-
|  Blackjack
|  None
|  No strings.
|-
|-
|  Brain Age Express: Arts & Letters
|  Brain Age Express: Arts & Letters
Line 199: Line 304:
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  Brain Drain
|  None
|  No strings in save.
|-
|  Castle of Magic
|  None
|  No strings
|-
|  Cave Story
|  None
|  No strings
|-
|  Countdown Calender
|  None
|  No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
|  Crash Course Domo
|  None
|  No strings.
|-
|  Chronos Twins
|  None
|  No strings.
|-
|-
|  Dictionary 6 in 1
|  Dictionary 6 in 1
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  DIGIDRIVE: Art Style Series
|  None
|  No strings.
|-
|  DodoGo! Robo
|  None
|  No strings
|-
|-
|  Dr. Mario Express
|  Dr. Mario Express
Line 215: Line 352:
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  Little Red Riding Hood's Zombie BBQ
|  None
|  No strings
|-
|-
|  FIZZ
|  FIZZ
|  High-scores
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
|  Flipper
|  None
|  No strings.
|-
|  Frenzic
|  High-scores
|  Has UCS-2 high-scores.
|-
|-
|  Gene Labs
|  Gene Labs
Line 227: Line 376:
|  No strings
|  No strings
|  Saves only scores not strings.
|  Saves only scores not strings.
|-
|  GO Series: 10 Second Run
|  None
|  No strings.
|-
|-
|  Metal Torrent
|  Metal Torrent
|  Player name
|  Player name
|  Uses a UCS-2 string.
|  Uses a UCS-2 string.
|-
|  Master of Illusion Express: Psychic Camera
|  None
|  Tiny savfile no strings.
|-
|-
|  My Notebook: Blue
|  My Notebook: Blue
|  None
|  No strings.
|-
|  My Notebook: Pearl
|  None
|  No strings.
|-
|  My Sims: Camera
|  None
|  None
|  No strings.
|  No strings.
Line 253: Line 418:
|-
|-
|  PiCTOBiTS: Art Style series
|  PiCTOBiTS: Art Style series
|  None
|  No strings.
|-
|  Plants Vs. Zombies
|  None
|  No strings, uses system user name for player name.
|-
|  Pop Island
|  None
|  None
|  No strings.
|  No strings.
Line 271: Line 444:
|  None
|  None
|  Has 3 save slots but no string input.
|  Has 3 save slots but no string input.
|-
|  Simply Minesweeper
|  None
|  No strings.
|-
|  Sokomania
|  None
|  No strings.
|-
|  Sparkle Snapshots
|  None
|  No strings.
|-
|-
|  Starship Defense
|  Starship Defense
Line 278: Line 463:
|  Tetris Party Live
|  Tetris Party Live
|  None
|  None
|  Zero text input.
|  Zero text input, not enough payload space anyway.
|-
|-
|  WarioWare: Snapped
|  WarioWare: Snapped
|  None
|  None
|  No high-scores or string input.
|  No high-scores or string input.
|-
|  ZENGAGE: Art Style Series
|  None
|  No strings.
|-
|  Zenonia
|  None
|  No strings.
|}
|}


Line 298: Line 491:
|  Mario Vs. Donkey Kong: Minis March Again
|  Mario Vs. Donkey Kong: Minis March Again
|  UCS-2
|  UCS-2
|-
|  Opera
|  The savedata is private NAND-only, no savedata is copied to SD card.
|}
|}
Retrieved from "https://dsibrew.org/wiki/DSiWare_VulnList"