DSiBrew

DSiWare VulnList: Difference between revisions

← Older edit
No edit summary
 
(26 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata.
Since system update 1.4.2 blocks copying *all* dsiwarehax, do not contact us about your dsiware anymore at all.
If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
Don't bother if all you care about is warez and don't care at all about homebrew: DSiWareHax SD card loader will never load warez directly, only homebrew.
It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched eventually) if exploits for those were released.
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
== Total listed DSiWare ==
== Total listed DSiWare ==


Line 22: Line 9:
|-
|-
|  Incomplete
|  Incomplete
20
16
|-
|-
|  Done
|  Done
18
27
|-
|-
|  DSiWare which probably aren't exploitable
|  DSiWare which probably aren't exploitable
Line 85: Line 72:
|  None
|  None
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Crazy Sudoku
|  Player name
|  None
|  Has ASCII strings for player name.
|-
|-
|  Crystal Monsters
|  Crystal Monsters
Line 106: Line 88:
|  Has ASCII string but the checksum is unknown.
|  Has ASCII string but the checksum is unknown.
|-
|-
Field Runners
Jelly Car 2
|  High-Scores
|  High Score name
Started
None
The xml .plist the game uses for storing savedata contains high-scores strings.
Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|  Guitar Rock Tour
|  High-Scores
|  Started
|  Has ASCII high-scores.
|-
|  Legends of Exidia
|  Player name
|  Started
|  Has ASCII player name.
|-
|-
|  Lets golf
|  Lets golf
Line 140: Line 112:
|  None
|  None
|  Has ASCII strings.
|  Has ASCII strings.
|-
|  UNO
|  Player name and high-scores
|  Started
|  Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|}
|}


Line 163: Line 130:
|  High-Scores
|  High-Scores
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
|  Academy: Checkers
|  Profile names
|  Game didn't crash with a long profile string.
|-
|-
|  Arcade Hoops Basketball
|  Arcade Hoops Basketball
Line 179: Line 150:
|  High-scores and word list
|  High-scores and word list
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
|-
|  Crazy Sudoku
|  Profile names/Data File
|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
|-
|  Dark Void Zero
|  Dark Void Zero
Line 186: Line 161:
|  Digger Dan & Kaboom
|  Digger Dan & Kaboom
|  Player name
|  Player name
Save has ASCII playername, but there's <10KB free in the savimage anyway.
The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
|-
|  Dracula
|  Dracula
Line 195: Line 170:
|  None
|  None
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
|  Fieldrunners
|  High-Scores
|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
|-
|  Frogger Returns
|  Frogger Returns
|  High-Scores
|  High-Scores
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
|  Guitar Rock Tour
|  High-Scores
|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
|  Legends of Exidia
|  Player name
|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
|-
|  Mario Calculator
|  Mario Calculator
Line 215: Line 202:
|  High-scores
|  High-scores
|  Has English-only high-scores and a trivial checksum, not exploitable.
|  Has English-only high-scores and a trivial checksum, not exploitable.
|-
|  Rayman
|  Player name
|  No overflow, with a long string the game only displays one extra character.
|-
|-
|  Soul of Darkness
|  Soul of Darkness
Line 224: Line 215:
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
|-
Rayman
Telegraph Sudoku & Kakuro
Player name
Profile name
|  No overflow, with a long string the game only displays one extra character.
|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
|  The Legend of Zelda: Four Swords Anniversary
|  Savedata filesize
|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
|  UNO
|  Profile names
|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
|  WordSearcher
|  Player name & WordSearch Board
|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}
|}


Line 244: Line 247:
|  Absolute Reversi
|  Absolute Reversi
|  None
|  None
|  No strings in savedata.
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
|-
|  A Little Bit of... All-Time Classics: Card Classics
|  A Little Bit of... All-Time Classics: Card Classics
Line 356: Line 359:
|  FIZZ
|  FIZZ
|  High-scores
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
|-
|  Flipper
|  Flipper
Line 460: Line 463:
|  Tetris Party Live
|  Tetris Party Live
|  None
|  None
|  Zero text input.
|  Zero text input, not enough payload space anyway.
|-
|-
|  WarioWare: Snapped
|  WarioWare: Snapped
Line 490: Line 493:
|-
|-
|  Opera
|  Opera
Nothing interesting in savedata.
The savedata is private NAND-only, no savedata is copied to SD card.
|}
|}
Test!
Retrieved from "https://dsibrew.org/wiki/DSiWare_VulnList"