This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
List of DSiWare with incomplete analysis
Name
|
Input type(s)
|
Status
|
Description
|
List of DSiWare with finished analysis
Name
|
Input type(s)
|
Description
|
Dark Void Zero
|
High-Scores
|
No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields.
|
Dracula
|
No manual input
|
Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|
Arcade Hoops Basketball
|
High-Scores, names via settings
|
Has ASCII high-scores with null terminated strings, no string bugs.
|
List of DSiWare that probably don't have vulnerabilities
Name
|
Input type(s)
|
Description
|
FIZZ
|
High-scores
|
None
|
Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|
Photo Dojo
|
Handwritten character name via stylus
|
Savedata only contains .jpg files and some tiny "save"/"info" files.
|
Photo Clock
|
None
|
Small savedata, no strings at all.
|
Brain Age Express: Arts & Letters
|
None
|
No strings in savedata.
|
Brain Age Express: Math
|
None
|
No strings in savedata.
|