Changes

401 bytes added ,  09:19, 12 May 2014
m
no edit summary
Line 1: Line 1: −
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
  −
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
  −
  −
It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched eventually) if exploits for those were released.
  −
  −
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.
  −
  −
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
  −
   
== Total listed DSiWare ==
 
== Total listed DSiWare ==
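Review bot: removing the intro also removes the only definition of the Status column ("None" = reverse engineering not started, "Started", "Done"), and the tables below still use those values, so a reader of the new revision has no legend for them; keep that one paragraph, or put a one-line legend above the first table, even if the contact details and the tool link are being retired. Because the change has no edit summary, it is also unclear whether the removed text was moved to another page or dropped on purpose; say which.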
   Line 18: Line 9:  
|-
 
|-
 
|  Incomplete
 
|  Incomplete
22
+
20
 
|-
 
|-
 
|  Done
 
|  Done
13
+
18
 
|-
 
|-
 
|  DSiWare which probably aren't exploitable
 
|  DSiWare which probably aren't exploitable
45
+
59
 
|-
 
|-
 
|  Already have
 
|  Already have
Line 30: Line 21:  
|-
 
|-
 
|  All total
 
|  All total
83
+
100
 
|}
 
|}
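Review bot: the new totals cannot be checked from this hunk alone because the unchanged "Already have" value is not shown; they do reconcile with the row changes elsewhere in the diff (Incomplete 22 + Crazy Sudoku, minus DIGIDRIVE, Frogger Returns and My Notebook: Pearl = 20; Done 13 + 5 new rows = 18; probably not exploitable 45 + 14 new rows = 59), which implies "Already have" is 3 in both revisions (97 + 3 = 100, 80 + 3 = 83). Since these counts are maintained by hand, a short note on how they are derived would make future edits easier to verify.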
   Line 45: Line 36:  
|  Player name
 
|  Player name
 
|  None
 
|  None
|  Has an UCS-2 player name.
+
|  Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 
|-
 
|-
 
|  Advanced Circuits
 
|  Advanced Circuits
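Review bot: the Player name row gains a test observation ("seems to crash /w out-of-bounds array-index") but its Status stays "None", whereas Bounce & Break further down is moved to "Started" for the same kind of observation; pick one convention so that Status reflects whether the save was actually tested. Minor: "/w" appears in every new note on this page where "with" is meant; the usual abbreviation is "w/".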
Line 65: Line 56:  
|  High-scores
 
|  High-scores
 
|  None
 
|  None
|  Checksum is unknown has ASCII strings.
+
|  Checksum is unknown, save has ASCII strings.
 
|-
 
|-
 
|  Bounce & Break
 
|  Bounce & Break
 
|  High-scores
 
|  High-scores
None
+
Started
|  Has ASCII high-scores but checksum is unknown.
+
|  Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 
|-
 
|-
 
|  Card games
 
|  Card games
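Review bot: the rewritten Bounce & Break note drops the "checksum is unknown" clause that the old text had; if the checksum was worked out while the row was moved to "Started", record that (the Advanced Circuits row above still lists its checksum as unknown), otherwise keep the clause so the two rows stay comparable.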
Line 80: Line 71:  
|  Profile names
 
|  Profile names
 
|  None
 
|  None
|  Has ASCII strings.
+
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 +
|-
 +
|  Crazy Sudoku
 +
|  Player name
 +
|  None
 +
|  Has ASCII strings for player name.
 
|-
 
|-
 
|  Crystal Monsters
 
|  Crystal Monsters
 
|  Player name
 
|  Player name
 
|  Started
 
|  Started
|  Has ASCII player name.
+
|  Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
  −
|  DIGIDRIVE: Art Style Series
  −
|  ?
  −
|  None
  −
|  Didn't check the sav yet but probably doesn't have strings like other artstyle games.
   
|-
 
|-
 
|  Elemental Masters
 
|  Elemental Masters
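Review bot: the Crystal Monsters note ("Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail") describes the same out-of-bounds index crash that the Card games row in this hunk calls "unlikely" to be exploitable; use the same wording for the same finding, or state what differs between the two cases. The new Crazy Sudoku row with Status "None" and "Has ASCII strings for player name." is consistent with the legend as it stood before this change.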
Line 106: Line 97:  
|  Started
 
|  Started
 
|  The xml .plist the game uses for storing savedata contains high-scores strings.
 
|  The xml .plist the game uses for storing savedata contains high-scores strings.
|-
  −
|  Frogger Returns
  −
|  High-Scores
  −
|  Started
  −
|  Has ASCII high-scores.
   
|-
 
|-
 
|  Guitar Rock Tour
 
|  Guitar Rock Tour
Line 131: Line 117:  
|  None
 
|  None
 
|  Uses ASCII for player name and other text input, but the checksum is unknown.
 
|  Uses ASCII for player name and other text input, but the checksum is unknown.
|-
  −
|  My Notebook: Pearl
  −
|  ?
  −
|  None
  −
|  Didn't check the sav but probably doesn't have strings like the other notebook dsiware?
   
|-
 
|-
 
|  Number Battle
 
|  Number Battle
Line 145: Line 126:  
|  Player name
 
|  Player name
 
|  None
 
|  None
|  Has ASCII strings, unknown checksum.
+
|  Has ASCII strings.
 
|-
 
|-
 
|  UNO
 
|  UNO
 
|  Player name and high-scores
 
|  Player name and high-scores
 
|  Started
 
|  Started
|  Has ASCII text.
+
|  Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 
|}
 
|}
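Review bot: the Number Battle note loses "unknown checksum" in the rewrite while the UNO note only appends; if the checksum question for Number Battle has been resolved, record the answer rather than deleting the clause, since the other rows in this table use that clause to explain why work stopped.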
   Line 189: Line 170:  
|  High-Scores
 
|  High-Scores
 
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
 
|  No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
 +
|-
 +
|  Digger Dan & Kaboom
 +
|  Player name
 +
|  The ASCII player names aren't exploitable, but the save is <10KB anyway.
 
|-
 
|-
 
|  Dracula
 
|  Dracula
Line 197: Line 182:  
|  None
 
|  None
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 +
|-
 +
|  Frogger Returns
 +
|  High-Scores
 +
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
 +
|-
 +
|  Mario Calculator
 +
|  None
 +
|  No savedata at all in the tad.
 
|-
 
|-
 
|  Paul's Shooting Adventure
 
|  Paul's Shooting Adventure
 
|  High-Scores
 
|  High-Scores
 
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
 
|  Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
 +
|-
 +
|  Prehistorik Man
 +
|  Password text
 +
|  Has some ASCII password text for continuing, but there's less than 10KB free.
 
|-
 
|-
 
|  Primrose
 
|  Primrose
 
|  High-scores
 
|  High-scores
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 +
|-
 +
|  Soul of Darkness
 +
|  Player name
 +
|  Has ASCII player name with 3 profiles.
 
|-
 
|-
 
|  Sudoku
 
|  Sudoku
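Review bot: several rows added to this table (Frogger Returns, Prehistorik Man, and Digger Dan & Kaboom above) give "<10KB" of free space as the deciding factor, but the size the free space is being compared against is no longer stated anywhere now that the intro is gone; give that threshold once above the table. The Soul of Darkness row is the only one here without a verdict ("Has ASCII player name with 3 profiles." says what was found, not why the row belongs in the finished table), and the Frogger Returns row ends in "unknown if this is exploitable ... so meh"; each row should close with the conclusion that justifies its placement.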
Line 230: Line 231:  
|  Absolute Reversi
 
|  Absolute Reversi
 
|  None
 
|  None
|  No strings in savedata.
+
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
 
|-
 
|-
 
|  A Little Bit of... All-Time Classics: Card Classics
 
|  A Little Bit of... All-Time Classics: Card Classics
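Review bot: the Absolute Reversi note now gives a concrete shortfall ("payload exceeds the free space by ~6KB"), which is more useful than the bare "<10KB" wording used elsewhere; consider the same form for the other rows. Style: a space is missing before the parenthesis, and "anyways" should be "anyway".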
Line 241: Line 242:  
|-
 
|-
 
|  A Little Bit of... All-Time Classics: Strategy Games
 
|  A Little Bit of... All-Time Classics: Strategy Games
 +
|  None
 +
|  No strings
 +
|-
 +
|  Alpha Bounce
 
|  None
 
|  None
 
|  No strings
 
|  No strings
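Review bot: the note cells added to this table throughout the change alternate between "No strings", "No strings.", "No strings in save." and "No strings in savedata."; settle on one form so the column can be scanned (and searched) consistently.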
Line 249: Line 254:  
|-
 
|-
 
|  Aquia: Art Style Series
 
|  Aquia: Art Style Series
 +
|  None
 +
|  No strings
 +
|-
 +
|  Aura Aura Climber
 
|  None
 
|  None
 
|  No strings
 
|  No strings
Line 279: Line 288:  
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  Brain Drain
 +
|  None
 +
|  No strings in save.
 +
|-
 +
|  Castle of Magic
 +
|  None
 +
|  No strings
 +
|-
 +
|  Cave Story
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  Countdown Calender
 
|  Countdown Calender
Line 285: Line 306:  
|-
 
|-
 
|  Crash Course Domo
 
|  Crash Course Domo
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Chronos Twins
 
|  None
 
|  None
 
|  No strings.
 
|  No strings.
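Review bot: Chronos Twins is inserted after Crash Course Domo, which breaks the alphabetical order the rest of the table follows ("Ch" sorts before "Cr"); move it above Crash Course Domo so the row count remains easy to cross-check against the totals.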
Line 291: Line 316:  
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  DIGIDRIVE: Art Style Series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  DodoGo! Robo
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  Dr. Mario Express
 
|  Dr. Mario Express
Line 303: Line 336:  
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  Little Red Riding Hood's Zombie BBQ
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  FIZZ
 
|  FIZZ
 
|  High-scores
 
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
+
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
 
|-
 
|-
 
|  Flipper
 
|  Flipper
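Review bot: Little Red Riding Hood's Zombie BBQ is inserted immediately before FIZZ, out of the alphabetical order used by the rest of the table; it belongs after GO Series: 10 Second Run. The FIZZ note also replaces "A vuln is unlikely" with the stronger "Can't be crashed at all"; a stronger claim should say what it rests on.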
Line 323: Line 360:  
|  No strings
 
|  No strings
 
|  Saves only scores not strings.
 
|  Saves only scores not strings.
 +
|-
 +
|  GO Series: 10 Second Run
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Metal Torrent
 
|  Metal Torrent
Line 333: Line 374:  
|-
 
|-
 
|  My Notebook: Blue
 
|  My Notebook: Blue
 +
|  None
 +
|  No strings.
 +
|-
 +
|  My Notebook: Pearl
 
|  None
 
|  None
 
|  No strings.
 
|  No strings.
Line 359: Line 404:  
|  None
 
|  None
 
|  No strings.
 
|  No strings.
 +
|-
 +
|  Plants Vs. Zombies
 +
|  None
 +
|  No strings, uses system user name for player name.
 
|-
 
|-
 
|  Pop Island
 
|  Pop Island
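Review bot: the Plants Vs. Zombies row says it "uses system user name for player name", which the intro removed in this same change singled out as a case of interest (high-scores that take the username from system settings), yet the row is filed under "No strings"; state why it does not qualify, presumably that the name is read from system settings at run time and never written to the save, otherwise the row looks misfiled.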
Line 379: Line 428:  
|  None
 
|  None
 
|  Has 3 save slots but no string input.
 
|  Has 3 save slots but no string input.
 +
|-
 +
|  Simply Minesweeper
 +
|  None
 +
|  No strings.
 
|-
 
|-
 
|  Sokomania
 
|  Sokomania
Line 394: Line 447:  
|  Tetris Party Live
 
|  Tetris Party Live
 
|  None
 
|  None
|  Zero text input.
+
|  Zero text input, not enough payload space anyway.
 
|-
 
|-
 
|  WarioWare: Snapped
 
|  WarioWare: Snapped
Line 401: Line 454:  
|-
 
|-
 
|  ZENGAGE: Art Style Series
 
|  ZENGAGE: Art Style Series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Zenonia
 
|  None
 
|  None
 
|  No strings.
 
|  No strings.
Line 420: Line 477:  
|-
 
|-
 
|  Opera
 
|  Opera
Nothing interesting in savedata.
+
The savedata is private NAND-only, no savedata is copied to SD card.
 
|}
 
|}
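Review bot: the old Opera note ("Nothing interesting in savedata.") implied the save had been inspected, while the new one says the savedata is private NAND-only and never copied to SD; if the save was inspected by some other route, say how, otherwise the row should read as "not examined" rather than as a finding.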
