Changes

234 bytes removed ,  20:48, 16 January 2019
m
Line 1: Line 1: −
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
  −
Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
  −
Don't bother if all you care about is warez and don't care at all about homebrew: DSiWareHax SD card loader will never load warez directly, only homebrew.
  −
  −
It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched eventually) if exploits for those were released.
  −
  −
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi save_extract and save_adjust both require sd_key, but we will not redistribute this key.
  −
  −
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
  −
   
== Total listed DSiWare ==
 
== Total listed DSiWare ==
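Review bot: dropping the intro paragraph that defines the status values ("None" = reverse engineering not started, "Started", "Done") leaves the "None" and "Started" cells that still appear in the tables further down (the Crystal Monsters and Guitar Rock Tour regions, for instance) without a definition anywhere on the page; if the rest of the intro is going away, keep that one sentence, or move it under "Total listed DSiWare" together with the pointer to the save_extract/save_adjust tools that every table entry assumes the reader has.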
   Line 19: Line 9:  
|-
 
|-
 
|  Incomplete
 
|  Incomplete
21
+
20
 
|-
 
|-
 
|  Done
 
|  Done
17
+
22
 
|-
 
|-
 
|  DSiWare which probably aren't exploitable
 
|  DSiWare which probably aren't exploitable
53
+
59
 
|-
 
|-
 
|  Already have
 
|  Already have
Line 31: Line 21:  
|-
 
|-
 
|  All total
 
|  All total
94
+
100
 
|}
 
|}
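Review bot: the counts in this and the previous hunk do not reconcile from what the diff shows: Incomplete 21 to 20, Done 17 to 22 and "probably aren't exploitable" 53 to 59 is a net +10, while "All total" only moves 94 to 100 (+6); the "Already have" value and any rows outside the shown context have to absorb the difference, so it is worth re-counting the rows moved between tables (Crazy Sudoku, Frogger Returns, Rayman) and the rows added (Academy: Checkers, Telegraph Sudoku & Kakuro, WordSearcher and the new "No strings" entries) before this revision is saved.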
   Line 82: Line 72:  
|  None
 
|  None
 
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 
|  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
  −
|  Crazy Sudoku
  −
|  Player name
  −
|  None
  −
|  Has ASCII strings for player name.
   
|-
 
|-
 
|  Crystal Monsters
 
|  Crystal Monsters
Line 107: Line 92:  
|  Started
 
|  Started
 
|  The xml .plist the game uses for storing savedata contains high-scores strings.
 
|  The xml .plist the game uses for storing savedata contains high-scores strings.
|-
  −
|  Frogger Returns
  −
|  High-Scores
  −
|  Started
  −
|  Has ASCII high-scores.
   
|-
 
|-
 
|  Guitar Rock Tour
 
|  Guitar Rock Tour
Line 165: Line 145:  
|  High-Scores
 
|  High-Scores
 
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
 
|  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
 +
|-
 +
|  Academy: Checkers
 +
|  Profile names
 +
|  Game didn't crash with a long profile string.
 
|-
 
|-
 
|  Arcade Hoops Basketball
 
|  Arcade Hoops Basketball
Line 181: Line 165:  
|  High-scores and word list
 
|  High-scores and word list
 
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
 
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
 +
|-
 +
|  Crazy Sudoku
 +
|  Profile names/Data File
 +
|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
 
|-
 
|-
 
|  Dark Void Zero
 
|  Dark Void Zero
Line 188: Line 176:  
|  Digger Dan & Kaboom
 
|  Digger Dan & Kaboom
 
|  Player name
 
|  Player name
Save has ASCII playername, but there's <10KB free in the savimage anyway.
+
The ASCII player names aren't exploitable, but the save is <10KB anyway.
 
|-
 
|-
 
|  Dracula
 
|  Dracula
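Review bot: the rewritten Digger Dan & Kaboom note changes the size statement from "<10KB free in the save image" to "the save is <10KB", which is a different claim (free space versus total save size); the other notes reworded in this revision (Frogger Returns, Absolute Reversi, Tetris Party Live) all argue about free or payload space, so keep "free" here, e.g. "but there is <10KB free in the save image anyway".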
Line 197: Line 185:  
|  None
 
|  None
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 
|  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
 +
|-
 +
|  Frogger Returns
 +
|  High-Scores
 +
|  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
 
|-
 
|-
 
|  Mario Calculator
 
|  Mario Calculator
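Review bot: Frogger Returns is moved out of the "Started" rows (earlier hunk) but its new note still says "unknown if this is exploitable", so it now sits in a table whose other entries state a conclusion ("only corrupted the display", "aren't exploitable") while this one does not; either make the actual reason for closing it (the <10KB free space noted in the same cell) the stated conclusion, or leave the row in the Incomplete table until the strcpy question is settled.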
Line 213: Line 205:  
|  High-scores
 
|  High-scores
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 
|  Has English-only high-scores and a trivial checksum, not exploitable.
 +
|-
 +
|  Rayman
 +
|  Player name
 +
|  No overflow, with a long string the game only displays one extra character.
 
|-
 
|-
 
|  Soul of Darkness
 
|  Soul of Darkness
Line 222: Line 218:  
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
 
|  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
 
|-
 
|-
Rayman
+
Telegraph Sudoku & Kakuro
Player name
+
Profile name
|  No overflow, with a long string the game only displays one extra character.
+
|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
 +
|-
 +
|  WordSearcher
 +
|  Player name & WordSearch Board
 +
|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
 
|}
 
|}
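Review bot: the WordSearcher note "No overflows with a large string nor a bigger crossword board resulting thus, not exploitable" is garbled; suggest "No overflow with a long string or a larger crossword board, so not exploitable." The same hunk uses "Profile name" for Telegraph Sudoku & Kakuro while Academy: Checkers and Crazy Sudoku in this table use "Profile names"; pick one spelling for the column.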
   Line 242: Line 242:  
|  Absolute Reversi
 
|  Absolute Reversi
 
|  None
 
|  None
|  No strings in savedata.
+
|  No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
 
|-
 
|-
 
|  A Little Bit of... All-Time Classics: Card Classics
 
|  A Little Bit of... All-Time Classics: Card Classics
Line 265: Line 265:  
|-
 
|-
 
|  Aquia: Art Style Series
 
|  Aquia: Art Style Series
 +
|  None
 +
|  No strings
 +
|-
 +
|  Aura Aura Climber
 
|  None
 
|  None
 
|  No strings
 
|  No strings
Line 299: Line 303:  
|  None
 
|  None
 
|  No strings in save.
 
|  No strings in save.
 +
|-
 +
|  Castle of Magic
 +
|  None
 +
|  No strings
 +
|-
 +
|  Cave Story
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  Countdown Calender
 
|  Countdown Calender
Line 305: Line 317:  
|-
 
|-
 
|  Crash Course Domo
 
|  Crash Course Domo
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Chronos Twins
 
|  None
 
|  None
 
|  No strings.
 
|  No strings.
Line 331: Line 347:  
|  None
 
|  None
 
|  No strings in savedata.
 
|  No strings in savedata.
 +
|-
 +
|  Little Red Riding Hood's Zombie BBQ
 +
|  None
 +
|  No strings
 
|-
 
|-
 
|  FIZZ
 
|  FIZZ
 
|  High-scores
 
|  High-scores
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
+
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
 
|-
 
|-
 
|  Flipper
 
|  Flipper
Line 438: Line 458:  
|  Tetris Party Live
 
|  Tetris Party Live
 
|  None
 
|  None
|  Zero text input.
+
|  Zero text input, not enough payload space anyway.
 
|-
 
|-
 
|  WarioWare: Snapped
 
|  WarioWare: Snapped
Line 445: Line 465:  
|-
 
|-
 
|  ZENGAGE: Art Style Series
 
|  ZENGAGE: Art Style Series
 +
|  None
 +
|  No strings.
 +
|-
 +
|  Zenonia
 
|  None
 
|  None
 
|  No strings.
 
|  No strings.
Line 464: Line 488:  
|-
 
|-
 
|  Opera
 
|  Opera
Nothing interesting in savedata.
+
The savedata is private NAND-only, no savedata is copied to SD card.
 
|}
 
|}
