36
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, etc) input, add it to this list, then mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.+ − + + + + + + + + + + + + + + + + + + + + + + + + Line 7:
Line 30: − + − + − + + + + + + − + + + + + + − + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + Line 29:
Line 122: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Total listed DSiWare
== Total listed DSiWare ==
== List of DSiWare with incomplete analysis ==
Total DSiWare in below lists.
{| class="wikitable" border="1"
|-
! List
! Total
|-
| Incomplete
| 16
|-
| Done
| 27
|-
| DSiWare which probably aren't exploitable
| 59
|-
| Already have
| 3
|-
| All total
| 100
|}
== DSiWare with incomplete analysis ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Name
! Name
! Input type(s)
! Input type(s)
! Status
! Status
! Description
! Description
|-
|-
| Dracula
| Academy: Tic-Tac-Toe
| No manual input
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Advanced Circuits
| Profile names
| Started
| Started
| Savedata contains UTF8 high-scores from DSi username, and perks/powerups.
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
|-
| FIZZ
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| None
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Crystal Monsters
| Player name
| Started
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
| Faceez
| Player name?
| None
| Has ASCII string but the checksum is unknown.
|-
| Jelly Car 2
| High Score name
| None
| Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
| Mixed Messages
| Player name and other text
| None
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
| Number Battle
| Player name
| None
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
| Pop Superstar: Road to celebrity
| Player name
| None
| Has ASCII strings.
|}
|}
== List of DSiWare with finished analysis ==
== DSiWare with finished analysis ==
! Input type(s)
! Input type(s)
! Description
! Description
|-
| 5 in 1 Solitaire
| Profile names
| Game didn't crash with a long profile string.
|-
| Airport Mania: Non Stop Flights
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
| Arcade Hoops Basketball
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
| Bookworm
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
|-
| Dark Void Zero
| Dark Void Zero
| High-Scores
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields.
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
| Dracula
| No manual input
| Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs.
|-
| Escapee Go
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
| Paul's Shooting Adventure
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
| Primrose
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
| Sudoku
| Player name
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
| Telegraph Sudoku & Kakuro
| Profile name
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}
== DSiWare that probably don't have vulnerabilities ==
{| class="wikitable" border="1"
|-
! Name
! Input type(s)
! Description
|-
| 24/7 Solitaire
| None
| No high-scores or string input.
|-
| Absolute Reversi
| None
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| No strings
|-
| Birds & Beans
| No strings
| No strings in savedata.
|-
| Boom Boom Squaries
| No strings
| No strings in savedata.
|-
| Bomberman Blitz
| Name
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
| Brain Age Express: Arts & Letters
| None
| No strings in savedata.
|-
| Brain Age Express: Math
| None
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
| Dictionary 6 in 1
| None
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
| Dr. Mario Express
| None
| No strings.
|-
| Earthworm Jim
| None
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
| FIZZ
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
| Gene Labs
| None
| Small savedata with no strings.
|-
| Glory Days - Tactical Defense
| No strings
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
| Metal Torrent
| Player name
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| No strings.
|-
| Mighty Flip Champs
| None
| No strings.
|-
| My Exotic Farm
| Player name
| Not exploitable, there's a 0x01 byte immediately after the string not null-terminated.
|-
| Paper Airplane Chase
| None
| The size of both files in the savedata are only 8 bytes, no strings.
|-
| PiCOPiCT: Art Style series
| None
| No strings.
|-
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| No strings.
|-
| Pyoro
| None
| 16-byte savedata no strings.
|-
| Photo Clock
| None
| Small savedata, no strings at all.
|-
| Photo Dojo
| Handwritten character name via stylus
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| Shantae: Risky's Revenge
| None
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
| Starship Defense
| None
| No strings.
|-
| Tetris Party Live
| None
| Zero text input, not enough payload space anyway.
|-
| WarioWare: Snapped
| None
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}
== DSiWare that were already obtained for analysis ==
Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns.
{| class="wikitable" border="1"
|-
! Name
! Text format
|-
| Flipnote Studio
| UCS-2
|-
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}
|}