Line 1: |
Line 1: |
− | This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com.
| + | == Total listed DSiWare == |
| | | |
− | == List of DSiWare with incomplete analysis == | + | Total DSiWare in below lists. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! List |
| + | ! Total |
| + | |- |
| + | | Incomplete |
| + | | 16 |
| + | |- |
| + | | Done |
| + | | 27 |
| + | |- |
| + | | DSiWare which probably aren't exploitable |
| + | | 59 |
| + | |- |
| + | | Already have |
| + | | 3 |
| + | |- |
| + | | All total |
| + | | 100 |
| + | |} |
| + | |
| + | == DSiWare with incomplete analysis == |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
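Review bot: the deleted first line was the page's only scope statement (DSiWare whose savedata string handling, such as strcpy or sprintf from savedata, might be vulnerable) and its only contact route, and the new "Total listed DSiWare" table replaces it with counts but never says what the four categories mean, while the closing "Do not contact us" section later in this revision is left referring to contact instructions that no longer exist. Suggest keeping a one-sentence scope line above the totals, e.g. "This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata.", and either restoring the contact details or dropping the "contact us" wording. Two smaller points: the Incomplete (16) and Done (27) figures do match the rows visible in this revision, but the totals are maintained by hand and will drift as rows are added, so a line stating which revision they were counted at would help; and "Total DSiWare in below lists." reads better as "Total DSiWare in the lists below.".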
Line 10: |
Line 33: |
| ! Description | | ! Description |
| |- | | |- |
− | | 24/7 Solitare | + | | Academy: Tic-Tac-Toe |
− | | ? | + | | Player name |
| + | | None |
| + | | Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index. |
| + | |- |
| + | | Advanced Circuits |
| + | | Profile names |
| + | | Started |
| + | | Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown. |
| + | |- |
| + | | Arcade Bowling |
| + | | High-Scores |
| + | | None |
| + | | The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores? |
| + | |- |
| + | | Art Academy: First Semester |
| + | | None? |
| + | | None |
| + | | Has some ASCII strings in savedata, but they seem to be from the game binary not user input? |
| + | |- |
| + | | Bejeweled Twist |
| + | | High-scores |
| + | | None |
| + | | Checksum is unknown, save has ASCII strings. |
| + | |- |
| + | | Bounce & Break |
| + | | High-scores |
| | Started | | | Started |
− | | Unknown if this has ASCII strings? | + | | Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index. |
| + | |- |
| + | | Card games |
| + | | Player name |
| + | | None |
| + | | Has ASCII player names, checksum is unknown. |
| |- | | |- |
− | | Paul's Shooting Adventure | + | | Chess Challenge |
− | | ? | + | | Profile names |
| + | | None |
| + | | Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index. |
| + | |- |
| + | | Crystal Monsters |
| + | | Player name |
| | Started | | | Started |
− | | Unknown if this has any input or high-scores. | + | | Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail. |
| + | |- |
| + | | Elemental Masters |
| + | | Player name? |
| + | | None |
| + | | Has ASCII strings but the checksum is unknown. |
| + | |- |
| + | | Faceez |
| + | | Player name? |
| + | | None |
| + | | Has ASCII string but the checksum is unknown. |
| + | |- |
| + | | Jelly Car 2 |
| + | | High Score name |
| + | | None |
| + | | Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index. |
| + | |- |
| + | | Lets golf |
| + | | Player name |
| + | | None |
| + | | Has ASCII player name checksum is unknown. |
| + | |- |
| + | | Mixed Messages |
| + | | Player name and other text |
| + | | None |
| + | | Uses ASCII for player name and other text input, but the checksum is unknown. |
| + | |- |
| + | | Number Battle |
| + | | Player name |
| + | | None |
| + | | Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown. |
| + | |- |
| + | | Pop Superstar: Road to celebrity |
| + | | Player name |
| + | | None |
| + | | Has ASCII strings. |
| |} | | |} |
| | | |
− | == List of DSiWare with finished analysis == | + | == DSiWare with finished analysis == |
| | | |
| | | |
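Review bot: five added rows (Academy: Tic-Tac-Toe, Bounce & Break, Chess Challenge, Crystal Monsters, Jelly Car 2) already conclude "unlikely this can be exploited" because the long string only produces an out-of-bounds array-index crash, yet they stay in the incomplete-analysis table without saying what remains to be checked; either move them to the "probably don't have vulnerabilities" table or state the open question. For the other blocked rows (Bejeweled Twist, Card games, Elemental Masters, Faceez, Lets golf, Mixed Messages, Number Battle) the blocker is the same unknown save checksum, which the third column ("None"/"Started") does not show; a value such as "Blocked: checksum unknown" would make the table scannable, and the Pop Superstar row ("Has ASCII strings.") gives no blocker at all. Wording: "/w" should be spelled out as "with"; "Lets golf" is "Let's Golf"; "Has ASCII player name checksum is unknown." needs a comma after "name"; and "the value of each char is - 0x20 of the actual ASCII value" is clearer as "each character is stored as its ASCII value minus 0x20".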
Line 29: |
Line 122: |
| ! Input type(s) | | ! Input type(s) |
| ! Description | | ! Description |
| + | |- |
| + | | 5 in 1 Solitaire |
| + | | Profile names |
| + | | Game didn't crash with a long profile string. |
| + | |- |
| + | | Airport Mania: Non Stop Flights |
| + | | High-Scores |
| + | | Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable. |
| + | |- |
| + | | Academy: Checkers |
| + | | Profile names |
| + | | Game didn't crash with a long profile string. |
| + | |- |
| + | | Arcade Hoops Basketball |
| + | | High-Scores, names via settings |
| + | | Has ASCII high-scores with null terminated strings, no string bugs. |
| + | |- |
| + | | Army Defender |
| + | | High-scores |
| + | | Has ASCII strings for high-scores, game didn't crash with modified high-scores. |
| + | |- |
| + | | Bloons |
| + | | Profile names |
| + | | Has some profile names but they're all in one tiny savfile. |
| + | |- |
| + | | Bookworm |
| + | | High-scores and word list |
| + | | Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. ) |
| + | |- |
| + | | Crazy Sudoku |
| + | | Profile names/Data File |
| + | | The ASCII player name or the game data aren't exploitable. This game can still be crashed. |
| |- | | |- |
| | Dark Void Zero | | | Dark Void Zero |
− | | High-Scores | + | | High-Scores |
− | | No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields. | + | | No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable. |
| + | |- |
| + | | Digger Dan & Kaboom |
| + | | Player name |
| + | | The ASCII player names aren't exploitable, but the save is <10KB anyway. |
| |- | | |- |
| | Dracula | | | Dracula |
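Review bot: the Dark Void Zero rewrite drops the technical reason the game is not exploitable. The old text explained that the level value from savedata is used as an unchecked array index but that the indexed structs hold only char* strings and other fields; the new text only says "Although this game can be crashed it isn't exploitable". For an analysis page that reasoning is the useful part and saves the next person from repeating the work, so keep it, e.g. "The level var from savedata has no bounds check and is used as an array index, but the array structs only contain char* strings and other fields, so it isn't exploitable." The Crazy Sudoku row has the same gap ("This game can still be crashed." with no cause given). Minor: "savfile" in the Bloons row should be "save file".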
Line 38: |
Line 167: |
| | Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs. | | | Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs. |
| |- | | |- |
− | | Arcade Hoops Basketball | + | | Escapee Go |
− | | High-Scores, names via settings | + | | None |
− | | Has ASCII high-scores with null terminated strings, no string bugs. | + | | Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable. |
| + | |- |
| + | | Fieldrunners |
| + | | High-Scores |
| + | | The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax]. |
| + | |- |
| + | | Frogger Returns |
| + | | High-Scores |
| + | | Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh. |
| + | |- |
| + | | Guitar Rock Tour |
| + | | High-Scores |
| + | | Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn]. |
| + | |- |
| + | | Legends of Exidia |
| + | | Player name |
| + | | Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax]. |
| + | |- |
| + | | Mario Calculator |
| + | | None |
| + | | No savedata at all in the tad. |
| + | |- |
| + | | Paul's Shooting Adventure |
| + | | High-Scores |
| + | | Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable. |
| + | |- |
| + | | Prehistorik Man |
| + | | Password text |
| + | | Has some ASCII password text for continuing, but there's less than 10KB free. |
| + | |- |
| + | | Primrose |
| + | | High-scores |
| + | | Has English-only high-scores and a trivial checksum, not exploitable. |
| + | |- |
| + | | Rayman |
| + | | Player name |
| + | | No overflow, with a long string the game only displays one extra character. |
| + | |- |
| + | | Soul of Darkness |
| + | | Player name |
| + | | Has ASCII player name with 3 profiles. |
| + | |- |
| + | | Sudoku |
| + | | Player name |
| + | | Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]]. |
| + | |- |
| + | | Telegraph Sudoku & Kakuro |
| + | | Profile name |
| + | | No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars |
| + | |- |
| + | | The Legend of Zelda: Four Swords Anniversary |
| + | | Savedata filesize |
| + | | The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax]. |
| + | |- |
| + | | UNO |
| + | | Profile names |
| + | | Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn]. |
| + | |- |
| + | | WordSearcher |
| + | | Player name & WordSearch Board |
| + | | Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable |
| |} | | |} |
| | | |
− | == List of DSiWare that probably don't have vulnerabilities == | + | == DSiWare that probably don't have vulnerabilities == |
| | | |
| | | |
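Review bot: "pointer counter" in the Zelda: Four Swords Anniversary and UNO rows should read "program counter"; as written it is not a recognised term. Causality is reversed in the Fieldrunners row: "Using a very large string crashes the game leading it to stack buffer overflow" should say the overly long string overflows a stack buffer, which is what crashes the game. The Frogger Returns row says "unknown if this is exploitable" yet sits in the finished-analysis table; either move it to the incomplete table or state that the <10KB of free space is the reason analysis stopped there. Spelling and grammar in the added rows: "savadata" (Fieldrunners, Legends of Exidia) is "savedata"; "will continue load without any errors" should be "continues loading without errors"; "Has ASCII Player name each for of the 5 save slots" should be "Has an ASCII player name for each of the 5 save slots"; "which overwritten the stack registers" should be "which overwrote the saved stack registers"; and "No overflows with a large string nor a bigger crossword board resulting thus, not exploitable" reads better as "No overflow with a large string or a bigger crossword board, so not exploitable".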
Line 51: |
Line 240: |
| ! Input type(s) | | ! Input type(s) |
| ! Description | | ! Description |
| + | |- |
| + | | 24/7 Solitaire |
| + | | None |
| + | | No high-scores or string input. |
| + | |- |
| + | | Absolute Reversi |
| + | | None |
| + | | No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB) |
| + | |- |
| + | | A Little Bit of... All-Time Classics: Card Classics |
| + | | None |
| + | | No strings |
| + | |- |
| + | | A Little Bit of... All-Time Classics: Family Games |
| + | | None |
| + | | No strings |
| + | |- |
| + | | A Little Bit of... All-Time Classics: Strategy Games |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Alpha Bounce |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Asphalt 4 |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Aquia: Art Style Series |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Aura Aura Climber |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Birds & Beans |
| + | | No strings |
| + | | No strings in savedata. |
| + | |- |
| + | | Boom Boom Squaries |
| + | | No strings |
| + | | No strings in savedata. |
| + | |- |
| + | | Bomberman Blitz |
| + | | Name |
| + | | Has UCS-2 strings. |
| + | |- |
| + | | Boxlife |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Blackjack |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Brain Age Express: Arts & Letters |
| + | | None |
| + | | No strings in savedata. |
| + | |- |
| + | | Brain Age Express: Math |
| + | | None |
| + | | No strings in savedata. |
| + | |- |
| + | | Brain Drain |
| + | | None |
| + | | No strings in save. |
| + | |- |
| + | | Castle of Magic |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Cave Story |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Countdown Calender |
| + | | None |
| + | | No user strings. There's many "ANIV" tokens in the save and some embedded bmp files. |
| + | |- |
| + | | Crash Course Domo |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Chronos Twins |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Dictionary 6 in 1 |
| + | | None |
| + | | No strings in savedata. |
| + | |- |
| + | | DIGIDRIVE: Art Style Series |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | DodoGo! Robo |
| + | | None |
| + | | No strings |
| + | |- |
| + | | Dr. Mario Express |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Earthworm Jim |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Extreme Hangman |
| + | | None |
| + | | No strings in savedata. |
| + | |- |
| + | | Little Red Riding Hood's Zombie BBQ |
| + | | None |
| + | | No strings |
| |- | | |- |
| | FIZZ | | | FIZZ |
| | High-scores | | | High-scores |
− | | Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely. | + | | Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways. |
| + | |- |
| + | | Flipper |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Frenzic |
| + | | High-scores |
| + | | Has UCS-2 high-scores. |
| + | |- |
| + | | Gene Labs |
| + | | None |
| + | | Small savedata with no strings. |
| + | |- |
| + | | Glory Days - Tactical Defense |
| + | | No strings |
| + | | Saves only scores not strings. |
| + | |- |
| + | | GO Series: 10 Second Run |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Metal Torrent |
| + | | Player name |
| + | | Uses a UCS-2 string. |
| + | |- |
| + | | Master of Illusion Express: Psychic Camera |
| + | | None |
| + | | Tiny savfile no strings. |
| + | |- |
| + | | My Notebook: Blue |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | My Notebook: Pearl |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | My Sims: Camera |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Mighty Flip Champs |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | My Exotic Farm |
| + | | Player name |
| + | | Not exploitable, there's a 0x01 byte immediately after the string not null-terminated. |
| + | |- |
| + | | Paper Airplane Chase |
| + | | None |
| + | | The size of both files in the savedata are only 8 bytes, no strings. |
| + | |- |
| + | | PiCOPiCT: Art Style series |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | PiCTOBiTS: Art Style series |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Plants Vs. Zombies |
| + | | None |
| + | | No strings, uses system user name for player name. |
| + | |- |
| + | | Pop Island |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Pyoro |
| + | | None |
| + | | 16-byte savedata no strings. |
| + | |- |
| + | | Photo Clock |
| + | | None |
| + | | Small savedata, no strings at all. |
| |- | | |- |
| | Photo Dojo | | | Photo Dojo |
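Review bot: the Input type(s) column is used inconsistently in the added rows: Birds & Beans, Boom Boom Squaries and Glory Days put "No strings" there and Bomberman Blitz puts "Name", while every other row uses "None" for the same situation; "None" (or the actual input kind, e.g. "Player name", for Bomberman Blitz) keeps the column consistent. The UCS-2 rows (Bomberman Blitz, Frenzic, Metal Torrent) state the text format but not why that rules them out; since the scope sentence that used to say "English-only string" input is removed in this revision, one clause stating the criterion (UCS-2 input is out of scope for this page) would make these rows self-explanatory. My Exotic Farm: "there's a 0x01 byte immediately after the string not null-terminated" is ambiguous; if the meaning is that the name is length-delimited rather than null-terminated, say so. Typos: "Countdown Calender" is "Countdown Calendar"; "anyways.(payload" needs a space; "Tiny savfile no strings." should be "Tiny save file, no strings.".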
Line 60: |
Line 441: |
| | Savedata only contains .jpg files and some tiny "save"/"info" files. | | | Savedata only contains .jpg files and some tiny "save"/"info" files. |
| |- | | |- |
− | | Photo Clock | + | | Shantae: Risky's Revenge |
| + | | None |
| + | | Has 3 save slots but no string input. |
| + | |- |
| + | | Simply Minesweeper |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Sokomania |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Sparkle Snapshots |
| | None | | | None |
− | | Small savedata, no strings at all. | + | | No strings. |
| |- | | |- |
− | | Brain Age Express: Arts & Letters | + | | Starship Defense |
| | None | | | None |
− | | No strings in savedata. | + | | No strings. |
| |- | | |- |
− | | Brain Age Express: Math | + | | Tetris Party Live |
| | None | | | None |
− | | No strings in savedata. | + | | Zero text input, not enough payload space anyway. |
| |- | | |- |
| | WarioWare: Snapped | | | WarioWare: Snapped |
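Review bot: the three rows removed here (Photo Clock, Brain Age Express: Arts & Letters, Brain Age Express: Math) are relocations, not deletions; each reappears earlier in the same table in this revision with its text unchanged, so the table is being put into alphabetical order. That belongs in the edit summary, because the diff view makes it look as if entries were dropped and re-counting the table against the "59" total is the only other way to confirm nothing was lost. Minor: "Zero text input, not enough payload space anyway." reads more naturally as "No text input; not enough payload space anyway.".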
Line 76: |
Line 469: |
| | No high-scores or string input. | | | No high-scores or string input. |
| |- | | |- |
− | | Gene Labs | + | | ZENGAGE: Art Style Series |
| + | | None |
| + | | No strings. |
| + | |- |
| + | | Zenonia |
| | None | | | None |
− | | Small savedata with no strings. | + | | No strings. |
| + | |} |
| + | |
| + | == DSiWare that were already obtained for analysis == |
| + | Do not contact us about the DSiWare in this list, we already have them. We had these for ages, and never managed to find any vulns. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Name |
| + | ! Text format |
| + | |- |
| + | | Flipnote Studio |
| + | | UCS-2 |
| + | |- |
| + | | Mario Vs. Donkey Kong: Minis March Again |
| + | | UCS-2 |
| + | |- |
| + | | Opera |
| + | | The savedata is private NAND-only, no savedata is copied to SD card. |
| |} | | |} |
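Review bot: in the new "already obtained" table the Text format column holds a sentence for Opera ("The savedata is private NAND-only, no savedata is copied to SD card.") rather than a format; give this table a Description column like the others and put "N/A" under Text format, since the point for Opera is that its save never reaches the SD card at all. The intro sentence "We had these for ages" should be "We've had these for ages", and "Do not contact us about the DSiWare in this list, we already have them." is a comma splice (use a semicolon). The Gene Labs removal here is also a move, the row reappearing earlier in the same table in this revision, which again is worth stating in the edit summary.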