36
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com. − Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere. − − It would be nice to target DSiWare that are listed under the DSi Shop most popular search: Nintendo would have a lot of difficultly removing DSiWare from that list without ticking off a lot of non-homebrewer customers. Targets not on that list will suffer the same fate as Sudoku,(removed quickly and patched less than a week) if exploits for those were released. − − DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi − − For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished. − Line 18:
Line 9: − + − + − + − + − + Line 41:
Line 32: + + + + + Line 46:
Line 42: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + − + − + − + − + + + + + + + + + + + − + − + − + − + − + − + − + − + − + − + − + Line 89:
Line 130: + + + + + + + + + + + + + + + + + + + + Line 109:
Line 170: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 122:
Line 215: − + − + − + + + + + + + + + + + + + Line 142:
Line 247: − + + + + + + + + + + + + + + + + + + + + + + + + + Line 159:
Line 288: + + + + + + + + Line 167:
Line 304: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 179:
Line 348: + + + + + + + + − + + + + + + + + + Line 191:
Line 376: + + + + + + + + + + + + + + + + Line 217:
Line 418: + + + + + + + + Line 232:
Line 441: − + + + + + + + + + + + + + Line 242:
Line 463: − + + + + + + + + + Line 262:
Line 491: + + +
→Total listed DSiWare
== Total listed DSiWare ==
== Total listed DSiWare ==
|-
|-
| Incomplete
| Incomplete
| 6
| 16
|-
|-
| Done
| Done
| 11
| 27
|-
|-
| DSiWare which probably aren't exploitable
| DSiWare which probably aren't exploitable
| 28
| 59
|-
|-
| Already have
| Already have
| 2
| 3
|-
|-
| All total
| All total
| 47
| 100
|}
|}
! Status
! Status
! Description
! Description
|-
| Academy: Tic-Tac-Toe
| Player name
| None
| Has an UCS-2 player name. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
| Advanced Circuits
| Advanced Circuits
| Started
| Started
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
| Save slots are obfuscated, the algorithm is understood for all but the first save slot. The checksum calculation is unknown.
|-
| Arcade Bowling
| High-Scores
| None
| The checksum seemed to be identical to arcade hoops, but when save modification was attempted the game appeared to reset the high-scores?
|-
| Art Academy: First Semester
| None?
| None
| Has some ASCII strings in savedata, but they seem to be from the game binary not user input?
|-
| Bejeweled Twist
| High-scores
| None
| Checksum is unknown, save has ASCII strings.
|-
| Bounce & Break
| High-scores
| Started
| Has ASCII high-scores. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Card games
| Player name
| None
| Has ASCII player names, checksum is unknown.
|-
| Chess Challenge
| Profile names
| None
| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
|-
| Crystal Monsters
| Crystal Monsters
| Player name
| Player name
| Started
| Started
| Has ASCII player name.
| Has ASCII player name. Not sure if this can be exploited somehow, it crashes /w array-index out-of-bounds fail.
|-
| Elemental Masters
| Player name?
| None
| Has ASCII strings but the checksum is unknown.
|-
|-
| Frogger Returns
| Faceez
| High-Scores
| Player name?
| Started
| None
| Has ASCII high-scores.
| Has ASCII string but the checksum is unknown.
|-
| Jelly Car 2
| High Score name
| None
| Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
|-
| Lets golf
| Player name
| None
| Has ASCII player name checksum is unknown.
|-
|-
| Guitar Rock Hero
| Mixed Messages
| High-Scores
| Player name and other text
| Started
| None
| Has ASCII high-scores.
| Uses ASCII for player name and other text input, but the checksum is unknown.
|-
|-
| Legends of Exidia
| Number Battle
| Player name
| Player name
| Started
| None
| Has ASCII player name.
| Uses ASCII strings, the value of each char is - 0x20 of the actual ASCII value. The checksum is unknown.
|-
|-
| UNO
| Pop Superstar: Road to celebrity
| Player name and high-scores
| Player name
| Started
| None
| Has ASCII text.
| Has ASCII strings.
|}
|}
| High-Scores
| High-Scores
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
|-
| Academy: Checkers
| Profile names
| Game didn't crash with a long profile string.
|-
|-
| Arcade Hoops Basketball
| Arcade Hoops Basketball
| High-Scores, names via settings
| High-Scores, names via settings
| Has ASCII high-scores with null terminated strings, no string bugs.
| Has ASCII high-scores with null terminated strings, no string bugs.
|-
| Army Defender
| High-scores
| Has ASCII strings for high-scores, game didn't crash with modified high-scores.
|-
| Bloons
| Profile names
| Has some profile names but they're all in one tiny savfile.
|-
|-
| Bookworm
| Bookworm
| High-scores and word list
| High-scores and word list
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )
|-
| Crazy Sudoku
| Profile names/Data File
| The ASCII player name or the game data aren't exploitable. This game can still be crashed.
|-
|-
| Dark Void Zero
| Dark Void Zero
| High-Scores
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
| No limit on length of drawn record names, no vuln with high-scores. Although this game can be crashed it isn't exploitable.
|-
| Digger Dan & Kaboom
| Player name
| The ASCII player names aren't exploitable, but the save is <10KB anyway.
|-
|-
| Dracula
| Dracula
| None
| None
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
|-
| Fieldrunners
| High-Scores
| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
|-
| Frogger Returns
| High-Scores
| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
|-
| Guitar Rock Tour
| High-Scores
| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
|-
| Legends of Exidia
| Player name
| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
|-
| Mario Calculator
| None
| No savedata at all in the tad.
|-
|-
| Paul's Shooting Adventure
| Paul's Shooting Adventure
| High-Scores
| High-Scores
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
| Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable.
|-
| Prehistorik Man
| Password text
| Has some ASCII password text for continuing, but there's less than 10KB free.
|-
|-
| Primrose
| Primrose
| High-scores
| High-scores
| Has English-only high-scores and a trivial checksum, not exploitable.
| Has English-only high-scores and a trivial checksum, not exploitable.
|-
| Rayman
| Player name
| No overflow, with a long string the game only displays one extra character.
|-
| Soul of Darkness
| Player name
| Has ASCII player name with 3 profiles.
|-
|-
| Sudoku
| Sudoku
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
|-
|-
| Rayman
| Telegraph Sudoku & Kakuro
| Player name
| Profile name
| No overflow, with a long string the game only displays one extra character.
| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
|-
| The Legend of Zelda: Four Swords Anniversary
| Savedata filesize
| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
|-
| UNO
| Profile names
| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
|-
| WordSearcher
| Player name & WordSearch Board
| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
|}
|}
| Absolute Reversi
| Absolute Reversi
| None
| None
| No strings in savedata.
| No strings in savedata, not enough space for payload anyways.(payload exceeds the free space by ~6KB)
|-
| A Little Bit of... All-Time Classics: Card Classics
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Family Games
| None
| No strings
|-
| A Little Bit of... All-Time Classics: Strategy Games
| None
| No strings
|-
| Alpha Bounce
| None
| No strings
|-
| Asphalt 4
| None
| No strings
|-
|-
| Aquia: Art Style Series
| Aquia: Art Style Series
| None
| No strings
|-
| Aura Aura Climber
| None
| None
| No strings
| No strings
| Name
| Name
| Has UCS-2 strings.
| Has UCS-2 strings.
|-
| Boxlife
| None
| No strings.
|-
| Blackjack
| None
| No strings.
|-
|-
| Brain Age Express: Arts & Letters
| Brain Age Express: Arts & Letters
| None
| None
| No strings in savedata.
| No strings in savedata.
|-
| Brain Drain
| None
| No strings in save.
|-
| Castle of Magic
| None
| No strings
|-
| Cave Story
| None
| No strings
|-
| Countdown Calender
| None
| No user strings. There's many "ANIV" tokens in the save and some embedded bmp files.
|-
| Crash Course Domo
| None
| No strings.
|-
| Chronos Twins
| None
| No strings.
|-
|-
| Dictionary 6 in 1
| Dictionary 6 in 1
| None
| None
| No strings in savedata.
| No strings in savedata.
|-
| DIGIDRIVE: Art Style Series
| None
| No strings.
|-
| DodoGo! Robo
| None
| No strings
|-
|-
| Dr. Mario Express
| Dr. Mario Express
| None
| None
| No strings.
| No strings.
|-
| Extreme Hangman
| None
| No strings in savedata.
|-
| Little Red Riding Hood's Zombie BBQ
| None
| No strings
|-
|-
| FIZZ
| FIZZ
| High-scores
| High-scores
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
| Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. Can't be crashed at all, no payload space anyways.
|-
| Flipper
| None
| No strings.
|-
| Frenzic
| High-scores
| Has UCS-2 high-scores.
|-
|-
| Gene Labs
| Gene Labs
| No strings
| No strings
| Saves only scores not strings.
| Saves only scores not strings.
|-
| GO Series: 10 Second Run
| None
| No strings.
|-
|-
| Metal Torrent
| Metal Torrent
| Player name
| Player name
| Uses a UCS-2 string.
| Uses a UCS-2 string.
|-
| Master of Illusion Express: Psychic Camera
| None
| Tiny savfile no strings.
|-
|-
| My Notebook: Blue
| My Notebook: Blue
| None
| No strings.
|-
| My Notebook: Pearl
| None
| No strings.
|-
| My Sims: Camera
| None
| None
| No strings.
| No strings.
|-
|-
| PiCTOBiTS: Art Style series
| PiCTOBiTS: Art Style series
| None
| No strings.
|-
| Plants Vs. Zombies
| None
| No strings, uses system user name for player name.
|-
| Pop Island
| None
| None
| No strings.
| No strings.
| Savedata only contains .jpg files and some tiny "save"/"info" files.
| Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
|-
| Shantae
| Shantae: Risky's Revenge
| None
| None
| Has 3 save slots but no string input.
| Has 3 save slots but no string input.
|-
| Simply Minesweeper
| None
| No strings.
|-
| Sokomania
| None
| No strings.
|-
| Sparkle Snapshots
| None
| No strings.
|-
|-
| Starship Defense
| Starship Defense
| Tetris Party Live
| Tetris Party Live
| None
| None
| Zero text input.
| Zero text input, not enough payload space anyway.
|-
|-
| WarioWare: Snapped
| WarioWare: Snapped
| None
| None
| No high-scores or string input.
| No high-scores or string input.
|-
| ZENGAGE: Art Style Series
| None
| No strings.
|-
| Zenonia
| None
| No strings.
|}
|}
| Mario Vs. Donkey Kong: Minis March Again
| Mario Vs. Donkey Kong: Minis March Again
| UCS-2
| UCS-2
|-
| Opera
| The savedata is private NAND-only, no savedata is copied to SD card.
|}
|}