DSiBrew

DSiWare VulnList: Difference between revisions

← Older editNewer edit →
Added dsiware that can be crashed section, added 3 dsiware to probably don't have vulns section.
Line 2: Line 2:


DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
== DSiWare that can be crashed ==
{| class="wikitable" border="1"
|-
!  Name
!  Input type(s)
!  Status
!  Description
|-
|  Dark Void Zero
| High-Scores
| Done
| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds.
|-
|  Frogger Returns
|  High-scores
|  Started
|  Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable.
|}


== DSiWare with incomplete analysis ==
== DSiWare with incomplete analysis ==
Status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 22: Line 43:
|  None
|  None
|  Has high-scores without names, scores are ASCII null-terminated strings.
|  Has high-scores without names, scores are ASCII null-terminated strings.
|-
|  Frogger Returns
|  High-scores
|  Started
|  Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer. But all the functions that copy to these lists seem to use strncpy, and it's unknown what code copies from savedata records to these lists.
|-
|-
|  Legends of Exidia
|  Legends of Exidia
Line 46: Line 62:
|  High-Scores, names via settings
|  High-Scores, names via settings
|  Has ASCII high-scores with null terminated strings, no string bugs.
|  Has ASCII high-scores with null terminated strings, no string bugs.
|-
|  Dark Void Zero
| High-Scores
| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds.
|-
|-
|  Dracula
|  Dracula
Line 72: Line 84:
|  None
|  None
|  No high-scores or string input.
|  No high-scores or string input.
|-
|  Aquia: Art Style Series
|  None
|  No strings
|-
|-
|  Brain Age Express: Arts & Letters
|  Brain Age Express: Arts & Letters
Line 80: Line 96:
|  None
|  None
|  No strings in savedata.
|  No strings in savedata.
|-
|  Dr. Mario Express
|  None
|  No strings
|-
|-
|  FIZZ
|  FIZZ
Line 88: Line 108:
|  None
|  None
|  Small savedata with no strings.
|  Small savedata with no strings.
|-
|  Paper Airplane Chase
|  None
|  The size of both files in the savedata are only 8 bytes, no strings.
|-
|-
|  Photo Clock
|  Photo Clock
Retrieved from "https://dsibrew.org/wiki/DSiWare_VulnList"