Difference between revisions of "DSiWare VulnList"
Jump to navigation
Jump to search
(Add regions.) |
|||
| Line 13: | Line 13: | ||
! Input type(s) | ! Input type(s) | ||
! Status | ! Status | ||
| + | ! Regions | ||
! Description | ! Description | ||
|- | |- | ||
| Line 18: | Line 19: | ||
| High-Scores | | High-Scores | ||
| Done | | Done | ||
| + | | USA/EUR | ||
| No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds. | | No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds. | ||
|- | |- | ||
| Line 23: | Line 25: | ||
| High-scores | | High-scores | ||
| Started | | Started | ||
| + | | USA | ||
| Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable. | | Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable. | ||
|- | |- | ||
| Line 28: | Line 31: | ||
| Player name | | Player name | ||
| None | | None | ||
| + | | USA/EUR/JP | ||
| Has ASCII player name in one file, and UCS-2 player name in a profile file. This game was crashed by modifying strings in the profile savedata file. | | Has ASCII player name in one file, and UCS-2 player name in a profile file. This game was crashed by modifying strings in the profile savedata file. | ||
|- | |- | ||
| Sudoku | | Sudoku | ||
| Player name | | Player name | ||
| − | | | + | | Started |
| + | | USA/EUR | ||
| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. | | Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. | ||
|} | |} | ||
Revision as of 07:23, 5 December 2010
This lists DSiWare that might have vulnerabilities, like strcpy or sprintf from savedata. If you know of DSiWare that has English-only string(high-scores, player name, high-scores that use username from system settings, etc) input, mention it on IRC EFNet #dsidev. Or contact yellowstar 6 at gmail dot com. Before you contact anyone about your dsiware, please make sure your dsiware is _not_ listed on this page anywhere.
DSiWare savedata is extracted and modified with these tools: https://github.com/neimod/dsi
For these lists status "None" means code reversing engineering for the DSiWare wasn't started. Status "Started" means code reversing engineering for that DSiWare was started. Status "Done" means code reverse engineering was finished.
DSiWare that can be crashed
| Name | Input type(s) | Status | Regions | Description |
|---|---|---|---|---|
| Dark Void Zero | High-Scores | Done | USA/EUR | No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds. |
| Frogger Returns | High-scores | Started | USA | Has ASCII null-terminated high-scores. Manged to crash this game. The high-score draw function uses strcpy to copy the records' name to a static buffer, it's unknown if this is exploitable. |
| Legends of Exidia | Player name | None | USA/EUR/JP | Has ASCII player name in one file, and UCS-2 player name in a profile file. This game was crashed by modifying strings in the profile savedata file. |
| Sudoku | Player name | Started | USA/EUR | Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. |
DSiWare with incomplete analysis
| Name | Input type(s) | Status | Description |
|---|---|---|---|
| Primrose | High-scores | None | Has English-only high-scores and a trivial checksum. |
DSiWare with finished analysis
| Name | Input type(s) | Description |
|---|---|---|
| Arcade Hoops Basketball | High-Scores, names via settings | Has ASCII high-scores with null terminated strings, no string bugs. |
| Bookworm | High-scores and word list | Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. ) |
| Dracula | No manual input | Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores doesn't have string bugs. |
| Escapee Go | None | Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable. |
| Paul's Shooting Adventure | High-Scores | Records are entered when you complete the game, names are ASCII strings null-terminated. Not exploitable. |
DSiWare that probably don't have vulnerabilities
| Name | Input type(s) | Description |
|---|---|---|
| 24/7 Solitaire | None | No high-scores or string input. |
| Aquia: Art Style Series | None | No strings |
| Brain Age Express: Arts & Letters | None | No strings in savedata. |
| Brain Age Express: Math | None | No strings in savedata. |
| Dictionary 6 in 1 | None | No strings in savedata. |
| Dr. Mario Express | None | No strings |
| FIZZ | High-scores | Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely. |
| Gene Labs | None | Small savedata with no strings. |
| Paper Airplane Chase | None | The size of both files in the savedata are only 8 bytes, no strings. |
| Pyoro | None | 16-byte savedata no strings. |
| Photo Clock | None | Small savedata, no strings at all. |
| Photo Dojo | Handwritten character name via stylus | Savedata only contains .jpg files and some tiny "save"/"info" files. |
| WarioWare: Snapped | None | No high-scores or string input. |
DSiWare that were already obtained for analysis
Do not contact us about the DSiWare in this list, we already have them.
| Name | Text format |
|---|---|
| Flipnote Studio | UCS-2 |
| Mario Vs. Donkey Kong: Minis March Again | UCS-2 |