I was wondering, how does someone find a stack buffer overflow? is it ripping and wading through tons of data until one is found? what does someone look for when looking for a stack buffer overflow location?
Anti said:
If you were looking for a buffer overflow in a Wii game, for example, you would need to rip the game from the disc, decrypt it, and disassemble the executable (e.g. dol) file. Then you would need to identify an "unchecked" buffer in the program code, meaning a buffer that is assigned data without checking the length of the data first. Even then this is probably only useful if the data assigned to the buffer can somehow be manipulated by the user. Like the name of a character's horse that the user supplies when playing the game. Otherwise the program itself would be assigning the data to the buffer, and it is unlikely that the game developers would exploit their own unchecked buffer
- Joined
- May 8, 2008
- Messages
- 2,395
- Trophies
- 0
- Location
- Istanbul
- Website
- www.tepetaklak.com
- XP
- 387
- Country
fogbank said:Anti said:
If you were looking for a buffer overflow in a Wii game, for example, you would need to rip the game from the disc, decrypt it, and disassemble the executable (e.g. dol) file. Then you would need to identify an "unchecked" buffer in the program code, meaning a buffer that is assigned data without checking the length of the data first. Even then this is probably only useful if the data assigned to the buffer can somehow be manipulated by the user. Like the name of a character's horse that the user supplies when playing the game. Otherwise the program itself would be assigning the data to the buffer, and it is unlikely that the game developers would exploit their own unchecked bufferOnce an unchecked buffer is found it has to be correctly exploited to inject user generated code, otherwise the program would probably just crash.
To add, a game might use a string which it stored itself... That might be a static string from the game's binary, some calculated string or similar... You can exploit the buggy code as long as you can modify that string. That is game gets the string from savegame and you can bypass the checksum protection against savegame modification.
So what can an average user do to find possible games to exploit?
1. Categorize games and find those that accept user input for some string
2. Extract the saves of different games and check the raw data for null (byte 0 in C language) terminated strings which game might be copying into the savefile in certain phases in the game... Say in a rpg game it might be name of a location.. In another game it might just be an adjective attributed to the player's character... anything... You can simplify the process using string searching applications.
Then a hacker can come along and indeed dissasemble the code and see if there is a bug to exploit where those strings are used...
ps: games should not be wifi supporting ones, an exploit geared towards a wifi game is futile since a non hacked wii will not allow savegames of such games to be copied on to the system memory.
I thought they let you copy Wifi game saves TO a Wii, but not FROM one. That's what I recall, anyway. Maybe I'm wrong.
- Joined
- May 8, 2008
- Messages
- 2,395
- Trophies
- 0
- Location
- Istanbul
- Website
- www.tepetaklak.com
- XP
- 387
- Country
FenrirWolf said:
Afaik, you can't copy them either way... If you can't copy them from a wii then there shouldn't exist any save to copy to a wii. Though EA's games are an exception. I guess that's because they use their own online system.
You CAN copy saves of WiFi games to an unmodded Wii, you just need to remove the NoCopy flag. In the decrypted save, there is a byte in the header.bin that makes it "NoCopy", changing it will allow it to be copied to any Wii with no issues. In a few games (only one I know of is COD:MWR) this causes the game to read the save as corrupted, but it definitely works in older games. Alternatively, you can install the save, and use Gecko OS's rebooter to copy the save, as in more recent versions of Gecko OS, this makes it remove the NoCopy flag from the save, rather than just ignore it.
- Joined
- Jun 20, 2009
- Messages
- 231
- Trophies
- 0
- Age
- 27
- Location
- 127.0.0.1
- Website
- Visit site
- XP
- 111
- Country
Or you decrypt the savefile, get it into a HEX editor and check for user set things (like location, name). I guess this must have created the Twilight Hack. If you found a buffer overflow, you just put twilight hack code in the save, try it then put it on Hackmii including source code so others can port the save to other regions.
And please, make the exploits for games available in every region (Korea should be ignored, because their Wii catalog is so small, they just got Wii Sports Resort, and every game in there can't be exploited, it seems)
And please, make the exploits for games available in every region (Korea should be ignored, because their Wii catalog is so small, they just got Wii Sports Resort, and every game in there can't be exploited, it seems)
WiiCrazy said:
I'm fairly sure, as I'm pretty sure this is the reason the patch in the Gecko OS rebooter was changed, so it could be copied to unmodded Wiis. Although I had not heard of the nocopy folder before. I haven't looked into saves that much. That could be the downfall of this idea.
- Joined
- May 8, 2008
- Messages
- 2,395
- Trophies
- 0
- Location
- Istanbul
- Website
- www.tepetaklak.com
- XP
- 387
- Country
Indeed,
You can't copy Internet Channel's save from nand->sd but you can copy it patching system menu. Then you can copy that save back from sd card to nand without doing any patching...
Btw, possibly there are numerous attack vectors in Internet Channel... Why? It's savefile is just some binary plus lots of configuration text... Still it's not a good candidate for exploiting though
Tried one wifi game Tatsunoko vs Capcom, same way it copies back perfectly... So Fenrirwolf is right... To sum it up, it's possible to exploit wifi games too (unsure of those games that use nocopy folders...Tatsunoko was not one of them)
You can't copy Internet Channel's save from nand->sd but you can copy it patching system menu. Then you can copy that save back from sd card to nand without doing any patching...
Btw, possibly there are numerous attack vectors in Internet Channel... Why? It's savefile is just some binary plus lots of configuration text... Still it's not a good candidate for exploiting though
Tried one wifi game Tatsunoko vs Capcom, same way it copies back perfectly... So Fenrirwolf is right... To sum it up, it's possible to exploit wifi games too (unsure of those games that use nocopy folders...Tatsunoko was not one of them)
WiiCrazy said:
Sort of...it only works with Gecko OS's patch AFAIK, because it actually removes the NoCopy flag. If the NoCopy flag is intact (e.g. copied via Priiloader patched System Menu), the save won't be able to be copied to an unmodified Wii AFAIK.
Similar threads
