Hacking twilight hack technical details

A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
Hi,

As for my understanding, the twilight hack in wii happens because of the overflow caused by the horse name, which then leads to load the program located in SD card.

I guess the horse name consists of instructions to make the processor jump to the program in the SD card. My question is how do you know the address of the program in SD card when you inject the string in the form of horse name?Is it always the same, say X ?If yes, then how do you find X?

Thanks for the reply,
Amjad
 
A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
Thanks PsyBlade for the quick reply. So is this what the twilight hack does? Certainly searching helps, but it's not a simple task given that the code will be in assembly instructions and we need to search whole address space.
 
giantpune

giantpune

Well-Known Member
Member
Level 2
Joined
Apr 10, 2009
Messages
2,860
Trophies
0
XP
213
Country
United States
every time the game runs, it copies its save file to the same spot in memory. there is some executable code tucked away in the save file, and you are assured that each time you play the game, it will copy that executable code to the same spot in memory.
 
A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
giantpune said:
every time the game runs, it copies its save file to the same spot in memory. there is some executable code tucked away in the save file, and you are assured that each time you play the game, it will copy that executable code to the same spot in memory.
Click to expand...
Thanks for the reply. I am more interested about the "executable code tucked". If we analyze this code, it has to have an assembly instruction similar to jmp or call to the SD memory location. I agree that the memory location would be the same each time you play the game, but what value would you use for jmp or call instruction?
 
giantpune

giantpune

Well-Known Member
Member
Level 2
Joined
Apr 10, 2009
Messages
2,860
Trophies
0
XP
213
Country
United States
at the end of the horse's name is the address in memory of the executable code. the game overflows the buffer and writes that address over top of the address of the return address on the stack. then it goes on to run like normal for a short bit until it tries to return to the calling function. it gets the address that is planted there on the stack and jumps to team twiizers' code that is in the save file.

from there, it does a couple checks to see which version of the game is actually running. and based on that, it decides which addresses to use from the game itself. it uses the game's own nand_open and nand_read() functions to copy its elf loader from the nand into memory, and then jumps to that code.

it is that elf loader that is the black screen with white text that actually inits the SD card, looks for boot.elf, loads the file into memory, and runs it.
 
A

alexdodd

Member
Newcomer
Level 1
Joined
Jan 14, 2010
Messages
14
Trophies
0
XP
50
Country
It's all pretty impressive
smile.gif
 
FAST6191

FAST6191

Techromancer
Editorial Team
Level 33
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,321
Country
United Kingdom
A link you might find interesting
http://hackmii.com/2010/01/the-stm-release-exploit/

Also some of the newer exploits use similar methods else are more or less ports of some of the twilight hack code.

As for where that is always the problem with this sort of thing and indeed newer protection methods like DEP make use of this by scatting things around the memory and having the OS keep track of where it all effectively is (it more or less does this anyway in windows as part of how it works) but making it invisible to the program at large. Consoles mainly do this with cheats rather than for some measure of protection; see pointer codes and other such cheat prevention methods.

Still I am not sure it came down to it but there was also the GC version of this game and the GC was more or less entirely hacked when this was going down which would have allowed for some educated guesses. Nowadays the wii is more or less hacked and emulated so you have many options by which to debug things.

Other than that what giantpune said.
 
A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
caaraa said:
every time the game runs, it copies its save file to the same spot in memory.
18.games.jpg
44553433@N00.jpg
Click to expand...
Bang on!!So how do I know the 'spot in memory' address?I mean what value of address needs to be encoded in the jmp/call instruction of the loader program?
 
A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
giantpune said:
and jumps to team twiizers' code that is in the save file.
to jump you need to know the address right?what address value will be used?

QUOTE(giantpune @ Jun 5 2011, 06:42 AM) from there, it does a couple checks to see which version of the game is actually running. and based on that, it decides which addresses to use from the game itself. it uses the game's own nand_open and nand_read() functions to copy its elf loader from the nand into memory, and then jumps to that code
Click to expand...
From where?You meant after the "jump to team twiizers' code that is in the save file."? If yes, how did you know to which address to jump.
Or did you mean just after the overflow and when the 'return' happens?
 
A

amjad163

Member
OP
Newcomer
Level 1
Joined
Jun 4, 2011
Messages
6
Trophies
0
XP
6
Country
United States
FAST6191 said:
A link you might find interesting
http://hackmii.com/2010/01/the-stm-release-exploit/

Also some of the newer exploits use similar methods else are more or less ports of some of the twilight hack code.

As for where that is always the problem with this sort of thing and indeed newer protection methods like DEP make use of this by scatting things around the memory and having the OS keep track of where it all effectively is (it more or less does this anyway in windows as part of how it works) but making it invisible to the program at large. Consoles mainly do this with cheats rather than for some measure of protection; see pointer codes and other such cheat prevention methods.

Still I am not sure it came down to it but there was also the GC version of this game and the GC was more or less entirely hacked when this was going down which would have allowed for some educated guesses. Nowadays the wii is more or less hacked and emulated so you have many options by which to debug things.

Other than that what giantpune said.
Click to expand...
Thanks for the link..I will go through it..
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hardware  Help my Wii‘s broken !!!

Hacking Homebrew  OSCDL version 1.4.0

Wiiflow brings me back to sys menu... sometimes.

Emulation  Snes9x unacceptable input latency

All Channels Discussion

Hacking  Wii randonly slowing down mid-game

Hacking  AARTool for Wii archives

Iso Patch harder super mario bros wii

General chit-chat
Help Users
  • SylverReZ @ SylverReZ:
    :tpi:
  • Maximumbeans @ Maximumbeans:
    I can't believe you got me with that
     +1
  • SylverReZ @ SylverReZ:
    Lol
  • SylverReZ @ SylverReZ:
    I haven't been gaming for such a long time. Been mostly busy with sleep, hardware tinkering and checking GBAtemp frequently.
  • SylverReZ @ SylverReZ:
    Hope you've had a good morning.
  • Maximumbeans @ Maximumbeans:
    It's going alright thanks :) I know what you mean with gaming time. It's precious where I can get it these days.
     +1
  • Maximumbeans @ Maximumbeans:
    I think that's why I focus on just enjoying single player experiences that aren't too competitive
  • Maximumbeans @ Maximumbeans:
    How are you doing?
  • SylverReZ @ SylverReZ:
    There's also this thing where I'm hyperfocused at night and cannot get to sleep.
  • SylverReZ @ SylverReZ:
    @Maximumbeans, I'm doing alright, thanks.
     +1
  • Maximumbeans @ Maximumbeans:
    That must be rough. Productive I'm sure but hard to balance with daily life
     +1
  • SylverReZ @ SylverReZ:
    @Maximumbeans, Indeed. I've been working on getting this Infecutus chip to work on my PS2. But after soldering, I realised that a plastic piece was missing from the power ribbon cable to the power and eject buttons.
  • SylverReZ @ SylverReZ:
    Now I could go with soldering the contacts from the cable to the connector on the mobo, but doesn't sound like a good permanent solution.
  • Maximumbeans @ Maximumbeans:
    Man, that's beyond my brain :rofl: I'm no good with hardware for now. I'd like to get into hardmods in future though
  • SylverReZ @ SylverReZ:
    @Maximumbeans, Maybe start practice soldering. Get a cheap-ass soldering iron and follow some good YouTube tutorials.
     +1
  • SylverReZ @ SylverReZ:
    Least my experience has gotten better than over a decade ago. My iron would constantly bump into components and break them.
  • Maximumbeans @ Maximumbeans:
    Sounds good. I actually did soldering but like 16 years ago for school so uuuuh probably rusty haha
  • SylverReZ @ SylverReZ:
    @Maximumbeans, Same here. I did soldering at school from a teacher who I honestly liked since he had plenty of good electronics experience.
     +1
  • SylverReZ @ SylverReZ:
    https://www.youtube.com/watch?v=c7BVtGnlxT8
  • Maximumbeans @ Maximumbeans:
    I wish I could play chess well
     +1
  • Maximumbeans @ Maximumbeans:
    Useless but a true art
     +1
  • SylverReZ @ SylverReZ:
    @Maximumbeans, I had a friend who had a glass chess set for their birthday.
  • SylverReZ @ SylverReZ:
    It was like all clear and fancy. Tbf I'm not too experienced with chess, but would like to learn someday.
  • Maximumbeans @ Maximumbeans:
    That sounds really cool
  • Maximumbeans @ Maximumbeans:
    I know the basics but no strategy at all :rofl:
    Maximumbeans @ Maximumbeans: I know the basics but no strategy at all :rofl: