Stack Buffer Overflows...?

Discussion in 'Wii - Hacking' started by Anti, Jul 23, 2010.

  1. Anti
    OP

    Anti GBAtemp Regular

    I was wondering, how does someone find a stack buffer overflow? Is it ripping and wading through tons of data until one is found? What does someone look for when looking for a stack buffer overflow location?
     
  2. fogbank

    fogbank GBAtemp Fan

    If you were looking for a buffer overflow in a Wii game, for example, you would need to rip the game from the disc, decrypt it, and disassemble the executable (e.g. dol) file. Then you would need to identify an "unchecked" buffer in the program code, meaning a buffer that is assigned data without checking the length of the data first. Even then this is probably only useful if the data assigned to the buffer can somehow be manipulated by the user. Like the name of a character's horse that the user supplies when playing the game. Otherwise the program itself would be assigning the data to the buffer, and it is unlikely that the game developers would exploit their own unchecked buffer. Once an unchecked buffer is found it has to be correctly exploited to inject user-generated code, otherwise the program would probably just crash.
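    An added illustration (not code from this thread or from any game) of the "unchecked buffer" described above: a name field read from a save file is copied into a fixed-size stack buffer once without a length check and once with one. The 16-byte buffer and the sample save fields are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* size of the in-game name buffer (assumed) */

/* Vulnerable pattern: the save's name field is copied into a fixed stack
 * buffer until its NUL terminator, with no check against the destination
 * size.  A field longer than NAME_MAX-1 bytes overwrites whatever follows
 * 'name' on the stack.  Kept here for contrast; not called by the demo. */
void load_name_unchecked(const char *save_field)
{
    char name[NAME_MAX];
    strcpy(name, save_field);          /* no bound on the copy */
    (void)name;
}

/* Hardened version: measure the field (never reading past the save record
 * itself) and reject the record if it would not fit with its terminator.
 * Returns 0 on success, -1 when the field is unterminated or too long. */
int load_name_checked(const char *save_field, size_t field_max,
                      char *out, size_t out_size)
{
    size_t len = 0;
    while (len < field_max && save_field[len] != '\0')
        len++;
    if (len == field_max || len + 1 > out_size)
        return -1;                     /* unterminated or over-long: reject */
    memcpy(out, save_field, len);
    out[len] = '\0';
    return 0;
}

/* Constructed save fields (not from any real game) for the demonstration. */
static const char good_field[32] = "Epona";
static const char bad_field[32]  = "AAAAAAAAAAAAAAAAAAAA";   /* 20 A's */

/* Returns 1 when the short name loads and the over-long one is refused. */
int demo(void)
{
    char name[NAME_MAX];
    int ok  = load_name_checked(good_field, sizeof good_field, name, sizeof name);
    int bad = load_name_checked(bad_field,  sizeof bad_field,  name, sizeof name);
    return ok == 0 && bad == -1;
}
```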
     
  3. WiiCrazy

    WiiCrazy Be water my friend!

    To add, a game might use a string which it stored itself... That might be a static string from the game's binary, some calculated string or similar... You can exploit the buggy code as long as you can modify that string. That is, the game gets the string from the savegame and you can bypass the checksum protection against savegame modification.

    So what can an average user do to find possible games to exploit?
    1. Categorize games and find those that accept user input for some string
    2. Extract the saves of different games and check the raw data for null-terminated (byte 0 in the C language) strings which the game might be copying into the savefile in certain phases of the game... Say in an RPG it might be the name of a location.. In another game it might just be an adjective attributed to the player's character... anything... You can simplify the process using string searching applications.

    Then a hacker can come along and indeed disassemble the code and see if there is a bug to exploit where those strings are used...

    PS: games should not be wifi-supporting ones, an exploit geared towards a wifi game is futile since a non-hacked Wii will not allow savegames of such games to be copied onto the system memory.
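    As an added example (not code from this thread), a small C scanner for step 2 above: it walks a constructed stand-in for a decrypted save file and picks out the NUL-terminated printable runs, i.e. the fields a reviewer would then trace to the code that copies them. The sample bytes, the 4-byte minimum run and the 32-byte result slots are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a decrypted save file: binary fields with a few
 * NUL-terminated text strings mixed in (not any real game's layout). */
static const unsigned char sample_save[] = {
    0x00, 0x01, 0x02, 0x03, 0xff, 0xfe,
    'K','a','k','a','r','i','k','o', 0x00,   /* location name */
    0x10, 0x00, 0x00, 0x7f,
    'E','p','o','n','a', 0x00,               /* horse name */
    0x41, 0x00,                              /* lone 'A': below MIN_LEN */
    'B','r','a','v','e', 0xff,               /* no NUL terminator: skipped */
    0x00
};

#define MIN_LEN 4   /* shortest run worth reporting (assumed) */

/* Collect runs of at least MIN_LEN printable bytes that end in a NUL.
 * Each hit is copied into out[] (31 bytes max); returns the number found. */
size_t find_c_strings(const unsigned char *data, size_t size,
                      char out[][32], size_t max_out)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i < size && found < max_out; i++) {
        if (isprint(data[i]))
            continue;                        /* still inside a printable run */
        size_t run = i - start;
        if (data[i] == '\0' && run >= MIN_LEN && run < 32) {
            memcpy(out[found], data + start, run);
            out[found][run] = '\0';
            found++;
        }
        start = i + 1;                       /* run ended by NUL or binary byte */
    }
    return found;
}

/* Runs the scanner over the constructed save; expected hits are
 * "Kakariko" and "Epona" (the unterminated "Brave" is not reported). */
size_t demo(char out[][32], size_t max_out)
{
    return find_c_strings(sample_save, sizeof sample_save, out, max_out);
}
```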
     
  4. FenrirWolf

    FenrirWolf GBAtemp Psycho!

    I thought they let you copy Wifi game saves TO a Wii, but not FROM one. That's what I recall, anyway. Maybe I'm wrong.
     
  5. WiiCrazy

    WiiCrazy Be water my friend!

    AFAIK, you can't copy them either way... If you can't copy them from a Wii then there shouldn't exist any save to copy to a Wii. Though EA's games are an exception. I guess that's because they use their own online system.
     
  6. SifJar

    SifJar Not a pirate

    You CAN copy saves of WiFi games to an unmodded Wii, you just need to remove the NoCopy flag. In the decrypted save, there is a byte in the header.bin that makes it "NoCopy", changing it will allow it to be copied to any Wii with no issues. In a few games (only one I know of is COD:MWR) this causes the game to read the save as corrupted, but it definitely works in older games. Alternatively, you can install the save, and use Gecko OS's rebooter to copy the save, as in more recent versions of Gecko OS, this makes it remove the NoCopy flag from the save, rather than just ignore it.
     
  7. Drag0nflamez

    Drag0nflamez GBAtemp Regular

    Or you decrypt the savefile, get it into a hex editor and check for user-set things (like location, name). I guess this must have created the Twilight Hack. If you found a buffer overflow, you just put Twilight Hack code in the save, try it, then put it on HackMii including source code so others can port the save to other regions.

    And please, make the exploits for games available in every region (Korea should be ignored, because their Wii catalog is so small, they just got Wii Sports Resort, and every game in there can't be exploited, it seems).
     
  8. WiiCrazy

    WiiCrazy Be water my friend!

    Well no one is working on a new exploit, we are just trying to answer the OP's question...
     
  9. SifJar

    SifJar Not a pirate

    I'm fairly sure, as I'm pretty sure this is the reason the patch in the Gecko OS rebooter was changed, so it could be copied to unmodded Wiis. Although I had not heard of the NoCopy folder before. I haven't looked into saves that much. That could be the downfall of this idea.
     
  10. WiiCrazy

    WiiCrazy Be water my friend!

    Indeed,
    You can't copy Internet Channel's save from NAND->SD but you can copy it by patching the System Menu. Then you can copy that save back from SD card to NAND without doing any patching...

    Btw, possibly there are numerous attack vectors in Internet Channel... Why? Its savefile is just some binary plus lots of configuration text... Still it's not a good candidate for exploiting though.

    Tried one wifi game, Tatsunoko vs Capcom, same way: it copies back perfectly... So FenrirWolf is right... To sum it up, it's possible to exploit wifi games too (unsure of those games that use NoCopy folders... Tatsunoko was not one of them).
     
  11. SifJar

    SifJar Not a pirate

    Sort of...it only works with Gecko OS's patch AFAIK, because it actually removes the NoCopy flag. If the NoCopy flag is intact (e.g. copied via Priiloader patched System Menu), the save won't be able to be copied to an unmodified Wii AFAIK.