1. Anti

    OP Anti GBAtemp Regular
    Member

    Joined:
    Jan 15, 2008
    Messages:
    136
    Country:
    United States
    I was wondering, how does someone find a stack buffer overflow? Is it ripping and wading through tons of data until one is found? What does someone look for when looking for a stack buffer overflow location?
     
  2. fogbank

    fogbank GBAtemp Fan
    Member

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    If you were looking for a buffer overflow in a Wii game, for example, you would need to rip the game from the disc, decrypt it, and disassemble the executable (e.g. dol) file. Then you would need to identify an "unchecked" buffer in the program code, meaning a buffer that is assigned data without checking the length of the data first. Even then this is probably only useful if the data assigned to the buffer can somehow be manipulated by the user, like the name of a character's horse that the user supplies when playing the game. Otherwise the program itself would be assigning the data to the buffer, and it is unlikely that the game developers would exploit their own unchecked buffer. Once an unchecked buffer is found it has to be correctly exploited to inject user-generated code; otherwise the program would probably just crash.
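    As an added illustration of the "unchecked buffer" fogbank describes (this is example code, not anything from the thread or from a real game): a hypothetical routine that loads a user-supplied name from a save record, shown in its unchecked form beside a bounds-checked one. The `struct player` layout, `NAME_MAX` and the function names are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field for a user-supplied name (e.g. a horse's name). */
#define NAME_MAX 16

struct player {
    char name[NAME_MAX];
    int  hp;        /* sits right after the buffer; an overrun clobbers it */
};

/* The "unchecked" pattern a reviewer looks for: the save field is copied
   without ever consulting its length, so any field of NAME_MAX bytes or
   more runs past `name`. Kept only as the before-picture; never use it. */
void load_name_unchecked(struct player *p, const char *field)
{
    strcpy(p->name, field);   /* no length check at all */
}

/* Hardened version: refuse anything that would not fit with its
   terminator, then copy exactly the bytes that were validated. */
bool load_name_checked(struct player *p, const char *field, size_t field_len)
{
    if (field_len >= NAME_MAX)      /* need one byte for '\0' */
        return false;
    memcpy(p->name, field, field_len);
    p->name[field_len] = '\0';
    return true;
}

/* Audit helper: would a save field of this length overflow the buffer? */
bool field_overflows(size_t field_len)
{
    return field_len >= NAME_MAX;
}

int main(void)
{
    struct player p = { .name = "", .hp = 100 };
    /* Constructed sample save fields: one that fits, one that does not. */
    const char *ok  = "Epona";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes */
    printf("'%s' accepted: %d\n", ok,  load_name_checked(&p, ok,  strlen(ok)));
    printf("'%s' accepted: %d\n", bad, load_name_checked(&p, bad, strlen(bad)));
    printf("hp still intact: %d\n", p.hp);
    return 0;
}
```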
     
  3. WiiCrazy

    WiiCrazy Be water my friend!
    Member

    Joined:
    May 8, 2008
    Messages:
    2,392
    Country:
    To add, a game might use a string which it stored itself... That might be a static string from the game's binary, some calculated string, or similar... You can exploit the buggy code as long as you can modify that string. That is, the game gets the string from the savegame and you can bypass the checksum protection against savegame modification.

    So what can an average user do to find possible games to exploit?
    1. Categorize games and find those that accept user input for some string
    2. Extract the saves of different games and check the raw data for null-terminated (byte 0 in the C language) strings which the game might be copying into the savefile in certain phases of the game... Say in an RPG it might be the name of a location... In another game it might just be an adjective attributed to the player's character... anything... You can simplify the process using string-searching applications.

    Then a hacker can come along and indeed disassemble the code and see if there is a bug to exploit where those strings are used...

    PS: games should not be wifi-supporting ones; an exploit geared towards a wifi game is futile since a non-hacked Wii will not allow savegames of such games to be copied onto the system memory.
     
  4. FenrirWolf

    FenrirWolf GBAtemp Psycho!
    Member

    Joined:
    Nov 19, 2008
    Messages:
    4,347
    Country:
    United States
    I thought they let you copy Wifi game saves TO a Wii, but not FROM one. That's what I recall, anyway. Maybe I'm wrong.
     
  5. WiiCrazy

    WiiCrazy Be water my friend!
    Member

    Joined:
    May 8, 2008
    Messages:
    2,392
    Country:
    AFAIK, you can't copy them either way... If you can't copy them from a Wii then there shouldn't exist any save to copy to a Wii. Though EA's games are an exception. I guess that's because they use their own online system.
     
  6. SifJar

    SifJar Not a pirate
    Member

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    You CAN copy saves of WiFi games to an unmodded Wii, you just need to remove the NoCopy flag. In the decrypted save, there is a byte in the header.bin that makes it "NoCopy", changing it will allow it to be copied to any Wii with no issues. In a few games (only one I know of is COD:MWR) this causes the game to read the save as corrupted, but it definitely works in older games. Alternatively, you can install the save, and use Gecko OS's rebooter to copy the save, as in more recent versions of Gecko OS, this makes it remove the NoCopy flag from the save, rather than just ignore it.
     
  7. Drag0nflamez

    Drag0nflamez GBAtemp Regular
    Member

    Joined:
    Jun 20, 2009
    Messages:
    231
    Country:
    Netherlands
    Or you decrypt the savefile, get it into a hex editor and check for user-set things (like location, name). I guess this must have created the Twilight Hack. If you found a buffer overflow, you just put Twilight Hack code in the save, try it, then put it on HackMii including source code so others can port the save to other regions.

    And please, make the exploits for games available in every region (Korea should be ignored, because their Wii catalog is so small, they just got Wii Sports Resort, and every game in there can't be exploited, it seems)
     
  8. WiiCrazy

    WiiCrazy Be water my friend!
    Member

    Joined:
    May 8, 2008
    Messages:
    2,392
    Country:
    Well no one is working on a new exploit, we are just trying to answer the OP's question...
     
  9. SifJar

    SifJar Not a pirate
    Member

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    I'm fairly sure, as I'm pretty sure this is the reason the patch in the Gecko OS rebooter was changed, so it could be copied to unmodded Wiis. Although I had not heard of the nocopy folder before. I haven't looked into saves that much. That could be the downfall of this idea.
     
  10. WiiCrazy

    WiiCrazy Be water my friend!
    Member

    Joined:
    May 8, 2008
    Messages:
    2,392
    Country:
    Indeed, you can't copy the Internet Channel's save from NAND -> SD, but you can copy it by patching the System Menu. Then you can copy that save back from the SD card to NAND without doing any patching...

    BTW, possibly there are numerous attack vectors in the Internet Channel... Why? Its savefile is just some binary plus lots of configuration text... Still, it's not a good candidate for exploiting though.

    Tried one wifi game, Tatsunoko vs Capcom; the same way, it copies back perfectly... So FenrirWolf is right... To sum it up, it's possible to exploit wifi games too (unsure of those games that use nocopy folders... Tatsunoko was not one of them).
     
  11. SifJar

    SifJar Not a pirate
    Member

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    Sort of...it only works with Gecko OS's patch AFAIK, because it actually removes the NoCopy flag. If the NoCopy flag is intact (e.g. copied via Priiloader patched System Menu), the save won't be able to be copied to an unmodified Wii AFAIK.
     