Stack Buffer Overflows...?

Discussion in 'Wii - Hacking' started by Anti, Jul 23, 2010.

Jul 23, 2010

Stack Buffer Overflows...? by Anti at 8:47 PM (1,647 Views / 0 Likes) 10 replies

  1. Anti
    OP

    Member Anti GBAtemp Regular

    Joined:
    Jan 15, 2008
    Messages:
    136
    Location:
    Earth
    Country:
    United States
    I was wondering, how does someone find a stack buffer overflow? Is it ripping and wading through tons of data until one is found? What does someone look for when looking for a stack buffer overflow location?
     
  2. fogbank

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    If you were looking for a buffer overflow in a Wii game, for example, you would need to rip the game from the disc, decrypt it, and disassemble the executable (e.g. dol) file. Then you would need to identify an "unchecked" buffer in the program code, meaning a buffer that is assigned data without checking the length of the data first. Even then this is probably only useful if the data assigned to the buffer can somehow be manipulated by the user. Like the name of a character's horse that the user supplies when playing the game. Otherwise the program itself would be assigning the data to the buffer, and it is unlikely that the game developers would exploit their own unchecked buffer. Once an unchecked buffer is found it has to be correctly exploited to inject user generated code, otherwise the program would probably just crash.
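    fogbank's "unchecked buffer", as an added C example that is not code from this thread or from any game: a constructed 16-byte name field written with no length check, beside a version that measures the input (terminating NUL included) before copying anything. The field size, the function names and the "Epona" sample are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a 16-byte save field for a user-supplied name
 * (15 characters plus the terminating NUL). Not from any real game. */
#define NAME_FIELD_LEN 16

/* The "unchecked buffer" shape the post describes: the user string is
 * copied without ever comparing its length to the field, so a name of 16
 * or more characters writes past the end of `name` on the stack. Kept
 * here only to show the pattern; not for use with untrusted input. */
int store_name_unchecked(const char *user_name)
{
    char name[NAME_FIELD_LEN];
    strcpy(name, user_name);             /* no bound: stack overflow */
    return (int)strlen(name);
}

/* Hardened form: the destination is measured first and the check counts
 * the NUL terminator. Returns 0 on success, -1 when the input does not
 * fit or carries bytes a save name should never contain. */
int store_name_checked(const char *user_name, char *field, size_t field_len)
{
    if (field_len == 0)
        return -1;
    /* Look for the NUL within the first field_len bytes of the input.
     * No NUL there means the string is at least field_len characters:
     * one byte too long once the terminator is counted. */
    const char *nul = memchr(user_name, '\0', field_len);
    if (nul == NULL)
        return -1;
    size_t n = (size_t)(nul - user_name);
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)user_name[i]))
            return -1;                   /* reject control bytes etc. */
    memcpy(field, user_name, n + 1);     /* copies the NUL as well */
    return 0;
}

/* Convenience wrapper: 1 if the name fits a NAME_FIELD_LEN field, else 0. */
int name_fits(const char *user_name)
{
    char field[NAME_FIELD_LEN];
    return store_name_checked(user_name, field, sizeof field) == 0;
}
```

    The off-by-one case is the one worth remembering: a 16-character name "fits" 16 bytes only if you forget the terminator, which is exactly the mistake the bounded version catches.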
     
  3. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    To add, a game might use a string which it stored itself... That might be a static string from the game's binary, some calculated string or similar... You can exploit the buggy code as long as you can modify that string. That is, the game gets the string from the savegame and you can bypass the checksum protection against savegame modification.

    So what can an average user do to find possible games to exploit?
    1. Categorize games and find those that accept user input for some string
    2. Extract the saves of different games and check the raw data for null (byte 0 in C language) terminated strings which game might be copying into the savefile in certain phases in the game... Say in a rpg game it might be name of a location.. In another game it might just be an adjective attributed to the player's character... anything... You can simplify the process using string searching applications.

    Then a hacker can come along and indeed disassemble the code and see if there is a bug to exploit where those strings are used...

    ps: games should not be wifi supporting ones, an exploit geared towards a wifi game is futile since a non hacked wii will not allow savegames of such games to be copied on to the system memory.
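    WiiCrazy's step 2 (looking through a dumped save for NUL-terminated strings), as an added C example that is not code from this thread: a scanner over a small constructed save image that reports only printable runs actually closed by a 0 byte, which is the same check a developer can run over their own save format to see which text fields end up in the file. The sample layout, the field names and the function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>

struct cstring_hit { size_t offset, length; };   /* one NUL-terminated run */

/* Scan a decrypted save image for runs of at least min_len printable
 * ASCII bytes closed by a 0 byte, the shape the post suggests looking
 * for. Returns the total hit count; at most max_hits are stored. */
size_t find_cstrings(const unsigned char *buf, size_t len, size_t min_len,
                     struct cstring_hit *hits, size_t max_hits)
{
    size_t found = 0, i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && isprint(buf[i]))
            i++;
        size_t run = i - start;
        /* A printable tail with no NUL, or one cut off by end of file, is
         * not a C string the game could have copied in: skip it. */
        if (run >= min_len && i < len && buf[i] == 0) {
            if (found < max_hits) {
                hits[found].offset = start;
                hits[found].length = run;
            }
            found++;
        }
        i++;   /* step over the terminator or the non-printable byte */
    }
    return found;
}

/* Constructed sample image (not a real save format): binary header, a
 * 16-byte NUL-padded name field, a 2-byte counter, a location name, and
 * two stray printable bytes with no terminator. */
static const unsigned char sample_save[] = {
    0x00, 0x01, 0xff, 0xfe,                       /* header bytes  */
    'E','p','o','n','a',0,0,0,0,0,0,0,0,0,0,0,     /* name field    */
    0x00, 0x03,                                   /* counter       */
    'H','y','r','u','l','e',0,                    /* location name */
    'X','Y'                                       /* no terminator */
};

/* Helper over the sample: offset of hit n for a minimum length, or -1
 * if the scan produced fewer than n+1 hits. */
long sample_hit_offset(size_t min_len, size_t n)
{
    struct cstring_hit h[8];
    size_t c = find_cstrings(sample_save, sizeof sample_save, min_len, h, 8);
    return (n < c && n < 8) ? (long)h[n].offset : -1;
}
```

    Raising min_len is how you cut down the noise: with 4 the scan reports "Epona" (offset 4) and "Hyrule" (offset 22) and ignores the unterminated "XY", with 6 only "Hyrule" survives.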
     
  4. FenrirWolf

    Member FenrirWolf GBAtemp Psycho!

    Joined:
    Nov 19, 2008
    Messages:
    4,343
    Location:
    Beaverton, OR
    Country:
    United States
    I thought they let you copy Wifi game saves TO a Wii, but not FROM one. That's what I recall, anyway. Maybe I'm wrong.
     
  5. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    AFAIK, you can't copy them either way... If you can't copy them from a Wii then there shouldn't exist any save to copy to a Wii. Though EA's games are an exception. I guess that's because they use their own online system.
     
  6. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    You CAN copy saves of WiFi games to an unmodded Wii, you just need to remove the NoCopy flag. In the decrypted save, there is a byte in the header.bin that makes it "NoCopy", changing it will allow it to be copied to any Wii with no issues. In a few games (only one I know of is COD:MWR) this causes the game to read the save as corrupted, but it definitely works in older games. Alternatively, you can install the save, and use Gecko OS's rebooter to copy the save, as in more recent versions of Gecko OS, this makes it remove the NoCopy flag from the save, rather than just ignore it.
     
  7. Drag0nflamez

    Member Drag0nflamez GBAtemp Regular

    Joined:
    Jun 20, 2009
    Messages:
    231
    Location:
    127.0.0.1
    Country:
    Netherlands
    Or you decrypt the savefile, get it into a HEX editor and check for user set things (like location, name). I guess this must have created the Twilight Hack. If you found a buffer overflow, you just put twilight hack code in the save, try it then put it on Hackmii including source code so others can port the save to other regions.

    And please, make the exploits for games available in every region (Korea should be ignored, because their Wii catalog is so small, they just got Wii Sports Resort, and every game in there can't be exploited, it seems)
     
  8. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    Well no one is working on a new exploit, we are just trying to answer the OP's question...
     
  9. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    I'm fairly sure, as I'm pretty sure this is the reason the patch in the Gecko OS rebooter was changed, so it could be copied to unmodded Wiis. Although I had not heard of the nocopy folder before. I haven't looked into saves that much. That could be the downfall of this idea.
     
  10. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    Indeed,
    You can't copy Internet Channel's save from nand->sd but you can copy it patching system menu. Then you can copy that save back from sd card to nand without doing any patching...

    Btw, possibly there are numerous attack vectors in Internet Channel... Why? Its savefile is just some binary plus lots of configuration text... Still it's not a good candidate for exploiting though

    Tried one wifi game Tatsunoko vs Capcom, same way it copies back perfectly... So Fenrirwolf is right... To sum it up, it's possible to exploit wifi games too (unsure of those games that use nocopy folders...Tatsunoko was not one of them)
     
  11. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Sort of...it only works with Gecko OS's patch AFAIK, because it actually removes the NoCopy flag. If the NoCopy flag is intact (e.g. copied via Priiloader patched System Menu), the save won't be able to be copied to an unmodified Wii AFAIK.
     
