Why Zelda?

WiiCrazy

http://log.hackmii.com/?d=8&m=8&y=2008

It's said that Zelda has debug symbols on the disc, which makes debugging easier... It's a good reason to choose Zelda...

Now with today's accomplishments it's a whole lot easier to create a save exploit... one with a debugging device like the USB Gecko and the necessary skills can create a similar hack, maybe even using the tweezers' original chainloader, without much hassle...

But today it's just totally unnecessary; just buy or rent Zelda...
 

WiiPower

WiiCrazy said:
http://log.hackmii.com/?d=8&m=8&y=2008

It's said that Zelda has debug symbols on the disc, which makes debugging easier... It's a good reason to choose Zelda...

Now with today's accomplishments it's a whole lot easier to create a save exploit... one with a debugging device like the USB Gecko and the necessary skills can create a similar hack, maybe even using the tweezers' original chainloader, without much hassle...

But today it's just totally unnecessary; just buy or rent Zelda...

Does the USB Gecko work without Gecko OS?
 

WiiCrazy

Guess you can use it... the Homebrew Channel uses it... the USB Gecko is not much different from a GameCube controller attached to the Wii; if you send the correct data to it, it will just transfer that through USB...

But if you are talking about hooking the game, of course you should use Gecko OS... but if you are exploiting the game through a save, the first step is actually hooking the game... which of course you can simplify by simulating the hook with Gecko OS patches instead of getting the modified save onto the Wii every time...
 

WiiPower

That's what I thought. Without the Twilight Hack you weren't able to debug Wii games; that's why they used the GameCube version of Zelda.
 

cracker

WiiPower said:
cracker said:
1. As mentioned before, it was an upgraded version of the GC version, so it possibly had the same exploitable code in it

It's not an upgraded version; both versions were developed as one game with only two differences: the controls, and that they are mirror-inverted.


I would consider the controls an upgrade...

WiiPower said:
WiiCrazy said:
http://log.hackmii.com/?d=8&m=8&y=2008

It's said that Zelda has debug symbols on the disc, which makes debugging easier... It's a good reason to choose Zelda...

Now with today's accomplishments it's a whole lot easier to create a save exploit... one with a debugging device like the USB Gecko and the necessary skills can create a similar hack, maybe even using the tweezers' original chainloader, without much hassle...

But today it's just totally unnecessary; just buy or rent Zelda...

Does the USB Gecko work without Gecko OS?

Yes, but you can't remotely debug without using Gecko OS to hook and boot the game with WiiRD.
 

kytran

lolol I borrowed the game from a guy at work, and still have it... almost 2 years... guess he was happy 'cause I set him up with Gamma as well. Why need the disc?
 

WiiCrazy

WiiPower said:
That's what I thought. Without the Twilight Hack you weren't able to debug Wii games; that's why they used the GameCube version of Zelda.


I posted a reply to this, but it seems it ended up in /dev/null...

So basically it can't be the GameCube disc that they worked on, since the GameCube has limited hardware and the actual hack would be running in Wii mode...

Also, they previously had the means of running unsigned code through Trucha-signed discs with a modchip...

And finally, getting unsigned code running on the Wii is not enough to produce the actual hack... the harder thing is to code something that loads something else and does stuff, and that is what actually needs the debugging...
 

WiiPower

WiiCrazy said:
WiiPower said:
That's what I thought. Without the Twilight Hack you weren't able to debug Wii games; that's why they used the GameCube version of Zelda.


I posted a reply to this, but it seems it ended up in /dev/null...

So basically it can't be the GameCube disc that they worked on, since the GameCube has limited hardware and the actual hack would be running in Wii mode...

Also, they previously had the means of running unsigned code through Trucha-signed discs with a modchip...

And finally, getting unsigned code running on the Wii is not enough to produce the actual hack... the harder thing is to code something that loads something else and does stuff, and that is what actually needs the debugging...

They debugged the GameCube game, found the exploit, and then somehow figured out how to use this overflow on Wii hardware. This is still difficult, but with the debugging of the GameCube version they knew where to look.
 

raulpica

WiiPower said:
WiiCrazy said:
WiiPower said:
That's what I thought. Without the Twilight Hack you weren't able to debug Wii games; that's why they used the GameCube version of Zelda.


I posted a reply to this, but it seems it ended up in /dev/null...

So basically it can't be the GameCube disc that they worked on, since the GameCube has limited hardware and the actual hack would be running in Wii mode...

Also, they previously had the means of running unsigned code through Trucha-signed discs with a modchip...

And finally, getting unsigned code running on the Wii is not enough to produce the actual hack... the harder thing is to code something that loads something else and does stuff, and that is what actually needs the debugging...

They debugged the GameCube game, found the exploit, and then somehow figured out how to use this overflow on Wii hardware. This is still difficult, but with the debugging of the GameCube version they knew where to look.
Actually, they debugged Zelda Wii by patching it to output debug info (the disc was Trucha-signed), discovered the stack-smash vulnerability, created a faulty save, and there's the TP hack.

It seems to me that they haven't used the GC version at all.
 

WiiCrazy

WiiPower said:
They debugged the GameCube game, found the exploit, and then somehow figured out how to use this overflow on Wii hardware. This is still difficult, but with the debugging of the GameCube version they knew where to look.

The application in the GameCube game and the Wii one do not match; how could they possibly find the exploit by debugging the GameCube game?

So you know, when you change a lot of things in a program and recompile, lots of changes occur in the underlying assembly code... That kind of hacking is done at the assembly level...

It doesn't seem rational to me...

You can find a similar exploit just by modifying the savefile of games that rely on the user's text entry: change the text to a lengthy one and expect the game to crash...
That's the part where you are finding the exploit... You don't need to debug anything for this step...

If you happen to create a nice crash in which you actually get data into the executing code's space, then you try diverting that code into the other part of your code in the savefile...

The second step needs the debugging and should be done on the actual wii game...
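The bug class WiiCrazy describes above (a text entry stored in the save file that is longer than the buffer the game copies it into) comes down to a loader that trusts a length it read from the file. The C program below is an added example, not code from this thread or from any real game: the save layout, the 16-byte buffer size and the sample names are constructed. It shows the unsafe copy pattern next to a loader that bounds the copy by both the bytes actually present in the save image and the size of the destination, and refuses a name that does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the game's in-memory name buffer (constructed value). */
#define NAME_BUF 16

/* A name field as this example models it inside a loaded save image:
 * a pointer to the bytes plus how many bytes the field occupies there. */
struct save_record {
    const unsigned char *name_field;
    size_t field_len;
};

/* Unsafe pattern: the NUL terminator comes from the file, so a crafted save
 * decides how many bytes land in the 16-byte stack buffer. An overlong name
 * overruns `name` and whatever the compiler placed above it on the stack.
 * Kept only to show the defect; nothing below calls it. */
size_t load_name_unsafe(const struct save_record *rec)
{
    char name[NAME_BUF];
    strcpy(name, (const char *)rec->name_field);   /* unbounded copy */
    return strlen(name);
}

/* Hardened loader: look for the terminator only within what is both present
 * in the save image and able to fit in `dst`; refuse anything else.
 * Returns the name length on success, or -1 if the field is oversized or
 * unterminated. `dst` is left untouched on failure. */
int load_name_checked(const struct save_record *rec, char *dst, size_t dst_len)
{
    size_t limit = rec->field_len < dst_len ? rec->field_len : dst_len;
    const unsigned char *nul = memchr(rec->name_field, '\0', limit);
    if (nul == NULL)
        return -1;                                /* would not fit, or no NUL */
    size_t len = (size_t)(nul - rec->name_field);
    memcpy(dst, rec->name_field, len + 1);        /* copies the terminator too */
    return (int)len;
}

/* Demonstration helper: wrap a constructed field and run the checked loader
 * against a NAME_BUF-sized destination. */
int try_name(const char *field, size_t field_len)
{
    char out[NAME_BUF];
    struct save_record rec = { (const unsigned char *)field, field_len };
    return load_name_checked(&rec, out, sizeof out);
}

int main(void)
{
    /* Constructed inputs, not real save data. */
    printf("short name   -> %d\n", try_name("Epona", 6));                          /* 5 */
    printf("15 chars     -> %d\n", try_name("AAAAA" "AAAAA" "AAAAA", 16));         /* 15: the longest that fits */
    printf("16 chars     -> %d\n", try_name("AAAAA" "AAAAA" "AAAAA" "A", 17));     /* -1: no room for the NUL */
    printf("unterminated -> %d\n", try_name("Epona", 4));                          /* -1: NUL outside the field */
    return 0;
}
```

The point of `limit` is that the loader never reads past the end of the save image and never writes past the end of its own buffer, whichever is smaller; the 16-character case shows the off-by-one that a `strncpy`-style fix with the wrong size would still miss.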
 

raulpica

Maybe I was too cryptic in my previous post.

So... here's how it really went (I took the two most explanatory quotes from this log):
bushing said:
22:16:19 no, more like "unspecified source of decrypted update partition" -> unencrypted IOS -> discovery of starlet -> understanding of how discs are signed and encrypted in general (H0-H4), discovery of strncmp bug
-> tweezer attack -> retail AES common key -> patched Lego Star Wars disc
Bushing found a way to get a decrypted update partition and, by examining it, they discovered some traces of ARM code in the disassembly. That was the discovery of Starlet.
With that, they understood how discs are signed and encrypted, and discovered that there was a signing bug. By using the tweezer attack, they got the keys.
Knowing about the signing bug and having the keys, they could actually fake-sign discs.

That was just before the 24C3. After that...
dasda said:
18:34:39 and the twilight hack: tweezers => keys => decrypted disc => decrypted ios => trucha bug => patch zelda to output debug info => create faulty save => mess around.
Having the Trucha bug, they just took Zelda, decrypted the disc, and patched the game to output debug info. By looking at the debug info, they found the vulnerability in Epona's name. Creating a faulty savegame, they stack-smashed the game and ran arbitrary code through it. That's how the TP hack was created.

Nice story, huh?
I hope I haven't made any errors in the explanation.
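The "strncmp bug" in bushing's line is the signature-check weakness the rest of the thread calls the Trucha bug: the expected and computed hashes were compared with a string function, so a zero byte ends the comparison early and two digests that merely share a leading 0x00 are treated as equal. The C program below is an added example, not code from this thread or from the Wii's IOS; the 20-byte digests are constructed values, not real hashes. It puts the string-style comparison next to the fixed-length comparison that binary data needs.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20   /* SHA-1 digest length */

/* Weak check: treats the digests as C strings, so the comparison stops at the
 * first 0x00 byte in either operand and everything after it is ignored. */
int hashes_match_strncmp(const unsigned char *expected, const unsigned char *actual)
{
    return strncmp((const char *)expected, (const char *)actual, HASH_LEN) == 0;
}

/* Correct check: compares every byte of the fixed-length digest. */
int hashes_match_memcmp(const unsigned char *expected, const unsigned char *actual)
{
    return memcmp(expected, actual, HASH_LEN) == 0;
}

/* Constructed digests for the demonstration (not real hashes).
 * A and B both begin with 0x00 and differ in every later byte;
 * C is A with a non-zero first byte. */
const unsigned char DIGEST_A[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
const unsigned char DIGEST_B[HASH_LEN] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d, 0x12,
    0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf1, 0x23, 0x45, 0x67 };
const unsigned char DIGEST_C[HASH_LEN] = {
    0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };

/* Does the weak check accept two different digests that share a leading zero? */
int weak_accepts_zero_prefixed_mismatch(void)
{
    return hashes_match_strncmp(DIGEST_A, DIGEST_B);   /* 1: wrongly equal */
}

/* Does the weak check still reject a mismatch when no zero byte cuts it short? */
int weak_rejects_nonzero_mismatch(void)
{
    return hashes_match_strncmp(DIGEST_C, DIGEST_B) == 0;   /* 1: rejected */
}

/* Does the fixed-length check reject the same zero-prefixed mismatch? */
int strict_rejects_zero_prefixed_mismatch(void)
{
    return hashes_match_memcmp(DIGEST_A, DIGEST_B) == 0;    /* 1: rejected */
}

/* Both checks accept an identical digest. */
int both_accept_identical(void)
{
    return hashes_match_strncmp(DIGEST_A, DIGEST_A) && hashes_match_memcmp(DIGEST_A, DIGEST_A);
}

int main(void)
{
    printf("strncmp, A vs B (both start 0x00): %s\n",
           hashes_match_strncmp(DIGEST_A, DIGEST_B) ? "MATCH (wrong)" : "mismatch");
    printf("memcmp,  A vs B (both start 0x00): %s\n",
           hashes_match_memcmp(DIGEST_A, DIGEST_B) ? "match" : "mismatch (correct)");
    printf("strncmp, C vs B (C starts 0x01):   %s\n",
           hashes_match_strncmp(DIGEST_C, DIGEST_B) ? "match" : "mismatch");
    return 0;
}
```

The lesson generalises beyond this one console: `strcmp`/`strncmp` stop at the first NUL, so they are never a correct equality test for hashes, keys or any other binary blob. `memcmp` fixes the early termination; where the comparison involves a secret value, a constant-time compare is the better choice on top of that.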
 

Katie

Hello!
Sorry if this question was already asked, but if I buy a brand-new Zelda in a store, will it be debugged?
Thanks
I am a total newbie and trying to understand how all this works ;-)
 

WiiPower

raulpica said:
That was just before the 24C3. After that...
dasda said:
18:34:39 and the twilight hack: tweezers => keys => decrypted disc => decrypted ios => trucha bug => patch zelda to output debug info => create faulty save => mess around.
Having the Trucha bug, they just took Zelda, decrypted the disc, and patched the game to output debug info. By looking at the debug info, they found the vulnerability in Epona's name. Creating a faulty savegame, they stack-smashed the game and ran arbitrary code through it. That's how the TP hack was created.

Nice story, huh?
I hope I haven't made any errors in the explanation.

Thank you, I really thought they used the GameCube version.
 

raulpica

Katie said:
Hello!
Sorry if this question was already asked, but if I buy a brand-new Zelda in a store, will it be debugged?
Thanks
I am a total newbie and trying to understand how all this works ;-)
Don't worry, every copy of Zelda Wii out there works perfectly.


WiiPower said:
Thank you, I really thought they used the GameCube version.

You're welcome. Glad to have been helpful.
 

snikerz

Well, if you go and buy Zelda you will be able to execute the Twilight Hack and install the Homebrew Channel. Debugging is a completely different story!
 

Katie

Thanks!!! I feel so "newbie" ;-) Now I have to understand how to downgrade from 3.4 to 3.2 ;-) I am actively reading topics... sounds complicated!
Thanks again!
 

cracker

Katie said:
Thanks!!! I feel so "newbie" ;-) Now I have to understand how to downgrade from 3.4 to 3.2 ;-) I am actively reading topics... sounds complicated!
Thanks again!

Do you have a chip or the Homebrew Channel installed already? If not, then you can't downgrade (yet).
 

Katie

No, my Wii is new!!! Argggggg

But thanks for the information! (I love the "yet")
Do you then advise me to wait before buying Zelda, or to put in a chip?
 
