Editing Vulnerabilities
Latest revision | Your text | ||
Line 198: | Line 198: | ||
===== Bug Description ===== | ===== Bug Description ===== | ||
Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata. | Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata. | ||
===== Exploit Implementation ===== | ===== Exploit Implementation ===== | ||
Line 206: | Line 205: | ||
===== Save data format ===== | ===== Save data format ===== | ||
* The save data has no digest | * The save data has no digest. Strings can be modified and extended without making any crash. | ||
* The records pages data are stored as follows: for each record, signed int (4 bytes) for the time/most KO's | * The records pages data are stored as follows: for each record, signed int (4 bytes) for the time/most KO's, followed by ?22?-byte string. | ||
===== Bug description ===== | ===== Bug description ===== | ||
* To trigger the exploit, in the main menu, go to Options then Hall of Fame. The Hall of Fame will trigger the exploit when you go to the page where the player name was extended in save data to more than 256 characters as the code copies from save data the best players' names without checking length. | * To trigger the exploit, in the main menu, go to Options then Hall of Fame. The Hall of Fame will trigger the exploit when you go to the page where the player name was extended in save data to more than 256 characters as the code copies from save data the best players' names without checking length. | ||
* Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | * Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled |
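Review bot: the right-hand revision of the "Save data format" bullets introduces two claims that need tightening before they are published. The added sentence "Strings can be modified and extended without making any crash" reads as if extended strings are harmless, while the "Bug description" bullet below states that a player name over 256 characters overflows a stack buffer in the Hall of Fame; say instead that the game accepts the edited save because it has no digest or integrity check, and that the crash happens later when the name is copied without a length check. The added "followed by ?22?-byte string" leaves the record string length as a guessed value; either confirm the length from the save layout or mark it explicitly as unverified so readers do not treat it as a fixed offset.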