Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 159: | Line 159: | ||
|Carol Vorderman's Sudoku | |Carol Vorderman's Sudoku | ||
|Stack Buffer Overflow via unchecked string length | |Stack Buffer Overflow via unchecked string length | ||
|The | |The savefile stores plaintext profile & highscore names. There are no checks regarding the size-length of the profile & highscore names. Once can use a very large string to overwrite and gain control of the stack and jump to unsigned code. | ||
This vulnerability | This vulnerability was ported over to the PSP version of the game. See [https://github.com/ChampionLeake/SudokuSTACK here] | ||
|N/A | |N/A | ||
|December 2021 | |December 2021 | ||
|ChampionLeake | |ChampionLeake | ||
|- | |- | ||
|Star Wars Racer Revenge | |Star Wars Racer Revenge | ||
|Stack-Smash via unchecked "Record Name" length | |Stack-Smash via unchecked "Record Name" length | ||
|The game allows players | |The game allows players record their names when breaking lap records on a course. However, the size of the name is not checked. Using a very large name can overwrite addresses on the stack and gain control of the $ra, which can be used to jump to unsigned code. | ||
|N/A | |N/A | ||
|August 2023 | |August 2023 | ||
Line 214: | Line 214: | ||
* Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | * Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | ||
** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ||
* Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte | * Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte buffer | ||
** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ||
* buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | * buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | ||
Line 228: | Line 228: | ||
===== Official cheat codes ===== | ===== Official cheat codes ===== | ||
* It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | * It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | ||
* To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press | * To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press succesively the following cheat combos. The cheats remain in save data but some can be disabled at wish. The following cheat codes were found by looking at the debug strings of the binary files: | ||
** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ||
** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ||
Line 256: | Line 256: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ||
Line 267: | Line 264: | ||
=== Possible vulnerable games === | === Possible vulnerable games === | ||
==== World War Zero Iron Storm ==== | ==== World War Zero Iron Storm ==== | ||
Line 301: | Line 280: | ||
==== All FIFA games ==== | ==== All FIFA games ==== | ||
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | Possibly vulnerable FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | ||
==== List of other games ==== | ==== List of other games ==== | ||
See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. | See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. |