The Biggest Loser Exploit

This is the second exploit I have done on the DS/DSi. Unlike FIFA 07, this game has something special: it is a DSi Enhanced game. DSi Enhanced games run in DSi mode when played on a DSi (with some features disabled, of course, like SD access), but that is enough for our purposes.

Like the first exploit, this one is a stack smash overflow. The game stores some important information in the save game, like the player name, but there are some issues to fix before we can edit the save. Look at these pictures:

The red rectangle is our *special 4 bytes*: they change every time we change any information in the save file. The blue rectangle is our profile name (and our target as well). With this information in mind, the next step is digging into the game's assembly; there are some useful plugins for that. After some research in the game code I found some interesting functions. Here are the screens:

[Disassembly screenshots: the CRC32 function, its lookup table and the save check function]

So, looking at the first function, it is the one used to calculate the CRC32; the array next to it is the lookup table used in the CRC32 generation; the second function is the save game check: it verifies that the save has the GSID string (our magic number) and, if not, ignores it and starts a new one. So now we know that our 4 mysterious bytes are the CRC32 of the file. To calculate a CRC32 you can write a tool in any programming language, or just use a hex editor that supports CRC32 generation. By the way, our save game has this format:

#include <stdint.h>
typedef uint32_t u32;
typedef uint8_t  u8;
typedef struct save_game_header {
    u32 MAGIC_NUM;      // always 0x47534944 ("GSID")
    u32 CRC32;          // CRC32 of the save data
    u8  SAVE_GAME_SIZE; // save game size loaded by the game; the CRC32 is computed over this many bytes
} save_game_header;
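The save check described above, as an added worked example (not code from the page or from the St4rk repository): a table-driven CRC-32 (the table is the "array" seen in the disassembly), a checker that mirrors the magic-then-CRC logic, and a helper that refreshes the CRC after an edit. Assumptions not stated on the page: the game uses the standard reflected CRC-32 (polynomial 0xEDB88320, the one a hex editor's CRC32 function produces), the u32 fields are little-endian as on the ARM, and the CRC covers the SAVE_GAME_SIZE bytes immediately after the header. The sample save is constructed, not a real dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SAVE_MAGIC  0x47534944u  /* "GSID", the magic the save check looks for */
#define HDR_LEN     9            /* u32 magic + u32 crc32 + u8 size, packed */

enum { SAVE_OK = 0, SAVE_TOO_SHORT = -1, SAVE_NO_MAGIC = -2, SAVE_BAD_SIZE = -3, SAVE_BAD_CRC = -4 };

/* Assumption: standard reflected CRC-32 (poly 0xEDB88320, init and final XOR 0xFFFFFFFF).
 * The 256-entry table plays the role of the array seen next to the game's CRC function. */
static uint32_t crc_table[256];
static int crc_table_ready;

static void crc32_build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32_buf(const uint8_t *data, size_t len)
{
    if (!crc_table_ready) crc32_build_table();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ data[i]) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* Assumption: little-endian u32 fields, read and written byte-wise. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Mirrors the check the page describes: no magic means the game ignores the save;
 * otherwise the stored CRC must equal the CRC of SAVE_GAME_SIZE bytes.
 * Assumption: those bytes are the payload immediately after the header. */
int save_check(const uint8_t *save, size_t save_len)
{
    if (save_len < HDR_LEN) return SAVE_TOO_SHORT;
    if (rd32le(save) != SAVE_MAGIC) return SAVE_NO_MAGIC;
    size_t body_len = save[8];
    if (HDR_LEN + body_len > save_len) return SAVE_BAD_SIZE;
    uint32_t stored = rd32le(save + 4);
    uint32_t actual = crc32_buf(save + HDR_LEN, body_len);
    return stored == actual ? SAVE_OK : SAVE_BAD_CRC;
}

/* Recomputes the CRC after an edit. This is why a CRC detects corruption but not
 * tampering: whoever can write the file can refresh it; only a keyed MAC or a
 * signature would tie the check to something the editor does not hold. */
int save_fix_crc(uint8_t *save, size_t save_len)
{
    if (save_len < HDR_LEN || HDR_LEN + (size_t)save[8] > save_len) return SAVE_BAD_SIZE;
    wr32le(save + 4, crc32_buf(save + HDR_LEN, save[8]));
    return SAVE_OK;
}

/* Builds a constructed sample save (not a real dump): header, then a payload
 * holding the profile name followed by zero padding. Returns the total length. */
size_t build_demo_save(uint8_t *out, size_t out_len, const char *name, uint8_t body_len)
{
    if (out_len < HDR_LEN + (size_t)body_len) return 0;
    memset(out, 0, HDR_LEN + body_len);
    wr32le(out, SAVE_MAGIC);
    out[8] = body_len;
    strncpy((char *)out + HDR_LEN, name, body_len);
    save_fix_crc(out, HDR_LEN + body_len);
    return HDR_LEN + body_len;
}

/* Walks the sequence end to end: a fresh save passes, an edited name is caught
 * by the CRC, and refreshing the CRC makes it pass again. Returns 1 on success. */
int demo_edit_and_recheck(void)
{
    uint8_t save[64];
    size_t n = build_demo_save(save, sizeof save, "PLAYER", 32);
    if (n == 0 || save_check(save, n) != SAVE_OK) return 0;
    save[HDR_LEN] = 'X';                                 /* change one byte of the profile name */
    if (save_check(save, n) != SAVE_BAD_CRC) return 0;   /* the stale CRC flags the edit */
    save_fix_crc(save, n);
    return save_check(save, n) == SAVE_OK;
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n", crc32_buf((const uint8_t *)"123456789", 9));
    printf("edit/recheck sequence: %s\n", demo_edit_and_recheck() ? "ok" : "FAILED");
    return 0;
}
```

The `"123456789"` check value (0xCBF43926) is the standard CRC-32 test vector; if the game's function gives a different value for the same input, the polynomial or init/xorout assumption is wrong and the table would need to be rebuilt from the constants visible in the disassembly.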

Now that we can edit the save, we just need to modify the profile name to do a stack smash overflow: we overflow the stack up to where our link register is saved (LR is a special-purpose register in ARM that holds the return address). With control of LR we can jump to any address, in this case the address where our code is stored (a hint: use a good emulator, like no$gba, to find the address where the save containing our code is loaded), and finally we have code running. Of course there are some limitations: the EEPROM only has 8Kb of memory, but even with that it was possible to port DSLink and run bigger files over Wi-Fi. Big thanks to Mr.Murphy; you can find the version with DSLink here.

You can also find an example on my GitHub: https://github.com/St4rk/The-Biggest-Loser

5 Responses to The Biggest Loser Exploit

  1. tux1 says:

    Hello, about the exploited game, is it “The Biggest Loser USA”? I couldn’t find this game without “USA” in the title, in both the EU and US versions. Thanks in advance.

  2. st4rk says:

    IIRC it was the USA version. I have two cards here with the USA version but didn’t try with them. I only tried with the flashcard :p

  3. tux1 says:

    Thank you for the information. What do you think, will it be possible to gain SD card access with this exploit in the future? I’m not asking if somebody is going to do this, but if it is technically possible to gain SD access with this exploit. Thanks in advance.

  4. st4rk says:

    I don’t think so. As far as I know the SD Access is disabled when the game starts and afaik² you can’t enable it again.

  5. tux1 says:

    Thanks for the reply. I wonder if it’s about the DSi header and cartridge communication protocol or a hand-coded policy in the firmware. I mean, if Cyclo iEvolution does support DSi mode and was advertised as a cartridge with homebrew and commercial ROM support with enabled access to additional functionality, namely the camera AND the Secure Digital memory card, then maybe it is possible to re-enable this. Maybe not in the form of an exploit, but in the form of a custom-built flashcard. I don’t have an iEvo, but it would be really nice if somebody with this flashcard would say a word about whether it does allow SD access. If not, maybe it’s really true that only DSiWare has SD access. If yes, then it’s quite sad.

    Anyway, thanks for all. 🙂
