Wii exploit idea! (Involving SSBB)

Im probably sure you guys know that we can convert our SSBB snapshots files to regular picture files to use in our PC, but what if we try a TIFF exploit... (forgive if i sound like an idiot, im only 13) all we do is make the picture be able to crash the Wii then hopefully convert the picture back to a BIN file place it in the snapshot folder of our SD card load it in smash bros and possibly do something similar to tue twilight hack

please feel free to express your thoughts!

AFAIK there is no way to convert pictures to bin files for SSBB, only the other way around

:/ i feel like a complete idiot...
thanks anyway for clearing that up :D

Don't feel like an idoit!
You're 13 and already know more than bunch of people on these forums (including me).

Quote
bg4545
AFAIK there is no way to convert pictures to bin files for SSBB, only the other way around

I strongly disagree. It can work both ways.

The question is: is SSBBB picture render code vulnerable?
Can you create picture data, that crash the game, which would be a good indicator, that there could (!) be an exploit.

Well would you want to put pictures onto SSBB anyway, we've already got photo channel?

By the way i'm only 14 and i'm not an idiot :D

Quote
daniel_c_w

Quote
bg4545
AFAIK there is no way to convert pictures to bin files for SSBB, only the other way around

I strongly disagree. It can work both ways.

The question is: is SSBBB picture render code vulnerable?
Can you create picture data, that crash the game, which would be a good indicator, that there could (!) be an exploit.

I meant that no one has made a way to convert pictures to .bin, not that it's impossible.

@Kezza826
We're talking about the screenshots in Brawl being exploited, not just putting pictures on there...

You can find the source code for bin2jpeg on its creator's site:

Now it justs needs to be inverted.

// .out to jpg converter -- by GTCoder, with tons of help from segher, and a big breakthrough by Ondo
//
// License:
//
// You can modify the code as long as you credit the source.
// You can distribute the code.
// You can distribute binaries of the code.
// You CANNOT sell it.
// No guarantee is made for the code's fitness for any particular purpose.
// -GTCoder

#include 
#include 
#include 

// Increases the size of the buffer by two, given the length, and adjusts the length's value.
// Returns 0 for success, and -1 for failure.
int increase_buffer_size(unsigned char **buffer, unsigned int *buffersize) {
    if(buffer == NULL || *buffer == NULL || buffersize == NULL) {
        printf("Error:  Invalid pointers passed when trying to increase buffer size!\n");
        return -1;
    }
    *buffersize = (*buffersize) *  2; // increase buffer size by 2
    *buffer = realloc(*buffer, *buffersize);
    if(buffer == NULL) {
        printf("Error:  Unable to allocate memory.\n");
        return -1;
    }
    else {
        return 0;
    }
}

char *decode_lzss_stuff(FILE *fp_i, unsigned int *length_ptr) {
    unsigned char *outbuffer; // decoded data
    unsigned int buffersize = 128000; // arbitrary initial size
    unsigned char controlbyte;
    unsigned int bufferindex = 0;
    unsigned int i; // used for looping
    unsigned char tempbuffer[10]; // actually only 2-4 bytes should be needed
    unsigned int num_bytes_to_copy;
    unsigned int backwards_offset;
    int copy_start_index;
    unsigned int copy_counter;

    outbuffer = malloc(buffersize);
    if(outbuffer == NULL) {
        printf("Error:  Unable to allocate memory.\n");
        return NULL;
    }

    while(!feof(fp_i)) {
        // Give a big safety margin for fun.  If we get close to it later, we'll realloc midstream.
        if(bufferindex > (buffersize-0x10000)) {
            if(increase_buffer_size(&outbuffer, &buffersize) != 0) {
                printf("Fatal error -- couldn't get enough memory.\n");
                return NULL;
            }
        }
        controlbyte = fgetc(fp_i);
        if(feof(fp_i)) {
            continue;
        }
        //printf("Control byte:  0x%02x\n", controlbyte);
        for(i = 0; i < 8; i++) {
            if(controlbyte & (0x80 >> i)) {
                // decode encoded data
                tempbuffer[0] = fgetc(fp_i);
                tempbuffer[1] = fgetc(fp_i);
                // if the first nibble is 0, get a third byte
                if((tempbuffer[0] & 0xF0) == 0) {
                    tempbuffer[2] = fgetc(fp_i);
                    //printf("0x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2]);
                    num_bytes_to_copy = (((unsigned int) tempbuffer[0]) * 0x10) + (tempbuffer[1] >> 4) + 0x11;
                    backwards_offset = (((unsigned int) (tempbuffer[1] & 0x0F)) * 0x100) + tempbuffer[2] + 1;
                }
                // If the first nibble is 1, grab TWO more bytes.  (next four nibbles will be length, then three offset)
                // HUGE thanks to Ondo for figuring this part out!  
                else if((tempbuffer[0] & 0xF0) == 0x10) {
                    tempbuffer[2] = fgetc(fp_i);
                    tempbuffer[3] = fgetc(fp_i);
                    //printf("0x %02x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                    num_bytes_to_copy =
                        (((unsigned int) tempbuffer[0] & 0x0F) * 0x1000) +
                        (((unsigned int) tempbuffer[1]) * 0x10) +
                        (tempbuffer[2] >> 4) + 0x111;
                    backwards_offset = (((unsigned int) (tempbuffer[2] & 0x0F)) * 0x100) + tempbuffer[3] + 1;
                }
                // otherwise, do a normal decompress using two bytes
                else {
                    //printf("0x %02x %02x\n", tempbuffer[0], tempbuffer[1]);
                    num_bytes_to_copy = (tempbuffer[0] >> 4) + 0x01;
                    backwards_offset = (((unsigned int) (tempbuffer[0] & 0x0F)) * 0x100) + tempbuffer[1] + 1;
                }
                if(backwards_offset <= 0) {
                    printf("Error:  Backwards offset is <= 0, this probably is wrong.\n");
                }
                else {
                    copy_start_index = bufferindex - backwards_offset;
                    if(copy_start_index < 0) {
                        printf("Error:  Copy start index is < 0.\n");
                        printf("copy_start_index = %d\n", copy_start_index);
                        printf("Backwards offset coding bytes:  0x %02x %02x %02x %02x\n",
                                tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                        printf("num_bytes_to_copy = %d\n", num_bytes_to_copy);
                        printf("backwards_offset = %d\n", backwards_offset);
                        printf("bufferindex = %d\n", bufferindex);
                        printf("buffersize = %d\n", buffersize);
                    }
                    for(copy_counter = 0; copy_counter < num_bytes_to_copy; copy_counter++) {
                        if(bufferindex > (buffersize - 16)) {
                            printf("%d\n", bufferindex);
                            printf("Running short on buffer space.  Allocating some more!\n");
                            if(increase_buffer_size(&outbuffer, &buffersize) != 0) {
                                printf("Fatal error -- couldn't get enough memory.\n");
                                return NULL;
                            }
                            printf("New buffer size:  %u\n", buffersize);
                            //printf("Error:  Buffer overflow averted!  bufferindex = %d\n", bufferindex);
                        }
                        if(copy_start_index < 0) { // this shouldn't happen...it's a sort-of safety net
                            printf("Error:  Too early.  Filling in with 0x00.\n");
                            outbuffer[bufferindex] = 0x00;
                            bufferindex++;
                        }
                        else if((copy_start_index + copy_counter) >= bufferindex) {
                            printf("Error:  The input seems to be telling us to copy uninitialized data.\n");
                            printf("copy_start_index = %d\n", copy_start_index);
                            printf("copy_counter = %d\n", copy_counter);
                            printf("Backwards offset coding bytes:  0x %02x %02x %02x %02x\n",
                                    tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                            printf("num_bytes_to_copy = %d\n", num_bytes_to_copy);
                            printf("backwards_offset = %d\n", backwards_offset);
                            printf("bufferindex = %d\n", bufferindex);
                            printf("buffersize = %d\n", buffersize);
                            break;
                        }
                        else {
                            outbuffer[bufferindex] = outbuffer[copy_start_index + copy_counter];
                            bufferindex++;
                        }
                    } // end copy loop
                } // end valid backwards offset
            } // end encoded data
            else {
                outbuffer[bufferindex] = fgetc(fp_i);
                bufferindex++;
            } // end literal data
        } // end looping through atoms for a given control word
    } // end looping through file

    if(length_ptr != NULL) {
        *length_ptr = bufferindex;
    }
    else {
        printf("Hey, invalid length pointer supplied!\n");
    }
    return outbuffer;
}

int main(int argc, char *argv[]) {
    FILE *fp_i, *fp_o;
    unsigned char curbyte;
    unsigned int i;
    unsigned int decoded_length;
    unsigned int end_detection;
    char *outbuffer;

    if(argc != 3) {
        printf("Usage:  out2jpg input_file output_file\n");
        exit(-1);
    }
    fp_i = fopen(argv[1], "rb");
    if(fp_i == NULL) {
        printf("Error opening input file %s.\n", argv[1]);
        exit(-1);
    }
    fp_o = fopen(argv[2], "wb");
    if(fp_o == NULL) {
        printf("Error opening output file %s.\n", argv[2]);
        fclose(fp_i);
        exit(-1);
    }

    // TODO:  shouldn't blindly assume the formatting is correct, but that's what I'm going to do here.

    // drop the first 16 bytes
    for(i = 0; i < 0x10; i++) {
        fgetc(fp_i);
    }
    curbyte = fgetc(fp_i); // if the byte at offset 0x10 is 0x00, the image is not compressed, it seems.
    // TODO:  while dropping bytes, grab the one that specifies widescreen (at offset 0x44, I think), and resize
    //        (this should be done in another place, too, for compressed images)
    if(curbyte == 0x00) { // does not use LZSS compression, so just dump the raw JPG
        for(i = 0; i < 0x3B; i++) {
            curbyte = fgetc(fp_i);
            if(i == 0x33) { // the byte at offset 0x44 indicates 0x01 for widescreen 16:9 and 0x00 for normal 4:3, it seems
                if(curbyte == 0x01) {
                    printf("Widescreen 16:9!\n");
                }
                else {
                    printf("Normal 4:3\n");
                }
            }
        }
        // now, the JPG should be available.
        end_detection = 0;
        while(!feof(fp_i)) {
            curbyte = fgetc(fp_i);
            fputc(curbyte, fp_o);
            // Detect FFD9 at the end of the JPG, and don't write any data after it.
            if(end_detection == 1 && curbyte == 0xD9) {
                break;
            }
            else if(curbyte == 0xFF) {
                end_detection = 1;
            }
            else {
                end_detection = 0;
            }
        }
        fclose(fp_i);
        fclose(fp_o);
        // TODO
        //do_widescreen_conversion(convert_option);
        return 0;
    }
    else {
        printf("Decompressing JPG...\n");
    }
    // Drop 3 bytes to get to the start of the data (I think it always starts here for compressed data)
    for(i = 0; i < 3; i++) {
        fgetc(fp_i);
    }

    outbuffer = decode_lzss_stuff(fp_i, &decoded_length);
    end_detection = 0;
    // write the output, dropping the first 0x3C bytes to get to the start of the JPG data
    for(i = 0x3C; i < decoded_length; i++) {
        fputc(outbuffer, fp_o);
        // Detect FFD9 at the end of the JPG, and don't write any data after it.
        if(end_detection == 1 && (unsigned char) outbuffer == 0xD9) {
            break;
        }
        else if((unsigned char) outbuffer == 0xFF) {
            end_detection = 1;
        }
        else {
            end_detection = 0;
        }
    }
    fclose(fp_i);
    fclose(fp_o);

    if(outbuffer[0x44] == 0x01) { // byte at offset 0x44 is 0x01 for widescreen 16:9 and 0x00 for normal 4:3, it seems
        printf("Widescreen 16:9!\n");
    }
    else {
        printf("Normal 4:3\n");
    }
    if(outbuffer != NULL) {
        free(outbuffer);
    }
    // TODO
    //do_widescreen_conversion(convert_option);
    return 0;
}

Edited 1 time(s). Last edit at 05/06/2009 06:42PM by daniel_c_w.

Yeah, I just found that on google. I was going to post it but you beat me to it>:-( lol. grrrrr.

But, if you didn't notice the programme is C for Homebrew you need C++



Edited 1 time(s). Last edit at 05/06/2009 07:01PM by Kezza826.

Quote
Kezza826
But, if you didn't notice the programme is C for Homebrew you need C++

You do not need C++ for homebrew.
For example patchMii is C.

And almost every C code is legal C++ code.

Quote
daniel_c_w

Quote
Kezza826
But, if you didn't notice the programme is C for Homebrew you need C++

You do not need C++ for homebrew.
For example patchMii is C.

And almost every C code is legal C++ code.

Oh, ok. Someone told me you had to use C++ but obviously they were wrong.

Oops, looks like the board ate your #include statements. :(

Absolutely nothing I've ever written for the Wii has been in C++, heh. yuck

Anyway, this is a good start -- SSBB has the ability to load lots of crap from SD, and it's a popular game. Each of those alone would make it a good target. Good luck. :)

yeah, I think this is the BEST idea to come from a random forum user since the 4.0 came out!

And, you have received MUCH better attention than the "when iz it gonna be outz! plz huryyyy!" noobs
Good job!

Quote
bushing
Oops, looks like the board ate your #include statements. :(

Well, it is tanken for granted.
Include statements on this board die quicker than a red shirt :D

It were some standard include statements: stdio, stdlib and sys/stat.h

i downloaded the source from here: [download350.mediafire.com]

Quote
bushing
Anyway, this is a good start -- SSBB has the ability to load lots of crap from SD, and it's a popular game.

I am actually surpirsed. I expected that you and the team would have probed SSBB a while ago.



Edited 1 time(s). Last edit at 05/07/2009 12:15AM by daniel_c_w.

to think that i got this idea while taking a shower 0_o its also true that we have the photo channel... i wonder if the current HBC installer would work since ive read sumwhere that it wont..

This is a great idea, but since I'm still more on the noobish side, a few possibly unnecessary questions.

1. Has it been proven that we can make a TIFF that will crash the Wii? If I remember correctly, it was one of the (if not the only) exploit to run homebrew code on the PSP, but will the same principle work here?

2. What about the Photo Channel? (can it even view/read TIFFs? I don't really think so...)

Other than those, your idea sounds pretty easy to get into.



Edited 1 time(s). Last edit at 05/07/2009 03:46AM by MaxyDawg.

This really sounds like a great idea...

BTW, technically this won't be a TIFF exploit, but a JPG one, since Brawl uses JPG...
And maybe you could achieve it with Photo Channel too.

yea like i said im not a genoius xD

I guess it is a JPG exploit

(can sum1 tell me how to delete my posts)



Edited 1 time(s). Last edit at 05/07/2009 11:39PM by lettman8520.

@MaxyDawg
1. Im pretty sure it could work, we just need to find out how to reconvert the pic back to a BIN smash bros would read
2. Your right it probably wont read TIFF's

Sorry for double posting :(



Edited 2 time(s). Last edit at 05/07/2009 11:37PM by lettman8520.