Wii exploit idea! (Involving SSBB) May 06, 2009 05:57AM | Registered: 15 years ago Posts: 12 |
Re: Wii exploit idea! (Involving SSBB) May 06, 2009 06:22PM | Registered: 16 years ago Posts: 1,012 |
Quote
bg4545
AFAIK there is no way to convert pictures to bin files for SSBB, only the other way around
Re: Wii exploit idea! (Involving SSBB) May 06, 2009 06:39PM | Admin Registered: 16 years ago Posts: 3,247 |
I meant that no one has made a way to convert pictures to .bin, not that it's impossible.
Quote
daniel_c_w
Quote
bg4545
AFAIK there is no way to convert pictures to bin files for SSBB, only the other way around
I strongly disagree. It can work both ways.
The question is: is the SSBB picture render code vulnerable?
Can you create picture data that crashes the game? That would be a good indicator that there could (!) be an exploit.
Re: Wii exploit idea! (Involving SSBB) May 06, 2009 06:42PM | Registered: 16 years ago Posts: 1,012 |
// .out to jpg converter -- by GTCoder, with tons of help from segher, and a big breakthrough by Ondo
//
// License:
//
// You can modify the code as long as you credit the source.
// You can distribute the code.
// You can distribute binaries of the code.
// You CANNOT sell it.
// No guarantee is made for the code's fitness for any particular purpose.
// -GTCoder

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Increases the size of the buffer by two, given the length, and adjusts the length's value.
// Returns 0 for success, and -1 for failure.
int increase_buffer_size(unsigned char **buffer, unsigned int *buffersize)
{
    unsigned char *newbuffer;

    if(buffer == NULL || *buffer == NULL || buffersize == NULL) {
        printf("Error: Invalid pointers passed when trying to increase buffer size!\n");
        return -1;
    }
    // realloc into a temporary so the old buffer is not lost if the allocation fails
    newbuffer = realloc(*buffer, (*buffersize) * 2); // increase buffer size by 2
    if(newbuffer == NULL) {
        printf("Error: Unable to allocate memory.\n");
        return -1;
    }
    *buffer = newbuffer;
    *buffersize = (*buffersize) * 2;
    return 0;
}

unsigned char *decode_lzss_stuff(FILE *fp_i, unsigned int *length_ptr)
{
    unsigned char *outbuffer;              // decoded data
    unsigned int buffersize = 128000;      // arbitrary initial size
    unsigned char controlbyte;
    unsigned int bufferindex = 0;
    unsigned int i;                        // used for looping
    unsigned char tempbuffer[10] = {0};    // actually only 2-4 bytes should be needed
    unsigned int num_bytes_to_copy;
    unsigned int backwards_offset;
    int copy_start_index;
    unsigned int copy_counter;

    outbuffer = malloc(buffersize);
    if(outbuffer == NULL) {
        printf("Error: Unable to allocate memory.\n");
        return NULL;
    }

    while(!feof(fp_i)) {
        // Give a big safety margin for fun. If we get close to it later, we'll realloc midstream.
        if(bufferindex > (buffersize - 0x10000)) {
            if(increase_buffer_size(&outbuffer, &buffersize) != 0) {
                printf("Fatal error -- couldn't get enough memory.\n");
                free(outbuffer);
                return NULL;
            }
        }
        controlbyte = fgetc(fp_i);
        if(feof(fp_i)) {
            continue;
        }
        //printf("Control byte: 0x%02x\n", controlbyte);
        for(i = 0; i < 8; i++) {
            if(controlbyte & (0x80 >> i)) {
                // decode encoded data
                tempbuffer[0] = fgetc(fp_i);
                tempbuffer[1] = fgetc(fp_i);
                // if the first nibble is 0, get a third byte
                if((tempbuffer[0] & 0xF0) == 0) {
                    tempbuffer[2] = fgetc(fp_i);
                    //printf("0x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2]);
                    num_bytes_to_copy = (((unsigned int) tempbuffer[0]) * 0x10) + (tempbuffer[1] >> 4) + 0x11;
                    backwards_offset = (((unsigned int) (tempbuffer[1] & 0x0F)) * 0x100) + tempbuffer[2] + 1;
                }
                // If the first nibble is 1, grab TWO more bytes. (next four nibbles will be length, then three offset)
                // HUGE thanks to Ondo for figuring this part out!
                else if((tempbuffer[0] & 0xF0) == 0x10) {
                    tempbuffer[2] = fgetc(fp_i);
                    tempbuffer[3] = fgetc(fp_i);
                    //printf("0x %02x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                    num_bytes_to_copy = (((unsigned int) tempbuffer[0] & 0x0F) * 0x1000) + (((unsigned int) tempbuffer[1]) * 0x10) + (tempbuffer[2] >> 4) + 0x111;
                    backwards_offset = (((unsigned int) (tempbuffer[2] & 0x0F)) * 0x100) + tempbuffer[3] + 1;
                }
                // otherwise, do a normal decompress using two bytes
                else {
                    //printf("0x %02x %02x\n", tempbuffer[0], tempbuffer[1]);
                    num_bytes_to_copy = (tempbuffer[0] >> 4) + 0x01;
                    backwards_offset = (((unsigned int) (tempbuffer[0] & 0x0F)) * 0x100) + tempbuffer[1] + 1;
                }
                if(backwards_offset == 0) { // unsigned, so this is the only way it can be "<= 0"
                    printf("Error: Backwards offset is <= 0, this probably is wrong.\n");
                }
                else {
                    copy_start_index = (int) bufferindex - (int) backwards_offset;
                    if(copy_start_index < 0) {
                        printf("Error: Copy start index is < 0.\n");
                        printf("copy_start_index = %d\n", copy_start_index);
                        printf("Backwards offset coding bytes: 0x %02x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                        printf("num_bytes_to_copy = %u\n", num_bytes_to_copy);
                        printf("backwards_offset = %u\n", backwards_offset);
                        printf("bufferindex = %u\n", bufferindex);
                        printf("buffersize = %u\n", buffersize);
                    }
                    for(copy_counter = 0; copy_counter < num_bytes_to_copy; copy_counter++) {
                        if(bufferindex > (buffersize - 16)) {
                            printf("%u\n", bufferindex);
                            printf("Running short on buffer space. Allocating some more!\n");
                            if(increase_buffer_size(&outbuffer, &buffersize) != 0) {
                                printf("Fatal error -- couldn't get enough memory.\n");
                                free(outbuffer);
                                return NULL;
                            }
                            printf("New buffer size: %u\n", buffersize);
                            //printf("Error: Buffer overflow averted! bufferindex = %d\n", bufferindex);
                        }
                        if(copy_start_index < 0) {
                            // this shouldn't happen...it's a sort-of safety net
                            printf("Error: Too early. Filling in with 0x00.\n");
                            outbuffer[bufferindex] = 0x00;
                            bufferindex++;
                        }
                        else if((copy_start_index + copy_counter) >= bufferindex) {
                            printf("Error: The input seems to be telling us to copy uninitialized data.\n");
                            printf("copy_start_index = %d\n", copy_start_index);
                            printf("copy_counter = %u\n", copy_counter);
                            printf("Backwards offset coding bytes: 0x %02x %02x %02x %02x\n", tempbuffer[0], tempbuffer[1], tempbuffer[2], tempbuffer[3]);
                            printf("num_bytes_to_copy = %u\n", num_bytes_to_copy);
                            printf("backwards_offset = %u\n", backwards_offset);
                            printf("bufferindex = %u\n", bufferindex);
                            printf("buffersize = %u\n", buffersize);
                            break;
                        }
                        else {
                            outbuffer[bufferindex] = outbuffer[copy_start_index + copy_counter];
                            bufferindex++;
                        }
                    } // end copy loop
                } // end valid backwards offset
            } // end encoded data
            else {
                outbuffer[bufferindex] = fgetc(fp_i);
                bufferindex++;
            } // end literal data
        } // end looping through atoms for a given control word
    } // end looping through file

    if(length_ptr != NULL) {
        *length_ptr = bufferindex;
    }
    else {
        printf("Hey, invalid length pointer supplied!\n");
    }
    return outbuffer;
}

int main(int argc, char *argv[])
{
    FILE *fp_i, *fp_o;
    unsigned char curbyte;
    unsigned int i;
    unsigned int decoded_length;
    unsigned int end_detection;
    unsigned char *outbuffer;

    if(argc != 3) {
        printf("Usage: out2jpg input_file output_file\n");
        exit(-1);
    }
    fp_i = fopen(argv[1], "rb");
    if(fp_i == NULL) {
        printf("Error opening input file %s.\n", argv[1]);
        exit(-1);
    }
    fp_o = fopen(argv[2], "wb");
    if(fp_o == NULL) {
        printf("Error opening output file %s.\n", argv[2]);
        fclose(fp_i);
        exit(-1);
    }

    // TODO: shouldn't blindly assume the formatting is correct, but that's what I'm going to do here.
    // drop the first 16 bytes
    for(i = 0; i < 0x10; i++) {
        fgetc(fp_i);
    }
    curbyte = fgetc(fp_i);
    // if the byte at offset 0x10 is 0x00, the image is not compressed, it seems.
    // TODO: while dropping bytes, grab the one that specifies widescreen (at offset 0x44, I think), and resize
    // (this should be done in another place, too, for compressed images)
    if(curbyte == 0x00) {
        // does not use LZSS compression, so just dump the raw JPG
        for(i = 0; i < 0x3B; i++) {
            curbyte = fgetc(fp_i);
            if(i == 0x33) {
                // the byte at offset 0x44 indicates 0x01 for widescreen 16:9 and 0x00 for normal 4:3, it seems
                if(curbyte == 0x01) {
                    printf("Widescreen 16:9!\n");
                }
                else {
                    printf("Normal 4:3\n");
                }
            }
        }
        // now, the JPG should be available.
        end_detection = 0;
        while(!feof(fp_i)) {
            curbyte = fgetc(fp_i);
            if(feof(fp_i)) {
                break; // don't write the EOF marker out as a data byte
            }
            fputc(curbyte, fp_o);
            // Detect FFD9 at the end of the JPG, and don't write any data after it.
            if(end_detection == 1 && curbyte == 0xD9) {
                break;
            }
            else if(curbyte == 0xFF) {
                end_detection = 1;
            }
            else {
                end_detection = 0;
            }
        }
        fclose(fp_i);
        fclose(fp_o);
        // TODO
        //do_widescreen_conversion(convert_option);
        return 0;
    }
    else {
        printf("Decompressing JPG...\n");
    }

    // Drop 3 bytes to get to the start of the data (I think it always starts here for compressed data)
    for(i = 0; i < 3; i++) {
        fgetc(fp_i);
    }
    outbuffer = decode_lzss_stuff(fp_i, &decoded_length);
    if(outbuffer == NULL) {
        // decode_lzss_stuff already reported why
        fclose(fp_i);
        fclose(fp_o);
        exit(-1);
    }
    end_detection = 0;
    // write the output, dropping the first 0x3C bytes to get to the start of the JPG data
    for(i = 0x3C; i < decoded_length; i++) {
        fputc(outbuffer[i], fp_o);
        // Detect FFD9 at the end of the JPG, and don't write any data after it.
        if(end_detection == 1 && outbuffer[i] == 0xD9) {
            break;
        }
        else if(outbuffer[i] == 0xFF) {
            end_detection = 1;
        }
        else {
            end_detection = 0;
        }
    }
    fclose(fp_i);
    fclose(fp_o);
    if(decoded_length > 0x44 && outbuffer[0x44] == 0x01) {
        // byte at offset 0x44 is 0x01 for widescreen 16:9 and 0x00 for normal 4:3, it seems
        printf("Widescreen 16:9!\n");
    }
    else {
        printf("Normal 4:3\n");
    }
    free(outbuffer);
    // TODO
    //do_widescreen_conversion(convert_option);
    return 0;
}
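The converter above warns when a back-reference points before the start of the decoded data and then pads with 0x00; whether a renderer fed such a file from SD does the same is exactly the question raised earlier in the thread. As an added example (not GTCoder's code or anything from the thread), here is a memory-to-memory decoder for the same three reference forms that rejects a malformed reference or a truncated stream instead of continuing; the function names ssbb_lzss_decode and run_samples and both sample byte strings are constructed for this illustration.

```c
#include <string.h>

/* Decode the SSBB screenshot LZSS coding from memory. Returns the decoded length, or -1 if the
 * input is truncated, out[] would overflow, or a reference reaches before the start of the output. */
long ssbb_lzss_decode(const unsigned char *in, size_t inlen, unsigned char *out, size_t outcap) {
    size_t ip = 0, op = 0;
    while (ip < inlen) {
        unsigned char ctrl = in[ip++];
        for (int bit = 0; bit < 8 && ip < inlen; bit++) {
            if (!(ctrl & (0x80 >> bit))) {                  /* literal byte */
                if (op >= outcap) return -1;
                out[op++] = in[ip++];
                continue;
            }
            if (ip + 2 > inlen) return -1;
            unsigned b0 = in[ip], b1 = in[ip + 1];
            size_t len, dist;
            if ((b0 & 0xF0) == 0x00) {                      /* 3-byte reference */
                if (ip + 3 > inlen) return -1;
                len  = (b0 << 4) + (b1 >> 4) + 0x11;
                dist = ((b1 & 0x0F) << 8) + in[ip + 2] + 1;
                ip += 3;
            } else if ((b0 & 0xF0) == 0x10) {               /* 4-byte reference */
                if (ip + 4 > inlen) return -1;
                len  = ((b0 & 0x0F) << 12) + (b1 << 4) + (in[ip + 2] >> 4) + 0x111;
                dist = ((in[ip + 2] & 0x0F) << 8) + in[ip + 3] + 1;
                ip += 4;
            } else {                                        /* 2-byte reference */
                len  = (b0 >> 4) + 1;
                dist = ((b0 & 0x0F) << 8) + b1 + 1;
                ip += 2;
            }
            if (dist > op || len > outcap - op) return -1;  /* reject instead of padding */
            for (size_t k = 0; k < len; k++, op++)          /* byte-wise so overlap works */
                out[op] = out[op - dist];
        }
    }
    return (long)op;
}
/* Constructed samples: 8 literals then one 2-byte reference (len 4, dist 8) -> "ABCDEFGHABCD",
 * and a reference issued before any output exists, which a safe decoder must reject. */
static const unsigned char SAMPLE_OK[]  = {0x00, 'A','B','C','D','E','F','G','H', 0x80, 0x30, 0x07};
static const unsigned char SAMPLE_BAD[] = {0x80, 0x30, 0x07};
/* Returns 1 when SAMPLE_OK decodes as expected and SAMPLE_BAD is rejected, else 0. */
int run_samples(void) {
    unsigned char out[64];
    long n = ssbb_lzss_decode(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out);
    if (n != 12 || memcmp(out, "ABCDEFGHABCD", 12) != 0) return 0;
    return ssbb_lzss_decode(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out) == -1;
}
```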
Re: Wii exploit idea! (Involving SSBB) May 07, 2009 12:12AM | Registered: 16 years ago Posts: 1,012 |
Quote
bushing
Oops, looks like the board ate your #include statements. :(
Quote
bushing
Anyway, this is a good start -- SSBB has the ability to load lots of crap from SD, and it's a popular game.