Changes

500 bytes added, 20:14, 22 April 2021
→Explanation: added the system menu check fails
Line 97: Line 97:  
== Explanation ==
 
== Explanation ==
 
The hack exploits a [http://en.wikipedia.org/wiki/Stack_smashing buffer overflow error] caused by loading a specially crafted save file for Twilight Princess. The save file stores a custom name for Epona, Link's horse, that is much longer than what the game would usually allow, in fact it even contains a small program. While the game doesn't allow you to manually enter a name this long it doesn't check the name in the file. When the game tries to load the name into memory it inadvertently drops the small program into memory filling not only the "horse name" buffer but adjacent ones. In a round about way these regions of memory happen to be designated the next region the console should execute. As you can see the save file is specially crafted indeed. Once the code loads it runs either a "boot.elf" or "boot.dol" file from the root of the SD card. If the boot.elf and bootmini.elf that loads HackMii exists on the root of your SD Card, you can use it to then install BootMii IOS, BootMii Boot2 (if compatible), or, importantly, the Homebrew Channel.
 
The hack exploits a [http://en.wikipedia.org/wiki/Stack_smashing buffer overflow error] caused by loading a specially crafted save file for Twilight Princess. The save file stores a custom name for Epona, Link's horse, that is much longer than what the game would usually allow, in fact it even contains a small program. While the game doesn't allow you to manually enter a name this long it doesn't check the name in the file. When the game tries to load the name into memory it inadvertently drops the small program into memory filling not only the "horse name" buffer but adjacent ones. In a round about way these regions of memory happen to be designated the next region the console should execute. As you can see the save file is specially crafted indeed. Once the code loads it runs either a "boot.elf" or "boot.dol" file from the root of the SD card. If the boot.elf and bootmini.elf that loads HackMii exists on the root of your SD Card, you can use it to then install BootMii IOS, BootMii Boot2 (if compatible), or, importantly, the Homebrew Channel.
 +
 +
When [[System Menu 3.3]] came around, a check was added to delete all Twilight Hack save files, and prevent them from being copied onto the [[Hardware/NAND|NAND]]. Luckily, the [[System Menu]] only checked the first instance of zeldaTp.dat in the save, which meant a hacked zeldaTp.dat could be placed later in the WAD and survive.
 +
 +
A similar bug existed in the [[System Menu 3.4]], although here, only the last zeldaTp.dat was checked, meaning the first zeldaTp.dat could contain the exploit here.
    
== [[Wiibrew FAQ|FAQ]] ==
 
== [[Wiibrew FAQ|FAQ]] ==
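Review bot: the two added paragraphs leave their shared point implicit, and the second one is underspecified. Both the [[System Menu 3.3]] and the [[System Menu 3.4]] checks are described as inspecting only one zeldaTp.dat in the save, while the save WAD can contain more than one, so whichever copy the System Menu skips can carry the exploit; stating that once, and then saying which copy each version checked (3.3: only the first instance; 3.4: only the last), would explain the bypass more clearly than "A similar bug existed". The 3.4 sentence also uses "here" twice ("although here, only the last zeldaTp.dat was checked, meaning the first zeldaTp.dat could contain the exploit here"); drop the trailing one. Finally, the 3.3 paragraph says the check both deleted Twilight Hack save files and prevented them from being copied onto the NAND; if those are two distinct behaviours (deleting an already installed save versus refusing a copy from SD), it is worth spelling out which one the extra zeldaTp.dat actually survives.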