5,579
edits
Changes
Jump to navigation
Jump to search
Line 175:
Line 175: + + + + + + + +
→IOS: Added the ES_GetTicketViews hack
| {{SortableMonth|Feb|2022}}
| {{SortableMonth|Feb|2022}}
| {{User|Hallowizer}}
| {{User|Hallowizer}}
|-
| ES
| ES_GetTicketViews does not limit the ticket view count
| Because a [[ticket]] view is 0xD8 bytes, ES_GetTicketViews verifies that every address between <code>views</code> and <code>views + size*0xd8</code> is in a [[Broadway]]-accessible location. However, ES_GetTicketViews does not place an upper bound on the number of ticket views. By requesting 0x200000000 ticket views, the total size is 0x1B00000000, which is 0 mod 2<sup>32</sup>. As a result, no addresses are checked, and the ticket view can be written to any location in memory. By pointing at the ES stack, the return value can be pointed to lomem.
| ES code execution (used by [[Riivolution]] and [[HackMii Installer]])
| Unfixed
| {{SortableMonth|Mar|2010}}
| {{User|tueidj}}
|-
|-
| FS
| FS