Line 175:
Line 175:
| {{SortableMonth|Feb|2022}}
| {{SortableMonth|Feb|2022}}
| {{User|Hallowizer}}
| {{User|Hallowizer}}
+
|-
+
| ES
+
| ES_GetTicketViews does not limit the ticket view count
+
| Because a [[ticket]] view is 0xD8 bytes, ES_GetTicketViews verifies that every address between <code>views</code> and <code>views + size*0xd8</code> is in a [[Broadway]]-accessible location. However, ES_GetTicketViews does not place an upper bound on the number of ticket views. By requesting 0x200000000 ticket views, the total size is 0x1B00000000, which is 0 mod 2<sup>32</sup>. As a result, no addresses are checked, and the ticket view can be written to any location in memory. By pointing at the ES stack, the return value can be pointed to lomem.
+
| ES code execution (used by [[Riivolution]] and [[HackMii Installer]])
+
| Unfixed
+
| {{SortableMonth|Mar|2010}}
+
| {{User|tueidj}}
|-
|-
| FS
| FS
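Review bot: the figures in the added ES_GetTicketViews description do not agree with each other. 0x200000000 * 0xD8 is 0x1B000000000, not the stated 0x1B00000000, and 0x200000000 does not fit in the 32 bits that the "0 mod 2<sup>32</sup>" argument relies on. 0x20000000 * 0xD8 does equal 0x1B00000000, which is 0 mod 2<sup>32</sup>, so the requested view count likely has one zero too many; please confirm the intended value and correct whichever number is wrong. Also, "the return value can be pointed to lomem" reads as if "return address" was meant, since the sentence describes overwriting the ES stack; consider rewording.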