Using Security Vulnerabilities to Get Every World Record in Mario Kart Wii
Vložit
- čas přidán 11. 09. 2024
- In this video, I explore the use of security vulnerabilities in Mario Kart Wii and the Wii's embedded operating system to alter the game's code on an unmodified console.
An unedited video of the payload execution starting from factory reset can be found here: • Full Recording of RCE ...
Here is a write-up on how you can try out a demo script: pastebin.com/f...
Thanks to:
MikeIsAStar: / @starmkwii and github.com/Mik...
shutterbug2000: / shutterbug20002
Seeky: / @seekyct and github.com/See...
Wiimm: / @wiimm1 and github.com/Wiimm
Leseratte: / @leseratte and github.com/Les...
_____________________________
Twitter: / tasmalleo
Twitch: / tasmalleo
Join my Discord! / discord
Intro/Outro by TheSneakySpy: / thesneakyspy and / thesneakyspy
Check out Mario Kart Wii TASes: mkwtas.com
An interesting fact that some people probably don't know is that Wiimmfi also abuses this buffer overrun in order to run code on your console when you connect with the DNS method. This is how the server facilitates providing security patches to the game - as this is not the only way one can get code running on MKW over the network. The game is played peer-to-peer, and there are at least 2 exploits that would permit your online opponents to run any code they wanted on your game, and the server would be none the wiser that this had happened! The side effects of which could be genuinely awful, as you could easily brick a Wii console by running malicious code on it. So, before you can even connect to an opponent, the server uses this bug demonstrated in the video to temporarily take control of your game, remove those exploits, and only after that allows you to find opponents.
It's also worth noting that every single Wii game ever released has this buffer overrun in it. It's a fundamental flaw in the networking library they used. So you could actually mess with literally any WFC-enabled Wii game in this manner - assuming you can get them logged in, your mileage may vary depending on required IOS.
What networking library did they use so I can be sure to avoid it?
@@romajimamulo It's a Nintendo-developed one that we know as "DWC", not the kind of thing that'd be publicly available anyways.
RCE in a Nintendo networking library?
yeah, that sounds about right, they did it again years later with pia on 3DS (and I guess switch/wii u too?)
Hey MrBean35000vr- just wanted to say thank you for all the quality content over the years!
Using vulnerabilies to patch more vulnerabilities. The ultimate gray hat move.
MKW needs more technical videos like this
Yes
animations were super cute and helped me understand a lot of concepts much easier. Great vid
Malleo just showed up, dropped pandora's box of code into the community as a whole, and dipped. what a legend
This may be the single nerdiest video to ever grace this game’s community. Incredible work
I’m guessing you haven’t seen a Bismuth video. 😂
must have never heard of zelda oot srm either
I’m talking about Mario Kart Wii here, I don’t get why people are interpreting it as Mario or Nintendo as a whole
what does that have to do with "this game's community" as said in the comment@@luca4k484
@@Nightcaathonestly no idea, but anyways I think you might be right. Did you ever see the bcwii glitch physics video by wrath? That was a classic
Can't wait to run Doom on Mario Kart Wii!
Rioting if they dont make it wii wheel compatible
I'm finishing up my Computer Science undergrad in the coming spring, so I was already familiar with everything discussed here. And I have to say-you did an *excellent* job explaining what's going on behind the scenes while managing to keep it super easy to understand for non-computer people.
A video like this one-one about a fun game that people already know about, combined with juuust enough of an introduction into a complex field-is the kind of video that will ignite a spark to eventually create the most curious and inquisitive students. My heart is full imagining some young ones today stumbling across this video and thinking, "wow, computer science is so cool!" I hope there will be at least a few, because I love this stuff so much and I would love for more people to enjoy it too.
Again, excellent work; and thank you for this video. I may use it to sell computer science to some of my nephews next time I see them 😄. You've earned whatever likes and subscriptions you want from me!
I've had an interest in cybersecurity concepts nested away since I started reading on Wii homebrewing back in the day. I might not be one of the young ones, but this is a huge push in the direction of actually pursuing the field for me :)
Such a high quality production. Good stuff as always
I love the way you presented the information, especially going with assumptions then immediately proving them wrong -- Not only is it nice every part gets explained, but it also helps to retain attention by approaching new info in a different way! That on top of the visuals made it incredibly easy to digest
I do have a question though, is it possible to recognize when the slowdown script is used, or to a lesser degree? Like let's say 75% the normal speed
If you have a playback of the inputs, inspecting them can make it clear if someone is cheating by looking to see if they're unnaturally fast. That's how the trackmania community caught Riolu cheating many of his records.
Mario Kart Double Dash legend I know you!
@@TheNerd484 Right, hence why I mentioned slowing the game down by less than 50%, to conceal inhuman reactions and input speeds.
@@GoombaNLIf the inputs are humanly possible, and all people have is the ghost, it would be impossible to tell the ghost was created by illegitimate means. The ghosts don't have some sort of authenticity check as far as I know. This is why recorded video of WRs are so important.
This man basically did Arbitrary Code Execution on MKW, he must be stopped!
Definitely arbitrary code, I don't think it can function as Total Control though.
is this a new entry point for homebrew installation or was this known
@@oussama7132 I'm not super familiar, but I suspect that because it's only modifying game code it won't do anything to the system.
@@MudakTheMultiplier but i remember that some games like twilight princess have entry points that can be exploited using modified save files. i think running homebrew channel is possible with this
@@oussama7132 The issue is that it would be brutally difficult. You'd have to make 100% sure that all the addresses you're writing to wouldn't crash, and if it does, that the crash is *achieving* something.
What a title. Great watch. Always enjoy any new Malleo content, whether I fully understand it or not (I think I understood most of it :P)
I have a master’s and undergrad degree in CS, currently working at big tech with a side gig of teaching CS. Despite already knowing the content you presented, I had so much fun watching. Hope you continue making videos in this niche of programming and video game modification/exploits
As somebody with a Bachelor's degree in software, and no job, do I need to get a Master's?
Nothing brings me more happiness than a new video from the content GOAT, Malleo
Good stuff as always!
Ah yes, I think I recall this bug in the Wii’s digital signature system. It wasn’t just used for connecting to the internet; every game had a signature calculated over the disc contents, to try to prevent exploits through modifying games to contain code other than what the developer had actually made. I was aware of it through Guitar Hero, and exploiting this bug was how that community was able to insert their own custom songs into that game - by taking the original game, replacing the files for a song with their own, then “fakesigning” that disc image. To see it used in this manner, to arbitrarily patch games that haven’t seen official updates in decades… on a system that never actually had game updates, and to do so inside the game environment itself, is seriously impressive.
Massive props to wiimm for keeping this game alive
Hey Malleo, love how informative and easy to understand your explanation videos always are. You're a natural at these. And congrats on the engagement!! I'm sure you and Megan will be very happy.
Long time no see! Hope you are well. Thank you for the kind words!
any runs doing stuff like this would get you in an alleyway with guys snapping menacingly going "ey, bub! you hijacked the Wiimmfi...so I hope you don't mind we hijack your life!"
Congratulations on your engagement??? That's super exciting!!
dude what a video man, as a CS student you seriously did such a good job explaining these concepts. Awesome video man
I've been struggling to understand DNS servers for the longest time. Like, genuinely. The instant you said "it's like an internet phone book" my mind was blown at how many dots connected. Thank you.
It's such a good analogy and I'm scared that it might not work for long because nobody makes phonebooks anymore.
@@MudakTheMultiplier That was my fear as well. I am right at the mark of the generation where I know what a phone book is and used one when I was younger.
I mean contact book also works, and that’s the metaphor/analogy phones and such use
@@JuneNafziger but to anyone that age "contacts" means "the list of people you can call" so many of them don't even interface with phone numbers at all anymore.
@@MudakTheMultiplier from my experience they still understand that a phone number is an address for calls/SMS though, even if they rarely manually enter them and don’t understand the structure.
idk if it's just because i've taken classes on architecture and OS stuff now, but this is the best description of arbitrary code execution i've seen so far
This is super interesting and well explained! I thought I understood how it worked when I saw that for wiimmfi there were special DNS servers, but I never even considered certificates and all that stuff. Thank you for making this!
0:24 Milei is that you
I came for Mario Kart Wii, and stayed for the computer science. Truly, one of the videos of all time
14:24 Except the late WFC, wherein I remember seeing a legitimate WR only once.
One would think a 4-second Luigi Circuit run in which Funky Kong misses the first turn and AFKs on a wall could be automatically deleted in an instant, but nope.
As a modder of the Wii, I found it incredible that you managed to pull this off on a vanilla console! Definitely a fascinating watch :)
This was an awesome video - excellent explanation with visuals :)
One piece of feedback though - the error-beep at around ~8:15 triggered my tinnitus, which is exceptionally unpleasant. I feel like it would've been sufficient to have it play for a second or two to get the point across
Thank you for your work, it's really appreciated
You always do a great job of conveying concepts in a way that's digestible for people who aren't familiar with the subject
As a software developer myself, this is a brilliant video. You covered very technical subjects in a very simple and approachable way. Very well done.
I think I learned more in this video than I did in my computer networks and intro to cybersecurity classes combined. Great video and fascinating exploits
Wonderful video!! I have been taking a security course and I was struggling with some of the concepts you explain here. But things clicked for me when you put it in terms of how to go really fast in video game. ❤
Nice!
I’m gonna be boring and ask for an update on the 100% tas again. I’ve rewatched your other tases multiple times (particularly the 2:22 one that one just seems so iconic) cuz your content is just so good.
Sending love and good vibes to whatever stress (if any) you’re going through 👏🏻
initially clicked to listen in the background, ended up restarting it and taking notes LOL. as well as being incredibly entertaining, it was a great lesson!! we need more videos like this haha, this was lovely. thank you, Malleo!! :)
shoutout to the team figuring this out
I just wanna say, thank you for the excellent subtitle job. Many youtubers don't even bother, which can make it very hard to understand what they're saying! I always give props to any creator that actually bothers with well edited, accurate subtitles.
He went from new Wii to unlocking Funky Kong real quick. I approve, that is the first thing you should be doing.
Actually, I wrote a small script to automatically transcribe those messages :P
For those who are curious, you can hit read more
Message 1: Did you seriously copy this by-hand in order to figure out what this says? Nice.
Message 2: Seriously shoutout to MikeIsAStar for his help on this video!
Message 3: Oh my gosh, this isn't good! You caused a buffer overflow, silly Nintendo. Kids, remember to always check that the size argument in your memcpy is less than or equal to the size of both the source and destination buffers to prevent this type of memory exploit. Thanks!
I really liked how you explained tge Wiimmfi Network in this. I always wondered how it works and getting it explained while the core concept of the Video didnt need you too - great job man.
I must've put hundreds of hours into this game as a kid. It's neat to see it broken down in such a technical manner now.
awesome video! love the explanations and the effort you went through for everyone to be able to understand
14:00 Riolu approves!
I was so deep into this video I forgot it was even about getting world records
Haha I was about to mention it would be nice to have a longer video where you show the full setup and process of the Wii hacking.
And in the end, you mention you have such an uncut version already available! Amazing, I subbed.
You always come back with some crazy plan that is truly a sight to see!
i really really appreciate how you went over every detail- i'm incredibly new to computer science as a whole and love seeing applications in full games (especially mario kart wii), but i find it hard to find people who will show the full process so i can follow along. god this is so cool
As a computer science graduate and now cyber security student with a buffer overflow project, I wish that was our course content
seriously one of the best videos i’ve ever watched on youtube, great job instantly subscribed and shared with my friends keep it up
this is such an amazing demonstration and explanation of very common considerations in computer science. I was always curious of all of these things
Wow this is incredible! Is the ACE payload limited by the 128 bytes of buffer size or can we get past that somehow? Thinking about how possible would it be to ACE in anything we'd want, like maybe transferring a custom track over wiimmfi on the fly
This is one of these videos that reminds me that there are simply different kinds of people in the world. I did take computer science, but my understanding caps at a senior high school level. I simply cannot comprehend these sort of things and the fact that some people can never fails to baffle me.
I'm nerding out hardcore on this, thank you so much for sharing. Great video!
Positively lovely explanations of all of these CS, network, and data science concepts!!
And this is why there are categories within glitched lmao. ACE, no major glitches, etc
I would say that the buffer overflow is where a "glitch" in MKWii has been used, and is clearly where the line can be drawn about what is and isn't a glitch. The game clearly intends to not overwrite data outside of the buffer, but fails to avoid that due to a lack of code to handle oversized packets. I'd call it a glitch and not an exploit because there are no "normal" circumstances where the data packets would be oversized and perfectly crafted for this purpose, and unlike exploits where you put together intended systems and mechanics in unintended ways, receiving oversized packets is unintended right off the bat.
Alternatively, you could simply file this problem under "external tools used", where the proxy server that modifies packets easily fits the definition
genuinely interesting video about a topic i struggle to understand, i never thought this day would come
Thank you for this amazing video! I learned a lot throughout the process, and knowing how these exploits and programs work is always very interesting!
So glad I became an Electrical Engineer so that I get to sit here and delight in all the cool shit this community does
Good video Malleo!
This makes TONS of sense. Amazing video Malleo.😊
Ha! Arbitary Code Execution for the Mario Kart Wii. You love to see it.
This video is RIGHT up my alley, i absolutely love it. Very clear and consise and engaging. Great work!!
I've got two questions:
1. What happens with data that is between the buffer and the link register? What if it contained something important we shouldn't be overwriting with something?
2. How can we modify code? If you are in the menu the code for being in a race shouldn't be loaded into RAM, right? But you can still modify the items you receive during a time trial
Jeez, this is far more interesting than my day job maintaining gps software =3 Nice job!
awesome video!! feels so weird that it's all technically vanilla haha :) first time a mario kart game has had ACE! really really cool video thank you so much malleo :D
Cant wait for the 100% Paper Mario Tas :')
This video is awesome, mariokart wii is one of my favorite games and Im studying comp sci in college rn so this is so fascinating.
Yeah it makes sense to consider this a modification, because you're using a valid console connection (wifi) to connect to arbitrary non-standard devices. That'd be like rewriting the games code by using a custom wire to attach your computer to a controller port. The port is valid, but connecting your computer is a modification.
Banger of a video cannot lie
nice video. even if you already know the concepts behind these types of exploits, its always nice to see them in action :-)
Me who is a super cool nerd nerd: “Oh yeah, now we’re cookin’l
I've been a programmer for a while now, and this thaught me a lot. Nice!
I always look forward to your videos, Glad you're back!
And now I know why it's called "Stack Overflow"
This video is just plain awesome 🤩 such a fun idea and cool to see it all in practice
The visualizations are on point. Very well made! :)
Hopefully there's anti-cheats in CTGP to prevent this from being used there?
There are!
Room encryption
Best explanation of stack overflows ive ever seen
Incredible video, well explained and really interesting !
Just completed the GFACT course and I feel smart understanding all this
Banger video! What's the song at 5:13?
Corridors of Time - Chrono Trigger
This needs more views
If your old Wii can still read GameCube discs, it might just be struggling with 8GB dual-layer discs. I had an old Wii with the same problem. Any game released after January 2008 (the release of Brawl, the first dual-layer Wii game) would give an error, but earlier single-layer games like Wii Sports and Wii Play were fine. I didn't own any GameCube games, but since they're single-layer I assume they would've worked.
I like that jump!!
wonder if malleo will make content on the book of mario: thousands of doors remake.
The Chrono Trigger Music in background is sick
Holy shit Malleo?? I haven't seen an upload from you in a small minute
Using Security Vulnerabilities to Get Every World Record in Mario Kart Wii
Educational and entertaining^^
Yoo, you have a Megan? Congrats, wish you two the best!
im surprised that the wii uses certificates to verify this but geometry dash didn't even verify web requests for the first few years of the game
Intercepting network packets to modify Mario Kart Wii code? My interests have collided! Also, really well done explanation on DNS servers and certificates.
14:00 ah yes, the riolu approach
This is super good!!
The slowdown, riolu memories.
love the chrono trigger music
Great video!
Awesome stuff, would love to see more about how these addresses are found, I suppose probably a debugger attached to an emulator?
Amazing video !!! 😮
Imagine modding a switch with this
This was a really ironic video to watch while skipping my net-centric computing class