- Dolphin emulator portable 3.5 software#
- Dolphin emulator portable 3.5 code#
- Dolphin emulator portable 3.5 iso#
- Dolphin emulator portable 3.5 windows#
Dolphin emulator portable 3.5 windows#
This makes the Windows approach above unusable on Linux, so we will simply pray. Very precarious - mmap cannot return an error when trying to map already used pages. (This is an oversimplification, but it’s close enough for our purposes.) #ifdef _WIN32 This is part of the “fastmem” optimisation, where Dolphin uses a 16GB range of the 64-bit address space to represent memory in the same layout as is seen by the 32-bit processor in the Wii.
![dolphin emulator portable 3.5 dolphin emulator portable 3.5](https://i2.wp.com/thegamepadgamer.com/wp-content/uploads/2021/06/The-Best-Wii-Portable-On-The-Market.jpg)
But this technique is very useful if we know the exact version we’re exploiting and don’t need to be portable.Īlso on macOS and Linux, the virtual memory of the emulated console is mapped at a fixed address (0x2300000000). The drawback of using this memory is that it can change significantly every time the program is recompiled or the source changes. In recent versions, the binary is loaded at a fixed location below 0x80000000 (2GB) so that certain x86 instructions emitted by the JIT can access it. Slot0_read_multiple_block(fd, &out, 0, sizeof (out)) ASLR in Dolphinĭolphin avoids randomised addresses in several places for a variety of reasons. crash by attempting to read from the File::IOFile Ioctl(fd, IOCTL_WRITEHCR, &input, sizeof input, 0, 0) overwrite the low 32-bits of the File::IOFile But after thoroughly reinventing a number of wheels, the proof-of-concept was only a few lines: int slot0 = open("/dev/sdio/slot0", MODE_RW)
Dolphin emulator portable 3.5 iso#
It took me a lot of work to create an ISO file that reproduce this bug, using only Python, P圜rypto, and a PowerPC toolchain, and I learned a lot of interesting lessons. (To my surprise, this bug was introduced by respected exploit writer comex in September 2013.) Better still, there’s a IOCTL_WRITEHCR implemented in the same method with the same bug, allowing memory corruption. The classic byte/word mixup allows reading from anywhere up to index 511 in a 128 element array. The catch, of course, is in the definition: class CWII_IPC_HLE_Device_sdio_slot0 : public IWII_IPC_HLE_Device
Dolphin emulator portable 3.5 code#
This code looks great, it’s bounds checked and everything. INFO_LOG(WII_IPC_SD, "IOCTL_READHCR 0x%08x - 0x%08x", reg, val) WARN_LOG(WII_IPC_SD, "IOCTL_READHCR out of range") U32 BufferOut = Memory::Read_U32(_CommandAddress + 0x18) U32 BufferIn = Memory::Read_U32(_CommandAddress + 0x10) U32 Cmd = Memory::Read_U32(_CommandAddress + 0xC) After a little exploring, I came across the following code (abbreviated): CWII_IPC_HLE_Device_sdio_slot0::IOCtl(u32 _CommandAddress) This provides a considerable attack surface, and is where I began my search for interesting bugs. Instead of requiring a copy of IOS to be fully emulated, Dolphin provides high-level (C++) implementations of all the functionality that IOS usually provides to games. This is implemented using a number of memory-mapped I/O registers. IPC stands for inter-processor communication, and is the means by which the PowerPC processor running the game code communicates with IOS. This provides a variety of services, for example allowing games to read and write files, and communicate over the network. It runs on a separate ARM coprocessor in the Wii.
![dolphin emulator portable 3.5 dolphin emulator portable 3.5](https://i.pcmag.com/imagery/reviews/02y6i65mi4lAYRXbQLBEGiY-2.fit_lim.size_1200x630.v1602690346.jpg)
IOS is the operating system that the Wii provides to games running on it. (I’ve included links to the WiiBrew wiki, which was a valuable source.) Wii IOS IPC HLEĮnough three-letter initialisms? Let’s start with some definitions.
![dolphin emulator portable 3.5 dolphin emulator portable 3.5](https://i.ytimg.com/vi/KDrJTR4pAeI/maxresdefault.jpg)
In Part 1, I’ll show how to make a 100% reliable exploit for Dolphin on macOS, which is portable to every version containing a single, simple bug.
Dolphin emulator portable 3.5 software#
I do call it “exploitation”, because the same techniques can work on software which actually has security requirements.Īnyway, enough disclaimers, let’s dig in. These issues are not “vulnerabilities”, it’s just a collection of interesting tricks that allow games running on Dolphin to execute arbitrary code. These bugs will be fixed, but there will be plenty of other bugs in the future. I f you run something in Dolphin you should understand that it can do anything on your computer. Piracy is a very good way to get yourself hacked. You should not use it to emulate software from untrusted sources. To be clear, Dolphin is not a sandbox, and is not designed to be secure. This has been an interest of mine since I spent some time exploiting a partial GameCube emulator in the last Defcon CTF finals, and I decided to actually explore it following a tweet from a Dolphin developer. In the interests of learning more about Dolphin, Wii, PowerPC, and exploitation, I discovered a handful of bugs, and created an ISO file that can run arbitrary code on the host, portably and reliably. Dolphin is a Wii emulator, and a consistent source of interesting technical problems.