Injects arbitrary code into Mario Kart Wii.
In Mario Kart Wii, competition data is stored within the game's save data. The course data for competitions is compressed using a proprietary compression format (Yaz) that was developed by Nintendo. The decompression function can be exploited via meticulously crafted compressed data, resulting in an overflow of the output buffer. In this instance, the buffer overflow leads to an arbitrary write, which grants the ability to write a single word to any memory address. By writing a branch instruction to the game's exception handler, code execution can be diverted in the event of a game crash. Following the arbitrary write, a Data Storage Interrupt (DSI) exception is triggered, resulting in code execution being redirected to the payload.
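For contrast with the overflow described above, here is an added example (not the game's code and not part of this project) of a decoder that validates every chunk before writing. It assumes the publicly documented Yaz0 stream layout; `yaz_decode_checked`, the `YAZ_*` codes and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the game's code. Assumes the publicly documented Yaz0
 * layout: "Yaz0" magic, big-endian u32 output size, 8 reserved bytes, then
 * flag bytes (MSB first): bit 1 = literal byte, bit 0 = back-reference. */
enum { YAZ_OK = 0, YAZ_BAD_HEADER = -1, YAZ_TRUNCATED = -2,
       YAZ_OUT_OVERFLOW = -3, YAZ_BAD_DISTANCE = -4 };

/* Constructed sample: header declares 4 bytes, the back-reference wants 5. */
static const uint8_t yaz_overrun[] = { 'Y','a','z','0', 0,0,0,4,
    0,0,0,0,0,0,0,0, 0x80, 'A', 0x30, 0x00 };

int yaz_decode_checked(const uint8_t *src, size_t src_len,
                       uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (src_len < 16 || memcmp(src, "Yaz0", 4) != 0) return YAZ_BAD_HEADER;
    size_t want = ((size_t)src[4] << 24) | ((size_t)src[5] << 16) |
                  ((size_t)src[6] << 8) | src[7];
    if (want > dst_cap) return YAZ_OUT_OVERFLOW;  /* header size is untrusted */
    size_t in = 16, out = 0;
    unsigned flags = 0, bits = 0;
    while (out < want) {
        if (bits == 0) {                          /* fetch next flag byte */
            if (in >= src_len) return YAZ_TRUNCATED;
            flags = src[in++]; bits = 8;
        }
        if (flags & 0x80) {                       /* literal byte */
            if (in >= src_len) return YAZ_TRUNCATED;
            dst[out++] = src[in++];
        } else {                                  /* back-reference */
            if (src_len - in < 2) return YAZ_TRUNCATED;
            unsigned b0 = src[in++], b1 = src[in++];
            size_t dist = (((size_t)(b0 & 0x0F) << 8) | b1) + 1;
            size_t len = (size_t)(b0 >> 4) + 2;
            if (len == 2) {                       /* long form: third byte */
                if (in >= src_len) return YAZ_TRUNCATED;
                len = (size_t)src[in++] + 0x12;
            }
            if (dist > out) return YAZ_BAD_DISTANCE;       /* before dst */
            if (len > want - out) return YAZ_OUT_OVERFLOW; /* past the end */
            for (size_t i = 0; i < len; i++, out++)
                dst[out] = dst[out - dist];       /* byte-wise: may overlap */
        }
        flags <<= 1; bits--;
    }
    *out_len = out;
    return YAZ_OK;
}
```

The per-chunk length check matters because a loop that only tests the output position between chunks can still let a single back-reference run past the end of the buffer.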
- Obtain an SD card that has a capacity of 2 gigabytes or less
- Format the SD card to FAT16 or FAT32
- Create the filepath sd:/private/wii/title/RMC[E|P|J|K] on the SD card. The final character should match the version of Mario Kart Wii that will be used
- Transfer the data.bin file that corresponds to the version of Mario Kart Wii that will be used into the aforementioned folder
- Place the boot.elf file to be executed on the root of the SD card (sd:/)
- Enable WiiConnect24
- Delete the save data for the version of Mario Kart Wii that will be used
- Transfer the save data from the SD card to the Wii
- Launch Mario Kart Wii
- Start the competition
- Many thanks to Team Twiizers for creating Savezelda
- Many thanks to segher for creating twintig
- Many thanks to jay for creating the banner
- Many thanks to chillz for creating the icons
Many thanks to the individuals listed below for their help with translations.
- custard
- varemi
- juno