An interesting fact that some people probably don't know is that Wiimmfi also abuses this buffer overrun in order to run code on your console when you connect with the DNS method. This is how the server facilitates providing security patches to the game - as this is not the only way one can get code running on MKW over the network. The game is played peer-to-peer, and there are at least 2 exploits that would permit your online opponents to run any code they wanted on your game, and the server would be none the wiser that this had happened! The side effects of which could be genuinely awful, as you could easily brick a Wii console by running malicious code on it. So, before you can even connect to an opponent, the server uses this bug demonstrated in the video to temporarily take control of your game, remove those exploits, and only after that allows you to find opponents.
It's also worth noting that every single Wii game ever released has this buffer overrun in it. It's a fundamental flaw in the networking library they used. So you could actually mess with literally any WFC-enabled Wii game in this manner - assuming you can get them logged in, your mileage may vary depending on required IOS.
What networking library did they use so I can be sure to avoid it?
@@romajimamulo It's a Nintendo-developed one that we know as "DWC", not the kind of thing that'd be publicly available anyways.
RCE in a Nintendo networking library?
yeah, that sounds about right, they did it again years later with pia on 3DS (and I guess switch/wii u too?)
Hey MrBean35000vr- just wanted to say thank you for all the quality content over the years!
Using vulnerabilities to patch more vulnerabilities. The ultimate gray hat move.
MKW needs more technical videos like this
Yes
I've been struggling to understand DNS servers for the longest time. Like, genuinely. The instant you said "it's like an internet phone book" my mind was blown at how many dots connected. Thank you.
It's such a good analogy and I'm scared that it might not work for long because nobody makes phonebooks anymore.
@@MudakTheMultiplier That was my fear as well. I am right at the mark of the generation where I know what a phone book is and used one when I was younger.
I mean contact book also works, and that’s the metaphor/analogy phones and such use
@@JuneNafziger but to anyone that age "contacts" means "the list of people you can call" so many of them don't even interface with phone numbers at all anymore.
@@MudakTheMultiplier from my experience they still understand that a phone number is an address for calls/SMS though, even if they rarely manually enter them and don’t understand the structure.
animations were super cute and helped me understand a lot of concepts much easier. Great vid
Malleo just showed up, dropped pandora's box of code into the community as a whole, and dipped. what a legend
This may be the single nerdiest video to ever grace this game’s community. Incredible work
I’m guessing you haven’t seen a Bismuth video. 😂
must have never heard of zelda oot srm either
I’m talking about Mario Kart Wii here, I don’t get why people are interpreting it as Mario or Nintendo as a whole
what does that have to do with "this game's community" as said in the comment @@luca4k484
@@Nightcaat honestly no idea, but anyways I think you might be right. Did you ever see the bcwii glitch physics video by wrath? That was a classic
I'm finishing up my Computer Science undergrad in the coming spring, so I was already familiar with everything discussed here. And I have to say-you did an *excellent* job explaining what's going on behind the scenes while managing to keep it super easy to understand for non-computer people.
A video like this one-one about a fun game that people already know about, combined with juuust enough of an introduction into a complex field-is the kind of video that will ignite a spark to eventually create the most curious and inquisitive students. My heart is full imagining some young ones today stumbling across this video and thinking, "wow, computer science is so cool!" I hope there will be at least a few, because I love this stuff so much and I would love for more people to enjoy it too.
Again, excellent work; and thank you for this video. I may use it to sell computer science to some of my nephews next time I see them 😄. You've earned whatever likes and subscriptions you want from me!
I've had an interest in cybersecurity concepts nested away since I started reading on Wii homebrewing back in the day. I might not be one of the young ones, but this is a huge push in the direction of actually pursuing the field for me :)
Can't wait to run Doom on Mario Kart Wii!
Rioting if they don't make it wii wheel compatible
Such a high quality production. Good stuff as always
I have a master’s and undergrad degree in CS, currently working at big tech with a side gig of teaching CS. Despite already knowing the content you presented, I had so much fun watching. Hope you continue making videos in this niche of programming and video game modification/exploits
As somebody with a Bachelor's degree in software, and no job, do I need to get a Master's?
What a title. Great watch. Always enjoy any new Malleo content, whether I fully understand it or not (I think I understood most of it :P)
I’m gonna be boring and ask for an update on the 100% tas again. I’ve rewatched your other tases multiple times (particularly the 2:22 one that one just seems so iconic) cuz your content is just so good.
Sending love and good vibes to whatever stress (if any) you’re going through 👏🏻
Congratulations on your engagement??? That's super exciting!!
any runs doing stuff like this would get you in an alleyway with guys snapping menacingly going "ey, bub! you hijacked the Wiimmfi...so I hope you don't mind we hijack your life!"
dude what a video man, as a CS student you seriously did such a good job explaining these concepts. Awesome video man
0:24 Milei is that you
Hey Malleo, love how informative and easy to understand your explanation videos always are. You're a natural at these. And congrats on the engagement!! I'm sure you and Megan will be very happy.
Long time no see! Hope you are well. Thank you for the kind words!
I love the way you presented the information, especially going with assumptions then immediately proving them wrong -- Not only is it nice every part gets explained, but it also helps to retain attention by approaching new info in a different way! That on top of the visuals made it incredibly easy to digest
I do have a question though, is it possible to recognize when the slowdown script is used, or to a lesser degree? Like let's say 75% the normal speed
If you have a playback of the inputs, inspecting them can make it clear if someone is cheating by looking to see if they're unnaturally fast. That's how the trackmania community caught Riolu cheating many of his records.
Mario Kart Double Dash legend I know you!
@@TheNerd484 Right, hence why I mentioned slowing the game down by less than 50%, to conceal inhuman reactions and input speeds.
@@GoombaNL If the inputs are humanly possible, and all people have is the ghost, it would be impossible to tell the ghost was created by illegitimate means. The ghosts don't have some sort of authenticity check as far as I know. This is why recorded video of WRs are so important.
initially clicked to listen in the background, ended up restarting it and taking notes LOL. as well as being incredibly entertaining, it was a great lesson!! we need more videos like this haha, this was lovely. thank you, Malleo!! :)
This man basically did Arbitrary Code Execution on MKW, he must be stopped!
Definitely arbitrary code, I don't think it can function as Total Control though.
is this a new entry point for homebrew installation or was this known
@@oussama7132 I'm not super familiar, but I suspect that because it's only modifying game code it won't do anything to the system.
@@MudakTheMultiplier but i remember that some games like twilight princess have entry points that can be exploited using modified save files. i think running homebrew channel is possible with this
@@oussama7132 The issue is that it would be brutally difficult. You'd have to make 100% sure that all the addresses you're writing to wouldn't crash, and if it does, that the crash is *achieving* something.
As a modder of the Wii, I found it incredible that you managed to pull this off on a vanilla console! Definitely a fascinating watch :)
Nothing brings me more happiness than a new video from the content GOAT, Malleo
Good stuff as always!
I just wanna say, thank you for the excellent subtitle job. Many youtubers don't even bother, which can make it very hard to understand what they're saying! I always give props to any creator that actually bothers with well edited, accurate subtitles.
This was an awesome video - excellent explanation with visuals :)
One piece of feedback though - the error-beep at around ~8:15 triggered my tinnitus, which is exceptionally unpleasant. I feel like it would've been sufficient to have it play for a second or two to get the point across
Thank you for your work, it's really appreciated
idk if it's just because i've taken classes on architecture and OS stuff now, but this is the best description of arbitrary code execution i've seen so far
As a software developer myself, this is a brilliant video. You covered very technical subjects in a very simple and approachable way. Very well done.
I really liked how you explained the Wiimmfi Network in this. I always wondered how it works and getting it explained while the core concept of the Video didn't need you to - great job man.
This is super interesting and well explained! I thought I understood how it worked when I saw that for wiimmfi there were special DNS servers, but I never even considered certificates and all that stuff. Thank you for making this!
Massive props to wiimm for keeping this game alive
I think I learned more in this video than I did in my computer networks and intro to cybersecurity classes combined. Great video and fascinating exploits
shoutout to the team figuring this out
I was so deep into this video I forgot it was even about getting world records
Haha I was about to mention it would be nice to have a longer video where you show the full setup and process of the Wii hacking.
And in the end, you mention you have such an uncut version already available! Amazing, I subbed.
14:24 Except the late WFC, wherein I remember seeing a legitimate WR only once.
One would think a 4-second Luigi Circuit run in which Funky Kong misses the first turn and AFKs on a wall could be automatically deleted in an instant, but nope.
I came for Mario Kart Wii, and stayed for the computer science. Truly, one of the videos of all time
So is this why we got all those 0 second times on the leaderboard back in the early days
seriously one of the best videos i’ve ever watched on youtube, great job instantly subscribed and shared with my friends keep it up
You always do a great job of conveying concepts in a way that's digestible for people who aren't familiar with the subject
i really really appreciate how you went over every detail- i'm incredibly new to computer science as a whole and love seeing applications in full games (especially mario kart wii), but i find it hard to find people who will show the full process so i can follow along. god this is so cool
Wonderful video!! I have been taking a security course and I was struggling with some of the concepts you explain here. But things clicked for me when you put it in terms of how to go really fast in video game. ❤
this is such an amazing demonstration and explanation of very common considerations in computer science. I was always curious of all of these things
He went from new Wii to unlocking Funky Kong real quick. I approve, that is the first thing you should be doing.
Ah yes, I think I recall this bug in the Wii’s digital signature system. It wasn’t just used for connecting to the internet; every game had a signature calculated over the disc contents, to try to prevent exploits through modifying games to contain code other than what the developer had actually made. I was aware of it through Guitar Hero, and exploiting this bug was how that community was able to insert their own custom songs into that game - by taking the original game, replacing the files for a song with their own, then “fakesigning” that disc image. To see it used in this manner, to arbitrarily patch games that haven’t seen official updates in decades… on a system that never actually had game updates, and to do so inside the game environment itself, is seriously impressive.
Thank you for this amazing video! I learned a lot throughout the process, and knowing how these exploits and programs work is always very interesting!
You always come back with some crazy plan that is truly a sight to see!
Ha! Arbitrary Code Execution for the Mario Kart Wii. You love to see it.
And now I know why it's called "Stack Overflow"
Jeez, this is far more interesting than my day job maintaining gps software =3 Nice job!
So glad I became an Electrical Engineer so that I get to sit here and delight in all the cool shit this community does
Good video Malleo!
genuinely interesting video about a topic i struggle to understand, i never thought this day would come
This makes TONS of sense. Amazing video Malleo.😊
This video is RIGHT up my alley, i absolutely love it. Very clear and concise and engaging. Great work!!
awesome video!! feels so weird that it's all technically vanilla haha :) first time a mario kart game has had ACE! really really cool video thank you so much malleo :D
Nice!
This video is awesome, mariokart wii is one of my favorite games and I'm studying comp sci in college rn so this is so fascinating.
This is one of these videos that reminds me that there are simply different kinds of people in the world. I did take computer science, but my understanding caps at a senior high school level. I simply cannot comprehend these sort of things and the fact that some people can never fails to baffle me.
I'm nerding out hardcore on this, thank you so much for sharing. Great video!
As a computer science graduate and now cyber security student with a buffer overflow project, I wish that was our course content
Positively lovely explanations of all of these CS, network, and data science concepts!!
awesome video! love the explanations and the effort you went through for everyone to be able to understand
I've been a programmer for a while now, and this taught me a lot. Nice!
nice video. even if you already know the concepts behind these types of exploits, its always nice to see them in action :-)
I always look forward to your videos, Glad you're back!
Incredible video, well explained and really interesting !
I must've put hundreds of hours into this game as a kid. It's neat to see it broken down in such a technical manner now.
Actually, I wrote a small script to automatically transcribe those messages :P
For those who are curious, you can hit read more
Message 1: Did you seriously copy this by-hand in order to figure out what this says? Nice.
Message 2: Seriously shoutout to MikeIsAStar for his help on this video!
Message 3: Oh my gosh, this isn't good! You caused a buffer overflow, silly Nintendo. Kids, remember to always check that the size argument in your memcpy is less than or equal to the size of both the source and destination buffers to prevent this type of memory exploit. Thanks!
This video is just plain awesome 🤩 such a fun idea and cool to see it all in practice
The visualizations are on point. Very well made! :)
14:00 Riolu approves!
14:00 ah yes, the riolu approach
And this is why there are categories within glitched lmao. ACE, no major glitches, etc
Best explanation of stack overflows I've ever seen
Banger of a video cannot lie
Cant wait for the 100% Paper Mario Tas :')
Using Security Vulnerabilities to Get Every World Record in Mario Kart Wii
Yoo, you have a Megan? Congrats, wish you two the best!
Hope you're doing well man!
Just completed the GFACT course and I feel smart understanding all this
I would say that the buffer overflow is where a "glitch" in MKWii has been used, and is clearly where the line can be drawn about what is and isn't a glitch. The game clearly intends to not overwrite data outside of the buffer, but fails to avoid that due to a lack of code to handle oversized packets. I'd call it a glitch and not an exploit because there are no "normal" circumstances where the data packets would be oversized and perfectly crafted for this purpose, and unlike exploits where you put together intended systems and mechanics in unintended ways, receiving oversized packets is unintended right off the bat.
Alternatively, you could simply file this problem under "external tools used", where the proxy server that modifies packets easily fits the definition
Me who is a super cool nerd nerd: “Oh yeah, now we’re cookin’.”
Amazing video !!! 😮
Great video!
I've got two questions:
1. What happens with data that is between the buffer and the link register? What if it contained something important we shouldn't be overwriting with something?
2. How can we modify code? If you are in the menu the code for being in a race shouldn't be loaded into RAM, right? But you can still modify the items you receive during a time trial
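Added example (not code from the video, the game, or Wiimmfi): the memcpy size check that the transcribed "Message 3" recommends, applied to the oversized-packet situation described in the glitch-vs-exploit comment and to question 1 above. The wire format (2-byte big-endian length then payload), every function name, and the sample frames are assumptions constructed for this illustration; only the 128-byte buffer size comes from the comments. The unchecked handler shows the shape of the defect (a trusted header length used directly as the copy size, so anything the compiler placed after the buffer in the stack frame, such as the saved link register, gets overwritten); the checked handler bounds the copy against both the bytes actually received and the destination buffer before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer; 128 bytes mirrors the size discussed in the comments. */
#define PACKET_BUF_SIZE 128

enum handle_result {
    HANDLE_OK = 0,
    HANDLE_BAD_ARG = 1,    /* NULL pointer or frame shorter than its 2-byte header */
    HANDLE_TRUNCATED = 2,  /* header claims more bytes than were received (source bound) */
    HANDLE_TOO_LONG = 3    /* payload would not fit the stack buffer (destination bound) */
};

/* Hypothetical wire format for this illustration: 2-byte big-endian length,
 * then that many payload bytes. Not the game's real packet format. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the header-declared length is used unchecked as the memcpy
 * size. A declared length above PACKET_BUF_SIZE writes past buf into whatever the
 * compiler placed after it in the stack frame (saved registers, return address).
 * Kept only to show the shape of the defect; never run it on untrusted frames. */
static uint32_t handle_frame_unchecked(const uint8_t *frame)
{
    uint8_t buf[PACKET_BUF_SIZE];
    uint16_t declared = read_be16(frame);
    memcpy(buf, frame + 2, declared);      /* no bound on declared: the defect */
    uint32_t sum = 0;
    for (size_t i = 0; i < declared; i++) sum += buf[i];
    return sum;
}

/* Hardened pattern: the copy size is checked against both the bytes actually
 * received (source) and the destination buffer size before any memcpy runs. */
static enum handle_result handle_frame_checked(const uint8_t *frame, size_t frame_len,
                                               uint32_t *sum_out)
{
    uint8_t buf[PACKET_BUF_SIZE];
    if (frame == NULL || sum_out == NULL || frame_len < 2)
        return HANDLE_BAD_ARG;
    uint16_t declared = read_be16(frame);
    if (declared > frame_len - 2)          /* source bound: header lies about length */
        return HANDLE_TRUNCATED;
    if (declared > sizeof buf)             /* destination bound: would overrun buf */
        return HANDLE_TOO_LONG;
    memcpy(buf, frame + 2, declared);
    uint32_t sum = 0;
    for (size_t i = 0; i < declared; i++) sum += buf[i];
    *sum_out = sum;
    return HANDLE_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[] = { 0x00, 0x04, 1, 2, 3, 4 };   /* declares 4, carries 4 */
static const uint8_t lying_frame[] = { 0x01, 0x00, 1, 2, 3, 4 };  /* declares 256, carries 4 */
static uint8_t oversized_frame[2 + 200];                           /* declares 200, carries 200 */

static void init_oversized_frame(void)
{
    oversized_frame[0] = 0x00;
    oversized_frame[1] = 200;
    memset(oversized_frame + 2, 0xAA, 200);
}

/* Small wrappers so callers can inspect the result code and the sum separately. */
static enum handle_result result_of(const uint8_t *frame, size_t frame_len)
{
    uint32_t ignored = 0;
    return handle_frame_checked(frame, frame_len, &ignored);
}

static uint32_t sum_of(const uint8_t *frame, size_t frame_len)
{
    uint32_t s = 0;
    handle_frame_checked(frame, frame_len, &s);
    return s;
}

static enum handle_result oversized_result(void)
{
    init_oversized_frame();
    return result_of(oversized_frame, sizeof oversized_frame);
}

int main(void)
{
    printf("good:      result=%d sum=%u\n", (int)result_of(good_frame, sizeof good_frame),
           sum_of(good_frame, sizeof good_frame));
    printf("lying:     result=%d\n", (int)result_of(lying_frame, sizeof lying_frame));
    printf("oversized: result=%d\n", (int)oversized_result());
    printf("unchecked handler on a well-formed frame: sum=%u\n",
           handle_frame_unchecked(good_frame));
    return 0;
}
```

The two rejections are deliberately distinct: a frame whose header claims more than was received would make the unchecked handler read past the packet (the source side of the check in "Message 3"), while a frame that really does carry 200 bytes would make it write past the 128-byte buffer (the destination side). Both checks have to run before the copy, and the declared length must never be used as a loop or copy bound on its own.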
Holy shit Malleo?? I haven't seen an upload from you in a small minute
The Chrono Trigger Music in background is sick
This was a really ironic video to watch while skipping my net-centric computing class
Educational and entertaining^^
This is super good!!
This needs more views
Hopefully there's anti-cheats in CTGP to prevent this from being used there?
There are!
Room encryption
Intercepting network packets to modify Mario Kart Wii code? My interests have collided! Also, really well done explanation on DNS servers and certificates.
Wow this is incredible! Is the ACE payload limited by the 128 bytes of buffer size or can we get past that somehow? Thinking about how possible would it be to ACE in anything we'd want, like maybe transferring a custom track over wiimmfi on the fly
nice video, congrats on getting engaged!
Summoning Salt teaches Gamer History
Malleo teaches Gamer Science and Gamer Math
Yeah it makes sense to consider this a modification, because you're using a valid console connection (wifi) to connect to arbitrary non-standard devices. That'd be like rewriting the game's code by using a custom wire to attach your computer to a controller port. The port is valid, but connecting your computer is a modification.
Great video
Yo da legend is back Bois
I really like this video 👍
If your old Wii can still read GameCube discs, it might just be struggling with 8GB dual-layer discs. I had an old Wii with the same problem. Any game released after January 2008 (the release of Brawl, the first dual-layer Wii game) would give an error, but earlier single-layer games like Wii Sports and Wii Play were fine. I didn't own any GameCube games, but since they're single-layer I assume they would've worked.
Banger video! What's the song at 5:13?
Corridors of Time - Chrono Trigger