I'm new to security research but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.
There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which are stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it, and leaving the icon size untouched! If done for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!
Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?
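The pattern described in the post, an uninitialized per-frame size that survives because a switch has no case for one of the four possible 2-bit values, modelled in C as an added example. This is not the IPL's code and nothing here is taken from a disassembly: the packing of 2-bit format fields into a 16-bit word, the byte sizes assigned to formats 1 and 2, the 8-frame limit, and the card size used by the bounds check are all assumptions made for the example. The `stale_value` parameter stands in for whatever the uninitialized slot happens to hold (the post observed a pointer, 0x81466B60). The hardened version beside it shows the two fixes a reviewer would ask for: initialise the size on every iteration and reject the unhandled format instead of falling through.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION for this example: one 16-bit word holds a 2-bit format code
   per frame, least-significant pair first, for up to MAX_FRAMES frames. */
#define MAX_FRAMES 8

/* ASSUMPTION: byte sizes per format. Format 3 is deliberately unhandled,
   mirroring the switch described in the post. */
#define ICON_FMT_NONE      0
#define ICON_FMT_A         1
#define ICON_FMT_B         2
#define ICON_FMT_A_BYTES   1024u
#define ICON_FMT_B_BYTES   2048u

/* ASSUMPTION: size of the card the later bounds check compares against. */
#define CARD_BYTES (2u * 1024u * 1024u)

/* Vulnerable model. frame_size is only written inside the switch, so a
   format code of 3 leaves it holding whatever was there before: the stale
   slot contents on the first frame, the previous frame's size afterwards. */
uint32_t icon_total_size_vuln(uint16_t fmt_field, uint32_t stale_value)
{
    uint32_t total = 0;
    uint32_t frame_size = stale_value;   /* models the uninitialized slot */

    for (int i = 0; i < MAX_FRAMES; i++) {
        uint8_t fmt = (uint8_t)((fmt_field >> (2 * i)) & 3);
        switch (fmt) {
        case ICON_FMT_NONE: frame_size = 0;                break;
        case ICON_FMT_A:    frame_size = ICON_FMT_A_BYTES; break;
        case ICON_FMT_B:    frame_size = ICON_FMT_B_BYTES; break;
        /* no case for 3: frame_size is left untouched */
        }
        total += frame_size;
    }
    return total;
}

/* Hardened model: the per-frame size is initialised on every iteration and
   the unhandled code is an error, not a no-op. Returns 0 and sets *ok = 0
   when any frame carries format 3. */
uint32_t icon_total_size_fixed(uint16_t fmt_field, int *ok)
{
    uint32_t total = 0;
    *ok = 1;

    for (int i = 0; i < MAX_FRAMES; i++) {
        uint32_t frame_size = 0;         /* fresh value for every frame */
        switch ((fmt_field >> (2 * i)) & 3) {
        case ICON_FMT_NONE: frame_size = 0;                break;
        case ICON_FMT_A:    frame_size = ICON_FMT_A_BYTES; break;
        case ICON_FMT_B:    frame_size = ICON_FMT_B_BYTES; break;
        default:            *ok = 0; return 0;   /* reject format 3 */
        }
        total += frame_size;
    }
    return total;
}

/* Model of the sanity check the post says runs after the function returns:
   the icon read must stay inside the card. Written to avoid overflow in
   offset + size. */
int icon_read_in_bounds(uint32_t offset, uint32_t size)
{
    return size <= CARD_BYTES && offset <= CARD_BYTES - size;
}

int main(void)
{
    int ok;
    /* Frame 0 has format 3, all other frames format 0: the stale value is
       returned as the "size" of the icon. */
    uint32_t bad = icon_total_size_vuln(0x0003, 0x81466B60u);
    printf("vuln total for fmt_field=0x0003: 0x%08X, in bounds: %d\n",
           bad, icon_read_in_bounds(0, bad));
    printf("fixed total for fmt_field=0x0003: %u (ok=%d)\n",
           icon_total_size_fixed(0x0003, &ok), ok);
    return 0;
}
```

With a 16-bit field of 0x0003 the vulnerable model returns the stale value unchanged, which is exactly the situation the post describes, and the bounds check is what stops it from being used as a read length; with the same input the hardened model refuses the entry outright.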