Possible IPL exploit vector?

Sierraffinity
Posts: 2
Joined: Thu Sep 23, 2021 7:55 am

Possible IPL exploit vector?

Post by Sierraffinity » Tue May 24, 2022 6:29 pm

I'm new to security research but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.

There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which are stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it and leaving the icon size untouched! If this happens for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!

Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?
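As an added illustration in C (not code from the post, the IPL, or any project), here is the pattern the post describes: a switch over each 2-bit icon format that handles only 0, 1 and 2, so format 3 leaves the frame size untouched, next to a version that initialises the size, handles every value of the field and rejects the unknown format. The per-format byte counts, the packing of eight 2-bit fields into a 16-bit word, and the function names are assumptions made for the example.

```c
#include <stdint.h>

/* Constructed placeholder sizes; not the IPL's real per-format values. */
enum { ICON_FRAMES = 8, FMT1_BYTES = 1024, FMT2_BYTES = 2048,
       MAX_ICON_BYTES = ICON_FRAMES * FMT2_BYTES };

/* Assumed layout: frame i's format is bits 2i..2i+1 of a 16-bit field. */
static uint32_t frame_format(uint16_t fmts, int i) { return (fmts >> (2 * i)) & 3; }

/* Pattern from the post: no case for format 3 and no default, so `frame`
 * keeps whatever it held before. `stale` stands in for the leftover value
 * (the post observed a previously loaded pointer) that the first frame picks up. */
uint32_t icon_size_unsafe(uint16_t fmts, uint32_t stale)
{
    uint32_t total = 0;
    uint32_t frame = stale;                 /* models the uninitialised size */
    for (int i = 0; i < ICON_FRAMES; i++) {
        switch (frame_format(fmts, i)) {
        case 0: frame = 0;          break;
        case 1: frame = FMT1_BYTES; break;
        case 2: frame = FMT2_BYTES; break;
        /* format 3 falls out of the switch with `frame` unchanged */
        }
        total += frame;
    }
    return total;
}

/* Hardened form: every value of the 2-bit field is handled, the size is
 * assigned on every path, an unknown format rejects the whole entry, and the
 * running total is capped before it is used. Returns -1 on rejection. */
int32_t icon_size_safe(uint16_t fmts)
{
    uint32_t total = 0;
    for (int i = 0; i < ICON_FRAMES; i++) {
        uint32_t frame;
        switch (frame_format(fmts, i)) {
        case 0:  frame = 0;          break;
        case 1:  frame = FMT1_BYTES; break;
        case 2:  frame = FMT2_BYTES; break;
        default: return -1;                 /* format 3: refuse, don't guess */
        }
        if (frame > MAX_ICON_BYTES - total)  /* caller-independent bound */
            return -1;
        total += frame;
    }
    return (int32_t)total;
}
```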
emu_kidid
Site Admin
Posts: 4927
Joined: Mon Mar 29, 2010 10:06 am
Location: Australia

Re: Possible IPL exploit vector?

Post by emu_kidid » Wed May 25, 2022 5:15 am

the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card.
How are the "bounds of the memory card" defined? Is it current offset vs. total memory card size? That seems unlikely.
Sierraffinity
Posts: 2
Joined: Thu Sep 23, 2021 7:55 am

Re: Possible IPL exploit vector?

Post by Sierraffinity » Wed Jun 08, 2022 12:53 am

emu_kidid wrote:
Wed May 25, 2022 5:15 am
the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card.
How are the "bounds of the memory card" defined? Is it current offset vs. total memory card size? That seems unlikely.
The bounds of the memory card are just between zero and the total card size. The size is taken as (block size × number of blocks). Yes, they were at one point planning to have memory cards with different block sizes, and if you hack a memory card to show this (e.g. by modifying what Dolphin uses for its virtual memory cards), you can even get the IPL memory card screen to show you differently colored cubes! The IPL allocates enough space for the largest possible combination of block size and count, for both memory cards.