Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sanqui
Date: 2013-07-10 07:46:32
Hello all!  I was going to hold off releasing this until I make an actual "hello world"-like proof of concept, but I don't think you guys need one, and I bet you'll try to do some cool stuff with it yourself.

So, this exploit allows you to execute arbitrary code on (i.e., jailbreak) the English version of Pokémon Gold.  Unfortunately, it is much more limited than the 8F item you have grown to like from Gen 1, but it's still pretty nifty, and might pave the way to a better exploit!

Long explanation

To explain.  You have probably heard of the coin case glitch, where if you speak to the Machop in Vermilion and open the coin case, the game crashes.  But I haven't found anybody actually studying what the game does, so I traced it and figured out why it happens.
In short, I believe the translators messed up.  The text script for the Coin Case ("Coins: 1234") ends in a $57, which while a valid text ending byte, is not a valid text script byte.  (The correct one would've been $50.)  Since after printing the number, the game is in text script mode, the game reads an invalid pointer and, surprise, jumps into memory at $e112 (since that's ECHO RAM, it's essentially $c112).  This section of RAM is used by cries.  Most of the time, it's filled by zeroes, and by sheer luck ends in a ret.  But if you play a cry immediately before opening the Coin Case, the memory will be tainted.
Most cries don't do much, some return successfully, some mess with the text a bit.  Machop's cry is special, because it happens to contain inc sp.  This causes the ret to go elsewhere, specifically, $eb12, which contains some overworld stuff…  Specifically, as you move around, it has tile attributes for the window tilemap.  The contents are mostly unpredictable, but consistent if you move in a specific pattern, which will lead us to $FA98 (again, ECHO RAM, so essentially $DA98).  This is in the middle of the third party Pokémon's data, which is already something we can sanely work with!  You could probably hunt a Pokémon with specific EVs and stats in order to construct some opcodes, but I opted for picking a Pokémon whose data doesn't do anything and slides through to the fourth Pokémon.
The first three bytes of a Pokémon are species, item and first move.  Thus, we can construct a Pokémon which "jumps" somewhere useful.  I picked the PC box for this purpose: $D61A, which is the second boxed item's amount.
So, now we can get the game to execute what we can control.  Unfortunately, like I warned, this method is extremely limited.  Since the arbitrary code on the way tampered with the stack and random memory, one would have to carefully reconstruct these in order to return control *back* to the game after opening the Coin Case.  It should be possible, but I didn't explore this.  So, for now, this is a one-way trip.

Preparation
Get a Quagsire with HP Up and Sleep Talk as the first move.  Put it fourth in party.
Put a valid slide Pokémon in slot 3.  A low-level freshly caught or hatched Pokémon should work.  (The Pokémon's data CANNOT have code which changes code flow, such as jumps, calls or rets.)
Build the code you want to execute in the PC, starting from the second item's count.

Exploit
You MUST move in specific ways, though there may be other methods.
0. Prepare everything.
1. Save & Restart, or step through a warp.
2. Take a step down and four steps right.  (Three to the left might work, too?)
For example, if you were performing this trick from Elm's lab (the traditional method), you'd be standing here:
[img]http://sanqui.sweb.cz/screen/2013071014%3A44%3A34bgb-POKEMON_GLDAAUE-ab16.png[/img]
3. Listen to Machop's cry (I used the Pokédex, but party should work too)
4. Open the bag and change pockets at least once
5. Open the Coin Case
At this point, the game does a ton of wacky stuff and eventually jumps to $D61A, which should contain your code!
The state is (but it might depend on your slide Pokémon):
af=2800  bc=0f0f  de=0600  hl=1c2f  sp=dfbc  pc=d61a  rom=66
Interrupts DISABLED (?)

Final words
I don't believe this exploit works on the Japanese version, but I haven't tested.  It was definitely fixed in Crystal.  It also may have been fixed in other language revisions.

I hope to see some cool stuff done with this, but I do realize that the set up is kind of annoying.  Have fun, anyway.

Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?
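To make the root cause described in this post concrete, here is an added toy model (not the game's code, and not Sanqui's): a text engine in which a character printer and a command interpreter share one byte stream. The printer accepts both $50 and $57 as "end of string"; the command interpreter accepts only $50 and dispatches any other byte through a jump table with no bounds check, so a $57 reached in command mode indexes past the table and whatever bytes lie beyond it are fetched as a code pointer. The table address, handler addresses, command numbers and the bytes placed after the table are all constructed; only the value $E112 and the echo-RAM folding to $C112 mirror what the post reports. The `checked=True` variant shows the one-line mitigation: reject opcodes outside the table instead of indexing with them.

```python
# Toy model of a two-mode text engine. Constructed for illustration only: the
# table address, handler addresses, command numbers and the bytes after the
# table are invented and are not the game's real layout.

TEXT_END = 0x50        # terminator the command interpreter accepts
PRINTER_END = 0x57     # terminator only the character printer accepts
CMD_START = 0x00       # constructed: switch to the character printer
CMD_DECIMAL = 0x09     # constructed: print a number, stay in command mode
NUM_COMMANDS = 16      # constructed: entries in the command jump table
TABLE = 0x3000         # constructed: ROM address of that table


def echo(addr):
    """Game Boy echo RAM: $E000-$FDFF mirrors $C000-$DDFF."""
    return addr - 0x2000 if 0xE000 <= addr < 0xFE00 else addr


def build_memory():
    """A 64 KiB address space holding the constructed jump table."""
    mem = bytearray(0x10000)
    for i in range(NUM_COMMANDS):
        handler = 0x3100 + 0x10 * i             # constructed handler addresses
        mem[TABLE + 2 * i] = handler & 0xFF     # little-endian pointer
        mem[TABLE + 2 * i + 1] = handler >> 8
    # Whatever happens to sit after the table in ROM. Constructed so that the
    # slot an unchecked dispatch of $57 reads from contains the pointer $E112,
    # the value the post reports; in a real ROM it is simply adjacent data.
    slot = TABLE + 2 * PRINTER_END
    mem[slot], mem[slot + 1] = 0x12, 0xE1
    return mem


def run_script(mem, script, coins, checked):
    """Interpret one text script.

    Returns (printed_text, how_it_stopped, jump_target). With checked=False
    the command dispatcher indexes the jump table without a bounds check,
    like the bug; with checked=True an unknown opcode stops the script.
    """
    out, pc, mode = [], 0, "command"
    while pc < len(script):
        b = script[pc]
        pc += 1
        if mode == "printer":
            if b == TEXT_END:            # string over, back to command mode
                mode = "command"
            elif b == PRINTER_END:       # string over and script over
                return "".join(out), "end", None
            else:
                out.append(chr(b))
            continue
        if b == TEXT_END:
            return "".join(out), "end", None
        if b == CMD_START:
            mode = "printer"
        elif b == CMD_DECIMAL:
            out.append(str(coins))       # afterwards we are still in command mode
        elif b < NUM_COMMANDS:
            pass                         # other commands: no-ops in this model
        elif checked:
            return "".join(out), "invalid command 0x%02X" % b, None
        else:
            # Unchecked dispatch: the index runs past the 16-entry table and a
            # 16-bit pointer is fetched from whatever lies beyond it.
            slot = TABLE + 2 * b
            target = mem[slot] | (mem[slot + 1] << 8)
            return "".join(out), "jumped into RAM", echo(target)
    return "".join(out), "ran off the end of the script", None


# Constructed scripts: "COINS:" then the number, ended by $57 (as shipped)
# or by $50 (as it should have been), and a plain string ended by $57.
COIN_CASE_UE = bytes([CMD_START]) + b"COINS:" + bytes([TEXT_END, CMD_DECIMAL, PRINTER_END])
COIN_CASE_FIXED = bytes([CMD_START]) + b"COINS:" + bytes([TEXT_END, CMD_DECIMAL, TEXT_END])
PLAIN_STRING = bytes([CMD_START]) + b"COINS:" + bytes([PRINTER_END])


def demo(coins=1234):
    mem = build_memory()
    return {
        "ue_unchecked": run_script(mem, COIN_CASE_UE, coins, checked=False),
        "ue_checked": run_script(mem, COIN_CASE_UE, coins, checked=True),
        "fixed_script": run_script(mem, COIN_CASE_FIXED, coins, checked=False),
        "plain_string": run_script(mem, PLAIN_STRING, coins, checked=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-13s %s" % (name, result))
```

The `plain_string` case is the point of the post's "valid text ending byte, but not a valid text script byte": the same $57 ends a string harmlessly when the printer sees it, and only becomes a wild pointer fetch because printing the number leaves the engine in command mode. Both fixes work independently: the script-side fix is the $50 terminator, and the engine-side fix is the bounds check on the dispatch index.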

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case Glitch

Posted by: TheZZAZZGlitch
Date: 2013-07-11 03:37:14
That's awesome. And I thought Gen II was written well.
I did some more research into this, and I have a lot to say:

First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by player's money and item availability.

A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once, as in this example:

Bag opens and starts in the Items pocket: just go to Key Items and use Coin Case.
Bag opens and starts in the Key Items pocket: go to any pocket first, then go back to Key Items and use Coin Case.

This is required since playing the "pocket switch" sound changes bytes at $E162 to {0x08,0x00,0x00} - ld (0000),sp; otherwise, the bytes are left with values {0x20,0x10,0x00} - jr nz,E174 - which causes the game to skip important code parts.

About a "slide Pokemon": It seems that any low level Pokemon will do the trick. Those little critters will probably not have any stats/IVs bigger than 32, and thus, they should not be able to change the code flow.

Now it's time to end the boring part and do something amazing with it!

Doing something useful seems impossible, since after all this the stack is severely messed up. However, there is a small trick that will bring everything back to order:

inc  sp
ld  bc,$0134
push bc
jp  12f5


The first [inc sp] negates the effects of the previous [inc sp]. After this, the stack will look like this:

[tt]    Return address to the Coin Case script
SP-> Text loading routine: saved register AF
    *Text loading routine's saved register HL should be there*
    *Return address to the text reading routine should be there*[/tt]

Then, I push a value $0134 into the location where text reading function's saved register HL was supposed to be, and I jump back where the text reading routine is located ($12F5). The game is now tricked into thinking it was reading text data from $0134. On a normal clean ROM, address $0134 always contains value $50 - so the text routine thinks that text data is over and returns control back to the game. Mission accomplished!

Hello World:

This is an example program, which will display the first Pokemon's nickname instead of the amount of coins, as long as this nickname is less than 10 characters:

[img]http://i40.tinypic.com/qo83nd.jpg[/img]

Because of many restrictions, most of the code is just elaborate ways of doing nothing, just to pad the memory and make the program representable with items.

WRA1:D61A 26 DA            ld  h,DA      ; hl = $DA??
WRA1:D61C 02              ld  (bc),a    ; * do nothing
WRA1:D61D 24              inc  h        ; hl = $DB??
WRA1:D61E 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D621 B5              or  l        ; * do nothing
WRA1:D622 2E 8A            ld  l,8A      ; hl = $DB8A
WRA1:D624 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D627 AF              xor  a        ; a = $00
WRA1:D628 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D62B 22              ldi  (hl),a    ; $DB8A = $00, HL = $DB8B
WRA1:D62C 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D62F 0B              dec  bc        ; * do nothing
WRA1:D630 3E 27            ld  a,27      ; a = $27
WRA1:D632 07              rlca          ; a = $4E
WRA1:D633 B8              cp  b        ; * do nothing
WRA1:D634 3C              inc  a        ; a = $4F
WRA1:D635 02              ld  (bc),a    ; * do nothing
WRA1:D636 22              ldi  (hl),a    ; $DB8B = $4F, HL = $DB8C
WRA1:D637 9E              sbc  a,(hl)    ; * do nothing
WRA1:D638 33              inc  sp        ; bring the stack back to order
WRA1:D639 2B              dec  hl        ; hl = $DB8B
WRA1:D63A 2B              dec  hl        ; hl = $DB8A
WRA1:D63B E5              push hl        ; make the game read text from $DB8A
WRA1:D63C 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D63F 26 12            ld  h,12      ; hl = $128A
WRA1:D641 B7              or  a        ; * do nothing
WRA1:D642 2E F5            ld  l,F5      ; hl = $12F5
WRA1:D644 01 ?? ??        ld  bc,????  ; * do nothing
WRA1:D647 E9              jp  hl        ; jump to $12F5 (print the text and return control)
WRA1:D648 01 FF 01        ld  bc,01ff  ; leftovers (last item's qty and end of list marker)


Represented as items:

[tt][ANY ITEM]                x[ANY QUANTITY]
[ANY ITEM]                x38
TM27                      x2
Nugget                    x1
[ANY ITEM]                x[ANY QUANTITY]
Surf Mail                  x46
Charcoal                  x1
[ANY ITEM]                x[ANY QUANTITY]
Squirtbottle              x1
[ANY ITEM]                x[ANY QUANTITY]
Leaf Stone                x1
[ANY ITEM]                x[ANY QUANTITY]
Ice Heal                  x62
Revive                    x7
Lovely Mail                x60
Ultra Ball                x34
Flower Mail                x51
Max Repel                  x43
TM37                      x1
[ANY ITEM]                x[ANY QUANTITY]
Full Heal                  x18
Portraitmail              x46
HM03                      x1
[ANY ITEM]                x[ANY QUANTITY]
TM41                      x1[/tt]

A video here: http://www.youtube.com/watch?v=lB2ja6p-sjg
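As an added check of the "representable with items" constraint the post describes (this is not ZZAZZ's or Sanqui's tooling): the box list stores items as (item id, quantity) byte pairs, and the code starts at the second item's quantity byte ($D61A), so every other code byte lands in a quantity slot and must be a count the game will actually store. The bytes below are copied from the disassembly above (None for a `??` byte), and the names and counts are copied from the item list, starting at its second line since the first line lies entirely before the code. The limits assumed here are a quantity of 1..99 and an item id that is neither $00 nor the $FF end-of-list marker; the script verifies the listing against the bytes and shows why one `ld hl,$DB8A` could not have been used.

```python
# Added check of the "representable as items" constraint, not the post's own
# tooling. Assumed limits: quantity 1..99, item id not $00 and not the $FF
# end marker. Bytes copied from the disassembly above; None is a "??" byte.

HELLO_WORLD = [
    0x26, 0xDA, 0x02, 0x24, 0x01, None, None, 0xB5, 0x2E, 0x8A, 0x01, None, None,
    0xAF, 0x01, None, None, 0x22, 0x01, None, None, 0x0B, 0x3E, 0x27, 0x07, 0xB8,
    0x3C, 0x02, 0x22, 0x9E, 0x33, 0x2B, 0x2B, 0xE5, 0x01, None, None, 0x26, 0x12,
    0xB7, 0x2E, 0xF5, 0x01, None, None, 0xE9, 0x01, 0xFF, 0x01,
]

# Names and counts copied from the item list in the post, starting at its
# second entry ("[ANY ITEM] x38"); None marks an "[ANY QUANTITY]" wildcard.
LISTING = [
    ("[ANY ITEM]", 38), ("TM27", 2), ("Nugget", 1), ("[ANY ITEM]", None),
    ("Surf Mail", 46), ("Charcoal", 1), ("[ANY ITEM]", None), ("Squirtbottle", 1),
    ("[ANY ITEM]", None), ("Leaf Stone", 1), ("[ANY ITEM]", None), ("Ice Heal", 62),
    ("Revive", 7), ("Lovely Mail", 60), ("Ultra Ball", 34), ("Flower Mail", 51),
    ("Max Repel", 43), ("TM37", 1), ("[ANY ITEM]", None), ("Full Heal", 18),
    ("Portraitmail", 46), ("HM03", 1), ("[ANY ITEM]", None), ("TM41", 1),
]

LIST_END = 0xFF   # end-of-list marker
MAX_QTY = 99      # assumed largest stack the box will store


def to_entries(code):
    """Split code bytes into (item id, quantity) pairs as the box list holds them.

    The first code byte is a quantity; its item id sits just before the code
    (reported as None). Stops at the $FF marker and returns (entries, leftover).
    """
    entries = [(None, code[0])]
    i = 1
    while i < len(code):
        if code[i] == LIST_END:
            return entries, code[i + 1:]
        qty = code[i + 1] if i + 1 < len(code) else None
        entries.append((code[i], qty))
        i += 2
    return entries, []


def problems(entries):
    """Entries the box could not hold; None (wildcard) bytes never count."""
    bad = []
    for n, (item, qty) in enumerate(entries):
        if item in (0x00, LIST_END):
            bad.append((n, "item id 0x%02X" % item))
        if qty is not None and not 1 <= qty <= MAX_QTY:
            bad.append((n, "quantity %d" % qty))
    return bad


def listing_matches():
    """True when the post's item counts agree with the disassembly bytes."""
    entries, _ = to_entries(HELLO_WORLD)
    return len(entries) == len(LISTING) and [q for _, q in entries] == [q for _, q in LISTING]


def why_padding():
    """Why `ld h` / `inc h` / `ld l` instead of one `ld hl,$DB8A` (21 8A DB):
    the $DB byte would land in a quantity slot, and 219 is not a storable count."""
    entries, _ = to_entries([0x21, 0x8A, 0xDB])
    return problems(entries)


if __name__ == "__main__":
    entries, leftover = to_entries(HELLO_WORLD)
    for (name, _), (item, qty) in zip(LISTING, entries):
        print("%-14s id=%s qty=%s" % (name, "??" if item is None else "$%02X" % item, qty))
    print("problems:", problems(entries), "leftover:", leftover)
    print("listing matches:", listing_matches(), "| ld hl,$DB8A would give:", why_padding())
```

The pairing reproduces the listing exactly (24 entries, every quantity between 1 and 99, the $FF marker right after TM41's count, and one leftover $01 byte), which is the consistency check a reader would want before trusting the table. The `why_padding` case shows the constraint at work: a 16-bit immediate such as $DB8A puts a byte over 99 in a quantity slot, so the value has to be built from two 8-bit loads with harmless bytes in between.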

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case Glitch

Posted by: Sanqui
Date: 2013-07-11 10:41:40
That's awesome. And I thought Gen II was written well.

It mostly is.  You can't blame the original programmers for this :P
First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by player's money and item availability.

Indeed, but we may be able to use this exploit to duplicate items and generate new ones. 
A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once

Nice catch!  This explains why I seemingly had to include the reset step: resetting the game makes the Bag start in the Items pocket.

Nice work about the hello world!  I was going to do one myself, but I got seriously annoyed by writing code in terms of items, even with the handy table I linked.  Maybe we could create some more useful bootstrapping routine?  I wonder if an exploit more similar to 8F could be found (one which could always be run with less setup), since we can edit anything in WRAM.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: camper
Date: 2013-07-11 11:48:40
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2013-07-11 14:38:03

Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?


Hi Sanqui, great work on discovering this! Glitch City has a temporary IRC that can be found here. (original thread)


Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.


Actually, both item mutation and item duplication are possible with the duplicate Key Items exploit, which occurs when swapping one Key Item with another of the same type directly below it.

When a Pokémon is holding a Key Item (available via the Celebi glitch), taking it places it into the Key Items pocket. You can only have quantities greater than 99 in the Key Items pocket though, as the only way of 'moving them into the Items pocket' is depositing them into the PC (note Key Item quantities never decrease) and withdrawing them.

For convenience, I'll re-post the important parts from the description.

There are two different kinds of effects which I'll label (1) and (2):

1) If the sum of the first Key Item's index number and the item below the second Key Item is less than or equal to 100, then the second item identifier becomes equal to the index number of the Key Item plus that of another item directly underneath the item swapped. Its quantity is determined by what was the item identifier of the third item.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Card Key (index no. 127)
Basement Key (index no. 133)
CANCEL (index no. 255)

If we swap the first Lost Item with the second, we lose the original second Lost Item and the Card Key, but the second Lost Item will turn into a Master Ball with quantity 133 (Basement Key's index number). The reason why the second item turns into a Master Ball in this example is because the Card Key is index number 127 (7F) and the Lost Item is index number 130 (82). Adding these together gives 257, but since items are defined by one byte, this becomes 257 modulo 256 or 1, which is Master Ball's index number.

Therefore we get:

Lost Item (index no. 130)
Master Ball (index no. 257 == 1) x133
CANCEL (index no. 255)

2) If the sum of the first Key Item's index number and the item below the second Key Item is greater than 100, then the third item is not lost, but becomes a BLK Apricorn (index no. 99). The second item identifier becomes equal to that of the sum of the first Key Item index number and the original third item minus 99. Its quantity is derived from the new third item identifier.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Master Ball (index no. 1) x7
Bicycle (index no. 7)
CANCEL

If we swap the first Key Item with the second this gives us:

Lost Item (index no. 130)
Rare Candy (index no. 32 [130+1-99] )
BLK Apricorn (index no. 99)
Bicycle (index no. 7)
CANCEL (index no. 255)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: krynxe
Date: 2013-10-03 02:17:57
Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2013-10-03 05:50:16

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?


Certain cries give different effects. There is an incomplete list of typical effects here by Rsrdaman.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: MrWint
Date: 2013-10-03 11:18:53
Nice find, Sanqui, it has quite the potential.

I looked into the glitch a bit and want to share what I found out so far.

The RAM at $C112 and onwards belongs to the parameters of the SFX channels 5-8. These parameters are reset frequently (e.g. every time you enter a new area, including after trainer battles), so you can't store sound effects. Also, certain sounds only use certain channels, leaving the others untouched. For example, the menu opening sound and the item page switch sound only use channel 8. That is why they don't override the cry and the trick works at all.
I tested all sound effects and cries, only very few are useful:

All of them do the same thing, they corrupt the stack with "inc sp" and jump to $EB12. The content of the registers differs slightly depending on the Pokémon used and the data of channel 8.

From $CB12, the code proceeds to $CC20, where the next interesting RAM content is. In addresses $CC20-$CC48 background tiles are stored. More specifically, the tiles that are loaded whenever the player moves. Each time you go a step, the newly visible tiles need to be loaded, and this is the buffer they are stored in before copying them to VRAM. When moving vertically, these are 40 tiles (20x2) and when moving horizontally it is 36 tiles (2x18). Addresses $CC48-$CC70 contain the corresponding palettes (tiles are 2bit, the palette defines the color scheme). None of these are too interesting, the values are usually too small to change the code flow, the most interesting thing you can do here is calling "inc sp" or "dec sp" to fix the stack.

The really interesting data follows, $CC70-CC98 contains pointers to VRAM addresses where the newly loaded tiles are inserted in the BG map. The BG map is a 32x32 tile buffer located at $9800-$9C00 which holds the current background tiles. It features a "window", that defines the (20x18 tiles) portion of the buffer that is actually visible on screen. When moving, the new tiles are inserted at the respective edge of the window and then the window is moved smoothly to that side to create the moving effect. Each pointer describes a 2x1 tile area, so there are half as many pointers as tiles to insert. I saw in your screenshot that you are using BGB, it has a nice visualization of the BG map (look for "vram viewer" in the menu), it helps to see what is going on.
Fortunately, the window is reset very often, every time anything partially covers the screen (including battles, entering a map, opening the menu, talking to an NPC, …), so it's easy to manipulate.
The addresses you used in your example are $98DA, $98FA, which spell out to "jp c,$FA98". You can get other addresses as well, but they all end on $98-$9B, since these are the values the pointers can have.
The most important conclusion is that you can generate this jump everywhere, not just in New Bark. For example, you can just reset your window (e.g. by opening the menu) and then use the same choreography as in New Bark (1x down, 4x right) to get the same addresses and therefore the same jump. However, you need to make sure that the carry flag is set, otherwise you won't jump.

From there on, you have enough manipulation options to execute arbitrary code.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: OwnageMuch
Date: 2013-12-09 17:13:40
Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2013-12-10 09:40:30

Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html


I enjoyed that. There are parts that could probably be improved, like getting better DVs on Totodile to score KOs earlier or resetting earlier while cloning (it's possible to clone Pokémon a bit after the yes/no box disappears) but I think you did a good job overall, ZZAZZ.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Stackout
Date: 2013-12-10 11:56:31
Btw, I just checked in European G/S and the bug is fixed (proper $50 terminator in all of FR/IT/DE/ES).

Figures.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sanqui
Date: 2014-01-09 07:33:12
Pokémon Gold can now be beat in under 50 minutes with the route I came up with.  (I was kind of disappointed with the TASes, sorry!)

Here's a run in 49:49 by Dabomstew (WR at posting time): https://www.youtube.com/watch?v=c9EfVBGK-GU

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: TheZZAZZGlitch
Date: 2014-01-09 14:28:19
I was kind of disappointed with the TASes, sorry!


No need to sorry, I am aware that my TAS attempts sucked hairy balls. It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.

Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.

Also, I don't really know why that particular piece of code is helpful or required:
xor a
(...)
ld [$ff83], a ; kill OAM DMA


Other than that, everything looks awesome. One day I'll try this out, to see if it works.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sanqui
Date: 2014-01-09 17:13:22
It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.

Such coin case.
I have a very theoretical route for a TAS, too, but it's still in the works.  It would involve extremely heavy RNG abuse.  (And hopefully no boxes.)
Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.

Oh, right.  Thanks a bunch for reminding me of that person, by the way.  Not sure if I had remembered without having seen your TAS.

Also, I don't really know why that particular piece of code is helpful or required:
xor a
(...)
ld [$ff83], a ; kill OAM DMA


Other than that, everything looks awesome. One day I'll try this out, to see if it works.

I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-hram when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Stackout
Date: 2014-01-10 09:08:51

I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-hram when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.


Remember a ret pops whatever's on the top of the stack into pc.
So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.