Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in English Pokémon Crystal

Posted by: Torchickens
Date: 2014-06-23 09:53:41
In Generation II, when TMs and HMs are in the items, balls or key items pocket, they do not work properly.

In Crystal, HM06 (item hex:F8) in the items, balls or key items pocket has an invalid pointer that jumps to ROM0:3ACB. I actually didn't find this through hacking, but through a tool called Item Editor GSC made by Mateo.

After I looked into it further, there is the code 'jp nc, CD1A' (D2 1A CD) here, where the game will jump to CD1A, which is in RAM.

Arbitrary code execution is possible if you wrote your own code at CD1A with cheats, like making the first Poké Ball a Master Ball: 3E 01 EA D8 D8 C9, but unfortunately CD1A is not the most manipulable location.

On my save CD1A-CD1F is 00, so the emulator falls through. There is code from CD20 that seems to change based on your location on the map after you take at least one step, so the emulator tries to run the code there.

Theoretically, you could probably manipulate this code to redirect you to something where you can have more controllable code, like D8F2; the first item in the PC.

There is another obstacle though: How do you obtain HM06 in the wrong pocket?

When you get a Pokémon that is holding HM06 via a Generation I Pokémon with an unused catch rate in memory (because catch rates get converted into items) or theoretically through the bad clone glitch, when you take it off it goes into the TM/HM pocket, meaning that it works the way it should do.

This means that we need to think of another way of obtaining HM06.

Also, it's definitely worth asking: Are there any other TMs/HMs in the wrong pocket where you can make the game jump to somewhere in memory?

Here is a suggestion for getting HM06:

Possible method:

1) Get a ????? (00) through the bad clone glitch.
2) Try to get a glitch Unown through the 6+ party trick that causes map corruption. The 6+ party trick requires a hex:00 obtained with the bad clone glitch. Map corruption Unown include 80, 8B, 8D, 90, 9E, A1, C0, D3.

I haven't confirmed if it's possible to get glitch Unown this way in Pokémon Crystal (though it is possible in Gold/Silver through the defense stat of the Pokémon in the fifth position modulo 256), unfortunately.

3) Prepare yourself with just a poisoned Pokémon, view your map corruption Unown, then step into an out of bounds location that will give you a HM06 or a more/equally suitable item.

At two locations: south of Prof. Elm's lab (through glitch Unown 8D) and south of Mt. Silver (the latter through cheats, might work with 8D), I got HM06 in the Balls pocket.

Look at the pictures below:

[four images, not preserved in the archive]

I viewed the Glitch Unown on the exit mat, exited the Pokédex, then went left and down.

My items were corrupted.

After scrolling past Cancel in the Balls pocket I found an HM06 where the end position was supposed to be (D8F0; 13th Ball ID).

I was going to suggest that you could white out due to poison to keep it, then swap it to the first position, but unfortunately all poisoned status ailments are removed once you enter the map.

So maybe it would be a good idea to search for out of bounds locations where you can Teleport away or where poison doesn't get removed? You may not be able to Fly away due to badges getting removed.

Going out of bounds messes up your items, possibly including stored items, so that may be a problem if you have either more than the maximum number of items (withdrawing them would shift up unrelated data and likely cause a freeze) or if you're given the hex:00 item, where the game causes a lock-up when you scroll down to it or when you try to view it (I don't know if this always happens).

See also:

Maybe this glitch is worth looking into, more so than my method above. I don't understand it because I haven't tried it, only the duplicate key items part, so I can't theorize about it. It would have far fewer bad side effects though.

Edit: The emulator I used was VBA-rr-svn480-win32. Other emulators may give different results when stepping out of bounds.

Edit 2: Copy and paste from a slightly changed version of my post on Háčky's thread :-

I was close to getting HM06 in the Balls pocket without cheating in Pokémon Crystal with Háčky's trick.

I got three Secret Potions, and performed your trick up to the two Secret Potions in position 25 and 26 (where end should be). From there, I swapped them and caused the bytes shift upwards glitch in the balls pocket. Then, the end (FF) byte got converted into a quantity of 255. Since all quantities become items, I wanted to toss 7 of them to get a quantity of 248 (F8), which is HM06's index number, so that when I repeated the 'swap two stacks of Secret Potions at position 25 and 26 trick' it'd give me HM06.

Unfortunately the quantities of the items in the balls pocket wouldn't get reduced (now I understand that this is what your trick is about; using items infinitely including PC items from the Balls pocket) so I couldn't get HM06.

Is there a way to work around this? Trying to go out of bounds to get HM06 is emulator dependent, and the map distortion methods have a random element to them.

Edit: I have another question too. What is the address D958 used for in Crystal? It's a Max Revive (hex:28) on my save, but I'd like it to be HM06. It's the first and only item address after the PC item addresses (which directly follow the balls addresses) that I can access without a hex:00 item freeze.

Re: Theory - Arbitrary code execution in English Pokémon Crystal

Posted by: Torchickens
Date: 2014-06-23 16:25:21
New developments, big thanks to Wack0. Sorry for double posting, but I thought these developments would be good to describe in a new post.

Wack0 found that TM33 outside of the TM/HM pocket points to F418 (in Echo RAM), which is essentially D418.

This is used for the third character of the nickname of enemy Pokémon #5. When you enter a link battle, this data gets written to. So by using 8F or w sm in Pokémon Red/Blue/Yellow, you can give a Pokémon whatever you want as its nickname, including something like 'jp $xxyy' (C3 yy xx) then theoretically send it to a second Generation II game, make it the fifth Pokémon, then battle with the second game to put that data into F418.

The data stays when you leave the Cable Club Colosseum, but not after you save and reset the game, so it's theoretically possible to jump to anywhere more useful, but only in the same session and after linking up with the other Trainer.

Probably all that's left to do now is actually get the item outside the TM/HM pocket.

Another item, TM18, points to D230; the wild battle type. Wack0 suggests that maybe the code can fall through to D280 (number of Pokémon in enemy Trainer's party).

In Spanish Crystal, TM11 is assumed to be the equivalent of TM18, because it also points to F418, and the Spanish items pocket item addresses are the same as the English version (but this is a sweeping assumption, take it with a pinch of salt).

Wack0 tried using GSC Item Editor with other languages too but he got a freeze.

Also, we may have an alternative to Coin Case ACE in Gold and Silver. TM25 points to FA6A (the same as DA6A), and DA6A is the least significant Defense EV byte of the second Pokémon in the party. The Speed EVs word follows, and you can make a jump to somewhere more useful (via C3 yy xx again). This may be possible without trading, but getting the exact EVs would be tedious and it would be hard to keep track of them without memory viewer. Like getting the right nickname for enemy Pokémon #5, you should also be able to use 8F/ws m on Generation I to make the second Pokémon have the Defense and Speed EVs you want.

An advantage of this compared to Coin Case ACE is that you can easily point to somewhere different, and you don't have to walk around and use the item in a specific place, but setting up takes longer.

Edit: I overlooked something. You can get TM01-HM07 in the balls pocket by performing Háčky's trick and having TMs/HMs in the items storage system in the PC.

Re: Theory - Arbitrary code execution in English Pokémon Crystal

Posted by: Spoink
Date: 2014-06-23 18:31:53
Very interesting. Very interesting indeed… 8)

Re: Theory - Arbitrary code execution in English Pokémon Crystal

Posted by: Stackout
Date: 2014-06-24 04:26:26
I'm guessing that GSC Item Editor is using the wrong offsets on non-English ROMs. So I'll have to code something myself for that. I won't have time to do this for a while, though.

Re: Arbitrary code execution in English Pokémon Crystal

Posted by: Torchickens
Date: 2014-06-24 09:49:01
Edit (June 26th 2014): ACE confirmed on emulator. See my video for the method.

Yes! I made a 'get Celebi in Ilex Forest TM33' code that works, just like how Paco81 wanted to encounter Celebi there without GameShark in 2011.

The only thing that may put people off with my method is that you don't receive the GS Ball from the Pokémon Center; Kurt thinks you gave him a GS Ball so he 'gives it you back'. I basically set DA89 to C0 (address value by exatron).

What you need to do:

1) On a Generation I game name a Pokémon any two characters first, then the third-sixth characters as C3 F2 D8 C9 using 8F/ ws m. This will be 'jump to stored PC item 1' in Generation II.

A 8F/ws m code for this hasn't been made yet, but I'll work on it.

The nickname will look like this:


2) Hack Key Items as held items onto Pokémon in your Generation I game using 8F/ ws m. You need to fill your Key Items pocket on Crystal, so count how many Key Items you have in Crystal and do 25 (max number) minus that to see how many you need.

No code is available yet, so I'll work on it. You need to be careful as you can't see the results until you link up with a Generation II game.

Make two of them be Machine Part (80h) and two of them be SecretPotion (43h).

3) Set up the following PC items:

Item 1: Great Ball x 62
Item 2: TM02 x 38
Item 3: TM27 x 46
Item 4: Charcoal x 45
Item 5: Leaf Stone x 04
Item 6: TM10 x (any quantity)


inc b        ; increases 'b' by 1 (junk code)
ld a, C0     ; a = C0
ld h, DA     ; h = DA
ld l, 8A     ; l = 8A
dec l        ; l = 89 (item 89 is a Teru-Sama, and getting a Teru-Sama is more trouble than it's worth, so 8A is loaded and then decreased)
ldi (hl), a  ; stores a at the address in hl, i.e. C0 into DA89, then increments hl
inc b        ; junk code
ret          ; end

Plus you'll need a TM33 somewhere in the PC, maybe as item 7?

4) Trade over the Key Items Pokémon, and then the invalid nickname Pokémon to a second Generation II game. Do Háčky's 'use items stored in the PC, infinitely' trick to be able to access your PC items from the Balls pocket. You need any Apricorn ball (not a regular ball because their index numbers are too low) in the first position to be able to scroll down enough after the byte shifting.

5) Enter a link battle with the second Generation II game, with the invalid nickname Pokémon in the fifth position. Run, then make sure not to reset the game or enter a battle.

6) Un-fill your Key Items pocket (important or you'll later activate the Ilex Forest event without a GS Ball to put in the shrine!)  Go to Kurt's house in Azalea Town. Scroll through your Balls pocket and select the TM33. Use it.

7) Kurt should say "(NAME)! This Ball started to shake while I was checking it. There must be something to this!" then go out.  Ilex Forest will become 'restless' and Kurt will 'give you the GS Ball back', even though you never had one.

8) Go west of Azalea Town to Ilex Forest with a Pokémon knowing Cut. Go to the shrine, and press A on it, then you'll encounter a level 30 Celebi.

9) Capture it and enjoy! :)

Note that this is still a theory, even though the code works. I'm planning on making a video (may be multiple parts) to get Celebi without any cheats.

In hindsight, you could probably send a GS Ball over from Generation I to Crystal then set DA89 to 40, but never mind. I don't know if it would be easier.

Edit: Here is an 8F code for Red and Blue that does two things:

1) Writes C3 F2 D8 to DE08-DE0A :- first stored Pokémon nickname characters 3-5 (I don't think the ret was really needed)
2) Writes the number of items in the second position (D321) to the first stored Pokémon's catch rate.

3E C3      | ld a, C3      ; C3 = jp opcode, first nickname byte to write
26 DE      | ld h, DE
2E 08      | ld l, 08      ; hl = DE08, character 3 of the first stored Pokémon's nickname
22         | ld (hli), a   ; write C3 to DE08, hl = DE09
3E F2      | ld a, F2
22         | ld (hli), a   ; write F2 to DE09, hl = DE0A
3E D8      | ld a, D8
04         | inc b         ; junk
22         | ld (hli), a   ; write D8 to DE0A (jp D8F2 complete)
FA 21 D3   | ld a, (D321)  ; number of items in the second position
04         | inc b         ; junk
EA 9D DA   | ld (DA9D), a  ; first stored Pokémon's catch rate (held item)
C9         | ret

Items from #3:

Lemonade x 195 (C3)
Carbos x 222 (DE)
X Accuracy x 8 (08)
Water Stone x 62 (3E)
TM42 x 34 (22)
Lemonade x 216 (D8)
Poké Ball x 34 (22)
TM50 x 33 (21)
TM11 x 4 (04)
TM34 x 157 (9D)
TM18 x 201 (C9)

How to use it:

1) Use either Pigdevil2010's or TheZZAZZGlitch's 8F payload code.
2) Have a stored Pokémon in the first position of every box.
3) Get 128 (80h) Master Balls in the second position for Machine Part. Use it, switch to the next box, then use it again until you have done box 10. The Pokémon's nicknames will change and the Pokémon will technically be holding a Machine Part.
4) For the last two boxes, toss 61 Master Balls to get 67 (hex:43). Use 8F again and the held item will be Secret Potion.

You need to point 8F to the third item. The payloads I mentioned above do that.
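As an added example that is not from the thread or its authors: the script below turns the two item lists posted above (the Crystal PC items from step 3 and the Red/Blue 8F items) into the bytes the game would see in the bag and disassembles them with a minimal opcode table, so a list can be checked against the posted hex column before it is set up. The item ID tables are values I supply from the Gen I and Gen II item lists (the posts' own hex columns agree with them), and `listing` is a helper name of my own.

```python
# Item IDs used on this page, from the Gen I and Gen II item tables (the posts' hex columns agree).
GEN1_ITEMS = {"Lemonade": 0x3E, "Carbos": 0x26, "X Accuracy": 0x2E,
              "Water Stone": 0x22, "TM42": 0xF2, "Poké Ball": 0x04,
              "TM50": 0xFA, "TM11": 0xD3, "TM34": 0xEA, "TM18": 0xDA}
GEN2_ITEMS = {"Great Ball": 0x04, "TM02": 0xC0, "TM27": 0xDA,
              "Charcoal": 0x8A, "Leaf Stone": 0x22, "TM10": 0xC9}

# Minimal Game Boy opcode table, only what these payloads use: opcode -> (mnemonic prefix, immediate size)
OPCODES = {0x3E: ("ld a,", 1), 0x26: ("ld h,", 1), 0x2E: ("ld l,", 1),
           0x22: ("ld (hli),a", 0), 0x04: ("inc b", 0), 0x2D: ("dec l", 0),
           0xFA: ("ld a,(", 2), 0xEA: ("ld (", 2), 0xC9: ("ret", 0)}

def encode_items(items, table):
    """One ID byte then one quantity byte per slot, exactly as the bag stores them."""
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
    return bytes(b for name, qty in items for b in (table[name], qty))

def disassemble(code):
    """Return (offset, mnemonic) pairs; raise on anything outside the table."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op:02X} at offset {pc}")
        mnem, size = OPCODES[op]
        imm = code[pc + 1:pc + 1 + size]
        if len(imm) < size:
            raise ValueError(f"operand runs past the end at offset {pc}")
        if size == 2:  # 16-bit operands are stored little-endian
            addr = imm[0] | (imm[1] << 8)
            text = f"{mnem}${addr:04X})" + (",a" if op == 0xEA else "")
        else:
            text = f"{mnem}${imm[0]:02X}" if size else mnem
        out.append((pc, text))
        pc = len(code) if op == 0xC9 else pc + 1 + size  # nothing runs past ret
    return out

# The two item lists as posted in the thread (TM10 quantity is "any", 1 here).
GEN1_8F_ITEMS = [("Lemonade", 195), ("Carbos", 222), ("X Accuracy", 8), ("Water Stone", 62),
                 ("TM42", 34), ("Lemonade", 216), ("Poké Ball", 34), ("TM50", 33),
                 ("TM11", 4), ("TM34", 157), ("TM18", 201)]
CRYSTAL_PC_ITEMS = [("Great Ball", 62), ("TM02", 38), ("TM27", 46),
                    ("Charcoal", 45), ("Leaf Stone", 4), ("TM10", 1)]

def listing(items, table):
    """Encode an item list and return its disassembly, one string per line."""
    return [f"{off:02X}: {text}" for off, text in disassemble(encode_items(items, table))]
```

Note that the quantity byte of the last Red/Blue item (TM18 x 201) is the `ret`, while the TM18 ID itself is consumed as the high byte of DA9D; the item ID and quantity bytes alternate, so either one can land on an opcode or an operand.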