Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-11-15 18:21:35
In the Generation I and II games (at least the English version), nothing will stop you from trading a CoolTrainer Ditto (obtained with the swapping Transform move glitch over from Red/Blue/Yellow) to Gold/Silver/Crystal.

Is it possible that this move (maybe its effect) could activate arbitrary code execution on a specific revision of Gold/Silver/Crystal? It would be amazing if it could execute reliable arbitrary code even if it was specific to one of the seven revisions for Gold/Silver (English, French, Spanish, German, Italian, Japanese, Korean) or six revisions for Crystal (there is no official Korean version).

Re: Move 00 idea regarding Gold/Silver/Crystal

Posted by: camper
Date: 2016-11-16 02:24:42
The move effect in English Crystal is just Toxic, and since the attack effect ID is taken from the ROM, it won't be anything else.

Maybe the name of the move could do something?

Re: Move 00 idea regarding Gold/Silver/Crystal

Posted by: Krys3000
Date: 2016-11-16 04:28:32
I read somewhere it triggers glitch dimension and stuff like that in Crystal

Re: Move 00 idea regarding Gold/Silver/Crystal

Posted by: Torchickens
Date: 2016-11-16 07:40:59
Thanks for the input so far.

In fact I remember now that Derwin (SloshedMail) used the type name of a glitch move in Crystal which is likely hex:00 to move out of bounds, and in this version you can corrupt your items when you move out of bounds, which might be an access point for TM/HM arbitrary code execution without Celebi trick (this would be amazing, even if it requires a link cable). Additionally something happened to the Pokédex (glitch mode? This might allow for arbitrary code too!)

The only problem is escaping from the out of bounds glitch world. I tried black out techniques by poison with similar Glitch City but these removed the poison, trapping me in the glitch world but if we're really lucky it may not remove the poison or let you Dig/Fly/Escape Rope/Teleport away.

Edit: Also flag corruption could end up being a problem although this might be able to be fixed with the code execution assuming it's possible.

His video:
https://www.youtube.com/watch?v=zq9GhDjAcL8


I read somewhere it triggers glitch dimension and stuff like that in Crystal


Yeah, I think I may have attempted to use this before in some version and got a similar result. When that sort of stuff happens it always raises the question of whether RAM code execution was involved, and on BGB emulator it is possible to check by setting a breakpoint to $C000-$FDFF.

Re: Move 00 idea regarding Gold/Silver/Crystal

Posted by: Torchickens
Date: 2016-11-17 21:57:19
Update: The Move Deleter corruption might be caused by move 00's type name, which is taken from 8091 in VRAM. Since VRAM may be locked emulators may not emulate it correctly, but it seems like on a real console it's possible to get the map corruption with this glitch.

Stepping out of bounds (if possible) may corrupt the Pokédex mode (to hex:74; executes F042) and item pockets, including conveniently a TM17 in the Key Items pocket (to execute FA47 i.e. DA47; somewhere in the expanded balls pocket) and 167 (hex:A7) balls in the Balls Pocket, except this apparently isn't enough balls to access DA47 as 167 only allows access up to DA27 (a quantity).

But if we can change glitch Pokédex mode to 09, we should be able to access FA20 (DA20); an item and possibly use an item/quantity there to jump to box names, use custom box names to escape the Glitch City and then use other box names for different purposes.

Complicating things, stepping into the Glitch City may corrupt the following box name addresses:


db7f>00 db80>FF db8f>00 db90>FF db9f>00 dba0>FF dbaf>00 dbb0>FF dbbf>00 dbc0>FF dbcf>00 dbd0>FF dbdf>00 dbe0>FF dbef>00 dbf0>FF


Most stored PC items are also corrupted.

If it turns out to be a difficulty presenting a code due to the Glitch City breaking the code (very likely because of all the FF or rst 38), I wonder if a mail message might be a solution (but the Glitch City changes all of your party Pokémon to hold HM13 and I couldn't find any mail in the pockets). If it's somehow possible to access the PC in the Glitch City, perhaps the box names could be adjusted there.

Additionally, if TM33 can be manipulated, then perhaps that could be used to initially access link Trainer data first but that is a harder trick due to Generation I ACE being required and the only link for this theoretically being for CoolTrainer Ditto etc.

Additional edit: Maybe if you attached mail before entering the Glitch City the message would be kept in memory. Alternatively stored mail might work. You could store mail before entering the Glitch City. But this data is in SRAM and might be locked if you manage to have the code jump there.

Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-11-18 11:17:26
With a specific box name ("p0Eé'r2x'd"), you can set bit 2 of D84D (which makes the game think you're in a Bug-Catching Contest), close the menu and escape the Glitch City (due to the contest time running up). It is short enough to avoid being corrupted if it is for box 1. Afterwards, you may be able to rename the boxes outside of the Glitch City for additional purposes.

Box name code:


af        ; xor a         'a' becomes 0
f6 84     ; or 84         'a' becomes hex:84
ea 4d f8  ; ld (f84d),a   'a' is put into F84D (echo RAM for D84D, so bit 2 of D84D is set)
b7        ; or a          resets the carry flag
d0        ; ret nc        end of code


Sod's law is the Glitch City actually writes an FF to DA20 (rst 38), which contains another FF like in Generation I.

So another glitch Pokédex mode might be needed. I'll make sure to edit this if I find one.

Edit: Glitch Pokédex mode 114 (hex:72) executes F96C. This is from balls item 75(?) and D96C is apparently part of a 13 byte structure from D964 called FarfetchdPosition in the disassembly.

Certain item addresses in the PC are left untouched, these are:


D8FC
D8FD
D90C
D90D
D91C
D91D
D92C
D92D
D93C
D93D
D94C
D94D


This leaves room for six items and six item quantities (items and quantities 6, 14, 22, 30, 38, 46).

In theory, we can keep some items in the PC untouched (five of them) for the following bootstrap code to the beginning of the box names:

Poké Ball x38
TM28 x1
(Any item) x (any quantity)
Great Ball x46
Miracle Seed x1
(Any item) x (any quantity)
TM41 x(any)

Code:

dec b          ; 05        Poké Ball
ld h, DB       ; 26 DB     x38, TM28
ld bc, (any)   ; 01 ?? ??  x1, (any item) x (any quantity)
inc b          ; 04        Great Ball
ld l, 75       ; 2E 75     x46, Miracle Seed
ld bc, (any)   ; 01 ?? ??  x1, (any item) x (any quantity)
jp (hl)        ; E9        TM41 (its quantity byte is never executed)

;05 26 DB 01 ?? ?? 04 2E 75 01 ?? ?? E9


Note: There may be a way to adjust this code to use only items you can buy. Currently if you missed TM28 and Miracle Seed you may have to start a new game or trade with a game that has the item which is a little sad.

If this all works, possibly the only thing to do outside of writing our own codes is to get glitch Pokédex mode 114 (I looked at TM/HMs since you could store any TM/HM in the PC but couldn't find any available in the pack of 167 balls which didn't have an FF in their execution).

There is one major thing that I oversaw. On a console if the Glitch City acts differently in any way (e.g. not the same amount of balls) there might be problems.

Edit: Getting a quantity of 114 for the glitch Pokédex mode is possible if you have a Coin Case in the key items, and it doesn't get corrupted. There are many other Coin Cases in the corrupted key items pocket and these can be used to remove the Cancels in the key items pocket and shift the balls pocket. If a RageCandyBar was in balls slot 2, it would shift to a quantity of 114 in slot 1. These are my rough notes of how to do this once you get into the Glitch City.


1. Items looks like

Bicycle
Cancel

Select on first Coin Case, brings to the top:

Coin Case
Bicycle
Cancel

Select on next Coin Case you find, put in Bicycle's place:

Coin Case
Coin Case
Bicycle

Select on second Coin Case>position 3. Select on first Coin Case position 2. Swap them to break first Cancel.

Bicycle
Coin Case
X Special x(CD i.e. TM14)
TM14
(...)

Select on first Coin Case>SecretPotion/item above Cancel, go down and find yet another Coin Case below Antidote, swap with the Coin Case you just placed to create Blk Apricorn.

Swap Coin Case above Blk Apricorn with Blk Apricorn, then swap Coin Case with Coin Case below Cancel to create another Blk Apricorn below.
Bring Coin Cases to the bottom of pack (first second one) then swap top one directly above second [cursor on top first], and swap them.

Balls pocket data should have shifted up.


With that done, the only things left to do are:

1) Create codes to bring back the Pokégear, fix items, get all badges back, get Celebi, etc.
2) Test this on a real console as it might not even work if the Glitch City works differently.
3) Write a guide.

Woohoo!

By the way, the name of this Glitch City was "9 99999 BICYCLE" (or similar series of 9s). I was also able to scroll the cursor to "BTL)" and various other glitch locations by pressing Down. To see it you have to enable the Pokégear again. I was able to do this by setting D957 to FF.

(Image: http://i.imgur.com/zFLf6uJ.png)

Another important detail is entering the Glitch City will give you a glitch caller (caller FF). If you call them the game may freeze, and when testing the game randomly froze possibly because they called me (if they call you it may execute D4CD).

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Krys3000
Date: 2016-11-21 06:44:23
That's truly awesome!

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-11-23 13:33:29

That's truly awesome!


Glad you like this! :)

Have a few codes to publish:

Bootstrap code @D96C: this code had to be adjusted due to the presence of an FF00 at D970:

0x0
Master Ball xany  ; take from glitched balls pocket; not needed to be brought over
(FF/00 gap; Cancel x0)
Poké Ball x38 ; brought over item no. 1
TM28 x1  ; brought over item no. 2
(Any item) x (any quantity)
Great Ball x46 ; brought over item no. 3
Miracle Seed x1; brought over item no. 4
(Any item) x (any quantity)
TM41 x(any); brought over item no. 5

New Glitch City escape code (the old one had a 4D character which cannot be entered even though it looks like a valid "'r" character so to obtain it the code self-modifies itself):

Box 1: fp0AéA5p
Box 2: ACEp0iG (first three characters can be many things, "ACE" is easy to remember)
Box 3: éL5éA2x'd


and l          ; A5 'f'          box 1 at DB75; hl points here, so (hl) = A5
xor a          ; AF 'p'
or a,80        ; F6 80 '0' 'A'
ld (fb80),a    ; EA 80 FB 'é' 'A' '5'   echo RAM: writes 80 to DB80 (3rd character of box 2)
xor a          ; AF 'p'
ld d,b         ; 50 terminator of box 1
add b          ; box 2 characters 1-3 (DB7E-DB80); any harmless 1-byte opcodes, DB80 is now 80
xor b
add b
xor a          ; AF 'p'          a=00
or a,a8        ; F6 A8 '0' 'i'   a=a8
add (hl)       ; 86 'G'          a= a8+ a5 (hl's value is the "and l" at the top of the code) = 4D mod 0x100
ld d,b         ; 50 terminator and padding
ld d,b
ld (fb8b),a    ; EA 8B FB 'é' 'L' '5'   box 3 at DB87; writes 4D over the 80 of the next instruction (DB8B)
ld (f880),a    ; EA 80 F8 'é' 'A' '2'   now executes as ld (f84d),a: D84D = 4D (bit 2 set)
or a           ; B7 'x'          clear carry
ret nc         ; D0 "'d"


Bring back Pokégear (also useful for deleting harmful glitch phone numbers):

Box 1: "p0iGéB5p"
Box 2: "09éA3x'd"


xor a          ; AF 'p'          box 1 at DB75; hl points here, so (hl) = AF
or a, a8       ; F6 A8 '0' 'i'   a=a8
add (hl)       ; 86 'G'          a8+af mod decimal:256= hex:57
ld (fb81),a    ; EA 81 FB 'é' 'B' '5'   replace the upcoming 80 (DB81, 4th character of box 2) with 57
xor a          ; AF 'p'
ld d,b         ; 50 terminator of box 1
or a,ff        ; F6 FF '0' '9'
ld (f980),a    ; EA 80 F9 'é' 'A' '3'   now executes as ld (f957),a: D957 = FF
or a           ; B7 'x'
ret nc         ; D0 "'d"
ld d,b         ; 50 padding (not executed)
ld d,b


Pokémon 1 species byte 2 (DCDF)=FB; Celebi

Box 1: p0BGGéC5
Box 2: p05éA6x'd

Place an Egg in slot 1 of the party and it will hatch into a Celebi that counts towards your dex.


xor a          ; AF 'p'          box 1 at DB75; hl points here, so (hl) = AF
or a, 81       ; F6 81 '0' 'B'   a=81
add (hl)       ; 86 'G'          a=30 (81+af mod 0x100)
add (hl)       ; 86 'G'          a=DF
ld (fb82),a    ; EA 82 FB 'é' 'C' '5'   replace the upcoming 80 (DB82, 5th character of box 2) with DF
ld d,b         ; 50 terminator of box 1
xor a          ; AF 'p'
or a, fb       ; F6 FB '0' '5'   a=FB (Celebi's ID)
ld (fc80),a    ; EA 80 FC 'é' 'A' '6'   now executes as ld (fcdf),a: DCDF = FB
or a           ; B7 'x'
ret nc         ; D0 "'d"
ld d,b         ; 50 padding (not executed)


Pokémon 1 species byte 2 (DCDF)=97; Mew

Box 1: p0BGGéC5
Box 2: p0XéA6x'd

Place an Egg in slot 1 of the party and it will hatch into a Mew that counts towards your dex.


xor a
or a, 81 ;a=81
add [hl] ;a=30
add [hl]; a=DF
ld (fb82),a ; replace the upcoming 80 with DF
ld d,b
xor a
or a, 97  ; a=97 (Mew's ID)
ld (fc80),a
or a
ret nc
ld d,b


Get all 16 badges/get all badges back

Box 1: 'vAp0BG
Box 2: 5éI5p09
Box 3: éA2p0CG
Box 4: é(5p0955
Box 5: éA2x'd


sub a, 80
xor a
or a, 81
add [hl]
ld d,b
ld d,b
ld d,b
ei
ld (fb88),a
xor a
or a,ff
ld d,b
ld d,b
ld (f880),a
xor a
or a,82
add (hl)
ld d,b
ld d,b
ld (fb9a),a
xor a
or a,ff
ei
ei
ld d,b
ld (f880),a
or a
ret nc
ld d,b
ld d,b
ld d,b
ld d,b
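To check what the box-name codes in this post actually write before trying them, here is an added example (my code, not the thread's or Torchickens'): a small Python simulator of only the SM83 opcodes that the escape, Pokégear and Celebi codes above use. It assumes the Gen II text encoding for the characters involved (A-Z = 80-99, a-z = A0-B9, 0-9 = F6-FF, é = EA, 'd = D0, terminator 50), that box 1 sits at DB75 with hl = DB75 as the items bootstrap leaves it, and that the unused bytes of a short box name are 50; the echo-RAM rule (E000-FDFF mirrors C000-DDFF) is what turns the F8xx/FBxx addresses into D8xx/DBxx. The names encode_box_name, run_box_code, ESCAPE, POKEGEAR and CELEBI are mine.

```python
"""Simulate the self-modifying box-name codes from the thread on a minimal SM83 subset."""

BOX1_ADDR = 0xDB75   # box 1 name; the items bootstrap does ld h,DB / ld l,75 / jp (hl)
BOX_SIZE = 9         # 8 characters plus the 0x50 terminator


def encode_box_name(name):
    """Encode a box name with the Gen II charset subset these codes use (9 bytes)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if name.startswith("'d", i):          # the "'d" ligature is a single byte
            out.append(0xD0); i += 2; continue
        if "A" <= ch <= "Z":   out.append(0x80 + ord(ch) - ord("A"))
        elif "a" <= ch <= "z": out.append(0xA0 + ord(ch) - ord("a"))
        elif "0" <= ch <= "9": out.append(0xF6 + ord(ch) - ord("0"))
        elif ch == "é":        out.append(0xEA)
        else: raise ValueError(f"no encoding for {ch!r} in this subset")
        i += 1
    if len(out) >= BOX_SIZE:
        raise ValueError("box name longer than 8 characters")
    # Assumption: unused bytes of a short name are 0x50 terminators, matching the
    # listing's two "ld d,b" after the 7-character box 2 name.
    return out + [0x50] * (BOX_SIZE - len(out))


def echo(addr):
    """E000-FDFF mirrors C000-DDFF, so writes to F8xx/FBxx land in D8xx/DBxx."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def run_box_code(names, b=0, max_steps=100):
    """Place the names at DB75, run from there with hl = DB75, return (addr, value)
    writes in order. b is whatever the bootstrap's 'ld bc,(any)' left behind."""
    mem = bytearray(0x10000)
    for i, name in enumerate(names):
        start = BOX1_ADDR + BOX_SIZE * i
        mem[start:start + BOX_SIZE] = bytes(encode_box_name(name))
    a, d, h, l, carry = 0, 0, BOX1_ADDR >> 8, BOX1_ADDR & 0xFF, False
    pc, writes = BOX1_ADDR, []

    def add(v):
        nonlocal a, carry
        s = a + v
        a, carry = s & 0xFF, s > 0xFF

    for _ in range(max_steps):
        op = mem[pc]                       # fetched from RAM each step: self-modification counts
        if op == 0xAF:   a, carry = 0, False           # xor a  ('p')
        elif op == 0xA5: a, carry = a & l, False       # and l  ('f')
        elif op == 0xA8: a, carry = a ^ b, False       # xor b  ('i')
        elif op == 0xB7: carry = False                 # or a   ('x'), clears carry for ret nc
        elif op == 0x50: d = b                         # ld d,b (the 0x50 terminator)
        elif op == 0x80: add(b)                        # add b  ('A')
        elif op == 0x82: add(d)                        # add d  ('C')
        elif op == 0x84: add(h)                        # add h  ('E')
        elif op == 0x86: add(mem[(h << 8) | l])        # add (hl) ('G'): first byte of box 1
        elif op == 0xF6:                               # or d8  ('0' + operand)
            a, carry = a | mem[pc + 1], False; pc += 1
        elif op == 0xEA:                               # ld (a16),a ('é' + low + high)
            addr = echo(mem[pc + 1] | (mem[pc + 2] << 8))
            mem[addr] = a; writes.append((addr, a)); pc += 2
        elif op == 0xD0:                               # ret nc ("'d"): leave the code
            if not carry:
                return writes
        else:
            raise NotImplementedError(f"opcode {op:02X} at {pc:04X} is outside this subset")
        pc += 1
    raise RuntimeError("no ret nc reached within the step limit")


ESCAPE = ["fp0AéA5p", "ACEp0iG", "éL5éA2x'd"]   # Glitch City escape code from the post
POKEGEAR = ["p0iGéB5p", "09éA3x'd"]             # bring back Pokégear (D957 = FF)
CELEBI = ["p0BGGéC5", "p05éA6x'd"]              # Pokémon 1 species byte 2 (DCDF) = FB

if __name__ == "__main__":
    for label, names in (("escape", ESCAPE), ("pokegear", POKEGEAR), ("celebi", CELEBI)):
        print(label, [(f"{addr:04X}", f"{val:02X}") for addr, val in run_box_code(names)])
```

Running it prints three write lists. The escape code's second write lands on DB8B, the low address byte of the instruction that has not been fetched yet, which is how the unenterable 4D ends up in ld (f84d),a; the Pokégear and Celebi codes use the same trick to reach D957 and DCDF. Any opcode the three codes do not use raises NotImplementedError rather than silently doing something else.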

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Nostalgia
Date: 2016-11-25 03:32:26
Really interesting stuff Torchickens. I'd love to see videos on this. Gen II is my favourite Pokemon generation with Crystal being my favourite game - and it's cool to see more exploits being found for Crystal, seeing as most of the stuff in the Gen II games you can only do on Gold/Silver like the coin case stuff.

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-11-25 10:06:29

Really interesting stuff Torchickens. I'd love to see videos on this. Gen II is my favourite Pokemon generation with Crystal being my favourite game - and it's cool to see more exploits being found for Crystal, seeing as most of the stuff in the Gen II games you can only do on Gold/Silver like the coin case stuff.


Thank you Nostalgia! Yeah, I'm planning to make a few more codes to:

1) Get a TM17 out of the TM/HM pocket that jumps to box names to disable glitch Pokédex mode and make the Pokédex functionable again without disabling ACE (disabling the glitch Pokédex mode from a glitch Pokédex mode may not work as the game sets it back to the glitch value once you exit).
2) Re-enable deleted Pokédex seen/own values. 251 were in the Pokédex but this changed to 235.

Afterwards, since an adequate amount of tricks have been prepared I'll try to verify it all on console and publish the video on Youtube.

Hopefully going to work on this more tomorrow as want one day for Sun/Moon, another day for research.

Edit with more codes:
Have TM17 items slot 1:

Box 1: p0'déT2x'd


xor a
or a, d0
ld (f893),a
or a
ret nc
ld d,b



TM17 executes DB75:
;don't enter Battle Tower

Box 1: p0'd'vJéI5
Box 2: p0b'vAWW5
Box 3: éI4p0'd5
Box 4: Ié:5p0(female symbol)5
Box 5: 'vAéI4p0'd
Box 6: 'vHém5p05
Box 7: éI4x'd


xor a
or a, d0
sub 89  ; 47
ld (fb88),a
ld d,b
xor a
or a, a1
sub 80
sub [hl]
sub [hl]  ;a=c3
ei
ld d,b
ld (fa88),a    ; replaced with fa27
xor a
or a, d0
ei
ld d,b
sub 88 ; 48
ld (fb9c),a
xor a
or a, f5
ei
ld d,b
sub 80 ;a=75
ld (fa88),a    ; should be fa48
xor a
or a, d0
ld d,b
sub 87 ; 49
ld (fbac),a
xor a
or a, fb
ld d,b
ld (fa88),a    ; should be fa49
or a
ret nc
ld d,b


Pokédex mode=01 (for when TM17 is used after above code executed with glitch Pokédex mode only)

Box 1: 'vap0WG
Box 2: éI5p0B'vA
Box 3: éA3x'd


sub a, 80
xor a
or a, 96
add [hl]
ld d,b
ld d,b
ld d,b
ld (fb88),a
xor a
or a, 81
sub 80
ld d,b
ld (f980),a
or a
ret nc


Fill Pokédex missing entries for when TM17 is used
Part 1 (bytes 9F, AF, BF):

Box 1 name: p0A'vcéD5
Box 2 name: p09é]Ap
Box 3 name: 0A'vcéU5p
Box 4 name: 09épAp0Q
Box 5 name: 'v'lém5p0A
Box 6 name: 'vcén5p09
Box 7 name: éAAx'd


xor a
or a, 80
sub a2
ld (fb83),a [a=hex:de]
ld d,b
xor a
or a, ff
ld (809f),a    ;DE address 1
xor a
or a, 80
ld d,b
sub a2
ld (fb94),a
xor a
or a, ff
ld d,b
ld (80af),a    ;DE address 2
xor a
or a, 90
ld d,b
sub a,d1
ld (fbac),a
xor a
or a, 80
ld d,b
sub a2
ld (fbad),a
xor a
or a, ff
ld d,b
ld (8080),a  ; DE address 3
or a
ret nc


Part 2 (for TM17):
DECF byte for Pokédex=FF

Box 1 name: p0A'vcéS5
Box 2 name: p0(male symbol)'vQ'vQ
Box 3 name: éR5p09
Box 4 name: éAAx'd


xor a
or a, 80
sub a2
ld (fb92),a [a=hex:de]
ld d,b
xor a
or a, ef
sub 90
sub 90
ld d,b
ld d,b
ld (fb91),a
xor a
or a, ff
ld d,b
ld d,b
ld d,b
ld (8080),a ;DE address 4
or a
ret nc
ld d,b


Edit: On a real Game Boy I got into a Glitch City after saving in front of the Move Deleter, viewing Zubat's Pokédex entry, exiting, re-entering and then viewing move 00 with scrolling. I seem to remember the screen glitched up and when I closed it I was in a Glitch City and was able to walk right to the '999 place'.

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Nihil
Date: 2016-11-30 15:01:36
Whoa! This is truly impressive, Torchickens! I have to admit I have a hard time following it all, but I'm awed by all the work put into this!

It's really something else how stubborn we are about ACE-ing. If the devs won't give us easy mistakes for us to latch onto (*cough, RIP Gold/Silver Coin Case, cough*) then we'll come up with methods defying the imagination of the most inventive child of a Nintendo worker to ACE this, damnit! XD But really, props for this thread : D

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-11-30 15:49:08

Whoa! This is truly impressive, Torchickens! I have to admit I have a hard time following it all, but I'm awed by all the work put into this!

It's really something else how stubborn we are about ACE-ing. If the devs won't give us easy mistakes for us to latch onto (*cough, RIP Gold/Silver Coin Case, cough*) then we'll come up with methods defying the imagination of the most inventive child of a Nintendo worker to ACE this, damnit! XD But really, props for this thread : D


Thanks! I've only been able to enter out of bounds once with move 00. Viewing Zubat's Pokémon entry and leaving the Move Deleter house (or possibly just leaving the house) seemed to increase the chances of the map corrupting, but most of the time I just get freezes and non-freezing names.

Yeah, I feel the discovery of how to exploit the Coin Case in particular was great because it starts at an execution address which at first glance may not be manipulable and you have to make a specific movement/cry for it to work.

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Stackout
Date: 2016-11-30 16:26:09

If the devs won't give us easy mistakes for us to latch onto (*cough, RIP Gold/Silver Coin Case, cough*) then we'll come up with methods defying the imagination of the most inventive child of a Nintendo worker to ACE this, damnit!


This basically describes most of infosec :)

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Nostalgia
Date: 2016-12-01 11:46:18

Pokémon 1 species byte 2 (DCDF)=FB; Celebi

Box 1: p0BGGéC5
Box 2: p05éA6x'd

Place an Egg in slot 1 of the party and it will hatch into a Celebi that counts towards your dex.


Can I ask for more info on this specifically? Other ways to get Celebi are always good. Previously to get Celebi I'd just trade one over from Gold obtained through the coin case trick, as it's the safest way to get Celebi. The methods to get Celebi on Crystal just seem too complex for me (I've watched your previous Celebi Crystal videos) but I'm guessing this one is similar in complexity.

I've always wanted a Celebi that is legitimate so it gets its start moves which are unique to it (Leech Seed, Heal Bell, Recover, Confusion) but whenever I've got a Celebi through the coin case method - because you have to transform a random Pokemon into a Celebi, it never gets its start moves, and I've tried the transform method and the coin case on an egg to hatch into a Celebi method. It never learnt its start moves but after levelling it up a bit, it learnt its normal moves starting at level 10 and it registered in the Pokedex.

Tl;dr - I just want a way to get Celebi in Crystal that isn't too hard and it learns its start moves. It would save time too because my battery on Gold is dead which means I have to play a long time without saving to get to the point I can do the coin case trick. I want to do a new playthrough on Crystal soon and complete the Pokedex.

Re: Bad Clone/Gen I ACE-less Crystal arbitrary code execution from move 00's type.

Posted by: Torchickens
Date: 2016-12-02 09:20:35
This code works similar to the Coin Case ACE code by changing species byte 2 of Pokémon 1 (so when the Pokémon is taken into the Day Care and out it will become Celebi). If used with an Egg, the Egg will hatch into a Celebi although I don't know if its starting moves will be changed. If they aren't changed I'll look into making codes for modifying the Celebi to have its starting moves for you. :)

Theoretically the Coin Case ACE method can be adjusted to use box names as well, so that's something to look into. Although it is harder to write code with box names it would theoretically make things easier since you don't need to get different items for multiple uses. Using Crystal_'s box name RAM modification trick you can modify the starting moves of an existing Celebi (although the bootstrap code for this is still an items set up and it raises the question whether a trick would be viable with only box names).