Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Torchickens
Date: 2017-06-29 20:19:17
This is something a little similar to this thread for move 00's type in Crystal: http://forums.glitchcity.info/index.php?topic=7704.0

Luckytyphlosion (I think, please correct me if someone else discovered this) found a way to get arbitrary code execution with move 00's type in Gold/Silver. This type's identifier is 0xD0 (dec: 208) and after analysis its type name seems to be sourced from 0x8350 in VRAM.

0x8350 can contain menu-sprite data for Pokémon on the Pokémon menu as well as possibly NPC sprites(?), but when I had exactly four Pokémon (two tailed Pokémon, bird, tailed Pokémon) I got different results that included freezes and arbitrary code execution which didn't occur otherwise when I had six Pokémon.

https://www.youtube.com/watch?v=TdxzLn0txFM

How exactly can we use this for arbitrary code execution outside of speedrunning?

I tried making the movement patterns in the video and at one point the game executed E9F0 (Echo RAM for C9F0). Perhaps that's what the route exploits for it to eventually touch box names at D8BF onward (but that would seem very far away).

An update! When the game executed E9F0, it eventually came across the following:

jr c, EC68 (@EC2D)
jp c, FA9B (@EC70)

These may have only appeared when moving around in the pattern in the speedrun route.

At FA9B (DA9B) is the Speed experience byte 1 of the third slot Pokémon. We know from the Coin Case glitch that we can have this as a low level slide Pokémon, so perhaps following it could be a Quagsire holding an item with a specific move 1 (like Quagsire holding HP Up with Sleep Talk as the first move; jp D61A, or Quagsire holding TM02 with Return as the first move; jp D8C0) for us to jump to stored items or box names.

So it looks like we can possibly use this as an alternative to Coin Case glitch, but what would really be cool is if you can do it in Crystal as it's easy to just trade over a CoolTrainer Ditto from Red/Blue/Yellow. That way no 'pseudo-bad clone' would be required nor an unterminated name Pokémon from Red/Blue/Yellow.
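Added worked example (not from the thread or the game's source): it models the slide from DA9B, the Speed stat-experience byte of party slot 3, through the rest of that Pokémon's data into slot 4, and decodes which jp the CPU would reach. Assumptions not stated in the post: wPartyMon1 sits at DA2A with 48-byte party structures laid out species, item, four moves, OT ID, exp, then the five stat-exp pairs; the stat bytes for the slide Pokémon are constructed here, as are the SM83 opcode-length tables.

```python
PARTY_MON1 = 0xDA2A      # wPartyMon1 in Gold/Silver (assumed address)
PARTY_MON_SIZE = 48      # Gen II party_struct size (assumed layout)
SPD_EXP_OFFSET = 17      # species, item, 4 moves, OT ID, 3 exp, HP/Atk/Def stat exp

# SM83 (Game Boy CPU) opcode lengths: anything not listed here is one byte.
TWO_BYTE = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0x18, 0x20,
            0x28, 0x30, 0x38, 0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE,
            0xE0, 0xF0, 0xE8, 0xF8, 0xCB}
THREE_BYTE = {0x01, 0x11, 0x21, 0x31, 0x08, 0xC2, 0xC3, 0xCA, 0xD2, 0xDA,
              0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xEA, 0xFA}
JP_OPS = {0xC3: "jp", 0xC2: "jp nz", 0xCA: "jp z", 0xD2: "jp nc", 0xDA: "jp c"}
# jr, call, ret, rst and jp (hl) would divert the slide somewhere else
DIVERTS = {0x18, 0x20, 0x28, 0x30, 0x38, 0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xC0,
           0xC8, 0xC9, 0xD0, 0xD8, 0xD9, 0xE9} | set(range(0xC7, 0x100, 8))

# Constructed offsets 17..47 of a low-level slide Pokemon in slot 3: zero stat
# exp and DVs, PP 35/15/0/0, happiness 70, no pokerus, level 5, HP 20, stats
# 11/10/10/10/10. Every byte decodes to a harmless 1-byte instruction (nop,
# inc hl, rrca, ld b,(hl), dec b, inc d, dec bc, ld a,(bc)) so execution slides.
SLIDE_TAIL = bytes([0, 0, 0, 0, 0, 0, 0x23, 0x0F, 0, 0, 0x46, 0, 0, 0, 0x05,
                    0, 0, 0, 0x14, 0, 0x14, 0, 0x0B, 0, 0x0A, 0, 0x0A, 0, 0x0A,
                    0, 0x0A])

def slot_addr(slot):
    """Address of the 1-based party slot."""
    return PARTY_MON1 + (slot - 1) * PARTY_MON_SIZE

def build_party(mem, item, move1):
    """Slot 3: slide Pokemon; slot 4: Quagsire (species 0xC3 = jp) holding
    `item` with `move1` in the first slot, giving jp (move1 << 8 | item)."""
    base3 = slot_addr(3)
    mem[base3 + SPD_EXP_OFFSET:base3 + PARTY_MON_SIZE] = SLIDE_TAIL
    base4 = slot_addr(4)
    mem[base4:base4 + 3] = bytes([0xC3, item, move1])

def trace_slide(mem, pc, limit=64):
    """Walk straight-line code from pc; return (addr, mnemonic, target) of the
    first jp reached, or (addr, 'diverted', None) if jr/call/ret/rst came first."""
    for _ in range(limit):
        op = mem[pc]
        if op in JP_OPS:
            return pc, JP_OPS[op], mem[pc + 1] | (mem[pc + 2] << 8)
        if op in DIVERTS:
            return pc, "diverted", None
        pc += 3 if op in THREE_BYTE else 2 if op in TWO_BYTE else 1
    return pc, "limit", None

def landing_for(item, move1):
    """Where execution from DA9B ends up for a given held item / move 1 pair."""
    mem = bytearray(0x10000)
    build_party(mem, item, move1)
    return trace_slide(mem, slot_addr(3) + SPD_EXP_OFFSET)
```

landing_for(0x1A, 0xD6) (HP Up, Sleep Talk) reaches the jp at DABA with target D61A, and landing_for(0xC0, 0xD8) (TM02, Return) gives D8C0, matching the two jumps named in the post.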

Re: Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Parzival
Date: 2017-06-29 22:22:24
More ACE? Goddamn, this is getting out-of-hand. How many, total, have been found across the series?

Re: Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Torchickens
Date: 2017-06-30 00:46:20

More ACE? Goddamn, this is getting out-of-hand. How many, total, have been found across the series?


I haven't kept track since that post ISSOtm made, but for Gold/Silver/Crystal there are:

1) Coin Case glitch (EN Gold/Silver only)
2) Move 0x00's type ACE (EN Gold/Silver)
3) Unterminated name Pokémon ACE (Crystal only)
4) Wrong pocket TM/HM ACE (Gold/Silver/Crystal)
5) Glitch Pokédex mode ACE (Gold/Silver(?), Crystal)
6) OAM DMA hijacking (requires another form of arbitrary code execution)

Theoretically as well you can execute arbitrary code with other glitch moves. I noticed opening the Fight menu with move 0xFD as the only move in Japanese Crystal after using an X Accuracy could execute code from WRAM but only to run into a rst 38 (FF byte).

Surprisingly quite a lot for Generation II!

As for Generation III there seem to be only two documented so far:

1) Glitch Pokémon summary ACE
2) Glitch move animation ACE

Re: Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Charmy
Date: 2017-06-30 05:39:59
and gen 4 maybe has the Cascade glitch being able to ACE (not confirmed yet or is it?) and obviously, a glitch move that when used and properly exploited, gives ACE…
and gen 1 has an uncountable amount…

Re: Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Parzival
Date: 2017-07-02 22:14:05


[img]http://www.reactiongifs.com/r/2013/06/Mother-of_God.gif[/img]

Re: Arbitrary code execution with move 00's type in English Gold/Silver

Posted by: Stackout
Date: 2017-07-28 10:33:54
For the record, you missed RCE through trading in Gen II (TheZZAZZGlitch demonstrated it once, I think his YouTube video description said the bug was similar if not the exact same as the one used for trade RCE in Gen I), and RCE through JoyBus link in Gen III.