Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Korean TM49 arbitrary code execution thread

Posted by: Torchickens
Date: 2019-08-23 12:19:24
Using this method, you can perform arbitrary code execution with wrong pocket TM49 (gift from Bugsy). You don't need a bootstrap Pokémon for this method as it runs PC items directly. It requires a Bellsprout and clearing the whole game without saving with the save cleared with Up+Select+B.

https://www.youtube.com/watch?v=pbSavUyFC_Y

The following code from PC item 5 will let you warp to the Safari Zone gate for instance once you use TM49 from the wrong pocket:
X Accuracy x1
TM27 x1 (Return, Goldenrod Department Store gift)
Ultra Ball x2
Great Ball x45
Great Ball x45
Great Ball x45
Great Ball x45
Full Restore x3
Energypowder x4
Focus Band x1 (Saffron City Fighting Dojo)
Ultra Ball x2
Great Ball x44
Super Potion x80
Ultra Ball x4
Heal Powder x4
Leaf Stone x1 (Sea Cottage (from Bill's grandfather) or possibly Mystery Gift)
Ultra Ball x2
TM10 x(any) (Get from Lake of Rage or buy from Celadon Department Store)

I'm going to try and make a code to fill the Pokédex and a wild Pokémon mod, given that in VC Korean Gold/Silver it seems to be normally impossible. Watch this space :).

Re: Korean TM49 arbitrary code execution thread

Posted by: bwill11
Date: 2019-08-23 12:39:50
Why is it necessary to not have a save file?

Re: Korean TM49 arbitrary code execution thread

Posted by: Torchickens
Date: 2019-08-23 20:02:35

Why is it necessary to not have a save file?
Saving the game any other way than entering the Hall of Fame initialises the box data, making the 'free bad clone' this way impossible.

Here is a code to complete the Pokédex with TM49, from PC item 5. You need any wrong pocket copy of TM49.

PC item 5 and below:

X Accuracy x2
Ultra Ball x46
Great Ball x1
Great Ball x4
Poké Doll x94
X Accuracy x1
TM28 x1
Poke Ball x5
Nevemeltice x1
Antidote x9
Great Ball x62
TM04 x1
Burn Heal x10
TM42 x1
TM24 x1
(Any item) x2
Full Restore x1
Paralyz Heal x13
Energypowder x12
Full Restore x1
Escape Rope x19
Protein x27
Repel x20
TM19 x1
Calcium x1
Great Ball x4
Full Restore x7
Energypowder x38
TM29 x1
Full Heal x38
Fresh Water x1
Full Restore x1
Paralyz Heal x4
Stick x1
Great Ball x4
Leaf Stone x1
Bicycle x1
Fresh Water x32
Spell Tag x1
Great Ball x4
TM10 x1
Great Ball x4

To get 251 seen/own instead of x0, swap the items starting from Full Restore x7 to item 5 and up and use TM47 again, or just toss everything above it.

To get multiple of the same stack, the same method as EN Gold (buy two 99 stacks and toss from them after depositing them) may work.

Code at D2D6:

2102022E04010404255E2101DC0105056B01090904
3EC2010A0AEA01D70102010E010D0D790C0E01131
31B1B1414D2011F0104040E077926DD0126262E010
E010D0469010404220107012E2071010404C9010404FF

This is annoying for now, but hopefully it should work on Virtual Console too.

Edit on August 25 2019: Sorry, I made an error with this code. The code, by mistake, assumed the TM28 x1 was the glitched unusable one (ID 0xDC), which you can only get with cheats. You may still be able to get this (e.g. swapping from expanded Balls pocket, another ACE), but use it with the normal TM28 and your party names will be corrupted instead.

At first glance, there wasn't a workaround other than the following. Assuming you have the normal TM28 (0xDB) instead, use (any item) x2 below the TM24, instead of Ultra Ball x1. This adds 256 to the FF fill length, which now starts at DB01 instead of DC01, ensuring the same Pokédex data is touched. In other words, both your party names and Pokédex will be corrupted, so be sure to use this with party Pokémon you don't want, which can be released later. The PC Pokémon names will be fine.

Re: Korean TM49 arbitrary code execution thread

Posted by: CasualPokePlayer
Date: 2020-01-31 01:17:56
Old thread, but I noticed how very long the Pokedex Completion item list is and the need to use stacks of the same item. So I looked into it and made a more optimized item list (all item stacks unique, all items are re-obtainable, it's much shorter and easier to obtain, and it will check all seen data and caught data out of the box, and no corruption in other areas).

Items starting at PC Item 2 (yes I said it right, 2, look at the code to see why)

Any Item x24
Repel xAny
Any xAny
PP Up x01
X Accuracy x32
TM29 x01
Poke Ball x31
Portrait Mail x03
Awakening x95
Energypowder x50
Dragon Scale x02
Ultra Ball x34
Max Repel x02
X Special x43
Lovely Mail x05
Potion x32
TM32 x01
Antidote x31
Paralyz Heal x11
Carbos x02
Burn Heal x40
TM38 x02
TM10 xAny

jr $14 ; jump to the ld (bc),a after the sub a,a
~~
ld a,01 ; execution starts here
ld hl,DD20 ; the end of Pokedex Seen Data, code will write the flags backwards
ld bc,1F05
or a,a ; filler
inc bc ; bc = $1F06
inc c ; c = $07
ld e,a ; e = $01
ld a,c ; a = $07
ld (hld),a ; (hl) = $07
sub a,a ; a = $00
ld (bc),a ; filler
ld (bc),a ; filler
ld (hli),a ; (hl) = $00
dec hl ; undo the inc hl from previous instruction
ld (bc),a ; filler
dec (hl) ; (hl) = $FF
dec hl ; go to next byte to write
cp a,b ; filler
dec b ; decrease loop counter
ld (de),a ; filler
jr nz,$E0 ; jump to the jr $14, jump taken until b = $00
ld bc,1F09
dec c ; c = $08
dec bc ; bc = $1F07
dec e ; decrease e for a 1 time loop
ld (bc),a ; filler
ld a,(bc) ; filler
jr z,$E6 ; jump to the ld a,c when e = $00, jump only taken 1 time
ld (bc),a ; filler
ret

EDIT: Added comments to code

Re: Korean TM49 arbitrary code execution thread

Posted by: Torchickens
Date: 2020-02-01 14:00:14
Thanks for all this! ^^ This looks like it'll be great for future Korean Gold/Silver players. (Even though I've spent a lot of time with ACE, I'm still a poor programmer.)

Re: Korean TM49 arbitrary code execution thread

Posted by: Parzival
Date: 2020-02-01 18:04:01
couldn't one just loop through the applicable part of WRAM/SRAM and write FF to the entire area? To my knowledge, it's just a straight-up bitfield…

Re: Korean TM49 arbitrary code execution thread

Posted by: CasualPokePlayer
Date: 2020-02-02 04:44:12
WRAM is far simpler to do, as save data in SRAM is protected by a checksum, and it's also locked, so you would have to unlock it. Looping through the WRAM part of Pokedex data is (mostly) what I do; however, there is a slight caveat, as the end of the Pokedex data is $07 instead of $FF, since there are only 251 mons in the game. But that is fairly simple to get around: just make it so that once loop 1 finishes (or before it starts, depending on whether you go forwards or backwards; I decided to go backwards because item restrictions made it more favourable), it writes $07 instead of $FF, then make loop 1 loop once more so you can get seen/owned data too (again, depending on whether you go forwards or backwards).

Re: Korean TM49 arbitrary code execution thread

Posted by: Parzival
Date: 2020-02-02 10:25:20

WRAM is far simpler to do, as save data in SRAM is protected by a checksum, and it's also locked, so you would have to unlock it. Looping through the WRAM part of Pokedex data is (mostly) what I do; however, there is a slight caveat, as the end of the Pokedex data is $07 instead of $FF, since there are only 251 mons in the game. But that is fairly simple to get around: just make it so that once loop 1 finishes (or before it starts, depending on whether you go forwards or backwards; I decided to go backwards because item restrictions made it more favourable), it writes $07 instead of $FF, then make loop 1 loop once more so you can get seen/owned data too (again, depending on whether you go forwards or backwards).
Unlocking SRAM is as simple as writing any byte ending in A to 0000 (additionally, it's often unlocked, as bank 0 is used for buffer space), and the game calculates the checksum when saving, so we should be able to reuse that code, in theory.
Does this version use the same memory setup as US GS? (It's in WRAM in US GS, which is nice.)

Re: Korean TM49 arbitrary code execution thread

Posted by: CasualPokePlayer
Date: 2020-02-02 15:17:31
You kinda proved my point on SRAM being more complicated lol, sure you could do that but that adds more items to the item list.

It doesn't have the same memory layout as US GS, sadly. Heck, the box names seem to use 2 bytes instead of 1 (so it's not optimal for ACE payloads). Although, I haven't looked into the mail buffer; maybe that could be used for longer ACE payloads?

EDIT: when I mean different layout, I mean different locations for memory addresses, the structure is *mostly* the same as US GS tho.

Re: Korean TM49 arbitrary code execution thread

Posted by: Parzival
Date: 2020-02-02 16:00:41
Found it:
Continuous memory block from DCE2 to DD22, total of 3F bytes. Owned data from DCE2 to DD01, seen data from DD02 to DD22.

That was an interesting game of Battleship…

EDIT: OK, so I'm stupid, seen data's the latter half. Fixed.

EDIT 2: oh ok so apparently doing it like this allows for glitch mons to have their pokedex entries seen. That was weird to see while flicking through the list…
gastly, haunter, gengar, gengar confetti, onix…

Re: Korean TM49 arbitrary code execution thread

Posted by: CasualPokePlayer
Date: 2020-02-02 16:09:23
Yeah, as I said, the end of the seen/owned data both have a $07 byte at the end as only 251 slots are valid (with 5 invalid slots).
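As an added example (not code from the thread or from any of its posters), here is a Python model of the two 32-byte seen/owned bitfields that CasualPokePlayer's payload fills. It mirrors the payload's backward loop ($07 at the block end, then thirty-one $FF bytes below it), decodes which species each block flags, and shows why a plain $FF fill would also mark the five invalid slots past species 251 that Parzival saw as glitch entries. The end address $DD20 comes from the payload listing; the mapping of species n to bit (n-1)%8 of byte (n-1)//8 is an assumption.

```python
# Model of the Gen II Pokedex seen/owned flag blocks written by the TM49 ACE
# payload in this thread (added example; addresses from the posts, bit layout
# assumed: species n -> bit (n-1) % 8 of byte (n-1) // 8).

SPECIES_COUNT = 251
BLOCK_BYTES = 32                     # 256 bits per block; 5 slots past Mew are invalid
SEEN_END = 0xDD20                    # "ld hl,DD20": last byte of seen data
OWNED_END = SEEN_END - BLOCK_BYTES   # the payload's second pass ends one block lower
LAST_BYTE = 0x07                     # 251 = 31*8 + 3, so the final byte holds 3 flags


def fill_block_backwards(mem, end, last_byte=LAST_BYTE):
    """Mirror the payload loop: write last_byte at `end`, then $FF at the
    31 bytes below it (loop counter b starts at $1F)."""
    mem[end] = last_byte
    for addr in range(end - 1, end - BLOCK_BYTES, -1):
        mem[addr] = 0xFF


def flagged_species(mem, end):
    """Decode a 32-byte block ending at `end` into the flagged species numbers."""
    start = end - BLOCK_BYTES + 1
    species = []
    for j in range(BLOCK_BYTES):
        byte = mem.get(start + j, 0)
        for i in range(8):
            if (byte >> i) & 1:
                species.append(j * 8 + i + 1)
    return species


def run_payload(last_byte=LAST_BYTE):
    """Simulate both passes (seen, then owned) and return the written memory."""
    mem = {}
    for end in (SEEN_END, OWNED_END):
        fill_block_backwards(mem, end, last_byte)
    return mem


def invalid_flags(mem, end):
    """Species numbers above 251 whose bit is set: the 'glitch mon' entries."""
    return [n for n in flagged_species(mem, end) if n > SPECIES_COUNT]


if __name__ == "__main__":
    mem = run_payload()
    print(f"{len(mem)} bytes written, {min(mem):04X}-{max(mem):04X}")
    print("seen flags:", len(flagged_species(mem, SEEN_END)))
    print("invalid flags with $FF fill:", invalid_flags(run_payload(0xFF), SEEN_END))
```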