Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion


0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-02-25 13:00:20
Hi. As I don't use ROMs anymore, I'm unfortunately struggling to troubleshoot this problem I'm having (e.g. the state of the stack and program counter). I'm using EN Crystal; however, my save battery doesn't seem to work at all anymore, and I don't want to try it on Virtual Console until it works.

From the wiki thanks to pfero:


If the player has the ability to put arbitrary data in a string, then both the setup and the bootstrap can actually both be done from within the string itself:

Instead of setting up "0x15 0x00" after the string buffer, 0x15 followed by 0x00 in the string itself could be used to trigger this glitch.
By putting carefully constructed byte sequences between 0x15 and 0x00, valid mobile functions can be triggered and modify the value at $CD52.
This principle can be used after the player has already achieved ACE, to make subsequent execution of arbitrary code easier. Alternatively, they might be used to setup ACE by trading with another game, or with a game-altering device.

The following self-contained setups are designed by pfero:

4F 15 08 05 C9 00 (code) 37 C9
This works in any unverified string, notably including Pokémon nickname and mail messages. This means that it can be transferred from any Generation I game (with just enough space to jump to a more convenient location) or Generation II game (with more space to possibly write a "built-in" payload).


Question here: If you use this setup, are there any other setups you need with it? Is it that all I need to do is have this nickname, and any secondary bootstrapping, followed by the actual code at (code)?
I had a thought with this but don't know if it would work, that if all you need is the nickname could we perform arbitrary code execution in battle?

For this I used 18 87 as the code in Pokémon 1's nickname (a redirection to DDD0, party Pokémon 6's held item). There I placed C3 75 DB (to the TM/HM pocket), and finally in the TM/HM pocket I tried ld a,fb ld (d204),a ret (3E FB EA 04 D2 C9), which is code to turn the enemy Pokémon into Celebi. This way, theoretically, it would make a properly terminated name that still makes use of Crystal's $15 character exploit.

Unfortunately, however, it didn't work. After one version of my code that omitted it, I added a pop [hl] in case that was needed, but it wouldn't work either. For reference, here is my code in GameShark format, so you can enter these and select "go to" de41, "go to" ddd0 and "go to" db75 if you use emulators.

014F41de
011542de
010843de
010544de
01c945de
010046de
011847de
018748de
013749de
01c94ade
01504bde

01c3d0dd
0175d1dd
01dbd2dd

013e75db
01fb76db
01ea77db
010478db
01d279db
01e17adb
01c97bdb

All I get so far is freezes or resets. Could anyone help please? Thanks :)
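The GameShark codes above are in the 01VVLLHH RAM-write form (value VV written to address HHLL, low byte before high byte). As an added example, not code from the thread, here is a small Python decoder that rebuilds the memory image from such a list, rejects other code types and conflicting writes, and prints each contiguous run, so the three fragments (the nickname at DE41, the held item at DDD0 and the TM/HM pocket bytes at DB75) can be read back as byte strings before they are typed into an emulator. The 01-prefix layout is the standard Game Boy GameShark format; the conflict check is my own addition.

```python
"""Decode Game Boy GameShark codes of the form 01VVLLHH into a memory image.

Added example (not from the thread). Format assumption: type byte 01 means
"write VV to address HHLL", with the address low byte before the high byte.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed input: the codes from the first post, copied as posted.
SAMPLE_CODES = """
014F41de 011542de 010843de 010544de 01c945de 010046de
011847de 018748de 013749de 01c94ade 01504bde
01c3d0dd 0175d1dd 01dbd2dd
013e75db 01fb76db 01ea77db 010478db 01d279db 01e17adb 01c97bdb
""".split()

CODE_RE = re.compile(r"^([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})$")


def parse_gameshark(code: str) -> Tuple[int, int]:
    """Return (address, value) for one 01VVLLHH code; reject malformed or other types."""
    m = CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"malformed GameShark code: {code!r}")
    kind, value, lo, hi = (int(g, 16) for g in m.groups())
    if kind != 0x01:
        raise ValueError(f"unsupported code type {kind:02X} in {code!r}")
    return (hi << 8) | lo, value


def build_memory(codes: Iterable[str]) -> Dict[int, int]:
    """Apply every write; two codes writing different values to one address is an error."""
    mem: Dict[int, int] = {}
    for code in codes:
        addr, val = parse_gameshark(code)
        if addr in mem and mem[addr] != val:
            raise ValueError(f"conflicting writes to {addr:04X}: {mem[addr]:02X} vs {val:02X}")
        mem[addr] = val
    return mem


def contiguous_runs(mem: Dict[int, int]) -> List[Tuple[int, bytes]]:
    """Group the sparse memory image into (start address, bytes) runs, lowest address first."""
    runs: List[Tuple[int, bytes]] = []
    start = None
    buf = bytearray()
    for addr in sorted(mem):
        if start is not None and addr == start + len(buf):
            buf.append(mem[addr])
        else:
            if start is not None:
                runs.append((start, bytes(buf)))
            start, buf = addr, bytearray([mem[addr]])
    if start is not None:
        runs.append((start, bytes(buf)))
    return runs


def format_runs(runs: List[Tuple[int, bytes]]) -> str:
    """One 'ADDR: XX XX ..' line per run, the way a hex editor shows it."""
    return "\n".join(f"{start:04X}: {data.hex(' ').upper()}" for start, data in runs)


if __name__ == "__main__":
    print(format_runs(contiguous_runs(build_memory(SAMPLE_CODES))))
```

Running it on the posted list prints the DB75, DDD0 and DE41 runs in that order, which makes it easy to see that the nickname bytes are 4F 15 08 05 C9 00 18 87 37 C9 50 and that the jr byte pair sits at DE47.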

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: CasualPokePlayer
Date: 2020-03-01 21:19:05
I looked into this, and the results were… interesting to say the least.

I first tested it by looking at the nickname in the party screen (just in case battle did smth weird, just checking if the actual payload is correct)

pc = $CD52, does some stuff then rets to D079 (wStringBuffer1+06, seems to be correct)

pc = $D079, jr 87, which does jr D002 (which is wKeepSevenBiasChance? Which nop slides downwards then hits some rst 38 bytes and ofc standard 00 39 crash). So that's a big issue. I think you thought it jumps to DE47 (wPartyMonNicknames+06), but it doesn't, it jumps to a string buffer where the nickname is stored (since that is the source of the string anyways).

I used bgb to force it to jump to wPartyMon6Item instead of wKeepSevenBiasChance, then it jumps to $DB75 (which is wBoxNames? You say "to TM/HM pocket" so this might have been a mistake), then the code goes down, and crashes yet again because you put a pop hl in the ret byte but didn't put a ret byte after the pop hl. I put a ret after the pop hl and it returned safely and did the thing that it intended.

Now I went ahead and looked into actually executing it in a battle, and that was interesting to say the least. When it rets, it doesn't go to D079, it now goes to C627 (battles have a different buffer, this is sometime after in that buffer). So now you have jr 87 in C627, which jumps to C5B0. Obviously wrong, so something else would have to be used. This buffer is actually not that bad to use, since right after the string, we get wBattleMonSpecies, wBattleMonItem, and wBattleMoves. All of which are completely abusable. So, for a simple payload, instead of 18 87, use 18 03 (jr wBattleMonSpecies, jumps over the ret that's in the name), and have the payload mon be a Quagsire holding Miracle Seed with Safeguard as its first move (this might sound a bit familiar ;^). From there, have DB75 and onwards have 3E FB EA 04 D2 E1 C9. (ld a,FB ld (wTempEnemyMonSpecies),a pop hl ret). And then catch Celebi ;)

EDIT: Although, since it seems that you meant to redirect execution to items, you will probably want a different payload mon. Instead of a Quagsire holding Miracle Seed with Safeguard, you'd want a Quagsire holding TM50 with Return as its first move (yes, the known bootstrap for PC Items). Then for PC Items, you'd want this payload (or something else ig but this is somewhat optimized for item restrictions).

TM33 x01
Wht Apricorn x01
Burn Heal x22
TM18 x01
Great Ball xAny
Repel x89
Potion x03
TM10 xAny


For actual code on this payload:


pop hl
ld bc,$0161
ld a,(bc) ; a = $FB
ld d,$D1
ld bc,$xx04 ; c = $04
inc d ; d = $D2
ld e,c ; de = $D204
ld (de), a ; wTempEnemyMonSpecies = $FB
inc bc ; filler
ret


EDIT2: Also after just doing tests with this, the code works fine, but I'm questioning the "properly terminated name" part lol
[img]https://i.gyazo.com/cb717e92f0006e5cdd69f927985f8743.png[/img]
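The mis-targeted jr in the reply above comes down to relative-jump arithmetic: the target is the address of the byte after the two-byte jr plus the signed 8-bit offset, wrapped to 16 bits. The following Python helper is an added example (not code from the thread) that evaluates jr 87 and jr 03 at the three execution addresses the thread names (DE47, where the nickname sits in party RAM; D079 in the party-screen string buffer; C627 in the battle string buffer) and computes the offset byte that reaches a given target. The scenario labels are mine; the addresses come from the posts above.

```python
"""Compute the target of a Game Boy `jr e8` (opcode $18) executed at a given PC.

Added example, not code from the thread. The CPU rule: the offset is a signed
byte relative to the instruction that follows the two-byte jr, so
target = (pc + 2 + offset) mod 2^16.
"""
from typing import Dict


def signed8(b: int) -> int:
    """Interpret one byte as two's-complement."""
    if not 0 <= b <= 0xFF:
        raise ValueError(f"not a byte: {b}")
    return b - 0x100 if b & 0x80 else b


def jr_target(pc: int, offset: int) -> int:
    """Address reached by `jr offset` when the jr opcode itself is at `pc`."""
    return (pc + 2 + signed8(offset)) & 0xFFFF


def jr_offset_for(pc: int, target: int) -> int:
    """Inverse: the offset byte that reaches `target` from a jr at `pc`, if it is in range."""
    delta = target - (pc + 2)
    if not -128 <= delta <= 127:
        raise ValueError(f"{target:04X} is not reachable by jr from {pc:04X} (delta {delta})")
    return delta & 0xFF


# Constructed scenario table (labels are mine): where the thread says the jr byte
# actually executes. The nickname is written at DE41, so the jr is at DE41+6.
SCENARIOS: Dict[str, int] = {
    "intended (nickname in party RAM)": 0xDE47,
    "party screen (string buffer copy)": 0xD079,
    "battle (battle string buffer copy)": 0xC627,
}


def trace(offset: int) -> Dict[str, int]:
    """Target of `jr offset` under every scenario."""
    return {label: jr_target(pc, offset) for label, pc in SCENARIOS.items()}


if __name__ == "__main__":
    for off in (0x87, 0x03):
        for label, tgt in trace(off).items():
            print(f"jr ${off:02X} at {label}: -> {tgt:04X}")
    print(f"offset to reach DDD0 from a jr at DE47: ${jr_offset_for(0xDE47, 0xDDD0):02X}")
```

The output shows why 87 was chosen (from DE47 it lands exactly on DDD0) and why it fails in practice: the same byte executed at D079 lands on D002 and at C627 on C5B0, as the reply observes, while jr 03 at C627 lands on C62C, just past the 37 C9 50 tail of the name.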

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-02 03:53:48
Thank you so much! :D

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Unused Trainer
Date: 2020-03-02 04:48:29
So the ACE function works very well even in the second generation?

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: CasualPokePlayer
Date: 2020-03-02 12:46:41
Well the ACE exploit is just the result of Gamefreak sucking at error checking. It works fine if you know where it's actually executing at.

Also, I sorta dislike how the payload mon is just a bootstrap, so here is a compact setup that has the entire payload on the Pokémon.

Poliwrath, holding HM09, with the moves Morning Sun, Comet Punch, Fury Cutter, and Dragonbreath (in that order), with 12 Attack and 9 Defense DVs. Preferably, you would use Gen 1 to obtain such a mon, by changing Poliwrath's catch rate to $FB, and give it the moves TM34, Comet Punch, TM10, and TM25, and ACE in $C9 for the Attack/Defense DVs. And also ACE in the 0x1508 name itself.

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-02 13:48:44

So the ACE function works very well even in the second generation?


Convenient to use? Yes, potentially with this. :) However, a link trade may be needed.

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: CasualPokePlayer
Date: 2020-03-02 22:25:27

So, for a simple payload, instead of 18 87, use 18 03 (jr wBattleMonSpecies, jumps over the ret that's in the name), and have the payload mon be a Quagsire holding Miracle Seed with Safeguard as its first move (this might sound a bit familiar ;^).


I looked into an actual box name for this (and keeping in mind 3DSVC restrictions, cough no ECHO RAM cough), and I've figured out a box code that works and attempts to minimize potential corruption. Here it is:


. Z p 0 'm <PK> 3
. <Space> . G 0 5 p
. <Space> . <Space> 0 p 'v
<PK> 3 . <Space> . <MN> p
'd


Screenshot of the code from bgb, because I am too lazy to actually write it down:
[img]https://i.gyazo.com/dac1b790c77a3febbc15d5cdc7bc9df9.png[/img]

Also, random tests of this indicate that it only sometimes works (stack pointer BS is too much; sometimes it crashes, but usually it's stable, so S/Q until it works fine ig lol). Although, as long as it's stable (most of the time it is), corruption will be minimal.

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-03 12:04:59
Wow, thanks! ^^

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-05 09:09:11


So, for a simple payload, instead of 18 87, use 18 03 (jr wBattleMonSpecies, jumps over the ret that's in the name), and have the payload mon be a Quagsire holding Miracle Seed with Safeguard as its first move (this might sound a bit familiar ;^).


I looked into an actual box name for this (and keeping in mind 3DSVC restrictions, cough no ECHO RAM cough), and I've figured out a box code that works and attempts to minimize potential corruption. Here it is:


I think Echo RAM possibly does work on 3DS VC(?), it might just be cases like Stadium Game Boy tower. https://forums.glitchcity.info/index.php?topic=7559.0

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: CasualPokePlayer
Date: 2020-03-05 14:22:58

I think Echo RAM possibly does work on 3DS VC(?), it might just be cases like Stadium Game Boy tower. https://forums.glitchcity.info/index.php?topic=7559.0

Ohhh, I was thinking of another emulation inaccuracy and mistook that for lack of ECHO RAM emulation lol, I guess the box code is useful for VBA users lol

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-05 14:38:10

Ohhh, I was thinking of another emulation inaccuracy and mistook that for lack of ECHO RAM emulation lol, I guess the box code is useful for VBA users lol


That's OK mousie ^^. Umm yeah lol. :) I wonder if there are any cases it's actually better to use Stadium Game Boy Tower and old VBA versions for glitching. Not sure what exactly happens when those run Echo RAM.

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: CasualPokePlayer
Date: 2020-03-05 23:26:09

I wonder if there are any cases it's actually better to use Stadium Game Boy Tower

I guess Bad Clones? lol

For box names that abuse ECHO RAM

p 'v 6 é <Space> 5 l <PK>
é 'm 'm 'd

xor a          ; get $00
sub a,$FC      ; get $04
ld ($FB7F),a
xor e          ; $04 XOR $FF = $FB
pop hl         ; needed to avoid crash
ld ($D2[D2]),a ; [D2] is replaced by the ACE
ret nc         ; carry flag isn't set by previous ACE so xor a isn't needed


Box names are fun to make lol

EDIT: Fixed box names lol

EDIT2: Actually fixed box names and tested them lol, they work
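To see how a typed box name becomes the listing above, the following Python script is an added example (not code from the thread): it maps the thread's character tokens to their Generation II text-encoding bytes using a partial character table (an assumption on my part; only letters, digits and the special characters the posted names use), then decodes those bytes with a small table of the opcodes the posted box codes use, little-endian operands included. Unknown opcodes are emitted as db, so a name that strays outside the table is visible rather than silently skipped, and the reverse mapping shows which payload bytes have no typeable character at all.

```python
"""Translate a Generation II box name (as typed characters) into bytes and
decode the bytes as Game Boy instructions.

Added example, not code from the thread. CHARMAP is a partial Gen II
text-encoding table (assumed; only the entries needed here), and OPCODES
covers only the instructions the posted box codes use.
"""
from typing import Dict, List

# Partial Gen II character map (assumed): typed character -> byte stored in RAM.
CHARMAP: Dict[str, int] = {
    "<Space>": 0x7F, "é": 0xEA, "<PK>": 0xE1, "<MN>": 0xE2,
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
}
CHARMAP.update({chr(ord("A") + i): 0x80 + i for i in range(26)})  # A..Z
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})  # a..z
CHARMAP.update({str(d): 0xF6 + d for d in range(10)})            # 0..9
BYTE_TO_CHAR = {v: k for k, v in CHARMAP.items()}

# Opcode table: opcode -> (mnemonic template, immediate operand size in bytes).
OPCODES = {
    0xAF: ("xor a", 0), 0xAB: ("xor e", 0), 0xE1: ("pop hl", 0),
    0xD0: ("ret nc", 0), 0xC9: ("ret", 0), 0x37: ("scf", 0),
    0xD6: ("sub a,${imm:02X}", 1), 0x3E: ("ld a,${imm:02X}", 1),
    0x18: ("jr ${imm:02X}", 1),
    0xEA: ("ld (${imm:04X}),a", 2), 0xC3: ("jp ${imm:04X}", 2),
}


def encode_box_name(text: str) -> bytes:
    """Whitespace-separated tokens (the thread's notation) -> bytes as stored in RAM."""
    try:
        return bytes(CHARMAP[tok] for tok in text.split())
    except KeyError as exc:
        raise ValueError(f"no table entry for character {exc.args[0]!r}") from None


def decode_box_name(data: bytes) -> str:
    """Inverse mapping; a byte with no typeable character in the table shows as <$XX>."""
    return " ".join(BYTE_TO_CHAR.get(b, f"<${b:02X}>") for b in data)


def disassemble(data: bytes) -> List[str]:
    """Linear decode with the partial opcode table; unknown opcodes become `db`."""
    out: List[str] = []
    i = 0
    while i < len(data):
        op = data[i]
        i += 1
        if op not in OPCODES:
            out.append(f"db ${op:02X}")
            continue
        template, size = OPCODES[op]
        if i + size > len(data):
            out.append(f"db ${op:02X} ; truncated operand")
            break
        # Game Boy immediates are little-endian: bytes 7F FB mean $FB7F.
        imm = int.from_bytes(data[i:i + size], "little") if size else 0
        i += size
        out.append(template.format(imm=imm))
    return out


# The ECHO RAM box name posted above, used here as constructed input.
ECHO_BOX_NAME = "p 'v 6 é <Space> 5 l <PK> é 'm 'm 'd"

if __name__ == "__main__":
    raw = encode_box_name(ECHO_BOX_NAME)
    print(raw.hex(" ").upper())
    for line in disassemble(raw):
        print(line)
    # The earlier TM/HM-pocket payload, round-tripped to show untypeable bytes.
    print(decode_box_name(bytes.fromhex("3EFBEA04D2E1C9")))
```

The disassembly reproduces the listing in the post (xor a, sub a,$FC, ld ($FB7F),a, xor e, pop hl, ld ($D2D2),a, ret nc), and the round-trip of 3E FB EA 04 D2 E1 C9 shows 3E, 04 and C9 as <$..> placeholders under this table, which is the constraint that forces payloads to be reshaped into name characters in the first place.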

Re: 0x1508 exploit help question (also easy battle/no weather ACE)?

Posted by: Torchickens
Date: 2020-03-06 02:39:28
*facepalm* Evie you idiot of course bad clones. Great, thanks! ^^