Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info

Posted by: MarcinTVP8
Date: 2017-01-09 14:13:19
Finally! I found arbitrary code execution in Pokémon Mystery Dungeon: Red Rescue Team!

Viewing a hex:0999 glitch move's info will cause the game to start executing code somewhere around 5ec1200c.

Viewing the glitch move name rarely occurs, so I have prepared a save state for this.

Just load the save state in VBA, click Info, and enjoy the glitchness!

(Note: The save state has been created on VBA version 1.8.0)

Re: PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info

Posted by: SatoMew
Date: 2017-01-09 14:30:15
Did you use original VBA? Since that emulator is very old and inaccurate, could you please try VBA-M and/or mGBA?

Re: PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info

Posted by: MarcinTVP8
Date: 2017-01-09 14:53:37
I did use the VBA 1.8.0 and I do not want to change versions.

Re: PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info

Posted by: TheZZAZZGlitch
Date: 2017-01-10 07:01:19
I checked it, this is a buffer overflow caused by the glitch move's description. Code execution takes place by overwriting the IRQ handler (similar to what happens in Gen III with decamark summary screens).
This exact move is not exploitable, since the instruction pointer lands in unmapped memory. But there probably is an index that would work for ACE.

Edit: Never mind, it actually locks up the game in both mGBA and No$gba Debug, so I'm forced to think that this is just an emulation error
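The mechanism TheZZAZZGlitch describes above (an over-long move description copied into a fixed-size buffer, running into the word the game uses as its IRQ handler address, with the resulting jump landing in unmapped memory) can be modelled in a few lines of C. The following is an added example written for this archive page; it is not code from the game, from any emulator, or from the posters. The struct layout, buffer size, handler address and copy routine are all invented to illustrate the bug class, and the memory-map check is a simplified version of the GBA map (ROM at 0x08000000-0x09FFFFFF, IWRAM at 0x03000000-0x03007FFF); the game's real layout is not known from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_LEN 32

/* Constructed model of the layout the post describes: a fixed-size
 * description buffer immediately followed by the word holding the IRQ
 * handler address. Offsets are hypothetical, not the game's. */
typedef struct {
    char desc[DESC_LEN];
    uint32_t irq_handler;   /* handler address as a plain 32-bit word */
} info_screen_t;

#define GOOD_HANDLER 0x080001C9u   /* hypothetical in-ROM handler (Thumb, bit 0 set) */
#define GLITCH_TARGET 0x5EC1200Cu  /* the "somewhere around 5ec1200c" from the thread */

/* Simplified GBA memory map: code can only run from ROM or IWRAM here.
 * 0x5EC1200C falls in neither, which is why the jump just locks up. */
int addr_is_mapped_code(uint32_t a) {
    if (a >= 0x08000000u && a <= 0x09FFFFFFu) return 1; /* cartridge ROM */
    if (a >= 0x03000000u && a <= 0x03007FFFu) return 1; /* IWRAM */
    return 0;
}

/* Vulnerable copy: copies the description up to its NUL with no size check.
 * Written through the struct's bytes so the demo's overflow stays inside the
 * object; a real unbounded copy would keep writing past it. */
void show_move_info_vulnerable(info_screen_t *scr, const char *description) {
    size_t n = strlen(description) + 1;
    if (n > sizeof *scr) n = sizeof *scr;
    memcpy((unsigned char *)scr, description, n);
}

/* Hardened copy: rejects anything that does not fit, always NUL-terminates,
 * and never writes outside desc[]. Returns 0 on success, -1 if rejected. */
int show_move_info_fixed(info_screen_t *scr, const char *description) {
    size_t n = strlen(description);
    if (n >= DESC_LEN) return -1;
    memcpy(scr->desc, description, n + 1);
    return 0;
}

/* Constructed glitch-style description: DESC_LEN filler bytes, then the four
 * bytes that land on irq_handler. No byte of GLITCH_TARGET is 0x00, so strlen
 * sees all 36 bytes. out must hold at least DESC_LEN + 5 bytes. */
void build_glitch_description(char *out, uint32_t target) {
    memset(out, 'A', DESC_LEN);
    memcpy(out + DESC_LEN, &target, 4);   /* little-endian, as on the GBA */
    out[DESC_LEN + 4] = '\0';
}

/* Runs the vulnerable path and returns the handler word afterwards. */
uint32_t demo_vulnerable(void) {
    info_screen_t scr;
    char desc[DESC_LEN + 8];
    memset(&scr, 0, sizeof scr);
    scr.irq_handler = GOOD_HANDLER;
    build_glitch_description(desc, GLITCH_TARGET);
    show_move_info_vulnerable(&scr, desc);
    return scr.irq_handler;
}

/* Runs the fixed path; returns 1 if the copy was rejected and the handler is intact. */
int demo_fixed(void) {
    info_screen_t scr;
    char desc[DESC_LEN + 8];
    memset(&scr, 0, sizeof scr);
    scr.irq_handler = GOOD_HANDLER;
    build_glitch_description(desc, GLITCH_TARGET);
    int rc = show_move_info_fixed(&scr, desc);
    return rc == -1 && scr.irq_handler == GOOD_HANDLER;
}

int main(void) {
    uint32_t h = demo_vulnerable();
    printf("after vulnerable copy: irq_handler = 0x%08X (%s)\n", h,
           addr_is_mapped_code(h) ? "mapped code" : "unmapped: lockup, not ACE");
    printf("fixed copy kept the handler intact: %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one in the post: the overflow itself is real in the sense that the handler word is clobbered, but whether it is "ACE" or just a hang depends entirely on where the overwritten word points. Finding an index whose description bytes spell a mapped address is the part that would make it exploitable.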