Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 30

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Isaac356
Date: 2016-07-27 21:23:45
Hi,

I'm new here having only recently gotten into Pokémon glitching, but like many others I was frustrated with trying to use the giant image to find the Pokémon that I wanted, so I took it upon myself to create this: https://www.exocron.me/tfly

Simply choose the Pokémon that you want in the dropdown box and the page will list out all the trainers that you can obtain them from, as well as what Pokémon in their party is the one that yields the necessary special stat, and what route/gym/other place they are located in. It's currently very ugly (think early alpha) and only gives a general idea of the trainer's location, but it does work, and since I've already found it helpful I figured I'd throw it out there now and improve it over time. I parsed all the necessary data from the Pokémon Red disassembly (https://github.com/pret/pokered) and the few trainers that I manually verified were correct, but some data is linked up incorrectly (in particular, the Rival data), which I'll need to fix up manually over time.

In addition, if any web designers that are watching this thread want to fork the project and pretty it up, it would be much appreciated.  ;D


Something occurred to me today: Creating a bootstrapping program that takes input from the Gameboy's serial port would be both short to write with items and pretty fast to execute, assuming you had something specifically designed for it attached to the serial port. You could probably make a simple datalink device with an Arduino or something. Has anyone tried this?


Not exactly the same thing, but very similar, someone buffer overflowed the Cable Club and ran some shellcode that way: https://www.youtube.com/watch?v=m3e_SyhE3xc

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-07-27 22:24:26
Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!

I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Isaac356
Date: 2016-07-28 00:36:59

I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens


There are quite a few trainer party entries that don't have any actual map objects linked to them (i.e. Professor Oak). In addition, the rival's entries don't appear to be linked at all (except for the first one - the level 5 starter - in two different places), but I presume that is because the game handles him differently (doesn't show up on map after completion; party data depends on starter choice). For Oak and the rival, I'll be able to designate those separately (they're labeled in the disassembly, and the rival only shows up in a few places so I can mark those down manually), but for the others, I won't know if they're unused data or if Game Freak just pulled some shenanigans (the code is filled with interesting one-off situations that don't match up to the rest of the game, so it's possible that the scripts I wrote to parse the data and re-structure it just missed something).

TL;DR - Probably glitch trainers or rival. I'm leaving them in for now, but I'll be sure to make it more clear what's going on in the future (maybe hide them behind an "Include glitch trainers" checkbox).

At some point, I'm hoping to screen shot all the maps, so hopefully by then I'll notice if the trainer count doesn't match up.


Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!


Yeah, now that I think about it, it probably is. Sorry about that. I was just following the thread since I was starting the arbitrary code execution stuff, and I got too excited about this project.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2016-07-28 01:54:29
The same method of arbitrary code execution through the link cable is possible in Gen II. This (similarly to the Gen I version) works by overflowing the trade partner Pokemon list and overwriting a return address on the stack.

https://www.youtube.com/watch?v=e8CO_e_rKd8

There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-28 09:58:42
There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.


Thanks, this is exactly what I was looking for! I kind of want to use this method to dump or load SRAM data to physical carts. On a DMG I think it would take a bit more than 30 seconds to funnel all of SRAM through the serial port, but I admit I've never really coded for serial communication. And hey, if that works, just for lolz I could probably dump the whole ROM through the serial port.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-07-28 10:31:03
Welcome to the forums Isaac356! :)

Thanks for the amazing Trainer-Fly database. Is it all right if I link to it on the wiki sidebar?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Isaac356
Date: 2016-07-28 15:05:42
Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-07-28 16:46:53

Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!


All right then, cool! I've gone ahead and added it to the sidebar. ^_^

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Isaac356
Date: 2016-08-09 21:39:30
We're back!  ;D

I spent the last few days experimenting with loading serial data via 8F. I went through a couple of iterations on the shellcode, trying to eliminate key items and glitch items, before I settled on this:

Technically, the nulls could be eliminated, but that would make the code longer and they're easy enough to obtain.


WRA1:D322 F3        di
WRA1:D323 21 00 C0  ld   hl,C000
Loop::
WRA1:D326 00        nop
WRA1:D327 00        nop
WRA1:D328 E0 01     ld   (ff00+01),a
WRA1:D32A 3E 80     ld   a,80
WRA1:D32C E0 02     ld   (ff00+02),a
Wait_Serial::
WRA1:D32E F0 02     ld   a,(ff00+02)
WRA1:D330 E6 80     and  a,80
WRA1:D332 20 FA     jr   nz,Wait_Serial
Serial_Received::
WRA1:D334 F0 01     ld   a,(ff00+01)
WRA1:D336 22        ldi  (hl),a
WRA1:D337 18 ED     jr   Loop


The code will store bytes received from the serial port (in slave mode, because it's easier for synchronization and we can drive the serial faster than normal) starting at address C000 and never ending…or so it may seem. The nops are key here. Originally I limited how many bytes to receive, then jumped directly to address C000, but the resulting code barely fit into the item list. Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, so when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.

In other words, your serial data sender has to look something like this (in a very Python-esque pseudocode):


# program: the payload bytes that should end up at C000
# send_serial_data: the sender's one-byte transmit routine (the Game Boy is the slave)
for byte in program:
    send_serial_data(byte)

# zero-fill the rest of the way up to D323, where the loader's own code starts
for i in range((0xD323 - 0xC000) - len(program)):
    send_serial_data(0)

# C3 00 C0 = jp C000 over the ld hl; 18 FB turns the two nops into jr -5, back to D323
for byte in b"\xC3\x00\xC0\x18\xFB":
    send_serial_data(byte)
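A host-side model of the self-overwriting loader described above, added here as an example (it is not code from the original post). It builds the byte stream the sender must push, simulates the receive loop storing each byte at hl from C000, and checks that the last five bytes turn D323 into jp C000 and D326 into a jr that lands on it; the loader bytes and addresses are the ones in the post, and the sample payload is a constructed placeholder.

```python
# Addresses from the post: the loader sits at D322, its "ld hl,C000" at D323,
# the two nops at D326, and received bytes are stored from C000 upward.
LOADER_ADDR = 0xD322
LOOP_CODE_ADDR = 0xD323   # ld hl,C000 here; overwritten with jp C000
NOP_PAIR_ADDR = 0xD326    # nop nop here; overwritten with jr -5
RECEIVE_BASE = 0xC000     # first received byte lands here

# The loader exactly as listed in the post (D322..D338).
LOADER = bytes.fromhex("F3 21 00 C0 00 00 E0 01 3E 80 E0 02 F0 02 E6 80 20 FA F0 01 22 18 ED")

# Tail of the stream: jp C000 (C3 00 C0), then jr with offset FB, as in the post.
TAIL = bytes([0xC3, 0x00, 0xC0, 0x18, 0xFB])


def build_stream(program: bytes) -> bytes:
    """Payload, zero padding up to D323, then the 5-byte tail (the post's sender)."""
    room = LOOP_CODE_ADDR - RECEIVE_BASE
    if len(program) > room:
        raise ValueError(f"program is {len(program) - room} bytes too long")
    return program + bytes(room - len(program)) + TAIL


def jr_target(jr_addr: int, offset: int) -> int:
    """Target of a jr: the signed offset is relative to the byte after the 2-byte jr."""
    signed = offset - 0x100 if offset & 0x80 else offset
    return jr_addr + 2 + signed


def simulate_receive(stream: bytes) -> bytearray:
    """Model the receive loop's memory effect: each byte is stored at hl, hl++."""
    mem = bytearray(0x10000)
    mem[LOADER_ADDR:LOADER_ADDR + len(LOADER)] = LOADER
    hl = RECEIVE_BASE
    for b in stream:
        mem[hl] = b
        hl = (hl + 1) & 0xFFFF
    return mem


def check_bootstrap(program: bytes) -> dict:
    """Verify the end state the post relies on after the whole stream is received."""
    mem = simulate_receive(build_stream(program))
    return {
        "program_at_c000": bytes(mem[RECEIVE_BASE:RECEIVE_BASE + len(program)]) == program,
        "jp_c000_at_d323": bytes(mem[LOOP_CODE_ADDR:LOOP_CODE_ADDR + 3]) == b"\xC3\x00\xC0",
        "jr_opcode_at_d326": mem[NOP_PAIR_ADDR] == 0x18,
        "jr_lands_on_jp": jr_target(NOP_PAIR_ADDR, mem[NOP_PAIR_ADDR + 1]) == LOOP_CODE_ADDR,
        # bytes from D328 on were never written, so the loop body is still intact
        "loop_body_intact": bytes(mem[NOP_PAIR_ADDR + 2:LOADER_ADDR + len(LOADER)]) == LOADER[6:],
    }


if __name__ == "__main__":
    payload = bytes.fromhex("3E 2A C9")  # constructed placeholder: ld a,2A / ret
    print(check_bootstrap(payload))
```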

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-08-10 18:58:08
Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, therefore when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.


Huh, that's a really interesting approach. I like it. I wouldn't have thought to do that. I figured the best way to get around the item quantity bottleneck is to just allow a set number of bytes over serial at first, then send an intermediate bootstrapper, then use that bootstrapper to start receiving the full payload.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-09-02 15:41:14
I was watching some Japanese Pokémon glitch videos on Niconico when looking for information about the SRAM glitch in Japanese versions and I found a really interesting video (view without having to create a Niconico account) by taba that discusses arbitrary code execution.

It mentioned arbitrary code execution items in Red/Green discussed here such as 5 (hex: 5A), the Japanese version of 8F, executing D123 (found long ago); てへ (hex: 7B), executing D806, the grass encounter table, which can be manipulated to the player's name by watching the old man, documented by memdump; but also an arbitrary code execution item I wasn't aware of called な (Friend Badge), hex: 67; as well as TM18 in Japanese Crystal (I will talk about that in another thread).

For those curious about the name, な (Friend Badge) is one of the unexplained unused list texts.

な (Friend Badge) executes code at D983, which stores the number of Safari Balls. This should mean that you can make it work like "-gm" in English Red/Blue, the item which memdump found executes code from DA47 (also the number of Safari Balls). Following D983 is the Day Care in use byte D984 (0 or 1), and the beginning of the structure for the Day Care Pokémon's nickname, D985.

What's notable about な (Friend Badge) is that you can use a nickname as the data from D985, and this is good because you can give a Pokémon a nickname at any time, whilst with the player name you can normally only set your name at the beginning of the game (although this raises the question of whether we can change our names in desirable ways with a Select glitch).

Like with てへ, the different mapping for selectable characters in Japanese games allows us to use C3 A6 D2 (て) to jump directly to item 3.

With Friend Badge and no Safari Balls, you can either put a Pokémon named "て" into the Day Care and out again (Day Care data stays after taking the Pokémon out, and for this nickname taking it out is an important step) or deposit a Pokémon with a name such as "" (you can take this Pokémon out if you like, but don't need to). The former method works in this way because having a 1 value (in Safari Ball) at D984 is interpreted as a ld bc, $aabb instruction and this causes D985 and D986 (nickname characters 1 and 2) to be interpreted as operands.

Additionally as illustrated in the video, if you have 30 Safari Balls in memory, then D983 will be 1E; the ld e, $xx instruction. This would cause D984 (is the Pokémon in the Day Care byte) to be interpreted as an operand; meaning theoretically "て" will work if you had 30 Safari Balls and put the Pokémon named "て" into Day Care even if you leave it in.

Friend Badge also works in Japanese Blue.

So remember for Japanese R/G/B Friend Badge is your bff. :)… or worst nightmare if you set things up wrong.
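To make the opcode/operand alignment in the Friend Badge discussion above concrete, here is an added example (not code from the original post) that walks what the CPU fetches from D983 onward and reports which nickname characters are swallowed as operands before the first opcode is read from the nickname itself. It goes slightly beyond the post by covering every Safari Ball count from 0 to 30 (opcodes 00..1E, whose lengths are those of the Game Boy CPU); the addresses are the post's, and the nicknames are constructed byte strings rather than real names.

```python
SAFARI_BALLS = 0xD983    # Safari Ball count, fetched as the first opcode
DAYCARE_IN_USE = 0xD984  # 0 or 1
NICKNAME = 0xD985        # first character of the Day Care Pokémon's nickname

# Instruction lengths for opcodes 00..1E, i.e. 0..30 Safari Balls.
# 18 (24 balls) is jr, which moves control away, so it is handled separately.
LENGTHS = [1, 3, 1, 1, 1, 1, 2, 1, 3, 1, 1, 1, 1, 1, 2, 1,
           2, 3, 1, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 2]
JR = 0x18


def build_region(safari_balls: int, in_use: bool, nickname: bytes) -> bytearray:
    """Lay out D983.. as the post describes: count, Day Care flag, nickname."""
    if not 0 <= safari_balls <= 30:
        raise ValueError("Safari Ball count must be 0..30")
    region = bytearray(0x20)
    region[0] = safari_balls
    region[1] = 1 if in_use else 0
    region[2:2 + len(nickname)] = nickname
    return region


def first_nickname_opcode(region: bytearray):
    """Nickname offset of the first byte fetched as an opcode, or None when a
    jr at D983 sends control elsewhere. Only alignment is modelled, not the
    side effects of the instructions decoded along the way."""
    addr = SAFARI_BALLS
    while addr < NICKNAME:
        op = region[addr - SAFARI_BALLS]
        if op == JR:
            return None
        addr += LENGTHS[op]
    return addr - NICKNAME


def entry_instruction(safari_balls: int, in_use: bool, nickname: bytes) -> str:
    """Mnemonic of the first instruction decoded from the nickname, if it is
    the jp nn the post's setups rely on; 'other' for anything else."""
    region = build_region(safari_balls, in_use, nickname)
    off = first_nickname_opcode(region)
    if off is None:
        return "control left at D983"
    b = region[2 + off:2 + off + 3]
    if len(b) == 3 and b[0] == 0xC3:
        return f"jp {b[2]:02X}{b[1]:02X}"
    return "other"


if __name__ == "__main__":
    # "て..." modelled as the bytes C3 A6 D2 from the post (constructed nickname)
    for balls, flag in [(0, False), (0, True), (30, True), (24, True)]:
        print(balls, flag, entry_instruction(balls, flag, b"\xC3\xA6\xD2"))
```

With 0 balls and the flag clear the nickname is executed from its first character; with the flag set, D984 becomes ld bc and eats two characters; with 30 balls (1E) the flag byte is eaten as the operand of ld e,n, which is the post's "works even if you leave it in" case.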

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-04 08:52:32
Hello everyone!

First, I would like to say thank you and amazing job to everyone who has been working on those glitches in the early Pokemon games : ) !

I found this forum while looking for a way to get new copies of TM28 and TM48 that I had used up in my French Pokemon Yellow version (played on Nintendo Virtual Console on a 3DS), and was dumbfounded when I read what one is able to do thanks to the 8F / wsm glitch!

So I attempted to use it, but unfortunately it hasn't worked up until now.
I was able to get the wsm item by using the ditto glitch.
I also got all the pokemon specified at the end of this post of Wack0 (http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543), i.e. the six slowpoke, the voltorb, scyther, jolteon, ten geodude and finally voltorb in this order (the first slowpoke having total and current HP equal to 233).
Finally, using again the ditto glitch, I was able to complete the item quantity requirements: I wanted to use the "change the 2nd item" script, so as to get another TM48, whose corresponding item list is described near the end of the first post of this topic (http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501).
But when the time comes to select and use the wsm item, the game freezes.

So I wonder about what I am doing that is wrong, and would like to know if you had some insight about this, if possible.

I thought that maybe those corresponding item lists were designed for Pokemon Blue / Red, and did not work for Pokemon Yellow, or maybe because mine is a French version instead of a US one. Maybe it's because I'm doing something wrong about the bootstrapping step, but I checked again, and it seems to me I have the setting just as Wack0 described in his post (though I wonder about step 22: why does he repeat Slowpoke as the 1st Pokémon in the current PC box? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don't know. In your opinion, how did he proceed to test it, and determine that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.

It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possibly another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the start reading item position, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it's wonderful what one can do once one understands the inner workings of such a game : )

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Yeniaul
Date: 2016-09-04 09:27:18
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.

EDIT: You're on a French version? Well, there you go. That's the problem. Read the ACE article on the wiki to see the equivalent item.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-09-04 09:32:45

It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possibly another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the start reading item position, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it's wonderful what one can do once one understands the inner workings of such a game : )


Hi Pavel, welcome to the forums! :)

You are using a correct bootstrap code for the French version (in non-English European versions the code indeed has to be tweaked, because the addresses are offset by +5).

It's odd that ws m isn't working because if you meet all the item and stored Pokémon requirements the code should work.

Regarding the item position; one thing that may be the problem is if the beginning of your code begins from an item position other than slot 3; as Wack0's bootstrap code is designed to execute your code from slot 3 only; so make sure your item list begins at slot 3.

The place that the item execution begins depends solely on the bootstrap code (how we redirect the code flow from stored Pokémon); so you don't have to worry about ws m executing from the item storage box, because that would need a completely different bootstrap code. Using an English language bootstrap code to redirect the code flow to item 3 instead of a French/German/Spanish/Italian one may mean that the game would still run the code from D322, which due to the address differences is effectively English Red/Blue's D31E (item 1 quantity).

Additionally make sure that your item quantities/items are correct and the current box loaded is the same storage box as where you stored your 20 Pokémon (the Slowpoke with 233 HP followed by five Slowpoke, Voltorb, Scyther, Jolteon, ten Geodude, Voltorb).

Hope that helps!


Slowpoke as the 1st Pokémon in the current PC box? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don't know. In your opinion, how did he proceed to test it, and determine that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.


You don't need to do anything else (unless your Slowpoke is an unstable hybrid Pokémon), and the reason Slowpoke appears again is because after the list of six Pokémon (+ the FF end of list) marks the beginning of Pokémon one's data, which contains a copy of the Pokémon's species byte. These bytes would only not match if your Pokémon is a hybrid obtained from a glitch such as the Pokémon merge glitch, in which you would fuse a different Pokémon with Slowpoke.


... for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it's wonderful what one can do once one understands the inner workings of such a game : )


Thank you for the kind words and glad you like our findings! :)


There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.


Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically な if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue, because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively, not running the Day Care data.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Yeniaul
Date: 2016-09-04 09:49:12
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.


Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically な if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue, because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively, not running the Day Care data.

Makes no mention of the many items with a variant of the name "ws m" nor how I know this.