Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 4

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-06 16:21:05
OK.

Major new finding:

8F should work in FR/ES/IT/DE R/B.

In all of these, item $5D points to $D168 which in these games is where "Number of Pokémon" is.

But of course, there's a catch.

Seeing as the offsets are different…
The bootstrap code for English R/B won't work!

So using them there will have to wait until I, TheZZAZZGlitch, or a third party go and play around with GB asm and make a nice payload that can jump to $D327 (3rd item type).

And for all you players of Japanese Blue... 5kai should work there just as well as it works in Japanese R/G.


For Yellow:

In ES/DE/FR/IT Yellow, item $63 calls DA84 (I think this is Number of Pokémon in Current Box; I have yet to confirm this.)

Of course, different bootstrap code is needed here thanks to the offset differences.

In JP Yellow, item $BB calls $DB21, which I think is something in the middle of current box Pokémon 7. Either Status or Type 1. I'm not sure which. UPDATE: if I have my calculations correct, it's Type 1. (Thanks Torchickens!) UPDATE 2: It's actually Type 1 of Pokémon 11 in the current box, not Pokémon 7. (Thanks again Torchickens!)

This would require whole new bootstrap code; it cannot be based on any of the others.

Another update:

Here's bootstrap code for European R/B. TheZZAZZGlitch, thanks a lot for using relative jumps and making my life easier, it only requires one byte change! Please note that I haven't tested this yet and probably won't have a chance to today, but if it doesn't work, I will probably update this post with the working code.

OK, here we go…

1.  6 Pokémon                                                        [0xD168 = 0x06]
2.  Graveler as the first Pokémon                                    [0xD169 = 0x27]
3.  Pidgey as the second Pokémon                                      [0xD16A = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD16B = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD16C = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1BA = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used    [0xD1BB = 0x55]
8.  36 PP left on the fourth Pokémon's first move                    [0xD211 = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD212 = 0x18]
10. 20 PP left on the fourth Pokémon's third move                    [0xD213 = 0x14]
11. Double Team as the fifth Pokémon's first move                    [0xD228 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD229 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD230 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                [0xD271 = 0xE9]

; -- EU R/B
; -- hl: D168
D168: 06 27  ld b,27 ; b=27
D16A: 24    inc h  ; hl = D268
D16B: 18 4D  jr D1BA

D1BA: 18 55  jr D211

D211: 24    inc h  ; hl = D368
D212: 18 14  jr D228

D228: 68    ld l,b  ; hl = D327
D229: 18 46  jr D271

D271: E9    jp hl


EDIT: Just tested, and this payload works totally fine on FR Blue.

Yet another update:

And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                        [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                [0xDA92 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                [0xDA93 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                [0xDA98 = 0x06]
:: END OF LIST MARKER [0xFF]                                        [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                    [0xDA9B = 0x00]
                                              +-                    [0xDA9C = 0xE9]

; -- EU YELLOW
; initial value of hl = DA84
WRA1:DA84 14              inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA85 25              dec  h      ; hl = D984
WRA1:DA86 25              dec  h      ; hl = D884
WRA1:DA87 25              dec  h      ; hl = D784
WRA1:DA88 25              dec  h      ; hl = D684
WRA1:DA89 25              dec  h      ; hl = D584
WRA1:DA8A 25              dec  h      ; hl = D484
WRA1:DA8B 06 26            ld  b,26
WRA1:DA8D 68              ld  l,b    ; hl = D426
WRA1:DA8E A9              xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8F A9              xor  c
WRA1:DA90 A9              xor  c
WRA1:DA91 A9              xor  c
WRA1:DA92 A9              xor  c
WRA1:DA93 A9              xor  c
WRA1:DA94 A9              xor  c
WRA1:DA95 A9              xor  c
WRA1:DA96 A9              xor  c
WRA1:DA97 A9              xor  c
WRA1:DA98 06 FF            ld  b,FF  ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA9A 25              dec  h      ; hl = D326
WRA1:DA9B 00              nop 
WRA1:DA9C E9              jp  hl


Tested working with FR Yellow. :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-07 03:33:54
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 04:59:17

psst: Nothing major, but some of your memory addresses are a little off in the code box ;)


I know. I was tired last night. The code works though.

EDIT: fixed now.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-07 05:05:47


psst: Nothing major, but some of your memory addresses are a little off in the code box ;)


I know. I was tired last night. The code works though.

EDIT: fixed now.

Hence "nothing major" :P

I just thought you might like to know.

Thanks for all the work you did :o I'm sure TheZZAZZGlitch will be happy if he sees it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 06:19:35
Dammit, looks like it's a no-go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute... on Japanese Yellow 1.2 $BB's name IS properly terminated...

…but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(

That's odd. During battle when that item is used, the bp at the jump at the end of UseItem is hit... but hl=$2801 ?!?!??!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 06:45:54

Dammit, looks like it's a no-go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute... on Japanese Yellow 1.2 $BB's name IS properly terminated...

…but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(


You can use $BB in battle without any use/toss menu as if it was a Poké Ball. Does this work?

edit: Oops, ninja'd by your edit xD.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 06:49:35
funfact: was just starting to code a payload, and I decided to check if pc reached what I thought it was going to reach.

And it didn't, so.. dafuq's up with that.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 06:56:23
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 07:02:08

That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?


Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 07:13:21


That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?


Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.


Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer glitches. It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.

Edit: On changing the 11th Pokémon to one of those level 127 Ketsuban, $BB worked the same but changed the opponent into a level 127 Pikachu, however, I'm pretty sure that this is just Japanese Yellow's equivalent of the level 127 Horsea that will appear instead if you mess up the graphics on your side after sending out any Missingno. into battle.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 07:16:27



That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?


Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.


Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer glitches. It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.


What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 07:20:56

What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04

AA13E886A47FD473DA63B7D5DDF2828D, so it's v1.0 then.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 07:22:59
Btw, I believe that in v1.1 and v1.2 it just locks up in battle on the items list with the white arrow pointer.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-12-07 07:36:43
My item pointer table dumper shows that the valid items point to what they should.


Remember that because of Gen I's broken pointer arithmetic, item with ID $80 acts like $00, $81 like $01, $82 like $02, etc., and your pointer table dumper should take that into account. This would mean that $BB acts like $3B. $3B is an unused 'Coin' item, and that would explain everything, since it's programmed to do nothing.

Japanese Yellow has item $63 (''), which jumps to $D9B2 - number of Pokémon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'…
My ROM (telling by the checksum) seems to be v1.0.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban


It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (the method of doing this is the same as in international releases). Also, by accident I found that the Japanese version of hooked Metapod is hooked Diglett :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 07:38:29

Japanese Yellow has item $63 (''), which jumps to $D9B2 - number of Pokémon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'…


Thanks. If I'd known that D9B2 is number of Pokémon in the current box in JP Yellow (and offsets are the same in 1.0, 1.1 and 1.2), I'd have found this out.

Will modify your payload to work with it now.

EDIT: Here. Again, only one byte needed to be changed.

1.  20 Pokémon in your PC box                                        [0xD9B2 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                [0xD9B3 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                [0xD9B4 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                [0xD9B5 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                [0xD9B6 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                [0xD9B7 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                [0xD9B8 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xD9B9 = 0x06]
9.  Raticate as the 8th Pokémon in the current PC box                [0xD9BA = 0xA6]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xD9BB = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                [0xD9BC = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                [0xD9BD = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                [0xD9BE = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                [0xD9BF = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                [0xD9C0 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                [0xD9C1 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                [0xD9C2 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                [0xD9C3 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                [0xD9C4 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                [0xD9C5 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                [0xD9C6 = 0x06]
:: END OF LIST MARKER [0xFF]                                        [0xD9C7 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                [0xD9C8 = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                    [0xD9C9 = 0x00]
                                              +-                    [0xD9CA = 0xE9]

; -- JP YELLOW [1.0, 1.1 and 1.2]
; initial value of hl = D9B2
WRA1:D9B2 14              inc  d      ; offset hack: 20 Pokémon in the box
WRA1:D9B3 25              dec  h      ; hl = D8B2
WRA1:D9B4 25              dec  h      ; hl = D7B2
WRA1:D9B5 25              dec  h      ; hl = D6B2
WRA1:D9B6 25              dec  h      ; hl = D5B2
WRA1:D9B7 25              dec  h      ; hl = D4B2
WRA1:D9B8 25              dec  h      ; hl = D3B2
WRA1:D9B9 06 A6            ld  b,A6
WRA1:D9BB 68              ld  l,b    ; hl = D3A6
WRA1:D9BC A9              xor  c      ; offset hack: do nothing until ip=DA93
WRA1:D9BD A9              xor  c
WRA1:D9BE A9              xor  c
WRA1:D9BF A9              xor  c
WRA1:D9C0 A9              xor  c
WRA1:D9C1 A9              xor  c
WRA1:D9C2 A9              xor  c
WRA1:D9C3 A9              xor  c
WRA1:D9C4 A9              xor  c
WRA1:D9C5 A9              xor  c
WRA1:D9C6 06 FF            ld  b,FF  ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:D9C8 25              dec  h      ; hl = D2A6
WRA1:D9C9 00              nop 
WRA1:D9CA E9              jp  hl
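As an added example that is not part of the thread or of anyone's posted code: a small Python tracer for the handful of Game Boy instructions the three bootstrap listings above (EU R/B, EU Yellow, JP Yellow) use. It replays each byte layout and reports where the final `jp hl` lands, so the `hl = ...` comments in the listings can be checked rather than trusted, and it computes the `jr` operand byte that makes the R/B code relocatable. The memory layouts are transcribed from the disassembly listings; the helper names are mine.

```python
# Added example, not code from the thread: a tracer for the few SM83 (Game Boy)
# instructions these 8F-style bootstrap payloads use. Memory layouts below are
# transcribed from the three disassembly listings in Stackout's posts.

def load(start, data):
    """Build an address -> byte map for bytes laid out contiguously from start."""
    return {start + i: v for i, v in enumerate(data)}

# EU R/B: sparse bytes; the gaps hold whatever else is in the party data.
EU_RB = {0xD168: 0x06, 0xD169: 0x27, 0xD16A: 0x24, 0xD16B: 0x18, 0xD16C: 0x4D,
         0xD1BA: 0x18, 0xD1BB: 0x55, 0xD211: 0x24, 0xD212: 0x18, 0xD213: 0x14,
         0xD228: 0x68, 0xD229: 0x18, 0xD22A: 0x46, 0xD271: 0xE9}
# EU and JP Yellow: contiguous box-species bytes; only the base address and
# the `ld b,n` operand (None below) differ between the two.
_YELLOW = ([0x14] + [0x25] * 6 + [0x06, None, 0x68] + [0xA9] * 10
           + [0x06, 0xFF, 0x25, 0x00, 0xE9])
EU_YELLOW = load(0xDA84, [0x26 if v is None else v for v in _YELLOW])
JP_YELLOW = load(0xD9B2, [0xA6 if v is None else v for v in _YELLOW])

def jr_byte(instr_addr, target):
    """Operand byte of a `jr target` encoded at instr_addr: the displacement is
    relative to the byte after the 2-byte instruction and must fit in int8."""
    e = target - (instr_addr + 2)
    if not -128 <= e <= 127:
        raise ValueError("jr target out of range")
    return e & 0xFF

def trace(mem, start):
    """Run from start with hl == start (how the game enters the item-effect
    jump) until `jp hl`; return (address jumped to, list of executed pcs).
    Reading a byte the layout does not define raises KeyError on purpose."""
    h, l, b, pc, seen = start >> 8, start & 0xFF, 0, start, []
    while True:
        seen.append(pc)
        op = mem[pc]
        if op == 0x00: pc += 1                            # nop
        elif op == 0x06: b = mem[pc + 1]; pc += 2         # ld b,n
        elif op == 0x14: pc += 1                          # inc d (d unused here)
        elif op == 0x18:                                  # jr e, signed, from pc+2
            e = mem[pc + 1]
            pc += 2 + (e - 0x100 if e > 0x7F else e)
        elif op == 0x24: h = (h + 1) & 0xFF; pc += 1      # inc h
        elif op == 0x25: h = (h - 1) & 0xFF; pc += 1      # dec h
        elif op == 0x68: l = b; pc += 1                   # ld l,b
        elif op == 0xA9: pc += 1                          # xor c (padding only)
        elif op == 0xE9: return (h << 8) | l, seen        # jp hl
        else:
            raise ValueError(f"opcode {op:02X} at {pc:04X} not modelled")

if __name__ == "__main__":
    for name, mem, start in (("EU R/B", EU_RB, 0xD168), ("EU Yellow", EU_YELLOW, 0xDA84),
                             ("JP Yellow", JP_YELLOW, 0xD9B2)):
        target, seen = trace(mem, start)
        print(f"{name}: jp hl -> {target:04X} after {len(seen)} instructions")
```

Running it reproduces the three destinations the listings claim (D327, D326 and D2A6), and `jr_byte(0xD229, 0xD271)` returns the 0x46 operand shown at the end of the R/B list.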