Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Combining 8F item with link cable hacks

Posted by: phasip
Date: 2015-05-27 10:24:01
Hey!
This may not be your traditional glitch - but I hope it is welcome here anyway.
I have been playing with hacking Pokémon Red for the Game Boy Color through a link cable. (https://github.com/Phasip/PokemonLinkHack)
Currently I have been using the BGB emulator to play with, and a Bus Pirate to connect to a real Game Boy.
I think a Raspberry Pi with a 10 kOhm resistor voltage drop should be usable too.

Using a link cable one can get an 8F item by placing an Old Rod in the 4th item slot and trading Missingno Pokémon to modify it to 8F.
Pokémon containing executable code can simply be traded, allowing for ~32 bytes of code execution.
Additional code can be transferred through the link cable (via a Pokémon that does a serial receive and executes the code).

No new hacks are used. Though the link cable has a "patch list" which allows for bytes a bit further than the end of the opponent trainer list to be set to 0xFE. Though apart from game time and number of pokemons in box, no reachable address seems usable.

Re: Combining 8F item with link cable hacks

Posted by: phasip
Date: 2015-05-29 11:12:47
Heyho!

So, I found the 0x7A item - it allows us to jump to 0xFA58.
FA58 is wired to DA58, which is four bytes into the daycare Pokémon's original trainer name.

Using 8F and the serial transfer we can run the code:
push hl
ld hl,$d31e   ; first item slot
ld (hl),$7a   ; set the item id to 0x7A
inc hl
ld (hl),$63   ; set the quantity to 99 (0x63)
ld hl,$da58   ; daycare OT name
ld (hl),$18   ; jr
inc hl
ld (hl),$40   ; displacement: $da58 + 2 + $40 = $da9a
pop hl
ret

Which changes the first item in our inventory to 0x7A and fixes the bytes in the daycare to jump to the fourth byte of the first Pokémon in the current box.

So, boxed Pokémon don't have as much data, but some.
What we can do is box a first Pokémon with the code:
ld a,$08      ; bank to switch to
call $35bc    ; Bankswitch
ld hl,$da80   ; Pokémon location (box data)
call $56be    ; ListPokemon
call $35cd    ; BankswitchBack
ld hl,$da9a   ; entry point of the first boxed "program"
ld a,($cc2b)  ; index chosen in ListPokemon
ld b,$00
ld c,$21      ; bc = $21, one box entry
call $3a87    ; AddNTimes: hl += a * bc
jp (hl)

(bytes: 18 00 00 00 3E 08 CD BC 35 21 80 DA CD BE 56 CD CD 35 21 9A DA FA 2B CC 06 00 0E 21 CD 87 3A E9 00 00 …)
Which lists the names of the "programs" in the selected box and jumps to the fourth byte of the selected Pokémon.

Bam! Now we can install and run programs.

Edit.
I guess I should mention that all of this has only been tested on my Pokémon Blue (English), and offsets have been found at https://github.com/iimarckus/pokered/blob/master/wram.asm
Edit2:
Noticed that I said FA instead of 7A …
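As an added example (not phasip's code or part of the thread), here is a small decoder for the handful of LR35902 opcodes used in the two listings above. It checks the hex bytes quoted in the post against the listing and resolves the relative jump arithmetic (the 18 40 stored at $da58 has to land on $da9a) and the AddNTimes stride. The one assumption is that the quoted bytes sit at $da96, four bytes before $da9a, so that the "ld a,$08" is the byte the daycare jr reaches.

```python
# Added example: tiny decoder for the LR35902 (Game Boy CPU) opcodes used in the
# listings above. Operands are little-endian; jr uses a signed 8-bit displacement.
OPCODES = {  # opcode -> (format template, operand size in bytes)
    0x00: ("nop", 0),               0x06: ("ld b,${n:02x}", 1),
    0x0E: ("ld c,${n:02x}", 1),     0x18: ("jr ${target:04x}", 1),
    0x21: ("ld hl,${nn:04x}", 2),   0x23: ("inc hl", 0),
    0x36: ("ld (hl),${n:02x}", 1),  0x3E: ("ld a,${n:02x}", 1),
    0xC9: ("ret", 0),               0xCD: ("call ${nn:04x}", 2),
    0xE1: ("pop hl", 0),            0xE5: ("push hl", 0),
    0xE9: ("jp (hl)", 0),           0xFA: ("ld a,(${nn:04x})", 2),
}

def jr_target(addr, disp):
    """Target of a jr at `addr`: the next instruction (addr+2) plus the signed disp."""
    return (addr + 2 + (disp - 0x100 if disp > 0x7F else disp)) & 0xFFFF

def disassemble(code, base):
    """Return [(address, mnemonic)] for `code` loaded at `base`; unknown bytes become db."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES or pc + OPCODES[op][1] >= len(code):
            out.append((base + pc, f"db ${op:02x}"))  # unknown opcode or truncated operand
            pc += 1
            continue
        template, size = OPCODES[op]
        n = code[pc + 1] if size >= 1 else 0
        nn = n | (code[pc + 2] << 8) if size == 2 else n
        out.append((base + pc, template.format(n=n, nn=nn, target=jr_target(base + pc, n))))
        pc += 1 + size
    return out

def program_entry(slot):
    """Entry of box slot `slot` (0-based), as AddNTimes computes it: $da9a + slot * $21."""
    return 0xDA9A + slot * 0x21

# Bytes quoted in the post, constructed here from that hex string with the trailing
# 00 padding dropped. Assumption: the box entry starts at $da96, four bytes before
# the $da9a the daycare stub jumps to.
LIST_PROGRAM = bytes.fromhex("180000003E08CDBC352180DACDBE56CDCD35219aDAFA2BCC06000E21CD873AE9")
DAYCARE_STUB = bytes([0x18, 0x40])  # the two bytes the first listing stores at $da58

if __name__ == "__main__":
    for addr, text in disassemble(DAYCARE_STUB, 0xDA58) + disassemble(LIST_PROGRAM, 0xDA96):
        print(f"{addr:04x}  {text}")
```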

Re: Combining 8F item with link cable hacks

Posted by: vaguilar
Date: 2015-06-01 14:57:12
Interesting stuff. I also investigated something similar and found a buffer overflow when printing out the Pokémon party in the Cable Club. It allows you to execute whatever program you send in the patch list. More info here if you're interested: http://vaguilar.github.io/posts/1/

Re: Combining 8F item with link cable hacks

Posted by: phasip
Date: 2015-06-02 01:43:18
Nice writeup! Was looking for similar work but didn't find this or the spoofing post - I guess I need to work on my google-fu.
I realized there was a problem with strings, but I assumed I would have to mess up too much of the game's memory to be usable.

Will try to use this hack to get the 7a item faster.
Btw, the code above is not completely correct - will try to get stuff up on github later.
–Edit–
Cleanup done, code is nice and uses the exploit to install 7a.

Re: Combining 8F item with link cable hacks

Posted by: Torchickens
Date: 2015-06-02 20:45:39
This sounds very nice. It reminds me of what TheZZAZZGlitch did for Pokémon Crystal.

I might look into your methods and do some Pokémon link hacking too one day. :)

Did you know that -g m (hex:6A) points to DA47? So that's another item for a stored PC bootstrap code instead of a party Pokémon bootstrap code.