Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: Crystal_
Date: 2016-06-05 12:24:28
Basically, out of unrelated data, hex 00's move effect turns out to be 0x74, which essentially makes its move effect pointer point to D928. The cooltrainer move will execute its move effect function at the end of the ExecuteMove routine, and only if the target isn't fainted. Since cooltrainer has a glitch move effect, it's not present in any of the special move effect arrays and thus falls into the last call to the move effect handling function, where all the move effects that have not been handled yet are supposed to be taken care of.

D928 is exactly the start of the enemy party Pokemon data. It's not the best place to end up at, but it's still RAM nonetheless.

[img]http://i.imgur.com/DWUmEA7.png[/img]

After spending some time considering all the options, this is the best I could come up with:

add hl, hl    ; 29 = species byte (Machoke)
nop           ; 00 = current HP high byte
jp [hl]       ; E9 = current HP low byte (233 = 0x00E9)


Which corresponds to Machoke with 233 current HP in the fourth position of the last fought opponent. This already makes access to the cable club with another player/game a necessity.

This makes us jump to D250, which is the move 2 of the sixth party Pokemon. It's more manageable but we still need to find a way to reach bag items, ideally. I came up with the following setup to reach D31E (item 1):

Party Pokemon #6: (Golbat)
- Hyper Beam as 2nd move
- Supersonic as 3rd move
- Leech Life as 4th move

which is:

ccf           ; 3F = Hyper Beam
jr nc, $8d    ; 30 8D = Supersonic, Leech Life


hl overflowed in the last add hl, hl instruction so we will be jumping to D1E0 here, which is the move 1 PP of party Pokemon #3.

And then:

Party Pokemon #3:
- PP of move 1: C3 (3 PP, 3 PP ups)
- PP of move 2: 1E (30 PP, 0 PP ups)
- PP of move 3: D3 (19 PP, 3 PP ups)

Or jp D31E, which means that we finally made it to the item 1 of our bag.

Given how easy it is to get a Ditto to learn cooltrainer, I was hoping that this could make a decent alternative to ACE with 8F, as that item is not particularly easy to obtain. However, this also has many inconveniences.

- Need to have someone else with a very high level Machoke (around 80) to battle with
- Need 6 PP Ups
- Need a lot of coins to buy Hyper Beam

What's more, in order to keep the opponent's party Pokemon in RAM we must perform the cable club escape glitch, or else the data will be gone when we reset. Sure, the first thing we could do with ACE is clear the flag that makes the game think we are in the cable club (is it wLinkState? I'm too lazy to properly check right now) so we can actually save and end all the other side effects. But this inconvenience basically turned it off for me compared to 8F.

Also to note are the well-known corrupting side effects of the cooltrainer move, as well as the fact that cooltrainer ACE won't be as versatile as 8F since we can only use it during battle. I thought at first that cooltrainer ACE might make a decent alternative to hack yourself 8F, but all the flaws considered, it definitely doesn't appear to be the case.

The ACE exploit is there though, in case someone can come up with a better bootstrap code.

EDIT: Made a typo, it's not D929, but D928. Fixed the screenshot too.
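The bootstrap chain above, traced end to end as an added example (this is not code from the post, the game or the pret disassembly; it is a throwaway Python model). It lays out the three Pokemon the post describes at their WRAM addresses and steps a minimal interpreter over just the opcodes the chain uses. The wPartyMon1/wEnemyMon1/wBagItems addresses, the 44-byte party struct offsets, the Machoke index 0x29 and the move indices 0x3F/0x30/0x8D are assumed from the disassembly as the post reads them; the starting hl value 0xE928 is an assumption pinned by the post's statement that hl overflows in add hl, hl and the jump lands on D250.

```python
"""Trace the cooltrainer ACE bootstrap described in the post (added example, not the
post's own code). RAM is a 64 KiB bytearray; only the bytes the chain reads are set."""

# WRAM symbols and party-mon struct layout as in the pret/pokered disassembly (assumed).
W_PARTY_MONS = 0xD16B   # wPartyMon1
W_ENEMY_MONS = 0xD8A4   # wEnemyMon1 (last fought opponent's party)
W_BAG_ITEM1 = 0xD31E    # item ID of bag slot 1 (wBagItems + 1)
MON_SIZE = 44
OFF_SPECIES, OFF_HP, OFF_MOVES, OFF_PP = 0, 1, 8, 29

# Gen 1 internal indices used by the post (assumed from the disassembly constants).
MACHOKE = 0x29                                          # opcode 29 = add hl,hl
HYPER_BEAM, SUPERSONIC, LEECH_LIFE = 0x3F, 0x30, 0x8D   # ccf ; jr nc,$8D


def mon_addr(base, slot):
    """Address of the 1-based party slot in a 44-byte-per-mon array."""
    return base + (slot - 1) * MON_SIZE


def pp_byte(pp, pp_ups):
    """Gen 1 PP byte: bits 0-5 hold current PP, bits 6-7 the PP Ups applied."""
    if not (0 <= pp < 64 and 0 <= pp_ups < 4):
        raise ValueError("PP byte out of range")
    return (pp_ups << 6) | pp


def build_ram():
    """Lay out the setup from the post; everything else stays 00 (nop)."""
    ram = bytearray(0x10000)
    e4 = mon_addr(W_ENEMY_MONS, 4)               # D928: enemy Pokemon #4
    ram[e4 + OFF_SPECIES] = MACHOKE
    ram[e4 + OFF_HP:e4 + OFF_HP + 2] = (233).to_bytes(2, "big")   # 00 E9: nop ; jp hl
    p6 = mon_addr(W_PARTY_MONS, 6)               # party Pokemon #6 (the Golbat)
    ram[p6 + OFF_MOVES + 1:p6 + OFF_MOVES + 4] = bytes([HYPER_BEAM, SUPERSONIC, LEECH_LIFE])
    p3 = mon_addr(W_PARTY_MONS, 3)               # party Pokemon #3 PP bytes: C3 1E D3
    ram[p3 + OFF_PP:p3 + OFF_PP + 3] = bytes([pp_byte(3, 3), pp_byte(30, 0), pp_byte(19, 3)])
    return ram


def trace(ram, pc, hl, carry, stop_at, max_steps=32):
    """Step an SM83 subset over ram until pc == stop_at. Returns (path, final_pc).
    Any opcode outside the six the chain relies on raises, which is the check you
    want when re-planning the route: every byte on the way has to be harmless."""
    path = []
    for _ in range(max_steps):
        if pc == stop_at:
            return path, pc
        op = ram[pc]
        path.append(pc)
        if op == 0x00:                           # nop
            pc += 1
        elif op == 0x29:                         # add hl,hl: carry = old bit 15
            hl <<= 1
            carry, hl = hl > 0xFFFF, hl & 0xFFFF
            pc += 1
        elif op == 0xE9:                         # jp hl
            pc = hl
        elif op == 0x3F:                         # ccf
            carry = not carry
            pc += 1
        elif op == 0x30:                         # jr nc,e8 (signed, relative to pc+2)
            off = ram[pc + 1]
            off -= 0x100 if off >= 0x80 else 0
            pc = (pc + 2 + off) & 0xFFFF if not carry else pc + 2
        elif op == 0xC3:                         # jp a16 (little-endian operand)
            pc = ram[pc + 1] | (ram[pc + 2] << 8)
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {pc:04X}")
    raise RuntimeError(f"gave up after {max_steps} steps at {pc:04X}")


def bootstrap_path():
    """hl = E928 is assumed: the post says add hl,hl overflows and jp hl lands on D250,
    which fixes the pre-add value to E928."""
    return trace(build_ram(), mon_addr(W_ENEMY_MONS, 4), 0xE928, False, W_BAG_ITEM1)


if __name__ == "__main__":
    path, end = bootstrap_path()
    print(" -> ".join(f"{a:04X}" for a in path), f"-> {end:04X} (bag item 1)")
```

Running it prints the six executed addresses D928, D929, D92A, D250, D251, D1E0 and the final landing at D31E. To try a different route, change the bytes written in build_ram and re-run; the interpreter refusing an opcode it does not know is the signal that a Pokemon field on the path has to be changed to something harmless.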

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: Spoink
Date: 2016-06-05 12:28:43
Surprised nobody found this yet. I'll look into other glitch moves. How do you find the pointers?

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: Crystal_
Date: 2016-06-05 12:36:54
From data past this table: https://github.com/pret/pokered/blob/master/engine/battle/core.asm#L7142

Note that move effects with id 80-FF point to same as 00-7F though (or rather 81-00 = 01-80), other than that the moment when they are called may be different.

The pointers will be made up from the unused sleep effect function below the table.

I tracked down other glitch moves in the past, but it's still pretty suboptimal. For example, glitch move TM42's effect handler points to CD11, which is the least significant byte of the player's active Pokemon's unmodified HP stat: https://www.youtube.com/watch?v=FoV9HUtVICE

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: Krys3000
Date: 2016-06-05 13:15:00
Very nice job Crystal_, that makes another way to execute code in 1G. Joining 8F, Pikachu off-screen, B1F, TM42… maybe others too; at one time I was working on a way to execute code from tiles using \-g* (hex:6F) but never had the time to finish it.

I'll tweet about this with prama's account ;D

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: TheZZAZZGlitch
Date: 2016-06-05 13:38:22
This is already known and was used in the (now obsolete) Pokémon Blue TAS in 28:07.28 by MrWint. Except there, instead of trying to make use of the opponent Pokemon data, this area was just filled with harmless instructions to let the execution slide all the way to boxed Pokemon data at $DA80.

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.

Posted by: camper
Date: 2016-06-05 22:17:41
You'll also need an X Accuracy to reliably hit with the move, or the move effect won't happen.