Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Arbitrary Code Execution Discussion


ACE via Cable Club and Persistent ACE

Posted by: ds84182
Date: 2016-11-09 18:08:41
I wrote an arbitrary code execution platform thing based off of http://vaguilar.js.org/posts/1/. It achieves code execution through the Cable Club and expands it by loading different SRAM payloads that the user can select (currently can dump and flash the entire SRAM). Using SRAM dump and flash I can unload a payload into the save file of the game that executes code while the game is running AS LONG AS THE USER VISITS PALLET TOWN ONCE DURING RUNTIME. The persistent code runs from SRAM in some empty unused area. When the user presses the SELECT button it shows a menu that lets you fly anywhere (using the standard fly dialog) without having a Pokemon that knows fly (it also overrides the fly list so you can fly places without visiting there first).

The code can be found here: https://github.com/ds84182/redisdead

I have no clue if it works on other people's computers. It requires an environment set up in a certain way.

Re: ACE via Cable Club and Persistent ACE

Posted by: Aldrasio
Date: 2016-12-07 22:00:51
Does this work with any save file? I did something like this a while ago based on the same post. I got it to upload save files just fine off of a new game (demonstrated here), but I ran into a roadblock when it came to downloading save files. The RAM address used for the stack overflow is in the middle of the game's flag data, so a lot of the time I'd randomly get an instruction that hung the CPU. Using a new game guaranteed that most of the flag data was 00, so it just nop'd into the injected code.
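Both posts describe the same two conditions a save-file payload depends on: non-zero bytes sitting in an SRAM area that should be empty, and a stretch of flag bytes in front of the payload that must all be 0x00 (NOP) so the CPU slides into it instead of executing a stray instruction such as HALT. The script below is an added example, not code from either poster or from the redisdead repository; it audits an SRAM image for exactly those two conditions and checks that the save is still loadable. The region offsets (`EMPTY_REGION`, `SLIDE_REGION`, the payload at 0x7F00) are placeholders because the thread does not give them, and the Gen I bank-1 checksum layout (one's complement of the byte sum over 0x2598..0x3522, stored at 0x3523) is from memory of the save format and should be verified against a dump of your own cartridge.

```python
"""Audit a Gen I (Red/Blue) SRAM image for a persistent code payload.

Added example; not code from the posters or from the redisdead repository.
Assumptions (constructed/placeholder, not taken from the thread):
  * EMPTY_REGION stands in for the "empty unused area" of SRAM that the
    persistent code lives in; the real offset is not given in the thread.
  * SLIDE_REGION stands in for the flag bytes the CPU falls through before
    reaching the payload; only 0x00 (NOP) there avoids a random hang.
  * The bank-1 checksum layout is from memory of the Gen I save format:
    one's complement of the byte sum over 0x2598..0x3522, stored at 0x3523.
    Verify against a real dump before relying on it.
"""

SRAM_SIZE = 0x8000   # 32 KiB cartridge SRAM (4 banks x 8 KiB)
NOP = 0x00           # SM83 opcode 0x00 = NOP
HALT = 0x76          # SM83 opcode 0x76 = HALT (CPU stops until an interrupt)

CHECKSUM_START, CHECKSUM_END, CHECKSUM_ADDR = 0x2598, 0x3523, 0x3523  # assumed
EMPTY_REGION = (0x7E00, 0x8000)   # placeholder offsets for the unused area
SLIDE_REGION = (0x7E80, 0x7F00)   # placeholder: flag bytes before the payload


def nonzero_runs(data, start, end):
    """Return [(offset, length), ...] for every run of non-zero bytes in [start, end)."""
    runs, i = [], start
    while i < end:
        if data[i] == 0:
            i += 1
            continue
        j = i
        while j < end and data[j] != 0:
            j += 1
        runs.append((i, j - i))
        i = j
    return runs


def nop_slide_ok(data, start, end):
    """True when every byte the CPU would fall through is a NOP (0x00).

    Any other byte decodes as some instruction; a set flag that happens to be
    0x76 (HALT) is the kind of random hang the second post describes.
    """
    return all(b == NOP for b in data[start:end])


def gen1_checksum(data):
    """One's complement of the byte sum over the bank-1 checksum range (assumed layout)."""
    return (~sum(data[CHECKSUM_START:CHECKSUM_END])) & 0xFF


def checksum_valid(data):
    return gen1_checksum(data) == data[CHECKSUM_ADDR]


def audit(data):
    """Summarise what a save-file check would flag for one SRAM image."""
    return {
        "payload_runs": nonzero_runs(data, *EMPTY_REGION),
        "nop_slide_ok": nop_slide_ok(data, *SLIDE_REGION),
        "checksum_valid": checksum_valid(data),
    }


def make_sample(with_payload, dirty_flag=False):
    """Constructed SRAM images for demonstration; not real dumps."""
    img = bytearray(SRAM_SIZE)
    if with_payload:
        # constructed placeholder bytes standing in for a payload: LD A,1 ; RET
        img[0x7F00:0x7F03] = bytes([0x3E, 0x01, 0xC9])
    if dirty_flag:
        img[0x7EC0] = HALT            # a set game flag that decodes as HALT
    img[CHECKSUM_ADDR] = gen1_checksum(img)   # keep the save loadable
    return bytes(img)


if __name__ == "__main__":
    for name, img in [("clean", make_sample(False)),
                      ("payload", make_sample(True)),
                      ("payload+flag", make_sample(True, dirty_flag=True))]:
        print(name, audit(img))
```

Run against a real dump by replacing `make_sample(...)` with `open("save.sav", "rb").read()` and setting the two region tuples to the offsets you have confirmed for your own save layout; a `nop_slide_ok` of `False` is the "randomly hung CPU" case from the second post, and a non-empty `payload_runs` is what a save-file integrity check would flag.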