Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-23 15:26:32
The data for glitch Pokémon Pokédex entries is retrieved from a specific location on the Game Boy address bus. In Pokémon Red, this address should be the value of register de when a breakpoint is set at 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must have not set the glitch Pokémon's capture flag to see its Pokédex entry)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this.

* Species string terminated by 50.
* Four bytes apparently affecting height and weight.
* Text code.
* 0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command, we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which is somewhere in the Hall of Fame data for SRAM bank 0.

When I caught a glitch Pokémon it appears that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are if you are able to catch these glitch Pokémon using the LOL glitch you already have access to the expanded items pack, which sadly makes this glitch unnecessary as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution but it's still a nice glitch.

Edit: I checked Blue and nothing changed sadly, though I just noticed I may have missed 0xF0 (8350).

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Caveat
Date: 2017-04-23 17:06:52
I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with…

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-23 17:47:40

I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with…


Technically, Fossil and Ghost MissingNo. can be manipulated to have different base stats and/or a different TM/HM learnset but it has to be taken from an existing Pokémon or glitch Pokémon.

https://www.youtube.com/watch?v=JnwN-uIVliA

Otherwise I don't think so, as all data (except for pointers within the data) for Pokédex numbers (where the TM/HM data is stored) ends up in ROM, and the TM/HM data is just a series of eight bytes wherever in the ROM the game ends up (TM/HM flags).

However, there is the possibility of a glitch Pokémon with a sprite from RAM. If so, there is a slim chance we might even be able to assign a custom sprite without OAM hacking, but it would also have to have the dimensions data (not manipulable and from the ROM) assigned to that glitch Pokémon. In other words it seems there could be a size limit for that sprite, and for glitch Pokémon with an x0 dimension their sprites could still freeze the game.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-24 04:31:43
Pokémon sprites aren't managed by the OAM. They are written on the tilemap (otherwise they'd take all sprite slots and there would be nothing remaining for attack animations).

Also, C203 ACE (Pokémon FE) has a slim chance of being possible (I personally doubt it, but… let's cross fingers!) and CB17 ACE may be possible: it runs code based on map data and lastly drawn tiles, and eventually on menu data (<- this one almost always crashes due to bad luck).

VRAM should be locked when data is pulled from it, so I have doubts about all the non-* entries.

The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th? I lost count) ACE exploit in these games.


Yes, we have more than 10 different ACE exploits.
QUALITY PROGRAMMING, GAME FREAK

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-24 08:32:38
Updated with Yellow pointers:

(Set a breakpoint to 10:4405 and check de)

00: 9288
BF: 8492
C0: 8384
C2: 9604
C6: 8492
C7: 8384
CD: 8492
CE: 8384
D0: A207/FREEZE
D4: 888B
D5: 8099
D6: 8391
D8: BE00
DC: 8B85
DD: 8C80
E1: 8417
E3: 8550
E4: 808B
E5: 848C
E7: D007
EB: 8893
EC: 988D
ED: 9493
EE: 9391
EF: 848B
F1: C808
F5: 9493
F6: 9391
F7: 848B
F9: F403 (!!)
FD: 8792
FE: 8B84
FF: 858B

F403 is Echo RAM for D403, which can be manipulated by changing item 116+ in the expanded items pack, although you don't have that much space because items 129-256 represent items 1-128 again.
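The pointer lists in the Red post above and in this Yellow post can be sorted by Game Boy memory region mechanically. The following Python is an added example, not code from the thread or from the pret disassembly: it carries the standard Game Boy bus layout (ROM, VRAM, SRAM, WRAM, Echo RAM mirroring C000-DDFF, and so on), reproduces the asterisk classification by keeping only pointers that land in SRAM or WRAM (directly or through Echo RAM, which is how F403 resolves to D403), and walks one entry in the layout the first post gives (species string terminated by 0x50, four height/weight bytes, then the text command byte, 0x17 being "text far"). The sample entry bytes at 0xC203 are constructed for illustration; the 0xFF read for unmapped addresses is a simplification of the real bus.

```python
"""Classify glitch Pokédex pointers by memory region and parse one entry.

Added example, not from the thread or the disassembly. The memory map is the
standard Game Boy layout; the entry layout follows the first post; the sample
bus contents are constructed.
"""
from typing import Dict, Tuple

# Standard Game Boy address-bus layout (inclusive ranges).
REGIONS = [
    (0x0000, 0x7FFF, "ROM"), (0x8000, 0x9FFF, "VRAM"), (0xA000, 0xBFFF, "SRAM"),
    (0xC000, 0xDFFF, "WRAM"), (0xE000, 0xFDFF, "Echo RAM"), (0xFE00, 0xFE9F, "OAM"),
    (0xFEA0, 0xFEFF, "unusable"), (0xFF00, 0xFF7F, "I/O"), (0xFF80, 0xFFFE, "HRAM"),
    (0xFFFF, 0xFFFF, "IE"),
]

# Gen I text commands relevant here: 0x17 follows a far pointer to more text,
# 0x08 hands control to the bytes that follow it.
TEXT_FAR, TEXT_ASM = 0x17, 0x08

# Pointer tables copied from the thread (glitch species id -> entry address).
RED_POINTERS = {
    0xBF: 0x9183, 0xC0: 0x8B88, 0xC6: 0x8F50, 0xC7: 0x9180, 0xC8: 0x8D84,
    0xCE: 0x8F50, 0xCF: 0x888E, 0xD0: 0x8E92, 0xD2: 0x888F, 0xD6: 0xB417,
    0xD8: 0x8550, 0xD9: 0x8880, 0xDA: 0x9891, 0xDC: 0xAA00, 0xE0: 0x8893,
    0xE1: 0x988D, 0xE2: 0x817F, 0xE3: 0x9188, 0xE9: 0x8150, 0xEA: 0x8B80,
    0xEE: 0xCB17, 0xEF: 0x8350, 0xF1: 0x8891, 0xF2: 0x8B8B, 0xF8: 0x8487,
    0xF9: 0x8C91, 0xFA: 0x9388, 0xFB: 0x9182, 0xFC: 0x8180, 0xFE: 0xC203,
}
YELLOW_POINTERS = {
    0x00: 0x9288, 0xBF: 0x8492, 0xC0: 0x8384, 0xC2: 0x9604, 0xC6: 0x8492,
    0xC7: 0x8384, 0xCD: 0x8492, 0xCE: 0x8384, 0xD0: 0xA207, 0xD4: 0x888B,
    0xD5: 0x8099, 0xD6: 0x8391, 0xD8: 0xBE00, 0xDC: 0x8B85, 0xDD: 0x8C80,
    0xE1: 0x8417, 0xE3: 0x8550, 0xE4: 0x808B, 0xE5: 0x848C, 0xE7: 0xD007,
    0xEB: 0x8893, 0xEC: 0x988D, 0xED: 0x9493, 0xEE: 0x9391, 0xEF: 0x848B,
    0xF1: 0xC808, 0xF5: 0x9493, 0xF6: 0x9391, 0xF7: 0x848B, 0xF9: 0xF403,
    0xFD: 0x8792, 0xFE: 0x8B84, 0xFF: 0x858B,
}


def region_of(addr: int) -> str:
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    raise ValueError(f"address out of range: {addr:#06x}")


def mirror_target(addr: int) -> int:
    """Echo RAM (E000-FDFF) mirrors WRAM C000-DDFF; everything else maps to itself."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def writable_candidates(table: Dict[int, int]) -> Dict[int, Tuple[int, str]]:
    """Entries whose pointer lands in SRAM or WRAM (directly or via Echo RAM).

    VRAM is deliberately left out: the thread notes it is locked while the entry
    is read from it. Returns species -> (pointer, region the pointer itself is in).
    """
    out = {}
    for species, addr in sorted(table.items()):
        if region_of(mirror_target(addr)) in ("SRAM", "WRAM"):
            out[species] = (addr, region_of(addr))
    return out


def parse_entry(bus: Dict[int, int], addr: int) -> dict:
    """Walk one entry: 0x50-terminated species string, 4 height/weight bytes, text command.

    `bus` maps address -> byte; unmapped addresses read as 0xFF (constructed simplification).
    A runaway string (no terminator within 11 bytes) is reported as an error, which is
    what reading an entry out of arbitrary RAM contents can look like.
    """
    read = lambda a: bus.get(a, 0xFF)
    p, species = addr, bytearray()
    while read(p) != 0x50:
        species.append(read(p))
        p += 1
        if len(species) > 10:
            raise ValueError("no 0x50 terminator within 11 bytes")
    p += 1                                   # skip the terminator
    height_weight = bytes(read(p + i) for i in range(4))
    p += 4
    cmd = read(p)
    kind = {TEXT_FAR: "text far", TEXT_ASM: "execute following bytes"}.get(cmd, "other")
    return {"species": bytes(species), "height_weight": height_weight,
            "text_cmd": cmd, "text_cmd_kind": kind, "text_cmd_addr": p}


# Constructed sample at Red's 0xFE pointer (WRAM 0xC203): "TEST" in the Gen I
# charmap (A = 0x80), terminator, 4 height/weight bytes, then a normal 0x17 command.
SAMPLE_BUS = dict(enumerate(
    bytes([0x93, 0x84, 0x92, 0x93, 0x50, 0x03, 0x04, 0x00, 0x64, 0x17, 0x00, 0x40, 0x01, 0x50]),
    start=0xC203))

if __name__ == "__main__":
    for name, table in (("Red", RED_POINTERS), ("Yellow", YELLOW_POINTERS)):
        for species, (ptr, region) in writable_candidates(table).items():
            print(f"{name} {species:02X}: {ptr:04X} ({region}, resolves to {mirror_target(ptr):04X})")
    print(parse_entry(SAMPLE_BUS, 0xC203))
```

Running it lists exactly the four starred Red entries (D6, DC, EE, FE) and the five Yellow pointers the thread singles out (D0, D8, E7, F1 and F9, the last reported as Echo RAM resolving to D403).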

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-24 10:56:49
Now THAT is really interesting!

E7 runs code from D007, which is wEnemyMonBaseExp.
Right then is the player Pokémon's name, so no problem! Having a nick with a perfect number of characters means the first executed byte will be the player Pokémon's HP (low byte). Making this $08 is easy.
ACE HYPEEEEEEEEEEEE
Setup that would work, though it's not the only one:
- "Box level" (?) 1-byte instruction that doesn't crash
- No status problem
- The Pokémon's type #1 should be $01 (FIGHT-type?)
And then the Pokémon's moves onwards will be run as code.

F1's C808 is in the middle of a "LY override buffer". No idea what this is, but if the first read byte is $08, then this may NOP-slide into some printer-related data. Might lead to ACE?

F403 is in the middle of some warp data. As Torchickens pointed out, this could be manipulated!
We can re-route execution to the item pack (either direct jump, or set hl then jp hl)

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: VaeporSage
Date: 2017-04-24 20:38:58
If this works out, how many 1st Gen ACE methods would that make now? ;D

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-25 03:07:39
- Glitch item ACE
- Custom map script ACE
- Glitch map's map script ACE
- Normal map glitched map script ACE
- Glitch move ACE
- Glitch text boxes ACE
- Pikachu off-screen ACE
- Pikachu glitch emote ACE
- CartSwap ACE
- ZZAZZ Trainer ACE
- Glitch Pokédex entries ACE

That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
¯\_(ツ)_/¯

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-25 09:00:44
I think you forgot remote code execution in the Trade Center (the exploit MrCheeze did for the R/B virus), so that makes at least 12.

https://www.youtube.com/watch?v=h5Igc18hc2Q

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Parzival
Date: 2017-04-25 13:09:43

- Glitch item ACE
- Custom map script ACE
- Glitch map's map script ACE
- Normal map glitched map script ACE
- Glitch move ACE
- Glitch text boxes ACE
- Pikachu off-screen ACE
- Pikachu glitch emote ACE
- CartSwap ACE
- ZZAZZ Trainer ACE
- Glitch Pokédex entries ACE

That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
¯\_(ツ)_/¯
Game Freak's FailTrain just doesn't stop, does it?

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-25 14:37:34
Yeah, it's quite unfortunate for Game Freak.

Interestingly, if you call Wack0's Hall of Fame script using 0xF9 ACE, the Hall of Fame sequence runs without any problems but upon choosing continue you don't receive the Pokémon (which would have been a Rhydon).

(Image: http://i.imgur.com/on31H7N.gif)

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Parzival
Date: 2017-04-25 16:31:36
Nice find!

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Caveat
Date: 2017-04-25 19:44:06
Much like science in general, glitching seems to not be based on the principle of "why", but the principle of "why NOT?"

Do we need 12 ways to execute arbitrary code? Hell no, but that won't stop any of us.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-26 08:51:59

The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th? I lost count) ACE exploit in these games.


Looking into Red/Blue's now and will hopefully include it with Yellow ACE in a video.

I almost did this with 0xDC (AA00) using Pokémon 5 with a 50 terminator in the right place and Pokémon 6 as a Level 8 Pokémon with an invalid nickname, but then it seems the SRAM data got corrupted because of 0xDC's sprite on the Pokédex entry, and that might be why it didn't work.

I'm not sure if you can do it with 0xD6 without another ACE or Hall of Fame corruption as it lands on one of the 00s, and even with a 0x50 directly following it you can't use the 08 text code five bytes later.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Parzival
Date: 2017-04-26 09:06:48
Correct me if I'm wrong, but isn't SRAM unlocked by writing any byte ending in a 0xA nybble to 0000-1FFF?
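The "what locks and what unlocks SRAM" question running through the thread (the SRAM-left-open observation in the first post, ISSOtm's remark, and the question just above) comes down to the cartridge's memory bank controller. The following Python is an added example, not code from the thread: a minimal model of that gate, using the rule as stated in the question (a write to 0000-1FFF whose low nybble is 0xA enables external RAM, anything else disables it; this is the documented MBC1 behaviour and 0x0A is the documented enable value for the MBC3 used by Red/Blue) plus the 4000-5FFF RAM bank select. Reads from A000-BFFF while RAM is disabled return 0xFF here, a simplification of real open-bus behaviour, and writes are dropped. The `scenario` function contrasts a game that closes SRAM after writing with one that leaves it open, which is the difference between an AA00 Pokédex pointer seeing 0xFFs and seeing whatever was last stored there; the record bytes are constructed.

```python
"""Minimal model of the MBC gate in front of cartridge RAM (SRAM).

Added example, not from the thread. Rule modelled: low nybble 0xA written to
0000-1FFF enables RAM, any other value disables it; 4000-5FFF selects the bank.
Disabled reads return 0xFF (simplification of open bus); disabled writes are dropped.
"""

RAM_ENABLE_LO, RAM_ENABLE_HI = 0x0000, 0x1FFF
RAM_BANK_LO, RAM_BANK_HI = 0x4000, 0x5FFF
SRAM_LO, SRAM_HI = 0xA000, 0xBFFF


class CartridgeRam:
    """32 KiB of external RAM in four 8 KiB banks behind an enable latch."""

    def __init__(self, banks: int = 4):
        self.banks = [bytearray(0x2000) for _ in range(banks)]
        self.enabled = False
        self.bank = 0

    def write(self, addr: int, value: int) -> None:
        value &= 0xFF
        if RAM_ENABLE_LO <= addr <= RAM_ENABLE_HI:
            self.enabled = (value & 0x0F) == 0x0A       # the "0xA nybble" rule
        elif RAM_BANK_LO <= addr <= RAM_BANK_HI:
            self.bank = value % len(self.banks)          # bank select
        elif SRAM_LO <= addr <= SRAM_HI and self.enabled:
            self.banks[self.bank][addr - SRAM_LO] = value
        # writes to disabled SRAM, and to ROM, are ignored

    def read(self, addr: int) -> int:
        if not SRAM_LO <= addr <= SRAM_HI:
            raise ValueError(f"{addr:#06x} is not in the SRAM window")
        if not self.enabled:
            return 0xFF
        return self.banks[self.bank][addr - SRAM_LO]


def entry_bytes(cart: CartridgeRam, addr: int, n: int = 8) -> bytes:
    """What the text engine would see if a Pokédex pointer landed at addr in SRAM."""
    return bytes(cart.read(addr + i) for i in range(n))


# Constructed sample record the game is imagined to store at AA00 (Red's 0xDC pointer).
SAMPLE_RECORD = b"\x8B\x8E\x8B\x50\x01\x02\x03\x04"


def scenario(forget_to_close: bool) -> bytes:
    """Game unlocks SRAM bank 0, writes a record at AA00, then locks again or not."""
    cart = CartridgeRam()
    cart.write(0x0000, 0x0A)                 # unlock
    cart.write(0x4000, 0x00)                 # bank 0
    for i, b in enumerate(SAMPLE_RECORD):
        cart.write(0xAA00 + i, b)
    if not forget_to_close:
        cart.write(0x0000, 0x00)             # lock again
    return entry_bytes(cart, 0xAA00)


if __name__ == "__main__":
    print("closed:", scenario(False).hex())
    print("left open:", scenario(True).hex())
```

A pointer such as AA00 therefore only yields meaningful data if the enable latch is still set when the Pokédex code reads it, which is why the state the game leaves SRAM in after a save or a Hall of Fame write matters more than the pointer value itself.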