Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Glitch Pokémon Pokédex ACE in Generation I - Page 2

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: jfb1337
Date: 2017-04-26 10:47:28
Does HRAM manipulation also count as ACE? Or not because the only way to get it is by already having ACE in the first place?

Anyway, I decided to do a search for jp [hl] to find other potential ACE entry points (besides the ones that mess with the stack such as trade centre RCE, or exotic stuff like cartswap and HRAM manip, or potentially anything that messes with the ROM bank in an unexpected manner, or anything which pushes something to the stack and then rets to it, though I don't know if the game ever does this):

pokered$ git grep "jp \[hl\]"
engine/battle/animations.asm:  jp [hl] ; jump to special effect function
engine/battle/animations.asm:  jp [hl]
engine/battle/animations.asm:  jp [hl]
engine/battle/animations.asm:  jp [hl]
engine/battle/battle_transitions.asm:  jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl] ; jump to special effect handler
engine/battle/trainer_ai.asm:  jp [hl]      ; execute modification function
engine/battle/trainer_ai.asm:  jp [hl]
engine/cable_club.asm:  jp [hl]
engine/items/items.asm: jp [hl]
engine/menu/start_sub_menus.asm:        jp [hl]
engine/menu/text_box.asm:      jp [hl] ; jump to the function
engine/overworld/player_state.asm:      jp [hl]
engine/overworld/ssanne.asm:    jp [hl]
engine/palettes.asm:    jp [hl]
engine/slot_machine.asm:        jp [hl]
engine/trade.asm:      jp [hl] ; call trade func, which will return to the top of the loop
home.asm:      jp [hl]
home.asm:      jp [hl]
home.asm:      jp [hl]
home/overworld.asm:    jp [hl] ; jump to script
home/predef.asm:        jp [hl]


OK so that's 24 possibilities (for R/B at least, haven't checked Y):

- The 4 in animations.asm look like they're either non-manipulable, or fall under Glitch Move ACE (via animation pointers)

- The 1 in battle_transitions.asm is non-manipulable (only influenced by bc which is set to 0, then only set by a few functions that never set bc to something invalid)

- The 3 in core.asm are either non manipulable or fall under Glitch Move ACE (via move effects)

- The 1 in trainer_ai.asm is the ZZAZZ trainer ACE (are there other glitch trainers that trigger ACE too?)

- The 1 in cable_club.asm seemed interesting, but it turns out that the address it reads from to determine the jump, CC38 aka wTradeCenterPointerTableIndex, is set right before every time the function that contains the jump is called, so it's unmanipulable.

- The 1 in items.asm is Glitch Item ACE, the 8F that we all know and love

- The 1 in start_sub_menus.asm is for out of battle moves, which seemed interesting since there is an unused field move $B4, but it would just act like Surf since in its place is an extra pointer to the Surf function. But maybe $cd3d AKA wFieldMoves could be manipulated somehow? Though this is very unlikely.

- The 1 in text_box.asm doesn't seem manipulable since it searches through a table that is properly terminated by $FF

- The 1 in player_state.asm looks interesting: It's determined by wSpriteStateData1 + 9, aka $C109, the player's current direction. Could that be potentially manipulated somehow?

- The 1 in ssanne.asm is ALSO based on wSpriteStateData1 + 9

- The 1 in palettes.asm is about SGB palette commands. But it seems like every time RunPaletteCommand is called, b is set to a valid palette command already, so there doesn't seem to be room for manipulation.

- The 1 in slot_machine.asm is for a pointer to a reward function that's based on the symbol on the wheel that matched. Unfortunately that doesn't seem possible to manipulate.

- The 1 in trade.asm is non manipulable, as the pointer it uses is only ever set to a valid trade animation function which just follows a fixed sequence defined entirely in ROM.

- The 3 in home.asm are in Bankswitch, CallFunctionInTable, and CheckForHiddenObjectOrBookshelfOrCardKeyDoor.
  - The latter is non-manipulable since it searches for a pointer in a well-terminated array, so it only loads valid hidden object pointers.
  - Bankswitch is also non-manipulable since it always sets hl properly before being called.
  - CallFunctionInTable is only used in scripts (which would fall under the map script ACE methods) and a couple of places in home.asm, one also to do with map scripts and the other for NPC movement scripts; after a quick glance over where the addresses involved are used, they seem to all be only set to constant values, unless $CC57 or $CF10 could be manipulated somehow.

- The 1 in overworld.asm is the map script, which covers 3 types of map pointer ACEs.

- Finally, the one in predef.asm is for Predef pointers. Probably not manipulable since a predef ID is always set before calling Predef.

I was surprised that TextCommandProcessor doesn't show up, but I discovered that actually uses "jp hl" instead of "jp [hl]" like I was searching for.

There are 2 other instances of "jp hl": One also in text.asm to a non manipulable function table, since it's only used when a < 0xE [even if this were manipulable, it wouldn't be very useful since it's part of the text command processor which you can already use 08 to turn into ACE anyway]. The other is in naming_screen.asm, on a non-manipulable table for button input.

Anyway, the next interesting thing to search for is TextCommandProcessor itself:

pokered$ git grep TextCommandProcessor
engine/cable_club.asm:  call TextCommandProcessor
engine/menu/pokedex.asm:        call TextCommandProcessor ; print pokedex description text
home.asm:      call TextCommandProcessor
home.asm:      jp TextCommandProcessor
home/text.asm:  call TextCommandProcessor
home/text.asm:TextCommandProcessor::
home/text.asm:  call TextCommandProcessor

The calls in text.asm are the handlers for TX_FAR, and Char55, which points to a fixed text in ROM.
The call in cable_club.asm is also a fixed text string.
The call in pokedex.asm is this ACE method!
The calls in home.asm are part of PrintText, which gives us something else to search for, and TrainerEndBattletext. Could we possibly manipulate the win/lose text pointers at d08c from within battle?

At this point I searched for PrintText… and there are TONS of results, too many to list here and more than I'm willing to check at the moment. They probably fall into the category of glitch text box ACE though.

But if anyone wants to add a 13th method to the list, PrintText is a good place to start.

Also, note that ACE doesn't necessarily need to point to RAM - Maybe there's something which points somewhere in ROM that's in the middle of a function that messes with the push/pop balance, causing the game to jump again to somewhere else when it hits a ret? A bit like how Coin Case ACE works.

Also, research into what unlocks SRAM would be nice, since sometimes when I hit an rst 38 I lose my save, and sometimes I don't, with no pattern I can see, so it would be nice to know what unlocks SRAM so I could take precautions.
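
The by-hand triage of the grep hits above (which register feeds hl, is it a table lookup, is it stack-derived) can be partly automated. The script below is an added example written for this archive, not code from the thread or from pokered: it scans a set of assembly sources for `jp [hl]` / `jp hl`, walks back from each hit to the enclosing label, collects every instruction that modified hl on the way, and gives a coarse verdict. The two sample files, their labels and `wEffectIndex` are constructed for the example; the verdict categories are a heuristic of my own, and the backward walk is linear, so a site reached by a branch into the middle of the block still needs a human look.

```python
import re
from typing import Dict, List

# Constructed sample sources (not pokered code): two indirect-jump sites written
# in the same idiom the grep above was hunting for.
SAMPLE_ASM: Dict[str, str] = {
    "engine/example_table.asm": """\
RunEffect:
	ld a, [wEffectIndex]
	ld e, a
	ld d, 0
	ld hl, EffectPointerTable
	add hl, de
	add hl, de
	ld a, [hli]
	ld h, [hl]
	ld l, a
	jp [hl] ; dispatch through the table
EffectPointerTable:
	dw Effect0
	dw Effect1
""",
    "home/example_ret.asm": """\
JumpToSaved:
	pop hl
	jp hl
Other:
	ret
""",
}

INDIRECT_JP = re.compile(r"^\s*jp\s+(\[hl\]|hl)\s*$", re.IGNORECASE)
LABEL = re.compile(r"^[A-Za-z_.][A-Za-z0-9_.]*::?\s*$")
HL_WRITER = re.compile(
    r"^(ld\s+(hl|h|l)\s*,|pop\s+hl\b|add\s+hl\s*,|inc\s+(hl|h|l)\b|dec\s+(hl|h|l)\b)"
)


def strip_comment(line: str) -> str:
    return line.split(";", 1)[0].rstrip()


def writes_hl(instr: str) -> bool:
    """True if the instruction changes hl, h or l (including [hli]/[hld] post-inc/dec)."""
    s = instr.strip().lower()
    return bool(HL_WRITER.match(s) or re.search(r"\[hl[id]\]", s))


def hl_chain(lines: List[str], jp_index: int) -> List[str]:
    """Walk backwards from the indirect jump to the enclosing label and return,
    in program order, every instruction that modified hl.  The walk also stops
    at the nearest `ld hl, <constant>`, the base the target is built from."""
    chain: List[str] = []
    for i in range(jp_index - 1, -1, -1):
        text = strip_comment(lines[i])
        if not text.strip():
            continue
        if LABEL.match(text):
            break
        if writes_hl(text):
            chain.append(text.strip())
            if text.strip().lower().startswith("ld hl"):
                break
    chain.reverse()
    return chain


def classify(chain: List[str]) -> str:
    """Coarse triage of where the jump target comes from (heuristic, my own categories)."""
    if not chain:
        return "hl not set in this block: caller-controlled"
    first = chain[0].lower()
    if first.startswith("ld hl"):
        if any(c.lower().startswith("add hl") for c in chain[1:]):
            return "table lookup: the index register picks the target"
        return "constant base"
    if first.startswith("pop hl"):
        return "stack-derived: push/pop balance picks the target"
    return "register/memory-derived"


def find_indirect_jumps(tree: Dict[str, str]) -> List[dict]:
    findings = []
    for path, src in tree.items():
        lines = src.splitlines()
        for n, raw in enumerate(lines):
            if INDIRECT_JP.match(strip_comment(raw)):
                chain = hl_chain(lines, n)
                findings.append({
                    "site": f"{path}:{n + 1}",
                    "instr": strip_comment(raw).strip(),
                    "chain": chain,
                    "kind": classify(chain),
                })
    return findings


if __name__ == "__main__":
    for f in find_indirect_jumps(SAMPLE_ASM):
        print(f"{f['site']}: {f['instr']}  [{f['kind']}]")
        for step in f["chain"]:
            print("    <-", step)
```

To run it over a real checkout, replace `SAMPLE_ASM` with a dict built from `pathlib.Path(...).rglob("*.asm")`; a "table lookup" verdict then says which register to chase (here `de`, loaded from `wEffectIndex`), and a "stack-derived" one points at the push/pop-balance class of entry points the post mentions.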

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Parzival
Date: 2017-04-26 10:56:26
Several (read: most) of the invalid Predefs in Yellow over… it's like $80 or so… execute data from WRAM (thanks to whoever wrote the Wiki article for bringing those to my attention!) so we could probably start there in RB as well.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-26 13:01:00
Wow, thanks for this jfb1337.

I suppose HRAM ACE counts as the Pikachu glitch emote ACE was included on the list as well.

I'll look into your finds to see if any other methods are possible.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-26 15:44:48
@Parzival : calling invalid predefs without ACE is currently impossible. I might become wrong at some point.

@jfb1337 : Nice grep ! :P
$C109 isn't manipulable on its own, BUT Glitch Pokémon sprites (like Yellow's "pixel" Missingno.) can scramble this. This might be an entry point for ACE !
$CD3D should be overwritten by Brock Through Walls or the NoClip "Museum guy" method. This could also be an entry point ^^
If I overlooked other entries you marked as "potential", please tell me and I'll look at those too !

I didn't see your git grep "jp hl", though? And I can't do it because lack of Linux etc.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-04-26 16:18:13
$D08C can theoretically be manipulated with CoolTrainer to any reasonable address represented by map tiles at BGB coordinate x=03 y=0F, or the blue tile here:

[img]http://i.imgur.com/iUGvGex.png[/img]

..but you'd need to not touch address $D078 or anything else that could lead the battle to freeze/end. If Glitch Cities alone aren't enough a tile printing glitch item combined with 9F to save the screen data may help.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-26 16:52:49
This address should be zero to be non-crashing, as far as a quick look into pokered could tell me. Maybe doable by Glitch Cities.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: jfb1337
Date: 2017-04-26 18:09:24
I didn't see your git grep "jp hl", though? And I can't do it because lack of Linux etc.

Here:
pokered$ git grep "jp hl"
engine/menu/naming_screen.asm:  jp hl
home/text.asm:  jp hl
home/text.asm:  jp hl

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: ISSOtm
Date: 2017-04-26 18:29:08
Thanks ! These don't look like they can serve our purposes.
Oh well, at least you checked out :)

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: jfb1337
Date: 2017-04-26 18:30:44
Also, I don't think CD3D would actually be possible since it gets written to when you select a Pokémon, at which point there's no way to change it before the point it is read when you select one of the field moves. I was originally thinking about Super Glitch corruption from the unused field move, but the game stores names of field moves separately so this one is just a properly terminated empty string.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-05-02 12:10:36
I briefly looked at the indices for C109 in Yellow and already found some really interesting behaviour:

0E, 0F: Execute DA41 - This can fall through to wDayCareInUse and then the manipulable wNumInBox.
12, 13: Execute D367 - This can be manipulated via the expanded items pack.
20: Enable "Blind Pikachu" effect. Another fun way to do it!

Sadly simply changing the value doesn't seem to be sufficient as it will reset back to a normal value, and the value must remain the same while walking on the exit mat.

As ISSOtm said we might be able to get a glitch Pokémon corruption (Yellow MissingNo.'s sprite corruption if it doesn't freeze the game can do it after you run away, are there any others?) that sets this and hopefully to an exploitable value. If we use a save file that has never encountered a glitch Pokémon and corrupted the SRAM there may be a point in which x number of encounters always results in the exploitable value.

Edit: If you use Lg- then you can execute 0E's arbitrary code (or theoretically another ID's script) that way, bingo!

Here are the other execution points that execute C000-FDFF.

2C, 2D: DFE6
3A, 3B: FA0A
3E, 3F: D368
50, 51: C9A7
54, 55: C937
56, 57: E5C9
58, 59: D5E5
5A, 5B: C5D5
5C, 5D: CDC5
5E, 5F: D4CD
62, 63: FA42
66, 67: D35D
70, 71: FA35
74, 75: C109
76, 77: CBC1
82, 83: C021
8E, 8F: FA6F
90, 91: C5FA
92, 93: CFC5
9A, 9B: CD00
A0, A1: C13D
A2, A3: D1C1
A4, A5: E1D1
A6, A7: C9E1
A8, A9: C8C9
AC, AD: D041
B0, B1: D341
B4, B5: D641
C7: D0E4
DA, DB: FAFF
DC, DD: C5FA
DE, DF: CFC5
EC, ED: D918
F2, F3: D618
F4, F5: E5D6
F6, F7: D5E5
F8, F9: C5D5

The only task now is finding out which series of corruptions would bring up a suitable execution point.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-05-02 16:09:06
OK done!

From a save file with wiped SRAM data, view 0xEC's summary sprite three times and then encounter Yellow MissingNo. three times in Viridian Forest.

You may get this wonderful piece of art (C109=0F). :)

[img]http://i.imgur.com/UfNsIVI.png[/img]

Then use Lg- and the game will execute DA41. Let this fall through to DA7F and use Pigdevil2010's bootstrap code (see http://forums.glitchcity.info/index.php?topic=6638.msg194861#msg194861) to redirect to item 3 and then add your code there.

Do note that DA41 is wPlayTimeMaxed, and wPlayTimeMinutes, wPlayTimeSeconds and wPlayTimeFrames follow. This means wPlayTimeMinutes must not be a value that writes to h, causes a freeze, or causes a jump so that DA7F isn't accessed, and you must be lucky enough to not get a freeze from the seconds and frames values.
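
The "luck element" in that last paragraph can be checked on paper before wasting a save. The script below is an added example for this archive, not code from the thread: it decodes the bytes from DA41 up to DA7F as SM83 (Game Boy CPU) instructions and reports whether the PC lands exactly on DA7F or first hits something that breaks the chain. The layout DA41 = wPlayTimeMaxed, then minutes, seconds, frames is the one the post states; the opcode lengths are the CPU's. What counts as a hazard is my reading of the post's three conditions and is deliberately conservative (every control transfer counts as a "jump", including conditional ones; any instruction that touches h or the hl pair counts as "writes h"; STOP, HALT and undefined opcodes count as "freeze"). The WRAM image is constructed: everything between the play-time bytes and DA7F is zero here, whereas the real game keeps other state there, so feed a dump of that region in for a real check.

```python
from typing import Dict, List, Tuple

TARGET = 0xDA7F    # where the post wants execution to "fall through" to
PLAYTIME = 0xDA41  # wPlayTimeMaxed; minutes, seconds, frames follow (per the post)


def opcode_length(op: int) -> int:
    """Instruction length in bytes for an SM83 (Game Boy CPU) opcode."""
    if op == 0xCB:
        return 2
    if op in (0x01, 0x08, 0x11, 0x21, 0x31, 0xC2, 0xC3, 0xC4, 0xCA, 0xCC,
              0xCD, 0xD2, 0xD4, 0xDA, 0xDC, 0xEA, 0xFA):
        return 3
    if op in (0x06, 0x0E, 0x10, 0x16, 0x18, 0x1E, 0x20, 0x26, 0x28, 0x2E,
              0x30, 0x36, 0x38, 0x3E, 0xC6, 0xCE, 0xD6, 0xDE, 0xE0, 0xE6,
              0xE8, 0xEE, 0xF0, 0xF6, 0xF8, 0xFE):
        return 2
    return 1


# Hazard classes: my reading of the post's conditions, conservative on purpose.
INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
FREEZE = INVALID | {0x10, 0x76}                      # undefined opcodes, STOP, HALT
CONTROL = ({0x18, 0x20, 0x28, 0x30, 0x38}            # jr
           | {0xC2, 0xC3, 0xCA, 0xD2, 0xDA, 0xE9}    # jp
           | {0xC4, 0xCC, 0xCD, 0xD4, 0xDC}          # call
           | {0xC0, 0xC8, 0xC9, 0xD0, 0xD8, 0xD9}    # ret / reti
           | {0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF})  # rst
WRITES_HL = ({0x21, 0x24, 0x25, 0x26, 0xE1, 0xF8}    # ld hl,nn / inc h / dec h / ld h,n / pop hl / ld hl,sp+e
             | {0x09, 0x19, 0x29, 0x39, 0x23, 0x2B}  # add hl,rr / inc hl / dec hl
             | {0x22, 0x2A, 0x32, 0x3A}              # ld [hli],a / ld a,[hli] / ld [hld],a / ld a,[hld]
             | set(range(0x60, 0x68)))               # ld h,r


def classify(op: int) -> str:
    if op in FREEZE:
        return "freeze"
    if op in CONTROL:
        return "jump"
    if op in WRITES_HL:
        return "writes h"
    return "ok"


def trace(mem: Dict[int, int], start: int, target: int) -> Tuple[bool, str, List[Tuple[int, int, str]]]:
    """Decode linearly from `start`; report whether the PC lands exactly on `target`
    without hitting a hazard.  Unlisted addresses are treated as 0x00 (nop)."""
    steps: List[Tuple[int, int, str]] = []
    pc = start
    while pc < target:
        op = mem.get(pc, 0x00)
        kind = classify(op)
        steps.append((pc, op, kind))
        if kind != "ok":
            return False, f"{kind} at {pc:04X} (opcode {op:02X})", steps
        pc += opcode_length(op)
    if pc == target:
        return True, "reached", steps
    return False, f"operand swallowed {target:04X}, landed at {pc:04X}", steps


def build_mem(maxed: int, minutes: int, seconds: int, frames: int) -> Dict[int, int]:
    """Constructed WRAM image: only the four play-time bytes are set; the rest of
    the region up to TARGET is zero here (the real game keeps other state there)."""
    mem = {a: 0x00 for a in range(PLAYTIME, TARGET)}
    mem[PLAYTIME], mem[PLAYTIME + 1], mem[PLAYTIME + 2], mem[PLAYTIME + 3] = maxed, minutes, seconds, frames
    return mem


def safe_minute_values(seconds: int = 0, frames: int = 0) -> List[int]:
    """Minute counts 0..59 that let execution reach TARGET for the given seconds/frames."""
    return [m for m in range(60) if trace(build_mem(0, m, seconds, frames), PLAYTIME, TARGET)[0]]


if __name__ == "__main__":
    for mins in (0x05, 0x18, 0x21):
        ok, why, _ = trace(build_mem(0, mins, 0x12, 0x1E), PLAYTIME, TARGET)
        print(f"minutes={mins:02X}: {'reaches DA7F' if ok else 'fails: ' + why}")
    print("safe minute values:", [f"{m:02X}" for m in safe_minute_values()])
```

Two things the trace makes visible that the prose does not: a two- or three-byte opcode just before DA7F swallows the target as its operand, so "not freezing" is not the same as "landing on DA7F"; and with zeroed surroundings, 20 of the 60 possible minute values are hazards under this classification, so the odds are worse than the three named conditions suggest.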

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Caveat
Date: 2017-05-02 16:35:33
Is this the most complex setup for ACE yet?

I don't know how complicated most of the other methods are, but this is still ridiculous.

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Torchickens
Date: 2017-05-03 15:26:04
Turns out this may work if you open your menu at Viridian City's PC before going to Viridian Forest and have never seen MissingNo. before, so it seems this is less hard to set up than previously thought, although there are some unknown complications that would prevent C109 becoming 0F.

MissingNo. can be taken from one of the Trainers that do not differ in Yellow from this image. Notably you can use Rival's effect through Lorelei's door and Selfdestruct to Bruno's second Pokémon, lose the match and guarantee infinite MissingNo. To enable the Special encounter you can be guided by the Pewter City museum NPC.

I successfully got this to work on console, but that was with a MissingNo.>0xEC back-sprite>MissingNo. method so there is a chance the new Viridian City PC method may not work.

Even with this, this is a bit harder than map script and 8F/ws m arbitrary code execution due to the luck element (if the play time data is problematic you'd have to delete the save file because you can't save the C109 value), having to have never seen a glitch Pokémon sprite (I suppose Fossil/Ghost MissingNo. won't count) and importantly having to obtain the glitch item Lg- (hex:6E). If you're able to obtain glitch items you probably will have set up dry underflow and could just use custom map script ACE/LOL glitch with items with quantities over 99 from Celadon looping map trick or MissingNo. to set up the storage box bootstrap code.

It's nice that this seems not to be a too unreasonable method of ACE however.

Pikachu glitch emote and HRAM ACE could be seen as examples of more difficult methods as they already require arbitrary code execution to begin with.

I successfully got this to work on console, but that was with a MissingNo.>0xEC back-sprite>MissingNo. method so there is a chance the new Viridian City PC method may not work.

Does seem to work on real console. :)

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Parzival
Date: 2017-05-03 18:11:26
(IIRC) ACE Counter: 14.
Holy hell, so much shit coding.
FAILTRAIN COUNTER: OVERFLOW

Re: Glitch Pokémon Pokédex ACE in Generation I

Posted by: Caveat
Date: 2017-05-03 18:18:13
I think this game may legitimately be one of the buggiest games ever.

Move over, Superman 64…