Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: Torchickens
Date: 2018-09-10 17:47:09
According to https://glitchcity.info/wiki/User:Kelvinv/HitFlagDex, invalid D05E addresses (normally for critical hit or one hit KO) can cause glitch text boxes to appear. These may be worth analysing, as they might be able to cause arbitrary code execution or an arbitrary text box in which the 08 command character tells the game to execute code after it.

There is an obscure way to get invalid D05E values without ACE, and that is with a glitch I found in 2015 known as participants glitch (which I believe Crystal_ helped me with). It requires over 6 Pokémon, which can be achieved at the beginning of the game by using the SRAM glitch to get 255 Pokémon.

Examples:
https://www.youtube.com/watch?v=HUYOC3zFjV4
https://www.youtube.com/watch?v=f7U2MWdCH8k
https://www.youtube.com/watch?v=-WMiGa16aHw
Basically D058 in Red/Blue or D057 in Yellow is the 'participants' address. Bit 0 of this address means Pokémon 1 participated and will gain experience, bit 1 means Pokémon 2 participated, and so on up to (the unused) bit 0x7 for Pokémon 8. However, the game won't stop you from manipulating later addresses by sending out Pokémon beyond slot 8. This has some fun uses, such as forcing a Pokémon battle (Mew and MissingNo. are possible, but not much use, as if you have an expanded party you can usually get the expanded items pack) by writing to D059 after sending out specific Pokémon. The battle can then be forced with Red/Blue's 9F (hex:5E), Yellow's -gm (hex:6A) and Lg- (hex:6E), and by forcing a different D05A (D059 in Yellow) battle mode such as old man/Safari Zone/Professor Oak/invalid battle modes (unfortunately the invalid battle modes all seem to be the same).

Apparently D05E is in range with the participants glitch. If D059 is written to by Pokémon 1-8, then D05A is written to by Pokémon 9-16, D05B by Pokémon 17-24, D05C by Pokémon 25-32, D05D by Pokémon 33-40 and D05E by Pokémon 41-48.

So the theory goes like this:
1. Document the invalid hitflags text box sources with BGB and see if they execute arbitrary code, or whether the source text pointer can be forced to do that with an 08 command. Then hope and pray there is a reasonable execution pointer (probably the only convenient ones here would be in items or stored Pokémon).
2. Convert the ID to binary, then determine which Pokémon (from slots 41-48) need to be sent into battle to write the given D05E value.
3. See if you can activate the glitch text box after making a move. (I actually haven't tried this yet; it may be that these values need to be locked to D05E, which would be a shame.)
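As an added example (not code from the thread or its author), here is a small Python model of the participants-glitch bit write, covering step 2 of the plan above and the byte-to-slot table in the previous paragraph. It assumes the mapping tabulated there (slots 1-8 mark the first flag byte, D059, up to slots 41-48 marking D05E); since the opening paragraph names D058 as the participants byte, the base is a parameter that should be confirmed in BGB before use.

```python
# Added example (not from the original thread): models the out-of-bounds
# participant-flag write described above, to work out which party slots must
# be sent out so that a target address (e.g. D05E, the critical-hit/OHKO
# flag) ends up holding a chosen byte.
#
# Mapping assumed from the thread's tabulation: slots 1-8 mark bits 0-7 of
# FIRST_FLAG_BYTE, slots 9-16 the next byte, ... slots 41-48 mark D05E.
# The opening post also names D058 as the participants byte, so confirm the
# real base in an emulator before relying on these numbers.
FIRST_FLAG_BYTE = 0xD059


def flag_location(slot, base=FIRST_FLAG_BYTE):
    """Return (address, bit) marked when the party member in `slot` (1-based) is sent out."""
    if slot < 1:
        raise ValueError("party slots are 1-based")
    idx = slot - 1
    return base + idx // 8, idx % 8


def slots_for_byte(address, value, base=FIRST_FLAG_BYTE):
    """Party slots (1-based) whose send-out bits together make `address` hold `value`.

    This is step 2 of the plan: take the value's binary form and read off which
    of the eight slots that map onto `address` carry a set bit.
    """
    if address < base:
        raise ValueError("address lies before the first flag byte")
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    first_slot = (address - base) * 8 + 1
    return [first_slot + bit for bit in range(8) if (value >> bit) & 1]


def simulate_send_outs(slots, base=FIRST_FLAG_BYTE):
    """Bytes touched (address -> value) after sending out `slots` in order, from all-zero RAM.

    Send-outs only ever OR a bit in, so a bit that is already set can't be cleared this way.
    """
    ram = {}
    for slot in slots:
        addr, bit = flag_location(slot, base)
        ram[addr] = ram.get(addr, 0) | (1 << bit)
    return ram


if __name__ == "__main__":
    target, wanted = 0xD05E, 0xA5  # constructed example value, not a known hitflag ID
    plan = slots_for_byte(target, wanted)
    print(f"send out slots {plan} to set {target:04X} = {wanted:02X}")
    print({f"{a:04X}": f"{v:02X}" for a, v in simulate_send_outs(plan).items()})
```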

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: ISSOtm
Date: 2018-09-11 02:41:52
Note that attempting to send out Pokémon too far may cause tilemap corruption to overflow, so this should be done with care. If the corruption does overflow, then you kinda need TAS capabilities to mash the Down button and hit A at the right time (maybe twice).

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: Kelvinv
Date: 2018-09-11 16:18:27
The values have to be locked, which means ACE isn't quite possible.

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: ISSOtm
Date: 2018-09-12 07:39:13
Why do they have to be locked?

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: Kelvinv
Date: 2018-09-12 15:24:24
They changed back when I unlocked them and then used a move.

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: ISSOtm
Date: 2018-09-12 16:35:05
If you were using an emulator and a GameShark (Action Replay) code, then it's likely that the emulator incorrectly implements Action Replay codes. (You talked about "unlocked")

Re: Yet another ACE idea (hitflags), also MissingNo. at the beginning of the game

Posted by: Torchickens
Date: 2018-09-13 08:06:50
> If you were using an emulator and a GameShark (Action Replay) code, then it's likely that the emulator incorrectly implements Action Replay codes. (You talked about "unlocked")

Actually it seems D05E must be set to the value at certain times for this to work, such as certain points while an attack is being made (you can unlock D05E during this point and it will work). The participants glitch will only allow you to set it after a Pokémon is sent out, so unfortunately getting glitch hit flags this way may be impossible.

Kelvinv is right; 01xx5ED0 locked will give you these text boxes, but testing on my Xploder GB I was able to disable the code while a Pidgey was attacking me and it still gave a glitch text box.