Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

CC57/8 continuous arbitrary code execution

Posted by: Torchickens
Date: 2018-12-09 05:35:07
If CC57/8 reads DD 00, the game will execute arbitrary code at F5D5 not just once but continuously. This is in the expanded PC items and can be changed to C3 XX D3. The general idea might be to use 4F/-g m/8F, etc. to set CC57 to DD and set CC58 to 00 if it isn't 00 already.

An advantage to this over D36E/D36F ACE is that it stays even after changing maps. Unfortunately I have to go, so I can't do any more testing right now, but I wonder if it works in battle?

Re: CC57/8 continuous arbitrary code execution

Posted by: Parzival
Date: 2018-12-10 20:47:08
What do these control, precisely?

Re: CC57/8 continuous arbitrary code execution

Posted by: Sherkel
Date: 2018-12-11 15:41:33

What do these control, precisely?
What are you asking, precisely? :P

Re: CC57/8 continuous arbitrary code execution

Posted by: metalmario32
Date: 2018-12-12 06:44:27


What do these control, precisely?
What are you asking, precisely? :P


He's asking what in-game variables those addresses control, precisely.

Re: CC57/8 continuous arbitrary code execution

Posted by: Couldntthinkofaname
Date: 2018-12-12 06:59:54



What do these control, precisely?
What are you asking, precisely? :P


He's asking what in-game variables those addresses control, precisely.



…which is precisely the reason why Pokered exists! :^)


Anyways, CC57 is responsible for the location in the pointer table to call for NPC Movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.


Gonna take a guess as to how this works…

When setting CC57 higher than the amount of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka, how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.


Don't have access to an emulator right now so can't be too sure.

Re: CC57/8 continuous arbitrary code execution

Posted by: metalmario32
Date: 2018-12-12 07:20:37




What do these control, precisely?
What are you asking, precisely? :P


He's asking what in-game variables those addresses control, precisely.



…which is precisely the reason why Pokered exists! :^)


Anyways, CC57 is responsible for the location in the pointer table to call for NPC Movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.


Gonna take a guess as to how this works…

When setting CC57 higher than the amount of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka, how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.


Don't have access to an emulator right now so can't be too sure.


So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?

Re: CC57/8 continuous arbitrary code execution

Posted by: Couldntthinkofaname
Date: 2018-12-12 07:50:47

So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?



Take a gander at this line in pokered's home.asm.

As you can see, it takes the value at CC57, takes a pointer to a list of pointers to movement script pointer tables (phew!), and adds the two. It then grabs the pointer it finds there, puts it in hl, and makes a call to CallFunctionInTable.


So yeah, I'm assuming that's what's going on there.


Something else to note: The function I linked loads the value at CF10 (responsible for the function number in the pointer table) into the accumulator before making the call to CallFunctionInTable. I do wonder if that value may change the ability to do this trick.


EDIT: Some semi-important findings in this regard


The way this works is because the function I originally linked adds CC57 (which is DDh in the trick) to the pointer to the pointer table which points to the other movement script pointer table. It gets 3193, which points to D5h and F5h. CallFunctionInTable reads these values and calls F5D5.

However, CF10 affects what pointer CallFunctionInTable calls when called with RunNPCMovementScript. This means CF10 must be zero or else this will not work!

Not sure what changes CF10, however.


Edit2: Something else to note:


While Torchic included setting CC58 to 0 in her instructions, this is actually unnecessary. 3193, which contains the "pointer" to F5D5, is in the "home" ROM bank, meaning it's irrelevant what the ROM bank is at the time of CallFunctionInTable.



but I wonder if it works in battle?


No. NPC Movement scripts are not executed during battle.
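A worked model of the lookup Couldntthinkofaname describes in the two posts above, added here as an example; it is not code from the thread or from pokered. It plays the two-level lookup through in Python against a constructed 64 KiB memory image: the list address 3100, the three tables, their contents and the stray bytes past the list are all invented so the arithmetic can be followed, and only the intermediate value 3193 and the D5 F5 -> F5D5 result are taken from the post. Two modelling assumptions are labelled in the code: pointers are two-byte little-endian words, so an index is scaled by 2, and the byte-sized index is scaled in 8-bit arithmetic as a byte register would be. Against that image the unchecked lookup with CC57 = DD and CF10 = 0 resolves to F5D5, which is Game Boy echo RAM mirroring D5D5, and any other CF10 reads a different word, matching the post's observation; the checked variant shows the missing bounds test.

```python
# Added example modelling the CC57/CF10 two-level function-pointer lookup
# described in the thread. NOT code from the thread or from pokered; the
# memory image is constructed and every address in it except 3193 and the
# D5 F5 -> F5D5 result is made up.

TABLE_LIST = 0x3100   # assumed address of the list of pointers to movement-script tables
NUM_TABLES = 3        # assumed number of legitimate entries in that list


def rd16(mem, addr):
    """Read a little-endian 16-bit pointer (low byte first, as the Game Boy CPU does)."""
    return mem[addr & 0xFFFF] | (mem[(addr + 1) & 0xFFFF] << 8)


def wr16(mem, addr, value):
    mem[addr & 0xFFFF] = value & 0xFF
    mem[(addr + 1) & 0xFFFF] = (value >> 8) & 0xFF


def build_memory():
    """Constructed 64 KiB image: three real tables plus stray bytes past the list."""
    mem = bytearray(0x10000)
    tables = [0x3200, 0x3210, 0x3220]
    for i, table in enumerate(tables):
        wr16(mem, TABLE_LIST + 2 * i, table)        # list entry i -> table i
        wr16(mem, table, 0x4000 + 0x10 * i)         # table i, function 0 (in "ROM")
        wr16(mem, table + 2, 0x4008 + 0x10 * i)     # table i, function 1 (in "ROM")
    # Unrelated data that the out-of-bounds index CC57 = DD happens to land on.
    # Assumption: the byte index is scaled in 8-bit arithmetic, so the offset is
    # (DD * 2) & FF = BA and the lookup reads the word at TABLE_LIST + BA = 31BA.
    # That word is set to 3193 (the value the post reports); the bytes at
    # 3193/3194 are D5 F5, i.e. the little-endian pointer F5D5.
    wr16(mem, TABLE_LIST + ((0xDD * 2) & 0xFF), 0x3193)
    mem[0x3193], mem[0x3194] = 0xD5, 0xF5
    mem[0x3195], mem[0x3196] = 0x12, 0x34           # what CF10 = 1 would read instead
    return mem


def resolve_unchecked(mem, cc57, cf10):
    """The lookup as the post describes it: no test that cc57 names a real table."""
    offset = (cc57 * 2) & 0xFF                       # 8-bit scaling (assumption, see above)
    table = rd16(mem, TABLE_LIST + offset)           # RunNPCMovementScript step
    return rd16(mem, table + 2 * cf10)               # CallFunctionInTable step


def resolve_checked(mem, cc57, cf10, table_sizes):
    """Hardened variant: both indexes must fall inside tables that actually exist."""
    if not 0 <= cc57 < NUM_TABLES:
        raise IndexError(f"table index {cc57:#04x} out of range")
    if not 0 <= cf10 < table_sizes[cc57]:
        raise IndexError(f"function index {cf10:#04x} out of range for table {cc57}")
    table = rd16(mem, TABLE_LIST + 2 * cc57)
    return rd16(mem, table + 2 * cf10)


def echo_mirror(addr):
    """E000-FDFF is echo RAM: a call into it executes the bytes stored 0x2000 lower."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def outside_rom(addr):
    """ROM occupies 0000-7FFF; a call target above that is RAM of some kind."""
    return addr >= 0x8000


if __name__ == "__main__":
    mem = build_memory()
    for cc57, cf10 in [(0, 0), (2, 1), (0xDD, 0), (0xDD, 1)]:
        target = resolve_unchecked(mem, cc57, cf10)
        where = f"RAM, echo of {echo_mirror(target):04X}" if outside_rom(target) else "ROM"
        print(f"CC57={cc57:02X} CF10={cf10:02X} -> call {target:04X} ({where})")
```

The security point the model isolates is the one the thread circles around: a byte read from writable RAM is used as an index into a table of code pointers without comparison against the table's length, so any value above the legitimate range turns whatever bytes follow the table into a call target. The second index (CF10) has to be 0 for the same reason the post gives: it selects which word past 3193 is taken as the pointer, and only the word at 3193 itself is D5 F5.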

Re: CC57/8 continuous arbitrary code execution

Posted by: Torchickens
Date: 2018-12-15 15:52:26
Thank you for the input, guys! Ah.. Unfortunate that it doesn't work in battle. :(