Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: joshuarpl
Date: 2019-01-08 10:54:39
You've heard of the $FC glitch trainer in POKeMON Yellow, right? Well, the reason the game crashes when using a move is that, for some reason, it executes code from $DA80! Glitch expert TheZZAZZGlitch confirmed this with his payload that displays a Doge, some glitch characters, and some text!

Here, I can explain!
When entering the instructions
ld a,00       ; start with tile ID 0 in A
inc a         ; next tile ID
ld ($C3A0),a  ; write it to the first byte of the screen tile buffer (the top-left on-screen tile)
jp $DA82      ; jump back to inc a ($DA80 + the 2 bytes of ld a,00) and repeat forever
into $DA80 (where the glitch trainer executes code from!)
I can confirm that when I use a move, that code will be executed because if you look at the code, you can see that it places a tile on-screen, and constantly changes to the next tile ID.
And that it does!
Hope that got you an idea!
I have 1 question, though!
How do you use the command db?

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: Torchickens
Date: 2019-01-08 11:05:16
Nice observation. :)

db is not a command though; it only means that the following bytes are not ASM and are data rather than code. For instance, if you had "db 91 84 83 50", it would be useful for identifying that it is not the code sub a,c / add a,h / add a,e / ld d,b but rather data: in this case the player name "RED". In the assembled ROM db is not used, and is similar to a label (like wCurOpponent as opposed to d058).

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: joshuarpl
Date: 2019-01-08 13:03:29
…OK, but just loading a value into A and then loading A into the screen location to make text would be pretty big code!
Also, I learned how to make animations: I modified the C3A0 data with the BGB debugger to say "Happy 2019", and then wrote ASM code at DA80 to constantly switch the H to a bold H and then back to a normal H. Oh, and yes, I am using Pokemon Yellow!

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: Torchickens
Date: 2019-01-08 13:35:22
Yes, there are ways to work around this (rather than ld a, xx; ld (yyxx),a etc., which uses five bytes each), such as saving some space with arithmetic on registers (e.g. binary bit shifting of registers, and if you want 0x00 use xor a, because "a xor a" is always 0). This requires some basic electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator in Programmer mode.

Also TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes I guess (although I've not written many complex programs) what a programmer might do is a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do", and adapt it into a programming context.

ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.

Nice work by the way! ^^

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: joshuarpl
Date: 2019-01-08 15:04:26
> Yes, there are ways to work around this (rather than ld a, xx; ld (yyxx),a etc., which uses five bytes each), such as saving some space with arithmetic on registers (e.g. binary bit shifting of registers, and if you want 0x00 use xor a, because "a xor a" is always 0). This requires some basic electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator in Programmer mode.
>
> Also TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes I guess (although I've not written many complex programs) what a programmer might do is a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do", and adapt it into a programming context.
>
> ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.
>
> Nice work by the way! ^^

Haha, the space of 00's from address DA80 goes all the way to DEE0!
How do you make the game wait for user input or make certain button inputs do something?

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: Torchickens
Date: 2019-01-08 15:59:09
> > Yes, there are ways to work around this (rather than ld a, xx; ld (yyxx),a etc., which uses five bytes each), such as saving some space with arithmetic on registers (e.g. binary bit shifting of registers, and if you want 0x00 use xor a, because "a xor a" is always 0). This requires some basic electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator in Programmer mode.
> >
> > Also TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes I guess (although I've not written many complex programs) what a programmer might do is a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do", and adapt it into a programming context.
> >
> > ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.
> >
> > Nice work by the way! ^^
>
> Haha, the space of 00's from address DA80 goes all the way to DEE0!
> How do you make the game wait for user input or make certain button inputs do something?


Oh… I see. Hmm, perhaps that was one of the things which worked, but as you said likely could be optimised.

In relation to your question: in short, you'll need to loop the code and read FFB3, because FFB3 is an HRAM address which updates with button data.

FFB3 states are as such:

Bit 0: A-Button pressed (take value, add +01 to add check)
Bit 1: B-Button pressed (take value, add +02 to add check)
Bit 2: Select pressed (take value, add +04 to add check)
Bit 3: Start pressed (take value, add +08 to add check)
Bit 4: D-pad right pressed (take value, add +10 to add check)
Bit 5: D-pad left pressed (take value, add +20 to add check)
Bit 6: D-pad up pressed (take value, add +40 to add check)
Bit 7: D-pad down pressed (take value, add +80 to add check)

I have a program that makes Pikachu move based on the d-pad. It works by essentially doing a check that the values, when subtracted, make FFB3 less than $01. You can play around with it so that other memory addresses are set. For example, a 'cheat mode' where pressing Start lets you walk through walls and pressing Select disables it, and you may be able to give it some permanence with the 0xCC57 method recently documented on these forums (but at the moment you will need to work it for Red/Blue; no CC57 Yellow ACE may be documented on the Internet yet). You can use D36D-D36E for an EN Yellow Version instead of D36E-D36F (EN Red/Blue Version) though if you settle for the map script method (although it only applies to the current map unless activated again).

Hope this helps :).

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: joshuarpl
Date: 2019-01-08 17:25:41
For example, what is code that would lock the game until you press A?

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: ISSOtm
Date: 2019-01-08 18:02:40
You should refer to the disasm, especially wram.asm. There's documentation on the different RAM addresses and their functionality.
Further, if you want to know the answer to this kind of questions, you should find a piece of code that does what you want, and figure out how it works. For example, home/init.asm references `PlayIntro` (use GitHub's search to find it's in engine/intro.asm), which references `PlayShootingStar` (just below), which calls `AnimateShootingStar` (engine/gamefreak.asm), which calls `CheckForUserInterruption` (home.asm). There you can see it calls `JoypadLowSensitivity` and reads back `hJoyHeld` and `hJoy5`. It's up to you to figure out how those work!

All this because we'll quickly grow tired if you need every answer spoonfed to you, so you should start learning how to be autonomous. Of course, if you're still stumped, you can ask us - it's always nice to help someone who proves they make efforts but don't make it. You're off to a good start!

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: joshuarpl
Date: 2019-04-21 09:29:57
Could anyone find a Z80 Assembler to Hexadecimal converter, where you can use labels, db, and stuff like that?

Re: ZZAZZ glitch trainer $FC arbitrary code execution

Posted by: Sherkel
Date: 2019-04-21 10:33:29
That would be RGBDS.
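As an added illustration (not code from this thread or from RGBDS), a small two-pass Python assembler for the handful of Game Boy instructions this thread uses: it shows that labels and db exist only at assembly time, as Torchickens describes, and emits the bytes you would enter at $DA80 with the BGB debugger, so the first post's snippet becomes 3E 00 3C EA A0 C3 C3 82 DA with $DA82 landing exactly on inc a. The opcode table, the ldh/and/jr entries and the hex-only number syntax are my assumptions; a real payload should be assembled with RGBDS.

```python
import re
SIZES = {"n": 1, "nn": 2, "e": 1, None: 0}
# regex -> (opcode bytes, operand kind): "n" 8-bit, "nn" 16-bit LE address, "e" jr offset, "db" data
TABLE = [
    (r"ld a,(\S+)",      [0x3E], "n"),
    (r"inc a",           [0x3C], None),
    (r"xor a",           [0xAF], None),   # a xor a = 0 in one byte, as the thread notes
    (r"ld \((\S+)\),a",  [0xEA], "nn"),
    (r"ldh a,\((\S+)\)", [0xF0], "n"),    # reads $FF00+n, so ($B3) reads $FFB3
    (r"and (\S+)",       [0xE6], "n"),
    (r"jp (\S+)",        [0xC3], "nn"),
    (r"jr z,(\S+)",      [0x28], "e"),
    (r"db (.+)",         [],     "db"),
]

def _value(tok, labels):  # operands are labels or hex numbers, "$" prefix optional
    return labels[tok] if tok in labels else int(tok.lstrip("$"), 16)

def _parse(raw):  # "loop: inc a ; comment" -> ("loop", "inc a"); either part may be ""
    line = re.sub(r",\s+", ",", raw.split(";")[0].strip().lower())
    label, _, ins = line.rpartition(":")
    return label.strip(), ins.strip()

def assemble(src, org=0xDA80):  # -> (code bytes, {label: address}); org = where $FC trainer code runs
    items, labels, pc = [], {}, org
    for raw in src.splitlines():                # pass 1: sizes and label addresses
        label, ins = _parse(raw)
        if label: labels[label] = pc
        if not ins: continue
        for pat, op, kind in TABLE:
            if m := re.fullmatch(pat, ins):
                break
        else:
            raise ValueError("unsupported instruction: " + ins)
        items.append((pc, op, kind, m.groups()))
        pc += len(op) + (len(m.group(1).split(",")) if kind == "db" else SIZES[kind])
    out = bytearray()
    for pc, op, kind, args in items:            # pass 2: encode, labels now known
        out += bytes(op)
        if kind == "db":
            out += bytes(_value(t, labels) for t in args[0].split(","))
        elif kind == "n":
            out += bytes([_value(args[0], labels) & 0xFF])
        elif kind == "nn":
            out += _value(args[0], labels).to_bytes(2, "little")
        elif kind == "e":
            off = _value(args[0], labels) - (pc + 2)  # relative to the next instruction
            assert -128 <= off <= 127, "jr target out of range"
            out += bytes([off & 0xFF])
    return bytes(out), labels
```

A poll-$FFB3 loop of the kind asked about above, wait: ldh a,($B3) / and 01 / jr z,wait, assembles to F0 B3 E6 01 28 FA, on the assumption (from Torchickens' post) that the game keeps refreshing $FFB3 while the loop runs.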