Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Continuous ACE with a glitch map script in the Game Corner

Posted by: metalmario32
Date: 2019-07-26 13:08:58
Glitch script 0x14 in the Game Corner executes FAC9 in Echo RAM (copy of DAC9) not once, but continuously. This causes mass memory corruption if DAC9 does not contain good data (like a ret). Could this be abused for continuous ACE? It might be impractical, but it is easy to manipulate due to DAC9 being the least significant HP EV byte of the 2nd stored Pokémon, which could be used to fall through to other data, like the PP of the moves of the second Pokémon in the box, which is easily manipulable. I will try to post a video of this script's effects within the week.

Re: Continuous ACE with a glitch map script in the Game Corner

Posted by: bwill11
Date: 2019-07-26 14:13:08
This could be useful to make essentially an ACE for loop. I don't know if there's another way of getting the same effect (I'm not familiar with gbz80) but here's what I came up with:
- Activate map script with some method
- At DAC9, code to jump to PC items
- In PC items:
  (Code)
  (Code to decrease TM01s by 1)
  TM01*(y)
  (Code to deactivate map script)
You could probably get a similar effect by having PC and inventory jump to each other but with this method you can keep inventory free to use.

Re: Continuous ACE with a glitch map script in the Game Corner

Posted by: metalmario32
Date: 2019-07-26 14:43:44
The setup you described might be useful, thanks! I assume that there will be a conditional jump somewhere within that code (I think it's a jp nz?). But anyway, it is an interesting method of continuous ACE, but I think swapping an item stack into D36E/F to achieve continuous ACE is probably better, and doesn't cause side effects.

Re: Continuous ACE with a glitch map script in the Game Corner

Posted by: bwill11
Date: 2019-07-26 15:02:20

> But anyway, it is an interesting method of continuous ACE, but I think swapping an item stack into D36E/F to achieve continuous ACE is probably better, and doesn't cause side effects.

Wait, what side effects does it have? You did say that it causes memory corruption unless DAC9 contains good data, but that can be controlled. Also, I've never heard of swapping an item stack to D363 to execute code, how is this done?

Re: Continuous ACE with a glitch map script in the Game Corner

Posted by: metalmario32
Date: 2019-07-26 16:41:58
I noticed that if you trigger this script without a jump instruction, the script corrupts various areas of memory, possibly destroying your save file. Also D36E/F points to the current map's script pointer (I think?) and if you switch a Water Stone x211 into item 41, it will execute continuous ACE from the third item until you leave the map.

Edit: To clarify, item 41 is item 41 in the expanded bag, not the PC. Also, the mass memory corruption is only caused when you don't reroute the jump properly; for example, someone could trigger this script without carefully setting up their boxes.

Edit 2: The PC has 50 items, so it wouldn't be expanded :P (Reference to edit one)
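As an added example (not part of the thread or anyone's post in it), the Python below models the bag layout behind the "Water Stone x211 in item 41" trick from the last post: it shows that slot 41 overlaps D36E/F, that the stack's two bytes read as the little-endian pointer D322, and that D322 is the ID byte of bag slot 3. The bag layout (slot 1 at D31E, ID byte then quantity byte, 20 slots without expansion) and Water Stone's item ID 0x22 are from the Red/Blue RAM map; the claim that D36E/F holds the current map script pointer is taken from the thread as-is.

```python
# Added example, not from the thread: a small model of the Gen 1 bag layout that
# shows why "Water Stone x211 in item 41" yields a pointer to the third item.
# Assumptions: bag slots start at D31E (ID byte, then quantity byte) and the
# normal bag has 20 slots (Red/Blue RAM map); D36E/F being the current map
# script pointer is taken from the thread itself, not verified here.
BAG_ITEMS = 0xD31E        # ID byte of bag slot 1; quantity follows at +1
BAG_CAPACITY = 20         # slots reachable without an expanded bag
MAP_SCRIPT_PTR = 0xD36E   # 16-bit little-endian pointer, per the thread
WATER_STONE = 0x22        # Water Stone item ID


def slot_address(slot):
    """Address of the ID byte of 1-based bag slot `slot` (quantity is at +1)."""
    if not 1 <= slot <= 255:
        raise ValueError("slot must be 1..255")
    return BAG_ITEMS + 2 * (slot - 1)


def address_to_slot(addr):
    """Inverse of slot_address: (slot, 'id' | 'qty') for an address in the bag area."""
    off = addr - BAG_ITEMS
    if off < 0:
        raise ValueError("address precedes the bag")
    return off // 2 + 1, "id" if off % 2 == 0 else "qty"


def stack_as_pointer(item_id, quantity):
    """Two adjacent bytes (ID, quantity) read as a little-endian 16-bit pointer."""
    if not (0 <= item_id <= 0xFF and 0 <= quantity <= 0xFF):
        raise ValueError("item ID and quantity are single bytes")
    return item_id | (quantity << 8)


def describe_swap(item_id, quantity):
    """Where a stack placed over D36E/F points, and whether that needs an expanded bag."""
    slot, field = address_to_slot(MAP_SCRIPT_PTR)
    target = stack_as_pointer(item_id, quantity)
    tslot, tfield = address_to_slot(target)
    return {
        "overwrite_slot": slot,                # bag slot whose bytes overlap D36E/F
        "overwrite_field": field,
        "needs_expanded_bag": slot > BAG_CAPACITY,
        "pointer": target,                     # value the script pointer now holds
        "target_slot": tslot,                  # execution would start at this slot
        "target_field": tfield,
    }


if __name__ == "__main__":
    print(describe_swap(WATER_STONE, 211))
```

Changing the quantity moves the high byte of the pointer, which is why only a quantity of 0xD3 (211) keeps it inside the bag area at D3xx.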