

Messages - Wack0

1
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 24, 2017, 05:50:07 am »
Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

I'm getting off topic, but the GBA 10ANNIV rom (and probably others) worked by sending a client application to the GBA from another GBA. The leaked official SDK has an example about this too (by the way, one of the 10ANNIV roms was made public recently).

That uses the GBA BIOS multiboot, which is different from the multiboot implemented inside of R/S/E/FR/LG (which uses the JoyBus protocol over the link cable for communication with the GameCube games).
2
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 11:30:17 am »
Would be interesting to see this implemented as a GBA to GBA homebrew

Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.
3
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 07:26:52 am »
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

GBA uses ARMv4...

Anyway, if you want code exec, and you have a Wii and a GC->GBA link cable, you can use the RCE I found and detailed here http://forums.glitchcity.info/index.php?topic=7861.0

You'll be able to write your payloads in C there, hopefully it's what you need (you'd be able to get the items with it as well, FYI, you'll have lots of space for your payload, about 124 KB...)
4
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: March 18, 2017, 03:34:58 pm »
A little off topic here, but since you reversed the transferred rom and know how game detection works, would modifying the Colosseum USA/JAP bonus disc to accept other region carts be feasible? I'd really like to test that. I checked the code a little; do they only use game codes for that?

I reversed the transfer process itself, not any transferred multiboot images.
5
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: February 27, 2017, 03:45:50 pm »
The invitation link is dead again.
How fast do these links expire?

Try this link, I just generated a nonexpiring one: https://discord.gg/FHdxXSb

I still can't join. It keeps giving me the same message:
The instant invite is invalid or has expired
I'm using the web interface, not the app. I've never used Discord before, so I have no idea if this is an issue.

That's weird. Perhaps you could try using a different browser?
6
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: February 27, 2017, 11:46:22 am »
The invitation link is dead again.
How fast do these links expire?

Try this link, I just generated a nonexpiring one: https://discord.gg/FHdxXSb
7
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 26, 2017, 08:44:59 am »
New major commit.

  • Added save-block structure definitions
  • Added a helper library, includes functions for decrypting and encrypting Pokémon structures (encrypting also fixes the checksum); a function to get a Pokémon substructure (it's less than 10% of the size of the original!); helper functions for getting specific substructures; functions for calculating and fixing a Pokémon's checksum (in case you want to do this manually); functions for calculating Enigma Berry checksums; and a function for calculating a ramscript (that feature that overrides NPC scripts) checksum.
  • Changed the example payload; it's now an adapted version of the one in the previous post that warps to the Hall of Fame, so that the example shows how a payload ideally should look (supporting all of R/S/FR/LG/E, etc.).

Now, writing payloads should be easier.

Here's another example payload that adds a ramscript, which replaces Brendan's mother's script (R/S/E)/Red's mother's script (FR/LG), causing them to say "Pwned!". (Yes, I know you won't be able to see it if you're playing R/S/E as May, but really, it's such a small change that you should be able to figure it out pretty easily.)

Code:
/*
 * Example Gen3-multiboot payload by slipstream/RoL 2017.
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 *
 * payload.c: place where user payload should go :)
 */

#include <gba.h>
#include <string.h>
#include "payload.h"

// Your payload code should obviously go into the body of this, the payload function.
void payload(pSaveBlock1 SaveBlock1, pSaveBlock2 SaveBlock2, pSaveBlock3 SaveBlock3) {
    struct RamScript* ramScript;
    if (GAME_RS) ramScript = &(SaveBlock1->rs.ramScript);
    else if (GAME_FRLG) ramScript = &(SaveBlock1->frlg.ramScript);
    else if (GAME_EM) ramScript = &(SaveBlock1->e.ramScript);
    else return;
    ramScript->data.magic = 0x33;
    if (GAME_FRLG) {
        ramScript->data.mapGroup = 4; // Pallet Town indoors
        ramScript->data.mapNum = 0;   // Red's house 1F
        ramScript->data.objectId = 1; // Red's mother
    } else {
        ramScript->data.mapGroup = 1; // Littleroot Town indoors
        ramScript->data.mapNum = 0;   // Brendan's house 1F
        ramScript->data.objectId = 1; // Brendan's mother
    }
    u8 script[] = ""
        "\xb8\x00\x00\x00\x00" // setvaddress 0
        "\xbd\x0e\x00\x00\x00" // vtext msgtext
        "\x66"                 // waittext
        "\x6d"                 // waitbutton
        "\x6c"                 // release
        "\x02"                 // end
        "\xCA\xEB\xE2\xD9\xD8\xAB\xFF"; // msgtext: "Pwned!"
    // copy the script to its rightful place
    memcpy(&(ramScript->data.script), script, sizeof(script));
    // fix the checksum
    ramScript->checksum = CalculateRamScriptChecksum(ramScript);
    // all done!
    return;
}
8
Pokémon Discussion / Re: Anatomy of an e-Reader Mystery Event
« on: February 24, 2017, 11:58:27 am »
Whilst reversing Gen III and adding the save structures of the various games to my payload code, I noticed something.

The Enigma Berry structure is different in FR/LG/Emerald!

It's only 0x30 bytes long; the sprite, palette and tag description elements were removed, leaving only the base Berry structure (0x1C bytes), the item-usage-by-trainer structure (0x12 bytes), the hold item effect (2 bytes) and bytewise checksum (4 bytes).

edit: the change was made in FR/LG, not Emerald (Emerald just inherited it)
9
Pokémon Discussion / Re: Debug menus in Japanese Crystal
« on: February 23, 2017, 04:09:08 am »
Isn't this the same debug menu as in the other GSC Pokémon games?

If you're talking about the trainer/Pokémon sprite viewer, that's actually a part of it.
10
Try the Ditto glitch with special of 182, 183 or 184. These are fossil/ghost MissingNo., so won't freeze on the opponent's side.
11
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 21, 2017, 03:01:50 pm »
New commits, added FR/LG/E secure-area decryption, party reloading from the loaded save file after calling the payload (so now it's possible to modify the party and have the changes reflected; watch out for the crypto and the checksumming though!), and some helpful macros (GAME_x where x can be RUBY, SAPP, RS, FR, LG, FRLG, EM and LANG_JAPAN) to more easily allow for payloads compatible with all of Gen III.

About "payloads compatible with all of Gen III", here's a Hall of Fame payload. It contains partial savedata structures that are themselves partially from pokeruby. Eventually more complete structures will get integrated into the project.

Code:
/*
 * Example Gen3-multiboot payload by slipstream/RoL 2017.
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 *
 * payload.c: place where user payload should go :)
 */

#include <gba.h>
#include "payload.h"

typedef struct {
    s16 x;
    s16 y;
} Coords16;

typedef struct {
    s8 mapGroup;
    s8 mapNum;
    s8 warpId;
    s16 x;
    s16 y;
} WarpData;

// ugh..

struct PokemonSubstruct0
{
    u16 species;
    u16 heldItem;
    u32 experience;
    u8 ppBonuses;
    u8 friendship;
};

struct PokemonSubstruct1
{
    u16 moves[4];
    u8 pp[4];
};

struct PokemonSubstruct2
{
    u8 hpEV;
    u8 attackEV;
    u8 defenseEV;
    u8 speedEV;
    u8 spAttackEV;
    u8 spDefenseEV;
    u8 cool;
    u8 beauty;
    u8 cute;
    u8 smart;
    u8 tough;
    u8 sheen;
};

struct PokemonSubstruct3
{
 /* 0x00 */ u8 pokerus;
 /* 0x01 */ u8 metLocation;

 /* 0x02 */ u16 metLevel:7;
 /* 0x02 */ u16 metGame:4;
 /* 0x03 */ u16 pokeball:4;
 /* 0x03 */ u16 otGender:1;

 /* 0x04 */ u32 hpIV:5;
 /* 0x04 */ u32 attackIV:5;
 /* 0x05 */ u32 defenseIV:5;
 /* 0x05 */ u32 speedIV:5;
 /* 0x05 */ u32 spAttackIV:5;
 /* 0x06 */ u32 spDefenseIV:5;
 /* 0x07 */ u32 isEgg:1;
 /* 0x07 */ u32 altAbility:1;

 /* 0x08 */ u32 coolRibbon:3;
 /* 0x08 */ u32 beautyRibbon:3;
 /* 0x08 */ u32 cuteRibbon:3;
 /* 0x09 */ u32 smartRibbon:3;
 /* 0x09 */ u32 toughRibbon:3;
 /* 0x09 */ u32 championRibbon:1;
 /* 0x0A */ u32 winningRibbon:1;
 /* 0x0A */ u32 victoryRibbon:1;
 /* 0x0A */ u32 artistRibbon:1;
 /* 0x0A */ u32 effortRibbon:1;
 /* 0x0A */ u32 giftRibbon1:1;
 /* 0x0A */ u32 giftRibbon2:1;
 /* 0x0A */ u32 giftRibbon3:1;
 /* 0x0A */ u32 giftRibbon4:1;
 /* 0x0B */ u32 giftRibbon5:1;
 /* 0x0B */ u32 giftRibbon6:1;
 /* 0x0B */ u32 giftRibbon7:1;
 /* 0x0B */ u32 fatefulEncounter:5; // unused in Ruby/Sapphire, but the high bit must be set for Mew/Deoxys to obey in FR/LG/Emerald
};

union PokemonSubstruct
{
    struct PokemonSubstruct0 type0;
    struct PokemonSubstruct1 type1;
    struct PokemonSubstruct2 type2;
    struct PokemonSubstruct3 type3;
    u16 raw[6];
};

// yes, I know, international lengths, who cares..
#define POKEMON_NAME_LENGTH 10
#define OT_NAME_LENGTH 7

struct BoxPokemon
{
    u32 personality;
    u32 otId;
    u8 nickname[POKEMON_NAME_LENGTH];
    u8 language;
    u8 isBadEgg:1;
    u8 hasSpecies:1;
    u8 isEgg:1;
    u8 unused:5;
    u8 otName[OT_NAME_LENGTH];
    u8 markings;
    u16 checksum;
    u16 unknown;

    union
    {
        u32 raw[12];
        union PokemonSubstruct substructs[4];
    } secure;
};

struct Pokemon
{
    struct BoxPokemon box;
    u32 status;
    u8 level;
    u8 pokerus;
    u16 hp;
    u16 maxHP;
    u16 attack;
    u16 defense;
    u16 speed;
    u16 spAttack;
    u16 spDefense;
};

typedef struct {
    Coords16 pos;
    WarpData location;
    WarpData warps[4];
    u16 battleMusic;
    u8 weather;
    u8 unk_2F;
    u8 flashUsed;
    u16 mapDataID;
    // there's a better way to do this, but for PoC purposes it's fine
    union {
        struct {
            u16 mapView[0x100];
            u8 playerPartyCount;
            struct Pokemon party[6];
        } rse;
        struct {
            u8 playerPartyCount;
            struct Pokemon party[6];
        } frlg;
    } version;
} partialSaveBlock1;

// Your payload code should obviously go into the body of this, the payload function.
void payload(pSaveBlock1 SaveBlock1, pSaveBlock2 SaveBlock2, pSaveBlock3 SaveBlock3) {
    // HoF-warp example payload!
    partialSaveBlock1* psb1 = (partialSaveBlock1*)SaveBlock1;
    if (GAME_FRLG) {
        psb1->location.mapGroup = 1; // generic indoors?
        psb1->location.mapNum = 80;  // Hall of Fame
        // set coords to the same place that the champions' room script sets them to
        psb1->location.x = psb1->pos.x = 5;
        psb1->location.y = psb1->pos.y = 12;
        psb1->mapDataID = 0xDA; // from HoF map-header
    } else {
        psb1->location.mapGroup = 16; // Ever Grande City
        psb1->location.mapNum = 11;   // Hall of Fame
        // set coords to the same place that the champions' room script sets them to
        psb1->location.x = psb1->pos.x = 7;
        psb1->location.y = psb1->pos.y = 16;
        psb1->mapDataID = ( GAME_EM ? 298 : 299 ); // from HoF map-header
    }
    psb1->location.warpId = 0xff;
    // make sure the HoF script doesn't crash, which it will do if 0 pokémon
    if (!GAME_FRLG) {
        if (psb1->version.rse.playerPartyCount == 0) {
            psb1->version.rse.playerPartyCount = 1;
            // this isn't enough, the heal animation recalculates the party count ignoring empty spots
            // so let's hack together one. i don't care about it becoming a bad egg at all.
            psb1->version.rse.party[0].box.personality++;
        }
    } else {
        if (psb1->version.frlg.playerPartyCount == 0) {
            psb1->version.frlg.playerPartyCount = 1;
            // this isn't enough, the heal animation recalculates the party count ignoring empty spots
            // so let's hack together one. i don't care about it becoming a bad egg at all.
            psb1->version.frlg.party[0].box.personality++;
        }
    }
}

Also on the to-do list: Pokémon data structure element getters/setter functions (yaknow, to deal with the substructures and the crypto and the checksumming).
12
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 21, 2017, 09:10:21 am »
I have just made a patcher for the Interactive Multi-Game Demo Disc Version 16 (USA) ISO because I got too bored of doing it manually.

It's made in C#, here's the code:

Code:
using System;
using System.IO;
using System.Text;

class ReplacePayload {

    static bool ByteArrayCompare(byte[] a1, int offseta1, byte[] a2, int offseta2, int length) {
        if (offseta1 + length > a1.Length)
            return false;
        if (offseta2 + length > a2.Length)
            return false;

        for (int i = 0; i < length; i++)
            if (a1[offseta1 + i] != a2[offseta2 + i])
                return false;

        return true;
    }

    public static void Main(string[] args) {
        if (args.Length < 2) {
            Console.WriteLine("Usage: {0} <ISO path> <payload path>", System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName);
            Console.WriteLine("ISO must be \"Interactive Multi-Game Demo Disc Version 16 (USA).iso\"");
            return;
        }
        // read the payload
        byte[] payload;
        try {
            payload = File.ReadAllBytes(args[1]);
        } catch (Exception e) {
            Console.WriteLine("An error occurred when reading the payload.");
            Console.WriteLine(e.ToString());
            return;
        }
        // check the Nintendo logo
        byte[] NintendoLogo = Convert.FromBase64String("JP+uUWmaoiE9hIIKhOQJrREki5jAgX8ho1K+GZMJziAQRkpK+Ccx7FjH6DOC486/hfTflM5LCcGUVorAE3Kn/J+ETXOjypphWJejJ/wDmHYjHcdhAwSuVr84hABApw79/1L+A2+VMPGX+8CFYNaAJaljvgMBTjji+aI0/7s+A0R4AJDLiBE6lGXAfGOH8Dyv1iXkizgKrHIh1PgH");
        if (!ByteArrayCompare(payload, 4, NintendoLogo, 0, NintendoLogo.Length)) {
            Console.WriteLine("The payload file is not a valid GBA binary (bad Nintendo logo)");
            return;
        }
        // check the length
        if (payload.Length > 31872) {
            Console.WriteLine("The payload file is too big. Payload files to be patched in to the ISO can not be larger than 31872 bytes.");
            return;
        }
        // open the file
        FileStream fs;
        try {
            fs = new FileStream(args[0], FileMode.Open, FileAccess.ReadWrite);
        } catch (Exception e) {
            Console.WriteLine("An error occurred when opening the ISO.");
            Console.WriteLine(e.ToString());
            return;
        }

        // make sure this ISO is the right one
        byte[] gameCodeBytes = new byte[6];
        try {
            fs.Read(gameCodeBytes, 0, 6);
        } catch (Exception e) {
            fs.Close();
            Console.WriteLine("An error occurred when reading the game code from the ISO.");
            Console.WriteLine(e.ToString());
            return;
        }
        if (Encoding.ASCII.GetString(gameCodeBytes) != "D79E01") {
            fs.Close();
            Console.WriteLine("This ISO is not Interactive Multi-Game Demo Disc Version 16 (USA)!");
            return;
        }
        // patch the jumps
        foreach (long offset in new long[] { 0x45ded5fc, 0x45ecdf1c }) {
            try {
                fs.Seek(offset, SeekOrigin.Begin);
                fs.WriteByte(0x48);
                fs.WriteByte(0x00);
            } catch (Exception e) {
                fs.Close();
                Console.WriteLine("An error occurred when patching the Berry Glitch fix executable in the ISO.");
                Console.WriteLine(e.ToString());
                return;
            }
        }
        // patch the payload
        try {
            fs.Seek(0x45f2ae30, SeekOrigin.Begin);
            fs.Write(payload, 0, payload.Length);
        } catch (Exception e) {
            fs.Close();
            Console.WriteLine("An error occurred when patching the multiboot payload in the ISO.");
            Console.WriteLine(e.ToString());
            return;
        }
        fs.Close();
        Console.WriteLine("The ISO has been patched successfully and now contains your payload and works with any Gen 3 game.");
    }
}

To compile it, just save it out as replace_payload.cs, open up a command prompt window in the directory you saved it to and run C:\windows\Microsoft.NET\Framework\v4.0.30319\csc replace_payload.cs (for .NET 4.x) or C:\windows\Microsoft.NET\Framework\v2.0.50727\csc replace_payload.cs (for .NET 2.x). It supports both.

You should also be able to use mono in other operating systems too, I believe there the command would be mcs replace_payload.cs
(you can also use the official MS .NET Framework in wine if that's your thing.)

It's a command line executable, just run it like replace_payload.exe "Interactive Multi-Game Demo Disc Version 16 (USA) - Copy.iso" gba_pkjb.gba

Obviously replace the ISO and multiboot image paths as appropriate. Run it on a copy of the ISO as it will overwrite the ISO.
13
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 21, 2017, 04:04:11 am »
So even Fire Red/Leaf Green game?

Yes, although with the following caveats:

- some payloads designed for RSE won't work on FRLG (the example one works fine everywhere though)
- parts of the FRLGE save files are encrypted, working on rectifying that
14
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 20, 2017, 12:39:14 pm »
I've made a new commit that updates the payload: https://github.com/Wack0/gba-gen3multiboot/commit/d448823ffb540cb462548552efe4b5650e66de95

It now supports every Generation III game (except Pokémon LeafGreen v1.1 (Japan) due to it being undumped).

I haven't tested some Generation III games, mostly Sapphire which in every instance have the same offsets as Ruby. If the payload doesn't work on one of your Generation III games, post here, or create a GitHub issue, or both.

Payload code now goes into the payload() function in payload.c, because main() is now over 200 lines long to detect the Generation III game.

Coming soon(tm): actual save-block structure definition. "Soon(tm)" because I don't really want to do that right now. If anyone wants to do it for me, make a start or help me with it, pull requests would be much appreciated - it may motivate me to finish it sooner. :)
15
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 19, 2017, 04:38:24 pm »
Meanwhile, I'm busy working on getting the example payload compatible with all of Gen 3.

I'd like to note something pretty important here.

Game Freak were sneaky fuckers.

In FR/LG (and probably Emerald as well) they left the save file loading code in place..

..then they added new code that reloads the save at the title screen after setting up ASLR.

Of course, my current in-dev payload now bypasses this.. by bypassing the title screen entirely and jumping straight to the Continue/New Game menu.