Topic: PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info


MarcinTVP8 (GCLF Member)
Finally! I found arbitrary code execution in Pokémon Mystery Dungeon: Red Rescue Team!

Viewing a hex:0999 glitch move's info will cause the game to start executing code somewhere around 5ec1200c.

Viewing the glitch move name rarely occurs, so I have prepared a save state for this.

Just load the save state in VBA, click Info, and enjoy the glitchness!

(Note: The save state has been created on VBA version 1.8.0)

SatoMew (Member+)
Did you use original VBA? Since that emulator is very old and inaccurate, could you please try VBA-M and/or mGBA?

MarcinTVP8 (GCLF Member)
I did use the VBA 1.8.0 and I do not want to change versions.

TheZZAZZGlitch (Distinguished Member)
I checked it; this is a buffer overflow caused by the glitch move's description. Code execution takes place by overwriting the IRQ handler (similar to what happens in Gen III with decamark summary screens).
This exact move is not exploitable, since the instruction pointer lands in unmapped memory. But there probably is an index that would work for ACE.

Edit: Never mind, it actually locks up the game in both mGBA and No$gba Debug, so I'm forced to think that this is just an emulation error.
« Last Edit: January 10, 2017, 08:29:21 am by TheZZAZZGlitch »
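To illustrate the two points in the post above (an over-long move description overflowing into the IRQ handler slot, and an address such as 5ec1200c falling outside any mapped GBA region), here is an added C example; it is not code from the thread or from the game. The 16-byte buffer layout is a hypothetical model, and the handler slot address 0x03007FFC and the region table are general GBA hardware facts rather than anything the thread states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Coarse GBA address-space map (general hardware facts; mirrors ignored). */
typedef struct { uint32_t lo, hi; const char *name; } region_t;
static const region_t GBA_MAP[] = {
    {0x00000000u, 0x00003FFFu, "BIOS"},    {0x02000000u, 0x0203FFFFu, "EWRAM"},
    {0x03000000u, 0x03007FFFu, "IWRAM"},   {0x04000000u, 0x040003FFu, "IO"},
    {0x05000000u, 0x050003FFu, "Palette"}, {0x06000000u, 0x06017FFFu, "VRAM"},
    {0x07000000u, 0x070003FFu, "OAM"},     {0x08000000u, 0x0DFFFFFFu, "ROM"},
    {0x0E000000u, 0x0E00FFFFu, "SRAM"},
};

/* Region backing addr, or "unmapped": a PC landing there (the thread's 5ec1200c)
 * has no code behind it, which is why the post calls that index non-exploitable. */
const char *gba_region(uint32_t addr) {
    for (size_t i = 0; i < sizeof GBA_MAP / sizeof GBA_MAP[0]; i++)
        if (addr >= GBA_MAP[i].lo && addr <= GBA_MAP[i].hi) return GBA_MAP[i].name;
    return "unmapped";
}

/* Hypothetical layout: a 16-byte description buffer directly followed by the 4-byte
 * IRQ handler slot, standing in for the 0x03007FFC vector at the top of IWRAM. */
#define DESC_LEN 16
#define RAM_LEN (DESC_LEN + 4)
#define REAL_HANDLER 0x08001000u  /* constructed: a legitimate handler inside ROM */

static uint32_t run_copy(const char *desc, int bounded) {
    uint8_t ram[RAM_LEN];
    uint32_t real = REAL_HANDLER, handler;
    memset(ram, 0, sizeof ram);
    memcpy(ram + DESC_LEN, &real, sizeof real);
    size_t n = strlen(desc);
    if (bounded && n > DESC_LEN - 1) n = DESC_LEN - 1;  /* hardened: truncate to the buffer */
    if (n > RAM_LEN) n = RAM_LEN;                        /* keeps this model itself in bounds */
    memcpy(ram, desc, n);          /* unbounded path runs past the buffer into the slot */
    memcpy(&handler, ram + DESC_LEN, sizeof handler);
    return handler;
}
uint32_t vulnerable_copy(const char *desc) { return run_copy(desc, 0); }
uint32_t hardened_copy(const char *desc)   { return run_copy(desc, 1); }

int main(void) {
    const char *glitch_desc = "AAAAAAAAAAAAAAAAAAAA";  /* constructed 20-byte over-long description */
    uint32_t bad = vulnerable_copy(glitch_desc), ok = hardened_copy(glitch_desc);
    printf("unbounded copy: handler=0x%08X (%s)\n", (unsigned)bad, gba_region(bad));
    printf("bounded copy:   handler=0x%08X (%s)\n", (unsigned)ok, gba_region(ok));
    printf("thread's landing address 0x5EC1200C is %s\n", gba_region(0x5EC1200Cu));
    return 0;
}
```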