
Topics - Wack0

Generation III Glitch Discussion / Gen III Remote Code Execution
« on: February 18, 2017, 07:58:35 pm »
TL;DR: with a Wii or GameCube where you can run homebrew (obviously easier with a Wii), and a GBA->GC link cable, you can abuse the functionality officially used by Pokémon Colosseum/XD/a bunch of Berry Glitch fixdiscs to get code exec in the context of Gen III.
(of course, you could also use the GBA BIOS multiboot, but here you don't have to press any buttons on the GBA BIOS to get multiboot going! And because this is in the Gen III ROM, this can legitimately be called Gen III RCE :P)

What is this?
Have you ever connected up Pokémon Colosseum/XD to your Gen III game? Remember how it told you to turn the GBA on with the GBA->GC link cable plugged in, then it took an awfully long time on the copyright screen and then showed some Colosseum/XD thing?
The awfully long time on the copyright screen was Colosseum/XD transferring a multiboot image (basically a GBA ROM image with modifications, namely it runs from RAM lol) to your GBA. The Colosseum/XD thing on the GBA was basically your GBA executing that multiboot image.
After two days of reversing (this multiboot protocol is pretty different to the one used by the BIOS, but it does have a couple of similarities), I got a respectable PoC working. So, where else to release this to the world?

Here's an image of, basically, the very PoC I'm releasing today. The payload only supports an English Pokémon Ruby, version 1.0, 1.1 or 1.2 (because that's the only one of my Gen III carts I could find; I didn't know what version it was; and the GC/Wii-side application doesn't work inside Dolphin); the payload now supports every Generation III game, except Pokémon LeafGreen v1.1 (Japan) due to it being undumped; it calls the game's save-loading function, replaces the first character of the player name with 'z', then returns to the game (by calling the game's main loop as a function, because just returning would reload the save and overwrite the change made).

Where's the code?
Right here:

If you want to modify the GBA-side payload, you can naturally find it in the gba directory. Note that the payload is in the C language. A refreshing change of pace from position-independent ASM shellcode, I'm sure you'll agree.

To compile this, you'll need devkitPro (devkitARM for the GBA side and devkitPPC for the GC/Wii side). Remember, this is very much a proof of concept which I'm sure will be improved on by others.

How do I run it after compiling?

I assume you have a Wii (I'm not even going to mention GameCube, I think all the good ways to get homebrew running there need a Wii anyway lol), with the Homebrew Channel installed and running. Just execute the compiled gen3multiboot_wii.dol there. When testing, I always used wiiload, it being quicker than copying a new binary to the SD card every time.

Make sure you have a GameCube controller plugged into controller port 1 and your GC->GBA link cable plugged into port 2.

Hey, it didn't work. What gives?

Code execution on the GBA side is not 100% reliable for some reason. A couple of different things could go wrong. If you see an error about KeyC derivation, you should just be able to turn your GBA off, press any button on your GameCube controller plugged into port 1, then turn your GBA back on again.

If, however, your GBA didn't seem to notice the code being transferred to it, and your Wii has frozen on a line with a CRC, you're going to need to power off both GBA and Wii, turn your Wii back on, get back into the Homebrew Channel and run gen3multiboot_wii.dol again.

It may take a few tries but it will eventually work.

What is this "different" protocol?

If you want technical details, best see the source code.
At a higher level, it goes like this:

  • GBA game starts, game calls the multiboot main() function
  • GC sends a reset command, GBA sends a game code
  • GC receives game code, maybe checks to see if it's supported, and sends it back to GBA
  • GBA checks this, if it's wrong then GBA stops listening on the JoyBus link cable
  • GC generates and sends the first of three 32-bit encryption keys. This is officially (yay for debug messages!) called "KeyA" (imaginative). GBA checks one of the bytes to make sure it's valid, then generates and sends its own encryption key, "KeyB".
  • KeyA and KeyB are XORed together to form the initial value of the checksum (algorithm used is the same as the GBA BIOS multiboot). This value is also obfuscated to form a session key that will be used to encrypt most of the multiboot image when it is sent (again, algorithm used is the same as GBA BIOS).
  • GC sends the size of the multiboot image it's about to send, in uint32s, to GBA. GC then sends the ROM header (up to 0xA0, the end of the Nintendo logo) to GBA in the clear. When this is done, GBA checks the received Nintendo logo to make sure it's the same as the Nintendo logo in the ROM of the cartridge it's executing. If not, GBA stops listening on the JoyBus link cable.
  • GC sends the rest of the multiboot image to the GBA. Each uint32 is encrypted using the session key, which is also incremented in the same way as the GBA BIOS multiboot. Each plaintext uint32 is also checksummed, using the existing checksum as the initial value, again the algorithm used here is the same as the GBA BIOS multiboot.
  • GBA, as it's receiving the image, decrypts it, and checksums the plaintext in the same way. After this is done, the GBA will send GC a value that can be used with the correct multiboot image checksum to derive KeyC, which was created by GBA using some historical value of its VCount register.
  • GC receives this value, and attempts to derive KeyC. It will use the derived KeyC to create a "boot key" which is sent to GBA; if this boot key is the same as the one the GBA already created, it will call the entry point of the sent multiboot image. If not, GBA will stop listening on the JoyBus link cable.

This took me quite some time of reversing work to figure out (there was lots of info about the GBA BIOS multiboot protocol on the internet; only ARM ASM code about this one, from the Pokémon reverse engineering project). I hope it helps someone.
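As an added illustration of the sequence above (not code from the original post or from the gen3multiboot repository), here is a constructed Python model of the exchange with both sides' messages and the points where the GBA drops off the link. The key schedule, checksum, KeyA byte check and boot-key derivation are stand-ins with made-up constants, since the post defers the real BIOS-style algorithms to the source; the game codes, keys and image bytes used are constructed as well.

```python
import struct

MASK, HEADER_LEN = 0xFFFFFFFF, 0xA0  # header through the Nintendo logo is sent in the clear

# Stand-in primitives with constructed constants: the post leaves the real BIOS-style
# algorithms to the source code, so these only model their shape and data flow.
def obfuscate(x):            # checksum seed -> session key; VCount -> KeyC
    return (x * 0x41C64E6D + 0x3039) & MASK

def step_key(k):             # per-word session-key increment
    return (k + 0x9E3779B9) & MASK

def checksum_word(c, word):  # fold one plaintext uint32 into the running checksum
    c ^= word
    for _ in range(32):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c

class Gba:
    """Cartridge side: any failed check makes it stop listening on the JoyBus link."""
    def __init__(self, game_code, cart_logo, vcount, key_b):
        self.code, self.logo, self.vcount, self.key_b = game_code, cart_logo, vcount, key_b
        self.listening, self.words = True, []
    def reset(self):                    # GC reset command -> GBA answers with its game code
        return self.code
    def echo(self, code):               # GC sends the code back; GBA verifies it
        self.listening = self.listening and code == self.code
    def key_a(self, key_a):             # assumption: one byte of KeyA is range-checked
        self.listening = self.listening and key_a >> 24 != 0
        self.checksum = key_a ^ self.key_b          # initial checksum value
        self.session = obfuscate(self.checksum)     # session key for the image body
        return self.key_b
    def header(self, hdr):              # received logo must match the cartridge's own
        self.listening = self.listening and hdr[4:HEADER_LEN] == self.logo
    def word(self, enc):                # decrypt, advance the key, checksum the plaintext
        plain = enc ^ self.session
        self.session = step_key(self.session)
        self.checksum = checksum_word(self.checksum, plain)
        self.words.append(plain)
    def finish(self):                   # hint GC combines with the image checksum to get KeyC
        self.key_c = obfuscate(self.vcount)
        return self.key_c ^ self.checksum
    def boot(self, boot_key):           # the image that would be jumped into, or None
        self.listening = self.listening and boot_key == self.key_c ^ 0x5A5A5A5A
        return b"".join(struct.pack("<I", w) for w in self.words) if self.listening else None

def gc_multiboot(gba, image, supported, key_a, flip_word=None):
    """GC/Wii side. flip_word simulates one uint32 corrupted on the link."""
    code = gba.reset()
    if code not in supported: return "unsupported game"
    gba.echo(code)
    key_b = gba.key_a(key_a)
    checksum, session = key_a ^ key_b, obfuscate(key_a ^ key_b)
    gba.header(image[:HEADER_LEN])      # the size in uint32s precedes this on the wire
    if not gba.listening: return "rejected before image transfer"
    for i, (w,) in enumerate(struct.iter_unpack("<I", image[HEADER_LEN:])):
        gba.word((w ^ session) ^ int(i == flip_word))
        session, checksum = step_key(session), checksum_word(checksum, w)
    key_c = gba.finish() ^ checksum    # KeyC derivation; wrong if the checksums disagree
    return "booted" if gba.boot(key_c ^ 0x5A5A5A5A) == image[HEADER_LEN:] else "boot key rejected"
```

Flipping a single word on the link (flip_word) reproduces the post's unreliable-transfer case: the two running checksums diverge, the GC derives the wrong KeyC, and the GBA refuses the boot key instead of jumping to the entry point.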
Generation VII Glitch Discussion / Gen VII invalid Pokémon / etc research
« on: December 09, 2016, 11:06:29 am »
Finally got that modded PKHeX compiled. Find it here - mirrors would be appreciated.

Expect lots and lots of lag, this has support for Pokémon/items/attacks up to 0xffff.

I took a Pokémon in my box, made a copy of it, changed its species to 0xffff, gave it move 0xffff, shoved it in the PC.

When hovering over it in the PC I got a nice crash, a null pointer deref related to the attack name (Luma's exception dump showed r0 to r4 all being zero, and pc pointed at ldr r1, [r4, #0x84]).

Changed the attack 0xffff to something valid (Flamethrower), and now I can hover over it in the PC! It looks like Kirlia; and viewing its summary crashes in the exact same place as before.

0xffff's species name is not constant. I think it's based on the level number of the Pokémon you previously selected or something. (it changed from "70" to "64", then hovering over it inside the PC when the Pokémon was in the party caused a crash)

OK, that's interesting. Put 0xffff in the party, went back out of the PC, went back into the PC, touched 0xffff (to avoid a crash), and it now looks like Staravia.

He forced a mystery gift retrieval when there was nothing waiting and got a Bad Egg named after himself.
Pokémon Discussion / R/B/Y VC, and butthurt morons on miiverse
« on: October 25, 2016, 06:42:18 pm »
So I hopped onto miiverse for the first time in a while and looked through the Gen1VC community.

I noticed at least one person spreading rumours that "you'll never be able to send your fake Mew to Sun/Moon" on posts showing a wild Mew encounter or capture using Trainer-Fly.

Of course this is pure speculation at this point, we won't know for sure what Gen1VC transfer stuff will be accepted until Gen7's release.

I can only assume the people spreading these rumours never managed to do Trainer-Fly successfully, and are taking out their anger on others.

This page showed up in my Twitter feed today. I thought some people here may find it interesting.

Some of the art made for the incompatibility messages happens to be rather enjoyable.

I wonder why the incompatibility message for the German version of Monsters Inc (GBC) got inverted when compared to the English version.

I also note similar fonts used in some of the messages; could these be tied together by a common dev? (the one I noticed specifically was the one used by Micromachines V3, Championship Motocross, and other GBC games; as it's also used in the copyright messages of the first Harry Potter game for GBA, which I have a cart of.)
Forum Discussion / Forum links broken?
« on: August 12, 2016, 05:51:29 pm »
Seems the recent maintenance changed the forum URL format and broke all external links to topics, posts etc?
Pokémon Discussion / I figured out the cause of my dead Red cart.
« on: August 10, 2016, 04:12:57 am »
Turns out the bank switcher is screwed, and only the first 512kb of the ROM can be accessed.

Other carts (Red and Blue) have developed the same issue over time.

Have fun screwing about with it in an emulator, just cut a Red or Blue ROM down to the first 512kb!

The article details code exec in Gen 1 via save corruption, and utilising that to escape the SGB to get full code exec on the SNES.

As is the style of PoC||GTFO, the PDF is also valid as a zip file (which includes a copy of the pokered disassembly), and as an LSNES movie which does that.
Video Games/Glitches Discussion / The Simpsons Hit and Run
« on: December 18, 2015, 11:59:31 am »
I saw this video

I think a topic discussing some of these things would be interesting.

I've done a little experimentation and I got the no vehicles glitch to work by going into a race, canceling it then immediately selecting a mission. I noticed it does not work at all in certain types of missions, as in those that require you to interact some way with a vehicle (follow, hit and collect, destroy etc).

Next up, void fun. I haven't yet consistently managed to get into the void from that spot in Level 7, I think practise is needed. However the guy who made the video forgot that you can press a button to respawn your car (Back on Xbox, not sure about other platforms). I reproduced getting to Kang and Kodos' spaceship through the void, but hitting the Back button after hitting the invisible wall respawned my car on the other side of the wall, and driving into the spaceship destroyed my car as usual! I still think horn-to-jump is the easiest way to get into the void though.

EDIT: I just successfully completed L7M3 going exclusively through the void, using horn to jump to get in. I had ~45 seconds left on the clock on completion (as a reminder, in L7M3 you have 1:40 to travel the entire length of the map (power plant to school playground)).
Generation VI Glitch Discussion / Invalid Pokémon in Gen 6
« on: January 30, 2015, 02:25:02 pm »
So, thanks to the 9.x browser exploit, we're now in a position to research Gen 6.

I patched PKHex to allow for invalid moves, items and Pokémon. Above a certain point, when selecting an invalid Pokémon from the list, it will throw an exception, but you can just click continue and it'll work fine.

First thing to note is that invalid Pokémon (in Omega Ruby at least) seem to use Bulbasaur's sprite/texture, and have Normal type. I'm not sure how it gets the cry, one of them has Deoxys' cry. They do not learn any moves, and cannot be taught any TMs or HMs.

I first used some invalid Pokémon close to the last valid one, that don't error out, and got unremarkable Pokémon with bad stats. (14 Speed after Rare Candying to Level 100!)

I then tried 0x82B1, and it's pretty unstable, as I assume most will be. I had to use Withdraw Pokémon, withdraw 0x82B1 then press B straight away to avoid a freeze. I tried to use a Rare Candy on it and the game froze, probably trying to recalculate stats. It has no cry, and Pokédex number ?55 (convert 0x82B1 to decimal to see why that is!)

No screenshots yet (I'm obviously doing this on real hardware and I don't have any decent way to take them), but the glitch Pokémon I tried (not 0x82B1 yet!) worked fine in battles and in contests. As said by someone else, species names seem to be dynamic. Sometimes they are blank, in summary screens it's their dex number and so on.

When I get home, I'll provide a download link to the modded PkHex. That is if Torchickens hasn't uploaded it (I already gave it to him). It's a .NET exe so you *should* be able to run it on non-Windows platforms using mono.

Apologies for any typos, etc in this post, I made it on my Android tablet.
Otherwise known as: Adventures of my Glitchy Ruby Save File, Part (TM)34.

If you don't know, I used cheats on a brand new Ruby save file. This gives me access to 255 Pokémon. I also cheated the Retire option to warp to the Safari Zone. Current location: Lilycove City.

Enough of that, here's why I made this topic.

As you should know, some glitch moves corrupt RAM when their names are displayed. The 18th Pokémon from the bottom on my Ruby save contains three stable-enough glitch moves. One or more of them corrupt my Berry pocket, giving me two different glitch berries, quantity 12369.

I had the bright idea to check the tags. The first one causes a freeze. The second, however...

Well, it shows a glitched tag. Either a discoloured Cheri Berry tag with a glitch sprite, or a discoloured blank tag with a glitch sprite. Anyway, the fun begins when you go back to your bag.

This unknown glitch berry tag corrupts a lot of RAM. All items pockets got corrupted (TM34 was in every pocket, working as usual). On at least one occasion I got Doubleslap as an HM (HM 7920 in case you are wondering). Use one of the many, many ???????? items you have, and watch as Dad's message gives way to an insanely long corrupted name, that I let scroll by for five minutes before deciding enough was enough and resetting already. Using one of your TMs (choose a pocket, any pocket!) shows your party isn't corrupted, but even your gender got corrupted (I was Brendan, but the Bag's blue pattern changed to red). Unfortunately, the whole truth you never get to see. Exit your Bag to get a freeze. Maybe due to the insanely long name. I don't know.

Now then, who wants to hack the Pokémon and Retire options onto a brand new Ruby save and do this for yourself, as real hardware means I have absolutely no idea what the index number of this glitch berry is.

Or, by the way TM34s showed up in my berry pocket, maybe it's some kind of side-effect of a non-berry in the berry pocket? It could be a bog standard ???????? item for all I know.
Generation VI Glitch Discussion / ORAS Surfing Wailmer evolve freeze
« on: December 02, 2014, 08:32:29 am »
Found this thread on reddit:

Will quote the contents just in case the post gets deleted.

Wailmer, as we all know, has a special surf sprite. If you let it evolve while you are surfing on it, your game crashes and both screens go black.

Can anyone confirm?
Remember Newo's old extended hacker? Well, screw that. It was always buggy, probably because I don't think Newo actually had the source code.

I've taken karatekid552's Gen 3 hacking suite (that's coded in python for proper multiplatform support), and added support for invalid pokemon, and everything that goes with that.

The only known bug is that the moves tab on glitch Pokémon (probably) isn't right; and obviously, don't even TRY to edit data about an invalid pokemon!

The Egg Moves tab also doesn't work with invalid Pokémon... but seeing as most decamarks freeze on hatch anyway...

Please note that it will take a few minutes to load a ROM with this tool...


Win32 (self-contained exe):
Python 2 code (for running on other platforms - needs Python Imaging Library and wxPython2.8):
Generation II Glitch Discussion / Possible glitch in Celebi Machines
« on: September 06, 2014, 01:39:51 pm »
Obviously, it is not known if there are any Mew/Celebi Machines in the wild anymore. And of course, there were different revisions of the Celebi Machine (the earliest ones seen at events like Pokémon Fun Fest 2001 had the same blue-coloured case as a Mew Machine, later Celebi Machines had a yellow case).

Anyway, last night I was scouring the internet for any info related to the Mew/Celebi Machines, and came across this page:

It mentions a supposed Nintendo employee, "Arnold", using an early Celebi machine at Fun Fest 2001. (you can see a picture of said Celebi machine, from the back)

I will quote from the page here, with typos intact:

"A few minuets later he tried uploading Celebi to my Silver and it crashed. I got nervous thinking my game’s memory was erased.  Arnold seemed to know what he was doing. He put my Silver into his Gameboy and turned it on. I asked him what was the matter. He said, ”I’m looking for a Pokémon with an item attached to it”. He told me 1of my Pokémon, “Kenya”, had mail attached to it.  He told me to take the mail off of it. So I took the mail off and saved. Then I took Silver out of his Gameboy. A couple of minutes later I gave my silver back to Arnold and he uploaded Celebi. I was so HAPPY!"

So, there was a known glitch in Celebi Machines (at least, the early ones) wherein it would freeze if a Pokémon (probably in the party) had a hold item attached.

Obviously, without a ROM dump of the Celebi Machine's ROM (which will naturally happen when hell freezes over :p), any further details regarding this glitch are unknown.

(By the way, according to visible SGB borders in photos from the time, the Mew Machine used a ROM based on Japanese Blue; and the Celebi Machine used a ROM based on Japanese Gold)
Arbitrary Code Execution Discussion / R/B: Battle Test Debug Function
« on: July 29, 2014, 02:56:02 am »
I noticed this debug function in the pokered disasm just now, which has been stubbed out (ret placed at the beginning). It's been documented, but there's no reference to it on any other site yet.

Code:

; (the stores of the loaded values were dropped from the pasted listing;
;  they are restored here as in the pokered source)
.loop
	call GBPalNormal

	; Don't mess around
	; with obedience.
	ld a, %10000000 ; EARTHBADGE
	ld [W_OBTAINEDBADGES], a
	ld hl, W_FLAGS_D733
	set 0, [hl]

	; Reset the party.
	ld hl, wPartyCount
	xor a
	ld [hli], a
	dec a
	ld [hl], a

	; Give the player a
	; level 20 Rhydon.
	ld a, RHYDON
	ld [wcf91], a
	ld a, 20
	ld [W_CURENEMYLVL], a
	xor a
	ld [wcc49], a
	ld [W_CURMAP], a
	call AddPartyMon

	; Fight against a
	; level 20 Rhydon.
	ld a, RHYDON
	ld [W_CUROPPONENT], a
	predef InitOpponent

	; When the battle ends,
	; do it all again.
	ld a, 1
	ld [wcfcb], a
	ld [H_AUTOBGTRANSFERENABLED], a
	jr .loop

I think the comments are enough to explain this one.

The actual function start (after the ret) is at 1:4da6. So here's 8F code for it!

Code:
ld c,$01
ld h,$4d
ld l,$a6
ld b,c
ld b,b
call $35d6
ret

0e 01 26 4d 2e a6 41 40 cd d6 35 c9

Awakening  x  1
Carbos     x77
X Accuracy x166
X Attack   x 64
TM05       x214
Revive     x201
