

Messages - Wack0

1
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: Yesterday at 04:26:07 pm »
I wonder how awkward that MD5 implementation is...

Game Freak's parser bugs don't surprise me. An RCE vector here would allow for some interesting custom servers; however RCE via trades exists too, which would be the more dangerous, in my opinion, as any player could trigger it. I guess a custom server would have to somehow detect it (given this RCE vuln would be in the P2P communication with "phone numbers" etc).

And now I'm thinking about a server with its own partial GB emulator, MITMing the connection if it detects an RCE via trading, and specifically implementing GB Mobile Adapter emulation itself so the payload can get any further data... Saved off for further reversing/analysis of course.
2
But if they do a Celebi event just like Mew, there won't be a way to change its ID and OT so it transfers on non-English versions.

Trading to an English version to do Coin Case code exec may work for European G/S.

Maybe TMs outside of TM pocket code exec (like Crystal) too? Has anybody looked into that in G/S? I guess that would require trading too, though.

Also, possibly Johto Guard Glitch trading back to Gen I and doing it there? I'm probably forgetting something important that would stop that from working, though.
3
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 06, 2017, 08:44:12 am »
I looked at the code, the emulation there is incomplete, and seems only there to get Mobile Trainer to work.
4
More ACE? Goddamn, this is getting out of hand. How many, total, have been found across the series?

I haven't kept track since that post ISSOtm made, but for Gold/Silver/Crystal there is:

1) Coin Case glitch (EN Gold/Silver only)
2) Move 0x00's type ACE (EN Gold/Silver)
3) Unterminated name Pokémon ACE (Crystal only)
4) Wrong pocket TM/HM ACE (Gold/Silver/Crystal)
5) Glitch Pokédex mode ACE (Gold/Silver(?), Crystal)
6) OAM DMA hijacking (requires another form of arbitrary code execution)

Theoretically as well you can execute arbitrary code with other glitch moves. I noticed opening the Fight menu with move 0xFD as the only move in Japanese Crystal after using an X Accuracy could execute code from WRAM but only to run into a rst 38 (FF byte).

Surprisingly quite a lot for Generation II!

As for Generation III there seem to be only two documented so far:

1) Glitch Pokémon summary ACE
2) Glitch move animation ACE

For the record, you missed RCE through trading in Gen II (TheZZAZZGlitch demonstrated it once, I think his YouTube video description said the bug was similar if not the exact same as the one used for trade RCE in Gen I), and RCE through JoyBus link in Gen III.
5
I came across this thread looking for something else, and thought this looked familiar to me.

Indeed, this multiboot image is not unused.

The GameCube multiboot code changed from R/S to FR/LG/Emerald.

In R/S, after a multiboot image has been completely transferred over JoyBus, interrupts are disabled and the multiboot image is jumped to (the jump points to 0x20000C0, leaving the jump past the image header at offset 0 of the multiboot image unused. This was probably done for a very good reason: the entire 0xC0-byte image header is transferred over JoyBus in the clear, whereas everything after that is encrypted).

In FR/LG/Emerald, after a multiboot image has been completely transferred over JoyBus, the game code of the transferred multiboot image at 0x20000AC is checked. If it is equal to 0x65366347 (with endianness conversion, that's 'Gc6e', the game code for Pokémon Colosseum, specifically the NTSC-US version), the multiboot image that's the subject of this thread is copied to 0x2000000 (i.e., copied over the transferred multiboot image), and THEN interrupts are disabled and the multiboot image is jumped to.

This was most likely done for compatibility; my guess is that the original Colosseum (US) multiboot image is incompatible with FR/LG/Emerald.
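Added example, not code from Wack0's post or from the gen3-multiboot project: a small model of the check the post describes. The first 0xC0 bytes of a multiboot image are the standard GBA header (the part that crosses JoyBus in the clear); the game code sits at offset 0xAC, and FR/LG/Emerald compare that word, read little-endian, against 0x65366347 ('Gc6e'). The header complement check is the standard GBA one, included because it is the only integrity check the cleartext header carries. The sample header bytes, title and maker code are constructed; only the 'Gc6e' value comes from the post.

```c
/* Added example, not Wack0's code or the game's own. Models the FR/LG/E
 * game-code check on a received multiboot image plus the standard GBA header
 * complement check. Header layout is the documented GBA cartridge/multiboot
 * header; COLOSSEUM_US_GAME_CODE is the value quoted in the post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB_HEADER_SIZE  0xC0u          /* bytes 0x00..0xBF are sent unencrypted */
#define OFF_TITLE       0xA0u          /* 12-byte title */
#define OFF_GAME_CODE   0xACu          /* 4-byte game code, e.g. "Gc6e" */
#define OFF_MAKER_CODE  0xB0u          /* 2-byte maker code */
#define OFF_FIXED_96    0xB2u          /* must be 0x96 */
#define OFF_COMPLEMENT  0xBDu          /* header complement byte */
#define COLOSSEUM_US_GAME_CODE 0x65366347u  /* "Gc6e" read as a little-endian u32 */

/* Read a 32-bit word the way the GBA's CPU would: little-endian. */
uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Standard GBA header complement: -(sum of bytes 0xA0..0xBC) - 0x19, low byte. */
uint8_t gba_header_complement(const uint8_t *hdr) {
    uint8_t chk = 0;
    for (unsigned i = OFF_TITLE; i <= 0xBCu; i++) chk = (uint8_t)(chk - hdr[i]);
    return (uint8_t)(chk - 0x19u);
}

/* Integrity check on the cleartext header: fixed byte and complement must match. */
int header_complement_ok(const uint8_t *hdr) {
    return hdr[OFF_FIXED_96] == 0x96 &&
           hdr[OFF_COMPLEMENT] == gba_header_complement(hdr);
}

/* The FR/LG/Emerald decision from the post: does the received image identify
 * itself as Colosseum (US)? If so, the game substitutes its own built-in image. */
int is_colosseum_us_image(const uint8_t *hdr) {
    return read_le32(hdr + OFF_GAME_CODE) == COLOSSEUM_US_GAME_CODE;
}

/* Fill a constructed header: zeroed, with the given game code and a valid complement. */
void build_sample_header(uint8_t *hdr, const char *game_code) {
    memset(hdr, 0, MB_HEADER_SIZE);
    memcpy(hdr + OFF_TITLE, "SAMPLE", 6);      /* constructed title */
    memcpy(hdr + OFF_GAME_CODE, game_code, 4);
    memcpy(hdr + OFF_MAKER_CODE, "01", 2);     /* constructed maker code */
    hdr[OFF_FIXED_96] = 0x96;
    hdr[OFF_COMPLEMENT] = gba_header_complement(hdr);
}

int main(void) {
    uint8_t hdr[MB_HEADER_SIZE];
    build_sample_header(hdr, "Gc6e");
    printf("game code word: 0x%08X, Colosseum US: %d, complement ok: %d\n",
           read_le32(hdr + OFF_GAME_CODE), is_colosseum_us_image(hdr),
           header_complement_ok(hdr));
    hdr[OFF_GAME_CODE + 3] = 'p';   /* simulate a corrupted or different game code */
    printf("after change: Colosseum US: %d, complement ok: %d\n",
           is_colosseum_us_image(hdr), header_complement_ok(hdr));
    return 0;
}
```

The point of pairing the two checks: the game-code comparison only decides which image gets run, while the complement byte is the only thing that catches a header damaged in transit, and neither says anything about the encrypted body that follows.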
6
Generation I Glitch Discussion / Re: Glitch Pikachu cries in Yellow
« on: April 26, 2017, 01:31:29 pm »
I was just playing around with some of these.
https://youtu.be/NwH3Z4cZYEg

Your video seems to only demonstrate valid cries. Invalid cries start from hex 0x2A (decimal 42).
7
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 20, 2017, 07:51:15 am »
I updated the invite link in the first post.
8
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 24, 2017, 05:50:07 am »
Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

I'm getting off topic, but the GBA 10ANNIV ROM (and probably others) worked by sending a client application to the GBA from another GBA. The leaked official SDK has an example about this too (by the way, one of the 10ANNIV ROMs was made public recently).

That uses the GBA BIOS multiboot, which is different from the multiboot implemented inside of R/S/E/FR/LG (which uses the JoyBus protocol over the link cable for communication with the GameCube games).
9
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 11:30:17 am »
Would be interesting to see this implemented as a GBA to GBA homebrew.

Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.
10
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 07:26:52 am »
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

GBA uses ARMv4...

Anyway, if you want code exec, and you have a Wii and a GC->GBA link cable, you can use the RCE I found and detailed here http://forums.glitchcity.info/index.php?topic=7861.0

You'll be able to write your payloads in C there, hopefully it's what you need (you'd be able to get the items with it as well, FYI, you'll have lots of space for your payload, about 124 KB...)
11
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: March 18, 2017, 03:34:58 pm »
A little off topic here, but since you reversed the transferred ROM and know how game detection works, would modifying the Colosseum USA/JAP bonus disc to accept other region carts be feasible? I'd really like to test that. I checked the code a little; do they only use game codes for that?

I reversed the transfer process itself, not any transferred multiboot images.
12
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: February 27, 2017, 03:45:50 pm »
The invitation link is dead again.
How fast do these links expire?

Try this link, I just generated a nonexpiring one: https://discord.gg/FHdxXSb

I still can't join. It keeps giving me the same message:
The instant invite is invalid or has expired
I'm using the web interface, not the app. I've never used Discord before, so I have no idea if this is an issue.

That's weird. Perhaps you could try using a different browser?
13
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: February 27, 2017, 11:46:22 am »
The invitation link is dead again.
How fast do these links expire?

Try this link, I just generated a nonexpiring one: https://discord.gg/FHdxXSb
14
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 26, 2017, 08:44:59 am »
New major commit.

  • Added save-block structure definitions
  • Added a helper library, includes functions for decrypting and encrypting Pokémon structures (encrypting also fixes the checksum); a function to get a Pokémon substructure (it's less than 10% of the size of the original!); helper functions for getting specific substructures; functions for calculating and fixing a Pokémon's checksum (in case you want to do this manually); functions for calculating Enigma Berry checksums; and a function for calculating a ramscript (that feature that overrides NPC scripts) checksum.
  • Changed the example payload; it's now an adapted version of the one in the previous post that warps to the Hall of Fame, so that the example is the ideal of how a payload should look (supporting all of R/S/FR/LG/E, etc.).

Now, writing payloads should be easier.

Here's another example payload that adds a ramscript, which replaces Brendan's mother's script (R/S/E)/Red's mother's script (FR/LG), causing them to say "Pwned!". (Yes, I know you won't be able to see it if you're playing R/S/E as May, but really, it's such a small change that you should be able to figure it out pretty easily.)

Code:
/*
 * Example Gen3-multiboot payload by slipstream/RoL 2017.
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 *
 * payload.c: place where user payload should go :)
 */

#include <gba.h>
#include <string.h>
#include "payload.h"

// Your payload code should obviously go into the body of this, the payload function.
void payload(pSaveBlock1 SaveBlock1, pSaveBlock2 SaveBlock2, pSaveBlock3 SaveBlock3) {
    struct RamScript* ramScript;
    // The ramscript lives at a different place in SaveBlock1 for each game.
    if (GAME_RS) ramScript = &(SaveBlock1->rs.ramScript);
    else if (GAME_FRLG) ramScript = &(SaveBlock1->frlg.ramScript);
    else if (GAME_EM) ramScript = &(SaveBlock1->e.ramScript);
    else return;
    ramScript->data.magic = 0x33;
    if (GAME_FRLG) {
        ramScript->data.mapGroup = 4; // Pallet Town indoors
        ramScript->data.mapNum = 0;   // Red's house 1F
        ramScript->data.objectId = 1; // Red's mother
    } else {
        ramScript->data.mapGroup = 1; // Littleroot Town indoors
        ramScript->data.mapNum = 0;   // Brendan's house 1F
        ramScript->data.objectId = 1; // Brendan's mother
    }
    u8 script[] = ""
        "\xb8\x00\x00\x00\x00" // setvaddress 0
        "\xbd\x0e\x00\x00\x00" // vtext msgtext
        "\x66"                 // waittext
        "\x6d"                 // waitbutton
        "\x6c"                 // release
        "\x02"                 // end
        "\xCA\xEB\xE2\xD9\xD8\xAB\xFF"; // msgtext: "Pwned!"
    // copy the script to its rightful place
    memcpy(&(ramScript->data.script), script, sizeof(script));
    // fix the checksum
    ramScript->checksum = CalculateRamScriptChecksum(ramScript);
    // all done!
    return;
}
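Added example, not code from Wack0's post or from the gen3-multiboot helper library: a stand-alone version of the three operations the post says the library provides, namely finding a substructure, XOR-decrypting/encrypting the Pokémon data block, and fixing its checksum. The layout and algorithm used are the documented Gen III Pokémon data format (PID at 0x00, OT ID at 0x04, 16-bit checksum at 0x1C, four 12-byte substructures at 0x20 in the (PID % 24)-th lexicographic permutation of Growth/Attacks/EVs/Misc, each 32-bit word XORed with PID ^ OTID, checksum being the 16-bit sum of the decrypted halfwords). The substructure lookup walks the permutation instead of using a 24-case table, which is one way to get the kind of size reduction the post mentions; whether the library does it this way is an assumption. The sample record, its PID/OTID and species value are constructed.

```c
/* Added example, not Wack0's code or the helper library's. Gen III Pokémon
 * data block: locate a substructure, XOR-crypt, checksum. Layout per the
 * documented format; the sample record below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKM_SIZE        80u    /* boxed Pokémon record */
#define OFF_PID         0x00u
#define OFF_OTID        0x04u
#define OFF_CHECKSUM    0x1Cu  /* u16, over the decrypted data block */
#define OFF_DATA        0x20u  /* 48-byte encrypted block */
#define DATA_SIZE       48u
#define SUBSTRUCT_SIZE  12u

enum { SUB_GROWTH = 0, SUB_ATTACKS = 1, SUB_EVS = 2, SUB_MISC = 3 };

uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Byte offset of substructure `type` inside the data block. Instead of a
 * 24-entry table, walk the lexicographic permutation of G,A,E,M: slot k takes
 * entry n / (3-k)! from the types not yet placed. */
unsigned substruct_offset(uint32_t pid, unsigned type) {
    unsigned pool[4] = { SUB_GROWTH, SUB_ATTACKS, SUB_EVS, SUB_MISC };
    const unsigned fact[4] = { 6, 2, 1, 1 };
    unsigned n = pid % 24, remaining = 4;
    for (unsigned slot = 0; slot < 4; slot++) {
        unsigned pick = n / fact[slot];
        n %= fact[slot];
        unsigned chosen = pool[pick];
        for (unsigned j = pick; j + 1 < remaining; j++) pool[j] = pool[j + 1];
        remaining--;
        if (chosen == type) return slot * SUBSTRUCT_SIZE;
    }
    return 0;  /* not reached: every type lands in some slot */
}

/* XOR every word of the data block with PID ^ OTID; symmetric, so the same
 * call encrypts and decrypts. */
void pkm_crypt(uint8_t *pkm) {
    uint32_t key = rd32(pkm + OFF_PID) ^ rd32(pkm + OFF_OTID);
    for (unsigned i = 0; i < DATA_SIZE; i += 4)
        wr32(pkm + OFF_DATA + i, rd32(pkm + OFF_DATA + i) ^ key);
}

/* Checksum over the decrypted data block: 16-bit sum of its 24 halfwords. */
uint16_t pkm_checksum(const uint8_t *pkm) {
    uint16_t sum = 0;
    for (unsigned i = 0; i < DATA_SIZE; i += 2) sum = (uint16_t)(sum + rd16(pkm + OFF_DATA + i));
    return sum;
}

/* Encrypt a decrypted record, writing the correct checksum first. */
void pkm_encrypt(uint8_t *pkm) {
    wr16(pkm + OFF_CHECKSUM, pkm_checksum(pkm));
    pkm_crypt(pkm);
}

/* Decrypt in place; returns 1 if the stored checksum matches, 0 otherwise
 * (a mismatch is what the game shows as a Bad Egg). */
int pkm_decrypt(uint8_t *pkm) {
    pkm_crypt(pkm);
    return pkm_checksum(pkm) == rd16(pkm + OFF_CHECKSUM);
}

/* Constructed sample: zeroed record with chosen PID/OTID and a species id in
 * the first halfword of the Growth substructure. */
void build_sample_pkm(uint8_t *pkm, uint32_t pid, uint32_t otid, uint16_t species) {
    memset(pkm, 0, PKM_SIZE);
    wr32(pkm + OFF_PID, pid);
    wr32(pkm + OFF_OTID, otid);
    wr16(pkm + OFF_DATA + substruct_offset(pid, SUB_GROWTH), species);
}

int main(void) {
    uint8_t p[PKM_SIZE];
    build_sample_pkm(p, 0x12345678u, 0x0000ABCDu, 25);
    pkm_encrypt(p);
    printf("checksum 0x%04X, first encrypted word 0x%08X\n", rd16(p + OFF_CHECKSUM), rd32(p + OFF_DATA));
    printf("decrypt ok: %d, species back: %u\n", pkm_decrypt(p), rd16(p + OFF_DATA));
    return 0;
}
```

Any payload that edits a substructure by hand has to redo the checksum before re-encrypting, which is why bundling "encrypt" and "fix checksum" into one call, as the post describes, removes the most common way to turn a box slot into a Bad Egg.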
15
Pokémon Discussion / Re: Anatomy of an e-Reader Mystery Event
« on: February 24, 2017, 11:58:27 am »
Whilst reversing Gen III and adding the save structures of the various games to my payload code, I noticed something.

The Enigma Berry structure is different in FR/LG/Emerald!

It's only 0x30 bytes long; the sprite, palette and tag description elements were removed, leaving only the base Berry structure (0x1C bytes), the item-usage-by-trainer structure (0x12 bytes), the hold item effect (2 bytes) and bytewise checksum (4 bytes).

edit: the change was made in FR/LG, not Emerald (Emerald just inherited it)