Messages - Wack0

By the way, all the stuff in the SOGABE menu sets some unknown stuff in saveblock2, according to pokeruby.
When you use a glitch move, the name of the move you use is often different from the name you have in the "Fight" menu.
I still don't know why this thing happens, but this is another source of crashes, as certain character sequences that the game displays can freeze the game (especially the ones with the "oe oe oe oe....").

Same reason as "a TYPE move": basically there's an array of pointers to these strings in the ROM (starts at 0x401604 in EN Ruby), and the array is indexed by the type-id without any checks, thus some uint32 past this array is used as a pointer to the move string.
On a list of invalid moves and their effects, not yet. And most invalid moves basically are the Gen III equivalent of Super Glitch because of not only the move / type(?) names being very long (I can't remember if type names inside battle get length-capped or not) but also the "a TYPE move" mechanic (an invalid type here overflows the pointer array, causing the shown move name when used to be also potentially very long). For an invalid move to not have these effects it needs to have a short enough name and a valid type.
(This is also the cause of the "Instant Win", "Instant Flee" etc. moves: the long strings getting copied around overwrite the battle type.)
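The unchecked table lookup described above, as an added illustration (not code from the post or from the game): a constructed 64-byte image with a three-entry pointer table, a function that reports what the game's unchecked lookup would dereference for any type id, and a hardened lookup beside it that validates the index, the pointer and the string's termination and caps the copy length. All names and offsets here are my own.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 64-byte image standing in for a ROM region: three type-name
 * strings, a 3-entry table of 32-bit little-endian offsets to them, then
 * unrelated data. Layout and values are invented; only the idea of a
 * pointer table indexed by an unchecked type id comes from the post. */
#define ROM_SIZE  64
#define TABLE_OFF 0x14
#define NUM_TYPES 3
static const uint8_t rom[ROM_SIZE] = {
    'N','O','R','M','A','L',0, 'F','I','R','E',0, 'W','A','T','E','R',0, 0,0,
    0x00,0,0,0, 0x07,0,0,0, 0x0C,0,0,0,                   /* 0x14: table -> 0, 7, 12 */
    0x30,0,0,0, 0x90,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0, /* 0x20: unrelated data */
    'o','e','o','e','o','e','o','e','o','e','o','e','o','e','o','e', /* 0x30: no NUL */
};

enum { NAME_OK = 0, ERR_BAD_TYPE, ERR_BAD_PTR, ERR_UNTERMINATED };

static uint32_t rd32(uint32_t off) { /* caller guarantees off + 4 <= ROM_SIZE */
    return rom[off] | (rom[off + 1] << 8) | (rom[off + 2] << 16) | ((uint32_t)rom[off + 3] << 24);
}

/* Length of the NUL-terminated string at p, or -1 if it runs off the image. */
static long str_len_at(uint32_t p) {
    uint32_t n = 0;
    while (p + n < ROM_SIZE && rom[p + n] != 0) n++;
    return p + n < ROM_SIZE ? (long)n : -1;
}

/* Models the game's lookup: no index check, and whatever word is loaded is
 * used as a pointer. Reports what would happen instead of dereferencing it. */
static int classify_unchecked(uint8_t type_id) {
    uint32_t off = TABLE_OFF + 4u * type_id;
    if (off + 4 > ROM_SIZE) return ERR_BAD_PTR;   /* table read itself leaves the image */
    uint32_t p = rd32(off);
    if (p >= ROM_SIZE) return ERR_BAD_PTR;        /* loaded word is not a usable pointer */
    return str_len_at(p) < 0 ? ERR_UNTERMINATED : NAME_OK;
}

/* Hardened lookup: index, pointer and termination checks plus a caller cap,
 * so an over-long name is truncated instead of overrunning the destination. */
static int type_name_checked(uint8_t type_id, char *out, size_t cap) {
    if (type_id >= NUM_TYPES || cap == 0) return ERR_BAD_TYPE;
    uint32_t p = rd32(TABLE_OFF + 4u * type_id);
    if (p >= ROM_SIZE) return ERR_BAD_PTR;
    long n = str_len_at(p);
    if (n < 0) return ERR_UNTERMINATED;
    if ((size_t)n >= cap) n = (long)cap - 1;
    memcpy(out, rom + p, (size_t)n); out[n] = '\0';
    return NAME_OK;
}
```

Type id 3 lands on the unterminated "oeoe..." run (the over-long name case), ids 4, 5 and 7 load words that are not usable pointers, and id 6 happens to load 0 and resolves to "NORMAL" again, which is why some invalid ids look harmless.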
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 16, 2017, 04:26:07 pm »
I wonder how awkward that MD5 implementation is...

Game Freak's parser bugs don't surprise me. An RCE vector here would allow for some interesting custom servers; however RCE via trades exists too, which would be the more dangerous, in my opinion, as any player could trigger it. I guess a custom server would have to somehow detect it (given this RCE vuln would be in the P2P communication with "phone numbers" etc).

And now I'm thinking about a server with its own partial GB emulator, MITMing the connection if it detects an RCE via trading, and specifically implementing GB Mobile Adapter emulation itself so the payload can get any further data... Saved off for further reversing/analysis of course.
But if they do a Celebi event just like Mew, there won't be a way to change its ID and OT so it transfers on non-English versions.

Trading to an English version to do Coin Case code exec may work for European G/S.

Maybe TMs outside of TM pocket code exec (like Crystal) too? Has anybody looked into that in G/S? I guess that would require trading too, though.

Also, possibly Johto Guard Glitch trading back to Gen I and doing it there? I'm probably forgetting something important that would stop that from working, though.
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 06, 2017, 08:44:12 am »
I looked at the code, the emulation there is incomplete, and seems only there to get Mobile Trainer to work.
More ACE? Goddamn, this is getting out-of-hand. How many, total, have been found across the series?

I haven't kept track since that post ISSOtm made, but for Gold/Silver/Crystal there is:

1) Coin Case glitch (EN Gold/Silver only)
2) Move 0x00's type ACE (EN Gold/Silver)
3) Unterminated name Pokémon ACE (Crystal only)
4) Wrong pocket TM/HM ACE (Gold/Silver/Crystal)
5) Glitch Pokédex mode ACE (Gold/Silver(?), Crystal)
6) OAM DMA hijacking (requires another form of arbitrary code execution)

Theoretically as well you can execute arbitrary code with other glitch moves. I noticed opening the Fight menu with move 0xFD as the only move in Japanese Crystal after using an X Accuracy could execute code from WRAM but only to run into a rst 38 (FF byte).

Surprisingly quite a lot for Generation II!

As for Generation III there seem to be only two documented so far:

1) Glitch Pokémon summary ACE
2) Glitch move animation ACE

For the record, you missed RCE through trading in Gen II (TheZZAZZGlitch demonstrated it once, I think his YouTube video description said the bug was similar if not the exact same as the one used for trade RCE in Gen I), and RCE through JoyBus link in Gen III.
I came across this thread looking for something else, and thought this looked familiar to me.

Indeed, this multiboot image is not unused.

The GameCube multiboot code changed from R/S to FR/LG/Emerald.

In R/S, after a multiboot image has been completely transferred over JoyBus, interrupts are disabled and the multiboot image is jumped to (the jump points to 0x20000C0, leaving the jump past the image header at offset 0 of the multiboot image unused. This was probably done for a very good reason: the entire 0xC0-byte image header is transferred over JoyBus in the clear, whereas everything after that is encrypted).

In FR/LG/Emerald, after a multiboot image has been completely transferred over JoyBus, the game code of the transferred multiboot image at 0x20000AC is checked. If it is equal to 0x65366347 (with endianness conversion, that's 'Gc6e', the game code for Pokémon Colosseum, specifically the NTSC-US version), the multiboot image that's the subject of this thread is copied to 0x2000000 (ie, copied over the transferred multiboot image), and THEN interrupts are disabled and the multiboot image jumped to.

This was most likely done for compatibility; my guess is that the original Colosseum (US) multiboot image is incompatible with FR/LG/Emerald.
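The game-code check described above, as an added illustration (not the game's own code; the function names and the constructed sample headers are mine): it reads the word at 0xAC little-endian, compares it to 0x65366347, shows why that word is the ASCII "Gc6e", and refuses any buffer shorter than the 0xC0-byte header before deciding which image would be executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* GBA image header layout used by the post: the 4-byte game code sits at
 * 0xAC and the 0xC0-byte header precedes the multiboot entry at 0xC0. */
#define MB_HEADER_SIZE        0xC0
#define MB_GAMECODE_OFF       0xAC
#define GAMECODE_COLOSSEUM_US 0x65366347u   /* bytes 'G','c','6','e' read little-endian */

/* Reads the game code as the little-endian word the post compares against.
 * Returns 0 when the buffer is too short to hold a complete header. */
static int mb_game_code(const uint8_t *img, size_t len, uint32_t *code) {
    if (img == NULL || len < MB_HEADER_SIZE) return 0;
    const uint8_t *p = img + MB_GAMECODE_OFF;
    *code = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Turns the word back into the ASCII form people quote, e.g. "Gc6e". */
static void game_code_ascii(uint32_t code, char out[5]) {
    for (int i = 0; i < 4; i++) out[i] = (char)(code >> (8 * i));
    out[4] = '\0';
}

/* Models the FR/LG/Emerald decision: if the transferred image carries the
 * Colosseum (US) game code, the game's bundled image is what gets executed;
 * otherwise the transferred image runs as-is. NULL means malformed input. */
static const uint8_t *select_multiboot_image(const uint8_t *transferred, size_t len,
                                             const uint8_t *bundled) {
    uint32_t code;
    if (!mb_game_code(transferred, len, &code)) return NULL;
    return code == GAMECODE_COLOSSEUM_US ? bundled : transferred;
}

/* Builds a constructed header (not a real image): all zero except the
 * game-code field, which receives the 4 characters of code. */
static void make_header(uint8_t buf[MB_HEADER_SIZE], const char *code) {
    memset(buf, 0, MB_HEADER_SIZE);
    memcpy(buf + MB_GAMECODE_OFF, code, 4);
}
```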
Generation I Glitch Discussion / Re: Glitch Pikachu cries in Yellow
« on: April 26, 2017, 01:31:29 pm »
I was just playing around with some of these.

Your video seems to only demonstrate valid cries. Invalid cries start from hex 0x2A (decimal 42).
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 20, 2017, 07:51:15 am »
I updated the invite link in the first post.
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 24, 2017, 05:50:07 am »
Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

I'm getting off topic, but the GBA 10ANNIV ROM (and probably others) worked by sending a client application to the GBA from another GBA. The leaked official SDK has an example about this too (by the way, one of the 10ANNIV ROMs was made public recently).

That uses the GBA BIOS multiboot, which is different from the multiboot implemented inside of R/S/E/FR/LG (which uses the JoyBus protocol over the link cable for communication with the GameCube games).
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 11:30:17 am »
Would be interesting to see this implemented as a GBA to GBA homebrew.

Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.
Generation III Glitch Discussion / Re: Manipulate specific flags?
« on: March 21, 2017, 07:26:52 am »
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

GBA uses ARMv4...

Anyway, if you want code exec, and you have a Wii and a GC->GBA link cable, you can use the RCE I found and detailed here

You'll be able to write your payloads in C there, hopefully it's what you need (you'd be able to get the items with it as well, FYI, you'll have lots of space for your payload, about 124 KB...)
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: March 18, 2017, 03:34:58 pm »
A little off topic here, but since you reversed the transferred ROM and know how game detection works, would modifying the Colosseum USA/JAP bonus disc to accept other region carts be feasible? I'd really like to test that. I checked the code a little; do they only use game codes for that?

I reversed the transfer process itself, not any transferred multiboot images.
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: February 27, 2017, 03:45:50 pm »
The invitation link is dead again.
How fast do these links expire?

Try this link, I just generated a nonexpiring one:

I still can't join. It keeps giving me the same message:
The instant invite is invalid or has expired
I'm using the web interface, not the app. I've never used Discord before, so I have no idea if this is an issue.

That's weird. Perhaps you could try using a different browser?