Author Topic: Arbitrary code execution in Red/Blue with cooltrainer glitch move.  (Read 1287 times)


Crystal_

Basically, out of unrelated data, hex 00's move effect turns out to be 0x74, which essentially makes its move effect pointer point to F928. The cooltrainer move will execute its move effect function at the end of the ExecuteMove routine, and only if the target isn't fainted. Since cooltrainer has a glitch move effect, it's not present in any of the special move effect arrays and thus falls into the last call to the move effect handling function, where all the move effects that have not been handled yet are supposed to be taken care of.

F928 is exactly the start of the enemy party Pokemon data. It's not the best place to end up at, but it's still RAM nonetheless.



After spending some time considering all the options, this is the best I could come up with:

Code:
add hl, hl
nop
jp [hl]

Which corresponds to Machoke with 233 current HP in the fourth position of the last fought opponent. This already makes access to the cable club with another player/game a necessity.

This makes us jump to F250, which is the move 2 of the sixth party Pokemon. It's more manageable but we still need to find a way to reach bag items, ideally. I came up with the following setup to reach F31E (item 1):

Party Pokemon #6: (Golbat)
- Hyper Beam as 2nd move
- Supersonic as 3rd move
- Leech Life as 4th move

which is:

Code:
ccf
jr nc, $8d

hl overflowed in the last ld hl, hl instruction so we will be jumping to F1E0 here, which is the move 1 PP of party Pokemon #3.

And then:

Party Pokemon #3:
- PP of move 1: C3 (3 PP, 3 PP ups)
- PP of move 2: 1E (30 PP, 0 PP ups)
- PP of move 3: D3 (19 PP, 3 PP ups)

Or jp D31E, which means that we finally made it to the item 1 of our bag.

Given how easy it is to get a Ditto to learn cooltrainer, I was hoping that this could make a decent alternative to ACE with 8F, as this item is not particularly easy to obtain. However, this also has many inconveniences.

- Need to have someone else with a very high level Machoke (around 80) to battle with
- Need 6 PP Ups
- Need a lot of coins to buy Hyper Beam

What's more, in order to keep the opponent's party Pokemon in RAM we must perform the cable club escape glitch or else the data will be gone when we reset. Sure, the first thing we could do with ACE is clear the flag that makes the game think we are in the cable club (is it wLinkState? I'm too lazy to properly check right now) so we can actually save and end all the other side effects. But this inconvenience basically turned it off for me compared to 8F.

Also to note are the well-known corrupting side effects of the cooltrainer move, as well as the fact that cooltrainer ACE won't be as versatile as 8F since we can only use it during battle. I thought at first that cooltrainer ACE might make a decent alternative to hacking yourself an 8F, but with all the flaws considered it definitely doesn't appear to be the case.

The ACE exploit is there though, in case someone can come up with a better bootstrap code.

EDIT: Made a typo, it's not D929, but D928. Fixed the screenshot too.
« Last Edit: June 05, 2016, 12:18:44 pm by Crystal_ »
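The bootstrap chain described above, as an added example that is not part of the original post or of the game's code: a small Python tracer that lays the bytes the post describes (Machoke with 233 HP as enemy Pokemon #4, the three moves on party Pokemon #6, the three PP bytes on party Pokemon #3) into a constructed 64 KiB memory image and steps through the handful of GBz80 opcodes involved, modelling echo RAM so that the $Fxxx addresses quoted in the post read the same bytes as their $Dxxx mirrors. The WRAM offsets, the species and move indices, and the PP byte layout (two bits of PP Ups, six bits of PP) are taken from the post and are assumptions of this example, not verified against a real save.

```python
# Added example (not from the original post): trace the cooltrainer ACE bootstrap
# chain through a constructed memory image. Addresses and byte values are the ones
# quoted in the post and are assumed here, not dumped from a real cartridge.

# Offsets quoted in the post (assumed):
ENEMY_MON4       = 0xD928  # species byte of the 4th enemy party Pokemon
PARTY_MON6_MOVE2 = 0xD250  # 2nd move slot of the player's 6th Pokemon
PARTY_MON3_PP1   = 0xD1E0  # PP byte of move 1 of the player's 3rd Pokemon
BAG_ITEM1        = 0xD31E  # first item slot of the bag

# Echo-RAM address the move effect pointer holds, per the post.
EFFECT_POINTER = 0xF928

MACHOKE = 0x29
HYPER_BEAM, SUPERSONIC, LEECH_LIFE = 0x3F, 0x30, 0x8D

def pp_byte(pp, pp_ups):
    """Encode a party PP byte: bits 7-6 = PP Ups used, bits 5-0 = current PP."""
    assert 0 <= pp < 64 and 0 <= pp_ups < 4
    return (pp_ups << 6) | pp

def build_memory():
    """Constructed sample memory image holding only the bytes the chain touches."""
    mem = bytearray(0x10000)
    # 4th enemy Pokemon: species Machoke, then current HP as a big-endian word (233)
    mem[ENEMY_MON4:ENEMY_MON4 + 3] = bytes([MACHOKE, 0x00, 233])
    # 6th party Pokemon, moves 2-4
    mem[PARTY_MON6_MOVE2:PARTY_MON6_MOVE2 + 3] = bytes([HYPER_BEAM, SUPERSONIC, LEECH_LIFE])
    # 3rd party Pokemon, PP bytes of moves 1-3
    mem[PARTY_MON3_PP1:PARTY_MON3_PP1 + 3] = bytes(
        [pp_byte(3, 3), pp_byte(30, 0), pp_byte(19, 3)])
    return mem

def read(mem, addr):
    """Model echo RAM: $E000-$FDFF mirrors $C000-$DDFF."""
    if 0xE000 <= addr <= 0xFDFF:
        addr -= 0x2000
    return mem[addr]

def trace(mem, pc, hl, max_steps=16):
    """Run the subset of opcodes the chain uses until execution reaches the bag.
    Returns (list of visited PCs, final PC)."""
    carry = False
    visited = []
    for _ in range(max_steps):
        visited.append(pc)
        if pc == BAG_ITEM1:
            return visited, pc
        op = read(mem, pc)
        if op == 0x29:            # add hl, hl : carry = bit 15 of the old hl
            carry = hl >= 0x8000
            hl = (hl * 2) & 0xFFFF
            pc += 1
        elif op == 0x00:          # nop
            pc += 1
        elif op == 0xE9:          # jp hl (written "jp [hl]" in the post)
            pc = hl
        elif op == 0x3F:          # ccf : complement the carry flag
            carry = not carry
            pc += 1
        elif op == 0x30:          # jr nc, e8 : signed relative jump if carry clear
            e8 = read(mem, pc + 1)
            e8 = e8 - 0x100 if e8 >= 0x80 else e8
            pc = (pc + 2 + e8) & 0xFFFF if not carry else pc + 2
        elif op == 0xC3:          # jp a16 : little-endian absolute target
            pc = read(mem, pc + 1) | (read(mem, pc + 2) << 8)
        else:
            raise ValueError(f"unmodelled opcode {op:02X} at {pc:04X}")
    raise RuntimeError("chain did not reach the bag within max_steps")

def bootstrap_path():
    """Start where the move effect handler lands: pc = hl = the effect pointer."""
    return trace(build_memory(), EFFECT_POINTER, EFFECT_POINTER)

if __name__ == "__main__":
    path, target = bootstrap_path()
    print(" -> ".join(f"${a:04X}" for a in path))
```

Running it prints the hop sequence $F928 -> $F929 -> $F92A -> $F250 -> $F251 -> $F1E0 -> $D31E, i.e. the carry left set by `add hl, hl` is flipped by `ccf` so the `jr nc` at the sixth Pokemon's moves is taken backwards into the third Pokemon's PP bytes, which spell the absolute `jp D31E` into the bag.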

danny

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.
« Reply #1 on: June 05, 2016, 11:28:43 am »
Surprised nobody found this yet. I'll look into other glitch moves. How do you find the pointers?

Crystal_

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.
« Reply #2 on: June 05, 2016, 11:36:54 am »
From data past this table: https://github.com/pret/pokered/blob/master/engine/battle/core.asm#L7142

Note that move effects with id 80-FF point to the same as 00-7F though (or rather 81-00 = 01-80); other than that, the moment when they are called may be different.

The pointers will be made up from the unused sleep effect function below the table.

I tracked down other glitch moves in the past, but it's still pretty suboptimal. For example, glitch move TM42's effect handler points to CD11, which is the least significant byte of the player's active Pokemon's unmodified HP stat: https://www.youtube.com/watch?v=FoV9HUtVICE
« Last Edit: June 05, 2016, 11:41:18 am by Crystal_ »

Krys3000

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.
« Reply #3 on: June 05, 2016, 12:15:00 pm »
Very nice job Crystal_, that makes another way to execute code in 1G. Joining 8F, Pikachu off-screen, B1F, TM42... maybe others too; at one time I was working on a way to execute code from tiles using \-g* (hex:6F) but never had the time to finish it.

I'll tweet about this with prama's account  ;D


TheZZAZZGlitch

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.
« Reply #4 on: June 05, 2016, 12:38:22 pm »
This is already known and was used in the (now obsolete) Pokémon Blue TAS in 28:07.28 by MrWint. Except there, instead of trying to make use of the opponent Pokemon data, this area was just filled with harmless instructions to let the execution slide all the way to boxed Pokemon data at $DA80.

camper

Re: Arbitrary code execution in Red/Blue with cooltrainer glitch move.
« Reply #5 on: June 05, 2016, 09:17:41 pm »
You'll also need an X Accuracy to reliably hit with the move, or the move effect won't happen.