
Topics - Sanqui

The Dumpster Out Back / Re: Brock Through Walls
« on: August 19, 2014, 04:15:48 pm »
Move 2's PP should be 36, and move 3's PP should be 16, not the other way round.
That's right.  Sorry for the confusion.
By the way, if you have multiple Pokémon, Bulbasaur (or whoever has the right PP) needs to be last when you flash your Pokémon menu.
Generation I Glitch Discussion / Brock Through Walls
« on: August 19, 2014, 03:04:56 am »
This is a relatively easy glitch which lets you walk through walls as early as Brock skip.  Basically, performing the Brock skip and then speaking to the guy who leads you to the gym from the right, while having a specific setup, activates a walk through walls state.
You can see it in action in this WR run:

How this works is as follows.  When the guy's script activates, the game searches through a table of coordinates and pointers to figure out your initial movement.  However, the developers didn't account for you standing to the right of him, so there's no path defined.  Usually, if you try to speak to him without any preparation, the game will softlock, since it can't find your coordinates anywhere in memory.  However, with a little setup, you can prop the game to find your position and read an invalid path.
The method used in this run requires having a Lv. 8 Bulbasaur with 16 Tackle PP and 36 Growl PP, having the moves in the 2nd and 3rd slots.  You also need to look at its stats screen.  This results in the game finding the player coordinates in memory as the PP (the coords need to be at xxx2, xxx6, xxxA, or xxxE), and reading the next two bytes (4th PP and level) as a pointer to the path.  $800 happens to be a useful glitch path, which overflows and overwrites the "disallowed buttons" variable, letting you walk through walls.

Cheers to 0xwas for demonstrating this on the Japanese version (where the setup is more trivial), MrWint for explaining how the glitch works, myself for figuring out the details again (Kappa), Dabomstew for figuring out the Bulbasaur setup, and Shenanagans for other routing and doing the run.  Great job all around!
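As an added illustration (not part of Sanqui's post, and not the game's own code), here is a small Python model of the lookup described above: the guide's script walks 4-byte table entries (coordinate pair plus a 2-byte pointer) with no terminating case for the player's position, so the scan runs out of the table into RAM, matches the player's coordinates against two PP bytes of a Pokémon, and reads the following two bytes (4th-move PP and level) as a little-endian pointer. The PP/level offsets follow the Gen I party-entry layout, the pairing of move 2 = 36 and move 3 = 16 follows the correction in the reply above, and the table address 0x4002, the buffer address 0xCF98 and the (36, 16) coordinate values are assumptions chosen only to reproduce the xxx2/6/A/E alignment the post mentions; none of these addresses are stated on the page.

```python
# Constructed model of the coordinate-table scan; addresses are assumptions.
PP_OFFSET = 0x1D      # first of four PP bytes in the Gen I party struct (assumed layout)
LEVEL_OFFSET = 0x21   # level byte immediately after the PP bytes

def find_path_pointer(mem, table_addr, coords, stride=4):
    """Walk 4-byte entries from table_addr until an entry's first two bytes
    equal coords; return (entry_addr, pointer) or None if nothing matches.
    The script has no end marker for this case, so the scan keeps going
    past the ROM table into whatever RAM happens to be aligned with it."""
    addr = table_addr
    while addr + stride <= len(mem):
        if mem[addr] == coords[0] and mem[addr + 1] == coords[1]:
            ptr = mem[addr + 2] | (mem[addr + 3] << 8)   # little-endian
            return addr, ptr
        addr += stride
    return None        # no match anywhere: the softlock case

def build_mon(pp, level):
    """Constructed 0x2C-byte party entry with only PP and level filled in."""
    mon = bytearray(0x2C)
    mon[PP_OFFSET:PP_OFFSET + 4] = bytes(pp)
    mon[LEVEL_OFFSET] = level
    return mon

def simulate(pp, level, buffer_addr=0xCF98, table_addr=0x4002,
             coords=(36, 16)):
    """Place a constructed table and a Pokémon entry in a blank 64 KiB image
    and run the scan. 0xCF98 puts the 2nd PP byte at 0xCFB6 (ends in 6),
    which is congruent to the table start mod 4, so it can be found."""
    mem = bytearray(0x10000)
    table = bytes([4, 5, 0x34, 0x12,      # constructed entries that do
                   6, 5, 0x38, 0x12,      # not match the player's position
                   5, 4, 0x3C, 0x12])
    mem[table_addr:table_addr + len(table)] = table
    mon = build_mon(pp, level)
    mem[buffer_addr:buffer_addr + len(mon)] = mon
    return find_path_pointer(mem, table_addr, coords)

if __name__ == "__main__":
    # Lv. 8 with 36/16 PP in moves 2 and 3 and 0 PP in move 4 -> pointer 0x0800
    print(simulate((0, 36, 16, 0), 8))
    # swapped PP order, or a buffer shifted by one byte, is never found
    print(simulate((0, 16, 36, 0), 8), simulate((0, 36, 16, 0), 8, buffer_addr=0xCF99))
```

The pointer is just `4th PP | level << 8`, which is why the level fixes the high byte ($08) and the 4th move's PP fixes the low byte; a non-zero 4th PP would shift the path start. The misaligned case shows why the PP bytes have to sit at an address ending in 2, 6, A or E: the scan only ever inspects every fourth address counted from the table start.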
Hello all!  I was going to hold off releasing this until I make an actual "hello world"-like proof of concept, but I don't think you guys need one, and I bet you'll try to do some cool stuff with it yourself.

So, this exploit allows you to execute arbitrary code on (i.e., jailbreak) the English version of Pokémon Gold.  Unfortunately, it is much more limited than the 8F item you have grown to like from Gen 1, but it's still pretty nifty, and might pave the way to a better exploit!

Long explanation

To explain.  You have probably heard of the coin case glitch, where if you speak to the Machop in Vermilion and open the coin case, the game crashes.  But I haven't found anybody actually studying what the game does, so I traced it and figured out why it happens.
In short, I believe the translators messed up.  The text script for the Coin Case ("Coins: 1234") ends in a $57, which while a valid text ending byte, is not a valid text script byte.  (The correct one would've been $50.)  Since after printing the number, the game is in text script mode, the game reads an invalid pointer and, surprise, jumps into memory at $e112 (since that's ECHO RAM, it's essentially $c112).  This section of RAM is used by cries.  Most of the time, it's filled by zeroes, and by sheer luck ends in a ret.  But if you play a cry immediately before opening the Coin Case, the memory will be tainted.
Most cries don't do much, some return successfully, some mess with the text a bit.  Machop's cry is special, because it happens to contain inc sp.  This causes the ret to go elsewhere, specifically, $eb12, which contains some overworld stuff...  Specifically, as you move around, it has tile attributes for the window tilemap.  The contents are mostly unpredictable, but consistent if you move in a specific pattern, which will lead us to $FA98 (again, ECHO RAM, so essentially $DA98).  This is in the middle of the third party Pokémon's data, which is already something we can sanely work with!  You could probably hunt a Pokémon with specific EVs and stats in order to construct some opcodes, but I opted for picking a Pokémon whose data doesn't do anything and slides through to the fourth Pokémon.
The first three bytes of a Pokémon are species, item and first move.  Thus, we can construct a Pokémon which "jumps" somewhere useful.  I picked the PC box for this purpose: $D61A, which is the second boxed item's amount.
So, now we can get the game to execute what we can control.  Unfortunately, like I warned, this method is extremely limited.  Since the arbitrary code on the way tampered with the stack and random memory, one would have to carefully reconstruct these in order to return control *back* to the game after opening the Coin Case.  It should be possible, but I didn't explore this.  So, for now, this is a one-way trip.

Get a Quagsire with HP Up and Sleep Talk as the first move.  Put it fourth in party.
Put a valid slide Pokémon in slot 3.  A low-level freshly caught or hatched Pokémon should work.  (The Pokémon's data CANNOT have code which changes code flow, such as jumps, calls or rets.)
Build the code you want to execute in the PC, starting from the second item's count.

You MUST move in specific ways, though there may be other methods.
0. Prepare everything.
1. Save & Restart, or step through a warp.
2. Take a step down and four steps right.  (Three to the left might work, too?)
For example, if you were performing this trick from Elm's lab (the traditional method), you'd be standing here:

3. Listen to Machop's cry (I used the Pokédex, but party should work too)
4. Open the bag and change pockets at least once
5. Open the Coin Case
At this point, the game does a ton of wacky stuff and eventually jumps to $D61A, which should contain your code!
The state is (but it might depend on your slide Pokémon):
af=2800  bc=0f0f  de=0600  hl=1c2f  sp=dfbc  pc=d61a  rom=66
Interrupts DISABLED (?)

Final words
I don't believe this exploit works on the Japanese version, but I haven't tested.  It was definitely fixed in Crystal.  It also may have been fixed in other language revisions.

I hope to see some cool stuff done with this, but I do realize that the setup is kind of annoying.  Have fun, anyway.

P.S.: As a bonus, have this nifty table!
P.P.S.: Have you people really got no real IRC channel I could hang out in?
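Added example, not code from Sanqui's post: a Python check for the two ingredients of the Coin Case chain described in the post above, the "slide" Pokémon in slot 3 and the jumping Pokémon in slot 4. It decodes a party entry's bytes as SM83 (Game Boy CPU) instructions from the entry point, flags anything that changes control flow or stops the CPU, and checks that decoding lands exactly on the 48-byte boundary so slot 4's species byte is fetched as an opcode rather than swallowed as an operand. It then reads the fourth Pokémon's species/item/first-move bytes as `jp nn`. Assumptions not stated on the page: Gen 2 party entries are 48 bytes starting at $DA2A (which makes $DA98 offset 14 into slot 3), and the index numbers Quagsire = 0xC3, HP Up = 0x1A, Sleep Talk = 0xD6 are taken from the Gen 2 species/item/move lists; the slot-3 entry below is constructed, not a real Pokémon.

```python
# Constructed checker for the slide / jump Pokémon; addresses and indices are assumptions.
MON_SIZE = 48
PARTY_BASE = 0xDA2A                               # assumed address of party slot 1
ENTRY = 0xDA98 - (PARTY_BASE + 2 * MON_SIZE)      # = 14, offset of $DA98 into slot 3

LEN3 = {0x01, 0x11, 0x21, 0x31, 0x08, 0xC3, 0xC2, 0xCA, 0xD2, 0xDA,
        0xCD, 0xC4, 0xCC, 0xD4, 0xDC, 0xEA, 0xFA}
LEN2 = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0x18, 0x20,
        0x28, 0x30, 0x38, 0xE0, 0xF0, 0xE8, 0xF8, 0xC6, 0xCE, 0xD6, 0xDE,
        0xE6, 0xEE, 0xF6, 0xFE, 0xCB}
# Opcodes that redirect execution or halt the CPU: any of these inside the
# slide Pokémon ends the chain before it reaches slot 4.
HAZARD = ({0x18, 0x20, 0x28, 0x30, 0x38}                      # jr
          | {0xC3, 0xC2, 0xCA, 0xD2, 0xDA, 0xE9}              # jp
          | {0xCD, 0xC4, 0xCC, 0xD4, 0xDC}                    # call
          | {0xC9, 0xD9, 0xC0, 0xC8, 0xD0, 0xD8}              # ret / reti
          | {0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF}  # rst
          | {0x76, 0x10}                                      # halt / stop
          | {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD})  # illegal

def insn_len(op):
    return 3 if op in LEN3 else 2 if op in LEN2 else 1

def check_slide(mon, start=ENTRY):
    """Decode mon[start:] as instructions. Returns (hazards, aligned): offsets of
    hazardous opcodes, and whether decoding stops exactly at the end of the entry."""
    hazards, pc = [], start
    while pc < len(mon):
        op = mon[pc]
        if op in HAZARD:
            hazards.append(pc)
        pc += insn_len(op)
    return hazards, pc == len(mon)

def jump_target(species, item, move1):
    """Species/item/first move read as code: the absolute target if they form
    `jp nn` (species byte 0xC3), otherwise None."""
    if species != 0xC3:
        return None
    return item | (move1 << 8)          # operand is little-endian

def make_slide_mon(dv_byte=0xA5, spdef_lo=0x0B):
    """Constructed slot-3 entry: every byte from offset 14 on is a single-byte,
    non-branching opcode (nop, inc/dec, ld r,r, add hl,de ...)."""
    mon = bytearray(MON_SIZE)
    mon[0], mon[1] = 0xA1, 0x00                       # species, no held item
    mon[2:6] = bytes([0x21, 0x0A, 0x00, 0x00])        # moves; execution never starts here
    mon[16], mon[18], mon[20] = 0x05, 0x03, 0x02      # EV bytes
    mon[21], mon[22] = dv_byte, 0x5B                  # DVs
    mon[23], mon[24] = 0x23, 0x19                     # PP
    mon[27], mon[29], mon[31] = 0x46, 0x04, 0x05      # happiness, caught data, level
    mon[35] = mon[37] = 0x14                          # HP / max HP low bytes
    mon[39], mon[41], mon[43], mon[45] = 0x0B, 0x0A, 0x0C, 0x0A   # stat low bytes
    mon[47] = spdef_lo
    return bytes(mon)

if __name__ == "__main__":
    print(check_slide(make_slide_mon()))                  # ([], True)
    print(check_slide(make_slide_mon(dv_byte=0xC9)))      # a ret in the DVs: ([21], True)
    print(check_slide(make_slide_mon(spdef_lo=0x3E)))     # ld a,n at offset 47 eats slot 4's species byte
    print(hex(jump_target(0xC3, 0x1A, 0xD6)))             # Quagsire / HP Up / Sleep Talk -> 0xd61a
```

The alignment check is the part the post's "slides through" wording hides: a 2- or 3-byte instruction straddling the end of slot 3 would consume Quagsire's 0xC3 as an operand, so a slide Pokémon must avoid immediates near the end of its entry as well as branches anywhere after the entry point. The last line reproduces the post's $D61A from the three index numbers, which is how the species/item/move choice was constrained.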