Author Topic: PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info (Read 1074 times)


MarcinTVP8

  • GCLF Member
  • 0OLDRED
Finally! I found arbitrary code execution in Pokémon Mystery Dungeon: Red Rescue Team!

Viewing a hex:0999 glitch move's info will cause the game to start executing code somewhere around 5ec1200c.

Viewing the glitch move name rarely occurs, so I have prepared a save state for this.

Just load the save state in VBA, click Info, and enjoy the glitchness!

(Note: The save state was created on VBA version 1.8.0.)

SatoMew

  • Member+
  • Gender: Female
Did you use original VBA? Since that emulator is very old and inaccurate, could you please try VBA-M and/or mGBA?

MarcinTVP8

  • GCLF Member
  • 0OLDRED
I did use VBA 1.8.0, and I do not want to change versions.

TheZZAZZGlitch

  • Distinguished Member
  • Gender: Male
  • Unknown opcode fc at 801a
I checked it; this is a buffer overflow caused by the glitch move's description. Code execution takes place by overwriting the IRQ handler (similar to what happens in Gen III with decamark summary screens).
This exact move is not exploitable, since the instruction pointer lands in unmapped memory. But there probably is an index that would work for ACE.

Edit: Never mind, it actually locks up the game in both mGBA and No$gba Debug, so I'm forced to think that this is just an emulation error.
« Last Edit: January 10, 2017, 08:29:21 am by TheZZAZZGlitch »
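As an added illustration (editor's example, not the game's code and not from anyone in the thread): a constructed C model of the mechanism TheZZAZZGlitch describes, where an unbounded copy of an over-long description text runs past its buffer into an adjacent handler-pointer slot, next to the bounded copy that leaves the pointer intact. The struct layout, `DESC_LEN` and `GOOD_HANDLER` are assumptions, not the game's real memory map.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: a fixed-size description buffer followed by the
 * slot holding the IRQ handler address (constructed, not the game's). */
#define DESC_LEN     64
#define GOOD_HANDLER 0x08001000u   /* constructed "valid" ROM address */

struct iwram_model {
    char     desc[DESC_LEN];       /* move description text */
    uint32_t irq_handler;          /* handler pointer read on every IRQ */
};

/* Unbounded copy: stops only at the NUL, so a description longer than
 * DESC_LEN spills into whatever follows the buffer. Bytes go through a
 * pointer to the whole struct so the spill stays inside the model. */
void copy_desc_unbounded(struct iwram_model *m, const char *src)
{
    unsigned char *dst = (unsigned char *)m;
    size_t i = 0;
    do { dst[i] = (unsigned char)src[i]; } while (src[i++] != '\0');
}

/* Bounded copy: truncates and always terminates, so irq_handler is
 * never touched however long the source string is. */
void copy_desc_bounded(struct iwram_model *m, const char *src)
{
    strncpy(m->desc, src, DESC_LEN - 1);
    m->desc[DESC_LEN - 1] = '\0';
}

/* Constructed description of n 'A' bytes; n is capped so the unbounded
 * copy can reach the pointer slot but never leaves the struct. */
const char *make_glitch_desc(size_t n)
{
    static char buf[DESC_LEN + sizeof(uint32_t)];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Handler pointer left behind after copying src with either routine. */
uint32_t handler_after_copy(const char *src, int bounded)
{
    struct iwram_model m = { {0}, GOOD_HANDLER };
    if (bounded) copy_desc_bounded(&m, src);
    else         copy_desc_unbounded(&m, src);
    return m.irq_handler;
}
```

A 67-byte description (three bytes past the buffer) is enough to replace the handler address in the unbounded case, while a 20-byte one never reaches it; the bounded routine preserves it in both cases.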