Topic: CC57/8 continuous arbitrary code execution


Evie the Mother Hen ☽ ❤

CC57/8 continuous arbitrary code execution
« on: December 09, 2018, 05:35:07 am »
If CC57/8 reads DD 00, the game will execute arbitrary code at F5D5 not just once but continuously. This is in the expanded PC items and can be changed to C3 XX D3. The general idea might be to use 4F/-g m/8F, etc. to set CC57 to DD and set CC58 to 00 if it isn't 00 already.

An advantage to this over D36E/D36F ACE is that it stays even after changing maps. Unfortunately I have to go, so I can't do any more testing right now, but I wonder if it works in battle?

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Parzival

Re: CC57/8 continuous arbitrary code execution
« Reply #1 on: December 10, 2018, 08:47:08 pm »
What do these control, precisely?


Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

Sherkel

Re: CC57/8 continuous arbitrary code execution
« Reply #2 on: December 11, 2018, 03:41:33 pm »
> What do these control, precisely?
What are you asking, precisely? :P

I come and go. Apparently still more than most of the other regulars, so hard to say it's a semi-hiatus of some sort. Suggestions for wiki organization are appreciated here if you haven't seen this thread yet.
I don't have a habit of keeping Discord open, so direct inquiries are still preferred through here.

metalmario32

Re: CC57/8 continuous arbitrary code execution
« Reply #3 on: December 12, 2018, 06:44:27 am »
> > What do these control, precisely?
> What are you asking, precisely? :P

He's asking what in-game variables those addresses control, precisely.
I've been a fan of Pokémon since my first game. That was Platinum, though. Ever since then, I've played every single generation of Pokémon at least once and got into glitching them when I got RBY. Oh boy, the fun times that I had as a kid... I <3 GLITCH CITY LABORATORIES for bringing back my childhood!

Epsilon

Re: CC57/8 continuous arbitrary code execution
« Reply #4 on: December 12, 2018, 06:59:54 am »
> > > What do these control, precisely?
> > What are you asking, precisely? :P
>
> He's asking what in-game variables those addresses control, precisely.


...which is precisely the reason why Pokered exists! :^)


Anyways, CC57 is responsible for the location in the pointer table to call for NPC Movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.


Gonna take a guess as to how this works...

When setting CC57 higher than the number of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka, how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.


Don't have access to an emulator right now so can't be too sure.
« Last Edit: December 12, 2018, 07:01:39 am by Epsilon »

metalmario32

Re: CC57/8 continuous arbitrary code execution
« Reply #5 on: December 12, 2018, 07:20:37 am »
> > > > What do these control, precisely?
> > > What are you asking, precisely? :P
> >
> > He's asking what in-game variables those addresses control, precisely.
>
> ...which is precisely the reason why Pokered exists! :^)
>
> Anyways, CC57 is responsible for the location in the pointer table to call for NPC Movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.
>
> Gonna take a guess as to how this works...
>
> When setting CC57 higher than the number of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka, how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.
>
> Don't have access to an emulator right now so can't be too sure.

So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?

Epsilon

Re: CC57/8 continuous arbitrary code execution
« Reply #6 on: December 12, 2018, 07:50:47 am »
> So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?


Take a gander at this line in pokered's home.asm.

As you can see, it takes the value at CC57, takes a pointer to a list of pointers to movement script pointer tables (phew!), and adds the two. It then grabs the pointer it finds there, puts it in hl, and makes a call to CallFunctionInTable.


So yeah, I'm assuming that's what's going on there.


Something else to note: The function I linked loads the value at CF10 (responsible for the function number in the pointer table) into the accumulator before making the call to CallFunctionInTable. I do wonder if that value may change the ability to do this trick.


EDIT: Some semi-important findings in this regard


The way this works is because the function I originally linked adds CC57 (which is DDh in the trick) to the pointer to the pointer table which points to the other movement script pointer table. It gets 3193, which points to D5h and F5h. CallFunctionInTable reads these values and calls F5D5.

However, CF10 affects what pointer CallFunctionInTable calls when called with RunNPCMovementScript. This means CF10 must be zero or else this will not work!

Not sure what changes CF10, however.


Edit2: Something else to note:


While Torchic included setting CC58 to 0 in her instructions, this is actually unnecessary. 3193, which contains the "pointer" to F5D5, is in the "home" ROM bank, meaning it's irrelevant what the ROM bank is at the time of CallFunctionFromTable.


> but I wonder if it works in battle?

No. NPC Movement scripts are not executed during battle.
« Last Edit: December 12, 2018, 11:17:55 am by Epsilon »
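The following is an added illustration, not code from this thread or from the pokered project: a small C model of the two-level pointer-table dispatch that Epsilon describes in replies #4 and #6 (RunNPCMovementScript reading an outer table indexed by CC57, then CallFunctionInTable reading an inner table indexed by CF10). It shows why an index past the end of the outer table turns unrelated bytes into a call target, why CF10 must be zero for the thread's case, why CC58 does not matter when the read lands below 4000h, and what the missing bounds check looks like. Everything about the memory layout is constructed (the table base addresses, the entry counts, the constructed script entry points, the index-times-two arithmetic, and the address at which the over-read lands); only CC57 = DDh, CF10 = 0, the bytes D5 F5 at 3193h and the resulting target F5D5 come from the posts.

```c
/*
 * Added example (not from the thread or from pokered): a C model of a
 * two-level pointer-table dispatch with and without a range check.
 *
 * Constructed/assumed: OUTER_BASE, OUTER_ENTRIES, INNER_BASE, INNER_ENTRIES,
 * the script entry points 0x1234/0x1240, the address 0x3000 at which the
 * over-read lands, and indexing by 2*index (16-bit entries).
 * From the thread: CC57 = 0xDD, CF10 = 0, bytes D5 F5 at 0x3193, target 0xF5D5.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOME_BANK_SIZE 0x4000u  /* Game Boy fixed bank: 0x0000-0x3FFF is always mapped */
#define OUTER_BASE     0x2E46u  /* constructed: chosen so OUTER_BASE + 2*0xDD == 0x3000 */
#define OUTER_ENTRIES  3u       /* assumed: number of legitimate outer-table entries */
#define INNER_BASE     0x1000u  /* constructed: where one inner script table lives */
#define INNER_ENTRIES  2u       /* assumed: number of scripts in that inner table */

static uint8_t rom[HOME_BANK_SIZE];   /* only the home bank is modelled */

/* Game Boy pointers are little-endian: low byte first, high byte second.
 * Addresses outside the modelled bank read as 0. */
static uint16_t read16_le(uint16_t addr) {
    if ((unsigned)addr + 1u >= HOME_BANK_SIZE)
        return 0;
    return (uint16_t)(rom[addr] | (rom[addr + 1u] << 8));
}

static void write16_le(uint16_t addr, uint16_t v) {
    rom[addr]      = (uint8_t)(v & 0xFFu);
    rom[addr + 1u] = (uint8_t)(v >> 8);
}

/* Build the constructed home-bank image. */
void build_rom(void) {
    memset(rom, 0, sizeof rom);
    for (unsigned i = 0; i < OUTER_ENTRIES; i++)        /* outer table: pointers to inner tables */
        write16_le((uint16_t)(OUTER_BASE + 2u * i), INNER_BASE);
    write16_le(INNER_BASE,      0x1234u);               /* constructed script entry points */
    write16_le(INNER_BASE + 2u, 0x1240u);
    /* Unrelated data the over-read happens to hit: bytes that read back as 0x3193 ... */
    write16_le(0x3000u, 0x3193u);
    /* ... and at 0x3193 the bytes D5 F5, which read back as 0xF5D5. */
    rom[0x3193] = 0xD5;
    rom[0x3194] = 0xF5;
}

/* The dispatch as the thread describes it: no range check on either index.
 * Returns the address that would be called. */
uint16_t dispatch_unchecked(uint8_t cc57, uint8_t cf10) {
    uint16_t inner_table = read16_le((uint16_t)(OUTER_BASE + 2u * cc57)); /* RunNPCMovementScript step */
    return read16_le((uint16_t)(inner_table + 2u * cf10));               /* CallFunctionInTable step */
}

/* Hardened form: reject any index past the end of its table.
 * Returns -1 instead of a target when either index is out of range. */
int dispatch_checked(uint8_t cc57, uint8_t cf10) {
    if (cc57 >= OUTER_ENTRIES || cf10 >= INNER_ENTRIES)
        return -1;
    return (int)dispatch_unchecked(cc57, cf10);
}

/* The CC58 question from the thread: an address below 0x4000 is in the fixed
 * bank, so the selected ROM bank cannot change what is read there. */
int pointer_in_home_bank(uint16_t addr) {
    return addr < HOME_BANK_SIZE;
}

int main(void) {
    build_rom();
    printf("CC57=DD CF10=00 -> unchecked target %04X\n", dispatch_unchecked(0xDD, 0x00));
    printf("CC57=DD CF10=01 -> unchecked target %04X (CF10 moves the second read)\n",
           dispatch_unchecked(0xDD, 0x01));
    printf("CC57=01 CF10=00 -> checked target %04X\n", dispatch_checked(0x01, 0x00));
    printf("CC57=DD         -> checked result %d (rejected)\n", dispatch_checked(0xDD, 0x00));
    printf("0x3193 in home bank: %d\n", pointer_in_home_bank(0x3193));
    return 0;
}
```

Run as is, the model reproduces the thread's chain (DD -> 3193 -> F5D5) and shows that a nonzero CF10 shifts the second read off the D5 F5 bytes, which is why the post says CF10 must be zero; the checked variant is the one-line comparison that the original dispatch lacks.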

Evie the Mother Hen ☽ ❤

Re: CC57/8 continuous arbitrary code execution
« Reply #7 on: December 15, 2018, 03:52:26 pm »
Thank you for the input guys! Ah.. Unfortunate that it doesn't work in battle. :(
« Last Edit: December 15, 2018, 05:59:22 pm by Evie ❤✿ »
