Author Topic: CC57/8 continuous arbitrary code execution  (Read 210 times)

Quirky Flower Chicken ❤✿ (Administrator)
CC57/8 continuous arbitrary code execution
« on: December 09, 2018, 05:35:07 am »
If CC57/8 reads DD 00, the game will execute arbitrary code at F5D5 not just once but continuously. This is in the expanded PC items and can be changed to C3 XX D3. The general idea might be to use 4F/-g m/8F, etc. to set CC57 to DD and set CC58 to 00 if it isn't 00 already.

An advantage to this over D36E/D36F ACE is that it stays even after changing maps. Unfortunately I have to go, so I can't do any more testing right now, but I wonder if it works in battle?

✿ Hi! I'm Evie. I'm a transgender woman, but any pronouns are fine. She/her preferred. ✿ 🦋

Nature: Passive, kind, but a little shy sometimes in public though warms up. Sensitive, however brave. I have a hidden protective side to me. Liberal feminist.

War is the birth of new love, love is the birth of new war. Having died once, lived twice. Together alone we are together.

Thank you for this lovely artwork Nyapon! :3

Parzival (GCLF Member)
Re: CC57/8 continuous arbitrary code execution
« Reply #1 on: December 10, 2018, 08:47:08 pm »
What do these control, precisely?
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

Sherkel (Staff)
Re: CC57/8 continuous arbitrary code execution
« Reply #2 on: December 11, 2018, 03:41:33 pm »
> What do these control, precisely?

What are you asking, precisely? :P

metalmario32 (GCLF Member)
Re: CC57/8 continuous arbitrary code execution
« Reply #3 on: December 12, 2018, 06:44:27 am »
>> What do these control, precisely?
> What are you asking, precisely? :P

He's asking what in-game variables those addresses control, precisely.
I've been a fan of Pokémon since my first game. That was Platinum, though. Ever since then, I've played every single generation of Pokémon at least once and got into glitching them when I got RBY. Oh boy, the fun times that I had as a kid... I <3 GLITCH CITY LABORATORIES for bringing back my childhood!

Epsilon (Member+)
Re: CC57/8 continuous arbitrary code execution
« Reply #4 on: December 12, 2018, 06:59:54 am »
>>> What do these control, precisely?
>> What are you asking, precisely? :P
> He's asking what in-game variables those addresses control, precisely.

...which is precisely the reason why Pokered exists! :^)

Anyways, CC57 is responsible for the location in the pointer table to call for NPC movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.

Gonna take a guess as to how this works...

When setting CC57 higher than the number of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.

Don't have access to an emulator right now, so can't be too sure.
« Last Edit: December 12, 2018, 07:01:39 am by Epsilon »

metalmario32 (GCLF Member)
Re: CC57/8 continuous arbitrary code execution
« Reply #5 on: December 12, 2018, 07:20:37 am »
>>>> What do these control, precisely?
>>> What are you asking, precisely? :P
>> He's asking what in-game variables those addresses control, precisely.
>
> ...which is precisely the reason why Pokered exists! :^)
>
> Anyways, CC57 is responsible for the location in the pointer table to call for NPC movement scripts, which, as you might've guessed, are executed continuously to keep the NPCs moving. CC58 controls the ROM bank for the movement script.
>
> Gonna take a guess as to how this works...
>
> When setting CC57 higher than the number of pointers, the program will read past the pointer table and treat unrelated data as pointers (aka how 8F works). It will then call the pointer it grabs, which in this case happens to be F5D5.
>
> Don't have access to an emulator right now, so can't be too sure.

So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?

Epsilon (Member+)
Re: CC57/8 continuous arbitrary code execution
« Reply #6 on: December 12, 2018, 07:50:47 am »
> So what's happening is, what would be interpreted as NPC movement data is invalid beyond certain pointers, and therefore points to a glitch location to execute ACE?

Take a gander at this line in pokered's home.asm.

As you can see, it takes the value at CC57, takes a pointer to a list of pointers to movement script pointer tables (phew!), and adds the two. It then grabs the pointer it finds there, puts it in hl, and makes a call to CallFunctionInTable.

So yeah, I'm assuming that's what's going on there.

Something else to note: the function I linked loads the value at CF10 (responsible for the function number in the pointer table) into the accumulator before making the call to CallFunctionInTable. I do wonder if that value may change the ability to do this trick.

EDIT: Some semi-important findings in this regard

The way this works is because the function I originally linked adds CC57 (which is DDh in the trick) to the pointer to the pointer table which points to the other movement script pointer table. It gets 3193, which points to D5h and F5h. CallFunctionInTable reads these values and calls F5D5.

However, CF10 affects what pointer CallFunctionInTable calls when called with RunNPCMovementScript. This means CF10 must be zero or else this will not work!

Not sure what changes CF10, however.

Edit2: Something else to note:

While Torchic included setting CC58 to 0 in her instructions, this is actually unnecessary. 3193, which contains the "pointer" to F5D5, is in the "home" ROM bank, meaning it's irrelevant what the ROM bank is at the time of CallFunctionInTable.

> but I wonder if it works in battle?

No. NPC movement scripts are not executed during battle.
« Last Edit: December 12, 2018, 11:17:55 am by Epsilon »
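The lookup Epsilon walks through in the post above, as an added model written for this page (it is not the thread's code and not pokered's own source): an 8-bit table index with no bounds check is turned into a ROM address, and once the index is past the real entries the "pointer" read is just whatever bytes sit there. The numbers on the page (CC57 = DD lands on 3193, which holds D5 F5, so hl becomes F5D5) are used as the constructed ROM contents. Everything else is an assumption and is marked as such in the code: the index arithmetic is modelled as pokered's `dec a / add a / add hl,de` sequence, the table base 0x30DB is back-derived so that index DD resolves to 3193, the real table is taken to have three entries, and CF10 is modelled exactly as Epsilon states it (it selects which entry of the table at hl CallFunctionInTable consumes). The echo-RAM rule (E000-FDFF mirrors C000-DDFF) is a hardware fact and explains why an address like F5D5 reaches the PC item bytes the first post talks about. A bounds-checked variant is included to show what the game would have needed in order to make an out-of-range CC57 harmless.

```python
"""Model of the RunNPCMovementScript pointer lookup discussed in this thread.

Added illustration, not code from the thread or from pokered. Memory
contents and the table base are constructed/assumed as noted below.
"""
from typing import Optional

# Hardware fact: E000-FDFF is echo RAM and mirrors C000-DDFF.
ECHO_START, ECHO_END, ECHO_DELTA = 0xE000, 0xFDFF, 0x2000

# Assumption: the real pointer-to-table list has three entries
# (Pallet, Pewter museum guy, Pewter gym guy), indexed from 1; 0 means none.
REAL_ENTRIES = 3

# Assumption: base of the list of pointers. Not on the page; back-derived so
# that index 0xDD lands on 0x3193 under the arithmetic below (0x3193 - 0xB8).
TABLE_BASE = 0x30DB

# Constructed memory image holding only the bytes the thread mentions:
# Epsilon: "3193 ... points to D5h and F5h".
MEM = {
    0x3193: 0xD5,
    0x3194: 0xF5,
}


def echo_mirror(addr: int) -> int:
    """WRAM address actually served for an echo-RAM address (else unchanged)."""
    if ECHO_START <= addr <= ECHO_END:
        return addr - ECHO_DELTA
    return addr


def read16(addr: int) -> int:
    """Little-endian 16-bit read, like `ld a,[hli] / ld h,[hl] / ld l,a`.

    Unmapped bytes read as 0x00 in this model (constructed, not hardware).
    """
    lo = MEM.get(addr, 0x00)
    hi = MEM.get(addr + 1, 0x00)
    return (hi << 8) | lo


def table_entry_addr(cc57: int) -> int:
    """ROM address RunNPCMovementScript reads the pointer-to-table from.

    Assumed arithmetic: index - 1, doubled in an 8-bit register (carry lost),
    added to the table base. There is no bounds check anywhere in the path.
    """
    a = (cc57 - 1) & 0xFF
    a = (a + a) & 0xFF          # 0xDC * 2 = 0x1B8 -> 0xB8 after the carry is lost
    return (TABLE_BASE + a) & 0xFFFF


def resolve_script_table(cc57: int) -> int:
    """The hl value handed to CallFunctionInTable for a given CC57."""
    return read16(table_entry_addr(cc57))


def call_function_in_table_entry(hl: int, cf10: int) -> int:
    """Address of the table entry CallFunctionInTable consumes for CF10.

    Modelled as Epsilon describes it: CF10 picks an entry of the table at hl,
    so any nonzero CF10 moves the read away from F5D5 and the trick fails.
    """
    return (hl + 2 * (cf10 & 0xFF)) & 0xFFFF


def resolve_script_table_checked(cc57: int) -> Optional[int]:
    """Same lookup with the bounds check the game lacks; None for bad indices."""
    if not 1 <= cc57 <= REAL_ENTRIES:
        return None
    return resolve_script_table(cc57)


if __name__ == "__main__":
    hl = resolve_script_table(0xDD)
    entry = call_function_in_table_entry(hl, 0)
    print(f"CC57=DD: pointer read from {table_entry_addr(0xDD):04X}, hl = {hl:04X}")
    print(f"CF10=0: entry consumed at {entry:04X} "
          f"(echo RAM for {echo_mirror(entry):04X})")
    print(f"CF10=1: entry consumed at {call_function_in_table_entry(hl, 1):04X}")
    print("with bounds check:", resolve_script_table_checked(0xDD))
```

Running the block prints the chain the thread describes: index DD reads the pair at 3193, hl becomes F5D5, and with CF10 = 0 the bytes consumed next are the ones at F5D5, which the hardware serves from D5D5. The checked variant returns None for DD, which is the whole difference between a table dispatch and a glitch-controlled jump.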

Quirky Flower Chicken ❤✿ (Administrator)
Re: CC57/8 continuous arbitrary code execution
« Reply #7 on: December 15, 2018, 03:52:26 pm »
Thank you for the input guys! Ah.. Unfortunate that it doesn't work in battle. :(
« Last Edit: December 15, 2018, 05:59:22 pm by Evie ❤✿ »
