Author Topic: ZZAZZ glitch trainer $FC arbitrary code execution  (Read 119 times)


joshuarpl

ZZAZZ glitch trainer $FC arbitrary code execution
« on: January 08, 2019, 10:54:39 am »
You've heard of the $FC glitch trainer in POKeMON Yellow, right? Well, the reason the game crashes when using a move is that, for some reason, it executes code from $DA80! Glitch expert TheZZAZZGlitch confirmed this with his payload that displays a Doge, some glitch characters, and some text!

Here, I can explain!
When entering the instructions
    $DA80: ld a,$00       ; 3E 00      start at tile ID 0
    $DA82: inc a          ; 3C         next tile ID
    $DA83: ld ($C3A0),a   ; EA A0 C3   write it to the tile buffer ($C3A0 is wTileMap in the disassembly)
    $DA86: jp $DA82       ; C3 82 DA   loop back past the ld, so A keeps counting up
into $DA80 (where the glitch trainer executes code from!)
I can confirm that when I use a move, that code will be executed because if you look at the code, you can see that it places a tile on-screen, and constantly changes to the next tile ID.
And that it does!
Hope that got you an idea!
I have 1 question, though!
How do you use the command db?
If I am necro-bumping, I am sorry.
4 4 scares me on a deep emotional level I can't describe.

Quirky Flower Chicken ❤✿

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #1 on: January 08, 2019, 11:05:16 am »
Nice observation. :)

db is not a command though; it only means that the following bytes are not ASM and are data rather than code. For instance, if you had "db 91 84 83 50", it would be useful for identifying that it is not the code "sub a,c; add a,h; add a,e; ld d,b" but rather data; in this case the player name "RED". In the assembled ROM db is not used, and is similar to a label (like wCurOpponent as opposed to d058). ✿

(Image © Sanrio, Nintendo, HAL Laboratory)

✿ Hi! I'm Evie. I'm a transgender woman, but any pronouns are fine. She/her preferred. ✿ 🦋

Please note:

While I'm one of the staff who runs the site, Abwayax is the founder and manages the technical side of the site (specifically the server, but I can do forum/wiki stuff if you like, I suggest if you do to make a thread about it to gather a consensus). Still feel free to contact me about higher site issues though; I will forward them to Abwayax if needed. :)

Forgiveness is timeless, and moments we look back on humble the soul.

Thank you Nyapon for this lovely artwork. :3

joshuarpl

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #2 on: January 08, 2019, 01:03:29 pm »
...OK, but just loading a value into A and loading A into the screen location to make text would be pretty big code!
Also, I learned how to make animations: I modified the C3A0 data with the BGB debugger to say Happy 2019, and then wrote ASM code at DA80 to constantly switch the H to a bold H and back to a normal H. Oh, and yes, I am using Pokemon Yellow!

Quirky Flower Chicken ❤✿

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #3 on: January 08, 2019, 01:35:22 pm »
Yes, there are ways to work around this (rather than ld a,xx; ld (yyxx),a etc., which uses five bytes each), such as saving some space with arithmetic on registers (e.g. binary bit shifting of registers, and if you want 0x00 use xor a because "a xor a" is always 0). This requires some basic electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator in Programmer mode.

Also, TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes, I guess (although I've not written many complex programs), what a programmer might do is a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do?", and adapt it into a programming context.

ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.

Nice work by the way! ^^ ✿
« Last Edit: January 08, 2019, 01:36:25 pm by Evie ❤✿ »


joshuarpl

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #4 on: January 08, 2019, 03:04:26 pm »
> Yes, there are ways to work around this, (rather than ld a, xx; ld (yyxx),a etc. which uses five bytes each) such as you can save some space with arithmetic registers (e.g. binary bit shifting registers and if you want 0x00 use xor a because "a xor a" is always 0). This requires some basics electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator on Programmer.
>
> Also TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes I guess (although I've not wrote many complex programs) what a programmer might do is do a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do", and adapt it into programming context.
>
> ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.
>
> Nice work by the way! ^^ ✿


Haha, the space of 00's from address DA80 goes all the way to DEE0!
How do you make the game wait for user input or make certain button inputs do something?

Quirky Flower Chicken ❤✿

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #5 on: January 08, 2019, 03:59:09 pm »
> > Yes, there are ways to work around this, (rather than ld a, xx; ld (yyxx),a etc. which uses five bytes each) such as you can save some space with arithmetic registers (e.g. binary bit shifting registers and if you want 0x00 use xor a because "a xor a" is always 0). This requires some basics electronics knowledge but can be self-taught relatively quickly while playing with Windows Calculator on Programmer.
> >
> > Also TheZZAZZGlitch's method of jumping back earlier could be considered like an algorithm. So sometimes I guess (although I've not wrote many complex programs) what a programmer might do is do a thought experiment and imagine: "how would I achieve this, what do I want the program to generally do", and adapt it into programming context.
> >
> > ISSOtm also knows of CPU saving strategies, so if you make programs he might be able to optimise the code for you.
> >
> > Nice work by the way! ^^ ✿
>
> Haha, The space of 00's from address DA80 goes all the way to DEE0!
> How do you make the game wait for user input or make certain button inputs do something?

Oh... I see. Hmm, perhaps that was one of the things which worked, but as you said likely could be optimised.

In relation to your question: In short, you'll need to loop the code and read FFB3, because FFB3 is a HRAM address which updates with button data.

FFB3 states are as such:

Bit 0: A-Button pressed (take value, add +01 to add check)
Bit 1: B-Button pressed (take value, add +02 to add check)
Bit 2: Select pressed (take value, add +04 to add check)
Bit 3: Start pressed (take value, add +08 to add check)
Bit 4: D-pad right pressed (take value, add +10 to add check)
Bit 5: D-pad left pressed (take value, add +20 to add check)
Bit 6: D-pad up pressed (take value, add +40 to add check)
Bit 7: D-pad down pressed (take value, add +80 to add check)

I have a program that makes Pikachu move based on the d-pad. It works by essentially doing a check that the values, when subtracted, make FFB3 less than $01. You can play around with it so that other memory addresses are set. For example, a 'cheat mode' where pressing Start lets you walk through walls and pressing Select disables it, and you may be able to give it some permanence with the 0xCC57 method recently documented on these forums (but at the moment you will need to work it out for Red/Blue; no CC57 Yellow ACE may be documented on the Internet yet). You can use D36D-D36E for an EN Yellow Version instead of D36E-D36F (EN Red/Blue Version) though, if you settle for the map script method (although it only applies to the current map unless activated again).

Hope this helps :). ✿
« Last Edit: January 08, 2019, 04:03:23 pm by Evie ❤✿ »

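The two loops discussed in this thread, the tile cycler from the first post and a poll of $FFB3 that spins until the A bit is set (the "loop the code and read FFB3" approach described above), run here on a minimal interpreter for just the Game Boy opcodes they use. This is an added example, not code from the thread or from the pokered disassembly; the addresses ($DA80 payload start, $C3A0 tile buffer, $FFB3 joypad byte with bit 0 = A) are taken from the posts above, and the wait loop itself is my own construction.

```python
# Minimal interpreter for the few SM83 (Game Boy CPU) opcodes used by the small
# $DA80 payloads in this thread. Added example; addresses are the ones quoted above.
PAYLOAD = 0xDA80   # where the $FC glitch trainer starts executing (per the thread)
TILEMAP = 0xC3A0   # tile buffer address written by the first post's loop
JOYPAD  = 0xFFB3   # HRAM byte holding button bits (bit 0 = A, per Evie's table)

def run(mem, pc, max_steps):
    """Execute from pc until a HALT (0x76) or max_steps; return (pc, a, steps)."""
    a, zf = 0, False
    for step in range(max_steps):
        op = mem[pc]
        if op == 0x3E:                              # ld a, n
            a, pc = mem[pc + 1], pc + 2
        elif op == 0x3C:                            # inc a (Z set when wrapping to 0)
            a = (a + 1) & 0xFF; zf = a == 0; pc += 1
        elif op == 0xEA:                            # ld (nn), a
            mem[mem[pc + 1] | (mem[pc + 2] << 8)] = a; pc += 3
        elif op == 0xC3:                            # jp nn
            pc = mem[pc + 1] | (mem[pc + 2] << 8)
        elif op == 0xF0:                            # ldh a, (n)  reads $FF00+n
            a, pc = mem[0xFF00 + mem[pc + 1]], pc + 2
        elif op == 0xE6:                            # and n
            a &= mem[pc + 1]; zf = a == 0; pc += 2
        elif op == 0x28:                            # jr z, e (signed 8-bit offset)
            e, pc = mem[pc + 1], pc + 2
            if zf:
                pc += e - 0x100 if e > 0x7F else e
        elif op == 0x76:                            # halt: treat as "payload done"
            return pc, a, step
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {pc:04X}")
    return pc, a, max_steps

def tile_cycler(steps):
    """First post's loop (ld a,0 / inc a / ld ($C3A0),a / jp $DA82): tile ID in $C3A0 after `steps` instructions."""
    mem = bytearray(0x10000)
    mem[PAYLOAD:PAYLOAD + 9] = bytes.fromhex("3E003CEAA0C3C382DA")
    run(mem, PAYLOAD, steps)
    return mem[TILEMAP]

def waits_for_a(joypad_byte, budget=1000):
    """Constructed wait loop (.w ldh a,($B3) / and $01 / jr z,.w / halt): True if it falls through."""
    mem = bytearray(0x10000)
    mem[PAYLOAD:PAYLOAD + 7] = bytes.fromhex("F0B3E60128FA76")   # jr -6 targets $DA80
    mem[JOYPAD] = joypad_byte
    _, _, steps = run(mem, PAYLOAD, budget)
    return steps < budget
```

Masking with `and $01` is what makes the loop ignore every other button: a byte of $02 (B only) keeps spinning, while $09 (A plus Start) falls through.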

joshuarpl

Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #6 on: January 08, 2019, 05:25:41 pm »
For example, what is code that would lock the game until you press A?

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: ZZAZZ glitch trainer $FC arbitrary code execution
« Reply #7 on: January 08, 2019, 06:02:40 pm »
You should refer to the disasm, especially wram.asm. There's documentation on the different RAM addresses and their functionality.
Further, if you want to know the answer to this kind of question, you should find a piece of code that does what you want and figure out how it works. For example, home/init.asm references `PlayIntro` (use GitHub's search to find that it's in engine/intro.asm), which references `PlayShootingStar` (just below), which calls `AnimateShootingStar` (engine/gamefreak.asm), which calls `CheckForUserInterruption` (home.asm). There you can see it calls `JoypadLowSensitivity` and reads back `hJoyHeld` and `hJoy5`. It's up to you to figure out how those work!

All this because we'll quickly grow tired if you need every answer spoonfed to you, so you should start learning how to be autonomous. Of course, if you're still stumped, you can ask us - it's always nice to help someone who shows they are making an effort but doesn't quite make it. You're off to a good start!
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)