Arbitrary code execution: Difference between revisions

← Older edit

Arbitrary code execution (view source)

Revision as of 16:04, 7 December 2022

7,520 bytes added , 1 year ago

Add initial information on Gen 4 (thanks to RETIRE for corrections!)

VisualWikitext

Vriska

0

edits

Revision as of 15:25, 9 August 2015 (view source) >ISSOtm (→‎In Generation I: Added a section for POS code execution) ← Older edit		Latest revision as of 16:04, 7 December 2022 (view source) Vriska (talk \| contribs) (Add initial information on Gen 4 (thanks to RETIRE for corrections!))
(87 intermediate revisions by 15 users not shown)
Line 1: {{Template:Major_glitches}} {{Template:Arbitrary_code_execution}} {{PRAMA\|ace-1G}} {{Bulbapedia}} {{incomplete\|1=<br><br>The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote, specific details on Generation III summary and move animation ACE, and specific details on Generation IV ACE}} '''Arbitrary code execution''' (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see [http://gameboy.mongenel.com/dmg/asmmemmap.html Game Boy memory map]). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player. It commonly involves an invalid execution pointer (such as via glitch items in Generation I). In English versions, another popular method is as a side effect of the [[Coin Case glitch]] in English {{GS}}, which the player can manipulate to run custom assembly code. ~~'''Arbitrary code execution''' refers to a method that allows the player to force the game to run code written by the player.~~ This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games. ~~It usually uses an invalid execution pointer (glitch items in Generation I, an incorrectly terminated string in English {{GS}}), which the player can manipulate to run custom assembly code.~~ ~~This custom code is often spelled with items, as a stack of items uses only two bytes.~~ ==In [[bp:Generation I\|Generation I]]== ===Via ~~Items~~items=== Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution. ~~Both (glitch) items require a special setup for the item to run correct code.~~ All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and [[Generation I item codes\|write the main payload there]]. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping". For detailed info about these items, read [http://forums.glitchcity.info/index.php/topic,6638.0.html this topic] on GCL forums if playing R/B, or [http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586 this post] if playing Yellow. There are many ways to obtain those glitch items through glitches. In {{RGB}}, the [[Select glitch]] can easily [[item creation Select glitches\|create]] any glitch item. In the international versions, the most common method is to first obtain an [[expanded item pack]], then find the glitch item in the X coordinate ([[Celadon looping map trick]]) or in [[roaming items]]. ~~It is a good idea to read all the topic messages for info.~~ Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its [[ItemDex]] page. ~~====Using てヘ (tehe) in JP Red/Green====~~ ~~<!-- NOTE : Should be tested for JP Yellow, too -->~~ Glitch item hex:7B has its execution script pointing to wild Pokémon data. However, by naming yourself (any character)てルぬ(any characters or nothing) and talking to the Old Man, the script jumps to item pack #3. {\| class="wikitable sortable" ~~====Using 8F (English Red/Blue)====~~ !Version!!ID!!Name!!Effect pointer!!Pointing to!!Notes ~~The 8F item doesn't run arbitrary code in at least the French versions.~~ \|- \|English Red/Blue\|\|0x6A\|\|[[ItemDex/RB:106\|-gm]]\|\|$DA47\|\|Safari Ball count\|\|Followed by Day Care data and box Pokémon data <br /> Equivalent to なかよしバッジ due to the fix for the [[old man full box glitch]] \|- \|Japanese Red/Green/Blue\|\|0x67\|\|[[ItemDexJP/RGB:103\|なかよしバッジ]]\|\|$D983\|\|Safari Ball count\|\|Followed by Day Care data and box Pokémon data \|- \|English Red/Blue\|\|0x5D\|\|[[ItemDex/RB:093\|8F]]\|\|$D163\|\|Party Pokémon data\|\|Equivalent to ５かい due to the fix for the [[old man full box glitch]] \|- \|European non-English Red/Blue\|\|0x5D\|\|[[ItemDex/RB:093#In other European versions\|7EME ETAGE / S7 / 7°P / P7]]\|\|<!-- TODO -->\|\|Party Pokémon data\|\|Same item as 8F \|- \|Japanese Red/Green/Blue\|\|0x5A\|\|[[ItemDexJP/RGB:090\|５かい]]\|\|$D123\|\|Party Pokémon data\|\| \|- \|English Yellow\|\|0x63\|\|[[ItemDex/Y:099\|ws m]]\|\|$DA7F\|\|Box Pokémon data\|\| \|- \|European non-English Yellow\|\|0x63\|\|[[ItemDex/Y:099#In other European versions\|ws l' m / ws & m]]\|\|<!-- TODO -->\|\|Box Pokémon data\|\|Same item as ws m \|- \|English Red/Blue\|\|0x59\|\|[[ItemDex/RB:089\|4F]]\|\|$FA65\|\|Middle of Day Care data \|- \|English Yellow\|\|0x59\|\|[[ItemDex/Y:089\|4F]]\|\|$FA64\|\|Middle of Day Care data\|\| \|- \|European non-English Yellow\|\|0x59\|\|[[ItemDex/Y:089#In other European versions\|3EME ETAGE / S3 / 3°P / P3]]\|\|$FA64\|\|Middle of Day Care data\|\|Same item as 4F \|- \|Japanese Red/Green\|\|0x7B\|\|[[ItemDexJP/RG:123\|てヘ]]\|\|$D806\|\|Grass encounter table\|\|Can be changed to the player's name by the [[Old man trick\|old man]]<!-- NOTE: Should be tested for JP Yellow, too --> \|- \|Japanese Blue\|\|0x7B\|\|[[ItemDexJP/B:123]]\|\|$D806\|\|Grass encounter table\|\|See てヘ. Requires [[0x50 sub-tile]]. \|} Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.) ====Useful item codes==== ~~The player's party Pokémon must be in a certain order and have certain stats :~~ See [[Generation I item codes]] for some useful item lists for 8F (and possibly other ACE methods). ~~# 5 Pokémon~~ ~~# Pidgey as the first Pokémon~~ ~~# Parasect as the second Pokémon~~ ~~# Onix as the third Pokémon~~ ~~# Tentacool as the fourth Pokémon~~ ~~# Kangaskhan as the fifth Pokémon~~ ~~# Pidgey must have 233 HP~~ ~~To obtain such a Pidgey, Rare Candy it up to Lv100, apply 5~6 HP Ups.~~ ===Via text boxes=== ~~If needed get it poisoned, use a Max Potion (not Full Restore !), walk 4(Pidgey's max HP-233) steps and cure the poison.~~ Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like [[Trainer escape glitch#Text box ID matching\|text box ID matching]] can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution. Notable setups for text box ACE include: ~~When selecting Use on 8F, the game will run code depending on the item pack (starting from item #3)~~ [[Sea Route 21 0x44 text box glitch (English Yellow)]], which is accessed by text box ID matching. ~~The bootstrap code translates to the following ASM :~~ [[Pikachu off-screen glitch#Glitch text box activation and arbitrary code execution\|Pikachu off-screen glitch ACE]], which works by forcing the non-existing sign 04 to appear in the Vermilion City Fan Club. ~~<code>~~ ~~; Initial hl = D163<br/>~~ ~~$D163 <- 05 \|\| dec b<br/>~~ ~~$D164 <- 24 \|\| inc h ; h = D2<br/>~~ ~~$D165 <- 2E \|\|<br/>~~ ~~$D166 <- 22 \|\| ld l, 22 ; l = 22 <br/>~~ ~~$D167 <- 18 \|\| <br/>~~ ~~$D168 <- 02 \|\| jr 2 ; pc = D16B<br/>~~ ~~$D169 <- FF \|\|<br/>~~ ~~$D16A <- FF \|\|<br/>~~ ~~$D16B <- 24 \|\| inc h ; h = D3<br/>~~ ~~$D16C <- 00 \|\| nop<br/>~~ ~~$D16D <- e9 \|\| jp hl ; pc = D322~~ ~~</code>~~ ===Via "TRAINER 4" (hex:FC)=== ~~To make 8F run code starting from item 1, replace the Onix with a Tangela.~~ This method will make [[TrainerDex/RB:052\|"TRAINER 4"]] (hex:FC) (encountered via the [[Trainer escape glitch]]) run code based on the data of the Pokémon in the current PC box. ~~====Using 7eme etage / P7 / S7 (French & Italian / Spanish / German Red/Blue)====~~ ~~These items (which will be referred to as "7F" for this part) run code like 8F in ENglish versions.~~ Requirements : ~~In these versions, 8F has the much less useful effect of returning to the overworld script even in-battle.~~ No Pokémon must ever have been deposited info the Daycare (even on a previous save file) ~~However, the bootstrap code must be slightly changed from the English version : the player should replace Onix by a Graveler.~~ Knowing and being able to perform the [[Trainer escape glitch]] A Pokémon with a Special stat of 252 #One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC) ~~When selecting Use on 7F, the game will run code depending on the item pack (starting from item #3)~~ #Aside from the [[ZZAZZ glitch\|ZZAZZ effects]], upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data. The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040. ~~The bootstrap code translates to the following ASM :~~ ~~<code>~~ ~~; Initial hl = D163<br/>~~ ~~$D163 <- 05 \|\| dec b<br/>~~ ~~$D164 <- 24 \|\| inc h ; h = D2<br/>~~ ~~$D165 <- 2E \|\|<br/>~~ ~~$D166 <- 27 \|\| ld l, 27 ; l = 27<br/>~~ ~~$D167 <- 18 \|\|<br/>~~ ~~$D168 <- 02 \|\| jr 2 ; pc = D16B<br/>~~ ~~$D169 <- FF \|\|<br/>~~ ~~$D16A <- FF \|\|<br/>~~ ~~$D16B <- 24 \|\| inc h ; h = D3<br/>~~ ~~$D16C <- 00 \|\| nop<br/>~~ ~~$D16D <- e9 \|\| jp hl ; pc = D327~~ ~~</code>~~ {{Youtube\|5x9G5BWanWw\|TheZZAZZGlitch}} ~~To make "7F" run code starting item 1, replace the Graveler with a Fearow.~~ ==In [[bp:Generation II\|Generation II]]== ~~====Using "ws m" (Yellow)====~~ {{PRAMA\|ace-2G}} ~~The Pokémon in the '''current''' PC box must be in a certain order for the instruction pointer to be redirected to the item pack :~~ ===Gold and Silver=== ~~# 11 Pokémon in your '''current''' PC box~~ {{main\|Coin Case glitch}} ~~# Seel as the 1st Pokémon in the current PC box~~ ~~# Parasect as the 2nd Pokémon in the current PC box~~ ~~# Growlithe as the 3rd Pokémon in the current PC box~~ ~~# Magikarp as the 4th Pokémon in the current PC box~~ ~~# Psyduck as the 5th Pokémon in the current PC box~~ ~~# Flareon as the 6th Pokémon in the current PC box~~ ~~# Tentacool as the 7th Pokémon in the current PC box~~ ~~# Nidoqueen as the 8th Pokémon in the current PC box~~ ~~# Three more Pokémon~~ ~~# Finally, Seel's HP must be 233~~ The English versions of {{GS}} use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions. ~~Much like 8F, the contents of the item pack (starting from item 3) will be read as ASM code.~~ While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there. ~~===Useful item codes===~~ ~~All the following items lists begin from the first item pack slot.~~ ~~====Non-key item duplication====~~ ~~<code>~~ 8F Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items. ~~The item to duplicate x1~~ ===Crystal=== ~~X Accuracy x33~~ {{main\|0x1500 control code arbitrary code execution}} In {{C}}, there is a recently found way to execute arbitrary code. It is based on getting [[unterminated name Pokémon (Generation II)\|a Pokémon with an unterminated name]] (can be done with the [[bad clone glitch]]) and viewing its name unprotected (e.g. in the stats screen or in the PC). ~~Revive x201~~ ~~</code>~~ This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the [[Pokémon Crystal any% speedrun route\|any% speedrun route]] was based on this method. However, [https://pastebin.com/3satHMsE the current route] now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored. ~~To obtain the 201 Revive stack, have Revive x73 in the sixth item pack slot, then encounter / capture MissingNo or 'M. It will be a stack of 201 Revives.~~ {{Youtube\|Gj7m4vh18c8\|Werster}} ==In [[bp:Generation III\|Generation III]]== ~~Upon using 8F, the quantity of item #2 will be decreased by one. If there was only one item, it will be a stack of zero items. Tossing one of these rolls the quantity back to 255.~~ There are at least three methods of arbitrary code execution, all stemming from the use of [[Glitzer Popping]]. ===Via stack overflow=== Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM. The method is dependent on save block ordering and is somewhat impractical, but was first performed in [http://youtu.be/m9pvNYdhldo this video] by TheZZAZZGlitch. ~~====Gameshark-like code====~~ ~~The following item list will work the same way a game-altering device does.~~ ===Via glitch move animation=== ~~<code>~~ Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc. 8F By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc. Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000. {\| class="wikitable" \|- !Version!!Move ID!!EVs!!Target \|- \|US\|\|0x1608\|\|8 HP 22 Attack\|\|0x02030400 (Box 12, slot 15) \|- \|JP\|\|0x3110\|\|16 HP 49 Attack\|\|0x02330000 (Box 12, slot 14) \|} As for the animation script, a Pokemon nickname can be used on Japanese Emerald, using this [https://bulbapedia.bulbagarden.net/wiki/Character_encoding_in_Generation_III character map]. An example script may look like: 1F zz yy xx ww FF to execute code at address 0xWWXXYYZZ. On other versions, setting up the bootstrap script is more complicated. There is a [https://pastebin.com/U5ajVMp8 Pastebin guide] for this by Metarkai. ~~Any item x Any qty~~ This strategy was used in [https://www.youtube.com/watch?v=cY_O9nRwxc4&t=3309s this TAS] by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name. ~~X Accuracy x(b2)~~ This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working. ~~Carbon x(b3)~~ ===Via glitch sprite animation=== ~~Max Revive x(b1)~~ Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx. {\| class="wikitable" \|- !Version!!Species ID!!EVs!!Target!!ARM/THUMB \|- \|US\|\|0x40E9\|\|233 HP 64 Attack\|\|0x0206FFFF (Box 12 Slot 3)\|\|THUMB \|- \|US\|\|0x0611\|\|17 HP 6 Attack\|\|0x0206FEFE (Box 12 Slot 3)\|\|ARM \|- \|JP\|\|0x085F\|\|95 HP 8 Attack\|\|0x0206FFFF (Box 12 Slot 3)\|\|THUMB \|- \|JP\|\|0x0615\|\|21 HP 6 Attack\|\|0x0206FEFE (Box 12 Slot 3)\|\|ARM \|} Species IDs with asterisks cannot be safely viewed from the summary screen; the game will crash from its species name. They can only be used for ACE by either hatching them from an Egg, or viewing their animation in a Pokemon Contest. [https://problemkaputt.de/gbatek.htm THUMB or ARM code] can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters. ~~Poké Ball x201~~ ~~</code>~~ On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions. To obtain the 201 Poké Balls stack, have Poké Balls x73 in the sixth item pack slot, then encounter / capture MissingNo or 'M. It will be a stack of 201 Poké Balls. It is also possible to use the Non-key items duplication code. This glitch has been used in the latest (as of 2020/03/19) Any% WR Emerald speedrun by Startoria: https://www.youtube.com/watch?v=M5HrQM5boQs. The code used in the run was written by merrp. ~~This code aims to write code like the Gameshark code "01(b1)(b2)(b3)".~~ This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3. ~~For example, the code 010138CD, which allows to walk through walls, can be transcripted into the following :~~ ==In [[bp:Generation IV\|Generation IV]]== ~~<code>~~ ===Via Retire glitch=== ~~X Accuracy x(b2)~~ Executing a script with an index higher than the available script indexes in a map via the [[Retire glitch]] can be used to obtain arbitrary script execution, which can be escalated to full ACE. This method has been [https://www.craft.do/s/VTsIAtSd7ob1uT refined] over time. {{Youtube\|tmPzFAuKMA8\|RETIRE}} ~~Carbon x(b3)~~ ===Via Alt-Retire glitch=== ~~Max Revive x(b1)~~ Similarly to the previous method, arbitrary script execution can also be obtained via the [[Alt-Retire glitch]]. ===Via NPC ASE=== ~~Poké Ball x201~~ Interacting with an NPC runs a script with an index equal to the event_id of that NPC. ASE can be obtained through invalid event_ids. Currently, this can only be achieved via an existing ASE method. There is a [https://www.craft.do/s/oLpZYx2GFRf8N1 guide] for this by RETIRE. ~~</code>~~ ==In [[bp:Generation VI\|Generation VI]]== ~~===Via ZZAZZ Trainer hex:FC===~~ A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS. ~~[http://youtu.be/5x9G5BWanWw Video by TheZZAZZGlitch]~~ ==Custom data== ~~This method will make the ZZAZZ trainer hex:FC (encountered via the [[Trainer escape glitch]]) to run code based on the data of the Pokémon in the current PC box.~~ Arbitrary code execution can be used to create custom data, such as sprites, text and sounds. [[Arbitrary sprites\|Custom Pokémon and Trainer front/back sprites]] ~~Requirements :~~ [[Custom maps]] * No Pokémon must ever have been deposited info the Daycare (even on a previous save file) [[Custom player sprite]] Knowing and being able to perform the [[Trainer-Fly glitch]] [[Custom Pokédex entries]] A Pokémon with a Special stat of 252 [[Custom screens]] [[Custom text boxes]] [[Custom tilesets]] [[Custom PCM sound effects]] ==Related articles== ~~# One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)~~ # Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data. ~~===Via Pikachu Off-Screen (POS) corruption===~~ ~~This section will be filled in soon !~~ ~~==In [[bp:Generation II\|Generation II]]==~~ ~~{{main\|Coin Case glitch}}~~ ~~The English versions of {{GS}} use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.~~ ~~While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.~~ Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items. ~~==In [[bp:Generation III\|Generation III]]==~~ ~~The method is extremely complicated, but can be achieved.~~ [[Executing large programs with arbitrary code execution]]. ~~To learn how, watch [http://youtu.be/m9pvNYdhldo this video] by TheZZAZZGlitch~~ [[Cart-swap arbitrary code execution]] [[Remote code execution]] [[List of 8F bootstrap setups]] [[List of arbitrary code execution programs]] [[GB Programming]] [[Category:~~Generation_I_glitches~~Arbitrary code execution\|*]] [[Category:~~Generation_II_glitches~~Generation I glitches]] [[Category:~~Generation_III_glitches~~Generation II glitches]] [[Category:Generation III glitches]] [[Category:Generation VI glitches]]