TryObjectEvent arbitrary code execution: Difference between revisions
Content added / Content deleted
Both revisions by Torchickens (no edit summary)

Line 1:
- '''TryObjectEvent arbitrary code execution''' is an engine vulnerability, known to be in {{Crystal}}.<ref>[https://github.com/pret/pokecrystal/blob/master/docs/bugs_and_glitches.md Pokémon Crystal disassembly]</ref>
+ '''TryObjectEvent arbitrary code execution''' is an engine vulnerability or [[glitch]], known to be in {{Crystal}}.<ref>[https://github.com/pret/pokecrystal/blob/master/docs/bugs_and_glitches.md Pokémon Crystal disassembly]</ref>

When this function is called, if the carry flag is not set, it is possible for the game to cause [[arbitrary code execution]] with bc as the pointer.

Line 32:
<references/>

[[Category:Engine vulnerabilities]]
+ [[Category:Generation II glitches]]
Latest revision as of 21:00, 17 December 2019
TryObjectEvent arbitrary code execution is an engine vulnerability or glitch, known to be in Pokémon Crystal.[1]
When this function is called, if the carry flag is not set (IsInArray did not find the object type), the value pushed from bc is left on the stack, so the routine's ret uses it as the return address and the game can cause arbitrary code execution with bc as the pointer.
The following is the code that causes it in the Pokémon Crystal disassembly; lines marked with - are removed by the fix and lines marked with + are added. It seems the fix is to add a pop bc instruction on the .nope path.
    -; Bug: If IsInArray returns nc, data at bc will be executed as code.
        push bc
        ld de, 3
        ld hl, .pointers
        call IsInArray
        jr nc, .nope
        pop bc

        inc hl
        ld a, [hli]
        ld h, [hl]
        ld l, a
        jp hl

    .nope
    -   ; pop bc
    +   pop bc
        xor a
        ret
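The stack behaviour behind the bug, modelled in Python as an added example that is not pokecrystal code: the handler table, the addresses and the register values are constructed, and the model covers both the found path (jp hl) and the .nope path with and without the missing pop bc.

```python
# Added example (not pokecrystal code): a minimal model of the SM83 stack that
# shows why skipping 'pop bc' on the .nope path turns 'ret' into a jump to bc.
# The handler table, addresses and register values below are constructed.

class GBStack:
    """Minimal Game Boy stack: 16-bit little-endian words, SP grows downward."""

    def __init__(self, sp=0xDFFF):
        self.mem = bytearray(0x10000)
        self.sp = sp

    def push(self, value):
        self.sp = (self.sp - 2) & 0xFFFF
        self.mem[self.sp] = value & 0xFF
        self.mem[self.sp + 1] = (value >> 8) & 0xFF

    def pop(self):
        value = self.mem[self.sp] | (self.mem[self.sp + 1] << 8)
        self.sp = (self.sp + 2) & 0xFFFF
        return value


# Constructed stand-in for the .pointers table: object type -> handler address.
# (In the real table each entry is 3 bytes, hence 'ld de, 3' before IsInArray.)
POINTERS = {0x01: 0x4A00, 0x02: 0x4A40}


def is_in_array(a, table):
    """IsInArray: carry is set when a is found in the table, clear otherwise."""
    return a in table


def try_object_event(a, bc, caller_pc, fixed):
    """Model TryObjectEvent; return (path, address) where execution continues.

    a: object type looked up in the table; bc: value of bc at entry;
    caller_pc: return address pushed by 'call TryObjectEvent';
    fixed: True when the .nope path contains the missing 'pop bc'.
    """
    stack = GBStack()
    stack.push(caller_pc)                 # call TryObjectEvent
    stack.push(bc)                        # push bc
    if is_in_array(a, POINTERS):          # carry set, so 'jr nc, .nope' falls through
        stack.pop()                       # pop bc
        return ("handler", POINTERS[a])   # ld a,[hli] / ld h,[hl] / ld l,a / jp hl
    # .nope
    if fixed:
        stack.pop()                       # pop bc  (the fix)
    # xor a ; ret -- ret pops whatever word is now on top of the stack
    return ("ret", stack.pop())           # buggy path: this is bc, not caller_pc
```

With the bug present the caller's real return address is also left behind, so the stack stays misaligned by one word after the bogus return.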
More research is needed for this article.
Reason given: Might this be the cause of Burned Tower Silver wrong side glitch?