TryObjectEvent arbitrary code execution: Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
>Torchickens (Created page with "'''TryObjectEvent arbitrary code execution''' is an engine vulnerability, known to be in {{Crystal}}.<ref>[https://github.com/pret/pokecrystal/blob/master/docs/bugs_and_glitch...") |
>Torchickens No edit summary |
||
Line 27: | Line 27: | ||
</tt> |
</tt> |
||
{{Researchneeded|Might this the cause of [[Burned Tower Silver wrong side glitch]]?}} |
{{Researchneeded|Might this be the cause of [[Burned Tower Silver wrong side glitch]]?}} |
||
{{clr}} |
{{clr}} |
||
==References== |
==References== |
Revision as of 20:58, 17 December 2019
TryObjectEvent arbitrary code execution is an engine vulnerability, known to be in Pokémon Crystal.[1]
When this function is called, if the carry flag is not set, it is possible for the game to cause arbitrary code execution with bc as the pointer.
The following is the code that causes it in the Pokémon Crystal disassembly. It seems the fix is to add a pop bc instruction.
-; Bug: If IsInArray returns nc, data at bc will be executed as code.
push bc ld de, 3 ld hl, .pointers call IsInArray jr nc, .nope pop bc
inc hl ld a, [hli] ld h, [hl] ld l, a jp hl
.nope
- ; pop bc + pop bc
xor a ret
More research is needed for this article.
| |
Reason given: Might this be the cause of Burned Tower Silver wrong side glitch? |