TryObjectEvent arbitrary code execution: Difference between revisions

From Glitch City Wiki
>Torchickens
(Created page with "'''TryObjectEvent arbitrary code execution''' is an engine vulnerability, known to be in {{Crystal}}.<ref>[https://github.com/pret/pokecrystal/blob/master/docs/bugs_and_glitch...")
 
>Torchickens
No edit summary
Revision as of 20:58, 17 December 2019

TryObjectEvent arbitrary code execution is an engine vulnerability, known to be in Pokémon Crystal.[1]

When this function is called, it pushes bc and then calls IsInArray. If IsInArray returns with the carry flag clear (no matching entry), the routine jumps to .nope without popping the bc it saved, so the final ret pops that saved bc as its return address instead of the caller's. Execution therefore continues at whatever address bc held, giving arbitrary code execution with bc as the pointer.
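The control-flow difference described above, as an added illustration that is not part of the wiki page or of the pokecrystal project: a small Python model of the Game Boy stack runs the routine's logic with and without the missing pop bc and reports where the CPU lands after ret. The modelled contract of IsInArray (carry set on a match with hl left at the entry, table terminated by $FF) is my reading of the disassembly and is an assumption; the table entries, type ids and addresses are constructed for the demonstration.

```python
"""Added illustration (not the wiki page's or pokecrystal's code): a tiny
model of the Game Boy stack that shows why the missing `pop bc` on the .nope
path turns a stack imbalance into a jump to the address held in bc."""

TABLE_END = 0xFF  # IsInArray stops at a -1 ($FF) byte (assumed from the disassembly)


class GBStack:
    """Minimal Game Boy stack: SP grows downward, 16-bit little-endian words."""

    def __init__(self, sp=0xDFFF):
        self.mem = {}
        self.sp = sp

    def push(self, word):
        self.sp -= 2
        self.mem[self.sp] = word & 0xFF
        self.mem[self.sp + 1] = (word >> 8) & 0xFF

    def pop(self):
        word = self.mem[self.sp] | (self.mem[self.sp + 1] << 8)
        self.sp += 2
        return word


def is_in_array(table, entry_size, value):
    """Model of IsInArray: scan entries of `entry_size` bytes until the $FF
    terminator. Returns (carry, offset): carry=True and the entry's offset on
    a match, carry=False otherwise. This contract is an assumption."""
    offset = 0
    while table[offset] != TABLE_END:
        if table[offset] == value:
            return True, offset
        offset += entry_size
    return False, None


def try_object_event(object_type, bc, return_addr, table, fixed):
    """Return the address the CPU ends up at when the routine finishes.

    `fixed=False` follows the buggy listing; `fixed=True` adds the `pop bc`
    on the .nope path.
    """
    stack = GBStack()
    stack.push(return_addr)  # `call TryObjectEvent` saved the caller's address
    stack.push(bc)           # push bc
    carry, offset = is_in_array(table, 3, object_type)  # ld de, 3 / call IsInArray
    if carry:                # jr nc, .nope is not taken
        stack.pop()          # pop bc: the stack is balanced again
        # inc hl / ld a, [hli] / ld h, [hl] / ld l, a: read the handler pointer
        handler = table[offset + 1] | (table[offset + 2] << 8)
        return handler       # jp hl
    # .nope
    if fixed:
        stack.pop()          # the pop bc the fix adds
    # xor a (a = 0, "not handled") then ret: ret pops whatever word is on top
    # of the stack and continues there. Unfixed, that word is the saved bc.
    return stack.pop()


# Constructed 3-byte entries (type id, pointer lo, pointer hi) plus terminator;
# the ids and addresses are made up for the demonstration.
EXAMPLE_TABLE = bytes([
    0x00, 0x34, 0x12,   # type 0 -> handler at $1234
    0x01, 0x78, 0x56,   # type 1 -> handler at $5678
    TABLE_END,
])
CALLER_RETURN = 0x4ABC  # constructed return address of TryObjectEvent's caller
SAVED_BC = 0xC0DE       # constructed value sitting in bc when the routine runs


def demo():
    """Compare where execution lands for a known and an unknown type."""
    return {
        "known type, unfixed": try_object_event(0x01, SAVED_BC, CALLER_RETURN, EXAMPLE_TABLE, fixed=False),
        "unknown type, unfixed": try_object_event(0x07, SAVED_BC, CALLER_RETURN, EXAMPLE_TABLE, fixed=False),
        "unknown type, fixed": try_object_event(0x07, SAVED_BC, CALLER_RETURN, EXAMPLE_TABLE, fixed=True),
    }


if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case:>22}: execution continues at ${addr:04X}")
```

Running the module prints three cases: a known type dispatches to its handler, an unknown type on the unfixed routine returns to $C0DE (the saved bc), and the same lookup with the extra pop bc returns to the caller at $4ABC. The point of the model is that ret has no notion of "the return address"; it simply pops the top word, so every push must be matched on every exit path.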

The following is the code that causes it, as documented in the Pokémon Crystal disassembly. The fix is to add a pop bc instruction on the .nope path so the stack is balanced before ret.

-; Bug: If IsInArray returns nc, data at bc will be executed as code.

	push bc
	ld de, 3
	ld hl, .pointers
	call IsInArray
	jr nc, .nope
	pop bc
	inc hl
	ld a, [hli]
	ld h, [hl]
	ld l, a
	jp hl
.nope

- ; pop bc + pop bc

	xor a
	ret
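Review bot: The .nope path needs the pop bc that the fused line "- ; pop bc + pop bc" turns from a comment into an instruction: the push bc at the top of the routine is only balanced on the found path (the pop bc before jp hl), so without it the ret at the end consumes the saved bc as the return address instead of the caller's, which is exactly what the removed "Bug:" comment describes. Place the pop bc directly after the .nope label and before xor a, so a is still zeroed as the routine's not-handled return value and the caller's return address is back on top of the stack when ret executes.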

More research is needed for this article.

Reason given: Might this be the cause of Burned Tower Silver wrong side glitch?



References