Type 0xD0 move glitch: Difference between revisions

← Older edit

Type 0xD0 move glitch (view source)

Revision as of 17:00, 29 March 2024

2,587 bytes added , 1 month ago

→‎Technical information: Reorganized the text a little.

VisualWikitext

WindyAndHikari

27

edits

Revision as of 20:33, 16 August 2017 (view source) >Torchickens No edit summary ← Older edit		Latest revision as of 17:00, 29 March 2024 (view source) WindyAndHikari (talk \| contribs) (→‎Technical information: Reorganized the text a little.)
(11 intermediate revisions by 6 users not shown)
Line 1: {{Major glitches}} [[File:Type 0xD0 summary.png\|thumb\|right\|160px\|Move 0x00 displaying type 0xD0. The many "9"s are a possible side effect of [[VRAM inaccessibility]].]] '''Type 0xD0 move glitch''', also known as '''Move 0x00 arbitrary code execution''' (not to be confused with [[- (Generation I move)]] arbitrary code execution in {{RB}}) is a glitch in at least English {{GS}} that allows the player to ~~execute~~perform [[arbitrary code execution]] without using the Coin Case. An advantage to this glitch over Coin Case glitch is that it may not corrupt the stack (similar to wrong pocket TM ACE which never corrupts the stack), however it requires move 0x00 which can only be obtained by trading a Pokémon with it over from Generation I (such as [[- (move)\|"-" move Ditto]] with the [[swapping Transform moves glitch]]), obtaining a [[bad clone]], or using another form of arbitrary code execution). This glitch has been used in any% speedruns of Pokémon Gold and Silver ([https://www.youtube.com/watch?v=3mI3Cdt4j24 see here]), and was researched by ~~Luckytyphlosion~~luckytyphlosion. ChickasaurusGL also adapted it for non-speedrunning uses. ==Summary== You can execute arbitrary code by moving in a specific way in Cherrygrove City (see ~~these~~ pictures ~~http://i.imgur.com/I0UjT7z.png~~below) and viewing move 0x00 from the move description menu in a Pokémon's summary provided the following requirements are met: [[File:Type 0xD0 path.png]] 1. You have exactly four Pokémon.▼ ▲1. #You have exactly four Pokémon. ~~1i)~~ #The first Pokémon has move 0x00 (e.g. a "CoolTrainer" Ditto). ~~1ii)~~ #The third Pokémon is a low level 'slide' Pokémon you caught in the wild (whether it will work is up to chance but if you find one that works it will always work, possibly the same one compatible for Coin Case ACE without bad DVs etc.) ~~1iii)~~ #To be safe have Pokémon 2 and 3 have the bird and tailed creature menu sprites and have no Pokémon hold an item except for Pokémon 4.▼ 2. #Pokémon 4 is a Quagsire with TM02 and Return as its first move (for box name ACE at D8C0 (box 1 character 2)) or a Quagsire with HP Up and Sleep Talk as its first move (for stored items ACE at D61A (second item quantity)).▼ ▲1iii) To be safe have Pokémon 2 and 3 have the bird and tailed creature menu sprites and have no Pokémon hold an item except for Pokémon 4. ▲2. Pokémon 4 is a Quagsire with TM02 and Return as its first move (for box name ACE at D8C0 (box 1 character 2)) or a Quagsire with HP Up and Sleep Talk as its first move (for stored items ACE at D61A (second item quantity)). Before you move one step up and four steps right from picture 3, save the game. Afterwards view Pokémon 1's moves from the move description menu and close it repeatedly until your code works. ~~Sometimes this will not execute arbitrary code. At times it is possible to get a flashing color 'disco' effect as well.~~ ==Example box name code== This box name code, ~~with~~conceptualized ~~many~~by ~~thanks~~Crystal_ ~~to Crystal_~~and ~~for~~optimized ~~the~~by ~~concept~~TimoVM, allows us to warp to the Bug-Catching Contest and obtain Celebi. The box names for that are as ~~such~~follows: <pre> ~~Box 1: Bp'vZ'vL55~~ Box 1: p 0 5 é ! 6 ? z Box 2: H é '~~r2p~~m 2 p '~~vA'vF~~v 6 5▼ Box 3: é~~!Ap~~ A 'v/t h 'v)d▼ </pre> ==Technical information==▼ ▲Box 2: é'r2p'vA'vF When viewing the party screen or the move screen, the game displays small Pokémon icons and animates them based on their current hit point values and status. While it is doing this, the game stores the animation data in a structure starting from address $C51C, which lies right beyond the end of screen tile data at $C508. The game can store and animate up to 10 sprites this way. In particular, the move screen only has a single animated sprite (the current Pokémon's icon in the top left of the screen). ▲Box 3: é!Ap'v/'v) An important field of the animation data structure is the ''animation type'', stored in address $C51E (wSpriteAnim1AnimSeqID) for the first animated sprite. This is used to index a jump table that is used to control the behavior of the animation. By overwriting this address with an invalid value, we can index this table out of bounds, potentially triggering ACE. ~~Box 4: é?2p'v5'vA~~ The glitch type 0xD0 (the type of move 0x00) can overwrite $C51E by overflowing the tile data when its name is printed on the move screen, if said name is long enough. The source of the type name is 0x8350 in VRAM, hence affected by what is or was displayed on the screen; in particular, the party screen may affect 0x8350 if you have enough Pokémon menu sprites and/or held items in the party{{fact}}. This also means that the name is susceptible to VRAM accessibility: if the game attempts to read a character while VRAM is inaccessible it will read value $FF and print a '9' instead of the expected character. This means that the effects of the glitch can differ depending on the exact timing of the name being printed on screen. ~~Box 5: 'vBéA'tp'vZ~~ Overall, it might be difficult to manipulate the data written to $C51E exactly. However, due to the structure of the code located right after the jump table, a reasonable amount of pointers will land in the vicinity of either the $C9xx region or the $E9xx region (echo RAM for the $C9xx region). For smaller maps, execution will safely slide until it reaches three regions: ~~Box 6: 'v[éx2~~ $CC20 contains wBGMapBuffer, which temporarily buffers newly inserted tile IDs. * $CC48 contains wBGMapPalBuffer, which temporarily buffers newly inserted tile palettes. * $CC70 contains wBGMapBufferPointers, which temporarily buffers VRAM addresses of newly inserted tiles. All three of these are affected by the movement pattern of the player. wBGMapBuffer and wBGMapPalBuffer do not contain much useful data, but can fairly easily be manipulated to allow execution to safely slide through, while wBGMapBufferPointers can be directly manipulated to jump to a small selection of possible addresses. ~~(x is the multiplication sign)~~ ▲==Technical information== Due to the specific movement pattern used, wBGMapBufferPointers starts with the byte sequence of DA 9B FA (jp c, FA9B, at $EC70), which causes the game to execute $FA9B (echo RAM for $DA9B). Move 0x00 has a glitch type, specifically glitch type 0xD0. The source of its glitch type is 0x8350 in VRAM, hence what is or what was on the screen will affect what the game brings up as a type name; possibly with what's on the Pokémon menu affecting 0x8350{{fact}}, as 0x8350 may be written to if you have enough Pokémon menu sprites and/or held items in the party. As $DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code.▼ When we have 'good' data at 0x8350 the name of the glitch type causes memory corruption, and by making the specific movements in Cherrygrove City/meeting the party requirements the game may start to execute arbitrary code on attempts, seemingly at random. The consistency of the glitch can be increased by having a specific player name consisting of a single kind of character (eg. "RRRRRRR"). When the game encounters a 0x52 control code character, it will print the player's name, filling a 7-byte range with the same value and increasing the odds of writing the desired value to $C51E. ~~If by chance the game executes E9F0 (Echo RAM for C9F0) then it will eventually come across jr c, EC68 (@EC2D) and jp c, FA9B (@EC70), which causes the game to execute FA9B (DA9B).~~ The effect pointers are sourced from DoSpriteAnimFrame.Jumptable ($23:5473 in EN G/S). This ROM bank contains several minor version differences, leading to some version-exclusive effect pointers. ▲As DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code. Here is the assembly code for the box name code to obtain Celebi: <pre> ~~xor a~~ AF xor a ; a = $00 ~~sub 99~~ F6 FB or $FB ; a = $FB, Celebi species ID ~~sub 8b~~ EA E7 FC ld [wContestMon],a ei E6 B9 and $B9 ; a = $B9 ei 50 ld d,b 87 add a, a ; a = $72 ~~ld (f8d3),a~~ EA D2 F8 ld [F8D2],a ~~xor a~~ AF xor a ; a = $00 ~~sub 80~~ D6 FC sub $FC ; a = $04 ~~sub 85~~ FB ei ~~ld d,b~~ 50 ld ~~(80e7)~~d,ab EA 72 D5 ld [wStatusFlags2],a ; located at $D8D2, $72 written by earlier code ~~xor a~~ A7 and a, a ; reset carry flag ~~sub f3~~ D0 ret nc ~~sub 9b~~ </pre> ~~ld d,b~~ ~~ld (f8e6),a~~ ~~xor a~~ ~~sub fb~~ ~~sub 80~~ ~~ld d,b~~ ~~sub 81~~ ~~ld (d580),a~~ ~~xor a~~ ~~sub 99~~ ~~ld d,b~~ ~~sub 9e~~ ~~ld (f8f1),a~~ ~~ld d,b~~ ~~ld d,b~~ ~~ld d,b~~ ~~ld d,b~~ ==YouTube video== Line 91 ⟶ 77: ==See also== *[~~http~~https://forums.glitchcity.info/index.php?topic=8000.0 Glitch City Laboratories Forums thread]