MrCheeze | Pokemon Gold Spaceworld 1997 Demo -- Arbitrary Code Execution! @MrCheeze | Uploaded May 2020 | Updated October 2024, 3 days ago.
This project was completed in Sept. 2018, but I sat on it at the time due to not having the motivation to make a proper explanation video back then. But with the Gold/Silver prototypes having renewed relevance recently, it seems like as good a time as any to release this as it exists.


The most important thing in ACE is of course the entrypoint. Given how limited the demo boundaries are, it wasn't easy to find one, but it exists. Whenever you take a held item from a Pokemon, the game runs some code to put it back in the bag. Which code runs depends on the pocket the item is assigned to. If you take an invalid item that has no pocket assigned, the game glitches and jumps to an address in RAM instead (address EA77 in echo RAM, to be specific). This is one key piece of the puzzle.
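To make the entrypoint concrete, here is an added toy model (not MrCheeze's code and not the demo's own ROM data) of a dispatch table indexed by an item's pocket number with and without a range check. The pocket count, the table entries and the bytes placed after the table are constructed for illustration; the point is only that an unchecked index past the end of a table turns whatever follows it into a jump target.

```c
/* Added example, not code from MrCheeze or from the Spaceworld demo: a toy
 * model of a dispatch table indexed by an item's pocket number without a
 * range check. The table contents, the bytes after it and the pocket count
 * are constructed for illustration and are not the demo's real ROM data. */
#include <stdint.h>
#include <stdio.h>

#define POCKET_COUNT 4          /* assumed number of valid pockets (toy value) */

/* Constructed "ROM" image: a 4-entry table of 16-bit little-endian handler
 * addresses, immediately followed by unrelated bytes (e.g. the next routine). */
static const uint8_t toy_rom[] = {
    0x00, 0x40,  /* pocket 0 -> handler at 0x4000 */
    0x20, 0x40,  /* pocket 1 -> handler at 0x4020 */
    0x40, 0x40,  /* pocket 2 -> handler at 0x4040 */
    0x60, 0x40,  /* pocket 3 -> handler at 0x4060 */
    0x21, 0xC0,  /* NOT a table entry: first bytes of whatever follows the table */
    0x12, 0x34,
};

/* Unchecked lookup: any pocket value indexes the table, so an invalid pocket
 * reads the bytes after it and yields an address the code never intended.
 * Returns -1 only when the toy would leave its own array. */
int dispatch_target_unchecked(int pocket) {
    unsigned off = (unsigned)pocket * 2;
    if (pocket < 0 || off + 1 >= sizeof toy_rom) return -1;
    return toy_rom[off] | (toy_rom[off + 1] << 8);
}

/* Checked lookup: rejects anything outside the table before indexing, which
 * is the one-line fix that removes this class of entrypoint. */
int dispatch_target_checked(int pocket) {
    if (pocket < 0 || pocket >= POCKET_COUNT) return -1;
    return dispatch_target_unchecked(pocket);
}

int main(void) {
    for (int p = 0; p < 6; p++)
        printf("pocket %d: unchecked -> 0x%04X, checked -> %d\n",
               p, dispatch_target_unchecked(p), dispatch_target_checked(p));
    return 0;
}
```

With a valid pocket both lookups agree; with pocket 4 the unchecked version hands back 0xC021, a value assembled from bytes that were never meant to be an address, while the checked version refuses.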


The other key piece is the select glitch, which is documented on GlitchCity: glitchcity.info/wiki/Select_glitches_(Gold/Silver_Nintendo_Space_World_1997_demo)
Basically, if you have N items in your bag, it's possible to swap any Pokemon in your party with Pokemon slots up to #N. If N is more than 6, this lets you corrupt parts of memory beyond the party data. With a well-chosen set of swaps, it's possible to use this to copy an ACE payload near EA77.
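The following is an added toy model (not MrCheeze's code and not the demo's real memory layout) of exactly that condition: a party-swap routine that bounds the slot index by the bag's item count instead of the party size, placed beside the version that checks against the party size. RAM size, bytes per entry and the fill patterns are assumptions chosen so that a misplaced copy is easy to see.

```c
/* Added example, not MrCheeze's code or the demo's own: a toy model of the
 * "select glitch" as the description states it, a party swap whose slot
 * index is bounded by the bag's item count rather than by the party size.
 * RAM size, entry size and the byte patterns are assumptions for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PARTY_SLOTS 6        /* real party capacity */
#define ENTRY_BYTES 8        /* assumed bytes per party entry (toy value) */
#define PARTY_OFF   0        /* party data sits at the start of the toy RAM */
#define RAM_SIZE    256      /* toy RAM: party data followed by unrelated data */

struct toy_ram { uint8_t b[RAM_SIZE]; };

/* Fill party entries with 0x10.. and everything after with 0xA0.. so a
 * copy that lands outside the party stands out. */
void toy_ram_init(struct toy_ram *r) {
    for (int i = 0; i < RAM_SIZE; i++)
        r->b[i] = (i < PARTY_SLOTS * ENTRY_BYTES) ? (uint8_t)(0x10 + i)
                                                   : (uint8_t)(0xA0 + (i & 0x3F));
}

/* Exchange two ENTRY_BYTES-sized records at the given RAM offsets. */
static void swap_entries(struct toy_ram *r, unsigned oa, unsigned ob) {
    uint8_t tmp[ENTRY_BYTES];
    memcpy(tmp, r->b + oa, ENTRY_BYTES);
    memcpy(r->b + oa, r->b + ob, ENTRY_BYTES);
    memcpy(r->b + ob, tmp, ENTRY_BYTES);
}

/* Glitched behaviour: slots 1..item_count are accepted, so with more than six
 * items a swap reaches past the party into whatever follows it. Returns 0 on
 * a performed swap, -1 if rejected or if the toy would leave its own array. */
int swap_glitched(struct toy_ram *r, int item_count, int a, int b) {
    if (a < 1 || b < 1 || a > item_count || b > item_count) return -1;
    unsigned oa = PARTY_OFF + (unsigned)(a - 1) * ENTRY_BYTES;
    unsigned ob = PARTY_OFF + (unsigned)(b - 1) * ENTRY_BYTES;
    if (oa + ENTRY_BYTES > RAM_SIZE || ob + ENTRY_BYTES > RAM_SIZE) return -1;
    swap_entries(r, oa, ob);
    return 0;
}

/* Fixed behaviour: the slot index is checked against the party size, so the
 * item count no longer has any bearing on which memory a swap can touch. */
int swap_checked(struct toy_ram *r, int a, int b) {
    if (a < 1 || b < 1 || a > PARTY_SLOTS || b > PARTY_SLOTS) return -1;
    swap_entries(r, PARTY_OFF + (unsigned)(a - 1) * ENTRY_BYTES,
                    PARTY_OFF + (unsigned)(b - 1) * ENTRY_BYTES);
    return 0;
}

/* Count bytes outside the party region that differ from a pristine image;
 * any nonzero result means a swap corrupted non-party memory. */
int bytes_corrupted_outside_party(const struct toy_ram *r) {
    struct toy_ram clean;
    toy_ram_init(&clean);
    int n = 0;
    for (int i = PARTY_SLOTS * ENTRY_BYTES; i < RAM_SIZE; i++)
        if (r->b[i] != clean.b[i]) n++;
    return n;
}

/* Scenario: with item_count items, try the glitched swap of slot 7 with slot 2.
 * Returns -1 if the swap is refused, else the number of non-party bytes changed. */
int demo_glitch_corruption(int item_count) {
    struct toy_ram r;
    toy_ram_init(&r);
    if (swap_glitched(&r, item_count, 7, 2) != 0) return -1;
    return bytes_corrupted_outside_party(&r);
}

/* Same attempt against the checked routine: it never reaches past the party. */
int demo_checked_attempt(void) {
    struct toy_ram r;
    toy_ram_init(&r);
    return swap_checked(&r, 7, 2);
}

int main(void) {
    printf("5 items, swap 7-2 (glitched): %d\n", demo_glitch_corruption(5));
    printf("7 items, swap 7-2 (glitched): %d non-party bytes changed\n",
           demo_glitch_corruption(7));
    printf("swap 7-2 (checked): %d\n", demo_checked_attempt());
    return 0;
}
```

With five items the glitched routine refuses slot 7, matching the description's statement that slots only up to #N are reachable; with seven items the same swap moves one whole entry's worth of bytes out of, and foreign bytes into, the party region. The checked routine refuses regardless of item count.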


The overall route, then, goes like this:
- Start the demo. You will have 5 items to begin with. You will also be randomly assigned a starter: if it's grass or water you can continue, but reset if it's the fire starter.
- Catch a Girafarig with a held Apple. (Note that it only has a chance of carrying an Apple in the Gold non-debug build, which is the most recently updated of the four '97 builds.)
- Name the Girafarig C1 9E, which happens to correspond to the Pokedex number of Twinz and the item number of Mail.
- Do some overworld movement to set address EB74 to D0 and EB26 to 30.
- Take this Apple and the Berry from your starter to get seven items.


- Execute a series of Pokemon swaps with the select glitch: (3-1, 7-2, 7-2, 7-1, 7-1, 7-1, 7-1, take item, 8-2, 3-1)
The effect of these swaps is to reinterpret party data in various ways and accomplish the following:
1) Partway through, a Mail item will be held by one of the Pokemon; we take it for later.
2) At the end, your second Pokemon will be a Twinz, and its held item will be an invalid item. (Which invalid item depends on whether we had the grass or water starter; both will work.)

- Open the trainer card to set addresses EB5E-EB61 to opcodes that don't crash.
- Open Twinz's move list to set EB5B to C1 and EB5C to 02.

The above set of RAM setup steps actually places a very tiny ACE payload in RAM in the region near EA77. Next, take Twinz's invalid held item, and this code will execute. Its only effect is to change the number of items in your bag from eight to a very large number (0x77) and then return without crashing. Notably, this code also does not actually take the item away from Twinz, so we still have our entrypoint available to run more ACE later. More importantly, our newly expanded pack size means that the select glitch will now let us reach and corrupt a vastly larger area of memory.


- Use the Mail item you obtained earlier, and enter any message. Whatever you enter is what will finally be executed as our ACE payload at the end of all this. Because my video is a TAS, I chose to write a bootstrap program for reading controller inputs. If trying to achieve RTA ACE, which is not difficult, you may prefer to come up with some other final payload.
- Give the mail to your starter pokemon.
- Use the select glitch to swap your starter with a Pokemon far out of bounds, specifically Pokemon slot 0x67. The effect of this is to copy the Mail text data to address EA80, which is conveniently right where our entrypoint takes us.
- Take the invalid item from Twinz again to trigger the full ACE payload from the mail. Depending on your payload, this is Mission Accomplished! In my case, though, the payload is a bootstrap that I use to construct a still larger payload, which provides the game a mock "ending" that Game Freak wouldn't program into the game for at least another year. :)




Although the video uses TAS levels of optimization, everything shown here is fully RTA viable. If you could send a note 23 years in the past to a kid in Japan, and nobody took the controller away from them once the screen started getting glitchy, you could really have some fun with the people back then. For perspective, this is a year before any of the Pokemon games or anime were even seen in the west.





Source for my payload:
github.com/MrCheeze/pokespaceworld-ace

Since it's been two years, I'll also relink the two videos this was following up on:
youtube.com/watch?v=qTfBpRrB37Q
youtube.com/watch?v=5Qop9TlZs2g