Part 9: The Power of a REALLY Big Party

During the early stages of development of Poké Transporter GB, I remembered a video by MrCheeze that I had seen a few years prior called “Creating a "virus" for Pokemon Red and Blue (self replicating save file!!)”. In the video, MrCheeze uses an Arbitrary Code Execution exploit through the Game Boy Link Cable to run custom code (also transmitted through the Link Cable) in order to duplicate a save file. This ACE exploit, more specifically known as Remote Code Execution, is extremely powerful and allows the user to run Assembly instructions on a completely unmodified English copy of Pokémon Red or Blue with no prerequisites. This exploit was exactly what I needed in order to fully implement a transfer protocol like the one in Poké Transporter. I knew that I wanted to implement this early on, but I put it on the back burner due to its complexity.

Early this year I finally started to look into the Remote Code Execution exploit used in MrCheeze’s video. Fortunately, MrCheeze documented how the exploit worked on his GitHub. The exploit was originally discovered by vaguilar, although their website is no longer online. Thankfully, a backup of it is still on the Wayback Machine. The exploit was discovered in 2015, and abuses the function that draws the Pokémon names on the drawing screen. By having a ‘party’ of 352 Pokémon with internal ID 0xE3, followed by a Pokémon with an internal ID of 0xFC, we can corrupt the stack and send our Program Counter to read trade data as code. From there, we can upload our own code that we wish to run.

In the FAQ of MrCheeze’s GitHub, the following question is asked:

Can you do this on Yellow/Gold/Silver/Crystal/other languages?

to which he replies:

It's possible, but you can't use the same file used here.

This intrigued me, as the current exploit makes use of glitch Pokémon names that are specific to the English release of Red and Blue. I emailed MrCheeze, asking if he was aware of a different exploit, and began to experiment in the meantime. I started by looking at the second generation of Pokémon, as there are no glitch Pokémon in those games at all. After some time, I realized that, unlike generation one, there was no cap to how many characters the print name function would write to the screen. This meant that I could perform a similar exploit, but I actually had more control over where my code jumped to. When MrCheeze got back to me, they mentioned that they had found the same exploit a few years ago but never documented it, and congratulated me on having the same independent discovery. Confident that I was able to execute code in both generation one and generation two, I began looking at the actual code I would need to send over the Link Cable. But more on that soon!
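The two paragraphs above describe the same bug class from two angles: in generation one the name-drawing routine copies a bounded number of characters per name, so it takes an oversized party (352 entries) to push the copy past the screen area into the stack, while in generation two the copy only stops at the terminator, so a single long name decides how far the write reaches. The toy model below is an added illustration and is not code from the post, from MrCheeze's repository or from the games: the memory map, the addresses, the name table, the terminator byte and the party limit are all constructed for the example. It shows how the presence or absence of a per-name cap changes how much input is needed to reach the saved return address, and what the two checks a hardened routine would carry (a party-count limit and a stop at the edge of the drawing area) look like.

```python
"""Toy model of a name-drawing routine that can run past its screen area.

Added example: nothing here is the real Game Boy memory layout, routine,
tile encoding or address. All constants are constructed for illustration.
"""

TERMINATOR = 0x50          # constructed end-of-name byte
MEM_SIZE = 256             # constructed flat memory image
SCREEN_START = 0x00        # constructed: where names are drawn
SCREEN_END = 0x80          # constructed: first byte past the drawing area
SAVED_PC = 0xC0            # constructed: a saved return address on the stack
SAVED_PC_VALUE = b"\x12\x34"
PARTY_MAX = 6              # a party is supposed to hold at most six entries

NAME_TABLE = {
    0x01: b"BULBASAUR" + bytes([TERMINATOR]),
    # constructed stand-in for a glitch species whose "name" is a long run of
    # bytes with no terminator for a long stretch
    0xE3: bytes([0x99]) * 200 + bytes([TERMINATOR]),
}


def draw_party_names(party, per_name_cap=None, bounded=False):
    """Copy each party member's name into the memory image.

    per_name_cap=None models a copy loop that stops only at the terminator
    (the generation-two situation described above); an integer models a
    routine that stops after that many characters (generation one).
    bounded=True adds the checks a hardened routine would carry: reject an
    oversized party and never write past the end of the drawing area.
    Returns (memory image, address after the last byte written).
    """
    if bounded and len(party) > PARTY_MAX:
        raise ValueError(f"party of {len(party)} exceeds PARTY_MAX={PARTY_MAX}")
    mem = bytearray(MEM_SIZE)
    mem[SAVED_PC:SAVED_PC + 2] = SAVED_PC_VALUE
    limit = SCREEN_END if bounded else MEM_SIZE
    cursor = SCREEN_START
    for species in party:
        for i, byte in enumerate(NAME_TABLE[species]):
            if byte == TERMINATOR:
                break
            if per_name_cap is not None and i >= per_name_cap:
                break
            if cursor >= limit:
                # unbounded routine: we only hit this at the end of memory;
                # bounded routine: we refuse to leave the drawing area
                return mem, cursor
            mem[cursor] = byte
            cursor += 1
    return mem, cursor


def saved_pc_clobbered(mem):
    """True if the copy ran past the drawing area over the saved return address."""
    return bytes(mem[SAVED_PC:SAVED_PC + 2]) != SAVED_PC_VALUE


if __name__ == "__main__":
    # No per-name cap: one long name is enough to reach the saved PC.
    mem, end = draw_party_names([0xE3])
    print("no cap, one name  -> clobbered:", saved_pc_clobbered(mem), "end:", end)
    # Per-name cap of 10: one name is harmless, an oversized party is not.
    mem, end = draw_party_names([0xE3], per_name_cap=10)
    print("cap 10, one name  -> clobbered:", saved_pc_clobbered(mem), "end:", end)
    mem, end = draw_party_names([0xE3] * 352, per_name_cap=10)
    print("cap 10, 352 names -> clobbered:", saved_pc_clobbered(mem), "end:", end)
    # Hardened routine: the write stops at the screen edge and a huge party
    # is rejected before anything is drawn.
    mem, end = draw_party_names([0xE3], bounded=True)
    print("bounded, one name -> clobbered:", saved_pc_clobbered(mem), "end:", end)
```

The interesting comparison is the first three runs: with no cap the 200-byte name alone overwrites the saved return address, with a cap of 10 the same name stops after ten bytes and only the 352-entry party gets there. The bounded variant shows that either check on its own closes the path used here: limiting the party count removes the generation-one route, and stopping at the screen edge removes the long-name route regardless of how many entries the party holds.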

An immense thank you to MrCheeze for being so kind and supportive during this project. I remember learning about their discoveries in the Arbitrary Code Execution scene while I was a kid, so to be able to talk to them and independently discover something that they discovered was very rewarding.
