Tux

Member
  • Content Count: 54
  • Joined
  • Last visited
Community Reputation

12 Good

1 Follower

About Tux

  • Rank
    Member
  • Birthday 09/06/1997

  1. Holy sh*t ... I've not been there for a month. Kudos for releasing this @StarsMmd
  2. Why is compression size an issue? Be careful as you'll need to move all branches since they are absolute.
  3. It's only debugging info iirc. Pokémon has a debugging menu disabled on retail. I've made a code to make it appear a while ago, but it was PAL only and doesn't work on latest Dolphin releases. Basically it just displays timers, currently running functions on each task with the lines, and the free stack space for each task.
  4. Sorry for not responding ^^' I haven't done any research on it for some time; however I've identified some other classes (Shadow Pokémon handling, party handling), but the problem is that I'm missing the significance of many of their methods... feel free to PR though. It's debugging information, and it's most likely a remnant of a higher-level language being assembled.
  5. Someone else got a corrupted PMD EoS save file, for some unknown reason. I mean, TWLSaveTool reads the 128KB eeprom's contents like it does for any other kind of eeprom. Anyways, that's good news.
  6. I've been doing some research about PBR since yesterday, and found some really interesting stuff. The save file, whose location is "nand:/title/00010000/52504250/data/GeniusPbr/PbrSaveData", is made of two contiguous "save slots" ("current" and "backup"), each one being 0x1c0000 bytes in size. It turns out that they are encrypted the same way save slots are. The encryption/decryption/checksum calculation routines can be found here. Without further ado, here is what I know about the various structures. Save slots (0x1c0000 bytes):
      /* struct SaveSlot (size = 0x1c0000) */
      0x00: u16 encryptio
  7. You need to download BOTH archives (the one that is ~300KB and the ~15MB one) and extract them in the same folder.
  8. I assumed you wanted to play backup games, sorry. But, still, $60 for a single game you may not play much is a lot ... Have you got a friend who has an exploited 3DS and a cartridge of OOT? If so, you can install the corresponding exploit (although it's a bit tricky ...)
  9. Done, I've added "--display-code-offsets".
  10. I made a tool exploiting this vulnerability: http://www.mediafire.com/download/10xm5gjb8yo299s/pkmgchax.zip (all NTSC-U/PAL versions supported, tested on PAL; I'm lacking the address of in-battle Pokémon for Japanese versions). You need to copy your save file under the name "save.gci", and the code you want to be executed upon entering a Pokémon battle (NOTE: its location in RAM may only be known at runtime) under the name "payload.bin", in the same folder as the executable.
  11. Looks like there is a buffer overflow vulnerability in the implementation of the script version of printf:
      ROM:801BE670 # int __fastcall scriptPrintf(void *format, void *args)
      ROM:801BE670 scriptPrintf:      # CODE XREF: scriptStdFunctions2Handler+270p
      ROM:801BE670
      ROM:801BE670 .set var_12C, -0x12C
      ROM:801BE670 .set sprintf_buffer, -0x128
      ROM:801BE670 .set var_28, -0x28
      ROM:801BE670 .set var_1C, -0x1C
      ROM:801BE670 .set lr, 4
      ROM:801BE670
      ROM:801BE670 stwu r1, -0x130(r1)
      ROM:801BE674 mflr r0
      ROM:801BE678 stw
  12. tl;dr: So, it is basically possible to run arbitrary code on Pokémon Colosseum and , provided you can load modified save files. (even if it's actually useless ...) How it works: On Pokémon Colosseum and , text, and especially Pokémon names, is stored as UTF-16 null-terminated strings (well, not UTF-16 exactly, but almost). When sending a Pokémon in battle, the game copies its name to a stack-allocated buffer, without proper bounds checking.
      # Pokémon , PAL
      ROM:8023B034 # =============== S U B R O U T I N E =======================================
      ROM:8023B034
      ROM:8023B034
      ROM:8023B034 sub_