Welcome to Sn1 Security

Game Boy Pokémon Red Hacking

Intro

A few years ago (7, to be exact), I was playing around with a buffer overflow in Pokémon Red for the Game Boy (the game was released in 1996). The overflow occurs when two Game Boys are connected with a link cable, the mechanism used to trade Pokémon between players.

In this post I want to talk about how I abused this overflow to “install programs” into a Pokémon game, programs that survive restarts and can be run and used during normal game-play. When I initially did this, I uploaded the code to GitHub without much explanation; hopefully this post gives the missing details for anyone interested.

Word of warning: this post skims over the technical details, and if you have never played Pokémon you may have a hard time following.

Pokémon dictionary

Term              Description
Pokémon party     Up to 6 Pokémon that the player walks around with
Pokémon storage   Storage system holding 240 Pokémon, split into 12 “boxes” of 20 Pokémon each
Daycare           Place to leave a single Pokémon, which gains levels during game-play
Glitch item       Item not supposed to exist in-game; behaves glitchily
Pokédex           In-game tracking of all the Pokémon the player has seen

Pictures of final in-game usage.

Let's start with a few screenshots of what it looks like to use one of the “installed programs”.

List of “installed programs”, stored as Pokémon in Box No. 1
Using the magical 7A item, which launches 7ARunner
The 7ARunner program lists the usable programs

The FillDex program fills the player's Pokédex.

The player's Pokédex has been filled.

Now on to how this was achieved.

Background

I will not focus on the initial buffer-overflow vulnerability itself; the details are well explained by vaguilar.

The summary is that, when trading, we can send more than the maximum of 6 Pokémon and start writing outside the display buffer. One small constraint makes the exploit a bit more interesting: we can only write hard-coded Pokémon names outside the buffer, so the payload has to be assembled from the bytes those names contain. In the end this gives us a payload of 198 bytes.

Installing and running programs

The following sections describe how this vulnerability was leveraged to “install programs” that can be used in-game, for example to magically generate items for the player.

Two things are needed:

  1. We need a location to store our programs
  2. We need a way to execute the programs

Storage

The obvious choice for where to store our programs was within Pokémon themselves. The game is built around the player collecting all the Pokémon, and has a storage system for them along with their player-chosen nicknames.

Using this storage system we can reuse the 11-byte Pokémon nickname field for program names and the 32-byte Pokémon data field for the code. Programs are stored in a well-defined structure without risk of corruption, and players can even delete programs using the game's built-in support for releasing Pokémon.

Running

This step is slightly trickier: we need to build an environment where the player can run our programs without having to connect a link cable and re-run the exploit every time.

Glitch items to the rescue! When a player uses an item, the game executes the function at ItemUsePtrTable[usedItemID]. Some item IDs (those between 0x53 and 0xC4) are glitch items. Since ItemUsePtrTable only has 0x53 entries, using one of these items reads a “pointer” from whatever bytes happen to follow the table and jumps to wherever it points.

One famous glitch item is 0x5D, which jumps to the location storing your Pokémon party data. You can then arrange your party so that its stored bytes form valid instructions for the Game Boy CPU (a Z80-like core). The major drawback is that you can't play the game normally, since you are locked into having specific Pokémon with specific stats.

Luckily I found another glitch item, 0x7A, which happens to execute the bytes within the daycare Pokémon's data. This lets us plant a jump to our program location within the Pokémon storage, and the only restriction on game-play is that the in-game daycare can no longer be used.

Flow summary

  1. Connect a link cable and use the trade overflow to execute arbitrary code
  2. Execute a program that allows arbitrary read & write over the link cable
  3. Modify the game state:
    • The player has the 0x7A item in their inventory
    • The daycare Pokémon's data jumps to the first stored Pokémon
    • The first stored Pokémon is the “program chooser” program (named 7ARunner)
    • The second to N-th stored Pokémon are programs
  4. Play the game with the new features
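To make the storage layout and the 0x7A trampoline concrete, here is an added example of my own (it is not the author's GitHub code and not pokered's). It lays out programs as box Pokémon (nickname field for the name, data field for the code), builds the jump that the daycare data has to contain so that using 0x7A lands on the first stored Pokémon, and models why item IDs past the end of ItemUsePtrTable dispatch to whatever follows the table. The assumptions are labelled in the code: each stored Pokémon is modelled as a species byte followed by the 32 code bytes, nicknames use the Gen I text encoding with a 0x50 terminator, the table is indexed by (item_id - 1) * 2 with little-endian pointers, the table contents are constructed, and 0xDA96 for the current box's Pokémon data is taken from the pokered disassembly from memory and should be checked against its symbol file.

```python
"""Added example (mine, not the author's code): program storage as box
Pokémon, the 0x7A trampoline, and out-of-table ItemUsePtrTable dispatch.

Assumptions: a stored Pokémon's data = 1 species byte + 32 code bytes so
the entry still lists as a normal Pokémon; nicknames are 11 bytes (up to 10
chars + 0x50 terminator, 0x50 padded) in the Gen I text encoding;
ItemUsePtrTable index = (item_id - 1) * 2, little-endian pointers; table
address/contents are constructed; BOX_MONS is from pokered, from memory.
"""
from dataclasses import dataclass

TERMINATOR = 0x50          # Gen I string terminator
NICK_LEN = 11
CODE_LEN = 32
ENTRY_LEN = 1 + CODE_LEN   # species byte + code
BOX_SLOTS = 20
TABLE_ENTRIES = 0x53       # real entries in ItemUsePtrTable
BOX_MONS = 0xDA96          # assumed address of the current box's Pokémon data

# Game Boy CPU (Sharp SM83, Z80-like) encodings for the instructions used here.
def asm_nop():           return b"\x00"
def asm_ret():           return b"\xC9"
def asm_jp(addr):        return bytes([0xC3, addr & 0xFF, addr >> 8])
def asm_ld_a_imm(n):     return bytes([0x3E, n & 0xFF])
def asm_ld_mem_a(addr):  return bytes([0xEA, addr & 0xFF, addr >> 8])

def encode_text(s):
    """Gen I text encoding (assumed ranges): A-Z 0x80.., a-z 0xA0.., 0-9 0xF6.."""
    out = bytearray()
    for ch in s:
        if "A" <= ch <= "Z":
            out.append(0x80 + ord(ch) - ord("A"))
        elif "a" <= ch <= "z":
            out.append(0xA0 + ord(ch) - ord("a"))
        elif "0" <= ch <= "9":
            out.append(0xF6 + ord(ch) - ord("0"))
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return bytes(out)

def nickname_field(name):
    """11-byte nickname field: text, then 0x50 terminator padding."""
    enc = encode_text(name)
    if len(enc) > NICK_LEN - 1:
        raise ValueError("nickname too long for the field")
    return enc + bytes([TERMINATOR]) * (NICK_LEN - len(enc))

def code_field(code):
    """Pad a program to the 32-byte data field with NOPs; refuse oversized code."""
    if len(code) > CODE_LEN:
        raise ValueError(f"program is {len(code)} bytes, field holds {CODE_LEN}")
    return code + asm_nop() * (CODE_LEN - len(code))

@dataclass
class Program:
    name: str
    code: bytes
    species: int = 0x99    # Bulbasaur's internal index: lists as a normal Pokémon

def slot_code_address(slot, box_mons=BOX_MONS):
    """Address of a slot's code bytes: entry start + 1 to skip the species byte."""
    return box_mons + slot * ENTRY_LEN + 1

def write_byte_program(addr, value):
    """A minimal program: store one byte at addr, then return to the runner."""
    return asm_ld_a_imm(value) + asm_ld_mem_a(addr) + asm_ret()

def build_box(programs, box_mons=BOX_MONS):
    """Lay out programs in box slots (runner first). Returns (entries, nicknames)."""
    if len(programs) > BOX_SLOTS:
        raise ValueError("a box holds 20 Pokémon")
    entries = b"".join(bytes([p.species]) + code_field(p.code) for p in programs)
    nicks = b"".join(nickname_field(p.name) for p in programs)
    return entries, nicks

def daycare_trampoline(box_mons=BOX_MONS, field_len=NICK_LEN):
    """Bytes planted where item 0x7A starts executing: jp to slot 0 (the runner)."""
    jp = asm_jp(slot_code_address(0, box_mons))
    return jp + asm_nop() * (field_len - len(jp))

def item_use_target(mem, table_addr, item_id):
    """Pointer the game follows for item_id; glitch IDs read past the table."""
    off = table_addr + (item_id - 1) * 2
    target = mem[off] | (mem[off + 1] << 8)
    return target, item_id > TABLE_ENTRIES

def constructed_rom(table_addr=0x4000):
    """Constructed image: 0x53 real entries pointing at 0x1234, then 0xEE filler."""
    mem = bytearray(0x10000)
    for i in range(TABLE_ENTRIES):
        mem[table_addr + 2 * i] = 0x34
        mem[table_addr + 2 * i + 1] = 0x12
    end = table_addr + 2 * TABLE_ENTRIES
    mem[end:end + 0x100] = b"\xEE" * 0x100
    return mem

if __name__ == "__main__":
    runner = Program("7ARunner", asm_ret())                       # stand-in for the real runner
    setflag = Program("SetFlag", write_byte_program(0xC000, 0xFF))  # placeholder address
    entries, nicks = build_box([runner, setflag])
    print("daycare trampoline:", daycare_trampoline().hex())
    print("SetFlag code lives at", hex(slot_code_address(1)))
    rom = constructed_rom()
    print("item 0x01 ->", item_use_target(rom, 0x4000, 0x01))
    print("item 0x7A ->", item_use_target(rom, 0x4000, 0x7A))
```

The two checks worth keeping from this when adapting it to a real save are the size refusals: a program that overflows its 32-byte field would spill into the next entry's species byte, and a nickname longer than 10 characters would lose its terminator and corrupt the box listing.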

Final notes

The reason I like this small demo, and feel it is worth reiterating, is that even with multiple clear vulnerabilities it may still take a bit of luck for all the stars to align so that they can be abused together.

As said, this was done many years ago, but the code is available here and was tested to work last year. Doing this on a real Game Boy only requires cutting up a link cable and hooking it up to a Raspberry Pi.