Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 75304 times)

TheZZAZZGlitch

Arbitrary code execution in Red/Blue using the "8F" item
« on: April 25, 2013, 07:57:48 AM »
Newcomers: I highly recommend you read beyond this thread's first post. Thanks to the later posts you will learn how to do the described glitch on Yellow, Japanese Red/Green/Yellow or other international releases, and you'll find many different item lists for performing different tasks.

WHAT'S 8F?

8F is a Red/Blue equivalent of JP Red/Green's 5かい - an item executing machine code starting from $D163 (Number of Pokemon) upon use. Its hex identifier is 0x5D, despite its hex-like name. 8F is treated by the game as a key item and it can't be tossed away or sold in the mart.

As address $D163 contains re-writeable data, it is possible to redirect the instruction pointer to the item list with relative jumps and easily run arbitrary code just by spelling the opcodes with items. With enough items, one could also make a program that reads key input continuously, writes it somewhere in the RAM and jumps to it after a while, making it possible to even run your own homebrew software (jailbreaking the Game Boy, lolz).

HOW TO OBTAIN IT:

OBTAINING 8F USING ITEM COUNTER UNDERFLOW GLITCH:

PREREQUISITES:

 - Access to any event that removes an item from your inventory (Saffron guards, handing out a fossil in Cinnabar Lab, giving Gold Teeth to the Warden etc.)
 - The following item list:
   Any item x[Any qty]
   X Special x255
   Item you need to give away x1

EXECUTION:

1. Toss the first item. It should change to X Special x255
2. Continue tossing the first item until the item menu "stops responding"
3. Trigger an event that removes the item from your inventory
4. Now, you should have 255 items with you. Go to the eastmost corner of Celadon City:



5. Toss 254 of your X Specials. Then swap the 'X Special x1' with 'Nugget x1' (35th item)
6. Try walking to the right - the map should now loop back to the left side of Celadon City. The amount of steps you take to the right determines the item you will get, so position yourself properly to obtain 8F. Swap it with the first item, then fly back to Celadon.
7. Store one of your newly acquired glitch items into the PC. Then buy any 3 items to bring your inventory back to normal.

A video of this method (makes it a lot easier to understand): http://www.youtube.com/watch?v=98_azamLeh4

OBTAINING 8F USING INVALID ENCOUNTER FLAGS (OBSOLETE):

PREREQUISITES:

 - A Ditto with a Cooltrainer move, nicknamed "R:u"
 - At least 1 Escape Rope
 - Good Rod on your 4th item slot
 - Exactly 10 Pokemon in your current box (this tremendously increases the chances of Cooltrainer move working properly)
 - Preferably a Bicycle, to make things a little bit faster.

EXECUTION:

1. Heal your Pokemon in Fuchsia City's Pokemon Center.
2. Do the Safari Zone walk through walls glitch, with only Ditto in your party.
3. After you appear back at the Fuchsia City's Center with noclip activated, walk exactly:
 a) 19 steps west
 b) 28 steps north
 c) 1 step west
 d) 29 steps north
 e) 11 steps east
4. Open your Pokemon menu and close it (important). You may want to use bicycle now to travel faster - you won't be able to do this later.
5. Go 11 steps west and keep walking south until you find yourself back on Route 18. Do not open your Start menu from now on.
6. Walk/bike to Seafoam Islands and enter the cave.
7. Encounter a wild Pokemon, and continuously try to use the Cooltrainer move. If it does not work after about 15 tries, quit the battle and start a new one. Do not open your Pokemon menu, Item menu or Start menu at all!
8. Eventually, the music will fade out, the move typing will become blank, and name of the opponent will get changed. Catch the resulting Pokemon - the game will state you caught a "98", and your Good Rod will turn into an 8F.
9. Use an Escape Rope, as there's a slight chance the game will crash after exiting the cave normally.

OBTAINING 8F WITH A CORRUPTED ITEM PACK (OBSOLETE):

This method is not recommended - it has a lot of side effects and is terribly complicated. Use it only when the encounter flag method does not seem to work for you.

PREREQUISITES:

 - A Pokemon on the first slot meeting very specific requirements:
    > It needs to have a Super Glitch as a 4th move
    > Its three moves besides the Super Glitch have to contain 25 characters in total
    > One of its three moves needs to be 4 characters long
    > This Pokemon needs to be able to learn Mega Kick through TM05
    An example: ゥL ||ゥM 4 (hex C6) with moves Body Slam, TM50, Quick Attack, [Super Glitch]
 - Any Pokemon on the second slot you don't care about, nicknamed "cccccccc". It will be gone in the process, so don't use your L100 Charizard.
 - A Pokemon on the third slot knowing Fly.
 - Exactly 3 useless items in your Bag. They will get destroyed again, so don't pick anything important.
 - TM05 (Mega Kick), deposited in the PC
 - At least one free space in the PC to store your obtained 8F
 - An empty Pokemon box currently selected, most likely box 12

SIDE EFFECTS:

Sadly, those side effects are actually quite annoying. But also, happily enough, one can fix them with 8F's arbitrary code execution.

1. Your player name will become blank (the game will save just fine though). However, with 8F's arbitrary code execution capabilities, one can change his name back to something nice.
2. Lower 5 Pokedex bytes will become corrupted, displaying some yet unseen species as caught. There's no easy way to fix this, but it's not a big deal unless you care about your Pokedex progression.
3. Your Pokemon box may get to a state where trying to release the glitch Pokemon inside will crash the game. This side effect does not happen every time, but if it does, again, this can be fixed with 8F's arbitrary code execution.

EXECUTION:

The process is a little bit complicated, but after around 15 minutes of hard work, you should be able to claim your own 8F without a cheating device.

1. Go to the exact spot shown on the screenshot below (second to last house on Celadon's south-east). Open and immediately close your Pokemon menu while still standing on that spot.



2. Go into a patch of grass and encounter a wild Pokemon. Do not open your start menu while going there.
3. Open and close your fight menu a few times, then run from the battle.
4. Open your Start menu. Your name should be glitched. If it isn't, repeat step 3.
5. Now you should have 16 Pokemon. Go to the Celadon's Pokemon Center and talk to Nurse Joy, but don't heal.
6. Go to the exact spot shown on the screenshot below:



7. Open up your Pokemon menu, swap the 2nd Pokemon with the 10th.
8. Now your item pack should have 162 items, with the first item being "RIVAL's" and the second being Ether.
9. If you have more than 1 Ether on the second position, toss them so only 1 remains.
10. Swap the Ether (2nd item) with the 35th one (for this location this should be a Nugget)
11. Try walking to the right - the map should now loop back to the left side of Celadon City.
12. Keep walking to the right until you find the spot below:



13. Open your item pack here - the Ether should turn into 8F. Switch it back with the second item to keep it.
14. Fly away to any town. Go to the Pokemon Center.
15. Store one of your 8Fs in the PC. 8F is treated like a key item and depositing more than one will clutter your PC.
16. (Optional) You can also deposit "RIVAL's" into the PC to get 2 glitch items for the price of one.
17. Swap the 10th Pokemon back with the 2nd. This will clear all your items.
18. Withdraw TM05 from your PC.
19. Swap the 2nd Pokemon with the 5th to avoid crashing in the next few steps.
20. Swap the 3rd Pokemon with the 2nd so your Pokemon with Fly won't get obliterated by Charizard 'Ms
21. Deposit your LM4 and your Pokemon with Fly.
22. From now on keep depositing Pokemon into your empty box until you're left with just one Pokemon in your party.
23. Withdraw LM4 and the Pokemon with Fly.
24. Exit out the PC and move the first Pokemon (Charizard 'M) to the last slot.
25. Deposit the Charizard 'M. You should now have only LM4 and the flyer in your team.
26. Because of the Super Glitch, your LM4 became an unstable hybrid of Krabby. Fly to Cerulean City, bring your LM4 into Daycare and take it out to change it back to LM4.
27. Fly back to Celadon City, stand in the spot below:



28. Teach your LM4 Mega Kick (use TM05). Replace the move with 4 characters in its name, otherwise stuff won't work as intended.
29. Fly to Cerulean City again, stand in the spot shown below:



30. Open your Pokemon menu here (important). If your LM4 is now the second Pokemon in your party, switch it back to the first slot.
31. Fight a wild Pokemon. Open up and close your fight menu a few times, then run from the battle.
32. Your name should be now blank. If it isn't, repeat step 30.
33. Fly to any Pokemon Center and heal your Pokemon.
34. And finally, you're done! You are now free to save the game if you're brave enough. Withdraw your 8F and have fun.

Full video presenting this done step by step: http://www.youtube.com/watch?v=Sw0h7ImFsAs

BOOTSTRAPPING

8F won't do anything amazing by itself - in order to make it execute code from $D322 (third item), we need to use the party Pokemon to spell out a short bootstrapping program, which will redirect the instruction pointer to your item pack. The requirements are as follows:

1.  6 Pokémon                                                         [0xD163 = 0x06]
2.  Onix as the first Pokémon                                         [0xD164 = 0x22]
3.  Pidgey as the second Pokémon                                      [0xD165 = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD165 = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD166 = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1B5 = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1B6 = 0x55]
8.  36 PP left on the fourth Pokémon's first move                     [0xD20C = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD20D = 0x18]
10. 20 PP left on the fourth Pokémon's third move                     [0xD20E = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD223 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD224 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD225 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD26C = 0xE9]


(11/12/13: Hitmonlee is probably the only Pokémon that can learn all of those moves)

Resulting ASM:
Code:
; -- Initial value of hl: D163
WRA1:D163 06 22            ld   b,22    ;  b = 22
WRA1:D165 24               inc  h       ; hl = D263
WRA1:D166 18 4D            jr   D1B5

WRA1:D1B5 18 55            jr   D20C

WRA1:D20C 24               inc  h       ; hl = D363
WRA1:D20D 18 14            jr   D223

WRA1:D223 68               ld   l,b     ; hl = D322
WRA1:D224 18 46            jr   D26C

WRA1:D26C E9               jp   hl



Sadly, we can't use K)ry's original code from Pokemon Green, as in international versions the opcodes [jp imm16] and [call imm16] can't be represented in a Pokemon's nickname, foiling our evil plan.

Well, now we're done with all those preparations, let's try to actually do something with this item! Below I present some examples of what is possible.

USING 8F TO OUR ADVANTAGE

"CATCH 'EM ALL" SCRIPT

This is just K)ry's ASM for JP Red/Green ported to the international release. With those items, 8F will act like an item that forces a Pokemon encounter based on the quantity of item #1, making it possible to catch all 151 Pokemon easily.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x31
TM11                 x4
TM34                 x89
TM08                 x201


ASM:
Code:
WRA1:D322 FA 1F D3         ld   a,(D31F)
WRA1:D325 04               inc  b
WRA1:D326 EA 59 D0         ld   (D059),a
WRA1:D329 C9               ret 

ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201


ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

FIX THE PLAYER'S NAME

One of the side effects of obtaining 8F is blanking out your name. However, with this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters and bring your name back to normal.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201


ASM:
Code:
WRA1:D322 FA B5 D2         ld   a,(D2B5)
WRA1:D325 40               ld   b,b
WRA1:D326 EA 58 D1         ld   (D158),a
WRA1:D329 2E 27            ld   l,27
WRA1:D32B 34               inc  (hl)
WRA1:D32C 2E 23            ld   l,23
WRA1:D32E 34               inc  (hl)
WRA1:D32F C9               ret 

CHANGE THE SECOND ITEM

This easy code uses only 3 basic items, and it increases the first item's index by 1 every time 8F is used. You can obtain normally unobtainable items, glitch items or TMs so you can do other item configurations described.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s

ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201


ASM:
Code:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl      ; hl = D321
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl      ; hl = D320 (second item's ID)
WRA1:D326 34               inc  (hl)    ; second item's ID += 1
WRA1:D327 C9               ret


WALK THROUGH WALLS

Jump off a ledge after using 8F to walk through walls.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x20
TM15                 x201


ASM:
Code:
WRA1:D322 EA 14 D7         ld (d714),a
WRA1:D325 C9               ret

ESCAPE FROM A TRAINER BATTLE

This turns 8F into an item which allows escaping from any battle, including trainer battles.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x120
TM08                 x201


ASM:
Code:
WRA1:D322 EA 78 D0         ld (d078),a
WRA1:D325 C9               ret

CLEAR A POKEMON BOX

While obtaining 8F there's a slight chance Pokemon in your box will get corrupted and will crash the game upon releasing. One can either deal with it and switch to another box, or make the box empty with this item configuration.

Switch to the corrupted box, use the 8F, done. Be careful though, you probably don't want to clear the box with your L100 legendaries.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
Soda Pop             x64
TM34                 x128
TM18                 x201


ASM:
Code:
WRA1:D322 3E 01            ld a,01
WRA1:D324 3D               dec a
WRA1:D325 40               ld b,b
WRA1:D326 EA 80 DA         ld (da80),a
WRA1:D329 C9               ret

ENDING REMARK: BIG ITEM QUANTITIES?

All of those item lists will have at least one item with quantity bigger than 99. Obviously, it's possible to obtain those big quantities using the Missingno. item duplication glitch (duplicating a 99 item stack will result in a 227 item stack).
However, the numbers bigger than 9 are represented with glitch blobs, so it's normally impossible to read how many items you actually have. This short image guide below will help you with reading quantities of those big item stacks.


* This image uses the Pokemon Center tileset
« Last Edit: December 07, 2013, 11:30:31 AM by TheZZAZZGlitch »
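
Added example, not part of the original post: a five-opcode interpreter written for this page that follows the bootstrap from $D163 through the party data until `jp hl`. Byte values and addresses are copied from the "Resulting ASM" listing above; the function and variable names are this example's own.

```python
# Sparse view of WRAM holding only the bytes the party setup controls.
# Addresses follow the ASM listing (third species at D166, fourth at D167).
BOOTSTRAP_BYTES = {
    0xD163: 0x06,  # party count = 6                 -> ld b,n
    0xD164: 0x22,  # species 1 (Onix)                -> operand of ld b
    0xD165: 0x24,  # species 2 (Pidgey)              -> inc h
    0xD166: 0x18,  # species 3 (Tentacool)           -> jr
    0xD167: 0x4D,  # species 4 (Meowth)              -> jr displacement
    0xD1B5: 0x18, 0xD1B6: 0x55,                # PP bytes, 2nd Pokemon
    0xD20C: 0x24, 0xD20D: 0x18, 0xD20E: 0x14,  # PP bytes, 4th Pokemon
    0xD223: 0x68, 0xD224: 0x18, 0xD225: 0x46,  # move IDs, 5th Pokemon
    0xD26C: 0xE9,                              # attack stat, 6th Pokemon
}
ENTRY = 0xD163   # where 8F starts executing; the listing gives hl = D163 here
ITEM3 = 0xD322   # ID byte of the third bag item


def signed8(value):
    """Interpret a byte as the signed displacement used by jr."""
    return value - 0x100 if value >= 0x80 else value


def trace(mem, entry=ENTRY, max_steps=32):
    """Execute until jp hl. Returns (jump target, [(address, text), ...])."""
    pc, hl, b = entry, entry, 0
    log = []

    def fetch(addr):
        if addr not in mem:
            raise LookupError(
                "execution reached %04X, a byte the setup does not control" % addr)
        return mem[addr]

    for _ in range(max_steps):
        op = fetch(pc)
        if op == 0x06:                    # ld b,n
            b = fetch(pc + 1)
            log.append((pc, "ld b,%02X" % b))
            pc += 2
        elif op == 0x24:                  # inc h
            hl = (hl + 0x0100) & 0xFFFF
            log.append((pc, "inc h (hl=%04X)" % hl))
            pc += 1
        elif op == 0x68:                  # ld l,b
            hl = (hl & 0xFF00) | b
            log.append((pc, "ld l,b (hl=%04X)" % hl))
            pc += 1
        elif op == 0x18:                  # jr e: relative to the next instruction
            target = (pc + 2 + signed8(fetch(pc + 1))) & 0xFFFF
            log.append((pc, "jr %04X" % target))
            pc = target
        elif op == 0xE9:                  # jp hl
            log.append((pc, "jp hl (%04X)" % hl))
            return hl, log
        else:
            raise ValueError("opcode %02X at %04X is outside the traced subset" % (op, pc))
    raise RuntimeError("no jp hl reached within %d steps" % max_steps)


if __name__ == "__main__":
    target, log = trace(BOOTSTRAP_BYTES)
    for addr, text in log:
        print("%04X  %s" % (addr, text))
    print("lands on item 3:", target == ITEM3)
```

Changing any single requirement moves a jump target or the final `hl`, which is why the trace raises as soon as execution reaches a byte outside the table.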

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #1 on: April 25, 2013, 10:27:50 AM »
Impressive. Great work on finding all those extra tricks and an alternative to k(y's code too!

I'm gonna re-post the CPU registers for D322 that you added as a caption in your video.

Quote
af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de= 0001 [d=00, e=01]
hl= D322 [h=D3, l=22]
All flags reset
Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #2 on: April 25, 2013, 10:34:27 AM »
yay, I think everyone was waiting for this.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive • irc.ringoflightning.net #arena • WackyChatVerseCrypt

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

camper

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #3 on: April 25, 2013, 11:20:28 AM »
Why is step 5 necessary?

TheZZAZZGlitch

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #4 on: April 25, 2013, 11:37:47 AM »
Quote
Why is step 5 necessary?

Super Glitch changes the boxset value ($D12C) to a glitch value 0x10, which corrupts the map if viewed. By opening the Pokemon Center's HEAL/CANCEL dialog the boxset value gets reset back to 0 (default YES/NO), so the game does not corrupt my map when I try to toss an item or save. Step 33 is necessary for the exact same reason.

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #5 on: April 25, 2013, 11:42:14 AM »
Here are a few simple tricks I made that work with the bootstrap program:


Gym Leader theme plays for the next battle

Use this outside of battle to make the next battle play the Gym Leader theme.

Requirements:

Item 3 = TM34 x 92
Item 4 = TM08 x 201

ASM:

Code:
WRA1:D322 EA 5C D0         ld   (D05C),a   ; put 63h into D05C
WRA1:D325 C9               ret

Battle Safari Zone style

Use 8F in the middle of the battle to turn it into a Safari Zone battle. If you use it outside of battle, you'll be forced to use item 1 infinitely.

Requirements:

Item 3 = Lemonade x 2
Item 4 = TM34 x 90
Item 5 = TM08 x 201

ASM:

Code:
WRA1:D322 3E 02            ld   a,02       ; put 02h into a
WRA1:D324 EA 5A D0         ld   (D05A),a   ; put 02h into D05A
WRA1:D327 C9               ret



Steal other Trainer's Pokémon without Gameshark

Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle. You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.



Requirements:

Item 3 = Lemonade x 1
Item 4 = TM34 x 87
Item 5 = TM08 x 201

ASM:

Code:
WRA1:D322 3E 01            ld   a,01       ; put 01h into a
WRA1:D324 EA 57 D0         ld   (D057),a   ; put 01h into D057
WRA1:D327 C9               ret
« Last Edit: April 25, 2013, 11:50:53 AM by Torchickens »


blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #6 on: April 25, 2013, 03:41:13 PM »
Words can't even describe how I felt reading this. You're amazing.

TheDarkAce

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #7 on: April 25, 2013, 08:54:57 PM »
I'm in awe of this, congratulations on the find!

i may have to try this at some point...

will it work on yellow?

if so, how do you get the enormous quantities of items on there?

i heard you can only ever get 129 per stack (missingnoXpert's Lets Glitch series on youtube taught me most of my glitching knowledge for R/B/Y, along with a bit of experimentation and whatever i could glean from various sources, including the main site)

TheZZAZZGlitch

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #8 on: April 25, 2013, 09:54:10 PM »
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.
« Last Edit: April 25, 2013, 09:54:41 PM by TheZZAZZGlitch »

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #9 on: April 26, 2013, 06:54:19 AM »
Quote
if so, how do you get the enormous quantities of items on there?

i heard you can only ever get 129 per stack (missingnoXpert's Lets Glitch series on youtube taught me most of my glitching knowledge for R/B/Y, along with a bit of experimentation and whatever i could glean from various sources, including the main site)

Just toss 2 or more items after it is duplicated by 128 the first time. For example, if you encounter Missingno. when you have 127 items in the sixth position, you will get 255. This is because all Dex #000 Pokémon add 128 to the quantity of the sixth item upon encounter provided that it is less than 128. Also capturing the Pokémon/obtaining it as a gift counts as both seeing it (adding 128 to the sixth item if its quantity is less than 128) and owning it (this registers Cubone in the Pokédex as 'seen'. You can avoid seeing Missingno.'s Pokédex entry and the Rhydon glitch if you've seen Cubone).

To duplicate your items on Yellow without a risk of freezing the game, you can use the Ditto glitch to encounter one of the special Missingno. (special stat = 182 [Kabutops fossil], 183 [Aerodactyl Fossil] or 184 [Ghost Missingno.] ) These are safe and won't freeze the game.

Alternatively, you can perform the Cable Club escape glitch with more than one Dex #000 Pokémon or similar item duplicating glitch Pokémon that don't freeze the game to duplicate multiple items by throwing balls / switching different items into the sixth position.
« Last Edit: April 26, 2013, 07:47:33 AM by Torchickens »


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #10 on: April 26, 2013, 08:20:49 AM »
Quote
Here are a few simple tricks I made that work with the bootstrap program:

so in theory, 01xxyyzz gameshark codes could easily be converted for use with 8F with the following asm skeleton:

Code:
D322 : 3E xx          ld a, xx      ; register a = xx
D324 : EA yy zz       ld (zzyy),a   ; memory address zzyy = register a
D327 : C9             ret           ; does this even need explaining?!

...which corresponds to the following items:
Code:
Item3: Lemonade, quantity xx
Item4: TM34, quantity yy
Item5: Item with hex zz, quantity 201

...and if hex zz corresponds to a glitch item or otherwise unobtainable item, one can change the second item using TheZZAZZGlitch's code above.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive • irc.ringoflightning.net #arena • WackyChatVerseCrypt

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management
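
Added example, not code from any poster in the thread: the 01xxyyzz conversion described in Reply #10, checked against the item lists in Reply #5. The zero-value path reuses the `ld a,01` / `dec a` bytes from the "Clear a Pokemon Box" list in the first post; treating a stack quantity of 0 as unobtainable is an assumption, and all function names are this example's own.

```python
import re

# Item IDs that can be read off the byte listings on this page
# (the ID byte printed next to the item that produced it).
PAGE_ITEMS = {
    0x02: "Ultra Ball", 0x0C: "Burn Heal", 0x0D: "Ice Heal", 0x1E: "Repel",
    0x27: "Calcium", 0x2E: "X Accuracy", 0x34: "Full Heal", 0x3D: "Soda Pop",
    0x3E: "Lemonade", 0x43: "X Speed", 0x4D: "Good Rod", 0x5D: "8F",
}
TM01 = 0xC9                       # TM01..TM50 occupy 0xC9..0xFA (TM34 = 0xEA)
LEMONADE, SODA_POP, TM34 = 0x3E, 0x3D, 0xEA
RET_QTY = 0xC9                    # a quantity of 201 doubles as the ret opcode


def item_name(item_id):
    """Name an item ID using only TM arithmetic and the page's own listings."""
    if TM01 <= item_id <= TM01 + 49:
        return "TM%02d" % (item_id - TM01 + 1)
    return PAGE_ITEMS.get(item_id, "item 0x%02X" % item_id)


def gameshark_to_items(code):
    """Turn '01xxyyzz' into [(item_id, quantity), ...] for bag slots 3 onward."""
    match = re.fullmatch(r"01([0-9A-Fa-f]{6})", code.strip())
    if not match:
        raise ValueError("expected a 01xxyyzz code, got %r" % code)
    xx, yy, zz = bytes.fromhex(match.group(1))
    if yy == 0:
        # Assumption: a stack of 0 cannot be obtained, so a low address
        # byte of 00 has no TM34 quantity that spells it.
        raise ValueError("low address byte 00 would need TM34 x0")
    if xx == 0:
        # Value 0: ld a,01 / dec a / ld b,b, as in the Clear a Pokemon Box list.
        load_a = [(LEMONADE, 1), (SODA_POP, 0x40)]
    else:
        load_a = [(LEMONADE, xx)]          # ld a,xx
    return load_a + [(TM34, yy), (zz, RET_QTY)]   # ld (zzyy),a / ret


def assemble(items):
    """Bytes as they sit in the bag starting at D322: ID, quantity, ID, ..."""
    return bytes(value for pair in items for value in pair)


def describe(items, first_slot=3):
    """Render the list in the 'Item N = NAME x QTY' form used in Reply #5."""
    return ["Item %d = %s x %d" % (first_slot + i, item_name(item_id), qty)
            for i, (item_id, qty) in enumerate(items)]


if __name__ == "__main__":
    # 010157D0 writes 01 to D057; 010080DA writes 00 to DA80.
    for code in ("010157D0", "01025AD0", "010080DA"):
        items = gameshark_to_items(code)
        print(code, assemble(items).hex(" ").upper())
        for line in describe(items):
            print("   ", line)
```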

TheDarkAce

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #11 on: April 26, 2013, 05:26:01 PM »
Quote
Steal other Trainer's Pokémon without Gameshark

Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle. You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

Requirements:

Item 3 = Lemonade x 1
Item 4 = TM34 x 87
Item 5 = TM08 x 201

ASM:

Code:
WRA1:D322 3E 01            ld   a,01       ; put 01h into a
WRA1:D324 EA 57 D0         ld   (D057),a   ; put 01h into D057
WRA1:D327 C9               ret

just thought of a way to use this - use the ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the pokemon center you teleported to. once in the battle, run the code and you now have a stupidly high level pokemon... am i thinking about this right?

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #12 on: April 27, 2013, 06:07:28 AM »
Hey TheZZAZZGlitch, I found a much easier way to obtain 8F.

Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not  $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

Quote
just thought of a way to use this - use the ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the pokemon center you teleported to. once in the battle, run the code and you now have a stupidly high level pokemon... am i thinking about this right?

Yes, you're right. You can do this with glitchy Trainers from the Ditto glitch or Old Man glitch to get Pokémon over level 100. There's something I forgot to mention though, a) using 8F counts as using up one turn, so Super Glitch/ moves that freeze the game might be a problem b) you'll still need a Master Ball or other type of Poké Ball to capture the Pokémon.
« Last Edit: April 27, 2013, 06:11:51 AM by Torchickens »


camper

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #13 on: April 27, 2013, 10:43:36 AM »
Which identifier is the first video's glitch roster? It can be 80h, 82h or 87h from the name. I guess only one of them corresponds to that roster.

I don't prefer the Cable Club escape glitch, mainly because of the need of TGB Dual.

Quote
just thought of a way to use this - use the ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the pokemon center you teleported to. once in the battle, run the code and you now have a stupidly high level pokemon... am i thinking about this right?

Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)

Btw,
Quote
Unlike the 'death Trainer' found after the ZZAZZ glitch, a Trainer with Red's picture cannot be found by encountering a wild Pokémon and will only be found when trying to encounter an existing Trainer.

This is not true. ZZAZZ glitch won't change wild Pokemon encounters.

TheZZAZZGlitch

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #14 on: April 27, 2013, 11:17:21 AM »
Quote
Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not  $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh)

Well, that's amazing. However, it still requires having a right name. Also, no matter which roster (letter after the MN symbol) I try, Prof. Oak will throw a "◣ゥ 8" (hex C9) out. Maybe this roster on the video has something to do with that Rocket in Silph Co. the author of the video fought previously and lost to?

Also, about the Cable Club escape glitch, it obviously requires access to the Cable Club. Also, to make trainers send out a "94" or "94h", the other trainer needs to own it first. And to own it, Johto guard glitch is needed. And to do this, one needs a hex FF ????? and a bad clone. And this gets far more complicated than the original method.

Anyways, thank you for all that information on encounter flags - maybe I will be able to use this to shorten up my first obtainment method.
« Last Edit: April 27, 2013, 11:18:23 AM by TheZZAZZGlitch »