Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 253742 times)


Misdreavus

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #735 on: November 13, 2017, 05:06:25 pm »
> Actually, I sent you the wrong code by mistake. Sorry, here's the new code:
>
> HP EV:
> Lemonade x??
> Thunderstone x124
> TM09 x34
> Awakening x??
> Poke Ball x121
> Burn Heal x119
> TM01 xAny
>
> (My original code only allowed for both bytes to be changed to the same value)
>
> To do the conversions, first convert the desired value into hex. For 40000, that would be $9C40. Then take the high byte ($9C), convert it to decimal (156), and have that value be the Lemonade quantity. Do the same with the low byte, and put the result into the Awakening quantity.
>
> So HP EV 40000 would be:
> Lemonade x156
> Thunderstone x124
> TM09 x34
> Awakening x64
> Poke Ball x121
> Burn Heal x119
> TM01 xAny

I'm trying to max my Special DV.  I have my pack set up as follows:

Bicycle
8F
Lemonade x255
Thunderstone x132
TM09 x34
Awakening x255
Poke Ball x121
Burn Heal x119
TM01 x1
...

Then I use 8F, but the Special stat of the L7 Chansey in my box (the only Pokémon in that box) doesn't change, when it should be changing from 21 (untrained) to 26 (maxed).

Do I have the right setup, or am I doing something wrong?

Couldntthinkofaname

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #736 on: November 13, 2017, 06:10:38 pm »
This isn't operator error, I made a mistake when writing the code. As opposed to affecting the stat of box Pokemon 1, it instead affects the first Pokemon in your party. What I failed to realize was that you needed 233 HP Pidgey at the front of your party for bootstrapping. This is why I need to stop doing things while tired.

Give me a moment and I will edit this comment when it's fixed.

Edit: Fixed. This will now edit Pokemon 1 in your current box.

Lemonade x??
Thunderstone x??
TM18 x34
Awakening x??
Poké Ball x122
Burn Heal x119
TM01 x[Any qty]


Lemonade: Replace with the high byte of the desired value

Thunderstone:

x167 - HP EV
x169 - Attack EV
x171 - Defense EV
x173 - Speed EV
x175 - Special EV

Awakening: Replace with low byte of desired value

To max out your special EV, you would use:

Lemonade x255
Thunderstone x175
TM18 x34
Awakening x255
Poke Ball x122
Burn Heal x119
TM01 xAny


Again, apologies for managing to mess this up 2 times in a row lol.
« Last Edit: November 13, 2017, 10:08:04 pm by Couldntthinkofaname »
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #737 on: November 14, 2017, 01:48:49 am »
Actually, the 6-Pokémon bootstrap (using Arbok instead of Kangaskhan) lets you have any Pokémon in slot 1, so your previous setup was perfectly fine.

By the way, always use the 6-Pokémon bootstrap. Nothing's more frustrating than your 233 HP Pidgey taking damage.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Str8rush

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #738 on: November 14, 2017, 05:16:00 pm »
Yup, that was the case. I put it into the daycare and got it back; it was a Missingno. afterwards. By entering the Time Capsule, it was shown as a shiny Ho-Oh with Sacred Fire in Slot 3, with Fire/Flying type. As I tried to trade, there still was the message that there seems to be something wrong with that Pokémon...

Edit: I re-read the topic in the forum where I first read about all this; the author of this thread stated that he was able to trade his generated Ho-Oh to his Silver but not his Lugia. Could this be a thing perhaps, as I am trying it with a Ho-Oh to a Gold version?


After a few weeks with a little bit of stress and no time, I tried it again and it worked perfectly on my 3DS. I generated shiny Ho-Oh with Sacred Fire, Delibird, Phanpy and Skarmory with caught Missingno. and I managed to modify a Pinsir to a Ledyba and a Pidgey to a Chikorita (both are Glitch-Mons).
Only the last one gives a bit of trouble:

I would like to modify a Drowzee (for little effort changing the types) to get Glitch-Pokémon #251 for Celebi using 8F.
I am using the same code, which worked perfectly fine for Ledyba and Chikorita in Slot 1 of my current box:

1. any item
2. 8F
3. Lemonade x251
4. X Acc x155
5. Carbos x218
6. Pokeball x119
7. Fresh Water x201

Lemonade 251 is Celebi's index number as listed both on Bulbapedia and in the Big HEX List (https://glitchcity.info/wiki/The_Big_HEX_List)

X Acc 155 is to address the first slotted Pokémon ($DA96 --> 96 = 150 + 5 because non-English game)
Carbos 218 same

For some reason the modified Pokémon is shown as a Wobbuffet in the Time Capsule.
Wobbuffet's index number is 241, which is exactly 10 below the 251 of Celebi. I think this could be a reason, but I have no idea how this is possible. I had one Lemonade in Slot 6 of my bag, encountered Missingno. (+128 = 129), tossed 6 (= 123) and encountered Missingno. again (+128 = 251).

I tried it two times with different Pokémon in different boxes and I double-checked my bag. I tried to encounter Missingno. with 10 Lemonades in my bag (= 138), tossed 6 and encountered Missingno. again, which should then be 261, just to make sure I didn't mess anything up to get this difference of 10 to get a Wobbuffet, but then I would have more than 255 Lemonades in one slot; is that even possible? Where could the mistake be that I didn't see, because it worked for Pinsir --> Ledyba #204 and for Pidgey --> Chikorita #191?
Any idea on how to generate a #251 Glitch-Mon otherwise?

Evie ✿

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #739 on: November 14, 2017, 05:25:14 pm »
It sounds like you successfully got the glitch Pokémon FB on the Generation I game.

However, the reason why glitch Pokémon No. 251 doesn't convert into Celebi is that Celebi (and ????? 00, FC, FF Egg) isn't a value in the hard-coded conversion table, so no Generation I glitch Pokémon will ever convert into Celebi I'm afraid. :(

These are all the one-way conversions like this:

http://glitchcity.info/wiki/Time_Capsule_exploit#One-way_conversions

Interestingly, the Wobbuffet for #251 and #252 actually appear to be hardcoded. Háčky, who documented more complex details of the Time Capsule exploit including this, wondered whether the Wobbuffet were an Easter egg and developer joke, as their Japanese name ソーナンス (Sonans) is a play on the phrase "that's the way it is".
« Last Edit: November 14, 2017, 05:26:05 pm by Evie ✿ »
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Xelrog T. Apocalypse

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #740 on: November 22, 2017, 01:29:36 pm »
Hello, hello... new guy here, sorry to just barge in. I was hoping I might be able to get a little help.

I just recently started using ACE on my Virtual Console version of Red to get myself some shinies for Pokémon Bank, using this old guide. So far, it's worked great, with one exception: setting all the DVs to 10 does guarantee all Pokémon are shinies, but it also forces them all to be male. I need female shinies as well for the species with gender differences.

Now, I know that because both shininess and gender are determined by the Attack IV in Gens 1 and 2, it's impossible for there to be a shiny female of a species with a 1:8 Male/Female ratio. I'd still like to get the non-1:8's, if possible, though. I don't understand the programming quite well enough for 8F Helper to be useful to me, though...

Does anyone know what item list I would need in order to set the first Pokémon in the current box to have an Attack IV of 2? Or first in party, whatever... but I'm already set up for the version of the glitch I linked to above, which affects the first in the box.
« Last Edit: November 22, 2017, 01:30:35 pm by Xelrog T. Apocalypse »

Couldntthinkofaname

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #741 on: November 22, 2017, 01:51:17 pm »
Yes.

Use:
8f
Any item xany qnty
Thunderstone x177
TM18 x4
Lemonade x42
Ice Heal x34
Awakening x170
Poke ball x121
Max ether x119
TM01 xany

This is for stored Pokémon 1
« Last Edit: November 22, 2017, 01:55:30 pm by Couldntthinkofaname »

Xelrog T. Apocalypse

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #742 on: November 22, 2017, 02:07:11 pm »
> Yes.
>
> Use:
> 8f
> Any item xany qnty
> Thunderstone x177
> TM18 x4
> Lemonade x42
> Ice Heal x34
> Awakening x170
> Poke ball x121
> Max ether x119
> TM01 xany
>
> This is for stored Pokémon 1

8F in the first slot? Not the second? This is for the party listed in the thread I linked to?

1st: Pidgey (233HP)
2nd: Parasect
3rd: Onix
4th: Tentacool
5th: Kangaskhan
6th: (empty)
« Last Edit: November 22, 2017, 02:07:44 pm by Xelrog T. Apocalypse »

Couldntthinkofaname

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #743 on: November 22, 2017, 02:09:29 pm »
8F can be in the first or second slot; it has no bearing on the code's effect.

And yes, that party will indeed work with this.
« Last Edit: November 22, 2017, 02:09:59 pm by Couldntthinkofaname »

Xelrog T. Apocalypse

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #744 on: November 22, 2017, 03:02:12 pm »
Ah, all right, I get it. The code starts from the third item. I'll give it a shot, thanks a ton.
« Last Edit: November 22, 2017, 03:02:40 pm by Xelrog T. Apocalypse »

forsyz

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #745 on: November 23, 2017, 02:44:55 am »
Want an ACE way of making the game glitch itself? How would you run code that changes a random byte in WRAM?

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #746 on: November 23, 2017, 10:04:24 am »
Just use the "Gameshark code" with arbitrary values. Fuzz with them a bit !

Couldntthinkofaname

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #747 on: November 23, 2017, 10:10:33 am »
> Just use the "Gameshark code" with arbitrary values. Fuzz with them a bit !

You could do that.

You could also do this:

8f
Any item xany
Poke ball x33
TM11 x255
Ice Heal x42
TM45 x42
X Attack x111
TM41 x103
TM40 x212
Max ether x119
TM01 xany

This writes an entirely random byte to an entirely random location. Be very careful: there is nothing stopping this thing from writing into SRAM and invalidating checksums.
Back up your save before using it.
Messing around with GameShark codes is fun too; you never know what you might find! :)
« Last Edit: November 23, 2017, 10:12:00 am by Couldntthinkofaname »

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #748 on: Yesterday at 06:00:54 am »
> Ah, all right, I get it. The code starts from the third item. I'll give it a shot, thanks a ton.

It's not irrelevant to question the position of 8F in a given code. The code indeed starts at the third item, but the identity and quantity of items 1 and 2 can actually be important, if the code uses their value to do something. The most common case of this is a code that uses a specific quantity of any item in position 2 and then stores this quantity into A for some utility later in the code (for example by starting the code with the opcode 'dec l' followed by 'ld a,(hl)', or by starting with 'ld a,(hld)' a.k.a. 'ld a,(hl-)' or 'ldd a,(hl)', which loads (HL) into A then decrements HL, then any opcode to load (HL) into A again).
Many tricks involving the second item exist, including codes that actually change what the second item is. None of this is the case in what Couldntthinkofaname gave you, but it's a good reaction to actually pay attention to the availability of item 2.

The best is always to understand codes, so you can be sure of what to do. It doesn't require insane programming skills most of the time. I say a lot that even though this board is made to help people (and we are very happy too) most questions asked about code execution could have been solved by the user if they just tried to understand a bit how it works by reading already available explanations. Your question was of course a bit technical, but if it can help, here is, for your information, how an '8F noob' could have solved this problem on their own:

You already did the whole difficult job by pointing out that:
- A Pokémon is shiny when all of its DVs are 10, except for the Attack, which can be several values (but never lower than 2)
- Any Pokémon with an Attack DV of 2 is female, except for the very specific class of Pokémon with a 7:1 male:female ratio.
- As a result, these Pokémon will never be shiny AND female, but any other shiny Pokémon with an Attack DV of 2 will be female.

As pointed out in dozens of posts in this very thread (the last time was 14 days ago: http://forums.glitchcity.info/index.php?topic=6638.msg207657#msg207657) there is a generic 8F code that changes a piece of game data. Using it, you would have found out that, for example, the Attack and Defense DVs of Stored Pokémon 1 are controlled by $DAB1. Problem: it is not explained how to differentiate between the Attack and Defense DV... Well, the answer is given two posts after the previous one: DVs are coded in half-bytes, meaning that the value of $DAB1 for both DVs to be 10 would be AA (as A is 10 in hexadecimal) and therefore 2A would give an Attack DV of 2 and a Defense DV of 10.

With this in mind, you could have figured out this item list for yourself:
Item 1: any item
Item 2: 8F
Item 3: Lemonade x42 (2 Attack, A [10] Defense)
Item 4: X Accuracy x177 (decimal equivalent of B1)
Item 5: Carbos x218 (decimal equivalent of DA)
Item 6: Poké Ball x119
Item 7: Fresh Water x201

Of course, this solves the problem by changing an already shinyfied Pokémon to a female. It doesn't change the Speed/Special DVs, unlike the code given by Couldntthinkofaname which makes 2/10/10/10 (and therefore should not be used if you want a male shiny). I used no knowledge AT ALL of opcodes to write this, to show that anyone could have done that, but to create a code like the one he did, you would indeed need some basics. Maybe I can advise you to read the relevant information in section IV.10 of the newcomers' guide to 2G ACE, since opcodes are exactly the same in the first generation, obviously :)

A last note: in the generic code that changes ONE value, by having 34 Poké Ball and following with a quantity of Max Revive, you can directly change the value of the following address as well.
Item 1: any item
Item 2: 8F
Item 3: Lemonade x(value to give to address)
Item 4: X Accuracy x('last two numbers' of the address)
Item 5: Carbos x('first two numbers' of the address)
Item 6: Poké Ball x34
Item 7: Max Revive x(value to give to the following address)
Item 8: Fresh Water x201

Which in our case can be solved by using 42 Lemonade, 177 X Accuracy, 218 Carbos and 170 Max Revive so that it does the same thing as Couldntthinkofaname's code.

Hope it helps. Have fun with ACE!
« Last Edit: Yesterday at 06:02:43 am by Krys3000 »

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov
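An added example (not code from the thread or from Glitch City Labs): a small interpreter for the handful of GBz80 opcodes that the 8F codes in this thread use, so an item list can be checked before it is tried on a real save. It covers Krys3000's one-byte and two-byte generic codes, Couldntthinkofaname's Attack-DV code from Reply #741, and the high/low byte split described in Reply #735. The item IDs in the table are quoted from memory of the Generation I item table and are an assumption to verify against the Big HEX List linked above; the start-at-item-3 model and the zeroed registers are assumptions too (on real hardware the registers hold whatever the game left there, which is why a good code never depends on them).

```python
"""Added example; not code from the thread or from Glitch City Labs.

A minimal interpreter for the few GBz80 opcodes the 8F codes in this thread
use. Model: 8F starts executing at the bag's third item and each item
contributes two bytes (item ID, quantity). Writes are recorded in a dict
instead of touching memory. Item IDs are assumed (verify against the Big
HEX List); registers are assumed to start at 0.
"""

# Generation I item IDs (assumed) and the opcode each one becomes.
ITEM_IDS = {
    "Poke Ball": 0x04,     # inc b   (harmless filler byte)
    "Burn Heal": 0x0C,     # inc c
    "Ice Heal": 0x0D,      # dec c
    "Awakening": 0x0E,     # ld c,n
    "Thunderstone": 0x21,  # ld hl,nn (low byte = quantity, high byte = next item ID)
    "Carbos": 0x26,        # ld h,n
    "X Accuracy": 0x2E,    # ld l,n
    "Max Revive": 0x36,    # ld (hl),n
    "Fresh Water": 0x3C,   # inc a
    "Lemonade": 0x3E,      # ld a,n
    "Max Ether": 0x51,     # ld d,c
    "TM01": 0xC9,          # ret  (TMs are 0xC9 + TM number - 1)
    "TM18": 0xDA,          # used in this thread only as the high byte of an address
}

LOAD_IMM = {0x3E: "a", 0x2E: "l", 0x26: "h", 0x0E: "c"}            # ld r,n
INC_DEC = {0x04: ("b", 1), 0x0C: ("c", 1), 0x0D: ("c", -1), 0x3C: ("a", 1)}
COPY = {0x79: ("a", "c"), 0x51: ("d", "c")}                         # ld r,r'


def split_word(value):
    """16-bit value -> (high, low) byte quantities, e.g. 40000 = $9C40 -> (156, 64)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value must fit in 16 bits")
    return value >> 8, value & 0xFF


def dv_byte(attack_dv, defense_dv):
    """Pack two DV nibbles into the byte stored at $DAB1, e.g. (2, 10) -> 0x2A."""
    if not (0 <= attack_dv <= 15 and 0 <= defense_dv <= 15):
        raise ValueError("DVs are 4-bit values")
    return (attack_dv << 4) | defense_dv


def item_bytes(items):
    """[(name, qty), ...] for bag slots 3 onward -> the byte stream 8F executes."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes((ITEM_IDS[name], qty))
    return bytes(out)


def run_8f(items):
    """Interpret the item bytes; return ({address: byte written}, disassembly)."""
    code = item_bytes(items)
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "h": 0, "l": 0}  # assumed start state
    writes, listing, pc = {}, [], 0
    while pc < len(code):
        op = code[pc]
        n = code[pc + 1] if pc + 1 < len(code) else 0
        nn = ((code[pc + 2] << 8) | n) if pc + 2 < len(code) else 0
        hl = (r["h"] << 8) | r["l"]
        if op == 0xC9:                      # ret: hand control back to the game
            listing.append("ret")
            return writes, listing
        if op in LOAD_IMM:
            r[LOAD_IMM[op]] = n
            listing.append(f"ld {LOAD_IMM[op]},${n:02X}")
            pc += 2
        elif op == 0x21:                    # 16-bit operand is little-endian
            r["h"], r["l"] = nn >> 8, nn & 0xFF
            listing.append(f"ld hl,${nn:04X}")
            pc += 3
        elif op in INC_DEC:
            reg, delta = INC_DEC[op]
            r[reg] = (r[reg] + delta) & 0xFF
            listing.append(f"{'inc' if delta > 0 else 'dec'} {reg}")
            pc += 1
        elif op in (0x77, 0x22):            # ld (hl),a / ld (hl+),a
            writes[hl] = r["a"]
            listing.append("ld (hl),a" if op == 0x77 else "ld (hl+),a")
            if op == 0x22:
                r["h"], r["l"] = ((hl + 1) >> 8) & 0xFF, (hl + 1) & 0xFF
            pc += 1
        elif op == 0x36:
            writes[hl] = n
            listing.append(f"ld (hl),${n:02X}")
            pc += 2
        elif op in COPY:
            dst, src = COPY[op]
            r[dst] = r[src]
            listing.append(f"ld {dst},{src}")
            pc += 1
        else:
            raise ValueError(f"opcode ${op:02X} at byte {pc} is not modelled here")
    raise ValueError("no ret before the item list ended; the game would keep executing")


if __name__ == "__main__":
    # Krys3000's one-byte generic code: write $2A (Attack DV 2, Defense DV 10) to $DAB1.
    generic = [("Lemonade", 42), ("X Accuracy", 177), ("Carbos", 218),
               ("Poke Ball", 119), ("Fresh Water", 201)]
    written, asm = run_8f(generic)
    print("; ".join(asm))
    for addr, val in sorted(written.items()):
        print(f"${addr:04X} <- ${val:02X}")
```

Running it on the generic code prints the disassembly `ld a,$2A; ld l,$B1; ld h,$DA; inc b; ld (hl),a; inc a; ret` and a single write of $2A to $DAB1; feeding it the Max Revive variant or the Reply #741 list shows both writing $2A to $DAB1 and $AA to $DAB2, which is the "same thing" Krys3000 describes. Two checks are built in that a practitioner wants before touching a cartridge: every quantity must fit in a byte, and an item list that never reaches a `ret` (TM01, or the 201 quantity on Fresh Water) raises instead of silently running off the end the way the real game would.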