Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 279506 times)


Azarokkusu

  • GCLF Member
  • Offline Offline
  • 8F enthusiast
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #750 on: November 28, 2017, 04:54:18 am »
If I wanted to set the time played to 0 hours 0 minutes 0 seconds and 0 frames every frame (e.g. write 00 to DA40 through DA45 every frame), how might I go about accomplishing this task? It doesn't have to be the item setup; it can be the long setup with moving about on a map to set it byte by byte, though the easier item-only way would be best if possible.

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #751 on: November 28, 2017, 05:37:09 am »
Hmm, that's a very interesting idea...

I guess we could use OAM DMA Hijacking? OAM DMA routine is FF80-FF89. Using the item setup to modify this routine to jump, at each frame, to other items, and writing a code with these items that affect DA40 to DA45 may work. I could try that to be sure...
« Last Edit: November 28, 2017, 05:37:45 am by Krys3000 »

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Epsilon

  • Zeta
  • Member+
  • *
  • Offline Offline
  • The default personal text makes no sense
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #752 on: November 28, 2017, 05:49:51 am »
Interestingly enough, OAM hijacking in R/B/Y will freeze the game upon encountering a Pokémon or moving to a different area.

ISSOtm pointed out that I was doing it wrong: you're not supposed to overwrite the terminating "ret" at $FF98.
« Last Edit: November 29, 2017, 06:13:43 am by Couldntthinkofaname »
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #753 on: November 28, 2017, 09:38:21 am »
Really? That's so lame  :-\


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Online Online
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #754 on: November 29, 2017, 06:32:09 am »
Um, no, it doesn't. (We discussed, and it was because his DMA hijacking setup was a little bit dirty. The one I use is 100% clean.)


Anyways; to do this "setting play time to 0" using DMA hijacking, I have made a setup that almost works.
Almost, because it sets your play time to 0 hours 0 minutes 0 seconds and one frame. This can be fixed, at the cost of an extra

So, we'll be setting up your PC items first.
Code:
X Accuracy x65
Carbos x218
Poké Ball x175
Repel x5
Water Stone x29
Fire Stone x252
Lemonade x195
Awakening x70
TM01 x1
[any items past here if you want, doesn't matter]

Save, just to be sure.
Then, set up your item pack:
Code:
8F
[any item] x[any qty]
Lemonade x201
X Accuracy x128
Carbos x255
Water Stone x201
(or Water Stone x3 then TM01 x[any])
Use 8F. Now, sprites on-screen should stop updating. If not, then you didn't use the proper quantities; reset the game.

Otherwise, this means you successfully disabled the OAM DMA routine, which is a key component of updating sprites. Since that function is executed on every frame, and we're going to hijack it to run our own code, we need to disable it.
Now, we're going to set it up to hijack its exec.

Get yourself 131 X Accuracies and 226 Lemonades. (By that I mean, set the quantities of the corresponding stacks to the corresponding value)
Use 8F.
Toss 1 X Accuracy and 13 Lemonades. (You have 213)
Use 8F.
Toss 1 X Accuracy and 154 Lemonades. (You have 59)
Use 8F.
Toss 1 X Accuracy and set your number of Lemonades to 205.
Use 8F, and hopefully you won't crash. If you don't, your play time will now be stuck! (0 hours 0 minutes 0 seconds 1 frame)


Memory editor alternative, starting after saving after setting up the PC items.
Go to FF80, and write CD 3B D5 E2 in one go (notably, this will NOT work with offgao's memory editor).


Now, if you're reeeeally picky, you can set the play time to 0 frames instead. Just run the following 8F script.
Code:
Lemonade x2
X Accuracy x50
Carbos x218
Water Stone x201
This will tell the game to stop counting play time, which will freeze the counter to 0 frames instead of 1.


About persistence of the hijack... the hijack is destroyed by saving and resetting. Basically, you should resume from where I recommended to save; obviously the payload stored using your PC items will have survived, but the final step of the hijack (the five 8F uses, and optionally the sixth one to freeze at 0 frames) must be started over every time you reset the game, even if you saved.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Azarokkusu

  • GCLF Member
  • Offline Offline
  • 8F enthusiast
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #755 on: December 02, 2017, 12:52:56 am »
Also for those who want the codes as hex code:

from 0xd53b through 0xd54c (items in pc)

2e 41 26 da 04 af 1e 05 22 1d 20 fc 3e c3 0e 46 C9 01

You want to make sure the item list still terminates properly too (the game, from what I can tell, sets item id to 0xFF and amount to 0x01 to terminate the menu) and that your items-in-PC count is equal to the number of items in your PC, in hex (0xd53a set to 09 if you just have the items needed and nothing else).

From 0xd31e to 0xd329 (items in inventory)

5d xx xy xx 3e C9 2e 80 26 ff 22 C9

Note that when I have written xx it means any quantity (you don't need to worry about how many 8F you have, for example, since it's not part of the code itself) and when I have written xy it means any value other than FF (as that would terminate the list. I used the shorter item pack that ends with Water Stone x201 for this because it is fewer bytes to write.)

Again, make sure the item list terminates properly (the same way as the PC item list: item id FF and amount 01 [though I assume the amount wouldn't actually matter, but I'd rather take the safest route]) and that the item pack item count at 0xd31d is equal to the number of items in your item pack, in hex (06 if it's just the items needed, for example).

That's the initial setup, then you just follow the rest of the instructions.

I'd imagine there are plenty of things we could do using DMA hijacking to execute instructions every frame, but this is just a simple example.

Edit: Going to make a guide to doing this step by step, assuming you start with the initial item setups in your PC and item pack, and using 'M to dupe items when necessary (presumably if you were doing this 'legit' you'd have to have used 'M to get item amounts anyway for most codes, since you often need 201 of an item to return).



Here goes. Note: once you get the initial items set up you should save just in case! That way if you don't screw up too badly and wreck your save file you should be able to retry.

step 0: have the initial items set up in PC and item pack, duh.
step 0.5: talk to the old man in Viridian City
step 0.75: fly to Cinnabar Island, or fly to Fuchsia City and surf down to the east side of Seafoam Islands. I'd suggest the former as it's much quicker.

step 1: use 8F the first time. (MAKE SURE YOUR ITEMS ARE IN ORDER FIRST) (X accuracy count: 128. Lemonade count: 201)

step 2.1: toss 125 X accuracies (if you want to be able to see what you are doing, I'd suggest tossing 99 then 26.) X accuracy count: 3
step 2.2: dupe X accuracy with 'M (X accuracy count is now 131)

step 3.1: toss 103 Lemonades (if you want to be able to see what you are doing, I'd suggest tossing 99 then 4.) Lemonade count: 98
step 3.2: dupe lemonades with 'M (Lemonade count is now 226)


(step 2.1 is a prerequisite for 2.2 and 3.1 is a prerequisite of 3.2, but you can do steps 2 and 3 in either order as long as you do the sub-steps in order)

step 4: rearrange items to be back in order as follows:
8f x any amount
any item x any amount
lemonade x 226
x accuracy x 131
carbos x 255
water stone x 201 (or water stone x 3 then TM01 x [any])

step 5: use 8f for the second time (MAKE SURE YOUR ITEMS ARE IN ORDER FIRST)

step 6: toss 1 x accuracy and 13 lemonades (x accuracy count: 130 lemonade count: 213)

step 7: use 8f for the third time (MAKE SURE YOUR ITEMS ARE IN ORDER FIRST)

step 8.1: toss 1 x accuracy (x accuracy count: 129)
step 8.2: toss 154 lemonades (if you want to be able to see what you are doing, I'd suggest tossing 99 then 55.) (lemonade count: 59)

step 9: use 8f for the fourth time (MAKE SURE YOUR ITEMS ARE IN ORDER FIRST)

step 10: toss 1 x accuracy (x accuracy count: 128)

step 11.1: toss 58 lemonades (lemonade count: 1)
step 11.2: dupe lemonades with 'M (lemonade count: 129)
step 11.3: toss 52 lemonades (lemonade count: 77)
step 11.4: dupe lemonades with 'M (lemonade count: 205)

note: step 11 can be done many different ways as long as you end up with 205 lemonades, but I usually toss all but 1 to begin with because it is easy to keep track of. Steps 10 and 11 can also be done either way around as long as you do step 11 properly to end up with 205 lemonades.

step 12: rearrange items to be back in order as follows:
8f x any amount
any item x any amount
lemonade x 205
x accuracy x 128
carbos x 255
water stone x 201 (or water stone x 3 then TM01 x [any])

step 13: use 8f for the fifth time (MAKE SURE YOUR ITEMS ARE IN ORDER FIRST)

THE REST WILL MAKE IT 0 HOURS 0 MINUTES 0 SECONDS AND 0 FRAMES INSTEAD OF 0 HOURS 0 MINUTES 0 SECONDS AND 1 FRAME, AND IS OPTIONAL.

step 14.1: toss 203 lemonades (if you want to be able to see what you are doing, I'd suggest tossing 99, then 99, then 5.) (lemonade count: 2)
step 14.2: toss 78 x accuracies and 37 carboses. x accuracy count: 50 carbos count: 218

step 15: use 8f for the sixth and final time (MAKE SURE YOUR ITEMS ARE IN ORDER STILL FIRST)

Congrats you now have a time of 0:00:00 and 0 frames!
« Last Edit: December 02, 2017, 01:58:08 am by Azarokkusu »
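An added example, not code from the thread or any of its posters: it encodes the item lists from ISSOtm's setup and Azarokkusu's hex post into the bytes the game stores (checking the count byte and $FF terminator the hex post insists on), then replays the disable step and the four hijack uses against a tiny model of the payload's opcodes, which yields the same CD 3B D5 E2 at FF80 as the memory-editor alternative. Item IDs are the ones the thread's hex dumps imply; the Poké Ball in the "[any item]" slot and the 8F quantity of 1 are constructed stand-ins.

```python
# Item IDs implied by the hex dumps in the thread (8F = $5D, Lemonade = $3E, ...).
ITEM_IDS = {
    "8F": 0x5D, "Poke Ball": 0x04, "Awakening": 0x0E, "Repel": 0x1E,
    "Fire Stone": 0x20, "Water Stone": 0x22, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Lemonade": 0x3E, "TM01": 0xC9,
}
TERMINATOR = 0xFF  # an item id of $FF ends a list; a count byte precedes the entries

# The PC item list from ISSOtm's post (stored from $D53B, count byte at $D53A).
PC_ITEMS = [("X Accuracy", 65), ("Carbos", 218), ("Poke Ball", 175), ("Repel", 5),
            ("Water Stone", 29), ("Fire Stone", 252), ("Lemonade", 195),
            ("Awakening", 70), ("TM01", 1)]


def encode_item_list(items):
    """Bytes the game stores for a list: count, (id, qty) pairs, then $FF.

    Enforces the two invariants Azarokkusu's post stresses: no entry may carry
    id $FF (it would cut the list short) and the count byte must match."""
    if len(items) > 0xFF:
        raise ValueError("too many items for a one-byte count")
    out = bytearray([len(items)])
    for name, qty in items:
        item_id = ITEM_IDS[name]
        if item_id == TERMINATOR:
            raise ValueError("item id $FF would terminate the list early")
        if not 1 <= qty <= 0xFF:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out += bytes([item_id, qty])
    out.append(TERMINATOR)
    return bytes(out)


SKIP = 1 + 2 * 2  # count byte plus the two entries the dump marks as don't-care


def payload(items):
    """Code bytes an 8F run executes: modelled from the third entry onward."""
    return encode_item_list(items)[SKIP:-1]


def run_store_stub(code, mem):
    """Interpret the GBz80 subset the pack payloads use:
    ld a,n / ld l,n / ld h,n / ld [hl+],a / ret. Stores land in `mem`."""
    a = hl = pc = 0
    while True:
        op = code[pc]
        if op == 0x3E:                      # ld a, n
            a, pc = code[pc + 1], pc + 2
        elif op == 0x2E:                    # ld l, n
            hl, pc = (hl & 0xFF00) | code[pc + 1], pc + 2
        elif op == 0x26:                    # ld h, n
            hl, pc = (code[pc + 1] << 8) | (hl & 0xFF), pc + 2
        elif op == 0x22:                    # ld [hl+], a
            mem[hl] = a
            hl, pc = (hl + 1) & 0xFFFF, pc + 1
        elif op == 0xC9:                    # ret: hand control back to the game
            return mem
        else:
            raise ValueError(f"opcode ${op:02X} at offset {pc} is not modelled")


def pack(lemonade_qty, x_accuracy_qty):
    """ISSOtm's pack layout; only the two quantities change between uses.
    The Poke Ball x1 filler is a constructed stand-in for '[any item]'."""
    return [("8F", 1), ("Poke Ball", 1), ("Lemonade", lemonade_qty),
            ("X Accuracy", x_accuracy_qty), ("Carbos", 255), ("Water Stone", 201)]


def replay_hijack():
    """Replay the disable use and the four hijack uses; return HRAM $FF80..$FF83."""
    mem = {}
    # (Lemonade qty, X Accuracy qty) per 8F use, in the order the post gives them.
    for lemonade, x_acc in [(201, 128), (226, 131), (213, 130), (59, 129), (205, 128)]:
        run_store_stub(payload(pack(lemonade, x_acc)), mem)
    return bytes(mem[addr] for addr in range(0xFF80, 0xFF84))
```

The replay also shows why the post writes the bytes backwards: the `CD` that turns FF80 into a `call` only lands on the last use, once the three bytes after it are already in place.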

forsyz

  • GCLF Member
  • *
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #756 on: December 12, 2017, 01:49:21 am »
Could something like the "game memory hacking itself" ROM hack be done with 8F? It would be cool to see the game glitching itself on a real cartridge.

Epsilon

  • Zeta
  • Member+
  • *
  • Offline Offline
  • The default personal text makes no sense
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #757 on: December 12, 2017, 05:41:20 am »
Could something like the "game memory hacking itself" ROM hack be done with 8F? It would be cool to see the game glitching itself on a real cartridge.

...

????????

I'm going to assume you're referring to a ROM hack that alters data pseudo-randomly, in which case, no, that cannot be done with 8F under any circumstances. If you want to make a ROM hack, use pokered.

Parzival

  • DO NOT TOUCH SPAGOOT
  • GCLF Member
  • *
  • Offline Offline
  • AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #758 on: December 12, 2017, 08:32:01 am »
Yeah, it adds some register mixing to VBlank. That's not RAMable.
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Online Online
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #759 on: December 12, 2017, 06:59:09 pm »
Actually, it's doable, but differently. Again, DMA hijacking is king.

Concept: (I don't feel like working out the exact details)
VBlank saves registers (push af at beginning, pop af before returning, for example).

Thus, their values are written on the stack.
Code:
ld hl, sp+X   ; point HL at one of the register values VBlank pushed on the stack
ld [hl], Y    ; overwrite that saved byte; it is restored into the register on pop
ld a, $C3     ; restore A and C to what the hijacked DMA routine expects
ld c, $46     ; (A = OAM source page, C = low byte of the $FF46 DMA register)
ret
:)

Parzival

  • DO NOT TOUCH SPAGOOT
  • GCLF Member
  • *
  • Offline Offline
  • AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #760 on: December 13, 2017, 06:40:51 pm »
Until it steamrolls itself.


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Online Online
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #761 on: December 13, 2017, 06:54:28 pm »
If there are at least 8 bytes free in HRAM, you can fit this code there, and greatly reduce the chances of said code steamrolling itself. Unless you corrupt h with $FF.

Epsilon

  • Zeta
  • Member+
  • *
  • Offline Offline
  • The default personal text makes no sense
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #762 on: January 13, 2018, 10:05:17 am »
CartSwap using button input

CartSwap currently uses a timer to delay frames until reboot, meaning the user must quickly pull out the cartridge and insert a new one before the timer ends.

This new version simply waits until the user presses START before rebooting.

8f
Any xAny
TM43 x4 (hex:04)
Lemonade x16 (hex:10)
Carbos x255 (hex:FF)
X Accuracy x1 (hex:01)
Ice Heal x45 (hex:2D)
Burn Heal x119 (hex:77)
Elixer x126 (hex:7E)
TM30 x15 (hex:0F)
Awakening x7 (hex:07)
Potion x185 (hex:B9)
Fire Stone x235 (hex:EB)
X Attack x101 (hex:65)
Protein x14 (hex:0E)
Master Ball x121 (hex:79)
TM33 x[Any qty]

ASM:
Code:
di ; Prevent the game from prematurely executing the other game's interrupts
inc b ; Filler
.loop
ld a,$10 ; a = $10
ld h,$ff ; hl = $FF22
ld l,$01 ; hl = $FF01
dec c ; Filler
dec l ; hl = $FF00, hardware register responsible for Joypad input
inc c ; Filler
ld (hl),a ; Enable polling for button inputs
ld d,d ; Filler
ld a,(hl) ; Grab current button inputs
and $0f ; Filter out unrelated upper nibble
ld c,$07 ; c = $07
inc d ; Filler
cp c ; compare a with c. In binary, this would check for %0111, as bit 3 is reset if START is pressed
jr nz,.loop ; Not Equal? Go to loop
ld b,c ; Filler
ld h,l ; hl = $0000
inc h ; hl = $0100 (GB booting point)
ld c,1 ; c = 1
ld a,c ; a = 1
jp hl ; Reboot
« Last Edit: January 13, 2018, 10:05:51 am by Epsilon »

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Online Online
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #763 on: January 16, 2018, 11:28:01 pm »
A CartSwap setup had been made (by Cryo, IIRC), which used the joypad to wake up the Game Boy. It did this, plus fillers:
Code:
ld a, $20 ; Select dpad
ldh [$FF00], a
ld a, $10 ; Joypad interrupt
ldh [$FFFF], a
stop ; $10, makes the Game Boy "deep sleep" until an interrupt occurs
XX ; Any byte
xor a
ld [$FF0F], a
inc a
ld [$FFFF], a
halt ; Wait for a VBlank interrupt, this helps stabilize the state

The user should simply run the code, swap carts, and press the D-Pad.
(Note: if the D-Pad is already held when the setup is run, it will fail.)

Parzival

  • DO NOT TOUCH SPAGOOT
  • GCLF Member
  • *
  • Offline Offline
  • AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #764 on: January 17, 2018, 08:58:13 am »
It'd probably help if we spent about 1/4 of a second wasting time in this setup so we have time to compensate for user reaction time and button bounce.