Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 217072 times)


camper (aka GlitcherRed, azum4roll)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #15 on: April 27, 2013, 11:40:50 am »
The character before the MN symbol counts, not the one after.
« Last Edit: April 27, 2013, 11:41:03 am by camper »
Youtube
 

Guess where this is?

TheZZAZZGlitch
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #16 on: April 27, 2013, 11:58:41 am »
Doing arbitrary code execution stuff, forgetting how the classic old man glitch works :P
But even when I take the character before as the level byte, I still keep getting the same roster.
qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF

Torchickens
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #17 on: April 27, 2013, 01:08:07 pm »
Quote
Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

Well, that's amazing. However, it still requires having the right name. Also, no matter which roster (letter after the MN symbol) I try, Prof. Oak will throw a "◣ゥ 8" (hex C9) out. Maybe this roster in the video has something to do with that Rocket in Silph Co. the author of the video fought previously and lost to?

The second/fourth/sixth letters only change the wild Pokémon levels, not the Trainer rosters. Roster numbers are normally determined by the memory address D05D. The reason why "◣ゥ 8" (hex C9) is sent out as the first Pokémon is that the game doesn't update D05D with coast-glitch Trainers, so the game loads roster 256 (00) if you haven't fought a previous Trainer.

In order to get Professor Oak to have a 94, you must get the game to load roster 28h. The Rocket on Silph Co. 11F just happens to use Rocket roster 28h. You don't have to lose to him to get the roster into memory; you can beat him too.

Quote
Anyway, thank you for all that information on encounter flags - maybe I will be able to use this to shorten my first obtainment method.

You're welcome.

Quote
Few glitched rosters can be found by the Ditto trick (2, to be exact, without the use of a Pokémon with Swords Dance).

I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.
« Last Edit: April 27, 2013, 01:33:06 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Wack0 (coder, reverser, beta collector; BetaArchive staff)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #18 on: April 27, 2013, 01:46:53 pm »
Quote
Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive / SoftHistory Forums / irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Torchickens
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #19 on: April 27, 2013, 02:13:04 pm »
Quote
Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

Quote
I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?

In theory they should, however all the Pokémon you mention froze the game when I got them to appear on the opponent's side. You'd need to do the Cable Club blackout glitch in combination with the Johto guard glitch (or maybe the remaining HP glitch) to get them to appear as well.

The only known item mutation glitch Pokémon (when Paco81 and I researched them on the temporary forums) that can be seen without the Cable Club blackout glitch are 94 #213 (via Prof Oak roster 28h) and p PkMnp' ' #230 in Yellow which can be seen via the Ditto glitch with a Special stat of 194.
« Last Edit: April 27, 2013, 02:15:16 pm by Torchickens »

Vuroja5
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #20 on: April 27, 2013, 02:53:46 pm »
This must be the most significant discovery since the Mew glitch. You've enabled nearly all the useful Select button glitches for use on Red/Blue. Great job TheZZAZZGlitch.

camper
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #21 on: April 27, 2013, 11:17:32 pm »
Quote
Few glitched rosters can be found by the Ditto trick (2, to be exact, without the use of a Pokémon with Swords Dance).

I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.

I was too sleepy to think well. :-[
Yes, you can access 6 glitch rosters with Lance (02h - 07h). However, encountering ZZAZZ glitch trainers doesn't end up fighting the actual roster. The game fetches other data from elsewhere and replaces the roster during the blackout time. For instance, opening the Fly menu before the encounter makes the glitch entirely different.

TheDarkAce
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #22 on: April 28, 2013, 08:37:26 am »
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.

Surely you can use p PKMN p to get the glitch item ws m?
Can't remember how p PKMN p works, though.

TheZZAZZGlitch
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #23 on: April 28, 2013, 10:04:14 am »
Actually, if I think more about it, doing it in Yellow is even easier than in Red/Blue.

Encountering p PkMn p' ' in Yellow will add 32 to the identifier of the fifth slot in the bag if the item does not have one of the following hexadecimal identifiers: $2X $3X $6X $7X $AX $BX $EX $FX. Having X Speed in the fifth slot and encountering p PkMn p' ' is enough to get "ws m".

Also, bootstrapping code for "ws m" is a lot easier to deploy, as it only relies on Pokémon in the current box, and no specific moves/PP values/stats are needed. The requirements to make "ws m" execute code from the 3rd item slot are as follows:

1.  20 Pokémon in your PC box                                         [0xDA7F = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA80 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA81 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA82 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA83 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA84 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA85 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA86 = 0x06]
9.  Growlithe as the 8th Pokémon in the current PC box                [0xDA87 = 0x21]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA88 = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA89 = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8A = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA8B = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA8C = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA8D = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                 [0xDA8E = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                 [0xDA8F = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA90 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA91 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA92 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA93 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA94 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA95 = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA96 = 0x00]
                                               +-                     [0xDA97 = 0xE9]


ASM:
; initial value of hl = DA7F
WRA1:DA7F 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA80 25               dec  h      ; hl = D97F
WRA1:DA81 25               dec  h      ; hl = D87F
WRA1:DA82 25               dec  h      ; hl = D77F
WRA1:DA83 25               dec  h      ; hl = D67F
WRA1:DA84 25               dec  h      ; hl = D57F
WRA1:DA85 25               dec  h      ; hl = D47F
WRA1:DA86 06 21            ld   b,21
WRA1:DA88 68               ld   l,b    ; hl = D421
WRA1:DA89 A9               xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8A A9               xor  c
WRA1:DA8B A9               xor  c
WRA1:DA8C A9               xor  c
WRA1:DA8D A9               xor  c
WRA1:DA8E A9               xor  c
WRA1:DA8F A9               xor  c
WRA1:DA90 A9               xor  c
WRA1:DA91 A9               xor  c
WRA1:DA92 A9               xor  c
WRA1:DA93 06 FF            ld   b,FF   ; offset hack: making the end-of-list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA95 25               dec  h      ; hl = D321 (identifier of item 3 in Yellow)
WRA1:DA96 00               nop
WRA1:DA97 E9               jp   hl

Note: All tricks from Red/Blue, with the exception of "changing the second item", won't work in Yellow, as the addresses are different. They need to be modified in order to work.
« Last Edit: April 29, 2013, 10:28:32 pm by TheZZAZZGlitch »

Torchickens
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #24 on: April 28, 2013, 11:45:44 am »
That's cool. Nice work.

Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).

Wack0
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #25 on: April 29, 2013, 10:16:27 am »
Now, I wonder if there is a similar item in JP Yellow, and in FR/DE/ES/IT RBY.

IceMans
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #26 on: April 29, 2013, 10:34:14 am »
Interesting, nice to hear that this can be done in Yellow as well as Red and Blue.
Can't wait to try this :P

Blaziken257
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #27 on: April 29, 2013, 09:42:01 pm »
This is all impressive, but there's one thing that's been puzzling me...

As for walking through walls and escaping from a trainer battle, it involves storing whatever is in register A into a memory address. However, what value does A happen to be when executing this code? A is never modified in the bootstrap code, and I don't see it anywhere else, either. Or am I missing something?

TheZZAZZGlitch
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #28 on: April 29, 2013, 10:26:51 pm »
When execution gets to the item list, the registers are guaranteed to have the following values initially:

Red/Blue:

af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de = 0001 [d=00, e=01]
hl = D322 [h=D3, l=22]

Yellow:

af = 7F40 [a=7F, f=40]
bc = FFC4 [b=FF, c=C4]
de = 0101 [d=01, e=01]
hl = D321 [h=D3, l=21]


Quote
Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).
That was a mistake, thank you for pointing that out.

Edit: Thanks to Torchickens and his information about encounter flags, I have found a new, easier and side-effect-less method of obtaining 8F in Red/Blue. It does not require having a specific name, unlike the previous Prof. Oak's glitch roster method.

Video: http://www.youtube.com/watch?v=WD_GVaQwn8o
Instructions/requirements/execution steps can be found in the first post in this thread.
« Last Edit: April 30, 2013, 08:54:49 am by TheZZAZZGlitch »

Wack0
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #29 on: April 30, 2013, 10:08:39 am »
Well, just decided to quickly code something for 8F...

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM you want to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
D322: 3E xx         ld a, xx      ; item 3: Lemonade, quantity = byte to write
D324: 2E xx         ld l, xx      ; item 4: X Accuracy, quantity = low byte of address
D326: 26 xx         ld h, xx      ; item 5: Carbos, quantity = high byte of address
D328: 04            inc b         ; item 6: Poké Ball (identifier 04, harmless)
D329: 77            ld (hl), a    ; quantity 119 (77h): the actual write
D32A: 3C            inc a         ; item 7: Fresh Water (identifier 3C, harmless)
D32B: C9            ret           ; quantity 201 (C9h): return to the game

So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one I tested it with -- on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)
« Last Edit: May 01, 2013, 06:04:08 am by Wack0 »
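Added here as an example (not code from the thread or from any of its posters): a small Python interpreter for just the GB-Z80 opcodes the two byte streams above use, so both can be checked offline before anyone spends time arranging a PC box or a bag. It traces TheZZAZZGlitch's "ws m" PC-box bootstrap for Yellow (reply #23), confirming that execution walks from $DA7F to a `jp hl` with hl = $D321 and that the box list's $FF terminator is swallowed as the operand of `ld b,n` rather than decoded as `rst 38`; and it traces Wack0's 8F write primitive (reply #29) for the GameShark code 011559D0 under the Red/Blue entry registers from reply #28, confirming a single write of $15 to $D059 followed by `ret`. The species and item IDs, quantities and addresses are the ones the posts give (item IDs are read off Wack0's disassembly); the interpreter, the function names and the register values other than hl are this example's own assumptions.

```python
"""Added example (not code from the thread or its posters): a tiny GB-Z80
subset interpreter that checks two byte streams discussed above offline.
Species IDs, item IDs, quantities and addresses come from the posts (item IDs
are read off Wack0's disassembly); the interpreter, function names and the
register values other than hl are assumptions of this example."""

# Internal species indexes quoted in reply #23 (Yellow "ws m" bootstrap).
SLOWPOKE, VOLTORB, GROWLITHE, JOLTEON, GEODUDE = 0x25, 0x06, 0x21, 0x68, 0xA9

# Item IDs implied by the opcodes in Wack0's disassembly (reply #29).
ITEM_ID = {"Lemonade": 0x3E, "X Accuracy": 0x2E, "Carbos": 0x26,
           "Poke Ball": 0x04, "Fresh Water": 0x3C}

# Opcode tables for the subset used here: inc r / dec r / ld r,n (r != (hl)).
INC8 = {0x04: "b", 0x0C: "c", 0x14: "d", 0x1C: "e", 0x24: "h", 0x2C: "l", 0x3C: "a"}
DEC8 = {0x05: "b", 0x0D: "c", 0x15: "d", 0x1D: "e", 0x25: "h", 0x2D: "l", 0x3D: "a"}
LD_IMM = {0x06: "b", 0x0E: "c", 0x16: "d", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}

def ws_m_box_bytes():
    """The 25 bytes from $DA7F produced by the PC-box layout in reply #23:
    box count, 20 species, the $FF terminator, then the first boxed Pokémon's
    species and its big-endian HP (233 = $00E9)."""
    species = [SLOWPOKE] * 6 + [VOLTORB, GROWLITHE, JOLTEON] + [GEODUDE] * 10 + [VOLTORB]
    return bytes([len(species)] + species + [0xFF, SLOWPOKE, 0x00, 0xE9])

def gameshark_to_items(code):
    """Turn a GameShark RAM-write code 01VVLLHH into the quantities for items
    3..7 of Wack0's list (items 1 and 2 are 'anything' and 8F)."""
    code = code.replace(" ", "").upper()
    if len(code) != 8 or not code.startswith("01"):
        raise ValueError("only 01-type (RAM write) codes are supported")
    value, lo, hi = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    items = [("Lemonade", value), ("X Accuracy", lo), ("Carbos", hi),
             ("Poke Ball", 0x77), ("Fresh Water", 0xC9)]
    for name, qty in items:
        if qty == 0:  # a bag slot cannot hold 0 of an item
            raise ValueError(f"{name} quantity would be 0, which the bag cannot hold")
    return items

def items_to_bytes(items):
    """Bag layout: one (item id, quantity) byte pair per slot."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty))

def run(mem, pc, regs, max_steps=64):
    """Execute from pc until `ret` or `jp hl`. Returns (regs, jump_target);
    jump_target is hl at `jp hl`, or None if execution ended with `ret`.
    Raises on $FF (rst 38), unsupported opcodes and running off the payload."""
    r = dict(regs)
    for _ in range(max_steps):
        op = mem.get(pc)
        if op is None:
            raise RuntimeError(f"ran off the end of the payload at {pc:04X}")
        if op == 0xFF:
            raise RuntimeError(f"rst 38 at {pc:04X}: $FF decoded as an opcode")
        pc += 1
        if op == 0x00:                       # nop
            pass
        elif op in INC8:
            r[INC8[op]] = (r[INC8[op]] + 1) & 0xFF
        elif op in DEC8:
            r[DEC8[op]] = (r[DEC8[op]] - 1) & 0xFF
        elif op in LD_IMM:                   # ld r,n: the next byte is data, not code
            r[LD_IMM[op]] = mem[pc]; pc += 1
        elif op == 0x68:                     # ld l,b
            r["l"] = r["b"]
        elif op == 0xA9:                     # xor c
            r["a"] ^= r["c"]
        elif op == 0x77:                     # ld (hl),a
            mem[(r["h"] << 8) | r["l"]] = r["a"]
        elif op == 0xE9:                     # jp hl
            return r, (r["h"] << 8) | r["l"]
        elif op == 0xC9:                     # ret
            return r, None
        else:
            raise RuntimeError(f"unsupported opcode {op:02X} at {pc - 1:04X}")
    raise RuntimeError("step limit reached")

def trace_ws_m():
    """Trace the Yellow box bootstrap; returns the jp hl target (expect $D321)."""
    mem = {0xDA7F + i: b for i, b in enumerate(ws_m_box_bytes())}
    # hl = $DA7F as the listing states; the other registers do not steer this trace.
    regs = dict(a=0, b=0, c=0, d=0, e=0, h=0xDA, l=0x7F)
    return run(mem, 0xDA7F, regs)[1]

def trace_8f_write(code):
    """Trace Wack0's item list for one GameShark code under the Red/Blue entry
    registers from reply #28; returns (address written, value written)."""
    payload = items_to_bytes(gameshark_to_items(code))
    mem = {0xD322 + i: b for i, b in enumerate(payload)}
    regs = dict(a=0x63, b=0x22, c=0xB8, d=0x00, e=0x01, h=0xD3, l=0x22)
    before = set(mem)
    _, target = run(mem, 0xD322, regs)
    if target is not None:
        raise RuntimeError("payload should end with ret, not jp hl")
    (addr,) = set(mem) - before
    return addr, mem[addr]
```

Two caveats the trace makes visible: a GameShark code whose value or address byte is $00 cannot be encoded this way, because no bag slot can hold 0 of an item, so `gameshark_to_items` rejects it; and the 119 and 201 quantities for Poké Ball and Fresh Water are above the 99 the shops will sell you, so they have to come from a quantity-altering glitch rather than normal play.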