
Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 228857 times)


DrManowar

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #585 on: May 18, 2017, 09:04:15 pm »
This past week, I have been learning about arbitrary code execution. I started off with simple scripts in Pokemon Yellow, and I am currently working on creating Pong in Pokemon Blue using TheZZAZZGlitch's code. Currently, the program is running when I use 8F, but unlike in the video by TheZZAZZGlitch, my ball is always starting off by going in the top left direction instead of the top right direction. This is causing the ball to phase through the left wall and causing the ball to phase through the paddle on its way down.

I finally noticed a workaround: First, I changed the last "0D" byte in the seventh row to a "0A", waited for the ball to continuously hit the paddle and the top left corner repeatedly, and then I changed that "0A" byte back to a "0D". After changing it back to the 0D while the program is running, it functions completely as intended. I should mention that I am trying this on VBA which is how I am editing the memory.

I am looking for a workaround to this that would allow me to not have to manually change the memory while the program is running. Would anyone know how to change the bytes around to allow the ball to start off moving in the top right direction rather than the top left? I am not sure if this would be the solution though. Any help is greatly appreciated.

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #586 on: May 19, 2017, 05:53:56 am »
Well, VBA is a pretty bad emulator (even more for the GB than the GBA), so first of all I think you should switch to either BGB, Gambatte, or at the very least VBA-M.
I'm not sure this will fix the error, though.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Laffeyh

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #587 on: June 07, 2017, 09:56:10 am »
Hey there,

I am searching for a modified Alternative Catch 'Em All glitch.
I would like to add the Pokemon I want to the current active box, not to my team, and change the obtained Pokemon's DVs to the shiny values in the same step. It is pretty annoying to change the whole setup and do the item duplication glitch for every 20 Pokemon.

Furthermore, is there any general explanation on some of the Items? Do Items like Lemonade, Fresh Water, the X items, Carbos and so on have a general function in EVERY code, or are they for example only doing certain things in different setups?
For example I see that many glitches regarding the boxes have Carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh

TheSixthItem

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #588 on: June 07, 2017, 01:53:00 pm »
@Laffeyh
Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.
« Last Edit: June 07, 2017, 01:53:46 pm by TheSixthItem »
I do things

jfb1337

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #589 on: June 08, 2017, 02:19:50 pm »

Furthermore, is there any general explanation on some of the Items? Do Items like Lemonade, Fresh Water, the X items, Carbos and so on have a general function in EVERY code, or are they for example only doing certain things in different setups?
For example I see that many glitches regarding the boxes have Carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh

The items basically correspond to certain opcodes (instructions) in Z80 assembly. You can learn about it from this guide on the site, or from plenty of other resources online too. The game stores items as an ID number followed by the number of them you have, and ACE takes advantage of that by making the game reinterpret that list of numbers as code to be run. A list of which items correspond to which opcodes is here.

The items you see a lot in scripts basically correspond to commonly used opcodes. For example, Lemonade is "ld a, $xx" (where xx is the next number in memory, the quantity of this item stack), which sets the "a" register to whatever you want; this is very useful since that value can then be written somewhere in memory, or you can do arithmetic on it, or whatever. Carbos and X Accuracy correspond to "ld h, $xx" and "ld l, $xx" respectively, which are used most often to determine where something should be written in memory, or sometimes where to jump to.


8F

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #590 on: June 15, 2017, 07:46:56 am »
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end, because the game crashed and I lost my save. Does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used Brock Through Walls to get HM Fly and Surf, as well as going to Cerulean Cave to get a high level Pokémon to defeat the two gym leaders in order to access the Old Man trick, but is there a quicker method?
« Last Edit: June 15, 2017, 09:55:21 am by 8F »

Parzival

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #591 on: June 15, 2017, 04:59:35 pm »
There's already-set-up saves for 8F and ws m... somewhere... I think Torchickens uploaded them, try asking her.
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

I'm working with a small team on a few secret projects. I don't know when they'll be released, but when they are, they'll be below.


8F

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #592 on: June 16, 2017, 02:31:55 am »
Sorry, I should've mentioned that I'm playing on the 3DS.

jfb1337

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #593 on: June 16, 2017, 07:26:20 am »
The fastest way to get the 8F setup would be to encounter missingno via Trainer Fly, not Old Man Trick. This can be done by losing to the 2nd trainer's machop in Saffron dojo after setting up the TFly.

What do you mean by not having the right inventory? Once you have 255 x specials, all you need are two of any tossable item to do the dry variant of Item Underflow.


ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #594 on: June 16, 2017, 09:17:14 am »
You can also lose to Misty to get the correct encounter Special.
« Last Edit: June 16, 2017, 09:18:13 am by ISSOtm »

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #595 on: June 16, 2017, 10:57:05 am »
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end because the game crashed and lost my save so does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used brock through walls to get HM Fly and Surf as well as going to cerulean cave to get a high level pokemon to defeat the two gym leaders in order to access the Old Man trick but is there a quicker method?

Hi 8F! What you need to do is obtain three stacks of X Special x255 (by putting the initial x255 in slot 3 and then tossing all of slot 2 and slot 1) but have only one item registered; so there are three X Specials at the top but you can only scroll down to the first two, and the second acts as a Cancel. Afterwards, tossing 253 of the first X Special and swapping the X Special x2 with the second stack and then the third will give you an X Special x0 and underflow the inventory.

An early way to get a x255 stack is this:

1) Use Brock Through Walls to go to Saffron City then heal at Saffron City Pokémon Center
2) Go west to Celadon City to buy an Abra using the coins on the ground at the Game Corner
3) Head to Route 6 and set up a Trainer-Fly using Abra's Teleport.
4) Lose to the first Black Belt at Saffron Fighting Dojo.
5) Return to Route 6 after flashing the Start menu to encounter MissingNo. to get x129 of an item in slot 6.
6) Toss two of the item, run from MissingNo. and repeat steps 3-5 to encounter another MissingNo. and get x255.

(Note: It may also be possible to use up two of the item in slot 6 once you get x129 and then catch MissingNo. to get x255, e.g. if it's an X Attack. The item in slot 6 shouldn't be a Poké Ball.)

If you have another 3DS with Red/Blue you can also obtain a CoolTrainer Ditto on Red/Blue (use Transform, swap first move with second move and run), enter battle with it in Diglett's Cave, flash the Pokémon menu (important) and then scroll through Ditto's move until the music fades. Afterwards, the Pokémon will turn into MissingNo. and catching it will duplicate the slot 6 item if there are under 128.

Hope that helps and sorry for late response!  :)
« Last Edit: June 16, 2017, 10:58:11 am by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Problems with 8F

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #596 on: June 19, 2017, 05:07:03 am »
Hello guys,
I've got a problem in getting the 8F Item. I tried the item underflow glitch (dry version without an item event giveaway) several times, but every time I'm searching for it I only find an Item called 7S in the place where 8F is shown in several YT videos. So I thought that's the German version of the 8F Item (playing the German version of Pokemon Red on the VC). I tried the item morphing glitch but nothing happened; I even tried to change my TID to get the ideal TID for exchanging my Mew to Pokemon Bank, but still no effects. Did I get something wrong, or are there other methods for obtaining the 8F Item? Thanks in advance for the help guys :)

Edit: It's S7 not 7S, sorry!
« Last Edit: June 19, 2017, 05:09:28 am by Problems with 8F »

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #597 on: June 19, 2017, 01:40:41 pm »
Are you using the correct bootstrap? The German version requires a different party set-up than the English one. There is one posted on page 4 (the first post, easy to find), but it's a pretty old one. Other European players may have a less complicated one.

PS: S7 is indeed the German 8F.

Problems with 8F

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #598 on: June 19, 2017, 02:16:51 pm »
Thx for the answer, so I've got the 8F Item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kanghaskan

I will try the other one on page 4, thx!

PS: I've used this video as a guide, for the people that are interested.
https://youtu.be/H8AgGp5cqPI
« Last Edit: June 19, 2017, 02:26:09 pm by Problems with 8F »

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #599 on: June 19, 2017, 08:52:23 pm »
Thx for the answer, so I've got the 8F Item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kanghaskan

I will try the other one on page 4, thx!

PS: I've used this video as a guide, for the people that are interested.
https://youtu.be/H8AgGp5cqPI

Yeah, in non-English European versions you will likely need to use a different bootstrap code.

Note before you use the change player ID items code you will also need to alter it as memory addresses in non-English European versions are +5 of the original.

In the code below (the one you may have tried using to change your Trainer ID part 1) you will just need to change the X Accuracy x89 into an X Accuracy x94, and similar logic applies to the rest.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x89  ; ld a, 59
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the second code (trainer ID change part 2 below), change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x12  ; ld a, 0C
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the third code (player name letter 1 change) change X Accuracy x88 to X Accuracy x93.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x88  ; ld l, 58
Lemonade    x134 ; ld a, 86
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


For the fourth code (player name letter 2 change) change X Accuracy x89 to X Accuracy x94.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x133 ; ld a, 85
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the fifth code (player name terminator in position 3), change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x80  ; ld a, 50
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

When certain memory addresses are defined in the code, such as many in the DXXX region (but not for instance CD38, which when set to 1 allows you to walk through walls) most of the time you will just need to change them to be +5 of the original (which you can do using a calculator that supports hexadecimal such as Windows Calculator or just regard digits beyond 9 as A-F as you count up by five).

Note that this logic doesn't apply to addresses that use "call" or "jp" to run a routine in the ROM, such as the gift Pokémon code. For that you will have to locate the routine in the original English version in a debugger, converting the address from a pointer to an offset if necessary (only for addresses between 4000-7FFF), then use a hex editor to look for similar byte code in the non-English European version, then convert it back into a pointer; this will be your address following call or jp.

My explanation isn't adequate though as it doesn't explain things like how to use a hex editor, how to convert a pointer to an offset or how you may have to swap the byte order ("endianness") due to an address following call or jp being formatted yyxx rather than xxyy. So if you ever need to convert a code that uses call or jp in such a way let me know and I'll walk you through it and convert it for you.

Hope this helps!  :)
« Last Edit: June 19, 2017, 08:57:48 pm by Torchickens »
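As an added example (not code from the thread, nor from the GBz80 to Items tool), the Python below treats an 8F item list the way jfb1337's reply describes, as a stream of GBz80 opcodes where each slot contributes its item ID and quantity byte, recovers the address a setup writes to, and applies the +5 adjustment from Torchickens' post to the Trainer ID part 1 code while leaving a call target alone. The opcode table covers only the items these setups use, and the "Any Item" slots are filled with a Poké Ball (ID 0x04) as a constructed placeholder.

```python
# Added example: an 8F item list viewed as the GBz80 bytes the CPU executes,
# plus the "+5 for non-English European versions" adjustment from the thread.
# Not code from the thread or from the GBz80 to Items tool.

# Gen 1 item IDs for the items used in the setups above (TMxx = 0xC8 + xx).
ITEM_IDS = {"Antidote": 0x0B, "Carbos": 0x26, "X Accuracy": 0x2E,
            "Lemonade": 0x3E, "Water Stone": 0x22, "TM01": 0xC9, "TM05": 0xCD,
            "TM09": 0xD1, "TM11": 0xD3, "Any Item": 0x04}  # 0x04: Poke Ball placeholder

# opcode byte -> (mnemonic, number of immediate bytes that follow)
OPCODES = {0x01: ("ld bc,nn", 2), 0x0B: ("dec bc", 0), 0x22: ("ld (hl+),a", 0),
           0x26: ("ld h,n", 1), 0x2E: ("ld l,n", 1), 0x3E: ("ld a,n", 1),
           0xC3: ("jp nn", 2), 0xC9: ("ret", 0), 0xCD: ("call nn", 2)}

def setup_to_bytes(setup):
    """Flatten [(item, qty), ...]; execution starts at slot 3, so 8F and the free slot are skipped."""
    return bytes(b for name, qty in setup[2:] for b in (ITEM_IDS[name], qty))

def disassemble(code):
    """Linear sweep up to the first ret: [(offset, mnemonic, immediate)], little-endian."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            raise ValueError(f"no entry for opcode {op:#04x} at offset {i}")
        mnem, n = OPCODES[op]
        imm = int.from_bytes(code[i + 1:i + 1 + n], "little") if n else None
        out.append((i, mnem, imm))
        i += 1 + n
        if mnem == "ret":
            break
    return out

def write_target(setup):
    """Address in hl when 'ld (hl+),a' runs, i.e. where this setup writes."""
    h = l = None
    for _, mnem, imm in disassemble(setup_to_bytes(setup)):
        if mnem == "ld h,n":
            h = imm
        elif mnem == "ld l,n":
            l = imm
        elif mnem == "ld (hl+),a":
            return (h << 8) | l
    return None

def shift_for_european(setup):
    """Copy of the setup with every DXXX address built by ld h / ld l moved +5.
    The immediate of 'ld l,n' is the quantity of the X Accuracy slot, so the
    edit is just x89 -> x94. call/jp immediates (ROM routines) are untouched."""
    new = [list(slot) for slot in setup]
    h = None
    for off, mnem, imm in disassemble(setup_to_bytes(setup)):
        if mnem == "ld h,n":
            h = imm
        elif mnem == "ld l,n" and h is not None and 0xD0 <= h <= 0xDF:
            if off % 2:  # immediate would be the next slot's item ID, not a quantity
                raise ValueError("ld l,n immediate is not a quantity byte")
            new[2 + off // 2][1] += 5
    return [tuple(slot) for slot in new]

# Constructed sample inputs: the Trainer ID part 1 code from the post above (the
# "xAny" quantities set to 1) and a call to $3E48 built from TM05 x72 followed by
# Lemonade, whose ID 0x3E supplies the high byte; Lemonade x201 (0xC9) is the ret.
TRAINER_ID_PART1 = [("8F", 1), ("Any Item", 1), ("Antidote", 38), ("TM11", 1),
                    ("Any Item", 1), ("X Accuracy", 89), ("Lemonade", 89),
                    ("Water Stone", 1), ("Any Item", 1), ("TM01", 1)]
GIFT_CALL = [("8F", 1), ("Any Item", 1), ("TM05", 72), ("Lemonade", 201)]
```

Running `shift_for_european(TRAINER_ID_PART1)` turns the X Accuracy x89 into x94 and moves the write from D359 to D35E, while `GIFT_CALL` comes back unchanged because its only address is the call immediate.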