Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 209617 times)


Yeniaul

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #555 on: February 15, 2017, 08:09:54 pm »
...broken.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #556 on: February 16, 2017, 06:14:57 am »
Works for me.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

SaneBane
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #557 on: February 20, 2017, 06:30:06 am »
Hey you all!
Thank you so much for all the help and support in this forum! I managed to obtain the S7 in the German version of Red, but I'm struggling to figure out how to "convert" the item setups for the hacks to function... it's kinda over my head.
Can you help me?

I want to change my Mew's Trainer ID(22796) and OT(GF) so I can transfer it over to Sun/Moon + change the DVs of a Pokemon so it will be shiny.

I followed this guide for my english version of the game and it worked fine:
https://www.youtube.com/watch?v=H8AgGp5cqPI&t=1080s
I'd love to do the same with my german version!

ISSOtm
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #558 on: February 20, 2017, 11:27:08 am »
Use to change your OT:
Code:
any item/ws# #m#
any item/ws# #m# (one of these has to be ws# #m# obviously)
TM50 x186
TM10 x3 (works with 64, but 3 should too)
TM34 x93
TM09 x35
Poké Ball x52
X Accuracy x44
Great Ball x52
TM01 x[any qty]

Use to change your TID:
Code:
any item/ws# #m#
any item/ws# #m#
Lemonade x89
Repel x12
Carbos x211 (Should work even if you remove this item)
X Accuracy x94
Water Stone x115
TM01 x(any)

Didn't try, so if you could send me some feedback whether it worked or not I'd appreciate it a lot.
Also, if you want to keep your OT and TID, tell us, we'll do the job.

NukingDragons
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #559 on: February 26, 2017, 05:26:15 pm »
I found a typo in the Super-compressed 3-Pokémon setup.

Super-compressed 3-Pokémon setup (problematic because of hex D3 glitch Pokémon, which can be difficult to obtain; also, some item lists do not work with this setup)

1.  Exactly 6 Pokémon in the party                                    [0xD163 = 0x06]
2.  Hex C3 glitch Pokémon as the first Pokémon                        [0xD164 = 0xC3]
3.  Onix as the second Pokémon                                        [0xD165 = 0x22]
4.  Hex D3 glitch Pokémon as the third Pokémon                        [0xD166 = 0xD3]


That setup has this code:
Code:
WRA1:D163 06 C3         ld b, 0xC3
WRA1:D165 22            ld (hl), a
WRA1:D166 D3            <Invalid Opcode>

Which does NOT jump to the third item in memory, because of the 6 Pokémon in the party.

However, a party of 3 (minimum) to 5 DOES work:
Code:
WRA1:D163 03               inc bc
WRA1:D164 C3 22 D3         jp 0xD322

With 4:
Code:
WRA1:D163 04               inc b
WRA1:D164 C3 22 D3         jp 0xD322

And with 5:
Code:
WRA1:D163 05               dec b
WRA1:D164 C3 22 D3         jp 0xD322

Also, for the "some item scripts won't work with this setup" issue, you can use this right before your main script if you don't want to rewrite it:
(Sets HL to 0xD322)
Code:
8F / first item (Depends on the script)
8F / second item (Depends on the script)
X Accuracy x34
Carbos x211
<Script>

Hope this helps :)

ISSOtm
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #560 on: February 26, 2017, 06:55:16 pm »
Nice ! I'm adding this to the wiki page right away !

Anna Says Hi
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #561 on: February 28, 2017, 01:02:50 pm »
Hi, new poster here. I'm sharing one of my 8F setups.
(With the 5-pokemon 233 HP bootstrap)

Morphing item 2 with 2 items worth of code

8F
[Item to morph] x[any qty]
TM03 x141
Full Heal x201 / Revive x201

Code:
HL contains D322
D322: CB 8D
D324: 34 / 35
D325: C9

D322: RES 1, L
D324: INC (HL) / DEC (HL)
D325: RET

The advantage of this setup is that it's the same length as the "obtain 255 of item 2" setup, so only 2 Select presses are needed and the bag isn't disorganised. The disadvantage is that TM03 is not buyable and you have to use the 3-item morph setup if you've used or tossed it already.

One of the things I'm looking for is a memory viewer and editor GUI. I remember seeing a video that had a textbox that showed the contents of RAM at the time, and it might have been created by 8F. Unfortunately, we're probably limited by the fact we can only use 254 or so bytes, even for the extended 8F setup. So I wonder if we can bypass that limit. If we could write to different bytes when making our 8F setup (like 01:B524 in SRAM or C5D0 in WRAM) then we could have a way to make much longer programs, perhaps enough to code in an easy-to-use RAM editor GUI.
(FYI, I'm thinking of something like this, except with a bigger window)
Code:
*-------*
|D000 XX|
|D001 XX|
|D002 XX|
*-------*

Torchickens
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #562 on: February 28, 2017, 04:08:20 pm »
Thanks for this Anna Says Hi!  :)

You're in luck, a memory editor GUI has fortunately already been made. It was originally created by offgao for Japanese versions but was ported by Cryo. See this post for the raw code.

Although TheZZAZZGlitch's memory editing method by default can only modify 256 bytes, you can write more than that and execute the program by following the instructions in the description of this video (link).
« Last Edit: February 28, 2017, 04:09:02 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

jfb1337
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #563 on: March 13, 2017, 05:06:26 am »
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?

Torchickens
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #564 on: March 13, 2017, 08:45:12 am »
In Pokémon Yellow I used stable unstable MissingNo., dry underflow, Celadon looping map trick and Rival LOL glitch for the bootstrap Pokémon.

The Brock Through Walls/Trainer-Fly  with Abra sounds good for Red/Blue.

Rival LOL glitch is probably a good method for Pokémon Red and Blue as well if you have a six letter long Rival name, although you could also get your Pokémon by warping to places that have them (Route 1 for Pidgey, Safari Zone or Cerulean Cave [use Rival's item or enter Hall of Fame] for Parasect, Rock Tunnel or Victory Road for Onix, water for Tentacool [use ?????], Safari Zone for Kangaskhan).

I'm unsure if Trainer-Fly would be better as you'd need specific Special stats from specific Trainers or party Pokémon, so regular encounters/LOL glitch seems to be better.
« Last Edit: March 13, 2017, 08:45:57 am by Torchickens »

ISSOtm
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #565 on: March 13, 2017, 11:42:10 am »
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?
For the level 100 Pidgey I recommend TFlying, fighting against FISHERMAN's level 27 GOLDEEN in Route 12, Growl x6, catch Pidgey, DON'T SAVE, level to 100, cancel evolution, use HP Ups and remove HP using poison then Antidote (1 HP each 4 steps) or Lv 2 Pokémon (2 HP per hit usually, ie when not Crit :P).
Note that some Pidgeys cannot reach 233 Max HP due to low stats, that's why you shouldn't save until after you made sure you caught a correct one.

I also prefer to catch Arbok from Trainer-Fly (if using the 6-Pokémon setup, the best IMO) ; for the Kangaskhan I recommend you go into a Safari part of the zone where Kangaskhans appear and get kicked out of the Safari challenge in this zone. Then do the usual Surf thingy without loading other grass Pokémon data, and you're good (Note : doesn't work in Pokémon Yellow. Not suited for children under 3 IQ.)

jfb1337
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #566 on: March 19, 2017, 11:50:53 am »
Thanks! I obtained an 8F on VC blue and got the setup working yesterday, just using normal encounters, in about 3.5 hours.

I made a simple script to easily obtain any item, which is very useful for building other scripts:

Code:
ldd a, (hl)
ldd a, (hl)
ldi (hl), a
inc b ; filler
ld (hl), 1
dec (hl)
inc b ; filler
ret
which compiles to
Code:
Dire Hit x58
Water Stone x4
Max revive x1
Revive x4
TM01 x[Any qty]
This sets the index of the 2nd item to its quantity (make sure 8F is the first item obviously), and its quantity to 0 for easy tossing to any desired quantity.

This requires only items that can be bought from Celadon dept store, with no missingno duping.

Then, you can use it once to get a Max revive x0 stack, so you can get rid of the revive to compact the script slightly.
« Last Edit: March 19, 2017, 12:12:04 pm by jfb1337 »

ISSOtm
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #567 on: March 20, 2017, 06:09:50 am »
You could remove the
Code:
ld a, [hli]
ld [hld], a
since it effectively does nothing.
Item pack:
Code:
8F
[item] x(Any)
Dire Hit x4
Max revive x1
Revive x4
TM01 x[Any qty]

A more efficient setup (IMO) is
Code:
8F
Item x[any qty]
Poké Ball (or Great Ball) x43
Revive x3
TM01 x[any qty]
Toss all of "Item" but one, then use. You now have 0 of that item :)
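As an added example (not code from the thread or the wiki), here is a small Python model of how the item pack starting at D31D is read as GBz80 code once the bootstrap has left hl at D322. It replays jfb1337's item-index script, ISSOtm's zero-quantity pack, Anna Says Hi's item-2 morph and NukingDragons' "set HL to D322" prologue; the item IDs are assumed from the thread's own listings (TM01 = C9 = ret, Dire Hit = 3A, and so on) and only the opcodes those packs use are modelled.

```python
# Added example, not code from the thread: a model of how the item pack at
# D31D.. is read as GBz80 code once the 8F bootstrap has left hl = D322.
# Item IDs are assumed from the thread's own listings (e.g. TM01 = C9 = ret).
ITEM_ID = {
    "8F": 0x5D, "Great Ball": 0x03, "Poke Ball": 0x04, "Water Stone": 0x22,
    "HP Up": 0x23, "Carbos": 0x26, "X Accuracy": 0x2E, "Full Heal": 0x34,
    "Revive": 0x35, "Max Revive": 0x36, "Dire Hit": 0x3A, "TM01": 0xC9, "TM03": 0xCB,
}
BAG_COUNT = 0xD31D  # item count; item 1's id is at D31E, then (id, qty) pairs
ENTRY = 0xD322      # item 3's id byte: execution starts here with hl == ENTRY

def assemble(bag):
    """bag: [(item name, quantity), ...] starting with 8F. Returns {address: byte}."""
    mem = {BAG_COUNT: len(bag)}
    addr = BAG_COUNT + 1
    for name, qty in bag:
        mem[addr], mem[addr + 1] = ITEM_ID[name], qty & 0xFF
        addr += 2
    mem[addr] = 0xFF  # end-of-list marker
    return mem

def run(mem, hl=ENTRY, max_steps=32):
    """Interpret only the opcodes the thread's packs use; anything else is an
    error. Returns the final hl so 'set hl' prologues can be checked."""
    pc, a, b, c = ENTRY, 0, 0, 0
    for _ in range(max_steps):
        op, n = mem.get(pc, 0xFF), mem.get(pc + 1, 0)
        if op == 0xC9: return hl                                     # ret
        elif op == 0x3A: a, hl = mem.get(hl, 0), hl - 1             # ldd a,(hl)
        elif op == 0x2A: a, hl = mem.get(hl, 0), hl + 1             # ldi a,(hl)
        elif op == 0x22: mem[hl], hl = a, hl + 1                    # ldi (hl),a
        elif op == 0x23: hl += 1                                    # inc hl
        elif op == 0x2B: hl -= 1                                    # dec hl
        elif op == 0x03: c = (c + 1) & 0xFF; b = (b + (c == 0)) & 0xFF  # inc bc
        elif op == 0x04: b = (b + 1) & 0xFF                         # inc b
        elif op == 0x34: mem[hl] = (mem.get(hl, 0) + 1) & 0xFF      # inc (hl)
        elif op == 0x35: mem[hl] = (mem.get(hl, 0) - 1) & 0xFF      # dec (hl)
        elif op == 0x36: mem[hl], pc = n, pc + 1                    # ld (hl),n
        elif op == 0x2E: hl, pc = (hl & 0xFF00) | n, pc + 1         # ld l,n
        elif op == 0x26: hl, pc = (n << 8) | (hl & 0xFF), pc + 1    # ld h,n
        elif op == 0xCB and n == 0x8D: hl, pc = hl & ~0x02, pc + 1  # res 1,l
        else: raise ValueError(f"unmodelled opcode {op:02X} at {pc:04X}")
        pc += 1
    raise RuntimeError("no ret reached: execution would run past the pack")

def item2_after(bag):
    """Run a pack and return (id, qty) of item 2, the slot these packs rewrite."""
    mem = assemble(bag)
    run(mem)
    return mem[0xD320], mem[0xD321]
```

A pack whose quantities decode to an opcode the model does not know raises instead of guessing, which is the same situation as the D3 byte in the 6-Pokémon party setup above: once the bytes stop being the intended instructions, nothing downstream can be trusted.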

jfb1337
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #568 on: March 20, 2017, 02:32:21 pm »
The ld a, [hld] / ld [hli], a part is what copies the quantity of the item to its index, allowing access to any item index; your script just sets the quantity to 0. But since both are useful behaviours, then I swap the water stones (ld a [hli]) with HP ups (inc hl) if I want to reset the item quantity without setting the index too.

Another question: Is there an easy way to find the memory locations and ROM banks that correspond to a particular label in the disassembly? I had an idea for a script to make tossing items a bit less tedious by copying the graphics for digits or letters over the place where the game reads tiles for glitch quantities from, so it would be easier to see at a glance how many items you have / are tossing, but I'd need the locations for CopyVideoData and FontGraphics.

ISSOtm
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #569 on: March 20, 2017, 03:05:59 pm »
When you build the ROM, it generates two files which contain all the addresses.
I attached the file for Red.

I recommend you know how to use Ctrl+F :P