Author Topic: Arbitrary code execution in Red/Blue using the "8F" item


jfb1337

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #570 on: March 20, 2017, 03:12:32 pm »
Ah, thanks, I was wondering what the .sym files were for, for some reason it didn't occur to me to look inside them!

Edit: And here is said script:
Carbos x90
Master Ball x14
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x0
Carbos x144
X Accuracy x0
TM01x[Any qty]

ld h, $5A
ld bc, $040E ; b = BANK(FontGraphics), c = 14 = how many tiles to copy
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
nop
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

This turns the tiles beyond the numbers that glitch quantities read from into the letters A through P, so it's easier to see how many items you have / are tossing. (There will also be a bunch of letters all over the background).

The effect goes away when entering/leaving a building, entering/leaving a battle, resetting the game, or closing the PC item menu, and maybe a few other things.

Tested with English blue on BGB.
« Last Edit: March 21, 2017, 08:14:32 am by jfb1337 »

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #571 on: March 26, 2017, 12:20:49 pm »
Since x0 quantities are a bit of a pain to get, I'd recommend this:
Carbos x90
Master Ball x13
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x3
Carbos x144
X Accuracy x0
TM01x[Any qty]

ld h, $5A
ld bc, $040D ; b = BANK(FontGraphics), c = 14 - 1 = how many tiles to copy - 1
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
inc bc
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

(Didn't test it though)
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

atav32

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #572 on: April 13, 2017, 03:38:58 pm »
Hey everyone! Just discovered the wonders of 8F! Still got a lot to learn.

I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!

Quote
ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201

ASM:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

But when I started transferring them to Pokemon Bank, I've hit a couple of snags.

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for
  • starters & evolutions
  • Ditto
  • Dratini & evolutions
  • legendary birds
  • Mewtwo

Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.

- - - - -

Unrelated, but just curious: I've read that TM 01 x(any) and [any item] x201 represent the C9 byte which stops code execution. How do they differ? I tried using TM 01 x129 instead of Lemonade x201 in the above setup and it froze the game.

Thanks everyone!

camper

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #573 on: April 14, 2017, 02:38:29 am »
The Lemonade represents 3E in "call 3E48". Without the Lemonade it translates to "call C948". Even if C948 returns properly (it probably doesn't), it'll still treat the rest of your items as code until it finds a ret.
Youtube
 

Guess where this is?

jfb1337

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #574 on: April 15, 2017, 04:40:15 am »
Here is a script that should work for an arbitrary encounter level:

Repel x[Species index]  ; ld e, [species index]
Awakening x[Level]      ; ld c, [level]
X speed x64             ; ld b, e / ld b, b
TM05 x72                ; call 3E48 (TM05 x72 gives CD 48; the Lemonade's ID 3E supplies the high byte)
Lemonade x201           ; ret

Replacing the lemonade x201 with a lemonade x4 followed by a TM01 x[any] would also work. (x4 corresponds to inc b which basically does nothing at this point). But the lemonade is important.

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #575 on: April 16, 2017, 02:48:12 am »
Quote from: atav32 on April 13, 2017, 03:38:58 pm
I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201

[...]

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for
  • starters & evolutions
  • Ditto
  • Dratini & evolutions
  • legendary birds
  • Mewtwo

Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.


The Ultra Ball (index 2) actually represents the lvl. For instance using X Accuracy x64 instead of Ultra Ball x64 gives a lvl 46 Pokémon.
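An added example, not code from any of the posts above, to check the three points made in replies #570/#571 (item pairs become opcode bytes), #573 (why the Lemonade's ID 3E matters for the call) and #575 (the item after X Speed is the level byte): a small Python encoder that turns an 8F item list into the bytes the CPU sees, a disassembler for the GBz80 subset used in this thread, and a lint pass for the mistakes people actually make (x0 quantities, no ret). It assumes the standard setup where 8F hands control to the third bag slot, so the first listed item's ID byte sits at $D322 (wBagItems + 4); the item IDs are the Gen I values for the items used in this thread, and species index $15 is only a sample value.

```python
# Added example (not code from the original posts): encode an 8F item list to
# the bytes the CPU executes and disassemble the GBz80 subset this thread uses.
# Assumptions: the standard setup, where 8F hands control to the third bag slot
# so the first listed item's ID byte sits at $D322 (wBagItems + 4); item IDs
# are the Gen I values for the items used above; species $15 is only a sample.

ITEM_IDS = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Poké Ball": 0x04, "Burn Heal": 0x0C,
    "Awakening": 0x0E, "Repel": 0x1E, "Carbos": 0x26, "X Accuracy": 0x2E,
    "Full Heal": 0x34, "Revive": 0x35, "Lemonade": 0x3E, "X Speed": 0x43,
    "TM01": 0xC9, "TM05": 0xCD, "TM29": 0xE5,
}

# opcode -> (mnemonic template, immediate size); 16-bit immediates are little-endian
OPCODES = {
    0x00: ("nop", 0), 0x01: ("ld bc, ${:04X}", 2), 0x02: ("ld [bc], a", 0),
    0x03: ("inc bc", 0), 0x04: ("inc b", 0), 0x0C: ("inc c", 0),
    0x0E: ("ld c, ${:02X}", 1), 0x1E: ("ld e, ${:02X}", 1), 0x26: ("ld h, ${:02X}", 1),
    0x2B: ("dec hl", 0), 0x2E: ("ld l, ${:02X}", 1), 0x34: ("inc [hl]", 0),
    0x35: ("dec [hl]", 0), 0x3E: ("ld a, ${:02X}", 1), 0x40: ("ld b, b", 0),
    0x43: ("ld b, e", 0), 0x48: ("ld c, b", 0), 0x54: ("ld d, h", 0),
    0x81: ("add a, c", 0), 0xC9: ("ret", 0), 0xCD: ("call ${:04X}", 2),
    0xE5: ("push hl", 0),
}

CODE_BASE = 0xD322  # third bag slot's ID byte


def items_to_bytes(items):
    """Each bag slot is two bytes: item ID, then quantity."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name} x{qty}: quantity must fit in one byte")
        out += bytes((ITEM_IDS[name], qty))
    return bytes(out)


def disassemble(code, base=CODE_BASE):
    """Decode until the first `ret` or the end of the bytes.
    Returns (address, raw bytes, text) triples; unknown opcodes show as `db`."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        mnem, n = OPCODES.get(op, (f"db ${op:02X}", 0))
        if pc + 1 + n > len(code):
            # the operand would be read from whatever follows the list in RAM
            out.append((base + pc, code[pc:], f"db ${op:02X} ; operand runs past the item list"))
            break
        imm = int.from_bytes(code[pc + 1:pc + 1 + n], "little")
        out.append((base + pc, code[pc:pc + 1 + n], mnem.format(imm)))
        pc += 1 + n
        if op == 0xC9:
            break
    return out


def mnemonics(items):
    return [text for _, _, text in disassemble(items_to_bytes(items))]


def check_setup(items):
    """Checks worth running before building a setup in-game."""
    warnings = []
    listing = disassemble(items_to_bytes(items))
    for name, qty in items:
        if qty == 0:
            warnings.append(f"{name} x0: zero quantities are awkward to obtain")
    if not listing or listing[-1][2] != "ret":
        warnings.append("no ret reached: execution runs on into the rest of the bag")
    for _, _, text in listing:
        if text.startswith("db "):
            warnings.append(f"{text}: not in the opcode table, check it by hand")
    return warnings


# ISSOtm's font-tile setup from reply #571
FONT_TILES = [("Carbos", 90), ("Master Ball", 13), ("Poké Ball", 84), ("Repel", 128),
              ("Carbos", 24), ("X Accuracy", 134), ("TM29", 3), ("Carbos", 144),
              ("X Accuracy", 0), ("TM01", 1)]


def catch_setup(species, level_item="Ultra Ball", terminator=("Lemonade", 201)):
    """Alternative Catch'Em All. The item after X Speed is decoded as the
    operand of `ld c, d8`, so its ID is the encounter level ($02 = level 2)."""
    return [("Repel", species), ("X Speed", 14), (level_item, 64),
            ("TM05", 72), terminator]


def catch_setup_with_level(species, level):
    """jfb1337's variant from reply #574: Awakening x[level] is `ld c, level`."""
    return [("Repel", species), ("Awakening", level), ("X Speed", 64),
            ("TM05", 72), ("Lemonade", 201)]


if __name__ == "__main__":
    for addr, raw, text in disassemble(items_to_bytes(FONT_TILES)):
        print(f"{addr:04X} {raw.hex(' '):<9} {text}")
    print(check_setup(FONT_TILES))
    # camper's point from reply #573: without the Lemonade, TM05 x72 becomes call $C948
    print(mnemonics(catch_setup(0x15, terminator=("TM01", 129))))
```

Running it reproduces the listings posted above byte for byte, and swapping the Lemonade x201 for TM01 x129 shows the failure atav32 hit: the call target becomes $C948 and no ret is reached before the list ends.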

atav32

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #576 on: April 16, 2017, 11:41:47 am »
Wow! That's awesome! What tools do you guys use to write and test your code?

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #577 on: April 16, 2017, 12:35:47 pm »
Writing is done usually on Notepad or a sheet of paper. I'm not even joking :P
Then we compile it either by hand or using some nifty tools created by the community (for example these two)

To test them, most of us prefer the BGB emulator and its amazing debugger, but some other emulators such as BizHawk are good options.
Some even take the time to build the setup on console to verify. But it's more rare.

TheSixthItem

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #578 on: April 22, 2017, 08:51:51 am »
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

Torchickens

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #579 on: April 22, 2017, 01:16:23 pm »
Quote from: TheSixthItem on April 22, 2017, 08:51:51 am
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

Yes. The following code, which is a modified version of TheZZAZZGlitch's change second item code (see this thread's first post), should work for changing the item quantity. It should work on both Yellow (when using ws m redirected to item 3) and Red/Blue (when using 8F redirected to item 3) because no absolute memory addresses are specified.

* 8F
* Item with quantity you want to morph
Burn Heal            x43
Full Heal            x201

ASM:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 34               inc  (hl)
WRA1:D325 C9               ret
« Last Edit: April 22, 2017, 01:16:42 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you TMTRAINER for my avatar and Aeriixion for the cute sprite! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #580 on: Yesterday at 01:43:16 pm »
Quote from: TheSixthItem on April 22, 2017, 08:51:51 am
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

This is what I use to get 0 of a certain item.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

More convenient to turn 1 item into 0 than turning 255 into 0. It's also worth noting that 0 is actually 256, so you can toss them to get any quantity you need.
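An added example, not code from the posts above, that runs Torchickens' +1 code and Skeef's -1 code against a simulated bag with a tiny interpreter for just the opcodes they use. The point it makes is the one Torchickens gives for why the code is portable between 8F and ws m: every write goes through hl, so only the slot layout matters, not where the bag lives. It assumes wBagItems is at $D31E in Red/Blue and that control arrives at the third slot's ID byte ($D322) with hl pointing at that same byte, which is exactly what `dec hl; inc [hl]` needs in order to land on item 2's quantity; Rare Candy is only a sample target item.

```python
# Added example (not code from the original posts): execute the two
# quantity-morph codes above against a simulated bag to show the hl-relative
# addressing and the 8-bit wraparound. Assumptions: wBagItems at $D31E
# (Red/Blue), entry at the third slot's ID byte with hl pointing at that byte.

ITEM_IDS = {"8F": 0x5D, "Rare Candy": 0x28, "Poké Ball": 0x04,
            "Burn Heal": 0x0C, "Full Heal": 0x34, "Revive": 0x35}

BAG_ITEMS = 0xD31E  # (id, qty) pairs; wNumBagItems is the byte before, $FF ends the list


def build_memory(items, bag_base=BAG_ITEMS):
    """64 KiB of zeroed memory with the bag laid out at bag_base."""
    mem = bytearray(0x10000)
    mem[bag_base - 1] = len(items)
    for i, (name, qty) in enumerate(items):
        mem[bag_base + 2 * i] = ITEM_IDS[name]
        mem[bag_base + 2 * i + 1] = qty
    mem[bag_base + 2 * len(items)] = 0xFF
    return mem


def run(mem, pc, hl, max_steps=32):
    """Interpret only the opcodes these codes use; anything else is a bug in
    the setup. Returns the list of addresses the code wrote to."""
    b = c = 0
    writes = []
    for _ in range(max_steps):
        op = mem[pc]
        pc += 1
        if op == 0x04:                      # inc b    (Poké Ball)
            b = (b + 1) & 0xFF
        elif op == 0x0C:                    # inc c    (Burn Heal)
            c = (c + 1) & 0xFF
        elif op == 0x2B:                    # dec hl   (x43)
            hl = (hl - 1) & 0xFFFF
        elif op == 0x34:                    # inc [hl] (Full Heal)
            mem[hl] = (mem[hl] + 1) & 0xFF
            writes.append(hl)
        elif op == 0x35:                    # dec [hl] (Revive)
            mem[hl] = (mem[hl] - 1) & 0xFF
            writes.append(hl)
        elif op == 0xC9:                    # ret      (x201)
            return writes
        else:
            raise ValueError(f"unexpected opcode ${op:02X} at ${pc - 1:04X}")
    raise RuntimeError("no ret within step budget")


def morph(code_items, target_qty, bag_base=BAG_ITEMS):
    """Slot 1 = 8F, slot 2 = the target item, slots 3.. = the code.
    Returns (target quantity afterwards, addresses written)."""
    items = [("8F", 1), ("Rare Candy", target_qty)] + code_items
    mem = build_memory(items, bag_base)
    entry = bag_base + 4                    # item 3's ID byte
    writes = run(mem, entry, entry)
    return mem[bag_base + 3], writes        # item 2's quantity byte


PLUS_ONE = [("Burn Heal", 43), ("Full Heal", 201)]   # inc c / dec hl / inc [hl] / ret
MINUS_ONE = [("Poké Ball", 43), ("Revive", 201)]     # inc b / dec hl / dec [hl] / ret

if __name__ == "__main__":
    print("255 + 1 ->", morph(PLUS_ONE, 255))
    print("  1 - 1 ->", morph(MINUS_ONE, 1))
    print("  0 - 1 ->", morph(MINUS_ONE, 0))
```

Only one address is ever written (item 2's quantity byte), and because hl is taken relative to the entry point the same bytes give the same result if the bag is laid out at a different base, which is why the posted codes carry over between ws m and 8F.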