Glitch City Laboratories Forums

Lab γ: Video Games and Glitches Discussion => Generation I Glitch Discussion => Pokémon Glitch Discussion => Arbitrary Code Execution Discussion => Topic started by: TheZZAZZGlitch on April 25, 2013, 07:57:48 am

Title: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 25, 2013, 07:57:48 am
Newcomers: I highly recommend you read beyond this thread's first post. Thanks to the later posts you will learn how to do the described glitch on Yellow, Japanese Red/Green/Yellow or other international releases.

WHAT'S 8F?

8F is a Red/Blue equivalent of JP Red/Green's 5かい - an item executing machine code starting from $D163 (Number of Pokemon) upon use. Its hex identifier is 0x5D, despite its hex-like name. 8F is treated by the game as a key item and it can't be tossed away or sold in the mart.

As address $D163 contains rewritable data, it is possible to redirect the instruction pointer to the item list with relative jumps and easily run arbitrary code just by spelling the opcodes with items. With enough items, one could also make a program that reads key input continuously, writes it somewhere in the RAM and jumps to it after a while, allowing you to run even your own homebrew software (https://www.youtube.com/watch?v=D3EvpRHL_vk).

HOW TO OBTAIN IT:

OBTAINING 8F USING ITEM COUNTER UNDERFLOW GLITCH:

PREREQUISITES:

 - Access to any event that removes an item from your inventory (Saffron guards, handing out a fossil in Cinnabar Lab, etc.)
 - The following item list:
   Any item x[Any qty]
   X Special x255
   Item you need to give away x1

If you don't have access to any item-removing event, you can still do the "dry variation" of the glitch, by following the steps described here (http://forums.glitchcity.info/index.php/topic,6638.msg198625.html#msg198625).

EXECUTION:

1. Toss the first item. It should change to X Special x255
2. Continue tossing the first item until the item menu "stops responding"
3. Trigger an event that removes the item from your inventory
4. Now, you should have 255 items with you. Go to the easternmost corner of Celadon City:

(http://i34.tinypic.com/2me4qdl.png)

5. Toss 254 of your X Specials. Then swap the 'X Special x1' with 'Nugget x1' (35th item)
6. Try walking to the right - the map should now loop back to the left side of Celadon City. The amount of steps you take to the right determines the item you will get, so position yourself properly to obtain 8F. Swap it with the first item, then fly back to Celadon.
7. Store one of your newly acquired glitch items into the PC. Then buy any 3 items to bring your inventory back to normal.

A video of this method (makes it a lot easier to understand): http://www.youtube.com/watch?v=98_azamLeh4 (http://www.youtube.com/watch?v=98_azamLeh4)

OBTAINING 8F USING INVALID ENCOUNTER FLAGS (OBSOLETE):

PREREQUISITES:

 - A Ditto with a Cooltrainer move, nicknamed "R:u"
 - At least 1 Escape Rope
 - Good Rod on your 4th item slot
 - Exactly 10 Pokemon in your current box (this tremendously increases the chances of Cooltrainer move working properly)
 - Preferably a Bicycle, to make things a little bit faster.

EXECUTION:

1. Heal your Pokemon in Fuchsia City's Pokemon Center.
2. Do the Safari Zone walk through walls glitch, with only Ditto in your party.
3. After you appear back at Fuchsia City's Pokémon Center with noclip activated, walk exactly:
 a) 19 steps west
 b) 28 steps north
 c) 1 step west
 d) 29 steps north
 e) 11 steps east
4. Open your Pokemon menu and close it (important). You may want to use the bicycle now to travel faster - you won't be able to do this later.
5. Go 11 steps west and keep walking south until you find yourself back on Route 18. Do not open your Start menu from now on.
6. Walk/bike to Seafoam Islands and enter the cave.
7. Encounter a wild Pokemon, and continuously try to use the Cooltrainer move. If it does not work after about 15 tries, quit the battle and start a new one. Do not open your Pokemon menu, Item menu or Start menu at all!
8. Eventually, the music will fade out, the move typing will become blank, and the name of the opponent will change. Catch the resulting Pokemon - the game will state you caught a "98", and your Good Rod will turn into an 8F.
9. Use an Escape Rope, as there's a slight chance the game will crash after exiting the cave normally.

OBTAINING 8F WITH A CORRUPTED ITEM PACK (OBSOLETE):

This method is not recommended - it has a lot of side effects and is terribly complicated. Use it only when no other method seems to work for you.

PREREQUISITES:

 - A Pokemon on the first slot meeting very specific requirements:
    > It needs to have a Super Glitch as a 4th move
    > Its three moves besides the Super Glitch have to contain 25 characters in total
    > One of its three moves needs to be 4 characters long
    > This Pokemon needs to be able to learn Mega Kick through TM05
    An example: ?L ||?M 4 (hex C6) with moves Body Slam, TM50, Quick Attack, [Super Glitch]
 - Any Pokemon on the second slot you don't care about, nicknamed "cccccccc". It will be gone in the process, so don't use your L100 Charizard.
 - A Pokemon on the third slot knowing Fly.
 - Exactly 3 useless items in your Bag. They will get destroyed again, so don't pick anything important.
 - TM05 (Mega Kick), deposited in the PC
 - At least one free space in the PC to store your obtained 8F
 - An empty Pokemon box currently selected, most likely box 12

SIDE EFFECTS:

Sadly, those side effects are actually quite annoying. But also, happily enough, one can fix them with 8F's arbitrary code execution.

1. Your player name will become blank (the game will save just fine though). However, with 8F's arbitrary code execution capabilities, one can change his name back to something nice.
2. Lower 5 Pokedex bytes will become corrupted, displaying some yet unseen species as caught. There's no easy way to fix this, but it's not a big deal unless you care about your Pokedex progression.
3. Your Pokemon box may get to a state where trying to release the glitch Pokemon inside will crash the game. This side effect does not happen every time, but if it does, again, this can be fixed with 8F's arbitrary code execution.

EXECUTION:

http://www.youtube.com/watch?v=Sw0h7ImFsAs (http://www.youtube.com/watch?v=Sw0h7ImFsAs)

BOOTSTRAPPING:

8F won't do anything amazing by itself. In order to make it execute code from $D322 (third item), we need to use the party Pokemon to spell out a short program. This program will redirect the instruction pointer to the item pack, so that the effects of 8F become easier to control. This process is referred to as bootstrapping.

There are several bootstrapping configurations that are easier or harder to set up. Below I have listed the most commonly used ones.

Pigdevil2010's Pokémon Red/Blue 8F 5-Pokémon 233 HP bootstrap (recommended)

1.  Exactly 5 Pokémon in the party                                    [0xD163 = 0x05]
2.  Pidgey as the first Pokémon                                       [0xD164 = 0x24]
3.  Parasect as the second Pokémon                                    [0xD165 = 0x2E]
4.  Onix as the third Pokémon                                         [0xD166 = 0x22]
5.  Tentacool as the fourth Pokémon                                   [0xD167 = 0x18]
6.  Kangaskhan as the fifth Pokémon                                   [0xD168 = 0x02]
7.  First Pokémon's current HP has to be exactly 233                  [0xD16D = 0xE9]


TheZZAZZGlitch's Pokémon Red/Blue 8F 6-Pokémon 233 Attack bootstrap (outdated, but still popular)

1.  Exactly 6 Pokémon in the party                                    [0xD163 = 0x06]
2.  Onix as the first Pokémon                                         [0xD164 = 0x22]
3.  Pidgey as the second Pokémon                                      [0xD165 = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD166 = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD167 = 0x4D]
6.  24 PP left on the second Pokémon's second move w/ 0 PP Ups used   [0xD1B5 = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1B6 = 0x55]
8.  36 PP left on the fourth Pokémon's first move w/ 0 PP Ups used    [0xD20C = 0x24]
9.  24 PP left on the fourth Pokémon's second move w/ 0 PP Ups used   [0xD20D = 0x18]
10. 20 PP left on the fourth Pokémon's third move w/ 0 PP Ups used    [0xD20E = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD223 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD224 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD225 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD26C = 0xE9]


Super-compressed 3-Pokémon setup (problematic because of hex D3 glitch Pokémon, which can be difficult to obtain; also, some item lists do not work with this setup)

1.  Exactly 3 Pokémon in the party                                    [0xD163 = 0x03]
2.  Hex C3 glitch Pokémon as the first Pokémon                        [0xD164 = 0xC3]
3.  Onix as the second Pokémon                                        [0xD165 = 0x22]
4.  Hex D3 glitch Pokémon as the third Pokémon                        [0xD166 = 0xD3]


There are other versions of the game (Yellow and foreign language localizations of R/B) where items similar to 8F exist. Most notable is the 'ws m' item in Yellow, which executes code starting from the current PC Pokémon storage box. For your convenience, here are several bootstrapping setups for Yellow:

Pigdevil2010's Pokémon Yellow 'ws m' 10-Pokémon 233 HP bootstrap (http://forums.glitchcity.info/index.php/topic,6638.msg194861.html#msg194861) (recommended)
TheZZAZZGlitch's Pokémon Yellow 'ws m' 20-Pokémon 233 HP bootstrap (http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586) (also recommended, since a lot of the Pokémon on the list are Geodudes and Slowpokes, which are easy to catch)
Pigdevil2010's Pokémon Yellow 'ws m' 19-Pokémon bootstrap (http://forums.glitchcity.info/index.php/topic,6638.msg194458.html#msg194458)

USING 8F TO OUR ADVANTAGE

Well, now that we're done with all those preparations, let's try to actually do something with this item! Below I present some examples of what is possible.

"CATCH 'EM ALL" SCRIPT

This is just K)ry's ASM for JP Red/Green (http://www.geocities.jp/kattempla/pokebug/5kai.html) ported to the international release. With those items, 8F will act like an item that forces a Pokemon encounter based on the quantity of item #1, allowing you to catch all 151 Pokemon easily.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s)

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x31
TM11                 x4
TM34                 x89
TM08                 x201


ASM:
Code:
WRA1:D322 FA 1F D3         ld   a,(D31F)
WRA1:D325 04               inc  b
WRA1:D326 EA 59 D0         ld   (D059),a
WRA1:D329 C9               ret 

ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201


ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

CHANGE THE PLAYER'S NAME

With this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201


ASM:
Code:
WRA1:D322 FA B5 D2         ld   a,(D2B5)
WRA1:D325 40               ld   b,b
WRA1:D326 EA 58 D1         ld   (D158),a
WRA1:D329 2E 27            ld   l,27
WRA1:D32B 34               inc  (hl)
WRA1:D32C 2E 23            ld   l,23
WRA1:D32E 34               inc  (hl)
WRA1:D32F C9               ret 

CHANGE THE SECOND ITEM

This easy code uses only 3 basic items, and it increases the first item's index by 1 every time 8F is used. You can obtain normally unobtainable items, glitch items or TMs, so you can set up the other item configurations described here.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s)

ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201


ASM:
Code:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret


WALK THROUGH WALLS

Jump off a ledge after using 8F to walk through walls.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x20
TM15                 x201


ASM:
Code:
WRA1:D322 EA 14 D7         ld (d714),a
WRA1:D325 C9               ret

ESCAPE FROM A TRAINER BATTLE

This turns 8F into an item which allows escaping from any battle, including trainer battles.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x120
TM08                 x201


ASM:
Code:
WRA1:D322 EA 78 D0         ld (d078),a
WRA1:D325 C9               ret

CLEAR A POKEMON BOX

When 8F was first discovered, the method of obtaining it had a slight chance to corrupt Pokemon at the PC box, causing crashes when trying to release/withdraw them. One can either deal with it and switch to another box, or make the box empty with this item configuration.

Switch to the corrupted box, use 8F, done. Be careful though, you probably don't want to clear the box with your L100 legendaries.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
Soda Pop             x64
TM34                 x128
TM18                 x201


ASM:
Code:
WRA1:D322 3E 01            ld a,01
WRA1:D324 3D               dec a
WRA1:D325 40               ld b,b
WRA1:D326 EA 80 DA         ld (da80),a
WRA1:D329 C9               ret

BUT WAIT, THERE'S MORE!

Possibilities with 8F are unlimited. Here are some other item lists, posted by different people throughout the years (wow, this glitch is 3 years old now? I didn't realize).

Pseudo-GameShark (aka change any byte in RAM to any value) (http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609) (by Wack0)
Instant Hall of Fame (http://forums.glitchcity.info/index.php/topic,6638.msg192582.html#msg192582) (by Wack0)
Pokémon Yellow US - play Pikachu's Beach (http://forums.glitchcity.info/index.php/topic,6638.msg192586.html#msg192586) (by Wack0)
Change OT of the first slot Pokémon (http://forums.glitchcity.info/index.php/topic,6638.msg192608.html#msg192608) (by blahpy)
Perpetually resetting save file (http://forums.glitchcity.info/index.php/topic,6638.msg192694.html#msg192694) (by Wack0)
Max stat Exp and DVs (http://forums.glitchcity.info/index.php/topic,6638.msg196936.html#msg196936) (by eironeia)
Set debug mode flag (http://forums.glitchcity.info/index.php/topic,6638.msg197206.html#msg197206) (by Rena)
Get 255 of second item (http://forums.glitchcity.info/index.php/topic,6638.msg199715.html#msg199715) (by lowena)
Daycare Pokémon cloning (http://forums.glitchcity.info/index.php/topic,6638.msg200226.html#msg200226) (by Skeef)
Set/unset badges (http://forums.glitchcity.info/index.php/topic,6638.msg200226.html#msg200226) (by Skeef)
Change a Pokémon's typing (http://forums.glitchcity.info/index.php/topic,6638.msg200419.html#msg200419) (by hashtag)
Reusable RAM writer (http://forums.glitchcity.info/index.php/topic,6638.msg200510.html#msg200510) (by Torchickens)
Make Pokémon shiny when traded to Gen II (http://forums.glitchcity.info/index.php/topic,6638.msg200686.html#msg200686) (by Krys3000 & thelinekioubeur)

List last updated on: 2016-07-04

ENDING REMARK: BIG ITEM QUANTITIES?

All of those item lists will have at least one item with quantity bigger than 99. Obviously, it's possible to obtain those big quantities using the Missingno. item duplication glitch (duplicating a 99 item stack will result in a 227 item stack).
However, the numbers bigger than 99 are represented with glitch blobs, so it's normally impossible to read how many items you actually have. This short image guide below will help you with reading quantities of those big item stacks.

(http://i38.tinypic.com/2d8jgqg.png)
* This image uses the Pokemon Center tileset
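As an added example (not part of the post above), here is a short Python trace of the three bootstraps listed under BOOTSTRAPPING, run through a tiny interpreter for the handful of Game Boy (SM83) instructions they use. It assumes what the post describes: 8F starts executing at $D163 with hl also holding $D163 (the 233 HP and 233 Attack chains need h = $D1 on entry to end up pointing at $D322), and the 6-Pokémon chain starts with $D163 = $06, i.e. six Pokémon as its heading says. Two bytes the 5-Pokémon recipe implies but does not spell out are filled in and marked: the first Pokémon's species byte at $D16B and the HP high byte at $D16C. Any executed byte the recipe does not pin down is treated as an error, since in the real game it would be whatever the save happens to hold.

```python
# Added example (not from the thread): trace the 8F bootstrap chains through a tiny
# interpreter for the Game Boy (SM83) instructions they use. Assumptions: execution
# starts at $D163 with hl = $D163, and only bytes the recipe constrains may execute.

PARTY_COUNT = 0xD163   # where 8F starts executing (number of Pokémon)
ITEM3_ADDR = 0xD322    # third item's ID byte; the payload spelled with items starts here

# Pigdevil2010's 5-Pokémon 233 HP bootstrap. $D16B (first Pokémon's species, Pidgey) and
# $D16C (HP high byte, 0 because 233 < 256) follow from the list rather than being stated.
BOOT_5 = {
    0xD163: 0x05, 0xD164: 0x24, 0xD165: 0x2E, 0xD166: 0x22, 0xD167: 0x18, 0xD168: 0x02,
    0xD16B: 0x24, 0xD16C: 0x00, 0xD16D: 0xE9,
}

# TheZZAZZGlitch's 6-Pokémon 233 Attack bootstrap; PP bytes hold (PP Ups << 6) | PP.
BOOT_6 = {
    0xD163: 0x06, 0xD164: 0x22, 0xD165: 0x24, 0xD166: 0x18, 0xD167: 0x4D,
    0xD1B5: 0x18, 0xD1B6: 0x55, 0xD20C: 0x24, 0xD20D: 0x18, 0xD20E: 0x14,
    0xD223: 0x68, 0xD224: 0x18, 0xD225: 0x46, 0xD26C: 0xE9,
}

# Super-compressed 3-Pokémon setup.
BOOT_3 = {0xD163: 0x03, 0xD164: 0xC3, 0xD165: 0x22, 0xD166: 0xD3}


def trace_bootstrap(mem, b=0x00, c=0xB8, max_steps=32):
    """Run from $D163 until pc reaches $D322; return final pc, hl, b and the trace.

    Executing an address the recipe does not constrain raises KeyError: in the real
    game that byte is save-dependent, so the chain would not be reliable.
    """
    pc = hl = PARTY_COUNT
    trace = []

    def fetch(addr):
        if addr not in mem:
            raise KeyError(f"${addr:04X} executed but not pinned down by the recipe")
        return mem[addr]

    for _ in range(max_steps):
        if pc == ITEM3_ADDR:
            return {"pc": pc, "hl": hl, "b": b, "trace": trace}
        at, op = pc, fetch(pc)
        if op == 0x00:                                   # nop
            text, pc = "nop", pc + 1
        elif op == 0x03:                                 # inc bc
            bc = (((b << 8) | c) + 1) & 0xFFFF
            b, c, text, pc = bc >> 8, bc & 0xFF, "inc bc", pc + 1
        elif op == 0x05:                                 # dec b
            b, text, pc = (b - 1) & 0xFF, "dec b", pc + 1
        elif op == 0x06:                                 # ld b,n
            b, text, pc = fetch(pc + 1), f"ld b,${fetch(pc + 1):02X}", pc + 2
        elif op == 0x18:                                 # jr e (signed, from the next pc)
            off = fetch(pc + 1)
            off = off - 0x100 if off > 0x7F else off
            text, pc = f"jr {off:+d}", pc + 2 + off
        elif op == 0x24:                                 # inc h
            hl, text, pc = (hl + 0x100) & 0xFFFF, "inc h", pc + 1
        elif op == 0x2E:                                 # ld l,n
            hl, text, pc = (hl & 0xFF00) | fetch(pc + 1), f"ld l,${fetch(pc + 1):02X}", pc + 2
        elif op == 0x68:                                 # ld l,b
            hl, text, pc = (hl & 0xFF00) | b, "ld l,b", pc + 1
        elif op == 0xC3:                                 # jp nn (little-endian operand)
            dest = fetch(pc + 1) | (fetch(pc + 2) << 8)
            text, pc = f"jp ${dest:04X}", dest
        elif op == 0xE9:                                 # jp hl
            text, pc = "jp hl", hl
        else:
            raise ValueError(f"opcode ${op:02X} at ${at:04X} is not one the bootstraps use")
        trace.append(f"{at:04X}: {text}")
    raise RuntimeError("did not reach $D322")


if __name__ == "__main__":
    for name, mem in (("5-Pokémon", BOOT_5), ("6-Pokémon", BOOT_6), ("3-Pokémon", BOOT_3)):
        r = trace_bootstrap(mem)
        print(f"{name}: pc=${r['pc']:04X} hl=${r['hl']:04X} b=${r['b']:02X}")
        print("   " + " / ".join(r["trace"]))
```

Both 233-based chains arrive at $D322 with hl = $D322 (and the 6-Pokémon one with b = $22, matching the register dump quoted later in this thread). The 3-Pokémon setup jumps to $D322 but leaves hl at $D163, which is presumably why some item lists do not work with it: the "change the second item" list, for one, counts on hl already pointing at $D322. Deleting $D16C from BOOT_5 makes the trace fail, showing that the HP high byte is part of the chain even though the list never names it.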
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 25, 2013, 10:27:50 am
Impressive. Great work on finding all those extra tricks and an alternative to k(y's code too!

I'm gonna re-post the CPU registers for D322 that you added as a caption in your video.

Quote
af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de= 0001 [d=00, e=01]
hl= D322 [h=D3, l=22]
All flags reset
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 25, 2013, 10:34:27 am
yay, I think everyone was waiting for this.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 25, 2013, 11:20:28 am
Why is step 5 necessary?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 25, 2013, 11:37:47 am
Quote
Why is step 5 necessary?

Super Glitch changes the boxset value ($D12C) to a glitch value 0x10, which corrupts the map if viewed. By opening the Pokemon Center's HEAL/CANCEL dialog the boxset value gets reset back to 0 (default YES/NO), so the game does not corrupt my map when I try to toss an item or save. Step 33 is necessary for the exact same reason.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 25, 2013, 11:42:14 am
Here are a few simple tricks I made that work with the bootstrap program:


Gym Leader theme plays for the next battle

Use this outside of battle to make the next battle play the Gym Leader theme.

Requirements:

Item 3 = TM34 x 92
Item 4 = TM08 x 201

ASM:

Code:
WRA1: D322 EA 5C D0               ld (D05C), a  : Put 63h into D05C
WRA1: D325 C9                     ret

Battle Safari Zone style

Use 8F in the middle of the battle to turn it into a Safari Zone battle. If you use it outside of battle, you'll be forced to use item 1 infinitely.

Requirements:

Item 3 = Lemonade x 2
Item 4 = TM34 x 90
Item 5 = TM08 x 201

ASM:

Code:
WRA1: D322 3E 02                  ld a, 02 : Put 02h into a
WRA1: D324 EA 5A D0               ld (D05A), a  : Put 02h into D05A
WRA1: D327 C9   ret

(http://i.minus.com/jqPcnrhyGwBh3.png)

Steal other Trainer's Pokémon without Gameshark

Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle. You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

(http://i.minus.com/jdrkmggEYxevh.png)(http://i.minus.com/jsKIa2lTQprx4.png)

Requirements:

Item 3 = Lemonade x 1
Item 4 = TM34 x 87
Item 5 = TM08 x 201

ASM:

Code:
WRA1: D322 3E 01   ld a, 01: Put 01h into a
WRA1: D324 EA 57 D0   ld (D057), a: Put 01h into D057
WRA1: D327 C9   ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on April 25, 2013, 03:41:13 pm
Words can't even describe how I felt reading this. You're amazing.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheDarkAce on April 25, 2013, 08:54:57 pm
I'm in awe of this, congratulations on the find!

I may have to try this at some point...

will it work on Yellow?

if so, how do you get the enormous quantities of items on there?

I heard you can only ever get 129 per stack (missingnoXpert's Lets Glitch series on youtube taught me most of my glitching knowledge for R/B/Y, along with a bit of experimentation and whatever I could glean from various sources, including the main site)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 25, 2013, 09:54:10 pm
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 26, 2013, 06:54:19 am
Quote
if so, how do you get the enormous quantities of items on there?

I heard you can only ever get 129 per stack (missingnoXpert's Lets Glitch series on youtube taught me most of my glitching knowledge for R/B/Y, along with a bit of experimentation and whatever I could glean from various sources, including the main site)

Just toss 2 or more items after it is duplicated by 128 the first time. For example, if you encounter Missingno. when you have 127 items in the sixth position, you will get 255. This is because all Dex #000 Pokémon add 128 to the quantity of the sixth item upon encounter provided that it is less than 128. Also capturing the Pokémon/obtaining it as a gift counts as both seeing it (adding 128 to the sixth item if its quantity is less than 128) and owning it (this registers Cubone in the Pokédex as 'seen'. You can avoid seeing Missingno.'s Pokédex entry and the Rhydon glitch (http://bulbapedia.bulbagarden.net/wiki/Rhydon_glitch) if you've seen Cubone).

To duplicate your items on Yellow without a risk of freezing the game, you can use the Ditto glitch to encounter one of the special Missingno. (special stat = 182 [Kabutops fossil], 183 [Aerodactyl Fossil] or 184 [Ghost Missingno.] ) These are safe and won't freeze the game.

Alternatively, you can perform the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with more than one Dex #000 Pokémon or similar item duplicating glitch Pokémon that don't freeze the game to duplicate multiple items by throwing balls / switching different items into the sixth position.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 26, 2013, 08:20:49 am
Quote
Here are a few simple tricks I made that work with the bootstrap program:

so in theory, 01xxyyzz gameshark codes could easily be converted for use with 8F with following asm skeleton:

Code:
D322 : 3E xx          ld a, xx      ; register a = xx
D324 : EA yy zz       ld (zzyy),a   ; memory address zzyy = register a
D327 : C9             ret           ; does this even need explaining?!

...which corresponds to following items:
Code:
Item3: Lemonade, quantity xx
Item4: TM34, quantity yy
Item5: Item with hex zz, quantity 201

...and if hex zz corresponds to glitch item or otherwise unobtainable item, one can change the second item using TheZZAZZGlitch's code above.
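As an added example (not code from the thread), the following Python helper assembles the item lists from the opening post into the bytes the CPU fetches from $D322, disassembles the small opcode subset those lists use, and applies the 01xxyyzz skeleton above to produce items 3 to 5. The item-ID table is built only from hex values that appear in this thread's listings (TMs are $C8 + n); anything else comes back as a raw $xx identifier. The zero-quantity check encodes the caveat the "clear a box" list works around with ld a,01 / dec a: a quantity byte can never be 0, so a 0 in that position has to come from somewhere else.

```python
# Added example (not from the thread): assemble/disassemble 8F item lists and convert
# 01xxyyzz GameShark codes into items. Item IDs are the values seen in this thread.

ITEM3_ADDR = 0xD322  # the bootstrap lands here: ID byte of item 3, then its quantity, ...

ITEM_IDS = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Burn Heal": 0x0C, "Ice Heal": 0x0D,
    "Repel": 0x1E, "Calcium": 0x27, "X Accuracy": 0x2E, "Full Heal": 0x34,
    "Soda Pop": 0x3D, "Lemonade": 0x3E, "X Speed": 0x43, "Good Rod": 0x4D, "8F": 0x5D,
}
ITEM_IDS.update({f"TM{n:02d}": 0xC8 + n for n in range(1, 51)})   # TM01 = $C9 ... TM50 = $FA
ID_TO_NAME = {v: k for k, v in ITEM_IDS.items()}

# opcode -> (mnemonic template, operand byte count); exactly the instructions the lists use
OPS = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0D: ("dec c", 0), 0x0E: ("ld c,{n}", 1),
    0x1E: ("ld e,{n}", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l,{n}", 1), 0x34: ("inc (hl)", 0),
    0x3D: ("dec a", 0), 0x3E: ("ld a,{n}", 1), 0x40: ("ld b,b", 0), 0x43: ("ld b,e", 0),
    0xC9: ("ret", 0), 0xCD: ("call {nn}", 2), 0xEA: ("ld ({nn}),a", 2), 0xFA: ("ld a,({nn})", 2),
}


def assemble(items):
    """[(item name, quantity), ...] for slots 3 onward -> the byte stream the CPU executes.

    Each slot is two bytes: item ID, then quantity. A quantity of 0 cannot be held, so a
    zero byte can only ever sit in an ID position.
    """
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} cannot be held in the bag")
        out += bytes((ITEM_IDS[name], qty))
    return bytes(out)


def bytes_to_items(code):
    """Inverse of assemble(): byte pairs -> [(name or '$xx', quantity), ...]."""
    if len(code) % 2:
        raise ValueError("item data is always ID/quantity pairs")
    return [(ID_TO_NAME.get(code[i], f"${code[i]:02X}"), code[i + 1])
            for i in range(0, len(code), 2)]


def disassemble(code, base=ITEM3_ADDR):
    """-> [(address, hex bytes, mnemonic), ...]; stops after the first 'ret'."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"opcode ${op:02X} at ${base + pc:04X} is not in the table")
        text, n = OPS[op]
        operand = code[pc + 1:pc + 1 + n]
        if len(operand) < n:
            raise ValueError(f"instruction at ${base + pc:04X} runs past the item list")
        if n == 1:
            text = text.format(n=f"${operand[0]:02X}")
        elif n == 2:   # 16-bit operands are little-endian: quantity byte, then next item ID
            text = text.format(nn=f"${int.from_bytes(operand, 'little'):04X}")
        out.append((base + pc, (bytes([op]) + operand).hex().upper(), text))
        pc += 1 + n
        if op == 0xC9:
            break
    return out


def gameshark_to_items(code):
    """01xxyyzz -> items 3..5 spelling 'ld a,xx / ld (zzyy),a / ret' (the skeleton above)."""
    if len(code) != 8 or code[:2].upper() != "01":
        raise ValueError("only 01xxyyzz (write one byte) codes map onto the skeleton")
    xx, yy, zz = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    if xx == 0 or yy == 0:   # both land in quantity bytes, which cannot be 0
        raise ValueError("xx and yy are item quantities and must be 1..255")
    return [("Lemonade", xx), ("TM34", yy), (ID_TO_NAME.get(zz, f"${zz:02X}"), 201)]


if __name__ == "__main__":
    catch_em_all = [("TM50", 31), ("TM11", 4), ("TM34", 89), ("TM08", 201)]
    for addr, raw, text in disassemble(assemble(catch_em_all)):
        print(f"WRA1:{addr:04X} {raw:<8} {text}")
    print(gameshark_to_items("01025AD0"))   # the Safari Zone battle list, as a GameShark code
```

Running it over the "catch 'em all" list reproduces the opening post's disassembly, and the "change the second item" list comes out as six single-byte instructions at $D322 through $D327. Feeding 01025AD0 to gameshark_to_items gives Lemonade x2, TM34 x90, TM08 x201, which is the Safari Zone battle list from earlier in this thread.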
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheDarkAce on April 26, 2013, 05:26:01 pm
Quote
Steal other Trainer's Pokémon without Gameshark

Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle. You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

(http://i.minus.com/jdrkmggEYxevh.png)(http://i.minus.com/jsKIa2lTQprx4.png)

Requirements:

Item 3 = Lemonade x 1
Item 4 = TM34 x 87
Item 5 = TM08 x 201

ASM:

Code:
WRA1: D322 3E 01   ld a, 01: Put 01h into a
WRA1: D324 EA 57 D0   ld (D057), a: Put 01h into D057
WRA1: D327 C9   ret

Just thought of a way to use this - use the Ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the Pokémon Center you teleported to. Once in the battle, run the code and you now have a stupidly high level Pokémon... am I thinking about this right?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 27, 2013, 06:07:28 am
Hey TheZZAZZGlitch, I found a much easier way to obtain 8F.

Due to having an invalid encounter flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags), 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this (http://www.youtube.com/watch?v=8W7RyjER8jM) glitch or the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

Quote
Steal other Trainer's Pokémon without Gameshark

Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle. You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

(http://i.minus.com/jdrkmggEYxevh.png)(http://i.minus.com/jsKIa2lTQprx4.png)

Requirements:

Item 3 = Lemonade x 1
Item 4 = TM34 x 87
Item 5 = TM08 x 201

ASM:

Code:
WRA1: D322 3E 01   ld a, 01: Put 01h into a
WRA1: D324 EA 57 D0   ld (D057), a: Put 01h into D057
WRA1: D327 C9   ret

Just thought of a way to use this - use the Ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the Pokémon Center you teleported to. Once in the battle, run the code and you now have a stupidly high level Pokémon... am I thinking about this right?

Yes, you're right. You can do this with glitchy Trainers from the Ditto glitch or Old Man glitch to get Pokémon over level 100. There's something I forgot to mention though, a) using 8F counts as using up one turn, so Super Glitch/ moves that freeze the game might be a problem b) you'll still need a Master Ball or other type of Poké Ball to capture the Pokémon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 27, 2013, 10:43:36 am
Which identifier is the first video's glitch roster? It can be 80h, 82h or 87h from the name. I guess only one of them corresponds to that roster.

I don't prefer the Cable Club escape glitch, mainly because of the need for TGB Dual.

Quote
Just thought of a way to use this - use the Ditto trick to set up a battle with a trainer with an abnormal level for a certain route, then set up the bootstrap code at the Pokémon Center you teleported to. Once in the battle, run the code and you now have a stupidly high level Pokémon... am I thinking about this right?
Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)

Btw,
Quote from: http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch#Effects
Unlike the 'death Trainer' found after the ZZAZZ glitch, a Trainer with Red's picture cannot be found by encountering a wild Pokémon and will only be found when trying to encounter an existing Trainer.
This is not true. ZZAZZ glitch won't change wild Pokemon encounters.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 27, 2013, 11:17:21 am
Quote
Due to having an invalid encounter flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags), 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this (http://www.youtube.com/watch?v=8W7RyjER8jM) glitch or the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh)

Well, that's amazing. However, it still requires having a right name. Also, no matter which roster (letter after the MN symbol) I try, Prof. Oak will throw a "◣ゥ 8" (hex C9) out. Maybe this roster on the video has something to do with that Rocket in Silph Co. the author of the video fought previously and lost to?

Also, about the Cable Club escape glitch, it obviously requires access to the Cable Club. Also, to make trainers send out a "94" or "94h", the other trainer needs to own it first. And to own it, Johto guard glitch is needed. And to do this, one needs a hex FF ????? and a bad clone. And this gets far more complicated than the original method.

Anyways, thank you for all that information on encounter flags - maybe I will be able to use this to shorten up my first obtainment method.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 27, 2013, 11:40:50 am
The character before the MN symbol counts, not the one after.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 27, 2013, 11:58:41 am
Doing arbitrary code execution stuff, forgetting how the classic old man glitch works :P
But even when I take the character before as the level byte, I still keep getting the same roster.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 27, 2013, 01:08:07 pm
Quote
Due to having an invalid encounter flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags), 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this (http://www.youtube.com/watch?v=8W7RyjER8jM) glitch or the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh)

Well, that's amazing. However, it still requires having a right name. Also, no matter which roster (letter after the MN symbol) I try, Prof. Oak will throw a "◣ゥ 8" (hex C9) out. Maybe this roster on the video has something to do with that Rocket in Silph Co. the author of the video fought previously and lost to?

The second/fourth/sixth letters only change the wild Pokémon levels, not the Trainer rosters. Roster numbers are normally determined by the memory address D05D. The reason why "◣ゥ 8" (hex C9) is sent out as the first Pokémon is because the game doesn't update D05D with coast-glitch Trainers so the game loads roster 256 (00) if you haven't fought a previous Trainer.

In order to get Professor Oak to have a 94, you must get the game to load roster 28h. The Rocket on Silph Co. 11F just happens to use Rocket roster 28h. You don't have to lose to him to get the roster into memory, you can beat him too.

Anyways, thank you for all that information on encounter flags - maybe I will be able to use this to shorten my first obtainment method.

You're welcome.

Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)

I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 27, 2013, 01:46:53 pm
Due to having an invalid encounter flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags), 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not  $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this (http://www.youtube.com/watch?v=8W7RyjER8jM) glitch or the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 27, 2013, 02:13:04 pm
Due to having an invalid encounter flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags), 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not  $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this (http://www.youtube.com/watch?v=8W7RyjER8jM) glitch or the Cable Club escape glitch (http://bulbapedia.bulbagarden.net/wiki/Cable_Club_escape_glitch) with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).

I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?

In theory they should, however all the Pokémon you mention froze the game when I got them to appear on the opponent's side. You'd need to do the Cable Club blackout glitch in combination with the Johto guard glitch (or maybe the remaining HP glitch (http://profglitch.proboards.com/index.cgi?board=gcltempboard&action=display&thread=368&page=1)) to get them to appear as well.

The only known item mutation glitch Pokémon (when Paco81 and I researched them on the temporary forums) that can be seen without the Cable Club blackout glitch are 94 #213 (via Prof Oak roster 28h) and p PkMnp' ' #230 in Yellow which can be seen via the Ditto glitch with a Special stat of 194.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Vuroja5 on April 27, 2013, 02:53:46 pm
This must be the most significant discovery since the Mew glitch. You've enabled nearly all the useful Select button glitches for use on Red/Blue. Great job TheZZAZZGlitch.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 27, 2013, 11:17:32 pm
Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)

I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.
I was too sleepy to think well. :-[
Yes, you can access 6 glitch rosters with Lance (02h - 07h). However, encountering ZZAZZ glitch trainers doesn't end up fighting the actual roster. The game fetches other data from elsewhere and replaces the roster during the blackout time. For instance, opening the Fly menu before the encounter makes the glitch entirely different.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheDarkAce on April 28, 2013, 08:37:26 am
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.

surely you can use p PKMN p to get the glitch item ws m?
can't remember how p PKMN p works though
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 28, 2013, 10:04:14 am
Actually, if I think more about it, doing it in Yellow is even easier than on Red/Blue.

Encountering p PkMn p' ' in Yellow will add 32 to the identifier of the fifth slot in bag if the item does not have one of the following hexadecimal identifiers: $2X $3X $6X $7X $AX $BX $EX $FX. Having X Speed on the fifth slot and encountering p PkMn p' ' is enough to get "ws m".

Also, bootstrapping code for "ws m" is a lot easier to deploy, as it only relies on Pokemon in the current box, and no specific moves/PP values/stats are needed. The requirements to make "ws m" execute code from 3rd item slot are as follows:

1.  20 Pokémon in your PC box                                         [0xDA7F = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA80 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA81 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA82 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA83 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA84 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA85 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA86 = 0x06]
9.  Growlithe as the 8th Pokémon in the current PC box                [0xDA87 = 0x21]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA88 = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA89 = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8A = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA8B = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA8C = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA8D = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xDA8E = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xDA8F = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA90 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA91 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA92 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA93 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA94 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA95 = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA96 = 0x00]
                                               +-                     [0xDA97 = 0xE9]


ASM:
Code:
; initial value of hl = DA7F
WRA1:DA7F 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA80 25               dec  h      ; hl = D97F
WRA1:DA81 25               dec  h      ; hl = D87F
WRA1:DA82 25               dec  h      ; hl = D77F
WRA1:DA83 25               dec  h      ; hl = D67F
WRA1:DA84 25               dec  h      ; hl = D57F
WRA1:DA85 25               dec  h      ; hl = D47F
WRA1:DA86 06 21            ld   b,21
WRA1:DA88 68               ld   l,b    ; hl = D421
WRA1:DA89 A9               xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8A A9               xor  c
WRA1:DA8B A9               xor  c
WRA1:DA8C A9               xor  c
WRA1:DA8D A9               xor  c
WRA1:DA8E A9               xor  c
WRA1:DA8F A9               xor  c
WRA1:DA90 A9               xor  c
WRA1:DA91 A9               xor  c
WRA1:DA92 A9               xor  c
WRA1:DA93 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA95 25               dec  h      ; hl = D321
WRA1:DA96 00               nop 
WRA1:DA97 E9               jp   hl

Note: All tricks from Red/Blue, with the exception of "changing the second item", won't work in Yellow, as the addresses are different. They need to be modified in order to work.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 28, 2013, 11:45:44 am
That's cool. Nice work.

Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 29, 2013, 10:16:27 am
Now, I wonder if there is a similar item in JP Yellow, and in fr/de/es/it RBY.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: IceMans on April 29, 2013, 10:34:14 am
Interesting, nice to hear that this can be done in Yellow as well as Red and Blue.
Can't wait to try this :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Blaziken257 on April 29, 2013, 09:42:01 pm
This is all impressive, but there's one thing that's been puzzling me...

As for walking through walls and escaping from a trainer battle, it involves storing whatever is in register A into a memory address. However, what value does A happen to be when executing this code? A is never modified in the bootstrap code, and I don't see it anywhere else, either. Or am I missing something?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on April 29, 2013, 10:26:51 pm
When execution gets to the item list, registers are guaranteed to have the following values initially:

Red/Blue:

af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de = 0001 [d=00, e=01]
hl = D322 [h=D3, l=22]

Yellow:

af = 7F40 [a=7F, f=40]
bc = FFC4 [b=FF, c=C4]
de = 0101 [d=01, e=01]
hl = D321 [h=D3, l=21]


Quote
Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).
That was a mistake, thank you for pointing that out.

Edit: Thanks to Torchickens and his information about encounter flags, I have found a new, easier and side-effect-less method of obtaining 8F in Red/Blue. It does not require having a specific name, unlike the previous Prof. Oak's glitch roster method.

Video: http://www.youtube.com/watch?v=WD_GVaQwn8o
Instructions/requirements/execution steps can be found in the first post in this thread.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 30, 2013, 10:08:39 am
Well, just decided to quickly code something for 8F...

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM one wants to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
Code:
D322: 3E xx         ld a, xx
D324: 2E xx         ld l, xx
D326: 26 xx         ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: 3C            inc a
D32B: C9            ret

So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one I tested it with -- on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on May 20, 2013, 07:17:42 am
Wow. TheZZAZZGlitch just wrote a program for pong and executed it using 8F.

Link: here (http://www.youtube.com/watch?v=D3EvpRHL_vk)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 20, 2013, 01:14:01 pm
Wow. TheZZAZZGlitch just wrote a program for pong and executed it using 8F.

Link: here (http://www.youtube.com/watch?v=D3EvpRHL_vk)

looks more like Breakout with no blocks to break, in my opinion.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Abwayax on November 30, 2013, 08:16:49 pm
Congratulations for your epic discovery!

This thread made front page of Hacker News (http://news.ycombinator.com) today, resulting in hundreds of viewers reading the thread and setting a record for the most visitors online (http://forums.glitchcity.info/index.php?action=stats) on our humble forum.

It's awesome that the server can handle this much traffic today. I remember back in the early days when it went down roughly once a week.

The video is also currently the top post in /r/programming (http://www.reddit.com/r/programming/) today.

I would award you "Distinguished Member" status but someone beat me to it. This makes me wish we had something higher. Distinguished Member+ perhaps?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 01, 2013, 07:24:19 am
Wow, that's cool! Congrats TheZZAZZGlitch for your glitch's sudden recognition.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 01, 2013, 10:38:16 am
Wow. I guess this is notable enough we should have realised it'd get a whole lot of recognition sometime. And to think that it was basically luck that caused it: an invalid item just *happened* to have its function point to a place in RAM that could be easily modified...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 02, 2013, 04:54:51 pm
This seems to be getting quite the attention! Here's another article that I found when searching HN:

http://hackaday.com/2013/12/02/pokemon-blue-becomes-an-ide/
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 03, 2013, 03:52:23 am
I find it weird that just about nobody giving this attention has mentioned "ws m" in Yellow..

I guess that's what happens when the first post is all people read.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on December 03, 2013, 06:43:21 am
Now there are always 20+ people reading this thread.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 03, 2013, 07:01:29 am
Now there are always 20+ people reading this thread.

Yeah. And how many of those people actually registered? :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on December 03, 2013, 07:43:49 am
Last member was 15 November. :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 03, 2013, 01:34:55 pm
Last member was 15 November. :P

0, then.

Meh.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 03, 2013, 02:41:57 pm
I'm working on a cheat code compilation video for "ws m", so I'm basically going to show a lot of different item lists and use them for certain cheats (mainly from Matthew Robinson's code archive) and I wondered whether there was an easy way to make the machine continually write to a value like a real Gameshark? Preferably with the ability to turn the code off without resetting.

For instance, D35A changes the music in the current sound bank when you enter a building, but in order for the cheat to work it must be kept on as entering a building changes it to the intended value.

Thanks in advance!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 03, 2013, 04:48:28 pm
I'm working on a cheat code compilation video for "ws m", so I'm basically going to show a lot of different item configurations and use them for certain cheats (mainly from Matthew Robinson's code archive) and I wondered whether there was an easy way to make the machine continually write to a value like a real Gameshark? Preferably with the ability to turn the code off without resetting.

I don't think this is possible. You can't write to ROM, and gameboy definitely doesn't have multi-threading.

Also, "a lot of different item configurations"? You would only really need to base it on this thing that I did. (http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 03, 2013, 05:07:23 pm
I'm working on a cheat code compilation video for "ws m", so I'm basically going to show a lot of different item configurations and use them for certain cheats (mainly from Matthew Robinson's code archive) and I wondered whether there was an easy way to make the machine continually write to a value like a real Gameshark? Preferably with the ability to turn the code off without resetting.

I don't think this is possible. You can't write to ROM, and gameboy definitely doesn't have multi-threading.

Also, "a lot of different item configurations"? You would only really need to base it on this thing that I did. (http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609)

I see, OK. Yes, most of the cheats I've done so far are based on that skeleton.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 03, 2013, 09:30:59 pm
Humourous note: I just went to rename my Onix to what I wanted to change my name to after testing the code at and calling my trainer "ONIX".  Of course, naturally, I now had a different OT and couldn't rename it :D Silly me.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 06, 2013, 04:21:05 pm
OK.

Major new finding:

8F should work in FR/ES/IT/DE R/B.

In all of these, item $5D points to $D168 which in these games is where "Number of Pokémon" is.

But of course, there's a catch.

Seeing as the offsets are different...
The bootstrap code for English R/B won't work!

So using them there will have to wait until me, TheZZAZZGlitch, or a 3rd party goes and plays around with GB asm and makes a nice payload that can jump to $D327 (3rd item type).

And for all you players of Japanese Blue.. 5kai should work there just as well as it works in Japanese R/G.


For Yellow:

In ES/DE/FR/IT Yellow, item $63 calls DA84 (I think this is Number of Pokémon in Current Box, I have yet to confirm this.)

Of course, different bootstrap code is needed here thanks to the offset differences.

In JP yellow, item $BB calls $DB21, which I think is something in the middle of current box pokémon 7. Either Status, or Type 1. I'm not sure which. UPDATE: if I have my calculations correct, it's Type 1. (Thanks Torchickens!) UPDATE 2: It's actually Type 1 of Pokémon 11 in the current box, not Pokémon 7. (Thanks again Torchickens!)

This would require whole new bootstrap code, it cannot be based on any of the others.

Another update:

Here's bootstrap code for European R/B. TheZZAZZGlitch, thanks a lot for using relative jumps and making my life easier, it only requires one byte change! Please note that I haven't tested this yet and probably won't have a chance to today, but if it doesn't work, I will probably update this post with the working code.

OK, here we go...

1.  6 Pokémon                                                         [0xD168 = 0x06]
2.  Graveler as the first Pokémon                                     [0xD169 = 0x27]
3.  Pidgey as the second Pokémon                                      [0xD16A = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD16B = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD16C = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1BA = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1BB = 0x55]
8.  36 PP left on the fourth Pokémon's first move                     [0xD211 = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD212 = 0x18]
10. 20 PP left on the fourth Pokémon's third move                     [0xD213 = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD228 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD229 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD230 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD271 = 0xE9]


Code:
; -- EU R/B
; -- hl: D168
D168: 06 27  ld b,27 ; b=27
D16A: 24     inc h   ; hl = D268
D16B: 18 4D  jr D1BA

D1BA: 18 55  jr D211

D211: 24     inc h   ; hl = D368
D212: 18 14  jr D228

D228: 68     ld l,b  ; hl = D327
D229: 18 46  jr D271

D271: E9     jp hl

EDIT: Just tested, and this payload works totally fine on FR Blue.

Yet another update:

And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]


Code:
; -- EU YELLOW
; initial value of hl = DA84
WRA1:DA84 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA85 25               dec  h      ; hl = D984
WRA1:DA86 25               dec  h      ; hl = D884
WRA1:DA87 25               dec  h      ; hl = D784
WRA1:DA88 25               dec  h      ; hl = D684
WRA1:DA89 25               dec  h      ; hl = D584
WRA1:DA8A 25               dec  h      ; hl = D484
WRA1:DA8B 06 26            ld   b,26
WRA1:DA8D 68               ld   l,b    ; hl = D426
WRA1:DA8E A9               xor  c      ; offset hack: do nothing until ip=DA98
WRA1:DA8F A9               xor  c
WRA1:DA90 A9               xor  c
WRA1:DA91 A9               xor  c
WRA1:DA92 A9               xor  c
WRA1:DA93 A9               xor  c
WRA1:DA94 A9               xor  c
WRA1:DA95 A9               xor  c
WRA1:DA96 A9               xor  c
WRA1:DA97 A9               xor  c
WRA1:DA98 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA9A 25               dec  h      ; hl = D326
WRA1:DA9B 00               nop 
WRA1:DA9C E9               jp   hl

Tested working with FR Yellow. :)
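As an added example (not code from this thread or from any of the posters), here is a small Python tracer for the handful of SM83 (Game Boy CPU) opcodes that the listings in this thread use. It serves three passages at once: TheZZAZZGlitch's English Yellow "ws m" bootstrap, Wack0's byte-poke payload (the pseudo-GameShark item list) and the EU R/B bootstrap in this post. The byte values and addresses are copied from those listings (D322 as the item 3 id byte in English R/B comes from Wack0's post); the function names, the register model and the assumption that an unmapped byte reads as FF are mine.

```python
"""Tracer for the SM83 opcode subset used by the bootstraps and the byte-poke
payload in this thread. Added example, not code from the thread: bytes and
addresses come from the listings, everything else (names, register model,
unmapped RAM reading as FF) is an assumption."""

LD_IMM = {0x06: "b", 0x26: "h", 0x2E: "l", 0x3E: "a"}   # ld r,n opcodes
INC = {0x04: "b", 0x14: "d", 0x24: "h", 0x3C: "a"}      # inc r opcodes


def trace(mem, pc, regs=None, max_steps=64):
    """Run from pc until `ret` or `jp hl`. Returns (stop, regs, pc, mem)."""
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "e": 0, "h": 0, "l": 0}
    r.update(regs or {})
    for _ in range(max_steps):
        op = mem.get(pc, 0xFF)          # unmapped byte -> FF (rst 38): assumption
        if op == 0x00:                  # nop
            pc += 1
        elif op in INC:                 # inc b / inc d / inc h / inc a
            r[INC[op]] = (r[INC[op]] + 1) & 0xFF
            pc += 1
        elif op == 0x25:                # dec h
            r["h"] = (r["h"] - 1) & 0xFF
            pc += 1
        elif op in LD_IMM:              # ld b,n / ld h,n / ld l,n / ld a,n
            r[LD_IMM[op]] = mem.get(pc + 1, 0xFF)
            pc += 2
        elif op == 0x18:                # jr e: signed offset from the next instruction
            e = mem.get(pc + 1, 0xFF)
            pc = (pc + 2 + (e - 0x100 if e > 0x7F else e)) & 0xFFFF
        elif op == 0x68:                # ld l,b
            r["l"] = r["b"]
            pc += 1
        elif op == 0x77:                # ld (hl),a: the actual RAM write
            mem[(r["h"] << 8) | r["l"]] = r["a"]
            pc += 1
        elif op == 0xA9:                # xor c (only a changes; flags are not modelled)
            r["a"] ^= r["c"]
            pc += 1
        elif op == 0xC9:                # ret: payload returns to the game
            return "ret", r, pc, mem
        elif op == 0xE9:                # jp hl: bootstrap hands control to the item list
            return "jp", r, (r["h"] << 8) | r["l"], mem
        else:
            raise ValueError("opcode %02X at %04X is outside the traced subset" % (op, pc))
    raise RuntimeError("no ret / jp hl within %d steps" % max_steps)


def load(mem, base, data):
    """Place a byte sequence into the memory dict starting at base."""
    for i, byte in enumerate(data):
        mem[base + i] = byte
    return mem


def ws_m_bootstrap_target():
    """EN Yellow 'ws m' bootstrap: the box list bytes from DA7F, hl starts at DA7F."""
    mem = load({}, 0xDA7F, [0x14] + [0x25] * 6 + [0x06, 0x21, 0x68]
               + [0xA9] * 10 + [0x06, 0xFF, 0x25, 0x00, 0xE9])
    stop, _, pc, _ = trace(mem, 0xDA7F, {"h": 0xDA, "l": 0x7F})
    return stop, pc          # expected ('jp', 0xD321): item 3's id byte in Yellow


def eu_rb_bootstrap_target():
    """EU R/B bootstrap: the five fragments of the listing above, hl starts at D168."""
    mem = load({}, 0xD168, [0x06, 0x27, 0x24, 0x18, 0x4D])
    load(mem, 0xD1BA, [0x18, 0x55])
    load(mem, 0xD211, [0x24, 0x18, 0x14])
    load(mem, 0xD228, [0x68, 0x18, 0x46])
    load(mem, 0xD271, [0xE9])
    stop, _, pc, _ = trace(mem, 0xD168, {"h": 0xD1, "l": 0x68})
    return stop, pc          # expected ('jp', 0xD327): item 3's id byte in EU R/B


# Gen I item ids whose opcode values the byte-poke payload relies on.
ITEM = {"Lemonade": 0x3E, "X Accuracy": 0x2E, "Carbos": 0x26,
        "Poke Ball": 0x04, "Fresh Water": 0x3C}


def gameshark_to_items(code):
    """'01VVLLHH' -> (item, quantity) pairs for bag slots 3..7, as in Wack0's post."""
    code = code.strip().upper()
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("only 01-type (single RAM write) codes are supported")
    vv, ll, hh = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [("Lemonade", vv), ("X Accuracy", ll), ("Carbos", hh),
            ("Poke Ball", 0x77), ("Fresh Water", 0xC9)]


def poke_write(code):
    """Lay the item list out from D322 (EN R/B item 3) and trace the write it performs."""
    items = gameshark_to_items(code)
    mem = load({}, 0xD322, [b for name, qty in items for b in (ITEM[name], qty)])
    stop, _, _, mem = trace(mem, 0xD322, {"h": 0xD3, "l": 0x22})
    addr = int(code[6:8] + code[4:6], 16)    # GS codes store the address little-endian
    return stop, addr, mem[addr]
```

The tracer models only the opcodes these listings use and ignores flags, which is enough because none of the bootstraps branch conditionally. The Yellow trace should land on D321, the value TheZZAZZGlitch posted for hl when execution reaches the item list in Yellow, and the EU trace on D327, the item 3 address Wack0 names; `poke_write("011559D0")` should report a `ret` after a single write of 0x15 to D059, with item quantities 21, 89, 208, 119 and 201, matching the worked item list in Wack0's post.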
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 07, 2013, 03:33:54 am
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:59:17 am
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

I know. I was tired last night. The code works though.

EDIT: fixed now.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 07, 2013, 05:05:47 am
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

I know. I was tired last night. The code works though.

EDIT: fixed now.
Hence "nothing major" :P

I just thought you might like to know.

Thanks for all the work you did :o I'm sure TheZZAZZGlitch will be happy if he sees it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 06:19:35 am
Dammit, looks like it's a no go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute.. on Japanese Yellow 1.2 $BB's name IS properly terminated..

...but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(

that's odd. During battle when that item is used, the bp at the jump at the end of UseItem is hit.. but hl=$2801 ?!?!??!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 06:45:54 am
Dammit, looks like it's a no go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute.. on Japanese Yellow 1.2 $BB's name IS properly terminated..

...but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(

You can use $BB in battle without any use/toss menu as if it was a Poké Ball. Does this work?

edit: Oops, ninja'd by your edit xD.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 06:49:35 am
funfact: was just starting to code a payload, and I decided to check if pc reached what I thought it was going to reach.

And it didn't, so.. dafuq's up with that.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 06:56:23 am
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 07:02:08 am
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 07:13:21 am
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer♀ glitches (http://forums.glitchcity.info/index.php/topic,715.msg189104.html#msg189104). It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.

Edit: On changing the 11th Pokémon to one of those level 127 Ketsuban, $BB worked the same but changed the opponent into a level 127 Pikachu, however, I'm pretty sure that this is just Japanese Yellow's equivalent of the level 127 Horsea that will appear instead if you mess up the graphics on your side after sending out any Missingno. into battle.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 07:16:27 am
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer♀ glitches (http://forums.glitchcity.info/index.php/topic,715.msg189104.html#msg189104). It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.

What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 07:20:56 am
What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04
AA13E886A47FD473DA63B7D5DDF2828D, so it's v1.0 then.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 07:22:59 am
Btw, I believe that in v1.1 and v1.2 it just locks up in battle on the items list with the white arrow pointer.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on December 07, 2013, 07:36:43 am
Quote
My item pointer table dumper shows that the valid items point to what they should.

Remember that because of Gen I's broken pointer arithmetic, item with ID $80 acts like $00, $81 like $01, $82 like $02, etc., and your pointer table dumper should take that into account. This would mean that $BB acts like $3B. $3B is an unused 'Coin' item, and that would explain everything, since it's programmed to do nothing.

Japanese Yellow has item $63 ('かいがらバッヂ'), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'...
My ROM (telling by the checksum) seems to be v1.0.

Quote
Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban

It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (the method of doing this is the same as in international releases). Also, by accident I found that the Japanese version of hooked Metapod is hooked Diglett :D
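The aliasing TheZZAZZGlitch describes above can be checked by modelling the 8-bit arithmetic. What follows is an added example in Python, not code from the thread or from the game. It assumes the item-use routine turns an item ID into a pointer-table byte offset by decrementing it and doubling it in an 8-bit register (so the carry from the doubling is lost), and that IDs from HM01 ($C4) upward take a separate TM/HM path and never reach that table; both are assumptions about the game's code, and the table length is taken as a parameter rather than hard-coded.

```python
# Added example, not code from the thread or the game. It models the aliasing
# TheZZAZZGlitch describes. Assumption: the item-use routine turns the item ID
# into a pointer-table byte offset with  dec a ; add a  in 8-bit registers, so
# the carry out of the doubling is lost; a further assumption is that IDs from
# HM01 ($C4) upward take a separate TM/HM path and never reach that table.

HM01 = 0xC4
TABLE_DISPATCHED_IDS = range(HM01)   # IDs that go through the pointer table


def table_offset(item_id: int) -> int:
    """Byte offset into the item-use pointer table that the game really uses."""
    a = (item_id - 1) & 0xFF      # dec a: $00 wraps round to $FF
    return (a + a) & 0xFF         # add a: the carry out of bit 7 is discarded


def effective_item_id(item_id: int) -> int:
    """Lowest ID selecting the same table entry: the ID this one 'acts like'."""
    off = table_offset(item_id)
    return min(i for i in TABLE_DISPATCHED_IDS if table_offset(i) == off)


def aliases(item_id: int) -> list:
    """Every table-dispatched ID that shares a table entry with item_id."""
    return [i for i in TABLE_DISPATCHED_IDS
            if table_offset(i) == table_offset(item_id)]


def reads_past_table(item_id: int, real_entries: int) -> bool:
    """True when the offset lies beyond a table of real_entries two-byte pointers,
    so the 'handler' is whatever bytes happen to follow the table."""
    return table_offset(item_id) >= 2 * real_entries


if __name__ == "__main__":
    for item in (0x80, 0x81, 0xBB, 0x5D):
        print(f"${item:02X}: offset ${table_offset(item):02X}, acts like "
              f"${effective_item_id(item):02X}, aliases {[f'${x:02X}' for x in aliases(item)]}")
```

A pointer-table dumper that indexes by the raw ID shows the right handler for $3B and a different, misleading one for $BB; running the ID through effective_item_id() first removes that discrepancy, and reads_past_table() flags the IDs whose "handler" is not a table entry at all.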
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 07:38:29 am
Japanese Yellow has item $63 ('かいがらバッヂ'), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'...

Thanks. If I had known that D9B2 is the number of Pokémon in the current box in JP Yellow (and that the offsets are the same in 1.0, 1.1 and 1.2), I'd have found this out.

Will modify your payload to work with it now.

EDIT: Here. Again, only one byte needed to be changed.

1.  20 Pokémon in your PC box                                         [0xD9B2 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xD9B3 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xD9B4 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xD9B5 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xD9B6 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xD9B7 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xD9B8 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xD9B9 = 0x06]
9.  Raticate as the 8th Pokémon in the current PC box                 [0xD9BA = 0xA6]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xD9BB = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xD9BC = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xD9BD = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xD9BE = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xD9BF = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xD9C0 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                 [0xD9C1 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                 [0xD9C2 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xD9C3 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xD9C4 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xD9C5 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xD9C6 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xD9C7 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xD9C8 = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xD9C9 = 0x00]
                                               +-                     [0xD9CA = 0xE9]


Code:
; -- JP YELLOW [1.0, 1.1 and 1.2]
; initial value of hl = D9B2
WRA1:D9B2 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:D9B3 25               dec  h      ; hl = D884
WRA1:D9B4 25               dec  h      ; hl = D784
WRA1:D9B5 25               dec  h      ; hl = D684
WRA1:D9B6 25               dec  h      ; hl = D584
WRA1:D9B7 25               dec  h      ; hl = D484
WRA1:D9B8 25               dec  h      ; hl = D384
WRA1:D9B9 06 A6            ld   b,A6
WRA1:D9BB 68               ld   l,b    ; hl = D3A6
WRA1:D9BC A9               xor  c      ; offset hack: do nothing until ip=DA93
WRA1:D9BD A9               xor  c
WRA1:D9BE A9               xor  c
WRA1:D9BF A9               xor  c
WRA1:D9C0 A9               xor  c
WRA1:D9C1 A9               xor  c
WRA1:D9C2 A9               xor  c
WRA1:D9C3 A9               xor  c
WRA1:D9C4 A9               xor  c
WRA1:D9C5 A9               xor  c
WRA1:D9C6 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:D9C8 25               dec  h      ; hl = D2A6
WRA1:D9C9 00               nop 
WRA1:D9CA E9               jp   hl
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 07:52:50 am
Quote
My item pointer table dumper shows that the valid items point to what they should.

Remember that because of Gen I's broken pointer arithmetic, item with ID $80 acts like $00, $81 like $01, $82 like $02, etc., and your pointer table dumper should take that into account. This would mean that $BB acts like $3B. $3B is an unused 'Coin' item, and that would explain everything, since it's programmed to do nothing.

Japanese Yellow has item $63 ('かいがらバッヂ'), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'...
My ROM (telling by the checksum) seems to be v1.0.

It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (method of doing this is the same as in international releases)

<offtop>Suddenly, when I wasn't looking, my thread became popular like chocolate ;p</offtop>
Interesting, TheZZAZZGlitch. I never knew that.

Thanks for coming to the rescue! It's pretty cool that 'かいがらバッヂ' happens to be the equivalent of 'w sm', because that is one of the 'mysterious unused text (http://fryguy64.proboards.com/thread/4084/unused-pok-mon-green-text?page=1&scrollTo=105812)' entries from Red/Green: ShellBadge.

Btw, I believe that in v1.1 and v1.2 it just locks up in battle on the items list with the white arrow pointer.

I just tested them now. It seems to have a completely different name on Rev A and B ('イ゙ぴま') instead of 'ぐ(down arrow)へ', and viewing its name doesn't cause characters to be shown at the bottom of the screen.

The battle corruption works in all versions, but you have to press A again after the cursor has gone white. Haven't tested if the Pokémon you get are the same.

Quote
Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban

It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (method of doing this is the same as in international releases)

<offtop>Suddenly, when I wasn't looking, my thread became popular like chocolate ;p</offtop>

It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on December 07, 2013, 08:15:32 am
Quote
It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.

It doesn't look like it, but it is improperly terminated. In v1.1 and v1.2, its glitched name contains a $00 character, which (for some unknown reason) causes the text engine to stop reading the name, making it look harmless. But it still does not have the $50 character which is used to terminate text strings, and causes all the Super Glitch-like effects.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 08:22:29 am
Quote
It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.

It doesn't look like it, but it is improperly terminated. In v1.1 and v1.2, its glitched name contains a $00 character, which (for some unknown reason) causes the text engine to stop reading the name, making it look harmless. But it still does not have the $50 character which is used to terminate text strings, and causes all the Super Glitch-like effects.

Ah, OK.

edit: I'm still confused about something — you have to try to use the item to get the corruption to work, unlike move 00 where glitches would occur by scrolling down (I still don't fully understand why that is, though I know from your Super Glitch thread that the game reads the invalid name from somewhere in battle but not on the summary).

edit2: By the way, your images on your Super Glitch thread no longer work. (Smartfeel gives a 404 Error File Not Found). I thought I'd let you know if you still have those images and want to replace them.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on December 07, 2013, 08:49:50 am
Quote
I'm still confused about something — you have to try to use the item to get the corruption to work, unlike move 00 where glitches would occur by scrolling down (I still don't fully understand why that is, though I know from your Super Glitch thread that the game reads the invalid name from somewhere in battle but not on the summary).

The whole corruption effect occurs when the name is loaded into memory. For items, it is when the Use/Toss menu is displayed. For moves, it occurs when hovering the cursor over a glitched move.

For moves, the memory corruption actually occurs 2 times: Once after viewing the moveset/move list, and once when hovering the cursor over the move.

Quote
By the way, your images on your Super Glitch thread no longer work.

I should still have the images somewhere on my disk, replacing them shouldn't be a problem.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 08:59:38 am
OK, thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 09:14:21 am
For items, it is when the Use/Toss menu is displayed.

So the nice freeze when the Use/Toss menu should be displayed makes sense...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 10:35:29 am
And now for something completely different:

Enter the Hall of Fame with 8F:

Does what it says. This is for R/B English, offsets will be different everywhere else.

Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35d6
ret

0e 16 26 64 2e bb 41 40 cd d6 35 c9

Awakening  x 22
Carbos     x100
X Accuracy x187
X Attack   x 64
TM05       x214
Revive     x201


This basically calls a function labeled in the pokered disasm as "HallofFameRoomScript2". It basically changes some addresses, saves (using a function called "SaveSAVToSRAM"), and calls a function that does hall of fame and credits, then at "The End" waits for a button press and jumps to a function called "InitGame" (soft reset).
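To check an item list against its byte string and see where a payload transfers control, here is an added example in Python; it is not code from Wack0 or from anyone in the thread. It re-derives the Hall of Fame byte string above from its item list and walks the JP Yellow PC-box bootstrap from earlier on this page to see where its jp hl lands. Assumptions: the English Gen I item IDs listed in ITEM_IDS (TM01 = $C9, so TMnn = $C8 + nn), the species indices given in Wack0's box listing, that the R/B payload starts in bag slot 3 at $D322, and that register c is 0 when execution reaches the items. Only the opcodes these two payloads use are modelled.

```python
# Added example, not code from the thread. Encodes a bag item list to the bytes
# the game sees, disassembles the handful of SM83 opcodes the payloads here use,
# and traces straight-line execution up to the first control transfer.
# Assumptions: English Gen I item IDs below (TM01 = $C9, so TMnn = $C8 + nn);
# species indices as given in Wack0's box listing; the R/B payload starts in bag
# slot 3 at $D322; register c is 0 when execution reaches the items.

ITEM_IDS = {
    "Awakening": 0x0E, "Carbos": 0x26, "X Accuracy": 0x2E, "X Attack": 0x41,
    "TM05": 0xCD, "Revive": 0x35, "Lemonade": 0x3E, "Escape Rope": 0x1D,
}
SPECIES = {"Slowpoke": 0x25, "Voltorb": 0x06, "Raticate": 0xA6,
           "Jolteon": 0x68, "Geodude": 0xA9}

# opcode -> (mnemonic template, operand byte count); 16-bit operands are little-endian
OPS = {
    0x00: ("nop", 0), 0x06: ("ld b,${0:02X}", 1), 0x0E: ("ld c,${0:02X}", 1),
    0x14: ("inc d", 0), 0x25: ("dec h", 0), 0x26: ("ld h,${0:02X}", 1),
    0x2E: ("ld l,${0:02X}", 1), 0x40: ("ld b,b", 0), 0x41: ("ld b,c", 0),
    0x68: ("ld l,b", 0), 0xA9: ("xor c", 0), 0xC9: ("ret", 0),
    0xCD: ("call ${1:02X}{0:02X}", 2), 0xE9: ("jp hl", 0), 0xFF: ("rst $38", 0),
}


def encode_item_list(items):
    """[(item name, quantity), ...] -> the ID/quantity byte pairs of those bag slots."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)


def disassemble(code, base):
    """Linear sweep over code loaded at base; returns [(address, mnemonic)]."""
    lines, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"opcode ${op:02X} at ${base + pc:04X} is not in the table")
        mnem, n = OPS[op]
        operands = code[pc + 1:pc + 1 + n]
        if len(operands) < n:
            raise ValueError(f"instruction at ${base + pc:04X} runs past the buffer")
        lines.append((base + pc, mnem.format(*operands)))
        pc += 1 + n
    return lines


def trace(code, base, hl, c=0):
    """Execute from base until the first control transfer.
    Returns (event, target, b, hl): for a Bankswitch-style call this shows the
    bank in b and the address in hl; for "jp hl" it shows where execution goes."""
    h, l, a, b, pc = hl >> 8, hl & 0xFF, 0, 0, 0
    while pc < len(code):
        op = code[pc]
        if op in (0x00, 0x14, 0x40):          # nop, inc d (d not tracked), ld b,b
            pass
        elif op == 0x25: h = (h - 1) & 0xFF   # dec h: the bootstrap's "offset hack"
        elif op == 0x06: b = code[pc + 1]; pc += 1
        elif op == 0x0E: c = code[pc + 1]; pc += 1
        elif op == 0x26: h = code[pc + 1]; pc += 1
        elif op == 0x2E: l = code[pc + 1]; pc += 1
        elif op == 0x41: b = c
        elif op == 0x68: l = b
        elif op == 0xA9: a ^= c
        elif op == 0xE9: return ("jp hl", (h << 8) | l, b, (h << 8) | l)
        elif op == 0xFF: return ("rst $38", 0x0038, b, (h << 8) | l)
        elif op == 0xCD: return ("call", code[pc + 1] | (code[pc + 2] << 8), b, (h << 8) | l)
        elif op == 0xC9: return ("ret", None, b, (h << 8) | l)
        else:
            raise ValueError(f"opcode ${op:02X} at ${base + pc:04X} is not modelled")
        pc += 1
    return ("fell off end", base + pc, b, (h << 8) | l)


# Wack0's English R/B Hall of Fame list, as posted above
HOF_ITEMS = [("Awakening", 22), ("Carbos", 100), ("X Accuracy", 187),
             ("X Attack", 64), ("TM05", 214), ("Revive", 201)]

# Wack0's JP Yellow box set-up: count byte, 20 species, $FF terminator, then the
# first stored Pokémon's species and current HP (233 = $00E9)
BOX_ORDER = ["Slowpoke"] * 6 + ["Voltorb", "Raticate", "Jolteon"] + ["Geodude"] * 10 + ["Voltorb"]
BOX_BYTES = bytes([len(BOX_ORDER)] + [SPECIES[s] for s in BOX_ORDER]
                  + [0xFF, SPECIES["Slowpoke"], 0x00, 0xE9])

if __name__ == "__main__":
    code = encode_item_list(HOF_ITEMS)
    print(code.hex(" "))                          # the 12 bytes listed in the post
    for addr, text in disassemble(code, 0xD322):
        print(f"{addr:04X}  {text}")
    print(trace(code, 0xD322, hl=0))              # call $35D6 with b = $16, hl = $64BB
    print(trace(BOX_BYTES, 0xD9B2, hl=0xD9B2))    # jp hl lands at $D2A6
```

The disassembler refuses any byte outside its table rather than guessing, which is what makes it useful as a check: an item list that encodes to an unexpected opcode fails loudly instead of producing a plausible-looking listing. The trace of the box bootstrap also confirms that the $FF terminator is consumed as the operand of ld b,$FF and never executed as rst $38.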
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 10:47:38 am
Here is a list of 'w sm' cheats I made for Pokémon Yellow. Most of them are simple but some could possibly be improved if no glitch items are required/key items with more than one quantity. Thanks TheZZAZZGlitch for the original versions of at least two of these codes.

The unused tune code is based on this video (https://www.youtube.com/watch?v=iNrO_qEYP3c) but Pokechu22 found that you can just change addresses C007, C009 and C00B to $68. I'm not sure if that allows for a better set-up.

I thought I'd post these after Wack0 posted his Hall of Fame code.
__________________________________
Walk through walls (ledge required):

EA 13 D7 C9

Code:
ld (D713), a
ret

TM34 x19
TM15 x201

___________________________________
Walk through walls (no ledge needed):

3E 01 EA 38 CD C9

Code:
ld a, 01
ld (CD38), a
ret

Lemonade x1
TM34 x56
TM05 x201

___________________________________

Play RBY unused tune:


93 8C F8 F7 02 40 CD 7D 2D C9


Code:
sub e
adc a,h
ld hl,sp-9
ld (bc),a
ld b,b
call $2D7D
ret

Anywhere not specified: w sm
Item 3: Glitch item 93h x140
Item 4: TM48 x247
Item 5: Ultra Ball x64
Item 6: TM05 x125
Item 7: Bike Voucher x201
____________________________________________________________________________

Steal other Trainer's Pokémon/escape from Trainer battle:

3E 01 EA 56 D0 C9

Code:
ld a, 01
ld (D056), a
ret

Lemonade x1
TM34 x86
TM08 x201

___________________________________________________________________________________

Play Gym Leader music:

Code:
WRA1: D321 EA 5B D0               ld (D05B), a  : Put 63h into D05B
WRA1: D324 C9                     ret

Item 3 = TM34 x 91
Item 4 = TM08 x 201
___________________________________________________________________________________

Battle Safari Zone style:

Code:
WRA1: D321 3E 02                  ld a, 02 : Put 02h into a
WRA1: D323 EA 59 D0               ld (D059), a  : Put 02h into D059
WRA1: D326 C9   ret

Lemonade x2
TM34 x89
TM08 x201

___________________

Hurry, get away! battle:

Code:
WRA1: D321 3E 03                  ld a, 03 : Put 03h into a
WRA1: D323 EA 59 D0               ld (D059), a  : Put 03h into D059
WRA1: D326 C9   ret

Lemonade x3
TM34 x89
TM08 x201

___________________

Battle any Pokémon 1 : ID = item 3 quantity (level =last Pokémon battled/withdrawn)

3E xx EA 58 D0 C9

Code:
ld a, xx
ld (D058),a
ret

Lemonade x1
TM34 x88
TM08 x201

____________________________________________________________________________________

Battle any Pokémon 2 : ID = item 1 quantity (level =last Pokémon battled/withdrawn)


Code:
WRA1:D321 FA 1E D3         ld   a,(D31E)
WRA1:D324 04               inc  b
WRA1:D325 EA 58 D0         ld   (D058),a
WRA1:D328 C9               ret

TM50 x 30
TM11 x 04
TM34 x 88
TM08 x 201

_____________________________________________________________________________________

Battle any Pokémon (level = 1st item quantity. ID = 6th item quantity)

FA 1E D3 EA 26 D1 3E xx EA 58 D0 C9

Code:
ld a, (D31E)
ld (D126),a
ld a, xx
ld (D058),a
ret

TM50 x30
TM11 x234
Carbos x209
Lemonade x (X)
TM34 x88
TM08 x201

_____________________________________________________________________________________


Change the second item +1

Code:
WRA1:D321 0C               inc  c
WRA1:D322 2B               dec  hl
WRA1:D323 0D               dec  c
WRA1:D324 2B               dec  hl
WRA1:D325 34               inc  (hl)
WRA1:D326 C9               ret

Burn Heal x43
Ice Heal x43
Full Heal x201

________________

Change the enemy species in battle

3E xx EA D7 CF C9

Lemonade x (X)
TM34 x 215
TM07 x 201

Code:
ld a, xx
ld (CFD7), a
ret

________________

Champion Blue's team

3E xx EA 14 D7 C9

Code:
ld a, xx
ld (D714), a
ret

Examples: 05 : one Gastly level 22, 77h: level 152 Q

Lemonade x (X)
TM34 x20
TM15 x201

________________

See the unused town's Town Map data (requires Town Map/Fly):

3E 0B EA 5D D3 C9

Code:
ld a, 0B
ld (D35D), a
ret

Lemonade x11
TM34 x93
TM11 x201

_______________

Map exit modifier:

3E xx EA 64 D3 C9

Code:
ld a, xx
ld (D364), a
ret

Lemonade x (X)
TM34 x 100
TM11 x 201

______________

Make Pikachu stay:

Code:
06 16    | ld b,$16
26 39    | ld h,$39
2E 64    | ld l,$64
CD 84 3E | call $3E84
C9       | ret

Bicycle x22
Carbos x57
X Accuracy x100
TM05 x132
Lemonade x201

_______________

Trigger Hall of Fame script (not recommended because you can walk up and get bad glitch text and maybe go off the boundaries. Additionally, you need two more glitch items):

3E 39 EA 6D D3 3E 64 EA 6E D3 3E 76 EA 5D D3 C9

Code:
ld a, 39
ld (D36D), a
ld a, 64
ld (D36E), a
ld a,76
ld (D35D), a
ret

Lemonade x57
TM34 x109
TM11 x62
glitch item 64h x234
glitch item 6Eh x211
Lemonade x118
TM34 x 93
TM11 x 201

_______________

Map color modifier:

3E xx EA 5C D3 C9

Code:
ld a, xx
ld (D35C), a
ret

Lemonade x (X)
TM34 x92
TM11 x201

_________________
Pikachu's happiness modifier:

3E xx EA 6F D4 C9

Code:
ld a, xx
ld (D46F), a
ret

Lemonade x (X)
TM34 x 111
TM12 x 201

__________________
Teach Pokémon 1 Surf (first move):

3E 39 EA 72 D1 C9

Code:
ld a, 39
ld (D172), a
ret

Lemonade x 57
TM34 x 114
TM09 x 201

__________________

Music tempo modifier:

3E xx EA E9 C0 C9

Code:
ld a, xx
ld (C0E9),a
ret

Lemonade x (X)
TM34 x 233
'small hiragana a' x 201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 11:10:16 am
Enter the Hall of Fame with "ws m" in English Yellow:

(http://goput.it/4hc5.png)

Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e84
ret

0e 16 26 64 2e 56 41 40 cd 84 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x132
Lemonade   x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 11:56:20 am
Play Pikachu's Beach in US Yellow:
Please note: the menus don't spawn when you exit Pikachu's Beach, just press B twice to exit them.

(http://goput.it/7cna.png)

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e84
ret

0e 3e 26 40 1D 6B 41 40 cd 84 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x132
Lemonade    x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 07, 2013, 12:05:17 pm
For those who are curious, the Pikachu's Beach code starts at 3E:4000. That's 0xF8000.

Part of the Pikachu's Beach code starts at 3E:407A (0xF807A), but executing that alone will cause glitches, including the music not changing and the HP value not displayed correctly. (That pointer in Japanese Yellow can be found here (http://psense.lib.net/Analysis/RGB/poke_y/surf.html).)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 01:09:44 pm
Enter the Hall of Fame with 5kai in Japanese R/G v1.0:

Code:
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $3620
ret

0e 16 26 7b 2e e4 41 40 cd 20 36 c9

Awakening  x 22
Carbos     x123
X Accuracy x228
X Attack   x 64
TM05       x 45
Max Revive x201


...and in Japanese Blue:

(http://goput.it/c42w.png)

Code:
ld c,$16
ld h,$7e
ld l,$29
ld b,c
ld b,b
call $3636
ret

0e 16 26 7e 2e 29 41 40 cd 36 36 c9

Awakening  x 22
Carbos     x126
X Accuracy x 41
X Attack   x 64
TM05       x 54
Max Revive x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 02:50:53 pm
Enter the Hall of Fame with かいがらバッヂ in Japanese Yellow v1.1 and v1.2:

(http://goput.it/0p76.png)

Code:
ld c,$16
ld h,$7d
ld l,$c8
ld b,c
ld b,b
call $3e7e
ret

0e 16 26 7d 2e c8 41 40 cd 7e 3e c9

Awakening  x 22
Carbos     x125
X Accuracy x200
X Attack   x 64
TM05       x126
Lemonade   x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 02:56:44 pm
Play Pikachu's Beach with かいがらバッヂ in Japanese Yellow v1.1 and v1.2:

(http://goput.it/w716.png)

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e7e
ret

0e 3e 26 40 1D 6B 41 40 cd 7e 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x126
Lemonade    x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 03:25:42 pm
Enter the Hall of Fame with P7 in Spanish R/B:

(http://goput.it/w77h.png)

Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f5
ret

0e 16 26 64 2e bb 41 40 cd f5 35 c9

Awakening (Despertar)    x 22
Carbos (Carburante)      x100
X Accuracy (Precisión X) x187
X Attack (Ataque X)      x 64
TM05 (MT05)              x245
Revive (Revivir)         x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 03:46:27 pm
Enter the Hall of Fame with S7 in German R/B:

(http://goput.it/m6p2.png)

Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f0
ret

0e 16 26 64 2e bb 41 40 cd f0 35 c9

Awakening (Aufwecker)  x 22
Carbos (Carbon)        x100
X Accuracy (X-Treffer) x187
X Attack (X-Angriff)   x 64
TM05                   x240
Revive (Beleber)       x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:01:45 pm
Enter the Hall of Fame with 7eme Etage in French R/B:

(http://goput.it/34y8.png)

Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f3
ret

0e 16 26 64 2e bb 41 40 cd f3 35 c9

Awakening (Reveil)       x 22
Carbos (Carbone)         x100
X Accuracy (Precision +) x187
X Attack (Attaque +)     x 64
TM05 (CT05)              x243
Revive (Rappel)          x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:23:24 pm
Enter the Hall of Fame with 7ºP in Italian R/B:

(http://goput.it/v30e.png)

Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35ee
ret

0e 16 26 64 2e bb 41 40 cd ee 35 c9

Awakening (Sveglia)       x 22
Carbos (Carburante)       x100
X Accuracy (Precisione X) x187
X Attack (Attacco X)      x 64
TM05 (MT05)               x238
Revive (Revitaliz.)       x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:35:06 pm
Enter the Hall of Fame with ws m in Spanish and German Yellow:

(http://goput.it/3tka.png)

Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e89
ret

0e 16 26 64 2e 56 41 40 cd 89 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x137
Lemonade   x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:40:25 pm
Play Pikachu's Beach with ws m in Spanish and German Yellow:

(http://goput.it/ujyu.png)

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e89
ret

0e 3e 26 40 1D 6B 41 40 cd 89 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x137
Lemonade    x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:48:23 pm
Enter the Hall of Fame with ws m in French Yellow:

(http://goput.it/i6fa.png)

Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e87
ret

0e 16 26 64 2e 56 41 40 cd 87 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x135
Lemonade   x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:53:14 pm
Play Pikachu's Beach with ws m in French Yellow:

(http://goput.it/bdvt.png)

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e87
ret

0e 3e 26 40 1D 6B 41 40 cd 87 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x135
Lemonade    x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 04:59:04 pm
Enter the Hall of Fame with ws m in Italian Yellow:

(http://goput.it/r9qq.png)

Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e82
ret

0e 16 26 64 2e 56 41 40 cd 82 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x130
Lemonade   x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 07, 2013, 05:03:11 pm
Play Pikachu's Beach with ws m in Italian Yellow:

(http://goput.it/ko4d.png)

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e82
ret

0e 3e 26 40 1D 6B 41 40 cd 82 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x130
Lemonade    x201


...finally, HoF code done for all languages of R/G/B/Y! And Pikachu's Beach done for all languages of Yellow!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 07, 2013, 10:47:44 pm
Humourous note: I just went to rename my Onix to what I wanted to change my name to after testing the code at and calling my trainer "ONIX".  Of course, naturally, I now had a different OT and couldn't rename it :D Silly me.

So, I've devised a way to fix this in spirit of this thread!  It's rather useless, but this program can be used to set the OT of your Onix, allowing you to change its nickname so that you can rename your trainer again (or you could just catch another Onix ;D).  Here's the item list:

Take caution:  Use 8F exactly (name length+1) times to ensure that the trainer name is terminated correctly.
This code is also self-modifying, so make sure that you reset the item quantities if you need to use it again.

Any item (any quantity)
8F
TM50                 x88
TM09                 x64 (x73, x82, x91, x100, x109, x127 should also all work fine here)
TM34                 x115
TM10                 x46
HP Up                x52
X Accuracy           x39
Full Heal            x201


Code:
WRA1:D322 FA 58 D1         ld a,(D158)
WRA1:D325 40               ld b,b
WRA1:D326 EA 73 D2         ld (D273),a
WRA1:D329 2E 23            ld l,23h
WRA1:D32B 34               inc (hl)
WRA1:D32C 2E 27            ld l,27h
WRA1:D32E 34               inc (hl)
WRA1:D32F C9               ret

For more general use on other Pokémon this can easily be modified to change the OT of the first Pokémon in the box: Simply change the (initial) quantity of TM34 from 115 to 42, and use TM21 in place of TM10.

Note: I haven't actually tested any of this but it all works perfectly theoretically...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 08, 2013, 08:18:48 am
Both your code and the modification work.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 08, 2013, 09:34:10 am
So.. I just found out that the bankswitch function's offset changed between JP R/G 1.0 and 1.1, and between JP Yellow 1.0 and 1.1 (it remains the same between JP Yellow 1.1 and 1.2 though).

Time for more porting and testing.. *sigh*

Enter the Hall of Fame with 5kai in Japanese R/G v1.1:

(http://goput.it/7lsa.png)
Code:
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $360e
ret

0e 16 26 7b 2e e4 41 40 cd 0e 36 c9

Awakening  x 22
Carbos     x123
X Accuracy x228
X Attack   x 64
TM05       x 14
Max Revive x201


Enter the Hall of Fame with かいがらバッヂ in Japanese Yellow v1.0:
Code:
ld c,$16
ld h,$7d
ld l,$c8
ld b,c
ld b,b
call $3e7d
ret

0e 16 26 7d 2e c8 41 40 cd 7d 3e c9

Awakening  x 22
Carbos     x125
X Accuracy x200
X Attack   x 64
TM05       x125
Lemonade   x201


Play Pikachu's Beach with かいがらバッヂ in Yellow 1.0:

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e7d
ret

0e 3e 26 40 1D 6B 41 40 cd 7d 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x125
Lemonade    x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 08, 2013, 03:11:42 pm
Both your code and the modification works.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?

What RAM map are you using? I was using this one: http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 08, 2013, 04:04:40 pm
I use DataCrystal too, as well as this (http://www.ocf.berkeley.edu/~jdonald/pokemon/pokemonrbycodes.txt) for GameShark codes and occasionally our GameShark codes page for Red/Blue, but I can't find DD2A (OT of the first boxed Pokémon) on any of them, even though it does work.

Edit 1: Re 16th Pokémon's experience: Looks like it doesn't match up with DataCrystal's addresses (DC93-DC95).
Edit 2: DataCrystal's memory addresses for that are correct.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on December 11, 2013, 02:13:00 pm
Screw your English R/B save file using 8F!

Little bit of malicious fun. I was bored.
Basically, we set the current map's script pointer (at $D36E) to $D336, then we call SaveSAVtoSRAM (to save the game without warning). Then we reach $D336, which is a conditional jump to $1f49 (which soft resets); it only jumps when the carry flag isn't set, which in practice is all the time. A conditional jump is used here because an unconditional jump would require a glitch item or more than 1 of a key item.
And because the current map's script pointer in the save file is now $D336.. trying to continue just soft resets.
I think this is kinda more trolly than ZZAZZ's creepypasta thing, and in only 23 bytes too!

Here's a video. (http://www.youtube.com/watch?v=w6FxhbzlmEg) I may port this to Yellow if I can be bothered.

Unfortunately, you need two stacks of X Accuracy, but it's easy to get two stacks of an item anyway (have one 99 stack and purchase or find one more) and it's something very basic that can be found in most (if not all) Poké Marts.

Code:
ld l,$6E
ld (hl),$36
ld a,$D3
ld ($D36F),a
inc b
ld c,$1c
ld h,$78
ld l,$48 ; 1c:7848: SaveSAVtoSRAM
ld b,c
call $35d6 ; BankSwitch
jp nc,$1f49 ; SoftReset

2E 6E 36 36 3E D3 EA 6F D3 04 0E 1C 26 78 2E 48 41 CD D6 35 D2 49 1F

X Accuracy x110
Max Revive x 54
Lemonade   x211
TM34       x111
TM11       x  4
Awakening  x 28
Carbos     x120
X Accuracy x 72
X Attack   x205
TM14       x 53
TM10       x 73
Old Amber  x  1
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on December 19, 2013, 02:49:53 pm
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.

First let me say I haven't read the entire thread. If you've already found ws m in Yellow, this post is useless to you. But I have had one of these things forever- didn't know what it did though. I'm not fully understanding all this thread, but I'll tell you how to get ws m. Do the Mew Glitch with a special stat of 194 to run into pPkMnp ' ' (which changes the 5th item slot). And have a Super Rod in the 5th item slot. That gives you ws m. As far as I can tell it simply crashes the game though... I have it stored away in my pc.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 19, 2013, 05:45:29 pm
Quote
will it work on yellow?

The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.

First let me say I haven't read the entire thread. If you've already found ws m in Yellow, this post is useless to you. But I have had one of these things forever- didn't know what it did though. I'm not fully understanding all this thread, but I'll tell you how to get ws m. Do the Mew Glitch with a special stat of 194 to run into pPkMnp ' ' (which changes the 5th item slot). And have a Super Rod in the 5th item slot. That gives you ws m. As far as I can tell it simply crashes the game though... I have it stored away in my pc.

Yes. This was already known. Thanks for trying to help though.

TheZZAZZGlitch posted the exact same method you mentioned to obtain w sm. See this post (http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586). w sm runs code from the number of Pokémon in the current box, and he wrote a bootstrapping code to redirect the program to item 3. If you use it without a proper setup it might freeze the game.

Incidentally, as you probably know, item mutation is one of the easier methods of obtaining 8F. I'm not sure if you'll find this useful, but I'll repeat my initial idea. Paco81 found out in 2011 that a coast glitch Trainer's (happens to be for Trainer class 256) roster 28h has a 94; an item mutating Pokémon that adds 16 to the identifier of the fourth slot in the player's bag if the item does not have one of the following hexadecimal identifiers: $1X $3X $5X $7X $9X $BX $DX $FX because of its Pokédex number, 213. Coincidentally, a Rocket on Silph Co. 11F loads it. If you do the Old Man glitch with a letter that gives a Trainer in the third/fifth/seventh position, you can encounter this Trainer (http://www.youtube.com/watch?v=8W7RyjER8jM), and having a Good Rod (hex: 4D) in this position converts it into 8F (hex: 5D), but their Pokémon are strong, they have glitch Pokémon with Super Glitch and the TMTRAINER effect can make them keep sending out the same Pokémon.

That method was obsoleted (see first post) because TheZZAZZGlitch used Super Glitch to convert the opponent into a 94 without having to have a specific name or strong Pokémon but then that method was obsoleted once again for the item number underflow glitch.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on December 19, 2013, 09:18:19 pm
Yes, (most of) that made sense to me and I think I get it. I just prefer Yellow :D
Thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on December 19, 2013, 10:00:34 pm
So what you're saying is, on Yellow, if I get the ws m item and put it in my first slot, then get a combination of items (Ex: steal trainer's pokemon, Lemonade x1, TM34 x86, TM08 x201) and start that in the third item slot, THEN put, in my current PC box:


1. 20 pokemon in the current box
2.  Slowpoke as the 1st Pokémon in the current PC box  with 233 hp,
3.  Slowpoke as the 2nd Pokémon in the current PC box 
4.  Slowpoke as the 3rd Pokémon in the current PC box
5.  Slowpoke as the 4th Pokémon in the current PC box   
6.  Slowpoke as the 5th Pokémon in the current PC box     
7.  Slowpoke as the 6th Pokémon in the current PC box
8.  Voltorb as the 7th Pokémon in the current PC box           
9.  Growlithe as the 8th Pokémon in the current PC box     
10. Jolteon as the 9th Pokémon in the current PC box       
11. Geodude as the 10th Pokémon in the current PC box   
12. Geodude as the 11th Pokémon in the current PC box         
13. Geodude as the 12th Pokémon in the current PC box           
14. Geodude as the 13th Pokémon in the current PC box       
15. Geodude as the 14th Pokémon in the current PC box 
16. Geodude as the 16th Pokémon in the current PC box       
17. Geodude as the 15th Pokémon in the current PC box   
18. Geodude as the 17th Pokémon in the current PC box   
19. Geodude as the 18th Pokémon in the current PC box
20. Geodude as the 19th Pokémon in the current PC box 
21. Voltorb as the 20th Pokémon in the current PC box


Then use ws m the said effect will occur?

Did I get all that right?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 20, 2013, 08:01:56 am
Yep, you're right! The order doesn't matter as long as you meet the requirements once you use w sm, so you could also have those Pokémon in a PC box before obtaining the items but note if you change boxes to something that doesn't have that exact Pokémon setup, it won't work until you change boxes back to the right box again.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: shutterbug2000 on December 22, 2013, 03:58:50 pm
Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 22, 2013, 04:19:43 pm
Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!

If you want to write your own code to execute using 8F, you're going to need the following things:


I hope this helps!

edit: The guide that turned up a 403 error above can be found here: https://courses.engr.illinois.edu/ece390/books/artofasm/artofasm.html
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: shutterbug2000 on December 22, 2013, 04:23:32 pm
blahpy, thanks for the info! However, there are 2 things I still wonder: how do I find the coordinates, and how to input the code(for example, the 1 Player pong)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 22, 2013, 04:44:27 pm
blahpy, thanks for the info! However, there are 2 things I still wonder: how do I find the coordinates, and how to input the code(for example, the 1 Player pong)

If it's specifically pong that you want, TheZZAZZGlitch wrote the item list for the bootstrapping program in his video description:

Quote
Item list:
* Bicycle
* 8F
X Accuracy, x97
Burn Heal, x126
Parlyz Heal, x15
HP UP, x15
Ice Heal, x15
Potion, x134
TM34, x20
TM17, x46
Leaf Stone, x52
Great Ball, x201
TM10, x1
TM15, x46

Swap TM17 x46 with TM15 x46, use 8F and jump off a ledge to walk through walls.
Then swap TM17 and TM15 back, toss TM34 until only one of them remains and use a Bicycle. The program is now in entering mode, and upon using 8F one byte is written, with its value depending on your X and Y positions.
To run the created code, swap TM10 x1 with TM34 and use 8F.

It is possible to run custom "applications", with the maximum size of 254 bytes.
Unlike previous attempts of reprogramming the game, no TASing is required, so this can be done by a human on a cartridge just fine.

Then you can program pong itself with the following code:  http://pastebin.com/raw.php?i=GByyfPeA

You will need to use the opcode map from my previous post.  You should be able to find the coordinates for the first few bytes (TheZZAZZGlitch has annotated them) from the video (http://www.youtube.com/watch?v=D3EvpRHL_vk) and work out other coordinates relative to them fairly easily.  It will be very time consuming though.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: shutterbug2000 on December 22, 2013, 04:52:24 pm
Ok, thanks for all your help! :D! Currently reading over the assembly webpage in your first post.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 23, 2013, 08:17:39 am
Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!

You only need to find coordinates for TheZZAZZGlitch's 'Pong' program or another large program up to 254 bytes long because you likely can't hold enough items/it would be impractical to go about obtaining them all. Note that I've never tried this myself, so I don't know how long it will take, sorry.

If you are using an emulator, you can check x and y coordinates by looking up memory address D361: (y position) and D362: (x position). Going one step north decreases y by 1 and going one step south increases y by 1. Going one step west decreases x by 1 and going one step east increases x by 1. Remember that X and Y coordinates are also relative to the location, so while the north-most point of Vermilion City is $00, the south-most point of Route 6 is $23; it doesn't underflow to $FF.

Personally I prefer this (http://iimarck.us/etc/asmopcodes.txt) list of opcodes but it's up to you which one you use. Blaphy's link might be better because it's in a table that makes it easier to look up a certain identifier.

If you just want to cheat, the bootstrapping code (http://forums.glitchcity.info/index.php/topic,6638.0.html) and item lists (for specific cheats) should be enough. Most of the time, you'll only need to refer to a few opcodes, such as $3E: ld a, xx [i.e. make 'a' the value in xx] and $EA: ld (memory address), a [i.e. put a into a given memory address]. Those things like 'a' are called registers. They're basically things you can store values in so you can put their values in memory addresses (writable memory only like WRAM) or jump to the address in hl (opcode: E9) in the middle of the operation.

Registers change a lot, and when you use items they are set at certain values by default but you can always change them.

These are:

Code: [Select]
af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de= 0001 [d=00, e=01]
hl= D322 [h=D3, l=22]
All flags reset

Remember, for TheZZAZZGlitch's bootstrap code, the code must be spelled out from item 3. As TheZZAZZGlitch redirected the code to item 3, that's why hl is D322 (item 3 identifier).

Here are three cheats (http://forums.glitchcity.info/index.php/topic,6638.msg189509.html#msg189509) I made for 8F in Red/Blue. They are easily changeable. The memory address is stored with the lowest byte first (GameShark code order) and all you have to do is change the value that follows 3E (Lemonade): the value you want and EA (TM34): the memory address that follows.

Example: Gym Leader battle plays for the next battle

As a = 63 by default, we don't need to change the value, but you can do it with a 3E xx (Lemonade x XX) anyway.

So:

Item 3 = TM34 x 92
Item 4 = TM08 x 201

ASM:

Code: [Select]
WRA1: D322 EA 5C D0               ld (D05C), a  : Put 63h into D05C
WRA1: D325 C9

If you look at Datacrystal, you'll see that 5CD0 (Item 3 x92, Item 4=TM08) is the byte that determines whether Gym Leader battle music plays or not in battle, with a value greater than 00 meaning it's on. Change it to CFD8 (D8CF), i.e. (Item 3 x216, Item 4=TM07) and you'll change the species in battle to whatever 'a' is.

To convert hex values to decimal (required to see the right item quantities), you can use Windows Calculator on Programmer mode, enter a value in Hex, then switch it to Dec. Remember to use the big list to check what items have which hexadecimal identifier. Alternatively, you can check with the GameShark code 01xx1ED3, which changes the first item identifier to xx.

In order to obtain item quantities larger than 128, you need to do the Old Man glitch or Ditto glitch to encounter a Pokémon like Missingno. or 'M (that makes getting the right items more difficult in Yellow but fossil and ghost Missingno. never freeze the game). Missingno. and 'M increase the sixth item quantity by 128 only if it's less than 128, so in order to duplicate the sixth item a second time, you have to toss the quantity under 128, e.g. having 127 will give you 255 of an item. Dec:00 Pokémon duplicate the sixth item two times: 1) when you encounter them 2) when you catch them.

If you have any questions, feel free to ask. :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on December 23, 2013, 06:28:53 pm
Blaphy

 ::)

I swear more people read it like this than how it actually is, serves me right for using such an obscure name (believe it or not there is a story behind it though!)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 24, 2013, 07:28:19 am
Blaphy

 ::)

I swear more people read it like this than how it actually is, serves me right for using such an obscure name (believe it or not there is a story behind it though!)

Oops, sorry! The 'blah' part helped me remember your name actually, but I still made a typo.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: shutterbug2000 on February 26, 2014, 03:41:08 pm
Ok, so I'm still a little confused. I think I know pretty much how to do it, but for example, when it says "D920_EntryPoint", how do I input that? Thanks in advance!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on February 26, 2014, 04:28:15 pm
It's a label, it defines a place where the code should jump to.
Trying to translate opcodes into bytes by hand requires too much effort and can be quite complicated, especially when dealing with relative jumps. You're better off using a memory dump below - it already contains all the code:

00D901:  18 1D 14 C9 15 C9 34 AF C9 35 AF C9 47 79 AE 77
00D911:  3E AF CD B1 23 78 C9 3E A6 CD B1 23 CD 48 37 16
00D921:  0E 21 A2 FF 72 2C 72 3E FF CD B1 23 15 01 68 01
00D931:  21 A0 C3 3E 10 E5 CD E0 36 E1 D5 E5 21 E0 C4 7D
00D941:  82 6F AF 22 22 22 22 21 A0 FF 0E 0F F0 A2 A7 CC
00D951:  0D D9 FE 13 CC 0D D9 0E F0 F0 A3 A7 CC 0D D9 FE
00D961:  11 CA 18 D9 FE 0F 20 0D 5A 06 04 F0 A2 BB CC 0D
00D971:  D9 1C 05 20 F8 7E 2C 2C 47 E6 0F CC 07 D9 C4 0A
00D981:  D9 2C 78 E6 F0 CC 07 D9 C4 0A D9 E1 F0 A2 85 6F
00D991:  F0 A3 01 14 00 A7 28 04 09 3D 20 FC 77 D1 7A FE
00D9A1:  10 28 07 F0 F8 E6 10 C4 03 D9 7A A7 28 07 F0 F8
00D9B1:  E6 20 C4 05 D9 76 76 76 76 76 C3 2E D9


Just enter all these bytes in order (starting from $18, $1D, $14 ...), and everything should work perfectly.
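The dump above can be checked mechanically before anyone spends hours entering it. What follows is an added example, not TheZZAZZGlitch's code: it re-reads the twelve rows exactly as posted, confirms they are contiguous, and resolves the relative jump at the entry and the absolute jump at the end. The only assumptions are the posted rows themselves and the standard GB-Z80 rules for `jr` (signed offset counted from the byte after the two-byte instruction) and `jp nn` (little-endian operand).

```python
"""Flatten the $D901 memory dump and resolve its jumps (added example)."""
import re

# Constructed from the rows quoted in the post above, copied verbatim.
DUMP = """\
00D901:  18 1D 14 C9 15 C9 34 AF C9 35 AF C9 47 79 AE 77
00D911:  3E AF CD B1 23 78 C9 3E A6 CD B1 23 CD 48 37 16
00D921:  0E 21 A2 FF 72 2C 72 3E FF CD B1 23 15 01 68 01
00D931:  21 A0 C3 3E 10 E5 CD E0 36 E1 D5 E5 21 E0 C4 7D
00D941:  82 6F AF 22 22 22 22 21 A0 FF 0E 0F F0 A2 A7 CC
00D951:  0D D9 FE 13 CC 0D D9 0E F0 F0 A3 A7 CC 0D D9 FE
00D961:  11 CA 18 D9 FE 0F 20 0D 5A 06 04 F0 A2 BB CC 0D
00D971:  D9 1C 05 20 F8 7E 2C 2C 47 E6 0F CC 07 D9 C4 0A
00D981:  D9 2C 78 E6 F0 CC 07 D9 C4 0A D9 E1 F0 A2 85 6F
00D991:  F0 A3 01 14 00 A7 28 04 09 3D 20 FC 77 D1 7A FE
00D9A1:  10 28 07 F0 F8 E6 10 C4 03 D9 7A A7 28 07 F0 F8
00D9B1:  E6 20 C4 05 D9 76 76 76 76 76 C3 2E D9
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]{4,6}):\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
JR_OPCODES = (0x18, 0x20, 0x28, 0x30, 0x38)   # jr n and the conditional forms


def parse_dump(text):
    """Return (base_address, bytes).

    Raises if a row does not start where the previous one ended, which is
    how a dropped or mistyped line shows up."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16) & 0xFFFF        # '00D901' -> 0xD901
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"gap before {addr:04X}: expected {base + len(data):04X}")
        data += bytes.fromhex(m.group(2))
    return base, bytes(data)


def jr_target(addr, offset):
    """Destination of a jr whose opcode is at `addr`: the 8-bit offset is
    signed and relative to the byte after the two-byte instruction."""
    signed = offset - 256 if offset >= 128 else offset
    return (addr + 2 + signed) & 0xFFFF


def entry_target(base, data):
    """Where execution continues after the first instruction, if it is a jr."""
    if data[0] not in JR_OPCODES:
        raise ValueError("entry is not a relative jump")
    return jr_target(base, data[1])


def final_jp_target(base, data):
    """Absolute target of a trailing jp nn (C3 lo hi)."""
    if data[-3] != 0xC3:
        raise ValueError("dump does not end in jp nn")
    return data[-2] | data[-1] << 8


if __name__ == "__main__":
    base, code = parse_dump(DUMP)
    print(f"{len(code)} bytes at ${base:04X}-${base + len(code) - 1:04X}")
    print(f"entry jr -> ${entry_target(base, code):04X}")
    print(f"final jp -> ${final_jp_target(base, code):04X}")
```

The `18 1D` at $D901 resolves to $D920, the address in the D920_EntryPoint label asked about above, and the closing `C3 2E D9` is `jp $D92E`. The same `jr_target` handles backward jumps such as the `20 F8` at $D974, which goes to $D96E.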
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 15, 2014, 12:55:50 pm
Pigdevil2010 made a simpler version of the ws m (hex: 63) bootstrap code for Yellow and annotated it. He/she was going to post it on the forums, but had some trouble registering.

Here it is:

Notes: Though it's normally impossible for DA94 (end of list terminator, FF) to be E9, using ws m will change it to this value. This is perfectly safe. Only problem is if you withdrew a Pokémon and DA93 (20th Pokémon) was not FF, but this is not possible in normal gameplay.

(You must have exactly 19 Pokémon in the box.)

When you deposit a 20th Pokémon, after using w sm, DA94 gets changed back to FF again.


Pokémon:

Butterfree
Voltorb
Gyarados
Spearow
Golduck
Poliwrath
Voltorb
Pikachu
Clefairy
Golduck
Venomoth
Metapod
Tangela
Nidoking
Haunter
Flareon
Parasect
Growlithe
Voltorb

Which would make the RAM and ASM look like this:
; Initial hl = DA7F
$DA7F <- 13 || inc de
$DA80 <- 7D || ld a, l ; a = 7F
$DA81 <- 06 ||
$DA82 <- 16 || ld b, 16 ; b = 16
$DA83 <- 05 || dec b ; b = 15 (since Mew is unobtainable)
$DA84 <- 80 || add a, b ; a = 94
$DA85 <- 6F || ld l, a ; l = 94
$DA86 <- 06 ||
$DA87 <- 54 || ld b, 54 ; b = 54
$DA88 <- 04 || inc b ; b = 55 (since Raichu is unobtainable in Yellow)
$DA89 <- 80 || add a, b ; a = E9
$DA8A <- 77 || ld (hl), a ; $DA94 <- E9
$DA8B <- 7C || ld a, h ; a = DA
$DA8C <- 1E ||
$DA8D <- 07 || ld e, 7 ; e = 7
$DA8E <- 93 || sub e ; a = D3
$DA8F <- 67 || ld h, a ; h = D3
$DA90 <- 2E ||
$DA91 <- 21 || ld l, 21 ; l = 21
$DA92 <- 06 ||
$DA93 <- FF || ld b, ff ; rst 38 prevention
$DA94 <- E9 || jp (hl) ; finally jumps to $D321!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on April 15, 2014, 05:26:46 pm
Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 15, 2014, 06:21:23 pm
Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?

Not possible; you can never rewrite the ROM (read only memory) without doing something like editing it with a hex editor, even though Game Genie makes temporary patches to the ROM. If you try to write to the ROM with w sm, nothing will happen. The Game Boy/machine alone cannot write to ROM.

You can write to VRAM (0x8000-0x9FFF), RAM (0xC000-0xCFFF), WRAM (0xD000-0xFEFF) and RAM (2) (0xFF80-0xFFFF) with wsm (haven't tested 8F on Red/Blue but I imagine things would work the same). Writing to SRAM and I/O apparently didn't work. I've never looked up what I/O is, but I'm a bit surprised at SRAM not being changed; as it is for data that is saved.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Nerator on April 15, 2014, 08:40:42 pm
If you try to write to the ROM with w sm, nothing will happen.
To be perfectly precise, if I'm not mistaken, if you try to write something to ROM0 ($0000-$3FFF), then the game will switch ROM banks in $4000-$7FFF. For example, if you execute
Code: [Select]
ld [$2000],a
then the game will switch to the bank whose number is in register a. For Red/Blue the last bank is $2B I believe, for Yellow it's $3F. Not sure what will happen if we try to write to switchable ROM ($4000-$7FFF), or how it could be used at all.

EDIT:
Actually, what I wrote above is not completely right. For the game to switch banks, we need to write in the $2000-$2FFF area. Also we can switch the RAM banks (switchable RAM is at $A000-$BFFF) by writing in the $4000-$5FFF area. It seems that RAM contains 16 banks (0-F).
EDIT2:
Also I found in the disassembly of Red many tries to write values to $6000 and $0000, usually 0 or 1. Have no idea what these are for.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on April 16, 2014, 02:46:26 am
I could finally register! Thanks Torchickens!

So, since I have a shorter bootstrapping code for w sm, here is also my shorter bootstrapping code for 8F.

You must have exactly 5 Pokemon in a party, these are:
Pidgey with 233 HP
Parasect
Onix
Tentacool
Kangaskhan

Which would make the RAM and ASM look like this:
Code: [Select]
; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2e ||
$D166 <- 22 || ld l, 22 ; l = 22
$D167 <- 18 ||
$D168 <- 02 || jr 2     ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- e9 || jp hl    ; pc = D322
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 16, 2014, 07:49:53 am
Well done! No more specific remaining PP, or moves.  :D

To get a Pidgey with that much HP at level 100 from being 'fresh' (just Rare Candied), use six HP Ups. This will always give it a max of 237 HP (because HP DVs don't exist in Generation I/II). Five HP Ups will give it 234 HP, but problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on April 16, 2014, 08:21:37 pm
Five HP Ups will give it 234 HP, but problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.
Just make it poisoned, heal it to 234 HP, then walk 4 steps.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 17, 2014, 04:31:29 am
Five HP Ups will give it 234 HP, but problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.
Just make it poisoned, heal it to 234 HP, then walk 4 steps.

Oops, I forgot about poison. Thanks for mentioning it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: gskw on April 23, 2014, 01:37:28 am
When I write Z80 ASM, how do I turn it into hex codes?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 23, 2014, 12:54:25 pm
When I write Z80 ASM, how do I turn it into hex codes?

http://iimarck.us/etc/asmopcodes.txt can help, or you can use a compiler and get the compiled result out of the object file.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: gskw on April 25, 2014, 09:36:56 am
Thanks. I think I'm going to write my own assembler to make stuff easier...

EDIT: The compiler (http://gskartwii.arkku.net/optohex) is live online!
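Turning mnemonics into bytes and then into items is the whole job here: Evie the Mother Hen's post above shows the `3E xx` / `EA lo hi` / `C9` write pattern, and the question just above asks how to get from Z80 assembly to hex at all. The following is an added example, not gskw's optohex, TheZZAZZGlitch's or Torchickens' tool. It assembles only the mnemonics this thread's payloads use, and its item table holds only the identifiers the thread gives (Ultra Ball $02, Repel $1E, Lemonade $3E, X Speed $43, and TMxx = $C8 + xx, which is what TM34 = $EA, TM08 = $D0, TM07 = $CF and TM05 = $CD imply). Anything else it meets is flagged as unknown rather than guessed.

```python
"""Assemble a tiny GB-Z80 routine and spell it out as an 8F item list (added example)."""
import re

# Item identifiers taken from this thread; every other identifier is reported as unknown.
ITEMS = {0x02: "Ultra Ball", 0x1E: "Repel", 0x3E: "Lemonade", 0x43: "X Speed"}
ITEMS.update({0xC8 + n: f"TM{n:02d}" for n in range(1, 51)})      # TM01 = C9 ... TM50 = FA

REG8 = {"b": 0, "c": 1, "d": 2, "e": 3, "h": 4, "l": 5, "a": 7}   # register fields in ld encodings


def assemble(src):
    """Assemble one instruction per line; hex everywhere, as in the thread.

    Supported: ret / ld r, nn / ld r, r' / ld (hhhh), a / call hhhh.
    Immediates are exactly two hex digits and addresses four, which is what
    keeps 'ld b, e' from being read as 'ld b, 0E'. Text after ';' is a comment."""
    out = bytearray()
    for line in src.splitlines():
        line = line.split(";")[0].strip().lower()
        line = re.sub(r"\s*,\s*", ", ", re.sub(r"\s+", " ", line))
        if not line:
            continue
        if line == "ret":
            out += b"\xC9"
        elif m := re.fullmatch(r"ld \(([0-9a-f]{4})\), a", line):       # EA lo hi
            nn = int(m.group(1), 16)
            out += bytes([0xEA, nn & 0xFF, nn >> 8])
        elif m := re.fullmatch(r"call ([0-9a-f]{4})", line):            # CD lo hi
            nn = int(m.group(1), 16)
            out += bytes([0xCD, nn & 0xFF, nn >> 8])
        elif m := re.fullmatch(r"ld ([abcdehl]), ([0-9a-f]{2})", line):  # 06 | r<<3, n
            out += bytes([0x06 | REG8[m.group(1)] << 3, int(m.group(2), 16)])
        elif m := re.fullmatch(r"ld ([abcdehl]), ([abcdehl])", line):    # 40 | d<<3 | s
            out += bytes([0x40 | REG8[m.group(1)] << 3 | REG8[m.group(2)]])
        else:
            raise ValueError(f"cannot assemble: {line!r}")
    return bytes(out)


def to_item_list(code, first_slot=3):
    """Pair bytes as (identifier, quantity) from the slot the bootstrap jumps to.

    Odd-length code is padded with ret (C9) so the stray quantity byte is
    harmless if it is ever executed. Quantities above 128 are marked because
    they need the Missingno. duplication described earlier in the thread."""
    if len(code) % 2:
        code += b"\xC9"
    rows = []
    for i in range(0, len(code), 2):
        ident, qty = code[i], code[i + 1]
        name = ITEMS.get(ident, f"hex {ident:02X} (not in this thread's table)")
        note = " (>128: needs the Missingno. duplication)" if qty > 128 else ""
        if qty == 0:
            note = " (quantity 0 is not normally obtainable)"
        rows.append((first_slot + i // 2, name, qty, note))
    return rows


def write_byte_cheat(addr, value=None):
    """Torchickens' pattern: optional 'ld a, value', then 'ld (addr), a ; ret'.
    With value=None the default a = 63 on 8F use is relied upon, as in the
    Gym Leader music example."""
    src = f"ld a, {value:02x}\n" if value is not None else ""
    return to_item_list(assemble(src + f"ld ({addr:04x}), a\nret"))


# TheZZAZZGlitch's alternative Catch 'Em All routine, as quoted later in the thread.
CATCH_EM_ALL = """\
ld e, {species}   ; species index, which ends up as the Repel quantity
ld b, e
ld c, 02
ld b, b
call {give}       ; GivePokemon: 3E48 in Red/Blue, 3E59 in Yellow (per the thread)
ret
"""

if __name__ == "__main__":
    for slot, name, qty, note in write_byte_cheat(0xD05C):
        print(f"Item {slot} = {name} x{qty}{note}")
    for slot, name, qty, note in to_item_list(assemble(CATCH_EM_ALL.format(species="20", give="3E48"))):
        print(f"Item {slot} = {name} x{qty}{note}")
```

`write_byte_cheat(0xD05C)` reproduces "TM34 x92, TM08 x201", `write_byte_cheat(0xCFD8)` gives TM34 x216 and TM07, and assembling the Catch 'Em All source with `give="3E59"` turns TM05 x72 into TM05 x89, which is the Yellow fix given further down the thread.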
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on April 28, 2014, 03:53:27 am
Thanks. I think I'm going to write my own assembler to make stuff easier...

EDIT: The compiler (http://gskartwii.arkku.net/optohex) is live online!

Heh, thanks. I've been meaning to write one myself actually.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: gskw on April 28, 2014, 09:35:46 am
Why wouldn't we make the code jump into the PC items so we can get more space?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on April 28, 2014, 11:17:54 am
Why wouldn't we make the code jump into the PC items so we can get more space?
Yeah, I once had an idea about doing this too. ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: PokeGlitchFanatic on April 28, 2014, 07:14:02 pm
Gosh. The first gen was screwed up big time.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on April 28, 2014, 10:50:54 pm
I discovered an even shorter w sm bootstrapping code. It requires just 10 Pokemon in the box, these are

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon

Code: [Select]
; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 07 || ld e, 7  ; e = 7
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D3
$DA84 <- 67 || ld h, a  ; h = D3
$DA85 <- 2E ||
$DA86 <- 21 || ld l, 21 ; l = 21
$DA87 <- 18 ||
$DA88 <- 0D || jr D     ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D321

I also finally discovered the code to make it jump to the first stored item.

8F

You must have exactly 5 Pokemon in a party, these are

Lv. 25 Pidgey with 24 HP, 36 PP left on the first and second move, 24 PP left on the third move and 13 PP left on the fourth move
Parasect with 233 HP
Diglett
Tentacool
Kangaskhan

Code: [Select]
; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2E ||
$D166 <- 3B || ld l, 3B ; l = 3B
$D167 <- 18 ||
$D168 <- 02 || jr 2     ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- 18 ||
$D16E <- 19 || jr 19    ; pc = D188
$D188 <- 24 || inc h    ; h = D4
$D189 <- 24 || inc h    ; h = D5
$D18A <- 18 ||
$D18B <- 0D || jr D     ; pc = D199
$D199 <- E9 || jp (hl)  ; pc = D53B

w sm

You must have exactly 10 Pokemon in the box, these are

Tangela with 233 HP
Spearow
Metapod
Haunter
Flareon
Parasect
Seel
Tentacool
Grimer
Any Pokemon

Code: [Select]
; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 05 || ld e, 5  ; e = 5
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D5
$DA84 <- 67 || ld h, a  ; h = D5
$DA85 <- 2E ||
$DA86 <- 3A || ld l, 3A ; l = 3A
$DA87 <- 18 ||
$DA88 <- 0D || jr D     ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D53A
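pigdevil2010's bootstraps in this post and the earlier one (the five-Pokémon party that lands at $D322, the one that lands at the first PC item $D53B, and the ten-Pokémon box that lands at $D321) all rely on the same thing: the party or box count, the species list and the first bytes of a Pokémon record are read as opcodes. The following is an added example, not pigdevil2010's code, that rebuilds those bytes from the Pokémon lists and steps through them with a minimal interpreter for only the opcodes these bootstraps use, so a planned list can be checked before it is assembled in game. It assumes the Gen I record layouts (species, HP high byte, HP low byte and level at offsets 0 to 3, the four PP bytes at offset 29, 44-byte party records and 33-byte box records), the species indexes implied by the byte listings, the bc = 22B8 entry value Evie the Mother Hen quoted for 8F, all other RAM as zero and unused species slots as FF.

```python
"""Pokémon as opcodes: rebuild party/box RAM for a bootstrap and emulate it (added example)."""
PARTY = (0xD163, 6, 44)     # (count address, species slots, record size)
BOX = (0xDA7F, 20, 33)
OFF_HP, OFF_LEVEL, OFF_PP = 1, 3, 29   # offsets inside one Pokémon record

# Internal index numbers, as implied by the byte listings in pigdevil2010's posts.
SPECIES = {
    "Kangaskhan": 0x02, "Spearow": 0x05, "Nidoking": 0x07, "Grimer": 0x0D,
    "Tentacool": 0x18, "Tangela": 0x1E, "Growlithe": 0x21, "Onix": 0x22,
    "Pidgey": 0x24, "Parasect": 0x2E, "Seel": 0x3A, "Diglett": 0x3B,
    "Flareon": 0x67, "Metapod": 0x7C, "Haunter": 0x93,
}
NONE = (0, 0, 0, 0)   # PP for Pokémon whose PP bytes are never executed


def layout(mons, where):
    """Return {address: byte} for a party or box holding `mons`.

    Each mon is (name, current HP, level, pp4). Unset bytes stay 0 and unused
    species slots are FF; both are assumptions about what a real save holds."""
    base, slots, size = where
    mem = {base: len(mons)}
    for i in range(slots):                                  # species list + FF
        mem[base + 1 + i] = SPECIES[mons[i][0]] if i < len(mons) else 0xFF
    mem[base + 1 + slots] = 0xFF
    first = base + 2 + slots                                # records follow the list
    for i, (name, hp, level, pp) in enumerate(mons):
        rec = first + i * size
        mem[rec] = SPECIES[name]
        mem[rec + OFF_HP], mem[rec + OFF_HP + 1] = hp >> 8, hp & 0xFF
        mem[rec + OFF_LEVEL] = level
        for j, p in enumerate(pp):
            mem[rec + OFF_PP + j] = p
    return mem


def run_bootstrap(mem, entry, b=0x22, c=0xB8, max_steps=64):
    """Execute from `entry` with hl = entry (as on 8F / ws m use) until jp (hl).

    Only the opcodes these bootstraps use exist here; anything else raises,
    which is the 'wrong Pokémon in that slot' case where the real game would
    run some other instruction instead."""
    def rd(addr):
        return mem.get(addr, 0)
    a = e = 0
    h, l, pc = entry >> 8, entry & 0xFF, entry
    for _ in range(max_steps):
        op = rd(pc)
        if op == 0x00:                                          # nop
            pc += 1
        elif op == 0x05:                                        # dec b
            b = (b - 1) & 0xFF; pc += 1
        elif op == 0x0A:                                        # ld a, (bc)
            a = rd(b << 8 | c); pc += 1
        elif op == 0x18:                                        # jr n, signed from pc+2
            n = rd(pc + 1); pc += 2 + (n - 256 if n > 127 else n)
        elif op == 0x1E:                                        # ld e, n
            e = rd(pc + 1); pc += 2
        elif op == 0x24:                                        # inc h
            h = (h + 1) & 0xFF; pc += 1
        elif op == 0x2E:                                        # ld l, n
            l = rd(pc + 1); pc += 2
        elif op == 0x67:                                        # ld h, a
            h = a; pc += 1
        elif op == 0x7C:                                        # ld a, h
            a = h; pc += 1
        elif op == 0x93:                                        # sub e
            a = (a - e) & 0xFF; pc += 1
        elif op == 0xE9:                                        # jp (hl)
            return h << 8 | l
        else:
            raise ValueError(f"opcode {op:02X} at {pc:04X} is not in any bootstrap here")
    raise RuntimeError("no jp (hl) reached")


# 8F bootstrap to item 3 ($D322): five party Pokémon, Pidgey's HP low byte is the E9.
RB_ITEM3 = [("Pidgey", 233, 0, NONE), ("Parasect", 0, 0, NONE), ("Onix", 0, 0, NONE),
            ("Tentacool", 0, 0, NONE), ("Kangaskhan", 0, 0, NONE)]
# 8F bootstrap to the first PC item ($D53B): Pidgey's HP, level and PP are opcodes too.
RB_PC = [("Pidgey", 24, 25, (36, 36, 24, 13)), ("Parasect", 233, 0, NONE),
         ("Diglett", 0, 0, NONE), ("Tentacool", 0, 0, NONE), ("Kangaskhan", 0, 0, NONE)]
# ws m bootstrap to item 3 ($D321): ten box Pokémon, the tenth can be anything.
Y_ITEM3 = [("Tangela", 233, 0, NONE), ("Nidoking", 0, 0, NONE), ("Metapod", 0, 0, NONE),
           ("Haunter", 0, 0, NONE), ("Flareon", 0, 0, NONE), ("Parasect", 0, 0, NONE),
           ("Growlithe", 0, 0, NONE), ("Tentacool", 0, 0, NONE), ("Grimer", 0, 0, NONE),
           ("Pidgey", 0, 0, NONE)]


def party_target(mons):
    return run_bootstrap(layout(mons, PARTY), PARTY[0])


def box_target(mons):
    return run_bootstrap(layout(mons, BOX), BOX[0])


if __name__ == "__main__":
    print(f"8F, 5 party Pokémon      -> ${party_target(RB_ITEM3):04X}")
    print(f"8F, PC item bootstrap    -> ${party_target(RB_PC):04X}")
    print(f"ws m, 10 box Pokémon     -> ${box_target(Y_ITEM3):04X}")
```

Swapping one species (say Kangaskhan into the first slot) makes `run_bootstrap` raise at $D164, because $02 is not one of the instructions the bootstrap was written around; on the cartridge that slot would simply execute as whatever the byte encodes.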
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 29, 2014, 01:04:05 am
Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slot and for Catch-em-all purpose.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on April 29, 2014, 01:18:57 am
Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slot and for Catch-em-all purpose.
Which code did you mean? Address D322 (D321 in Yellow) is the third item in the pocket.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: gskw on April 29, 2014, 02:56:00 am
He is talking about the 8F code.
And no, it actually jumps to the first item on the PC.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Items
At the point of jp (hl), hl is $D53B, which is the address of the first item on the PC.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Radixan on July 15, 2014, 08:57:30 am
Hello, I just found a way to get the "ws m" item through a corrupted save data in R/B/Y non japanese releases.

(http://i.gyazo.com/8eaf84c3cef09f525f6c09fba27278fa.png)

Once you get a corrupted save data, toss Master Ball x255 and leave your home.
You'll be teleported to Viridian city. Just get into the Pokémon Center, open the bag and swap the ws m with the first Master Ball.
Finally deposit ws m in your PC and will be safe to withdraw it later.

However, I can't continue the game as usual since the Pokédex is completed by corruption and Oak will never give me the Pokédex. :/

Regards. :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Zheria on August 22, 2014, 11:17:46 pm
I was wondering if anyone knew how to and would please convert this code from R/B to Yellow for me. I have been using ws m on cart and it's been really cool. I wanted to try and catch some of the Pokémon that you can't obtain with the Mew glitch, but unfortunately this code doesn't work on Yellow.

Originally posted by TheZZAZZGlitch for R/B's 8F:
ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201

ASM:
Code: [Select]

WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on August 23, 2014, 12:10:58 am
Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Zheria on August 23, 2014, 04:19:29 pm
Thank you! It works really well and makes obtaining these glitch pokemon easy!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: nixnyte on September 01, 2014, 04:05:22 am
hi folks!

I've been having fun exploring glitch possibilities in Pokémon Yellow lately, and I was interested in seeing how quickly arbitrary code execution could be reached off a fresh save file, without using save corruption or item underflow. The two major steps are of course to encounter p PkMn p to get ws m and to have a specific sequence of Pokémon in your active box. To do this from a new game, I had to come up with easier setups for each of the steps, so sharing these is my main intention of this post.

In order to encounter p PkMn p, I used a Trainer-Fly completed by a Ditto who transformed into my Pokémon with 194 Special. The Ditto in my route was a result of another Trainer-Fly (two Silph Co. scientists' last Pokémon have a Special stat of 76), but of course you can find plenty of these in Yellow's Cinnabar Mansion. To get a Pokémon with 194 Special, I chose to use a Kadabra, as I could also use it for my bootstrap code. Depending on its DVs, which are made evident at level 50 due to the stat formula, you can use a combination of Rare Candies and Calcium to guarantee 194 Special, assuming no previous stat exp.

Code: [Select]
Kadabra
Check Special at level 50 (Special - 125 = DVs)
00 DVs    Level 70    6 Calcium
01 DVs    Level 70    5 Calcium
02 DVs    Level 69    6 Calcium
03 DVs    Level 69    5 Calcium
04 DVs    Level 68    6 Calcium
05 DVs    Level 68    5 Calcium
06 DVs    Level 67    6 Calcium
07 DVs    Level 67    5 Calcium
08 DVs    Level 66    6 Calcium
09 DVs    Level 67    4 Calcium
10 DVs    Level 65    6 Calcium
11 DVs    Level 66    4 Calcium
12 DVs    Level 65    5 Calcium
13 DVs    Level 65    4 Calcium
14 DVs    Level 64    5 Calcium
15 DVs    Level 63    6 Calcium

Now for the bootstrap code, I focused on improving pigdevil2010's code posted in reply #105, as it was the only one that didn't require a Pokémon with 233 HP. Instead, it wrote E9 into the address immediately following the rest of the code. As I've already had trouble deciding how to format this post, I'll mention each block I'm about to paste up front. First is the code I came up with after staring for hours at an opcode table and the big hex list for which Pokémon would be easily obtainable. It does successfully allow arbitrary code to be executed from your inventory, but are there side effects due to shortcuts? After that is the order of Pokémon in your box to achieve these values, and then where you can find those Pokémon very early in the game. For the "anything" slot, I had exactly 1 extra Pokémon - Pikachu!

Code:
; initial hl = DA7F
$DA7F <- 0F || rrca
$DA80 <- 2E ||
$DA81 <- 8E || ld l, 8E    ; l = 8E
$DA82 <- 7C || ld a, h     ; a = DA
$DA83 <- 16 ||
$DA84 <- 0F || ld d, 0F    ; d = 0F
$DA85 <- 82 || add a, d    ; a = E9
$DA86 <- 22 || ld (hl+), a ; $DA8E <- E9, l = 8F
$DA87 <- 7C || ld a, h     ; a = DA
$DA88 <- 26 ||
$DA89 <- 07 || ld h, 07    ; h = 07
$DA8A <- 94 || sub h       ; a = D3
$DA8B <- 67 || ld h, a     ; h = D3
$DA8C <- 2E ||
$DA8D <- 21 || ld l, 21    ; l = 21
$DA8E <- E9 || jp (hl)     ; goto $D321

Quote
Parasect
Clefable
Metapod
Gyarados
NidoranF
Golbat
Onix
Metapod
Kadabra
Nidoking
Abra
Flareon
Parasect
Growlithe
(anything)

Quote
Route 2
- Catch 1 NidoranF
- Catch 1 NidoranM (10-12 Rare Candy, Moon Stone)

Viridian Forest
- Catch 2 Metapod

Route 4
- Buy 1 Magikarp (15 Rare Candy)

Mt. Moon
- Catch 2 Paras (22-30 Rare Candy)
- Catch 1 Clefairy (Moon Stone)
- Catch 1 Zubat (9-16 Rare Candy)
- Find 2 Moon Stone

Route 8
- Trainer-Fly 1 Onix
- Trainer-Fly 1 Growlithe

Celadon
- Buy 1 Abra (1 Rare Candy) http://i.imgur.com/EFnPsLp.png
- Receive 1 Eevee (Fire Stone)
- Buy 1 Fire Stone

the other abra was caught on route 6 since i opened the route similarly to the no save corruption speedrun in order to duplicate rare candies and nuggets. i had streamed my first attempt of this to a couple friends on twitch; the video can be referenced here (http://youtube.com/watch?v=CIvWMYCUF0c) for any visual demonstrations. there is audio "commentary", but it's mostly me chatting with the viewers and mumbling about how it's going, so it's not at all important to listen to. i am also not correct about everything i say in the video :) if you're eager enough to continue off the route i used in that video to then actually execute specific bits of arbitrary code, just remember tm 1 will be your best friend for accessing the return opcode.

anyway, hopefully someone finds these references useful!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 01, 2014, 06:58:34 am
Hey nixnyte. Thanks for your info and welcome to the forums!

I enjoyed your set up.

That was a creative way to see Ghost Missingno. early on (with the Special stat of the level 80 Starmie (http://forums.glitchcity.info/index.php?topic=6618.0) from Cubone for Machoke trade)! Did you think of that or another speedrunner? (I'm out of touch with the speedrunning community other than the published tricks)

For what it's worth, I also did an arbitrary code execution run (https://www.youtube.com/watch?v=ZVXQ7X65Tt8) (a catch em all one), but it was on Red/Green with trading allowed. It was pretty slow and it could have probably been done without trading with enough effort and probably an improved bootstrap code. I'm considering doing a Red/Green catch em all run without arbitrary code or trading.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: nixnyte on September 01, 2014, 02:31:52 pm
the early ghost (or kabutops fossil) missingno technique is credited to ExtraTricky on the no save corruption (http://wiki.pokemonspeedruns.com/index.php/Pok%C3%A9mon_Yellow/Glitched_No_Save_Corruption) page on the pokemonspeedruns wiki. the puu.sh of trainer pokemon yields (http://puu.sh/257S) for trainer-fly also served useful, but as i desperately found myself wanting to ctrl+f for pokemon on the image, i found a dump of trainers in pokemon yellow (http://www.upokecenter.com/content/pokemon-yellow-trainer-list) on upokecenter. with this key-value special stat (http://pastebin.com/raw.php?i=2CEGEnv9) support file and this simple ruby script (http://pastebin.com/J6hibArd) i wrote, it helped me narrow down which trainers would have favorable special stats. upokecenter also has a trainer list for red and blue if anyone wants to make use of the script for that game. a gameboy opcode table (http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html) felt more useful than a list in this instance as well.

other than that, all i did myself was write some custom asm, make some pretty charts, and piece it all together. the asm was the main thing i wanted to share since i believe it's more efficient than the other methods for arbitrary code in yellow. unless i'm forgetting something, that should cover all of the credits and references. i certainly didn't come up with every part on my own :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 01, 2014, 02:58:55 pm
Cool. Yes, I've heard of the puu.sh file too. It's useful for Red/Blue, but not as useful for Yellow, as some Trainers (except Blue as that's fairly obvious) differ between Red/Blue and Yellow.

I tried to upload it to the wiki here, but it was too big xD.

This (http://iimarck.us/etc/asmopcodes.txt) is the list of opcodes I use.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: memdump on September 18, 2014, 12:38:53 pm
Connect Bootstrap Code Between Red/Blue and Yellow

First I will make this mention. It is easier to set up a bootstrap code in Yellow than it is in Red/Blue. In Yellow you simply trainer fly many Pokemon using Dittos for any opcode, since it reads 20 from the list before complex data structures instead of 6. Red/Blue needs specific PP and limits the party. This post tells how to make the Red/Blue bootstrap more like Yellow, not the other way around. It does not look possible to do it the other way around anyway.

I introduce item -gm or (http://i.imgur.com/V5GUs6b.png) in game in Vermilion PokeMart. Characters in green change based on map tileset but -gm is fixed (http://i.imgur.com/WrE8aAH.png). This item is x6A or 106 decimal. Like 8F it points to an address in WRAM at wDA47. This address is x39 or 57 decimal bytes before the beginning of the PC list, wDA80. What lies between is as follows: W_NUMSAFARIBALLS, W_DAYCARE_IN_USE, W_DAYCAREMONNAME, W_DAYCAREMONOT, wDayCareMon. These values are very easily set to x00 and are x00 by default, which is simply a skipped opcode. This item can be obtained like 8F, just do the procedure for x6A instead of x5D.

In conclusion -gm can be used like ws m to run initial code from the PC list, which is W_NUMINBOX, wBoxSpecies (x14 or 20 bytes), xFF, then data for individual Pokemon. The cost is that -gm must go through many x00 opcodes before the intended code, but this is 228 CPU cycles and is very minimal.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 19, 2014, 12:19:31 pm
Thanks memdump, this works wonderfully.

Do note that if the bootstrap code contains absolute jumps though, you'll have to change them to get the exact same item location.

So with Pigdevil2010's latest first item pack ws m code

Quote
Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon

...You'd need to change the Growlithe (21) to Onix (22) to get to item 3 (D322), but it would still work with Growlithe, only your item code would start at item 2's quantity.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: memdump on September 19, 2014, 11:30:41 pm
More info I found to share. In Red/Blue item x7E (long glitch name) points to address wD887. Do you know this address? It is the start of wild Pokemon data... and the Old Man glitch writes your name to that space in memory! But, the English character set does not give characters that relate to any good opcode value. Maybe corrupt the name, then perform steps to take advantage of this. Just food for thought.

I said English character set. In the Japanese character set, you can name the player with a greater variety of characters. In fact in Midori 1.0 there too exists an item for this. It is x7B instead of x7E and this item is called てヘ (tehe). It points to wD806, which is the wild Pokemon data in that game exactly as well. Here is an example: You name your player アてルぬ (aterunu). The first value is overwritten by x00, the Tokiwa encounter rate, when Old Man ends, so it does not matter. But the next 3 characters have values xC3 xA6 xD2, which in ASM is jp wD2A6. This is the address of the third item in the bag in that game! So you name the player _てルぬ, obtain てヘ, talk to Old Man, use てヘ, and your name is all that is needed for bootstrap code, and now you run arbitrary code from the inventory like before!

I have tested and it works. No Pokemon needed at all for bootstrap. Very cool.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 20, 2014, 06:30:25 am
Excellent find. That makes my 5かい linked 151 run look silly. Ha ha.

I guess I'll start thinking about how a Midori v1.0 151 ACE speedrun would go.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on November 08, 2014, 05:31:16 pm
There's a new way to get 8F with 94, thanks to luckytyphlosion's discovery of "double distort CoolTrainers".

It does not use:

*Item underflow glitch
*An out of bounds Glitch City (http://glitchcity.info/wiki/index.php/Out_of_bounds_Glitch_City_(Generation_I)) (previously used by TheZZAZZGlitch for a 94 CoolTrainer).
*Silph Co. 11F Rocket and a Trainer inducing old man glitch name (Paco81's trick to battle a 94 Trainer)
*Walk through walls. (for the out of bounds Glitch City)

The only problems that come to mind are that you seem to need a 7 letter long name, and the fact that CoolTrainer may stop working. I haven't tested all name sizes, but a 6 letter name with an even third character didn't work, and the 7 letter name BBBBBBB (all odd digits) worked contrary to Dabomstew's explanation that the third character has to be even.

Steps:

Get a Pokémon with CoolTrainer as the first move first. You can have Ditto transform then swap move 1 with another move, then run. Keep this Pokémon in the first position. Have a Good Rod as the fourth item.

1) Name a Pokémon or a Ditto "[ANYTHING]×". The × is a multiplication sign.
2) Do a CoolTrainer (keep viewing CoolTrainer move by scrolling/opening closing the fight menu) after opening the items screen here. Don't open the item/Pokémon/Pokédex menu after.
(http://i.imgur.com/hXz9XXB.png).
3) Enter a battle and do a CoolTrainer, but don't catch the enemy yet.
4) Switch to the nicknamed Pokémon (or other Pokémon) and you'll notice a copy of its name will be printed on the screen.
5) Full Heal Ditto (this also updates the screen data), then switch to Ditto.
6) Do a CoolTrainer again, and this time catch the Pokémon to get what you want. If your Ditto has × as the second character, you can open the items menu after sending it into battle before doing the second CoolTrainer; to get 94 with Ditto's name.
7) Your Good Rod will turn into 8F.

Unfortunately, memdump's better ACE item "-g m" cannot be obtained with this CoolTrainer trick, but food for thought, maybe there's another useful item conversion glitch Pokémon that could be used to get it. (from here (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags))

Videos:
Dabomstew's video (https://www.youtube.com/watch?v=4OgaEeGSCzY)
My vid (https://www.youtube.com/watch?v=aqy9QSbn1to)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Glitch Genie on November 10, 2014, 08:03:50 pm
Newcomers: I highly recommend you read beyond this thread's first post. Thanks to the later posts you will learn how to do the described glitch on Yellow, Japanese Red/Green/Yellow or other international releases, and you'll find many different item lists for performing different tasks.

WHAT'S 8F?

8F is a Red/Blue equivalent of JP Red/Green's 5かい - an item executing machine code starting from $D163 (Number of Pokemon) upon use. Its hex identifier is 0x5D, despite its hex-like name. 8F is treated by the game as a key item and it can't be tossed away or sold in the mart.

As address $D163 contains re-writeable data, it is possible to redirect the instruction pointer to the item list with relative jumps and easily run arbitrary code just by spelling the opcodes with items. With enough items, one could also make a program that reads key input continuously, writes it somewhere in the RAM and jumps to it after a while, allowing to even run your own homebrew software (jailbreaking the gameboy, lolz).

HOW TO OBTAIN IT:

OBTAINING 8F USING ITEM COUNTER UNDERFLOW GLITCH:

PREREQUISITES:

 - Access to any event that removes an item from your inventory (Saffron guards, handing out a fossil in Cinnabar Lab, giving Gold Teeth to the Warden etc.)
 - A following item list:
   Any item x[Any qty]
   X Special x255
   Item you need to give away x1

EXECUTION:

1. Toss the first item. It should change to X Special x255
2. Continue tossing the first item until the item menu "stops responding"
3. Trigger an event that removes the item from your inventory (example: get Kabuto, Omanyte, or Aerodactyl down in Cinnabar)
4. Now, you should have 255 items with you. Go to the eastmost corner of Celadon City:

(http://i34.tinypic.com/2me4qdl.png)

5. Toss 254 of your X Specials. Then swap the 'X Special x1' with 'Nugget x1' (35th item)
6. Try walking to the right - the map should now loop back to the left side of Celadon City. The amount of steps you take to the right determines the item you will get, so position yourself properly to obtain 8F. Swap it with the first item, then fly back to Celadon.
7. Store one of your newly acquired glitch items into the PC. Then buy any 3 items to bring your inventory back to normal.

A video of this method (makes it a lot easier to understand): http://www.youtube.com/watch?v=98_azamLeh4 (http://www.youtube.com/watch?v=98_azamLeh4)

OBTAINING 8F USING INVALID ENCOUNTER FLAGS (OBSOLETE):

PREREQUISITES:

 - A Ditto with a Cooltrainer move, nicknamed "R:u"  (Get Cooltrainer by transforming into a pokemon with 4 moves. swap the second move with the 1st, run, and Ditto's move will be cooltrainer)
 - At least 1 Escape Rope
 - Good Rod on your 4th item slot
 - Exactly 10 Pokemon in your current box (this tremendously increases the chances of Cooltrainer move working properly) (sometimes the Cooltrainer move refuses to work, so if 10 pokemon doesn't work out, try 9 pokemon, and then 8, etc.)
 - Preferably a Bicycle, to make things a little bit faster.

EXECUTION:

1. Heal your Pokemon in Fuchsia City's Pokemon Center.
2. Do the Safari Zone walk through walls glitch, with only Ditto in your party.
3. After you appear back at the Fuchsia City's Center with noclip activated, walk exactly:
 a) 19 steps west
 b) 28 steps north
 c) 1 step west
 d) 29 steps north
 e) 11 steps east
4. Open your Pokemon menu and close it (important). You may want to use bicycle now to travel faster - you won't be able to do this later.
5. Go 11 steps west and keep walking south until you find yourself back on Route 18. Do not open your Start menu from now on.
6. Walk/bike to Seafoam Islands and enter the cave.
7. Encounter a wild Pokemon, and continuously try to use the Cooltrainer move. If it does not work after about 15 tries, quit the battle and start a new one. Do not open your Pokemon menu, Item menu or Start menu at all!
8. Eventually, the music will fade out, the move typing will become blank, and name of the opponent will get changed. Catch the resulting Pokemon - the game will state you caught a "94", and your Good Rod will turn into an 8F.
9. Use an Escape Rope, as there's a slight chance the game will crash after exiting the cave normally.

OBTAINING 8F WITH A CORRUPTED ITEM PACK (OBSOLETE):

This method is not recommended - it has a lot of side effects and is terribly complicated. Use it only when the encounter flag method does not seem to work for you.

PREREQUISITES:

 - A Pokemon on the first slot meeting very specific requirements:
    > It needs to have a Super Glitch as a 4th move
    > Its three moves besides the Super Glitch have to contain 25 characters in total
    > One of its three moves needs to be 4 characters long
    > This Pokemon needs to be able to learn Mega Kick through TM05
    An example: ゥL ||ゥM 4 (hex C6) with moves Body Slam, TM50, Quick Attack, [Super Glitch]
 - Any Pokemon on the second slot you don't care about, nicknamed "cccccccc". It will be gone in the process, so don't use your L100 Charizard.
 - A Pokemon on the third slot knowing Fly.
 - Exactly 3 useless items in your Bag. They will get destroyed again, so don't pick anything important.
 - TM05 (Mega Kick), deposited in the PC
 - At least one free space in the PC to store your obtained 8F
 - An empty Pokemon box currently selected, most likely box 12

SIDE EFFECTS:

Sadly, those side effects are actually quite annoying. But also, happily enough, one can fix them with 8F's arbitrary code execution.

1. Your player name will become blank (the game will save just fine though). However, with 8F's arbitrary code execution capabilities, one can change his name back to something nice.
2. Lower 5 Pokedex bytes will become corrupted, displaying some yet unseen species as caught. There's no easy way to fix this, but it's not a big deal unless you care about your Pokedex progression.
3. Your Pokemon box may get to a state where trying to release the glitch Pokemon inside will crash the game. This side effect does not happen every time, but if it does, again, this can be fixed with 8F's arbitrary code execution.

EXECUTION:

The process is a little bit complicated, but after around 15 minutes of hard work, you should be able to claim your own 8F without a cheating device.

1. Go to the exact spot shown on the screenshot below (second to last house on Celadon's south-east). Open up and close immediately your Pokemon menu while still standing on that spot.

(http://smartfeel.net/images/spot2.png)

2. Go into a patch of grass and encounter a wild Pokemon. Do not open your start menu while going there.
3. Open and close your fight menu a few times, then run from the battle.
4. Open your Start menu. Your name should be glitched. If it isn't, repeat step 3.
5. Now you should have 16 Pokemon. Go to the Celadon's Pokemon Center and talk to Nurse Joy, but don't heal.
6. Go to the exact spot shown on the screenshot below:

(http://i34.tinypic.com/2me4qdl.png)

7. Open up your Pokemon menu, swap the 2nd Pokemon with the 10th.
8. Now your item pack should have 162 items, with the first item being "RIVAL's" and the second being Ether.
9. If you have more than 1 Ether on the second position, toss them so only 1 remains.
10. Swap the Ether (2nd item) with the 35th one (for this location this should be a Nugget)
11. Try walking to the right - the map should now loop back to the left side of Celadon City.
12. Keep walking to the right until you find the spot below:

(http://i37.tinypic.com/fp9oiq.jpg)

13. Open your item pack here - the Ether should turn into 8F. Switch it back with the second item to keep it.
14. Fly away to any town. Go to the Pokemon Center.
15. Store one of your 8Fs in the PC. 8F is treated like a key item and depositing more than one will clutter your PC.
16. (Optional) You can also deposit "RIVAL's" into the PC to get 2 glitch items for the price of one.
17. Swap the 10th Pokemon back with the 2nd. This will clear all your items.
18. Withdraw TM05 from your PC.
19. Swap the 2nd Pokemon with the 5th to avoid crashing in the next few steps.
20. Swap the 3rd Pokemon with the 2nd so your Pokemon with Fly won't get obliterated by Charizard 'Ms
21. Deposit your LM4 and your Pokemon with Fly.
22. From now on keep depositing Pokemon into your empty box until you're left with just one Pokemon in your party.
23. Withdraw LM4 and the Pokemon with Fly.
24. Exit out the PC and move the first Pokemon (Charizard 'M) to the last slot.
25. Deposit the Charizard 'M. You should now have only LM4 and the flyer in your team.
26. Because of the Super Glitch, your LM4 became an unstable hybrid of Krabby. Fly to Cerulean City, bring your LM4 into Daycare and take it out to change it back to LM4.
27. Fly back to Celadon City, stand in the spot below:

(http://i33.tinypic.com/2rf51s4.png)

28. Teach your LM4 Mega Kick (use TM05). Replace the move with 4 characters in its name, otherwise stuff won't work as intended.
29. Fly to Cerulean City again, stand in the spot shown below:

(http://i35.tinypic.com/awokfs.png)

30. Open your Pokemon menu here (important). If your LM4 is now the second Pokemon in your party, switch it back to the first slot.
31. Fight a wild Pokemon. Open up and close your fight menu a few times, then run from the battle.
32. Your name should be now blank. If it isn't, repeat step 30.
33. Fly to any Pokemon Center and heal your Pokemon.
34. And finally, you're done! You are now free to save the game if you're brave enough. Withdraw your 8F and have fun.

Full video presenting this done step by step: http://www.youtube.com/watch?v=Sw0h7ImFsAs (http://www.youtube.com/watch?v=Sw0h7ImFsAs)

BOOTSTRAPPING

8F won't do anything amazing by itself - in order to make it execute code from $D322 (third item), we need to use the party Pokemon to spell out a short bootstrapping program, which will redirect the instruction pointer to your item pack. The requirements are as follows:

1.  6 Pokémon                                                         [0xD163 = 0x06]
2.  Onix as the first Pokémon                                         [0xD164 = 0x22]
3.  Pidgey as the second Pokémon                                      [0xD165 = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD166 = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD167 = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1B5 = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1B6 = 0x55]
8.  36 PP left on the fourth Pokémon's first move                     [0xD20C = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD20D = 0x18]
10. 20 PP left on the fourth Pokémon's third move                     [0xD20E = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD223 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD224 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD225 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD26C = 0xE9]


(11/12/13: Hitmonlee is probably the only Pokémon that can learn all of those moves)

Resulting ASM:
Code:
; -- Initial value of hl: D163
WRA1:D163 06 22            ld   b,22    ;  b = 22
WRA1:D165 24               inc  h       ; hl = D263
WRA1:D166 18 4D            jr   D1B5

WRA1:D1B5 18 55            jr   D20C

WRA1:D20C 24               inc  h       ; hl = D363
WRA1:D20D 18 14            jr   D223

WRA1:D223 68               ld   l,b     ; hl = D322
WRA1:D224 18 46            jr   D26C

WRA1:D26C E9               jp   hl

(http://i37.tinypic.com/55m07l.png)

Sadly, we can't use K)ry's original code from Pokemon Green, as in international versions the opcodes [jp imm16] and [call imm16] can't be represented in a Pokemon's nickname, foiling our evil plan.

Well, now we're done with all those preparations, let's try to actually do something with this item! Below I present some examples of what is possible.

USING 8F TO OUR ADVANTAGE

"CATCH 'EM ALL" SCRIPT

This is just K)ry's ASM for JP Red/Green (http://www.geocities.jp/kattempla/pokebug/5kai.html) ported on the international release. With those items, 8F will act like an item that forces a Pokemon encounter based on the quantity of item #1, allowing to catch all 151 Pokemon easily.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s)

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x31
TM11                 x4
TM34                 x89
TM08                 x201


ASM:
Code:
WRA1:D322 FA 1F D3         ld   a,(D31F)
WRA1:D325 04               inc  b
WRA1:D326 EA 59 D0         ld   (D059),a
WRA1:D329 C9               ret 

ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201


ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

FIX THE PLAYER'S NAME

One of the side effects of obtaining 8F is blanking out your name. However, with this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters and bring your name back to normal.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201


ASM:
Code:
WRA1:D322 FA B5 D2         ld   a,(D2B5)
WRA1:D325 40               ld   b,b
WRA1:D326 EA 58 D1         ld   (D158),a
WRA1:D329 2E 27            ld   l,27
WRA1:D32B 34               inc  (hl)
WRA1:D32C 2E 23            ld   l,23
WRA1:D32E 34               inc  (hl)
WRA1:D32F C9               ret 

CHANGE THE SECOND ITEM

This easy code uses only 3 basic items, and it increases the first item's index by 1 every time 8F is used. You can obtain normally unobtainable items, glitch items or TMs so you can do other item configurations described.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s)

ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201


ASM:
Code:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl       ; hl = D321
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl       ; hl = D320 (second item's ID)
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret


WALK THROUGH WALLS

Jump off a ledge after using 8F to walk through walls.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x20
TM15                 x201


ASM:
Code:
WRA1:D322 EA 14 D7         ld (d714),a
WRA1:D325 C9               ret

ESCAPE FROM A TRAINER BATTLE

This turns 8F into an item which allows escaping from any battle, including trainer battles.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x120
TM08                 x201


ASM:
Code:
WRA1:D322 EA 78 D0         ld (d078),a
WRA1:D325 C9               ret

CLEAR A POKEMON BOX

While obtaining 8F there's a slight chance Pokemon at your box will get corrupted and will crash the game upon releasing. One can either deal with it and switch to another box, or make the box empty with this item configuration.

Switch to the corrupted box, use the 8F, done. Be careful though, you don't probably want to clear the box with your L100 legendaries.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s (http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s)

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
Soda Pop             x64
TM34                 x128
TM18                 x201


ASM:
Code:
WRA1:D322 3E 01            ld a,01
WRA1:D324 3D               dec a
WRA1:D325 40               ld b,b
WRA1:D326 EA 80 DA         ld (da80),a
WRA1:D329 C9               ret

ENDING REMARK: BIG ITEM QUANTITIES?

All of those item lists will have at least one item with quantity bigger than 99. Obviously, it's possible to obtain those big quantities using the Missingno. item duplication glitch (duplicating a 99 item stack will result in a 227 item stack).
However, the numbers bigger than 9 are represented with glitch blobs, so it's normally impossible to read how many items you actually have. This short image guide below will help you with reading quantities of those big item stacks.

(http://i38.tinypic.com/2d8jgqg.png)
* This image uses the Pokemon Center tileset
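The bootstrap programs in this thread (the party-data bootstrap in the BOOTSTRAPPING section above, nixnyte's Yellow box bootstrap for ws m, and memdump's -gm fall-through into Pigdevil2010's box list as quoted in Evie's reply) can be checked offline. The interpreter below is an added example, not code from the thread or any poster: it models only the LR35902 opcodes those programs use, builds the WRAM images from the species, PP and HP values the posts give, and reports where the final jp hl lands. The species bytes the thread never prints (Tangela, Haunter, Grimer) are assumed from the standard Gen I internal index list.

```python
# Added example (not code from the thread or from any poster): a tiny
# interpreter for only the LR35402/Game Boy opcodes the bootstrap programs
# here use. WRAM images are constructed from the posts' values; species
# bytes not printed in the thread (Tangela, Haunter, Grimer) are assumed
# from the standard Gen I internal index list.

SPECIES = {
    'Parasect': 0x2E, 'Clefable': 0x8E, 'Metapod': 0x7C, 'Gyarados': 0x16,
    'NidoranF': 0x0F, 'Golbat': 0x82, 'Onix': 0x22, 'Kadabra': 0x26,
    'Nidoking': 0x07, 'Abra': 0x94, 'Flareon': 0x67, 'Growlithe': 0x21,
    'Pikachu': 0x54, 'Pidgey': 0x24, 'Tentacool': 0x18, 'Meowth': 0x4D,
    'Tangela': 0x1E, 'Haunter': 0x93, 'Grimer': 0x0D,
}

def set_hl(r, hl):
    r['h'], r['l'] = (hl >> 8) & 0xFF, hl & 0xFF

def step(mem, r):
    """Execute one instruction at r['pc']; returns False when RET executes."""
    pc = r['pc']
    op, imm = mem[pc], mem[(pc + 1) & 0xFFFF]
    hl = (r['h'] << 8) | r['l']
    if op == 0xC9:                                          # ret: stop here
        return False
    r['pc'] = pc + 1                                        # 1-byte default
    if op == 0x00: pass                                     # nop (what -gm skips)
    elif op == 0x06: r['b'] = imm; r['pc'] += 1             # ld b,n
    elif op == 0x0A: r['a'] = mem[(r['b'] << 8) | r['c']]   # ld a,(bc)
    elif op == 0x0F: r['a'] = (r['a'] >> 1 | r['a'] << 7) & 0xFF  # rrca
    elif op == 0x16: r['d'] = imm; r['pc'] += 1             # ld d,n
    elif op == 0x18:                                        # jr r8 (signed)
        r['pc'] = (pc + 2 + imm - (0x100 if imm > 0x7F else 0)) & 0xFFFF
    elif op == 0x1E: r['e'] = imm; r['pc'] += 1             # ld e,n
    elif op == 0x22: mem[hl] = r['a']; set_hl(r, hl + 1)    # ld (hl+),a
    elif op == 0x24: r['h'] = (r['h'] + 1) & 0xFF           # inc h
    elif op == 0x26: r['h'] = imm; r['pc'] += 1             # ld h,n
    elif op == 0x2E: r['l'] = imm; r['pc'] += 1             # ld l,n
    elif op == 0x67: r['h'] = r['a']                        # ld h,a
    elif op == 0x68: r['l'] = r['b']                        # ld l,b
    elif op == 0x7C: r['a'] = r['h']                        # ld a,h
    elif op == 0x82: r['a'] = (r['a'] + r['d']) & 0xFF      # add a,d
    elif op == 0x93: r['a'] = (r['a'] - r['e']) & 0xFF      # sub e
    elif op == 0x94: r['a'] = (r['a'] - r['h']) & 0xFF      # sub h
    elif op == 0xE9: r['pc'] = hl                           # jp hl
    else:
        raise ValueError(f'opcode {op:02X} at {pc:04X} not modelled')
    return True

def run(mem, entry, limit=200):
    """Run from `entry` with HL = entry (the thread gives HL = entry address
    when the item's code starts) until RET; returns the RET's address."""
    r = {'a': 0, 'b': 0, 'c': 0, 'd': 0, 'e': 0, 'pc': entry}
    set_hl(r, entry)
    for _ in range(limit):
        if not step(mem, r):
            return r['pc']
    raise RuntimeError('no RET within step limit')

def rb_party_image():
    """8F in Red/Blue: party per the BOOTSTRAPPING requirement list."""
    mem = bytearray(0x10000)
    mem[0xD163:0xD168] = [6] + [SPECIES[s] for s in ('Onix', 'Pidgey', 'Tentacool', 'Meowth')]
    mem[0xD1B5:0xD1B7] = [0x18, 0x55]           # mon 2: PP of moves 2-3
    mem[0xD20C:0xD20F] = [0x24, 0x18, 0x14]     # mon 4: PP of moves 1-3
    mem[0xD223:0xD226] = [0x68, 0x18, 0x46]     # mon 5: Double Team, Double Kick, Strength
    mem[0xD26C] = 0xE9                          # mon 6: attack stat 233
    mem[0xD322] = 0xC9                          # constructed payload: just RET
    return mem

def yellow_box_image():
    """ws m in Yellow: the 15-Pokémon box from nixnyte's post (DA7F = count)."""
    box = ['Parasect', 'Clefable', 'Metapod', 'Gyarados', 'NidoranF', 'Golbat',
           'Onix', 'Metapod', 'Kadabra', 'Nidoking', 'Abra', 'Flareon',
           'Parasect', 'Growlithe', 'Pikachu']
    mem = bytearray(0x10000)
    mem[0xDA7F] = len(box)
    mem[0xDA80:0xDA80 + len(box)] = [SPECIES[s] for s in box]
    mem[0xDA8F] = 0xFF                          # list terminator
    mem[0xD321] = 0xC9                          # constructed payload: just RET
    return mem

def rb_gm_box_image(seventh='Onix'):
    """-gm in Red/Blue: x39 zero bytes from DA47 (Day Care/Safari data assumed
    zero), then Pigdevil2010's box list with Tangela (233 HP) as box mon 1."""
    box = ['Tangela', 'Nidoking', 'Metapod', 'Haunter', 'Flareon', 'Parasect',
           seventh, 'Tentacool', 'Grimer', 'Pikachu']
    mem = bytearray(0x10000)
    mem[0xDA80] = len(box)
    mem[0xDA81:0xDA81 + len(box)] = [SPECIES[s] for s in box]
    mem[0xDA95] = 0xFF
    mem[0xDA96:0xDA99] = [SPECIES['Tangela'], 0x00, 0xE9]  # species, HP = 233
    mem[0xD321] = mem[0xD322] = 0xC9            # constructed payloads: just RET
    return mem

if __name__ == '__main__':
    print(f"8F   D163 -> {run(rb_party_image(), 0xD163):04X}")
    print(f"ws m DA7F -> {run(yellow_box_image(), 0xDA7F):04X}")
    print(f"-gm  DA47 -> {run(rb_gm_box_image(), 0xDA47):04X} (Onix)")
    print(f"-gm  DA47 -> {run(rb_gm_box_image('Growlithe'), 0xDA47):04X} (Growlithe)")
```

The Growlithe/Onix swap reproduces the D321 versus D322 difference Evie points out, and the Yellow run also shows the self-modifying write of E9 into the "anything" slot.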
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yuzihax on November 10, 2014, 08:17:05 pm
I honestly thought you'd just quoted the OP verbatim. You might want to state outright that you're suggesting changes, it's a little confusing!

At least, it is for me, and that's what I'm fairly sure that post is about. Admittedly, I haven't actually read this thread before now!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on November 10, 2014, 11:56:37 pm
I really don't see anything different about the post, and it looks like he just quoted the whole original post.

Edit: He added "(example: get Kabuto, omanyte, or Aerodactyl down in Cinnabar)" to the Item Counter Underflow Section, and added more information to the CoolTrainer section. It would also be good to add the much easier Cooltrainer method using Double-Distort, but Item Underflow is probably the best method because you can easily get any item for each script.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on November 13, 2014, 04:47:59 am
I really don't see anything different about the post, and it looks like he just quoted the whole original post.

Edit: He added "(example: get Kabuto, omanyte, or Aerodactyl down in Cinnabar)" to the Item Counter Underflow Section, and added more information to the CoolTrainer section. It would also be good to add the much easier Cooltrainer method using Double-Distort, but Item Underflow is probably the best method because you can easily get any item for each script.

>TFW someone thinks a forum is a wiki.

I saw the giant quote and nothing else, and was going to delete the post entirely before I saw the replies to it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: eironeia on November 17, 2014, 12:10:54 am
Maybe someone finds a use for this. This code maxes out stat exp and DVs for all stats of the first Pokémon in the current PC box. It uses an absolute address and works only for the European versions of the game, but has only been tested using the German version.

It does use copious amounts of throwaway inc b instructions to make expressing it in items easier, so there's a good chance it can be optimized in size or require less items with high quantities.

Code:
; In C without throwaway increments:
; a = 0xb8;
; h = 0xda;
; l = 0xac;
; do {
;     *((h << 8) | l) = 0xff;
;     l++;
; } while (l != a);

ld a, $b8    ; 3E B8
ld h, $da    ; 26 DA
ld l, $ac    ; 2E AC

ld (hl), $ff ; 36 FF
inc b        ; 04, throwaway (Poké Ball)
inc l        ; 2C
inc b        ; 04, throwaway (Poké Ball)

cp l         ; BD
jr nz, $f8   ; 20 F8
inc b        ; 04, throwaway (Poké Ball)
ret          ; C9

Or expressed in items:
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on November 17, 2014, 10:55:18 am
Quote
works only for the European versions of the game, but has only been tested using the German version.

To convert from a DE/FR/IT/ES WRAM address to an EN one, subtract 5.
Title: Debug Mode
Post by: Rena on December 25, 2014, 04:56:52 am
Here's a fun one, based on Wack0's "set any address to anything":
Debug Mode:

Code: [Select]
ld a,$03
ld l,$32
ld h,$D7
inc b
ld (hl),a
inc a
ret

3E 03 2E 32 26 D7 04 77 3C C9

Starting from item #1:
Any Item    xAny
8F          xAny
Lemonade    x  3
X Accuracy  x 50
Carbos      x215
Poké Ball   x119
Fresh Water x201


This sets a flag in address $D732 (bit 1) that enables some nice debug functions:

The last one is the only one we really can see because unfortunately the flag gets reset at new game. It saves, though, so after executing this and saving the game, the effect remains indefinitely. As far as I know, the only things that reset this flag are starting a link battle or starting a new game. (Possibly forced bike/surf areas might affect it too?)

BTW, does ws m work in Red/Blue? When I use it, it says the PC box is full.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on December 25, 2014, 12:31:52 pm
Cool, thanks Rena. The more 8F codes the merrier :D.

No, ws m can't be used to activate arbitrary code in Red and Blue, because its effect pointer is 65B1 (in ROM). It can only be used to activate arbitrary code in Yellow, where it runs WRAM DA7F.

However, as memdump shared, there is an item called -g m that executes code from WRAM DA47 in Red/Blue, and if you don't have bad Day Care data or number of Safari Balls data, you can make the code fall through to DA80 and use Pigdevil2010's latest Yellow stored party Pokémon bootstrap code (http://forums.glitchcity.info/index.php/topic,6638.msg196499.html#msg196499), but with one small change: Onix instead of Growlithe so the code goes to D322 instead of D321.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on December 25, 2014, 04:23:24 pm
By using map script pointer, would it be possible to create a code to make mew appear under the truck :o? (actually it is possible, it's just no one has made a code yet)

EDIT: This code won't work because you can't walk while the game is running through your custom script pointer. Possibly replace it with a "check sprite" piece of code instead?

I have some code for a "make mew appear under the truck" code here, but I need help on sprite related aspects and a text pointer.

Code: [Select]
; make mew appear under the truck
ld a,[$d35e] ; make sure that you're on the ss anne map with the truck
cp a,$5e
ret nz
ld hl, $d728 ; used strength address
bit 0,(hl)
ret z ; return if not using strength
ld hl,$c109 ; player facing direction
ld a,(hl) ; load address value into a
cp a,$08 ; is player facing right?
ret nz ; return if not facing right
ld a,[$d35f] ; top left pointer blocks comparison because I can't
cp a,$08 ; figure out how GetCoordsAndTileinFrontOfPlayer works (help pls)
ret nz
ld a,[$d360]
cp a,$c6
ret nz
ld a,[$d363] ; compare block coords (ld b,[nn] is not a Game Boy instruction, so load into a)
and a        ; Z is set if the coordinate is 0
ret nz
ld a,[$d364]
and a
ret nz
call $0bd1 ; collision check
ret nc ; return if no collision (collision check sets carry)
; insert sprite data and stuff here
; replace truck block with regular dock block, then make the truck into two sprites
; move each sprite one left
; place a slowbro sprite on the empty space where the truck is
; text pointer for slowbro sprite points to "Mew!"
; starts battle after (can be cheap and set W_ISINBATTLE/d057 to 1)
; set W_CUROPPONENT to $15
; end text pointer
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Rena on December 26, 2014, 03:14:10 am
That would be a pretty sophisticated hack to pull off with ACE. You'd need to store that all somewhere; it'd probably be longer than the inventory, so you'd need a second stage bootstrap to read values into some other buffer (maybe save RAM?) and then resume execution as normal.

You could save some space by reusing Mewtwo's text (when you speak to him, he says "Mew!") and by not bothering to turn the truck into a sprite (just update the map to move the truck tiles, or even just flash the screen and have Mew appear as soon as you push the truck). It might not look quite as good but it'd probably be much easier to pull off. Also it's enough to set W_CUROPPONENT (D059 in Red/Blue) to trigger an encounter; you don't have to set W_ISINBATTLE. (You'd want to set their level, though.)

IIRC, the map script pointer in gen 1 is just a pointer to code that gets called every frame (and maybe a counter?), so you'd have to point that to your new function (and maybe also call the original script after yours finishes). I don't know about walking while the script is running; there's probably a flag that you can set. Or you might be able to take over the animation function; IIRC that's also just a pointer to a function.

Also, see here (https://github.com/RenaKunisaki/pokered/blob/master/hacks/overworld-hms.asm) for an example of GetTileAndCoordsInFrontOfPlayer(). (It just sets some global variables. I don't remember if it also returns something in the registers.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on December 26, 2014, 10:58:01 am
You could probably use box data for the code, I don't think it'll be that long. You could also use a custom text pointer manip from RAM (but I don't know exactly how that would work), and have it put values into "W_CUROPPONENT" through script mode.

I don't think there's any special map script pointer for SS anne (maybe when you leave the boat and you have the boat cutscene) and space isn't much of a problem either, because of box data.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Panda on January 28, 2015, 12:44:06 pm
I'm new here, but I thought I'd register to let you know about this:

http://gbatemp.net/threads/injecting-roms-into-vc-with-only-the-web-browser-sure.379760/

With this knowledge of injecting roms into vc games, what would happen if we were to trigger arbitrary code in a rom swapped Pokemon Blue?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on January 28, 2015, 02:05:55 pm
Quote
I'm new here, but I thought I'd register to let you know about this:

http://gbatemp.net/threads/injecting-roms-into-vc-with-only-the-web-browser-sure.379760/

With this knowledge of injecting roms into vc games, what would happen if we were to trigger arbitrary code in a rom swapped Pokemon Blue?

You'd get arbitrary code execution in the emulator. That's it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on March 01, 2015, 02:00:36 pm
Posting this here since it seems like it's worth it:

http://gameboy.mongenel.com/asmschool.html is a website that teaches you the basics of GBZ80. However, it's incomplete, so there isn't every important thing about Game Boy Programming in the tutorial. Still, it's good for learning the basic gb opcodes to make simple arbitrary code hacks.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on March 02, 2015, 06:37:14 am
After seeing all the problems with 8F... I think I'll stick to Yellow.

Anyway, with the (fairly) new 3DS exploit allowing me to run GBC games, I now have a working mobile version of Pokemon Yellow again, and am going to try to do some research on the crazy glitch items Yellow has to offer. I don't like emulators on computers.


With ws m, once you've got the following setup:

Anything x [XX] (index number) <-- Slot 1 of inventory
[blank. Not used. I've put ws m here]
TM 50 x 30
TM 11 x 04
TM 34 x 88
TM 08 x 201

You can run into anything you like, based on the number of items you have in Slot 1. I just keep a slot of 183x Pokeballs (just a random item I had) for whenever I need to run into a Missingno. to increase my item count. When I need to do this, I use ws m, then before closing the bag swap the TM 08s with whatever I want to dupe... then close the bag, immediately run from the Aerodactyl Missingno., and swap the TM 08s back. Was kind of a pain to set up without cheating, but now it's incredibly quick and easy.

I haven't read through the entire thread, so my apologies if someone already created this particular code. As usual, it looks like I'm far behind the crowd. I'll post back here if I find anything interesting among the glitch items. I'll be first just gettin' em and probably crashing the game a lot, then I'll look at the code for it later. This game is incredibly broken.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: FMK on March 04, 2015, 01:55:31 am
So because I'm crazy and was bored, I decided to figure out how to compress pigdevil2010's 8F bootstrap into only requiring two Pokemon, as well as making it so you can have anything in slot 1.

Required Party Count: 6
* Slot 2: Tentacool, with 9262 (242E) HP Stat EXP, 8704 (2200) Atk Stat EXP, 9449 (24E9) Def Stat EXP
Slot 3: Venonat

* 54 Dittos, 42 Tentacools, 31 Poliwhirls, 25 Voltorbs, 15 Seels, 8 Pidgeys, 7 Cubones, and 6 Nidoran (F)s need to be killed to reach those exact values.

54 Dittos = 2592 HP, 2592 Atk, 2592 Def
42 Tentacools = 1680 HP, 1680 Atk, 1470 Def
31 Poliwhirls = 2015 HP, 2015 Atk, 2015 Def
25 Voltorbs = 1000 HP, 750 Atk, 1250 Def
15 Seels = 975 HP, 675 Atk, 825 Def
8 Pidgeys = 320 HP, 360 Atk, 320 Def
7 Cubones = 350 HP, 350 Atk, 665 Def
6 Nidoran (F)s = 330 HP, 282 Atk, 312 Def

I'm pretty sure my math is correct, anyways.


Code ends up being
Code: [Select]
; Initial hl = D163
$D163 06 ?? || ld   b,??
$D165 <- 18 ||
$D166 <- 41 || jr 41     ; pc = D1A8
$D1A8 <- 24 || inc h    ; h = D2
$D1A9 <- 2e ||
$D1AA <- 22 || ld l, 22 ; l = 22
$D1AB <- 00 || nop
$D1AC <- 24 || inc h    ; h = D3
$D1AD <- e9 || jp hl    ; pc = D322
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on March 05, 2015, 10:17:13 pm

________________

Change the enemy species in battle

3E xx EA D7 CF C9

Lemonade x (X)
TM34 x 215
TM07 x 201

Code: [Select]
ld a, (xx)
ld (CFD7), a
ret


For some reason this one isn't working for me. I just use ws m and nothing happens; it just skips my turn. Using it before battle seems to do nothing too.

I'm not the greatest with this stuff, but it seems like it should work... I'm doing nothing differently than I did with all the other bits of code.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on March 05, 2015, 11:19:12 pm

Quote
________________

Change the enemy species in battle

3E xx EA D7 CF C9

Lemonade x (X)
TM34 x 215
TM07 x 201

Code: [Select]
ld a, (xx)
ld (CFD7), a
ret


For some reason this one isn't working for me. I just use ws m and nothing happens; it just skips my turn. Using it before battle seems to do nothing too.

I'm not the greatest with this stuff, but it seems like it should work... I'm doing nothing differently than I did with all the other bits of code.

I don't know if that's supposed to work correctly, since iirc items have different effects in battle.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on March 06, 2015, 11:19:28 am
You can execute arbitrary code with 8F and ws m from within a battle too.

That code is working for me. But what I did not know is that the enemy Pokémon's palette doesn't change (indicating the species changed) until you use a ball or open and close the Pokémon menu so it probably worked without you knowing it.

Also ensure that your code starts at item 3 if you are using TheZZAZZGlitch's (http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586) or Pigdevil2010's (http://forums.glitchcity.info/index.php/topic,6638.msg194458.html#msg194458) item pack bootstrap codes and that you have the relevant stored Pokémon in the current box. I think I may have forgotten to do that in the past even though it may sound obvious.

Quote
I don't know if that's supposed to work correctly, since iirc items have different effects in battle.

I know that at least for one item the 'in battle' check is part of the item's execution code itself (quoted below), so I'm unsure of whether being in battle is entirely relevant, unless you use a code that depends on initial register values which may differ inside of battle from outside of battle, or a code that relies on you being in a battle or not:

i.e.
Quote
ItemUseRepelCommon: ; 6005
   ld a,[W_ISINBATTLE]
   and a
   jp nz,ItemUseNotTime

   ld a,b
   ld [$d0db],a
   jp PrintItemUseTextAndRemoveItem
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on March 06, 2015, 08:34:49 pm
Quote
You can execute arbitrary code with 8F and ws m from within a battle too.

That code is working for me. But what I did not know is that the enemy Pokémon's palette doesn't change (indicating the species changed) until you use a ball or open and close the Pokémon menu so it probably worked without you knowing it.

Also ensure that your code starts at item 3 if you are using TheZZAZZGlitch's (http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586) or Pigdevil2010's (http://forums.glitchcity.info/index.php/topic,6638.msg194458.html#msg194458) item pack bootstrap codes and that you have the relevant stored Pokémon in the current box. I think I may have forgotten to do that in the past even though it may sound obvious.

I don't know if that's supposed to work correctly, since iirc items have different effects in battle.

I know that at least for one item the 'in battle' check is part of the item's execution code itself (quoted below), so I'm unsure of whether being in battle is entirely relevant, unless you use a code that depends on initial register values which may differ inside of battle from outside of battle, or a code that relies on you being in a battle or not:

i.e.
Quote
ItemUseRepelCommon: ; 6005
   ld a,[W_ISINBATTLE]
   and a
   jp nz,ItemUseNotTime

   ld a,b
   ld [$d0db],a
   jp PrintItemUseTextAndRemoveItem

Yep... It just wasn't updating the sprite/name. It works perfectly.

This is actually a wonderful way to encounter Yellow Missingno. as it doesn't ever have to load the sprite. On the other hand, if you've set up arbitrary code execution it's rather useless, as you can simply run into Fossil/Ghost form.

iirc the only use of Yellow Missingno. is to get stuff like permanent lv 255 hC4 via merging. Agatha Ultima, watch out! I can 6-0 you with hC4!!!

This is also (in my opinion) much better of a method than the Johto Guard Glitch, as it allows you to run into things that the Mew Glitch doesn't.

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on March 09, 2015, 10:01:08 am
I discovered an even shorter ws m bootstrapping code now.

You must have 11 'mons in the box, which are:
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
(Any 'mon x3)

This method results in this code:
Code: [Select]
; Initial hl = DA7F
$DA7F <- 0B    || dec bc
$DA80 <- 3A    || ld a, [hld] ; a = 0B
$DA81 <- 2E 21 || ld l, 21 ; l = 21
$DA83 <- 85    || add a, l ; a = 2C
$DA84 <- 2F    || cpl ; a = D3
$DA85 <- 67    || ld h, a ; h = D3
$DA86 <- 18 10 || jr DA97 ; pc = DA97
$DA97 <- E9    || jp [hl] ; pc = D321

Now only half as much is required compared to the old one! :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on March 09, 2015, 10:35:55 am
Awesome. Thanks for your efforts in always improving the 8F and ws m bootstrap codes, pigdevil. :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SwedishDragon on March 10, 2015, 02:13:42 am
This part:

"Sprite RAM Bug
--------------
There is a flaw in the GameBoy hardware that causes
 trash to be written to OAM RAM if the following commands
 are used while their 16-bit content is in the range
 of $FE00 to $FEFF:

  inc xx     (xx = bc,de, or hl)
  dec xx

  ldi a,(hl)
  ldd a,(hl)

  ldi (hl),a
  ldd (hl),a

 Only sprites 1 & 2 ($FE00 & $FE04) are not affected
 by these instructions."

from http://gameboy.mongenel.com/dmg/gbspec.txt seems interesting, could it be the cause for any glitches? (I indeed do not really know what I am talking about, I just wanted to note it, just in case.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: pigdevil2010 on March 10, 2015, 11:29:09 am
Quote
This part:

"Sprite RAM Bug
--------------
There is a flaw in the GameBoy hardware that causes
 trash to be written to OAM RAM if the following commands
 are used while their 16-bit content is in the range
 of $FE00 to $FEFF:

  inc xx     (xx = bc,de, or hl)
  dec xx

  ldi a,(hl)
  ldd a,(hl)

  ldi (hl),a
  ldd (hl),a

 Only sprites 1 & 2 ($FE00 & $FE04) are not affected
 by these instructions."

from http://gameboy.mongenel.com/dmg/gbspec.txt seems interesting, could it be the cause for any glitches? (I indeed do not really know what I am talking about, I just wanted to note it, just in case.)

I think it is not a cause for normal gameplay. Pokémon Gen 1+2 always access OAM by DMA transfer and never read/write the data directly from it. There is almost no chance that 16-bit registers are loaded with that data unless the game increments/decrements them so hard that they fall in that range.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SwedishDragon on March 10, 2015, 11:34:41 am
oh, ok.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Sherkel on April 01, 2015, 05:51:57 pm
I'm late to the party, but I just have to pop in and say this is mindblowingly amazing. Great work to everyone who helped discover this. I found the "Pong" injection especially amusing. :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: blahpy on April 02, 2015, 12:03:21 am
Quote
I'm late to the party, but I just have to pop in and say this is mindblowingly amazing. Great work to everyone who helped discover this. I found the "Pong" injection especially amusing. :D

Nice to see you're alive!  :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: minderr on April 26, 2015, 05:17:25 am
Hello,
I'm new here, I'm very impressed by what we can do in Pokémon, especially the Pong game.
And I think, instead of writing the code using the bag or the PC inventory (which is long and booooring to set up and code), we could write the code with the keys like in a TAS but with 4 keys only and at a human speed: 4 bits / 1.5 sec or 4 bits / 2 sec. The very limited amount of bytes possible in the bootstrap code should be a problem to include a delay. Also, I have almost no experience with asm code (except theoretically) and GB/Pokémon addresses (there is no good tutorial), so I don't really know how to write an efficient bootstrap code.
Help me, please!

edit: I think a bootstrap code isn't what I want to do, I just want to make a code that saves the asm code modifying the inventory ~_~
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Quibz on May 21, 2015, 07:49:36 pm
I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 22, 2015, 11:12:16 am
Quote
I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.

In hex this is: (0C/0D) 2B 34 C9

and in gb asm (which I helpfully commented):

Code: [Select]
inc c / dec c ; does nothing useful
dec hl ; decrease hl - it did contain a pointer to item #3 index*, it now contains a pointer to item #2 quantity
inc [hl] ; increase the memory address pointed to by hl - in this case item #2 quantity
ret

* All bootstrap code to jump to item #3 that I've seen puts <address of item #3> in hl and then does jp hl.

If you had Ice Heal x43, Burn Heal x43, Full Heal x201 it'd increase the index number of item #2.
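The three payloads discussed above (Rena's Debug Mode item list, eironeia's stat exp/DV fill loop, and Quibz's ws m quantity trick as Wack0 decoded it) can be checked without a console by tracing them on a cut-down CPU model. The Python below is an added example, not code from this thread or from any poster: it implements only the handful of SM83 opcodes those payloads use, models only the zero flag, uses the English R/B bag layout the thread states (item 3 at $D322, so item 2's quantity sits at $D321, which is what the `dec hl` lands on), and takes item indices from the thread's own listings (Lemonade = 3E, X Accuracy = 2E, Carbos = 26, Poké Ball = 04, Fresh Water = 3C, Full Heal = 34, TMxx = C8 + xx); of the two candidates Wack0 gives, Ice Heal is taken as 0D, which is an assumption. Tracing shows exactly what each list touches: Debug Mode stores one byte at $D732, the fill loop stores 0xFF at twelve consecutive box addresses, and the ws m list's only store is a single `inc (hl)` on item 2's quantity byte, which is why it is harmless.

```python
# Minimal SM83 (Game Boy CPU) tracer for the 8F / ws m payloads quoted in this
# thread. Added example, not code from the thread or any poster: it implements
# only the opcodes those payloads use and models only the zero flag. Bag layout
# is the English R/B one the thread states (item 3 at $D322); item indices are
# the ones the thread's listings imply (TMxx = C8 + xx, Ice Heal assumed 0D).

BAG_ITEM3 = 0xD322          # 8F bootstraps land here with hl = pc = $D322

ITEM_INDEX = {"Poké Ball": 0x04, "Ice Heal": 0x0D, "Carbos": 0x26,
              "X Accuracy": 0x2E, "Full Heal": 0x34, "Fresh Water": 0x3C,
              "Lemonade": 0x3E}
ITEM_INDEX.update({f"TM{n:02d}": 0xC8 + n for n in range(1, 56)})  # TM01..TM55


def items_to_bytes(items):
    """(item name, quantity) pairs -> the byte stream the CPU sees in the bag."""
    return bytes(b for name, qty in items for b in (ITEM_INDEX[name], qty & 0xFF))


class CPU:
    def __init__(self, mem):
        self.mem = dict(mem)                     # sparse 64 KiB address space
        self.a = self.b = self.c = self.h = self.l = 0
        self.pc, self.zf = 0, False

    def hl(self): return (self.h << 8) | self.l
    def set_hl(self, v): self.h, self.l = (v >> 8) & 0xFF, v & 0xFF
    def rd(self, addr): return self.mem.get(addr & 0xFFFF, 0)
    def wr(self, addr, v): self.mem[addr & 0xFFFF] = v & 0xFF

    def fetch(self):
        v = self.rd(self.pc)
        self.pc = (self.pc + 1) & 0xFFFF
        return v

    def step(self):
        """Execute one instruction; return False once RET is reached."""
        op = self.fetch()
        if op == 0x3E:   self.a = self.fetch()                            # ld a,n
        elif op == 0x26: self.h = self.fetch()                            # ld h,n
        elif op == 0x2E: self.l = self.fetch()                            # ld l,n
        elif op == 0x36: self.wr(self.hl(), self.fetch())                 # ld (hl),n
        elif op == 0x77: self.wr(self.hl(), self.a)                       # ld (hl),a
        elif op == 0x04: self.b = (self.b + 1) & 0xFF                     # inc b
        elif op == 0x0D: self.c = (self.c - 1) & 0xFF                     # dec c
        elif op == 0x2C: self.l = (self.l + 1) & 0xFF; self.zf = not self.l   # inc l
        elif op == 0x3C: self.a = (self.a + 1) & 0xFF; self.zf = not self.a   # inc a
        elif op == 0x34:                                                  # inc (hl)
            v = (self.rd(self.hl()) + 1) & 0xFF
            self.wr(self.hl(), v); self.zf = not v
        elif op == 0x2B: self.set_hl((self.hl() - 1) & 0xFFFF)            # dec hl
        elif op == 0xBD: self.zf = self.a == self.l                       # cp l
        elif op == 0x20:                                                  # jr nz,e
            off = self.fetch()               # signed, counted from the next pc
            if not self.zf:
                self.pc = (self.pc + (off - 0x100 if off > 0x7F else off)) & 0xFFFF
        elif op == 0xEA:                                                  # ld (nn),a
            lo = self.fetch(); self.wr(lo | (self.fetch() << 8), self.a)
        elif op == 0xC9: return False                                     # ret
        else:
            raise NotImplementedError(f"opcode {op:02X} at {self.pc - 1:04X}")
        return True

    def run(self, pc, hl, max_steps=10_000):
        """Run from pc with hl preset, as the bootstrap leaves them, until RET."""
        self.pc = pc
        self.set_hl(hl)
        for _ in range(max_steps):
            if not self.step():
                return self
        raise RuntimeError("payload never reached RET")


def run_payload(payload, extra_mem=None):
    """Place payload bytes at item 3 and execute them the way 8F would."""
    mem = {BAG_ITEM3 + i: b for i, b in enumerate(payload)}
    mem.update(extra_mem or {})
    return CPU(mem).run(pc=BAG_ITEM3, hl=BAG_ITEM3)


def debug_mode_flag():
    """Rena's Debug Mode item list: the value that ends up in $D732."""
    items = [("Lemonade", 3), ("X Accuracy", 50), ("Carbos", 215),
             ("Poké Ball", 119), ("Fresh Water", 201)]
    return run_payload(items_to_bytes(items)).rd(0xD732)


def filled_by_eironeia_loop():
    """Addresses that eironeia's stat exp/DV fill loop writes 0xFF to."""
    cpu = run_payload(bytes.fromhex("3EB8 26DA 2EAC 36FF 04 2C 04 BD 20F8 04 C9"))
    return sorted(a for a, v in cpu.mem.items() if a >= 0xDA00 and v == 0xFF)


def item2_quantity_after_ws_m_trick(qty_before):
    """Quibz's Ice Heal x43 / Full Heal x201 list as Wack0 read it (0D 2B 34 C9)."""
    payload = items_to_bytes([("Ice Heal", 43), ("Full Heal", 201)])
    return run_payload(payload, {BAG_ITEM3 - 1: qty_before}).rd(BAG_ITEM3 - 1)
```

Two design points: `cp l` only updates the zero flag here, while the real instruction also sets carry and half-carry, which none of these payloads read; and an opcode the model does not know raises instead of silently continuing, so a mistyped quantity surfaces as an exception rather than a plausible-looking result. The trace also makes the wrap-around visible: item 2 at x255 rolls to x0 after one use of the ws m list.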
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Quibz on May 22, 2015, 09:05:21 pm
Thanks Wack0. So it's safe to use then?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 23, 2015, 04:15:12 am
Quote
Thanks Wack0. So it's safe to use then?
Yes.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on May 25, 2015, 02:07:46 am
Hello,

I was thinking about the invalid encounter flag method to get 8F. Obviously you turn hex:4D (Good Rod) to hex:5D (8F). This method to get an item seems a little rough (especially if you can perform the cooltrainer corruption, that means you should be able to trigger item underflow which is an easier way to get an item) but it still has some interest. Does that mean you could use the cooltrainer corruption to get ANY item?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on May 25, 2015, 10:08:28 am
The Pokemon used to get 8F through Cooltrainer distort can only mutate items up to index 0x5F, or the glitch item 10F. So no, you cannot use Cooltrainer corruption to get any item.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Doom Mortal on May 25, 2015, 12:20:14 pm
Hello everyone,

First I want to thank all of you guys who contributed to that amazing discovery, especially TheZZAZZGlitch.

I'm currently trying to manipulate the move of the first Pokemon in the Box.
But it doesn't work. After using 8F the first move of the Pokemon is TM08.

I have successfully tested the GSCode to do that with an emulator.
I'm playing the German Pokemon Blue version.

Here are the GSCodes:
01|69|9E|DA English
01|69|A3|DA German

I have converted the GSCode into the pattern that Wack0 http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609 has posted.

Here is my code:
Code: [Select]
Any Item
8F
Lemonade       x105
X Accuracy     x163
Carbos         x218
Poké Ball      x119
Fresh Water    x201

What is wrong with the code?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 25, 2015, 01:32:31 pm
You're definitely using the right quantity of Lemonades?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Doom Mortal on May 25, 2015, 01:47:42 pm
Yes it is the right quantity of Lemonade.   :(
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 25, 2015, 05:04:06 pm
Quote
Yes it is the right quantity of Lemonade.   :(

That's odd.

0x69 = 0b01101001
0xD0 (identifier of TM08 move) = 0b11010000

Are you able to set a breakpoint on write to $DAA3 and then use 8F?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on May 26, 2015, 05:20:35 pm
Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: luckytyphlosion on May 26, 2015, 07:40:31 pm
Also something unrelated to the above problem: A very compact 8F bootstrap that can be achieved WITHOUT ACE!

Compact 8F Setup

Pokémon in Party:
6 Pokemon
<Anything>
Tentacool
Electabuzz
<Anything from here on>


Once you have the necessary Pokémon, do either one of the below options:

Cheating method:
Set D91C/E/F to C324D3

Not Cheating method:
* Set up the inventory like this, from the top:

Code: [Select]
Great Ball x155
TM09 x0
Antidote x195
Protein x211
Ether x80

TEXTCODE:
Code: [Select]
WRA1:D320 03 9B D1         ; repoint text to address d19b
WRA1:D323 00               ; print a string
WRA1:D324 0A C3 24 D3 ; print characters 0A, C3, 24, and D3 to address d19b. 0A does not matter.
WRA1:D328 50       ; end text printing mode
WRA1:D329 50       ; end text command mode 

* Then, acquire item underflow, either with the Dry Underflow method or the Fresh Water/Fossil Method.

* Go to Route 6.

* Swap a Repel x211 into the Text Pointer slot (Represented by TM01 x80)

* Talk to the guy talking to the girl.

* You now have a working compact 8F setup, as long as you have 6 Pokemon in the Party, and the specially crafted Tentacool and the Electabuzz are in the 2nd and 3rd slot respectively.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 27, 2015, 01:51:56 am
Quote
Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.

I posted one earlier in the thread (http://forums.glitchcity.info/index.php/topic,6638.msg192543.html#msg192543)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on May 27, 2015, 04:19:14 am
I had the same problem with my french game. See this post by Torchickens (http://forums.glitchcity.info/index.php/topic,7265.msg198432.html#msg198432) about the fact that you have to add 5 to any RAM address in european versions :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Doom Mortal on May 27, 2015, 12:00:24 pm
Sorry for that delay. I was preparing the Pokemon team and items on my PC for testing with the debugger.

But I see you were all on the right way.

I substituted Onix with Graveler and now it works.

It is weird because I tested the old constellation successfully with a MAX DV/EV item list.

Thank you very much Wack0, luckytyphlosion, Krys3000.  :D


Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on May 28, 2015, 12:49:11 pm
Happy that your problem is solved  ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Trevor on June 04, 2015, 03:07:22 am
one problem solved, next problem here  :P

Hi everybody,

I'm currently trying to obtain the 8F item using invalid encounter flags (because I have no event that takes an item away and I don't feel like playing the main story all over again...).
The problem has to do with that Ditto with the Cooltrainer attack: when trying to use the attack in game I need to click 3 times on "FIGHT" and then again 3 times to read the next "you have no moves for this attack left".
Also after a few tries the game crashes and I have to restart.

But normally, as I read, it should just do nothing; you should be able to do this as often as you want and also without crashes. Additionally you should only need to click one time on "FIGHT".

To get that Cooltrainer Ditto I just encountered a wild Pokémon, transformed into it, then switched attacks 1 and 2 and then ran away from the battle - that's it.

PS: I'm using Pokemon Blue

Thanks for help :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on June 04, 2015, 08:41:27 am
Quote
I'm currently trying to obtain the 8F Item using invlid encounter flags (because i have no event that takes an item away and I dont feel like playing the main story all over again...).

Actually you don't need an event anymore. There is a "dry" variation of the item underflow glitch, for which all you need is a stack of 255 X Special. You can get it with MissingNo. using the glitch of your choice. Moreover, if the invalid encounter flag method works, it means the cooltrainer corruption works for you, so that you can encounter a MissingNo. This invalid encounter flag method is obsolete, you should not use it.

The item underflow glitch requires you to have this:
(http://www.prama-initiative.com/RBJ/iug1.png)
French screen; Special + is X Special and the first two items are useless.

Toss the first two useless items; you will have this:
(http://www.prama-initiative.com/RBJ/iug2.png)

Toss several 255x of the first item until you only have access to two items. Toss 253 of that first X Special stack and switch items 1 and 2 twice. You should have X Special x0, like this:
(http://www.prama-initiative.com/RBJ/iug3.png)

Item underflow will be active. Now go there (near Celadon):
(http://www.prama-initiative.com/RBJ/iug4.png)

Toss 255 X Special again, and switch the remaining X Special with the Nugget in 35th position. 5 steps right, 5 steps down, 20 steps right and open the item menu to see 8F, which you can switch to a "normal" place (e.g. first place). Fly back to Celadon and buy items to fix the item menu.


If you still wanna use the invalid encounter flags, you don't need to USE the attack to trigger the corruption. Just enter/exit the FIGHT menu until it works.

Fact is, cooltrainer corruption doesn't always work; it depends on the values of some RAM addresses. You will find here (http://forums.glitchcity.info/index.php/topic,6992.msg198569.html#msg198569) TheZZAZZGlitch's methods to maximize the chances. I can tell you that the "renaming party + open unused box" method works very well.

Good luck!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Trevor on June 05, 2015, 04:10:08 pm
Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.

But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the asm code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?
Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders'? That music is more fun to listen to :P
And finally a code where you can modify the species and the level of the Pokémon you battle would also be nice (modified "CATCH 'EM ALL" SCRIPT) :)


Ported codes:
Codes for Inventory slot 2 item ID and item count modifier stay the same, because no imm. values are used.

GYM LEADER MUSIC PLAYS FOR NEXT BATTLE R/B EUROPE(NON-ENGLISH)
Use this outside of battle to make the next battle play the Gym Leader theme.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x97
TM08                 x201

ASM:
Code: [Select]
WRA1:D327 EA 61 D0         ld (d061),a
WRA1:D32A C9               ret


"CATCH 'EM ALL" SCRIPT R/B EUROPE(NON-ENGLISH)

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x36
TM11                 x4
TM34                 x94
TM08                 x201

ASM:
Code: [Select]
WRA1:D327 FA 24 D3         ld   a,(D324)
WRA1:D32A 04               inc  b
WRA1:D32B EA 5E D0         ld   (D05E),a
WRA1:D32E C9               ret 


WALK THROUGH WALLS R/B EUROPE(NON-ENGLISH)
Jump off a ledge after using 8F to walk through walls.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x25
TM15                 x201

ASM:
Code: [Select]
WRA1:D327 EA 19 D7         ld (d719),a
WRA1:D32A C9               ret


ESCAPE FROM A TRAINER BATTLE R/B EUROPE(NON-ENGLISH)
This turns 8F into an item which allows escaping from any battle, including trainer battles.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x125
TM08                 x201

ASM:
Code: [Select]
WRA1:D327 EA 7D D0         ld (d07D),a
WRA1:D32A C9               ret


CATCH OTHER TRAINER'S POKEMON R/B EUROPE(NON-ENGLISH)
Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle.
You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
TM34                 x92
TM08                 x201

ASM:
Code: [Select]
WRA1:D327 3E 01            ld a,01
WRA1:D329 EA 5C D0         ld (D05C),a
WRA1:D32C C9               ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on June 06, 2015, 12:47:28 am
Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.

I guess this is the reason why TheZZAZZGlitch wrote a warning asking for newcomers to read beyond the first post. But, yes, I think it is necessary and would be useful to add the dry underflow to this post.

But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the ASM code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?

I don't understand well what your problem is.

To create 8F codes for European versions, the only thing you need outside of the RAM Map (http://datacrystal.romhacking.net/wiki/Pokemon_Red:RAM_map) (for which you need to add 5 to every address) is a list of Game Boy opcodes (http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html). Their match with hex values is the same regardless of the game's localization. Understanding basic opcodes is not complicated, but you might find some help here (http://gameboy.mongenel.com/dmg/opcodes.html) and I have also written an article (http://www.prama-initiative.com/index.php?page=8f-code-execution#pro) about it, but it's in French.

However, you must also know that, even if it's fun to create new codes, there is a much easier way to deal with 8F: GameShark code simulation. Using it with the following items will trigger the GameShark code 01xxyyzz in European versions:

Any item
8F
Lemonade *xx
TM34 *yy
[item whose hex value is zz] *201 (=> Comprehensive big list (http://glitchcity.info/biglist.htm))

Don't forget quantities are decimal values. You must get 18 Lemonades if your xx is 12. If the zz item appears to be a glitch item, or if you need a high quantity of some item, you can use the underflow to get them (using the Celadon loop, for example). You can also simulate the GameShark code which changes the first item:

Item you want to change (eg pokeball)
8F
Lemonade *hex value of the glitch item you want to get (in decimal of course)
TM34 *17
TM11 *201

By activating 8F, you will change the first item into your glitch item. Quantity remains the same. Another solution is to use the "morphing second item" code in its european version :

8F
Item which will be changed
Burn Heal x43
Ice Heal x43
Full Heal x201

Every time you activate 8F, the second item will lose a hex, and keep its quantity. With all this, you should not be facing any problem.

Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders? that music is more fun to listen to :P

This audio track is hex:F3 of bank hex:08 according to the RAM map. If you want to use a "normal" 8F code rather than GameShark simulation, there must be a way to do it by manipulating the audio channel into those values.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 06, 2015, 08:22:26 am
how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?

The call addresses are ROM pointers that contain existing code to execute (these functions are called routines). "Call" tells the game to execute this code and return to what it was doing (e.g. if your code has call 3E62 ld a,01; the game will run the code at ROM pointer 3E62 and go back to run ld a,01 after it has finished (unless where it goes back wasn't corrupted)).

Some of the pointers for routines can be found in the Pokémon Red disassembly (https://github.com/iimarckus/pokered/blob/master/main.asm) (e.g. SetIshiharaTeam (https://www.youtube.com/watch?v=rENVogF7izQ): ; 64ca (1:64ca).

Sadly there is no consistent way to port English ROM pointers to other languages. However, because the games are similar, you can find them with the BGB debugger and a hex editor using the method I'll show below.

Let's try to find the equivalent of Red's 3E48 (give Pokémon) for German Red:

With English Red open, go on to BGB, right click on the game and choose Other>Debug. Then right click, select "Go to..." and enter 3E48.

You should get this, which is what code the give Pokémon routine is made up of.

(http://i3.minus.com/ibgOkC7BawA6ji.png)

Leave the window open because we will need to remember the numbers (like 78) next to the ASM instructions (like ld a,b).

Now, open up a hex editor such as HxD (it's freeware) for German Red and use your hex editor's search function (search>find for HxD). Choose to find hex values and enter the values that you think will be shared for the other language's routine.

Note that the values greater than in brackets may be +5 in the non-English European version, except for things in the ROM (values lower than 8000) and specific memory addresses like CD38, C0EF, C0F0 - I'm not sure of the specifics of which addresses get changed and which addresses do not get changed, it may be earlier RAM (CXXX) values.

The start of the routine has 78 EA 91 CF 79; so we can try searching for 78 EA 96 CF 79 (EA 96 CF because there is a "ld (CF91),a").

(http://i1.minus.com/iY4rwMEhnK4l1.png)

This resulted in one match which was at address 3E62.

(http://i2.minus.com/iETYma7vcV1vp.png)

If the address in the hex editor is less than 0x3FFF, you don't have to do anything with it to turn it into a pointer (*), and you don't have to use the bank switch routine.

So in TheZZAZZGlitch's alternative catch 'em all, CD 48 3E (call 3E48) must be replaced with CD 62 3E (call 3E62).

Sometimes a search may give more than one result, in which you could try checking what you think is the right routine with the most similar code in BGB debugger then test your code with S7, or you could try a search for different values.

These items from item 3 will work with the modified Pokémon set up (http://forums.glitchcity.info/index.php/topic,7265.msg198432.html#msg198432) (Graveler instead of Onix) for non-English European versions:

Schutz x(Pokémon index)
X-Tempo x14
Hyperball x64
TM05 x98
Lemonade x201

i.e. 1E xx 43 0E 02 40 CD 62 3E C9 FF

Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders? that music is more fun to listen to :P

Yes. You can do this either by calling a play music routine with the correct register values (register 'a'=tune and register 'c'=bank) or by modifying both the memory address CFCC (CFC7 in English Red) and the addresses C0EF, C0F0.

CFCC forces the game to play a tune based on the ID you choose. C0EF, C0F0 changes the music bank value (either 02, 08, 1F and 20 is used for a few tracks exclusively in Yellow).

Here are all the tune ID and bank ID values (http://pastebin.com/1epAd2aT).

I originally made a sound test program (https://www.youtube.com/watch?v=DZiMfJJT2So) using the former method. It resets the tune ID and bank ID values back to 0 after you play the tune, so you can select all other tunes afterwards by tossing the quantities.

https://www.youtube.com/watch?v=DZiMfJJT2So

The code for the English version:

Lemonade x(tune ID)
Awakening x(bank ID)
TM05 x161
HP Up x62
Ultra Ball x61
Soda Pop x5
TM34 x35
TM11 x4
Poké Ball x234
Iron x211
TM01 x(anything)

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 23 d3 04 04 ea 25 d3 c9

Code: [Select]
ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D323),a - item 3 quantity =a (00)
inc b
inc b
ld (D325),a - item 4 quantity =a (00)
ret

The only things you have to do here is check the equivalent of 23A1 (using the debugger and hex editor) and change D323/D325 to D328/D32A, and there was one situational problem.

The situational problem: 2A was represented as a Helix Fossil and it's not good to have key items with quantities over one. So I used some alternate code without key items or duplicate stacks.

Often when you want to not use a key item, you can use a one byte opcode to manipulate some registers that you aren't using for your code so that they take the place of an item (e.g. inc b is represented as a good item; a Poké Ball). This page (http://iimarck.us/etc/asmopcodes.txt) has a list of opcode IDs.

Equivalent pointer: Using the method I showed you above, it turns out that basically the same routine (ignoring memory address changes) is also at 23A1 in the German Red, so you don't have to change it.

(Note that this is not the case for every language; in the French version that routine is at 239D).

The following code will work for the German version:

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 28 d3 04 2e 2a 04 77 c9

Limonade x(tune ID)
Aufwecker x(bank ID)
TM05 x161
KP-Plus x62
Hyperball x61
Sprudel x05
TM34 x40
TM11 x04
X-Treffer x42
PokéBall x119
TM01 x(any)

Code: [Select]
ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D328),a - item 3 quantity =a (00)
inc b
ld l,2A  - hl=D32A
inc b
ld (hl),a - item 4 quantity =a (00)
ret

So to play Champion music for example, this (http://pastebin.com/1epAd2aT) tells us the bank ID is 08 and the tune ID is $F3; hence you'd need Limonade x243 (hex:F3) and Aufwecker x8.

And finally a code where you can modify the species and the level of the Pokemon you battle would be also nice (modified "CATCH 'EM ALL" SCRIPT) :)

I was working on one but found it hard to get good items for execution, I'm afraid. I may come back to this another time, or maybe TheZZAZZGlitch can help. Sorry.


(*): About banks - the give Pokémon function does not require a bank switch (and knowledge of how to convert a Game Boy offset into a pointer):

If the address in the hex editor is greater than $3FFF, it has something called a bank (greater than 0); and our pointer (call/jump value) is no longer necessarily the same as a hex editor address (offset).

The game can run from "bank 0" (pointers $0000-3FFF e.g. "give Pokémon") all of the time, but not data from other banks without the game changing banks (in games that support it, Pokémon included) if it is currently on the wrong bank.

The bank is this address divided by $4000, rounded down to the nearest whole number. For example, offset $0F807A contains code that will run Pikachu's Beach in Yellow. $0F807A/$4000 rounded down equals 3E, so the bank is 3E.

If you wanted to run the code at $0F807A, you would have to make the game change banks before running it because the game won't be running on bank 3E when ws m is used.

The 3E is the first byte of a three byte pointer (3E:XXXX). There are two other bytes to the pointer (XXXX) and this represents the pointer you will call, like how we call 3E48 (3E62 on German version) for the give Pokémon function.

To work out bytes 2 and 3 of the pointer, you can do Offset-(0x4000*Bank)+0x4000; so for Pikachu's Beach: ($F807A-$F8000)+$4000; which is $407A.

Or you can use a pointer calculator (https://mega.co.nz/#!1w0nlRZb!iFkbg_WvtY_ia8PvcAxPLkzDR4RWfTeHhutBlHsgoQc) (note that this tells you the second and third bytes the wrong way round; 3E7A40 instead of 3E407A, so you have to remember to swap them for execution).

To execute Pikachu's Beach (which we found has the pointer 3E407A), there is a routine to change ROM banks and jump to an address (the routine for each language can be found here (http://hax.iimarck.us/viewtopic.php?id=4007) thanks to Wack0 - in German Yellow it's $3E89).

Register purposes for this routine:
c=Bank
h=Pointer byte 2
l=Pointer byte 3

So you need to set c to 3E, h to 40, l to 7A then do a call $3E89. This would execute Pikachu's Beach.

(Wack0's German Pikachu's Beach code (http://forums.glitchcity.info/index.php/topic,6638.msg192600.html#msg192600) does this)

If you want to turn a three byte pointer back into an offset, you can do:
romAddress = (bankNumber * 0x4000) + (twoBytePointer - 0x4000)
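The bank and pointer arithmetic in the post above, as an added example (this is not Evie's, Wack0's or the linked pointer calculator's code). It converts a ROM file offset to a bank:pointer pair and back, prints the three-byte "3E407A" form, and emits the ld c / ld h / ld l / call sequence for the switch-and-jump routine. The routine's address is a parameter because it differs per version (the post gives $3E89 for German Yellow); the checks that it and any directly called routine sit in bank 0 are this example's own sanity checks.

```python
# Added example for this thread; not Evie's, Wack0's or the pointer calculator's code.
# Implements the offset <-> bank:pointer arithmetic from the post above and emits
# the register set-up for the switch-and-jump routine. The routine's address is a
# parameter because it differs per version; the post gives $3E89 for German Yellow.

BANK_SIZE = 0x4000


def offset_to_pointer(offset):
    """ROM file offset -> (bank, pointer). Bank 0 is mapped at 0000-3FFF as-is;
    every other bank is visible at 4000-7FFF once switched in."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    bank, within = divmod(offset, BANK_SIZE)
    return bank, within + (BANK_SIZE if bank else 0)


def pointer_to_offset(bank, pointer):
    """Inverse of offset_to_pointer: bank*0x4000 + (pointer - 0x4000) for bank > 0."""
    if bank == 0:
        if not 0 <= pointer < BANK_SIZE:
            raise ValueError("bank 0 pointers are 0000-3FFF")
        return pointer
    if not BANK_SIZE <= pointer < 2 * BANK_SIZE:
        raise ValueError("switchable-bank pointers are 4000-7FFF")
    return bank * BANK_SIZE + (pointer - BANK_SIZE)


def three_byte_pointer(bank, pointer):
    """'3E407A'-style notation (bank, then the pointer high byte first). The pointer
    calculator linked in the post prints the two pointer bytes the other way round."""
    return f"{bank:02X}{pointer:04X}"


def direct_call_bytes(pointer):
    """call nn for a bank-0 routine (e.g. give Pokemon at 3E48 / 3E62); refuses banked pointers."""
    if not 0 <= pointer < BANK_SIZE:
        raise ValueError("not in bank 0: the game must switch banks first, use banked_call_bytes")
    return bytes([0xCD, pointer & 0xFF, pointer >> 8])  # 16-bit operand is stored low byte first


def banked_call_bytes(bank, pointer, switch_routine):
    """ld c,bank / ld h,hi / ld l,lo / call switch_routine, per the register purposes
    in the post (c=bank, h=pointer byte 2, l=pointer byte 3)."""
    if not 0 < bank <= 0xFF or not BANK_SIZE <= pointer < 2 * BANK_SIZE:
        raise ValueError("need bank 1..FF and a pointer in 4000-7FFF")
    if not 0 <= switch_routine < BANK_SIZE:
        # Sanity check of this example: code in RAM can only reach the switch routine
        # without switching if the routine itself is in bank 0 ($3E89 is).
        raise ValueError("the switch routine must live in bank 0")
    return bytes([0x0E, bank, 0x26, pointer >> 8, 0x2E, pointer & 0xFF,
                  0xCD, switch_routine & 0xFF, switch_routine >> 8])


def call_stub_for_offset(offset, switch_routine):
    """Pick the right call sequence for a ROM offset: plain call in bank 0, banked form otherwise."""
    bank, pointer = offset_to_pointer(offset)
    if bank == 0:
        return direct_call_bytes(pointer)
    return banked_call_bytes(bank, pointer, switch_routine)
```

For Pikachu's Beach at offset $0F807A, `call_stub_for_offset(0xF807A, 0x3E89)` gives 0E 3E 26 40 2E 7A CD 89 3E; pairing those bytes into item ID/quantity stacks is then the same job as for any other 8F code.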
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Shina69 on August 14, 2015, 01:10:52 pm
Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks in the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies... a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but... there's one thing that wasn't forgotten: I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_ゥ-_xゥ to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_ゥ-_xゥ on Pokémon Yellow European Version (English)? (I believe this is the proper version; I'm from Portugal and I will try to find that old box!)

Not sure if this is the proper topic to send my request to, but I'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on August 14, 2015, 02:48:59 pm
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Shina69 on August 14, 2015, 04:36:54 pm
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.

Oh, I also tried that, forgot to mention.
Managed to make Ditto Swords Dance 3 times and actually got a L:13 one, but the move was still there.
Some other guy got the same results, as I read in a YouTube video comment; that's why I ran out of options :'(
(By the way, Flash is the 2nd move on the Fight list, if it helps.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Misero on August 17, 2015, 12:42:06 pm
Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on August 21, 2015, 12:06:31 pm
Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.

Here are save files that have 8F and ws m set up with code to get Mew upon using 8F/ws m and closing the menu.

English Red: https://mega.nz/#!8hF1XDiR!M-397Ob3EDtPlOHW3XUSO52FArph3Ork8Y_YXrJ45nQ
English Yellow: https://mega.nz/#!d8sGjZLT!yp1oMA5zGHOxI91I3qgweYZkY1Y6CzL2-m-MrxpSeyY

If you want to change the code the game ends up running after the Pokémon set ups (certain party Pokémon in Red/Blue, certain stored Pokémon in Yellow) you can edit D322 (Red/Blue) or D321 (Yellow) and onward, which represent the item 3 identifier and onward.

Edit: Here is a save file for Japanese Green to get Mew with 5かい (with kattempla/pokebug's party Pokémon set up) or てへ.

If you want to get it with てへ you have to watch the old man's demonstration first.

The set ups have the code beginning at item 2 (D2A4). The Pokémon redirect the program counter to item 2 for use with 5かい. The name アてヨめ (after watching the old man's demonstration) redirects the program counter to item 2 (D2A4) for use with てへ.

https://mega.nz/#!NtMjQYBJ!K8KFbfuo7jI0638BuJIxWm1GsjozVX2iDu1nYRu7GEg
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on August 21, 2015, 01:59:46 pm
Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks in the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies... a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but... there's one thing that wasn't forgotten: I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_ゥ-_xゥ to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_ゥ-_xゥ on Pokémon Yellow European Version (English)? (I believe this is the proper version; I'm from Portugal and I will try to find that old box!)

Not sure if this is the proper topic to send my request to, but I'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock!

Sure. We can remove it with ws m!

The following items from item 3 will replace move 1 of Pokémon 1 with a move of your choice:

Lemonade x(move ID)
TM34 x114
TM09 x201

As code:

Code: [Select]
ld a,xx
ld (D172),a
ret

As bytes:

Code: [Select]
3E xx
EA 72 D1
C9

If you want to port this to Red/Blue, replace TM34 x114 with TM34 x115.

To execute the code, you can get the items and use ws m (obtainable with dry underflow (https://www.youtube.com/watch?v=ZyppANEvnh8) and the looping map trick (https://www.youtube.com/watch?v=98_azamLeh4)) with relevant stored Pokémon (example (http://forums.glitchcity.info/index.php/topic,6638.msg194861.html#msg194861)), or another means of arbitrary code. For example, replacing item 41 with Iron x 211 will make the game execute your code from item 5 in Yellow and does not require specific Pokémon.

Another non arbitrary code execution approach to getting X ゥ- xゥ without Flash is by using the remaining HP glitch with a remaining HP of 196, if you can get Q (and this glitch only works if box 1 has never been filled completely). Since this glitch uses catch rate as an FF, data below it like moves are not affected during the data shift backs from each time you withdraw a Pokémon after the terminator is removed (step 6 in the video below and beyond).

This means you can have a Pokémon with the moves you want, then turn it into X ゥ- xゥ and have the moves unchanged.

https://www.youtube.com/watch?v=9l1nuTS3VI0
(click video)

If you can obtain a PokéWTrainer in Pokémon Red (it unfortunately freezes the game on the opponent's side however), then you may be able to trade it to Yellow to become a X ゥ- xゥ without Flash.

In theory, we might be able to get a level 255 X ゥ- xゥ with the overworld Pokémon catch trick (https://www.youtube.com/watch?v=7klMjrBPLkU) in a Glitch City, or some -gm trickery (https://www.youtube.com/watch?v=HwnymX80ZMc), and theoretically, it would appear with moves without Flash.

Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.
Oh, I also tried that, forgot to mention.
Managed to make Ditto Swords Dance 3 times and actually got a L:13 one, but the move was still there.
Some other guy got the same results, as I read in a YouTube video comment; that's why I ran out of options :'(
(By the way, Flash is the 2nd move on the Fight list, if it helps.)

Yes, catching one at level 13 did not result in X ゥ- xゥ having Flash for me either. All X ゥ- xゥ level 1 through to level 13 had Flash. For reference, Flash is one of X ゥ- xゥ's starting moves, not just a move learned at a low level, which means it always has it at the lowest level and cannot learn it through level up (unless Flash appears in the level up database as well).

For some reason, in the event that you catch  X ゥ- xゥ at level 255 it will not know Flash. Instead it will know Mega Punch, Tail Whip, Scratch, Disable. According to the Bulbapedia article, Mega Punch, Scratch and Disable are among its last learnable moves, though for whatever reason, Tail Whip isn't one of the last ones. Note that the learned moves list on Bulbapedia has at least one error. At level 1 X ゥ- xゥ will try to learn the arbitrarily named hex:00 move (which is the CoolTrainer[F] type in Red/Blue and supports move selection corruption too in Yellow) if you somehow raise X ゥ- xゥ to that level.

I have some text databases (https://mega.nz/#!o0EXjRYT!Rek3kWUe0etpZgh6NMMmnFE5aL5ebnvT0ueR75JIQKk) with data extracted from the ROMs from various users including a level up database by Echinodermata. Unfortunately there seems to be an error because they note X ゥ- xゥ as learning no moves which isn't true (even though much of the data is correct).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Searinox on August 22, 2015, 05:02:58 am
Does anyone know any GameShark code for changing the moves of Pokémon IN THE BOX? There are GameShark codes for changing party Pokémon moves that I wanted to try to convert to code execution using Chickasaurus' post (http://forums.glitchcity.info/index.php/topic,6638.msg189536.html#msg189536) info, but all I can find is codes for the party, not the box, which is useless since we're forced to use a full predefined party for the bootstrap.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on August 23, 2015, 08:37:24 am
To build a Gameshark code, the only thing you need is a ram map (http://datacrystal.romhacking.net/wiki/Pokemon_Red:RAM_map). This gives you the RAM addresses you need to deal with. In your case, RAM addresses for the moves of the first Pokémon in the active box are DA9E to DAA1.

That means you can modify this using the gameshark codes 01xx9EDA to 01xxA1DA with xx being the hex value of the wanted move  ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Searinox on August 23, 2015, 12:21:36 pm
I managed this on my own albeit with some problems at first.

Firstly Chickasaurus' post I linked in my previous post didn't work for me. Second, it requires a different item ID for each move which is slightly clunky. At first I had the idea of perhaps attempting a .j as a NOP to bring ID parity back and execute the instruction back in item amount instead of ID, but realised I was getting in way over my head since I would have to then figure out how to redirect to the address with another item and do not fully understand ASM instructions.

I then went to try and find the memory address with VBA's cheat maker. For reasons completely beyond me the cheat searcher finds the address CA9E as the location instead of DA9E, and obviously the cheat doesn't work. Why this is so baffles me. I'm using a modded VBA called VBA-M, svn926. I'm not sure if it's got a bug with memory offset representation but it lead me to a dead end.

Finally I found the RAM layout, but on Bulbapedia. Now I had the correct address, tested the GS code made with it and it worked (why do GS codes have the last 2 bytes reversed, 01xxB2B1, from how they are in RAM? DA9E editing requires the code to be written as 01xx9EDA, but anyways I digress...). Now I needed a way to get the code converted into 8F item representation and like I said, I had failed with Chickasaurus' post.

FINALLY I found your wiki (http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Gameshark-like_code) which worked to convert the code into ACE!

You were mentioning earlier that you were trying to get Flash off some glitch Pokemon... well this may help.

Long story short...

Quote
Have the Pokemon to be altered be the first one in the PC. Have its move to be altered be put in first slot.
Code: [Select]
8F
<any item>
X Accuracy x158 (changing this from 158 for first move to 161 for 4th move SHOULD change the move that's altered, though I have ONLY tested with the first move!)
Carbos x218
Max Revive x<MOVE ID>
Poke Ball x201
Where move ID obviously corresponds to the move's ID (http://www.psypokes.com/rby/codeviewer.php?page=attacks).
This will change the first move of the first Pokemon in your active box.

This also makes it possible to put glitch moves not previously obtainable on Pokemon, or contrary, remove dangerous Super Glitch moves from Pokemon without having to stand on some obscure tile in Celadon City's residence. :D

You are going to end up doing a lot of Pokémon box swapping but also potential move swapping. If you need to get into battles to swap moves without entering an area that will load field data into Cinnabar (for item duping), I've found it feasible to teach Tentacool Surf and put the Pokémon to alter first in the party while Surfing the east coast for item duplication, so you don't have to deposit your whole bootstrap party. Even in the default setup, with the Poké Ball being in the 6th slot, it's unaffected by potential 'M/Missingno. encounters as 201 doesn't roll in any way since the first bit is already 1, so it doesn't mess up the ret. Keeps things simple.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on August 24, 2015, 02:13:13 pm
Does anyone know any GameShark code for changing the moves of Pokémon IN THE BOX? There are GameShark codes for changing party Pokémon moves that I wanted to try to convert to code execution using Chickasaurus' post (http://forums.glitchcity.info/index.php/topic,6638.msg189536.html#msg189536) info, but all I can find is codes for the party, not the box, which is useless since we're forced to use a full predefined party for the bootstrap.

Damn. I overlooked that we wouldn't be able to use the code (http://forums.glitchcity.info/index.php/topic,6638.msg198914.html#msg198914) in Red/Blue (with x115 instead of x114) because of 8F requiring specific party Pokémon (unless you wanted to change your Pidgey, Onix etc's moves). The code works in Yellow, but I didn't think about the party Pokémon problem for Red/Blue, sorry.

The code I made works in Pokémon Yellow with ws m because that requires specific stored Pokémon; so in Yellow you can manipulate the moves of party Pokémon.

The glitch item -g m (hex:6A) (http://forums.glitchcity.info/index.php/topic,6638.msg196498.html#msg196498) in Red/Blue can be used with a stored Pokémon bootstrap code akin to Pokémon Yellow's, provided there aren't bad values in Safari Balls or Day Care (if you have ever deposited a Pokémon in the Day Care this may not be an option, as values stay even after withdrawing). Hence that can be used to alter party Pokémon moves in Red/Blue.

If you cannot find a memory address on DataCrystal, another good two places are the GameShark codes archive (http://glitchcity.info/wiki/index.php/Pok%C3%A9mon_Red,_Blue_and_Yellow_GameShark_codes) (as you know, if you reverse the order of the last two bytes you will get the memory address, e.g. 01??81DA 01??96DA means modify DA81 and DA96) as well as Pokémon Red disassembly (https://github.com/iimarckus/pokered/blob/master/wram.asm).


Firstly Chickasaurus' post I linked in my previous post didn't work for me. Second, it requires a different item ID for each move which is slightly clunky. At first I had the idea of perhaps attempting a .j as a NOP to bring ID parity back and execute the instruction back in item amount instead of ID, but realised I was getting in way over my head since I would have to then figure out how to redirect to the address with another item and do not fully understand ASM instructions.

I'm not sure if you did something wrong if it requires a different item ID. You could use that skeleton to create this code to change stored Pokémon 1:

3E xx
EA 9E DA
C9

Lemonade x(move)
TM34 x158 (or 159 for changing move 2, 160 for move 3, 161 for move 4)
TM18 x201

There may be confusion because the endianness is different for this method (9EDA instead of DA9E) compared to using the h and l registers (DA in h, 9E in l).

I then went to try and find the memory address with VBA's cheat maker. For reasons completely beyond me the cheat searcher finds the address CA9E as the location instead of DA9E, and obviously the cheat doesn't work. Why this is so baffles me. I'm using a modded VBA called VBA-M, svn926. I'm not sure if it's got a bug with memory offset representation but it lead me to a dead end.
Yeah, it is a bug. When you see a CXXX address in cheat searcher, make sure to try it as DXXX as well.

Have the Pokemon to be altered be the first one in the PC. Have its move to be altered be put in first slot.
Code: [Select]
8F
<any item>
X Accuracy x158 (changing this from 158 for first move to 161 for 4th move SHOULD change the move that's altered, though I have ONLY tested with the first move!)
Carbos x218
Max Revive x<MOVE ID>
Poke Ball x201
Where move ID obviously corresponds to the move's ID (http://www.psypokes.com/rby/codeviewer.php?page=attacks).
This will change the first move of the first Pokemon in your active box.

Congratulations on doing this yourself! I see you used l and h. Your code is a little more flexible than the earlier skeleton Wack0 posted for built in GameShark if used as:

X Accuracy x(address byte 2 e.g. 9E)
Carbos x(address byte 1 e.g. DA)
Max Revive x<MOVE ID>
Poke Ball x201

Because the value (move ID) and both address bytes depend on the quantity - you can access every quantity easily (plus 00 if you got the X Accuracy with item underflow because you can have y-block values (following x coordinate) of 00), though you can't edit 00XX as it is in ROM (though you could 'write' 0A to 0000 0A as that opens up SRAM (A000+) for write access, I'm not sure how that works exactly).

Plus, it's a bit messy, but we can use this altered code to set every quantity from item 3-5 to 0 (256, you can toss to get 1-255) upon use if you can force extra stacks of X Accuracy and Carbos and get two Water Stone stacks (by withdrawing two stacks of 99). This lets us change multiple addresses (even if you require a greater quantity) with multiple 8F uses.

X Accuracy x(address byte 2 e.g. 9E)
Carbos x(address byte 1 e.g. DA)
Max Revive x<MOVE ID>
Carbos x211
X Accuracy x35
Soda Pop x175
Water Stone x44
Poké Ball x34
Great Ball x44
Water Stone (or PP Up if you don't want two Water Stone stacks) x201

ASM for the footer (set item 3-5 quantities to 0):

Code:
ld h,D3
ld l,23
dec a
xor a
ldi (hl),a
inc l
inc b
ldi (hl),a
inc bc
inc l
ldd (hl),a
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Searinox on August 24, 2015, 03:36:24 pm
Open up SRAM for write access? That sounds quite dangerous. I can do that with these instructions? Yikes. I don't wanna write to my save file!

Yes I have deposited Pokemon in daycare before. Then again we can make a code to blank out the daycare memory area right? A bit bothersome however, because I use the daycare to stabilize some glitch Pokemon.

Thanks for confirming the VBA Gameshark bug. I'll be updating VBA-M when I have time. Have you run into this before or is it strictly on my emulator build?

Why use code to underflow items to x0? Can't we just create a stack of x255, clone it by tossing something, then toss x254 out of one stack to bring it down to x1 and swap it with the other x255 to merge them into a single x0 stack? Am I misunderstanding?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on August 24, 2015, 04:47:35 pm
Open up SRAM for write access? That sounds quite dangerous. I can do that with these instructions? Yikes. I don't wanna write to my save file!

You do not have to. It is only if you do a 0A write to 0000 and then modify the code to write to a SRAM address of your choice. (These instructions won't have any unexpected side effects). With the old skeleton, you could use the start of it to write to 0000 too, it just required a hex:00 glitch item.

If you are careful, writing to SRAM can be useful because you can choose to write custom Hall of Fame entries.

Yes I have deposited Pokemon in daycare before. Then again we can make a code to blank out the daycare memory area right? A bit bothersome however, because I use the daycare to stabilize some glitch Pokemon.

Yes. You could use a program that alters itself (by means of increasing a quantity, etc.) modifying DA47 (number of Safari Balls) the first use, then DA48 (part of the Day Care the second use) and so on.

Alternatively, you could use the FillMemory (call 36E0) function. First you'd need to set 'a' as 00, bc as how many bytes to fill (DA80-DA47=39h) and hl as DA80. That might be a harder program to write and get reasonable items with.

Thanks for confirming the VBA Gameshark bug. I'll be updating VBA-M when I have time. Have you run into this before or is it strictly on my emulator build?

You're welcome. I've had it on my build too, which is VBA v24 svn422. I do not know if it has been fixed. Yes.

Why use code to underflow items to x0? Can't we just create a stack of x255, clone it by tossing something, then toss x254 out of one stack to bring it down to x1 and swap it with the other x255 to merge them into a single x0 stack? Am I misunderstanding?

Actually yes. You can do that. It would decrease your number of items each time, but if you're not going to use 8F 255 times, that's not such a problem.

My intention is if you want to easily make multiple memory modifications later, even ones that require a higher quantity. Say you edited DA9E; so you toss your X Accuracy until you have 158 but later decided you wanted to edit DA9F too (x159). But you couldn't create an extra X Accuracy (buying won't add to the stack, the game will try to split the stacks in 99s max) without another duplication or generation - so by setting the quantity back to 0, we could toss 97 to get 159.

(Note, you could of course get 159 first and use 8F and then get 158 and not have to increase the quantity - but if you decided later you wanted to get 160 you'd be 'stuck')

If you can get the right items, the extended code is a straightforward and fast way that is more reliable, for the purpose of making many different modifications not restricted by quantity reducing, but it's not essential (you could do the x255 stack glitch to stockpile x255 items, or repeat item duplication, or fix your item pack then do item underflow again and item generation again).

Thinking about how you could do it with item stack glitch...

If you modified move 1 first but then later wanted to modify move 2 you could bring:

8F
(item)
X Accuracy x255
Max Revive x<MOVE ID>
Poke Ball x201
Carbos x(address byte 1 e.g. DA)
(...249 items)

1) Create an extra X Accuracy x255 in slot 2 by tossing the second item.
2) Get X Accuracy x158 in slot 3 and use 8F.
3) Put the X Accuracy x158 in slot 1. (not slot 2, as to avoid an item merge)
4) Put the X Accuracy x255 in slot 3.
5) Put the X Accuracy x158 in slot 2.
6) Toss the X Accuracy x158 to get an extra x255 and set up the list as above but with X Accuracy x159 instead.

..Repeat steps 2-6 with quantities of your choice for further modifications.

There may be a way that is logistically better.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on August 25, 2015, 06:51:41 am
why do GS codes have 01xxB2B1 last 2 bytes reversed from how they are in RAM?

Because endianness. The Game Boy and GBC use little-endian.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Searinox on August 26, 2015, 04:41:01 am
This is becoming too fun. Wheeeeeeeeeeee!

Perfect DVs for first Pokemon in active box:
Code:
8F
<any item>
X Accuracy x178(speed, special, half of hp), then again with 177(attack, defense, the other half of hp)
Carbos x218
Max Revive x255
Poke Ball x201

Tell me, the following code below can work right?

Code:
8F
<any item>
X Accuracy x178
Carbos x218
Max Revive x255
X Accuracy x177
Carbos x218
Max Revive x255
Poke Ball x201

To do it in one go.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on August 29, 2015, 02:12:58 pm
Yep! That will work.

Your code is like this.

Code:
ld l, B2
ld h, DA
ld (hl),FF
ld l, B1
ld h, DA
ld (hl),FF
inc b
ret

We can shorten it a little if we turn it into this:

Code:
ld l, B2
ld h, DA
ld a,FF
ldd (hl),a
ldi (hl),a
ret

Code:
2E B2 26 DA 3E FF 32 22 C9

As items, this is:
8F
(any item) x (any quantity)
X Accuracy x178
Carbos x218
Lemonade x255
PP Up x34
TM01 x(anything)

Note that if you don't want to use a PP Up, you can use this alternative which has all items you can buy from shops other than 8F. It is the same as the code above but has inc b (Poké Ball, 04) above ldd (hl),a (PP Up, 32) so that what was the PP Up is now expressed as a quantity (hex:32, or 50 in decimal).

8F
(any item) x (any quantity)
X Accuracy x178
Carbos x218
Lemonade x255
Poke Ball x50
Water Stone x201

In this code we store FF into the a register for use later. Ldd (hl),a writes the value of 'a' (FF) into DAB2, and then decrements the hl value to DAB1. Then we can use another ld (hl),a (I chose ldi (hl),a because it represents a good item) to write FF into DAB1.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Searinox on September 01, 2015, 06:41:15 am
How can this be converted easily into a way to write a given value from address X to address X+Y? As in, write a value to a total of Y addresses starting from X?

This one in particular benefits since it would be nice to write FF to all 8 bytes consecutively without filling the inventory ridiculously. This one is for Stat EXP./EVs of first pokemon in active box.
Code:
8F
<any item>
X Accuracy x175(Special), 173(Speed), 171(Defense), 169(Attack), 167(HP)
Carbos x218
Max Revive x255
Poke Ball x201
2nd byte doesn't matter, 65280 is enough for all 63 stat points at level 100.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 15, 2015, 02:00:36 pm
Hello everyone,

If you guys haven't seen it yet, I document in this thread (http://forums.glitchcity.info/index.php/topic,7353.0.html) a new method to trigger an underflow which does not require you to encounter MissingNo. It's called "partial PC underflow" and is inspired by a work TheZZAZZGlitch did a few months ago.

I don't know if we can say that it's an easier way, but it's very useful if you can't do the old man trick (e.g. playing in yellow), the ditto trick (e.g. no available trainer) and the cooltrainer trick (corruption not working).

Also this method allows you to get many glitch items, including ws'||lm||, without triggering the underflow so this is even quicker :)

It might be worth mentioning in the first post, it's up to you.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on September 16, 2015, 09:43:50 am
I've been trying to do a bit of this myself recently, learning up on Gameboy code and the like, and I tried to write a script and (as assumed) it failed massively.

It seems to freeze (not crash, meaning I think I've got the right Pokémon in my box (and yes, I'm using ws m)) whenever I use the item, so I thought it might not be terminated correctly.

I was using the Pokémon arrangement as stated on the GCL page, and started the code at my 3rd item.

So, if I'm correct, is there any way I can make a blank script which simply terminates the moment it gets to my item pack? As in, what item should I put as my third to end the script?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 16, 2015, 11:01:35 am
What you are searching for is a ret instruction. Your third item needs to be CT01 (any quantity) if you want to make this blank script.

Depending on the instructions on your code, you always have to finish your items with CT01 or an item in quantity 201 to terminate the code.

If you could speak French, I could advise you ISSOtm's GBZ80 to items compiler (http://prama-initiative.com/8F) which makes things easier, but I don't think he plans an English version for now  :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on September 16, 2015, 12:47:42 pm
Ahhh looking at the big list this makes sense now. This converter (http://gskartwii.arkku.net/optohex) that someone posted doesn't seem to use the right items. I'll do my own work instead of being lazy this time! Thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on September 16, 2015, 03:05:31 pm
Wait, so if I have my item pack set as follows:

Bicycle
ws m
TM01  x01

It should just do nothing right? The menu should close and I can continue on my merry way? Because if so, I'm still getting the freeze. I'm sure I've got the Pokémon box set up correctly :/

[Edit]: Nevermind! My ineptitude strikes again, the Seel has to have 233 HP not 255

[Edit 2]: Aaaand I'm still getting the freeze >.<
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 16, 2015, 03:40:17 pm
Hello again,

Hmm I don't use that setup because I'm playing a French version. I need to check where the problem is. It's late here now, so give me some time and I'll work on this tomorrow :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 17, 2015, 02:00:30 am
Now that I think about it, The G-Meister, I'm actually using this setup:

http://forums.glitchcity.info/index.php/topic,6638.msg194861.html#msg194861

with the slight modification that in European non-English games, you have to replace Growlithe with Kadabra.

So I can guarantee you that if you have this in your active box, it will jump to the third item. Then if you have a working code here, things should be OK  :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on September 17, 2015, 09:48:37 am
Ah thanks, I'll go try that one.

So in case I'm not alone, can anyone else try the Pokémon box setup for ws m on the GCL page (http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29)? Seeing as I'm on console, I've got no emulator issues, and just to make sure I'm not being dumb (again), but I think it might not work :/
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on September 18, 2015, 01:50:54 pm
Dang! So I got the code working finally, and even though IssoTM's coder is French, you only need to be able to 1. understand the code itself, and 2. know translations of the items (a lot of which are similar to the English as well).

It seems that even if we modify the "Bike speed" byte, we STILL can't cycle indoors... It seems Ash abides by the rules even when he's not told to >.<

Aside from that, you can use this code to get onto/off of a bicycle without changing the music, so if you feel like you're getting bored of the bike music, you can just use the first code to get on your bike and keep the music of the area you're in! I'm sure there's much better ways of changing the soundtrack if you're that preoccupied about it though. The amusing side effect is, when you go into a different area, the music has an abrupt key change as it fades out... but that's about it ;-;

In case anyone feels like compacting this worthless dump, don't bother, seeing as it's completely useless... as of yet, anyway.

Anyway, code:

Get OFF your bike, without music change (ws m)

Code:
ld a, $02
ld ($D6FF), a
ret

3E 02 EA FF D6 C9

Lemonade x2 (technically this can be anything that isn't 1)
TM34 x255
TM14 x201

Get ON your bike, without music change (ws m)

Code:
ld a, $01
ld ($D6FF), a
ret

3E 01 EA FF D6 C9

Lemonade x1
TM34 x255
TM14 x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 19, 2015, 06:56:54 am
Dang! So I got the code working finally, and even though IssoTM's coder is French, you only need to be able to 1. understand the code itself, and 2. know translations of the items (a lot of which are similar to the English as well).
Wow, finally some feedback! (I thought nobody other than me used it :P)
Well, you just motivated me to release an English version. Okay, I'll get into it.
/me begins working...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on October 09, 2015, 03:03:43 pm
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335? And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SatoMew on October 09, 2015, 03:13:22 pm
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335? And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.

0x0F35 = 3893. It's probably just garbled text, though.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on October 09, 2015, 03:56:37 pm
I already had F35 values when I used gameshark codes to put FF FF in a stat. If that is what you did then it probably equals 65 535, in fact  :P

But why doesn't it make your Pokémon a real bad ass? I'm not sure about how this works. Maybe you have to change Exp. Stats too?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on October 09, 2015, 03:59:13 pm
0x0F35 = 3893

What I meant was the "F" was displayed as an "F" in game, as well as the "35" after it. I interpreted that as decimal 133 as the hex list takes the "F" RBY character as 133

I already had F35 values when I used gameshark codes to put FF FF in a stat. If that is what you did then it probably equals 65 535, in fact  :P

But why doesn't it make your Pokémon a real bad ass? I'm not sure about how this works. Maybe you have to change Exp. Stats too?

Yeah that's exactly what I did.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Háčky on October 09, 2015, 04:18:32 pm
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335?
No, it’s 65535. “F” is tile number 133, but that doesn’t mean it represents the number 133. To display a digit, the game starts counting from “0”, which is tile 246. After the digit “9” (character code 255), it reaches the end of the table and wraps around, so tile 0 represents the digit 10. The letter “F” would be used for the digit 143 (10 + 133), but since there are only 256 tiles, it can also represent a digit 399 (10 + 256 + 133) or, in your case, 655 (10 + 256 + 256 + 133).

And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.
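A worked model of the digit printing described in the reply above, added here as an example and not something posted in the thread. It assumes the stat is printed into a three-digit field by repeated subtraction of 100, 10 and 1, with the tile id advanced from "0" (0xF6) once per subtraction and wrapping at 256; that reading of the post is mine.

```python
# Added example (not from the thread): why a stat stored as FF FF shows up
# as "F35" on screen, following Háčky's explanation of tile wrap-around.
# Assumption (mine): the printer fills a fixed 3-digit field, finding each
# digit by repeated subtraction of 100, 10 and 1 and advancing the tile id
# from "0" (0xF6) once per subtraction, with the tile id wrapping at 256.

ZERO_TILE = 0xF6                                          # tile of the digit "0", per the post
TILE_NAMES = {ZERO_TILE + d: str(d) for d in range(10)}   # 0xF6..0xFF are "0".."9"
TILE_NAMES[133] = "F"                                     # tile 133 is the letter "F", per the post


def digit_tiles(value, width=3):
    """Tile ids the printer emits for `value` in a field of `width` digits.

    Each digit is a subtraction count; the count is added to ZERO_TILE and
    only the low byte survives, so counts of 10 or more alias onto other tiles.
    """
    tiles = []
    for i in range(width):
        power = 10 ** (width - 1 - i)
        count = 0
        while value >= power:
            value -= power
            count += 1
        tiles.append((ZERO_TILE + count) & 0xFF)
    return tiles


def render(value, width=3):
    """Human-readable form of the printed field; '?' for tiles not named here."""
    return "".join(TILE_NAMES.get(t, "?") for t in digit_tiles(value, width))


def digit_candidates(tile, max_count):
    """Every subtraction count up to max_count that lands on `tile`.

    This is the ambiguity in the post: "F" could be digit 143, 399 or 655.
    """
    return [n for n in range(max_count + 1) if (ZERO_TILE + n) & 0xFF == tile]


if __name__ == "__main__":
    print(render(65535))                 # F35
    print(digit_candidates(133, 655))    # [143, 399, 655]
```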
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on October 09, 2015, 05:04:03 pm
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.

Aaaaaah of course. I remember now that when I reduced the stat I was under the impression I was doing more damage. Thanks, Háčky!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on October 10, 2015, 02:05:27 am
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.

It makes sense really. Thanks a bunch. Now I'm off to go look up how damage works
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Crystal_ on October 12, 2015, 09:59:22 am
Quote
And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.
Prior to damage calculation:
- Grab the two-byte attack (or special) value of the attacker and the two-byte defense (or special) value of the defender
- Apply Reflect / Light Screen if active and appropriate
- Divide both the attacker's attacking stat and the defender's defensive stat by 4, if either of the two is higher than 255
- Grab the lowest byte of the resulting stat values to use them for damage calculation

Since your attack stat (65535) is higher than 255, it gets divided by four (so would Onix's defense). 65535 divided by 4 equals 0x3FFF (16383 in decimal). Because only the lowest byte of the result is used for damage calculation, your Mew's attack becomes 0xFF or 255. Since the enemy's defense also got quartered in the process it essentially means that your effective attack is 255 x 4 = 1020.
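The stat pre-processing laid out in the post above, carried through in code as an added example (not the game's code or anything posted in the thread). The enemy defense value is constructed; the doubling used for Reflect / Light Screen is my assumption of what "apply" means and is off by default.

```python
# Added example (not from the thread): the stat pre-processing Crystal_
# describes, applied to the 65535 attack from the question. The enemy
# defense values used below are constructed, not taken from game data.
# Assumption (mine): "apply Reflect / Light Screen" means doubling the
# defender's stat before the size check; reflect=False skips that step.


def effective_stats(attack, defense, reflect=False):
    """Return the (attack_byte, defense_byte) pair the damage formula sees.

    Steps, in the order the post gives them:
      1. Reflect / Light Screen: double the defensive stat (assumed form).
      2. If either stat exceeds 255, divide both by 4 (integer division).
      3. Keep only the low byte of each.
    """
    if reflect:
        defense *= 2
    if attack > 255 or defense > 255:
        attack //= 4
        defense //= 4
    return attack & 0xFF, defense & 0xFF


def attack_to_defense_ratio(attack, defense, reflect=False):
    """How much stronger the attacker looks once both low bytes are taken."""
    atk, dfn = effective_stats(attack, defense, reflect)
    return atk / dfn if dfn else float("inf")


def lossy_truncation(attack, defense):
    """True when step 3 discarded bits (a quartered stat was still > 255)."""
    if attack > 255 or defense > 255:
        return attack // 4 > 255 or defense // 4 > 255
    return False


def best_attack_values(limit):
    """Attack values in 256..limit whose effective byte is 0xFF.

    Shows the non-monotonic behaviour: 1023 -> 0xFF, but 1024 -> 0x00.
    """
    return [a for a in range(256, limit + 1) if effective_stats(a, 0)[0] == 0xFF]


if __name__ == "__main__":
    enemy_defense = 200                         # constructed Onix defense
    print(effective_stats(65535, enemy_defense))  # (255, 50): 0x3FFF -> 0xFF
    print(lossy_truncation(65535, enemy_defense))  # True
    print(best_attack_values(2048))             # 1020..1023 and 2044..2047
```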
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Darkkis on October 12, 2015, 10:07:40 am
Does anyone mind breaking one of the 8F codes down? I'm REALLY interested in this kind of stuff and I'd love to learn to create a code myself. My life goal after finding out about this stuff is to succeed in coding 8F so that by pressing it it brings up a smiley face. Or even succeeding in writing a basic message such as "Hello, World!" would be nice. (if anyone knows how to do this, please let me know!)

For example, could someone break down this code? I don't quite understand how it works.

Code:
ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201

ASM:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret


I tried to make it so that the game would think I beat Sabrina with this setup, but it didn't work:

Code:
random item
8F
TM34 x215
ASH (0xB3 item) x201

The data from DataCrystal suggested that the data for beating Sabrina is at D7B3. D7 corresponds to 215 and I decided to use TM34 because it seems to be used a lot in this type of hack (probably my first screw-up) and B3 corresponds to the item ASH, so I determined it'd work with that setup, since apparently the default value is 63 and it should think I beat Sabrina with any value higher than 1. Where I got the number 201 is that it also seems to be used a lot in this type of hack, possibly acting as a "stop" for the code? (my second screw-up, I assume.)

Also, I don't understand the opcodes at all: what do stuff like ld and inc even mean? I tried looking up some guides for ASM but there weren't really any good explanations for them. Please help an interested newbie out.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on October 12, 2015, 10:47:18 am
About the code you mentioned: this payload takes advantage of the register hl containing the address of item 3 (the initial payloads put the address of item 3's identifier in the hl register, then transfers execution there with jp hl).

I'll try to break it down for you, line by line:

inc c - increases the value of the c register by 1. Used here as junk code, so we can use the item quantity to represent the opcode we want to execute, instead of the item identifier.
dec hl - decreases the value of the hl register by 1. The hl register did contain the address of item 3's identifier, after this line it contains the address of item 2's quantity.
dec c - decreases the value of the c register by 1, the same register that was decreased 2 lines ago. Again, this is junk code, used so we can represent the next opcode as a quantity, rather than an item. I'll take the time to explain why this is needed: if you look at the Big List (http://glitchcity.info/biglist.htm), if you express the quantity 43 as an item, it represents the Secret Key. It's possible (albeit a little annoying) to have two stacks of a regular item, but not so without cheating, or manipulating memory some other way, for a key item.
dec hl - As before, the value of the hl register is decreased. After this line, the hl register contains the address of item 2's identifier.
inc (hl) - The brackets around hl mean "the memory address contained in the register"; so, this line increases the value contained in the memory address that is the value of the hl register by 1. As mentioned, at this point, the hl register contains the address of item 2's identifier; so, this line increases item 2's identifier by 1.
ret - This line returns from the function that the game called to use the 8F item, and therefore returns control back to the game.

About why your attempted payload didn't work: you ALMOST got it right. Different CPUs use different byte orders, known as "endianness". You specified the memory address in your payload as big endian, where the most significant byte comes first, that is, D7 B3 corresponds to the address 0xD7B3. However, the Game Boy's CPU, which is a modified version of the Z80, uses little endian format, where the least significant byte comes first, that is, B3 D7 corresponds to the address 0xD7B3.

Stuff like "ld" and "inc" are assembler mnemonics. In this instance, "ld" is short for "load" and "inc" short for "increment". I mentioned earlier that the Game Boy uses a modified Z80. So, if you want to learn about the assembler, you can look up Z80 assembly/assembler; Google can help you there. Another thing that will help is this hexadecimal to Game Boy CPU mapping (http://iimarck.us/etc/asmopcodes.txt) and, of course, the BIG List (http://glitchcity.info/biglist.htm).

Hopefully this has helped you!
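A small interpreter, added here as an example (not code from the thread or from any poster), covering just the instructions the payloads in this thread use, so the DAB1/DAB2 walkthrough a few posts up, the line-by-line breakdown above and the little-endian point can each be checked by running them. It assumes the bag layout the posts give (item 3's identifier at D322, hl pointing there at entry); item identifiers are the ones quoted in the thread, while the entry value of a and the identifier of the item being morphed (0x01) are constructed.

```python
# Added example (not code from the thread): a minimal interpreter for the
# Game Boy CPU instructions used by the 8F payloads discussed here, run over
# an item list laid out as the posts describe: item 3's identifier at D322,
# each identifier followed by its quantity, hl pointing at D322 at entry.
# Item identifiers are those quoted in the thread; the entry value of `a`
# and the bytes already in memory are constructed.

ITEM3_ADDR = 0xD322    # identifier byte of item 3; quantities at D323, D325, ...
ITEM1_ADDR = 0xD31E    # identifier byte of item 1
ENTRY_REGS = {"h": 0xD3, "l": 0x22, "a": 0x00, "b": 0, "c": 0}  # hl = D322; rest constructed


def load_items(mem, items):
    """Store (identifier, quantity) pairs the way the bag keeps them."""
    addr = ITEM1_ADDR
    for ident, qty in items:
        mem[addr], mem[addr + 1] = ident & 0xFF, qty & 0xFF
        addr += 2
    mem[addr] = 0xFF                         # end-of-list marker


def run(mem, pc, regs, max_steps=64):
    """Execute from pc until ret; return the (address, value) writes made."""
    r = dict(regs)
    writes = []

    def hl():
        return (r["h"] << 8) | r["l"]

    def set_hl(v):
        r["h"], r["l"] = (v >> 8) & 0xFF, v & 0xFF

    def store(addr, val):
        mem[addr] = val & 0xFF
        writes.append((addr, mem[addr]))

    for _ in range(max_steps):
        op = mem[pc]
        pc += 1
        if op == 0xC9:                       # ret: hand control back to the game
            return writes
        if op == 0x04:                       # inc b
            r["b"] = (r["b"] + 1) & 0xFF
        elif op == 0x0C:                     # inc c
            r["c"] = (r["c"] + 1) & 0xFF
        elif op == 0x0D:                     # dec c
            r["c"] = (r["c"] - 1) & 0xFF
        elif op == 0x2B:                     # dec hl
            set_hl(hl() - 1)
        elif op == 0x34:                     # inc (hl)
            store(hl(), mem.get(hl(), 0) + 1)
        elif op in (0x2E, 0x26, 0x3E):       # ld l,n / ld h,n / ld a,n
            r[{0x2E: "l", 0x26: "h", 0x3E: "a"}[op]] = mem[pc]
            pc += 1
        elif op == 0x36:                     # ld (hl),n
            store(hl(), mem[pc])
            pc += 1
        elif op == 0x32:                     # ldd (hl),a
            store(hl(), r["a"])
            set_hl(hl() - 1)
        elif op == 0x22:                     # ldi (hl),a
            store(hl(), r["a"])
            set_hl(hl() + 1)
        elif op == 0xEA:                     # ld (nn),a: operand is little-endian
            store(mem[pc] | (mem[pc + 1] << 8), r["a"])
            pc += 2
        else:
            raise ValueError("opcode %02X at %04X not modelled" % (op, pc - 1))
    raise RuntimeError("no ret reached")


def morph_item2():
    """Burn Heal x43, Ice Heal x43, Full Heal x201 in slots 3-5: 0C 2B 0D 2B 34 C9."""
    mem = {}
    load_items(mem, [(0x5D, 1), (0x01, 5), (0x0C, 43), (0x0D, 43), (0x34, 201)])
    run(mem, ITEM3_ADDR, ENTRY_REGS)
    return mem[ITEM1_ADDR + 2]               # item 2's identifier, 0x01 -> 0x02


def perfect_dvs():
    """2E B2 26 DA 3E FF 32 22 C9: X Accuracy x178, Carbos x218, Lemonade x255, PP Up x34, TM01 x1."""
    mem = {0xDAB1: 0, 0xDAB2: 0}
    load_items(mem, [(0x5D, 1), (0x04, 1), (0x2E, 178), (0x26, 218), (0x3E, 255), (0x32, 34), (0xC9, 1)])
    run(mem, ITEM3_ADDR, ENTRY_REGS)
    return mem[0xDAB2], mem[0xDAB1]


def store_target(qty3, ident4):
    """Address written by 'TM34 x<qty3>, <item 4> x201' (TM34 = EA = ld (nn),a)."""
    mem = {}
    load_items(mem, [(0x01, 1), (0x5D, 1), (0xEA, qty3), (ident4, 201)])
    return run(mem, ITEM3_ADDR, ENTRY_REGS)[0][0]


if __name__ == "__main__":
    print(hex(morph_item2()))                # 0x2
    print(perfect_dvs())                     # (255, 255)
    print(hex(store_target(215, 0xB3)))      # 0xb3d7: TM34 x215, ASH x201 misses D7B3
    print(hex(store_target(179, 0xD7)))      # 0xd7b3: TM34 x179, TM15 x201 hits it
```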
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Darkkis on October 12, 2015, 11:31:03 am
About the code you mentioned: this payload takes advantage of the register hl containing the address of item 3 (the initial payloads put the address of item 3's identifier in the hl register, then transfers execution there with jp hl).

I'll try to break it down for you, line by line:

inc c - increases the value of the c register by 1. Used here as junk code, so we can use the item quantity to represent the opcode we want to execute, instead of the item identifier.
dec hl - decreases the value of the hl register by 1. The hl register did contain the address of item 3's identifier, after this line it contains the address of item 2's quantity.
dec c - decreases the value of the c register by 1, the same register that was decreased 2 lines ago. Again, this is junk code, used so we can represent the next opcode as a quantity, rather than an item. I'll take the time to explain why this is needed: if you look at the Big List (http://glitchcity.info/biglist.htm), if you express the quantity 43 as an item, it represents the Secret Key. It's possible (albeit a little annoying) to have two stacks of a regular item, but not so without cheating, or manipulating memory some other way, for a key item.
dec hl - As before, the value of the hl register is decreased. After this line, the hl register contains the address of item 2's identifier.
inc (hl) - The brackets around hl mean "the memory address contained in the register"; so, this line increases the value contained in the memory address that is the value of the hl register by 1. As mentioned, at this point, the hl register contains the address of item 2's identifier; so, this line increases item 2's identifier by 1.
ret - This line returns from the function that the game called to use the 8F item, and therefore returns control back to the game.

About why your attempted payload didn't work: you ALMOST got it right. Different CPUs use different byte orders, known as "endianness". You specified the memory address in your payload as big endian, where the most significant byte comes first, that is, D7 B3 corresponds to the address 0xD7B3. However, the Game Boy's CPU, which is a modified version of the Z80, uses little endian format, where the least significant byte comes first, that is, B3 D7 corresponds to the address 0xD7B3.

Stuff like "ld" and "inc" are assembler mnemonics. In this instance, "ld" is short for "load" and "inc" short for "increment". I mentioned earlier that the Game Boy uses a modified Z80. So, if you want to learn about the assembler, you can look up Z80 assembly/assembler; Google can help you there. Another thing that will help is this hexadecimal to Game Boy CPU mapping (http://iimarck.us/etc/asmopcodes.txt) and, of course, the BIG List (http://glitchcity.info/biglist.htm).

Hopefully this has helped you!

Wow, you don't know how helpful that was, I actually understand the code somewhat now. The only thing I can't comprehend is the junk code: why wouldn't the code work without the junk code? Are we not allowed to have two 'dec hl's in a row? EDIT: Never mind, I got it: the code wouldn't be possible without the junk code because there has to be some data for the item identifiers, lol.

Also, I changed my setup according to the little endian format, and it looks like this now:

Code:
random item
8F
TM34 x179
TM15 x201

The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on October 12, 2015, 11:57:49 am
The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Darkkis on October 12, 2015, 12:04:04 pm
The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?

I figured that if the game thinks I beat Sabrina, it'd let me pass the Soulbadge barrier in Pokemon League, but it didn't. So, where is the event flag even used then?

I would like to get her badge and possibly all badges with this method, since apparently getting event flags for the 3 remaining Gym Leaders was not enough. But DataCrystal says something about "binary switches" in the badges: what are those?


Also, I didn't see this code anywhere, so I decided to post it: it allows you to clone items without using MissingNo or M.

Code:
8F
Item you want to multiply
Fresh Water x43
Soda Pop x54
TM54 (or any item with the quantity you wish, TM54 has an identifier of 254) x201

And in ASM:
Code:
inc a
dec hl
dec a
ld (hl),xx ;(with TM54, xx = FE)
ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on October 13, 2015, 08:26:43 am
The event flag is used so you don't battle Sabrina again after you beat her.

The barrier in Pokemon League goes against "number of badges", which is at D356.

To set this so you have all the badges, you can use an item list like:

Item 3: Lemonade x255
Item 4: X Accuracy x86
Item 5: Carbos x211
Item 6: Poké Ball x119
Item 7: Fresh Water x201

which is based on this template I made 2.5 years(!) ago (http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609).

This sets $D356 to $FF which gives you all the badges.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SatoMew on October 15, 2015, 11:05:05 am
The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?

Huh, so what exactly happens in Red and Green that causes the "win even if lost" bug (https://www.youtube.com/watch?v=EF3RlidjDJk)?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 15, 2015, 07:57:47 pm
Do you have to set up the bootstrap + item setup, or just one of them? Also, is it supposed to crash if no setup is done?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 16, 2015, 03:30:06 am
Hello,

The glitch item 8F / Wslm reads code from your Team / box.
The standard setup we use redirects the reading to the items.
You could do your codes with Pokémon data only, but it's hard, so we prefer this way.

If you don't have the Team / box setup, it won't work. Depending on the Pokémon, it will most likely freeze.

So unless you feel in the mood to code with Pokémon, you need both.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 16, 2015, 12:13:45 pm
Thank you, I wasn't sure if I wanted to spend the time to get the setup, because on the emulator I use (meboy 2.2) when I used 8F an error would pop up instantly stating I was out of bounds. But now that you have said that it crashes the game depending on the Pokémon you have, that could be why it crashes, so I will set it up and hopefully it will fix the problem :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 16, 2015, 12:43:00 pm
No problem ;)
If you're in trouble getting your code to work, don't hesitate to come here and we'll try to help  :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 16, 2015, 12:52:03 pm
Will do, thanks again 8)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 17, 2015, 09:46:41 am
Done, works well. At least I know 8F works on my emulator. Is there anywhere I can go to find more interesting codes? :D How to use Jack properly, what does 4848 do, and 8__8? Also thanks
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 17, 2015, 11:28:32 am
Also, can you do GameShark codes having the hex items?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 17, 2015, 01:43:04 pm
I'm not sure I understand your question.

To execute a gameshark code only using 8F, given a Gameshark code is structured this way: AABBCCDD
You can do this :
Any item
8F / ws*l’||lm||
Lemonade xBB (in decimal)
TM34 xCC (in decimal)
hex:DD item x201

To get the DD item, if it is a glitch item, you can use this code:
8F / ws*l’||lm||
Item you want to morph
Burn Heal x43
Ice Heal x43
Full Heal x201

The second item gains 1 hex each time you use the code.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 17, 2015, 03:59:13 pm
Yes, with BB, CC and DD being bytes 1-3, right? I am confused, as I have seen this code for Walk Through Walls, 010138CD, but is it wrongly corresponded to their items (Max Revive, X Accuracy, Carbos)? Because I checked their hex in the big list and it doesn't match. I am probably checking the wrong place, so could you tell me what I'm doing wrong? I'm very confused at the moment haha. I have done the Catch 'Em All code and the Any Item code and I am just trying to understand how to work it. Thanks for helping :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 17, 2015, 04:54:36 pm
In the Gameshark code you mention,
AA = 01
BB = 01
CC = 38
DD = CD

So the corresponding code is:
Any item
8F / ws*l’||lm||
Lemonade x1
TM34 x56
TM05 x201

Because 38, in decimal, is 56, and TM05 is the item with a hex value of CD (http://glitchcity.info/biglist.htm).
Then use 8F / ws*l’||lm|| and you will walk through walls. Proceed this way with any gameshark code you would like to use.

Please note RAM address $CD38 is in a memory section which doesn't change between versions AND localizations. You will not have to change this code if you use it in Yellow version, nor if you use a foreign game.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 17, 2015, 05:53:53 pm
Ok right, what about 1 Lemonade and TM34, where do they come in?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on November 17, 2015, 06:52:56 pm
In the Gameshark code you mention,
AA = 01
BB = 01
CC = 38
DD = CD

So the corresponding code is:
Any item
8F / ws*l’||lm||
Lemonade x1
TM34 x56
TM05 x201

Because 38, in decimal, is 56, and TM05 is the item with a hex value of CD (http://glitchcity.info/biglist.htm).
Then use 8F / ws*l’||lm|| and you will walk through walls. Proceed this way with any gameshark code you would like to use.

Please note RAM address $CD38 is in a memory section which doesn't change between versions AND localizations. You will not have to change this code if you use it in Yellow version, nor if you use a foreign game.

why use that when this is easier? (all that's needed is 5 items you can get from Celadon department store)

Optimise your code to use only non-glitch/non-key items if possible guys, I always tried to do this...

http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 18, 2015, 03:51:33 am
Thanks, Wack0, I wasn't aware of this new version. I probably missed it while reading the thread. That's really a great code! I will add it to PRAMA too  ;)

Ok right, what about 1 Lemonade and TM34, where do they come in?

To answer this question: I told you earlier using 8F gets the game to read code from party, and having the specific setup redirects the reading to the THIRD item.
Now the third item is Lemonade x1. Third item memory address in english R/B is $D322. Lemonade's hex ID in the Big List is 3E so that's the value for this address.
The following address would be the quantity of Lemonade, then the hex ID of the fourth item, its quantity, fifth item, etc.

Here, we have the following read code:
3E (Lemonade) 01 (x1) EA (TM34) 38 (x56) CD (TM05) C9 (x201)

To understand what it means you need to know how these hex numbers are interpreted as game instructions.

Here's something you could use: http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html
In this table, every hex number matches an instruction. The instructions for the above numbers are:
3E : ld A, d8
This puts the following number into an in-game "A" value. So from now on, A = 01.
Since 01 was integrated into this instruction, we continue with the third one.
EA : LD (a16),A
This specific instruction takes the memory address composed by the next TWO hex numbers and assigns A to it as its value. Note the numbers are read in reverse order here; the memory address will be $CD38. So this instruction gets $CD38 to take the value 1. This is what the gameshark code does, since having 1 as value of this address will get you to walk through walls.
38 and CD having been used here, we conclude this with the last number.
C9 : ret
This is an "end" instruction, that stops the reading of the code. It is very important to place it, otherwise the game will continue to read the following addresses as code... and God knows what can happen then.

Click on Wack0's link and read the ASM (instructions) of its code. You would be able to understand it, if I tell you "inc" is an increase instruction.
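Added example (Python), not code from any post in this thread or from the PRAMA tool: it automates exactly the translation Krys3000 walks through above, from a 01BBCCDD GameShark code to the bytes 3E BB EA CC DD C9, to the item list that spells them starting in the third slot, and it also emits Wack0's 5-item "change any byte" template for the same code. A small disassembler for the handful of GB Z80 opcodes these lists use lets you check the reading ("ld a / ld (a16),a / ret") for any list you build. The item IDs for Lemonade, TM34, TM05, Fresh Water, Burn Heal, Ice Heal, Revive and Moon Stone are the ones stated in the thread; X Accuracy, Carbos, Poké Ball and Full Heal are taken from the Big List. The start address $D322 is the English R/B third-slot address given above.

```python
# Added example: GameShark write-byte code -> 8F item list, plus a tiny
# disassembler for the opcodes those lists encode. Not from the thread.

# Item hex IDs, English Red/Blue. Most are stated in the thread; X Accuracy,
# Carbos, Poké Ball and Full Heal come from the Big List.
ITEM_ID = {
    "Poké Ball": 0x04, "Moon Stone": 0x0A, "Burn Heal": 0x0C, "Ice Heal": 0x0D,
    "Carbos": 0x26, "X Accuracy": 0x2E, "Full Heal": 0x34, "Revive": 0x35,
    "Fresh Water": 0x3C, "Lemonade": 0x3E, "TM05": 0xCD, "TM34": 0xEA,
}
ID_ITEM = {v: k for k, v in ITEM_ID.items()}

ITEM3_ADDR = 0xD322  # third item slot in English R/B, where the bootstrap lands


def parse_gameshark(code):
    """'01BBCCDD' -> (value BB, address DDCC). Only the 01 write-byte form."""
    code = code.strip().upper()
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("expected an 8-digit 01xxxxxx GameShark code")
    value = int(code[2:4], 16)
    addr = (int(code[6:8], 16) << 8) | int(code[4:6], 16)  # DD is the high byte
    return value, addr


def program_3_items(value, addr):
    """Krys3000's form: ld a,value ; ld (addr),a ; ret. Needs an item whose ID is DD."""
    return bytes([0x3E, value, 0xEA, addr & 0xFF, addr >> 8, 0xC9])


def program_5_items(value, addr):
    """Wack0's template: ld a,value ; ld l,CC ; ld h,DD ; inc b ; ld (hl),a ; inc a ; ret.
    Only ordinary shop items are needed because the address bytes are operands."""
    return bytes([0x3E, value, 0x2E, addr & 0xFF, 0x26, addr >> 8, 0x04, 0x77, 0x3C, 0xC9])


def bytes_to_items(program):
    """Pair the bytes up as (item name, quantity), starting at the third slot.
    IDs not in the table are written 'hex:XX item', as the thread does."""
    if len(program) % 2:
        raise ValueError("item lists hold byte pairs; pad the program to even length")
    slots = []
    for i in range(0, len(program), 2):
        name = ID_ITEM.get(program[i], "hex:%02X item" % program[i])
        slots.append((name, program[i + 1]))
    return slots


# The GB Z80 opcodes the thread's item lists use: (mnemonic, operand byte count).
OPCODES = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0D: ("dec c", 0), 0x26: ("ld h,${0}", 1),
    0x2B: ("dec hl", 0), 0x2E: ("ld l,${0}", 1), 0x34: ("inc (hl)", 0), 0x35: ("dec (hl)", 0),
    0x36: ("ld (hl),${0}", 1), 0x3C: ("inc a", 0), 0x3D: ("dec a", 0), 0x3E: ("ld a,${0}", 1),
    0x77: ("ld (hl),a", 0), 0xC9: ("ret", 0), 0xEA: ("ld (${1}{0}),a", 2),
}


def disassemble(program, base=ITEM3_ADDR):
    """Return [(address, mnemonic)] for the bytes, placed at `base`.
    ld (a16),a reads its address little-endian, which is why DD follows CC."""
    out, pc = [], 0
    while pc < len(program):
        op = program[pc]
        fmt, n = OPCODES.get(op, (None, 0))
        args = ["%02X" % b for b in program[pc + 1:pc + 1 + n]]
        if fmt is None or len(args) < n:
            out.append((base + pc, "db $%02X" % op))  # unknown opcode or truncated operand
            pc += 1
            continue
        out.append((base + pc, fmt.format(*args)))
        pc += 1 + n
    return out


if __name__ == "__main__":
    value, addr = parse_gameshark("010138CD")  # walk through walls, from the thread
    for prog in (program_3_items(value, addr), program_5_items(value, addr)):
        print(bytes_to_items(prog))
        for where, text in disassemble(prog):
            print("  $%04X  %s" % (where, text))
```

Running it on 010138CD gives Lemonade x1, TM34 x56, TM05 x201 for the 3-item form and Lemonade x1, X Accuracy x56, Carbos x205, Poké Ball x119, Fresh Water x201 for the 5-item one; the Moon Stone code 010A5FD5 and the all-badges write of $FF to $D356 come out as the lists posted later in this thread. When DD is not an item in the table the 3-item form shows "hex:DD item", which is the case that sends you to the item-morph code.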

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 04:03:28 am
Nice, got it so you can pretty much change anything you want with the right code right ?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 18, 2015, 04:30:16 am
This code allows you to change the value of ONE memory address. It's very cool, but it's the least you can do using 8F.
You can create codes that will modify a different memory address every time you use it, or codes that will change several values in one take.
You could even create complex programs like TheZZAZZGlitch did creating a Pong, or the way Torchickens changed Pallet Town into a 1G Twinleaf Town. You don't have to limit yourself to the poor gameshark code simulation  :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 08:51:12 am
Yes, you are right but I'm just a beginner haha , am I right in saying for a code with XXXX00XX would be the glitch item j right ?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 18, 2015, 09:05:55 am
Actually, the glitch item is the last byte. So it would be for the XXXXXX00 code. And yes, it will be "j" in english games.
The third byte is the quantity of TM34 in the code I posted earlier.

But as Wack0 mentioned, this other code is easier to use:

Any Item
8F / ws*l’||lm||
Lemonade xBB
X Accuracy xCC
Carbos xDD
Poké Ball x119
Fresh Water x201

No need for glitch items or complicated items. In this case, the 00 of your XXXX00XX code will be the quantity of X Accuracy.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 09:54:10 am
If the dec number is 00 like in this code 01FF00D7 what then
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 18, 2015, 01:07:09 pm
Then you should use this code:

Any Item
8F / ws*l’||lm||
Lemonade x255 (FF)
X Accuracy x00 (00)
Carbos x215 (D7)
Poké Ball x119
Fresh Water x201

Or this one:

Any item
8F / ws*l’||lm||
Lemonade x255
TM34 x00
TM15 x201

A quantity of 0 is something that can be obtained. Any quantity above 99 cannot be obtained normally, so you have to use glitches. MissingNo's duplication, for example, can raise the quantity of an item up to 255. But in the case of a quantity of 0, because 0 = 256, MissingNo. cannot help.

To get a x0 item, you can use item underflow. I'm guessing you already did it at least once, to get the 8F / ws*l’||lm|| item, unless you used Glitch World RAM Manipulation.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 02:07:51 pm
Yes, I used the item underflow glitch using 255 stacks and dropping items. Is it an item under Cancel, or is it close to where you find 8F?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 02:13:38 pm
Wait I have 0 item bf4 in my pc I will use item morph glitch to change it to accuracy :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 02:46:16 pm
Hmm, this code is supposed to make me walk faster but it definitely isn't changing my walk speed. 8F is working but I don't know what it's doing, if it's even doing anything. Any way you can check what it does???
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 18, 2015, 03:01:21 pm
I don't know where you get the code, but address $D700 is not related to speed. It's actually your "displacement status". Its value is 00 if you walk, 01 if you're biking, 02 if you're surfing. Changing its value to FF (as 01FF00D7 does) will not do anything.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 18, 2015, 03:06:25 pm
Great. http://www.supercheats.com/gameboy/pokemon-blue/5386/My-Collection-Of-Pokemon-Blue/ He also has slow walking speed, fast text speed and slow text speed, all similar codes :/
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on November 18, 2015, 06:20:06 pm
Thanks, Wack0, I wasn't aware of this new version. I probably missed it while reading the thread. That's really a great code! I will add it to PRAMA too  ;)

it's not new, i made it back in 2013.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 19, 2015, 09:59:38 am
So, is there a website that tells me which individual byte affects which area of memory, that I will be able to understand? Because I can't read code very well.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on November 19, 2015, 11:52:35 am
So, is there a website that tells me which individual byte affects which area of memory, that I will be able to understand? Because I can't read code very well.

We have a list of gameshark codes if that's what you mean: http://glitchcity.info/wiki/index.php/Pok%C3%A9mon_GameShark_codes
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 19, 2015, 02:11:52 pm
Otherwise, you can:

- Use this RAM Map which gives most addresses of the WRAM: http://datacrystal.romhacking.net/wiki/Pokémon_Red/Blue:RAM_map
- Use the disassembly (but it's a bit harder to understand maybe): https://github.com/pret/pokered/blob/941d2b9eb8a59b42ea71a08b34b25c06477cf36d/wram.asm
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 19, 2015, 07:43:41 pm
Exactly what I was looking for so I can make my own codes yes ? And if I was going to like change my sprite or something
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 20, 2015, 04:29:39 am
.. DXXX is that a hex and dec or hex and hex dec
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 20, 2015, 06:27:01 am
Absolutely!

Let's say you want to get a Moon Stone in the 19th position of your stored items, for some reason. Look in the RAM Map and you will see this: D55F - Stored Item 19

So $D55F is the address you want to deal with. You also need to know the hex ID for the Moon Stone, that you can get in the big list. In this case it will be 0A.

Therefore, the gameshark code to "get a Moon Stone in the 19th position of the stored items" will be 010A5FD5. Note that the address is reversed in the gameshark code, 5F comes before D5.

Converted into an 8F code, you will have to get the following items:
Any Item
8F / ws*l’||lm||
Lemonade x10 (0A)
X Accuracy x95 (5F)
Carbos x213 (D5)
Poké Ball x119
Fresh Water x201

And here you go: a Moon Stone appears in the 19th position of the stored items!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 20, 2015, 06:52:33 am
Amazing :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 20, 2015, 11:52:19 am
What is Debug new game in ram map
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on November 20, 2015, 01:00:45 pm
Well, that might be a little complicated to explain. Let's try. You know the value of an address is a hex number. For example, 00 or FF.

Translated into binary, FF is 1111 1111. Eight numbers, right? That means any hexadecimal number can be written with 8 binary numbers.
00 = 0000 0000
01 = 0000 0001
0F = 0000 1111
F0 = 1111 0000
A9 = 1010 1001
To properly translate a hex number into binary, you can use Windows' calculator (programmer mode).

Now, this is important because each bin number is a "bit". The bit can be set ("1") or removed ("0"). For any hex number, you can translate it in a series of 8 bits, either set or removed.

Before talking about the "Debug New Game" address, let's take an easier example. Address $D2F7 is "owning or not owning Pokémon 1 to 8". The owned Pokémon are determined by the bit of the value for this address. If the value is FF, all bits are set (1111 1111) so you have all eight Pokémon. If the value is A9, as you can see above, this means Pokémon 1, 4, 6 and 8 are owned, but 2, 3, 5 and 7, all having their bit to 0, are not.

Now, address $D732 triggers things according to which bits are set or not set.
If the first bit is set (we call this bit "bit 0" and it is actually the last in order; for example in 0000 0001, "bit 0" would be the 1) then play time is counted. That's why this bit is always set.

If bit 1 is set (XXXX XX1X, as with hex:02) when a new game is launched, it activates the debug mode. In this mode, Oak's speech will be shorter. The player's name is set to NINTEN and the rival's name to SONY. You don't start the game in your house, and you can avoid wild encounters by holding B. This is of course never triggered in a normal game.
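Added example (Python, not from any post in this thread): the bit reading Krys3000 describes, applied to the two addresses he mentions. It decodes a byte into set bit positions (bit 0 being the rightmost binary digit), maps $D2F7's bits to "owned Pokémon 1 to 8", builds the byte back from a list of owned Pokémon, and reads the two $D732 bits named above. The bit meanings are only those stated in the post.

```python
# Added example: reading and building the bit flags Krys3000 explains.
# Not code from the thread.

def set_bits(value):
    """Positions of the set bits in one byte; bit 0 is the rightmost digit."""
    if not 0 <= value <= 0xFF:
        raise ValueError("a RAM byte is 0..255")
    return [i for i in range(8) if (value >> i) & 1]


def owned_pokemon(byte, first_index=1):
    """$D2F7: bit 0 = Pokémon 1 owned, ..., bit 7 = Pokémon 8 owned."""
    return [first_index + i for i in set_bits(byte)]


def byte_from_owned(indices, first_index=1):
    """Inverse of owned_pokemon: the byte that marks exactly these Pokémon."""
    value = 0
    for n in indices:
        bit = n - first_index
        if not 0 <= bit < 8:
            raise ValueError("Pokémon %d is not covered by this byte" % n)
        value |= 1 << bit
    return value


def describe_d732(value):
    """The two $D732 bits named in the post: bit 0 (play time counted),
    bit 1 (debug mode when a new game is started)."""
    return {
        "play_time_counted": bool(value & 0x01),
        "debug_new_game": bool(value & 0x02),
    }


if __name__ == "__main__":
    print("A9 = %s -> owned %s" % (format(0xA9, "08b"), owned_pokemon(0xA9)))
    print("$D732 = 03 ->", describe_d732(0x03))
```

A9 is 1010 1001, so `owned_pokemon(0xA9)` returns Pokémon 1, 4, 6 and 8, the same reading as the post; `byte_from_owned([1, 4, 6, 8])` gives A9 back, and a $D732 value with bit 1 set (02, or 03 with the play-time bit too) reports debug mode.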
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SnorLapraSuicuinEkans on November 20, 2015, 01:14:35 pm
That all you can do ? Not so great.. Binary is 1248 1632 right ?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on November 24, 2015, 05:21:06 pm
Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233 even when I happen to need to store / retrieve it from the PC. I've set it to 233, but whenever I deposit / withdraw, it becomes like 268 or something.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Háčky on November 24, 2015, 05:51:06 pm
Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233 even when I happen to need to store / retrieve it from the PC. I've set it to 233, but whenever I deposit / withdraw, it becomes like 268 or something.
Take the square root of the EVs, and then the calculation is the same as in later generations (4 EVs = 1 stat point at level 100). The maximum of 65535 EVs grants √(65535)/4 ≈ 64 stat points at level 100. If your (presumably level 100) Pidgey has 268 HP with maximum EVs, and you want it to have 233 HP, then you’d need to reduce its HP EVs to around 13456, since √(13456)/4 = 29 points at level 100. (You might have to adjust that for rounding errors.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: The G-Meister on November 25, 2015, 01:25:13 am
Ahhh, thanks a bunch. As my purpose was rather that it didn't gain any EVs from battle, I'll set it to 169, and see if I get 233
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: XTFOX on January 27, 2016, 05:58:19 pm
Ok that 8F Bootstrap is too complicated.  I made a new (simplified) one based off the original one.  Could someone confirm my work?

Pokemon with values in hex after:

6 pokemon [06]
Onix [22]
Pidgey [24]
Pidgey [24]
Jolteon [68]
Tentacool [18]
Pick a pokemon based off Onix's stats

Onix 233 attack > Kadabra [26]
Onix 233 defense > Chansey [28] (Used Below)
Onix 233 speed > Mr. Mime [2A]
Onix 233 Special > Hitmonchan [2C]

Realistically any of the first 4 Pokemon with a 233 stat could work assuming the corresponding hex offset exists as a pokemon.  For example using the 2nd Pidgey's speed doesn't work because the 6th pokemon would need a hex value of 56 which is a MissingNo.

Code: [Select]
; -- Initial value of hl: D163
WRA1:D163 06 22            ld   b,22    ;  b = 22
WRA1:D165 24               inc  h       ; hl = D263
WRA1:D166 24               inc  h       ; hl = D363
WRA1:D167 68               ld   l,b     ; hl = D322
WRA1:D168 18 28            jr   D16A + 28 = D192

WRA1:D192 E9               jp   hl


Just a note I only read the first post, if I am recreating somebody's work and claiming it as my own I apologize.

EDIT: Found the wiki! Looks like a similar one has already been made that also only requires one specific stat.  Though the ability to choose any stat and just change the 6th pokemon is still cool seeing as the wiki one requires Pidgey 233 hp because it uses Pidgey's ID a 2nd time to Inc H. 

Also, has anybody tried to figure out why 8F accesses D163? I looked at the Pokémon Red disassembly item page (https://github.com/pret/pokered/blob/master/engine/items/items.asm) and couldn't figure it out.
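Added example (Python, not code from XTFOX or anyone else in this thread): a small interpreter for the few GB Z80 opcodes XTFOX's bootstrap and the write-one-byte item lists use, so the whole chain can be stepped through offline: 8F starts at $D163 with hl = $D163, the party bytes form `ld b,$22 / inc h / inc h / ld l,b / jr`, the jump lands on a 233 (= $E9 = `jp hl`) stat byte of the first Pokémon, and execution continues at the third item slot $D322. The party bytes and the stat addresses ($D190/$D192/$D194/$D196 for attack/defense/speed/special of slot 1) are exactly those in XTFOX's listing and table; `jr_offset` reproduces his 6th-Pokémon IDs (26, 28, 2A, 2C) from them. Untouched RAM is assumed to read as 0, and only the opcodes used by the listed programs are modelled.

```python
# Added example: emulate the 8F -> bootstrap -> item-list chain from XTFOX's
# post. Not from the thread; party layout and stat addresses are his.

PARTY_ADDR = 0xD163   # 8F starts executing here (number of Pokémon byte)
ITEM3_ADDR = 0xD322   # third item slot, English R/B
JR_ADDR = 0xD168      # 5th Pokémon's ID (Tentacool = $18 = jr) sits here

# Low byte of party Pokémon 1's stats, as in XTFOX's table of jr targets
STAT_ADDR = {"attack": 0xD190, "defense": 0xD192, "speed": 0xD194, "special": 0xD196}


def jr_offset(target, jr_addr=JR_ADDR):
    """jr is relative to the byte after its 2-byte encoding, so the 6th
    Pokémon's ID has to be target - (jr_addr + 2). That ID must also be a
    real Pokémon, which is XTFOX's reason for choosing the stat."""
    off = target - (jr_addr + 2)
    if not -128 <= off <= 127:
        raise ValueError("target out of jr range")
    return off & 0xFF


def xtfox_party(stat="defense"):
    """Sparse memory with XTFOX's party: 6 Pokémon; Onix, Pidgey, Pidgey,
    Jolteon, Tentacool, then the 6th chosen so jr hits Onix's 233 `stat`."""
    mem = {}
    party = [0x06, 0x22, 0x24, 0x24, 0x68, 0x18, jr_offset(STAT_ADDR[stat])]
    for i, byte in enumerate(party):
        mem[PARTY_ADDR + i] = byte
    mem[STAT_ADDR[stat]] = 233  # 233 = $E9 = jp hl
    return mem


def run(mem, item_program, start=PARTY_ADDR, max_steps=64):
    """Place item_program at $D322, execute from `start` with hl = start
    until ret. Returns (list of executed pcs, final memory)."""
    mem = dict(mem)
    for i, byte in enumerate(item_program):
        mem[ITEM3_ADDR + i] = byte
    rd = lambda addr: mem.get(addr & 0xFFFF, 0)  # untouched RAM reads as 0 (assumption)
    a, b, hl, pc = 0, 0, start, start
    trace = []
    for _ in range(max_steps):
        trace.append(pc)
        op = rd(pc)
        if op == 0x06:   b = rd(pc + 1); pc += 2                         # ld b,d8
        elif op == 0x24: hl = (hl + 0x100) & 0xFFFF; pc += 1             # inc h
        elif op == 0x68: hl = (hl & 0xFF00) | b; pc += 1                 # ld l,b
        elif op == 0x18:                                                 # jr r8
            off = rd(pc + 1)
            off -= 256 if off > 127 else 0
            pc = (pc + 2 + off) & 0xFFFF
        elif op == 0xE9: pc = hl                                         # jp hl
        elif op == 0x3E: a = rd(pc + 1); pc += 2                         # ld a,d8
        elif op == 0x2E: hl = (hl & 0xFF00) | rd(pc + 1); pc += 2        # ld l,d8
        elif op == 0x26: hl = (rd(pc + 1) << 8) | (hl & 0xFF); pc += 2   # ld h,d8
        elif op == 0x04: b = (b + 1) & 0xFF; pc += 1                     # inc b
        elif op == 0x77: mem[hl] = a; pc += 1                            # ld (hl),a
        elif op == 0x3C: a = (a + 1) & 0xFF; pc += 1                     # inc a
        elif op == 0xEA: mem[rd(pc + 1) | (rd(pc + 2) << 8)] = a; pc += 3  # ld (a16),a
        elif op == 0xC9: return trace, mem                               # ret: back to the game
        else: raise ValueError("opcode $%02X at $%04X not modelled" % (op, pc))
    raise RuntimeError("no ret within %d steps" % max_steps)


if __name__ == "__main__":
    walk_through_walls = bytes([0x3E, 0x01, 0xEA, 0x38, 0xCD, 0xC9])  # Krys3000's 3-item list
    trace, mem = run(xtfox_party("defense"), walk_through_walls)
    print(" -> ".join("$%04X" % pc for pc in trace))
    print("$CD38 =", mem.get(0xCD38))
```

The trace for the walk-through-walls list is $D163, $D165, $D166, $D167, $D168 (the bootstrap), $D192 (jp hl), then $D322, $D324, $D327 in the items, and $CD38 ends up as 1. Swapping in Wack0's 5-item all-badges list (3E FF 2E 56 26 D3 04 77 3C C9) writes $FF to $D356 the same way, and choosing "attack" or "speed" instead of "defense" just changes which 233 stat and which 6th Pokémon carry the jump.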
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on February 02, 2016, 06:46:05 am
Also, has anybody tried to figure out why 8F accesses D163? I looked at the Pokémon Red disassembly item page (https://github.com/pret/pokered/blob/master/engine/items/items.asm) and couldn't figure it out.

The index bounds are not checked when using an item, the game happily gets the 16-bit integer at ItemUsePtrTable + (2*0x5d) and calls it, which happens to be the wPartyCount from ld a,[wPartyCount].
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: lowena on February 13, 2016, 05:57:17 am
I had several problems while trying to do the dry item underflow glitch to get P7 (7F/8F) in my Spanish Pokemon Blue. Once I got to the step to switch the X Special with the Nugget, scrolling down past Exit the item menu would freeze, but I realized that if I pressed B I could keep going down, and I had to do that several times to get down to the Nugget, and the same to switch the P7 back. The next problem was fixing the item menu. If i bought one item in Celadon, nothing happened. If I bought two, the P7 and everything else was erased. So I had to put the P7 in my PC, fix the menu, then take it back out. Hopefully that doesn't cause any problems. I haven't been able to bootstrap it yet to see if it actually works, but hopefully I don't run into many more problems. I'm probably going to do the compact one with Electabuzz, but unfortunately it's Red only so I'll have to Ditto glitch getting one :') I'll report back with what I find out.

Also, as a note if anyone else trying to get P7 on the Spanish game or some of the other European versions where you can't do the Old Man glitch, in order to get 255x X Special I did the Ditto glitch to encounter a Missingno. which solved the problem. The easiest way to do that is to get up to Fuchsia City, use any long-range trainer you want, consult the usual hex ID table, and encounter a Ditto in the grass immediately east upon leaving Fuchsia City.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 13, 2016, 04:42:10 pm
The "long name items" generating "locks" while going down the items in the item menu is a common issue. Spamming B and Down is a good solution to go through indeed. I think what causes this is that some items might match RAM addresses controlling the player's position, and the value of these addresses matches an item with a glitched long name. This would be why if you move to another spot, you might not encounter the problem anymore. Sometimes when I face this, I just move a few steps and problem solved.

About the menu fixing issue, the first item fixes and erases the menu, but sometimes you don't see it and need to get a second item. I think it depends on how you trigger the glitch, but anyway you definitely have to store your P7 item before fixing the menu.

In french games, we can perform the Old Man Trick but we can't encounter pixel MissingNo. In this case, using the Ditto Trick to have a ghost/fossil MissingNo. is also our favorite solution. Also remember that you can use the Cooltrainer Trick to encounter a Pokémon, and more simply use the Glitch City RAM Manipulation to give yourself an item x255 without encountering MissingNo. at all.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: lowena on February 13, 2016, 06:48:22 pm
Well I got my P7 bootstrapped (using GCL's setup) and it works! So happy all that work didn't go to waste.

Thanks for the tip about long name items, I'll keep that in mind if I need to do the underflow glitch again. Maybe you could add a note to the underflow glitch guide about the long name and storing 8F to help others in the future? I haven't tried the Cooltrainer glitch yet, nor the Safari Zone glitch. I hadn't even heard of the RAM manipulation glitch but it sounds really cool, I'll have to check that out :)

EDIT: I made an 8F script to give you 255 of an item, useful in conjunction with the Change Second Item script to get any item you need for other scripts. I don't think this should cause any problems but I'm just a beginner, so please someone let me know if this is flawed.

GET 255 OF SECOND ITEM

This code, which is based off of the Change the Second Item code and likewise only requires 3 basic items, will give you 255 of the second item in slot 2. It simply decreases the item by 2, wrapping around backwards from 1 to 255 (0x01 - 0x02 = 0xff in 8 bit math). It is necessary to have only 1 of the item in slot 2.

ITEM LIST (starting from the first slot):
* 8F
* Item you want 255 of x1
Burn Heal x43
Ice Heal   x53
Revive      x201

Code: [Select]
inc c ;0c = Burn Heal
dec hl ;2b = 43
dec c ;0d = Ice Heal
dec [hl] ;35 = 53
dec [hl] ;35 = Revive
ret ;c9 = 201

Also as a bonus, if you use Revive x201 instead of Full Heal x201 for the Change the Second Item code in the first post of the thread, the item hex ID will go down instead of up. :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 14, 2016, 03:30:10 pm
Quote
Maybe you could add a note to the underflow glitch guide about the long name and storing 8F to help others in the future?

Unfortunately, I lack the time to complete my own Pokémon glitch website so I really don't have the time to contribute to GCL's wiki (so I at least try to answer questions on the forum). But yes, there is information about this glitch and some others that really needs to be added.

Quote
I hadn't even heard of the RAM manipulation glitch but it sounds really cool, I'll have to check that out :)

You will find everything here (http://forums.glitchcity.info/index.php/topic,7353.0.html) (there's a video too). For the same reason, I still don't have the time to write a page for this :)

Nice code to get x255 of the second item! This clearly can be useful. Thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: lowena on February 14, 2016, 04:41:25 pm
I completely understand not having the time to do stuff. Maybe if I stay here long enough and get into glitching/hacking enough I can help with the wiki (no guarantees at all though :P ).

And thank you! I'm glad you find it useful. :)

Does anyone know of a way to assemble code into hex? It would be nice to be able to write code in assembly then assemble it to insert into the ROM or paste into the debugger for testing purposes instead of having to look up the hex for each opcode :c
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 15, 2016, 07:20:13 am
I don't know if that answers the question but there is a french "GBZ80 to items" software in which you choose your opcodes and it converts the code into hex values and then directly into items. It was developed by ISSOtm (http://forums.glitchcity.info/index.php?action=profile;u=1400) of the PRAMA Initiative team, who also is a Wiki Contributor here. I don't think it's hard for an english-speaker to understand how to use it, but maybe there is an english equivalent software somewhere.

You can find it here: http://prama-initiative.com/8F/
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: lowena on February 15, 2016, 04:51:02 pm
Thanks! That helps a lot. It would be cool if you could just type assembly and not have to use the dropdown menus (which I recognize would probably be quite a bit more work to code), but it's much better than looking up opcodes in a table. :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 16, 2016, 01:56:53 am
It would be cool if you could just type assembly and not have to use the dropdown menus (which I recognize would probably be quite a bit more work to code)

Planned for v.3.0 according to ISSOtm  :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 27, 2016, 08:41:01 pm
Just a note to the OP Nidoking and Nidoqueen are both capable of the moves hitmonlee currently uses for future reference (At the moment it says only Hitmonlee can learn all the moves.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 28, 2016, 01:31:58 pm
Would it be possible to make a code that makes pokemon number 1 in active box have type 1 or type 2 changed to another type. EX what everyone wanted to do and make charizard a fire dragon type, or for type 1 make Onix a grass ground type etc.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 28, 2016, 04:11:15 pm
You can do whatever the f*ck you want, dude.

Read this (http://forums.glitchcity.info/index.php/topic,7428.msg199720.html#msg199720) and you should be able to do what you are asking for. In case of problem, come back to ask!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 28, 2016, 06:32:01 pm
Using this code but it isn't doing anything just exits the menu. I am trying to change current/active Box pokemon 1 type 2 into dragon. Maybe the type doesn't visibly change but I think it does/should. And yes I double checked my item quantities by hand  (scrolling up from 1) to make sure I have the right numbers.
Elixir ×1 (any any)
8f
Lemonade ×26
X Accuracy ×156
Carbos ×218
Pokeball ×119
Fresh Water ×201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Azarokkusu on February 28, 2016, 08:41:50 pm
   This gave me everything I needed to make my team have maxed out DVs and stat exp, side-effectless! Thanks!

   I did this with the first boxed pokémon in your current box (of course, since you can't have any pokémon you want in your party)

   Item 1: any item (any quantity)
   Item 2: 8F
   Item 3: lemonade x 255
   Item 4: X accuracy x 178
   Item 5: Carbos x 218
   Item 6: pokeball x 119
   Item 7: fresh water x 201

   Then, use 8F, then throw one X Accuracy. Repeat. 167 X Accuracies is the last value you'll need for the last stat exp value (I believe 165 and 166 are regular exp, but if you set the exp value controlled by the two too high it will glitch out somewhat (it rolls over into negatives, as far as I can tell), so not recommended.)

   This corresponds with 01FFB2DA for 178 X accuracies, 01FFB1DA for 177 and so on.

   01FFB2DA sets speed and special DVs to F (178 x X Special)
   01FFB1DA sets attack and defence DVs to F (177 x X Special)
   HP DV is based on the other DVs (Can't remember the exact details)

   01FFB0DA and 01FFAFDA affect special stat exp  (176 and 175 x X Special)
   01FFAEDA and 01FFADDA affect speed stat exp (174 and 173 x X Special)
   01FFACDA and 01FFABDA affect defense stat exp (172 and 171 x X Special)
   01FFAADA and 01FFA9DA affect attack stat exp (170 and 169 x X Special)
   01FFA8DA and 01FFA7DA affect hp stat exp (168 and 167 x X Special)

Additionally you can teach a pokemon in the first slot of your current box any move:

Item 1: any item (any quantity)
Item 2: 8F
Item 3: Lemonade, quantity equal to move ID of what move you want to teach
Item 4: X Accuracy, quantity 161 for fourth slot, 160 for third slot, 159 for second slot or 158 for first slot
Item 5: Carbos, quantity 218
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

obviously you can use different item values for different box slots, but I find using the first slot in your current box is easy to keep track of.

( Gameshark codes from https://www.ocf.berkeley.edu/~jdonald/pokemon/pokemonrbycodes.txt )
(Big list of all hex values is here: http://glitchcity.info/biglist.htm )
video of the DV and stat exp changing here:  https://www.youtube.com/watch?v=CgsSjsJogTw
video of the move teaching trick here: https://www.youtube.com/watch?v=qcU3tD_IpTQ
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 29, 2016, 02:36:50 am
Using this code but it isn't doing anything, it just exits the menu. I am trying to change current/active Box pokemon 1 type 2 into dragon. Maybe the type doesn't visibly change but I think it does/should. And yes I double checked my item quantities by hand  (scrolling up from 1) to make sure I have the right numbers.
Elixir ×1 (any any)
8f
Lemonade ×26
X Accuracy ×156
Pokeball ×119
Fresh Water ×201
Carbos ×218

$DA9C is the address you want to change in english or american R/B games, and I'm also pretty sure 1A is Dragon-type so yes, your items seem to be correct, although Carbos must be after X Accuracy and before Poké Ball. Check this first, then if it's not the problem, it probably comes from your Pokémon bootstrap setup. Can you tell us more about it? You didn't do the HP/PP Up mistake, right?  ;D

Nice job, Azarokkusu. Might be useful  ;) indeed guys, remember what Crystal_ explained us (http://forums.glitchcity.info/index.php/topic,6638.msg199257.html#msg199257) about giving your Pokémon high stats :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Azarokkusu on February 29, 2016, 02:59:57 am
I feel like just doing more with these gameshark codes. That "CHANGE ANY BYTE IN RAM TO ANYTHING" bit of code Wack0 posted (back on page 2) is amazingly useful. As someone who never actually had a gameshark, it's fun being able to mess with these codes without actually having a gameshark!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Overheat on February 29, 2016, 03:24:04 am
Is this confirmed to work on the VC release? I cannot seem to get the codes to max DVs of the first pokemon in the active box to work, but the game does not crash when I use 8F, it just appears to have no effect.

Thank you.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 29, 2016, 05:36:21 am
I actually do have Carbos before the Poké Ball; I made a mistake in my post and didn't catch it. My bootstrap is
Onix
Pidgey 24 pp 2nd move 0 pp up 21 pp 3rd move 1 pp up
Tentacool
Meowth 36 pp 1st move 0 pp up 24 pp 2nd move 0 pp up 20 pp 3rd move 0 pp up
Hitmonlee double team, double kick, strength in that order
Zapdos 233 attack
I have successfully used other codes with this setup before without healing them after getting the right pp.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SunbroTmac on February 29, 2016, 09:08:51 am
Is this confirmed to work on the VC release? I cannot seem to get the codes to max DVs of the first pokemon in the active box to work, but the game does not crash when I use 8F, it just appears to have no effect.

Thank you.

I can confirm that all of these should theoretically work on the VC release the same way as on cart or another emulator. I have 8F on my 3DS Blue and have successfully used the "change 2nd item" code. The changes made to the VC version do not appear to have made ANY glitches inaccessible as far as we know. I'm going to be trying to get max DVs later today as well so I'll PM you about it if you'd like.

EDIT: I just successfully obtained a max DV/Stat exp Snorlax on my VC Blue. Be sure to start at the X accuracy number listed in the main code and decrease by 1 each time you use 8F until you reach 167 so you max out all the stats. If that and your bootstrap team are intact, I'm not sure what else could be an issue.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 29, 2016, 09:51:44 am
I actually do have Carbos before the Poké Ball; I made a mistake and didn't catch it. My bootstrap is
Onix
Pidgey 24 pp 2nd move 0 pp up 21 pp 3rd move 1 pp up
Tentacool
Meowth 36 pp 1st move 0 pp up 24 pp 2nd move 0 pp up 20 pp 3rd move 0 pp up
Hitmonlee double team, double kick, strength in that order
Zapdos 233 attack
I have successfully used other codes with this setup before without healing them after getting the right pp.

Seems to be correct also. I'll try today on my own game to change a Pokémon's type and I'll tell you if I succeed.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 29, 2016, 12:34:40 pm
Your code works perfectly, as you can see if you watch things happen with a Memory Viewer. Your Pokémon now IS a Dragon-Type Pokémon. But yes indeed, the type text in the profile of your Pokémon isn't changed. Why? I don't know, maybe the game displays the type that matches with the species byte, no matter what the type actually is.

But you now for sure have a Fire/Dragon Charizard!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 29, 2016, 01:48:12 pm
I'll test against some electric types at the power plant and will make an edit if it worked. EDIT: It did succeed!!! Proof video (Potato Cam Quality sorry) https://www.youtube.com/watch?v=2XfrKW1EdgI&
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on February 29, 2016, 02:41:53 pm
Nice!  ;D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Overheat on February 29, 2016, 05:28:05 pm
Is this confirmed to work on the VC release? I cannot seem to get the codes to max DVs of the first pokemon in the active box to work, but the game does not crash when I use 8F, it just appears to have no effect.

Thank you.

I can confirm that all of these should theoretically work on the VC release the same way as on cart or another emulator. I have 8F on my 3DS Blue and have successfully used the "change 2nd item" code. The changes made to the VC version do not appear to have made ANY glitches inaccessible as far as we know. I'm going to be trying to get max DVs later today as well so I'll PM you about it if you'd like.

EDIT: I just successfully obtained a max DV/Stat exp Snorlax on my VC Blue. Be sure to start at the X accuracy number listed in the main code and decrease by 1 each time you use 8F until you reach 167 so you max out all the stats. If that and your bootstrap team are intact, I'm not sure what else could be an issue.

Sorry for the noobish questions. I am away from my game now, but the bootstrap with 233 HP Pidgey, Onix, Kanga, Parasect, and Tentacool (in whatever order listed upthread) would work on VC Red?

I did decrement X-Acc in between 8F uses, but I cannot get a single variable to change.

Thank you for your help!



EDIT:

I got it to work. It turns out my glitched character reading abilities suck and I had 10 too few Carbos.

Thank you.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Azarokkusu on March 01, 2016, 03:13:47 am
Yeah, that's why I usually save, then throw out the item enough times that I should have exactly 99 (throw out 79 x X accuracy for example, to get from 178 to 99) then if the numbers check out I'm right, and I can just reset and reload my save to be back to the right amount. Of course if you get it wrong, you have to do more messing around with duping, or use another setup to set the item amount to what you want, which is a pain either way, but it's good to have a way to make sure you have the right amounts.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: rortik on March 01, 2016, 04:45:33 pm
I've encountered an error while trying to recreate Chickasaurus's Twinleaf Town in R/B glitch.

I've followed the pastebin (http://pastebin.com/UarVudWr) and successfully gotten the first program down, so walking into Pallet displays Twinleaf town. However, I can't get the second program (warps, sign) to work. I've tried it twice on the 3DS version of the game (where I executed the first program flawlessly) and once on an emulator. When I finish the program, then switch TM10 with TM34 and use 8F, going to Pallet crashes the game (this step is not listed in the Pastebin, but is done in the video). When I don't swap them/use 8F, going into Pallet does nothing.

Anyone know what I could be doing wrong?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: GeneraLight on March 03, 2016, 10:14:40 am
Is it possible to change my Trainer ID to 65535 using 8F? What is the code for that? Can you go above 66535 using 8F? Any side effects, like not being able to nickname your Pokemon? I'm looking for a method to get a TID of 65535, preferably before I get my starter.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 03, 2016, 11:22:54 am
Hi GeneraLight,

Trainer ID is encoded by RAM addresses $D359 and $D35A in US/UK games. Every RAM address has a hexadecimal value ranging from 00 to FF. Since we have two addresses, the value for trainer ID can be anything from 0000 to FFFF.

If you don't know how to convert hexadecimal to decimal, note that Windows' Calculator can do that for you. hex:FFFF is dec:65535, so yes, that's the maximal value for a Trainer ID, and since it's as simple as changing WRAM values, you can do that with 8F using Wack0's Change any byte code (http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609) for example. If you prefer I tried to explain the procedure with colors here (http://forums.glitchcity.info/index.php/topic,6638.msg199419.html#msg199419)  ;D

If Trainer ID was read as BCD (basically meaning hex:99 would mean dec:99 and not dec:153) like it is the case for Money or Casino Chips, it would be possible to go above the maximum under certain conditions, but you can't do that in this case.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 03, 2016, 02:10:15 pm
While Wack0's Change any byte code is extremely useful how do I learn to make codes like the ones TheZZAZZGlitch made in the OP post like the catch em all or walk through walls scripts or of course the time he made pong?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 04, 2016, 04:31:32 am
What the 8F item basically does is read the hex values from the RAM addresses controlling your party as assembler code. The party we use then serves as bootstrap code which redirects the reading of hex values as code to the RAM section controlling the item menu (specifically from item 3 onwards).

So what you need to know is:
- What every single assembler opcode does
- Which assembler opcode is called by which item/quantity

Well I'm definitely not an expert in assembler, but I know enough to do things  ;D

First, you need to see in this RAM Map (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Items) that item 3's value is address $D322 and the following addresses control one item, then its quantity, then the following item, then its quantity, etc. So the first opcode called here will be according to the hex value of item 3, then the second opcode will match the hexadecimal conversion on the quantity of item 3, then the third opcode will be related to the hex value of item 4, and so on.

You can find the hex value of each item in GCL's Big List (http://glitchcity.info/biglist.htm). Therefore, the following inventory:
- Poké Ball x1
- 8F
- Master Ball x35
- Carbos x47
- Fresh Water x7

Will give the following hex sequence once 8F is used: 01 23 1D 2F 2E 07.

Now this page (http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html) will tell you which opcode matches which hex value. So you can build your item menu according to the opcodes you'd like to call. Here are the basics:
- LD D,d8 means that the following hex value shall become the value of the variable D. This 'second value' does not give any opcode, then, you will skip to the third one.
- Inc D would mean that the value of D is increased by 1.
- Dec D would decrease it by 1.
- LD D,H would change the value of D for the value of H.
- LD D,(HL) consults the RAM address $HL, takes its current value and assigns it as the value of D.
- LD (HL),A changes the value of address $HL to the value of variable A.
- jp HL jumps the code-reading to address $HL (this is what the party bootstrap does)
- ret stops the reading activity.

Sometimes to get easy items, you need to add placeholder codes that will not do anything.
Let's take Wack0's code as an example.

Item 3: Lemonade, quantity dec:xx
Item 4: X Accuracy, quantity dec:yy
Item 5: Carbos, quantity dec:zz
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

Gives the following code:
D322: 3E xx         ld a, xx => a becomes the hex conversion of Lemonade's quantity
D324: 2E yy         ld l, yy => l becomes the hex conversion of X Accuracy's quantity
D326: 26 zz         ld h, zz => h becomes the hex conversion of Carbos' quantity
D328: 04            inc b => b is increased (typical placeholder since we're not using b here)
D329: 77            ld (hl), a => The value of address $HL (currently $ZZYY, h being the high byte) is now a => $ZZYY gets the value XX which is exactly what you wanted!
D32A: 3C            inc a => a is increased (typical placeholder since the code is finished)
D32B: C9            ret => end

Note that ISSOtm developed a cool thing (http://prama-initiative.com/8F/) in which you choose your opcodes and it gives you the items. But it's in French.

About the way TheZZAZZGlitch did his Pong, it's a specific code that allows you to create a 254-byte program. Once active, you can write an opcode by using 8F in specific spots, as illustrated by this image done by Torchickens (http://www.prama-initiative.com/RBJ/8F4.png).

In Torchickens' videos where he uses this to do things like recreating Twinleaf town, I think there's a pastebin with the code and the instructions to use it.

Have fun!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 04, 2016, 11:20:51 am
This is great but how exactly do I figure out what the opcodes do? For a code I want to make I would want to change the text of NPCs and what they do, e.g. give me a Pokemon or enter a battle like when you talk to the Elite Four? This seems like really good information, I just don't understand it. I am running on 3DS VC/Cartridge so I don't have access to a memory editor (might change that soon).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 04, 2016, 12:16:49 pm
I gave you the function of classical basic opcodes that I know and use to do very simple things; What you are asking for is way beyond my knowledge and capacities regarding GBZ80 assembler. You could use such opcodes to jump to addresses (like the ones involved in NPC's texts and scripts) to modify them, but I don't know what those addresses are. There's a disassembly (https://github.com/pret/pokered) that might help you, otherwise you should contact people like TheZZAZZGlitch, Torchickens, Hacky etc. because they are the top bosses of that kind of things :p
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on March 05, 2016, 05:59:45 am
This is great but how exactly do I figure out what the opcodes do? For a code I want to make I would want to change the text of NPCs and what they do, e.g. give me a Pokemon or enter a battle like when you talk to the Elite Four? This seems like really good information, I just don't understand it. I am running on 3DS VC/Cartridge so I don't have access to a memory editor (might change that soon).

If you want to figure out what some opcodes do, this page should help: http://z80-heaven.wikidot.com/opcode-reference-chart (please note that the full Z80 has some additional/changed opcodes to what the GB's CPU has, but it should be enough to help anyway)

And if you want to see what some NPCs do, you should be able to check out the pokered disassembly (https://github.com/pret/pokered).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on March 06, 2016, 12:50:07 pm
This is great but how exactly do I figure out what the opcodes do? For a code I want to make I would want to change the text of NPCs and what they do, e.g. give me a Pokemon or enter a battle like when you talk to the Elite Four? This seems like really good information, I just don't understand it. I am running on 3DS VC/Cartridge so I don't have access to a memory editor (might change that soon).

If you want to figure out what some opcodes do, this page should help: http://z80-heaven.wikidot.com/opcode-reference-chart (please note that the full Z80 has some additional/changed opcodes to what the GB's CPU has, but it should be enough to help anyway)

And if you want to see what some NPCs do, you should be able to check out the pokered disassembly (https://github.com/pret/pokered).

I think this is better: http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: andr2535 on March 06, 2016, 06:23:23 pm
Hi, I wanted to ask a question that confuses me a bit.

I was trying to use Pigdevil2010's bootstrapping code for w sm (http://forums.glitchcity.info/index.php/topic,6638.msg198107.html#msg198107),
but my game seems to freeze when I use that bootstrapping code.

So I tried to find the cause of it using the bgb debugger, and it seems like the place where it is supposed to go to DA97, it goes to DA98 instead.
I fixed that by switching Nidoqueen with Nidoran(female).

Does this bootstrapping setup work for anyone(unaltered), or is there some mysterious bug on my end? :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 06, 2016, 08:23:12 pm
It could have just been a mistake on his part. Or maybe it was you IDK.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 07, 2016, 12:01:45 pm
Didn't we have another guy who had trouble with this setup previously? The G-Meister maybe?

I don't use this one but Torchickens' optimized setup for non-english games (which Haxel slightly modified again I believe) so I don't know but I'll double-check the code manually asap to see if it's a proper bootstrap :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: FroggestSpirit on March 09, 2016, 03:33:36 pm
Has anyone made a better bootstrap code using something like wack0's gameshark code?
I was able to have a JP D53B stored as the last 3 bytes of my trainer's name (this only works if your name is short enough)
The only downside is that I had my 6th pokemon turn into ID F9, so when I arranged my party like:
6 pokemon:
anything
tentacool
ID F9 pokemon
anything
anything
anything

it works well, taking you to the first item in the PC, however it messes up battle sprites due to the missingno
Edit:also irrelevant, but I did this on the VC re-release
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 10, 2016, 01:25:51 am
In R/B games, there is luckytyphlosion's compact setup: http://forums.glitchcity.info/index.php?topic=6638.msg198585#msg198585

Also there is a glitch Pokémon setup that only uses 3 Pokémon (but you can have up to 5), I don't remember who did it:
h Poké (hex:C3)
Graveler
M p u (hex:D3)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: darksarcasm on March 10, 2016, 11:55:08 am
If I have my party Pokemon arranged correctly for the 8F execution to the third item in my bag (Pidgey, Parasect, Onix, Tentacool, Kangaskhan), am I correct in assuming the sixth slot Pokemon does not matter? By the same token, is the C9 Hex code a stop function, and therefore items below this item won't affect the code? I've noticed that most if not all the example codes in this post end with an item that is multiplied by 201.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 10, 2016, 12:41:10 pm
C9 (item TM01 or anything x201) is a ret instruction which ends your code. So yes, any item afterwards does not matter.

However, it is very different for the setup, as the bootstrap code starts with the value of address $D163 (number of Pokémon). Having 5 Pokémon calls for a placeholder, useless function, but having 6 Pokémon instead of 5 calls for an assign function which also uses the following hex value, 'skipping' it from code reading, and therefore breaking your code.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: darksarcasm on March 10, 2016, 06:37:26 pm
C9 (item TM01 or anything x201) is a ret instruction which ends your code. So yes, any item afterwards does not matter.

However, it is very different for the setup, as the bootstrap code starts with the value of address $D163 (number of Pokémon). Having 5 Pokémon calls for a placeholder, useless function, but having 6 Pokémon instead of 5 calls for an assign function which also uses the following hex value, 'skipping' it from code reading, and therefore breaking your code.

Right, forgot that # of Pokemon in the party has a RAM address.

I really should learn assembly so I could write my own code and to easier understand the game.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 11, 2016, 01:05:57 am
Yep, you don't need to be a super assembler expert to write some nice codes. Understanding a few opcodes is enough! You can also ask if you don't get how to use one. If you have an emulated game, you can also fearlessly try a few things and see how it reacts  :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Glisp on March 11, 2016, 08:52:17 pm
By 255 of one item, what do you mean? The limit is 99 so do I just make multiple stacks, use the Missingno 128 item glitch or what?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 12, 2016, 02:54:07 am
To get x255 of one item, either:
- use MissingNo.'s duplication (capture it or encounter it twice, tossing two items)
- use Glitch City RAM Manipulation to overflow the PC and withdraw any x255 item
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Glisp on March 12, 2016, 12:07:28 pm
Thank you so much
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 14, 2016, 08:18:11 pm
___________________________________
Walk through walls (no ledge needed):

3E 01 EA 38 CD C9

Code:
ld a, 01
ld (CD38), a
ret

Lemonade x1
TM34 x56
TM05 x201

How would you translate this to Red and Blue using 8F instead of ws m?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 15, 2016, 01:37:25 am
You don't need to. Address $CD38 is in a RAM section that doesn't change between any international R/B and Y.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 15, 2016, 07:09:59 am
It wasn't working for me earlier because I failed at counting glitch symbols and I had 211 instead of 201.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 15, 2016, 04:53:08 pm
Btw, here is a code (should work on all R/B, and I think it also worked with Yellow although I didn't test it) that allows toggling NoClip. Note that activating NoClip by conventional means then using this code won't deactivate NoClip. (Oh well, just enter a building / save&reset and it's okay)
Code:
X Accuracy x56
Carbos x205
Poké Ball x126 ; Super Balls also work.
Leaf Stone x119
TM01 x(any qty)

corresponding code :
ld l, #$38
ld h, #$CD
inc b ; or dec b. Whatevs.
ld a, [hl]
cpl
ld [hl], a
ret
Usually, $CD38 is zero, so this code puts #$FF into it, thus activating NoClip.
But triggering NoClip using the Safari Zone puts #$01, so when cpl'ed (xor #$FF) it gives #$FE, which is still nonzero.
Using the Pewter City Youngster to disable collision puts a non-FF value in $CD38, so it's the same deal.

I already posted that in another topic (here (http://forums.glitchcity.info/index.php/topic,7436.msg199958.html#msg199958)), but I figured it would be nice to put it here too, maybe to add it to the first post's code list?
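To check an item list on paper before using 8F, here is an added Python script (my own example, not code from this thread, from Wack0, ISSOtm or the pokered project). It assembles an item list from item 3 onward into the bytes 8F executes, disassembles the handful of opcodes Krys3000 walked through above, and simulates them against a dictionary standing in for WRAM, so Wack0's "change any byte" layout and ISSOtm's NoClip toggle can be replayed without a memory viewer. The item IDs in the table are the ones the thread's own listings imply (Lemonade = 3E, X Accuracy = 2E, Carbos = 26, Poké Ball = 04, Fresh Water = 3C, Leaf Stone = 2F, TM01 = C9); the Gameshark conversion assumes the usual 01VVLLHH form (write VV to $HHLL) of the codes quoted earlier in the thread; every memory value is constructed, not dumped from a game. The disassembler also shows Krys3000's point about the party count byte: 05 is a harmless dec b, while 06 is ld b,d8 and swallows the byte after it.

```python
# Assemble an 8F item list into GBZ80 bytes, disassemble it, and simulate it.
# Added example (not the thread's or pokered's code); only the opcodes the thread uses are modelled.

# Item IDs the thread's own listings imply (constructed table, not exhaustive).
ITEM_ID = {"Poke Ball": 0x04, "Carbos": 0x26, "X Accuracy": 0x2E, "Leaf Stone": 0x2F,
           "Fresh Water": 0x3C, "Lemonade": 0x3E, "TM01": 0xC9}

# Opcode tables (values as on the Pastraiser chart linked above).
LD_IMM = {0x06: "b", 0x26: "h", 0x2E: "l", 0x3E: "a"}  # ld r,d8 also eats the next byte
INC = {0x04: "b", 0x24: "h", 0x2C: "l", 0x3C: "a"}
DEC = {0x05: "b", 0x25: "h", 0x2D: "l", 0x3D: "a"}
SIMPLE = {0x00: "nop", 0x2F: "cpl", 0x77: "ld (hl),a", 0x7E: "ld a,(hl)", 0xC9: "ret"}

def items_to_bytes(items):
    """(name, quantity) pairs from item 3 onward -> the bytes 8F will execute."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name} x{qty}: a bag quantity must be 1..255")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def gameshark_to_items(code):
    """Gameshark '01VVLLHH' (write VV to $HHLL) -> Wack0's five-item layout."""
    code = code.upper()
    if len(code) != 8 or not code.startswith("01"):
        raise ValueError("expected an 8-digit Gameshark RAM-write code starting with 01")
    value, low, high = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [("Lemonade", value), ("X Accuracy", low), ("Carbos", high),
            ("Poke Ball", 119), ("Fresh Water", 201)]

def disassemble(code):
    """Bytes -> mnemonics, stopping at the first ret (later items never run)."""
    lines, pc = [], 0
    while pc < len(code):
        op, pc = code[pc], pc + 1
        if op in LD_IMM:
            operand = f"${code[pc]:02X}" if pc < len(code) else "?? (list too short)"
            lines.append(f"ld {LD_IMM[op]},{operand}")
            pc += 1
        elif op in INC:
            lines.append(f"inc {INC[op]}")
        elif op in DEC:
            lines.append(f"dec {DEC[op]}")
        elif op in SIMPLE:
            lines.append(SIMPLE[op])
            if op == 0xC9:
                break
        else:
            lines.append(f"db ${op:02X} ; not in this example's table")
    return lines

def run(code, mem):
    """Execute `code` against `mem` (dict addr -> byte); return the registers at ret.
    Anything outside the tables raises instead of guessing."""
    r, pc = {"a": 0, "b": 0, "h": 0, "l": 0}, 0
    while pc < len(code):
        op, pc = code[pc], pc + 1
        if op in LD_IMM:
            if pc >= len(code):
                raise ValueError("ld r,d8 at the end of the list has no operand")
            r[LD_IMM[op]], pc = code[pc], pc + 1
        elif op in INC:
            r[INC[op]] = (r[INC[op]] + 1) & 0xFF
        elif op in DEC:
            r[DEC[op]] = (r[DEC[op]] - 1) & 0xFF
        elif op == 0x77:                                 # ld (hl),a
            mem[(r["h"] << 8) | r["l"]] = r["a"]
        elif op == 0x7E:                                 # ld a,(hl)
            r["a"] = mem.get((r["h"] << 8) | r["l"], 0)
        elif op == 0x2F:                                 # cpl: a ^= $FF
            r["a"] ^= 0xFF
        elif op == 0xC9:                                 # ret
            return r
        elif op != 0x00:                                 # nop falls through
            raise ValueError(f"opcode ${op:02X} at item-list byte {pc - 1} is not modelled")
    raise ValueError("no ret reached: execution would run on past the item list")

def change_byte(addr, value, mem):
    """Wack0's 'change any byte' code, built from its Gameshark form, run on `mem`."""
    code = f"01{value:02X}{addr & 0xFF:02X}{addr >> 8:02X}"
    run(items_to_bytes(gameshark_to_items(code)), mem)
    return mem[addr]

# ISSOtm's NoClip toggle as listed above (TM01's quantity sits after the ret).
NOCLIP_TOGGLE = [("X Accuracy", 56), ("Carbos", 205), ("Poke Ball", 126),
                 ("Leaf Stone", 119), ("TM01", 1)]

def toggle_noclip(current):
    """Run the toggle with $CD38 initially `current`; return the new value."""
    mem = {0xCD38: current}
    run(items_to_bytes(NOCLIP_TOGGLE), mem)
    return mem[0xCD38]

if __name__ == "__main__":
    print("\n".join(disassemble(items_to_bytes(gameshark_to_items("011A9CDA")))))
    print(f"$DA9C -> {change_byte(0xDA9C, 0x1A, {}):02X}")   # Krys3000's Dragon-type write
    print(f"$CD38: 00 -> {toggle_noclip(0):02X}, 01 -> {toggle_noclip(1):02X}")
```

Because the simulator only knows the opcodes used in this thread, a miscounted quantity shows up as an unknown opcode, a missing ret, or a write to the wrong address (ten Carbos too few turns $DA9C into $D09C) instead of a frozen game; that is the check worth running before using 8F on a cartridge, where there is no debugger to fall back on.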
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 22, 2016, 01:55:09 pm
Ok so I bought Yellow to screw around with some of its glitches and glitch Pokemon. I got ws m and it's not working for me at all. Using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code the map reloads and I get stuck in a box where I can't move forever.
Pokemon in box 1 (also current box)
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

items
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 23, 2016, 05:58:46 am
I never used that setup, can't understand how it works and I keep hearing people having trouble with it. Maybe some expert could do some troubleshooting on this. Anyway I would recommend this easier 10-Pokémon setup instead:

Tangela with 233 HP (actual)
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokémon

Your item code is alright so it should work.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 23, 2016, 12:24:52 pm
by actual HP do you mean max or current?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 23, 2016, 02:56:18 pm
Current. Max HP does not matter.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on March 23, 2016, 02:57:57 pm
Thanks. Its working great now!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 26, 2016, 10:03:46 am
Ok so I bought Yellow to screw around with some of its glitches and glitch Pokemon. I got ws m and it's not working for me at all. Using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code the map reloads and I get stuck in a box where I can't move forever.
Pokemon in box 1 (also current box)
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

items
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201


Hello all,

I was just looking into that ws m bootstrap. Seems to me like the problem is Nidoqueen.

According to pigdevil2010 ASM here: http://forums.glitchcity.info/index.php/topic,6638.msg198107#msg198107

the command regarding Tentacool and Nidoqueen is:
$DA86 <- 18 10 || jr DA97 ; pc = DA97

I am pretty sure this actually jumps to $DA98, which in Yellow would be Seel's LVL instead of current HP. Changing Nidoqueen with Nidoran (female) should fix this, though I have not tested this. (I'm also very new at all this, so if I'm horribly wrong... sorry  :P)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 27, 2016, 04:14:22 am
8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink of all this.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 27, 2016, 06:42:25 am
8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink of all this.

How does that work? I was under the impression that the Yellow addresses were the Red/Blue ones -1. Doesn't that make Seel's index number $DA95?
Also, looking at relative jumps in other bootstraps they all seem to jump 1 address further than the value given. So it was my idea that a relative jump takes the value in the following address, jumps it and picks up from 1 address further.

like this:
$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA97 <- end of jump
$DA98 <- continues reading

Am I missing something?   );
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 27, 2016, 07:03:08 am
I am not such an assembler expert, you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,

Quote
How does that work? I was under the impression that the yellow adresses were the red/blue ones

Yes they are decreased by 1 in some RAM sections, such as this one. For most addresses you might change using 8F:
- if US Red/Blue = 0
- then US Yellow = -1
- European R/B = +5
- And European Y = +4
So here, Stored Pokémon 8 ($DA88) is $DA87 in Yellow.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 27, 2016, 07:54:01 am
Skeef, you are right, as most of (but not all, an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware, as this only means absolute jumps (jp, call) have to be changed, relative jumps (jr) should not change.

Take it like this:
jr $#XX means that the execution skips #XX bytes counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9
Code:
jr $02
.db $C0, $DE
ret
the "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89"
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

In another way: remember jr $00 does nothing, i.e. it jumps right after itself.
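To see where a jr lands without a debugger, here is an added Python snippet (my own example, not ISSOtm's code or anything else posted in this thread) implementing the rule ISSOtm states: the jump is counted from the byte after the two-byte instruction, with the operand read as a signed byte. It replays his 18 02 C0 DE C9 example at $DA86, the same bytes shifted down by one as Yellow's RAM layout would place them (the jr byte needs no change, unlike an absolute jp), and the Tentacool/Nidoqueen 18 10 case from pigdevil2010's bootstrap; the bytes placed at $DA98 and $DA99 in that last case are constructed stand-ins, not real party data.

```python
# Where a GBZ80 'jr' lands. Added example for ISSOtm's explanation above;
# not code from this thread. Byte layouts are constructed to match the thread's
# examples, not dumped from a game.

def jr_target(jr_addr, operand):
    """'jr operand' located at jr_addr continues at: the byte after the two-byte
    instruction, plus the operand read as a signed 8-bit offset."""
    if not 0 <= operand <= 0xFF:
        raise ValueError("the jr operand is a single byte")
    offset = operand - 0x100 if operand >= 0x80 else operand
    return (jr_addr + 2 + offset) & 0xFFFF

def trace(mem, start, limit=64):
    """Follow jr/nop from `start` until a ret; return the addresses executed.
    `mem` is a dict addr -> byte; unmapped addresses read as $00 (nop) here."""
    pc, path = start, []
    while len(path) < limit:
        op = mem.get(pc, 0x00)
        path.append(pc)
        if op == 0xC9:            # ret
            return path
        if op == 0x18:            # jr d8
            pc = jr_target(pc, mem.get(pc + 1, 0x00))
        elif op == 0x00:          # nop
            pc += 1
        else:
            raise ValueError(f"opcode ${op:02X} at ${pc:04X} is outside this tracer")
    raise ValueError(f"no ret within {limit} steps (a jr $FE loops forever)")

def place(base, byte_list):
    """Lay a constructed byte list out at `base` as an address map."""
    return {base + i: b for i, b in enumerate(byte_list)}

# ISSOtm's example: 18 02 C0 DE C9 (jr skips the two db bytes and lands on ret).
ISSOTM_EXAMPLE = [0x18, 0x02, 0xC0, 0xDE, 0xC9]

def shifted_trace(base):
    """The same bytes laid at a different base: relative jumps need no edit."""
    return trace(place(base, ISSOTM_EXAMPLE), base)

def bootstrap_landing():
    """Tentacool (18) at $DA86, Nidoqueen (10) at $DA87: where does execution continue?
    $DA98 = 00 and a ret at $DA99 are constructed stand-ins for whatever is there."""
    mem = {**place(0xDA86, [0x18, 0x10]), 0xDA98: 0x00, 0xDA99: 0xC9}
    return trace(mem, 0xDA86)

if __name__ == "__main__":
    print([f"${a:04X}" for a in shifted_trace(0xDA86)])   # R/B layout: ret at $DA8A
    print([f"${a:04X}" for a in shifted_trace(0xDA85)])   # Yellow: everything -1, ret at $DA89
    print([f"${a:04X}" for a in bootstrap_landing()])     # lands at $DA98, not $DA97
```

The trace confirms both sides of the discussion: the jump from $DA86 with operand 10 lands at $DA98, and a 00 found there is just a nop before whatever follows, which is why moving the whole block by one byte (Yellow) changes nothing about the jr itself but does change what it lands on.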
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 27, 2016, 11:19:43 am
Skeef, you are right, as most of (but not all, an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware, as this only means absolute jumps (jp, call) have to be changed, relative jumps (jr) should not change.

Take it like this:
jr $#XX means that the execution skips #XX bytes counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9
Code:
jr $02
.db $C0, $DE
ret
the "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89"
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

In another way: remember jr $00 does nothing, i.e. it jumps right after itself.


I considered that it could work like that, but since the result is the same it didn't really matter.

I am not such an assembler expert, you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,

I'm not an expert either  :P Before the release of the VC games last month I didn't know any of this...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 27, 2016, 11:26:42 am
So here isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10) so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99 since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 27, 2016, 11:55:43 am
So here isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10) so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99 since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?

It's like this:

$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA88 <- start the jump
$DA98 <- continues reading
A bit different from what I originally posted, but the result is the same.

Also, you seem to be doing +1 on your Yellow addresses instead of -1
$DA97-$DA98 = current hp in red/blue. That means $DA96-$DA97 = current hp in yellow (right?)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 27, 2016, 11:57:47 am
If the Nidoqueen is located at $DA87, the jump should land at $DA98.
If $DA98 is $00, that doesn't matter, it's just a NOP (No OPeration) instruction. It wastes 4 processor cycles. Boo.
So the problem doesn't seem to be there, but it means that using the Pokémon with the following ID should also work.
Otherwise we are making a mistake somewhere ?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 27, 2016, 12:04:04 pm
Oh yeah, sure. So Skeef is right, the reading continues at $DA98 instead of $DA97. Therefore, Nidoran (female) should do the job.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: technocolor on March 28, 2016, 12:47:04 am
so I see 'homebrew' mentioned in the OP ( ͡° ͜ʖ ͡°)
I know the GB and 3DS are like completely different but you think it'd be possible? It'd probably have to involve 'breaking out' of the VC emulator in order to access SD card data. There's plenty of ways to crash the emulator already but I haven't seen anyone talk about really bringing this up.
Another thing I thought of along the same lines. Code execution via secret base in ORAS. Like having a QR code set up for a hacked secret base that will run code upon entering it. I'm no programmer though, so maybe I sound ludicrous. But it's been on my mind for a little bit recently and thought I'd ask.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 28, 2016, 06:07:57 am
Several glitchers from here are thinking about emulator escaping. That would be great yes, unfortunately I can't help  :(
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Alzerek on March 28, 2016, 11:23:28 pm
I'm relatively new to this whole arbitrary code execution thing but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitch's Pong in Pokemon Blue and Torchicken's rewriting of Pallet town to look like Twinleaf town. How reasonable would it be to apply those methods of writing arbitrary code in Pokemon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 29, 2016, 11:12:07 am
I'm relatively new to this whole arbitrary code execution thing but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitch's Pong in Pokemon Blue and Torchicken's rewriting of Pallet town to look like Twinleaf town. How reasonable would it be to apply those methods of writing arbitrary code in Pokemon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?

Most of the bootstraps posted here are of course focused on setting up 8F or WS M without using 8F or WS M to do so. But if you already have a working bootstrap, you could use that to make a more compact one if that's what you need. You can for instance change the EVs and IVs of one pokémon to do what you need them to do.

Something like this:
3 pokemon (2 might work too, but I don't really know what the BC register does so loading A into (bc) could do anything)
Tentacool - 9939 hp EV / 11809 Att EV / 59648 def EV
Pidgey
Any

Code:
; Initial hl = DA7F
$DA7F <- 03    || inc bc
$DA80 <- 18 24 || jr DAA6
$DAA6 <- 26 D3 || ld h, D3 ; h = D3
$DAA8 <- 2E 21 || ld l, 21 ; l = 21
$DAAA <- E9    || jp [hl] ; hl = D321

I hope that's correct and helpful ^.^
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Alzerek on March 29, 2016, 02:19:03 pm
Ah yes that's exactly what I was looking for! I did the basic "simple" setup with the 6 Slowpokes and 10 Geodudes but it didn't cross my mind to use ws m to make the pokémon for a smaller bootstrap. Thanks!

Edit: The only thing that's unclear to me at this point is rewriting those triggered events like the map pointer of Pallet Town in order to get the box code to execute.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on March 30, 2016, 07:26:40 am
Finally managed to test the ws m bootstraps. I can now confirm that Nidoran(female) instead of Nidoqueen works.
Also tested my 3 pokémon ws m bootstrap. Also works. :D

So that makes:

11 Pokémon in active box:
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoran (female) <--- instead of Nidoqueen
any
any
any

And a mini tutorial to make the Tentacool for the 3 pokémon bootstrap:

Having Tentacool as first pokémon in party needs these addresses changed to these values.
Address - Hex - Decimal
$D17B - 26 - (38)
$D17C - D3 - (211)
$D17D - 2E - (46)
$D17E - 21 - (33)
$D17F - E9 - (233)

Turned that into an item list based on Wack0's template (starting at $D17F):

ITEM LIST (starting from the first slot):
Ws m
Any
Lemonade x(233) <-- change this to match the numbers in the brackets for different addresses.
X Accuracy x127 (-1 each address)
Carbos x209
Pokéball x119
TM01 x any <-- for sale in Celadon dept. store
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on March 30, 2016, 12:58:16 pm
Nice job, Skeef! Maybe we can ask a wiki contributor to correct the mistake.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 05, 2016, 10:36:32 am
Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 06, 2016, 12:48:53 pm
I did something... This has interested me for some time now.

http://forums.glitchcity.info/index.php/topic=6638.msg196498#msg196498

First thing I thought when I read it was "Why not use the daycare as a bootstrap?" So that's what I tried ^.^
Since the daycare data is not set back to 0 when you take out a pokémon, my idea was to use 8F to make a pokémon I could put in and take back out instantly, loading its data into the addresses. But since the daycare has the nickname and OT of the pokémon first, this proved to be... difficult.
The next idea was maybe I could just use Wack0's code to insert the values into the addresses directly. This could work, but it kinda rules out using the daycare, since then you'd have to re-insert the data.
And then I realised I could combine the ideas! Instead of running a code made with items... run a code made with a pokémon! In other words, using 8F to make a pokémon which, when using 8F, inserts the data into the addresses! This fixes the first problem cuz we are not putting a pokemon directly into the daycare. And should you ever want to use the daycare again, after you are done you can simply take the pre-made pokémon out of the box and re-run 8F.
So here is what I worked out.

The pokémon list:
6 pokémon
any
Tentacool <- jumping powers!
Wigglytuff <- the actual pokémon
any
any
any

Wigglytuff specifications:
Move 2 - Roar (2E)
Move 3 - Leech Seed (49)
Move 4 - Double Edge (26)
Id: 55862 - (DA 36)
Xp: 2.501.686 - (26 2C 36)
HP EV: 54060 - (D3 2C)
Att EV: 13870 - (36 2E)
Def EV: 11318 - (2C 36)
Spd EV: 8748 - (22 2C)
Spec EV : 14057 - (36 E9)
Att, Def IVs: 12,9 - (C9)

Which translates to the following asm:
Code:
; Initial hl = D163
$D163 <- 06 xx || ld b XX
$D165 <- 18 65 || jr D1CC
$D1CC <- 2E 49 || ld l, 49 ; l=49
$D1CE <- 26 DA || ld h, DA ; h=DA
$D1D0 <- 36 26 || ld (hl), 26
$D1D2 <- 2C    || inc l ; l=4A
$D1D3 <- 36 D3 || ld (hl), D3
$D1D5 <- 2C    || inc l ; l=4B
$D1D6 <- 36 2E || ld (hl), 2E
$D1D8 <- 2C    || inc l ; l=4C
$D1D9 <- 36 22 || ld (hl), 22
$D1DB <- 2C    || inc l ; l=4D
$D1DC <- 36 E9 || ld (hl), E9
$D1DE <- C9    || ret

In other words, it loads the following values into the following addresses:
DA49 <- 26
DA4A <- D3
DA4B <- 2E
DA4C <- 22
DA4D <- E9

Now you may have noticed that -gm starts reading at $DA47, but I start putting in data at $DA49, 2 addresses later.
Here's the first 2:
$DA47 is Safari Balls, this gets set to 0 when you get the "PA: ding dong" but stays at whatever amount you've got left should you leave early.
$DA48 is daycare in use or not, this is 0 when there is no pokémon in the daycare.
In other words they do nothing. :D And there you have it. The -gm bootstrap is set up! Without needing any specific party or active box!

Code:
; Initial hl = DA47
$DA47 <- 00    || nop
$DA48 <- 00    || nop
$DA49 <- 26 D3 || ld h, D3 ; h=D3
$DA4B <- 2E 22 || ld l, 22 ; l=22
$DA4D <- E9    || jp [hl] ; hl = D322

Note: The daycare addresses used here are used to store the pokémon's name. But none of the values inserted correspond to an actual letter. I have no idea if that's safe or harmful for a save file. (I felt I needed to mention that  :P)
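To make the two listings in this post concrete, here is an added example that is not code from the thread or from any poster: a tiny interpreter for only the SM83 (Game Boy CPU) opcodes those listings use. It runs the Wigglytuff bytes from $D163 and then the freshly written daycare bytes from $DA47, with a dictionary standing in for WRAM. run_bootstrap, wigglytuff_party and run_two_stage are names I chose; the byte at $D164 (the "any" party slot) is an arbitrary constructed value, unmapped RAM is modelled as 0x00, and only the opcodes present in the listings are implemented (anything else raises, which is a useful way to spot a wrong byte):

```python
# Added example (not from the thread): a minimal interpreter for the handful of
# SM83 opcodes the bootstraps above use, driven against a dict modelling WRAM.

def to_signed8(byte):
    return byte - 0x100 if byte & 0x80 else byte

def run_bootstrap(mem, pc, max_steps=64):
    """Execute from pc until 'ret' or 'jp hl'.

    mem maps address -> byte; unmapped addresses read as 0x00 (a nop), which is
    exactly why the two zero bytes at $DA47/$DA48 are harmless.
    Returns (exit, value, writes): exit is "ret" or "jp hl", value is the hl
    target for "jp hl" (None for ret), writes lists (address, byte) stores.
    """
    h = l = b = c = 0
    writes = []
    read = lambda a: mem.get(a & 0xFFFF, 0x00)
    for _ in range(max_steps):
        op = read(pc)
        if op == 0x00:                     # nop
            pc += 1
        elif op == 0x03:                   # inc bc
            bc = (((b << 8) | c) + 1) & 0xFFFF
            b, c = bc >> 8, bc & 0xFF
            pc += 1
        elif op == 0x06:                   # ld b, n
            b = read(pc + 1); pc += 2
        elif op == 0x18:                   # jr e (relative to the next instruction)
            pc = (pc + 2 + to_signed8(read(pc + 1))) & 0xFFFF
        elif op == 0x26:                   # ld h, n
            h = read(pc + 1); pc += 2
        elif op == 0x2E:                   # ld l, n
            l = read(pc + 1); pc += 2
        elif op == 0x2C:                   # inc l (8-bit, never carries into h)
            l = (l + 1) & 0xFF; pc += 1
        elif op == 0x36:                   # ld (hl), n
            n = read(pc + 1)
            mem[(h << 8) | l] = n
            writes.append(((h << 8) | l, n))
            pc += 2
        elif op == 0xC9:                   # ret
            return "ret", None, writes
        elif op == 0xE9:                   # jp hl
            return "jp hl", (h << 8) | l, writes
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {pc:#06x} not modelled")
    raise RuntimeError("no ret / jp hl reached")

def wigglytuff_party():
    """Constructed WRAM snapshot of the 8F-side listing above: party count at
    $D163, an arbitrary species at $D164, Tentacool (0x18) at $D165,
    Wigglytuff (0x65) at $D166, and the 19 bytes of Wigglytuff data at $D1CC."""
    mem = {0xD163: 0x06, 0xD164: 0x99, 0xD165: 0x18, 0xD166: 0x65}  # 0x99 is arbitrary
    data = [0x2E, 0x49, 0x26, 0xDA, 0x36, 0x26, 0x2C, 0x36, 0xD3, 0x2C,
            0x36, 0x2E, 0x2C, 0x36, 0x22, 0x2C, 0x36, 0xE9, 0xC9]
    for i, byte in enumerate(data):
        mem[0xD1CC + i] = byte
    return mem

def run_two_stage():
    """Stage 1: 8F runs from $D163 and the Wigglytuff bytes write the -gm
    bootstrap into the daycare area. Stage 2: -gm runs from $DA47 through those
    bytes and ends in jp hl. Returns (exit1, writes, exit2, jump_target)."""
    mem = wigglytuff_party()
    mem[0xDA47] = 0x00   # Safari Balls left (0 outside the Safari Zone)
    mem[0xDA48] = 0x00   # daycare-in-use flag (0 = empty)
    exit1, _, writes = run_bootstrap(mem, 0xD163)
    exit2, target, _ = run_bootstrap(mem, 0xDA47)
    return exit1, writes, exit2, target

if __name__ == "__main__":
    exit1, writes, exit2, target = run_two_stage()
    print(exit1, [(f"{a:#06x}", f"{v:#04x}") for a, v in writes])
    print(exit2, f"{target:#06x}")   # jp hl 0xd322
```

The same interpreter runs Skeef's three-Pokémon ws m listing from the earlier post (03 at $DA7F, 18 24 at $DA80, then 26 D3 / 2E 21 / E9 at $DAA6) and ends in jp hl with hl = $D321.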
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 07, 2016, 12:50:11 am
Ever thought Tentacool could jump ? No ? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36 ?)

Also, have you tried to use the game's copying routine ?
It is called CopyData in Pokéred (http://github.com/pret/pokered), but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 09, 2016, 03:30:03 am
Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.

Approved!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 09, 2016, 10:29:09 am
Ever thought Tentacool could jump ? No ? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36 ?)

Also, have you tried to use the game's copying routine ?
It is called CopyData in Pokéred (http://github.com/pret/pokered), but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.

Hehe, you think the ID nr is a bit far-fetched? The xp puts it at lvl 146 :P

I have not considered using the copy routine. No idea what that is O.o

An easier way to set up would be to put the data into the daycare directly. If you don't use the daycare the values won't change. The Wigglytuff I made is just an easier way to set up the bootstrap again after using the daycare.
It's 19 bytes to make Wigglytuff, but only 5 bytes need to be set to do it directly. As an added bonus, on a cartridge the daycare values stay after starting a new game. Not sure if they do on VC tho.

Also, with both 8F and -gm, you can make one start reading at item 3 as usual and make the other go to the stored items on the PC. That way you can run a code you use often (say walk through walls or multiply items) from the computer, and run others from carried items.

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 10, 2016, 01:54:32 am
Uh, the copy routine is located somewhere in ROM bank 0 ; it copies a chunk of data from somewhere to elsewhere.
You have to call it like so :
ld hl, pointer_to_source
ld de, pointer_to_destination
ld bc, number_of_bytes_to_copy
call copy
(total : 12 bytes)

Still, I cannot find its ROM address.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on April 11, 2016, 03:05:12 pm
The rom address is 00b6
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 14, 2016, 09:59:10 am
Made a few random codes that I haven't seen on this thread.

Cloning via daycare:
8F
Any
X Accuracy x72
Carbos x218
Max Revive x01
TM01 x(any)

Put the pokémon to clone in the daycare, take it back out. And run the 8F code. The pokémon is now in the daycare again, ready to be taken out.
Code:
$D322 <- 2E 72 || ld l, 72
$D324 <- 26 DA || ld h, DA
$D326 <- 36 01 || ld (hl), 01
$D328 <- C9    || ret

ATT, DEF, SPD and SPEC IV's 10:
8F
Any
X Accuracy x135(134) <--- first 135, then 134.
Carbos x209
Max Revive x170
TM01 x(any)

This seems a bit random, but this IV spread makes it shiny in gen2 games. Not very useful atm unless you still play the cartridges. But if they release them on VC... :D
Code:
$D322 <- 2E 87(86) || ld l, 87(86)
$D324 <- 26 D1     || ld h, D1
$D326 <- 36 AA     || ld (hl), AA
$D328 <- C9        || ret

Turn Badges on/off
- 8F
- Any
- X Accuracy x86
- Carbos x211
- Max Revive x(XX) <- binary switches
- TM01 x(any)

Pretty straight forward. Just pick the badges you want (or don't want) and convert the byte to decimal to determine the Max Revive quantity.

Binary switches:
00000001 = boulder badge
00000010 = cascade badge
00000100 = thunder badge
00001000 = rainbow badge
00010000 = soul badge
00100000 = marsh badge
01000000 = volcano badge
10000000 = earth badge
Code:
$D322 <- 2E 56 || ld l, 56
$D324 <- 26 D3 || ld h, D3
$D326 <- 36 xx || ld (hl), xx
$D328 <- C9    || ret
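The three codes above all instantiate one template: ld l,lo / ld h,hi / ld (hl),value / ret, with the item IDs supplying the opcodes and the quantities supplying the operands. Here is an added Python helper (not one of Skeef's codes, nor anything from the wiki) that produces the quantities for any address and byte, packs the badge byte from the "binary switches" table, and lays the list out in memory to show why execution starts at slot 3 ($D322). The item IDs for X Accuracy (0x2E), Carbos (0x26), Max Revive (0x36), TM01 (0xC9) and 8F (0x5D) are the ones the listings in this thread imply; single_byte_write, badge_byte, bag_layout and code_bytes are my names; Potion (0x14) is an arbitrary filler for the "Any" slot; the yellow flag applies the 1-byte shift discussed earlier in the thread, which does not hold for every address:

```python
# Added example (not from the thread): item lists for the single-byte write
# template (ld l,lo ; ld h,hi ; ld (hl),value ; ret) plus the badge byte.

# The item's ID byte is the opcode the CPU executes.
ITEM_ID = {
    "8F": 0x5D,          # the glitch item itself (key item, shown as x1)
    "Potion": 0x14,      # arbitrary filler for the 'Any' slot (assumption)
    "X Accuracy": 0x2E,  # ld l, n
    "Carbos": 0x26,      # ld h, n
    "Max Revive": 0x36,  # ld (hl), n
    "TM01": 0xC9,        # ret
}

BADGE_BIT = {            # from the 'binary switches' table above
    "boulder": 0, "cascade": 1, "thunder": 2, "rainbow": 3,
    "soul": 4, "marsh": 5, "volcano": 6, "earth": 7,
}

def badge_byte(badges):
    """Pack a collection of badge names into the byte stored at $D356."""
    value = 0
    for name in badges:
        value |= 1 << BADGE_BIT[name.lower()]
    return value

def single_byte_write(address, value, yellow=False):
    """Item list [(name, quantity)] that writes `value` to `address`.

    yellow=True applies the 1-byte shift the thread describes (most Yellow
    addresses sit one below Red/Blue's; not every address follows this).
    None as a quantity means 'any'. Quantities are decimal, as the bag shows
    them; a quantity of 0 is a legal byte but awkward to obtain in game.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    if yellow:
        address -= 1
    if not 0 <= address <= 0xFFFF:
        raise ValueError("address must fit in 16 bits")
    lo, hi = address & 0xFF, address >> 8
    return [("8F", 1), ("Potion", None),
            ("X Accuracy", lo), ("Carbos", hi),
            ("Max Revive", value), ("TM01", None)]

def bag_layout(items, base=0xD31D):
    """Bytes as they sit in the Red/Blue bag: count at base, then (id, qty)
    pairs, then the 0xFF terminator. Slot 3's ID lands at base+5 = $D322,
    which is where every listing above starts."""
    mem = {base: len(items)}
    for i, (name, qty) in enumerate(items):
        mem[base + 1 + 2 * i] = ITEM_ID[name]
        mem[base + 2 + 2 * i] = 1 if qty is None else qty   # 'any' modelled as 1
    mem[base + 1 + 2 * len(items)] = 0xFF
    return mem

def code_bytes(items, start=0xD322, base=0xD31D):
    """The byte string the CPU sees from the bootstrap's jump target onward."""
    mem = bag_layout(items, base)
    return bytes(mem[a] for a in sorted(mem) if a >= start)

if __name__ == "__main__":
    wanted = badge_byte(["boulder", "cascade", "thunder", "rainbow"])
    for name, qty in single_byte_write(0xD356, wanted):
        print(f"{name} x{'any' if qty is None else qty}")
    print(code_bytes(single_byte_write(0xD356, wanted)).hex(" "))
```

Running it for the four Kanto badges in the example prints X Accuracy x86, Carbos x211 and Max Revive x15, and the byte view 2e 56 26 d3 36 0f c9 01 ff shows the ret at $D328 followed by the TM01's quantity and the list terminator, neither of which is reached.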
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: realsamusaran on April 22, 2016, 04:05:33 pm
I feel silly asking this, but just to clarify, it doesn't matter what you end your code with as long as it has a hex value of C9?

So every code can be ended with TM01 or any item x201?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on April 23, 2016, 03:32:21 am
Yes  ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: realsamusaran on April 23, 2016, 04:45:50 am
I feel silly asking this, but just to clarify, it doesn't matter what you end your code with as long as it has a hex value of C9?

So every code can be ended with TM01 or any item x201?
hm. I tried this, but the codes worked slightly different from how they worked before.

The item duplication code turned my 1 Nugget into 0 (256), and the code to change the item into a different item went -1 instead of +1.

The only thing I changed was swapping the Revive x201 or Full Heal x201 with a TM01. I was very careful, double-checking my bootstrap and the items in the code. I'm not sure what I must have done wrong. Is the Revive read as part of the code before the x201 tells it to end? I guess that was more what I meant to ask.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 23, 2016, 06:23:57 am
Yes, the Revive or Full Heal are both part of the code.

The duplication code basically decreases the amount of the second item by 2. So having 1 item - 2 rolls to 255. By replacing the Revive with TM01 the code only does -1, turning the second item to 00. (but you can still drop them so it's not that big a deal)

Not sure what happens with the code to change the second item tho. If you simply replaced Full Heal x201 with TM01 that code does nothing. If you replaced the Full Heal x201 with Revive x201 however it goes -1.

Either way, if you don't want to use 201 item quantity, you could do Revive/Full Heal x04 followed by TM01
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: realsamusaran on April 24, 2016, 06:10:59 am
Yes, that must have been what I did for the code to change the item's index. Oopsies. I should pay more attention.

So then if I understand you correctly, the relevant item x 04 followed by TM01 x any would be suitable for any code requiring x 201 of the item at the end?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on April 24, 2016, 07:42:07 am
Well, it's not that simple. The quantity of the 'relevant item' will be read as code. Skeef gave you the example of a quantity of x04, which is a very good example since 04 matches the opcode 'inc b'. Since you finished your code already and won't use b anymore (or never did), then it won't cause any harm.

However, your codes might be more complex than just a one-shot instruction. If you write a function which will, for example, increase something every time the code is activated, and that function uses the value of b for some reason, it will mess up your code, so you have to find another quantity for your final item - one that matches an opcode that cannot mess with your code.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 24, 2016, 11:55:15 am
Exactly. My 8F bootstrap code has 6 pokémon tho, so the first thing it does is ld b xx. Meaning b always resets when i use 8F.

I made a small adjustment to pigdevil2010's bootstrap to better fit my needs:
Any <--- woot!
Pidgey - 233 hp remaining
Parasect
Onix
Tentacool
Arbok

I can go out with my bootstrap and not mess up the opcodes when I catch a pokémon :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on April 24, 2016, 05:40:19 pm
Step 1. Do the Mew glitch with 195 special to catch h POKé
Step 2. Catch Onix
Step 3. Do the Remaining HP glitch with HP of 211 to get M p'u
Step 4. Faint them all
Step 5. Put them in this order: h POKé, Onix, M p'u
Step 6. Now you have three free slots with the same effect as 5!

Yes, this requires glitches, but 8F is a glitch too.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 25, 2016, 11:59:00 am
Why do you need to faint them? O.o
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on April 25, 2016, 02:44:33 pm
Why do you need to faint them? O.o

so you can use any pokemon you want
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 26, 2016, 09:57:22 am
Exactly. My 8F bootstrap code has 6 pokémon tho, so the first thing it does is ld b xx. Meaning b always resets when i use 8F.

I made a small adjustment to pigdevil2010's bootstrap to better fit my needs:
Any <--- woot!
Pidgey - 233 hp remaining
Parasect
Onix
Tentacool
Arbok

I can go out with my bootstrap and not mess up the opcodes when I catch a pokémon :D
I remember posting this one a while ago on PRAMA's forums... However, you just made me realize I never added it to the wiki page! Let's do this.
It won't show up right away tho, as it needs the approval of someone like Torchickens. My edits have to be approved by an "authorized user".
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 26, 2016, 12:04:04 pm
I also tried putting Pidgey in the 4th place, to see if I could use a pokémon that's not version exclusive instead of Arbok. But apparently relative jumps can only jump 128 bytes, making the 4th pokémon out of range  :(.

Also, the change to the ws m bootstrap is still not visible either. It still says Nidoqueen instead of Nidoran (female).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 26, 2016, 04:25:16 pm
Arbok is not version-exclusive. It can be caught easily using the Ditto Glitch (the bottommost Trainer in Route 14 does), check this (http://puu.sh/257S) out.
Cooltrainer may also help (I did make this setup on a Red cartridge, but without ever encountering an Abo or Arbok :P)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on April 27, 2016, 04:56:50 am
Implying you can actually perform the Ditto Trick or Cooltrainer Trick, which might not be the case.

Of course, you can still rely on Old Man/GC RAM Manipulation to get a MissingNo., but it's true that having a setup with no version-exclusive or glitch Pokémon is an improvement.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: realsamusaran on April 29, 2016, 05:27:14 am
Has anyone thought about making a comprehensive list of codes in a single post? My memory is not great and I've got a bit of a learning disability so I'm having trouble doing this on my own without writing down specific instructions others already made. It's a bit time-consuming to comb through 25 pages too.

Maybe a separate list for each one, like a ws m list and an 8F list, etc.

I might as well ask if anyone wants to be generous, has anyone made codes for changing Trainer ID numbers or names? both for the player character and for Pokémon. I want to change my ID number to 01996 in the English Pokémon Yellow with ws m, for when I transfer my Pokémon to Gen 7 from the virtual console.

Changing an owned Pokémon's catch rate would also be useful, if they give Gen 1 Pokémon held items based on that like they did in Gen 2. And being able to overwrite moves 2-4 without going into battle to swap with move 1 would be a time-saver. And I might want to change my Trainer's name too possibly, to RED or Red.

If anyone can help it would be very much appreciated, though only if you have the time and want to do it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on April 29, 2016, 10:19:24 am
If you want to change something in your game, just use the general single-address change code (http://forums.glitchcity.info/index.php/topic,7428.msg199720.html#msg199720). You don't need to remember anything since you have all the addresses you need in either the RAM Map (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map) or the Disassembly (https://github.com/pret/pokered/blob/941d2b9eb8a59b42ea71a08b34b25c06477cf36d/wram.asm).

If you don't get how to use this, ask for details  ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 29, 2016, 01:00:52 pm
Or use these instead.

Change id nr to 01996 on yellow(2 codes):
wsm
Any
X Accuracy   x89
Carbos      x211
Max Revive   x204
TM01      x(any)
-
wsm
Any
X Accuracy   x88
Carbos      x211
Max Revive   x07
TM01      x(any)

Note: Remember this does not change the ID of any pokémon already owned.
---

Changing moves of the first pokémon in party on Yellow:
wsm
Any
X Accuracy x 117/116/115 (move 4, 3 and 2 respectively)
Carbos x 209
Max Revive x Index nr of wanted move
TM01 x(any)

Note: The pokémon may need to have a move in the respective slot before it can be overwritten.
---

Change trainer name to the first pokémon's nickname on yellow:
wsm
Any
TM50      x180
TM10      x64
TM34      x87
TM09      x46
Carbos      x52
X Accuracy   x34
Full Heal   x201

Note1: Change the nickname of pokémon 1 to RED (or red) and press 8F exactly 4 times (or length of the pokémon's nickname +1).
Note2: This is TheZZAZZGlitch's code from red adapted for yellow. Credit to him.

I didn't do a code to change catch rate cuz I don't know if it's a good idea to change that and send them to another generation. Also, if you need the codes for Red/Blue for the ID nr and changing moves 2, 3, 4, all you need to do is +1 to X Accuracy. The code for changing the player's name in Red/Blue is in the first post.

I tested all these codes on Yellow (on a real cartridge too!). My name on Yellow is now RED <-- :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: realsamusaran on April 30, 2016, 08:02:36 am
@Skeef: thanks a bunch! As far as catch rate goes I was only planning on changing them for Pokémon evolutions who aren't legitimately available to be caught, such as Alakazam or Gengar, since a legal Gengar would have the catch rate of Haunter or Gastly because catch rate stays the same after evolving a Pokémon you own.

I was also considering changing catch rates for Pokémon whose values changed from Red/Blue to Yellow, such as Kadabra or Dragonair. The starter Pikachu also has a unique catch rate when you receive it that no other Pikachu has, even when forcing an encounter with a wild one in Yellow. I messed up my PC box data somehow and lost my starter Pikachu actually...

@Krys3000: I looked at those and I'm having trouble understanding them right now but I'll try figuring something out on my own and when I've got something I'll come here to ask if I've got it right (I don't wanna mess up my save trying it out on my own).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 30, 2016, 08:46:15 am
Hmm, as far as messing up save data goes... If you are playing Virtual Console, wouldn't backing up your SD card also back up the pokémon save?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on May 05, 2016, 05:18:43 am
Of course, you can still rely on Old Man/GC RAM Manipulation to get a MissingNo., but it's true that having a setup with no version-exclusive or glitch Pokémon is an improvement.
Took me a while to figure this out, but oh well. Still worth posting, I guess.
Well, if your first Pokémon's Special Stat is in the following list, you can use Hitmonchan instead of Arbok.
That will make the game read the lower byte of the first Pokémon's Special Stat, and all of these were selected to be harmless, 1-byte instructions.
0, 3, 4, 5, 7, 10, 11, 12, 13, 15, 19, 20, 21, 23, 26, 27, 28, 29, 31, 39, 47, 56, 60, 61, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 118, 120, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195,
(Note: if the stat is higher than 255, subtract 256 and look up the value in this list.)

If the stat is in the list and is less than 256, then Hitmonlee will work too.

Under certain circumstances (depending on the Speed Stat, actually), Mr. Mime will also work, but it is more complicated.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Shina69 on May 13, 2016, 02:42:54 pm
Hi, guys! Thanks for helping me on changing the moves on yellow a few months ago, really helped!

I was wondering if it's possible to get HM Fly before getting to Celadon City by arbitrary code execution in Pallet Town, since only a few glitch Pokémon learn Fly by levelling up and that's probably not an option. After I receive the Pikachu, maybe he could get it? I saw this video of a guy saving at 0:00 and instantly spawning at the end, maybe I could spawn near the HM Fly little house, although I probably wouldn't be able to leave from there that easily. Although if I was able to walk through walls, it would be easy. But then, how to disable it? I read about the youngster method but my lvl 100 Nidoking doesn't really apply, that 4th move PP is difficult to get.

Thanks for the attention, guys! Maybe there's already a way to do it and I don't know.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on May 13, 2016, 03:31:52 pm
Hi, guys! Thanks for helping me on changing the moves on yellow a few months ago, really helped!

I was wondering if it's possible to get HM Fly before getting to Celadon City by arbitrary code execution in Pallet Town, since only a few glitch Pokémon learn Fly by levelling up and that's probably not an option. After I receive the Pikachu, maybe he could get it? I saw this video of a guy saving at 0:00 and instantly spawning at the end, maybe I could spawn near the HM Fly little house, although I probably wouldn't be able to leave from there that easily. Although if I was able to walk through walls, it would be easy. But then, how to disable it?

Thanks for the attention, guys! Maybe there's already a way to do it and I don't know.

Yes. Getting to anywhere without arbitrary code execution and/or obtaining HM02 Fly can be done with the expanded items pack warping.

You can obtain the expanded items pack at the beginning of the game with the SRAM glitch (http://forums.glitchcity.info/index.php?topic=6472.0) after doing a swap such as Pokémon 1>Pokémon 10 if you have knowledge of the internal memory layout (http://forums.glitchcity.info/index.php?topic=6914.0) (which is the glitch you saw).

It may be possible to capture a Pokémon to obtain 49-51 total Pokémon instead of 255 (this happens because you normally capture a Golem (Red/Blue) or Magmar (Yellow) with the decimal index number of 49 or 51 respectively, due to the "wild appeared (https://www.youtube.com/watch?v=ELDCr6fxZMY)" glitch); from then on depositing them all is easy, unless for some reason the Pokémon you deposit or withdraw do not have terminated names (PRAMA encountered this on non-English versions, and in English Yellow a workaround might be to view a Pokémon with a specific move 4 such as Counter (like in the glitch "oobLG (https://www.youtube.com/watch?v=_BtVoea5ONM)") but I don't know if this applies to every version). In Red and Blue, the Golem must be caught in a certain place to avoid a freeze. Diglett's Cave works; then you should open the menu to avoid a freeze if you exit by the stairs.

If you keep the expanded items pack, you can warp around as you please; although I'm afraid I don't know of a way you could obtain items to keep in this way (although it's likely very possible), because with the looping map trick (described below and on the first post) you may become trapped without a Pokémon to Teleport away.

If you've obtained an expanded items pack (such as the 255 items pack from dry underflow glitch (http://forums.glitchcity.info/index.php?topic=7175.0)); then you can warp to Celadon City by entering a Pokémon Center, swapping the Ultra Ball x0 at item 32 into Master Ball (left of the exit mat) or "!j" (Red/Blue) or "x" (Yellow) (right of the exit mat)  x(exit place ID (http://bulbapedia.bulbagarden.net/wiki/List_of_locations_by_index_number_(Generation_I))) at item 36, and tossing how many you want. x0 actually represents x256. If you toss 250, then you can warp to Celadon City.

Regular Missingno. for obtaining a x255 stack (by obtaining x129 Potions, using two, capturing the Missingno. to obtain x255) can appear from doing the Trainer escape glitch/Mew glitch with Misty's Starmie (This will work in English Red/Blue but likely not French or Italian Red/Blue. Additionally in English Yellow (unsure about Spanish Yellow), if you have cleared your save file with Up+Select+B there is a way to encounter a "stable unstable Missingno. (http://forums.glitchcity.info/index.php/topic,7436.msg200294.html#msg200294)" which is believed to never freeze the game).

Special Missingno. 182-184 are alternatives to regular Missingno. if your version's Missingno. freezes the game (and for people using the French and Italian versions of Red/Blue you could possibly use the Pokémon menu>Cooltrainer glitch described in the link above). They can be encountered by having Ditto transform into a Pokémon with one of those Special stats.

Alternatively, you can have a 1/8 chance of obtaining one from a double Trainer-Fly involving talking to the Cubone trade girl on Underground Path to encounter a level 80 Starmie first. This was first used in a Pokémon speedrunning route (http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Yellow/Glitched_No_Save_Corruption/Starmie_Trade_Route).

[youtube]https://www.youtube.com/watch?v=73fAlzIbi9k[/youtube]

TheZZAZZGlitch's looping map trick to obtain 8F or ws m allows you to bring up every item into the regular items to keep, except for possibly the non-functional PP Up copy (32h) and TM55 (FFh, but you can keep the key item HM05 which works the same). You can dig up items of your choice and keep them if you bring them up with Select and then Teleport away.

Steps:

1) Walk to this place.
(http://i.imgur.com/mwJ0mb7.png)
2) Swap an item with an ID of hex:33 or greater into the Nugget x1 found at item position 35, such as Poké Doll or X Special.
3) Keep walking right (to increase the item ID by 1 each step) or left (to decrease it by 1 each step) to change the item, until you find a HM02: Fly.
4) Press Select to bring it up to the top of the items pack and then Teleport away.

Hope that helps and let me know if you have any other questions!  :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Shina69 on May 14, 2016, 04:55:55 pm
Thanks a lot for the wise and meticulous explanation, Torchickens!
Sure it's a wonder the possibilities that Item Underflow brings as well as glitch items, I followed all the steps on the SRAM glitch topic and it's an all new world. But, recently, I got more interested in these new recent challenges like the no save corruption speedruns and others that avoid the usage of expanded items pack. I looked through the forum archives and also found players trying to beat the game without battling Team Rocket members and that made me wonder: is it actually possible to complete Pokémon Yellow on such conditions plus without time cable exploits of any kind? I followed their topic (http://forums.glitchcity.info/index.php/topic,7448.0.html), but answers stopped a few months ago :(
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: hashtag on May 19, 2016, 05:05:24 pm
Hey, first post!
I'm using Wack0's simple GameShark script to do a couple of things, and I'm curious as to what you are supposed to do when the code requires you to enter a 00.

For example, I have a code that modifies the typing of the current box slot one Pokémon. It should look like this:

any item
8f
Lemonade * number corresponding to type
X-accuracy * 155 for primary type and 156 for secondary type
Carbos * 218
Pokeball * 119
Fresh Water * 201

This code works perfectly, and I have used it to replace Aerodactyl's Flying typing with Ghost as a proof of concept. The only problem is that when I want to make something a Normal type I would have to have 0 Lemonades, because 00 is the hex that corresponds with Normal. I have tried it just without any Lemonades and it freezes the game, as expected. Is it possible to make the game read as having 0 Lemonades by somehow rolling it over to 256, or anything like that? Thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on May 19, 2016, 05:36:01 pm
First, this code was sort of already made, but that's not a big deal since you are new here. To get 0 Lemonades, try using this 8F code by lowena:

8F
Item you want X2 to get 0 or 1 to get 255
Burn Heal X43
Ice Heal X53
Revive X201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: hashtag on May 19, 2016, 05:41:10 pm
oh sweet thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on May 19, 2016, 05:42:53 pm
First, this code was sort of already made, but that's not a big deal since you are new here. To get 0 Lemonades, try using this 8F code by lowena:

8F
Item you want X2 to get 0 or 1 to get 255
Burn Heal X43
Ice Heal X53
Revive X201

Alternatively have lemonade x1 followed by Soda Pop x4.

This is:

Code:
ld a,01
dec a
inc b
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on May 20, 2016, 12:26:41 pm
You can also get a x0 stack by tossing a whole stack above a x255 stack (which becomes a copy of the x255 stack), tossing 254 of the copy, and swapping the resulting x1 stack with the x255 stack. As a side effect, your item counter will decrease by 2 so you'll lose the stack you tossed and the last stack in your bag.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 10, 2016, 04:31:37 pm
Thanks a lot for the wise and meticulous explanation, Torchickens!
Sure it's a wonder the possibilities that Item Underflow brings as well as glitch items, I followed all the steps on the SRAM glitch topic and it's an all new world. But, recently, I got more interested in these new recent challenges like the no save corruption speedruns and others that avoid the usage of expanded items pack. I looked through the forum archives and also found players trying to beat the game without battling Team Rocket members and that made me wonder: is it actually possible to complete Pokémon Yellow on such conditions plus without time cable exploits of any kind? I followed their topic (http://forums.glitchcity.info/index.php/topic,7448.0.html), but answers stopped a few months ago :(

You're welcome! I don't know the answer to that I'm afraid. Though it's possible to avoid at least some of the Rockets, including:

1) Regular Mt. Moon Rockets (you don't need to fight them).
2) Jessie & James on Mt. Moon (https://www.youtube.com/watch?v=pA3mumxJYJw) (but note in Paco81's video he escapes from a long-range Rocket in Mt. Moon using an Escape Rope).
3) Rocket HQ rockets: Poké Doll Pokémon Tower skip.
4) Silph Co. Rockets: Removing (https://www.youtube.com/watch?v=TYNqXzTKzcw) the gym NPC with the Trainer escape glitch(??)

If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.



If you want to use 8F or ws m for many tasks, it's worth turning it into an in-built GameShark so you can use it without re-obtaining items for different uses (in the case you tossed a quantity but need a higher quantity than what you have left to do something else).

This long code will load the quantity of Lemonade into the address represented by the quantity of Carbos (address first byte) and X Accuracy (address second byte) and reset the quantities back to 0 (actually 256 and tossable to obtain any quantity), so you can truly write whatever you want in RAM/WRAM as many times as you like without having to obtain items again if a quantity is too low.

You can get all of the items below with the Celadon looping map trick (http://glitchcity.info/wiki/index.php/Celadon_looping_map_trick).

Code:
3E xx 26 xx 2E xx 04 77 26 D3 3E 00 2E 23 04 22 23 22 23 22 C9
Lemonade x(xx)
Carbos x(yy)
X Accuracy x(zz)
Poké Ball x119
Carbos x211
Lemonade x0
X Accuracy x35 (x34 in Yellow)
Poké Ball x34
HP Up x34
HP Up x34
TM01 x0

ld a, 00 - a (value)=xx
ld h, 00 - h (address byte 1)=yy
ld l, 00 - l (address byte 2)=zz
inc b - useless code
ld (hl),a - load a into the address (e.g. D059)
ld h, D3 - we load the address byte 1 as D3 (item quantities are in the D3XX region)
ld a, 00 - we load 'a' as 0 (quantity of 0)
ld l, 23 - l=23, now our address is D323 (item 3 quantity)
inc b - useless code
ld (hli),a - means we put 'a' in D323, and then increase the hl value to D324
inc hl -  hl value=D325
ld (hli),a - means we will load a (0) into D325 (item 4 quantity), and increase hl to D326
inc hl - hl value =D327
ld (hli),a - means we put 'a' in D327 (item 5 quantity)
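Added example, my own code rather than anything posted in this thread: a small encoder/decoder between an item list and the bytes that 8F executes, using the Red/Blue item IDs that appear in this thread (the IDs, and the TM/HM ranges, are from my own reading of the Gen I item table, not from the posts). Encoding the in-built GameShark listing above reproduces the posted hex with the xx placeholders filled in, and decoding a byte string the other way is what a payload "compiler" does: it fails exactly where a byte that lands in an item-ID position is not an item, which is the situation the Lemonade x1 / Soda Pop x4 trick and junk instructions such as inc b (Poké Ball) are there to avoid.

```python
"""Item list <-> byte stream for 8F payloads (added example, not code from this thread)."""

# Red/Blue item index numbers for the items used in this thread (from my own reading of the
# Gen I item table, not from the posts). TMs and HMs are derived in item_id().
ITEM_IDS = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Great Ball": 0x03, "Poké Ball": 0x04,
    "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Awakening": 0x0E, "Potion": 0x14, "Repel": 0x1E,
    "Thunderstone": 0x21, "Water Stone": 0x22, "HP Up": 0x23, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Revive": 0x35, "Fresh Water": 0x3C, "Soda Pop": 0x3D,
    "Lemonade": 0x3E, "X Speed": 0x43, "Max Ether": 0x51,
}

def item_id(name):
    """Item name -> ID byte; TM01..TM50 are C9..FA and HM01..HM05 are C4..C8."""
    if name in ITEM_IDS:
        return ITEM_IDS[name]
    kind, num = name[:2], name[2:]
    if num.isdigit():
        if kind == "TM" and 1 <= int(num) <= 50:
            return 0xC8 + int(num)
        if kind == "HM" and 1 <= int(num) <= 5:
            return 0xC3 + int(num)
    raise KeyError(f"unknown item {name!r}")

ID_TO_NAME = {v: k for k, v in ITEM_IDS.items()}
ID_TO_NAME.update({0xC8 + n: f"TM{n:02d}" for n in range(1, 51)})
ID_TO_NAME.update({0xC3 + n: f"HM{n:02d}" for n in range(1, 6)})

def encode(items):
    """[(name, quantity), ...] -> the bytes 8F executes. A quantity of 256 is stored as 00."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 256:
            raise ValueError(f"{name}: quantity {qty} cannot be held")
        out += bytes([item_id(name), qty & 0xFF])
    return bytes(out)

def decode(code):
    """Bytes -> item list. Raises where a byte in ID position is not an item, which is what
    junk instructions (e.g. inc b = 04 = Poké Ball) are inserted to avoid."""
    items = []
    for i in range(0, len(code), 2):
        iid = code[i]
        if iid not in ID_TO_NAME:
            raise ValueError(f"byte {iid:02X} at offset {i} is not a usable item ID; "
                             "insert junk code to shift it into quantity position")
        qty = code[i + 1] if i + 1 < len(code) else None   # None: last item, any quantity
        items.append((ID_TO_NAME[iid], qty))
    return items

def inbuilt_gameshark(value, addr_hi, addr_lo):
    """Red/Blue version of the 'in-built GameShark' list above (X Accuracy x35):
    writes `value` to the address addr_hi:addr_lo and zeroes the three parameter quantities."""
    return [("Lemonade", value), ("Carbos", addr_hi), ("X Accuracy", addr_lo), ("Poké Ball", 119),
            ("Carbos", 211), ("Lemonade", 0), ("X Accuracy", 35), ("Poké Ball", 34),
            ("HP Up", 34), ("HP Up", 34), ("TM01", 0)]

if __name__ == "__main__":
    # Constructed sample: write 0x12 to D059, the address the explanation above uses as its example.
    print(encode(inbuilt_gameshark(0x12, 0xD0, 0x59)).hex())
    print(decode(bytes.fromhex("3e013d04")))      # Wack0's ld a,01 / dec a / inc b
```

The trailing item's quantity decodes as None because the ret byte (C9) is executed before it; that is why every listing in the thread ends with "TM01 x(any)".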
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Ephraim225 on June 15, 2016, 04:04:40 pm
If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.

Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 15, 2016, 04:26:24 pm
If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.

Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.
That's true. However Shina69 was asking how we could do this without the expanded items pack.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Ephraim225 on June 16, 2016, 12:43:15 pm
Oh whoops. I didn't look at the previous page ^^;

In that case there's only one other way I can think of: Have the Rocket NPC on Nugget Bridge disappear through the Mew Glitch. For that you'd have to figure out what that NPC's "disappearing object number" is, start the Mew Glitch on a map with that many objects -1, start the Mew Glitch there, head to Nugget Bridge, lose to one of the trainers, then make sure not to cross through any maps with more disappearing objects than the number you want.

So...I suppose it comes down to the number of disappearing objects on Route 24 and which one the Rocket is.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Nostalgia on June 26, 2016, 04:32:42 pm
In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Ketchup901 on June 27, 2016, 12:23:47 am
Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 27, 2016, 01:36:31 pm
Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?

Yes. The 'instant battle' catch 'em all script is the same as the Red/Blue catch 'em all script, except that we change address D059 to D058 (this is the case with many addresses in Yellow; there is a subtraction of 1, and usually when you see an address in the DXXX range you may be able to subtract 1 to get the Yellow address); hence we can use a TM34 x88 instead of TM34 x89.

Like this:
Code:
Item 3: Lemonade x(xx)
Item 4: TM34 x88
Item 5: TM08 x201

Code:
3E xx EA 58 D0 C9
Code:
ld a,xx
ld (D058),a
ret

(As always, this will only work with bootstrap code to item 3 such as this setup by Pigdevil2010 (http://forums.glitchcity.info/index.php/topic,6638.msg194861.html#msg194861))

In case you don't know, more addresses can be found on the Pokémon Red RAM map (http://datacrystal.romhacking.net/wiki/Pokemon_Red:RAM_map#Pokemon_1_Settings) and Pokémon Red disassembly/WRAM (https://github.com/pret/pokered/blob/master/wram.asm) :) — we can subtract 1 from them to get many of the Yellow addresses, except for some such as CD38 (which when 1 allows us to walk through walls).

Additionally, if you want to receive the Pokémon as a gift, the code needs to be adjusted to account for the change of location of a routine in the ROM (http://forums.glitchcity.info/index.php/topic,6638.msg196352.html#msg196352):

Code:
Item 3: Repel x[SpeciesIndex]
Item 4: X Speed x14
Item 5: Ultra Ball x64
Item 6: TM05 x89
Lemonade x201

Code:
1E 20 43 0E 02 40 CD 48 3E C9
ASM:
ld   e,[SpeciesIndex]
ld   b,e
ld   c,02
ld   b,b
call 3E48
ret

Hope this helps! ^_^
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 27, 2016, 02:54:05 pm
In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.

Yes. Here is some code for that sole purpose. :)

Code:
ld a,xx
ld e,yy
ld h,d3
ld l,58
ldi (hl),a
ld (hl),e
ret

Code:
3E xx 1E xx 26 D3 2E 58 22 73 C9
Code:
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)

(The X Accuracy is x89 in Red/Blue)

Where the quantity of the Lemonade is the first byte of your new Trainer ID (in hexadecimal) and the quantity of the Repel is the second byte of your Trainer ID (in hexadecimal). For example, if we want the Trainer ID 42965, we can go on Windows Calculator or use a converter (http://www.binaryhexconverter.com/hex-to-decimal-converter) and convert it to get hex:A7D5 (A7 for byte 1 and D5 for byte 2; A7 converts into 167 in decimal, while D5 converts into 213 in decimal). We cannot have Trainer IDs greater than 65535, sadly.

The changes are invisible until you capture a new Pokémon, because the Trainer Card doesn't display the Trainer ID in Generation I.

With the 'in-built GameShark code' in my earlier post (http://forums.glitchcity.info/index.php/topic,6638.msg200510.html#msg200510) designed for multiple tasks (note that for Yellow version we use X Accuracy x34), you can use the Lemonade as your byte value (e.g. A7) and Carbos x211, X Accuracy x88 as the other parameters (h [address byte 1] and l [address byte 2]).

Additionally, if we activate the expanded items pack (http://glitchcity.info/wiki/index.php/Expanded_item_pack), your Trainer ID addresses can be found as item 30's quantity (byte 1) and item 31 (byte 2), which means that if you want to have a particular ID you can get most by tossing from item 30, and changing item 31. The ID 01234 (04D2 in hexadecimal) could be obtained with a quantity of 4 in item 30 and a 'D2 item' (TM10 according to The Big HEX List (http://glitchcity.info/wiki/index.php/The_Big_HEX_List)) in item 31. Glitch items can be obtained with the Celadon looping map trick (http://glitchcity.info/wiki/index.php/Celadon_looping_map_trick), but if you want to do this make sure you carefully navigate the menu slowly with B; as a 'long name glitch item' can easily freeze your game (and there is a chance of Continue being removed from the options) if the A button is pressed on it.

Hope this helps. ^_^
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Nostalgia on June 28, 2016, 10:16:08 am
What's the TM01 for in that code? Because I don't have that TM anymore..
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 28, 2016, 12:53:59 pm
What's the TM01 for in that code? Because I don't have that TM anymore..

TM01 ends the code (hex C9). It's available in the Celadon Dept. Store.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on June 29, 2016, 07:13:10 am
If you don't use a C9, bad s**t will happen  ;D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Nostalgia on June 30, 2016, 12:02:10 pm
Can you delete old key items with ws m?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 30, 2016, 02:30:20 pm
Yeah, you could use a code that mutates items, for example. Such as (using pigdevil2010's bootstrap setup!):
Code:
8F / ws l m
Key item
Poké Ball x43
Great Ball x43
Revive x201
Code:
inc b
dec hl
inc bc
dec hl
dec (hl)
ret
You'll increase item #2's ID by one each time you use 8F / ws l m. It will be of quantity 1.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 02, 2016, 04:18:53 am
So lately I have been looking into TheZZAZZGlitch's pong game. However, after trying to break down the code into map coordinates, I am left with a few questions which I hope someone can help me with.

The first thing I am wondering about is the entry point. The code starts at $D901, which is the opponent's 3rd Pokémon type 1. Does the opponent's Pokémon data reset to 0 after saving and restarting or does it persist? In other words, will the pong game still be there after saving?

A few other things I'm not too sure about are some opcodes.
Namely:
- ldi  (hl),a
I can't find this one on the CPU chart, but I'm pretty sure it's opcode 22 (ld (hl+),a), which I think loads a into (hl) and then increments the hl register. Is that correct?

- ld   a,($FF00+A2)
There are a few of these, I have no idea what to do with them );

And finally, commands that take a 2 byte input. These require the lower byte first then the higher byte, right? They already seem to be listed in the code with the lower byte first, but I'm not sure.

Any help on this is much appreciated.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 02, 2016, 01:13:53 pm
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 03, 2016, 05:24:00 am
How did you get your own personal Game Freak?  :o
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 03, 2016, 06:56:52 am
I don't know if this was known, but here's a shinyzer code created by PRAMA board's member thelinekioubeur. It changes your first stored Pokémon so it will be shiny when traded to 2G games.

Code:
ld hl, $DAB1
ld a, $EA
ld (hl), a
sub a, $40
inc hl
ld c, a
inc b
ld (hl), c
ret

Code:
ThunderStone x177
TM18 x62
TM34 x119
TM14 x64
HP Up x79
Poké Ball x113
TM01 x[whatever]

ThunderStone quantity goes -1 in US Yellow, +5 in European R/B, +4 in European Yellow.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: U_Flame on July 04, 2016, 05:08:08 am
I don't know if this was known, but here's a shinyzer code created by PRAMA board's member thelinekioubeur. It changes your first stored Pokémon so it will be shiny when traded to 2G games.

Code:
ld hl, $DAB1
ld a, $EA
ld (hl), a
sub a, $40
inc hl
ld c, a
inc b
ld (hl), c
ret

Code:
ThunderStone x177
TM18 x62
TM34 x119
TM14 x64
HP Up x79
Poké Ball x113
TM01 x[whatever]

ThunderStone quantity goes -1 in US Yellow, +5 in European R/B, +4 in European Yellow.

This turned my 62 TM18s into 35 "ws m "s. Is that normal? I've double checked to make sure I'm using the right items. If it matters, I'm on US Blue using 1 TM01 and the only Pokémon in box 1 is "'M 'N g". I haven't checked what Gen 2 views it as yet. I did try leveling it up to see if the possibly changed DVs made a difference in stats, but the game crashes when 'M 'N g levels up.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 04, 2016, 07:24:01 am
The quantity of TM01 REALLY doesn't matter. I mean it.
And, uh, it seems everything is correct. The ws lm shouldn't be here, and I guess you didn't set up your bag properly.
The listing given by Krys3000 starts from item #3!
The full setup should be something like
Code:
Any item xAny qty
Any item xAny qty
Thunderstone x177
TM18 x62
(etc)
TM01 xAny qty
Any items (or nothing :P)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: U_Flame on July 04, 2016, 09:04:51 am
Oh of course the 3rd item rule! I was so used to following list setups exactly that I forgot that was a thing. Thank you.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 04, 2016, 09:47:18 am
Yeah, sorry I did not mention item 1 and 8F/ws l'm; I just copy/pasted thelinekiouber's post and translated it to English. It seemed pretty obvious though  :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: U_Flame on July 04, 2016, 11:55:12 am
Yeah, in hindsight it kinda was. Oh well, I got a shiny glitch Pokémon now. Probably won't actually matter if I can't find a way to transfer it, but it's the thought that counts. Yay
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 04, 2016, 11:57:36 am
    Okay, simple questions, simple answers.

    Unless it is saved then loaded, RAM doesn't persist. In that case it won't, but don't assume it will be zero.

    There is no official syntax for gb-specific z80 instructions, so here are some aliases :
    • ldi (hl), a
    • ld (hli), a
    • ld (hl+), a
    • ld [hli], a
    Same for ldd and ld-, etc.
    You are correct, ldi (hl), a is totally equivalent to ld (hl), a \ inc hl

    There is a special instruction in gb z80 : ld ($FF00 + imm8), a (as well as ld a, ($FF00 + imm8))
    It saves one byte (thus speed) over ld a, (mem16) and ld (mem16), a

    And the gb z80 is little-endian :
    call $C0DE is "CD DE C0"

    Gotcha ? I will be writing a gbz80 dev page on the wiki some day. Right now I'm spending a week with my gf, so I'm pretty much occupied :P

Thanks  :D

ld a,($FF00+A2)
So this would be "F0 A2"

About negative relative jumps... Took me a while to figure that out, but I think I got it.
Code:
D99B <- 18 || jr
D99C <- FC || jump to D999
This would be it right?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 05, 2016, 05:04:47 am
When I'm doubting about relative jumps, I remember this :
18 00 (jr @+0) does nothing.
18 FE (jr @-2) loops infinitely.

So what you do is :
In your case, we have
* baseAddr = $D99B + 2 = $D99D
* offset = $FC = -$4 (negative, since its leftmost bit is 1 :P)
So you'd jump to $D99D - $4 because ($FC & $80) = $80
That is D999. You did right !

Oh hey, and a tip about negating :
hex * -1 = (hex XOR $FF) + 1
It's neat to know this if you didn't already.
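The relative-jump arithmetic from the exchange above as functions, in both directions, with the two's-complement negation rule. This is an added example (my own code, not from either poster); the D99B case is the one worked out above, the other values in the usage are constructed.

```python
"""Relative-jump arithmetic for the Game Boy CPU (added example, not code from the thread)."""

def signed8(b):
    """Interpret a byte as two's complement: 0xFC -> -4, 0xFE -> -2, 0x7F -> 127."""
    return b - 0x100 if b & 0x80 else b

def neg8(x):
    """8-bit negation, the (x XOR $FF) + 1 rule, kept inside one byte."""
    return ((x ^ 0xFF) + 1) & 0xFF

def jr_target(jr_addr, offset_byte):
    """Where `jr` (18 nn) located at jr_addr lands. The base is the address of the
    NEXT instruction (jr_addr + 2), which is why 18 FE is an infinite loop."""
    return (jr_addr + 2 + signed8(offset_byte)) & 0xFFFF

def jr_offset(jr_addr, target):
    """The offset byte that makes a jr at jr_addr reach target; refuses distances jr cannot
    express (-128..+127 from the base), where a 3-byte jp is needed instead."""
    delta = target - (jr_addr + 2)
    if not -128 <= delta <= 127:
        raise ValueError(f"{target:04X} is {delta} bytes from the jr base; out of jr range, use jp")
    return delta & 0xFF

if __name__ == "__main__":
    # The case from the thread: jr at D99B with offset byte FC.
    print(f"jr at D99B, offset FC -> {jr_target(0xD99B, 0xFC):04X}")
    print(f"offset needed to reach D999 from D99B: {jr_offset(0xD99B, 0xD999):02X}")
    print(f"-4 as a byte: {neg8(4):02X}")
```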
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 13, 2016, 01:44:05 pm
Right, the last few days I have been working on the pong game. After a few small problems I finally got to a point where my game does not crash when I execute the program  :P. However, it's not exactly the pong as it is in the video. There are 2 things not quite right.

The first thing is the screen color. It's not black. It's more vertical lines of grey and white. Something like this:
(It's worth noting that I am trying this on Virtual Console.)

(http://i63.tinypic.com/4ictcm.png)

The second thing is the game over... better yet, there is no game over. When the ball hits the bottom of the screen the ball just disappears. However, the sound of the ball bouncing still plays. Then after a while the ball comes back up from the bottom of the screen into play till I miss it with the pad and it goes under the screen again. So I took a closer look at the code. The "game-over" subroutine starts at $D918. But there are no jumps to that address (neither relative nor absolute). My guess is that's a small mistake in the code? The following lines are from the code. I think this is where it's supposed to jump to $D918 instead of $D976.

Code:
cp   a,$11
jp   z,D976_UpdateBallPosition ; If Y=$11 (DEC 17), the lower part of the screen, it's game over
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 14, 2016, 06:47:57 pm
Here's one that gives you 1 of every TM in your PC box. Just make sure you're OK losing everything in your Item PC, because it overwrites all the items.

Code:
WRA1:d322 2e 3a            ld   l,3a
WRA1:d324 26 d5            ld   h,d5    ; Initiates HL to point to the Item PC
WRA1:d326 0e 32            ld   c,32    ; 50 Decimal, works as a counter and as an Item PC Number
WRA1:d328 13               inc  de      ; padding
WRA1:d329 06 c9            ld   b,c9    ; TM01
WRA1:d32b 79               ld   a,c     ; Loads 50 into A register
WRA1:d32c 22               ldi  (hl),a  ; First iteration, tells PC it has 50 items; after that, loads 1 into each Item Quantity address
WRA1:d32d 78               ld   a,b     ; Load TM value into A...
WRA1:d32e 22               ldi  (hl),a  ; ...then put that TM in the PC
WRA1:d32f af               xor  a
WRA1:d330 3c               inc  a       ; A = 1
WRA1:d331 04               inc  b       ; Next TM
WRA1:d332 0d               dec  c
WRA1:d333 20 f7            jr   nz,d32c ; Loop until C = 0
WRA1:d335 22               ldi  (hl),a  ; Final item's quantity
WRA1:d336 36 ff            ld   (hl),ff ; End of Item PC list
WRA1:d338 14               inc  d       ; padding
WRA1:d339 c9               ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 15, 2016, 01:33:54 am
Very cool  :D thanks!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 15, 2016, 09:17:24 am
The Potion x201 can be swapped with a TM01 x[any qty]... supposing you have one :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 15, 2016, 09:42:20 am
The Potion x201 can be swapped with a TM01 x[any qty]... supposing you have one :D

Yeah, but I figured I'd be likely to have potions on hand anyways in normal gameplay. I'm working on a speedrun route where the final goal is to have all the TMs, and the route centers around getting this inventory and using 8F.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on July 15, 2016, 01:44:57 pm
The Potion x201 can be swapped with a TM01 x[any qty]... supposing you have one :D

Yeah, but I figured I'd be likely to have potions on hand anyways in normal gameplay. I'm working on a speedrun route where the final goal is to have all the TMs, and the route centers around getting this inventory and using 8F.

When I code 8F payloads I generally optimize them (adding junk code) to avoid requiring invalid items, multiple key items, multiple stacks of the same item, TMs, etc., where possible, just so the item list is easier to obtain.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 15, 2016, 05:04:09 pm
The Potion x201 can be swapped with a TM01 x[any qty]... supposing you have one :D

Yeah, but I figured I'd be likely to have potions on hand anyways in normal gameplay. I'm working on a speedrun route where the final goal is to have all the TMs, and the route centers around getting this inventory and using 8F.

When I code 8F payloads I generally optimize them (adding junk code) to avoid requiring invalid items, multiple key items, multiple stacks of the same item, TMs, etc., where possible, just so the item list is easier to obtain.
I know, and in my old GBZ80 compiler (http://prama-initiative.com/8F/beta/), I was planning to add such a feature... but I kinda dropped its development, so oh well.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on July 15, 2016, 08:21:35 pm
Speaking of which, does anybody know how to check if address YYZZ is XX, and what the output will be?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheUnReturned on July 15, 2016, 09:49:01 pm
On the other hand, is it possible to switch to an invalid sound bank using 8F?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 15, 2016, 10:49:44 pm
Speaking of which, does anybody know how to check if address YYZZ is XX, and what the output will be?

You could load that value into the quantity of the second item using the following inventory:

8F
(quantifiable item, e.g. Ice Heal)
Poke Ball x 43
Awakening x YY
Repel x ZZ
Max Ether x 26
Burn Heal x 119
TM01 x any

Code:
04          inc b
2b          dec hl
0e YY       ld c, YY
1e ZZ       ld e, ZZ
51          ld d, c
1a          ld a, [de]
0c          inc c
77          ld [hl], a
C9          ret

I haven't tested it yet, but I think that would work.

EDIT: Minor adjustment, decrementing HL is way more efficient than loading the value in directly
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 16, 2016, 05:21:41 am
On the other hand, is it possible to switch to an invalid sound bank using 8F?
That'd just require writing to C0EF and C0F0.
This should work :
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x119
    TM01 x[any qty] OR Poké Ball x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheUnReturned on July 16, 2016, 06:51:26 am
On the other hand, is it possible to switch to an invalid sound bank using 8F?
That'd just require writing to C0EF and C0F0.
This should work :
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x119
    TM01 x[any qty] OR Poké Ball x201
What could possibly happen if we use this code before encountering 4 4?
Hell if we know
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on July 16, 2016, 08:19:53 am
On the other hand, is it possible to switch to an invalid sound bank using 8F?
That'd just require writing to C0EF and C0F0.
This should work :
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x119
    TM01 x[any qty] OR Poké Ball x201
What could possibly happen if we use this code before encountering 4 4?
Hell if we know

absolutely nothing, encountering 4 4 would modify it.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on July 16, 2016, 08:36:14 am
C0EF and C0F0.

Actually, you just need to mod C0EF.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 16, 2016, 11:03:33 am
What is C0F0, then ?

New code :
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x201
(unsure, but should be okay)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on July 16, 2016, 12:14:36 pm
I was trying to set up the bootstrap party for 8F, and each one I found in this post has some flaws. Kangaskhan is tedious to catch and specific stats are difficult to obtain. Because of that, I wrote one that uses only Pokémon which are already available when you can obtain 8F (with the Celadon looping map/item counter underflow method at least):

6 Pokémon:
1. Onix
2. Jolteon w/ 233 current HP
3. Pidgey
4. Pidgey
5. Tentacool (if you want, you can use the Mew glitch with the Clefairy Lass in Mt. Moon - near the Route 3 exit)
6. Parasect/Psyduck

Code:

D163  06 22  LD B, $22
D165  68     LD L, B          ; HL = D122
D166  24     INC H            ; HL = D222
D167  24     INC H            ; HL = D322
D168  18 2E  JR D198 (parasect)
D169  18 2F  JR D199 (psyduck)

D198  00     NOP
D199  E9     JP (HL)


Also, you can use a male Nidoran in slot 6 and have 233 HP on Onix, but it is only 5% on Blue.

PS. Now I have an idea on how to make it use only one pidgey, but Pidgeys are easy to catch and using Catch 'em all will screw up any bootstrap which isn't 6 pokemon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 16, 2016, 01:26:27 pm
Seems quite legit. According to Bulbapedia (and with some extremely rough approximations), 233 HP could be achieved near level 90 (level 99 always has more than 233 max HP).
Pidgey could be caught by Trainer-Fly, and Arbok is obtainable through Trainer-Fly. The post you have looked at must have been quite old.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 16, 2016, 05:46:56 pm
Actually, Pidgey can have as little as 190 HP at level 100. HP does have IVs in Gen 1 and 2 games. They just depend on whether the other stats have even or odd IVs. That's why HP IVs aren't on the RAM map.

Odd attack IV = +8 hp IV
Odd defence IV = +4 hp IV
Odd speed IV = +2 hp IV
Odd special IV = +1 hp IV

So if all are odd the HP IV would be 15.

Edit: Or did you mean Jolteon always has at least 233 HP at level 99?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 16, 2016, 10:36:47 pm
Actually, Pidgey can have as little as 190 hp at lvl 100. HP does have IV's in gen 1 and 2 games.

Yeah, with min IVs and no StatXP Pidgey will be stuck at 190 at the worst case. Also, if you use 10 HP UPs on Pidgey, it'll only bring it to 230 HP. It'd need another 3642 StatXP HP points, or 15 Chansey fights at minimum, to bring it up to 233.

That said I'm not a big fan of using Jolteon simply because you can't underflow him to 100 like you can with Pidgey. I'm looking at some other Pokemon in the Medium Slow group to see if I can use one of them for a new bootstrap that can be set up relatively easily using the any% item underflow route.

EDIT: So I came up with a similar team that could be used for bootstrapping:
6 Pokemon:

Code: [Select]
WRA1:d163 06 0f            ld   b,0f     ; d163 = party count (6), d164 = Nidoran (male)
WRA1:d165 24               inc  h        ; Pidgey; HL = d2xx
WRA1:d166 24               inc  h        ; Pidgey; HL = d3xx
WRA1:d167 2e 22            ld   l,22     ; Parasect, operand = Onix -> HL = d322 (item 3)
WRA1:d169 01 ff 0f         ld   bc,0fff  ; Rhydon; swallows the ff terminator and Nidoran's species byte at d16b
WRA1:d16c 00               nop           ; Nidoran current HP high byte (233 = 00 e9)
WRA1:d16d e9               jp   hl       ; Nidoran current HP low byte

This is slightly different because the program counter doesn't JR past the FF marker at the end of the list; instead, it just rolls past it using a 16-bit load.

For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100. There's a Youngster before the entrance of Mt Moon that has a Spearow and nothing else (He's the male trainer between 2 ledges; he can only be approached by jumping over a ledge). Trainer-fly before going to see the Youngster, Growl at his Spearow 6 times before defeating it (or being defeated by it), then go back to the trainer-fly location and capture your Nidoran. Underflow it to level 100, use 1 or 2 HP UPs, and it'll have more than 233 HP.

Parasect can be obtained through trainer-fly as well. The first trainer in Blaine's gym has a Pokemon that corresponds to Parasect, so just lose to him to get one. You may need to use some item underflow trickery to get here if you don't have a Secret Key.

The Onix can be replaced with a Pidgey, which would jump to the 4th item in your list instead of the 3rd; Pidgey might be faster to obtain than Onix.

As for Rhydon, you can use the Old Man glitch to catch an 'M off the coast of Cinnabar. The first time you catch an 'M, it gets added to your Pokedex. After it plays the Pokedex entry, 'M magically becomes Rhydon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on July 17, 2016, 02:42:54 am
For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100.

Never thought about it. I always got my money to ??28?? by selling Ultra Balls from brightness slot and spammed rare candies obtained that way.

Also, how do you know which trainers result in the pokemon you want in Trainer-Fly? I found http://puu.sh/257S but it is terrible. Mostly because you can't search on images automatically.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 04:13:24 am
Well, we usually use that. You can't search for images, but the same Pokémon tends to appear multiple times in an area, so...
And if you find better, let us know !
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 17, 2016, 06:02:24 am

Parasect can be obtained through trainer-fly as well. The first trainer in Blaine's gym has a Pokemon that corresponds to Parasect, so just lose to him to get one. You may need to use some item underflow trickery to get here if you don't have a Secret Key.

The Onix can be replaced with a Pidgey, which would jump to the 4th item in your list instead of the 3rd; Pidgey might be faster to obtain than Onix.

As for Rhydon, you can use the Old Man glitch to catch an 'M off the coast of Cinnabar. The first time you catch an 'M, it gets added to your Pokedex. After it plays the Pokedex entry, 'M magically becomes Rhydon.

Paras evolves at level 24; it might be simpler to just level it up instead of going to the Cinnabar gym.
And wouldn't any Missingno turn into Rhydon when you box it? Since 'M evolves into Kangaskhan it's not a lot more efficient.
Missingno is easy to Trainer-Fly since just talking to most in-game trade NPCs turns the resulting Pokémon into one. <- Multiply Rare Candies at the same time and you can easily level Paras to 24.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 06:31:03 am
Not all Missingno become Rhydons. Only the one that triggers the Pokédex entry.

Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered. Since we have to Cooltrainer him, we need a Ditto, and for that :
* either we obtain it legit east of Fuchsia City, which implies going to the Cycling Road which implies getting the Poké Flute ;
* or we Trainer-Fly the bottom-left Channeler in Sabrina's Gym, which implies getting Cut and beating Silph Co. (unless we find a way to remove the corresponding Rocket using TFly object removal manipulation).

The best solution I can see is the first one.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 17, 2016, 06:32:40 am
Remove Snorlax glitch? No Poké Flute required  8)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 06:35:19 am
Yep, forgot about that one. Is it that Snorlax that is removed ? Or the other ?

Also, here are replacements for Rhydon.
Cubone :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 11 ff 0f         ld   de,0fff
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Voltorb :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 06 ff            ld b, ff
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Gengar :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 0e ff            ld c, ff
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Gyarados :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 16 ff            ld d, ff
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Chansey :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 28 ff            jr z, d16a ; never occurs because inc h resets this flag
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Either Drowzee or hex:38 Missingno will work (if the carry flag is unset, it will be Missingno, otherwise Drowzee)

Drowzee / Missingno :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 30/38 ff         jr nc/c, ff ; Drowzee/Missingno
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

hex:3E Missingno :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 3e ff            ld a, ff
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

Other Pokémon work, but they are all glitch Pokémon, so I didn't mention them.

Cubone is Trainer-Flyable in Routes 6, 9, 24, 25, and in Mt. Moon as well as the Rock Tunnel.
Voltorb seems not to be obtainable through TFly, but maybe by the Ditto trick.
Gengar is Trainer-Flyable from Brock, and also in Routes 3, 24 and 25.
Gyarados can be TFlyed in Routes 9, 13 and Mt. Moon.
Chansey can be TFlyed in Routes 8, 13 and Erika's Gym as well as Lavender Town.
Drowzee can be TFlyed in Routes 11, 12, and 14.

I may have missed some TFly spots, but I can guarantee that Voltorb cannot be obtained.
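Added example (mine, not code from any poster in this thread): a small Python checker for bootstrap parties like NieDzejkob's and the slot-6 replacements listed above. It writes the party bytes the way English Red/Blue lays them out ($D163 count, $D164 species, $D16B structs with current HP at +1/+2), interprets the handful of opcodes these bootstraps use starting at $D163, and reports where the JP HL lands, or that execution fell off the bytes the party controls. It assumes, as the thread does, that 8F enters at $D163 with HL = $D163 and the Z and C flags clear, and it uses the Gen I species index numbers; the constant and function names are mine.

```python
"""Simulate an 8F bootstrap party (English Red/Blue) and check where it hands
control. Assumptions taken from the thread, not verified here: 8F starts
executing at $D163 with HL = $D163 and Z/C clear; party RAM is laid out as
below; species index numbers are the Gen I ones (Rhydon = $01 ... Jolteon = $68)."""

PARTY_COUNT = 0xD163        # number of party Pokémon
PARTY_SPECIES = 0xD164      # species bytes in slot order, then $FF
PARTY_STRUCTS = 0xD16B      # 44-byte structs; bytes +1/+2 = current HP (big-endian)
STRUCT_SIZE = 0x2C
ITEM3 = 0xD322              # bag item 3 ID, where item-encoded code starts

# Gen I index numbers for the species this thread uses.
RHYDON, VOLTORB, GENGAR, NIDORAN_M, CUBONE, GYARADOS = 0x01, 0x06, 0x0E, 0x0F, 0x11, 0x16
TENTACOOL, ONIX, PIDGEY, CHANSEY, PARASECT, PSYDUCK = 0x18, 0x22, 0x24, 0x28, 0x2E, 0x2F
DROWZEE, MISSINGNO_38, MISSINGNO_3E, JOLTEON = 0x30, 0x38, 0x3E, 0x68

LD_R_N = {0x06: "b", 0x0E: "c", 0x16: "d", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}
JR_COND = {0x18: lambda z, c: True, 0x20: lambda z, c: not z, 0x28: lambda z, c: z,
           0x30: lambda z, c: not c, 0x38: lambda z, c: c}


def party_ram(species, current_hp):
    """Bytes a party writes to RAM. species: index numbers in slot order;
    current_hp: {slot (1-based): current HP}. Only bytes the player controls
    through the party are present, so executing anything else is an error."""
    mem = {PARTY_COUNT: len(species), PARTY_SPECIES + len(species): 0xFF}
    for i, sp in enumerate(species):
        mem[PARTY_SPECIES + i] = sp
        mem[PARTY_STRUCTS + i * STRUCT_SIZE] = sp      # struct byte 0 repeats the species
    for slot, hp in current_hp.items():
        base = PARTY_STRUCTS + (slot - 1) * STRUCT_SIZE
        mem[base + 1], mem[base + 2] = hp >> 8, hp & 0xFF
    return mem


def run_bootstrap(mem, pc=PARTY_COUNT, hl=PARTY_COUNT, max_steps=64):
    """Interpret the few SM83 opcodes the thread's bootstraps use, from $D163
    until a JP HL, and return the address jumped to. Raises ValueError when
    execution leaves the controlled bytes or meets an opcode not modelled
    (for example the $FF terminator, which is RST $38 on real hardware)."""
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "e": 0, "h": hl >> 8, "l": hl & 0xFF}
    z = c = False

    def rd(addr):
        if addr not in mem:
            raise ValueError("PC reached uncontrolled byte at %04X" % addr)
        return mem[addr]

    for _ in range(max_steps):
        op = rd(pc)
        if op == 0x00:                                   # nop
            pc += 1
        elif op in (0x01, 0x11):                         # ld bc,nn / ld de,nn
            lo, hi = ("c", "b") if op == 0x01 else ("e", "d")
            r[lo], r[hi] = rd(pc + 1), rd(pc + 2)
            pc += 3
        elif op in LD_R_N:                               # ld r,n
            r[LD_R_N[op]] = rd(pc + 1)
            pc += 2
        elif op == 0x68:                                 # ld l,b
            r["l"] = r["b"]
            pc += 1
        elif op == 0x24:                                 # inc h (sets Z, leaves C alone)
            r["h"] = (r["h"] + 1) & 0xFF
            z = r["h"] == 0
            pc += 1
        elif op == 0x0F:                                 # rrca (C = old bit 0, Z cleared)
            c = bool(r["a"] & 1)
            r["a"] = ((r["a"] >> 1) | (r["a"] << 7)) & 0xFF
            z = False
            pc += 1
        elif op in JR_COND:                              # jr / jr cc, signed 8-bit offset
            off = rd(pc + 1)
            off -= 0x100 if off > 0x7F else 0
            pc += 2 + (off if JR_COND[op](z, c) else 0)
        elif op == 0xE9:                                 # jp hl
            return (r["h"] << 8) | r["l"]
        else:
            raise ValueError("opcode %02X at %04X not modelled (crash?)" % (op, pc))
    raise ValueError("no JP HL reached")


def bootstrap_target(species, current_hp):
    """Address the party hands control to, or None if it never reaches JP HL."""
    try:
        return run_bootstrap(party_ram(species, current_hp))
    except ValueError:
        return None


if __name__ == "__main__":
    parties = {
        "NieDzejkob": ([ONIX, JOLTEON, PIDGEY, PIDGEY, TENTACOOL, PARASECT], {2: 233}),
        "Aldrasio": ([NIDORAN_M, PIDGEY, PIDGEY, PARASECT, ONIX, RHYDON], {1: 233}),
        "Aldrasio, Drowzee in slot 6": ([NIDORAN_M, PIDGEY, PIDGEY, PARASECT, ONIX, DROWZEE], {1: 233}),
    }
    for name, (sp, hp) in parties.items():
        t = bootstrap_target(sp, hp)
        print("%-28s -> %s" % (name, "crash" if t is None else "%04X" % t))
```

Run it with a party and HP you intend to use before setting it up on a cartridge; a wrong current HP (234 instead of 233) or Drowzee in slot 6 shows up as a crash here, since the jump lands on a byte the party does not control.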
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 17, 2016, 06:38:46 am
You can remove both of them with the glitch. I don't think you can remove the Rocket in front of Sabrina's gym with the glitch though. You could use the Safari Zone walk-through-walls glitch to walk through him, but that's a lot of work.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 07:20:19 am
I guess it is better to just go to the Cycling Road.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 17, 2016, 08:44:23 am
For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100.
Also, how do you know which trainers result in the pokemon you want in Trainer-Fly? I found http://puu.sh/257S but it is terrible. Mostly because you can't search on images automatically.

That's actually exactly what I used, lol. I had this list (http://bulbapedia.bulbagarden.net/wiki/List_of_Pok%C3%A9mon_by_index_number_(Generation_I)) open, and for higher-valued indices I looked in places where you'd find higher-level trainers. I also zoomed the image out and kinda scanned for the Pokemon I was looking for. Took a while, but I found what I was looking for.

Either Drowzee or hex:38 Missingno will work (if the carry flag is unset, it will be Missingno, otherwise Drowzee)

Drowzee / Missingno :
Code: [Select]
WRA1:d163 06 0f            ld   b,0f
WRA1:d165 24               inc  h
WRA1:d166 24               inc  h
WRA1:d167 2e 22            ld   l,22
WRA1:d169 30/38 ff         jr nc/c, ff ; Drowzee/Missingno
WRA1:d16b 0f               rrca
WRA1:d16c 00               nop 
WRA1:d16d e9               jp   hl

I just checked, all flags are unset once you jump to the items with 8F. It'd have to be Missingno(38).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 09:01:09 am
I used the same method for my overly long post. I searched for Pokémons around the world (while having the image zoomed, of course :P), and wrote my results.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 17, 2016, 11:30:08 am
Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered.

To be perfectly correct, you should have said "Non-english european R/B versions have more trouble getting a non-Ghost/Fossil MissingNo. by either Ditto or Old Man glitch" (http://forum.saintseiyapedia.com/Smileys/custom/aloy.jpg)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 17, 2016, 11:54:21 am
Came up with another script: Change the background music.

Code: [Select]
WRA1:d322 0e xx            ld   c,xx    ; xx for sound bank
WRA1:d324 3e yy            ld   a,yy    ; yy for music index number
WRA1:d326 cd a1 23         call 23a1    ; PlayMusic function
WRA1:d329 c9               ret

And I couldn't find a list of song indices anywhere from googling, so here's one I made from the ROM map (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red_and_Blue:ROM_map) on Datacrystal a while ago:

Bank 02 (2):
Bank 08 (8):
Bank 1F (31):

So, if for example you wanted to play the SS Anne music, you'd need 2 Awakenings and 216 Lemonades. If you wanted to play the Pokemon Tower music, you'd need 31 Awakenings and 240 Lemonades.

Something to note, if you use anything from Bank 02 or Bank 1F in battle, it'll mess with the other battle sound effects. If you use anything from Bank 08 on the overworld, it'll also mess with other sound effects.
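Added example, not from Aldrasio's or ISSOtm's posts: a Python helper that turns a byte string of code into the (item, quantity) pairs that spell it from item 3 ($D322 in English Red/Blue, per this thread) and back, and rejects a 0 landing in a quantity slot, since tossing can't bring a stack to zero. It covers ISSOtm's C0EF write and the music script above. The name table only holds IDs this thread uses plus the TM/HM ranges, and the odd-length padding rule (a quantity of 1 after a final single byte) is my assumption; everything else is reported by number.

```python
"""Translate SM83 code bytes into the bag items that spell them (item 3 on)
and back. Assumptions from the thread: the bag stores (ID, quantity) pairs
from $D31E, so item 3's ID sits at $D322 and the pairs run as straight-line
code. ITEM_NAMES is partial; unknown IDs (including glitch items) are shown
by number."""

BAG_ITEM1 = 0xD31E              # bag item 1 ID; each entry is ID, quantity
ITEM3 = BAG_ITEM1 + 2 * 2       # $D322, the first executed byte

ITEM_NAMES = {
    0x02: "Ultra Ball", 0x0E: "Awakening", 0x22: "Water Stone", 0x23: "HP Up",
    0x26: "Carbos", 0x28: "Rare Candy", 0x2E: "X Accuracy", 0x3E: "Lemonade",
    0x44: "X Special",
}
HM01, TM01, TM50 = 0xC4, 0xC9, 0xFA   # HM01..HM05 = $C4..$C8, TM01..TM50 = $C9..$FA


def item_name(item_id):
    """Name for an item ID where known, else 'item $xx' (glitch items included)."""
    if item_id in ITEM_NAMES:
        return ITEM_NAMES[item_id]
    if HM01 <= item_id < TM01:
        return "HM%02d" % (item_id - HM01 + 1)
    if TM01 <= item_id <= TM50:
        return "TM%02d" % (item_id - TM01 + 1)
    return "item $%02X" % item_id


def pack_items(code):
    """Split code into (item ID, quantity) pairs. A 0 in a quantity slot is
    rejected: re-encode that instruction (another register, xor a, ...) so the
    zero moves or disappears. An odd trailing byte gets quantity 1, which is
    only safe if that byte is a ret/jump (it is never executed otherwise)."""
    pairs = []
    for i in range(0, len(code), 2):
        item_id = code[i]
        qty = code[i + 1] if i + 1 < len(code) else 1
        if qty == 0:
            raise ValueError("byte %d: quantity 0 is not obtainable by tossing" % (i + 1))
        pairs.append((item_id, qty))
    return pairs


def unpack_items(pairs):
    """Inverse of pack_items: the bytes the bag holds from item 3 onward."""
    return bytes(b for item_id, qty in pairs for b in (item_id, qty))


def describe(pairs, base=ITEM3):
    """One line per item with the RAM address its ID byte occupies."""
    return ["$%04X  %-12s x%3d" % (base + 2 * n, item_name(i), q)
            for n, (i, q) in enumerate(pairs)]


if __name__ == "__main__":
    # ISSOtm's C0EF write: ld a,bank / ld h,$C0 / ld l,$EF / ldi (hl),a / ret, bank 2
    print("\n".join(describe(pack_items(bytes([0x3E, 0x02, 0x26, 0xC0, 0x2E, 0xEF, 0x22, 0xC9])))))
    # Aldrasio's music script for the S.S. Anne theme: bank 2, index $D8 (216)
    print("\n".join(describe(pack_items(bytes([0x0E, 0x02, 0x3E, 0xD8, 0xCD, 0xA1, 0x23, 0xC9])))))
```

Useful when composing a new script: write the bytes first, run them through pack_items, and deal with any quantity-0 or glitch-item entries before you start tossing items to set the counts.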
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 17, 2016, 11:55:41 am
Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered.

To be perfectly correct, you should have said "Non-english european R/B versions have more trouble getting a non-Ghost/Fossil MissingNo. by either Ditto or Old Man glitch" (http://forum.saintseiyapedia.com/Smileys/custom/aloy.jpg)

True, my English European Red cartridge has no problems with Missingno. Nor does my English Virtual Console version (which I'm pretty sure is available worldwide).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 17, 2016, 03:25:17 pm
Also, my French Rouge (Red) 3DS VC has trouble with Missingno. It crashed on me with a single "beep" when I believe it tried to load its sprite.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 25, 2016, 01:34:54 pm
Something occurred to me today: Creating a bootstrapping program that takes input from the Gameboy's serial port would be both short to write with items and pretty fast to execute, assuming you had something specifically designed for it attached to the serial port. You could probably make a simple datalink device with an Arduino or something. Has anyone tried this?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 25, 2016, 06:40:15 pm
You named it.
[youtube]http://www.youtube.com/watch?v=3UnB1fomvAw[/youtube]
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 25, 2016, 07:34:05 pm
Yeah, but that TAS's bootstrapper uses the 8 buttons on the Gameboy as 8 bits for input, and it just reads an input each frame. Best you can do with that is 60B/s. With the serial port, if you use the internal clock at its lowest setting you get 1024B/s.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on July 25, 2016, 08:07:40 pm
2:48 is CGOL
2:54 is foreshadowing

And I know 60(+8 or something idkaidc) digits of pi
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Isaac356 on July 27, 2016, 08:23:45 pm
Hi,

I'm new here having only recently gotten into Pokémon glitching, but like many others I was frustrated with trying to use the giant image to find the Pokémon that I wanted, so I took it upon myself to create this: https://www.exocron.me/tfly (https://www.exocron.me/tfly)

Simply choose the Pokémon that you want in the dropdown box and the page will list out all the trainers that you can obtain them from, as well as what Pokémon in their party is the one that yields the necessary special stat, and what route/gym/other place they are located in. It's currently very ugly (think early alpha) and only gives a general idea of the trainer's location, but it does work, and since I've already found it helpful I figured I'd throw it out there now and improve it over time. I parsed all the necessary data from the Pokémon Red disassembly (https://github.com/pret/pokered (https://github.com/pret/pokered)) and the few trainers that I manually verified were correct, but some data is linked up incorrectly (in particular, the Rival data), which I'll need to fix up manually over time.

In addition, if any web designers that are watching this thread want to fork the project and pretty it up, it would be much appreciated.  ;D

Something occurred to me today: Creating a bootstrapping program that takes input from the Gameboy's serial port would be both short to write with items and pretty fast to execute, assuming you had something specifically designed for it attached to the serial port. You could probably make a simple datalink device with an Arduino or something. Has anyone tried this?

Not exactly the same thing, but very similar, someone buffer overflowed the Cable Club and ran some shellcode that way: [youtube]https://www.youtube.com/watch?v=m3e_SyhE3xc[/youtube]
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: danny on July 27, 2016, 09:24:26 pm
Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!

I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Isaac356 on July 27, 2016, 11:36:59 pm
I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens

There are quite a few trainer party entries that don't have any actual map objects linked to them (i.e. Professor Oak). In addition, the rival's entries don't appear to be linked at all (except for the first one - the level 5 starter - in two different places), but I presume that is because the game handles him differently (doesn't show up on map after completion; party data depends on starter choice). For Oak and the rival, I'll be able to designate those separately (they're labeled in the disassembly, and the rival only shows up in a few places so I can mark those down manually), but for the others, I won't know if they're unused data or if Game Freak just pulled some shenanigans (the code is filled with interesting one-off situations that don't match up to the rest of the game, so it's possible that the scripts I wrote to parse the data and re-structure it just missed something).

TL;DR - Probably glitch trainers or rival. I'm leaving them in for now, but I'll be sure to make it more clear what's going on in the future (maybe hide them behind an "Include glitch trainers" checkbox).

At some point, I'm hoping to screen shot all the maps, so hopefully by then I'll notice if the trainer count doesn't match up.

Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!

Yeah, now that I think about it, it probably is. Sorry about that. I was just following the thread since I was starting the arbitrary code execution stuff, and I got too excited about this project.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheZZAZZGlitch on July 28, 2016, 12:54:29 am
The same method of arbitrary code execution through the link cable is possible in Gen II. This (similarly to the Gen I version) works by overflowing the trade partner Pokemon list and overwriting a return address on the stack.

https://www.youtube.com/watch?v=e8CO_e_rKd8

There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on July 28, 2016, 08:58:42 am
There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.

Thanks, this is exactly what I was looking for! I kind of want to use this method to dump or load SRAM data to physical carts. On a DMG I think it would take a bit more than 30 seconds to funnel all of SRAM through the serial port, but I admit I've never really coded for serial communication. And hey, if that works, just for lolz I could probably dump the whole ROM through the serial port.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on July 28, 2016, 09:31:03 am
Welcome to the forums Isaac356! :)

Thanks for the amazing Trainer-Fly database. Is it all right if I link to it on the wiki sidebar?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Isaac356 on July 28, 2016, 02:05:42 pm
Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on July 28, 2016, 03:46:53 pm
Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!

All right then, cool! I've gone ahead and added it to the sidebar. ^_^
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Isaac356 on August 09, 2016, 08:39:30 pm
We're back!  ;D

I spent the last few days experimenting with loading serial data via 8F. I went through a couple of iterations on the shellcode, trying to eliminate key items and glitch items, before I settled for this:


Technically, the nulls could be eliminated, but that would make the code longer and they're easy enough to obtain.

Code: [Select]
WRA1:D322 F3               di                 ; no interrupts while we own the CPU
WRA1:D323 21 00 C0         ld   hl,C000       ; destination pointer for received bytes
Loop::
WRA1:D326 00               nop                ; later overwritten from the serial stream
WRA1:D327 00               nop
WRA1:D328 E0 01            ld   (ff00+01),a   ; SB: byte to send out (don't care)
WRA1:D32A 3E 80            ld   a,80
WRA1:D32C E0 02            ld   (ff00+02),a   ; SC: start transfer, external clock
Wait_Serial::
WRA1:D32E F0 02            ld   a,(ff00+02)
WRA1:D330 E6 80            and  a,80          ; transfer-start bit clears when a byte is in
WRA1:D332 20 FA            jr   nz,Wait_Serial
Serial_Received::
WRA1:D334 F0 01            ld   a,(ff00+01)   ; SB now holds the received byte
WRA1:D336 22               ldi  (hl),a        ; store it and advance
WRA1:D337 18 ED            jr   Loop

The code will store bytes received from the serial port (in slave mode, because it's easier for synchronization and we can drive the serial faster than normal) starting at address C000 and never ending...or so it may seem. The nop's are key here. Originally I limited how many bytes to receive, then jumped directly to address C000, but the resulting code barely fit into the item list. Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, therefore when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.

In other words, your serial data sender has to look something like this (in a very Python-esque pseudocode):

Code: [Select]
# Python-esque pseudocode; send_serial_data() is whatever drives your cable.
for byte in program:                                  # payload lands at C000 onward
    send_serial_data(byte)

for i in range((0xD323 - 0xC000) - len(program)):     # zero-fill up to D323
    send_serial_data(0)

for byte in b"\xC3\x00\xC0\x18\xFB":                  # jp C000 at D323, jr -5 at D326
    send_serial_data(byte)
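Added example (mine, not Isaac356's code): the sender side of the loop above as real Python rather than pseudocode. It computes the jr displacement instead of hard-coding FB, checks that the payload fits below $D323 and that the last byte sent lands at $D327 (one more would clobber the live ld (ff00+01),a at $D328), and cross-checks the two jr offsets in the posted listing. The constant names are mine; how the bytes are actually clocked down the cable is out of scope.

```python
"""Host-side byte stream for the self-modifying serial receive loop posted
above. Assumptions from that post: received bytes are stored from $C000
upward; the ld hl,$C000 at $D323 is overwritten with jp $C000 and the two
nops at $D326 with a jr back to $D323; nothing from $D328 on may be touched."""

LOAD_ADDR = 0xC000      # first received byte lands here
JP_SLOT = 0xD323        # ld hl,$C000 (3 bytes) -> replaced by jp $C000
NOP_SLOT = 0xD326       # the two nops -> replaced by jr JP_SLOT
LIVE_CODE = 0xD328      # from here on the loop must stay intact

# The receive loop as posted, $D322..$D338, used only to cross-check offsets.
RECEIVE_LOOP = bytes.fromhex(
    "F3 2100C0 00 00 E001 3E80 E002 F002 E680 20FA F001 22 18ED".replace(" ", ""))


def rel8(from_pc, target):
    """Displacement byte of a 2-byte jr located at from_pc that lands on target."""
    off = target - (from_pc + 2)
    if not -128 <= off <= 127:
        raise ValueError("jr at %04X cannot reach %04X" % (from_pc, target))
    return off & 0xFF


def jr_target(from_pc, disp):
    """Inverse of rel8: where a jr at from_pc with displacement byte disp goes."""
    return from_pc + 2 + (disp - 0x100 if disp > 0x7F else disp)


def build_stream(program):
    """program: code to run at $C000. Returns every byte to send, in order:
    program, zero padding up to $D323, jp $C000, then jr back to $D323."""
    room = JP_SLOT - LOAD_ADDR
    if len(program) > room:
        raise ValueError("program is %d bytes, only %d fit below $D323" % (len(program), room))
    padding = bytes(room - len(program))
    jp_c000 = bytes([0xC3, LOAD_ADDR & 0xFF, LOAD_ADDR >> 8])
    jr_back = bytes([0x18, rel8(NOP_SLOT, JP_SLOT)])
    stream = program + padding + jp_c000 + jr_back
    # The last byte must land at $D327; one more would corrupt ld (ff00+01),a.
    assert LOAD_ADDR + len(stream) == LIVE_CODE
    return stream


def loop_checks():
    """Decode the two jr instructions in the posted loop: inner poll and outer loop."""
    return {
        "wait_serial": jr_target(0xD332, RECEIVE_LOOP[0xD332 - 0xD322 + 1]),
        "loop": jr_target(0xD337, RECEIVE_LOOP[0xD337 - 0xD322 + 1]),
    }


if __name__ == "__main__":
    demo = bytes([0x18, 0xFE])     # constructed payload: jr -2, i.e. spin forever
    s = build_stream(demo)
    print("%d bytes to send, tail %s" % (len(s), s[-5:].hex()))
    print(loop_checks())           # expect wait_serial -> D32E, loop -> D326
```

The ordering matters: the jp at $D323 has to be in place before the 18 at $D326 is followed by its displacement, because the loop executes $D326/$D327 on every iteration; with the stream laid out by address that happens naturally.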
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Aldrasio on August 10, 2016, 05:58:08 pm
Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, therefore when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.

Huh, that's a really interesting approach. I like it. I wouldn't have thought to do that. I figured the best way to get around the item quantity bottleneck is to just allow a set number of bytes over serial at first, then send an intermediate bootstrapper, then use that bootstrapper to start receiving the full payload.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 02, 2016, 02:41:14 pm
I was watching some Japanese Pokémon glitch videos on Niconico when looking for information about the SRAM glitch in Japanese versions and I found a really interesting video (http://www.nicovideo.jp/watch/sm28475711) (view without having to create a Niconico account (http://www.mmcafe.com/nico.html#http://www.nicovideo.jp/watch/sm28475711)) by tabaさん that discusses arbitrary code execution.

It mentioned arbitrary code execution items in Red/Green discussed here such as 5かい (hex: 5A), the Japanese version of 8F, executing D123 (found long ago); てへ (hex: 7B, executing D806, the grass encounter table, which can be manipulated into the player's name by watching the old man, documented by memdump); but also an arbitrary code execution item I wasn't aware of called なかよしバッヂ (Friend Badge), hex: 67; as well as TM18 in Japanese Crystal (I will talk about that in another thread).

For those curious about the name なかよしバッヂ (Friend Badge) is one of the unexplained unused list texts (http://bulbapedia.bulbagarden.net/wiki/List_of_items_by_index_number_(Generation_I))).



なかよしバッヂ  (Friend Badge) executes code at D983; which stores the number of Safari Balls. This should mean that you can make it work like "-gm" in English Red/Blue; the item which memdump found executes code from DA47 (also the number of Safari Balls). Following D983 is the Day Care in use byte D984 (0 or 1), and the beginning of the structure for the Day Care Pokémon's nickname D985.

What's notable about  なかよしバッヂ  (Friend Badge) is that you can use a nickname as the data from D985, and this is good because you can give a Pokémon a nickname at any time whilst with the player name you can normally only set your name at the beginning of the game (although this raises the question if we can change our names in desirable ways with a Select glitch).

Like with てへ, the different mapping for selectable characters in Japanese games allow us to use C3 A6 D2 (てルめ) to jump directly to item 3.

With Friend Badge and no Safari Balls, you can either put a Pokémon named "てルめ" into the Day Care and out again (Day Care data stays after taking the Pokémon out, and for this nickname taking it out is an important step) or deposit a Pokémon with a name such as "ガガてルめ" (you can take this Pokémon out if you like, but don't need to). The former method works in this way because having a 1 value (in Safari Ball) at D984 is interpreted as a ld bc, $aabb instruction and this causes D985 and D986 (nickname characters 1 and 2) to be interpreted as operands.

Additionally as illustrated in the video, if you have 30 Safari Balls in memory, then D983 will be 1E; the ld e, $xx instruction. This would cause D984 (is the Pokémon in the Day Care byte) to be interpreted as an operand; meaning theoretically "てルめ" will work if you had 30 Safari Balls and put the Pokémon named "てルめ" into Day Care even if you leave it in.

Friend Badge also works in Japanese Blue.

So remember for Japanese R/G/B Friend Badge is your bff. :)... or worst nightmare if you set things up wrong.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 04, 2016, 07:52:32 am
Hello everyone!

First, I would like to say ‘thank you’ and ‘amazing job’ to everyone who has been working on those glitch in the early Pokemon games : ) !

I found this forum while looking for a way to get new copies of TM28 and TM48 that I had used up in my French Pokémon Yellow version (played on Nintendo Virtual Console on a 3DS), and was dumbfounded when I read what one is able to do thanks to the 8F / ws m glitch!

So I attempted to use it, but unfortunately it hasn’t worked up until now.
I was able to get the wsm item by using the ditto glitch.
I also got all the Pokémon specified at the end of this post of Wack0 (http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543), i.e. the six Slowpoke, the Voltorb, Scyther, Jolteon, ten Geodude and finally Voltorb in this order (the first Slowpoke having total and current HP equal to 233).
Finally, using again the ditto glitch, I was able to complete the item quantities requirements:  I wanted to use the ‘change the 2nd item’ script, so as to get another TM48, whose corresponding item list is described near the end of the first post of this topic (http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501).
But when the time comes to select and use the wsm item, then the game freezes.

So I wonder about what I am doing that is wrong, and would like to know if you had some insight about this, if possible.

I thought that maybe those 'corresponding item lists' were designed for Pokémon Blue / Red, and did not work for Pokémon Yellow, or maybe because mine is a French version instead of a US one. Maybe it's because I'm doing something wrong about the bootstrapping step, but I checked again, and it seems to me I have the setting just as Wack0 described in his post (though I wonder about step 22: why does he repeat 'Slowpoke as the 1st Pokémon in the current PC box'? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don't know. In your opinion, how did he proceed to test it, and determine that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.

It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possible another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and you sharing it, it’s wonderful one can do once one understands the inner working of such a game : )
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 08:27:18 am
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much; try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.

EDIT: You're on a French version? Well, there you go. That's the problem. Read the ACE article on the wiki to see the equivalent item.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 04, 2016, 08:32:45 am
It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possible another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and you sharing it, it’s wonderful one can do once one understands the inner working of such a game : )

Hi Pavel, welcome to the forums! :)

You are using a correct bootstrap code for the French version (in non-English European versions the code indeed has to be tweaked, because the addresses are offset by +5).

It's odd that ws m isn't working because if you meet all the item and stored Pokémon requirements the code should work.

Regarding the item position; one thing that may be the problem is if the beginning of your code begins from an item position other than slot 3; as Wack0's bootstrap code is designed to execute your code from slot 3 only; so make sure your item list begins at slot 3.

The place that the item execution begins depends solely on the bootstrap code (how we redirect the code flow from stored Pokémon); so you don't have to worry about ws m executing from the item storage box because that would need a completely different bootstrap code. Using an English language bootstrap code to redirect the code flow to item 3 instead of a French/German/Spanish/Italian one may mean that the game would still run the code from D322, which due to the address differences is effectively English Red/Blue's D31E (item 1 quantity).

Additionally make sure that your item quantities/items are correct and the current box loaded is the same storage box as where you stored your 20 Pokémon (the Slowpoke with 233 HP followed by five Slowpoke, Voltorb, Scyther, Jolteon, ten Geodude, Voltorb).

Hope that helps!

‘Slowpoke as the 1st Pokémon in the current PC box’? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don’t know. In your opinion, how did he proceed to test it, and determined that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.

You don't need to do anything else (unless your Slowpoke is an unstable hybrid Pokémon), and the reason Slowpoke appears again is that after the list of six Pokémon (+the FF end of list) comes the beginning of Pokémon one's data, which contains a copy of the Pokémon's species byte. These bytes would only not match if your Pokémon is a hybrid obtained from a glitch such as the Pokémon merge glitch, in which you would fuse a different Pokémon with Slowpoke.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and you sharing it, it’s wonderful one can do once one understands the inner working of such a game : )

Thank you for the kind words and glad you like our findings! :)

There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so én masse when my Arduinos get here in like 10 days.

Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically なかよしバッヂ if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively; not running the Day Care data.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 08:49:12 am
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so én masse when my Arduinos get here in like 10 days.

Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically なかよしバッヂ if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively; not running the Day Care data.
Makes no mention of the many items with a variant of the name "ws m" nor how I know this.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 04, 2016, 10:00:57 am
Hello Yeniaul and Torchickens, thank you both for your answer!

There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so én masse when my Arduinos get here in like 10 days.

Hm, for the ‘ws m’ item, I followed the indications presented in this video (https://www.youtube.com/watch?v=jR5rov2e6PU), where it is obtained using the ditto glitch with a spe value of 194. So if the ‘ws m’ item of the US version is also supposed to work for the French version, then I should have the correct one, because I am sure I used a pokemon with a ‘spe’ stat value equal to 194.

Ok for the bootstrap, yes, I followed the indications provided by Wack0, which are about a box of 20 specific pokemon in a specific order (but the majority of them are asleep and in bad health, following their capture, and my jolteon comes from a lvl 7 Eevee, obtained through the ditto glitch, don’t know if this is relevant to my problem though). Apart from my jolteon, all of them were captured in a ‘legit’ way, even my scyther.

You are using a correct bootstrap code for the French version (in non-English European versions the code indeed has to be tweaked, because the addresses are offset by +5).

It's odd that ws m isn't working because if you meet all the item and stored Pokémon requirements the code should work.

Regarding the item position; one thing that may be the problem is if the beginning of your code begins from an item position other than slot 3; as Wack0's bootstrap code is designed to execute your code from slot 3 only; so make sure your item list begins at slot 3.

The place that the item execution begins depends solely on the bootstrap code (how we redirect the code flow from stored Pokémon); so you don't have to worry about ws m executing from the item storage box because that would need a completely different bootstrap code. Using an English language bootstrap code to redirect the code flow to item 3 instead of a French/German/Spanish/Italian one may mean that the game would still run the code from D322, which due to the address differences is effectively English Red/Blue's D31E (item 1 quantity).

Additionally make sure that your item quantities/items are correct and the current box loaded is the same storage box as where you stored your 20 Pokémon (the Slowpoke with 233 HP followed by five Slowpoke, Voltorb, Scyther, Jolteon, ten Geodude, Voltorb).

Hope that helps!

Alas, even after verifying everything I could think of, it still did not work, be it the ‘item n°2 x255 script’, or the ‘item n°2 change’ script: my game still freezes.
You mentioned an offset of +5 between the European and the US versions of the game, could it be that this is also relevant to the code being executed by the game when reading the script? For example, if ‘item n°2’ is being referenced by an address number, then the code, and so the item list, should be different between European and US versions, right? For example, while reading the topic a bit more, I found posts where people present evidence that some scripts / item lists are different between the two versions, or even between two European versions with two different languages, such as here (http://forums.glitchcity.info/index.php?topic=6638.msg192602#msg192602) and here (http://forums.glitchcity.info/index.php?topic=6638.msg192604#msg192604): there is a difference of 5 for the ‘TM05’ item.

EDIT:
EDIT: You're on a French version? Well, there you go. That's the problem. Read the ACE article on the wiki to see the equivalent item.
Ok Yeniaul, thanks for the indication, I will look that up right away. I am sorry, I was so focused on my search on this topic / thread of posts in particular that I missed the existence of the other resources of this site : /

EDIT 2:
So I’ve read the ACE wiki page (http://glitchcity.info/wiki/Arbitrary_code_execution), and I saw nothing about ‘equivalent items’ between languages for code in general, though there is a section dedicated to ‘Using 7eme etage’ in those European versions (http://glitchcity.info/wiki/Arbitrary_code_execution#Using_7eme_etage_.2F_P7_.2F_S7_.28French_.26_Italian_.2F_Spanish_.2F_German_Red.2FBlue.29, to which script is that a reference? Is that the name of another object? ), but it seems to be for Red / Blue only.
There is a short section about Yellow’s ‘ws m’ (http://glitchcity.info/wiki/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29), but it only talks about the bootstrapping part, and not about an item equivalence between versions.
Finally, I looked up the ‘non-key item duplication’ part (http://glitchcity.info/wiki/Arbitrary_code_execution#Non-key_item_duplication), which uses different items than what I saw up until now, but it seems designed for Red / Blue; or anyway, it doesn’t work either for me : /
Were you thinking about a specific part when recommending me to look up this wiki page, Yeniaul?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 10:46:52 am
No, you were right the first time. It's for RGB that it's different. My bad. :P
Try healing all of them. It may be the status conditions, as that affected my 8F bootstrap one time.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 04, 2016, 11:18:25 am
I think with both TheZZAZZGlitch's script for changing item 2 and lowena's script for changing item 2 quantity to 255 there should be no differences, as it doesn't specify the address (as in something such as ld a, D05D) and only alters hl; which initially represents item 3 (when you examine the French Yellow bootstrap code, hl ends up becoming D326— item 3).

In the change item 2 identifier script hl is decremented twice to represent item 2 identifier, which is increased by 1 with an inc (hl), so the code should be compatible. The value of 'c' does not matter and is used because it is easy to represent 'inc c' and 'dec c' as an item.

The code for illustration:
Item 1: 8F
Item 2: Item you want to morph
Item 3: Burn Heal            x43
Item 4: Ice Heal             x43
Item 5: Full Heal            x201

ASM:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret
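An added example, not code from the thread: a small Python simulation of the change-item-2 script above. It lays the bag out in memory with the addresses the listing uses (English Red/Blue: item count at $D31D, item 1 identifier at $D31E, so item 3's identifier is at $D322), assumes the bootstrap leaves both pc and hl at item 3 as the post describes, and interprets the handful of Game Boy opcodes the items spell; the morphed item (0x14, Potion) is a constructed input.

```python
# Constructed simulation of the "change item 2" script (not the game's code).
# Addresses follow the listing above: item count at $D31D, item 1 identifier
# at $D31E, so item 3's identifier byte sits at $D322 (assumed English R/B).
ITEM_COUNT_ADDR = 0xD31D
ITEM1_ID_ADDR = 0xD31E
END_OF_LIST = 0xFF

ITEM_8F = 0x5D      # 8F's identifier, from the first post
BURN_HEAL = 0x0C    # identifier doubles as the opcode "inc c" (harmless)
ICE_HEAL = 0x0D     # identifier doubles as the opcode "dec c" (undoes inc c)
FULL_HEAL = 0x34    # identifier doubles as the opcode "inc (hl)"
# The quantities are the opcode bytes that follow each identifier:
#   43 = 0x2B = dec hl,   201 = 0xC9 = ret

MNEMONICS = {0x00: "nop", 0x0C: "inc  c", 0x0D: "dec  c", 0x2B: "dec  hl",
             0x34: "inc  (hl)", 0xC9: "ret"}


def item_addr(slot):
    """Address of the identifier byte of bag slot `slot` (1-based)."""
    return ITEM1_ID_ADDR + 2 * (slot - 1)


def build_bag(items):
    """Lay out [(identifier, quantity), ...] the way the game stores the bag.
    Returns a dict address -> byte covering only the bag region."""
    if not 1 <= len(items) <= 20:
        raise ValueError("the bag holds 1..20 items")
    mem = {ITEM_COUNT_ADDR: len(items)}
    addr = ITEM1_ID_ADDR
    for ident, qty in items:
        if not 1 <= qty <= 255:
            # a quantity of 0 cannot be kept in the bag, so 0x00 (nop) is not
            # available as a quantity byte; this check mirrors that limit
            raise ValueError("quantity must be 1..255")
        mem[addr], mem[addr + 1] = ident & 0xFF, qty & 0xFF
        addr += 2
    mem[addr] = END_OF_LIST
    return mem


def run_from_item3(mem, max_steps=64):
    """Interpret the bag bytes from item 3 onward. Models the state the
    bootstrap leaves behind as the post describes: pc and hl both point at
    item 3's identifier. Returns the executed (address, opcode) trace."""
    pc = hl = item_addr(3)
    c = 0
    trace = []
    for _ in range(max_steps):
        op = mem.get(pc, 0x00)          # unpopulated memory reads as 00 here
        trace.append((pc, op))
        if op == 0x00:                  # nop
            pc += 1
        elif op == 0x0C:                # inc c
            c = (c + 1) & 0xFF; pc += 1
        elif op == 0x0D:                # dec c
            c = (c - 1) & 0xFF; pc += 1
        elif op == 0x2B:                # dec hl
            hl = (hl - 1) & 0xFFFF; pc += 1
        elif op == 0x34:                # inc (hl): bump the byte hl points at
            mem[hl] = (mem.get(hl, 0) + 1) & 0xFF; pc += 1
        elif op == 0xC9:                # ret: control goes back to the game
            return trace
        else:
            raise RuntimeError(f"opcode {op:02X} at {pc:04X} not modelled")
    raise RuntimeError("no ret reached; the real game would keep executing")


def listing(trace):
    """Render the trace in the WRA1:addr byte mnemonic style of the post."""
    return [f"WRA1:{a:04X} {op:02X}  {MNEMONICS.get(op, '??')}" for a, op in trace]


def change_item2(morph_id):
    """Run the change-item-2 script over a constructed bag and return
    (new item 2 identifier, item 2 quantity, trace)."""
    bag = [(ITEM_8F, 1), (morph_id, 1),
           (BURN_HEAL, 43), (ICE_HEAL, 43), (FULL_HEAL, 201)]
    mem = build_bag(bag)
    trace = run_from_item3(mem)
    # hl went D322 -> D321 (item 2 quantity) -> D320 (item 2 identifier)
    return mem[item_addr(2)], mem[item_addr(2) + 1], trace


if __name__ == "__main__":
    new_id, qty, trace = change_item2(0x14)   # 0x14 = Potion, constructed input
    print("\n".join(listing(trace)))
    print(f"item 2: 14 -> {new_id:02X}, quantity still {qty}")
```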
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 04, 2016, 11:26:26 am
No, you were right the first time. It's for RGB that it's different. My bad. :P
Try healing all of them. It may be the status conditions, as that affected my 8F bootstrap one time.

Ok dok, Yeniaul, thanks for the information.
I tried that (healing all the pokemon, and then storing them back in the right order), and I think we are onto something because it did change something: now, after the freeze, my save was gone : /
Well, I guess that was bound to happen at some point, and after all, if using ‘ws m’ worked for me, I was going to use it for the ‘perfect stats and DV’ script, which carried the risk of losing the save, according to the author of the nice youtube video showing how to do this on a VC US Pokemon Yellow. I will try again on an emulator, that will allow me to get some practice first, with the possibility to have a backup of the save.


I think with both TheZZAZZGlitch's script for changing item 2 and lowena's script for changing item 2 quantity to 255 there should be no differences, as it doesn't specify the address (as in something such as ld a, D05D) and only alters hl; which initially represents item 3 (when you examine the French Yellow bootstrap code, hl ends up becoming D326— item 3).

In the change item 2 identifier script hl is decremented twice to represent item 2 identifier, which is increased by 1 with an inc (hl), so the code should be compatible. The value of 'c' does not matter and is used because it is easy to represent 'inc c' and 'dec c' as an item.

The code for illustration:
Item 1: 8F
Item 2: Item you want to morph
Item 3: Burn Heal            x43
Item 4: Ice Heal             x43
Item 5: Full Heal            x201

ASM:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret

Ok Torchickens, thanks for having continued to look into this. Before I saw your answer, I thought about maybe asking Wack0 about the compatibility of the scripts I found on this thread between US Yellow and European (specifically French) Yellow, as he seemed to be the one who has worked the most on these non-US versions; but if you are telling me that there is no difference, then I believe you.
I really wonder why it didn’t work for me, I hope that using an emulator will make things easier for me to look into this : )
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 04, 2016, 11:32:53 am
You're welcome.

I'm sorry to hear about your save file (it sucks and I know it gives me this horrible sinking feeling) and I hope you get the glitch to work soon. Good luck getting it to work on the emulator!

Ok dok, Yeniaul, thanks for the information.
I tried that (healing all the pokemon, and then storing them back in the right order), and I think we are onto something because it did change something: now, after the freeze, my save was gone : /
Well, I guess that was bound to happen at some point, and after all, if using ‘ws m’ worked for me, I was going to use it for the ‘perfect stats and DV’ script, which carried the risk of losing the save, according to the author of the nice youtube video showing how to do this on a VC US Pokemon Yellow. I will try again on an emulator, that will allow me to get some practice first, with the possibility to have a backup of the save.

Note if you get the code to change your Pokémon's stat experience to work (and many other memory editing/execution codes) there is no risk of losing the save file for successful executions as the code doesn't affect the SRAM ($A000-BFFF; which must be write enabled), but I think the only errors are those in preparation, such as having the wrong Pokémon in the current box or a bad item code setup.

This opens up the possibility of the game freezing, such as through execution of the 'rst 38' (hex:FF) instruction. Since at 0038 there is another rst 38, this causes the game to fill the memory with a 00 39 pattern and there is a chance it will corrupt the save file (although I don't know much more about the specifics of this; it could be that the SRAM bank was opened and the SRAM was corrupted).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 04, 2016, 01:28:08 pm
Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 01:45:17 pm
Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)
Shameless self-promotion is shameless.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 04, 2016, 01:54:48 pm
Note if you get the code to change your Pokémon's stat experience to work (and many other memory editing/execution codes) there is no risk of losing the save file for successful executions as the code doesn't affect the SRAM ($A000-BFFF; which must be write enabled), but I think the only errors are those in preparation, such as having the wrong Pokémon in the current box or a bad item code setup.

This opens up the possibility of the game freezing, such as through execution of the 'rst 38' (hex:FF) instruction. Since at 0038 there is another rst 38, this causes the game to fill the memory with a 00 39 pattern and there is a chance it will corrupt the save file (although I don't know much more about the specifics of this; it could be that the SRAM bank was opened and the SRAM was corrupted).

Ok Torchickens, thanks for the explanation.
If that is the case, then maybe I did screw up something about the setup, before my save was erased. I shall find out when I reach this point again. I have found interesting resources here (http://www.smogon.com/forums/threads/pok%C3%A9mon-red-blue-and-yellow-to-be-re-released-for-the-3ds-virtual-console.3555769/page-19) to get to that stage as fast as possible, so as to be able to try it as soon as possible : )

Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)

Ahhhhhhh! After reading the first few lines of the page of PRAMA dedicated to the 8F / 'ws m' glitch, I so wish I pushed my search earlier until I found it and before my save crashed T.T !
Thanks for pointing me to it! As I have said above to Torchickens, I will first do a quick run until I get to the point where I can safely train using this glitch, and if everything works correctly, I will do the same on the VC version : )

EDIT:
It seems the difference with what I was doing earlier is the bootstrapping recipe, as I tried using the one found by Wack0 instead of this shorter one for yellow, according to PRAMA's page (http://www.prama-initiative.com/index.php?page=8f-code-execution). Also, I obtained 'ws m' using the ditto glitch to encounter a certain glitch pokemon, instead of the item underflow glitch. But the item list recipe I used was correct, I am quite sure of that. Oh well, I shall confirm this once my save is ready.


Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)
Shameless self-promotion is shameless.
Well, this promoted site seems to be more relevant to my problem than a mainly-English-game-version oriented site, so it is not especially shameful if it answers the problem I have proposed, right? Besides, on the 8F page of the site, credit is given to Torchickens and TheZZaZZGlitch, so everything is fine, right?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 04, 2016, 02:05:25 pm
Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)
Shameless self-promotion is shameless.

It's more like, you know, pointing out to a guy that there is a place where people can talk about this in his mother tongue.
Would it have been less 'shameless' if someone else pointed it out? This is stupid. You didn't need to be rude.

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 02:32:04 pm
Hey Pavel, do you know there is a french website on glitches? Check out PRAMA Initiative. We also have a board in which we can help you with glitches in french, which might be cool for you  ;)
Shameless self-promotion is shameless.

It's more like, you know, pointing out to a guy that there is a place where people can talk about this in his mother tongue.
Would it have been less 'shameless' if someone else pointed it out? This is stupid. You didn't need to be rude.
Wow, I'm starting to think you can't pick up sarcasm. I wasn't trying to be rude, but I am now, as you've pissed me off. You need to work on being less of an arsehole.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 04, 2016, 03:18:23 pm
Well, I've heard that kind of reflections many times, and I can assure you most of the time people are not joking, but just trying to be a jerk. Sorry if it's not your case, though I don't think that makes me an arsehole.

Anyway, if you insult everyone who doesn't get a joke, then maybe you should work on that, too.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 04, 2016, 04:30:43 pm
Well, I've heard that kind of reflections many times, and I can assure you most of the time people are not joking, but just trying to be a jerk. Sorry if it's not your case, though I don't think that makes me an arsehole.

Anyway, if you insult everyone who doesn't get a joke, then maybe you should work on that, too.

Check my sig. Blue line. I'm on the Autism Spectrum because I haven't been able to develop social skills (Asperger's Syndrome). And no, you're not an arsehole. More sarcasm.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 04, 2016, 11:33:22 pm
Well, I've heard that kind of reflections many times, and I can assure you most of the time people are not joking, but just trying to be a jerk. Sorry if it's not your case, though I don't think that makes me an arsehole.

Anyway, if you insult everyone who doesn't get a joke, then maybe you should work on that, too.

Check my sig. Blue line. I'm on the Autism Spectrum because I haven't been able to develop social skills (Asperger's Syndrome). And no, you're not an arsehole. More sarcasm.

Gotcha. Well, IMHO, as far as I know, when talking face to face, things such as sarcasm or irony transpire through the tone of the voice or the expression made by one's face while speaking. It can also be conveyed to someone without those clues if that someone knows the speaker well enough 'IRL', and has had the opportunity to train himself to recognize in which situations the speaker is prone to using sarcasm, so that he can apply his predicting skills on just plain text.
Seeing as we are not face to face, nor do we know you well enough, we cannot do that, so as a default, people would tend to interpret your words at face value, just as they appear to be.
In that case, if you want to convey sarcasm through text to people who do not know you well enough, you can use smileys, who take the role of facial expressions. In this case, maybe an emoticon like ': )' or ': D' (i.e.: to mean that your words were not to be taken for their a priori negative connotations) would have done the trick. Conversely, if you wanted to express sarcasm or irony regarding a sentence that carries a priori a positive meaning, you could use perhaps emoticons such as ': /' or '9_9' (for 'rolling eyes').

I am sorry for your condition, but without knowing this, people will expect you to express yourself this way / to have those skills, and, in my opinion, you cannot blame them for reacting as if they have been attacked when the sum of their previous experiences tells them they probably have been attacked. Now, a de-escalating approach would be to question 'the attacker' in order to know if he really has chosen to attack one, but you should not count on it.
It is true that you put the information regarding your condition in your signature, but yours seems quite long (even though only the first sentences are 'normally big'), so people might not read it (I know I didn't, and wasn't aware of your message in it until you pointed it out; but then it might be part of what can be expected of a newcomer to correctly read the signature of everyone who posts on a forum; seeing as I do not participate often on a forum I do not know if such an etiquette exists; if it does, then I sincerely apologize for not respecting it at first).

I apologize if what I have said sounds patronizing, but it seems to me this is better being said / being reminded, so that I can be sure (I do not know the experiences lived by every one of you) that everyone is on the same page. I should not bother you (all of you) afterwards.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Hālian on September 04, 2016, 11:54:29 pm
I am sorry for your condition

Autism is not a condition.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 05, 2016, 12:30:33 am
I am sorry for your condition

Autism is not a condition.

Since my practice and understanding of English might not be good enough for this yet (or, since I am not concerned, I apparently never learned how to phrase it correctly in either language, maybe), I apologize for having used this expression then. Now, according to you, and most importantly, according to the person concerned, how should I have phrased this / made a reference to this?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 05, 2016, 08:18:05 am
Autism isn't a "condition". It's treated as something curable by modern medicine. Autism may be caused by many things: 3 of a certain chromosome, certain environmental factors, certain genetic combinations, even some chemical imbalances. I'm classified as High-Functioning Asperger's, which is approximately 19% on the Autism Spectrum. Since Asperger's can be environmental OR genetic, my kids may or may not get it.

Oh, and we derailed a STICKY. How'd we even do that???
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on September 05, 2016, 09:42:10 am
Autism isn't a "condition". It's treated as something curable by modern medicine. Autism may be caused by many things: 3 of a certain chromosome, certain environmental factors, certain genetic combinations, even some chemical imbalances. I'm classified as High-Functioning Asperger's, which is approximately 19% on the Autism Spectrum. Since Asperger's can be environmental OR genetic, my kids may or may not get it.

Oh, and we derailed a STICKY. How'd we even do that???

I range on the autistic spectrum and have high functioning autism too. I personally like to think of it as part of who I am. Some people don't understand it and think of it as a 'condition' or 'illness' but it is neither, it doesn't debilitate us nor does it mean we don't have the ability to empathize or have a theory of mind.

The spectrum is fluid, like I know in real life I don't always find social communication natural; and have obsessive interests like with video games and glitches, additionally I'm not very good at fine motor skills. Some people may think when they hear the word 'autism' that I have a learning disability but the connotations of that may not be entirely true.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ravioli on September 05, 2016, 02:05:32 pm
im a normal dude who likes glitches and arbitrary code execution

there
now can we get on-subject again so i can continue lurking the thread
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 05, 2016, 03:00:53 pm
Sure. Pavel, I've just thought of something very stupid (however, sometimes it's just stupid things that break everything :P), is that box with the correct Pokémon your current box?

Or, to try something else, try placing some CT01 in your inventory's third slot. If you get a crash, there's a problem with your bootstrapping setup. Otherwise, the problem came from the item list.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: naf102 on September 05, 2016, 05:16:38 pm
All of the 8F codes linked in the front are down so can someone repost those codes in the thread?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 05, 2016, 05:34:03 pm
im a normal dude
Wow...
I'm not going to take the rage bait. I'm not going to take the rage bait. I'm not going to take the rage bait.
I'm not going to take the rage bait.
I'M NOT GOING TO TAKE THE RAGE BAIT.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 05, 2016, 08:59:27 pm
Ok everyone, thanks for your answers and the information you have provided me. Again, I apologize if what I said hurt one of you. I would like not to continue derailing this thread, as some have pointed out, but I do not feel the conversation has ended yet, because I am still not sure of which short expression to use in order to refer to it / to its presence in a polite / formal way. Can I use ‘trait of personality’? ‘Quirk’?

Autism isn't a "condition". It's treated as something curable by modern medicine. Autism may be caused by many things: 3 of a certain chromosome, certain environmental factors, certain genetic combinations, even some chemical imbalances. I'm classified as High-Functioning Asperger's, which is approximately 19% on the Autism Spectrum. Since Asperger's can be environmental OR genetic, my kids may or may not get it.

Oh, and we derailed a STICKY. How'd we even do that???

I am also a bit confused because you said it was not a condition, then you said it is ‘treated as something curable by modern medicine’: are you thus saying that ‘modern medicine’ should stop considering this as ‘something curable’ (much like it was sadly trying to ‘cure’ non-traditional gender until recently?), that doing so is insulting toward you, for instance? Maybe, in any case, you would prefer the word ‘condition’ not to be used, because it is negatively emotionally charged, and you would not want people to behave toward you differently from the way they behave with each other? I am still at a loss for now. Clarifying this would also allow us to prevent more easily the occurrences of sentences such as "I am a normal guy." that can be hurtful for persons belonging to a minority (as an aspiring 'sciency guy', I would say a way to put it without any unfortunate implication would be 'I am a more statistically frequent person with regards to what is being discussed.').

But if you and others would prefer that we do not speak of this anymore because it is derailing the thread, so be it

Sure. Pavel, I've just thought of something very stupid (however, sometimes it's just stupid things that break everything :P), is that box with the correct Pokémon your current box?

Or, to try something else, try placing some CT01 in your inventory's third slot. If you get a crash, there's a problem with your bootstrapping setup. Otherwise, the problem came from the item list.

Oh, that's a good idea! From what I have read here, the only thing this object does is encode a ‘return’, so that should indeed allow me to understand whether the problem comes from the bootstrapping part, or from the item recipe, nice one!
For information, using a ROM, I was quickly able to go back to the point where I can perform the glitch, now I am attempting to collect the pokemon necessary for the box setup.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 05, 2016, 09:26:32 pm
To tell you the truth I was going to answer you but I forgot the question XD
Anyway, it's more of a name than anything. Y'know, in the way that we're people and not some fucked-up meatbags that just look like humans... which is how society views Autistic people. So... it's a naming convention, like those ever-diminishing middle-names. (Adrian)
So it's not important on a large scale, although those with it have... peculiar abilities. Oh, like the blue line in my signature!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 06, 2016, 11:56:54 am
To tell you the truth I was going to answer you but I forgot the question XD
Anyway, it's more of a name than anything. Y'know, in the way that we're people and not some fucked-up meatbags that just look like humans... which is how society views Autistic people. So... it's a naming convention, like those ever-diminishing middle-names. (Adrian)
So it's not important on a large scale, although those with it have... peculiar abilities. Oh, like the blue line in my signature!

Hm, ok, so, since we are not in the context of a conversation related to medicine or anything, the use of the word “condition” was unnecessary, and instead of “I am sorry for your condition.”, I should have said something along the lines of “I am sorry that this difference between you and a majority of persons often results in such misunderstanding between you and other people.”.


Back to the main topic: it worked! On my ROM save, using the bootstrapping team that is tangela-based, using the wsm item causes no bug a priori. I was able to carry out the ‘duplicate item’ and ‘replace item’ glitches. But when I tried the ‘set perfect DV and stat experience on the first pokemon in the team’ (such as described in this video https://www.youtube.com/watch?v=jR5rov2e6PU), I encountered a bug: after performing the manipulation, I store the pokemon in the PC so as to force the game to compute its stats anew, but when I try to retrieve it, the game freezes. Also, I noticed that the stats' respective values are indeed increased, except for the speed stat. I checked this out for two pokemon, a lvl100 Mew and a lvl11 Charmander, and I observed the same thing each time. The Charmander itself was not EV trained (and Mew wasn’t either), so its speed stat should have risen, even in the unlikely event that its speed DV was perfect from the get-go. So I am wondering if there is a link between the fact that the game froze when trying to retrieve it, and the fact that the speed stat seemed unaffected by the manipulation. Would any of you have any insight regarding this, by chance?

Next I’ll try the daycare cloning manipulation, and the ‘receive a perfect pokemon’ manipulation.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 06, 2016, 12:36:17 pm
The only reason I see for the game freezing is your Pokémon had negative EXP (what 'bout its LOVE ? :P)
Didja really really think I'd stand there and take it offset addresses by 5 in the code ?
Oh, and I guess you should change the first byte in the mon's XP to 0x7F? That should correct negative HP.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on September 06, 2016, 03:25:50 pm

Back to the main topic: it worked! On my ROM save, using the bootstrapping team that is tangela-based, using the wsm item causes no bug a priori. I was able to carry out the ‘duplicate item’ and ‘replace item’ glitches. But when I tried the ‘set perfect DV and stat experience on the first pokemon in the team’ (such as described in this video https://www.youtube.com/watch?v=jR5rov2e6PU), I encountered a bug: after performing the manipulation, I store the pokemon in the PC so as to force the game to compute its stats anew, but when I try to retrieve it, the game freezes. Also, I noticed that the stats' respective values are indeed increased, except for the speed stat. I checked this out for two pokemon, a lvl100 Mew and a lvl11 Charmander, and I observed the same thing each time. The Charmander itself was not EV trained (and Mew wasn’t either), so its speed stat should have risen, even in the unlikely event that its speed DV was perfect from the get-go. So I am wondering if there is a link between the fact that the game froze when trying to retrieve it, and the fact that the speed stat seemed unaffected by the manipulation. Would any of you have any insight regarding this, by chance?

Next I’ll try the daycare cloning manipulation, and the ‘receive a perfect pokemon’ manipulation.

Giving a Rare Candy to you're Pokémon should bypass the need to put it in the box. If it's not lvl 100 already of course  ::)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 06, 2016, 07:01:56 pm

Back to the main topic: it worked! On my ROM save, using the bootstrapping team that is tangela-based, using the wsm item causes no bug a priori. I was able to carry out the ‘duplicate item’ and ‘replace item’ glitches. But when I tried the ‘set perfect DV and stat experience on the first pokemon in the team’ (such as described in this video https://www.youtube.com/watch?v=jR5rov2e6PU), I encountered a bug: after performing the manipulation, I store the pokemon in the PC so as to force the game to compute its stats anew, but when I try to retrieve it, the game freezes. Also, I noticed that the stats' respective values are indeed increased, except for the speed stat. I checked this out for two pokemon, a lvl100 Mew and a lvl11 Charmander, and I observed the same thing each time. The Charmander itself was not EV trained (and Mew wasn’t either), so its speed stat should have risen, even in the unlikely event that its speed DV was perfect from the get-go. So I am wondering if there is a link between the fact that the game froze when trying to retrieve it, and the fact that the speed stat seemed unaffected by the manipulation. Would any of you have any insight regarding this, by chance?

Next I’ll try the daycare cloning manipulation, and the ‘receive a perfect pokemon’ manipulation.
Rare Candy to you're Pokémon
why?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 06, 2016, 09:26:34 pm
The only reason I see for the game freezing is your Pokémon had negative EXP (what 'bout its LOVE ? :P)
Didja really really think I'd stand there and take it offset addresses by 5 in the code ?
Oh, and I guess you should change the first byte in the mon's XP to 0x7F? That should correct negative HP.

Ahah, nice references :D I have only started playing the game recently, but with what I have spoilt myself already, I even got the second one ; ) Being so meta is already reason enough to be awesome, but when you factor in the characters and the music, it becomes even more than that!

Yes, now that I think about it, it must be because of the offset of +5. The previous two manipulations seemed simple, and not to necessitate the coding of a memory address, according to what Torchickens said, so that is why they worked for me even though they were primarily conceived to work for a US version. Welp, I won’t escape it this time, I must delve into understanding how you guys do it, so that I can modify the code myself. Now that I have a ROM, I can experiment all I want anyway.


Giving a Rare Candy to you're Pokémon should bypass the need to put it in the box. If it's not lvl 100 already of course  ::)

Thanks for the information, Skeef. It is a workaround for non lvl100 pokemon, but on the long run it is better for me to learn how to code this myself, so that is what I will try to do for now : )


EDIT:
Ok, made it work: even without understanding the inner details, it is obvious that the 'X accuracy' number represents at least part of an address, since we have to change it to affect different stats. Since there is an offset of +5 between US and European version, we just have to start the manipulation with 5 more 'X accuracy', i.e. from a number of 139 instead of 134, and stop at 128 instead of 123. So for a European version, the proper starting item list to use is:
1: wsm
2: any item
3: Lemonade x255
4: X Accuracy x139
5: Carbos x209
6: Poke Ball x119
7: Fresh Water x201

Now trying to make the daycare cloning manipulation work (described here: http://forums.glitchcity.info/index.php?topic=6638.msg200226#msg200226). Just taken like this, it does not work for me. I thought about which item / item number could represent the address to which I want to add +5, in order to reach 77. After reading the asm code, I think I have to add +5 to the number X Accuracy. I will try this, and come back to tell you whether it worked or not.

EDIT2: Nope, X Accuracy x77 did not work. I really will have to properly look into this.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 07, 2016, 12:23:00 am

Back to the main topic: it worked! On my ROM save, using the bootstrapping team that is tangela-based, using the wsm item causes no bug a priori. I was able to carry out the ‘duplicate item’ and ‘replace item’ glitches. But when I tried the ‘set perfect DV and stat experience on the first pokemon in the team’ (such as described in this video https://www.youtube.com/watch?v=jR5rov2e6PU), I encountered a bug: after performing the manipulation, I store the pokemon in the PC so as to force the game to compute its stats anew, but when I try to retrieve it, the game freezes. Also, I noticed that the stats' respective values are indeed increased, except for the speed stat. I checked this out for two pokemon, a lvl100 Mew and a lvl11 Charmander, and I observed the same thing each time. The Charmander itself was not EV trained (and Mew wasn’t either), so its speed stat should have risen, even in the unlikely event that its speed DV was perfect from the get-go. So I am wondering if there is a link between the fact that the game froze when trying to retrieve it, and the fact that the speed stat seemed unaffected by the manipulation. Would any of you have any insight regarding this, by chance?

Next I’ll try the daycare cloning manipulation, and the ‘receive a perfect pokemon’ manipulation.
Rare Candy to you're Pokémon
why?
'Cause typos.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 07, 2016, 05:18:56 am
It'd be kinda funny if in 5 years the Autism posts were still there... it'd be like talking about soup in the middle of a Master's essay to see if ...whoever grades those things reads it or not.
Anyway, if the addresses are +5, why'd you lower the number of X Accuracy by more than 60?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 07, 2016, 07:27:50 am
He first needs to fix the negative experience Pokémon then run the offset code.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on September 07, 2016, 09:38:21 am
He first needs to fix the negative experience Pokémon then run the offset code.
Well, yeah, but still...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on September 07, 2016, 10:21:40 am

Now trying to make the daycare cloning manipulation work (described here: http://forums.glitchcity.info/index.php?topic=6638.msg200226#msg200226). Just taken like this, it does not work for me. I thought about which item / item number could represent the address to which I want to add +5, in order to reach 77. After reading the asm code, I think I have to add +5 to the number X Accuracy. I will try this, and come back to tell you whether it worked or not.

EDIT2: Nope, X Accuracy x77 did not work. I really will have to properly look into this.

Because English Yellow has a -1 offset to English Red/Blue. I think the +5 for European Yellow is compared to English Yellow. That makes +4 compared to English Red/Blue.

It would need 71 X Accuracy in English Yellow. So 76 for European Yellow?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 07, 2016, 12:03:17 pm
It'd be kinda funny if in 5 years the Autism posts were still there... it'd be like talking about soup in the middle of a Master's essay to see if ...whoever grades those things reads it or not.
Anyway, if the addresses are +5, why'd you lower the number of X Accuracy by more than 60?

I was now referring to me try to implement the 'daycare cloning' manipulation, not the 'force max DV and experience stat' manipulation anymore, since I finally succeeded in doing this one : )



Now trying to make the daycare cloning manipulation work (described here: http://forums.glitchcity.info/index.php?topic=6638.msg200226#msg200226). Just taken like this, it does not work for me. I thought about which item / item number could represent the address to which I want to add +5, in order to reach 77. After reading the asm code, I think I have to add +5 to the number X Accuracy. I will try this, and come back to tell you whether it worked or not.

EDIT2: Nope, X Accuracy x77 did not work. I really will have to properly look into this.

Because English Yellow has a -1 offset to English Red/Blue. I think the +5 for European Yellow is compared to English Yellow. That makes +4 compared to English Red/Blue.

It would need 71 X Accuracy in English Yellow. So 76 for European Yellow?


Ah, this explains it; I did not know this relationship between the memory addresses of R/B and those of Y, thanks for the information. Indeed, when using 76 X Accuracy, it works.
Now I just have to figure out if there is a way to implement a manipulation allowing to receive a pokemon of one's choice, but with the perfect stats already here. But this is just for convenience, because thanks to all of you, I now have the possibility to achieve all that I want to do with a save of Pokemon Yellow : ) !
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 08, 2016, 12:46:52 am
Yes,
European R/B = English R/B + 5
English Y = English R/B - 1
European Y = European R/B - 1

So,

European Y = English Y + 5
European Y = English R/B + 4
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Hālian on September 09, 2016, 07:53:40 pm
Y*?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 10, 2016, 03:37:53 am
Yeah, sure. Sorry  :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 11, 2016, 05:15:12 am
Hello everyone,

Still trying to make the ‘Catch Them All 2’ procedure work (described at the end of the first post of the thread, here: http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501). My first approach was to try to recognize what is a memory address in the asm code of the manipulation, increase it by 4, then convert it back into an ‘item; number of items’ pair using a sheet such as this one (https://dl.dropboxusercontent.com/u/54952583/tmp.html). If I understood correctly, the procedure aims to call the function beginning at the memory address ‘3E48’ in US R/B. That means that the same function should be located at ‘3E4C’ in French Yellow (3E48 + 4). If I am not wrong, that means I should use TM05 x76 instead of TM05 x72. But it does not work, it makes my game freeze.

But something funny happened when I tried it with TM05 x99: it worked, and I got a lvl11 Omastar (I tried the procedure with Repel x40 to get a Chansey, for information). The quantity of Repel does not seem to change the species of the pokemon: whether 39, 38 or 26, I always get a lvl11 Omastar. With TM05 x98, I still get a lvl11 Omastar. With TM05 x97, I get a lvl 211 Omastar. With TM05 x96, I get a lvl 2 Omastar. When using TM05 x95, my game freezes.

I thought that maybe the ‘ld c, 02’ part of the asm code was also linked to a memory address definition down the line (in the called procedure, maybe), so I added +4 to it (that implied using the Bicycle rather than the Ultra Ball, and using first another item so as to be able to set the value to 64), but it changed nothing in particular (still froze when using TM05 x76 or x72, still lvl11 Omastar with TM05 x99), except that when I used TM05 x96, I got a lvl 6 Omastar rather than a lvl 2, so I assume that this line in the asm procedure is used to set the lvl of the received pokemon to 2, so as to be able to train it however one wants.


So I am a bit baffled by this, and I wonder what I still do not know / do not understand so as to be able to translate such a procedure between the different versions of the game.
Also, it would be interesting to have a resource that lists the different procedures stored in the game’s memory, as well as the addresses that allow calling them. Does such a resource exist? For example, how were you able to know that we must use the procedure stored at the address ‘3E48’ for the US R/B version, in this case?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 11, 2016, 06:11:02 am
Beware, not every byte in memory is shifted in EU localizations.

Memory is segmented into multiple segments ; namely ROM, VRAM, SRAM, WRAM, ERAM, OAM and HRAM.
ROM addresses differ in complex ways between US and EU localizations. Usually when using functions, keep the address.
VRAM is the same (since a US GB and a EU GB are the same)
SRAM didn't change at all.
WRAM has the +5 (between US R/B and EU R/B) shift, but ONLY past certain addresses (I think the line is near D100).
ERAM is basically a copy of WRAM, but it's... complicated. Avoid it.
Do NOT touch OAM. Srsly.
HRAM didn't change.

So, you should try NOT to modify the function address :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on September 11, 2016, 09:29:44 am
The shift in European non-English games starts at CF00, I think. Well, I don't know for CEXX, but CDXX (battle addresses) are not shifted and CFXX (Mart addresses) definitely are.

Since European non-English R/B and Y are not shifted outside of this area, I'm guessing there is no shift between English language R/B and Y either.

For what it's worth, PRAMA has a gameshark section with all the shifted WRAM addresses for everything :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 11, 2016, 04:11:48 pm
Shameless ad is shameless. But nevertheless, it's a good resource if you understand French.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 12, 2016, 12:37:22 am
Ah, ok, so it’s more complex than what I thought.
Thanks for the information, ISSOtm and Krys3000. I will look at the Gameshark section of PRAMA : )
Though if I could try to make the ‘Catch Them All 2’ work, it would be great too (I may have missed something on PRAMA's Gameshark section, but I do not remember seeing something like this; if I ever find it I will let you know for sure), so I will continue to look into it when I have some time!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: XTFOX on September 15, 2016, 05:04:38 pm
Has anybody tried writing scripts to sections of pokemon data for easy storage? I'd like to be able to just use " call nn " to the address of the script rather than editing items each time.

Code:
call ZZYY
ret

Items:
Something like above would allow easy access to any script and changing the script would be as simple as swapping item YY x ZZ. For example if I were to have the following code as the first 3 items in the PC and wanted to copy it to Pokemon 4 in party's moves:

Code:
Box Items:

D53B-D53C: ld h, D3 ;Carbos x 211
D53D-D53E: ld l, 22 ;X Accuracy x 34
D53F:    jp hl ;TM 33 x Any

Code:
Start of destination WWVV (D1F7)
Start of target code UUTT (D53B)
End of target code ??ZZ +1 (D1FB+1 = D1FC)
Note that all inc b are filler.

Code Value Item Breakdown
inc b ; Pokeball
ld d, UU ;D5 x22 && TM13
inc b ; x04
ld e, TT ;3B Repel x59
ld h, WW ;D1 Carbos x209
ld l, VV ;F7 X Accuracy x247
inc b ; Pokeball
ld a, (de) ; x26
inc de ; Super Potion
ld (hl+),A ; x34
ld a, ZZ ;FC Lemonade x252
inc b ; Pokeball
cp l ; x189
jr nz, F7 ; Fire Stone x247
ret ; TM01

Your Items:

This is just a proof of concept, ideally anybody could change the values of X Accuracy, Carbos, Repel, and Lemonade to make a new destination or starting point for any length script. Note that if you are storing the script to be copied in your item box then TM13 (D5) will never need to change. Finally this current set up is used to copy a bootstrap to Tentacool when using the Pidgey (233 HP), Parasect, Onix, Tentacool, and Kangaskhan bootstrap. This will allow you to use the following pokemon as a bootstrap:

Note that 3, 4 or 5 pokemon can be used as long as the first 2 slots are correct. Anybody have ideas of where to store the scripts? Also does anybody know if hacked pokemon are tradeable on 3DS versions of RBY?

EDIT: Also I didn't think about this while I was writing but this could be used to copy any sections of ram, for example pokemon or item duplication.
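The copy routine above can be checked without a console. The following is an added example, not XTFOX's code nor anything from the thread: it turns the (item, quantity) list into the byte string it encodes, using the item IDs that the post's own byte/item pairs give (Poké Ball = 04, Super Potion = 13, Repel = 1E, Fire Stone = 20, Carbos = 26, X Accuracy = 2E, Lemonade = 3E, TM01 = C9, TM13 = D5), then runs those bytes through a minimal interpreter for just the LR35902 opcodes the routine uses, with the source bytes at D53B and the destination at D1F7 as in the post. The load address 0xD322 is an assumption used only to give the simulated program counter a value; the routine itself is position independent since its only jump is relative.

```python
"""Assemble an item-encoded copy routine and simulate it on a 64 KiB memory image.

Added example, not code from the thread. Only the opcodes the routine needs are
implemented; an unexpected byte raises instead of being skipped, so an encoding
mistake in the item list shows up immediately.
"""

# Item ID (the opcode/operand byte each item name stands for), from the post's listing.
ITEM_ID = {
    "Poke Ball": 0x04,     # inc b   (filler)
    "Super Potion": 0x13,  # inc de
    "Repel": 0x1E,         # ld e, n
    "Fire Stone": 0x20,    # jr nz, e
    "Carbos": 0x26,        # ld h, n
    "X Accuracy": 0x2E,    # ld l, n
    "Lemonade": 0x3E,      # ld a, n
    "TM01": 0xC9,          # ret
    "TM13": 0xD5,          # used here as the high byte of the source address
}

# The post's item list: each entry contributes (item ID, quantity) = two code bytes.
COPY_ROUTINE = [
    ("Poke Ball", 22),      # 04 16  inc b ; ld d, ...   (quantity 0x16 is the ld d opcode)
    ("TM13", 4),            # D5 04  ... D5 ; inc b      -> d = D5
    ("Repel", 0x3B),        # 1E 3B  ld e, 3B            -> de = D53B (source)
    ("Carbos", 0xD1),       # 26 D1  ld h, D1
    ("X Accuracy", 0xF7),   # 2E F7  ld l, F7            -> hl = D1F7 (destination)
    ("Poke Ball", 26),      # 04 1A  inc b ; ld a, (de)
    ("Super Potion", 34),   # 13 22  inc de ; ld (hl+), a
    ("Lemonade", 0xFC),     # 3E FC  ld a, FC            (stop once l reaches FC)
    ("Poke Ball", 189),     # 04 BD  inc b ; cp l
    ("Fire Stone", 0xF7),   # 20 F7  jr nz, -9           (back to ld a, (de))
    ("TM01", 1),            # C9 ..  ret                 (the quantity byte is never executed)
]


def assemble_items(items):
    """Return the bytes the item list encodes: item ID followed by quantity, per slot."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"quantity {qty} for {name} does not fit in one byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)


def run(code, mem, base):
    """Load `code` at `base` in `mem` and interpret it until `ret`; return the registers."""
    mem[base:base + len(code)] = code
    r = {"a": 0, "b": 0, "d": 0, "e": 0, "h": 0, "l": 0}
    load_target = {0x16: "d", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}
    zero = False
    pc = base
    for _ in range(10_000):                 # step bound so a bad loop cannot hang the caller
        op = mem[pc]
        pc += 1
        if op == 0x04:                      # inc b
            r["b"] = (r["b"] + 1) & 0xFF
        elif op in load_target:             # ld r, n  (8-bit immediate)
            r[load_target[op]] = mem[pc]
            pc += 1
        elif op == 0x1A:                    # ld a, (de)
            r["a"] = mem[(r["d"] << 8) | r["e"]]
        elif op == 0x13:                    # inc de
            de = (((r["d"] << 8) | r["e"]) + 1) & 0xFFFF
            r["d"], r["e"] = de >> 8, de & 0xFF
        elif op == 0x22:                    # ld (hl+), a
            hl = (r["h"] << 8) | r["l"]
            mem[hl] = r["a"]
            hl = (hl + 1) & 0xFFFF
            r["h"], r["l"] = hl >> 8, hl & 0xFF
        elif op == 0xBD:                    # cp l  (sets Z when a == l)
            zero = r["a"] == r["l"]
        elif op == 0x20:                    # jr nz, e  (signed offset from the next instruction)
            off = mem[pc] - 256 if mem[pc] > 127 else mem[pc]
            pc += 1
            if not zero:
                pc = (pc + off) & 0xFFFF
        elif op == 0xC9:                    # ret ends the item-encoded program
            return r
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {pc - 1:04X}")
    raise RuntimeError("routine did not return within the step bound")


SRC, DST, LENGTH = 0xD53B, 0xD1F7, 5       # addresses and length from the post
LOAD_ADDR = 0xD322                         # assumption: where the simulated code sits


def demo():
    """Copy the constructed box-item bytes and return (copied, original, registers)."""
    mem = bytearray(0x10000)
    # Constructed source: the post's three box items (ld h, D3 / ld l, 22 / jp hl).
    stored = bytes([0x26, 0xD3, 0x2E, 0x22, 0xE9])
    mem[SRC:SRC + LENGTH] = stored
    regs = run(assemble_items(COPY_ROUTINE), mem, LOAD_ADDR)
    return bytes(mem[DST:DST + LENGTH]), stored, regs


if __name__ == "__main__":
    copied, original, regs = demo()
    print("copied:", copied.hex(), "matches source:", copied == original)
```

The loop stops when `l` equals the Lemonade quantity (FC), so the five bytes at D53B..D53F end up at D1F7..D1FB and `hl` is left at D1FC; changing the Repel, TM13, Carbos, X Accuracy and Lemonade quantities moves the source, destination and end exactly as the post describes, and `assemble_items` can encode any other item-based program the same way.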
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Max on September 15, 2016, 08:54:41 pm
I had a similar idea myself: to use the current box RAM for permanent subroutines. I haven't implemented this idea yet because I do not understand enough about the subject. The theory is as follows:

Assuming SRAM holds state due to the cartridge battery,
Assuming SRAM is written to by a "save" subroutine in ROM
Assuming the "save" subroutine copies an entire section of WRAM to SRAM, specifically, that the entire current box pokémon list data is copied to SRAM regardless of the number of pokémon in the box

So we can have an empty box filled with subroutines instead of pokémon data.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 16, 2016, 05:26:33 pm
I had a similar idea myself: to use the current box RAM for permanent subroutines. I haven't implemented this idea yet because I do not understand enough about the subject. The theory is as follows:

Assuming SRAM holds state due to the cartridge battery,
Assuming SRAM is written to by a "save" subroutine in ROM
Assuming the "save" subroutine copies an entire section of WRAM to SRAM, specifically, that the entire current box pokémon list data is copied to SRAM regardless of the number of pokémon in the box

So we can have an empty box filled with subroutines instead of pokémon data.
From what I know, the game does just that. However, to access SRAM, you must unlock it (write $0A in range 0000 - 1FFF). Plus, to prevent your save file from decaying, you should lock SRAM right after (either write any non-$0A to the memory range, or call some game code that just does that). Saving in any way (and accessing / updating the HoF too) should also lock SRAM.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on September 22, 2016, 02:49:42 pm
I just watched this (https://www.youtube.com/watch?v=Zd2595c_72M&t=0s) video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Charmy on September 22, 2016, 11:21:03 pm
The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Recently, we had some maintenance.

I just watched this (https://www.youtube.com/watch?v=Zd2595c_72M&t=0s) video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

I semi-understand this.
8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
For larger codes you need to make a script I don't remember.
You can get stacks of items over 99 via 'M or Missingno. (all forms).
Yellow has w  s m, which is equal to 8F.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on September 23, 2016, 04:56:44 pm
The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Recently, we had some maintenance.

I just watched this (https://www.youtube.com/watch?v=Zd2595c_72M&t=0s) video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

I semi-understand this.
8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
For larger codes you need to make a script I don't remember.
You can get stacks of items over 99 via 'M or Missingno. (all forms).
Yellow has w  s m, which is equal to 8F.

I understand how 8F works, but I don't know how loading the save file after restarting caused arbitrary code to run (in order to display the text and stuff)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 25, 2016, 12:47:01 pm
Hello everyone!

Still trying to get a working version of the ‘Catch Them All 2’ (http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501, at the end of the first post) for a French Pokemon Yellow; I’m still stuck with only being able to get an Omastar, with the following minimal code:
1: wsm
2: whatever
3: TM05 x96
4: Lemonade x201
 which translates to the following asm code:
CD 60 3E <=> call 3E60
C9       <=> ret

I guess that the ‘call’ action calls a function which begins at the specified location in memory, and that this function either uses the current value of some counter variables (such as ‘c’ or ‘b’), or the current values located at some places in memory, in which case we use the counter to set the value specified by those memory locations.
I was wondering where you got the information about which memory location corresponds to which function, and what the arguments of a given function are, and their corresponding counter / memory location. I read somewhere that things such as a decompilation project, such as 'https://github.com/pret/pokered' can help, but in this case, even if I think I found what I was looking for (https://github.com/pret/pokered/blob/7c01509b6b69b4dc33f5d739589d50f26ffd65b0/engine/give_pokemon.asm), I am still not able to use this knowledge, because I do not know the memory addresses corresponding to the function or its arguments.
Well, I guess I may have found myself a starting memory address for this function that does not make the game freeze (the one I use above, ‘3E60’), but I am not sure that it is the correct one (following the +4 offset between US B/R and European Y, it should have been ‘3E4C’, but this one makes my game freeze), and I am still not able to parametrize the given pokemon species.

So that is why I am asking you: would it be possible for you to tell me how you determine where the function you want to call begins in memory, and which are its corresponding arguments, and their respective memory representation / location, please?



I am sorry jfb1337, I do not know enough, I cannot help you : /
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on September 27, 2016, 07:36:59 am
However, to access SRAM, you must unlock it (write $0A in range 0000 - 1FFF). Plus, to prevent your save file from decaying, you should lock SRAM right after (either write any non-$0A to the memory range, or call some game code that just does that). Saving in any way (and accessing / updating the HoF too) should also lock SRAM.

Actually, none of that is necessary in Gen I. SRAM is permanently unlocked there and can be accessed at any time. The programmers didn't decide to take advantage of SRAM locking until Generation II.
I don't agree. See https://github.com/pret/pokered/blob/2b2c6fefd311101c87845c8c498746dc74bd725f/engine/save.asm#L35 and https://github.com/pret/pokered/blob/2b2c6fefd311101c87845c8c498746dc74bd725f/engine/save.asm#L226
SRAM is enabled and disabled, so it is locked in normal gameplay. We would still need to write $0A.

The link in the description was broken, after trying to fix it it just led to the first post on this topic.
Recently, we had some maintenance.

I just watched this (https://www.youtube.com/watch?v=Zd2595c_72M&t=0s) video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

I semi-understand this.
8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
For larger codes you need to make a script I don't remember.
You can get stacks of items over 99 via 'M or Missingno. (all forms).
Yellow has w  s m, which is equal to 8F.

I understand how 8F works, but I don't know how loading the save file after restarting caused arbitrary code to run (in order to display the text and stuff)
There are several ways of achieving this, such as modifying D36E (the current map script) to run code written somewhere in RAM (in the case of this creepypasta save file, the PC Pokémon data will largely suffice, I think). Then, you have some code that's automatically run as the save file is loaded.
I don't know if there is a way to run custom code before selecting a file, but I heavily doubt it.

General method :
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on September 27, 2016, 01:06:28 pm
Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address ‘3E48’, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the recipe for receiving a pokemon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.

Now the code works wonders, I can receive the pokemon of my choice at lvl2 : )

Thanks again for having taken the time to answer my questions and my messages : ) !
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Dudeopi on October 11, 2016, 11:16:24 am
Hi, I'm new here. I've been trying to learn 8F asm programming and I mostly want something in Yellow that gives me max IVs and EVs and is easy to set up. So I was wondering if there was a way to use PC Pokémon as the program and then have it apply to the last Pokémon in the PC. That way I could deposit a Pokémon, use w sm, then withdraw the Pokémon. All I've used so far to learn is this website ( http://wahackforo.com/t-25791/gb-gbc-asm-lenguaje-ensamblador-en-gb-gbc ) that explains programming, but it's in Spanish so I'm not sure I'm getting some of the more complex things. Could someone explain things like ld and jr, and also if someone had a set up for the thing above that'd be great. Thanks.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on October 11, 2016, 12:41:47 pm
Hi, I'm new here. I've been trying to learn 8F asm programming and I mostly want something in yellow that gives me max ivs and evs and is easy to set up. So I was wondering if there was a way to use pc Pokémon as the program and then have it apply to the last Pokémon in the pc. That way I could deposit a Pokémon, use w sm, then withdraw the Pokémon. All I've used so far to learn is this website ( http://wahackforo.com/t-25791/gb-gbc-asm-lenguaje-ensamblador-en-gb-gbc ) that explains programming, but it's in Spanish so I'm not sure I'm getting some of the more complex things. Could someone explain like ld and jr and also if someone had a set up for the thing above that'd be great. Thanks.

Hi Dudeopi. The best way to approach this may be to use the FillMemory routine at 36E0 in Red/Blue or the address 166E in Yellow to fill the structures (which are 12 bytes long and follow on from each other) with FF.

The FillMemory routine fills 'bc' bytes of 'a' to destination 'hl'.

If you are using a bootstrap set up where the last Pokémon is any Pokémon at storage box slot 10 (i.e. this (http://forums.glitchcity.info/index.php?topic=6638.msg194861#msg194861)), this means that you would have to use the address at hl as DBCF, which is DBD0 minus 1 (since many Yellow addresses are -1) or the beginning of the EV and IV structure. (HP EV, Attack EV.... Speed/Special IV)

Code: [Select]
ld a, FF [maximum value]
ld bc, 000C [copy hex:C i.e. 12 bytes]
ld hl, DBCF [destination]
inc d [useless; but used to represent the item as a Potion to avoid representing a CascadeBadge for the 16 later in the code]
call 166E [run the FillMemory routine]
ret [end of code]

3e ff 01 0c 00 21 cf db 14 cd 6e 16 c9

As items, the code you would need for English Yellow would be:
Lemonade x255
Master Ball x12
Item hex:00 (#x##) x33
TM07 x219 [can be replaced with another non-Pokémon 10 attribute destination for future uses]
Potion x205
Lg- (item 6E) x22
TM01 x(any)

These should be placed where the item code begins, such as at item 3 for the above linked bootstrap code.

The locations of routines such as FillMemory can differ between versions and languages, and non-ROM addresses like DBCF may be the value +5 (DBD4) in non-English European Yellow.

If you want to do this without calling an internal function, then you may use this alternative code:

Code: [Select]
ld a,FF
ld h, DB
ld l, CF
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ret

3e ff 26 db 2e cf 22 22 22 22 22 22 22 22 22 22 22 22 c9

Lemonade x255
Carbos x219
X Accuracy x207
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
TM01 x(any)

Many items at quantities x0 can be obtained with the Celadon looping map trick (http://glitchcity.info/wiki/Celadon_looping_map_trick). You can toss from this stack (which is effectively x256) to obtain most items at any quantity.

If you would like a code for another version or language and/or not for stored Pokémon 10 let me know and I'll post one! :)

Could someone explain like ld and jr and also if someone had a set up for the thing above that'd be great. Thanks.

Arbitrary code execution uses places to store data similar to memory addresses (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon) called registers. Registers include 'a', 'b', 'c', 'd', 'e', 'hl' and 'sp'. When we want to write data to an address, we may first place the value in the register and later to the memory address of your choice.

In ld (xxyy), r the register r is written to address xxyy. Similarly, in ld r, (xxyy) the value at the memory address is loaded into the register.

If we wanted to obtain a Mew we could write its value (hex:15 (http://glitchcity.info/biglist.htm)) into D058; the stationary encounter address. To do this, you can do:

Quote
ld a, 15 ; a=hex:15
ld (d058),a ; put a into d058
ret ; end of code, needed so the game doesn't execute anything below it

What jr $xx does is cause the code to make a relative jump. To illustrate this, let's say we put a jr $xx at D321; which marks item 3, the first item for a bootstrap code that redirects the code flow from stored Pokémon to items.

A jr $05 here makes the game jump five bytes past the end of the instruction: jr $xx is two bytes (one opcode and one operand), so the next instruction is at D323, and D323 + 5 = D328.

Relative jump values of $80 or above are treated as backward jumps, with the smallest negative values starting at $FF. For example, jr $FF jumps back by 1 to D322, and jr $80 jumps back by 128 to D2A3.

Hope this cleared up any details about writing code! :)

Further instructions are explained on this page (http://marc.rawer.de/Gameboy/Docs/GBCPU_Instr.html), and to look up the opcode for an instruction (needed for representing code as items) we have a reference table here (http://glitchcity.info/wiki/The_Big_HEX_List).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on October 12, 2016, 03:13:27 am
Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address ‘3E48’, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the routine for receiving a Pokémon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.

Now the code works wonders, I can receive the Pokémon of my choice at lvl 2 : )

Thanks again for having taken the time to answer my questions and my messages : ) !

Congratz! Don't hesitate to post the whole code here (and on PRAMA if you can) for everyone to use it :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on October 12, 2016, 04:42:33 am
I have an idea for an ACE setup that doesn't require any specific pokemon, just items and underflowed menu, which I think are easier to obtain. I didn't test it yet, but you'd need the following items:

1. Fire Stone x211
2. (null) x124
3. Thunderstone x73
4. TM18 x3
5. Max Revive x195
6. HP Up x54
7. Water Stone x35
8. Great Ball x34
9. TM01 x(any)

You should have no pokemon in the daycare and you should leave the safari zone with 0, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14, 15, 19, 20, 21, 22, 23, 26, 27, 28, 29 or 30 safari balls. Not entering the safari zone at all in the save file also works.

Swap Fire Stone for the map script pointer slot in the underflow. Close the menu, move to another map and reopen it. Now you can change the items and -gm (hex 6A, I think) will execute code from the third item.

The items listed above write the bytes C3 22 D3 (jp D322) to DA49 (daycare nickname). This redirects the execution where we want.

I didn't look into it, but it might be possible to obtain -gm with the swap. To do it, setup should be initiated in a map with script address ending with 6A.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Dudeopi on October 12, 2016, 08:42:26 am
Thank you Torchickens and NieDzejkob for the speedy replies. I'm sorry I couldn't get back to you until now. The link to all of the commands helped a lot. I think I should be a little more clear in what I was wondering, however. So I own a Pokémon Yellow cart and a GBC and I recently bought an N64 and Stadium. I want to play OU with my friends on console. However, I don't have my N64 with me and I won't for another month, so in the meantime I've been messing around in Pokémon Red on my 3DS, where I already have 8F and the such. I'm trying to write a program to use with 8F in Red that stores FF to the 12 bytes of a Pokémon, but I've run into some problems. First of all, I want the program to be easily executable, and I believe having 255 of an item causes glitches, and I don't know how to get multiple Water Stones. So since the 8F bootstrap requires a Pidgey in the first spot, I tried writing something to store its catch rate to a PC Pokémon's EVs and IVs. I haven't done anything with item underflow yet, besides getting 8F, so I'm unsure how I do that.

So I really want to write a program for Yellow to do this, and the best case scenario in my mind is I replace the ws m bootstrap with the whole program that maxes out the poke in the spot after the ret. But for now, I want to learn as much as I can so I can write my own programs in the future. I have a feeling 3DS pokes will get randomized stars when traded forward but I wouldn't want to cheat like that in gen 7. I already wrote some stuff down, but I always find something that makes me go back and change stuff.

I don't know how to post code in a neat box but I can just write it out. This is for the English Red using items:
D322: ld DE,D172   ; 11 72 D1 ; store catch rate of Pidgey to DE
D325: ld A,(DE)    ; 1A       ; A=255
D326: ld HL,DAC8   ; 21 C8 DA ; HL=address of poke's first stat
D329: ldi (HL),A   ; 22       ; put the perfect 255 in the stat and increase to the next stat's address
D32A: junk         ; 04       ; better for items
D32B: ld A,L       ; 7D       ; put address of poke's next stat in A
D32C: ld D327,A    ; EA D3 27 ; put that address as your item
D32F: ret          ; C9       ; return

Max Potion x114
Tm09 x26
Thunderstone x200
Tm18 x34
Pokeball x125
Tm34 x211
Calcium x201

You would use 8F 12 times and it would increase the number of Thunderstones so you could immediately reuse it, but it uses a lot of items and I've procrastinated duping all of them because there has to be a better way. Thanks for taking the time to help me with this. I really appreciate it.

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on October 12, 2016, 10:21:56 am
Try this to speed up duplicating items. It turns item nr 2 into a stack of 0, but 0 is actually 256 so you can drop them.

- 8F
- Item you want 256 (0) of x1
- Pokéball x43
- Revive x201

I don't know how to post code in a neat box but I can just write it out. This is for the English Red using items:

Random tip: If you press Quote on a post you can see in those posts how to do some things.

Code: [Select]
Look at me in a Quote.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Dudeopi on October 12, 2016, 10:58:31 am
Wow thanks! That'll help a ton!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on October 12, 2016, 11:07:24 am
Hi Dudeopi,

You can take D, which comes with a zero from the bootstrap/game code, and CPL it. That would give you FF in just two bytes, not depending on the bootstrap code you use:

Code: [Select]
D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  22        LD (HL+), A
D328  04        INC B ; padding
D329  7D        LD A, L
D32A  EA 27 D3  LD (D327), A ; you assembled it the other way around. It takes practice to remember :)
D32D  C9        RET

I moved the HL load, because it removes the need for the padding (here: junk code to remove glitch items/key items/things like that, if you never heard that word before).

Thunderstone x200
TM18 x122
Leaf Stone x34
Pokeball x125
TM34 x39
TM11 x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on October 12, 2016, 11:27:32 am
You're welcome Dudeopi. :)

If you still plan on using ws m, setting up the Celadon looping map trick (http://glitchcity.info/wiki/Celadon_looping_map_trick) is actually relatively simple if you have item underflow set up. You stand in the Celadon spot, swap the Nugget x1 with an ID greater than or equal to hex:33 x1 (if you don't have one you can try selling items to manipulate your money and create one) and then keep walking to the right until the x-position byte reads the item x0 (x255) of your choice. The Big List (http://glitchcity.info/biglist.htm) can be used to check the ID.

The item will either be x1 or x0, if it is x1 stepping up or down one step will change it to x0. The one thing that you must be really careful with is making sure you press B when navigating the menu all the time, because one A-press on a 'lag' item (these have unterminated names) can freeze the game and possibly erase the save file if you aren't careful.

If you want to avoid using a x255 quantity and are otherwise happy with the FillMemory code, you can replace ld a, FF with ld a, 01; dec a dec a.

This would change the code to:
Code: [Select]
3e 01 3d 3d 01 0c 00 21 cf db 14 cd 6e 16 c9
; which is:

Lemonade x1
Soda Pop x61
Master Ball x12
Item hex:00 (#x##) x33
TM07 x219 [can be replaced with another non-Pokémon 10 attribute destination for future uses]
Potion x205
Lg- (item 6E) x22
TM01 x(any)

(For a bootstrap code where the last Pokémon is any Pokémon 10 to have its EVs/IVs changed)

Handling items with a 255 quantity is safe as long as you don't toss all of an item above it, which would replace the item directly above it with the same item x255.

If you want to get the items without looping map trick, you may be able to use Skeef or NieDzejkob's code to duplicate the items and get Lg- by encountering a pPkMnp' ' (http://bulbapedia.bulbagarden.net/wiki/PPkMnp%27_%27) with a Super Rod in the fifth position; turning it into a Lg-. I don't know off by heart any locations which may bring up an Lg- in the items pack without you having to convert the Super Rod sadly but will have a search later.

Hope that helps.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on October 12, 2016, 11:35:27 am
Wait, whaaat? When did I post about item duplication? If you think about that, then this is a -gm + map script ACE setup that doesn't require catching pokemons.

1. Fire Stone x211
2. (null) x124
3. Thunderstone x73
4. TM18 x3
5. Max Revive x195
6. HP Up x54
7. Water Stone x35
8. Great Ball x34
9. TM01 x(any)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on October 12, 2016, 11:45:09 am
And sorry for the double post, but I have an even shorter max IV/EV code, that has to be run only once:

Code: [Select]
D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  0E 0C     LD C, 0C
D329  C3 E0 36  JP FillMemory/36E0

Thunderstone x200
TM18 x122
Leaf Stone x14
Burn Heal x195
TM24 x54
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on October 12, 2016, 02:28:45 pm
Oh, I think I may have gotten confused somewhere, NieDzejkob. I was under the impression your code was for item duplication because you mentioned getting FF (note: for some reason on my Red it replaces item 3 quantity with C9) but I don't know what the code is used for and I shouldn't have assumed. Sorry if I made the wrong conclusion.

Code: [Select]
D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  22        LD (HL+), A
D328  04        INC B ; padding
D329  7D        LD A, L
D32A  EA 27 D3  LD (D327), A ; you assembled it the other way around. It takes practice to remember :)
D32D  C9        RET
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NieDzejkob on October 12, 2016, 04:31:25 pm
It's a shorter version of Dudeopi's code for perfect stats. So the change was intended :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Dudeopi on October 13, 2016, 02:57:55 pm
Thanks everyone who helped out. I've learned a ton! If I have any more questions I know where to go.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Pavel on October 16, 2016, 07:01:40 am
Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address ‘3E48’, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the routine for receiving a Pokémon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.

Now the code works wonders, I can receive the Pokémon of my choice at lvl 2 : )

Thanks again for having taken the time to answer my questions and my messages : ) !

Congratz! Don't hesitate to post the whole code here (and on PRAMA if you can) for everyone to use it :)


Gotcha Krys3000, here is a recap of what I found to work with the Pokémon Yellow French version:
These are the result of browsing this forum (thanks to the original authors of the codes!), the help of various members on this forum (thanks again!) and a bit of tinkering and research of mine to make it work on the French Yellow version.


Cloning via daycare:
1: wsm
2: any item
3: X Accuracy x76
4: Carbos x218
5: Max Revive x01
6: TM01 x(any)
Put the pokemon in the daycare, retrieve it, then use wsm; now you can retrieve the pokemon one more time


Force encounter with a pokemon of a specified species (lvl is not guaranteed, for me it was lvl11 usually) :
1: Any item
2: wsm
3: Lemonade x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: TM34 x93
5: TM08 x201


Receive a lvl 2 pokemon of a specified species (as if a NPC was giving it to the character):
1: Any item
2: wsm
3: Repel x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: X Speed x14
5: Ultra Ball x64
6: TM05 x92
7: Lemonade x201
Note : the lvl is equal to the hex ID (http://glitchcity.info/wiki/The_Big_HEX_List) of the item in the fifth position (here, the Ultra Ball)


Make the first pokemon of the team learn any attack:
1: wsm
2: Any
3: X Accuracy x122/121/120 (slot n°4, 3 and 2 respectively)
4: Carbos x209
5: Max Revive x[MoveIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
6: TM01 x(any)



Apply max DV and stats experience to first pokemon of the team: (http://www.prama-initiative.com/index.php?page=modification-rbj)
1: Any item
2: wsm
3: Lemonade x255
4: X Accuracy x139
5: Carbos x209
6: Poke Ball x119
7: Fresh Water x201
This will modify the stats of the first pokemon of the team.
First, use wsm once.
Second, toss one X Accuracy, then use wsm. Repeat this second step 11 times, until the number of X Accuracy equals 128.
Now store in and retrieve from the PC the first pokemon of your team, in order to force the game to compute its stats anew.
Beware of the item duplicating glitch with Lemonade x255: do not remove / store an item that is above Lemonade x255, or one item below it will be lost forever. To prevent this, switch Lemonade x255 with the first item when you do not use the code. If the duplicating glitch happened, buy one object to fix the inventory.

Second Pokemon: X Accuracy from x183 to x172, Carbos x209
Third Pokemon: X Accuracy from x227 to x216, Carbos x209
Fourth Pokemon: X Accuracy from x15 to x4, Carbos x210
Fifth Pokemon: X Accuracy from x59 to x48, Carbos x210
Sixth Pokemon: X Accuracy from x103 to x92, Carbos x210

Max Pokemon Lvl:
First Pokemon: X Accuracy x144, Carbos x209
Second Pokemon: X Accuracy x188, Carbos x209
Third Pokemon: X Accuracy x232, Carbos x209
Fourth Pokemon: X Accuracy x20, Carbos x210
Fifth Pokemon: X Accuracy x64, Carbos x210
Sixth Pokemon: X Accuracy x108, Carbos x210
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 15, 2017, 05:33:04 pm
European Pokémon Yellow ws m bootstrap setup
The US setup doesn't work because of a 5-byte offset. As such, two more Pokémon are needed, and we replace another one.

All the listed Pokémon must be in the correct order in the active PC box when running ws m.
Code: [Select]
Initial hl = DA84
$DA85 <- 3A || ld/ldi/ldd a, (hl) ; a = 0B
$DA86 <- 0F || rrca ; a = 05
$DA87 <- 3C || inc a : a = 06
$DA88 <- 2E ||
$DA89 <- 26 || ld l, 26
$DA8A <- 85 || add l ; a = 2C
$DA8B <- 2F || cpl ; a = D3
$DA8C <- 67 || ld h,a ; hl = D326
$DA8D <- 18 ||
$DA8E <- 0C || jr 0C ; pc = DA9C
(...)
$DA9C <- E9 || jp (hl) ; pc = D326

[EDIT] If getting Tauros is too much of a pain, remove it and place a Slowbro right after Flareon. Slowbro can be obtained via Trainer-Fly, Tauros cannot. Also easier to catch legitimately, I guess.

I would like to know if an eleventh Pokémon really is needed (since the ld a, [bc] is cancelled by the following ld(i/d) a, [hl]). This could save one A-press Pokémon from both US and EU setups.
Plus, since we overwrite hl during the setup, doing add hl, bc shouldn't be an issue, so 9 Pokémon could be enough for the US setup, saving an extra slot. EU still requires 10, though :P

[EDIT] NVM, 11 Pokémon are required for the US Setup, but the EU one can have only 10.

Also, does ws m work in EU ? Since 8F doesn't in EU R/B, I'm a little bit doubtful.

Thanks in advance !
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 16, 2017, 03:06:07 am
Also, I think we should make a separate thread for ws m and move posts there. Since this thread is about 8F, I think it would make more sense...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on January 16, 2017, 06:09:16 am
However, things like R/B to Yellow script conversions would become a pain to collaborate with and talk about, as you would end up posting it in both locations.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on January 16, 2017, 07:42:05 am
Also, does ws m work in EU ? Since 8F doesn't in EU R/B, I'm a little bit doubtful.

It should do. I ported the bootstrap payload what seems like forever ago (http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543); however I did cheat and poked the values directly to memory when porting.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 16, 2017, 04:16:04 pm
Like, WOW.
I tried my setup with
Mr. Mime with 233 HP
Female Nidoran
Parasect
Kadabra
Magikarp
Arbok
Psyduck
Flareon
Tentacool
Grimer
Pikachu (11th Pokémon)

...
This threw a ball that wiggled twice, failed, gave me a "Pas d'bol, hein ?" ("Tough luck, eh ?")
And then I had no more ws m. WOW.

[EDIT] I messed up big time, this setup jumped to $D425. Epic fail.

We need to remove Arbok and put a Slowpoke right after Flareon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 17, 2017, 11:38:31 am
Bumpity bump, the Slowpoke version of the setup works fine, it should be added to the wiki alongside Wack0's. I don't have enough DETERMINATION to do so, since I'm locked on my phone and I really miss a PC.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jelome1989 on January 25, 2017, 12:48:01 am

Apply max DV and stats experience to first pokemon of the team: (http://www.prama-initiative.com/index.php?page=modification-rbj)
1: Any item
2: wsm
3: Lemonade x255
4: X Accuracy x139
5: Carbos x209
6: Poke Ball x119
7: Fresh Water x201
This will modify the stats of the first pokemon of the team.
First, use wsm once.
Second, toss one X Accuracy, then use wsm. Repeat this second step 11 times, until the number of X Accuracy equals 128.
Now store in and retrieve from the PC the first pokemon of your team, in order to force the game to compute its stats anew.
Beware of the item duplicating glitch with Lemonade x255: do not remove / store an item that is above Lemonade x255, or one item below it will be lost forever. To prevent this, switch Lemonade x255 with the first item when you do not use the code. If the duplicating glitch happened, buy one object to fix the inventory.

Second Pokemon: X Accuracy from x183 to x172, Carbos x209
Third Pokemon: X Accuracy from x227 to x216, Carbos x209
Fourth Pokemon: X Accuracy from x15 to x4, Carbos x210
Fifth Pokemon: X Accuracy from x59 to x48, Carbos x210
Sixth Pokemon: X Accuracy from x103 to x92, Carbos x210


Is there any other way to manipulate DVs --- meaning not just max them out?
For example, I want a specific combination, say I want to make the Pokemon shiny when transferred to Gen 7. I want the DVs to be:
Atk Spe Spc = 10 and Def = 2
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 25, 2017, 01:09:42 am
You can use the Gameshark-like code to write each DV manually. That's quite easy.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jelome1989 on January 25, 2017, 01:27:28 am
Sorry, not familiar with these at all, but can you link me that Gameshark-like code? I do know how to convert that to items list but don't know which item holds the data address for the DVs.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 25, 2017, 03:06:58 am
Well, just decided to quickly code something for 8F...

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM one wants to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
Code: [Select]
D322: 3E xx         ld a, xx
D324: 2E xx         ld l, xx
D326: 26 xx         ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: 3C            inc a
D32B: C9            ret

So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one i tested it with -- on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)
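An added example in Python (my own code, not code from this thread or from any of its posters) that serves two passages: Evie's explanation earlier in the thread of spelling opcodes as item/quantity pairs and of how jr offsets are resolved, and ISSOtm's pseudo-GameShark payload in this post. It pairs raw Game Boy bytes into (item, quantity) tuples using the item IDs the item lists in this thread rely on (Red/Blue; the Yellow -1 adjustments are not handled), computes jr targets, builds the item list for a 01vvllhh GameShark code, and packs DV nibbles into the two codes ISSOtm describes. Function names and the decision to report a zero quantity as 0 (so the reader knows a x0/x256 stack is needed) are my own choices.

```python
"""Item-list assembler for 8F / ws m payloads (added example, not from the thread)."""

# Item IDs (hex) as used by the item lists in this thread.
ITEM_IDS = {
    "Item hex:00 (#x##)": 0x00, "Master Ball": 0x01, "Ultra Ball": 0x02,
    "Great Ball": 0x03, "Poké Ball": 0x04, "Burn Heal": 0x0C, "Max Potion": 0x11,
    "Potion": 0x14, "Repel": 0x1E, "Fire Stone": 0x20, "Thunderstone": 0x21,
    "Water Stone": 0x22, "HP Up": 0x23, "Carbos": 0x26, "Calcium": 0x27,
    "X Accuracy": 0x2E, "Leaf Stone": 0x2F, "Full Heal": 0x34, "Revive": 0x35,
    "Max Revive": 0x36, "Fresh Water": 0x3C, "Soda Pop": 0x3D, "Lemonade": 0x3E,
    "X Speed": 0x43, "Lg-": 0x6E,
}
# TM01..TM50 occupy C9..FA in order, so TMnn = C8 + nn (TM01 = C9 = ret).
for _n in range(1, 51):
    ITEM_IDS[f"TM{_n:02d}"] = 0xC8 + _n
ID_TO_ITEM = {v: k for k, v in ITEM_IDS.items()}


def bytes_to_items(code):
    """Pair bytes as (item name, quantity).

    Even-offset bytes must be item IDs we can name (the opcode/operand that
    lands on an item ID slot); odd-offset bytes become quantities.  A quantity
    of 0 is only obtainable as a x0 (= 256) stack, so it is returned as 0 for
    the caller to notice.  A trailing unpaired byte gets quantity None, i.e.
    "x(any)" as the thread writes it for the final TM01 (ret).
    """
    items = []
    for i in range(0, len(code), 2):
        op = code[i]
        if op not in ID_TO_ITEM:
            raise ValueError(f"byte {op:02X} at offset {i} is not a known item ID; re-pad the code")
        qty = code[i + 1] if i + 1 < len(code) else None
        items.append((ID_TO_ITEM[op], qty))
    return items


def jr_target(instr_addr, offset):
    """Target of a `jr offset` located at instr_addr.

    The CPU adds the signed 8-bit operand to the address of the *next*
    instruction (instr_addr + 2), so $80..$FF jump backwards.
    """
    signed = offset - 0x100 if offset >= 0x80 else offset
    return (instr_addr + 2 + signed) & 0xFFFF


def gameshark_to_items(gs_code):
    """Item list for ISSOtm's payload given a GameShark code 01vvllhh.

    Payload: ld a,vv / ld l,ll / ld h,hh / inc b (padding) / ld (hl),a /
    inc a / ret, i.e. 3E vv 2E ll 26 hh 04 77 3C C9.
    """
    if len(gs_code) != 8 or gs_code[:2] != "01":
        raise ValueError("expected an 8-digit 01vvllhh GameShark code")
    vv, ll, hh = (int(gs_code[i:i + 2], 16) for i in (2, 4, 6))
    payload = bytes([0x3E, vv, 0x2E, ll, 0x26, hh, 0x04, 0x77, 0x3C, 0xC9])
    return bytes_to_items(payload)


def dv_gameshark_codes(atk, dfn, spd, spc):
    """Per ISSOtm: Atk/Def DVs share byte D185 (Atk in the high nibble) and
    Spd/Spc share D186, for the first party Pokémon in Red/Blue."""
    for v in (atk, dfn, spd, spc):
        if not 0 <= v <= 15:
            raise ValueError("a DV is a 4-bit value")
    return [f"01{atk:X}{dfn:X}85D1", f"01{spd:X}{spc:X}86D1"]


if __name__ == "__main__":
    # Evie's FillMemory code for English Yellow, as bytes from her post.
    for name, qty in bytes_to_items(bytes.fromhex("3eff010c0021cfdb14cd6e16c9")):
        print(f"{name} x{qty if qty is not None else '(any)'}")
    print(f"jr $05 at D321 -> {jr_target(0xD321, 0x05):04X}")
    for name, qty in gameshark_to_items("011559D0"):
        print(f"{name} x{qty}")
    print(dv_gameshark_codes(10, 2, 10, 10))
```

bytes_to_items raises instead of guessing when an opcode byte is not an item ID, which is exactly the situation the thread solves with "padding" instructions such as inc b: shift the code by one byte until every even-offset byte is a harmless, obtainable item.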
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jelome1989 on January 25, 2017, 03:29:39 am
That's not what I'm looking for, but thanks anyway. I found the code to manipulate the DVs, but unfortunately, you can only manipulate the DVs by pairs and not individually, so it would be impossible to manipulate DVs to force shininess when transferring to Gen 7
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Unused Trainer on January 25, 2017, 05:22:07 am
That's not what I'm looking for, but thanks anyway. I found the code to manipulate the DVs, but unfortunately, you can only manipulate the DVs by pairs and not individually, so it would be impossible to manipulate DVs to force shininess when transferring to Gen 7
Yes i agree with you.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jelome1989 on January 25, 2017, 08:28:52 am
Hold on, I might have something here. I executed the code with x10 Lemonades but ended up with 0 Atk and Speed DVs and 10 Defense and Special DVs... Why is that? The Atk should be paired with the Def DVs thus they should end up with equal DVs but why are my results different?

I used this code to manipulate the DVs but replaced 'FF' with '10':
01FF85D1
01FF86D1

Please advise. Thanks

Edit: Hold on, I think I get it now. Seems I made a stupid mistake. Will update later. It seems WE CAN MANIPULATE THE DVs to force shininess after all!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 25, 2017, 08:55:31 am
Yep, you can manipulate DVs. There's no problem to manipulate them individually either.

Take the number of ATK DVs, turn it into hex digit #1.
Take the number of DEF DVs, turn them into hex digit #2.
Use the code 01(digit #1)(digit #2)85D1 to manipulate both.
Replace ATK with SPD, DEF with SPE and 85 with 86 and you can manipulate both SPD and SPE DVs !
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jelome1989 on January 25, 2017, 09:34:15 am
Yeah, I got it. I actually recorded it and made it on my first try. Will upload it soon in my channel.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: forsyz on January 25, 2017, 10:47:22 am
How would you change trainer id and name.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on January 25, 2017, 12:40:46 pm
Are you talking about doing such on a save, or on a Pokémon ?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Masked_koopa on January 25, 2017, 01:25:16 pm
Hi, I hate to be a bother, but is it possible to convert this R/B item script to be compatible with Yellow? I tried decreasing the quantities of the items that were "D" in the code by one, but I'm reluctant to do more due to risk of save file loss (and I already lost one by being too reckless with the walk through walls code)



Code: (change character name, from OP)


Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on January 25, 2017, 04:26:57 pm
Hi, I hate to be a bother, but is it possible to convert this R/B item script to be compatible with Yellow? I tried decreasing the quantities of the items that were "D" in the code by one, but I'm reluctant to do more due to risk of save file loss (and I already lost one by being too reckless with the walk through walls code)


Code: (change character name, from OP)


Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201

Hi Masked_koopa, no worries. Sure!

As thought you need to decrease addresses and other values by 1. We need to decrease both the addresses and the values for l.

Your code represents the following:

Code: [Select]
ld a, (D2B5)
ld b, b
ld (D158), a
ld l, 27
inc (hl)
ld l, 23
inc (hl)
ret

We need to change D2B5 to D2B4, D158 to D157, 27 to 26 and 23 to 22, which results in the following items you'll need for Yellow (note Carbos is used instead of Calcium):

TM50 x 180
TM10 x 64
TM34 x 87
TM09 x 46
Carbos x 52
X Accuracy x 34
Full Heal x 201

Hope that helps!  :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Crystal_ on January 28, 2017, 12:09:41 pm
Using 8F to get PokeBank-compatible Mew and shiny Pokemon

https://www.youtube.com/watch?v=H8AgGp5cqPI

Item lists (includes assembly code):
Encounter Mew with 8F: http://pastebin.com/MJd9rA8y
Mew method #1 (change player IDNo. and name): http://pastebin.com/BA4mK4PK
Mew method #2 (change Mew IDNo. and name): http://pastebin.com/z836UeVA
One shiny Pokemon: http://pastebin.com/QaNpSYCc
All current box shiny Pokemon: http://pastebin.com/z6ZVN76z
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: holymoly on January 31, 2017, 06:39:27 pm
i've done the brock through walls glitch to go to saffron and got the 8f item, but i forgot about the party setup and i'm stuck because my strongest pokemon is a lv 9 abra. is there any way to get the five pokemon or do i need to restart?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 01, 2017, 01:52:18 am
You can't Teleport back to Pewter ?

Otherwise, you'll have to advance your progression if you want to get the Pokémon.
If you have access to Saffron this won't be too much of a problem.

If you have a Rare Candy, here's how to duplicate it to make stuff that much easier.
1) Buy balls. LOTS. Also buy different items so you have at least 6 occupied slots.
2) Give a drink to the Saffron guards.
3) Heal at Saffron Poké Center.
4) Go south and Trainer-Escape from the top-left Trainer (stand with him on the same row as Red but one tile offscreen, walk left and hold START during the walk, use Teleport).
5) Go to Route 8.
6) Fight the Gambler on the south-east part of the road, lose to his first Pokémon. Make sure he makes at least one step when encountering you, otherwise you'll get a softlock.
BONUS: Before going to Vermilion, pay Snorlax a visit. That should remove him at step 9, which means you can go through Cycling Road :)
7) Make sure Rare Candy is in the 6th slot of your inventory.
8) Open your START menu then head towards Vermilion.
9) Close the menu again then run away (or catch, whatever you want) Missingno.
10) CANDIEZ

Then you can get the Pokémon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: YellowFreddy on February 06, 2017, 04:49:38 pm
Is there an intuitive, searchable opcode map for the GB? I would like to write some item codes.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Flandre Scarlet on February 06, 2017, 06:14:40 pm
Is there an intuitive, searchable opcode map for the GB? I would like to write some item codes.
Something like this? http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on February 07, 2017, 04:34:47 pm
Is there an intuitive, searchable opcode map for the GB? I would like to write some item codes.

As Flandre Scarlet suggested you can use the table found at Pastraiser.

We also have an opcode table on http://glitchcity.info/wiki/The_Big_HEX_List but if you want a plain text file with only opcodes and operands another one can be found here (https://iimarck.us/etc/asmopcodes.txt) which is the table I used to use. I personally feel the latter two are simpler and may be more user friendly.

And if you want to learn assembly I learned some of it after experimenting with http://marc.rawer.de/Gameboy/Docs/GBCPU_Instr.html and http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map for a list of memory addresses, so for example ld a, xx puts a value into a and ld (xxyy),a puts the value of a into another memory address and a ret ($C9 byte) will end the code.

Hope that helps!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 08, 2017, 12:48:03 am
You also have our Big HEX List (http://glitchcity.info/wiki/The_Big_HEX_List), which makes for a nice conversion tool. It's not as much readable IMO, but saves a ton of time.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: tigere89 on February 09, 2017, 02:23:23 pm
Greetings to all,

I simply wanted to say thank you for the information provided on this topic. Unfortunately I lost my 8F shortly after obtaining it by putting it into my item box.

This being said, I wanted to confirm that by placing the item in Computer Item Box, that it would be lost; I think this is due to not resetting the item list by buying 3 different items first before saving.

Thank you, any insight would be great.

Tigere89
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Unused Trainer on February 10, 2017, 02:48:36 am
Quick question: how powerful is the 8F item for discovering new glitches in the future?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 10, 2017, 07:25:57 am
Since 8F is all-powerful, I guess "infinitely" is the right answer.
Until we exhaust the number of possible glitches, I guess.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on February 10, 2017, 07:52:27 am
Until we exhaust the number of possible glitches, I guess.
You do realize it's Game Freak's first(?) game we're talking about, right? I doubt my grandkids will see the last glitch to be found in this game be discovered.  ::)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on February 10, 2017, 05:39:06 pm
Until we exhaust the number of possible glitches, I guess.
You do realize it's Game Freak's first(?) game we're talking about, right? I doubt my grandkids will see the last glitch to be found in this game be discovered.  ::)

First GB game, maybe.

First game, no. Their first game was Mendel Palace for NES.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Charmy on February 11, 2017, 03:58:00 am
Until we exhaust the number of possible glitches, I guess.
You do realize it's Game Freak's first(?) game we're talking about, right? I doubt my grandkids will see the last glitch to be found in this game be discovered.  ::)

First GB game, maybe.

First game, no. Their first game was Mendel Palace for NES.
And in Yellow, there's an unused port of its boss theme, so it's confirmed now.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: []J. on February 14, 2017, 10:27:14 pm
Hi, I'm new to GCL (at least my account is) and I've recently obtained 8F in Pokemon Red due to the recently (I think) discovered easier party arrangement redirecting to the fifth byte of the item menu. After messing with it, (accidentally) making a script of my own, and completing my Pokedex, I quickly became tired of being a script kiddie. I fear that I may lose interest in Pokemon Red and never boot the cartridge up again (I understand it's hazardous to script on something lacking savestates, but I'm careful) due to the fact that there isn't all too much left to do.

Anyway, I'll stop beating around the bush. What is the best resource I can use to learn how to script in Pokemon? I'm fluent in many refined languages, but machine code eludes me.

Any help would be much appreciated.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NUNsLAUGHTER on February 14, 2017, 10:47:26 pm
Force encounter with a pokemon of a specified species (lvl is not guaranteed, for me it was lvl11 usually):
1: Any item
2: wsm
3: Lemonade x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: TM34 x93
5: TM08 x201


Receive a lvl 2 pokemon of a specified species (as if a NPC was giving it to the character):
1: Any item
2: wsm
3: Repel x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: X Speed x14
5: Ultra Ball x64
6: TM05 x92
7: Lemonade x201
Note: the lvl is equal to the hex ID (http://glitchcity.info/wiki/The_Big_HEX_List) of the item in the fifth position (here, the Ultra ball
For your first one, if you withdraw a level 5/whatever level pokemon then put it back in the pc, next encounter will be that level, at least on blue.
I've got a question for the pokemon giving method, can you use something other than ultra balls to make the pokemon 40/50/100? I'd like to use this for getting ditto but pokebank doesn't see level 2 ditto as acceptable and I'd rather use this than having to battle ditto, catch it then deposit it but I don't want to use a bunch of rare candy, that'd make it more time consuming than the first one.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Unused Trainer on February 15, 2017, 02:46:06 am
Force encounter with a pokemon of a specified species (lvl is not guaranteed, for me it was lvl11 usually):
1: Any item
2: wsm
3: Lemonade x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: TM34 x93
5: TM08 x201


Receive a lvl 2 pokemon of a specified species (as if a NPC was giving it to the character):
1: Any item
2: wsm
3: Repel x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: X Speed x14
5: Ultra Ball x64
6: TM05 x92
7: Lemonade x201
Note: the lvl is equal to the hex ID (http://glitchcity.info/wiki/The_Big_HEX_List) of the item in the fifth position (here, the Ultra ball
For your first one, if you withdraw a level 5/whatever level pokemon then put it back in the pc, next encounter will be that level, at least on blue.
I've got a question for the pokemon giving method, can you use something other than ultra balls to make the pokemon 40/50/100? I'd like to use this for getting ditto but pokebank doesn't see level 2 ditto as acceptable and I'd rather use this than having to battle ditto, catch it then deposit it but I don't want to use a bunch of rare candy, that'd make it more time consuming than the first one.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 15, 2017, 09:09:06 am
Hi, I'm new to GCL (at least my account is) and I've recently obtained 8F in Pokemon Red due to the recently (I think) discovered easier party arrangement redirecting to the fifth byte of the item menu. After messing with it, (accidentally) making a script of my own, and completing my Pokedex, I quickly became tired of being a script kiddie. I fear that I may lose interest in Pokemon Red and never boot the cartridge up again (I understand it's hazardous to script on something lacking savestates, but I'm careful) due to the fact that there isn't all too much left to do.

Anyway, I'll stop beating around the bush. What is the best resource I can use to learn how to script in Pokemon? I'm fluent in many refined languages, but machine code eludes me.

Any help would be much appreciated.
I tried making a page about programming for the Game Boy (http://glitchcity.info/wiki/GB_programming). I find it hard to read though, so after you are done reading it head to the "ASM in 28 days" thing linked at the end, it is a tutorial for TI 8x calcs, which have almost the same processor as the GB. The tutorial talks about stuff such as "ports" which don't exist on the GB anymore, but the more you know.
Then you'll probably figure out the rest, just use GBdevWiki (http://gbdev.gg8.se/wiki/) as a reference to all GameBoy-specific stuff.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Wack0 on February 15, 2017, 01:35:46 pm
Hi, I'm new to GCL (at least my account is) and I've recently obtained 8F in Pokemon Red due to the recently (I think) discovered easier party arrangement redirecting to the fifth byte of the item menu. After messing with it, (accidentally) making a script of my own, and completing my Pokedex, I quickly became tired of being a script kiddie. I fear that I may lose interest in Pokemon Red and never boot the cartridge up again (I understand it's hazardous to script on something lacking savestates, but I'm careful) due to the fact that there isn't all too much left to do.

Anyway, I'll stop beating around the bush. What is the best resource I can use to learn how to script in Pokemon? I'm fluent in many refined languages, but machine code eludes me.

Any help would be much appreciated.
I tried making a page about programming for the Game Boy (http://glitchcity.info/wiki/GB_programming). I find it hard to read though, so after you are done reading it head to the "ASM in 28 days" thing linked at the end, it is a tutorial for TI 8x calcs, which have almost the same processor as the GB. The tutorial talks about stuff such as "ports" which don't exist on the GB anymore, but the more you know.
Then you'll probably figure out the rest, just use GBdevWiki (http://gbdev.gg8.se/wiki/) as a reference to all GameBoy-specific stuff.

I'm pretty sure this (http://glitchcity.info/wiki/GB_Programming) is the wiki page you meant to link to.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 15, 2017, 02:01:11 pm
Yep.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: []J. on February 15, 2017, 07:25:42 pm
Hi, I'm new to GCL (at least my account is) and I've recently obtained 8F in Pokemon Red due to the recently (I think) discovered easier party arrangement redirecting to the fifth byte of the item menu. After messing with it, (accidentally) making a script of my own, and completing my Pokedex, I quickly became tired of being a script kiddie. I fear that I may lose interest in Pokemon Red and never boot the cartridge up again (I understand it's hazardous to script on something lacking savestates, but I'm careful) due to the fact that there isn't all too much left to do.

Anyway, I'll stop beating around the bush. What is the best resource I can use to learn how to script in Pokemon? I'm fluent in many refined languages, but machine code eludes me.

Any help would be much appreciated.
I tried making a page about programming for the Game Boy (http://glitchcity.info/wiki/GB_programming). I find it hard to read though, so after you are done reading it head to the "ASM in 28 days" thing linked at the end, it is a tutorial for TI 8x calcs, which have almost the same processor as the GB. The tutorial talks about stuff such as "ports" which don't exist on the GB anymore, but the more you know.
Then you'll probably figure out the rest, just use GBdevWiki (http://gbdev.gg8.se/wiki/) as a reference to all GameBoy-specific stuff.

I'm pretty sure this (http://glitchcity.info/wiki/GB_Programming) is the wiki page you meant to link to.

"MediaWiki internal error.

Original exception: [df666237fde71cf5d357b568] /wiki/GB_Programming MWException from line 767 of /application/w/includes/skins/SkinTemplate.php: SkinTemplate::makeTalkUrlDetails given invalid pagename User:[]J.
Backtrace:
#0 /application/w/includes/skins/SkinTemplate.php(606): SkinTemplate->makeTalkUrlDetails(string)
#1 /application/w/includes/skins/SkinTemplate.php(472): SkinTemplate->buildPersonalUrls()
#2 /application/w/includes/skins/SkinTemplate.php(246): SkinTemplate->prepareQuickTemplate(OutputPage)
#3 /application/w/includes/OutputPage.php(2324): SkinTemplate->outputPage()
#4 /application/w/includes/MediaWiki.php(753): OutputPage->output()
#5 /application/w/includes/MediaWiki.php(519): MediaWiki->main()
#6 /application/w/index.php(43): MediaWiki->run()
#7 {main}

Exception caught inside exception handler: [df666237fde71cf5d357b568] /wiki/GB_Programming MWException from line 767 of /application/w/includes/skins/SkinTemplate.php: SkinTemplate::makeTalkUrlDetails given invalid pagename User:[]J.
Backtrace:
#0 /application/w/includes/skins/SkinTemplate.php(606): SkinTemplate->makeTalkUrlDetails(string)
#1 /application/w/includes/skins/SkinTemplate.php(472): SkinTemplate->buildPersonalUrls()
#2 /application/w/includes/skins/SkinTemplate.php(246): SkinTemplate->prepareQuickTemplate(OutputPage)
#3 /application/w/includes/OutputPage.php(2324): SkinTemplate->outputPage()
#4 /application/w/includes/exception/MWException.php(204): OutputPage->output()
#5 /application/w/includes/exception/MWException.php(244): MWException->reportHTML()
#6 /application/w/includes/exception/MWExceptionHandler.php(69): MWException->report()
#7 /application/w/includes/exception/MWExceptionHandler.php(180): MWExceptionHandler::report(MWException)
#8 /application/w/includes/MediaWiki.php(528): MWExceptionHandler::handleException(MWException)
#9 /application/w/index.php(43): MediaWiki->run()
#10 {main}"

This is all that link gave me...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Yeniaul on February 15, 2017, 08:09:54 pm
...broken.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 16, 2017, 06:14:57 am
Works for me.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: SaneBane on February 20, 2017, 06:30:06 am
Hey you all!
Thank you so much for all the help and support in this forum! I managed to obtain the S7 in the German version of Red, but I'm struggling to figure out how to "convert" the item setups for the hacks to function... it's kinda over my head.
Can you help me?

I want to change my Mew's Trainer ID(22796) and OT(GF) so I can transfer it over to Sun/Moon + change the DVs of a Pokemon so it will be shiny.

I followed this guide for my english version of the game and it worked fine:
https://www.youtube.com/watch?v=H8AgGp5cqPI&t=1080s
I'd love to do the same with my german version!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 20, 2017, 11:27:08 am
Use this to change your OT:
Code:
any item/ws# #m#
any item/ws# #m# (one of these has to be ws# #m# obviously)
TM50 x186
TM10 x3 (works with 64, but 3 should too)
TM34 x93
TM09 x35
Poké Ball x52
X Accuracy x44
Great Ball x52
TM01 x[any qty]

Use this to change your TID:
Code:
any item/ws# #m#
any item/ws# #m#
Lemonade x89
Repel x12
Carbos x211 (Should work even if you remove this item)
X Accuracy x94
Water Stone x115
TM01 x(any)

Didn't try, so if you could send me some feedback whether it worked or not I'd appreciate it a lot.
Also, if you want to keep your OT and TID, tell us, we'll do the job.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: NukingDragons on February 26, 2017, 05:26:15 pm
I found a typo in the Super-compressed 3-Pokémon setup.

Super-compressed 3-Pokémon setup (problematic because of hex D3 glitch Pokémon, which can be difficult to obtain; also, some item lists do not work with this setup)

1.  Exactly 6 Pokémon in the party                                    [0xD163 = 0x06]
2.  Hex C3 glitch Pokémon as the first Pokémon                        [0xD164 = 0xC3]
3.  Onix as the second Pokémon                                        [0xD165 = 0x22]
4.  Hex D3 glitch Pokémon as the third Pokémon                        [0xD166 = 0xD3]


That setup has this code:
Code:
WRA1:D163 06 C3         ld b, 0xC3
WRA1:D165 22            ldi (hl), a
WRA1:D166 D3            <Invalid Opcode>

Which does NOT jump to the third item in memory, because of the 6 Pokémon in the party.

However, a party of 3 (minimum) to 5 DOES work:
Code:
WRA1:D163 03               inc bc
WRA1:D164 C3 22 D3         jp 0xD322

With 4:
Code:
WRA1:D163 04               inc b
WRA1:D164 C3 22 D3         jp 0xD322

And with 5:
Code:
WRA1:D163 05               dec b
WRA1:D164 C3 22 D3         jp 0xD322

Also, for the "some item scripts won't work with this setup" issue, you can use this right before your main script if you don't want to rewrite it:
(Sets HL to 0xD322)
Code:
8F / first item (Depends on the script)
8F / second item (Depends on the script)
X Accuracy x34
Carbos x211
<Script>

Hope this helps :)
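Evie the Mother Hen's Yellow conversion earlier in the thread (TM50 x181 ... Full Heal x201 becoming TM50 x180 ... Full Heal x201) and the party-count bootstrap in the post above both come down to reading bag or party bytes as GBz80 code. The Python helper below is an added example, written for this thread and not code from the thread, the wiki or any poster: it packs an item list into the bytes 8F executes, disassembles them with a table limited to the opcodes that appear in this thread, and applies the reply's "decrease by 1" rule to produce the Yellow list. Item index numbers are the standard Gen I values; the $D163 and $D322 addresses are the ones quoted in the thread, and it is an assumption of the port that only WRAM ($D000-$DFFF) addresses move.

```python
"""Item-list <-> GBz80 helper for 8F scripts (added example, not code from the thread).
Item ids are the standard Gen I index numbers (Big HEX List), limited to items this thread
uses. Addresses are the Red/Blue ones quoted in the thread ($D163 party count, $D322 slot 3).
"""
ITEM_ID = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Great Ball": 0x03, "Poké Ball": 0x04,
    "Awakening": 0x0E, "Repel": 0x1E, "Water Stone": 0x22, "Carbos": 0x26,
    "Calcium": 0x27, "X Accuracy": 0x2E, "Full Heal": 0x34, "Revive": 0x35,
    "Max Revive": 0x36, "Dire Hit": 0x3A, "Lemonade": 0x3E, "X Speed": 0x43,
}
for n in range(1, 51):               # TMs run consecutively from TM01 = $C9 (= ret)
    ITEM_ID[f"TM{n:02d}"] = 0xC8 + n
ID_ITEM = {v: k for k, v in ITEM_ID.items()}

# Opcodes used by this thread's scripts; {b} is an 8-bit, {w} a 16-bit operand.
OPS = {
    0x00: ("nop", 1), 0x01: ("ld bc,{w}", 3), 0x03: ("inc bc", 1), 0x04: ("inc b", 1),
    0x05: ("dec b", 1), 0x06: ("ld b,{b}", 2), 0x0E: ("ld c,{b}", 2), 0x1E: ("ld e,{b}", 2),
    0x22: ("ld (hl+),a", 1), 0x23: ("inc hl", 1), 0x26: ("ld h,{b}", 2), 0x2E: ("ld l,{b}", 2),
    0x34: ("inc (hl)", 1), 0x35: ("dec (hl)", 1), 0x36: ("ld (hl),{b}", 2),
    0x3A: ("ld a,(hl-)", 1), 0x3E: ("ld a,{b}", 2), 0x40: ("ld b,b", 1), 0x43: ("ld b,e", 1),
    0x54: ("ld d,h", 1), 0xC3: ("jp {w}", 3), 0xC9: ("ret", 1), 0xCD: ("call {w}", 3),
    0xE5: ("push hl", 1), 0xEA: ("ld ({w}),a", 3), 0xFA: ("ld a,({w})", 3),
}
REGS = ["b", "c", "d", "e", "h", "l", "(hl)", "a"]


def items_to_bytes(items):
    """A bag slot is stored as (item id, quantity), so a slot list is the byte stream 8F runs."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)


def bytes_to_items(code):
    """Inverse of items_to_bytes; KeyError if an even byte is not a known item id."""
    if len(code) % 2:
        raise ValueError("odd length: the last item has no quantity byte")
    return [(ID_ITEM[code[i]], code[i + 1]) for i in range(0, len(code), 2)]


def disassemble(code, base=0xD322):
    """Decode the stream as the CPU would, as (address, mnemonic) pairs. ValueError on an
    invalid/unknown opcode or a stream ending mid-instruction (a missing `ret` looks like this)."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == 0xCB and pc + 1 < len(code) and code[pc + 1] >= 0x40:
            sub = code[pc + 1]                   # prefix byte (TM03): bit/res/set n,r
            kind = ["", "bit", "res", "set"][sub >> 6]
            text, size = f"{kind} {(sub >> 3) & 7},{REGS[sub & 7]}", 2
        elif op in OPS:
            text, size = OPS[op]
        else:
            raise ValueError(f"opcode ${op:02X} at ${base + pc:04X} is invalid or not in the table")
        if pc + size > len(code):
            raise ValueError(f"instruction at ${base + pc:04X} runs past the end of the list")
        if size == 2:
            text = text.format(b=f"${code[pc + 1]:02X}")
        elif size == 3:
            text = text.format(w=f"${code[pc + 2]:02X}{code[pc + 1]:02X}")
        out.append((base + pc, text))
        pc += size
    return out


def port_to_yellow(code, base=0xD322):
    """The reply's Yellow rule: every WRAM address and every `ld l,n` value drops by 1.
    Working on bytes, an item id used as an operand (Calcium $27) becomes the
    neighbouring item (Carbos $26) by itself."""
    patched = bytearray(code)
    for addr, _ in disassemble(code, base):
        pc = addr - base
        if code[pc] in (0xEA, 0xFA):             # ld (a16),a / ld a,(a16)
            target = code[pc + 1] | code[pc + 2] << 8
            if 0xD000 <= target <= 0xDFFF:       # assumption: only WRAM targets move
                target -= 1
                patched[pc + 1], patched[pc + 2] = target & 0xFF, target >> 8
        elif code[pc] == 0x2E:                   # ld l,n
            patched[pc + 1] = (code[pc + 1] - 1) & 0xFF
    return bytes(patched)


# Constructed input: the Red/Blue list from the Yellow-conversion reply, third slot onward.
RB_ITEMS = [("TM50", 181), ("TM10", 64), ("TM34", 88), ("TM09", 46),
            ("Calcium", 52), ("X Accuracy", 35), ("Full Heal", 201)]


def yellow_items():
    """The same script re-encoded as a Yellow item list."""
    return bytes_to_items(port_to_yellow(items_to_bytes(RB_ITEMS)))


if __name__ == "__main__":
    for addr, text in disassemble(items_to_bytes(RB_ITEMS)):
        print(f"{addr:04X}  {text}")
    print(yellow_items())
    print(disassemble(bytes([3, 0xC3, 0x22, 0xD3]), base=0xD163))   # party bootstrap
</test>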
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on February 26, 2017, 06:55:16 pm
Nice! I'm adding this to the wiki page (http://glitchcity.info/w/index.php?title=Arbitrary_code_execution) right away!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Anna Says Hi on February 28, 2017, 01:02:50 pm
Hi, new poster here. I'm sharing one of my 8F setups.
(With the 5-pokemon 233 HP bootstrap)

Morphing item 2 with 2 items worth of code

8F
[Item to morph] x[any qty]
TM03 x141
Full Heal x201 / Revive x201

Code:
HL contains D322
D322: CB 8D
D324: 34 / 35
D325: C9

D322: RES 1, L
D324: INC (HL) / DEC (HL)
D325: RET

The advantage of this setup is that it's the same length as the "obtain 255 of item 2" setup, so only 2 Select presses are needed and the bag isn't disorganised. The disadvantage is that TM03 is not buyable and you have to use the 3-item morph setup if you've used or tossed it already.

One of the things I'm looking for is a memory viewer and editor GUI. I remember seeing a video that had a textbox that showed the contents of RAM at the time, and it might have been created by 8F. Unfortunately, we're probably limited by the fact we can only use 254 or so bytes, even for the extended 8F setup. So I wonder if we can bypass that limit. If we could write to different bytes when making our 8F setup (like 01:B524 in SRAM or C5D0 in WRAM) then we could have a way to make much longer programs, perhaps enough to code in an easy-to-use RAM editor GUI.
(FYI I'm thinking of something like this except with a bigger window)
Code:
*-------*
|D000 XX|
|D001 XX|
|D002 XX|
*-------*
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on February 28, 2017, 04:08:20 pm
Thanks for this Anna Says Hi!  :)

You're in luck, a memory editor GUI has fortunately already been made. It was originally created by offgao for Japanese versions but was ported by Cryo. See this post (http://forums.glitchcity.info/index.php?topic=7773.msg203697#msg203697) for the raw code.

Although TheZZAZZGlitch's memory editing method (https://www.youtube.com/watch?v=D3EvpRHL_vk) by default can only modify 256 bytes, you can write more than that and execute the program by following the instructions in the description of this video (link (https://www.youtube.com/watch?v=BNyDmZlbsNI)).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on March 13, 2017, 05:06:26 am
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on March 13, 2017, 08:45:12 am
In Pokémon Yellow I used stable unstable MissingNo. (https://www.youtube.com/watch?v=DDkema91-vo&t=8s), dry underflow, Celadon looping map trick (http://glitchcity.info/wiki/Celadon_looping_map_trick) and Rival LOL glitch (http://glitchcity.info/wiki/Rival_LOL_glitch) for the bootstrap Pokémon.

The Brock Through Walls/Trainer-Fly with Abra sounds good for Red/Blue.

Rival LOL glitch is probably a good method for Pokémon Red and Blue as well if you have a six letter long Rival name, although you could also get your Pokémon by warping to places that have them (Route 1 for Pidgey, Safari Zone or Cerulean Cave [use Rival's item or enter Hall of Fame] for Parasect, Rock Tunnel or Victory Road for Onix, water for Tentacool [use ?????], Safari Zone for Kangaskhan).

I'm unsure if Trainer-Fly would be better as you'd need specific Special stats from specific Trainers or party Pokémon, so regular encounters/LOL glitch seems to be better.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 13, 2017, 11:42:10 am
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?
For the level 100 Pidgey I recommend TFlying, fighting against FISHERMAN's level 27 GOLDEEN in Route 12, Growl x6, catch Pidgey, DON'T SAVE, level to 100, cancel evolution, use HP Ups and remove HP using poison then Antidote (1 HP each 4 steps) or Lv 2 Pokémon (2 HP per hit usually, i.e. when not Crit :P).
Note that some Pidgeys cannot reach 233 Max HP due to low stats, that's why you shouldn't save until after you made sure you caught a correct one.

I also prefer to catch Arbok from Trainer-Fly (if using the 6-Pokémon setup, the best IMO); for the Kangaskhan I recommend you go into a Safari part of the zone where Kangaskhans appear and get kicked out of the Safari challenge in this zone. Then do the usual Surf thingy without loading other grass Pokémon data, and you're good (Note: doesn't work in Pokémon Yellow. Not suited for children under 3 IQ.)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on March 19, 2017, 11:50:53 am
Thanks! I obtained an 8F on VC blue and got the setup working yesterday, just using normal encounters, in about 3.5 hours.

I made a simple script to easily obtain any item, which is very useful for building other scripts:

Code:
ldd a, (hl)
ldd a, (hl)
ldi (hl), a
inc b ; filler
ld (hl), 1
dec (hl)
inc b ; filler
ret
which compiles to
Code:
Dire Hit x58
Water Stone x4
Max revive x1
Revive x4
TM01 x[Any qty]
This sets the index of the 2nd item to its quantity (make sure 8F is the first item obviously), and its quantity to 0 for easy tossing to any desired quantity.

This requires only items that can be bought from the Celadon dept store, with no missingno duping.

Then, you can use it once to get a Max revive x0 stack, so you can get rid of the revive to compact the script slightly.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 20, 2017, 06:09:50 am
You could remove the
Code:
ld a, [hli]
ld [hld], a
since it effectively does nothing.
Item pack:
Code:
8F
[item] x(Any)
Dire Hit x4
Max revive x1
Revive x4
TM01 x[Any qty]

A more efficient setup (IMO) is
Code:
8F
Item x[any qty]
Poké Ball (or Great Ball) x43
Revive x3
TM01 x[any qty]
Toss all of "Item" but one, then use. You now have 0 of that item :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on March 20, 2017, 02:32:21 pm
The ld a, [hld] / ld [hli], a part is what copies the quantity of the item to its index, allowing access to any item index; your script just sets the quantity to 0. But since both are useful behaviours, then I swap the water stones (ld a [hli]) with HP ups (inc hl) if I want to reset the item quantity without setting the index too.

Another question: Is there an easy way to find the memory locations and ROM banks that correspond to a particular label in the disassembly? I had an idea for a script to make tossing items a bit less tedious by copying the graphics for digits or letters over the place where the game reads tiles for glitch quantities from, so it would be easier to see at a glance how many items you have / are tossing, but I'd need the locations for CopyVideoData and FontGraphics.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 20, 2017, 03:05:59 pm
When you build the ROM, it generates two files which contain all the addresses.
I attached the file for Red.

I recommend you know how to use Ctrl+F :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on March 20, 2017, 03:12:32 pm
Ah, thanks, I was wondering what the .sym files were for, for some reason it didn't occur to me to look inside them!

Edit: And here is said script:
Code:
Carbos x90
Master Ball x14
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x0
Carbos x144
X Accuracy x0
TM01 x[Any qty]

Code:
ld h, $5A
ld bc, $040E ; b = BANK(FontGraphics), c = 14 = how many tiles to copy
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
nop
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

This turns the tiles beyond the numbers that glitch quantities read from into the letters A through P, so it's easier to see how many items you have / are tossing. (There will also be a bunch of letters all over the background).

The effect goes away when entering/leaving a building, entering/leaving a battle, resetting the game, or closing the PC item menu, and maybe a few other things.

Tested with English blue on BGB.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on March 26, 2017, 12:20:49 pm
Since x0 quantities are a bit of a pain to get, I'd recommend this:
Code:
Carbos x90
Master Ball x13
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x3
Carbos x144
X Accuracy x0
TM01 x[Any qty]

Code:
ld h, $5A
ld bc, $040D ; b = BANK(FontGraphics), c = 14 - 1 = how many tiles to copy - 1
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
inc bc
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

(Didn't test it though)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: atav32 on April 13, 2017, 03:38:58 pm
Hey everyone! Just discovered the wonders of 8F! Still got a lot to learn.

I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!

Quote
ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201

ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

But when I started transferring them to Pokemon Bank, I've hit a couple snatches.

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for
  • starters & evolutions
  • Ditto
  • Dratini & evolutions
  • legendary birds
  • Mewtwo

Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.

- - - - -

Unrelated, but just curious: I've read that TM 01 x(any) and [any item] x201 represent the C9 byte which stops code execution. How do they differ? I tried using TM 01 x129 instead of Lemonade x201 in the above setup and it froze the game.

Thanks everyone!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 14, 2017, 02:38:29 am
The Lemonade represents 3E in "call 3E48". Without the Lemonade it translates to "call C948". Even if C948 returns properly (it probably doesn't), it'll still treat the rest of your items as code until it finds a ret.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on April 15, 2017, 04:40:15 am
Here is a script that should work for an arbitrary encounter level:

Code:
Repel x[Species index]  ; ld e, [species index]
Awakening x[Level]      ; ld c, [level]
X speed x64             ; ld b, e / ld b, b
TM05 x72
Lemonade x201           ; call 3E48 / ret

Replacing the lemonade x201 with a lemonade x4 followed by a TM01 x[any] would also work. (x4 corresponds to inc b which basically does nothing at this point). But the lemonade is important.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 16, 2017, 02:48:12 am
Hey everyone! Just discovered the wonders of 8F! Still got a lot to learn.

I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!

Quote
ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201

ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

But when I started transferring them to Pokemon Bank, I've hit a couple snatches.

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for
  • starters & evolutions
  • Ditto
  • Dratini & evolutions
  • legendary birds
  • Mewtwo

Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.

- - - - -

Unrelated, but just curious: I've read that TM 01 x(any) and [any item] x201 represent the C9 byte which stops code execution. How do they differ? I tried using TM 01 x129 instead of Lemonade x201 in the above setup and it froze the game.

Thanks everyone!


The Ultra Ball (index 2) actually represents the lvl. For instance using X Accuracy x64 instead of Ultra Ball x64 gives a lvl 46 Pokémon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: atav32 on April 16, 2017, 11:41:47 am
Wow! That's awesome! What tools do you guys use to write and test your code?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on April 16, 2017, 12:35:47 pm
Writing is done usually on Notepad or a sheet of paper. I'm not even joking :P
Then we compile it either by hand or using some nifty tools created by the community (for example these (http://glitchcity.info/wiki/8F%20Helper) two (http://glitchcity.info/wiki/GBz80%20to%20Items))

To test them, most of us prefer the BGB emulator and its amazing debugger, but some other emulators such as BizHawk are good options.
Some even take the time to build the setup on console to verify. But it's more rare.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on April 22, 2017, 08:51:51 am
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on April 22, 2017, 01:16:23 pm
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

Yes. The following code which is a modified version of TheZZAZZGlitch's change second item code (see this thread's first post) should work for changing the item quantity. It should on both Yellow (when using ws m redirected to item 3) and Red/Blue (when using 8F redirected to item 3) because no absolute memory addresses are specified.

* 8F
* Item with quantity you want to morph
Burn Heal            x43
Full Heal            x201

ASM:
Code:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 34               inc  (hl)
WRA1:D325 C9               ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on April 23, 2017, 01:43:16 pm
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

This is what I use to get 0 of a certain item.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

More convenient to turn 1 item into 0 than turning 255 into 0. It's also worth noting that 0 is actually 256, so you can toss them to get any quantity you need.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Blaki on April 25, 2017, 04:22:46 pm
It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade !

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
Code:
ld a, [Pokemon index value]
call $349B
ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Caveat on April 25, 2017, 06:42:35 pm
It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade !

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
Code:
ld a, [Pokemon index value]
call $349B
ret
This could potentially be useful for the Pokedex ACE that was discovered recently...

Even if it only displays complete entries after catching the Pokemon, it could still be used to easily execute the code in that manner.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on April 25, 2017, 07:04:45 pm
It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade !

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
Code:
ld a, [Pokemon index value]
call $349B
ret
This could potentially be useful for the Pokedex ACE that was discovered recently...

Even if it only displays complete entries after catching the Pokemon, it could still be used to easily execute the code in that manner.
Well, well, a newcomer might've made history...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: camper on April 25, 2017, 11:21:41 pm
Except if you already have 8F you can already do ACE.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: DrManowar on May 18, 2017, 09:04:15 pm
This past week, I have been learning about arbitrary code execution. I started off with simple scripts in Pokemon Yellow, and I am currently working on creating Pong in Pokemon Blue using TheZZAZZGlitch's code. Currently, the program is running when I use 8F, but unlike in the video by TheZZAZZGlitch, my ball is always starting off by going in the top left direction instead of the top right direction. This is causing the ball to phase through the left wall and causing the ball to phase through the paddle on its way down.

I finally noticed a workaround: First, I changed the last "0D" byte in the seventh row to a "0A", waited for the ball to continuously hit the paddle and the top left corner repeatedly, and then I changed that "0A" byte back to a "0D". After changing it back to the 0D while the program is running, it functions completely as intended. I should mention that I am trying this on VBA which is how I am editing the memory.

I am looking for a workaround to this that would allow me to not have to manually change the memory while the program is running. Would anyone know how to change the bytes around to allow the ball to start off moving in the top right direction rather than the top left? I am not sure if this would be the solution though. Any help is greatly appreciated.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on May 19, 2017, 05:53:56 am
Well, VBA is a pretty bad emulator (even more for the GB than the GBA), so first of all I think you should switch to either BGB, Gambatte, or at the very least VBA-M.
I'm not sure this will fix the error, though.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Laffeyh on June 07, 2017, 09:56:10 am
Hey there,

I am searching for a modified Alternative Catch 'Em All glitch.
I would like to add the Pokemon I want to the current active box not to my team and change the obtained Pokemon's DVs to the shiny values in the same step. It is pretty annoying to change the whole setup and doing the item duplication glitch for every 20 pokemon.

Furthermore, is there any general explanation on some of the Items? Do Items like Lemonade, fresh water, the X items, Carbos and so on have a general function in EVERY code, or are they for example only doing certain things in different setups?
For example I see, that many glitches regarding the boxes have carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on June 07, 2017, 01:53:00 pm
@Laffeyh
Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on June 08, 2017, 02:19:50 pm

Furthermore, is there any general explanation on some of the Items? Do Items like Lemonade, fresh water, the X items, Carbos and so on have a general function in EVERY code, or are they for example only doing certain things in different setups?
For example I see, that many glitches regarding the boxes have carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh

The items basically correspond to certain opcodes (instructions) in Z80 assembly. You can learn about it by this guide (http://glitchcity.info/wiki/GB_Programming) on the site, or by plenty of other resources online too. The game stores items by an ID number followed by the number of them you have, and ACE takes advantage of that by making the game reinterpret that list of numbers as code to be run. A list of which items correspond to which opcodes is here (http://glitchcity.info/wiki/The_Big_HEX_List).

The items you see a lot in scripts basically correspond to commonly used opcodes, for example Lemonade is "ld a, $xx" (where xx is the next number in memory, the quantity of this item stack), which sets the "a" register to whatever you want, which is very useful since that can then be written to somewhere in memory or you could do arithmetic to it or whatever. Carbos and X accuracy correspond to "ld h, $xx" and "ld l, $xx" respectively, which are used most often to determine where something should be written in memory, or sometimes where to jump to.
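To make the item-list-as-code idea concrete, here is an added example (not from this thread or from the community tools it links): it packs an item list into the [ID][quantity] byte pairs the game keeps in RAM and decodes them with a small disassembler covering the GB Z80 opcodes used in the scripts above. The item IDs are the Big HEX List values quoted in the posts; the species index 0x15 and level 70 are constructed sample inputs. It also reproduces camper's point from earlier in the thread: dropping the Lemonade turns "call 3E48" into "call C948".

```python
# Added example: encode 8F item lists to bytes and disassemble them back.
# Item IDs are the Big HEX List values quoted in this thread.
ITEM_IDS = {
    "Ultra Ball": 0x02, "Poké Ball": 0x04, "Antidote": 0x0B,
    "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Awakening": 0x0E,
    "Repel": 0x1E, "Water Stone": 0x22, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Full Heal": 0x34, "Revive": 0x35,
    "Max Revive": 0x36, "Lemonade": 0x3E, "X Speed": 0x43,
    "TM01": 0xC9, "TM05": 0xCD, "TM11": 0xD3,
}

REG8 = ["b", "c", "d", "e", "h", "l", "(hl)", "a"]
REG16 = ["bc", "de", "hl", "sp"]
ALU = ["add a,", "adc a,", "sub ", "sbc a,", "and ", "xor ", "or ", "cp "]
STORES = {0x02: "ld (bc),a", 0x12: "ld (de),a",
          0x22: "ld (hli),a", 0x32: "ld (hld),a"}


def items_to_bytes(items):
    """items: list of (name, quantity). The game stores each slot as ID, qty."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)


def decode_one(op):
    """Return (mnemonic template, size) for the opcode subset 8F scripts use."""
    if op == 0xC9:
        return "ret", 1
    if op == 0xCD:
        return "call ${nn:04X}", 3
    if op == 0xC3:
        return "jp ${nn:04X}", 3
    if op in STORES:
        return STORES[op], 1
    if op & 0xCF == 0x01:                       # ld rr,nn
        return f"ld {REG16[(op >> 4) & 3]},${{nn:04X}}", 3
    if op & 0xC7 == 0x06:                       # ld r,n
        return f"ld {REG8[(op >> 3) & 7]},${{n:02X}}", 2
    if op & 0xC7 == 0x04:                       # inc r
        return f"inc {REG8[(op >> 3) & 7]}", 1
    if op & 0xC7 == 0x05:                       # dec r
        return f"dec {REG8[(op >> 3) & 7]}", 1
    if op & 0xCF == 0x03:                       # inc rr
        return f"inc {REG16[(op >> 4) & 3]}", 1
    if op & 0xCF == 0x0B:                       # dec rr
        return f"dec {REG16[(op >> 4) & 3]}", 1
    if 0x40 <= op < 0x80 and op != 0x76:        # ld r,r' (0x76 is halt)
        return f"ld {REG8[(op >> 3) & 7]},{REG8[op & 7]}", 1
    if 0x80 <= op < 0xC0:                       # 8-bit ALU on a register
        return f"{ALU[(op >> 3) & 7]}{REG8[op & 7]}", 1
    return f"db ${op:02X}", 1                   # anything else: raw byte


def disassemble(code, base=0xD322):
    """Decode until a ret (or the data runs out); returns [(address, text)].

    base=0xD322 is item slot 3, where 8F-redirected execution begins."""
    out, pc = [], 0
    while pc < len(code):
        template, size = decode_one(code[pc])
        if pc + size > len(code):               # operand runs past the list
            out.extend((base + i, f"db ${code[i]:02X}")
                       for i in range(pc, len(code)))
            break
        n = code[pc + 1] if size > 1 else 0
        nn = int.from_bytes(code[pc + 1:pc + 3], "little") if size == 3 else 0
        out.append((base + pc, template.format(n=n, nn=nn)))
        if template == "ret":
            break
        pc += size
    return out


def level_script(species, level):
    """jfb1337's arbitrary-level GivePokemon item list from this thread."""
    return [("Repel", species), ("Awakening", level), ("X Speed", 64),
            ("TM05", 72), ("Lemonade", 201)]


if __name__ == "__main__":
    # Constructed sample: species index 0x15, level 70.
    for addr, text in disassemble(items_to_bytes(level_script(0x15, 70))):
        print(f"{addr:04X}  {text}")
    # Same list with TM01 x129 in place of the Lemonade: the C9 becomes the
    # high byte of the call target and no ret is ever reached.
    broken = level_script(0x15, 70)[:-1] + [("TM01", 129)]
    for addr, text in disassemble(items_to_bytes(broken)):
        print(f"{addr:04X}  {text}")
```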

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: 8F on June 15, 2017, 07:46:56 am
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end because the game crashed and lost my save so does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used brock through walls to get HM Fly and Surf as well as going to cerulean cave to get a high level pokemon to defeat the two gym leaders in order to access the Old Man trick but is there a quicker method?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on June 15, 2017, 04:59:35 pm
There's already-set-up saves for 8F and ws m... somewhere... I think Torchickens uploaded them, try asking her.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: 8F on June 16, 2017, 02:31:55 am
Sorry, I should've mentioned that I'm playing on the 3DS
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on June 16, 2017, 07:26:20 am
The fastest way to get the 8F setup would be to encounter missingno via Trainer Fly, not Old Man Trick. This can be done by losing to the 2nd trainer's machop in Saffron dojo after setting up the TFly.

What do you mean by not having the right inventory? Once you have 255 x specials, all you need are two of any tossable item to do the dry variant (http://forums.glitchcity.info/index.php?topic=6638.msg198625.html#msg198625) of Item Underflow.

Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 16, 2017, 09:17:14 am
You can also lose to Misty to get the correct encounter Special.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 16, 2017, 10:57:05 am
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end because the game crashed and lost my save so does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used brock through walls to get HM Fly and Surf as well as going to cerulean cave to get a high level pokemon to defeat the two gym leaders in order to access the Old Man trick but is there a quicker method?

Hi 8F! What you need to do is obtain three stacks of the X Special x255 (by putting the initial x255 in slot 3 and then tossing all of slot 2 and slot 1) but have only one item registered; so there are three X Specials at the top but you can only scroll down to the first two and the second acts as a Cancel. Afterwards tossing 253 of the first X Special and swapping the X Special x2 with the second stack and then the third will give you an X Special x0 and underflow the inventory.

An early way to get a x255 stack is this:

1) Use Brock Through Walls to go to Saffron City then heal at Saffron City Pokémon Center
2) Go west to Celadon City to buy an Abra using the coins on the ground at the Game Corner (https://youtu.be/apG4D6S5qi8?t=691)
3) Head to Route 6 and set up a Trainer-Fly using Abra's Teleport.
4) Lose to the first Black Belt at Saffron Fighting Dojo.
5) Return to Route 6 after flashing the Start menu to encounter MissingNo. to get x129 of an item in slot 6.
6) Toss two of the item, run from MissingNo. and repeat steps 3-5 to encounter another MissingNo. and get x255.

(Note: It may also be possible to use up two of the item in slot 6 once you get x129 and then catch MissingNo. to get x255 (e.g. if it's an X Attack, but the item in slot 6 shouldn't be a Poké Ball).)

If you have another 3DS with Red/Blue you can also obtain a CoolTrainer Ditto on Red/Blue (use Transform, swap first move with second move and run), enter battle with it in Diglett's Cave, flash the Pokémon menu (important) and then scroll through Ditto's move until the music fades. Afterwards, the Pokémon will turn into MissingNo. and catching it will duplicate the slot 6 item if there are under 128.

Hope that helps and sorry for late response!  :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Problems with 8F on June 19, 2017, 05:07:03 am
Hello guys,
I've got a problem getting the 8F item. I tried the item underflow glitch (dry version, without an item giveaway event) several times, but every time I search for it I only find an item called 7S in the place of the 8F shown in several YT videos. So I thought that's the German version of the 8F item (playing the German version of Pokémon Red on the VC). I tried the item morphing glitch but nothing happened; I even tried to change my TID to get the ideal TID for exchanging my Mew to Pokémon Bank, but still no effect. Did I get something wrong, or are there other methods for obtaining the 8F item? Thanks in advance for the help, guys :)

Edit: It's S7, not 7S, sorry!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 19, 2017, 01:40:41 pm
Are you using the correct bootstrap? The German version requires a different party set-up than the English. There is one posted on page 4 (the first post, easy to find). But it's a pretty old one. Other European players may have a less complicated one.

PS: S7 is indeed the german 8F.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Problems with 8F on June 19, 2017, 02:16:51 pm
Thx for the answer, so I've got the 8F item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kangaskhan

I will try the other one on page 4, thx!

PS: I've used this video as a guide for the people that are interested.
https://youtu.be/H8AgGp5cqPI
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 19, 2017, 08:52:23 pm
Thx for the answer, so I've got the 8F item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kangaskhan

I will try the other one on page 4, thx!

PS: I've used this video as a guide for the people that are interested.
https://youtu.be/H8AgGp5cqPI

Yeah, in non-English European versions you will likely need to use a different bootstrap code.

Note before you use the change player ID items code you will also need to alter it as memory addresses in non-English European versions are +5 of the original.

In the code below (the one you may have tried using to change your Trainer ID part 1) you will just need to change the X Accuracy x89 into an X Accuracy x94, and similar logic applies to the rest.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x89  ; ld a, 59
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the second code (trainer ID change part 2 below), change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x12  ; ld a, 0C
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the third code (player name letter 1 change) change X Accuracy x88 to X Accuracy x93.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x88  ; ld l, 58
Lemonade    x134 ; ld a, 86
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


For the fourth code (player name letter 2 change) change X Accuracy x89 to X Accuracy x94.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x133 ; ld a, 85
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the fifth code (player name terminator in position 3) code, change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x80  ; ld a, 50
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

When certain memory addresses are defined in the code, such as many in the DXXX region (but not for instance CD38, which when set to 1 allows you to walk through walls) most of the time you will just need to change them to be +5 of the original (which you can do using a calculator that supports hexadecimal such as Windows Calculator or just regard digits beyond 9 as A-F as you count up by five).

Note that this logic doesn't apply to addresses that use "call" or "jp" to run a routine in the ROM, such as the gift Pokémon code. For that you will have to locate the routine in the original English version in a debugger, converting the address from a pointer to an offset if necessary (only for addresses between 4000-7FFF) then use a hex editor to look for similar byte code in the non-English European version, then convert it back into a pointer and this will be your address following call, jp.

My explanation isn't adequate though as it doesn't explain things like how to use a hex editor, how to convert a pointer to an offset or how you may have to swap the byte order ("endianness") due to an address following call or jp being formatted yyxx rather than xxyy. So if you ever need to convert a code that uses call or jp in such a way let me know and I'll walk you through it and convert it for you.

Hope this helps!  :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 20, 2017, 04:26:03 am
The offsetting logic is this:
0000-7FFF: Offsetting is complex, but things 0000-3FFF shouldn't be offset
8000-9FFF: No offsetting
A000-BFFF: No offsetting either
C000-D1XX (I think ?): No offsetting
D1XX-DFFF: Offset +5
FF80-FFFE: No offsetting
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 20, 2017, 03:33:16 pm
The offsetting logic is this:
0000-7FFF: Offsetting is complex, but things 0000-3FFF shouldn't be offset
8000-9FFF: No offsetting
A000-BFFF: No offsetting either
C000-D1XX (I think ?): No offsetting
D1XX-DFFF: Offset +5
FF80-FFFE: No offsetting

The offset +5 is before D1XX because D059 the instant encounter address is D05E in non-English European versions. I wonder where it begins (and the -1 for Yellow)?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Problems with 8F on June 21, 2017, 01:52:08 am
Thx guys for your very detailed answers. Even if I didnt understand everything I will try your suggestions and post the results :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 24, 2017, 04:34:40 am
Well, I read a lot of posts these days on this spectacular forum. I am using a Pokémon Yellow Italian version, and all I can notice and say to you to receive help is this:
http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543 this, I think, is the correct box party I must use:
And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]
(quote from Wack0)
Well, now I need to know how to use the items and what items I need to use, in the correct order. If you can, please post it for creating items and multiplying them x255, because I'm trying to make a legit Mew with the event OT and ID.
After that I have a question... I read about 7em etage; should it be the item replacing ws m in the Italian and French versions? Sorry, I don't understand; if you can help me I'd appreciate it a lot.
Thanks, and sorry if I was wrong to ask in this section or about my last posts...
Thanks in advance.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 24, 2017, 06:35:13 am
7em etage is for French/Italian Red/Blue, ws m is for Yellow. Though I don't know if it's called that in Italian games. Nor if you get it the same way as in English.
The list of Pokémon list is indeed the one you need.

This is how to get ws m in English games. May be the same in Italian games. Worth a try I guess.
Do the trainer escape glitch and defeat a Ditto transformed into a Pokémon that has 194 special stat and have X Speed as your 5th item.

And some codes:
Change the second item:

- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of item the you want)
- TM01 x(any)

This one should turn item 2 into whatever the quantity of the Max Revive corresponds with from the big hex list.
http://glitchcity.info/wiki/The_Big_HEX_List

I don't have a euro-language game to test it, but it's what I use on my English Red/Blue +4 X Accuracy.
-------------

Change item 2 amount to 256 (0) (actually decreases item amount by 1)

- 8F
- Item you want 256 of x1
- Pokéball x43
- Revive x201

This one should work on any game.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 24, 2017, 08:55:54 am
7em etage is for French/Italian Red/Blue, ws m is for Yellow. Though I don't know if it's called that in Italian games. Nor if you get it the same way as in English.
The list of Pokémon list is indeed the one you need.

This is how to get ws m in English games. May be the same in Italian games. Worth a try I guess.
Do the trainer escape glitch and defeat a Ditto transformed into a Pokémon that has 194 special stat and have X Speed as your 5th item.

And some codes:
Change the second item:

- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of item the you want)
- TM01 x(any)

This one should turn item 2 into whatever the quantity of the Max Revive corresponds with from the big hex list.
http://glitchcity.info/wiki/The_Big_HEX_List

I don't have a euro-language game to test it, but it's what I use on my English Red/Blue +4 X Accuracy.
-------------

Change item 2 amount to 256 (0) (actually decreases item amount by 1)

- 8F
- Item you want 256 of x1
- Pokéball x43
- Revive x201

This one should work on any game.

Well, on the Pokémon Yellow Italian version I have this item: http://imgur.com/a/bs5sY
Then I tried as you said:
-ws m
-item you want 256 of x1
-pokeball x43
-revive x201
and it doesn't work...
About
- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of item that you want) <---------- I don't understand what you mean with this... how many should I have?
- TM01 x(any)

Anyway, it doesn't work... I used a box with 6 Slowpoke, Voltorb, Scyther, Jolteon, 10x Geodude and Voltorb, where the 1st Slowpoke has 233 HP.
I await an answer; anyway, thanks for your help, mate.

EDIT 1-
To get any item, use this code:
ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201
And is it correct to use this for choosing the item I need? http://glitchcity.info/biglist.htm
BUT IT DOESN'T WORK


Then this too:
To get any item quantity, set up your items like so:
ws# #m#
Item you want to increase x 1
Burn or ice heal x 43
Revive x 201 (You should already have this)
DOESN'T WORK.


At last, I must use this to change my ID:
The item code to change trainer ID is:
any item/ws# #m#
any item/ws# #m#
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)
as we are going for an ID of the GF mew, we want 89 lemonades, and 12 repels. If you want to change your ID back afterward, you need to get it from one of your previously captured pokes (look at summary) and convert it into hexadecimal (there's tonnes of converters online.). Then, split the four digit hexadecimal number into two chunks, the first two digits, and the last two. Then convert those individual chunks back into decimal to find out how many repels and lemonades you need. First chunk is for lemonades, second for repels. Just use ws# #m# to change your ID.

But is this correct?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 24, 2017, 05:12:52 pm
What happens when you try to execute a code? Nothing or does the game crash?

Anything else I can advise is to double check your box to see if the Pokémon are all in the correct order. And to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the euro Bootstrap code with the English and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it. Cuz Scyther is dec 26 on the big list, but we need hex 26 <--- Thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of item that you want) <---------- I don't understand what you mean with this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy, look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on June 24, 2017, 05:58:03 pm
What happens when you try to execute a code? Nothing or does the game crash?
What happens when you try to execute a code?
try to execute a code?
execute a code
(http://www.quickmeme.com/img/a2/a2e2c23b6669a334364c83e892bdc9649deeec1aa530b29ce4b6f73f37539d0d.jpg)

Anyway... I have nothing useful to add.

please don't ban me Abwayax-sama I swear I'll change please no don't cave my account in with your ban hammer
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 25, 2017, 03:14:25 am
What happens when you try to execute a code? Nothing or does the game crash?

Anything else I can advise is to double check your box to see if the Pokémon are all in the correct order. And to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the euro Bootstrap code with the English and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it. Cuz Scyther is dec 26 on the big list, but we need hex 26 <--- Thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of item that you want) <---------- I don't understand what you mean with this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy, look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand everything.
Anyway, about the real big problem: I tried right now to change Kadabra with Scyther and I tried
-ws m
-item you want 256 of x1
-pokeball x43
-revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x 1
Burn or ice heal x 43
Revive x 201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question whether my game crashes or nothing happens when I try to execute a code, the answer is NOTHING HAPPENS.
Thanks for future help.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 25, 2017, 06:44:08 am
What happens when you try to execute a code? Nothing, or does the game crash?

Anything else I can advise is to double-check your box to see if the Pokémon are all in the correct order, and to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the Euro bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it, because Scyther is decimal 26 on the big list, but we need hex 26 <--- thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want) <---------- I don't understand what you mean by this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy: look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried just now to change Kadabra with Scyther, and I tried
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question whether my game crashes or nothing happens when I try to execute a code: the answer is NOTHING HAPPENS.
Thanks for future help.

Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 25, 2017, 08:57:19 am
What happens when you try to execute a code? Nothing, or does the game crash?

Anything else I can advise is to double-check your box to see if the Pokémon are all in the correct order, and to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the Euro bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it, because Scyther is decimal 26 on the big list, but we need hex 26 <--- thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want) <---------- I don't understand what you mean by this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy: look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried just now to change Kadabra with Scyther, and I tried
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question whether my game crashes or nothing happens when I try to execute a code: the answer is NOTHING HAPPENS.
Thanks for future help.

Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.

Well, I'll go replace Scyther with Kadabra, but please can you tell me, to get any item quantity, how I must set up my items?
example: 1st ws m
2nd item x255 x1
Burn Heal x43
Revive x201
??? Which is the setting? This one I posted doesn't work; I need the setting to get any item quantity (x255) and to get any item.
Thanks again

In the end, can you explain how to get ws m? Maybe I got something wrong.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 25, 2017, 11:24:42 am
We call the item ws m, but it can also show up as ws l m, so this is the correct item.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 25, 2017, 11:56:18 am
We call the item ws m, but it can also show up as ws l m, so this is the correct item.

Mine is ws & m, is that correct? And anyway, can you answer the other question, please?
What happens when you try to execute a code? Nothing, or does the game crash?

Anything else I can advise is to double-check your box to see if the Pokémon are all in the correct order, and to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the Euro bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it, because Scyther is decimal 26 on the big list, but we need hex 26 <--- thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want) <---------- I don't understand what you mean by this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy: look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried just now to change Kadabra with Scyther, and I tried
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question whether my game crashes or nothing happens when I try to execute a code: the answer is NOTHING HAPPENS.
Thanks for future help.

Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.

Well, I'll go replace Scyther with Kadabra, but please can you tell me, to get any item quantity, how I must set up my items?
example: 1st ws m
2nd item x255 x1
Burn Heal x43
Revive x201
??? Which is the setting? This one I posted doesn't work; I need the setting to get any item quantity (x255) and to get any item.
Thanks again

In the end, can you explain how to get ws m? Maybe I got something wrong.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on June 25, 2017, 01:17:03 pm
please don't ban me Abwayax-sama I swear I'll change please no don't cave my account in with your ban hammer
I SAW THAT!
OK, but anyway, what is the ASM for TheZZAZZGlitch's 20 Pokémon ws m bootstrap?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 25, 2017, 02:37:56 pm
???? I need settings to create and multiply items
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 25, 2017, 03:23:18 pm
???? I need settings to create and multiply items

Quote
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

These item settings you tried should all work fine. The last one does not increase anything though; it does the same as the first.
Still... if nothing at all happens when you execute ws m, there's a problem somewhere else. Did you check if the first Slowpoke has 233 HP left? Did you put Kadabra in the correct spot when you took out Scyther? Is the box with the 20 Pokémon your active box? Are you putting the items in the exact same order as they are listed?

Quote
In the end, can you explain how to get ws m? Maybe I got something wrong.

Can you explain how you got your ws m, maybe? I already posted how to get it in my first reply.

These are the codes you asked for. You already tried them though. They work for any version and any language, so that can't be the problem.

Change item 2 quantity to 256:
-ws m
-Item you want 256 of x1 <--- only 1 item here.
-Pokéball x43
-Revive x201

Change item 2 into the previous item on the Big Hex List.
-ws m
-Item you want to change x any
-Burn heal x 43
-Ice heal x 43
-Revive x 201

I hope you get this to work. O_o
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 25, 2017, 04:20:57 pm
???? I need settings to create and multiply items

Quote
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

These item settings you tried should all work fine. The last one does not increase anything though; it does the same as the first.
Still... if nothing at all happens when you execute ws m, there's a problem somewhere else. Did you check if the first Slowpoke has 233 HP left? Did you put Kadabra in the correct spot when you took out Scyther? Is the box with the 20 Pokémon your active box? Are you putting the items in the exact same order as they are listed?

Quote
In the end, can you explain how to get ws m? Maybe I got something wrong.

Can you explain how you got your ws m, maybe? I already posted how to get it in my first reply.

These are the codes you asked for. You already tried them though. They work for any version and any language, so that can't be the problem.

Change item 2 quantity to 256:
-ws m
-Item you want 256 of x1 <--- only 1 item here.
-Pokéball x43
-Revive x201

Change item 2 into the previous item on the Big Hex List.
-ws m
-Item you want to change x any
-Burn heal x 43
-Ice heal x 43
-Revive x 201

I hope you get this to work. O_o
Yes, I checked everything: the Pokémon in the box, the right current box, the right place for Kadabra; my 1st Slowpoke has 233 HP and is Lv. 79; I checked that all items are in the correct place, and when I press A once on ws m and then B, nothing happens... why? I'm really going crazy, because I followed all your instructions step by step, checking everything many, many times, but it doesn't work. I REALLY DON'T UNDERSTAND WHY.
I got ws&m by the Mew glitch with Pokémon Special 194, SO I think this is not the problem.
If I change the language of the console, would that help?
Help me please... thanks again...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 25, 2017, 11:15:25 pm
You press A once on ws m and then B? Try pressing A and then A again. O_o
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 12:49:04 am
You press A once on ws m and then B? Try pressing A and then A again. O_o

If I press A twice on ws m it blocks the game and I need to restart the console... and I saw in the video they press A only once, then B...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 12:55:52 am
What happens when you try to execute a code? Nothing, or does the game crash?

Anything else I can advise is to double-check your box to see if the Pokémon are all in the correct order, and to make sure the first Slowpoke has 233 HP left; its max HP does not matter.

Also, I just compared the Euro bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it, because Scyther is decimal 26 on the big list, but we need hex 26 <--- thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want) <---------- I don't understand what you mean by this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy: look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried just now to change Kadabra with Scyther, and I tried
- ws m
- item you want 256 of x1
- Poké Ball x43
- Revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn Heal x43
Ice Heal x43
Revive x201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x1
Burn or Ice Heal x43
Revive x201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question whether my game crashes or nothing happens when I try to execute a code: the answer is NOTHING HAPPENS.
Thanks for future help.

Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.
Sorry mate, what do you mean by "start at item 3"? Do I need to change the slots of the items? If yes, can you tell me how? I changed Scyther with Kadabra but it still doesn't work... ISSOtm told me to ask you... any idea?
Thanks
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on June 26, 2017, 01:16:33 am
It should be (iirc)
ws m
Some item you give 0 shits about x whatever
Item to duplicate
<rest of code>

You need the items you want more of to be in slot 3... I think.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 07:11:02 am
It should be (iirc)
ws m
Some item you give 0 shits about x whatever
Item to duplicate
<rest of code>

You need the items you want more of to be in slot 3... I think.

What do you mean by "Some item you give 0 shits about x whatever"? I understood it as putting in 1 junk item, and I tried that, but it doesn't work... if I understood wrong, can you write better settings? Thanks
Anyway, can someone help? Torchickens or ISSOtm, are you here?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 07:20:34 am
LET ME ASK ANOTHER QUESTION, MAYBE I'LL FIND A SOLUTION... if I use this code
The item code to change trainer ID is:
any item/ws# #m#
any item/ws# #m#
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)
as we are going for an ID of the GF mew, we want 89 lemonades, and 12 repels.

Will it work without the box party, or do I need the box party for it too? Because I think if I'm not able to duplicate and create items, I can get them by encountering the fossil MissingNo. and I'll have all the items. But will it change my ID? Or does it need a perfect box party? Can one of you repeat the box party for the Italian language version?
thanks again and again ...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 26, 2017, 07:55:28 am
@Parzival there's no "some item etc.".

@asphere
You have to press A twice on ws m, that is: one press to open the "USE / CANCEL" menu, and one more A press to select USE.
If the game locks up at that point or anything, SOMETHING IS WRONG. That means you did trigger the ACE glitch but something in the setup is wrong.


The main principle of ACE is that your item pack will be run as code by the Game Boy. For convenience reasons, the community chose to start at item 3. If this doesn't make much sense, think of this:

Item slot   Its purpose
1           None for this glitch.
2           None either.
3           This is the first item that will be run as code. As such, this is the first item in a "setup".
4           In the same way, this is the second item of a setup.
5 onwards   You get the point.

Since items 1 and 2 usually don't matter, they are usually ws m and another item.

The setup you're trying here is special, because it modifies specifically item 2's quantity (for convenience reasons it's item #2). So, EVERY SINGLE TIME YOU WANT TO USE WS M:

1. Set up a PC box with the specified Pokémon, number of Pokémon, HP when specified, etc.
2. Set up your inventory.
3. MAKE SURE THE PC BOX YOU SET UP IS YOUR CURRENTLY ACTIVE PC BOX
4. Select ws m, open the "USE / CANCEL" dialog, and press A on "USE".
5. Done!


~~~~~~~~~~~~~~~~~~~~~~

For convenience:

PC setup:
Code:
1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Hitmonlee as the 8th Pokémon in the current PC box                [0xDA8C = 0x2B]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]
Code:
inc d ; $14 = 20 Pokémon in the box
dec h ; h = D9
dec h ; h = D8
dec h ; h = D7
dec h ; h = D6
dec h ; h = D5
dec h ; h = D4
ld b, $2B ; Third item in EU versions
ld l, b
xor c ; Do stuff
xor c
xor c
xor c
xor c
xor c
xor c
xor c
xor c
xor c
ld b, $FF ; Skip the crashing $FF
dec h ; h = D3
nop ; $00 = high byte of the 233 HP ($00E9)
jp [hl]

Bag setup:
Code:
ws m
Item to obtain x255
Poké Ball x43
Revive x3 / Great Ball x53 (any of these two will work)
TM01 x[any qty]
[any items after, who cares]
Code:
inc b ; Poké Ball ($04)
dec hl ; x43 ($2B): hl now points at item 2's quantity
dec [hl] ; Revive ($35)
inc bc ; x3 ($03)
  or
inc bc ; Great Ball ($03)
dec [hl] ; x53 ($35)
ret ; TM01 ($C9)
(Stuff that doesn't matter)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 08:39:58 am
@Parzival there's no "some item etc.".

@asphere
You have to press A twice on ws m, that is: one press to open the "USE / CANCEL" menu, and one more A press to select USE.
If the game locks up at that point or anything, SOMETHING IS WRONG. That means you did trigger the ACE glitch but something in the setup is wrong.


The main principle of ACE is that your item pack will be run as code by the Game Boy. For convenience reasons, the community chose to start at item 3. If this doesn't make much sense, think of this:

Item slot   Its purpose
1           None for this glitch.
2           None either.
3           This is the first item that will be run as code. As such, this is the first item in a "setup".
4           In the same way, this is the second item of a setup.
5 onwards   You get the point.

Since items 1 and 2 usually don't matter, they are usually ws m and another item.

The setup you're trying here is special, because it modifies specifically item 2's quantity (for convenience reasons it's item #2). So, EVERY SINGLE TIME YOU WANT TO USE WS M:

1. Set up a PC box with the specified Pokémon, number of Pokémon, HP when specified, etc.
2. Set up your inventory.
3. MAKE SURE THE PC BOX YOU SET UP IS YOUR CURRENTLY ACTIVE PC BOX
4. Select ws m, open the "USE / CANCEL" dialog, and press A on "USE".
5. Done!


~~~~~~~~~~~~~~~~~~~~~~

For convenience:

PC setup:
Code:
1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Hitmonlee as the 8th Pokémon in the current PC box                [0xDA8C = 0x2B]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]
Code:
inc d ; $14 = 20 Pokémon in the box
dec h ; h = D9
dec h ; h = D8
dec h ; h = D7
dec h ; h = D6
dec h ; h = D5
dec h ; h = D4
ld b, $2B ; Third item in EU versions
ld l, b
xor c ; Do stuff
xor c
xor c
xor c
xor c
xor c
xor c
xor c
xor c
xor c
ld b, $FF ; Skip the crashing $FF
dec h ; h = D3
nop ; $00 = high byte of the 233 HP ($00E9)
jp [hl]

Bag setup:
Code:
ws m
Item to obtain x255
Poké Ball x43
Revive x3 / Great Ball x53 (any of these two will work)
TM01 x[any qty]
[any items after, who cares]
Code:
inc b ; Poké Ball ($04)
dec hl ; x43 ($2B): hl now points at item 2's quantity
dec [hl] ; Revive ($35)
inc bc ; x3 ($03)
  or
inc bc ; Great Ball ($03)
dec [hl] ; x53 ($35)
ret ; TM01 ($C9)
(Stuff that doesn't matter)

Sec, sec, sec... you mean
- 1st item junk
- 2nd item junk
- 3rd item ws m
- 4th item you want 256 of x1
- 5th Poké Ball x43
- 6th Revive x201

You mean I need to start setting items from the 3rd slot????
And about the box, why Hitmonlee now??? You guys told me Kadabra...
Which Pokémon must I use? Hitmonlee, Kadabra or Scyther?????
thanks mate
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on June 26, 2017, 09:04:10 am
No. It's
Item 1: Crap (ws m)
Item 2: Crap (Item you want 256 of)
Item 3: Start Of Code
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 09:06:43 am
No. It's
Item 1: Crap (ws m)
Item 2: Crap (Item you want 256 of)
Item 3: Start Of Code

I got it... it works... finally, OMG, thanks to all now!!!!!!!!


I need to know 2 things at last:

THE ITEM CODE TO CHANGE ID
THE ITEM CODE TO CHANGE OT


@ISSOtm @ 
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 26, 2017, 09:51:11 am
No. It's
Item 1: Crap (ws m)
Item 2: Crap (Item you want 256 of)
Item 3: Start Of Code

Write me all of it, I don't understand what you mean by "start of code".

Don't use Hitmonlee, use Kadabra instead.

So:


1.  20 Pokémon in your PC box
2.  Slowpoke as the 1st Pokémon in the current PC box
3.  Slowpoke as the 2nd Pokémon in the current PC box
4.  Slowpoke as the 3rd Pokémon in the current PC box
5.  Slowpoke as the 4th Pokémon in the current PC box
6.  Slowpoke as the 5th Pokémon in the current PC box
7.  Slowpoke as the 6th Pokémon in the current PC box
8.  Voltorb as the 7th Pokémon in the current PC box
9.  Kadabra as the 8th Pokémon in the current PC box
10. Jolteon as the 9th Pokémon in the current PC box
11. Geodude as the 10th Pokémon in the current PC box
12. Geodude as the 11th Pokémon in the current PC box
13. Geodude as the 12th Pokémon in the current PC box
14. Geodude as the 13th Pokémon in the current PC box
15. Geodude as the 14th Pokémon in the current PC box
16. Geodude as the 15th Pokémon in the current PC box
17. Geodude as the 16th Pokémon in the current PC box
18. Geodude as the 17th Pokémon in the current PC box
19. Geodude as the 18th Pokémon in the current PC box
20. Geodude as the 19th Pokémon in the current PC box
21. Voltorb as the 20th Pokémon in the current PC box
22. Slowpoke as the 1st Pokémon in the current PC box
23. First PC box Pokémon needs to have 233 HP


With the Kadabra setup your items should look like:

Item slot 1: ws m
Item slot 2: Item x (any)
Item slot 3: Poké Ball x43
Item slot 4: Revive x3 / Great Ball x53 (any should work)
Item slot 5: TM01 x[any qty]
Item slot 6+: anything

(This code reduces the quantity of item 2 by 1 each use or to 255 if at 0)

Otherwise, if you used Hitmonlee the place to put the Poké Ball x43 and the items below would be at item 4 (D32B) (which is "the start of the code").
LET ME ASK ANOTHER QUESTION, MAYBE I'LL FIND A SOLUTION... if I use this code
The item code to change trainer ID is:
any item/ws# #m#
any item/ws# #m#
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)
as we are going for an ID of the GF mew, we want 89 lemonades, and 12 repels.

Will it work without the box party, or do I need the box party for it too? Because I think if I'm not able to duplicate and create items, I can get them by encountering the fossil MissingNo. and I'll have all the items. But will it change my ID? Or does it need a perfect box party? Can one of you repeat the box party for the Italian language version?
thanks again and again ...

A box party (which is called the bootstrap code) is usually always needed for ws m, and you should always be on the same box where the box code is. The only way you can avoid using one is if you used ws m with the box party to change the data to something like jp D326, or activated another form of arbitrary code execution that doesn't involve ws m.

Since you're using an Italian, French, German or Spanish Yellow version, the code to change the ID of the player to 22796, the same as GF Mew (meaning you need to catch a new Pokémon/Mew to give it your ID), is instead this:

Item slot 1: any item/ws# #m#
Item slot 2: any item/ws# #m#
Item slot 3: Lemonade x 89
Item slot 4: Repel x 12
Item slot 5: Carbos x 211
Item slot 6: X Accuracy x93
Item slot 7: Water Stone x115
Item slot 8: TM01 x(any)
Item slot 9+: anything
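As an added example (not code from the thread or from any Glitch City project), here is a small Python checker that turns the 20-Pokémon box bootstrap and the bag setups discussed above (ISSOtm's item 2 quantity code and the trainer ID code just given) into bytes, steps the few SM83 opcodes they use, and reports where execution lands and what is written, so a setup can be verified before it is tried on a cartridge. It assumes the addresses the thread itself uses (box data at $DA84, h = $DA when the box code starts, bag item 1's id byte at $D322 so item 3 starts at $D326, player ID at $D35D) and the standard item and species index numbers, with ws m's id taken as $63 as an assumption since slots 1 and 2 are never executed.

```python
"""Checker for the ws m setups in this thread (added example, not code from
the thread or from any Glitch City project).  It turns the PC-box bootstrap
and the bag items into the bytes the game executes, steps the few SM83
opcodes those setups use, and reports where execution lands and what gets
written.  Assumptions, all taken from the thread's own numbers: box data at
$DA84, h = $DA when the box code starts, bag item 1's id byte at $D322 (two
bytes per slot, so item 3 starts at $D326), player ID at $D35D/$D35E."""

BOX_BASE = 0xDA84
BAG_BASE = 0xD322
PLAYER_ID = 0xD35D

# Index numbers used in the thread.  Item ids double as SM83 opcodes and
# TMxx is $C8 + xx.  "ws m" is $63 (assumed; slots 1-2 are never executed).
SPECIES = {"Slowpoke": 0x25, "Voltorb": 0x06, "Hitmonlee": 0x2B,
           "Kadabra": 0x26, "Scyther": 0x1A, "Jolteon": 0x68, "Geodude": 0xA9}
ITEM = {"ws m": 0x63, "Poké Ball": 0x04, "Great Ball": 0x03, "Revive": 0x35,
        "Repel": 0x1E, "Water Stone": 0x22, "Carbos": 0x26, "X Accuracy": 0x2E,
        "Full Heal": 0x34, "Calcium": 0x27, "Lemonade": 0x3E}
ITEM.update({f"TM{n:02d}": 0xC8 + n for n in range(1, 51)})
LD_R_N = {0x06: "b", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}  # ld r, n

def box_bytes(species, first_hp):
    """$DA84..: count, 20 species ids, $FF, first mon's species, HP (big-endian)."""
    ids = [SPECIES[s] for s in species]
    assert len(ids) == 20
    return bytes([20, *ids, 0xFF, ids[0], first_hp >> 8, first_hp & 0xFF])

def bag_bytes(items):
    """Bag slots as (name, quantity) pairs, slot 1 first: id byte, qty byte."""
    return bytes(b for name, qty in items for b in (ITEM[name], qty))

def run(mem, pc, regs, limit=200):
    """Execute from pc until ret (returns None) or jp hl (returns its target),
    plus a disassembly trace.  Any opcode the thread's setups don't use raises."""
    def hl(): return (regs["h"] << 8) | regs["l"]
    def set8(n, v): regs[n] = v & 0xFF
    def set_hl(v): set8("h", v >> 8); set8("l", v)
    def set_bc(v): set8("b", v >> 8); set8("c", v)
    def store(v): mem[hl()] = v & 0xFF
    OPS = {  # one-byte opcodes: mnemonic and effect
        0x00: ("nop", lambda: None),
        0x14: ("inc d", lambda: set8("d", regs["d"] + 1)),
        0x25: ("dec h", lambda: set8("h", regs["h"] - 1)),
        0x04: ("inc b", lambda: set8("b", regs["b"] + 1)),
        0x03: ("inc bc", lambda: set_bc(((regs["b"] << 8) | regs["c"]) + 1)),
        0x2B: ("dec hl", lambda: set_hl(hl() - 1)),
        0x35: ("dec [hl]", lambda: store(mem.get(hl(), 0) - 1)),
        0x68: ("ld l, b", lambda: set8("l", regs["b"])),
        0xA9: ("xor c", lambda: set8("a", regs["a"] ^ regs["c"])),
        0x22: ("ld [hl+], a", lambda: (store(regs["a"]), set_hl(hl() + 1))),
        0x73: ("ld [hl], e", lambda: store(regs["e"])),
    }
    trace = []
    for _ in range(limit):
        op = mem.get(pc, 0)
        if op == 0xC9:
            trace.append("ret")
            return None, trace
        if op == 0xE9:
            trace.append("jp hl")
            return hl(), trace
        if op in LD_R_N:  # two-byte ld r, n: the item's quantity is n
            pc += 1
            regs[LD_R_N[op]] = mem.get(pc, 0)
            trace.append(f"ld {LD_R_N[op]}, ${regs[LD_R_N[op]]:02X}")
        elif op in OPS:
            OPS[op][1]()
            trace.append(OPS[op][0])
        else:
            raise ValueError(f"unhandled opcode ${op:02X} at ${pc:04X}")
        pc += 1
    raise RuntimeError("no ret / jp hl within the step limit")

def bootstrap_landing(eighth_species):
    """Where the box code jumps for a given 8th box slot, and which bag slot
    (if any) begins at that address."""
    box = (["Slowpoke"] * 6 + ["Voltorb", eighth_species, "Jolteon"]
           + ["Geodude"] * 10 + ["Voltorb"])
    mem = {BOX_BASE + i: b for i, b in enumerate(box_bytes(box, 233))}
    regs = dict(a=0, b=0, c=0, d=0, e=0, h=0xDA, l=0)  # h = $DA on entry (assumed)
    target, _ = run(mem, BOX_BASE, regs)
    off = target - BAG_BASE
    return target, (1 + off // 2 if off >= 0 and off % 2 == 0 else None)

def run_bag(items, start_slot=3):
    """Load a bag setup and run it from start_slot's id byte (hl = pc, as jp hl leaves it)."""
    mem = {BAG_BASE + i: b for i, b in enumerate(bag_bytes(items))}
    pc = BAG_BASE + 2 * (start_slot - 1)
    _, trace = run(mem, pc, dict(a=0, b=0, c=0, d=0, e=0, h=pc >> 8, l=pc & 0xFF))
    return mem, trace

# Constructed sample setups taken from the thread (slot 2 is a placeholder).
QUANTITY_SETUP = [("ws m", 1), ("Calcium", 1), ("Poké Ball", 43),
                  ("Revive", 3), ("TM01", 1)]
ID_SETUP = [("ws m", 1), ("Calcium", 1), ("Lemonade", 89), ("Repel", 12),
            ("Carbos", 211), ("X Accuracy", 93), ("Water Stone", 115),
            ("TM01", 1)]

def player_id(mem):
    return (mem.get(PLAYER_ID, 0) << 8) | mem.get(PLAYER_ID + 1, 0)
```

Running `bootstrap_landing("Hitmonlee")` shows why that box did not work: it lands on $D32B, which is not the first byte of any bag slot, while Kadabra lands on $D326, the start of item 3.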
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 26, 2017, 10:00:47 am
No. It's
Item 1: Crap (ws m)
Item 2: Crap (Item you want 256 of)
Item 3: Start Of Code

Write me all of it, I don't understand what you mean by "start of code".

Don't use Hitmonlee, use Kadabra instead.

So:


1.  20 Pokémon in your PC box
2.  Slowpoke as the 1st Pokémon in the current PC box
3.  Slowpoke as the 2nd Pokémon in the current PC box
4.  Slowpoke as the 3rd Pokémon in the current PC box
5.  Slowpoke as the 4th Pokémon in the current PC box
6.  Slowpoke as the 5th Pokémon in the current PC box
7.  Slowpoke as the 6th Pokémon in the current PC box
8.  Voltorb as the 7th Pokémon in the current PC box
9.  Kadabra as the 8th Pokémon in the current PC box
10. Jolteon as the 9th Pokémon in the current PC box
11. Geodude as the 10th Pokémon in the current PC box
12. Geodude as the 11th Pokémon in the current PC box
13. Geodude as the 12th Pokémon in the current PC box
14. Geodude as the 13th Pokémon in the current PC box
15. Geodude as the 14th Pokémon in the current PC box
16. Geodude as the 15th Pokémon in the current PC box
17. Geodude as the 16th Pokémon in the current PC box
18. Geodude as the 17th Pokémon in the current PC box
19. Geodude as the 18th Pokémon in the current PC box
20. Geodude as the 19th Pokémon in the current PC box
21. Voltorb as the 20th Pokémon in the current PC box
22. Slowpoke as the 1st Pokémon in the current PC box
23. First PC box Pokémon needs to have 233 HP


With the Kadabra setup your items should look like:

Item slot 1: ws m
Item slot 2: Item x (any)
Item slot 3: Poké Ball x43
Item slot 4: Revive x3 / Great Ball x53 (any should work)
Item slot 5: TM01 x[any qty]
Item slot 6+: anything

(This code reduces the quantity of item 2 by 1 each use or to 255 if at 0)

Otherwise, if you used Hitmonlee the place to put the Poké Ball x43 and the items below would be at item 4 (D32B) (which is "the start of the code").
LET ME ASK ANOTHER QUESTION, MAYBE I'LL FIND A SOLUTION... if I use this code
The item code to change trainer ID is:
any item/ws# #m#
any item/ws# #m#
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)
as we are going for an ID of the GF mew, we want 89 lemonades, and 12 repels.

Will it work without the box party, or do I need the box party for it too? Because I think if I'm not able to duplicate and create items, I can get them by encountering the fossil MissingNo. and I'll have all the items. But will it change my ID? Or does it need a perfect box party? Can one of you repeat the box party for the Italian language version?
thanks again and again ...

A box party (which is called the bootstrap code) is always needed for ws m, and you should always be on the same box where the box code is.

Since you're using an Italian, French, German or Spanish Yellow version, the code to change the ID of the player to 22796, the same as GF Mew (meaning you need to catch a new Pokémon/Mew to give it your ID), is instead this:

Item slot 1: any item/ws# #m#
Item slot 2: any item/ws# #m#
Item slot 3: Lemonade x 89
Item slot 4: Repel x 12
Item slot 5: Carbos x 211
Item slot 6: X Accuracy x93
Item slot 7: Water Stone x115
Item slot 8: TM01 x(any)
Item slot 9+: anything

I got it... it works... finally, OMG, thanks to all now!!!!!!!!


I need to know 2 things at last:

THE ITEM CODE TO CHANGE ID: you already gave it to me, I tried it before and it works fine; please tell me how to get my own old ID back
THE ITEM CODE TO CHANGE OT

THANKS :D
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 26, 2017, 10:47:43 am
Quote
THE ITEM CODE TO CHANGE ID: you already gave it to me, I tried it before and it works fine; please tell me how to get my own old ID back

Sadly you need to have remembered your old ID to do that but if you know it (check an old Pokémon) let me know and I can give you the code. :)

Quote
THE ITEM CODE TO CHANGE OT

OK, I've prepared one for the Italian, French, German and Spanish versions for you:

Item in slot 1: any item/ws# #m#
Item in slot 2: any item/ws# #m# (one of these has to be ws# #m#)
Item in slot 3: TM50 x 185
Item in slot 4: TM10 x 64
Item in slot 5: TM34 x 92
Item in slot 6: TM09 x 4
Item in slot 7: X Accuracy x43
Item in slot 8: Full Heal x46
Item in slot 9: Calcium x52
Item in slot 10: TM01 x anything
Item in slot 11+: anything


Code to place at D326 and below for testing in a memory editor:

FA B9 D2 40 EA 5C D1 04 2E 2B 34 2E 27 34 C9


To use it prepare a Pokémon named "GF" in party slot 1 and use ws m three times.

If you want to change it back after getting Mew, change item 3's quantity back to 185 and item 5's quantity back to 92 (this code changes them so it knows which letter you're on), prepare a Pokémon named (Your name) in slot 1, and use ws m for (your name length+1) times.

Hope this works!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 27, 2017, 11:46:29 am
Thanks... can you please tell me the item code for how I catch all Pokémon? And how must I use it? Because if I must use this:
- ws m
- Item to morph x(any) (better 1)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want, http://glitchcity.info/biglist.htm)
- TM01 x(any)
but where will I find the Pokémon if I use the decimal number?
Thanks again
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on June 27, 2017, 03:10:19 pm
Quote
Thanks... can you please tell me the item code for how I catch all Pokémon? And how must I use it? Because if I must use this:
- ws m
- Item to morph x(any) (better 1)
- X Accuracy x36
- Carbos x211
- Max Revive x(decimal index number of the item you want, http://glitchcity.info/biglist.htm)
- TM01 x(any)
but where will I find the Pokémon if I use the decimal number?
Thanks again
https://jpst.it/10wNt (Catch any pokemon)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 27, 2017, 06:41:17 pm
Quote
https://jpst.it/10wNt (Catch any pokemon)

Does this work for the Italian version?
And when I use ws m, where will I get the Pokémon??? Can you explain, please?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: TheSixthItem on June 28, 2017, 12:52:30 am
Quote
Does this work for the Italian version?
And when I use ws m, where will I get the Pokémon??? Can you explain, please?
Yes, this works for EU versions. To execute this you use ws m and then you enter a battle with the Pokémon when you close the menu.
Title: Encounter Random Pokemon/Trainer
Post by: Epsilon on June 29, 2017, 07:06:31 am
Encounter random Pokemon or trainer

This code, when used, will encounter a completely random Pokémon or Trainer.

8f
Any Item xAny Qnty
Poke Ball x250
TM11 x255
TM34 x89
TM08 x201

Code:
inc b ; Useless Filler
ld a,($ffd3) ; Put a random number into a
ld ($d059),a ; force encounter with a
ret ; "It's first grade, Spongebob"

Save your game before using it; there's a chance you'll encounter a ZZAZZ trainer or a game-crashing Pokémon.
Enjoy!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on June 29, 2017, 08:00:20 am
Notice: the above code depends on the last Trainer you fought for the level of the opposing Pokémon / the opposing Trainer's roster ID.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 29, 2017, 01:03:40 pm
Quote
To use it prepare a Pokémon named "GF" in party slot 1 and use ws m three times.

If you want to change it back after getting Mew, change item 3's quantity back to 185 and item 5's quantity back to 92 (this code changes them so it knows which letter you're on), prepare a Pokémon named (Your name) in slot 1, and use ws m for (your name length+1) times.
I tried it but I got only half the name... must I refill all the items each time I use ws m, or just at the start? Can you explain it to me better, please?
Then I have to ask how I can return to my original ID. I know I must change the number of Repel and Lemonade; can you tell me how many? (My original ID was 13579):
Item slot 1: any item/ws# #m#
Item slot 2: any item/ws# #m#
Item slot 3: Lemonade x (xx)
Item slot 4: Repel x (xx)
Item slot 5: Carbos x 211
Item slot 6: X Accuracy x93
Item slot 7: Water Stone x115
Item slot 8: TM01 x(any)
Item slot 9+: anything

And last question... is it possible to change the ID in Pokémon Silver (Gen 2)? Thanks :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Evie the Mother Hen ☽ ❤ on June 29, 2017, 01:38:17 pm
Each time you use ws m, it adds a letter from the first Pokémon's name. So if it was "GF", you would have to use it once to add the "G", a second time to add the "F" and a third time to add the name terminator. You don't have to change the original items in that code as the code will change itself.

For the ID 13579 in the ID changing code, you need Lemonade x53 and Repel x11.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 29, 2017, 03:51:38 pm
Quote
Each time you use ws m, it adds a letter from the first Pokémon's name. So if it was "GF", you would have to use it once to add the "G", a second time to add the "F" and a third time to add the name terminator. You don't have to change the original items in that code as the code will change itself.

For the ID 13579 in the ID changing code, you need Lemonade x53 and Repel x11.
OK, I understand, I succeeded, thanks.
And about the question: is it possible to change the ID in Pokémon Silver (Gen 2)? Is it possible to do it?
Thanks :)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on June 30, 2017, 02:03:48 pm
Quote
Yes, this works for EU versions. To execute this you use ws m and then you enter a battle with the Pokémon when you close the menu.
When I use this item I find a Pokémon at Lv. 0; can you help me find one at Lv. 30 or so?
Quote
Each time you use ws m, it adds a letter from the first Pokémon's name. So if it was "GF", you would have to use it once to add the "G", a second time to add the "F" and a third time to add the name terminator. You don't have to change the original items in that code as the code will change itself.

For the ID 13579 in the ID changing code, you need Lemonade x53 and Repel x11.

Can you tell me if it is possible to change the ID in Pokémon Silver (Gen 2)? Thanks
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on June 30, 2017, 03:03:14 pm
Quote
When I use this item I find a Pokémon at Lv. 0; can you help me find one at Lv. 30 or so?

ISSOtm said something about it depending on the last trainer you fought. However when I use that code on Red, depositing or withdrawing a Pokémon into a box changes the lvl 0 to whatever the lvl of the Pokémon I put in or take out of the box. Worth a try I guess. Make sure you don't mess up your bootstrap box or forget to switch back to it if you do that on Yellow though.

Quote
Can you tell me if it is possible to change the ID in Pokémon Silver (Gen 2)? Thanks

There seem to be ways of arbitrary code execution on some Gen 2 games. But I know very little of that and I'm not sure this is the right thread to discuss Gen 2.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 01, 2017, 10:48:27 am
Quote
When I use this item I find a Pokémon at Lv. 0; can you help me find one at Lv. 30 or so?

ISSOtm said something about it depending on the last trainer you fought. However when I use that code on Red, depositing or withdrawing a Pokémon into a box changes the lvl 0 to whatever the lvl of the Pokémon I put in or take out of the box. Worth a try I guess. Make sure you don't mess up your bootstrap box or forget to switch back to it if you do that on Yellow though.
IIRC, the level of the Pokémon you obtain will be based on:
- The level of the last wild Pokémon you fought (if your last fight was against a wild Pokémon)
- The roster ID of the last Trainer you fought (otherwise)
- 0 if you didn't fight since you last started up the game

Quote
Can you tell me if it is possible to change the ID in Pokémon Silver (Gen 2)? Thanks

There seem to be ways of arbitrary code execution on some Gen 2 games. But I know very little of that and I'm not sure this is the right thread to discuss Gen 2.
Indeed. There are a bunch of different ACE exploits, but I can't tell much more (I forgot lol).


Also please, asphere, stop quoting huge posts, I think you should remove the innermost posts. It can get pretty annoying :P
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on July 01, 2017, 03:17:48 pm
How can I insert this symbol in the nickname of a Pokémon I catch in Yellow? The symbol is '
I want to rename a Pokémon with an apostrophe; how can I do that? Because when I transfer it to Pokémon Moon its name changes to FARFETCH D, all uppercase without the ', while the other 150 Pokémon I transferred changed their names correctly, with the first letter uppercase and the other letters lowercase.
Can you help me with this?
Thanks
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: asphere on July 02, 2017, 03:52:15 am
Quote
Maybe someone finds a use for this. This code maxes out stat exp and DVs for all stats of the first Pokémon in the current PC box. It uses an absolute address and works only for the European versions of the game, but has only been tested using the German version.

It does use copious amounts of throwaway inc b instructions to make expressing it in items easier, so there's a good chance it can be optimized in size or require less items with high quantities.

Code:
; In C without throwaway increments:
; a = 0xb8;
; h = 0xda;
; l = 0xac;
; do {
;     *((h << 8) | l) = 0xff;
;     l++;
; } while (l != a);

ld a, $b8    ; 3E B8
ld h, $da    ; 26 DA
ld l, $ac    ; 2E AC

ld (hl), $ff ; 36 FF
inc b        ; 04, throwaway (Poké Ball)
inc l        ; 2C
inc b        ; 04, throwaway (Poké Ball)

cp l         ; BD
jr nz, $f8   ; 20 F8
inc b        ; 04, throwaway (Poké Ball)
ret          ; C9

Or expressed in items:
  • Lemonade x184 (3E B8)
  • Carbos x218 (26 DA)
  • X Accuracy x172 (2E AC)
  • Max Revive x255 (36 FF)
  • Poké Ball x44 (04 2C: inc b, inc l)
  • Poké Ball x189 (04 BD: inc b, cp l)
  • Fire Stone x248 (20 F8)
  • Poké Ball x201 (04 C9: inc b, ret)

works only for the European versions of the game, but has only been tested using the German version.

To convert from a DE/FR/IT/ES WRAM address to an EN one, subtract 5.

To have a shiny Pokémon when I transfer it from Pokémon Yellow to Gen 7, must I use this code, or is it different for the Italian version?
PS: I don't know what "subtract 5" means xD. Can you tell me the right item code?
Thanks

Edit: I found this code on YouTube but it doesn't work for the ITA version https://www.youtube.com/watch?v=5uDQLUi0ZEo&t=44s

thanks
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 02, 2017, 08:31:26 am
Memory-wise, all EU versions are the same. So use the code eironeia posted, it will work.
"Subtracting 5" means "Subtract 5 from the absolute address". If you don't understand that learn GBz80 ASM lol :p

Furthermore, this code will not turn a Pokémon shiny. Just max out its DVs.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Epsilon on July 03, 2017, 07:47:03 am
Rebattle Mewtwo

This code will force Mewtwo to reappear in Cerulean cave if you have already fought him. This can be used an infinite number of times for infinite Mewtwos.

8f
any item xany qnty
Lemonade x1
Soda Pop x4
Thunderstone x95
TM16 x119
TM34 x192
TM13 x201

Code:
ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return

Sorry for longevity, I tried my best to avoid duplicate/glitch items. Enjoy!
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Skeef on July 05, 2017, 12:09:00 pm
Rebattle Mewtwo

Code:
ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return

You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

Code:
inc b ;junk
dec hl ;hl is now D321, that's item 2's quantity identifier.
dec (hl) ; decrease the quantity of (hl) by 1.
ret
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 05, 2017, 01:07:11 pm
It's indeed possible but I find it tedious. Personally I prefer to stick to non-zero quantities.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: GoldenPikachu on July 08, 2017, 10:35:56 am
Does this work on the Spanish version of Yellow? I got ws m and did the setup but it doesn't work
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: forsyz on July 24, 2017, 11:04:10 pm
Trying to change a Pokémon's item address with ws m. I'm using this by Torchickens; I have the bootstrap and items correct but the Pokémon's item is still a berry when I see it on the trade.
Item 3: Lemonade x 217
Item 4: Carbos x 209
Item 5: X Accuracy x 113
Item 6: Water Stone x 201
(https://image.prntscr.com/image/cPlHyLluSj6ZrxcANjQOXQ.png)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: natanelho on July 25, 2017, 08:40:20 am
Quote
You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

Code:
inc b ;junk
dec hl ;hl is now D321, that's item 2's quantity identifier.
dec (hl) ; decrease the quantity of (hl) by 1.
ret
About that code for 0 quantity of item 2: you assume hl contains D322 before the execution; how can you know that?
More general question: what are the states of the registers before using 8F, and do I have to return them to that state for the game to work properly?
Sorry, I'm new to glitching; I did a few codes already, including one that changes item 1's quantity to 0, and it took me 3 items instead of 2 because I didn't know the values of the registers and had to insert the values manually...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on July 25, 2017, 01:43:02 pm
It is D322 because of the bootstrap code.

Remember the execution is done IN YOUR TEAM and you reroute it to item 3 (which is $D322)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: jfb1337 on July 25, 2017, 01:48:12 pm
Yep, the bootstrap code in your party is basically
- set hl to D322
- jump to hl

So in your items code you can always assume hl is D322.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: forsyz on July 25, 2017, 05:38:54 pm
I want a ws m code to change the OT and trainer ID of a Pokémon so Pikachu will still exit its ball when I change the name and trainer ID.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 26, 2017, 05:53:26 am
@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, mainly because of the 6-Pokémon setup.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: natanelho on July 26, 2017, 07:22:35 am
Quote
@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, mainly because of the 6-Pokémon setup.
1. Thanks! I didn't see that for some reason. The question is: did any of the values change since then because of the changed bootstrap? (Yes, you already said that about b; I'm talking about the others)...
2. Lots of 8F code seems to just load some data into registers and s**t happens. Like, how does the catch 'em all code work? It just loads some value into "wCurOpponent", which is the species of the opponent in a wild battle... there is no code to initiate the battle itself.... Lots of item lists are like this: just put the right data in the right spot without calling any function like I would expect... can anybody explain that to me?
3. Where are the in-game functions to write text to the little window on the screen? I wanna write some text easily, without consequences and without having to clear it out, like when I just write tiles to the right place in RAM directly...
4. Is there a code to buy more than 99 items from shops? It would be more convenient than just making those items myself (duping and stuff).
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 26, 2017, 11:05:30 am
1. I don't know. What's consistent, however, is the value of hl, because what most bootstraps essentially do is
Code:
ld hl, $D322
jp [hl]
(Most is actually "all but the glitched 3-Pokémon setup")

2. That's because codes interface with the game's engine. The way wCurOpponent works in the overworld is: if, on one frame in the overworld, this value is non-zero, the game starts a battle with wCurOpponent as the opponent's ID. Thus, we write to that address, close the menu, and on the overworld frame that follows the menu's closing, the game starts the battle.

3. There are but OH BOY IT'S s**t. This game's text engine is a NIGHTMARE. I'd have to look back a bit at it (I had researched it for my SRAM hack), because it's very not obvious what you have to do. Give me a moment. A long one.

4. There's none, because the game's programming doesn't allow going past 99 ($63) items. Using DMA hijacking it may actually be possible, but good luck on this one.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: natanelho on July 27, 2017, 05:45:04 am
OK, thanks for the answers! About 2: so it basically uses the way the game was designed? OK, great. Is there a way to actually call a subroutine that starts a battle? It would be fun starting a battle in the middle of a battle... or stuff. IDK..
About 3: so is there an easier way to write text, and then clean it easily? By easily I mean not backing up the tile map and restoring it afterwards...

About the 3-Pokémon bootstrap you mentioned: if it doesn't jp to D322, how does it work then? Or does it just use another rp?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on July 27, 2017, 06:05:36 am
There is a way to start a battle directly, but it's pointless to try nesting battles since the nested battle will overwrite the data for the nesting battle. So you'll end up finishing the nested battle twice.
The 3-Pokémon setup does jump to $D322, but it does so by directly writing the jump instruction, therefore leaving hl pointing at the party count (D1idon'tremember instead of D322)

Actually processing text shouldn't be too hard, you just have to call a proper offset, but figuring out what the hell to do was the hardest thing I ever did in this game.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Marv231 on August 10, 2017, 03:49:31 am
I use this S7 setup on my German Blue version for Catch 'em all.
But instead of encountering a Mew, Level 5, it adds 5 Calcium at the end of my inventory.

S7
Any Item (I have an Ultra Ball there)
Repel x21 (index no. for Mew)
Awakening x5
X Speed x69
Lemonade x201

I tried a few other setups that I found here, but they have the same effect or do nothing.
Is there a working setup for my game?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Krys3000 on August 10, 2017, 06:57:00 am
Not sure what your code is supposed to be, but it doesn't seem to be what you think.

You can use the standard single-address value changing code to trigger the encounter of a Mew in the grass, but the level is variable.

Modified code for European games is:

Anything
8F
Lemonade x21
X Accuracy x221 (x220 if yellow)
Carbos x207
Poké Ball x119
Cool Water x201

Another solution is the fake Ditto Trick:

Anything
8F
ThunderStone x45
TM05 x4
Max Revive x21
Awakening x8
Max Ether x4
Repel x254 (253 if Yellow)
Poké Ball x25
Lemonade x1
Antidote x119
TM01 xany

Then you'll encounter Mew by going to Route 16 from Celadon and closing the START menu. There's a way to modify it to change the level, I'll try to do that later.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Marv231 on August 10, 2017, 10:18:08 am
Thanks. The Celadon-Route 16 code works fine.


I found another setup where the level is the same as the last seen Pokémon's.
In my case, the level of the Arbok that I took out of the PC to complete my bootstrap.
By leveling Arbok, I can set the level of the Pokémon I'd like to have.

Any Item x (index number of the Pokémon you want)
S7
TM50 x36
TM11 x9
TM34 x94
TM08 x201

After using S7 and closing the menu, the battle with the Pokémon starts.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: DoubleNegative on August 18, 2017, 11:58:53 am
Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on August 18, 2017, 12:21:09 pm
Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.
http://glitchcity.info/wiki/Pok%C3%A9mon_cloning_(Generation_I)
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: DoubleNegative on August 18, 2017, 03:53:41 pm
Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.
http://glitchcity.info/wiki/Pok%C3%A9mon_cloning_(Generation_I)

I found an 8F setup that can be used for cloning. It's way safer than save corruption and also probably faster. Should I post it here?
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: ISSOtm on August 19, 2017, 04:44:38 am
Totally.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: DoubleNegative on August 19, 2017, 08:46:51 am
Easy (ish) cloning:
Prerequisite: box 1 is empty and the Pokémon to clone is in another box. The Pokémon to clone also cannot have any HMs.
You will also need the standard 5 Pokémon 8F setup.

Inventory:
* any item x any
* 8F
* Lemonade x19
* X Accuracy x128    (127 if using Yellow, but then I don't know how ws m works.)
* Carbos x218
* Poké Ball x119
* TM01 x any

Procedure:
* Change to box 1 and use 8F
* Move the Pokémon to clone into box 1
* Release all the Pokémon in box 1 by releasing from the top of the list repeatedly until the box is empty.
* Use 8F again. The box is now filled with unstable hybrids of your Pokémon and 'M (FF)
* Withdraw as many as you want and use the daycare to stabilize the hybrids. They should all stabilize to be the originally deposited Pokémon.

The last step is not necessary if you want to transfer the clones to Sun/Moon. Just transfer the box, toss 18 Lemonade, use 8F, and withdraw the original Pokémon.
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: natanelho on August 20, 2017, 02:20:26 pm
Easy (ish) cloning:
Prerequisite: box 1 is empty and the Pokémon to clone is in another box. The Pokémon to clone also cannot have any HMs.
You will also need the standard 5 Pokémon 8F setup.

Inventory:
* any item x any
* 8F
* Lemonade x19
* X Accuracy x128    (127 if using Yellow, but then I don't know how ws m works.)
* Carbos x218
* Poké Ball x119
* TM01 x any

Procedure:
* Change to box 1 and use 8F
* Move the Pokémon to clone into box 1
* Release all the Pokémon in box 1 by releasing from the top of the list repeatedly until the box is empty.
* Use 8F again. The box is now filled with unstable hybrids of your Pokémon and 'M (FF)
* Withdraw as many as you want and use the daycare to stabilize the hybrids. They should all stabilize to be the originally deposited Pokémon.

The last step is not necessary if you want to transfer the clones to Sun/Moon. Just transfer the box, toss 18 Lemonade, use 8F, and withdraw the original Pokémon.
Can you please write the asm code? I really don't understand why people don't do it... It's very easy to do, pretty useful for those who want to know what exactly it does, and it doesn't do any harm to anyone...
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item
Post by: Parzival on August 20, 2017, 03:44:24 pm
Can you please write the asm code? I really don't understand why people don't do it... It's very easy to do, pretty useful for those who want to know what exactly it does, and it doesn't do any harm to anyone...
He... did.
The item script is LITERALLY GBz80 ASM.
It's a simple conversion with ISSOtm's converter, which can be found in the "Useful Tools" section of the sidebar, or here (http://glitchcity.info/wiki/GBz80%20to%20Items).
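To make Parzival's point concrete, here is an added example (not code from the thread, and not ISSOtm's converter) that lays DoubleNegative's cloning item list out as the bytes the bag stores, disassembles them, and traces what the code does. It assumes, from memory of the Red/Blue disassembly rather than from anything in the posts, that the bag's item IDs and quantities start at $D31E, that the standard 5 Pokémon setup makes 8F start executing at the third item slot ($D322), that the item IDs used here (Lemonade 0x3E, X Accuracy 0x2E, Carbos 0x26, Poké Ball 0x04, TM01 0xC9) are the Red/Blue values, and that $DA80 is the current box's Pokémon count (wNumInBox).

```python
# Added example for this thread, not code from the posts or from ISSOtm's
# GBz80-to-items converter.  It spells the cloning item list out as the bytes
# the bag stores and disassembles them, showing that the items ARE the asm.
# Assumptions (from memory of the Red/Blue disassembly, not stated in the post):
#   - the bag starts at $D31D (count) with item IDs/quantities from $D31E;
#   - the standard 5 Pokémon setup makes 8F start executing at the third
#     item slot, i.e. $D322;
#   - $DA80 holds the current box's Pokémon count (wNumInBox).
# Item IDs are Red/Blue values from the Gen I item table (also assumed).

BAG_ITEMS_START = 0xD31E
CODE_START = BAG_ITEMS_START + 2 * 2   # third slot: $D322

ITEM_ID = {
    "Poke Ball": 0x04,
    "Carbos": 0x26,
    "X Accuracy": 0x2E,
    "Lemonade": 0x3E,
    "8F": 0x5D,
    "TM01": 0xC9,
}

# Opcode -> (mnemonic template, immediate byte count).  Only the opcodes this
# setup needs plus the two absolute-address load/store forms common in 8F scripts.
OPCODES = {
    0x04: ("inc b", 0),
    0x26: ("ld h,${imm:02X}", 1),
    0x2E: ("ld l,${imm:02X}", 1),
    0x3E: ("ld a,${imm:02X}", 1),
    0x77: ("ld (hl),a", 0),
    0xC9: ("ret", 0),
    0xEA: ("ld (${imm:04X}),a", 2),
    0xFA: ("ld a,(${imm:04X})", 2),
}


def clone_setup(lemonade_qty=19):
    """The post's item list from the third slot onward (the executed part)."""
    return [
        ("Lemonade", lemonade_qty),
        ("X Accuracy", 128),
        ("Carbos", 218),
        ("Poke Ball", 119),
        ("TM01", 1),   # its quantity is never executed: TM01's ID is `ret`
    ]


def items_to_bytes(setup):
    """Lay the (item, quantity) pairs out exactly as the bag stores them."""
    out = bytearray()
    for name, qty in setup:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)


def disassemble(code, base=CODE_START):
    """Decode until `ret`; returns [(address, mnemonic), ...]."""
    lines, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode ${op:02X} at ${base + pc:04X} not in table")
        text, n = OPCODES[op]
        imm = int.from_bytes(code[pc + 1:pc + 1 + n], "little") if n else 0
        lines.append((base + pc, text.format(imm=imm)))
        pc += 1 + n
        if op == 0xC9:
            break
    return lines


def trace_store(code):
    """Interpret just enough GBz80 to find the `ld (hl),a` store.
    Returns (address, value), or None if the code returns without storing."""
    reg = {"a": 0, "b": 0, "h": 0, "l": 0}
    target = {0x3E: "a", 0x2E: "l", 0x26: "h"}
    store, pc = None, 0
    while pc < len(code):
        op = code[pc]
        if op in target:                      # ld r,imm8
            reg[target[op]] = code[pc + 1]
            pc += 2
        elif op == 0x04:                      # inc b: harmless filler (Poke Ball's ID)
            reg["b"] = (reg["b"] + 1) & 0xFF
            pc += 1
        elif op == 0x77:                      # ld (hl),a
            store = ((reg["h"] << 8) | reg["l"], reg["a"])
            pc += 1
        elif op == 0xC9:                      # ret
            break
        else:
            raise ValueError(f"opcode ${op:02X} not modelled")
    return store


if __name__ == "__main__":
    for qty in (19, 1):
        code = items_to_bytes(clone_setup(qty))
        print(f"Lemonade x{qty}: {code.hex(' ')}")
        for addr, mnem in disassemble(code):
            print(f"  ${addr:04X}  {mnem}")
        print("  writes", trace_store(code))
```

With Lemonade x19 the payload reads `ld a,$13 / ld l,$80 / ld h,$DA / inc b / ld (hl),a / ret`, a single store of 19 to $DA80. If that address is wNumInBox as assumed, the game is told the emptied box holds 19 entries, which is why it then shows up full of hybrids; tossing 18 Lemonade turns the first instruction into `ld a,$01`, so the same code writes 1 and only the original Pokémon is listed. Quantities are the operands, so the converter on the wiki is doing nothing more than this mapping in reverse.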
Title: Re: Arbitrary code execution in Red/Blue using the "8F" item