Topic: Arbitrary code execution in Red/Blue using the "8F" item

Princess Torchic Owl Lover ☽ ❤
  • Head Administrator
  • Gender: Female
  • Aspiring mother. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #105 on: April 15, 2014, 12:55:50 pm »
Pigdevil2010 made a simpler version of the ws m (hex: 63) bootstrap code for Yellow and annotated it. He/she was going to post it on the forums, but had some trouble registering.

Here it is:

Notes: Though it's normally impossible for DA94 (the end-of-list terminator, FF) to be E9, using ws m will change it to this value. This is perfectly safe. The only problem is if you withdrew a Pokémon and DA93 (the 20th Pokémon) was not FF, but this is not possible in normal gameplay.

(You must have exactly 19 Pokémon in the box.)

When you deposit a 20th Pokémon, after using ws m, DA94 gets changed back to FF again.


Pokémon:

Butterfree
Voltorb
Gyarados
Spearow
Golduck
Poliwrath
Voltorb
Pikachu
Clefairy
Golduck
Venomoth
Metapod
Tangela
Nidoking
Haunter
Flareon
Parasect
Growlithe
Voltorb

Which would make the RAM and ASM look like this:
; Initial hl = DA7F
$DA7F <- 13 || inc de
$DA80 <- 7D || ld a, l ; a = 7F
$DA81 <- 06 ||
$DA82 <- 16 || ld b, 16 ; b = 16
$DA83 <- 05 || dec b ; b = 15 (since Mew is unobtainable)
$DA84 <- 80 || add a, b ; a = 94
$DA85 <- 6F || ld l, a ; l = 94
$DA86 <- 06 ||
$DA87 <- 54 || ld b, 54 ; b = 54
$DA88 <- 04 || inc b ; b = 55 (since Raichu is unobtainable in Yellow)
$DA89 <- 80 || add a, b ; a = E9
$DA8A <- 77 || ld (hl), a ; $DA94 <- E9
$DA8B <- 7C || ld a, h ; a = DA
$DA8C <- 1E ||
$DA8D <- 07 || ld e, 7 ; e = 7
$DA8E <- 93 || sub e ; a = D3
$DA8F <- 67 || ld h, a ; h = D3
$DA90 <- 2E ||
$DA91 <- 21 || ld l, 21 ; l = 21
$DA92 <- 06 ||
$DA93 <- FF || ld b, ff ; rst 38 prevention
$DA94 <- E9 || jp (hl) ; finally jumps to $D321!
« Last Edit: April 15, 2014, 01:03:53 pm by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Sex male, and spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

luckytyphlosion
  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #106 on: April 15, 2014, 05:26:46 pm »
Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?

Princess Torchic Owl Lover ☽ ❤
  • Head Administrator
  • Gender: Female
  • Aspiring mother. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #107 on: April 15, 2014, 06:21:23 pm »
Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?

Not possible; you can never rewrite the ROM (read only memory) without doing something like editing it with a hex editor, even though Game Genie makes temporary patches to the ROM. If you try to write to the ROM with w sm, nothing will happen. The Game Boy/machine alone cannot write to ROM.

You can write to VRAM (0x8000-0x9FFF), RAM (0xC000-0xCFFF), WRAM (0xD000-0xFEFF) and RAM (2) (0xFF80-0xFFFF) with wsm (haven't tested 8F on Red/Blue but I imagine things would work the same). Writing to SRAM and I/O apparently didn't work. I've never looked up what I/O is, but I'm a bit surprised at SRAM not being changed; as it is for data that is saved.
« Last Edit: April 15, 2014, 06:24:12 pm by Torchickens »


Nerator
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #108 on: April 15, 2014, 08:40:42 pm »
If you try to write to the ROM with w sm, nothing will happen.
To be perfectly precise, if I'm not mistaken, if you try to write something to ROM0 ($0000-$3FFF), then the game will switch the ROM bank in $4000-$7FFF. For example, if you execute
Code:
ld [$2000],a
then the game will switch to the bank whose number is in register a. For Red/Blue the last bank is $2B I believe; for Yellow it's $3F. Not sure what will happen if we try to write to switchable ROM ($4000-$7FFF), or how it could be used at all.

EDIT:
Actually, what I wrote above is not completely right. For the game to switch banks, we need to write in the $2000-$2FFF area. Also we can switch the RAM banks (switchable RAM is at $A000-$BFFF) by writing in the $4000-$5FFF area. It seems that RAM contains 16 banks (0-F).
EDIT2:
Also I found in the disassembly of Red many attempts to write values to $6000 and $0000, usually 0 or 1. I have no idea what these are for.
« Last Edit: April 15, 2014, 09:18:36 pm by Nerator »

pigdevil2010
  • Member+
  • Gender: Male
  • Welcome to the 40 ERROR.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #109 on: April 16, 2014, 02:46:26 am »
I can finally register! Thanks Torchickens!

So, since I have a shorter bootstrapping code for ws m, here is also my shorter bootstrapping code for 8F.

You must have exactly 5 Pokémon in your party; these are:
Pidgey with 233 HP
Parasect
Onix
Tentacool
Kangaskhan

Which would make the RAM and ASM look like this:
Code:
; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2e ||
$D166 <- 22 || ld l, 22 ; l = 22
$D167 <- 18 ||
$D168 <- 02 || jr 2     ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- e9 || jp hl    ; pc = D322
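As an added example (not code from the thread or its posters), here is a small Python interpreter covering only the Game Boy CPU opcodes that appear in the ws m (Yellow) listing in reply #105 and the 8F listing above, so the landing address and the $DA94 write can be checked on a PC before setting up the box or party in-game. The two bytes at $D169/$D16A that the 8F listing's jr skips are assumed filler here.

```python
# Added example, not from the thread: a tiny interpreter for only the
# SM83 (Game Boy CPU) opcodes used in the two bootstraps, so the jump
# target can be verified before building the party/box in-game.
# Both memory images are constructed from the listings in the posts.
WSM_YELLOW = (0xDA7F, bytes.fromhex(   # hl = $DA7F on entry
    "13 7D 06 16 05 80 6F 06 54 04 80 77 7C 1E 07 93 67 2E 21 06 FF E9"))
# 8F: $D169/$D16A are skipped by "jr 2"; filled with FF/00 here (assumed).
EIGHT_F_RB = (0xD163, bytes.fromhex("05 24 2E 22 18 02 FF 00 24 00 E9"))

def run_bootstrap(start, image, max_steps=64):
    """Run `image` from `start` with hl = start; return (jp target, memory)."""
    mem = {start + i: b for i, b in enumerate(image)}
    r = {"a": 0, "b": 0, "d": 0, "e": 0, "h": start >> 8, "l": start & 0xFF}
    pc = start

    def fetch():                      # read the byte at pc and advance
        nonlocal pc
        v = mem[pc]                   # KeyError means we ran off the image
        pc += 1
        return v

    for _ in range(max_steps):
        op = fetch()
        if op == 0x00: pass                                    # nop
        elif op == 0x13:                                       # inc de
            de = (((r["d"] << 8) | r["e"]) + 1) & 0xFFFF
            r["d"], r["e"] = de >> 8, de & 0xFF
        elif op == 0x04: r["b"] = (r["b"] + 1) & 0xFF          # inc b
        elif op == 0x05: r["b"] = (r["b"] - 1) & 0xFF          # dec b
        elif op == 0x24: r["h"] = (r["h"] + 1) & 0xFF          # inc h
        elif op == 0x06: r["b"] = fetch()                      # ld b, n
        elif op == 0x1E: r["e"] = fetch()                      # ld e, n
        elif op == 0x2E: r["l"] = fetch()                      # ld l, n
        elif op == 0x7C: r["a"] = r["h"]                       # ld a, h
        elif op == 0x7D: r["a"] = r["l"]                       # ld a, l
        elif op == 0x67: r["h"] = r["a"]                       # ld h, a
        elif op == 0x6F: r["l"] = r["a"]                       # ld l, a
        elif op == 0x80: r["a"] = (r["a"] + r["b"]) & 0xFF     # add a, b
        elif op == 0x93: r["a"] = (r["a"] - r["e"]) & 0xFF     # sub e
        elif op == 0x77: mem[(r["h"] << 8) | r["l"]] = r["a"]  # ld (hl), a
        elif op == 0x18:                                       # jr n (signed)
            off = fetch()
            pc = (pc + (off - 0x100 if off > 0x7F else off)) & 0xFFFF
        elif op == 0xE9: return ((r["h"] << 8) | r["l"]), mem  # jp (hl)
        else: raise ValueError(f"opcode {op:02X} at ${pc - 1:04X} not modelled")
    raise RuntimeError("no jp (hl) reached within max_steps")
```

Running `run_bootstrap(*WSM_YELLOW)` lands on $D321 with $DA94 set to E9, and `run_bootstrap(*EIGHT_F_RB)` lands on $D322, matching the comments in both listings.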

Princess Torchic Owl Lover ☽ ❤
  • Head Administrator
  • Gender: Female
  • Aspiring mother. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #110 on: April 16, 2014, 07:49:53 am »
Well done! No more specific remaining PP, or moves.  :D

To get a Pidgey with that much HP at level 100 from being 'fresh' (just Rare Candied), use six HP Ups. This will always give it a max of 237 HP (because HP DVs don't exist in Generation I/II). Five HP Ups will give it 234 HP, but the problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.


pigdevil2010
  • Member+
  • Gender: Male
  • Welcome to the 40 ERROR.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #111 on: April 16, 2014, 08:21:37 pm »
Five HP Ups will give it 234 HP, but problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.
Just make it poisoned, heal it to 234 HP, then walk 4 steps.
« Last Edit: April 16, 2014, 08:23:05 pm by pigdevil2010 »

Princess Torchic Owl Lover ☽ ❤
  • Head Administrator
  • Gender: Female
  • Aspiring mother. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #112 on: April 17, 2014, 04:31:29 am »
Five HP Ups will give it 234 HP, but problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.
Just make it poisoned, heal it to 234 HP, then walk 4 steps.

Oops, I forgot about poison. Thanks for mentioning it.


gskw
  • GCLF Member
  • Do you think my avatar is glitched?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #113 on: April 23, 2014, 01:37:28 am »
When I write Z80 ASM, how do I turn it into hex codes?

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #114 on: April 23, 2014, 12:54:25 pm »
When I write Z80 ASM, how do I turn it into hex codes?

http://iimarck.us/etc/asmopcodes.txt can help, or you can use a compiler and get the compiled result out of the object file.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

gskw
  • GCLF Member
  • Do you think my avatar is glitched?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #115 on: April 25, 2014, 09:36:56 am »
Thanks. I think I'm going to write my own assembler to make stuff easier...

EDIT: The compiler is live online!
« Last Edit: April 27, 2014, 11:33:23 pm by gskw »

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #116 on: April 28, 2014, 03:53:27 am »
Thanks. I think I'm going to write my own assembler to make stuff easier...

EDIT: The compiler is live online!

Heh, thanks. I've been meaning to write one myself actually.

gskw
  • GCLF Member
  • Do you think my avatar is glitched?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #117 on: April 28, 2014, 09:35:46 am »
Why wouldn't we make the code jump into the PC items so we can get more space?

pigdevil2010
  • Member+
  • Gender: Male
  • Welcome to the 40 ERROR.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #118 on: April 28, 2014, 11:17:54 am »
Why wouldn't we make the code jump into the PC items so we can get more space?
Yeah, I once had an idea about doing this too. ;)
« Last Edit: April 28, 2014, 11:20:08 am by pigdevil2010 »

PokeGlitchFanatic
  • GCLF Member
  • Gender: Female
  • Every great thing starts with a miniscule glitch.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #119 on: April 28, 2014, 07:14:02 pm »
Gosh. The first gen was screwed up big time.