Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 404713 times)


luckytyphlosion

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #150 on: March 01, 2015, 02:00:36 pm »
Posting this here since it seems like it's worth it:

http://gameboy.mongenel.com/asmschool.html is a website that teaches you the basics of GBZ80. However, it's incomplete, so there isn't every important thing about Game Boy Programming in the tutorial. Still, it's good for learning the basic gb opcodes to make simple arbitrary code hacks.

rortik

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #151 on: March 02, 2015, 06:37:14 am »
After seeing all the problems with 8F... I think I'll stick to Yellow.

Anyway, with the (fairly) new 3DS exploit allowing me to run GBC games, I now have a working mobile version of Pokemon Yellow again, and am going to try to do some research on the crazy glitch items Yellow has to offer. I don't like emulators on computers.


With ws m, once you've got the following setup:

Anything x [XX] (index number) <-- Slot 1 of inventory
[blank. Not used. I've put ws m here]
TM 50 x 30
TM 11 x 04
TM 34 x 88
TM 08 x 201

You can run into anything you like, based on the number of items you have in Slot 1. I just keep a slot of 183x Pokeballs (just a random item I had) for whenever I need to run into a Missingno. to increase my item count. When I need to do this, I use ws m, then before closing the bag swap the TM 08s with whatever I want to dupe... then close the bag, immediately run from the Aerodactyl Missingno., and swap the TM 08s back. Was kind of a pain to set up without cheating, but now it's incredibly quick and easy.

I haven't read through the entire thread, so my apologies if someone already created this particular code. As usual, it looks like I'm far behind the crowd. I'll post back here if I find anything interesting among the glitch items. I'll be first just gettin' em and probably crashing the game a lot, then I'll look at the code for it later. This game is incredibly broken.
~Rortik

FMK

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #152 on: March 04, 2015, 01:55:31 am »
So because I'm crazy and was bored, I decided to figure out how to compress pigdevil2010's 8F bootstrap into only requiring two Pokemon, as well as making it so you can have anything in slot 1.

Required Party Count: 6
* Slot 2: Tentacool, with 9262 (242E) HP Stat EXP, 8704 (2200) Atk Stat EXP, 9449 (24E9) Def Stat EXP
Slot 3: Venonat

* 54 Dittos, 42 Tentacools, 31 Poliwhirls, 25 Voltorbs, 15 Seels, 8 Pidgeys, 7 Cubones, and 6 Nidoran (F)s need to be killed to reach those exact values.

54 Dittos = 2592 HP, 2592 Atk, 2592 Def
42 Tentacools = 1680 HP, 1680 Atk, 1470 Def
31 Poliwhirls = 2015 HP, 2015 Atk, 2015 Def
25 Voltorbs = 1000 HP, 750 Atk, 1250 Def
15 Seels = 975 HP, 675 Atk, 825 Def
8 Pidgeys = 320 HP, 360 Atk, 320 Def
7 Cubones = 350 HP, 350 Atk, 665 Def
6 Nidoran (F)s = 330 HP, 282 Atk, 312 Def

I'm pretty sure my math is correct, anyways.


Code ends up being
Code:
; Initial hl = D163
$D163 <- 06 ??    || ld b, ??    ; 06 = party count, ?? = slot 1 species (anything)
$D165 <- 18 41    || jr 41       ; pc = D1A8
$D1A8 <- 24       || inc h       ; h = D2
$D1A9 <- 2E 22    || ld l, 22    ; l = 22
$D1AB <- 00       || nop
$D1AC <- 24       || inc h       ; h = D3
$D1AD <- E9       || jp hl       ; pc = D322

rortik

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #153 on: March 05, 2015, 10:17:13 pm »

Quote

Change the enemy species in battle

3E xx EA D7 CF C9

Lemonade x (X)
TM34 x 215
TM07 x 201

Code:
ld a, xx      ; 3E xx: load the new species index xx into a
ld (CFD7), a  ; EA D7 CF: store it to CFD7 (address is little-endian in the bytes)
ret           ; C9


For some reason this one isn't working for me. I just use ws m and nothing happens; it just skips my turn. Using it before battle seems to do nothing too.

I'm not the greatest with this stuff, but it seems like it should work... I'm doing nothing differently than I did with all the other bits of code.
~Rortik
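An added example, not code from any post in this thread: a tiny GB-Z80 interpreter that covers only the opcodes used in FMK's 8F listing above and in the enemy-species item pack quoted in this post, so you can trace where the bootstrap's jp hl lands and what the payload then writes. It assumes Red/Blue's bag item list starts at D31E (making D322 bag slot 3) and uses a made-up Lemonade quantity of 0x15 as the species value.

```python
# Added example (not code from the thread): a tiny GB-Z80 interpreter covering only the
# opcodes the listings above use, to trace where FMK's 8F bootstrap hands off and what
# the "change the enemy species" item pack then writes. All memory bytes are constructed.

def item_bytes(slots):
    # Each bag slot is stored as (item index, quantity); the CPU reads those bytes as code.
    return bytes(v & 0xFF for item, qty in slots for v in (item, qty))

def run(mem, pc, hl, a=0, max_steps=32):
    """Step until jp hl or ret; return (pc, hl, a). Unknown opcodes raise."""
    for _ in range(max_steps):
        op = mem.get(pc, 0x00)
        if op == 0x00:                                    # nop
            pc += 1
        elif op == 0x06:                                  # ld b, n8 (b is unused here)
            pc += 2
        elif op == 0x18:                                  # jr e8: signed, from the next instruction
            e = mem.get(pc + 1, 0)
            pc = (pc + 2 + (e - 0x100 if e >= 0x80 else e)) & 0xFFFF
        elif op == 0x24:                                  # inc h
            hl = (hl + 0x100) & 0xFFFF; pc += 1
        elif op == 0x2E:                                  # ld l, n8
            hl = (hl & 0xFF00) | mem.get(pc + 1, 0); pc += 2
        elif op == 0x3E:                                  # ld a, n8
            a = mem.get(pc + 1, 0); pc += 2
        elif op == 0xEA:                                  # ld (a16), a  (little-endian address)
            mem[mem.get(pc + 1, 0) | (mem.get(pc + 2, 0) << 8)] = a; pc += 3
        elif op == 0xC9:                                  # ret: payload finished
            return pc, hl, a
        elif op == 0xE9:                                  # jp hl: bootstrap hands off
            return hl, hl, a
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {pc:04X}")
    raise RuntimeError("step limit reached")

# FMK's listing: party count 06 at D163, jr 41 at D165, then the stat-exp bytes at D1A8.
FMK_8F = {0xD163: 0x06, 0xD164: 0x00, 0xD165: 0x18, 0xD166: 0x41, 0xD1A8: 0x24,
          0xD1A9: 0x2E, 0xD1AA: 0x22, 0xD1AB: 0x00, 0xD1AC: 0x24, 0xD1AD: 0xE9}

def trace_8f_bootstrap():
    """8F enters with pc = hl = D163; returns where the final jp hl lands."""
    return run(dict(FMK_8F), 0xD163, 0xD163)[0]

def run_species_payload(species=0x15):
    # D322 is bag slot 3 when the item list starts at D31E (Red/Blue); 0x15 is a made-up count.
    mem, start = dict(FMK_8F), trace_8f_bootstrap()
    payload = item_bytes([(0x3E, species), (0xEA, 215), (0xCF, 201)])
    mem.update({start + i: byte for i, byte in enumerate(payload)})
    run(mem, start, start)
    return payload.hex(), mem.get(0xCFD7)
```

Running the trace shows the bootstrap landing on D322 and the three item slots assembling to 3E xx EA D7 CF C9, which writes xx to CFD7 exactly as the quoted listing describes.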

camper

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #154 on: March 05, 2015, 11:19:12 pm »

Quote

Change the enemy species in battle

3E xx EA D7 CF C9

Lemonade x (X)
TM34 x 215
TM07 x 201

Code:
ld a, xx      ; 3E xx: load the new species index xx into a
ld (CFD7), a  ; EA D7 CF: store it to CFD7 (address is little-endian in the bytes)
ret           ; C9


For some reason this one isn't working for me. I just use ws m and nothing happens; it just skips my turn. Using it before battle seems to do nothing too.

I'm not the greatest with this stuff, but it seems like it should work... I'm doing nothing differently than I did with all the other bits of code.

I don't know if that's supposed to work correctly, since iirc items have different effects in battle.

Princess Torchic Owl Lover ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #155 on: March 06, 2015, 11:19:28 am »
You can execute arbitrary code with 8F and ws m from within a battle too.

That code is working for me. But what I did not know is that the enemy Pokémon's palette doesn't change (indicating the species changed) until you use a ball or open and close the Pokémon menu, so it probably worked without you knowing it.

Also ensure that your code starts at item 3 if you are using TheZZAZZGlitch's or Pigdevil2010's item pack bootstrap codes and that you have the relevant stored Pokémon in the current box. I think I may have forgotten to do that in the past even though it may sound obvious.

I don't know if that's supposed to work correctly, since iirc items have different effects in battle.

I know that, at least for one item, the 'in battle' check is part of the item's execution code itself (quoted below), so I'm unsure whether being in battle is entirely relevant, unless you use a code that depends on initial register values (which may differ inside a battle versus outside) or a code that relies on you being in a battle or not:

i.e.
Quote
ItemUseRepelCommon: ; 6005
   ld a,[W_ISINBATTLE]
   and a
   jp nz,ItemUseNotTime

   ld a,b
   ld [$d0db],a
   jp PrintItemUseTextAndRemoveItem
« Last Edit: March 06, 2015, 11:25:27 am by Torchickens »


rortik

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #156 on: March 06, 2015, 08:34:49 pm »
You can execute arbitrary code with 8F and ws m from within a battle too.

That code is working for me. But what I did not know is that the enemy Pokémon's palette doesn't change (indicating the species changed) until you use a ball or open and close the Pokémon menu, so it probably worked without you knowing it.

Also ensure that your code starts at item 3 if you are using TheZZAZZGlitch's or Pigdevil2010's item pack bootstrap codes and that you have the relevant stored Pokémon in the current box. I think I may have forgotten to do that in the past even though it may sound obvious.

I don't know if that's supposed to work correctly, since iirc items have different effects in battle.

I know that, at least for one item, the 'in battle' check is part of the item's execution code itself (quoted below), so I'm unsure whether being in battle is entirely relevant, unless you use a code that depends on initial register values (which may differ inside a battle versus outside) or a code that relies on you being in a battle or not:

i.e.
Quote
ItemUseRepelCommon: ; 6005
   ld a,[W_ISINBATTLE]
   and a
   jp nz,ItemUseNotTime

   ld a,b
   ld [$d0db],a
   jp PrintItemUseTextAndRemoveItem

Yep... It just wasn't updating the sprite/name. It works perfectly.

This is actually a wonderful way to encounter Yellow Missingno. as it doesn't ever have to load the sprite. On the other hand, if you've set up arbitrary code execution it's rather useless, as you can simply run into Fossil/Ghost form.

iirc the only use of Yellow Missingno. is to get stuff like permanent lv 255 hC4 via merging. Agatha Ultima, watch out! I can 6-0 you with hC4!!!

This is also (in my opinion) much better of a method than the Johto Guard Glitch, as it allows you to run into things that the Mew Glitch doesn't.

~Rortik

pigdevil2010

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #157 on: March 09, 2015, 10:01:08 am »
I discovered an even shorter ws m bootstrapping code now.

You must have 11 'mons in the box, which are:
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
(Any 'mon x3)

This method results in this code:
Code:
; Initial hl = DA7F
$DA7F <- 0B    || dec bc
$DA80 <- 3A    || ld a, [hld] ; a = 0B
$DA81 <- 2E 21 || ld l, 21 ; l = 21
$DA83 <- 85    || add a, l ; a = 2C
$DA84 <- 2F    || cpl ; a = D3
$DA85 <- 67    || ld h, a ; h = D3
$DA86 <- 18 10 || jr DA97 ; pc = DA97
$DA97 <- E9    || jp [hl] ; pc = D321

Now it needs only half of what the old one required! :D
« Last Edit: March 09, 2015, 11:11:15 am by pigdevil2010 »

Princess Torchic Owl Lover ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #158 on: March 09, 2015, 10:35:55 am »
Awesome. Thanks for your efforts in always improving the 8F and ws m bootstrap codes, pigdevil. :)
« Last Edit: March 09, 2015, 10:38:57 am by Torchickens »


SwedishDragon

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #159 on: March 10, 2015, 02:13:42 am »
This part:

"Sprite RAM Bug
--------------
There is a flaw in the GameBoy hardware that causes
 trash to be written to OAM RAM if the following commands
 are used while their 16-bit content is in the range
 of $FE00 to $FEFF:

  inc xx     (xx = bc,de, or hl)
  dec xx

  ldi a,(hl)
  ldd a,(hl)

  ldi (hl),a
  ldd (hl),a

 Only sprites 1 & 2 ($FE00 & $FE04) are not affected
 by these instructions."

from http://gameboy.mongenel.com/dmg/gbspec.txt seems interesting; could it be the cause of any glitches? (I indeed do not really know what I am talking about, I just wanted to note it, just in case.)

pigdevil2010

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #160 on: March 10, 2015, 11:29:09 am »
This part:

"Sprite RAM Bug
--------------
There is a flaw in the GameBoy hardware that causes
 trash to be written to OAM RAM if the following commands
 are used while their 16-bit content is in the range
 of $FE00 to $FEFF:

  inc xx     (xx = bc,de, or hl)
  dec xx

  ldi a,(hl)
  ldd a,(hl)

  ldi (hl),a
  ldd (hl),a

 Only sprites 1 & 2 ($FE00 & $FE04) are not affected
 by these instructions."

from http://gameboy.mongenel.com/dmg/gbspec.txt seems interesting; could it be the cause of any glitches? (I indeed do not really know what I am talking about, I just wanted to note it, just in case.)

I think it is not a cause in normal gameplay. Pokémon Gen 1 and 2 always access OAM by DMA transfer and never read/write the data directly from it. There is almost no chance that the 16-bit registers are loaded with that data unless the game increments/decrements them so hard that they fall into that range.

SwedishDragon

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #161 on: March 10, 2015, 11:34:41 am »
oh, ok.

Sherkel

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #162 on: April 01, 2015, 05:51:57 pm »
I'm late to the party, but I just have to pop in and say this is mindblowingly amazing. Great work to everyone who helped discover this. I found the "Pong" injection especially amusing. :D
« Last Edit: April 01, 2015, 05:53:23 pm by Sherkel »


blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #163 on: April 02, 2015, 12:03:21 am »
I'm late to the party, but I just have to pop in and say this is mindblowingly amazing. Great work to everyone who helped discover this. I found the "Pong" injection especially amusing. :D

Nice to see you're alive!  :)

minderr

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #164 on: April 26, 2015, 05:17:25 am »
Hello,
I'm new here. I'm very impressed by what we can do in Pokémon, especially the Pong game.
And I think, instead of writing the code using the bag or the PC inventory (which is long and booooring to set up and code), we could write the code with the keys like in a TAS but with 4 keys only and at a human speed: 4 bits / 1.5 sec or 4 bits / 2 sec. The very limited number of bytes possible in the bootstrap code should be a problem for including a delay. Also, I have almost no experience with asm code (except theoretically) and GB/Pokémon addresses (there is no good tutorial), so I don't really know how to write an efficient bootstrap code.
Help me, please!

edit: I think a bootstrap code isn't what I want to do; I just want to make a code that saves the asm code by modifying the inventory ~_~
« Last Edit: April 26, 2015, 10:29:27 am by minderr »