Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 409491 times)

Krys3000

  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #330 on: March 27, 2016, 12:04:04 pm »
Oh yeah, sure. So Skeef is right, the reading continues at $DA98 instead of $DA97. Therefore, Nidoran (female) should do the job.

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

technocolor

  • GCLF Member
  • ????????????
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #331 on: March 28, 2016, 12:47:04 am »
So I see 'homebrew' mentioned in the OP ( ͡° ͜ʖ ͡°)
I know the GB and 3DS are completely different, but do you think it'd be possible? It'd probably have to involve 'breaking out' of the VC emulator in order to access SD card data. There's plenty of ways to crash the emulator already, but I haven't seen anyone really bring this up.
Another thing I thought of along the same lines: code execution via secret base in ORAS, like having a QR code set up for a hacked secret base that will run code upon entering it. I'm no programmer though, so maybe I sound ludicrous, but it's been on my mind for a little bit recently and I thought I'd ask.

Krys3000

  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #332 on: March 28, 2016, 06:07:57 am »
Several glitchers from here are thinking about emulator escaping. That would be great, yes; unfortunately I can't help  :(

Alzerek

  • GCLF Member
  • Top percentage of Rattata
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #333 on: March 28, 2016, 11:23:28 pm »
I'm relatively new to this whole arbitrary code execution thing, but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitch's Pong in Pokémon Blue and Torchickens' rewriting of Pallet Town to look like Twinleaf Town. How reasonable would it be to apply those methods of writing arbitrary code in Pokémon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #334 on: March 29, 2016, 11:12:07 am »
Quote from: Alzerek on March 28, 2016, 11:23:28 pm
I'm relatively new to this whole arbitrary code execution thing, but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitch's Pong in Pokémon Blue and Torchickens' rewriting of Pallet Town to look like Twinleaf Town. How reasonable would it be to apply those methods of writing arbitrary code in Pokémon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?

Most of the bootstraps posted here are of course focused on setting up 8F or ws m without using 8F or ws m to do so. But if you already have a working bootstrap, you could use that to make a more compact one if that's what you need. You can for instance change the EVs and IVs of one Pokémon to do what you need them to do.

Something like this:
3 Pokémon (2 might work too, but I don't really know what the BC register does, so loading A into (bc) could do anything)
Tentacool - 9939 HP EV / 11809 Att EV / 59648 Def EV
Pidgey
Any

Code:
; Initial hl = DA7F
$DA7F <- 03    || inc bc
$DA80 <- 18 24 || jr DAA6
$DAA6 <- 26 D3 || ld h, D3 ; h = D3
$DAA8 <- 2E 21 || ld l, 21 ; l = 21
$DAAA <- E9    || jp [hl] ; hl = D321

I hope that's correct and helpful ^.^
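A quick way to check a listing like the one above before building the Pokémon for it is to step through the bytes with a tiny GBz80 tracer. The following is an added example, not code from the thread or from any Glitch City tool: it models only the handful of opcodes these bootstraps use (nop, inc b/bc, ld b/h/l/a with an immediate, inc l, ld (hl), jr, jp (hl), ret), refuses any other byte so a typo cannot be stepped over silently, and treats unlisted addresses as 0x00. The listing data is Skeef's 3-Pokémon ws m bootstrap exactly as posted; the same loader works for any listing written in that "$addr <- bytes" form.

```python
"""Trace a GBz80 bootstrap laid out in RAM and report where control ends up.

Added example for the thread, not code posted by Skeef or anyone else here.
Memory is {address: byte}; addresses not in the listing read as 0x00 (nop),
standing in for the don't-care bytes between the listed addresses.
"""


def load_listing(listing):
    """Turn {start_address: [bytes...]} into a flat {address: byte} map."""
    mem = {}
    for addr, data in listing.items():
        for i, value in enumerate(data):
            mem[(addr + i) & 0xFFFF] = value & 0xFF
    return mem


def trace(listing, start, max_steps=64):
    """Run from `start` until jp (hl) or ret.

    Returns {'end': 'jp (hl)' | 'ret', 'target': jump address or None,
             'writes': {address: byte stored}, 'log': [disassembly lines]}.
    """
    mem = load_listing(listing)
    read = lambda addr: mem.get(addr & 0xFFFF, 0x00)
    pc, a, b, c, h, l = start, 0, 0, 0, 0, 0
    writes, log = {}, []

    for _ in range(max_steps):
        op, imm = read(pc), read(pc + 1)      # imm is only used by 2-byte ops
        hl = (h << 8) | l
        if op == 0x00:                        # nop
            log.append(f"{pc:04X}: nop"); pc += 1
        elif op == 0x03:                      # inc bc
            bc = (((b << 8) | c) + 1) & 0xFFFF
            b, c = bc >> 8, bc & 0xFF
            log.append(f"{pc:04X}: inc bc"); pc += 1
        elif op == 0x04:                      # inc b
            b = (b + 1) & 0xFF; log.append(f"{pc:04X}: inc b"); pc += 1
        elif op == 0x06:                      # ld b, n
            b = imm; log.append(f"{pc:04X}: ld b, {imm:02X}"); pc += 2
        elif op == 0x18:                      # jr e: signed offset from the NEXT instruction
            e = imm - 256 if imm > 127 else imm
            target = (pc + 2 + e) & 0xFFFF
            log.append(f"{pc:04X}: jr {target:04X}"); pc = target
        elif op == 0x26:                      # ld h, n
            h = imm; log.append(f"{pc:04X}: ld h, {imm:02X}"); pc += 2
        elif op == 0x2C:                      # inc l (8-bit, never carries into h)
            l = (l + 1) & 0xFF; log.append(f"{pc:04X}: inc l"); pc += 1
        elif op == 0x2E:                      # ld l, n
            l = imm; log.append(f"{pc:04X}: ld l, {imm:02X}"); pc += 2
        elif op == 0x36:                      # ld (hl), n
            mem[hl] = imm; writes[hl] = imm
            log.append(f"{pc:04X}: ld (hl), {imm:02X}   ; [{hl:04X}]"); pc += 2
        elif op == 0x3E:                      # ld a, n
            a = imm; log.append(f"{pc:04X}: ld a, {imm:02X}"); pc += 2
        elif op == 0x77:                      # ld (hl), a
            mem[hl] = a; writes[hl] = a
            log.append(f"{pc:04X}: ld (hl), a   ; [{hl:04X}] = {a:02X}"); pc += 1
        elif op == 0xC9:                      # ret
            log.append(f"{pc:04X}: ret")
            return {"end": "ret", "target": None, "writes": writes, "log": log}
        elif op == 0xE9:                      # jp (hl)
            log.append(f"{pc:04X}: jp (hl)   ; -> {hl:04X}")
            return {"end": "jp (hl)", "target": hl, "writes": writes, "log": log}
        else:
            raise ValueError(f"unmodelled opcode {op:02X} at {pc:04X}")
    raise RuntimeError("no jp (hl)/ret reached; the listing probably runs off the end")


# Skeef's 3-Pokémon ws m bootstrap, bytes exactly as listed in the post above.
THREE_MON_BOOTSTRAP = {
    0xDA7F: [0x03],            # inc bc
    0xDA80: [0x18, 0x24],      # jr +0x24 -> DAA6
    0xDAA6: [0x26, 0xD3],      # ld h, D3
    0xDAA8: [0x2E, 0x21],      # ld l, 21
    0xDAAA: [0xE9],            # jp (hl)
}


def bootstrap_target(listing=THREE_MON_BOOTSTRAP, start=0xDA7F):
    """Address the bootstrap hands control to (the post's initial hl is DA7F)."""
    return trace(listing, start)["target"]


if __name__ == "__main__":
    result = trace(THREE_MON_BOOTSTRAP, 0xDA7F)
    print("\n".join(result["log"]))
    print(f"control passes to {result['target']:04X}")
```

The jr check is the one worth having: the offset counts from the byte after the two-byte instruction, so a listing that is off by one lands on a stray byte and the tracer reports it instead of quietly continuing.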

Alzerek

  • GCLF Member
  • Top percentage of Rattata
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #335 on: March 29, 2016, 02:19:03 pm »
Ah yes, that's exactly what I was looking for! I did the basic "simple" setup with the 6 Slowpokes and 10 Geodudes, but it didn't cross my mind to use ws m to make the Pokémon for a smaller bootstrap. Thanks!

Edit: The only thing that's unclear to me at this point is rewriting those triggered events like the map pointer of Pallet Town in order to get the box code to execute.
« Last Edit: March 29, 2016, 02:20:52 pm by Alzerek »

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #336 on: March 30, 2016, 07:26:40 am »
Finally managed to test the ws m bootstraps. I can now confirm that Nidoran (female) instead of Nidoqueen works.
Also tested my 3-Pokémon ws m bootstrap. Also works. :D

So that makes:

11 Pokémon in active box:
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoran (female) <--- instead of Nidoqueen
any
any
any

And a mini tutorial to make the Tentacool for the 3-Pokémon bootstrap:

Having Tentacool as the first Pokémon in the party requires changing these addresses to these values.
Address - Hex - (Decimal)
$D17B - 26 - (38)
$D17C - D3 - (211)
$D17D - 2E - (46)
$D17E - 21 - (33)
$D17F - E9 - (233)

Turned that into an item list based on Wack0's template (starting at $D17F):

ITEM LIST (starting from the first slot):
ws m
Any
Lemonade x233 <-- change this to match the numbers in the brackets for different addresses.
X Accuracy x127 (-1 for each address)
Carbos x209
Poké Ball x119
TM01 x any <-- for sale in the Celadon Dept. Store

Krys3000

  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #337 on: March 30, 2016, 12:58:16 pm »
Nice job, Skeef! Maybe we can ask a wiki contributor to correct the mistake.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #338 on: April 05, 2016, 10:36:32 am »
Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.
« Last Edit: April 05, 2016, 10:45:09 am by ISSOtm »
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #339 on: April 06, 2016, 12:48:53 pm »
I did something... This has interested me for some time now.

http://forums.glitchcity.info/index.php/topic=6638.msg196498#msg196498

First thing I thought when I read it was "Why not use the daycare as a bootstrap?" So that's what I tried ^.^
Since the daycare data is not set back to 0 when you take out a Pokémon, my idea was to use 8F to make a Pokémon I could put in and take back out instantly, loading its data into the addresses. But since the daycare has the nickname and OT of the Pokémon first, this proved to be... difficult.
The next idea was maybe I could just use Wack0's code to insert the values into the addresses directly. This could work, but it kind of rules out using the daycare, since then you'd have to re-insert the data.
And then I realised I could combine the ideas! Instead of running a code made with items... run a code made with a Pokémon! In other words, using 8F to make a Pokémon which, when using 8F, inserts the data into the addresses! This fixes the first problem because we are not putting a Pokémon directly into the daycare. And should you ever want to use the daycare again, after you are done you can simply take the pre-made Pokémon out of the box and re-run 8F.
So here is what I worked out.

The Pokémon list:
6 Pokémon
any
Tentacool <- jumping powers!
Wigglytuff <- the actual pokémon
any
any
any

Wigglytuff specifications:
Move 2 - Roar (2E)
Move 3 - Leech Seed (49)
Move 4 - Double-Edge (26)
ID: 55862 - (DA 36)
XP: 2,501,686 - (26 2C 36)
HP EV: 54060 - (D3 2C)
Att EV: 13870 - (36 2E)
Def EV: 11318 - (2C 36)
Spd EV: 8748 - (22 2C)
Spec EV: 14057 - (36 E9)
Att, Def IVs: 12, 9 - (C9)

Which translates to the following asm:
Code:
; Initial hl = D163
$D163 <- 06 xx || ld b, XX
$D165 <- 18 65 || jr D1CC
$D1CC <- 2E 49 || ld l, 49 ; l=49
$D1CE <- 26 DA || ld h, DA ; h=DA
$D1D0 <- 36 26 || ld (hl), 26
$D1D2 <- 2C    || inc l ; l=4A
$D1D3 <- 36 D3 || ld (hl), D3
$D1D5 <- 2C    || inc l ; l=4B
$D1D6 <- 36 2E || ld (hl), 2E
$D1D8 <- 2C    || inc l ; l=4C
$D1D9 <- 36 22 || ld (hl), 22
$D1DB <- 2C    || inc l ; l=4D
$D1DC <- 36 E9 || ld (hl), E9
$D1DE <- C9    || ret

In other words, it loads the following values into the following addresses:
DA49 <- 26
DA4A <- D3
DA4B <- 2E
DA4C <- 22
DA4D <- E9

Now you may have noticed that -gm starts reading at $DA47, but I start putting in data at $DA49, 2 addresses later.
Here's the first 2:
$DA47 is Safari Balls; this gets set to 0 when you get the "PA: ding dong" but stays at whatever amount you have left should you leave early.
$DA48 is whether the daycare is in use or not; this is 0 when there is no Pokémon in the daycare.
In other words they do nothing. :D And there you have it. The -gm bootstrap is set up! Without needing any specific party or active box!

Code:
; Initial hl = DA47
$DA47 <- 00    || nop
$DA48 <- 00    || nop
$DA49 <- 26 D3 || ld h, D3 ; h=D3
$DA4B <- 2E 22 || ld l, 22 ; l=22
$DA4D <- E9    || jp [hl] ; hl = D322

Note: The daycare addresses used here are used to store the Pokémon's name. But none of the values inserted correspond to an actual letter. I have no idea if that's safe or harmful for a save file. (I felt I needed to mention that  :P)
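The trick in the post above is that the party region of WRAM is just a byte array, so a Pokémon's stats are its code. The following is an added example, not Skeef's code or anything from the pokered project: it lays out the Gen 1 party area (count at D163, species list at D164 with an FF terminator, then one 44-byte structure per Pokémon from D16B, with multi-byte numbers stored big-endian) from ordinary stat values, and reads back the 19 bytes from Wigglytuff's move 2 to its Att/Def IV byte to show they are the listing. The species indices 0x18 (Tentacool) and 0x65 (Wigglytuff) are the `18 65` of the `jr`; the "any" slots are filled with an arbitrary constructed species.

```python
"""Build the Red/Blue party region from Pokémon stats and read the code bytes back.

Added example for the thread, not code posted by Skeef. Offsets follow the
44-byte Gen 1 party structure: species, HP(2), level, status, 2 types, catch
rate, 4 moves, OT ID(2), exp(3), HP/Att/Def/Spd/Spc EVs (2 each), 2 IV bytes,
4 PP bytes, level, 5 stats (2 each). Fields the bootstrap never reads stay 0.
"""

PARTY_COUNT_ADDR = 0xD163
PARTY_SPECIES_ADDR = 0xD164      # up to 6 species bytes, then an FF terminator
PARTY_DATA_ADDR = 0xD16B         # first 44-byte structure; mon N is 44*N later
MON_SIZE = 44

# Gen 1 internal indices used in the post: 0x18 Tentacool, 0x65 Wigglytuff.
TENTACOOL, WIGGLYTUFF = 0x18, 0x65
FILLER = 0x01                    # constructed "any" slot; only its position matters


def encode_mon(species, moves=(0, 0, 0, 0), ot_id=0, exp=0,
               evs=(0, 0, 0, 0, 0), ivs=(0, 0, 0, 0), level=1):
    """Return the 44-byte structure for one party Pokémon."""
    if len(moves) != 4 or len(evs) != 5 or len(ivs) != 4:
        raise ValueError("need 4 moves, 5 EVs (hp, att, def, spd, spc) and 4 IVs")
    buf = bytearray(MON_SIZE)
    buf[0] = species
    buf[3] = level
    buf[8:12] = bytes(moves)
    buf[12:14] = ot_id.to_bytes(2, "big")
    buf[14:17] = exp.to_bytes(3, "big")
    for i, ev in enumerate(evs):
        buf[17 + 2 * i:19 + 2 * i] = ev.to_bytes(2, "big")
    att, dfn, spd, spc = ivs
    buf[27] = (att << 4) | dfn                 # attack IV in the high nibble
    buf[28] = (spd << 4) | spc
    buf[33] = level
    return bytes(buf)


def party_to_wram(party):
    """Lay out count, species list, terminator and structures as {address: byte}."""
    if not 1 <= len(party) <= 6:
        raise ValueError("a party holds 1 to 6 Pokémon")
    wram = {PARTY_COUNT_ADDR: len(party)}
    for i, mon in enumerate(party):
        wram[PARTY_SPECIES_ADDR + i] = mon[0]
    wram[PARTY_SPECIES_ADDR + len(party)] = 0xFF
    for i, mon in enumerate(party):
        base = PARTY_DATA_ADDR + i * MON_SIZE
        for off, value in enumerate(mon):
            wram[base + off] = value
    return wram


def read_bytes(wram, start, length):
    return bytes(wram.get(start + i, 0) for i in range(length))


def jr_target(instr_addr, offset_byte):
    """jr is relative to the byte after the 2-byte instruction; the offset is signed."""
    e = offset_byte - 256 if offset_byte > 127 else offset_byte
    return (instr_addr + 2 + e) & 0xFFFF


# Skeef's Wigglytuff: moves 2-4 Roar / Leech Seed / Double-Edge, ID 55862,
# XP 2,501,686, EVs 54060 / 13870 / 11318 / 8748 / 14057, Att/Def IVs 12 / 9.
WIGGLYTUFF_MON = encode_mon(WIGGLYTUFF, moves=(0x00, 0x2E, 0x49, 0x26), ot_id=55862,
                            exp=2501686, evs=(54060, 13870, 11318, 8748, 14057),
                            ivs=(12, 9, 0, 0))
SKEEF_PARTY = [encode_mon(FILLER), encode_mon(TENTACOOL), WIGGLYTUFF_MON,
               encode_mon(FILLER), encode_mon(FILLER), encode_mon(FILLER)]


def wigglytuff_code_bytes(party=SKEEF_PARTY):
    """The 19 bytes from mon 3's move 2 (D1CC) through its Att/Def IV byte (D1DE)."""
    return read_bytes(party_to_wram(party), 0xD1CC, 19)


if __name__ == "__main__":
    wram = party_to_wram(SKEEF_PARTY)
    print("D163..D166:", read_bytes(wram, 0xD163, 4).hex(" ").upper())
    print(f"jr at D165 lands at {jr_target(0xD165, wram[0xD166]):04X}")
    print("D1CC..D1DE:", wigglytuff_code_bytes().hex(" ").upper())
```

Because every EV is stored high byte first, each `36 xx` (ld (hl), n) in the listing straddles a low byte and the next stat's high byte, which is why the decimal values look arbitrary until you split them into hex pairs.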

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #340 on: April 07, 2016, 12:50:11 am »
Ever thought Tentacool could jump? No? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36?)

Also, have you tried to use the game's copying routine?
It is called CopyData in pokered, but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • I love My Melody. I want to be a mum. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #341 on: April 09, 2016, 03:30:03 am »
Quote from: ISSOtm on April 05, 2016, 10:36:32 am
Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.

Approved!

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #342 on: April 09, 2016, 10:29:09 am »
Quote from: ISSOtm on April 07, 2016, 12:50:11 am
Ever thought Tentacool could jump? No? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36?)

Also, have you tried to use the game's copying routine?
It is called CopyData in pokered, but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.

Hehe, you think the ID number is a bit far-fetched? The XP puts it at lvl 146 :P

I have not considered using the copy routine. No idea what that is O.o

An easier way to set up would be to put the data into the daycare directly. If you don't use the daycare, the values won't change. The Wigglytuff I made is just an easier way to set up the bootstrap again after using the daycare.
It's 19 bytes to make Wigglytuff, but only 5 bytes need to be set to do it directly. As an added bonus, on a cartridge the daycare values stay after starting a new game. Not sure if they do on VC though.

Also, with both 8F and -gm, you can make one start reading at item 3 as usual and make the other go to the stored items on the PC. That way you can run a code you use often (say walk through walls or multiply items) from the computer, and run others from carried items.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #343 on: April 10, 2016, 01:54:32 am »
Uh, the copy routine is located somewhere in ROM bank 0; it copies a chunk of data from somewhere to elsewhere.
You have to call it like so:
ld hl, pointer_to_source
ld de, pointer_to_destination
ld bc, number_of_bytes_to_copy
call copy
(total: 12 bytes)

Still, I cannot find its ROM address.

danny

  • Decamark Collector and Pokémaniac
  • Member+
  • i hate being alive
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #344 on: April 11, 2016, 03:05:12 pm »
The ROM address is 00b6
ralsei is my son.

discord: dani#5700