Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 415244 times)


Krys3000 (Distinguished Member; Head admin of the PRAMA Initiative)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #390 on: July 03, 2016, 06:56:52 am »
I don't know if this was known, but here's a shinyzer code created by PRAMA board's member thelinekioubeur. It changes your first stored Pokémon so it will be shiny when traded to 2G games.

Code:
ld hl, $DAB1    ; DV bytes of the first boxed Pokémon (Red/Blue)
ld a, $EA       ; Attack DV 14, Defense DV 10
ld (hl), a
sub a, $40      ; A = $AA: Speed DV 10, Special DV 10
inc hl
ld c, a         ; keeps the value for the store below (the byte is also an item ID)
inc b           ; padding
ld (hl), c
ret

Code:
ThunderStone x177
TM18 x62
TM34 x119
TM14 x64
Hp Up x79
Poké Ball x113
TM01 x[whatever]

ThunderStone quantity goes -1 in US Yellow, +5 in European R/B, +4 in European Yellow.

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov
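How the listing above turns into the item list, shown with an added Python helper that is not part of Krys3000's or thelinekioubeur's post: each pair of payload bytes becomes one bag slot (item ID, quantity), and execution reaches the payload at bag slot 3 ($D322 in Red/Blue), which is why the list starts at ThunderStone and not at 8F. The item IDs in the table are the Gen 1 IDs of the items used in this thread (TMs are $C9 + n), and the hex bytes are hand-assembled from the listing. `shift_imm16` reproduces the per-version quantity shifts the post mentions: the target address moves, so the ThunderStone quantity, which is the low byte of `$DAB1`, moves with it.

```python
# Added example (not from the post): map an 8F payload's bytes to the bag slots that hold them.
# Gen 1 item IDs for the items used in this thread; TMs are $C9 + n.
ITEM_IDS = {
    0x04: "Poké Ball", 0x0D: "Ice Heal", 0x0E: "Awakening", 0x13: "Super Potion",
    0x14: "Potion", 0x21: "ThunderStone", 0x22: "Water Stone", 0x23: "HP Up",
    0x26: "Carbos", 0x2E: "X Accuracy", 0x36: "Max Revive", 0x3C: "Fresh Water",
}
ITEM_IDS.update({0xC9 + n: f"TM{n + 1:02d}" for n in range(50)})

BAG_SLOT3_ADDR = 0xD322   # Red/Blue: item byte of bag slot 3, the first byte 8F executes

# The shinyzer, hand-assembled from the listing in the post (16-bit operands are little-endian).
SHINYZER = bytes([
    0x21, 0xB1, 0xDA,   # ld hl,$DAB1
    0x3E, 0xEA,         # ld a,$EA
    0x77,               # ld (hl),a
    0xD6, 0x40,         # sub a,$40
    0x23,               # inc hl
    0x4F,               # ld c,a
    0x04,               # inc b
    0x71,               # ld (hl),c
    0xC9,               # ret
])

def payload_to_slots(code, base=BAG_SLOT3_ADDR):
    """Pair bytes up as (item ID, quantity) bag slots starting at `base`.

    Each slot is a dict with addr, item, qty (None when the byte after `ret` is never
    executed, i.e. "x[whatever]"), name, and warnings a setup author should look at.
    """
    slots = []
    for i in range(0, len(code), 2):
        item = code[i]
        qty = code[i + 1] if i + 1 < len(code) else None
        name = ITEM_IDS.get(item)
        warnings = []
        if name is None:
            warnings.append(f"${item:02X} is not in this table; check it is an obtainable item")
        if qty == 0:
            warnings.append("quantity 0 cannot be held as a normal stack; move the byte or re-pad")
        slots.append({"addr": base + i, "item": item, "qty": qty, "name": name, "warnings": warnings})
    return slots

def format_setup(code):
    """Render the whole bag, slots 1 and 2 included, the way setups are listed in the thread."""
    lines = ["8F", "(any item) x(any)"]
    for s in payload_to_slots(code):
        label = s["name"] or f"item ${s['item']:02X}"
        qty = "[whatever]" if s["qty"] is None else str(s["qty"])
        note = f"   ; {'; '.join(s['warnings'])}" if s["warnings"] else ""
        lines.append(f"{label} x{qty}{note}")
    return lines

def shift_imm16(code, offset, delta):
    """Copy of `code` with the little-endian 16-bit operand at `offset` moved by `delta`.

    The post's per-version shifts (-1, +5, +4) are exactly this: the address the
    payload writes to moves, so the quantity byte holding its low byte moves too.
    """
    addr = (code[offset] | code[offset + 1] << 8) + delta
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("address out of range")
    out = bytearray(code)
    out[offset], out[offset + 1] = addr & 0xFF, addr >> 8
    return bytes(out)

if __name__ == "__main__":
    print("\n".join(format_setup(SHINYZER)))
    print("European R/B:", format_setup(shift_imm16(SHINYZER, 1, 5))[2])
```

`format_setup(SHINYZER)` prints the list from the post; `shift_imm16(SHINYZER, 1, 5)` gives ThunderStone x182 for European R/B, and a delta that carries into the high byte would change the TM18 slot as well, which the function handles rather than the reader having to notice.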

U_Flame (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #391 on: July 04, 2016, 05:08:08 am »
Quote from: Krys3000 on July 03, 2016, 06:56:52 am

This turned my 62 TM18s into 35 "ws m "s. Is that normal? I've double checked to make sure I'm using the right items. If it matters, I'm on US Blue using 1 TM01 and the only Pokémon in box 1 is "'M 'N g". I haven't checked what Gen 2 views it as yet. I did try leveling it up to see if the possibly changed DVs made a difference in stats, but the game crashes when 'M 'N g levels up.
« Last Edit: July 04, 2016, 05:09:04 am by U_Flame »

ISSOtm (Staff)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #392 on: July 04, 2016, 07:24:01 am »
The quantity of TM01 REALLY doesn't matter. I mean it.
And, uh, it seems everything is correct. The ws lm shouldn't be here, and I guess you didn't set up your bag properly.
The listing given by Krys3000 starts from item #3!
The full setup should be something like
Code:
Any item xAny qty
Any item xAny qty
Thunderstone x177
TM18 x62
(etc)
TM01 xAny qty
Any items (or nothing :P)
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

U_Flame (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #393 on: July 04, 2016, 09:04:51 am »
Oh of course the 3rd item rule! I was so used to following list setups exactly that I forgot that was a thing. Thank you.

Krys3000 (Distinguished Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #394 on: July 04, 2016, 09:47:18 am »
Yeah, sorry I did not mention item 1 and 8F/ws l'm, I just copy/pasted thelinekioubeur's post and translated it to English. It seemed pretty obvious though :P


U_Flame (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #395 on: July 04, 2016, 11:55:12 am »
Yeah, in hindsight it kinda was. Oh well, I got a shiny glitch Pokémon now. Probably won't actually matter if I can't find a way to transfer it, but it's the thought that counts. Yay

Skeef (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #396 on: July 04, 2016, 11:57:36 am »
    Okay, simple questions, simple answers.

    Unless it is saved then loaded, RAM doesn't persist. In that case it won't, but don't assume it will be zero.

    There is no official syntax for gb-specific z80 instructions, so here are some aliases :
    • ldi (hl), a
    • ld (hli), a
    • ld (hl+), a
    • ld [hli], a
    Same for ldd and ld-, etc.
    You are correct, ldi (hl), a is totally equivalent to ld (hl), a \ inc hl

    There is a special instruction in gb z80 : ld ($FF00 + imm8), a (as well as ld a, ($FF00 + imm8))
    It saves one byte (thus speed) over ld a, (mem16) and ld (mem16), a

    And the gb z80 is little-endian :
    call $C0DE is "CD DE C0"

    Gotcha ? I will be writing a gbz80 dev page on the wiki some day. Right now I'm spending a week with my gf, so I'm pretty much occupied :P

Thanks  :D

ld a,($FF00+$A2)
So this would be "F0 A2"

About negative relative jumps... Took me a while to figure that out, but I think I got it.
Code:
D99B <- 18 || jr
D99C <- FC || jump to D999
This would be it right?

ISSOtm (Staff)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #397 on: July 05, 2016, 05:04:47 am »
When I'm doubting about relative jumps, I remember this :
18 00 (jr @+0) does nothing.
18 FE (jr @-2) loops infinitely.

So what you do is :
  • Take the address of the jr opcode (the first byte, not its operand !)
  • Add two, call that "baseAddr"
  • Take the operand as a signed 8-bit integer, call that "offset"
  • Add offset to baseAddr
  • Now you got the destination address.
In your case, we have
* baseAddr = $D99B + 2 = $D99D
* offset = $FC = -$4 (negative, since its leftmost bit is 1 :P)
So you'd jump to $D99D - $4 because ($FC & $80) = $80
That is D999. You did right !

Oh hey, and a tip about negating :
hex * -1 = (hex XOR $FF) + 1
It's neat to know this if you didn't already.
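Skeef's questions about `ld a,($FF00+n)`, little-endian `call`, and negative relative jumps, together with ISSOtm's rule above, as an added Python example (not code from either post): `jr_target` applies "opcode address + 2 + signed operand", `jr_operand` is the inverse and rejects a target a `jr` cannot reach (at which point you need `jp`), `neg8` is the "(hex XOR $FF) + 1" trick, and `encode_call`/`encode_jp`/`encode_ldh` produce the `CD DE C0` and `F0 A2` byte patterns discussed. The opcode values are the standard GBz80 encodings.

```python
# Added example (not from the thread): encode and decode GBz80 jumps and the $FF00-relative loads.
JR_OPCODES = {None: 0x18, "nz": 0x20, "z": 0x28, "nc": 0x30, "c": 0x38}
JP_OPCODES = {None: 0xC3, "nz": 0xC2, "z": 0xCA, "nc": 0xD2, "c": 0xDA}

def to_signed8(byte):
    """Read a byte as a signed 8-bit integer: leftmost bit set means negative."""
    return byte - 0x100 if byte & 0x80 else byte

def neg8(byte):
    """hex * -1 = (hex XOR $FF) + 1, kept to 8 bits."""
    return ((byte ^ 0xFF) + 1) & 0xFF

def jr_target(opcode_addr, operand):
    """Destination of a jr whose opcode byte (not operand byte) sits at `opcode_addr`."""
    base = opcode_addr + 2                  # pc after the 2-byte instruction
    return (base + to_signed8(operand)) & 0xFFFF

def jr_operand(opcode_addr, target):
    """Operand byte that makes a jr at `opcode_addr` land on `target`; ValueError if out of reach."""
    offset = target - (opcode_addr + 2)
    if not -128 <= offset <= 127:
        raise ValueError(f"jr at ${opcode_addr:04X} cannot reach ${target:04X} (offset {offset}); use jp")
    return offset & 0xFF

def encode_jr(opcode_addr, target, cond=None):
    """jr [cond,]e as bytes, e.g. encode_jr(0xD99B, 0xD999) -> 18 FC."""
    return bytes([JR_OPCODES[cond], jr_operand(opcode_addr, target)])

def encode_jp(addr, cond=None):
    """jp [cond,]nn: opcode then the 16-bit address little-endian."""
    return bytes([JP_OPCODES[cond], addr & 0xFF, addr >> 8])

def encode_call(addr):
    """call nn: $CD then the address little-endian (call $C0DE -> CD DE C0)."""
    return bytes([0xCD, addr & 0xFF, addr >> 8])

def encode_ldh(port, load_into_a=True):
    """ld a,($FF00+n) is F0 n; ld ($FF00+n),a is E0 n: one byte shorter than the (nn) forms."""
    if not 0 <= port <= 0xFF:
        raise ValueError("the $FF00-relative forms take a one-byte offset")
    return bytes([0xF0 if load_into_a else 0xE0, port])

def describe_jr(opcode_addr, operand):
    """Human-readable note, including the two cases ISSOtm uses as a mnemonic."""
    target = jr_target(opcode_addr, operand)
    if operand == 0x00:
        return f"jr @+0: does nothing, falls through to ${target:04X}"
    if operand == 0xFE:
        return f"jr @-2: jumps to itself at ${target:04X} (infinite loop)"
    return f"jr to ${target:04X} (offset {to_signed8(operand):+d})"

if __name__ == "__main__":
    print(describe_jr(0xD99B, 0xFC))                     # the case from the post
    print(encode_jr(0xD99B, 0xD999).hex(" "))
    print(encode_call(0xC0DE).hex(" "), encode_ldh(0xA2).hex(" "))
```

When hand-writing an 8F payload, run the intended jump through `jr_operand` before picking item quantities: an operand computed from the operand's own address instead of the opcode's is off by one, and an out-of-range target silently wraps if you do the subtraction by hand.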

Skeef (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #398 on: July 13, 2016, 01:44:05 pm »
Right, the last few days I have been working on the pong game. After a few small problems I finally got to a point where my game does not crash when I execute the program :P. However it's not exactly the pong as it is in the video. There are 2 things not quite right.

The first thing is the screen color. It's not black. It's more vertical lines of grey and white. Something like this:
(It's worth noting that I am trying this on Virtual Console.)

The second thing is the game over... better yet, there is no game over. When the ball hits the bottom of the screen the ball just disappears. However the sound of the ball bouncing still plays. Then after a while the ball comes back up from the bottom of the screen into play till I miss it with the pad and it goes under the screen again. So I took a closer look at the code. The "game-over" subroutine starts at $D918. But there are no jumps to that address (neither relative nor absolute). My guess is that's a small mistake in the code? The following lines are from the code. I think this is where it's supposed to jump to $D918 instead of $D976.

Code:
cp   a,$11
jp   z,D976_UpdateBallPosition ; If Y=$11 (DEC 17), the lower part of the screen, it's game over

Aldrasio (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #399 on: July 14, 2016, 06:47:57 pm »
Here's one that gives you 1 of every TM in your PC box. Just make sure you're OK losing everything in your Item PC, because it overwrites all the items.
  • 8F
  • (any item)
  • X Accuracy x58
  • Carbos x213
  • Awakening x50
  • Super Potion x6
  • TM01 x121
  • Water Stone x120
  • Water Stone x175
  • Fresh Water x4
  • Ice Heal x32
  • TM47 x34
  • Max Revive x255
  • Potion x201

Code:
WRA1:d322 2e 3a            ld   l,3a
WRA1:d324 26 d5            ld   h,d5    ; Sets HL to point to the Item PC (wNumBoxItems, $D53A)
WRA1:d326 0e 32            ld   c,32    ; 50 decimal, works as a counter and as the Item PC count
WRA1:d328 13               inc  de      ; padding
WRA1:d329 06 c9            ld   b,c9    ; TM01
WRA1:d32b 79               ld   a,c     ; Loads 50 into the A register (runs once; the loop re-enters below)
WRA1:d32c 22               ldi  (hl),a  ; First iteration, tells PC it has 50 items; after that, loads 1 into each Item Quantity address
WRA1:d32d 78               ld   a,b     ; Load TM value into A...
WRA1:d32e 22               ldi  (hl),a  ; ...then put that TM in the PC
WRA1:d32f af               xor  a
WRA1:d330 3c               inc  a       ; A = 1
WRA1:d331 04               inc  b       ; Next TM
WRA1:d332 0d               dec  c
WRA1:d333 20 f7            jr   nz,d32c ; Loop until C = 0
WRA1:d335 22               ldi  (hl),a  ; Final item's quantity
WRA1:d336 36 ff            ld   (hl),ff ; End of Item PC list
WRA1:d338 14               inc  d       ; padding
WRA1:d339 c9               ret
« Last Edit: July 14, 2016, 06:55:47 pm by Aldrasio »
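Before typing either payload on this page into a game, it is worth dry-running it. The Python interpreter below is an added example, not code from Aldrasio's or Krys3000's posts: it models only the opcodes those two payloads use and raises on anything else rather than guessing, loads the bytes at bag slot 3 ($D322), runs until `ret`, and then decodes what was written: the Item PC list at wNumBoxItems ($D53A) for the TM payload, and the two bytes at $DAB1 for the shinyzer. Reading $DAB1/$DAB2 as the first boxed Pokémon's DV bytes and applying the Gen 2 shiny rule to them are my additions; the post itself only says the Pokémon becomes shiny when traded to Gen 2.

```python
# Added example (not from the thread): a minimal GBz80 interpreter for the opcodes used by
# the two 8F payloads on this page, to dry-run a setup against a blank RAM image.
BAG_SLOT3 = 0xD322        # item byte of bag slot 3: first byte executed via 8F (Red/Blue)
NUM_BOX_ITEMS = 0xD53A    # wNumBoxItems: count, then (item, qty) pairs, then $FF
BOX1_MON1_DVS = 0xDAB1    # assumed: DV bytes of the first boxed Pokémon, the shinyzer's target

# Aldrasio's Item PC payload, hand-assembled from the listing above.
TM_PC_PAYLOAD = bytes([
    0x2E, 0x3A, 0x26, 0xD5,   # ld l,$3A / ld h,$D5   -> HL = wNumBoxItems
    0x0E, 0x32,               # ld c,$32              -> 50: loop counter and item count
    0x13,                     # inc de                (padding)
    0x06, 0xC9,               # ld b,$C9              -> TM01
    0x79, 0x22,               # ld a,c / ldi (hl),a   -> count on pass 1 (ld a,c runs once)
    0x78, 0x22,               # ld a,b / ldi (hl),a   -> item ID
    0xAF, 0x3C,               # xor a / inc a         -> A = 1 (quantity for later passes)
    0x04, 0x0D,               # inc b / dec c
    0x20, 0xF7,               # jr nz,$D32C
    0x22,                     # ldi (hl),a            -> last quantity
    0x36, 0xFF,               # ld (hl),$FF           -> terminator
    0x14,                     # inc d                 (padding)
    0xC9,                     # ret
])
# Krys3000's shinyzer, hand-assembled from its listing.
SHINYZER_PAYLOAD = bytes([0x21, 0xB1, 0xDA, 0x3E, 0xEA, 0x77, 0xD6, 0x40, 0x23, 0x4F, 0x04, 0x71, 0xC9])

class Cpu:
    def __init__(self):
        self.a = self.b = self.c = self.d = self.e = self.h = self.l = 0
        self.z = False                      # only the Z flag matters for this subset

def _pair(cpu, hi, lo):
    return getattr(cpu, hi) << 8 | getattr(cpu, lo)

def _set_pair(cpu, hi, lo, v):
    setattr(cpu, hi, (v >> 8) & 0xFF)
    setattr(cpu, lo, v & 0xFF)

INC_DEC = {0x3C: ("a", 1), 0x04: ("b", 1), 0x14: ("d", 1), 0x0D: ("c", -1)}
LD_R_N = {0x3E: "a", 0x06: "b", 0x0E: "c", 0x26: "h", 0x2E: "l"}

def step(cpu, mem, pc):
    """Execute the instruction at pc. Returns the next pc, or None once ret is reached."""
    op, n = mem[pc], mem[(pc + 1) & 0xFFFF]
    nn = n | mem[(pc + 2) & 0xFFFF] << 8
    hl = _pair(cpu, "h", "l")
    if op in LD_R_N: setattr(cpu, LD_R_N[op], n); return pc + 2              # ld r,n
    if op in INC_DEC:                                                       # inc a/b/d, dec c
        reg, delta = INC_DEC[op]
        v = (getattr(cpu, reg) + delta) & 0xFF
        setattr(cpu, reg, v); cpu.z = v == 0; return pc + 1
    if op == 0x21: _set_pair(cpu, "h", "l", nn); return pc + 3               # ld hl,nn
    if op == 0x13: _set_pair(cpu, "d", "e", _pair(cpu, "d", "e") + 1); return pc + 1  # inc de
    if op == 0x23: _set_pair(cpu, "h", "l", hl + 1); return pc + 1           # inc hl
    if op == 0x36: mem[hl] = n; return pc + 2                                # ld (hl),n
    if op == 0x77: mem[hl] = cpu.a; return pc + 1                            # ld (hl),a
    if op == 0x71: mem[hl] = cpu.c; return pc + 1                            # ld (hl),c
    if op == 0x22: mem[hl] = cpu.a; _set_pair(cpu, "h", "l", hl + 1); return pc + 1  # ldi (hl),a
    if op == 0x4F: cpu.c = cpu.a; return pc + 1                              # ld c,a
    if op == 0x78: cpu.a = cpu.b; return pc + 1                              # ld a,b
    if op == 0x79: cpu.a = cpu.c; return pc + 1                              # ld a,c
    if op == 0xAF: cpu.a = 0; cpu.z = True; return pc + 1                    # xor a
    if op == 0xD6: cpu.a = (cpu.a - n) & 0xFF; cpu.z = cpu.a == 0; return pc + 2  # sub a,n
    if op == 0x20:                                                           # jr nz,e
        off = n - 0x100 if n & 0x80 else n
        return pc + 2 if cpu.z else (pc + 2 + off) & 0xFFFF
    if op == 0xC9: return None                                               # ret
    raise NotImplementedError(f"opcode ${op:02X} at ${pc:04X} is not modelled; extend step()")

def run(payload, start=BAG_SLOT3, max_steps=5000):
    """Load `payload` at `start` in blank RAM and run until ret; returns (cpu, mem)."""
    mem = bytearray(0x10000)
    mem[start:start + len(payload)] = payload
    cpu, pc = Cpu(), start
    for _ in range(max_steps):
        pc = step(cpu, mem, pc)
        if pc is None:
            return cpu, mem
    raise RuntimeError("no ret within the step limit: check the loop counter and jr offset")

def decode_item_list(mem, addr):
    """Read a Gen 1 item list (count, pairs, $FF) and return [(item, qty), ...]."""
    count = mem[addr]
    pairs = [(mem[addr + 1 + 2 * i], mem[addr + 2 + 2 * i]) for i in range(count)]
    if mem[addr + 1 + 2 * count] != 0xFF:
        raise ValueError("list is not $FF-terminated: the game would read past it")
    return pairs

def tm_name(item_id):
    return f"TM{item_id - 0xC8:02d}" if 0xC9 <= item_id <= 0xFA else f"${item_id:02X}"

def decode_dvs(mem, addr):
    """Gen 1 DV bytes: Attack/Defense nibbles, then Speed/Special nibbles."""
    return mem[addr] >> 4, mem[addr] & 0xF, mem[addr + 1] >> 4, mem[addr + 1] & 0xF

def is_gen2_shiny(atk, dfn, spd, spc):
    """Gen 2 shiny rule: Def = Spd = Spc = 10 and Attack in {2,3,6,7,10,11,14,15}."""
    return dfn == spd == spc == 10 and atk in (2, 3, 6, 7, 10, 11, 14, 15)

if __name__ == "__main__":
    _, mem = run(TM_PC_PAYLOAD)
    items = decode_item_list(mem, NUM_BOX_ITEMS)
    print(len(items), "items:", tm_name(items[0][0]), "...", tm_name(items[-1][0]))
    _, mem = run(SHINYZER_PAYLOAD)
    print("DVs:", decode_dvs(mem, BOX1_MON1_DVS), "shiny:", is_gen2_shiny(*decode_dvs(mem, BOX1_MON1_DVS)))
```

Running the TM payload yields fifty (TM, 1) pairs and a $FF terminator; replacing its last two bytes with $C9 plus any quantity (ISSOtm's Potion x201 to TM01 swap) produces the same list, because `ret` executes before the quantity byte is ever fetched. The step limit is what catches a miscomputed `jr` offset: a loop that never reaches `dec c` hitting zero surfaces as a RuntimeError here rather than as a frozen game.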

Krys3000 (Distinguished Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #400 on: July 15, 2016, 01:33:54 am »
Very cool  :D thanks!


ISSOtm (Staff)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #401 on: July 15, 2016, 09:17:24 am »
The Potion x201 can be swapped with a TM01 x[any qty]... supposing you have one :D

Aldrasio (GCLF Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #402 on: July 15, 2016, 09:42:20 am »
Quote from: ISSOtm on July 15, 2016, 09:17:24 am

Yeah, but I figured I'd be likely to have potions on hand anyways in normal gameplay. I'm working on a speedrun route where the final goal is to have all the TMs, and the route centers around getting this inventory and using 8F.

Wack0 (Distinguished Member; Coder, reverser, beta collector [BetaArchive staff])
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #403 on: July 15, 2016, 01:44:57 pm »
Quote from: Aldrasio on July 15, 2016, 09:42:20 am

When I code 8F payloads I generally optimize them (adding junk code) to prevent requiring invalid items, multiple key items, multiple stacks of the same item, TMs, etc., where possible. Just so the item list is easier to obtain.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

ISSOtm (Staff)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #404 on: July 15, 2016, 05:04:09 pm »
Quote from: Wack0 on July 15, 2016, 01:44:57 pm
I know, and in my old GBZ80 compiler, I was planning to add such a feature... but I kinda dropped its development, so oh well.