
Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 414817 times)


Isaac356

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #435 on: July 27, 2016, 08:23:45 pm »
Hi,

I'm new here having only recently gotten into Pokémon glitching, but like many others I was frustrated with trying to use the giant image to find the Pokémon that I wanted, so I took it upon myself to create this: https://www.exocron.me/tfly

Simply choose the Pokémon that you want in the dropdown box and the page will list out all the trainers that you can obtain them from, as well as what Pokémon in their party is the one that yields the necessary special stat, and what route/gym/other place they are located in. It's currently very ugly (think early alpha) and only gives a general idea of the trainer's location, but it does work, and since I've already found it helpful I figured I'd throw it out there now and improve it over time. I parsed all the necessary data from the Pokémon Red disassembly (https://github.com/pret/pokered) and the few trainers that I manually verified were correct, but some data is linked up incorrectly (in particular, the Rival data), which I'll need to fix up manually over time.

In addition, if any web designers that are watching this thread want to fork the project and pretty it up, it would be much appreciated.  ;D

Something occurred to me today: Creating a bootstrapping program that takes input from the Gameboy's serial port would be both short to write with items and pretty fast to execute, assuming you had something specifically designed for it attached to the serial port. You could probably make a simple datalink device with an Arduino or something. Has anyone tried this?

Not exactly the same thing, but very similar, someone buffer overflowed the Cable Club and ran some shellcode that way: https://www.youtube.com/watch?v=m3e_SyhE3xc

danny

  • Decamark Collector and Pokémaniac
  • Member+
  • i hate being alive
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #436 on: July 27, 2016, 09:24:26 pm »
Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!

I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens

Isaac356

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #437 on: July 27, 2016, 11:36:59 pm »
I noticed on your site it says "undefined" for some Pokémon (e.g. Marowak and B7). I don't know why that happens

There are quite a few trainer party entries that don't have any actual map objects linked to them (i.e. Professor Oak). In addition, the rival's entries don't appear to be linked at all (except for the first one - the level 5 starter - in two different places), but I presume that is because the game handles him differently (doesn't show up on map after completion; party data depends on starter choice). For Oak and the rival, I'll be able to designate those separately (they're labeled in the disassembly, and the rival only shows up in a few places so I can mark those down manually), but for the others, I won't know if they're unused data or if Game Freak just pulled some shenanigans (the code is filled with interesting one-off situations that don't match up to the rest of the game, so it's possible that the scripts I wrote to parse the data and re-structure it just missed something).

TL;DR - Probably glitch trainers or rival. I'm leaving them in for now, but I'll be sure to make it more clear what's going on in the future (maybe hide them behind an "Include glitch trainers" checkbox).

At some point, I'm hoping to screen shot all the maps, so hopefully by then I'll notice if the trainer count doesn't match up.

Welcome Isaac356! This is the wrong topic for your site, but it should come in handy for some people!

Yeah, now that I think about it, it probably is. Sorry about that. I was just following the thread since I was starting the arbitrary code execution stuff, and I got too excited about this project.

TheZZAZZGlitch

  • Distinguished Member
  • Gender: Male
  • Unknown opcode fc at 801a
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #438 on: July 28, 2016, 12:54:29 am »
The same method of arbitrary code execution through the link cable is possible in Gen II. This (similarly to the Gen I version) works by overflowing the trade partner Pokemon list and overwriting a return address on the stack.

https://www.youtube.com/watch?v=e8CO_e_rKd8

There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.
« Last Edit: July 28, 2016, 12:58:16 am by TheZZAZZGlitch »

Aldrasio

  • GCLF Member
  • Gender: Male
  • Our Lady of Perpetual Underflow
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #439 on: July 28, 2016, 08:58:42 am »
There is also a writeup about the Gen I link cable exploit, so if you want to know exactly how this works, visit: http://vaguilar.js.org/posts/1/
The process is pretty much the same for Gen II.

Thanks, this is exactly what I was looking for! I kind of want to use this method to dump or load SRAM data to physical carts. On a DMG I think it would take a bit more than 30 seconds to funnel all of SRAM through the serial port, but I admit I've never really coded for serial communication. And hey, if that works, just for lolz I could probably dump the whole ROM through the serial port.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #440 on: July 28, 2016, 09:31:03 am »
Welcome to the forums Isaac356! :)

Thanks for the amazing Trainer-Fly database. Is it all right if I link to it on the wiki sidebar?
« Last Edit: July 28, 2016, 09:32:25 am by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Isaac356

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #441 on: July 28, 2016, 02:05:42 pm »
Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #442 on: July 28, 2016, 03:46:53 pm »
Thanks Torchickens! It would absolutely be all right if you linked it, and that would be awesome!

All right then, cool! I've gone ahead and added it to the sidebar. ^_^


Isaac356

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #443 on: August 09, 2016, 08:39:30 pm »
We're back!  ;D

I spent the last few days experimenting with loading serial data via 8F. I went through a couple of iterations on the shellcode, trying to eliminate key items and glitch items, before I settled for this:

  • (any item)
  • 8F
  • TM43 x33
  • j. (null) x192
  • j. (null) x0
  • TM24 x1
  • Lemonade x128
  • TM24 x2
  • TM40 x2
  • TM30 x128
  • Fire Stone x250
  • TM40 x1
  • Water Stone x24
  • TM37 x(any)

Technically, the nulls could be eliminated, but that would make the code longer and they're easy enough to obtain.

WRA1:D322 F3               di                    ; no interrupts while polling the serial port
WRA1:D323 21 00 C0         ld   hl,C000          ; destination pointer for received bytes
Loop::
WRA1:D326 00               nop                   ; placeholder: the sender later overwrites D326-D327 with a jr
WRA1:D327 00               nop
WRA1:D328 E0 01            ld   (ff00+01),a      ; SB: outgoing byte (don't care)
WRA1:D32A 3E 80            ld   a,80
WRA1:D32C E0 02            ld   (ff00+02),a      ; SC = 80: start transfer, external clock (slave mode)
Wait_Serial::
WRA1:D32E F0 02            ld   a,(ff00+02)
WRA1:D330 E6 80            and  a,80             ; bit 7 stays set until the transfer completes
WRA1:D332 20 FA            jr   nz,Wait_Serial
Serial_Received::
WRA1:D334 F0 01            ld   a,(ff00+01)      ; SB now holds the received byte
WRA1:D336 22               ldi  (hl),a           ; store it and advance the pointer
WRA1:D337 18 ED            jr   Loop

The code will store bytes received from the serial port (in slave mode, because it's easier for synchronization and we can drive the serial faster than normal) starting at address C000 and never ending... or so it may seem. The nops are key here. Originally I limited how many bytes to receive, then jumped directly to address C000, but the resulting code barely fit into the item list. Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, therefore when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.

In other words, your serial data sender has to look something like this (in a very Python-esque pseudocode):

for byte in program:
    send_serial_data(byte)              # payload lands at C000 onward

for _ in range((0xD323 - 0xC000) - len(program)):
    send_serial_data(0)                 # zero fill up to D323

for byte in b"\xC3\x00\xC0\x18\xFB":
    send_serial_data(byte)              # C3 00 C0 = jp C000 at D323-D325, 18 FB = jr to D323 at D326-D327
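As an added illustration of the self-modifying receive loop described in this post (this is my own simulation, not Isaac356's code and not anything from the game), the following Python models only the handful of SM83 instructions the loader uses, together with a deliberately simplified serial port in which the external master completes a transfer the moment SC bit 7 is set (an assumption; real hardware clocks the byte in over eight external clock pulses). The sender-side stream is laid out exactly as the pseudocode above describes, except that the jr displacement is computed rather than hand-coded. Running it shows the payload landing at C000, the two nops at D326 turning into a jr back to D323, and control handing off to the payload.

```python
# Added example: simulate the 8F serial bootstrapper from the post above.
# Not Isaac356's code; the loader bytes are transcribed from his listing and
# the serial-port model is a deliberate simplification (see lead-in).

LOADER_BASE = 0xD322            # where the item-list shellcode lives
PROGRAM_BASE = 0xC000           # where received bytes are stored
SB, SC = 0xFF01, 0xFF02         # serial data / serial control registers

# Loader bytes exactly as in the listing (di; ld hl,C000; nop; nop; ...).
LOADER = bytes.fromhex("F3 21 00 C0 00 00 E0 01 3E 80 E0 02 F0 02 E6 80 20 FA F0 01 22 18 ED")


def jr_offset(jr_addr: int, target: int) -> int:
    """Displacement byte for a 'jr' located at jr_addr that should reach target."""
    disp = target - (jr_addr + 2)          # jr is relative to the next instruction
    if not -128 <= disp <= 127:
        raise ValueError("target out of jr range")
    return disp & 0xFF


def build_stream(program: bytes) -> bytes:
    """Sender-side byte stream: payload, zero fill up to D323, then the trailer."""
    room = 0xD323 - PROGRAM_BASE
    if len(program) > room:
        raise ValueError("payload would overwrite the loader before it is ready")
    trailer = bytes([0xC3, 0x00, 0xC0])                         # jp C000, lands at D323
    trailer += bytes([0x18, jr_offset(0xD326, 0xD323)])         # jr D323, lands at D326
    return program + bytes(room - len(program)) + trailer


def run_loader(stream: bytes, max_steps: int = 1_000_000):
    """Execute the loader against the stream; returns (pc, memory) once control
    reaches PROGRAM_BASE. Only the opcodes the loader and trailer use are modelled."""
    mem = bytearray(0x10000)
    mem[LOADER_BASE:LOADER_BASE + len(LOADER)] = LOADER
    incoming = iter(stream)
    a, hl, zero, pc = 0, 0, False, LOADER_BASE

    def rel(addr):                           # signed displacement byte at addr
        d = mem[addr]
        return d - 256 if d > 127 else d

    for _ in range(max_steps):
        if pc == PROGRAM_BASE:
            return pc, bytes(mem)
        op = mem[pc]
        if op in (0x00, 0xF3):               # nop / di
            pc += 1
        elif op == 0x21:                     # ld hl,nn
            hl = mem[pc + 1] | (mem[pc + 2] << 8)
            pc += 3
        elif op == 0x3E:                     # ld a,n
            a = mem[pc + 1]
            pc += 2
        elif op == 0xE0:                     # ld (ff00+n),a
            addr = 0xFF00 + mem[pc + 1]
            mem[addr] = a
            if addr == SC and a & 0x80:      # start transfer, external clock:
                nxt = next(incoming, None)   # the master shifts the next byte in at once
                if nxt is not None:
                    mem[SB], mem[SC] = nxt, a & 0x7F
            pc += 2
        elif op == 0xF0:                     # ld a,(ff00+n)
            a = mem[0xFF00 + mem[pc + 1]]
            pc += 2
        elif op == 0xE6:                     # and a,n
            a &= mem[pc + 1]
            zero = a == 0
            pc += 2
        elif op == 0x20:                     # jr nz,d
            pc = pc + 2 + (0 if zero else rel(pc + 1))
        elif op == 0x22:                     # ldi (hl),a
            mem[hl] = a
            hl = (hl + 1) & 0xFFFF
            pc += 1
        elif op == 0x18:                     # jr d
            pc = pc + 2 + rel(pc + 1)
        elif op == 0xC3:                     # jp nn
            pc = mem[pc + 1] | (mem[pc + 2] << 8)
        else:
            raise RuntimeError(f"unmodelled opcode {op:02X} at {pc:04X}")
    raise RuntimeError("loader never handed off (stream too short?)")


# Constructed payload for the demo: ld a,42 ; jr $ (spin forever).
DEMO_PROGRAM = bytes([0x3E, 0x42, 0x18, 0xFE])

if __name__ == "__main__":
    pc, mem = run_loader(build_stream(DEMO_PROGRAM))
    print(f"handed off at {pc:04X}; D323..D327 now {mem[0xD323:0xD328].hex()}")
```

The stall case is worth trying as well: drop the last byte of the stream and the loop sits in Wait_Serial forever, which is exactly the failure a sender that miscounts the fill bytes would produce on real hardware.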

Aldrasio

  • GCLF Member
  • Gender: Male
  • Our Lady of Perpetual Underflow
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #444 on: August 10, 2016, 05:58:08 pm »
Instead, I opted to allow the serial receive to overwrite the loop code, causing the instructions to be changed. Fortunately, jr 0 (18 00) behaves like a nop, therefore when the writing gets to the address D326, you have to send a 18 over the serial port, then on the next byte send a relative offset. When testing, I used FB to rel-jump to D323, which already contained a non-relative jump instruction to C000, but in reality any valid address in the range could be used.

Huh, that's a really interesting approach. I like it. I wouldn't have thought to do that. I figured the best way to get around the item quantity bottleneck is to just allow a set number of bytes over serial at first, then send an intermediate bootstrapper, then use that bootstrapper to start receiving the full payload.
« Last Edit: August 10, 2016, 05:58:53 pm by Aldrasio »

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #445 on: September 02, 2016, 02:41:14 pm »
I was watching some Japanese Pokémon glitch videos on Niconico when looking for information about the SRAM glitch in Japanese versions and I found a really interesting video (view without having to create a Niconico account) by tabaさん that discusses arbitrary code execution.

It mentioned arbitrary code execution items in Red/Green discussed here such as 5かい (hex: 5A), the Japanese version of 8F, executing D123 (found long ago); てへ (hex: 7B), executing D806, the grass encounter table, which can be manipulated to the player's name by watching the old man (documented by memdump); but also an arbitrary code execution item I wasn't aware of called なかよしバッヂ (Friend Badge), hex: 67; as well as TM18 in Japanese Crystal (I will talk about that in another thread).

For those curious about the name, なかよしバッヂ (Friend Badge) is one of the unexplained unused list texts.



なかよしバッヂ (Friend Badge) executes code at D983, which stores the number of Safari Balls. This should mean that you can make it work like "-gm" in English Red/Blue, the item which memdump found executes code from DA47 (also the number of Safari Balls). Following D983 is the Day Care in use byte D984 (0 or 1), and the beginning of the structure for the Day Care Pokémon's nickname, D985.

What's notable about なかよしバッヂ (Friend Badge) is that you can use a nickname as the data from D985, and this is good because you can give a Pokémon a nickname at any time, whilst with the player name you can normally only set your name at the beginning of the game (although this raises the question of whether we can change our names in desirable ways with a Select glitch).

Like with てへ, the different mapping for selectable characters in Japanese games allows us to use C3 A6 D2 (てルめ) to jump directly to item 3.

With Friend Badge and no Safari Balls, you can either put a Pokémon named "てルめ" into the Day Care and out again (Day Care data stays after taking the Pokémon out, and for this nickname taking it out is an important step) or deposit a Pokémon with a name such as "ガガてルめ" (you can take this Pokémon out if you like, but don't need to). The former method works in this way because having a 1 value (in Safari Ball) at D984 is interpreted as a ld bc, $aabb instruction and this causes D985 and D986 (nickname characters 1 and 2) to be interpreted as operands.

Additionally, as illustrated in the video, if you have 30 Safari Balls in memory, then D983 will be 1E, the ld e, $xx instruction. This would cause D984 (the "is the Pokémon in the Day Care" byte) to be interpreted as an operand, meaning theoretically "てルめ" will work if you had 30 Safari Balls and put the Pokémon named "てルめ" into Day Care even if you leave it in.

Friend Badge also works in Japanese Blue.

So remember for Japanese R/G/B Friend Badge is your bff. :)... or worst nightmare if you set things up wrong.
« Last Edit: September 02, 2016, 02:50:24 pm by Torchickens »

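To make the alignment argument in the post above concrete, here is an added walk-through in Python (my own example, not tabaさん's video material and not code from the forum or the game). It builds the bytes the CPU would see from D983 onward, using the addresses and the てルめ = C3 A6 D2 encoding quoted in the post plus a 50 byte after the nickname (the usual Gen I end-of-string terminator; an assumption that does not affect the result), then steps through them by SM83 instruction length until it either reaches a jp nn on an instruction boundary or runs off the end of the region. The one-byte/three-byte difference between 00 (nop) and 01 (ld bc,nn) at D984, and the two-byte ld e,n that 30 Safari Balls puts at D983, are exactly what decide whether the jp in the nickname is ever decoded as an instruction.

```python
# Added example: instruction alignment at D983-D988 for なかよしバッヂ (Friend Badge).
# Not code from the post or the game; addresses and the てルめ encoding come from the
# post, the 0x50 terminator is the usual Gen I end-of-string byte (assumption).

SAFARI_BALLS = 0xD983      # execution starts here (Safari Ball count)
DAYCARE_IN_USE = 0xD984    # 0 or 1
NICKNAME = 0xD985          # Day Care Pokémon's nickname follows
TERMINATOR = 0x50
TERUME = bytes([0xC3, 0xA6, 0xD2])   # "てルめ" as quoted in the post: jp D2A6


def sm83_length(op: int) -> int:
    """Byte length of an SM83 (Game Boy CPU) instruction given its first opcode byte."""
    if op < 0x40:
        if op in (0x01, 0x11, 0x21, 0x31, 0x08):                    # ld rr,nn / ld (nn),sp
            return 3
        if op & 7 == 6 or op in (0x10, 0x18, 0x20, 0x28, 0x30, 0x38):  # ld r,n / stop / jr
            return 2
        return 1
    if op < 0xC0:                                                    # ld r,r' and ALU r
        return 1
    if op in (0xC2, 0xC3, 0xC4, 0xCA, 0xCC, 0xCD, 0xD2, 0xD4, 0xDA, 0xDC, 0xEA, 0xFA):
        return 3                                                     # jp/call nn, ld (nn),a, ld a,(nn)
    if op & 7 == 6 or op in (0xCB, 0xE0, 0xE8, 0xF0, 0xF8):           # ALU n, CB prefix, ldh, add sp / ld hl,sp
        return 2
    return 1


def decode_region(region: bytes, base: int):
    """Walk instruction boundaries from base. Returns (jp_target, trace): the operand of the
    first 'jp nn' that lands on a boundary, or None if execution would run off the end of
    the region first. Flow is treated as straight-line except for jp nn."""
    trace, pc = [], 0
    while pc < len(region):
        op = region[pc]
        size = sm83_length(op)
        trace.append((base + pc, op, size))
        if op == 0xC3 and pc + 2 < len(region):
            return region[pc + 1] | (region[pc + 2] << 8), trace
        pc += size
    return None, trace


def friend_badge_target(safari_balls: int, daycare_in_use: bool, nickname: bytes = TERUME):
    """Where Friend Badge execution ends up for a given Safari Ball count and Day Care state."""
    region = bytes([safari_balls & 0xFF, int(daycare_in_use)]) + nickname + bytes([TERMINATOR])
    target, _ = decode_region(region, SAFARI_BALLS)
    return target


if __name__ == "__main__":
    for balls, in_use in [(0, False), (0, True), (30, True)]:
        t = friend_badge_target(balls, in_use)
        state = "in use" if in_use else "empty"
        print(f"{balls:2d} Safari Balls, Day Care {state}: "
              + (f"jp {t:04X}" if t is not None else "misaligned, no jump"))
```

With no Safari Balls and an empty Day Care the walk is nop, nop, jp D2A6; with the Pokémon still inside, the 01 at D984 becomes ld bc,A6C3 and swallows the C3, after which the D2 byte is decoded as a three-byte jp nc and the walk falls off the end. With 30 Safari Balls, ld e,n consumes D984 regardless of its value, which is why the post says the Pokémon can stay in the Day Care in that case.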

Pavel

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #446 on: September 04, 2016, 07:52:32 am »
Hello everyone!

First, I would like to say ‘thank you’ and ‘amazing job’ to everyone who has been working on those glitches in the early Pokemon games : ) !

I found this forum while looking for a way to get new copies of TM28 and TM48 that I had used up in my French Pokemon Yellow version (played on Nintendo Virtual Console on a 3DS), and was dumbfounded when I read what one is able to do thanks to the 8F / wsm glitch!

So I attempted to use it, but unfortunately it hasn’t worked up until now.
I was able to get the wsm item by using the ditto glitch.
I also got all the pokemon specified at the end of this post of Wack0 (http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543), i.e. the six slowpoke, the voltorb, scyther, jolteon, ten geodude and finally voltorb in this order (the first slowpoke having total and current HP equal to 233).
Finally, using again the ditto glitch, I was able to complete the item quantities requirements:  I wanted to use the ‘change the 2nd item’ script, so as to get another TM48, whose corresponding item list is described near the end of the first post of this topic (http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501).
But when the time comes to select and use the wsm item, then the game freezes.

So I wonder about what I am doing that is wrong, and would like to know if you had some insight about this, if possible.

I thought that maybe those ‘corresponding items list’ were designed for Pokemon Blue / Red, and did not work for Pokemon Yellow, or maybe because mine is a French version instead of a US one. Maybe it’s because I’m doing something wrong about the bootstrapping step, but I checked again, and it seems to me I have the setting just as Wack0 described in his post (though I wonder about step 22: why does he repeat ‘Slowpoke as the 1st Pokémon in the current PC box’? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don’t know. In your opinion, how did he proceed to test it, and determine that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.

It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possibly another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it’s wonderful what one can do once one understands the inner workings of such a game : )

Yeniaul

  • Guest
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #447 on: September 04, 2016, 08:27:18 am »
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.

EDIT: You're on a French version? Well, there you go. That's the problem. Read the ACE article on the wiki to see the equivalent item.
« Last Edit: September 04, 2016, 08:35:51 am by Yeniaul »

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #448 on: September 04, 2016, 08:32:45 am »
It was also mentioned that there could be changes between versions with regards to the item placeholder from which the game starts to read the program, during the processing of the glitch. I read on this topic that the game starts to read from the third place, which is why we can place the wsm item, and possibly another item to affect (like in the script I am trying to carry out), in the first and second place; but that for some bootstrapping requirement it could start reading from the first item. I also read something about the game reading from the item storage in the PC instead of in the bag of the player.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it’s wonderful what one can do once one understands the inner workings of such a game : )

Hi Pavel, welcome to the forums! :)

You are using a correct bootstrap code for the French version (in non-English European versions the code indeed has to be tweaked, because the addresses are offset by +5).

It's odd that ws m isn't working because if you meet all the item and stored Pokémon requirements the code should work.

Regarding the item position; one thing that may be the problem is if the beginning of your code begins from an item position other than slot 3; as Wack0's bootstrap code is designed to execute your code from slot 3 only; so make sure your item list begins at slot 3.

The place that the item execution begins depends solely on the bootstrap code (how we redirect the code flow from stored Pokémon); so you don't have to worry about ws m executing from the item storage box because that would need a completely different bootstrap code. Using an English language bootstrap code to redirect the code flow to item 3 instead of a French/German/Spanish/Italian one may mean that the game would still run the code from D322, which due to the address differences is effectively English Red/Blue's D31E (item 1 quantity).

Additionally make sure that your item quantities/items are correct and the current box loaded is the same storage box as where you stored your 20 Pokémon (the Slowpoke with 233 HP followed by five Slowpoke, Voltorb, Scyther, Jolteon, ten Geodude, Voltorb).

Hope that helps!

‘Slowpoke as the 1st Pokémon in the current PC box’? I guess it is meaningful when describing the corresponding byte state (at the end of the line), but does it translate to something I have to do?), and he said he tested it, and that it worked for him, so I don’t know. In your opinion, how did he proceed to test it, and determined that it worked? I want to know so as to be able to determine whether the problem comes from the 'bootstrapping' part, or from the 'item list recipe' part.

You don't need to do anything else (unless your Slowpoke is an unstable hybrid Pokémon). The reason Slowpoke appears again is that after the list of six Pokémon (+ the FF end of list) comes the beginning of Pokémon one's data, which contains a copy of the Pokémon's species byte. These bytes would only not match if your Pokémon is a hybrid obtained from a glitch such as the Pokémon merge glitch, in which you would fuse a different Pokémon with Slowpoke.

So, would it be possible for someone here to help me understand what I did wrong / which one of my assumptions regarding the bootstrapping recipe, the ‘start reading item position’, and whether or not we are talking about the bag or the PC, are correct or not for a French Pokemon Yellow version, please?

Again, thanks for all your work, and for sharing it; it’s wonderful what one can do once one understands the inner workings of such a game : )

Thank you for the kind words and glad you like our findings! :)

There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.

Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically なかよしバッヂ if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively; not running the Day Care data.
« Last Edit: September 04, 2016, 08:46:04 am by Torchickens »


Yeniaul

  • Guest
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #449 on: September 04, 2016, 08:49:12 am »
There's 2 or 3 items with a variant on the name "ws m". Make sure it's the right hex value. I can't remember much, try the page on ws m for inventory photos. Oh, and ws m is Yellow and has a different bootstrap setup, as it runs from boxed PKMN data instead of party PKMN data. Oh, and both need the Daycare to never be used OR the extra leftover data from the last Pokémon expunged from the save, which I can do in a week or so en masse when my Arduinos get here in like 10 days.

Actually the Day Care information is only true for items like -g m in Red/Blue and theoretically なかよしバッヂ if you decide to use a stored Pokémon setup in Japanese Red/Green/Blue because 8F and ws m jump directly to D163 (party Pokémon) and DA7F (stored Pokémon) respectively; not running the Day Care data.
Makes no mention of the many items with a variant of the name "ws m" nor how I know this.