Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 323677 times)


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Gender: Male
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #765 on: January 17, 2018, 03:33:57 pm »
It's unnecessary; all that's required is to wake up as soon as the user presses a button.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Parzival

  • Buyer beware: House comes with 3 free skeletons in a closet of your choice.
  • GCLF Member
  • Gender: Male
  • This box intentionally left blank. ...wait...
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #766 on: January 17, 2018, 07:04:54 pm »
So this accounts for the user releasing a button late and button bounce (on console)?
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

ALERT: THE CRA TO TAKE BACK NET NEUTRALITY IS CURRENTLY IN CONGRESS!!! CLICK THE BANNER BELOW TO JOIN THE FIGHT!

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #767 on: January 18, 2018, 05:02:17 pm »
This doesn't, and as I said:
Quote from: ISSOtm
(Note: if the D-Pad is already held when the setup is run, it will fail.)

Parzival

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #768 on: January 18, 2018, 09:08:38 pm »
How long does the user have to release the A button after running the code? It should be at least like 0.5 second to compensate for the previously mentioned scenarios.

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #769 on: January 19, 2018, 02:25:17 am »
No, the user can release the A button at any moment. What matters is the D-Pad.

Parzival

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #770 on: January 19, 2018, 08:08:57 pm »
Oh. nvm then

WendyBettyJanice

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #771 on: February 05, 2018, 05:49:09 pm »
This is my first time trying to piece together something that works; normally what I want is already on here, but I'm really having a hard time with this, so if anyone can look over this and tell me where I'm being stupid, I'd be more than grateful. I've done my best to show where I obtained my info and how I got to what I got; hopefully that will help someone see where I'm wrong.

I would like to make the typing of the Pokemon in box 1 of my current PC box, Psychic/Flying.

Type 1 - DA9B |DA= 218 |9B = 155   <-- this is location of Pokemon typing in the current box slot 1. I separated and converted to get the decimals 218, 155/156.
Type 2 - DA9C |DA= 218 |9C = 156


Type 1 - Psychic

Any item
8F
lemonade*24 (Psychic Hex is 18, this becomes 24 in Decimal)
X-accuracy*155 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201

Type 2 - Flying

Any item.
8F
lemonade*2 ( Flying Hex is 02, this becomes 2 in Decimal)
X-accuracy*156 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201


Now, I know that even if this is working it won't show in the game, but it will show in the battle text what I'm effective/not effective against. But the issue I'm having is that whenever I remove the Pokemon from the PC box (assuming it's worked), it becomes a Rhydon. I take Rhydon to the daycare, put him in, take him out, and my Pokemon reverts back to Missingno like I wanted; however the daycare "raises his level by 255" (impressively he's done this 4 times now) and the DVs are all different (basing this on the fact that the stats of the Pokemon change when he goes from Missingno/Rhydon/Missingno).

So my questions now become:
- Can I change the Pokemon's types and remove it from the box without it becoming a big ugly Rhydon?
- When it becomes a Rhydon, has it reset my progress in changing its types, since it says Rock/Ground? I'm wondering if it's overwriting my work.
- When I used 8F to edit my Mew's OT/ID so it would go through Pokemon Bank, I recall using a bootstrap where Mew was in slot one of the party and the strap used slots 2-6. I was going to try using that strap to leave the target Pokemon in my party and not use the PC box at all to get around my problem. Does anyone know the strap? I don't recall it; I just know it has Arbok instead of Kangaskhan. OR does anyone have a better solution to this?

Where I got my info if any of it is wrong-
This thread.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon
https://glitchcity.info/wiki/The_Big_HEX_List


Any help at all, is appreciated. Thanks in advance.
« Last Edit: February 06, 2018, 09:47:09 am by WendyBettyJanice »

Epsilon

  • Zeta
  • Member+
  • The default personal text makes no sense
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #772 on: February 05, 2018, 06:48:27 pm »
Quote from: WendyBettyJanice on February 05, 2018, 05:49:09 pm
- can I change the Pokemon's types, and remove it from the box, without it becoming a big ugly Rhydon.

This is an issue specific to Missingno. and other glitch Pokemon. It occurs when the user views the Pokemon's stats while the Pokemon is still in the box. Simply withdrawing the Pokemon without viewing its stats prevents this.

Quote from: WendyBettyJanice on February 05, 2018, 05:49:09 pm
- when it becomes a Rhydon, has it reset my progress in changing its types, as it says rock/ground, and wondering if it's overwriting my work.

It is not. The status screen simply displays the typing that is normal for that specific Pokemon. It does not display the actual typing.
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

AcridBrimistic

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #773 on: February 08, 2018, 01:06:17 pm »
Trying to make my first script, to change the Map ID to lavender town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)    (ld ($D35E), a)
Item 5: TM11 (x201)    (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?
« Last Edit: February 08, 2018, 01:16:11 pm by AcridBrimistic »

Epsilon

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #774 on: February 08, 2018, 01:23:32 pm »
Quote from: AcridBrimistic on February 08, 2018, 01:06:17 pm
Trying to make my first script, to change the Map ID to lavender town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)    (ld ($D35E), a)
Item 5: TM11 (x201)    (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.

Evie Torchic the Glitch Scientist

  • Administrator
  • Gender: Female
  • "Hens can't be scientists"..However I disagree! 🦋
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #775 on: February 08, 2018, 02:26:33 pm »
Quote from: Epsilon on February 08, 2018, 01:23:32 pm
Quote from: AcridBrimistic on February 08, 2018, 01:06:17 pm
Trying to make my first script, to change the Map ID to lavender town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)    (ld ($D35E), a)
Item 5: TM11 (x201)    (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.

Changing D35E directly is unsafe and the value you write to it must be kept active when loading a new warp. However changing D365 (item 36's quantity in the expanded items pack) is safe and should work. This works in the same way as the Safari Zone exit glitch for maps with exits that redirect you to 0xFF (last map; D365).

It does require you to be in a specific building like a Pokémon Center before using one of the exit mat's warps to warp to Lavender Town (0x04) though, and another variable involved is the map exit index which controls where on the map the game is going to place you. For example the Safari Zone exit uses exit 0x04, which is normally outside of the Safari Zone building, but if the map in D365 has less than 4 exits this could load a Glitch City instead.



Why the game freezes:

When you change D35E, you're only partially changing the map. If D35E is a value while walking through a door you'll indeed warp there, but it has to be set to that value constantly (your code only sets the value once).

Normally you have to be very careful though because D36E and D36F are responsible for the map script pointer (in little endian which means lowest byte first). Different maps use different banks for their scripts, hence why the game could freeze after closing the items menu unless D36E/F points to a ret.

For example, Pallet Town's script is 0x4E5B. This article tells us Pallet Town uses bank 6 and Lavender Town bank 4. If you were to switch to Lavender Town you would be executing 04:4E5B instead of 06:4E5B, which is at a different location in the ROM and could result in a freeze.
« Last Edit: February 08, 2018, 02:32:12 pm by Princess Torchic ❤ »
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thanks Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

The issue with spirituality I feel is that people try to learn ideology, which while valid is not the whole picture and can lead to 'spiritual materialism' (masking), when a large component is that as children we're already our genuine selves or 'spiritual masters'.

Masuta Satoshi

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #776 on: February 21, 2018, 10:35:28 am »
Can anyone help me?

Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:

-15/15/15/15
-15/10/10/10

I've seen some videos but they just put the necessary items (and in different ways, so I can't find a pattern). Some examples:

https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
https://www.youtube.com/watch?v=RCrzcqLEauQ

Ty.

Epsilon

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #777 on: February 21, 2018, 12:23:39 pm »
Quote from: Masuta Satoshi on February 21, 2018, 10:35:28 am
Can anyone help me?

Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:

-15/15/15/15
-15/10/10/10

I've seen some videos but they just put the necessary items (and in different ways, so I can't find a pattern). Some examples:

https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
https://www.youtube.com/watch?v=RCrzcqLEauQ

Ty.

The following codes are used to edit the DVs of box Pokemon 1.

You can use

8f
Any
Carbos x218 (hex:DA)
X Accuracy x178 (hex:B2)
Lemonade xDVOne
TM03 x55 (hex:37)
Elixer x71 (hex:47)
Awakening xDVTwo
Escape Rope x121 (hex:79)
Max Elixer x176 (hex:B0)
Ether x119 (hex:77)
TM01 x[Any qty]

to write to the Speed/Special DVs. Then, to write to the Attack/Defense DVs, toss one X Accuracy.

Alternatively, you may also use this code, which writes to all DVs in one go. It takes a bit of math to use, however.


8f
Any
Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x#FirstNum
Water Stone x82 (hex:52)
Awakening x#SecondNum
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

To find the numbers, simply take the first DV * 16 + the second DV. For the second number, do this with the third and fourth DVs.

So

15/10/10/10

...would be

Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x250 (hex:FA)
Water Stone x82 (hex:52)
Awakening x170 (hex:AA)
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]
« Last Edit: February 21, 2018, 12:54:19 pm by Epsilon »

Masuta Satoshi

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #778 on: February 24, 2018, 12:39:41 pm »
Quote from: Epsilon on February 21, 2018, 12:23:39 pm
Quote from: Masuta Satoshi on February 21, 2018, 10:35:28 am
Can anyone help me?

Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:

-15/15/15/15
-15/10/10/10

I've seen some videos but they just put the necessary items (and in different ways, so I can't find a pattern). Some examples:

https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
https://www.youtube.com/watch?v=RCrzcqLEauQ

Ty.

The following codes are used to edit the DVs of box Pokemon 1.

You can use

8f
Any
Carbos x218 (hex:DA)
X Accuracy x178 (hex:B2)
Lemonade xDVOne
TM03 x55 (hex:37)
Elixer x71 (hex:47)
Awakening xDVTwo
Escape Rope x121 (hex:79)
Max Elixer x176 (hex:B0)
Ether x119 (hex:77)
TM01 x[Any qty]

to write to the Speed/Special DVs. Then, to write to the Attack/Defense DVs, toss one X Accuracy.

Alternatively, you may also use this code, which writes to all DVs in one go. It takes a bit of math to use, however.


8f
Any
Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x#FirstNum
Water Stone x82 (hex:52)
Awakening x#SecondNum
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

To find the numbers, simply take the first DV * 16 + the second DV. For the second number, do this with the third and fourth DVs.

So

15/10/10/10

...would be

Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x250 (hex:FA)
Water Stone x82 (hex:52)
Awakening x170 (hex:AA)
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

Thanks a lot, I'll test the results. I have some doubts: what happens if you put numbers that surpass 16 (the max DV is 15 in Generations I and II)? And...
Is it possible to make a generic ACE like the Generation II one in this video? https://www.youtube.com/watch?v=PsIb3OZaYAs
Finally: what discussion or topic do you recommend for learning about this kind of thing? I know Generations I and II have a lot of glitches with many possibilities, and they use a hex system, but I can't understand it at all so as to control the game the way I want. I don't know if I'm making myself understood; thanks in advance.

Evie Torchic the Glitch Scientist

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #779 on: February 24, 2018, 12:58:19 pm »
Most DVs in Generations I/II are determined by the upper and lower nybble of bytes. There are two addresses which control the Attack/Defense DV and the Speed/Special DV respectively, with the HP DV being calculated in a different way based on the other DVs.

The nybble can be read from one digit of the DV byte. For example, if this value is D5 on the Attack/Defense DV address it means an Attack DV of D (13 in decimal) and a Defense DV of 5 respectively. Since hexadecimal only ranges between 0-F (15), it isn't possible to have a DV that exceeds 15.

For generic uses, the reusable RAM writer does the trick as long as you know the RAM addresses (which can be found on Datacrystal and the Pokémon Red disassembly). For the below code Lemonade's quantity controls the value, Carbos's quantity controls the first byte of the address and X Accuracy's quantity controls the second byte of the address.

If you wanted to write 0x15 to D059 then for example (giving a Mew encounter in Red/Blue), you would need Lemonade x 0x15 (x21 in game; decimal), Carbos x 0xD0 (x208 in game) and X Accuracy x 0x59 (x89 in game).

The reusable RAM writer is made so that it resets the quantities back to x0 afterwards. As x0 is in this sense x256 you can toss 1-255 of them without destroying the stacks, and access every possible byte.

At item 3:

Code:
3E xx 26 xx 2E xx 04 77 26 D3 3E 00 2E 23 04 22 23 22 23 22 C9
Lemonade x(xx)
Carbos x(yy)
X Accuracy x(zz)
Poké Ball x119
Carbos x211
Lemonade x0
X Accuracy x35 (x34 in Yellow)
Poké Ball x34
HP Up x34
HP Up x34
TM01 x0

ld a, 00 - a (value)=xx
ld h, 00 - h (address byte 1)=yy
ld l, 00 - l (address byte 2)=zz
inc b - useless code
ld (hl),a - load a into the address (e.g. D059)
ld h, D3 - we load the address byte 1 as D3 (item quantities are in the D3XX region)
ld a, 00 - we load 'a' as 0 (quantity of 0)
ld l,  23 - l=23, now our address is D323 (item 3 quantity)
inc b - useless code
ld (hli),a - means we put 'a' in D323, and then increase the hl value to D324
inc hl -  hl value=D325
ld (hli),a - means we will load a (0) into D325 (item 4 quantity), and increase hl to D326
inc hl - hl value =D327
ld (hli),a - means we put 'a' in D327 (item 5 quantity)
« Last Edit: February 24, 2018, 01:07:03 pm by Princess Torchic ❤ »
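Every setup in this thread works the same way: each item's ID byte is an opcode and its quantity byte the operand, so AcridBrimistic's three items, Epsilon's two DV setups and the reusable RAM writer above are just different byte strings. As an added example (not code from the thread, from the GBz80 to Items tool, or from any of the posters), the Python below flattens a setup into those bytes, runs the handful of GBz80 instructions these setups use so you can see which RAM addresses actually get written, and packs and splits DV nybbles the way Epsilon's reply #777 and Torchic's reply #779 describe. The values in ITEM_IDS are the Generation I item IDs for the items used in this thread; that registers start at 0, that no flags are tracked and that only these opcodes are modelled are simplifying assumptions of the example.

```python
"""Added example, not code from the thread: encode an 8F item setup into the
bytes it places in memory (item ID byte = opcode, quantity = operand), run the
small GBz80 subset these setups use to see which RAM bytes they write, and do
the DV nybble math from the replies above. ITEM_IDS are the Gen I item IDs of
the items this thread uses; the emulator models only those opcodes, starts all
registers at 0 and tracks no flags (assumptions)."""

ITEM_IDS = {
    "Poké Ball": 0x04, "Awakening": 0x0E, "Escape Rope": 0x1D,
    "Thunderstone": 0x21, "Water Stone": 0x22, "HP Up": 0x23, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Fresh Water": 0x3C, "Lemonade": 0x3E, "Ether": 0x50,
    "Elixer": 0x52, "Max Elixer": 0x53, "HM01": 0xC4, "TM01": 0xC9,
    "TM03": 0xCB, "TM11": 0xD3, "TM18": 0xDA, "TM34": 0xEA,
}
REG8 = ["b", "c", "d", "e", "h", "l", "(hl)", "a"]  # register order in the opcode encoding
IMM8 = {0x06: "b", 0x0E: "c", 0x16: "d", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}
INCDEC = {0x04: ("b", 1, "inc b"), 0x3C: ("a", 1, "inc a"), 0x1D: ("e", -1, "dec e")}
LOGIC = {4: ("and", lambda x, y: x & y), 5: ("xor", lambda x, y: x ^ y), 6: ("or", lambda x, y: x | y)}

def items_to_bytes(setup):
    """Flatten [(item name, quantity), ...] (item 3 onward) into the byte
    stream the CPU sees: ID byte, quantity byte, ID byte, quantity byte..."""
    out = bytearray()
    for name, qty in setup:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)

def execute(code):
    """Decode and run `code` until ret. Returns (listing, writes): mnemonics
    executed and {address: value} for every byte stored (reads of (hl) see only those)."""
    r = dict.fromkeys("abcdehl", 0)
    writes, listing, pc = {}, [], 0
    hl = lambda: (r["h"] << 8) | r["l"]
    def set_hl(v):
        r["h"], r["l"] = (v >> 8) & 0xFF, v & 0xFF
    def get(reg):
        return writes.get(hl(), 0) if reg == "(hl)" else r[reg]
    def put(reg, v):
        if reg == "(hl)":
            writes[hl()] = v
        else:
            r[reg] = v
    while pc < len(code):
        op = code[pc]
        if op == 0xC9:
            listing.append("ret")
            return listing, writes
        if op in IMM8:                                       # ld r,n
            put(IMM8[op], code[pc + 1])
            listing.append(f"ld {IMM8[op]},${code[pc + 1]:02X}")
            pc += 2
        elif op in (0x21, 0xEA):                             # ld hl,nn / ld (nn),a
            nn = code[pc + 1] | (code[pc + 2] << 8)          # little-endian operand
            if op == 0x21:
                set_hl(nn)
            else:
                writes[nn] = r["a"]
            listing.append(f"ld hl,${nn:04X}" if op == 0x21 else f"ld (${nn:04X}),a")
            pc += 3
        elif op == 0xCB and 0x30 <= code[pc + 1] <= 0x37:   # swap r (exchange nybbles)
            reg = REG8[code[pc + 1] & 7]
            put(reg, ((get(reg) & 0x0F) << 4) | (get(reg) >> 4))
            listing.append(f"swap {reg}")
            pc += 2
        else:
            if op in INCDEC:
                reg, delta, text = INCDEC[op]
                r[reg] = (r[reg] + delta) & 0xFF
            elif op in (0x22, 0x23):                         # ld (hli),a / inc hl
                if op == 0x22:
                    writes[hl()] = r["a"]
                set_hl(hl() + 1)
                text = "ld (hli),a" if op == 0x22 else "inc hl"
            elif 0x40 <= op <= 0x7F and op != 0x76:          # ld r,r'
                dst, src = REG8[(op >> 3) & 7], REG8[op & 7]
                put(dst, get(src))
                text = f"ld {dst},{src}"
            elif 0xA0 <= op <= 0xB7:                         # and/xor/or r
                name, fn = LOGIC[(op >> 3) & 7]
                r["a"] = fn(r["a"], get(REG8[op & 7]))
                text = f"{name} {REG8[op & 7]}"
            else:
                raise NotImplementedError(f"opcode ${op:02X} at offset {pc} is not modelled")
            listing.append(text)
            pc += 1
    raise ValueError("ran off the end of the code without a ret")

def dv_byte(first, second):
    """Pack two DVs into one byte (first * 16 + second); a DV above 15 would
    spill into the other nybble, so it is rejected."""
    if not (0 <= first <= 15 and 0 <= second <= 15):
        raise ValueError("DVs must be 0-15")
    return first * 16 + second

def dv_pair(value):
    """Split a DV byte into (upper nybble, lower nybble): 0xD5 -> (13, 5)."""
    return value >> 4, value & 0x0F
```

Feeding Epsilon's 15/10/10/10 setup through `execute(items_to_bytes(...))` gives the listing `ld hl,$DAB1; inc b; ld a,$FA; ld (hli),a; ld d,d; ld c,$AA; dec e; ld a,c; ld d,e; ld (hl),a; ret` and the writes `{0xDAB1: 0xFA, 0xDAB2: 0xAA}`, which is exactly the "first DV * 16 + second DV" arithmetic landing in the two DV bytes. AcridBrimistic's list decodes to `ld a,$04; ld ($D35E),a; ret`, which makes visible why the quantities are what they are: TM34's quantity is the low byte of the address and TM11's own item ID ($D3) is the high byte, with TM11's quantity (201 = $C9) being the `ret`. Whatever quantity follows the final TM01 sits after the `ret` and is never executed, which is why that quantity can be anything.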