Topic: Arbitrary code execution in Red/Blue using the "8F" item

ISSOtm

  • Distinguished Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #765 on: January 17, 2018, 03:33:57 pm »
It's unnecessary; all that's required is to wake up as soon as the user presses a button.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Parzival

  • GCLF Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #766 on: January 17, 2018, 07:04:54 pm »
So this accounts for the user releasing a button late and button bounce (on console)?
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

ALERT: WE ONLY NEED ONE MORE VOTE TO GAIN BACK NET NEUTRALITY! CLICK THE BANNER BELOW TO JOIN THE FIGHT!

ISSOtm

  • Distinguished Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #767 on: January 18, 2018, 05:02:17 pm »
This doesn't, and as I said,
(Note: if the D-Pad is already held when the setup is run, it will fail.)

Parzival

  • GCLF Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #768 on: January 18, 2018, 09:08:38 pm »
How long does the user have to release the A button after running the code? It should be at least 0.5 seconds or so to compensate for the previously mentioned scenarios.

ISSOtm

  • Distinguished Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #769 on: January 19, 2018, 02:25:17 am »
No, the user can release the A button at any moment. What matters is the D-Pad.

Parzival

  • GCLF Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #770 on: January 19, 2018, 08:08:57 pm »
Oh. Never mind then.

WendyBettyJanice

  • GCLF Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #771 on: February 05, 2018, 05:49:09 pm »
This is my first time trying to piece together something that works. Normally what I want is already on here, but I'm really having a hard time with this, so if anyone can look over this and tell me where I'm being stupid, I'd be more than grateful. I've done my best to show where I obtained my info and how I got to what I got; hopefully it will help someone see where I'm wrong.

I would like to make the typing of the Pokemon in box 1 of my current PC box, Psychic/Flying.

Type 1 - DA9B | DA = 218 | 9B = 155   <-- this is the location of the Pokemon's typing in slot 1 of the current box. I separated and converted to get the decimals 218 and 155/156.
Type 2 - DA9C | DA = 218 | 9C = 156


Type 1 - Psychic

Any item
8F
lemonade*24 (Psychic Hex is 18, this becomes 24 in Decimal)
X-accuracy*155 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201

Type 2 - Flying

Any item.
8F
lemonade*2 (Flying Hex is 02, this becomes 2 in Decimal)
X-accuracy*156 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201


Now, I know that even if this is working it won't show in the game, but it will show in battle text what I'm effective/not effective against. The issue I'm having is that whenever I remove the Pokemon from the PC box (assuming it's worked), it becomes a Rhydon. I take Rhydon to the daycare, put him in, take him out, and my Pokemon reverts back to Missingno like I wanted; however, the daycare "raises his level by 255" (impressively he's done this 4 times now) and the DVs are all different (basing this on the fact that the stats of the Pokemon change when he goes from Missingno/Rhydon/Missingno).

So my questions now become:
- Can I change the Pokemon's types and remove it from the box without it becoming a big ugly Rhydon?
- When it becomes a Rhydon, has it reset my progress in changing its types? It says Rock/Ground, and I'm wondering if it's overwriting my work.
- When I used 8F to edit my Mew's OT/ID so it would go through Pokemon Bank, I recall using a bootstrap where Mew was in slot one of the party and the strap used slots 2-6. I was going to try using that strap to leave the target Pokemon in my party and not use the PC box at all to get around my problem. Does anyone know the strap, as I don't recall it? I just know it has Arbok instead of Kangaskhan. OR, does anyone have a better solution to this?

Where I got my info, in case any of it is wrong:
This thread.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon
https://glitchcity.info/wiki/The_Big_HEX_List


Any help at all, is appreciated. Thanks in advance.
« Last Edit: February 06, 2018, 09:47:09 am by WendyBettyJanice »

Epsilon

  • Member+
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #772 on: February 05, 2018, 06:48:27 pm »
- Can I change the Pokemon's types and remove it from the box without it becoming a big ugly Rhydon?

This is an issue specific to Missingno. and other glitch Pokemon. It occurs when the user views the Pokemon's stats while the Pokemon is still in the box. Simply withdrawing the Pokemon without viewing its stats prevents this.

- When it becomes a Rhydon, has it reset my progress in changing its types? It says Rock/Ground, and I'm wondering if it's overwriting my work.

It is not. The status screen simply displays the typing that is normal for that specific Pokemon. It does not display the actual typing.
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

AcridBrimistic

  • GCLF Member
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #773 on: February 08, 2018, 01:06:17 pm »
Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)       (ld ($D35E), a)
Item 5: TM11 (x201)      (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?
« Last Edit: February 08, 2018, 01:16:11 pm by AcridBrimistic »

Epsilon

  • Member+
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #774 on: February 08, 2018, 01:23:32 pm »
Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)       (ld ($D35E), a)
Item 5: TM11 (x201)      (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.

Princess Torchic ❤

  • Administrator
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #775 on: February 08, 2018, 02:26:33 pm »
Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)       (ld ($D35E), a)
Item 5: TM11 (x201)      (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.

Changing D35E directly is unsafe, and the value you write to it must be kept active when loading a new warp. However, changing D365 (item 36's quantity in the expanded items pack) is safe and should work. This works in the same way as the Safari Zone exit glitch for maps with exits that redirect you to 0xFF (last map; D365).

It does require you to be in a specific building like a Pokémon Center before using one of the exit mat's warps to warp to Lavender Town (0x04), though, and another variable involved is the map exit index, which controls where on the map the game is going to place you. For example, the Safari Zone exit uses exit 0x04, which is normally outside of the Safari Zone building, but if the map in D365 has fewer than 4 exits this could load a Glitch City instead.

Why the game freezes:

When you change D35E, you're only partially changing the map. If D35E holds a value while walking through a door you'll indeed warp there, but it has to be set to that value constantly (your code only sets the value once).

Normally you have to be very careful, though, because D36E and D36F are responsible for the map script pointer (in little endian, which means lowest byte first). Different maps use different banks for their scripts, which is why the game could freeze after closing the items menu unless D36E/F points to a ret.

For example, Pallet Town's script is 0x4E5B. This article tells us Pallet Town uses bank 6 and Lavender Town bank 4. If you were to switch to Lavender Town you would be executing 04:4E5B instead of 06:4E5B, which is at a different location in the ROM and could result in a freeze.
« Last Edit: February 08, 2018, 02:32:12 pm by Princess Torchic ❤ »
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪
Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Give love, receive love, repeat. But in order to love others you must first love yourself unconditionally, even if it means abandoning pressure from projects or taking time off work and empathise with the self as you are your own best friend. The key often is simply to follow your heart, your urges and have faith they are valid; use them to do what you want to do as long as it doesn't harm anyone, and/or sympathise and respect it as we all have bad days (even the prettiest rose has thorns but is still beautiful).
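As an added illustration (not code from the thread or from the wiki's tools), the two setups posted above (WendyBettyJanice's type-1 write to DA9B and AcridBrimistic's map write to D35E) can be checked offline by encoding the item list into the bytes the game executes and stepping through them with a tiny interpreter for the few opcodes involved. The item IDs in the table are assumed from memory of the Gen I item list, which this thread does not spell out.

```python
# Added example, not from the thread: encode an 8F item list into the bytes the
# game executes and run them through a tiny GBz80 interpreter covering the few
# opcodes these setups use, so you can see which address each setup writes.
# Item IDs are assumed from memory of the Gen I item table (the thread does
# not list them); check them against The Big HEX List before relying on them.
ITEM_ID = {
    "Lemonade": 0x3E,     # ld a,n
    "X Accuracy": 0x2E,   # ld l,n
    "Carbos": 0x26,       # ld h,n
    "Poke Ball": 0x04,    # inc b (quantity 119 = $77 = ld (hl),a)
    "Fresh Water": 0x3C,  # inc a (quantity 201 = $C9 = ret)
    "TM34": 0xEA,         # ld (nn),a
    "TM11": 0xD3,         # here just the high byte of the address $D35E
}

def items_to_bytes(items):
    """Each slot is two bytes in RAM: item ID then quantity. 8F starts executing at slot 3."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} must be 1..255")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def run(code):
    """Interpret the subset; return the memory writes and whether a ret was reached."""
    a = h = l = 0
    writes, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        if op == 0x3E:   a = code[pc + 1]; pc += 2
        elif op == 0x2E: l = code[pc + 1]; pc += 2
        elif op == 0x26: h = code[pc + 1]; pc += 2
        elif op == 0x04: pc += 1                            # inc b: no effect on the write
        elif op == 0x3C: a = (a + 1) & 0xFF; pc += 1
        elif op == 0x77: writes[(h << 8) | l] = a; pc += 1
        elif op == 0xEA: writes[(code[pc + 2] << 8) | code[pc + 1]] = a; pc += 3
        elif op == 0xC9: return {"writes": writes, "ret": True}
        else: raise ValueError(f"opcode ${op:02X} at offset {pc} is outside the subset")
    # No ret reached: the CPU would carry on into whatever item bytes follow in the pack.
    return {"writes": writes, "ret": False}

# The two setups from the thread, slot 3 onward (slots 1-2, any item and 8F, are not executed).
TYPE1_SETUP = [("Lemonade", 24), ("X Accuracy", 155), ("Carbos", 218),
               ("Poke Ball", 119), ("Fresh Water", 201)]    # writes Psychic ($18) to $DA9B
MAP_SETUP = [("Lemonade", 4), ("TM34", 94), ("TM11", 201)]  # writes $04 to $D35E, then ret

if __name__ == "__main__":
    for label, setup in (("type 1", TYPE1_SETUP), ("map", MAP_SETUP)):
        print(label, {f"${k:04X}": f"${v:02X}" for k, v in run(items_to_bytes(setup))["writes"].items()})
```

Running it confirms the map setup really does write $04 to $D35E and returns cleanly, so the crash described above is not a malformed item list but the game's handling of a directly changed D35E, as Princess Torchic explains.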