Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 335640 times)


Aldrasio

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #780 on: February 28, 2018, 12:32:40 pm »
I like to use this setup to arbitrarily write 2 bytes of data to any address. This code writes [AA] to XXYY and [BB] to XXYY + 1. XX goes to h, YY goes to l, so for the address 0xDAA2, you'd use [XX] = 0xDA = 218 and [YY] = 0xA2 = 162. I like this one because all of the items except the Max Revive can be purchased from the Celadon Mart, and there's a Max Revive on cycling road.

  • Carbos x[XX]
  • X Accuracy x[YY]
  • Lemonade x[AA]
  • Water Stone x04
  • Max Revive x[BB]
  • TM01 xany

Code:
ld h, [XX]      ; Carbos ($26), quantity XX = high byte of the address
ld l, [YY]      ; X Accuracy ($2E), quantity YY = low byte of the address
ld a, [AA]      ; Lemonade ($3E), quantity AA = first byte to write
ld (hl+), a     ; Water Stone ($22): write AA, then hl = hl + 1
inc b           ; quantity $04: harmless padding
ld (hl), [BB]   ; Max Revive ($36), quantity BB = second byte to write
ret             ; TM01 ($C9): return to the game


As an example, you can make the first Pokemon in your current box shiny by loading 0xFAAA into 0xDAB1, which would correspond to:
  • XX = 0xDA = 218
  • YY = 0xB1 = 177
  • AA = 0xFA = 250
  • BB = 0xAA = 170

And so the inventory would be:
  • Carbos x218
  • X Accuracy x177
  • Lemonade x250
  • Water Stone x04
  • Max Revive x170
  • TM01 xany

Inkblot

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #781 on: March 08, 2018, 08:17:20 am »
I found this code in a post about how to get a legit Mew in Pokémon Yellow. I didn't make it, but I thought I'd share it as it's pretty useful.

ws# #m# / any item
ws# #m# / any item
Repel x[SpeciesIndex] {e.g. x21 = Mew}
X Speed x64
Awakening x[Level] {e.g. x5 = Lv5}
TM05 x89
Lemonade x201

(I don't know if this is the case, but since the code in this post has TM05 being 72, maybe changing it to that will make it work with 8F? Don't know about the X Speed though.)

This code is a variation of the alternate catch-'em-all code, which lets you choose the level it is gifted to you at. I don't know what you would need to change to make it work in Red/Blue with 8F, but it does work in Yellow!

Credit goes to chickenstickers on Reddit. The original post can be found here: https://www.reddit.com/r/pokemon/comments/5q8zlg/getting_gen_1_mew_in_yellow_guide_does_not_work/dd7bqfp/

Azarokkusu

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #782 on: March 17, 2018, 03:20:17 am »
What I think is the fastest possible route to get 8F is as follows:
Follow the NSC route up to item underflow, but make sure the item you underflow with is X Special x 255 (buy X Special x 1 instead of one of the other items) http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Red/Blue/Glitched_No_Save_Corruption/Route

Then walk to the bottom right corner of Celadon (using the Fresh Water/Lemonade/Soda Pop you bought to trigger the overflow on the way, of course), toss 254 X Specials, swap X Special x1 with Nugget x1 in slot 35, walk right until the X Special x1 is an 8F, switch 8F with the Nugget x1 again, Teleport away, store 8F in the PC, and then return your inventory to normal by buying/withdrawing items. Then withdraw 8F.

Basically it's a hybrid between the NSC route and the trick to get 8F.

P.S. Thanks to Sanqui for helping me out a bit with the NSC route stuff and Brock Through Walls, which I didn't really have a grasp of before.
« Last Edit: March 17, 2018, 03:24:25 am by Azarokkusu »

DocB

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #783 on: March 19, 2018, 05:55:25 pm »
I'm sorry if this is a question that has already been solved, but I wasn't able to find anything anywhere and there are only 52 pages of this thread to check, so...

I'm playing a Pokémon Yellow Italian ROM on 3DS. I got the ws m long ago, set my last box up in the Slowpoke setup and prepared my items, but the ws m never worked :(

So I've decided to extract the save file, put it in the VBA-M emulator and check the RAM to find the problem. I've discovered that there is an offset before the ASM code, I mean:

Code:
What it should be:               What it actually is:

[0xDA7F = 0x14]                [0xDA7F = 0x00]
[0xDA80 = 0x25]                [0xDA80 = 0x00]
[0xDA81 = 0x25]                [0xDA81 = 0x00]
[0xDA82 = 0x25]                [0xDA82 = 0x00]
[0xDA83 = 0x25]                [0xDA83 = 0x00]
[0xDA84 = 0x25]                [0xDA84 = 0x14]
[0xDA85 = 0x25]                [0xDA85 = 0x25]
[0xDA86 = 0x06]                [0xDA86 = 0x25]
[0xDA87 = 0x21]                [0xDA87 = 0x25]
[0xDA88 = 0x68]                [0xDA88 = 0x25]
[0xDA89 = 0xA9]                [0xDA89 = 0x25]
[0xDA8A = 0xA9]                [0xDA8A = 0x25]
[0xDA8B = 0xA9]                [0xDA8B = 0x06]
[0xDA8C = 0xA9]                [0xDA8C = 0x21]
[0xDA8D = 0xA9]                [0xDA8D = 0x68]
[0xDA8E = 0xA9]                [0xDA8E = 0xA9]
[0xDA8F = 0xA9]                [0xDA8F = 0xA9]
[0xDA90 = 0xA9]                [0xDA90 = 0xA9]
[0xDA91 = 0xA9]                [0xDA91 = 0xA9]
[0xDA92 = 0xA9]                [0xDA92 = 0xA9]
[0xDA93 = 0x06]                [0xDA93 = 0xA9]
[0xDA94 = 0xFF]                [0xDA94 = 0xA9]
[0xDA95 = 0x25]                [0xDA95 = 0xA9]
[0xDA96 = 0x00]                [0xDA96 = 0xA9]
[0xDA97 = 0xE9]                [0xDA97 = 0xA9]
                               [0xDA98 = 0x09]
                               [0xDA99 = 0xFF]
                               [0xDA9A = 0x25]
                               [0xDA9B = 0x00]
                               [0xDA9C = 0xE9]

Well, they're all a bunch of nops, so I don't think that this could be a problem; the real problem IMHO is that there is an offset also for the items. For example, I was trying to use this code:

ws m
Item
Burn Heal   x43
Ice Heal     x43
Full Heal    x201

Code:
What it should be:               What it actually is:

[0xD322 = 0x0C]               [0xD322 = 0x63]  <- the ws m, so it starts from the first element of the bag
[0xD323 = 0x2B]               [0xD323 = 0x01]
[0xD324 = 0x0D]               [0xD324 = 0x05]
[0xD325 = 0x2B]               [0xD325 = 0x01]
[0xD32A = 0x34]               [0xD326 = 0x0C]
[0xD32B = 0xC9]               [0xD327 = 0x2B]
                              [0xD328 = 0x0D]
                              [0xD329 = 0x2B]
                              [0xD32A = 0x34]
                              [0xD32B = 0xC9]

Also, the emulator's disassembler says that [0xDA9C = 0xE9] is
Code:
LD PC,HL
instead of
Code:
JP HL
But maybe it's just the same (I've never heard of LD PC; I usually program on other hardware) or it's just the disassembler...

Can you help me, please?
« Last Edit: March 19, 2018, 05:59:40 pm by DocB »

Azarokkusu

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #784 on: March 19, 2018, 08:25:19 pm »
Very, very simple code to give you 0 of the item in the second slot

from slot 1:
8f
item you want 0 of
Lemonade x 1
soda pop x 234
thunderstone x 211
tm01 x any

Code:
ld a, $01        ; Lemonade ($3E) x1
dec a            ; Soda Pop ($3D): a = 0
ld ($D321), a    ; quantity 234 ($EA) is the opcode; Thunderstone ($21) x211 ($D3) is the address, item 2's quantity byte
ret              ; TM01 ($C9)

All the items are buyable at the Celadon department store and can be cloned easily to get the amounts you need.

All Fly locations (in case you skipped any to get 8F early, such as using BTW to rush to it)

from item 3:
Lemonade x 255
TM34 x 11
TM15 x 234
Burn heal x 215
tm01 x any

Code:
ld a, $FF        ; Lemonade ($3E) x255
ld ($D70B), a    ; TM34 ($EA) x11 ($0B), TM15 ($D7) supplies the high byte
ld ($D70C), a    ; TM15's quantity 234 ($EA) is the opcode; Burn Heal ($0C) x215 ($D7) is the address
ret              ; TM01 ($C9)

Though you'd probably just want to use Aldrasio's 2 byte writer to write the 2 consecutive bytes anyway. *Shrug*

Note this sets both flyable location bytes to ff (i.e. d70b = ff, d70c = ff), but the regular value to unlock all locations is ff 07 (d70b = ff, d70c = 07). However, with valid bytes activated in d70c it seems to ignore the unused locations regardless. If you wanted to be really thorough and write ff 07 you would have to ld a,07 after the ld ($d70b),a, but at that point it's definitely better to just use Aldrasio's 2 byte writer.

Though for something this simple as writing 2 consecutive bytes you would probably rather just use the two byte writer by Aldrasio above.
« Last Edit: March 19, 2018, 10:23:24 pm by Azarokkusu »

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #785 on: March 19, 2018, 11:16:46 pm »
Opcode 0xE9 is `jp hl`, as per the most recent spec. `jp [hl]` is an old syntax, and `ld pc, hl` is another way to write it... but it's really stupid.

As for the offset, that's a specificity of EU versions, which have a +5 offset everywhere. Please refer to this post on our wiki for a EU-compatible box setup.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Azarokkusu

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #786 on: March 19, 2018, 11:58:20 pm »
Well, just decided to quickly code something for 8F...

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM one wants to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
Code:
D322: 3E xx         ld a, xx
D324: 2E xx         ld l, xx
D326: 26 xx         ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: 3C            inc a
D32B: C9            ret

So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one i tested it with -- on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)

Why not tm01 x any rather than Fresh Water x 201? You don't need the inc a instruction, and tm01 is buyable at celadon too - you don't even have to dupe it!

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: TM01 x any

Code:
D322: 3E xx         ld a, xx
D324: 2E xx         ld l, xx
D326: 26 xx         ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: C9            ret
D32B: anything      not read as code because we already returned

Edit: you can also get the 4 glitch item (id $77) and cut out the pokeballs of course. But dealing with glitch items is annoying.

Item 1: any item x any qty
Item 2: 8f
Item 3: lemonade x XX
Item 4: X Accuracy x XX
Item 5: Carbos x XX
Item 6: 4 x 201

Code:
ld a, xx
ld l, xx
ld h, xx
ld (hl), a
ret
« Last Edit: March 24, 2018, 01:20:43 am by Azarokkusu »

Azarokkusu

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #787 on: March 20, 2018, 01:03:56 am »
Another writer for writing consecutive bytes! Based on Wack0's write-to-any-byte code. This is for people like me who have trouble keeping track of their map coordinates (for the old coordinate-based memory writer) or step count (for the newer step-counter-based memory writer) when writing a memory editor in. Here, you can see exactly what you are writing and the addresses you are writing to (ZZYY, or: the number of Carbos in slot 5 and the number of X Accuracy in slot 4). The only problem is that you can't increase the high byte automatically, so you would still have to do so manually (I'd say it could be modified to automatically detect when to increase the high byte, but I haven't gotten around to it, and it might require more items than we can hold normally, meaning we'd have to underflow). However, this doesn't matter if you're writing fewer than 256 bytes (e.g. writing either version of theZZAZZglitch's memory editor).

from slot 3

lemonade x XX
X accuracy x YY
Carbos x ZZ
pokeball x 119
Burn heal x 125
Fresh water x 234
Iron x 211
Lemonade x 0
TM34 x 35
TM 11 x 201

Code:
;write XX to ZZYY

ld a, XX ;lemonade x XX (amount writing). bytes: 3E XX
ld l, YY ;X Accuracy x YY (low byte of address). Bytes: 2E YY
ld h, ZZ ;Carbos x ZZ (high byte of address) Bytes: 26 ZZ
inc b  ; pokeball (padding) Bytes: 04
ld (hl), a ; quantity of pokeballs (119) Bytes: 77
inc c ; burn heal (padding) Bytes: 0C

;inc quantity of item 4 by 1, thus increasing the low byte to the next one in sequence
ld a,l ;quantity of burn heal (125) bytes: 7D
inc a ; fresh water bytes: 3C
ld ($d325),a ; quantity of fresh water (234), Iron x 211 bytes: EA 25 D3

;set quantity of item 3 to 0 to allow to get any amount!
ld a, 00 ; lemonade x 00 bytes: 3E 00
ld ($d323),a ;TM34 x 35, TM11. bytes: EA 23 D3
ret ; TM11 quantity (201) bytes: c9

Bytes (if you want to write them using a memory editor, say, in bgb)

3E xx 2e yy 26 zz 04 77 0c 7d 3c ea 25 d3 3e 00 ea 23 d3 c9


So to write ISSOtm's version of theZZAZZglitch's memory editor (https://forums.glitchcity.info/index.php?topic=8200.0) you'd start with

lemonade x 229 (229 = $E5, the byte to write at DB01)
X accuracy x 1
Carbos x 219
pokeball x 119
Burn heal x 125
Fresh water x 234
Iron x 211
Lemonade x 0
TM34 x 35
TM 11 x 201

use 8f, which would write the value, set the quantity of lemonades to 0 and increase the quantity of X accuracies by 1, to 2. Throw lemonades until you had 17 (hex 11), use 8f, etc etc.
« Last Edit: March 20, 2018, 01:14:06 am by Azarokkusu »
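The three writers above (Aldrasio's two-byte writer, Azarokkusu's pseudo-GameShark one-byte writer, and the consecutive-byte writer in this post) all rely on the same mechanism: the bag's alternating ID/quantity bytes are executed as GBz80 code starting at $D322. The script below is an added example, not code from any post in this thread. It lays a bag out in a fake 64 KiB RAM image, executes from $D322 with an interpreter that covers only the instructions these payloads use, and returns the RAM plus a disassembly, so an item list can be checked before anyone builds it in-game. The bag layout and the $D322 entry point are as the posts state for US Red/Blue; item IDs are taken from the Red/Blue item list (the thread confirms Lemonade $3E, X Accuracy $2E, Carbos $26, Poké Ball $04, Fresh Water $3C, Burn Heal $0C, Iron $25, TM34 $EA, TM11 $D3 and TM01 $C9 as bytes; the others, including 8F = $5D, are assumptions here). The shininess check applies the Gen 2 DV rule to the two bytes Aldrasio's example writes at $DAB1.

```python
"""Simulate the 8F item codes posted in this thread (added example; not code from
any of the posts).  Layout as the posts state for US Red/Blue: item count at $D31D,
(ID, quantity) pairs from $D31E, and 8F used from slot 1 or 2 runs from $D322, the
ID byte of item 3.  Item IDs are taken from the Red/Blue item list; the thread only
shows some of them as bytes, and 8F = $5D is assumed here."""

ITEM_ID = {  # item name -> ID byte; the quantity that follows it is an operand byte
    "Poke Ball": 0x04, "Burn Heal": 0x0C, "Thunderstone": 0x21, "Water Stone": 0x22,
    "Iron": 0x25, "Carbos": 0x26, "X Accuracy": 0x2E, "Max Revive": 0x36,
    "Fresh Water": 0x3C, "Soda Pop": 0x3D, "Lemonade": 0x3E, "8F": 0x5D,
    "TM01": 0xC9, "TM11": 0xD3, "TM15": 0xD7, "TM34": 0xEA,
}
BAG_COUNT, BAG_ITEMS, ENTRY = 0xD31D, 0xD31E, 0xD322


def load_bag(items):
    """Return a 64 KiB RAM image with `items` ([(name, qty), ...]) laid out as the bag."""
    mem = bytearray(0x10000)
    mem[BAG_COUNT] = len(items)
    for i, (name, qty) in enumerate(items):
        mem[BAG_ITEMS + 2 * i] = ITEM_ID[name]
        mem[BAG_ITEMS + 2 * i + 1] = qty & 0xFF
    mem[BAG_ITEMS + 2 * len(items)] = 0xFF   # end-of-list marker
    return mem


class Cpu:
    """Just the GBz80 instructions the posted payloads use; anything else raises."""

    def __init__(self, mem):
        self.mem, self.trace = mem, []
        self.a = self.b = self.c = self.h = self.l = 0

    def _store_hl(self, value):
        self.mem[(self.h << 8) | self.l] = value

    def step(self, pc):
        """Execute one instruction; return the next pc, or None after ret."""
        m, op = self.mem, self.mem[pc]
        n, nn = m[pc + 1], m[pc + 1] | (m[pc + 2] << 8)   # 8-bit and little-endian 16-bit operands
        size = 1
        if op == 0x04:   self.b = (self.b + 1) & 0xFF; txt = "inc b"
        elif op == 0x0C: self.c = (self.c + 1) & 0xFF; txt = "inc c"
        elif op == 0x3C: self.a = (self.a + 1) & 0xFF; txt = "inc a"
        elif op == 0x3D: self.a = (self.a - 1) & 0xFF; txt = "dec a"
        elif op == 0x7D: self.a = self.l;              txt = "ld a, l"
        elif op == 0x77: self._store_hl(self.a);       txt = "ld (hl), a"
        elif op == 0x22:                               # ld (hl+), a: write, then hl += 1
            self._store_hl(self.a)
            hl = (((self.h << 8) | self.l) + 1) & 0xFFFF
            self.h, self.l, txt = hl >> 8, hl & 0xFF, "ld (hl+), a"
        elif op == 0x3E: self.a = n;        txt, size = f"ld a, ${n:02X}", 2
        elif op == 0x26: self.h = n;        txt, size = f"ld h, ${n:02X}", 2
        elif op == 0x2E: self.l = n;        txt, size = f"ld l, ${n:02X}", 2
        elif op == 0x36: self._store_hl(n); txt, size = f"ld (hl), ${n:02X}", 2
        elif op == 0x21: self.h, self.l = nn >> 8, nn & 0xFF; txt, size = f"ld hl, ${nn:04X}", 3
        elif op == 0xEA: m[nn] = self.a;    txt, size = f"ld (${nn:04X}), a", 3
        elif op == 0xC9: txt, size = "ret", 0
        else:
            raise ValueError(f"opcode ${op:02X} at ${pc:04X} is not in the simulated subset")
        self.trace.append(f"{pc:04X}: {txt}")
        return pc + size if size else None


def run_8f(items):
    """Load the bag, run from $D322 until ret, and return (ram, disassembly lines)."""
    mem = load_bag(items)
    cpu, pc = Cpu(mem), ENTRY
    for _ in range(64):            # bounded so a payload with no ret cannot spin forever
        pc = cpu.step(pc)
        if pc is None:
            return mem, cpu.trace
    raise RuntimeError("payload never reached ret")


def gameshark_to_items(code):
    """01VVLLHH GameShark code -> Azarokkusu's one-byte writer (value VV to address $HHLL)."""
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("only 01xxxxxx (write one byte) codes are supported")
    val, lo, hi = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [("Poke Ball", 1), ("8F", 1), ("Lemonade", val), ("X Accuracy", lo),
            ("Carbos", hi), ("Poke Ball", 119), ("TM01", 1)]


def is_shiny_dvs(dv_hi, dv_lo):
    """Gen 2 shiny rule on the two DV bytes (Atk/Def and Spd/Spc nibbles)."""
    atk, dfn, spd, spc = dv_hi >> 4, dv_hi & 0xF, dv_lo >> 4, dv_lo & 0xF
    return dfn == spd == spc == 10 and atk in (2, 3, 6, 7, 10, 11, 14, 15)


if __name__ == "__main__":
    shiny = [("Poke Ball", 1), ("8F", 1), ("Carbos", 0xDA), ("X Accuracy", 0xB1),
             ("Lemonade", 0xFA), ("Water Stone", 4), ("Max Revive", 0xAA), ("TM01", 1)]
    ram, listing = run_8f(shiny)
    print("\n".join(listing))
    print(f"box mon 1 DVs: {ram[0xDAB1]:02X}{ram[0xDAB2]:02X}, shiny: {is_shiny_dvs(ram[0xDAB1], ram[0xDAB2])}")
    ram, _ = run_8f(gameshark_to_items("011559D0"))
    print(f"$D059 = {ram[0xD059]:02X} (Mew)")
```

Running it prints the disassembly of Aldrasio's shiny-DV write and confirms that the GameShark translation of 011559D0 lands $15 at $D059. An item whose ID is not in the simulated subset raises instead of being silently misdecoded; extending `Cpu.step` with more opcodes is the only change needed for other payloads in this thread, and EU carts need both the bag addresses and any absolute `ld (nn), a` targets adjusted, as ISSOtm notes above.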

DocB

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #788 on: March 20, 2018, 09:17:24 am »
Quote
Opcode 0xE9 is `jp hl`, as per the most recent spec. `jp [hl]` is an old syntax, and `ld pc, hl` is another way to write it... but it's really stupid.

As for the offset, that's a specificity of EU versions, which have a +5 offset everywhere. Please refer to this post on our wiki for a EU-compatible box setup.

Thank you for the reply. I followed that bootstrap before posting my question, but I wrongly didn't put a 10th Pokémon in the box, so... :-[
Now it works pretty well, but it's a pretty uncomfortable setup on the 3DS for me. Is there a way to edit the Slowpoke setup to jump to 0xD326? (I don't know if this bootstrap actually does this, because the disassembler has no debug function, so no interrupt function...)
« Last Edit: March 20, 2018, 09:22:33 am by DocB »

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #789 on: March 20, 2018, 09:47:25 am »
If you need a disassembler (and a proper emulator), use BGB.

DocB

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #790 on: March 20, 2018, 12:25:24 pm »
Thank you dude, that's awesome.
If someone like me has already set up the box in the Slowpoke setup and plays the EU non-English version, you just have to switch
Code:
Growlithe [0xDA87 = 0x21]
with
Code:
Kadabra [0xDA87 = 0x26]
« Last Edit: March 20, 2018, 12:45:47 pm by DocB »

Xavi

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #791 on: March 21, 2018, 02:57:33 am »
I posted in a wrong thread, I think it is the correct one.

Quote
My first will was to have a legal shiny Mew for Crystal. I have no 3DS. But looking for arbitrary code, I discovered about the "legitimitation" and I said to me "let's try it". And if it's possible, share the Mew with friends that have a 3DS.


I was trying to legitimate Mew in a Spanish version of Red, and it didn't work. I tried the same in an English one and it worked fine.

Quote
Partys: 1. Mew, 2. Pidgey with 233 CURRENT HP (Max HP doesn't matter), 3. Parasect, 4. Onix, 5. Tentacool, 6. Arbok

Set up your bag as follows: 1. 8F, 2. Any item x89, 3. Dire Hit x58, 4. Iron x37, 5. X Accuracy x119, 6. Water Stone x62, 7. Burn Heal x50, 8. Poké Ball x43, 9. Antidote x43, 10. Protein x62, 11. PP Up x60, 12. Ice Heal x50, 13. Lemonade x133, 14. Great Ball x50, 15. Fresh Water x34 16. TM01 x[any #]
This is the combination I used; all that happened is that Mew's Pound became Guillotine.

I tried it following https://glitchcity.info/wiki/Arbitrary_code_execution#Using_7eme_etage_.2F_P7_.2F_S7_.28French_.26_Italian_.2F_Spanish_.2F_German_Red.2FBlue.29 to change Onix for a Graveler and for a Fearow, but nothing happened.

Can someone help me? Thanks!

I also shinied the Mew in a USA Red version. The setup doesn't work in the Spanish version. What's the difference? Is there any way to translate from English to Spanish?

Thank you.

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #792 on: March 21, 2018, 05:27:03 am »
The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.

Xavi

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #793 on: March 21, 2018, 05:26:56 pm »
Quote
The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.
I know I need to modify the items, but in what way?
Quoting myself: "Is there any way to translate from English to Spanish?"

I'm a n00b at ACE. I understand it exploits the 8 bits of the game and I can copy the item and Pokémon setups, but not create them or understand how they are done.

Thank you.

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #794 on: March 22, 2018, 12:53:26 am »
I'll try to help you as soon as i have a moment :)

(But for the future you should try to learn some basics :))

Admin of the PRAMA Initiative, the main French Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov