Topic: Arbitrary code execution in Red/Blue using the "8F" item


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #75 on: December 07, 2013, 03:46:27 pm »
Enter the Hall of Fame with S7 in German R/B:



Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f0
ret

0e 16 26 64 2e bb 41 40 cd f0 35 c9

Awakening (Aufwecker)  x 22
Carbos (Carbon)        x100
X Accuracy (X-Treffer) x187
X Attack (X-Angriff)   x 64
TM05                   x240
Revive (Beleber)       x201
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #76 on: December 07, 2013, 04:01:45 pm »
Enter the Hall of Fame with 7eme Etage in French R/B:



Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f3
ret

0e 16 26 64 2e bb 41 40 cd f3 35 c9

Awakening (Reveil)       x 22
Carbos (Carbone)         x100
X Accuracy (Precision +) x187
X Attack (Attaque +)     x 64
TM05 (CT05)              x243
Revive (Rappel)          x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #77 on: December 07, 2013, 04:23:24 pm »
Enter the Hall of Fame with 7ºP in Italian R/B:



Code:
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35ee
ret

0e 16 26 64 2e bb 41 40 cd ee 35 c9

Awakening (Sveglia)       x 22
Carbos (Carburante)       x100
X Accuracy (Precisione X) x187
X Attack (Attacco X)      x 64
TM05 (MT05)               x238
Revive (Revitaliz.)       x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #78 on: December 07, 2013, 04:35:06 pm »
Enter the Hall of Fame with ws m in Spanish and German Yellow:



Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e89
ret

0e 16 26 64 2e 56 41 40 cd 89 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x137
Lemonade   x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #79 on: December 07, 2013, 04:40:25 pm »
Play Pikachu's Beach with ws m in Spanish and German Yellow:



Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e89
ret

0e 3e 26 40 1D 6B 41 40 cd 89 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x137
Lemonade    x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #80 on: December 07, 2013, 04:48:23 pm »
Enter the Hall of Fame with ws m in French Yellow:



Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e87
ret

0e 16 26 64 2e 56 41 40 cd 87 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x135
Lemonade   x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #81 on: December 07, 2013, 04:53:14 pm »
Play Pikachu's Beach with ws m in French Yellow:



Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e87
ret

0e 3e 26 40 1D 6B 41 40 cd 87 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x135
Lemonade    x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #82 on: December 07, 2013, 04:59:04 pm »
Enter the Hall of Fame with ws m in Italian Yellow:



Code:
ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e82
ret

0e 16 26 64 2e 56 41 40 cd 82 3e c9

Awakening  x 22
Carbos     x100
X Accuracy x 86
X Attack   x 64
TM05       x130
Lemonade   x201

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #83 on: December 07, 2013, 05:03:11 pm »
Play Pikachu's Beach with ws m in Italian Yellow:



Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e82
ret

0e 3e 26 40 1D 6B 41 40 cd 82 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x130
Lemonade    x201


..finally, HoF code done for all languages R/G/B/Y! And Pikachu's Beach done for all languages of Yellow!
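Added here as an example, not code from the thread or from any of its posters: a small Python encoder/disassembler for the item lists in the Hall of Fame and Pikachu's Beach posts above. It turns each (item, quantity) pair into the two bytes the bag stores and reads the result back with an opcode table limited to the instructions used in this thread, so the assembly, hex and item list of any post here can be cross-checked against each other; the item IDs and opcodes are standard Gen 1 values, the function names are mine, and the sample list is the German R/B one from reply #75.

```python
# Gen 1 item IDs for the items used in this thread; TM01 is 0xC9 and the TMs
# are consecutive. Each item ID doubles as an opcode once 8F jumps into the bag.
ITEM_IDS = {
    "Awakening": 0x0E, "Escape Rope": 0x1D, "Old Amber": 0x1F, "HP Up": 0x23,
    "Carbos": 0x26, "X Accuracy": 0x2E, "Full Heal": 0x34, "Revive": 0x35,
    "Max Revive": 0x36, "Lemonade": 0x3E, "X Attack": 0x41,
}
ITEM_IDS.update({f"TM{n:02d}": 0xC9 + n - 1 for n in range(1, 56)})
ID_ITEMS = {v: k for k, v in ITEM_IDS.items()}

# opcode -> (format string, instruction length), limited to the instructions
# in this thread. Operands are little-endian, so {1}{0} prints an address.
OPCODES = {
    0x04: ("inc b", 1), 0x0E: ("ld c,${0:02x}", 2), 0x1D: ("dec e", 1),
    0x26: ("ld h,${0:02x}", 2), 0x2E: ("ld l,${0:02x}", 2),
    0x34: ("inc (hl)", 1), 0x36: ("ld (hl),${0:02x}", 2),
    0x3E: ("ld a,${0:02x}", 2), 0x40: ("ld b,b", 1), 0x41: ("ld b,c", 1),
    0x6B: ("ld l,e", 1), 0x7F: ("ld a,a", 1), 0xC9: ("ret", 1),
    0xCD: ("call ${1:02x}{0:02x}", 3), 0xD2: ("jp nc,${1:02x}{0:02x}", 3),
    0xEA: ("ld (${1:02x}{0:02x}),a", 3), 0xFA: ("ld a,(${1:02x}{0:02x})", 3),
}

def encode_items(items):
    """[(item name, quantity), ...] -> the bytes as they sit in the bag."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in a byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)

def decode_items(data):
    """Inverse view: read every byte pair back as (item, quantity)."""
    return [(ID_ITEMS.get(data[i], f"unknown ${data[i]:02x}"), data[i + 1])
            for i in range(0, len(data) - 1, 2)]

def disassemble(data):
    """Linear sweep; stops at the first byte the table does not cover."""
    lines, i = [], 0
    while i < len(data):
        entry = OPCODES.get(data[i])
        if entry is None or i + entry[1] > len(data):
            return lines + [f"db ${data[i]:02x}  ; not a complete known opcode"]
        fmt, size = entry
        lines.append(fmt.format(*data[i + 1:i + size]))
        i += size
    return lines

# Constructed sample input: the German R/B Hall of Fame list from reply #75.
HOF_DE = [("Awakening", 22), ("Carbos", 100), ("X Accuracy", 187),
          ("X Attack", 64), ("TM05", 240), ("Revive", 201)]

if __name__ == "__main__":
    print(encode_items(HOF_DE).hex(" "))
    print(*disassemble(encode_items(HOF_DE)), sep="\n")
```

Feeding the hex from any other post to `decode_items` and `disassemble` shows the same three views for that post.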

blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #84 on: December 07, 2013, 10:47:44 pm »
Humorous note: I just went to rename my Onix to what I wanted to change my name to after testing the code and calling my trainer "ONIX".  Of course, naturally, I now had a different OT and couldn't rename it :D Silly me.

So, I've devised a way to fix this in the spirit of this thread!  It's rather useless, but this program can be used to set the OT of your Onix, allowing you to change its nickname so that you can rename your trainer again (or you could just catch another Onix ;D).  Here's the item list:

Take caution:  Use 8F exactly (name length+1) times to ensure that the trainer name is terminated correctly.
This code is also self-modifying, so make sure that you reset the item quantities if you need to use it again.

Any item (any quantity)
8F
TM50                 x88
TM09                 x64 (x73, x82, x91, x100, x109, x127 should also all work fine here)
TM34                 x115
TM10                 x46
HP Up                x52
X Accuracy           x39
Full Heal            x201


Code:
WRA1:D322 FA 58 D1         ld a,(D158)   ; D158 = first byte of the player name
WRA1:D325 40               ld b,b
WRA1:D326 EA 73 D2         ld (D273),a   ; D273 = first byte of party slot 1's OT name
WRA1:D329 2E 23            ld l,23h      ; hl -> D323, low byte of the source address above
WRA1:D32B 34               inc (hl)      ; D158 -> D159 for the next run
WRA1:D32C 2E 27            ld l,27h      ; hl -> D327, low byte of the destination address
WRA1:D32E 34               inc (hl)      ; D273 -> D274 for the next run
WRA1:D32F C9               ret

For more general use on other Pokémon this can easily be modified to change the OT of the first Pokémon in the box: Simply change the (initial) quantity of TM34 from 115 to 42, and use TM21 in place of TM10.

Note: I haven't actually tested any of this but it all works perfectly theoretically...
« Last Edit: December 07, 2013, 10:59:41 pm by blahpy »

Princess Torchic Owl Lover ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #85 on: December 08, 2013, 08:18:48 am »
Both your code and the modification work.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?
« Last Edit: December 08, 2013, 08:38:21 am by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Sex male, and spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

War does not determine who is right or wrong; only who is loudest.
Athena follower. I know that some people view it as idolism, but I follow the spirit in relation to her and God too.

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #86 on: December 08, 2013, 09:34:10 am »
So.. I just found out that the bankswitch function's offset changed between JP R/G 1.0 and 1.1, and between JP Yellow 1.0 and 1.1 (it remains the same between JP Yellow 1.1 and 1.2 though).

Time for more porting and testing.. *sigh*

Enter the Hall of Fame with 5kai in Japanese R/G v1.1:


Code:
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $360e
ret

0e 16 26 7b 2e e4 41 40 cd 0e 36 c9

Awakening  x 22
Carbos     x123
X Accuracy x228
X Attack   x 64
TM05       x 14
Max Revive x201


Enter the Hall of Fame with かいがらバッヂ in Japanese Yellow v1.0:
Code:
ld c,$16
ld h,$7d
ld l,$c8
ld b,c
ld b,b
call $3e7d
ret

0e 16 26 7d 2e c8 41 40 cd 7d 3e c9

Awakening  x 22
Carbos     x125
X Accuracy x200
X Attack   x 64
TM05       x125
Lemonade   x201


Play Pikachu's Beach with かいがらバッヂ in Yellow 1.0:

Code:
ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e7d
ret

0e 3e 26 40 1D 6B 41 40 cd 7d 3e c9

Awakening   x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x125
Lemonade    x201
« Last Edit: December 08, 2013, 09:46:44 am by Wack0 »

blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #87 on: December 08, 2013, 03:11:42 pm »
Quote from: Princess Torchic Owl Lover ☽ ❤ on December 08, 2013, 08:18:48 am
Both your code and the modification work.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?

What RAM map are you using? I was using this one: http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon

Princess Torchic Owl Lover ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #88 on: December 08, 2013, 04:04:40 pm »
I use DataCrystal too, as well as this for GameShark codes and occasionally our GameShark codes page for Red/Blue but I can't find DD2A (OT of the first boxed Pokémon) on any, even though it does work.

Edit 1: Re 16th Pokémon's experience: Looks like it doesn't match up with DataCrystal's addresses (DC93-DC95).
Edit 2: DataCrystal's memory addresses for that are correct.
« Last Edit: December 08, 2013, 04:12:28 pm by Torchickens »


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #89 on: December 11, 2013, 02:13:00 pm »
Screw your English R/B save file using 8F!

Little bit of malicious fun. I was bored.
Basically, we set the current map's script pointer (at $D36E) to $D336, then we call SaveSAVtoSRAM (to save the game without warning). Then we reach $D336, which is a conditional jump to $1f49 (which soft resets); it only jumps when the carry flag isn't set, which in practice is all the time. It's done this way because an unconditional jump here would mean a glitch item, or more than 1 of a key item, is required.
And because the current map's script pointer in the save file is now $D336.. trying to continue just soft resets.
I think this is kinda more trolly than ZZAZZ's creepypasta thing, and in only 23 bytes too!

Here's a video. I may port this to Yellow if I can be bothered.

Unfortunately, you need two stacks of X Accuracy, but it's easy to get two stacks of an item anyway (have one 99 stack and purchase or find one more) and it's something very basic that can be found in most (if not all) Poké Marts.

Code:
ld l,$6E
ld (hl),$36
ld a,$D3
ld ($D36F),a
inc b
ld c,$1c
ld h,$78
ld l,$48 ; 1c:7848: SaveSAVtoSRAM
ld b,c
call $35d6 ; BankSwitch
jp nc,$1f49 ; SoftReset

2E 6E 36 36 3E D3 EA 6F D3 04 0E 1C 26 78 2E 48 41 CD D6 35 D2 49 1F

X Accuracy x110
Max Revive x 54
Lemonade   x211
TM34       x111
TM11       x  4
Awakening  x 28
Carbos     x120
X Accuracy x 72
X Attack   x205
TM14       x 53
TM10       x 73
Old Amber  x  1
« Last Edit: December 11, 2013, 02:33:04 pm by Wack0 »