Topic: Arbitrary code execution in Red/Blue using the "8F" item

pigdevil2010

  • Member+
  • Offline Offline
  • Gender: Male
  • Welcome to the 40 ERROR.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #120 on: April 28, 2014, 10:50:54 pm »
I discovered an even shorter w sm bootstrapping code. It requires just 10 Pokémon in the box; these are:

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon

Code:
; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 07 || ld e, 7  ; e = 7
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D3
$DA84 <- 67 || ld h, a  ; h = D3
$DA85 <- 2E ||
$DA86 <- 21 || ld l, 21 ; l = 21
$DA87 <- 18 ||
$DA88 <- 0D || jr D     ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D321

I also finally discovered the code to make it jump to the first stored item.

8F

You must have exactly 5 Pokémon in your party; these are:

Lv. 25 Pidgey with 24 HP, 36 PP left on the first and second moves, 24 PP left on the third move and 13 PP left on the fourth move
Parasect with 233 HP
Diglett
Tentacool
Kangaskhan

Code:
; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2E ||
$D166 <- 3B || ld l, 3B ; l = 3B
$D167 <- 18 ||
$D168 <- 02 || jr 2     ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- 18 ||
$D16E <- 19 || jr 19    ; pc = D188
$D188 <- 24 || inc h    ; h = D4
$D189 <- 24 || inc h    ; h = D5
$D18A <- 18 ||
$D18B <- 0D || jr D     ; pc = D199
$D199 <- E9 || jp (hl)  ; pc = D53B

w sm

You must have exactly 10 Pokémon in the box; these are:

Tangela with 233 HP
Spearow
Metapod
Haunter
Flareon
Parasect
Seel
Tentacool
Grimer
Any Pokemon

Code:
; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 05 || ld e, 5  ; e = 5
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D5
$DA84 <- 67 || ld h, a  ; h = D5
$DA85 <- 2E ||
$DA86 <- 3A || ld l, 3A ; l = 3A
$DA87 <- 18 ||
$DA88 <- 0D || jr D     ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D53A

camper (aka GlitcherRed, azum4roll)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #121 on: April 29, 2014, 01:04:05 am »
Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slots, and for Catch 'Em All purposes.

pigdevil2010

  • Member+
  • Offline Offline
  • Gender: Male
  • Welcome to the 40 ERROR.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #122 on: April 29, 2014, 01:18:57 am »
Quote from: camper
Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slots, and for Catch 'Em All purposes.
Which code did you mean? Address D322 (D321 in Yellow) is the third item in the pocket.

gskw

  • GCLF Member
  • Offline Offline
  • Do you think my avatar is glitched?
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #123 on: April 29, 2014, 02:56:00 am »
He is talking about the 8F code.
And no, it actually jumps to the first item on the PC.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Items
At the point of jp (hl), hl is $D53B, which is the address of the first item on the PC.
« Last Edit: April 29, 2014, 02:58:01 am by gskw »

Radixan

  • GCLF Member
  • Offline Offline
  • But I have a ws╝ ║m▓. :D
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #124 on: July 15, 2014, 08:57:30 am »
Hello, I just found a way to get the "ws m" item through corrupted save data in the non-Japanese R/B/Y releases.

Once you get corrupted save data, toss Master Ball x255 and leave your home.
You'll be teleported to Viridian City. Just go into the Pokémon Center, open the bag and swap the ws m with the first Master Ball.
Finally, deposit ws m in your PC and it will be safe to withdraw it later.

However, I can't continue the game as usual, since the Pokédex is completed by the corruption and Oak will never give me the Pokédex. :/

Regards. :)

Zheria

  • GCLF Member
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #125 on: August 22, 2014, 11:17:46 pm »
I was wondering if anyone knew how to convert this code from R/B to Yellow and would please do so for me. I have been using ws m on cart and it's been really cool. I wanted to try and catch some of the Pokémon that you can't obtain with the Mew glitch, but unfortunately this code doesn't work on Yellow.

Originally posted by TheZZAZZGlitch for R/B's 8F:
ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s

ITEM LIST (starting from the first slot):
* Any item
* 8F
* Repel                x[SpeciesIndex]
* X Speed              x14
* Ultra Ball           x64
* TM05                 x72
* Lemonade             x201

ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

TheZZAZZGlitch (Distinguished Member)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #126 on: August 23, 2014, 12:10:58 am »
Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.
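Added example (Python; not code from Zheria's quote or TheZZAZZGlitch's reply): it encodes the item list above into the bytes that execute from the third bag slot, and regenerates the TM05 quantity for a different GivePokemon address, which is all the Yellow change amounts to. The item IDs and the two subroutine addresses are read off the listing and the reply; the dictionary and function names are mine.

```python
"""Encode the Catch 'Em All item list into bytes and retarget its call."""

# Item IDs read off the listing in reply #125: a bag slot is two bytes, item
# ID then quantity, so from the third slot on the CPU executes them as code.
ITEM_ID = {"Repel": 0x1E, "X Speed": 0x43, "Ultra Ball": 0x02,
           "TM05": 0xCD, "Lemonade": 0x3E}
ID_ITEM = {v: k for k, v in ITEM_ID.items()}

# GivePokemon entry points quoted in replies #125 and #126.
GIVE_POKEMON = {"red_blue": 0x3E48, "yellow": 0x3E59}

# Instruction lengths for the opcodes this payload uses (for the sweep below).
INSN_LEN = {0x1E: 2, 0x43: 1, 0x0E: 2, 0x40: 1, 0xCD: 3, 0xC9: 1}


def encode(items):
    """(item, quantity) pairs -> the bytes that start at the third bag slot."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 0xFF:
            raise ValueError(f"{name} x{qty}: a quantity must be one non-zero byte")
        out += bytes((ITEM_ID[name], qty))
    return bytes(out)


def catch_em_all(species_index, game):
    """Item list for: ld e,n / ld b,e / ld c,02 / ld b,b / call GivePokemon / ret.

    The call's low byte is TM05's quantity and its high byte must itself be an
    item ID (Lemonade, $3E, in both games); ret ($C9) is Lemonade's quantity.
    Changing the game therefore changes only the TM05 quantity (72 -> 89)."""
    addr = GIVE_POKEMON[game]
    hi, lo = divmod(addr, 256)
    if hi not in ID_ITEM:
        raise ValueError(f"no item with ID ${hi:02X} to carry the call's high byte")
    return [("Repel", species_index), ("X Speed", 0x0E), ("Ultra Ball", 0x40),
            ("TM05", lo), (ID_ITEM[hi], 0xC9)]


def call_target(payload):
    """Linear sweep over the payload; returns the first `call nn` target."""
    pc = 0
    while pc < len(payload):
        op = payload[pc]
        if op == 0xCD:
            return payload[pc + 1] | payload[pc + 2] << 8
        pc += INSN_LEN[op]
    return None
```

call_target walks the payload by instruction length rather than searching for $CD, because a species index of $CD in the Repel slot would otherwise be mistaken for the call opcode.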

Zheria

  • GCLF Member
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #127 on: August 23, 2014, 04:19:29 pm »
Thank you! It works really well and makes obtaining these glitch pokemon easy!

nixnyte

  • GCLF Member
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #128 on: September 01, 2014, 04:05:22 am »
Hi folks!

I've been having fun exploring glitch possibilities in Pokémon Yellow lately, and I was interested in seeing how quickly arbitrary code execution could be reached off a fresh save file, without using save corruption or item underflow. The two major steps are of course to encounter p PkMn p to get ws m and to have a specific sequence of Pokémon in your active box. To do this from a new game, I had to come up with easier setups for each of the steps, so sharing these is my main intention with this post.

In order to encounter p PkMn p, I used a trainer-fly completed by a Ditto who transformed into my Pokémon with 194 Special. The Ditto in my route was a result of another trainer-fly (two Silph Co. scientists' last Pokémon have a Special stat of 76), but of course you can find plenty of these in Yellow's Cinnabar Mansion. To get a Pokémon with 194 Special, I chose to use a Kadabra, as I could also use it for my bootstrap code. Depending on its DVs, which are made evident at level 50 due to the stat formula, you can use a combination of Rare Candies and Calcium to guarantee 194 Special, assuming no previous stat exp.

Code:
Kadabra
Check Special at level 50 (Special - 125 = DVs)
DVs   Level   Calcium
00    70      6
01    70      5
02    69      6
03    69      5
04    68      6
05    68      5
06    67      6
07    67      5
08    66      6
09    67      4
10    65      6
11    66      4
12    65      5
13    65      4
14    64      5
15    63      6

Now for the bootstrap code, I focused on improving pigdevil2010's code posted in reply #105, as it was the only one that didn't require a Pokémon with 233 HP. Instead, it wrote E9 into the address immediately following the rest of the code. As I've already had trouble deciding how to format this post, I'll mention each block I'm about to paste up front. First is the code I came up with after staring for hours at an opcode table and the Big HEX List for which Pokémon would be easily obtainable. It does successfully allow arbitrary code to be executed from your inventory, but are there side effects due to shortcuts? After that is the order of Pokémon in your box to achieve these values, and then where you can find those Pokémon very early in the game. For the "anything" slot, I had exactly 1 extra Pokémon: Pikachu!

Code:
; initial hl = DA7F
$DA7F <- 0F || rrca
$DA80 <- 2E ||
$DA81 <- 8E || ld l, 8E    ; l = 8E
$DA82 <- 7C || ld a, h     ; a = DA
$DA83 <- 16 ||
$DA84 <- 0F || ld d, 0F    ; d = 0F
$DA85 <- 82 || add a, d    ; a = E9
$DA86 <- 22 || ld (hl+), a ; $DA8E <- E9, l = 8F
$DA87 <- 7C || ld a, h     ; a = DA
$DA88 <- 26 ||
$DA89 <- 07 || ld h, 07    ; h = 07
$DA8A <- 94 || sub h       ; a = D3
$DA8B <- 67 || ld h, a     ; h = D3
$DA8C <- 2E ||
$DA8D <- 21 || ld l, 21    ; l = 21
$DA8E <- E9 || jp (hl)     ; goto $D321

Quote
Parasect
Clefable
Metapod
Gyarados
NidoranF
Golbat
Onix
Metapod
Kadabra
Nidoking
Abra
Flareon
Parasect
Growlithe
(anything)

Quote
Route 2
- Catch 1 NidoranF
- Catch 1 NidoranM (10-12 Rare Candy, Moon Stone)

Virdian Forest
- Catch 2 Metapod

Route 4
- Buy 1 Magikarp (15 Rare Candy)

Mt. Moon
- Catch 2 Paras (22-30 Rare Candy)
- Catch 1 Clefairy (Moon Stone)
- Catch 1 Zubat (9-16 Rare Candy)
- Find 2 Moon Stone

Route 8
- Trainer-Fly 1 Onix
- Trainer-Fly 1 Growlithe

Celadon
- Buy 1 Abra (1 Rare Candy) http://i.imgur.com/EFnPsLp.png
- Receive 1 Eevee (Fire Stone)
- Buy 1 Fire Stone

The other Abra was caught on Route 6, since I opened the route similarly to the no-save-corruption speedrun in order to duplicate Rare Candies and Nuggets. I streamed my first attempt at this to a couple of friends on Twitch, and the video can be referenced here for any visual demonstrations. There is audio "commentary", but it's mostly me chatting with the viewers and mumbling about how it's going, so it's not at all important to listen to. I am also not correct about everything I say in the video :) If you're eager enough to continue off the route I used in that video to then actually execute specific bits of arbitrary code, just remember TM01 will be your best friend for accessing the return opcode.

Anyway, hopefully someone finds these references useful!

Evie the Mother Hen ☽ ❤ (Head Administrator)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #129 on: September 01, 2014, 06:58:34 am »
Hey nixnyte. Thanks for your info and welcome to the forums!

I enjoyed your set up.

That was a creative way to see Ghost Missingno. early on (with the Special stat of the level 80 Starmie from Cubone for Machoke trade)! Did you think of that or another speedrunner? (I'm out of touch with the speedrunning community other than the published tricks)

For what it's worth, I also did an arbitrary code execution run (a catch em all one), but it was on Red/Green with trading allowed. It was pretty slow and it could have probably been done without trading with enough effort and probably an improved bootstrap code. I'm considering doing a Red/Green catch em all run without arbitrary code or trading.
« Last Edit: September 01, 2014, 07:01:23 am by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

nixnyte

  • GCLF Member
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #130 on: September 01, 2014, 02:31:52 pm »
The early Ghost (or Kabutops fossil) Missingno. technique is credited to ExtraTricky on the no-save-corruption page on the Pokémon Speedruns wiki. The puu.sh of trainer Pokémon yields for trainer-fly also served useful, but as I desperately found myself wanting to Ctrl+F for Pokémon on the image, I found a dump of trainers in Pokémon Yellow on UPokeCenter. With this key-value Special stat support file and this simple Ruby script I wrote, it helped me narrow down which trainers would have favorable Special stats. UPokeCenter also has a trainer list for Red and Blue if anyone wants to make use of the script for that game. A Game Boy opcode table felt more useful than a list in this instance as well.

Other than that, all I did myself was write some custom ASM, make some pretty charts, and piece it all together. The ASM was the main thing I wanted to share, since I believe it's more efficient than the other methods for arbitrary code in Yellow. Unless I'm forgetting something, that should cover all of the credits and references. I certainly didn't come up with every part on my own :P
« Last Edit: September 01, 2014, 02:33:35 pm by nixnyte »

Evie the Mother Hen ☽ ❤ (Head Administrator)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #131 on: September 01, 2014, 02:58:55 pm »
Cool. Yes, I've heard of the puu.sh file too. It's useful for Red/Blue, but not as useful for Yellow, as some Trainers (except Blue, as that's fairly obvious) differ between Red/Blue and Yellow.

I tried to upload it to the wiki here, but it was too big xD.

This is the list of opcodes I use.
« Last Edit: September 01, 2014, 03:03:47 pm by Torchickens »


memdump

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #132 on: September 18, 2014, 12:38:53 pm »
Connect Bootstrap Code Between Red/Blue and Yellow

First I will make this mention. It is easier to set up a bootstrap code in Yellow than it is in Red/Blue. In Yellow you simply trainer-fly many Pokémon using Dittos for any opcode, since it reads 20 from the list before the complex data structures instead of 6. Red/Blue needs specific PP and limits the party. This post tells how to make the Red/Blue bootstrap more like Yellow, not the other way around. It does not look possible the other way around anyway.

I introduce the item -gm, or in game in the Vermilion PokéMart. Characters in green change based on the map tileset, but -gm is fixed. This item is x6A, or 106 decimal. Like 8F, it points to an address in WRAM, wDA47. This address is x39, or 57 decimal, bytes before the beginning of the PC list, wDA80. What lies between is as follows: W_NUMSAFARIBALLS, W_DAYCARE_IN_USE, W_DAYCAREMONNAME, W_DAYCAREMONOT, wDayCareMon. These values are very easily set to x00 and are x00 by default, which is simply a skipped opcode. This item can be obtained like 8F; just do the procedure for x6A instead of x5D.

In conclusion, -gm can be used like ws m to run the initial code from the PC list, which is W_NUMINBOX, wBoxSpecies (x14 or 20 bytes), xFF, then the data for individual Pokémon. The cost is that -gm must go through many x00 opcodes before the intended code, but this is 228 CPU cycles and is very minimal.

Evie the Mother Hen ☽ ❤ (Head Administrator)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #133 on: September 19, 2014, 12:19:31 pm »
Thanks memdump, this works wonderfully.

Do note that if the bootstrap code contains absolute jumps though, you'll have to change them to get the exact same item location.

So with Pigdevil2010's latest first item pack ws m code

Quote
Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon

...You'd need to change the Growlithe (21) to Onix (22) to get to item 3 (D322), but it would still work with Growlithe, only your item code would start at item 2's quantity.

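To check chains like the ones in replies #120 (the 8F party and the ws m box), #128 (nixnyte's self-patching box) and #132/#133 (-gm entering the Red/Blue box through the zero bytes, and Evie's Onix substitution), here is an added Python example; it is not code from any of those posts. It lays the list bytes out the way the game stores them (count, species list, $FF terminator, then one struct per Pokémon, with HP at offsets 1-2, the level at 3 and PP at 29-32, as the address annotations in the posts imply) and steps a small LR35902 interpreter that knows only the opcodes these chains use. The species bytes are the hex columns from the posts; the "any" placeholder value, the layout tuples and all function names are mine, and the HP and PP values are the ones the posts specify.

```python
"""Trace Gen 1 list-based bootstrap chains on a tiny LR35902 interpreter."""

# Species index bytes, read off the hex columns of the posts above; "any" is
# the free slot the chains never execute as an opcode (placeholder value).
SPECIES = {
    "Tangela": 0x1E, "Nidoking": 0x07, "Metapod": 0x7C, "Haunter": 0x93,
    "Flareon": 0x67, "Parasect": 0x2E, "Growlithe": 0x21, "Tentacool": 0x18,
    "Grimer": 0x0D, "Spearow": 0x05, "Seel": 0x3A, "Onix": 0x22,
    "Pidgey": 0x24, "Diglett": 0x3B, "Kangaskhan": 0x02, "Clefable": 0x8E,
    "Gyarados": 0x16, "NidoranF": 0x0F, "Golbat": 0x82, "Kadabra": 0x26,
    "Abra": 0x94, "any": 0x00,
}
# (list base, max entries, bytes per Pokemon struct) per the RAM map.
PARTY_RB = (0xD163, 6, 44)   # Red/Blue party: where 8F lands
BOX_RB = (0xDA80, 20, 33)    # Red/Blue box: 0x39 bytes past -gm's $DA47
BOX_Y = (0xDA7F, 20, 33)     # Yellow box: where ws m lands

def build_list(layout, names, mons=()):
    """Count, species bytes, $FF terminator, then one struct per Pokemon.
    mons: per-slot dicts with optional "hp", "level", "pp" (one byte per move,
    equal to the current PP when no PP Ups were used)."""
    base, max_entries, size = layout
    ids = [SPECIES[n] for n in names]
    mem = {base: len(ids)}
    for i, sp in enumerate(ids):
        mem[base + 1 + i] = sp
    mem[base + 1 + len(ids)] = 0xFF
    first = base + 1 + max_entries + 1
    for i, sp in enumerate(ids):
        m, off = (mons[i] if i < len(mons) else {}), first + i * size
        mem[off] = sp                                      # +0: species
        mem[off + 1], mem[off + 2] = divmod(m.get("hp", 0), 256)  # +1,+2: HP
        mem[off + 3] = m.get("level", 0)                   # +3: level
        for j, pp in enumerate(m.get("pp", ())):
            mem[off + 29 + j] = pp                         # +29..+32: PP
    return mem

def run(mem, pc, max_steps=128):
    """Execute from pc with hl = pc (the item handler's state) until jp (hl).
    Only opcodes the chains above use are implemented; anything else raises,
    which is the check you want after substituting a species. Returns the
    jump target and the (possibly modified) memory."""
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "e": 0, "h": pc >> 8, "l": pc & 0xFF}
    for _ in range(max_steps):
        op, n = mem.get(pc, 0), mem.get(pc + 1, 0)
        if op == 0xE9:                                                 # jp (hl)
            return r["h"] << 8 | r["l"], mem
        if op == 0x00: pc += 1                                         # nop
        elif op == 0x05: r["b"] = (r["b"] - 1) & 0xFF; pc += 1         # dec b
        elif op == 0x0A: r["a"] = mem.get(r["b"] << 8 | r["c"], 0); pc += 1  # ld a,(bc)
        elif op == 0x0F: r["a"] = (r["a"] >> 1 | r["a"] << 7) & 0xFF; pc += 1  # rrca
        elif op == 0x16: r["d"] = n; pc += 2                           # ld d,n
        elif op == 0x18: pc += 2 + (n - 0x100 if n > 0x7F else n)      # jr e
        elif op == 0x1E: r["e"] = n; pc += 2                           # ld e,n
        elif op == 0x22:                                               # ld (hl+),a
            addr = r["h"] << 8 | r["l"]
            mem[addr] = r["a"]
            r["h"], r["l"] = divmod((addr + 1) & 0xFFFF, 256)
            pc += 1
        elif op == 0x24: r["h"] = (r["h"] + 1) & 0xFF; pc += 1         # inc h
        elif op == 0x26: r["h"] = n; pc += 2                           # ld h,n
        elif op == 0x2E: r["l"] = n; pc += 2                           # ld l,n
        elif op == 0x67: r["h"] = r["a"]; pc += 1                      # ld h,a
        elif op == 0x7C: r["a"] = r["h"]; pc += 1                      # ld a,h
        elif op == 0x82: r["a"] = (r["a"] + r["d"]) & 0xFF; pc += 1    # add a,d
        elif op == 0x93: r["a"] = (r["a"] - r["e"]) & 0xFF; pc += 1    # sub e
        elif op == 0x94: r["a"] = (r["a"] - r["h"]) & 0xFF; pc += 1    # sub h
        else:
            raise ValueError(f"unhandled opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("no jp (hl) reached")

PIGDEVIL_BOX = ["Tangela", "Nidoking", "Metapod", "Haunter", "Flareon",
                "Parasect", "Growlithe", "Tentacool", "Grimer", "any"]
NIXNYTE_BOX = ["Parasect", "Clefable", "Metapod", "Gyarados", "NidoranF",
               "Golbat", "Onix", "Metapod", "Kadabra", "Nidoking", "Abra",
               "Flareon", "Parasect", "Growlithe", "any"]

def trace_8f_party():
    """Reply #120: 8F with the five-Pokemon party -> first PC item ($D53B)."""
    party = ["Pidgey", "Parasect", "Diglett", "Tentacool", "Kangaskhan"]
    mons = [{"hp": 24, "level": 25, "pp": [36, 36, 24, 13]}, {"hp": 233}]
    return run(build_list(PARTY_RB, party, mons), 0xD163)[0]

def trace_ws_m_box(names=PIGDEVIL_BOX):
    """Reply #120: ws m with a Yellow box whose first Pokemon has 233 HP."""
    return run(build_list(BOX_Y, names, [{"hp": 233}]), 0xDA7F)[0]

def trace_nixnyte_box():
    """Reply #128: the chain writes its own $E9 over the free slot first."""
    target, mem = run(build_list(BOX_Y, NIXNYTE_BOX), 0xDA7F)
    return target, mem[0xDA8E]

def trace_gm_box(names=PIGDEVIL_BOX):
    """Replies #132/#133: -gm enters at $DA47 and slides over 0x39 zero bytes
    (nops) into the Red/Blue box; Onix instead of Growlithe gives $D322."""
    return run(build_list(BOX_RB, names, [{"hp": 233}]), 0xDA47)[0]
```

An unhandled opcode raises, so the quickest way to test a substitute Pokémon is to swap the name in one of the lists and rerun; the -gm trace reproduces the point above that putting Onix in the Growlithe slot moves the target from $D321 to $D322, and the nixnyte trace shows the side effect that the fifteenth box entry ends up as species $E9.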

memdump

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #134 on: September 19, 2014, 11:30:41 pm »
More info I found to share. In Red/Blue, item x7E (long glitch name) points to address wD887. Do you know this address? It is the start of the wild Pokémon data... and the Old Man glitch writes your name to that space in memory! But the English character set does not give characters that relate to any good opcode value. Maybe corrupt the name, then perform steps to take advantage of this. Just food for thought.

I said English character set. In the Japanese character set, you can name the player with a greater variety of characters. In fact, in Midori 1.0 there also exists an item for this. It is x7B instead of x7E, and this item is called てヘ (tehe). It points to wD806, which is the wild Pokémon data in that game as well. Here is an example: you name your player アてルぬ (aterunu). The first value is overwritten by x00, the Tokiwa encounter rate, when the Old Man ends, so it does not matter. But the next 3 characters have the values xC3 xA6 xD2, which in ASM is jp wD2A6. This is the address of the third item in the bag in that game! So you name the player _てルぬ, obtain てヘ, talk to the Old Man, use てヘ, and your name is all that is needed for the bootstrap code, and now you run arbitrary code from the inventory like before!

I have tested it and it works. No Pokémon needed at all for the bootstrap. Very cool.