Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 415714 times)


Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #135 on: September 20, 2014, 06:30:25 am »
Excellent find. That makes my 5かい linked 151 run look silly. Ha ha.

I guess I'll start thinking about how a Midori v1.0 151 ACE speedrun would go.

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #136 on: November 08, 2014, 05:31:16 pm »
There's a new way to get 8F with 94, thanks to luckytyphlosion's discovery of "double distort CoolTrainers".

It does not use:

* Item underflow glitch
* An out of bounds Glitch City (previously used by TheZZAZZGlitch for a 94 CoolTrainer).
* Silph Co. 11F Rocket and a Trainer-inducing old man glitch name (Paco81's trick to battle a 94 Trainer)
* Walk through walls (for the out of bounds Glitch City).

The only problems that come to mind are that you seem to need a 7-letter name, and the fact that CoolTrainer may stop working. I haven't tested all name sizes, but a 6-letter name with an even third character didn't work, and the 7-letter name BBBBBBB (all odd digits) worked, contrary to Dabomstew's explanation that the third character has to be even.

Steps:

Get a Pokémon with CoolTrainer as the first move first. You can have Ditto transform then swap move 1 with another move, then run. Keep this Pokémon in the first position. Have a Good Rod as the fourth item.

1) Name a Pokémon or a Ditto "[ANYTHING]×". The × is a multiplication sign.
2) Do a CoolTrainer (keep viewing CoolTrainer move by scrolling/opening closing the fight menu) after opening the items screen here. Don't open the item/Pokémon/Pokédex menu after.
3) Enter a battle and do a CoolTrainer, but don't catch the enemy yet.
4) Switch to the nicknamed Pokémon (or other Pokémon) and you'll notice a copy of its name will be printed on the screen.
5) Full Heal Ditto (this also updates the screen data), then switch to Ditto.
6) Do a CoolTrainer again, and this time catch the Pokémon to get what you want. If your Ditto has × as the second character, you can open the items menu after sending it into battle before doing the second CoolTrainer; to get 94 with Ditto's name.
7) Your Good Rod will turn into 8F.

Unfortunately, memdump's better ACE item "-g m" cannot be obtained with this CoolTrainer trick, but food for thought, maybe there's another useful item conversion glitch Pokémon that could be used to get it. (from here)

Videos:
Dabomstew's video
My vid
« Last Edit: November 08, 2014, 05:46:53 pm by Torchickens »


Glitch Genie

  • GCLF Member
  • Gender: Male
  • The file data is confused!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #137 on: November 10, 2014, 08:03:50 pm »
Newcomers: I highly recommend you read beyond this thread's first post. Thanks to the later posts you will learn how to do the described glitch on Yellow, Japanese Red/Green/Yellow or other international releases, and you'll find many different item lists for performing different tasks.

WHAT'S 8F?

8F is a Red/Blue equivalent of JP Red/Green's 5かい - an item executing machine code starting from $D163 (Number of Pokemon) upon use. Its hex identifier is 0x5D, despite its hex-like name. 8F is treated by the game as a key item and it can't be tossed away or sold in the mart.

As address $D163 contains re-writeable data, it is possible to redirect the instruction pointer to the item list with relative jumps and easily run arbitrary code just by spelling the opcodes with items. With enough items, one could also make a program that reads key input continuously, writes it somewhere in the RAM and jumps to it after a while, allowing you to even run your own homebrew software (jailbreaking the gameboy, lolz).

HOW TO OBTAIN IT:

OBTAINING 8F USING ITEM COUNTER UNDERFLOW GLITCH:

PREREQUISITES:

 - Access to any event that removes an item from your inventory (Saffron guards, handing out a fossil in Cinnabar Lab, giving Gold Teeth to the Warden etc.)
 - A following item list:
   Any item x[Any qty]
   X Special x255
   Item you need to give away x1

EXECUTION:

1. Toss the first item. It should change to X Special x255
2. Continue tossing the first item until the item menu "stops responding"
3. Trigger an event that removes the item from your inventory (example: get Kabuto, Omanyte, or Aerodactyl down in Cinnabar)
4. Now, you should have 255 items with you. Go to the eastmost corner of Celadon City:



5. Toss 254 of your X Specials. Then swap the 'X Special x1' with 'Nugget x1' (35th item)
6. Try walking to the right - the map should now loop back to the left side of Celadon City. The amount of steps you take to the right determines the item you will get, so position yourself properly to obtain 8F. Swap it with the first item, then fly back to Celadon.
7. Store one of your newly acquired glitch items into the PC. Then buy any 3 items to bring your inventory back to normal.

A video of this method (makes it a lot easier to understand): http://www.youtube.com/watch?v=98_azamLeh4

OBTAINING 8F USING INVALID ENCOUNTER FLAGS (OBSOLETE):

PREREQUISITES:

 - A Ditto with a Cooltrainer move, nicknamed "R:u"  (Get Cooltrainer by transforming into a pokemon with 4 moves. swap the second move with the 1st, run, and Ditto's move will be cooltrainer)
 - At least 1 Escape Rope
 - Good Rod on your 4th item slot
 - Exactly 10 Pokemon in your current box (this tremendously increases the chances of Cooltrainer move working properly) (sometimes the Cooltrainer move refuses to work, so if 10 pokemon doesn't work out, try 9 pokemon, and then 8, etc.)
 - Preferably a Bicycle, to make things a little bit faster.

EXECUTION:

1. Heal your Pokemon in Fuchsia City's Pokemon Center.
2. Do the Safari Zone walk through walls glitch, with only Ditto in your party.
3. After you appear back at the Fuchsia City's Center with noclip activated, walk exactly:
 a) 19 steps west
 b) 28 steps north
 c) 1 step west
 d) 29 steps north
 e) 11 steps east
4. Open your Pokemon menu and close it (important). You may want to use bicycle now to travel faster - you won't be able to do this later.
5. Go 11 steps west and keep walking south until you find yourself back on Route 18. Do not open your Start menu from now on.
6. Walk/bike to Seafoam Islands and enter the cave.
7. Encounter a wild Pokemon, and continuously try to use the Cooltrainer move. If it does not work after about 15 tries, quit the battle and start a new one. Do not open your Pokemon menu, Item menu or Start menu at all!
8. Eventually, the music will fade out, the move typing will become blank, and name of the opponent will get changed. Catch the resulting Pokemon - the game will state you caught a "94", and your Good Rod will turn into an 8F.
9. Use an Escape Rope, as there's a slight chance the game will crash after exiting the cave normally.

OBTAINING 8F WITH A CORRUPTED ITEM PACK (OBSOLETE):

This method is not recommended - it has a lot of side effects and is terribly complicated. Use it only when the encounter flag method does not seem to work for you.

PREREQUISITES:

 - A Pokemon on the first slot meeting very specific requirements:
    > It needs to have a Super Glitch as a 4th move
    > Its three moves besides the Super Glitch have to contain 25 characters in total
    > One of its three moves needs to be 4 characters long
    > This Pokemon needs to be able to learn Mega Kick through TM05
    An example: ゥL ||ゥM 4 (hex C6) with moves Body Slam, TM50, Quick Attack, [Super Glitch]
 - Any Pokemon on the second slot you don't care about, nicknamed "cccccccc". It will be gone in the process, so don't use your L100 Charizard.
 - A Pokemon on the third slot knowing Fly.
 - Exactly 3 useless items in your Bag. They will get destroyed again, so don't pick anything important.
 - TM05 (Mega Kick), deposited in the PC
 - At least one free space in the PC to store your obtained 8F
 - An empty Pokemon box currently selected, most likely box 12

SIDE EFFECTS:

Sadly, those side effects are actually quite annoying. But also, happily enough, one can fix them with 8F's arbitrary code execution.

1. Your player name will become blank (the game will save just fine though). However, with 8F's arbitrary code execution capabilities, one can change his name back to something nice.
2. Lower 5 Pokedex bytes will become corrupted, displaying some yet unseen species as caught. There's no easy way to fix this, but it's not a big deal unless you care about your Pokedex progression.
3. Your Pokemon box may get to a state where trying to release the glitch Pokemon inside will crash the game. This side effect does not happen every time, but if it does, again, this can be fixed with 8F's arbitrary code execution.

EXECUTION:

The process is a little bit complicated, but after around 15 minutes of hard work, you should be able to claim your own 8F without a cheating device.

1. Go to the exact spot shown on the screenshot below (second to last house on Celadon's south-east). Open up and close immediately your Pokemon menu while still standing on that spot.



2. Go into a patch of grass and encounter a wild Pokemon. Do not open your start menu while going there.
3. Open and close your fight menu a few times, then run from the battle.
4. Open your Start menu. Your name should be glitched. If it isn't, repeat step 3.
5. Now you should have 16 Pokemon. Go to the Celadon's Pokemon Center and talk to Nurse Joy, but don't heal.
6. Go to the exact spot shown on the screenshot below:



7. Open up your Pokemon menu, swap the 2nd Pokemon with the 10th.
8. Now your item pack should have 162 items, with the first item being "RIVAL's" and the second being Ether.
9. If you have more than 1 Ether on the second position, toss them so only 1 remains.
10. Swap the Ether (2nd item) with the 35th one (for this location this should be a Nugget)
11. Try walking to the right - the map should now loop back to the left side of Celadon City.
12. Keep walking to the right until you find the spot below:



13. Open your item pack here - the Ether should turn into 8F. Switch it back with the second item to keep it.
14. Fly away to any town. Go to the Pokemon Center.
15. Store one of your 8Fs in the PC. 8F is treated like a key item and depositing more than one will clutter your PC.
16. (Optional) You can also deposit "RIVAL's" into the PC to get 2 glitch items for the price of one.
17. Swap the 10th Pokemon back with the 2nd. This will clear all your items.
18. Withdraw TM05 from your PC.
19. Swap the 2nd Pokemon with the 5th to avoid crashing in the next few steps.
20. Swap the 3rd Pokemon with the 2nd so your Pokemon with Fly won't get obliterated by Charizard 'Ms
21. Deposit your LM4 and your Pokemon with Fly.
22. From now on keep depositing Pokemon into your empty box until you're left with just one Pokemon in your party.
23. Withdraw LM4 and the Pokemon with Fly.
24. Exit out the PC and move the first Pokemon (Charizard 'M) to the last slot.
25. Deposit the Charizard 'M. You should now have only LM4 and the flyer in your team.
26. Because of the Super Glitch, your LM4 became an unstable hybrid of Krabby. Fly to Cerulean City, bring your LM4 into Daycare and take it out to change it back to LM4.
27. Fly back to Celadon City, stand in the spot below:



28. Teach your LM4 Mega Kick (use TM05). Replace the move with 4 characters in its name, otherwise stuff won't work as intended.
29. Fly to Cerulean City again, stand in the spot shown below:



30. Open your Pokemon menu here (important). If your LM4 is now the second Pokemon in your party, switch it back to the first slot.
31. Fight a wild Pokemon. Open up and close your fight menu a few times, then run from the battle.
32. Your name should be now blank. If it isn't, repeat step 30.
33. Fly to any Pokemon Center and heal your Pokemon.
34. And finally, you're done! You are now free to save the game if you're brave enough. Withdraw your 8F and have fun.

Full video presenting this done step by step: http://www.youtube.com/watch?v=Sw0h7ImFsAs

BOOTSTRAPPING

8F won't do anything amazing by itself - in order to make it execute code from $D322 (third item), we need to use the party Pokemon to spell out a short bootstrapping program, which will redirect the instruction pointer to your item pack. The requirements are as follows:

1.  6 Pokémon                                                         [0xD163 = 0x06]
2.  Onix as the first Pokémon                                         [0xD164 = 0x22]
3.  Pidgey as the second Pokémon                                      [0xD165 = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD165 = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD166 = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1B5 = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1B6 = 0x55]
8.  36 PP left on the fourth Pokémon's first move                     [0xD20C = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD20D = 0x18]
10. 20 PP left on the fourth Pokémon's third move                     [0xD20E = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD223 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD224 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD225 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD26C = 0xE9]


(11/12/13: Hitmonlee is probably the only Pokémon that can learn all of those moves)

Resulting ASM:
Code:
; -- Initial value of hl: D163
WRA1:D163 06 22            ld   b,22    ;  b = 22
WRA1:D165 24               inc  h       ; hl = D263
WRA1:D166 18 4D            jr   D1B5

WRA1:D1B5 18 55            jr   D20C

WRA1:D20C 24               inc  h       ; hl = D363
WRA1:D20D 18 14            jr   D223

WRA1:D223 68               ld   l,b     ; hl = D322
WRA1:D224 18 46            jr   D26C

WRA1:D26C E9               jp   hl



Sadly, we can't use K)ry's original code from Pokemon Green, as in international versions the opcodes [jp imm16] and [call imm16] can't be represented in a Pokemon's nickname, foiling our evil plan.

Well, now we're done with all those preparations, let's try to actually do something with this item! Below I present some examples of what is possible.

USING 8F TO OUR ADVANTAGE

"CATCH 'EM ALL" SCRIPT

This is just K)ry's ASM for JP Red/Green ported to the international release. With those items, 8F will act like an item that forces a Pokemon encounter based on the quantity of item #1, allowing you to catch all 151 Pokemon easily.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x31
TM11                 x4
TM34                 x89
TM08                 x201


ASM:
Code:
WRA1:D322 FA 1F D3         ld   a,(D31F)
WRA1:D325 04               inc  b
WRA1:D326 EA 59 D0         ld   (D059),a
WRA1:D329 C9               ret 

ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s

ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball           x64
TM05                 x72
Lemonade             x201


ASM:
Code:
WRA1:D322 1E 20            ld   e,[SpeciesIndex]
WRA1:D324 43               ld   b,e
WRA1:D325 0E 02            ld   c,02
WRA1:D327 40               ld   b,b
WRA1:D328 CD 48 3E         call 3E48
WRA1:D32B C9               ret

FIX THE PLAYER'S NAME

One of the side effects of obtaining 8F is blanking out your name. However, with this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters and bring your name back to normal.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                 x181
TM10                 x64
TM34                 x88
TM09                 x46
Calcium              x52
X Accuracy           x35
Full Heal            x201


ASM:
Code:
WRA1:D322 FA B5 D2         ld   a,(D2B5)
WRA1:D325 40               ld   b,b
WRA1:D326 EA 58 D1         ld   (D158),a
WRA1:D329 2E 27            ld   l,27
WRA1:D32B 34               inc  (hl)
WRA1:D32C 2E 23            ld   l,23
WRA1:D32E 34               inc  (hl)
WRA1:D32F C9               ret 

CHANGE THE SECOND ITEM

This easy code uses only 3 basic items, and it increases the first item's index by 1 every time 8F is used. You can obtain normally unobtainable items, glitch items or TMs so you can do other item configurations described.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s

ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201


ASM:
Code:
WRA1:D322 0C               inc  c
WRA1:D323 2B               dec  hl
WRA1:D324 0D               dec  c
WRA1:D325 2B               dec  hl
WRA1:D326 34               inc  (hl)
WRA1:D327 C9               ret


WALK THROUGH WALLS

Jump off a ledge after using 8F to walk through walls.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x20
TM15                 x201


ASM:
Code:
WRA1:D322 EA 14 D7         ld (d714),a
WRA1:D325 C9               ret

ESCAPE FROM A TRAINER BATTLE

This turns 8F into an item which allows escaping from any battle, including trainer battles.

http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x120
TM08                 x201


ASM:
Code:
WRA1:D322 EA 78 D0         ld (d078),a
WRA1:D325 C9               ret

CLEAR A POKEMON BOX

While obtaining 8F there's a slight chance Pokemon in your box will get corrupted and will crash the game upon releasing. One can either deal with it and switch to another box, or make the box empty with this item configuration.

Switch to the corrupted box, use the 8F, done. Be careful though, you probably don't want to clear the box with your L100 legendaries.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
Soda Pop             x64
TM34                 x128
TM18                 x201


ASM:
Code:
WRA1:D322 3E 01            ld a,01
WRA1:D324 3D               dec a
WRA1:D325 40               ld b,b
WRA1:D326 EA 80 DA         ld (da80),a
WRA1:D329 C9               ret

ENDING REMARK: BIG ITEM QUANTITIES?

All of those item lists will have at least one item with quantity bigger than 99. Obviously, it's possible to obtain those big quantities using the Missingno. item duplication glitch (duplicating a 99 item stack will result in a 227 item stack).
However, the numbers bigger than 9 are represented with glitch blobs, so it's normally impossible to read how many items you actually have. This short image guide below will help you with reading quantities of those big item stacks.


* This image uses the Pokemon Center tileset
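As an added example (my own code, not from the thread or from TheZZAZZGlitch's original post), the following Python encodes an item list of the shape used above into the bytes the game runs from $D322, and decodes them back with a table limited to the opcodes this thread's listings use. The item indexes and the TM numbering are taken from the bytes shown beside each list; the function names are my own.

```python
"""Encode an 8F item list to the bytes run from $D322 and decode them back."""
# Added example (not from the thread). Item indexes are the ones the listings
# above pair with each item; TM01 is $C9, so TMnn is $C8 + nn. The opcode table
# covers only the instructions used in this thread's listings, so any other
# byte is reported as unknown instead of being decoded silently.

ITEM_ID = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Poké Ball": 0x04,
    "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Repel": 0x1E, "Fire Stone": 0x20,
    "Carbos": 0x26, "Calcium": 0x27, "X Accuracy": 0x2E, "Full Heal": 0x34,
    "Max Revive": 0x36, "Fresh Water": 0x3C, "Soda Pop": 0x3D,
    "Lemonade": 0x3E, "X Speed": 0x43, "8F": 0x5D,
}

# opcode -> (mnemonic template, operand bytes); n = 8-bit, nn = 16-bit, r = jr offset
OPS = {
    0x04: ("inc b", 0), 0x06: ("ld b,{n}", 1), 0x0C: ("inc c", 0),
    0x0D: ("dec c", 0), 0x0E: ("ld c,{n}", 1), 0x18: ("jr {r}", 1),
    0x1E: ("ld e,{n}", 1), 0x20: ("jr nz,{r}", 1), 0x24: ("inc h", 0),
    0x26: ("ld h,{n}", 1), 0x2B: ("dec hl", 0), 0x2C: ("inc l", 0),
    0x2E: ("ld l,{n}", 1), 0x34: ("inc (hl)", 0), 0x36: ("ld (hl),{n}", 1),
    0x3C: ("inc a", 0), 0x3D: ("dec a", 0), 0x3E: ("ld a,{n}", 1),
    0x40: ("ld b,b", 0), 0x43: ("ld b,e", 0), 0x68: ("ld l,b", 0),
    0x77: ("ld (hl),a", 0), 0xBD: ("cp l", 0), 0xC9: ("ret", 0),
    0xCD: ("call {nn}", 2), 0xE9: ("jp hl", 0), 0xEA: ("ld ({nn}),a", 2),
    0xFA: ("ld a,({nn})", 2),
}

ENTRY = 0xD322  # item #3's index byte, where the bootstrap's "jp hl" lands


def item_id(name):
    """Index byte for an item name; TMs are computed from their number."""
    if name.upper().startswith("TM") and name[2:].isdigit():
        number = int(name[2:])
        if not 1 <= number <= 50:
            raise ValueError(f"no such TM: {name}")
        return 0xC8 + number
    return ITEM_ID[name]


def encode(items):
    """items = [(name, quantity), ...] in bag order, starting at slot 1.

    Slots 1 and 2 (the filler item and 8F itself) sit before $D322 and are not
    executed, so only slots 3 onward are emitted, two bytes each: index, quantity.
    """
    out = bytearray()
    for name, qty in items[2:]:
        if not 1 <= qty <= 255:  # a bag stack cannot hold 0, and 255 is the max
            raise ValueError(f"quantity {qty} for {name} cannot exist in the bag")
        out += bytes([item_id(name), qty])
    return bytes(out)


def disasm(code, base=ENTRY):
    """Decode straight-line code into [(address, mnemonic), ...].

    Stops after ret, jp hl or an unconditional jr, since control leaves the
    item list there. jr targets are resolved to absolute addresses so they can
    be checked against the party-data bootstrap chain (e.g. D166: jr D1B5).
    """
    lines, pc = [], 0
    while pc < len(code):
        op, addr = code[pc], base + pc
        if op not in OPS:
            raise ValueError(f"unknown opcode {op:02X} at {addr:04X}")
        text, size = OPS[op]
        operand = code[pc + 1:pc + 1 + size]
        if len(operand) != size:
            raise ValueError(f"truncated instruction at {addr:04X}")
        if "{r}" in text:               # relative jump: signed 8-bit offset
            offset = operand[0] - 0x100 if operand[0] >= 0x80 else operand[0]
            text = text.format(r=f"{addr + 2 + offset:04X}")
        elif size == 1:
            text = text.format(n=f"{operand[0]:02X}")
        elif size == 2:                 # little-endian 16-bit address
            text = text.format(nn=f"{operand[1] << 8 | operand[0]:04X}")
        lines.append((addr, text))
        pc += 1 + size
        if op in (0xC9, 0xE9, 0x18):
            break
    return lines


# The "FIX THE PLAYER'S NAME" list above; slot 1 is "any item", Master Ball here.
FIX_NAME = [
    ("Master Ball", 1), ("8F", 1), ("TM50", 181), ("TM10", 64), ("TM34", 88),
    ("TM09", 46), ("Calcium", 52), ("X Accuracy", 35), ("Full Heal", 201),
]

if __name__ == "__main__":
    code = encode(FIX_NAME)
    print(code.hex(" ").upper())
    for addr, text in disasm(code):
        print(f"{addr:04X}  {text}")
```

Running it prints the same byte sequence and listing shown under "FIX THE PLAYER'S NAME", which is the check to make before building any list: a wrong quantity shows up as a different mnemonic, or as an unknown opcode.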

Yuzihax

  • two jimmy carters in a trenchcoat
  • Member+
  • Gender: Male
  • yee(t)
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #138 on: November 10, 2014, 08:17:05 pm »
I honestly thought you'd just quoted the OP verbatim. You might want to state outright that you're suggesting changes, it's a little confusing!

At least, it is for me, and that's what I'm fairly sure that post is about. Admittedly, I haven't actually read this thread before now!

luckytyphlosion

  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #139 on: November 10, 2014, 11:56:37 pm »
I really don't see anything different about the post, and it looks like he just quoted the whole original post.

Edit: He added "(example: get Kabuto, omanyte, or Aerodactyl down in Cinnabar)" to the Item Counter Underflow Section, and added more information to the CoolTrainer section. It would also be good to add the much easier Cooltrainer method using Double-Distort, but Item Underflow is probably the best method because you can easily get any item for each script.
« Last Edit: November 11, 2014, 12:01:11 am by luckytyphlosion »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Distinguished Member
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #140 on: November 13, 2014, 04:47:59 am »
> I really don't see anything different about the post, and it looks like he just quoted the whole original post.
>
> Edit: He added "(example: get Kabuto, omanyte, or Aerodactyl down in Cinnabar)" to the Item Counter Underflow Section, and added more information to the CoolTrainer section. It would also be good to add the much easier Cooltrainer method using Double-Distort, but Item Underflow is probably the best method because you can easily get any item for each script.

>TFW someone thinks a forum is a wiki.

I saw the giant quote and nothing else, and was going to delete the post entirely before I saw the replies to it.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

eironeia

  • GCLF Member
  • how is babby formed
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #141 on: November 17, 2014, 12:10:54 am »
Maybe someone finds a use for this. This code maxes out stat exp and DVs for all stats of the first Pokémon in the current PC box. It uses an absolute address and works only for the European versions of the game, but has only been tested using the German version.

It does use copious amounts of throwaway inc b instructions to make expressing it in items easier, so there's a good chance it can be optimized in size or require fewer items with high quantities.

Code:
; In C without throwaway increments:
; a = 0xb8;
; h = 0xda;
; l = 0xac;
; do {
;     *((h << 8) | l) = 0xff;
;     l++;
; } while (l != a);

ld a, $b8    ; 3E B8
ld h, $da    ; 26 DA
ld l, $ac    ; 2E AC

ld (hl), $ff ; 36 FF
inc b        ; 04, throwaway (Poké Ball)
inc l        ; 2C
inc b        ; 04, throwaway (Poké Ball)

cp l         ; BD
jr nz, $f8   ; 20 F8
inc b        ; 04, throwaway (Poké Ball)
ret          ; C9

Or expressed in items:
  • Lemonade x184 (3E B8)
  • Carbos x218 (26 DA)
  • X Accuracy x172 (2E AC)
  • Max Revive x255 (36 FF)
  • Poké Ball x44 (04 2C: inc b, inc l)
  • Poké Ball x189 (04 BD: inc b, cp l)
  • Fire Stone x248 (20 F8)
  • Poké Ball x201 (04 C9: inc b, ret)
« Last Edit: November 17, 2014, 12:12:18 am by eironeia »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Distinguished Member
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #142 on: November 17, 2014, 10:55:18 am »
> works only for the European versions of the game, but has only been tested using the German version.

To convert from a DE/FR/IT/ES WRAM address to an EN one, subtract 5.

Rena

  • Sentient Glitch
  • GCLF Member
  • Object event.
Debug Mode
« Reply #143 on: December 25, 2014, 04:56:52 am »
Here's a fun one, based on Wack0's "set any address to anything":
Debug Mode:

Code:
ld a,$03
ld l,$32
ld h,$D7
inc b
ld (hl),a
inc a
ret

3E 03 2E 32 26 D7 04 77 3C C9

Starting from item #1:
Any Item    xAny
8F          xAny
Lemonade    x  3
X Accuracy  x 50
Carbos      x215
Poké Ball   x119
Fresh Water x201


This sets a flag in address $D732 (bit 1) that enables some nice debug functions:

  • When starting a new game, skips most of Oak's opening sequence. (Uses the default names NINTEN and SONY.)
  • When starting a new game, you start outside your house instead of in your room.
  • Holding B prevents random encounters.
The last one is the only one we really can see because unfortunately the flag gets reset at new game. It saves, though, so after executing this and saving the game, the effect remains indefinitely. As far as I know, the only things that reset this flag are starting a link battle or starting a new game. (Possibly forced bike/surf areas might affect it too?)

BTW, does ws m work in Red/Blue? When I use it, it says the PC box is full.
« Last Edit: December 25, 2014, 05:03:10 am by Rena »
2 ERROR.
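An added example (my own code, not Rena's or Wack0's) that generates the item list above for any WRAM address and value, plus a variant of my own that sets a single bit with ld hl,nn / set b,(hl) instead of overwriting the whole byte. It assumes Thunderstone has index $21 (the ld hl,nn opcode), applies Wack0's earlier "subtract 5" rule in reverse for the European releases, and uses function names of my own.

```python
"""Generate an 8F item list that writes one WRAM byte, after Rena's Debug Mode list."""
# Added example (not from the thread). poke_items generalises the list above
# (Wack0's "set any address to anything" shape that Rena used):
#   ld a,VAL / ld l,LO / ld h,HI / inc b / ld (hl),a / inc a / ret
# set_bit_items is a variant of my own that flips a single bit instead:
#   ld hl,ADDR / set BIT,(hl) / ret
# Item indexes are the ones the listings in this thread pair with each item,
# plus Thunderstone = $21 for "ld hl,nn". The EU rebase applies Wack0's note
# (EN WRAM address = EU address minus 5) in reverse; that it holds for every
# address is an assumption.

EU_OFFSET = 5
# Index -> name for the items these templates place in index (odd) positions.
ITEM_NAME = {0x04: "Poké Ball", 0x21: "Thunderstone", 0x26: "Carbos",
             0x2E: "X Accuracy", 0x3C: "Fresh Water", 0x3E: "Lemonade"}


def item_name(index):
    """Name of a real item with this index, or None (glitch items are left out,
    since they cannot be bought or found the normal way)."""
    if 0xC9 <= index <= 0xFA:        # TM01 = $C9 ... TM50 = $FA
        return f"TM{index - 0xC8:02d}"
    return ITEM_NAME.get(index)


def rebase(addr, region):
    """Shift an English-version WRAM address to the requested release."""
    if region == "EU":
        addr += EU_OFFSET
    elif region != "EN":
        raise ValueError("region must be EN or EU")
    if not 0xC000 <= addr <= 0xDFFF:
        raise ValueError(f"{addr:04X} is not a WRAM address")
    return addr


def poke_items(addr, value, region="EN"):
    """Items for bag slots 3.. that store value at addr (English address given).

    Every variable byte lands in a quantity slot; a quantity of 0 cannot exist
    in the bag, so a zero value or a zero address byte is rejected up front.
    """
    addr = rebase(addr, region)
    hi, lo = addr >> 8, addr & 0xFF
    for label, byte in (("value", value), ("low address byte", lo), ("high address byte", hi)):
        if not 1 <= byte <= 0xFF:
            raise ValueError(f"{label} {byte:02X} cannot be a bag quantity")
    return [("Lemonade", value),      # 3E VAL  ld a,VAL
            ("X Accuracy", lo),      # 2E LO   ld l,LO
            ("Carbos", hi),          # 26 HI   ld h,HI
            ("Poké Ball", 0x77),     # 04 77   inc b / ld (hl),a
            ("Fresh Water", 0xC9)]   # 3C C9   inc a / ret


def set_bit_items(addr, bit, region="EN"):
    """Items that set one bit of the byte at addr and leave the other seven alone.

    Bytes: 21 LO HI / CB (C6 + 8*bit) / C9. HI and the second "set" byte fall in
    index slots, so both must be real items: HI must be a TM index (D0..DF
    covers $D000-$DFFF) and C6 + 8*bit is a TM only for bits 1 to 6.
    """
    addr = rebase(addr, region)
    hi, lo = addr >> 8, addr & 0xFF
    if not 0 <= bit <= 7:
        raise ValueError("bit must be 0..7")
    if lo == 0:
        raise ValueError("low address byte 00 cannot be a bag quantity")
    hi_item, set_item = item_name(hi), item_name(0xC6 + 8 * bit)
    if hi_item is None or set_item is None:
        raise ValueError(f"bit {bit} at {addr:04X} needs an index that is not a real item")
    return [("Thunderstone", lo),    # 21 LO   ld hl,ADDR (low byte first)
            (hi_item, 0xCB),         # HI CB   ...high byte, then the CB prefix
            (set_item, 0xC9)]        # Cx C9   set bit,(hl) / ret


def debug_mode_items(region="EN"):
    """Rena's list above: value 03 into $D732."""
    return poke_items(0xD732, 0x03, region)
```

For $D732 the bit-setting variant comes out as Thunderstone x50, TM15 x203, TM06 x201, three items instead of five, and it does not clear whatever else is already stored in that byte.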

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #144 on: December 25, 2014, 12:31:52 pm »
Cool, thanks Rena. The more 8F codes the merrier :D.

No, ws m can't be used to activate arbitrary code in Red and Blue, because its effect pointer is 65B1 (in ROM). It can only be used to activate arbitrary code in Yellow, where it runs WRAM DA7F.

However, as memdump shared, there is an item called -g m that executes code from WRAM DA47 in Red/Blue, and if you don't have bad Day Care data or number of Safari Balls data, you can make the code fall through to DA80 and use Pigdevil2010's latest Yellow stored party Pokémon bootstrap code, but with one small change: Onix instead of Growlithe so the code goes to D322 instead of D321.
« Last Edit: December 25, 2014, 12:34:07 pm by Torchickens »


luckytyphlosion

  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #145 on: December 25, 2014, 04:23:24 pm »
By using map script pointer, would it be possible to create a code to make mew appear under the truck :o? (actually it is possible, it's just no one has made a code yet)

EDIT: This code won't work because you can't walk while the game is running through your custom script pointer. Possibly replace it with a "check sprite" piece of code instead?

I have some code for a "make mew appear under the truck" code here, but I need help on sprite related aspects and a text pointer.

Code:
; make mew appear under the truck
ld a,[$d35e] ; make sure that you're on the ss anne map with the truck
cp a,$5e
ret nz
ld hl, $d728 ; used strength address
bit 0,(hl)
ret z ; return if not using strength
ld hl,$c109 ; player facing direction
ld a,(hl) ; load address value into a
cp a,$08 ; is player facing right?
ret nz ; return if not facing right
ld a,[$d35f] ; top left pointer blocks comparison because I can't
cp a,$08 ; figure out how GetCoordsAndTileinFrontOfPlayer works (help pls)
ret nz
ld a,[$d360]
cp a,$c6
ret nz
ld a,[$d363] ; compare block coords (there is no "ld b,[addr]" on the Game Boy:
and a        ; only a can be loaded from an absolute address, so test each byte for zero in a)
ret nz
ld a,[$d364]
and a
ret nz
call $0bd1 ; collision check
ret nc ; return if no collision (collision check sets carry)
; insert sprite data and stuff here
; replace truck block with regular dock block, then make the truck into two sprites
; move each sprite one left
; place a slowbro sprite on the empty space where the truck is
; text pointer for slowbro sprite points to "Mew!"
; starts battle after (can be cheap and set W_ISINBATTLE/d057 to 1)
; set W_CUROPPONENT to $15
; end text pointer
« Last Edit: December 25, 2014, 05:13:08 pm by luckytyphlosion »

Rena

  • Sentient Glitch
  • GCLF Member
  • Object event.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #146 on: December 26, 2014, 03:14:10 am »
That would be a pretty sophisticated hack to pull off with ACE. You'd need to store that all somewhere; it'd probably be longer than the inventory, so you'd need a second stage bootstrap to read values into some other buffer (maybe save RAM?) and then resume execution as normal.

You could save some space by reusing Mewtwo's text (when you speak to him, he says "Mew!") and by not bothering to turn the truck into a sprite (just update the map to move the truck tiles, or even just flash the screen and have Mew appear as soon as you push the truck). It might not look quite as good but it'd probably be much easier to pull off. Also it's enough to set W_CUROPPONENT (D059 in Red/Blue) to trigger an encounter; you don't have to set W_ISINBATTLE. (You'd want to set their level, though.)

IIRC, the map script pointer in gen 1 is just a pointer to code that gets called every frame (and maybe a counter?), so you'd have to point that to your new function (and maybe also call the original script after yours finishes). I don't know about walking while the script is running; there's probably a flag that you can set. Or you might be able to take over the animation function; IIRC that's also just a pointer to a function.

Also, see here for an example of GetTileAndCoordsInFrontOfPlayer(). (It just sets some global variables. I don't remember if it also returns something in the registers.)
« Last Edit: December 26, 2014, 03:16:29 am by Rena »

luckytyphlosion

  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #147 on: December 26, 2014, 10:58:01 am »
You could probably use box data for the code; I don't think it'll be that long. You could also use a custom text pointer manip from RAM (but I don't know exactly how that would work), and have it put values into "W_CUROPPONENT" through script mode.

I don't think there's any special map script pointer for SS anne (maybe when you leave the boat and you have the boat cutscene) and space isn't much of a problem either, because of box data.

Panda

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #148 on: January 28, 2015, 12:44:06 pm »
I'm new here, but I thought I'd register to let you know about this:

http://gbatemp.net/threads/injecting-roms-into-vc-with-only-the-web-browser-sure.379760/

With this knowledge of injecting roms into vc games, what would happen if we were to trigger arbitrary code in a rom swapped Pokemon Blue?

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Distinguished Member
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #149 on: January 28, 2015, 02:05:55 pm »
> I'm new here, but I thought I'd register to let you know about this:
>
> http://gbatemp.net/threads/injecting-roms-into-vc-with-only-the-web-browser-sure.379760/
>
> With this knowledge of injecting roms into vc games, what would happen if we were to trigger arbitrary code in a rom swapped Pokemon Blue?

You'd get arbitrary code execution in the emulator. That's it.