Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 392390 times)


Quibz

  • GCLF Member
  • Gender: Male
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #165 on: May 21, 2015, 07:49:36 pm »
I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #166 on: May 22, 2015, 11:12:16 am »
Quote from: Quibz
I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.

In hex this is: (0C/0D) 2B 34 C9

and in gb asm (which I helpfully commented):

Code:
inc c / dec c ; does nothing useful
dec hl ; decrease hl - it did contain a pointer to item #3 index*, it now contains a pointer to item #2 quantity
inc [hl] ; increase the memory address pointed to by hl - in this case item #2 quantity
ret

* All bootstrap code to jump to item #3 that I've seen puts <address of item #3> in hl and then does jp hl.

If you had Ice Heal x43, Burn Heal x43, Full Heal x201 it'd increase the index number of item #2.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Quibz

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #167 on: May 22, 2015, 09:05:21 pm »
Thanks Wack0. So it's safe to use then?

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #168 on: May 23, 2015, 04:15:12 am »
Quote from: Quibz
Thanks Wack0. So it's safe to use then?
Yes.

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #169 on: May 25, 2015, 02:07:46 am »
Hello,

I was thinking about the invalid encounter flag method to get 8F. Obviously you turn hex:4D (Good Rod) into hex:5D (8F). This method to get an item seems a little rough (especially if you can perform the cooltrainer corruption, that means you should be able to trigger item underflow, which is an easier way to get an item), but it still has some interest. Does that mean you could use the cooltrainer corruption to get ANY item?

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

luckytyphlosion

  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #170 on: May 25, 2015, 10:08:28 am »
The Pokemon used to get 8F through Cooltrainer distort can only mutate items up to index 0x5F, or the glitch item 10F. So no, you cannot use Cooltrainer corruption to get any item.

Doom Mortal

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #171 on: May 25, 2015, 12:20:14 pm »
Hello everyone,

First, I want to thank all of you who contributed to that amazing discovery, especially TheZZAZZGlitch.

I'm currently trying to manipulate the move of the first Pokemon in the Box, but it doesn't work. After using 8F, the first move of the Pokemon is TM08.

I have successfully tested the GSCode to do that with an emulator.
I'm playing the German Pokemon Blue version.

Here are the GSCodes:
01|69|9E|DA English
01|69|A3|DA German

I have converted the GSCode into the Pattern that Wack0 http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609 has posted.

Here is my code:
Code:
Any Item
8F
Lemonade     x105
X-Accuracy   x163
Carbon       x218
Pokeball     x119
Fresh Water  x201

What is wrong with the code?
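As an added example (not code from the thread or from any project), the following Python decoder covers both Wack0's hex/asm breakdown in Reply #166 and Doom Mortal's GameShark-to-item conversion in Reply #171: it lays a bag out as the (item index, quantity) byte pairs the game stores, disassembles the few GB opcodes these setups rely on, and builds the five-item list for a 01XXLLHH GameShark write. The item indices and opcode table are the real Gen I values; the function names are my own, and the English item names are used (Carbos for the German Carbon).

```python
# Constructed example for this thread (not code from the forum or any project).
# A Gen I bag slot is two bytes, item index then quantity, so once 8F jumps
# into the bag those pairs are fetched and executed as GB opcodes.

# Gen I item indices for the items used on this page.
ITEM_INDEX = {
    "Poke Ball": 0x04, "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Full Heal": 0x34, "Fresh Water": 0x3C, "Lemonade": 0x3E,
}

# Opcode -> (mnemonic, number of immediate bytes); only what these setups use.
OPCODES = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0D: ("dec c", 0),
    0x26: ("ld h, ${}", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l, ${}", 1),
    0x34: ("inc [hl]", 0), 0x3C: ("inc a", 0), 0x3E: ("ld a, ${}", 1),
    0x77: ("ld [hl], a", 0), 0xC9: ("ret", 0),
}

def bag_to_bytes(items):
    """items: [(name, quantity)] in bag order, starting with the slot after 8F."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out += bytes([ITEM_INDEX[name], qty])
    return bytes(out)

def disassemble(code):
    """Linear sweep from the first byte; stops at ret, as the real jump would."""
    listing, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} at offset {i} is not in the table")
        mnem, n_imm = OPCODES[op]
        imm = code[i + 1:i + 1 + n_imm]
        if len(imm) < n_imm:
            raise ValueError("immediate operand runs past the end of the bag")
        listing.append(mnem.format(*(f"{b:02X}" for b in imm)))
        i += 1 + n_imm
        if op == 0xC9:
            break
    return listing

def gameshark_to_bag(code):
    """01XXLLHH writes XX to HHLL: ld a,XX / ld l,LL / ld h,HH / ld [hl],a / ret."""
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("expected an 8-digit GameShark code starting with 01")
    xx, ll, hh = (int(code[k:k + 2], 16) for k in (2, 4, 6))
    return [("Lemonade", xx), ("X Accuracy", ll), ("Carbos", hh),
            ("Poke Ball", 0x77), ("Fresh Water", 0xC9)]
```

Running `disassemble(bag_to_bytes(gameshark_to_bag("0169A3DA")))` shows the German code writing $69 to $DAA3, while the English code 01699EDA targets $DA9E, five bytes lower, which is the offset the later replies point to.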

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #172 on: May 25, 2015, 01:32:31 pm »
You're definitely using the right quantity of Lemonades?

Doom Mortal

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #173 on: May 25, 2015, 01:47:42 pm »
Yes, it is the right quantity of Lemonade. :(

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #174 on: May 25, 2015, 05:04:06 pm »
Quote from: Doom Mortal
Yes, it is the right quantity of Lemonade. :(

That's odd.

0x69 = 0b01101001
0xD0 (identifier of TM08 move) = 0b11010000

Are you able to set a breakpoint on write to $DAA3 and then use 8F?

luckytyphlosion

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #175 on: May 26, 2015, 05:20:35 pm »
Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.

luckytyphlosion

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #176 on: May 26, 2015, 07:40:31 pm »
Also something unrelated to the above problem: A very compact 8F bootstrap that can be achieved WITHOUT ACE!

Compact 8F Setup

Pokémon in Party:
6 Pokemon
<Anything>
Tentacool
Electabuzz
<Anything from here on>


Once you have the necessary Pokémon, do either one of the below options:

Cheating method:
Set D91C/E/F to C324D3

Not Cheating method:
* Set up the inventory to this, from the top:

Code:
Great Ball x155
TM09 x0
Antidote x195
Protein x211
Ether x80

TEXTCODE:
Code:
WRA1:D320 03 9B D1      ; repoint text to address d19b
WRA1:D323 00            ; print a string
WRA1:D324 0A C3 24 D3   ; print characters 0A, C3, 24, and D3 to address d19b. 0A does not matter.
WRA1:D328 50            ; end text printing mode
WRA1:D329 50            ; end text command mode

* Then, acquire item underflow, either with the Dry Underflow method or the Fresh Water/Fossil Method.

* Go to Route 6.

* Swap a Repel x211 into the Text Pointer slot (Represented by TM01 x80)

* Talk to the guy talking to the girl.

* You now have a working compact 8F setup, as long as you have 6 Pokemon in the Party, and the specially crafted Tentacool and the Electabuzz are in the 2nd and 3rd slot respectively.
« Last Edit: May 26, 2015, 07:51:01 pm by luckytyphlosion »

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #177 on: May 27, 2015, 01:51:56 am »
Quote from: luckytyphlosion
Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.

I posted one earlier in the thread.

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #178 on: May 27, 2015, 04:19:14 am »
I had the same problem with my French game. See this post by Torchickens about the fact that you have to add 5 to any RAM address in European versions :)


Doom Mortal

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #179 on: May 27, 2015, 12:00:24 pm »
Sorry for the delay. I was preparing the Pokemon team and items on my PC for testing with the debugger.

But I see you were all on the right track.

I substituted Onix with Graveler and now it works.

It is weird because I tested the old constellation successfully with a MAX DV/EV item list.

Thank you very much Wack0, luckytyphlosion, Krys3000. :D