Topic: Arbitrary code execution in Red/Blue using the "8F" item


Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #180 on: May 28, 2015, 12:49:11 pm »
Happy that your problem is solved  ;)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Trevor

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #181 on: June 04, 2015, 03:07:22 am »
one problem solved, next problem here  :P

Hi everybody,

I'm currently trying to obtain the 8F item using invalid encounter flags (because I have no event that takes an item away, and I don't feel like playing the main story all over again...).
The problem has to do with that Ditto with the Cooltrainer attack: when trying to use the attack in game, I need to click 3 times on "FIGHT" and then again 3 times to read the next "you have no moves for this attack left".
Also, after a few tries the game crashes and I have to restart.

But normally, as I read it, it should just do nothing; you should be able to do this as often as you want, and also without crashes. Additionally, you should only need to click one time on "FIGHT".

To get that Cooltrainer Ditto I just encountered a wild Pokémon, transformed into it, switched attacks 1 and 2 and then ran away from the battle - that's it.

PS: I'm using Pokemon Blue

Thanks for help :)
« Last Edit: June 04, 2015, 03:17:38 am by Trevor »

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #182 on: June 04, 2015, 08:41:27 am »
Quote
I'm currently trying to obtain the 8F item using invalid encounter flags (because I have no event that takes an item away, and I don't feel like playing the main story all over again...).

Actually you don't need an event anymore. There is a "dry" variation of the item underflow glitch, for which all you need is a stack of 255 X Special. You can get it with MissingNo. using the glitch of your choice. Moreover, if the invalid encounter flag method works, it means the cooltrainer corruption works for you, so that you can encounter a MissingNo. This invalid encounter flag method is obsolete, you should not use it.

The item underflow glitch requires you to have this:

French screen: Special + is X Special, and the first two items are useless.

Toss the first two useless items; you will have this:

Toss several 255x of the first item until you only have access to two items. Toss 253 of that first X Special stack and switch items 1 and 2 twice. You should have X Special x0, like this:

Item underflow will be active. Now go there (near Celadon):

Toss 255 X Special again, and switch the remaining X Special with the Nugget in 35th position. 5 steps right, 5 steps down, 20 steps right, and open the item menu to see 8F, which you can switch to a "normal" place (e.g. first place). Fly back to Celadon and buy items to fix the item menu.

If you still wanna use the invalid encounter flags, you don't need to USE the attack to trigger the corruption. Just enter/exit the FIGHT menu until it works.

Fact is, Cooltrainer corruption doesn't always work; it depends on the values of some RAM addresses. You will find here TheZZAZZGlitch's methods to maximize the chances. I can tell you that the "renaming party + open unused box" method works very well.

Good luck !


Trevor

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #183 on: June 05, 2015, 04:10:08 pm »
Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.

But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the ASM code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?
Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leader's? That music is more fun to listen to :P
And finally a code where you can modify the species and the level of the Pokémon you battle would also be nice (modified "CATCH 'EM ALL" SCRIPT) :)


Ported codes:
Codes for Inventory slot 2 item ID and item count modifier stay the same, because no imm. values are used.

GYM LEADER MUSIC PLAYS FOR NEXT BATTLE R/B EUROPE(NON-ENGLISH)
Use this outside of battle to make the next battle play the Gym Leader theme.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x97
TM08                 x201

ASM:
Code:
WRA1:D327 EA 61 D0         ld (d061),a
WRA1:D32A C9               ret


"CATCH 'EM ALL" SCRIPT R/B EUROPE(NON-ENGLISH)

ITEM LIST (starting from the first slot):
* Preferably Master Balls
* 8F
TM50                 x36
TM11                 x4
TM34                 x94
TM08                 x201

ASM:
Code:
WRA1:D327 FA 24 D3         ld   a,(D324)
WRA1:D32A 04               inc  b
WRA1:D32B EA 5E D0         ld   (D05E),a
WRA1:D32E C9               ret


WALK THROUGH WALLS R/B EUROPE(NON-ENGLISH)
Jump off a ledge after using 8F to walk through walls.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x25
TM15                 x201

ASM:
Code:
WRA1:D327 EA 19 D7         ld (d719),a
WRA1:D32A C9               ret


ESCAPE FROM A TRAINER BATTLE R/B EUROPE(NON-ENGLISH)
This turns 8F into an item which allows escaping from any battle, including trainer battles.

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM34                 x125
TM08                 x201

ASM:
Code:
WRA1:D327 EA 7D D0         ld (d07D),a
WRA1:D32A C9               ret


CATCH OTHER TRAINER'S POKEMON R/B EUROPE(NON-ENGLISH)
Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle.
You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

ITEM LIST (starting from the first slot):
* Any item
* 8F
Lemonade             x1
TM34                 x92
TM08                 x201

ASM:
Code:
WRA1:D327 3E 01            ld a,01
WRA1:D329 EA 5C D0         ld (D05C),a
WRA1:D32C C9               ret
« Last Edit: June 05, 2015, 04:29:35 pm by Trevor »

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #184 on: June 06, 2015, 12:47:28 am »
Quote
Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.

I guess this is the reason why TheZZAZZGlitch wrote a warning asking for newcomers to read beyond the first post. But, yes, I think it is necessary and would be useful to add the dry underflow to this post.

Quote
But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the ASM code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?

I don't understand well what your problem is.

To create 8F codes for European versions, the only thing you need outside of the RAM map (for which you need to add 5 to every address) is a list of Game Boy opcodes. Their match with hex values is the same regardless of the game's localization. Understanding basic opcodes is not complicated, but you might find some help here, and I have also written an article about it, but it's in French.

However, you must also know that, even if it's fun to create new codes, there is a much easier way to deal with 8F: GameShark code simulation. Using it with the following items will trigger the GameShark code 01xxyyzz in European versions:

Any item
8F
Lemonade *xx
TM34 *yy
[item which hex value is zz] *201 (=> Comprehensive big list)

Don't forget quantities are decimal values. You must get 18 Lemonades if your xx is 12. If the zz item appears to be a glitch item, or if you need a high quantity of some item, you can use the underflow to get them (using the Celadon loop, for example). You can also simulate the GameShark code which changes the first item:

Item you want to change (eg pokeball)
8F
Lemonade *hex value of the glitch item you want to get (in decimal of course)
TM34 *17
TM11 *201

By activating 8F, you will change the first item into your glitch item. Quantity remains the same. Another solution is to use the "morphing second item" code in its European version:

8F
Item which will be changed
Burn Heal x43
Ice Heal x43
Full Heal x201

Every time you activate 8F, the second item will lose a hex, and keep its quantity. With all this, you should not be facing any problem.

Quote
Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leader's? That music is more fun to listen to :P

This audio track is hex:F3 of bank hex:08 according to the RAM map. If you want to use a "normal" 8F code rather than GameShark simulation, there must be a way to do it by manipulating the audio channel into those values.

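
The GameShark simulation above, as an added Python example (not Krys3000's code or anything from the thread): it encodes an item list into the bytes 8F executes, expands a code 01xxyyzz into the Lemonade/TM34/[item zz] x201 list, and disassembles the result so the quantities (decimal on the item screen, hex for the CPU) can be checked before they are set up on a save. Assumed: Gen I item IDs (TM01 = $C9, so TMxx = $C8 + xx), and a disassembler table holding only the opcodes used in this thread.

```python
# Added example, not code from the thread: encode an 8F item list into the
# bytes the Game Boy CPU executes, expand a GameShark code 01xxyyzz into the
# Lemonade/TM34/[item zz] x201 list described above, and disassemble the result
# so a list can be checked before it is tried on a save. Item IDs are the Gen I
# values (TM01 = $C9, so TMxx = $C8 + xx); the disassembler knows only opcodes
# that appear in this thread and raises on anything else.

ITEM_IDS = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Poké Ball": 0x04, "Burn Heal": 0x0C,
    "Ice Heal": 0x0D, "Awakening": 0x0E, "Repel": 0x1E, "HP Up": 0x23, "Iron": 0x25,
    "X Accuracy": 0x2E, "Full Heal": 0x34, "Soda Pop": 0x3D, "Lemonade": 0x3E,
    "X Speed": 0x43, "X Special": 0x44,
}
for _n in range(1, 51):
    ITEM_IDS[f"TM{_n:02d}"] = 0xC8 + _n
ID_TO_ITEM = {v: k for k, v in ITEM_IDS.items()}

# opcode -> (mnemonic with '{}' for the operand, operand size in bytes)
MNEMONICS = {
    0x02: ("ld (bc),a", 0), 0x04: ("inc b", 0), 0x05: ("dec b", 0), 0x0C: ("inc c", 0),
    0x0D: ("dec c", 0), 0x0E: ("ld c,${}", 1), 0x1E: ("ld e,${}", 1), 0x23: ("inc hl", 0),
    0x26: ("ld h,${}", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l,${}", 1), 0x34: ("inc (hl)", 0),
    0x3C: ("inc a", 0), 0x3D: ("dec a", 0), 0x3E: ("ld a,${}", 1), 0x40: ("ld b,b", 0),
    0x43: ("ld b,e", 0), 0x77: ("ld (hl),a", 0), 0x78: ("ld a,b", 0), 0x79: ("ld a,c", 0),
    0xC9: ("ret", 0), 0xCD: ("call ${}", 2), 0xEA: ("ld (${}),a", 2), 0xFA: ("ld a,(${})", 2),
    0xFF: ("rst $38", 0),
}


def items_to_bytes(items):
    """(item name or raw ID, quantity) pairs, starting at the slot where execution
    begins -> the byte stream: each slot is one ID byte followed by one quantity byte."""
    out = bytearray()
    for item, qty in items:
        item_id = item if isinstance(item, int) else ITEM_IDS[item]
        if not 0 <= qty <= 255:   # x0 is only reachable through underflow; x255 is the cap
            raise ValueError(f"{item}: quantity {qty} does not fit in one byte")
        out += bytes([item_id, qty])
    return bytes(out)


def gameshark_to_items(code):
    """'01xxyyzz' (write xx to RAM address zzyy) -> item list that assembles to
    ld a,xx / ld (zzyy),a / ret, i.e. Lemonade x(xx), TM34 x(yy), [item zz] x201.
    Quantities come back as plain integers: xx=$12 means 18 Lemonades."""
    code = code.replace(" ", "").upper()
    if len(code) != 8 or not code.startswith("01"):
        raise ValueError("expected a GameShark code of the form 01xxyyzz")
    xx, yy, zz = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    item_zz = ID_TO_ITEM.get(zz, zz)   # raw ID when it is not a named item in this table
    return [("Lemonade", xx), ("TM34", yy), (item_zz, 201)]


def disassemble(code):
    """Bytes -> list of instructions, stopping after the first 'ret'."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in MNEMONICS:
            raise ValueError(f"opcode ${op:02X} at byte {i} is not in this example's table")
        text, size = MNEMONICS[op]
        if i + 1 + size > len(code):
            raise ValueError(f"operand of ${op:02X} at byte {i} runs past the end")
        operand = code[i + 1:i + 1 + size]   # Game Boy operands are little-endian
        arg = f"{int.from_bytes(operand, 'little'):0{2 * size}X}" if size else ""
        out.append(text.format(arg))
        i += 1 + size
        if op == 0xC9:
            break
    return out


def simulate_gameshark(code):
    """Item list for a GameShark code plus the disassembly of what 8F would run."""
    items = gameshark_to_items(code)
    return items, disassemble(items_to_bytes(items))
```

Feeding the German sound-test list from later in the thread through `items_to_bytes` and `disassemble` reproduces its byte string and listing, which is the check this is for.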

Princess Torchic ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #185 on: June 06, 2015, 08:22:26 am »
Quote
how could one figure out what the call addresses in other languages of the games are? Is there like a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?

The call addresses are ROM pointers that contain existing code to execute (these functions are called routines). "Call" tells the game to execute this code and return to what it was doing (e.g. if your code has call 3E62 ld a,01; the game will run the code at ROM pointer 3E62 and go back to run ld a,01 after it has finished (unless where it goes back wasn't corrupted)).

Some of the pointers for routines can be found in the Pokémon Red disassembly (e.g. SetIshiharaTeam: ; 64ca (1:64ca).

Sadly there is no consistent way to port English ROM pointers to other languages. However, because the games are similar, you can find them with the BGB debugger and a hex editor using the method I'll show below.

Let's try to find the equivalent of Red's 3E48 (give Pokémon) for German Red:

With English Red open, go on to BGB, right click on the game and choose Other>Debug. Then right click, select "Go to..." and enter 3E48.

You should get this, which is what code the give Pokémon routine is made up of.

Leave the window open because we will need to remember the numbers (like 78) next to the ASM instructions (like ld a,b).

Now, open up a hex editor such as HxD (it's freeware) for German Red and use your hex editor's search function (search>find for HxD). Choose to find hex values and enter the values that you think will be shared for the other language's routine.

Note that the values greater than in brackets may be +5 in the non-English European version, except for things in the ROM (values lower than 8000) and specific memory addresses like CD38, C0EF, C0F0 - I'm not sure of the specifics of which addresses get changed and which addresses do not get changed, it may be earlier RAM (CXXX) values.

The start of the routine has 78 EA 91 CF 79; so we can try searching for 78 EA 96 CF 79 (EA 96 CF because there is a "ld (CF91),a").

This resulted in one match which was at address 3E62.

If the address in the hex editor is less than 0x3FFF, you don't have to do anything with it to turn it into a pointer (*), and you don't have to use the bank switch routine.

So in TheZZAZZGlitch's alternative catch 'em all, CD 48 3E (call 3E48) must be replaced with CD 62 3E (call 3E62).

Sometimes a search may give more than one result, in which case you could try checking what you think is the right routine with the most similar code in the BGB debugger, then test your code with S7, or you could try a search for different values.

These items from item 3 will work with the modified Pokémon set up (Graveler instead of Onix) for non-English European versions:

Schutz x(Pokémon index)
X-Tempo x14
Hyperball x64
TM05 x98
Lemonade x201

i.e. 1E xx 43 0E 02 40 CD 62 3E C9 FF

Quote
Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leader's? That music is more fun to listen to :P

Yes. You can do this either by calling a play music routine with the correct register values (register 'a'=tune and register 'c'=bank) or by modifying both the memory address CFCC (CFC7 in English Red) and the addresses C0EF, C0F0.

CFCC forces the game to play a tune based on the ID you choose. C0EF, C0F0 changes the music bank value (either 02, 08 or 1F; 20 is used for a few tracks exclusively in Yellow).

Here are all the tune ID and bank ID values.

I originally made a sound test program using the former method. It resets the tune ID and bank ID values back to 0 after you play the tune, so you can select all other tunes afterwards by tossing the quantities.

https://www.youtube.com/watch?v=DZiMfJJT2So

The code for the English version:

Lemonade x(tune ID)
Awakening x(bank ID)
TM05 x161
HP Up x62
Ultra Ball x61
Soda Pop x5
TM34 x35
TM11 x4
Poké Ball x234
Iron x211
TM01 x(anything)

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 23 d3 04 04 ea 25 d3 c9

Code:
ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D323),a - item 3 quantity =a (00)
inc b
inc b
ld (D325),a - item 4 quantity =a (00)
ret

The only things you have to do here are check the equivalent of 23A1 (using the debugger and hex editor) and change D323/D325 to D328/D32A, and there was one situational problem.

The situational problem: 2A was represented as a Helix Fossil and it's not good to have key items with quantities over one. So I used some alternate code without key items or duplicate stacks.

Often when you want to not use a key item, you can use a one byte opcode to manipulate some registers that you aren't using for your code so that they take the place of an item (e.g. inc b is represented as a good item; a Poké Ball). This page has a list of opcode IDs.

Equivalent pointer: Using the method I showed you above, it turns out that basically the same routine (ignoring memory address changes) is also at 23A1 in the German Red, so you don't have to change it.

(Note that this is not the case for every language; in the French version that routine is at 239D).

The following code will work for the German version:

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 28 d3 04 2e 2a 04 77 c9

Limonade x(tune ID)
Aufwecker x(bank ID)
TM05 x161
KP-Plus x62
Hyperball x61
Sprudel x05
TM34 x40
TM11 x04
X-Treffer x42
PokéBall x119
TM01 x(any)

Code:
ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D328),a - item 3 quantity =a (00)
inc b
ld l,2A  - hl=D32A
inc b
ld (hl),a - item 4 quantity =a (00)
ret

So to play Champion music for example, this tells us the bank ID is 08 and the tune ID is $F3; hence you'd need Limonade x243 (hex:F3) and Aufwecker x8.

Quote
And finally a code where you can modify the species and the level of the Pokémon you battle would also be nice (modified "CATCH 'EM ALL" SCRIPT) :)

I was working on one but found it hard to get good items for execution, I'm afraid. I may come back to this another time, or maybe TheZZAZZGlitch can help. Sorry.


(*): About banks - the give Pokémon function does not require a bank switch (and knowledge of how to convert a Game Boy offset into a pointer):

If the address in the hex editor is greater than $3FFF, it has something called a bank (greater than 0); and our pointer (call/jump value) is no longer necessarily the same as a hex editor address (offset).

The game can run from "bank 0" (pointers $0000-3FFF e.g. "give Pokémon") all of the time, but not data from other banks without the game changing banks (in games that support it, Pokémon included) if it is currently on the wrong bank.

The bank is this address divided by $4000, rounded down to the nearest whole number; for example, offset $0F807A contains code that will run Pikachu's Beach in Yellow. $0F807A/$4000 rounded down equals 3E, so the bank is 3E.

If you wanted to run the code at $0F807A, you would have to make the game change banks before running it because the game won't be running on bank 3E when ws m is used.

The 3E is the first byte of a three byte pointer (3E:XXXX). There are two other bytes to the pointer (XXXX) and this represents the pointer you will call, like how we call 3E48 (3E62 on German version) for the give Pokémon function.

To work out bytes 2 and 3 of the pointer, you can do Offset-(0x4000*Bank)+0x4000; so for Pikachu's Beach: ($F807A-$F8000)+$4000; which is $407A.

Or you can use a pointer calculator (note that this tells you the second and third bytes the wrong way round; 3E7A40 instead of 3E407A, so you have to remember to swap them for execution).

To execute Pikachu's Beach (which we found has the pointer 3E407A), there is a routine to change ROM banks and jump to an address (the routine for each language can be found here thanks to Wack0 - in German Yellow it's $3E89).

Register purposes for this routine:
c=Bank
h=Pointer byte 2
l=Pointer byte 3

So you need to set c to 3E, h to 40, l to 7A then do a call $3E89. This would execute Pikachu's Beach.

(Wack0's German Pikachu's Beach code does this)

If you want to turn a three byte pointer back into an offset, you can do:
romAddress = (bankNumber * 0x4000) + (twoBytePointer - 0x4000)
« Last Edit: June 06, 2015, 03:37:09 pm by Torchickens »
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Always be yourself.
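
The offset/bank/pointer arithmetic and the rebase-then-search method from the post above, as an added Python example (not Torchickens' code or anything from the thread). Assumed: the +5 WRAM shift and its exceptions (CD38, C0EF, C0F0) are the post's heuristic rather than a verified rule, and FAKE_GERMAN_ROM is a constructed stand-in image with the give-Pokémon bytes planted at $3E62, not a real ROM.

```python
# Added example, not code from the thread: the bank/pointer arithmetic above and
# the "rebase the RAM operands, then search the other ROM" step, in Python.
# Assumptions: the +5 WRAM shift and its exceptions (CD38, C0EF, C0F0) are the
# post's heuristic, not a verified rule; FAKE_GERMAN_ROM is a constructed stand-in
# image with the give-Pokémon bytes planted at $3E62, not a real ROM.

BANK_SIZE = 0x4000
EU_SHIFT = 5
UNSHIFTED = {0xCD38, 0xC0EF, 0xC0F0}   # named in the post as NOT moving by +5


def offset_to_pointer(offset):
    """ROM file offset -> (bank, pointer). Bank 0 is 1:1; other banks map to $4000-$7FFF."""
    bank = offset // BANK_SIZE                           # "$0F807A/$4000 rounded down"
    if bank == 0:
        return 0, offset
    return bank, offset - BANK_SIZE * bank + BANK_SIZE   # Offset-(0x4000*Bank)+0x4000


def pointer_to_offset(bank, pointer):
    """Inverse: romAddress = (bankNumber * 0x4000) + (twoBytePointer - 0x4000)."""
    if bank == 0:
        return pointer
    return bank * BANK_SIZE + (pointer - BANK_SIZE)


def rebase_address(addr):
    """EU heuristic from the post: WRAM addresses move by +5 unless listed as
    unshifted; ROM addresses (below $8000) never move."""
    if 0xC000 <= addr <= 0xDFFF and addr not in UNSHIFTED:
        return addr + EU_SHIFT
    return addr


def rebase_pattern(instructions):
    """instructions: one hex string per instruction, as the debugger lists them,
    e.g. ["78", "EA 91 CF", "79"]. Only ld (a16),a / ld a,(a16) / ld (a16),sp
    (opcodes EA, FA, 08) carry a memory operand, so only those are rebased."""
    out = bytearray()
    for ins in instructions:
        b = bytes.fromhex(ins)
        if b[0] in (0xEA, 0xFA, 0x08) and len(b) == 3:
            addr = rebase_address(int.from_bytes(b[1:], "little"))
            b = bytes([b[0]]) + addr.to_bytes(2, "little")
        out += b
    return bytes(out)


def find_pattern(rom, pattern):
    """Every offset where pattern occurs. More than one hit means comparing the
    candidates in the debugger, as the post says."""
    hits, start = [], 0
    while (i := rom.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def locate_routine(english_instructions, other_rom):
    """Rebased search: English instruction bytes -> [(bank, pointer), ...] in the other ROM."""
    pattern = rebase_pattern(english_instructions)
    return [offset_to_pointer(o) for o in find_pattern(other_rom, pattern)]


def bank_switch_call(bank, pointer, routine):
    """ld c,bank / ld h,hi / ld l,lo / call routine: the register setup the post
    gives for the bank-switch-and-jump routine ($3E89 in German Yellow)."""
    return bytes([0x0E, bank, 0x26, pointer >> 8, 0x2E, pointer & 0xFF,
                  0xCD, routine & 0xFF, routine >> 8])


# Constructed stand-in image (bank 0 only): the un-rebased English bytes sit at the
# English address $3E48, the rebased bytes at $3E62 where the post found them.
FAKE_GERMAN_ROM = bytearray(0x8000)
FAKE_GERMAN_ROM[0x3E48:0x3E4D] = bytes.fromhex("78EA91CF79")
FAKE_GERMAN_ROM[0x3E62:0x3E67] = bytes.fromhex("78EA96CF79")
```

Searching the un-rebased English bytes in the stand-in finds only the decoy at $3E48; the rebased pattern finds $3E62, which is why the operands have to be shifted before searching.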

Shina69

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #186 on: August 14, 2015, 01:10:52 pm »
Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks for the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies... a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but... there's one thing that wasn't forgotten - I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_ゥ-_xゥ to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_ゥ-_xゥ, on Pokémon Yellow European Version (English)? (I believe this is the proper version; I'm from Portugal and I will try to find that old box!)

Not sure if this is the proper topic to send my request, but I'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock!

danny

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #187 on: August 14, 2015, 02:48:59 pm »
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.
i ain't happy, i'm feeling glad
i got N E B B Y in a bag
also depression

discord: big man dan#3383

Shina69

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #188 on: August 14, 2015, 04:36:54 pm »
Quote
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.

Oh, I also tried that, forgot to mention );
Managed to make Ditto Swords Dance 3 times and actually got an L:13 one, but the move was still there.
Some other guy got the same results, as I read in a YouTube video comment; that's why I ran out of options :'(
(By the way, Flash is the 2nd move on the Fight list, if it helps :o)
« Last Edit: August 14, 2015, 05:07:38 pm by Shina69 »

Misero

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #189 on: August 17, 2015, 12:42:06 pm »
Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.

Princess Torchic ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #190 on: August 21, 2015, 12:06:31 pm »
Quote
Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.

Here are save files that have 8F and ws m set up with code to get Mew upon using 8F/ws m and closing the menu.

English Red: https://mega.nz/#!8hF1XDiR!M-397Ob3EDtPlOHW3XUSO52FArph3Ork8Y_YXrJ45nQ
English Yellow: https://mega.nz/#!d8sGjZLT!yp1oMA5zGHOxI91I3qgweYZkY1Y6CzL2-m-MrxpSeyY

If you want to change the code the game ends up running after the Pokémon set ups (certain party Pokémon in Red/Blue, certain stored Pokémon in Yellow) you can edit D322 (Red/Blue) or D321 (Yellow) and onward, which represent the item 3 identifier and onward.

Edit: Here is a save file for Japanese Green to get Mew with 5かい (with kattempla/pokebug's party Pokémon set up) or てへ.

If you want to get it with てへ you have to watch the old man's demonstration first.

The set ups have the code beginning at item 2 (D2A4). The Pokémon redirect the program counter to item 2 for use with 5かい. The name アてヨめ (after watching the old man's demonstration) redirects the program counter to item 2 (D2A4) for use with てへ.

https://mega.nz/#!NtMjQYBJ!K8KFbfuo7jI0638BuJIxWm1GsjozVX2iDu1nYRu7GEg
« Last Edit: August 21, 2015, 12:23:37 pm by Torchickens »

Princess Torchic ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #191 on: August 21, 2015, 01:59:46 pm »
Quote
Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks for the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies... a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but... there's one thing that wasn't forgotten - I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_ゥ-_xゥ to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_ゥ-_xゥ, on Pokémon Yellow European Version (English)? (I believe this is the proper version; I'm from Portugal and I will try to find that old box!)

Not sure if this is the proper topic to send my request, but I'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock!

Sure. We can remove it with ws m!

The following items from item 3 will replace move 1 of Pokémon 1 with a move of your choice:

Lemonade x(move ID)
TM34 x114
TM09 x201

As code:

Code:
ld a,xx
ld (D172),a
ret

As bytes:

Code:
3E xx
EA 72 D1
C9

If you want to port this to Red/Blue, replace TM34 x114 with TM34 x115.

To execute the code, you can get the items and use ws m (obtainable with dry underflow and the looping map trick) with relevant stored Pokémon (example), or another means of arbitrary code. For example, replacing item 41 with Iron x 211 will make the game execute your code from item 5 in Yellow and does not require specific Pokémon.

Another approach to getting X ゥ- xゥ without Flash, which does not use arbitrary code execution, is the remaining HP glitch with a remaining HP of 196, if you can get Q (and this glitch only works if box 1 has never been filled completely). Since this glitch uses catch rate as an FF, data below it like moves are not affected during the data shift backs from each time you withdraw a Pokémon after the terminator is removed (step 6 in the video below and beyond).

This means you can have a Pokémon with the moves you want, then turn it into X ゥ- xゥ and have the moves unchanged.

https://www.youtube.com/watch?v=9l1nuTS3VI0
(click video)

If you can obtain a PokéWTrainer in Pokémon Red (it unfortunately freezes the game on the opponent's side however), then you may be able to trade it to Yellow to become a X ゥ- xゥ without Flash.

In theory, we might be able to get a level 255 X ゥ- xゥ with the overworld Pokémon catch trick in a Glitch City, or some -gm trickery, and theoretically, it would appear with moves without Flash.

Quote
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.
Oh, I also tried that, forgot to mention );
Managed to make Ditto Swords Dance 3 times and actually got an L:13 one, but the move was still there.
Some other guy got the same results, as I read in a YouTube video comment; that's why I ran out of options :'(
(By the way, Flash is the 2nd move on the Fight list, if it helps :o)

Yes, catching one at level 13 did not result in X ゥ- xゥ having Flash for me either. All X ゥ- xゥ level 1 through to level 13 had Flash. For reference, Flash is one of X ゥ- xゥ's starting moves, not just a move learned at a low level, which means it always has it at the lowest level and cannot learn it through level up (unless Flash appears in the level up database as well).

For some reason, in the event that you catch X ゥ- xゥ at level 255 it will not know Flash. Instead it will know Mega Punch, Tail Whip, Scratch, Disable. According to the Bulbapedia article, Mega Punch, Scratch and Disable are among its last learnable moves, though for whatever reason, Tail Whip isn't one of the last ones. Note that the learned moves list on Bulbapedia has at least one error. At level 1 X ゥ- xゥ will try to learn the arbitrarily named hex:00 move (which is the CoolTrainer[F] type in Red/Blue and supports move selection corruption too in Yellow) if you somehow raise X ゥ- xゥ to that level.

I have some text databases with data extracted from the ROMs from various users including a level up database by Echinodermata. Unfortunately there seems to be an error because they note X ゥ- xゥ as learning no moves which isn't true (even though much of the data is correct).
« Last Edit: August 21, 2015, 02:32:24 pm by Torchickens »

Searinox

  • Hobby Programmer
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • Do you like fire? I'm full of it.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #192 on: August 22, 2015, 05:02:58 am »
Does anyone know any GameShark code for changing the moves of Pokémon IN THE BOX? There are GameShark codes for changing party Pokémon moves that I wanted to try to convert to code exec using Chickasaurus' post info, but all I can find are codes for the party, not the box, which is useless since we're forced to use a full predefined party for the bootstrap.

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #193 on: August 23, 2015, 08:37:24 am »
To build a GameShark code, the only thing you need is a RAM map. This gives you the RAM addresses you need to deal with. In your case, the RAM addresses for the moves of the first Pokémon in the active box are DA9E to DAA1.

That means you can modify them using the GameShark codes 01xx9EDA to 01xxA1DA, with xx being the hex value of the wanted move  ;)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Searinox

  • Hobby Programmer
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • Do you like fire? I'm full of it.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #194 on: August 23, 2015, 12:21:36 pm »
I managed this on my own albeit with some problems at first.

Firstly, Chickasaurus' post I linked in my previous post didn't work for me. Second, it requires a different item ID for each move, which is slightly clunky. At first I had the idea of perhaps attempting a .j as a NOP to bring ID parity back and execute the instruction back in item amount instead of ID, but realised I was getting in way over my head, since I would have to then figure out how to redirect to the address with another item and do not fully understand ASM instructions.

I then went to try and find the memory address with VBA's cheat maker. For reasons completely beyond me, the cheat searcher finds the address CA9E as the location instead of DA9E, and obviously the cheat doesn't work. Why this is so baffles me. I'm using a modded VBA called VBA-M, svn926. I'm not sure if it's got a bug with memory offset representation, but it led me to a dead end.

Finally I found the RAM layout, but on Bulbapedia. Now I had the correct address, tested the GS code made with it and it worked (why do GS codes have the last 2 bytes of 01xxB2B1 reversed from how they are in RAM? DA9E editing requires the code to be written as 01xx9EDA, but anyway, I digress...). Now I needed a way to get the code converted into 8F item representation and, like I said, I had failed with Chickasaurus' post.

FINALLY I found your wiki which worked to convert the code into ACE!

You were mentioning earlier that you were trying to get Flash off some glitch Pokémon... well, this may help.

Long story short...

Quote
Have the Pokémon to be altered be the first one in the PC. Have its move to be altered be put in the first slot.
Code:
8F
<any item>
X Accuracy x158 (changing this from 158 for first move to 161 for 4th move SHOULD change the move that's altered, though I have ONLY tested with the first move!)
Carbos x218
Max Revive x<MOVE ID>
Poke Ball x201
Where move ID obviously corresponds to the move's ID.
This will change the first move of the first Pokémon in your active box.

This also makes it possible to put glitch moves not previously obtainable on Pokémon, or, conversely, remove dangerous Super Glitch moves from Pokémon without having to stand on some obscure tile in Celadon City's residence. :D

You are going to end up doing a lot of Pokémon box swapping, but also potential move swapping. If you need to get into battles to swap moves without entering an area that will load field data into Cinnabar (for item duping), I've found it feasible to teach Tentacool Surf and put the Pokémon to alter first in the party while Surfing the east coast for item duplication, so you don't have to deposit your whole bootstrap party. Even in the default setup, with the Poké Ball being in the 6th slot, it's unaffected by potential 'M/Missingno. encounters, as 201 doesn't roll in any way since the first bit is already 1, so it doesn't mess up the ret. Keeps things simple.
« Last Edit: August 24, 2015, 07:34:40 am by Searinox »
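The item list in Searinox's post and the 01xx9EDA GameShark form from Krys3000's reply, assembled and simulated together as an added example (not code from either poster or from the wiki). It assumes the Gen I item IDs X Accuracy = $2E, Carbos = $26, Max Revive = $36, Poké Ball = $04 and that Flash is move $94 (none of which the thread states), and treats the bag entries as the raw byte stream the 8F bootstrap jumps into.

```python
# Added example (not from the thread): assemble the 8F item list into SM83 bytes,
# decode/simulate it against a constructed RAM, and build the matching GameShark code.
# Item IDs are assumed from the Gen I item table; the thread does not state them.
ITEM_ID = {"X Accuracy": 0x2E, "Carbos": 0x26, "Max Revive": 0x36, "Poke Ball": 0x04}
FLASH = 0x94  # assumed Gen I move ID for Flash (move #148)

def box_move_items(slot, move_id):
    """Items after '8F, <any item>' that write move_id into move slot 1-4 of box Pokémon 1."""
    assert 1 <= slot <= 4
    return [("X Accuracy", 158 + slot - 1), ("Carbos", 218),
            ("Max Revive", move_id), ("Poke Ball", 201)]

def assemble(items):
    """Each bag entry is stored as (item ID, quantity): two bytes the CPU executes in order."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty & 0xFF))

def run(code, ram):
    """Minimal SM83 interpreter for the five opcodes this payload uses.
    Returns (listing, hl); the move write lands in the ram dict."""
    h = l = pc = 0
    listing = []
    while pc < len(code):
        op = code[pc]
        if op == 0x2E:                      # ld l, d8   (X Accuracy x158..161)
            l = code[pc + 1]; listing.append(f"ld l, ${l:02X}"); pc += 2
        elif op == 0x26:                    # ld h, d8   (Carbos x218 = $DA)
            h = code[pc + 1]; listing.append(f"ld h, ${h:02X}"); pc += 2
        elif op == 0x36:                    # ld (hl), d8 -> writes the move ID to DA9E..DAA1
            v = code[pc + 1]; ram[(h << 8) | l] = v
            listing.append(f"ld (hl), ${v:02X}"); pc += 2
        elif op == 0x04:                    # inc b      (Poke Ball ID: harmless filler)
            listing.append("inc b"); pc += 1
        elif op == 0xC9:                    # ret        (quantity 201 ends the payload)
            listing.append("ret"); break
        else:
            raise ValueError(f"opcode ${op:02X} not handled here")
    return listing, (h << 8) | l

def gameshark_code(addr, value):
    """Gen I GameShark RAM write '01 vv ll hh': the address is stored little-endian,
    which is why DA9E shows up as ...9EDA in the code."""
    return f"01{value:02X}{addr & 0xFF:02X}{addr >> 8:02X}"

if __name__ == "__main__":
    box = {}                                # constructed stand-in for box RAM
    code = assemble(box_move_items(1, FLASH))
    listing, hl = run(code, box)
    print(code.hex(" "), listing, hex(hl), box)
    print(gameshark_code(hl, FLASH))        # same write as a GameShark code
```

Changing the X Accuracy quantity to 161 moves the write to DAA1, the fourth move slot, which is the untested variant the post describes.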