Author Topic: Arbitrary code execution in Red/Blue using the "8F" item

The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • That's no Pokémon, Ash.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #210 on: September 18, 2015, 01:50:54 pm »
Dang! So I got the code working finally, and even though IssoTM's coder is French, you only need to be able to 1. understand the code itself, and 2. know translations of the items (a lot of which are similar to the English as well).

It seems that even if we modify the "Bike speed" byte, we STILL can't cycle indoors... It seems Ash abides by the rules even when he's not told to >.<

Aside from that, you can use this code to get onto/off of a bicycle without changing the music, so if you feel like you're getting bored of the bike music, you can just use the first code to get on your bike and keep the music of the area you're in! I'm sure there are much better ways of changing the soundtrack if you're that preoccupied about it though. The amusing side effect is, when you go into a different area, the music has an abrupt key change as it fades out... but that's about it ;-;

In case anyone feels like compacting this worthless dump, don't bother, seeing as it's completely useless... as of yet, anyway.

Anyway, code:

Get OFF your bike, without music change (ws m)

Code:
ld a, $02
ld ($D6FF), a
ret

3E 02 EA FF D6 C9

Lemonade x2 (technically this can be anything that isn't 1)
TM34 x255
TM14 x201

Get ON your bike, without music change (ws m)

Code:
ld a, $01
ld ($D6FF), a
ret

3E 01 EA FF D6 C9

Lemonade x1
TM34 x255
TM14 x201
Pixel Professor Oak is a spitting image of my physics teacher. Lab coat and all.

Proudly glitching on console, just pop me a message if you want me to do any research.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #211 on: September 19, 2015, 06:56:54 am »
Quote
Dang! So I got the code working finally, and even though IssoTM's coder is French, you only need to be able to 1. understand the code itself, and 2. know translations of the items (a lot of which are similar to the English as well).
Wow, finally some feedback! (I thought nobody other than me used it :P)
Well, you just motivated me to release an English version. Okay, I'll get into it.
* ISSOtm begins working...
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • That's no Pokémon, Ash.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #212 on: October 09, 2015, 03:03:43 pm »
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335? And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.

SatoMew

  • Member+
  • *
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #213 on: October 09, 2015, 03:13:22 pm »
Quote
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335? And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.

0x0F35 = 3893. It's probably just garbled text, though.

Krys3000

  • French living dexer
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #214 on: October 09, 2015, 03:56:37 pm »
I already had F35 values when I used GameShark codes to put FF FF in a stat. If that is what you did, then it probably equals 65535, in fact  :P

But why doesn't it make your Pokémon a real bad ass? I'm not sure about how this works. Maybe you have to change Exp. Stats too?

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • That's no Pokémon, Ash.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #215 on: October 09, 2015, 03:59:13 pm »
Quote
0x0F35 = 3893

What I meant was the "F" was displayed as an "F" in game, as well as the "35" after it. I interpreted that as decimal 133, as the hex list takes the "F" RBY character as 133.

Quote
I already had F35 values when I used GameShark codes to put FF FF in a stat. If that is what you did, then it probably equals 65535, in fact  :P

But why doesn't it make your Pokémon a real bad ass? I'm not sure about how this works. Maybe you have to change Exp. Stats too?

Yeah that's exactly what I did.

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #216 on: October 09, 2015, 04:18:32 pm »
Quote
I was setting the stats of my Mew using some ACE and set both bytes to 255 for each stat (HP, ATK, DEF, SPD, & Special) and every time the value ended up as "F35" with the F not changing when I move into a different area. Does that equate to 13335?
No, it’s 65535. “F” is tile number 133, but that doesn’t mean it represents the number 133. To display a digit, the game starts counting from “0”, which is tile 246. After the digit “9” (character code 255), it reaches the end of the table and wraps around, so tile 0 represents the digit 10. The letter “F” would be used for the digit 143 (10 + 133), but since there are only 256 tiles, it can also represent a digit 399 (10 + 256 + 133) or, in your case, 655 (10 + 256 + 256 + 133).

Quote
And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.
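Worked example, added here and not code posted in the thread: a small Python model of the digit-printing behaviour Háčky describes. It assumes exactly what the post states (the "0" tile is 246, tiles are one byte so the count wraps modulo 256, and "F" is tile 133, with the letters "A".."Z" assumed consecutive from tile 128) and shows both directions: what 65535 is drawn as, and which hidden values a leading "F" could stand for.

```python
# Added example, not code from the thread: a model of how the game draws a
# 16-bit stat as three decimal digits, and why 65535 comes out as "F35".
# Assumptions, taken from the explanation above: the "0" tile is 246, tiles are
# one byte so the digit tile wraps modulo 256, and "F" is tile 133 (letters
# "A".."Z" assumed consecutive from tile 128).

TILE_DIGIT_ZERO = 246   # "0"; "9" is tile 255, the end of the table
TILE_LETTER_A = 128     # "A"; "F" is then 128 + 5 = 133


def tile_to_char(tile: int) -> str:
    """Map a tile number to the character drawn for it (only the rows this
    example needs; anything else is reported as a raw tile number)."""
    if TILE_DIGIT_ZERO <= tile <= 255:
        return chr(ord("0") + tile - TILE_DIGIT_ZERO)
    if TILE_LETTER_A <= tile < TILE_LETTER_A + 26:
        return chr(ord("A") + tile - TILE_LETTER_A)
    return f"<tile {tile:02X}>"


def print_three_digits(value: int) -> str:
    """Emulate a three-digit printer: count how many times 100, 10 and 1 fit
    into the value and add each count to the "0" tile in an 8-bit register.
    Values above 999 push the hundreds count past "9" and the byte wraps."""
    value &= 0xFFFF
    chars = []
    for power in (100, 10, 1):
        count, value = divmod(value, power)
        tile = (TILE_DIGIT_ZERO + count) & 0xFF   # the 8-bit wrap-around
        chars.append(tile_to_char(tile))
    return "".join(chars)


def hundreds_candidates(char: str, max_value: int = 65535) -> list[int]:
    """Invert the wrap: every hundreds count (up to max_value // 100) that
    would draw `char` in the leading position."""
    if "0" <= char <= "9":
        tile = TILE_DIGIT_ZERO + ord(char) - ord("0")
    else:
        tile = TILE_LETTER_A + ord(char.upper()) - ord("A")
    first = (tile - TILE_DIGIT_ZERO) % 256
    return list(range(first, max_value // 100 + 1, 256))


if __name__ == "__main__":
    for stat in (123, 3893, 5000, 65535):
        print(f"{stat:5d} is drawn as {print_three_digits(stat)}")
    print("a leading F could be any of", hundreds_candidates("F"))
```

Running it draws 65535 as "F35" and lists 143, 399 and 655 as the hundreds counts that all produce a leading "F", which is the ambiguity the post points out: the display alone cannot tell you which of those the stat actually holds.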

Krys3000

  • French living dexer
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #217 on: October 09, 2015, 05:04:03 pm »
Quote
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.

Aaaaaah of course. I remember now that when I reduced the stat I was under the impression I was doing more damage. Thanks, Háčky!


The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • That's no Pokémon, Ash.
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #218 on: October 10, 2015, 02:05:27 am »
Quote
I don’t know all the specifics, but a stat of 65535 would almost certainly cause an overflow in the damage calculation. A more reasonable number like 5000 might work out better.

It makes sense really. Thanks a bunch. Now I'm off to go look up how damage works.

Crystal_

  • Distinguished Member
  • *
  • Offline Offline
  • 39 00 39 00 39 00 39 00
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #219 on: October 12, 2015, 09:59:22 am »
Quote
And if so, why does pound still not one-hit KO everything? For example, an Onix, where it isn't super effective. It feels like I've either massively overestimated the value, the calculation for not-very-effective damage really cuts down a lot or the glitch numbers don't work correctly. Or something else I've completely overlooked.
Prior to damage calculation:
- Grab the two-byte attack (or special) value of the attacker and the two-byte defense (or special) value of the defender
- Apply Reflect / Light Screen if active and appropriate
- Divide both the attacker's attacking stat and the defender's defensive stat by 4, if either of the two is higher than 255
- Grab the lowest byte of the resulting stat values to use them for damage calculation

Since your attack stat (65535) is higher than 255, it gets divided by four (so would Onix's defense). 65535 divided by 4 equals 0x3FFF (16383 in decimal). Because only the lowest byte of the result is used for damage calculation, your Mew's attack becomes 0xFF or 255. Since the enemy's defense also got quartered in the process it essentially means that your effective attack is 255 x 4 = 1020.
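Worked example, added here and not code from the thread: the stat pre-processing steps Crystal_ lists, written out in Python so the numbers in the discussion can be checked. The Onix defense value of 160 is a constructed sample, not a figure anyone in the thread gave, and the Reflect / Light Screen step is left out. The example also goes slightly beyond the post by showing the worst case of the low-byte truncation: a stat that quarters to a multiple of 256 gives an attack byte of zero.

```python
# Added example, not code from the thread: the stat pre-processing steps listed
# above, applied to the numbers in the discussion. The Onix defense value (160)
# is a constructed sample, not a figure from the thread, and the Reflect /
# Light Screen step is not modelled.

def effective_stats(attack: int, defense: int) -> tuple[int, int]:
    """Return the (attack, defense) bytes the damage formula actually sees.
    Both inputs are 16-bit stats; if either exceeds 255, both are divided by
    four, and only the low byte of each result is kept."""
    attack &= 0xFFFF
    defense &= 0xFFFF
    if attack > 255 or defense > 255:
        attack //= 4
        defense //= 4
    return attack & 0xFF, defense & 0xFF


def equivalent_attack(attack: int, defense: int) -> float:
    """The attack stat that, against the defender's *unmodified* defense,
    would give the same attack/defense ratio as the bytes the game uses.
    This is the "255 x 4 = 1020" reasoning from the post above."""
    atk_byte, def_byte = effective_stats(attack, defense)
    if def_byte == 0:
        return float("inf")   # a quartered and truncated defense of zero
    return atk_byte * defense / def_byte


if __name__ == "__main__":
    onix_defense = 160   # constructed sample value
    for mew_attack in (255, 300, 1020, 1024, 5000, 65535):
        atk, dfn = effective_stats(mew_attack, onix_defense)
        print(f"attack {mew_attack:5d} -> bytes ({atk:3d}, {dfn:3d}); "
              f"behaves like attack {equivalent_attack(mew_attack, onix_defense):.0f}")
```

Against the sample defense of 160, an attack of 65535 quarters to 0x3FFF, keeps the low byte 0xFF, and behaves like an attack of 1020, exactly as the post works out; 5000 quarters to 1250 = 0x04E2 and keeps 0xE2 = 226; and 1024 quarters to 256, whose low byte is 0, which is the case where a huge stat does no damage at all.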

Darkkis

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • POKEWTRAINER - me IRL
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #220 on: October 12, 2015, 10:07:40 am »
Does anyone mind breaking one of the 8F codes down? I'm REALLY interested in this kind of stuff and I'd love to learn to create a code myself. My life goal after finding out about this stuff is to succeed in coding 8F so that by pressing it, it brings up a smiley face. Or even succeeding in writing a basic message such as "Hello, World!" would be nice. (if anyone knows how to do this, please let me know!)

For example, could someone break down this code? I don't quite understand how it works.

Code:
ITEM LIST (starting from the first slot):
* 8F
* Item you want to morph
Burn Heal            x43
Ice Heal             x43
Full Heal            x201

ASM:
WRA1:D322 0C               inc  c        ; item 3 ID: Burn Heal
WRA1:D323 2B               dec  hl       ; item 3 quantity: 43
WRA1:D324 0D               dec  c        ; item 4 ID: Ice Heal
WRA1:D325 2B               dec  hl       ; item 4 quantity: 43
WRA1:D326 34               inc  (hl)     ; item 5 ID: Full Heal
WRA1:D327 C9               ret           ; item 5 quantity: 201


I tried to make it so that the game would think I beat Sabrina with this setup, but it didn't work:

Code:
random item
8F
TM34 x215
ASH (0xB3 item) x201

The data from DataCrystal suggested that the data for beating Sabrina is at D7B3. D7 corresponds to 215 and I decided to use TM34 because it seems to be used a lot in this type of hack (probably my first screw-up) and B3 corresponds to the item ASH, so I determined it'd work with that setup, since apparently the default value is 63 and it should think I beat Sabrina with any value higher than 1. Where I got the number 201 is that it also seems to be used a lot in this type of hack, possibly acting as a "stop" for the code? (my second screw-up, I assume.)

Also, I don't understand the opcodes at all: what do stuff like ld and inc even mean? I tried looking up some guides for ASM but there wasn't really any good explanations for them. Please help an interested newbie out.

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Banned
  • *
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #221 on: October 12, 2015, 10:47:18 am »
About the code you mentioned: this payload takes advantage of the register hl containing the address of item 3 (the initial payloads put the address of item 3's identifier in the hl register, then transfers execution there with jp hl).

I'll try to break it down for you, line by line:

inc c - increases the value of the c register by 1. Used here as junk code, so we can use the item quantity to represent the opcode we want to execute, instead of the item identifier.
dec hl - decreases the value of the hl register by 1. The hl register did contain the address of item 3's identifier, after this line it contains the address of item 2's quantity.
dec c - decreases the value of the c register by 1, the same register that was decreased 2 lines ago. Again, this is junk code, used so we can represent the next opcode as a quantity, rather than an item. I'll take the time to explain why this is needed: if you look at the Big List, if you express the quantity 43 as an item, it represents the Secret Key. It's possible (albeit a little annoying) to have two stacks of a regular item, but not so without cheating, or manipulating memory some other way, for a key item.
dec hl - As before, the value of the hl register is decreased. After this line, the hl register contains the address of item 2's identifier.
inc (hl) - The brackets around hl mean "the memory address contained in the register"; so, this line increases the value contained in the memory address that is the value of the hl register by 1. As mentioned, at this point, the hl register contains the address of item 2's identifier; so, this line increases item 2's identifier by 1.
ret - This line returns from the function that the game called to use the 8F item, and therefore returns control back to the game.

About why your attempted payload didn't work: you ALMOST got it right. Different CPUs use different byte orders, known as "endianness". You specified the memory address in your payload as big endian, where the most significant byte comes first, that is, D7 B3 corresponds to the address 0xD7B3. However, the Game Boy's CPU, which is a modified version of the Z80, uses little endian format, where the least significant byte comes first, that is, B3 D7 corresponds to the address 0xD7B3.

Stuff like "ld" and "inc" are assembler mnemonics. In this instance, "ld" is short for "load" and "inc" short for "increment". I mentioned earlier that the Game Boy uses a modified Z80. So, if you want to learn about the assembler, you can look up Z80 assembly/assembler; Google can help you there. Another thing that will help is this hexadecimal to Game Boy CPU mapping and, of course, the BIG List.

Hopefully this has helped you!
« Last Edit: October 12, 2015, 11:54:48 am by Wack0 »
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Darkkis

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • POKEWTRAINER - me IRL
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #222 on: October 12, 2015, 11:31:03 am »
Quote
About the code you mentioned: this payload takes advantage of the register hl containing the address of item 3 (the initial payloads put the address of item 3's identifier in the hl register, then transfers execution there with jp hl).

I'll try to break it down for you, line by line:

inc c - increases the value of the c register by 1. Used here as junk code, so we can use the item quantity to represent the opcode we want to execute, instead of the item identifier.
dec hl - decreases the value of the hl register by 1. The hl register did contain the address of item 3's identifier, after this line it contains the address of item 2's quantity.
dec c - decreases the value of the c register by 1, the same register that was decreased 2 lines ago. Again, this is junk code, used so we can represent the next opcode as a quantity, rather than an item. I'll take the time to explain why this is needed: if you look at the Big List, if you express the quantity 43 as an item, it represents the Secret Key. It's possible (albeit a little annoying) to have two stacks of a regular item, but not so without cheating, or manipulating memory some other way, for a key item.
dec hl - As before, the value of the hl register is decreased. After this line, the hl register contains the address of item 2's identifier.
inc (hl) - The brackets around hl mean "the memory address contained in the register"; so, this line increases the value contained in the memory address that is the value of the hl register by 1. As mentioned, at this point, the hl register contains the address of item 2's identifier; so, this line increases item 2's identifier by 1.
ret - This line returns from the function that the game called to use the 8F item, and therefore returns control back to the game.

About why your attempted payload didn't work: you ALMOST got it right. Different CPUs use different byte orders, known as "endianness". You specified the memory address in your payload as big endian, where the most significant byte comes first, that is, D7 B3 corresponds to the address 0xD7B3. However, the Game Boy's CPU, which is a modified version of the Z80, uses little endian format, where the least significant byte comes first, that is, B3 D7 corresponds to the address 0xD7B3.

Stuff like "ld" and "inc" are assembler mnemonics. In this instance, "ld" is short for "load" and "inc" short for "increment". I mentioned earlier that the Game Boy uses a modified Z80. So, if you want to learn about the assembler, you can look up Z80 assembly/assembler; Google can help you there. Another thing that will help is this hexadecimal to Game Boy CPU mapping and, of course, the BIG List.

Hopefully this has helped you!

Wow, you don't know how helpful that was, I actually understand the code somewhat now. The only thing I can't comprehend is the junk code: why wouldn't the code work without the junk code? Are we not allowed to have two 'dec hl's in a row? EDIT: Never mind, I got it: the code wouldn't be possible without the junk code because there has to be some data for the item identifiers, lol.

Also, I changed my setup according to the little endian format, and it looks like this now:

Code:
random item
8F
TM34 x179
TM15 x201

The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

« Last Edit: October 12, 2015, 11:39:41 am by Darkkis »
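Worked example, added here and not the thread's or the wiki's own tool: a Python script that flattens an 8F item list into the byte stream the CPU executes and decodes the handful of opcodes that appear in this thread, so Wack0's endianness point and Darkkis's two Sabrina attempts can be checked side by side. ITEM_IDS is a constructed table holding only the items used in these posts (values taken from the listings above and the wiki's Big HEX List); the opcode encodings are the Game Boy CPU's, and the decoder deliberately handles nothing beyond what the thread's setups use.

```python
# Added example, not the thread's or the wiki's own tool: flatten an 8F item
# list into the bytes the CPU executes and decode the few opcodes used in
# this thread. ITEM_IDS is a constructed table of just the items that appear
# in these posts (values from the listings above and the wiki's Big HEX List);
# the instruction encodings are the Game Boy CPU's.

ITEM_IDS = {
    "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Full Heal": 0x34,
    "Fresh Water": 0x3C, "Soda Pop": 0x3D, "Lemonade": 0x3E,
    "ASH": 0xB3, "TM14": 0xD6, "TM15": 0xD7, "TM34": 0xEA, "TM54": 0xFE,
}

# one-byte instructions: opcode -> mnemonic
SIMPLE = {0x0C: "inc c", 0x0D: "dec c", 0x2B: "dec hl",
          0x34: "inc (hl)", 0x3C: "inc a", 0x3D: "dec a"}


def items_to_bytes(items) -> bytes:
    """Item slots are stored as ID byte, quantity byte, ID, quantity, ...
    so execution starting at a slot's ID sees exactly this stream."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)


def little_endian(addr: int) -> tuple[int, int]:
    """Byte order of a 16-bit operand: low byte first, then high byte."""
    return addr & 0xFF, (addr >> 8) & 0xFF


def disassemble(code: bytes) -> list[str]:
    """Decode until `ret`; report if the stream runs out before one."""
    listing, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0xC9:
            listing.append("ret")
            return listing
        if op in SIMPLE:
            listing.append(SIMPLE[op])
            i += 1
        elif op in (0x3E, 0x36) and i + 1 < len(code):      # ld a,n / ld (hl),n
            reg = "a" if op == 0x3E else "(hl)"
            listing.append(f"ld {reg}, ${code[i + 1]:02X}")
            i += 2
        elif op == 0xEA and i + 2 < len(code):              # ld (nn),a
            addr = code[i + 1] | (code[i + 2] << 8)         # low byte first
            listing.append(f"ld (${addr:04X}), a")
            i += 3
        else:
            listing.append(f"db ${op:02X}   ; not decoded by this example")
            i += 1
    listing.append("; no ret reached: execution would run past the item list")
    return listing


if __name__ == "__main__":
    # Darkkis's first attempt (bytes in "big endian" order) and the corrected one.
    for label, items in (("big endian", [("TM34", 215), ("ASH", 201)]),
                         ("little endian", [("TM34", 179), ("TM15", 201)])):
        code = items_to_bytes(items)
        print(f"{label:13s} {code.hex(' ')}  ->  {'; '.join(disassemble(code))}")
    print("0xD7B3 is stored as", [f"{b:02X}" for b in little_endian(0xD7B3)])
```

Decoding the first attempt gives `ld ($B3D7), a`, the wrong address, while the corrected setup gives `ld ($D7B3), a`. The same decoder turns the Burn Heal / Ice Heal / Full Heal list from earlier in the thread back into `inc c; dec hl; dec c; dec hl; inc (hl); ret`, and the Lemonade / TM34 / TM14 bike setup into `ld a, $02; ld ($D6FF), a; ret`. Note that neither version of the Sabrina setup sets `a` to anything in particular, so whatever the register held when the item was used is what gets written.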

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Banned
  • *
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #223 on: October 12, 2015, 11:57:49 am »
Quote
The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?

Darkkis

  • GCLF Member
  • Offline Offline
  • Gender: Male
  • POKEWTRAINER - me IRL
    • View Profile
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #224 on: October 12, 2015, 12:04:04 pm »
Quote
The third item's amount should correspond to B3 and the TM15's identifier should correspond to D7 according to the big list, so the whole thing should correspond to 0xD7B3 and it's still not working. Why?

The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?

I figured that if the game thinks I beat Sabrina, it'd let me pass the Soulbadge barrier in Pokemon League, but it didn't. So, where is the event flag even used then?

I would like to get her badge and possibly all badges with this method, since apparently getting event flags for the 3 remaining Gym Leaders was not enough. But DataCrystal says something about "binary switches" in the badges: what are those?


Also, I didn't see this code anywhere, so I decided to post it: it allows you to clone items without using MissingNo or M.

Code:
8F
Item you want to multiply
Fresh Water x43
Soda Pop x54
TM54 (or any item with the quantity you wish; TM54 has an identifier of 254) x201

And in ASM:
Code:
inc a          ; Fresh Water (0x3C): junk, so the next byte can come from a quantity
dec hl         ; quantity 43 (0x2B): hl now points at item 2's quantity
dec a          ; Soda Pop (0x3D): junk again
ld (hl), $FE   ; quantity 54 (0x36) then TM54 (0xFE): set item 2's quantity to 254
ret            ; quantity 201 (0xC9): return to the game
« Last Edit: October 12, 2015, 01:41:06 pm by Darkkis »