
Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 399109 times)


SnorLapraSuicuinEkans

  • GCLF Member
  • Gender: Male
  • 8f lol
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #255 on: November 19, 2015, 07:43:41 pm »
Exactly what I was looking for so I can make my own codes, yes? And if I was going to, like, change my sprite or something?
« Last Edit: November 20, 2015, 04:20:12 am by SnorLapraSuicuinEkans »
How to use 8f... 8__8

SnorLapraSuicuinEkans

  • GCLF Member
  • Gender: Male
  • 8f lol
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #256 on: November 20, 2015, 04:29:39 am »
... DXXX, is that hex and dec, or hex and hex dec?

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #257 on: November 20, 2015, 06:27:01 am »
Absolutely!

Let's say you want to get a Moon Stone in the 19th position of your stored items, for some reason. Look in the RAM Map and you will see this: D55F - Stored Item 19

So $D55F is the address you want to deal with. You also need to know the hex ID for the Moon Stone, which you can get from the big list. In this case it will be 0A.

Therefore, the gameshark code to "get a Moon Stone in the 19th position of the stored items" will be 010A5FD5. Note that the address is reversed in the gameshark code, 5F comes before D5.

Converted into an 8F code, you will have to get the following items:
Any Item
8F / ws*l’||lm||
Lemonade x10 (0A)
X Accuracy x95 (5F)
Carbos x213 (D5)
Poké Ball x119
Fresh Water x201

And here you go: a Moon Stone appears in the 19th position of the stored items!
« Last Edit: November 20, 2015, 06:27:36 am by Krys3000 »

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov
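The conversion Krys3000 walks through above, as an added example that is not code from this thread or from any of the projects it links: it takes a GameShark write code of the form 01VVLLHH, builds the five-item list, and then disassembles the bytes that the item IDs and quantities form so you can see why those particular items are chosen. The item IDs are the standard Generation I values (the same table the thread quotes Burn Heal = 0C, Ice Heal = 0D and Revive = 35 from); the rule that a quantity cannot be 0 is an assumption stated in a comment.

```python
# Added example: GameShark "01VVLLHH" -> 8F item list -> disassembly of the resulting bytes.
GAMESHARK_8F_ITEMS = ["Lemonade", "X Accuracy", "Carbos", "Poké Ball", "Fresh Water"]

# Generation I item IDs (standard table). Each ID doubles as an SM83 opcode:
# Lemonade = ld a,n ; X Accuracy = ld l,n ; Carbos = ld h,n ; Poké Ball = inc b ; Fresh Water = inc a
ITEM_ID = {"Lemonade": 0x3E, "X Accuracy": 0x2E, "Carbos": 0x26, "Poké Ball": 0x04, "Fresh Water": 0x3C}

# Opcodes the payload uses: (mnemonic, number of operand bytes)
OPCODES = {0x3E: ("ld a,", 1), 0x2E: ("ld l,", 1), 0x26: ("ld h,", 1),
           0x04: ("inc b", 0), 0x77: ("ld [hl],a", 0), 0x3C: ("inc a", 0), 0xC9: ("ret", 0)}


def parse_gameshark(code):
    """'01VVLLHH' -> (address, value). The address is written low byte first, as the post notes."""
    code = code.strip().upper()
    if len(code) != 8 or any(ch not in "0123456789ABCDEF" for ch in code):
        raise ValueError("expected 8 hex digits, e.g. 010A5FD5")
    if code[:2] != "01":
        raise ValueError("only 01-type (write one byte) codes are handled here")
    value, lo, hi = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return (hi << 8) | lo, value


def gameshark_to_8f(code):
    """(item, quantity) pairs whose bytes read: ld a,VV ; ld l,LL ; ld h,HH ; inc b ; ld [hl],a ; inc a ; ret"""
    addr, value = parse_gameshark(code)
    quantities = [value, addr & 0xFF, addr >> 8, 0x77, 0xC9]
    for q in quantities:
        if q == 0:
            # Assumption: a stack in the bag holds 1..255, so a 00 byte cannot be produced as a quantity.
            raise ValueError("payload byte 00 cannot be encoded as an item quantity")
    return list(zip(GAMESHARK_8F_ITEMS, quantities))


def item_bytes(items):
    """The bytes the bag holds for these items: ID, quantity, ID, quantity, ..."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty))


def disassemble(data):
    """Decode the payload bytes with the small opcode table above."""
    out, i = [], 0
    while i < len(data):
        mnemonic, n_operands = OPCODES[data[i]]
        operand = f"${data[i + 1]:02X}" if n_operands else ""
        out.append(mnemonic + operand)
        i += 1 + n_operands
    return out


if __name__ == "__main__":
    items = gameshark_to_8f("010A5FD5")          # the Moon Stone example from the post
    for name, qty in items:
        print(f"{name} x{qty} ({qty:02X})")
    print(disassemble(item_bytes(items)))
```

Running it on 010A5FD5 prints the same five stacks as the post (Lemonade x10, X Accuracy x95, Carbos x213, Poké Ball x119, Fresh Water x201); the disassembly shows that Poké Ball and Fresh Water are only there because their IDs decode to harmless single-byte instructions while their quantities supply the `ld [hl],a` and `ret` bytes.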

SnorLapraSuicuinEkans

  • GCLF Member
  • Gender: Male
  • 8f lol
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #258 on: November 20, 2015, 06:52:33 am »
Amazing :D

SnorLapraSuicuinEkans

  • GCLF Member
  • Gender: Male
  • 8f lol
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #259 on: November 20, 2015, 11:52:19 am »
What is "Debug new game" in the RAM map?

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #260 on: November 20, 2015, 01:00:45 pm »
Well, that might be a little complicated to explain. Let's try. You know the value of an address is a hex number. For example, 00 or FF.

Translated into binary, FF is 1111 1111. Eight numbers, right? That means any hexadecimal number can be written with 8 binary numbers.
00 = 0000 0000
01 = 0000 0001
0F = 0000 1111
F0 = 1111 0000
A9 = 1010 1001
To properly translate a hex number into binary, you can use Windows' calculator (programmer mode).

Now, this is important because each binary digit is a "bit". The bit can be set ("1") or removed ("0"). For any hex number, you can translate it into a series of 8 bits, either set or removed.

Before talking about the "Debug New Game" address, let's take an easier example. Address $D2F7 is "owning or not owning Pokémon 1 to 8". The owned Pokémon are determined by the bit of the value for this address. If the value is FF, all bits are set (1111 1111) so you have all eight Pokémon. If the value is A9, as you can see above, this means Pokémon 1, 4, 6 and 8 are owned, but 2, 3, 5 and 7, all having their bit to 0, are not.

Now, address $D732 triggers things according to which bits are set or not set.
If the first bit is set (we call this bit "bit 0" and it is actually the last in order; for example in 0000 0001, "bit 0" would be the 1) then play time is counted. That's why this bit is always set.

If bit 1 is set (XXXX XX1X, as with hex:02) when a new game is launched, it activates the debug mode. In this mode, Oak's speech will be shorter. The player's name is set to NINTEN and the rival's name to SONY. You don't start the game in your house, and you can avoid wild encounters by holding B. This is of course never triggered in a normal game.
« Last Edit: November 20, 2015, 01:01:57 pm by Krys3000 »

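The bit handling Krys3000 describes above, as an added example (not code from the thread): it prints a byte the way the post does, decodes the $D2F7 "owned Pokémon 1 to 8" byte, builds that byte from a list of owned Pokémon, and names the two $D732 bits the post explains. The `owned_flag_location` helper goes one step beyond the post and assumes the Pokédex flags continue in the following bytes, eight per byte; the `with_bit_set` helper shows why you OR a bit in rather than overwrite the byte, so bit 0 (play time) is not cleared when enabling bit 1.

```python
# Added example: flag bytes from Reply #260. Addresses and bit meanings are those given in the post.
POKEDEX_OWNED_BASE = 0xD2F7                                   # byte covering Pokémon 1..8, bit 0 = Pokémon 1
D732_BITS = {0: "play time counted", 1: "debug new game"}     # only the bits the post explains


def bit_string(value):
    """Byte as 8 binary digits, bit 7 on the left, written like the post: A9 -> '1010 1001'."""
    s = format(value & 0xFF, "08b")
    return s[:4] + " " + s[4:]


def owned_in_byte(value, first=1):
    """Which of the 8 Pokémon a Pokédex-owned byte marks as owned (bit i -> Pokémon first + i)."""
    return [first + i for i in range(8) if (value >> i) & 1]


def owned_byte(numbers, first=1):
    """Inverse of owned_in_byte: the value that marks exactly these Pokémon (first..first+7) as owned."""
    value = 0
    for n in numbers:
        if not first <= n < first + 8:
            raise ValueError(f"Pokémon {n} is not covered by the byte for {first}..{first + 7}")
        value |= 1 << (n - first)
    return value


def owned_flag_location(number, base=POKEDEX_OWNED_BASE):
    """Assumed generalisation: (address, bit) of any Pokédex number, 8 flags per consecutive byte."""
    return base + (number - 1) // 8, (number - 1) % 8


def describe_d732(value):
    """Name the $D732 bits the post explains and say whether each is set."""
    return {name: bool((value >> bit) & 1) for bit, name in D732_BITS.items()}


def with_bit_set(value, bit):
    """OR the bit in instead of overwriting the byte, so other bits (bit 0 here) keep their value."""
    return value | (1 << bit)


if __name__ == "__main__":
    print("A9 =", bit_string(0xA9), "->", owned_in_byte(0xA9))   # [1, 4, 6, 8], as in the post
    print("owned byte for 1,4,6,8 =", f"{owned_byte([1, 4, 6, 8]):02X}")
    print("D732 = 01:", describe_d732(0x01))
    print("D732 after setting bit 1:", describe_d732(with_bit_set(0x01, 1)))
```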

SnorLapraSuicuinEkans

  • GCLF Member
  • Gender: Male
  • 8f lol
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #261 on: November 20, 2015, 01:14:35 pm »
That's all you can do? Not so great... Binary is 1, 2, 4, 8, 16, 32, right?

The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Gender: Male
  • That's no Pokémon, Ash.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #262 on: November 24, 2015, 05:21:06 pm »
Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233 even when I happen to need to store / retrieve it from the PC. I've set it to 233, but whenever I deposit / withdraw, it becomes like 268 or something.
Pixel Professor Oak is a spitting image of my physics teacher. Lab coat and all.

Proudly glitching on console, just pop me a message if you want me to do any research.

Háčky

  • Distinguished Member
  • Pick which packet as an error?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #263 on: November 24, 2015, 05:51:06 pm »
Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233 even when I happen to need to store / retrieve it from the PC. I've set it to 233, but whenever I deposit / withdraw, it becomes like 268 or something.
Take the square root of the EVs, and then the calculation is the same as in later generations (4 EVs = 1 stat point at level 100). The maximum of 65535 EVs grants √(65535)/4 ≈ 64 stat points at level 100. If your (presumably level 100) Pidgey has 268 HP with maximum EVs, and you want it to have 233 HP, then you’d need to reduce its HP EVs to around 13456, since √(13456)/4 = 29 points at level 100. (You might have to adjust that for rounding errors.)
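Háčky's calculation carried through in code, as an added example (not from the thread): the Generation I stat formula, the stat-experience bonus floor(ceil(sqrt(EV)) / 4), and the inverse that turns a wanted number of stat points back into a stat experience value. Pidgey's base HP of 40 is the standard Gen I value; the HP DV of 7 (what the post calls IV) is an assumption chosen so that the maximum stat experience reproduces the 268 HP reported above.

```python
# Added example: Gen I stat experience ("EVs" in the post) and the level-100 stat it produces.
import math

MAX_STAT_EXP = 65535          # 16-bit cap on stat experience


def stat_exp_bonus(stat_exp):
    """Stat points added at level 100: floor(ceil(sqrt(stat_exp)) / 4), the Gen I/II formula."""
    if not 0 <= stat_exp <= MAX_STAT_EXP:
        raise ValueError("stat experience is a 16-bit value")
    return math.ceil(math.sqrt(stat_exp)) // 4


def gen1_stat(base, dv, stat_exp, level, hp=False):
    """Gen I stat formula. dv is the 0..15 DV (the post says IV); HP adds level + 10, other stats add 5."""
    core = ((base + dv) * 2 + stat_exp_bonus(stat_exp)) * level // 100
    return core + (level + 10 if hp else 5)


def stat_exp_for_bonus(points):
    """Perfect-square stat experience that gives exactly `points` (the post's 29 -> 13456), capped at 16 bits."""
    return min((4 * points) ** 2, MAX_STAT_EXP)


def stat_exp_for_target(observed_at_max, target):
    """The post's reasoning: start from the 64-point maximum and give up the difference in the stat."""
    return stat_exp_for_bonus(stat_exp_bonus(MAX_STAT_EXP) - (observed_at_max - target))


def bonus_range(points):
    """All stat experience values that yield the same bonus: the 'rounding' the post mentions."""
    lo = (4 * points - 1) ** 2 + 1           # smallest value whose ceil(sqrt) reaches 4*points
    return lo, min((4 * points) ** 2, MAX_STAT_EXP)


if __name__ == "__main__":
    PIDGEY_BASE_HP, ASSUMED_HP_DV = 40, 7   # base stat is standard; the DV is assumed from the 268 figure
    print("max stat exp  ->", gen1_stat(PIDGEY_BASE_HP, ASSUMED_HP_DV, MAX_STAT_EXP, 100, hp=True))
    need = stat_exp_for_target(268, 233)
    print("stat exp", need, "->", gen1_stat(PIDGEY_BASE_HP, ASSUMED_HP_DV, need, 100, hp=True))
    print("any value in", bonus_range(29), "gives the same 29 points")
```

With those inputs the maximum stat experience gives 268 HP and 13456 gives 233, matching the thread; `bonus_range(29)` shows that everything from 13226 to 13456 yields the same 29 points, which is the rounding slack Háčky mentions.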

The G-Meister

  • Your bog-standard spotty British teenager
  • GCLF Member
  • Gender: Male
  • That's no Pokémon, Ash.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #264 on: November 25, 2015, 01:25:13 am »
Ahhh, thanks a bunch. As my purpose was rather that it didn't gain any EVs from battle, I'll set it to 169 and see if I get 233.

XTFOX

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #265 on: January 27, 2016, 05:58:19 pm »
Ok, that 8F bootstrap is too complicated. I made a new (simplified) one based off the original one. Could someone confirm my work?

Pokemon with values in hex after:

6 pokemon [06]
Onix [22]
Pidgey [24]
Pidgey [24]
Jolteon [68]
Tentacool [18]
Pick a pokemon based off Onix's stats

Onix 233 attack > Kadabra [26]
Onix 233 defense > Chansey [28] (Used Below)
Onix 233 speed > Mr. Mime [2A]
Onix 233 Special > Hitmonchan [2C]

Realistically, any of the first 4 Pokemon with a 233 stat could work, assuming the corresponding hex offset exists as a Pokemon. For example, using the 2nd Pidgey's speed doesn't work because the 6th Pokemon would need a hex value of 56, which is a MissingNo.

Code:
; -- Initial value of hl: D163
WRA1:D163 06 22            ld   b,22    ;  b = 22
WRA1:D165 24               inc  h       ; hl = D263
WRA1:D166 24               inc  h       ; hl = D363
WRA1:D167 68               ld   l,b     ; hl = D322
WRA1:D168 18 28            jr   28      ; pc = D16A + 28 = D192

WRA1:D192 E9               jp   hl      ; pc = hl = D322


Just a note I only read the first post, if I am recreating somebody's work and claiming it as my own I apologize.

EDIT: Found the wiki! Looks like a similar one has already been made that also only requires one specific stat.  Though the ability to choose any stat and just change the 6th pokemon is still cool seeing as the wiki one requires Pidgey 233 hp because it uses Pidgey's ID a 2nd time to Inc H. 

Also, has anybody tried to figure out why 8F accesses D163? I looked at the Pokemon Red disassembly item page and couldn't figure it out.
« Last Edit: January 28, 2016, 04:40:24 pm by XTFOX »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #266 on: February 02, 2016, 06:46:05 am »
Also, has anybody tried to figure out why 8F accesses D163? I looked at the Pokemon Red disassembly item page and couldn't figure it out.

The index bounds are not checked when using an item, the game happily gets the 16-bit integer at ItemUsePtrTable + (2*0x5d) and calls it, which happens to be the wPartyCount from ld a,[wPartyCount].
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016
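The bug Wack0 describes is an unchecked index into a table of function pointers: the lookup reads whatever 16-bit word sits at base + 2 × index, and past the table's end that word is just neighbouring code or data. The following added example (not the game's code) models that pattern on a constructed little-endian pointer table and puts the checked version beside it. The table base, its four entries and the bytes placed after it are all made up; they are arranged so that one out-of-range index reads the address operand of an `ld a,[$D163]` instruction, mirroring the post's explanation, without reproducing the game's real table size or 8F's index.

```python
# Added example: unchecked vs checked dispatch through a pointer table (constructed layout).
TABLE_BASE = 0x1000
TABLE_ENTRIES = [0x2000, 0x2100, 0x2200, 0x2300]     # constructed handler addresses, 2 bytes each
# Constructed bytes that follow the table: nop ; ld a,[$D163] ; ret  (FA = ld a,[a16], operand low byte first)
AFTER_TABLE = bytes([0x00, 0xFA, 0x63, 0xD1, 0xC9])


def build_rom():
    """Little-endian pointer table at TABLE_BASE, then unrelated code right after it."""
    rom = bytearray(0x3000)
    for i, ptr in enumerate(TABLE_ENTRIES):
        rom[TABLE_BASE + 2 * i] = ptr & 0xFF
        rom[TABLE_BASE + 2 * i + 1] = ptr >> 8
    end = TABLE_BASE + 2 * len(TABLE_ENTRIES)
    rom[end:end + len(AFTER_TABLE)] = AFTER_TABLE
    return rom


def unchecked_handler(rom, index):
    """The pattern the post describes: base + 2*index is read as a code pointer with no bounds check."""
    off = TABLE_BASE + 2 * index
    return rom[off] | (rom[off + 1] << 8)


def checked_handler(rom, index):
    """Same lookup, but refuses indices the table does not cover."""
    if not 0 <= index < len(TABLE_ENTRIES):
        raise IndexError(f"no handler for index {index:#x}; table has {len(TABLE_ENTRIES)} entries")
    return unchecked_handler(rom, index)


def handler_in_table(index):
    """True when index selects a real entry (what the missing check should have tested)."""
    return 0 <= index < len(TABLE_ENTRIES)


if __name__ == "__main__":
    rom = build_rom()
    for idx in (2, 4, 5):
        ptr = unchecked_handler(rom, idx)
        where = "table entry" if handler_in_table(idx) else "bytes past the table"
        print(f"index {idx:#x}: unchecked lookup calls {ptr:#06x} ({where})")
```

Index 5 makes the unchecked lookup return $D163, a WRAM address the game does not treat as code; whether the bytes there are benign then depends entirely on what the player has stored in the party, which is exactly why the checked version must reject the index instead.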

lowena

  • GCLF Member
  • Gender: Female
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #267 on: February 13, 2016, 05:57:17 am »
I had several problems while trying to do the dry item underflow glitch to get P7 (7F/8F) in my Spanish Pokemon Blue. Once I got to the step to switch the X Special with the Nugget, scrolling down past Exit in the item menu would freeze, but I realized that if I pressed B I could keep going down, and I had to do that several times to get down to the Nugget, and the same to switch the P7 back. The next problem was fixing the item menu. If I bought one item in Celadon, nothing happened. If I bought two, the P7 and everything else was erased. So I had to put the P7 in my PC, fix the menu, then take it back out. Hopefully that doesn't cause any problems. I haven't been able to bootstrap it yet to see if it actually works, but hopefully I don't run into many more problems. I'm probably going to do the compact one with Electabuzz, but unfortunately it's Red only so I'll have to Ditto glitch getting one :') I'll report back with what I find out.

Also, as a note for anyone else trying to get P7 on the Spanish game or some of the other European versions where you can't do the Old Man glitch: in order to get 255x X Special I did the Ditto glitch to encounter a Missingno., which solved the problem. The easiest way to do that is to get up to Fuchsia City, use any long-range trainer you want, consult the usual hex ID table, and encounter a Ditto in the grass immediately east upon leaving Fuchsia City.

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #268 on: February 13, 2016, 04:42:10 pm »
The "long name items" generating "locks" while going down the items in the item menu is a common issue. Spamming B and Down is a good solution to go through indeed. I think what causes this is that some items might match RAM addresses controlling the player's position, and the value of these addresses matches an item with a glitched long name. This would be why, if you move to another spot, you might not encounter the problem anymore. Sometimes when I face this, I just move a few steps and the problem is solved.

About the menu fixing issue, the first item fixes and erases the menu, but sometimes you don't see it and need to get a second item. I think it depends on how you trigger the glitch, but anyway you definitely have to store your P7 item before fixing the menu.

In French games, we can perform the Old Man Trick but we can't encounter pixel MissingNo. In this case, using the Ditto Trick to have a ghost/fossil MissingNo. is also our favorite solution. Also remember that you can use the Cooltrainer Trick to encounter a Pokémon, and more simply use the Glitch City RAM Manipulation to give yourself an item x255 without encountering MissingNo. at all.


lowena

  • GCLF Member
  • Gender: Female
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #269 on: February 13, 2016, 06:48:22 pm »
Well I got my P7 bootstrapped (using GCL's setup) and it works! So happy all that work didn't go to waste.

Thanks for the tip about long name items, I'll keep that in mind if I need to do the underflow glitch again. Maybe you could add a note to the underflow glitch guide about the long name and storing 8F to help others in the future? I haven't tried the Cooltrainer glitch yet, nor the Safari Zone glitch. I hadn't even heard of the RAM manipulation glitch but it sounds really cool, I'll have to check that out :)

EDIT: I made an 8F script to give you 255 of an item, useful in conjunction with the Change Second Item script to get any item you need for other scripts. I don't think this should cause any problems but I'm just a beginner, so please someone let me know if this is flawed.

GET 255 OF SECOND ITEM

This code, which is based off of the Change the Second Item code and likewise only requires 3 basic items, will give you 255 of the second item in slot 2. It simply decreases the item by 2, wrapping around backwards from 1 to 255 (0x01 - 0x02 = 0xff in 8 bit math). It is necessary to have only 1 of the item in slot 2.

ITEM LIST (starting from the first slot):
* 8F
* Item you want 255 of x1
* Burn Heal x43
* Ice Heal x53
* Revive x201

Code:
inc c    ; 0c = Burn Heal
dec hl   ; 2b = 43
dec c    ; 0d = Ice Heal
dec [hl] ; 35 = 53
dec [hl] ; 35 = Revive
ret      ; c9 = 201

Also, as a bonus, if you use Revive x201 instead of Full Heal x201 for the Change the Second Item code in the first post of the thread, the item hex ID will go down instead of up. :)
« Last Edit: February 16, 2016, 08:41:28 pm by lowena »
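A way to "confirm the work" of both listings above without a console, as an added example that is not code from the thread: a small simulator for the handful of SM83 instructions used by XTFOX's party-data bootstrap (Reply #265) and lowena's "255 of the second item" payload (Reply #269). It builds a constructed WRAM image, runs from $D163 as the thread says 8F does, and checks that the `jr` lands on the 233 stat's low byte (E9 = `jp hl`), that `jp hl` arrives at $D322, and that the two `dec [hl]` wrap bag slot 2 from 1 to 255. The $D163/$D322 addresses come from the thread; the 44-byte party record with its stat offsets and the bag layout ($D31D count, then item/quantity pairs) are the standard Gen I layout and are assumptions of this example; party stats and bag contents are constructed for the run. `bootstrap_byte` generalises XTFOX's table to any party slot and stat and raises when the displacement no longer fits a forward `jr`.

```python
# Added example: simulate the Reply #265 bootstrap running into the Reply #269 payload.
PARTY_COUNT, PARTY_SPECIES, PARTY_MON_BASE, MON_SIZE = 0xD163, 0xD164, 0xD16B, 44
BAG_COUNT, BAG_ITEMS = 0xD31D, 0xD31E                   # count byte, then (item, quantity) pairs
STAT_LOW_BYTE = {"attack": 37, "defense": 39, "speed": 41, "special": 43}   # big-endian stats in the record
BURN_HEAL, ICE_HEAL, REVIVE = 0x0C, 0x0D, 0x35           # item IDs as quoted in Reply #269
PLACEHOLDER_8F = 0x00                                    # slot 1 stands in for 8F; its ID is never executed here


def bootstrap_byte(slot, stat):
    """Species byte the 6th party member needs so `jr` lands on that Pokémon's 233 stat low byte."""
    target = PARTY_MON_BASE + (slot - 1) * MON_SIZE + STAT_LOW_BYTE[stat]
    disp = target - (PARTY_SPECIES + 6)                  # jr at D168/D169 is relative to D16A
    if not 0 <= disp <= 0x7F:
        raise ValueError(f"{stat} of slot {slot} is {disp:#x} away: not reachable with a forward jr")
    return disp


def build_memory(sixth_species, stats_by_slot, bag):
    """Constructed WRAM: six-Pokémon party whose species bytes form the bootstrap, plus the bag."""
    mem = bytearray(0x10000)
    mem[PARTY_COUNT] = 6
    mem[PARTY_SPECIES:PARTY_SPECIES + 7] = bytes([0x22, 0x24, 0x24, 0x68, 0x18, sixth_species, 0xFF])
    for slot, stats in stats_by_slot.items():
        mon = PARTY_MON_BASE + (slot - 1) * MON_SIZE
        mem[mon] = mem[PARTY_SPECIES + slot - 1]
        for stat, value in stats.items():
            off = mon + STAT_LOW_BYTE[stat] - 1
            mem[off], mem[off + 1] = value >> 8, value & 0xFF
    mem[BAG_COUNT] = len(bag)
    for i, (item, qty) in enumerate(bag):
        mem[BAG_ITEMS + 2 * i], mem[BAG_ITEMS + 2 * i + 1] = item, qty
    mem[BAG_ITEMS + 2 * len(bag)] = 0xFF
    return mem


def run(mem, pc=PARTY_COUNT, hl=PARTY_COUNT, max_steps=32):
    """Execute from pc until `ret`. Only the opcodes the two listings use are modelled (no flags)."""
    b = c = 0
    trace = []
    for _ in range(max_steps):
        op = mem[pc]
        if op == 0x06:                                   # ld b,n
            b = mem[pc + 1]; trace.append(f"{pc:04X} ld b,${b:02X}"); pc += 2
        elif op == 0x24:                                 # inc h
            hl = (hl + 0x100) & 0xFFFF; trace.append(f"{pc:04X} inc h"); pc += 1
        elif op == 0x68:                                 # ld l,b
            hl = (hl & 0xFF00) | b; trace.append(f"{pc:04X} ld l,b"); pc += 1
        elif op == 0x18:                                 # jr e: signed displacement from the next instruction
            e = mem[pc + 1]; e -= 0x100 if e > 0x7F else 0
            trace.append(f"{pc:04X} jr {e:+d}"); pc = (pc + 2 + e) & 0xFFFF
        elif op == 0xE9:                                 # jp hl
            trace.append(f"{pc:04X} jp hl"); pc = hl
        elif op == 0x0C:                                 # inc c
            c = (c + 1) & 0xFF; trace.append(f"{pc:04X} inc c"); pc += 1
        elif op == 0x0D:                                 # dec c
            c = (c - 1) & 0xFF; trace.append(f"{pc:04X} dec c"); pc += 1
        elif op == 0x2B:                                 # dec hl
            hl = (hl - 1) & 0xFFFF; trace.append(f"{pc:04X} dec hl"); pc += 1
        elif op == 0x35:                                 # dec [hl]: 8-bit wrap, so 1 -> 0 -> FF
            mem[hl] = (mem[hl] - 1) & 0xFF; trace.append(f"{pc:04X} dec [hl]"); pc += 1
        elif op == 0xC9:                                 # ret
            trace.append(f"{pc:04X} ret"); return pc, hl, trace
        else:
            raise ValueError(f"unmodelled opcode {op:02X} at {pc:04X}")
    raise RuntimeError("step limit reached without ret")


def get_255_of_second_item(stat="defense", slot=1, second_item=0x0A):
    """Bootstrap via the chosen 233 stat, run lowena's payload, return (quantity of bag slot 2, trace)."""
    bag = [(PLACEHOLDER_8F, 1), (second_item, 1), (BURN_HEAL, 43), (ICE_HEAL, 53), (REVIVE, 201)]
    mem = build_memory(bootstrap_byte(slot, stat), {slot: {stat: 233}}, bag)
    _, _, trace = run(mem)
    return mem[BAG_ITEMS + 3], trace


if __name__ == "__main__":
    for s in ("attack", "defense", "speed", "special"):
        print(f"slot 1 {s}: 6th Pokémon = {bootstrap_byte(1, s):02X}")
    qty, trace = get_255_of_second_item()
    print("\n".join(trace))
    print("bag slot 2 quantity:", qty)
```

The trace for the defense bootstrap reads `D163 ld b,$22`, two `inc h`, `ld l,b`, `jr +40` to $D192, `jp hl` to $D322, then `inc c`, `dec hl`, `dec c`, `dec [hl]`, `dec [hl]`, `ret`, and slot 2 ends at 255. The `bootstrap_byte` values for slot 1 reproduce XTFOX's table (26, 28, 2A, 2C) and slot 2 speed gives 56, the MissingNo. case the post mentions; the simulator does not know which bytes are real species IDs, so that check is still yours to make.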