Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 443121 times)


ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #315 on: March 15, 2016, 04:53:08 pm »
Btw, here is a code (should work on all R/B, and I think it also worked with Yellow although I didn't test it) that allows toggling NoClip. Note that activating NoClip by conventional means then using this code won't deactivate NoClip. (Oh well, just enter a building / save&reset and it's okay)
X Accuracy x56
Carbos x205
Poké Ball x126 ; Super Balls also work.
Leaf Stone x119
TM01 x(any qty)

corresponding code (bytes and the item that encodes them in the comments):
ld l, $38   ; 2E 38 : X Accuracy (ID $2E), quantity 56 ($38)
ld h, $CD   ; 26 CD : Carbos (ID $26), quantity 205 ($CD) -> hl = $CD38
inc b       ; 04    : Poké Ball (ID $04); or dec b. Whatevs.
ld a, [hl]  ; 7E    : quantity 126 ($7E)
cpl         ; 2F    : Leaf Stone (ID $2F), a = a xor $FF
ld [hl], a  ; 77    : quantity 119 ($77)
ret         ; C9    : TM01 (ID $C9); its quantity is never executed
Usually, $CD38 is zero, so this code puts #$FF into it, thus activating NoClip.
But triggering NoClip using the Safari Zone puts #$01, so when cpl'ed (xor #$FF) it gives #$FE, which is still nonzero.
Using the Pewter City Youngster to disable collision puts a non-FF value in $CD38, so it's the same deal.

I already posted that in another topic (here), but I figured it would be nice to put it here too, maybe to add it to the first post's code list?
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)
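Added example, not ISSOtm's code and not from the thread: a few lines of Python that assemble the item list above into the bytes 8F executes and then interpret just the seven opcodes this payload uses against a tiny dict-backed RAM, so the effect of the cpl on $CD38 can be checked from each starting value the post mentions ($00, $01, a non-FF value). Assumed here: the Gen 1 item IDs from the game's item table (X Accuracy $2E, Carbos $26, Poké Ball $04, Leaf Stone $2F, TM01 $C9), that each inventory slot is stored as an ID byte followed by a quantity byte, and that execution starts at the first item's ID byte.

```python
# Added example (not the thread's own code). Assumed item IDs from the Gen 1
# item table; assumed inventory layout <ID byte><quantity byte> per slot,
# executed from the first listed item.
ITEM_ID = {
    "X Accuracy": 0x2E,
    "Carbos": 0x26,
    "Poke Ball": 0x04,
    "Leaf Stone": 0x2F,
    "TM01": 0xC9,
}

# The item list from the post as (item, quantity). TM01's quantity is never
# executed because $C9 is "ret", so any quantity works; 1 is used here.
NOCLIP_ITEMS = [
    ("X Accuracy", 56),
    ("Carbos", 205),
    ("Poke Ball", 126),
    ("Leaf Stone", 119),
    ("TM01", 1),
]


def items_to_bytes(items):
    """Flatten an (item, quantity) list into the byte string that gets executed."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"quantity out of range for {name}: {qty}")
        out.append(ITEM_ID[name])
        out.append(qty)
    return bytes(out)


def run_noclip_payload(code, ram):
    """Interpret only the opcodes this payload uses (ld l,n / ld h,n / inc b /
    ld a,[hl] / cpl / ld [hl],a / ret) against a dict-backed RAM.
    Returns (address written, value now stored there)."""
    h = l = a = b = 0
    pc = 0
    while True:
        op = code[pc]
        if op == 0x2E:            # ld l, n
            l = code[pc + 1]
            pc += 2
        elif op == 0x26:          # ld h, n
            h = code[pc + 1]
            pc += 2
        elif op == 0x04:          # inc b (harmless filler)
            b = (b + 1) & 0xFF
            pc += 1
        elif op == 0x7E:          # ld a, [hl]
            a = ram.get((h << 8) | l, 0)
            pc += 1
        elif op == 0x2F:          # cpl: a = a xor $FF
            a ^= 0xFF
            pc += 1
        elif op == 0x77:          # ld [hl], a
            ram[(h << 8) | l] = a
            pc += 1
        elif op == 0xC9:          # ret: stop here
            addr = (h << 8) | l
            return addr, ram.get(addr, 0)
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at offset {pc}")


def toggle_noclip(initial):
    """Run the payload with $CD38 preset to `initial`; return the new $CD38."""
    ram = {0xCD38: initial}
    addr, value = run_noclip_payload(items_to_bytes(NOCLIP_ITEMS), ram)
    if addr != 0xCD38:
        raise RuntimeError(f"payload wrote ${addr:04X}, expected $CD38")
    return value


if __name__ == "__main__":
    print(items_to_bytes(NOCLIP_ITEMS).hex(" ").upper())
    for start in (0x00, 0x01, 0xFF, 0xFE):
        print(f"$CD38 = ${start:02X} -> ${toggle_noclip(start):02X}")
```

Running it shows the point of the post: from $00 the byte becomes $FF and from $FF it goes back to $00, so the setup is a clean toggle only for those two values; from $01 (the Safari Zone case) it becomes $FE, still nonzero, so NoClip stays on.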

Flandre Scarlet

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #316 on: March 22, 2016, 01:55:09 pm »
Ok, so I bought Yellow to screw around with some of its glitches and glitch Pokemon. I got ws m and it's not working for me at all. I'm using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here: http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code, the map reloads and I get stuck in a box where I can't move forever.
Pokemon in box 1 (also current box)
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

items
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201
I am a fan of Pokemon, Glitches, Touhou, Yugioh, Smash, Mario, Sonic, Kirby, (2D) Metroid, and MORE!

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #317 on: March 23, 2016, 05:58:46 am »
I never used that setup, can't understand how it works and I keep hearing people having trouble with it. Maybe some expert could do some troubleshooting on this. Anyway I would recommend this easier 10-Pokémon setup instead:

Tangela with 233 HP (actual)
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokémon

Your item code is alright so it should work.

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Flandre Scarlet

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #318 on: March 23, 2016, 12:24:52 pm »
By actual HP, do you mean max or current?

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #319 on: March 23, 2016, 02:56:18 pm »
Current. Max HP does not matter.


Flandre Scarlet

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #320 on: March 23, 2016, 02:57:57 pm »
Thanks. It's working great now!

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #321 on: March 26, 2016, 10:03:46 am »
Quote
Ok, so I bought Yellow to screw around with some of its glitches and glitch Pokemon. I got ws m and it's not working for me at all. I'm using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here: http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code, the map reloads and I get stuck in a box where I can't move forever.
Pokemon in box 1 (also current box)
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

items
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201

Hello all,

I was just looking into that ws m bootstrap. Seems to me like the problem is Nidoqueen.

According to pigdevil2010 ASM here: http://forums.glitchcity.info/index.php/topic,6638.msg198107#msg198107

the command regarding Tentacool and Nidoqueen is:
$DA86 <- 18 10 || jr DA97 ; pc = DA97

I am pretty sure this actually jumps to $DA98, which in Yellow would be Seel's level instead of its current HP. Changing Nidoqueen to Nidoran (female) should fix this, though I have not tested this. (I'm also very new at all this, so if I'm horribly wrong... sorry :P)

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #322 on: March 27, 2016, 04:14:22 am »
8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink of all this.


Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #323 on: March 27, 2016, 06:42:25 am »
Quote
8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink of all this.

How does that work? I was under the impression that the Yellow addresses were the Red/Blue ones -1. Doesn't that make Seel's index number $DA95?
Also, looking at relative jumps in other bootstraps, they all seem to jump 1 address further than the value given. So my idea was that a relative jump takes the value in the following address, jumps it and picks up from 1 address further.

Like this:
$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA97 <- end of jump
$DA98 <- continues reading

Am I missing something? ):

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #324 on: March 27, 2016, 07:03:08 am »
I am not such an assembler expert, you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,

Quote
How does that work? I was under the impression that the yellow adresses were the red/blue ones

Yes, they are decreased by 1 in some RAM sections, such as this one. For most addresses you might change using 8F:
- if US Red/Blue = 0
- then US Yellow = -1
- European R/B = +5
- And European Y = +4
So here, Stored Pokémon 8 ($DA88) is $DA87 in Yellow.
« Last Edit: March 27, 2016, 07:04:48 am by Krys3000 »


ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #325 on: March 27, 2016, 07:54:01 am »
Skeef, you are right, as most of (but not all, an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware, as this only means absolute jumps (jp, call) have to be changed; relative jumps (jr) should not change.

Take it like this:
jr $XX means that the execution skips $XX bytes counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9
jr $02        ; 18 02
.db $C0, $DE  ; the two bytes the jr skips over
ret           ; C9
The "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89".
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

In another way: remember jr $00 does nothing, i.e. it jumps right after itself.
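Added example, not ISSOtm's or Krys3000's code and not from the thread: a small Python helper that computes where a GBz80 jr lands (target = address of the jr + 2 + signed 8-bit offset, the offset being two's complement so values $80 to $FF jump backwards, which the thread does not show) and walks the "18 02 C0 DE C9" sequence from $DA86 to confirm it reaches the ret at $DA8A. The tracer is deliberately simplified: it only decodes jr and ret and treats every other byte as a one-byte instruction, which is enough for bytes that are skipped anyway. The R/B to Yellow shift of -1 from Krys3000's post is included as a labelled assumption.

```python
# Added example (not the thread's own code). Facts used: jr is two bytes
# (opcode $18 then a signed 8-bit offset) and the target is computed from
# the address right after the instruction. The Yellow offset of -1 below is
# taken from the thread as an assumption, not verified here.

def signed8(byte):
    """Interpret a byte as a two's-complement signed 8-bit value."""
    byte &= 0xFF
    return byte - 0x100 if byte & 0x80 else byte


def jr_target(jr_addr, offset_byte):
    """Address execution continues at after 'jr offset' located at jr_addr.
    jr $00 is a no-op: it lands on the byte right after the instruction."""
    return (jr_addr + 2 + signed8(offset_byte)) & 0xFFFF


def trace_jr(base, code):
    """Walk `code` (bytes laid out in memory from `base`), following jr.
    Simplification: every byte other than jr ($18) and ret ($C9) is treated as
    a one-byte instruction. Returns the list of addresses executed; stops at
    ret, when leaving the buffer, or after 64 steps (a jr $FE loops forever)."""
    pc = base
    visited = []
    for _ in range(64):
        if not base <= pc < base + len(code):
            break
        visited.append(pc)
        op = code[pc - base]
        if op == 0xC9:                       # ret
            break
        if op == 0x18:                       # jr: need the operand byte too
            if pc + 1 >= base + len(code):
                break
            pc = jr_target(pc, code[pc - base + 1])
        else:
            pc += 1
    return visited


def yellow_addr(rb_addr):
    """Assumed (from Krys3000's post): US Yellow = US R/B address - 1."""
    return rb_addr - 1


if __name__ == "__main__":
    # ISSOtm's example: 18 02 C0 DE C9 starting at $DA86
    path = trace_jr(0xDA86, bytes.fromhex("1802C0DEC9"))
    print("executed:", [f"${a:04X}" for a in path])
    # The Tentacool/Nidoqueen case: jr ($18) at $DA86, operand $10 at $DA87
    print(f"jr $10 at $DA86 lands at ${jr_target(0xDA86, 0x10):04X}")
    print(f"jr $00 at $DA86 lands at ${jr_target(0xDA86, 0x00):04X}")
    print(f"jr $FE at $DA86 lands at ${jr_target(0xDA86, 0xFE):04X} (loops)")
    print(f"R/B $DA88 -> Yellow ${yellow_addr(0xDA88):04X}")
```

For the bootstrap being discussed, jr at $DA86 with operand $10 at $DA87 lands at $DA88 + $10 = $DA98, which is what ISSOtm states in reply #329 and what Skeef's second diagram shows; the only difference between the two earlier diagrams is which byte the count starts from, and the count starts at the byte after the operand.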

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #326 on: March 27, 2016, 11:19:43 am »
Quote
Skeef, you are right, as most of (but not all, an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware, as this only means absolute jumps (jp, call) have to be changed; relative jumps (jr) should not change.

Take it like this:
jr $XX means that the execution skips $XX bytes counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9
jr $02        ; 18 02
.db $C0, $DE  ; the two bytes the jr skips over
ret           ; C9
The "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89".
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

In another way: remember jr $00 does nothing, i.e. it jumps right after itself.

I considered that it could work like that, but since the result is the same it didn't really matter.

Quote
I am not such an assembler expert, you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,

I'm not an expert either :P Before the release of the VC games last month I didn't know any of this...

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #327 on: March 27, 2016, 11:26:42 am »
So here isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10) so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99 since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?


Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #328 on: March 27, 2016, 11:55:43 am »
Quote
So here isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10) so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99 since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?

It's like this:

$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA88 <- start of the jump
$DA98 <- continues reading
A bit different from what I originally posted, but the result is the same.

Also, you seem to be doing +1 on your Yellow addresses instead of -1.
$DA97-$DA98 = current HP in Red/Blue. That means $DA96-$DA97 = current HP in Yellow (right?)

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #329 on: March 27, 2016, 11:57:47 am »
If the Nidoqueen is located at $DA87, the jump should land at $DA98.
If $DA98 is $00, that doesn't matter, it's just a NOP (No OPeration) instruction. It wastes 4 processor cycles. Boo.
So the problem doesn't seem to be there, but it means that using the Pokémon with the following ID should also work.
Otherwise, we are making a mistake somewhere?