Topic: Arbitrary code execution in Red/Blue using the "8F" item


Ephraim225

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #375 on: June 15, 2016, 04:04:40 pm »
If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.

Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. I want to be a mum. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #376 on: June 15, 2016, 04:26:24 pm »
If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.

Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.
That's true. However Shina69 was asking how we could do this without the expanded items pack.

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Ephraim225

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #377 on: June 16, 2016, 12:43:15 pm »
Oh whoops. I didn't look at the previous page ^^;

In that case there's only one other way I can think of: Have the Rocket NPC on Nugget Bridge disappear through the Mew Glitch. For that you'd have to figure out what that NPC's "disappearing object number" is, start the Mew Glitch on a map with that many objects -1, start the Mew Glitch there, head to Nugget Bridge, lose to one of the trainers, then make sure not to cross through any maps with more disappearing objects than the number you want.

So...I suppose it comes down to the number of disappearing objects on Route 24 and which one the Rocket is.

Nostalgia

  • GCLF Member
  • Gender: Male
  • ?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #378 on: June 26, 2016, 04:32:42 pm »
In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.

Ketchup901

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #379 on: June 27, 2016, 12:23:47 am »
Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. I want to be a mum. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #380 on: June 27, 2016, 01:36:31 pm »
Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?

Yes. The 'instant battle' catch 'em all script is the same as the Red/Blue catch 'em all script other than that we change address D059 to D058 (this is the case with many addresses in Yellow; there is a subtraction of 1, and usually when you see an address in the DXXX range you may be able to subtract 1 to get the Yellow address); hence we can use a TM34 x88 instead of TM34 x89.

Like this:
Code:
Item 3: Lemonade x(xx)
Item 4: TM34 x88
Item 5: TM08 x201

Code:
3E xx EA 58 D0 C9
Code:
ld a,xx
ld (D058),a
ret

(As always, this will only work with bootstrap code to item 3 such as this setup by Pigdevil2010)

In case you don't know, more addresses can be found on the Pokémon Red RAM map and Pokémon Red disassembly/WRAM :) — we can subtract 1 from them to get many of the Yellow addresses, except for some such as CD38 (which, when 1, allows us to walk through walls).

Additionally, if you want to receive the Pokémon as a gift; the code needs to be adjusted to account for the change of a location of a routine in the ROM:

Code:
Item 3: Repel x[SpeciesIndex]
Item 4: X Speed  x14
Item 5: Ultra Ball x64
Item 6: TM05  x89
Lemonade x201

Code:
1E 20 43 0E 02 40 CD 48 3E C9
ASM:
ld   e,[SpeciesIndex]
ld   b,e
ld   c,02
ld   b,b
call 3E48
ret

Hope this helps! ^_^
« Last Edit: June 27, 2016, 01:38:04 pm by Torchickens »


Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. I want to be a mum. 🦋 ✿
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #381 on: June 27, 2016, 02:54:05 pm »
In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.

Yes. Here is some code for that sole purpose. :)

Code:
ld a,xx
ld e,yy
ld h,d3
ld l,58
ldi (hl),a
ld (hl),e
ret

Code:
3E xx 1E yy 26 D3 2E 58 22 73 C9
Code:
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)

(The X Accuracy is x89 in Red/Blue)

Where the quantity of the Lemonade is the first byte of your new Trainer ID (in hexadecimal) and the quantity of the Repel is the second byte of your Trainer ID (in hexadecimal). For example, if we want the Trainer ID 42965, we can go on Windows Calculator or use a converter and convert it to get hex:A7D5 (A7 for byte 1 and D5 for byte 2; A7 converts into 167 in decimal, while D5 converts into 213 in decimal). We cannot have Trainer IDs greater than 65535, sadly.

The changes are invisible until you capture a new Pokémon, because the Trainer Card doesn't display the Trainer ID in Generation I.

With the 'in-built GameShark code' in my earlier post designed for multiple tasks (note that for Yellow version we use X Accuracy x34), you can use the Lemonade as your byte value (e.g. A7) and Carbos x 211, X Accuracy x 88 as the other parameters (h [address byte 1], and l [address byte 2]).

Additionally, if we activate the expanded items pack, your Trainer ID addresses can be found as item 30's quantity (byte 1) and item 31 (byte 2), which means that if you want to have a particular ID you can get most by tossing from item 30, and changing item 31. The ID 01234 (04D2 in hexadecimal) could be obtained with a quantity of 4 in item 30 and a 'D2 item' (TM10 according to The Big HEX List) in item 31. Glitch items can be obtained with the Celadon looping map trick, but if you want to do this make sure you carefully navigate the menu slowly with B, as a 'long name glitch item' can easily freeze your game (and there is a chance of Continue being removed from the options) if the A button is pressed on it.

Hope this helps. ^_^


Nostalgia

  • GCLF Member
  • Gender: Male
  • ?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #382 on: June 28, 2016, 10:16:08 am »
What's the TM01 for in that code? Because I don't have that TM anymore..

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #383 on: June 28, 2016, 12:53:59 pm »
What's the TM01 for in that code? Because I don't have that TM anymore..

TM01 ends the code (Hex C9). It's available in Celadon dept. store.

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #384 on: June 29, 2016, 07:13:10 am »
If you don't use a C9, bad s**t will happen  ;D

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Nostalgia

  • GCLF Member
  • Gender: Male
  • ?
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #385 on: June 30, 2016, 12:02:10 pm »
Can you delete old key items with ws m?

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Gender: Male
  • Pewter City (B)rocks !
  • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #386 on: June 30, 2016, 02:30:20 pm »
Yeah, you could use a code that mutates items for example. Such as (using pigdevil2010's bootstrap setup !)
Code:
8F / ws l m
Key item
Poké Ball x43
Great Ball x43
Revive x201
Code:
inc b
dec hl
inc bc
dec hl
dec (hl)
ret
You'll increase item #2's ID by one each time you use 8F / ws l m. It will be of quantity 1.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #387 on: July 02, 2016, 04:18:53 am »
So lately I have been looking into TheZZAZZGlitch's pong game. However, after trying to break down the code into map coordinates, I am left with a few questions which I hope someone can help me with.

The first thing I am wondering about is the entry point. The code starts at $D901, which is the opponent's 3rd Pokémon type 1. Does the opponent's Pokémon data reset to 0 after saving and restarting or does it persist? In other words, will the pong game still be there after saving?

A few other things I'm not too sure about are some opcodes.
Namely:
- ldi  (hl),a
I can't find this one on the CPU chart. But I'm pretty sure it's opcode 22 (ld (hl+),a) which I think loads a into (hl) and then increments the hl register. Is that correct?

- ld   a,($FF00+A2)
There are a few of these, I have no idea what to do with them  );

And finally, commands that take a 2 byte input. These require the lower byte first then the higher byte right? They already seem to be listed in the code with the lower byte first, but I'm not sure.

Any help on this is much appreciated.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Gender: Male
  • Pewter City (B)rocks !
  • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #388 on: July 02, 2016, 01:13:53 pm »
Okay, simple questions, simple answers.

Unless it is saved then loaded, RAM doesn't persist. In that case it won't, but don't assume it will be zero.

There is no official syntax for gb-specific z80 instructions, so here are some aliases :
• ldi (hl), a
• ld (hli), a
• ld (hl+), a
• ld [hli], a
Same for ldd and ld-, etc.
You are correct, ldi (hl), a is totally equivalent to ld (hl), a \ inc hl

There is a special instruction in gb z80 : ld ($FF00 + imm8), a (as well as ld a, ($FF00 + imm8))
It saves one byte (thus speed) over ld a, (mem16) and ld (mem16), a

And the gb z80 is little-endian :
call $C0DE is "CD DE C0"

Gotcha ? I will be writing a gbz80 dev page on the wiki some day. Right now I'm spending a week with my gf, so I'm pretty much occupied :P
« Last Edit: July 03, 2016, 04:37:02 pm by ISSOtm »
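An added example (not code from the thread, nor from the GBz80 to Items tool): it builds the Trainer ID setup from Reply #381 for a chosen ID, encodes the bag slots into the bytes that 8F / ws m executes, and decodes them with a small GB-Z80 disassembler that reads 16-bit operands low byte first, as Reply #388 describes. The item IDs and the D358/D359 addresses are taken from the posts; the opcode table covers only the instructions used in this thread, and the function names and the quantity-0 check are my own assumptions.

```python
# Item IDs quoted in the thread (a bag slot is an ID byte followed by a quantity byte)
ITEM_ID = {"Lemonade": 0x3E, "Repel": 0x1E, "Carbos": 0x26, "X Accuracy": 0x2E,
           "Water Stone": 0x22, "TM01": 0xC9}
# opcode -> (mnemonic template, operand bytes); only the opcodes this thread uses
OPCODES = {
    0x3E: ("ld a,{n}", 1), 0x1E: ("ld e,{n}", 1), 0x0E: ("ld c,{n}", 1),
    0x26: ("ld h,{n}", 1), 0x2E: ("ld l,{n}", 1), 0xF0: ("ld a,($FF00+{n})", 1),
    0xE0: ("ld ($FF00+{n}),a", 1), 0xEA: ("ld ({nn}),a", 2), 0xCD: ("call {nn}", 2),
    0x22: ("ldi (hl),a", 0), 0x73: ("ld (hl),e", 0), 0x43: ("ld b,e", 0),
    0x40: ("ld b,b", 0), 0x04: ("inc b", 0), 0x03: ("inc bc", 0),
    0x2B: ("dec hl", 0), 0x35: ("dec (hl)", 0), 0xC9: ("ret", 0),
}

def trainer_id_bytes(trainer_id):
    """High and low byte of a 16-bit Trainer ID: the Lemonade and Repel quantities."""
    if not 0 <= trainer_id <= 0xFFFF:
        raise ValueError("Trainer IDs are 16-bit: 0 to 65535")
    hi, lo = trainer_id >> 8, trainer_id & 0xFF
    if hi == 0 or lo == 0:  # tossing cannot leave a slot with quantity 0
        raise ValueError("one byte is 0; this setup needs both quantities >= 1")
    return hi, lo

def trainer_id_setup(trainer_id, yellow=True):
    """Item list from the post; X Accuracy is x88 in Yellow (D358), x89 in Red/Blue."""
    hi, lo = trainer_id_bytes(trainer_id)
    return [("Lemonade", hi), ("Repel", lo), ("Carbos", 211),
            ("X Accuracy", 88 if yellow else 89), ("Water Stone", 115), ("TM01", 1)]

def items_to_bytes(items):
    """Serialise the slots exactly as the bag holds them: ID byte, quantity byte."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty))

def disassemble(code):
    """Decode until the first ret (C9), where execution leaves the item data."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} is not in this table")
        mnem, size = OPCODES[op]
        arg = code[pc + 1:pc + 1 + size]
        if size == 2:  # little-endian: "CD DE C0" is call $C0DE
            mnem = mnem.format(nn=f"{arg[0] | arg[1] << 8:04X}")
        elif size == 1:
            mnem = mnem.format(n=f"{arg[0]:02X}")
        out.append(mnem)
        pc += 1 + size
        if op == 0xC9:
            break
    return out
```

For the ID 42965 from the post, `items_to_bytes(trainer_id_setup(42965))` gives 3E A7 1E D5 26 D3 2E 58 22 73 C9 01, and `disassemble` of that reproduces the seven-line listing in Reply #381.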

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #389 on: July 03, 2016, 05:24:00 am »
How did you get your own personal Game Freak?  :o
