Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 443151 times)

ISSOtm

« Reply #600 on: June 20, 2017, 04:26:03 am »
The offsetting logic is this:
0000-7FFF: Offsetting is complex, but things in 0000-3FFF shouldn't be offset
8000-9FFF: No offsetting
A000-BFFF: No offsetting either
C000-D1XX (I think?): No offsetting
D1XX-DFFF: Offset +5
FF80-FFFE: No offsetting


Evie the Bird Mother 🌸 ☽

« Reply #601 on: June 20, 2017, 03:33:16 pm »
The offset +5 is before D1XX because D059, the instant encounter address, is D05E in non-English European versions. I wonder where it begins (and the -1 for Yellow)?
« Last Edit: June 20, 2017, 03:33:41 pm by Torchickens »

Problems with 8F

« Reply #602 on: June 21, 2017, 01:52:08 am »
Thx guys for your very detailed answers. Even if I didn't understand everything I will try your suggestions and post the results :)

asphere

« Reply #603 on: June 24, 2017, 04:34:40 am »
Well, I have read a lot of posts these days on this spectacular forum. I am using a Pokémon Yellow Italian version and all I can note and tell you to receive help is this:
http://forums.glitchcity.info/index.php?topic=6638.msg192543#msg192543 This, I think, is the correct box party I must use:
And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]
(quote from Wack0)
Well, now I need to know how to use the items and which items I need to use, in the correct order. If you can, please post it for creating items and multiplying them x255, because I'm trying to make a legit Mew with event OT and ID.
Also, I have a question... I read about 7em etage; should the item be replaced with ws m in the Italian and French versions? Sorry, I don't understand; if you can help me I would appreciate it a lot.
Thanks, and sorry if I am wrong to ask in this section or about my last posts...
Thanks in advance.

Skeef

« Reply #604 on: June 24, 2017, 06:35:13 am »
7em etage is for French/Italian Red/Blue, ws m is for Yellow. Though I don't know if it's called that in Italian games, nor if you get it the same way as in English.
The list of Pokémon is indeed the one you need.

This is how to get ws m in English games. It may be the same in Italian games. Worth a try I guess.
Do the trainer escape glitch and defeat a Ditto transformed into a Pokémon that has 194 special stat and have X Speed as your 5th item.

And some codes:
Change the second item:

- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of the item you want)
- TM01 x(any)

This one should turn item 2 into whatever the quantity of the Max Revive corresponds with from the big hex list.
http://glitchcity.info/wiki/The_Big_HEX_List

I don't have a euro-language game to test it, but it's what I use on my English Red/Blue +4 X Accuracy.
-------------

Change item 2 amount to 256 (0) (actually decreases item amount by 1)

- 8F
- Item you want 256 of x1
- Pokéball x43
- Revive x201

This one should work on any game.

asphere

« Reply #605 on: June 24, 2017, 08:55:54 am »
Well, on Pokémon Yellow Italian version I have this item: http://imgur.com/a/bs5sY
Then I tried as you said:
-ws m
-item you want 256 of x1
-pokeball x43
-revive x201
and it doesn't work...
About
- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of the item you want)<---------- I don't understand what you mean with this... how many should I have?
- TM01 x(any)

Anyway, it doesn't work... I used a box with 6 Slowpoke, Voltorb, Scyther, Jolteon, 10x Geodude and Voltorb, where the 1st Slowpoke has 233 HP.
I'll wait for an answer; anyway, thanks for your help, mate.

EDIT 1-
To get any item, use this code:
ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201
And can you tell me if it is correct to use this to choose the item I need? http://glitchcity.info/biglist.htm
BUT IT DOESN'T WORK


Then this too:
To get any item quantity, set up your items like so:
ws# #m#
Item you want to increase x 1
Burn or ice heal x 43
Revive x 201 (You should already have this)
DOESN'T WORK.


Lastly, I must use this to change my ID:
The item code to change trainer ID is:
any item/ws# #m#
any item/ws# #m#
Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)
As we are going for an ID of the GF Mew, we want 89 Lemonades and 12 Repels. If you want to change your ID back afterward, you need to get it from one of your previously captured pokes (look at summary) and convert it into hexadecimal (there's tonnes of converters online). Then, split the four digit hexadecimal number into two chunks, the first two digits, and the last two. Then convert those individual chunks back into decimal to find out how many repels and lemonades you need. First chunk is for lemonades, second for repels. Just use ws# #m# to change your ID.

But is this correct?
« Last Edit: June 24, 2017, 09:18:48 am by asphere »

Skeef

« Reply #606 on: June 24, 2017, 05:12:52 pm »
What happens when you try to execute a code? Nothing or does the game crash?

Anything else I can advise is to double check your box to see if the Pokémon are all in the correct order. And to make sure the first Slowpoke has 233 hp left, its max hp does not matter.

Also, I just compared the euro Bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it. Cuz Scyther is dec 26 on the big list, but we need hex 26 <--- Thus Kadabra.


Quote
- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of the item you want)<---------- I don't understand what you mean with this... how many should I have?
- TM01 x(any)

First, look at the big hex list here: http://glitchcity.info/biglist.htm
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy, look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.

Parzival

« Reply #607 on: June 24, 2017, 05:58:03 pm »
What happens when you try to execute a code? Nothing or does the game crash?
What happens when you try to execute a code?
try to execute a code?
execute a code


Anyway... I have nothing useful to add.

please don't ban me Abwayax-sama I swear I'll change please no don't cave my account in with your ban hammer
« Last Edit: June 24, 2017, 06:03:11 pm by Parzival »


asphere

« Reply #608 on: June 25, 2017, 03:14:25 am »
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried right now to change Kadabra with Scyther and I tried
-ws m
-item you want 256 of x1
-pokeball x43
-revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201
BUT IT DOESN'T WORK

ws# #m#
Item you want to increase x 1
Burn or ice heal x 43
Revive x 201
DOESN'T WORK.

Well, either the box party for the Italian version is wrong or the item settings are wrong.
About the question of whether my game crashes or nothing happens when I try to execute a code, the answer is NOTHING HAPPENS.
Thanks for future help.

Evie the Bird Mother 🌸 ☽

« Reply #609 on: June 25, 2017, 06:44:08 am »
Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.
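The decimal/hexadecimal mix-up confirmed above (Scyther is index 26 decimal, the setup needs byte 0x26, Kadabra) and the item codes explained earlier in the thread can both be checked at the byte level. The Python below is an added example, not code from any poster; it assumes the standard Gen 1 internal species and item indices and Game Boy CPU opcodes (only the entries this thread uses), and all function names are illustrative.

```python
# Added example, not code from the thread. Tables are assumed standard Gen 1
# internal indices and Game Boy CPU opcodes, limited to what this thread uses.
SPECIES = {"Voltorb": 0x06, "Scyther": 0x1A, "Slowpoke": 0x25,
           "Kadabra": 0x26, "Jolteon": 0x68, "Geodude": 0xA9}
ITEMS = {"Poke Ball": 0x04, "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Repel": 0x1E,
         "Water Stone": 0x22, "Carbos": 0x26, "X Accuracy": 0x2E,
         "Revive": 0x35, "Max Revive": 0x36, "Lemonade": 0x3E, "TM01": 0xC9}
# opcode -> (mnemonic, number of operand bytes)
OPS = {0x00: ("nop", 0), 0x04: ("inc b", 0), 0x06: ("ld b,{:02X}", 1),
       0x0C: ("inc c", 0), 0x0D: ("dec c", 0), 0x14: ("inc d", 0),
       0x1E: ("ld e,{:02X}", 1), 0x22: ("ld (hl+),a", 0), 0x25: ("dec h", 0),
       0x26: ("ld h,{:02X}", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l,{:02X}", 1),
       0x35: ("dec (hl)", 0), 0x36: ("ld (hl),{:02X}", 1),
       0x3E: ("ld a,{:02X}", 1), 0x68: ("ld l,b", 0), 0x73: ("ld (hl),e", 0),
       0xA9: ("xor c", 0), 0xC9: ("ret", 0), 0xE9: ("jp hl", 0)}


def items_to_bytes(slots):
    """Bag slots sit in memory as (item index, quantity) byte pairs."""
    return bytes(b for name, qty in slots for b in (ITEMS[name], qty & 0xFF))


def disassemble(data):
    """Linear decode that stops after 'ret' or 'jp hl'."""
    out, i = [], 0
    while i < len(data):
        text, nargs = OPS.get(data[i], ("db %02X" % data[i], 0))
        operands = data[i + 1:i + 1 + nargs]
        if len(operands) < nargs:          # operand runs past the buffer
            out.append("db %02X" % data[i])
            break
        out.append(text.format(*operands))
        if data[i] in (0xC9, 0xE9):
            break
        i += 1 + nargs
    return out


def check_box(names, wanted):
    """Return (slot, name, actual, needed, dec_hex_mixup) for each wrong species."""
    problems = []
    for slot, (name, need) in enumerate(zip(names, wanted), start=1):
        have = SPECIES[name]
        if have != need:
            digits = format(need, "X")     # e.g. 0x26 -> "26"
            mixup = digits.isdigit() and int(digits) == have
            problems.append((slot, name, have, need, mixup))
    return problems


def box_bytes(names):
    """Count, species list, 0xFF terminator, then first mon: species + HP 0x00E9."""
    first = SPECIES[names[0]]
    return bytes([len(names)] + [SPECIES[n] for n in names] + [0xFF, first, 0x00, 0xE9])


# The box from the quoted post (0xDA85..0xDA98) and the bytes its table asks for.
POSTED = (["Slowpoke"] * 6 + ["Voltorb", "Scyther", "Jolteon"]
          + ["Geodude"] * 10 + ["Voltorb"])
WANTED = [0x25] * 6 + [0x06, 0x26, 0x68] + [0xA9] * 10 + [0x06]
FIXED = ["Kadabra" if n == "Scyther" else n for n in POSTED]

if __name__ == "__main__":
    print(check_box(POSTED, WANTED))            # slot 8 flagged as a dec/hex mix-up
    print(disassemble(box_bytes(POSTED))[7:9])  # L is loaded from the slot-8 byte
    print(disassemble(box_bytes(FIXED))[7:9])
    code = [("X Accuracy", 36), ("Carbos", 211), ("Max Revive", 40), ("TM01", 1)]
    print(disassemble(items_to_bytes(code)))    # quantities become operands
```

The two box listings differ only in the operand of `ld b`, which `ld l,b` copies into L before the final `jp hl`, so the wrong species changes the low byte of the jump target.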

asphere

« Reply #610 on: June 25, 2017, 08:57:19 am »
Well, I'll go replace Scyther with Kadabra, but please can you tell me, to get any item quantity, how must I set up my items?
Example: 1st ws m
2nd item x255 x 1
burn heal x43
revive x201
??? Which is the setting? The one I posted does not work. I need the setting to get any item quantity (x255) and to get any item.
Thanks again.

In the end, can you explain how to get ws m? Maybe I did something wrong.
« Last Edit: June 25, 2017, 09:04:50 am by asphere »

ISSOtm

« Reply #611 on: June 25, 2017, 11:24:42 am »
We call the item ws m, but it can also show up as ws l m, so this is the correct item.


asphere

« Reply #612 on: June 25, 2017, 11:56:18 am »
We call the item ws m, but it can also show up as ws l m, so this is the correct item.

Mine is ws & m, is that correct? And anyway, can you answer the other question please?

TheSixthItem

« Reply #613 on: June 25, 2017, 01:17:03 pm »
please don't ban me Abwayax-sama I swear I'll change please no don't cave my account in with your ban hammer
I SAW THAT!
OK but anyway, what is the asm for thezzazzglitch's 20 pokemon ws m bootstrap?

asphere

« Reply #614 on: June 25, 2017, 02:37:56 pm »
???? I need settings to create and multiply items