Author Topic: Arbitrary code execution in Red/Blue using the "8F" item  (Read 443122 times)


Epsilon

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #645 on: July 03, 2017, 07:47:03 am »
Rebattle Mewtwo

This code will force Mewtwo to reappear in Cerulean cave if you have already fought him. This can be used an infinite number of times for infinite Mewtwos.

8f
Any item x any quantity
Lemonade x1
Soda Pop x4
Thunderstone x95
TM16 x119
TM34 x192
TM13 x201

Code:
ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return

Sorry for longevity, I tried my best to avoid duplicate/glitch items. Enjoy!

Skeef

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #646 on: July 05, 2017, 12:09:00 pm »
Rebattle Mewtwo

Code:
ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return

You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

Code:
inc b ;junk
dec hl ;hl is now D321, that's item 2's quantity identifier.
dec (hl) ; decrease the quantity of (hl) by 1.
ret

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #647 on: July 05, 2017, 01:07:11 pm »
It's indeed possible but I find it tedious. Personally I prefer to stick to non-zero quantities.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

GoldenPikachu

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #648 on: July 08, 2017, 10:35:56 am »
Does this work on the Spanish version of Yellow? I got ws m and did the setup but it doesn't work.

forsyz

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #649 on: July 24, 2017, 11:04:10 pm »
Trying to change a Pokémon's item address with ws m; I'm using this by Torchickens. I have the bootstrap and items correct, but the Pokémon's item is still a berry when I see it on the trade.
Item 3: Lemonade x 217
Item 4: Carbos x 209
Item 5: X Accuracy x 113
Item 6: Water Stone x 201
« Last Edit: July 25, 2017, 05:36:52 am by forsyz »

natanelho

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #650 on: July 25, 2017, 08:40:20 am »
Rebattle Mewtwo

Code:
ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return

You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

Code:
inc b ;junk
dec hl ;hl is now D321, that's item 2's quantity identifier.
dec (hl) ; decrease the quantity of (hl) by 1.
ret
About that code for 0 quantity of item 2: you assume hl contains D322 before the execution. How can you know that?
A more general question: what are the states of the registers before using 8F, and do I have to return them to that state for the game to work properly?
Sorry, I'm new to glitching. I did a few codes already, including one that changes item 1's quantity to 0, and it took me 3 items instead of 2 because I didn't know the values of the registers and had to insert the values manually...

Krys3000

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #651 on: July 25, 2017, 01:43:02 pm »
It is D322 because of the bootstrap code.

Remember the execution is done IN YOUR TEAM and you reroute it to item 3 (which is $D322).

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

jfb1337

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #652 on: July 25, 2017, 01:48:12 pm »
Yep, the bootstrap code in your party is basically
- set hl to D322
- jump to hl

So in your items code you can always assume hl is D322.

forsyz

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #653 on: July 25, 2017, 05:38:54 pm »
I want a ws m code to change the OT and trainer ID of a Pokémon so Pikachu will still exit its ball when I change the name and trainer ID.

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #654 on: July 26, 2017, 05:53:26 am »
@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, because mainly of the 6-Pokémon setup.
« Last Edit: July 26, 2017, 05:54:46 am by ISSOtm »

natanelho

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #655 on: July 26, 2017, 07:22:35 am »
@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, because mainly of the 6-Pokémon setup.
1. Thanks! Didn't see that for some reason. The question is: did any of the values change since then because of the changed bootstrap? (Yes, you already said so about b; I'm talking about the others.)
2. Lots of 8F code seems to just load some data into registers and s**t happens. For example, how does the catch 'em all code work? It just loads some value into "wCurOpponent", which is the species of the opponent in a wild battle... there is no code to initiate the battle itself. Lots of item lists are like this: just put the right data in the right spot without calling any function like I would expect. Can anybody explain that to me?
3. Where are the in-game functions to write text to the little window on the screen? I want to write some text easily and without consequences, and without having to clear it out, like when I just write tiles to the right place in RAM directly...
4. Is there a code to buy more than 99 items from shops? It would be more convenient than just making those items myself (duping and stuff).

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #656 on: July 26, 2017, 11:05:30 am »
1. I don't know. What's consistent, however, is the value of hl, because what most bootstraps essentially do is
Code:
ld hl, $D322
jp [hl]
(Most is actually "all but the glitched 3-Pokémon setup")

2. That's because codes interface with the game's engine. The way wCurOpponent works in the overworld is: if on one frame in the overworld this value is non-zero, the game starts a battle with wCurOpponent as the opponent's ID. Thus, we write to that address, close the menu, and on the overworld frame that follows the menu's closing, the game starts the battle.

3. There are but OH BOY IT'S s**t. This game's text engine is a NIGHTMARE. I'd have to look back a bit at it (I had researched it for my SRAM hack), because it's very not obvious what you have to do. Give me a moment. A long one.

4. There's none, because the game's programming doesn't allow going past 99 ($63) items. Using DMA hijacking it may actually be possible, but good luck on this one.
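An added example (my code, not from the thread or the game) that assembles the item setups posted above into the bytes the bootstrap jumps to at $D322 and disassembles them back, covering Epsilon's Mewtwo code, Skeef's quantity-0 code, and the bag-slot addressing discussed in the replies; the item indices and the $D31E bag base are the standard Gen 1 values, assumed here, and the opcode table covers only the instructions used on this page.

```python
# Added example (not from the thread or the game): turn an 8F item setup into
# the GB-Z80 bytes the game executes, then disassemble the few opcodes used
# on this page to check the encoding. Item indices are the usual Gen 1 values.
WBAG_ITEMS = 0xD31E           # bag slot 1 item id; the bootstrap leaves hl = slot 3

ITEM_INDEX = {
    "Poké Ball": 0x04, "Thunderstone": 0x21, "Revive": 0x35,
    "Soda Pop": 0x3D, "Lemonade": 0x3E,
}
for n in range(1, 56):        # TM01 = $C9 (ret), TM02 = $CA, ... contiguous
    ITEM_INDEX[f"TM{n:02d}"] = 0xC8 + n

# opcode byte -> (mnemonic template, operand byte count); operands are little-endian
OPCODES = {
    0x04: ("inc b", 0), 0x21: ("ld hl,${:04X}", 2), 0x2B: ("dec hl", 0),
    0x35: ("dec (hl)", 0), 0x3D: ("dec a", 0), 0x3E: ("ld a,${:02X}", 1),
    0x77: ("ld (hl),a", 0), 0xC9: ("ret", 0), 0xEA: ("ld (${:04X}),a", 2),
}

def slot_address(slot):
    """(item id address, quantity address) of 1-based bag slot `slot`."""
    base = WBAG_ITEMS + 2 * (slot - 1)
    return base, base + 1

def encode(setup):
    """setup: [(item name, quantity), ...] for the slots after 8F and its filler."""
    out = bytearray()
    for name, qty in setup:
        if not 1 <= qty <= 255:   # a quantity of 0 cannot be entered normally
            raise ValueError(f"{name}: quantity {qty} cannot be held")
        out += bytes([ITEM_INDEX[name], qty])
    return bytes(out)

def disassemble(code):
    """Decode the bytes the way the CPU will, stopping at the first ret."""
    pc, lines = 0, []
    while pc < len(code):
        op = code[pc]
        mnem, n = OPCODES[op]     # KeyError: opcode outside this page's table
        arg = int.from_bytes(code[pc + 1:pc + 1 + n], "little")
        lines.append(mnem.format(arg))
        pc += 1 + n
        if op == 0xC9:            # execution returns here; later bytes are ignored
            break
    return lines

# Epsilon's "Rebattle Mewtwo" setup (bag slots 3-8) and Skeef's "0 of item 2"
# setup (slots 3-4), both as listed in this thread
MEWTWO = [("Lemonade", 1), ("Soda Pop", 4), ("Thunderstone", 95),
          ("TM16", 119), ("TM34", 192), ("TM13", 201)]
ZERO_ITEM2 = [("Poké Ball", 43), ("Revive", 201)]
```

Running disassemble(encode(MEWTWO)) reproduces Epsilon's listing instruction for instruction, and slot_address(2) shows why a single dec hl from $D322 lands on item 2's quantity byte.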

natanelho

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #657 on: July 27, 2017, 05:45:04 am »
1. I don't know. What's consistent, however, is the value of hl, because what most bootstraps essentially do is
Code:
ld hl, $D322
jp [hl]
(Most is actually "all but the glitched 3-Pokémon setup")

2. That's because codes interface with the game's engine. The way wCurOpponent works in the overworld is: if on one frame in the overworld this value is non-zero, the game starts a battle with wCurOpponent as the opponent's ID. Thus, we write to that address, close the menu, and on the overworld frame that follows the menu's closing, the game starts the battle.

3. There are but OH BOY IT'S s**t. This game's text engine is a NIGHTMARE. I'd have to look back a bit at it (I had researched it for my SRAM hack), because it's very not obvious what you have to do. Give me a moment. A long one.

4. There's none, because the game's programming doesn't allow going past 99 ($63) items. Using DMA hijacking it may actually be possible, but good luck on this one.
OK, thanks for the answers! About 2: so it basically uses the way the game was designed? OK, great. Is there a way to actually call a subroutine that starts a battle? It would be fun starting a battle in the middle of a battle... or stuff. IDK..
About 3: so is there an easier way to write text, and then clean it easily? By easily I mean not backing up the tile map and restoring it afterwards...

About the 3-Pokémon bootstrap you mentioned: if it doesn't jp to D322, how does it work then? Or does it just use another jp?

ISSOtm

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #658 on: July 27, 2017, 06:05:36 am »
There is a way to start a battle directly, but it's pointless to try nesting battles since the nested battle will overwrite the data for the nesting battle. So you'll end up finishing the nested battle twice.
The 3-Pokémon setup does jump to $D322, but it does so by directly writing the jump instruction, therefore leaving hl pointing at the party count (D1idon'tremember instead of D322)

Actually processing text shouldn't be too hard, you just have to call a proper offset, but figuring out what the hell to do was the hardest thing I ever did in this game.

Marv231

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #659 on: August 10, 2017, 03:49:31 am »
I use this S7 setup on my German Blue version for Catch 'em all.
But instead of encountering a Mew, level 5, it adds 5 Calzium at the end of my inventory.

S7
Any item (I have an Ultra Ball there)
Repel x21 (index no. for Mew)
Awakening x5
X Speed x69
Lemonade x201

I tried a few other Setups, that I found here, but they have the same effect or do nothing.
Is there a working Setup for my Game ?