Topic: Arbitrary code execution in Red/Blue using the "8F" item


TheZZAZZGlitch
  • Distinguished Member
  • Unknown opcode fc at 801a
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #840 on: October 01, 2018, 05:23:57 am »
There is a Daycare cloning script, which is easy to set up. Store the Pokemon you want to clone into the Daycare, take it out, use 8F, take it out again, repeat to infinity.

wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #841 on: October 01, 2018, 12:31:00 pm »
Quote
There is a Daycare cloning script, which is easy to set up. Store the Pokemon you want to clone into the Daycare, take it out, use 8F, take it out again, repeat to infinity.

The problem with that is the daycare reduces your pokemon's EXP to the bare minimum needed to be at a given level once you take it out, at least according to bulbapedia. Is there a way to remedy this EXP storage issue? If not, then the only advantage it has over just using the Catch Em All scripts is it presumably stores the mon's moves, which does help since what I need is an army of Mega Kick Snorlaxes, in the hopes that one of them has a speed IV of 0 on transfer for trick room purposes.

Quote
Something like ld hl,a16 ; ld a,(hl) ; sub d8 ; ld (hl),a will do the trick if you want to remove less than 256.

That'll work, since I only care about the last two digits of the EXP. What does that translate into in terms of items?
« Last Edit: October 01, 2018, 06:09:58 pm by wadusher »

Krys3000
  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #842 on: October 01, 2018, 12:48:00 pm »
Well, I don't have much time to work on it and test it, but I guess that, starting from item 3, if the Pokémon to edit is in the first slot of the PC,

Thunderstone x166
TM18 x126
TM14 x(Exp to remove)
Poké Ball x119
TM01 x[Any qty]

May remove (Exp to remove) from this Pokémon.

Corresponding ASM is
Code:
WRA1:D322 21 A6 DA         ld   hl,DAA6
WRA1:D325 7E               ld   a,(hl)
WRA1:D326 D6 01            sub  a,(Exp to remove)
WRA1:D328 04               inc  b
WRA1:D329 77               ld   (hl),a
WRA1:D32A C9               ret 

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #843 on: October 01, 2018, 12:58:20 pm »
Quote
Well, I don't have much time to work on it and test it, but I guess that, starting from item 3, if the Pokémon to edit is in the first slot of the PC,

Thunderstone x166
TM18 x126
TM14 x(Exp to remove)
Poké Ball x119
TM01 x[Any qty]

May remove (Exp to remove) from this Pokémon.

Corresponding ASM is
Code:
WRA1:D322 21 A6 DA         ld   hl,DAA6
WRA1:D325 7E               ld   a,(hl)
WRA1:D326 D6 01            sub  a,(Exp to remove)
WRA1:D328 04               inc  b
WRA1:D329 77               ld   (hl),a
WRA1:D32A C9               ret

Thanks, although I want to add EXP rather than remove it. Can I use some other item in place of TM14 to do that?

Krys3000
  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #844 on: October 01, 2018, 01:52:30 pm »
Then sub a,d8 has to be replaced by add a,d8 (hex: C6, which is HM03). It's annoying because you won't see its quantity. There are plenty of workarounds that you can think of to fix this, but I still think it's a better idea to make a code that replaces the exp's last byte by the value you want instead of adding to the current xp, don't you think?


wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #845 on: October 01, 2018, 02:03:39 pm »
Quote
Then sub a,d8 has to be replaced by add a,d8 (hex: C6, which is HM03). It's annoying because you won't see its quantity. There are plenty of workarounds that you can think of to fix this, but I still think it's a better idea to make a code that replaces the exp's last byte by the value you want instead of adding to the current xp, don't you think?

Ah, good point - HM03 would be iffy to work with, but I can simply shift its index to something that isn't a key item, manipulate the quantity to what I need, then shift it back to HM03. Or just have the HM03 item quantity be 1 and activate the script 9 times, since I only need exactly 9 EXP added. But yeah, replacing the byte instead of adding/subtracting is probably less of a hassle, so how would you go about that?
« Last Edit: October 01, 2018, 02:07:52 pm by wadusher »

Krys3000
  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #846 on: October 01, 2018, 02:33:13 pm »
What about this, to give (Exp) as the last byte of exp for stored Pokémon 1 in English games:

Thunderstone x166
TM18 x4
Max Revive x(Exp)
TM01 x[Any qty]

It translates into:

Code:
WRA1:D322 21 A6 DA         ld   hl,DAA6
WRA1:D325 04               inc  b
WRA1:D326 36 (Exp)         ld   (hl),(Exp)
WRA1:D328 C9               ret

On a much more theoretical note, if I understand correctly how conditional returns work, a code like this:

Code:
WRA1:D322 21 A6 DA         ld   hl,DAA6
WRA1:D325 01 2C 00         ld   bc,002C
WRA1:D328 3E (Exp)         ld   a,(Exp)
WRA1:D32A 16 (Nb)          ld   d,(Nb)
WRA1:D32C 77               ld   (hl),a
WRA1:D32D 09               add  hl,bc
WRA1:D32E 15               dec  d
WRA1:D32F C8               ret  z
WRA1:D330 C3 2C D3         jp   D32C

With (Nb) as the number of Pokémon to change in the box, would give that exp to this number of Pokémon starting with Pokémon 1. But in this form it would use many glitch items, so this is something that can be worked on.
« Last Edit: October 01, 2018, 02:34:56 pm by Krys3000 »

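Added example (mine, not code from any poster nor from GBZ80toItems): it turns a bag list into the bytes the game executes (each slot contributes its item ID and then its quantity) and steps through them with a tiny interpreter that models only the opcodes used in replies #842 and #846, so a setup's effect on memory can be checked before it is tried in-game. The item IDs and the 0xD322 start address are the ones the listings above rely on; the loop's bytes are copied from its hex listing, since no item list was given for it.

```python
# Added example, not from the thread: encode an 8F item list as the bytes the
# game runs (item ID, then quantity, per bag slot) and execute them with an
# interpreter covering only the GBZ80 opcodes this thread's setups use.
ITEM_ID = {"Thunderstone": 0x21, "TM18": 0xDA, "TM14": 0xD6, "Poké Ball": 0x04,
           "Max Revive": 0x36, "TM01": 0xC9}   # English Red/Blue IDs used above

def items_to_bytes(items):
    """[(name, qty), ...] -> code bytes, two per slot."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty & 0xFF))

def run(code, mem, base=0xD322, max_steps=2000):
    """Execute `code` placed at `base` (item 3's slot in the thread's setups)
    against `mem` (dict addr -> byte); returns mem once a ret is taken."""
    a = b = d = hl = bc = 0
    z, pc = False, base
    for _ in range(max_steps):
        i = pc - base; op = code[i]
        if op == 0x21: hl = code[i+1] | code[i+2] << 8; pc += 3        # ld hl,d16
        elif op == 0x01: bc = code[i+1] | code[i+2] << 8; pc += 3      # ld bc,d16
        elif op == 0x3E: a = code[i+1]; pc += 2                        # ld a,d8
        elif op == 0x16: d = code[i+1]; pc += 2                        # ld d,d8
        elif op == 0x36: mem[hl] = code[i+1]; pc += 2                  # ld (hl),d8
        elif op == 0x7E: a = mem.get(hl, 0); pc += 1                   # ld a,(hl)
        elif op == 0x77: mem[hl] = a; pc += 1                          # ld (hl),a
        elif op == 0xD6: a = (a - code[i+1]) & 0xFF; z = a == 0; pc += 2  # sub d8
        elif op == 0x04: b = (b + 1) & 0xFF; z = b == 0; pc += 1       # inc b
        elif op == 0x09: hl = (hl + bc) & 0xFFFF; pc += 1              # add hl,bc
        elif op == 0x15: d = (d - 1) & 0xFF; z = d == 0; pc += 1       # dec d
        elif op == 0xC8:                                               # ret z
            if z: return mem
            pc += 1
        elif op == 0xC3: pc = code[i+1] | code[i+2] << 8               # jp a16
        elif op == 0xC9: return mem                                    # ret
        else: raise ValueError(f"opcode {op:02X} at {pc:04X} not modelled")
    raise RuntimeError("step limit reached: the code never returned")

def set_exp_byte(exp):
    """Reply #846's first setup: overwrite the byte at DAA6 with `exp`."""
    return run(items_to_bytes([("Thunderstone", 166), ("TM18", 4),
                               ("Max Revive", exp), ("TM01", 1)]), {})

def set_exp_loop(exp, nb):
    """Reply #846's loop, taken from its hex listing (no item list was given):
    writes `exp` to `nb` addresses spaced 0x2C apart, starting at DAA6."""
    code = bytes([0x21, 0xA6, 0xDA, 0x01, 0x2C, 0x00, 0x3E, exp, 0x16, nb,
                  0x77, 0x09, 0x15, 0xC8, 0xC3, 0x2C, 0xD3])
    return run(code, {})
```

Reply #842's subtract setup runs the same way: feed its five slots to `items_to_bytes` and pass a `mem` that already holds a value at 0xDAA6.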

wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #847 on: October 01, 2018, 03:10:04 pm »
Alright, that first code worked perfectly, thanks. :)

What sort of glitch items are in the other script? If they're not the ones that force you to press B a bunch of times just to use your item menu, I can probably handle it.
« Last Edit: October 02, 2018, 01:10:31 am by wadusher »

Sherkel
  • Hierarchitectitiptitoploftical
  • Administrator
  • PSYNCIN' IN THE VaiN
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #848 on: October 02, 2018, 12:42:03 pm »
From the Big List:
You'd need 4 (RB:119) for the ld (hl),a instead of the Max Revive used for ld (hl),$xx, an in-bag Boulder Badge for dec d, and RB:195 for jp $xxyy. If I recall correctly, RB:119 requires a B press or two to scroll past.

Want to help with the wiki?
I don't have a habit of keeping Discord open, so direct inquiries are preferred through here.

wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #849 on: October 02, 2018, 03:31:42 pm »
Quote
From the Big List:
You'd need 4 (RB:119) for the ld (hl),a instead of the Max Revive used for ld (hl),$xx, an in-bag Boulder Badge for dec d, and RB:195 for jp $xxyy. If I recall correctly, RB:119 requires a B press or two to scroll past.

So that's the only unterminated name glitch item in the code? If so I can just obtain it last, after getting the rest of the items, which isn't a big deal. Speaking of which, what items are the rest of the code made of?
« Last Edit: October 02, 2018, 04:31:22 pm by wadusher »

Krys3000
  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #850 on: October 02, 2018, 11:26:18 pm »
You can easily answer that by copying my code into GBZ80toitems.

But I've never done conditional returns before, so I'm not sure it will work. Given enough time I could try it.


wadusher
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #851 on: October 03, 2018, 12:19:44 am »
Quote
You can easily answer that by copying my code into GBZ80toitems.

That website seems to be broken - no matter what I paste into the input box, the corresponding items box always tells me to type something in the input box. The compile button also doesn't do anything - the corresponding item box does not change and I get this error message after pasting your second code in.

Code:
codeElem.innerText is undefined (line 1635)
Stack trace :
compile@https://eldred.fr/gbz80toitems3/compiler.js:1635:3
@https://eldred.fr/gbz80toitems3/compiler.js:1879:4
n.event.dispatch@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:12392
n.event.add/r.handle@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:9156

Krys3000
  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - French Pokémon glitch website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #852 on: October 03, 2018, 06:38:51 am »
You need to remove the addresses in order to make it work. It just accepts opcodes.

In other words,




Sherkel
  • Hierarchitectitiptitoploftical
  • Administrator
  • PSYNCIN' IN THE VaiN
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #853 on: October 03, 2018, 10:16:54 am »
Quote
You can easily answer that by copying my code into GBZ80toitems.
It seems to refer directly to the Big List and not lose count like I do, so that's a good tool. :)


ISSOtm
  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
  • My Little Website
Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #854 on: October 03, 2018, 10:39:23 am »
Quote
You can easily answer that by copying my code into GBZ80toitems.

That website seems to be broken - no matter what I paste into the input box, the corresponding items box always tells me to type something in the input box. The compile button also doesn't do anything - the corresponding item box does not change and I get this error message after pasting your second code in.

Code:
codeElem.innerText is undefined (line 1635)
Stack trace :
compile@https://eldred.fr/gbz80toitems3/compiler.js:1635:3
@https://eldred.fr/gbz80toitems3/compiler.js:1879:4
n.event.dispatch@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:12392
n.event.add/r.handle@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:9156
Oh crap dang s**t oh no shoot, an internal error. Luckily it's been reported properly, I could try debugging it. :p
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)