Arbitrary code execution in Red/Blue using the "8F" item
Posted by: TheZZAZZGlitch
Date: 2013-04-25 08:57:48
[size=12pt]WHAT'S 8F?[/size]
8F is a Red/Blue equivalent of JP Red/Green's 5 - an item executing machine code starting from $D163 (Number of Pokemon) upon use. Its hex identifier is 0x5D, despite its hex-like name. 8F is treated by the game as a key item and it can't be tossed away or sold in the mart.
As address $D163 contains re-writeable data, it is possible to redirect the instruction pointer to the item list with relative jumps and easily run arbitrary code just by spelling the opcodes with items. With enough items, one could also make a program that reads key input continuously, writes it somewhere in the RAM and jumps to it after a while, allowing to even run your own homebrew software.
[size=12pt]HOW TO OBTAIN IT:[/size]
[size=12pt]OBTAINING 8F USING ITEM COUNTER UNDERFLOW GLITCH:[/size]
PREREQUISITES:
- Access to any event that removes an item from your inventory (Saffron guards, handing out a fossil in Cinnabar Lab, etc.)
- A following item list:
Any item x[Any qty]
X Special x255
Item you need to give away x1
If you don't have access to any item-removing event, you can still do the "dry variation" of the glitch, by following the steps described here.
EXECUTION:
1. Toss the first item. It should change to X Special x255
2. Continue tossing the first item until the item menu "stops responding"
3. Trigger an event that removes the item from your inventory
4. Now, you should have 255 items with you. Go to the eastmost corner of Celadon City:
[img]http://i34.tinypic.com/2me4qdl.png[/img]
5. Toss 254 of your X Specials. Then swap the 'X Special x1' with 'Nugget x1' (35th item)
6. Try walking to the right - the map should now loop back to the left side of Celadon City. The amount of steps you take to the right determines the item you will get, so position yourself properly to obtain 8F. Swap it with the first item, then fly back to Celadon.
7. Store one of your newly acquired glitch items into the PC. Then buy any 3 items to bring your inventory back to normal.
A video of this method (makes it a lot easier to understand): http://www.youtube.com/watch?v=98_azamLeh4
[size=12pt]OBTAINING 8F USING INVALID ENCOUNTER FLAGS (OBSOLETE):[/size]
PREREQUISITES:
- A Ditto with a Cooltrainer move, nicknamed "R:u"
- At least 1 Escape Rope
- Good Rod on your 4th item slot
- Exactly 10 Pokemon in your current box (this tremendously increases the chances of Cooltrainer move working properly)
- Preferably a Bicycle, to make things a little bit faster.
EXECUTION:
1. Heal your Pokemon in Fuchsia City's Pokemon Center.
2. Do the Safari Zone walk through walls glitch, with only Ditto in your party.
3. After you appear back at the Fuchsia City's Center with noclip activated, walk exactly:
a) 19 steps west
b) 28 steps north
c) 1 step west
d) 29 steps north
e) 11 steps east
4. Open your Pokemon menu and close it (important). You may want to use bicycle now to travel faster - you won't be able to do this later.
5. Go 11 steps west and keep walking south until you find yourself back on Route 18. Do not open your Start menu from now on.
6. Walk/bike to Seafoam Islands and enter the cave.
7. Encounter a wild Pokemon, and continuously try to use the Cooltrainer move. If it does not work after about 15 tries, quit the battle and start a new one. Do not open your Pokemon menu, Item menu or Start menu at all!
8. Eventually, the music will fade out, the move typing will become blank, and name of the opponent will get changed. Catch the resulting Pokemon - the game will state you caught a "98", and your Good Rod will turn into an 8F.
9. Use an Escape Rope, as there's a slight chance the game will crash after exiting the cave normally.
[size=12pt]OBTAINING 8F WITH A CORRUPTED ITEM PACK (OBSOLETE):[/size]
This method is not recommended - it has a lot of side effects and is terribly complicated. Use it only when any other method does not seem to work for you.
PREREQUISITES:
- A Pokemon on the first slot meeting very specific requirements:
> It needs to have a Super Glitch as a 4th move
> Its three moves besides the Super Glitch have to contain 25 characters in total
> One of its three moves needs to be 4 characters long
> This Pokemon needs to be able to learn Mega Kick through TM05
An example: ?L ||?M 4 (hex C6) with moves Body Slam, TM50, Quick Attack, [Super Glitch]
- Any Pokemon on the second slot you don't care about, nicknamed "cccccccc". It will be gone in the process, so don't use your L100 Charizard.
- A Pokemon on the third slot knowing Fly.
- Exactly 3 useless items in your Bag. They will get destroyed again, so don't pick anything important.
- TM05 (Mega Kick), deposited in the PC
- At least one free space in the PC to store your obtained 8F
- An empty Pokemon box currently selected, most likely box 12
SIDE EFFECTS:
Sadly, those side effects are actually quite annoying. But also, happily enough, one can fix them with 8F's arbitrary code execution.
1. Your player name will become blank (the game will save just fine though). However, with 8F's arbitrary code execution capabilities, one can change his name back to something nice.
2. Lower 5 Pokedex bytes will become corrupted, displaying some yet unseen species as caught. There's no easy way to fix this, but it's not a big deal unless you care about your Pokedex progression.
3. Your Pokemon box may get to a state where trying to release the glitch Pokemon inside will crash the game. This side effect does not happen every time, but if it does, again, this can be fixed with 8F's arbitrary code execution.
EXECUTION:
http://www.youtube.com/watch?v=Sw0h7ImFsAs
[size=12pt]BOOTSTRAPPING:[/size]
8F won't do anything amazing by itself. In order to make it execute code from $D322 (third item), we need to use the party Pokemon to spell out a short program. This program will redirect the instruction pointer to the item pack, so that the effects of 8F become easier to control. This process is referred to as bootstrapping.
There are several bootstrapping configurations that are easier or harder to set up. Below I listed the most commonly used ones.
Pigdevil2010's Pokémon Red/Blue 8F 5-Pokémon 233 HP bootstrap (recommended)
[tt]1. Exactly 5 Pokémon in the party [0xD163 = 0x05]
2. Pidgey as the first Pokémon [0xD164 = 0x24]
3. Parasect as the second Pokémon [0xD165 = 0x2E]
4. Onix as the third Pokémon [0xD166 = 0x22]
5. Tentacool as the fourth Pokémon [0xD167 = 0x18]
6. Kangaskhan as the fifth Pokémon [0xD168 = 0x02]
7. First Pokémon's current HP has to be exactly 233 [0xD16D = 0xE9][/tt]
TheZZAZZGlitch's Pokémon Red/Blue 8F 6-Pokémon 233 Attack bootstrap (outdated, but still popular)
[tt]1. Exactly 5 Pokémon in the party [0xD163 = 0x05]
2. Onix as the first Pokémon [0xD164 = 0x22]
3. Pidgey as the second Pokémon [0xD165 = 0x24]
4. Tentacool as the third Pokémon [0xD165 = 0x18]
5. Meowth as the fourth Pokémon [0xD166 = 0x4D]
6. 24 PP left on the second Pokémon's second move w/ 0 PP Ups used [0xD1B5 = 0x18]
7. 21 PP left on the second Pokémon's third move w/ 1 PP Up used [0xD1B6 = 0x55]
8. 36 PP left on the fourth Pokémon's first move w/ 0 PP Ups used [0xD20C = 0x24]
9. 24 PP left on the fourth Pokémon's second move w/ 0 PP Ups used [0xD20D = 0x18]
10. 20 PP left on the fourth Pokémon's third move w/ 0 PP Ups used [0xD20E = 0x14]
11. Double Team as the fifth Pokémon's first move [0xD223 = 0x68]
12. Double Kick as the fifth Pokémon's second move [0xD224 = 0x18]
13. Strength as the fifth Pokémon's third move [0xD225 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233 [0xD26C = 0xE9][/tt]
Super-compressed 3-Pokémon setup (problematic because of hex D3 glitch Pokémon, which can be difficult to obtain; also, some item lists do not work with this setup)
[tt]1. Exactly 6 Pokémon in the party [0xD163 = 0x06]
2. Hex C3 glitch Pokémon as the first Pokémon [0xD164 = 0xC3]
3. Onix as the second Pokémon [0xD165 = 0x22]
4. Hex D3 glitch Pokémon as the third Pokémon [0xD166 = 0xD3][/tt]
There are other versions of the game (Yellow and foreign language localizations of R/B) where items similar to 8F exist. Most notable is the 'ws m' item in Yellow, which executes code starting from the current PC Pokémon storage box. For your convenience, here are several bootstrapping setups for Yellow:
Pigdevil2010's Pokémon Yellow 'ws m' 10-Pokémon 233 HP bootstrap (recommended)
TheZZAZZGlitch's Pokémon Yellow 'ws m' 20-Pokémon 233 HP bootstrap (also recommended, since a lot of the Pokémon on the list are Geodudes and Slowpokes, which are easy to catch)
Pigdevil2010's Pokémon Yellow 'ws m' 19-Pokémon bootstrap
[size=12pt]USING 8F TO OUR ADVANTAGE[/size]
Well, now we're done with all those preparations, let's try to actually do something with this item! Below I present some examples of what is possible.
[size=12pt]"CATCH 'EM ALL" SCRIPT[/size]
This is just K)ry's ASM for JP Red/Green ported on the international release. With those items, 8F will act like an item that forces a Pokemon encounter based on the quantity of item #1, allowing to catch all 151 Pokemon easily.
Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=782s
ITEM LIST (starting from the first slot):
[tt]* Preferably Master Balls
* 8F
TM50 x31
TM11 x4
TM34 x89
TM08 x201[/tt]
ASM:
WRA1:D322 FA 1F D3 ld a,(D31F)
WRA1:D325 04 inc b
WRA1:D326 EA 59 D0 ld (D059),a
WRA1:D329 C9 ret [size=12pt]ALTERNATIVE CATCH 'EM ALL[/size]
This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.
Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.
Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s
ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
Repel x[SpeciesIndex]
X Speed x14
Ultra Ball x64
TM05 x72
Lemonade x201[/tt]
ASM:
WRA1:D322 1E 20 ld e,[SpeciesIndex]
WRA1:D324 43 ld b,e
WRA1:D325 0E 02 ld c,02
WRA1:D327 40 ld b,b
WRA1:D328 CD 48 3E call 3E48
WRA1:D32B C9 ret [size=12pt]CHANGE THE PLAYER'S NAME[/size]
With this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.
Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s
ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM50 x181
TM10 x64
TM34 x88
TM09 x46
Calcium x52
X Accuracy x35
Full Heal x201[/tt]
ASM:
WRA1:D322 FA B5 D2 ld a,(D2B5)
WRA1:D325 40 ld b,b
WRA1:D326 EA 58 D1 ld (D158),a
WRA1:D329 2E 27 ld l,27
WRA1:D32B 34 inc (hl)
WRA1:D32C 2E 23 ld l,23
WRA1:D32E 34 inc (hl)
WRA1:D32F C9 ret [size=12pt]CHANGE THE SECOND ITEM[/size]
This easy code uses only 3 basic items, and it increases the first item's index by 1 every time 8F is used. You can obtain normally unobtainable items, glitch items or TMs so you can do other item configurations described.
Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=974s
ITEM LIST (starting from the first slot):
[tt]* 8F
* Item you want to morph
Burn Heal x43
Ice Heal x43
Full Heal x201[/tt]
ASM:
WRA1:D322 0C inc c
WRA1:D323 2B dec hl
WRA1:D324 0D dec c
WRA1:D325 2B dec hl
WRA1:D32A 34 inc (hl)
WRA1:D32B C9 ret [size=12pt]WALK THROUGH WALLS[/size]
Jump off a ledge after using 8F to walk through walls.
http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1020s
ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM34 x20
TM15 x201[/tt]
ASM:
WRA1:D322 EA 14 D7 ld (d714),a
WRA1:D325 C9 ret[size=12pt]ESCAPE FROM A TRAINER BATTLE[/size]
This turns 8F into an item which allows escaping from any battle, including trainer battles.
http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1048s
ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM34 x120
TM08 x201[/tt]
ASM:
WRA1:D322 EA 78 D0 ld (d078),a
WRA1:D325 C9 ret[size=12pt]CLEAR A POKEMON BOX[/size]
When 8F was first discovered, the method of obtaining it had a slight chance to corrupt Pokemon at the PC box, causing crashes when trying to release/withdraw them. One can either deal with it and switch to another box, or make the box empty with this item configuration.
Switch to the corrupted box, use 8F, done. Be careful though, you don't probably want to clear the box with your L100 legendaries.
Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=1104s
ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
Lemonade x1
Soda Pop x64
TM34 x128
TM18 x201[/tt]
ASM:
WRA1:D322 3E 01 ld a,01
WRA1:D324 3D dec a
WRA1:D325 40 ld b,b
WRA1:D326 EA 80 DA ld (da80),a
WRA1:D329 C9 ret[size=12pt]BUT WAIT, THERE'S MORE![/size]
Possibilities with 8F are unlimited. Here are some other item lists, posted by different people throughout the years (wow, this glitch is 3 years old now? I didn't realize).
Pseudo-GameShark (aka change any byte in RAM to any value) (by Wack0)
Instant Hall of Fame (by Wack0)
Pokémon Yellow US - play Pikachu's Beach (by Wack0)
Change OT of the first slot Pokémon (by blahpy)
Perpetually resetting save file (by Wack0)
Max stat Exp and DVs (by eironeia)
Set debug mode flag (by Rena)
Get 255 of second item (by lowena)
Daycare Pokémon cloning (by Skeef)
Set/unset badges (by Skeef)
Change a Pokémon's typing (by hashtag)
Reusable RAM writer (by Torchickens)
Make Pokémon shiny when traded to Gen II (by Krys3000 & thelinekioubeur)
List last updated on: 2016-07-04
[size=12pt]ENDING REMARK: BIG ITEM QUANTITIES?[/size]
All of those item lists will have at least one item with quantity bigger than 99. Obviously, it's possible to obtain those big quantities using the Missingno. item duplication glitch (duplicating a 99 item stack will result in a 227 item stack).
However, the numbers bigger than 9 are represented with glitch blobs, so it's normally impossible to read how many items you actually have. This short image guide below will help you with reading quantities of those big item stacks.
[img]http://i38.tinypic.com/2d8jgqg.png[/img]
* This image uses the Pokemon Center tileset