Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 2

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2013-04-27 12:40:50
The character before the MN symbol counts, not the one after.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-04-27 12:58:41
Doing arbitrary code execution stuff, forgetting how the classic old man glitch works :P
But even when I take the character before as the level byte, I still keep getting the same roster.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-04-27 14:08:07

Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).


Well, that's amazing. However, it still requires having a right name. Also, no matter which roster (letter after the MN symbol) I try, Prof. Oak will throw a " 8" (hex C9) out. Maybe this roster on the video has something to do with that Rocket in Silph Co. the author of the video fought previously and lost to?


The second/fourth/sixth letters only change the wild Pokémon levels, not the Trainer rosters. Roster numbers are normally determined by the memory address D05D. The reason why " 8" (hex C9) is sent out as the first Pokémon is because the game doesn't update D05D with coast-glitch Trainers so the game loads roster 256 (00) if you haven't fought a previous Trainer.

In order to get Professor Oak to have a 94, you must get the game to load roster 28h. The Rocket on Silph Co. 11F just happens to use Rocket roster 28h. You don't have to lose to him to get the roster into memory, you can beat him too.


Anyways, thank you for all that information on encounter flags - maybe I will be able to use this to shorten up my first obtainment method.


You're welcome.


Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)


I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-04-27 14:46:53

Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).


I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-04-27 15:13:04


Due to having an invalid encounter flag, 94 and 94h's Pokédex number #213 means that they add 16 to the fourth item identifier provided that it is not $X4 $X5 $X6 $X7 $XC $XD $XE $XF. If you put a Good Rod in the fourth position, and then use this glitch or the Cable Club escape glitch with a 94 or 94h, you can easily turn your Good Rod (4Dh) into an 8F (5Dh).


I assume this could also be done with RB:E8, RB:E2 and RB:E5, which have dex #245, and therefore do the same thing but to the sixth slot?


In theory they should, however all the Pokémon you mention froze the game when I got them to appear on the opponent's side. You'd need to do the Cable Club blackout glitch in combination with the Johto guard glitch (or maybe the remaining HP glitch) to get them to appear as well.

The only known item mutation glitch Pokémon (when Paco81 and I researched them on the temporary forums) that can be seen without the Cable Club blackout glitch are 94 #213 (via Prof Oak roster 28h) and p PkMnp' ' #230 in Yellow which can be seen via the Ditto glitch with a Special stat of 194.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Vuroja5
Date: 2013-04-27 15:53:46
This must be the most significant discovery since the Mew glitch. You've enabled nearly all the useful Select button glitches for use on Red/Blue. Great job TheZZAZZGlitch.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2013-04-28 00:17:32


Few glitched rosters can be found by the Ditto trick. (2, to be exact, without the use of a Pokemon with Swords Dance)


I don't know what you mean. You can access 6 unique glitch rosters with Lance (as the roster number starts at 7 and can be reduced with Growls), and more with glitch Trainer classes (though they activate the ZZAZZ glitch).

In total this comes to 6 + 7*9 = 69 rosters.

I was too sleepy to think well. :-[
Yes, you can access 6 glitch rosters with Lance (02h - 07h). However, encountering ZZAZZ glitch trainers doesn't result in fighting the actual roster. The game fetches other data from elsewhere and replaces the roster during the blackout time. For instance, opening the Fly menu before the encounter makes the glitch entirely different.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheDarkAce
Date: 2013-04-28 09:37:26

Will it work on Yellow?


The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it.


Surely you can use p PKMN p to get the glitch item ws m?
Can't remember how p PKMN p works though.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-04-28 11:04:14
Actually, if I think more about it, doing it in Yellow is even easier than on Red/Blue.

Encountering p PkMn p' ' in Yellow will add 32 to the identifier of the fifth slot in bag if the item does not have one of the following hexadecimal identifiers: $2X $3X $6X $7X $AX $BX $EX $FX. Having X Speed on the fifth slot and encountering p PkMn p' ' is enough to get "ws m".

Also, bootstrapping code for "ws m" is a lot easier to deploy, as it only relies on Pokemon in the current box, and no specific moves/PP values/stats are needed. The requirements to make "ws m" execute code from 3rd item slot are as follows:

1.  20 Pokémon in your PC box                                        [0xDA7F = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                [0xDA80 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                [0xDA81 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                [0xDA82 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                [0xDA83 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                [0xDA84 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                [0xDA85 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                 [0xDA86 = 0x06]
9.  Growlithe as the 8th Pokémon in the current PC box               [0xDA87 = 0x21]
10. Jolteon as the 9th Pokémon in the current PC box                 [0xDA88 = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                [0xDA89 = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                [0xDA8A = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                [0xDA8B = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                [0xDA8C = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                [0xDA8D = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box                [0xDA8E = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box                [0xDA8F = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                [0xDA90 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                [0xDA91 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                [0xDA92 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                [0xDA93 = 0x06]
:: END OF LIST MARKER [0xFF]                                         [0xDA94 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                [0xDA95 = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                    [0xDA96 = 0x00]
                                               +-                    [0xDA97 = 0xE9]

ASM:
; initial value of hl = DA7F
WRA1:DA7F 14       inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA80 25       dec  h      ; hl = D97F
WRA1:DA81 25       dec  h      ; hl = D87F
WRA1:DA82 25       dec  h      ; hl = D77F
WRA1:DA83 25       dec  h      ; hl = D67F
WRA1:DA84 25       dec  h      ; hl = D57F
WRA1:DA85 25       dec  h      ; hl = D47F
WRA1:DA86 06 21    ld   b,21   ; Growlithe: b = 21
WRA1:DA88 68       ld   l,b    ; hl = D421
WRA1:DA89 A9       xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8A A9       xor  c
WRA1:DA8B A9       xor  c
WRA1:DA8C A9       xor  c
WRA1:DA8D A9       xor  c
WRA1:DA8E A9       xor  c
WRA1:DA8F A9       xor  c
WRA1:DA90 A9       xor  c
WRA1:DA91 A9       xor  c
WRA1:DA92 A9       xor  c
WRA1:DA93 06 FF    ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA95 25       dec  h      ; hl = D321
WRA1:DA96 00       nop
WRA1:DA97 E9       jp   hl     ; continue executing at D321 (identifier of item 3)


Note: All tricks from Red/Blue with the exception of "changing the second item" won't work in Yellow, as the addresses are different. They need to be modified in order to work.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-04-28 12:45:44
That's cool. Nice work.

Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-04-29 11:16:27
Now, I wonder if there is a similar item in JP Yellow, and in fr/de/es/it RBY.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: IceMans
Date: 2013-04-29 11:34:14
Interesting, nice to hear that this can be done in Yellow as well as Red and Blue.
Can't wait to try this :P

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Blaziken257
Date: 2013-04-29 22:42:01
This is all impressive, but there's one thing that's been puzzling me…

As for walking through walls and escaping from a trainer battle, it involves storing whatever is in register A into a memory address. However, what value does A happen to be when executing this code? A is never modified in the bootstrap code, and I don't see it anywhere else, either. Or am I missing something?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-04-29 23:26:51
When execution gets to the item list, registers are guaranteed to have the following values initially:

Red/Blue:

af = 6300 [a=63, f=00]
bc = 22B8
de = 0001 [d=00, e=01]
hl = D322 [h=D3, l=22]

Yellow:

af = 7F40 [a=7F, f=40]
bc = FFC4
de = 0101 [d=01, e=01]
hl = D321 [h=D3, l=21]

Note in Yellow D323 is the identifier of item 4, not item 3. You could replace step 9 with having Growlithe (21h) as the 8th Pokémon instead of Fearow (23h) to get b = 21 (where D321 = item 3).

That was a mistake, thank you for pointing that out.

Edit: Thanks to Torchickens and his information about encounter flags, I have found a new, easier and side-effect-less method of obtaining 8F in Red/Blue. It does not require having a specific name, unlike the previous Prof. Oak's glitch roster method.

Video: http://www.youtube.com/watch?v=WD_GVaQwn8o
Instructions/requirements/execution steps can be found in the first post in this thread.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-04-30 11:08:39
Well, just decided to quickly code something for 8F…

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM you want to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
D322: 3E xx     ld   a,xx    ; Lemonade, quantity xx = new byte value
D324: 2E xx     ld   l,xx    ; X Accuracy, quantity xx = low byte of address
D326: 26 xx     ld   h,xx    ; Carbos, quantity xx = high byte of address
D328: 04        inc  b       ; Poké Ball (item 04)
D329: 77        ld   (hl),a  ; quantity 119 (77h): write the byte
D32A: 3C        inc  a       ; Fresh Water (item 3C)
D32B: C9        ret          ; quantity 201 (C9h): return to the game


So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one I tested it with – on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)
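An added check for the two listings in this thread (TheZZAZZGlitch's Yellow PC-box bootstrap and Stackout's "change any byte" item list), written for this archive and not code from either poster: a Python interpreter covering only the Game Boy CPU opcodes those two listings use. The item identifiers (3E, 2E, 26, 04, 3C), species indices (25, 06, 21, 68, A9, and 23 for Fearow), start addresses (DA7F and D322) and entry register values are the ones stated in the posts above; nothing else about the games is assumed. It confirms that the Growlithe (21h) box lands on D321 while the Fearow (23h) box Torchickens pointed out lands on D323, and that the item list for 011559D0 writes 15h to D059 and then returns.

```python
# Added example (not from the thread): a minimal interpreter for the few Game Boy
# CPU (SM83) opcodes used by the two listings above, so that a byte sequence built
# out of box Pokémon or bag items can be checked before it is tried in-game.

# Item identifiers, exactly as the "change any byte" listing decodes them.
ITEM_LEMONADE, ITEM_X_ACCURACY, ITEM_CARBOS = 0x3E, 0x2E, 0x26
ITEM_POKE_BALL, ITEM_FRESH_WATER = 0x04, 0x3C
# Internal species indices, as given in the Yellow PC-box listing.
SLOWPOKE, VOLTORB, GROWLITHE, JOLTEON, GEODUDE = 0x25, 0x06, 0x21, 0x68, 0xA9
FEAROW = 0x23  # the species Torchickens pointed out as the original mistake

# Box order from the listing: 20 Pokémon occupying 0xDA80..0xDA93.
YELLOW_BOX = (SLOWPOKE,) * 6 + (VOLTORB, GROWLITHE, JOLTEON) + (GEODUDE,) * 10 + (VOLTORB,)


class SM83Subset:
    """Executes only the opcodes the thread's listings use; anything else is an error."""

    def __init__(self, mem, pc, hl, a=0, bc=0, de=0):
        self.mem, self.pc, self.a = mem, pc, a
        self.b, self.c = bc >> 8, bc & 0xFF
        self.d, self.e = de >> 8, de & 0xFF
        self.h, self.l = hl >> 8, hl & 0xFF
        self.exit = None  # "ret" or "jp hl" once control leaves the listing

    @property
    def hl(self):
        return (self.h << 8) | self.l

    def _fetch(self):
        byte = self.mem[self.pc]
        self.pc += 1
        return byte

    def step(self):
        op = self._fetch()
        if op == 0x00: pass                                 # nop
        elif op == 0x04: self.b = (self.b + 1) & 0xFF       # inc b
        elif op == 0x06: self.b = self._fetch()             # ld b,n
        elif op == 0x14: self.d = (self.d + 1) & 0xFF       # inc d
        elif op == 0x25: self.h = (self.h - 1) & 0xFF       # dec h
        elif op == 0x26: self.h = self._fetch()             # ld h,n
        elif op == 0x2E: self.l = self._fetch()             # ld l,n
        elif op == 0x3C: self.a = (self.a + 1) & 0xFF       # inc a
        elif op == 0x3E: self.a = self._fetch()             # ld a,n
        elif op == 0x68: self.l = self.b                    # ld l,b
        elif op == 0x77: self.mem[self.hl] = self.a         # ld (hl),a
        elif op == 0xA9: self.a ^= self.c                   # xor c
        elif op == 0xC9: self.exit = "ret"                  # ret: back to the game
        elif op == 0xE9: self.exit, self.pc = "jp hl", self.hl
        else: raise ValueError(f"unmodelled opcode {op:02X} at {self.pc - 1:04X}")

    def run(self, limit=64):
        while self.exit is None and limit:
            self.step()
            limit -= 1
        if self.exit is None:
            raise RuntimeError("listing did not end in ret or jp hl")
        return self.exit


def yellow_box_image(species, first_mon_hp):
    """Bytes the current box occupies from 0xDA7F in Yellow: count, species list,
    0xFF terminator, then the first Pokémon's own record (species, HP high, HP low)."""
    return bytes([len(species), *species, 0xFF, species[0],
                  first_mon_hp >> 8, first_mon_hp & 0xFF])


def run_yellow_bootstrap(species=YELLOW_BOX, first_mon_hp=233):
    """Return the address 'ws m' hands control to after the box bootstrap runs."""
    mem = bytearray(0x10000)
    image = yellow_box_image(species, first_mon_hp)
    mem[0xDA7F:0xDA7F + len(image)] = image
    cpu = SM83Subset(mem, pc=0xDA7F, hl=0xDA7F)  # the post states hl = DA7F on entry
    assert cpu.run() == "jp hl"
    return cpu.pc


def gameshark_to_bag(code):
    """Items 3-7 for Stackout's listing, from a GameShark code 01VVLLHH
    (VV = new byte, LLHH = little-endian RAM address)."""
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("expected an 01xxxxxx GameShark code")
    value, low, high = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [(ITEM_LEMONADE, value), (ITEM_X_ACCURACY, low), (ITEM_CARBOS, high),
            (ITEM_POKE_BALL, 0x77), (ITEM_FRESH_WATER, 0xC9)]


def run_rb_poke(code):
    """Lay the items out from item 3 (0xD322 in Red/Blue), run, and report how the
    listing exited, which address it wrote, and what that address now holds."""
    bag = gameshark_to_bag(code)
    mem = bytearray(0x10000)
    for slot, (item_id, qty) in enumerate(bag):
        mem[0xD322 + 2 * slot] = item_id
        mem[0xD323 + 2 * slot] = qty
    # Register values on entry to the item list, as stated in the thread for Red/Blue.
    cpu = SM83Subset(mem, pc=0xD322, hl=0xD322, a=0x63, bc=0x22B8, de=0x0001)
    how = cpu.run()
    target = (bag[2][1] << 8) | bag[1][1]
    return how, target, mem[target]


if __name__ == "__main__":
    print(f"Yellow bootstrap jumps to {run_yellow_bootstrap():04X}")
    fearow_box = list(YELLOW_BOX)
    fearow_box[7] = FEAROW
    print(f"...with Fearow as the 8th Pokémon: {run_yellow_bootstrap(fearow_box):04X}")
    how, addr, val = run_rb_poke("011559D0")
    print(f"Red/Blue item list: {how}, wrote {val:02X} to {addr:04X}")
```

The interpreter deliberately stops at `ret` and `jp hl` instead of modelling the stack or the game's code: what a listing does after it leaves the bag or box bytes is exactly what you cannot check offline, and the `xor c` lines show why the filler opcodes are chosen to touch nothing the jump depends on.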