Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 12

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Quibz
Date: 2015-05-21 20:49:36
I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-05-22 12:12:16

I was messing around with WS M and found something new that works with it. Every time you use it, it increases the quantity of the second item in your inventory by one.

WS M
(Item you want to increase quantity of)
Ice Heal x43 or Burn Heal x43 (Both seem to work)
Full Heal x201

I'm not an expert at programming, so I don't know if this might have some side effects that make it not worth it, but it works for me, so I thought I'd put it here. Does anyone know if it would have side effects? It would be really useful if it didn't because you could clone items without having to encounter Missingno.


In hex this is: (0C/0D) 2B 34 C9

and in gb asm (which I helpfully commented):

inc c / dec c   ; does nothing useful
dec hl          ; decrease hl - it did contain a pointer to item #3 index*, it now contains a pointer to item #2 quantity
inc [hl]        ; increase the memory address pointed to by hl - in this case item #2 quantity
ret


* All bootstrap code to jump to item #3 that I've seen puts <address of item #3> in hl and then does jp hl.

If you had Ice Heal x43, Burn Heal x43, Full Heal x201 it'd increase the index number of item #2.
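As an added illustration (not code from the thread), the following Python lays out a Red/Blue bag the way the post reads it (wNumBagItems, then id/quantity pairs) and emulates only the five opcodes Stackout decoded, starting with both pc and hl at item #3's index byte. Item IDs for Burn Heal, Ice Heal and Full Heal are the standard Red/Blue values; WS M's ID of 0x63 is an assumption made for the demo.

```python
# Added example: encode a Gen 1 bag as bytes and step the handful of opcodes
# the post decodes (0C inc c, 0D dec c, 2B dec hl, 34 inc [hl], C9 ret).
ITEM_ID = {"WS M": 0x63,  # assumed glitch-item ID for this demo
           "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Full Heal": 0x34}
BAG_BASE = 0xD31D          # wNumBagItems in English Red/Blue (from the thread)

def build_bag(items):
    """Return a 64 KiB memory image holding wNumBagItems, id/qty pairs, then 0xFF."""
    mem = bytearray(0x10000)
    mem[BAG_BASE] = len(items)
    for i, (name, qty) in enumerate(items):
        mem[BAG_BASE + 1 + 2 * i] = ITEM_ID[name]
        mem[BAG_BASE + 2 + 2 * i] = qty
    mem[BAG_BASE + 1 + 2 * len(items)] = 0xFF
    return mem

def run_from_item3(mem, max_steps=32):
    """Emulate the modelled opcodes; pc and hl both start at item #3's index byte."""
    pc = hl = BAG_BASE + 1 + 2 * 2
    c = 0
    for _ in range(max_steps):
        op = mem[pc]; pc += 1
        if op == 0x0C: c = (c + 1) & 0xFF              # inc c
        elif op == 0x0D: c = (c - 1) & 0xFF            # dec c
        elif op == 0x2B: hl = (hl - 1) & 0xFFFF        # dec hl
        elif op == 0x34: mem[hl] = (mem[hl] + 1) & 0xFF  # inc [hl]
        elif op == 0xC9: return pc - 1                 # ret: address of the C9 byte
        else: raise ValueError(f"opcode {op:02X} at {pc - 1:04X} is not modelled")
    raise RuntimeError("no ret reached")

def item(mem, n):
    """(id, qty) of bag slot n, 1-based."""
    off = BAG_BASE + 1 + 2 * (n - 1)
    return mem[off], mem[off + 1]

def clone_demo():
    """Quibz's list: item #3 onward is 0D 2B 34 C9, so item #2's quantity goes up by one."""
    bag = build_bag([("WS M", 1), ("Full Heal", 5), ("Ice Heal", 43), ("Full Heal", 201)])
    run_from_item3(bag)
    return item(bag, 2)   # (0x34, 6)

def index_demo():
    """Stackout's variant in slots 3-5: 0D 2B 0C 2B 34 C9 walks hl back twice, hitting item #2's index."""
    bag = build_bag([("WS M", 1), ("Full Heal", 5), ("Ice Heal", 43),
                     ("Burn Heal", 43), ("Full Heal", 201)])
    run_from_item3(bag)
    return item(bag, 2)   # (0x35, 5)
```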

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Quibz
Date: 2015-05-22 22:05:21
Thanks Wack0. So it's safe to use then?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-05-23 05:15:12

Thanks Wack0. So it's safe to use then?

Yes.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-05-25 03:07:46
Hello,

I was thinking about the invalid encounter flag method to get 8F. Obviously you turn hex:4D (Good Rod) to hex:5D (8F). This method to get an item seems a little rough (especially if you can perform the cooltrainer corruption, that means you should be able to trigger item underflow, which is an easier way to get an item) but it still has some interest. Does that mean you could use the cooltrainer corruption to get ANY item?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: luckytyphlosion
Date: 2015-05-25 11:08:28
The Pokemon used to get 8F through Cooltrainer distort can only mutate items up to index 0x5F, or the glitch item 10F. So no, you cannot use Cooltrainer corruption to get any item.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Doom Mortal
Date: 2015-05-25 13:20:14
Hello everyone,

First I want to thank all of you who contributed to that amazing discovery, especially TheZZAZZGlitch.

I'm currently trying to manipulate the move of the first Pokemon in the Box.
But it doesn't work. After using the 8F the first move of the Pokemon is TM08.

The GSCode to do that I have successfully tested with an Emulator.
I'm playing the German Pokemon Blue Version.

Here are the GSCodes:
01|69|9E|DA English
01|69|A3|DA German

I have converted the GSCode into the Pattern that Wack0 http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609 has posted.

Here is my code:

Any Item
8F
Lemonade    x105
X-Accuracy  x163
Carbon      x218
Pokeball    x119
Fresh Water x201


What is wrong with the code?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-05-25 14:32:31
You're definitely using the right quantity of Lemonades?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Doom Mortal
Date: 2015-05-25 14:47:42
Yes it is the right quantity of Lemonade.  :(

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-05-25 18:04:06

Yes it is the right quantity of Lemonade.  :(


That's odd.

0x69 = 0b01101001
0xD0 (identifier of TM08 move) = 0b11010000

Are you able to set a breakpoint on write to $DAA3 and then use 8F?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: luckytyphlosion
Date: 2015-05-26 18:20:35
Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: luckytyphlosion
Date: 2015-05-26 20:40:31
Also something unrelated to the above problem: A very compact 8F bootstrap that can be achieved WITHOUT ACE!

Compact 8F Setup

Pokémon in Party:
6 Pokemon
<Anything>
Tentacool
Electabuzz
<Anything from here on>

Once you have the necessary Pokémon, do either one of the below options:

Cheating method:
Set D91C/E/F to C324D3

Not Cheating method:
* Setup Inventory to this, from the top:

Great Ball x155
TM09 x0
Antidote x195
Protein x211
Ether x80


TEXTCODE:
WRA1:D320 03 9B D1     ; repoint text to address d19b
WRA1:D323 00           ; print a string
WRA1:D324 0A C3 24 D3  ; print characters 0A, C3, 24, and D3 to address d19b. 0A does not matter.
WRA1:D328 50           ; end text printing mode
WRA1:D329 50           ; end text command mode


* Then, acquire item underflow, either with the Dry Underflow method or the Fresh Water/Fossil Method.

* Go to Route 6.

* Swap a Repel x211 into the Text Pointer slot (Represented by TM01 x80)

* Talk to the guy talking to the girl.

* You now have a working compact 8F setup, as long as you have 6 Pokemon in the Party, and the specially crafted Tentacool and the Electabuzz are in the 2nd and 3rd slot respectively.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-05-27 02:51:56

Found part of the problem.

The address for wNumBagItems is $d31d in English Pokemon Red/Blue. In the German version, it seems to be $d322.

The pseudo-gameshark code jumps to d322, which is wNumBagItems in German. I don't have a method to change the bootstrap to jump to the third item, however.


I posted one earlier in the thread

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-05-27 05:19:14
I had the same problem with my french game. See this post by Torchickens about the fact that you have to add 5 to any RAM address in european versions :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Doom Mortal
Date: 2015-05-27 13:00:24
Sorry for that delay. I was preparing the Pokemon team and items on my PC for testing with the debugger.

But I see you were all on the right track.

I substituted Onix with Graveler and now it works.

It is weird because I tested the old constellation successfully with a MAX DV/EV item list.

Thank you very much Wack0, luckytyphlosion, Krys3000.  :D