Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 13

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-05-28 13:49:11
Happy that your problem is solved  ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Trevor
Date: 2015-06-04 04:07:22
one problem solved, next problem here  :P

Hi everybody,

I'm currently trying to obtain the 8F item using invalid encounter flags (because I have no event that takes an item away and I don't feel like playing the main story all over again…).
The problem has to do with that ditto with the Cooltrainer attack, when trying to use the attack in game I need to click 3 times on "FIGHT" and then again 3 times to read the next "you have no moves for this attack left".
Also after a few tries the game crashes and I have to restart.

But normally as I read it just should do nothing, you should be able to do this as often as you want and also without crashes. Additionally you should only need to click one time on "FIGHT".

To get that Cooltrainer Ditto I just encountered a wild Pokémon, transformed into it, then switched attacks 1 and 2 and ran away from the battle - that's it.

PS: I'm using Pokemon Blue

Thanks for help :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-06-04 09:41:27
[quote]I'm currently trying to obtain the 8F item using invalid encounter flags (because I have no event that takes an item away and I don't feel like playing the main story all over again…).[/quote]


Actually you don't need an event anymore. There is a "dry" variation of the item underflow glitch, for which all you need is a stack of 255 X Special. You can get it with MissingNo. using the glitch of your choice. Moreover, if the invalid encounter flag method works, it means the cooltrainer corruption works for you, so that you can encounter a MissingNo. This invalid encounter flag method is obsolete, you should not use it.

The item underflow glitch requires you to have this:
[img]http://www.prama-initiative.com/RBJ/iug1.png[/img]
French screen; Special + is X Special and the first two items are useless.

Toss the first two useless items, you will have this:
[img]http://www.prama-initiative.com/RBJ/iug2.png[/img]

Toss several 255x of the first item until you only have access to two items. Toss 253 of that first X Special stack and switch items 1 and 2 twice. You should have X Special x0, like this:
[img]http://www.prama-initiative.com/RBJ/iug3.png[/img]

Item underflow will be active. Now go here (near Celadon):
[img]http://www.prama-initiative.com/RBJ/iug4.png[/img]

Toss 255 X Special again, and switch the remaining X Special with the Nugget in 35th position. 5 steps right, 5 steps down, 20 steps right and open the item menu to see 8F, which you can switch to a "normal" place (e.g. first place). Fly back to Celadon and buy items to fix the item menu.


If you still wanna use the invalid encounter flags, you don't need to USE the attack to trigger the corruption. Just enter/exit the FIGHT menu until it works.

Fact is, cooltrainer corruption doesn't always work, it depends on the values of some RAM addresses. You will find here TheZZAZZGlitch's methods to maximize the chances. I can tell you that the "renaming party + open unused box" method works very well.

Good luck!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Trevor
Date: 2015-06-05 17:10:08
Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.

But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the ASM code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?
Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders? that music is more fun to listen to :P
And finally a code where you can modify the species and the level of the Pokémon you battle would also be nice (modified "CATCH 'EM ALL" SCRIPT) :)


Ported codes:
Codes for Inventory slot 2 item ID and item count modifier stay the same, because no imm. values are used.

[size=12pt]GYM LEADER MUSIC PLAYS FOR NEXT BATTLE R/B EUROPE(NON-ENGLISH)[/size]
Use this outside of battle to make the next battle play the Gym Leader theme.

ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM34                x97
TM08                x201[/tt]
ASM:
WRA1:D327 EA 61 D0        ld (d061),a
WRA1:D32A C9              ret



[size=12pt]"CATCH 'EM ALL" SCRIPT R/B EUROPE(NON-ENGLISH)[/size]

ITEM LIST (starting from the first slot):
[tt]* Preferably Master Balls
* 8F
TM50                x36
TM11                x4
TM34                x94
TM08                x201[/tt]
ASM:
WRA1:D327 FA 24 D3        ld a,(D324)
WRA1:D32A 04              inc b
WRA1:D32B EA 5E D0        ld (D05E),a
WRA1:D32E C9              ret



[size=12pt]WALK THROUGH WALLS R/B EUROPE(NON-ENGLISH)[/size]
Jump off a ledge after using 8F to walk through walls.

ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM34                x25
TM15                x201[/tt]
ASM:
WRA1:D327 EA 19 D7        ld (d719),a
WRA1:D32A C9              ret



[size=12pt]ESCAPE FROM A TRAINER BATTLE R/B EUROPE(NON-ENGLISH)[/size]
This turns 8F into an item which allows escaping from any battle, including trainer battles.

ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
TM34                x125
TM08                x201[/tt]
ASM:
WRA1:D327 EA 7D D0        ld (d07D),a
WRA1:D32A C9              ret



[size=12pt]CATCH OTHER TRAINER'S POKEMON R/B EUROPE(NON-ENGLISH)[/size]
Use this in a Trainer battle to enable the ability to catch the enemy Pokémon and escape from battle.
You can also use it to disable wild battles, but you can't use it to turn a Trainer into a Pokémon.

ITEM LIST (starting from the first slot):
[tt]* Any item
* 8F
Lemonade            x1
TM34                x92
TM08                x201[/tt]
ASM:
WRA1:D327 3E 01           ld a,01
WRA1:D329 EA 5C D0        ld (D05C),a
WRA1:D32C C9              ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-06-06 01:47:28

[quote]Big thanks for your help!
I would suggest adding that to the first post; it can make users unsure if they think they need to have access to an event, when it's also possible without it.[/quote]


I guess this is the reason why TheZZAZZGlitch wrote a warning asking for newcomers to read beyond the first post. But, yes, I think it is necessary and would be useful to add the dry underflow to this post.


[quote]But well, I now got the item, experimented with it a bit and "ported" some codes to the European non-English versions of Pokémon Red/Blue by just adding 5 to every immediate value in the ASM code (I tested it on the German version only).
Adding 5 works if only RAM addresses are modified, but how could one figure out what the call addresses in other languages of the games are? Is there a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?[/quote]


I don't understand well what your problem is.

To create 8F codes for European versions, the only thing you need outside of the RAM map (for which you need to add 5 to every address) is a list of Game Boy opcodes. Their match with hex values is the same regardless of the game's localization. Understanding basic opcodes is not complicated, but you might find some help here and I have also written an article about it, but it's in French.

However, you must also know that, even if it's fun to create new codes, there is a much easier way to deal with 8F: Gameshark code simulation. Using it with the following items will trigger the gameshark code 01xxyyzz in European versions:

Any item
8F
Lemonade *xx
TM34 *yy
[item whose hex value is zz] *201 (=> Comprehensive big list)

Don't forget quantities are decimal values. You must get 18 Lemonades if your xx is 12. If the zz item appears to be a glitch item, or if you need a high quantity of some item, you can use the underflow to get them (using the Celadon loop, for example). You can also simulate the gameshark code which changes the first item:

Item you want to change (eg pokeball)
8F
Lemonade *hex value of the glitch item you want to get (in decimal of course)
TM34 *17
TM11 *201

By activating 8F, you will change the first item into your glitch item. Quantity remains the same. Another solution is to use the "morphing second item" code in its European version:

8F
Item which will be changed
Burn Heal x43
Ice Heal x43
Full Heal x201

Every time you activate 8F, the second item will lose a hex, and keep its quantity. With all this, you should not be facing any problem.


[quote]Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders? that music is more fun to listen to :P[/quote]


This audio track is hex:F3 of bank hex:08 according to the RAM map. If you want to use a "normal" 8F code rather than gameshark simulation, there must be a way to do it by manipulating the audio channel into those values.
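An added example (my own Python, not code from the thread or from any of its posters) of the mechanics behind the item lists posted above and the Gameshark simulation just described: it turns an item list into the bytes the CPU executes once 8F hands control to item 3, disassembles the handful of opcodes these codes use, and builds the item list that simulates a 01xxyyzz code. Item IDs are the Gen 1 item indices (TM01 = 0xC9 = 201, the ret byte, so TMnn = 0xC8 + nn; Lemonade = 0x3E, which executes as ld a,n); the code 010F9EDA used in the usage lines is a constructed sample value.

```python
# Added example, not code from the thread: 8F item list <-> bytes <-> Gameshark
# 01xxyyzz code, plus a disassembler for the opcodes the thread's codes use.

# Gen 1 item IDs used by codes in this thread. TM01 is 0xC9 (decimal 201), so
# TMnn = 0xC8 + nn and HM01..HM05 are 0xC4..0xC8 (computed, not tabled).
ITEM_IDS = {
    "Lemonade": 0x3E,    # executes as  ld a,n
    "Awakening": 0x0E,   # executes as  ld c,n
    "Poke Ball": 0x04,   # executes as  inc b
    "Ultra Ball": 0x02,  # executes as  ld (bc),a
    "Soda Pop": 0x3D,    # executes as  dec a
    "HP Up": 0x23,       # executes as  inc hl
    "Iron": 0x25,        # executes as  dec h
    "Carbos": 0x26,      # executes as  ld h,n
    "X Accuracy": 0x2E,  # executes as  ld l,n
    "Max Revive": 0x36,  # executes as  ld (hl),n
}

# Opcode -> (mnemonic template, operand size). 16-bit operands are little-endian,
# which is why "TM34 x yy" followed by item zz executes as ld (zzyy),a.
OPCODES = {
    0x02: ("ld (bc),a", 0),  0x04: ("inc b", 0),       0x05: ("dec b", 0),
    0x0E: ("ld c,{n}", 1),   0x1E: ("ld e,{n}", 1),    0x23: ("inc hl", 0),
    0x25: ("dec h", 0),      0x26: ("ld h,{n}", 1),    0x2E: ("ld l,{n}", 1),
    0x36: ("ld (hl),{n}", 1), 0x3D: ("dec a", 0),      0x3E: ("ld a,{n}", 1),
    0x40: ("ld b,b", 0),     0x43: ("ld b,e", 0),      0x77: ("ld (hl),a", 0),
    0x78: ("ld a,b", 0),     0x79: ("ld a,c", 0),      0xC9: ("ret", 0),
    0xCD: ("call {nn}", 2),  0xEA: ("ld ({nn}),a", 2), 0xFA: ("ld a,({nn})", 2),
}


def item_id(name):
    """Item index for a name: TM/HM numbers are computed, the rest looked up."""
    if name.upper().startswith("TM"):
        return 0xC8 + int(name[2:])
    if name.upper().startswith("HM"):
        return 0xC3 + int(name[2:])
    return ITEM_IDS[name]


def item_name(iid):
    """Inverse of item_id; IDs outside the table are shown as raw hex."""
    if 0xC9 <= iid <= 0xFA:
        return "TM%02d" % (iid - 0xC8)
    if 0xC4 <= iid <= 0xC8:
        return "HM%02d" % (iid - 0xC3)
    for name, val in ITEM_IDS.items():
        if val == iid:
            return name
    return "item 0x%02X" % iid


def items_to_bytes(items):
    """Each inventory slot is stored as (item ID, quantity), so every
    (name, quantity) pair contributes two bytes. Quantities are decimal."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError("quantity must be 1..255: %r x%d" % (name, qty))
        out += bytes([item_id(name), qty])
    return bytes(out)


def disassemble(code, stop_at_ret=True):
    """Decode bytes with the table above. Stops after ret by default, since the
    CPU returns there and the rest of the bag is never executed; raises on any
    opcode outside the table instead of guessing."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            raise ValueError("opcode %02X at byte %d is not in the table" % (op, i))
        text, size = OPCODES[op]
        if i + size >= len(code):
            raise ValueError("truncated operand at byte %d" % i)
        if size == 1:
            text = text.format(n="%02X" % code[i + 1])
        elif size == 2:
            text = text.format(nn="%04X" % (code[i + 1] | (code[i + 2] << 8)))
        out.append(text)
        if op == 0xC9 and stop_at_ret:
            break
        i += 1 + size
    return out


def gameshark_to_items(code):
    """01xxyyzz writes xx to address zzyy. The simulation from item 3 is
    Lemonade x xx (ld a,xx), TM34 x yy (ld (..),a with low byte yy), and the
    item whose ID is zz x201 (high byte zz, then 201 = C9 = ret)."""
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("expected a code of the form 01xxyyzz")
    xx, yy, zz = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [("Lemonade", xx), ("TM34", yy), (item_name(zz), 201)]


def gameshark_to_bytes(code):
    return items_to_bytes(gameshark_to_items(code))


if __name__ == "__main__":
    for name, qty in gameshark_to_items("010F9EDA"):   # constructed sample code
        print("%-10s x%d" % (name, qty))
    print(disassemble(gameshark_to_bytes("010F9EDA")))
```

The table only knows the opcodes that occur in this thread; feeding it anything else raises rather than silently mis-decoding, which is the behaviour you want when checking an item list before using it on a real save.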

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-06-06 09:22:26

[quote]how could one figure out what the call addresses in other languages of the games are? Is there a "call address map" in addition to the RAM map, or is debugging while playing in an emulator needed?[/quote]


The call addresses are ROM pointers that contain existing code to execute (these functions are called routines). "Call" tells the game to execute this code and return to what it was doing (e.g. if your code has call 3E62 ld a,01; the game will run the code at ROM pointer 3E62 and go back to run ld a,01 after it has finished (unless where it goes back wasn't corrupted)).

Some of the pointers for routines can be found in the Pokémon Red disassembly (e.g. SetIshiharaTeam: ; 64ca (1:64ca).

Sadly there is no consistent way to port English ROM pointers to other languages. However, because the games are similar, you can find them with the BGB debugger and a hex editor using the method I'll show below.

Let's try to find the equivalent of Red's 3E48 (give Pokémon) for German Red:

With English Red open, go on to BGB, right click on the game and choose Other>Debug. Then right click, select "Go to…" and enter 3E48.

You should get this, which is what code the give Pokémon routine is made up of.

[img]http://i3.minus.com/ibgOkC7BawA6ji.png[/img]

Leave the window open because we will need to remember the numbers (like 78) next to the ASM instructions (like ld a,b).

Now, open up a hex editor such as HxD (it's freeware) for German Red and use your hex editor's search function (search>find for HxD). Choose to find hex values and enter the values that you think will be shared for the other language's routine.

Note that the bracketed values may be +5 in the non-English European version, except for things in the ROM (values lower than 8000) and specific memory addresses like CD38, C0EF, C0F0 - I'm not sure of the specifics of which addresses get changed and which do not; it may be earlier RAM (CXXX) values.

The start of the routine has 78 EA 91 CF 79; so we can try searching for 78 EA 96 CF 79 (EA 96 CF because there is a "ld (CF91),a").

[img]http://i1.minus.com/iY4rwMEhnK4l1.png[/img]

This resulted in one match which was at address 3E62.

[img]http://i2.minus.com/iETYma7vcV1vp.png[/img]

If the address in the hex editor is less than 0x3FFF, you don't have to do anything with it to turn it into a pointer (*) - and you don't have to use the bank switch routine.

So in TheZZAZZGlitch's alternative catch 'em all, CD 48 3E (call 3E48) must be replaced with CD 62 3E (call 3E62).

Sometimes a search may give more than one result, in which case you could try checking what you think is the right routine with the most similar code in the BGB debugger and then test your code with S7, or you could try a search for different values.

These items from item 3 will work with the modified Pokémon set up (Graveler instead of Onix) for non-English European versions:

Schutz x(Pokémon index)
X-Tempo x14
Hyperball x64
TM05 x98
Lemonade x201

i.e. 1E xx 43 0E 02 40 CD 62 3E C9 FF


[quote]Is it also possible to make a script that plays the final rival battle music or the credits music at the next battle instead of the gym leaders? that music is more fun to listen to :P[/quote]


Yes. You can do this either by calling a play music routine with the correct register values (register 'a'=tune and register 'c'=bank) or by modifying both the memory address CFCC (CFC7 in English Red) and the addresses C0EF, C0F0.

CFCC forces the game to play a tune based on the ID you choose. C0EF, C0F0 change the music bank value (02, 08 or 1F; 20 is used for a few tracks exclusively in Yellow).

Here are all the tune ID and bank ID values.

I originally made a sound test program using the former method. It resets the tune ID and bank ID values back to 0 after you play the tune, so you can select all other tunes afterwards by tossing the quantities.

https://www.youtube.com/watch?v=DZiMfJJT2So

The code for the English version:

Lemonade x(tune ID)
Awakening x(bank ID)
TM05 x161
HP Up x62
Ultra Ball x61
Soda Pop x5
TM34 x35
TM11 x4
Poké Ball x234
Iron x211
TM01 x(anything)

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 23 d3 04 04 ea 25 d3 c9

ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D323),a - item 3 quantity =a (00)
inc b
inc b
ld (D325),a - item 4 quantity =a (00)
ret


The only things you have to do here are check the equivalent of 23A1 (using the debugger and hex editor) and change D323/D325 to D328/D32A, and there was one situational problem.

The situational problem: 2A is represented by a Helix Fossil and it's not good to have key items with quantities over one. So I used some alternate code without key items or duplicate stacks.

Often when you want to avoid a key item, you can use a one-byte opcode to manipulate some registers that you aren't using for your code so that they take the place of an item (e.g. inc b is represented by a good item; a Poké Ball). This page has a list of opcode IDs.

Equivalent pointer: Using the method I showed you above, it turns out that basically the same routine (ignoring memory address changes) is also at 23A1 in the German Red, so you don't have to change it.

(Note that this is not the case for every language; in the French version that routine is at 239D).

The following code will work for the German version:

3e (add tune ID here) 0e (add bank ID here) cd a1 23 3e 02 3d 3d 05 ea 28 d3 04 2e 2a 04 77 c9

Limonade x(tune ID)
Aufwecker x(bank ID)
TM05 x161
KP-Plus x62
Hyperball x61
Sprudel x05
TM34 x40
TM11 x04
X-Treffer x42
PokéBall x119
TM01 x(any)

ld a, xx - tune
ld c, yy - bank
call 23A1 - play music
ld a, 02 - a=02
dec a - a=01
dec a - a=00
dec b
ld (D328),a - item 3 quantity =a (00)
inc b
ld l,2A  - hl=D32A
inc b
ld (hl),a - item 4 quantity =a (00)
ret


So to play Champion music for example, this tells us the bank ID is 08 and the tune ID is $F3; hence you'd need Limonade x243 (hex:F3) and Aufwecker x8.


[quote]And finally a code where you can modify the species and the level of the Pokémon you battle would also be nice (modified "CATCH 'EM ALL" SCRIPT) :)[/quote]


I was working on one but found it hard to get good items for execution, I'm afraid. I may come back to this another time, or maybe TheZZAZZGlitch can help. Sorry.



(*): About banks - the give Pokémon function does not require a bank switch (and knowledge of how to convert a Game Boy offset into a pointer):

If the address in the hex editor is greater than $3FFF, it has something called a bank (greater than 0); and our pointer (call/jump value) is no longer necessarily the same as a hex editor address (offset).

The game can run from "bank 0" (pointers $0000-3FFF e.g. "give Pokémon") all of the time, but not data from other banks without the game changing banks (in games that support it, Pokémon included) if it is currently on the wrong bank.

The bank is this address divided by $4000, rounded down to the nearest whole number; for example, offset $0F807A contains code that will run Pikachu's Beach in Yellow. $0F807A/$4000 rounded down equals 3E, so the bank is 3E.

If you wanted to run the code at $0F807A, you would have to make the game change banks before running it because the game won't be running on bank 3E when ws m is used.

The 3E is the first byte of a three byte pointer (3E:XXXX). There are two other bytes to the pointer (XXXX) and this represents the pointer you will call, like how we call 3E48 (3E62 on German version) for the give Pokémon function.

To work out bytes 2 and 3 of the pointer, you can do Offset-(0x4000*Bank)+0x4000; so for Pikachu's Beach: ($F807A-$F8000)+$4000; which is $407A.

Or you can use a pointer calculator (note that this tells you the second and third bytes the wrong way round; 3E7A40 instead of 3E407A, so you have to remember to swap them for execution).

To execute Pikachu's Beach (which we found has the pointer 3E407A), there is a routine to change ROM banks and jump to an address (the routine for each language can be found here thanks to Wack0 - in German Yellow it's $3E89).

Register purposes for this routine:
c=Bank
h=Pointer byte 2
l=Pointer byte 3

So you need to set c to 3E, h to 40, l to 7A then do a call $3E89. This would execute Pikachu's Beach.

(Wack0's German Pikachu's Beach code does this)

If you want to turn a three byte pointer back into an offset, you can do:
romAddress = (bankNumber * 0x4000) + (twoBytePointer - 0x4000)
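An added example (my own Python, not Torchickens' or Wack0's code) of the porting arithmetic in the post above: shift the WRAM operands of an English routine signature by +5, search a ROM image for the result, and convert the offset found into bank/pointer form and the call bytes an item list has to encode. The ROM image is a constructed 32 KiB buffer with the shifted give-Pokémon signature planted at 0x3E62, not a real dump; the three unshifted addresses, the bank-switch routine's $3E89 address and its c/h/l register use are taken from the post, and the +5 rule is the thread's rule of thumb rather than a guarantee.

```python
# Added example, not code from the thread: port a routine pointer the way the
# post describes (signature search with +5 WRAM operands, then bank/pointer math).

BANK_SIZE = 0x4000
# Addresses the post says are NOT moved in the non-English versions.
UNSHIFTED = frozenset({0xCD38, 0xC0EF, 0xC0F0})


def shift_signature(sig, delta=5, wram_start=0xC000, keep=UNSHIFTED):
    """Copy of a byte signature in which the 16-bit operand of ld (nn),a (EA)
    and ld a,(nn) (FA) is moved by delta when it points into WRAM and is not in
    keep. Everything else, including call (CD) operands into ROM, is copied as is.
    Always confirm a hit in the debugger; the +5 rule is only a rule of thumb."""
    out, i = bytearray(), 0
    while i < len(sig):
        op = sig[i]
        if op in (0xEA, 0xFA) and i + 2 < len(sig):
            nn = sig[i + 1] | (sig[i + 2] << 8)
            if nn >= wram_start and nn not in keep:
                nn = (nn + delta) & 0xFFFF
            out += bytes([op, nn & 0xFF, nn >> 8])
            i += 3
        else:
            out.append(op)
            i += 1
    return bytes(out)


def find_all(rom, pattern):
    """Every offset at which pattern occurs. More than one hit means the
    candidates have to be compared in the debugger, as the post notes."""
    hits, start = [], 0
    while True:
        pos = rom.find(pattern, start)
        if pos < 0:
            return hits
        hits.append(pos)
        start = pos + 1


def offset_to_pointer(offset):
    """Bank = offset // 0x4000. Bank 0 code is called at its own offset; code in
    any other bank is called at offset - bank*0x4000 + 0x4000 (4000-7FFF)."""
    bank = offset // BANK_SIZE
    if bank == 0:
        return 0, offset
    return bank, offset - bank * BANK_SIZE + BANK_SIZE


def pointer_to_offset(bank, pointer):
    """romAddress = (bankNumber * 0x4000) + (twoBytePointer - 0x4000); bank 0 is the offset itself."""
    if bank == 0:
        return pointer
    return bank * BANK_SIZE + (pointer - BANK_SIZE)


def call_bytes(pointer):
    """call nn is CD lo hi, e.g. call 3E62 -> CD 62 3E."""
    return bytes([0xCD, pointer & 0xFF, pointer >> 8])


def bank_switch_call(bank, pointer, routine):
    """ld c,bank ; ld h,hi ; ld l,lo ; call routine -- the register use the post
    gives for the bank-switch-and-jump routine (c=bank, h/l=pointer bytes 2/3)."""
    return bytes([0x0E, bank, 0x26, pointer >> 8, 0x2E, pointer & 0xFF]) + call_bytes(routine)


def port_call(rom, english_sig):
    """For each hit of the shifted signature: (offset, bank, pointer, call bytes)."""
    results = []
    for off in find_all(rom, shift_signature(english_sig)):
        bank, ptr = offset_to_pointer(off)
        results.append((off, bank, ptr, call_bytes(ptr)))
    return results


# Constructed sample "German" ROM: 32 KiB of FF with the shifted give-Pokémon
# signature planted at 0x3E62 and the unshifted English bytes planted elsewhere
# as a decoy, to show why the shifted pattern is the one to search for.
ENGLISH_SIG = bytes.fromhex("78EA91CF79")   # start of give Pokémon at 3E48 (English Red)
_rom = bytearray(b"\xFF" * 0x8000)
_rom[0x3E62:0x3E62 + 5] = shift_signature(ENGLISH_SIG)
_rom[0x1234:0x1234 + 5] = ENGLISH_SIG
SAMPLE_ROM = bytes(_rom)

if __name__ == "__main__":
    print(port_call(SAMPLE_ROM, ENGLISH_SIG))          # [(0x3E62, 0, 0x3E62, CD 62 3E)]
    print(offset_to_pointer(0x0F807A))                   # (0x3E, 0x407A) = Pikachu's Beach
    print(bank_switch_call(0x3E, 0x407A, 0x3E89).hex())  # 0e3e26402e7acd893e
```

On a real ROM you would load the file with open(path, "rb").read() in place of SAMPLE_ROM; the functions take any bytes-like object.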

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Shina69
Date: 2015-08-14 14:10:52
Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks for the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies… a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but… there's one thing that wasn't forgotten - I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_-_x to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_-_x, on Pokémon Yellow European Version (English)? [size=8pt](I believe this is the proper version; I'm from Portugal and I will try to find that old box!)[/size]

Not sure if this is the proper topic to send my request, but i'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2015-08-14 15:48:59
Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Shina69
Date: 2015-08-14 17:36:54

[quote]Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.[/quote]


Oh I also tried that, forgot to mention  );
Managed to make Ditto Swords Dance 3 times and actually got a L:13 one but the move was still there.
Some other guy got the same results as I read in a YouTube video comment, that's why I ran out of options  :'(
(by the way, Flash is the 2nd move on the Fight list, if it helps :o)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Misero
Date: 2015-08-17 13:42:06
Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-08-21 13:06:31

[quote]Has anyone created a save state meant for this arbitrary code execution?
If not, I'll go with gamesharking my way through.[/quote]


Here are save files that have 8F and ws m set up with code to get Mew upon using 8F/ws m and closing the menu.

English Red: https://mega.nz/#!8hF1XDiR!M-397Ob3EDtPlOHW3XUSO52FArph3Ork8Y_YXrJ45nQ
English Yellow: https://mega.nz/#!d8sGjZLT!yp1oMA5zGHOxI91I3qgweYZkY1Y6CzL2-m-MrxpSeyY

If you want to change the code the game ends up running after the Pokémon set ups (certain party Pokémon in Red/Blue, certain stored Pokémon in Yellow) you can edit D322 (Red/Blue) or D321 (Yellow) and onward, which represent the item 3 identifier and onward.

Edit: Here is a save file for Japanese Green to get Mew with 5 (with kattempla/pokebug's party Pokémon set up) or てへ.

If you want to get it with てへ you have to watch the old man's demonstration first.

The set ups have the code beginning at item 2 (D2A4). The Pokémon redirect the program counter to item 2 for use with 5. The name て (after watching the old man's demonstration) redirects the program counter to item 2 (D2A4) for use with てへ.

https://mega.nz/#!NtMjQYBJ!K8KFbfuo7jI0638BuJIxWm1GsjozVX2iDu1nYRu7GEg

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-08-21 14:59:46

[quote]Good evening, guys.
First of all, you people are absolute unrecognized geniuses for coming up with such amazing programming tricks for the eyes of this humble gamer who spent his childhood exploring the neat forests of Pokémon Yellow, not regretting knowing so little as I did. Although times change and nostalgia grabs us once again to pick up the old dusty cartridges and face our old childhood enemies… a magnificent team starts to assemble. Glitches were learned, stats analyzed, moves tactically duplicated in order to fulfill the needs, but… there's one thing that wasn't forgotten - I can't delete the HM moves.
So I went deeper and deeper, because transferring my beloved X_-_x to Gen 2+ wasn't an option, and I decided to come to you guys, as I got so fascinated with the wonders of arbitrary code execution.

Is there any way to come up with a move deleter for HMs or simply overwrite this annoying Flash move of X_-_x, on Pokémon Yellow European Version (English)? [size=8pt](I believe this is the proper version; I'm from Portugal and I will try to find that old box!)[/size]

Not sure if this is the proper topic to send my request, but I'm deeply thankful for the attention.
Keep mesmerizing us with new knowledge applied to old technologies, you guys rock![/quote]


Sure. We can remove it with ws m!

The following items from item 3 will replace move 1 of Pokémon 1 with a move of your choice:

Lemonade x(move ID)
TM34 x114
TM09 x201

As code:


ld a,xx
ld (D172),a
ret


As bytes:


3E xx
EA 72 D1
C9


If you want to port this to Red/Blue, replace TM34 x114 with TM34 x115.

To execute the code, you can get the items and use ws m (obtainable with dry underflow and the looping map trick) with relevant stored Pokémon (example), or another means of arbitrary code. For example, replacing item 41 with Iron x 211 will make the game execute your code from item 5 in Yellow and does not require specific Pokémon.

Another non arbitrary code execution approach to getting X - x without Flash is by using the remaining HP glitch with a remaining HP of 196, if you can get Q (and this glitch only works if box 1 has never been filled completely). Since this glitch uses catch rate as an FF, data below it like moves are not affected during the data shift backs from each time you withdraw a Pokémon after the terminator is removed (step 6 in the video below and beyond).

This means you can have a Pokémon with the moves you want, then turn it into X - x and have the moves unchanged.

https://www.youtube.com/watch?v=9l1nuTS3VI0
(click video)

If you can obtain a PokéWTrainer in Pokémon Red (it unfortunately freezes the game on the opponent's side, however), then you may be able to trade it to Yellow to become an X - x without Flash.

In theory, we might be able to get a level 255 X - x with the overworld Pokémon catch trick in a Glitch City, or some -gm trickery, and theoretically, it would appear with moves without Flash.



[quote][quote]Shina69:
Catching above L:12 might erase the move, unless you want to keep your current one.[/quote]

Oh I also tried that, forgot to mention  );
Managed to make Ditto Swords Dance 3 times and actually got a L:13 one but the move was still there.
Some other guy got the same results as I read in a YouTube video comment, that's why I ran out of options  :'(
(by the way, Flash is the 2nd move on the Fight list, if it helps :o)[/quote]


Yes, catching one at level 13 did not result in X - x having Flash for me either. All X - x level 1 through to level 13 had Flash. For reference, Flash is one of X - x's starting moves, not just a move learned at a low level, which means it always has it at the lowest level and cannot learn it through level up (unless Flash appears in the level up database as well).

For some reason, in the event that you catch X - x at level 255 it will not know Flash. Instead it will know Mega Punch, Tail Whip, Scratch, Disable. According to the Bulbapedia article, Mega Punch, Scratch and Disable are among its last learnable moves, though for whatever reason, Tail Whip isn't one of the last ones. Note that the learned moves list on Bulbapedia has at least one error. At level 1 X - x will try to learn the arbitrarily named hex:00 move (which is the CoolTrainer[F] type in Red/Blue and supports move selection corruption too in Yellow) if you somehow raise X - x to that level.

I have some text databases with data extracted from the ROMs from various users including a level up database by Echinodermata. Unfortunately there seems to be an error because they note X - x as learning no moves which isn't true (even though much of the data is correct).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Searinox
Date: 2015-08-22 06:02:58
Does anyone know any GameShark code for changing the moves of Pokémon IN THE BOX? There are GameShark codes for changing party Pokémon moves that I wanted to try to convert to code execution using Chickasaurus' post info, but all I can find is codes for the party, not the box, which is useless since we're forced to use a full predefined party for the bootstrap.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-08-23 09:37:24
To build a Gameshark code, the only thing you need is a ram map. This gives you the RAM addresses you need to deal with. In your case, RAM addresses for the moves of the first Pokémon in the active box are DA9E to DAA1.

That means you can modify this using the gameshark codes 01xx9EDA to 01xxA1DA with xx being the hex value of the wanted move  ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Searinox
Date: 2015-08-23 13:21:36
I managed this on my own albeit with some problems at first.

Firstly, Chickasaurus' post I linked in my previous post didn't work for me. Second, it requires a different item ID for each move, which is slightly clunky. At first I had the idea of perhaps attempting a .j as a NOP to bring ID parity back and execute the instruction in the item amount instead of the ID, but realised I was getting in way over my head since I would then have to figure out how to redirect to the address with another item, and I do not fully understand ASM instructions.

I then went to try and find the memory address with VBA's cheat maker. For reasons completely beyond me the cheat searcher finds the address CA9E as the location instead of DA9E, and obviously the cheat doesn't work. Why this is so baffles me. I'm using a modded VBA called VBA-M, svn926. I'm not sure if it's got a bug with memory offset representation but it led me to a dead end.

Finally I found the RAM layout, but on Bulbapedia. Now I had the correct address, tested the GS code made with it and it worked (why do GS codes have the last 2 bytes reversed from how they are in RAM, as in 01xxB2B1? Editing DA9E requires the code to be written as 01xx9EDA, but anyway I digress…). Now I needed a way to get the code converted into 8F item representation and, like I said, I had failed with Chickasaurus' post.

FINALLY I found your wiki which worked to convert the code into ACE!

You were mentioning earlier that you were trying to get Flash off some glitch Pokemon… well this may help.

Long story short…

Have the Pokemon to be altered be the first one in the PC. Have its move to be altered be put in first slot.
8F
<any item>
X Accuracy x158 (changing this from 158 for first move to 161 for 4th move SHOULD change the move that's altered, though I have ONLY tested with the first move!)
Carbos x218
Max Revive x<MOVE ID>
Poke Ball x201

Where move ID obviously corresponds to the move's ID.
This will change the first move of the first Pokemon in your active box.


This also makes it possible to put glitch moves not previously obtainable on Pokemon, or contrary, remove dangerous Super Glitch moves from Pokemon without having to stand on some obscure tile in Celadon City's residence. :D

You are going to end up doing a lot of Pokemon box swapping but also potential move swapping. If needed to get into battles to swap moves without entering an area that will load field data into Cinnabar(for item duping) I've found it feasable to teach Tentacool Surf and put the Pokemon to alter first in party while Surfing the east coast for item duplication, so you don't have to deposit your whole bootstrap party. Even in default setup, with Pokeball being in 6th slot, it's unaffected by potential 'M/Missingno. encounters as 201 doesn't roll in any way since the first bit is already 1 so it doesn't mess up the ret. Keeps things simple.