Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 14

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-08-24 15:13:13

Does anyone know any GameShark code for changing the moves of Pokémon IN THE BOX? There are GameShark codes for changing party Pokémon moves that I wanted to try to convert to code exec using Chickasaurus' post info, but all I can find is codes for the party, not the box, which is useless since we're forced to use a full predefined party for the bootstrap.


Damn. I overlooked that we wouldn't be able to use the code in Red/Blue (with x115 instead of x114) because of 8F requiring specific party Pokémon (unless you wanted to change your Pidgey, Onix etc's moves). The code works in Yellow, but I didn't think about the party Pokémon problem for Red/Blue, sorry.

The code I made works in Pokémon Yellow with ws m because that requires specific stored Pokémon; so in Yellow you can manipulate the moves of party Pokémon.

The glitch item -g m (hex:6A) in Red/Blue can be used with a stored Pokémon bootstrap code akin to Pokémon Yellow's, provided there aren't bad values in Safari Balls or Day Care (if you have ever deposited a Pokémon in the Day Care this may not be an option, as values stay even after withdrawing). Hence that can be used to alter party Pokémon moves in Red/Blue.

If you cannot find a memory address on DataCrystal, two other good places are the GameShark codes archive (as you know, if you reverse the order of the last two bytes you will get the memory address, e.g. 01??81DA 01??96DA means modify DA81 and DA96) as well as the Pokémon Red disassembly.



Firstly, Chickasaurus' post I linked in my previous post didn't work for me. Second, it requires a different item ID for each move, which is slightly clunky. At first I had the idea of perhaps attempting a .j as a NOP to bring ID parity back and execute the instruction back in item amount instead of ID, but realised I was getting in way over my head, since I would have to then figure out how to redirect to the address with another item and do not fully understand ASM instructions.


I'm not sure if you did something wrong if it requires a different item ID. You could use that skeleton to create this code to change stored Pokémon 1:

3E xx
EA 9E DA
C9

Lemonade x(move)
TM34 x158 (or 159 for changing move 2, 160 for move 3, 161 for move 4)
TM18 x209

There may be confusion because the endianness is different for this method (9EDA instead of DA9E) compared to using the h and l registers (DA in h, 9E in l).


I then went to try and find the memory address with VBA's cheat maker. For reasons completely beyond me the cheat searcher finds the address CA9E as the location instead of DA9E, and obviously the cheat doesn't work. Why this is so baffles me. I'm using a modded VBA called VBA-M, svn926. I'm not sure if it's got a bug with memory offset representation, but it led me to a dead end.

Yeah, it is a bug. When you see a CXXX address in cheat searcher, make sure to try it as DXXX as well.


Have the Pokemon to be altered be the first one in the PC. Have its move to be altered be put in first slot.
8F
<any item>
X Accuracy x158 (changing this from 158 for first move to 161 for 4th move SHOULD change the move that's altered, though I have ONLY tested with the first move!)
Carbos x218
Max Revive x<MOVE ID>
Poke Ball x201

Where move ID obviously corresponds to the move's ID.
This will change the first move of the first Pokemon in your active box.


Congratulations on doing this yourself! I see you used l and h. Your code is a little more flexible than the earlier skeleton Wack0 posted for built-in GameShark if used as:

X Accuracy x(address byte 2 e.g. 9E)
Carbos x(address byte 1 e.g. DA)
Max Revive x<MOVE ID>
Poke Ball x201

Because the value (move ID) and both address bytes depend on the quantity, you can access every quantity easily (plus 00 if you got the X Accuracy with item underflow, because you can have y-block values (following x coordinate) of 00), though you can't edit 00XX as it is in ROM (though you could 'write' 0A to 0000, as that opens up SRAM (A000+) for write access; I'm not sure how that works exactly).

Plus, it's a bit messy, but we can use this altered code to set every quantity from item 3-5 to 0 (256, you can toss to get 1-255) upon use if you can force extra stacks of X Accuracy and Carbos and get two Water Stone stacks (by withdrawing two stacks of 99). This lets us change multiple addresses (even if you require a greater quantity) with multiple 8F uses.

X Accuracy x(address byte 2 e.g. 9E)
Carbos x(address byte 1 e.g. DA)
Max Revive x<MOVE ID>
Carbos x 211
X Accuracy x 35
Soda Pop x175
Water Stone x44
Poké Ball x34
Great Ball x44
Water Stone (or PP Up if you don't want two Water Stone stacks) x201

ASM for the footer (set item 3-5 quantities to 0):


ld h,D3      ; Carbos x211 (26 D3)
ld l,23      ; X Accuracy x35 (2E 23) -> hl = D323, quantity of item 3
dec a        ; Soda Pop x175 (3D AF)
xor a        ;   a = 0
ldi (hl),a   ; Water Stone x44 (22 2C): item 3 quantity = 0
inc l        ;   skip item 4's ID byte
inc b        ; Poké Ball x34 (04 22)
ldi (hl),a   ;   item 4 quantity = 0
inc bc       ; Great Ball x44 (03 2C)
inc l        ;   skip item 5's ID byte
ldd (hl),a   ; Water Stone (ldi) or PP Up (ldd) x201: item 5 quantity = 0, then C9 = ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Searinox
Date: 2015-08-24 16:36:24
Open up SRAM for write access? That sounds quite dangerous. I can do that with these instructions? Yikes. I don't wanna write to my save file!

Yes I have deposited Pokemon in daycare before. Then again we can make a code to blank out the daycare memory area right? A bit bothersome however, because I use the daycare to stabilize some glitch Pokemon.

Thanks for confirming the VBA Gameshark bug. I'll be updating VBA-M when I have time. Have you run into this before or is it strictly on my emulator build?

Why use code to underflow items to x0? Can't we just create a stack of x255, clone it by tossing something, then toss x254 out of one stack to bring it down to x1 and swap it with the other x255 to merge them into a single x0 stack? Am I misunderstanding?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-08-24 17:47:35

Open up SRAM for write access? That sounds quite dangerous. I can do that with these instructions? Yikes. I don't wanna write to my save file!


You do not have to. It is only if you do a 0A write to 0000 and then modify the code to write to a SRAM address of your choice. (These instructions won't have any unexpected side effects). With the old skeleton, you could use the start of it to write to 0000 too, it just required a hex:00 glitch item.

If you are careful, writing to SRAM can be useful because you can choose to write custom Hall of Fame entries.


Yes I have deposited Pokemon in daycare before. Then again we can make a code to blank out the daycare memory area right? A bit bothersome however, because I use the daycare to stabilize some glitch Pokemon.


Yes. You could use a program that alters itself (by means of increasing a quantity, etc.) modifying DA47 (number of Safari Balls) the first use, then DA48 (part of the Day Care the second use) and so on.

Alternatively, you could use the FillMemory (call 36E0) function. First you'd need to set 'a' as 00, bc as how many bytes to fill (DA80-DA47=39h) and hl as DA80. That might be a harder program to write and get reasonable items with.


Thanks for confirming the VBA Gameshark bug. I'll be updating VBA-M when I have time. Have you run into this before or is it strictly on my emulator build?


You're welcome. I've had it on my build too, which is VBA v24 svn422. I do not know if it has been fixed. Yes.


Why use code to underflow items to x0? Can't we just create a stack of x255, clone it by tossing something, then toss x254 out of one stack to bring it down to x1 and swap it with the other x255 to merge them into a single x0 stack? Am I misunderstanding?


Actually yes. You can do that. It would decrease your number of items each time, but if you're not going to use 8F 255 times, that's not such a problem.

My intention is if you want to easily make multiple memory modifications later, even ones that require a higher quantity. Say you edited DA9E, so you toss your X Accuracy until you have 158, but later decided you wanted to edit DA9F too (x159). But you couldn't create an extra X Accuracy (buying won't add to the stack, the game will try to split the stacks in 99s max) without another duplication or generation, so by setting the quantity back to 0, we could toss 97 to get 159.

(Note, you could of course get 159 first and use 8F and then get 158 and not have to increase the quantity - but if you decided later you wanted to get 160 you'd be 'stuck')

If you can get the right items, the extended code is a straightforward and fast way that is more reliable, for the purpose of making many different modifications not restricted by quantity reducing, but it's not essential (you could do the x255 stack glitch to stockpile x255 items, or repeat item duplication, or fix your item pack then do item underflow again and item generation again).

Thinking about how you could do it with item stack glitch…

If you modified move 1 first but then later wanted to modify move 2 you could bring:

8F
(item)
X Accuracy x255
Max Revive x<MOVE ID>
Poke Ball x201
Carbos x(address byte 1 e.g. DA)
(…249 items)

1) Create an extra X Accuracy x255 in slot 2 by tossing the second item.
2) Get X Accuracy x158 in slot 3 and use 8F.
3) Put the X Accuracy x158 in slot 1. (not slot 2, as to avoid an item merge)
4) Put the X Accuracy x255 in slot 3.
5) Put the X Accuracy x158 in slot 2.
6) Toss the X Accuracy x158 to get an extra x255 and set up the list as above but with X Accuracy x159 instead.

..Repeat steps 2-6 with quantities of your choice for further modifications.

There may be a way that is logistically better.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-08-25 07:51:41

why do GS codes have 01xxB2B1 last 2 bytes reversed from how they are in RAM?


Because of endianness. The Game Boy and GBC use little-endian.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Searinox
Date: 2015-08-26 05:41:01
This is becoming too fun. Wheeeeeeeeeeee!

Perfect DVs for first Pokemon in active box:
8F
<any item>
X Accuracy x178(speed, special, half of hp), then again with 177(attack, defense, the other half of hp)
Carbos x218
Max Revive x255
Poke Ball x201


Tell me, the following code below can work right?

8F
<any item>
X Accuracy x178
Carbos x218
Max Revive x255
X Accuracy x177
Carbos x218
Max Revive x255
Poke Ball x201


To do it in one go.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2015-08-29 15:12:58
Yep! That will work.

Your code is like this.


ld l, B2     ; X Accuracy x178 (2E B2)
ld h, DA     ; Carbos x218 (26 DA) -> hl = DAB2
ld (hl),FF   ; Max Revive x255 (36 FF)
ld l, B1     ; X Accuracy x177 (2E B1)
ld h, DA     ; Carbos x218 (26 DA) -> hl = DAB1
ld (hl),FF   ; Max Revive x255 (36 FF)
inc b        ; Poké Ball (04)
ret          ; x201 (C9)


We can shorten it a little if we turn it into this:


ld l, B2     ; X Accuracy x178 (2E B2)
ld h, DA     ; Carbos x218 (26 DA) -> hl = DAB2
ld a,FF      ; Lemonade x255 (3E FF)
ldd (hl),a   ; PP Up (32): write FF to DAB2, hl = DAB1
ldi (hl),a   ; x34 (22): write FF to DAB1
ret          ; TM01 (C9)



2E B2 26 DA 3E FF 32 22 C9


As items, this is:
8F
(any item) x (any quantity)
X Accuracy x178
Carbos x218
Lemonade x255
PP Up x34
TM01 x(anything)

Note that if you don't want to use a PP Up, you can use this alternative which has all items you can buy from shops other than 8F. It is the same as the code above but has inc b (Poké Ball, 04) above ldd (hl),a (PP Up, 32) so that what was the PP Up is now expressed as a quantity (hex:32 in decimal or 50).

8F
(any item) x (any quantity)
X Accuracy x178
Carbos x218
Lemonade x255
Poke Ball x50
Water Stone x201

In this code we store FF into the a register for use later. Ldd (hl),a writes the value of 'a' (FF) into DAB2, and then decrements the hl value to DAB1. Then we can use another ld (hl),a (I chose ldi (hl),a because it represents a good item) to write FF into DAB1.
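To check an item layout before trying it on a cartridge, here is an added example (not code from the thread or any tool it mentions): it encodes bag slots as the ID/quantity byte pairs 8F executes, converts a GameShark code to its little-endian address, and steps the bytes through a small interpreter that only models the opcodes used in this thread, reporting every memory write made before ret. The item IDs are the Gen I values the posts rely on.

```python
# Added example: bag layout -> bytes -> simulated writes, for the opcode subset
# used in this thread (ld l/h/a/(hl),n ; ldi/ldd (hl),a ; inc b/bc/l ; dec a ; xor a ; ret).
ITEM_ID = {"X Accuracy": 0x2E, "Carbos": 0x26, "Max Revive": 0x36,
           "Poke Ball": 0x04, "Lemonade": 0x3E, "PP Up": 0x32,
           "Water Stone": 0x22, "Great Ball": 0x03, "Soda Pop": 0x3D,
           "TM01": 0xC9}

def gs_code_to_address(code):
    """GameShark 01vvLLHH: the last two bytes are the address, little-endian."""
    return int(code[6:8] + code[4:6], 16)          # "01FF81DA" -> 0xDA81

def items_to_bytes(items):
    """Each bag slot is two bytes: item ID, then quantity (x256 is stored as 00)."""
    return bytes(b for name, qty in items for b in (ITEM_ID[name], qty & 0xFF))

def run(code):
    """Interpret the thread's opcode subset; return (address, value) writes before ret."""
    a = b = c = h = l = 0
    pc, writes = 0, []
    while pc < len(code):
        op = code[pc]; pc += 1
        hl = (h << 8) | l
        if op == 0x2E: l, pc = code[pc], pc + 1          # ld l, n
        elif op == 0x26: h, pc = code[pc], pc + 1        # ld h, n
        elif op == 0x3E: a, pc = code[pc], pc + 1        # ld a, n
        elif op == 0x36:                                 # ld (hl), n
            writes.append((hl, code[pc])); pc += 1
        elif op in (0x22, 0x32):                         # ldi / ldd (hl), a
            writes.append((hl, a))
            hl = (hl + (1 if op == 0x22 else -1)) & 0xFFFF
            h, l = hl >> 8, hl & 0xFF
        elif op == 0x04: b = (b + 1) & 0xFF              # inc b
        elif op == 0x03:                                 # inc bc
            bc = (((b << 8) | c) + 1) & 0xFFFF; b, c = bc >> 8, bc & 0xFF
        elif op == 0x3D: a = (a - 1) & 0xFF              # dec a
        elif op == 0xAF: a = 0                           # xor a
        elif op == 0x2C: l = (l + 1) & 0xFF              # inc l
        elif op == 0xC9: break                           # ret: control goes back to the game
        else: raise ValueError(f"opcode {op:02X} is not modelled here")
    return writes

# The shortened perfect-DV layout from the post above (PP Up version).
PERFECT_DVS = [("X Accuracy", 178), ("Carbos", 218), ("Lemonade", 255),
               ("PP Up", 34), ("TM01", 1)]

if __name__ == "__main__":
    code = items_to_bytes(PERFECT_DVS)
    print(code.hex(" ").upper())                 # 2E B2 26 DA 3E FF 32 22 C9 01
    print([(hex(addr), hex(val)) for addr, val in run(code)])
```

An unmodelled opcode raises instead of guessing, so a layout whose quantities or item IDs decode to anything outside this subset is flagged rather than silently mis-simulated.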

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Searinox
Date: 2015-09-01 07:41:15
How can this be converted easily into a way to write a given value from address X to address X+Y? As in, write a value to a total of Y addresses starting from X?

This one in particular benefits since it would be nice to write FF to all 8 bytes consecutively without filling the inventory ridiculously. This one is for Stat EXP./EVs of first pokemon in active box.
8F
<any item>
X Accuracy x175(Special), 173(Speed), 171(Defense), 169(Attack), 167(HP)
Carbos x218
Max Revive x255
Poke Ball x201

2nd byte doesn't matter, 65280 is enough for all 63 stat points at level 100.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-09-15 15:00:36
Hello everyone,

If you guys haven't seen it yet, I document in this thread a new method to trigger an underflow which does not require you to encounter MissingNo. It's called "partial PC underflow" and is inspired by work TheZZAZZGlitch did a few months ago.

I don't know if we can say that it's an easier way, but it's very useful if you can't do the old man trick (e.g. playing in yellow), the ditto trick (e.g. no available trainer) and the cooltrainer trick (corruption not working).

Also this method allows you to get many glitch items, including ws'||lm||, without triggering the underflow so this is even quicker :)

It might be worth mentioning in the first post; it's up to you.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-09-16 10:43:50
I've been trying to do a bit of this myself recently, learning up on Gameboy code and the like, and I tried to write a script and (as assumed) it failed massively.

It seems to freeze (not crash, meaning I think I've got the right Pokémon in my box (and yes, I'm using ws m)) whenever I use the item, so I thought it might not be terminated correctly.

I was using the Pokémon arrangement as stated on the GCL page, and started the code at my 3rd item.

So, if I'm correct, is there any way I can make a blank script which simply terminates the moment it gets to my item pack? As in, what item should I put as my third to end the script?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-09-16 12:01:35
What you are searching for is a ret instruction. Your third item needs to be TM01 (any quantity) if you want to make this blank script.

Depending on the instructions in your code, you always have to finish your items with TM01 or an item in quantity 201 to terminate the code.

If you could speak French, I could advise you ISSOtm's GBZ80-to-items compiler, which makes things easier, but I don't think he plans an English version for now  :P

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-09-16 13:47:42
Ahhh looking at the big list this makes sense now. This converter that someone posted doesn't seem to use the right items. I'll do my own work instead of being lazy this time! Thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-09-16 16:05:31
Wait, so if I have my item pack set as follows:

Bicycle
ws m
TM01  x01

It should just do nothing right? The menu should close and I can continue on my merry way? Because if so, I'm still getting the freeze. I'm sure I've got the Pokémon box set up correctly :/

[Edit]: Nevermind! My ineptitude strikes again, the Seel has to have 233 HP not 255

[Edit 2]: Aaaand I'm still getting the freeze >.<

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-09-16 16:40:17
Hello again,

Hmm, I don't use that setup because I'm playing a French version. I need to check where the problem is. It's late here now, so give me some time and I'll work on this tomorrow :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-09-17 03:00:30
Now that I think about it, The G-Meister, I'm actually using this setup:

http://forums.glitchcity.info/index.php/topic,6638.msg194861.html#msg194861

with the slight modification that in european non-english games, you have to replace Growlithe with Kadabra.

So I can guarantee you that if you have this in your active box, it will jump to the third item. Then if you have a working code here, things should be OK  :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-09-17 10:48:37
Ah thanks, I'll go try that one.

So in case I'm not alone, can anyone else try the Pokémon box setup for ws m on the GCL page? Seeing as I'm on console, I've got no emulator issues, and just to make sure I'm not being dumb (again), but I think it might not work :/