Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.




Arbitrary code execution in Red/Blue using the "8F" item - Page 16

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-10-13 09:26:43
The event flag is used so you don't battle Sabrina again after you beat her.

The barrier in Pokemon League goes against "number of badges", which is at D356.

To set this so you have all the badges, you can use an item list like:

Item 3: Lemonade x255
Item 4: X Accuracy x86
Item 5: Carbos x211
Item 6: Poké Ball x119
Item 7: Fresh Water x201

which is based on this template I made 2.5 years(!) ago.

This sets $D356 to $FF which gives you all the badges.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SatoMew
Date: 2015-10-15 12:05:05

The event flag for beating Sabrina is bit 1 of 0xD7B3, but this won't give you her badge. Do you want to make the game think you beat Sabrina, or do you want her badge?


Huh, so what exactly happens in Red and Green that causes the "win even if lost" bug?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-15 19:57:47
Do you have to set up the bootstrap + item setup, or just one of them? Also, is it supposed to crash if no setup is done?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-16 03:30:06
Hello,

The glitch item 8F / Wslm reads code from your Team / box.
The standard setup we use redirects the reading to the items.
You could do your codes with Pokémon data only, but it's hard, so we prefer this way.

If you don't have the Team / box setup, it won't work. Depending on the Pokémon, it will most likely freeze.

So unless you feel in the mood to code with Pokémon, you need both.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-16 12:13:45
Thank you, I wasn't sure if I wanted to spend the time to get the setup, because on the emulator I use (meboy 2.2), when I used 8F an error would pop up instantly stating I was out of bounds. But now you have said that it crashes the game depending on the Pokémon you have, that could be why it crashes, so I will set it up and hopefully it will fix the problem :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-16 12:43:00
No problem ;)
If you're in trouble getting your code to work, don't hesitate to come here and we'll try to help  :P

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-16 12:52:03
Will do, thanks again 8)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-17 09:46:41
Done, works well. At least I know 8F is capable on my emulator. Is there anywhere I can go to find more interesting codes? :D How to use Jack properly, what does 4848 do, and 8__8? Also, thanks.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-17 11:28:32
Also, can you do GameShark codes having the hex items?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-17 13:43:04
I'm not sure I understand your question.

To execute a GameShark code using only 8F, given that a GameShark code is structured this way: AABBCCDD
you can do this:
Any item
8F / ws*l||lm||
Lemonade xBB (in decimal)
TM34 xCC (in decimal)
hex:DD item x201

To get the DD item, if it is a glitch item, you can use this code:
8F / ws*l||lm||
Item you want to morph
Burn Heal x43
Ice Heal x43
Full Heal x201

The second item gains 1 hex each time you use the code.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-17 15:59:13
Yes, BB, CC and DD being bytes 1-3, right? I am confused, as I have seen this code for Walk through walls, 010138CD, but is it wrongly corresponded to their items (Max Revive, X Accuracy, Carbos)? Because I checked their hex in the big list and it doesn't match. I am probably checking the wrong place, so could you tell me what I'm doing wrong? I'm very confused at the moment haha. I have done the catch 'em all code and the any item code and I am just trying to understand how to work it. Thanks for helping :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-17 16:54:36
In the Gameshark code you mention,
AA = 01
BB = 01
CC = 38
DD = CD

So the corresponding code is:
Any item
8F / ws*l||lm||
Lemonade x1
TM34 x56
TM05 x201

Because 38, in decimal, is 56, and TM05 is the item with a hex value of CD.
Then use 8F / ws*l||lm|| and you will walk through walls. Proceed this way with any GameShark code you would like to use.

Please note RAM address $CD38 is in a memory section which doesn't change between versions AND localizations. You will not have to change this code if you use it in Yellow version, nor if you use a foreign game.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-17 17:53:53
OK, right. What about 1 Lemonade and TM34? Where do they come in?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2015-11-17 18:52:56
> In the Gameshark code you mention,
> AA = 01
> BB = 01
> CC = 38
> DD = CD
>
> So the corresponding code is:
> Any item
> 8F / ws*l||lm||
> Lemonade x1
> TM34 x56
> TM05 x201
>
> Because 38, in decimal, is 56, and TM05 is the item with a hex value of CD.
> Then use 8F / ws*l||lm|| and you will walk through walls. Proceed this way with any GameShark code you would like to use.
>
> Please note RAM address $CD38 is in a memory section which doesn't change between versions AND localizations. You will not have to change this code if you use it in Yellow version, nor if you use a foreign game.


Why use that when this is easier? (All that's needed is 5 items you can get from the Celadon department store.)

Optimise your code to use only non-glitch/non-key items if possible guys, I always tried to do this…

http://forums.glitchcity.info/index.php/topic,6638.msg189609.html#msg189609

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-18 03:51:33
Thanks, Wack0, I wasn't aware of this new version. I probably missed it while reading the thread. That's really a great code! I will add it to PRAMA too  ;)

> OK, right. What about 1 Lemonade and TM34? Where do they come in?


To answer this question: I told you earlier that using 8F gets the game to read code from the party, and having the specific setup redirects the reading to the THIRD item.
Now the third item is Lemonade x1. The third item's memory address in English R/B is $D322. Lemonade's hex ID in the Big List is 3E, so that's the value for this address.
The following address would be the quantity of Lemonade, then the hex ID of the fourth item, its quantity, the fifth item, etc.

Here, we have the following read code:
3E (Lemonade) 01 (x1) EA (TM34) 38 (x56) CD (TM05) C9 (x201)

To understand what it means you need to know how these hex numbers are interpreted as game instructions.

Here's something you could use: http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html
In this table, every hex number matches an instruction. The instructions for the above numbers are:
3E : ld A, d8
This puts the following number into an in-game "A" value. So from now on, A = 01.
Since 01 was integrated into this instruction, we continue with the third one.
EA : LD (a16),A
This specific instruction takes the memory address composed of the next TWO hex numbers and assigns A to it as its value. Note the numbers are read in reverse order here; the memory address will be $CD38. So this instruction gets $CD38 to take the value 1. This is what the GameShark code does, since having 1 as the value of this address will get you to walk through walls.
38 and CD having been used here, we conclude this with the last number.
C9 : ret
This is an "end" instruction, that stops the reading of the code. It is very important to place it, otherwise the game will continue to read the following addresses as code… and God knows what can happen then.

Click on Wack0's link and read the ASM (instructions) of his code. You should be able to understand it if I tell you "inc" is an increase instruction.
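The two recipes in this thread (Krys3000's Lemonade / TM34 / hex:DD translation of a 01VVLLHH GameShark code, and Stackout's five-item Celadon template that sets $D356) are both just item ID and quantity bytes that the bootstrap executes as Z80-style Game Boy instructions starting at $D322. The script below is an added example written for this archive, not code posted in the thread: it builds the item list for either recipe, flattens it to the bytes the game will see, and then disassembles and emulates those bytes against a scratch memory so you can check which address gets written before trying it on a save. The item IDs for Lemonade (3E), TM34 (EA) and TM05 (CD) come from the posts above; the other IDs and the opcode table are taken from the pokered disassembly and the opcode table Krys3000 links to, and are listed in the code as assumptions. The emulator knows only the dozen opcodes the thread's codes use and refuses anything else, and it assumes what the posts describe: execution starts at the third bag slot with HL also pointing at $D322 (which is what makes the "dec hl; dec hl; inc (hl)" morph code land on item 2).

```python
"""8F item-list helper: GameShark code -> items -> bytes -> emulated write.

Added example for this archived thread, not code from the thread itself.
Item IDs and opcode meanings below are assumptions taken from the pokered
disassembly and the public Game Boy opcode table; only Lemonade, TM34 and
TM05 are quoted in the posts.
"""

# Bag item ID -> name (assumed from pokered; TM01 is $C9, so TMnn = $C8 + nn).
ITEM_IDS = {
    "Poké Ball": 0x04, "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Full Heal": 0x34, "Fresh Water": 0x3C,
    "Lemonade": 0x3E, "TM05": 0xCD, "TM34": 0xEA,
}
ID_TO_NAME = {v: k for k, v in ITEM_IDS.items()}
THIRD_SLOT = 0xD322   # address of item 3's ID in English Red/Blue (from the post)


def item_name(item_id):
    """Known items by name; anything else as 'hex:XX item' like the thread does."""
    return ID_TO_NAME.get(item_id, f"hex:{item_id:02X} item")


def item_id(name):
    return int(name[4:6], 16) if name.startswith("hex:") else ITEM_IDS[name]


def check_qty(qty):
    # A bag slot holds 1..255 of an item; a quantity byte of 0 can't be set up
    # normally, so refuse it instead of emitting an impossible item list.
    if not 1 <= qty <= 255:
        raise ValueError(f"quantity {qty} cannot be held as an item stack")
    return qty


def gameshark_to_items(code):
    """01VVLLHH (write VV to $HHLL) -> items 3..5: ld a,VV ; ld ($HHLL),a ; ret."""
    code = code.replace(" ", "").upper()
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("only 01VVLLHH RAM-write codes are supported")
    value, low, high = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return [("Lemonade", check_qty(value)),     # 3E VV   ld a, VV
            ("TM34", check_qty(low)),           # EA LL   ld (a16), a ...
            (item_name(high), 201)]             # HH C9   ... a16 = $HHLL ; ret


def store_items(addr, value):
    """Stackout's Celadon-only template: ld a,v ; ld l,lo ; ld h,hi ; inc b ;
    ld (hl),a ; inc a ; ret.  store_items(0xD356, 0xFF) is the all-badges list."""
    return [("Lemonade", check_qty(value)),
            ("X Accuracy", check_qty(addr & 0xFF)),
            ("Carbos", check_qty(addr >> 8)),
            ("Poké Ball", 119),     # 04 77   inc b (filler) ; ld (hl), a
            ("Fresh Water", 201)]   # 3C C9   inc a (filler) ; ret


def items_to_bytes(items):
    """Flatten (name, qty) pairs into the ID/quantity bytes starting at $D322."""
    return bytes(b for name, qty in items for b in (item_id(name), qty))


# opcode -> (mnemonic, number of operand bytes); only what the thread's codes use.
OPCODES = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0D: ("dec c", 0),
    0x26: ("ld h,d8", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l,d8", 1),
    0x34: ("inc (hl)", 0), 0x3C: ("inc a", 0), 0x3E: ("ld a,d8", 1),
    0x77: ("ld (hl),a", 0), 0xC9: ("ret", 0), 0xEA: ("ld (a16),a", 2),
}


def run(code, memory=None, hl=THIRD_SLOT):
    """Disassemble and execute `code` as if it sat at $D322 (HL = $D322 on entry,
    as the bootstrap setup in the thread leaves it).  Returns (listing, memory)."""
    mem = dict(memory or {})
    for i, byte in enumerate(code):           # the item bytes are RAM too
        mem[THIRD_SLOT + i] = byte
    a = b = c = 0
    pc, listing = THIRD_SLOT, []
    while True:
        off = pc - THIRD_SLOT
        if off >= len(code):
            raise RuntimeError("ran off the end of the items without a ret")
        op = code[off]
        if op not in OPCODES:
            raise RuntimeError(f"opcode {op:02X} at {pc:04X} not in this table")
        mnem, n = OPCODES[op]
        args = code[off + 1:off + 1 + n]
        if len(args) < n:
            raise RuntimeError(f"{mnem} at {pc:04X} is missing its operand")
        listing.append(f"{pc:04X}: {op:02X} {' '.join(f'{x:02X}' for x in args):<5} {mnem}")
        pc += 1 + n
        if op == 0x3E:   a = args[0]
        elif op == 0x2E: hl = (hl & 0xFF00) | args[0]
        elif op == 0x26: hl = (args[0] << 8) | (hl & 0xFF)
        elif op == 0xEA: mem[args[0] | (args[1] << 8)] = a   # little-endian a16
        elif op == 0x77: mem[hl] = a
        elif op == 0x34: mem[hl] = (mem.get(hl, 0) + 1) & 0xFF
        elif op == 0x2B: hl = (hl - 1) & 0xFFFF
        elif op == 0x3C: a = (a + 1) & 0xFF
        elif op == 0x04: b = (b + 1) & 0xFF
        elif op == 0x0C: c = (c + 1) & 0xFF
        elif op == 0x0D: c = (c - 1) & 0xFF
        elif op == 0xC9: return listing, mem


if __name__ == "__main__":
    for items in (gameshark_to_items("010138CD"), store_items(0xD356, 0xFF)):
        listing, mem = run(items_to_bytes(items))
        print(items, *listing, sep="\n")
        print({f"${k:04X}": f"{v:02X}" for k, v in mem.items() if k < THIRD_SLOT})
```

Running it on the walk-through-walls code prints the same listing Krys3000 walks through (`3E 01 ld a,d8`, `EA 38 CD ld (a16),a`, `C9 ret`) and a single write of 01 to $CD38; the badge template writes FF to $D356 and nothing else. The `ret` at the end is only modelled as "stop": where control actually goes back to depends on the bootstrap, which is why the posts insist on always ending the list with a x201 item.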