Glitch City Laboratories closed on 1 September 2020. This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 18

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-19 19:43:41
Exactly what I was looking for, so I can make my own codes, yes? And if I was going to, like, change my sprite or something?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-20 04:29:39
DXXX, is that hex and dec, or hex and hex dec?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-20 06:27:01
Absolutely!

Let's say you want to get a Moon Stone in the 19th position of your stored items, for some reason. Look in the RAM Map and you will see this: D55F - Stored Item 19

So $D55F is the address you want to deal with. You also need to know the hex ID for the Moon Stone, that you can get in the big list. In this case it will be 0A.

Therefore, the gameshark code to "get a Moon Stone in the 19th position of the stored items" will be 010A5FD5. Note that the address is reversed in the gameshark code, 5F comes before D5.

Converted into an 8F code, you will have to get the following items:
Any Item
8F / ws*l||lm||
Lemonade x10 (0A)
X Accuracy x95 (5F)
Carbos x213 (D5)
Poké Ball x119
Fresh Water x201

And here you go: a Moon Stone appears in the 19th position of the stored items!
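To show how the conversion above generalises, here is an added Python example (written for this archive, not Krys3000's code) that turns any Gen I GameShark write code of the form 01VVLLHH into the same five-item list and the bytes the CPU will execute. The item IDs and opcodes are the Red/Blue values; the refusal to encode a 00 byte is this example's own assumption that an x0 item cannot be held through normal play.

```python
# Added example: GameShark 01VVLLHH -> Krys3000's five-item 8F template.
# Each item ID is executed as an opcode, and the quantity is that opcode's operand.
ITEM_ID = {
    "Lemonade": 0x3E,     # ld a,d8
    "X Accuracy": 0x2E,   # ld l,d8
    "Carbos": 0x26,       # ld h,d8
    "Poké Ball": 0x04,    # inc b   (filler; its quantity 0x77 is the real instruction)
    "Fresh Water": 0x3C,  # inc a   (filler; its quantity 0xC9 is the real instruction)
}

def parse_gameshark(code):
    """Split 01VVLLHH into (value, address). The address bytes are stored low-first."""
    code = code.strip().upper()
    if len(code) != 8 or not code.startswith("01"):
        raise ValueError("only 01XXYYZZ write codes are supported")
    value, lo, hi = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    return value, (hi << 8) | lo

def gameshark_to_8f(code):
    """Items (name, quantity) that write `value` to `address` when 8F is used."""
    value, address = parse_gameshark(code)
    lo, hi = address & 0xFF, address >> 8
    if 0 in (value, lo, hi):
        # Assumption: a quantity of 0 is not obtainable normally, so 00 bytes need another template.
        raise ValueError("this template cannot supply a 00 byte")
    return [
        ("Lemonade", value),     # 3E VV   ld a,VV
        ("X Accuracy", lo),      # 2E LL   ld l,LL
        ("Carbos", hi),          # 26 HH   ld h,HH
        ("Poké Ball", 0x77),     # 04 77   inc b ; ld [hl],a
        ("Fresh Water", 0xC9),   # 3C C9   inc a ; ret
    ]

def item_bytes(items):
    """The byte stream the CPU sees when execution reaches this item list."""
    out = []
    for name, qty in items:
        out += [ITEM_ID[name], qty]
    return bytes(out)
```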

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-20 06:52:33
Amazing :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-20 11:52:19
What is Debug new game in ram map

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2015-11-20 13:00:45
Well, that might be a little complicated to explain. Let's try. You know the value of an address is a hex number. For example, 00 or FF.

Translated into binary, FF is 1111 1111. Eight numbers, right? That means any hexadecimal number can be written with 8 binary numbers.
00 = 0000 0000
01 = 0000 0001
0F = 0000 1111
F0 = 1111 0000
A9 = 1010 1001
To properly translate a hex number into binary, you can use Windows' calculator (programmer mode).

Now, this is important because each bin number is a "bit". The bit can be set ("1") or removed ("0"). For any hex number, you can translate it into a series of 8 bits, either set or removed.

Before talking about the "Debug New Game" address, let's take an easier example. Address $D2F7 is "owning or not owning Pokémon 1 to 8". The owned Pokémon are determined by the bit of the value for this address. If the value is FF, all bits are set (1111 1111) so you have all eight Pokémon. If the value is A9, as you can see above, this means Pokémon 1, 4, 6 and 8 are owned, but 2, 3, 5 and 7, all having their bit to 0, are not.

Now, address $D732 triggers things according to which bits are set or not set.
If the first bit is set (we call this bit "bit 0" and it is actually the last in order; for example in 0000 0001, "bit 0" would be the 1) then play time is counted. That's why this bit is always set.

If bit 1 is set (XXXX XX1X, as with hex:02) when a new game is launched, it activates the debug mode. In this mode, Oak's speech will be shorter. The player's name is set to NINTEN and the rival's name to SONY. You don't start the game in your house, and you can avoid wild encounters by holding B. This is of course never triggered in a normal game.
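As an added illustration (not Krys3000's code), Python helpers that do what the post walks through by hand: render a byte as eight bits, list which Pokémon a $D2F7-style byte marks as owned (extended to the following bytes, bit 0 of the next byte being Pokémon 9), and name the $D732 bits the post explains. The sample RAM values are constructed.

```python
# Added example: the bit-per-flag bytes described above.
def to_binary(value):
    """Render an 8-bit value the way the post does, e.g. 0xA9 -> '1010 1001'."""
    bits = format(value & 0xFF, "08b")
    return bits[:4] + " " + bits[4:]

def set_bits(value):
    """Bit numbers that are set, with bit 0 the least significant (rightmost)."""
    return [bit for bit in range(8) if (value >> bit) & 1]

def owned_pokemon(owned_bytes):
    """owned_bytes starts at $D2F7: bit 0 of byte 0 is Pokémon 1, bit 7 is
    Pokémon 8, bit 0 of byte 1 is Pokémon 9, and so on. Returns dex numbers."""
    return [8 * i + bit + 1 for i, b in enumerate(owned_bytes) for bit in set_bits(b)]

# Only the two $D732 bits the post explains are named here.
D732_FLAGS = {0: "play time counted", 1: "debug new game"}

def d732_flags(value):
    """Names of the set bits of $D732; other bits are reported by number."""
    return [D732_FLAGS.get(bit, "bit %d" % bit) for bit in set_bits(value)]

# Constructed sample: $D2F7 = A9 (owns 1, 4, 6, 8), $D2F8 = 01 (owns 9), $D732 = 03.
SAMPLE_RAM = {0xD2F7: 0xA9, 0xD2F8: 0x01, 0xD732: 0x03}
```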

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SnorLapraSuicuinEkans
Date: 2015-11-20 13:14:35
That's all you can do? Not so great... Binary is 1, 2, 4, 8, 16, 32, right?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-11-24 17:21:06
Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat, or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233, even when I happen to need to store/retrieve it from the PC. I've set it to 233, but whenever I deposit/withdraw, it becomes like 268 or something.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Háčky
Date: 2015-11-24 17:51:06

Gah, anyone know how EVs work in Gen I? Do they give a fixed increase to a stat, or is it done by a percentage? The first thing I'm trying to do on Red with ACE is max out my Pidgey's EVs (which I have done) but also make it so its HP is always a max of 233, even when I happen to need to store/retrieve it from the PC. I've set it to 233, but whenever I deposit/withdraw, it becomes like 268 or something.

Take the square root of the EVs, and then the calculation is the same as in later generations (4 EVs = 1 stat point at level 100). The maximum of 65535 EVs grants √65535 / 4 ≈ 64 stat points at level 100. If your (presumably level 100) Pidgey has 268 HP with maximum EVs, and you want it to have 233 HP, then you'd need to reduce its HP EVs to around 13456, since √13456 / 4 = 29 points at level 100. (You might have to adjust that for rounding errors.)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: The G-Meister
Date: 2015-11-25 01:25:13
Ahhh, thanks a bunch. As my purpose was rather that it didn't gain any EVs from battle, I'll set it to 169 and see if I get 233.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: XTFOX
Date: 2016-01-27 17:58:19
OK, that 8F bootstrap is too complicated. I made a new (simplified) one based on the original one. Could someone confirm my work?

Pokemon with values in hex after:

6 pokemon [06]
Onix [22]
Pidgey [24]
Pidgey [24]
Jolteon [68]
Tentacool [18]
Pick a pokemon based on Onix's stats

Onix 233 attack > Kadabra [26]
Onix 233 defense > Chansey [28] (Used Below)
Onix 233 speed > Mr. Mime [2A]
Onix 233 Special > Hitmonchan [2C]

Realistically any of the first 4 Pokemon with a 233 stat could work, assuming the corresponding hex offset exists as a pokemon. For example, using the 2nd Pidgey's speed doesn't work because the 6th pokemon would need a hex value of 56, which is a MissingNo.


; -- Initial value of hl: D163
WRA1:D163 06 22    ld  b,22   ; b = 22            (06 = party count, 22 = Onix)
WRA1:D165 24       inc h      ; hl = D263         (24 = Pidgey)
WRA1:D166 24       inc h      ; hl = D363         (24 = Pidgey)
WRA1:D167 68       ld  l,b    ; hl = D322         (68 = Jolteon)
WRA1:D168 18 28    jr  D192   ; D16A + 28 = D192  (18 = Tentacool, 28 = Chansey)

WRA1:D192 E9       jp  hl     ; jumps to D322     (E9 = 233, Onix's defense)

Just a note I only read the first post, if I am recreating somebody's work and claiming it as my own I apologize.

EDIT: Found the wiki! Looks like a similar one has already been made that also only requires one specific stat. Though the ability to choose any stat and just change the 6th pokemon is still cool, seeing as the wiki one requires Pidgey 233 HP because it uses Pidgey's ID a 2nd time to inc h.

Also, has anybody tried to figure out why 8F accesses D163? I looked at the pokemon red disassembly item page and couldn't figure it out.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2016-02-02 06:46:05

Also, has anybody tried to figure out why 8F accesses D163? I looked at the pokemon red disassembly item page and couldn't figure it out.


The index bounds are not checked when using an item; the game happily gets the 16-bit integer at ItemUsePtrTable + (2*0x5d) and calls it, which happens to be the wPartyCount from ld a,[wPartyCount].

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: lowena
Date: 2016-02-13 05:57:17
I had several problems while trying to do the dry item underflow glitch to get P7 (7F/8F) in my Spanish Pokemon Blue. Once I got to the step to switch the X Special with the Nugget, scrolling down past Exit in the item menu would freeze, but I realized that if I pressed B I could keep going down, and I had to do that several times to get down to the Nugget, and the same to switch the P7 back. The next problem was fixing the item menu. If I bought one item in Celadon, nothing happened. If I bought two, the P7 and everything else was erased. So I had to put the P7 in my PC, fix the menu, then take it back out. Hopefully that doesn't cause any problems. I haven't been able to bootstrap it yet to see if it actually works, but hopefully I don't run into many more problems. I'm probably going to do the compact one with Electabuzz, but unfortunately it's Red only, so I'll have to Ditto glitch getting one :') I'll report back with what I find out.

Also, as a note for anyone else trying to get P7 on the Spanish game or some of the other European versions where you can't do the Old Man glitch: in order to get 255x X Special I did the Ditto glitch to encounter a Missingno., which solved the problem. The easiest way to do that is to get up to Fuchsia City, use any long-range trainer you want, consult the usual hex ID table, and encounter a Ditto in the grass immediately east upon leaving Fuchsia City.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-02-13 16:42:10
The "long name items" generating "locks" while going down the items in the item menu is a common issue. Spamming B and Down is a good solution to go through indeed. I think what causes this is that some items might match RAM addresses controlling the player's position, and the value of these addresses matches an item with a glitched long name. This would be why, if you move to another spot, you might not encounter the problem anymore. Sometimes when I face this, I just move a few steps and the problem is solved.

About the menu fixing issue, the first item fixes and erases the menu, but sometimes you don't see it and need to get a second item. I think it depends on how you trigger the glitch, but anyway you definitely have to store your P7 item before fixing the menu.

In French games, we can perform the Old Man Trick but we can't encounter pixel MissingNo. In this case, using the Ditto Trick to have a ghost/fossil MissingNo. is also our favorite solution. Also remember that you can use the Cooltrainer Trick to encounter a Pokémon, and more simply use the Glitch City RAM Manipulation to give yourself an item x255 without encountering MissingNo. at all.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: lowena
Date: 2016-02-13 18:48:22
Well I got my P7 bootstrapped (using GCL's setup) and it works! So happy all that work didn't go to waste.

Thanks for the tip about long name items, I'll keep that in mind if I need to do the underflow glitch again. Maybe you could add a note to the underflow glitch guide about the long name and storing 8F to help others in the future? I haven't tried the Cooltrainer glitch yet, nor the Safari Zone glitch. I hadn't even heard of the RAM manipulation glitch but it sounds really cool, I'll have to check that out :)

EDIT: I made an 8F script to give you 255 of an item, useful in conjunction with the Change Second Item script to get any item you need for other scripts. I don't think this should cause any problems but I'm just a beginner, so please someone let me know if this is flawed.

GET 255 OF SECOND ITEM

This code, which is based on the Change the Second Item code and likewise only requires 3 basic items, will give you 255 of the item in slot 2. It simply decreases the item's quantity by 2, wrapping around backwards from 1 to 255 (0x01 - 0x02 = 0xFF in 8-bit math). It is necessary to have only 1 of the item in slot 2.

ITEM LIST (starting from the first slot):
* 8F
* Item you want 255 of x1
* Burn Heal x43
* Ice Heal x53
* Revive x201

inc c    ; 0C = Burn Heal
dec hl   ; 2B = 43
dec c    ; 0D = Ice Heal
dec [hl] ; 35 = 53
dec [hl] ; 35 = Revive
ret      ; C9 = 201


Also, as a bonus, if you use Revive x201 instead of Full Heal x201 for the Change the Second Item code in the first post of the thread, the item hex ID will go down instead of up. :)
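To check scripts like these without a real cartridge, here is an added Python example (written for this archive, not code from the thread) that interprets just the Game Boy opcodes appearing in XTFOX's bootstrap and lowena's "255 of second item" script, tracking hl and the bytes it touches. It assumes, as the thread does, that 8F enters at wPartyCount ($D163) with hl = $D163, and that the bootstrap's jp hl lands on item slot 3 at $D322 with hl equal to that address; the RAM contents it loads are constructed for the check.

```python
# Added example: a minimal interpreter for the opcodes used in this thread's scripts.
def run(mem, pc, hl, a=0, b=0, c=0, max_steps=64):
    """Execute from pc until ret, jp hl or an unsupported opcode.
    Returns (stop_reason, next_pc, hl, b). mem is a dict address -> byte."""
    for _ in range(max_steps):
        op, arg = mem.get(pc, 0), mem.get(pc + 1, 0)
        h, l = hl >> 8, hl & 0xFF
        if op == 0xC9: return ("ret", pc, hl, b)                   # ret
        if op == 0xE9: return ("jp hl", hl, hl, b)                 # jp hl: pc := hl
        if op == 0x18:                                             # jr r8, signed,
            pc += 2 + (arg - 256 if arg > 127 else arg); continue  # relative to next instr
        if op == 0x06: b = arg; pc += 2; continue                  # ld b,d8
        if op == 0x3E: a = arg; pc += 2; continue                  # ld a,d8
        if op == 0x2E: hl = (h << 8) | arg; pc += 2; continue      # ld l,d8
        if op == 0x26: hl = (arg << 8) | l; pc += 2; continue      # ld h,d8
        if op == 0x24: hl = (((h + 1) & 0xFF) << 8) | l            # inc h
        elif op == 0x2B: hl = (hl - 1) & 0xFFFF                    # dec hl
        elif op == 0x68: hl = (h << 8) | b                         # ld l,b
        elif op == 0x35: mem[hl] = (mem.get(hl, 0) - 1) & 0xFF     # dec [hl]
        elif op == 0x77: mem[hl] = a                               # ld [hl],a
        elif op == 0x04: b = (b + 1) & 0xFF                        # inc b
        elif op == 0x0C: c = (c + 1) & 0xFF                        # inc c
        elif op == 0x0D: c = (c - 1) & 0xFF                        # dec c
        elif op == 0x3C: a = (a + 1) & 0xFF                        # inc a
        else: return ("unsupported %02X" % op, pc, hl, b)
        pc += 1
    return ("step limit", pc, hl, b)

def load(mem, addr, data):
    """Copy a byte list into mem starting at addr."""
    for i, byte in enumerate(data):
        mem[addr + i] = byte
    return mem

def xtfox_bootstrap():
    """Party bytes 06 22 24 24 68 18 28 from $D163; $D192 = E9 (Onix's 233 defense)."""
    mem = load({}, 0xD163, [0x06, 0x22, 0x24, 0x24, 0x68, 0x18, 0x28])
    mem[0xD192] = 0xE9
    return run(mem, 0xD163, 0xD163)          # entry at wPartyCount, hl = D163

def lowena_255():
    """Bag: 5 items, 8F x1, some item x1, then Burn Heal x43, Ice Heal x53, Revive x201.
    Execution starts at item slot 3 ($D322) with hl = $D322 (constructed layout)."""
    mem = load({}, 0xD31D, [5, 0x5F, 1, 0x0A, 1])            # count, 8F x1, Moon Stone x1
    load(mem, 0xD322, [0x0C, 0x2B, 0x0D, 0x35, 0x35, 0xC9])  # the three items as bytes
    stop, _pc, _hl, _b = run(mem, 0xD322, 0xD322)
    return stop, mem[0xD321]                                  # slot-2 quantity afterwards
```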