Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 20

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-02-29 09:51:44

I actually do have Carbos before the Poké Ball; I made a mistake and didn't catch it. My bootstrap is:
Onix
Pidgey 24 PP 2nd move 0 PP Up, 21 PP 3rd move 1 PP Up
Tentacool
Meowth 36 PP 1st move 0 PP Up, 24 PP 2nd move 0 PP Up, 20 PP 3rd move 0 PP Up
Hitmonlee: Double Team, Double Kick, Strength in that order
Zapdos 233 Attack
I have successfully used other codes with this setup before without healing them after getting the right PP.


Seems to be correct also. I'll try today on my own game to change a Pokémon's type and I'll tell you if I succeed.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-02-29 12:34:40
Your code works perfectly, as you can see if you watch things happen with a Memory Viewer. Your Pokémon now IS a Dragon-Type Pokémon. But yes indeed, the type text in the profile of your Pokémon isn't changed. Why? I don't know, maybe the game displays the type that matches with the species byte, no matter what the type actually is.

But you now for sure have a Fire/Dragon Charizard!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-02-29 13:48:12
I'll test against some Electric types at the Power Plant and will make an edit if it worked. EDIT: It did succeed!!! Proof video (potato cam quality, sorry): https://www.youtube.com/watch?v=2XfrKW1EdgI

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-02-29 14:41:53
Nice!  ;D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Overheat
Date: 2016-02-29 17:28:05


Is this confirmed to work on the VC release? I cannot seem to get the codes to max DVs of the first pokemon in the active box to work, but the game does not crash when I use 8F, it just appears to have no effect.

Thank you.


I can confirm that all of these should theoretically work on the VC release the same way as on cart or another emulator. I have 8F on my 3DS Blue and have successfully used the "change 2nd item" code. The changes made to the VC version do not appear to have made ANY glitches inaccessible as far as we know. I'm going to be trying to get max DVs later today as well so I'll PM you about it if you'd like.

EDIT: I just successfully obtained a max DV/Stat Exp Snorlax on my VC Blue. Be sure to start at the X Accuracy number listed in the main code and decrease by 1 each time you use 8F until you reach 167 so you max out all the stats. If that and your bootstrap team are intact, I'm not sure what else could be an issue.


Sorry for the noobish questions. I am away from my game now, but the bootstrap with 233 HP Pidgey, Onix, Kanga, Parasect, and Tentacool (in whatever order listed upthread) would work on VC Red?

I did decrement X-Acc in between 8F uses, but I cannot get a single variable to change.

Thank you for your help!



EDIT:

I got it to work. It turns out my glitched character reading abilities suck and I had 10 too few Carbos.

Thank you.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2016-03-01 03:13:47
Yeah, that's why I usually save, then throw out the item enough times that I should have exactly 99 (throw out 79 x X accuracy for example, to get from 178 to 99) then if the numbers check out I'm right, and I can just reset and reload my save to be back to the right amount. Of course if you get it wrong, you have to do more messing around with duping, or use another setup to set the item amount to what you want, which is a pain either way, but it's good to have a way to make sure you have the right amounts.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: rortik
Date: 2016-03-01 16:45:33
I've encountered an error while trying to recreate Chickasaurus's Twinleaf Town in R/B glitch.

I've followed the pastebin (http://pastebin.com/UarVudWr) and successfully gotten the first program down, so walking into Pallet displays Twinleaf town. However, I can't get the second program (warps, sign) to work. I've tried it twice on the 3DS version of the game (where I executed the first program flawlessly) and once on an emulator. When I finish the program, then switch TM10 with TM34 and use 8F, going to Pallet crashes the game (this step is not listed in the Pastebin, but is done in the video). When I don't swap them/use 8F, going into Pallet does nothing.

Anyone know what I could be doing wrong?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: GeneraLight
Date: 2016-03-03 10:14:40
Is it possible to change my Trainer ID to 65535 using 8F? What is the code for that? Can you go above 66535 using 8F? Any side effects, like not being able to nickname your Pokemon? I'm looking for a method to get a TID of 65535, preferably before I get my starter.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-03 11:22:54
Hi GeneraLight,

Trainer ID is encoded by RAM addresses $D359 and $D35A in US/UK games. Every RAM address has a hexadecimal value ranging from 00 to FF. Since we have two addresses, the value for Trainer ID can be anything from 0000 to FFFF.

If you don't know how to convert hexadecimal to decimal, note that Windows' Calculator can do that for you. hex:FFFF is dec:65535, so yes, that's the maximal value for a Trainer ID, and since it's as simple as changing WRAM values, you can do that with 8F using Wack0's Change any byte code for example. If you prefer I tried to explain the procedure with colors here  ;D

If Trainer ID was read as BCD (basically meaning hex:99 would mean dec:99 and not dec:153) like it is the case for Money or Casino Chips, it would be possible to go above the maximum under certain conditions, but you can't do that in this case.
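As an added illustration (not code from the thread), the following script shows the distinction Krys3000 draws: two bytes read as a plain binary number (the Trainer ID at $D359/$D35A, per the post) versus bytes read as BCD, which the post says Money and Casino Chips use. All byte values are constructed samples, and the 3-byte length used for the money example is an assumption the post does not state.

```python
# Added example, not from the thread: plain binary vs BCD reading of WRAM bytes.
# Sample byte values are constructed; the 3-byte money length is an assumption.

def read_u16_be(hi, lo):
    """Plain binary, high byte first: every one of the 65536 bit patterns is a valid ID."""
    return (hi << 8) | lo


def read_bcd(data):
    """BCD: each nibble is one decimal digit, so hex 99 means 99, not 153.

    Returns (value, valid). Nibbles A-F have no decimal meaning; the value is
    what a naive digit-by-digit read produces, and `valid` is False whenever
    such a non-digit appears. That is why going past the displayed maximum is
    only possible by putting non-digit nibbles into a BCD field.
    """
    value, valid = 0, True
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            valid = valid and nibble <= 9
            value = value * 10 + nibble
    return value, valid


def limits():
    """Largest Trainer ID and largest well-formed 3-byte BCD money value."""
    return read_u16_be(0xFF, 0xFF), read_bcd(b"\x99\x99\x99")[0]


if __name__ == "__main__":
    print("FFFF as binary      :", read_u16_be(0xFF, 0xFF))   # 65535
    print("99 as BCD           :", read_bcd(b"\x99"))         # (99, True)
    print("99 as binary        :", read_u16_be(0x00, 0x99))   # 153
    print("FF as BCD           :", read_bcd(b"\xFF"))         # (165, False)
    print("limits (ID, money)  :", limits())                  # (65535, 999999)
```

The `valid` flag is the useful part in practice: a byte like FF in a BCD field is not "255" to the game, it is two digits the display code was never written to draw.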

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-03-03 14:10:15
While Wack0's Change any byte code is extremely useful, how do I learn to make codes like the ones TheZZAZZGlitch made in the OP, like the catch 'em all or walk through walls scripts, or of course the time he made Pong?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-04 04:31:32
What the 8F item basically does is read the hex values from the RAM addresses controlling your party as assembler code. The party we use then serves as bootstrap code which redirects the reading of hex values as code to the RAM section controlling the item menu (specifically from item 3 onwards).

So what you need to know is:
- What every single assembler opcode does
- Which assembler opcode is called by which item/quantity

Well, I'm definitely not an expert in assembler, but I know enough to do things  ;D

First, you need to see in this RAM Map that item 3's value is address $D322 and the following addresses control one item, then its quantity, then the following item, then its quantity, etc. So the first opcode called here will be according to the hex value of item 3, then second opcode will match the hexadecimal conversion on the quantity of item 3, then the third opcode will be related to the hex value of item 4, and so on.

You can find the hex value of each item in GCL's Big List. Therefore, the following inventory:
- Poké Ball x1
- 8F
- Master Ball x35
- Carbos x47
- Fresh Water x7

Will give the following hex sequence once 8F is used: 01 23 1D 2F 2E 07.

Now this page will tell you which opcode matches which hex value. So you can build your item menu according to the opcodes you'd like to call. Here are the basics:
- LD D,d8 means that the following hex value shall become the value of the variable D. This 'second value' does not give any opcode, then, you will skip to the third one.
- Inc D would mean that the value of D is increased by 1.
- Dec D would decrease it by 1.
- LD D,H would change the value of D for the value of H.
- LD D,(HL) consults the RAM address $HL, takes its current value and assigns it as the value of D.
- LD (HL),A changes the value of address $HL to the value of variable A.
- jp HL jumps the code-reading to address $HL (this is what the party bootstrap does)
- ret stops the reading activity.

Sometimes, to get easy items, you need to add placeholder codes that will not do anything.
Let's take Wack0's code as an example.

Item 3: Lemonade, quantity dec:xx
Item 4: X Accuracy, quantity dec:yy
Item 5: Carbos, quantity dec:zz
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

Gives the following code:
D322: 3E xx        ld a, xx => a becomes the hex conversion of Lemonade's quantity
D324: 2E yy        ld l, yy => l becomes the hex conversion of X Accuracy's quantity
D326: 26 zz        ld h, zz => h becomes the hex conversion of Carbos' quantity
D328: 04           inc b => b is increased (typical placeholder since we're not using b here)
D329: 77           ld (hl), a => The value of address $HL (currently $ZZYY, since h is the high byte) is now a => $ZZYY gets the value XX, which is exactly what you wanted!
D32A: 3C           inc a => a is increased (typical placeholder since the code is finished)
D32B: C9           ret => end

Note that ISSOtm developed a cool thing in which you choose your opcodes and it gives you the items. But it's in French.

About the way TheZZAZZGlitch did his Pong, it's a specific code that allows you to create a 254-byte program. Once active, you can write an opcode by using 8F in specific spots, as this image done by Torchickens illustrates.

In Torchickens' videos where he uses this to do things like recreating Twinleaf Town, I think there's a pastebin with the code and the instructions to use it.

Have fun!
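To make the item-to-opcode mapping above concrete, here is an added example (not code from the thread, from Wack0, or from Krys3000): it turns an item list into the byte stream 8F reads from $D322 (item 3's ID byte, as the post says) and steps through those bytes with a tiny emulator of exactly the opcode subset the post lists, so a code can be checked on paper before it is tried on a real save. The item IDs it uses are the ones the post's listing implies (Lemonade = 3E, X Accuracy = 2E, Carbos = 26, Poké Ball = 04, Fresh Water = 3C); the target address and value in the demo run are constructed samples.

```python
# Added example, not code from the thread or from Wack0/Krys3000.
# Encodes an item list as the bytes 8F executes from $D322 and runs them
# through a minimal emulator of the opcodes the post explains.
# Item IDs are taken from the post's listing; demo address/value are constructed.

ITEM3_ADDR = 0xD322  # item 3's ID byte in the US/UK item list (per the post)

ITEM_IDS = {
    "Lemonade": 0x3E,     # ld a, d8
    "X Accuracy": 0x2E,   # ld l, d8
    "Carbos": 0x26,       # ld h, d8
    "Poké Ball": 0x04,    # inc b
    "Fresh Water": 0x3C,  # inc a
}

# Single-register forms of the opcodes the post describes.
LD_IMM = {0x3E: "a", 0x2E: "l", 0x26: "h", 0x16: "d"}  # ld r, d8 (next byte is data)
INC = {0x04: "b", 0x3C: "a", 0x14: "d"}                # inc r
DEC = {0x15: "d"}                                      # dec r


def encode_inventory(items):
    """Item ID, quantity, item ID, quantity, ... exactly as the bag stores it."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 0xFF:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)


def run(code, start=ITEM3_ADDR, mem=None, max_steps=64):
    """Load `code` at `start`, execute until ret, return (regs, mem, trace)."""
    mem = dict(mem or {})
    for i, b in enumerate(code):
        mem[start + i] = b
    regs = {"a": 0, "b": 0, "d": 0, "h": 0, "l": 0}
    trace = []
    pc = start
    for _ in range(max_steps):
        op = mem.get(pc, 0x00)
        hl = (regs["h"] << 8) | regs["l"]         # H is the high byte of the pair
        if op in LD_IMM:
            reg = LD_IMM[op]
            regs[reg] = mem.get(pc + 1, 0x00)     # the data byte is skipped as an opcode
            trace.append(f"{pc:04X}: {op:02X} {regs[reg]:02X}  ld {reg}, {regs[reg]:02X}")
            pc += 2
        elif op in INC:
            reg = INC[op]
            regs[reg] = (regs[reg] + 1) & 0xFF
            trace.append(f"{pc:04X}: {op:02X}     inc {reg}")
            pc += 1
        elif op in DEC:
            reg = DEC[op]
            regs[reg] = (regs[reg] - 1) & 0xFF
            trace.append(f"{pc:04X}: {op:02X}     dec {reg}")
            pc += 1
        elif op == 0x54:                           # ld d, h
            regs["d"] = regs["h"]
            trace.append(f"{pc:04X}: 54     ld d, h")
            pc += 1
        elif op == 0x56:                           # ld d, (hl)
            regs["d"] = mem.get(hl, 0x00)
            trace.append(f"{pc:04X}: 56     ld d, (hl)")
            pc += 1
        elif op == 0x77:                           # ld (hl), a
            mem[hl] = regs["a"]
            trace.append(f"{pc:04X}: 77     ld (hl), a   ; [{hl:04X}] <- {regs['a']:02X}")
            pc += 1
        elif op == 0xE9:                           # jp hl
            trace.append(f"{pc:04X}: E9     jp hl        ; -> {hl:04X}")
            pc = hl
        elif op == 0xC9:                           # ret
            trace.append(f"{pc:04X}: C9     ret")
            return regs, mem, trace
        else:
            raise ValueError(f"opcode {op:02X} at {pc:04X} is outside this demo's subset")
    raise RuntimeError("no ret reached within the step limit")


def change_byte_items(target, value):
    """The post's item list, parameterised: write `value` to WRAM address `target`."""
    return [
        ("Lemonade", value),            # ld a, value
        ("X Accuracy", target & 0xFF),  # ld l, low byte of target
        ("Carbos", target >> 8),        # ld h, high byte of target
        ("Poké Ball", 119),             # 0x77 = ld (hl), a  (quantities above 99 need glitches)
        ("Fresh Water", 201),           # 0xC9 = ret
    ]


def simulate_change_byte(target, value):
    """Return (bytes 8F reads, byte now stored at target, trace lines)."""
    code = encode_inventory(change_byte_items(target, value))
    _, mem, trace = run(code)
    return code, mem.get(target), trace


if __name__ == "__main__":
    code, written, trace = simulate_change_byte(0xD359, 0x12)  # constructed sample
    print(" ".join(f"{b:02X}" for b in code))
    print("\n".join(trace))
    print(f"[D359] = {written:02X}")
```

Running it prints the byte stream 3E 12 2E 59 26 D3 04 77 3C C9 and a trace ending with the write to $D359, which makes two points visible at once: the quantity byte after a ld r,d8 is consumed as data rather than decoded as an opcode, and the address written is high byte (Carbos) first, low byte (X Accuracy) second.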

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-03-04 11:20:51
This is great, but how exactly do I figure out what the opcodes do? For a code I want to make, I would want to change the text of NPCs and what they do, e.g. give me a Pokémon or enter a battle like when you talk to the Elite Four. This seems like really good information, I just don't understand it. I am running on 3DS VC/cartridge so I don't have access to a memory editor (might change that soon).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-04 12:16:49
I gave you the function of the classical basic opcodes that I know and use to do very simple things. What you are asking for is way beyond my knowledge and capacities regarding GBZ80 assembler. You could use such opcodes to jump to addresses (like the ones involved in NPCs' texts and scripts) to modify them, but I don't know what those addresses are. There's a disassembly that might help you; otherwise you should contact people like TheZZAZZGlitch, Torchickens, Hacky etc. because they are the top bosses of that kind of thing :p

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2016-03-05 05:59:45

This is great but how exactly do I figure out what the opcodes do? For a code I want to make I would want to change the text of NPCs and what they do EX give me a pokemon or enter a battle like when you talk to the elite four? This seems like really good information I just don't understand it. I am running on 3DS VC/Cartridge so I don't have access to a memory editor (might change that soon).


If you want to figure out what some opcodes do, this page should help: http://z80-heaven.wikidot.com/opcode-reference-chart (please note that the full Z80 has some additional/changed opcodes to what the GB's CPU has, but it should be enough to help anyway)

And if you want to see what some NPCs do, you should be able to check out the pokered disassembly.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-03-06 12:50:07


This is great but how exactly do I figure out what the opcodes do? For a code I want to make I would want to change the text of NPCs and what they do EX give me a pokemon or enter a battle like when you talk to the elite four? This seems like really good information I just don't understand it. I am running on 3DS VC/Cartridge so I don't have access to a memory editor (might change that soon).


If you want to figure out what some opcodes do, this page should help: http://z80-heaven.wikidot.com/opcode-reference-chart (please note that the full Z80 has some additional/changed opcodes to what the GB's CPU has, but it should be enough to help anyway)

And if you want to see what some NPCs do, you should be able to check out the pokered disassembly.


I think this is better: http://www.pastraiser.com/cpu/gameboy/gameboy_opcodes.html