Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 22

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-03-15 17:53:08
Btw, here is some code (it should work on all R/B, and I think it also worked with Yellow, although I didn't test it) that allows toggling NoClip. Note that activating NoClip by conventional means and then using this code won't deactivate NoClip. (Oh well, just enter a building / save & reset and it's okay.)

X Accuracy x56
Carbon x205
Poké Ball x126 ; Super Balls also work.
Leaf Stone x119
TM01 x(any qty)

Corresponding code:
ld l, #$38   ; hl = $CD38 (bytes 2E 38)
ld h, #$CD   ; (bytes 26 CD)
inc b        ; or dec b. Whatevs. (byte 04; it only exists so the quantity byte lands on the opcode)
ld a, [hl]   ; read $CD38 (byte 7E)
cpl          ; a = a xor $FF (byte 2F)
ld [hl], a   ; write it back (byte 77)
ret          ; (byte C9)

Usually, $CD38 is zero, so this code puts #$FF into it, thus activating NoClip.
But triggering NoClip using the Safari Zone puts #$01, so when cpl'ed (xor #$FF) it gives #$FE, which is still nonzero.
Using the Pewter City Youngster to disable collision puts a non-FF value in $CD38, so it's the same deal.

I already posted that in another topic (here), but I figured it would be nice to put it there too, maybe to add it to the first post's code list?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-03-22 14:55:09
Ok so I bought Yellow to screw around with some of its glitches and glitch Pokémon. I got ws m and it's not working for me at all. I'm using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here: http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code, the map reloads and I get stuck in a box where I can't move forever.
Pokémon in box 1 (also the current box):
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

Items:
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-23 06:58:46
I never used that setup, I can't understand how it works, and I keep hearing of people having trouble with it. Maybe some expert could do some troubleshooting on this. Anyway, I would recommend this easier 10-Pokémon setup instead:

Tangela with 233 HP (actual)
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokémon

Your item code is alright so it should work.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-03-23 13:24:52
By actual HP, do you mean max or current?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-23 15:56:18
Current. Max HP does not matter.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-03-23 15:57:57
Thanks. It's working great now!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-26 11:03:46

Ok so I bought Yellow to screw around with some of its glitches and glitch Pokémon. I got ws m and it's not working for me at all. I'm using the following bootstrap to try and do a basic item duplication code. I got my bootstrap from here: http://glitchcity.info/wiki/index.php/Arbitrary_code_execution#Using_.22ws_m.22_.28Yellow.29 When I try to use the code, the map reloads and I get stuck in a box where I can't move forever.
Pokémon in box 1 (also the current box):
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoqueen
Missingno Aerodactyl (any pokemon 1)
Snorlax (any pokemon 2)
Gyarados (any pokemon 3)

Items:
ws m
rare candy x1
burn heal x43
ice heal x53
revive x201



Hello all,

I was just looking into that ws m bootstrap. Seems to me like the problem is Nidoqueen.

According to pigdevil2010's ASM here: http://forums.glitchcity.info/index.php/topic,6638.msg198107#msg198107

the command regarding Tentacool and Nidoqueen is:
$DA86 <- 18 10 || jr DA97 ; pc = DA97

I am pretty sure this actually jumps to $DA98, which in Yellow would be Seel's level instead of current HP. Changing Nidoqueen to Nidoran (female) should fix this, though I have not tested this. (I'm also very new at all this, so if I'm horribly wrong… sorry :P)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-27 05:14:22
The 8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink all this.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-27 07:42:25

The 8th Pokémon is $DA87 in Yellow, so jr 10 makes it jump to $DA97, Seel's hex ID. Probably not what we wanted indeed. I will rethink all this.


How does that work? I was under the impression that the Yellow addresses were the Red/Blue ones -1. Doesn't that make Seel's index number $DA95?
Also, looking at relative jumps in other bootstraps, they all seem to jump 1 address further than the value given. So my idea was that a relative jump takes the value in the following address, jumps that far, and picks up from 1 address further.

Like this:
$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA97 <- end of jump
$DA98 <- continues reading

Am I missing something? :(

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-27 08:03:08
I am not much of an assembler expert; you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,

How does that work? I was under the impression that the yellow adresses were the red/blue ones


Yes, they are decreased by 1 in some RAM sections, such as this one. For most addresses you might change using 8F:
- if US Red/Blue = 0
- then US Yellow = -1
- European R/B = +5
- And European Y = +4
So here, Stored Pokémon 8 ($DA88) is $DA87 in Yellow.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-03-27 08:54:01
Skeef, you are right, as most of (but not all; an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware: this only means absolute jumps (jp, call) have to be changed; relative jumps (jr) should not change.

Take it like this:
jr $#XX means that the execution skips #XX bytes, counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9

jr $02
.db $C0, $DE
ret

The "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89"
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

Put another way: remember that jr $00 does nothing, i.e. it jumps right after itself.
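
As an added example (not from the thread or from any of its posters), here is a small Python interpreter for just the opcodes this thread uses; it runs the NoClip code from ISSOtm's earlier post against a constructed RAM image and traces the jr example above, so both the $CD38 toggle and the jr offset rule can be checked step by step. Only $CD38 and $DA86 come from the thread; the code address $D000 and all RAM contents are assumptions.

```python
# Added example: tiny interpreter for the few Game Boy opcodes this thread uses,
# run over a constructed 64 KiB RAM image. Only $CD38 and $DA86 come from the thread.

NOCLIP_CODE = bytes([0x2E, 0x38,   # ld l, $38   (X Accuracy x56)
                     0x26, 0xCD,   # ld h, $CD   (Carbos x205)
                     0x04,         # inc b       (Poke Ball; qty 126 is the next byte)
                     0x7E,         # ld a, [hl]  (126)
                     0x2F,         # cpl         (Leaf Stone; qty 119 is the next byte)
                     0x77,         # ld [hl], a  (119)
                     0xC9])        # ret         (TM01)
JR_EXAMPLE = bytes([0x18, 0x02, 0xC0, 0xDE, 0xC9])   # ISSOtm's "jr $02" example

def jr_target(opcode_addr, operand):
    """jr's signed 8-bit offset counts from the byte after the operand."""
    offset = operand - 0x100 if operand > 0x7F else operand
    return (opcode_addr + 2 + offset) & 0xFFFF

def run(ram, pc, max_steps=100):
    """Execute from pc until ret; return the list of executed pcs."""
    a = b = h = l = 0
    trace = []
    for _ in range(max_steps):
        trace.append(pc)
        op = ram[pc]
        if op == 0x00:   pc += 1                                  # nop
        elif op == 0x2E: l, pc = ram[pc + 1], pc + 2              # ld l, n
        elif op == 0x26: h, pc = ram[pc + 1], pc + 2              # ld h, n
        elif op == 0x04: b, pc = (b + 1) & 0xFF, pc + 1           # inc b
        elif op == 0x7E: a, pc = ram[(h << 8) | l], pc + 1        # ld a, [hl]
        elif op == 0x2F: a, pc = a ^ 0xFF, pc + 1                 # cpl
        elif op == 0x77: ram[(h << 8) | l] = a; pc += 1           # ld [hl], a
        elif op == 0x18: pc = jr_target(pc, ram[pc + 1])          # jr n
        elif op == 0xC9: return trace                             # ret
        else: raise ValueError(f"unsupported opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("no ret reached")

def noclip_after(initial_cd38, code_addr=0xD000):
    """Value left in $CD38 after one run of the NoClip code (code_addr is an assumption)."""
    ram = bytearray(0x10000)
    ram[0xCD38] = initial_cd38
    ram[code_addr:code_addr + len(NOCLIP_CODE)] = NOCLIP_CODE
    run(ram, code_addr)
    return ram[0xCD38]

def jr_example_trace(start=0xDA86):
    """Executed addresses for 18 02 C0 DE C9 placed at start (constructed RAM)."""
    ram = bytearray(0x10000)
    ram[start:start + len(JR_EXAMPLE)] = JR_EXAMPLE
    return run(ram, start)
```

noclip_after(0x01) returning 0xFE rather than 0x00 is exactly the "still nonzero" case ISSOtm describes for the Safari Zone value.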

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-27 12:19:43

Skeef, you are right, as most of (but not all; an example is $CD38) Yellow's RAM data is shifted from R/B by 1 byte. But beware: this only means absolute jumps (jp, call) have to be changed; relative jumps (jr) should not change.

Take it like this:
jr $#XX means that the execution skips #XX bytes, counting after jr's last byte.
Example for clarity:
hex:: 18 02 C0 DE C9

jr $02
.db $C0, $DE
ret

The "18 02 / jr $02" skips two bytes after itself, leading directly to the ret.
Say 18 is located at $DA86.
We have
$DA86:: 18
$DA87:: 02
$DA88:: C0
$DA89:: DE
$DA8A:: C9
Your reasoning would be "jr 02, so I take $DA87 and add $02, that is $DA89"
But you saw that the code jumps to the C9 at $DA8A, right?
The flaw was that the byte the jump starts from is not the operand byte, but rather the byte after it.

Put another way: remember that jr $00 does nothing, i.e. it jumps right after itself.



I considered that it could work like that, but since the result is the same it didn't really matter.


I am not much of an assembler expert; you might be right about relative jumps, I have no idea. Maybe ISSOtm knows, I'll ask. However,


I'm not an expert either :P Before the release of the VC games last month I didn't know any of this…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-27 12:26:42
So here, Isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10), so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99, since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-27 12:55:43

So here, Isso, $DA86 is Tentacool (jr) and $DA87 is Nidoqueen (10), so the jump goes to $DA97 and reads $DA98? Aren't we supposed to read $DA99, since 233 HP is 00 ($DA98) E9 ($DA99) in Yellow?


It's like this:

$DA86 <- Tentacool - index 18 = jr
$DA87 <- Nidoqueen - index 10 = jump 10 addresses
$DA88 <- start of the jump
$DA98 <- continues reading
A bit different from what I originally posted, but the result is the same.

Also, you seem to be doing +1 on your Yellow addresses instead of -1.
$DA97-$DA98 = current HP in Red/Blue. That means $DA96-$DA97 = current HP in Yellow (right?)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-03-27 12:57:47
If the Nidoqueen is located at $DA87, the jump should land at $DA98.
If $DA98 is $00, that doesn't matter; it's just a NOP (No OPeration) instruction. It wastes 4 processor cycles. Boo.
So the problem doesn't seem to be there, but it means that using the Pokémon with the following ID should also work.
Otherwise we are making a mistake somewhere?