Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 23

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-27 13:04:04
Oh yeah, sure. So Skeef is right, the reading continues at $DA98 instead of $DA97. Therefore, Nidoran (female) should do the job.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: technocolor
Date: 2016-03-28 01:47:04
so I see 'homebrew' mentioned in the op ( ͡° ͡°)
I know the GB and 3DS are like completely different but you think it'd be possible? It'd probably have to involve 'breaking out' of the VC emulator in order to access SD card data. There's plenty of ways to crash the emulator already but I haven't seen anyone talk about it or really bring this up.
Another thing I thought of along the same lines. Code execution via secret base in ORAS. Like having a QR code set up for a hacked secret base that will run code upon entering it. I'm no programmer though, so maybe I sound ludicrous. But it's been on my mind for a little bit recently and thought I'd ask.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-28 07:07:57
Several glitchers from here are thinking about emulator escaping. That would be great yes, unfortunately I can't help  :(

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Alzerek
Date: 2016-03-29 00:23:28
I'm relatively new to this whole arbitrary code execution thing but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitches' Pong in Pokemon Blue and Torchicken's rewriting of Pallet town to look like Twinleaf town. How reasonable would it be to apply those methods of writing arbitrary code in Pokemon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-29 12:12:07

I'm relatively new to this whole arbitrary code execution thing but I am looking into figuring out how to work with it on a larger scale. By larger scale, I mean the whole TheZZAZZGlitches' Pong in Pokemon Blue and Torchicken's rewriting of Pallet town to look like Twinleaf town. How reasonable would it be to apply those methods of writing arbitrary code in Pokemon Yellow, given that the bootstrapping code is already written using the PC box? Is there a setup that is optimal enough to leave a significant amount of memory space in the current box to do such code writing?


Most of the bootstraps posted here are of course focused on setting up 8F or WS M without using 8F or WS M to do so. But if you already have a working bootstrap, you could use that to make a more compact one if that's what you need. You can for instance change the EVs and IVs of one pokémon to do what you need them to do.

Something like this:
3 pokemon (2 might work too, but I don't really know what the BC register does so loading A into (bc) could do anything)
Tentacool - 9939 hp EV / 11809 Att EV / 59648 def EV
Pidgey
Any


; Initial hl = DA7F
$DA7F <- 03    || inc bc
$DA80 <- 18 24 || jr DAA6
$DAA6 <- 26 D3 || ld h, D3 ; h = D3
$DAA8 <- 2E 21 || ld l, 21 ; l = 21
$DAAA <- E9    || jp [hl] ; hl = D321


I hope that's correct and helpful ^.^

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Alzerek
Date: 2016-03-29 15:19:03
Ah yes, that's exactly what I was looking for! I did the basic "simple" setup with the 6 Slowpokes and 10 Geodudes but it didn't cross my mind to use ws m to make the pokemon for a smaller bootstrap. Thanks!

Edit: The only thing that's unclear to me at this point is rewriting those triggered events like the map pointer of Pallet Town in order to get the box code to execute.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-03-30 08:26:40
Finally managed to test the ws m bootstraps. I can now confirm that Nidoran(female) instead of Nidoqueen works.
Also tested my 3 pokémon ws m bootstrap. Also works. :D

So that makes:

11 Pokémon in active box:
Seel with 233 HP
Parasect
Growlithe
Magikarp
Psyduck
Flareon
Tentacool
Nidoran (female) <— instead of Nidoqueen
any
any
any

And a mini tutorial to make the Tentacool for the 3 pokémon bootstrap:

Having Tentacool as the first pokémon in the party requires changing these addresses to these values.
Address - Hex - Decimal
$D17B - 26 - (38)
$D17C - D3 - (211)
$D17D - 2E - (46)
$D17E - 21 - (33)
$D17F - E9 - (233)

Turned that into an item list based on Wack0's template (starting at $D17F):

ITEM LIST (starting from the first slot):
Ws m
Any
Lemonade x(233) <– change this to match the numbers in the brackets for the different addresses.
X Accuracy x127 (-1 for each address)
Carbos x209
Pokéball x119
TM01 x any <– for sale in Celadon dept. store

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-03-30 13:58:16
Nice job, Skeef! Maybe we can ask a wiki contributor to correct the mistake.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-04-05 11:36:32
Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-06 13:48:53
I did something… This has interested me for some time now.

http://forums.glitchcity.info/index.php/topic=6638.msg196498#msg196498

First thing I thought when I read it was "Why not use the daycare as a bootstrap?" So that's what I tried ^.^
Since the daycare data is not set back to 0 when you take out a pokémon, my idea was to use 8F to make a pokémon I could put in and take back out instantly, loading its data into the addresses. But since the daycare has the nickname and OT of the pokémon first, this proved to be… difficult.
The next idea was maybe I could just use Wack0's code to insert the values into the addresses directly. This could work, but it kinda rules out using the daycare, since then you'd have to re-insert the data.
And then I realised I could combine the ideas! Instead of running a code made with items… run a code made with a pokémon! In other words, using 8F to make a pokémon which, when using 8F, inserts the data into the addresses! This fixes the first problem cuz we are not putting a pokemon directly into the daycare. And should you ever want to use the daycare again, after you are done you can simply take the pre-made pokémon out of the box and re-run 8F.
So here is what I worked out.

The pokémon list:
6 pokémon
any
Tentacool <- jumping powers!
Wigglytuff <- the actual pokémon
any
any
any

Wigglytuff specifications:
Move 2 - Roar (2E)
Move 3 - Leech Seed (49)
Move 4 - Double Edge (26)
Id: 55862 - (DA 36)
Xp: 2.501.686 - (26 2C 36)
HP EV: 54060 - (D3 2C)
Att EV: 13870 - (36 2E)
Def EV: 11318 - (2C 36)
Spd EV: 8748 - (22 2C)
Spec EV : 14057 - (36 E9)
Att, Def IVs: 12,9 - (C9)

Which translates to the following asm:

; Initial hl = D163
$D163 <- 06 xx || ld b, XX
$D165 <- 18 65 || jr D1CC
$D1CC <- 2E 49 || ld l, 49 ; l=49
$D1CE <- 26 DA || ld h, DA ; h=DA
$D1D0 <- 36 26 || ld (hl), 26
$D1D2 <- 2C    || inc l ; l=4A
$D1D3 <- 36 D3 || ld (hl), D3
$D1D5 <- 2C    || inc l ; l=4B
$D1D6 <- 36 2E || ld (hl), 2E
$D1D8 <- 2C    || inc l ; l=4C
$D1D9 <- 36 22 || ld (hl), 22
$D1DB <- 2C    || inc l ; l=4D
$D1DC <- 36 E9 || ld (hl), E9
$D1DE <- C9    || ret


In other words, it loads the following values into the following addresses:
DA49 <- 26
DA4A <- D3
DA4B <- 2E
DA4C <- 22
DA4D <- E9

Now you may have noticed that -gm starts reading at $DA47, but I start putting in data at $DA49, 2 adresses later.
Here's the first 2:
$DA47 is safari balls, this gets set to 0 when you get the "pa: ding dong" but stays at whatever amount you got left should you leave early.
$DA48 is daycare in use or not, this is 0 when there is no pokémon in the daycare.
In other words they do nothing. :D And there you have it. The -gm bootstrap is set up! Without needing any specific party or active box!


; Initial hl = DA47
$DA47 <- 00    || nop
$DA48 <- 00    || nop
$DA49 <- 26 D3 || ld h, D3 ; h=D3
$DA4B <- 2E 22 || ld l, 22 ; l=22
$DA4D <- E9    || jp [hl] ; hl = D322


Note: The daycare addresses used here are used to store the pokémon's name. But none of the values inserted correspond to an actual letter. I have no idea if that's safe or harmful for a save file. (I felt I needed to mention that  :P)
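To check the three bootstraps in this thread (Skeef's Wigglytuff party for 8F, the -gm jump from $DA47 it sets up, and the 3-pokémon ws m bootstrap from $DA7F) without building them in-game, here is an added example of a tiny interpreter for the handful of Game Boy (SM83) opcodes those listings use. This is not code from the thread; the memory images are constructed from the posted listings, and the item indices in ITEM_ID (used to replay Wack0's write-one-byte item template) are assumed from the standard Red/Blue item table.

```python
# Added example (not code from the thread): a minimal interpreter for the
# SM83 opcodes the posted bootstraps use, so each byte sequence can be
# traced before anyone builds the Pokémon or item list for it.

def trace(mem, pc, hl=0x0000, bc=0x0000, a=0x00, max_steps=64):
    """Run from pc until ret, jp (hl), or an unsupported opcode.

    mem maps address -> byte; unmapped reads return 0x00 (nop), which is
    what the thread assumes for the untouched daycare bytes.
    Returns (writes, end): writes is the ordered list of (addr, value)
    stores, end says how execution stopped.
    """
    h, l = hl >> 8, hl & 0xFF
    b, c = bc >> 8, bc & 0xFF
    writes = []
    for _ in range(max_steps):
        op = mem.get(pc, 0x00)
        n = mem.get(pc + 1, 0x00)           # immediate operand, if any
        if op == 0x00:                      # nop
            pc += 1
        elif op == 0x03:                    # inc bc
            bc = ((b << 8 | c) + 1) & 0xFFFF
            b, c, pc = bc >> 8, bc & 0xFF, pc + 1
        elif op == 0x04:                    # inc b
            b, pc = (b + 1) & 0xFF, pc + 1
        elif op == 0x06:                    # ld b, n
            b, pc = n, pc + 2
        elif op == 0x18:                    # jr e (signed, from next instr)
            e = n - 0x100 if n & 0x80 else n
            pc = (pc + 2 + e) & 0xFFFF
        elif op == 0x26:                    # ld h, n
            h, pc = n, pc + 2
        elif op == 0x2C:                    # inc l
            l, pc = (l + 1) & 0xFF, pc + 1
        elif op == 0x2E:                    # ld l, n
            l, pc = n, pc + 2
        elif op == 0x36:                    # ld (hl), n
            mem[h << 8 | l] = n
            writes.append((h << 8 | l, n))
            pc += 2
        elif op == 0x3E:                    # ld a, n
            a, pc = n, pc + 2
        elif op == 0x77:                    # ld (hl), a
            mem[h << 8 | l] = a
            writes.append((h << 8 | l, a))
            pc += 1
        elif op == 0xC9:                    # ret
            return writes, "ret"
        elif op == 0xE9:                    # jp (hl)
            return writes, "jp %04X" % (h << 8 | l)
        else:
            return writes, "unsupported opcode %02X at %04X" % (op, pc)
    return writes, "step limit"

def load(base, data, mem=None):
    """Place a byte list at base in mem (a new dict if none is given)."""
    mem = {} if mem is None else mem
    for i, byte in enumerate(data):
        mem[base + i] = byte
    return mem

# Skeef's 6-pokémon party as 8F sees it (hl = D163): party count, species
# bytes (any / Tentacool 18 / Wigglytuff 65), then Wigglytuff's moves 2-4,
# ID, XP, EVs and IV byte at D1CC..D1DE. Everything else is left unmapped.
WIGGLYTUFF = load(0xD163, [0x06, 0x00, 0x18, 0x65])
load(0xD1CC, [0x2E, 0x49, 0x26, 0xDA, 0x36, 0x26, 0x2C, 0x36, 0xD3, 0x2C,
              0x36, 0x2E, 0x2C, 0x36, 0x22, 0x2C, 0x36, 0xE9, 0xC9], WIGGLYTUFF)

def run_wigglytuff():
    """One use of 8F: expect five stores to DA49..DA4D and a clean ret."""
    return trace(dict(WIGGLYTUFF), 0xD163)

def run_gm_bootstrap():
    """Run 8F (Wigglytuff), then -gm from DA47; expect it to land on D322."""
    mem = dict(WIGGLYTUFF)
    trace(mem, 0xD163)
    return trace(mem, 0xDA47)[1]

# The 3-pokémon ws m bootstrap (Tentacool / Pidgey / any) from Skeef's post.
TENTACOOL = load(0xDA7F, [0x03, 0x18, 0x24])
load(0xDAA6, [0x26, 0xD3, 0x2E, 0x21, 0xE9], TENTACOOL)

def run_tentacool():
    return trace(dict(TENTACOOL), 0xDA7F)[1]   # expect "jp D321"

# Wack0's write-one-byte item template: the item index is the opcode and the
# quantity is its operand. Indices assumed from the standard R/B item table.
ITEM_ID = {"Lemonade": 0x3E,     # ld a, n
           "X Accuracy": 0x2E,   # ld l, n
           "Carbos": 0x26,       # ld h, n
           "Poké Ball": 0x04,    # inc b   (quantity 0x77 = ld (hl), a)
           "TM01": 0xC9}         # ret

def run_item_writer(value=233, low=0x7F, high=0xD1):
    """Write `value` to high:low, as the posted list writes E9 to D17F."""
    code = []
    for name, qty in [("Lemonade", value), ("X Accuracy", low),
                      ("Carbos", high), ("Poké Ball", 119), ("TM01", 1)]:
        code += [ITEM_ID[name], qty & 0xFF]
    # The bootstraps in this thread jump to D322, so the item bytes go there.
    return trace(load(0xD322, code), 0xD322)
```

Unmapped bytes read as nop, which matches the thread's assumption that $DA47 and $DA48 are zero; if you want to model a save where those bytes hold something else, put the real values in the memory dict before tracing, and the interpreter will stop on the first opcode it does not know rather than guess.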

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-04-07 01:50:11
Ever thought Tentacool could jump? No? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36?)

Also, have you tried to use the game's copying routine?
It is called CopyData in Pokéred, but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-04-09 04:30:03

Just did it, although an admin's approval (usually Torchickens') is required for the change to appear.


Approved!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-09 11:29:09

Ever thought Tentacool could jump? No? YOU WERE SO WRONG.
That method you created is cool, but looks quite heavy to set up (c'mon, ID = DA36?)

Also, have you tried to use the game's copying routine?
It is called CopyData in Pokéred, but I can't remember its ROM address.

The problem comes from the fact that we cannot easily create Pokémon like that. We'd need easier methods of arbitrarily placing data wherever we want, but also simpler to set up.


Hehe, you think the ID number is a bit far-fetched? The XP puts it at lvl 146 :P

I have not considered using the copy routine. No idea what that is O.o

An easier way to set up would be to put the data into the daycare directly. If you don't use the daycare the values won't change. The Wigglytuff I made is just an easier way to set up the bootstrap again after using the daycare.
It's 19 bytes to make Wigglytuff, but only 5 bytes need to be set to do it directly. As an added bonus, on a cartridge the daycare values stay after starting a new game. Not sure if they do on VC tho.

Also, with both 8F and -gm, you can make one start reading at item 3 as usual and make the other go to the stored items on the PC. That way you can run a code you use often (say walk through walls or multiply items) from the computer, and run others from carried items.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-04-10 02:54:32
Uh, the copy routine is located somewhere in ROM bank 0; it copies a chunk of data from somewhere to elsewhere.
You have to call it like so:
ld hl, pointer_to_source
ld de, pointer_to_destination
ld bc, number_of_bytes_to_copy
call copy
(total: 12 bytes)

Still, I cannot find its ROM address.
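As an added example (not code from the thread), here is the four-instruction calling sequence described above encoded into its 12 bytes, together with a Python model of what the post says the routine does (copy bc bytes from hl to de), applied to the 5-byte daycare bootstrap from Skeef's post. COPY_ROUTINE is a placeholder for the routine's ROM address, which the post leaves unknown, and the payload's source location ($D32A) is a constructed choice for the demo.

```python
# Added example (not code from the thread): encode "ld hl / ld de / ld bc /
# call copy" and model the copy routine as the post describes it.

COPY_ROUTINE = 0x0000   # placeholder: the post does not give the ROM address

def ld16(opcode, nn):
    """One 3-byte instruction with a 16-bit immediate (SM83 is little-endian)."""
    return [opcode, nn & 0xFF, (nn >> 8) & 0xFF]

def copy_call(src, dst, count, routine=COPY_ROUTINE):
    """ld hl,src / ld de,dst / ld bc,count / call routine -> 12 bytes."""
    return (ld16(0x21, src) + ld16(0x11, dst) +
            ld16(0x01, count) + ld16(0xCD, routine))

def copy_data(mem, hl, de, bc):
    """Model of the routine as described: copy bc bytes from hl to de."""
    for i in range(bc):
        mem[(de + i) & 0xFFFF] = mem.get((hl + i) & 0xFFFF, 0x00)
    return mem

def install_daycare_bootstrap():
    """Plant the 5-byte -gm bootstrap at DA49 with one copy call.

    The payload bytes are the ones Skeef's Wigglytuff writes; here they are
    parked at D32A (constructed: just past the item code) and copied over.
    Returns the 12 code bytes and the bytes that end up at DA49..DA4D.
    """
    payload = [0x26, 0xD3, 0x2E, 0x22, 0xE9]
    mem = {0xD32A + i: b for i, b in enumerate(payload)}
    code = copy_call(0xD32A, 0xDA49, len(payload))
    copy_data(mem, 0xD32A, 0xDA49, len(payload))   # what the `call` would do
    return code, [mem[0xDA49 + i] for i in range(len(payload))]
```

The immediates come out low byte first, so a destination of $DA49 is encoded as `11 49 DA`; that byte order is the usual source of off-by-one-style mistakes when a calling sequence like this is turned into item quantities by hand.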

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-04-11 16:05:12
The ROM address is 00b6