Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 24

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-14 10:59:10
Made a few random codes that I haven't seen on this thread.

Cloning via daycare:
8F
Any
X Accuracy x72
Carbos x218
Max Revive x01
TM01 x(any)

Put the pokémon to clone in the daycare, take it back out, and run the 8F code. The pokémon is now in the daycare again, ready to be taken out.

$D322 <- 2E 72 || ld l, 72
$D324 <- 26 DA || ld h, DA
$D326 <- 36 01 || ld (hl), 01
$D328 <- C9    || ret


ATT, DEF, SPD and SPEC IV's 10:
8F
Any
X Accuracy x135(134) <— first 135, then 134.
Carbos x209
Max Revive x170
TM01 x(any)

This seems a bit random, but this IV spread makes it shiny in gen2 games. Not very useful atm unless you still play the cartridges. But if they release them on VC… :D

$D322 <- 2E 87(86) || ld l, 87(86)
$D324 <- 26 D1    || ld h, D1
$D326 <- 36 AA    || ld (hl), AA
$D328 <- C9        || ret


Turn Badges on/off
- 8F
- Any
- X Accuracy x86
- Carbos x211
- Max Revive x(XX) <- binary switches
- TM01 x(any)

Pretty straightforward. Just pick the badges you want (or don't want) and convert the byte to decimal to determine the Max Revive quantity.

Binary switches:
00000001 = boulder badge
00000010 = cascade badge
00000100 = thunder badge
00001000 = rainbow badge
00010000 = soul badge
00100000 = marsh badge
01000000 = volcano badge
10000000 = earth badge

$D322 <- 2E 56 || ld l, 56
$D324 <- 26 D3 || ld h, D3
$D326 <- 36 xx || ld (hl), xx
$D328 <- C9    || ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: realsamusaran
Date: 2016-04-22 17:05:33
I feel silly asking this, but just to clarify, it doesn't matter what you end your code with as long as it has a hex value of C9?

So every code can be ended with TM01 or any item x201?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-04-23 04:32:21
Yes ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: realsamusaran
Date: 2016-04-23 05:45:50

I feel silly asking this, but just to clarify, it doesn't matter what you end your code with as long as it has a hex value of C9?

So every code can be ended with TM01 or any item x201?

Hm. I tried this, but the codes worked slightly differently from how they worked before.

The item duplication code turned my 1 Nugget into 0 (256), and the code to change the item into a different item went -1 instead of +1.

The only thing I changed was swapping the Revive x201 or Full Heal x201 with a TM01. I was very careful, double-checking my bootstrap and the items in the code. I'm not sure what I must have done wrong. Is the Revive read as part of the code before the x201 tells it to end? I guess that was more what I meant to ask.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-23 07:23:57
Yes, the Revive or Full Heal are both part of the code.

The duplication code basically decreases the amount of the second item by 2. So having 1 item - 2 rolls to 255. By replacing the Revive with TM01 the code only does -1, turning the second item to 00. (But you can still drop them, so it's not that big a deal.)

Not sure what happens with the code to change the second item tho. If you simply replaced Full Heal x201 with TM01, that code does nothing. If you replaced the Full Heal x201 with Revive x201, however, it goes -1.

Either way, if you don't want to use a 201 item quantity, you could do Revive/Full Heal x04 followed by TM01.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: realsamusaran
Date: 2016-04-24 07:10:59
Yes, that must have been what I did for the code to change the item's index. Oopsies. I should pay more attention.

So then if I understand you correctly, the relevant item x 04 followed by TM01 x any would be suitable for any code requiring x 201 of the item at the end?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-04-24 08:42:07
Well, it's not that simple. The quantity of the 'relevant item' will be read as code. Skeef gave you the example of a quantity of x04, which is a very good example since 04 matches the opcode 'inc b'. Since you finished your code already and won't use b anymore (or never did), then it won't cause any harm.

However, your codes might be more complex than just a one-shot instruction. If you write a function which will, for example, increase something every time the code is activated, and that function uses the value of b for some reason, it will mess up your code, so you have to find another quantity for your final item - one that matches an opcode that cannot mess with your code.
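The two points made in this thread, that each bag slot becomes two executed bytes (item ID, then quantity) starting at the third slot ($D322), and that the item ID of the terminating item is itself run as an opcode before its x201 becomes `ret`, can be checked with a small assembler/decoder. This is an added example, not code from anyone in the thread; the item IDs, the $D322/$D356 addresses and the badge bit order are assumed from the Red/Blue RAM and item tables, and the decoder only knows the opcodes discussed here.

```python
# Added example (not from the thread): turn an 8F item list into the bytes the
# game executes from the bag and decode them with a tiny SM83 disassembler that
# covers only the opcodes this thread relies on. IDs/addresses are assumptions.
from typing import List, Tuple

ITEM_ID = {"X Accuracy": 0x2E, "Carbos": 0x26, "Max Revive": 0x36,
           "Revive": 0x35, "Full Heal": 0x34, "TM01": 0xC9}
# opcode -> (mnemonic template, number of immediate bytes that follow)
OPCODES = {0x2E: ("ld l, {}", 1), 0x26: ("ld h, {}", 1), 0x36: ("ld (hl), {}", 1),
           0x06: ("ld b, {}", 1), 0x04: ("inc b", 0), 0x34: ("inc (hl)", 0),
           0x35: ("dec (hl)", 0), 0xC9: ("ret", 0)}
BADGE_BITS = ["boulder", "cascade", "thunder", "rainbow",
              "soul", "marsh", "volcano", "earth"]  # bit 0 .. bit 7 of $D356

def assemble(items: List[Tuple[str, int]]) -> bytes:
    """Each bag slot is two bytes: item ID, then quantity (1..255)."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} cannot sit in the bag")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def disassemble(code: bytes, base: int = 0xD322) -> List[Tuple[int, str]]:
    """Decode from `base` until the first ret; later bytes never execute."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:  # stop rather than guess at unknown bytes
            out.append((base + pc, f"db ${op:02X}  ; not in this decoder"))
            break
        fmt, n = OPCODES[op]
        imm = [f"${b:02X}" for b in code[pc + 1:pc + 1 + n]]
        if len(imm) < n:  # operand would be read past the items we control
            out.append((base + pc, f"db ${op:02X}  ; truncated operand"))
            break
        out.append((base + pc, fmt.format(*imm)))
        pc += 1 + n
        if op == 0xC9:
            break
    return out

def badge_quantity(owned: List[str]) -> int:
    """Max Revive quantity for the badge code: OR of the chosen badge bits."""
    return sum(1 << BADGE_BITS.index(b) for b in owned)

if __name__ == "__main__":
    iv_code = [("X Accuracy", 135), ("Carbos", 209), ("Max Revive", 170), ("TM01", 1)]
    for addr, text in disassemble(assemble(iv_code)):
        print(f"${addr:04X}: {text}")
    # Terminators from the later posts: the item ID itself runs as an opcode
    for tail in ([("Revive", 201)], [("Revive", 4), ("TM01", 1)]):
        print(tail, "->", [t for _, t in disassemble(assemble(tail), 0xD328)])
```

Running it shows Revive x201 decoding to `dec (hl)` followed by `ret`, which is the extra -1 described above, while Revive x04 then TM01 decodes to `dec (hl)`, `inc b`, `ret`.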

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-24 12:55:15
Exactly. My 8F bootstrap code has 6 pokémon tho, so the first thing it does is ld b, xx. Meaning b always resets when I use 8F.

I made a small adjustment to pigdevil2010's bootstrap to better fit my needs:
Any <— woot!
Pidgey - 233 hp remaining
Parasect
Onix
Tentacool
Arbok

I can go out with my bootstrap and not mess up the opcodes when I catch a pokémon :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-04-24 18:40:19
Step 1. Do the Mew glitch with 195 special to catch h POKé
Step 2. Catch Onix
Step 3. Do the Remaining HP glitch with HP of 211 to get M p'u
Step 4. Faint them all
Step 5. Put them in this order: h POKé, Onix, M p'u
Step 6. Now you have three free slots with the same effect as 5!

Yes, this requires glitches, but 8F is a glitch too.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-25 12:59:00
Why do you need to faint them? O.o

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-04-25 15:44:33
Why do you need to faint them? O.o

So you can use any pokémon you want.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-04-26 10:57:22

Exactly. My 8F bootstrap code has 6 pokémon tho, so the first thing it does is ld b, xx. Meaning b always resets when I use 8F.

I made a small adjustment to pigdevil2010's bootstrap to better fit my needs:
Any <— woot!
Pidgey - 233 hp remaining
Parasect
Onix
Tentacool
Arbok

I can go out with my bootstrap and not mess up the opcodes when I catch a pokémon :D

I remember posting this one a while ago on PRAMA's forums… However, you just made me realize I never added it to the wiki page! Let's do this.
It won't show up right away tho, as it needs the approval of someone like Torchickens. My edits have to be approved by an "authorized user".

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-26 13:04:04
I also tried putting Pidgey in the 4th place, to see if I could use a pokémon that's not version-exclusive instead of Arbok. But apparently relative jumps can only jump 128 bytes, making the 4th pokémon out of range :(.

Also, the change to the wsm bootstrap is still not visible either. It still says Nidoqueen instead of Nidoran (female).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-04-26 17:25:16
Arbok is not version-exclusive. It can be caught easily using the Ditto Glitch (the bottommost Trainer in Route 14 does); check this out.
Cooltrainer may also help (I did make this setup on a Red cartridge, but without ever encountering an Abo or Arbok :P).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-04-27 05:56:50
Implying you can actually perform the Ditto Trick or Cooltrainer Trick, which might not be the case.

Of course, you can still rely on Old Man/GC RAM Manipulation to get a MissingNo., but it's true that having a setup with no version-exclusive or glitch Pokémon is an improvement.