Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 25

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: realsamusaran
Date: 2016-04-29 06:27:14
Has anyone thought about making a comprehensive list of codes in a single post? My memory is not great and I've got a bit of a learning disability so I'm having trouble doing this on my own without writing down specific instructions others already made. It's a bit time-consuming to comb through 25 pages too.

Maybe a separate list for each one, like a ws m list and an 8F list, etc.

I might as well ask if anyone wants to be generous, has anyone made codes for changing Trainer ID numbers or names? both for the player character and for Pokémon. I want to change my ID number to 01996 in the English Pokémon Yellow with ws m, for when I transfer my Pokémon to Gen 7 from the virtual console.

Changing an owned Pokémon's catch rate would also be useful, if they give Gen 1 Pokémon held items based on that like they did in Gen 2. And being able to overwrite moves 2-4 without going into battle to swap with move 1 would be a time-saver. And I might want to change my Trainer's name too possibly, to RED or Red.

If anyone can help it would be very much appreciated, though only if you have the time and want to do it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-04-29 11:19:24
If you want to change something in your game, just use the general single-address change code. You don't need to remember anything since you have all the addresses you need in either the RAM Map or the Disassembly.

If you don't get how to use this, ask for details  ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-29 14:00:52
Or use these instead.

Change ID nr to 01996 on Yellow (2 codes):
wsm
Any
X Accuracy x89
Carbos x211
Max Revive x204
TM01 x(any)
-
wsm
Any
X Accuracy x88
Carbos x211
Max Revive x07
TM01 x(any)

Note: Remember this does not change the ID of any pokémon already owned.


Changing moves of the first Pokémon in party on Yellow:
wsm
Any
X Accuracy x 117/116/115 (move 4, 3 and 2 respectively)
Carbos x 209
Max Revive x Index nr of wanted move
TM01 x(any)

Note: The pokémon may need to have a move in the respective slot before it can be overwritten.


Change trainer name to the first Pokémon's nickname on Yellow:
wsm
Any
TM50 x180
TM10 x64
TM34 x87
TM09 x46
Carbos x52
X Accuracy x34
Full Heal x201

Note 1: Change the nickname of Pokémon 1 to RED (or red) and press 8F exactly 4 times (or length of the Pokémon's nickname +1).
Note 2: This is TheZZAZZGlitch's code from Red adapted for Yellow. Credit to him.

I didn't do a code to change catch rate because I don't know if it's a good idea to change that and send them to another generation. Also, if you need the codes for Red/Blue for the ID nr and changing moves 2, 3 and 4, all you need to do is +1 to X Accuracy. The code for changing the player's name in Red/Blue is in the first post.

I tested all these codes on Yellow (on a real cartridge too!). My name on Yellow is now RED <– :P

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: realsamusaran
Date: 2016-04-30 09:02:36
@Skeef: thanks a bunch! As far as catch rate goes I was only planning on changing them for Pokémon evolutions who aren't legitimately available to be caught, such as Alakazam or Gengar, since a legal Gengar would have the catch rate of Haunter or Gastly because catch rate stays the same after evolving a Pokémon you own.

I was also considering changing catch rates for Pokémon whose values changed from Red/Blue to Yellow, such as Kadabra or Dragonair. The starter Pikachu also has a unique catch rate when you receive it that no other Pikachu has, even when forcing an encounter with a wild one in Yellow. I messed up my PC box data somehow and lost my starter Pikachu actually…

@Krys3000: I looked at those and I'm having trouble understanding them right now but I'll try figuring something out on my own and when I've got something I'll come here to ask if I've got it right (I don't wanna mess up my save trying it out on my own).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-04-30 09:46:15
Hmm, as far as messing up save data goes… If you are playing Virtual Console, wouldn't backing up your SD card also back up the Pokémon save?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-05-05 06:18:43

Of course, you can still rely on Old Man/GC RAM Manipulation to get a MissingNo., but it's true that having a setup with no version-exclusive or glitch Pokémon is an improvement.

Took me a while to figure this out, but oh well. Still worth posting, I guess.
Well, if your first Pokémon's Special Stat is in the following list, you can use Hitmonchan instead of Arbok.
That will make the game read the lower byte of the first Pokémon's Special Stat, and all of these were selected to be harmless, 1-byte instructions.
0, 3, 4, 5, 7, 10, 11, 12, 13, 15, 19, 20, 21, 23, 26, 27, 28, 29, 31, 39, 47, 56, 60, 61, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 118, 120, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195.
(Note: if the stat is higher than 255, subtract 256 and look up the value in this list.)

If the stat is in the list and is less than 256, then Hitmonlee will work too.

Under certain circumstances (depending on the Speed Stat, actually), Mr. Mime will also work, but it is more complicated.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Shina69
Date: 2016-05-13 15:42:54
Hi, guys! Thanks for helping me on changing the moves on yellow a few months ago, really helped!

I was wondering if it's possible to get HM Fly before getting to Celadon City by arbitrary code execution in Pallet Town, since only a few glitch Pokémon level up learning Fly and that's probably not an option. After I receive the Pikachu, maybe he could get it? I saw this video of a guy saving at 0:00 and instantly spawning at the end; maybe I could spawn near the HM Fly little house, although I probably wouldn't be able to leave from there that easily. Although if I was able to walk through walls, it would be easy. But then, how to disable it? I read about the Youngster method but my lvl 100 Nidoking doesn't really apply; that 4th move PP is difficult to get.

Thanks for the attention, guys! Maybe there's already a way to do it and I don't know.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-05-13 16:31:52

Hi, guys! Thanks for helping me on changing the moves on yellow a few months ago, really helped!

I was wondering if it's possible to get HM Fly before getting to Celadon City by arbitrary code execution in Pallet Town, since only a few glitch Pokémon level up learning Fly and that's probably not an option. After I receive the Pikachu, maybe he could get it? I saw this video of a guy saving at 0:00 and instantly spawning at the end; maybe I could spawn near the HM Fly little house, although I probably wouldn't be able to leave from there that easily. Although if I was able to walk through walls, it would be easy. But then, how to disable it?

Thanks for the attention, guys! Maybe there's already a way to do it and I don't know.


Yes. Getting to anywhere without arbitrary code execution and/or obtaining HM02 Fly can be done with the expanded items pack warping.

You can obtain the expanded items pack at the beginning of the game with the SRAM glitch after doing a swap such as Pokémon 1>Pokémon 10 if you have knowledge of the internal memory layout (which is the glitch you saw).

It may be possible to capture a Pokémon to obtain 49-51 total Pokémon instead of 255 (this happens because you normally capture a Golem (Red/Blue) or Magmar (Yellow) with the decimal index number of 49 or 51 respectively, due to the "wild appeared" glitch); from then on depositing them all is easy, unless for some reason the Pokémon you deposit or withdraw do not have terminated names (PRAMA encountered this on non-English versions, and in English Yellow a workaround might be to view a Pokémon with a specific move 4 such as Counter (like in the glitch "oobLG") but I don't know if this applies to every version). In Red and Blue, the Golem must be caught in a certain place to avoid a freeze. Diglett's Cave works; then you should open the menu to avoid a freeze if you exit by the stairs.

If you keep the expanded items pack, you can warp around as you please, although I'm afraid I don't know of a way you could obtain items to keep in this way (although it's likely very possible), because with the looping map trick (described below and on the first post) you may become trapped without a Pokémon to Teleport away.

If you've obtained an expanded items pack (such as the 255 items pack from the dry underflow glitch), then you can warp to Celadon City by entering a Pokémon Center, swapping the Ultra Ball x0 at item 32 into Master Ball (left of the exit mat) or "!j" (Red/Blue) or "x" (Yellow) (right of the exit mat) x(exit place ID) at item 36, and tossing how many you want. x0 actually represents x256. If you toss 250, then you can warp to Celadon City.

Regular Missingno. for obtaining a x255 stack (by obtaining x129 Potions, using two, capturing the Missingno. to obtain x255) can appear from doing the Trainer escape glitch/Mew glitch with Misty's Starmie (This will work in English Red/Blue but likely not French or Italian Red/Blue. Additionally in English Yellow (unsure about Spanish Yellow), if you have cleared your save file with Up+Select+B there is a way to encounter a "stable unstable Missingno." which is believed to never freeze the game).

Special Missingno. 182-184 are alternatives to regular Missingno. if your version's Missingno. freezes the game (and for people using the French and Italian versions of Red/Blue you could possibly use the Pokémon menu>Cooltrainer glitch described in the link above). They can be encountered by having Ditto transform into a Pokémon with one of those Special stats.

Alternatively, you can have a 1/8 chance of obtaining one from a double Trainer-Fly involving talking to the Cubone trade girl on Underground Path to encounter a level 80 Starmie first. This was first used in a Pokémon speedrunning route.

[youtube]https://www.youtube.com/watch?v=73fAlzIbi9k[/youtube]

TheZZAZZGlitch's looping map trick to obtain 8F or ws m allows you to bring up every item into the regular items to keep, except for possibly the non-functional PP Up copy (32h) and TM55 (FFh, but you can keep the key item HM05 which works the same). You can dig up items of your choice and keep them if you bring them up with Select and then Teleport away.

Steps:

1) Walk to this place.
[img]http://i.imgur.com/mwJ0mb7.png[/img]
2) Swap an item with an ID of hex:33 or greater into the Nugget x1 found at item position 35, such as Poké Doll or X Special.
3) Keep walking right (to increase the item ID by 1 each step) or left (to decrease it by 1 each step) to change the item, until you find a HM02: Fly.
4) Press Select to bring it up to the top of the items pack and then Teleport away.

Hope that helps and let me know if you have any other questions!  :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Shina69
Date: 2016-05-14 17:55:55
Thanks a lot for the wise and meticulous explanation, Torchickens!
Sure, it's a wonder the possibilities that Item Underflow brings as well as glitch items; I followed all the steps on the SRAM glitch topic and it's an all new world. But recently I got more interested in these new recent challenges like the no save corruption speedruns and others that avoid the usage of the expanded items pack. I looked through the forum archives and also found players trying to beat the game without battling Team Rocket members and that made me wonder: is it actually possible to complete Pokémon Yellow under such conditions plus without time cable exploits of any kind? I followed their topic (http://forums.glitchcity.info/index.php/topic,7448.0.html), but answers stopped a few months ago :(

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: hashtag
Date: 2016-05-19 18:05:24
Hey, first post!
Using Wack0's simple GameShark script to do a couple of things, and I'm curious as to what you are supposed to do when the code requires you to enter a 00.

For example, I have a code that modifies the typing of the current box slot one Pokémon. It should look like this:

any item
8f
Lemonade * number corresponding to type
X-accuracy * 155 for primary type and 156 for secondary type
Carbos * 218
Pokeball * 119
Fresh Water * 201

This code works perfectly, and I have used it to replace Aerodactyl's Flying typing with Ghost as a proof of concept. The only problem is that when I want to make something a Normal type I would have to have 0 Lemonades, because 00 is the hex that corresponds with Normal. I have tried it just without any Lemonades and it freezes the game, as expected. Is it possible to make the game read as having 0 Lemonades by somehow rolling it over to 256, or anything like that? Thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2016-05-19 18:36:01
First, this code was sort of already made, but that's not a big deal since you are new here. To get 0 Lemonades, try using this 8F code by lowena:

8F
Item you want X2 to get 0 or 1 to get 255
Burn Heal X43
Ice Heal X53
Revive X201

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: hashtag
Date: 2016-05-19 18:41:10
oh sweet thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2016-05-19 18:42:53

First, this code was sort of already made, but that's not a big deal since you are new here. To get 0 Lemonades, try using this 8F code by lowena:

8F
Item you want X2 to get 0 or 1 to get 255
Burn Heal X43
Ice Heal X53
Revive X201


Alternatively have lemonade x1 followed by Soda Pop x4.

This is:

ld a,01
dec a
inc b

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2016-05-20 13:26:41
You can also get a x0 stack by tossing a whole stack above a x255 stack (which becomes a copy of the x255 stack), tossing 254 of the copy, and swapping the resulting x1 stack with the x255 stack. As a side effect, your item counter will decrease by 2 so you'll lose the stack you tossed and the last stack in your bag.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-06-10 17:31:37

Thanks a lot for the wise and meticulous explanation, Torchickens!
Sure, it's a wonder the possibilities that Item Underflow brings as well as glitch items; I followed all the steps on the SRAM glitch topic and it's an all new world. But recently I got more interested in these new recent challenges like the no save corruption speedruns and others that avoid the usage of the expanded items pack. I looked through the forum archives and also found players trying to beat the game without battling Team Rocket members and that made me wonder: is it actually possible to complete Pokémon Yellow under such conditions plus without time cable exploits of any kind? I followed their topic (http://forums.glitchcity.info/index.php/topic,7448.0.html), but answers stopped a few months ago :(


You're welcome! I don't know the answer to that I'm afraid. Though it's possible to avoid at least some of the Rockets, including:

1) Regular Mt. Moon Rockets (you don't need to fight them).
2) Jessie & James on Mt. Moon (but note in Paco81's video he escapes from a long-range Rocket in Mt. Moon using an Escape Rope).
3) Rocket HQ rockets: Poké Doll Pokémon Tower skip.
4) Silph Co. Rockets: Removing the gym NPC with the Trainer escape glitch(??)

If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.

If you want to use 8F or ws m for many tasks, it's worth turning it into an in-built GameShark so you can use it without re-obtaining items for different uses (in case you tossed a quantity but need a higher quantity than what you have left to do something else).

This long code loads the quantity of Lemonade into the address whose first byte is the quantity of Carbos and whose second byte is the quantity of X Accuracy, then resets those quantities back to 0 (actually 256, which is tossable to obtain any quantity), so you can truly write whatever you want in RAM/WRAM as many times as you like without having to obtain items again if a quantity is too low.

You can get all of the items below with the Celadon looping map trick.

3E xx 26 yy 2E zz 04 77 26 D3 3E 00 2E 23 04 22 23 22 23 22 C9

Lemonade x(xx)
Carbos x(yy)
X Accuracy x(zz)
Poké Ball x119
Carbos x211
Lemonade x0
X Accuracy x35 (x34 in Yellow)
Poké Ball x34
HP Up x34
HP Up x34
TM01 x0

ld a, 00 - a (value)=xx
ld h, 00 - h (address byte 1)=yy
ld l, 00 - l (address byte 2)=zz
inc b - useless code
ld (hl),a - load a into the address (e.g. D059)
ld h, D3 - we load the address byte 1 as D3 (item quantities are in the D3XX region)
ld a, 00 - we load 'a' as 0 (quantity of 0)
ld l,  23 - l=23, now our address is D323 (item 3 quantity)
inc b - useless code
ld (hli),a - means we put 'a' in D323, and then increase the hl value to D324
inc hl -  hl value=D325
ld (hli),a - means we will load a (0) into D325 (item 4 quantity), and increase hl to D326
inc hl - hl value =D327
ld (hli),a - means we put 'a' in D327 (item 5 quantity)
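As an added example (not code from the thread or from any of its posters), the following Python lays an item list out the way the bag stores it and steps through the small Game Boy opcode subset these codes use, so a code can be checked on paper before it touches a save; it reproduces Skeef's two ID codes ($D358/$D359 = $07CC = 01996), lowena's x0 trick and the writer code above. It assumes the Gen 1 item index values for the listed items, Yellow's bag layout with item 1's ID byte at $D31D and execution starting at item 3's ID byte, and hl equal to that entry address on entry (the x0 code depends on this); Red/Blue addresses are one higher.

```python
ITEM_ID = {"Poké Ball": 0x04, "Burn Heal": 0x0C, "Ice Heal": 0x0D, "HP Up": 0x23,   # Gen 1 item indices
           "Carbos": 0x26, "X Accuracy": 0x2E, "Revive": 0x35, "Max Revive": 0x36,
           "Fresh Water": 0x3C, "Soda Pop": 0x3D, "Lemonade": 0x3E, "8F": 0x5D,
           "ws m": 0x63, "TM01": 0xC9}
LD_R = {0x06: "b", 0x0E: "c", 0x26: "h", 0x2E: "l", 0x3E: "a"}   # ld r,d8
INC_R = {0x04: "b", 0x0C: "c", 0x3C: "a"}                         # inc r
DEC_R = {0x05: "b", 0x0D: "c", 0x3D: "a"}                         # dec r
def bag_bytes(items):
    """Flatten [(name, qty), ...] as the bag stores it: ID byte, quantity byte (x0 -> 00)."""
    return bytes(b for name, q in items for b in (ITEM_ID[name], q & 0xFF))

def run(ram, pc, hl, max_steps=64):
    """Execute the opcode subset the posted codes use from ram[pc] until ret; returns the disassembly."""
    r = {"a": 0, "b": 0, "c": 0, "h": hl >> 8, "l": hl & 0xFF}
    HL = lambda: (r["h"] << 8) | r["l"]
    def set_hl(v): r["h"], r["l"] = (v >> 8) & 0xFF, v & 0xFF
    out = []
    for _ in range(max_steps):
        op, n = ram[pc], ram[pc + 1]
        if op == 0xC9: out.append("ret"); return out
        if op in LD_R: r[LD_R[op]] = n; out.append(f"ld {LD_R[op]},${n:02X}"); pc += 2
        elif op in INC_R: r[INC_R[op]] = (r[INC_R[op]] + 1) & 0xFF; out.append(f"inc {INC_R[op]}"); pc += 1
        elif op in DEC_R: r[DEC_R[op]] = (r[DEC_R[op]] - 1) & 0xFF; out.append(f"dec {DEC_R[op]}"); pc += 1
        elif op == 0x36: ram[HL()] = n; out.append(f"ld (hl),${n:02X}"); pc += 2
        elif op == 0x77: ram[HL()] = r["a"]; out.append("ld (hl),a"); pc += 1
        elif op == 0x22: ram[HL()] = r["a"]; set_hl(HL() + 1); out.append("ld (hli),a"); pc += 1
        elif op == 0x23: set_hl(HL() + 1); out.append("inc hl"); pc += 1
        elif op == 0x2B: set_hl(HL() - 1); out.append("dec hl"); pc += 1
        elif op == 0x34: ram[HL()] = (ram[HL()] + 1) & 0xFF; out.append("inc (hl)"); pc += 1
        elif op == 0x35: ram[HL()] = (ram[HL()] - 1) & 0xFF; out.append("dec (hl)"); pc += 1
        else: raise ValueError(f"opcode ${op:02X} at ${pc:04X} is not modelled here")
    raise RuntimeError("no ret reached")

ITEMS_AT = 0xD31D    # Yellow: item 1's ID byte (Red/Blue is one higher, hence Skeef's "+1" note)
ENTRY = ITEMS_AT + 4  # item 3's ID byte, where ws m / 8F start executing; hl = ENTRY is assumed

def run_bag(bag, ram):
    """Lay the bag out in RAM and execute it from item 3."""
    data = bag_bytes(bag)
    ram[ITEMS_AT:ITEMS_AT + len(data)] = data
    return run(ram, ENTRY, ENTRY)

def yellow_player_id():
    """Skeef's two ws m codes: write $CC to $D359, then $07 to $D358, giving ID 01996."""
    ram = bytearray(0x10000)
    for lo, val in ((89, 204), (88, 7)):
        run_bag([("ws m", 1), ("Carbos", 1), ("X Accuracy", lo), ("Carbos", 211),
                 ("Max Revive", val), ("TM01", 1)], ram)
    return (ram[0xD358] << 8) | ram[0xD359]

def lemonade_x0():
    """lowena's x0 trick: slot 2's 'x2' is decremented twice through hl after dec hl."""
    ram = bytearray(0x10000)
    run_bag([("8F", 1), ("Lemonade", 2), ("Burn Heal", 43), ("Ice Heal", 53), ("Revive", 201)], ram)
    return ram[ITEMS_AT + 3]   # item 2's quantity byte
```

Any item byte the emulator does not model raises instead of guessing, which is exactly the case where a real cartridge would execute something you did not plan for.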