Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 26

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Ephraim225
Date: 2016-06-15 17:04:40
If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.


Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-06-15 17:26:24

If there is a way to obtain a "Rival's effect"/"Jack effect" (walk through walls item) early such as "o" (hex:94) before Nugget Bridge, that could possibly be used to bypass the Nugget Rocket and the Rocket blocking the Dig TM NPC's house. It could also be used to bypass the Rocket blocking Fuchsia City's gym (though you might need to Teleport or Dig away after), also eliminating the need to battle Pokémon Tower's Jessie & James.


Yellow version speedruns get item underflow by setting up Trainer-Fly in Viridian Forest, having Misty be the most recent trainer battle and then blacking out back to Pewter to get the encounter. If Missingno. doesn't crash, what you can do is duplicate a Potion, use two of them, then capture Missingno. to duplicate them again. 255 Potions. Now you just need the right RAM values for Jack's item.

That's true. However Shina69 was asking how we could do this without the expanded items pack.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Ephraim225
Date: 2016-06-16 13:43:15
Oh whoops. I didn't look at the previous page ^^;

In that case there's only one other way I can think of: Have the Rocket NPC on Nugget Bridge disappear through the Mew Glitch. For that you'd have to figure out what that NPC's "disappearing object number" is, start the Mew Glitch on a map with that many objects -1, start the Mew Glitch there, head to Nugget Bridge, lose to one of the trainers, then make sure not to cross through any maps with more disappearing objects than the number you want.

So…I suppose it comes down to the number of disappearing objects on Route 24 and which one the Rocket is.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Nostalgia
Date: 2016-06-26 17:32:42
In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Ketchup901
Date: 2016-06-27 01:23:47
Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-06-27 14:36:31

Is there a catch 'em all script for Yellow? Or at least RAM/ROM maps so I can try to convert it myself?


Yes. The 'instant battle' catch 'em all script is the same as the Red/Blue catch 'em all script other than we change address D059 to D058 (this is the case with many addresses in Yellow; there is a subtraction of 1 and usually when you see an address in the DXXX you may be able to subtract 1 to get the Yellow address); hence we can use a TM34 x88 instead of TM34 x89.

Like this:

Item 3: Lemonade x(xx)
Item 4: TM34 x88
Item 5: TM08 x201


3E xx EA 58 D0 C9

ld a,xx
ld (D058),a
ret


(As always, this will only work with bootstrap code to item 3 such as this setup by Pigdevil2010)

In case you don't know, more addresses can be found on the Pokémon Red RAM map and Pokémon Red disassembly/WRAM :) We can subtract 1 from them to get many of the Yellow addresses, except for some such as CD38 (which when 1 allows us to walk through walls).

Additionally, if you want to receive the Pokémon as a gift; the code needs to be adjusted to account for the change of a location of a routine in the ROM:


Item 3: Repel x[SpeciesIndex]
Item 4: X Speed x14
Item 5: Ultra Ball x64
Item 6: TM05 x89
Item 7: Lemonade x201


Code:
1E 20 43 0E 02 40 CD 59 3E C9

ASM:

ld  e,[SpeciesIndex]   ; 1E xx    - Repel x[SpeciesIndex] (20 above is just an example)
ld  b,e                ; 43       - X Speed
ld  c,02               ; 0E 02    - x14, Ultra Ball
ld  b,b                ; 40       - x64 (does nothing)
call 3E59              ; CD 59 3E - TM05 x89, Lemonade (Yellow location of the routine)
ret                    ; C9       - x201


Hope this helps! ^_^

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-06-27 15:54:05

In Pokemon Yellow using ws m is it possible to change the trainer ID?

I read somewhere that you could, but not sure and never seen a video showing it.


Yes. Here is some code for that sole purpose. :)


ld a,xx        ; 3E xx - Lemonade x(xx)
ld e,yy        ; 1E yy - Repel x(yy)
ld h,d3        ; 26 D3 - Carbos x211
ld l,58        ; 2E 58 - X Accuracy x88 (x89 in Red/Blue, giving D359)
ldi (hl),a     ; 22    - Water Stone
ld (hl),e      ; 73    - x115
ret            ; C9    - TM01


3E xx 1E yy 26 D3 2E 58 22 73 C9


Lemonade x (xx)
Repel x (yy)
Carbos x 211
X Accuracy x88
Water Stone x115
TM01 x(any)


(The X Accuracy is x89 in Red/Blue)

Where the quantity of the Lemonade is the first byte of your new Trainer ID (in hexadecimal) and the quantity of the Repel is the second byte of your Trainer ID (in hexadecimal). For example, if we want the Trainer ID 42965, we can go on Windows Calculator or use a converter and convert it to get hex:A7D5 (A7 for byte 1 and D5 for byte 2. A7 converts into 167 in decimal, while D5 converts into 213 in decimal). We cannot have Trainer IDs greater than 65535, sadly.

The changes are invisible until you capture a new Pokémon, because the Trainer Card doesn't display the Trainer ID in Generation I.

With the 'in-built GameShark code' in my earlier post designed for multiple tasks (note that for Yellow version we use X Accuracy x34), you can use the Lemonade as your byte value (e.g. A7) and Carbos x 211, X Accuracy x 88 as the other parameters (h [address byte 1], and l [address byte 2]).

Additionally, if we activate the expanded items pack, your Trainer ID addresses can be found as item 30's quantity (byte 1) and item 31 (byte 2), which means that if you want to have a particular ID you can get most by tossing from item 30, and changing item 31. The ID 01234 (04D2 in hexadecimal) could be obtained with a quantity of 4 in item 30 and a 'D2 item' (TM10 according to The Big HEX List) in item 31. Glitch items can be obtained with the Celadon looping map trick, but if you want to do this make sure you carefully navigate the menu slowly with B; as a 'long name glitch item' can easily freeze your game (and there is a chance of Continue being removed from the options) if the A button is pressed on it.

Hope this helps. ^_^
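
Both of Torchickens's posts above build a routine and then read it off as item slots: every even byte is an item ID, every odd byte is a quantity. The script below is an added example, not code from the thread; it does that mapping mechanically for any byte string, builds the 'set Trainer ID' routine for any 16-bit ID (Yellow or Red/Blue), and refuses the two cases the bag cannot express: a quantity byte of 00 and an ID byte that is not a regular item. The item table only covers the items the posts themselves pair with hex values (TM01..TM50 = C9..FA), and slot numbering assumes a bootstrap that starts at item 3, as with the pigdevil2010 setup.

```python
# Added example, not from the thread: mapping machine code onto the item list
# the way the 8F / ws m setups above do, plus building the 'set Trainer ID'
# routine for any 16-bit ID. Slot numbering assumes the pigdevil2010-style
# bootstrap that starts executing at item 3.

# Item IDs the thread pairs with hex bytes (Lemonade = 3E, Repel = 1E, ...);
# TM01..TM50 occupy C9..FA, so TMxx = C8 + xx. Not a full item table.
ITEM_NAMES = {
    0x02: "Ultra Ball", 0x03: "Great Ball", 0x04: "Poké Ball",
    0x1E: "Repel", 0x22: "Water Stone", 0x26: "Carbos", 0x2E: "X Accuracy",
    0x35: "Revive", 0x3E: "Lemonade", 0x43: "X Speed",
}
ITEM_NAMES.update({0xC8 + n: f"TM{n:02d}" for n in range(1, 51)})


def encode_items(code: bytes, first_slot: int = 3, require_ret: bool = True):
    """Return [(slot, item name, quantity), ...] holding `code` byte for byte.

    Even offsets land in item ID bytes, odd offsets in quantity bytes. Two
    things cannot be expressed: a quantity byte of 00 (no such stack exists)
    and an ID byte that is not a real item (that needs a glitch item).
    A trailing lone ID byte gets quantity None, the thread's "x(any)".
    """
    if not code:
        raise ValueError("empty code")
    if require_ret and code[-1] != 0xC9:
        raise ValueError("code does not end in C9 (ret); execution would run on into the bag")
    items = []
    for i in range(0, len(code), 2):
        name = ITEM_NAMES.get(code[i])
        if name is None:
            raise ValueError(f"byte {code[i]:02X} at offset {i} is not a regular item ID")
        qty = code[i + 1] if i + 1 < len(code) else None
        if qty == 0:
            raise ValueError(f"quantity byte 00 at offset {i + 1} cannot be held")
        items.append((first_slot + i // 2, name, qty))
    return items


def trainer_id_code(trainer_id: int, yellow: bool = True) -> bytes:
    """The thread's routine: ld a,hi / ld e,lo / ld h,D3 / ld l,58 (59 in R/B)
    / ldi (hl),a / ld (hl),e / ret. Writes hi to D358 and lo to D359 in Yellow."""
    if not 0 <= trainer_id <= 0xFFFF:
        raise ValueError("Trainer IDs are 16-bit: 0..65535")
    hi, lo = divmod(trainer_id, 0x100)
    low_addr = 0x58 if yellow else 0x59
    return bytes([0x3E, hi, 0x1E, lo, 0x26, 0xD3, 0x2E, low_addr, 0x22, 0x73, 0xC9])


def trainer_id_expanded_slots(trainer_id: int):
    """Expanded-items route: the ID is item 30's quantity and item 31's ID byte."""
    hi, lo = divmod(trainer_id, 0x100)
    return hi, ITEM_NAMES.get(lo, f"glitch item {lo:02X}")


if __name__ == "__main__":
    for slot, name, qty in encode_items(trainer_id_code(42965)):
        print(f"Item {slot}: {name} x{qty if qty is not None else '(any)'}")
```

Running it on 42965 reproduces the Lemonade x167 / Repel x213 / Carbos x211 / X Accuracy x88 / Water Stone x115 / TM01 list from the post; an ID such as 256 (hex 0100) is rejected, because its low byte would have to be a Repel stack of quantity 0.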

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Nostalgia
Date: 2016-06-28 11:16:08
What's the TM01 for in that code? Because I don't have that TM anymore..

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-06-28 13:53:59

What's the TM01 for in that code? Because I don't have that TM anymore..


TM01 ends the code (Hex C9). It's available in Celadon Dept. Store.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-06-29 08:13:10
If you don't use a C9, bad shit will happen  ;D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Nostalgia
Date: 2016-06-30 13:02:10
Can you delete old key items with ws m?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-06-30 15:30:20
Yeah, you could use a code that mutates items for example. Such as (using pigdevil2010's bootstrap setup !)

8F / ws l m
Key item
Poké Ball x43
Great Ball x43
Revive x201


inc b      ; 04 - Poké Ball
dec hl     ; 2B - x43
inc bc     ; 03 - Great Ball
dec hl     ; 2B - x43
dec (hl)   ; 35 - Revive
ret        ; C9 - x201

You'll increase item #2's ID by one each time you use 8F / ws l m. It will be of quantity 1.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-02 05:18:53
So lately I have been looking into TheZZAZZGlitch's pong game. However, after trying to break down the code into map coordinates, I am left with a few questions which I hope someone can help me with.

The first thing I am wondering about is the entry point. The code starts at $D901, which is the opponent's 3rd Pokémon's type 1. Does the opponent's Pokémon data reset to 0 after saving and restarting, or does it persist? In other words, will the pong game still be there after saving?

A few other things I'm not too sure about are some opcodes.
Namely:
- ldi (hl),a
I can't find this one on the CPU chart. But I'm pretty sure it's opcode 22 (ld (hl+),a), which I think loads a into (hl) and then increments the hl register. Is that correct?

- ld  a,($FF00+A2)
There are a few of these, I have no idea what to do with them  );

And finally, commands that take a 2 byte input. These require the lower byte first then the higher byte right? They already seem to be listed in the code with the lower byte first, but I'm not sure.

Any help on this is much appreciated.
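
The three opcode questions in the post above can be settled with a table of the Game Boy CPU (SM83) instructions that the codes in this thread use. This is an added example, not something posted in the thread: 22 is ld (hl+),a, which the disassembly listings here write as ldi (hl),a; F0 nn is the short form of ld a,($FF00+nn), a read from the I/O register or HRAM byte at FFnn; and every two-byte operand is stored low byte first, which is why ld (D058),a appears as EA 58 D0. The default base address D322 is assumed to be item 3's ID byte in Red/Blue (D321 in Yellow) and only matters for the printed addresses.

```python
# Added example, not from the thread: a disassembler for the handful of
# SM83 (Game Boy CPU) opcodes that appear in the 8F / ws m codes above. The
# base address D322 is assumed to be item 3's ID byte in Red/Blue (D321 in
# Yellow); pass your own base if the bootstrap jumps elsewhere.

# opcode -> (mnemonic template, operand size in bytes)
# {n} is a one-byte immediate, {nn} a two-byte address stored low byte first.
OPCODES = {
    0x00: ("nop", 0),
    0x01: ("ld bc,{nn}", 2),
    0x03: ("inc bc", 0),
    0x04: ("inc b", 0),
    0x0E: ("ld c,{n}", 1),
    0x11: ("ld de,{nn}", 2),
    0x1E: ("ld e,{n}", 1),
    0x21: ("ld hl,{nn}", 2),
    0x22: ("ldi (hl),a", 0),        # also written ld (hl+),a: store a, then hl += 1
    0x26: ("ld h,{n}", 1),
    0x2A: ("ldi a,(hl)", 0),        # ld a,(hl+)
    0x2B: ("dec hl", 0),
    0x2E: ("ld l,{n}", 1),
    0x32: ("ldd (hl),a", 0),        # ld (hl-),a
    0x35: ("dec (hl)", 0),
    0x3E: ("ld a,{n}", 1),
    0x40: ("ld b,b", 0),
    0x43: ("ld b,e", 0),
    0x73: ("ld (hl),e", 0),
    0xC3: ("jp {nn}", 2),
    0xC9: ("ret", 0),
    0xCD: ("call {nn}", 2),
    0xE0: ("ld ($FF00+{n}),a", 1),  # ldh (n),a: write an I/O or HRAM register
    0xEA: ("ld ({nn}),a", 2),
    0xF0: ("ld a,($FF00+{n})", 1),  # ldh a,(n): read from $FF00-$FFFF
    0xFA: ("ld a,({nn})", 2),
}


def le16(addr: int) -> bytes:
    """Encode a 16-bit address the way the CPU expects it: low byte first."""
    return bytes([addr & 0xFF, addr >> 8])


def disassemble(code: bytes, base: int = 0xD322):
    """Return [(address, hex bytes, mnemonic), ...] for a run of code."""
    listing = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} at {base + pc:04X} is not in this table")
        template, size = OPCODES[op]
        operand = code[pc + 1:pc + 1 + size]
        if len(operand) != size:
            raise ValueError(f"instruction at {base + pc:04X} is cut off")
        if size == 1:
            text = template.format(n=f"{operand[0]:02X}")
        elif size == 2:
            # Low byte first: 58 D0 is the address D058.
            text = template.format(nn=f"{operand[0] | (operand[1] << 8):04X}")
        else:
            text = template
        listing.append((base + pc, code[pc:pc + 1 + size].hex().upper(), text))
        pc += 1 + size
    return listing


if __name__ == "__main__":
    # The Yellow 'set Trainer ID' code from the thread, with ID A7D5 filled in.
    for addr, raw, text in disassemble(bytes.fromhex("3EA71ED526D32E582273C9")):
        print(f"{addr:04X}  {raw:<8} {text}")
```

Any opcode outside this table raises rather than guessing, which is the behaviour you want when checking a code that was read off an item list by hand.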

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-02 14:13:53

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-07-03 06:24:00
How did you get your own personal Game Freak?  :o