Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 28

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-07-15 21:21:35
Speaking of which, does anybody know how to check if address YYZZ is XX, and what the output will be?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheUnReturned
Date: 2016-07-15 22:49:01
On the other hand, is it possible to switch to an invalid sound bank using 8F?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-15 23:49:44

> Speaking of which, does anybody know how to check if address YYZZ is XX, and what the output will be?


You could load that value into the quantity of the second item using the following inventory:

8F
(quantifiable item, e.g. Ice Heal)
Poke Ball x 43
Awakening x YY
Repel x ZZ
Max Ether x 26
Burn Heal x 119
TM01 x any

04      inc b
2b      dec hl
0e YY   ld c, YY
1e ZZ   ld e, ZZ
51      ld d, c
1a      ld a, [de]
0c      inc c
77      ld [hl], a
c9      ret

I haven't tested it yet, but I think that would work.

EDIT: Minor adjustment: decrementing HL is way more efficient than loading the value in directly.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-16 06:21:41

> On the other hand, is it possible to switch to an invalid sound bank using 8F?

That'd just require writing to C0EF and C0F0.
This should work:
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x119
    TM01 x[any qty] OR Poké Ball x201
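
Added example, not code from the thread: a small Python helper that turns an 8F item list (bag slots 3 onward, where the bootstrap lands) into the bytes the game executes and disassembles them with a table limited to the opcodes used in Aldrasio's and ISSOtm's lists above. The Gen 1 item IDs are real constants; the `encode`/`disassemble` names, the YY/ZZ values and the sound bank value are my own constructed choices.

```python
# Added example, not code from the thread. The bag stores (item, quantity) byte
# pairs and 8F's bootstrap lands on item 3's ID byte, so each pair is SM83 code.
ITEM_ID = {  # Gen 1 item IDs
    "Poke Ball": 0x04, "Burn Heal": 0x0C, "Awakening": 0x0E, "Repel": 0x1E,
    "Water Stone": 0x22, "Carbos": 0x26, "X Accuracy": 0x2E, "Lemonade": 0x3E,
    "Max Ether": 0x51, "TM01": 0xC9,
}
# opcode -> (mnemonic, number of immediate bytes); only the opcodes used on this page
OPS = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0E: ("ld c,{}", 1),
    0x1A: ("ld a,[de]", 0), 0x1E: ("ld e,{}", 1), 0x22: ("ld [hl+],a", 0),
    0x26: ("ld h,{}", 1), 0x2B: ("dec hl", 0), 0x2E: ("ld l,{}", 1),
    0x3E: ("ld a,{}", 1), 0x51: ("ld d,c", 0), 0x77: ("ld [hl],a", 0),
    0xC9: ("ret", 0),
}

def encode(items):
    """items: [(name, quantity), ...] for slots 3 onward; returns the executed bytes."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name}: a bag slot holds a one-byte quantity")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def disassemble(code):
    """Decode until 'ret'; raises on any opcode outside the page's table."""
    pc, lines = 0, []
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"opcode {op:02x} at offset {pc} is not in OPS")
        mnem, n = OPS[op]
        if pc + n >= len(code):
            raise ValueError(f"{mnem} at offset {pc} runs past the end of the bag")
        lines.append(mnem.format(f"${code[pc + 1]:02X}") if n else mnem)
        pc += 1 + n
        if op == 0xC9:
            break  # ret: nothing after it in the bag is executed
    return lines

# Aldrasio's list with constructed YY=$D3, ZZ=$5A: copies [D35A] into item 2's quantity.
ALDRASIO = [("Poke Ball", 43), ("Awakening", 0xD3), ("Repel", 0x5A), ("Max Ether", 26),
            ("Burn Heal", 119), ("TM01", 1)]
# ISSOtm's revised list (Water Stone x201 ends with ret), constructed sound bank value 2.
ISSOTM = [("Lemonade", 2), ("Carbos", 192), ("X Accuracy", 239), ("Water Stone", 201)]

if __name__ == "__main__":
    for who, items in (("Aldrasio", ALDRASIO), ("ISSOtm", ISSOTM)):
        print(who, encode(items).hex(" "), disassemble(encode(items)), sep="\n  ")
```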

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheUnReturned
Date: 2016-07-16 07:51:26

> > On the other hand, is it possible to switch to an invalid sound bank using 8F?
>
> That'd just require writing to C0EF and C0F0.
> This should work:
>     Lemonade x[sound bank]
>     Carbos x 192
>     X Accuracy x239
>     Water Stone x119
>     TM01 x[any qty] OR Poké Ball x201

What could possibly happen if we use this code before encountering 4 4?
Hell if we know.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2016-07-16 09:19:53

> > > On the other hand, is it possible to switch to an invalid sound bank using 8F?
> >
> > That'd just require writing to C0EF and C0F0.
> > This should work:
> >     Lemonade x[sound bank]
> >     Carbos x 192
> >     X Accuracy x239
> >     Water Stone x119
> >     TM01 x[any qty] OR Poké Ball x201
>
> What could possibly happen if we use this code before encountering 4 4?
> Hell if we know.

Absolutely nothing; encountering 4 4 would modify it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-07-16 09:36:14
> C0EF and C0F0.

Actually, you just need to mod C0EF.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-16 12:03:33
What is C0F0, then?

New code:
    Lemonade x[sound bank]
    Carbos x 192
    X Accuracy x239
    Water Stone x201
(unsure, but should be okay)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-07-16 13:14:36
I was trying to set up the bootstrap party for 8F, and each one I found in this post has some flaws. Kangaskhan is tedious to catch and specific stats are difficult to obtain. Because of that, I wrote one that uses only Pokémon which are already available when you can obtain 8F (with the Celadon looping map/item counter underflow method at least):

6 Pokémon:
1. Onix
2. Jolteon w/ 233 current HP
3. Pidgey
4. Pidgey
5. Tentacool (if you want, you can use mew glitch with clefairy lass in Mt. Moon - near the route 3 exit)
6. Parasect/Psyduck

Code:
D163  06 22  LD B, $22
D165  68     LD L, B          ; HL = D122
D166  24     INC H            ; HL = D222
D167  24     INC H            ; HL = D322
D168  18 2E  JR D198 (parasect)
D169  18 2F  JR D199 (psyduck)

D198  00     NOP
D199  E9     JP (HL)

Also, you can use a male Nidoran in slot 6 and have 233 HP on Onix, but it is only 5% on Blue.

PS. Now I have an idea of how to make it use only one Pidgey, but Pidgeys are easy to catch, and using Catch 'em all will screw up any bootstrap which isn't 6 Pokémon.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-16 14:26:27
Seems quite legit. According to Bulbapedia (and with some extremely rough approximations), 233 HP could be achieved near level 90 (level 99 always has more than 233 max HP).
Pidgey could be caught by Trainer-Fly, and Arbok is obtainable through Trainer-Fly. The post you have looked at must have been quite old.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-16 18:46:56
Actually, Pidgey can have as little as 190 HP at lvl 100. HP does have IVs in Gen 1 and 2 games. They just depend on whether the other stats have even or odd IVs. That's why HP IVs aren't on the RAM map.

Odd attack IV = +8 hp IV
Odd defence IV = +4 hp IV
Odd speed IV = +2 hp IV
Odd special IV = +1 hp IV

So if all are odd the HP IV would be 15.

Edit: Or did you mean Jolteon always has at least 233 HP at lvl 99?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-16 23:36:47

> Actually, Pidgey can have as little as 190 HP at lvl 100. HP does have IVs in Gen 1 and 2 games.

Yeah, with min IVs and no StatXP Pidgey will be stuck at 190 at the worst case. Also, if you use 10 HP UPs on Pidgey, it'll only bring it to 230 HP. It'd need another 3642 StatXP HP points, or 15 Chansey fights at minimum, to bring it up to 233.

That said, I'm not a big fan of using Jolteon simply because you can't underflow him to 100 like you can with Pidgey. I'm looking at some other Pokémon in the Medium Slow group to see if I can use one of them for a new bootstrap that can be set up relatively easily using the any% item underflow route.

EDIT: So I came up with a similar team that could be used for bootstrapping:
6 Pokemon:


WRA1:d163  06 0f     ld  b,0f
WRA1:d165  24        inc h
WRA1:d166  24        inc h
WRA1:d167  2e 22     ld  l,22
WRA1:d169  01 ff 0f  ld  bc,0fff
WRA1:d16c  00        nop
WRA1:d16d  e9        jp  hl


This is slightly different because the program counter doesn't JR past the FF marker at the end of the list; instead, it just rolls past it using a 16-bit load.

For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100. There's a Youngster before the entrance of Mt Moon that has a Spearow and nothing else (He's the male trainer between 2 ledges; he can only be approached by jumping over a ledge). Trainer-fly before going to see the Youngster, Growl at his Spearow 6 times before defeating it (or being defeated by it), then go back to the trainer-fly location and capture your Nidoran. Underflow it to level 100, use 1 or 2 HP UPs, and it'll have more than 233 HP.

Parasect can be obtained through trainer-fly as well. The first trainer in Blaine's gym has a Pokemon that corresponds to Parasect, so just lose to him to get one. You may need to use some item underflow trickery to get here if you don't have a Secret Key.

The Onix can be replaced with a Pidgey, which would jump to the 4th item in your list instead of the 3rd; Pidgey might be faster to obtain than Onix.

As for Rhydon, you can use the Old Man glitch to catch an 'M off the coast of Cinnabar. The first time you catch an 'M, it gets added to your Pokedex. After it plays the Pokedex entry, 'M magically becomes Rhydon.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-07-17 03:42:54

> For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100.


Never thought about it. I always got my money to ??28?? by selling Ultra Balls from brightness slot and spammed rare candies obtained that way.

Also, how do you know which trainers result in the pokemon you want in Trainer-Fly? I found http://puu.sh/257S but it is terrible. Mostly because you can't search on images automatically.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 05:13:24
Well, we usually use that. You can't search for images, but the same Pokémon tends to appear multiple times in an area, so…
And if you find better, let us know!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-17 07:02:24

> Parasect can be obtained through trainer-fly as well. The first trainer in Blaine's gym has a Pokemon that corresponds to Parasect, so just lose to him to get one. You may need to use some item underflow trickery to get here if you don't have a Secret Key.
>
> The Onix can be replaced with a Pidgey, which would jump to the 4th item in your list instead of the 3rd; Pidgey might be faster to obtain than Onix.
>
> As for Rhydon, you can use the Old Man glitch to catch an 'M off the coast of Cinnabar. The first time you catch an 'M, it gets added to your Pokedex. After it plays the Pokedex entry, 'M magically becomes Rhydon.


Paras evolves at lvl 24; it might be simpler to just level it up instead of going to Cinnabar gym.
And wouldn't any MissingNo. turn into Rhydon when you box it? Since 'M evolves into Kangaskhan, it's not a lot more efficient.
MissingNo. is easy to trainer-fly, since just talking to most in-game trade NPCs turns the resulting Pokémon into one. <- multiply Rare Candies at the same time and you can easily level Paras to 24.