Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 29

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 07:31:03
Not all Missingno become Rhydons. Only the one that triggers the Pokédex entry.

Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered. Since we have to Cooltrainer him, we need a Ditto, and for that:
* either we obtain it legit east of Fuchsia City, which implies going to the Cycling Road, which implies getting the Poké Flute;
* or we Trainer-Fly the bottom-left Channeler in Sabrina's Gym, which implies getting Cut and beating Silph Co. (unless we find a way to remove the corresponding Rocket using TFly object removal manipulation).

The best solution I can see is the first one.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-17 07:32:40
Remove Snorlax glitch? No Poké Flute required 8)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 07:35:19
Yep, forgot about that one. Is it that Snorlax that is removed? Or the other?

Also, here are replacements for Rhydon.
Cubone:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 11 ff 0f        ld  de,0fff
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Voltorb:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 06 ff            ld b, ff
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Gengar:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 0e ff            ld c, ff
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Gyarados:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 16 ff            ld d, ff
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Chansey:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 28 ff            jr z, d16a ; never occurs because inc h resets this flag
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Either Drowzee or hex:38 Missingno will work (if the carry flag is unset, it will be Missingno, otherwise Drowzee)

Drowzee / Missingno:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 30/38 ff        jr nc/c, ff ; Drowzee/Missingno
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


hex:3E Missingno:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 3e ff            ld a, ff
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl


Other Pokémon work, but they are all glitch Pokémon, so I didn't mention them.

Cubone is Trainer-Flyable in Routes 6, 9, 24, 25, and in Mt. Moon as well as the Rock Tunnel.
Voltorb seems not to be obtainable through TFly, but maybe by Ditto tricking.
Gengar is Trainer-Flyable from Brock, and also in Routes 3, 24 and 25.
Gyarados can be TFlyed in Routes 9, 13 and Mt. Moon.
Chansey can be TFlyed in Routes 8, 13 and Erika's Gym as well as Lavender Town.
Drowzee can be TFlyed in Routes 11, 12, and 14.

I may have missed some TFly spots, but I can guarantee that Voltorb cannot be obtained.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-17 07:38:46
You can remove both of them with the glitch. I don't think you can remove the Rocket in front of Sabrina's Gym with the glitch though. You could use the Safari Zone walk-through-walls glitch to walk through him, but that's a lot of work.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 08:20:19
I guess it is better to just go to the Cycling Road.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-17 09:44:23


For the Nidoran, you can use trainer-fly to get one at level 1 and then EXP underflow it to 100.

Also, how do you know which trainers result in the pokemon you want in Trainer-Fly? I found http://puu.sh/257S but it is terrible. Mostly because you can't search on images automatically.


That's actually exactly what I used, lol. I had this list open, and for higher-valued indices I looked in places where you'd find higher-level trainers. I also zoomed the image out and kinda scanned for the Pokemon I was looking for. Took a while, but I found what I was looking for.


Either Drowzee or hex:38 Missingno will work (if the carry flag is unset, it will be Missingno, otherwise Drowzee)

Drowzee / Missingno:

WRA1:d163 06 0f            ld  b,0f
WRA1:d165 24              inc  h
WRA1:d166 24              inc  h
WRA1:d167 2e 22            ld  l,22
WRA1:d169 30/38 ff        jr nc/c, ff ; Drowzee/Missingno
WRA1:d16b 0f              rrca
WRA1:d16c 00              nop 
WRA1:d16d e9              jp  hl



I just checked, all flags are unset once you jump to the items with 8F. It'd have to be Missingno(38).
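To see why the species byte at d169 matters, here is a small added example (my own code, not anything from the thread or the game): a model of just the SM83 (Game Boy CPU) instructions used in the party-data listings above, run over each candidate species byte to check whether execution still reaches "jp hl" with HL pointing at d322. It assumes H is 0xD1 when 8F hands control to d163 (so the two "inc h" plus "ld l,22" land on d322) and, as reported in the previous post, that all flags start clear; both are parameters, so the carry-set case ISSOtm mentions for Drowzee/Missingno can be checked too.

```python
# Added example (not the thread's own code): a minimal model of the SM83
# (Game Boy CPU) instructions that appear in the party-data bootstrap listings,
# used to check which species byte at d169 still reaches "jp hl" with HL = d322.
# Assumption: when 8F hands control to d163, H is 0xD1 (so "inc h" twice and
# "ld l,22" land on d322); the flag state defaults to all clear, as reported above.

BASE = 0xD163
PREFIX = bytes([0x06, 0x0F, 0x24, 0x24, 0x2E, 0x22])  # ld b,0f ; inc h ; inc h ; ld l,22
SUFFIX = bytes([0xFF, 0x0F, 0x00, 0xE9])              # ff ; rrca ; nop ; jp hl

# Internal index bytes quoted in the listings above, as they land at d169.
SPECIES = {
    "Cubone": 0x11, "Voltorb": 0x06, "Gengar": 0x0E, "Gyarados": 0x16,
    "Chansey": 0x28, "Drowzee": 0x30, "Missingno (38)": 0x38, "Missingno (3E)": 0x3E,
}

LD_R_N = {0x06: "b", 0x0E: "c", 0x16: "d", 0x1E: "e", 0x26: "h", 0x2E: "l", 0x3E: "a"}
JR_COND = {  # relative jumps: opcode -> predicate on (Z, C)
    0x18: lambda z, c: True, 0x20: lambda z, c: not z, 0x28: lambda z, c: z,
    0x30: lambda z, c: not c, 0x38: lambda z, c: c,
}


def run_bootstrap(species_byte, h=0xD1, l=0x63, a=0x00, z=False, c=False, max_steps=16):
    """Execute the 11-byte listing built around species_byte.

    Returns (outcome, hl, trace): outcome is "jp hl" (bootstrap handed over to
    HL), "rst 38" (fell onto the ff byte), "unknown opcode" or "runaway";
    trace lists the address of every instruction executed.
    """
    code = PREFIX + bytes([species_byte]) + SUFFIX
    mem = {BASE + i: b for i, b in enumerate(code)}
    r = {"a": a, "b": 0, "c": 0, "d": 0, "e": 0, "h": h, "l": l}
    hl = lambda: (r["h"] << 8) | r["l"]
    pc, trace = BASE, []
    try:
        for _ in range(max_steps):
            op = mem[pc]
            trace.append(pc)
            if op == 0x00:                       # nop
                pc += 1
            elif op in LD_R_N:                   # ld r,n
                r[LD_R_N[op]] = mem[pc + 1]
                pc += 2
            elif op == 0x11:                     # ld de,nn (little-endian)
                r["e"], r["d"] = mem[pc + 1], mem[pc + 2]
                pc += 3
            elif op == 0x24:                     # inc h: Z from the result, C untouched
                r["h"] = (r["h"] + 1) & 0xFF
                z = r["h"] == 0
                pc += 1
            elif op == 0x0F:                     # rrca: C = old bit 0 of A; SM83 clears Z
                c = bool(r["a"] & 1)
                r["a"] = ((r["a"] >> 1) | (r["a"] << 7)) & 0xFF
                z = False
                pc += 1
            elif op in JR_COND:                  # jr cc,e8: offset is relative to pc+2
                off = mem[pc + 1]
                off -= 0x100 if off > 0x7F else 0
                pc += 2 + (off if JR_COND[op](z, c) else 0)
            elif op == 0xE9:                     # jp hl: bootstrap complete
                return "jp hl", hl(), trace
            elif op == 0xFF:                     # rst 38: control leaves the listing
                return "rst 38", hl(), trace
            else:
                return "unknown opcode", hl(), trace
    except KeyError:                             # fetched a byte outside the listing
        pass
    return "runaway", hl(), trace


def check_all(**state):
    """Outcome per Pokémon for a given starting CPU state."""
    return {name: run_bootstrap(b, **state)[0] for name, b in SPECIES.items()}


if __name__ == "__main__":
    for flags in ({}, {"c": True}):
        print(flags or "all flags clear", check_all(**flags))
```

With flags clear, every listed species reaches "jp hl" with HL = d322 except Drowzee, whose "jr nc,ff" is taken and lands on the ff byte (rst 38); with carry set the two swap, which is the case ISSOtm describes. Chansey's "jr z" is safe in either state because "inc h" leaves Z clear when H is non-zero.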

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 10:01:09
I used the same method for my overly long post. I searched for Pokémon around the world (while having the image zoomed, of course :P), and wrote my results.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-07-17 12:30:08

Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered.


To be perfectly correct, you should have said "Non-English European R/B versions have more trouble getting a non-Ghost/Fossil MissingNo. by either Ditto or Old Man glitch"

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-17 12:54:21
Came up with another script: Change the background music.


WRA1:d322 0e xx            ld  c,xx    ; xx for sound bank
WRA1:d324 3e yy            ld  a,yy    ; yy for music index number
WRA1:d326 cd a1 23        call 23a1    ; PlayMusic function
WRA1:d329 c9              ret


And I couldn't find a list of song indices anywhere from googling, so here's one I made from the ROM map on Datacrystal a while ago:

Bank 02 (2):

Bank 08 (8):

Bank 1F (31):


So, if for example you wanted to play the SS Anne music, you'd need 2 Awakenings and 216 Lemonades. If you wanted to play the Pokemon Tower music, you'd need 31 Awakenings and 240 Lemonades.

Something to note, if you use anything from Bank 02 or Bank 1F in battle, it'll mess with the other battle sound effects. If you use anything from Bank 08 on the overworld, it'll also mess with other sound effects.
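As an added example (my own code, not from the post or the game), here is the arithmetic behind "2 Awakenings and 216 Lemonades": assemble the four-instruction music script above for a given bank and index, then split the bytes into the (item id, quantity) pairs that an 8F item list spells out. The item ids are from the Gen I item table as I recall them; only Awakening (0x0E) and Lemonade (0x3E) are confirmed by the post's own numbers, and the names for the remaining pairs are labelled as such in the code.

```python
# Added example (not the thread's own code): assemble the background-music
# script quoted above and split its bytes into the (item id, quantity) pairs an
# 8F bag list spells out, which is how the post arrives at "2 Awakenings and
# 216 Lemonades". Item ids are from the Gen I item table as I recall them; only
# Awakening (0x0E) and Lemonade (0x3E) are confirmed by the post's own numbers.

PLAY_MUSIC = 0x23A1  # address the script calls

ITEM_NAMES = {0x0E: "Awakening", 0x3E: "Lemonade",
              0x23: "HP Up", 0xC9: "TM01", 0xCD: "TM05"}  # last three from memory


def music_script(bank, index):
    """ld c,bank ; ld a,index ; call PLAY_MUSIC ; ret  (8 bytes)."""
    if not (0 <= bank <= 0xFF and 0 <= index <= 0xFF):
        raise ValueError("bank and index must each fit in one byte")
    return bytes([0x0E, bank, 0x3E, index,
                  0xCD, PLAY_MUSIC & 0xFF, PLAY_MUSIC >> 8,  # call, little-endian
                  0xC9])


def to_item_pairs(code):
    """Map even-length code to bag entries [(item id, quantity), ...].

    A quantity byte of 0 has no bag representation, so such a script is
    rejected rather than silently mis-encoded.
    """
    if len(code) % 2:
        raise ValueError("pad the script to an even length; bytes after ret never run")
    pairs = [(code[i], code[i + 1]) for i in range(0, len(code), 2)]
    for item, qty in pairs:
        if qty == 0:
            raise ValueError(f"item {item:02X} would need quantity 0, which cannot be held")
    return pairs


def shopping_list(bank, index):
    """Readable bag entries for a given bank/index."""
    return [(ITEM_NAMES.get(item, f"item {item:02X}"), qty)
            for item, qty in to_item_pairs(music_script(bank, index))]


if __name__ == "__main__":
    print(shopping_list(0x02, 0xD8))  # the post's S.S. Anne example
    print(shopping_list(0x1F, 0xF0))  # the post's Pokémon Tower example
```

The first two pairs are the ones the post names; the "call 23a1" and "ret" bytes become two further items whose quantities are fixed by the address, and a bank or index of 0 is refused because it would need a quantity of 0.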

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-07-17 12:55:41


Also, European versions have more trouble getting a Missingno, since it automatically crashes the game when encountered.


To be perfectly correct, you should have said "Non-English European R/B versions have more trouble getting a non-Ghost/Fossil MissingNo. by either Ditto or Old Man glitch"


True, my English European Red cartridge has no problems with Missingno. Nor does my English Virtual Console (which I'm pretty sure is available worldwide).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-17 16:25:17
Also, my French Rouge (Red) 3DS VC has trouble with Missingno. It crashed on me with a single "beep" when I believe it tried to load its sprite.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-25 14:34:54
Something occurred to me today: Creating a bootstrapping program that takes input from the Game Boy's serial port would be both short to write with items and pretty fast to execute, assuming you had something specifically designed for it attached to the serial port. You could probably make a simple datalink device with an Arduino or something. Has anyone tried this?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-07-25 19:40:15
You named it.
http://www.youtube.com/watch?v=3UnB1fomvAw

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2016-07-25 20:34:05
Yeah, but that TAS's bootstrapper uses the 8 buttons on the Game Boy as 8 bits for input, and it just reads an input each frame. Best you can do with that is 60 B/s. With the serial port, if you use the internal clock at its lowest setting you get 1024 B/s.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Spoink
Date: 2016-07-25 21:07:40
2:48 is CGOL
2:54 is foreshadowing

And I know 60(+8 or something idkaidc) digits of pi