Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 33

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-09-07 08:27:50
He first needs to fix the negative experience Pokémon then run the offset code.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Yeniaul
Date: 2016-09-07 10:38:21

> He first needs to fix the negative experience Pokémon then run the offset code.

Well, yeah, but still…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-09-07 11:21:40

> Now trying to make the daycare cloning manipulation work (described here: http://forums.glitchcity.info/index.php?topic=6638.msg200226#msg200226). Just taken like this, it does not work for me. I thought about which item / item number could represent the address to which I want to add +5, in order to reach 77. After reading the asm code, I think I have to add +5 to the number of X Accuracy. I will try this, and come back to tell you whether it worked or not.
>
> EDIT2: Nope, X Accuracy x77 did not work. I really will have to properly look into this.

Because English Yellow has a -1 offset to English Red/Blue. I think the +5 for European Yellow is compared to English Yellow. That makes +4 compared to English Red/Blue.

It would need 71 X Accuracy in English Yellow. So 76 for European Yellow?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-07 13:03:17

> It'd be kinda funny if in 5 years the Autism posts were still there… it'd be like talking about soup in the middle of a Master's essay to see if …whoever grades those things reads it or not.
> Anyway, if the addresses are +5, why'd you lower the number of X Accuracy by more than 60?

I was now referring to my trying to implement the 'daycare cloning' manipulation, not the 'force max DV and experience stat' manipulation anymore, since I finally succeeded in doing this one : )

> > Now trying to make the daycare cloning manipulation work (described here: http://forums.glitchcity.info/index.php?topic=6638.msg200226#msg200226). Just taken like this, it does not work for me. I thought about which item / item number could represent the address to which I want to add +5, in order to reach 77. After reading the asm code, I think I have to add +5 to the number of X Accuracy. I will try this, and come back to tell you whether it worked or not.
> >
> > EDIT2: Nope, X Accuracy x77 did not work. I really will have to properly look into this.
>
> Because English Yellow has a -1 offset to English Red/Blue. I think the +5 for European Yellow is compared to English Yellow. That makes +4 compared to English Red/Blue.
>
> It would need 71 X Accuracy in English Yellow. So 76 for European Yellow?

Han, this explains that. I did not know this relationship between the memory addresses of R/B and those of Y, thanks for the information. Indeed, when using 76 X Accuracy, it works.
Now I just have to figure out if there is a way to implement a manipulation allowing one to receive a pokemon of one's choice, but with the perfect stats already here. But this is just for convenience, because thanks to all of you, I now have the possibility to achieve all that I want to do with a save of Pokemon Yellow : ) !

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-09-08 01:46:52
Yes,
European R/B = English R/B + 5
English Y = English R/B - 1
European Y = European R/B - 1

So,

European Y = English Y + 5
European Y = English R/B + 4

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Ketsuban
Date: 2016-09-09 20:53:40
Y*?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-09-10 04:37:53
Yeah, sure. Sorry :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-11 06:15:12
Hello everyone,

Still trying to make the Catch Them All 2 procedure work (described at the end of the first post of the thread, here: http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501). My first approach was to try to recognize what is a memory address in the asm code of the manipulation, increase it by 4, then convert it back into an (item; number of items) pair using a sheet such as this one (https://dl.dropboxusercontent.com/u/54952583/tmp.html). If I understood well, the procedure aims to call the function beginning at the memory address 3E48 in US R/B. That means that the same function should be located at 3E4C in French Yellow (3E48 + 4). If I am not wrong, that means I should use TM05 x76 instead of TM05 x72. But it does not work, it makes my game freeze.

But something funny happened when I tried it with TM05 x99: it worked, and I got a lvl11 Omastar (I tried the procedure with Repel x40 to get a Chansey, for information). The quantity of Repel does not seem to change the species of the pokemon: whether 39, 38 or 26, I always get a lvl11 Omastar. With TM05 x98, I still get a lvl11 Omastar. With TM05 x97, I get a lvl 211 Omastar. With TM05 x96, I get a lvl 2 Omastar. When using TM05 x95, my game freezes.

I thought that maybe the ld c, 02 part of the asm code was also linked to a memory address definition down the line (in the called procedure, maybe), so I added +4 to it (that implied using the Bicycle rather than the Ultra Ball, and using another item first so as to be able to set the value to 64), but it changed nothing in particular (still froze when using TM05 x76 or x72, still lvl11 Omastar with TM05 x99), except that when I used TM05 x96, I got a lvl 6 Omastar rather than a lvl 2, so I assume that this line in the asm procedure is used to set the lvl of the received pokemon to 2, so as to be able to train it however one wants.

So I am a bit baffled by this, and I wonder what I still do not know / do not understand so as to be able to translate such a procedure between the different versions of the game.
Also, it would be interesting to have a resource that lists the different procedures stored in the game's memory, as well as the addresses that allow calling them. Does such a resource exist? For example, how were you able to know that we must use the procedure stored at the address 3E48 for the US R/B version, in this case?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-09-11 07:11:02
Beware, not every byte in memory is shifted in EU localizations.

Memory is segmented into multiple segments; namely ROM, VRAM, SRAM, WRAM, ERAM, OAM and HRAM.
ROM addresses differ in complex ways between US and EU localizations. Usually when using functions, keep the address.
VRAM is the same (since a US GB and a EU GB are the same)
SRAM didn't change at all.
WRAM has the +5 (between US R/B and EU R/B) shift, but ONLY past certain addresses (I think the line is near D100).
ERAM is basically a copy of WRAM, but it's… complicated. Avoid it.
Do NOT touch OAM. Srsly.
HRAM didn't change.

So, you should try NOT to modify the function address :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-09-11 10:29:44
The shift in european non-english games starts at CF00, I think. Well, I don't know for CEXX, but CDXX (battle addresses) are not shifted and CFXX (Mart addresses) definitively are.

Since European non-english R/B and Y are not shifted out of this area, I'm guessing there is no shift between english language R/B and Y either.

For what it's worth, PRAMA has a gameshark section with all the shifted WRAM addresses for everything :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-09-11 17:11:48
Shameless ad is shameless. But nevertheless, it's a good resource if you understand French.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-12 01:37:22
Ah, ok, so it's more complex than what I thought.
Thanks for the information, ISSOtm and Krys3000. I will look at the Gameshark section of PRAMA : )
Though if I could try to make the Catch Them All 2 work, it would be great too (I may have missed something in PRAMA's Gameshark section, but I do not remember seeing something like this; if I ever find it I will let you know for sure), so I will continue to look into it when I have some time!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: XTFOX
Date: 2016-09-15 18:04:38

Has anybody tried writing scripts to sections of pokemon data for easy storage? I'd like to be able to just use "call nn" to the address of the script rather than editing items each time.

call ZZYY
ret

Items:

Something like the above would allow easy access to any script, and changing the script would be as simple as swapping item YY x ZZ. For example, if I were to have the following code as the first 3 items in the PC and wanted to copy it to Pokemon 4 in party's moves:

Box Items:

D53B-D53C: ld h, D3 ;Carbos x 211
D53D-D53E: ld l, 22 ;X Accuracy x 34
D53F:      jp hl    ;TM 33 x Any

Start of destination WWVV (D1F7)
Start of target code UUTT (D53B)
End of target code ??ZZ +1 (D1FB+1 = D1FC)
Note that all inc b are filler.

Code Value Item Breakdown
inc b ; Pokeball
ld d, UU ;D5 x22 && TM13
inc b ; x04
ld e, TT ;3B Repel x59
ld h, WW ;D1 Carbos x209
ld l, VV ;F7 X Accuracy x247
inc b ; Pokeball
ld a, (de) ; x26
inc de ; Super Potion
ld (hl+), a ; x34
ld a, ZZ ;FC Lemonade x252
inc b ; Pokeball
cp l ; x189
jr nz, F7 ; Fire Stone x247
ret ; TM01

Your Items:

This is just a proof of concept; ideally anybody could change the values of X Accuracy, Carbos, Repel, and Lemonade to make a new destination or starting point for a script of any length. Note that if you are storing the script to be copied in your item box, then TM13 (D5) will never need to change. Finally, this current setup is used to copy a bootstrap to Tentacool when using the Pidgey (233 HP), Parasect, Onix, Tentacool, and Kangaskhan bootstrap. This will allow you to use the following pokemon as a bootstrap:

Note that 3, 4 or 5 pokemon can be used as long as the first 2 slots are correct. Anybody have ideas of where to store the scripts? Also, does anybody know if hacked pokemon are tradeable on 3DS versions of RBY?

EDIT: Also, I didn't think about this while I was writing, but this could be used to copy any section of RAM, for example for pokemon or item duplication.
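The item-pair encoding in XTFOX's post, and the call that Pavel's TM05 items encode, worked through as an added Python example that is not code from the thread: it turns an (item, quantity) list into the bytes the 8F item ends up executing and decodes them with a small disassembler, so a script can be checked on paper before it is typed in. The item IDs are the Generation 1 item numbers, stated from knowledge rather than from the post, and the opcode table is only the subset of instructions that appear on this page.

```python
# Added example (not code from the thread): turn an (item, quantity) list into the
# byte stream the 8F trick executes and decode it with a minimal SM83 (Game Boy CPU)
# disassembler. Item IDs are the Generation 1 item numbers; OPCODES covers only the
# instructions seen in this thread, so decoding stops at the first unknown byte.

ITEM_ID = {
    "Poke Ball": 0x04, "Super Potion": 0x13, "Repel": 0x1E, "Fire Stone": 0x20,
    "Carbos": 0x26, "X Accuracy": 0x2E, "Lemonade": 0x3E,
    "TM01": 0xC9, "TM13": 0xD5, "TM33": 0xE9,
}

# opcode -> (mnemonic template, number of operand bytes)
OPCODES = {
    0x04: ("inc b", 0), 0x13: ("inc de", 0), 0x16: ("ld d, {}", 1),
    0x1A: ("ld a, (de)", 0), 0x1E: ("ld e, {}", 1), 0x20: ("jr nz, {}", 1),
    0x22: ("ld (hl+), a", 0), 0x26: ("ld h, {}", 1), 0x2E: ("ld l, {}", 1),
    0x3E: ("ld a, {}", 1), 0xBD: ("cp l", 0), 0xC9: ("ret", 0),
    0xCD: ("call {}", 2), 0xE9: ("jp hl", 0),
}

def items_to_bytes(items):
    """Each inventory slot is an item ID byte followed by a quantity byte."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def disassemble(code, base):
    """Decode linearly from address `base`; return (address, mnemonic) pairs."""
    listing, pc = [], 0
    while pc < len(code) and code[pc] in OPCODES:
        mnemonic, width = OPCODES[code[pc]]
        operand = code[pc + 1:pc + 1 + width]
        if len(operand) < width:
            break  # stream ends in the middle of an instruction
        # immediates are little-endian, so 'call 3E48' is stored as 48 3E
        value = int.from_bytes(operand, "little")
        listing.append((base + pc, mnemonic.format("$%0*X" % (2 * width, value))))
        pc += 1 + width
    return listing

# Constructed input: the three box items from the post (Carbos x211, X Accuracy x34,
# TM33 x any), which start at D53B in the listing above.
BOX_ITEMS = [("Carbos", 211), ("X Accuracy", 34), ("TM33", 1)]

for addr, text in disassemble(items_to_bytes(BOX_ITEMS), 0xD53B):
    print(f"{addr:04X}: {text}")
```

The quantity byte after jp hl (TM33 x1 here) is never reached, which is why the post marks it "x Any"; the decoder likewise stops there because 01 is not in its table.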

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Max
Date: 2016-09-15 21:54:41
I had a similar idea myself: to use the current box RAM for permanent subroutines. I haven't implemented this idea yet because I do not understand enough about the subject. The theory is as follows:

Assuming SRAM holds state due to the cartridge battery,
Assuming SRAM is written to by a "save" subroutine in ROM,
Assuming the "save" subroutine copies an entire section of WRAM to SRAM, specifically, that the entire current box pokémon list data is copied to SRAM regardless of the number of pokémon in the box,

So we can have an empty box filled with subroutines instead of pokémon data.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-09-16 18:26:33

> I had a similar idea myself: to use the current box RAM for permanent subroutines. I haven't implemented this idea yet because I do not understand enough about the subject. The theory is as follows:
>
> Assuming SRAM holds state due to the cartridge battery,
> Assuming SRAM is written to by a "save" subroutine in ROM,
> Assuming the "save" subroutine copies an entire section of WRAM to SRAM, specifically, that the entire current box pokémon list data is copied to SRAM regardless of the number of pokémon in the box,
>
> So we can have an empty box filled with subroutines instead of pokémon data.

From what I know, the game does just that. However, to access SRAM, you must unlock it (write $0A in range 0000 - 1FFF). Plus, to prevent your save file from decaying, you should lock SRAM right after (either write any non-$0A value to the memory range, or call some game code that just does that). Saving in any way (and accessing / updating the HoF too) should also lock SRAM.