Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 34

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2016-09-22 15:49:42
I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

The link in the description was broken, after trying to fix it it just led to the first post on this topic.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Charmy
Date: 2016-09-23 00:21:03

> The link in the description was broken, after trying to fix it it just led to the first post on this topic.

Recently, we had some maintenance.

> I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.

I semi-understand this.
8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
For larger codes you need to make a script I don't remember.
You can get stacks of items over 99 via 'M or Missingno. (all forms).
Yellow has w  s m, which is equal to 8F.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2016-09-23 17:56:44


> > The link in the description was broken, after trying to fix it it just led to the first post on this topic.
>
> Recently, we had some maintenance.
>
> > I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.
>
> I semi-understand this.
> 8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
> For larger codes you need to make a script I don't remember.
> You can get stacks of items over 99 via 'M or Missingno. (all forms).
> Yellow has w  s m, which is equal to 8F.

I understand how 8F works, but I don't know how loading the save file after restarting caused arbitrary code to run (in order to display the text and stuff)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-25 13:47:01
Hello everyone!

Still trying to get a working version of the Catch Them All 2 (http://forums.glitchcity.info/index.php?topic=6638.msg189501#msg189501, at the end of the first post) for a French Pokemon Yellow; I'm still stuck with only being able to get an Omastar, with the following minimal code:
1: wsm
2: whatever
3: TM05 x96
4: Lemonade x201
which translates to the following asm code:
CD 60 3E <=> call 3E60
C9       <=> ret

I guess that the call action calls a function which begins at the specified location in memory, and that this function either uses the current value of some counter variables (such as c or b), or the current values located at some places in memory, in which case we use the counter to set the value specified by those memory locations.
I was wondering where you got the information about which memory location corresponds to which function, and what the arguments of a given function are, and their corresponding counter / memory location. I read somewhere that things such as a decompilation project, such as 'https://github.com/pret/pokered', can help, but in this case, even if I think I found what I was looking for (https://github.com/pret/pokered/blob/7c01509b6b69b4dc33f5d739589d50f26ffd65b0/engine/give_pokemon.asm), I am still not able to use this knowledge, because I do not know the memory addresses corresponding to the function or its arguments.
Well, I guess I may have found myself a starting memory address for this function that does not make the game freeze (the one I use above, 3E60), but I am not sure that it is the correct one (following the +4 offset between US B/R and European Y, it should have been 3E4C, but this one makes my game freeze), and I am still not able to parametrize the given pokemon species.

So that is why I am asking you: would it be possible for you to tell me how you determine where the function you want to call begins in memory, and which are its corresponding arguments, and their respective memory representation / location, please?

I am sorry jfb1337, I do not know enough, I cannot help you : /

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2016-09-27 08:36:59


> > However, to access SRAM, you must unlock it (write $0A in range 0000 - 1FFF). Plus, to prevent your save file from decaying, you should lock SRAM right after (either write any non-$0A to the memory range, or call some game code that just does that). Saving in any way (and accessing / updating the HoF too) should also lock SRAM.
>
> Actually, none of that is necessary in Gen I. SRAM is permanently unlocked there and can be accessed at any time. The programmers didn't decide to take advantage of SRAM locking until Generation II.

I don't agree. See https://github.com/pret/pokered/blob/2b2c6fefd311101c87845c8c498746dc74bd725f/engine/save.asm#L35 and https://github.com/pret/pokered/blob/2b2c6fefd311101c87845c8c498746dc74bd725f/engine/save.asm#L226
SRAM is enabled and disabled, so it is locked in normal gameplay. We would still need to write $0A.

> > > The link in the description was broken, after trying to fix it it just led to the first post on this topic.
> >
> > Recently, we had some maintenance.
> >
> > > I just watched this video, and I don't really understand how it works - How does the code get executed from the save file? I'm assuming there's some kind of buffer overflow exploit in the load routine, I'd be interested to know the details.
> >
> > I semi-understand this.
> > 8F executes code from somewhere around your party, then jumps to it, that's why you need a specific party, to form a jump instruction to jump to the third item data, then the code gets executed.
> > For larger codes you need to make a script I don't remember.
> > You can get stacks of items over 99 via 'M or Missingno. (all forms).
> > Yellow has w  s m, which is equal to 8F.
>
> I understand how 8F works, but I don't know how loading the save file after restarting caused arbitrary code to run (in order to display the text and stuff)

There are several ways of achieving this, such as modifying D36E (the current map script) to run a code written somewhere in RAM (in the case of this creepypasta save file, the PC Pokémon data will largely suffice, I think). Then, you have some code that's automatically run as the save file is loaded.
I don't know if there is a way to run custom code before selecting a file, but I heavily doubt it.

General method:

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-09-27 14:06:28
Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address 3E48, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the recipe for receiving a pokemon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.

Now the code works wonders, I can receive the pokemon of my choice at lvl2 : )

Thanks again for having taken the time to answer my questions and my messages : ) !

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Dudeopi
Date: 2016-10-11 12:16:24
Hi, I'm new here. I've been trying to learn 8F asm programming and I mostly want something in yellow that gives me max ivs and evs and is easy to set up. So I was wondering if there was a way to use pc Pokémon as the program and then have it apply to the last Pokémon in the pc. That way I could deposit a Pokémon, use w sm, then withdraw the Pokémon. All I've used so far to learn is this website ( http://wahackforo.com/t-25791/gb-gbc-asm-lenguaje-ensamblador-en-gb-gbc ) that explains programming, but it's in Spanish so I'm not sure I'm getting some of the more complex things. Could someone explain like ld and jr and also if someone had a set up for the thing above that'd be great. Thanks.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-10-11 13:41:47

> Hi, I'm new here. I've been trying to learn 8F asm programming and I mostly want something in yellow that gives me max ivs and evs and is easy to set up. So I was wondering if there was a way to use pc Pokémon as the program and then have it apply to the last Pokémon in the pc. That way I could deposit a Pokémon, use w sm, then withdraw the Pokémon. All I've used so far to learn is this website ( http://wahackforo.com/t-25791/gb-gbc-asm-lenguaje-ensamblador-en-gb-gbc ) that explains programming, but it's in Spanish so I'm not sure I'm getting some of the more complex things. Could someone explain like ld and jr and also if someone had a set up for the thing above that'd be great. Thanks.


Hi Dudeopi. The best way to approach this may be to use the FillMemory routine at 36E0 in Red/Blue or the address 166E in Yellow to fill the structures (which are 12 bytes long and follow on from each other) with FF.

The FillMemory routine fills 'bc' bytes of 'a' to destination 'hl'.

If you are using a bootstrap set up where the last Pokémon is any Pokémon at storage box slot 10 (i.e. this), this means that you would have to use the address at hl as DBCF, which is DBD0 minus 1 (since many Yellow addresses are -1) or the beginning of the EV and IV structure. (HP EV, Attack EV…. Speed/Special IV)


ld a, FF [maximum value]
ld bc, 000C [copy hex:C i.e. 12 bytes]
ld hl, DBCF [destination]
inc d [useless; but used to represent the item as a Potion to avoid representing a CascadeBadge for the 16 later in the code]
call 166E [run the FillMemory routine]
ret [end of code]

3e ff 01 0c 00 21 cf db 14 cd 6e 16 c9


As items, the code you would need for English Yellow would be:
Lemonade x255
Master Ball x12
Item hex:00 (#x##) x33
TM07 x219 [can be replaced with another non-Pokémon 10 attribute destination for future uses]
Potion x205
Lg- (item 6E) x22
TM01 x(any)

These should be placed where the item code begins, such as at item 3 for the above linked bootstrap code.

The locations of routines such as FillMemory can differ between different versions, languages and non-ROM addresses like DBCF may be the value +5; DBD4 in non-English European Yellow.

If you want to do this without calling an internal function, then you may use this alternative code:

ld a,FF
ld h, DB
ld l, CF
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ld (hli),a
ret

3e ff 26 db 2e cf 22 22 22 22 22 22 22 22 22 22 22 22 c9


Lemonade x255
Carbos x219
X Accuracy x207
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
Water Stone x34
TM01 x(any)

Many items at quantities x0 can be obtained with the Celadon looping map trick. You can toss from this stack (which is effectively x256) to obtain most items at any quantity.

If you would like a code for another version or language and/or not for stored Pokémon 10 let me know and I'll post one! :)


> Could someone explain like ld and jr and also if someone had a set up for the thing above that'd be great. Thanks.


Arbitrary code execution uses places to store data similar to memory addresses called registers. Registers include 'a', 'b', 'c', 'd', 'e', 'hl' and 'sp'. When we want to write data to an address, we may first place the value in the register and later to the memory address of your choice.

In ld (xxyy),(r) the register is placed into address xxyy. Similarly in ld (r), [xxyy]; the value from the memory address is stored into the register.

If we wanted to obtain a Mew we could write its value (hex:15) into D058; the stationary encounter address. To do this, you can do:

ld a, 15 ; a=hex:15
ld (d058),a ; put a into d058
ret ; end of code, needed so the game doesn't execute anything below it


What jr $xx does is cause the code to make a relative jump. To illustrate this, let's say we put a jr $xx at D321; which marks item 3, the first item for a bootstrap code that redirects the code flow from stored Pokémon to items.

A jr $05 here would make the game jump five extra bytes after the end of the instruction (i.e. D323 because jr $xx takes one opcode and one operand)+5; which equals D328.

Relative jump values which are $80 or above are considered as jumping backwards rather than forward beginning with the smaller minus values at $FF. For example, jr $FF would be jumping back by 1 to D322 and jr $80 would be jumping back by 128 to D2A3.

Hope this cleared up any details about writing code! :)

Further instructions are explained on this page, and to look up the opcode for an instruction (needed for representing code as items) we have a reference table here.
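As an added example (not code from this thread or from any poster), here is a small Python helper for the two mechanics this post describes: a bag slot is an item ID byte followed by a quantity byte, so an item list is a byte stream that starts executing at item 3, and `jr $xx` lands at the byte after the two-byte instruction plus a signed offset. The item ID table is built only from the hex listings in this post; the TM rule ($C9 for TM01, one higher per TM) is checked against those same listings, and the sample lists in the usage block are the ones given above.

```python
"""Item list <-> byte-stream helper for 8F / ws m item codes.

Added example, not code from the thread. Each bag slot is two bytes (item ID,
then quantity), so a list of items reads directly as Game Boy opcodes starting
at item 3 ($D322). The ID table is built only from the hex listings in this
thread; any other ID is an assumption and is shown as "item hex:XX".
"""

ITEM_IDS = {              # IDs taken from the byte listings in this thread
    "Item hex:00": 0x00,  # the "#x##" glitch item
    "Master Ball": 0x01,
    "Potion": 0x14,
    "Water Stone": 0x22,
    "Carbos": 0x26,
    "X Accuracy": 0x2E,
    "Soda Pop": 0x3D,
    "Lemonade": 0x3E,
    "Lg-": 0x6E,          # glitch item, used above as the high byte of $166E
}
ID_TO_NAME = {v: k for k, v in ITEM_IDS.items()}


def tm_id(number: int) -> int:
    """TM01 is $C9 (the RET opcode), so TMxx = $C9 + (xx - 1)."""
    return 0xC9 + number - 1


def item_id(name: str) -> int:
    if name in ITEM_IDS:
        return ITEM_IDS[name]
    if name.startswith("TM") and name[2:].isdigit():
        return tm_id(int(name[2:]))
    raise KeyError(f"no ID known for {name!r}")


def item_name(ident: int) -> str:
    if ident in ID_TO_NAME:
        return ID_TO_NAME[ident]
    if 0xC9 <= ident <= 0xFF:
        return f"TM{ident - 0xC9 + 1:02d}"
    return f"item hex:{ident:02X}"


def items_to_bytes(items):
    """(name, quantity) pairs -> bytes. A quantity of None means 'x(any)' and is
    allowed only on the final entry (the byte after RET is never executed).
    Quantity 0 is stored as $00, which the bag shows as x0 but counts as 256."""
    out = bytearray()
    for i, (name, qty) in enumerate(items):
        out.append(item_id(name))
        if qty is None:
            if i != len(items) - 1:
                raise ValueError("only the last item may have an unspecified quantity")
            continue
        if not 0 <= qty <= 255:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out.append(qty)
    return bytes(out)


def bytes_to_items(code: bytes):
    """Inverse of items_to_bytes: pair bytes up; a trailing lone ID byte gets None."""
    items = []
    for i in range(0, len(code), 2):
        qty = code[i + 1] if i + 1 < len(code) else None
        items.append((item_name(code[i]), qty))
    return items


def jr_target(instr_addr: int, offset: int) -> int:
    """Target of `jr $xx` placed at instr_addr: the byte after the 2-byte
    instruction plus the signed 8-bit offset ($80..$FF jump backwards)."""
    signed = offset - 0x100 if offset >= 0x80 else offset
    return (instr_addr + 2 + signed) & 0xFFFF


if __name__ == "__main__":
    # The FillMemory item list from this post, as (name, quantity) pairs.
    fill = [("Lemonade", 255), ("Master Ball", 12), ("Item hex:00", 33),
            ("TM07", 219), ("Potion", 205), ("Lg-", 22), ("TM01", None)]
    print(items_to_bytes(fill).hex(" "))
    # The ld (hli),a variant, decoded back into items.
    for name, qty in bytes_to_items(bytes.fromhex("3eff26db2ecf" + "22" * 12 + "c9")):
        print(name, "x(any)" if qty is None else f"x{qty}")
    print(f"jr $05 at $D321 -> ${jr_target(0xD321, 0x05):04X}")
```

Running it prints `3e ff 01 0c 00 21 cf db 14 cd 6e 16 c9`, the same bytes this post lists for the FillMemory code, and decodes the second listing back to Lemonade x255, Carbos x219, X Accuracy x207, six Water Stone x34 and TM01. The `None` quantity is there so the final TM01 x(any) round-trips without inventing a number.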

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2016-10-12 04:13:27

> Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address 3E48, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the recipe for receiving a pokemon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.
>
> Now the code works wonders, I can receive the pokemon of my choice at lvl2 : )
>
> Thanks again for having taken the time to answer my questions and my messages : ) !


Congratz! Don't hesitate to post the whole code here (and on PRAMA if you can) for everyone to use it :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-10-12 05:42:33
I have an idea for an ACE setup that doesn't require any specific pokemon, just items and underflowed menu, which I think are easier to obtain. I didn't test it yet, but you'd need the following items:

1. Fire Stone x211
2. (null) x124
3. Thunderstone x73
4. TM18 x3
5. Max Revive x195
6. HP Up x54
7. Water Stone x35
8. Great Ball x34
9. TM01 x(any)

You should have no pokemon in the daycare and you should leave the safari zone with 0, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14, 15, 19, 20, 21, 22, 23, 26, 27, 28, 29 or 30 safari balls. Not entering the safari zone at all in the save file also works.

Swap fire stone for the map script pointer slot in the underflow. Close the menu, move to another map and reopen it. Now you can change the items and -gm (hex 6A i think) will execute code from the third item.

The items listed above write the bytes C3 22 D3 (jp D322) to DA49 (daycare nickname). This redirects the execution where we want.

I didn't look into it, but it might be possible to obtain -gm with the swap. To do it, setup should be initiated in a map with script address ending with 6A.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Dudeopi
Date: 2016-10-12 09:42:26
Thank you Torchickens and NieDzejkob for the speedy replies. I'm sorry I couldn't get back to you until now. The link to all of the commands helped a lot. I think I should be a little more clear in what I was wondering however. So I own a Pokémon Yellow cart and a GBC and I recently bought an N64 and Stadium. I want to play OU with my friends on console. However, I don't have my N64 with me and I won't for another month, so in the meantime I've been messing around in Pokémon Red on my 3DS, where I already have 8F and such. I'm trying to write a program to use with 8F in Red that stores FF to the 12 bytes of a Pokémon, but I've run into some problems. First of all, I want the program to be easily executable, and I believe having 255 of an item causes glitches, and I don't know how to get multiple Water Stones. So since the 8F bootstrap requires a Pidgey in the first spot, I tried writing something to store its catch rate to a PC Pokémon's EVs and IVs. I haven't done anything with item underflow yet, besides getting 8F, so I'm unsure how I do that.

So I really want to write a program for Yellow to do this, and the best case scenario in my mind is I replace the ws m bootstrap with the whole program that maxes out the poke in the spot after the ret. But for now, I want to learn as much as I can so I can write my own programs in the future. I have a feeling 3DS pokes will get randomized stats when traded forward but I wouldn't want to cheat like that in Gen 7. I already wrote some stuff down, but I always find something that makes me go back and change stuff.

I don't know how to post code in a neat box but I can just write it out. This is for the English Red using items:
D322: ld DE,D172  ; 11 72 D1 ; store catch rate of Pidgey to DE
D325: ld A,(DE)   ; 1A       ; A=255
D326: ld HL,DAC8  ; 21 C8 DA ; HL=address of poke's first stat
D329: ldi (HL),A  ; 22       ; put the perfect 255 in the stat and increase to the next stat's address
D32A: junk        ; 04       ; better for items
D32B: ld A,L      ; 7D       ; put address of poke's next stat in A
D32C: ld (D327),A ; EA D3 27 ; put that address as your item
D32F: ret         ; C9       ; return

Max Potion x114
Tm09 x26
Thunderstone x200
Tm18 x34
Pokeball x125
Tm34 x211
Calcium x201

You would use 8F 12 times and it would increase the number of thunder stones so you could immediately reuse it, but it uses a lot of  items and I've procrastinated duping all of them because there has to be a better way. Thanks for taking the time to help me with this. I really appreciate it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2016-10-12 11:21:56
Try this to speed up duplicating items. It turns item nr 2 into a stack of 0, but 0 is actually 256 so you can drop them.

- 8F
- Item you want 256 (0) of x1
- Pokéball x43
- Revive x201


> I don't know how to post code in a neat box but I can just write it out. This is for the English Red using items:

Random tip: If you press Quote on a post you can see in those posts how to do some things.

> Look at me in a Quote.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Dudeopi
Date: 2016-10-12 11:58:31
Wow thanks! That'll help a ton!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-10-12 12:07:24
Hi Dudeopi,

You can take D, which comes with a zero from the bootstrap/game code, and CPL it. That would give you FF in just two bytes, not depending on the bootstrap code you use:


D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  22        LD (HL+), A
D328  04        INC B ; padding
D329  7D        LD A, L
D32A  EA 23 D3  LD (D323), A ; you assembled it the other way around. It takes practice to remember :)
                             ; D323 is the low byte of the LD HL at D322, so the next use starts one stat further on
D32D  C9        RET


I moved the HL load, because it removes the need for the padding (here: junk code to remove glitch items/key items/things like that, if you never heard that word before).

Thunderstone x200
TM18 x122
Leaf Stone x34
Pokeball x125
TM34 x35
TM11 x201
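To see what the self-modifying store in this kind of code actually does across repeated 8F uses, here is an added example in Python (not code from the thread or from NieDzejkob): a tiny interpreter for only the opcodes that appear in this thread, over a blank 64 KiB memory. The bag address ($D322 = item 3) and the first stat byte ($DAC8) are the ones used in the posts above; the assumption that D is 0 on entry is the one this post makes. It runs the same eight-instruction code twelve times with the store aimed at $D323 (the low byte of the LD HL at $D322) and again with it aimed at $D327, and counts how many of the 12 stat bytes ended up FF.

```python
"""Trace what an 8F item code does to memory: a minimal interpreter for the
handful of Game Boy CPU opcodes used in this thread (added example, not code
from the thread). Memory is a blank 64 KiB array; $D322 (bag item 3) and
$DAC8 (first EV/IV byte) come from the posts above; D = 0 on entry is the
assumption stated in the post."""

BAG_ITEM3 = 0xD322   # item 3 ID byte: where the bootstrap jumps to
STATS = 0xDAC8       # first of the 12 EV/IV bytes the codes above write


def run(mem: bytearray, pc: int, regs=None, max_steps: int = 10_000) -> dict:
    """Execute from pc until RET; return the register file. Only opcodes that
    appear in this thread are modelled; anything else raises."""
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "e": 0, "h": 0, "l": 0}
    if regs:
        r.update(regs)

    def imm8():
        nonlocal pc
        v = mem[pc]
        pc += 1
        return v

    def imm16():                        # little-endian operand
        lo = imm8()
        return lo | (imm8() << 8)

    def set_pair(hi, lo, v):
        r[hi], r[lo] = (v >> 8) & 0xFF, v & 0xFF

    for _ in range(max_steps):
        op = mem[pc]
        pc += 1
        if op == 0xC9:                  # ret: hand control back to the game
            return r
        elif op == 0x3E: r["a"] = imm8()              # ld a,n
        elif op == 0x01: set_pair("b", "c", imm16())  # ld bc,nn
        elif op == 0x11: set_pair("d", "e", imm16())  # ld de,nn
        elif op == 0x21: set_pair("h", "l", imm16())  # ld hl,nn
        elif op == 0x26: r["h"] = imm8()              # ld h,n
        elif op == 0x2E: r["l"] = imm8()              # ld l,n
        elif op == 0x7A: r["a"] = r["d"]              # ld a,d
        elif op == 0x7D: r["a"] = r["l"]              # ld a,l
        elif op == 0x2F: r["a"] ^= 0xFF               # cpl
        elif op == 0x3D: r["a"] = (r["a"] - 1) & 0xFF  # dec a
        elif op == 0x04: r["b"] = (r["b"] + 1) & 0xFF  # inc b
        elif op == 0x14: r["d"] = (r["d"] + 1) & 0xFF  # inc d
        elif op == 0x1A: r["a"] = mem[(r["d"] << 8) | r["e"]]  # ld a,(de)
        elif op == 0x22:                              # ld (hl+),a
            hl = (r["h"] << 8) | r["l"]
            mem[hl] = r["a"]
            set_pair("h", "l", (hl + 1) & 0xFFFF)
        elif op == 0xEA: mem[imm16()] = r["a"]        # ld (nn),a
        else:
            raise ValueError(f"opcode ${op:02X} at ${pc - 1:04X} is not modelled")
    raise RuntimeError("no RET reached")


def stats_filled_after(code: bytes, uses: int) -> int:
    """Place `code` at item 3, run it `uses` times (one per 8F use, with D = 0
    on entry as assumed) and count how many of the 12 stat bytes are FF."""
    mem = bytearray(0x10000)
    mem[BAG_ITEM3:BAG_ITEM3 + len(code)] = code
    for _ in range(uses):
        run(mem, BAG_ITEM3, {"d": 0})
    return sum(1 for v in mem[STATS:STATS + 12] if v == 0xFF)


# Same code, two candidate targets for the store at $D32A. The LD HL sits at
# $D322, so the pointer byte the store must advance is $D323.
STORE_TO_D323 = bytes.fromhex("21C8DA 7A 2F 22 04 7D EA23D3 C9")
STORE_TO_D327 = bytes.fromhex("21C8DA 7A 2F 22 04 7D EA27D3 C9")

if __name__ == "__main__":
    for label, code in (("store to D323", STORE_TO_D323), ("store to D327", STORE_TO_D327)):
        print(f"{label}: {stats_filled_after(code, 12)} of 12 stat bytes are FF after 12 uses")
```

With the store aimed at $D323, each use writes one more FF and bumps the HL low byte (the Thunderstone quantity) by one, so twelve uses fill all twelve bytes. Aimed at $D327 the store overwrites the `LD (HL+), A` opcode with the value of L ($C9, which is `RET`), so every use after the first returns before writing anything and only one byte is ever filled. The interpreter also runs the Mew write from earlier in the thread (`3E 15 EA 58 D0 C9`) unchanged.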

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-10-12 12:27:32
You're welcome Dudeopi. :)

If you still plan on using ws m, setting up the Celadon looping map trick is actually relatively simple if you have item underflow set up. You stand in the Celadon spot, swap the Nugget x1 with an ID greater than or equal to hex:33 x1 (if you don't have one you can try selling items to manipulate your money and create one) and then keep walking to the right until the x-position byte reads the item x0 (x255) of your choice. The Big List can be used to check the ID.

The item will either be x1 or x0, if it is x1 stepping up or down one step will change it to x0. The one thing that you must be really careful with is making sure you press B when navigating the menu all the time, because one A-press on a 'lag' item (these have unterminated names) can freeze the game and possibly erase the save file if you aren't careful.

If you want to avoid using a x255 quantity and are otherwise happy with the FillMemory code, you can replace ld a, FF with ld a, 01; dec a; dec a.

This would change the code to:
3e 01 3d 3d 01 0c 00 21 cf db 14 cd 6e 16 c9

which is:

Lemonade x1
Soda Pop x61
Master Ball x12
Item hex:00 (#x##) x33
TM07 x219 [can be replaced with another non-Pokémon 10 attribute destination for future uses]
Potion x205
Lg- (item 6E) x22
TM01 x(any)

(For a bootstrap code where the last Pokémon is any Pokémon 10 to have its EVs/IVs changed)

Handling items with a 255 quantity is safe as long as you don't toss all of an item above it, which would replace the item directly above it with the same item x255.

If you want to get the items without looping map trick, you may be able to use Skeef or NieDzejkob's code to duplicate the items and get Lg- by encountering a pPkMnp' ' with a Super Rod in the fifth position; turning it into a Lg-. I don't know off by heart any locations which may bring up an Lg- in the items pack without you having to convert the Super Rod sadly but will have a search later.

Hope that helps.