Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.




Arbitrary code execution in Red/Blue using the "8F" item - Page 35

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-10-12 12:35:27
Wait, whaaat? When did I post about item duplication? If you think about that, then this is a -gm + map script ACE setup that doesn't require catching pokemons.

1. Fire Stone x211
2. (null) x124
3. Thunderstone x73
4. TM18 x3
5. Max Revive x195
6. HP Up x54
7. Water Stone x35
8. Great Ball x34
9. TM01 x(any)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-10-12 12:45:09
And sorry for the double post, but I have an even shorter max IV/EV code, that has to be run only once:


D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  0E 0C     LD C, 0C
D329  C3 E0 36  JP FillMemory/36E0

Thunderstone x200
TM18 x122
Leaf Stone x14
Burn Heal x195
TM24 x54
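As an added example that is not from the thread, the script below encodes the five bag slots above into the bytes the game executes from $D322 and steps a minimal SM83 interpreter over them to confirm the register state at the JP. The item IDs are read off the post's own listing; the value of the D register on entry (the payload complements whatever the game left there) and b == 0 as the high byte of FillMemory's counter are assumptions.

```python
# Added example (not code from the thread): turn the bag-slot list in the
# post above into the bytes run from $D322, then step a tiny SM83 interpreter
# over them. Item IDs are read off the post's listing (ID byte, quantity byte).
ITEM_ID = {"Thunderstone": 0x21, "TM18": 0xDA, "Leaf Stone": 0x2F,
           "Burn Heal": 0x0C, "TM24": 0xE0}
ITEMS = [("Thunderstone", 200), ("TM18", 122), ("Leaf Stone", 14),
         ("Burn Heal", 195), ("TM24", 54)]
BASE = 0xD322          # execution starts at item slot 3's ID byte

def encode_items(items):
    """Each bag slot is two bytes: item ID, then quantity (1..255)."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} is not a valid byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)

def run(code, d=0x00):
    """Interpret only the opcodes this payload uses and return the register
    state at the JP plus its target. d is the D register on entry; the
    payload takes whatever the game left there (assumed 0x00 here)."""
    a, c, hl, pc = 0, 0, 0, BASE
    while True:
        i = pc - BASE
        op = code[i]
        if op == 0x21:                      # LD HL, nn  (little-endian)
            hl = code[i + 1] | (code[i + 2] << 8)
            pc += 3
        elif op == 0x7A:                    # LD A, D
            a, pc = d, pc + 1
        elif op == 0x2F:                    # CPL  (A = ~A)
            a, pc = a ^ 0xFF, pc + 1
        elif op == 0x0E:                    # LD C, n
            c, pc = code[i + 1], pc + 2
        elif op == 0xC3:                    # JP nn  -> leaves the payload
            return {"a": a, "c": c, "hl": hl,
                    "jp": code[i + 1] | (code[i + 2] << 8)}
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {pc:04X}")

def fill_range(regs):
    """Bytes FillMemory ($36E0) will write: c bytes of a starting at hl.
    Assumes b == 0 on entry, since the payload never sets it."""
    return regs["hl"], regs["hl"] + regs["c"] - 1, regs["a"]

if __name__ == "__main__":
    regs = run(encode_items(ITEMS))
    print(regs, fill_range(regs))
```

With D = 00 the fill writes FF to $DAC8-$DAD3, which per the pokered memory map is the stat-experience and DV block of the second Pokémon in the current box.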

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2016-10-12 15:28:45
Oh, I think I may have gotten confused somewhere, NieDzejkob. I was under the impression your code was for item duplication because you mentioned getting FF (note: for some reason on my Red it replaces item 3 quantity with C9) but I don't know what the code is used for and I shouldn't have assumed. Sorry if I made the wrong conclusion.
D322  21 C8 DA  LD HL, DAC8
D325  7A        LD A, D
D326  2F        CPL
D327  22        LD (HL+), A
D328  04        INC B ; padding
D329  7D        LD A, L
D32A  EA 27 D3  LD (D327), A ; you assembled it the other way around. It takes practice to remember :)
D32D  C9        RET

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NieDzejkob
Date: 2016-10-12 17:31:25
It's a shorter version of Dudeopi's code for perfect stats. So the change was intended :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Dudeopi
Date: 2016-10-13 15:57:55
Thanks everyone who helped out. I've learned a ton! If I have any more questions I know where to go.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Pavel
Date: 2016-10-16 08:01:40


Ok, I have found what I was looking for. I decided to get my hands dirty and look directly into the disassembly tool. I looked at the address 3E48, as specified in the code for the R/B USA version, saw what the asm code looked like, and found one similar not far from this in the French Yellow version memory: in this version, the recipe for receiving a pokemon starts at 3E5C, which corresponds to x92 instead of x72 for the TM05 quantity.

Now the code works wonders, I can receive the pokemon of my choice at lvl2 : )

Thanks again for having taken the time to answer my questions and my messages : ) !


Congratz! Don't hesitate to post the whole code here (and on PRAMA if you can) for everyone to use it :)
Gotcha Krys3000, here is a recap of what I found to work with Pokemon Yellow French version:
Those are the result of browsing this forum (thanks to the original authors of the codes!), the help of various members on this forum (thanks again!) and a bit of tinkering and research of mine to make it work on French Yellow version.


Cloning via daycare:
1: wsm
2: any item
3: X Accuracy x76
4: Carbos x218
5: Max Revive x01
6: TM01 x(any)
Put the pokemon in the daycare, retrieve it, then use wsm; now you can retrieve the pokemon one more time


Force encounter with a pokemon of a specified species (lvl is not guaranteed, for me it was lvl11 usually) :
1: Any item
2: wsm
3: Lemonade x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: TM34 x93
5: TM08 x201


Receive a lvl 2 pokemon of a specified species (as if a NPC was giving it to the character):
1: Any item
2: wsm
3: Repel x[SpeciesIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
4: X Speed x14
5: Ultra Ball x64
6: TM05 x92
7: Lemonade x201
Note : the lvl is equal to the hex ID (http://glitchcity.info/wiki/The_Big_HEX_List) of the item in the fifth position (here, the Ultra Ball)


Make the first pokemon of the team learn any attack:
1: wsm
2: Any
3: X Accuracy x122/121/120 (slot n°4, 3 and 2 respectively)
4: Carbos x209
5: Max Revive x[MoveIndex] (http://glitchcity.info/wiki/The_Big_HEX_List)
6: TM01 x(any)
Apply max DV and stats experience to first pokemon of the team: (http://www.prama-initiative.com/index.php?page=modification-rbj)
1: Any item
2: wsm
3: Lemonade x255
4: X Accuracy x139
5: Carbos x209
6: Poke Ball x119
7: Fresh Water x201
This will modify the stats of the first pokemon of the team.
First, use wsm once.
Second, toss one X Accuracy, then use wsm. Repeat this second step 11 times, until the number of X Accuracy equals 128.
Now store in and retrieve from the PC the first pokemon of your team, in order to force the game to compute its stats anew.
Beware of the item duplicating glitch with Lemonade x255: do not remove / store an item that is above Lemonade x255, unless you want one item below it to be lost forever. To prevent this, switch Lemonade x255 with the first item when you do not use the code. If the duplicating glitch happened, buy one object to fix the inventory.

Second Pokemon: X Accuracy from x183 to x172, Carbos x209
Third Pokemon: X Accuracy from x227 to x216, Carbos x209
Fourth Pokemon: X Accuracy from x15 to x4, Carbos x210
Fifth Pokemon: X Accuracy from x59 to x48, Carbos x210
Sixth Pokemon: X Accuracy from x103 to x92, Carbos x210

Max Pokemon Lvl:
First Pokemon: X Accuracy x144, Carbos x209
Second Pokemon: X Accuracy x188, Carbos x209
Third Pokemon: X Accuracy x232, Carbos x209
Fourth Pokemon: X Accuracy x20, Carbos x210
Fifth Pokemon: X Accuracy x64, Carbos x210
Sixth Pokemon: X Accuracy x108, Carbos x210

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-01-15 17:33:04
European Pokémon Yellow ws m bootstrap setup
The US setup doesn't work because of a 5-byte offset. As such, two more Pokémon are needed, and we replace another one.

All the listed Pokémon must be in the correct order in the active PC box when running ws m.


Initial hl = DA84
$DA85 <- 3A || ld/ldi/ldd a, (hl) ; a = 0B
$DA86 <- 0F || rrca ; a = 05
$DA87 <- 3C || inc a ; a = 06
$DA88 <- 2E ||
$DA89 <- 26 || ld l, 26
$DA8A <- 85 || add l ; a = 2C
$DA8B <- 2F || cpl ; a = D3
$DA8C <- 67 || ld h,a ; hl = D326
$DA8D <- 18 ||
$DA8E <- 0C || jr 0C ; pc = DA9C
(...)
$DA9C <- E9 || jp (hl) ; pc = D326


[EDIT] If getting Tauros is too much of a pain, remove it and place a Slowbro right after Flareon. Slowbro can be obtained via Trainer-Fly, Tauros cannot. Also easier to catch legitimately, I guess.

I would like to know if an eleventh Pokémon really is needed (since the ld a, [bc] is cancelled by the following ld(i/d) a, [hl]). This could save one A press Pokémon from both US and EU setups.
Plus, since we overwrite hl during the setup, doing add hl, bc shouldn't be an issue, so 9 Pokémon could be enough for the US setup, saving an extra slot. EU still requires 10, though :P

[EDIT] NVM, 11 Pokémon are required for the US Setup, but the EU one can have only 10.

Also, does ws m work in EU ? Since 8F doesn't in EU R/B, I'm a little bit doubtful.

Thanks in advance !

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-01-16 03:06:07
Also, I think we should make a separate thread for ws m and move posts there. Since this thread is about 8F, I think it would make more sense…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Yeniaul
Date: 2017-01-16 06:09:16
However, things like R/B to Yellow script conversions would become a pain to collaborate with and talk about, as you would end up posting it in both locations.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2017-01-16 07:42:05

Also, does ws m work in EU ? Since 8F doesn't in EU R/B, I'm a little bit doubtful.


It should do. I ported the bootstrap payload what seems like forever ago; however I did cheat and poked the values directly to memory when porting.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-01-16 16:16:04
Like, WOW.
I tried my setup with
Mr. Mime with 233 HP
Female Nidoran
Parasect
Kadabra
Magikarp
Arbok
Psyduck
Flareon
Tentacool
Grimer
Pikachu (11th Pokémon)


This threw a ball that wiggled twice, failed, gave me a "Pas d'bol, hein ?" ("Tough luck, eh ?")
And then I had no more ws m. WOW.

[EDIT] I messed up big time, this setup jumped to $D425. Epic fail.

We need to remove Arbok and put a Slowpoke right after Flareon.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-01-17 11:38:31
Bumpity bump, the Slowpoke version of the setup works fine, it should be added to the wiki alongside Wack0's. I don't have enough DETERMINATION to do so, since I'm locked on my phone and I really miss a PC.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jelome1989
Date: 2017-01-25 00:48:01


Apply max DV and stats experience to first pokemon of the team: (http://www.prama-initiative.com/index.php?page=modification-rbj)
1: Any item
2: wsm
3: Lemonade x255
4: X Accuracy x139
5: Carbos x209
6: Poke Ball x119
7: Fresh Water x201
This will modify the stats of the first pokemon of the team.
First, use wsm once.
Second, toss one X Accuracy, then use wsm. Repeat this second step 11 times, until the number of X Accuracy equals 128.
Now store in and retrieve from the PC the first pokemon of your team, in order to force the game to compute its stats anew.
Beware of the item duplicating glitch with Lemonade x255: do not remove / store an item that is above Lemonade x255, unless you want one item below it to be lost forever. To prevent this, switch Lemonade x255 with the first item when you do not use the code. If the duplicating glitch happened, buy one object to fix the inventory.

Second Pokemon: X Accuracy from x183 to x172, Carbos x209
Third Pokemon: X Accuracy from x227 to x216, Carbos x209
Fourth Pokemon: X Accuracy from x15 to x4, Carbos x210
Fifth Pokemon: X Accuracy from x59 to x48, Carbos x210
Sixth Pokemon: X Accuracy from x103 to x92, Carbos x210
Is there any other way to manipulate DVs — meaning not just max them out?
For example, I want a specific combination, say I want to make the Pokemon shiny when transferred to Gen 7. I want the DVs to be:
Atk Spe Spc = 10 and Def = 2

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-01-25 01:09:42
You can use the Gameshark-like code to write each DV manually. That's quite easy.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jelome1989
Date: 2017-01-25 01:27:28
Sorry, not familiar with these at all, but can you link me that Gameshark-like code? I do know how to convert that to items list but don't know which item holds the data address for the DVs.