Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 38

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Yeniaul
Date: 2017-02-15 20:09:54
…broken.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-02-16 06:14:57
Works for me.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: SaneBane
Date: 2017-02-20 06:30:06
Hey you all!
Thank you so much for all the help and support in this forum! I managed to obtain the S7 in the German version of Red, but I'm struggling to figure out how to "convert" the item setups for the hacks to function... it's kinda over my head.
Can you help me?

I want to change my Mew's Trainer ID (22796) and OT (GF) so I can transfer it over to Sun/Moon + change the DVs of a Pokémon so it will be shiny.

I followed this guide for my English version of the game and it worked fine:
https://www.youtube.com/watch?v=H8AgGp5cqPI&t=1080s
I'd love to do the same with my german version!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-02-20 11:27:08
Use this to change your OT:

any item/ws# #m#
any item/ws# #m# (one of these has to be ws# #m# obviously)
TM50 x186
TM10 x3 (works with 64, but 3 should too)
TM34 x93
TM09 x35
Poké Ball x52
X Accuracy x44
Great Ball x52
TM01 x[any qty]


Use this to change your TID:

any item/ws# #m#
any item/ws# #m#
Lemonade x89
Repel x12
Carbos x211 (Should work even if you remove this item)
X Accuracy x94
Water Stone x115
TM01 x(any)


Didn't try, so if you could send me some feedback whether it worked or not I'd appreciate it a lot.
Also, if you want to keep your OT and TID, tell us, we'll do the job.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: NukingDragons
Date: 2017-02-26 17:26:15
I found a typo in the Super-compressed 3-Pokémon setup.


Super-compressed 3-Pokémon setup (problematic because of hex D3 glitch Pokémon, which can be difficult to obtain; also, some item lists do not work with this setup)

1.  Exactly 6 Pokémon in the party                                    [0xD163 = 0x06]
2.  Hex C3 glitch Pokémon as the first Pokémon                        [0xD164 = 0xC3]
3.  Onix as the second Pokémon                                        [0xD165 = 0x22]
4.  Hex D3 glitch Pokémon as the third Pokémon                        [0xD166 = 0xD3]


That setup has this code:

WRA1:D163 06 C3           ld b, 0xC3
WRA1:D165 22              ld (hl+), a
WRA1:D166 D3              <Invalid Opcode>


Which does NOT jump to the third item in memory, because of the 6 Pokémon in the party.

However, a party of 3(Minimum) to 5, DOES work:

WRA1:D163 03              inc bc
WRA1:D164 C3 22 D3        jp 0xD322


With 4:

WRA1:D163 04              inc b
WRA1:D164 C3 22 D3        jp 0xD322


And with 5:

WRA1:D163 05              dec b
WRA1:D164 C3 22 D3        jp 0xD322


Also, for the "some item scripts won't work with this setup" issue, you can use this right before your main script if you don't want to rewrite it:
(Sets HL to 0xD322)

8F / first item (Depends on the script)
8F / second item (Depends on the script)
X Accuracy x34
Carbos x211
<Script>


Hope this helps :)
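The point above, that the party-count byte is the first opcode and a count of 6 (0x06, `ld b, n`) swallows the 0xC3 as its operand, can be checked with a small decoder. The following is an added example, not code from the thread or from any of its posters: it models the four bytes at 0xD163 exactly as listed in the setup and knows only the opcodes that setup can produce, so any other byte ends the sweep.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a minimal linear-sweep decoder for the few
SM83 (Game Boy CPU) opcodes that the super-compressed 3-Pokémon bootstrap can
produce. It shows why the party-count byte at 0xD163 decides whether execution
reaches `jp 0xD322`."""

PARTY_COUNT_ADDR = 0xD163   # party size byte; species bytes follow at 0xD164..
SCRIPT_ADDR = 0xD322        # third bag slot, where the item-encoded script begins

# opcode -> (format string for the mnemonic, total instruction length in bytes)
# Only the opcodes the setup can produce are listed; anything else stops the sweep.
# (0xD3 really is an undefined SM83 opcode; other absent bytes are simply not modelled.)
OPCODES = {
    0x03: ("inc bc", 1),
    0x04: ("inc b", 1),
    0x05: ("dec b", 1),
    0x06: ("ld b, 0x{0:02X}", 2),           # one immediate operand byte follows
    0x22: ("ld (hl+), a", 1),
    0xC3: ("jp 0x{1:02X}{0:02X}", 3),       # little-endian 16-bit target follows
}


def decode(mem: bytes, base: int, max_insns: int = 8):
    """Disassemble `mem` as if it were mapped at `base`.

    Returns a list of (address, raw bytes, mnemonic). The sweep stops after an
    unconditional `jp`, at an opcode outside the table, or at the end of `mem`.
    """
    listing = []
    pc = base
    for _ in range(max_insns):
        off = pc - base
        if off >= len(mem):
            break
        op = mem[off]
        if op not in OPCODES:
            listing.append((pc, mem[off:off + 1], "<opcode not in this table>"))
            break
        fmt, length = OPCODES[op]
        operands = mem[off + 1:off + length]
        if len(operands) != length - 1:      # operand bytes run past the buffer
            listing.append((pc, mem[off:], "<truncated>"))
            break
        listing.append((pc, mem[off:off + length], fmt.format(*operands)))
        pc += length
        if op == 0xC3:                       # control left this region
            break
    return listing


def party_bytes(count: int) -> bytes:
    """Constructed party header from the setup in the thread:
    count, hex C3 glitch Pokémon, Onix (0x22), hex D3 glitch Pokémon."""
    return bytes([count, 0xC3, 0x22, 0xD3])


def reaches_script(count: int) -> bool:
    """True if the sweep from 0xD163 ends in `jp 0xD322` for this party size."""
    listing = decode(party_bytes(count), PARTY_COUNT_ADDR)
    return listing[-1][2] == f"jp 0x{SCRIPT_ADDR:04X}"


if __name__ == "__main__":
    for count in (3, 4, 5, 6):
        verdict = "reaches" if reaches_script(count) else "does NOT reach"
        print(f"party of {count}: {verdict} the script")
        for addr, raw, text in decode(party_bytes(count), PARTY_COUNT_ADDR):
            print(f"  WRA1:{addr:04X} {raw.hex(' ').upper():<10} {text}")
```

Running it prints the same three-instruction listing the post shows for a party of 6 and a two-instruction listing ending in `jp 0xD322` for 3, 4 and 5; the opcode table is deliberately tiny, so it is a model of this one setup rather than a general disassembler.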

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-02-26 18:55:16
Nice! I'm adding this to the wiki page right away!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Anna Says Hi
Date: 2017-02-28 13:02:50
Hi, new poster here. I'm sharing one of my 8F setups.
(With the 5-pokemon 233 HP bootstrap)

Morphing item 2 with 2 items worth of code

8F
[Item to morph] x[any qty]
TM03 x141
Full Heal x201 / Revive x201

HL contains D322
D322: CB 8D
D324: 34 / 35
D325: C9

D322: RES 1, L
D324: INC (HL) / DEC (HL)
D325: RET


The advantage of this setup is that it's the same length as the "obtain 255 of item 2" setup, so only 2 Select presses are needed and the bag isn't disorganised. The disadvantage is that TM03 is not buyable and you have to use the 3-item morph setup if you've used or tossed it already.

One of the things I'm looking for is a memory viewer and editor GUI. I remember seeing a video that had a textbox that showed the contents of RAM at the time, and it might have been created by 8F. Unfortunately, we're probably limited by the fact we can only use 254 or so bytes, even for the extended 8F setup. So I wonder if we can bypass that limit. If we could write to different bytes when making our 8F setup (like 01:B524 in SRAM or C5D0 in WRAM) then we could have a way to make much longer programs, perhaps enough to code in an easy-to-use RAM editor GUI.
(FYI I'm thinking of something like this except with a bigger window)

*-------*
|D000 XX|
|D001 XX|
|D002 XX|
*-------*

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-02-28 16:08:20
Thanks for this, Anna Says Hi! :)

You're in luck, a memory editor GUI has fortunately already been made. It was originally created by offgao for Japanese versions but was ported by Cryo. See this post for the raw code.

Although TheZZAZZGlitch's memory editing method by default can only modify 256 bytes, you can write more than that and execute the program by following the instructions in the description of this video (link).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-03-13 06:06:26
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead… Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-03-13 09:45:12
In Pokémon Yellow I used stable unstable MissingNo., dry underflow, Celadon looping map trick and Rival LOL glitch for the bootstrap Pokémon.

The Brock Through Walls/Trainer-Fly with Abra sounds good for Red/Blue.

Rival LOL glitch is probably a good method for Pokémon Red and Blue as well if you have a six letter long Rival name, although you could also get your Pokémon by warping to places that have them (Route 1 for Pidgey, Safari Zone or Cerulean Cave [use Rival's item or enter Hall of Fame] for Parasect, Rock Tunnel or Victory Road for Onix, water for Tentacool [use ?????], Safari Zone for Kangaskhan).

I'm unsure if Trainer-Fly would be better as you'd need specific Special stats from specific Trainers or party Pokémon, so regular encounters/LOL glitch seems to be better.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-03-13 12:42:10

What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead… Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?

For the level 100 Pidgey I recommend TFlying, fighting against FISHERMAN's level 27 GOLDEEN in Route 12, Growl x6, catch Pidgey, DON'T SAVE, level to 100, cancel evolution, use HP Ups and remove HP using poison then Antidote (1 HP each 4 steps) or Lv 2 Pokémon (2 HP per hit usually, i.e. when not Crit :P).
Note that some Pidgeys cannot reach 233 Max HP due to low stats, that's why you shouldn't save until after you made sure you caught a correct one.

I also prefer to catch Arbok from Trainer-Fly (if using the 6-Pokémon setup, the best IMO); for the Kangaskhan I recommend you go into a Safari part of the zone where Kangaskhans appear and get kicked out of the Safari challenge in this zone. Then do the usual Surf thingy without loading other grass Pokémon data, and you're good (Note: doesn't work in Pokémon Yellow. Not suited for children under 3 IQ.)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-03-19 12:50:53
Thanks! I obtained an 8F on VC blue and got the setup working yesterday, just using normal encounters, in about 3.5 hours.

I made a simple script to easily obtain any item, which is very useful for building other scripts:


ldd a, (hl)      ; a = [D322], hl = D321 (item 2 quantity)
ldd a, (hl)      ; a = item 2 quantity, hl = D320 (item 2 index)
ldi (hl), a      ; item 2 index = its quantity, hl = D321
inc b            ; filler
ld (hl), 1       ; item 2 quantity = 1
dec (hl)         ; item 2 quantity = 0
inc b            ; filler
ret

which compiles to

Dire Hit x58
Water Stone x4
Max revive x1
Revive x4
TM01 x[Any qty]

This sets the index of the 2nd item to its quantity (make sure 8F is the first item obviously), and its quantity to 0 for easy tossing to any desired quantity.

This requires only items that can be bought from Celadon dept store, with no missingno duping.

Then, you can use it once to get a Max revive x0 stack, so you can get rid of the revive to compact the script slightly.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-03-20 07:09:50
You could remove the

ld a, [hli]
ld [hld], a

since it effectively does nothing.
Item pack:

8F
[item] x(Any)
Dire Hit x4
Max revive x1
Revive x4
TM01 x[Any qty]


A more efficient setup (IMO) is

8F
Item x[any qty]
Poké Ball (or Great Ball) x43
Revive x3
TM01 x[any qty]

Toss all of "Item" but one, then use. You now have 0 of that item :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-03-20 15:32:21
The ld a, [hld] / ld [hli], a part is what copies the quantity of the item to its index, allowing access to any item index; your script just sets the quantity to 0. But since both are useful behaviours, I swap the water stones (ld a, [hli]) with HP ups (inc hl) if I want to reset the item quantity without setting the index too.

Another question: Is there an easy way to find the memory locations and ROM banks that correspond to a particular label in the disassembly? I had an idea for a script to make tossing items a bit less tedious by copying the graphics for digits or letters over the place where the game reads tiles for glitch quantities from, so it would be easier to see at a glance how many items you have / are tossing, but I'd need the locations for CopyVideoData and FontGraphics
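To see side by side what the scripts in this exchange (jfb1337's Dire Hit x58 script, ISSOtm's two shorter variants, and Anna Says Hi's TM03/Full Heal morph from earlier on the page) actually do to item 2, here is an added example of my own, not code from any of the posters. It pairs script bytes into bag entries using a partial Gen 1 item table and runs them on a modelled bag with a tiny SM83 interpreter. It assumes, as Anna Says Hi's post states, that the 5-Pokémon bootstrap enters the script at 0xD322 with HL = 0xD322, that 8F is item index 0x5D, and the item 2 index/quantity used below (Potion 0x14, 50 of them) is a constructed sample.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): encode a byte string as Gen 1 bag entries
and run the thread's item-scripts on a modelled bag with a tiny SM83 interpreter,
to show what each one does to item 2. Assumption (stated in the thread): the
5-Pokémon bootstrap enters at 0xD322 with HL = 0xD322."""

# Partial Gen 1 item index table: only the entries these scripts use.
ITEMS = {0x04: "Poké Ball", 0x22: "Water Stone", 0x34: "Full Heal", 0x35: "Revive",
         0x36: "Max Revive", 0x3A: "Dire Hit", 0x5D: "8F", 0xC9: "TM01", 0xCB: "TM03"}

NUM_BAG_ITEMS = 0xD31D   # item 1 = D31E/D31F, item 2 = D320/D321, item 3 = D322/D323
ITEM2_INDEX, ITEM2_QTY = 0xD320, 0xD321
SCRIPT_ADDR = 0xD322

# The scripts from the posts, as bytes (item index byte, then quantity byte).
JFB_SCRIPT = bytes([0x3A, 0x3A, 0x22, 0x04, 0x36, 0x01, 0x35, 0x04, 0xC9])  # jfb1337
ISSOTM_SCRIPT = bytes([0x3A, 0x04, 0x36, 0x01, 0x35, 0x04, 0xC9])          # ISSOtm, copy removed
ISSOTM_SHORT = bytes([0x04, 0x2B, 0x35, 0x03, 0xC9])                        # ISSOtm, Poké Ball x43
ANNA_MORPH = bytes([0xCB, 0x8D, 0x34, 0xC9])                                # Anna Says Hi, INC variant


def to_bag_entries(code: bytes):
    """Pair code bytes as (item name, quantity); a trailing lone byte gets quantity None."""
    entries = []
    for i in range(0, len(code), 2):
        name = ITEMS.get(code[i], f"item 0x{code[i]:02X}")
        qty = code[i + 1] if i + 1 < len(code) else None
        entries.append((name, qty))
    return entries


def run(mem: dict, pc: int, hl: int, steps: int = 64) -> None:
    """Interpret the handful of SM83 opcodes these scripts use, until `ret`."""
    a = b = c = 0
    for _ in range(steps):
        op = mem.get(pc, 0)
        if op == 0x3A:   a = mem.get(hl, 0); hl = (hl - 1) & 0xFFFF; pc += 1    # ld a, (hl-)
        elif op == 0x22: mem[hl] = a; hl = (hl + 1) & 0xFFFF; pc += 1           # ld (hl+), a
        elif op == 0x2B: hl = (hl - 1) & 0xFFFF; pc += 1                        # dec hl
        elif op == 0x03: c = (c + 1) & 0xFF; b = (b + (c == 0)) & 0xFF; pc += 1  # inc bc
        elif op == 0x04: b = (b + 1) & 0xFF; pc += 1                            # inc b
        elif op == 0x34: mem[hl] = (mem.get(hl, 0) + 1) & 0xFF; pc += 1         # inc (hl)
        elif op == 0x35: mem[hl] = (mem.get(hl, 0) - 1) & 0xFF; pc += 1         # dec (hl)
        elif op == 0x36: mem[hl] = mem.get(pc + 1, 0); pc += 2                  # ld (hl), n
        elif op == 0xCB and mem.get(pc + 1) == 0x8D:                            # res 1, l
            hl &= 0xFFFD; pc += 2
        elif op == 0xC9: return                                                 # ret
        else: raise ValueError(f"unhandled opcode 0x{op:02X} at 0x{pc:04X}")
    raise RuntimeError("script did not ret")


def simulate(script: bytes, item2_index: int, item2_qty: int):
    """Bag model: 8F in slot 1, the item to modify in slot 2, the script from slot 3 on.
    Returns item 2's (index, quantity) after the script has run."""
    mem = {NUM_BAG_ITEMS: 2 + (len(script) + 1) // 2,
           0xD31E: 0x5D, 0xD31F: 1,                      # 8F x1 (assumed index 0x5D)
           ITEM2_INDEX: item2_index, ITEM2_QTY: item2_qty}
    for i, byte in enumerate(script):
        mem[SCRIPT_ADDR + i] = byte
    run(mem, SCRIPT_ADDR, SCRIPT_ADDR)                    # HL = 0xD322 on entry
    return mem[ITEM2_INDEX], mem[ITEM2_QTY]


if __name__ == "__main__":
    for name, script in [("jfb1337", JFB_SCRIPT), ("ISSOtm", ISSOTM_SCRIPT),
                         ("ISSOtm short", ISSOTM_SHORT), ("Anna Says Hi", ANNA_MORPH)]:
        # constructed sample: item 2 is Potion (0x14) x50 before each script runs
        print(f"{name}: {to_bag_entries(script)} -> item 2 (index, qty) = {simulate(script, 0x14, 50)}")
```

The simulation reproduces the distinction drawn above: the nine-byte script ends with item 2's index equal to its old quantity and its quantity at 0, the seven-byte variant leaves the index alone and only zeroes the quantity, the Poké Ball x43 variant just decrements the quantity (hence "toss all but one, then use"), and the TM03 morph bumps the index by one without touching the quantity.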

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-03-20 16:05:59
When you build the ROM, it generates two files which contain all the addresses.
I attached the file for Red.

I recommend you know how to use Ctrl+F :P