Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 39

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-03-20 16:12:32
Ah, thanks, I was wondering what the .sym files were for, for some reason it didn't occur to me to look inside them!

Edit: And here is said script:

Carbos x90
Master Ball x14
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x0
Carbos x144
X Accuracy x0
TM01 x[Any qty]


ld h, $5A
ld bc, $040E ; b = BANK(FontGraphics), c = 14 = how many tiles to copy
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
nop
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)


This turns the tiles beyond the numbers that glitch quantities read from into the letters A through P, so it's easier to see how many items you have / are tossing. (There will also be a bunch of letters all over the background).

The effect goes away when entering/leaving a building, entering/leaving a battle, resetting the game, or closing the PC item menu, and maybe a few other things.

Tested with English blue on BGB.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-03-26 13:20:49
Since x0 quantities are a bit of a pain to get, I'd recommend this:

Carbos x90
Master Ball x13
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x3
Carbos x144
X Accuracy x0
TM01 x[Any qty]



ld h, $5A
ld bc, $040D ; b = BANK(FontGraphics), c = 14 - 1 = how many tiles to copy - 1
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
inc bc
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)


(Didn't test it though)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: atav32
Date: 2017-04-13 16:38:58
Hey everyone! Just discovered the wonders of 8F! Still got a lot to learn.

I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!


ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball          x64
TM05                x72
Lemonade            x201


ASM:
Code:
WRA1:D322 1E 20            ld  e,[SpeciesIndex]
WRA1:D324 43              ld  b,e
WRA1:D325 0E 02            ld  c,02
WRA1:D327 40              ld  b,b
WRA1:D328 CD 48 3E        call 3E48
WRA1:D32B C9              ret



But when I started transferring them to Pokemon Bank, I've hit a couple of snags.

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for:

* starters & evolutions
* Ditto
* Dratini & evolutions
* legendary birds
* Mewtwo

Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.

- - - - -

Unrelated, but just curious: I've read that TM 01 x(any) and [any item] x201 represent the C9 byte which stops code execution. How do they differ? I tried using TM 01 x129 instead of Lemonade x201 in the above setup and it froze the game.

Thanks everyone!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2017-04-14 03:38:29
The Lemonade represents 3E in "call 3E48". Without the Lemonade it translates to "call C948". Even if C948 returns properly (it probably doesn't), it'll still treat the rest of your items as code until it finds a ret.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-04-15 05:40:15
Here is a script that should work for an arbitrary encounter level:

Repel x[Species index]    ; ld e, [species index]
Awakening x[Level]        ; ld c, [level]
X speed x64               ; ld b, e / ld b, b
TM05 x72                  ; call 3E48 (TM05 = CD, x72 = 48, Lemonade = 3E)
Lemonade x201             ; ret

Replacing the lemonade x201 with a lemonade x4 followed by a TM01 x[any] would also work. (x4 corresponds to inc b which basically does nothing at this point). But the lemonade is important.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2017-04-16 03:48:12

Hey everyone! Just discovered the wonders of 8F! Still got a lot to learn.

I've been using the "Alternative Catch'Em All" code in the original post to receive any Pokemon and it's amazing how well it works!


ITEM LIST (starting from the first slot):
* Any item
* 8F
Repel                x[SpeciesIndex]
X Speed              x14
Ultra Ball          x64
TM05                x72
Lemonade            x201


ASM:
Code:
WRA1:D322 1E 20            ld  e,[SpeciesIndex]
WRA1:D324 43              ld  b,e
WRA1:D325 0E 02            ld  c,02
WRA1:D327 40              ld  b,b
WRA1:D328 CD 48 3E        call 3E48
WRA1:D32B C9              ret



But when I started transferring them to Pokemon Bank, I've hit a couple of snags.

The main problem is that the Pokemon you receive are all Lvl 2. But PokeTransporter has level checks for:

* starters & evolutions
* Ditto
* Dratini & evolutions
* legendary birds
* Mewtwo


Just wondering if there's an easy way to modify the setup to generate a variable Pokemon level. Or maybe hard-coded at Lvl 70 or something.

- - - - -

Unrelated, but just curious: I've read that TM 01 x(any) and [any item] x201 represent the C9 byte which stops code execution. How do they differ? I tried using TM 01 x129 instead of Lemonade x201 in the above setup and it froze the game.

Thanks everyone!



The Ultra Ball (index 2) actually represents the lvl. For instance using X Accuracy x64 instead of Ultra Ball x64 gives a lvl 46 Pokémon.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: atav32
Date: 2017-04-16 12:41:47
Wow! That's awesome! What tools do you guys use to write and test your code?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-04-16 13:35:47
Writing is usually done in Notepad or on a sheet of paper. I'm not even joking :P
Then we compile it either by hand or using some nifty tools created by the community (for example these two).

To test them, most of us prefer the BGB emulator and its amazing debugger, but some other emulators such as BizHawk are good options.
Some even take the time to build the setup on console to verify. But that's rarer.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheSixthItem
Date: 2017-04-22 09:51:51
In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-04-22 14:16:23

In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?


Yes. The following code, which is a modified version of TheZZAZZGlitch's change second item code (see this thread's first post), should work for changing the item quantity. It should work on both Yellow (when using ws m redirected to item 3) and Red/Blue (when using 8F redirected to item 3) because no absolute memory addresses are specified.

* 8F
* Item with quantity you want to morph
Burn Heal            x43
Full Heal            x201

ASM:
WRA1:D322 0C              inc  c      ; Burn Heal (ID $0C)
WRA1:D323 2B              dec  hl     ; quantity 43 ($2B): hl now points at item 2's quantity
WRA1:D324 34              inc  (hl)   ; Full Heal (ID $34): add 1 to that quantity
WRA1:D325 C9              ret         ; quantity 201 ($C9)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2017-04-23 14:43:16

In yellow, morph second item adds 1 to the quantity of item 2. If you have 255 and you use it, you get 0. Is there a way to convert that from ws[glitch]m to 8F?


This is what I use to get 0 of a certain item.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201

More convenient to turn 1 item into 0 than to turn 255 into 0. It's also worth noting that 0 is actually 256, so you can toss them to get any quantity you need.
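As an added example (not code from the thread or from any poster), here is a small Python encoder and disassembler that turns an 8F item list into the bytes sitting at WRA1:D322 and decodes them with the SM83 opcodes these scripts use. It reproduces atav32's listing, camper's point that dropping the Lemonade turns the call into `call C948`, and Torchickens' and Skeef's quantity-morph scripts; the item IDs are the Gen I item indices, and the function names and script constants are this example's own.

```python
# Added example (not from the thread): turn an 8F item list into the bytes the
# CPU executes and decode the handful of SM83 opcodes these scripts rely on.
# Gen I item IDs for the items used in this thread.
ITEM_ID = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Poké Ball": 0x04, "Burn Heal": 0x0C,
    "Awakening": 0x0E, "Repel": 0x1E, "Carbos": 0x26, "X Accuracy": 0x2E,
    "Full Heal": 0x34, "Revive": 0x35, "Lemonade": 0x3E, "X Speed": 0x43,
    "TM01": 0xC9, "TM05": 0xCD, "TM29": 0xE5,
}
# Opcode -> (mnemonic template, immediate byte count); 16-bit operands are little-endian.
OPCODES = {
    0x00: ("nop", 0), 0x01: ("ld bc, ${1:02X}{0:02X}", 2), 0x03: ("inc bc", 0),
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0E: ("ld c, ${0:02X}", 1),
    0x1E: ("ld e, ${0:02X}", 1), 0x26: ("ld h, ${0:02X}", 1), 0x2B: ("dec hl", 0),
    0x2E: ("ld l, ${0:02X}", 1), 0x34: ("inc (hl)", 0), 0x35: ("dec (hl)", 0),
    0x3E: ("ld a, ${0:02X}", 1), 0x40: ("ld b, b", 0), 0x43: ("ld b, e", 0),
    0x54: ("ld d, h", 0), 0xC9: ("ret", 0), 0xCD: ("call ${1:02X}{0:02X}", 2),
    0xE5: ("push hl", 0),
}

def encode(items: list[tuple[str, int]]) -> bytes:
    """Each bag slot is two bytes in memory: item ID, then quantity (0..255)."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"quantity out of range: {name} x{qty}")
        out += bytes((ITEM_ID[name], qty))
    return bytes(out)

def disassemble(code: bytes, base: int = 0xD322) -> list[str]:
    """Decode from item 3 (WRA1:D322 in the posts) until the first ret. A byte the
    table does not know is shown as `db` and execution is assumed to continue."""
    lines, pc = [], 0
    while pc < len(code):
        op = code[pc]
        text, n = OPCODES.get(op, (f"db ${op:02X}  ; not decoded here", 0))
        ops = list(code[pc + 1:pc + 1 + n])
        if len(ops) < n:  # operand would be read from memory past the bag
            break
        lines.append(f"{base + pc:04X}: {text.format(*ops)}")
        pc += 1 + n
        if op == 0xC9:
            break
    return lines

# Scripts reproduced from the posts above: atav32's Catch'Em All as written, the
# TM01 x129 variant atav32 reports froze, and Torchickens' quantity-morph script.
CATCH_OK = [("Repel", 0x20), ("X Speed", 14), ("Ultra Ball", 64), ("TM05", 72), ("Lemonade", 201)]
CATCH_BAD = [("Repel", 0x20), ("X Speed", 14), ("Ultra Ball", 64), ("TM05", 72), ("TM01", 129)]
MORPH_ITEM2 = [("Burn Heal", 43), ("Full Heal", 201)]
```

Running `disassemble(encode(CATCH_BAD))` shows the `call $C948` camper describes and no `ret` anywhere in the bag, so execution runs on into whatever follows.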

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Blaki
Date: 2017-04-25 17:22:46
It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade!

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
ld a, [Pokemon index value]
call $349B
ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Caveat
Date: 2017-04-25 19:42:35

It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade!

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
ld a, [Pokemon index value]
call $349B
ret


This could potentially be useful for the Pokedex ACE that was discovered recently…

Even if it only displays complete entries after catching the Pokemon, it could still be used to easily execute the code in that manner.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2017-04-25 20:04:45


It's my first 8F script ever, it's not practical by any means, but still a bit fun. It displays a Pokedex entry based on the quantity of the stack of Lemonade!

Lemonade x[Pokemon index value]
TM05 x155 (hex:9B)
Full Heal x201 (hex:C9)

ASM
ld a, [Pokemon index value]
call $349B
ret


This could potentially be useful for the Pokedex ACE that was discovered recently…

Even if it only displays complete entries after catching the Pokemon, it could still be used to easily execute the code in that manner.

Well, well, a newcomer might've made history…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2017-04-26 00:21:41
Except if you already have 8F you can already do ACE.