Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 40

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DrManowar
Date: 2017-05-18 22:04:15
This past week, I have been learning about arbitrary code execution. I started off with simple scripts in Pokémon Yellow, and I am currently working on creating Pong in Pokémon Blue using TheZZAZZGlitch's code. Currently, the program is running when I use 8F, but unlike in the video by TheZZAZZGlitch, my ball always starts off going in the top left direction instead of the top right direction. This is causing the ball to phase through the left wall and then through the paddle on its way down.

I finally noticed a workaround: First, I changed the last "0D" byte in the seventh row to a "0A", waited for the ball to continuously hit the paddle and the top left corner repeatedly, and then I changed that "0A" byte back to a "0D". After changing it back to the 0D while the program is running, it functions completely as intended. I should mention that I am trying this on VBA which is how I am editing the memory.

I am looking for a workaround to this that would allow me to not have to manually change the memory while the program is running. Would anyone know how to change the bytes around to allow the ball to start off moving in the top right direction rather than the top left? I am not sure if this would be the solution though. Any help is greatly appreciated.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-05-19 06:53:56
Well, VBA is a pretty bad emulator (even more for the GB than the GBA), so first of all I think you should switch to either BGB, Gambatte, or at the very least VBA-M.
I'm not sure this will fix the error, though.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Laffeyh
Date: 2017-06-07 10:56:10
Hey there,

I am searching for a modified Alternative Catch 'Em All glitch.
I would like to add the Pokémon I want to the current active box, not to my team, and change the obtained Pokémon's DVs to the shiny values in the same step. It is pretty annoying to change the whole setup and do the item duplication glitch for every 20 Pokémon.

Furthermore, is there any general explanation of some of the items? Do items like Lemonade, Fresh Water, the X items, Carbos and so on have a general function in EVERY code, or are they, for example, only doing certain things in different setups?
For example I see, that many glitches regarding the boxes have carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheSixthItem
Date: 2017-06-07 14:53:00
@Laffeyh

Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-06-08 15:19:50
Quote from: Laffeyh

Furthermore, is there any general explanation of some of the items? Do items like Lemonade, Fresh Water, the X items, Carbos and so on have a general function in EVERY code, or are they, for example, only doing certain things in different setups?
For example I see that many glitches regarding the boxes have Carbos and many codes use X-Acc or X-Speed.

Thanks for the nice guide and the huge discussion here on this forum,
Laffeyh

The items basically correspond to certain opcodes (instructions) in Z80 assembly. You can learn about it from this guide on the site, or from plenty of other resources online too. The game stores items as an ID number followed by the number of them you have, and ACE takes advantage of that by making the game reinterpret that list of numbers as code to be run. A list of which items correspond to which opcodes is here.

The items you see a lot in scripts basically correspond to commonly used opcodes. For example, Lemonade is "ld a, $xx" (where xx is the next number in memory, the quantity of this item stack), which sets the "a" register to whatever you want. That is very useful, since it can then be written somewhere in memory, or you can do arithmetic on it, or whatever. Carbos and X Accuracy correspond to "ld h, $xx" and "ld l, $xx" respectively, which are most often used to determine where something should be written in memory, or sometimes where to jump to.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: 8F
Date: 2017-06-15 08:46:56
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end because the game crashed and lost my save so does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used brock through walls to get HM Fly and Surf as well as going to cerulean cave to get a high level pokemon to defeat the two gym leaders in order to access the Old Man trick but is there a quicker method?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2017-06-15 17:59:35
There's already-set-up saves for 8F and ws m… somewhere… I think Torchickens uploaded them, try asking her.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: 8F
Date: 2017-06-16 03:31:55
Sorry, I should've mentioned that I'm playing on the 3DS.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-06-16 08:26:20
The fastest way to get the 8F setup would be to encounter missingno via Trainer Fly, not Old Man Trick. This can be done by losing to the 2nd trainer's machop in Saffron dojo after setting up the TFly.

What do you mean by not having the right inventory? Once you have 255 x specials, all you need are two of any tossable item to do the dry variant of Item Underflow.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-06-16 10:17:14
You can also lose to Misty to get the correct encounter Special.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-06-16 11:57:05
Quote from: 8F

Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 X Specials needed, I used the 6th item trick with MissingNo. However, after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x255, and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end, because the game crashed and I lost my save. Does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used Brock Through Walls to get HM Fly and Surf, as well as going to Cerulean Cave to get a high-level Pokémon to defeat the two gym leaders in order to access the Old Man trick, but is there a quicker method?


Hi 8F! What you need to do is obtain three stacks of the X Special x255 (by putting the initial x255 in slot 3 and then tossing all of slot 2 and slot 1) but have only one item registered; so there are three X Specials at the top but you can only scroll down to the first two, and the second acts as a Cancel. Afterwards, tossing 253 of the first X Special and swapping the X Special x2 with the second stack and then the third will give you an X Special x0 and underflow the inventory.

An early way to get a x255 stack is this:

1) Use Brock Through Walls to go to Saffron City then heal at Saffron City Pokémon Center
2) Go west to Celadon City to buy an Abra using the coins on the ground at the Game Corner
3) Head to Route 6 and set up a Trainer-Fly using Abra's Teleport.
4) Lose to the first Black Belt at Saffron Fighting Dojo.
5) Return to Route 6 after flashing the Start menu to encounter MissingNo. to get x129 of an item in slot 6.
6) Toss two of the item, run from MissingNo. and repeat steps 3-5 to encounter another MissingNo. and get x255.

(Note: It may also be possible to use up two of the item in slot 6 once you get x129 and then catch MissingNo. to get x255 (e.g. if it's an X Attack), but the item in slot 6 shouldn't be a Poké Ball.)

If you have another 3DS with Red/Blue you can also obtain a CoolTrainer Ditto on Red/Blue (use Transform, swap first move with second move and run), enter battle with it in Diglett's Cave, flash the Pokémon menu (important) and then scroll through Ditto's move until the music fades. Afterwards, the Pokémon will turn into MissingNo. and catching it will duplicate the slot 6 item if there are under 128.

Hope that helps and sorry for late response!  :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Problems with 8F
Date: 2017-06-19 06:07:03
Hello guys,
I've got a problem getting the 8F item. I tried the item underflow glitch (dry version, without an item event giveaway) several times, but every time I search for it, I only find an item called 7S in the place where 8F is shown in several YT videos. So I thought that's the German version of the 8F item (I'm playing the German version of Pokémon Red on the VC). I tried the item morphing glitch but nothing happened; I even tried to change my TID to get the ideal TID for transferring my Mew to Pokémon Bank, but still no effect. Did I get something wrong, or are there other methods for obtaining the 8F item? Thanks in advance for the help guys :)

Edit: It's S7, not 7S, sorry!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2017-06-19 14:40:41
Are you using the correct bootstrap? The German version requires a different party set-up than the English one. There is one posted on page 4 (the first post, easy to find), but it's a pretty old one. Other European players may have a less complicated one.

PS: S7 is indeed the german 8F.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Problems with 8F
Date: 2017-06-19 15:16:51
Thx for the answer, so I've got the 8F item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kangaskhan

I will try the other one on page 4, thx!

PS: I've used this video as a guide, for the people that are interested.
https://youtu.be/H8AgGp5cqPI

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-06-19 21:52:23
Quote from: Problems with 8F

Thx for the answer, so I've got the 8F item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kangaskhan

I will try the other one on page 4, thx!

PS: I've used this video as a guide, for the people that are interested.
https://youtu.be/H8AgGp5cqPI


Yeah, in non-English European versions you will likely need to use a different bootstrap code.

Note that before you use the "change player ID" item codes you will also need to alter them, as memory addresses in non-English European versions are +5 from the original.

In the code below (the one you may have tried using to change your Trainer ID part 1) you will just need to change the X Accuracy x89 into an X Accuracy x94, and similar logic applies to the rest.


8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43  x1  ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x89  ; ld a, 59
Water Stone x1  ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


For the second code (trainer ID change part 2 below), change X Accuracy x90 to X Accuracy x95.


8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43  x1  ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x12  ; ld a, 0C
Water Stone x1  ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


For the third code (player name letter 1 change) change X Accuracy x88 to X Accuracy x93.


8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41  x1  ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x88  ; ld l, 58
Lemonade    x134 ; ld a, 86
Water Stone x1  ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret



For the fourth code (player name letter 2 change) change X Accuracy x89 to X Accuracy x94.


8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41  x1  ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x133 ; ld a, 85
Water Stone x1  ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


For the fifth code (player name terminator in position 3) code, change X Accuracy x90 to X Accuracy x95.


8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41  x1  ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x80  ; ld a, 50
Water Stone x1  ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret


When certain memory addresses are defined in the code, such as many in the DXXX region (but not, for instance, CD38, which when set to 1 allows you to walk through walls), most of the time you will just need to change them to be +5 from the original (which you can do using a calculator that supports hexadecimal, such as Windows Calculator, or by just regarding the digits beyond 9 as A-F as you count up by five).

Note that this logic doesn't apply to addresses that use "call" or "jp" to run a routine in the ROM, such as the gift Pokémon code. For those you will have to locate the routine in the original English version in a debugger, converting the address from a pointer to an offset if necessary (only for addresses between 4000-7FFF), then use a hex editor to look for similar byte code in the non-English European version, then convert it back into a pointer, and this will be your address following call or jp.

My explanation isn't adequate though as it doesn't explain things like how to use a hex editor, how to convert a pointer to an offset or how you may have to swap the byte order ("endianness") due to an address following call or jp being formatted yyxx rather than xxyy. So if you ever need to convert a code that uses call or jp in such a way let me know and I'll walk you through it and convert it for you.

Hope this helps!  :)
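Added example, not code from any post above and not a Glitch City tool: a small Python script that puts jfb1337's point (a bag entry is an item ID byte followed by a quantity byte, and 8F makes the CPU execute that list) and Torchickens' "+5" porting rule into something you can run against the listings above. It assembles a listed setup into the bytes the Game Boy CPU sees, disassembles them with a deliberately partial opcode table (only the instructions used on this page; anything else is shown as `db`), tracks the a/h/l registers through the straight-line code to report which address actually gets written, and produces the non-English European variant by adding 5 to the X Accuracy quantity only when the write lands in D000-DFFF, so a CD38 write is left alone as the post says, and codes containing call/jp are rejected rather than mis-ported. Assumptions: item IDs are the English Gen 1 values the listings quote (8F = 0x5D, Antidote = 0x0B, X Accuracy = 0x2E, Lemonade = 0x3E, Water Stone = 0x22, TM01 = 0xC9, TM11 = 0xD3, Poké Ball = 0x04), "Any Item xAny" is filled with Poké Ball x1 (it is only ever eaten as a `ld bc,nn` operand), and execution starts at bag slot 3 (D322 in English Red/Blue), which is where the listings' comments begin.

```python
"""Assemble, disassemble and region-port 8F item codes (added example)."""

# Gen 1 item IDs (English R/B values quoted in the listings on this page).
ITEM_ID = {
    "8F": 0x5D, "Poké Ball": 0x04, "Antidote": 0x0B, "Carbos": 0x26,
    "X Accuracy": 0x2E, "Lemonade": 0x3E, "Water Stone": 0x22,
    "TM01": 0xC9, "TM05": 0xCD, "TM09": 0xD1, "TM11": 0xD3,
    "TM41": 0xF1, "TM43": 0xF3,
}

# Partial Game Boy CPU table: (mnemonic template, operand byte count).
# Only opcodes used on this page are decoded; anything else becomes `db`.
OPCODES = {
    0x00: ("nop", 0), 0x01: ("ld bc, ${:04X}", 2), 0x0B: ("dec bc", 0),
    0x22: ("ld [hl+], a", 0), 0x26: ("ld h, ${:02X}", 1),
    0x2E: ("ld l, ${:02X}", 1), 0x3E: ("ld a, ${:02X}", 1),
    0xC3: ("jp ${:04X}", 2), 0xC9: ("ret", 0), 0xCD: ("call ${:04X}", 2),
    0xEA: ("ld [${:04X}], a", 2),
}

BAG_ITEM3 = 0xD322  # assumption: 8F's bootstrap starts executing at bag slot 3
CODE_START = 4      # byte offset of slot 3 inside the (id, qty) byte list


def assemble(items):
    """Bag list [(name, qty), ...] -> raw bytes the CPU will execute."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 0xFF:
            raise ValueError(f"{name}: quantity {qty} is not one byte")
        out += bytes((ITEM_ID[name], qty))
    return bytes(out)


def disassemble(code, start=CODE_START):
    """Return [(offset, raw_bytes, text)] from `start` up to the first `ret`."""
    pc, lines = start, []
    while pc < len(code):
        op = code[pc]
        text, n = OPCODES.get(op, (f"db ${op:02X}", 0))
        operand = code[pc + 1:pc + 1 + n]
        if len(operand) < n:            # instruction runs past the end of the bag
            text, n, operand = f"db ${op:02X}", 0, b""
        if n:
            text = text.format(int.from_bytes(operand, "little"))
        lines.append((pc, bytes([op]) + operand, text))
        pc += 1 + n
        if op == 0xC9:
            break
    return lines


def listing(code, base=BAG_ITEM3):
    """Readable disassembly labelled with English R/B bag addresses."""
    return "\n".join(f"{base + off:04X}  {raw.hex(' '):<9} {text}"
                     for off, raw, text in disassemble(code))


def simulate(code):
    """Track a/h/l through the code and return [(address, byte)] per store."""
    a = h = l = None
    writes = []
    for _, raw, _ in disassemble(code):
        op = raw[0]
        if op == 0x26:
            h = raw[1]
        elif op == 0x2E:
            l = raw[1]
        elif op == 0x3E:
            a = raw[1]
        elif op == 0x22:
            if None in (a, h, l):
                raise ValueError("ld [hl+],a before hl and a were set")
            hl = (h << 8) | l
            writes.append((hl, a))
            hl = (hl + 1) & 0xFFFF      # post-increment of hl
            h, l = hl >> 8, hl & 0xFF
        elif op == 0xEA:
            if a is None:
                raise ValueError("ld [nn],a before a was set")
            writes.append((int.from_bytes(raw[1:3], "little"), a))
    return writes


def port_to_european(items):
    """Apply the +5 WRAM shift: add 5 to an X Accuracy (ld l,n) quantity when
    the target is in D000-DFFF. call/jp targets are ROM routines that must be
    relocated by hand, so such codes are refused instead of silently mis-ported."""
    ported, h = list(items), None
    for off, raw, _ in disassemble(assemble(items)):
        op = raw[0]
        if op in (0xC3, 0xCD):
            raise NotImplementedError("call/jp present: relocate its target manually")
        if op == 0x26:
            h = raw[1]                  # the TM's item ID, not adjustable via quantity
        elif op == 0x2E and h is not None and 0xD0 <= h <= 0xDF:
            if off % 2:                 # opcode sits in a quantity byte: operand is an ID
                raise ValueError("ld l operand is an item ID, not a quantity")
            name, qty = ported[off // 2]
            if qty + 5 > 0xFF:
                raise ValueError(f"{name} x{qty} + 5 overflows; change h/TM instead")
            ported[off // 2] = (name, qty + 5)
    return ported


# Torchickens' first code (Trainer ID part 1); "Any Item xAny" filled with Poké Ball x1.
TRAINER_ID_PART1 = [
    ("8F", 1), ("Poké Ball", 1), ("Antidote", 38), ("TM11", 1), ("Poké Ball", 1),
    ("X Accuracy", 89), ("Lemonade", 89), ("Water Stone", 1), ("Poké Ball", 1), ("TM01", 1),
]

if __name__ == "__main__":
    code = assemble(TRAINER_ID_PART1)
    print(listing(code))
    print("English writes: ", [(f"{ad:04X}", f"{v:02X}") for ad, v in simulate(code)])
    eu = port_to_european(TRAINER_ID_PART1)
    print("European writes:", [(f"{ad:04X}", f"{v:02X}") for ad, v in simulate(assemble(eu))])
```

Running it prints the listing (dec bc, ld h,$D3, ld bc,$0104, ld l,$59, ld a,$59, ld [hl+],a, ld bc,$0104, ret), reports that the English code stores $59 at D359, and that the ported code (X Accuracy x94) stores it at D35E. The opcode table is intentionally small: if you feed it a code with instructions it does not know, the `db` lines are your cue to extend the table rather than trust the decode.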