Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.




Arbitrary code execution in Red/Blue using the "8F" item - Page 5

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 07:52:50

My item pointer table dumper shows that the valid items point to what they should.


Remember that because of Gen I's broken pointer arithmetic, item with ID $80 acts like $00, $81 like $01, $82 like $02, etc., and your pointer table dumper should take that into account. This would mean that $BB acts like $3B. $3B is an unused 'Coin' item, and that would explain everything, since it's programmed to do nothing.

Japanese Yellow has item $63 (''), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'…
My ROM (telling by the checksum) seems to be v1.0.

It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (method of doing this is the same as in international releases)

<offtop>Suddenly, when I wasn't looking, my thread became popular like chocolate ;p</offtop>

Interesting, TheZZAZZGlitch. I never knew that.

Thanks for coming to the rescue! It's pretty cool that '' happens to be the equivalent of 'w sm' because that is one of the 'mysterious unused text' from Red/Green; ShellBadge.


Btw, I believe that in v1.1 and v1.2 it just locks up in battle on the items list with the white arrow pointer.


I just tested them now. It seems to have a completely different name on Rev A and B ('ぴま'), instead of 'ぐ(down arrow)へ', and viewing its name doesn't cause characters to be shown at the bottom of the screen.

The battle corruption works in all versions, but you have to press A again after the cursor has gone white. Haven't tested if the Pokémon you get are the same.


Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban


It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (method of doing this is the same as in international releases)

<offtop>Suddenly, when I wasn't looking, my thread became popular like chocolate ;p</offtop>


It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-12-07 08:15:32
It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.


It doesn't look like it, but it is improperly terminated. In v1.1 and v1.2, its glitched name contains a $00 character, which (for some unknown reason) causes the text engine to stop reading the name, making it look harmless. But it still does not have the $50 character which is used to terminate text strings, and causes all the Super Glitch-like effects.
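An added illustration of the failure mode described in the post above (this is example code written for this archive, not code from the thread or from the game): a small model of a name copy that stops only at the $50 terminator, next to one that also respects the size of the name slot, plus the display rule that stops at $00. The $50 terminator and the "display stops at $00" behaviour are taken from the post; the memory layout, the 10-byte slot size and the sample bytes are constructed for the example, and the letter encoding ($80 = A ... $99 = Z) is the Gen I text alphabet.

```python
# Toy model of an improperly terminated name (constructed example, not game code).
TERMINATOR = 0x50     # end-of-string byte the thread discusses
DISPLAY_STOP = 0x00   # byte that makes the text engine stop drawing (per the post)
NAME_SLOT = 10        # constructed: bytes reserved per name in the table


def encode_name(text: str) -> bytes:
    """Encode uppercase letters as $80..$99 and append the $50 terminator."""
    return bytes(0x80 + ord(ch) - ord("A") for ch in text) + bytes([TERMINATOR])


def build_memory() -> bytes:
    """Constructed name table followed by unrelated neighbouring data."""
    slot0 = encode_name("POTION")                       # well-formed name, 7 bytes
    slot0 += bytes([TERMINATOR]) * (NAME_SLOT - len(slot0))  # pad slot to 10 bytes
    # glitch name: contains a $00 but never a $50 (constructed bytes)
    slot1 = bytes([0x8B, 0x00, 0xA3, 0xA4, 0x91, 0x1F, 0x2B, 0x60, 0x7E, 0x33])
    # whatever happens to sit after the table (constructed)
    neighbour = bytes([0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC])
    # the first $50 that exists anywhere after slot 1, then some filler
    return slot0 + slot1 + neighbour + bytes([TERMINATOR]) + bytes([0xFF] * 4)


def copy_until_terminator(mem: bytes, start: int) -> bytes:
    """Unsafe copy: read until a $50 appears, however far away that is.
    This is the behaviour the post attributes to the game."""
    end = start
    while end < len(mem) and mem[end] != TERMINATOR:
        end += 1
    return mem[start:end]


def copy_bounded(mem: bytes, start: int, max_len: int = NAME_SLOT) -> bytes:
    """Defensive copy: stop at $50 or at the slot boundary, whichever is first."""
    out = bytearray()
    for b in mem[start:start + max_len]:
        if b == TERMINATOR:
            break
        out.append(b)
    return bytes(out)


def render(raw: bytes) -> str:
    """What the text engine would draw: stops at $00, letters for $80..$99,
    '?' for anything else. This is why the Rev A/B name looks harmless."""
    out = []
    for b in raw:
        if b == DISPLAY_STOP:
            break
        out.append(chr(ord("A") + b - 0x80) if 0x80 <= b <= 0x99 else "?")
    return "".join(out)


def analyse(mem: bytes, slot: int) -> dict:
    """Compare both copies for one slot and report how far the unsafe one overran."""
    start = slot * NAME_SLOT
    unsafe = copy_until_terminator(mem, start)
    safe = copy_bounded(mem, start)
    return {
        "bytes_read_unsafe": len(unsafe),
        "bytes_read_safe": len(safe),
        "overread": max(0, len(unsafe) - NAME_SLOT),  # bytes pulled in past the slot
        "shown": render(unsafe),
    }


if __name__ == "__main__":
    mem = build_memory()
    for slot in (0, 1):
        print(slot, analyse(mem, slot))
```

Slot 1 displays as a single letter because the $00 stops drawing, yet the unbounded copy reads six bytes of neighbouring data before it finds a $50; the bounded copy never leaves the slot.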

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 08:22:29

It doesn't seem to have an improperly terminated name in Rev A and Rev B and it still causes corruption.


It doesn't look like it, but it is improperly terminated. In v1.1 and v1.2, its glitched name contains a $00 character, which (for some unknown reason) causes the text engine to stop reading the name, making it look harmless. But it still does not have the $50 character which is used to terminate text strings, and causes all the Super Glitch-like effects.


Ah, OK.

edit: I'm still confused about something: you have to try to use the item to get the corruption to work, unlike move 00 where glitches would occur by scrolling down (I still don't fully understand why that is though, but I know from your Super Glitch thread the game reads the invalid name from somewhere in battle but not on the summary).

edit2: By the way, your images on your Super Glitch thread no longer work. (Smartfeel gives a 404 Error File Not Found). I thought I'd let you know if you still have those images and want to replace them.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2013-12-07 08:49:50
I'm still confused about something: you have to try to use the item to get the corruption to work, unlike move 00 where glitches would occur by scrolling down (I still don't fully understand why that is, though, but I know from your Super Glitch thread the game reads the invalid name from somewhere in battle but not on the summary).


The whole corruption effect occurs when the name is loaded into memory. For items, it is when the Use/Toss menu is displayed. For moves, it occurs when hovering the cursor over a glitched move.

For moves, the memory corruption actually occurs 2 times: Once after viewing the moveset/move list, and once when hovering the cursor over the move.

By the way, your images on your Super Glitch thread no longer work.


I should still have the images somewhere on my disk, replacing them shouldn't be a problem.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 08:59:38
OK, thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 09:14:21

For items, it is when the Use/Toss menu is displayed.


So the nice freeze when the Use/Toss menu should be displayed makes sense…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 10:35:29
And now for something completely different:

Enter the Hall of Fame with 8F:

Does what it says. This is for R/B English, offsets will be different everywhere else.

ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35d6
ret


[tt]0e 16 26 64 2e bb 41 40 cd d6 35 c9[/tt]

[tt]Awakening  x 22
Carbos    x100
X Accuracy x187
X Attack  x 64
TM05      x214
Revive    x201[/tt]

This basically calls a function labeled in the pokered disasm as "HallofFameRoomScript2". It basically changes some addresses, saves (using a function called "SaveSAVToSRAM"), and calls a function that does hall of fame and credits, then at "The End" waits for a button press and jumps to a function called "InitGame" (soft reset).
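To check hand-written listings like the one above against the bytes that actually get executed, here is an added example (not Stackout's code, not from the pokered project): a disassembler for the handful of Game Boy (SM83) opcodes that appear in this thread's listings. It reads the hex exactly as posted, applies the operand length of each opcode and the low-byte-first order of 16-bit operands, and prints any opcode outside its table as a raw `db` byte rather than guessing. The opcode table is an assumption in the sense that it only covers what this thread uses; extend it for other code.

```python
# Added example: minimal SM83 disassembler for the opcodes used in this thread.
# opcode -> (mnemonic template, operand kind); kinds: None, "d8" (one byte),
# "r8" (signed byte), "a16" (16-bit, low byte first)
TABLE = {
    0x02: ("ld (bc),a", None),
    0x04: ("inc b", None),
    0x06: ("ld b,${d8}", "d8"),
    0x0C: ("inc c", None),
    0x0D: ("dec c", None),
    0x0E: ("ld c,${d8}", "d8"),
    0x1D: ("dec e", None),
    0x26: ("ld h,${d8}", "d8"),
    0x2B: ("dec hl", None),
    0x2E: ("ld l,${d8}", "d8"),
    0x34: ("inc (hl)", None),
    0x3E: ("ld a,${d8}", "d8"),
    0x40: ("ld b,b", None),
    0x41: ("ld b,c", None),
    0x6B: ("ld l,e", None),
    0x8C: ("adc a,h", None),
    0x93: ("sub e", None),
    0xC9: ("ret", None),
    0xCD: ("call ${a16}", "a16"),
    0xEA: ("ld (${a16}),a", "a16"),
    0xF8: ("ld hl,sp{r8}", "r8"),
    0xFA: ("ld a,(${a16})", "a16"),
}
SIZE = {None: 1, "d8": 2, "r8": 2, "a16": 3}


def parse_hex(text: str) -> bytes:
    """Accept the thread's loose format: '0e 16 26 64', upper or lower case."""
    return bytes(int(tok, 16) for tok in text.split())


def disassemble(code: bytes) -> list:
    """Return one mnemonic per instruction, in execution order."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        entry = TABLE.get(op)
        if entry is None:
            out.append(f"db ${op:02x}")   # not in our table: keep the raw byte
            pc += 1
            continue
        template, kind = entry
        size = SIZE[kind]
        if pc + size > len(code):
            raise ValueError(f"operand of ${op:02x} at offset {pc} runs past the end")
        if kind == "d8":
            text = template.format(d8=f"{code[pc + 1]:02x}")
        elif kind == "r8":
            # signed displacement: $F7 is -9, not a separate instruction
            off = code[pc + 1] - 0x100 if code[pc + 1] >= 0x80 else code[pc + 1]
            text = template.format(r8=f"{off:+d}")
        elif kind == "a16":
            text = template.format(a16=f"{code[pc + 1] | (code[pc + 2] << 8):04x}")
        else:
            text = template
        out.append(text)
        pc += size
    return out


if __name__ == "__main__":
    # the Hall of Fame code posted above (R/B English)
    for line in disassemble(parse_hex("0e 16 26 64 2e bb 41 40 cd d6 35 c9")):
        print(line)
```

Running it over a listing shows where a hand disassembly has drifted from its bytes: a byte that follows `F8` is the signed operand of `ld hl,sp+r8`, and the two bytes after `CD` or `EA` are read low byte first.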

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 10:47:38
Here is a list of 'w sm' cheats I made for Pokémon Yellow. Most of them are simple but some could possibly be improved if no glitch items are required/key items with more than one quantity. Thanks TheZZAZZGlitch for the original versions of at least two of these codes.

The unused tune code is based on this video but Pokechu22 found that you can just change addresses C007, C009 and C00B to $68. I'm not sure if that allows for a better set-up.

I thought I'd post these after Wack0 posted his Hall of Fame code.
__________________________________
Walk through walls (ledge required):

EA 13 D7 C9

ld (D713), a
ret


TM34 x19
TM15 x201

___________________________________
Walk through walls (no ledge needed):

3E 01 EA 38 CD C9

ld a, 01
ld (CD38), a
ret


Lemonade x1
TM34 x56
TM05 x201

___________________________________

Play RBY unused tune:


93 8C F8 F7 02 40 CD 7D 2D C9


sub e
adc a,h
ld hl, sp-9
ld (bc), a
ld b,b
call $2D7D
ret


Anywhere not specified: w sm
Item 3: Glitch item 93h x140
Item 4: TM48 x247
Item 5: Ultra Ball x64
Item 6: TM05 x125
Item 7: Bike Voucher x201
____________________________________________________________________________

Steal other Trainer's Pokémon/escape from Trainer battle:

3E 01 EA 56 D0 C9


ld a, 01
ld (D056), a
ret


Lemonade x1
TM34 x86
TM08 x201

___________________________________________________________________________________

Play Gym Leader music:

WRA1: D321 EA 5B D0              ld (D05B), a  : Put 63h into D05B
WRA1: D324 C9                    ret


Item 3 = TM34 x 91
Item 4 = TM08 x 201
___________________________________________________________________________________

Battle Safari Zone style:

WRA1: D321 3E 02                  ld a, 02 : Put 02h into a
WRA1: D323 EA 59 D0              ld (D059), a  : Put 02h into D059
WRA1: D326 C9   ret


Lemonade x2
TM34 x89
TM08 x201

___________________

Hurry, get away! battle:

WRA1: D321 3E 03                  ld a, 03 : Put 03h into a
WRA1: D323 EA 59 D0              ld (D059), a  : Put 03h into D059
WRA1: D326 C9   ret


Lemonade x3
TM34 x89
TM08 x201

___________________

Battle any Pokémon 1 : ID = item 3 quantity (level =last Pokémon battled/withdrawn)

3E xx EA 58 D0 C9

ld a, xx
ld (D058),a
ret


Lemonade x1
TM34 x88
TM08 x201

____________________________________________________________________________________

Battle any Pokémon 2 : ID = item 1 quantity (level =last Pokémon battled/withdrawn)


WRA1:D321 FA 1E D3        ld  a,(D31E)
WRA1:D324 04              inc  b
WRA1:D325 EA 58 D0        ld  (D058),a
WRA1:D328 C9              ret


TM50 x 30
TM11 x 04
TM34 x 88
TM08 x 201

_____________________________________________________________________________________

Battle any Pokémon (level = 1st item quantity. ID = 6th item quantity)

FA 1E D3 EA 26 D1 3E xx EA 58 D0 C9

ld a, (D31E)
ld (D126), a
ld a, xx
ld (D058), a
ret


TM50 x30
TM11 x234
Carbos x209
Lemonade x (X)
TM34 x88
TM08 x201

_____________________________________________________________________________________


Change the second item +1

WRA1:D321 0C              inc  c
WRA1:D322 2B              dec  hl
WRA1:D323 0D              dec  c
WRA1:D324 2B              dec  hl
WRA1:D325 34              inc  (hl)
WRA1:D326 C9              ret


Burn Heal x43
Ice Heal x43
Full Heal x201

________________

Change the enemy species in battle

3E xx EA D7 CF C9

ld a, xx
ld (CFD7), a
ret


Lemonade x (X)
TM34 x 215
TM07 x 201


________________

Champion Blue's team

3E xx EA 14 D7 C9

ld a, xx
ld (D714), a
ret


Examples: 05 : one Gastly level 22, 77h: level 152 Q

Lemonade x (X)
TM34 x20
TM15 x201

________________

See the unused town's Town Map data (requires Town Map/Fly):

3E 0B EA 5D D3 C9

ld a, 0B
ld (D35D), a
ret


Lemonade x11
TM34 x93
TM11 x201

_______________

Map exit modifier:

3E xx EA 64 D3 C9

ld a, xx
ld (D364), a
ret


Lemonade x (X)
TM34 x 100
TM11 x 201

______________

Make Pikachu stay:

06 16 26 39 2E 64 CD 84 3E C9

ld b, 16
ld h, 39
ld l, 64
call $3E84
ret


Bicycle x22
Carbos x57
X Accuracy x100
TM05 x132
Lemonade x201

_______________

Trigger Hall of Fame script (not recommended because you can walk up and get bad glitch text and maybe go off the boundaries. Additionally, you need two more glitch items):

3E 39 EA 6D D3 3E 64 EA 6E D3 3E 76 EA 5D D3 C9

ld a, 39
ld (D36D), a
ld a, 64
ld (D36E), a
ld a,76
ld (D35D), a
ret


Lemonade x57
TM34 x109
TM11 x62
glitch item 64h x234
glitch item 6Eh x211
Lemonade x118
TM34 x 93
TM11 x 201

_______________

Map color modifier:

3E xx EA 5C D3 C9

ld a, xx
ld (D35C), a
ret


Lemonade x (X)
TM34 x92
TM11 x201

_________________
Pikachu's happiness modifier:

3E xx EA 6F D4 C9

ld a, xx
ld (D46F), a
ret


Lemonade x (X)
TM34 x 111
TM12 x 201

__________________
Teach Pokémon 1 Surf (first move):

3E 39 EA 72 D1 C9

ld a, 39
ld (D172), a
ret


Lemonade x 57
TM34 x 114
TM09 x 201

__________________

Music tempo modifier:

3E xx EA E9 C0 C9

ld a, xx
ld (C0E9),a
ret


Lemonade x (X)
TM34 x 233
'small hiragana a' x 201
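Most of the list above is the same three-instruction shape, `ld a,xx / ld (addr),a / ret`, turned into inventory entries two bytes at a time (item ID, then quantity). As an added example (not Torchickens' code and not from the game), the script below generates that shape for a given address and value and converts any byte string into the item and quantity pairs the posts list. The item table is deliberately limited to the IDs this thread itself pairs with bytes, plus the TM01..TM50 = $C9..$FA rule; any other ID is reported as a glitch item rather than given a name, which is also the quick way to see which codes depend on glitch items. The addresses used in the demo are the Yellow ones from the post.

```python
# Added example: byte string <-> inventory (item, quantity) pairs, plus the
# "store one byte" pattern used throughout the list above.
NAMED_ITEMS = {  # only IDs that this thread pairs with bytes
    0x02: "Ultra Ball", 0x06: "Bicycle", 0x0C: "Burn Heal", 0x0D: "Ice Heal",
    0x0E: "Awakening", 0x1D: "Escape Rope", 0x26: "Carbos", 0x2D: "Bike Voucher",
    0x2E: "X Accuracy", 0x34: "Full Heal", 0x35: "Revive", 0x36: "Max Revive",
    0x3B: "Coin", 0x3E: "Lemonade", 0x41: "X Attack",
}


def item_name(item_id: int) -> str:
    """Name an item ID; TMs follow TMnn = $C8 + nn; unknown IDs are glitch items."""
    if 0xC9 <= item_id <= 0xFA:
        return f"TM{item_id - 0xC8:02d}"
    return NAMED_ITEMS.get(item_id, f"glitch item {item_id:02X}h")


def parse_hex(text: str) -> bytes:
    """Accept the thread's loose format ('3E 01 EA 38 CD C9'); placeholders must be filled."""
    return bytes(int(tok, 16) for tok in text.split())


def to_items(code: bytes) -> list:
    """Split code into inventory slots: each slot is (item ID, quantity)."""
    if len(code) % 2:
        raise ValueError("code has an odd length; every inventory slot is two bytes, "
                         "so pad it with an instruction that is harmless for the code")
    return [(item_name(code[i]), code[i + 1]) for i in range(0, len(code), 2)]


def store_byte(addr: int, value: int) -> bytes:
    """ld a,value ; ld (addr),a ; ret  ->  3E vv EA lo hi C9 (address low byte first)."""
    if not 0 <= value <= 0xFF or not 0 <= addr <= 0xFFFF:
        raise ValueError("value must fit in a byte and addr in 16 bits")
    return bytes([0x3E, value, 0xEA, addr & 0xFF, addr >> 8, 0xC9])


def glitch_items(code: bytes) -> list:
    """Which slots of this code need a glitch item (not in the named table)."""
    return [name for name, _ in to_items(code) if name.startswith("glitch item")]


def listing(code: bytes) -> str:
    """Render the pairs the way the posts do: one 'Item xQuantity' per line."""
    return "\n".join(f"{name} x{qty}" for name, qty in to_items(code))


if __name__ == "__main__":
    # "Battle Safari Zone style" from the post: write 02h to D059
    code = store_byte(0xD059, 0x02)
    print(code.hex(" "))
    print(listing(code))
    # the "unused tune" code needs a glitch item in slot 1
    print(glitch_items(parse_hex("93 8C F8 F7 02 40 CD 7D 2D C9")))
```

Because the quantity byte is whatever the second byte of each pair happens to be, an address whose low byte is $00 or a value of $00 would produce a slot with quantity 0; the script does not special-case that, it only makes the pairing visible so the reader can check it against the list.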

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 11:10:16
Enter the Hall of Fame with "ws m" in English Yellow:

[img]http://goput.it/4hc5.png[/img]

ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e84
ret


[tt]0e 16 26 64 2e 56 41 40 cd 84 3e c9

Awakening  x 22
Carbos    x100
X Accuracy x 86
X Attack  x 64
TM05      x132
Lemonade  x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 11:56:20
Play Pikachu's Beach in US Yellow:
Please note: the menus don't spawn when you exit Pikachu's Beach, just press B twice to exit them.

[img]http://goput.it/7cna.png[/img]

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e84
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 84 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x132
Lemonade    x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-07 12:05:17
For those who are curious, the Pikachu's Beach code starts at 3E:4000. That's 0xF8000.

Part of the Pikachu's Beach code starts at 3E:407A (0xF807A), but executing that alone will cause glitches, including the music not changing and the HP value not displayed correctly. (That pointer in Japanese Yellow can be found here.)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 13:09:44
Enter the Hall of Fame with 5kai in Japanese R/G v1.0:

ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $3620
ret


[tt]0e 16 26 7b 2e e4 41 40 cd 20 36 c9

Awakening  x 22
Carbos    x123
X Accuracy x228
X Attack  x 64
TM05      x 45
Max Revive x201[/tt]

…and in Japanese Blue:

[img]http://goput.it/c42w.png[/img]

ld c,$16
ld h,$7e
ld l,$29
ld b,c
ld b,b
call $3636
ret


[tt]0e 16 26 7e 2e 29 41 40 cd 36 36 c9

Awakening  x 22
Carbos    x126
X Accuracy x 41
X Attack  x 64
TM05      x 54
Max Revive x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 14:50:53
Enter the Hall of Fame with in Japanese Yellow v1.1 and v1.2:

[img]http://goput.it/0p76.png[/img]

ld c,$16
ld h,$7d
ld l,$c8
ld b,c
ld b,b
call $3e7e
ret


[tt]0e 16 26 7d 2e c8 41 40 cd 7e 3e c9

Awakening  x 22
Carbos    x125
X Accuracy x200
X Attack  x 64
TM05      x126
Lemonade  x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 14:56:44
Play Pikachu's Beach with in Japanese Yellow v1.1 and v1.2:

[img]http://goput.it/w716.png[/img]

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e7e
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 7e 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x126
Lemonade    x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 15:25:42
Enter the Hall of Fame with P7 in Spanish R/B:

[img]http://goput.it/w77h.png[/img]

ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f5
ret


[tt]0e 16 26 64 2e bb 41 40 cd f5 35 c9

Awakening (Despertar)    x 22
Carbos (Carburante)      x100
X Accuracy (Precisión X) x187
X Attack (Ataque X)      x 64
TM05 (MT05)              x245
Revive (Revivir)        x201[/tt]