Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 44

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-07-03 08:47:03
Rebattle Mewtwo

This code will force Mewtwo to reappear in Cerulean cave if you have already fought him. This can be used an infinite number of times for infinite Mewtwos.

8f
Any item x any quantity
Lemonade x1
Soda Pop x4
Thunderstone x95
TM16 x119
TM34 x192
TM13 x201

ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return


Sorry for longevity, I tried my best to avoid duplicate/glitch items. Enjoy!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2017-07-05 13:09:00

Rebattle Mewtwo


ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return



You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201


inc b ; junk (Pokéball's item ID, $04)
dec hl ; hl is now $D321, item 2's quantity byte
dec (hl) ; decrease the quantity at (hl) by 1
ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-07-05 14:07:11
It's indeed possible but I find it tedious. Personally I prefer to stick to non-zero quantities.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: GoldenPikachu
Date: 2017-07-08 11:35:56
Does this work on the Spanish version of Yellow? I got ws m and did the setup but it doesn't work.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: forsyz
Date: 2017-07-25 00:04:10
Trying to change a Pokémon's item address with ws m. I'm using this by Torchickens. I have the bootstrap and items correct, but the Pokémon's item is still a berry when I see it on the trade.
Item 3: Lemonade x217
Item 4: Carbos x209
Item 5: X Accuracy x113
Item 6: Water Stone x201
https://image.prntscr.com/image/cPlHyLluSj6ZrxcANjQOXQ.png

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: natanelho
Date: 2017-07-25 09:40:20


Rebattle Mewtwo


ld a,01 ; a = 1
dec a ; a = 0, necessary because you can't have 0 of an item
inc b ; useless filler
ld hl,$d85f ; hl = d85f
ld (hl),a ; d85f = 0
ld ($d5c0),a ; d5c0 = 0
ret ; return



You can have 0 of an item actually.

- 8F
- Item you want 0 of x1
- Pokéball x43
- Revive x201


inc b ; junk (Pokéball's item ID, $04)
dec hl ; hl is now $D321, item 2's quantity byte
dec (hl) ; decrease the quantity at (hl) by 1
ret


About that code for 0 quantity of item 2: you assume hl contains D322 before the execution; how can you know that?
More general question: what are the states of the registers before using 8F, and do I have to return them to that state for the game to work properly?
Sorry, I'm new to glitching, and I did a few codes already, including one that changes item 1's quantity to 0, and it took me 3 items instead of 2 because I didn't know the values of the registers and had to insert the values manually…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-07-25 14:43:02
It is D322 because of the bootstrap code.

Remember the execution is done IN YOUR TEAM and you reroute it to item 3 (which is $D322).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-07-25 14:48:12
Yep, the bootstrap code in your party is basically
- set hl to D322
- jump to hl

So in your items code you can always assume hl is D322.
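
The two points just made, that an item list is really a byte stream (item ID, quantity, item ID, quantity, …) starting at item 3, and that the party bootstrap hands control to it with hl already pointing at $D322, can be checked offline. The script below is an added example written for this archive, not code from the thread or from any of its posters. It encodes an item list into bytes and then steps them with a tiny interpreter for only the opcodes the lists on this page use. The item IDs, the bag layout (count byte at $D31D, then ID/quantity pairs, then $FF), and 8F's own ID are assumptions from the Gen 1 item and bag tables, not values stated in the thread.

```python
# Added example, not code from the thread. Item IDs, the bag layout and 8F's
# item ID are assumptions about Gen 1 RAM, not facts taken from the posts.

# Assumed item IDs (only what the lists on this page need); TMxx = $C9 + xx - 1.
ITEM_IDS = {
    "8F": 0x5D, "Poke Ball": 0x04, "Thunderstone": 0x21, "Revive": 0x35,
    "Soda Pop": 0x3D, "Lemonade": 0x3E,
}
BAG_START = 0xD31D   # assumed: item count, then (id, qty) pairs, then $FF
ITEM3_ID = 0xD322    # item 3's ID byte: where the bootstrap points hl and jumps


def item_id(name):
    if name.startswith("TM"):
        return 0xC9 + int(name[2:]) - 1
    return ITEM_IDS[name]


def encode(items):
    """(name, qty) pairs -> the bytes the bag holds for them (qty 0 is allowed)."""
    return bytes(b for name, qty in items for b in (item_id(name), qty & 0xFF))


def lay_out_bag(items):
    """RAM dict holding the whole bag: item 1 is 8F, item 2 a filler, payload after."""
    mem = {BAG_START: len(items)}
    data = encode(items)
    for i, b in enumerate(data):
        mem[BAG_START + 1 + i] = b
    mem[BAG_START + 1 + len(data)] = 0xFF      # end-of-list marker
    return mem


def run(mem, pc=ITEM3_ID, hl=ITEM3_ID):
    """Interpret from pc with hl preset as the bootstrap leaves it; returns (mem, trace)."""
    mem = dict(mem)
    rd = lambda addr: mem.get(addr, 0)
    a = b = 0
    trace = []
    while True:
        op = rd(pc)
        if op == 0x3E:                       # ld a,n
            a = rd(pc + 1); trace.append(f"ld a,${a:02X}"); pc += 2
        elif op == 0x3D:                     # dec a
            a = (a - 1) & 0xFF; trace.append("dec a"); pc += 1
        elif op == 0x04:                     # inc b
            b = (b + 1) & 0xFF; trace.append("inc b"); pc += 1
        elif op == 0x21:                     # ld hl,nn (little-endian operand)
            hl = rd(pc + 1) | rd(pc + 2) << 8; trace.append(f"ld hl,${hl:04X}"); pc += 3
        elif op == 0x77:                     # ld (hl),a
            mem[hl] = a; trace.append("ld (hl),a"); pc += 1
        elif op == 0xEA:                     # ld (nn),a
            addr = rd(pc + 1) | rd(pc + 2) << 8
            mem[addr] = a; trace.append(f"ld (${addr:04X}),a"); pc += 3
        elif op == 0x2B:                     # dec hl
            hl = (hl - 1) & 0xFFFF; trace.append("dec hl"); pc += 1
        elif op == 0x35:                     # dec (hl)
            mem[hl] = (rd(hl) - 1) & 0xFF; trace.append("dec (hl)"); pc += 1
        elif op == 0xC9:                     # ret: back to the game
            trace.append("ret"); return mem, trace
        else:
            raise ValueError(f"opcode ${op:02X} at ${pc:04X} is not modelled here")


def rebattle_mewtwo():
    """Couldntthinkofaname's list; $D85F and $D5C0 are seeded non-zero (constructed)."""
    items = [("8F", 1), ("Poke Ball", 1),            # items 1-2: 8F and any filler
             ("Lemonade", 1), ("Soda Pop", 4), ("Thunderstone", 95),
             ("TM16", 119), ("TM34", 192), ("TM13", 201)]
    mem = lay_out_bag(items)
    mem[0xD85F] = 0xFF; mem[0xD5C0] = 0xFF
    mem, trace = run(mem)
    return mem[0xD85F], mem[0xD5C0], trace


def zero_item_two():
    """Skeef's list: item 2 starts at quantity 1; its quantity byte is $D321."""
    items = [("8F", 1), ("Lemonade", 1),             # item 2 is the one to zero
             ("Poke Ball", 43), ("Revive", 201)]
    mem, trace = run(lay_out_bag(items))
    return mem[ITEM3_ID - 1], trace


if __name__ == "__main__":
    print(rebattle_mewtwo())
    print(zero_item_two())
```

The trace returned by `run` is the disassembly of the list as the game would execute it, so a mis-typed quantity shows up as a wrong mnemonic before anything is tried in a save. The interpreter raises on any opcode outside the set used here rather than guessing, which is the right behaviour for a checker of this kind.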

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: forsyz
Date: 2017-07-25 18:38:54
Want a ws m code to change the OT and trainer ID of a Pokémon so Pikachu will still exit its ball when I change the name and trainer ID.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-07-26 06:53:26
@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, mainly because of the 6-Pokémon setup.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: natanelho
Date: 2017-07-26 08:22:35

@natanelho http://forums.glitchcity.info/index.php?topic=6638.msg189503#msg189503S
Though I wouldn't trust the value of b, mainly because of the 6-Pokémon setup.

1. Thanks! Didn't see that for some reason. Question is: did any of the values change since then because of a changed bootstrap? (Yes, you already said about b; talking about the others)…
2. Lots of 8F code seems to just load some data into registers and shit happens. Like, how does the catch 'em all code work? It just loads some value into "wCurOpponent", which is the species of the opponent in a wild battle… there is no code to initiate the battle itself…. Lots of item lists are like this: just put the right data in the right spot without calling any function like I would expect… Can anybody explain that to me?
3. Where are the in-game functions to write text to the lil window on the screen? I wanna write some text without consequences easily and without having to clear it out, like when I just write tiles to the right place in RAM directly…
4. Is there a code to buy more than 99 items from shops? It would be more convenient than just making those items myself (duping and stuff).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-07-26 12:05:30
1. I don't know. What's consistent, however, is the value of hl, because what most bootstraps essentially do is
ld hl, $D322
jp [hl]

(Most is actually "all but the glitched 3-Pokémon setup")

2. That's because codes interface with the game's engine. The way wCurOpponent works in the overworld is: if on one frame in the overworld this value is non-zero, the game starts a battle with wCurOpponent as the opponent's ID. Thus, we write to that address, close the menu, and on the overworld frame that follows the menu's closing, the game starts the battle.

3. There are but OH BOY IT'S SHIT. This game's text engine is a NIGHTMARE. I'd have to look back a bit at it (I had researched it for my SRAM hack), because it's very not obvious what you have to do. Give me a moment. A long one.

4. There's none, because the game's programming doesn't allow going past 99 ($63) items. Using DMA hijacking it may actually be possible, but good luck on this one.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: natanelho
Date: 2017-07-27 06:45:04

1. I don't know. What's consistent, however, is the value of hl, because what most bootstraps essentially do is
ld hl, $D322
jp [hl]

(Most is actually "all but the glitched 3-Pokémon setup")

2. That's because codes interface with the game's engine. The way wCurOpponent works in the overworld is: if on one frame in the overworld this value is non-zero, the game starts a battle with wCurOpponent as the opponent's ID. Thus, we write to that address, close the menu, and on the overworld frame that follows the menu's closing, the game starts the battle.

3. There are but OH BOY IT'S s**t. This game's text engine is a NIGHTMARE. I'd have to look back a bit at it (I had researched it for my SRAM hack), because it's very not obvious what you have to do. Give me a moment. A long one.

4. There's none, because the game's programming doesn't allow going past 99 ($63) items. Using DMA hijacking it may actually be possible, but good luck on this one.

OK, thanks for the answers! About 2: so it basically uses the way the game was designed? OK, great. Is there a way to actually call a subroutine that starts a battle? Would be fun starting a battle in the middle of a battle… or stuff. IDK..
About 3: so is there an easier way to write text, and then clean it easily? By easily I mean not backing up the tile map and restoring afterwards…

About the 3-Pokémon bootstrap you mentioned: if it doesn't jp to D322, how does it work then? Or does it just use another rp?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-07-27 07:05:36
There is a way to start a battle directly, but it's pointless to try nesting battles since the nested battle will overwrite the data for the nesting battle. So you'll end up finishing the nested battle twice.
The 3-Pokémon setup does jump to $D322, but it does so by directly writing the jump instruction, therefore leaving hl pointing at the party count (D1-something, I don't remember, instead of D322).

Actually processing text shouldn't be too hard, you just have to call a proper offset, but figuring out what the hell to do was the hardest thing I ever did in this game.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Marv231
Date: 2017-08-10 04:49:31
I use this S7 setup on my German Blue version for Catch 'em all.
But instead of encountering a Mew, level 5, it adds 5 Calzium at the end of my inventory.

S7
Any item (I have an Ultra Ball there)
Repel x21 (index number for Mew)
Awakening x5
X Speed x69
Lemonade x201

I tried a few other setups that I found here, but they have the same effect or do nothing.
Is there a working setup for my game?