Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 45

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-08-10 07:57:00
Not sure what your code is supposed to be, but it doesn't seem to be what you think.

You can use the standard single-address value changing code to trigger the encounter of a Mew in the grass, but the level is variable.

Modified code for European games is:

Anything
8F
Lemonade x21
X Accuracy x221 (x220 if yellow)
Carbos x207
Poké Ball x119
Cool Water x201

Another solution is the fake Ditto Trick:

Anything
8F
ThunderStone x45
TM05 x4
Max Revive x21
Awakening x8
Max Ether x4
Repel x254 (253 if Yellow)
Poké Ball x25
Lemonade x1
Antidote x119
TM01 xany

Then you'll encounter Mew by going on Route 16 from Celadon and closing the START Menu. There's a way to modify it to change the level, I'll try to do that later.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Marv231
Date: 2017-08-10 11:18:08
Thanks. The Celadon-Route 16 code works fine.

I found another setup, where the level is the same as that of the last seen Pokémon.
In my case, the level of Arbok, which I took out of the PC to have my Bottrap complete.
By leveling Arbok, I can set the level of the Pokémon I'd like to have.

Any item x index number of the Pokémon you want
S7
TM 50 x 36
TM 11 x9
TM 34 x94
TM08  x201

After using S7 and closing the menu, the battle with the Pokémon starts.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-18 12:58:53
Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2017-08-18 13:21:09

> Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.

http://glitchcity.info/wiki/Pok%C3%A9mon_cloning_(Generation_I)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-18 16:53:41


> > Is there a quick cloning method known in red and blue? I found an easy way, but I wanted to know if it's common knowledge by now.
>
> http://glitchcity.info/wiki/Pok%C3%A9mon_cloning_(Generation_I)


I found an 8F setup that can be used for cloning. It's way safer than save corruption and also probably faster. Should I post it here?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-08-19 05:44:38
Totally.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-19 09:46:51
Easy (ish) cloning:
Prerequisite: box 1 is empty and the pokemon to clone is in another box. The pokemon to clone also cannot have any HMs.
You will also need the standard 5 pokemon 8F setup.

Inventory:
* any item x any
* 8F
* Lemonade x 19
* X accuracy x 128    (127 if using yellow, but then I don't know how wsm works.)
* Carbos x 218
* Poke ball x 119
* TM01 x any

Procedure:
* Change to box 1 and use 8F
* Move the pokemon to clone into box 1
* Release all the pokemon in box 1 by releasing from the top of the list repeatedly until the box is empty.
* Use 8F again. The box is now filled with unstable hybrids of your pokemon and 'M (FF)
* Withdraw as many as you want and use the daycare to stabilize the hybrids. They should all stabilize to be the originally deposited pokemon.

The last step is not necessary if you want to transfer the clones to sun/moon. Just transfer the box, toss 18 lemonade, use 8F, and withdraw the original pokemon.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: natanelho
Date: 2017-08-20 15:20:26

> Easy (ish) cloning:
> Prerequisite: box 1 is empty and the pokemon to clone is in another box. The pokemon to clone also cannot have any HMs.
> You will also need the standard 5 pokemon 8F setup.
>
> Inventory:
> * any item x any
> * 8F
> * Lemonade x 19
> * X accuracy x 128    (127 if using yellow, but then I don't know how wsm works.)
> * Carbos x 218
> * Poke ball x 119
> * TM01 x any
>
> Procedure:
> * Change to box 1 and use 8F
> * Move the pokemon to clone into box 1
> * Release all the pokemon in box 1 by releasing from the top of the list repeatedly until the box is empty.
> * Use 8F again. The box is now filled with unstable hybrids of your pokemon and 'M (FF)
> * Withdraw as many as you want and use the daycare to stabilize the hybrids. They should all stabilize to be the originally deposited pokemon.
>
> The last step is not necessary if you want to transfer the clones to sun/moon. Just transfer the box, toss 18 lemonade, use 8F, and withdraw the original pokemon.

Can you please write the asm code? I really don't understand why people don't do it… that's very easy to do, pretty useful for the ones who want to know what exactly it does and it doesn't do any harm to anyone…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2017-08-20 16:44:24

> Can you please write the asm code? I really don't understand why people don't do it… that's very easy to do, pretty useful for the ones who want to know what exactly it does and it doesn't do any harm to anyone…

He… did.
The items script is LITERALLY GBz80ASM.
It's a simple conversion with ISSOtm's converter, which can be found in the "Useful Tools" section of the sidebar, or here.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-20 16:47:35

> Can you please write the asm code? I really don't understand why people don't do it… that's very easy to do, pretty useful for the ones who want to know what exactly it does and it doesn't do any harm to anyone…


Lemonade x 19       ld a,$13   ; box capacity is $14 so use that - 1 to bring box to near full
X accuracy x 128    ld l,$80   ; low byte of box size address
Carbos x 218        ld h,$DA   ; high byte of box size address
Poke ball x 119     inc b      ; not important
                    ld (hl),a  ; make box 1 currently have 19 pokemon
TM01 x any          ret

This setup is explained in an earlier post and is called the pseudo-gameshark.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-24 12:52:14
Is there a simple memory hex editor script for English Blue yet? I saw a version of one on a Japanese game which worked by reading from a toss item menu. Also, I want to use it to edit box pokemon data, so it can't be stored there.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2017-08-24 18:34:24
IIRC there is, but it's long and requires too many glitch items. Not particularly worth it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-08-25 04:44:57
There's the old memory writer setup. It's a bit long, but it works.
Look for TheZZAZZGlitch's "Jailbreaking the Gameboy" video, and edit the setup a bit to repoint the written data.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-08-25 09:41:21

> There's the old memory writer setup. It's a bit long, but it works.
> Look for TheZZAZZGlitch's "Jailbreaking the Gameboy" video, and edit the setup a bit to repoint the written data.


Alternatively as well there is the reusable RAM writer which you can then use to set up offgao's memory editor and similar. :)

It works in a simple way and uses 11 items (not that hard to get), and when you write a value to the address you want, the quantities reset back to 0 (256), which can be tossed from without any issues to get any value to write or RAM address to write to.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-08-25 10:14:30
I didn't see that post so I rewrote the RAM writer in the meantime, but with a slightly different setup.

Lemonade x ??
Carbos x ??
X Accuracy x ??
Poké Ball x 119
Thunderstone x 35
TM10 x 36
Escape Rope x 175
Great Ball x 119
HP Up x 35
Elixer x 119
Antidote x 44
Super Potion x 44
Ice Heal x 119
TM01 x 1

It would be helpful if there was a way to switch between using it like this and using it as a sequential editor. As if the X accuracy is incremented each use, and incrementing carbos when it reaches 0.