Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 47

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-27 12:09:33
Hello guys,

I just started with 8F and ACE today on a German Pokemon Blue game, let me shortly explain what I would like to know:

I am planning to use 8F to generate legit Pokémon on the Blue to trade over to my Gold, mostly Pokémon that are Version exclusive to Pokémon Silver. The thing is that I bought Gold VC on my 3DS and nobody near me owns Silver, and having to buy another game for only about 4 Pokémon is nonsense in my opinion. However, my brother already owns a Blue VC on his 3DS, (but does not really care for Gen2), so trading between both games is no problem.

I already managed to get myself an 8F item and also generated an Index 52 MissingNo. (Ho-Oh) on Blue.

In some post in this topic I read that it would be possible to change the Pokémon's types with the help of 8F, which is necessary to get the Time Capsule working right. The Gold Version identifies MissingNo. as Ho-Oh, but since its typing is 99/Normal, it gets rejected. I found someone in another forum who wrote that he was able to transfer his Ho-Oh after modifying the types.

I'll link the reply down here, so hopefully my problem can be solved with your help. As the author states, I need a certain amount of lemonades, corresponding to the types the Pokémon should get, but how do I know how many lemonades are equivalent to which type?

The Pokémon I want to generate are most importantly Phanpy (Ground, MissingNo. Index 122), Skarmory (Steel/Flying, MissingNo. Index 94), Ledyba (Bug/Flying, Index 204) and Delibird (Ice/Flying, Index 86).

I don't know if it is relevant or not, since I am using the German version: if I wanted to change the OT of Mew to GF, I read that it would be recommended to use Graveler over Onix in the party, so my question is whether any adaptations have to be made to make any other code work on a German version. The shiny code especially is of further interest to me; having a shiny Ho-Oh would be very very nice.

I hope someone can aid me in the process of generating these Pokémon via 8F and successfully trading them over to my Gold Version :)



Hey, first post!
Using the Wack0's simple Gameshark script to do a couple things, and I'm curious as to what you are supposed to do when the code requires you to enter a 00.

For example, I have a code that modifies the typing of the current box slot one Pokémon. It should look like this:

any item
8f
Lemonade * number corresponding to type
X-accuracy * 155 for primary type and 156 for secondary type
Carbos * 218
Pokeball * 119
Fresh Water * 201

This code works perfectly, and I have used it to replace Aerodactyl's Flying typing with Ghost as a proof of concept. The only problem is that when I want to make something a Normal type I would have to have 0 lemonades, because 00 is the hex that corresponds with Normal. I have tried it just without any lemonades and it freezes the game, as expected. Is it possible to make the game read as having 0 lemonades by somehow rolling it over to 256, or anything like that? Thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-09-27 12:51:00
Here is the hex ID of every type.

00 : Normal
01 : Fighting
02 : Flying
03 : Poison
04 : Ground
05 : Rock
07 : Bug
08 : Ghost
14 : Fire
15 : Water
16 : Grass
17 : Electric
18 : Psychic
19 : Ice
1A : Dragon

As you can guess, you must convert it into decimal for use as the quantity of an item in an 8F code, and you can use the full list to help you. Also, since you're not playing an English game, you should also convert your code for it to work in the German game. It's better to explain rather than give the answer, so here's what you have to do.

- Go there: http://datacrystal.romhacking.net/wiki/Pokemon_Red:RAM_map and note the address you want to change. Let's say that it would be D170 and D171, the types of your current first Pokémon. Note that an address can be represented as an XXYY couple.
- Because you play a European non-English game, add 5 to those. You get D175 and D176.
- Determine the value you want for these. Let's say you want your Pokémon to be Flying type, so the value is 02.
- Use the following items in an 8F code:
Anything
8F
Lemonade *(decimal conversion of the value, in this case of the type's hex - Flying would be 2, but Fire would then be 20)
X-accuracy *(decimal conversion of YY, in this case 117 for the first type and 118 for the second)
Carbos *(decimal conversion of XX, in this case 209)
Pokeball * 119
Fresh Water * 201

That should do the job. Now if you want the exact equivalent of the code you quote, which modifies the first Pokémon in your PC, then you could apply this to find it!  ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-27 16:36:15
Thank you, that was really helpful. I'll look deeper into that tomorrow. Did I understand it right that I have to have certain Pokémon in my party or do I just need to have these items in my bag?

Edit: since all of the Pokémon I would want to have have two types except for Phanpy being a Ground-only Pokémon, what do I do to remove a second type?

By scrolling through the list you linked, I came across the Move section to modify attacks. How does this work, especially for Gen2 Moves, like Sacred Fire for Ho-Oh or Extreme Speed/Curse Dratini? Is there a list of move Indexes or something like that?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-09-27 20:45:06

Thank you, that was really helpful. I'll look deeper into that tomorrow. Did I understand it right that I have to have certain Pokémon in my party or do I just need to have these items in my bag?

Edit: since all of the Pokémon I would want to have have two types except for Phanpy being a Ground-only Pokémon, what do I do to remove a second type?

By scrolling through the list you linked, I came across the Move section to modify attacks. How does this work, especially for Gen2 Moves, like Sacred Fire for Ho-Oh or Extreme Speed/Curse Dratini? Is there a list of move Indexes or something like that?


The Big HEX List provides a translation from hex to certain moves, shown here: https://glitchcity.info/wiki/The_Big_HEX_List. Gen-2 specific moves can be put on Pokémon prior to trade (tested this with a Hidden Power Alakazam from Blue). For single types, the game stores a copy of the type in the second slot, so a Ground type looks like Ground/Ground in terms of bytes. If you want 0 of an item, just point your memory loader into the quantity of lemonades, then insert an Escape Rope x 175 right after the Carbos.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-09-27 20:47:59
Two more things to note: the bootstrap for 8F is written in party Pokémon, so your party has to be one of the few that actually work. Also, some Gen 2 moves correspond to superglitch moves, so do not view the moves of Pokémon you give Gen 2 moves to.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-09-28 04:34:22
As said, there is no such thing as "having only one type". In fact, you have the same type for both, that's it! So you have to use the same quantity of lemonade with both codes.

Please make sure to use a European non-English bootstrap code in your party. An example would be:
Pidgey with 233 HPs currently (not necessarily max)
Parasect
Graveler
Tentacool
Kangaskhan
no Pokémon

With the information provided by DoubleNegative, you should also be able to write item codes to change a Pokémon's attacks, in order to put the 1G glitch equivalent of the 2G legit move on it before trading. His warning about Super Glitch moves is very important, because if you look at a Super Glitch move (hex:A6 to hex:C3, either through a battle or the summary of the Pokémon) without taking some precautions, it will cause a global corruption of your game.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-28 05:00:02
Okay, I think I got it now, mostly. I found this for making Pokémon shiny by modifying their IVs, using this 8F item list:

any item (any #),
8F,
Lemonade x170,
X Acc x178/177,
Carbos x218,
Pokeball x119,
Fresh Water x201

Carbos and X Acc are referring to XXYY, which would be DA and B1/2. Do I simply add +5 to that, so it would be DA and B6/7? Which would mean I would have to have 182 and 183 X Accs respectively?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-09-28 05:13:22
To make a Pokémon have a Normal type, you can have 1 Lemonade, and, either you replace the Poké Balls with a Soda Pop, or you add a "Soda Pop x3" stack between the Lemonades and the Poké Balls (anywhere is fine, just in-between both), or you add a "Great Ball x61" stack with the same position requirement as the Soda Pop x3 stack.

(Lemonade x1 sets a to 1, and 61 items/Soda Pop decrements it. Thus, 0 !)
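
Added example, not part of any post in this thread: it builds the item stacks from Krys3000's recipe (address XXYY, +5 for European non-English games) with ISSOtm's Soda Pop x3 variant for a zero value, then runs them as (item ID, quantity) byte pairs to show which byte gets written. The function names are made up for illustration, and the item IDs and opcode meanings come from the Gen 1 item index list and the Game Boy CPU opcode table rather than from the thread.

```python
# Added example. Item IDs and opcode meanings are assumptions taken from the
# Gen 1 item index list and the Game Boy CPU opcode table, not from the thread.
ITEM_ID = {"Great Ball": 0x03, "Poke Ball": 0x04, "Carbos": 0x26,
           "X Accuracy": 0x2E, "Fresh Water": 0x3C, "Soda Pop": 0x3D,
           "Lemonade": 0x3E}
LOADS = {0x3E: "a", 0x2E: "l", 0x26: "h"}   # ld a / ld l / ld h, immediate
EU_NON_ENGLISH_SHIFT = 5                    # address shift given in the thread


def build_stacks(address, value, eu_non_english=False):
    """Item stacks to place after 8F so that `value` is written to `address`."""
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    if eu_non_english:
        address += EU_NON_ENGLISH_SHIFT
    xx, yy = address >> 8, address & 0xFF
    if value == 0:
        # A stack cannot hold 0 items: load 1, then decrement (Soda Pop x3).
        head = [("Lemonade", 1), ("Soda Pop", 3)]
    else:
        head = [("Lemonade", value)]
    return head + [("X Accuracy", yy), ("Carbos", xx),
                   ("Poke Ball", 119), ("Fresh Water", 201)]


def run(stacks):
    """Execute the stacks as (id, quantity) byte pairs; return {address: byte}."""
    code = bytes(b for name, qty in stacks for b in (ITEM_ID[name], qty))
    reg = {"a": 0, "h": 0, "l": 0}
    writes, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if op in LOADS:                      # quantity byte is the operand
            reg[LOADS[op]] = code[pc]
            pc += 1
        elif op == 0x3C:                     # inc a
            reg["a"] = (reg["a"] + 1) & 0xFF
        elif op == 0x3D:                     # dec a
            reg["a"] = (reg["a"] - 1) & 0xFF
        elif op in (0x03, 0x04):             # inc bc / inc b: a, h, l untouched
            pass
        elif op == 0x77:                     # ld (hl), a
            writes[(reg["h"] << 8) | reg["l"]] = reg["a"]
        elif op == 0xC9:                     # ret
            return writes
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {pc - 1}")
    raise ValueError("ran off the end of the item list without ret")
```

`run()` only knows the opcodes these recipes use, so a quantity typed into the wrong stack raises instead of silently producing a different write.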

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-09-28 08:26:03

Okay, I think I got it now, mostly. I found this for making Pokémon shiny by modifying their IVs, using this 8F item list:

any item (any #),
8F,
Lemonade x170,
X Acc x178/177,
Carbos x218,
Pokeball x119,
Fresh Water x201

Carbos and X Acc are referring to XXYY, which would be DA and B1/2. Do I simply add +5 to that, so it would be DA and B6/7? Which would mean I would have to have 182 and 183 X Accs respectively?


Yes, that would be the way to translate your code to a non-English European game :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-28 13:26:13
One last thing before I get started with everything:

Would the code for the attacks be:

Any item
8F
Lemonades * 221 (Sacred Fire e.g.)
X Acc * 128 (75 +5 for Move 3)
Carbos * 209 (D1)
Pokéball * 119
Fresh Water * 201


And while checking the different values for the typings, I noticed that due to the fact that the Steel Type of Skarmory did not exist in Gen1, there is no value. What do I do with this special case?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DoubleNegative
Date: 2017-09-28 16:43:12
I think it should be 122, not 128. Correct me if I'm wrong, I'm not used to non-English versions. I think you could replace the Steel type with the Gen 1 corresponding glitch type. Also, you're lucky you can actually view the name of Sacred Fire without superglitch effects. Moves with an index between Sketch and Perish Song are the superglitch moves.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-28 17:16:39
It seems I got a little bit confused, I used the wrong code. I don't want Pidgey to learn a certain move but the Pokémon stored in Slot 1. So it would be DAA0 for Move 3 in English and DAA5 in non-English games, resulting in 218x Carbos and 165 X-Accs. I'll definitely give it a try tomorrow and let you know if it worked or not :-)


Edit: Which type corresponds to the Steel type in Gen 1? I didn't find anything in the lists linked above that made any sense to me.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-09-29 04:54:38
These are the hex IDs of types in 2G games.

01-Fighting   
02-Flying   
03-Poison   
04-Ground   
05-Rock   
06-Bird (why the heck is this thing still available?)
07-Bug   
08-Ghost   
09-Steel   
0A-Normal   
14-Fire   
15-Water   
16-Grass   
17-Electric   
18-Psychic   
19-Ice   
1A-Dragon   
1B-Dark 

So an educated guess would be that putting 09 as a type in a 1G game (which would be a glitched type appearing as NORMAL) and trading that Pokémon to 2G would make him Steel.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-29 13:57:35
Hmm, for some reason it did not work… I set everything up properly:
Pidgey Level 94 with 233 HP (Max)
Parasect
Graveler
Tentacool
Kangaskhan,

MissingNo. (52) in the first slot of my current box,

TM01
8F
Lemonade *20 for Fire
X Acc * 117
Carbos * 209
Pokéball *199
Fresh Water * 201

I used 8F in my bag and nothing happened. When I checked MissingNo.'s status in the box, it was still shown as a 99/Normal Pokémon… any ideas?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2017-09-29 14:02:17
The displayed name doesn't change, but you can test if it worked by battling with the Pokémon.