Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 48

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-09-29 14:06:26
Yeah. I haven't checked your code, though altering the stored type byte doesn't change the types shown on the summary screen, and only changes the type effectiveness/type the game thinks the Pokémon is in Generation II (which is possibly not shown on the Generation II game either). For that reason it's possible the code still worked.

If not, however, make sure your Pidgey also has 233 current HP (rather than max HP, though 233 current and max HP still works) if it doesn't.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-29 15:05:15
Ok, I tried it again and at least the Shiny code worked and the move TM21 is in the 3rd slot, which would be Sacred Fire.
For whatever reason the Missingno. is now displayed in the Time Capsule as Rhydon, being Shiny and having Sacred Fire as its 3rd move :D


Edit: What confuses me the most is that in the one list linked in a post above Ho-Oh is listed as the Pokémon with the code FA (250, which would be equal to Ho-Oh's Dex number), but on Bulbapedia's index list Ho-Oh is listed as Missingno. 52 ( https://bulbapedia.bulbagarden.net/wiki/List_of_Pokémon_by_index_number_(Generation_I) )
After catching a Missingno. 52 with the Ditto glitch, a Ho-Oh was shown in the Time Capsule. Which value is now the correct one?

Edit 2: The Missingno. I caught was on Level 7 originally, and this Rhydon is now on Level 8, and I don't know what I could have done to cause that :D

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Flandre Scarlet
Date: 2017-09-29 16:04:00
Most likely your first Missingno. morphed into a Rhydon, which is a common glitch; see https://bulbapedia.bulbagarden.net/wiki/Rhydon_glitch for more info.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-09-29 16:21:06
Yup, that was the case. I put it into the daycare and got it back, and it was a Missingno. afterwards. By entering the Time Capsule, it was shown as a shiny Ho-Oh with Sacred Fire in slot 3, with Fire/Flying type. As I tried to trade there was still the message that there seems to be something wrong with that Pokémon…

Edit: I re-read the topic in the forum where I first read about all this; the author of that thread stated that he was able to trade his generated Ho-Oh to his Silver but not his Lugia. Could this be a thing perhaps, as I am trying it with a Ho-Oh to a Gold version?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-10-06 09:54:22
I haven't seen this documented elsewhere, so I'm just gonna leave this here…

Button values (bit mask of the joypad state):
A      == $01
B      == $02
SELECT == $04
START  == $08
Right  == $10
Left   == $20
Up     == $40
Down   == $80


The joypad subroutine is at $3FFA. Call it to add joypad functionality to your code.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Skeef
Date: 2017-10-09 11:25:12

Yup, that was the case. I put it into the daycare and got it back, and it was a Missingno. afterwards. By entering the Time Capsule, it was shown as a shiny Ho-Oh with Sacred Fire in slot 3, with Fire/Flying type. As I tried to trade there was still the message that there seems to be something wrong with that Pokémon…

Edit: I re-read the topic in the forum where I first read about all this; the author of that thread stated that he was able to trade his generated Ho-Oh to his Silver but not his Lugia. Could this be a thing perhaps, as I am trying it with a Ho-Oh to a Gold version?



Hmm, for some reason it did not work… I set everything up properly:
Pidgey Level 94 with 233 HP (Max)
Parasect
Graveler
Tentacool
Kangaskhan

Missingno. (52) in the first slot of my current Box,

TM01
8F
Lemonade x20 for Fire
X Acc x117
Carbos x209
Pokéball x199
Fresh Water x201

I used 8F in my Bag and nothing happened. When I checked Missingno's status in the box, it was still shown as a 99/Normal Pokémon… any ideas?


Did you manage to get to the bottom of this? I noticed that the code you used for changing the types points to the first Pokémon in your party. That may be the reason the time capsule rejects the missingno. Don't be fooled about what the status screen says on gen 2 either. Missingno with the wrong types will still show as fire/flying on the gen 2 trade screen.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: jfb1337
Date: 2017-10-10 09:56:43
I made a simple checksum system to verify that large amounts of data have been entered correctly on hardware:

I'm currently using (a version of) it to enter MrCheeze's virus, but it could be used to verify other things such as offago's memory editor:

Awakening x??     ; ld c, ??    length of bytes you want to verify
X Accuracy x??    ; ld l, ??    low byte of address to verify from
Carbos x??        ; ld h, ??    high byte (Carbos = $26 = ld h,n; Calcium = $27 = daa)
Lemonade x1       ; ld a, 1
Poke Ball x174    ; inc b / xor a,(hl)   (the quantity byte is .loop)
HP Up x13         ; inc hl / dec c
Fire Stone x251   ; jr nz, .loop
X Accuracy x33    ; ld l, $21
Carbos x217       ; ld h, $D9
Poke Ball x119    ; inc b / ld (hl), a
X Accuracy x45    ; ld l, $2D
Poke Ball x126    ; inc b / ld a,(hl)
TM38 x40          ; xor a, $28
Poke Ball x119    ; inc b / ld (hl), a
TM01 x any        ; ret

ld c, ??        ; byte count
ld l, ??        ; low byte of start address
ld h, ??        ; high byte of start address
ld a, 1         ; running checksum starts at 1
inc b           ; filler (Poke Ball) so the next byte is not a glitch item
.loop
xor a,(hl)      ; this opcode byte is toggled between $AE (xor) and $86 (add)
inc hl
dec c
jr nz, .loop
ld l, $21
ld h, $D9       ; hl now points to 1st item quantity
inc b
ld (hl), a      ; store the checksum as that quantity
ld l, $2D       ; hl now points to .loop (7th item quantity)
inc b
ld a,(hl)
xor a,$28       ; change xor a,(hl) into add a,(hl) and vice-versa
inc b
ld (hl),a
ret

This runs in 2 modes, "add mode" and "xor mode", changing between them on each run, to make it more foolproof, as it would catch errors that may "cancel each other out" under one mode alone. The result of the checksum is written to the quantity of the first item, which can be compared against what you see in an emulator running the same code.

This has NOT been tested. However, the following code, which it is based on, has been. It is designed to run through the offago memory editor, from DA00 (where it starts by default). The only differences between the two versions are different addresses, and filler code inserted to avoid glitch items.

ld c, ??        ; byte count
ld hl, ????     ; start address
ld a, 1
.loop
xor (hl)        ; toggled between $AE (xor) and $86 (add) on each run
inc hl
dec c
jr nz, .loop    ; loop while c != 0 (assembles to 20 FB, as in the bytes below)
ld hl, $D9FF    ; or wherever we want to put the output
ld (hl), a
ld hl, .loop    ; DA07
ld a, (hl)
xor $28         ; change add a,(hl) to xor a,(hl) and vice-versa
ld (hl), a
jp $DA80        ; where the memory editor is stored

; compiled (with c = 0 and hl = $C800 filled in; the third instruction appears here as 3E 00, i.e. ld a, 0):
; 0E002100C83E00AE230D20FB21FFD9772107DA7EEE2877C380DA
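An added example, not jfb1337's or the thread's code: a Python model of the routine above, showing why the add/xor toggle catches entry errors that one mode alone misses. It assumes the item IDs the listing implies (each item's Gen I ID is the opcode it stands in for, e.g. Awakening = $0E = ld c,n) and uses the compiled bytes of the memory-editor version as a constructed sample region.

```python
# Added example (not jfb1337's code): a model of the two-mode checksum above.
# Bag items are the program bytes: each item's Gen I ID is the opcode the listing
# pairs it with (assumption drawn from that listing), the quantity is the operand.
ITEM_ID = {"Awakening": 0x0E, "X Accuracy": 0x2E, "Carbos": 0x26, "Lemonade": 0x3E,
           "Poke Ball": 0x04, "HP Up": 0x23, "Fire Stone": 0x20, "TM38": 0xEE,
           "TM01": 0xC9}
XOR_HL, ADD_HL = 0xAE, 0x86   # 'xor a,(hl)' and 'add a,(hl)' differ only in bit mask $28

def assemble(items):
    """Encode an (item, quantity) list as the bytes 8F will execute."""
    return b"".join(bytes([ITEM_ID[name], qty & 0xFF]) for name, qty in items)

def run_checksum(data, opcode):
    """One pass of .loop: a starts at 1, c counts len(data) down, 8-bit arithmetic.
    dec c / jr nz with c = 0 would run 256 times, so lengths are limited to 1..255."""
    if not 1 <= len(data) <= 255:
        raise ValueError("length must fit in register c (1..255)")
    a = 1
    for b in data:
        a = a ^ b if opcode == XOR_HL else (a + b) & 0xFF
    return a

def mode_results(expected, entered):
    """Two consecutive uses: the routine flips its own opcode (xor $28 on the 7th
    item quantity) after each run, so the entered region is checked in both modes.
    Returns {"xor": matched, "add": matched} against the emulator's (expected) copy."""
    opcode, out = XOR_HL, {}
    for _ in range(2):
        name = "xor" if opcode == XOR_HL else "add"
        out[name] = run_checksum(entered, opcode) == run_checksum(expected, opcode)
        opcode ^= 0x28                       # the self-modifying step: AE <-> 86
    return out

# Constructed sample: the 26 compiled bytes of the memory-editor version stand in
# for the region the emulator holds; two mis-entered copies follow.
GOOD = bytes.fromhex("0E002100C83E00AE230D20FB21FFD9772107DA7EEE2877C380DA")
xor_blind = bytearray(GOOD); xor_blind[0] |= 0x10; xor_blind[2] |= 0x10
XOR_BLIND = bytes(xor_blind)   # same bit gained twice: XOR cancels, ADD is off by $20
add_blind = bytearray(GOOD); add_blind[8] += 1; add_blind[9] -= 1
ADD_BLIND = bytes(add_blind)   # +1 and -1: ADD cancels, XOR changes by $23^$24^$0D^$0C = $06

if __name__ == "__main__":
    for label, entered in (("correct", GOOD), ("xor-blind", XOR_BLIND), ("add-blind", ADD_BLIND)):
        print(label, mode_results(GOOD, entered))
```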


Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Misdreavus
Date: 2017-10-24 09:02:56
Is there a code to change the stat experience of one of my Pokémon's stats to a number of my choice (not max)?

Also, how exactly do I use this to change my Trainer ID and name to something custom?  In particular, I want to change my name to TRAINER and change my ID to 05375 and 36437 and so I can re-nickname some Pokémon from in-game trades.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: spamviech
Date: 2017-10-24 10:14:18
From the initial post:
CHANGE THE PLAYER'S NAME

With this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                x181
TM10                x64
TM34                x88
TM09                x46
Calcium              x52
X Accuracy          x35
Full Heal            x201


To change your ID you don't even need ACE since it's directly accessible in underflow. It's the 9th item count and 10th item type in underflow.
If you start counting from your first item it should be entry 30 (count) and 31 (type).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-10-24 10:16:54

Is there a code to change the stat experience of one of my Pokémon's stats to a number of my choice (not max)?

Also, how exactly do I use this to change my Trainer ID and name to something custom?  In particular, I want to change my name to TRAINER and change my ID to 05375 and 36437 and so I can re-nickname some Pokémon from in-game trades.


Which stat experience would you like to change?

Here's one for HP EV:

Lemonade  x??
Thunderstone x124
TM 09      x34
Poke Ball  x119
TM 01    xAny

Replace ?? with the desired value.

Replace Thunderstone x124 with Thunderstone x126 for attack EV.

Thunderstone x128 for Defense EV

Thunderstone x130 for Speed EV

Thunderstone x132 for Special EV

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Misdreavus
Date: 2017-10-26 02:48:56

From the initial post:
CHANGE THE PLAYER'S NAME

With this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                x181
TM10                x64
TM34                x88
TM09                x46
Calcium              x52
X Accuracy          x35
Full Heal            x201


To change your ID you don't even need ACE since it's directly accessible in underflow. It's the 9th item count and 10th item type in underflow.
If you start counting from your first item it should be entry 30 (count) and 31 (type).
Thanks. So if I want to temporarily set my name to TRAINER, I'd use 8F with this item setup 8 times, and when I want my name to revert to normal, I'd simply toss 8 quantities each of TM50 and TM34?



Is there a code to change the stat experience of one of my Pokémon's stats to a number of my choice (not max)?

Also, how exactly do I use this to change my Trainer ID and name to something custom?  In particular, I want to change my name to TRAINER and change my ID to 05375 and 36437 and so I can re-nickname some Pokémon from in-game trades.


Which stat experience would you like to change?

Here's one for HP EV:

Lemonade  x??
Thunderstone x124
TM 09      x34
Poke Ball  x119
TM 01    xAny

Replace ?? with the desired value.

Replace Thunderstone x124 with Thunderstone x126 for attack EV.

Thunderstone x128 for Defense EV

Thunderstone x130 for Speed EV

Thunderstone x132 for Special EV
Thanks.  Pardon my ignorance, but is there some type of conversion between the actual decimal EV number I want (say 40000) and the number of Lemonades?  I'm guessing I don't actually need 40000 Lemonades. (or if that's even possible).

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: spamviech
Date: 2017-10-26 05:19:09


From the initial post:
CHANGE THE PLAYER'S NAME

With this setup, you can change your name to the nickname of your first Pokemon. Using 8F will copy one letter from your first Pokemon's nickname to your player name. Use 8F (length of the name+1) times to copy all the name characters.
Warning: This code is self modifying, it will increase quantities of items #3 and #5 every use - remember to set those quantities back to 181 and 88 if you want to reset this. Also use carefully, as there's no memory protection implemented and you may cause save corruption if you're not careful.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=918s

ITEM LIST (starting from the first slot):
* Any item
* 8F
TM50                x181
TM10                x64
TM34                x88
TM09                x46
Calcium              x52
X Accuracy          x35
Full Heal            x201


To change your ID you don't even need ACE since it's directly accessible in underflow. It's the 9th item count and 10th item type in underflow.
If you start counting from your first item it should be entry 30 (count) and 31 (type).
Thanks. So if I want to temporarily set my name to TRAINER, I'd use 8F with this item setup 8 times, and when I want my name to revert to normal, I'd simply toss 8 quantities each of TM50 and TM34?


Seems right.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-10-26 07:37:52

Thanks.  Pardon my ignorance, but is there some type of conversion between the actual decimal EV number I want (say 40000) and the number of Lemonades?  I'm guessing I don't actually need 40000 Lemonades. (or if that's even possible).


Actually, I sent you the wrong code by mistake. Sorry, here's the new code:

Hp EV:
Lemonade  x??
Thunderstone x124
TM 09    x34
Awakening  x??
Poke Ball    x121
Burn Heal    x119
TM 01      xAny

(My original code only allowed for both bytes to be changed to the same value)

To do the conversions, first convert the desired value into hex. For 40000, that would be $9C40. Then take the high byte ($9C), convert it to decimal (156), and have that value be the Lemonade quantity. Do the same with the low byte, and put the result into the Awakening quantity.

So HP EV 40000 would be:
Lemonade    x156
Thunderstone    x124
TM 09      x34
Awakening    x64
Poke Ball    x121
Burn Heal    x119
TM 01        xAny

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Misdreavus
Date: 2017-10-29 05:33:27
A few beginner's questions:

1. Do the items listed in the codes here need to be the only items in my pack, or can I have more items after them?  If 8F is not specifically listed as an item in the code, where do I position it in my pack?

2. In order to use the codes, I set up my party as listed in the "Bootstrapping" section, set up my item pack as listed in the particular code, use 8F once, and then I'm finished (unless otherwise specified)?

3. Is this (http://forums.glitchcity.info/index.php?topic=6638.msg199859;topicseen#msg199859) the best code for max DVs and stat experience in the English versions?  Am I correct in understanding that I use 8F, toss an X Accuracy, and repeat until my X Accuracy count is 167?

4. How easy is it to corrupt my save file using 8F and these codes?  The first post says that the "change your name" code can do that if not careful; when using it, what should I make sure that I do or avoid doing in order to keep my save intact?

Thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-10-29 06:51:29
1. You can have any items in your bag; all that matters is that items 3 onwards are the items specified (some setups require specific items in slots 1 and/or 2 as well, but that's always specified then).
Thus, you can have items after the code items.
Furthermore, 8F can be anywhere. For convenience reasons, people usually put 8F in the first slot, and something handy in the second one (such as Master Balls :p).
When 8F is not indicated in the list, though, this usually means that the list starts from item 3 (i.e. you should have two item slots filled before putting the items in the list).

2. Yes. All that matters is that the requirements are met the instant you select "USE" on 8F. Once done, you can store, release, catch Pokémon, toss items, whatever you want.

3. It's the simplest that can be done, I'd say, so yes it's the best. And yes, you are correct.

4. Corrupting your save file is definitely possible, though quite unlikely. Well, actually it depends.
I'll begin with a method to make it almost impossible to corrupt your save: 1. View a Pokémon's STATS screen. 2. Do NOT save. 3. Use 8F. 4. You can save now (which I'd recommend doing anyway to overwrite any data that could be corrupted, EXCEPT if your name was corrupted).
Then, if you screw up very badly, I'd say you have less than a 1/1024 chance to corrupt your save file. And only if you screw up very badly, which is impossible with most setups, and quite unlikely with the rest.
tl;dr: Yeah, you can screw up. It's quite a low chance, BUT:
- You make it higher by saving before using 8F
- You make it WAY lower by viewing a Pokémon's stats before using 8F
(The last one that occurred overrides the effect of the previous one)


Explanation :
Save data is stored in a memory location known as SRAM (Save RAM). SRAM can be "locked" or "unlocked". If it's locked, notably, you cannot write to it. Unlocking is done by writing one of 16 values (out of 256 possible ones) in a region of memory that spans 1/256 of the total address space. So in theory you'd have a 1/4096 chance to unlock SRAM (more on that below if you're interested).
Then, even if you unlock SRAM, things still aren't done yet; SRAM has banks (for different technical reasons), 4 banks in RBY. Bank 0 is used for Hall of Fame data and sprite decompression. Bank 1 stores your "main" save. Banks 2 and 3 contain the inactive Pokémon boxes. Corrupting banks 1, 2 or 3 will corrupt your save.
Pokémon sprites are stored compressed to fit in the cartridge's ROM. However, they need to be decompressed before being displayed, which is a memory-intensive process. Due to the lack of memory in the Game Boy, the developers chose to use SRAM (it's still RAM before being Save RAM :p) to do that.
Saving the game will prompt it to switch SRAM banks to bank 1, meaning that if SRAM is unlocked, your save data will be directly exposed. Bad thing.
Viewing a Pokémon's stats makes the game decompress a sprite, thus switching to SRAM bank 0. This is an extra layer of "protection": to corrupt save data, you'd have to first unlock SRAM AND switch to bank 1, 2 or 3.

That's the theory. However, some crap emulators (I'm looking at you, VBA and VC) don't emulate SRAM locking, and it appears that you can corrupt save data much more easily on these pieces of sh*t.


About unlocking SRAM -> That 1/4096 chance to unlock SRAM would be if you had a random pointer and a random value, and hit an instruction that accidentally caused a write to that pointer. However, randomness isn't a viable option to model this. Actually, there are a few more options than just writing that value, such as "incrementing" a value ending in $X9. I don't really feel like calculating the actual odds, so I'd say that the actual probability can be reasonably considered to be less than 1/1024. And, as I said, that would be if you screwed up huge time.
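An added example, not ISSOtm's or the game's code: a toy model of the two gates the explanation above describes (an SRAM enable latch and a bank register), used to replay the "save, then 8F" and "view stats, then 8F" orderings. It assumes MBC1/MBC3-style registers (enable writes at $0000-$1FFF, unlocking only when the value's low nibble is $A; bank writes at $4000-$5FFF) and the bank roles the post gives (bank 0 scratch, banks 1-3 save); the stray-write lists are constructed.

```python
# Added example, not ISSOtm's or the game's code: a toy model of the two gates
# described above. Assumed register layout (MBC1/MBC3 style): writes to
# $0000-$1FFF with a low nibble of $A unlock SRAM, anything else locks it; writes
# to $4000-$5FFF select the SRAM bank; bank 0 is sprite scratch, banks 1-3 save.
SRAM_BANK_SIZE = 0x2000
SAVE_BANKS = {1, 2, 3}

class Cart:
    """Cartridge-side view of CPU writes; ROM/WRAM/IO writes are ignored here."""
    def __init__(self):
        self.enabled = False
        self.bank = 0
        self.sram = {b: bytearray(SRAM_BANK_SIZE) for b in range(4)}

    def write(self, addr, value):
        """Apply one write; return True only if it landed in SRAM."""
        value &= 0xFF
        if addr < 0x2000:                            # RAM enable register
            self.enabled = (value & 0x0F) == 0x0A
        elif 0x4000 <= addr < 0x6000:                # RAM bank register
            self.bank = value & 0x03
        elif 0xA000 <= addr < 0xC000 and self.enabled:
            self.sram[self.bank][addr - 0xA000] = value
            return True
        return False

def game_saves(cart):
    """Save routine as the post describes it: unlock, bank 1, write, lock again.
    The bank register is left at 1."""
    for addr, val in ((0x0000, 0x0A), (0x4000, 1), (0xA000, 0x50), (0x0000, 0x00)):
        cart.write(addr, val)

def game_views_stats(cart):
    """Sprite decompression: unlock, bank 0 as scratch, write, lock. Bank stays 0."""
    for addr, val in ((0x0000, 0x0A), (0x4000, 0), (0xA000, 0x00), (0x0000, 0x00)):
        cart.write(addr, val)

def stray_writes(cart, writes):
    """Replay (addr, value) writes from a misbehaving payload and return the set
    of save banks that were actually modified."""
    hit = set()
    for addr, value in writes:
        if cart.write(addr, value) and cart.bank in SAVE_BANKS:
            hit.add(cart.bank)
    return hit

# Constructed worst case: the payload stores a value with low nibble $A into the
# enable window, then stores into the SRAM window, never touching the bank register.
UNLUCKY = ((0x0000, 0x0A), (0xA100, 0xFF))
LOCKED_ONLY = ((0xA100, 0xFF),)          # same store, but SRAM was never unlocked

def save_then_use(writes=UNLUCKY):
    cart = Cart(); game_saves(cart)                           # bank register still 1
    return stray_writes(cart, writes)                         # -> {1}: save exposed

def view_stats_then_use(writes=UNLUCKY):
    cart = Cart(); game_saves(cart); game_views_stats(cart)   # bank register now 0
    return stray_writes(cart, writes)                         # -> set(): scratch only
```

Calling `save_then_use(LOCKED_ONLY)` shows the first gate on its own: with SRAM locked the store never reaches the chip, whatever bank is selected.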