Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 50

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Misdreavus
Date: 2017-11-13 17:06:25
Actually, I sent you the wrong code by mistake. Sorry, here's the new code:

HP EV:
Lemonade x??
Thunderstone x124
TM09 x34
Awakening x??
Poke Ball x121
Burn Heal x119
TM01 xAny

(My original code only allowed for both bytes to be changed to the same value)

To do the conversions, first convert the desired value into hex. For 40000, that would be $9C40. Then take the high byte ($9C), convert it to decimal (156), and use that value as the Lemonade quantity. Do the same with the low byte ($40 = 64), and put the result into the Awakening quantity.

So HP EV 40000 would be:
Lemonade x156
Thunderstone x124
TM09 x34
Awakening x64
Poke Ball x121
Burn Heal x119
TM01 xAny

I'm trying to max my Special DV. I have my pack set up as follows:

Bicycle
8F
Lemonade x255
Thunderstone x132
TM09 x34
Awakening x255
Poke Ball x121
Burn Heal x119
TM01 x1


Then I use 8F, but the Special stat of the L7 Chansey in my box (the only Pokémon in that box) doesn't change, when it should be changing from 21 (untrained) to 26 (maxed).

Do I have the right setup, or am I doing something wrong?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-11-13 18:10:38
This isn't operator error, I made a mistake when writing the code. As opposed to affecting the stat of box Pokemon 1, it instead affects the first Pokemon in your party. What I failed to realize was that you needed 233 HP Pidgey at the front of your party for bootstrapping. This is why I need to stop doing things while tired.

Give me a moment and I will edit this comment when it's fixed.

Edit: Fixed. This will now edit Pokemon 1 in your current box.

Lemonade x??
Thunderstone x??
TM18 x34
Awakening x??
Poké Ball x121
Burn Heal x119
TM01 x[Any qty]


Lemonade: Replace with the high byte of the desired value

Thunderstone:

x167 - HP EV
x169 - Attack EV
x171 - Defense EV
x173 - Speed EV
x175 - Special EV

Awakening: Replace with low byte of desired value

To max out your Special EV, you would use:

Lemonade x255
Thunderstone x175
TM18 x34
Awakening x255
Poke Ball x121
Burn Heal x119
TM01 xAny


Again, apologies for managing to mess this up two times in a row lol.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-11-14 01:48:49
Actually, the 6-Pokémon bootstrap (using Arbok instead of Kangaskhan) lets you have any Pokémon in slot 1, so your previous setup was perfectly fine.

By the way, always use the 6-Pokémon bootstrap. Nothing's more frustrating than your 233 HP Pidgey taking damage.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Str8rush
Date: 2017-11-14 17:16:00

Yup, that was the case. I put it into the Day Care and got it back; it was a Missingno. afterwards. On entering the Time Capsule, it was shown as a shiny Ho-Oh with Sacred Fire in slot 3, with Fire/Flying type. When I tried to trade, there was still the message that there seems to be something wrong with that Pokémon…

Edit: I re-read the topic in the forum where I first read about all this; the author of this thread stated that he was able to trade his generated Ho-Oh to his Silver but not to his Lugia. Could this be a thing perhaps, as I am trying it with a Ho-Oh to a Gold version?

After a few weeks with a little bit of stress and no time, I tried it again and it worked perfectly on my 3DS. I generated shiny Ho-Oh with Sacred Fire, Delibird, Phanpy and Skarmory from caught Missingno., and I managed to modify a Pinsir into a Ledyba and a Pidgey into a Chikorita (both are glitch Pokémon).
Only the last one deals a bit of trouble:

I would like to modify a Drowzee (for little effort changing the types) to get Glitch-Pokemon #251 for Celebi using 8F.
I am using the same code which worked perfectly fine for Ledyba and Chikorita in Slot 1 of my current Box:

1. any item
2. 8F
3. Lemonade 251x
4. X Acc 155x
5. Carbos 218x
6. Pokeball 119x
7. Fresh Water 201x

Lemonade 251 is Celebi's index number as listed both on bulbapedia and in the Big Hex List (https://glitchcity.info/wiki/The_Big_HEX_List)

X Acc 155 is to address the first slotted Pokémon ($DA96 -> 96 = 150, + 5 because non-English game)
Carbos 218 same

For some reason the modified Pokémon is shown as a Wobbuffet in the Time Capsule.
Wobbuffet's index number is 241, which is exactly 10 below Celebi's 251. I think this could be a reason, but I have no idea how this is possible. I had one Lemonade in slot 6 of my bag, encountered Missingno. (+128 = 129), tossed 6 (= 123) and encountered Missingno. again (+128 = 251).

I tried it two times with different Pokémon in different boxes and I double-checked my bag. I tried to encounter Missingno. with 10 Lemonades in my bag (= 138), tossed 6 and encountered Missingno. again, which should then be 261, just to make sure I didn't mess anything up to get this difference of 10 that gives a Wobbuffet, but then I would have more than 255 Lemonades in one slot; is that even possible? Where could there be a mistake that I didn't see, given that it worked for Pinsir -> Ledyba #204 and for Pidgey -> Chikorita #191?
Any idea on how to generate a #251 glitch Pokémon otherwise?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2017-11-14 17:25:14
It sounds like you successfully got the glitch Pokémon FB on the Generation I game.

However, the reason why glitch Pokémon No. 251 doesn't convert into Celebi is that Celebi (and ????? 00, FC, FF Egg) isn't a value in the hard-coded conversion table, so no Generation I glitch Pokémon will ever convert into Celebi I'm afraid. :(

These are all the one-way conversions like this:

http://glitchcity.info/wiki/Time_Capsule_exploit#One-way_conversions

Interestingly the Wobbuffet for #251 and #252 actually appear to be hardcoded. Háčky who documented more complex details of the Time Capsule exploit including this wondered whether the Wobbuffet were an Easter egg and developer joke, as their Japanese name (Sonans) is a play on the phrase "that's the way it is".

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xelrog T. Apocalypse
Date: 2017-11-22 13:29:36
Hello, hello… new guy here, sorry to just barge in. I was hoping I might be able to get a little help.

I just recently started using ACE on my Virtual Console version of Red to get myself some shinies for Pokémon Bank, using this old guide. So far, it's worked great, with one exception: setting all the DVs to 10 does guarantee all Pokémon are shinies, but it also forces them all to be male. I need female shinies as well for the species with gender differences.

Now, I know that because both shininess and gender are determined by the Attack IV in Gens 1 and 2, it's impossible for there to be a shiny female of a species with a 1:8 Male/Female ratio. I'd still like to get the non-1:8's, if possible, though. I don't understand the programming quite well enough for 8F Helper to be useful to me, though…

Does anyone know what item list I would need in order to set the first pokemon in the current box to have an Attack IV of 2? Or first in party, whatever… but I'm already set up for the version of the glitch I linked to above, which affects the first in the box.

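The shiny and gender rules Xelrog relies on, written out as an added example (this is not code from the thread or from 8F Helper). It packs four DVs into the two bytes a stored Pokémon carries, applies the Gen II shiny rule (Defense, Speed and Special DVs of 10, Attack DV in 2, 3, 6, 7, 10, 11, 14, 15) and the Gen II gender comparison, in which a Pokémon is female when its Attack DV nibble, shifted into the high half of a byte, is at or below the species' ratio threshold. The threshold constants are the Gen II gender-ratio bytes; that the Bank transfer applies the same comparison is an assumption here.

```python
# Added example: Gen II-style shininess and gender checks on Gen I DV bytes.
# The ratio thresholds are the Gen II gender-ratio constants; a Pokémon is
# female when (Attack DV << 4) <= ratio. Assumed to be what Bank applies too.
GENDER_F12_5 = 0x1F   # 7:1 male:female species
GENDER_F25 = 0x3F     # 3:1
GENDER_F50 = 0x7F     # 1:1
GENDER_F75 = 0xBF     # 1:3

SHINY_ATTACK_DVS = (2, 3, 6, 7, 10, 11, 14, 15)


def pack_dvs(atk, dfn, spd, spc):
    """Four 0..15 DVs -> the two bytes a stored Pokémon holds ($DAB1/$DAB2 for box slot 1).
    High nibble of byte 1 is Attack, low nibble Defense; byte 2 is Speed then Special."""
    for v in (atk, dfn, spd, spc):
        if not 0 <= v <= 15:
            raise ValueError("a DV is a half-byte, 0..15")
    return bytes([(atk << 4) | dfn, (spd << 4) | spc])


def unpack_dvs(two_bytes):
    """Inverse of pack_dvs: returns (atk, dfn, spd, spc)."""
    b1, b2 = two_bytes
    return (b1 >> 4, b1 & 0xF, b2 >> 4, b2 & 0xF)


def is_shiny(dvs):
    """Gen II shiny rule: Def/Spd/Spc DVs all 10 and Attack DV with bit 1 set."""
    atk, dfn, spd, spc = dvs
    return dfn == 10 and spd == 10 and spc == 10 and atk in SHINY_ATTACK_DVS


def is_female(dvs, ratio):
    """Gen II gender comparison on the Attack DV nibble only."""
    return (dvs[0] << 4) <= ratio


def female_shiny_attack_dvs(ratio):
    """Every Attack DV that gives a Pokémon that is both shiny and female at this ratio."""
    return [atk for atk in range(16)
            if is_shiny((atk, 10, 10, 10)) and is_female((atk, 10, 10, 10), ratio)]


def describe(two_bytes, ratio):
    """Human-readable verdict for a stored DV pair, e.g. b'\\x2a\\xaa' for 2/10/10/10."""
    dvs = unpack_dvs(two_bytes)
    return "%s %s (DVs %d/%d/%d/%d)" % (
        "shiny" if is_shiny(dvs) else "not shiny",
        "female" if is_female(dvs, ratio) else "male", *dvs)
```

Enumerating the shiny Attack DVs per ratio shows why the 1:8 (7:1 male) species can never be a female shiny: `female_shiny_attack_dvs(GENDER_F12_5)` is empty, while a 1:1 species has 2, 3, 6 and 7 available and a 3:1 species only 2 and 3. The $2A/$AA byte pair therefore covers every ratio that has a female shiny at all.
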
Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-11-22 13:51:17
Yes.

Use:
8f
Any item xany qnty
Thunderstone x177
TM18 x4
Lemonade x42
Ice Heal x34
Awakening x170
Poke ball x121
Max ether x119
TM01 xany

This is for stored Pokémon 1

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xelrog T. Apocalypse
Date: 2017-11-22 14:07:11

Yes.

Use:
8f
Any item xany qnty
Thunderstone x177
TM18 x4
Lemonade x42
Ice Heal x34
Awakening x170
Poke ball x121
Max ether x119
TM01 xany

This is for stored Pokémon 1


8F in the first slot? Not the second? This is for the party listed in the thread I linked to?

1st: Pidgey (233HP)
2nd: Parasect
3rd: Onix
4th: Tentacool
5th: Kangaskhan
6th: (empty)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-11-22 14:09:29
8F can be in the first or second slot; it has no bearing on the code's effect.

And yes, that party will indeed work with this.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xelrog T. Apocalypse
Date: 2017-11-22 15:02:12
Ah, all right, I get it. The code starts from the third item. I'll give it a shot, thanks a ton.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: forsyz
Date: 2017-11-23 02:44:55
Want an ACE way of making the game glitch itself? How would you run code that changes a random byte in WRAM?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2017-11-23 10:04:24
Just use the "GameShark code" with arbitrary values. Fuzz with them a bit!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2017-11-23 10:10:33

Just use the "GameShark code" with arbitrary values. Fuzz with them a bit!


You could do that.

You could also do this:

8f
Any item xany
Poke ball x33
TM11 x255
Ice Heal x42
TM45 x42
X Attack x111
TM41 x103
TM40 x212
Max ether x119
TM01 xany

This writes an entirely random byte to an entirely random location. Be very careful: there is nothing stopping this thing from writing into SRAM and invalidating checksums.
Back up your save before using it.
Messing around with GameShark codes is fun too; you never know what you might find! :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2017-11-24 06:00:54

Ah, all right, I get it. The code starts from the third item. I'll give it a shot, thanks a ton.


It's not irrelevant to question the position of 8F in a given code. The code indeed starts at the third item, but the identity and quantity of items 1 and 2 can actually be important, if the code uses their values to do something. The most common case of this is a code that uses a specific quantity of any item in position 2 and then stores this quantity into A for some utility later in the code (for example by starting the code with the opcode 'dec l' followed by 'ld a,(hl)', or by starting with 'ld a,(hld)' a.k.a. 'ld a,(hl-)' or 'ldd a,(hl)', which loads (HL) into A and then decrements HL, followed by any opcode to load (HL) into A again).
Many tricks involving the second item exist, including codes that actually change what the second item is. None of this is the case in what Couldntthinkofaname gave you, but it's a good reaction to actually pay attention to the availability of item 2.

The best is always to understand codes, so you can be sure of what to do. It doesn't require insane programming skills most of the time. I say a lot that even though this board is made to help people (and we are very happy to), most questions asked about code execution could have been solved by the user if they just tried to understand a bit how it works by reading the already available explanations. Your question was of course a bit technical, but if it can help, here is, for your information, how an '8F noob' could have solved this problem on their own:

You already did the whole difficult job by pointing out that:
- A Pokémon is shiny when all of its DV are 10, except for the Attack, which can be several values (but never lower than 2)
- Any Pokémon with an attack DV of 2 is female, except for the very specific class of Pokémon with a 7:1 male:female ratio.
- As a result, these Pokémon will never be shiny AND female, but any other shiny Pokémon with an attack DV of 2 will be female.

As pointed out in dozens of posts in this very thread (the last time was 14 days ago: http://forums.glitchcity.info/index.php?topic=6638.msg207657#msg207657), there is a generic 8F code that changes game data. Using it, you would have found out that, for example, the Attack and Defense DVs of Stored Pokémon 1 are controlled by $DAB1. Problem: it is not explained how to differentiate between the Attack and Defense DV… Well, the answer is given two posts after the previous one: DVs are coded in half-bytes, meaning that the value of $DAB1 for both DVs to be 10 would be AA (as A is 10 in hexadecimal), and therefore 2A would give an Attack DV of 2 and a Defense DV of 10.

With this in mind, you could have figured out this item list for yourself:
Item 1: any item
Item 2: 8F
Item 3: Lemonade x42 (2 Attack, A [10] Defense)
Item 4: X Accuracy x177 (decimal equivalent of B1)
Item 5: Carbos x218 (decimal equivalent of DA)
Item 6: Poké Ball x119
Item 7: Fresh Water x201

Of course, this solves the problem by changing an already shinyfied Pokémon to a female. It doesn't change the Speed/Special DVs, unlike the code given by Couldntthinkofaname, which makes 2/10/10/10 (and therefore should not be used if you want a male shiny). I used no knowledge AT ALL of opcodes to write this, to show that anyone could have done that, but to create a code like the one he did, you would indeed need some basics. Maybe I can advise you to read the relevant information in section IV.10 of the newcomers' guide to 2G ACE, since opcodes are exactly the same in the first generation, obviously :)

A last note: in the generic code that changes ONE value, by having 34 Poké Ball and following with a quantity of Max Revive, you can directly change the value of the following address as well.
Item 1: any item
Item 2: 8F
Item 3: Lemonade x(value to give to address)
Item 4: X Accuracy x('last two numbers' of the address)
Item 5: Carbos x('first two numbers' of the address)
Item 6: Poké Ball x34
Item 7: Max Revive x(value to give to the following address)
Item 8: Fresh Water x201

Which in our case can be solved by using 42 Lemonade, 177 X Accuracy, 218 Carbos and 170 Max Revive, so that it does the same thing as Couldntthinkofaname's code.

Hope it helps. Have fun with ACE!

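Every item list on this page is SM83 (Game Boy CPU) machine code: the item index number is the opcode and the quantity is its operand, two bytes per bag slot, starting at item 3. The following is an added example, not code from the thread or from 8F Helper: it encodes an item list into the byte stream the CPU sees, disassembles the opcodes the page's codes use, runs them against a toy memory model so the write address can be checked, and generates Krys3000's generic one-byte write (and the Poké Ball x34 / Max Revive two-byte variant) for any address. Item index numbers are the Gen I ones (TM01 = $C9, so TMxx = $C8 + xx); the toy interpreter assumes all registers start at zero and does not model flags, which none of these codes branch on.

```python
"""Added example, not code from the thread: decode a Gen I bag as the SM83
bytes 8F executes, simulate them, and generate the generic write code."""

# Gen I item index numbers for the items this thread's codes use.
ITEM_IDS = {
    "Poké Ball": 0x04, "Burn Heal": 0x0C, "Ice Heal": 0x0D, "Awakening": 0x0E,
    "Thunderstone": 0x21, "Carbos": 0x26, "X Accuracy": 0x2E, "Max Revive": 0x36,
    "Fresh Water": 0x3C, "Lemonade": 0x3E, "X Attack": 0x41, "Max Ether": 0x51,
}

def item_id(name):
    """TM01 is index $C9, so TMxx is $C8 + xx (TM18 = $DA, TM40 = $F0)."""
    return 0xC8 + int(name[2:]) if name.upper().startswith("TM") else ITEM_IDS[name]

def encode(items):
    """[(item, quantity), ...] -> the byte stream the CPU runs: id, qty, id, qty, ..."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:  # a slot is one byte and the bag never holds quantity 0
            raise ValueError(f"{name} x{qty} cannot sit in a bag slot")
        out += bytes([item_id(name), qty])
    return bytes(out)

# opcode -> (format string, immediate operand size); only the subset used on this page
OPCODES = {
    0x04: ("inc b", 0), 0x0C: ("inc c", 0), 0x0D: ("dec c", 0), 0x0E: ("ld c,${:02X}", 1),
    0x21: ("ld hl,${:04X}", 2), 0x22: ("ld (hl+),a", 0), 0x26: ("ld h,${:02X}", 1),
    0x2A: ("ld a,(hl+)", 0), 0x2E: ("ld l,${:02X}", 1), 0x36: ("ld (hl),${:02X}", 1),
    0x3C: ("inc a", 0), 0x3E: ("ld a,${:02X}", 1), 0x41: ("ld b,c", 0), 0x51: ("ld d,c", 0),
    0x67: ("ld h,a", 0), 0x6F: ("ld l,a", 0), 0x77: ("ld (hl),a", 0), 0x79: ("ld a,c", 0),
    0x7A: ("ld a,d", 0), 0xC9: ("ret", 0), 0xF0: ("ldh a,($FF{:02X})", 1),
    0xF1: ("pop af", 0), 0xF5: ("push af", 0),
}

def disassemble(code):
    """Decode up to and including the first `ret`; unknown opcodes are shown as `db`."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        fmt, size = OPCODES.get(op, (f"db ${op:02X}", 0))
        out.append(fmt.format(int.from_bytes(code[pc + 1:pc + 1 + size], "little")))
        pc += 1 + size
        if op == 0xC9:
            break
    return out

def run(code, memory=None):
    """Interpret the subset against a sparse memory dict (registers start at 0).
    Returns (memory, registers) after `ret`, so a write can be checked by address."""
    mem, r, stack, pc = dict(memory or {}), dict.fromkeys("abcdhl", 0), [], 0
    hl = lambda: (r["h"] << 8) | r["l"]
    def set_hl(v):
        r["h"], r["l"] = (v >> 8) & 0xFF, v & 0xFF
    while pc < len(code):
        op = code[pc]
        size = OPCODES[op][1]  # KeyError means an opcode this model does not cover
        n = int.from_bytes(code[pc + 1:pc + 1 + size], "little")
        pc += 1 + size
        if op == 0xC9: break
        if op == 0x04: r["b"] = (r["b"] + 1) & 0xFF
        elif op == 0x0C: r["c"] = (r["c"] + 1) & 0xFF
        elif op == 0x0D: r["c"] = (r["c"] - 1) & 0xFF
        elif op == 0x0E: r["c"] = n
        elif op == 0x21: set_hl(n)
        elif op == 0x22: mem[hl()] = r["a"]; set_hl((hl() + 1) & 0xFFFF)
        elif op == 0x26: r["h"] = n
        elif op == 0x2A: r["a"] = mem.get(hl(), 0); set_hl((hl() + 1) & 0xFFFF)
        elif op == 0x2E: r["l"] = n
        elif op == 0x36: mem[hl()] = n
        elif op == 0x3C: r["a"] = (r["a"] + 1) & 0xFF
        elif op == 0x3E: r["a"] = n
        elif op == 0x41: r["b"] = r["c"]
        elif op == 0x51: r["d"] = r["c"]
        elif op == 0x67: r["h"] = r["a"]
        elif op == 0x6F: r["l"] = r["a"]
        elif op == 0x77: mem[hl()] = r["a"]
        elif op == 0x79: r["a"] = r["c"]
        elif op == 0x7A: r["a"] = r["d"]
        elif op == 0xF0: r["a"] = mem.get(0xFF00 | n, 0)
        elif op == 0xF1: r["a"] = stack.pop()  # flags are not modelled
        elif op == 0xF5: stack.append(r["a"])
    return mem, r

def write_items(addr, *values):
    """Items 3.. for the generic write: one byte, or two consecutive bytes with the
    Poké Ball x34 / Max Revive variant. Put any item and 8F in slots 1 and 2."""
    if len(values) not in (1, 2):
        raise ValueError("this code writes one or two consecutive bytes")
    items = [("Lemonade", values[0]),          # ld a,value
             ("X Accuracy", addr & 0xFF),      # ld l,low byte of address
             ("Carbos", addr >> 8)]            # ld h,high byte of address
    if len(values) == 1:
        items.append(("Poké Ball", 119))       # inc b ; ld (hl),a
    else:
        items += [("Poké Ball", 34),           # inc b ; ld (hl+),a
                  ("Max Revive", values[1])]   # ld (hl),next value
    return items + [("Fresh Water", 201)]      # inc a ; ret
```

`disassemble(encode(write_items(0xDAB1, 0x2A)))` gives ld a,$2A / ld l,$B1 / ld h,$DA / inc b / ld (hl),a / inc a / ret, and `run` on the same bytes leaves $DAB1 = $2A; feeding it Couldntthinkofaname's Thunderstone x177 list instead lands $2A at $DAB1 and $AA at $DAB2 through ld hl,$DAB1 / ld (hl+),a / ld c,$AA / ld a,c / ld (hl),a. Decoding his random-write list shows why it is dangerous: it reads the two HRAM bytes at $FFD3/$FFD4 (the game's RNG state), uses them as the high and low byte of the target, and stores the $FFD4 byte there, so the destination is unconstrained. The encoder's quantity check is the practical limit of the generic code: an address or value containing a $00 byte cannot be expressed as a bag quantity and needs a different instruction sequence.
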
Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xelrog T. Apocalypse
Date: 2017-11-25 11:28:18
The female shiny sequence worked perfectly. Thanks a bunch.