Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 6

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 15:46:27
Enter the Hall of Fame with S7 in German R/B:

[img]http://goput.it/m6p2.png[/img]

ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f0
ret


[tt]0e 16 26 64 2e bb 41 40 cd f0 35 c9

Awakening (Aufwecker)  x 22
Carbos (Carbon)        x100
X Accuracy (X-Treffer) x187
X Attack (X-Angriff)  x 64
TM05                  x240
Revive (Beleber)      x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:01:45
Enter the Hall of Fame with 7eme Etage in French R/B:

[img]http://goput.it/34y8.png[/img]

ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35f3
ret


[tt]0e 16 26 64 2e bb 41 40 cd f3 35 c9

Awakening (Reveil)      x 22
Carbos (Carbone)        x100
X Accuracy (Precision +) x187
X Attack (Attaque +)    x 64
TM05 (CT05)              x243
Revive (Rappel)          x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:23:24
Enter the Hall of Fame with 7ºP in Italian R/B:

[img]http://goput.it/v30e.png[/img]

ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35ee
ret


[tt]0e 16 26 64 2e bb 41 40 cd ee 35 c9

Awakening (Sveglia)      x 22
Carbos (Carburante)      x100
X Accuracy (Precisione X) x187
X Attack (Attacco X)      x 64
TM05 (MT05)              x238
Revive (Revitaliz.)      x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:35:06
Enter the Hall of Fame with ws m in Spanish and German Yellow:

[img]http://goput.it/3tka.png[/img]

ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e89
ret


[tt]0e 16 26 64 2e 56 41 40 cd 89 3e c9

Awakening  x 22
Carbos    x100
X Accuracy x 86
X Attack  x 64
TM05      x137
Lemonade  x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:40:25
Play Pikachu's Beach with ws m in Spanish and German Yellow:

[img]http://goput.it/ujyu.png[/img]

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e89
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 89 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x137
Lemonade    x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:48:23
Enter the Hall of Fame with ws m in French Yellow:

[img]http://goput.it/i6fa.png[/img]

ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e87
ret


[tt]0e 16 26 64 2e 56 41 40 cd 87 3e c9

Awakening  x 22
Carbos    x100
X Accuracy x 86
X Attack  x 64
TM05      x135
Lemonade  x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:53:14
Play Pikachu's Beach with ws m in French Yellow:

[img]http://goput.it/bdvt.png[/img]

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e87
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 87 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x135
Lemonade    x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 16:59:04
Enter the Hall of Fame with ws m in Italian Yellow:

[img]http://goput.it/r9qq.png[/img]

ld c,$16
ld h,$64
ld l,$56
ld b,c
ld b,b
call $3e82
ret


[tt]0e 16 26 64 2e 56 41 40 cd 82 3e c9

Awakening  x 22
Carbos    x100
X Accuracy x 86
X Attack  x 64
TM05      x130
Lemonade  x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-07 17:03:11
Play Pikachu's Beach with ws m in Italian Yellow:

[img]http://goput.it/ko4d.png[/img]

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e82
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 82 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x130
Lemonade    x201[/tt]

..finally, HoF code done for all languages R/G/B/Y! And Pikachu's Beach done for all languages of Yellow!
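The porting step these posts repeat by hand (same code, different bankswitch address, hence a different TM05 quantity and a different item in the slot that holds the high byte) can be mechanised. The following is an added example and not code from the thread: it models an 8F payload as the bag entries it has to live in (even offsets are item IDs, odd offsets are quantities), rejects bytes the bag cannot hold, and re-targets the `call` operand. The item table is a partial one containing only the IDs this thread uses (assumption: the English Red/Blue item IDs), and the bankswitch addresses are the ones quoted in the posts above; it covers the R/B versions only, since the Yellow and Japanese payloads also change the `ld h`/`ld l` operands.

```python
# Added example, not code from the original thread. Item IDs are assumed to be
# the English Red/Blue ones; bankswitch addresses are quoted from the posts.

ITEMS = {  # partial Gen 1 item ID table: only the IDs seen in this thread
    0x0E: "Awakening", 0x1D: "Escape Rope", 0x1F: "Old Amber", 0x23: "HP Up",
    0x26: "Carbos", 0x2E: "X Accuracy", 0x34: "Full Heal", 0x35: "Revive",
    0x36: "Max Revive", 0x3E: "Lemonade", 0x41: "X Attack",
}
NAME_TO_ID = {name: iid for iid, name in ITEMS.items()}

def item_name(iid):
    """Name for an item ID byte. TM01..TM50 are $C9..$FA, HM01..HM05 are $C4..$C8."""
    if iid in (0x00, 0xFF):
        raise ValueError(f"${iid:02X} cannot be an item ID ($FF terminates the bag)")
    if 0xC4 <= iid <= 0xC8:
        return f"HM{iid - 0xC3:02d}"
    if 0xC9 <= iid <= 0xFA:
        return f"TM{iid - 0xC8:02d}"
    return ITEMS.get(iid, f"item ${iid:02X}")  # usable ID not in the partial table

def item_id(name):
    if name[:2] in ("TM", "HM") and name[2:].isdigit():
        return (0xC8 if name[0] == "T" else 0xC3) + int(name[2:])
    return NAME_TO_ID[name]

def bytes_to_items(payload):
    """Pair the payload into (name, quantity) entries; even offsets are IDs, odd are quantities."""
    if len(payload) % 2:
        raise ValueError("odd length: pad with a harmless filler such as $40 (ld b,b)")
    items = []
    for off in range(0, len(payload), 2):
        iid, qty = payload[off], payload[off + 1]
        if qty == 0:
            raise ValueError(f"quantity $00 needed at offset {off + 1}; restructure the code")
        items.append((item_name(iid), qty))
    return items

def items_to_bytes(items):
    return bytes(b for name, qty in items for b in (item_id(name), qty))

def retarget_call(payload, call_offset, target):
    """Replace the 16-bit little-endian operand of the `call` ($CD) at call_offset."""
    if payload[call_offset] != 0xCD:
        raise ValueError(f"no call opcode at offset {call_offset}")
    return payload[:call_offset + 1] + target.to_bytes(2, "little") + payload[call_offset + 3:]

# Stackout's German R/B Hall of Fame payload from above; the call sits at offset 8.
HOF_GERMAN = bytes.fromhex("0e 16 26 64 2e bb 41 40 cd f0 35 c9")
BANKSWITCH = {  # bankswitch routine addresses quoted in the posts
    "German R/B": 0x35F0, "French R/B": 0x35F3, "Italian R/B": 0x35EE,
}

def hof_items_for(version):
    """The HoF item list with the call pointed at that version's bankswitch routine."""
    return bytes_to_items(retarget_call(HOF_GERMAN, 8, BANKSWITCH[version]))

if __name__ == "__main__":
    for version in BANKSWITCH:
        print(version)
        for name, qty in hof_items_for(version):
            print(f"  {name:<12} x{qty:>3}")
```

Re-targeting changes two bag entries at once: the low byte of the address is the TM05 quantity, and the high byte is the ID of the next item, which is why the same payload needs Revive in R/B ($35), Max Revive in Japanese R/G ($36) and Lemonade in Yellow ($3E).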

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-07 22:47:44

Humorous note: I just went to rename my Onix to what I wanted to change my name to after testing the code at and calling my trainer "ONIX".  Of course, naturally, I now had a different OT and couldn't rename it :D Silly me.


So, I've devised a way to fix this in the spirit of this thread!  It's rather useless, but this program can be used to set the OT of your Onix, allowing you to change its nickname so that you can rename your trainer again (or you could just catch another Onix ;D).  Here's the item list:

Take caution:  Use 8F exactly (name length+1) times to ensure that the trainer name is terminated correctly.
This code is also self-modifying, so make sure that you reset the item quantities if you need to use it again.

[tt]Any item (any quantity)
8F
TM50                x88
TM09                x64 (x73, x82, x91, x100, x109, x127 should also all work fine here)
TM34                x115
TM10                x46
HP Up                x52
X Accuracy          x39
Full Heal            x201[/tt]

WRA1:D322 FA 58 D1    ld a,(D158)
WRA1:D325 40          ld b,b
WRA1:D326 EA 73 D2    ld (D273),a
WRA1:D329 2E 23       ld l,23h
WRA1:D32B 34          inc (hl)
WRA1:D32C 2E 27       ld l,27h
WRA1:D32E 34          inc (hl)
WRA1:D32F C9          ret


For more general use on other Pokémon this can easily be modified to change the OT of the first Pokémon in the box: Simply change the (initial) quantity of TM34 from 115 to 42, and use TM21 in place of TM10.

Note: I haven't actually tested any of this but it all works perfectly theoretically…
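Why exactly "name length + 1" uses, and what the self-modification does, is easiest to see by running the routine. The following is an added example and not OwnageMuch's code: a tiny interpreter for the handful of SM83 opcodes the routine uses, run over a modelled WRAM. It assumes H already holds $D3 when 8F dispatches (the routine's `ld l,23h` relies on that), the Red/Blue addresses quoted in the post, and Gen 1 text encoding ('A'..'Z' are $80..$99, $50 terminates a string).

```python
# Added example, not code from the original thread. Assumes H = $D3 on entry,
# the RAM addresses quoted in the post, and Gen 1 text encoding.

PLAYER_NAME = 0xD158    # wPlayerName
PARTY_MON1_OT = 0xD273  # OT of party slot 1
CODE_START = 0xD322     # first byte 8F executes
TERMINATOR = 0x50

# The item list from the post, as the bytes it becomes in memory.
ROUTINE = bytes.fromhex("FA 58 D1 40 EA 73 D2 2E 23 34 2E 27 34 C9")

def encode_text(s):
    return bytes(0x80 + ord(c) - ord("A") for c in s) + bytes([TERMINATOR])

def decode_text(buf):
    out = ""
    for c in buf:
        if c == TERMINATOR:
            break
        out += chr(ord("A") + c - 0x80)
    return out

def run(ram, pc, h):
    """Execute from pc until `ret`; only the opcodes the routine uses exist here."""
    a = l = 0
    while True:
        op = ram[pc]
        if op == 0xFA:                                   # ld a,(nn)
            a = ram[int.from_bytes(ram[pc + 1:pc + 3], "little")]
            pc += 3
        elif op == 0xEA:                                 # ld (nn),a
            ram[int.from_bytes(ram[pc + 1:pc + 3], "little")] = a
            pc += 3
        elif op == 0x2E:                                 # ld l,n
            l = ram[pc + 1]
            pc += 2
        elif op == 0x34:                                 # inc (hl): patches the code itself
            hl = (h << 8) | l
            ram[hl] = (ram[hl] + 1) & 0xFF
            pc += 1
        elif op == 0x40:                                 # ld b,b (filler)
            pc += 1
        elif op == 0xC9:                                 # ret
            return
        else:
            raise NotImplementedError(f"opcode ${op:02X} at ${pc:04X}")

def copy_ot_from_player(player_name, old_ot, runs=None):
    """Use 8F `runs` times (default: name length + 1, as the post says).
    Returns the resulting OT string and the two patched operand bytes
    (low byte of the source address at D323, of the destination at D327)."""
    ram = bytearray(0x10000)
    ram[PLAYER_NAME:PLAYER_NAME + len(player_name) + 1] = encode_text(player_name)
    ram[PARTY_MON1_OT:PARTY_MON1_OT + len(old_ot) + 1] = encode_text(old_ot)
    ram[CODE_START:CODE_START + len(ROUTINE)] = ROUTINE
    if runs is None:
        runs = len(player_name) + 1
    for _ in range(runs):
        run(ram, CODE_START, h=0xD3)
    ot = decode_text(ram[PARTY_MON1_OT:PARTY_MON1_OT + 11])
    return ot, ram[CODE_START + 1], ram[CODE_START + 5]

if __name__ == "__main__":
    print(copy_ot_from_player("ONIX", "GLITCH"))          # ('ONIX', 93, 120)
    print(copy_ot_from_player("ONIX", "GLITCH", runs=3))  # terminator never copied
```

Each pass copies one byte and then bumps the quantity of TM50 and of TM34 by one, so the pointers advance through the name; stopping early leaves the tail of the old OT in place (the second call above yields "ONITCH"), and after a full run the quantities are no longer the ones you started with, which is the reset the post warns about.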

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-08 08:18:48
Both your code and the modification works.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-08 09:34:10
So.. I just found out that the bankswitch function's offset changed between JP R/G 1.0 and 1.1, and between JP Yellow 1.0 and 1.1 (it remains the same between JP Yellow 1.1 and 1.2 though).

Time for more porting and testing.. *sigh*

Enter the Hall of Fame with 5kai in Japanese R/G v1.1:

[img]http://goput.it/7lsa.png[/img]
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $360e
ret


[tt]0e 16 26 7b 2e e4 41 40 cd 0e 36 c9

Awakening  x 22
Carbos    x123
X Accuracy x228
X Attack  x 64
TM05      x 14
Max Revive x201[/tt]

Enter the Hall of Fame with in Japanese Yellow v1.0:
ld c,$16
ld h,$7d
ld l,$c8
ld b,c
ld b,b
call $3e7d
ret


[tt]0e 16 26 7d 2e c8 41 40 cd 7d 3e c9

Awakening  x 22
Carbos    x125
X Accuracy x200
X Attack  x 64
TM05      x125
Lemonade  x201[/tt]

Play Pikachu's Beach with in Yellow 1.0:

ld c,$3e
ld h,$40
dec e
ld l,e
ld b,c
ld b,b
call $3e7d
ret


[tt]0e 3e 26 40 1D 6B 41 40 cd 7d 3e c9

Awakening  x 62
Carbos      x 64
Escape Rope x107
X Attack    x 64
TM05        x125
Lemonade    x201[/tt]

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-08 15:11:42

[quote]Both your code and the modification works.

So the OT of the first boxed Pokémon starts at DD2A? Never knew that!

Matthew Robinson's code archive strangely says 01xx2ADD modifies part of the 16th PC Pokémon's experience. Is this an error?[/quote]


What RAM map are you using? I was using this one: http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-08 16:04:40
I use DataCrystal too, as well as this for GameShark codes and occasionally our GameShark codes page for Red/Blue but I can't find DD2A (OT of the first boxed Pokémon) on any, even though it does work.

Edit 1: Re 16th Pokémon's experience: Looks like it doesn't match up with DataCrystal's addresses (DC93-DC95).
Edit 2: DataCrystal's memory addresses for that are correct.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2013-12-11 14:13:00
Screw your English R/B save file using 8F!

Little bit of malicious fun. I was bored.
Basically, we set the current map's script pointer (at $D36E) to $D336, then we call SaveSAVtoSRAM (to save the game without warning). Then we reach $D336, which is a conditional jump (it only jumps when the carry flag isn't set, which in practice is all the time; this is done because an unconditional jump here would mean a glitch item or more than 1 of a key item is required) to $1f49 (which soft resets).
And because the current map's script pointer in the save file is now $D336.. trying to continue just soft resets.
I think this is kinda more trolly than ZZAZZ's creepypasta thing, and in only 23 bytes too!

Here's a video. I may port this to Yellow if I can be bothered.

Unfortunately, you need two stacks of X Accuracy, but it's easy to get two stacks of an item anyway (have one 99 stack and purchase or find one more) and it's something very basic that can be found in most (if not all) Poké Marts.

ld l,$6E
ld (hl),$36
ld a,$D3
ld ($D36F),a
inc b
ld c,$1c
ld h,$78
ld l,$48 ; 1c:7848: SaveSAVtoSRAM
ld b,c
call $35d6 ; BankSwitch
jp nc,$1f49 ; SoftReset


[tt]2E 6E 36 36 3E D3 EA 6F D3 04 0E 1C 26 78 2E 48 41 CD D6 35 D2 49 1F

X Accuracy x110
Max Revive x 54
Lemonade  x211
TM34      x111
TM11      x  4
Awakening  x 28
Carbos    x120
X Accuracy x 72
X Attack  x205
TM14      x 53
TM10      x 73
Old Amber  x  1[/tt]
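The byte string above is what actually ends up in the bag, and the listing is a hand disassembly of it. The following is an added example, not code from the thread: a linear-sweep disassembler for the SM83 opcodes used in this thread's payloads (with the whole `ld r,r'` block $40-$7F, since those are the usual filler bytes), which reproduces the listing from $D322 and confirms that the `jp nc` is the instruction sitting at $D336, the value the code stores into the map script pointer. The opcode table covers only what the posts use and raises on anything else.

```python
# Added example, not code from the original thread. Opcode subset only.

REG = ["b", "c", "d", "e", "h", "l", "(hl)", "a"]

ONE = {0x00: "nop", 0x04: "inc b", 0x1D: "dec e", 0x34: "inc (hl)", 0xC9: "ret"}
IMM8 = {0x06: "ld b,${:02X}", 0x0E: "ld c,${:02X}", 0x16: "ld d,${:02X}",
        0x1E: "ld e,${:02X}", 0x26: "ld h,${:02X}", 0x2E: "ld l,${:02X}",
        0x36: "ld (hl),${:02X}", 0x3E: "ld a,${:02X}"}
IMM16 = {0xC3: "jp ${:04X}", 0xCD: "call ${:04X}", 0xD2: "jp nc,${:04X}",
         0xDA: "jp c,${:04X}", 0xEA: "ld (${:04X}),a", 0xFA: "ld a,(${:04X})"}

def decode_one(code, off):
    """Return (size, mnemonic) for the instruction starting at code[off]."""
    op = code[off]
    if op in ONE:
        return 1, ONE[op]
    if op in IMM8:
        return 2, IMM8[op].format(code[off + 1])
    if op in IMM16:
        return 3, IMM16[op].format(int.from_bytes(code[off + 1:off + 3], "little"))
    if 0x40 <= op <= 0x7F:                       # ld r,r' block; $76 is halt
        if op == 0x76:
            return 1, "halt"
        return 1, f"ld {REG[(op >> 3) & 7]},{REG[op & 7]}"
    raise NotImplementedError(f"opcode ${op:02X} is not in this thread's subset")

def disassemble(code, base):
    """Linear sweep over the payload: list of (address, hex bytes, mnemonic)."""
    out, off = [], 0
    while off < len(code):
        size, text = decode_one(code, off)
        if off + size > len(code):
            raise ValueError(f"instruction at ${base + off:04X} runs past the end of the payload")
        out.append((base + off, bytes(code[off:off + size]).hex(" ").upper(), text))
        off += size
    return out

def listing(code, base=0xD322):
    """Render in the WRA1:addr style used in the posts."""
    return [f"WRA1:{addr:04X} {hexb:<9} {text}" for addr, hexb, text in disassemble(code, base)]

# The 23-byte save-corrupting payload from the post above.
SAVE_SCREW = bytes.fromhex("2E 6E 36 36 3E D3 EA 6F D3 04 0E 1C 26 78 2E 48 41 CD D6 35 D2 49 1F")

if __name__ == "__main__":
    print("\n".join(listing(SAVE_SCREW)))
```

Because the sweep is linear, a payload whose bytes you have shuffled to get nicer item quantities is re-checked in one call, and an operand byte that silently became its own opcode (a quantity landing in an ID slot, for instance) shows up as a shifted listing rather than a surprise in-game.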