Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 52

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-01-17 15:33:57
It's unnecessary; all that's required is to wake up as soon as the user presses a button.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2018-01-17 19:04:54
So this accounts for the user releasing a button late and button bounce (on console)?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-01-18 17:02:17
This doesn't, and as I said,

(Note : if the D-Pad is already held when the setup is ran, it will fail.)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2018-01-18 21:08:38
How long does the user have to release the A button after running the code? It should be at least like 0.5 second to compensate for the previously mentioned scenarios.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-01-19 02:25:17
No, the user can release the A button at any moment. What matters is the D-Pad.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Parzival
Date: 2018-01-19 20:08:57
Oh. nvm then

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: WendyBettyJanice
Date: 2018-02-05 17:49:09
This is my first time trying to piece together something that works; normally what I want is already on here, but I'm really having a hard time with this, so if anyone can look over this and tell me where I'm being stupid, I'd be more than grateful. I've done my best to show where I obtained my info and how I got to what I got; hopefully it will help someone see where I'm wrong.

I would like to make the typing of the Pokemon in box 1 of my current PC box, Psychic/Flying.

Type 1 - DA9B |DA= 218 |9B = 155  <– this is location of Pokemon typing in the current box slot 1. I separated and converted to get the decimals 218, 155/156.
Type 2 - DA9C |DA= 218 |9C = 156


Type 1 - Psychic

Any item
8F
Lemonade*24 (Psychic hex is 18, which becomes 24 in decimal)
X-accuracy*155 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201

Type 2 - Flying

Any item.
8F
Lemonade*2 (Flying hex is 02, which becomes 2 in decimal)
X-accuracy*156 (this is the "YY" part of the target location I want to change)
Carbos*218 (this is the "XX" part of the target location I want to change)
Pokeball*119
Fresh Water*201


Now, I know that even if this is working it won't show in the game, but it will show in the battle text what I'm effective/not effective against. The issue I'm having is that whenever I remove the Pokemon from the PC box (assuming it's worked), it becomes a Rhydon. I take Rhydon to the daycare, put him in, take him out, and my Pokemon reverts back to Missingno like I wanted; however, the daycare "raises his level by 255" (impressively he's done this 4 times now) and the DVs are all different (basing this on the fact that the stats of the Pokemon change when he goes from Missingno/Rhydon/Missingno).

So my questions now become:
- Can I change the Pokemon's types and remove it from the box without it becoming a big ugly Rhydon?
- When it becomes a Rhydon, has it reset my progress in changing its types? It says Rock/Ground, and I'm wondering if it's overwriting my work.
- When I used 8F to edit my Mew's OT/ID so it would go through Pokemon Bank, I recall using a bootstrap where Mew was in slot one of the party and the strap used slots 2-6. I was going to try using that strap to leave the target Pokemon in my party and not use the PC box at all to get around my problem. Does anyone know the strap, as I don't recall it? I just know it has Arbok instead of Kangaskhan. Or does anyone have a better solution to this?

Where I got my info, in case any of it is wrong:
This thread.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Pok.C3.A9mon
https://glitchcity.info/wiki/The_Big_HEX_List


Any help at all, is appreciated. Thanks in advance.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2018-02-05 18:48:27
> - Can I change the Pokemon's types and remove it from the box without it becoming a big ugly Rhydon?

This is an issue specific to Missingno. and other glitch Pokemon. It occurs when the user views the Pokemon's stats while the Pokemon is still in the box. Simply withdrawing the Pokemon without viewing its stats prevents this.

> - When it becomes a Rhydon, has it reset my progress in changing its types? It says Rock/Ground, and I'm wondering if it's overwriting my work.

It is not. The status screen simply displays the typing that is normal for that specific Pokemon. It does not display the actual typing.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: AcridBrimistic
Date: 2018-02-08 13:06:17
Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:

Item 1: HM01 (if I'm correct, the first and second items do not matter)
Item 2: 8F
Item 3: Lemonade (x4)    (ld a,4)
Item 4: TM34 (x94)    (ld ($D35E), a)
Item 5: TM11 (x201)    (ret)

When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2018-02-08 13:23:32
> Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:
>
> Item 1: HM01 (if I'm correct, the first and second items do not matter)
> Item 2: 8F
> Item 3: Lemonade (x4)    (ld a,4)
> Item 4: TM34 (x94)    (ld ($D35E), a)
> Item 5: TM11 (x201)    (ret)
>
> When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?

Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2018-02-08 14:26:33
>> Trying to make my first script, to change the Map ID to Lavender Town, but it seems to crash the game instead. Here's the script and items:
>>
>> Item 1: HM01 (if I'm correct, the first and second items do not matter)
>> Item 2: 8F
>> Item 3: Lemonade (x4)    (ld a,4)
>> Item 4: TM34 (x94)    (ld ($D35E), a)
>> Item 5: TM11 (x201)    (ret)
>>
>> When I use 8F, the game simply crashes. Probably something very obvious that I'm missing, however I have no clue why this wouldn't work. Any advice?
>
> Setting the current map to 118 will crash the game. That's the Hall of Fame's ID anyway; Lavender Town's ID is $04.


Changing D35E directly is unsafe and the value you write to it must be kept active when loading a new warp. However changing D365 (item 36's quantity in the expanded items pack) is safe and should work. This works in the same way as the Safari Zone exit glitch for maps with exits that redirect you to 0xFF (last map; D365).

It does require you to be in a specific building like a Pokémon Center before using one of the exit mat's warps to warp to Lavender Town (0x04) though, and another variable involved is the map exit index which controls where on the map the game is going to place you. For example the Safari Zone exit uses exit 0x04, which is normally outside of the Safari Zone building, but if the map in D365 has less than 4 exits this could load a Glitch City instead.

Why the game freezes:

When you change D35E, you're only partially changing the map. If D35E holds a value while you walk through a door you'll indeed warp there, but it has to be set to that value constantly (your code only sets the value once).

Normally you have to be very careful though, because D36E and D36F are responsible for the map script pointer (in little endian, which means lowest byte first). Different maps use different banks for their scripts, which is why the game could freeze after closing the items menu unless D36E/F points to a ret.

For example, Pallet Town's script is 0x4E5B. This article tells us Pallet Town uses bank 6 and Lavender Town bank 4. If you were to switch to Lavender Town you would be executing 04:4E5B instead of 06:4E5B, which is at a different location in the ROM and could result in a freeze.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Masuta Satoshi
Date: 2018-02-21 10:35:28
Can anyone help me?

Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:

-15/15/15/15
-15/10/10/10

I've seen some videos, but they just put in the necessary items (and in different ways, so I can't find a pattern). Some examples:

https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
https://www.youtube.com/watch?v=RCrzcqLEauQ

Ty.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Couldntthinkofaname
Date: 2018-02-21 12:23:39
> Can anyone help me?
>
> Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:
>
> -15/15/15/15
> -15/10/10/10
>
> I've seen some videos, but they just put in the necessary items (and in different ways, so I can't find a pattern). Some examples:
>
> https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
> https://www.youtube.com/watch?v=RCrzcqLEauQ
>
> Ty.


The following codes are used to edit the DVs of box Pokemon 1.

You can use

8f
Any
Carbos x218 (hex:DA)
X Accuracy x178 (hex:B2)
Lemonade xDVOne
TM03 x55 (hex:37)
Elixer x71 (hex:47)
Awakening xDVTwo
Escape Rope x121 (hex:79)
Max Elixer x176 (hex:B0)
Ether x119 (hex:77)
TM01 x[Any qty]

To write to the Speed/Special IVs. Then, to write to Attack/Defense IVs, toss one X Accuracy.

Alternatively, you may also use this code, which writes to all DVs in one go. It takes a bit of math to use, however.


8f
Any
Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x#FirstNum
Water Stone x82 (hex:52)
Awakening x#SecondNum
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

To find the numbers, take the first DV * 16 + the second DV. For the second number, do the same with the third and fourth DVs.

So

15/10/10/10

…would be

Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x250 (hex:FA)
Water Stone x82 (hex:52)
Awakening x170 (hex:AA)
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]
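As an added example (my own code, not the thread's or Couldntthinkofaname's), the formula above in Python: it packs two DVs into the one quantity the post describes, refuses values that do not fit in a nybble, and does the reverse split so a byte can be read back as two DVs. The function names are my own; the HP DV derivation is the standard Generation I rule and is not something the post states.

```python
# Added example, not code from the thread: Generation I DV packing/unpacking.
# Two bytes hold four 4-bit DVs: Attack/Defense and Speed/Special, with the
# first DV of each pair in the high nybble and the second in the low nybble.


def pack_dv_pair(first, second):
    """first*16 + second: the quantity to give the item that loads this byte."""
    for dv in (first, second):
        if not 0 <= dv <= 15:
            raise ValueError(f"DV {dv} is out of range 0-15: a nybble cannot hold it")
    return (first << 4) | second


def unpack_dv_byte(value):
    """Inverse: 0xD5 on the Attack/Defense byte means Attack 13, Defense 5."""
    if not 0 <= value <= 0xFF:
        raise ValueError("a DV byte is 0-255")
    return value >> 4, value & 0x0F


def dv_quantities(attack, defense, speed, special):
    """Quantities for the all-in-one code: (Lemonade qty, Awakening qty)."""
    return pack_dv_pair(attack, defense), pack_dv_pair(speed, special)


def hp_dv(attack, defense, speed, special):
    """Gen I derives the HP DV from the low bit of each other DV (Attack is the high bit)."""
    return ((attack & 1) << 3) | ((defense & 1) << 2) | ((speed & 1) << 1) | (special & 1)


if __name__ == "__main__":
    lemonade, awakening = dv_quantities(15, 10, 10, 10)
    print(f"Lemonade x{lemonade} (hex:{lemonade:02X}), Awakening x{awakening} (hex:{awakening:02X})")
    print("unpack D5 ->", unpack_dv_byte(0xD5))
    print("HP DV for 15/10/10/10 ->", hp_dv(15, 10, 10, 10))
```

Running it reproduces the 15/10/10/10 quantities given above (Lemonade x250, Awakening x170) and shows why a DV above 15 is impossible: it simply has no bit to go into.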

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Masuta Satoshi
Date: 2018-02-24 12:39:41
>> Can anyone help me?
>>
>> Is there any Arbitrary Code to control what DVs I want to change to a Pokemon? For example:
>>
>> -15/15/15/15
>> -15/10/10/10
>>
>> I've seen some videos, but they just put in the necessary items (and in different ways, so I can't find a pattern). Some examples:
>>
>> https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
>> https://www.youtube.com/watch?v=RCrzcqLEauQ
>>
>> Ty.
>
> The following codes are used to edit the DVs of box Pokemon 1.
>
> You can use
>
> 8f
> Any
> Carbos x218 (hex:DA)
> X Accuracy x178 (hex:B2)
> Lemonade xDVOne
> TM03 x55 (hex:37)
> Elixer x71 (hex:47)
> Awakening xDVTwo
> Escape Rope x121 (hex:79)
> Max Elixer x176 (hex:B0)
> Ether x119 (hex:77)
> TM01 x[Any qty]
>
> To write to the Speed/Special IVs. Then, to write to Attack/Defense IVs, toss one X Accuracy.
>
> Alternatively, you may also use this code, which writes to all DVs in one go. It takes a bit of math to use, however.
>
> 8f
> Any
> Thunderstone x177 (hex:B1)
> TM18 x4 (hex:04)
> Lemonade x#FirstNum
> Water Stone x82 (hex:52)
> Awakening x#SecondNum
> Escape Rope x121 (hex:79)
> Max Elixer x119 (hex:77)
> TM01 x[Any qty]
>
> To find the numbers, take the first DV * 16 + the second DV. For the second number, do the same with the third and fourth DVs.
>
> So
>
> 15/10/10/10
>
> …would be
>
> Thunderstone x177 (hex:B1)
> TM18 x4 (hex:04)
> Lemonade x250 (hex:FA)
> Water Stone x82 (hex:52)
> Awakening x170 (hex:AA)
> Escape Rope x121 (hex:79)
> Max Elixer x119 (hex:77)
> TM01 x[Any qty]

Thanks a lot, I'll test the results. I have some doubts: what happens if you put in numbers that surpass 16 (max DV is 15 in Generation I and II)? And…
Is it possible to make a generic ACE like the Generation II one in this video?: https://www.youtube.com/watch?v=PsIb3OZaYAs
Finally: what discussion or theme/topic do you recommend to learn about these kinds of topics? I know Generation I and II have a lot of glitches and many possibilities, and they use a hex system, but I can't understand it at all, so I can't control the game in the way I want. I don't know if I've made myself understood; thanks in advance.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2018-02-24 12:58:19
Most DVs in Generations I/II are determined by the upper and lower nybble of bytes. There are two addresses which control the Attack/Defense DV and the Speed/Special DV respectively, with the HP DV being calculated in a different way based on the other DVs.

The nybble can be read from one digit of the DV byte. For example, if this value is D5 on the Attack/Defense DV address it means an Attack DV of D (13 in decimal) and a Defense DV of 5 respectively. Since hexadecimal only ranges between 0-F (15), it isn't possible to have a DV that exceeds 15.

For generic uses, the reusable RAM writer does the trick as long as you know the RAM addresses (which can be found on Datacrystal and the Pokémon Red disassembly). For the below code Lemonade's quantity controls the value, Carbos's quantity controls the first byte of the address and X Accuracy's quantity controls the second byte of the address.

If you wanted to write 0x15 to D059 then for example (giving a Mew encounter in Red/Blue), you would need Lemonade x 0x15 (x21 in game; decimal), Carbos x 0xD0 (x208 in game) and X Accuracy x 0x59 (x89 in game).

The reusable RAM writer is made so that it resets the quantities back to x0 afterwards. As x0 is in this sense x256 you can toss 1-255 of them without destroying the stacks, and access every possible byte.

At item 3:

3E xx 26 xx 2E xx 04 77 26 D3 3E 00 2E 23 04 22 23 22 23 22 C9

Lemonade x(xx)
Carbos x(yy)
X Accuracy x(zz)
Poké Ball x119
Carbos x211
Lemonade x0
X Accuracy x35 (x34 in Yellow)
Poké Ball x34
HP Up x34
HP Up x34
TM01 x0

ld a, 00 - a (value)=xx
ld h, 00 - h (address byte 1)=yy
ld l, 00 - l (address byte 2)=zz
inc b - useless code
ld (hl),a - load a into the address (e.g. D059)
ld h, D3 - we load the address byte 1 as D3 (item quantities are in the D3XX region)
ld a, 00 - we load 'a' as 0 (quantity of 0)
ld l, 23 - l=23, now our address is D323 (item 3 quantity)
inc b - useless code
ld (hli),a - means we put 'a' in D323, and then increase the hl value to D324
inc hl -  hl value=D325
ld (hli),a - means we will load a (0) into D325 (item 4 quantity), and increase hl to D326
inc hl - hl value =D327
ld (hli),a - means we put 'a' in D327 (item 5 quantity)
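As an added example (my own code, not from the thread or any of its posters), the Python below turns an item list like the reusable RAM writer above into the byte stream the game executes, disassembles the few SM83 (Game Boy CPU) opcodes these codes use, and simulates the memory writes, so the effect of a list can be checked on paper before it is ever tried. The item IDs are the ones the thread itself uses (Lemonade 3E, Carbos 26, X Accuracy 2E, Poké Ball 04, HP Up 23, TM01 C9, plus TM34 EA and TM11 D3 from AcridBrimistic's script); the writer's fixed quantities are the Red/Blue ones listed above. The `ram_writer`, `ITEM_ID` and `OPCODES` names are my own.

```python
# Added example, not code from the thread: encode an 8F item list, decode the
# resulting bytes, and simulate the stores.  Item IDs are the thread's values.

ITEM_ID = {
    "Lemonade": 0x3E, "Carbos": 0x26, "X Accuracy": 0x2E, "Poke Ball": 0x04,
    "HP Up": 0x23, "TM01": 0xC9, "TM11": 0xD3, "TM34": 0xEA,
}

# opcode -> (mnemonic format, number of operand bytes); only the
# instructions that appear in this thread's codes are listed.
OPCODES = {
    0x3E: ("ld a,{0:02X}", 1), 0x26: ("ld h,{0:02X}", 1), 0x2E: ("ld l,{0:02X}", 1),
    0x04: ("inc b", 0), 0x77: ("ld (hl),a", 0), 0x22: ("ld (hl+),a", 0),
    0x23: ("inc hl", 0), 0xEA: ("ld ({1:02X}{0:02X}),a", 2), 0xC9: ("ret", 0),
}


def items_to_bytes(items):
    """Each item slot is two bytes in the pack: the item ID, then its quantity."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name}: quantity {qty} does not fit in one byte")
        out += bytes((ITEM_ID[name], qty))
    return bytes(out)


def disassemble(code):
    """Decode up to and including the first `ret`; unknown bytes become `db`."""
    lines, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            lines.append(f"db {op:02X}  ; not decoded by this example")
            pc += 1
            continue
        fmt, n = OPCODES[op]
        lines.append(fmt.format(*code[pc + 1:pc + 1 + n]))
        pc += 1 + n
        if op == 0xC9:
            break
    return lines


def simulate(code):
    """Track a and hl and return {address: value} for every store executed."""
    a = hl = 0
    writes = {}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == 0x3E:                       # ld a,n
            a = code[pc + 1]
            pc += 2
        elif op == 0x26:                     # ld h,n
            hl = (code[pc + 1] << 8) | (hl & 0xFF)
            pc += 2
        elif op == 0x2E:                     # ld l,n
            hl = (hl & 0xFF00) | code[pc + 1]
            pc += 2
        elif op == 0x77:                     # ld (hl),a
            writes[hl] = a
            pc += 1
        elif op == 0x22:                     # ld (hl+),a: store, then hl += 1
            writes[hl] = a
            hl = (hl + 1) & 0xFFFF
            pc += 1
        elif op == 0x23:                     # inc hl
            hl = (hl + 1) & 0xFFFF
            pc += 1
        elif op == 0xEA:                     # ld (a16),a, little-endian address
            writes[(code[pc + 2] << 8) | code[pc + 1]] = a
            pc += 3
        elif op == 0x04:                     # inc b: touches nothing we track
            pc += 1
        elif op == 0xC9:                     # ret
            break
        else:
            raise ValueError(f"opcode {op:02X} at offset {pc} is not modelled")
    return writes


def ram_writer(value, addr_hi, addr_lo):
    """The reusable RAM writer from item 3 onward, with Red/Blue quantities."""
    return [("Lemonade", value), ("Carbos", addr_hi), ("X Accuracy", addr_lo),
            ("Poke Ball", 119), ("Carbos", 211), ("Lemonade", 0),
            ("X Accuracy", 35), ("Poke Ball", 34), ("HP Up", 34), ("HP Up", 34),
            ("TM01", 0)]


if __name__ == "__main__":
    # The thread's Mew-encounter example: write 0x15 to D059.
    code = items_to_bytes(ram_writer(0x15, 0xD0, 0x59))
    print(code.hex(" ").upper())
    print("\n".join(disassemble(code)))
    print({f"{k:04X}": v for k, v in simulate(code).items()})
```

For the Mew example the simulation reports exactly four stores: 0x15 to D059, then 0 to D323, D325 and D327, which is the self-resetting behaviour described above (the three variable quantities go back to x0 while the item IDs are left alone). Running the same tool over AcridBrimistic's three-item script decodes it as `ld a,04` / `ld (D35E),a` / `ret`, i.e. a single store to D35E.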