Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 53

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Aldrasio
Date: 2018-02-28 12:32:40
I like to use this setup to arbitrarily write 2 bytes of data to any address. This code writes [AA] to XXYY and [BB] to XXYY + 1. XX goes to h, YY goes to l, so for the address 0xDAA2, you'd use [XX] = 0xDA = 218 and [YY] = 0xA2 = 162. I like this one because all of the items except the Max Revive can be purchased from the Celadon Mart, and there's a Max Revive on cycling road.



ld h, [XX]      ; Carbos x XX       -> bytes 26 XX (high byte of the target address)
ld l, [YY]      ; X Accuracy x YY   -> bytes 2E YY (low byte of the target address)
ld a, [AA]      ; Lemonade x AA     -> bytes 3E AA (first byte to write)
ld (hl+), a     ; Water Stone       -> byte 22   (writes AA to XXYY, then hl = XXYY + 1)
inc b           ; padding: the Water Stone's quantity, 4 -> byte 04
ld (hl), [BB]   ; Max Revive x BB   -> bytes 36 BB (writes BB to XXYY + 1)
ret             ; TM01 x any        -> byte C9



As an example, you can make the first Pokemon in your current box shiny by loading 0xFAAA into 0xDAB1, which would correspond to:


And so the inventory would be:

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Inkblot
Date: 2018-03-08 08:17:20
I found this code on a post about how to get a legit Mew in Pokémon Yellow. I didn't make it, but I thought I'd share as it's pretty useful.

ws# #m# / any item
ws# #m# / any item
Repel x[SpeciesIndex] {e.g. x21 = Mew}
X Speed x64
Awakening x[Level] {e.g. x5 = Lv5}
TM05 x89
Lemonade x201

(I don't know if this is the case, but since the code on this post has tm05 being 72, maybe changing it to that will make it work with 8F? Don't know about the X Speed though.)

This code is a variation of the alternate catch-em-all code, which lets you choose the level it is gifted to you at. I don't know what you would need to change to make it work in Red/Blue with 8F, but it does work in Yellow!

Credit goes to chickenstickers on Reddit. The original post can be found here: https://www.reddit.com/r/pokemon/comments/5q8zlg/getting_gen_1_mew_in_yellow_guide_does_not_work/dd7bqfp/

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-03-17 04:20:17
What I think is the fastest possible route to get 8F is as follows:
Follow the NSC route up to item underflow, but make sure the item you underflow with is X Special x 255 (buy X Special x 1 instead of one of the other items) http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Red/Blue/Glitched_No_Save_Corruption/Route

Then walk to the bottom right corner of Celadon (using the Fresh Water/Lemonade/Soda Pop you bought to trigger overflow on the way, of course), toss 254 X Specials, swap X Special x1 with Nugget x1 in slot 35, walk right till the X Special x1 is an 8F, switch 8F with the Nugget x1 again, teleport away, store 8F in the PC, and then return your inventory to normal by buying/withdrawing items. Then withdraw 8F.

Basically it's a hybrid between the NSC route and the trick to get 8F.

P.S. Thanks to Sanqui for helping me out a bit with the NSC route stuff and Brock Through Walls, which I didn't really have a grasp of before.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DocB
Date: 2018-03-19 18:55:25
I'm sorry if this is a question already solved, but I wasn't able to find anything anywhere and there are only 52 pages of this thread to check so…

I'm playing a Pokémon Yellow ITA ROM on 3DS. I got the ws m long ago, set my last box in the Slowpoke setup and prepared my items, but the ws m never worked :(

So I decided to extract the save file, put it in the VBA-M emulator and check the RAM to find the problem. I discovered that there is an offset before the ASM code, I mean:

What should it be:                What it actually is:

[0xDA7F = 0x14]                [0xDA7F = 0x00]
[0xDA80 = 0x25]                [0xDA80 = 0x00]
[0xDA81 = 0x25]                [0xDA81 = 0x00]
[0xDA82 = 0x25]                [0xDA82 = 0x00]
[0xDA83 = 0x25]                [0xDA83 = 0x00]
[0xDA84 = 0x25]                [0xDA84 = 0x14]
[0xDA85 = 0x25]                [0xDA85 = 0x25]
[0xDA86 = 0x06]                [0xDA86 = 0x25]
[0xDA87 = 0x21]                [0xDA87 = 0x25]
[0xDA88 = 0x68]                [0xDA88 = 0x25]
[0xDA89 = 0xA9]                [0xDA89 = 0x25]
[0xDA8A = 0xA9]                [0xDA8A = 0x25]
[0xDA8B = 0xA9]                [0xDA8B = 0x06]
[0xDA8C = 0xA9]                [0xDA8C = 0x21]
[0xDA8D = 0xA9]                [0xDA8D = 0x68]
[0xDA8E = 0xA9]                [0xDA8E = 0xA9]
[0xDA8F = 0xA9]                [0xDA8F = 0xA9]
[0xDA90 = 0xA9]                [0xDA90 = 0xA9]
[0xDA91 = 0xA9]                [0xDA91 = 0xA9]
[0xDA92 = 0xA9]                [0xDA92 = 0xA9]
[0xDA93 = 0x06]                [0xDA93 = 0xA9]
[0xDA94 = 0xFF]                [0xDA94 = 0xA9]
[0xDA95 = 0x25]                [0xDA95 = 0xA9]
[0xDA96 = 0x00]                [0xDA96 = 0xA9]
[0xDA97 = 0xE9]                [0xDA97 = 0xA9]
                              [0xDA98 = 0x09]
                              [0xDA99 = 0xFF]
                              [0xDA9A = 0x25]
                              [0xDA9B = 0x00]
                              [0xDA9C = 0xE9]


Well, they're all a bunch of nops, so I don't think that this could be a problem; the real problem IMHO is that there is an offset also for the items. For example, I was trying to use this code

ws m
Item
Burn Heal  x43
Ice Heal    x43
Full Heal    x201

What should it be:                What it actually is:

[0xD322 = 0x0C]              [0xD322 = 0x63]  <- the wsm, so it starts from the first element of the bag
[0xD322 = 0x2B]              [0xD323 = 0x01]
[0xD324 = 0x0D]              [0xD324 = 0x05]
[0xD325 = 0x2B]              [0xD325 = 0x01]
[0xD32A = 0x34]              [0xD326 = 0x0C]
[0xD32B = 0xC9]              [0xD327 = 0x2B]
                              [0xD328 = 0x0D]
                              [0xD329 = 0x2B]
                              [0xD32A = 0x34]
                              [0xD32B = 0xC9]


Also the disassembler of the emulator says that [0xDA9C = 0xE9] is a LD PC,HL instead of a JP HL.
But maybe it's just the same (I never heard of LD; I usually program on other hardware) or it's just the disassembler…

Can you please help me?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-03-19 21:25:19
Very, very simple code to give you 0 of the item in the second slot

from slot 1:
8f
item you want 0 of
Lemonade x 1
soda pop x 234
thunderstone x 211
tm01 x any


ld a, $01       ; Lemonade x1                       -> bytes 3E 01
dec a           ; Soda Pop                          -> byte 3D   (a = 0)
ld ($d321), a   ; Soda Pop x234, Thunderstone x211  -> bytes EA 21 D3 (quantity of slot 2)
ret             ; TM01 x any                        -> byte C9


All the items are buyable at the Celadon department store and can be cloned easily to get the amounts you need.

All fly locations (in case you skipped any to get 8F early, such as using BTW to rush to it)

from item 3:
Lemonade x 255
TM34 x 11
TM15 x 234
Burn heal x 215
tm01 x any


ld a, $FF       ; Lemonade x255                  -> bytes 3E FF
ld ($d70b), a   ; TM34 x11, TM15                 -> bytes EA 0B D7
ld ($d70c), a   ; TM15 x234, Burn Heal x215      -> bytes EA 0C D7
ret             ; TM01 x any                     -> byte C9


Though you'd probably just want to use Aldrasio's 2 byte writer to write the 2 consecutive bytes anyway. *Shrug*

Note this sets both flyable location bytes to ff (i.e. d70b = ff, d70c = ff), but the regular value to unlock all locations is ff 07 (d70b = ff, d70c = 07). However, with valid bytes activated in d70c it seems to ignore the unused locations regardless. If you wanted to be really thorough and write ff 07 you would have to ld a,07 after the ld ($d70b),a, but at that point it's definitely better to just use Aldrasio's 2 byte writer.

Though for something as simple as writing 2 consecutive bytes you would probably rather just use the two byte writer by Aldrasio above.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-03-20 00:16:46
Opcode 0xE9 is `jp hl`, as per the most recent spec. `jp [hl]` is an old syntax, and `ld pc, hl` is another way to write it… but it's really stupid.

As for the offset, that's a specificity of EU versions, which have a +5 offset everywhere. Please refer to this post on our wiki for an EU-compatible box setup.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-03-20 00:58:20

Well, just decided to quickly code something for 8F…

CHANGE ANY BYTE IN RAM TO ANYTHING
(or, pseudo-GameShark in software)

This code uses only 5 basic items, and will easily allow you to modify any byte in RAM one wants to.

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

ASM:
D322: 3E xx        ld a, xx
D324: 2E xx        ld l, xx
D326: 26 xx        ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: 3C            inc a
D32B: C9            ret


So, for GameShark code 011559D0, which would encounter a Mew after you close the menu (and yes, this is the one I tested it with, on a real cart no less), use the following item list:

Item 1: any item (but I guess you'd want Master Balls here for this example!)
Item 2: 8F
Item 3: Lemonade, quantity 21
Item 4: X Accuracy, quantity 89
Item 5: Carbos, quantity 208
Item 6: Poké Ball, quantity 119
Item 7: Fresh Water, quantity 201

By the way, since no address is hardcoded, this *should* work on Yellow too; but I haven't tested it there. (obviously the example posted above won't!)


Why not TM01 x any rather than Fresh Water x201? You don't need the inc a instruction, and TM01 is buyable at Celadon too - you don't even have to dupe it!

Item 1: any item
Item 2: 8F
Item 3: Lemonade, quantity (byte to change to, or 2nd byte of GScode)
Item 4: X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Item 5: Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Item 6: Poké Ball, quantity 119
Item 7: TM01 x any

D322: 3E xx        ld a, xx
D324: 2E xx        ld l, xx
D326: 26 xx        ld h, xx
D328: 04            inc b
D329: 77            ld (hl), a
D32A: c9            ret
D32B: anything            not read as code because already returned


Edit: you can also get the 4 glitch item (id $77) and cut out the pokeballs of course. But dealing with glitch items is annoying.

Item 1: any item x any qty
Item 2: 8f
Item 3: lemonade x XX
Item 4: X Accuracy x XX
Item 5: Carbos x XX
Item 6: 4 x 201


ld a,xx
ld l,xx
ld h,xx
ld (hl),a
ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-03-20 02:03:56
Another writer for writing consecutive bytes! Based off of Wack0's write-to-any-byte code. This is for people like me who have trouble keeping track of their map coordinates (for the old coordinate-based memory writer) or step count (for the newer step-counter-based memory writer) when writing a memory editor in. Here, you can see exactly what you are writing and the addresses you are writing to (ZZYY, or: number of Carbos in slot 5, number of X Accuracy in slot 4). Only problem is that you can't increase the high byte automatically, so you would still have to do so manually (I'd say it could be modified to automatically detect when to increase the high byte, but I haven't gotten around to it and it might require more items than we can hold normally, meaning we'd have to underflow). However this doesn't matter if you're writing less than 256 bytes (e.g. writing either version of TheZZAZZGlitch's memory editor).

from slot 3

lemonade x XX
X accuracy x YY
Carbos x ZZ
pokeball x 119
Burn heal x 125
Fresh water x 234
Iron x 211
Lemonade x 0
TM34 x 35
TM 11 x 201


;write XX to ZZYY

ld a, XX ;lemonade x XX (amount writing). bytes: 3E XX
ld l, YY ;X Accuracy x YY (low byte of address). Bytes: 2E YY
ld h, ZZ ;Carbos x ZZ (high byte of address) Bytes: 26 ZZ
inc b  ; pokeball (padding) Bytes: 04
ld (hl), a ; quantity of pokeballs (119) Bytes: 77
inc c ; burn heal (padding) Bytes: 0C

;inc quantity of item 4 by 1, thus increasing the low byte to the next one in sequence
ld a,l ;quantity of burn heal (125) bytes: 7D
inc a ; fresh water bytes: 3C
ld ($d325),a ; quantity of fresh water (234), Iron x 211 bytes: EA 25 D3

;set quantity of item 3 to 0 to allow to get any amount!
ld a, 00 ; lemonade x 00 bytes: 3E 00
ld ($d323),a ;TM34 x 35, TM11. bytes: EA 23 D3
ret ; TM11 quantity (201) bytes: c9


Bytes (if you want to write them using a memory editor, say, in bgb)

3E XX 2E YY 26 ZZ 04 77 0C 7D 3C EA 25 D3 3E 00 EA 23 D3 C9


So to write ISSOtm's version of theZZAZZglitch's memory editor (https://forums.glitchcity.info/index.php?topic=8200.0) you'd start with

lemonade x 229 (229 = $E5, the byte to write at DB01)
X accuracy x 1
Carbos x 219
pokeball x 119
Burn heal x 125
Fresh water x 234
Iron x 211
Lemonade x 0
TM34 x 35
TM 11 x 201

Use 8F, which would write the value, set the quantity of Lemonades to 0 and increase the quantity of X Accuracies by 1, to 2. Toss Lemonades until you had 17 (hex 11), use 8F, etc. etc.
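As an added example (not code from the thread or its posters), here is a small Python model of the handful of Game Boy CPU opcodes these item writers use, run over a constructed bag laid out at the Red/Blue addresses the posts rely on: item/quantity pairs from $D31E, 8F in slot 2, so execution enters at slot 3's item byte at $D322. It covers Aldrasio's two-byte writer, the GameShark-style any-byte writer and the consecutive-byte writer above; the item ids (including 8F as $5D) are taken from the Gen 1 item table and the bag contents are constructed, not captured from a save.

```python
BAG, ENTRY = 0xD31E, 0xD322   # bag item/qty pairs start here; with 8F in slot 2, code enters at slot 3
ITEM = {"8F": 0x5D, "Poke Ball": 0x04, "Burn Heal": 0x0C, "Water Stone": 0x22,   # Gen 1 item ids;
        "Iron": 0x25, "Carbos": 0x26, "X Accuracy": 0x2E, "Max Revive": 0x36,    # every id and qty
        "Fresh Water": 0x3C, "Lemonade": 0x3E, "TM01": 0xC9, "TM11": 0xD3, "TM34": 0xEA}  # is an opcode byte

def bag_to_memory(items):
    """Lay (item, qty) pairs into a dict-backed RAM the way the game stores the bag."""
    mem, addr = {}, BAG
    for name, qty in items:
        mem[addr], mem[addr + 1] = ITEM[name], qty & 0xFF
        addr += 2
    mem[addr] = 0xFF                                       # list terminator
    return mem

def run(mem, pc=ENTRY):
    """Execute from pc until ret; only the opcodes the thread's payloads use are modelled."""
    a = h = l = 0
    rd = lambda x: mem.get(x, 0)
    while True:
        op, hl = rd(pc), (h << 8) | l
        if op == 0x3E:   a, pc = rd(pc + 1), pc + 2            # ld a, n
        elif op == 0x2E: l, pc = rd(pc + 1), pc + 2            # ld l, n
        elif op == 0x26: h, pc = rd(pc + 1), pc + 2            # ld h, n
        elif op in (0x04, 0x0C): pc += 1                       # inc b / inc c: padding, result unused
        elif op == 0x3C: a, pc = (a + 1) & 0xFF, pc + 1        # inc a
        elif op == 0x7D: a, pc = l, pc + 1                     # ld a, l
        elif op == 0x77: mem[hl] = a; pc += 1                  # ld (hl), a
        elif op == 0x36: mem[hl] = rd(pc + 1); pc += 2         # ld (hl), n
        elif op == 0x22:                                       # ld (hl+), a
            mem[hl] = a; h, l = ((hl + 1) >> 8) & 0xFF, (hl + 1) & 0xFF; pc += 1
        elif op == 0xEA: mem[rd(pc + 1) | (rd(pc + 2) << 8)] = a; pc += 3  # ld (nn), a
        elif op == 0xC9: return mem                            # ret
        else: raise ValueError(f"unsupported opcode {op:02X} at {pc:04X}")

def any_byte_writer(code):
    """Azarokkusu's 5-item any-byte writer (TM01 variant) fed a GameShark code 01vvllhh."""
    vv, lo, hi = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    bag = [("TM01", 1), ("8F", 1), ("Lemonade", vv), ("X Accuracy", lo),
           ("Carbos", hi), ("Poke Ball", 119), ("TM01", 1)]
    return run(bag_to_memory(bag))

def consecutive_writer(xx, yy, zz):
    """Consecutive-byte writer: xx -> zzyy, slot 3 qty -> 0, slot 4 qty -> yy + 1."""
    bag = [("TM01", 1), ("8F", 1), ("Lemonade", xx), ("X Accuracy", yy),
           ("Carbos", zz), ("Poke Ball", 119), ("Burn Heal", 125),
           ("Fresh Water", 234), ("Iron", 211), ("Lemonade", 0),
           ("TM34", 35), ("TM11", 201)]
    mem = run(bag_to_memory(bag))
    return mem[(zz << 8) | yy], mem[0xD323], mem[0xD325]   # written byte, slot 3 qty, slot 4 qty
```

Running `consecutive_writer(229, 1, 219)` reproduces the memory-editor bootstrap step described above: $E5 lands at $DB01, the Lemonade count drops to 0 and the X Accuracy count steps to 2, ready for the next byte.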

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DocB
Date: 2018-03-20 10:17:24

Opcode 0xE9 is `jp hl`, as per the most recent spec. `jp [hl]` is an old syntax, and `ld pc, hl` is another way to write it… but it's really stupid.

As for the offset, that's a specificity of EU versions, which have a +5 offset everywhere. Please refer to this post on our wiki for an EU-compatible box setup.


Thank you for the reply. I followed that bootstrap before posting my question, but I wrongly didn't put a 10th Pokémon in the box so… :-[
Now it works pretty well, but it's a pretty uncomfortable setup on the 3DS for me. Is there a way to edit the Slowbro setup to jump to 0xD326? (I don't know if this bootstrap actually does this, because the disassembler has no debug function, so no interrupt function…)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-03-20 10:47:25
If you need a disassembler (and a proper emulator), use BGB.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: DocB
Date: 2018-03-20 13:25:24
Thank you dude, that's awesome
If someone like me already set the box in the Slowpoke setup and plays the EU non-English version, you just have to switch Growlithe [0xDA87 = 0x21] with Kadabra [0xDA87 = 0x26].

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xavi
Date: 2018-03-21 03:57:33
I posted in a wrong thread, I think it is the correct one.

My first wish was to have a legal shiny Mew for Crystal. I have no 3DS. But looking for arbitrary code, I discovered the "legitimisation" and I said to myself "let's try it". And if it's possible, share the Mew with friends that have a 3DS.


I was trying to legitimise Mew in a Spanish version of Red, and it didn't work. I tried the same in an English version and it worked fine.

Party: 1. Mew, 2. Pidgey with 233 CURRENT HP (Max HP doesn't matter), 3. Parasect, 4. Onix, 5. Tentacool, 6. Arbok

Set up your bag as follows: 1. 8F, 2. Any item x89, 3. Dire Hit x58, 4. Iron x37, 5. X Accuracy x119, 6. Water Stone x62, 7. Burn Heal x50, 8. Poké Ball x43, 9. Antidote x43, 10. Protein x62, 11. PP Up x60, 12. Ice Heal x50, 13. Lemonade x133, 14. Great Ball x50, 15. Fresh Water x34 16. TM01 x[any #]

This is the combination I used; all that happened is that Mew's Pound became Guillotine.

I tried it following https://glitchcity.info/wiki/Arbitrary_code_execution#Using_7eme_etage_.2F_P7_.2F_S7_.28French_.26_Italian_.2F_Spanish_.2F_German_Red.2FBlue.29 to change Onix for a Graveler and for a Fearow, but nothing happened.

Can someone help me? Thanks!


I also shinied the Mew in a USA Red version. The settings don't work in the Spanish version. What's the difference? Is there any way to translate from English to Spanish?

Thank you.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-03-21 06:27:03
The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xavi
Date: 2018-03-21 18:26:56

The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.

I know I need to modify the items, but in what way?
Quoting myself: "Is there any way to translate from English to Spanish?"

I'm a n00b in ACE. I understand it exploits the 8 bits of the game and I can copy the item and Pokémon setup, but not create them or understand how they are done.

Thank you.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-03-22 01:53:26
I'll try to help you as soon as I have a moment :)

(But for the future you should try to learn some basics :))