Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary code execution in Red/Blue using the "8F" item - Page 54

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Marv231
Date: 2018-03-25 16:55:06


The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.

I know I need to modify the items, but in what way?
Quoting myself: "Is there any way to translate from English to Spanish?"

I'm a n00b at ACE; I understand it exploits the 8 bits of the game and that I can copy the item and Pokémon setup, but not create them or understand how they are done.

Thank you.


To make your Item Setup work, add 5 X-Accuracy to the stack, so you have 124 of them.

https://pastebin.com/JBjzuGeS

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: maskedkoopa
Date: 2018-04-01 04:39:01
Heya, is it possible to create a code which fills your first box with a Pokémon (preferably all shiny but that's probs asking too much), or would that take too much space in the bag to do?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-04-01 05:47:06
Depends. If you only want to duplicate a Pokémon, it's doable, otherwise, it's not possible.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: spamviech
Date: 2018-04-01 07:25:35

Heya, is it possible to create a code which fills your first box with a Pokémon (preferably all shiny but that's probs asking too much), or would that take too much space in the bag to do?


luckytyphlosion made one, but it requires a bit more setup than just item code.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-04-01 08:24:26

Depends. If you only want to duplicate a Pokémon, it's doable, otherwise, it's not possible.


It'd be much easier to have a code that just transformed all the Pokémon already in the box into a shiny version of a Pokémon, rather than actually creating each Pokémon from scratch, too. Basically you catch a box full of any Pokémon, then transform them with 8F.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: maskedkoopa
Date: 2018-04-01 11:20:01
My main aim here is to have the first box filled with shiny Mewtwos; they can be duplicates for all I care. The issue right now is that I have to manually make them all shiny and manually use the get-Pokémon code and whatnot. If I can clone an existing Pokémon into every slot in box 1, that works too.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Xavi
Date: 2018-04-03 05:59:31



The Pokémon setup isn't the cause (nothing / a crash would have happened if it was wrong). The item setup needs to be modified to account for the memory address change in EU versions.

I know I need to modify the items, but in what way?
Quoting myself: "Is there any way to translate from English to Spanish?"

I'm a n00b at ACE; I understand it exploits the 8 bits of the game and that I can copy the item and Pokémon setup, but not create them or understand how they are done.

Thank you.


To make your Item Setup work, add 5 X-Accuracy to the stack, so you have 124 of them.

https://pastebin.com/JBjzuGeS


Thank you, it worked.
What about making them shiny?
I tried adding x5 to both X-Accuracy stacks but it didn't work. (I get the IVs 13, 0, 13, 0 instead.) Can someone help me?
Thanks and sorry for the inconvenience.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: maskedkoopa
Date: 2018-04-03 07:54:42
Actually, now that I think about it, an option that would be better is if I could dupe the contents of another box into box 1, since that's just copying one existing set of data to another. OFC idk if that's actually how it works…

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Masuta Satoshi
Date: 2018-04-04 20:41:21


Can anyone help me?

Is there any arbitrary code to control what DVs I want to change on a Pokémon? For example:

-15/15/15/15
-15/10/10/10

I've seen some videos but they just put the necessary items (and in different ways, so I can't find a pattern). Some examples:

https://www.youtube.com/watch?v=H8AgGp5cqPI&t=308s
https://www.youtube.com/watch?v=RCrzcqLEauQ

Ty.


The following codes are used to edit the DVs of box Pokémon 1.

You can use

8f
Any
Carbos x218 (hex:DA)
X Accuracy x178 (hex:B2)
Lemonade xDVOne
TM03 x55 (hex:37)
Elixer x71 (hex:47)
Awakening xDVTwo
Escape Rope x121 (hex:79)
Max Elixer x176 (hex:B0)
Ether x119 (hex:77)
TM01 x[Any qty]

to write to the Speed/Special IVs. Then, to write to the Attack/Defense IVs, toss one X Accuracy.

Alternatively, you may also use this code, which writes to all DVs in one go. It takes a bit of math to use, however.


8f
Any
Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x#FirstNum
Water Stone x82 (hex:52)
Awakening x#SecondNum
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

To find the numbers, simply take the first DV * 16 + the second DV. For the second number, do this with the third and fourth DVs.

So

15/10/10/10

…would be

Thunderstone x177 (hex:B1)
TM18 x4 (hex:04)
Lemonade x250 (hex:FA)
Water Stone x82 (hex:52)
Awakening x170 (hex:AA)
Escape Rope x121 (hex:79)
Max Elixer x119 (hex:77)
TM01 x[Any qty]

It's me again. Thanks for this information. I was able to manipulate at 100% and now I have all 151 Pokémon with max DVs; sometimes I make the DVs 15/10/10/10 so I could get a shiny when I trade to Gen II, but I am already using the Coin Case glitch there, so I was just checking.

I noticed there are different ACEs but the order of items is the same. At least I'm using Pidgey with 233 current HP, Paras, Onix, Tentacool and Kangaskhan in my party in that order. In Yellow, I had to fill a box with Slowpokes, Voltorb, Jolteon and Geodudes to manipulate the DVs of the first Pokémon in my party; I'm wondering if there will be a simpler ACE in Yellow with ws&m.

Before I forget, can someone pass me the list of items to get max stat experience in every DV using 8F?

Before you answer all my doubts, thanks in advance. I really appreciate your support.

EDIT: And is there any item setup to make a Pokémon level 100 instead of training or using Rare Candies? And any item setup to make any item x255 without using the Missingno glitch? I already have the setup to get any item I want (transform the second item into another item with the next index number), but I watched a video using ws&m to get x255 of the second item; what about 8F?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Azarokkusu
Date: 2018-04-11 07:36:20
Enemies constantly have 0 HP (instantly fainting enemy Pokémon) in R/B. In two parts:

inventory (from item 3):
awakening x 128
lemonade x 195
carbos x 59
repel x 213
tm26 x 12
great ball x 124
tm26 x 12
fresh water x 123
tm26 x 201
(any items can be from here on)


ld c,$80
ld a,$C3
ld h,$3b
ld e,$d5
ld ($FF00+c),a
inc c
inc bc
ld a,h
ld ($FF00+c),a
inc c
inc a
ld a,e
ld ($FF00+c),a
ret


Stored items: (from stored item 1):
Thunderstone x 230
TM07 x 54
Master Ball x 53
poke ball x 44
max revive x 1
revive x 201
(any items can be from here on)


ld hl,$cfe6
ld (hl),$01
dec (hl)
inc b
inc l
ld (hl),$01
dec (hl)
ret


Basically, the boxed items are the code that sets $cfe6=0 and $cfe7=0, and the inventory items set $ff80 through $ff82 so it jumps to the boxed items, meaning the code in the boxed items is executed every frame (OAM DMA hijacking).

The boxed item code is intentionally padded so you don't have to have two stacks of the same item in the box, because that can get messy if you aren't careful.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-04-11 12:09:16
The problem with this code is that sprites will cease to be updated. Here's a replacement:

Carbos x255 (hex:FF)
X Accuracy x128 (hex:80)
Lemonade x205 (hex:CD)
Water Stone x62 (hex:3E)
Max Repel x60 (hex:3C)
Fresh Water x34 (hex:22)
Parlyz Heal x198 (hex:C6)
Super Repel x34 (hex:22)
Awakening x13 (hex:0D)
Poké Ball x129 (hex:81)
Great Ball x34 (hex:22)
TM01 x[Any qty]


Box items:

Awakening x70
Thunderstone x230
TM07 x175
Water Stone x34
Lemonade x195
TM01 x[any qty]



Code:

ld h, $FF
ld l, $80
ld a, $CD
ld [hli], a
ld a, $39
inc a
inc a
ld [hli], a
rrca ; a = $9D
add a, $38 ; a = $D5
ld [hli], a
ld c, $0D
inc b
add a, c
inc bc
ld [hli], a
ret

; Code written :
; call D53B (wBoxItems)
; ld [c], a
; CD 3B D5 E2

Box items:

ld c, $46
ld hl, $CFE6
xor a
ld [hli], a
ld [hli], a
ld a, $C3
ret



Btw, here are some precautions that must be taken while this is active:

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: lel
Date: 2018-04-12 12:22:01

I noticed there are different ACEs but the order of items is the same. At least I'm using Pidgey with 233 current HP, Paras, Onix, Tentacool and Kangaskhan in my party in that order. In Yellow, I had to fill a box with Slowpokes, Voltorb, Jolteon and Geodudes to manipulate the DVs of the first Pokémon in my party; I'm wondering if there will be a simpler ACE in Yellow with ws&m.


There are other somewhat easier ones in my opinion. Rather than the filled box, you could use the other one in the OP, which is only 10 Pokémon (most of which aren't too hard to catch).

You can also use 4F, which isn't awful. https://forums.glitchcity.info/index.php?topic=8056.0 . (Note below that I think Krys got an address wrong here).

Another possible bootstrap for 4F would be this one I came up with a few nights ago, which I think is a lot better because it allows you to get everything required without any glitches (because I don't think it's possible to get a Nidorina unevolved from a NidoranF without Ditto glitch):

Put in daycare a Hitmonlee with these moves (you can take it out afterward if you want):
* Any move.
* Any move that won't crash the game when used on its own (I use Meditate for this).
* Double Kick.
* Mega Kick.

Then you just need to box:
* Any pokemon with current pp as follows:
1) Any PP
2) 33
3) 33 (you can do this method in Red/Blue too, but if you do you just need to change this to 34)
4) 19 with 3 PP Up used
* Clefairy (or anything else that won't crash the game or alter h or l registers) at 233 hp
* Anything
* Tentacool
* Parasect

Unless both BGB and the disassembly are giving me the wrong values (and believe me, I've double-checked myself on this more than 20 times to make absolutely sure), the value at DA64 is *not* the catch rate of the Daycared Pokémon, it's the secondary type of the Daycared Pokémon. Since Krys was using Nidorinas, the opcode executed was "inc bc" because Nidorina has type POISON POISON, so DA64=03. This meant that nothing of interest happened and the next byte was executed, which was the catch rate, which is why assuming it jumped to the catch rate didn't have any harmful effects. I use a Hitmonlee because it's convenient and learns the moves we need pretty easily, but I think a ton more Pokémon will work as a result, because if you use Fighting type, that's 01, which means that it eats the next two bytes, the catch rate and the first move. (And other types presumably could be used for other effects. I'm not a fan of the type constants, so I'm not looking any further than this.)

So here's the ASM for this:
WRA1:DA64: 01 2D 1B ld bc,$1B2D
WRA1:DA67: 60 ld h,b
WRA1:DA68: 24 inc h
WRA1:DA69: 18 19 jr DA83
WRA1:DA83: 18 2E jr DAB3
WRA1:DAB3: 21 21 D3 ld hl,D321
WRA1:DAB6: 04 inc b
WRA1:DAB7: 00 nop
WRA1:DAB8: E9 jp [hl]


I mean unless BGB's debugger is giving me the wrong information and I'm counting in the disassembly wrong. But it works when I do it. And the breakpoints I'm setting claim that the things being executed are the things I'm saying are being executed.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: HumptyAce
Date: 2018-04-12 19:46:34
Hello everyone, I'm new here, and it's now been a while since I started experimenting with ACE. I'd like to step up my knowledge a bit as I'm not much of a programmer myself, and it's very hard for me to follow everything you guys say here.
My goal was to make a setup to be used with ws m in US Yellow to set the text speed to 0 (and yes, I know with item underflow this would probably be easier, but oh well).
At first I thought I'd use the "standard" GameShark->ACE conversion to get to the setup, but can't find any code that does that in Yellow. How would I have to proceed? How do I locate the correct part of RAM to edit? Is there some kind of register dump of the game?
Again, sorry if I'm asking something obvious but again, I'm pretty much new to this stuff :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: lel
Date: 2018-04-12 20:20:23

At first I thought I'd use the "standard" GameShark->ACE conversion to get to the setup, but can't find any code that does that in Yellow. How would I have to proceed? How do I locate the correct part of RAM to edit? Is there some kind of register dump of the game?
Again, sorry if I'm asking something obvious but again, I'm pretty much new to this stuff :)


There is! There's a complete disassembly of the game at https://github.com/pret/pokeyellow. This contains literally everything in the entire game (you can use an assembler and turn this disassembly into a perfect, bootable ROM, so it sorta by definition has everything).

Then there's the perhaps more user friendly but somewhat less complete RAM map at https://datacrystal.romhacking.net/wiki/Pokémon_Red/Blue:RAM_map. It's for Red and Blue, though, but it works for Yellow because most Yellow RAM addresses are exactly 1 less than those in Red/Blue. So if it says the third bag item is D322 in this list, it actually is D321 in Yellow.

So I just control+f'd "text speed" in there, and found that D355 is options, which means $D354 in Yellow. So if you look at that, it says the lower nibble is the text speed, which means the last 4 bits of the byte, which effectively means if you're representing each byte as a two-digit hex number, the second digit of that hex number is the text speed. It also says that lower numbers in this nibble are faster.

In my current settings, it's set to C1. That is the fastest you can set it by default, because, as you see, the second digit in that is 1. But we could always use ACE to set it to 0, so it would say C0 there.

So you'd wanna do something like this:

* ws m or something
* ws m or something
* lemonade x 64
* tm34 x 85
* tm11 x 201

That's:
WRA1:D321: 3E 40 ld a,$40
WRA1:D323: EA 55 D3 ld [$D355],a
WRA1:D326: C9 ret


This is what you're talking about, right? If you're talking about like bootstraps to even make ws m work, then there are some in the OP, or you could use like 4F or something using the Krys3000 bootstrap or the one I just posted a few hours ago in this thread.

Really, if you want to get started making your own ACE scripts, you just gotta know like the absolute basics about gb z80 asm (really just what the registers are and what the most common mnemonics are and how to use them, like "ld", "ret", "jp", "jr", "inc", "dec", you'll pick up more as you go along) and just sort of know how to find a particular RAM/ROM address in a RAM/ROM map or the disassembly. You'll pick up more after that, but that's enough to get started understanding how a lot of the stuff in this thread works.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: HumptyAce
Date: 2018-04-12 20:34:47
That's exactly what I needed, I don't know how to thank you. I'll get to work and let you know if I come up with something at least fun, 'cause it probably won't be any use. 8)