Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 57

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2018-10-01 06:23:57
There is a Daycare cloning script, which is easy to set up. Store the Pokemon you want to clone into the Daycare, take it out, use 8F, take it out again, repeat to infinity.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-01 13:31:00

There is a Daycare cloning script, which is easy to set up. Store the Pokemon you want to clone into the Daycare, take it out, use 8F, take it out again, repeat to infinity.


The problem with that is the daycare reduces your Pokémon's EXP to the bare minimum needed to be at a given level once you take it out, at least according to Bulbapedia. Is there a way to remedy this EXP storage issue? If not, then the only advantage it has over just using the Catch Em All scripts is that it presumably stores the mon's moves, which does help, since what I need is an army of Mega Kick Snorlaxes, in the hopes that one of them has a Speed IV of 0 on transfer for Trick Room purposes.

Something like ld hl,a16 ; ld a,(hl) ; sub d8 ; ld (hl),a will do the trick if you want to remove less than 256.


That'll work, since I only care about the last two digits of the EXP. What does that translate into in terms of items?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-10-01 13:48:00
Well, I don't have much time to work on it and test it, but I guess that, starting from item 3, if the Pokémon to edit is in the first slot of the PC,

Thunderstone x166
TM18 x126
TM14 x(Exp to remove)
Poké Ball x119
TM01 x[Any qty]

May remove (Exp to remove) from this Pokémon.

Corresponding ASM is
WRA1:D322 21 A6 DA        ld  hl,DAA6
WRA1:D325 7E              ld  a,(hl)
WRA1:D326 D6 01           sub  a,(Exp to remove)
WRA1:D328 04              inc  b
WRA1:D329 77              ld  (hl),a
WRA1:D32A C9              ret 

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-01 13:58:20

Well, I don't have much time to work on it and test it, but I guess that, starting from item 3, if the Pokémon to edit is in the first slot of the PC,

Thunderstone x166
TM18 x126
TM14 x(Exp to remove)
Poké Ball x119
TM01 x[Any qty]

May remove (Exp to remove) from this Pokémon.

Corresponding ASM is
WRA1:D322 21 A6 DA        ld  hl,DAA6
WRA1:D325 7E              ld  a,(hl)
WRA1:D326 D6 01           sub  a,(Exp to remove)
WRA1:D328 04              inc  b
WRA1:D329 77              ld  (hl),a
WRA1:D32A C9              ret 



Thanks, although I want to add EXP rather than remove it. Can I use some other item in place of TM14 to do that?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-10-01 14:52:30
Then sub a,d8 has to be replaced by add a,d8 (hex: C6, which is HM03). It's annoying because you won't see its quantity. There are plenty of workarounds you can think of to fix this, but I still think it's a better idea to make a code that replaces the last byte of exp with the value you want instead of adding to the current exp, don't you think?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-01 15:03:39

Then sub a,d8 has to be replaced by add a,d8 (hex: C6, which is HM03). It's annoying because you won't see its quantity. There are plenty of workarounds you can think of to fix this, but I still think it's a better idea to make a code that replaces the last byte of exp with the value you want instead of adding to the current exp, don't you think?


Ah, good point. HM03 would be iffy to work with, but I can simply shift its index to something that isn't a key item, manipulate the quantity to what I need, then shift it back to HM03. Or just have the HM03 item quantity be 1 and activate the script 9 times, since I only need exactly 9 EXP added. But yeah, replacing the byte instead of adding/subtracting is probably less of a hassle, so how would you go about that?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-10-01 15:33:13
What about this, to give (Exp) as the last byte of exp for stored Pokémon 1 in English games:

Thunderstone x166
TM18 x4
Max Revive x(Exp)
TM01 x[Any qty]

It translates into:

WRA1:D322 21 A6 DA        ld  hl,DAA6
WRA1:D325 04              inc  b
WRA1:D326 36 (Exp)        ld  (hl),(Exp)
WRA1:D328 C9              ret


On a much more theoretical note, if I understand correctly how conditional returns work, code like this:

WRA1:D322 21 A6 DA        ld  hl,DAA6
WRA1:D325 01 2C 00        ld  bc,002C
WRA1:D328 3E (Exp)        ld  a,(Exp)
WRA1:D32A 16 (Nb)         ld  d,(Nb)
WRA1:D32C 77              ld  (hl),a
WRA1:D32D 09              add  hl,bc
WRA1:D32E 15              dec  d
WRA1:D32F C8              ret  z
WRA1:D330 C3 2C D3        jp  D32C


With (Nb) as the number of Pokémon to change in the box, this would give that exp to that many Pokémon, starting with Pokémon 1. But in this form it would use many glitch items, so this is something that can be worked on.
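As an added check that is not part of the thread and not anyone's posted code: the script below turns a bag item list into the bytes 8F executes, disassembles the small opcode subset these payloads use, and dry-runs the result on a fake WRAM image, so a payload can be verified before the items are arranged. It covers both the single-write (Max Revive) version and the conditional-return loop above. Assumptions are stated in the comments: the item IDs are the Red/Blue IDs of the items named in this thread, $D322 is where 8F starts executing (bag item 3), $DA96 is the first stored Pokémon of the current box, and 0x21 / 0x2C are the box and party structure sizes as laid out in the pokered disassembly.

```python
"""Added check for the 8F payloads above (not from the thread): assemble
an item list into bytes, disassemble it, and dry-run it on fake WRAM."""

# Red/Blue item IDs for the items named in this thread (item ID == opcode byte).
ITEM_IDS = {
    "Master Ball": 0x01, "Poké Ball": 0x04, "Pokédex": 0x09,
    "BoulderBadge": 0x15, "CascadeBadge": 0x16, "Thunderstone": 0x21,
    "Max Revive": 0x36, "Lemonade": 0x3E, "RB:119": 0x77, "RB:195": 0xC3,
    "HM03": 0xC6, "HM05": 0xC8, "TM01": 0xC9, "TM14": 0xD6, "TM18": 0xDA,
}
CODE_START = 0xD322     # 8F starts executing at bag item 3 (assumed, as in the thread)
BOX_MON_1 = 0xDA96      # wBoxMon1, first stored Pokémon of the current box (pokered)
BOX_MON_SIZE = 0x21     # 33-byte box_struct (assumed from the pokered disassembly)
PARTY_MON_SIZE = 0x2C   # 44-byte party_struct, the stride the loop above uses
EXP_LOW = 0x10          # offset of the low Exp byte inside either struct ($DAA6 for mon 1)


def items_to_bytes(items):
    """Each bag slot is (item ID, quantity): two consecutive bytes in WRAM."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 255:
            raise ValueError(f"{name} x{qty}: quantity must fit in one byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)


# opcode -> (mnemonic template, operand byte count); only what these payloads need
OPCODES = {
    0x01: ("ld bc,{d16}", 2), 0x04: ("inc b", 0), 0x09: ("add hl,bc", 0),
    0x15: ("dec d", 0), 0x16: ("ld d,{d8}", 1), 0x21: ("ld hl,{d16}", 2),
    0x36: ("ld (hl),{d8}", 1), 0x3E: ("ld a,{d8}", 1), 0x77: ("ld (hl),a", 0),
    0x7E: ("ld a,(hl)", 0), 0xC3: ("jp {d16}", 2), 0xC6: ("add a,{d8}", 1),
    0xC8: ("ret z", 0), 0xC9: ("ret", 0), 0xD6: ("sub a,{d8}", 1),
}


def disassemble(code, base=CODE_START):
    """Linear disassembly as (address, hex bytes, text); stops at an unconditional ret."""
    pc, lines = 0, []
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} at {base + pc:04X} is not in the table")
        text, size = OPCODES[op]
        raw = code[pc:pc + 1 + size]
        if size == 1:
            text = text.format(d8=f"${raw[1]:02X}")
        elif size == 2:
            text = text.format(d16=f"${raw[2]:02X}{raw[1]:02X}")  # little-endian operand
        lines.append((base + pc, " ".join(f"{x:02X}" for x in raw), text))
        pc += 1 + size
        if op == 0xC9:
            break
    return lines


def run(code, mem, base=CODE_START, max_steps=10_000):
    """Dry-run the opcode subset on a 64 KiB bytearray; returns the (addr, value) writes."""
    mem[base:base + len(code)] = code      # 8F executes straight out of the bag
    a = b = c = d = hl = 0
    z, pc, writes = False, base, []
    for _ in range(max_steps):
        op, d8 = mem[pc], mem[pc + 1]
        d16 = mem[pc + 1] | (mem[pc + 2] << 8)
        if op == 0x01: b, c, pc = d16 >> 8, d16 & 0xFF, pc + 3
        elif op == 0x04: b = (b + 1) & 0xFF; z = b == 0; pc += 1
        elif op == 0x09: hl = (hl + ((b << 8) | c)) & 0xFFFF; pc += 1  # add hl,bc leaves Z alone
        elif op == 0x15: d = (d - 1) & 0xFF; z = d == 0; pc += 1
        elif op == 0x16: d, pc = d8, pc + 2
        elif op == 0x21: hl, pc = d16, pc + 3
        elif op == 0x36: mem[hl] = d8; writes.append((hl, d8)); pc += 2
        elif op == 0x3E: a, pc = d8, pc + 2
        elif op == 0x77: mem[hl] = a; writes.append((hl, a)); pc += 1
        elif op == 0x7E: a, pc = mem[hl], pc + 1
        elif op == 0xC3: pc = d16
        elif op == 0xC6: a = (a + d8) & 0xFF; z = a == 0; pc += 2
        elif op == 0xC8:
            if z: return writes
            pc += 1
        elif op == 0xC9: return writes
        elif op == 0xD6: a = (a - d8) & 0xFF; z = a == 0; pc += 2
        else: raise ValueError(f"opcode {op:02X} at {pc:04X} is not in the table")
    raise RuntimeError("no ret reached; the loop counter probably never hit zero")


def exp_low_addr(slot, stride=BOX_MON_SIZE):
    """Address of the low Exp byte of stored Pokémon `slot` (1-based)."""
    return BOX_MON_1 + stride * (slot - 1) + EXP_LOW


def set_exp_items(exp):
    """The Max Revive (ld (hl),d8) list for stored Pokémon 1, as (item, quantity)."""
    return [("Thunderstone", 0xA6), ("TM18", 0x04), ("Max Revive", exp), ("TM01", 1)]


def loop_bytes(exp, count, stride):
    """The conditional-return loop above, with the add hl,bc stride as a parameter."""
    return bytes([0x21, 0xA6, 0xDA, 0x01, stride & 0xFF, stride >> 8, 0x3E, exp,
                  0x16, count, 0x77, 0x09, 0x15, 0xC8, 0xC3, 0x2C, 0xD3])


def dry_run_items(items, before=0x80):
    """Low Exp byte of box mon 1 after running an item list against a fake WRAM."""
    mem = bytearray(0x10000)
    mem[exp_low_addr(1)] = before          # constructed starting value
    run(items_to_bytes(items), mem)
    return mem[exp_low_addr(1)]


def dry_run_loop(exp, count, stride):
    """Addresses the loop payload writes to, so the stride can be checked."""
    return [addr for addr, _ in run(loop_bytes(exp, count, stride), bytearray(0x10000))]


if __name__ == "__main__":
    for addr, raw, text in disassemble(items_to_bytes(set_exp_items(9))):
        print(f"{addr:04X} {raw:<10} {text}")
    print("box mon 1 low Exp byte after run:", dry_run_items(set_exp_items(9)))
    print("loop, 0x21 stride:", [f"{a:04X}" for a in dry_run_loop(0x5A, 3, BOX_MON_SIZE)])
    print("loop, 0x2C stride:", [f"{a:04X}" for a in dry_run_loop(0x5A, 3, PARTY_MON_SIZE)])
```

The dry run is worth doing for the loop in particular: add hl,bc advances by whatever is loaded into bc, and under the pokered layout a stored (box) Pokémon is 0x21 bytes while a party Pokémon is 0x2C, so the stride decides whether the later writes land on other Pokémon's Exp bytes or somewhere else in the structure. Running both strides and comparing the written addresses against exp_low_addr() shows which layout a given item list actually targets.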

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-01 16:10:04
Alright, that first code worked perfectly, thanks. :)

What sort of glitch items are in the other script? If they're not the ones that force you to press B a bunch of times just to use your item menu, I can probably handle it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Sherkel
Date: 2018-10-02 13:42:03
From the Big List:
You'd need 4 (RB:119) for the ld (hl),a instead of the Max Revive used for ld (hl),$xx, an in-bag Boulder Badge for dec d, and RB:195 for jp $xxyy. If I recall correctly, RB:119 requires a B press or two to scroll past.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-02 16:31:42

From the Big List:
You'd need 4 (RB:119) for the ld (hl),a instead of the Max Revive used for ld (hl),$xx, an in-bag Boulder Badge for dec d, and RB:195 for jp $xxyy. If I recall correctly, RB:119 requires a B press or two to scroll past.


So that's the only unterminated name glitch item in the code? If so I can just obtain it last, after getting the rest of the items, which isn't a big deal. Speaking of which, what items are the rest of the code made of?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-10-03 00:26:18
You can easily answer that by copying my code into GBZ80toitems.

But I've never done conditional returns before, so I'm not sure it will work. Given enough time I could try it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: wadusher
Date: 2018-10-03 01:19:44

You can easily answer that by copying my code into GBZ80toitems.


That website seems to be broken: no matter what I paste into the input box, the corresponding items box always tells me to type something in the input box. The compile button also doesn't do anything; the corresponding items box does not change and I get this error message after pasting your second code in.

codeElem.innerText is undefined (line 1635)
Stack trace :
compile@https://eldred.fr/gbz80toitems3/compiler.js:1635:3
@https://eldred.fr/gbz80toitems3/compiler.js:1879:4
n.event.dispatch@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:12392
n.event.add/r.handle@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:9156

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Krys3000
Date: 2018-10-03 07:38:51
You need to remove the addresses in order to make it work. It just accepts opcodes.

In other words,
http://image.noelshack.com/fichiers/2018/40/3/1538570267-capture.png

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Sherkel
Date: 2018-10-03 11:16:54

You can easily answer that by copying my code into GBZ80toitems.
It seems to refer directly to the Big List and not lose count like I do, so that's a good tool. :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: ISSOtm
Date: 2018-10-03 11:39:23


You can easily answer that by copying my code into GBZ80toitems.


That website seems to be broken: no matter what I paste into the input box, the corresponding items box always tells me to type something in the input box. The compile button also doesn't do anything; the corresponding items box does not change and I get this error message after pasting your second code in.

codeElem.innerText is undefined (line 1635)
Stack trace :
compile@https://eldred.fr/gbz80toitems3/compiler.js:1635:3
@https://eldred.fr/gbz80toitems3/compiler.js:1879:4
n.event.dispatch@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:12392
n.event.add/r.handle@https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js:3:9156


Oh crap dang shit oh no shoot, an internal error. Luckily it's been reported properly, I could try debugging it. :p