Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Red/Blue using the "8F" item - Page 7

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: rortik
Date: 2013-12-19 14:49:53

will it work on yellow?


The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.


First let me say I haven't read the entire thread. If you've already found ws m in Yellow, this post is useless to you. But I have had one of these things forever- didn't know what it did though. I'm not fully understanding all this thread, but I'll tell you how to get ws m. Do the Mew Glitch with a special stat of 194 to run into pPkMnp ' ' (which changes the 5th item slot). And have a Super Rod in the 5th item slot. That gives you ws m. As far as I can tell it simply crashes the game though… I have it stored away in my pc.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-19 17:45:29


will it work on yellow?


The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.


First let me say I haven't read the entire thread. If you've already found ws m in Yellow, this post is useless to you. But I have had one of these things forever- didn't know what it did though. I'm not fully understanding all this thread, but I'll tell you how to get ws m. Do the Mew Glitch with a special stat of 194 to run into pPkMnp ' ' (which changes the 5th item slot). And have a Super Rod in the 5th item slot. That gives you ws m. As far as I can tell it simply crashes the game though… I have it stored away in my pc.


Yes. This was already known. Thanks for trying to help though.

TheZZAZZGlitch posted the exact same method you mentioned to obtain w sm. See this post. w sm runs code from the number of Pokémon in the current box, and he wrote a bootstrapping code to redirect the program to item 3. If you use it without a proper setup it might freeze the game.

Incidentally, as you probably know, item mutation is one of the easier methods of obtaining 8F. I'm not sure if you'll find this useful, but I'll repeat my initial idea. Paco81 found out in 2011 that a coast glitch Trainer's (happens to be for Trainer class 256) roster 28h has a 94; an item mutating Pokémon that adds 16 to the identifier of the fourth slot in the player's bag if the item does not have one of the following hexadecimal identifiers: $1X $3X $5X $7X $9X $BX $DX $FX because of its Pokédex number, 213. Coincidentally, a Rocket on Silph Co. 11F loads it. If you do the Old Man glitch with a letter that gives a Trainer in the third/fifth/seventh position, you can encounter this Trainer, and having a Good Rod (hex: 4D) in this position converts it into 8F (hex: 5D), but their Pokémon are strong, they have glitch Pokémon with Super Glitch, and the TMTRAINER effect can make them keep sending out the same Pokémon.

That method was obsoleted (see first post) because TheZZAZZGlitch used Super Glitch to convert the opponent into a 94 without having to have a specific name or strong Pokémon but then that method was obsoleted once again for the item number underflow glitch.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: rortik
Date: 2013-12-19 21:18:19



will it work on yellow?


The shown method of obtaining 8F won't work in Yellow, as it uses Super Glitch, which works differently for this game.

Also, 8F does not execute code from $D163 in Yellow, but from $04FE instead - which has a less beneficial effect of teleporting you to a messed up version of a Pokemon Center.
Yellow has a relatively similar item "ws m" (hex 63), which executes code from $DA7F (number of Pokemon in the current box), but we still don't know how to obtain it though.


First let me say I haven't read the entire thread. If you've already found ws m in Yellow, this post is useless to you. But I have had one of these things forever- didn't know what it did though. I'm not fully understanding all this thread, but I'll tell you how to get ws m. Do the Mew Glitch with a special stat of 194 to run into pPkMnp ' ' (which changes the 5th item slot). And have a Super Rod in the 5th item slot. That gives you ws m. As far as I can tell it simply crashes the game though… I have it stored away in my pc.


Yes. This was already known. Thanks for trying to help though.

TheZZAZZGlitch posted the exact same method you mentioned to obtain w sm. See this post. w sm runs code from the number of Pokémon in the current box, and he wrote a bootstrapping code to redirect the program to item 3. If you use it without a proper setup it might freeze the game.

Incidentally, as you probably know, item mutation is one of the easier methods of obtaining 8F. I'm not sure if you'll find this useful, but I'll repeat my initial idea. Paco81 found out in 2011 that a coast glitch Trainer's (happens to be for Trainer class 256) roster 28h has a 94; an item mutating Pokémon that adds 16 to the identifier of the fourth slot in the player's bag if the item does not have one of the following hexadecimal identifiers: $1X $3X $5X $7X $9X $BX $DX $FX because of its Pokédex number, 213. Coincidentally, a Rocket on Silph Co. 11F loads it. If you do the Old Man glitch with a letter that gives a Trainer in the third/fifth/seventh position, you can encounter this Trainer, and having a Good Rod (hex: 4D) in this position converts it into 8F (hex: 5D), but their Pokémon are strong, they have glitch Pokémon with Super Glitch, and the TMTRAINER effect can make them keep sending out the same Pokémon.

That method was obsoleted (see first post) because TheZZAZZGlitch used Super Glitch to convert the opponent into a 94 without having to have a specific name or strong Pokémon but then that method was obsoleted once again for the item number underflow glitch.


Yes, (most of) that made sense to me and I think I get it. I just prefer Yellow :D
Thanks!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: rortik
Date: 2013-12-19 22:00:34
So what you're saying is, on Yellow, if I get the ws m item and put it in my first slot, then get a combination of items (Ex: steal trainer's pokemon, Lemonade x1, TM34 x86, TM08 x201) and start that in the third item slot, THEN put, in my current PC box:


1. 20 pokemon in the current box
2. Slowpoke as the 1st Pokémon in the current PC box with 233 hp,
3. Slowpoke as the 2nd Pokémon in the current PC box
4. Slowpoke as the 3rd Pokémon in the current PC box
5. Slowpoke as the 4th Pokémon in the current PC box
6. Slowpoke as the 5th Pokémon in the current PC box
7. Slowpoke as the 6th Pokémon in the current PC box
8. Voltorb as the 7th Pokémon in the current PC box
9. Growlithe as the 8th Pokémon in the current PC box
10. Jolteon as the 9th Pokémon in the current PC box
11. Geodude as the 10th Pokémon in the current PC box
12. Geodude as the 11th Pokémon in the current PC box
13. Geodude as the 12th Pokémon in the current PC box
14. Geodude as the 13th Pokémon in the current PC box
15. Geodude as the 14th Pokémon in the current PC box
16. Geodude as the 16th Pokémon in the current PC box
17. Geodude as the 15th Pokémon in the current PC box
18. Geodude as the 17th Pokémon in the current PC box
19. Geodude as the 18th Pokémon in the current PC box
20. Geodude as the 19th Pokémon in the current PC box
21. Voltorb as the 20th Pokémon in the current PC box


Then use ws m the said effect will occur?

Did I get all that right?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-20 08:01:56
Yep, you're right! The order doesn't matter as long as you meet the requirements once you use w sm, so you could also have those Pokémon in a PC box before obtaining the items but note if you change boxes to something that doesn't have that exact Pokémon setup, it won't work until you change boxes back to the right box again.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: shutterbug2000
Date: 2013-12-22 15:58:50
Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-22 16:19:43

Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!


If you want to write your own code to execute using 8F, you're going to need the following things:



I hope this helps!

edit: The guide that turned up a 403 error above can be found here: https://courses.engr.illinois.edu/ece390/books/artofasm/artofasm.html

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: shutterbug2000
Date: 2013-12-22 16:23:32
blahpy, thanks for the info! However, there are 2 things I still wonder: how do I find the coordinates, and how to input the code (for example, the 1 Player pong)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-22 16:44:27

blahpy, thanks for the info! However, there are 2 things I still wonder: how do I find the coordinates, and how to input the code(for example, the 1 Player pong)


If it's specifically pong that you want, TheZZAZZGlitch wrote the item list for the bootstrapping program in his video description:

Item list:
* Bicycle
* 8F
X Accuracy, x97
Burn Heal, x126
Parlyz Heal, x15
HP UP, x15
Ice Heal, x15
Potion, x134
TM34, x20
TM17, x46
Leaf Stone, x52
Great Ball, x201
TM10, x1
TM15, x46

Swap TM17 x46 with TM15 x46, use 8F and jump off a ledge to walk through walls.
Then swap TM17 and TM15 back, toss TM34 until only one of them remains and use a Bicycle. The program is now in entering mode, and upon using 8F one byte is written, with its value depending on your X and Y positions.
To run the created code, swap TM10 x1 with TM34 and use 8F.

It is possible to run custom "applications", with the maximum size of 254 bytes.
Unlike previous attempts of reprogramming the game, no TASing is required, so this can be done by a human on a cartridge just fine.


Then you can program pong itself with the following code: http://pastebin.com/raw.php?i=GByyfPeA

You will need to use the opcode map from my previous post. You should be able to find the coordinates for the first few bytes (TheZZAZZGlitch has annotated them) from the video and work out other coordinates relative to them fairly easily. It will be very time consuming though.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: shutterbug2000
Date: 2013-12-22 16:52:24
Ok, thanks for all your help! :D! Currently reading over the assembly webpage in your first post.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-23 08:17:39

Now, this may make me sound silly, but I'm not sure how to input code for 8F. For example, I need to know how to find coordinates, how to input all values of the code, etc. I'm not new to simple glitches, like how to find missingno., but I am to glitches like this. Anyone willing to help would be awesome :D!


You only need to find coordinates for TheZZAZZGlitch's 'Pong' program or another large program up to 254 bytes long because you likely can't hold enough items/it would be impractical to go about obtaining them all. Note that I've never tried this myself, so I don't know how long it will take, sorry.

If you are using an emulator, you can check x and y coordinates by looking up memory address D361: (y position) and D362: (x position). Going one step north decreases y by 1 and going one step south increases y by 1. Going one step west decreases x by 1 and going one step east increases x by 1. Remember that X and Y coordinates are also relative to the location, so while the north-most point of Vermilion City is $00, the south-most point of Route 6 is $23; it doesn't underflow to $FF.

Personally I prefer this list of opcodes but it's up to you which one you use. Blaphy's link might be better because it's in a table that makes it easier to look up a certain identifier.

If you just want to cheat, the bootstrapping code and item lists (for specific cheats) should be enough. Most of the time, you'll only need to refer to a few opcodes, such as $3E: ld a, xx [i.e. make 'a' the value in xx] and $EA: ld (memory address), a [i.e. put a into a given memory address]. Those things like 'a' are called registers. They're basically things you can store values in so you can put their values in memory addresses (writable memory only like WRAM) or jump to the address in hl (opcode: E9) in the middle of the operation.

Registers change a lot, and when you use items they are set at certain values by default but you can always change them.

These are:

af = 6300 [a=63, f=00]
bc = 22B8 [b=22, c=B8]
de = 0001 [d=00, e=01]
hl = D322 [h=D3, l=22]
All flags reset


Remember, for TheZZAZZGlitch's bootstrap code, the code must be spelled out from item 3. As TheZZAZZGlitch redirected the code to item 3, that's why hl is D322 (item 3 identifier).

Here are three cheats I made for 8F in Red/Blue. They are easily changeable. The memory address is stored with the lowest byte first (GameShark code order) and all you have to do is change the value that follows 3E (Lemonade): the value you want and EA (TM34): the memory address that follows.

Example: Gym Leader battle plays for the next battle

As a = 63 by default, we don't need to change the value, but you can do it with a 3E xx (Lemonade x XX) anyway.

So:

Item 3 = TM34 x 92
Item 4 = TM08 x 201

ASM:


WRA1: D322 EA 5C D0              ld (D05C), a  : Put 63h into D05C
WRA1: D325 C9


If you look at Datacrystal, you'll see that 5CD0 (Item 3 x92, Item 4=TM08) is the byte that determines whether Gym Leader battle music plays or not in battle, with a value greater than 00 meaning it's on. Change it to CFD8 (D8CF), i.e. (Item 3 x216, Item 4=TM07) and you'll change the species in battle to whatever 'a' is.

To convert hex values to decimal (required to see the right item quantities), you can use Windows Calculator on Programmer mode, enter a value in Hex, then switch it to Dec. Remember to use the big list to check what items have which hexadecimal identifier. Alternatively, you can check with the GameShark code 01xx1ED3, which changes the first item identifier to xx.

In order to obtain item quantities larger than 128, you need to do the Old Man glitch or Ditto glitch to encounter a Pokémon like Missingno. or 'M (that makes getting the right items more difficult in Yellow but fossil and ghost Missingno. never freeze the game). Missingno. and 'M increase the sixth item quantity by 128 only if it's less than 128, so in order to duplicate the sixth item a second time, you have to toss the quantity under 128, e.g. having 127 will give you 255 of an item. Dec:00 Pokémon duplicate the sixth item two times: 1) when you encounter them 2) when you catch them.

If you have any questions, feel free to ask. :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: OwnageMuch
Date: 2013-12-23 18:28:53
Blaphy


::)

I swear more people read it like this than how it actually is, serves me right for using such an obscure name (believe it or not there is a story behind it though!)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2013-12-24 07:28:19

Blaphy


::)

I swear more people read it like this than how it actually is, serves me right for using such an obscure name (believe it or not there is a story behind it though!)


Oops, sorry! The 'blah' part helped me remember your name actually, but I still made a typo.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: shutterbug2000
Date: 2014-02-26 15:41:08
Ok, so I'm still a little confused. I think I know pretty much how to do it, but for example, when it says "D920_EntryPoint", how do I input that? Thanks in advance!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2014-02-26 16:28:15
It's a label, it defines a place where the code should jump to.
Trying to translate opcodes into bytes by hand requires too much effort and can be quite complicated, especially when dealing with relative jumps. You're better off using a memory dump below - it already contains all the code:

00D901:  18 1D 14 C9 15 C9 34 AF C9 35 AF C9 47 79 AE 77
00D911:  3E AF CD B1 23 78 C9 3E A6 CD B1 23 CD 48 37 16
00D921:  0E 21 A2 FF 72 2C 72 3E FF CD B1 23 15 01 68 01
00D931:  21 A0 C3 3E 10 E5 CD E0 36 E1 D5 E5 21 E0 C4 7D
00D941:  82 6F AF 22 22 22 22 21 A0 FF 0E 0F F0 A2 A7 CC
00D951:  0D D9 FE 13 CC 0D D9 0E F0 F0 A3 A7 CC 0D D9 FE
00D961:  11 CA 18 D9 FE 0F 20 0D 5A 06 04 F0 A2 BB CC 0D
00D971:  D9 1C 05 20 F8 7E 2C 2C 47 E6 0F CC 07 D9 C4 0A
00D981:  D9 2C 78 E6 F0 CC 07 D9 C4 0A D9 E1 F0 A2 85 6F
00D991:  F0 A3 01 14 00 A7 28 04 09 3D 20 FC 77 D1 7A FE
00D9A1:  10 28 07 F0 F8 E6 10 C4 03 D9 7A A7 28 07 F0 F8
00D9B1:  E6 20 C4 05 D9 76 76 76 76 76 C3 2E D9

Just enter all these bytes in order (starting from $18, $1D, $14 …), and everything should work perfectly.