Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 8

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-04-15 13:55:50
Pigdevil2010 made a simpler version of the ws m (hex: 63) bootstrap code for Yellow and annotated it. He/she was going to post it on the forums, but had some trouble registering.

Here it is:

Notes: Though it's normally impossible for DA94 (end of list terminator, FF) to be E9, using ws m will change it to this value. This is perfectly safe. The only problem is if you withdrew a Pokémon and DA93 (20th Pokémon) was not FF, but this is not possible in normal gameplay.

(You must have exactly 19 Pokémon in the box.)

When you deposit a 20th Pokémon, after using w sm, DA94 gets changed back to FF again.


Pokémon:

Butterfree
Voltorb
Gyarados
Spearow
Golduck
Poliwrath
Voltorb
Pikachu
Clefairy
Golduck
Venomoth
Metapod
Tangela
Nidoking
Haunter
Flareon
Parasect
Growlithe
Voltorb

Which would make the RAM and ASM look like this:
; Initial hl = DA7F
$DA7F <- 13 || inc de
$DA80 <- 7D || ld a, l ; a = 7F
$DA81 <- 06 ||
$DA82 <- 16 || ld b, 16 ; b = 16
$DA83 <- 05 || dec b ; b = 15 (since Mew is unobtainable)
$DA84 <- 80 || add a, b ; a = 94
$DA85 <- 6F || ld l, a ; l = 94
$DA86 <- 06 ||
$DA87 <- 54 || ld b, 54 ; b = 54
$DA88 <- 04 || inc b ; b = 55 (since Raichu is unobtainable in Yellow)
$DA89 <- 80 || add a, b ; a = E9
$DA8A <- 77 || ld (hl), a ; $DA94 <- E9
$DA8B <- 7C || ld a, h ; a = DA
$DA8C <- 1E ||
$DA8D <- 07 || ld e, 7 ; e = 7
$DA8E <- 93 || sub e ; a = D3
$DA8F <- 67 || ld h, a ; h = D3
$DA90 <- 2E ||
$DA91 <- 21 || ld l, 21 ; l = 21
$DA92 <- 06 ||
$DA93 <- FF || ld b, ff ; rst 38 prevention
$DA94 <- E9 || jp (hl) ; finally jumps to $D321!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: luckytyphlosion
Date: 2014-04-15 18:26:46
Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-04-15 19:21:23

Is it possible to rewrite ROM data with arbitrary code? If not, how many different sections of RAM can you use to use 8F/w sm?


Not possible; you can never rewrite the ROM (read only memory) without doing something like editing it with a hex editor, even though Game Genie makes temporary patches to the ROM. If you try to write to the ROM with w sm, nothing will happen. The Game Boy/machine alone cannot write to ROM.

You can write to VRAM (0x8000-0x9FFF), RAM (0xC000-0xCFFF), WRAM (0xD000-0xFEFF) and RAM (2) (0xFF80-0xFFFF) with wsm (haven't tested 8F on Red/Blue but I imagine things would work the same). Writing to SRAM and I/O apparently didn't work. I've never looked up what I/O is, but I'm a bit surprised at SRAM not being changed; as it is for data that is saved.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Nerator
Date: 2014-04-15 21:40:42

If you try to write to the ROM with w sm, nothing will happen.

To be perfectly precise, if I'm not mistaken, if you try to write something to ROM0 ($0000-$3FFF), then the game will switch ROM banks in $4000-$7FFF. For example, if you execute

ld [$2000],a

then the game will switch to the bank whose number is in register a. For Red/Blue the last bank is $2B I believe; for Yellow it's $3F. Not sure what will happen if we try to write to switchable ROM ($4000-$7FFF), or how it could be used at all.

EDIT:
Actually, what I wrote above is not completely right. For the game to switch banks, we need to write in the $2000-$2FFF area. Also we can switch the RAM banks (switchable RAM is at $A000-$BFFF) by writing in the $4000-$5FFF area. It seems that RAM contains 16 banks (0-F).
EDIT2:
Also I found in the disassembly of Red many tries to write values to $6000 and $0000, usually 0 or 1. Have no idea what these are for.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: pigdevil2010
Date: 2014-04-16 03:46:26
I finally registered! Thanks Torchickens!

So, since I have shorter bootstrapping code for ws m, here is also my shorter bootstrapping code for 8F.

You must have exactly 5 Pokémon in your party; these are:
Pidgey with 233 HP
Parasect
Onix
Tentacool
Kangaskhan

Which would make the RAM and ASM look like this:

; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2e ||
$D166 <- 22 || ld l, 22 ; l = 22
$D167 <- 18 ||
$D168 <- 02 || jr 2    ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- e9 || jp hl    ; pc = D322
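As an added check (example code written for this archive, not Torchickens' or pigdevil2010's): a small interpreter for only the opcodes that the ws m box listing above and the 8F party listing just posted use. It lays out the box or party the way the listings show the game storing it, runs from the item's entry point, and confirms the Yellow box lands at $D321 and the 5-Pokémon party at $D322. The RAM addresses and species indices are the ones in the two listings; the function names and the 64 KiB memory image are assumptions of the example.

```python
# Added example, not the posters' code: interprets only the opcodes the two bootstrap listings use.
SPECIES = {"Butterfree": 0x7D, "Voltorb": 0x06, "Gyarados": 0x16, "Spearow": 0x05, "Golduck": 0x80,
           "Poliwrath": 0x6F, "Pikachu": 0x54, "Clefairy": 0x04, "Venomoth": 0x77, "Metapod": 0x7C,
           "Tangela": 0x1E, "Nidoking": 0x07, "Haunter": 0x93, "Flareon": 0x67, "Parasect": 0x2E,
           "Growlithe": 0x21, "Pidgey": 0x24, "Onix": 0x22, "Tentacool": 0x18, "Kangaskhan": 0x02}
YELLOW_BOX = ["Butterfree", "Voltorb", "Gyarados", "Spearow", "Golduck", "Poliwrath", "Voltorb",
              "Pikachu", "Clefairy", "Golduck", "Venomoth", "Metapod", "Tangela", "Nidoking",
              "Haunter", "Flareon", "Parasect", "Growlithe", "Voltorb"]   # the ws m box above
RB_PARTY = ["Pidgey", "Parasect", "Onix", "Tentacool", "Kangaskhan"]      # the 8F party above

def run(mem, hl, max_steps=64):
    """Execute from pc = hl (8F/ws m enter with hl = pc) until jp (hl); return the jump target."""
    a = b = e = 0; h, l = hl >> 8, hl & 0xFF; pc = hl
    for _ in range(max_steps):
        op, n = mem[pc], mem[pc + 1]
        if op == 0x00: pc += 1                                  # nop
        elif op == 0x04: b = (b + 1) & 0xFF; pc += 1            # inc b
        elif op == 0x05: b = (b - 1) & 0xFF; pc += 1            # dec b
        elif op == 0x06: b = n; pc += 2                         # ld b, n
        elif op == 0x13: pc += 1                                # inc de (de never read here)
        elif op == 0x18: pc += 2 + (n - 256 if n > 127 else n)  # jr n (signed offset)
        elif op == 0x1E: e = n; pc += 2                         # ld e, n
        elif op == 0x24: h = (h + 1) & 0xFF; pc += 1            # inc h
        elif op == 0x2E: l = n; pc += 2                         # ld l, n
        elif op == 0x67: h = a; pc += 1                         # ld h, a
        elif op == 0x6F: l = a; pc += 1                         # ld l, a
        elif op == 0x77: mem[(h << 8) | l] = a; pc += 1         # ld (hl), a
        elif op == 0x7C: a = h; pc += 1                         # ld a, h
        elif op == 0x7D: a = l; pc += 1                         # ld a, l
        elif op == 0x80: a = (a + b) & 0xFF; pc += 1            # add a, b
        elif op == 0x93: a = (a - e) & 0xFF; pc += 1            # sub e
        elif op == 0xE9: return (h << 8) | l                    # jp (hl)
        else: raise ValueError(f"opcode {op:02X} at {pc:04X} is outside this subset")
    raise RuntimeError("never reached jp (hl)")

def yellow_box_memory(box):
    """Yellow: box count at $DA7F, species list from $DA80, then an FF terminator."""
    mem = bytearray(0x10000)
    mem[0xDA7F] = len(box)
    mem[0xDA80:0xDA80 + len(box)] = bytes(SPECIES[p] for p in box)
    mem[0xDA80 + len(box)] = mem[0xDA94] = 0xFF   # $DA94 stays FF until the code stores E9
    return mem

def rb_party_memory(party, lead_hp):
    """Red/Blue: count at $D163, species from $D164 (FF-terminated), lead mon's data from $D16B."""
    mem = bytearray(0x10000)
    mem[0xD163], mem[0xD164 + len(party)] = len(party), 0xFF    # count, list terminator
    mem[0xD164:0xD164 + len(party)] = bytes(SPECIES[p] for p in party)
    mem[0xD16B:0xD16E] = bytes([SPECIES[party[0]], lead_hp >> 8, lead_hp & 0xFF])  # species, HP
    return mem
```

Running it with a lead Pidgey at 234 HP instead of 233 raises ValueError at $D16D, which is the concrete reason the HP has to be exactly 233.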

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-04-16 08:49:53
Well done! No more specific remaining PP, or moves.  :D

To get a Pidgey with that much HP at level 100 from being 'fresh' (just Rare Candied), use six HP Ups. This will always give it a max of 237 HP (because HP DVs don't exist in Generation I/II). Five HP Ups will give it 234 HP, but the problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: pigdevil2010
Date: 2014-04-16 21:21:37

Five HP Ups will give it 234 HP, but the problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.

Just make it poisoned, heal it to 234 HP, then walk 4 steps.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-04-17 05:31:29


Five HP Ups will give it 234 HP, but the problem is the Pokémon on Route 1 tend to deal 2 or 3 damage. I don't know if it's possible for them to deal 1 HP, but you'd probably have to have stat experience/good DVs on the Pidgey's Defense.

Just make it poisoned, heal it to 234 HP, then walk 4 steps.


Oops, I forgot about poison. Thanks for mentioning it.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: gskw
Date: 2014-04-23 02:37:28
When I write Z80 ASM, how do I turn it into hex codes?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2014-04-23 13:54:25

When I write Z80 ASM, how do I turn it into hex codes?


http://iimarck.us/etc/asmopcodes.txt can help, or you can use a compiler and get the compiled result out of the object file.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: gskw
Date: 2014-04-25 10:36:56
Thanks. I think I'm going to write my own assembler to make stuff easier…

EDIT: The compiler is live online!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Stackout
Date: 2014-04-28 04:53:27

Thanks. I think I'm going to write my own assembler to make stuff easier…

EDIT: The compiler is live online!


Heh, thanks. I've been meaning to write one myself actually.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: gskw
Date: 2014-04-28 10:35:46
Why wouldn't we make the code jump into the PC items so we can get more space?

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: pigdevil2010
Date: 2014-04-28 12:17:54

Why wouldn't we make the code jump into the PC items so we can get more space?

Yeah, I once had an idea about doing this too. ;)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: PokeGlitchFanatic
Date: 2014-04-28 20:14:02
Gosh. The first gen was screwed up big time.