Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Arbitrary code execution in Red/Blue using the "8F" item - Page 9

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: pigdevil2010
Date: 2014-04-28 23:50:54
I discovered an even shorter w sm bootstrapping code. It requires just 10 Pokemon in the box; these are

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon


; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 07 || ld e, 7  ; e = 7
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D3
$DA84 <- 67 || ld h, a  ; h = D3
$DA85 <- 2E ||
$DA86 <- 21 || ld l, 21 ; l = 21
$DA87 <- 18 ||
$DA88 <- 0D || jr D    ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D321


I also finally discovered the code to make it jump to the first stored item.

8F

You must have exactly 5 Pokemon in your party; these are

Lv. 25 Pidgey with 24 HP, 36 PP left on the first and second move, 24 PP left on the third move and 13 PP left on the fourth move
Parasect with 233 HP
Diglett
Tentacool
Kangaskhan


; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2E ||
$D166 <- 3B || ld l, 3B ; l = 3B
$D167 <- 18 ||
$D168 <- 02 || jr 2    ; pc = D16B
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- 18 ||
$D16E <- 19 || jr 19    ; pc = D188
$D188 <- 24 || inc h    ; h = D4
$D189 <- 24 || inc h    ; h = D5
$D18A <- 18 ||
$D18B <- 0D || jr D    ; pc = D199
$D199 <- E9 || jp (hl)  ; pc = D53B


w sm

You must have exactly 10 Pokemon in the box; these are

Tangela with 233 HP
Spearow
Metapod
Haunter
Flareon
Parasect
Seel
Tentacool
Grimer
Any Pokemon


; Initial hl = DA7F
$DA7F <- 0A || ld a, (bc)
$DA80 <- 1E ||
$DA81 <- 05 || ld e, 5  ; e = 5
$DA82 <- 7C || ld a, h  ; a = DA
$DA83 <- 93 || sub e    ; a = D5
$DA84 <- 67 || ld h, a  ; h = D5
$DA85 <- 2E ||
$DA86 <- 3A || ld l, 3A ; l = 3A
$DA87 <- 18 ||
$DA88 <- 0D || jr D    ; pc = DA96
$DA96 <- 00 || nop
$DA97 <- E9 || jp (hl)  ; pc = D53A

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: camper
Date: 2014-04-29 02:04:05
Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slot and for Catch-em-all purposes.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: pigdevil2010
Date: 2014-04-29 02:18:57

Sometimes it's better to have it jump to the third item, for example when we put Master Balls and 8F in the first and second slot and for Catch-em-all purposes.

Which code did you mean? Address D322 (D321 in Yellow) is the third item in the pocket.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: gskw
Date: 2014-04-29 03:56:00
He is talking about the 8F code.
And no, it actually jumps to the first item on the PC.
http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Stored_Items
At the point of jp (hl), hl is $D53B, which is the address of the first item on the PC.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Radixan
Date: 2014-07-15 09:57:30
Hello, I just found a way to get the "ws m" item through corrupted save data in the R/B/Y non-Japanese releases.

Image: http://i.gyazo.com/8eaf84c3cef09f525f6c09fba27278fa.png

Once you get corrupted save data, toss Master Ball x255 and leave your home.
You'll be teleported to Viridian City. Just go into the Pokémon Center, open the bag and swap the ws m with the first Master Ball.
Finally, deposit ws m in your PC; it will be safe to withdraw it later.

However, I can't continue the game as usual, since the Pokédex is completed by the corruption and Oak will never give me the Pokédex. :/

Regards. :)

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Zheria
Date: 2014-08-23 00:17:46
I was wondering if anyone knew how to, and would please, convert this code from R/B to Yellow for me. I have been using ws m on cart and it's been really cool. I wanted to try and catch some of the Pokemon that you can't obtain with the Mew glitch, but unfortunately this code doesn't work on Yellow.

Originally posted by TheZZAZZGlitch for R/B's 8F:
ALTERNATIVE CATCH 'EM ALL

This version of the Catch 'Em All script requires more items, but gives the Pokemon instead of forcing an encounter (like: BLUE got EEVEE!), and allows for getting normally unobtainable glitch Pokemon without trading. The given Pokemon depends on the quantity of the 3rd item.

Remark: Avoid obtaining Missingno with this method. It will duplicate your 6th item and screw the opcodes up.

Video: http://www.youtube.com/watch?v=Sw0h7ImFsAs#t=865s

ITEM LIST (starting from the first slot):
* Any item
* 8F
* Repel          x[SpeciesIndex]
* X Speed        x14
* Ultra Ball     x64
* TM05           x72
* Lemonade       x201

ASM:

WRA1:D322 1E 20      ld   e,[SpeciesIndex]
WRA1:D324 43         ld   b,e
WRA1:D325 0E 02      ld   c,02
WRA1:D327 40         ld   b,b
WRA1:D328 CD 48 3E   call 3E48
WRA1:D32B C9         ret

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: TheZZAZZGlitch
Date: 2014-08-23 01:10:58
Addresses to internal functions are different in Yellow. The GivePokemon subroutine is at $3E59, not at $3E48.
The solution is to replace 'TM05 x72' with 'TM05 x89' to update the function address.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Zheria
Date: 2014-08-23 17:19:29
Thank you! It works really well and makes obtaining these glitch pokemon easy!

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: nixnyte
Date: 2014-09-01 05:05:22
hi folks!

i've been having fun exploring glitch possibilities in pokemon yellow lately, and i was interested in seeing how quickly arbitrary code execution could be reached off a fresh save file, without using save corruption or item underflow. the two major steps are of course to encounter p PkMn p to get ws m and to have a specific sequence of pokemon in your active box. to do this from a new game, i had to come up with easier setups for each of the steps, so sharing these is my main intention of this post.

in order to encounter p PkMn p, i used a trainer-fly completed by a ditto who transformed into my pokemon with 194 special. the ditto in my route was a result of another trainer fly (two silph co scientists' last pokemon have a special stat of 76), but of course you can find plenty of these in yellow's cinnabar mansion. to get a pokemon with 194 special, i chose to use a kadabra, as i could also use it for my bootstrap code. depending on its DVs, which are made evident at level 50 due to the stat formula, you can use a combination of rare candies and calcium to guarantee 194 special, assuming no previous stat exp.

Kadabra
Check Special at level 50 (Special - 125 = DVs)
00 DVs    Level 70    6 Calcium
01 DVs    Level 70    5 Calcium
02 DVs    Level 69    6 Calcium
03 DVs    Level 69    5 Calcium
04 DVs    Level 68    6 Calcium
05 DVs    Level 68    5 Calcium
06 DVs    Level 67    6 Calcium
07 DVs    Level 67    5 Calcium
08 DVs    Level 66    6 Calcium
09 DVs    Level 67    4 Calcium
10 DVs    Level 65    6 Calcium
11 DVs    Level 66    4 Calcium
12 DVs    Level 65    5 Calcium
13 DVs    Level 65    4 Calcium
14 DVs    Level 64    5 Calcium
15 DVs    Level 63    6 Calcium


now for the bootstrap code, i focused on improving pigdevil2010's code posted in reply #105, as it was the only one that didn't require a pokemon with 233 hp. instead, it wrote E9 into the address immediately following the rest of the code. as i've already had trouble deciding how to format this post, i'll mention each block i'm about to paste up front. first is the code i came up with after staring for hours at an opcode table and the big hex list for which pokemon would be easily obtainable. it does successfully allow arbitrary code to be executed from your inventory, but are there side effects due to shortcuts? after that is the order of pokemon in your box to achieve these values, and then where you can find those pokemon very early in the game. for the "anything" slot, i had exactly 1 extra pokemon - pikachu!

; initial hl = DA7F
$DA7F <- 0F || rrca
$DA80 <- 2E ||
$DA81 <- 8E || ld l, 8E    ; l = 8E
$DA82 <- 7C || ld a, h    ; a = DA
$DA83 <- 16 ||
$DA84 <- 0F || ld d, 0F    ; d = 0F
$DA85 <- 82 || add a, d    ; a = E9
$DA86 <- 22 || ld (hl+), a ; $DA8E <- E9, l = 8F
$DA87 <- 7C || ld a, h    ; a = DA
$DA88 <- 26 ||
$DA89 <- 07 || ld h, 07    ; h = 07
$DA8A <- 94 || sub h      ; a = D3
$DA8B <- 67 || ld h, a    ; h = D3
$DA8C <- 2E ||
$DA8D <- 21 || ld l, 21    ; l = 21
$DA8E <- E9 || jp (hl)    ; goto $D321


Parasect
Clefable
Metapod
Gyarados
NidoranF
Golbat
Onix
Metapod
Kadabra
Nidoking
Abra
Flareon
Parasect
Growlithe
(anything)


Route 2
- Catch 1 NidoranF
- Catch 1 NidoranM (10-12 Rare Candy, Moon Stone)

Viridian Forest
- Catch 2 Metapod

Route 4
- Buy 1 Magikarp (15 Rare Candy)

Mt. Moon
- Catch 2 Paras (22-30 Rare Candy)
- Catch 1 Clefairy (Moon Stone)
- Catch 1 Zubat (9-16 Rare Candy)
- Find 2 Moon Stone

Route 8
- Trainer-Fly 1 Onix
- Trainer-Fly 1 Growlithe

Celadon
- Buy 1 Abra (1 Rare Candy) http://i.imgur.com/EFnPsLp.png
- Receive 1 Eevee (Fire Stone)
- Buy 1 Fire Stone


the other abra was caught on route 6 since i opened the route similarly to the no save corruption speedrun in order to duplicate rare candies and nuggets. i had streamed my first attempt of this to a couple of friends on twitch, and the video can be referenced here for any visual demonstrations. there is audio "commentary", but it's mostly me chatting with the viewers and mumbling about how it's going, so it's not at all important to listen to. i am also not correct about everything i say in the video :) if you're eager enough to continue off the route i used in that video to then actually execute specific bits of arbitrary code, just remember tm 1 will be your best friend for accessing the return opcode.

anyway, hopefully someone finds these references useful!
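As an added illustration (not code from any poster in this thread), here is a small Python interpreter for just the Game Boy CPU opcodes that pigdevil2010's and nixnyte's listings above use. It lays a constructed party or box out in memory the way those listings model it (count byte, species slots, FF terminator, then the Pokemon structs) and traces the bootstrap until its jp (hl), so each setup's landing address can be checked without a cartridge. The struct sizes (44 bytes per party mon, 33 per box mon) and the field offsets used (HP at +1..+2, level at +3, PP at +29..+32) are assumptions derived from the addresses in the listings, not values quoted from the thread.

```python
def layout(base, slots, species, mons, mon_size=33):
    # count byte, `slots` species bytes, FF terminator, then the packed Pokemon structs
    mem = bytearray(0x10000)
    mem[base] = len(species)
    mem[base + 1:base + 1 + len(species)] = bytes(species)
    mem[base + 1 + slots] = 0xFF
    off = base + 2 + slots
    for i, m in enumerate(mons):
        mem[off + i * mon_size:off + i * mon_size + len(m)] = m
    return mem

def trace(mem, pc, h, l, bc=0, limit=64):
    # interpret until jp (hl); returns the 16-bit address control is handed to
    a = d = e = 0
    for _ in range(limit):
        op, n = mem[pc], mem[pc + 1]                  # n: immediate byte, if any
        pc += 1
        if op == 0xE9: return (h << 8) | l                      # jp (hl)
        elif op == 0x00: pass                                    # nop
        elif op == 0x05: bc = (bc - 0x100) & 0xFFFF               # dec b
        elif op == 0x0A: a = mem[bc]                              # ld a,(bc)
        elif op == 0x0F: a = ((a >> 1) | (a << 7)) & 0xFF         # rrca
        elif op == 0x16: d = n; pc += 1                           # ld d,n
        elif op == 0x18: pc += 1 + (n - 256 if n > 127 else n)    # jr n (signed)
        elif op == 0x1E: e = n; pc += 1                           # ld e,n
        elif op == 0x22: mem[(h << 8) | l] = a; l = (l + 1) & 0xFF; h = (h + (l == 0)) & 0xFF  # ld (hl+),a
        elif op == 0x24: h = (h + 1) & 0xFF                       # inc h
        elif op == 0x26: h = n; pc += 1                           # ld h,n
        elif op == 0x2E: l = n; pc += 1                           # ld l,n
        elif op == 0x67: h = a                                    # ld h,a
        elif op == 0x7C: a = h                                    # ld a,h
        elif op == 0x82: a = (a + d) & 0xFF                       # add a,d
        elif op == 0x93: a = (a - e) & 0xFF                       # sub e
        elif op == 0x94: a = (a - h) & 0xFF                       # sub h
        else: raise ValueError(f"opcode {op:02X} at {pc - 1:04X} is not modelled here")
    raise RuntimeError("no jp (hl) reached")

def wsm_target():   # pigdevil2010's 10-mon w sm box, Tangela (233 HP = 00 E9) stored first
    species = [0x1E, 0x07, 0x7C, 0x93, 0x67, 0x2E, 0x21, 0x18, 0x0D, 0x01]   # 0x01 = "any"
    return trace(layout(0xDA7F, 20, species, [bytes([0x1E, 0, 233])]), 0xDA7F, 0xDA, 0x7F)

def eightf_target():  # 8F party: Lv.25 Pidgey, 24 HP, PP 36/36/24/13; then Parasect with 233 HP
    pidgey = bytearray(44); pidgey[0:4] = bytes([0x24, 0, 24, 25]); pidgey[29:33] = bytes([36, 36, 24, 13])
    party = [0x24, 0x2E, 0x3B, 0x18, 0x02]
    return trace(layout(0xD163, 6, party, [pidgey, bytes([0x2E, 0, 233])], 44), 0xD163, 0xD1, 0x63)

def yellow_target():  # nixnyte's 15-mon Yellow box; the "(anything)" slot is overwritten with E9
    species = [0x2E, 0x8E, 0x7C, 0x16, 0x0F, 0x82, 0x22, 0x7C, 0x26, 0x07, 0x94, 0x67, 0x2E, 0x21, 0x01]
    return trace(layout(0xDA7F, 20, species, [bytes([0x2E, 0, 1])]), 0xDA7F, 0xDA, 0x7F)
```

Each setup function returns the address its listing claims to land on ($D321, $D53B and $D321 respectively), and swapping a species index in the list shows immediately where a different box order would send the CPU.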

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-09-01 07:58:34
Hey nixnyte. Thanks for your info and welcome to the forums!

I enjoyed your set up.

That was a creative way to see Ghost Missingno. early on (with the Special stat of the level 80 Starmie from Cubone for Machoke trade)! Did you think of that or another speedrunner? (I'm out of touch with the speedrunning community other than the published tricks)

For what it's worth, I also did an arbitrary code execution run (a catch em all one), but it was on Red/Green with trading allowed. It was pretty slow and it could have probably been done without trading with enough effort and probably an improved bootstrap code. I'm considering doing a Red/Green catch em all run without arbitrary code or trading.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: nixnyte
Date: 2014-09-01 15:31:52
the early ghost (or kabutops fossil) missingno technique is credited to ExtraTricky on the no save corruption page on the pokemonspeedruns wiki. the puu.sh of trainer pokemon yields for trainer-fly also served useful, but as i desperately found myself wanting to ctrl+f for pokemon on the image, i found a dump of trainers in pokemon yellow on upokecenter. with this key-value special stat support file and this simple ruby script i wrote, it helped me narrow down which trainers would have favorable special stats. upokecenter also has a trainer list for red and blue if anyone wants to make use of the script for that game. a gameboy opcode table felt more useful than a list in this instance as well.

other than that, all i did myself was write some custom asm, make some pretty charts, and piece it all together. the asm was the main thing i wanted to share since i believe it's more efficient than the other methods for arbitrary code in yellow. unless i'm forgetting something, that should cover all of the credits and references. i certainly didn't come up with every part on my own :P

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-09-01 15:58:55
Cool. Yes, I've heard of the puu.sh file too. It's useful for Red/Blue, but not as useful for Yellow, as some Trainers (except Blue, as that's fairly obvious) differ between Red/Blue and Yellow.

I tried to upload it to the wiki here, but it was too big xD.

This is the list of opcodes I use.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: memdump
Date: 2014-09-18 13:38:53
Connect Bootstrap Code Between Red/Blue and Yellow

First I will make this mention. It is easier to set up a bootstrap code in Yellow than it is in Red/Blue. In Yellow you simply trainer fly many Pokemon using Dittos for any opcode, since it reads 20 from the list before the complex data structures instead of 6. Red/Blue needs specific PP and limits the party. This post tells how to make the Red/Blue bootstrap more like Yellow, not the other way around. It does not look possible to do it the other way around anyway.

I introduce the item -gm (image: http://i.imgur.com/V5GUs6b.png), as seen in game in the Vermilion PokeMart. The characters in green change based on the map tileset but -gm is fixed (image: http://i.imgur.com/WrE8aAH.png). This item is x6A or 106 decimal. Like 8F it points to an address in WRAM, at wDA47. This address is x39 or 57 decimal bytes before the beginning of the PC list, wDA80. What lies between is as follows: W_NUMSAFARIBALLS, W_DAYCARE_IN_USE, W_DAYCAREMONNAME, W_DAYCAREMONOT, wDayCareMon. These values are very easily set to x00 and are x00 by default, which is simply a skipped opcode. This item can be obtained like 8F; just do the procedure for x6A instead of x5D.

In conclusion, -gm can be used like ws m to run the initial code from the PC list, which is W_NUMINBOX, wBoxSpecies (x14 or 20 bytes), xFF, then the data for individual Pokemon. The cost is that -gm must go through many x00 codes before the intended code, but this is 228 CPU cycles and is very minimal.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: Torchickens
Date: 2014-09-19 13:19:31
Thanks memdump, this works wonderfully.

Do note that if the bootstrap code contains absolute jumps though, you'll have to change them to get the exact same item location.

So with Pigdevil2010's latest first item pack ws m code

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokemon


…You'd need to change the Growlithe (21) to Onix (22) to get to item 3 (D322), but it would still work with Growlithe, only your item code would start at item 2's quantity.

Re: Arbitrary code execution in Red/Blue using the "8F" item

Posted by: memdump
Date: 2014-09-20 00:30:41
More info I found to share. In Red/Blue, item x7E (long glitch name) points to address wD887. Do you know this address? It is the start of the wild Pokemon data… and the Old Man glitch writes your name to that space in memory! But the English character set does not give characters that relate to any good opcode value. Maybe corrupt the name, then perform steps to take advantage of this. Just food for thought.

I said English character set. In the Japanese character set, you can name the player with a greater variety of characters. In fact, in Midori 1.0 there also exists an item for this. It is x7B instead of x7E, and this item is called て (tehe). It points to wD806, which is exactly the wild Pokemon data in that game as well. Here is an example: You name your player てぬ (aterunu). The first value is overwritten by x00, the Tokiwa encounter rate, when the Old Man ends, so it does not matter. But the next 3 characters have values xC3 xA6 xD2, which in ASM is jp wD2A6. This is the address of the third item in the bag in that game! So you name the player _てぬ, obtain て, talk to the Old Man, use て, and your name is all that is needed for the bootstrap code, and now you run arbitrary code from the inventory like before!

I have tested and it works. No Pokemon needed at all for bootstrap. Very cool.