[R/B] Getting 8F using ZZAZZ $FC Arbitrary Code Execution
Posted by: Stackout
Date: 2014-02-10 10:02:53
So, I saw TheZZAZZGlitch's video on a ZZAZZ trainer causing arbitrary code execution.
I decided I should find a way to get 8F with it.
And I managed it.. (even though there's plenty of easier ways to get it haha)
First thing you need is the following Pokémon in the current box:
Voltorb lv 28
Kadabra lv 211
Parasect lv 34
Jigglypuff lv 233
…which corresponds to a small stub of ASM to set a register to a value that's required for a following call, and to jump to Item 3:
inc b ; (4 Pokémon)
ld b,$1c ; because ld b,$xx = Bicycle, easier to do it here
ld h,$d3
ld l,$22
ld h,h
jp (hl) ; jump to Item #3Of course, that means you need the correct items from Item 3 onward:
Carbos x117
X Accuracy x235
TM05 x214
Revive x175
TM34 x44
TM09 x64
Lemonade x93
Awakening x1
Elixer x205
Leaf Stone x62
TM32 x12
Repel x15
X Speed x195
TM29 x53
This corresponds to the following ASM:
; reload the save file to remove ZZAZZ effects
ld h,$75
ld l,$eb ; LoadSAV+3 (don't clear the screen)
call $35d6 ; Bankswitch
; fix boxset
xor a
ld ($d12c),a
ld b,b
; give 8F
ld a,$5D
ld c,1
ld d,d
call $3e2f ; GiveItem+1 (no need to ld a,b when we put $5D in a)
; get out of battle
add sp,$c
ld e,$f
ld b,e
jp $35e5You need to get these items, set the current box to the box with the above Pokémon, and save. This is critical because to recover from ZZAZZ we load the save file again and if you don't have the correct Bag saved, the code following the save file load corresponds to the items in SRAM.
After you've saved, encounter ZZAZZ trainer $FC (special stat 252). You'll obviously get ZZAZZ'd: just use any of your attacks and after a couple of seconds you'll go back to the overworld (with weird Glitch Dimension-esque colouring), and you'll have 8F in your bag.
Now, there's still some ZZAZZ effects active. Notably, the "Death Trainer". So save and reset. After you continue you'll have 8F, and you'll have also been ZZAZZ'd and lived to tell the tale :)
If you just want to modify RAM to try this out:
put 04 06 1c 26 d3 2e 22 64 e9 ff at $DA80
and put 10 26 75 2e eb cd d6 35 af ea 2c d1 40 3e 5d 0e 01 52 cd 2f 3e e8 0c 1e 0f 43 c3 e5 35 ff at $D322
save, then put FC in $D059
EDIT to add the extra steps required thanks to a little more experimentation. Sure, I could fix the boxset programatically (call $35ff), or just save programatically (a little harder since i'd need to switch banks) but I cba :p
EDIT 2 to change the code to fix the boxset too, in the same amount of bytes :)