Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

simple WRITE command

Posted by: PanCave
Date: 2017-03-09 09:23:53
Hey,

after figuring out how to read the German Yellow version, I'm starting to think about coding.

Please note: all addresses are for the German Yellow version. Basically it's 0x(address of English Yellow version) + 5 or 0x(address of English Red/Blue version) + 4.
All item -> code values are taken from: http://glitchcity.info/wiki/The_Big_HEX_List

I know that 0xD17B and 0xD17C store the two bytes of the TID of the first Pokémon in the party.
Let's assume the box is correctly set up, such that using ws m will cause the sp to point at the third item in the bag.
Wouldn't writing a single byte in RAM be possible with:

Lemonade x89        // ld a, 89
TM34 x209
.(player) A A  // combined with line 2: ld D17B, a
TM01 xany              // ret

Shouldn't this code write '89' @D17B?

And I know that ".(player) A A" can't be bought in the market, but with this code:

ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201

from this thread https://www.reddit.com/r/pokemon/comments/5q8zlg/getting_gen_1_mew_in_yellow_guide_does_not_work/
we should be able to have a Max Elixer and keep increasing its ID until it's ".(player) A A".

Also:
I'm not sure what the code exactly does:
Burn heal x43
Ice heal x43
Revive x201
should mean
inc c 43
dec c 43
dec (hl) 201
What is the purpose of the 43 and 201? And why is there no TM01 for returning the sp?
EDIT: The 201 (which is C9 in hex) is obviously the ret statement!

Thank you,
PanCave

Re: simple WRITE command

Posted by: Krys3000
Date: 2017-03-09 10:06:21
Hello,
I did not check your opcodes, but everything is to be considered an instruction: both the item and its quantity are two different values.

You have three items, that means 6 hex values. In the case of 1-byte instructions, that would give 6 instructions. Here, 43 refers to the opcode with a hex value of 2B (dec:43) and 201 is of course, as you figured out, hex:C9, a ret instruction :)

Re: simple WRITE command

Posted by: Anna Says Hi
Date: 2017-03-10 18:09:43

And I know that ".(player) A A" can't be bought in the market, but with this code:

ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201

from this thread https://www.reddit.com/r/pokemon/comments/5q8zlg/getting_gen_1_mew_in_yellow_guide_does_not_work/
we should be able to have a Max Elixer and keep increasing its ID until it's ".(player) A A".

Also:
I'm not sure what the code exactly does:
Burn heal x43
Ice heal x43
Revive x201
should mean
inc c 43
dec c 43
dec (hl) 201
What is the purpose of the 43 and 201? And why is there no TM01 for returning the sp?
EDIT: The 201 (which is C9 in hex) is obviously the ret statement!

Thank you,
PanCave


That item code is designed to work with 8F, but coincidentally works with ws m. The reason is that after the ws m bootstrap is run, HL contains D321, which is the address containing the index of the third item in the pack. Then the bootstrap jumps to the address contained in HL. Since we want to get HL to contain D31F (second pack item's index number), we decrement L twice with opcode 0x2B (43 in decimal). However, item 2B is a key item, and thus we cannot obtain more than one of it which prevents a 2-line setup. So the code actually works like this:

(HL contains D321 in Yellow, D322 in Red/Blue)
inc C
dec L
dec C
dec L
inc (HL)
ret


On Red/Blue where item 3 is D322, there are several different ways to get HL to contain item 2's address. One of them is to reset bit 1 of L, which can be done with TM03 x141 (RES 1, L). Another way is to use X Accuracy x31 (x32 in Red/Blue), which is ld L, 1Fh (20h in Red/Blue). However, since a different amount of X Accuracy is used for the item duplication code, it's more efficient to use the TM03 setup in Red/Blue.

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-12 08:07:08
@PanCave :
If you want to do some compiling, I recommend you take a look at the online compiler I wrote. All I need to add now is reversing item codes and fixing a few lingering bugs.
(Shameless self-promotion is shameless)

Now I need to correct you on something vital: sp is the stack pointer (a register that points to the top of the stack). You're mistaking it for pc, the program counter (a register that holds a pointer to the byte being currently interpreted).
Also, the GB's stack is a Full, Ascending stack, i.e. sp is incremented as you push data, and sp points to the current entry.

Now, about your question.
Both items and quantities translate to bytes, which are then interpreted as instructions. So that's why Anna Says Hi's decompilation is correct.

Hope it helped!

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-14 09:44:30
Thank you both! You helped me a lot!

I think I missed something on my journey to writing arbitrary code… What are hl, c, l, …? Or are there references for these registers?

What would a simple write command look like in Pokémon Yellow German?
Such that I could jump to any address (using items or quantities) and write a value (again via item or quantity) to that specific byte?

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-14 15:34:09

I think I missed something on my journey to writing arbitrary code… What are hl, c, l, …? Or are there references for these registers?

http://glitchcity.info/wiki/GB Programming is your friend.


What would a simple write command look like in Pokémon Yellow German?
Such that I could jump to any address (using items or quantities) and write a value (again via item or quantity) to that specific byte?

Use this setup. Just adapt the memory destination :)

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-14 16:26:23
Wow, perfect answer! Thank you very much!

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-14 21:19:47
Okay, one final question:
To set everything up for the "write-a-single-byte" command (which I successfully tested), I need 5 items with a quantity > 99:

- Any Item xAny
- ws m
- lemonade x170      59 XX = value
- X-Accuracy x139         7B YY = low-Byte of address
- Carbos x209         D1 ZZ = high-Byte of address
- Pokeball x119
- Fresh Water x201

Obviously I could encounter MissingNo. multiple times, but I know that there is a code for decreasing the quantity of the second item by 1.

According to this link: https://youtu.be/jR5rov2e6PU?t=299 for English Yellow the setup should look like this:

- ws m
- item to decrease x1
- burn heal x43
- ice heal x53
- revive x201

This decompiles to:

inc c
dec hl
dec c
dec (hl)
dec (hl)
ret

Of course, this does not work in the German Yellow version. But I thought I simply had to increment hl four times instead of decrementing it once, in order to get to the correct address:

inc a
inc hl
dec a
inc hl
inc c
inc hl
dec c
inc hl
dec (hl)
dec (hl)
ret


Fresh Water x35 (hex: 23)
Soda Pop x35 (hex: 23)
Burn Heal x35 (hex: 23)
Ice Heal x35 (hex: 23)
Revive x53 (hex: 35)
TM01 x[any qty]

I tested this code and it does not work :/
What am I doing wrong?

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-15 02:31:23
The English setup will work for German versions because of the way 8F bootstrapping works.
The most common way of doing so is to set hl to point to the entry point (ie, the third item in the bag) and then "jp [hl]".
That's why, on all versions, hl points to the third item in the bag, period.
Doing a "dec hl" will ALWAYS make hl point to the quantity of the second item in the bag.
Also remove the "Ice Heal x53". It's unnecessary, because quantities x00 aren't cleared from the bag (you're never supposed to have any) and when tossing, you can toss as if it were x256 (e.g., tossing 1 at this point yields "Item x255" due to underflow.)
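
The posts above describe the same mechanism three times: the bootstrap leaves HL at the ID byte of bag item 3 and jumps there, so the (ID, quantity) pairs from item 3 onward run as Game Boy opcodes, and "dec hl" steps back into item 2's quantity byte. The Python below is an added example, not code from the thread or from any of its posters. It turns a bag listing into that byte stream, disassembles it with the handful of opcodes the thread's codes use, and steps a tiny model of the bag to show which byte each routine changes. It assumes the Yellow addresses given above (item count at D31Ch, item 2's ID at D31Fh, item 3's ID at D321h), item indices from the Big HEX List, and a ws m index of 63h that the simulation never actually reads; the bag contents are constructed for the demonstration.

```python
"""Added example, not from the thread: model the bag bytes that ws m / 8F hands to the CPU.
Assumes the thread's Yellow layout (count at D31Ch, item 2 ID at D31Fh, item 3 ID at D321h),
item indices from the Big HEX List, and a constructed bag; ws m's own index is assumed."""

# Item indices (Big HEX List). WS_M is an assumption and is never read by the simulation.
BURN_HEAL, ICE_HEAL, CARBOS, RARE_CANDY, X_ACCURACY = 0x0C, 0x0D, 0x26, 0x28, 0x2E
REVIVE, FRESH_WATER, LEMONADE, POKE_BALL, MAX_ELIXER, WS_M = 0x35, 0x3C, 0x3E, 0x04, 0x53, 0x63

# The Game Boy opcodes the thread's codes use: byte -> (mnemonic, instruction length).
OPS = {
    0x04: ("inc b", 1), 0x0C: ("inc c", 1), 0x0D: ("dec c", 1),
    0x23: ("inc hl", 1), 0x2B: ("dec hl", 1), 0x34: ("inc (hl)", 1), 0x35: ("dec (hl)", 1),
    0x3C: ("inc a", 1), 0x3D: ("dec a", 1), 0x77: ("ld (hl), a", 1), 0xC9: ("ret", 1),
    0x26: ("ld h, {0:02X}h", 2), 0x2E: ("ld l, {0:02X}h", 2), 0x3E: ("ld a, {0:02X}h", 2),
}

BAG_COUNT = 0xD31C          # item count byte; item 1's ID follows at D31Dh (Yellow)
ENTRY = BAG_COUNT + 1 + 4   # D321h: ID byte of item 3, where the bootstrap jumps


def build_bag(slots):
    """Lay (item_id, quantity) pairs out as bag memory: {address: byte}."""
    mem = {BAG_COUNT: len(slots)}
    for i, (item_id, qty) in enumerate(slots):
        if not 1 <= qty <= 255:
            raise ValueError("a held quantity is one byte and at least 1")
        mem[BAG_COUNT + 1 + 2 * i], mem[BAG_COUNT + 2 + 2 * i] = item_id, qty
    return mem


def code_bytes(slots):
    """The byte stream executed: ID, quantity, ID, quantity ... from item 3 onward."""
    return bytes(b for pair in slots[2:] for b in pair)


def disassemble(code):
    """Decode the stream with the table above, stopping at the first ret."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"opcode {op:02X}h at offset {pc} is not in this table")
        text, length = OPS[op]
        if length == 2:
            if pc + 1 >= len(code):
                raise ValueError("immediate operand missing: the code ran off the bag")
            text = text.format(code[pc + 1])
        out.append(text)
        pc += length
        if op == 0xC9:
            break
    return out


def run(code, mem):
    """Execute the routine with HL = ENTRY against a copy of the bag; returns (mem, regs)."""
    regs = {"a": 0, "b": 0, "c": 0, "h": ENTRY >> 8, "l": ENTRY & 0xFF}
    mem, pc = dict(mem), 0
    while True:
        if pc >= len(code):
            raise ValueError("no ret: the CPU would keep executing whatever follows the bag")
        op, hl = code[pc], (regs["h"] << 8) | regs["l"]
        if op == 0xC9:                                    # ret
            return mem, regs
        elif op in (0x04, 0x0C, 0x3C, 0x0D, 0x3D):        # inc/dec b, c, a (8-bit wrap)
            r = {0x04: "b", 0x0C: "c", 0x3C: "a", 0x0D: "c", 0x3D: "a"}[op]
            regs[r] = (regs[r] + (1 if op in (0x04, 0x0C, 0x3C) else -1)) & 0xFF
        elif op in (0x23, 0x2B):                          # inc hl / dec hl (16-bit wrap)
            hl = (hl + (1 if op == 0x23 else -1)) & 0xFFFF
            regs["h"], regs["l"] = hl >> 8, hl & 0xFF
        elif op in (0x34, 0x35):                          # inc (hl) / dec (hl): 00h wraps to FFh
            mem[hl] = (mem.get(hl, 0) + (1 if op == 0x34 else -1)) & 0xFF
        elif op == 0x77:                                  # ld (hl), a
            mem[hl] = regs["a"]
        elif op in (0x26, 0x2E, 0x3E):                    # ld h/l/a, d8
            if pc + 1 >= len(code):
                raise ValueError("immediate operand missing: the code ran off the bag")
            regs[{0x26: "h", 0x2E: "l", 0x3E: "a"}[op]] = code[pc + 1]
            pc += 1
        else:
            raise ValueError(f"opcode {op:02X}h is not modelled here")
        pc += 1


def decrement_item2_id():
    """Anna Says Hi's code (Burn Heal x43, Ice Heal x43, Revive x201) with Max Elixer in slot 2."""
    slots = [(WS_M, 1), (MAX_ELIXER, 1), (BURN_HEAL, 43), (ICE_HEAL, 43), (REVIVE, 201)]
    return run(code_bytes(slots), build_bag(slots))[0][0xD31F]   # 53h -> 52h


def decrement_item2_quantity(uses):
    """ISSOtm's trimmed code (Burn Heal x43, Revive x201) applied `uses` times to Rare Candy x1."""
    slots = [(WS_M, 1), (RARE_CANDY, 1), (BURN_HEAL, 43), (REVIVE, 201)]
    mem = build_bag(slots)
    for _ in range(uses):
        mem = run(code_bytes(slots), mem)[0]
    return mem[0xD320]                                    # 1 -> 00h -> FFh (x255)


def write_byte(addr, value):
    """PanCave's single-byte write: ld a,XX / ld l,YY / ld h,ZZ / inc b / ld (hl),a / inc a / ret."""
    slots = [(WS_M, 1), (RARE_CANDY, 1), (LEMONADE, value), (X_ACCURACY, addr & 0xFF),
             (CARBOS, addr >> 8), (POKE_BALL, 119), (FRESH_WATER, 201)]
    return run(code_bytes(slots), build_bag(slots))[0][addr]


if __name__ == "__main__":
    demo = [(WS_M, 1), (RARE_CANDY, 1), (BURN_HEAL, 43), (REVIVE, 201)]
    print("; ".join(disassemble(code_bytes(demo))))
    print(f"item 2 ID: {decrement_item2_id():02X}h, item 2 qty after 2 uses: "
          f"{decrement_item2_quantity(2):02X}h, D17Bh: {write_byte(0xD17B, 0x89):02X}h")
```

Two things the model makes visible: Revive's index 35h is dec (hl) in the opcode table, so the ID code lowers item 2's ID by one per use (Max Elixer 53h becomes 52h), while Burn Heal's 0Ch (inc c) and Ice Heal's 0Dh (dec c) only cancel each other out. The trimmed quantity code shows ISSOtm's point about x00: one use leaves 00h in the quantity byte, and a second wraps it to FFh. A bag whose code has no ret makes run() raise, since the CPU would carry on into whatever bytes follow the bag; and because the write routine carries the address and value as held quantities, none of those three bytes can be 00h without a quantity glitch.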

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-15 07:28:12
Hm, that's strange…
I made a screenshot:
Screenshot: https://puu.sh/uJSC5/0cd837fc80.png

ws m
Rare Candy x1
Burn Heal x43
Revive x201

But when I use ws m, nothing happens.

My box setup is according to this page's first post ("Yet another update"):
http://forums.glitchcity.info/index.php?topic=6638.45
The Box setup works 100%, as I'm able to perform the memory writing you showed me.

What am I doing wrong?

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-15 11:01:26
Save and attach your save here.

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-15 17:40:51
I set everything up and saved.

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-16 07:23:05
Okay, you got two things wrong:
1. Your ws m setup is incorrect. It jumps to $D31A, but it should jump to $D326.
Solution: replace Sichlor with Kadabra.
2. Your item setup is incorrect. The setup you had on the screenshot is good, but the one in your save file is bad.
Solution: put that Sonderbonbon (or Carbon, in the save you uploaded) back.

I tested it, and it works.
~ Panda

Re: simple WRITE command

Posted by: PanCave
Date: 2017-03-16 20:05:20
Thank you very much! Now I've got everything I need to know!

I'm planning to write a detailed guide on how to prepare a glitch Mew for Pokébank in English and non-English versions of Yellow.

Re: simple WRITE command

Posted by: ISSOtm
Date: 2017-03-17 09:41:43
I suggest you post it here before you publish it, so we can correct stuff and add precisions, warnings etc.
You don't have to, though!