ItemDex/RB:093: Difference between revisions

From Glitch City Wiki
>Bbbbbbbbba
(→‎Bootstrapping: Aligned comments; changed "jp (hl)" to "jp hl".)
 
(7 intermediate revisions by 4 users not shown)
Line 4: Line 4:
|2=5D
|2=5D
|3=093
|3=093
|4=01:d163 (WRAM1)
|4=D163
|5=No
|5=No
|6=No
|6=No
|7=0
|7=0
|8=N/A}}
|8=0
|9=$fe, $85, $50}}
''8F redirects here. For other uses, see [[8F (disambiguation)]]''.
''8F redirects here. For other uses, see [[8F (disambiguation)]]''.


[[File:8F glitch item name.png|link=]] (hex:5D) is a [[glitch item]] in {{RB}}, with [[index number]] 93 (hex:5D). The actual use of the item is for use in the Silph Co. elevator.
[[File:8F glitch item name.png|link=]] (hex:5D) is a [[glitch item]] in {{RB}}, with [[index number]] 93 (hex:5D). The actual use of the item is for use in the Silph Co. elevator.


This glitch item's effect pointer is D163 in WRAM, which is the beginning of the party Pokémon data in memory, similar to Japanese Red/Green/Blue's [[ItemDexJP/RGB:090|5かい]]. As such it is very popular for [[arbitrary code execution]], as a bootstrap code to items can be written using the species of Pokémon in the party.
This glitch item's effect pointer is $D163 in WRAM, which is the beginning of the party Pokémon data in memory, similar to Japanese Red/Green/Blue's [[ItemDexJP/RGB:090|5かい]]. As such it is very popular for [[arbitrary code execution]], as a bootstrap code to items can be written using the species of Pokémon in the party.


==Usage==
==Usage==
Line 20: Line 21:


For example applications of 8F, see [[Generation I item codes]]. Notice that all applications involving an item list need a bootstrap code to work.
For example applications of 8F, see [[Generation I item codes]]. Notice that all applications involving an item list need a bootstrap code to work.

During the start of the execution of 8F, the following registers and stats are expected to be constant:

*a=63
*bc=00b8
*de=0001
*hl=d163
*Flags z, n, h, c are not set
*lcdc=E3
*ie=0D
*if=F0
*spd=0
*rom=3 (FFB8; loaded ROM bank)
*ime=1
*ima=1


==Bootstrapping==
==Bootstrapping==
There exists multiple different bootstrapping strategies with 8F. Most of them jump to $D322, which is the third item in the item pack. The advantage of using the third item slot is that this allows 8F to be the first item, and another item that is unrelated to the code to be the second (which is useful if the payload modifies the item).
There exists multiple different bootstrapping strategies with 8F. Most of them jump to $D322, which is the third item in the item pack. The advantage of using the third item slot is that this allows 8F to be the first item, and another item that is unrelated to the code to be the second (which is useful if the payload modifies the item).


===5 Pokémon "233 HP Pidgey" setup===
=== 2–5 Pokémon "Tentacool PPs" setup ===
{{main|User:CytricAcid/Beginner's Guide To ACE/US Red and Blue Guide#Setup}}
The most popular 8F setup consists of 5 valid Pokémon, with one of them having a specific current HP value:
An 8F setup can consist of as few as 2 Pokémon, with one of them having specific PP values:
# 2–5 Pokémon
# Tentacool as the first Pokémon
# Onix as the second Pokémon
# The Tentacool must have exactly the following amounts of remaining PP and number of PP Up used:
#* 33 for 1st move (0 PP Up used)
#* 34 for 2nd move (0 PP Up used)
#* 19 for 3rd move (3 PP Up used)
#* 41 for 4th move (3 PP Up used)

{{Explanation|title=ASM translation|contents=
<pre>
; Initial hl = 0xD163, a = 0x63, bc = 0x00B8
$D163 <- 02/03/04/05 || ld [bc], a / inc bc / inc b / dec b
$D164 <- 18 22 || jr 0x22 ; pc = $D166 + 0x22 = $D188
(...)
$D188 <- 21 22 D3 || ld hl, 0xD322
$D18B <- E9 || jp hl ; pc = $D322
</pre>
Here the register <code>a</code> was a temporary variable for reading out the jump destination $D163, and <code>bc</code> was the offset into <code>ItemUsePtrTable</code> (here (0x5D - 1) * 2, where 0x5D is the item ID of 8F).
* If the party contains only 2 Pokémon (i.e. nothing other than Tentacool and Onix), then the first instruction will try to write 0x63 to the ROM address $00B8, which [[SRAM|locks the SRAM]] instead.
** This is generally not a bad thing (it makes things safer in case there is something wrong with the item code), but it might stop you from writing to the SRAM with a simple memory writer, so in that case you probably want to have more than 2 Pokémon in your party to avoid this.
* The other possible first instructions do nothing as long as the item code jumped to does not make any assumption on the values of <code>a</code> and <code>bc</code>.
}}

=== Older setups ===
{{Explanation|title=Details|contents=
'''5 Pokémon "233 HP Pidgey" setup'''

The "233 HP Pidgey" setup used to be the most popular 8F setup, although it is considered outdated due to the difficulty of controlling the exact HP value of a Pokémon. It consists of 5 valid Pokémon, with one of them having a specific current HP value:
# 5 Pokémon
# 5 Pokémon
# Pidgey as the first Pokémon
# Pidgey as the first Pokémon
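Review bot: The register list added under Usage (`*a=63` through `*ima=1`) gives hex values with no prefix, while the ASM translation added further down in the same hunk writes the same state as `a = 0x63, bc = 0x00B8` and the prose uses `$D163`. Pick one notation for the whole section, for example `a=$63`, `bc=$00B8`, `hl=$D163`, and add a short gloss for `spd` and `ima`, which the page never explains.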
Line 39: Line 85:


The bootstrap code translates to the following ASM:
The bootstrap code translates to the following ASM:
<pre>

; Initial hl = D163
; Initial hl = D163
$D163 <- 05 || dec b
$D163 <- 05 || dec b
$D164 <- 24 || inc h ; h = D2
$D164 <- 24 || inc h ; h = D2
$D165 <- 2E ||
$D165 <- 2E ||
$D166 <- 22 || ld l, 22 ; hl = D222
$D166 <- 22 || ld l, 22 ; hl = D222
$D167 <- 18 ||
$D167 <- 18 ||
$D168 <- 02 || jr 02 ; pc = D16B
$D168 <- 02 || jr 02 ; pc = D16B
$D169 <- FF ||
$D169 <- FF ||
$D16A <- FF ||
$D16A <- FF ||
$D16B <- 24 || inc h ; h = D3
$D16B <- 24 || inc h ; h = D3
$D16C <- 00 || nop
$D16C <- 00 || nop
$D16D <- E9 || jp hl ; pc = D322
$D16D <- E9 || jp hl ; pc = D322
</pre>


Understanding the ASM will allow modifying the setup to suit different needs. For example, to make 8F run code starting from item 1 ($D31E), replace the Onix (0x22) with a Tangela (0x1E).
Understanding the ASM will allow modifying the setup to suit different needs. For example, to make 8F run code starting from item 1 ($D31E), replace the Onix (0x22) with a Tangela (0x1E).


===6 Pokémon "233 HP Pidgey" setup===
'''6 Pokémon "233 HP Pidgey" setup'''

A slight modification to the above setup allows a full team of 6 Pokémon, with any Pokémon at the front, which may be desirable when using an instant encounter script, for example (the lead Pokémon can be used to weaken the enemy Pokémon, and when the enemy is caught it's sent to the PC without messing up the setup).
A slight modification to the above setup allows a full team of 6 Pokémon, with any Pokémon at the front, which may be desirable when using an instant encounter script, for example (the lead Pokémon can be used to weaken the enemy Pokémon, and when the enemy is caught it's sent to the PC without messing up the setup).
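Review bot: The two `FF` rows at $D169 and $D16A lie between `jr 02` and its target D16B, so they are never executed, but the listing lays them out exactly like the operand rows at $D165 and $D167. Add a comment on those rows, such as `; skipped by jr`, so a reader does not try to decode them as an instruction. The operands `ld l, 22` and `jr 02` would also read better with the `0x` prefix that the newer Tentacool listing uses (`jr 0x22`).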


Line 68: Line 116:


ASM translation:
ASM translation:
<pre>
$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h ; h = D2
$D166 <- 2E ||
$D167 <- 22 || ld l, 22 ; hl = D222
$D168 <- 18 ||
$D169 <- 2D || jr 2D ; pc = D197
(...)
$D197 <- 24 || inc h ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp hl ; pc = D322
</pre>


'''3 Pokémon super-compressed setup'''
$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h ; h = D2
$D166 <- 2E ||
$D167 <- 22 || ld l, 22 ; hl = D222
$D168 <- 18 ||
$D169 <- 2D || jr 2D ; pc = D197
(...)
$D197 <- 24 || inc h ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp hl ; pc = D322


===3 Pokémon super-compressed setup===
It is possible to use a super-compressed setup, but it requires some difficult to obtain glitch Pokémon, namely [[GlitchDex/RB:195|h POKé (0xC3)]] and [[GlitchDex/RB:211|M p'u ゥ (0xD3)]].
It is possible to use a super-compressed setup, but it requires some difficult to obtain glitch Pokémon, namely [[GlitchDex/RB:195|h POKé (0xC3)]] and [[GlitchDex/RB:211|M p'u ゥ (0xD3)]].
# 3 to 5 Pokémon
# 3 to 5 Pokémon
Line 89: Line 139:


ASM translation:
ASM translation:
<pre>

$D163 <- 03/04/05 || inc bc / inc b / dec b
$D163 <- 03/04/05 || inc bc / inc b / dec b
$D164 <- C3 ||
$D164 <- C3 ||
$D165 <- 22 ||
$D165 <- 22 ||
$D166 <- D3 || jp $D322
$D166 <- D3 || jp $D322
</pre>


Notice that this setup doesn't set hl to $D322, which some common item setups assume. For those item setups, inserting two items will fix this problem:
Notice that this setup doesn't set hl to $D322, which some common item setups assume. For those item setups, inserting two items will fix this problem:
Line 101: Line 152:
# Carbos x211
# Carbos x211
# (Listed items)
# (Listed items)
(credits to [http://forums.glitchcity.info/index.php?topic=6638.msg204534#msg204534 NukingDragons] for this fix)
(credits to [https://archives.glitchcity.info/forums/board-115/thread-6638/page-37.html#msg204534 NukingDragons] for this fix)
}}


===In other European versions===
===In other European versions===
In other European versions, the 8F item is named 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish). It still executes code the same way, but the setup will be different due to differences in the memory layout, with the third item at $D327 rather than $D322.
In other European versions, the 8F item is named 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish). It still executes code the same way, but the setup will be different due to differences in the memory layout, with the third item at $D327 rather than $D322.


For the above three setups, the common fix is to replace the Onix with a Graveler (or to replace the Tangela with a Fearow to run code starting from item 1).
The "Tentacool PPs" setup above can be adapted to those European versions by having 39 PP for the 2nd move instead of 34. For the three setups in the "Older setups" section, the common fix is to replace the Onix with a Graveler (or to replace the Tangela with a Fearow to run code starting from item 1).


==See also==
==See also==
*[[8F Helper]]
*[[8F Helper]]
*[[ItemDex/Y:099|ws m (hex:63)]]: A popular glitch item for arbitrary code execution in {{Y}}.
*[[ItemDexJP/RGB:090]]: Glitch item "5かい" in Japanese Red/Green/Blue. Executes D123; also the beginning of the party Pokémon list.
*[[ItemDexJP/RGB:090|5かい]]: A glitch item in {{RGB}} that executes the equivalent address ($D123, beginning of the party Pokémon data).


==External links==
==External links==
*[http://forums.glitchcity.info/index.php?topic=6638.0 Forums thread by TheZZAZZGlitch].
*[https://forums.glitchcity.info/index.php?topic=6638.0 Forums thread by TheZZAZZGlitch].
*[[ItemDex/Y:099|ws m (hex:63)]]: A popular glitch item for arbitrary code execution in {{Y}}.
*[[ItemDexJP/RG:090|5かい]]; a [[glitch item]] that executes the equivalent address in {{RG}}.
*[[ItemDexJP/B:090|5かい]]; a glitch item that executes the equivalent address in {{JB}}.
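Review bot: The NukingDragons credit now points at `archives.glitchcity.info/forums/board-115/thread-6638/...`, but the External links entry for what appears to be the same thread (topic 6638) still points at `forums.glitchcity.info/index.php?topic=6638.0`, changed only from http to https. If the forum has moved to the archive host, update the External links entry as well so both references resolve to the same place.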





Latest revision as of 20:07, 29 February 2024


Name (transcribed): 8F

Identifier (HEX): 5D
Identifier (DEC): 093
Effect pointer: 01:d163 (WRAM1)
Unterminated name glitch item?: No
Tossable/Sellable?: No
Buy Price: 0
Sell Price: 0
Name bytes: $fe, $85, $50

8F redirects here. For other uses, see 8F (disambiguation).

8F (hex:5D) is a glitch item in Pokémon Red and Blue, with index number 93 (hex:5D). The item's actual use is in the Silph Co. elevator.

This glitch item's effect pointer is $D163 in WRAM, which is the beginning of the party Pokémon data in memory, similar to Japanese Red/Green/Blue's 5かい. As such it is very popular for arbitrary code execution, because bootstrap code that jumps to the item list can be written using the species of the Pokémon in the party.

Usage

After setting up the bootstrap code and the payload, simply use 8F from the item list (either in the overworld or in combat) to execute arbitrary code. The quantity of 8F will not decrease, unless it is programmed to do so.

For example applications of 8F, see Generation I item codes. Notice that all applications involving an item list need a bootstrap code to work.

At the start of 8F's execution, the following registers and state values are expected to be constant:

  • a=63
  • bc=00b8
  • de=0001
  • hl=d163
  • Flags z, n, h, c are not set
  • lcdc=E3
  • ie=0D
  • if=F0
  • spd=0
  • rom=3 (FFB8; loaded ROM bank)
  • ime=1
  • ima=1

Bootstrapping

There exist multiple bootstrapping strategies with 8F. Most of them jump to $D322, which is the third item in the item pack. The advantage of using the third item slot is that this allows 8F to be the first item, and another item that is unrelated to the code to be the second (which is useful if the payload modifies the item).

2–5 Pokémon "Tentacool PPs" setup

Main article: User:CytricAcid/Beginner's Guide To ACE/US Red and Blue Guide#Setup

An 8F setup can consist of as few as 2 Pokémon, with one of them having specific PP values:

  1. 2–5 Pokémon
  2. Tentacool as the first Pokémon
  3. Onix as the second Pokémon
  4. The Tentacool must have exactly the following amounts of remaining PP and number of PP Up used:
    • 33 for 1st move (0 PP Up used)
    • 34 for 2nd move (0 PP Up used)
    • 19 for 3rd move (3 PP Up used)
    • 41 for 4th move (3 PP Up used)

ASM translation:

; Initial hl = 0xD163, a = 0x63, bc = 0x00B8
$D163 <- 02/03/04/05 || ld [bc], a / inc bc / inc b / dec b
$D164 <- 18 22       || jr 0x22       ; pc = $D166 + 0x22 = $D188
(...)
$D188 <- 21 22 D3    || ld hl, 0xD322
$D18B <- E9          || jp hl         ; pc = $D322

Here the register a was a temporary variable for reading out the jump destination $D163, and bc was the offset into ItemUsePtrTable (here (0x5D - 1) * 2, where 0x5D is the item ID of 8F).

  • If the party contains only 2 Pokémon (i.e. nothing other than Tentacool and Onix), then the first instruction will try to write 0x63 to the ROM address $00B8, which locks the SRAM instead.
    • This is generally not a bad thing (it makes things safer in case there is something wrong with the item code), but it might stop you from writing to the SRAM with a simple memory writer, so in that case you probably want to have more than 2 Pokémon in your party to avoid this.
  • The other possible first instructions do nothing as long as the item code jumped to does not make any assumption on the values of a and bc.
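
The trace below is an added example, not code from the wiki: a Python interpreter for only the opcodes in the listing above, run over a constructed WRAM image for party sizes 2 to 5 and for the 39 PP variant the page gives for other European versions. Addresses, register values and byte values are the page's; the function names and the sparse-memory model are assumptions of this example, and the PP byte layout (PP Ups used in the top two bits, remaining PP in the low six) is how Generation I stores PP and reproduces the listing's bytes 21 22 D3 E9.

```python
# Added example, not wiki code; addresses and byte values are the page's.
ENTRY = 0xD163                  # 8F effect pointer = party count byte
PP_ADDR = 0xD188                # first party member's four PP bytes
TENTACOOL, ONIX = 0x18, 0x22    # species bytes at $D164 and $D165
US_PPS = [(33, 0), (34, 0), (19, 3), (41, 3)]   # (remaining PP, PP Ups used)
EU_PPS = [(33, 0), (39, 0), (19, 3), (41, 3)]   # 39 PP on the 2nd move

def pp_byte(pp, pp_ups):
    """Gen I PP byte: PP Ups used in bits 7-6, remaining PP in bits 5-0."""
    return (pp_ups << 6) | pp

def build_wram(party_count, move_pps):
    """Constructed sparse WRAM image: only the bytes the setup controls."""
    mem = {ENTRY: party_count, ENTRY + 1: TENTACOOL, ENTRY + 2: ONIX}
    mem.update({PP_ADDR + i: pp_byte(*p) for i, p in enumerate(move_pps)})
    return mem

def trace(mem, max_steps=8):
    """Run from ENTRY until `jp hl` (flags not modelled); return (target, regs, rom_writes)."""
    r = {"a": 0x63, "b": 0x00, "c": 0xB8, "h": 0xD1, "l": 0x63}
    pc, rom_writes = ENTRY, []
    for _ in range(max_steps):
        op = mem[pc]
        if op == 0x02:                    # ld [bc], a
            addr = r["b"] << 8 | r["c"]
            if addr < 0x8000:             # ROM range: goes to the cartridge, not RAM
                rom_writes.append((addr, r["a"]))
            else:
                mem[addr] = r["a"]
            pc += 1
        elif op == 0x03:                  # inc bc
            bc = ((r["b"] << 8 | r["c"]) + 1) & 0xFFFF
            r["b"], r["c"] = bc >> 8, bc & 0xFF
            pc += 1
        elif op in (0x04, 0x05):          # inc b / dec b
            r["b"] = (r["b"] + (1 if op == 0x04 else -1)) & 0xFF
            pc += 1
        elif op == 0x18:                  # jr e8, relative to the next instruction
            off = mem[pc + 1]
            pc += 2 + (off - 0x100 if off & 0x80 else off)
        elif op == 0x21:                  # ld hl, d16 (little-endian operand)
            r["l"], r["h"] = mem[pc + 1], mem[pc + 2]
            pc += 3
        elif op == 0xE9:                  # jp hl
            return r["h"] << 8 | r["l"], r, rom_writes
        else:
            raise ValueError(f"opcode {op:#04x} at ${pc:04X} is not in the listing")
    raise RuntimeError("no jp hl reached")

if __name__ == "__main__":
    for count in (2, 3, 4, 5):
        target, regs, writes = trace(build_wram(count, US_PPS))
        print(count, f"${target:04X}", f"bc={regs['b']:02X}{regs['c']:02X}", writes)
    print("EU", f"${trace(build_wram(2, EU_PPS))[0]:04X}")
```

Because the memory image is sparse, a `KeyError` from `trace` means execution reached a byte the setup does not control; a party count of 6 raises `ValueError`, since `06` (`ld b, d8`) is not part of this setup's listing.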

Older setups

Details

5 Pokémon "233 HP Pidgey" setup

The "233 HP Pidgey" setup used to be the most popular 8F setup, although it is considered outdated due to the difficulty of controlling the exact HP value of a Pokémon. It consists of 5 valid Pokémon, with one of them having a specific current HP value:

  1. 5 Pokémon
  2. Pidgey as the first Pokémon
  3. Parasect as the second Pokémon
  4. Onix as the third Pokémon
  5. Tentacool as the fourth Pokémon
  6. Kangaskhan as the fifth Pokémon
  7. Pidgey must have 233 current HP (it is okay to have a higher maximum HP)

To obtain such a Pidgey, use Rare Candies to raise it to Lv100 and apply up to 10 HP Ups. If the Pidgey still does not have 233 HP, it has bad DVs. In this case either try another Pidgey or do many battles with this Pidgey (preferably Trainer battles, which are quicker than wild encounters) until depositing and withdrawing it gives it 233 HP (see box trick).

If the Pidgey's maximum HP is higher than 233, a reliable method to get it to 233 HP is to get it poisoned, walk until it has 233 HP, then cure the poison.

The bootstrap code translates to the following ASM:

; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h    ; h = D2
$D165 <- 2E ||
$D166 <- 22 || ld l, 22 ; hl = D222
$D167 <- 18 ||
$D168 <- 02 || jr 02    ; pc = D16B
$D169 <- FF ||
$D16A <- FF ||
$D16B <- 24 || inc h    ; h = D3
$D16C <- 00 || nop
$D16D <- E9 || jp hl    ; pc = D322

Understanding the ASM will allow modifying the setup to suit different needs. For example, to make 8F run code starting from item 1 ($D31E), replace the Onix (0x22) with a Tangela (0x1E).

6 Pokémon "233 HP Pidgey" setup

A slight modification to the above setup allows a full team of 6 Pokémon, with any Pokémon at the front, which may be desirable when using an instant encounter script, for example (the lead Pokémon can be used to weaken the enemy Pokémon, and when the enemy is caught it's sent to the PC without messing up the setup).

  1. 6 Pokémon
  2. The first Pokémon does not matter
  3. Pidgey as the second Pokémon
  4. Parasect as the third Pokémon
  5. Onix as the fourth Pokémon
  6. Tentacool as the fifth Pokémon
  7. Arbok as the sixth Pokémon
  8. Pidgey must have 233 HP

ASM translation:

$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h    ; h = D2
$D166 <- 2E ||
$D167 <- 22 || ld l, 22 ; hl = D222
$D168 <- 18 ||
$D169 <- 2D || jr 2D    ; pc = D197
(...)
$D197 <- 24 || inc h    ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp hl    ; pc = D322

3 Pokémon super-compressed setup

It is possible to use a super-compressed setup, but it requires some difficult-to-obtain glitch Pokémon, namely h POKé (0xC3) and M p'u ゥ (0xD3).

  1. 3 to 5 Pokémon
  2. h POKé (0xC3) as the first Pokémon
  3. Onix as the second Pokémon
  4. M p'u ゥ (0xD3) as the third Pokémon

ASM translation:

$D163 <- 03/04/05 || inc bc / inc b / dec b
$D164 <- C3       || 
$D165 <- 22       || 
$D166 <- D3       || jp $D322

Notice that this setup doesn't set hl to $D322, which some common item setups assume. For those item setups, inserting two items will fix this problem:

  1. 8F
  2. Any item x[any qty]
  3. X Accuracy x34
  4. Carbos x211
  5. (Listed items)

(credits to NukingDragons for this fix)

In other European versions

In other European versions, the 8F item is named 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish). It still executes code the same way, but the setup will be different due to differences in the memory layout, with the third item at $D327 rather than $D322.

The "Tentacool PPs" setup above can be adapted to those European versions by having 39 PP for the 2nd move instead of 34. For the three setups in the "Older setups" section, the common fix is to replace the Onix with a Graveler (or to replace the Tangela with a Fearow to run code starting from item 1).

See also

External links