Messages - Epsilon

What Wack0 said is true. But in regards to cartswap, no.

Cartswap works by cutting off contact with the ROM, letting the user load a new one, and booting into the new cartridge. However, this is all done within the system itself. Alone, you cannot use this to escape VC itself.
Really nice work!

Will edit this post with test results.

Edit: Confirmed not to work
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 13, 2018, 04:24:14 pm »
I figured out what went wrong: in the post you said 77 thunder stones in the bag, but in the save you gave me it's 57.
I made the video (but won't upload it till April Fools'), however if you guys want to see it I can make it unlisted.

The program I used to develop these scripts, Gbz80 to items, currently suffers from a bug in which it incorrectly calculates the code relative to Labels. I have reported this to the developer of Gbz80 to items, sorry for the confusion!
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 13, 2018, 11:47:17 am »
In the attached save, just use 8f, walk 16 steps, and Mew will appear. You can use the PC in the room to check the item list.

On this particular save, the game will softlock if you attempt to open the party menu/when you encounter Mew. This is simply because I lazily edited the bootstrapper rather than set it up properly, setting this up correctly in game should have no issues.
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 13, 2018, 09:36:16 am »
Oops, a couple things went wrong. I've edited the post, try it now.

I confirmed that the new version does work.
Back to report both the memory editor (party setup) and editing SRAM bank 1 to change the stored Pokémon worked on Virtual Console :)

Also edited the Trainer House (SRAM bank 0) to fight a Mewtwo over Level 100. I didn't have many items so I got owned.

Good to hear, and thank you for testing!
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 12, 2018, 08:47:00 pm »
After re-reading your first post, I now understand what you wanted out of this. Sorry!

What you want is a little bit more complicated, as we need to return control to the game. Thankfully, with OAM DMA hijacking, this problem can be resolved, granted with a few extra steps.

First, you'll need to set up your stored PC items like so:

TM50 x59 (hex:3B)
TM09 x61 (hex:3D)
Leaf Stone x13 (hex:0D)
Repel x(# of steps)
Elixer x187 (hex:BB)
Fire Stone x5 (hex:05)
Lemonade x(Pokemon Index)
TM34 x89 (hex:59)
TM08 x62 (hex:3E)
Thunderstone x4 (hex:04)
Awakening x70 (hex:46)
HM03 x162 (hex:A2)
TM01 x[Any qty]

Then, set up an 8F script like so:

Any xany
Thunderstone x57 (hex:37)
TM11 x4 (hex:04)
Awakening x255 (hex:FF)
Repel x128 (hex:80)
Max Ether x14 (hex:0E)
Poké Ball x42 (hex:2A)
Hyper Potion x19 (hex:13)
Ice Heal x32 (hex:20)
TM50 x201 (hex:C9)
TM05 x59 (hex:3B)
TM13 x226 (hex:E2)

Then, use 8f. After walking a certain amount of steps, you should encounter your Pokemon!
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 12, 2018, 07:05:04 pm »
I'm not sure what ISSO is talking about, ofc you can use wStepCounter to encounter a Pokemon.

Any xany
TM50 x59 (hex:3B)
TM09 x61 (hex:3D)
Leaf Stone x38 (hex:26)
TM08 x4 (hex:04)
X Accuracy x89 (hex:59)
Elixer x119 (hex:77)
TM01 x[Any qty]

To use:

1. Enter/exit a building or room
2. Take steps that are equivalent to the hex identifier of the desired Pokemon. (e.g. Mew would be 21 steps)
3. Use 8f
4. Dance
The only downside with this method is you're stuck with one party Pokémon. Catching a new one will break the code. Going to try this on Virtual Console shortly. Do you know if you can still edit stored Pokémon in the box on those versions with no issues? That could make it useful for Pokémon farming.

Unfortunately, I lack a functional 3DS, and as such I am unable to use 3DS VC.
Ah, I see. I will rebuild my code with the new base address and update the source.

Thank you for trying that address!

Not sure what's meant to happen with strings that aren't addresses (like "&123") but I tried it once and the memory editor sent me somewhere to VRAM (or possibly ROM, SRAM, I can't remember the details sorry) to modify.

The memory editor simply takes the character hex and subtracts 246. If that set the carry flag, the editor then subtracts 128. It then swaps the result and loads it into "b". This process is then repeated for the next nybble, but then rather than swap the nybbles it bitwise ORs the result and "b". It does this twice to get the least significant byte (big-endian).

So "&123" would be $3723
You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?

Lol, that's fine :)

Hmm, wonder why some characters appear normally whereas some characters appear red? Oh well, I suppose it's a minor problem, and fixing it would be a waste of bytes :P

I did all of my tests on DMG mode. Since you're on CGB mode, would you mind testing the Address lookup feature? I'm sure it will still work, but I just want to make sure.
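Added example (not part of the original posts or the attached ASM): a Python model of the Address Lookup conversion described above, showing why "&123" lands on $3723. The character codes (digits at $F6-$FF, letters from $80, "&" at $E9) are assumed from the Generation II text encoding, and all function names are hypothetical.

```python
# Constructed table: assumed Gen II character codes for the characters used here.
CHARMAP = {str(d): 0xF6 + d for d in range(10)}            # "0".."9" -> $F6..$FF
CHARMAP.update({c: 0x80 + i for i, c in
                enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")})  # "A".."Z" -> $80..$99
CHARMAP["&"] = 0xE9


def char_to_value(code):
    """Subtract 246; if that borrows (carry set), subtract 128 as well.

    The result stays a full byte, which is why non-hex characters
    leave stray bits behind instead of being rejected.
    """
    value = (code - 0xF6) & 0xFF
    if code < 0xF6:                      # carry set by the first subtraction
        value = (value - 0x80) & 0xFF
    return value


def swap(byte):
    """Exchange the upper and lower nybbles of a byte."""
    return ((byte << 4) | (byte >> 4)) & 0xFF


def pair_to_byte(first, second):
    """First character is swapped into 'b', second is ORed on top of it."""
    b = swap(char_to_value(CHARMAP[first]))
    return b | char_to_value(CHARMAP[second])


def lookup_address(text):
    """Convert four typed characters into the 16-bit address (high byte first)."""
    if len(text) != 4:
        raise ValueError("address lookup expects exactly four characters")
    high = pair_to_byte(text[0], text[1])
    low = pair_to_byte(text[2], text[3])
    return (high << 8) | low


def is_clean_hex(text):
    """True when every character converts to a single nybble (0-F)."""
    return all(char_to_value(CHARMAP[c]) <= 0x0F for c in text)


if __name__ == "__main__":
    for sample in ("DA98", "&123", "G000"):    # constructed inputs
        print(sample, "->", "$%04X" % lookup_address(sample),
              "clean" if is_clean_hex(sample) else "stray bits")
```

Because there is no range check after the subtractions, any character outside 0-9 and A-F still produces a byte, and its extra bits spill into the neighbouring nybble.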
Wow! This looks amazing. ^^

Thank you!

I forgot to mention that this is meant to be used with TM exec. Any box name code that unlocks SRAM, switches to bank 1, and jumps to $B002 will do.

Unfortunately I'm a bit busy at the moment and cannot write this box name code right now.
It's a lot larger than I was hoping/anticipating, but here it is anyway! It is, admittedly, a bit of a pain to set up if you are not on emulator.
Code:
f3 11 bc da af e0 26 4f 3c e0 d6 21 bb c3 d5 06
0b c5 7a cd 38 db 7b cd 38 db 3e 25 22 1a cd 38
db 13 01 0d 00 09 c1 05 20 e7 21 bf c3 79 a7 28
07 57 af c6 14 15 20 fb 16 00 5f 19 36 ed cd 4d
db d1 f0 a5 47 cb 47 c4 90 db 78 cb 77 28 08 79
a7 28 03 0d 18 01 1b 78 cb 7f 28 09 79 fe 0a 28
03 0c 18 01 13 78 cb 4f 28 05 af 3d e0 26 d9 78
cb 67 28 06 21 10 00 19 54 5d 78 cb 6f 28 06 21
f0 ff 19 54 5d 78 cb 57 28 0d af e0 d6 3d e0 26
fb 62 6b 06 00 09 e9 78 cb 5f c4 5a db c3 a3 da
c5 0e 02 47 cb 37 e6 0f c6 f6 30 02 c6 80 22 78
0d 20 f3 c1 c9 e5 c5 d5 cd bb 14 cd e6 08 d1 c1
e1 c9 c5 e5 3e 0e ea ab ce af e0 da fb 21 c0 7e
3e 38 cf f3 0e 01 21 34 d9 cd 88 db cb 37 47 cd
88 db b0 47 0d 20 03 50 18 ef 58 e1 c1 af 4f c9
2a d6 f6 30 02 d6 80 c9 d5 af 47 c5 3e ec 22 e5
62 6b 09 54 5d e1 1a 4f cd 4d db f0 a5 47 cb 6f
28 01 0d cb 67 28 01 0c cb 7f 28 04 79 d6 10 4f
78 cb 77 28 04 79 c6 10 4f 78 cb 4f 20 08 79 e5
cd 38 db e1 18 d2 79 12 c1 d1 c9

This is meant to be written to $DA98.

A - Enter write mode
Up - Scroll cursor up
Down - Scroll cursor down
Select - Jump to address
Start - Address Lookup (more on that later)
B - Exit memory editor

Write Mode

Up - Increment upper nybble
Down - Decrement upper nybble
Left - Increment lower nybble
Right - Decrement lower nybble
B - Write byte, exit write mode

Address lookup is a feature I added that eliminates the need for scrolling through the memory editor. Simply press start, type in the address you want to go to, and the memory editor will place the cursor on the address.

Disadvantages & Notes:

- Using the Address Lookup feature writes to Box 14's name
- Unlike TheZZAZZglitch's R/B memory editor, this performs writes after the player presses "B" to exit out of write mode. Sorry.

I tried to pack as much power into this as I could (with the time I had), but if you feel you can shrink the byte size for more space, I've attached the RGBDS syntax ASM to this post. Feel free to try to optimize it! (To change where this is written, change "BaseAddress")


Edit: Princess Torchic checked, and determined that this payload can fit into $DA98 without conflict. I have rebuilt the source with the new base address. Thanks!

Edit2: Shrank the payload by 8 bytes, and also fixed a bug that occurred when pressing "a" and L/R at the same time

ISSOtm shrank the payload by an impressive 32 bytes, however this optimization unfortunately does not work. If I can fix it, it would be a great byte shave though!
Edit: Hmm yeah, for me I tried inputting 15 into D058, but the game placed it three addresses afterwards instead. A workaround to that was to input 15 into the D055 field, which writes the value to D058.
Yeah, I had mistyped an address before compiling. Should be fixed now.
I know this might sound pessimistic, but the ZZAZZglitch has been missing for a long time and I don't think he is likely to return soon, if at all.

I went ahead and ported this for you.
Code:
54 5d d5 21 f8 ff 19 54 5d f0 f5 a7 20 fb 21 a0
c3 36 7c 23 7a cd a9 db 7b cd a9 db 36 e3 23 1a
cd a9 db 36 7c 01 0c 00 09 13 7d fe 08 20 e2 21
45 c4 36 ed d1 76 f0 f5 47 cb 58 28 04 7a c6 10
57 cb 50 28 01 14 cb 48 c0 cb 40 20 24 cb 70 28
01 1b cb 78 28 01 13 cb 68 28 06 21 f0 ff 19 54
5d cb 60 28 06 21 10 00 19 54 5d 18 95 79 12 18
fa 36 ec 1a 4f 76 f0 f5 a7 28 f2 47 cb 70 28 04
79 c6 10 4f cb 78 28 04 79 d6 10 4f cb 68 28 01
0d cb 60 28 01 0c 2e 46 79 cd a9 db f0 f5 fe 0d
28 19 e6 fe 20 f6 18 cd 47 cb 37 e6 0f cd b2 db
78 e6 0f c6 f6 30 02 c6 60 22 c9 21 c9 db 73 23
72 cd d7 3e fa 4e cc c3
To be written at $DB01, with the same item setup as used in Red

Edit: It's bugged ATM

Edit2: Fixed. 'Twas a silly mistake