Topic: Arbitrary code execution in Red/Blue using the "8F" item

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #45 on: December 06, 2013, 04:21:05 pm »
OK.

Major new finding:

8F should work in FR/ES/IT/DE R/B.

In all of these, item $5D points to $D168 which in these games is where "Number of Pokémon" is.

But of course, there's a catch.

Seeing as the offsets are different...
The bootstrap code for English R/B won't work!

So using them there will have to wait until me, TheZZAZZGlitch, or a 3rd party goes and plays around with GB asm and makes a nice payload that can jump to $D327 (3rd item type).

And for all you players of Japanese Blue: 5kai should work there just as well as it works in Japanese R/G.


For Yellow:

In ES/DE/FR/IT Yellow, item $63 calls DA84 (I think this is Number of Pokémon in Current Box; I have yet to confirm this.)

Of course, different bootstrap code is needed here thanks to the offset differences.

In JP Yellow, item $BB calls $DB21, which I think is something in the middle of current box Pokémon 7. Either Status, or Type 1. I'm not sure which. UPDATE: if I have my calculations correct, it's Type 1. (Thanks Torchickens!) UPDATE 2: It's actually Type 1 of Pokémon 11 in the current box, not Pokémon 7. (Thanks again Torchickens!)

This would require whole new bootstrap code, it cannot be based on any of the others.

Another update:

Here's bootstrap code for European R/B. TheZZAZZGlitch, thanks a lot for using relative jumps and making my life easier; it only requires a one-byte change! Please note that I haven't tested this yet and probably won't have a chance to today, but if it doesn't work, I will probably update this post with the working code.

OK, here we go...

1.  6 Pokémon                                                         [0xD168 = 0x06]
2.  Graveler as the first Pokémon                                     [0xD169 = 0x27]
3.  Pidgey as the second Pokémon                                      [0xD16A = 0x24]
4.  Tentacool as the third Pokémon                                    [0xD16B = 0x18]
5.  Meowth as the fourth Pokémon                                      [0xD16C = 0x4D]
6.  24 PP left on the second Pokémon's second move                    [0xD1BA = 0x18]
7.  21 PP left on the second Pokémon's third move w/ 1 PP Up used     [0xD1BB = 0x55]
8.  36 PP left on the fourth Pokémon's first move                     [0xD211 = 0x24]
9.  24 PP left on the fourth Pokémon's second move                    [0xD212 = 0x18]
10. 20 PP left on the fourth Pokémon's third move                     [0xD213 = 0x14]
11. Double Team as the fifth Pokémon's first move                     [0xD228 = 0x68]
12. Double Kick as the fifth Pokémon's second move                    [0xD229 = 0x18]
13. Strength as the fifth Pokémon's third move                        [0xD230 = 0x46]
14. Sixth Pokémon's attack stat has to be exactly 233                 [0xD271 = 0xE9]


Code:
; -- EU R/B
; -- hl: D168
D168: 06 27  ld b,27 ; b=27
D16A: 24     inc h   ; hl = D268
D16B: 18 4D  jr D1BA

D1BA: 18 55  jr D211

D211: 24     inc h   ; hl = D368
D212: 18 14  jr D228

D228: 68     ld l,b  ; hl = D327
D229: 18 46  jr D271

D271: E9     jp hl

EDIT: Just tested, and this payload works totally fine on FR Blue.

Yet another update:

And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP (two bytes)             [0xDA9B = 0x00, 0xDA9C = 0xE9]


Code:
; -- EU YELLOW
; initial value of hl = DA84
WRA1:DA84 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA85 25               dec  h      ; hl = D984
WRA1:DA86 25               dec  h      ; hl = D884
WRA1:DA87 25               dec  h      ; hl = D784
WRA1:DA88 25               dec  h      ; hl = D684
WRA1:DA89 25               dec  h      ; hl = D584
WRA1:DA8A 25               dec  h      ; hl = D484
WRA1:DA8B 06 26            ld   b,26
WRA1:DA8D 68               ld   l,b    ; hl = D426
WRA1:DA8E A9               xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8F A9               xor  c
WRA1:DA90 A9               xor  c
WRA1:DA91 A9               xor  c
WRA1:DA92 A9               xor  c
WRA1:DA93 A9               xor  c
WRA1:DA94 A9               xor  c
WRA1:DA95 A9               xor  c
WRA1:DA96 A9               xor  c
WRA1:DA97 A9               xor  c
WRA1:DA98 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA9A 25               dec  h      ; hl = D326
WRA1:DA9B 00               nop 
WRA1:DA9C E9               jp   hl

Tested working with FR Yellow. :)
« Last Edit: December 07, 2013, 05:00:44 am by Wack0 »
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #46 on: December 07, 2013, 03:33:54 am »
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #47 on: December 07, 2013, 04:59:17 am »
Quote
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

I know. I was tired last night. The code works though.

EDIT: fixed now.
« Last Edit: December 07, 2013, 05:01:23 am by Wack0 »

blahpy

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #48 on: December 07, 2013, 05:05:47 am »
Quote
psst: Nothing major, but some of your memory addresses are a little off in the code box ;)

I know. I was tired last night. The code works though.

EDIT: fixed now.

Hence "nothing major" :P

I just thought you might like to know.

Thanks for all the work you did :o I'm sure TheZZAZZGlitch will be happy if he sees it.

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #49 on: December 07, 2013, 06:19:35 am »
Dammit, looks like it's a no go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute... on Japanese Yellow 1.2 $BB's name IS properly terminated...

...but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(

That's odd. During battle when that item is used, the bp at the jump at the end of UseItem is hit... but hl=$2801 ?!?!??!
« Last Edit: December 07, 2013, 06:45:46 am by Wack0 »

Evie the Mother Hen ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #50 on: December 07, 2013, 06:45:54 am »
Quote
Dammit, looks like it's a no go with item $BB on Japanese Yellow.

Namely, $BB's name is improperly terminated. And you can't even use it. When you press A on it, pc ends up at $CE01. And this is when the use/trash menu is supposed to come up.

EDIT: Wait a minute.. on Japanese Yellow 1.2 $BB's name IS properly terminated..

...but same result happens. Game freeze before use/trash menu comes up.

1.1 is the same as 1.2. :(

You can use $BB in battle without any use/toss menu as if it was a Poké Ball. Does this work?

edit: Oops, ninja'd by your edit xD.
« Last Edit: December 07, 2013, 06:58:21 am by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #51 on: December 07, 2013, 06:49:35 am »
Fun fact: I was just starting to code a payload, and I decided to check if pc reached what I thought it was going to reach.

And it didn't, so.. dafuq's up with that.

Evie the Mother Hen ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #52 on: December 07, 2013, 06:56:23 am »
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #53 on: December 07, 2013, 07:02:08 am »
Quote
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Evie the Mother Hen ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #54 on: December 07, 2013, 07:13:21 am »
Quote
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer♀ glitches. It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.

Edit: On changing the 11th Pokémon to one of those level 127 Ketsuban, $BB worked the same but changed the opponent into a level 127 Pikachu, however, I'm pretty sure that this is just Japanese Yellow's equivalent of the level 127 Horsea that will appear instead if you mess up the graphics on your side after sending out any Missingno. into battle.
« Last Edit: December 07, 2013, 07:22:39 am by Torchickens »


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #55 on: December 07, 2013, 07:16:27 am »
Quote
That's a shame. Maybe you calculated the wrong identifier and $DB21 is called for something else?

Maybe, but I doubt it. My item pointer table dumper shows that the valid items point to what they should.

Ah, OK. That's weird then.

Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban, like one of those Cooltrainer♀ glitches. It also messes up Pikachu's sprite/position after battle. I'm not sure if all of this happens in the other version (revision) though, and I don't know mine.

What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04

Evie the Mother Hen ☽ ❤

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #56 on: December 07, 2013, 07:20:56 am »
Quote
What's the MD5 hash of your rom?

v1.0 is aa13e886a47fd473da63b7d5ddf2828d
v1.1 is 96c1f411671b6e1761cf31884dde0dbb
v1.2 is 5d9c071cf6eb5f3a697bbcd9311b4d04

AA13E886A47FD473DA63B7D5DDF2828D, so it's v1.0 then.


Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #57 on: December 07, 2013, 07:22:59 am »
Btw, I believe that in v1.1 and v1.2 it just locks up in battle on the items list with the white arrow pointer.

TheZZAZZGlitch

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #58 on: December 07, 2013, 07:36:43 am »
Quote
My item pointer table dumper shows that the valid items point to what they should.

Remember that because of Gen I's broken pointer arithmetic, item with ID $80 acts like $00, $81 like $01, $82 like $02, etc., and your pointer table dumper should take that into account. This would mean that $BB acts like $3B. $3B is an unused 'Coin' item, and that would explain everything, since it's programmed to do nothing.

Japanese Yellow has item $63 ('かいがらバッヂ'), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'...
My ROM (telling by the checksum) seems to be v1.0.

Quote
Incidentally $BB has a pretty cool effect on my save. It causes some memory corruption in battle and turns the enemy into a level 127 hex: 38 Ketsuban

It has an improperly terminated name, so it causes all those wonderful Super Glitch effects, unless its name is made harmless (method of doing this is the same as in international releases). Also, by accident I found that Japanese version of hooked Metapod is hooked Diglett :D
« Last Edit: February 03, 2015, 03:14:36 pm by TheZZAZZGlitch »
qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
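The aliasing rule TheZZAZZGlitch gives above, as an added example that is not code from the thread: the effect-pointer table offset is (ID - 1) * 2 and, as I read the game's routine, the doubling is done in the 8-bit accumulator, so the carry is lost and every ID from $80 up fetches the entry of ID - $80. The pointer table below is constructed with made-up addresses; the HM01 = $C4 cut-off in the comment is from memory, not from the thread.

```python
# Constructed effect-pointer table: entry n (2 bytes, little-endian) belongs to
# item ID n+1 and points to the made-up address 0x4000 + ID, so the value read
# back identifies which entry the lookup really fetched. 0x80 entries in total.
EFFECT_TABLE = b"".join((0x4000 + i).to_bytes(2, "little") for i in range(1, 0x81))


def table_index(item_id: int, eight_bit: bool = True) -> int:
    """Byte offset of item_id's entry: (ID - 1) * 2. With eight_bit=True the
    doubling happens in an 8-bit register, as I read the game's routine, so the
    carry out of bit 7 is lost; eight_bit=False is the carry-correct value."""
    idx = ((item_id - 1) & 0xFF) * 2
    return idx & 0xFF if eight_bit else idx


def lookup_effect(item_id: int, eight_bit: bool = True):
    """Pointer the lookup fetches, or None if it would read past the table.
    (The game itself has no such bounds check. IDs from HM01 = $C4 upward take
    a separate TM/HM path in the game, as I recall, and are not modelled.)"""
    idx = table_index(item_id, eight_bit)
    if idx + 1 >= len(EFFECT_TABLE):
        return None
    return int.from_bytes(EFFECT_TABLE[idx:idx + 2], "little")


def aliases_of(item_id: int) -> list:
    """Every ID in $00-$FF that fetches the same entry as item_id does."""
    return [i for i in range(0x100) if table_index(i) == table_index(item_id)]


if __name__ == "__main__":
    for item_id in (0x00, 0x80, 0x3B, 0xBB):
        print(f"${item_id:02X}: index {table_index(item_id):02X}, "
              f"reads {lookup_effect(item_id):04X}, aliases {aliases_of(item_id)}")
```

With a carry-correct index, $BB would land 0x174 bytes in, past the constructed table, which is the "read whatever lies after the table" situation the rest of this thread exploits; with the 8-bit wrap it simply reads the 'Coin' entry for $3B.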

Wack0

Re: Arbitrary code execution in Red/Blue using the "8F" item
« Reply #59 on: December 07, 2013, 07:38:29 am »
Quote
Japanese Yellow has item $63 ('かいがらバッヂ'), which jumps to $D9B2 - number of Pokemon in the current box. Interestingly enough, on English Yellow, item $63 is 'ws m'...

Thanks. If I'd have known that D9B2 is number of Pokémon in the current box in JP Yellow (and offsets are the same in 1.0, 1.1 and 1.2), I'd have found this out.

Will modify your payload to work with it now.

EDIT: Here. Again, only one byte needed to be changed.

1.  20 Pokémon in your PC box                                         [0xD9B2 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xD9B3 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xD9B4 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xD9B5 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xD9B6 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xD9B7 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xD9B8 = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xD9B9 = 0x06]
9.  Raticate as the 8th Pokémon in the current PC box                 [0xD9BA = 0xA6]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xD9BB = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xD9BC = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xD9BD = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xD9BE = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xD9BF = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xD9C0 = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xD9C1 = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xD9C2 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xD9C3 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xD9C4 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xD9C5 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xD9C6 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xD9C7 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xD9C8 = 0x25]
23. First PC box Pokémon needs to have 233 HP (two bytes)             [0xD9C9 = 0x00, 0xD9CA = 0xE9]


Code:
; -- JP YELLOW [1.0, 1.1 and 1.2]
; initial value of hl = D9B2
WRA1:D9B2 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:D9B3 25               dec  h      ; hl = D8B2
WRA1:D9B4 25               dec  h      ; hl = D7B2
WRA1:D9B5 25               dec  h      ; hl = D6B2
WRA1:D9B6 25               dec  h      ; hl = D5B2
WRA1:D9B7 25               dec  h      ; hl = D4B2
WRA1:D9B8 25               dec  h      ; hl = D3B2
WRA1:D9B9 06 A6            ld   b,A6
WRA1:D9BB 68               ld   l,b    ; hl = D3A6
WRA1:D9BC A9               xor  c      ; offset hack: do nothing until ip=D9C6
WRA1:D9BD A9               xor  c
WRA1:D9BE A9               xor  c
WRA1:D9BF A9               xor  c
WRA1:D9C0 A9               xor  c
WRA1:D9C1 A9               xor  c
WRA1:D9C2 A9               xor  c
WRA1:D9C3 A9               xor  c
WRA1:D9C4 A9               xor  c
WRA1:D9C5 A9               xor  c
WRA1:D9C6 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:D9C8 25               dec  h      ; hl = D2A6
WRA1:D9C9 00               nop
WRA1:D9CA E9               jp   hl
« Last Edit: December 07, 2013, 07:50:45 am by Wack0 »
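The three bootstrap listings in this thread (EU R/B in Reply #45, EU Yellow in Reply #45 and JP Yellow in Reply #59) all stand or fall on the hand-written "hl = ..." comments, which is exactly where the copy-paste slips were. The tracer below is an added example, not code from the thread or from any of its authors: it models only the handful of SM83 (Game Boy CPU) opcodes those listings use, starts with hl equal to the entry address as the thread states, and reports the path taken and the final `jp hl` target. The byte strings are copied from the listings; everything else is assumed.

```python
from dataclasses import dataclass, field

# SM83 (Game Boy CPU) opcode subset used by the bootstraps: opcode -> (mnemonic, length).
OPCODES = {0x00: ("nop", 1), 0x06: ("ld b,n", 2), 0x14: ("inc d", 1),
           0x18: ("jr e", 2), 0x24: ("inc h", 1), 0x25: ("dec h", 1),
           0x68: ("ld l,b", 1), 0xA9: ("xor c", 1), 0xE9: ("jp hl", 1)}


@dataclass
class Cpu:
    pc: int
    h: int
    l: int
    b: int = 0
    trace: list = field(default_factory=list)

    @property
    def hl(self) -> int:
        return (self.h << 8) | self.l


def load_bytes(start: int, hexstr: str, mem: dict = None) -> dict:
    """Place the bytes of hexstr consecutively from `start` into mem."""
    mem = {} if mem is None else mem
    for i, byte in enumerate(bytes.fromhex(hexstr)):
        mem[start + i] = byte
    return mem


def run_bootstrap(mem: dict, start: int, max_steps: int = 64):
    """Execute from `start` with hl = start (the thread's stated entry state).
    Returns the Cpu after `jp hl`, or None if execution reaches a byte outside
    the modelled subset; cpu.trace records every step either way."""
    cpu = Cpu(pc=start, h=start >> 8, l=start & 0xFF)
    for _ in range(max_steps):
        op = mem.get(cpu.pc)
        if op not in OPCODES:
            cpu.trace.append(f"{cpu.pc:04X}: unmodelled byte {op}")
            return None
        name, length = OPCODES[op]
        cpu.trace.append(f"{cpu.pc:04X}: {name:7} hl={cpu.hl:04X}")
        next_pc = cpu.pc + length
        if op == 0x06:
            cpu.b = mem[cpu.pc + 1]
        elif op == 0x18:                    # jr: signed 8-bit displacement from pc+2
            e = mem[cpu.pc + 1]
            next_pc = cpu.pc + 2 + (e - 0x100 if e >= 0x80 else e)
        elif op == 0x24:
            cpu.h = (cpu.h + 1) & 0xFF
        elif op == 0x25:
            cpu.h = (cpu.h - 1) & 0xFF
        elif op == 0x68:
            cpu.l = cpu.b
        elif op == 0xE9:                    # the jump target is the final hl
            cpu.trace.append(f"jp hl -> {cpu.hl:04X}")
            return cpu
        # nop, inc d and xor c never touch hl, b or the control flow: fall through
        cpu.pc = next_pc & 0xFFFF
    return None


# Bytes copied from the three listings in the thread; nothing else is mapped,
# so a jump landing anywhere else shows up in the trace as "unmodelled byte None".
EU_RB = load_bytes(0xD168, "06 27 24 18 4D")
load_bytes(0xD1BA, "18 55", EU_RB)
load_bytes(0xD211, "24 18 14", EU_RB)
load_bytes(0xD228, "68 18 46", EU_RB)
load_bytes(0xD271, "E9", EU_RB)
BOX_PAYLOAD = "14 25 25 25 25 25 25 06 {} 68 " + "A9 " * 10 + "06 FF 25 00 E9"
EU_YELLOW = load_bytes(0xDA84, BOX_PAYLOAD.format("26"))
JP_YELLOW = load_bytes(0xD9B2, BOX_PAYLOAD.format("A6"))

if __name__ == "__main__":
    for label, mem, start in (("EU R/B", EU_RB, 0xD168), ("EU Yellow", EU_YELLOW, 0xDA84),
                              ("JP Yellow", JP_YELLOW, 0xD9B2)):
        print(label, *run_bootstrap(mem, start).trace, sep="\n  ")
```

Each trace line prints hl before the instruction executes, so the value after the last `dec h` or `ld l,b` is the one to compare against the listing's comment on that line.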