Main Menu
Main Page
Forums
New pages
Recent changes
Random page
Help

Glitches
Arbitrary code execution
Pokémon cloning
Pomeg glitch and Glitzer Popping
Tweaking and voiding
Glitches by generation
Other glitch categories

References/Resources
Databases
Disassembly projects
The Big HEX List
Interactive tools
Reference documents
Terminology

Affiliates
Legendary Star Blob 2 (Hakuda) (日本語/Japanese)
Pokémon Speedruns wiki (English)
PRAMA Initiative (Français/French)
MissingNo. Glitch City (Italiano/Italian)
Become an affiliate!

Technical
Site source code

Search Wiki

 

Search Forums

 

Author Topic: Trainer-Fly/Box underflow available text boxes that execute arbitrary script  (Read 1346 times)

0 Members and 1 Guest are viewing this topic.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I love My Melody ✿(not really a mum but wanna be)
    • View Profile
List may be updated. Please feel free to add your finds by double clicking 0:2882 (Yellow) or 0:2992 (Red) in BGB and seeing what hl is after BGB brings up the debugger when you return to a Trainer-Fly route.

Below are text box sources for when you talk to something like an object (as opposed to your last text box being the start menu) and return to a route that you have a Trainer-Fly set up in.

If you can change the memory address in hl to start with 08, this will mean that your text box will activate arbitrary code followed by the 08! Or if you put a 00 followed by text characters there and a 57; it is possible to create a custom text box.

Yellow: PC and Trainer-Fly south of Saffron hl=D7C8

Yellow: Some place with PC as last text, I unfortunately cannot remember: hl=D7C8

Yellow: "Lots of Pokémon stuff" + Trainer-Fly north of Cinnabar: D2C3 (may be promising?)

Yellow: PC and Trainer-Fly south of Lavender: C331

Red: "Lots of Pokémon stuff" + Trainer-Fly north of Cinnabar: CD5F

Red: Cinnabar coach guy + Trainer-Fly north of Cinnabar: D7E9

Red: PC and Trainer-Fly west of Celadon:  D7DF

Red: "Tons of Pokémon stuff" in Celadon Mart + Trainer-Fly left of Celadon: D717

Non-text box opening map scripts:

Non-text box opening scripts are values for individual map scripts from D5F1 onward that are not relevant to maps with Trainers, and/or are not 01 (because 01 means a normal script that opens up a text box and gives an encounter like Trainer-Fly). They can only be accessed with stored item underflow, the walking lag glitch, or further arbitrary code execution.

I'm looking/checking if you can get any good script locations (such as in your items, I wish) with box item underflow or the walking lag glitch.

Route 4: Jack-Fly from the Paras Trainer, change boxes, reset, return, talk to her again, and beat her. This made the game execute F0F5 (i.e. D0F5).
« Last Edit: April 18, 2015, 12:18:34 pm by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
I am a legit yandere and I am ashamed.



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

luckytyphlosion

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • JACK-flys are OP
    • View Profile
Just posting this here since it's relevant to the current topic, but it is possible to write any byte to any location using a custom text pointer.

Setup:
1. Walk to an NPC with TextID of 0 (I chose the boy talking to the girl on Route 6)
2. Change Text Pointer (endianness) to the location with your text pointers (For me, my text pointers were inserted in D371.)
3. At the location where the text pointer points to, put the same address of the text pointer + 2. (D373)
4. Place the following bytes starting from the address written above.

Code: [Select]
AAAA = Address to write bytes to. (with endianness)
03AAAA00<bytestowrite>5050

Unfortunately, it's impossible to copy bytes that correspond to text commands, so this may not be a suitable approach for writing bytes.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I love My Melody ✿(not really a mum but wanna be)
    • View Profile
Just posting this here since it's relevant to the current topic, but it is possible to write any byte to any location using a custom text pointer.

Setup:
1. Walk to an NPC with TextID of 0 (I chose the boy talking to the girl on Route 6)
2. Change Text Pointer (endianness) to the location with your text pointers (For me, my text pointers were inserted in D371.)
3. At the location where the text pointer points to, put the same address of the text pointer + 2. (D373)
4. Place the following bytes starting from the address written above.

Code: [Select]
AAAA = Address to write bytes to. (with endianness)
03AAAA00<bytestowrite>5050

Unfortunately, it's impossible to copy bytes that correspond to text commands, so this may not be a suitable approach for writing bytes.

Cool. Thanks for sharing.

Well, I just went through many (probably all but I'm unsure) routes with Trainers in Yellow, and the Route 4 one was the only one that executed arbitrary code for 'walking lag glitch' that isn't in a place like VRAM or SRAM. Aww.

I haven't been through absolutely every route with Trainers that can have the "!" yet. I tried Fighting Dojo and I got the script for beating the Fighting Dojo master without beating him. I tried the entrance of Victory Road and got a freeze. I tried the entrance to Rock Tunnel from Lavender Town and had to deal with many glitch sounds. Eventually the game jumped to A025; and BGB thought that was an FF, so you can probably guess what happened; a 00 39 freeze.
« Last Edit: April 18, 2015, 01:56:11 pm by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
I am a legit yandere and I am ashamed.



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3