Torchickens

Pokémon Red, Green, Blue, Yellow - Unused trade script ACE

Feb 4th, 2016
How to access the unused trades with arbitrary code execution:

English Pokémon Yellow:
-----
Steps:

1) Obtain a "ws m" (hex:63) with the x-coordinate looping map trick (https://www.youtube.com/watch?v=98_azamLeh4), which requires a glitch that expands the items pack such as dry underflow (https://www.youtube.com/watch?v=ZyppANEvnh8). "ws m" initially runs from DA7F+ (number of stored PC Pokémon). ws m executing arbitrary code was documented by TheZZAZZGlitch.

2) Use a payload that redirects the code flow to inventory item 3.

Example:
(Made by pigdevil2010)

Have exactly 10 Pokémon in the current box as follows:

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Growlithe
Tentacool
Grimer
Any Pokémon

(Note: In this video I used TheZZAZZGlitch's older longer payload with a Slowpoke that has 233 HP http://forums.glitchcity.info/index.php/topic,6638.msg189586.html#msg189586)

3) Have the following items starting at item 3, and then use ws m to run the code.

Lemonade x(trade ID you want)
TM34 x61
TM05 x4
Repel x84
Poké Ball x123
TM05 x180
Lemonade x195
TM10 x35
TM01 x01

This represents the following code:
ld a,xx        ; xx = trade ID (quantity of the first Lemonade)
ld (CD3D),a    ; W_WHICHTRADE
inc b          ; byte 04 (TM05 quantity)
ld e,54        ; Predef command ID
inc b          ; byte 04 (Poké Ball ID)
ld a,e         ; a = 54
call 3EB4      ; Predef
jp 23D2        ; TextScriptEnd
ret

As opcodes and operands, this reads:
3E XX EA 3D CD 04 1E 54 04 7B CD B4 3E C3 D2 23 C9 (01)

English Pokémon Red:
-----
Since 8F relies on your current party Pokémon, it may not be a good idea to use 8F for this (you may not have Pokémon available to trade, or trading could mess up the payload) unless you have a compact setup that could itself be set up first with a more advanced setup (e.g. three to five Pokémon: Pokémon 1 as h Poké (hex:C3), Pokémon 2 as Onix (hex:22), Pokémon 3 as the hex:D3 or hex:F3 glitch Pokémon D322, Pokémon 4 and 5 do not matter).

This is a compact setup by luckytyphlosion that requires 6 Pokémon and redirects the code flow to item 4, which could be used to set up the compact three-Pokémon setup. http://forums.glitchcity.info/index.php/topic,6638.msg198585.html#msg198585

Alternatively, we can use the glitch item "-g m" (hex:6A), which runs through stored Pokémon like Yellow's "ws m".
-g m executing arbitrary code was documented by a Glitch City Laboratories user named "memdump" (http://forums.glitchcity.info/index.php/topic,6638.msg196498.html#msg196498). (Another video showing "-g m": https://www.youtube.com/watch?v=B1E4msXNaYY)

Steps:

1) Obtain a "-g m" (hex:6A) with the x-coordinate looping map trick (https://www.youtube.com/watch?v=98_azamLeh4), which requires a glitch that expands the items pack such as dry underflow (https://www.youtube.com/watch?v=ZyppANEvnh8). "-g m" executes code from DA47, which is 0x39 bytes before the beginning of the PC list, DA80.

2) The values between DA47 and DA80, including W_NUMSAFARIBALLS, W_DAYCARE_IN_USE, W_DAYCAREMONNAME, W_DAYCAREMONOT and wDayCareMon, should be 00 or harmless code so that the game runs through to DA80.

3) Use a payload that redirects the code flow to inventory item 3:

Example (modified from Pigdevil2010's ws m payload, Growlithe>Onix):

Tangela with 233 HP
Nidoking
Metapod
Haunter
Flareon
Parasect
Onix
Tentacool
Grimer
Any Pokémon

4) Have the following items starting at item 3, and then use -g m to run the code.

Lemonade x(trade ID you want)
TM34 x61
TM05 x4
Repel x84
Poké Ball x123
TM05 x109
Lemonade x195
TM15 x36
TM01 x01

This represents the following code:
ld a,xx        ; xx = trade ID (quantity of the first Lemonade)
ld (CD3D),a    ; W_WHICHTRADE
inc b
ld e,54        ; Predef command ID
inc b
ld a,e
call 3E6D      ; Predef
jp 24D7        ; TextScriptEnd
ret

As opcodes and operands, this reads:
3E XX EA 3D CD 04 1E 54 04 7B CD 6D 3E C3 D7 24 C9 (01)

Japanese Pokémon Green v1.0:
-----
In Pokémon Green v1.0 and v1.1, てへ (hex:7B) executes code from D806, which is wild encounter data.

Note that in Green v1.1 (where the item code below may have to be adjusted if any addresses or the Predef value are different), the item must be used when there is a 50h tile early on the screen, due to its name being slightly different, to avoid a freeze (e.g. the bottom-left corner of a bush tile in overworld places). This is a suitable place to use the item: http://i.imgur.com/vXbRIKc.png (the picture applies to all other Generation I games and "long-name glitch items" as well).

When the player talks to the old man, their name is stored in this region; D806 (containing the first letter) is then replaced with 00 after the battle. Hence, with a specific player name the player can create a short payload to item 3.

てへ was documented by memdump in this post. http://forums.glitchcity.info/index.php/topic,6638.msg196500.html#msg196500
(Another video showing "てへ": https://www.youtube.com/watch?v=B1E4msXNaYY)

Steps:
1) Have the player name as "(any character)てルめ" (jp D2A6). This acts as a payload to item 3.
2) Obtain a "てへ" (hex:7B) by digging it up from Cycling Road with a y-coordinate of 123.
3) Talk to the old man in Viridian City and say いいえ ("no") to watch his catching demonstration.

4) Have the following items starting at item 3, then use てへ to run the code.

Lemonade x(trade ID you want)
TM34 x61
TM05 x4
Repel x84
Poké Ball x123
TM05 x157
Lemonade x195
Gold Badge (hex:6A; "ゴールドバッヂ", not ゴールドバッジ) x15
TM01 x1

This represents the following code:
ld a,xx        ; xx = trade ID (quantity of the first Lemonade)
ld (CD3D),a    ; W_WHICHTRADE
inc b
ld e,54        ; Predef command ID
inc b
ld a,e
call 3E9D      ; Predef
jp 0F6A        ; TextScriptEnd
ret

As opcodes and operands, this reads:
3E XX EA 3D CD 04 1E 54 04 7B CD 9D 3E C3 6A 0F C9 (01)

Japanese Pokémon Blue:
-----
In Japanese Blue, the long name item (hex:7B) executes code from D806 just like in Japanese Green. However, it must be used when there is a 50h tile early on the screen (e.g. the bottom-left corner of a bush tile in overworld places) to avoid a freeze. This is a suitable place to use the item: http://i.imgur.com/vXbRIKc.png

Steps:
1) Have the player name as "(any character)てルめ" (jp D2A6). This acts as a payload to item 3.
2) Obtain a hex:7B item by digging it up from Cycling Road with a y-coordinate of 123.
3) Talk to the old man in Viridian City and say いいえ ("no") to watch his catching demonstration.

4) Have the following items starting at item 3, then use hex:7B to run the code.

Lemonade x(trade ID you want)
TM34 x61
TM05 x4
Repel x84
Poké Ball x123
TM05 x177
Lemonade x195
イ゙ピま (hex:B7) x36 (available with the make your own items glitch with the second character as "き" https://www.youtube.com/watch?v=L16bVsyZI10 and a character ID greater than $24, http://hax.iimarck.us/topic/274/; the item can then be tossed to obtain the correct quantity. Possibly accessible with a y-position looping map trick as well [swap an item with an ID greater than the y boundary into the y-coordinate item and move down].)
TM01 x1

This represents the following code:
ld a,xx        ; xx = trade ID (quantity of the first Lemonade)
ld (CD3D),a    ; W_WHICHTRADE
inc b
ld e,54        ; Predef command ID
inc b
ld a,e
call 3EB1      ; Predef
jp 24B7        ; TextScriptEnd
ret

As opcodes and operands, this reads:
3E XX EA 3D CD 04 1E 54 04 7B CD B1 3E C3 B7 24 C9 (01)

Japanese Pokémon Yellow v1.0:
-----
In Japanese Yellow v1.0, Japanese Yellow Rev A, Rev B and Rev 3, the item "かいがらバッヂ" (hex:63) activates code at D9B2 (number of stored Pokémon in the box), just like in English Pokémon Yellow.

In 2013, Wack0 was looking into arbitrary code execution items for Japanese Yellow and found the execution pointer. TheZZAZZGlitch explained that hex:63 executed D9B2 and that D9B2 was the number of stored Pokémon in the box. http://forums.glitchcity.info/index.php/topic,6638.msg192561.html#msg192561

Steps:
1) Obtain a hex:63 item by digging it up from Cycling Road with a y-coordinate of 99.
2) Use a payload that redirects the code flow to inventory item 3.

Example (presented by Wack0, modified from TheZZAZZGlitch's English "ws m" payload):

1. 20 Pokémon in your PC box [0xD9B2 = 0x14]
2. Slowpoke as the 1st Pokémon in the current PC box [0xD9B3 = 0x25]
3. Slowpoke as the 2nd Pokémon in the current PC box [0xD9B4 = 0x25]
4. Slowpoke as the 3rd Pokémon in the current PC box [0xD9B5 = 0x25]
5. Slowpoke as the 4th Pokémon in the current PC box [0xD9B6 = 0x25]
6. Slowpoke as the 5th Pokémon in the current PC box [0xD9B7 = 0x25]
7. Slowpoke as the 6th Pokémon in the current PC box [0xD9B8 = 0x25]
8. Voltorb as the 7th Pokémon in the current PC box [0xD9B9 = 0x06]
9. Raticate as the 8th Pokémon in the current PC box [0xD9BA = 0xA6]
10. Jolteon as the 9th Pokémon in the current PC box [0xD9BB = 0x68]
11. Geodude as the 10th Pokémon in the current PC box [0xD9BC = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box [0xD9BD = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box [0xD9BE = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box [0xD9BF = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box [0xD9C0 = 0xA9]
16. Geodude as the 15th Pokémon in the current PC box [0xD9C1 = 0xA9]
17. Geodude as the 16th Pokémon in the current PC box [0xD9C2 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box [0xD9C3 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box [0xD9C4 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box [0xD9C5 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box [0xD9C6 = 0x06]
:: END OF LIST MARKER [0xFF] [0xD9C7 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box [0xD9C8 = 0x25]
23. First PC box Pokémon needs to have 233 HP [0xD9C9 = 0x00]
[0xD9CA = 0xE9]

3) Have the following items starting at item 3, and then use かいがらバッヂ to run the code.

Lemonade x(trade ID you want)
TM34 x61
TM05 x4
Repel x84
Poké Ball x123
TM05 x173
Lemonade x4
TM10 x255
HP Up x201

This represents the following code:
ld a,xx        ; xx = trade ID (quantity of the first Lemonade)
ld (CD3D),a    ; W_WHICHTRADE
inc b
ld e,54        ; Predef command ID
inc b
ld a,e
call 3EAD      ; Predef
inc b          ; byte 04 (quantity of the second Lemonade), present in the byte listing below
jp nc,23FF     ; TextScriptEnd, taken only if the carry flag is clear
ret

As opcodes and operands, this reads:
3E XX EA 3D CD 04 1E 54 04 7B CD AD 3E 04 D2 FF 23 C9


Basis
-----

This is an original in-game trade script from Pokémon Red:

Route2HouseText2: ; 0x1def9
	db $08 ; asm
	ld a, $1
	ld [W_WHICHTRADE], a
	ld a, $54
	call Predef
	jp TextScriptEnd

Register "a" is loaded with $01 and written to $CD3D, which then controls the NPC's text when execution of the predefined command $54 follows.

For these arbitrary code executions we run the same code, with three differences: $08 is omitted ($08 is a text command that tells a normal text box to execute code, and we don't need it because the game is not in normal text mode and we are already executing code); some minor adjustments make the code representable as items that are OK; and we write our own value for 'a', manipulable by altering the item 3 quantity, to access any trade.

The code is not the same between versions because the locations of the Predef and TextScriptEnd routines are different, whereas the W_WHICHTRADE address remains as CD3D and the Predef command ID remains at $54 between all five versions I have tested.

Predef pointers:
Yellow - 3EB4
Red - 3E6D
Green v1.0 - 3E9D
Japanese Blue - 3EB1
Japanese Yellow v1.0 - 3EAD

TextScriptEnd pointers:
Yellow - 23D2
Red - 24D7
Green v1.0 - 0F6A
Japanese Blue - 24B7
Japanese Yellow v1.0 - 23FF
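
The item lists and the "As opcodes and operands" lines above are the same data read two ways: each bag slot is an (ID, quantity) byte pair. As an added example (not part of the original paste), this Python code rebuilds the English Yellow and Japanese Yellow bytes from their item lists and decodes them; the item ID constants are the Generation I indexes implied by the paste's own byte listings, and the trade ID 01 is a constructed sample value.

```python
# Added example, not from the original paste. Item IDs are the Generation I
# internal indexes implied by the paste's byte listings.
LEMONADE, REPEL, POKE_BALL, HP_UP = 0x3E, 0x1E, 0x04, 0x23

def tm(n):
    """TM01 is item 0xC9, so TMnn is 0xC8 + nn."""
    return 0xC8 + n

# Only the opcodes these payloads use: mnemonic template and operand length.
OPCODES = {
    0x3E: ("ld a,{:02X}", 1), 0xEA: ("ld ({:04X}),a", 2), 0x04: ("inc b", 0),
    0x1E: ("ld e,{:02X}", 1), 0x7B: ("ld a,e", 0), 0xCD: ("call {:04X}", 2),
    0xC3: ("jp {:04X}", 2), 0xD2: ("jp nc,{:04X}", 2), 0xC9: ("ret", 0),
}

def item_list(trade_id, predef_lo, tail):
    """The six slots every version shares, then the version-specific tail."""
    return [(LEMONADE, trade_id), (tm(34), 61), (tm(5), 4), (REPEL, 84),
            (POKE_BALL, 123), (tm(5), predef_lo)] + tail

def items_to_bytes(items):
    """Bag slots sit in RAM as consecutive (ID, quantity) byte pairs."""
    return bytes(b for slot in items for b in slot)

def disassemble(code):
    """Linear decode up to and including the first ret."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"byte {op:02X} at offset {pc} is not in the table")
        fmt, n = OPCODES[op]
        if pc + 1 + n > len(code):
            raise ValueError(f"operand of {op:02X} at offset {pc} is truncated")
        out.append(fmt.format(int.from_bytes(code[pc + 1:pc + 1 + n], "little")))
        pc += 1 + n
        if op == 0xC9:
            break
    return out

TRADE_ID = 0x01  # constructed sample value
EN_YELLOW = item_list(TRADE_ID, 180, [(LEMONADE, 195), (tm(10), 35), (tm(1), 1)])
JP_YELLOW = item_list(TRADE_ID, 173, [(LEMONADE, 4), (tm(10), 255), (HP_UP, 201)])

if __name__ == "__main__":
    for name, items in (("English Yellow", EN_YELLOW), ("Japanese Yellow", JP_YELLOW)):
        code = items_to_bytes(items)
        print(name, code.hex(" ").upper())
        print("   ", "; ".join(disassemble(code)))
```

The decode shows that instruction boundaries do not follow slot boundaries: the second Lemonade's ID byte 3E is consumed as the high byte of the call address, so its quantity byte is what executes next (C3, jp, in English Yellow; 04, inc b, in Japanese Yellow).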