Torchickens

Pokémon RBYGSC arbitrary code execution data mining

Dec 6th, 2019
You can data-mine the ROM with ACE and view the result with the existing memory viewer ACE programs.

A common buffer to redirect to from the items is the player party (wPartyCount at D163; D168 in the non-English EU versions; D123 in all JP versions) for the '5kai/8F family' of glitch items.

For more information specifically on how to set up ACE, see https://glitchcity.info/wiki/Arbitrary_code_execution

You can also write these bytes with GameShark. A raw GameShark code 01VVLLHH writes byte VV to address HHLL, so to place jp D322 (C3 22 D3) at D163 use 01C363D1, 012264D1, 01D365D1, and then write the stub bytes from the examples below at D322. That is 3 + 15 codes, which is not too bad.

This allows you to data-mine even on cartridge. If you can't do the glitches, I recommend using an Xploder GB if you can get one, and saving your data-mine code. Installing the offgao/TheZZAZZGlitch editor however is tricky, as that is at least 173 codes at the moment.

If installing it takes too much time (e.g. you make typos when entering the codes, or your cheat device can't handle it), you can still deconstruct a region of memory by hand with the table at https://glitchcity.info/wiki/The_Big_HEX_List. Each item slot is two bytes (item ID, then quantity) and the CPU reads those bytes as opcodes: if glitch item 0x80 is at the start of the PC items, it is executed as "add a,b"; if an opcode takes an operand (written "xx", "yy", etc. in the table) the following byte(s) are the operand, so Lemonade x1 is 3E 01, i.e. ld a,01.

These methods currently give bad items (some of them cannot be tossed), so until the code is rewritten, the only way to get key items (permanently) with specific quantities is to use another ACE code to get them, or potentially to find them at specific maps in the expanded inventory. Another way might be to trick the game with ACE into 'thinking' they are tossable?

---
Red/(Green research incomplete sorry; Japanese Red tested)/Blue/Yellow versions
---

EN, non-English EU RBY versions
---

(4F ($59)/8F ($5D)/etc.)

(For Yellow, ACE has taken a different path to 8F. The primary exploit to bootstrap to items has been ws m ($63), which executes at DA7F.)

The stub, placed at D322 (bag item 3 in EN Red/Blue):

d322: 3e (bank) 21 (source) 01 (bytes to copy) 11 (destination) cd 9d 00 c9

i.e. ld a,bank / ld hl,source / ld bc,count / ld de,destination / call FarCopyData ($009D) / ret. All 16-bit operands are little-endian (low byte first), so 6400 means 0x64 bytes and 3BD5 means D53B.

Example (copy 0x64 bytes from 01:4000 to PC items at D53B):

3E01210040016400113BD5CD9D00C9

FR, DE, IT, ES RB/RBY are mainly the same; all share the same FarCopyData pointer at 009D (7eme etage etc.; S7; 7P; P7 respectively are the $5D items. The 0x63 family is ws l' m (FR/DE) or ws & m (Italian/Spanish)).

Yellow: for Yellow, subtract 1 from most of your addresses (so D53B becomes D53A etc.); for the non-English EU versions add 5 as well (so for non-English EU Yellow both adjustments apply).

Non-English EU Red/Blue example (same stub, +5: code at D327, PC items at D540):

d327: 3e (bank) 21 (source) 01 (bytes to copy) 11 (destination) cd 9d 00 c9

3E012100400164001140D5CD9D00C9

JP RGB

In JP RG, the FarCopyData pointer is at 01A3 instead. RAM addresses are generally not subject to change between the Japanese RGBY versions, but offset differences sometimes exist (commonly with ROM addresses). You'll want something like D2A6 (instead of D322/D321), or wherever you want the code to start in the items.

てへ and 5かい are examples that work; another is なかよしバッヂ (FriendBadge), which runs $D983. On the GCL wiki:

https://glitchcity.info/wiki/ItemDexJP/RG:123
https://glitchcity.info/wiki/ItemDexJP/RGB:090

Use:
3E0121004001640011BAD4CDA301C9 for Red/Green v1.0 and v1.1 (copies 0x64 bytes from 01:4000 to D4BA)

3E0121004001640011BAD4CD0317C9 for JP Blue (FarCopyData at 1703)

JP Yellow v1.0 through v1.3

In these versions, the 0x63 equivalent is かいがらバッヂ, which executes where stored Pokémon begin ($D9B2). If the version is not v1.0, you can also use はやぶさバッヂ (FalconBadge) to run PC item 9 ($D4CA) straight away, with no bootstrap necessary.

Use:

3E0121004001640011BAD4CDD315C9

for v1.0 (FarCopyData at 15D3)
;Rev A

;Rev B

;Rev 3

---
Gold/Silver/Crystal versions
---

The stub is the same, except that 0x32 bytes are copied and the call goes to the GSC far-copy routine (FarCopyBytes in the disassemblies), whose address differs per version as given below. The mined bytes land in the TM/HM quantities, so you read them back from the TM pocket.

EN/FR/DE/IT/ES Gold/Silver (Silver research incomplete sorry, EN Silver confirmed) (fa6a/da6a for tm25) d5b8 item 1=d8
3E01210040013200117ED5CDCD0DC9

EN (v1.0 and v1.1)/FR/DE/IT/ES Crystal (fa69/da69 for tm25) d893 item 1=d8
3E012100400132001159D8CD8D0EC9

KO Gold (Silver not tested sorry) (d6d2 for tm49) d66b item 1=f1. This one copies a duplicate of each byte for some reason; keep this in mind, e.g. a 3E would appear in the TM pocket as quantity 62 (0x3E) followed by another 62.
3E012100400132001131D6CDCB0DC9

JP Gold (v1.0 and v1.1) (fa6d/da6d for tm25) d5ab item 1=d8
3E012100400132001171D5CDB60DC9

JP Crystal (fa10/da10 for tm10) d886 item 1=ce
3E01210040013200114CD8CD770EC9
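The stub and the GameShark install described above, done by script. This is an added example (not Torchickens' tooling and not part of the original paste): it takes every address from the text above, assumes the raw GameShark 01VVLLHH write format, assumes the D2A6 stub location also holds for JP Blue/Yellow (the page says JP RAM addresses are generally shared), and its disassembler covers only the handful of opcodes the page's stubs and text use.

```python
"""Assemble the FarCopyData data-mining stub from this page for each listed
version, express it as GameShark codes, and show how it reads back as item
ID/quantity pairs.  Added example (not Torchickens' tooling); addresses are
copied from the page text."""
import struct

# Per version (from the page): far-copy routine called, destination the mined
# bytes land in, how many bytes the page's example copies, and (where the page
# gives it) where the stub itself sits in the item data.  The JP B/Y `code`
# value is an assumption: the page says JP RAM addresses are generally shared.
VERSIONS = {
    "EN RB":         dict(call=0x009D, dest=0xD53B, length=0x64, code=0xD322),
    "EU RB":         dict(call=0x009D, dest=0xD540, length=0x64, code=0xD327),  # FR/DE/IT/ES (+5)
    "JP RG":         dict(call=0x01A3, dest=0xD4BA, length=0x64, code=0xD2A6),
    "JP B":          dict(call=0x1703, dest=0xD4BA, length=0x64, code=0xD2A6),
    "JP Y v1.0":     dict(call=0x15D3, dest=0xD4BA, length=0x64, code=0xD2A6),
    "EN/EU GS":      dict(call=0x0DCD, dest=0xD57E, length=0x32, code=None),
    "EN/EU Crystal": dict(call=0x0E8D, dest=0xD859, length=0x32, code=None),
    "KO Gold":       dict(call=0x0DCB, dest=0xD631, length=0x32, code=None),
    "JP GS":         dict(call=0x0DB6, dest=0xD571, length=0x32, code=None),
    "JP Crystal":    dict(call=0x0E77, dest=0xD84C, length=0x32, code=None),
}

def build_stub(bank, source, length, dest, call):
    """ld a,bank / ld hl,source / ld bc,length / ld de,dest / call far-copy / ret.
    16-bit operands are little-endian ("end byte first" on the page)."""
    for v in (source, length, dest, call):
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"{v:#x} does not fit in 16 bits")
    return (bytes([0x3E, bank & 0xFF])
            + b"\x21" + struct.pack("<H", source)
            + b"\x01" + struct.pack("<H", length)
            + b"\x11" + struct.pack("<H", dest)
            + b"\xCD" + struct.pack("<H", call)
            + b"\xC9")

def stub_hex(version, bank=0x01, source=0x4000, length=None, dest=None):
    """Hex string for a version; the defaults reproduce the page's examples."""
    v = VERSIONS[version]
    data = build_stub(bank, source, length or v["length"], dest or v["dest"], v["call"])
    return data.hex().upper()

def localize_rby(addr, yellow=False, eu=False):
    """The page's rule of thumb for RBY RAM addresses: -1 for Yellow, +5 for non-EN EU."""
    return addr - (1 if yellow else 0) + (5 if eu else 0)

def gameshark_codes(addr, data):
    """Raw GameShark RAM writes: 01 VV LL HH writes byte VV to address HHLL."""
    return [f"01{b:02X}{(addr + i) & 0xFF:02X}{(addr + i) >> 8:02X}"
            for i, b in enumerate(data)]

def install_codes(version, party_count):
    """Codes for the whole install: jp <stub> at wPartyCount (the first thing
    8F / 5kai executes), then the stub bytes in the item data."""
    v = VERSIONS[version]
    if v["code"] is None:
        raise ValueError("page gives no stub location for " + version)
    jump = b"\xC3" + struct.pack("<H", v["code"])
    return gameshark_codes(party_count, jump) + gameshark_codes(v["code"], bytes.fromhex(stub_hex(version)))

def as_item_pairs(data):
    """How the bytes read in an item pocket: (item ID, quantity) per 2 bytes;
    a trailing odd byte is an item whose quantity is the next slot's byte."""
    return [(data[i], data[i + 1] if i + 1 < len(data) else None)
            for i in range(0, len(data), 2)]

# Mini decoder: only the opcodes this page's stubs and text use (0x80 = add a,b).
OPCODES = {0x3E: ("ld a,{:02X}", 1), 0x21: ("ld hl,{:04X}", 2), 0x01: ("ld bc,{:04X}", 2),
           0x11: ("ld de,{:04X}", 2), 0xCD: ("call {:04X}", 2), 0xC3: ("jp {:04X}", 2),
           0xC9: ("ret", 0), 0x80: ("add a,b", 0)}

def disassemble(data):
    """Decode a byte run the way the CPU will when it executes the item data."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op not in OPCODES:
            raise ValueError(f"opcode {op:02X} is outside this mini table; see the Big HEX List")
        text, size = OPCODES[op]
        if i + 1 + size > len(data):
            raise ValueError(f"operand of {op:02X} runs past the end of the buffer")
        operand = int.from_bytes(data[i + 1:i + 1 + size], "little")
        out.append(text.format(operand) if size else text)
        i += 1 + size
    return out

if __name__ == "__main__":
    for name in VERSIONS:
        print(f"{name:14} {stub_hex(name)}")
    print("\n".join(install_codes("EN RB", party_count=0xD163)))
    print(as_item_pairs(bytes.fromhex(stub_hex("EN RB"))))
    print(disassemble(bytes.fromhex(stub_hex("EN RB"))))
```

Running it prints every version's stub (each matches the hex string given for it above), the 18 GameShark codes for the EN Red/Blue install (3 for the jump at D163 plus 15 for the stub at D322), the stub as item pairs (Lemonade x1 first) and its disassembly. Pass a different `source`, `length` or `dest` to `stub_hex` to mine another region.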