Crystal box name codes: Difference between revisions
>Bbbbbbbbba (Moved a large chunk from 0x1500 control code arbitrary code execution to here.) |
m (Text replacement - "(\bld(?:|i|l|d|h) (?:.+, ?)?)\((.+)\)" to "$1[$2]") |
||
Line 31: | Line 31: | ||
or a, d0 |
or a, d0 |
||
ld |
ld [f893],a |
||
pop hl |
pop hl |
||
Line 43: | Line 43: | ||
sub b9 ; 47 |
sub b9 ; 47 |
||
ld |
ld [fb8c],a |
||
xor a |
xor a |
||
Line 55: | Line 55: | ||
sub 9a ;c3 |
sub 9a ;c3 |
||
ld |
ld [fa80],a |
||
ei |
ei |
||
Line 65: | Line 65: | ||
sub b8 ; 48 |
sub b8 ; 48 |
||
ld |
ld [fb9c],a |
||
xor a |
xor a |
||
Line 75: | Line 75: | ||
sub 8b ; 75 |
sub 8b ; 75 |
||
ld |
ld [fa81],a |
||
xor a |
xor a |
||
Line 83: | Line 83: | ||
ld d,b |
ld d,b |
||
ld |
ld [fbac],a |
||
xor a |
xor a |
||
Line 95: | Line 95: | ||
ld d,b |
ld d,b |
||
ld |
ld [fa88],a |
||
or a |
or a |
||
Line 115: | Line 115: | ||
sub a8 |
sub a8 |
||
ld |
ld [fb88],a |
||
xor a |
xor a |
||
Line 125: | Line 125: | ||
sub a9 |
sub a9 |
||
ld |
ld [fb8b],a |
||
xor a |
xor a |
||
Line 133: | Line 133: | ||
ld d,b |
ld d,b |
||
ld |
ld [f880],a |
||
ld |
ld [f881],a |
||
ld d,b |
ld d,b |
||
Line 160: | Line 160: | ||
or a, 93 |
or a, 93 |
||
sub 80 |
sub 80 |
||
ld |
ld [fce1],a |
||
ld d,b |
ld d,b |
||
pop hl |
pop hl |
||
Line 181: | Line 181: | ||
or a, ff |
or a, ff |
||
ld |
ld [fca4],a |
||
ei |
ei |
||
Line 189: | Line 189: | ||
ld d,b |
ld d,b |
||
ld |
ld [fca5],a |
||
ld |
ld [fca6],a |
||
pop hl |
pop hl |
||
Line 199: | Line 199: | ||
ld d,b |
ld d,b |
||
ld |
ld [fca7],a |
||
ld |
ld [fca8],a |
||
or a |
or a |
||
Line 240: | Line 240: | ||
sub b2 ;a=4e |
sub b2 ;a=4e |
||
ld |
ld [fb89],a |
||
xor a |
xor a |
||
Line 252: | Line 252: | ||
sub 80 ;a=01 |
sub 80 ;a=01 |
||
ld |
ld [fb88],a |
||
ld d,b |
ld d,b |
||
Line 258: | Line 258: | ||
ld d,b |
ld d,b |
||
ld |
ld [8080],a |
||
xor a |
xor a |
||
Line 268: | Line 268: | ||
ld d,b |
ld d,b |
||
ld |
ld [fba4],a |
||
xor a |
xor a |
||
Line 278: | Line 278: | ||
ld d,b |
ld d,b |
||
ld |
ld [fba3],a |
||
xor a |
xor a |
||
Line 288: | Line 288: | ||
ld d,b |
ld d,b |
||
ld |
ld [8181],a |
||
xor a |
xor a |
||
Line 334: | Line 334: | ||
ld d,b |
ld d,b |
||
ld |
ld [fbd1],a |
||
xor a |
xor a |
||
Line 344: | Line 344: | ||
ld d,b |
ld d,b |
||
ld |
ld [fbd0],a |
||
xor a |
xor a |
||
Line 354: | Line 354: | ||
ld d,b |
ld d,b |
||
ld |
ld [8888],a |
||
or a |
or a |
||
Line 369: | Line 369: | ||
ld a,01 |
ld a,01 |
||
ld |
ld [4e01],a ;change to SRAM bank 1 |
||
ld a, 0a |
ld a, 0a |
||
ld |
ld [0d01],a ;this enables writing to SRAM |
||
ld a, 0b |
ld a, 0b |
||
ld |
ld [be3c],a ;enable Celebi GS Ball event |
||
==Get Master Ball items slot 2== |
==Get Master Ball items slot 2== |
||
Line 392: | Line 392: | ||
sub 80 |
sub 80 |
||
ld |
ld [f895],a |
||
ld d,b |
ld d,b |
||
Line 430: | Line 430: | ||
ld d,b |
ld d,b |
||
ld |
ld [fb88],a |
||
xor a |
xor a |
||
Line 440: | Line 440: | ||
ld d,b |
ld d,b |
||
ld |
ld [f880],a |
||
or a |
or a |
||
Line 466: | Line 466: | ||
sub 80 |
sub 80 |
||
ld |
ld [f4b6],a |
||
ld d,b |
ld d,b |
||
Line 492: | Line 492: | ||
sub 80 |
sub 80 |
||
ld |
ld [f4b6],a |
||
ld d,b |
ld d,b |
||
Line 528: | Line 528: | ||
ld d,b |
ld d,b |
||
ld |
ld [fb88],a |
||
xor a |
xor a |
||
Line 540: | Line 540: | ||
ld d,b |
ld d,b |
||
ld |
ld [fc80],a |
||
pop hl |
pop hl |
||
Line 562: | Line 562: | ||
sub 80 |
sub 80 |
||
ld |
ld [fcfa],a |
||
ld d,b |
ld d,b |
||
Line 590: | Line 590: | ||
sub 80 |
sub 80 |
||
ld |
ld [fcb5],a |
||
ld d,b |
ld d,b |
||
Line 600: | Line 600: | ||
sub a7 (;59) |
sub a7 (;59) |
||
ld |
ld [fcb6],a |
||
or a |
or a |
Revision as of 21:02, 19 January 2021
Box name codes are assembly instructions encoded in the names of boxes. They are used as payloads of arbitrary code execution exploits, and are usually the most convenient for that purpose in Generation II, because the box names are easy to change, the available character set covers a large range of useful assembly instructions, and they are stored in a consecutive memory area (except the 0x50 terminators in between).
For a list of hex values for all available characters in Generation II and their corresponding assembly instructions, see the Big HEX List.
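The following box codes are designed specifically for the 0x1500 control code arbitrary code execution exploit. As such, they may make some assumptions about the state of registers and the stack after the bootstrap process. In the listings, the `ld d,b` lines between names correspond to the 0x50 name terminators, which are executed like any other byte, and store addresses in the F000–FDFF range are echo-RAM mirrors of D000–DDFF (for example, `ld [fce1],a` writes DCE1). Several codes are self-modifying: an early store rewrites the address bytes of a later `ld`, so the address printed in the listing is only a placeholder.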
Get wrong pocket TM17 with code at DA47 to go to DB75 (i.e. set up TM17 ACE to go to box names by default):
When a TM or HM is used from the wrong pocket, the game executes an unintended code pointer. TM17 executes DA47, which is in WRAM, and this data persists after save and reset. With this code in place, executing DA47 redirects to the box names (DB75; specifically, the codes start from PC Box 1, character 1, unlike common Coin Case box name ACE cheats). Once set up, using TM17 is faster than 0x1500 control code arbitrary code execution, as you don't need to do the Antidote x21 steps or have the bad-name Lapras and view its summary. In addition:
i. With wrong pocket TM17, you are free to have whatever party Pokémon you like (DA47 in Crystal is related to Mobile GB Adapter variables that are fortunately saved, so it appears that it won't be affected by party Pokémon, at least while offline). ii. With wrong pocket TM17, it won't matter whether your inventory later becomes full; you can do it late in the game. (Note that there is another method to do 0x1500 control code arbitrary code execution late in the game and with no trades, but it requires a specific type of bad clone (an unterminated name clone), which may be a pain for some.)
p0'déT2(Pk)5
p'vzéM5p5
'vd'v(éA45
p'vyé:5p5
'vLéB4p'vx
ém5p0555
éI4x'd
; Installs a three-byte jump at DA47 using only bytes that can be typed as
; box-name characters. Entry is DB75 (PC Box 1, character 1); execution runs
; straight through the names, terminators included.
; Store addresses in the Fxxx range are echo-RAM mirrors of Dxxx
; (fb8c = DB8C, fa47 = DA47).
; Self-modifying: the stores to fb8c, fb9c and fbac each overwrite the low
; address byte of a later `ld [fa8x],a` (by byte count from DB75), turning the
; placeholder targets fa80/fa81/fa88 into fa47/fa48/fa49.
; Net result: DA47..DA49 = c3 75 fb, i.e. `jp fb75`, the mirror of DB75.
; The patches land inside the box names themselves, so after the first run
; the names no longer hold exactly the bytes that were typed.
xor a                   ; a = 00
or a, d0                ; a = d0
ld [f893],a             ; f893 (mirror of D893) = d0; purpose not explained on this page
pop hl                  ; removes one word from the stack; presumably matches the state left by the bootstrap - confirm
ei                      ; looks like one-byte filler completing the 8-character name
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
xor a                   ; a = 00
sub b9 ; a = 00 - b9 = 47
ld [fb8c],a             ; patch: the later `ld [fa80],a` becomes `ld [fa47],a`
xor a                   ; a = 00
ei                      ; filler
ld d,b                  ; terminator
sub a3                  ; a = 00 - a3 = 5d
sub 9a ;a = 5d - 9a = c3 (the `jp` opcode)
ld [fa80],a             ; runs as `ld [fa47],a`: DA47 = c3
ei                      ; filler
ld d,b                  ; terminator
xor a                   ; a = 00
sub b8 ; a = 00 - b8 = 48
ld [fb9c],a             ; patch: the later `ld [fa81],a` becomes `ld [fa48],a`
xor a                   ; a = 00
ei                      ; filler
ld d,b                  ; terminator
sub 8b ; a = 00 - 8b = 75 (low byte of the jump target)
ld [fa81],a             ; runs as `ld [fa48],a`: DA48 = 75
xor a                   ; a = 00
sub b7; a = 00 - b7 = 49
ld d,b                  ; terminator
ld [fbac],a             ; patch: the later `ld [fa88],a` becomes `ld [fa49],a`
xor a                   ; a = 00
or a, fb                ; a = fb (high byte of the jump target)
ei                      ; filler
ei                      ; filler
ld d,b                  ; terminator
ld [fa88],a             ; runs as `ld [fa49],a`: DA49 = fb
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
All badges:
p'viéI5p5
'vjéL5p09
éA2éB2(Pk)'d
; Writes ff to D857 and D858 through their echo-RAM mirrors f857/f858;
; per the heading these are presumably the badge flag bytes (the page does
; not name them).
; Self-modifying: 58 and 57 are computed first and stored over the low
; address bytes of the two placeholder stores `ld [f880],a` and
; `ld [f881],a` (fb88 = DB88 and fb8b = DB8B, by byte count from DB75).
xor a                   ; a = 00
sub a8                  ; a = 00 - a8 = 58
ld [fb88],a             ; patch: `ld [f880],a` below becomes `ld [f858],a`
xor a                   ; a = 00
ld d,b                  ; NOTE(review): two one-byte slots here; one is the 0x50 terminator,
ld d,b                  ; the other looks like filler - compare with the box name above
sub a9                  ; a = 00 - a9 = 57
ld [fb8b],a             ; patch: `ld [f881],a` below becomes `ld [f857],a`
xor a                   ; a = 00
or a, ff                ; a = ff
ld d,b                  ; terminator
ld [f880],a             ; runs as `ld [f858],a`: D858 = ff
ld [f881],a             ; runs as `ld [f857],a`: D857 = ff
ld d,b
ld d,b
ld d,b
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
Have Fly (DCE1 [move 1]=0x13):
p0T'vAé(Pk)6
(Pk)x'd
; One store, no self-modification: a = 00 | 93 = 93, then 93 - 80 = 13,
; written to fce1, the echo-RAM mirror of DCE1 (move 1; 13 is the value the
; heading gives). The or/sub pair is presumably used because 13 itself is not
; a typeable character value - confirm.
; `ld d,b` is the 0x50 name terminator; `or a` clears carry so the following
; `ret nc` always returns. `pop hl` removes one word from the stack first.
xor a or a, 93 sub 80 ld [fce1],a ld d,b pop hl or a ret nc ld d,b
Fly can go anywhere
p09ée655
éf6ég6(Pk)5
éh6éi6x'd
; Fills five consecutive bytes, DCA4..DCA8, with ff through their echo-RAM
; mirrors fca4..fca8. Per the heading these presumably decide which Fly
; destinations are offered; the page does not name them.
; No self-modification: every store address is typed directly.
xor a                   ; a = 00
or a, ff                ; a = ff
ld [fca4],a             ; DCA4 = ff
ei                      ; looks like one-byte filler
ei                      ; filler
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
ld [fca5],a             ; DCA5 = ff
ld [fca6],a             ; DCA6 = ff
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
ei                      ; filler
ld d,b                  ; terminator
ld [fca7],a             ; DCA7 = ff
ld [fca8],a             ; DCA8 = ff
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; terminator after the return; not reached
Get GS Ball in Goldenrod City Pokémon Center
p'vséJ5p(Pk)
0B'vAéI55
éAAp0N'vA
ée5p0B'vA
éd5p0K'vA
éBBp'va'vc
55555555
55555555
é'l5p'v(male)'v't
é'd5p0L'vA
éIIx'd
; Sets one byte in cartridge save RAM. The three stores with placeholder
; addresses (8080, 8181, 8888) are patched at run time, high and low address
; byte separately, through the echo-RAM mirrors of the box-name area
; (fbxx = DBxx). After patching they run as:
;   ld [4e01],a   with a = 01
;   ld [0d01],a   with a = 0a
;   ld [be3c],a   with a = 0b
; which is the sequence summarised after this listing.
; NOTE(review): nothing here writes to 0d01 again, so SRAM write access is
; left as this code set it when it returns. Whether the game locks SRAM again
; afterwards is not shown on this page; keep a backup of the save before use.
xor a                   ; a = 00
sub b2 ;a = 00 - b2 = 4e
ld [fb89],a             ; patch high address byte of `ld [8080],a` -> 4e
xor a                   ; a = 00
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
or 81                   ; a = 81
sub 80 ;a = 81 - 80 = 01
ld [fb88],a             ; patch low address byte of `ld [8080],a` -> 01
ld d,b
ld d,b
ld [8080],a             ; runs as `ld [4e01],a` with a = 01
xor a                   ; a = 00
or 8d                   ; a = 8d
sub 80 ;a = 8d - 80 = 0d
ld d,b                  ; terminator
ld [fba4],a             ; patch high address byte of `ld [8181],a` -> 0d
xor a                   ; a = 00
or 81                   ; a = 81
sub 80                  ; a = 01
ld d,b                  ; terminator
ld [fba3],a             ; patch low address byte of `ld [8181],a` -> 01
xor a                   ; a = 00
or 8a                   ; a = 8a
sub 80                  ; a = 0a
ld d,b                  ; terminator
ld [8181],a             ; runs as `ld [0d01],a` with a = 0a
xor a                   ; a = 00
sub a0                  ; a = 00 - a0 = 60
sub a2 ;a = 60 - a2 = be
ld d,b                  ; terminator
; Two names consisting only of `ei`; the page does not say why the filler is
; needed.
ei
ei
ei
ei
ei
ei
ei
ei
ld d,b                  ; terminator
ei
ei
ei
ei
ei
ei
ei
ei
ld d,b                  ; terminator
ld [fbd1],a             ; patch high address byte of `ld [8888],a` -> be
xor a                   ; a = 00
sub ef                  ; a = 00 - ef = 11
sub d5 ; a = 11 - d5 = 3c
ld d,b                  ; terminator
ld [fbd0],a             ; patch low address byte of `ld [8888],a` -> 3c
xor a                   ; a = 00
or 8b                   ; a = 8b
sub 80 ; a = 8b - 80 = 0b
ld d,b                  ; terminator
ld [8888],a             ; runs as `ld [be3c],a` with a = 0b
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; not reached
ld d,b                  ; not reached
What this does, in effect, once the self-patching stores have filled in the placeholder addresses:
; Effective store sequence of the listing above once its placeholder
; addresses (8080, 8181, 8888) have been patched. Shown for explanation only;
; the listing above builds each value in `a` with xor/or/sub instead of
; `ld a,nn`.
; NOTE(review): there is no later write to 0d01 here, so SRAM is not locked
; again by this sequence.
ld a,01
ld [4e01],a ;select SRAM bank 1
ld a, 0a
ld [0d01],a ;this enables writing to SRAM
ld a, 0b
ld [be3c],a ;set the byte that enables the Celebi GS Ball event
Get Master Ball items slot 2
p0B'vAéV2
(Pk)x'd
; One store, no self-modification: writes 01 to f895, the echo-RAM mirror of
; D895. Per the heading this is item slot 2, and 01 is presumably the Master
; Ball's item id - confirm.
xor a                   ; a = 00
or 81                   ; a = 81
sub 80                  ; a = 81 - 80 = 01
ld [f895],a             ; D895 = 01
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; terminator after the return; not reached
Get Rare Candy balls slot 1
p0i'vA'v
éI5p0a'vA
éA2x(Pk)'d
(Fill box 1's name with 5 beforehand to prevent a freeze.)
; Writes 20 to D8D8 through its echo-RAM mirror f8d8; per the heading this is
; ball-pocket slot 1 and 20 is presumably the Rare Candy item id - confirm.
; Self-modifying: d8 is computed first and stored over the low address byte
; of the placeholder store `ld [f880],a` (fb88 = DB88).
xor a                   ; a = 00
or a8                   ; a = a8
sub 80                  ; a = a8 - 80 = 28
sub 50                  ; a = 28 - 50 = d8 (wraps)
                        ; NOTE(review): 50 is also the name-terminator value, so this operand may
                        ; be the end of box 1's typed name, with the next bytes left over from the
                        ; earlier fill with '5' - that would explain the freeze warning; confirm
ld d,b
ld d,b
ld [fb88],a             ; patch: `ld [f880],a` below becomes `ld [f8d8],a`
xor a                   ; a = 00
or a0                   ; a = a0
sub 80                  ; a = a0 - 80 = 20
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
ld [f880],a             ; runs as `ld [f8d8],a`: D8D8 = 20
or a                    ; clears the carry flag
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; terminator after the return; not reached
Make it a day+1 (D4B6 = 01)
p0B'vAéw,
xPk'd
; One store, no self-modification: writes 01 to f4b6, the echo-RAM mirror of
; D4B6 (the address and value given in the heading).
xor a                   ; a = 00
or 81                   ; a = 81
sub 80                  ; a = 81 - 80 = 01
ld [f4b6],a             ; D4B6 = 01
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
or a                    ; clears the carry flag
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
ret nc                  ; carry is clear (pop does not touch flags), so this always returns
ld d,b                  ; terminator after the return; not reached
Make it a day+2 (D4B6 = 02)
p0C'vAéw,
xPk'd
; Same shape as the day+1 code with a different value: writes 02 to f4b6,
; the echo-RAM mirror of D4B6 (the address and value given in the heading).
xor a                   ; a = 00
or 82                   ; a = 82
sub 80                  ; a = 82 - 80 = 02
ld [f4b6],a             ; D4B6 = 02
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
or a                    ; clears the carry flag
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
ret nc                  ; carry is clear (pop does not touch flags), so this always returns
ld d,b                  ; terminator after the return; not reached
Get Mew (recommended Egg slot 1) DCDF=97
p0?'vH'vA5
éI5p0X55
éA6(Pk)x'd
; Writes 97 (hex; 151 decimal) to DCDF through its echo-RAM mirror fcdf, the
; address and value given in the heading.
; Self-modifying: df is computed first and stored over the low address byte
; of the placeholder store `ld [fc80],a` (fb88 = DB88, by byte count from
; DB75).
xor a                   ; a = 00
or a, e6                ; a = e6
sub 87                  ; a = e6 - 87 = 5f
sub 80                  ; a = 5f - 80 = df (wraps)
ei                      ; looks like one-byte filler completing the 8-character name
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
ld [fb88],a             ; patch: `ld [fc80],a` below becomes `ld [fcdf],a`
xor a                   ; a = 00
or a,97                 ; a = 97
ei                      ; filler
ei                      ; filler
ld d,b                  ; terminator
ld [fc80],a             ; runs as `ld [fcdf],a`: DCDF = 97
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
Hatch steps left = 1 cycle/1 happiness (DCFA=01)
p0B'vAé46
Pkx'd
; One store, no self-modification: writes 01 to fcfa, the echo-RAM mirror of
; DCFA (the address and value given in the heading).
xor a                   ; a = 00
or a, 81                ; a = 81
sub 80                  ; a = 81 - 80 = 01
ld [fcfa],a             ; DCFA = 01
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
or a                    ; clears the carry flag
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; terminator after the return; not reached
Warp to Safari Zone
p0D'vAév6
(Pk)p'vhéw6x
'd
; Two stores, no self-modification: writes 03 to DCB5 and 59 to DCB6 through
; their echo-RAM mirrors fcb5/fcb6. Per the heading these presumably select
; the warp destination; the page does not say which byte means what.
xor a                   ; a = 00
or a, 83                ; a = 83
sub 80                  ; a = 83 - 80 = 03
ld [fcb5],a             ; DCB5 = 03
ld d,b                  ; opcode 0x50 = box-name terminator, executed as an instruction
pop hl                  ; removes one word from the stack; presumably matches the bootstrap's stack state - confirm
xor a                   ; a = 00
; next line: a = 00 - a7 = 59
sub a7 (;59)
ld [fcb6],a             ; DCB6 = 59
or a                    ; clears the carry flag
ld d,b                  ; terminator; `ld` does not change flags, so carry stays clear
ret nc                  ; carry is clear, so this always returns
ld d,b                  ; terminator after the return; not reached