ItemDex/RB:093: Difference between revisions

>Torchickens
|2=5D
|3=093
|4=01:d163 (WRAM1)
|4=D163
|5=No
|6=No
|7=0
|8=N/A}}0
|9=$fe, $85, $50}}
''8F redirects here. For other uses, see [[8F (disambiguation)]]''.
 
[[File:8F glitch item name.png|link=]] (hex:5D) is a [[glitch item]] in {{RB}}, with [[index number]] 93 (hex:5D). It takes its name from the floor destinations used in the Silph Co. elevator.
 
This glitch item's effect pointer is $D163 in WRAM, which is the beginning of the party Pokémon data in memory, similar to Japanese Red/Green/Blue's [[ItemDexJP/RGB:090|5かい]]. As such it is very popular for [[arbitrary code execution]], because bootstrap code that jumps to the item list can be written using the species of the Pokémon in the party.
 
==Usage==
 
After setting up the bootstrap code and the payload, simply use 8F from the item list (either in the overworld or in combat) to execute arbitrary code. The quantity of 8F will not decrease, unless it is programmed to do so.
 
For example applications of 8F, see [[Generation I item codes]]. Notice that all applications involving an item list need a bootstrap code to work.
 
At the start of the execution of 8F, the following registers and states are expected to be constant:
 
*a=63
*bc=00b8
*de=0001
*hl=d163
*Flags z, n, h, c are not set
*lcdc=E3
*ie=0D
*if=F0
*spd=0
*rom=3 (FFB8; loaded ROM bank)
*ime=1
*ima=1
 
==Bootstrapping==
There exist multiple bootstrapping strategies with 8F. Most of them jump to $D322, which is the third item in the item pack. The advantage of using the third item slot is that it allows 8F to be the first item and an item unrelated to the code to be the second (which is useful if the payload modifies the item).
 
=== 2–5 Pokémon "Tentacool PPs" setup ===
{{main|User:CytricAcid/Beginner's Guide To ACE/US Red and Blue Guide#Setup}}
An 8F setup can consist of as few as 2 Pokémon, with one of them having specific PP values:
# 2–5 Pokémon
# Tentacool as the first Pokémon
# Onix as the second Pokémon
# The Tentacool must have exactly the following amounts of remaining PP and number of PP Up used:
#* 33 for 1st move (0 PP Up used)
#* 34 for 2nd move (0 PP Up used)
#* 19 for 3rd move (3 PP Up used)
#* 41 for 4th move (3 PP Up used)
 
{{Explanation|title=ASM translation|contents=
<pre>
; Initial hl = 0xD163, a = 0x63, bc = 0x00B8
$D163 <- 02/03/04/05 || ld [bc], a / inc bc / inc b / dec b
$D164 <- 18 22 || jr 0x22 ; pc = $D166 + 0x22 = $D188
(...)
$D188 <- 21 22 D3 || ld hl, 0xD322
$D18B <- E9 || jp hl ; pc = $D322
</pre>
Here the register <code>a</code> was a temporary variable for reading out the jump destination $D163, and <code>bc</code> was the offset into <code>ItemUsePtrTable</code> (here (0x5D - 1) * 2, where 0x5D is the item ID of 8F).
* If the party contains only 2 Pokémon (i.e. nothing other than Tentacool and Onix), then the first instruction will try to write 0x63 to the ROM address $00B8, which [[SRAM|locks the SRAM]] instead.
** This is generally not a bad thing (it makes things safer in case there is something wrong with the item code), but it might stop you from writing to the SRAM with a simple memory writer, so in that case you probably want to have more than 2 Pokémon in your party to avoid this.
* The other possible first instructions do nothing as long as the item code jumped to does not make any assumption on the values of <code>a</code> and <code>bc</code>.
}}
 
=== Older setups ===
{{Explanation|title=Details|contents=
'''5 Pokémon "233 HP Pidgey" setup'''
 
The "233 HP Pidgey" setup used to be the most popular 8F setup, although it is considered outdated due to the difficulty of controlling the exact HP value of a Pokémon. It consists of 5 valid Pokémon, with one of them having a specific current HP value:
# 5 Pokémon
# Pidgey as the first Pokémon
# Parasect as the second Pokémon
# Onix as the third Pokémon
# Tentacool as the fourth Pokémon
# Kangaskhan as the fifth Pokémon
# Pidgey must have 233 current HP (it is okay to have a higher maximum HP)
 
To obtain such a Pidgey, raise it to Lv100 with Rare Candies, then apply up to 10 HP Ups. If the Pidgey still does not have 233 HP, it has bad DVs. In this case either try another Pidgey or do many battles with this Pidgey (preferably Trainer battles, which are quicker than wild encounters) until depositing and withdrawing it gives it 233 HP (see [[bp:Box trick|box trick]]).
 
If the Pidgey's maximum HP is higher than 233, a reliable method to get it to 233 HP is to get it poisoned, walk until it has 233 HP, then cure the poison.
 
The bootstrap code translates to the following ASM:
<pre>
; Initial hl = D163
$D163 <- 05 || dec b
$D164 <- 24 || inc h ; h = D2
$D165 <- 2E ||
$D166 <- 22 || ld l, 22 ; hl = D222
$D167 <- 18 ||
$D168 <- 02 || jr 02 ; pc = D16B
$D169 <- FF ||
$D16A <- FF ||
$D16B <- 24 || inc h ; h = D3
$D16C <- 00 || nop
$D16D <- E9 || jp hl ; pc = D322
</pre>
 
Understanding the ASM will allow modifying the setup to suit different needs. For example, to make 8F run code starting from item 1 ($D31E), replace the Onix (0x22) with a Tangela (0x1E).
 
'''6 Pokémon "233 HP Pidgey" setup'''
 
A slight modification to the above setup allows a full team of 6 Pokémon, with any Pokémon at the front, which may be desirable when using an instant encounter script, for example (the lead Pokémon can be used to weaken the enemy Pokémon, and when the enemy is caught it's sent to the PC without messing up the setup).
 
# 6 Pokémon
# The first Pokémon does not matter
# Pidgey as the second Pokémon
# Parasect as the third Pokémon
# Onix as the fourth Pokémon
# Tentacool as the fifth Pokémon
# Arbok as the sixth Pokémon
# Pidgey must have 233 HP
 
ASM translation:
<pre>
$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h ; h = D2
$D166 <- 2E ||
$D167 <- 22 || ld l, 22 ; hl = D222
$D168 <- 18 ||
$D169 <- 2D || jr 2D ; pc = D197
(...)
$D197 <- 24 || inc h ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp hl ; pc = D322
</pre>
 
'''3 Pokémon super-compressed setup'''
 
It is possible to use a super-compressed setup, but it requires some difficult-to-obtain glitch Pokémon, namely [[GlitchDex/RB:195|h POKé (0xC3)]] and [[GlitchDex/RB:211|M p'u ゥ (0xD3)]].
# 3 to 5 Pokémon
# h POKé (0xC3) as the first Pokémon
# Onix as the second Pokémon
# M p'u ゥ (0xD3) as the third Pokémon
 
ASM translation:
<pre>
$D163 <- 03/04/05 || inc bc / inc b / dec b
$D164 <- C3 ||
$D165 <- 22 ||
$D166 <- D3 || jp $D322
</pre>
 
Notice that this setup doesn't set hl to $D322, which some common item setups assume. For those item setups, inserting two items will fix this problem:
# 8F
# Any item x[any qty]
# X Accuracy x34
# Carbos x211
# (Listed items)
(credits to [https://archives.glitchcity.info/forums/board-115/thread-6638/page-37.html#msg204534 NukingDragons] for this fix)
}}
 
===In other European versions===
In other European versions, the 8F item is named 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish). It still executes code the same way, but the setup will be different due to differences in the memory layout, with the third item at $D327 rather than $D322.
 
The "Tentacool PPs" setup above can be adapted to those European versions by having 39 PP for the 2nd move instead of 34. For the three setups in the "Older setups" section, the common fix is to replace the Onix with a Graveler (or to replace the Tangela with a Fearow to run code starting from item 1).
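
The PP arithmetic behind the "Tentacool PPs" setup and its adaptation to the other European versions can be checked with the following Python sketch, which is an added example and not part of the original article. It assumes the Generation I layout in which the first party Pokémon's data starts at $D16B with its PP bytes at offset 0x1D, and in which each PP byte stores the PP Ups used in its top two bits; all function and constant names are hypothetical.

```python
# Added example, not from the wiki page. Assumed Gen I layout: species list at
# $D164, first party struct at $D16B, PP bytes at struct offset 0x1D, and each
# PP byte = (PP Ups used << 6) | remaining PP. All names are hypothetical.
SPECIES_LIST = 0xD164
FIRST_MON = 0xD16B
PP_OFFSET = 0x1D
TENTACOOL, ONIX = 0x18, 0x22  # species bytes as shown in the ASM translation

US_PP = [(33, 0), (34, 0), (19, 3), (41, 3)]  # (remaining PP, PP Ups) from the page
EU_PP = [(33, 0), (39, 0), (19, 3), (41, 3)]  # 2nd move has 39 PP instead of 34


def pp_byte(remaining, pp_ups):
    """Pack one move's PP the way the party struct stores it."""
    if not (0 <= remaining < 64 and 0 <= pp_ups < 4):
        raise ValueError("remaining PP needs 6 bits, PP Ups needs 2 bits")
    return (pp_ups << 6) | remaining


def jr_target(addr, opcode, offset):
    """Destination of the 2-byte `jr` formed by two species bytes at addr."""
    if opcode != 0x18:
        raise ValueError("first byte is not the `jr` opcode")
    signed = offset - 0x100 if offset & 0x80 else offset
    return (addr + 2 + signed) & 0xFFFF


def decode_tail(code):
    """Decode `ld hl, nn` / `jp hl` and return the address jumped to."""
    if len(code) != 4 or code[0] != 0x21 or code[3] != 0xE9:
        raise ValueError("PP bytes do not form `ld hl, nn` / `jp hl`")
    return code[1] | (code[2] << 8)  # 16-bit immediate is little-endian


def tentacool_setup(pp_list):
    """Return (address the jr lands on, address the PP bytes jump to)."""
    landing = jr_target(SPECIES_LIST, TENTACOOL, ONIX)
    if landing != FIRST_MON + PP_OFFSET:
        raise ValueError("jr does not land on the first Pokémon's PP bytes")
    code = bytes(pp_byte(pp, ups) for pp, ups in pp_list)
    return landing, decode_tail(code)


if __name__ == "__main__":
    for name, pps in (("English", US_PP), ("other European", EU_PP)):
        landing, dest = tentacool_setup(pps)
        print(f"{name}: jr lands at ${landing:04X}, jumps to ${dest:04X}")
```

Changing only the second move's PP changes the low byte of the <code>ld hl</code> immediate, which is why 39 PP retargets the jump from $D322 to $D327.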
 
==See also==
*[[8F Helper]]
*[[ItemDex/Y:099|ws m (hex:63)]]: A popular glitch item for arbitrary code execution in {{Y}}.
*[[ItemDexJP/RGB:090|5かい]]: A glitch item in {{RGB}} that executes the equivalent address ($D123, beginning of the party Pokémon data).
 
==External links==
*[https://forums.glitchcity.info/index.php?topic=6638.0 Forums thread by TheZZAZZGlitch].
 
 