ItemDex/RB:093: Difference between revisions

← Older edit

ItemDex/RB:093 (view source)

Revision as of 20:07, 29 February 2024

2,043 bytes added , 2 months ago

→‎Usage

VisualWikitext

Evie (Torchickens)

243

edits

Revision as of 20:32, 19 March 2019 (view source) >Sherkel mNo edit summary ← Older edit		Latest revision as of 20:07, 29 February 2024 (view source) Evie (Torchickens) (talk \| contribs) (→‎Usage)
(8 intermediate revisions by 4 users not shown)
Line 4: \|2=5D \|3=093 \|4=01:d163 (WRAM1) ~~\|4=D163~~ \|5=No \|6=No \|7=0 \|8=~~N/A}}~~0 \|9=$fe, $85, $50}} ''8F redirects here. For other uses, see [[8F (disambiguation)]]''. [[File:8F glitch item name.png\|link=]] (hex:5D) is a [[glitch item]] in {{RB}}, with [[index number]] 93 (hex:5D). The actual use of the item is for use in the Silph Co. elevator. This glitch item's effect pointer is $D163 in WRAM, which is the beginning of the party Pokémon data in memory, similar to Japanese Red/Green/Blue's [[ItemDexJP/RGB:090\|5かい]]. As such it is very popular for [[arbitrary code execution]], as a bootstrap code to items can be written using the species of Pokémon in the party. ==Usage== Line 20 ⟶ 21: For example applications of 8F, see [[Generation I item codes]]. Notice that all applications involving an item list need a bootstrap code to work. During the start of the execution of 8F, the following registers and stats are expected to be constant: a=63 bc=00b8 de=0001 hl=d163 Flags z, n, h, c are not set lcdc=E3 ie=0D if=F0 spd=0 rom=3 (FFB8; loaded ROM bank) ime=1 ima=1 ==Bootstrapping== There exists multiple different bootstrapping strategies with 8F. Most of them jump to $D322, which is the third item in the item pack. The advantage of using the third item slot is that this allows 8F to be the first item, and another item that is unrelated to the code to be the second (which is useful if the payload modifies the item). ===5 2–5 Pokémon "~~233~~Tentacool ~~HP Pidgey~~PPs" setup === {{main\|User:CytricAcid/Beginner's Guide To ACE/US Red and Blue Guide#Setup}} ~~The most popular~~An 8F setup ~~consists~~can consist of 5as ~~valid~~few as 2 Pokémon, with one of them having a specific ~~current HP~~PP ~~value~~values: # 2–5 Pokémon # Tentacool as the first Pokémon # Onix as the second Pokémon # The Tentacool must have exactly the following amounts of remaining PP and number of PP Up used: #* 33 for 1st move (0 PP Up used) #* 34 for 2nd move (0 PP Up used) #* 19 for 3rd move (3 PP Up used) #* 41 for 4th move (3 PP Up used) {{Explanation\|title=ASM translation\|contents= <pre> ; Initial hl = 0xD163, a = 0x63, bc = 0x00B8 $D163 <- 02/03/04/05 \|\| ld [bc], a / inc bc / inc b / dec b $D164 <- 18 22 \|\| jr 0x22 ; pc = $D166 + 0x22 = $D188 (...) $D188 <- 21 22 D3 \|\| ld hl, 0xD322 $D18B <- E9 \|\| jp hl ; pc = $D322 </pre> Here the register <code>a</code> was a temporary variable for reading out the jump destination $D163, and <code>bc</code> was the offset into <code>ItemUsePtrTable</code> (here (0x5D - 1) * 2, where 0x5D is the item ID of 8F). * If the party contains only 2 Pokémon (i.e. nothing other than Tentacool and Onix), then the first instruction will try to write 0x63 to the ROM address $00B8, which [[SRAM\|locks the SRAM]] instead. ** This is generally not a bad thing (it makes things safer in case there is something wrong with the item code), but it might stop you from writing to the SRAM with a simple memory writer, so in that case you probably want to have more than 2 Pokémon in your party to avoid this. * The other possible first instructions do nothing as long as the item code jumped to does not make any assumption on the values of <code>a</code> and <code>bc</code>. }} === Older setups === {{Explanation\|title=Details\|contents= ~~===3~~'''5 Pokémon ~~super-compressed~~"233 HP Pidgey" setup~~===~~'''▼ The "233 HP Pidgey" setup used to be the most popular 8F setup, although it is considered outdated due to the difficulty of controlling the exact HP value of a Pokémon. It consists of 5 valid Pokémon, with one of them having a specific current HP value: # 5 Pokémon # Pidgey as the first Pokémon Line 39 ⟶ 85: The bootstrap code translates to the following ASM: <~~code~~pre> ; Initial hl = D163~~<br/>~~ $D163 <- 05 \|\| dec b~~<br/>~~ $D164 <- 24 \|\| inc h ; h = D2~~<br/>~~ $D165 <- 2E \|\|~~<br/>~~ $D166 <- 22 \|\| ld l, 22 ; hl = D222 ~~<br/>~~ $D167 <- 18 \|\| ~~<br/>~~ $D168 <- 02 \|\| jr 2 02 ; pc = D16B~~<br/>~~ $D169 <- FF \|\|~~<br/>~~ $D16A <- FF \|\|~~<br/>~~ $D16B <- 24 \|\| inc h ; h = D3~~<br/>~~ $D16C <- 00 \|\| nop~~<br/>~~ $D16D <- e9E9 \|\| jp (hl) ; pc = D322~~<br/>~~ </~~code~~pre> Understanding the ASM will allow modifying the setup to suit different needs. For example, to make 8F run code starting from item 1 ($D31E), replace the Onix (0x22) with a Tangela (0x1E). ~~===~~'''6 Pokémon "233 HP Pidgey" setup~~===~~''' A slight modification to the above setup allows a full team of 6 Pokémon, with any Pokémon at the front, which may be desirable when using an instant encounter script, for example (the lead Pokémon can be used to weaken the enemy Pokémon, and when the enemy is caught it's sent to the PC without messing up the setup). Line 69 ⟶ 116: ASM translation: <pre> ~~<code><br/>~~ $D163 <- 06 \|\|~~<br/>~~ $D164 <- ?? \|\| ld b, ??~~<br/>~~ $D165 <- 24 \|\| inc h ; h = D2~~<br/>~~ $D166 <- 2E \|\|~~<br />~~ $D167 <- 22 \|\| ld l, 22 ; hl = D222~~<br/>~~ $D168 <- 18 \|\|~~<br/>~~ $D169 <- 2D \|\| jr 2D ; pc = D197~~<br/>~~ (...)~~<br/>~~ $D197 <- 24 \|\| inc h ; h = D3~~<br/>~~ $D198 <- 00 \|\| nop~~<br/>~~ $D199 <- E9 \|\| jp (hl) ; pc = D322 </~~code~~pre> '''3 Pokémon super-compressed setup''' ▲===3 Pokémon super-compressed setup=== It is possible to use a super-compressed setup, but it requires some difficult to obtain glitch Pokémon, namely [[GlitchDex/RB:195\|h POKé (0xC3)]] and [[GlitchDex/RB:211\|M p'u ゥ (0xD3)]]. # 3 to 5 Pokémon Line 91 ⟶ 139: ASM translation: <pre> ~~<code><br/>~~ $D163 <- 03/04/05 \|\| inc bc / inc b / dec b~~<br/>~~ $D164 <- C3 \|\| ~~<br/>~~ $D165 <- 22 \|\| ~~<br/>~~ $D166 <- D3 \|\| jp $D322 ~~<br />~~ </~~code~~pre> Notice that this setup doesn't set hl to $D322, which some common item setups assume. For those item setups, inserting two items will fix this problem: Line 104 ⟶ 152: # Carbos x211 # (Listed items) (credits to [~~http~~https://~~forums~~archives.glitchcity.info/~~index.php?topic=~~forums/board-115/thread-6638/page-37.~~msg204534~~html#msg204534 NukingDragons] for this fix) }} ===In other European versions=== In other European versions, the 8F item is named 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish). It still executes code the same way, but the setup will be different due to differences in the memory layout, with the third item at $D327 rather than $D322. ~~For~~The ~~the~~"Tentacool PPs" setup above can be adapted to those European versions by having 39 PP for the 2nd move instead of 34. For the three setups in the "Older setups" section, the common fix is to replace the Onix with a Graveler (or to replace the Tangela with a Fearow to run code starting from item 1). ==See also== [[8F Helper]] [[ItemDex/Y:099\|ws m (hex:63)]]: A popular glitch item for arbitrary code execution in {{Y}}.▼ [[ItemDexJP/RGB:090\|５かい]]: ~~Glitch~~A glitch item ~~"５かい"~~ in ~~Japanese~~{{RGB}} ~~Red/Green/Blue.~~that ~~Executes~~executes ~~D123;~~the ~~also~~equivalent ~~the~~address ($D123, beginning of the party Pokémon ~~list~~data). ==External links== [~~http~~https://forums.glitchcity.info/index.php?topic=6638.0 Forums thread by TheZZAZZGlitch]. ▲[[ItemDex/Y:099\|ws m (hex:63)]]: A popular glitch item for arbitrary code execution in {{Y}}. [[ItemDexJP/RG:090\|５かい]]; a [[glitch item]] that executes the equivalent address in {{RG}}. *[[ItemDexJP/B:090\|５かい]]; a glitch item that executes the equivalent address in {{JB}}.