OAM DMA hijacking: Difference between revisions
'''OAM DMA hijacking''' ('''Object Allocation Map Direct Memory Access hijacking''') is a means of changing the OAM DMA routine at FF80-FF89 in Game Boy games by glitching or hacking (the routine's actual end can be extended; for example, if FF89 holds a two-byte relative jump, FF8A is occupied as well). This article describes how to do it with glitches in the Pokémon games.
This glitch works by hijacking the OAM DMA routine associated with sprites.
An easy means of performing OAM DMA hijacking in both {{RB}} and {{GS}} is to write to the HRAM region starting at FF80. Care must be taken, however, because this region is executed every frame. For this reason it is safe to first place a ret (0xC9) opcode at the beginning of the region, write the rest of the code after it, and only then replace the ret with a nop (0x00) byte. This exploit was documented by Crystal_.
It can be used for both arbitrary code execution and adding custom OAM sprite entries.
==Normal behaviour==
During gameplay, FF80 is typically called every frame, and in [[Pokémon Red and Blue]] and [[Pokémon Yellow]] the OAM DMA [[I/O]] register (FF46 on the memory map) is written by the following routine:
 FF80: ld a,c3
 FF82: ld (ff46),a   ; writing C3 to FF46 starts the DMA transfer
 FF84: ld a,28
 FF86: dec a         ; 0x28 = 40 iterations, long enough to outlast the transfer
 FF87: jr nz,ff86
 FF89: ret
Writing C3 to FF46 starts a DMA transfer that copies C300-C39F into OAM, so the OAM sprites are mirrored at C3XX in RAM. The OAM sprites are stored in the sprite attribute table at FE00-FE9F. For more information, see [https://gbdev.io/pandocs/OAM.html#vram-sprite-attribute-table-oam this section in the Pan Docs].
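The following Python model is an added example, not code from the wiki page or from the Pokémon disassembly projects. It assembles the routine listed above from its real SM83 opcode bytes, disassembles it back to the FF80-FF89 addresses, and then compares the two ways of staging a replacement routine one byte per frame: the "ret first, nop last" order described earlier versus overwriting FF80 upward. The opcode table, the one-byte-per-frame write model, the rule that any opcode outside the table counts as unpredictable, and the payload bytes are all constructed for illustration.

```python
# Added example, not from the wiki page: a small model of the Game Boy HRAM
# OAM DMA stub at FF80-FF89 and of the "ret first, nop last" staging order.
# Opcode bytes are the real SM83 encodings of the article's listing; the
# payload, the one-write-per-frame model and the opcode table are constructed.

HRAM_BASE = 0xFF80

# The stock routine from the article, assembled by hand.
DMA_ROUTINE = bytes([
    0x3E, 0xC3,   # FF80: ld a,c3
    0xE0, 0x46,   # FF82: ld (ff46),a   ; start DMA, source C300-C39F
    0x3E, 0x28,   # FF84: ld a,28       ; 40 iterations x 4 M-cycles = 160 M-cycles,
    0x3D,         # FF86: dec a         ; the length of the DMA transfer
    0x20, 0xFD,   # FF87: jr nz,ff86
    0xC9,         # FF89: ret
])

# Instruction lengths for the few opcodes this model understands. Anything
# else is treated as unpredictable, the conservative choice for a
# half-written routine (constructed table, not a full SM83 decoder).
OPCODE_LEN = {0x00: 1, 0x3E: 2, 0xE0: 2, 0x3D: 1, 0x20: 2, 0xC9: 1}


def disassemble(code, base=HRAM_BASE):
    """Return [(address, mnemonic)] for a byte string of known opcodes."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        n = OPCODE_LEN[op]
        operand = code[pc + 1] if n == 2 else None
        if op == 0x3E:
            text = f"ld a,{operand:02x}"
        elif op == 0xE0:
            text = f"ld (ff{operand:02x}),a"
        elif op == 0x20:
            rel = operand - 256 if operand > 127 else operand  # signed jr offset
            text = f"jr nz,{base + pc + 2 + rel:04x}"
        else:
            text = {0x00: "nop", 0x3D: "dec a", 0xC9: "ret"}[op]
        out.append((base + pc, text))
        pc += n
    return out


def run_frame(hram):
    """Model one frame's call to FF80: decode forward until a ret is reached.
    Returns "ret" on a clean return, or "unpredictable" if an opcode outside
    the table is hit first (the wait loop is assumed to terminate, so jr
    simply falls through)."""
    pc = 0
    for _ in range(64):  # bound the walk; HRAM is only 127 bytes
        if pc >= len(hram):
            return "unpredictable"
        op = hram[pc]
        if op == 0xC9:
            return "ret"
        if op not in OPCODE_LEN:
            return "unpredictable"
        pc += OPCODE_LEN[op]
    return "unpredictable"


def safe_order(payload, base=HRAM_BASE):
    """Article's staging: ret at FF80 first, body after it, first byte last."""
    writes = [(base, 0xC9)]
    writes += [(base + 1 + i, b) for i, b in enumerate(payload[1:])]
    writes.append((base, payload[0]))
    return writes


def naive_order(payload, base=HRAM_BASE):
    """Write the payload straight over FF80 upward, one byte per frame."""
    return [(base + i, b) for i, b in enumerate(payload)]


def stage(payload, order_fn):
    """Apply the writes one per frame, running FF80 after each; count bad frames."""
    hram = bytearray(0x7F)
    hram[:len(DMA_ROUTINE)] = DMA_ROUTINE
    bad = 0
    for addr, value in order_fn(payload):
        hram[addr - HRAM_BASE] = value
        if run_frame(hram) != "ret":
            bad += 1
    return bad, bytes(hram[:len(payload)])


# Constructed payload: nop, write the BG palette register FF47, then the stock
# DMA body, then ret. It ends at FF8E, past FF89, which the article notes is fine.
PAYLOAD = bytes([0x00, 0x3E, 0x80, 0xE0, 0x47,
                 0x3E, 0xC3, 0xE0, 0x46, 0x3E, 0x28, 0x3D, 0x20, 0xFD, 0xC9])

if __name__ == "__main__":
    for addr, text in disassemble(DMA_ROUTINE):
        print(f"{addr:04x}: {text}")
    print("unsafe frames, article order:", stage(PAYLOAD, safe_order)[0])
    print("unsafe frames, naive order:  ", stage(PAYLOAD, naive_order)[0])
```

The model shows why the ordering matters: with the naive order, the very first write turns FF80 into nop and leaves the C3 operand of the old `ld a,c3` as the next opcode (C3 is `jp a16` on the SM83), so the frame that runs between writes executes a routine that was never intended; with the article's order every intermediate frame returns immediately from the ret at FF80 and only the final nop write exposes the completed routine.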
==Setup (additional arbitrary code execution)==