User:Zeroman/4F (0x59) memory write arbitrary code execution: Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
(started this memory write ACE for 4F (0x59)) |
(added note about my example) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 4: | Line 4: | ||
at DA65/DA64: |
at DA65/DA64: |
||
* C3 22 D3 ({{CRed|Red}}/{{CBlue|Blue}} |
* C3 22 D3 ({{CRed|Red}}/{{CBlue|Blue}} |
||
* C3 21 D3 ({{CYellow|Yellow}} |
* C3 21 D3 ({{CYellow|Yellow}}) |
||
at D322/D321: |
at D322/D321: |
||
| Line 12: | Line 12: | ||
at DA65/DA64: |
at DA65/DA64: |
||
* jp D322 ({{CRed|Red}}/{{CBlue|Blue}} |
* jp D322 ({{CRed|Red}}/{{CBlue|Blue}} |
||
* jp D321 ({{CYellow|Yellow}} |
* jp D321 ({{CYellow|Yellow}}) |
||
at D322/D321: |
at D322/D321: |
||
| Line 22: | Line 22: | ||
== items == |
== items == |
||
# 4F (0x59), quantity does not matter |
|||
# Master Ball (0x01), x99 |
|||
# Carbos (0x26), x205 |
|||
# X Accuracy (0x2E), x56 |
|||
# Lemonade (0x3E), x1 |
|||
# Item 0x77, x209 |
|||
end of list. |
end of list. |
||
In this example, we set the register "hl" as CD38 and the register "a" as 0x01. |
|||
Latest revision as of 13:23, 13 December 2023
In Pokémon Red, Blue, and Yellow, 4F (0x59) will execute FA65/FA64 (Echo RAM for DA65/DA64) when used, which makes it useful for arbitrary code execution. With the correct setup at DA65/DA64 and D322, it can be used to write to memory.
bytes needed
at DA65/DA64:
- C3 22 D3 (Red/Blue
- C3 21 D3 (Yellow)
at D322/D321:
- 26 CD 2E 38 3E 01 77 C9 FF
instructions
at DA65/DA64:
- jp D322 (Red/Blue
- jp D321 (Yellow)
at D322/D321:
- ld h, $CD
- ld l, $38
- ld a, $01
- ld [hl],a
- ret
items
- 4F (0x59), quantity does not matter
- Master Ball (0x01), x99
- Carbos (0x26), x205
- X Accuracy (0x2E), x56
- Lemonade (0x3E), x1
- Item 0x77, x209
end of list.
In this example, we set the register "hl" as CD38 and the register "a" as 0x01.