User:Zeroman/4F (0x59) memory write arbitrary code execution: Difference between revisions
Content added Content deleted
No edit summary |
(added note about my example) |
||
Line 4: | Line 4: | ||
at DA65/DA64: |
at DA65/DA64: |
||
* C3 22 D3 ({{CRed|Red}}/{{CBlue|Blue}} |
* C3 22 D3 ({{CRed|Red}}/{{CBlue|Blue}} |
||
* C3 21 D3 ({{CYellow|Yellow}} |
* C3 21 D3 ({{CYellow|Yellow}}) |
||
at D322/D321: |
at D322/D321: |
||
Line 12: | Line 12: | ||
at DA65/DA64: |
at DA65/DA64: |
||
* jp D322 ({{CRed|Red}}/{{CBlue|Blue}} |
* jp D322 ({{CRed|Red}}/{{CBlue|Blue}} |
||
* jp D321 ({{CYellow|Yellow}} |
* jp D321 ({{CYellow|Yellow}}) |
||
at D322/D321: |
at D322/D321: |
||
Line 29: | Line 29: | ||
# Item 0x77, x209 |
# Item 0x77, x209 |
||
end of list. |
end of list. |
||
In this example, we set the register "hl" as CD38 and the register "a" as 0x01. |
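Review bot: the quantity on `# Item 0x77, x209` does not match the byte list: decimal 209 is 0xD1, whereas the listing at D322/D321 needs `77 C9`, i.e. a quantity of 201 (0xC9) so that the byte after ld [hl],a is ret. The added note would also be clearer if it stated what the register values achieve: hl = CD38 is the destination of ld [hl],a, so the payload writes 0x01 to CD38 and then returns.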
Latest revision as of 13:23, 13 December 2023
In Pokémon Red, Blue, and Yellow, using the glitch item 4F (0x59) jumps execution to FA65 (Red/Blue) or FA64 (Yellow), which is Echo RAM mirroring DA65/DA64; this makes it useful for arbitrary code execution. With the correct bytes at DA65/DA64 and at D322 (D321 in Yellow), it can be used to write to memory.
bytes needed
at DA65/DA64:
- C3 22 D3 (Red/Blue)
- C3 21 D3 (Yellow)
at D322/D321:
- 26 CD 2E 38 3E 01 77 C9 FF
instructions
at DA65/DA64:
- jp D322 (Red/Blue)
- jp D321 (Yellow)
at D322/D321:
- ld h, $CD
- ld l, $38
- ld a, $01
- ld [hl],a
- ret
items
- 4F (0x59), quantity does not matter
- Master Ball (0x01), x99
- Carbos (0x26), x205
- X Accuracy (0x2E), x56
- Lemonade (0x3E), x1
- Item 0x77, x209
end of list.
In this example, hl is set to CD38 and a to 0x01, so the ld [hl],a instruction writes the single byte 0x01 to address CD38 and ret returns control to the game.
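As an added example that is not part of the wiki page, the following Python script lays out the item list above in memory the way the bag is stored, then disassembles and emulates the bytes starting from the address 4F jumps to. It assumes the bag item array begins at D31E in Red/Blue and D31D in Yellow, and gives item 0x77 a quantity of 201 so that its quantity byte is 0xC9 (ret).

```python
# Added example, not code from the wiki page: lay out the bag, then decode
# and emulate the resulting bytes from the 4F entry point.
from typing import Dict, List, Tuple

# Assumed layout: the bag item array (id, quantity pairs, 0xFF terminator) starts
# at D31E in Red/Blue and one byte lower, D31D, in Yellow, hence D322 vs D321.
BAG_START = {"rb": 0xD31E, "yellow": 0xD31D}
ENTRY = {"rb": 0xDA65, "yellow": 0xDA64}       # where 4F sends execution
JUMP_TARGET = {"rb": 0xD322, "yellow": 0xD321}

# (item id, quantity) from the page; 4F's quantity is arbitrary, 1 is used.
# Item 0x77 is given x201 because 0xC9 (ret) is 201; x209 would be 0xD1.
ITEMS: List[Tuple[int, int]] = [
    (0x59, 1), (0x01, 99), (0x26, 205), (0x2E, 56), (0x3E, 1), (0x77, 201),
]

# Only the opcodes the payload uses: (disassembly format, instruction length).
OPCODES = {0x26: ("ld h,${:02X}", 2), 0x2E: ("ld l,${:02X}", 2),
           0x3E: ("ld a,${:02X}", 2), 0x77: ("ld [hl],a", 1),
           0xC9: ("ret", 1), 0xC3: ("jp ${:04X}", 3)}
LOAD_REG = {0x26: "h", 0x2E: "l", 0x3E: "a"}

def lay_out(items: List[Tuple[int, int]], game: str = "rb") -> Dict[int, int]:
    """Address -> byte map of the bag array plus the jp at DA65/DA64."""
    mem, addr = {}, BAG_START[game]
    for item_id, qty in items:
        mem[addr], mem[addr + 1] = item_id, qty
        addr += 2
    mem[addr] = 0xFF                           # end-of-list marker
    target, entry = JUMP_TARGET[game], ENTRY[game]
    mem[entry], mem[entry + 1], mem[entry + 2] = 0xC3, target & 0xFF, target >> 8
    return mem

def run_payload(mem: Dict[int, int], pc: int) -> Tuple[List[str], Dict[int, int]]:
    """Disassemble and emulate from pc until ret; return (listing, writes)."""
    regs, writes, listing = {"h": 0, "l": 0, "a": 0}, {}, []
    while True:
        op = mem.get(pc, 0xFF)
        if op not in OPCODES:                  # e.g. 0xD1 if item 0x77 is x209
            raise ValueError(f"unexpected opcode {op:02X} at {pc:04X}")
        fmt, length = OPCODES[op]
        arg = mem.get(pc + 1, 0) | (mem.get(pc + 2, 0) << 8 if length == 3 else 0)
        listing.append(f"{pc:04X}: " + fmt.format(arg))
        if op == 0xC3:                         # jp nn: follow the jump
            pc = arg
            continue
        if op in LOAD_REG:                     # ld r,n
            regs[LOAD_REG[op]] = arg
        elif op == 0x77:                       # ld [hl],a: record the write
            writes[(regs["h"] << 8) | regs["l"]] = regs["a"]
        elif op == 0xC9:                       # ret: payload done
            return listing, writes
        pc += length
```

Swapping the quantity of item 0x77 for 209 makes run_payload raise at D329, which is the quickest way to see why the quantity byte after ld [hl],a has to be 0xC9.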