Evie (ChickasaurusGL) 🌺 | The Pokédex rating for having 152 Pokémon actually runs arbitrary code execution ◕ᴗ◕✿ (Red/Green) @ChickasaurusGL | Uploaded December 2021 | Updated October 2024, 4 hours ago.
Notes:
(Just I don't know if anyone in the Japanese glitch community actually noticed haha..). Although we use it to access the Hall of Fame, we should be able to do anything we can normally do with ACE (like pseudo GameShark), but sometimes you'll have to manipulate the stack.
I don't know if this can be ported to Japanese Blue and the Japanese Yellow revisions yet. This likely won't work on Game Boy Tower in the Stadium games, due to Echo RAM access.
I haven't traced through the circumstances where the glitch text box causes arbitrary code execution, but at some point importantly the game runs F080. You can copy code you wrote elsewhere here with LWA. https://glitchcity.wiki/Text_pointer_manipulation_mart_buffer_overflow_glitch (but for quick testing, just entering a memory viewer and inputting the raw bytes at D080 or F080 will work too, like 0E 16 26 7B 2E E4 41 40 CD 20 36 C9; you also need to have 152 Pokémon in advance; D28D controls whether you own 145-152, and D2A0 if you've seen them - one approach to set it is with the SRAM glitch after some Pokémon swaps; which is the one popularised here youtube.com/watch?v=OyhEKG_g53o with different timing for the Japanese version). Another approach might be ハハバグ (this glitch https://glitchcity.wiki/ZZAZZ_glitch in Japanese versions) if you can touch those addresses as 0x99, because the eighth bit is set (that value is over 0x80); then see and obtain the rest of those Pokémon normally or with fifth etc. (Japanese Blue also has a glitch Pokémon called アノ゙(0xCC) who is No. 152, so in Japanese Blue you can obtain it; if Pokédex rating arbitrary code execution works there).
From Celadon City Pokémon Center;
*Have expanded inventory
*Have in items slot 1 and 2; Master Ball x 178 and TM17 x 157 (01 B2 D9 9D) (you can also use TM49).
*Swap item 1 and item 2 into item slots 37 and 38 respectively (may be below a ????? item, but I don't know if your version matters (which will be Red v1.0/Red v1.1 or Green v1.0/Green v1.1).
*Prepare from a previous arbitrary code execution your code at D9B2 (text pointers, followed by FE (mart text code) and some mart data. If you want to however take it from an inventory, adjust the earlier B2 D9 to A2 D2; which would mean changing the Master Ball to x 162 (or later if you want to land later in the inventory) and the other item to TM10.
At your code should be a 'header' so to speak; which is actually the aforementioned needed data to load the glitch text box for LWA.
(any) (any) (any) (any) (another pointer; here it is B8 D9 (so D9B8)) FE (tells the game it's a mart) FE (254 items in the mart I think, we can't use FF)
After the header, there can't be any bytes with FF.
At (pointer (the one that's B8 D9 here)+0x11F) so DAD7 in this example, you can finally place your code. However, keep in mind the state of the game/stack isn't just right to ret away. The Hall of Fame script is an exception that still works.
Talk to the lady in the video (the other NPCs won't work), to copy the data needed to F080 (the same as D080). Next, view the Pokédex rating without doing anything else. Certain actions can break the code, such as entering battle and viewing sprites.
The Hall of Fame script is as such (the code below is inventory item friendly if you start execution at the item).
v1.0
ld c,16
ld h,7b
ld l,e4
ld b,c
ld b,b
call 3620
ret
v1.1
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $360e
ret
Notes:
(Just I don't know if anyone in the Japanese glitch community actually noticed haha..). Although we use it to access the Hall of Fame, we should be able to do anything we can normally do with ACE (like pseudo GameShark), but sometimes you'll have to manipulate the stack.
I don't know if this can be ported to Japanese Blue and the Japanese Yellow revisions yet. This likely won't work on Game Boy Tower in the Stadium games, due to Echo RAM access.
I haven't traced through the circumstances where the glitch text box causes arbitrary code execution, but at some point importantly the game runs F080. You can copy code you wrote elsewhere here with LWA. https://glitchcity.wiki/Text_pointer_manipulation_mart_buffer_overflow_glitch (but for quick testing, just entering a memory viewer and inputting the raw bytes at D080 or F080 will work too, like 0E 16 26 7B 2E E4 41 40 CD 20 36 C9; you also need to have 152 Pokémon in advance; D28D controls whether you own 145-152, and D2A0 if you've seen them - one approach to set it is with the SRAM glitch after some Pokémon swaps; which is the one popularised here youtube.com/watch?v=OyhEKG_g53o with different timing for the Japanese version). Another approach might be ハハバグ (this glitch https://glitchcity.wiki/ZZAZZ_glitch in Japanese versions) if you can touch those addresses as 0x99, because the eighth bit is set (that value is over 0x80); then see and obtain the rest of those Pokémon normally or with fifth etc. (Japanese Blue also has a glitch Pokémon called アノ゙(0xCC) who is No. 152, so in Japanese Blue you can obtain it; if Pokédex rating arbitrary code execution works there).
From Celadon City Pokémon Center;
*Have expanded inventory
*Have in items slot 1 and 2; Master Ball x 178 and TM17 x 157 (01 B2 D9 9D) (you can also use TM49).
*Swap item 1 and item 2 into item slots 37 and 38 respectively (may be below a ????? item, but I don't know if your version matters (which will be Red v1.0/Red v1.1 or Green v1.0/Green v1.1).
*Prepare from a previous arbitrary code execution your code at D9B2 (text pointers, followed by FE (mart text code) and some mart data. If you want to however take it from an inventory, adjust the earlier B2 D9 to A2 D2; which would mean changing the Master Ball to x 162 (or later if you want to land later in the inventory) and the other item to TM10.
At your code should be a 'header' so to speak; which is actually the aforementioned needed data to load the glitch text box for LWA.
(any) (any) (any) (any) (another pointer; here it is B8 D9 (so D9B8)) FE (tells the game it's a mart) FE (254 items in the mart I think, we can't use FF)
After the header, there can't be any bytes with FF.
At (pointer (the one that's B8 D9 here)+0x11F) so DAD7 in this example, you can finally place your code. However, keep in mind the state of the game/stack isn't just right to ret away. The Hall of Fame script is an exception that still works.
Talk to the lady in the video (the other NPCs won't work), to copy the data needed to F080 (the same as D080). Next, view the Pokédex rating without doing anything else. Certain actions can break the code, such as entering battle and viewing sprites.
The Hall of Fame script is as such (the code below is inventory item friendly if you start execution at the item).
v1.0
ld c,16
ld h,7b
ld l,e4
ld b,c
ld b,b
call 3620
ret
v1.1
ld c,$16
ld h,$7b
ld l,$e4
ld b,c
ld b,b
call $360e
ret
