Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Trainer-Fly/Box underflow available text boxes that execute arbitrary script

Posted by: Torchickens
Date: 2015-04-18 11:17:38
List may be updated. Please feel free to add your finds by double-clicking 0:2882 (Yellow) or 0:2992 (Red) in BGB and seeing what hl is after BGB brings up the debugger when you return to a Trainer-Fly route.

Below are text box sources for when you talk to something like an object (as opposed to your last text box being the start menu) and return to a route that you have a Trainer-Fly set up in.

If you can change the memory address in hl to start with 08, this will mean that your text box will activate arbitrary code followed by the 08! Or if you put a 00 followed by text characters there and a 57, it is possible to create a custom text box.

Yellow: PC and Trainer-Fly south of Saffron hl=D7C8

Yellow: Some place with PC as last text, I unfortunately cannot remember: hl=D7C8

Yellow: "Lots of Pokémon stuff" + Trainer-Fly north of Cinnabar: D2C3 (may be promising?)

Yellow: PC and Trainer-Fly south of Lavender: C331

Red: "Lots of Pokémon stuff" + Trainer-Fly north of Cinnabar: CD5F

Red: Cinnabar coach guy + Trainer-Fly north of Cinnabar: D7E9

Red: PC and Trainer-Fly west of Celadon: D7DF

Red: "Tons of Pokémon stuff" in Celadon Mart + Trainer-Fly left of Celadon: D717

Non-text box opening map scripts:

Non-text box opening scripts are values for individual map scripts from D5F1 onward that are not relevant to maps with Trainers, and/or are not 01 (because 01 means a normal script that opens up a text box and gives an encounter like Trainer-Fly). They can only be accessed with stored item underflow, the walking lag glitch, or further arbitrary code execution.

I'm looking/checking if you can get any good script locations (such as in your items, I wish) with box item underflow or the walking lag glitch.

Route 4: Jack-Fly from the Paras Trainer, change boxes, reset, return, talk to her again, and beat her. This made the game execute F0F5 (i.e. D0F5).

Re: Trainer-Fly/Box underflow available text boxes that execute arbitrary script

Posted by: luckytyphlosion
Date: 2015-04-18 13:04:06
Just posting this here since it's relevant to the current topic, but it is possible to write any byte to any location using a custom text pointer.

Setup:
1. Walk to an NPC with TextID of 0 (I chose the boy talking to the girl on Route 6)
2. Change Text Pointer (endianness) to the location with your text pointers (For me, my text pointers were inserted in D371.)
3. At the location where the text pointer points to, put the same address of the text pointer + 2. (D373)
4. Place the following bytes starting from the address written above.

AAAA = Address to write bytes to (with endianness).
03AAAA00<bytestowrite>5050

Unfortunately, it's impossible to copy bytes that correspond to text commands, so this may not be a suitable approach for writing bytes.
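A small Python model of the text-pointer layout described in this post, added here as an illustration (it is not code from the thread or from the game's disassembly): it builds the 03 AAAA 00 <bytes> 50 50 sequence, interprets it the way the text engine would, and rejects payload bytes that the engine treats as text commands, which is exactly the limitation noted above. The control-byte set and the command semantics are assumptions modelled on the pokered disassembly; the 64 KiB memory array and the 'ABC' payload are constructed.

```python
# Added model (not code from the thread): a toy Gen I text-command interpreter
# showing why "03 AAAA 00 <bytes> 50 50" acts as a memory write, and why bytes that
# double as text commands cannot be written this way.

# Bytes the string printer interprets rather than copies. ASSUMPTION: modelled on
# the pokered disassembly's PlaceNextChar; exact membership is not from the thread.
CONTROL_BYTES = {0x4E, 0x4F, 0x50, 0x51, 0x55, 0x57, 0x58}

def unwritable_bytes(payload: bytes) -> list:
    """Payload bytes that would be treated as text commands instead of copied."""
    return [b for b in payload if b in CONTROL_BYTES]

def build_text_script(dest: int, payload: bytes) -> bytes:
    """Lay out the bytes from the post: 03 <dest, little-endian> 00 <payload> 50 50."""
    if not 0 <= dest <= 0xFFFF:
        raise ValueError("dest must be a 16-bit address")
    if unwritable_bytes(payload):
        raise ValueError("payload contains text control bytes: %s" % unwritable_bytes(payload))
    return bytes([0x03, dest & 0xFF, dest >> 8, 0x00]) + payload + b"\x50\x50"

def run_text_script(mem: bytearray, script: bytes) -> int:
    """Interpret the script as the text engine does: 03 sets the print destination,
    00 copies literal bytes there until 50, and a following 50 or 57 ends the box.
    Returns the number of bytes written into mem."""
    pc, dest, written = 0, None, 0
    while pc < len(script):
        cmd, pc = script[pc], pc + 1
        if cmd == 0x03:                      # TX_MOVE: little-endian destination follows
            dest, pc = script[pc] | (script[pc + 1] << 8), pc + 2
        elif cmd == 0x00:                    # start of literal text
            if dest is None:
                raise ValueError("text started before a destination was set")
            while script[pc] != 0x50:        # 50 terminates the string
                if script[pc] in CONTROL_BYTES:
                    raise ValueError("control byte %#04x is interpreted, not copied" % script[pc])
                mem[dest] = script[pc]       # the "print" lands at an arbitrary address
                dest, pc, written = dest + 1, pc + 1, written + 1
            pc += 1                          # consume the terminator
        elif cmd in (0x50, 0x57):            # end of the text box
            break
        else:
            raise ValueError("command %#04x is not modelled here" % cmd)
    return written

def demo() -> tuple:
    """Write 'ABC' (Gen I charmap 0x80-0x82) to the D373 area named in the post."""
    mem = bytearray(0x10000)                 # constructed 64 KiB address space
    n = run_text_script(mem, build_text_script(0xD373, bytes([0x80, 0x81, 0x82])))
    return mem[0xD373:0xD376].hex(), n
```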

Re: Trainer-Fly/Box underflow available text boxes that execute arbitrary script

Posted by: Torchickens
Date: 2015-04-18 13:13:00

Just posting this here since it's relevant to the current topic, but it is possible to write any byte to any location using a custom text pointer.

Setup:
1. Walk to an NPC with TextID of 0 (I chose the boy talking to the girl on Route 6)
2. Change Text Pointer (endianness) to the location with your text pointers (For me, my text pointers were inserted in D371.)
3. At the location where the text pointer points to, put the same address of the text pointer + 2. (D373)
4. Place the following bytes starting from the address written above.

AAAA = Address to write bytes to (with endianness).
03AAAA00<bytestowrite>5050

Unfortunately, it's impossible to copy bytes that correspond to text commands, so this may not be a suitable approach for writing bytes.
Cool. Thanks for sharing.

Well, I just went through many (probably all but I'm unsure) routes with Trainers in Yellow, and the Route 4 one was the only one that executed arbitrary code for 'walking lag glitch' that isn't in a place like VRAM or SRAM. Aww.

I haven't been through absolutely every route with Trainers that can have the "!" yet. I tried Fighting Dojo and I got the script for beating the Fighting Dojo master without beating him. I tried the entrance of Victory Road and got a freeze. I tried the entrance to Rock Tunnel from Lavender Town and had to deal with many glitch sounds. Eventually the game jumped to A025, and BGB thought that was an FF, so you can probably guess what happened: a 00 39 freeze.