Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Arbitrary Code Execution Discussion

Sending input via joypad using 8F - Page 2

Re: Sending input via joypad using 8F

Posted by: Exegutt0r
Date: 2016-08-27 00:28:17
This can be pretty useful for people who are more advanced in this. But it's not really n00b compatible, but otherwise, great work!  ;D

Re: Sending input via joypad using 8F

Posted by: ISSOtm
Date: 2016-09-11 07:05:51
I've thought of a better option (in my opinion) to write custom code : use SRAM !
According to Datacrystal, there are tons of unused stuff there !

So, here would be a nice strategy to use 8F joypad RTA code injection (injecting code by humans - ie not via TAS - through the joypad using 8F) :
# Set up first 8F payload
# Run it :
## Switch to SRAM bank 0
## Open SRAM (I think it is better to switch first, this way we're sure we won't screw saved data up :))
## Write code starting at A000 (or, if sprite decompression is a must, B858 and its ~16kbytes seem nice.)
## Run it
### ENJOY

I've been thinking, though : any code that requires saving will switch to SRAM bank 1 ! So, what would be cool is this :
# The SRAM code must :
## Write some code to WRAM. Where ? Maybe in the "opponent Pokémon region", if outside of battle ?
## Call the WRAM code
# The WRAM code must :
## Call the save routine
## Switch to SRAM bank 0
## Return to SRAM
# Everything should be fine, right ?


The only remaining question is : how to write the payload ? I'm thinking about having part of it as bag items (the SRAM switch + opening almost has to, since it should be run only once), and another part maybe as PC items. But, I need to know which of these options is best :

SAVE THE ANIMALS
Aldrasio suggested we only need to double / increment ; this leaves nothing for Down and Right to do.
If you think we should leave Down and Right unused, you want to save the animals

SAVE THE FRAMES
However, leaving Down and Right unused wastes two bytes ; plus, it would be extra nice if these were NOT there, for convenience reasons.
If you think moving the SELECT and START features to Down and Right is not a problem, you want to save the frames.

Let me know which one is best ! I'll work on making a viable 8F setup for this to work.

Re: Sending input via joypad using 8F

Posted by: ISSOtm
Date: 2016-09-11 10:30:49
I know this is double-posting, but… yeah.

!!!! WIP !!!!

I've made a few design choices as far as the script is concerned :
* Since inc b, etc. are heavily used as filler operations, I'll use d instead to hold the target hex code.
* The code will be written to SRAM (B858 and onwards) as the previous post stated, not in WRAM as the first post stated.
* This gives us a nicey 1920 bytes to play with. :D Let's write that Flappy Bird in Pokémon Red !

But wait !!! There is something VERY IMPORTANT you need to know if you try this on your console :
DO NOT TURN THIS OFF UNTIL SRAM IS LOCKED AGAIN ! YOU CAN LOSE YOUR SAVE FILE !!

So, here is that bad boy :

; When loading the game, only SRAM bank 0 can be accessed, and all ROM banks can be reached. (MBC1 is on banking mode 0)
; We just need to open up the SRAM edition. That's doable, I s'pose.
; No function in the game simply opens SRAM ; they all close it later on :(

ld a, $0A ; Any non-$0A value locks SRAM. That's safe, but unfortunately that isn't quite nice for us >.>
; Right now, hl = D322. We need to write to anywhere between 0000 and 1FFF to enable SRAM.
ld h, $01 ; Now, hl = 0122, which is in the above range.
ld [hli], a ; *Zelda item get theme* You got the SRAM PASS ! You can now sail to the A000 - BFFF range !
; hl = 0123 now.

inc b ; filler !
ld hl, ??58
inc b
adc a, $AE ; All flags should be reset : a = B8
inc/dec h ; Doesn't matter.
ld h, a ; hl = B858. Phew.

; d should be 0. Convenience !


; Now, THIS is the main loop.
mainloop:
call Joypad ; Joypad is at 019A. That means MASTER BALL ?? Crap.
; WARNING : destroys a, b and e !
inc b
ld a, [$FF00 + $B3] ; We fetch hJoyPressed (the keys pressed since the last Joypad call).

inc b ; Filleeeerrrrr !!1
rla ; Down
INSERT FILLER
jr nc, $+4
ld e, a
ld a, d
ld [hli], a ; Push one byte down the stream !
ld a, e

rla ; Up
jr nc, $+2
inc d ; Increment d

rla ; Left
jr nc, $+2
sla d ; Double d

rla ; Right



Item setup :
BAG ITEMS

Anything x[any qty] ; Really, it does NOT (NOT (NOT matter)) at this point.
8F
Lemonade x10
Carbos x1
Water Stone x4
Thunder Stone x88
[any item] x4
TM06 x174
Protein/Iron x103 ; here, the bootstrap is complete. We still have 11 items to go !

; mainloop
TM05 x154
Master Ball x4 ; C'mon, don't tell me you didn't dupe them ???
TM40 x179

Poké Ball x22
INSERT FILLER
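The loop above turns button presses into a byte stream, and the earlier post asks whether double/increment alone is enough to produce every byte. The following Python simulator is an added example written for this archive, not code from the thread or from ISSOtm: it models the WIP main loop's button semantics as posted (Down writes d to [hl] and advances hl, Up increments d, Left doubles d with the top bit lost, all checked in the assembly's rla order), then encodes an arbitrary payload into the shortest Up/Left/Down press sequence and verifies it round-trips. Right is not yet defined in the post, so the simulator ignores it. The button names, the `simulate`/`shortest_path`/`encode` helpers and the sample payload are this example's own; the hJoyPressed bit layout (bit 7 = Down, 6 = Up, 5 = Left, 4 = Right) is the standard Game Boy one that the loop's four successive rla instructions rely on.

```python
"""Simulator and encoder for the 8F joypad byte-stream loop described above.

Added example, not code from the thread. Assumptions: button names below are
this example's own; Right does nothing because the post has not defined it
yet; d is carried from byte to byte exactly as in the loop (Down does not
reset it).
"""
from collections import deque

# hJoyPressed bit positions (standard Game Boy joypad layout). The loop's
# successive rla instructions test bit 7, then 6, then 5, then 4.
BIT = {"Down": 7, "Up": 6, "Left": 5, "Right": 4,
       "Start": 3, "Select": 2, "B": 1, "A": 0}


def simulate(frames, d=0):
    """Run the main loop over a list of joypad polls.

    Each poll is an iterable of button names newly pressed that frame
    (hJoyPressed only reports fresh presses). Returns (bytes_written,
    final_d). Checks run in the assembly's order: Down, Up, Left, Right.
    """
    out = bytearray()
    for pressed in frames:
        a = 0
        for name in pressed:
            a |= 1 << BIT[name]
        if a & 0x80:               # rla #1, carry = Down: ld [hli], d
            out.append(d)
        if a & 0x40:               # rla #2, carry = Up: inc d
            d = (d + 1) & 0xFF
        if a & 0x20:               # rla #3, carry = Left: sla d (bit 7 lost)
            d = (d << 1) & 0xFF
        # rla #4 (Right) is undefined in the post: nothing happens here.
    return bytes(out), d


def shortest_path(start, target):
    """BFS over the 256 possible d values using only Up (+1) and Left (x2).

    Returns the shortest list of button names turning start into target.
    Every target is reachable from every start: eight Lefts clear d to 0,
    after which Up alone counts up to any value.
    """
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            break
        for name, nxt in (("Up", (cur + 1) & 0xFF), ("Left", (cur << 1) & 0xFF)):
            if nxt not in prev:
                prev[nxt] = (cur, name)
                queue.append(nxt)
    path = []
    cur = target
    while prev[cur] is not None:
        cur, name = prev[cur]
        path.append(name)
    path.reverse()
    return path


def encode(payload, d=0):
    """Turn a byte string into the frame list the loop will write verbatim.

    Each byte is encoded relative to the previous one, because the loop
    leaves d untouched after a Down press. One button per frame, so the
    length of the returned list is the number of frames spent.
    """
    frames = []
    for b in payload:
        for name in shortest_path(d, b):
            frames.append([name])
        frames.append(["Down"])
        d = b
    return frames


if __name__ == "__main__":
    # Constructed sample payload (three opcode bytes), not from the thread.
    sample = bytes([0x3E, 0x0A, 0xC9])
    presses = encode(sample)
    written, final_d = simulate(presses)
    print(f"{len(presses)} frames -> {written.hex()} (d ends at {final_d:#04x})")
    assert written == sample
```

Running the block encodes the sample and checks that the simulated loop writes it back unchanged; `encode(bytes(range(256)))` round-trips every byte value, which is the practical answer to whether double/increment suffice. The frame count that `encode` returns is the cost that the "save the frames" option is trading against.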