Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Offgao's memory viewer and Tetris ACE exploits - Page 2

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Cryo
Date: 2017-01-12 15:02:34
Hehe, yeah, I actually wasn't sure how the game would handle itself if you viewed the box when having an invalid sequence for the number of Pokemon, so I played it safe and set up the box as it expects for testing purposes.

Guess I forgot the part about optimization. :D

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Torchickens
Date: 2017-01-12 15:21:13
I see, I think generally you'll have no trouble when viewing the contents of a box as far as the list goes.

However I remember when experimenting with player name IDs there was a control character (not player name) that caused a freeze, hence there may be a chance a problematic nickname could cause the game to freeze.

Additionally, when you try to withdraw a Pokémon with an unterminated name the game may freeze if you didn't view the summary of a Pokémon with a specific move 4, such as Counter beforehand.

Plus if a Pokémon has 0 max HP and greater than 0 current HP on the summary and/or knows Super Glitch viewing its summary may be problematic.

So you can view the box list but should never try pressing A on a Pokémon on the Withdraw screen or risk a freeze that could erase your save due to 00 39 corruption (although you would be destroying the memory editor code you set up).

This is what my box looks like:
[img]http://i.imgur.com/z3mi9Nu.png[/img]

And what I got when I tried yours:
[img]http://i.imgur.com/UMxkZc1.png[/img]

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Flandre Scarlet
Date: 2017-01-18 08:55:30
Would it be possible to have the code in SRAM Bank 0 Hall of Fame data? According to Datacrystal's RAM map it is about 4.8KB of space (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Bank_0) and would also allow you to use your boxes without corrupting them.

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Yeniaul
Date: 2017-01-21 02:20:45

[quote author=Flandre Scarlet]
Would it be possible to have the code in SRAM Bank 0 Hall of Fame data? According to Datacrystal's RAM map it is about 4.8KB of space (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Bank_0) and would also allow you to use your boxes without corrupting them.
[/quote]

Didn't we do this with one or another member's video on 9F?

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Unused Trainer
Date: 2017-01-21 03:17:35
Yeah, this is a nice awesome finding!

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: ISSOtm
Date: 2017-02-17 08:39:25

[quote author=Flandre Scarlet]
Would it be possible to have the code in SRAM Bank 0 Hall of Fame data? According to Datacrystal's RAM map it is about 4.8KB of space (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Bank_0) and would also allow you to use your boxes without corrupting them.
[/quote]

I'm trying to fit this into "unused" SRAM segments. If it works, I'll also post a 8F walkthrough on how to build this.

[EDIT] It is possible, but since you need to do SRAM unlocking and locking I believe it's not worth it.

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Torchickens
Date: 2017-02-17 09:51:47

[quote author=Flandre Scarlet]
Would it be possible to have the code in SRAM Bank 0 Hall of Fame data? According to Datacrystal's RAM map it is about 4.8KB of space (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Bank_0) and would also allow you to use your boxes without corrupting them.
[/quote]


Mm, that may work, but you might have to add code to open the SRAM, as SRAM may be closed; filled with FF, or apparently values that are hard to predict.

I was originally under the impression another good location might be the Day Care data from DA48 onward, but the current versions of the code are too many bytes long for that.

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: jfb1337
Date: 2017-03-13 05:27:17
I presume there's not enough space in unused event flags for this, right? If not, then MrCheese's virus shows that it is at least possible to fit in unused event flags a script that opens SRAM, copies some data from it, and jumps to it; would that be worth doing? Since even if you reset the save file the memory editor should still be there, you just need to re-do the loading code.

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: ISSOtm
Date: 2017-03-13 14:27:33


[quote author=Torchickens]
[quote author=Flandre Scarlet]
Would it be possible to have the code in SRAM Bank 0 Hall of Fame data? According to Datacrystal's RAM map it is about 4.8KB of space (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Bank_0) and would also allow you to use your boxes without corrupting them.
[/quote]

Mm, that may work, but you might have to add code to open the SRAM, as SRAM may be closed; filled with FF, or apparently values that are hard to predict.
[/quote]

Closed SRAM is read as $FF bytes (unless ur playin VBA lel)


[quote author=jfb1337]
I presume there's not enough space in unused event flags for this, right? If not, then MrCheese's virus shows that it is at least possible to fit in unused event flags a script that opens SRAM, copies some data from it, and jumps to it; would that be worth doing? Since even if you reset the save file the memory editor should still be there, you just need to re-do the loading code.
[/quote]


ld hl, $0060   ; $0060 lies inside the MBC's RAM-enable register range ($0000-$1FFF)
inc [hl]       ; reads the ROM byte $D9 at $0060 and writes $DA back; low nibble $A, so SRAM opens
jp $XXXX       ; hand off to the code you placed in SRAM

Enables SRAM and jumps to wherever you want in a mere 7 bytes!
The trick is inc [hl], which reads a $D9 @ $0060, and writes back a $DA to $0060.
Enabling SRAM usually works by writing $0A in memory range $0000-$1FFF; during testing, I found - by accident - that writing anything that has its lower nibble as $A also works, at least on BGB. I'd like to try on hardware.
Disabling SRAM is as simple as writing anything that doesn't have its lower nibble as $A in the above memory range. It can also be done by saving the game, though :P
I don't know what happens when powering the console off while SRAM is open, but documents imply that this might decay its contents.
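
To make the mechanism behind that stub concrete, here is an added Python model (not code from the thread or from any of its posters) of the cartridge RAM-enable gate as described above: writes into $0000-$1FFF open SRAM when the value's low nibble is $A and close it otherwise, closed SRAM reads back as $FF, and `inc [hl]` at $0060 turns the ROM byte $D9 into a $DA write to that gate. Everything other than the $D9 at $0060 and the nibble rule is constructed for the example: the rest of the ROM, the SRAM payload, and the jump target $A000 standing in for the post's `$XXXX`.

```python
# Added example: a model of the MBC RAM-enable register and of the
# "ld hl,$0060 / inc [hl] / jp nnnn" stub from the post above.
# ROM contents other than the $D9 at $0060, the SRAM payload and the
# jump target are constructed here and are not taken from the thread.

ROM_BYTE_AT_0060 = 0xD9  # the post reports $D9 at ROM $0060


def assemble_stub(target):
    """Hand-assemble the 7-byte stub: ld hl,$0060 (21 60 00), inc [hl] (34), jp target (C3 lo hi)."""
    return bytes([0x21, 0x60, 0x00, 0x34, 0xC3, target & 0xFF, (target >> 8) & 0xFF])


class Cartridge:
    """Minimal cartridge bus: ROM at $0000-$7FFF, an 8 KiB SRAM bank at $A000-$BFFF,
    and the RAM-enable register mapped over $0000-$1FFF (the MBC rule quoted in the thread)."""

    def __init__(self, rom, sram):
        self.rom = bytes(rom)
        self.sram = bytearray(sram)
        self.ram_enabled = False  # SRAM starts closed, as on power-up

    def read(self, addr):
        if addr < 0x8000:
            return self.rom[addr] if addr < len(self.rom) else 0xFF
        if 0xA000 <= addr < 0xC000:
            # Closed SRAM reads as $FF; open SRAM returns the stored byte.
            return self.sram[addr - 0xA000] if self.ram_enabled else 0xFF
        raise ValueError(f"address ${addr:04X} is outside cartridge space")

    def write(self, addr, value):
        value &= 0xFF
        if addr < 0x2000:
            # Any value whose low nibble is $A enables SRAM; anything else disables it.
            self.ram_enabled = (value & 0x0F) == 0x0A
        elif 0xA000 <= addr < 0xC000 and self.ram_enabled:
            self.sram[addr - 0xA000] = value
        # Other ROM-range writes select banks on a real MBC; ignored in this model.


def run_stub(cart, stub):
    """Interpret the stub's three instructions against the cartridge model; return the jp target."""
    assert stub[0] == 0x21 and stub[3] == 0x34 and stub[4] == 0xC3
    hl = stub[1] | (stub[2] << 8)                  # ld hl, nn
    cart.write(hl, (cart.read(hl) + 1) & 0xFF)     # inc [hl]: read $D9 from ROM, write $DA to the gate
    return stub[5] | (stub[6] << 8)                # jp nn


def demo(target=0xA000):
    """Constructed scenario: a payload sits at the start of SRAM and the console has SRAM closed."""
    rom = bytearray(0x100)
    rom[0x60] = ROM_BYTE_AT_0060
    payload = b"EDITOR"  # constructed stand-in for code stored in SRAM
    sram = bytearray(0x2000)
    sram[: len(payload)] = payload
    cart = Cartridge(rom, sram)

    before = bytes(cart.read(target + i) for i in range(len(payload)))
    landed = run_stub(cart, assemble_stub(target))
    after = bytes(cart.read(target + i) for i in range(len(payload)))
    return before, after, landed, cart.ram_enabled


if __name__ == "__main__":
    before, after, landed, enabled = demo()
    print(f"closed SRAM read: {before.hex()}  after stub: {after!r}  jp -> ${landed:04X}  enabled={enabled}")
```

The model also makes ISSOtm's other two observations checkable: writing $D9 (the value before the increment) leaves the gate closed, and any later write without an $A low nibble, such as $00, closes it again.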

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Terry
Date: 2017-04-08 19:15:02
So, I've been browsing here for years but never really needed to sign up until now, and I'm pretty lost. I've inserted the code into my game from the quoted post below, and have a working 8F bootstrap, but how do I make it redirect to the PC box 1? I have the wrong item list/bootstrap, right? I've scoured this thread high and low several times and I feel like I'm missing something simple.

pls halp!

edit: also, my box looks a bit different, and I'm pretty sure I put everything in right, but for some reason my mons don't have any names like yours do.
Can I not use spoilers or collapse on this forum? oh well.
https://cdn.discordapp.com/attachments/239495793487118336/300434755227222017/20170408_175856.jpg
I am using a physical GameShark to do this though, 25 addresses at a time, so there is definitely a chance I messed up somewhere.


[quote]
Amazing. Thank you Cryo! :)

I worked out another way to do it but your version looks a lot shorter.

Edit: Mine is shorter but it needs the code at DBF0.

@DA80:

01 00 DA C5 0B 0B 16 12 21 AA
C3 CD 25 DB 03 C5 01 0A 00 09
C1 15 20 F3 C1 3E ED EA D3 C3
3E FF E0 B7 76 C5 CD 31 38 C1
F0 B5 FE 02 C8 FE 03 20 02 C5
C9 FE 40 20 01 0B FE 80 20 01
03 FE 20 20 06 21 F0 FF 09 44
4D FE 10 20 06 21 10 00 09 44
4D FE 24 20 06 21 00 FF 09 44
4D FE 14 20 06 21 00 01 09 44
4D 16 00 FE 88 20 02 16 FF FE
48 20 02 16 01 FE 28 20 02 16
F0 FE 18 20 02 16 10 60 69 FE
44 20 08 F5 3A F5 2A 32 F1 77
F1 FE 84 20 08 F5 2A F5 3A 22
F1 77 F1 44 4D 7A A7 28 03 0A
82 02 C3 83 DA 3E 7C 22 3E 7F
22 78 CD 3E DB 79 CD 3E DB 3E
E3 22 0A CD 3E DB 3E 7C 22 C9
F5 CB 37 CD 45 DB F1 E5 26 DB
F6 F0 6F 7E E1 22 C9

@DBF0:

F6 F7 F8 F9 FA FB FC FD FE FF
60 61 62 63 64 65
[/quote]

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: jfb1337
Date: 2017-04-11 08:48:25
The required 8F bootstrap would be jp $DA80, which is H# (glitch item $C3) x128 / TM18 x any.
Or if you don't like the glitch item, it could be replaced with either TM18 or TM10, for jp c, xxxx or jp nc, xxxx respectively, one of those should work but I'm not sure which. It might be a good idea to make the any quantity x201 or put a TM01 afterwards, so if the wrong one is used then nothing happens (instead of a crash).

As for the nicknames, was there ever previous data on the cart in that box? If so then it might be left over from that, but I'm not sure.

Do the nicknames even matter? It looks like the code isn't long enough to reach them, so would it be safe for me to overwrite them with properly terminated nicknames? And would this make it safe to view the stat pages, to allow for easy comparison between console and emulator?

For Cryo's version, do the 7 pokemon in the box matter? It seems like only the ones that encode the jp instruction should do.

Also, it seems possible to avoid having to write out the tiles elsewhere in memory by replacing the GetChar function with

GetChar:
    and a, $0F      ; keep the low nibble (0-15)
    add a, $F6      ; 0-9 become $F6-$FF, the '0'-'9' tiles, with no carry out
    jr nc, .digit
    add a, $60      ; 10-15 wrapped around to $00-$05; $60-$65 are the 'A'-'F' tiles
.digit
    ld [hli], a     ; store the tile and advance the output pointer
    ret

which is 2 bytes shorter than it is in Cryo's version (don't know about Torchickens' version), and saves 16 bytes of tile IDs.

Edit: I tried this with Torchickens' version on BGB and it worked. (I also had my nicknames be blank spaces instead of 9s both when using box 1 on BGB and box 12 on VC. Don't know why)

Edit2: I think I figured out the nickname thing: From a fresh cart, SRAM will be initialised with (mostly?) 00. However, the ClearSAV function fills SRAM with FF, which corresponds to the 9 character. So if you've ever cleared the save file with the button combo that clears it, your uninitialised nicknames are all 9, otherwise they're blank spaces.
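
Added example (not from this post, nor Cryo's or Torchickens' code): a tiny interpreter for just the SM83 opcodes the two GetChar variants use, which runs the table-lookup routine found at the tail of the DA80 dumps Torchickens posts for each version below (`E5 26 DA E6 0F C6 96 6F 7E E1 22 C9`, indexing the tile table at $DA96) and the arithmetic routine above, hand-assembled here as `E6 0F C6 F6 30 02 C6 60 22 C9`, for every possible input byte and checks that both write the same tile and advance HL identically. The load address $DB00 and the output address $C3A0 are constructed for the example.

```python
# Added example: run both GetChar variants through a tiny interpreter for the
# handful of SM83 opcodes they use, and confirm they produce identical output.
# The lookup routine's bytes are the tail of the DA80 dumps posted in this
# thread; the arithmetic routine is hand-assembled from the listing above.
# Load address $DB00 and output address $C3A0 are constructed for this example.

# Tile table the lookup routine indexes at $DA96: '0'-'9' are $F6-$FF, 'A'-'F' are $60-$65
TILE_TABLE = [0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF,
              0x60, 0x61, 0x62, 0x63, 0x64, 0x65]
TABLE_ADDR = 0xDA96

# push hl / ld h,$DA / and a,$0F / add a,$96 / ld l,a / ld a,[hl] / pop hl / ld [hli],a / ret
LOOKUP_GETCHAR = bytes.fromhex("E5 26 DA E6 0F C6 96 6F 7E E1 22 C9")
# and a,$0F / add a,$F6 / jr nc,.digit / add a,$60 / .digit: ld [hli],a / ret
ARITH_GETCHAR = bytes.fromhex("E6 0F C6 F6 30 02 C6 60 22 C9")

CODE_ADDR = 0xDB00
DEST_ADDR = 0xC3A0


class MiniSM83:
    """Just enough of the Game Boy CPU to execute the two routines."""

    def __init__(self, code, mem):
        self.mem = mem                      # sparse memory: address -> byte
        for i, b in enumerate(code):
            self.mem[CODE_ADDR + i] = b
        self.pc = CODE_ADDR
        self.a = self.h = self.l = 0
        self.carry = False
        self.stack = []

    def hl(self):
        return (self.h << 8) | self.l

    def set_hl(self, v):
        self.h, self.l = (v >> 8) & 0xFF, v & 0xFF

    def fetch(self):
        b = self.mem.get(self.pc, 0xFF)
        self.pc += 1
        return b

    def run(self):
        while True:
            op = self.fetch()
            if op == 0xE6:                           # and a, n   (clears carry)
                self.a &= self.fetch()
                self.carry = False
            elif op == 0xC6:                         # add a, n   (carry on 8-bit overflow)
                total = self.a + self.fetch()
                self.carry = total > 0xFF
                self.a = total & 0xFF
            elif op == 0x30:                         # jr nc, e8  (signed offset from next instruction)
                off = self.fetch()
                if not self.carry:
                    self.pc += off - 0x100 if off > 0x7F else off
            elif op == 0x22:                         # ld [hli], a
                self.mem[self.hl()] = self.a
                self.set_hl((self.hl() + 1) & 0xFFFF)
            elif op == 0xE5:                         # push hl
                self.stack.append(self.hl())
            elif op == 0xE1:                         # pop hl
                self.set_hl(self.stack.pop())
            elif op == 0x26:                         # ld h, n
                self.h = self.fetch()
            elif op == 0x6F:                         # ld l, a
                self.l = self.a
            elif op == 0x7E:                         # ld a, [hl]
                self.a = self.mem.get(self.hl(), 0xFF)
            elif op == 0xC9:                         # ret
                return
            else:
                raise ValueError(f"opcode ${op:02X} not modelled")


def get_char(routine, value):
    """Call GetChar with A=value and HL=DEST_ADDR; return (tile written, HL afterwards)."""
    mem = {TABLE_ADDR + i: t for i, t in enumerate(TILE_TABLE)}
    cpu = MiniSM83(routine, mem)
    cpu.a = value & 0xFF
    cpu.set_hl(DEST_ADDR)
    cpu.run()
    return mem[DEST_ADDR], cpu.hl()


def routines_agree():
    """True when both routines emit the same tile and advance HL identically for every input byte."""
    return all(get_char(LOOKUP_GETCHAR, v) == get_char(ARITH_GETCHAR, v)
               == (TILE_TABLE[v & 0x0F], DEST_ADDR + 1) for v in range(256))


def bytes_saved():
    """Code-size difference, plus the 16-byte tile table the arithmetic version no longer needs."""
    return len(LOOKUP_GETCHAR) - len(ARITH_GETCHAR), len(TILE_TABLE)


if __name__ == "__main__":
    print("agree on all 256 inputs:", routines_agree())
    print("bytes saved (code, table):", bytes_saved())
```

The arithmetic version never touches memory other than the output pointer, which is why the 16 tile IDs can be dropped from the payload; the 2-byte code saving comes from replacing `push hl / ld h,$DA / ... / ld l,a / ld a,[hl] / pop hl` with a single conditional `add`.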

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: Torchickens
Date: 2017-04-20 10:46:57
After a related question I decided to look up the equivalent of 3831 (JoyPadLowSensitivity) in non-English European versions.

This is the code you have to place at DA80 for each version with the equivalent address in brackets to get the memory editor to work in those versions.

English Red:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 31 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9


(Joypad function address: 3138)

French Red:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 4E 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 4E38)

German Red:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 4B 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 4B38)

Spanish Red:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 50 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9


(Joypad function address: 5038)

Italian Red:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 49 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 4938)

English Yellow:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 1E 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 1E38)

French Yellow:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 21 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 2138)

German Yellow:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 23 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 2338)

Spanish Yellow:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 23 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 2338)

Italian Yellow:

07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00
F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5
01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 1C 38 C1 F0 B5 FE 02 C8 FE 03 20 03
00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D
FE 24 20 06 21 00 FF 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16
01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A
18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F
CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

(Joypad function address: 1C38)

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: TheSixthItem
Date: 2017-05-18 20:25:23
I've been trying to bootstrap to DA80 with pokemon for a while but I'm not very good with asm so it involves a pokemon with 128218 defence
I'm not even kidding…
Once GBA4IOS comes back I'll be able to test this and post it as a proof of concept.

Re: Offgao's memory viewer and Tetris ACE exploits

Posted by: ISSOtm
Date: 2017-05-19 06:57:30

[quote author=TheSixthItem]
I've been trying to bootstrap to DA80 with pokemon for a while but I'm not very good with asm so it involves a pokemon with 128218 defence
I'm not even kidding…
Once GBA4IOS comes back I'll be able to test this and post it as a proof of concept.
[/quote]

It's not possible for a Pokémon to have 128218 DEF stat. (Hardware) maximum is 65535.

Also, this has been PoC'd already on GB, GBC and GBA, and it works fine. You can still get such a save for your personal use, though.