Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Nothing seem to match

Posted by: PanCave
Date: 2017-03-08 08:33:36
Hey,

first of all: I hope this is the right place to ask this question, if not please forgive me.

The thing is, I'm new to this kind of "programming", but very interested!
I read some sources (mainly from this forum), but sadly nothing seems to match…

A few examples explaining my problem:
1)
This thread's first answer: http://forums.glitchcity.info/index.php?topic=7871.msg204526#msg204526
When I compare his (/her?)
> Back into raw code using the Big List:
>
> - Repel x index number of wanted Pokemon
> - X Speed x14
> - Ultra Ball x 64
> - TM05 (Mega Kick) x72
> - Lemonade x201
>
> Becomes
> 1e xx 43 0e 02 40 cd 48 3e c9

I get the exact same byte string using the Big List. So far so good. But when he shows how the bytes should look @3E59:
> Now, CF91 is one of the addresses that is reduced by 1 in Yellow; so if we search for 78 ea 90 cf [ld a,b ld (cf90),a ld a,c] in a hex editor (I like to use HxD which is freeware) we can luckily find the beginning gift Pokémon routine in Yellow at 3E59.
>
> 78 EA 90 CF 79
>
> So we need to change cd 48 3e to cd 59 3e (59 3e because the call routine expects big endian, which may mean highest value comes first; sadly not sure but remember it's often the opposite byte order you would find in a memory viewer)

My bytes (read with VBA's memory viewer) are: CD 18 38 37 C9 78 EA 95 CF 79 EA 2B D1 AF EA 49
Why? :/

2)
In another thread there is linked the RAM map of Red/Blue: http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Items
When I search for a Yellow map, everyone tells me it's just Red/Blue - 1. So according to that list my total item counter should be @(D31D - 1 = D31C), but it's actually @D321.
Reading from there on gives me the correct information about my items, but it's actually +4 instead of -1. Why? :/

3)
Again in another thread is this link: http://aurellem.org/vba-clojure/html/rom.html#sec-9-1
> 0DE2F. Duration of Repel. A single byte, representing the number of steps you can take before the effect wears off. 100

But when I take a look @0DE2F and the nearby bytes, there is nowhere a 64, which should indicate the 100 steps of Repel. Why? :/

I get the feeling that I missed something important on how to find the location of any information in the memory…

My final goal is to write code in Yellow to change the OT and ID of a specific Pokémon (yes, Mew Pokébank). I know that there are guides out there either doing that in Red/Blue or changing OT/ID of the player in Yellow. But I want to change one specific Pokémon in Yellow and I can't find any guides/codes/hints on that. If someone knows one, please tell me, I'm very interested, but I really want also to learn how to read and write the code by myself, so the original question would still be a thing.

I hope I worked out what my problem is and what I want to be able to learn/code.

Thank you,
PanCave
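Worked example (added here; it is not code from this thread or from the linked answer): it encodes the quoted item list into the two-byte-per-item form the pack holds, disassembles those bytes, and shows why the Yellow fix is only a change of TM05's quantity. The item IDs are the ones implied by pairing the quoted list with the quoted bytes; the Repel quantity (the "xx" placeholder) is set to Mew's index number, 0x15, as a constructed example value. The 16-bit operand of a Game Boy call is stored low byte first.

```python
# Item IDs implied by the quoted pairing: each (item, quantity) is stored as [id, qty].
ITEM_IDS = {"Repel": 0x1E, "X Speed": 0x43, "Ultra Ball": 0x02,
            "TM05": 0xCD, "Lemonade": 0x3E}

# Only the opcodes this setup uses: opcode -> (mnemonic, operand length in bytes).
OPCODES = {0x1E: ("ld e,{}", 1), 0x43: ("ld b,e", 0), 0x0E: ("ld c,{}", 1),
           0x40: ("ld b,b", 0), 0xCD: ("call {}", 2), 0xC9: ("ret", 0)}

# The quoted setup. Repel's quantity is the wanted Pokemon's index number ("xx");
# 0x15 (Mew) is a constructed example value, not something the post states.
SETUP = [("Repel", 0x15), ("X Speed", 14), ("Ultra Ball", 64),
         ("TM05", 72), ("Lemonade", 201)]

def encode_items(items):
    """Bytes as they sit in the item pack: two bytes per item, executed as code."""
    out = bytearray()
    for name, qty in items:
        if not 1 <= qty <= 255:
            raise ValueError(f"{name} x{qty} does not fit in one quantity byte")
        out += bytes([ITEM_IDS[name], qty])
    return bytes(out)

def disassemble(code):
    """Mnemonics for the pack bytes. A 16-bit operand is stored low byte first,
    which is why 'cd 48 3e' is a call to $3E48 and not to $483E."""
    lines, i = [], 0
    while i < len(code):
        mnemonic, n = OPCODES[code[i]]
        operand = code[i + 1:i + 1 + n]
        if len(operand) != n:
            raise ValueError("operand runs past the end of the pack")
        if n == 2:
            lines.append(mnemonic.format(f"${operand[1]:02x}{operand[0]:02x}"))
        elif n == 1:
            lines.append(mnemonic.format(f"${operand[0]:02x}"))
        else:
            lines.append(mnemonic)
        i += 1 + n
    return lines

def retarget_call(items, target):
    """Point the call at another address. Its low byte is TM05's quantity and
    its high byte is the next item's ID (Lemonade, $3E), so only $3Exx targets
    are reachable by editing a quantity; any other page would need another item."""
    lo, hi = target & 0xFF, target >> 8
    if hi != ITEM_IDS["Lemonade"] or lo == 0:
        raise ValueError(f"${target:04X} is not reachable with this item list")
    return [(name, lo if name == "TM05" else qty) for name, qty in items]
```

Moving the call from $3E48 (Red/Blue) to $3E59 (Yellow) therefore means TM05 x72 becomes TM05 x89 (0x59), with every other item unchanged.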

Re: Nothing seem to match

Posted by: Torchickens
Date: 2017-03-08 19:07:51
Hi PanCave :). This is a good place to ask but belongs better in the arbitrary code execution board so I'll move it there.


> A few examples explaining my problem:
> 1)
> This thread's first answer: http://forums.glitchcity.info/index.php?topic=7871.msg204526#msg204526
> When I compare his (/her?)
>> Back into raw code using the Big List:
>>
>> - Repel x index number of wanted Pokemon
>> - X Speed x14
>> - Ultra Ball x 64
>> - TM05 (Mega Kick) x72
>> - Lemonade x201
>>
>> Becomes
>> 1e xx 43 0e 02 40 cd 48 3e c9
>
> I get the exact same byte string using the Big List. So far so good. But when he shows how the bytes should look @3E59:
>> Now, CF91 is one of the addresses that is reduced by 1 in Yellow; so if we search for 78 ea 90 cf [ld a,b ld (cf90),a ld a,c] in a hex editor (I like to use HxD which is freeware) we can luckily find the beginning gift Pokémon routine in Yellow at 3E59.
>>
>> 78 EA 90 CF 79
>>
>> So we need to change cd 48 3e to cd 59 3e (59 3e because the call routine expects big endian, which may mean highest value comes first; sadly not sure but remember it's often the opposite byte order you would find in a memory viewer)
>
> My bytes (read with VBA's memory viewer) are: CD 18 38 37 C9 78 EA 95 CF 79 EA 2B D1 AF EA 49
> Why? :/


This byte sequence can be found in English Yellow using a hex editor and VBA's memory viewer (or BGB's memory viewer), so it's odd that you got different bytes. It may be possible that your ROM is not English Yellow or you're using a buggy version of VBA. The one I used for this was called v23.6 svn480, although BGB is great for accuracy so I recommend using that even though it doesn't have a recording feature that is as user friendly.


> 2)
> In another thread there is linked the RAM map of Red/Blue: http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Items
> When I search for a Yellow map, everyone tells me it's just Red/Blue - 1. So according to that list my total item counter should be @(D31D - 1 = D31C), but it's actually @D321.
> Reading from there on gives me the correct information about my items, but it's actually +4 instead of -1. Why? :/


The French, German, Italian and Spanish versions of Pokémon Red and Blue use addresses -5 of the original English version address. So D31E in English Red/Blue is D31D in English Yellow and is D321 in non-English European Yellow.


> 3)
> Again in another thread is this link: http://aurellem.org/vba-clojure/html/rom.html#sec-9-1
>> 0DE2F. Duration of Repel. A single byte, representing the number of steps you can take before the effect wears off. 100
>
> But when I take a look @0DE2F and the nearby bytes, there is nowhere a 64, which should indicate the 100 steps of Repel. Why? :/


This appears to be an offset for English Yellow, which is 0x64 there as you thought. For looking up 0xDE2F keep in mind that viewing it in the memory editor would just bring up the value for WRAM memory address DE2F instead of ROM offset DE2F.


> I get the feeling that I missed something important on how to find the location of any information in the memory…


It seems like the only confusion was due to analyzing a non-English version (plus make sure you use a hex editor rather than a memory editor). Otherwise it looks like you're on the right track. :)


> My final goal is to write code in Yellow to change the OT and ID of a specific Pokémon (yes, Mew Pokébank). I know that there are guides out there either doing that in Red/Blue or changing OT/ID of the player in Yellow. But I want to change one specific Pokémon in Yellow and I can't find any guides/codes/hints on that. If someone knows one, please tell me, I'm very interested, but I really want also to learn how to read and write the code by myself, so the original question would still be a thing.
>
> I hope I worked out what my problem is and what I want to be able to learn/code.
>
> Thank you,
> PanCave


For English Yellow you would need to change the X Accuracy x119 (ld l, 77) into an X Accuracy x118 (ld l, 76). But for a non-English European Yellow (which would require a different bootstrap code of stored Pokémon for non-English European versions that can be found here in the 8F thread) I think you'd need X Accuracy x123.

I hope this helps!

Re: Nothing seem to match

Posted by: PanCave
Date: 2017-03-08 20:32:12
Wow thank you very much for your answer!
Yes, you are totally right, I'm using the German version of Pokémon Yellow, which seems to cause the problems/offsets.

I am going to keep that in mind, when writing/editing the code :)

But there are some questions left:
1)
Only double checking:
> The French, German, Italian and Spanish versions of Pokémon Red and Blue use addresses -5 of the original English version address. So D31E in English Red/Blue is D31D in English Yellow and is D321 in non-English European Yellow.

Do you mean +5?
I'm not trying to bug you, I just want to make sure that I fully understand what you are saying :)

2)
> This appears to be an offset for English Yellow, which is 0x64 there as you thought. For looking up 0xDE2F keep in mind that viewing it in the memory editor would just bring up the value for WRAM memory address DE2F instead of ROM offset DE2F.

I thought, the address space is fixed, such that:
0x0000 - 0x7FFF ROM
0x8000 - 0x9FFF VRAM
0xA000 - 0xBFFF SRAM
0xC000 - 0xCFFF RAM
0xD000 - 0xFEFF WRAM
0xFF00 - 0xFF7F I/O
0xFF80 - 0xFFFF RAM
So that would mean that 0x0DE2F always refers to the ROM.
Is that wrong? Are there multiple memory chips, which use the same address space?

3)
> plus make sure you use a hex editor rather than a memory editor

What benefit does the hex editor have in comparison to the memory viewer? I installed HxD (which I believe you mentioned in a thread), but then I first have to dump the memory. And messing with the memory viewer I can see the changes (both in memory and ingame) in real-time.

Thank you again for your time and help! And also for moving the thread in the right forum, I actually thought about posting the question in here, but somehow I thought maybe that's not a good idea. Anyways, this topic is really interesting!

Btw.: It seems to me that 8F and ws m are Turing complete… Maybe building a Turing machine simulating Pokémon INSIDE Pokémon and… well, maybe not!

Thanks again,
PanCave

Re: Nothing seem to match

Posted by: ISSOtm
Date: 2017-03-10 05:47:01
I'd recommend you first make setups on US versions, because they are more documented, and then port them to German versions.
It makes it easier for us to help you, since there is a complete disassembly of the US versions.

Also, DON'T F*ING USE VBA. I'm sorry it pisses me so hard, but this thing is absolute garbage, has crappy emulation and poor debugging capabilities.
Once you understood how to use it because it's only 90% user-friendly, BGB is your best friend. Ask anyone doing Pokémon code research here, they use BGB and not VBA.

Anyways, answers.

1) He did mean +5.

2) Let's talk about offsets. The map you gave is right, except for some things corrected below.
$0000 - $3FFF ROM bank 0
$4000 - $7FFF ROM bank $01 - $7F (switchable)
$8000 - $9FFF VRAM bank 0 or 1 (switchable)
$A000 - $BFFF SRAM bank 0 to 3 (switchable)
$C000 - $CFFF WRAM bank 0
$D000 - $DFFF WRAM bank 1 to 7 (switchable)
$E000 - $FDFF Echo RAM (mirrors $C000 - $DDFF)
$FE00 - $FE9F OAM
$FEA0 - $FEFF ???
$FF00 - $FF7F I/O registers
$FF80 - $FFFE HRAM
$FFFF Interrupt Enable (IE)

However, $0DE2F is NOT such an offset. It's a ROM offset, like $1DE2F. To use it, open the ROM in HxD, press Ctrl+G, and type "0DEDF".
The thing is very simple to understand: on your memory map, ROM is only present from $0000 to $7FFF. That's 32kB of ROM. However, Pokémon Red and Blue cartridges contain 1 MB of ROM! But how is that trickery possible? Using the same principle as a book. You select the page you want to open, then read a specific char.
Here it's the same: select a ROM bank, and read a specific address.
As such, there are two ways of referring to a byte in ROM: either "3:5EDF", which means "byte at offset $5EDF in GB / emulator when bank 5 is loaded", or "0DEDF" which means "byte at offset $DEDF in ROM file (using HxD for example)". Usually ROM offsets are 5-digit wide.
Don't ask me how to load a specific bank in VBA: you can't. Use BGB if you want to do that.

3) That's what she meant : use HxD and not a memory viewer / editor.
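Worked example (added here; not ISSOtm's code): the memory map from the post as a lookup table, the conversion between a banked address such as "3:5EDF" and a 5-digit ROM file offset such as "0DEDF" in both directions, and the Echo RAM mirror. It assumes the bank layout described above: bank 0 is fixed at $0000-$3FFF and every other 16 KiB bank appears at $4000-$7FFF.

```python
# The memory map from the post: (first address, last address, region).
MEMORY_MAP = [
    (0x0000, 0x3FFF, "ROM bank 0"),
    (0x4000, 0x7FFF, "ROM bank 01-7F (switchable)"),
    (0x8000, 0x9FFF, "VRAM bank 0 or 1 (switchable)"),
    (0xA000, 0xBFFF, "SRAM bank 0 to 3 (switchable)"),
    (0xC000, 0xCFFF, "WRAM bank 0"),
    (0xD000, 0xDFFF, "WRAM bank 1 to 7 (switchable)"),
    (0xE000, 0xFDFF, "Echo RAM (mirrors C000-DDFF)"),
    (0xFE00, 0xFE9F, "OAM"),
    (0xFEA0, 0xFEFF, "???"),
    (0xFF00, 0xFF7F, "I/O registers"),
    (0xFF80, 0xFFFE, "HRAM"),
    (0xFFFF, 0xFFFF, "Interrupt Enable (IE)"),
]
BANK_SIZE = 0x4000  # 16 KiB per ROM bank

def region(addr):
    """Name the region a CPU address falls in (what a memory viewer shows you)."""
    for lo, hi, name in MEMORY_MAP:
        if lo <= addr <= hi:
            return name
    raise ValueError(f"${addr:04X} is outside the 16-bit address space")

def rom_offset(bank, addr):
    """bank:addr -> byte offset in the ROM file (what HxD's Ctrl+G expects)."""
    if bank == 0:
        if not 0 <= addr < BANK_SIZE:
            raise ValueError("bank 0 is only mapped at $0000-$3FFF")
        return addr
    if not BANK_SIZE <= addr <= 0x7FFF:
        raise ValueError("switchable banks are only mapped at $4000-$7FFF")
    return bank * BANK_SIZE + (addr - BANK_SIZE)

def banked_address(offset):
    """ROM file offset -> (bank, CPU address); the inverse of rom_offset."""
    bank, low = divmod(offset, BANK_SIZE)
    return bank, low if bank == 0 else low + BANK_SIZE

def echo_source(addr):
    """For an Echo RAM address, the WRAM address it mirrors; otherwise unchanged."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr
```

Typing DE2F into a memory viewer lands in switchable WRAM, while ROM offset 0DE2F is bank 3 at CPU address $5E2F, which is the mismatch behind question 3 above.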

Re: Nothing seem to match

Posted by: Krys3000
Date: 2017-03-10 06:32:49
I like VBA. I feel uncomfortable with BGB's memory viewing stuff. I should test mGBA someday since it's now considered the best GBA emulator.

Re: Nothing seem to match

Posted by: camper
Date: 2017-03-10 08:34:17
I use VBA-RR simply because of easy AVI recordings that support the Turbo button. (That means even if you use Turbo or speed up the game in any way the recordings will still be at the original speed.)

The BAD thing about the recordings is that the dimensions also stay at the original size even if you make the window size 4x, which results in REALLY LOW QUALITY videos.

Re: Nothing seem to match

Posted by: Krys3000
Date: 2017-03-13 08:46:01

> I use VBA-RR simply because of easy AVI recordings that support the Turbo button. (That means even if you use Turbo or speed up the game in any way the recordings will still be at the original speed.)
>
> The BAD thing about the recordings is that the dimensions also stay at the original size even if you make the window size 4x, which results in REALLY LOW QUALITY videos.


I record using standard VBA (not M or RR) for PRAMA's videos; it also records at normal speed even with the turbo.

Re: Nothing seem to match

Posted by: TheSixthItem
Date: 2017-06-21 13:32:23
VBA is a fucking awful emulator. just look at closed SRAM.
(screenshot: https://image.prntscr.com/image/a2xwUZiHQ2GsGLdlBKAv8g.png)
Use BGB, Gambatte or at least VBA-M and see if you can do things.

Re: Nothing seem to match

Posted by: TheZZAZZGlitch
Date: 2017-06-21 17:36:20
VBA sucks. But there are also VBA-RR and VBA-M, which suck less.
I sometimes use VBA-RR. Obviously not for first-time glitch research, because of rather bad emulation accuracy. But there are tiny features that make it worth using in some scenarios.

- Native video recording with little to no CPU load. It also doesn't need an external process for video encodes.
- Really fast turbo - with sound off and reduced resolution it can easily go up to 8000% on my computer, compared to 600% max on other emulators.
- Easily accessible and simplistic Lua scripting. Also, if you replace the DLL in VBA's working directory, it works with Lua version 5.3, which adds some really useful features (*cough* bitwise operators *cough*) - other emulators tend to have Lua compiled in and stuck at version 5.1.
- It can have multiple instances of memory viewer (aka hex editor) open at the same time. I can have multiple hex views, all centered on different addresses.
- The fact that the SRAM is never closed in the memory editor is sometimes useful, because it allows for direct save data editing without having to mess with the SAV file. Just change the SRAM and you're set.

I'd use VBA-M, but it doesn't have Lua scripting, so VBA-RR is the latest revision that has all of these features.

My preferences are:
- VBA-RR for video recording and "checking things out" in general
- BGB for more formal glitch research
- Bizhawk for TASing

I highly recommend to everyone using plain old VBA: Switch to VBA-RR.
It's really the same emulator, but it has Lua scripting and rudimentary TAS features.
And although VBA-RR's emulation accuracy is still bad, it's infinitely better than classic VBA - it properly handles wrong bank switches, VRAM accessibility and echo RAM.

Re: Nothing seem to match

Posted by: Spoink
Date: 2017-06-23 07:07:52
BGB is the bane of my existence. Required due to its accuracy for stable unstable, but it freezes and doesn't let me close a lot, and also there's no way to set the keys as shift+F1 so I can make it more like VBA. Also in order to view the controls you have to click 'set keys' and/or check 'set extra keys'. It's just a fucking mess. Someone needs to make a hybrid between BGB (accuracy) and VBA (layout).

Re: Nothing seem to match

Posted by: TheSixthItem
Date: 2017-06-23 12:50:36

> BGB is the bane of my existence. Required due to its accuracy for stable unstable, but it freezes and doesn't let me close a lot, and also there's no way to set the keys as shift+F1 so I can make it more like VBA. Also in order to view the controls you have to click 'set keys' and/or check 'set extra keys'. It's just a fucking mess. Someone needs to make a hybrid between BGB (accuracy) and VBA (layout).

Have you tried Gambatte?

Re: Nothing seem to match

Posted by: SatoMew
Date: 2017-06-23 15:58:03

> Someone needs to make a hybrid between BGB (accuracy) and VBA (layout).


Gambatte and mGBA may fit your requirements.