Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

A question about glitch item "B1F" (hex:55)

Posted by: metalmario32
Date: 2018-07-05 15:15:31
As described in this video: https://www.youtube.com/watch?v=JEEB41Lz59c, B1F executes code from SRAM, more specifically from $A7D0, which is Hall of Fame data if the SRAM bank currently loaded is zero. Starting from 5:51, TheZZAZZGlitch describes how the ACE is run through the specific Pokemon in his team. What he doesn't say in the video is exactly what HoF entry $A7D0 is located at, which Pokemon number it is, etc. I just wanted to see if I could know where $A7D0 specifically is so I can set up ACE. Thanks!

Re: A question about glitch item "B1F" (hex:55)

Posted by: ISSOtm
Date: 2018-07-06 04:59:10
HoF data starts at $A598
$A7D0 - $A598 = $238 (568 bytes)
One HoF party is $60 bytes (96 bytes), and $238 = 5 * $60 + $58, so that's the 88th byte of the fifth entry, that is the 8th byte of the 6th Pokémon.

tl;dr: $A598 is the 8th byte of the 6th Pokémon of the 5th entry in the HoF. :)

Re: A question about glitch item "B1F" (hex:55)

Posted by: metalmario32
Date: 2018-07-06 08:17:56
Thanks!

Re: A question about glitch item "B1F" (hex:55)

Posted by: Guy
Date: 2018-07-06 12:34:36
I think you mean $A7D0 is the 8th byte of that Pokémon, right? Also, a question from me, seeing this video for the first time: why is a HoF party $60 bytes if each entry is the Pokémon's ID, level, and nickname? That should add up to $0A per Pokémon and $3C per entry, plus maybe a terminator byte or something…so I don't get why it's $60.

Re: A question about glitch item "B1F" (hex:55)

Posted by: metalmario32
Date: 2018-07-15 08:19:51

> I think you mean $A7D0 is the 8th byte of that Pokémon, right? Also, a question from me, seeing this video for the first time: why is a HoF party $60 bytes if each entry is the Pokémon's ID, level, and nickname? That should add up to $0A per Pokémon and $3C per entry, plus maybe a terminator byte or something…so I don't get why it's $60.


You know, you're right…

Re: A question about glitch item "B1F" (hex:55)

Posted by: Guy
Date: 2018-07-15 10:32:14
The answer's somewhere in the disassembly, but I couldn't find it. So, I'm still waiting for one of the actual knowledgeable staff members to respond. :P

Re: A question about glitch item "B1F" (hex:55)

Posted by: Torchickens
Date: 2018-07-15 14:18:52
Hello ^^

As ISSOtm said, A598 (bank 0) is part of the first induction, and is the first Pokémon's species.

This is a snippet of the data:

Pokémon 1:

91 06 82 87 80 91 8C 80 8D 83 84 91 50 00 00 00

Charmander Level 6
"CHARMANDER"
Unknown 3 bytes

Pokémon 2:
24 03 8F 88 83 86 84 98 50 50 50 50 50 00 00 00

Pidgey Level 3
PIDGEY
Unknown 3 bytes

(Continues)

0:A7D0 however is sixth induction: 7th character of the sixth Pokémon.

11 characters make a Pokémon name (including 50 terminator at the end), so some space here on the sixth Pokémon is possible, or you may be able to use a special h POKé (jp $xxyy) to redirect the code in the seventh induction (which if you don't view its summary from the menu/possibly other things) I think you can successfully get a valid Hall of Fame entry other than with the h POKé.

SRAM may be closed, often resulting in a freeze due to FF bytes, however viewing a Pokémon's summary after you load your save file can open it. The Virtual Console version however may not allow you to execute SRAM as code.

Hope this answers your question.
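
Added example, not part of any poster's message: a small Python helper that maps a bank-0 SRAM address onto the Hall of Fame layout discussed in this thread and decodes the two records quoted above. The base address ($A598) and party size ($60) come from the thread; the 16-byte record split (species, level, 11 name bytes, 3 unknown bytes) and the letter mapping ($80 = "A") are assumptions read off the quoted snippet, and the function names are hypothetical.

```python
# Added example: locate a bank-0 SRAM address inside the Hall of Fame data
# and decode the 16-byte records quoted in the thread.
HOF_BASE = 0xA598      # start of HoF data (from the thread)
TEAM_SIZE = 0x60       # bytes per HoF party (from the thread)
MON_SIZE = 0x10        # assumption: 16 bytes per Pokémon, read off the snippet
NAME_OFFSET, NAME_LEN = 2, 11   # assumption: species, level, then 11 name bytes
TERMINATOR = 0x50

def locate(addr):
    """Return 1-based (induction, pokemon, byte_in_record, field) for addr."""
    off = addr - HOF_BASE
    if off < 0:
        raise ValueError("address is below the start of HoF data")
    team, rest = divmod(off, TEAM_SIZE)
    mon, byte = divmod(rest, MON_SIZE)
    if byte == 0:
        field = "species"
    elif byte == 1:
        field = "level"
    elif byte < NAME_OFFSET + NAME_LEN:
        field = f"name character {byte - NAME_OFFSET + 1}"
    else:
        field = f"unknown byte {byte - NAME_OFFSET - NAME_LEN + 1}"
    return team + 1, mon + 1, byte + 1, field

def decode_record(raw):
    """Split one 16-byte record into species, level, name and trailing bytes."""
    if len(raw) != MON_SIZE:
        raise ValueError("expected a 16-byte record")
    name = ""
    for b in raw[NAME_OFFSET:NAME_OFFSET + NAME_LEN]:
        if b == TERMINATOR:
            break
        # Only the letters A-Z ($80-$99) are mapped here; anything else shows as '?'
        name += chr(ord("A") + b - 0x80) if 0x80 <= b <= 0x99 else "?"
    return {"species": raw[0], "level": raw[1], "name": name,
            "unknown": raw[NAME_OFFSET + NAME_LEN:]}

# The two records quoted in the thread
MON1 = bytes.fromhex("91 06 82 87 80 91 8C 80 8D 83 84 91 50 00 00 00")
MON2 = bytes.fromhex("24 03 8F 88 83 86 84 98 50 50 50 50 50 00 00 00")

if __name__ == "__main__":
    print(locate(0xA7D0))
    print(decode_record(MON1))
    print(decode_record(MON2))
```

All positions returned by `locate` count from 1, so a zero-based offset of 8 inside a record is reported as byte 9.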

Re: A question about glitch item "B1F" (hex:55)

Posted by: Guy
Date: 2018-07-15 15:48:52
Whoa! Thanks for the in-depth explanation!

Re: A question about glitch item "B1F" (hex:55)

Posted by: Torchickens
Date: 2018-07-15 15:52:11

> Whoa! Thanks for the in-depth explanation!


You're welcome!  :)