Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Player Coordinates RAM Writer question

Posted by: metalmario32
Date: 2018-08-07 16:19:19
On the Player coordinates RAM writer page (https://glitchcity.info/wiki/Player_coordinates_RAM_writer) items are detailed in which you can write to memory. However, I have no idea where the memory write starts from, and I want the memory writer to start from DA80 so I can write offgao's memory editor to execute with glitch item -g m (hex:6A). If the memory writer doesn't start from DA80, is there a way to change that so it does start from DA80?

Edit: The first byte written is to D901; I looked harder on the page. I still want to change this to DA80, so is there a way?

Re: Player Coordinates RAM Writer question

Posted by: Torchickens
Date: 2018-08-07 17:51:47

On the Player coordinates RAM writer page (https://glitchcity.info/wiki/Player_coordinates_RAM_writer) items are detailed in which you can write to memory. However, I have no idea where the memory write starts from, and I want the memory writer to start from DA80 so I can write offgao's memory editor to execute with glitch item -g m (hex:6A). If the memory writer doesn't start from DA80, is there a way to change that so it does start from DA80?

Edit: The first byte written is to D901; I looked harder on the page. I still want to change this to DA80, so is there a way?


I think there's definitely a way as I believe I changed the starting point before. I'm afraid I don't know from memory how to do it though, sorry. The best way may be to set up the items in BGB emulator and then view the code or convert the items into ASM by hand and analyse where it gets the D9 and 01 from. The TM17 in slot 10 looks suspicious because TM17 has the ID D9, so that may be where it gets D9 from, but as for the 01 I'm less sure.

Worst case scenario though you can possibly use CopyData (call 00B5 for Blue/(Red?) according to my notes) to move the data to DA80, where bc is the bytes to copy, hl is the source and de is the destination.

Hope this helps, and hope you're able to find the answer!

Re: Player Coordinates RAM Writer question

Posted by: metalmario32
Date: 2018-08-12 14:48:50
I'll just use CopyData, thanks! Also what is CopyData in Yellow?

Edit: On my "Alternate Catch 'em All" question, I found that CopyData is 00:00B1 in Yellow. But what is CopyData.copybytes (at 00:00C1) and FarCopyData (at 00:009D)?

Re: Player Coordinates RAM Writer question

Posted by: Torchickens
Date: 2018-08-12 14:57:08

I'll just use CopyData, thanks! Also what is CopyData in Yellow?


All right then!

It's 00B1.

Template:

ld bc,(number of bytes)   ; bc = how many bytes to copy (16-bit count)
ld hl,(source)            ; hl = address the bytes are read from
ld de,(destination)       ; de = address the bytes are written to
call 00b1                 ; CopyData in Yellow (00B5 in Red/Blue per the post above)
ret                       ; return to the caller once the copy is done


Edit: On my "Alternate Catch 'em All" question, I found that CopyData is 00:00B1 in Yellow. But what is CopyData.copybytes (at 00:00C1) and FarCopyData (at 00:009D)?


Good question. CopyData.copybytes confused me too. I'm unsure but it seems like it's in the middle somewhere of the CopyData routine. I think FarCopyData might be used if copying the data requires a bank switch (i.e. if it's in region 4000-7FFF).

Re: Player Coordinates RAM Writer question

Posted by: metalmario32
Date: 2018-08-12 15:30:24
Hmm. Perhaps copybytes is what actually copies the data.

Re: Player Coordinates RAM Writer question

Posted by: ISSOtm
Date: 2018-08-30 15:48:29
https://github.com/pret/pokeyellow/blob/67229ff7571f7216d899f81b5cacd55d476cd6f6/home/copy.asm#L13-L34
CopyData copies a 16-bit amount of bytes, CopyData.copybytes only copies an 8-bit amount of bytes.

FarCopyData is used to copy data across ROM banks.
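The template Torchickens posted and the 16-bit/8-bit distinction ISSOtm points out, turned into a small checkable model. This is an added example, not code from the thread or from pret's disassembly; it assumes Yellow's CopyData at 00B1 (as stated above), the standard SM83 encodings for LD BC/HL/DE,d16 and CALL/RET, and a forward byte-by-byte copy loop, and the payload bytes are constructed stand-ins for the memory editor.

```python
COPYDATA_YELLOW = 0x00B1   # Yellow's CopyData, as given in the thread
WRITER_START = 0xD901      # first byte the coordinates RAM writer writes
EDITOR_DEST = 0xDA80       # where the editor must sit to run via -g m (6A)


def imm16(value):
    """SM83 16-bit immediates are stored little-endian (low byte first)."""
    return bytes((value & 0xFF, (value >> 8) & 0xFF))


def assemble_copy_stub(nbytes, src, dst, copydata=COPYDATA_YELLOW):
    """Encode the template: ld bc,n / ld hl,src / ld de,dst / call CopyData / ret.
    Opcodes: LD BC,d16=$01  LD HL,d16=$21  LD DE,d16=$11  CALL a16=$CD  RET=$C9."""
    if not 1 <= nbytes <= 0xFFFF:
        raise ValueError("bc is a 16-bit count; bc=0 is not modelled here")
    return (b"\x01" + imm16(nbytes) + b"\x21" + imm16(src) + b"\x11" + imm16(dst)
            + b"\xcd" + imm16(copydata) + b"\xc9")


def copy_data(mem, hl, de, count, count_bits=16):
    """Model of the copy loop: bytes move from hl to de one at a time with both
    pointers ascending. count_bits=16 models CopyData, 8 models CopyData.copybytes
    (per ISSOtm's post). Returns True when the destination starts inside the
    source block: a forward copy then overwrites source bytes before reading them."""
    if not 1 <= count < (1 << count_bits):
        raise ValueError(f"count must be non-zero and fit in {count_bits} bits")
    hazard = hl < de < hl + count
    for i in range(count):
        mem[(de + i) & 0xFFFF] = mem[(hl + i) & 0xFFFF]
    return hazard


def max_safe_payload(src=WRITER_START, dst=EDITOR_DEST):
    """Largest payload that can sit at src without the copy overlapping dst."""
    return dst - src  # 0x17F bytes for the D901 -> DA80 move


def demo():
    mem = bytearray(0x10000)            # constructed 64 KiB address space
    payload = bytes(range(0x40))        # constructed stand-in for the editor
    mem[WRITER_START:WRITER_START + len(payload)] = payload
    hazard = copy_data(mem, WRITER_START, EDITOR_DEST, len(payload))
    moved = bytes(mem[EDITOR_DEST:EDITOR_DEST + len(payload)]) == payload
    return assemble_copy_stub(len(payload), WRITER_START, EDITOR_DEST), hazard, moved
```

The overlap flag is the practical caveat: anything longer than 0x17F bytes written from D901 runs into DA80, so the forward copy would clobber part of itself mid-transfer.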