Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Quantity only ACE

Posted by: Torchickens
Date: 2019-04-09 10:04:39
The idea of only using quantities in Generation I ACE occurred to me last night. I'm not sure if it's been a thing before, but like box names, although these are harder to program, they could be a lot easier to set up.

The only application I have so far is a simple RAM writer setup:

nop            ; item ID hex:00
ld bc,xx??     ; quantity 1 (0x01); the next item's ID and quantity form the 16-bit immediate, so b = that item's quantity (the value to write)
nop            ; item ID hex:00
ld hl,xx??     ; quantity 33 (0x21); h = the next item's quantity (address high byte)
nop            ; item ID hex:00
ld de,xx??     ; quantity 17 (0x11); d = the next item's quantity (address low byte)
nop            ; item ID hex:00
ld l,d         ; quantity 106 (0x6A); hl now holds the full address
nop            ; item ID hex:00
ld (hl),b      ; quantity 112 (0x70); writes the value to the address
nop            ; item ID hex:00
ret            ; quantity 201 (0xC9)

This maps as the following items:

(hex:00 item) x1
(any item you want) x(value e.g. 21; Mew)
(hex:00 item) x33
(any item you want) x(address byte 1; big endian e.g. 208)
(hex:00 item) x17
(any item you want) x(address byte 2; big endian e.g. 88)
(hex:00 item) x106
(hex:00 item) x112
(hex:00 item) x201

I know it took 9 items just to write to one RAM address, but counter-intuitively this may actually be more reliable as old methods need you to get specific items, while expanded PC items/bag gives you loads of hex:00 x 00 (which means x256) already.

Where you place these items depends on your bootstrap setup. For things like 4F, 8F we have usually made it at bag item 3. However, with this setup using your stored items as the destination is probably more ideal; we would just have to adjust the bootstrap pointer/party/etc. to the D53B+ region so that it maps to PC items.

Notes:

I recently applied this for a fast method of obtaining the GF 22796 Mew (which, if still possible, can be transferred to Pokémon Bank) in Yellow using the SRAM glitch and D36D-D36E (the map script) with Ether x213 as item 42 (you can get Ethers from your Rival name); mapping to D550 (PC item 13 quantity in Yellow, item 14 in Red/Blue).

This was combined with naming the player "GF" and a way of getting Burn Heal x0 (for the 0x0C byte in 0x580C (the representation of 22796 in hexadecimal)) as item 30 quantity and item 31 control your player ID. Using dry underflow glitch we can access the stored PC items. It only took about 10 minutes to get the Mew, but you need more time to fix everything else (i.e. bag and PC inventories, rival name, get rid of your last Q, get Pokédex).

https://www.youtube.com/watch?v=RrfAzewhLW4

Thoughts/any program for this like calling an address?

Edit: Answering my own question, one solution (but probably not the best) may be to just use the RAM writer five times to write below in the same item structure:

ld b,(00)        ; opcode 0x06; the bracketed operand starts as a x0 quantity and is filled in by the RAM writer
ld h,(00)        ; opcode 0x26; operand filled in by the RAM writer
ld l,(00)        ; opcode 0x2E; operand filled in by the RAM writer
call item(00)  [little endian]   ; opcode 0xCD; the target address is the next item's ID (low byte) and quantity (high byte)
(ret)            ; opcode 0xC9, also written in by the RAM writer

The parameters/instructions in brackets indicate what needs to be adjusted from a x0 quantity. Once this is done, the full routine would fill out.

e.g. the Yellow script for running Hall of Fame

ld b,$16       ; bytes 06 16 (Bicycle x22, see Edit 2)
ld h,$64       ; bytes 26 64
ld l,$56       ; bytes 2E 56
call $3e84     ; bytes CD 84 3E (little endian)
ret            ; byte C9

(Thanks Wack0!)

Once that is done, you could probably swap the items up to run them.

Edit 2: The only issue with that one is that ld b is a Bicycle, but you could still write x22 to it using the RAM writer (it would just require 6 uses instead of 5).
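As an added example (not code from the thread), the following Python encodes the RAM writer's item list above as the two-byte entries the game stores, then interprets the resulting bytes to confirm the write lands at the intended address. The carrier item ID 0x14 for the "any item you want" slots is an assumption; 0x15 (Mew) and the address bytes 208/88 are the post's own values.

```python
# Added example, not code from the thread. A Gen I inventory entry is two bytes,
# item ID then quantity; with the ID fixed to hex:00 (opcode 0x00, nop) only the
# quantity byte carries an opcode. CARRIER is an assumed ID for the "any item
# you want" slots (it only ever lands in c/l/e); 0x15 is Mew's index from the post.
CARRIER = 0x14
NOP, LD_BC, LD_HL, LD_DE, LD_L_D, LD_HL_B, RET = 0x00, 0x01, 0x21, 0x11, 0x6A, 0x70, 0xC9

def ram_writer_items(addr, value):
    """Item list [(item_id, quantity), ...] that writes the byte `value` to `addr`."""
    hi, lo = addr >> 8, addr & 0xFF
    return [
        (0x00, LD_BC),     # 00 01: nop ; ld bc,imm16 (the next entry is the immediate)
        (CARRIER, value),  # id value: c = id, b = value to write
        (0x00, LD_HL),     # 00 21: nop ; ld hl,imm16
        (CARRIER, hi),     # h = address high byte (208 = 0xD0 in the post)
        (0x00, LD_DE),     # 00 11: nop ; ld de,imm16
        (CARRIER, lo),     # d = address low byte (88 = 0x58 in the post)
        (0x00, LD_L_D),    # 00 6A: nop ; ld l,d
        (0x00, LD_HL_B),   # 00 70: nop ; ld (hl),b
        (0x00, RET),       # 00 C9: nop ; ret
    ]

def items_to_bytes(items):
    """Lay out entries as the game stores them; quantity 0 is the post's 'x0 (x256)' stack."""
    out = bytearray()
    for item_id, qty in items:
        if not (0 <= item_id <= 0xFF and 0 <= qty <= 0xFF):
            raise ValueError(f"entry ({item_id}, {qty}) does not fit in two bytes")
        out += bytes((item_id, qty))
    return bytes(out)

def run(code):
    """Interpret only the opcodes the writer uses; return {address: byte written}."""
    regs = dict.fromkeys("bcdehl", 0)
    mem, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        if op == NOP: pc += 1
        elif op in (LD_BC, LD_DE, LD_HL):  # 16-bit immediate, little endian
            hi_reg, lo_reg = {LD_BC: "bc", LD_DE: "de", LD_HL: "hl"}[op]
            regs[lo_reg], regs[hi_reg] = code[pc + 1], code[pc + 2]
            pc += 3
        elif op == LD_L_D:
            regs["l"] = regs["d"]; pc += 1
        elif op == LD_HL_B:
            mem[(regs["h"] << 8) | regs["l"]] = regs["b"]; pc += 1
        elif op == RET: return mem
        else: raise ValueError(f"unexpected opcode {op:#04x} at offset {pc}")
    return mem
```

The quantity column of `ram_writer_items(0xD058, 0x15)` reproduces the post's list (1, 21, 33, 208, 17, 88, 106, 112, 201), and `run` confirms a single write of 0x15 to $D058.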

Re: Quantity only ACE

Posted by: Sherkel
Date: 2019-04-10 13:09:09
The SRAM glitch and 255 Pokémon glitch must not be very well-documented, because I don't get how exactly they're being used to the event-identical Mew. Are there better sources for it that could be used to improve the articles, or am I missing something?

I like the idea of quantity-only ACE, but by the time you can get -gm/8F, which will still be necessary for it, won't you be at a point where you can just as easily get other glitch items?

Re: Quantity only ACE

Posted by: Torchickens
Date: 2019-04-11 14:06:56

Quoting Sherkel:
> The SRAM glitch and 255 Pokémon glitch must not be very well-documented, because I don't get how exactly they're being used to the event-identical Mew. Are there better sources for it that could be used to improve the articles, or am I missing something?
>
> I like the idea of quantity-only ACE, but by the time you can get -gm/8F, which will still be necessary for it, won't you be at a point where you can just as easily get other glitch items?

Yeah, we seem to have only really used it for things like getting the expanded inventory (e.g. through 2>10 swap), warping to the Hall of Fame using the expanded items pack and (I believe Krys3000 did this) setting up English Fossil conversion glitch, and other details like Safari Zone warp/walk through walls through Pokémon switches/unexplained glitches. So I agree it could do with updating. As for sources, these are a couple: https://glitchcity.info/wiki/Walk_through_walls_glitch_(international_Select_glitch_method) ; https://glitchcity.info/wiki/Expanded_party_Safari_Zone_warp ; https://glitchcity.info/wiki/Expanded_party_encounter_table_manipulation (re: https://forums.glitchcity.info/index.php?topic=8721.0 )

For the 'event Mew glitch', SRAM/255 Pokémon glitch is not the culprit in this case, but rather the expanded items pack you can get from it, and its ability to set up the expanded PC list through dry underflow glitch.

This uses D36D/D36E "map script when menu is closed" ACE from the expanded inventory (controlled by item 42 and item 42 quantity and our modifications to these items), so you don't actually need -gm/8F/4F (or ws m/4F) but you do need an Ether x213 (which you can just get from the 0x50 (END) byte in your Rival's name and modify the quantity as x0 is x256) to place in item 42 so the pointer goes to PC items. The only other detail is that the Burn Heal (used to modify the second Trainer ID byte at item 31) only appears at a certain spot in Pallet Town (from the x-coordinate byte 1), and the TM30 from "?" in the Rival's name lets you teach Teleport to Q and escape after modifying the x-coordinate. The player is named "GF" so we don't have to adjust the name with the PC items ACE (really from D36D/D36E).

Hope this helps.

Re: Quantity only ACE

Posted by: ISSOtm
Date: 2019-04-13 14:17:49
Using multiple stacks of the same item is a total crapshoot, because you can't move them around without them merging, which breaks the setup horribly; this also severely limits what can be done, for two reasons:
1. Multi-byte opcodes are a no-go now, which can *sometimes* be bypassed but hardly (consider a lot of setups do use 2-byte `ld reg8, imm8`)
2. Space efficiency is halved (assuming every other item in a "normal" payload is a filler item, which is more than in practice), making non-trivial setups impossible.

Re: Quantity only ACE

Posted by: Torchickens
Date: 2019-04-13 14:53:07

Quoting ISSOtm:
> Using multiple stacks of the same item is a total crapshoot, because you can't move them around without them merging, which breaks the setup horribly; this also severely limits what can be done, for two reasons:
> 1. Multi-byte opcodes are a no-go now, which can *sometimes* be bypassed but hardly (consider a lot of setups do use 2-byte `ld reg8, imm8`)
> 2. Space efficiency is halved (assuming every other item in a "normal" payload is a filler item, which is more than in practice), making non-trivial setups impossible.

Yes, that's true. I just feel these are faster to set up for one-time setups though, as expanded PC has loads of 0x00 items (but not as useful in the long run). Yeah, it reduces space, possibly isn't good for bigger programs, but can do a basic RAM write, including to the code it is executing itself.

Re: Quantity only ACE

Posted by: ISSOtm
Date: 2019-04-22 13:43:37
Expanded PC has a lot of 0x00 items… that correspond to more of the game's RAM, and it's saved. So that's useless aside from speedruns or "heavy" setups that require clearing afterwards.
SMC is horribly space-inefficient, on top of this at least halving capabilities…

Re: Quantity only ACE

Posted by: Torchickens
Date: 2019-04-22 13:55:23

Quoting ISSOtm:
> Expanded PC has a lot of 0x00 items… that correspond to more of the game's RAM, and it's saved. So that's useless aside from speedruns or "heavy" setups that require clearing afterwards.
> SMC is horribly space-inefficient, on top of this at least halving capabilities…

Yes, this was why it was used for speed catching GF Mew at the beginning of the game. However, you're right.