Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Fast sequential RAM writer

Posted by: jfb1337
Date: 2019-04-15 10:50:54
Hi, I have designed another sequential RAM writer, for inputting large amounts of data such as a memory editor. The existing setups I know of are either slow (like having to toss down to the required quantity for every individual byte) and/or error prone (easy to transpose the nibbles of a byte, or miss a byte). This attempts to solve these issues, by displaying the current location being written and allowing bytes to be entered quickly and easily; though the drawback is that it's a bit longer and so takes longer to set up; in fact it requires using PC items due to its length.

This will only work on English R/B.

The items required in the PC:
There are some glitch items, but they are all properly terminated and tossable.

Lemonade x218 (hex:DA)
Repel x128 (hex:80)
Awakening x0 (hex:00)
2F (hex:57) x4 (hex:04)
Thunderstone x160 (hex:A0)
H# (hex:C3) x122 (hex:7A)
TM05 x116 (hex:74)
TM13 x123 (hex:7B)
TM05 x116 (hex:74)
TM13 x35 (hex:23)
$ (hex:79) x4 (hex:04)
TM05 x116 (hex:74)
TM13 x240 (hex:F0)
TM48 x167 (hex:A7)
Fire Stone x251 (hex:FB)
#### (hex:76) x240 (hex:F0)
TM48 x47 (hex:2F)
Poké Ball x135 (hex:87)
TM08 x135 (hex:87)
Super Repel x1 (hex:01)
Burn Heal x135 (hex:87)
Super Repel x3 (hex:03)
TM03 x33 (hex:21)
Poké Ball x135 (hex:87)
Super Repel x5 (hex:05)
$ (hex:79) x18 (hex:12)
Super Potion x14 (hex:0E)
#j. (hex:00) x24 (hex:18)
TM07 x245 (hex:F5)
TM03 x55 (hex:37)
TM05 x123 (hex:7B)
TM13 x241 (hex:F1)
TM30 x15 (hex:0F)
Poké Ball x198 (hex:C6)
TM46 x48 (hex:30)
Ultra Ball x198 (hex:C6)
11F (hex:60) x34 (hex:22)
TM01 x[Any qty]

Corresponding ASM code:

ld a, $da
ld e, $80
ld c, 0         ; c = the byte currently being built
ld d, a         ; de = $da80, the write pointer
inc b ; filler

.draw
ld hl, $c3a0    ; top-left tile of the screen tilemap
ld a, d
call .writehex  ; high byte of the address
ld a, e
call .writehex  ; low byte of the address
inc hl          ; leave one tile blank
ld a, c
inc b ; filler
call .writehex  ; the byte being built

.wait
ldh a, ($fff8) ; hJoypadInput
and a
jr nz, .wait    ; wait until every button is released

halt            ; wait for the next frame
ldh a, ($fff8)

cpl ; so we can do jr c instead of jr nc (the latter is a key item)
inc b ; filler

add a,a         ; bit 7: Down
ret nc ; if down pressed
add a,a         ; bit 6: Up
jr c, .no_up
inc c
.no_up
add a,a         ; bit 5: Left
jr c, .no_left
sla c           ; shift left; bit 7 falls out
inc b ; filler
.no_left
add a,a         ; bit 4: Right
jr c, .no_right
ld a, c
ld (de), a      ; store the byte and advance the pointer
inc de
ld c, 0
.no_right
jr .draw

.writehex       ; write a as two hex digits at hl
push af
swap a
call .writedigit
pop af
; falls through to write the low nibble

.writedigit
and a, $0f
inc b           ; filler
add a, $f6      ; 0-9 -> digit tiles $f6-$ff; carry is set for a-f
jr nc, .no_add
add a, $60      ; a-f -> tiles $60-$65
.no_add
ldi (hl), a
ret

Raw bytes:

3eda1e800e00570421a0c37acd74d57bcd74d5237904cd74d5f0f8a720fb76f0f82f0487d08738010c873803cb21048738057912130e0018cff5cb37cd7bd5f1e60f04c6f63002c66022c9


This will edit from DA80 (PC data) onwards; if you'd like to change this, just change the quantities of the first two items accordingly.

To set this up, you'll need to write the above items to the PC. To do so, first create each item and deposit it in the PC. For items that there are more than one stack of, deposit 99 of them.

Then, use the following script to set all PC quantities to 0:

Carbos x213 (hex:D5)
X Accuracy x60 (hex:3C)
Awakening x50 (hex:32)
Lemonade x0 (hex:00)
Water Stone x35 (hex:23)
Ice Heal x32 (hex:20)
TM51 (hex:FB) x4 (hex:04)
TM01 x[Any qty]

ld h, $D5
ld l, $3C       ; hl = $D53C, the quantity byte of the first PC item
ld c, 50        ; 50 item slots
ld a, 0
.loop
ld (hli), a     ; zero the quantity
inc hl          ; skip the next item's id byte
dec c
jr nz, .loop
inc b           ; filler
ret


Then, toss items from the PC until all the quantities are correct.

Finally, you can use the following code to jump to the PC items:

Carbos x213 (hex:D5)
X Accuracy x59 (hex:3B)
TM33 x[Any qty]

ld h, $D5
ld l, $3B       ; hl = $D53B, the id byte of the first PC item
jp hl           ; start executing the item data

This will start the writer. In the top left of the screen, you will see the address you are currently writing to, followed by the byte you are writing.

Controls are:

- Up: Increment the current byte
- Left: Shift the current byte left (i.e. double it)
- Right: Save the current byte, and increment the address
- Down: Exit the writer. The address currently displayed on the screen will not be modified.

Using up and left can allow you to enter any byte in at most 16 inputs, by converting it to binary. If you make a mistake, pressing left 8 times will set the current byte to 0.
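As an added illustration (my code, not from the original post), here is a small Python model of the Up/Left/Right/Down loop above, plus a planner that builds the shortest Up/Left sequence for a byte in the binary-conversion way the post describes. The $DA80 write base and the 8-bit wrap of sla c come from the ASM above; one key per poll is this model's simplification.

```python
MASK = 0xFF
START_ADDR = 0xDA80  # first address written (ld a,$da / ld e,$80 in the ASM)

def apply_inputs(inputs, start=0):
    """Apply 'U' (Up: inc c) and 'L' (Left: sla c) presses to the byte being
    built.  Like register c it wraps at 8 bits, so eight Lefts give 0."""
    c = start & MASK
    for key in inputs:
        if key == "U":
            c = (c + 1) & MASK
        elif key == "L":
            c = (c << 1) & MASK
        else:
            raise ValueError(f"unknown input {key!r}")
    return c

def plan_inputs(value):
    """Shortest Up/Left sequence building `value` from 0: Left before every bit
    below the top set bit, Up for every set bit (popcount + bit_length - 1)."""
    if not 0 <= value <= MASK:
        raise ValueError("value must fit in one byte")
    if value == 0:
        return ""
    top = value.bit_length() - 1
    seq = []
    for bit in range(top, -1, -1):
        if bit != top:
            seq.append("L")
        if (value >> bit) & 1:
            seq.append("U")
    return "".join(seq)

def run_writer(inputs, base=START_ADDR):
    """Simulate a session: returns (written, exited) where written maps address
    -> byte for each Right press and exited is True once Down returns."""
    written, addr, c = {}, base, 0
    for key in inputs:
        if key == "D":
            return written, True
        if key == "R":
            written[addr] = c
            addr = (addr + 1) & 0xFFFF
            c = 0
        else:
            c = apply_inputs(key, c)
    return written, False

def plan_bytes(data):
    """Input string that enters every byte of `data` in order, then exits."""
    return "".join(plan_inputs(b) + "R" for b in data) + "D"
```

plan_bytes(b"\xc3\x7a") yields the presses for the first two bytes of the .draw address, and run_writer confirms they land at $DA80 and $DA81.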

Re: Fast sequential RAM writer

Posted by: Torchickens
Date: 2019-04-16 06:53:56
This, once set up, sounds extremely intuitive and simple. Thank you so much for this! :) The older methods were a little slow/error-prone, like you said.

Re: Fast sequential RAM writer

Posted by: ISSOtm
Date: 2019-04-22 13:47:19
I'm not sure about the intuitiveness, but maybe it could be used to write a more complex writer to memory. Good job with the ASM, though, and I'll definitely have to fix that GBz80 to Items bug… but I lack time >.<

Re: Fast sequential RAM writer

Posted by: Torchickens
Date: 2019-04-23 21:53:51

> I'm not sure about the intuitiveness, but maybe it could be used to write a more complex writer to memory. Good job with the ASM, though, and I'll definitely have to fix that GBz80 to Items bug… but I lack time >.<

I like it and use -g m (item 0x6A) to run the code (requires no Day Care/Safari Zone data). You could also use 4F (item 0x59), including if this is ported to Yellow. There could be a few tricks in doubling numbers for speed.

00
01>02>04>08>10>20>40>80
03>06>0C>24>48>96>C0
05>0A>14>28>50>A0
07>0E>1C>38>70>E0
09>12
0B>16>2C>58>B0
0D>1A>34>68>D0
0F>1E>3C>78>F0
11>22>44>88
13>26>4C>98
15>2A>54>A8
17>2E>5C>B8
18>30>60
19>32>64>C8

(and so on :) )

A save file for Pokémon Red with this set up (originally created by Sherkel for Pokémon Blue) is now available on my Google Sites.

https://sites.google.com/site/torchickens2/pokemon-save-files

Question: Some glitch items can alternate between being key items (no tossing) and regular items. In my video $ (hex:79) is a key item. Is it possible for it to appear as a regular item in the PC, and if so, how does it work?

Re: Fast sequential RAM writer

Posted by: Sherkel
Date: 2019-04-24 03:23:23
This is excellent work!! :D Here's the video of it in action.

Those little mods to the save are nice, by the way!

Re: Fast sequential RAM writer

Posted by: Torchickens
Date: 2019-04-24 04:16:24

> This is excellent work!! :D Here's the video of it in action.
>
> Those little mods to the save are nice, by the way!


Thanks Sherkel! ^^ Umm.. literally all I did though was I just made the minor fix to your save file so the RAM writer worked, loaded the save file on Pokémon Red and modified D367 to 00, set all badges and Fly destinations to Fly away from the Pokémon Center Glitch City so I didn't do that much, hehe. I never knew why loading the opposite version can cause a Glitch City, which is worth investigating. :)

Re: Fast sequential RAM writer

Posted by: jfb1337
Date: 2019-04-24 10:20:25



> Question: Some glitch items can alternate between being key items (no tossing) and regular items. In my video $ (hex:79) is a key item. Is it possible for it to appear as a regular item in the PC, and if so, how does it work?

I was going by the ItemDex, which (apparently incorrectly) claims that all the items used are tossable. It turns out that the game decides what is a key item by copying a 15-byte bitfield to a 30-byte buffer at CEE9 then reading it, so items with index over 15*8 = 120 = 0x78 have their key item status determined by the previous contents of the buffer. I must have got lucky when I was testing since they were all tossable for me.
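An added example (mine, not from the thread) that models the key-item lookup as described above: a 15-byte bitfield is copied over the first 15 bytes of a 30-byte buffer and the item's bit is then read from that buffer, so ids whose bit lands in bytes 15 to 29 inherit whatever the buffer held before. The bit numbering (id - 1, least-significant bit first) and the sample bitfield are this example's assumptions.

```python
BUFFER_SIZE = 30   # the buffer at CEE9, as described in the post
COPIED = 15        # only this many bytes are written by the copy

# Constructed stand-in for the game's 15-byte key-item bitfield (not the
# real table): here only the items with ids 1 and 40 are flagged.
def make_bitfield(key_ids):
    field = bytearray(COPIED)
    for item_id in key_ids:
        bit = item_id - 1
        field[bit // 8] |= 1 << (bit % 8)
    return bytes(field)

KEY_ITEM_BITFIELD = make_bitfield([1, 40])

def is_key_item(item_id, stale_buffer):
    """Model of the lookup: copy the bitfield over the start of the buffer,
    then test bit (id - 1).  Ids 1..240 stay inside the 30 bytes; anything
    higher would index past the buffer entirely, so it is rejected here."""
    if not 1 <= item_id <= BUFFER_SIZE * 8:
        raise ValueError("item id indexes past the buffer")
    if len(stale_buffer) != BUFFER_SIZE:
        raise ValueError("stale buffer must be 30 bytes")
    buf = bytearray(stale_buffer)           # whatever was there before
    buf[:COPIED] = KEY_ITEM_BITFIELD        # the 15-byte copy
    bit = item_id - 1
    return bool(buf[bit // 8] >> (bit % 8) & 1)

def stale_dependent_ids():
    """Ids whose answer changes with the buffer's previous contents."""
    zeros, ones = bytes(BUFFER_SIZE), b"\xff" * BUFFER_SIZE
    return [i for i in range(1, BUFFER_SIZE * 8 + 1)
            if is_key_item(i, zeros) != is_key_item(i, ones)]
```

With this model, $ (0x79 = 121) is the first id whose result depends on the stale bytes, matching the 0x78 boundary in the post.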

Re: Fast sequential RAM writer

Posted by: Torchickens
Date: 2019-04-24 12:38:24




> > Question: Some glitch items can alternate between being key items (no tossing) and regular items. In my video $ (hex:79) is a key item. Is it possible for it to appear as a regular item in the PC, and if so, how does it work?
>
> I was going by the ItemDex, which (apparently incorrectly) claims that all the items used are tossable. It turns out that the game decides what is a key item by copying a 15-byte bitfield to a 30-byte buffer at CEE9 then reading it, so items with index over 15*8 = 120 = 0x78 have their key item status determined by the previous contents of the buffer. I must have got lucky when I was testing since they were all tossable for me.


Thanks for the explanation! ^^ Yes, I was able to get the items to be tossable again later. I always wondered about this, and seem to have a very vague memory of a speedrunner doing actions to make them tossable again. I'm sorry about the fallacy in the ItemDex for those pages.

Re: Fast sequential RAM writer

Posted by: Sherkel
Date: 2019-04-24 14:32:19




> > Question: Some glitch items can alternate between being key items (no tossing) and regular items. In my video $ (hex:79) is a key item. Is it possible for it to appear as a regular item in the PC, and if so, how does it work?
>
> I was going by the ItemDex, which (apparently incorrectly) claims that all the items used are tossable. It turns out that the game decides what is a key item by copying a 15-byte bitfield to a 30-byte buffer at CEE9 then reading it, so items with index over 15*8 = 120 = 0x78 have their key item status determined by the previous contents of the buffer. I must have got lucky when I was testing since they were all tossable for me.

That brings up more to reconsider for the ItemDex. Thanks for your contribution again! Do you know offhand if the same applies for Yellow?