Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Professor Oak's Pokédex ratings 153-255

Posted by: Torchickens
Date: 2020-03-31 12:39:08
You may know that getting your Pokédex rating with 152 owned (possible without arbitrary code execution) will result in a glitch text box. Curiously, there are actually more glitch text boxes that you can get by altering the script 11:4169 (DisplayDexRating) with Game Genie. Theoretically, you can run a modified version of the script with arbitrary code execution to access the others as well.

At 11:41D1 is the DexRatingsTable, which is stored for each entry as the number of Pokémon needed followed by what appears to be the text pointer.

Game Genie codes:

XX1-80B-A2D
3E1-7FB-912 (Note: In Yellow it's 3E1-7FB-91E)
001-7EB-081

; Each entry is db (owned-count threshold) followed by dw (text pointer).
; The last threshold, NUM_POKEMON + 1 = 152, is the catch-all entry.
DexRatingsTable:
db 10
dw PokedexRatingText_44201
db 20
dw PokedexRatingText_44206
db 30
dw PokedexRatingText_4420b
db 40
dw PokedexRatingText_44210
db 50
dw PokedexRatingText_44215
db 60
dw PokedexRatingText_4421a
db 70
dw PokedexRatingText_4421f
db 80
dw PokedexRatingText_44224
db 90
dw PokedexRatingText_44229
db 100
dw PokedexRatingText_4422e
db 110
dw PokedexRatingText_44233
db 120
dw PokedexRatingText_44238
db 130
dw PokedexRatingText_4423d
db 140
dw PokedexRatingText_44242
db 150
dw PokedexRatingText_44247
db NUM_POKEMON + 1 ; 152
dw PokedexRatingText_4424c


EN RB:

152-216 Pokémon: The same rating(?) 2559
217-249 Pokémon: C322
250-254 Pokémon: 0407
255 Pokémon: Unknown (Freeze before text)


EN Y:

152-227 Pokémon: The same rating(?) 2A54
228-254 Pokémon: A917
255 Pokémon: Unknown (Freeze before text)

JP G v1.0 (11:42B9; Game Genie codes XX2-A5B-A29, 3E2-A4B-6E5, 002-A3B-081):

152: 5630
(incomplete)


Notes:

RB - C322 is part of the C300 OAM buffer. You can have this have 08 at the beginning with extra glitching, and proceed to write your own custom rating script. As this is for OAM, codes like 01xx22C3 might not work.

Y - A917 is in SRAM, but unfortunately SRAM may be locked. If there is no way to unlock it before getting the dex rated, theoretically you could use OAM DMA hijacking to open SRAM too.

Below is a dump of 3 x 256 checks ([id][number of Pokémon; 1 byte][text pointer; 2 bytes]). (However, something different controls the glitch text boxes. By setting a breakpoint at 11:4194, you can find the text pointer from hl.)

001 0A0142
002 140642
003 1E0B42
004 281042
005 321542
006 3C1A42
007 461F42
008 502442
009 5A2942
010 642E42
011 6E3342
012 783842
013 823D42
014 8C4242
015 964742
016 984C42
017 175858
018 255017
019 935825
020 5017CC
021 582550
022 170359
023 255017
024 3D5925
025 50176D
026 592550
027 17B859
028 255017
029 D95925
030 501703
031 5A2550
032 172E5A
033 255017
034 605A25
035 5017A8
036 5A2550
037 17D95A
038 255017
039 0A5B25
040 501739
041 5B2550
042 176F5B
043 255006
044 0407DF
045 406342
046 5D4200
047 7742CD
048 FA22C3
049 3C3C6B
050 426C42
051 714276
052 42FF17
053 A15B25
054 5017E8
055 5B2550
056 F60002
057 070300
058 FF0704
059 00FF00
060 042905
061 07FFD0
062 011009
063 0EFE01
064 020707
065 08FFFF
066 032A06
067 0FFFD0
068 041EC7
069 07031F
070 C70704
071 160E0F
072 FE432C
073 43AF42
074 00A443
075 CDC542
076 CD3C3C
077 213443
078 112643
079 FA3AD6
080 CD6031
081 EA3AD6
082 C92126
083 D1CB6E
084 CBAEC8
085 FA96D7
086 CB4720
087 18010C
088 06CD0B
089 430108
090 03CD04
091 43010A
092 08CD04
093 43010D
094 0DC304
095 43010C
096 06CD04
097 430108
098 03CD0B
099 43010A
100 08CD0B
101 43010D
102 0DC30B
103 433E2D
104 EA9FD0
105 18053E
106 0EEA9F
107 D03E17
108 CD6D3E
109 C9FA09
110 C1FE04
111 C0AFE0
112 B43E04
113 E08CC3
114 202919
115 324C32
116 753241
117 43F424
118 F4245A
119 430130
120 98D74B
121 435543
122 504350
123 43FF08
124 213443
125 CDCC31
126 C3D724
127 17A847
128 285017
129 D54728
130 5017DC
131 472850
132 082195
133 43CD49
134 3CCDEC
135 35FA26
136 CCA720
137 223E01
138 EA3CCC
139 2126D1
140 CBEE21
141 9A43CD
142 493C3E
143 ADCDB1
144 232196
145 D7CB46
146 CBC628
147 0ACB86
148 180621
149 9F43CD
150 493CC3
151 D72417
152 0A4828
153 501726
154 482850
155 173448
156 28502E
157 081B04
158 00FF1B
159 0500FF
160 1B0600
161 FF1B07
162 00FF0A
163 0500D6
164 171500
165 D81B1A
166 00FF1B
167 1B00FF
168 000320
169 1515FF
170 D241E4
171 043D07
172 12FFFF
173 821D3D
174 1916FF
175 FF8326
176 11C81B
177 0411C8
178 1B0512
179 C81B06
180 12C81B
181 0769C7
182 0A05EF
183 C71715
184 1CC81B
185 1A1CC8
186 1B1B40
187 414141
188 414141
189 414141
190 414141
191 41425C
192 060E0E
193 530E11
194 111111
195 110E0E
196 0E5D5C
197 770E47
198 460E0E
199 0E0E0E
200 0E4063
201 0E5D44
202 0E430E
203 460E53
204 580E57
205 58550E
206 0E4650
207 494958
208 060746
209 0E0E0E
210 063847
211 0E5D44
212 113A3B
213 0A0E46
214 0E4343
215 31380E
216 315D44
217 113F3B
218 0A534A
219 494949
220 58060E
221 575144
222 113F3B
223 0A460E
224 0E0E06
225 070E0E
226 0E5D44
227 113F3B
228 0A460E
229 0E0E48
230 0E580E
231 575144
232 113F3B
233 0A460E
234 0B0B0B
235 0E0652
236 075D44
237 113F3B
238 0A460E
239 0E0E0E
240 0E0E44
241 0E4644
242 113F3B
243 0A460E
244 0B0B0B
245 4E0E44
246 0E4644
247 113F3B
248 0A460E
249 0E0E0E
250 0E0E06
251 0E4648
252 583F3B
253 574A49
254 494949
255 494906
256 0E0611
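As an added example, not part of Torchickens' post: the Python below replays the rating lookup over the first 59 rows of the dump above and decodes the Game Genie codes listed in the post. Two assumptions are made and labelled in the code. First, the routine takes the first entry whose threshold byte is strictly greater than the owned count, which is why the NUM_POKEMON + 1 = 152 catch-all entry covers every legitimate count but not 152 itself; the walk then keeps reading 3-byte groups past the table. Second, the codes use the standard Game Boy Game Genie encoding (ABC-DEF-GHI: data AB, address CDE with the F digit inverted as the high nibble; the GHI compare group is not decoded). Under those assumptions the walk reproduces the EN Red/Blue results the post reports (152-216 -> 2559 from row 29, 217-249 -> C322 from row 48, 250-254 -> 0407 from row 58, and no match at all for 255, since no byte can exceed 255), and the three codes decode to consecutive bytes 00 3E XX at 11:417E-4180, inside DisplayDexRating at 11:4169; 00 3E XX is the SM83 encoding of nop followed by ld a, $XX, so XX is the count being forced. The FF substituted for XX is a constructed sample value; the Yellow variant 3E1-7FB-91E decodes to the same address and data.

```python
"""Added example (not code from the original post): walk the Red/Blue
DexRatingsTable the way the rating lookup does, and decode the Game Genie
codes the post lists.

Assumptions: the lookup takes the first entry whose threshold is strictly
greater than the owned count (a reading of the game's routine, checked
against the ranges the post reports), and the codes use the standard Game Boy
Game Genie encoding (ABC-DEF-GHI: data AB, address CDE with F inverted as the
high nibble; the GHI compare group is not decoded).
"""

from typing import Dict, Iterable, Optional, Tuple

# Rows 001-059 of the post's dump, in order. Each row is one 3-byte "entry":
# threshold byte, then a little-endian text pointer. Only rows 1-16 are the
# real table; rows 17+ are whatever follows it in bank 11.
DUMP_ROWS = """
0A0142 140642 1E0B42 281042 321542 3C1A42 461F42 502442 5A2942 642E42
6E3342 783842 823D42 8C4242 964742 984C42 175858 255017 935825 5017CC
582550 170359 255017 3D5925 50176D 592550 17B859 255017 D95925 501703
5A2550 172E5A 255017 605A25 5017A8 5A2550 17D95A 255017 0A5B25 501739
5B2550 176F5B 255006 0407DF 406342 5D4200 7742CD FA22C3 3C3C6B 426C42
714276 42FF17 A15B25 5017E8 5B2550 F60002 070300 FF0704 00FF00
"""

TABLE_ROWS = 16  # thresholds 10..150 plus the NUM_POKEMON + 1 (= 152) catch-all
BANK = 0x11


def parse_dump(rows: str) -> bytes:
    """Flatten the dump into the byte stream the lookup loop walks."""
    return bytes.fromhex("".join(rows.split()))


def walk_ratings(owned: int, memory: bytes) -> Optional[Tuple[int, int]]:
    """Return (1-based row matched, text pointer) for `owned` Pokémon.

    Returns None when the walk runs off the end of `memory`. In the game no
    byte can exceed 255, so for owned == 255 no entry ever matches: that is
    the "freeze before text" the post reports.
    """
    if not 0 <= owned <= 0xFF:
        raise ValueError("owned count is a single byte")
    pos = 0
    while pos + 2 < len(memory):
        threshold = memory[pos]
        if owned < threshold:  # assumed compare: first threshold > owned wins
            return pos // 3 + 1, memory[pos + 1] | (memory[pos + 2] << 8)
        pos += 3  # skip the pointer bytes; the next 3 bytes become an "entry"
    return None


def left_table(owned: int, memory: bytes) -> bool:
    """True when the matched "entry" lies beyond the 16 real table rows."""
    hit = walk_ratings(owned, memory)
    return hit is None or hit[0] > TABLE_ROWS


def bank_pointer_to_rom(offset: int, bank: int = BANK) -> int:
    """Map a bank:offset pointer to a flat ROM address, e.g. 11:4201 ->
    0x44201, the PokedexRatingText_44201 label in the post."""
    return bank * 0x4000 + (offset - 0x4000)


def decode_game_genie(code: str) -> Tuple[int, int]:
    """Decode ABC-DEF(-GHI) to (address, data) with the standard GB encoding."""
    first, second = code.upper().split("-")[:2]
    a, b, c = first
    d, e, f = second
    address = ((int(f, 16) ^ 0xF) << 12) | int(c + d + e, 16)
    return address, int(a + b, 16)


def game_genie_patch(codes: Iterable[str]) -> Dict[int, int]:
    """Collect several codes into an address -> byte map."""
    return dict(decode_game_genie(code) for code in codes)


if __name__ == "__main__":
    mem = parse_dump(DUMP_ROWS)
    for owned in (151, 152, 216, 217, 249, 250, 254, 255):
        hit = walk_ratings(owned, mem)
        where = "off-table" if left_table(owned, mem) else "in table"
        print(owned, hit, where)
    # XX in the post's first code is the forced count; FF is a constructed sample.
    patch = game_genie_patch(["FF1-80B-A2D", "3E1-7FB-912", "001-7EB-081"])
    print({hex(k): hex(v) for k, v in sorted(patch.items())})  # 417E:00 417F:3E 4180:FF
```

Running it prints the matched row and pointer for each boundary count, with 152 and above flagged as off-table, followed by the three patched bytes in address order.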