Main Menu

Glitches

References/Resources

Affiliates

Technical

Search Wiki

Toolbox

Crystal box name codes
 Page | Discussion | View source | History

From Glitch City Laboratories

Revision as of 19:36, 3 September 2019 by Bbbbbbbbba (talk | contribs) (Moved a large chunk from 0x1500 control code arbitrary code execution to here.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Box name codes are assembly instructions encoded in the names of boxes. They are used as payloads of arbitrary code execution exploits, and are usually the most convenient for that purpose in Generation II, because the box names are easy to change, the available character set covers a large range of useful assembly instructions, and they are stored in a consecutive memory area (except the 0x50 terminators in between).

For a list of hex values for all available characters in Generation II and their corresponding assembly instructions, see the Big HEX List.

The following box codes are designed specifically for the 0x1500 control code arbitrary code execution exploit. As such, it may make some assumptions about the state of registers and the stack after the bootstrap process.

Get wrong pocket TM17 with code at DA47 to go to DB75 (i.e. set up TM17 ACE to go to box names by default):

When a TM or HM is used in the wrong pocket, it will execute an unintended code pointer. TM17 executes DA47, which is in WRAM and this data persists after save and reset. Using this code, upon executing DA47 the game redirects to box names (DB75; specifically the codes start from PC Box 1 character 1 unlike common Coin Case box name ACE cheats). Using TM17 once setup, is faster than 0x1500 control code arbitrary code execution as you don't need to do the Antidote x21 steps or have the bad name Lapras and view its summary - this way then;

i. With wrong pocket TM17, you are free to have whatever party Pokémon you like (DA47 in Crystal is related to Mobile GB Adapter variables that are fortunately saved, so it's apparent it won't be affected by party Pokémon at least while offline). ii. With wrong pocket TM17, it won't matter whether your inventory later becomes full/you can do it late in game. (Note there is another method to do 0x1500 control code arbitrary code execution late in game and with no trades, but it requires a specific type of bad clone (unterminated name clone) which may be a pain for some)


p0'déT2(Pk)5

p'vzéM5p5

'vd'v(éA45

p'vyé:5p5

'vLéB4p'vx

ém5p0555

éI4x'd

xor a

or a, d0

ld (f893),a

pop hl

ei

ld d,b

xor a

sub b9 ; 47

ld (fb8c),a

xor a

ei

ld d,b

sub a3

sub 9a ;c3

ld (fa80),a

ei

ld d,b

xor a

sub b8 ; 48

ld (fb9c),a

xor a

ei

ld d,b

sub 8b ; 75

ld (fa81),a

xor a

sub b7; 49

ld d,b

ld (fbac),a

xor a

or a, fb

ei

ei

ld d,b

ld (fa88),a

or a

ret nc

All badges:

p'viéI5p5

'vjéL5p09

éA2éB2(Pk)'d

xor a

sub a8

ld (fb88),a

xor a

ld d,b

ld d,b

sub a9

ld (fb8b),a

xor a

or a, ff

ld d,b

ld (f880),a

ld (f881),a

ld d,b

ld d,b

ld d,b

pop hl

or a

ret nc

Have Fly (DCE1 [move 1]=0x13):

p0T'vAé(Pk)6

(Pk)x'd

xor a or a, 93 sub 80 ld (fce1),a ld d,b pop hl or a ret nc ld d,b

Fly can go anywhere

p09ée655

éf6ég6(Pk)5

éh6éi6x'd

xor a

or a, ff

ld (fca4),a

ei

ei

ld d,b

ld (fca5),a

ld (fca6),a

pop hl

ei

ld d,b

ld (fca7),a

ld (fca8),a

or a

ret nc

ld d,b

Get GS Ball in Goldenrod City Pokémon Center

p'vséJ5p(Pk)

0B'vAéI55

éAAp0N'vA

ée5p0B'vA

éd5p0K'vA

éBBp'va'vc

55555555

55555555

é'l5p'v(male)'v't

é'd5p0L'vA

éIIx'd

xor a

sub b2 ;a=4e

ld (fb89),a

xor a

pop hl

ld d,b

or 81

sub 80 ;a=01

ld (fb88),a

ld d,b

ld d,b

ld (8080),a

xor a

or 8d

sub 80 ;0d

ld d,b

ld (fba4),a

xor a

or 81

sub 80

ld d,b

ld (fba3),a

xor a

or 8a

sub 80

ld d,b

ld (8181),a

xor a

sub a0

sub a2 ;be

ld d,b

ei

ei

ei

ei

ei

ei

ei

ei

ld d,b

ei

ei

ei

ei

ei

ei

ei

ei

ld d,b

ld (fbd1),a

xor a

sub ef

sub d5 ; 3c

ld d,b

ld (fbd0),a

xor a

or 8b

sub 80 ; 0b

ld d,b

ld (8888),a

or a

ret nc

ld d,b

ld d,b

--What this does basically:

ld a,01

ld (4e01),a ;change to SRAM bank 1

ld a, 0a

ld (0d01),a ;this enables writing to SRAM

ld a, 0b

ld (be3c),a ;enable Celebi GS Ball event

Get Master Ball items slot 2

p0B'vAéV2

(Pk)x'd

xor a

or 81

sub 80

ld (f895),a

ld d,b

pop hl

or a

ret nc

ld d,b


Get Rare Candy balls slot 1

p0i'vA'v

éI5p0a'vA

éA2x(Pk)'d

(fill box 1 name with 5 beforehand to prevent freeze)

xor a

or a8

sub 80

sub 50

ld d,b

ld d,b

ld (fb88),a

xor a

or a0

sub 80

ld d,b

ld (f880),a

or a

pop hl

ret nc

ld d,b


Make it a day+1 (D4B6 = 01)

p0B'vAéw,

xPk'd

xor a

or 81

sub 80

ld (f4b6),a

ld d,b

or a

pop hl

ret nc

ld d,b

Make it a day+2 (D4B6 = 02)

p0C'vAéw,

xPk'd

xor a

or 82

sub 80

ld (f4b6),a

ld d,b

or a

pop hl

ret nc

ld d,b


Get Mew (recommended Egg slot 1) DCDF=97

p0?'vH'vA5

éI5p0X55

éA6(Pk)x'd

xor a

or a, e6

sub 87

sub 80

ei

ld d,b

ld (fb88),a

xor a

or a,97

ei

ei

ld d,b

ld (fc80),a

pop hl

or a

ret nc

Hatch steps left = 1 cycle/1 happiness (DCFA=01)

p0B'vAé46

Pkx'd

xor a

or a, 81

sub 80

ld (fcfa),a

ld d,b

pop hl

or a

ret nc

ld d,b

Warp to Safari Zone

p0D'vAév6

(Pk)p'vhéw6x

'd

xor a

or a, 83

sub 80

ld (fcb5),a

ld d,b

pop hl

xor a

sub a7 (;59)

ld (fcb6),a

or a

ld d,b

ret nc

ld d,b