M4n0z

Extra Scripts for BlipBlopMenu 2 or TimOS for Pokemon Red and Blue EN via Arbitrary Code Execution

Dec 17th, 2024 (edited)
/*

BBM2 Extras - Compatible with EN Red and Blue ONLY


Description

Extra scripts for BlipBlopMenu 2 or TimOS. After installation the number of TimOS scripts is increased by 7, with the following effects:

#+1 ItemGiver: Gives any item, based on the selected internal ID.
#+2 MonGiver: Gives any pokemon, based on the selected pokedex ID.
#+3 MonEncounter: Starts an encounter with any pokemon, based on the selected pokedex ID.
#+4 TrainerEncounter: Starts an encounter with any trainer, based on the selected internal ID.
#+5 MoveTeacher: Teaches any move to the selected party pokemon.
#+6 PokeDuplicator: Duplicates the pokemon in the first party slot into the second party slot.
#+7 HealOnTheGo: Party heal on demand.

Prerequisites
- TimoVM's gen 1 ACE setup with a clean TimOS installation from:
 https://glitchcity.wiki/wiki/Guides:SRAM_Glitch_ACE_Setups_(EN)

- BlipBlopMenu 2 (optional):
 https://pastebin.com/H7v1fP2s


Instructions
1)  - Installation on actual hardware or emulator: You can use TimoVM's NicknameConverter and NicknameWriter from the page linked above.
    - Installation on an emulator with debugging features: Just copy and paste the HEX code to address $d8b4.
2) Run the code from NicknameWriter.
3) Verify that the new scripts are installed and work correctly.

Warning! Scripts are stored from address $c8c3 onward, inside the TimOS region.
Make sure you are not using this area before installation!



Code:

21 e9 c6 46 3e 07 86 77 11 c2
c7 1c 1c 05 20 fb 0e 0e 21 d5
d8 cd b5 00 0e f0 11 c3 c8 c3
b5 00 e1 c8 2a c9 34 c9 41 c9
63 c9 94 c9 ad c9 cd 0f 19 c3
29 24 ea 97 cf cd 57 2d a7 fa
96 cf c9 21 09 c4 11 6d cd cd
29 38 2b 36 7f c9 cd c3 c8 3e
ff cd c9 c8 c0 f5 ea 1e d1 cd
cf 2f cd d4 c8 3e 63 cd c9 c8
c1 20 e5 4f cd 2e 3e 18 df cd
c3 c8 3e 97 cd c9 c8 28 01 c9
11 1e d1 12 06 10 21 f9 4f cd
d6 35 1a f5 cd 9e 2f cd d4 c8
3e 64 cd c9 c8 c1 20 d9 c9 cd
02 c9 c0 4f cd 48 3e 18 f6 cd
02 c9 c0 ea 2e cd fa 1e d1 c3
da 32 cd c3 c8 3e 2f cd c9 c8
c0 ea 31 d0 f5 cd 9e 35 cd d4
c8 f1 c6 c8 ea 1e d1 3e 01 cd
c9 c8 20 e0 18 d5 cd c3 c8 3e
a5 cd c9 c8 c0 ea e0 d0 ea 1e
d1 cd 58 30 cd d4 c8 21 4b cf
1e 6d cd 29 38 fa 63 d1 cd c9
c8 20 db 3d ea 92 cf 21 43 6e
cd 22 39 18 cf 21 64 d1 2a 77
01 2c 00 11 97 d1 2e 6b cd b5
00 11 b5 d2 21 c0 d2 c3 29 38
21 a5 76 c3 1a 09

Total Bytes: 286



In case you want to go beyond the limits and get glitch items, pokemon, moves or trainers, you can input the following code afterwards:

af ea e5 c8 ea f5 c8 ea 06 c9
ea 22 c9 ea 45 c9 ea 5b c9 ea
67 c9 c9

Total Bytes: 23



Source is compiled with QuickRGBDS
https://github.com/M4n0zz/QuickRGBDS

*/


SECTION "BlipBlopMenu2ExtrasRB", ROM0

start:
LOAD "Installer", WRAMX[$D8B5]
; ----------- Installer payload ------------
Installer:
; increase the script count by the number of new pointers (7)
ld hl, $c6e9        ; TimOS script count
ld b, [hl]          ; b = current script count
ld a, (pointers.end-pointers)/2
add a, [hl]
ld [hl], a

; write pointers to the correct position
ld de, $c7c2        ; destination - script #1
.pointerloop        ; skip the b existing pointers (2 bytes each)
inc e
inc e
dec b
jr nz, .pointerloop

; Copy pointers
ld c, pointers.end-pointers ; b = 0 from previous operation
ld hl, pointers     ; $d8d5 - origin
call $00b5          ; CopyData

; Copy payloads
ld c, end-emptyscreen ; CopyData leaves bc = 0, so b is still 0
ld de, $c8c3        ; destination
jp $00b5            ; CopyData


; ----------- Payload pointers ------------
pointers:
db LOW(itemgiver),      HIGH(itemgiver)
db LOW(dexgiver),       HIGH(dexgiver)
db LOW(letsgetwild),    HIGH(letsgetwild)
db LOW(hitrainer),      HIGH(hitrainer)
db LOW(teachmemaster),  HIGH(teachmemaster)
db LOW(duplicator),     HIGH(duplicator)
db LOW(healer),         HIGH(healer)
.end
ENDL


LOAD "payloads", WRAM0[$c8c3]

emptyscreen:        ; 6 bytes - common function
call $190f          ; ClearScreen
jp $2429            ; UpdateSprites

selector:           ; 11 bytes - common function
ld [$cf97], a       ; wMaxItemQuantity write
call $2d57          ; DisplayChooseQuantityMenu - a = 0 if A pressed, nonzero if B pressed
and a, a            ; z flag set if a is 0 (A pressed)
ld a, [$cf96]       ; wItemQuantity read - the chosen value
ret

copyname:           ; 13 bytes - common function
ld hl, $c409        ; destination
ld de, $cd6d        ; origin - wNameBuffer
call $3829          ; CopyString
dec hl
ld [hl], $7f        ; blank last name byte
ret

itemgiver:          ; 33 bytes
call emptyscreen
ld a, 255           ; total item IDs
call selector
ret nz              ; if B pressed, then ret
push af
ld [$d11e], a       ; wPokedexNum
call $2fcf          ; GetItemName
call copyname
ld a, 99            ; max quantity
call selector
pop bc              ; b = item id
jr nz, itemgiver    ; if B pressed go back to the start of the script
ld c, a             ; bc = id, quantity
call $3e2e          ; GiveItem
jr itemgiver        ; back to the start of the script

pokecommon:         ; 40 bytes - common function
call emptyscreen
ld a, 151           ; total species IDs
call selector
jr z, .continue     ; if A pressed continue, if B pressed ret
ret
.continue
ld de, $d11e        ; wPokedexNum
ld [de], a          ; pokemon id is stored in wPokedexNum
ld b, $10           ; select bank 16
ld hl, $4ff9        ; PokedexToIndex
call $35d6          ; Bankswitch
ld a, [de]          ; wPokedexNum
push af
call $2f9e          ; GetMonName
call copyname
ld a, 100           ; max level
call selector
pop bc              ; b = internal index
jr nz, pokecommon   ; if B pressed go back to the start of the script
ret

dexgiver:           ; 10 bytes
call pokecommon
ret nz
ld c, a             ; bc = id, level
call $3e48          ; GivePokemon
jr dexgiver         ; back to the start of the script


letsgetwild:        ; 4 bytes
call pokecommon
ret nz
encounter:          ; 9 bytes - common function
ld [$cd2e], a       ; wEnemyMonAttackMod - read by InitBattleEnemyParameters into [wCurEnemyLevel]/[wTrainerNo]
ld a, [$d11e]       ; wPokedexNum - pokemon/trainer id
jp $32da            ; InitBattleEnemyParameters+$03


hitrainer:          ; 34 bytes
call emptyscreen
ld a, 47            ; total encounter IDs
call selector
ret nz              ; if B pressed, then ret
ld [$d031], a       ; wTrainerClass
push af
call $359e          ; GetTrainerName
call copyname
pop af
add a, $c8          ; trainer ids are offset by 200 in wCurOpponent
ld [$d11e], a       ; id is stored in wNamedObjectIndex
ld a, 01            ; max 1, so the menu acts as a confirm prompt
call selector
jr nz, hitrainer    ; if B pressed go back to the start of the script
jr encounter


teachmemaster:      ; 49 bytes
call emptyscreen    ; ClearScreen
ld a, 165           ; total move IDs
call selector
ret nz              ; if B pressed, then ret
ld [$d0e0], a       ; wMoveNum
ld [$d11e], a       ; wNamedObjectIndex
call $3058          ; GetMoveName
call copyname
ld hl, $cf4b        ; destination (wStringBuffer)
ld e, $6d           ; origin (wNameBuffer) - d is still $cd from copyname
call $3829          ; CopyString
ld a, [$d163]       ; wPartyCount
call selector
jr nz, teachmemaster ; if B pressed go back to the start of the script
dec a
ld [$cf92], a       ; wWhichPokemon
ld hl, $6e43        ; LearnMove
call $3922          ; bankswitch bank1
jr teachmemaster


duplicator:         ; 25 bytes
; transfer pokemon id
ld hl, $d164        ; poke 1 id
ld a, [hli]
ld [hl], a          ; hl = $d165
; transfer pokemon data
ld bc, $002c        ; poke data length
ld de, $d197        ; poke 2 data
ld l, $6b           ; poke 1 data ($d16b)
call $00b5          ; CopyData
; transfer pokemon nickname
ld de, $d2b5        ; poke 1 nickname
ld hl, $d2c0        ; poke 2 nickname
jp $3829            ; CopyString


healer:             ; 6 bytes
ld hl, $76a5        ; HealParty
jp $091a            ; hardcoded rombankswitch 3

end:
ENDL

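The installer layout and the second hex patch can be cross-checked mechanically before anything is written into WRAM. The following Python checker is an added example, not part of the paste or of TimOS: it embeds the two hex blobs from this page, assumes the Installer is assembled at $D8B5 with 32 bytes of code ahead of the pointer table as in the source, and confirms that the script-count increment, pointer table, payload length and each `ld a, N` limit zeroed by the glitch patch line up with the RGBDS source.

```python
# Added checker (not from the paste): cross-check the two hex blobs against the source layout.
INSTALLER_HEX = """
21 e9 c6 46 3e 07 86 77 11 c2 c7 1c 1c 05 20 fb 0e 0e 21 d5
d8 cd b5 00 0e f0 11 c3 c8 c3 b5 00 e1 c8 2a c9 34 c9 41 c9
63 c9 94 c9 ad c9 cd 0f 19 c3 29 24 ea 97 cf cd 57 2d a7 fa
96 cf c9 21 09 c4 11 6d cd cd 29 38 2b 36 7f c9 cd c3 c8 3e
ff cd c9 c8 c0 f5 ea 1e d1 cd cf 2f cd d4 c8 3e 63 cd c9 c8
c1 20 e5 4f cd 2e 3e 18 df cd c3 c8 3e 97 cd c9 c8 28 01 c9
11 1e d1 12 06 10 21 f9 4f cd d6 35 1a f5 cd 9e 2f cd d4 c8
3e 64 cd c9 c8 c1 20 d9 c9 cd 02 c9 c0 4f cd 48 3e 18 f6 cd
02 c9 c0 ea 2e cd fa 1e d1 c3 da 32 cd c3 c8 3e 2f cd c9 c8
c0 ea 31 d0 f5 cd 9e 35 cd d4 c8 f1 c6 c8 ea 1e d1 3e 01 cd
c9 c8 20 e0 18 d5 cd c3 c8 3e a5 cd c9 c8 c0 ea e0 d0 ea 1e
d1 cd 58 30 cd d4 c8 21 4b cf 1e 6d cd 29 38 fa 63 d1 cd c9
c8 20 db 3d ea 92 cf 21 43 6e cd 22 39 18 cf 21 64 d1 2a 77
01 2c 00 11 97 d1 2e 6b cd b5 00 11 b5 d2 21 c0 d2 c3 29 38
21 a5 76 c3 1a 09
"""
LIMIT_PATCH_HEX = "af ea e5 c8 ea f5 c8 ea 06 c9 ea 22 c9 ea 45 c9 ea 5b c9 ea 67 c9 c9"
LOAD_ADDR, PTR_OFF = 0xD8B5, 32   # Installer load address (assumed); its code is 32 bytes long
def le16(b, i):
    return b[i] | (b[i + 1] << 8)

def check_installer(hex_text=INSTALLER_HEX, load_addr=LOAD_ADDR):
    """Decode the installer's immediates and verify they agree with the rest of the blob."""
    b = bytes.fromhex(hex_text)
    assert b[4] == 0x3E and b[16] == 0x0E and b[24] == 0x0E, "unexpected opcode"
    n_scripts, n_ptr_bytes, payload_len = b[5], b[17], b[25]
    assert n_ptr_bytes == 2 * n_scripts, "ld c, pointers.end-pointers mismatch"
    assert le16(b, 19) == load_addr + PTR_OFF, "ld hl, pointers does not match"
    assert len(b) == PTR_OFF + n_ptr_bytes + payload_len, "blob length mismatch"
    dst = le16(b, 27)                                    # ld de, $c8c3
    ptrs = [le16(b, PTR_OFF + 2 * i) for i in range(n_scripts)]
    assert ptrs == sorted(ptrs) and dst <= ptrs[0] and ptrs[-1] < dst + payload_len
    return {"scripts": n_scripts, "dst": dst, "len": payload_len,
            "pointers": ptrs, "payload": b[PTR_OFF + n_ptr_bytes:]}
def check_limit_patch(hex_text=LIMIT_PATCH_HEX, info=None):
    """Every 'ea lo hi' store must hit the N of a 'ld a, N' that is followed by a call."""
    info = info or check_installer()
    p, pay = bytes.fromhex(hex_text), info["payload"]
    assert p[0] == 0xAF and p[-1] == 0xC9                # xor a ... ret
    patched = []
    for i in range(1, len(p) - 1, 3):
        assert p[i] == 0xEA, "expected ld [nn], a"
        addr = le16(p, i + 1)
        off = addr - info["dst"]
        assert pay[off - 1] == 0x3E and pay[off + 1] == 0xCD, hex(addr)
        patched.append((addr, pay[off]))                 # (address, limit being zeroed)
    return patched
```

Running `check_installer()` and `check_limit_patch()` reports the seven script entry points and the seven selector limits the second blob overwrites; any edit to the paste that breaks the layout trips one of the assertions.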