M4n0z

Extra Scripts for BlipBlopMenu 2 or TimOS for Pokemon Yellow EN via Arbitrary Code Execution

Dec 7th, 2024 (edited)
/*

BBM2 Extras - Compatible with EN Yellow ONLY


Description

Extra scripts for BlipBlopMenu 2 or TimOS. After installation the TimOS script count is increased by 7, and the new scripts have the following effects:

#+1 ItemGiver: Gives any item, selected by its internal ID (1-255), in a quantity of up to 99.
#+2 MonGiver: Gives any Pokemon, selected by its Pokedex ID (1-151), at a level of up to 100.
#+3 MonEncounter: Starts a wild encounter with any Pokemon, selected by its Pokedex ID, at a level of up to 100.
#+4 TrainerEncounter: Starts a battle with any trainer class, selected by its internal ID (1-47).
#+5 MoveTeacher: Teaches any move, selected by its internal ID (1-165), to the selected party Pokemon.
#+6 PokeDuplicator: Copies the Pokemon in the first party slot over the second party slot.
#+7 HealOnTheGo: Heals the party on demand.


Prerequisites
- TimoVM's gen 1 ACE setup with a clean TimOS installation from:
 https://glitchcity.wiki/wiki/Guides:SRAM_Glitch_ACE_Setups_(EN_Yellow)

- BlipBlopMenu 2 (optional):
 https://pastebin.com/PhWgT7kY


Instructions
1)  - Installation on actual hardware or an emulator: use TimoVM's NicknameConverter and NicknameWriter from the page linked above.
    - Installation on an emulator with debugging features: paste the hex code below into memory starting at address $d8b4.
2) Run the code from NicknameWriter.
3) Verify that the new scripts are installed and work correctly (the TimOS script count at $c6e9 should have grown by 7).

Warning! The installer occupies $d8b4-$d8e1 (32 bytes of code plus 14 bytes of pointer table) and must be loaded at exactly $d8b4, because the address of its pointer table ($d8d4) is hardcoded in it. The scripts themselves are copied to $c8c3-$c9b2 (240 bytes) inside the TimOS region, and the TimOS script count at $c6e9 and the pointer table starting at $c7bb are updated in place.
Make sure you are not using the $c8c3-$c9b2 area before installation!


Code:

21 e9 c6 46 3e 07 86 77 11 bb
c7 1c 1c 05 20 fb 0e 0e 21 d4
d8 cd b1 00 0e f0 11 c3 c8 c3
b1 00 e1 c8 2a c9 34 c9 41 c9
63 c9 94 c9 ad c9 cd dd 16 c3
1c 23 ea 96 cf cd 51 2c a7 fa
95 cf c9 21 09 c4 11 6d cd cd
16 38 2b 36 7f c9 cd c3 c8 3e
ff cd c9 c8 c0 f5 ea 1d d1 cd
c4 2e cd d4 c8 3e 63 cd c9 c8
c1 20 e5 4f cd 3f 3e 18 df cd
c3 c8 3e 97 cd c9 c8 28 01 c9
11 1d d1 12 06 10 21 86 50 cd
84 3e 1a f5 cd 93 2e cd d4 c8
3e 64 cd c9 c8 c1 20 d9 c9 cd
02 c9 c0 4f cd 59 3e 18 f6 cd
02 c9 c0 ea 2e cd fa 1d d1 c3
76 32 cd c3 c8 3e 2f cd c9 c8
c0 ea 30 d0 f5 cd bb 35 cd d4
c8 f1 c6 c8 ea 1d d1 3e 01 cd
c9 c8 20 e0 18 d5 cd c3 c8 3e
a5 cd c9 c8 c0 ea df d0 ea 1d
d1 cd 4d 2f cd d4 c8 21 4a cf
1e 6d cd 16 38 fa 62 d1 cd c9
c8 20 db 3d ea 91 cf 21 c8 6b
cd 17 39 18 cf 21 63 d1 2a 77
01 2c 00 11 96 d1 2e 6a cd b1
00 11 b4 d2 21 bf d2 c3 16 38
21 2b 75 c3 4b 07

Total Bytes: 286



In case you want to go beyond the limits and get glitch items, Pokemon, moves or trainers, you can input the following code afterwards. It must run after the main code is installed, because it writes into the installed scripts: it stores 0 into the byte each script loads as the selector maximum (the operand of every "ld a, n" that precedes a "call selector" in the listing below), so the quantity/level/ID menus are no longer capped at the normal ranges:

af ea e5 c8 ea f5 c8 ea 06 c9
ea 22 c9 ea 45 c9 ea 5b c9 ea
67 c9 c9

Total Bytes: 23



Source is compiled with RGBDS

*/


SECTION "BlipBlopMenu2ExtrasY", ROM0

start:
LOAD "Installer", WRAMX[$D8B4]
; ----------- Installer payload ------------
Installer:
; increase the number of scripts by 7 (one per entry in the pointer table below)
ld hl, $c6e9        ; TimOS script count
ld b, [hl]          ; b = current number of scripts
ld a, (pointers.end-pointers)/2
add a, [hl]
ld [hl], a

; advance de past the existing pointers (2 bytes each) to the first free slot
ld de, $c7bb        ; TimOS pointer table - slot of script #1
.pointerloop
inc e               ; only e is incremented, so the walk stays inside page $c7xx
inc e
dec b               ; note: a count of 0 runs this loop 256 times and leaves e unchanged
jr nz, .pointerloop

; Copy pointers
ld c, pointers.end-pointers         ; b = 0 from previous operation, so bc = 14
ld hl, pointers     ; $d8d4 - origin (hardcoded: the installer must sit at $d8b4)
call $00b1          ; CopyData - bc bytes from hl to de

; Copy payloads
ld c, end-emptyscreen               ; 240 bytes
ld de, $c8c3        ; destination
jp $00b1            ; CopyData - its ret returns to the caller of the installer


; ----------- Payload pointers ------------
pointers:           ; the assembler calculates every script's starting address
db LOW(itemgiver),      HIGH(itemgiver)
db LOW(dexgiver),       HIGH(dexgiver)
db LOW(letsgetwild),    HIGH(letsgetwild)
db LOW(hitrainer),      HIGH(hitrainer)
db LOW(teachmemaster),  HIGH(teachmemaster)
db LOW(duplicator),     HIGH(duplicator)
db LOW(healer),         HIGH(healer)
.end
ENDL


LOAD "payloads", WRAM0[$c8c3]

emptyscreen:        ; 6 bytes - common function
call $16dd          ; ClearScreen
jp $231c            ; UpdateSprites

selector:           ; 11 bytes - common function
                    ; in:  a = maximum value offered by the quantity menu
                    ; out: a = chosen value; z = A pressed (confirmed), nz = B pressed (cancelled)
ld [$cf96], a       ; wMaxItemQuantity write
call $2c51          ; DisplayChooseQuantityMenu - returns a = 0 on A, nonzero on B
and a, a            ; z flag set if a is 0, i.e. if the choice was confirmed
ld a, [$cf95]       ; wItemQuantity read (does not affect the flags)
ret

copyname:           ; 13 bytes - common function
ld hl, $c409        ; destination in the screen tilemap
ld de, $cd6d        ; origin - wNameBuffer
call $3816          ; CopyString - copies up to and including the "@" terminator
dec hl
ld [hl], $7f        ; overwrite the copied terminator with a blank tile
ret

itemgiver:          ; 33 bytes
call emptyscreen
ld a, 255           ; total item IDs
call selector       ; pick the item ID
ret nz              ; if B pressed, then ret
push af             ; keep the ID while the name is looked up
ld [$d11d], a       ; wNamedObjectIndex - item ID for GetItemName
call $2ec4          ; GetItemName
call copyname       ; show the name on screen
ld a, 99
call selector       ; pick the quantity
pop bc              ; b = item ID
jr nz, itemgiver    ; if B pressed, go back to the start of the script
ld c, a             ; bc = id, quantity
call $3e3f          ; GiveItem
jr itemgiver        ; back to the start of the script

pokecommon:         ; 40 bytes - common function: returns b = species index, a = level, z = confirmed
call emptyscreen
ld a, 151           ; total species IDs
call selector       ; pick the Pokedex number
jr z, .continue     ; A pressed: continue
ret                 ; B pressed: return with nz
.continue
ld de, $d11d        ; wPokedexNum
ld [de], a          ; pokedex number is stored in wPokedexNum
ld b, $10           ; select bank 16
ld hl, $5086        ; PokedexToIndex - converts wPokedexNum in place to the internal index
call $3e84          ; Bankswitch
ld a, [de]          ; internal species index
push af
call $2e93          ; GetMonName
call copyname
ld a, 100
call selector       ; pick the level
pop bc              ; b = internal species index
jr nz, pokecommon   ; if B pressed, go back to the start
ret                 ; z is set here, so the caller's ret nz does not fire


dexgiver:           ; 10 bytes
call pokecommon
ret nz              ; B pressed at the species prompt
ld c, a             ; bc = index, level
call $3e59          ; GivePokemon
jr dexgiver         ; back to the start of the script


letsgetwild:        ; 4 bytes - falls through into encounter
call pokecommon
ret nz
encounter:          ; 9 bytes - common function, also used by hitrainer
ld [$cd2e], a       ; wEnemyMonAttackMod slot, read by InitBattleEnemyParameters as the level ([wCurEnemyLevel]) or trainer roster number ([wTrainerNo])
ld a, [$d11d]       ; wPokedexNum / wNamedObjectIndex - species index or trainer id
jp $3276            ; InitBattleEnemyParameters+$03, entered with the id already in a


hitrainer:          ; 34 bytes
call emptyscreen
ld a, 47            ; total trainer classes
call selector       ; pick the class
ret nz              ; if B pressed, then ret
ld [$d030], a       ; wTrainerClass - used by GetTrainerName
push af
call $35bb          ; GetTrainerName
call copyname
pop af
add a, $c8          ; trainer ids are class + 200
ld [$d11d], a       ; id is stored in wNamedObjectIndex
ld a, 01            ; only roster #1 of the class, unless the glitch patch zeroes this maximum
call selector       ; pick the roster number
jr nz, hitrainer    ; if B pressed, go back to the start
jr encounter


teachmemaster:      ; 49 bytes
call emptyscreen    ; ClearScreen
ld a, 165           ; total move IDs
call selector       ; pick the move
ret nz              ; if B pressed, then ret
ld [$d0df], a       ; wMoveNum
ld [$d11d], a       ; wNamedObjectIndex
call $2f4d          ; GetMoveName
call copyname
ld hl, $cf4a        ; destination (wStringBuffer - the move name LearnMove prints)
ld e, $6d           ; origin (wNameBuffer; d is still $cd after copyname)
call $3816          ; CopyString
ld a, [$d162]       ; wPartyCount
call selector       ; pick the party slot (1-based)
jr nz, teachmemaster; if B pressed, go back to the start
dec a
ld [$cf91], a       ; wWhichPokemon (0-based)
ld hl, $6bc8        ; LearnMove
call $3917          ; switch to ROM bank 1 and call hl
jr teachmemaster


duplicator:         ; 25 bytes
; transfer pokemon id
ld hl, $d163        ; wPartySpecies - poke 1 id
ld a, [hli]
ld [hl], a          ; hl = $d164 - poke 2 id
; transfer pokemon data
ld bc, $002c        ; poke data length (44 bytes)
ld de, $d196        ; poke 2 data
ld l, $6a           ; poke 1 data (hl = $d16a)
call $00b1          ; CopyData
; transfer pokemon nickname
ld de, $d2b4        ; poke 1 nickname
ld hl, $d2bf        ; poke 2 nickname
jp $3816            ; CopyString
; note: wPartyCount and the OT name of slot 2 are left untouched


healer:             ; 6 bytes
ld hl, $752b        ; HealParty
jp $074b            ; hardcoded bankswitch to ROM bank 3, then jump to hl

end:
ENDL


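Before a retyped or edited copy of the two hex dumps in the header is converted with NicknameConverter, it is worth cross-checking it against the listing above. The script below is an added example, not code from the original paste or from TimOS/BlipBlopMenu: it decodes the constants the installer bakes in (script count increment, pointer table location, payload length and destination), checks that every new script pointer lands inside the copied payload, replays the installer against a constructed pre-install WRAM image (the existing script count of 5 is made up), and verifies that each store in the glitch patch hits the operand of a `ld a, n` selector maximum. The only TimOS layout it assumes is the one the installer itself uses: the count byte at $c6e9 and 2-byte little-endian pointers from $c7bb.

```python
"""Cross-check the BBM2 Extras hex dumps against the RGBDS listing.
Added example, not code from the original paste. Assumed TimOS layout (taken from
the installer itself): count at $c6e9, 2-byte LE pointers from $c7bb. WRAM image is constructed."""

INSTALLER_ADDR = 0xD8B4       # where the installer must be loaded (ld hl, pointers is baked in)
SCRIPT_COUNT_ADDR = 0xC6E9    # TimOS script count
POINTER_TABLE_ADDR = 0xC7BB   # TimOS script pointer table, 2 bytes per script

INSTALLER_HEX = """
21 e9 c6 46 3e 07 86 77 11 bb c7 1c 1c 05 20 fb 0e 0e 21 d4 d8 cd b1 00 0e f0 11 c3 c8 c3
b1 00 e1 c8 2a c9 34 c9 41 c9 63 c9 94 c9 ad c9 cd dd 16 c3 1c 23 ea 96 cf cd 51 2c a7 fa
95 cf c9 21 09 c4 11 6d cd cd 16 38 2b 36 7f c9 cd c3 c8 3e ff cd c9 c8 c0 f5 ea 1d d1 cd
c4 2e cd d4 c8 3e 63 cd c9 c8 c1 20 e5 4f cd 3f 3e 18 df cd c3 c8 3e 97 cd c9 c8 28 01 c9
11 1d d1 12 06 10 21 86 50 cd 84 3e 1a f5 cd 93 2e cd d4 c8 3e 64 cd c9 c8 c1 20 d9 c9 cd
02 c9 c0 4f cd 59 3e 18 f6 cd 02 c9 c0 ea 2e cd fa 1d d1 c3 76 32 cd c3 c8 3e 2f cd c9 c8
c0 ea 30 d0 f5 cd bb 35 cd d4 c8 f1 c6 c8 ea 1d d1 3e 01 cd c9 c8 20 e0 18 d5 cd c3 c8 3e
a5 cd c9 c8 c0 ea df d0 ea 1d d1 cd 4d 2f cd d4 c8 21 4a cf 1e 6d cd 16 38 fa 62 d1 cd c9
c8 20 db 3d ea 91 cf 21 c8 6b cd 17 39 18 cf 21 63 d1 2a 77 01 2c 00 11 96 d1 2e 6a cd b1
00 11 b4 d2 21 bf d2 c3 16 38 21 2b 75 c3 4b 07
"""
PATCH_HEX = "af ea e5 c8 ea f5 c8 ea 06 c9 ea 22 c9 ea 45 c9 ea 5b c9 ea 67 c9 c9"


def parse_hex(text):
    return bytes(int(tok, 16) for tok in text.split())


def decode_installer(blob):
    """Pull the constants the installer bakes in, checking the opcode in front of each."""
    assert blob[:4] == bytes.fromhex("21e9c646")        # ld hl,$c6e9 / ld b,[hl]
    assert blob[4] == 0x3E                              # ld a, <scripts added>
    added = blob[5]
    assert blob[16:18] == bytes((0x0E, 2 * added))      # ld c, <pointer table size>
    assert blob[18] == 0x21                             # ld hl, <pointer table address>
    ptr_off = (blob[19] | blob[20] << 8) - INSTALLER_ADDR
    assert blob[24] == 0x0E and blob[26] == 0x11        # ld c, <payload len> / ld de, <dest>
    payload_len, payload_dst = blob[25], blob[27] | blob[28] << 8
    pointers = [blob[i] | blob[i + 1] << 8 for i in range(ptr_off, ptr_off + 2 * added, 2)]
    payload = blob[ptr_off + 2 * added:]
    assert len(payload) == payload_len, "dump length disagrees with ld c, end-emptyscreen"
    return added, pointers, payload_dst, payload


def entry_opcodes(pointers, dst, payload):
    """Opcode at each new script's entry; every pointer must land inside the payload."""
    offs = [p - dst for p in pointers]
    assert all(0 <= o < len(payload) for o in offs), "script pointer outside copied payload"
    return [payload[o] for o in offs]


def simulate_install(wram, added, pointers, dst, payload):
    """Apply the installer to a dict-backed WRAM image; return (new count, first slot used)."""
    count = wram.get(SCRIPT_COUNT_ADDR, 0)
    wram[SCRIPT_COUNT_ADDR] = (count + added) & 0xFF
    # .pointerloop uses `inc e` only, so it stays in page $c7xx; `dec b` from 0 runs 256 times.
    e, b = POINTER_TABLE_ADDR & 0xFF, count
    while True:
        e, b = (e + 2) & 0xFF, (b - 1) & 0xFF
        if b == 0:
            break
    slot = (POINTER_TABLE_ADDR & 0xFF00) | e
    for i, p in enumerate(pointers):                    # CopyData: pointer table
        wram[slot + 2 * i], wram[slot + 2 * i + 1] = p & 0xFF, p >> 8
    for i, byte in enumerate(payload):                  # CopyData: scripts
        wram[dst + i] = byte
    return wram[SCRIPT_COUNT_ADDR], slot


def decode_patch(blob):
    """The glitch patch is `xor a`, a run of `ld [addr], a`, then `ret`."""
    assert blob[0] == 0xAF and blob[-1] == 0xC9 and len(blob) % 3 == 2
    targets = []
    for i in range(1, len(blob) - 1, 3):
        assert blob[i] == 0xEA, f"unexpected opcode ${blob[i]:02x} at offset {i}"
        targets.append(blob[i + 1] | blob[i + 2] << 8)
    return targets


def patched_maxima(targets, dst, payload):
    """Each store must hit the operand of a `ld a, n` in the payload (a selector maximum)."""
    values = []
    for t in targets:
        off = t - dst
        assert 0 < off < len(payload) and payload[off - 1] == 0x3E, f"${t:04x} is not a ld a,n operand"
        values.append(payload[off])
    return values


def run_checks(existing_scripts=5):
    """Decode both dumps, install them into a constructed WRAM image and report."""
    installer, patch = parse_hex(INSTALLER_HEX), parse_hex(PATCH_HEX)
    added, pointers, dst, payload = decode_installer(installer)
    wram = {SCRIPT_COUNT_ADDR: existing_scripts}        # constructed pre-install state
    new_count, slot = simulate_install(wram, added, pointers, dst, payload)
    targets = decode_patch(patch)
    maxima = patched_maxima(targets, dst, payload)
    for t in targets:                                   # running the patch after install
        wram[t] = 0
    return {"installer_bytes": len(installer), "patch_bytes": len(patch), "added": added,
            "pointers": pointers, "entry_opcodes": entry_opcodes(pointers, dst, payload),
            "payload_range": (dst, dst + len(payload) - 1), "new_count": new_count,
            "first_new_slot": slot, "patch_targets": targets, "zeroed_maxima": maxima,
            "patched_bytes": [wram[t] for t in targets]}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Run it as a script to print the decoded values; a typo in either dump shows up as a failed assertion (wrong length, a pointer outside the payload, or a patch store that does not sit on a `ld a, n` operand). The pointer loop is replayed with the same 8-bit `e` arithmetic the installer uses, so the report also shows where the new entries go for a given pre-existing script count, including the count-of-zero case.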