M4n0z

Extra Scripts for BlipBlopMenu 2 or TimOS for Pokemon Yellow EN via Arbitrary Code Execution

Dec 7th, 2024 (edited)
/*

BBM2 Extras - Compatible with EN Yellow ONLY


Description

Extra scripts for BlipBlopMenu 2 or TimOS. After installation the number of TimOS scripts is increased by 7, with the following effects:

#+1 ItemGiver: gives any item, selected by internal ID.
#+2 MonGiver: gives any pokemon, selected by pokedex ID.
#+3 MonEncounter: starts a wild encounter with any pokemon, selected by pokedex ID.
#+4 TrainerEncounter: starts a battle with any trainer, selected by internal ID.
#+5 MoveTeacher: teaches any move to the selected party pokemon.
#+6 PokeDuplicator: duplicates the pokemon in the first party slot into the second party slot.
#+7 HealOnTheGo: heals the party on demand.


Prerequisites
- TimoVM's gen 1 ACE setup with a clean TimOS installation from:
 https://glitchcity.wiki/wiki/Guides:SRAM_Glitch_ACE_Setups_(EN_Yellow)

- BlipBlopMenu 2 (optional):
 https://pastebin.com/PhWgT7kY


Instructions
1)  - Installation on actual hardware or emulator: use TimoVM's NicknameConverter and NicknameWriter from the page linked above.
    - Installation on an emulator with debugging features: copy and paste the hex code into address $d8b4.
2) Run the code from NicknameWriter.
3) Verify that the new scripts are installed and work correctly.

Warning! The scripts are stored from address $c8c3 upward, inside the TimOS region.
Make sure you are not using this area before installation!



Code:

21 e9 c6 46 3e 07 86 77 11 bb
c7 1c 1c 05 20 fb 0e 0e 21 d4
d8 cd b1 00 0e f0 11 c3 c8 c3
b1 00 e1 c8 2a c9 34 c9 41 c9
63 c9 94 c9 ad c9 cd dd 16 c3
1c 23 ea 96 cf cd 51 2c a7 fa
95 cf c9 21 09 c4 11 6d cd cd
16 38 2b 36 7f c9 cd c3 c8 3e
ff cd c9 c8 c0 f5 ea 1d d1 cd
c4 2e cd d4 c8 3e 63 cd c9 c8
c1 20 e5 4f cd 3f 3e 18 df cd
c3 c8 3e 97 cd c9 c8 28 01 c9
11 1d d1 12 06 10 21 86 50 cd
84 3e 1a f5 cd 93 2e cd d4 c8
3e 64 cd c9 c8 c1 20 d9 c9 cd
02 c9 c0 4f cd 59 3e 18 f6 cd
02 c9 c0 ea 2e cd fa 1d d1 c3
76 32 cd c3 c8 3e 2f cd c9 c8
c0 ea 30 d0 f5 cd bb 35 cd d4
c8 f1 c6 c8 ea 1d d1 3e 01 cd
c9 c8 20 e0 18 d5 cd c3 c8 3e
a5 cd c9 c8 c0 ea df d0 ea 1d
d1 cd 4d 2f cd d4 c8 21 4a cf
1e 6d cd 16 38 fa 62 d1 cd c9
c8 20 db 3d ea 91 cf 21 c8 6b
cd 17 39 18 cf 21 63 d1 2a 77
01 2c 00 11 96 d1 2e 6a cd b1
00 11 b4 d2 21 bf d2 c3 16 38
21 2b 75 c3 4b 07

Total Bytes: 286



In case you want to go beyond the limits and get glitch items, pokemon, moves or trainers, you can input the following code afterwards:

af ea e5 c8 ea f5 c8 ea 06 c9
ea 22 c9 ea 45 c9 ea 5b c9 ea
67 c9 c9

Total Bytes: 23



Source is compiled with QuickRGBDS
https://github.com/M4n0zz/QuickRGBDS

*/


SECTION "BlipBlopMenu2ExtrasY", ROM0

start:
LOAD "Installer", WRAMX[$D8B4]
; ----------- Installer payload ------------
Installer:
; increase the number of scripts by 7 (one per pointer in the table below)
ld hl, $c6e9
ld b, [hl]          ; b = old script count
ld a, (pointers.end-pointers)/2
add a, [hl]
ld [hl], a

; advance de past the existing script pointers (2 bytes each)
ld de, $c7bb        ; destination - script #1
.pointerloop
inc e               ; only e is incremented, so the table must not cross a $100 boundary
inc e
dec b
jr nz, .pointerloop

; Copy pointers
ld c, pointers.end-pointers         ; b = 0 from previous operation
ld hl, pointers     ; $d8d4 - origin
call $00b1          ; CopyData

; Copy payloads
ld c, end-emptyscreen
ld de, $c8c3        ; destination
jp $00b1            ; CopyData


; ----------- Payload pointers ------------
pointers:           ; the assembler fills in each script's start address (little-endian)
db LOW(itemgiver),      HIGH(itemgiver)
db LOW(dexgiver),       HIGH(dexgiver)
db LOW(letsgetwild),    HIGH(letsgetwild)
db LOW(hitrainer),      HIGH(hitrainer)
db LOW(teachmemaster),  HIGH(teachmemaster)
db LOW(duplicator),     HIGH(duplicator)
db LOW(healer),         HIGH(healer)
.end
ENDL


LOAD "payloads", WRAM0[$c8c3]

emptyscreen:        ; 6 bytes - common function
call $16dd          ; ClearScreen
jp $231c            ; UpdateSprites

selector:           ; 11 bytes - common function
ld [$cf96], a       ; wMaxItemQuantity write
call $2c51          ; DisplayChooseQuantityMenu
and a, a            ; if a is 0, z flag is set
ld a, [$cf95]       ; wItemQuantity read
ret

copyname:           ; 13 bytes - common function
ld hl, $c409        ; destination
ld de, $cd6d        ; origin - wNameBuffer
call $3816          ; CopyString
dec hl
ld [hl], $7f        ; blank last name byte
ret

itemgiver:          ; 33 bytes
call emptyscreen
ld a, 255           ; total item IDs
call selector
ret nz              ; if B pressed, then ret
push af
ld [$d11d], a       ; wPokedexNum
call $2ec4          ; GetItemName
call copyname
ld a, 99            ; max quantity
call selector
pop bc
jr nz, itemgiver    ; if B pressed go to the beginning, ln0
ld c, a             ; bc = id, quantity
call $3e3f          ; GiveItem
jr itemgiver        ; jp to start, ln0

pokecommon:         ; 40 bytes - common function
call emptyscreen
ld a, 151           ; total species IDs
call selector
jr z, .continue     ; if B pressed, then ret
ret
.continue
ld de, $d11d        ; wPokedexNum
ld [de], a          ; pokemon id is stored in wPokedexNum
ld b, $10           ; select bank 16
ld hl, $5086        ; PokedexToIndex
call $3e84          ; Bankswitch
ld a, [de]          ; wPokedexNum
push af
call $2e93          ; GetMonName
call copyname
ld a, 100           ; max level
call selector
pop bc
jr nz, pokecommon   ; if B pressed go to the beginning, ln0
ret


dexgiver:           ; 10 bytes
call pokecommon
ret nz
ld c, a             ; bc = id, level
call $3e59          ; GivePokemon
jr dexgiver         ; jp to start, ln0


letsgetwild:        ; 4 bytes
call pokecommon
ret nz
encounter:          ; 9 bytes - common function
ld [$cd2e], a       ; wEnemyMonAttackMod - [wCurEnemyLevel]/[wTrainerNo]
ld a, [$d11d]       ; wPokedexNum - pokemon/trainer id
jp $3276            ; InitBattleEnemyParameters+$03


hitrainer:          ; 34 bytes
call emptyscreen
ld a, 47            ; total encounter IDs
call selector
ret nz              ; if B pressed, then ret
ld [$d030], a       ; wTrainerClass
push af
call $35bb          ; GetTrainerName
call copyname
pop af
add a, $c8          ; trainer ids start at $c8 (200)
ld [$d11d], a       ; id is stored in wNamedObjectIndex
ld a, 01
call selector
jr nz, hitrainer    ; if B pressed go to the beginning, ln0
jr encounter


teachmemaster:      ; 49 bytes
call emptyscreen    ; ClearScreen
ld a, 165           ; total move IDs
call selector
ret nz              ; if B pressed, then ret
ld [$d0df], a       ; wMoveNum
ld [$d11d], a       ; wNamedObjectIndex
call $2f4d          ; GetMoveName
call copyname
ld hl, $cf4a        ; destination (wStringBuffer)
ld e, $6d           ; origin (wNameBuffer) - d is still $cd from copyname
call $3816          ; CopyString
ld a, [$d162]       ; wPartyCount
call selector
jr nz, teachmemaster ; if B pressed go to the beginning
dec a
ld [$cf91], a       ; wWhichPokemon
ld hl, $6bc8        ; LearnMove
call $3917          ; bankswitch bank1
jr teachmemaster


duplicator:         ; 25 bytes
; transfer pokemon id
ld hl, $d163        ; poke 1 id
ld a, [hli]
ld [hl], a          ; hl = $d164
; transfer pokemon data
ld bc, $002c        ; poke data length
ld de, $d196        ; poke 2 data
ld l, $6a           ; poke 1 data ($d16a, h is still $d1)
call $00b1          ; CopyData
; transfer pokemon nickname
ld de, $d2b4        ; poke 1 nickname
ld hl, $d2bf        ; poke 2 nickname
jp $3816            ; CopyString


healer:             ; 6 bytes
ld hl, $752b        ; HealParty
jp $074b            ; hardcoded rombankswitch 3

end:
ENDL
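Offline sanity check for the two hex blocks above, added here as an example and not part of the original paste. It reads the installer's own length, origin and destination operands back out of the bytes, recovers the seven script pointers, and checks that every address the 23-byte "beyond the limits" patch writes to is the immediate of a `ld a, n` limit; the 286- and 23-byte listings are transcribed from the page, and the $d8b4 load address is the one the instructions give.

```python
# Added check for the BBM2 Extras blob (not part of the paste): it reads the
# installer's own operands back from the hex, so a typo shows up as a wrong
# length, a stray pointer, or a limit patch that misses a `ld a,n` immediate.
INSTALLER_BASE = 0xD8B4   # NicknameWriter target from the instructions

# The 286 bytes of the "Code:" block, five paste rows per line.
BLOB = bytes.fromhex(
    "21e9c6463e07867711bb c71c1c0520fb0e0e21d4 d8cdb1000ef011c3c8c3 b100e1c82ac934c941c9 63c994c9adc9cddd16c3"
    "1c23ea96cfcd512ca7fa 95cfc92109c4116dcdcd 16382b367fc9cdc3c83e ffcdc9c8c0f5ea1dd1cd c42ecdd4c83e63cdc9c8"
    "c120e54fcd3f3e18dfcd c3c83e97cdc9c82801c9 111dd1120610218650cd 843e1af5cd932ecdd4c8 3e64cdc9c8c120d9c9cd"
    "02c9c04fcd593e18f6cd 02c9c0ea2ecdfa1dd1c3 7632cdc3c83e2fcdc9c8 c0ea30d0f5cdbb35cdd4 c8f1c6c8ea1dd13e01cd"
    "c9c820e018d5cdc3c83e a5cdc9c8c0eadfd0ea1d d1cd4d2fcdd4c8214acf 1e6dcd1638fa62d1cdc9 c820db3dea91cf21c86b"
    "cd173918cf2163d12a77 012c001196d12e6acdb1 0011b4d221bfd2c31638 212b75c34b07"
)
# The 23-byte "beyond the limits" patch.
PATCH = bytes.fromhex("afeae5c8eaf5c8ea06c9 ea22c9ea45c9ea5bc9ea 67c9c9")


def le16(b, i):
    return b[i] | (b[i + 1] << 8)      # little-endian 16-bit operand at b[i]


def parse_installer(blob=BLOB):
    """(payload_dest, script_pointers, payload) taken from the installer's own
    ld a,n / ld c,n / ld hl,nn / ld de,nn operands, which sit at fixed offsets."""
    assert blob[4] == 0x3E and blob[16] == 0x0E and blob[18] == 0x21
    assert blob[24] == 0x0E and blob[26] == 0x11 and len(blob) == 286
    n_scripts, n_ptr_bytes = blob[5], blob[17]
    ptr_off = le16(blob, 19) - INSTALLER_BASE     # pointers - $d8b4 = 32
    payload_len, dest = blob[25], le16(blob, 27)  # ld c,$f0 / ld de,$c8c3
    table = blob[ptr_off:ptr_off + n_ptr_bytes]
    pointers = [le16(table, i) for i in range(0, n_ptr_bytes, 2)]
    payload = blob[ptr_off + n_ptr_bytes:][:payload_len]
    assert n_scripts == len(pointers) and len(payload) == payload_len
    assert all(dest <= p < dest + payload_len for p in pointers)
    return dest, pointers, payload


def patched_limits(blob=BLOB, patch=PATCH):
    """Map each ld [nn],a target in the patch to the selector limit it zeroes,
    checking that the byte before the target is the ld a,n opcode $3E."""
    dest, _, payload = parse_installer(blob)
    assert patch[0] == 0xAF and patch[-1] == 0xC9  # xor a ... ret
    limits = {}
    for i in range(1, len(patch) - 1, 3):
        assert patch[i] == 0xEA                    # ld [nn], a
        addr = le16(patch, i + 1)
        assert payload[addr - dest - 1] == 0x3E
        limits[addr] = payload[addr - dest]
    return limits
```

Running `patched_limits()` on a correct transcription returns the seven limits (255, 99, 151, 100, 47, 1, 165) that the source sets with `ld a, n`; any assertion failure points at a mistyped byte.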