Turning Splash into a One-hit-KO move (exclamation point arbitrary code execution, Pokémon Red/Blue)

Turning Splash into a One-hit-KO move (exclamation point arbitrary code execution, Pokémon Red/Blue)

Channel:
Evie (ChickasaurusGL) 🌺
Subscribers:
17,700
Published on ● Video Link: https://www.youtube.com/watch?v=Rtj2iMg9ROE


Game:
Pokémon Red and Blue (1996)
Duration: 8:47
1,799 views
91

Notes: In this video after using 4F, Magikarp's Splash turns into a one-hit KO move, which proceeds to KO the first Pokémon of each Elite Four member and the Champion, causing them to surrender and accuse us of cheating. ^^


The 'exclamation point arbitrary code execution' (or move text box end-part ACE) works because of a leftover from Japanese Red/Green/Blue; whenever you used a move, the sentence would differ depending on the group of the move;


00-

(Pokémon)は
(Move)を つかった! Ending 1 #f:5d97

01-
(Pokémon)は
(Move)を した! Ending 2 #f:5da0

02-
(Pokémon)は
(Move)した! Ending 3 #f:5da7

03-
(Pokémon)の
(Move) こうげき! Ending 4 #f:5dac

04-
(Pokémon)の
(Move)! Ending 5 #f:5db4



05+ Glitch text pointer endings


In the case of the English version, the code was left as it is but all five entries were replaced with "!" as the ending, for some reason. By locking D11E (D0E3) in the Japanese versions, you can manipulate the ID to a glitch one above 04 which will have a glitch pointer (in Red/Green v1.0, 0x05 is the convenient DD00, Red/Blue's 0x40 is also D311 (in the Pokédex flags)). This text begins with a text command, so making it 08 enables arbitrary code execution at D312.


From there on, I could run my own code to enable a OHKO effect (Sing sound effect, followed by Hyper Beam animation and sound effect with the one-hit KO text) and give the illusion that Splash did it (if you experiment with the save file, other moves may work too; as I didn't add a check specifically for Splash, although that should be possible). My code also modifies the enemy Trainer's victory text, gives them one Pokémon, and in an earlier version I changed the Trainer class in case the opponent used a Super Potion when their Pokémon fainted etc. but I may have removed it in this version of the save.


4F is responsible for OAM DMA hijacking (this time without breaking the sprites, as I used a relative jump at FF89 to an earlier part of HRAM with code I added) to lock D11E to 0x40. Note: Locking this is also a starter modifier ^^ (like 01xx1ED1).


I used a relative jump to avoid Gengar's Pokédex flag from messing up the code. You can use 4F to fix any other Pokédex flags that might have got affected (D311-D31C), additionally it will reset your inventory because 4F will assume you haven't touched it.


Save file:

https://drive.google.com/file/d/1Zv0VtxqMwa9FGEqiBg367lClITSrn-h2/view?usp=sharing


Disassembly project relevant notes:
"

https://github.com/pret/pokered/blob/2954013da1f10e11db4ec96f9586b7c01706ae1a/data/moves/grammar.asm




0F:5B62 - ExclamationPointPointerTable


; this function does nothing useful
; if the move being used is in set [1-4] from ExclamationPointMoveSets,
; use ExclamationPoint[1-4]Text
; otherwise, use ExclamationPoint5Text
; but all five text strings are identical
; this likely had to do with Japanese grammar that got translated,
; but the functionality didn't get removed
DetermineExclamationPointTextNum:"



Other Videos By Evie (ChickasaurusGL) 🌺


2021-12-12Replacing X's (エックス) "Nintendo presents" screen w/Pokémon Yellow cart swap arbitrary code execution
2021-12-12Game Boy Printer bad serial/opcode arbitrary/remote code proof of concept (Pokémon Yellow)
2021-12-04Randomly select your moves in battle save file (Pokémon Yellow)
2021-12-03Pokémon Yellow 'fusion Pokémon names' save file
2021-11-12Create your own glitch hedge maze puzzle ^-^ (Pokémon Yellow)
2021-11-12How to make unstable Yellow MissingNo. not freeze every time with arbitrary code execution ^-^
2021-11-11How to beat Pokémon Red without moving, without arbitrary code execution and no Trainer ID manip ^-^
2021-11-08Surf on an artificial water tile originating from glitch item text (Pokémon Red and Blue)
2021-11-04HiddenItemCoords's 0 x or y coordinate design flaw (Generation I)
2021-11-04CoolTrainer♀ 10-20% HP switch chance coding flaw (Generation I)
2021-11-02Turning Splash into a One-hit-KO move (exclamation point arbitrary code execution, Pokémon Red/Blue)
2021-10-31Using submerge glitch to encounter Mew in water-grass (no ACE challenge) (Red/Green) (ポケモン バグ)
2021-10-24How to glitch the Japanese GF Mew (ゲーフリミュウ 22796) in Red/Green (ポケットモンスター 赤・ 緑) (from start, no ACE)
2021-10-24Raising an Egg akin Pomeg glitch after the Randy mail over 0 HP on an Egg workaround (Generation II)
2021-10-24Small hybrid Pokémon display detail which was not in Generation I/four-types visible (Generation II)
2021-09-27(WiP Demo): Flying Pikachu minigame created w arbitrary code execution. ^-^ (Pokémon Yellow)
2021-09-25Sound bank arbitrary code execution (0A:58EA's stack corruption) - Save file modification (Red/Blue)
2021-09-25Another take on Rival LG with hex:7C item (0x50 sub-tile and previous encounter not needed) (Yellow)
2021-09-16Glitch subroutine (sound bank) 0E:6BF8 continuation; two applications (Pokémon Yellow EN VC)
2021-09-16Automatic walking caused by glitch subroutine at 0E:6BF8; sound bank 0x0E (Pokémon Yellow EN VC)
2021-09-14Perpetually diagonally moving Pokémon sprites x)


Other Statistics

Pokémon Red and Blue Statistics For Evie (ChickasaurusGL) 🌺

Currently, Evie (ChickasaurusGL) 🌺 has 1,628,878 views for Pokémon Red and Blue across 241 videos. There's over 1 day worth of watchable video for Pokémon Red and Blue published on his channel, or 21.83% of the total watchable video on Evie (ChickasaurusGL) 🌺's YouTube channel.