vaguilar / pokemon-red-cable-club-hack

This is a proof of concept to demonstrate a buffer overflow in the Cable Club
Apache License 2.0

Game hangs after trade menu is opened #3

Open mwpenny opened 3 years ago

mwpenny commented 3 years ago

Hi there. Very interesting project!

I'm able to get this mostly working (the game brings me to the trade room and I'm able to open the menu). However, once the transfer completes and the menu opens, the game hangs. On real hardware (DMG-APAE-USA Pokemon Red cartridge; tried on a GBA and GBC), I can see the second trainer is named "2" and has a full party of Mews. When using BGB, I see the same thing briefly but then the graphics get corrupted and the game gets stuck in a rst 38 loop (crash):


I tried using older commits but had the same problem. Is there something I'm missing? Let me know if I can provide more information.

Thanks!

wh00hw commented 5 months ago


Same issue. If I understand correctly, the exploit leverages the pkm id 0xce "name" to push 0xD7A3 as the return address in the PlaceString: subroutine, so that the execution jumps 228 bytes before the Player2 name (0xD887), where it would jump to the shellcode. But so far so good; the execution crashes right there because rst 38 is found. @vaguilar, if you could please explain to us what's missing, this stuff is totally new to me. Thanks

wh00hw commented 5 months ago

https://archives.glitchcity.info/forums/board-115/thread-7576/page-0.html

Well, the explanation is that if we are near the endgame, those nops are actually set as event flags, e.g. D7B3 - Fought Sabrina Yet?

The exploit works correctly with new saves (tested before Gym 1)
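The failure mode described in this thread (the nop slide between the hijacked return target and the Player2 name buffer overlapping save-dependent event flags) can be checked directly on a memory dump. The following is an added diagnostic written for this issue, not code from the pokemon-red-cable-club-hack project: it takes the addresses quoted above (0xD887, 228 bytes, 0xD7B3) as given, and assumes the dump is a raw 64 KiB image indexed by absolute Game Boy address (the `build_sample_wram` input is constructed for the example). It lists every byte in the slide range that is not a `nop`, which is what a late-game save will show and a fresh save will not.

```python
# Added diagnostic for the crash discussed in this issue; not part of the project.
# Addresses come from the thread:
#   0xD887  start of the second trainer's name buffer ("Player2 name")
#   228     distance the hijacked return address points back from that buffer
#   0xD7B3  an event-flag byte inside that range ("Fought Sabrina Yet?")
# The dump layout (a raw 64 KiB image addressed from 0x0000) is an assumption
# made for this example, not something the project defines.

NOP = 0x00            # Game Boy `nop` opcode: what the slide is expected to hold
RST_38 = 0xFF         # `rst $38` opcode: uninitialised memory reads as this
PLAYER2_NAME_ADDR = 0xD887
SLIDE_DISTANCE = 228
EVENT_FLAG_EXAMPLE = 0xD7B3


def slide_start(name_addr: int = PLAYER2_NAME_ADDR, distance: int = SLIDE_DISTANCE) -> int:
    """Address the hijacked return lands on: `distance` bytes before the name buffer."""
    return name_addr - distance


def scan_slide(memory: bytes, start: int, end: int) -> list[tuple[int, int]]:
    """Return (address, byte) for every byte in [start, end) that is not a nop.

    `memory` is indexed by absolute GB address (assumption for this example).
    """
    return [(addr, memory[addr]) for addr in range(start, end) if memory[addr] != NOP]


def describe(addr: int, value: int) -> str:
    """One-line note for a non-nop byte found inside the slide."""
    if value == RST_38:
        return f"{addr:04X}: {value:02X} (rst $38, execution loops/crashes here)"
    return f"{addr:04X}: {value:02X} (non-nop byte, slide broken here)"


def build_sample_wram(set_bytes: dict[int, int]) -> bytearray:
    """Constructed sample memory: all zero, with the given bytes overridden."""
    mem = bytearray(0x10000)
    for addr, value in set_bytes.items():
        mem[addr] = value
    return mem


def check_save(memory: bytes) -> list[str]:
    """Report every byte that would break the slide between the return target and the name buffer."""
    start = slide_start()
    return [describe(a, v) for a, v in scan_slide(memory, start, PLAYER2_NAME_ADDR)]


if __name__ == "__main__":
    # Fresh-save style memory: nothing set in the flag range, so the slide is clean.
    clean = build_sample_wram({})
    print("fresh save:", check_save(clean) or "slide is clean")
    # Late-game style memory: the thread's example flag byte has a bit set (constructed value).
    late = build_sample_wram({EVENT_FLAG_EXAMPLE: 0x01})
    for line in check_save(late):
        print("late save:", line)
```

Running it against a real dump means loading the emulator's WRAM export into a 64 KiB buffer at the right offset; the reported addresses are the event-flag bytes that a fresh save (tested before Gym 1, as noted above) leaves at zero.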