
Messages - Epsilon

Pages: [1] 2 3 ... 14
1
Are there any hidden pokemon sprites in the code of any games that are pokemon that don't exist?

No. At least not in gen 1. All sprites in the code are used.

I can't speak for later generations, however; I presume it to be the same.
2
CartSwap using button input

CartSwap currently uses a timer to delay frames until reboot, meaning the user must quickly pull out the cartridge and insert a new one before the timer ends.

This new version simply waits until the user presses START before rebooting.

8f
Any xAny
TM43 x4 (hex:04)
Lemonade x16 (hex:10)
Carbos x255 (hex:FF)
X Accuracy x1 (hex:01)
Ice Heal x45 (hex:2D)
Burn Heal x119 (hex:77)
Elixer x126 (hex:7E)
TM30 x15 (hex:0F)
Awakening x7 (hex:07)
Potion x185 (hex:B9)
Fire Stone x235 (hex:EB)
X Attack x101 (hex:65)
Protein x14 (hex:0E)
Master Ball x121 (hex:79)
TM33 x[Any qty]

ASM:
Code:
di ; Prevent the game from prematurely executing the other game's interrupts
.loop
inc b ; Filler (the jr below lands here: $EB is -21 bytes counted from the byte after the jr)
ld a,$10 ; a = $10
ld h,$ff ; hl = $FF22
ld l,$01 ; hl = $FF01
dec c ; Filler
dec l ; hl = $FF00, hardware register responsible for Joypad input
inc c ; Filler
ld (hl),a ; Enable polling for button inputs
ld d,d ; Filler
ld a,(hl) ; Grab current button inputs
and $0f ; Filter out unrelated upper nibble
ld c,$07 ; c = $07
inc d ; Filler
cp c ; compare a with c. In binary, this would check for %0111, as bit 3 is reset if START is pressed
jr nz,.loop ; Not Equal? Go to loop
ld b,c ; Filler
ld h,l ; hl = $0000
inc h ; hl = $0100 (GB booting point)
ld c,1 ; c = 1 (the $01 immediate is Master Ball's item ID)
ld a,c ; a = 1
jp hl ; Reboot
3
General Discussion / Re: Cool ASCII of my favorite word!
« on: January 12, 2018, 07:14:24 pm »
Though it may be different across browsers, I read "EMSMF".
4
Debate Wars / Re: Religion
« on: January 10, 2018, 01:25:28 pm »
Personally, I'm an atheist. I never bought into the idea of a higher power.
5
Note: This only allows for Red -> Red or Blue -> Blue duplications. Attempting an R -> B or vice versa will result in a glitch Pokemon Center that you cannot escape from.

Hey all! Not sure how useful this might be, but I made a save file (well, "made", meaning I saved the game) that allows you to duplicate and play the save file of the person you are trading with in Pokemon Red/Blue! It uses the RCE method discovered by vaguilar and documented here.

To Use

1. Have a Pokemon Red/Blue cartridge with the save file you wish to duplicate (This file needs no special prerequisites, outside of being able to use the Cable Club, meaning Oak's Parcel has been delivered)
2. Have a copy of the same game (Red/Blue wise), with its respective duplication save file loaded (I have attached both saves to this thread)
3. Connect the two via link cable (If you're on BGB, you can do this with Right Click>Link>Listen on one and Right Click>Link>Connect on the other)
4. Go to the Trade Colosseum
5. Start a trade
6. Wait for save file transfer to complete
A few things to note: This is different from Mr.Cheeze's virus in that this needs to transfer all three banks. As such, this is going to take a minute or two. Be patient.

During this time, you will notice both screens will become glitched. This is the save file data you are duplicating, being represented as tiles.

7. Once they are finished, both Gameboys will restart
8. You should now be able to play the save file you duplicated!

Technical

As I mentioned earlier, this uses the exploit vaguilar discovered and documented.

As you might have guessed, this was inspired by "Mr.Cheeze's virus".

Basically, what vaguilar's exploit does is this: since the subroutine that draws Pokemon names to the screen doesn't end until it reaches the $FF terminator, you can change bytes in your party to force the subroutine to write names to the stack, forcing the game to jump to a certain address upon reaching "ret". In order to force the buffer to go that far, and to not damage any other important parts of RAM, we use glitch Pokemon $E3 (or $E4), as its name begins with an end terminator $50. Because of this, we can safely move the buffer forward.

Our party looks like this: (note: the Gameboy you are duplicating the save file from will be referred to as "victim"; the other Gameboy, with my save file, will be referred to as "master")
Code:
06 ; # of Pokemon, completely irrelevant
00 x6  ; These six pokemon are irrelevant also
e3 x346 ; Advance the buffer to the "victim"'s stack
ce ; Write $CE's name to the victim's stack (EE 21 96 D7 CB 86 21 A3 D7 CB), "A3 D7" is what the game will read from when returning, causing it to jump to $D7A3 (nop slide to master's name)
e3 x7 ; Advance the buffer to the "master"'s stack
f1 ; Write $F1's name to the stack (40 40 40 FF FA 30 D7 CB 47 C0) "30 D7" is what the game reads from when returning, forcing a jump to $D730 (event flags)
ff ; Cause aforementioned buffer to return, forcing the jumps

---
ld a,8 ; a = 8
ldh [rIE],a ; Only allow serial int
ld hl,$0316 ; Garbage to send master in exchange for payload (starts with $FD to allow for transfer)
ld de,$dc00 ; Location to store payload
ld bc,$0110 ; Bytes to send (sends way more than necessary to account for $fd bytes)
call $216f ; Exchange data
ld hl,$dc00
ld b,$fd
.loop: ; Check for FD bytes
ldi a,[hl] ; Grab byte at hl
cp b ; Is it $fd?
jr z,.loop ; If it is, keep looking
dec hl ; Undo the ldi
ld a,$0d ; a = $0D
ldh [rIE],a ; Enable vblank,timer,and serial ints
jp hl ; Jump to payload sent by master

At this point, the victim Gameboy is executing code from the master's name. The code we have written there causes the victim Gameboy to wait for synchronization with the master, and display the "Waiting!" text on the screen. The master Gameboy is executing code in a section of RAM that is normally used for event flags. It nop slides to $D743, where we have written a jump instruction to $DA80, our "PC pokemon" (there we have written another payload). The aforementioned payload causes master to synchronize with the slave Gameboy.

Once both gameboys are synchronized (using a subroutine at $226E, or $227F if we do not want to display the "Waiting!" text), we call a subroutine to delay for a few frames, and then we begin the transfer.

The master Gameboy first transmits the payload we want the victim to execute. The victim then (after jumping to a payload written at the end of master's party) executes the aforementioned payload, which causes the victim to write 03:A000 - 03:AFFF to the tilemap buffer. Then, both Gameboys synchronize once more, and the victim Gameboy sends over that portion of the save file (receives garbage in return). The master then copies what it receives into its own save file, in its respective location. It does this for each 256-byte portion of that SRAM bank before switching banks. Once all 4 banks have been copied (0 - 3), the game locks SRAM and then restarts.

Code executed by master at $DA80:
Code:
transmitpayload:
call $226e ; Synchronize with the victim (shows "Waiting!")
call $3dd7 ; Delay a few frames
ld a,8
ldh [$ff],a ; rIE = serial interrupt only
ld hl,$d53a ; Source of the payload the victim will execute
ld de,$c3a0 ; Receive buffer (tilemap)
ld bc,$110 ; Number of bytes to exchange
call $216f ; Exchange data
ld a,$0d
ldh [$ff],a ; rIE = vblank, timer and serial
Start:
ld b,4 ; 4 SRAM banks left to copy
push bc
ld a,$0a
ld h,a
swap a ; a = $A0, high byte of the first SRAM page
push af
ld [hl],h ; Write $0A to $0Axx: enable SRAM
ld h,$40
dec b ; b = 3
ld [hl],b ; Write 3 to $40xx: select SRAM bank 3
ld h,$60
ld l,$01
ld [hl],l ; Write 1 to $6001: RAM banking mode
transmit:
call $227f ; Synchronize (no text)
call $3dd7 ; Delay
ld a,8
ldh [$ff],a ; Serial interrupt only
ld hl,$0316 ; Garbage to send in exchange for the page
ld bc,$10b
ld de,$c3a0 ; Receive into the tilemap buffer
call $216f ; Exchange data
ld a,$0d
ldh [$ff],a ; vblank, timer and serial again
findhl:
ld hl,$c3a0
ld b,$fd
.loop: ; Skip the leading $FD bytes
ldi a,[hl]
cp b
jr z,.loop
dec hl ; Undo the ldi; hl now points at the page data
Init:
pop af ; a = high byte of the destination page
ld d,a
push af
ld e,0 ; de = $xx00
ld bc,$100 ; 256 bytes per page
memcpy:
ldi a,[hl]
ld [de],a
inc de
dec bc
ld a,b
or c
jr nz,memcpy
determine:
pop af
inc a ; Next 256-byte page
ld b,$c0
cp b ; Reached $C0, i.e. past the end of the bank?
jr z,bankswap
push af
jr transmit
bankswap:
pop bc ; b = banks left
dec b
push bc
jr z,end ; All four banks done
ld h,$40
dec b
ld [hl],b ; Select the next lower bank
ld a,$a0 ; Start again at $A000
push af
jr transmit
end:
ld h,$00
ld [hl],h ; Write 0 to $00xx: disable (lock) SRAM
jp $100 ; Restart

Code executed by victim (near $dc00)
Code:
Start:
ld b,4 ; 4 SRAM banks to send
push bc
ld a,$0a
ld h,a
swap a ; a = $A0, high byte of the first SRAM page
push af
ld [hl],h ; Write $0A to $0Axx: enable SRAM
ld h,$40
dec b
ld [hl],b ; Select SRAM bank 3
ld h,$60
ld l,$01
ld [hl],l ; RAM banking mode

Init:
pop af
ld h,a
ld l,$ff ; hl = last byte of the current 256-byte page
ld de,$c507 ; Last byte of the tilemap buffer
ld bc,$100
push af
backwardsmemcpy: ; Copy the page into the end of the tilemap, last byte first
ldd a,[hl]
ld [de],a
dec de
dec bc
ld a,b
or c
jr nz,backwardsmemcpy
ld a,$fd
ld [de],a ; Place a $FD marker directly in front of the page data
transmit:
push de ; Remember where the marker is
call $227f ; Synchronize
call $3dd7 ; Delay
pop hl ; Send from the marker onwards
ld a,8
ldh [$ff],a ; Serial interrupt only
ld de,$c200 ; Garbage received from the master goes here
ld bc,$10b
call $216f ; Exchange data
ld a,$0d
ldh [$ff],a ; vblank, timer and serial again
determine:
pop af
inc a ; Next 256-byte page

Sorry if I over/under explained. Enjoy!
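A Python model of the master/victim exchange described in this post (added here, not part of the post): it follows the bank order, page loop, $FD marker and $FD-skipping of the two listings against constructed SRAM contents, and also shows what the skip loop does to a page whose own first byte happens to be $FD. The $100-byte page, $10B-byte exchange and the $A0..$BF page range come from the code; the SRAM contents and the zero padding after each page are constructed.

```python
# Stand-ins for the Game Boy (constructed): SRAM is 4 banks of $2000 bytes, a page is the
# 256 bytes at $xx00-$xxFF for xx in $A0..$BF, and the link cable is a function call.
PREAMBLE = 0xFD            # marker the victim writes in front of each page
PAGE = 0x100               # bytes copied per exchange (ld bc,$100)
EXCHANGE_LEN = 0x10B       # bytes exchanged per page (ld bc,$10b)
PAGES = range(0xA0, 0xC0)  # the master stops when its page counter reaches $C0
def victim_frame(sram, bank, page_hi, extra_preamble=0):
    """Victim side: the $FD marker, the 256-byte page, then whatever follows the tilemap
    (zeros here). extra_preamble models additional $FD bytes arriving ahead of the data,
    which is the case the master's skip loop exists for."""
    start = (page_hi - 0xA0) * PAGE
    frame = bytes([PREAMBLE]) * (1 + extra_preamble) + sram[bank][start:start + PAGE]
    return (frame + bytes(EXCHANGE_LEN))[:EXCHANGE_LEN]
def master_receive(frame):
    """Master side: skip every leading $FD (findhl), then copy 256 bytes (memcpy)."""
    i = 0
    while frame[i] == PREAMBLE:
        i += 1
    return frame[i:i + PAGE]

def duplicate_save(sram, extra_preamble=0):
    """Whole transfer: banks 3 down to 0, pages $A0..$BF inside each bank."""
    copy = [bytearray(0x2000) for _ in range(4)]
    for bank in (3, 2, 1, 0):
        for page_hi in PAGES:
            start = (page_hi - 0xA0) * PAGE
            frame = victim_frame(sram, bank, page_hi, extra_preamble)
            copy[bank][start:start + PAGE] = master_receive(frame)
    return copy

def mismatched_pages(sram, copy):
    """(bank, page_hi) for every page whose duplicate differs from the source."""
    bad = []
    for bank in range(4):
        for page_hi in PAGES:
            start = (page_hi - 0xA0) * PAGE
            if copy[bank][start:start + PAGE] != sram[bank][start:start + PAGE]:
                bad.append((bank, page_hi))
    return bad

def make_sram(fd_page=None):
    """Constructed save data: an even-valued byte pattern (so it never contains $FD);
    fd_page=(bank, page_hi) optionally makes that one page begin with $FD."""
    sram = [bytearray((bank * 37 + i * 7) & 0xFE for i in range(0x2000)) for bank in range(4)]
    if fd_page is not None:
        bank, page_hi = fd_page
        sram[bank][(page_hi - 0xA0) * PAGE] = PREAMBLE
    return sram
```

With a page that starts with $FD, the master's skip loop also consumes that data byte, so the copied page is shifted by one; every other page copies intact, with or without extra preamble bytes.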
6
is cloning not considered cheating by most?

That's entirely relative, and it would depend on who you ask. Personally, I do not consider the use of glitches to be cheating, but you may come across someone who disagrees

can you clone Events?

Any Pokemon can be cloned.
7
General Discussion / Re: The Member's Guide to Topiclessness
« on: January 06, 2018, 06:50:26 pm »
I only joined last summer.
8
(hmm except for RNG manipulation)

While useful, RNG manip isn't exclusive to gen V. In fact, I find it to be far easier on Gen III
I remember that luckytyphlosion was talking about how both Generation II and V support infrared. In theory an exploit from that could follow through similar to the GTS spoofing exploits that once worked without Action Replay prior to the shutdown of the GTS

Interesting that you mention that, as a small group of people (Wack0, ISSOtm, and luckytyphlosion) have been discussing a potential emulator-escape exploit on VC for Gameboy Color ROMs. Maybe their findings there can allow for this?
9
I hate to tell you this, but it is unlikely such a glitch will be found in the near future, if at all. Research in Gen V is rather lax, considering we don't have a great/decent understanding of the game's code. In fact, I have yet to see a major or otherwise notable glitch from the generation.

I suppose all one can do is wait. I cannot research this myself due to a lack of resources to do so; also, I'm busy with something else at the moment.
10
Again, I am very new to this, but where it says "requests save file" and "sends save file", are we talking about copying the whole thing?

Good question, you're right in the fact that the program only transfers a small portion of the save file, specifically $01:A500-$01:B700. Since there isn't too much free space in WRAM, the virus sends this portion in smaller portions at a time, as opposed to sending the whole save file.

If you would like to view Mr.Cheeze's source code, it's here :)
11
Hi!

As of now, methods of obtaining these Pokemon in generation 5 without the means of hacking has yet to be found.

By the way Happy New Year to all the Glitch City Labs Community

Happy New Year!
12
Anytime! Glad I could be of service :)
13
General Discussion / Abwayaxmas 01/03/2018
« on: January 02, 2018, 10:31:45 pm »
Though it may be rather early (Current time being 11:31 PM in my timezone), happy birthday, Abwayax!
14
Generation VI Glitch Discussion / Re: Invalid pokemon "True stats"?
« on: January 02, 2018, 05:22:11 pm »
Fixed it. He also says he transferred gen 7 mons to gen 6 with PKSM, but that's wrong as the pokedex numbers are in the 900s

Knowing this, and having watched the video myself, I must question its legitimacy.
15
Is it possible to use a different code to achieve the same desired effect?

Funny you mention that, as I was planning on shortening the code to make it easier to use

ws m
Any xany
Lemonade x170 (hex:AA)
Thunderstone x134 (hex:86)
TM09 x50 (hex:32)
Ice Heal x62 (hex:3E)
TM50 x119 (hex:77)
TM01 x[Any qty]

This code does the exact same thing as the original code, but this time I was able to take advantage of the fact that $FA isn't a glitch item, so I could shorten the code to make it easier on the end-user.

In case you are curious, here's what the code translates to:
Code:
ld a,$aa ; Register a is now $AA
ld hl,$d186 ; Register h is now $D1, Register l is now $86
ldd (hl),a ; Loads "a" into the location at "hl" ($D186 controls the Speed and Special DV), decreases "hl" by one
dec c ; Padding to prevent duplicate Items, it's bad practice
ld a,$fa ; "a" is now $FA
ld (hl),a ; Loads "a" into "hl" ($D185 controls the Attack and Defense DV)
ret ; Return control to game

I tested this code repeatedly and had no issues with the save file, but I didn't have any issues with the prior code either.