Topics - Evie ✿

1
Generation II Glitch Discussion / Nickname outsider Pokémon and Eggs
« on: November 02, 2017, 03:26:07 pm »
Wrong pocket HM01 (hex:F3) in many versions of Pokémon Gold allows you to nickname a party Pokémon.

Sadly this freezes the game on English, Spanish and Italian versions but works on French, German (although I'm unsure if my ROM is a bad dump, "Gold" with both uppercase "G" and lowercase other characters is a default name) and Korean Gold. In Japanese Gold the wrong pocket HM01 appears to have a different effect and seemingly 'nothing happens'.

I noticed I was able to use this to nickname an Egg. When the Egg was in the last slot of the party, I was able to nickname it. If I didn't view the summary of the Egg, its species (Togepi) would be revealed on the nickname screen, while if I viewed its summary beforehand it would be named Oeuf (Egg).





I wonder how this would work in an expanded party? Would you be able to change the nickname of Pokémon beyond slot 6, hence modifying an unrelated memory address? Also this seems to work for nicknaming outsider Pokémon which is really useful alone.
2
Today all of the articles in the GlitchDex for Generations I and II have been updated and completely re-structured to have proper MediaWiki formatting.

In addition, we have included various obscure technical details about these glitch Pokémon for you to enjoy. :)

This does not mean the English GlitchDex is entirely complete, as we still have to create a database for glitch palette attribute bytes and input the data, and there are bound to be errors and omissions elsewhere.

I will begin work from now on finishing the AttackDex and ItemDex, starting with the ItemDex. As always any help no matter how small is certainly welcome.
3
I created these for the Quagsire holding a TM02 with Return as first move setup for arbitrary code execution in English Gold/Silver. :) Let me know if you have any difficulties with them and I'll try to help.

Change Pokémon 1 codes:

Pokérus:

Ap0'd'vK55
é'm2p0955
éA455555
55555555
5555555p
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Shiny:

Ap0'd'vR55
é'm2pp045
éA4p0'd'vQ
é?2p0k55
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Max DVs:

Ap0'd'vR55
é'm2p0955
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dark max Hidden Power:
Atk Def 15 15

Ap0'd'vR55
é'm2pp095
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dragon max Hidden Power:
Atk Def 15 14

Ap0'd'vR55
é'm2pp085
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ice max Hidden Power:
Atk Def 15 13

Ap0'd'vR55
é'm2pp075
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Psychic max Hidden Power:
Atk Def 15 12

Ap0'd'vR55
é'm2pp065
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Electric max Hidden Power:
Atk Def 14 15

Ap0'd'vR55
é'm2pp0(male)5
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Grass max Hidden Power:
Atk Def 14 14

Ap0'd'vR55
é'm2p0é'v6
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Water max Hidden Power:
Atk Def 14 13

Ap0'd'vR55
é'm2p0é'v7
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fire max Hidden Power:
Atk Def 14 12

Ap0'd'vR55
é'm2p0é'v8
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Steel max Hidden Power:
Atk Def 13 15

Ap0'd'vR55
é'm2p0'v'v1
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Ghost max Hidden Power:
Atk Def 13 14

Ap0'd'vR55
é'm2p0'v'v2
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Bug max Hidden Power:
Atk Def 13 13

Ap0'd'vR55
é'm2p0'v'v3
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Rock max Hidden Power:
Atk Def 13 12

Ap0'd'vR55
é'm2p0'v'v4
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ground max Hidden Power:
Atk Def 12 15

Ap0'd'vR55
é'm2p0z'vé
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Poison max Hidden Power:
Atk Def 12 14

Ap0'd'vR55
é'm2p0u'v?
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Flying max Hidden Power:
Atk Def 12 13

Ap0'd'vR55
é'm2p0u'v!
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fighting max Hidden Power:
Atk Def 12 12

Ap0'd'vR55
é'm2p0u'v.
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Change Pokémon 5 codes:

First use:

[REQUIRED code by FMK] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Next you can use:

Max out stat experience, give experience for Level 100 after battle:

The old code had an error.

I made a new code that will modify Pokémon 5's experience.


Box 1: Ap0x'v955  (multiply small x from the uppercase field only)
Box 2: e'm2p0955
Box 3: éA455555
Box 4-Box 12 (or possibly just box up to all of box 6 in your case): 55555555

Spamviech has also offered an alternative solution.

Just tried this code (well, a variant for usage with wrong pocket TM execution) and the experience is not granted.
Reason is probably that the . character is not 0xf2, but instead 0xe8 (different dot character, only looks the same). Therefore, instead of maximizing Exp gained we are corrupting the SpDef stat of Pokémon 4 (harmless; can be fixed by depositing and re-withdrawing).

Adjusted version that should work; TM variant:
Box 1: Ap0(mult)'v955
Box 2: é3209é14
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84é0455
Box 7: é♀4éé4x'd
Coin Case Variant (untested):
Box 1: Ap0(mult)'v955
Box 2: é3209é14
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é74'l'l
Box 6: é84é04'l'l
Box 7: é♀4éé455
Box 8: péZ(mult)x'd

All TMs/HMs:

Requires above one-off code:

Box 1: Ap'vCé025
Box 2: 'vj'vué♀25
Box 3: 'v.é32p'v9r
Box 4: é22pé425
Box 5: 'vué62'v 5 (there is a space after the 'v and before the 5)
Box 6: é52'v:é72
Box 7: 55♀55555
Box 8-12: 55555555
Box 13, 14: Same as before, don't change them.
4
Pokémon Gold and Silver come out for 3DS Virtual Console on September 22, and as of now are already available to download in Japan, Australia and New Zealand.

Discuss glitches here.

Does the Coin Case glitch work? I'm waiting until the game comes out in Europe and will try it if the answer hasn't been found before.

5
It looks like an interesting new arbitrary code execution has been discovered, which with luck manipulation might be the fastest (and A-pressless) method so far. I don't know who discovered it though.

This method involves death-warping at the final Bug-Catcher in Viridian Forest. If you then return to the forest without pressing Start, it will trigger a battle with the Bug-Catcher again and activate meta-map script 06 (D618=06). Defeating him will trigger yet another battle, but if you win this one you're free to walk around with glitch script initiation active.


Then for some reason, if you proceed to mash A in front of and defeat this Bug-Catcher, the game will execute F8FF in Echo RAM, which falls through to F9AC (D9AC); a copy of your player's name. Then if your player's name is mMna.♀tF (ac e2 a0 f2 f5 b3 85 50), with some specific other requirements it is yet another way of entering the Hall of Fame.

I only just found out about this method today, but there is more information about this glitch in this document:
https://docs.google.com/document/d/1l10apKvZgTeOSEKeuhgHVGC73z9-f2FTkuUKHZaPVEA/edit

If we can modify this glitch for non-speedrunning purposes perhaps it could be useful for those wanting to do other things or obtain the expanded items pack without MissingNo.

Video by entrpntr:
https://www.youtube.com/watch?v=rhvyKspOsoo
6
I found out today that it's possible to manipulate the Day Care Pokémon from ????? party overloading. Specifically withdrawing a 24th Pokémon will modify the species of the stored Pokémon by the Day Care Lady (DC90 in Gold/Silver) based on the ninth character of the nickname of the Pokémon you withdraw. According to the Pokémon Crystal disassembly's WRAM map, the roamer data isn't far away from here.

Crystal:

wRoamMon1:: roam_struct wRoamMon1 ; dfcf
wRoamMon2:: roam_struct wRoamMon2 ; dfd6
wRoamMon3:: roam_struct wRoamMon3 ; dfdd


Is it therefore possible to create a custom roamer Pokémon? Perhaps it could even be a glitch Pokémon, which would be (one of, perhaps a battle could be triggered without cheating by an out of bounds Glitch City too) the only way(s) of encountering a glitch Pokémon in the wild without arbitrary code execution.

What is the roaming Pokémon structure like?

Wonder if anyone has any input on this. Thanks in advance!

Edit: It seems to have a structure like this.

(Species one byte) (Level one byte) (Location; two bytes) (Unknown three bytes)

Edit 2: Gold/Silver roamer addresses seem to start at DD1A.
7
A while ago now I picked up this interesting Japanese game called Monster Race (もんすたあ★レース) in which you collect and race with monsters.

It turns out saving twice in that game (or even once) on both BGB(!) and VBA may cause a 'glitch' that creates a Glitch City and allows you to skip parts of the game, but I haven't been able to get that to work on a real Game Boy Advance SP or a physical Super Game Boy.



Ryuto138 has a TAS video that exploits the error to complete the game quickly.

https://www.youtube.com/watch?v=xJ9RqF8KGV4
8
In Gold/Silver I have a party of 29 Pokémon I got from ????? party overloading. When I entered a battle I noticed something rather interesting:

Memory addresses near D0ED (the opposing Pokémon) including D0ED were replaced with values 0x31-0x33!



These are the same values in wild appeared corruption from Generation I, which TheZZAZZGlitch explains here.

Note though that in Generation I you could trigger it with 0 Pokémon. You can't do that in Generation II due to an error handler that makes sure the battle doesn't start. Furthermore in Generation I you needed 239 or more Pokémon (or 0 Pokémon) to corrupt the enemy Pokémon. Here in Generation II it seems like you can corrupt this with a lot fewer Pokémon.

Upon throwing a Master Ball the enemy Pokémon turned out to be a Dugtrio. At one point it appeared as a Dugtrio with Venomoth's sprite strangely, which I suspect may be because I think the battle addresses have two species bytes as well (and 0x31 Venomoth is one of the possible bytes).



I wonder what else you can corrupt with this and also if the FF terminator at the top only thing (international dokokashira door glitch) is in Generation II.
9
This is a way to beat Pokémon Yellow in 0x A-presses using an external device, and a theory on how to beat Pokémon Yellow with no A-presses without any external device.

1. Use cart-swap arbitrary code execution and OAM DMA hijacking to change C57E to 87. After "Game Freak" appears, the game should jump right into a file as if Continue or New Game was chosen.
2. Have other addresses manipulated at the same time to trigger the Hall of Fame script.

;as such:

D164: FF ('good' party to avoid many glitch Pokémon entries)
D36D: 1D D3 (map script is in inventory)

@D31D:
0E 16 26 64 2E 56 41 CD 84 3E C9

3. Mash B.
4. Congratulations, you just won Pokémon Yellow with no A-presses!

Maybe as well you could run the credits without having to press anything if we just use a different address to run at D31D.

Technically you need to press buttons on another game to set this up of course, but that's probably as far as we'll go without ROM hacking/physical hijacking of the game.

You can also use a GameShark and enter the following codes:

01FF64D1
01C927D3
013E26D3
018425D3
01CD24D3
014123D3
015622D3
012E21D3
016420D3
01261FD3
01161ED3
010E1DD3
01D36ED3
011D6DD3
01877EC5

Hope TheZZAZZGlitch likes this if he sees it. :)
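
The GameShark codes in the post above can be cross-checked against the memory values the post lists by hand. This is an added example, not part of the original post: it assumes the usual 8-digit Game Boy GameShark layout (type, value, address low byte, address high byte), uses a hand-written table of only the six opcodes found in the D31D payload, and all function names are hypothetical.

```python
# Added example: decode the post's Game Boy GameShark codes and check them
# against the byte values the post lists by hand. Names are hypothetical.

GAMESHARK_CODES = """
01FF64D1 01C927D3 013E26D3 018425D3 01CD24D3
014123D3 015622D3 012E21D3 016420D3 01261FD3
01161ED3 010E1DD3 01D36ED3 011D6DD3 01877EC5
""".split()

# Reference values copied from the post's manual listing.
EXPECTED = {
    0xC57E: [0x87],
    0xD164: [0xFF],
    0xD31D: [0x0E, 0x16, 0x26, 0x64, 0x2E, 0x56, 0x41, 0xCD, 0x84, 0x3E, 0xC9],
    0xD36D: [0x1D, 0xD3],
}

# Only the six SM83 opcodes in the D31D payload: (mnemonic, operand bytes).
OPCODES = {
    0x0E: ("LD C,${:02X}", 1), 0x26: ("LD H,${:02X}", 1),
    0x2E: ("LD L,${:02X}", 1), 0x41: ("LD B,C", 0),
    0xCD: ("CALL ${:04X}", 2), 0xC9: ("RET", 0),
}

def decode(code):
    """Split one code (assumed layout TTVVLLHH) into (type, address, value)."""
    if len(code) != 8:
        raise ValueError(f"expected 8 hex digits: {code!r}")
    code_type, value, lo, hi = bytes.fromhex(code)
    return code_type, (hi << 8) | lo, value

def build_writes(codes):
    """Return {address: value}; reject two codes that disagree on an address."""
    writes = {}
    for code in codes:
        _, addr, value = decode(code)
        if writes.get(addr, value) != value:
            raise ValueError(f"conflicting writes to {addr:04X}")
        writes[addr] = value
    return writes

def group_runs(writes):
    """Merge single-byte writes into (start_address, [bytes]) contiguous runs."""
    runs = []
    for addr in sorted(writes):
        if runs and addr == runs[-1][0] + len(runs[-1][1]):
            runs[-1][1].append(writes[addr])
        else:
            runs.append((addr, [writes[addr]]))
    return runs

def script_pointer(writes, at=0xD36D):
    """Read the little-endian 16-bit pointer the codes store at D36D/D36E."""
    return writes[at] | (writes[at + 1] << 8)

def disassemble(base, data):
    """Decode a byte run with the table above; fail on anything unknown."""
    out, i = [], 0
    while i < len(data):
        if data[i] not in OPCODES:
            raise ValueError(f"opcode {data[i]:02X} not in table")
        fmt, n = OPCODES[data[i]]
        if i + 1 + n > len(data):
            raise ValueError("truncated operand")
        operand = int.from_bytes(bytes(data[i + 1:i + 1 + n]), "little")
        out.append((base + i, fmt.format(operand)))
        i += 1 + n
    return out

if __name__ == "__main__":
    writes = build_writes(GAMESHARK_CODES)
    runs = dict(group_runs(writes))
    for addr, data in runs.items():
        print(f"{addr:04X}: {' '.join(f'{b:02X}' for b in data)}")
    target = script_pointer(writes)
    for addr, text in disassemble(target, runs[target]):
        print(f"  {addr:04X}  {text}")
```

The grouped runs reproduce the four manual entries in the post, and the pointer stored at D36D resolves to the start of the 11-byte run at D31D.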
10
I spoke with Abwayax yesterday about our dex extension, and due to persisting errors we decided to disable it. This has for a second time broken all of the dex pages that aren't already converted. However fortunately the data is still there other than base stats, which are relatively easy to find if you have the ROM and a hex editor (see this article by Stag019) and are also mainly documented on Bulbapedia.

Due to computer addiction however I've allocated a maximum of 5 hours each on Mondays and Thursdays to fill out Generation I glitch Pokémon data in the format below (the rest of the days are for my other projects (YouTube and Starfy 1 translation project) also with a five hour cap):

http://glitchcity.info/wiki/User:Torchickens/Sample_RBY_glitch_Pok%C3%A9mon

Even with this however, finishing the GlitchDex will likely still take a few weeks.

For this reason I'm asking whether anybody would like to team up and split the work please? :)

Here is an article that is already finished for further reference:

http://glitchcity.info/wiki/GlitchDex/Y:000

If you'd also want to work on the AttackDex or ItemDex and the newer TypeDex, UnownDex (e.g. wikifying and tidying individual move, item articles, adding more articles, finishing a front page with excel to wiki), I'd also be very grateful, I've wanted to get these finished as a priority before adding new glitch pages. Thanks in advance!
11
I've been looking online for glitch discussions in the Japanese Pokémon glitch community to see if there have been any new discoveries, and I found this:

http://nakayoshibaddi.hatenadiary.jp/entry/2017/08/02

According to the article, using the Bug-Catching Contest data copy glitch, we should be able to obtain a ????? by exploiting the glitch when you have never had any Pokémon in slot 6.

This is significant because obtaining a bad clone without Pokémon Stadium 2 can be very difficult, and soon Pocket Monsters Kin/Gin (the Japanese Gold/Silver) will be released on 3DS eShop in Japan, making this method an ideal way of potentially obtaining Celebi without the duplicate key items glitch (which outside of this or bad clone glitch would require a trade with Generation I).

I've been thinking the method to do this then could potentially be relatively easy, similar to the recently discovered way to get Celebi on English Gold/Silver with mainly just box names that eliminates the need of a complicated box item setup (hopefully this will work the same on the upcoming VC releases and I plan on testing it).

I would love to help the Japanese community get Celebi on the 3DS eShop version and if I get a legitimate Korean Gold/Silver cartridge or buy a Korean 3DS and purchase one of those, I may look into the easiest way to do it there as well.

This way of obtaining ????? in Japanese Gold/Silver isn't a new find, as Chain Sword documented in December 2014 how to get a ????? 00 using the Bug-Catching Contest data copy glitch in a video. It's very likely as well that Japanese players knew about this before then.

See https://www.youtube.com/watch?v=gblgYk6WEmI

We already know with a ????? 00 or FF that this is a gateway to ????? party overloading, which we can use for the party-based variation of the Celebi glitch.

We can't obtain a Sneasel with Beat Up early in the game (at least without shifting the experience, etc.), but we could trade one on to the game that obtained the ?????. In theory as well, we can probably adjust the glitch to work with total experience's least significant byte (6 more bytes from move 3), so that a total experience of 251 could be shifted into the second species byte; the one that is used for the Pokémon you get when you take it into the Day Care and out again.

Since an Egg can't normally have 251 experience, either some more work would have to be done for the total experience method to hatch a Celebi that registers in the Pokédex, or we would be left with a Celebi that isn't registered in the Pokédex.

Going deeper, if we can get ????? 00 this way we may also be able to set up the duplicate key items glitch and perform arbitrary code execution with wrong pocket TM/HMs or glitch Pokédex categories (by messing around with items in the expanded balls pocket; where stored items can be found, including TMs) to do whatever we want with box names, such as getting a Shiny Celebi that registers in the Pokédex. It would require some precise counting like in Japanese Crystal but is worth it.

Setting that up may be easier if it is possible for ????? 00 or FF to corrupt the inventory with ????? map corruption (Paco81 calls this Missingning) in Japanese Gold/Silver as well.
12
Project "Gotta Document 'Em All" / Used glitch types
« on: July 06, 2017, 10:12:21 am »
I would like to make a TypeDex, so I decided to make a dump of all the types that are "used" on glitch Pokémon and glitch moves. It is very messy but hopefully the information should be available within a neater TypeDex listing soon.

"\" indicates that the glitch move has a real, non-glitch type.


Yellow blank (0x50)-type glitch Pokémon
Yellow blank (0x73)-type glitch Pokémon
Yellow blank (0x7D)-type glitch Pokémon
Yellow glitch (0x24)-type glitch Pokémon
Yellow glitch (0x25)-type glitch Pokémon
Yellow glitch (0x39)-type glitch Pokémon
Yellow glitch (0xA5)-type glitch Pokémon
Yellow glitch (0xCF)-type glitch Pokémon
Yellow ₽9? ゥ (0x59)-type glitch Pokémon



Red/Blue Poké BB (0xA9)-type glitch Pokémon
Red/Blue PokéManiac (0x61)-type glitch Pokémon
Red/Blue blank (0x50)-type glitch Pokémon
Red/Blue blank (0xE8)-type glitch Pokémon
Red/Blue blank (0x70)-type glitch Pokémon
Red/Blue blank (0x7B)-type glitch Pokémon
Red/Blue glitch (0x1C)-type glitch Pokémon
Red/Blue glitch (0x21)-type glitch Pokémon
Red/Blue glitch (0x27)-type glitch Pokémon
Red/Blue glitch (0x2B)-type glitch Pokémon
Red/Blue glitch (0x37)-type glitch Pokémon
Red/Blue glitch (0x3B)-type glitch Pokémon
Red/Blue glitch (0x9D)-type glitch Pokémon
Red/Blue glitch (0xA5)-type glitch Pokémon
Red/Blue glitch (0xC8)-type glitch Pokémon



Bird (0x06)-type glitch Pokémon
Flying (0x82)-type glitch Pokémon
Ghost (0x88)-type glitch Pokémon
Ground (0x84)-type glitch Pokémon
Normal (0x0B)-type glitch Pokémon
Normal (0x0E)-type glitch Pokémon
Normal (0x11)-type glitch Pokémon
Normal (0x12)-type glitch Pokémon
Normal (0x13)-type glitch Pokémon
Normal (0x80)-type glitch Pokémon
Normal (0x8D)-type glitch Pokémon
Normal (0x8E)-type glitch Pokémon
Normal (0x91)-type glitch Pokémon
Normal (0x92)-type glitch Pokémon
Normal (0x93)-type glitch Pokémon



On Moves Red/Blue (track CFD5):


00: 0x7A (CoolTrainerF)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0x2B (random)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x97 (Electric-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0x0C (Normal-fake)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (h RED)
\BE: 0x02 (Flying)
BF: 0x95 (Water-fake)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (RED? POKé BB PIDGEY dé)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0xB1 (random)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x51 (,KPkMnRED)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x3A (Qi JT RED? POKé BBPIDGEY dé)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (i JT RED? POKé BBPIDGEY dé)
\DA: 0x02 (Flying)
DB: 0x0E (Normal-fake)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
E3: 0x19 (Ice)
E4: 0x77 (blank)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
E8: 0x03 (Poison)
E9: 0x80 (Normal-fake)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 (Normal)
F1: 0x32 (random)
F2: 0x0A (Normal-fake)
\F3: 0x00 (Normal-fake)
F4: 0xC0 (random)
F5: 0x53 (8 8 9)
\F6: 0x02 (Flying)
F7: 0x79 (CoolTrainerM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

On Moves Yellow (track CFD4):

00: 0x31 (random)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0xE9 (Swimmer)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x81 (Fighting-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
\B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0xC8 (random)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (3lゥ)
\BE: 0x02 (Flying)
\BF: 0x00 (Normal)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (B)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0x8E (Normal-fake)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x0B (Normal-fake)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x41 (random)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (.s.a)
\DA: 0x02 (Flying)
DB: 0x34 (random)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
\E3: 0x19 (Ice)
\E4: 0x07 (Bug)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
\E8: 0x03 (Poison)
E9: 0x2A (random)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 (Normal)
F1: 0x32 (random)
F2: 0xC6 (random)
\F3: 0x00 (Normal)
F4: 0xC0 (random)
F5: 0x53 (V)
\F6: 0x02 (Flying)
F7: 0xD1 (TM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

Edit: So as it turns out, there are arbitrary type names :). I have a list of type pointers here and uploaded a video:

https://pastebin.com/dYE9ZFNX
https://www.youtube.com/watch?v=6V6F-mtkFTc
14
This is something a little similar to this thread for move 00's type in Crystal: http://forums.glitchcity.info/index.php?topic=7704.0

Luckytyphlosion (I think, please correct me if someone else discovered this) found a way to execute arbitrary code execution with move 00's type in Gold/Silver. This type's identifier is 0xD0 (dec:208) and after analysis its type name seems to be sourced from 0x8350 in VRAM.

0x8350 can contain menu-sprite data for Pokémon on the Pokémon menu as well as possibly NPC sprites(?), but when I had exactly four Pokémon (two tailed Pokémon, bird, tailed Pokémon) I got different results that included freezes and arbitrary code execution which didn't occur otherwise when I had six Pokémon.

https://www.youtube.com/watch?v=TdxzLn0txFM

How exactly can we use this for arbitrary code execution outside of speedrunning?

I tried making the movement patterns in the video and at one point the game executed E9F0 (Echo RAM for C9F0). Perhaps that's what the route exploits for it to eventually touch box names at D8BF onward (but that would seem very far away).

An update! When the game executed E9F0, it eventually came across the following:

jr c, EC68(@EC2D)
jp c, FA9B (@EC70)

These may have only appeared when moving around in the pattern in the speedrun route.

At FA9B (DA9B) is the Speed experience byte 1 of the third slot Pokémon. We know from the Coin Case glitch that we can have this as a low level slide Pokémon, so perhaps following it could be a Quagsire holding an item with a specific move 1 (like Quagsire holding HP Up with Sleep Talk as the first move; jp D61A or Quagsire holding TM02 with Return as the first move; jp D8C0) for us to jump to stored items or box names.

So it looks like we can possibly use this as an alternative to Coin Case glitch, but what would really be cool is if you can do it in Crystal as it's easy to just trade over a CoolTrainer Ditto from Red/Blue/Yellow. That way no 'pseudo-bad clone' would be required nor an unterminated name Pokémon from Red/Blue/Yellow.
15
For whatever reason in Japanese Crystal it seems using an X Accuracy (I later did it with another X item) and having glitch move 0xFD as the only move (may be possible by trading a glitch Pokémon from Generation I with TM53 on to Generation II) makes the game execute D800 in WRAM when you open the Fight menu.

It turns out that our items in the bag begin at D885, making this potentially manipulable. The only problem is opening the Fight menu seemed to cause a write to D809 to FF causing a rst 38 freeze, and there are other problematic areas of WRAM before D885.

Does anybody know if this freeze can be averted?