
Messages - Torchickens

What happens when you try to execute a code? Nothing or does the game crash?

Anything else I can advise is to double check your box to see if the Pokémon are all in the correct order. And to make sure the first Slowpoke has 233 hp left, its max hp does not matter.

Also, I just compared the euro Bootstrap code with the English one and I think Scyther may be incorrect there. Replacing Scyther with Kadabra could fix it. Cuz Scyther is dec 26 on the big list, but we need hex 26 <--- Thus Kadabra.

- 8F
- Item to morph x(any)
- X accuracy x36
- Carbos x211
- Max Revive x(decimal index nr of the item that you want) <---------- I don't understand what you mean by this... how many should I have?
- TM01 x(any)

First, look at the big hex list here:
See the R/B/Y Item column? Say you want to change item 2 into Rare Candy, look in that column for Rare Candy. Now look in the "Decimal" column on the same row as Rare Candy. As you see it's 40, so you need 40 Max Revive to turn item 2 into Rare Candy.
Thanks for the last explanation, I understand it all.
Anyway, about the real big problem: I tried right now to change Kadabra with Scyther and I tried
-ws m
-item you want 256 of x1
-pokeball x43
-revive x201
and it doesn't work...

ws# #m#
Item you want to change x any
Burn heal x 43
Ice heal x 43
Revive x 201

ws# #m#
Item you want to increase x 1
Burn or ice heal x 43
Revive x 201

Well, either the box party for the Italian version is wrong or the setting items are wrong.
About the question of whether my game crashes or nothing happens when I try to execute a code, the answer is NOTHING HAPPENS.
Thanks for future help.

Darn, yes. Like Skeef said we need to replace Scyther with Kadabra. This will make the execution start at item 3. It looks like Wack0 confused decimal:26 (Scyther) with hexadecimal:26 (Kadabra). Sorry for the inconvenience.

You shouldn't have to change the codes in your previous post as they don't specify an absolute memory address.
Hi! Unfortunately ISSOtm made a mistake and his bootstrap code in the forums list above will not work for non-English European versions.

However, the following bootstrap code to item 3 by Wack0 for non-English European versions should work:

And here's payload code for FR/ES/DE/IT Yellow. Thanks again to TheZZAZZGlitch, again I only need to change one byte!

1.  20 Pokémon in your PC box                                         [0xDA84 = 0x14]
2.  Slowpoke as the 1st Pokémon in the current PC box                 [0xDA85 = 0x25]
3.  Slowpoke as the 2nd Pokémon in the current PC box                 [0xDA86 = 0x25]
4.  Slowpoke as the 3rd Pokémon in the current PC box                 [0xDA87 = 0x25]
5.  Slowpoke as the 4th Pokémon in the current PC box                 [0xDA88 = 0x25]
6.  Slowpoke as the 5th Pokémon in the current PC box                 [0xDA89 = 0x25]
7.  Slowpoke as the 6th Pokémon in the current PC box                 [0xDA8A = 0x25]
8.  Voltorb as the 7th Pokémon in the current PC box                  [0xDA8B = 0x06]
9.  Scyther as the 8th Pokémon in the current PC box                  [0xDA8C = 0x26]
10. Jolteon as the 9th Pokémon in the current PC box                  [0xDA8D = 0x68]
11. Geodude as the 10th Pokémon in the current PC box                 [0xDA8E = 0xA9]
12. Geodude as the 11th Pokémon in the current PC box                 [0xDA8F = 0xA9]
13. Geodude as the 12th Pokémon in the current PC box                 [0xDA90 = 0xA9]
14. Geodude as the 13th Pokémon in the current PC box                 [0xDA91 = 0xA9]
15. Geodude as the 14th Pokémon in the current PC box                 [0xDA92 = 0xA9]
16. Geodude as the 16th Pokémon in the current PC box                 [0xDA93 = 0xA9]
17. Geodude as the 15th Pokémon in the current PC box                 [0xDA94 = 0xA9]
18. Geodude as the 17th Pokémon in the current PC box                 [0xDA95 = 0xA9]
19. Geodude as the 18th Pokémon in the current PC box                 [0xDA96 = 0xA9]
20. Geodude as the 19th Pokémon in the current PC box                 [0xDA97 = 0xA9]
21. Voltorb as the 20th Pokémon in the current PC box                 [0xDA98 = 0x06]
 :: END OF LIST MARKER [0xFF]                                         [0xDA99 = 0xFF]
22. Slowpoke as the 1st Pokémon in the current PC box                 [0xDA9A = 0x25]
23. First PC box Pokémon needs to have 233 HP -+-                     [0xDA9B = 0x00]
                                               +-                     [0xDA9C = 0xE9]

Code:
; initial value of hl = DA84
WRA1:DA84 14               inc  d      ; offset hack: 20 Pokémon in the box
WRA1:DA85 25               dec  h      ; hl = D984
WRA1:DA86 25               dec  h      ; hl = D884
WRA1:DA87 25               dec  h      ; hl = D784
WRA1:DA88 25               dec  h      ; hl = D684
WRA1:DA89 25               dec  h      ; hl = D584
WRA1:DA8A 25               dec  h      ; hl = D484
WRA1:DA8B 06 26            ld   b,26
WRA1:DA8D 68               ld   l,b    ; hl = D426
WRA1:DA8E A9               xor  c      ; offset hack: do nothing until ip=DA93
WRA1:DA8F A9               xor  c
WRA1:DA90 A9               xor  c
WRA1:DA91 A9               xor  c
WRA1:DA92 A9               xor  c
WRA1:DA93 A9               xor  c
WRA1:DA94 A9               xor  c
WRA1:DA95 A9               xor  c
WRA1:DA96 A9               xor  c
WRA1:DA97 A9               xor  c
WRA1:DA98 06 FF            ld   b,FF   ; offset hack: making an end of list FF byte an operand so it doesn't translate to [rst 38]
WRA1:DA9A 25               dec  h      ; hl = D326
WRA1:DA9B 00               nop 
WRA1:DA9C E9               jp   hl

Tested working with FR Yellow. :)

Since the codes to change your Trainer OT and ID use addresses that are +5 in non-English European Yellow, you must make slight adjustments here, listed after "becomes". ISSOtm describes how to do this in this thread's post.

;and clarified code for non-English European versions here:

Hope that helps! :)
I decided to research this subject and made some really interesting finds.

When displaying items in a list, the game first has to decide what type of list it is, like is it an item and quantity list or are we just displaying items in sequence?

This is controlled by memory address CF94 (CF93 in Yellow) and these are the menu type IDs:

00: Your Pokémon in the current box with levels. If forced in the inventory the Pokémon will still act like the items you have.
01: Move IDs in sequence. If you had Master Ball x97 this would appear as Pound (dec:01), Agility (dec:97). If forced in the inventory they will act as the items as if entry 1 was item 1 and entry 2 was item 1's quantity but as an item and so on. Curiously entries may act as unterminated name glitch items and thus require that you use them where a 0x50 sub-tile is on the screen.
02: Items in sequence, no quantities. We can thus convert quantities into items you can use if you replace the items pack with it. Used by Poké Marts.
03: Regular items pack. Key items have their quantities hidden. Used by the inventory and item PC.
04(+?): Items in sequence, no quantities (again).

When you talk to the badge man or use a lift (Celadon Department Store, Rocket Hideout, Silph Co.) the game uses list type 04, although these may be interpreted as key items hence not have quantities even if the list type was 03.

List types do not apply to the fossil list if you talk to the scientist in Cinnabar Lab with more than one fossil, so seem to be handled differently.

CF8B (CF8A in Yellow) also controls the pointer to the entries in the list. For inventory items CF8B is 1D D3 (D31D) because that is where our items begin. For stored PC items CF8B is 3A D5 (D53A). For box entries it's 80 DA (DA80), which likewise is where stored Pokémon in the current box begin.

For Poké Marts, the badge man and lifts the pointer is 7B CF (CF7B), and the data here gets written to beforehand depending on which list you opened. Notice that the Poké Mart first item code is 01xx7CCF. This is why using the code will change the badge man's list entries and lift list entries as well.

If you use an invalid entry in a lift list it doesn't matter as only the position counts, so if you replaced entry 2 and it was 2F with a Master Ball it would still take you to the second floor.

However, it turns out invalid badge man entries can bring up glitch text boxes, and this is actually the subject of a glitch in Japanese Red/Green/Blue. In that glitch the badge items are represented in the code as such:

Code:
15 16 17 18 19 1A 1B 1C FF

グレーバッジ [0x15]
ブルーバッジ [0x16]
オレンジバッジ [0x17]
レインボーバッジ [0x18]
ピンクバッジ [0x19]
ゴールドバッジ [0x1A]
クリムゾンバッジ [0x1B]
グリーンバッジ [0x1C]

What happens when you swap one of these entries with another is similar to how the duplicate key items glitch works in Generation II. The game will 'pretend' that the list was an item+quantity list, like this:

グレーバッジ x 22
オレンジバッジ x 24
ピンクバッジ x 26
クリムゾンバッジ x 28

It's hard to picture how this will affect the actual list, but let's say we pretend the items list has quantities and we swapped グレーバッジ x 22 with オレンジバッジ x 24, we would get

オレンジバッジ x 24
グレーバッジ x 22
ピンクバッジ x 26
クリムゾンバッジ x 28

Back into a list of entries only this would be:

オレンジバッジ [0x17]
レインボーバッジ [0x18]
グレーバッジ [0x15]
ブルーバッジ [0x16]
ピンクバッジ [0x19]
ゴールドバッジ [0x1A]
クリムゾンバッジ [0x1B]
グリーンバッジ [0x1C]

And this is what actually happens in game, explaining why the グレーバッジ [0x15] and ブルーバッジ [0x16] were shifted down two slots instead of just swapping places.

But you can get glitch entries like this too:

The reason why seems to be that the game is pretending that the entries we're swapping have quantities, and then there are only a limited number of 'item+quantity' pairs until we go past the end of the buffer and corrupt unrelated data. We can bring up glitch entries this way or even corrupt the lower byte of the list pointer, which could bring a lot more glitch entries to select and allow us to access more than eight entries.

This could even theoretically result in the corruption of CFBF, so if you escaped from battle using a partial escape glitch item beforehand then maybe you could catch any(!) Pokémon and glitch Pokémon (except maybe for FF; you can't anything the game would interpret as Cancel and bad/division by 0 growth rate glitch Pokémon) without CoolTrainer/unterminated glitch item with specific screen data, and this could probably be more convenient than Fossil conversion glitch.

Maybe you could corrupt D036 (instant encounter) as well just by swapping entries around.

Something that still stands though is this; what happens when non-badge entries are selected? I'll be researching this as it could allow for arbitrary code execution if it allows for text code, and the text code is in WRAM and you can place an 08 at the beginning of the text code, marking that bytes after it are executed as assembly.

Edit: I put together a way to get Mew but it's ridiculously difficult in practise. Will upload a video soon.
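
The swap behaviour described in this post, modelled as an added example (not code from the post or from the game): the list is stored one byte per entry, but the swap is assumed to move two bytes per slot, as it would for an item+quantity list. The bytes placed after the FF terminator are constructed stand-ins for whatever follows the buffer.

```python
# Model of the badge-list swap described above. The 2-bytes-per-slot swap is an
# assumption taken from the post's explanation, not disassembled game code.
BADGES = bytes.fromhex("15 16 17 18 19 1A 1B 1C FF")   # list from the post
NEIGHBOURS = bytes.fromhex("A0 A1 A2 A3 A4 A5 A6 A7")  # constructed: data after the buffer
ENTRIES = 8                                            # real one-byte entries before FF


def swap_slots(memory, i, j):
    """Swap menu slots i and j as if every slot were an (item, quantity) pair.

    Returns the new memory image and the byte offsets touched at or beyond
    the terminator, i.e. outside the eight real entries.
    """
    mem = bytearray(memory)
    a, b = 2 * i, 2 * j
    mem[a:a + 2], mem[b:b + 2] = mem[b:b + 2], mem[a:a + 2]
    outside = sorted({k for k in (a, a + 1, b, b + 1) if k >= ENTRIES})
    return bytes(mem), outside


def visible_entries(memory):
    """Entries a one-byte-per-entry menu would list: everything before FF."""
    return list(memory[:memory.index(0xFF)])


def show(memory):
    """Hex rendering of the visible entries."""
    return " ".join(f"{x:02X}" for x in visible_entries(memory))


if __name__ == "__main__":
    start = BADGES + NEIGHBOURS
    # Slots 0 and 1: both pairs lie inside the list, so entries move two at a time.
    mem, outside = swap_slots(start, 0, 1)
    print(show(mem), outside)
    # Slots 4 and 5: the first pair is the terminator plus a neighbouring byte,
    # so FF moves further out and two foreign bytes become selectable entries.
    mem, outside = swap_slots(start, 4, 5)
    print(show(mem), outside)
```
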
The offsetting logic is this:
0000-7FFF: Offsetting is complex, but things in 0000-3FFF shouldn't be offset
8000-9FFF: No offsetting
A000-BFFF: No offsetting either
C000-D1XX (I think ?): No offsetting
D1XX-DFFF: Offset +5
FF80-FFFE: No offsetting

The offset +5 is before D1XX because D059 the instant encounter address is D05E in non-English European versions. I wonder where it begins (and the -1 for Yellow)?
For whatever reason in Japanese Crystal it seems using an X Accuracy (I later did it with another X item) and having glitch move 0xFD as the only move (may be possible by trading a glitch Pokémon from Generation I with TM53 on to Generation II) makes the game execute D800 in WRAM when you open the Fight menu.

It turns out that our items in the bag begin at D885, making this potentially manipulable. The only problem is opening the Fight menu seemed to cause a write to D809 to FF causing a rst 38 freeze, and there are other problematic areas of WRAM before D885.

Does anybody know if this freeze can be averted?
Thx for the answer, so I've got the 8F Item :)
It seems that I used the wrong one:

1. Pidgey with 233 hp
2. Parasect
3. Onix
4. Tentacool
5. Kangaskhan

I will try the other one on page 4, thx!

PS: I've used this video as a guide for the people that are interested.

Yeah, in non-English European versions you will likely need to use a different bootstrap code.

Note before you use the change player ID items code you will also need to alter it as memory addresses in non-English European versions are +5 of the original.

In the code below (the one you may have tried using to change your Trainer ID part 1) you will just need to change the X Accuracy x89 into an X Accuracy x94, and similar logic applies to the rest.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x89  ; ld a, 59
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the second code (trainer ID change part 2 below), change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM11/TM43   x1   ; D3/F3 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x12  ; ld a, 0C
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the third code (player name letter 1 change) change X Accuracy x88 to X Accuracy x93.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x88  ; ld l, 58
Lemonade    x134 ; ld a, 86
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the fourth code (player name letter 2 change) change X Accuracy x89 to X Accuracy x94.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x89  ; ld l, 59
Lemonade    x133 ; ld a, 85
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

For the fifth code (player name terminator in position 3), change X Accuracy x90 to X Accuracy x95.

Code:
8F          x1
Any Item    xAny
Antidote    x38  ; dec bc + ld h,
TM09/TM41   x1   ; D1/F1 + ld bc,
Any Item    xAny ; ????
X Accuracy  x90  ; ld l, 5A
Lemonade    x80  ; ld a, 50
Water Stone x1   ; ld (hli),a + ld bc,
Any Item    xAny ; ????
TM01        xAny ; ret

When certain memory addresses are defined in the code, such as many in the DXXX region (but not for instance CD38, which when set to 1 allows you to walk through walls) most of the time you will just need to change them to be +5 of the original (which you can do using a calculator that supports hexadecimal such as Windows Calculator or just regard digits beyond 9 as A-F as you count up by five).

Note that this logic doesn't apply to addresses that use "call" or "jp" to run a routine in the ROM, such as the gift Pokémon code. For that you will have to locate the routine in the original English version in a debugger, converting the address from a pointer to an offset if necessary (only for addresses between 4000-7FFF) then use a hex editor to look for similar byte code in the non-English European version, then convert it back into a pointer and this will be your address following call, jp.

My explanation isn't adequate though as it doesn't explain things like how to use a hex editor, how to convert a pointer to an offset or how you may have to swap the byte order ("endianness") due to an address following call or jp being formatted yyxx rather than xxyy. So if you ever need to convert a code that uses call or jp in such a way let me know and I'll walk you through it and convert it for you.

Hope this helps!  :)
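
The +5 adjustment described in this post, worked through as an added example (not code from the post): it flattens an item list into the bytes the CPU fetches, decodes the handful of opcodes these codes use, and moves the written address up by five. The item IDs are the Gen I values that match the opcode comments in the listings; the lower bound `lo` is an assumption, set to D059 because that is the lowest address the page reports as shifted.

```python
# Gen I item IDs for the items used in the listings above; when the bag is
# executed each ID is fetched as a Z80 opcode and each quantity as the next byte.
ITEM_ID = {"Antidote": 0x0B, "Water Stone": 0x22, "X Accuracy": 0x2E,
           "Lemonade": 0x3E, "TM01": 0xC9, "TM09": 0xD1, "TM11": 0xD3}
ANY = ("Any Item", 0)  # filler slot: both of its bytes are swallowed by ld bc,d16

# "Trainer ID part 1" from the post, starting at item 3 where execution begins.
TRAINER_ID_1 = [("Antidote", 38), ("TM11", 1), ANY, ("X Accuracy", 89),
                ("Lemonade", 89), ("Water Stone", 1), ANY, ("TM01", 1)]


def bag_bytes(slots):
    """Flatten (item, quantity) slots into the byte stream the CPU fetches."""
    out = bytearray()
    for name, qty in slots:
        out += bytes([ITEM_ID.get(name, 0x00), qty & 0xFF])
    return bytes(out)


def trace_writes(code):
    """Decode only the opcodes these codes use; return [(address, value)]."""
    h = l = a = pc = 0
    writes = []
    while pc < len(code):
        op = code[pc]
        if op == 0x0B:                       # dec bc
            pc += 1
        elif op in (0x26, 0x2E, 0x3E):       # ld h,d8 / ld l,d8 / ld a,d8
            value = code[pc + 1]
            if op == 0x26:
                h = value
            elif op == 0x2E:
                l = value
            else:
                a = value
            pc += 2
        elif op == 0x01:                     # ld bc,d16: skips the next slot
            pc += 3
        elif op == 0x22:                     # ld (hli),a
            writes.append(((h << 8) | l, a))
            l = (l + 1) & 0xFF
            h = (h + (l == 0)) & 0xFF
            pc += 1
        elif op == 0xC9:                     # ret
            return writes
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {pc}")
    raise ValueError("ran off the end of the bag without reaching ret")


def relocate(slots, delta=5, lo=0xD059, hi=0xDFFF):
    """Shift the written address by delta for non-English European versions.

    lo is an assumption: D059 is the lowest address the page reports as shifted.
    """
    (addr, _value), = trace_writes(bag_bytes(slots))
    if not lo <= addr <= hi:
        return list(slots)                   # e.g. CD38 stays where it is
    new = addr + delta
    if new >> 8 != addr >> 8:
        # The high byte comes from an item ID, so a carry needs a different item.
        raise ValueError(f"{addr:04X}+{delta} crosses a page; swap the TM slot")
    return [(n, new & 0xFF) if n == "X Accuracy" else (n, q) for n, q in slots]


if __name__ == "__main__":
    print([f"{a:04X}={v:02X}" for a, v in trace_writes(bag_bytes(TRAINER_ID_1))])
    fixed = relocate(TRAINER_ID_1)
    print(fixed[3], [f"{a:04X}={v:02X}" for a, v in trace_writes(bag_bytes(fixed))])
```
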
Hmm, I don't know if it is something unrelated but when I use the offgao memory editor on VC Yellow and Red A000-BFFF appears to be filled with FF, which may suggest that the SRAM is locked.

Me too though, save wipes seem to be a lot more common to me on VC (which is why I thank Wack0 for encouraging me to switch to custom firmware to restore save files).
Generation I Glitch Discussion / Re: Pokédex marker bytes
« on: June 18, 2017, 07:44:10 am »
This needs to go here, dontcha think?

Yeah. I made the basic list to add them to GlitchDex pages later. :)

I feel a lot of things need to go on the wiki though.

What do these "markers" do ?

Also I just created the article mainly by copy-pasting the post and formatting the table into a wiki table. :)

Thanks ISSOtm! I don't know either. It's possible that the marker bytes have no purpose at all other than as a tool for the developers to find which Pokémon they're dealing with.
I was trying to build an 8F script on VC Blue, and accidentally created a glitch item (think it was 0x86). Without really thinking, I clicked on it, and my game crashed into a stripey screen. But when I restarted, the save file was gone - it didn't give any error message or anything, the continue option was just removed from the menu. As far as I'm aware, this can only happen when the player name gets corrupted in SRAM with no terminator. What happened here? Is there any point where the game opens SRAM without closing it? Or did the glitch item open SRAM by itself? This has happened to me before when I used 8F without the correct setup and must have hit an rst 38, but I've also done that before without my save file deleting.
I think I have a hypothesis on what could have happened, but haven't tested this: The item in question could have had a super glitch name, which causes stuff to be copied from CD6D to CF4B. But if there were NO 0x50 bytes in this range, this would cause it to eventually start reading from where it was written to, causing the entire memory to be hosed, until it wraps around to ROM in which a 0x50 byte gets found since it can't be overwritten. This corrupts both the stack and the OAM procedure, either of which can cause unpredictable code to run, which is likely to hit an rst38, possibly after happening to open SRAM, causing it to be hosed.

This is exactly what happens. For this reason it's always a good idea to only do menu scrolling with the B button and to only select unterminated name glitch items when a 0x50 tile is on the screen.
Generation I Glitch Discussion / Pokédex marker bytes
« on: June 16, 2017, 02:26:34 pm »
At the beginning of a glitch Pokémon's base stats data structure is a Pokédex marker. This byte according to Stag019 is supposed to be the same as the Pokémon's Pokédex number, but for many glitch Pokémon it is different. 'M (00) and MissingNo. in Red/Blue are exceptions. They have a Pokédex marker byte of 0x00, which is the same as their Pokédex number.

The location of a glitch Pokémon family's base stats data can be found using the following:

0x0383DE + (PkmnNo. − 1) × 0x1C

176: 39702 : 0xF9
000: 39FC2 : 0x28
159: 39526 : 0x3C
195: 39916 : 0x62
202: 399DA : 0x81
203: 399F6 : 0x87
205: 39A2E : 0x86
207: 39A66 : 0x92
215: 39B46 : 0xFE
229: 39CCE : 0x01
230: 39CEA : 0x5A
234: 39D5A : 0x05
245: 39E8E : 0x00
250: 39F1A : 0x00
254: 39F8A : 0x14
255: 39FA6 : 0x1E

000: 39FC2 : 0x00
174: 396CA : 0xCB
175: 396E6 : 0xC3
205: 39A2E : 0x91
209: 39A9E : 0x8F
211: 39AD6 : 0xF7
213: 39B0E : 0x82
224: 39C42 : 0x05
234: 39D5A : 0x60
240: 39E02 : 0x00
245: 39E8E : 0x00
250: 39F1A : 0x19
254: 39F8A : 0x6A
255: 39FA6 : 0x37

Presumably hybrid glitch Pokémon will have the same Pokédex marker byte as their Pokédex number, due to having their base data derived (with the possible exception of front sprite/back sprite) from real Pokémon.
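
The offset formula from this post, as an added example rather than code from the post: it recomputes every offset in the two lists and, going beyond the post, converts file offsets to and from the bank:pointer form a debugger shows. The 16 KiB bank layout is standard Game Boy banking; the byte wrap for 000 is inferred from the post's own 39FC2 row.

```python
BASE_STATS = 0x0383DE   # ROM file offset used in the post's formula
ENTRY_SIZE = 0x1C       # size of one base stats entry, from the post
BANK_SIZE = 0x4000      # Game Boy ROM banks are 16 KiB

# Offsets listed in the post (both lists merged; they agree where they overlap).
POSTED = {
    176: 0x39702, 0: 0x39FC2, 159: 0x39526, 195: 0x39916, 202: 0x399DA,
    203: 0x399F6, 205: 0x39A2E, 207: 0x39A66, 215: 0x39B46, 229: 0x39CCE,
    230: 0x39CEA, 234: 0x39D5A, 245: 0x39E8E, 250: 0x39F1A, 254: 0x39F8A,
    255: 0x39FA6, 174: 0x396CA, 175: 0x396E6, 209: 0x39A9E, 211: 0x39AD6,
    213: 0x39B0E, 224: 0x39C42, 240: 0x39E02,
}


def base_stats_offset(dex_no):
    """File offset of the base stats entry; its first byte is the Pokédex marker.

    (dex_no - 1) is reduced to a byte, which is what makes 000 land on 39FC2
    (entry 255) as the post's table shows.
    """
    return BASE_STATS + ((dex_no - 1) & 0xFF) * ENTRY_SIZE


def offset_to_pointer(offset):
    """File offset -> (bank, pointer). Bank 0 maps at 0000-3FFF, others at 4000-7FFF."""
    bank, rest = divmod(offset, BANK_SIZE)
    return bank, (rest if bank == 0 else rest + BANK_SIZE)


def pointer_to_offset(bank, pointer):
    """(bank, pointer) -> file offset; only 4000-7FFF depends on the bank."""
    if pointer < BANK_SIZE:
        return pointer
    if pointer >= 2 * BANK_SIZE:
        raise ValueError(f"{pointer:04X} is not a ROM address")
    return bank * BANK_SIZE + (pointer - BANK_SIZE)


def operand_bytes(pointer):
    """Little-endian operand as it appears after call/jp in the byte code."""
    return pointer.to_bytes(2, "little")


def mismatches():
    """Rows of the post's table that the formula does not reproduce."""
    return {n: (hex(base_stats_offset(n)), hex(o))
            for n, o in POSTED.items() if base_stats_offset(n) != o}


if __name__ == "__main__":
    print("mismatches:", mismatches())
    for n in (0, 176, 255):
        off = base_stats_offset(n)
        bank, ptr = offset_to_pointer(off)
        print(f"{n:03d}: offset {off:05X} = {bank:02X}:{ptr:04X}, "
              f"operand {operand_bytes(ptr).hex(' ').upper()}")
```
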
Pokémon Discussion / Re: Scrapped Pokémon from Gold and Silver
« on: June 16, 2017, 11:04:33 am »
Wow, that screenshot, if it's real, is really awesome ^^

I like all of these beta Pokémon. They really should reuse these concepts.

I agree :), it would be really cool and I wonder if the unused turtle seen on MicroGroup Game Review volume 14's cover inspired Tirtouga! I remember Ken Sugimori re-released (at least some of, I can't check my book right now sadly) that artwork in Ken Sugimori Works but nothing new concerning them.
Hi everyone.

I was attempting to get 8F but am running into a problem I'm hoping someone could help me with.

In order to get the 255 x specials needed, I used the 6th item trick with MissingNo, however after doing so I am unable to get the inventory required to do the trick. This is because attempting to toss or deposit the extra items just turns them into X Special x 255 and therefore I can't get the inventory required to receive 8F.

Any ideas how I can fix this?

E: So I tried it anyway and must've messed up towards the end because the game crashed and lost my save so does anyone know a quick way to set myself up for getting 8F? In the save I just lost I used brock through walls to get HM Fly and Surf as well as going to cerulean cave to get a high level pokemon to defeat the two gym leaders in order to access the Old Man trick but is there a quicker method?

Hi 8F! What you need to do is obtain three stacks of the X Special x255 (by putting the initial x255 in slot 3 and then tossing all of slot 2 and slot 1) but have only one item registered; so there are three X Specials at the top but you can only scroll down to the first two and the second acts as a Cancel. Afterwards tossing 253 of the first X Special and swapping the X Special x2 with the second stack and then the third will give you an X Special x0 and underflow the inventory.

An early way to get a x255 stack is this:

1) Use Brock Through Walls to go to Saffron City then heal at Saffron City Pokémon Center
2) Go west to Celadon City to buy an Abra using the coins on the ground at the Game Corner
3) Head to Route 6 and set up a Trainer-Fly using Abra's Teleport.
4) Lose to the first Black Belt at Saffron Fighting Dojo.
5) Return to Route 6 after flashing the Start menu to encounter MissingNo. to get x129 of an item in slot 6.
6) Toss two of the item, run from MissingNo. and repeat steps 3-5 to encounter another MissingNo. and get x255.

(Note: It may also be possible to use up two of the item in slot 6 once you get x129 and then catch MissingNo. to get x255 (e.g. if it's an X Attack but the item in slot 6 shouldn't be a Poké Ball))

If you have another 3DS with Red/Blue you can also obtain a CoolTrainer Ditto on Red/Blue (use Transform, swap first move with second move and run), enter battle with it in Diglett's Cave, flash the Pokémon menu (important) and then scroll through Ditto's move until the music fades. Afterwards, the Pokémon will turn into MissingNo. and catching it will duplicate the slot 6 item if there are under 128.

Hope that helps and sorry for late response!  :)
Pokémon Discussion / Re: Pokemon Direct - June 6th, 2017
« on: June 06, 2017, 08:12:32 am »
Interesting! :) I may not get Pokkén Tournament DX but I'm curious about Ultra Sun and Ultra Moon.

I also love that Gold and Silver are coming for 3DS Virtual Console as would rather have them without the save battery problem and a completed Pokédex dying due to a dead battery. They didn't show Crystal for some reason though, hopefully that will be coming eventually.
For the OAM DMA method it seems you may also have to do it in front of the exhibition and attach 3E 01 E0 F8 (or 3E 01 EA F8 FF) to simulate an A-press to the end of the code as luckytyphlosion's exploit with a write to the dimensions and Pokémon sprite ID seems to lock up the controls if you don't write to this address.

Interestingly would that count as an A-press?
How much space is required to store the Marill sprite?

The space required varies from picture to picture but thanks to compression it's usually not too large.

For the Marill backsprite it was a 4x4 [32x32 px] picture with data of $80 (128) bytes.

The Marill frontsprite in my previous post is a 7x7 [56x56 px] picture that takes up $FE (254) bytes.

I oversaw this but when you store data at DAC9 you may be overwriting offgao's memory editor and you won't be able to complete writing the data if you are using offgao's memory editor to add the sprite. However this can be worked around with using the following method:

1. Store sprite at numboxitems (d53a) instead.
2. Use call copydata to copy d53a to dac9.

ld bc,(spritesize ;xxyy)
ld hl,d53a
ld de,dac9
call 00b1

01 yy xx 21 3A D5 11 C9 DA CD B1 00 C9

Thankfully it doesn't matter if you replace DA7F with jp d321 [c3 21 d3] with offgao's memory editor (it doesn't mess up the GUI) where you can store your code to copy the data and copy by using ws m again.

It looks awesome !
Oh, but, this strangely reminds me of a certain Pikablu cheat code... ( ͡° ͜ʖ ͡° )

Thanks! Yeah ^^. For my video it was different as I just copied the Marill sprite into VRAM. Cool that this is a method to permanently store a backsprite until you change box data though.