Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Torchickens

Pages: [1] 2 3 ... 20
1
For whatever reason in Japanese Crystal it seems using an X Accuracy (I later did it with another X item) and having glitch move 0xFD as the only move (may be possible by trading a glitch Pokémon from Generation I with TM53 on to Generation II) makes the game executes D800 in WRAM when you open the Fight menu.

It turn out that our items in the bag begin at D885, making this potentially manipulable. The only problem is opening the Fight menu seemed to cause a write to D809 to FF causing a rst 38 freeze, and there are other problematic areas of WRAM before D885.

Does anybody know if this freeze can be averted?
2
Generation I Glitch Discussion / Pokédex marker bytes
« on: June 16, 2017, 02:26:34 pm »
At the beginning of a glitch Pokémon's base stats data structure is a Pokédex marker. This byte according to Stag019 is supposed to be the same as the Pokémon's Pokédex number, but for many glitch Pokémon it is different. 'M (00) and MissingNo. in Red/Blue are exceptions. They have a Pokédex marker byte of 0x00, which is the same as their Pokédex number.

The location of a glitch Pokémon family's base stats data can be found using the following:

0x0383DE + (PkmnNo. − 1) × 0x1C


Yellow:
176: 39702 : 0xF9
000: 39FC2 : 0x28
159: 39526 : 0x3C
195: 39916 : 0x62
202: 399DA : 0x81
203: 399F6 : 0x87
205: 39A2E : 0x86
207: 39A66 : 0x92
215: 39B46 : 0xFE
229: 39CCE : 0x01
230: 39CEA : 0x5A
234: 39D5A : 0x05
245: 39E8E : 0x00
250: 39F1A : 0x00
254: 39F8A : 0x14
255: 39FA6 : 0x1E



Red/Blue:
000: 39FC2 : 0x00
174: 396CA : 0xCB
175: 396E6 : 0xC3
205: 39A2E : 0x91
209: 39A9E : 0x8F
211: 39AD6 : 0xF7
213: 39B0E : 0x82
224: 39C42 : 0x05
234: 39D5A : 0x60
240: 39E02 : 0x00
245: 39E8E : 0x00
250: 39F1A : 0x19
254: 39F8A : 0x6A
255: 39FA6 : 0x37

Presumably hybrid glitch Pokémon will have the same Pokédex marker byte as their Pokédex number, due to having their base data derived (with the possible exception of front sprite/back sprite) from real Pokémon.
3
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9ゥ") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow similar steps to these instructions; specifying the size, block size and codec on Tile Molester, pasting the file there and saving it as a 2BPP file and compress the file with Stag019's tool)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.






The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:

Code: [Select]
44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16

BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.


4
I've been looking just a little into glitch color layers (known as glitch screens on Bulbapedia). Does anybody know what causes the glitch color layer effect for glitch Pokémon like X ゥ- xゥ,?

I wonder whether there is a data structure that dictates this for each family of some sort.

I found this in the disassembly but couldn't find anything else sadly.

Quote
; super game boy palettes
const_value = 0

   const PAL_ROUTE     ; $00
   const PAL_PALLET    ; $01
   const PAL_VIRIDIAN  ; $02
   const PAL_PEWTER    ; $03
   const PAL_CERULEAN  ; $04
   const PAL_LAVENDER  ; $05
   const PAL_VERMILION ; $06
   const PAL_CELADON   ; $07
   const PAL_FUCHSIA   ; $08
   const PAL_CINNABAR  ; $09
   const PAL_INDIGO    ; $0A
   const PAL_SAFFRON   ; $0B
   const PAL_TOWNMAP   ; $0C
   const PAL_LOGO1     ; $0D
   const PAL_LOGO2     ; $0E
   const PAL_0F        ; $0F
   const PAL_MEWMON    ; $10
   const PAL_BLUEMON   ; $11
   const PAL_REDMON    ; $12
   const PAL_CYANMON   ; $13
   const PAL_PURPLEMON ; $14
   const PAL_BROWNMON  ; $15
   const PAL_GREENMON  ; $16
   const PAL_PINKMON   ; $17
   const PAL_YELLOWMON ; $18
   const PAL_GREYMON   ; $19
   const PAL_SLOTS1    ; $1A
   const PAL_SLOTS2    ; $1B
   const PAL_SLOTS3    ; $1C
   const PAL_SLOTS4    ; $1D
   const PAL_BLACK     ; $1E
   const PAL_GREENBAR  ; $1F
   const PAL_YELLOWBAR ; $20
   const PAL_REDBAR    ; $21
   const PAL_BADGE     ; $22
   const PAL_CAVE      ; $23
   const PAL_GAMEFREAK ; $24
5
Wiki Discussion / Glitch Pokémon cries for the wiki
« on: May 11, 2017, 02:29:42 pm »
I've began work on re-recording all of (or samples of for the ones with variable cries) the glitch Pokémon cries.

First off is a ZIP file for glitch Pokémon cries in Yellow for every sound bank except Pikachu's Beach (02 overworld, 08 battle, 1F dungeon).

https://sites.google.com/site/torchickens2/glitch-cries

Abwayax, please can you use these when you fix the embedding on the GlitchDex?

The rest for Red/Blue should hopefully be ready tomorrow. :)

Edit: Finished it :D
6
Generation I Glitch Discussion / Yellow MissingNo.'s faces
« on: May 08, 2017, 09:08:25 am »
Yellow MissingNo. has two faces (see attachments). I wonder if there are any other glitch Pokémon which by chance, have faces like this.
7
The data for glitch Pokémon Pokédex is retrieved from a specific location in the Game Boy address BUS. In Pokémon Red, this address should be the value of register de when a breakpoint is set to 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must have not set the glitch Pokémon's capture flag to see its Pokédex entry)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this.

*(Species string terminated by 50).
*Four bytes apparently affecting height and weight.
*Text code.
*0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which is somewhere in the Hall of Fame data for SRAM bank 0.

When I caught a glitch Pokémon it appears that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are if you are able to catch these glitch Pokémon using the LOL glitch you already have access to the expanded items pack, which sadly makes this glitch unnecessary as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution but it's still a nice glitch.

Edit: I checked Blue and nothing changed sadly, though just noticed I may have missed 0xF0 (8350).
8
As is known, the Japanese and English versions of Pokémon games cause communication errors when linked together.

However, something that got me wondering is it possible that we could abuse this to obtain a ?????, hence making the bad clone glitch easier for people who don't have Stadium 2 or don't want to use Coin Case/glitch TM/glitch Pokédex mode arbitrary code execution?

While I was linking up a Japanese Gold with an English Gold one of the versions interpreted some of the Pokémon as ?????. Sadly I couldn't trade it as it was deemed to be abnormal.

Thanks to the work of Háčky however, we know that if a Pokémon is not a hybrid, is not over level 100 and has matching types it can be traded without being interpreted as abnormal. I don't know for sure if this applies to ?????, but I seem to remember it does apply so we could potentially trade over the ?????.
9
Project "Gotta Document 'Em All" / GlitchDex errors/omissions
« on: April 11, 2017, 09:24:06 am »
This is a thread for noting errors/omissions in the GlitchDex that need to be resolved:

*The base 123 Defense for 4( h 4 ? should be base 128 according to the data.
*The base Attack for the Family 209 glitch Pokémon in Red/Blue (Base 255 Attack) is incorrect?
*Since some glitch Pokémon have ( in their names, this breaks the name system which thinks the bracket is part of the glitch Pokémon's family data (Pokédex number).
*Cries need to be added for glitch Pokémon due to the old links no longer working.
*Methods of obtaining glitch Pokémon need to be updated for a few remaining glitch Pokémon.
*TM/HM moves and Time Capsule exploit moves need to be added for a few remaining glitch Pokémon.
*Super Glitch moves should have their index numbers indicated in the data. Also a question worth raising is "are there any 'non-Super Glitch' moves which never cause Super Glitch corruption?".
*Add the index numbers for types for glitch Pokémon with glitch types and 'pseudo real' (is said to be a real type but is really a glitch type) types.
10
Generation I Glitch Discussion / Glitch Pikachu cries in Yellow
« on: March 23, 2017, 10:35:01 pm »
I'm considering recording all of the glitch Pikachu cries by ID.

If anyone else would like to help, you can enter the following code for ws m.

Valid values only range from 0x00 to 0x29, which leaves the rest of the values as glitch sound clips!

Code: [Select]
ld e,xx
ld b,3c
ld hl,4000
call 3e84
ret

If we want to represent this with reasonable items, prepare:

Repel x (cry ID)
Poké Ball x 6
Fresh Water x 33
Master Ball x 64
Soda Pop x 45
TM05 x 132
Lemonade x 201

(1e 02 04 06 3C 21 01 40 3d 2d CD 84 3E C9)

Hope this comes useful for anyone else who would like to experiment!  :)

Edit: (Some) may differ depending on the location you play them.
11
Generation II Glitch Discussion / Pursuit glitch
« on: March 22, 2017, 06:00:04 pm »
It looks like there is an obscure glitch involving the move Pursuit in Generation II that was documented by someone or a source named Uwasa Ishi (Japanese: 噂石). I'm unsure if it only works on the Japanese versions but from what I gather it seems like if you switch out a Pokémon with a status condition and it faints from Pursuit, the status condition will return upon reviving the Pokémon with a Revive.

http://hakuda2.web.fc2.com/wario/poke3/n8.html

I haven't tested this glitch yet though. Thoughts?
12
Pokémon Discussion / Pokémon Crystal unused character?
« on: March 22, 2017, 04:57:11 pm »
In Pokémon Crystal there is a character which I don't remember being used on any NPC, which I found listed on a list of character indices on the Pokémon Crystal disassembly (https://github.com/pret/pokecrystal/blob/master/constants/sprite_constants.asm).

This character can be viewed on BGB (v1.5.2) with the code 013F54D1 but the code working may be due to a presumable emulation error (as I tried the code on an Xploder GB with Pokémon Crystal on a real Game Boy Advance SP and it didn't work).

These are his sprites with the male character's palette.



Video of the code in action:
https://www.youtube.com/watch?v=9_oacF2y9pc
13
As Crystal_ documented (thread, video), not every Pokémon's level-up and evolution data is taken from the ROM, and there are exactly four glitch Pokémon each in both Red and Yellow who actually take their evolution data from VRAM (graphics data).

This is the list of applicable glitch Pokémon, copy and pasted from the wiki article I have just written:

http://glitchcity.info/wiki/Arbitrary_learnset_glitch_Pok%C3%A9mon

Red/Blue

Beginning of pointer table=$3B05C

A (0xEA) (VRAM $8124) — It learns certain moves when levelled up with Rare Candies but no moves when levelled up in battle.
Glitch (0xEB) (VRAM $992B)
G'Mp (0xF6) (VRAM $852C)
94 h (0xF9) (VRAM $9A20)

Yellow

Beginning of pointer table= $3B1E5

'r ゥ (0xEA) (VRAM $8124)
4 h 4 (0xEB) (VRAM $992B)
ゥ ₽ A (0xF6) (VRAM $852C)
₽ (0xF9) (VRAM $9A20)

According to Okk and echinodermata, level up evolutions are read when there is data in the form "01 [level] Pokémon ID]".

http://forums.glitchcity.info/index.php?topic=5217.0

In Yellow, after entering a map or saving and resetting, the location of $9A20 may be taken from one of the screen tiles.

Very fortunately, 01 01 15 can be represented by block 09 in Cinnabar Mansion, and when it is at the bottom-left corner of the screen in this spot on 2F you have a chance of evolving ₽ (0xF9) into Mew at Level 1 due to the VRAM data representing evolution code to evolve it into Mew. (You must save and reset the game at this spot with your ₽ (0xF9))



Sadly for unknown reasons it's only a chance and a rather low chance at that it seems; your ₽ (0xF9) may evolve into Q or Nidoran♂ many times but never Mew, until you reset and try again hopefully to get a successful attempt. I don't know why and wonder whether it's to do with VRAM banks.

What's left to do now is test the other locations and whether this works on Red/Blue.

Edit: OK, you should be able to do this with 0xEB too except the data has to be in this green block and I'm not sure how easy that is to do as I couldn't align the 01 tiles and then that tree in the aforementioned map here.



Edit 2: 0xF9 confirmed on Red in addition to Yellow.
15
I have a policy of owning every game I emulate. Does anybody know any Korean redirection services for buying Pokémon Geum and Eun on a Korean shopping/auction site?

I'm willing to invest some money to buy one even if the price is a little expensive.

Thanks in advance!
Pages: [1] 2 3 ... 20