

Topics - Torchickens

Pages: [1] 2 3 ... 21
1
I created these for the Quagsire holding a TM02 with Return as first move setup for arbitrary code execution in English Gold/Silver. :) Let me know if you have any difficulties with them and I'll try to help.

Change Pokémon 1 codes:

Pokérus:

Ap0'd'vK55
é'm2p0955
éA455555
55555555
5555555p
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Shiny:

Ap0'd'vR55
é'm2pp045
éA4p0'd'vQ
é?2p0k55
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Max DVs:

Ap0'd'vR55
é'm2p0955
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dark max Hidden Power:
Atk Def 15 15

Ap0'd'vR55
é'm2pp095
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dragon max Hidden Power:
Atk Def 15 14

Ap0'd'vR55
é'm2pp085
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ice max Hidden Power:
Atk Def 15 13

Ap0'd'vR55
é'm2pp075
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Psychic max Hidden Power:
Atk Def 15 12

Ap0'd'vR55
é'm2pp065
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Electric max Hidden Power:
Atk Def 14 15

Ap0'd'vR55
é'm2pp0♂5
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Grass max Hidden Power:
Atk Def 14 14

Ap0'd'vR55
é'm2p0é'v6
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Water max Hidden Power:
Atk Def 14 13

Ap0'd'vR55
é'm2p0é'v7
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fire max Hidden Power:
Atk Def 14 12

Ap0'd'vR55
é'm2p0é'v8
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Steel max Hidden Power:
Atk Def 13 15

Ap0'd'vR55
é'm2p0'v'v1
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Ghost max Hidden Power:
Atk Def 13 14

Ap0'd'vR55
é'm2p0'v'v2
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Bug max Hidden Power:
Atk Def 13 13

Ap0'd'vR55
é'm2p0'v'v3
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Rock max Hidden Power:
Atk Def 13 12

Ap0'd'vR55
é'm2p0'v'v4
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ground max Hidden Power:
Atk Def 12 15

Ap0'd'vR55
é'm2p0z'vé
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Poison max Hidden Power:
Atk Def 12 14

Ap0'd'vR55
é'm2p0u'v?
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Flying max Hidden Power:
Atk Def 12 13

Ap0'd'vR55
é'm2p0u'v!
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fighting max Hidden Power:
Atk Def 12 12

Ap0'd'vR55
é'm2p0u'v.
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Change Pokémon 5 codes:

First use:

[REQUIRED code by FMK] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Next you can use:

Max out stat experience, give experience for Level 100 after battle:

Box 1: Ap09é♀45
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84é.455
Box 7+: 55555555
Box 13: Unchanged from before
Box 14: Unchanged from before

All TMs/HMs:

Requires above one-off code:

Box 1: Ap'vCé025
Box 2: 'vj'vué♀25
Box 3: 'v.é32p'v9r
Box 4: é22pé425
Box 5: 'vué62'v 5 (there is a space after the 'v and before the 5)
Box 6: é52'v:é72
Box 7: 55♀55555
Box 8-12: 55555555
Box 13, 14: Same as before, don't change them.
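As an added example (not part of the post above), here is the Generation II Hidden Power rule behind the Atk/Def DV pairs listed with each code, in Python: the type comes from the two low bits of the Attack and Defense DVs, and the base power from the high bit of each DV plus the two low bits of the Special DV. The type table, the power formula and the packing of the Atk/Def DV byte (Attack in the high nibble) are the standard Generation II formulas and are assumed here; the post itself only lists the pairs.

```python
# Added example, not code from the original post. Derives the Generation II
# Hidden Power type and power from DVs and checks the Atk/Def pairs listed
# with the box codes above against it.

# Type indexed by ((Atk DV & 3) << 2) | (Def DV & 3): the standard
# Generation II table (assumed known; it is not stated on the page).
HIDDEN_POWER_TYPES = [
    "Fighting", "Flying", "Poison", "Ground",
    "Rock", "Bug", "Ghost", "Steel",
    "Fire", "Water", "Grass", "Electric",
    "Psychic", "Ice", "Dragon", "Dark",
]


def hidden_power_type(atk_dv: int, def_dv: int) -> str:
    """Type depends only on the two low bits of the Attack and Defense DVs."""
    for dv in (atk_dv, def_dv):
        if not 0 <= dv <= 15:
            raise ValueError("DVs are 4-bit values (0-15)")
    return HIDDEN_POWER_TYPES[((atk_dv & 3) << 2) | (def_dv & 3)]


def hidden_power_power(atk_dv: int, def_dv: int, spe_dv: int, spc_dv: int) -> int:
    """Base power 31..70: high bit of each DV (weights 8/4/2/1) plus Special low bits."""
    high_bits = (((atk_dv >> 3) << 3) | ((def_dv >> 3) << 2)
                 | ((spe_dv >> 3) << 1) | (spc_dv >> 3))
    return ((5 * high_bits + (spc_dv & 3)) >> 1) + 31


def atk_def_dv_byte(atk_dv: int, def_dv: int) -> int:
    """The stored Attack/Defense DV byte packs Attack in the high nibble."""
    return (atk_dv << 4) | def_dv


# The Atk/Def pairs listed with the codes above (taken from the post).
LISTED = {
    "Dark": (15, 15), "Dragon": (15, 14), "Ice": (15, 13), "Psychic": (15, 12),
    "Electric": (14, 15), "Grass": (14, 14), "Water": (14, 13), "Fire": (14, 12),
    "Steel": (13, 15), "Ghost": (13, 14), "Bug": (13, 13), "Rock": (13, 12),
    "Ground": (12, 15), "Poison": (12, 14), "Flying": (12, 13), "Fighting": (12, 12),
}


def check_listed_pairs() -> bool:
    """True if every listed Atk/Def pair yields the type it is labelled with."""
    return all(hidden_power_type(a, d) == t for t, (a, d) in LISTED.items())


if __name__ == "__main__":
    for t, (a, d) in LISTED.items():
        print(f"{t:9s} Atk {a:2d} Def {d:2d} -> DV byte {atk_def_dv_byte(a, d):02X}, "
              f"type {hidden_power_type(a, d)}, "
              f"power {hidden_power_power(a, d, 15, 15)} (with Spe/Spc 15)")
    print("all listed pairs consistent:", check_listed_pairs())
```

Every pair in the post comes out as the type it is labelled with, and with all four DVs at 15 the power is the 70 maximum. The packed DV byte the script prints (0xFF for Dark, 0xEF for Electric, and so on) is the byte these per-type codes set; all listed pairs keep every DV at 12 or above, so the high bit of each DV is set and the power stays at its maximum.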
2
Pokémon Gold and Silver come out for 3DS Virtual Console on September 22, and as of now they are already available to download in Japan, Australia and New Zealand.

Discuss glitches here.

Does the Coin Case glitch work? I'm waiting until the game comes out in Europe and will try it if the answer hasn't been found before.

3
It looks like an interesting new arbitrary code execution has been discovered, which with luck manipulation might be the fastest (and A-pressless) method so far. I don't know who discovered it though.

This method involves death-warping at the final Bug-Catcher in Viridian Forest. If you then return to the forest without pressing Start, it will trigger a battle with the Bug-Catcher again and activate meta-map script 06 (D618=06). Defeating him will trigger yet another battle, but if you win this one you're free to walk around with glitch script initiation active.


Then for some reason if you proceed to mash A in front of and defeat this Bug-Catcher;



The game will execute F8FF in Echo RAM, which falls through to F9AC (D9AC); a copy of your player's name. Then if your player's name is mMna.♀tF (ac e2 a0 f2 f5 b3 85 50), with some specific other requirements it is yet another way of entering the Hall of Fame.

I only just found out about this method today, but there is more information about this glitch in this document:
https://docs.google.com/document/d/1l10apKvZgTeOSEKeuhgHVGC73z9-f2FTkuUKHZaPVEA/edit

If we can modify this glitch for non-speedrunning purposes perhaps it could be useful for those wanting to do other things or obtain the expanded items pack without MissingNo.

Video by entrpntr:
https://www.youtube.com/watch?v=rhvyKspOsoo
4
I found out today that it's possible to manipulate the Day Care Pokémon from ????? party overloading. Specifically withdrawing a 24th Pokémon will modify the species of the stored Pokémon by the Day Care Lady (DC90 in Gold/Silver) based on the ninth character of the nickname of the Pokémon you withdraw. According to the Pokémon Crystal disassembly's WRAM map, the roamer data isn't far away from here.

Crystal:

wRoamMon1:: roam_struct wRoamMon1 ; dfcf
wRoamMon2:: roam_struct wRoamMon2 ; dfd6
wRoamMon3:: roam_struct wRoamMon3 ; dfdd


Is it therefore possible to create a custom roamer Pokémon? Perhaps it could even be a glitch Pokémon, which would be (one of, perhaps a battle could be triggered without cheating by an out of bounds Glitch City too) the only way(s) of encountering a glitch Pokémon in the wild without arbitrary code execution.

What is the roaming Pokémon structure like?

Wonder if anyone has any input on this. Thanks in advance!

Edit: It seems to have a structure like this.

(Species one byte) (Level one byte) (Location; two bytes) (Unknown three bytes)

Edit 2: Gold/Silver roamer addresses seem to start at DD1A.
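As an added example (not part of the post above), a small Python parser for the tentative roamer structure described in the edit: one byte species, one byte level, two bytes location, three unknown bytes, seven bytes in total. The three Crystal labels wRoamMon1/2/3 at DFCF/DFD6/DFDD are the ones quoted from the disassembly above; the seven-byte stride between them is consistent with that layout, and the script checks exactly that. The WRAM bytes it parses are constructed here, and the meaning of the location bytes is left undecoded since the post does not state it.

```python
# Added example, not code from the original post. Parses the guessed
# roam_struct layout (species, level, 2-byte location, 3 unknown bytes)
# from a WRAM dump and checks it against the Crystal label spacing.
import struct
from typing import Dict

# "<BB2s3s": species (1), level (1), location (2, kept raw), unknown (3) = 7 bytes
ROAM_STRUCT = struct.Struct("<BB2s3s")

# Labels quoted from the Crystal disassembly in the post above.
CRYSTAL_ROAMERS = {"wRoamMon1": 0xDFCF, "wRoamMon2": 0xDFD6, "wRoamMon3": 0xDFDD}


def stride_matches_layout() -> bool:
    """True if consecutive roamer labels are exactly one struct apart."""
    addrs = sorted(CRYSTAL_ROAMERS.values())
    return all(b - a == ROAM_STRUCT.size for a, b in zip(addrs, addrs[1:]))


def parse_roamer(wram: bytes, base: int, addr: int) -> Dict[str, object]:
    """Decode one roam_struct at WRAM address `addr` from a dump starting at `base`."""
    off = addr - base
    if off < 0 or off + ROAM_STRUCT.size > len(wram):
        raise ValueError(f"roamer at {addr:04X} lies outside the dump")
    species, level, location, unknown = ROAM_STRUCT.unpack_from(wram, off)
    return {
        "species": species,
        "level": level,
        "location": location.hex().upper(),   # raw; layout not given in the post
        "unknown": unknown.hex().upper(),
    }


def parse_all(wram: bytes, base: int) -> Dict[str, Dict[str, object]]:
    return {name: parse_roamer(wram, base, addr) for name, addr in CRYSTAL_ROAMERS.items()}


# Constructed sample dump starting at DFCF: three level-40 (0x28) roamers with
# species 0xF3, 0xF4, 0xF5; the location/unknown bytes are arbitrary filler.
SAMPLE_BASE = 0xDFCF
SAMPLE_WRAM = bytes.fromhex(
    "F3 28 03 0C 00 00 00"   # wRoamMon1
    "F4 28 03 0C 00 00 00"   # wRoamMon2
    "F5 28 03 0C 00 00 00"   # wRoamMon3
)

if __name__ == "__main__":
    print("struct size:", ROAM_STRUCT.size, "stride ok:", stride_matches_layout())
    for name, fields in parse_all(SAMPLE_WRAM, SAMPLE_BASE).items():
        print(name, fields)
```

A real dump would be sliced from an emulator's WRAM at the same base address; the parser refuses to read past the end of whatever slice it is given rather than silently returning garbage.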
5
A while ago now I picked up this interesting Japanese game called Monster Race (もんすたあ★レース) in which you collect and race with monsters.

It turns out saving twice in that game (or even once) on both BGB(!) and VBA may cause a 'glitch' that creates a Glitch City and allows you to skip parts of the game, but I haven't been able to get that to work on a real Game Boy Advance SP or a physical Super Game Boy.



Ryuto138 has a TAS video that exploits the error to complete the game quickly.

https://www.youtube.com/watch?v=xJ9RqF8KGV4
6
In Gold/Silver I have a party of 29 Pokémon I got from ????? party overloading. When I entered a battle I noticed something rather interesting:

Memory addresses near D0ED (the opposing Pokémon) including D0ED were replaced with values 0x31-0x33!



These are the same values in wild appeared corruption from Generation I, which TheZZAZZGlitch explains here.

Note though that in Generation I you could trigger it with 0 Pokémon. You can't do that in Generation II due to an error handler that makes sure the battle doesn't start. Furthermore in Generation I you needed 239 or more Pokémon (or 0 Pokémon) to corrupt the enemy Pokémon. Here in Generation II it seems like you can corrupt this with a lot less Pokémon.

Upon throwing a Master Ball the enemy Pokémon turned out to be a Dugtrio. At one point it appeared as a Dugtrio with Venomoth's sprite strangely, which I suspect may be because I think the battle addresses have two species bytes as well (and 0x31 Venomoth is one of the possible bytes).



I wonder what else you can corrupt with this and also if the FF terminator at the top only thing (international dokokashira door glitch) is in Generation II.
7
This is a way to beat Pokémon Yellow in 0x A-presses using an external device, and a theory on how to beat Pokémon Yellow with no A-presses without any external device.

1. Use cart-swap arbitrary code execution and OAM DMA hijacking to change C57E to 87. After "Game Freak" appears, the game should jump right into a file as if Continue or New Game was chosen.
2. Have other addresses manipulated at the same time to trigger the Hall of Fame script.

;as such:

D164: FF ('good' party to avoid many glitch Pokémon entries)
D36D: 1D D3 (map script is in inventory)

@D31D:
0E 16 26 64 2E 56 41 CD 84 3E C9

3. Mash B.
4. Congratulations, you just won Pokémon Yellow with no A-presses!

Maybe as well you could run the credits without having to press anything if we just use a different address to run at D31D.

Technically you need to press buttons on another game to set this up of course, but that's probably as far as we'll go without ROM hacking/physical hijacking of the game.

You can also use a GameShark and enter the following codes:

01FF64D1
01C927D3
013E26D3
018425D3
01CD24D3
014123D3
015622D3
012E21D3
016420D3
01261FD3
01161ED3
010E1DD3
01D36ED3
011D6DD3
01877EC5

Hope TheZZAZZGlitch likes this if he sees it. :)
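As an added example (not part of the post above), a Python script that decodes the GameShark codes listed in the post into memory writes, rebuilds the resulting WRAM contents, and decodes the eleven-byte script placed at D31D. Two things are assumed rather than stated on the page: the `01VVLLHH` code layout (type 01, value byte, then the address low byte followed by the high byte) is the standard Game Boy GameShark RAM-write format, and the instruction meanings in the small opcode table are from the Game Boy CPU instruction set.

```python
# Added example, not code from the original post. Decodes the listed
# GameShark codes, simulates the writes, and decodes the D31D script.
from typing import Dict, List, Tuple

# The fifteen codes from the post above.
GAMESHARK_CODES = """
01FF64D1 01C927D3 013E26D3 018425D3 01CD24D3 014123D3 015622D3 012E21D3
016420D3 01261FD3 01161ED3 010E1DD3 01D36ED3 011D6DD3 01877EC5
""".split()


def decode_gameshark(code: str) -> Tuple[int, int]:
    """Return (address, value) for a type-01 RAM write code 01VVLLHH (assumed format)."""
    code = code.strip().upper()
    if len(code) != 8 or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError(f"malformed code {code!r}")
    if code[:2] != "01":
        raise ValueError(f"unsupported code type {code[:2]}")
    value = int(code[2:4], 16)
    address = (int(code[6:8], 16) << 8) | int(code[4:6], 16)   # LL HH -> HHLL
    return address, value


def apply_codes(codes) -> Dict[int, int]:
    """Simulate the writes; a later code overwrites an earlier one at the same address."""
    wram: Dict[int, int] = {}
    for c in codes:
        addr, val = decode_gameshark(c)
        wram[addr] = val
    return wram


def read_bytes(wram: Dict[int, int], start: int, length: int) -> bytes:
    """Read a contiguous span; untouched addresses read as 00."""
    return bytes(wram.get(start + i, 0) for i in range(length))


# Only the opcodes the D31D script uses (partial table; Game Boy CPU, assumed).
OPCODES = {
    0x0E: ("LD C,{0:02X}", 1),
    0x26: ("LD H,{0:02X}", 1),
    0x2E: ("LD L,{0:02X}", 1),
    0x41: ("LD B,C", 0),
    0xCD: ("CALL {1:02X}{0:02X}", 2),   # little-endian target
    0xC9: ("RET", 0),
}


def disassemble(data: bytes) -> List[str]:
    """Decode bytes with the partial table; unknown opcodes become DB lines."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op not in OPCODES:
            out.append(f"DB {op:02X}")
            i += 1
            continue
        fmt, n = OPCODES[op]
        operands = data[i + 1:i + 1 + n]
        if len(operands) < n:
            out.append(f"DB {op:02X}  ; truncated operand")
            break
        out.append(fmt.format(*operands))
        i += 1 + n
    return out


if __name__ == "__main__":
    mem = apply_codes(GAMESHARK_CODES)
    print(f"C57E = {mem[0xC57E]:02X}  D164 = {mem[0xD164]:02X}  "
          f"D36D/D36E = {mem[0xD36D]:02X} {mem[0xD36E]:02X}")
    script = read_bytes(mem, 0xD31D, 11)
    print("D31D:", script.hex(" ").upper())
    for line in disassemble(script):
        print("   ", line)
```

Run as-is, the script recovers the three writes the post describes in prose (C57E = 87, D164 = FF, the pointer 1D D3 at D36D) and the byte string 0E 16 26 64 2E 56 41 CD 84 3E C9 at D31D, so the GameShark list and the hand-written layout above agree. The decoded script is `LD C,16` / `LD H,64` / `LD L,56` / `LD B,C` / `CALL 3E84` / `RET`: a register setup, one call into ROM, and a return.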
8
I spoke with Abwayax yesterday about our dex extension, and due to persisting errors we decided to disable it. This has for a second time broken all of the dex pages that aren't already converted. However fortunately the data is still there other than base stats, which are relatively easy to find if you have the ROM and a hex editor (see this article by Stag019) and are also mainly documented on Bulbapedia.

Due to computer addiction however I've allocated a maximum of 5 hours each on Mondays and Thursdays to fill out Generation I glitch Pokémon data in the format below (the rest of the days are for my other projects (YouTube and Starfy 1 translation project) also with a five hour cap):

http://glitchcity.info/wiki/User:Torchickens/Sample_RBY_glitch_Pok%C3%A9mon

Even with this however, finishing the GlitchDex will likely still take a few weeks.

For this reason I'm asking whether anybody would like to team up and split the work, please? :)

Here is an article that is already finished for further reference:

http://glitchcity.info/wiki/GlitchDex/Y:000

If you'd also like to work on the AttackDex or ItemDex and the newer TypeDex and UnownDex (e.g. wikifying and tidying individual move and item articles, adding more articles, finishing a front page with Excel to wiki), I'd also be very grateful; I've wanted to get these finished as a priority before adding new glitch pages. Thanks in advance!
9
I've been looking online for glitch discussions in the Japanese Pokémon glitch community to see if there have been any new discoveries, and I found this:

http://nakayoshibaddi.hatenadiary.jp/entry/2017/08/02

According to the article, using the Bug-Catching Contest data copy glitch, we should be able to obtain a ????? by exploiting the glitch when you have never had any Pokémon in slot 6.

This is significant because obtaining a bad clone without Pokémon Stadium 2 can be very difficult, and soon Pocket Monsters Kin/Gin (the Japanese Gold/Silver) will be released on 3DS eShop in Japan, making this method an ideal way of potentially obtaining Celebi without the duplicate key items glitch (which outside of this or bad clone glitch would require a trade with Generation I).

I've been thinking the method to do this then could potentially be relatively easy, similar to the recently discovered way to get Celebi on English Gold/Silver with mainly just box names that eliminates the need of a complicated box item setup (hopefully this will work the same on the upcoming VC releases and I plan on testing it).

I would love to help the Japanese community get Celebi on the 3DS eShop version and if I get a legitimate Korean Gold/Silver cartridge or buy a Korean 3DS and purchase one of those, I may look into the easiest way to do it there as well.

This way of obtaining ????? in Japanese Gold/Silver isn't a new find, as Chain Sword documented in December 2014 how to get a ????? 00 using the Bug-Catching Contest data copy glitch in a video. It's very likely as well that Japanese players knew about this before then.

See https://www.youtube.com/watch?v=gblgYk6WEmI

We already know with a ????? 00 or FF that this is a gateway to ????? party overloading, which we can use for the party-based variation of the Celebi glitch.

We can't obtain a Sneasel with Beat Up early in the game (at least without shifting the experience, etc.), but we could trade one on to the game that obtained the ?????. In theory as well, we can probably adjust the glitch to work with total experience's least significant byte (6 more bytes from move 3), so that a total experience of 251 could be shifted into the second species byte; the one that is used for the Pokémon you get when you take it into the Day Care and out again.

Since an Egg can't normally have 251 experience, either some more work would have to be done for the total experience method to hatch a Celebi that registers in the Pokédex, or we would be left with a Celebi that isn't registered in the Pokédex.

Going deeper, if we can get ????? 00 this way we may also be able to set up the duplicate key items glitch and perform arbitrary code execution with wrong pocket TM/HMs or glitch Pokédex categories (by messing around with items in the expanded balls pocket; where stored items can be found, including TMs) to do whatever we want with box names, such as getting a Shiny Celebi that registers in the Pokédex. It would require some precise counting like in Japanese Crystal but is worth it.

Setting that up may be easier if it is possible for ????? 00 or FF to corrupt the inventory with ????? map corruption (Paco81 calls this Missingning) in Japanese Gold/Silver as well.
10
Project "Gotta Document 'Em All" / Used glitch types
« on: July 06, 2017, 10:12:21 am »
I would like to make a TypeDex, so I decided to make a dump of all the types that are "used" on glitch Pokémon and glitch moves. It is very messy but hopefully the information should be available within a neater TypeDex listing soon.

"\" indicates that the glitch move has a real, non-glitch type.


Yellow blank (0x50)-type glitch Pokémon
Yellow blank (0x73)-type glitch Pokémon
Yellow blank (0x7D)-type glitch Pokémon
Yellow glitch (0x24)-type glitch Pokémon
Yellow glitch (0x25)-type glitch Pokémon
Yellow glitch (0x39)-type glitch Pokémon
Yellow glitch (0xA5)-type glitch Pokémon
Yellow glitch (0xCF)-type glitch Pokémon
Yellow ₽9? ゥ (0x59)-type glitch Pokémon



Red/Blue Poké BB (0xA9)-type glitch Pokémon
Red/Blue PokéManiac (0x61)-type glitch Pokémon
Red/Blue blank (0x50)-type glitch Pokémon
Red/Blue blank (0xE8)-type glitch Pokémon
Red/Blue blank 0x70-type glitch Pokémon
Red/Blue blank 0x7B-type glitch Pokémon
Red/Blue glitch (0x1C)-type glitch Pokémon
Red/Blue glitch (0x21)-type glitch Pokémon
Red/Blue glitch (0x27)-type glitch Pokémon
Red/Blue glitch (0x2B)-type glitch Pokémon
Red/Blue glitch (0x37)-type glitch Pokémon
Red/Blue glitch (0x3B)-type glitch Pokémon
Red/Blue glitch (0x9D)-type glitch Pokémon
Red/Blue glitch (0xA5)-type glitch Pokémon
Red/Blue glitch (0xC8)-type glitch Pokémon



Bird (0x06)-type glitch Pokémon
Flying (0x82)-type glitch Pokémon
Ghost (0x88)-type glitch Pokémon
Ground (0x84)-type glitch Pokémon
Normal (0x0B)-type glitch Pokémon
Normal (0x0E)-type glitch Pokémon
Normal (0x11)-type glitch Pokémon
Normal (0x12)-type glitch Pokémon
Normal (0x13)-type glitch Pokémon
Normal (0x80)-type glitch Pokémon
Normal (0x8D)-type glitch Pokémon
Normal (0x8E)-type glitch Pokémon
Normal (0x91)-type glitch Pokémon
Normal (0x92)-type glitch Pokémon
Normal (0x93)-type glitch Pokémon



On Moves Red/Blue (track CFD5):


00: 0x7A (CoolTrainerF)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0x2B (random)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x97 (Electric-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0x0C (Normal-fake)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (h RED)
\BE: 0x02 (Flying)
BF: 0x95 (Water-fake)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (RED? POKé BB PIDGEY dé)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0xB1 (random)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x51 (,KPkMnRED)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x3A (Qi JT RED? POKé BBPIDGEY dé)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (i JT RED? POKé BBPIDGEY dé)
\DA: 0x02 (Flying)
DB: 0x0E (Normal-fake)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
E3: 0x19 (Ice)
E4: 0x77 (blank)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
E8: 0x03 (Poison)
E9: 0x80 (Normal-fake)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 Normal
F1: 0x32 (random)
F2: 0x0A (Normal-fake)
\F3: 0x00 (Normal-fake)
F4: 0xC0 (random)
F5: 0x53 (8 8 9)
\F6: 0x02 (Flying)
F7: 0x79 (CoolTrainerM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

On Moves Yellow (track CFD4):

00: 0x31 (random)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0xE9 (Swimmer)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x81 (Fighting-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
\B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0xC8 (random)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (3lゥ)
\BE: 0x02 (Flying)
\BF: 0x00 (Normal)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (B)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0x8E (Normal-fake)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x0B (Normal-fake)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x41 (random)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (.s.a)
\DA: 0x02 (Flying)
DB: 0x34 (random)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
\E3: 0x19 (Ice)
\E4: 0x07 (Bug)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
\E8: 0x03 (Poison)
E9: 0x2A (random)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 (Normal)
F1: 0x32 (random)
F2: 0xC6 (random)
\F3: 0x00 (Normal)
F4: 0xC0 (random)
F5: 0x53 (V)
\F6: 0x02 (Flying)
F7: 0xD1 (TM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

Edit: So as it turns out, there are arbitrary type names :). I have a list of type pointers here and uploaded a video:

https://pastebin.com/dYE9ZFNX
https://www.youtube.com/watch?v=6V6F-mtkFTc
12
This is something a little similar to this thread for move 00's type in Crystal: http://forums.glitchcity.info/index.php?topic=7704.0

Luckytyphlosion (I think, please correct me if someone else discovered this) found a way to trigger arbitrary code execution with move 00's type in Gold/Silver. This type's identifier is 0xD0 (dec: 208) and after analysis its type name seems to be sourced from 0x8350 in VRAM.

0x8350 can contain menu-sprite data for Pokémon on the Pokémon menu as well as possibly NPC sprites(?), but when I had exactly four Pokémon (two tailed Pokémon, bird, tailed Pokémon) I got different results that included freezes and arbitrary code execution which didn't occur otherwise when I had six Pokémon.

https://www.youtube.com/watch?v=TdxzLn0txFM

How exactly can we use this for arbitrary code execution outside of speedrunning?

I tried making the movement patterns in the video and at one point the game executed E9F0 (Echo RAM for C9F0). Perhaps that's what the route exploits for it to eventually touch box names at D8BF onward (but that would seem very far away).

An update! When the game executed E9F0, it eventually came across the following:

jr c, EC68(@EC2D)
jp c, FA9B (@EC70)

These may have only appeared when moving around in the pattern in the speedrun route.

At FA9B (DA9B) is the Speed experience byte 1 of the third slot Pokémon. We know from the Coin Case glitch that we can have this as a low level slide Pokémon, so perhaps following it could be a Quagsire holding an item with a specific move 1 (like Quagsire holding HP Up with Sleep Talk as the first move: jp D61A, or Quagsire holding TM02 with Return as the first move: jp D8C0) for us to jump to stored items or box names.

So it looks like we can possibly use this as an alternative to Coin Case glitch, but what would really be cool is if you can do it in Crystal as it's easy to just trade over a CoolTrainer Ditto from Red/Blue/Yellow. That way no 'pseudo-bad clone' would be required nor an unterminated name Pokémon from Red/Blue/Yellow.
13
For whatever reason in Japanese Crystal it seems using an X Accuracy (I later did it with another X item) and having glitch move 0xFD as the only move (may be possible by trading a glitch Pokémon from Generation I with TM53 on to Generation II) makes the game execute D800 in WRAM when you open the Fight menu.

It turns out that our items in the bag begin at D885, making this potentially manipulable. The only problem is opening the Fight menu seemed to cause a write of FF to D809, causing a rst 38 freeze, and there are other problematic areas of WRAM before D885.

Does anybody know if this freeze can be averted?
14
Generation I Glitch Discussion / Pokédex marker bytes
« on: June 16, 2017, 02:26:34 pm »
At the beginning of a glitch Pokémon's base stats data structure is a Pokédex marker. This byte according to Stag019 is supposed to be the same as the Pokémon's Pokédex number, but for many glitch Pokémon it is different. 'M (00) and MissingNo. in Red/Blue are exceptions. They have a Pokédex marker byte of 0x00, which is the same as their Pokédex number.

The location of a glitch Pokémon family's base stats data can be found using the following:

0x0383DE + (PkmnNo. − 1) × 0x1C


Yellow:
176: 39702 : 0xF9
000: 39FC2 : 0x28
159: 39526 : 0x3C
195: 39916 : 0x62
202: 399DA : 0x81
203: 399F6 : 0x87
205: 39A2E : 0x86
207: 39A66 : 0x92
215: 39B46 : 0xFE
229: 39CCE : 0x01
230: 39CEA : 0x5A
234: 39D5A : 0x05
245: 39E8E : 0x00
250: 39F1A : 0x00
254: 39F8A : 0x14
255: 39FA6 : 0x1E



Red/Blue:
000: 39FC2 : 0x00
174: 396CA : 0xCB
175: 396E6 : 0xC3
205: 39A2E : 0x91
209: 39A9E : 0x8F
211: 39AD6 : 0xF7
213: 39B0E : 0x82
224: 39C42 : 0x05
234: 39D5A : 0x60
240: 39E02 : 0x00
245: 39E8E : 0x00
250: 39F1A : 0x19
254: 39F8A : 0x6A
255: 39FA6 : 0x37

Presumably hybrid glitch Pokémon will have the same Pokédex marker byte as their Pokédex number, due to having their base data derived (with the possible exception of front sprite/back sprite) from real Pokémon.
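As an added example (not part of the post above), a Python helper that applies the offset formula above and reads the Pokédex marker byte (the first byte of a base stats entry) out of a ROM image. One detail the formula leaves implicit is inferred from the listing: index 000 maps to 39FC2, one entry past index 255, so the index is treated as wrapping (0 behaves like 256). The ROM used when the script runs on its own is a constructed zero-filled stand-in with a few of the Yellow marker values from the listing placed at their computed offsets; a real Red/Blue/Yellow ROM can be passed in its place.

```python
# Added example, not code from the original post. Applies the base stats
# offset formula and reads the Pokédex marker byte from a ROM image.
from typing import Dict

BASE_STATS_START = 0x0383DE   # from the formula in the post
BASE_STATS_SIZE = 0x1C        # one entry is 0x1C bytes


def base_stats_offset(index: int) -> int:
    """ROM offset of the base stats entry for a one-byte Pokémon index."""
    if not 0 <= index <= 0xFF:
        raise ValueError("index is a single byte (0x00-0xFF)")
    slot = (index - 1) % 256   # index 0x00 lands one entry past 0xFF (inferred from 000 -> 39FC2)
    return BASE_STATS_START + slot * BASE_STATS_SIZE


def dex_marker(rom: bytes, index: int) -> int:
    """First byte of the entry: the Pokédex marker discussed above."""
    off = base_stats_offset(index)
    if off + BASE_STATS_SIZE > len(rom):
        raise ValueError(f"entry at {off:X} lies beyond the ROM ({len(rom):X} bytes)")
    return rom[off]


# Index -> offset pairs copied from the post's listings, used to check the formula.
LISTED_OFFSETS: Dict[int, int] = {
    176: 0x39702, 0: 0x39FC2, 159: 0x39526, 195: 0x39916,
    255: 0x39FA6, 174: 0x396CA, 224: 0x39C42,
}


def formula_matches_listing() -> bool:
    return all(base_stats_offset(i) == off for i, off in LISTED_OFFSETS.items())


# Constructed stand-in ROM: zero-filled, with three Yellow marker values from
# the post (176 -> F9, 000 -> 28, 255 -> 1E) written at their computed offsets.
def constructed_rom() -> bytes:
    rom = bytearray(0x3A000)
    for index, marker in {176: 0xF9, 0: 0x28, 255: 0x1E}.items():
        rom[base_stats_offset(index)] = marker
    return bytes(rom)


if __name__ == "__main__":
    print("formula matches listed offsets:", formula_matches_listing())
    rom = constructed_rom()
    for index in (176, 0, 255):
        print(f"{index:03d}: {base_stats_offset(index):X} : 0x{dex_marker(rom, index):02X}")
```

Reading the marker by offset rather than by Pokédex number is the point: for real Pokémon the two agree, for most glitch Pokémon they do not, and the constructed ROM makes that visible without needing the cartridge dump at hand.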
15
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9ゥ") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow similar steps to these instructions; specifying the size, block size and codec on Tile Molester, pasting the file there and saving it as a 2BPP file and compress the file with Stag019's tool)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.






The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:

44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16

BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.

