Author Topic: The reason for the Kingdras and '?' symbols in the bad clone trick  (Read 841 times)

Crystal_

The reason for the Kingdras and '?' symbols in the bad clone trick
« on: September 12, 2014, 07:56:28 am »
There is a very small routine that makes the whole trick possible, and that's the routine at 0:1383 in Pokémon Crystal.

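Code:
Function1383:: ; 1383
    ld a, $e6               ; $e6 is the '?' character
    ld [hli], a             ; write it to the tilemap at hl, then advance hl
    call PrintLetterDelay
    jp NextChar             ; carry on with the next char of the string
; 138c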

When a char is interpreted, the routine at 0:1087 analyzes which character we are dealing with in case it's an identifier with a special function (such as a new line, or the 'POKÉ' symbol) and jumps to 0:1383 if the char is 0. Function1383 then writes 0xE6 (which is the '?' character) to hl and we move on to the next char. hl points to the corresponding tile in the tilemap, so this routine is basically overwriting the "blank" character 00 directly in the tilemap.

Code:
PlaceString:: ; 1078
    push hl

PlaceNextChar:: ; 1079
    ld a, [de]              ; de = next char of the source string
    cp "@"                  ; string terminator ($50)
    jr nz, CheckDict
    ld b, h
    ld c, l
    pop hl
    ret
    pop de

NextChar:: ; 1083
    inc de
    jp PlaceNextChar

CheckDict:: ; 1087
    cp $15
    jp z, Function117b
    cp $4f
    jp z, Char4F
    cp $4e
    jp z, Function12a7
    cp $16
    jp z, Function12b9
    and a                   ; char $00?
    jp z, Function1383      ; yes: write '?' ($e6) to the tilemap
    (...)

Since the bad clone's name is just a bunch of 00's without the terminator character (0x50), when the name is read from the string buffer 1 (WRAM:D072), the game will keep on reading bytes as characters and, for every 00, write the '?' symbol in the different tiles of the tile map, eventually going past the 10 tiles that make up the bad clone's name.

The buffer at D072 is the first buffer, meaning that if any of the other 3 buffers has been used before, there will be a terminator character somewhere, making the whole thing not work (this is why one of the requirements for the trick is saving in front of the box and resetting the Game Boy without doing anything else before performing the trick).

This is the result of for example changing 0:1384 to 0xE7:



Notice the '!' symbols as well as the Phanpy sprite (both have hex identifiers of 0xE7).

If, instead, you just NOP the ld [hli],a instruction, the bad clone trick won't work, as, apart from the '?' symbols not appearing, FF/CANCEL remains as Pokemon FF/CANCEL instead of becoming a withdrawable Kingdra.

I still couldn't find out where all the Pokemon (including FF/CANCEL) becoming Kingdra comes from though. It must be related to the spam of 0xE6 as well, but box Pokemon data is located in SRAM (bank 1, from RAM address AD10 on), and tracking it down with the debugger, I've seen that the 0xE6 bytes never get written in SRAM, and the data there always seems to be correct (matching the data of the Pokemon "behind" the Kingdra). So this has to come from somewhere else.
« Last Edit: September 12, 2014, 08:15:32 am by Crystal_ »

Crystal_

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #1 on: September 13, 2014, 12:52:44 pm »
So I've found where the Kingdras come from. The routine at 38:6DEF reads the Pokédex number of the Pokémon in the box from address C800 + 3*PkmnPos. Yes, C800 is the start of the Overworld map, but it also seems to store the species of the Pokémon in the box at this point. I didn't bother to keep tracking down things at this point, but the thing is that the species of FF/CANCEL has to be located between C800 and around C840 depending on the number of Pokémon in the box, and in one of my tests I saw addresses up to C863 (from C599) get corrupted. While irrelevant, the species of the Pokémon in the box we are dealing with then gets written to D265 and finally to D108. From that address is where I started tracking everything down.

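Code:
Functione2def: ; e2def (38:6def)
    ld a, [$cb2b]           ; position of the Pokémon under the cursor
    ld hl, $cb2a
    add [hl]                ; a = [$cb2b] + [$cb2a]
    ld e, a
    ld d, $0                ; de = a
    ld hl, OverworldMap ; $c800
    add hl, de
    add hl, de
    add hl, de              ; hl = $c800 + 3 * de
    ld a, [hl]              ; a = species read from that address
    ret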

CB2B contains the position of the pokemon the cursor points to. I have no idea what CB2A is for; it always seems to be 00.

Here is a video of everything: https://www.youtube.com/watch?v=acUjiWcMAcc
« Last Edit: September 13, 2014, 01:35:49 pm by Crystal_ »
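
The two routines quoted in the posts above, modelled on a flat 64 KiB address space (an added example, not part of the thread or of the game's disassembly): with no 0x50 after the name at D072, the 0xE6 writes run from C599 to C863 and cover every species byte at C800 + 3*pos, so each slot, FF/CANCEL included, reads back as 0xE6. The box contents, the "ABC" name and the position of the first stray terminator (D33D) are constructed, and control codes other than 0x00 and the terminator are left out.

```python
# Simplified model of the routines quoted above on a flat 64 KiB address space.
# Addresses and byte values are from the posts; the box contents, the "ABC"
# name and the stray terminator position are constructed for illustration.
TERMINATOR = 0x50        # "@", ends a string
QUESTION_MARK = 0xE6     # tile written for char 0x00
STRING_BUFFER_1 = 0xD072
SPECIES_BASE = 0xC800    # OverworldMap, read as species at +3*pos
BOX = [0x02, 0x0C, 0x03, 0xFF]   # constructed species list, 0xFF = CANCEL

def place_string(mem, de, hl):
    """PlaceString loop; only char 0x00 and the terminator are special-cased."""
    first = hl
    for _ in range(0x10000):                 # guard: never loop forever
        char = mem[de]
        if char == TERMINATOR:
            break
        # Function1383: char 0x00 becomes 0xE6 directly in the tilemap
        mem[hl] = QUESTION_MARK if char == 0x00 else char
        hl, de = (hl + 1) & 0xFFFF, (de + 1) & 0xFFFF
    return first, hl - 1                     # first and last address written

def box_species(mem, cursor_pos):
    """Functione2def: a = [C800 + 3 * ([CB2B] + [CB2A])]."""
    mem[0xCB2B] = cursor_pos
    index = (mem[0xCB2B] + mem[0xCB2A]) & 0xFF
    return mem[SPECIES_BASE + 3 * index]

def simulate(name, tile_addr=0xC599, stray_terminator=None):
    mem = bytearray(0x10000)
    for pos, species in enumerate(BOX):
        mem[SPECIES_BASE + 3 * pos] = species
    mem[STRING_BUFFER_1:STRING_BUFFER_1 + len(name)] = name
    if stray_terminator is not None:
        mem[stray_terminator] = TERMINATOR
    first, last = place_string(mem, STRING_BUFFER_1, tile_addr)
    return first, last, [box_species(mem, pos) for pos in range(len(BOX))]

GOOD_NAME = bytes([0x80, 0x81, 0x82, TERMINATOR])   # "ABC@"
BAD_CLONE = bytes(10)                               # ten 0x00, no terminator

if __name__ == "__main__":
    for label, args in (("terminated", (GOOD_NAME,)),
                        ("bad clone", (BAD_CLONE, 0xC599, 0xD33D))):
        first, last, species = simulate(*args)
        print(f"{label}: wrote {first:04X}-{last:04X}, species",
              [f"{s:02X}" for s in species])
```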

Krys3000

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #2 on: November 12, 2016, 11:33:56 am »
Hello Crystal_, well this thread has been dead for a long time, but I'm currently writing a full guide for this glitch. I was just wondering about the in-depth mechanics, so thanks for this!

Do you know more about this glitch? I can figure that it all comes from a shifting in memory addresses, since we lose 1 letter in every clone's name, and since the egg trick is based on shifting the hex ID for a move to the RAM address for the Pokémon's hex ID. But why exactly does this happen starting from the moment when we withdraw the CANCEL/Kingdra?

Thanks!

ISSOtm

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #3 on: November 14, 2016, 04:38:58 pm »
Because we remove the hex:FF terminator for the party list.

Basically, Gen II boxes have data arranged as first, a list of Pokémon IDs.
Then, the list of Pokémon data.

When withdrawing Pokémon number X in the list, the game does this :
1. Copy Pokémon number X data to party
2. Copy Pokémon ID number (X+1) to Pokémon ID number X (in the first list)
3. If we copied a FF, end here. Otherwise, continue.
4. Copy Pokémon data number (X+1) to Pokémon data number X (in the second list)
5. Increment X, and go to step 2.

When you retrieve a Pokémon, the game copies one FF one slot backwards, but leaves the other FF in place.
Consider the following box :
Ivysaur (ID 02)
Weedle (ID 0C)
Venusaur (ID 03)
CANCEL (ID FF)
(some uninitialized data, let's say 00)
(Pokémon data, doesn't matter right now)

Let's retrieve Ivysaur. The game copies his data to our party, then replaces Ivysaur's ID (number 0 in the list) with Weedle's (number 1 in the list). Then it copies Weedle's data over Ivysaur's.
Then it repeats with Venusaur, and CANCEL (note that in this case step 4 is never reached).

We then have, considering only the first four IDs :
Weedle (0C)
Venusaur (03)
CANCEL (FF)
CANCEL (FF)


Now, what would possibly happen if all CANCELs were taken away ? Then the game would keep shifting bytes, thinking they are Pokémon IDs. Now remember what is right after Pokémon IDs ? Pokémon data ! And thus, all the data is shifted left by one byte.
This also means huge chunks of data are moved around.



My explanation may be wrong in places (I'm too tired to check against code right now :3), but the general idea is just that.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)
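
The five withdraw steps listed in the post above, modelled on a constructed box (an added example, not the game's code or part of the thread): it runs the shift on the box from the post, then on an ID list with no FF left, where the data ends up one byte to the left. The sizes, record bytes, trailing stray 0xFF and the `bound` parameter are assumptions, and step 4 is only modelled for the four real slots.

```python
# Model of the five withdraw steps from the post above. Constructed layout:
# a 5-byte ID list, four 2-byte data records, then one stray 0xFF standing in
# for the next 0xFF found in memory after the box.
END = 0xFF
ID_LIST_LEN = 5
REC_SIZE = 2
SLOTS = 4
RECORDS = bytes([0xA0, 0xA1, 0xB0, 0xB1, 0xC0, 0xC1, 0x00, 0x00])

def make_box(ids):
    assert len(ids) == ID_LIST_LEN
    return bytearray(bytes(ids) + RECORDS + bytes([END]))

def record(slot):
    start = ID_LIST_LEN + slot * REC_SIZE
    return slice(start, start + REC_SIZE)

def withdraw(mem, x, bound=None):
    """bound=None trusts the 0xFF sentinel alone, as in the post;
    bound=ID_LIST_LEN is an added check that keeps the shift inside the ID list."""
    party = bytes(mem[record(x)])                 # step 1: copy data to party
    limit = len(mem) if bound is None else bound
    shifts = 0
    while x + 1 < limit:
        mem[x] = mem[x + 1]                       # step 2: shift one ID back
        shifts += 1
        if mem[x] == END:                         # step 3: stop on 0xFF
            break
        if x + 1 < SLOTS:                         # step 4 (real slots only: assumption)
            mem[record(x)] = mem[record(x + 1)]
        x += 1                                    # step 5
    return party, shifts

def run(ids, bound=None):
    mem = make_box(ids)
    party, shifts = withdraw(mem, 0, bound)
    return shifts, mem[:ID_LIST_LEN].hex(" "), mem[ID_LIST_LEN:].hex(" ")

WITH_CANCEL = [0x02, 0x0C, 0x03, 0xFF, 0x00]   # the box from the post
NO_CANCEL = [0x02, 0x0C, 0x03, 0x00, 0x00]     # no 0xFF left in the ID list

if __name__ == "__main__":
    print(run(WITH_CANCEL))                     # shift stops at the copied 0xFF
    print(run(NO_CANCEL))                       # shift runs on through the data
    print(run(NO_CANCEL, bound=ID_LIST_LEN))    # bounded: data records stay aligned
```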

Yeniaul

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #4 on: November 14, 2016, 06:28:46 pm »
This is correct. And a very good explanation!

RIP Omnicron (2004-2016)
Nighthawk seems to be working okay.
And yes, I name my routers.
My autism lets me see the future in my dreams.
Glitch-inspired music!
I'm also the proud owner of the GCLF Discord server!

ISSOtm

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #5 on: November 14, 2016, 08:30:29 pm »
Oi, thanks ! That's also an article that's wanted... twice ?

There's still a ton of work to do on the wiki. Just look at this ! T_T


I'm not familiar with Generation II, so I expect Crystal_ to correct me next time he pops up :P

Krys3000

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #6 on: November 15, 2016, 01:11:17 am »
Yeah, that's exactly what I thought, but I just needed to be sure. It behaves exactly the same way as in Gen I, in which such behaviour is the basis for the Duplicate Items Trick :)

Since I didn't have the memory addresses for Crystal, I couldn't check by myself (but then I realized it's $AD10) but I did now and that's fine  :P

Still can't get why the corruption provoked by the Bad Clone's name would allow the withdrawing of FF/Cancel though. Is this just because the sprite buffer gets corrupted and by attributing a Kingdra sprite to the Cancel Button, you're forcing him to "be a withdrawable Pokémon"?

ISSOtm

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #7 on: November 15, 2016, 11:27:15 am »
> Yeah, that's exactly what I thought, but I just needed to be sure. It behaves exactly the same way as in Gen I, in which such behaviour is the basis for the Duplicate Items Trick :)

If you're thinking of the Gen II glitch, yup, that's right.
But if you're thinking of the variation of the Expanded item pack glitch that allows duplication of 255 item stacks, that's not right.

I assume you thought of the former.

> Still can't get why the corruption provoked by the Bad Clone's name would allow the withdrawing of FF/Cancel though. Is this just because the sprite buffer gets corrupted and by attributing a Kingdra sprite to the Cancel Button, you're forcing him to "be a withdrawable Pokémon"?

Exactly. The game makes a buffer in WRAM that gets corrupted when the game attempts to manually put a "?" instead of char $00 while displaying the Bad Clone's name.
But ultimately, the game manipulates data in SRAM.

Krys3000

Re: The reason for the Kingdras and '?' symbols in the bad clone trick
« Reply #8 on: November 15, 2016, 01:04:53 pm »
No, I was thinking about the Gen I glitch, but not about the glitch itself, rather the mechanism of dealing with items. I mean, the normal behaviour of the game is to copy the item n+1 into the address of the item n, and so on until it copies FF and stops. Which is also what happens here.

In the Duplicate Items Trick, we take advantage of this by using quantities of FF to duplicate items, which is the exact opposite of what we do here, but I was not comparing them :)