Messages - Princess Torchic ❤

General Discussion / Re: The Glitchy Thread of Topiclessness (#3)
« on: Yesterday at 04:21:28 am »
Um. 2017 was a horrible year for me. Otherwise, fantastic.

Sorry to hear that.
That's good though.
A user named DaWoblefet (who also has an account on these forums if I remember correctly) recorded this glitch previously documented by DragonWhale93. It has been known for quite a while now since July 2017, but I haven't noticed many people talking about it.

Apparently in Pokémon Sun/Moon, if you save at the exact position in a Pokémon Center that the delivery man would appear and obtain a new Mystery Gift (you could possibly do it with a Pokémon Bank subscription), it is then possible to walk out of bounds into the void. However, it's not known if there is anything extra you can do with this glitch.
General Discussion / Re: The Glitchy Thread of Topiclessness (#3)
« on: January 19, 2018, 04:05:17 pm »
It's nice to see you back Sasara. :)

How have things been going with you?

(I used to be the user called Torchickens)
For me Ultra Sun/Moon seemed a little too similar to Sun/Moon at first for the first few hours, and it wasn't until later in the game that the new features/plot-line started coming in, with the exception of the Ultra Recon Squad appearing (but not doing much). This disappointed me a little as I was expecting the game, being pairs, to feel more like Black 2/White 2 (which were more different from the start).

I felt similar about the rental part in the post-game, but not as much after learning it was only for a short time, the battle isn't that hard and it doesn't matter if you lose it. I feel they still should have allowed you to save (and/or not sure.. cancel to get out and get your Pokémon back even though that could mess with the plot) though.
Amazing :)

So, a couple of questions as I've never done much cartswapping before.

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)? How would you do this for Yellow and Crystal?

Well, did this against Champion Blue in Yellow and oh boy...
Every turn the game plays a drum and fades to black before either continuing the battle, exiting it, or crashing altogether (I once got a "4 4's true cry"-like effect but that never happened again).
If the game doesn't crash then the screen stays black if I don't use a move that modifies the palette. And if I don't KO the foe then it exits the battle or freezes. I once got the game to jump to the Pikachu sequence before the title screen, freezing shortly after.
And once the music just glitched out a bit.
Could this be useful and manipulated in some way?
Also I couldn't get past his Jolteon in any way with the code active, I needed to change his class to something valid before finishing the battle then change it back once I knocked out his Jolteon...
And lastly, I managed to trigger the unused text for losing against him.
And yes I did use Debug Yellow for this but I didn't have any other Yellow ROM on hand...

And then I tried d058-ing a random trainer (a Sailor in this case) and I got an occurrence of the battle restarting and my Pokémon 2-6 having their names be corrupted.

Wow, that's interesting. Nice and cool you got the unused text. Which name did you use, is it the 0x77 one?

I may play around with this re: losing the fight too. Thanks for sharing Charmy. :)

By the way I finished a B1F code (which you have in the inventory from RB 0x32) for escaping the Glitch City and making the game still playable, and I managed to get the fossil 'M (FF). This code runs the Hall of Fame script, fixes your name, leaves you in Cinnabar Island after, fixes some event addresses and possibly all the meta-map scripts:

(B1F executes A7D0)

ld a,50
ld (d158),a
ld a,41
ld (d36e),a
ld a,12
ld (d36f),a
ld a,08
ld (d35e),a
xor a
ld (d639),a
ld (d72e),a
ld (d72c),a
ld (d736),a
ld (d732),a
ld (d733),a
ld (d5a0),a
ld hl,d5f0
ld bc,011b
xor a
call 36e0
ld hl,d35f
ld a,5e
ld (hli),a
ld a,c7
ld (hli),a
ld a,0c
ld (hli),a
ld a,0b
ld (hli),a
xor a
ld (hli),a
inc a
ld (hli),a
ld c,$16
ld h,$64
ld l,$bb
ld b,c
ld b,b
call $35d6

Still, if this can be set up without arbitrary code execution, I feel using arbitrary code execution with B1F could take away some of the charm. I do wonder if there is a way to escape the Glitch City with no arbitrary code or cheats (I remember a walk through walls route that worked, I entered a building in Saffron but that would require the 0xFF from inaccessible VRAM and no freeze or theoretically VRAM data that's wrong for a battle). The bad map script for Cinnabar Island could possibly be removed with the expanded stored PC items.

Actually if you can jump off a ledge, that should activate walk through walls, but you'd have to find a way to fix the map.
>Hopefully we can escape the trashed-RAM Glitch City
change coordinates to somewhere normal with expanded pack
change map id with expanded pack and expanded party
use 9F
hope and pray

9F only works that way in Yellow sadly, thanks though.

If you want to do the same thing as 9F in Red/Blue you may place an X Attack x18 (41 12) in the map script pointer at D36E-D36F after setting your map and coordinates right.

A problem with getting glitch items is (at least some) seem to fall in the 9800 region of the BG map, which is full of 0x7F. However in actuality the items menu doesn't become full of 0x7F or 0xFF, and other items are available.

The menu is also likely invisible, though I found a weird way to get it visible again by using "7 6" (hex:7F) with a 0x50 sub-tile in the screen data, twice. (D35F must be a quantity x127 and Master Ball 01 and you've got to flash the Trainer card) Maybe it's taking 8 8 (hex:7C)'s effect.

(Believe it or not the game is still running and you can still scroll the menu)

I tested writing to D059 (instant encounter) out of interest and it froze the game, so you can't try anything in battle.

I did find B1F in the expanded items pack (which executes SRAM A7D0) so you could in theory use that, because the SRAM is untouched. Beforehand you could use 8F to write to the SRAM, or use many many SRAM corruptions like TheZZAZZGlitch did.

Another idea may be to manipulate D163 as 0xFF from the VRAM inaccessibility, swap Pokémon 62 with 63 to walk through walls, then load a map connection to fix the map, where you may be able to go into the PC to fix meta-map scripts in the expanded PC items.

Unfortunately the only time this has happened the game would freeze after battle.
Fossil Charizard 'M get! :)

(This is with name 0x32)

Too bad almost all of the RAM is trashed, making escape from Glitch City very difficult. :(
But you could work with the items you're given in the expanded items pack in theory.

If you combine this with things that print tiles in battle (double distort CoolTrainer can do it) and avoid VRAM inaccessibility, then as VRAM is within the range of the BG Map (9C00-9E33) in theory if 9C2A is 0x15 this is another way to get Mew (or any other Pokémon/glitch Pokémon) as a fossil.

Will look into finding a way to escape the Glitch City (and potentially glitched meta-map scripts) and posting it here. :)
The types of already documented buffer overflow techniques that allow memory manipulation from the screen data so far include:

1. Super Glitch: Corruption of data from $CF4B, $D0E1
2. - (move): Corruption of data from $CF4B
3. Unterminated name glitch item: Corruption of data from $CF4B
4. Glitch location names on the Fly menu. This is an obscure one and I'm unsure how it works.
5. Unterminated name glitch Pokémon (when selected from a box): Also corruption of $CF4B onward if I remember rightly. Used in oobLG.

I think I found another one for us to look into, this time with glitch Trainer class names.

D031 (Red/Blue) and D030 (Yellow) partially control the opposing trainer class in battle. I found a Trainer name in Yellow (hex:77) which may have an extremely long trainer name. If you defeat the foe with this value set on D031/D030 (may require avoiding a problematic AI) and they have victory text, their name will be printed on the screen, and it appears that like the other buffer overflows what is corrupted after battle depends on the screen data.

I noticed 9153 in VRAM would control CFD7 (enemy Pokémon), and that this happens to be part of the foe's sprite that is displayed after you beat them. With Lorelei I get FF. Not sure whether this is due to VRAM inaccessibility or if that address is really FF but what's good about this is that the picture pointer of the opposing Trainer can be modified by manipulating the two bytes at D033 (D032 in Yellow). This doesn't have to include valid sprite pointers, hence in theory you can get many more CFD7 values by trying out different pictures and glitch pictures (which could even be in RAM).

The glitch pictures can also be used for their own unique corruption effects (possibly related to things like their dimensions). I tried 99 99 (pointing to VRAM) and it interestingly also corrupted the name you get at the end of the battle, but then I got this lovely corruption:

(I tried this two times and the first time it flew me to a glitch location, but didn't screenshot it, sorry)

Despite the fact that during experimenting the CFD7 value would stay at its corrupted value, it seems D056 (and D058 as well so instant encounter may not be possible either) is reset back to 00 meaning you can't capture Q (or theoretically Charizard 'M if this works similarly in Red/Blue) this way, which is a little sad.

Hopefully we can still exploit this to do useful things though, even though in Yellow the only way I know is through arbitrary code execution (and in Red/Blue possibly with Super Glitch as well).
News! It turns out artificial trainer classes aren't so hard to access after all (at least partially). Address D031 (Red/Blue)/D030 (Yellow) controls the actual Trainer class ID in battle according to the game. Code 01FF30D0 won't change the picture and name of the trainer, nor parties but does seem to change the AI to match the relevant trainer.

Still haven't been able to replicate this effect without Game Genie (perhaps it's very specific) but now we have a way of replicating the escape battle and warp to Victory Road effect without having to run part of the battle script. This may even be possible with Super Glitch (however normally in Red/Blue and not Yellow due to screen data updating when you enter battle) without the need for arbitrary code execution.

Edit: I did it!!! :DD

You can just force 01FF30D0 on the Lorelei battle to get the brown Glitch Dimension. Now it's time to test that with OAM DMA hijacking.

Edit 2: Setting it to FF each time will also suffice, so you can use this item code with an item 3 bootstrap.

Item 3: Lemonade x255
Item 4: Carbos x208
Item 5: X Accuracy x48
Item 6: Poké Ball x119

Edit 3:

01FD30D0 on Lorelei. It's luck dependent and I don't know if it works for every save.

Update: This is the closest I've got so far.


ld b,3D
ld hl,DA87
call 3E84
ld a,2E
ld (D63F),a
ld a,FF
call 6030

;After selecting a move, we warp to map 0xC6 (a Victory Road map), which uses the meta-map script represented by a byte at D63F. 0x2E is an out of bounds value that executes F3CD (D3CD).

@D3CD: jp DA7F

This causes the battle to restart immediately, like keeping the Game Genie codes on but with the glitch meta-map script instead. Sadly this resulted in a freeze after 5 battles or so.
Something similar happened to me once. After using 8F to activate walk through walls I walked out of bounds on accident. Somehow the game ended up resetting rather than crashing and everything was blue (I was in the Indigo Plateau if that could have affected it). I unfortunately didn't record it and this occurred quite a while ago. So this glitch or at least a variation of it is possible on console but I'm convinced it was luck that it ever happened in the first place.

Interesting. Good to know. Thanks for this Flandre Scarlet. :)

Yeah, other colours are possible. With cheats once I got "Pokémon White", which isn't very useful but still interesting.

I have found out how to encounter TM55 (Trainer FF) with ws m.

ld b,3d
ld hl,(another address in RAM goes here)
call 3e84

@hl address (unbanked RAM?):
ld a,ff
call 6030

I tried using the bank switch function (3e84) as it is meant to be used intentionally (load ROM address hl at bank b) but the value for the 'a' register was changed during this routine. This workaround means you're still on bank 3D, but the game has a chance to call 3D:6030 with a modified a register by executing code in RAM where the bank is irrelevant.

Unfortunately I can't replicate the effect this way yet. D058 is normally 0 outside of battle, and if you change it to another value you'll just encounter a regular trainer after attempting to attack. Trying to work around this with things like forcing the map 0xFE and having code in its script to redirect back to itself (maybe still wouldn't give a Glitch Dimension however, and likely not a brown one as the cave is brown).
Generation I Glitch Discussion / 'Pokémon Brown Mode' (Pokémon Yellow)
« on: January 16, 2018, 03:27:33 pm »
This is a 'glitch' in Yellow I may have discovered that allows you to start a Glitch Dimension with brown colours, possibly derived from unused Trainer 0xFF ("TM55")'s AI. Currently it is Game Genie only, but may be possible with ws m with the help of a modified Trainer battle routine.

It also doesn't seem to be RAM dependent (other than possibly from what Game Boy mode you're using) as I tested it on two save files and set breakpoints for RAM, but I don't know for sure.

On Pokémon Yellow, enter the following Game Genie codes:


As well as GameShark code 01C958D0 (rosters loaded from other trainers and/or non-roster 00s may not work the same).

Try to fight the glitch Trainer that appears and the battle will restart with you in a cave. Do this six more times and the game may suddenly reset.

It's an amazing coincidence this exists, but I guess with so many things that can happen in the game something like this would eventually happen.

Note: You may have to be on Game Boy Color mode for this to work. This didn't seem to do the reset on Super Game Boy mode (nor Game Boy mode, though I don't know if effects would be visible if it did) for some reason.
Wiki Discussion / Re: Dex status/ideas for the wiki
« on: January 16, 2018, 03:07:41 pm »
Kind of unrelated, but is there any RAM address that allows controlling trainer class? (Obviously not $D058/$D059, because those don't allow trainer class trainers above $37)

CD2D stores this according to the disassembly. However from my understanding CD2D stores a lot of things and GameShark code 01xx2DCD won't modify the trainer class (at least not on VBA v24 svn422).

However, if you just want an easy way to modify the Trainer class the following Game Genie codes should do the trick:



These Game Genie codes were created by changing part of how a subroutine works that looks up a value (Trainer class) and subtracts 200 to instead use a constant value represented by XX. As Wack0 pointed out then in theory if you run a modified version of the routine with 8F or ws m you can encounter 'artificial Trainer classes' without a Game Genie or ROM hack.

With a physical Game Genie it probably isn't possible to do this on Yellow though, due to the device working with original Game Boy games rather than Game Boy Color compatible games. I'm not 100% sure though.

Hope this helps. :)
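
The GameShark codes quoted in these posts (01FF30D0, 01C958D0, 01xx2DCD) and the "item 3 bootstrap" item list, read as raw bytes, in an added example that is not part of the original posts. The item indexes other than X Attack (0x41, given in the posts) and the helper names `decode_gameshark`, `items_to_bytes` and `run` are assumptions introduced here.

```python
# Added example (not from the posts): decode the quoted GameShark codes and
# check that the "item 3 bootstrap" item list performs the same RAM write.

# Assumption: Generation I item indexes from the commonly documented index
# list; the posts themselves only give X Attack = 0x41.
ITEM_ID = {"Poké Ball": 0x04, "Carbos": 0x26, "X Accuracy": 0x2E, "Lemonade": 0x3E}

# Items 3..6 exactly as listed in the post.
BOOTSTRAP = [("Lemonade", 255), ("Carbos", 208), ("X Accuracy", 48), ("Poké Ball", 119)]


def decode_gameshark(code):
    """Split 'TTVVLLHH' into (type, value, address); address is low byte first."""
    if len(code) != 8:
        raise ValueError("expected 8 hex digits")
    raw = bytes.fromhex(code)
    return raw[0], raw[1], raw[2] | (raw[3] << 8)


def items_to_bytes(items):
    """Bag slots are (item id, quantity) byte pairs, so the list is also code."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 0xFF:
            raise ValueError(f"quantity {qty} does not fit in one byte")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)


def run(code):
    """Interpret only the five opcodes this payload uses; return {addr: value}."""
    reg = {"a": 0, "b": 0, "h": 0, "l": 0}
    load_imm = {0x3E: "a", 0x26: "h", 0x2E: "l"}  # ld r,n
    writes, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        if op in load_imm:
            if pc + 1 >= len(code):
                raise ValueError("truncated immediate operand")
            reg[load_imm[op]] = code[pc + 1]
            pc += 2
        elif op == 0x04:  # inc b (side effect of the Poké Ball id, harmless here)
            reg["b"] = (reg["b"] + 1) & 0xFF
            pc += 1
        elif op == 0x77:  # ld (hl),a
            writes[(reg["h"] << 8) | reg["l"]] = reg["a"]
            pc += 1
        else:
            raise ValueError(f"opcode {op:02X} not modelled in this sketch")
    return writes


if __name__ == "__main__":
    print(decode_gameshark("01FF30D0"))
    print(items_to_bytes(BOOTSTRAP).hex(), run(items_to_bytes(BOOTSTRAP)))
```

The item list assembles to `ld a,FF / ld h,D0 / ld l,30 / inc b / ld (hl),a`, the same write of FF to D030 that 01FF30D0 encodes.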
It looks like a Mail glitch was documented recently that meant the Pokémon Ruby any% category was split into any% and any% glitchless, and it allows you to take many Rare Candy hold items from a Pokémon (wondering if it's part of the Mail and Trick glitches).

I don't know how this particular glitch works though, would anyone like to elaborate? Thanks.

Edit: Maybe it's not exactly the same glitch, epicdudeguy said the Japanese community thought it was only possible with a move "really hard to obtain" which could be Trick.

Edit 2: They use Twins Amy & Liv (クミとルミ) on Route 103 to start a Double Battle with Harbor Mail attached to Pokémon 1, 3, 5, 6, Abra (Pokémon 2) uses Thief on the first of your Pokémon (holding a Harbor Mail), then Thief on the opposing Minun. The mail is taken off of Abra and into the PC. A Rare Candy is equipped to a Wingull with one-character name (Pokémon 4) like Pokémon 1. Then a Harbor Mail is attached to Pokémon 1 and the phrase Geodude (イシツブテ) is entered. Then another mail is attached to Pokémon 2 (also イシツブテ name). Then you attempt to attach a Mail to the Wingull holding a Rare Candy, causing you to take away one mail in the pack and obtain one Rare Candy each time, and this can be repeated many (how many mails you have) times.

I wonder then whether the length of Pokémon 1 and Pokémon 4's name is important. On our wiki article it says to "repeat steps 2. and 4. five times" but it could be related to Kadabra's five character name (ユンゲラー). In the video Wingull and Marshtomp only have a one character name.