Show Posts



Messages - Epsilon

Pages: [1] 2 3 ... 14
1
Debate Wars / Re: Best Famous Youtuber.
« on: Yesterday at 09:52:12 am »
I tend to stay away from the Youtube community if at all possible, especially the atrocious gaming community, which consists of grown adults playing a game and screaming at the camera in an attempt to muster followers.

If I do visit youtube, it's for political content. I tend to watch Hunter Avallone on these occasions.
2
General Discussion / Re: The Glitchy Thread of Topiclessness (#3)
« on: January 19, 2018, 06:19:19 pm »
2017 was a rather boring year on my end. I did get to see my sister in Colorado, though, so that was nice.
3
Multimedia Discussion / Re: What song are you listening to right now?
« on: January 19, 2018, 12:53:32 pm »
Foster the People - Best Friend

Absolutely legendary song, though the music video may not be for the faint of heart.
4
Amazing :)

Thanks!

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)

Modifying $A598-$B522 would require a checksum fix at $B523. Though I'm not certain if this is checked, the box data in banks 2-3 have their own checksums. These need not be modified if you only care about the current box, however.

How would you do this for Yellow and Crystal?

In Yellow, I believe SRAM data is not shifted. Don't quote me on that, though, because I'm not 100% certain. I just checked Pokeyellow, and it seems my setup for Mew will still work! :)

As for Crystal, I'm not certain. I don't think data is shifted in Crystal to an extent that would prevent this from working, but once more I'm not 100% certain, as I currently lack a Crystal ROM.
5
Here, have a CartSwap setup!

Code:
A p é 7 2 é ? 2
é & 2 'v 9 é 8 2
p 'v * é (male) 2 / /
é * 2 / / / / p
0 (pk) é A 9 4 A 9
/ / ? A 8 A / /
'm (pk) 2 p 's A (female) 'm

This is compatible with either the Coin case setup or Wrong Pocket

In gbz80, that's:
Code:
xor a ; a = 0
ld ($f8fd),a ; self-mod
ld ($f8e6),a ; self-mod
ld d,b ; end-terminator
ld ($f8e9),a ; self-mod
sub $FF ; a = 1
ld ($f8fe),a ; self-mod
ld d,b ; end-terminator
xor a ; a = 0
sub $F1 ; a = $0f
ld ($f8ef),a ; self-mod
di ; Disable ints. If they are active during cartswap, and an int is requested, unwanted code may be executed
di ; padding
ld d,b
ld ($f8f1),a ; self-mod
di ; padding
di ; padding
di ; padding
di ; padding
.loop:
xor a ; a = 0
ld d,b ; end-terminator
or $e1 ; a = $e1
ld ($ff00),a ;  Enable polling for Directional buttons. Didn't use "ldh", as it isn't char-representable
ld a,($ff00) ; Receive results of poll
ld d,b ; end-terminator
di ; padding
di ; padding
and $0f ; I don't care about the upper nibble
cp $0f ; Compare with $0f
di ; padding
di ; padding
ld d,b ; end-terminator
jp nc, .loop ; If the carry flag wasn't set by the compare, jump back. (Didn't use "jr", not char-representable)
xor a ; a = 0, reset flags
call nc,$F580 ; Call the third TM quantity. ENSURE THE CARRY FLAG IS NOT SET IN YOUR FUNCTION
jp nc,$0100 ; Boot into whatever game is loaded now

Basically what this does is it waits for any button on the D-Pad to be pressed, calls a function written starting at TM03, and then reboots the game. During this time, you can swap the cartridges and write to SRAM.

"So what do I write to TM03?" - That's where you come in!

In gen2, TM quantities (starting from TM03) grant you 48 bytes to write your own code to alter the SRAM of other games.

Not sure what to do? Here's an example:
Code:
TMs    Keep/Deposit
TM01   Any
TM02   Any
TM03   38/217
TM04   10/245
TM05   116/139
TM06   38/217
TM07   64/191
TM08   46/209
TM09   1/254
TM10   117/138
TM11   62/193
TM12   21/234
TM13   234/21
TM14   193/62
TM15   176/79
TM16   234/21
TM17   211/44
TM18   176/79
TM19   22/233
TM20   1/254
TM21   21/234
TM22   1/254
TM23   139/116
TM24   15/240
TM25   33/222
TM26   152/103
TM27   165/90
TM28   42/213
TM29   130/125
TM30   87/168
TM31   11/244
TM32   120/135
TM33   177/78
TM34   32/223
TM35   248/7
TM36   122/133
TM37   47/208
TM38   234/21
TM39   35/220
TM40   181/74
TM41   201/54

Raw bytes:
Code:
$D580 / 26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0
16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20
f8 7a 2f ea 23 b5 c9

To use:

1. In Pokemon Red/Blue, ensure you have the first pokemon in your current box be a disposable one
2. Setup your box name and TM quantities as above
3. Use the coin case or wrong pocket
4. (On BGB, this is accomplished with "Load ROM without reset") Swap into Pokemon Red/Blue (maybe Yellow, I'm not sure)
5. Press any button on the D-Pad

When you boot into Pokemon R/B, the first Pokemon in your box should now be Mew. (The name will remain unchanged)

In my opinion, this is a bit easier to deal with than Gen 1 cartswap.

Enjoy!
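The $B523 checksum fix mentioned in this post, as an added worked example (not code from the post or from any Pokémon project): the post's raw bytes implement the Gen 1 bank-1 checksum as the byte sum of $A598-$B522, complemented, stored at $B523, and this models the same check so you can verify an edited box before the game does. The 8 KiB bank image, the filler species id and the seed are constructed; the addresses are the ones the post names.

```python
import random

# Added example, not code from the post. Models the Gen 1 SRAM bank-1
# checksum the post's raw bytes implement: sum $A598..$B522, complement,
# store at $B523. Addresses are CPU addresses with bank 1 mapped at $A000.
SRAM_BASE = 0xA000
BANK_SIZE = 0x2000
CHECKSUM_START = 0xA598
CHECKSUM_END = 0xB522          # inclusive
CHECKSUM_ADDR = 0xB523
BOX_SPECIES_LIST = 0xB0C1      # species list entry of the first box mon (from the post)
BOX_MON_SPECIES = 0xB0D3       # species byte in the first box mon's data (from the post)
MEW = 0x15                     # what the post's payload writes ("ld a,$15")


def off(addr: int) -> int:
    """Translate a CPU address in $A000-$BFFF to an index into the bank image."""
    return addr - SRAM_BASE


def sram_checksum(bank: bytes) -> int:
    """Byte sum over $A598-$B522 modulo 256, then complemented (the 'cpl')."""
    total = sum(bank[off(CHECKSUM_START):off(CHECKSUM_END) + 1]) & 0xFF
    return total ^ 0xFF


def checksum_ok(bank: bytes) -> bool:
    """True when the stored $B523 byte matches the recomputed checksum."""
    return bank[off(CHECKSUM_ADDR)] == sram_checksum(bank)


def patch_box_mon(bank: bytes, species: int, fix_checksum: bool = True) -> bytearray:
    """Rewrite the first box mon's species; recompute $B523 unless told not to."""
    out = bytearray(bank)
    out[off(BOX_SPECIES_LIST)] = species
    out[off(BOX_MON_SPECIES)] = species
    if fix_checksum:
        out[off(CHECKSUM_ADDR)] = sram_checksum(out)
    return out


def make_sample_bank(seed: int = 1) -> bytearray:
    """Constructed 8 KiB bank-1 image: random filler, a fixed species, valid checksum."""
    rng = random.Random(seed)
    bank = bytearray(rng.getrandbits(8) for _ in range(BANK_SIZE))
    bank[off(BOX_SPECIES_LIST)] = 0x99   # constructed filler species id
    bank[off(BOX_MON_SPECIES)] = 0x99
    bank[off(CHECKSUM_ADDR)] = sram_checksum(bank)
    return bank
```

Patching the two species bytes without touching $B523 leaves the bank with a stale checksum, which is exactly the case the post's payload avoids by recomputing it.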
6
General Discussion / Re: The Glitchy Thread of Topiclessness (#3)
« on: January 19, 2018, 07:15:18 am »
I spent a solid 5 minutes pondering what to post here. This 5 minutes could have been used to do my assignment. What have I become?

Anyways, it's supposed to be 50 degrees fahrenheit today and this weekend. Noice.
7
Are there any hidden pokemon sprites in the code of any games that are pokemon that don't exist?

No. At least not in gen 1. All sprites in the code are used.

I can't speak for later generations, however, but I presume it to be the same.
8
CartSwap using button input

CartSwap currently uses a timer to delay frames until reboot, meaning the user must quickly pull out the cartridge and insert a new one before the timer ends.

This new version simply waits until the user presses START before rebooting.

8f
Any xAny
TM43 x4 (hex:04)
Lemonade x16 (hex:10)
Carbos x255 (hex:FF)
X Accuracy x1 (hex:01)
Ice Heal x45 (hex:2D)
Burn Heal x119 (hex:77)
Elixer x126 (hex:7E)
TM30 x15 (hex:0F)
Awakening x7 (hex:07)
Potion x185 (hex:B9)
Fire Stone x235 (hex:EB)
X Attack x101 (hex:65)
Protein x14 (hex:0E)
Master Ball x121 (hex:79)
TM33 x[Any qty]

ASM:
Code:
di ; Prevent the game from prematurely executing the other game's interrupts
inc b ; Filler
.loop
ld a,$10 ; a = $10
ld h,$ff ; hl = $FF22
ld l,$01 ; hl = $FF01
dec c ; Filler
dec l ; hl = $FF00, hardware register responsible for Joypad input
inc c ; Filler
ld (hl),a ; Enable polling for button inputs
ld d,d ; Filler
ld a,(hl) ; Grab current button inputs
and $0f ; Filter out unrelated upper nibble
ld c,$07 ; c = $07
inc d ; Filler
cp c ; compare a with c. In binary, this would check for %0111, as bit 3 is reset if START is pressed
jr nz,.loop ; Not Equal? Go to loop
ld b,c ; Filler
ld h,l ; hl = $0000
inc h ; hl = $0100 (GB booting point)
ld c,1 ; c = 1
ld a,c ; a = 1
jp hl ; Reboot
9
General Discussion / Re: Cool ASCII of my favorite word!
« on: January 12, 2018, 07:14:24 pm »
Though it may be different across browsers, I read "EMSMF".
10
Debate Wars / Re: Religion
« on: January 10, 2018, 01:25:28 pm »
Personally, I'm an atheist. I never bought into the idea of a higher power.
11
Note: This only allows for Red -> Red or Blue -> Blue duplications. Attempting an R -> B or vice versa will result in a glitch Pokemon center that you cannot escape from

Hey all! Not sure how useful this might be, but I made a save file (well, "made", meaning I saved the game) that allows you to duplicate and play the save file of the person you are trading with in Pokemon Red/Blue! It uses the RCE method discovered by vaguilar and documented here.

To Use

1. Have a Pokemon Red/Blue cartridge with the save file you wish to duplicate (This file needs no special prerequisites, outside of being able to use Cable Club, meaning Oak's Parcel has been delivered)
2. Have a copy of the same game (Red/Blue wise), with its respective duplication save file loaded (I have attached both saves to this thread)
3. Connect the two via link cable (If you're on BGB, you can do this with Right Click>Link>Listen on one and Right Click>Link>Connect on the other)
4. Go to the Trade Colosseum
5. Start a trade
6. Wait for save file transfer to complete
Few things to note: This is different from Mr.Cheeze's virus in that this needs to transfer all three banks. As such, this is going to take a minute or two. Be patient.

During this time, you will notice both screens will become glitched. This is the save file data you are duplicating, being represented as tiles.

7. Once they are finished, both Gameboys will restart
8. You should now be able to play the save file you duplicated!

Technical

As I mentioned earlier, this uses the exploit vaguilar discovered and documented.

As you might have guessed, this was inspired by "Mr.Cheeze's virus"

Basically what vaguilar's exploit does is: since the subroutine that draws Pokemon names to the screen doesn't end until it reaches the $FF terminator, you can change bytes in your party to force the subroutine to write names to the stack, forcing the game to jump to a certain address upon reaching "ret". In order to force the buffer to go that far, and to not damage any other important parts of RAM, we use glitch Pokemon $E3 (or $E4), as its name begins with an end terminator $50. Because of this, we can safely move the buffer forward.

Our party looks like this: (note: the Gameboy you are duplicating the save file from is referred to as "victim", the other Gameboy with my save file will be referred to as "master")
Code:
06 ; # of Pokemon, completely irrelevant
00 x6  ; These six pokemon are irrelevant also
e3 x346 ; Advance the buffer to the "victim"'s stack
ce ; Write $CE's name to the victim's stack (EE 21 96 D7 CB 86 21 A3 D7 CB), "A3 D7" is what the game will read from when returning, causing it to jump to $D7A3 (nop slide to master's name)
e3 x7 ; Advance the buffer to the "master"'s stack
f1 ; Write $F1's name to the stack (40 40 40 FF FA 30 D7 CB 47 C0) "30 D7" is what the game reads from when returning, forcing a jump to $D730 (event flags)
ff ; Cause aforementioned buffer to return, forcing the jumps

---
ld a,8 ; a = 8
ldh [rIE],a ; Only allow serial int
ld hl,$0316 ; Garbage to send master in exchange for payload (starts with $FD to allow for transfer)
ld de,$dc00 ; Location to store payload
ld bc,$0110 ; Bytes to send (sends way more than necessary to account for $fd bytes)
call $216f ; Exchange data
ld hl,$dc00
ld b,$fd
.loop: ; Check for FD bytes
ldi a,[hl] ; Grab byte at hl
cp b ; Is it $fd?
jr z,.loop ; If it is, keep looking
dec hl ; Undo the ldi
ld a,$0d ; a = $0D
ldh [rIE],a ; Enable vblank,timer,and serial ints
jp hl ; Jump to payload sent by master

At this point, the victim Gameboy is executing code from the master's name. The code we have written there causes the victim Gameboy to wait for synchronization with the master, and display the "Waiting!" text on the screen. The master Gameboy is executing code in a section of RAM that is normally used for event flags. It nop slides to $D743, where we have written a jump instruction to $DA80, our "PC pokemon" (there we have written another payload). Aforementioned payload causes master to synchronize with the slave Gameboy.

Once both gameboys are synchronized (using a subroutine at $226E, or $227F if we do not want to display the "Waiting!" text), we call a subroutine to delay for a few frames, and then we begin the transfer.

The master Gameboy first transmits the payload we want the victim to execute. The victim then (after jumping to a payload written at the end of master's party) executes the aforementioned payload, which causes the victim to write 03:A000 - 03:AFFF to the tilemap buffer. Then, both Gameboys synchronize once more, and the victim Gameboy sends over that portion of the save file (receives garbage in return). The master then copies what it receives into its own save file in its respective location. It does this for each 256-byte portion of the SRAM bank before switching banks. Once all 4 banks have been copied (0 - 3), the game locks SRAM and then restarts.

Code executed by master at $DA80:
Code:
transmitpayload:
call $226e
call $3dd7
ld a,8
ldh [$ff],a
ld hl,$d53a
ld de,$c3a0
ld bc,$110
call $216f
ld a,$0d
ldh [$ff],a
Start:
ld b,4
push bc
ld a,$0a
ld h,a
swap a
push af
ld [hl],h
ld h,$40
dec b
ld [hl],b
ld h,$60
ld l,$01
ld [hl],l
transmit:
call $227f
call $3dd7
ld a,8
ldh [$ff],a
ld hl,$0316
ld bc,$10b
ld de,$c3a0
call $216f
ld a,$0d
ldh [$ff],a
findhl:
ld hl,$c3a0
ld b,$fd
.loop:
ldi a,[hl]
cp b
jr z,.loop
dec hl
Init:
pop af
ld d,a
push af
ld e,0
ld bc,$100
memcpy:
ldi a,[hl]
ld [de],a
inc de
dec bc
ld a,b
or c
jr nz,memcpy
determine:
pop af
inc a
ld b,$c0
cp b
jr z,bankswap
push af
jr transmit
bankswap:
pop bc
dec b
push bc
jr z,end
ld h,$40
dec b
ld [hl],b
ld a,$a0
push af
jr transmit
end:
ld h,$00
ld [hl],h
jp $100

Code executed by victim (near $dc00):
Code:
Start:
ld b,4
push bc
ld a,$0a
ld h,a
swap a
push af
ld [hl],h
ld h,$40
dec b
ld [hl],b
ld h,$60
ld l,$01
ld [hl],l

Init:
pop af
ld h,a
ld l,$ff
ld de,$c507
ld bc,$100
push af
backwardsmemcpy:
ldd a,[hl]
ld [de],a
dec de
dec bc
ld a,b
or c
jr nz,backwardsmemcpy
ld a,$fd
ld [de],a
transmit:
push de
call $227f
call $3dd7
pop hl
ld a,8
ldh [$ff],a
ld de,$c200
ld bc,$10b
call $216f
ld a,$0d
ldh [$ff],a
determine:
pop af
inc a

Sorry if I over/under explained. Enjoy!
12
is cloning not considered cheating by most?

That's entirely relative, and it would depend on who you ask. Personally, I do not consider the use of glitches to be cheating, but you may come across someone who disagrees

can you clone Events?

Any Pokemon can be cloned.
13
General Discussion / Re: The Member's Guide to Topiclessness
« on: January 06, 2018, 06:50:26 pm »
I only joined last summer.
14
(hmm except for RNG manipulation)

While useful, RNG manip isn't exclusive to gen V. In fact, I find it to be far easier on Gen III
I remember that luckytyphlosion was talking about how both Generation II and V support infrared. In theory an exploit from that could follow through similar to the GTS spoofing exploits that once worked without Action Replay prior to the shutdown of the GTS

Interesting that you mention that, as a small group of people (Wack0, ISSOtm, and luckytyphlosion) have been discussing a potential emulator-escape exploit on VC for Gameboy Color ROMs. Maybe their findings there can allow for this?
15
I hate to tell you this, but it is unlikely such a glitch will be found in the near future, if at all. Research in Gen V is rather lax, considering we don't have a great/decent understanding of the game's code. In fact, I have yet to see a major or otherwise notable glitch from the generation.

I suppose all one can do is wait. I cannot research this myself due to a lack of resources to do so; also I'm busy with something else at the moment.