Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
ItemDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man trick
Celebi trick
Select glitches (Japan)
SRAM glitch
CoolTrainer♀ corruption
LOL glitch
Rival LOL glitch
Super Glitch
ZZAZZ glitch
Pomeg corruption glitch (Glitzer Popping)
Tweaking
Elite Four door glitch (Japan)
Pokémon merge glitch
Pokémon cloning
Time Capsule exploit
Arbitrary code execution
Coin Case glitch
More

Other Glitch Categories
Glitches by generation
Glitches between two generations
Japan-only/language specific glitches
Music glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Officially acknowledged glitches
Recurring glitches
Dead glitches

References
Pokémon GameShark codes
The Big HEX List
GB programming
Curiosities
Debugging features
Easter eggs
Error traps
Glitch areas
Glitch myths
Non-glitch exploits
Placeholder texts
Pokémon glitch terminology
Unused content and prerelease information

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Search Wiki

 

Search Forums

 

Author Topic: Manipulate specific flags?  (Read 358 times)

0 Members and 1 Guest are viewing this topic.

suloku

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Manipulate specific flags?
« on: March 21, 2017, 05:05:58 am »
Hello,

I've been reading about gen 3 ACE and glitches trying to find a way to manipulate specific flags (specifically, Emerald's event islands for legendary pokémon) and after reading about the inner works of ACE and glitzzer popping I have some doubts:

- I've seen that via Glitzzer popping the flags to birth, faraway and southern island can be enabled, but for what I've read about the how the glitch works, those are only enabled because of the game recognizing the data as a corrupt pokémon and setting it as a bad egg, which results in the flags being enabled. The flags for the 4 islands are consecutive, but to my understanding there's no way to manipulate the address, in fact that there's a glitch pokémon that makes those two flags for the islands get enabled is quite lucky already. Am I wrong and can glitzzer popping be altered to manipulate any flag given we know where it is?

- Since I though I couldn't achieve what I wanted via glitzzer popping, I though ACE was the way to go as showcased here: https://www.youtube.com/watch?v=m9pvNYdhldo&t=31s
 The method seems promising as even with the 60 instruction limit, I think enabling 4 flags should fit, but as I don't know ASM I don't have a clue about how to write the payload for setup. I do know how to find the ASM in the rom for the setflag instruction scripting uses though, but without knowing how to use it, doesn't really make a difference.
Also, I don't know if the savegame being "aligned" (blocks 0-14 being in ascending order as seen here https://www.youtube.com/watch?v=1pb-6hMDQBs) is a requirement for this ACE method.

The ultimate goal is just a simple ACE that enables the 4 island flags, the items can be obtained via glitzzer popping so they aren't a problem. Being able to enable/disable flags could have other uses, like re-battling the legendaries, which might also be interesting.

I personally prefer the ACE way, since glitzzer popping corruption flag enabling also changes undesired flags in the process, so ACE should be a lot cleaner for the savefile imho.

Yeniaul

  • Guest
Re: Manipulate specific flags?
« Reply #1 on: March 21, 2017, 06:40:43 am »
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Manipulate specific flags?
« Reply #2 on: March 21, 2017, 07:26:52 am »
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

GBA uses ARMv4...

Anyway, if you want code exec, and you have a Wii and a GC->GBA link cable, you can use the RCE I found and detailed here http://forums.glitchcity.info/index.php?topic=7861.0

You'll be able to write your payloads in C there, hopefully it's what you need (you'd be able to get the items with it as well, FYI, you'll have lots of space for your payload, about 124 KB...)
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

suloku

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Manipulate specific flags?
« Reply #3 on: March 21, 2017, 09:14:48 am »
The point would be to do it with only a GBA cartridge, as I pointed in the thread, If I only wanted to execute in-game script commands I could do it via wondercards (but your RCE method is way more powerful and has more possibilities). Would be interesting to see this implemented as a GBA to GBA hombrew, instead of GC/Wii to GBA, but that's another topic.

I went asked TheZZAZZGlitch on his video. I don't know if the flags are in the DMA regions, but if they aren't, would that 60 instruction limit allow to set a bit at a certain memory location given we know that exact memory address beforehand?

ps: sorry for any stupid question, but I don't really know anything about assembly

Yeniaul

  • Guest
Re: Manipulate specific flags?
« Reply #4 on: March 21, 2017, 09:58:49 am »
GBA uses ARMv4...
I am aware, but he should start with Z80ASM anyway, as skills he learns in Z80 can be transferred to ARM, and he can write Gen 1/2 ACE scripts.
Derp. :P

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Manipulate specific flags?
« Reply #5 on: March 21, 2017, 11:30:17 am »
Would be interesting to see this implemented as a GBA to GBA hombrew

Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

suloku

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Manipulate specific flags?
« Reply #6 on: March 24, 2017, 03:31:57 am »
Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

I'm getting of topic, but the GBA 10ANNIV rom (and probably others) worked by sending a client application the GBA from another GBA. The leaked official SDK has an example about this too (by the way one of the 10ANNIV roms was made public recently).

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Manipulate specific flags?
« Reply #7 on: March 24, 2017, 05:50:07 am »
Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

I'm getting of topic, but the GBA 10ANNIV rom (and probably others) worked by sending a client application the GBA from another GBA. The leaked official SDK has an example about this too (by the way one of the 10ANNIV roms was made public recently).

That uses the GBA BIOS multiboot, which is different from the multiboot implemented inside of R/S/E/FR/LG (which uses the JoyBus protocol over the link cable for communicaion with the GameCube games).
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Manipulate specific flags?
« Reply #8 on: March 31, 2017, 09:10:49 am »
Hello,

I've been reading about gen 3 ACE and glitches trying to find a way to manipulate specific flags (specifically, Emerald's event islands for legendary pokémon) and after reading about the inner works of ACE and glitzzer popping I have some doubts:

- I've seen that via Glitzzer popping the flags to birth, faraway and southern island can be enabled, but for what I've read about the how the glitch works, those are only enabled because of the game recognizing the data as a corrupt pokémon and setting it as a bad egg, which results in the flags being enabled. The flags for the 4 islands are consecutive, but to my understanding there's no way to manipulate the address, in fact that there's a glitch pokémon that makes those two flags for the islands get enabled is quite lucky already. Am I wrong and can glitzzer popping be altered to manipulate any flag given we know where it is?

Southern Island can be directly obtained by corrupting a word that manages the delivery man script, (its default script being Southern Island's one, while the others needed to be added through mystery cards), so that one is the easiest of them to obtain in Emerald (and this works on any emerald file).
Since the unlock flags for  the event islands aren't far from each other, there wasn't too much "luck" required to get at least one in a certain word (what was important was the location of that word inside its double-word because that word needs to be read as "Remaining HP" for a party Pokémon).
The criteria for having a Glitch Pokémon that gives the right party slot were also a bit large (the character that influences the party slot is around 8.000 and the maximal name lenght to make things possible is around 10.700 characters).
The fact that there is no Glitch Pokémon that has a name fitting these two requirements on US and JP Emerald seems for me to be the "unlucky" part as a certain amount of Glitch Pokémon could potentially work (but the required value never ended up in the right character).

The flags for Navel Rock, Faraway Island, and Birth Island also can't be corrupted via Pomeg Glitch Data Corruption (aka Glitzer Popping) because they aren't in the right location in their respective double-words.

Out of the few other ways to corrupt data induced by Pomeg Glitch or Glitch Stuff, none of them can set the bits for the islands flags and leave the game stable/playable. (With a longer glitch Pokémon name, you could set these bits to 1 but too much graphical-related data would have been corrupted and the game would crash once you would move).

This also holds true for RS and FrLg.
An effect from viewing certain Glitch Pokémon summaries in FrLg seemed promising (it messes up with the value that tells you how many summaries you can still see by pushing down) but you either end up freezing the game quite early or only having less than a dozen of additional summaries that you can see.


So as of now, ACE stands as the sole way to unlock the remaining event islands and some other stuff.

Things regarding ACE have progressed for a good amount towards procedures doable on console since the discovery of another entry point via Glitch Moves Animation Scripts by Wack0.

Writing a code that triggers a flag can be done, but the tough part is about the amount of stuff you would be required to do on console, especially with Glitch Items (they can't be distinguished from each other so once you start placing them you can only know if your "Glitch Items and placement" was good once you attempt your ACE.

The procedure with the least setup that I thought of to run an overworld script in Emerald is :
- Get the Bootstrap Pokémon (some EV training for the Poké + 1 Glitch Item)
- Write commands to set the event islands flags in the PC (4 Glitch Items, 1 per flag)
- Store some Glitch Items in Pyramid Bags to make a code (16 Glitch Items if I remember well)
- Make an ACE to execute the code made with Pyramid Bags Items : Copies the PC Items data to an area unaffected by DMA + changes the script adress of a NPC on the map to the adress of the area unaffected by DMA.
- Talk to the NPC to execute the commands stored there and unlock the islands.

Thus, that's ~20 Glitch Items you need to obtain without a single EV failure.