
Messages - ISSOtm

Now THAT is really interesting!

E7 runs code from D007, which is wEnemyMonBaseExp.
Right then is the player Pokémon's name, so no problem! Having a nick with a perfect number of characters means the first executed byte will be the player Pokémon's HP (low byte). Making this $08 is easy.
Setup that would work, though it's not the only one:
- "Box level" (?) 1-byte instruction that doesn't crash
- No status problem
- The Pokémon's type #1 should be $01 (FIGHT-type?)
And then the Pokémon's moves onwards will be run as code.

F1's C808 is in the middle of a "LY override buffer". No idea what this is, but if the first read byte is $08, then this may NOP-slide into some printer-related data. Might lead to ACE?

F403: is in the middle of some warp data. As Torchickens pointed out, this could be manipulated!
We can re-route execution to the item pack (either direct jump, or set hl then jp hl)
Pokémon sprites aren't managed by the OAM. They are written on the tilemap (otherwise they'd take all sprite slots and there would be nothing remaining for attack animations)

Also, C203 ACE (Pokémon FE) has a slim chance of being possible (I personally doubt it, but... let's cross our fingers!) and CB17 ACE may be possible; it runs code based on map data and lastly drawn tiles, and eventually on menu data (<- this one almost always crashes due to bad luck).

VRAM should be locked when data is pulled from it, so I have doubts about all non-* entries.

The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study more what locks and what unlocks SRAM. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th? I lost count) ACE exploit in these games.

Yes, we have more than 10 different ACE exploits.
Nice research, Caveat!

You mention it learns Super Glitch (four times, at levels 3, 5, 195 and 212), but could you indicate which IDs of Super Glitch are learned? Thanks!

Keep going, this is some good work :)
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 20, 2017, 01:53:04 pm »
And I confirm it works :)
Because why not :)
This is useful, for example, when making custom save files (poke @TheZZAZZGlitch :P). Or if you want to be an ugly troll to your friends ^^

This is based on DMA hijacking, a technique that allows "automatic" ACE on each frame.
First off, you will want to write this piece of code somewhere:
Code: [Select]
ld a, [$C3AA]  ; WRAM tilemap byte: $79 when the START menu is being drawn
cp $79
jr nz, .ok     ; not the START menu: fall through to the normal DMA routine
ld hl, $0014   ; hl = sp + $14, DisplayTextIDInit's return address on the stack
add hl, sp
ld [hl], $E8   ; overwrite it with $29E8 (CloseTextDisplay), low byte first
inc hl
ld [hl], $29
.ok
ld a, $C3      ; first half of the original DMA routine; ldh [c], a follows at $FF80
ld c, $46
ret
And for those who want hex:
Code: [Select]
FAAAC3 FE79 2009 211400 39 36E8 23 3629 3EC3 0E46 C9
Then, you will want to write
Code: [Select]
CDYYXX E2
at $FF80, where the address of the above function is $XXYY (be careful of the order, it's in reverse!)
For example, if NoStart is at $CAFE you will write
Code: [Select]
But be careful, those four bytes have to be written in one frame ! Otherwise you will almost certainly crash :D

Now, if everything is in place, the START menu will pop up when you press START, but will close immediately, without even printing any text inside
Until you reset the console, actually. This doesn't persist through resets :3 (although it is possible to make it permanent)
But this can make challenge runs where you aren't allowed to save (unless you change boxes), use items out of battle, re-order your Pokémon (outside of the PC). Or just have fun screwing around :P

How does it work?

$C3AA is a part of the game's WRAM tilemap, and this is where tiles are written to before being copied to VRAM (because of access restrictions)
Specifically, the game writes a $79 there (top-left menu tile) when opening the START menu. As far as I know, no other text box in the game does this.
If such a tile is detected, the script knows the game is attempting to open the START menu. Specifically, due to how text boxes work, the game is processing the DisplayTextIDInit function, which consistently waits for a few frames.
What we do is manipulate this function's return address so instead of displaying the menu, it will directly go to the function that closes it.
Code: [Select]
ld hl, $0014
add hl, sp
makes hl point to the aforementioned return address, which we overwrite with $29E8 (CloseTextDisplay) which undoes everything. Pop :P
All that remains of the menu is the blank text box, which is displayed by DisplayTextIDInit. It would be possible to avoid it, but that would be heavier. Besides, if you want to troll a friend, he will probably freak out a bit more :D

Note that this doesn't affect any other text box ;)

I'd like to make a demonstration video but I don't have any working screen recorder.
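The routine and the $FF80 hook from the post, re-assembled in Python as an added example (not part of the original post and not the author's tool): the `jr nz` displacement is derived from the length of the skipped body and the hook's address bytes are emitted little-endian, so the listing's hex and the "reverse order" caveat can be checked mechanically. Opcodes are the standard Game Boy (SM83) encodings; all addresses and constants come from the post.

```python
# Added example: assemble the post's NoStart routine and build its $FF80 hook.
# Opcode bytes are standard Game Boy encodings; $C3AA, $79, $0014, $29E8 and
# $FF80 are the values given in the post.

POST_HEX = "FAAAC3 FE79 2009 211400 39 36E8 23 3629 3EC3 0E46 C9"  # from the post


def le16(addr: int) -> bytes:
    """Little-endian 16-bit operand: $CAFE is stored as FE CA (the 'reverse order' caveat)."""
    return bytes([addr & 0xFF, (addr >> 8) & 0xFF])


def assemble_nostart() -> bytes:
    """Assemble the routine; the jr offset is computed from the body it skips."""
    head = (
        b"\xFA" + le16(0xC3AA)  # ld a, [$C3AA]   top-left tile of the WRAM tilemap
        + b"\xFE\x79"           # cp $79          START menu corner tile?
    )
    body = (
        b"\x21" + le16(0x0014)  # ld hl, $0014
        + b"\x39"               # add hl, sp      hl -> DisplayTextIDInit return address
        + b"\x36\xE8"           # ld [hl], $E8    low byte of $29E8 (CloseTextDisplay)
        + b"\x23"               # inc hl
        + b"\x36\x29"           # ld [hl], $29    high byte
    )
    tail = (
        b"\x3E\xC3"             # ld a, $C3       resume the normal OAM DMA routine
        + b"\x0E\x46"           # ld c, $46
        + b"\xC9"               # ret             back to $FF84: ldh [c], a
    )
    # jr nz, .ok : displacement is relative to the byte after the 2-byte jr,
    # so skipping the body is exactly len(body) (9 here, matching "2009").
    jr = b"\x20" + bytes([len(body)])
    return head + jr + body + tail


def matches_post_hex() -> bool:
    """True if the computed bytes equal the hand-written hex in the post."""
    return bytes.fromhex(POST_HEX.replace(" ", "")) == assemble_nostart()


def ff80_hook(routine_addr: int) -> bytes:
    """The four bytes to write at $FF80: call routine_addr ; ldh [c], a.

    They replace 'ld a, $C3 ; ldh [$46], a' at the start of the DMA routine;
    the routine above supplies a and c before returning.
    """
    return b"\xCD" + le16(routine_addr) + b"\xE2"


if __name__ == "__main__":
    print(assemble_nostart().hex().upper(), matches_post_hex())
    print("hook for $CAFE:", ff80_hook(0xCAFE).hex().upper())
```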
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 19, 2017, 06:34:53 pm »
I don't know ! Give me your Discord tag and I'll try to add it.
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 19, 2017, 05:55:50 pm »
Oh, I think I see. Try this one instead :
General Discussion / Re: Yeniaul's Discord Server (and rules)
« on: April 19, 2017, 05:50:35 pm »
Here is a new one, someone needs to edit the first post to add it.
Introductions / Re: welcome to the jungle, we have fun and games
« on: April 19, 2017, 05:21:44 pm »
We also have memes from everywhere and a Discord!

No worries about your autism, we already have autistic people here and they haven't set off a nuke yet, so all is merry and fine!
Welcome to GCL! (And nice icon, btw :D)
Yeah, I think it would be possible using cartswap ACE. We could use the DMA-hijacking-based GameShark emulator, I think there's a GameShark code to manipulate starters.
Writing is done usually on Notepad or a sheet of paper. I'm not even joking :P
Then we compile it either by hand or using some nifty tools created by the community (for example these two)

To test them, most of us prefer the BGB emulator and its amazing debugger, but some other emulators such as BizHawk are good options.
Some even take the time to build the setup on console to verify, but that's rarer.
Tech Help / Re: Editing A000 to BFFF
« on: April 16, 2017, 02:35:47 am »
The trade should work; IIRC the problem between JP and non-JP is the differing data structures (for example, non-JP versions' longer Trainer name means the OT field is larger than in JP).
Plus, data structures are the same between US and EU: no problems.
camper pointed out the first problem. Although the example might be incorrect (having seen the latest Yellow TAS playing "still alive"... :P)
But, for example, you can't make a higher-resolution display. The hardware simply doesn't allow it.

The second thing you can't do with ACE is modify ROM. You can emulate modifications (see SMB3 "total control" TAS) but they aren't permanent.
The next problem is the possible lack of RAM: the space where you can store your custom code can be very restricted, which means payloads that are too large aren't possible.
What you need first, and it is essential, is solid knowledge of assembly.
The Game Boy's processor is similar to the z80, so I recommend reading ASM in 28 Days (a Day in this tutorial is simply a lesson, not a full day :P) to learn the z80 assembly. The tutorial is for TI 8X+ calculators, so there are some things there that don't matter for Game Boy stuff, but read it all, it'll make you practice.

Once you have good knowledge of z80 assembly, read the Pan Docs to get the basics of the GB's internals.

And then get familiar with Gen I's engine, and you can start coding !