Messages - Princess Torchic ❤

Thanks Krys3000.

That is awesome :). Had no idea there were so many interesting effects.

In English versions 0xFF finishes the Hall of Fame when called in the morning as well. Love that you can fight ????? (0x00) in French versions this way so may try that too.

I've found that even if the data at F7CD is safe, the game can still freeze after receiving the Master Balls, but not always. Curiously when I called the 0xAF number again following a non-freeze I received a TM, and when called a third time a Nugget if I remember rightly.

Some of the glitch contacts also have variable names. I wonder if it's possible to give them custom names like how Crystal_ got a call from Rick Astley for an April Fool's joke?
If you somehow register glitch contact 0xAF (01AFC6D9) and call them in the morning (not during the day or at night), it's possible to contact them without getting a message that they are out of the area, and will give you a Master Ball.

In the past it was reported that you'd get a Glitch Dimension after the message. However the game will actually execute F7CD (D7CD; somewhere in the event flags). This may actually be reachable from the expanded Balls pack. If there is a 0xC9 around here (I placed mine at D7CE) then you can actually get a Master Ball with no freeze. A whopping 52 in fact!

It's a shame glitch contacts are arbitrary code execution only for now, but maybe in the future we can put this to use without arbitrary code execution (even though Balls pocket corruption allows for those many Master Balls already).

Back to report both the memory editor (party setup) and editing SRAM bank 1 to change the stored Pokémon worked on Virtual Console :)

Also edited the Trainer House (SRAM bank 0) to fight a Mewtwo over Level 100. I didn't have many items so I got owned.
The only downside with this method is you're stuck with one party Pokémon. Catching a new one will break the code. Going to try this on Virtual Console shortly. Do you know if you can still edit stored Pokémon in the box on those versions with no issues? That could make it useful for Pokémon farming.

Unfortunately, I lack a functional 3DS, and as such I am unable to use 3DS VC.

OK, thanks anyway Epsilon. I'm signing off now to get some sleep after testing so will (if possible) report back tomorrow.
Ah, I see. I will rebuild my code with the new base address and update the source.

Thank you for trying that address!

You're welcome. :) Happy to have helped.

The only downside with this method is you're stuck with one party Pokémon. Catching a new one will break the code. Going to try this on Virtual Console shortly. Do you know if you can still edit stored Pokémon in the box on those versions with no issues? That could make it useful for Pokémon farming.

The memory editor simply takes the character hex and subtracts 246. If that set the carry flag, the editor then subtracts 128. It then swaps the result and loads it into "b". This process is then repeated for the next nybble, but then rather than swap the nybbles it bitwise ORs the result and "b". It does this twice to get the least significant byte (big-endian).

So "&123" would be $3723

Ah OK, that makes sense. Thanks. ^^
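
Added example (not part of the original posts and not Epsilon's code): a Python model of the nybble parsing described above, next to a checked variant that rejects characters that are not hex digits. The character codes in `CHARMAP` are assumptions chosen to match the subtract-246 / subtract-128 description and the "&123" -> $3723 result; all function names are hypothetical.

```python
# Added example: model of the memory editor's address parser described above.
# Assumed text codes: '0'-'9' = 0xF6-0xFF, 'A'-'F' = 0x80-0x85, '&' = 0xE9.
CHARMAP = {**{str(d): 0xF6 + d for d in range(10)},
           **{c: 0x80 + i for i, c in enumerate("ABCDEF")},
           "&": 0xE9}

def to_nybble(code):
    """sub 0xF6; if that borrowed (carry set), sub 0x80. No range check."""
    a = (code - 0xF6) & 0xFF
    if code < 0xF6:            # carry set by the first subtraction
        a = (a - 0x80) & 0xFF
    return a

def swap(a):
    """Game Boy `swap a`: exchange the high and low nybbles."""
    return ((a << 4) | (a >> 4)) & 0xFF

def parse_byte(hi, lo):
    """First character is swapped into the high nybble, second is ORed in."""
    return swap(to_nybble(hi)) | to_nybble(lo)

def parse_address(text):
    """Editor behaviour: 4 characters -> 16-bit address, big-endian, unchecked."""
    c = [CHARMAP[ch] for ch in text]
    return (parse_byte(c[0], c[1]) << 8) | parse_byte(c[2], c[3])

def parse_address_checked(text):
    """Hardened variant: reject any character that does not decode to 0x0-0xF."""
    c = [CHARMAP[ch] for ch in text]
    if len(c) != 4 or any(to_nybble(x) > 0x0F for x in c):
        raise ValueError(f"not a 4-digit hex address: {text!r}")
    return parse_address(text)

if __name__ == "__main__":
    # Constructed inputs: two valid addresses from the thread and the "&123" case.
    for s in ("DA8D", "B002", "&123"):
        print(s, "->", f"${parse_address(s):04X}")
```

The unchecked parser turns "&" into 0x73, which after the swap leaks into both nybbles of the high byte; the checked variant catches this because a valid hex digit always decodes to 0x0F or less.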
Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 12, 2018, 05:36:01 pm »
A setup that triggers an encounter after N steps? That's not possible with an 8F code; you would need heavier memory editing.

Could you use 8F to change the map script pointer to check D13B though (with something like conditional jumps)? D13B counts down every step and we can set it to whatever we like first.
OK. Using rgbasm and rgblink to generate a code for use at DA8D (Pokémon 3 move 2) works fine.

My setup for TM25 now has the same Quagsire in slot 3 with Attract as move 1 holding a Lucky Egg. At D57E (TMs/HMs) is a jp DA8D, and at DA8D is the following code:

11 80 FF 0E 00 AF E0 26 3C E0 D6 F3 21 BB C3 D5 06 0B C5 7A CD 32 DB 7B CD 32 DB 3E 25 22 1A CD 32 DB 13 01 0D 00 09 C1 05 20 E7 21 BF C3 79 A7 28 07 57 AF C6 14 15 20 FB 16 00 5F 19 36 ED CD 47 DB D1 F0 A5 47 CB 77 28 08 79 A7 28 03 0D 18 01 1B 78 CB 7F 28 09 79 FE 0A 28 03 0C 18 01 13 78 CB 4F 28 05 AF 3D E0 26 D9 78 CB 67 28 06 21 10 00 19 54 5D 78 CB 6F 28 06 21 F0 FF 19 54 5D 78 CB 57 28 0D AF E0 D6 3D E0 26 FB 62 6B 06 00 09 E9 78 CB 5F 28 03 CD 56 DB 78 CB 47 28 03 CD 8C DB C3 99 DA C5 0E 02 47 CB 37 E6 0F C6 F6 30 02 C6 80 22 78 0D 20 F3 C1 C9 E5 C5 D5 F5 CD BB 14 CD E6 08 F1 D1 C1 E1 C9 C5 E5 3E 0E EA AB CE AF E0 DA FB 21 C0 7E 3E 38 CF F3 0E 01 21 34 D9 CD 84 DB CB 37 47 CD 84 DB B0 47 0D 20 03 50 18 EF 58 E1 C1 AF 4F C9 2A D6 F6 30 02 D6 80 C9 D5 AF 47 C5 3E EC 22 E5 62 6B 09 54 5D E1 1A 4F CD 47 DB F0 A5 47 CB 6F 28 01 0D CB 67 28 01 0C CB 7F 28 04 79 D6 10 4F 78 CB 77 28 04 79 C6 10 4F 78 CB 4F 20 08 79 E5 CD 32 DB E1 18 D2 79 12 C1 D1 C9

I decided to set de as FF80 with OAM DMA hijacking being one of the most powerful glitches.

Before using TMs/HM quantities to write the jump to DA8D at D57E, you could set up a code injection program beginning in the TM/HM quantities. If you set DA22 (number of Pokémon counter) to 01, DA34 (second Pokémon) to FF you won't ever be touching Pokémon 3+'s happiness and healing Pokémon is safe. It may be wise too to give your first Pokémon HM moves by modifying DA2C-DA2F.

The 0x00 bytes and address values may be problematic for creating a reusable memory editor, but there must be a convenient way.

After finishing writing to DA8D would go the jp DA8D, and fortunately that's all there is to it, though the logistics of writing all the data may be long and prove interesting.

Arbitrary Code Execution Discussion / Re: 8F script request
« on: February 12, 2018, 04:21:09 pm »
I am looking for an 8F script that will allow me to encounter a Pokémon after x amount of steps. I've just started 8F and don't know much about code in general so help would be appreciated. I figure you have to load something into D059 but I don't have a clue on how to do the rest. Also one that disables map connections would be nice. Thanks in advance.

You're in luck as D13B is already a step counter that counts down every step.

So putting this together could involve setting D13B to your desired value and using a condition (such as (not ASM language but logic-wise) if D31B - 1 <1 , set D059 to (Pokémon). Here you could use a D13B value of 6, so 5 steps are required before it reaches 0). If I have time tomorrow will check it out for you. :)

As for map connections I'm not sure how exactly to do that but you can lock your coordinates at the same value (D361, D362) to get a similar effect where map connections never load.
I have an idea. Your memory editor seems to be 322 bytes.

Before (according to ISSOtm) the unused memory addresses at DF00-DF80 are multiple structures, but the first two don't seem to be that important.

Quote from: Pokémon Gold disassembly
wOTPartyMon1:: party_struct wOTPartyMon1 ; dd5d
wOTPartyMon2:: party_struct wOTPartyMon2 ; dd8d
wOTPartyMon3:: party_struct wOTPartyMon3 ; ddbd
wOTPartyMon4:: party_struct wOTPartyMon4 ; dded
wOTPartyMon5:: party_struct wOTPartyMon5 ; de1d
wOTPartyMon6:: party_struct wOTPartyMon6 ; de4d

wOTPartyMon1OT:: ds NAME_LENGTH ; de7d
wOTPartyMon2OT:: ds NAME_LENGTH ; de88
wOTPartyMon3OT:: ds NAME_LENGTH ; de93
wOTPartyMon4OT:: ds NAME_LENGTH ; de9e
wOTPartyMon5OT:: ds NAME_LENGTH ; dea9
wOTPartyMon6OT:: ds NAME_LENGTH ; deb4

wOTPartyMon1Nickname:: ds PKMN_NAME_LENGTH ; debf
wOTPartyMon2Nickname:: ds PKMN_NAME_LENGTH ; deca
wOTPartyMon3Nickname:: ds PKMN_NAME_LENGTH ; ded5
wOTPartyMon4Nickname:: ds PKMN_NAME_LENGTH ; dee0
wOTPartyMon5Nickname:: ds PKMN_NAME_LENGTH ; deeb
wOTPartyMon6Nickname:: ds PKMN_NAME_LENGTH ; def6

If the code begins at DD5D it should finish at DE95. If the labels are accurate it seems only the OT data is overwritten, which is not a problem if you keep your party the same (ideally with 6 Pokémon) and don't mind about those Pokémon.

Edit: Sorry, this is enemy Trainer related and is overwritten after facing a Trainer. Though food for thought maybe you could link with another game with a corrupted party to set this up. Will edit this post with more ideas.

Edit 2: The only other idea I have is perhaps you can use the party data. It's not very friendly and breaks the gameplay but is large enough. To avoid freezes it would probably be best to also set DA22 to 0 and not use that address as part of the code, which means all battles will be won and the Pokémon menu will have no effect. There's the fact you would need another wrong pocket TM, but we could probably write to another address to get it to work. Pokémon Crystal has a useful wrong pocket TM that points somewhere in the expanded Balls pocket (where the address does not change), so maybe there could be something like that in Gold/Silver too.
You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?

Lol, that's fine :)

OK cool. ^^

Hmm, wonder why some characters appear normally whereas some characters appear red? Oh well, I suppose it's a minor problem, and fixing it would be a waste of bytes :P

Hmm that's interesting. Wonder if it's related to the red border around the text "Balls". Seems that's true though, so far the memory editor is working perfectly on my side.

I did all of my tests on DMG mode. Since you're on CGB mode, would you mind testing the Address lookup feature? I'm sure it will still work, but I just want to make sure.

It works perfectly so far. Entered the addresses in their normal big endian form and jumped back to the TM/HM pocket. I also tried jumping to phone numbers and decorations. Had a lot of fun with it and did some OAM DMA hijacking with the memory editor to get Celebi later. :) Not sure what's meant to happen with strings that aren't addresses (like "&123") but I tried it once and the memory editor sent me somewhere to VRAM (or possibly ROM, SRAM, I can't remember the details sorry) to modify.
Wow! This looks amazing. ^^

Thank you!

I forgot to mention that this is meant to be used with TM exec. Any box name code that unlocks SRAM, switches to bank 1, and jumps to $B002 will do.

Unfortunately I'm a bit busy at the moment and cannot write this box name code right now.

You're welcome.

That's OK.

Remember the TM/HM method where you fill the TM/HM pocket first and then use a Lucky Egg Attract Quagsire? It seems like we can write the code there without the need of any padding. I think this is ideal for writing to SRAM byte by byte as well as you could theoretically adjust one-two quantities each write (start with later addresses and then toss to write to earlier addresses, or something similar).

I forgot exactly how enabling SRAM works, but in the past I used this method to enable SRAM bank 1 for obtaining the GS Ball for Celebi in Crystal (which looking back is now not very useful for Virtual Console users as the same address is enabled after beating the Elite Four). The specific addresses below may not matter, but it still works on Gold/Silver thankfully.

ld a,01      ; 3e 01
ld (4e01),a  ; ea 01 4e ; change to SRAM bank 1
ld a,0a      ; 3e 0a
ld (0d01),a  ; ea 01 0d ; this enables writing to SRAM
ld a,0b      ; 3e 0b
ld (be3c),a  ; ea 3c be ; enable Celebi GS Ball event

We can ignore the GS Ball Celebi part and instead have a jp B002 (c3 02 b0) there.

I inserted your memory editor and it was a success (I don't know if the ret at the end was needed, but I added it just to be safe).

You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?
Wow! This looks amazing. ^^

Thanks Epsilon.

Perhaps hopefully somebody will be able to shorten it for use on WRAM.

I'll try to showcase this in a YouTube video tomorrow.
Wiki Discussion / How to work around the loss of session data error
« on: February 12, 2018, 11:52:27 am »

Sometimes when you try to upload a file on our wiki, it will say "Sorry! We could not process your edit due to a loss of session data."

There is a simple solution to this. Edit any non-file page to get the error message once. Try to submit the page a second time and it should work.

Then the next time you upload a file it should upload properly.

Note: This has only been tested by me on Chrome. Since I'm a sysop it's possible that it doesn't work for non-sysops. Could anyone without sysop or QC rights test this please? Thanks.

The tileset for Diglett's Cave contains blocks which contain both 0x15 and 0x50 sub-tiles.

Block 0xEF satisfies the 0x15 sub-tile, which can be arranged on a suitable row, perfect for Mew.

Block 0xA1 satisfies the 0x50 sub-tile; containing a glitch tile "ì゙" that is normally never used for this tileset.


In the Pokémon storage system, you will need Pokémon 3 nickname character 6 to be "♂" and Pokémon 6 character 2 to be "b". These are addresses DE20 and DE3D, respectively.

Enter a battle in Diglett's Cave. Again, swap specific items into item 33 and item 34; this time Poké Doll x6 and TM22 (representing pointer DE06), which will warp you to the safe same bank map script-Viridian Forest afterwards.

Flash the Pokédex, open the items menu and scroll the 'empty' Fight menu. Throw a Master Ball and Mew should be yours. Use an Escape Rope to escape the Glitch City.

Testing should be coming shortly.

Edit: It works :). You possibly need to have the first six Pokémon's names mainly be "A" with 5 characters, rather than random letters but the only way to test it may be to look up/extract(?) problematic map blocks with 0x50 in them.

The box names:

The items:

Encounter here:

Swapping the items into slot 34, 35:

Note: Items in expanded pack may vary.

Pokédex flash/items menu flash:

Getting Mew:

Escaping the Glitch City:

Our sweet magical Mew (≧∇≦*):
(Edit: I overlooked that you can stabilize the glitch Pokémon from Pokémon Bank hex:FF glitch into a 3TrainerPoké, so rather this is a way to get 3TrainerPoké with moves specific to it)

This makes use of Yellow 'Pokédex' glitch item move 0x00 corruption. While technically possible with expanded party encounter table manipulation (a glitch I put together mainly just for the purpose of finding 3TrainerPoké in the wild), it is easier and less complicated.

If you're like me (and Abwayax if I remember correctly) 3TrainerPoké is one of my favourite glitch Pokémon and it's a bit of a shame it could only be obtained without trading with arbitrary code execution.

Do note this glitch may suffer the same issues as Red/Blue move 0x00, where eventually due to how its internal name is found (0x50 bytes into RAM) the glitch may stop working with no definite way to fix it other than maybe adjusting the 0x50 bytes in memory.

Getting 3TrainerPoké is normally not possible with Rival LOL glitch because 0x00 double serves as a control character there.

Initial requirements:

You will need a Pokémon with move 0x00 as move 1.

This is possible without arbitrary code execution with one of at least three glitches:

1. Level up a glitch Pokémon (refer to In order for it to learn move 0x00 as move 1, it must already have four moves.

One of these glitch Pokémon (♀ . (C1)) learns it at Level 16 and Level 22. Note it does have a solid black glitch screen, so in order to see what's happening on the items and Pokémon menu better you may play the game in Super Game Boy mode (or DMG mode?).

1i) Before you raise it (such as with Rare Candies) it's best to use the items pack in the safe spot to avoid any potential move 0x00 corruption that could freeze the game (and possibly destroy the save file).

2. The Pokémon Bank hex:FF glitch will give you a Q (FF) with no moves. If I remember rightly Struggle can be avoided by giving the glitch move PP. I'm not sure if it has since been patched however.

3. Trade a Ditto from the swapping Transform moves glitch from Red/Blue to Yellow (as this glitch does not work in Yellow).

4. Byte shift glitches (unconfirmed, I tried the large storage box data shift glitch but there was an issue; possibly problematic experience points?)

5. Expanded party from Super Glitch or the SRAM glitch at the beginning of the game (unconfirmed but should be possible)

You will also need to have set up the expanded items pack and obtained the Pokédex (hex:09) glitch item.


1. Prepare a box with at least 17 Pokémon. Pokémon slot 16 must be 0x91 (Marowak), because 0x91 is an 'empty' map building block in the TileBlockDex. Pokémon slot 17 must be Magmar (0x33), which is not normally available but can be obtained with Trainer escape glitch or Rival LOL glitch (you will need to have obtained the expanded items pack for the Pokédex glitch item by this point).

2. Prepare Rare Candy x127 and TM18 (this will spell out your map pointer as DA7F).

3. Get a wild Pokémon encounter here (you may need to open up the Pokémon menu here too):

4. Open the items pack and swap the Rare Candy x127 into item 33 and TM18 into item 34. It's easiest to do item 34 first because you can press Select on item 33 on the way back up and save a bit of time/navigate the menu better. Item 34 should initially be a HM04, so if you spot one you've probably found it.

5. Open the Pokédex and close it. The battle should now look something like this. Depending on your Pokémon count and the Pokémon up to slot 17/18, as well as data after those addresses the screen will look different. However the essential part is in the rectangle in the image below. If it doesn't have those tiles in that position (from BGB coordinates x=01, y=06; note greater y values are further down here), something must have gone wrong.

6. Open the items menu again (really important) and keep scrolling the Fight menu until (possibly) the music fades out. Exit the fight menu (but don't run away) and throw a Master Ball.

Congratulations! 3TrainerPoké is yours. :)

Escaping the Glitch City:

After the battle finishes, we will be placed in a Professor Oak's Lab Glitch City.

Using the expanded items pack however, we can change the map type to allow us to Fly away.

All you need to do is access item 37 and then swap it with any item x0, with a Pokémon with Fly already prepared.