Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Torchickens

Pages: [1] 2 3 ... 154
1
For the OAM DMA method it seems you may also have to do it in front of the exhibition and attach 3E 01 E0 F8 (or 3E 01 EA F8 FF) to simulate an A-press to the end of the code as luckytyphlosion's exploit with a write to the dimensions and Pokémon sprite ID seems to lock up the controls if you don't write to this address.

Interestingly would that count as an A-press?
2
How much space is required to store the Marill sprite?

The space required varies from picture to picture but thanks to compression it's usually not too large.

For the Marill backsprite it was a 4x4 [32x32 px] picture with data of $80 (128) bytes.

The Marill frontsprite in my previous post is a 7x7 [56x56 px] picture that takes up $FE (254) bytes.

I oversaw this but when you store data at DAC9 you may be overwriting offgao's memory editor and you won't be able to complete writing the data if you are using offgao's memory editor to add the sprite. However this can be worked around with using the following method:

1. Store sprite at numboxitems (d53a) instead.
2. Use call copydata to copy d53a to dac9.

ld bc,(spritesize ;xxyy)
ld hl,d53a
ld de,dac9
call 00b1
ret

01 yy xx 21 3A D5 11 C9 DA CD B1 00 C9

Thankfully it doesn't matter if you replace DA7F with jp d321 [c3 21 d3] with offgao's memory editor (it doesn't mess up the GUI) where you can store your code to copy the data and copy by using ws m again.

It looks awesome !
Oh, but, this strangely reminds me of a certain Pikablu cheat code... ( ͡° ͜ʖ ͡° )

Thanks! Yeah ^^. For my video it was different as I just copied the Marill sprite into VRAM. Cool that this is a method to permanently store a backsprite until you change box data though.
3
Interesting.

BEHOLD, WE HAVE... something?

Yes :)

Basically two WRAM arbitrary front sprites exist in Red/Blue. The CDE5 [screen data] one can be manipulated. But it seems DMA hijacking to write the dimension and change the Pewter Museum sprite is a must, unless your sprite has the dimensions it does use which I'm not sure yet.

This is an example of what you can do.



We can also write to the front sprite pointer (and possibly backsprite pointer) with DMA hijacking in Red/Blue directly, and this way you can see the sprite in a wild Pokémon battle.

Yellow seemingly doesn't have any arbitrary front sprites but it has the arbitrary back sprite in PC Pokémon data described in the first post of this thread for glitch Pokémon 0xE6, which can be manipulated in game with ws m, specifically with TheZZAZZGlitch's coordinates program writer or offgao's memory editor.

This one is permanent provided you save the game after modifying box data. The aforementioned front sprite in Red/Blue is not.
4
Glitch Pokémon family attribute list:


Yellow
-------

D0BF and summary


Family 176: Catch rate 04; Base exp 1A; Sprite Dim A7; Front sprite 20 01
         Backsprite 77 7E
         
Family 000: Catch rate 00; Base exp 0B; Sprite Dim AD; Front sprite 06 00
         Backsprite 0C 0D
         
Family 159: Catch rate 1D; Base exp E0; Sprite Dim E0; Front sprite 80 0B
         Backsprite BB 01

Family 195: Catch rate 00; Base exp 99; Sprite Dim 63; Front sprite 00 99
            Backsprite 00 7A
         
Family 202: Catch rate 84; Base exp 8D; Sprite Dim 86; Front sprite 88 8D
         Backsprite 84 84
         
Family 203: Catch rate 96; Base exp 88; Sprite Dim 8C; Front sprite 8C 84
         Backsprite: 91 50
         
Family 205: Catch rate 8C; Base exp 84; Sprite Dim 91; Front sprite 50 81
         Backsprite 88 91

Family 207: Catch rate 93; Base exp 50; Sprite Dim 86; Front sprite 88 8E
         Backsprite 95 80
         
Family 215: Catch rate 18; Base exp F0; Sprite Dim 3E; Front sprite 50 12
         Backsprite C9 FA**
         
Family 229: Catch rate 00; Base exp 28; Sprite Dim 01; Front sprite 01 01
         Backsprite 94 02
         
Family 230: Catch rate 03; Base exp 57; Sprite Dim 04; Front sprite 01 59
         Backsprite 04 02

Family 234: Catch rate 52; Base exp 02; Sprite Dim 01; Front sprite 56 02
         Backsprite 03 55

Family 245: Catch rate 00; Base exp 12; Sprite Dim 7C; Front sprite 7B 41
         Backsprite 00 13

Family 250: Catch rate 14; Base exp B1; Sprite Dim 00; Front sprite 10 05
         Backsprite A6 00
         
Family 254: Catch rate A5; Base exp BC; Sprite Dim 00; Front sprite 1C BA
         Backsprite B9 B9
         
Family 255: Catch rate 1E; Base exp 12; Sprite Dim 0B; Front sprite 00 14
         Backsprite 11 25
         
         
Red/Blue
---------

D0C0 and summary

Family 000: Catch rate 1D; Base exp 8F; Sprite Dim 88; Front sprite 00 19
         Backsprite 37 8F
Family 174 [E7]: Catch rate C9; Base exp AF; Sprite Dim EA; Front sprite D8 CF*
         Backsprite 06 01
Family 175 [E4]: Catch rate 16; Base exp 00; Sprite Dim C5; Front sprite E5 CD* [CF91 controls museum sprite]
         Backsprite 07 57
Family 205: Catch rate 91; Base exp F5; Sprite Dim 50; Front sprite 8F 8E
         Backsprite 8A BA
Family 209: Catch rate 91; Base exp 8E; Sprite Dim 82; Front sprite 8A 84
         Backsprite 91 50
Family 211: Catch rate 80; Base exp 8A; Sprite Dim 50; Front sprite 82 87
         Backsprite 88 84
Family 213: Catch rate 8D; Base exp 84; Sprite Dim 91; Front sprite F5 50
         Backsprite 81 91
Family 224: Catch rate D8; Base exp 16; Sprite Dim 00; Front sprite 19 7E
         Backsprite EA 91
Family 234: Catch rate 61; Base exp 30; Sprite Dim 61; Front sprite 51 61
         Backsprite 6B 61
Family 240: Catch rate 41; Base exp 00; Sprite Dim 09; Front sprite 24 24
         Backsprite 00 0A
Family 245: Catch rate 6C; Base exp 60; Sprite Dim 00; Front sprite 1D 03
         Backsprite A7 00
Family 250: Catch rate 17; Base exp 11; Sprite Dim 25; Front sprite 00 0B
         Backsprite AD 06
Family 254: Catch rate 00; Base exp 14; Sprite Dim 22; Front sprite 22 A9
         Backsprite 00 15
Family 255: Catch rate 0D; Base exp 8F; Sprite Dim 00; Front sprite 1D 0D
         Backsprite 37 00


Family 175 can be manipulated in theory if you lock CF91 (Pewter Museum sprite) to E4 or another Family 175 glitch Pokémon and D0C2 (sprite dimensions) to your sprite dimension value. Memory address D0C3-4 (front sprite pointer) also exists and indeed locking it WRAM (such as 80DA for DA80) allows you to view a custom front sprite but only on a Pokémon's summary and to wild Pokémon in battle.
5
Cool stuff here!

You know that Pidgeotto hybrid in R/B that has a volatile fromt sprite? Could you maybe figure out where it takes its sprite data from?

Thanks!

Do you mean Yellow? Both p [CB] and Glitch Pokémon [DC] are both Pidgeotto hybrids in Red/Blue but they don't have volatile front sprites.

In Yellow ?/ [EC] and ♂ p ゥ [F4] take their front sprite from 76C6. This is because Pidgeotto's actual sprite is sourced from the same two byte pointer, but at bank 0x0C. Hence 0C:76C6 (or offset 336C6) is the location of Pidgeotto's sprite, which has the beginning byte specify dimensions of 0x66 (6x6).

However all Pokémon with index numbers between 0x99 to 0xFF except for 0xB6 take their sprite from bank 0x0D instead. This means the sprite is instead taken from 0D:76C6 (or offset 376C6), and here the beginning byte specifies dimensions of 0x00 (0x0), so presumably because the game is trying to draw a 256x256 sprite it corrupts the sound bank and similar.
6
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9ゥ") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow similar steps to these instructions; specifying the size, block size and codec on Tile Molester, pasting the file there and saving it as a 2BPP file and compress the file with Stag019's tool)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.






The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:

Code: [Select]
44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16

BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.


7
General Discussion / Re: So i read this thread
« on: May 24, 2017, 08:46:32 am »
Well I bear no grudge against you, maybe what annoys me the most in your posts are your smileys (but that's just my taste :D).
You're not a bad person. I think we've met way worse (like the Prism Discord, anyone ?). It's cool to be what you are.

Also, we know you love Korrina x9000001019911909191, you can stop saying it now. I'm starting to find it creepy. It's fine if you do, but please, stop spamming ^^'

I think it's rude to call anyone bad. Arguably in essence no one is a bad person, we don't know their circumstances.

Jchu can say that re: Korrina if she wants to, that's freedom of speech, but I think the policies here are like as long as what is posted is relevant to the topic (unless in a thread like the member's guide to topiclessness) and isn't bot spam or just advertising, then we can post what we want (although it doesn't specifically say in the rules it might be worth adding a note). This is relevant here because it's about the thread and how Jchu feels.
8
General Discussion / Re: So i read this thread
« on: May 24, 2017, 06:37:46 am »
Yeah, i don't think a lot of the people i met on kh13 were 'real friends'. ); Members there seemed to have a cruel streak to them. Honestly it feels like the type of forum that could hurt one's trust in people as a whole BIG time. o___O;;;

Sorry to hear that.  :(
9
General Discussion / Re: So i read this thread
« on: May 24, 2017, 04:01:56 am »
I'm a dude and I love cute things. It's okay to be who you are, and if anyone hates you for it, then it's their problem and not yours :)

You can like whatever, or whomever you like. It's all good.

Exactly this. :)

It's not like you're being abusive or aggressive, you are just expressing your passions and interests. Take pride in that and remember that if anyone is going to judge you for how you are they're not real friends.
10
General Discussion / Re: I made a MissingNo. blingeee :P
« on: May 23, 2017, 04:46:26 pm »
Neat!  :)
11
Pokémon Glitch Discussion / Re: List of Japan only tricks
« on: May 23, 2017, 02:59:19 pm »
You're welcome ^^
12
Pokémon Glitch Discussion / Re: List of Japan only tricks
« on: May 23, 2017, 07:43:36 am »
...That one old man glitch interests me greatly.

I wonder if it effect's your encounter with MissingNo. and the other glitches on cinnabar at all? I may...wanna look for a japanese r/b/g/y pokemon rom to learn such o.o;

The old man trick for encountering Pokémon on the coast doesn't work in Japanese Red/Green/Blue/Yellow sadly.
13
Forum Discussion / Re: Does Abwayax still check on this place?
« on: May 23, 2017, 07:41:33 am »
Yeah, Abwayax still checks/looks after here on occasion.  :)
14
You're welcome!  Glad it was helpful ^^

If you want to get into big ACE things, I recommend you use the BGB emulator. Once you get used to its not very intuitive UI, you'll love its powerful debugger, memory watcher, etc.

And if you already got it, then you made a very good choice :D

I got it recently, experimenting with cheats rn, and then I'll start getting into the debugger, etc.

Do you have a save compatible with the BGB emulator with 8F, and/or a bootstrap party (if possible), with all locations discovered or something or another. I heard torchickens has one, but...

Yes, on my Google Sites I have a save files page where you can find save files with 8F or ws m set up.

https://sites.google.com/site/torchickens2/pokemon-save-files

If you go to D322 (or D321) on BGB Debugger you can see the raw code, and then right click and modify it to write the code you'd like.

Quick update with my progress on ACE: I made a quick thing with ACE that puts PK at the start of your rival's name, as a proof-of-concept
I also did a version with your name

Rival Name:

ASM:
Code: [Select]
WRA1:D321 3E E1                  ld a, 225
WRA1:D323 EA 4A                  ld ($D34A), a
WRA1:D326 C9                     ret

Item List:
Lemonade x225
TM34 x74
TM11 x201

Player name:

ASM:
Code: [Select]
WRA1:D321 3E E1                  ld a, 225
WRA1:D323 EA 4A                  ld ($D158), a
WRA1:D326 C9                     ret

Item List:
Lemonade x225
TM34 x88
TM09 x201

They should both work (the player one works, so the rival one should work, too, atleast I assume)

Change the lemonade quantity to a different number for a different letter (these can be found on the Big HEX List (http://glitchcity.info/wiki/The_Big_HEX_List), but I assume you already knew that)

This is my ACE script, so of course it's simple, but is it good for a first script?

Yes :). There's just a small error in the raw code (to make sure things are correct if you're copy and pasting it into a memory viewer/debugger).  EA 4A for the first code should be EA 4A D3, and EA 4A for the second code should be EA 58 D1.
15
When executing arbitrary code it's about converting the GBZ80 (where you can find a list of opcodes here and on the wiki's Big HEX List) into a representable form.

To do this for 8F and ws m redirected to the items pack you need to do is know the hex code and form for an ASM instruction and then use the item or quantities with the same hex IDs (you can use the Big HEX List or Windows Calculator to convert if necessary).

But importantly a little knowledge of GBZ80 is needed. Personally I feel it's good to start with things like understanding the registers like a, b, c, d, e, hl (from the hardware, you can view them as storage bytes like memory addresses but used everywhere) and basic instructions (read, write, etc).

This page is a good place to learn about the instructions in the context of what they do.

Here are a few examples of basic arbitrary code execution with an explanation for every line (read the comments in the square brackets [ ]):

Code to encounter Mew.

ld a, 15 [when you see ld [register] first, it means we're storing a value into a register. In this case we're storing hex:15 (the value of Mew) into the register 'a'.
ld (d059),a [when the register is on the right side of the instruction it means it will be moved elsewhere. In this case we're storing a (which was changed to hex:15) into D059 (the memory address for an instant encounter)]
ret [ret is needed to end the flow of the code or else the game will carry on executing the data beyond it as if it was code, which would likely freeze the game]

In hexadecimal this is the following:
Code: [Select]
3E 15 EA 59 D0 C9
So to represent it in items we just need item hex:3E (Lemonade) x 21 (hex:15), followed by item hex:EA (TM34) x 89 (hex:59), followed by TM08 (D0) x 201 (hex:C9).

Pseudo-GameShark (change anything in RAM to anything) (copied from this post)

ld a, xx [as before, we add a value into register a, in this case the value we want to write for our pseudo-GameShark]
ld l, xx [the second byte in a Datacrystal order memory address is also put into register l]
ld h, xx [the first byte in a Datacrystal order memory address is put into register h]
inc b [add 1 to register b. Technically useless but sometimes this is helpful so that you can avoid using a bad item and instead use a quantity]
ld (hl), a [when the register pair on the left side is in brackets, it means you're putting the value into the address represented by those registers; so if h and l were D0 and 59 we would be storing a into D059]
inc a [see inc b]
ret [end of code as usual]


In items it ends up as this:

Lemonade, quantity (byte to change to, or 2nd byte of GScode)
X Accuracy, quantity (low byte of RAM address to change, or 3rd byte of GScode)
Carbos, quantity (high byte of RAM address to change, or 4th byte of GScode)
Poké Ball, quantity 119
Fresh Water, quantity 201

Code: [Select]
3E xx 2E xx 26 xx 04 77 3C C9

If you just want to edit the contents of the memory these two examples are all you need to work on, and it's where I started but if you want to do more things here is a more complex example:

Enter the Hall of Fame with 8F: (copied from this post)

Before we begin, this code uses call. This basically causes the game to execute code from elsewhere and return back to where it was later, and anything from 0000-7FFF is in the ROM (unlike 8000-FFFF which is in [generally] writable memory like RAM) according to the Game Boy BUS. This is different to jp ('jump') which redirects the flow of code without returning to where we originally were.

0000-3FFF will be an offset (what you would find in a hex editor like the program "HxD"), while 4000-7FFF in the Pokémon games are banked [also known as "three-byte"] pointers. For more information about banked pointers see the section on this article).

This code runs the code at 16:64BB in GBZ80 (which according to Game Boy Pointer Calculator is 5A4BB in a hex editor by using the 35D6 function which is used to run a script anywhere in the ROM.

ld c,16 [c is now 16 for bank 16]
ld h,64 [h is now 64 for 64XX]
ld l, bb [l is now BB. HL now=64BB]
ld b,c [c is moved into b, which serves as the bank for the below function]
ld b,b [technically not needed]
call 35d6 [run the bank switch function, which runs the script as b:hl]
ret [end of code]

Code: [Select]
0e 16 26 64 2e bb 41 40 cd d6 35 c9
Awakening  x 22
Carbos     x100
X Accuracy x187
X Attack   x 64
TM05       x214
Revive     x201

To find the locations of other routines in the game you can download a SYM file which is a list of routines and their locations, but you may need to refer to the Pokémon Red (etc.) disassembly project to find out how they work (so what registers before the code will do what).

Hope that helps, and if you have any further questions let me know and I'll try to help! :)
Pages: [1] 2 3 ... 154