Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Torchickens

Pages: [1] 2 3 ... 20
1
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9ゥ") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow similar steps to these instructions; specifying the size, block size and codec on Tile Molester, pasting the file there and saving it as a 2BPP file and compress the file with Stag019's tool)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.






The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:

Code: [Select]
44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16

BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.


2
I've been looking just a little into glitch color layers (known as glitch screens on Bulbapedia). Does anybody know what causes the glitch color layer effect for glitch Pokémon like X ゥ- xゥ,?

I wonder whether there is a data structure that dictates this for each family of some sort.

I found this in the disassembly but couldn't find anything else sadly.

Quote
; super game boy palettes
const_value = 0

   const PAL_ROUTE     ; $00
   const PAL_PALLET    ; $01
   const PAL_VIRIDIAN  ; $02
   const PAL_PEWTER    ; $03
   const PAL_CERULEAN  ; $04
   const PAL_LAVENDER  ; $05
   const PAL_VERMILION ; $06
   const PAL_CELADON   ; $07
   const PAL_FUCHSIA   ; $08
   const PAL_CINNABAR  ; $09
   const PAL_INDIGO    ; $0A
   const PAL_SAFFRON   ; $0B
   const PAL_TOWNMAP   ; $0C
   const PAL_LOGO1     ; $0D
   const PAL_LOGO2     ; $0E
   const PAL_0F        ; $0F
   const PAL_MEWMON    ; $10
   const PAL_BLUEMON   ; $11
   const PAL_REDMON    ; $12
   const PAL_CYANMON   ; $13
   const PAL_PURPLEMON ; $14
   const PAL_BROWNMON  ; $15
   const PAL_GREENMON  ; $16
   const PAL_PINKMON   ; $17
   const PAL_YELLOWMON ; $18
   const PAL_GREYMON   ; $19
   const PAL_SLOTS1    ; $1A
   const PAL_SLOTS2    ; $1B
   const PAL_SLOTS3    ; $1C
   const PAL_SLOTS4    ; $1D
   const PAL_BLACK     ; $1E
   const PAL_GREENBAR  ; $1F
   const PAL_YELLOWBAR ; $20
   const PAL_REDBAR    ; $21
   const PAL_BADGE     ; $22
   const PAL_CAVE      ; $23
   const PAL_GAMEFREAK ; $24
3
Wiki Discussion / Glitch Pokémon cries for the wiki
« on: May 11, 2017, 02:29:42 pm »
I've began work on re-recording all of (or samples of for the ones with variable cries) the glitch Pokémon cries.

First off is a ZIP file for glitch Pokémon cries in Yellow for every sound bank except Pikachu's Beach (02 overworld, 08 battle, 1F dungeon).

https://sites.google.com/site/torchickens2/glitch-cries

Abwayax, please can you use these when you fix the embedding on the GlitchDex?

The rest for Red/Blue should hopefully be ready tomorrow. :)

Edit: Finished it :D
4
Generation I Glitch Discussion / Yellow MissingNo.'s faces
« on: May 08, 2017, 09:08:25 am »
Yellow MissingNo. has two faces (see attachments). I wonder if there are any other glitch Pokémon which by chance, have faces like this.
5
The data for glitch Pokémon Pokédex is retrieved from a specific location in the Game Boy address BUS. In Pokémon Red, this address should be the value of register de when a breakpoint is set to 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must have not set the glitch Pokémon's capture flag to see its Pokédex entry)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this.

*(Species string terminated by 50).
*Four bytes apparently affecting height and weight.
*Text code.
*0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which is somewhere in the Hall of Fame data for SRAM bank 0.

When I caught a glitch Pokémon it appears that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are if you are able to catch these glitch Pokémon using the LOL glitch you already have access to the expanded items pack, which sadly makes this glitch unnecessary as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution but it's still a nice glitch.

Edit: I checked Blue and nothing changed sadly, though just noticed I may have missed 0xF0 (8350).
6
As is known, the Japanese and English versions of Pokémon games cause communication errors when linked together.

However, something that got me wondering is it possible that we could abuse this to obtain a ?????, hence making the bad clone glitch easier for people who don't have Stadium 2 or don't want to use Coin Case/glitch TM/glitch Pokédex mode arbitrary code execution?

While I was linking up a Japanese Gold with an English Gold one of the versions interpreted some of the Pokémon as ?????. Sadly I couldn't trade it as it was deemed to be abnormal.

Thanks to the work of Háčky however, we know that if a Pokémon is not a hybrid, is not over level 100 and has matching types it can be traded without being interpreted as abnormal. I don't know for sure if this applies to ?????, but I seem to remember it does apply so we could potentially trade over the ?????.
7
Project "Gotta Document 'Em All" / GlitchDex errors/omissions
« on: April 11, 2017, 09:24:06 am »
This is a thread for noting errors/omissions in the GlitchDex that need to be resolved:

*The base 123 Defense for 4( h 4 ? should be base 128 according to the data.
*The base Attack for the Family 209 glitch Pokémon in Red/Blue (Base 255 Attack) is incorrect?
*Since some glitch Pokémon have ( in their names, this breaks the name system which thinks the bracket is part of the glitch Pokémon's family data (Pokédex number).
*Cries need to be added for glitch Pokémon due to the old links no longer working.
*Methods of obtaining glitch Pokémon need to be updated for a few remaining glitch Pokémon.
*TM/HM moves and Time Capsule exploit moves need to be added for a few remaining glitch Pokémon.
*Super Glitch moves should have their index numbers indicated in the data. Also a question worth raising is "are there any 'non-Super Glitch' moves which never cause Super Glitch corruption?".
*Add the index numbers for types for glitch Pokémon with glitch types and 'pseudo real' (is said to be a real type but is really a glitch type) types.
8
Generation I Glitch Discussion / Glitch Pikachu cries in Yellow
« on: March 23, 2017, 10:35:01 pm »
I'm considering recording all of the glitch Pikachu cries by ID.

If anyone else would like to help, you can enter the following code for ws m.

Valid values only range from 0x00 to 0x29, which leaves the rest of the values as glitch sound clips!

Code: [Select]
ld e,xx
ld b,3c
ld hl,4000
call 3e84
ret

If we want to represent this with reasonable items, prepare:

Repel x (cry ID)
Poké Ball x 6
Fresh Water x 33
Master Ball x 64
Soda Pop x 45
TM05 x 132
Lemonade x 201

(1e 02 04 06 3C 21 01 40 3d 2d CD 84 3E C9)

Hope this comes useful for anyone else who would like to experiment!  :)

Edit: (Some) may differ depending on the location you play them.
9
Generation II Glitch Discussion / Pursuit glitch
« on: March 22, 2017, 06:00:04 pm »
It looks like there is an obscure glitch involving the move Pursuit in Generation II that was documented by someone or a source named Uwasa Ishi (Japanese: 噂石). I'm unsure if it only works on the Japanese versions but from what I gather it seems like if you switch out a Pokémon with a status condition and it faints from Pursuit, the status condition will return upon reviving the Pokémon with a Revive.

http://hakuda2.web.fc2.com/wario/poke3/n8.html

I haven't tested this glitch yet though. Thoughts?
10
Pokémon Discussion / Pokémon Crystal unused character?
« on: March 22, 2017, 04:57:11 pm »
In Pokémon Crystal there is a character which I don't remember being used on any NPC, which I found listed on a list of character indices on the Pokémon Crystal disassembly (https://github.com/pret/pokecrystal/blob/master/constants/sprite_constants.asm).

This character can be viewed on BGB (v1.5.2) with the code 013F54D1 but the code working may be due to a presumable emulation error (as I tried the code on an Xploder GB with Pokémon Crystal on a real Game Boy Advance SP and it didn't work).

These are his sprites with the male character's palette.



Video of the code in action:
https://www.youtube.com/watch?v=9_oacF2y9pc
11
As Crystal_ documented (thread, video), not every Pokémon's level-up and evolution data is taken from the ROM, and there are exactly four glitch Pokémon each in both Red and Yellow who actually take their evolution data from VRAM (graphics data).

This is the list of applicable glitch Pokémon, copy and pasted from the wiki article I have just written:

http://glitchcity.info/wiki/Arbitrary_learnset_glitch_Pok%C3%A9mon

Red/Blue

Beginning of pointer table=$3B05C

A (0xEA) (VRAM $8124) — It learns certain moves when levelled up with Rare Candies but no moves when levelled up in battle.
Glitch (0xEB) (VRAM $992B)
G'Mp (0xF6) (VRAM $852C)
94 h (0xF9) (VRAM $9A20)

Yellow

Beginning of pointer table= $3B1E5

'r ゥ (0xEA) (VRAM $8124)
4 h 4 (0xEB) (VRAM $992B)
ゥ ₽ A (0xF6) (VRAM $852C)
₽ (0xF9) (VRAM $9A20)

According to Okk and echinodermata, level up evolutions are read when there is data in the form "01 [level] Pokémon ID]".

http://forums.glitchcity.info/index.php?topic=5217.0

In Yellow, after entering a map or saving and resetting, the location of $9A20 may be taken from one of the screen tiles.

Very fortunately, 01 01 15 can be represented by block 09 in Cinnabar Mansion, and when it is at the bottom-left corner of the screen in this spot on 2F you have a chance of evolving ₽ (0xF9) into Mew at Level 1 due to the VRAM data representing evolution code to evolve it into Mew. (You must save and reset the game at this spot with your ₽ (0xF9))



Sadly for unknown reasons it's only a chance and a rather low chance at that it seems; your ₽ (0xF9) may evolve into Q or Nidoran♂ many times but never Mew, until you reset and try again hopefully to get a successful attempt. I don't know why and wonder whether it's to do with VRAM banks.

What's left to do now is test the other locations and whether this works on Red/Blue.

Edit: OK, you should be able to do this with 0xEB too except the data has to be in this green block and I'm not sure how easy that is to do as I couldn't align the 01 tiles and then that tree in the aforementioned map here.



Edit 2: 0xF9 confirmed on Red in addition to Yellow.
13
I have a policy of owning every game I emulate. Does anybody know any Korean redirection services for buying Pokémon Geum and Eun on a Korean shopping/auction site?

I'm willing to invest some money to buy one even if the price is a little expensive.

Thanks in advance!
14
Although valid source Glitch Cities like those from the Safari Zone exit glitch are well-known, not too much research has been into the 'pure' glitch maps with their own map IDs.

These are the current glitch maps with articles.

http://glitchcity.info/wiki/Category:Glitch_areas

Practically it's probably not going to be viable to make an article about every non-freezing map, since there are a huge number of possible maps in Gold/Silver/Crystal (65536 for each version) unless a tool is created to find the glitch maps that do not freeze the game.

If you find a glitch map that doesn't freeze the game in any revision of Red/Blue/Yellow, Gold/Silver/Crystal let me know and I will make an article about it, and have fun glitching!  :) Do note these maps do not seem to be that common, although not many have been researched.

Codes to find glitch maps:

Generation I

Activate in a Pokémon Center then step out.

EN Red/Blue: 01xx65D3
EN Yellow: 01xx64D3
Japanese versions: 01xxE4D2
Non-English European Red/Blue: 01xx6AD3
Non-English European Yellow: 01xx69D3

See http://bulbapedia.bulbagarden.net/wiki/List_of_locations_by_index_number_(Generation_I) for a list of real maps.

Generation II

Activate before entering a door.

EN Gold/Silver: 01xx44D0, 01xx45D0
JP Gold/Silver: 01xx3ED0, 01xx3FD0
KO Gold/Silver: 01xxFFD0, 01xx00D1
Non-English European Gold/Silver: (Unknown)

Activate in a Pokémon Center, go the floor 2 and down the stairs again.

EN Crystal: 01xxB5DC, 01xxB6DC
JP Crystal: 01xx7BDC, 01xx7CDC
Non-English European Crystal: (Unknown)

See https://hax.iimarck.us/topic/176/ for a list of real maps.

Walk through walls (for stepping out of bounds into glitch maps)

EN Gold/Silver:
0108A3CE
0108A4CE
0108A5CE
0108A6CE

JP Gold/Silver:
010897CE
010898CE
010899CE
01089ACE

Non-English European Gold/Silver:
(Unknown)

Korean Gold/Silver:
010078CE
010079CE
01007ACE
01007BCE
15
Generation VII Glitch Discussion / Pokémon Bank transfer bugs
« on: January 26, 2017, 05:53:31 am »
Apparently there are a number of bugs in how Pokémon Bank works, according to this post on Reddit.

Quote from: ChezMere
Discovered so far:
In Generation 2, shininess is determined by IVs - specifically, Speed/Defense/Special must be equal to 10, and Attack must be 2/3/6/7/10/11/14/15. (Note that IVs only go up to 15 in the Game Boy games). Pokebank attemps to take this into account, but gets the role of the Attack and Defense IVs exactly backwards. Meaning, Pokemon that would be shiny in GSC lose their shininess, and other pokemon will gain shininess.
Pokemon will not be allowed to transfer if they have moves that can be learned in one Gen 1 game, but not another. For example, your friend can transfer his Charizard with Fly that he taught it in Yellow, but if he trades it to your copy of Red it cannot be transferred.
Gender when transferring is completely random, rather than based on the Attack IV like in gen 2. Considering the above (failed attempt at) shiny compatibility, they obviously are trying to keep everything consistent with GSC, but random genders mean that - once GSC is released for VC - a Pokemon traded from gen 2 to gen 1 to gen 7 will lose its gender.
There's also a few other... oddities, shall we say, with how the conversion is done. Ones that aren't outright bugs like the above, but are surprising.
Nature is generated from - of all things - the Pokemon's EXP. This means that 1) catching the same Pokemon at the same level and immediately transferring will always get you the same nature, and 2) it is simple to choose the nature you want by only transferring when the experience is right.
EVs are simply set to zero, the Pokemon's previous stat exp is ignored entirely. This is actually the only thing on the list that makes sense, since the two systems are fundamentally incompatible.
The original IVs are also ignored entirely. After being used for the (incorrect) shiny calculation mentioned above, they are simply regenerated from scratch. All Pokemon will automatically have 3 perfect IVs, except for Mew which will automatically have 5.
Kudos to SciresM for discovering most of this.

Zai Redwinters also stated in a comment on my latest video that legal moves are based on a Yellow version whitelist. This goes against the claim that Charizard knowing Fly cannot be transferred over from a Red/Blue, but they give the example of Mewtwo knowing Pay Day (in all Generation I games except for Yellow) being unable to be transferred over in a certain version (or possibly both versions).
Pages: [1] 2 3 ... 20