Topics - Torchickens

Pages: [1] 2 3 ... 20
1
Project "Gotta Document 'Em All" / Used glitch types
« on: July 06, 2017, 10:12:21 am »
I would like to make a TypeDex, so I decided to make a dump of all the types that are "used" on glitch Pokémon and glitch moves. It is very messy but hopefully the information should be available within a neater TypeDex listing soon.

"\" indicates that the glitch move has a real, non-glitch type.


Yellow blank (0x50)-type glitch Pokémon
Yellow blank (0x73)-type glitch Pokémon
Yellow blank (0x7D)-type glitch Pokémon
Yellow glitch (0x24)-type glitch Pokémon
Yellow glitch (0x25)-type glitch Pokémon
Yellow glitch (0x39)-type glitch Pokémon
Yellow glitch (0xA5)-type glitch Pokémon
Yellow glitch (0xCF)-type glitch Pokémon
Yellow ₽9? ゥ (0x59)-type glitch Pokémon



Red/Blue Poké BB (0xA9)-type glitch Pokémon
Red/Blue PokéManiac (0x61)-type glitch Pokémon
Red/Blue blank (0x50)-type glitch Pokémon
Red/Blue blank (0xE8)-type glitch Pokémon
Red/Blue blank (0x70)-type glitch Pokémon
Red/Blue blank (0x7B)-type glitch Pokémon
Red/Blue glitch (0x1C)-type glitch Pokémon
Red/Blue glitch (0x21)-type glitch Pokémon
Red/Blue glitch (0x27)-type glitch Pokémon
Red/Blue glitch (0x2B)-type glitch Pokémon
Red/Blue glitch (0x37)-type glitch Pokémon
Red/Blue glitch (0x3B)-type glitch Pokémon
Red/Blue glitch (0x9D)-type glitch Pokémon
Red/Blue glitch (0xA5)-type glitch Pokémon
Red/Blue glitch (0xC8)-type glitch Pokémon



Bird (0x06)-type glitch Pokémon
Flying (0x82)-type glitch Pokémon
Ghost (0x88)-type glitch Pokémon
Ground (0x84)-type glitch Pokémon
Normal (0x0B)-type glitch Pokémon
Normal (0x0E)-type glitch Pokémon
Normal (0x11)-type glitch Pokémon
Normal (0x12)-type glitch Pokémon
Normal (0x13)-type glitch Pokémon
Normal (0x80)-type glitch Pokémon
Normal (0x8D)-type glitch Pokémon
Normal (0x8E)-type glitch Pokémon
Normal (0x91)-type glitch Pokémon
Normal (0x92)-type glitch Pokémon
Normal (0x93)-type glitch Pokémon



On Moves Red/Blue (track CFD5):


00: 0x7A (CoolTrainerF)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0x2B (random)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x97 (Electric-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0x0C (Normal-fake)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (h RED)
\BE: 0x02 (Flying)
BF: 0x95 (Water-fake)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (RED? POKé BB PIDGEY dé)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0xB1 (random)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x51 (,KPkMnRED)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x3A (Qi JT RED? POKé BBPIDGEY dé)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (i JT RED? POKé BBPIDGEY dé)
\DA: 0x02 (Flying)
DB: 0x0E (Normal-fake)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
E3: 0x19 (Ice)
E4: 0x77 (blank)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
E8: 0x03 (Poison)
E9: 0x80 (Normal-fake)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 (Normal)
F1: 0x32 (random)
F2: 0x0A (Normal-fake)
\F3: 0x00 (Normal-fake)
F4: 0xC0 (random)
F5: 0x53 (8 8 9)
\F6: 0x02 (Flying)
F7: 0x79 (CoolTrainerM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

On Moves Yellow (track CFD4):

00: 0x31 (random)
A6: 0x31 (random)
A7: 0x40 (random)
A8: 0x21 (random)
\A9: 0x03 (Poison)
\AA: 0x00 (Normal)
AB: 0x50 (blank)
AC: 0xE9 (Swimmer)
AD: 0x49 (random)
AE: 0xC0 (random)
AF: 0x50 (blank)
\B0: 0x03 (Poison)
B1: 0x81 (Fighting-fake)
\B2: 0x03 (Poison)
\B3: 0x08 (Ghost)
B4: 0x2B (random)
B5: 0x41 (random)
B6: 0x0A (Normal-fake)
\B7: 0x03 (Poison)
\B8: 0x00 (Normal)
B9: 0x41 (random)
BA: 0xC8 (random)
BB: 0x34 (random)
BC: 0xC8 (random)
BD: 0x4E (3lゥ)
\BE: 0x02 (Flying)
\BF: 0x00 (Normal)
\C0: 0x03 (Poison)
\C1: 0x08 (Ghost)
C2: 0x41 (random)
C3: 0x42 (B)
C4: 0x21 (random)
C5: 0x3F (random)
\C6: 0x00 (Normal)
C7: 0x41 (random)
C8: 0x8E (Normal-fake)
C9: 0x91 (Normal-fake)
CA: 0xC8 (random)
CB: 0x4F (blank)
\CC: 0x15 (Water)
CD: 0x0B (Normal-fake)
\CE: 0x03 (Poison)
\CF: 0x08 (Ghost)
D0: 0x23 (random)
D1: 0x35 (random)
D2: 0x21 (random)
\D3: 0x00 (Normal)
\D4: 0x00 (Normal)
\D5: 0x19 (Ice)
D6: 0x41 (random)
\D7: 0x00 (Normal)
\D8: 0x00 (Normal)
D9: 0x3C (.s.a)
\DA: 0x02 (Flying)
DB: 0x34 (random)
\DC: 0x00 (Normal)
DD: 0x28 (random)
DE: 0x1E (random)
DF: 0x34 (random)
E0: 0x28 (random)
\E1: 0x00 (Normal)
\E2: 0x00 (Normal)
\E3: 0x19 (Ice)
\E4: 0x07 (Bug)
\E5: 0x00 (Normal)
\E6: 0x00 (Normal)
E7: 0x41 (random)
\E8: 0x03 (Poison)
E9: 0x2A (random)
\EA: 0x00 (Normal)
\EB: 0x08 (Ghost)
EC: 0x28 (random)
ED: 0x37 (random)
EE: 0x10 (Normal-fake)
\EF: 0x03 (Poison)
\F0: 0x00 (Normal)
F1: 0x32 (random)
F2: 0xC6 (random)
\F3: 0x00 (Normal)
F4: 0xC0 (random)
F5: 0x53 (V)
\F6: 0x02 (Flying)
F7: 0xD1 (TM)
\F8: 0x03 (Poison)
F9: 0x0C (Normal-fake)
FA: 0x23 (random)
FB: 0x39 (random)
FC: 0x21 (random)
FD: 0x2F (random)
\FE: 0x00 (Normal)
FF: 0x32 (random)

Edit: So as it turns out, there are arbitrary type names :). I have a list of type pointers here and uploaded a video:

https://pastebin.com/dYE9ZFNX
https://www.youtube.com/watch?v=6V6F-mtkFTc
3
This is something a little similar to this thread for move 00's type in Crystal: http://forums.glitchcity.info/index.php?topic=7704.0

Luckytyphlosion (I think, please correct me if someone else discovered this) found a way to trigger arbitrary code execution with move 00's type in Gold/Silver. This type's identifier is 0xD0 (dec:208) and after analysis its type name seems to be sourced from 0x8350 in VRAM.

0x8350 can contain menu-sprite data for Pokémon on the Pokémon menu as well as possibly NPC sprites(?), but when I had exactly four Pokémon (two tailed Pokémon, bird, tailed Pokémon) I got different results that included freezes and arbitrary code execution which didn't occur otherwise when I had six Pokémon.

https://www.youtube.com/watch?v=TdxzLn0txFM

How exactly can we use this for arbitrary code execution outside of speedrunning?

I tried making the movement patterns in the video and at one point the game executed E9F0 (Echo RAM for C9F0). Perhaps that's what the route exploits for it to eventually touch box names at D8BF onward (but that would seem very far away).

An update! When the game executed E9F0, it eventually came across the following:

jr c, EC68 (@EC2D)
jp c, FA9B (@EC70)

These may have only appeared when moving around in the pattern in the speedrun route.

At FA9B (DA9B) is the Speed experience byte 1 of the third slot Pokémon. We know from the Coin Case glitch that we can have this as a low level slide Pokémon, so perhaps following it could be a Quagsire holding an item with a specific move 1 (like Quagsire holding HP Up with Sleep Talk as the first move; jp D61A or Quagsire holding TM02 with Return as the first move; jp D8C0) for us to jump to stored items or box names.

So it looks like we can possibly use this as an alternative to Coin Case glitch, but what would really be cool is if you can do it in Crystal as it's easy to just trade over a CoolTrainer Ditto from Red/Blue/Yellow. That way no 'pseudo-bad clone' would be required nor an unterminated name Pokémon from Red/Blue/Yellow.
4
For whatever reason in Japanese Crystal it seems using an X Accuracy (I later did it with another X item) and having glitch move 0xFD as the only move (may be possible by trading a glitch Pokémon from Generation I with TM53 on to Generation II) makes the game execute D800 in WRAM when you open the Fight menu.

It turns out that our items in the bag begin at D885, making this potentially manipulable. The only problem is opening the Fight menu seemed to cause a write to D809 to FF causing a rst 38 freeze, and there are other problematic areas of WRAM before D885.

Does anybody know if this freeze can be averted?
5
Generation I Glitch Discussion / Pokédex marker bytes
« on: June 16, 2017, 02:26:34 pm »
At the beginning of a glitch Pokémon's base stats data structure is a Pokédex marker. This byte according to Stag019 is supposed to be the same as the Pokémon's Pokédex number, but for many glitch Pokémon it is different. 'M (00) and MissingNo. in Red/Blue are exceptions. They have a Pokédex marker byte of 0x00, which is the same as their Pokédex number.

The location of a glitch Pokémon family's base stats data can be found using the following:

0x0383DE + (PkmnNo. − 1) × 0x1C


Yellow:
176: 39702 : 0xF9
000: 39FC2 : 0x28
159: 39526 : 0x3C
195: 39916 : 0x62
202: 399DA : 0x81
203: 399F6 : 0x87
205: 39A2E : 0x86
207: 39A66 : 0x92
215: 39B46 : 0xFE
229: 39CCE : 0x01
230: 39CEA : 0x5A
234: 39D5A : 0x05
245: 39E8E : 0x00
250: 39F1A : 0x00
254: 39F8A : 0x14
255: 39FA6 : 0x1E



Red/Blue:
000: 39FC2 : 0x00
174: 396CA : 0xCB
175: 396E6 : 0xC3
205: 39A2E : 0x91
209: 39A9E : 0x8F
211: 39AD6 : 0xF7
213: 39B0E : 0x82
224: 39C42 : 0x05
234: 39D5A : 0x60
240: 39E02 : 0x00
245: 39E8E : 0x00
250: 39F1A : 0x19
254: 39F8A : 0x6A
255: 39FA6 : 0x37

Presumably hybrid glitch Pokémon will have the same Pokédex marker byte as their Pokédex number, due to having their base data derived (with the possible exception of front sprite/back sprite) from real Pokémon.
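
Added example (not part of the original post): the address formula above applied in Python, checked against a few Red/Blue entries from the list, with the file offset also converted to bank:address form. The function names are made up for this example, the 0-wraps-to-255 behaviour is inferred from the post's 000 -> 39FC2 entries, and the ROM image is a constructed stand-in.

```python
BASE = 0x0383DE        # table start, from the post's formula
ENTRY_SIZE = 0x1C      # bytes per base stats entry, from the post's formula
BANK_SIZE = 0x4000     # size of one Game Boy ROM bank

# Constructed sample: a few Red/Blue (Pokédex number -> marker byte) pairs
# copied from the post's list.
RED_BLUE_MARKERS = {0: 0x00, 174: 0xCB, 175: 0xC3, 255: 0x37}


def base_stats_offset(dex_no):
    """ROM file offset of the base stats entry for a Pokédex number (0-255)."""
    if not 0 <= dex_no <= 0xFF:
        raise ValueError("Pokédex number must fit in one byte")
    # Assumption: (dex_no - 1) is an 8-bit value, so 0 wraps to 255.
    # This reproduces the post's 000 -> 39FC2 entries.
    return BASE + ((dex_no - 1) & 0xFF) * ENTRY_SIZE


def bank_address(offset):
    """Convert a ROM file offset to (bank, address) as a debugger shows it."""
    bank = offset // BANK_SIZE
    addr = offset % BANK_SIZE
    if bank:                      # banks 1 and up are mapped at 4000-7FFF
        addr += BANK_SIZE
    return bank, addr


def marker_mismatches(rom, dex_numbers):
    """Return (dex_no, offset, marker) where the marker differs from dex_no."""
    found = []
    for dex_no in dex_numbers:
        offset = base_stats_offset(dex_no)
        marker = rom[offset]      # the marker is the first byte of the entry
        if marker != dex_no:
            found.append((dex_no, offset, marker))
    return found


def build_sample_rom():
    """Constructed stand-in for a ROM image: zeros plus the sample markers."""
    rom = bytearray(0x40000)
    for dex_no, marker in RED_BLUE_MARKERS.items():
        rom[base_stats_offset(dex_no)] = marker
    return rom


if __name__ == "__main__":
    rom = build_sample_rom()
    for dex_no, offset, marker in marker_mismatches(rom, RED_BLUE_MARKERS):
        bank, addr = bank_address(offset)
        print(f"{dex_no:03d}: {offset:05X} ({bank:02X}:{addr:04X}) "
              f"marker 0x{marker:02X}")
```
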
6
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9ゥ") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow similar steps to these instructions: specify the size, block size and codec in Tile Molester, paste the file there, save it as a 2BPP file and compress the file with Stag019's tool)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.






The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:

Code:
44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16

BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.


7
I've been looking just a little into glitch color layers (known as glitch screens on Bulbapedia). Does anybody know what causes the glitch color layer effect for glitch Pokémon like X ゥ- xゥ,?

I wonder whether there is a data structure that dictates this for each family of some sort.

I found this in the disassembly but couldn't find anything else sadly.

Quote
; super game boy palettes
const_value = 0

   const PAL_ROUTE     ; $00
   const PAL_PALLET    ; $01
   const PAL_VIRIDIAN  ; $02
   const PAL_PEWTER    ; $03
   const PAL_CERULEAN  ; $04
   const PAL_LAVENDER  ; $05
   const PAL_VERMILION ; $06
   const PAL_CELADON   ; $07
   const PAL_FUCHSIA   ; $08
   const PAL_CINNABAR  ; $09
   const PAL_INDIGO    ; $0A
   const PAL_SAFFRON   ; $0B
   const PAL_TOWNMAP   ; $0C
   const PAL_LOGO1     ; $0D
   const PAL_LOGO2     ; $0E
   const PAL_0F        ; $0F
   const PAL_MEWMON    ; $10
   const PAL_BLUEMON   ; $11
   const PAL_REDMON    ; $12
   const PAL_CYANMON   ; $13
   const PAL_PURPLEMON ; $14
   const PAL_BROWNMON  ; $15
   const PAL_GREENMON  ; $16
   const PAL_PINKMON   ; $17
   const PAL_YELLOWMON ; $18
   const PAL_GREYMON   ; $19
   const PAL_SLOTS1    ; $1A
   const PAL_SLOTS2    ; $1B
   const PAL_SLOTS3    ; $1C
   const PAL_SLOTS4    ; $1D
   const PAL_BLACK     ; $1E
   const PAL_GREENBAR  ; $1F
   const PAL_YELLOWBAR ; $20
   const PAL_REDBAR    ; $21
   const PAL_BADGE     ; $22
   const PAL_CAVE      ; $23
   const PAL_GAMEFREAK ; $24
8
Wiki Discussion / Glitch Pokémon cries for the wiki
« on: May 11, 2017, 02:29:42 pm »
I've begun work on re-recording all of (or samples of for the ones with variable cries) the glitch Pokémon cries.

First off is a ZIP file for glitch Pokémon cries in Yellow for every sound bank except Pikachu's Beach (02 overworld, 08 battle, 1F dungeon).

https://sites.google.com/site/torchickens2/glitch-cries

Abwayax, please can you use these when you fix the embedding on the GlitchDex?

The rest for Red/Blue should hopefully be ready tomorrow. :)

Edit: Finished it :D
9
Generation I Glitch Discussion / Yellow MissingNo.'s faces
« on: May 08, 2017, 09:08:25 am »
Yellow MissingNo. has two faces (see attachments). I wonder if there are any other glitch Pokémon which by chance, have faces like this.
10
The data for a glitch Pokémon's Pokédex entry is retrieved from a specific location in the Game Boy address bus. In Pokémon Red, this address should be the value of register de when a breakpoint is set to 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must have not set the glitch Pokémon's capture flag to see its Pokédex entry)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this.

*(Species string terminated by 50).
*Four bytes apparently affecting height and weight.
*Text code.
*0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command, we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which is somewhere in the Hall of Fame data for SRAM bank 0.

When I caught a glitch Pokémon it appears that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are if you are able to catch these glitch Pokémon using the LOL glitch you already have access to the expanded items pack, which sadly makes this glitch unnecessary as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution but it's still a nice glitch.

Edit: I checked Blue and nothing changed sadly, though just noticed I may have missed 0xF0 (8350).
11
As is known, the Japanese and English versions of Pokémon games cause communication errors when linked together.

However, something that got me wondering is: is it possible that we could abuse this to obtain a ?????, hence making the bad clone glitch easier for people who don't have Stadium 2 or don't want to use Coin Case/glitch TM/glitch Pokédex mode arbitrary code execution?

While I was linking up a Japanese Gold with an English Gold one of the versions interpreted some of the Pokémon as ?????. Sadly I couldn't trade it as it was deemed to be abnormal.

Thanks to the work of Háčky however, we know that if a Pokémon is not a hybrid, is not over level 100 and has matching types it can be traded without being interpreted as abnormal. I don't know for sure if this applies to ?????, but I seem to remember it does apply so we could potentially trade over the ?????.
12
Project "Gotta Document 'Em All" / GlitchDex errors/omissions
« on: April 11, 2017, 09:24:06 am »
This is a thread for noting errors/omissions in the GlitchDex that need to be resolved:

*The base 123 Defense for 4( h 4 ? should be base 128 according to the data.
*The base Attack for the Family 209 glitch Pokémon in Red/Blue (Base 255 Attack) is incorrect?
*Since some glitch Pokémon have ( in their names, this breaks the name system which thinks the bracket is part of the glitch Pokémon's family data (Pokédex number).
*Cries need to be added for glitch Pokémon due to the old links no longer working.
*Methods of obtaining glitch Pokémon need to be updated for a few remaining glitch Pokémon.
*TM/HM moves and Time Capsule exploit moves need to be added for a few remaining glitch Pokémon.
*Super Glitch moves should have their index numbers indicated in the data. Also a question worth raising is "are there any 'non-Super Glitch' moves which never cause Super Glitch corruption?".
*Add the index numbers for types for glitch Pokémon with glitch types and 'pseudo real' (is said to be a real type but is really a glitch type) types.
13
Generation I Glitch Discussion / Glitch Pikachu cries in Yellow
« on: March 23, 2017, 10:35:01 pm »
I'm considering recording all of the glitch Pikachu cries by ID.

If anyone else would like to help, you can enter the following code for ws m.

Valid values only range from 0x00 to 0x29, which leaves the rest of the values as glitch sound clips!

Code:
ld e,xx
ld b,3c
ld hl,4000
call 3e84
ret

If we want to represent this with reasonable items, prepare:

Repel x (cry ID)
Poké Ball x 6
Fresh Water x 33
Master Ball x 64
Soda Pop x 45
TM05 x 132
Lemonade x 201

(1e 02 04 06 3C 21 01 40 3d 2d CD 84 3E C9)

Hope this comes in useful for anyone else who would like to experiment!  :)

Edit: (Some) may differ depending on the location you play them.
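
Added example (not part of the original post): a Python sketch that turns the item list above into its byte string and disassembles it, showing how item IDs and quantities alternate as opcodes and operands and where the filler instructions (inc b, dec a, dec l) come from. The item IDs are read off the post's own hex string; the opcode table covers only the instructions in this payload, and the function names are made up for this example.

```python
# Item name -> item ID, taken from the first byte of each pair in the post.
ITEM_IDS = {
    "Repel": 0x1E, "Poké Ball": 0x04, "Fresh Water": 0x3C,
    "Master Ball": 0x01, "Soda Pop": 0x3D, "TM05": 0xCD, "Lemonade": 0x3E,
}

# Game Boy CPU opcodes used by this payload only:
# opcode -> (mnemonic template, number of operand bytes)
OPCODES = {
    0x1E: ("ld e,{:02X}", 1),
    0x04: ("inc b", 0),
    0x06: ("ld b,{:02X}", 1),
    0x21: ("ld hl,{:04X}", 2),
    0x3D: ("dec a", 0),
    0x2D: ("dec l", 0),
    0xCD: ("call {:04X}", 2),
    0xC9: ("ret", 0),
}


def items_to_bytes(items):
    """Lay out (item name, quantity) pairs the way the post's hex string does."""
    out = bytearray()
    for name, quantity in items:
        if not 0 <= quantity <= 0xFF:
            raise ValueError(f"quantity for {name} does not fit in one byte")
        out += bytes([ITEM_IDS[name], quantity])
    return bytes(out)


def disassemble(code):
    """Disassemble a byte string using the small opcode table above."""
    lines, pc = [], 0
    while pc < len(code):
        opcode = code[pc]
        if opcode not in OPCODES:
            raise ValueError(f"opcode {opcode:02X} at offset {pc} not in table")
        template, size = OPCODES[opcode]
        operand = code[pc + 1:pc + 1 + size]
        if len(operand) < size:
            raise ValueError(f"truncated operand at offset {pc}")
        # 16-bit operands are stored low byte first.
        lines.append(template.format(int.from_bytes(operand, "little")))
        pc += 1 + size
    return lines


def cry_payload(cry_id):
    """Item list from the post, with the Repel quantity as the cry ID."""
    return items_to_bytes([
        ("Repel", cry_id), ("Poké Ball", 6), ("Fresh Water", 33),
        ("Master Ball", 64), ("Soda Pop", 45), ("TM05", 132),
        ("Lemonade", 201),
    ])


if __name__ == "__main__":
    payload = cry_payload(0x02)
    print(payload.hex(" ").upper())
    print("\n".join(disassemble(payload)))
```

The disassembly differs from the clean listing in the post: the Poké Ball ID runs as inc b, the Soda Pop pair runs as dec a / dec l, and ld hl,4001 followed by dec l leaves hl at 4000.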
14
Generation II Glitch Discussion / Pursuit glitch
« on: March 22, 2017, 06:00:04 pm »
It looks like there is an obscure glitch involving the move Pursuit in Generation II that was documented by someone or a source named Uwasa Ishi (Japanese: 噂石). I'm unsure if it only works on the Japanese versions but from what I gather it seems like if you switch out a Pokémon with a status condition and it faints from Pursuit, the status condition will return upon reviving the Pokémon with a Revive.

http://hakuda2.web.fc2.com/wario/poke3/n8.html

I haven't tested this glitch yet though. Thoughts?
15
Pokémon Discussion / Pokémon Crystal unused character?
« on: March 22, 2017, 04:57:11 pm »
In Pokémon Crystal there is a character which I don't remember being used on any NPC, which I found listed on a list of character indices on the Pokémon Crystal disassembly (https://github.com/pret/pokecrystal/blob/master/constants/sprite_constants.asm).

This character can be viewed on BGB (v1.5.2) with the code 013F54D1 but the code working may be due to a presumable emulation error (as I tried the code on an Xploder GB with Pokémon Crystal on a real Game Boy Advance SP and it didn't work).

These are his sprites with the male character's palette.



Video of the code in action:
https://www.youtube.com/watch?v=9_oacF2y9pc