Author Topic: Glitch Pokémon Pokédex ACE in Generation I  (Read 993 times)


Torchickens

Glitch Pokémon Pokédex ACE in Generation I
« on: April 23, 2017, 02:26:32 pm »
The data for glitch Pokémon Pokédex entries is retrieved from a specific location on the Game Boy address bus. In Pokémon Red, this address should be the value of register de when a breakpoint is set at 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must have not set the glitch Pokémon's capture flag to see its Pokédex entry)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this.

* Species string (terminated by 50).
* Four bytes apparently affecting height and weight.
* Text code.
* 0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command, we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which is somewhere in the Hall of Fame data for SRAM bank 0.

When I caught a glitch Pokémon, it appeared that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are, if you are able to catch these glitch Pokémon using the LOL glitch, you already have access to the expanded items pack, which sadly makes this glitch unnecessary, as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution; but it's still a nice glitch.

Edit: I checked Blue and nothing changed, sadly, though I just noticed I may have missed 0xF0 (8350).
« Last Edit: April 26, 2017, 09:39:26 am by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Caveat

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #1 on: April 23, 2017, 04:06:52 pm »
I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with...
HOLD ME, I'M A PALE MACHINE
LIFE IS JUST OKAY OUT HERE, ANYONE CAN SEE
I'M LONELY, WITH MY PALE MACHINE
EYES WILL RUN WITH TIRED TEARS, LIVING LIKE A DREAM


Japanese Glitchdex
Petscop Thread

Twitter
(warning: contains bad grammar and copious rambling)

Torchickens

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #2 on: April 23, 2017, 04:47:40 pm »
I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with...

Technically, Fossil and Ghost MissingNo. can be manipulated to have different base stats and/or a different TM/HM learnset but it has to be taken from an existing Pokémon or glitch Pokémon.

https://www.youtube.com/watch?v=JnwN-uIVliA

Otherwise I don't think so, as all data (except for pointers within the data) for Pokédex numbers (where the TM/HM data is stored) ends up in ROM, and the TM/HM data is just a series of eight bytes wherever in the ROM the game ends up (TM/HM flags).

However, there is the possibility of a glitch Pokémon with a sprite from RAM. If so, there is a slim chance we might even be able to assign a custom sprite without OAM hacking, but it would also have to have the dimensions data (not manipulable and from the ROM) assigned to that glitch Pokémon. In other words, it seems there could be a size limit for that sprite, and for glitch Pokémon with an x0 dimension their sprites could still freeze the game.
« Last Edit: April 23, 2017, 04:56:16 pm by Torchickens »

ISSOtm

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #3 on: April 24, 2017, 03:31:43 am »
Pokémon sprites aren't managed by the OAM. They are written on the tilemap (otherwise they'd take all sprite slots and there would be nothing remaining for attack animations).

Also, C203 ACE (Pokémon FE) has a slim chance of being possible (I personally doubt it, but... let's cross fingers !) and CB17 ACE may be possible, it runs code based on map data and lastly drawn tiles, and eventually on menu data (<- this one almost always crashes due to bad luck).

VRAM should be locked when data is pulled from it, so I have doubts about all non-* entries.

The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th ? I lost count) ACE exploit in these games.


Yes, we have more than 10 different ACE exploits.
QUALITY PROGRAMMING, GAME FREAK
« Last Edit: April 24, 2017, 03:33:04 am by ISSOtm »
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Torchickens

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #4 on: April 24, 2017, 07:32:38 am »
Updated with Yellow pointers:

(Set a breakpoint to 10:4405 and check de)

00: 9288
BF: 8492
C0: 8384
C2: 9604
C6: 8492
C7: 8384
CD: 8492
CE: 8384
D0: A207/FREEZE
D4: 888B
D5: 8099
D6: 8391
D8: BE00
DC: 8B85
DD: 8C80
E1: 8417
E3: 8550
E4: 808B
E5: 848C
E7: D007
EB: 8893
EC: 988D
ED: 9493
EE: 9391
EF: 848B
F1: C808
F5: 9493
F6: 9391
F7: 848B
F9: F403 (!!)
FD: 8792
FE: 8B84
FF: 858B

F403 is Echo RAM for D403, which can be manipulated by changing item 116+ in the expanded items pack, although you don't have that much space because items 129-256 represent items 1-128 again.
« Last Edit: April 24, 2017, 11:28:07 am by Torchickens »
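As an added illustration (not code from the original posts or from any GCL tool), here is a small Python script that does two things the first post and the Yellow pointer list above describe: it classifies each quoted pointer by Game Boy memory region (resolving Echo RAM such as F403 back to its WRAM address D403, which is why that entry is interesting), and it parses a Pokédex entry in the layout the first post gives (species string up to 0x50, four height/weight bytes, then the text command byte) to report whether that byte is the "text far" command 0x17 or the 0x08 command that executes the bytes after it. The memory map boundaries and the Echo mirror are standard Game Boy facts; the 0x17/0x08 values and the entry layout come from the thread. The item-list base address 0xD31D used by `item_slot_for` (to reproduce the "item 116" mapping for Yellow) and the 2-byte slot size are assumptions made for this example, and the two entries in `build_sample_memory` are constructed, not dumped from a game.

```python
# Added example: classify Pokédex-entry pointers by Game Boy memory region
# and parse the entry layout described in the thread. Not code from the
# original posts; the sample memory image below is constructed.

STRING_END = 0x50       # string terminator ("@" in the disassembly)
TX_FAR = 0x17           # text command: print text from another bank
TX_ASM = 0x08           # text command: execute the bytes that follow
MAX_SPECIES_LEN = 32    # bound the scan so a missing 0x50 cannot loop forever


def region(addr):
    """Name the Game Boy memory region a 16-bit bus address falls in."""
    bounds = [
        (0x8000, "ROM"), (0xA000, "VRAM"), (0xC000, "SRAM"), (0xE000, "WRAM"),
        (0xFE00, "ECHO"), (0xFEA0, "OAM"), (0xFF00, "UNUSABLE"),
        (0xFF80, "IO"), (0xFFFF, "HRAM"),
    ]
    for limit, name in bounds:
        if addr < limit:
            return name
    return "IE"


def resolve_echo(addr):
    """Echo RAM (E000-FDFF) mirrors C000-DDFF; return the backing WRAM address."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def cpu_controllable(addr):
    """True for the regions the thread marks with an asterisk (SRAM/WRAM/Echo).

    VRAM is writable too, but only while the LCD is not reading it, which is
    why the thread treats VRAM-backed entries as much weaker candidates.
    """
    return region(resolve_echo(addr)) in ("SRAM", "WRAM")


def classify(table):
    """species id -> (region, resolved address, controllable?) for a pointer table."""
    return {sid: (region(p), resolve_echo(p), cpu_controllable(p)) for sid, p in table.items()}


def item_slot_for(addr, items_base=0xD31D):
    """Which 1-based expanded-item slot covers a WRAM/Echo address.

    ASSUMPTION for this example: the bag item list starts at items_base
    (0xD31D is used here for Yellow) and each slot is 2 bytes (id, quantity).
    Returns (slot, field) or None if addr lies before the list.
    """
    off = resolve_echo(addr) - items_base
    if off < 0:
        return None
    return off // 2 + 1, ("id", "quantity")[off % 2]


def parse_dex_entry(mem, ptr):
    """Parse one Pokédex entry at ptr: species string, 4 bytes, text command.

    'executes_code' is True when the text command byte is TX_ASM; the
    command sits 5 bytes after the terminator (terminator + 4 data bytes).
    Raises ValueError if no 0x50 appears within MAX_SPECIES_LEN bytes.
    """
    end = ptr
    while mem[end] != STRING_END:
        end += 1
        if end - ptr > MAX_SPECIES_LEN or end >= len(mem):
            raise ValueError("no string terminator near 0x%04X" % ptr)
    cmd_addr = end + 5
    cmd = mem[cmd_addr]
    return {
        "species": bytes(mem[ptr:end]),
        "height_weight": bytes(mem[end + 1:end + 5]),
        "text_cmd_addr": cmd_addr,
        "text_cmd": cmd,
        "executes_code": cmd == TX_ASM,
        "code_start": cmd_addr + 1 if cmd == TX_ASM else None,
    }


# Pointers quoted in the thread (species id -> address register de points at).
RED_POINTERS = {0xBF: 0x9183, 0xD6: 0xB417, 0xDC: 0xAA00, 0xEE: 0xCB17, 0xFE: 0xC203}
YELLOW_POINTERS = {0xD0: 0xA207, 0xE7: 0xD007, 0xF1: 0xC808, 0xF9: 0xF403}


def build_sample_memory():
    """Constructed 64 KiB image with two hand-made entries (not a real dump)."""
    mem = bytearray(0x10000)
    # Entry at 0xD403 shaped like a normal one: "DRILL" + 0x50, 3'3", 650, TX_FAR.
    mem[0xD403:0xD403 + 11] = bytes(
        [0x83, 0x91, 0x88, 0x8B, 0x8B, STRING_END, 3, 3, 0x8A, 0x02, TX_FAR])
    # Entry at 0xC203 whose byte after the four data bytes is TX_ASM instead.
    mem[0xC203:0xC203 + 7] = bytes([STRING_END, 0, 0, 0, 0, TX_ASM, 0x00])
    return mem


if __name__ == "__main__":
    for name, table in (("Red", RED_POINTERS), ("Yellow", YELLOW_POINTERS)):
        for sid, info in classify(table).items():
            print("%s 0x%02X -> %s 0x%04X controllable=%s" % ((name, sid) + info))
    mem = build_sample_memory()
    print(parse_dex_entry(mem, 0xD403))
    print(parse_dex_entry(mem, 0xC203))
```

Running the script prints the region of every quoted pointer, then the two parsed entries: the first reports a normal 0x17 command, the second reports `executes_code` with execution beginning right after the 0x08. The bounded scan in `parse_dex_entry` is deliberate: in the game the species scan has no such bound, which is part of why entries pointing into zero-filled RAM (Torchickens' 0xD6 case landing on 00s) behave so differently from entries with a 0x50 in the right place.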

ISSOtm

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #5 on: April 24, 2017, 09:56:49 am »
Now THAT is really interesting !

E7 runs code from D007, which is wEnemyMonBaseExp.
Right then is the player Pokémon's name, so no problem ! Having a nick with a perfect number of characters means the first executed byte will be the player Pokémon's HP (low byte). Making this $08 is easy.
ACE HYPEEEEEEEEEEEE
Setup that would work, though it's not the only one :
- "Box level" (?) 1-byte instruction that doesn't crash
- No status problem
- The Pokémon's type #1 should be $01 (FIGHT-type ?)
And then the Pokémon's moves onwards will be run as code.

F1's C808 is in the middle of a "LY override buffer". No idea what this is, but if the first read byte is $08, then this may NOP-slide into some printer-related data. Might lead to ACE ?

F403: is in the middle of some warp data. As Torchickens pointed out, this could be manipulated..!
We can re-route execution to the item pack (either direct jump, or set hl then jp hl)

VaeporSage

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #6 on: April 24, 2017, 07:38:58 pm »
If this works out, how many 1st Gen ACE methods would that make now?  ;D

ISSOtm

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #7 on: April 25, 2017, 02:07:39 am »
- Glitch item ACE
- Custom map script ACE
- Glitch map's map script ACE
- Normal map glitched map script ACE
- Glitch move ACE
- Glitch text boxes ACE
- Pikachu off-screen ACE
- Pikachu glitch emote ACE
- CartSwap ACE
- ZZAZZ Trainer ACE
- Glitch Pokédex entries ACE

That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
¯\_(ツ)_/¯

Torchickens

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #8 on: April 25, 2017, 08:00:44 am »
I think you forgot remote code execution in the Trade Center (the exploit MrCheeze did for the R/B virus), so that makes at least 12.

https://www.youtube.com/watch?v=h5Igc18hc2Q

Parzival

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #9 on: April 25, 2017, 12:09:43 pm »
- Glitch item ACE
- Custom map script ACE
- Glitch map's map script ACE
- Normal map glitched map script ACE
- Glitch move ACE
- Glitch text boxes ACE
- Pikachu off-screen ACE
- Pikachu glitch emote ACE
- CartSwap ACE
- ZZAZZ Trainer ACE
- Glitch Pokédex entries ACE

That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
¯\_(ツ)_/¯
Game Freak's FailTrain just doesn't stop, does it?
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

Torchickens

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #10 on: April 25, 2017, 01:37:34 pm »
Yeah, it's quite unfortunate for Game Freak.

Interestingly, if you call Wack0's Hall of Fame script using 0xF9 ACE, the Hall of Fame sequence runs without any problems but upon choosing continue you don't receive the Pokémon (which would have been a Rhydon).

« Last Edit: April 25, 2017, 02:51:23 pm by Torchickens »

Parzival

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #11 on: April 25, 2017, 03:31:36 pm »
Nice find!

Caveat

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #12 on: April 25, 2017, 06:44:06 pm »
Much like science in general, glitching seems to not be based on the principle of "why", but the principle of "why NOT?"

Do we need 12 ways to execute arbitrary code? Hell no, but that won't stop any of us.

Torchickens

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #13 on: April 26, 2017, 07:51:59 am »
The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th ? I lost count) ACE exploit in these games.

Looking into Red/Blue's now and will hopefully include it with Yellow ACE in a video.

I almost did this with 0xDC (AA00) using Pokémon 5 with a 50 terminator in the right place and Pokémon 6 as a Level 8 Pokémon with an invalid nickname, but then it seems the SRAM data got corrupted because of 0xDC's sprite on the Pokédex entry, and that might be why it didn't work.

I'm not sure if you can do it with 0xD6 without another ACE or Hall of Fame corruption, as it lands on one of the 00s, and even with a 0x50 directly following it you can't use the 08 text code five bytes later.
« Last Edit: April 26, 2017, 07:55:36 am by Torchickens »

Parzival

Re: Glitch Pokémon Pokédex ACE in Generation I
« Reply #14 on: April 26, 2017, 08:06:48 am »
Correct me if I'm wrong, but isn't SRAM unlocked by writing any byte ending in a 0xA nybble to 0000-1FFF?
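The SRAM lock/unlock behaviour ISSOtm says needs more study, and that Parzival's question refers to, is the cartridge controller's RAM-enable register. As an added example (not code from anyone in the thread, nor from an emulator), the model below implements that register as Pan Docs documents it for MBC1, whose behaviour the MBC3 used by Red/Blue/Yellow is documented as matching: a write to 0000-1FFF whose low nybble is 0xA enables external RAM, any other value disables it, and reads from A000-BFFF while disabled return the open-bus value 0xFF. The 8 KiB bank size and the operation-trace format are choices made for this example, and the RAM contents are constructed.

```python
# Added example: minimal model of the MBC RAM-enable latch (Pan Docs, MBC1
# semantics). Not emulator code; sample values are constructed.

RAM_BASE = 0xA000
RAM_END = 0xBFFF
OPEN_BUS = 0xFF          # value read back while external RAM is disabled


class CartRam:
    """External (battery-backed) RAM sitting behind the MBC's enable gate."""

    def __init__(self, size=0x2000):
        self.ram = bytearray(size)
        self.enabled = False

    def write(self, addr, value):
        """CPU write: 0000-1FFF is the enable register, A000-BFFF is RAM."""
        value &= 0xFF
        if addr <= 0x1FFF:
            # Any value whose low nybble is 0xA enables RAM; anything else
            # disables it. The high nybble is ignored by the controller.
            self.enabled = (value & 0x0F) == 0x0A
        elif RAM_BASE <= addr <= RAM_END and self.enabled:
            self.ram[(addr - RAM_BASE) % len(self.ram)] = value
        # Writes to disabled RAM (or to other ranges) are silently dropped.

    def read(self, addr):
        """CPU read from A000-BFFF: stored byte if enabled, else open bus."""
        if RAM_BASE <= addr <= RAM_END:
            if not self.enabled:
                return OPEN_BUS
            return self.ram[(addr - RAM_BASE) % len(self.ram)]
        raise ValueError("not a cartridge RAM address: 0x%04X" % addr)


def probe_sram(ops):
    """Apply ('w', addr, val) / ('r', addr) operations; return the read results.

    This is how to reason about whether a routine left SRAM open: a pointer
    like the thread's 0xAA00 or 0xB417 only yields game-controlled bytes
    while the latch is set, and 0xFF (rst 38 when executed) otherwise.
    """
    cart = CartRam()
    results = []
    for op in ops:
        if op[0] == "w":
            cart.write(op[1], op[2])
        else:
            results.append(cart.read(op[1]))
    return results


if __name__ == "__main__":
    trace = [("r", 0xB417), ("w", 0x0000, 0x0A), ("w", 0xB417, 0x50),
             ("r", 0xB417), ("w", 0x0000, 0x00), ("r", 0xB417)]
    print([hex(v) for v in probe_sram(trace)])   # locked, open, locked again
```

The model makes the two-sided nature of the question visible: the latch is trivial to set, but whether a Pokédex entry sees SRAM depends on which routine last touched 0000-1FFF before the entry is read, which is exactly what has to be traced in the game code.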