Topics - Cryo

1
In addition to the two existing debug menus found on TCRF's Ruby/Sapphire Debug Menus article (Sound Test and Pokeblock Test), I've found a way to access three other debug menus in Pokemon Ruby and Sapphire. I've included the addresses where each debug menu can be found, as well as GameShark codes that can be used to access the menus on actual hardware.

Note: All addresses below are specific to Pokemon Ruby v1.0 (U).



SOGABE Menu

Function Address: 0814A414

This one isn't that impressive, but it's a debug menu nonetheless. The options are as follows:

1. 1st round
2. 2nd round
3. 3rd round
4. 4th round
5. 5th round
6. 6th round
7. 7th round
8. 8th round


I'm not really sure what these do, but it might be associated with badge limitations or something.



GameShark Code
A6696B14 E11802B1
872FAA40 5896C524

Press RIGHT+SELECT while paused
to access the SOGABE menu.




MORI Menu

Function Address: 08083F6C

This one's a bit more useful. The options are as follows:

1. Search a child
2. Egg
3. Egg (male)
4. 1000 steps
5. 10000 steps
6. MOVE TUTOR
7. Breed an egg
8. Long name
9. Pokeblock Case


Most are intuitive as to what they do, but #1, #8, and #9 might be confusing. "Search a child" shows the contents of an egg if it's at the front of your party, while "Long name" replaces the name of the first Pokemon in your party with a long, generic name (ながいなまえぽけもん, or "Long Pokemon name"). "Pokeblock Case" deletes all of the Pokeblocks in your Pokeblock Case.



GameShark Code
4734D246 90FE8764
CC42BB92 3A9D71F0

Press SELECT while paused
to access the MORI menu.




MATSUDA Menu

Function Address: 080A9B28

Lastly, there's the MATSUDA menu, which mostly deals with Contests. The options are as follows:

1. Contest
2. Contest results
3. Contest (comm.)
4. Init comm. data
5. Set highest score
6. Reset highest score
7. Set all art museum items




If you select the "Contest" or "Contest (comm.)" options, you'll be brought to an interesting interface. Here, you can set all of the parameters for a Contest (trainers, Pokemon, stats, rank, moves, etc.) and initiate the Contest by pressing the START button. The bottom-right option exits the interface.



GameShark Code
E7F53B53 68B223B0
4C529E3E 7EB9CBA6

Press LEFT+SELECT while paused
to access the MATSUDA menu.
2
Pokémon Glitch Discussion / Submissions for Gen IV Void Glitch FAQ
« on: February 17, 2017, 09:48:01 am »
Hey guys, I'm going to start working on a commentary-like video (similar to Stryder7x's videos, but a bit more user-friendly) this weekend explaining many aspects of the void in Pokemon Diamond and Pearl (what it is / how it works / what influences it / safety / etc.), but I've been out of the loop for 5+ years now and I'm not entirely sure what's been made common knowledge and what isn't yet known.

It'd help a ton to get some help from the GCL community by hearing what you're unfamiliar with, what you'd like to see more explanation or detail on, things that aren't entirely clear, and other stuff like that.

That being said, what questions do you have about the void, or what would you want explained better?


NOTE: I won't really respond to questions on this thread, but any questions/requests have a good chance of making it into the video.
3
By utilizing the L-shaped tweaking pattern in Pokemon Platinum, you're able to cause a bunch of weird stuff to happen, such as slowing everything in Jubilife City to a crawl or modifying the map right under your feet.

The fact that the L-shaped tweaking pattern causes really weird effects has been known for a while now and was previously known as the "????? Glitch", but after analyzing the effects of the tweak, I decided to give it a more descriptive name that mirrors its effects—the "Cascade Glitch".


TRIGGERING THE CASCADE GLITCH

In order to trigger the glitch, all you need to do is tweak using any L-shaped pattern in the fastest gear of your bike.

No really, that's it.


THE EFFECTS

The reason it's called the Cascade Glitch is because of the one constant that always occurs each time this glitch is triggered—starting from the map data ID (0 - 665) that you refreshed the screen in, the map tile data, 3D model data, building data, et al. for each successive map data ID is written to RAM immediately after the tweak. The chaotic nature of such an effect means that freezes will occur a lot of the time.

However, because the data written to RAM depends on the map data ID that you refreshed the screen in, you're able to influence the data that gets written and, to a loose extent, where that data gets written. This means that altering progression flags is completely possible using this method.


EXAMPLE



So what exactly happened here?

As a little background information, the tile data for each map should be at least somewhat legible, such as the map tile data for lower Jubilife City below.

Code:
1111111111111111111111111111111111111111111111111100006900000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111110000000000111111111111111111111111111100000000000000
1100000000000000000000111111111111110000000000001100000000000000
1100000000000000000000111111111111110000000000001100000000000000
1100000000000000000000001111111111000000000000001100000000000000
00001111111100006E0000111111111111110000690000000000000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
1111111111111111111111111111111111111111111111111100000000000000
0000000011111111111111111111111111111111111111111100000000000000
0000000011000000000011111111111111111111111111111100000000000000
0000000011000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111111111111100000000000000
0000000000000000000011111111111111111111110000000000000000000000
0000000000000069000011111111111111111111110000000000000000000000
0000000011111111111111001111111111001111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000011111111111111111111111111111111110000000000000000110000
0000000000000000000000111111111111110000000000000000000000000000
0000000000000000000000111111111111110000000000000000000000000000
0000000000000000110000111111111111110000000000000000000000000000
0000000000000000110000000011111100000000000000000000000000000000
0000000000000000111111111111111111110000000000000000000000000000
0000000000000000111111111111111111110000000000000000000000000000

Okay, so that's not the actual map tile data for lower Jubilife City, but it gets the point across that it should at least be somewhat legible and able to be discerned just from looking at the layout.

First, to pull off this tweak, you'll want to refresh your screen anywhere in the area below. You can do this by opening the Bag or performing any action that forces the graphics to be redrawn.



Next, perform the tweak as shown in the previous GIF. If you need help locating the loadlines in order to do this, you can find them here.

After performing the tweak, the map tile data for Route 202 will be replaced with the data below.

Code:
[map tile data missing]

Definitely not what it should be.

If you were to load the graphics for this area, it would look a little something like this:

(just a rough sketch; the actual visual data would probably look a lot cooler)




ADDITIONAL INFO

The section containing pointers to the currently-loaded map data (as well as the data that will be imminently loaded) can be found at Base + 0x8BAD0. This section has enough space for 3 areas, which is all that should ever need to be reserved within normal gameplay, since it's not possible to load 4 different areas in such quick succession. I'm guessing that's what the devs thought, anyway.

I've created a visual representation of the pointer storage location as well as the pointers to the current map data for additional detail, found below.



The 4 pointers are arranged in the following order:
  • Top-Left
  • Top-Right
  • Bottom-Left
  • Bottom-Right

In this case, the 3rd pointer is the address of the garbled data. This means that the area we're currently in (Route 202) should be located in the bottom-left of the 4 currently loaded areas, which it is.




MISCELLANEOUS

Doing this in Valor Lakefront yields some pretty amazing results. Instead of simply writing the data for each successive map data ID, it completely annihilates your base pointers. The base pointers located at 0x02101D20 just get overwritten with zeroes.

The result?



Since there aren't any base pointers, the game just kind of gives up and crashes. It also messed up my ASLR calculations in the VET script and caused all of my values to return 0.

If that kind of thing is possible just by tweaking, then I think that this may very well be our best chance at ACE in Gen IV.


POSTSCRIPT

I should be receiving an IS-NITRO-DEBUGGER development kit through the mail within the next few days, and I highly plan to analyze this glitch further on actual hardware. It's hard to tell whether some of these results are due to emulation errors or whether these would actually happen on a console.
4
Well, kind of. It's not a TAS or even eligible to be one, since it doesn't start from an SRAM reset.

After a crazy amount of effort and debugging, I've finally nailed down a method to beat Pokemon R/B/Y in as little(-ish) time as possible, starting from the point Professor Oak ends his speech. I know I could've just immediately triggered the Hall of Fame entry part (after the whole champion speech), but I wanted to at least make it a little showy.

Video: https://www.youtube.com/watch?v=1pUj6u_nv88


Nothing really new here, just wanted to show that it was a thing.

It was also a great learning experience for me, especially since the only way I could get it to fully work on a physical console after cart swapping (without freezing) was to wait until it was in V-Blank. ( ̄▽ ̄*)ゞ
5
Generation IV Glitch Discussion / Obtaining Arceus via the Void Glitch
« on: January 10, 2017, 11:20:21 pm »
By using the RETIRE trick, it is possible to obtain Arceus via the Void glitch.

The steps below must be followed exactly. The RAM values being manipulated are loaded map data, and entering any map different than the ones you'd encounter by following the steps below may overwrite the data we need.

STEPS: (from the Poketch Co. door)

=======
Step 1
=======
1 S
17 W
14 N
2015 W
512 S
Save & Reset

=======
Step 2
=======
32 E
384 S
32 W
1792 S
128 W
32 S
192 W
64 S
160 W

=======
Step 3
=======
96 S
96 E
32 S
63 E
1 N
63 E (or 64 E if you've already been to Pal Park before)
191 N
1 N

=======
Step 4
=======
192 E
66 S
1 N

=======
Step 5
=======
192 W
64 N
64 W
32 N
128 W
64 N
64 W
96 N
226 E
Start -> RETIRE

=======
Step 6
=======
34 S
33 W
128 S
160 W
160 S
160 E
31 S
1 S
64 E
166 N
1 N
Start -> RETIRE


Video: https://www.youtube.com/watch?v=VrhHXG3cuAw


EXPLANATION

Each of the steps listed above loads a desired map property into memory, which we then travel to in order to encounter that property as our current map ID (in turn loading different map properties). Below are the target maps that get loaded—as well as the map property that determines the next map ID—in order to activate the RETIRE trick.


(2) Underground
    Sprite 1:
         X Coordinate: 392 (Route 221)

(392) Route 221
    Warp 1:
        Map ID: 393 (Pal Park entrance)

(393) Route 221 R1-01
    Warp 1:
        Map ID: 251 (Pal Park)


The maps and properties below lead to the Hall of Origin.


(45) Oreburgh City
    Sprite 13:
        X Coordinate: 316 (Lake Valor cavern)

(316) Lake Valor R1-03
    Sprite 0:
        Flag: 510 (Hall of Origin)


Once Arceus is captured, the only thing left to do is to disable Pal Park mode and exit the void, which is done by using RETIRE in the Pal Park map. This is the only way to initiate the StopGreatMarsh 1 function.

Note: Encountering maps with IDs greater than 558 will overwrite almost all of the map data, so RAM values 0x022F - 0xFFFF should be avoided.


THE RETIRE TRICK
Using the RETIRE option in Pal Park works as expected—asking if you'd like to leave, then either warping you out or doing nothing. However, when used anywhere else, the RETIRE option will immediately run the 4th script loaded in a given map.

An important distinction to make is that this does not refer to the script at index 3 of the map data. Instead, it refers to the order that the scripts are run. For example, the Hall of Origin has only 3 scripts, but the order that the scripts are run is as follows:

  • Script 2
  • Script 3
  • Script 1
  • Script 3

Since the 3rd script is loaded twice, using the RETIRE option runs Script 3, which happens to be the encounter script for Arceus.


EDIT: After doing research into a few rare cases of the game crashing after Arceus is caught, I noticed that the freeze was caused by users hacking the Shaymin event into their game. Specifically, the data at [Base + 0x23998] is permanently changed from 0x76 to 0x7A after using the Oak's Letter key item and opening up Seabreak Path.

This can be fixed by doing these steps in place of the 1792 S:

1152 S
32 E
64 S
32 W
576 S
6
Whew, it definitely took a few days, and the code may not look all that great, but I've finally come up with a method of using the GameBoy's joypad to write arbitrary bytes to RAM in as little time as possible with as few buttons as possible.

HOW IT WORKS:
When 8F is used, the screen and sound will function as normal, but the controls will lock up and you will now be in INPUT mode. During this mode, any button you press will add that button's value to the specified byte in memory, with two exceptions: If you press the same button twice in a row, it will move on to the next byte; and if you hold (or press) the START and SELECT buttons together at the same time, the program will jump to the specified offset and start executing your code.

This allows for a 1-to-1 mapping of buttons to values for optimal speed while still providing all necessary functionality.

NOTE: Due to space limitations, you must press A once before you enter anything on the joypad. When you press A to select the USE option on 8F, the game registers that as the initial value to be executed. Pressing A before you enter your own code skips this junk byte, and it's also why HL is initially set to $D3FE instead of $D400 in the code below.

ITEM LIST:
Item            Quantity
========================
8F              x1
[Any Item]      xAny
X Accuracy      x254
Escape Rope     x84
Potion          x213
HP Up           x205
TM50            x63
Soda Pop        x240
TM48            x254
Burn Heal       x200
TM40            x178
Guard Spec.     x183
Rare Candy      x241
X Speed         x185
X Defense       x40
TM35            x79
X Attack        x134
Ether           x119
X Special       x24
TM28            xAny


ASM:
Code:
Start:
    ld l,$FE            ; Destination = $D3FE
    dec e               ; Zero out E
    ld d,h              ; DE = $D300
    inc d               ; DE = $D400 (Code Start)
    push de             ; Push onto the stack for later RET

Next_Byte:
    inc hl              ; Go to the next byte

Check_Input:
    call $3FFA          ; Joypad polling subroutine
    dec a               ; - Padding -
    ldh a,($F8)         ; Get the current held button
    cp $0C              ; START + SELECT = exit
    ret z               ; Jump to arbitrary code ($D400)

Check_Released:
    ldh a,($B2)         ; Get the most recently released button
    scf                 ; - Padding -
    or a                ; Check whether a button was released
    jr z,Check_Input    ; If not, keep looping until one is

Check_Previous:
    ld b,e              ; - Padding -
    cp c                ; Check if the button was pressed twice
    ld b,d              ; - Padding -
    jr z,Next_Byte      ; Move to the next byte if so

Modify_Byte:
    ld c,a              ; Backup the previous button
    ld b,c              ; - Padding -
    add a,(hl)          ; Add button value to current value
    ld d,b              ; - Padding -
    ld (hl),a           ; Save new value in memory
    ld b,h              ; - Padding -
    jr Check_Input      ; Loop until manually RET
End:


EXAMPLE:
One of the things that I use this method for the most has to do with cartridge swapping capabilities. The setup below simply puts P14 to low and enters STOP mode, followed by a RET instruction to continue normal execution. This means that you can enter STOP mode, swap cartridges, then press any button on the D-Pad to return execution.

ASM:
Code:
ld a,$EF
ldh ($00),a
stop
ret

To execute the code above, simply use the 8F item, then press the buttons below in sequence. Each line represents a byte written to memory, with the first line skipping the junk byte and the last line jumping to the written program.

BUTTON INPUT:
A
LEFT RIGHT START SELECT B B
DOWN UP LEFT START SELECT B A A
DOWN UP LEFT LEFT
LEFT
RIGHT RIGHT
A A
DOWN UP START A A
START + SELECT


NOTE: If you pop the cartridge out, put the same cartridge back in, then exit STOP mode, then the game will continue executing as normally. However, the values written to RAM remain there, so in order to re-run the stop routine above, the only buttons you'd have to press are START + SELECT.

Putting in the same combination twice without resetting will effectively double the existing program's bytes in RAM, since this is an additive approach. One pretty rad workaround is the polymorphic aspect of the setup—you can alter the items in your bag (to remove padding, etc.) and save the game with your new RAM writing bulldozer. ;D


PS: This method was successfully tested on Pokemon Red and Pokemon Blue hardware; I'm not sure about Pokemon Yellow yet, but it should work just fine.
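An added example, not code from the post above: an encoder that turns a byte string into the button presses the joypad routine expects, plus a simulator that replays the routine's rules (a release adds the button's bit to the current byte, a repeat of the previous release advances HL, START+SELECT held together exits) so an encoding can be checked before it is typed in. It handles the two awkward cases the additive scheme creates: a 0x00 byte, which is written by repeating the previous button, and a byte whose only set bit is the button that was just used to advance, which cannot be written at all (the encoder reorders the preceding byte's presses to avoid that where it can, and raises otherwise). Two assumptions not stated on the page: the target RAM is zero before input starts, and the A press that selected USE on 8F counts as the previous button when input mode begins (which is why a lone A skips the junk byte). Replaying the post's own button list under these rules yields 3E EF E0 00 10 01 C9, i.e. $01 in the operand slot after STOP; the encoder emits $00 there.

```python
# Added example, not the post's own code. Assumptions (not on the page): target
# RAM starts zeroed, and the A that selected USE is the "previous press" when
# input mode begins.
from typing import List, Optional

# Gen I joypad bit values; START+SELECT = 0x0C, matching the routine's `cp $0C`.
BUTTONS = {"A": 0x01, "B": 0x02, "SELECT": 0x04, "START": 0x08,
           "RIGHT": 0x10, "LEFT": 0x20, "UP": 0x40, "DOWN": 0x80}
BY_VALUE = {v: k for k, v in BUTTONS.items()}
EXIT = "START + SELECT"


def _order(bits: List[str], prev: str, avoid_last: Optional[str]) -> List[str]:
    """Order one byte's presses: the first must differ from the previous press
    (a repeat advances instead of adding) and, where possible, the last must
    differ from the sole button of a single-bit byte that follows."""
    for last in bits:
        if last == avoid_last and len(bits) > 1:
            continue
        rest = [b for b in bits if b != last]
        if rest and rest[0] == prev:
            rest = rest[1:] + rest[:1]
        seq = rest + [last]
        if seq[0] != prev:
            return seq
    raise ValueError(f"no press order for {bits} after {prev}")


def encode(data: bytes, prev: str = "A") -> List[List[str]]:
    """One press list per byte, each ending with the repeat that advances HL.
    Every value 0..255 is a sum of distinct button bits, so no button is
    pressed twice within a byte and the running sum never wraps."""
    lines = []
    for i, value in enumerate(data):
        bits = [BY_VALUE[1 << k] for k in range(8) if value & (1 << k)]
        if not bits:
            lines.append([prev])          # +0: repeating the last press only advances
            continue
        nxt = data[i + 1] if i + 1 < len(data) else 0
        avoid = BY_VALUE.get(nxt)         # set only when the next byte is a single bit
        seq = _order(bits, prev, avoid)
        prev = seq[-1]
        lines.append(seq + [prev])
    return lines


def press_sequence(data: bytes) -> List[str]:
    """Flat list as typed on the pad: a leading A skips the junk byte, EXIT returns."""
    return ["A"] + [b for line in encode(data) for b in line] + [EXIT]


def simulate(presses: List[str], length: int, prev: str = "A") -> bytes:
    """Replay the routine over `presses` and return the bytes after the junk byte."""
    ram = bytearray(length + 1)
    ram[0] = BUTTONS[prev]                # the A that chose USE lands in the junk byte
    idx = 0
    for name in presses:
        if name == EXIT:
            break                         # RET into the written code
        if name == prev:
            idx += 1                      # same button twice: move to the next byte
            continue
        ram[idx] = (ram[idx] + BUTTONS[name]) & 0xFF
        prev = name
    return bytes(ram[1:])
```

`press_sequence(bytes.fromhex("3EEFE0001000C9"))` reproduces the post's lines for the first five bytes; the sweep over all single-byte values in the checks shows that $01 is the only value that cannot be written as the first byte, because its one press would be read as the advance.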
7
Heya guys,

After a good bit of going back-and-forth to the Wiki (and later back-and-forth to a text file) in order to look up values for the 8F glitch, I decided to write a program in C using lookup tables that could directly parse gbz80 assembly and machine code, then output the results to the console pretty quickly (~12 milliseconds) in a variety of outputs.

You can check it out over at its Github page, 8F Helper.

As an example of its output, I took the assembly instructions for the perpetually resetting save file by Wacko and converted them to 8F items with the utility.

test.asm:
Code:
ld l,$6E
ld (hl),$36
ld a,$D3
ld ($D36F),a
inc b
ld c,$1c
ld h,$78
ld l,$48 ; 1c:7848: SaveSAVtoSRAM
ld b,c
call $35d6 ; BankSwitch
jp nc,$1f49 ; SoftReset

Command and output:
Code:
root@gbdev:~# gbz80aid -o gen1 -f test_code.asm

Item            Quantity
========================
X Accuracy      x110
Max Revive      x54
Lemonade        x211
TM34            x111
TM11            x4
Awakening       x28
Carbos          x120
X Accuracy      x72
X Attack        x205
TM14            x53
TM10            x73
Old Amber       xAny

Hope it can be of use! ;D
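An added example, not code from the 8F Helper tool: a small two-pass assembler for the gbz80 (SM83) instruction subset used in the posts above, followed by the step the tool performs, reading the assembled bytes as the bag's (item ID, quantity) byte pairs. Assembling the test.asm listing gives the item table shown above line for line, and assembling the joypad routine from the earlier post (with its labels) gives the bytes encoded in that post's item list, including the three `jr` offsets. The item-name table is partial and is an assumption: it holds only IDs that can be cross-checked against the two listings on this page (taken to be the standard Gen I item IDs, with TM01 at $C9); anything else prints as `item $xx`. An item ID of $FF is rejected because that byte ends the Gen I bag list.

```python
# Added example, not the 8F Helper tool's code. ITEM_NAMES is partial and assumed
# (IDs checked against this page's listings); unknown IDs print as "item $xx".
import re
from typing import Dict, List, Optional, Tuple

R8 = {"b": 0, "c": 1, "d": 2, "e": 3, "h": 4, "l": 5, "(hl)": 6, "a": 7}
R16 = {"bc": 0, "de": 1, "hl": 2, "sp": 3}
PUSH = {"bc": 0xC5, "de": 0xD5, "hl": 0xE5, "af": 0xF5}
CC = {"nz": 0, "z": 1, "nc": 2, "c": 3}
ALU = {"add": 0, "adc": 1, "sub": 2, "sbc": 3, "and": 4, "xor": 5, "or": 6, "cp": 7}
SIMPLE = {"nop": [0x00], "stop": [0x10, 0x00], "scf": [0x37], "ccf": [0x3F]}
LABEL_RE = re.compile(r"^([a-z_]\w*):\s*(.*)$")


def parse_val(tok: str, resolve) -> int:
    """$hex, 0xhex, decimal, or a label looked up through `resolve`."""
    if tok.startswith("$"):
        return int(tok[1:], 16)
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.lstrip("-").isdigit():
        return int(tok)
    return resolve(tok)


def encode_line(m: str, o: List[str], pc: int, resolve) -> List[int]:
    """Opcode bytes for one lower-cased instruction, per the SM83 opcode layout."""
    if m == "ld":
        d, s = o
        if d in R8 and s in R8 and not (d == s == "(hl)"):
            return [0x40 + 8 * R8[d] + R8[s]]                          # ld r,r'
        if d == "a" and s.startswith("("):
            nn = parse_val(s[1:-1], resolve)                           # ld a,(nn)
            return [0xFA, nn & 0xFF, (nn >> 8) & 0xFF]
        if d in R8:
            return [0x06 + 8 * R8[d], parse_val(s, resolve) & 0xFF]    # ld r,n / ld (hl),n
        nn = parse_val(d[1:-1], resolve)                               # ld (nn),a
        return [0xEA, nn & 0xFF, (nn >> 8) & 0xFF]
    if m == "ldh":
        d, s = o
        mem = d if d.startswith("(") else s                            # ldh (n),a / ldh a,(n)
        return [0xE0 if d.startswith("(") else 0xF0, parse_val(mem[1:-1], resolve) & 0xFF]
    if m in ("inc", "dec"):
        r = o[0]
        if r in R8:
            return [(0x04 if m == "inc" else 0x05) + 8 * R8[r]]
        return [(0x03 if m == "inc" else 0x0B) + 16 * R16[r]]
    if m in ("push", "pop"):
        return [PUSH[o[0]] - (0 if m == "push" else 4)]
    if m in ALU:
        src = o[-1]                                                    # "or a", "add a,(hl)", "cp $0c"
        if src in R8:
            return [0x80 + 8 * ALU[m] + R8[src]]
        return [0xC6 + 8 * ALU[m], parse_val(src, resolve) & 0xFF]
    if m in ("jp", "call", "jr"):
        cc, tgt = (None, o[0]) if len(o) == 1 else (o[0], o[1])
        if m == "jr":
            off = parse_val(tgt, resolve) - (pc + 2)                   # relative to the next instruction
            if not -128 <= off <= 127:
                raise ValueError(f"jr target out of range at ${pc:04X}")
            return [0x18 if cc is None else 0x20 + 8 * CC[cc], off & 0xFF]
        nn = parse_val(tgt, resolve)
        plain, cond = (0xC3, 0xC2) if m == "jp" else (0xCD, 0xC4)
        return [plain if cc is None else cond + 8 * CC[cc], nn & 0xFF, (nn >> 8) & 0xFF]
    if m == "ret":
        return [0xC9] if not o else [0xC0 + 8 * CC[o[0]]]
    if m in SIMPLE:
        return list(SIMPLE[m])
    raise ValueError(f"unsupported instruction: {m} {','.join(o)}")


def assemble(src: str, org: int = 0) -> bytes:
    """Pass 1 sizes every instruction to place labels (an unknown label resolves
    to the current pc, which changes no size); pass 2 emits the final bytes."""
    lines: List[Tuple[Optional[str], str]] = []
    for raw in src.splitlines():
        text = raw.split(";", 1)[0].strip().lower()
        mt = LABEL_RE.match(text)
        label, text = (mt.group(1), mt.group(2)) if mt else (None, text)
        if label or text:
            lines.append((label, text))
    labels: Dict[str, int] = {}
    out = bytearray()
    for final in (False, True):
        pc, out = org, bytearray()
        for label, text in lines:
            if label:
                labels[label] = pc
            if not text:
                continue
            mnem, _, rest = text.partition(" ")
            ops = [x.strip() for x in rest.split(",")] if rest.strip() else []

            def resolve(tok, pc=pc, final=final):
                if tok in labels:
                    return labels[tok]
                if final:
                    raise ValueError(f"undefined label: {tok}")
                return pc
            code = encode_line(mnem, ops, pc, resolve)
            out += bytes(code)
            pc += len(code)
    return bytes(out)


ITEM_NAMES = {0x0C: "Burn Heal", 0x0E: "Awakening", 0x14: "Potion", 0x1D: "Escape Rope",
              0x1F: "Old Amber", 0x23: "HP Up", 0x26: "Carbos", 0x28: "Rare Candy",
              0x2E: "X Accuracy", 0x36: "Max Revive", 0x37: "Guard Spec.", 0x3D: "Soda Pop",
              0x3E: "Lemonade", 0x41: "X Attack", 0x42: "X Defense", 0x43: "X Speed",
              0x44: "X Special", 0x50: "Ether"}


def item_name(item_id: int) -> str:
    if item_id == 0xFF:
        raise ValueError("$FF in an item-ID slot terminates the bag list")
    if 0xC9 <= item_id <= 0xFE:
        return f"TM{item_id - 0xC8:02d}"                               # TM01 = $C9
    return ITEM_NAMES.get(item_id, f"item ${item_id:02X}")


def to_items(code: bytes) -> List[Tuple[str, Optional[int]]]:
    """Bag slots as (name, quantity); an odd trailing byte leaves the quantity free."""
    return [(item_name(code[i]), code[i + 1] if i + 1 < len(code) else None)
            for i in range(0, len(code), 2)]


def format_items(code: bytes) -> List[str]:
    """Same layout as the 8F Helper output quoted above."""
    return [f"{name:<16}x{'Any' if qty is None else qty}" for name, qty in to_items(code)]
```

`format_items(assemble(src))` is the whole pipeline; `assemble` takes an `org` only because `jr` is relative, so the joypad routine assembles to the same bytes whether placed at 0 or at $D400.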