Glitch City Laboratories Forums

Lab γ: Video Games and Glitches Discussion => Generation I Glitch Discussion => Pokémon Glitch Discussion => Arbitrary Code Execution Discussion => Topic started by: Evie the Bird Mother 🌸 ☽ on April 23, 2017, 02:26:32 pm

Title: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 23, 2017, 02:26:32 pm
The data for glitch Pokémon Pokédex entries is retrieved from a specific location on the Game Boy address bus. In Pokémon Red, this address should be the value of register de when a breakpoint is set to 10:436D and the Pokémon's Pokédex entry is loaded.

A good number of glitch Pokémon take their data from writable memory, including:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

(You must not have set the glitch Pokémon's capture flag (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags) to see its Pokédex entry.)

Thanks to the Pokémon Red disassembly, we know the data is formatted like this:

* Species string terminated by 50.
* Four bytes apparently affecting height and weight.
* Text code.
* 0x50

While the text code (usually?) begins with 17, which is apparently the "text far" command, we could replace it with 08, which allows us to execute arbitrary code following the 08.

The addresses marked with an asterisk probably have the most potential to be abused. In particular D6 (B417) and DC (AA00), which are somewhere in the Hall of Fame data in SRAM bank 0.

When I caught a glitch Pokémon, it appeared that the SRAM was left open, so hopefully we may be able to add a bootstrap code here to items or a different location to execute arbitrary code, provided that we catch a 0xD6 or 0xDC with the LOL glitch.

Chances are, if you are able to catch these glitch Pokémon using the LOL glitch, you already have access to the expanded items pack, which sadly makes this glitch unnecessary, as you could modify the map script in the expanded items pack or bring up an 8F for arbitrary code execution, but it's still a nice glitch.

Edit: I checked Blue and nothing changed sadly, though just noticed I may have missed 0xF0 (8350).
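Added example (not code from the post or from the pokered project): it classifies each pointer in the Red table above by Game Boy address-bus region, picks out the entries that land in RAM the game can actually read back, and parses an entry in the layout the post describes. The Red pointer table is copied from the post; the sample entry bytes are constructed. The split of the "four bytes" into feet/inches/16-bit weight follows the pokered disassembly, which the post itself does not spell out.

```python
"""Classify Gen I Pokédex entry pointers and parse an entry's text command."""
from typing import Dict, List, NamedTuple, Tuple

# DMG address-bus map (fixed by the hardware, not by the game).
REGIONS = [
    (0x0000, 0x7FFF, "ROM"),
    (0x8000, 0x9FFF, "VRAM"),      # CPU reads return $FF while the PPU owns it
    (0xA000, 0xBFFF, "SRAM"),      # cart RAM; open bus unless the MBC enabled it
    (0xC000, 0xDFFF, "WRAM"),
    (0xE000, 0xFDFF, "Echo RAM"),  # mirror of $C000-$DDFF
    (0xFE00, 0xFE9F, "OAM"),
    (0xFEA0, 0xFEFF, "unusable"),
    (0xFF00, 0xFF7F, "I/O"),
    (0xFF80, 0xFFFE, "HRAM"),
    (0xFFFF, 0xFFFF, "IE"),
]

def classify(addr: int) -> str:
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    raise ValueError(f"not a 16-bit address: {addr:#x}")

def echo_target(addr: int) -> int:
    """Echo RAM reads hit the WRAM byte $2000 below (F403 -> D403)."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr

# Glitch Pokémon index -> de at 10:436D, copied from the post above.
RED_DEX_PTRS: Dict[int, int] = {
    0xBF: 0x9183, 0xC0: 0x8B88, 0xC6: 0x8F50, 0xC7: 0x9180, 0xC8: 0x8D84,
    0xCE: 0x8F50, 0xCF: 0x888E, 0xD0: 0x8E92, 0xD2: 0x888F, 0xD6: 0xB417,
    0xD8: 0x8550, 0xD9: 0x8880, 0xDA: 0x9891, 0xDC: 0xAA00, 0xE0: 0x8893,
    0xE1: 0x988D, 0xE2: 0x817F, 0xE3: 0x9188, 0xE9: 0x8150, 0xEA: 0x8B80,
    0xEE: 0xCB17, 0xEF: 0x8350, 0xF1: 0x8891, 0xF2: 0x8B8B, 0xF8: 0x8487,
    0xF9: 0x8C91, 0xFA: 0x9388, 0xFB: 0x9182, 0xFC: 0x8180, 0xFE: 0xC203,
}

def ace_candidates(table: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """Entries whose pointer lands in SRAM (needs the MBC enable), WRAM or
    Echo RAM.  VRAM entries are left out: the read happens while the PPU is
    drawing, so the CPU sees $FF instead of whatever was written there."""
    return sorted((idx, ptr, classify(ptr)) for idx, ptr in table.items()
                  if classify(ptr) in ("SRAM", "WRAM", "Echo RAM"))

TERM, TX_FAR, TX_ASM = 0x50, 0x17, 0x08   # "@", far-text command, run-as-code command

class DexEntry(NamedTuple):
    species: str
    height_ft: int
    height_in: int
    weight: int            # little-endian word
    text_cmd: int
    text_operands: bytes   # TX_FAR: addr lo, addr hi, bank; TX_ASM: the code itself

def decode_text(raw: bytes) -> str:
    """Gen I charmap subset: $80-$99 are 'A'-'Z', enough for species names."""
    return "".join(chr(ord("A") + b - 0x80) if 0x80 <= b <= 0x99 else "?" for b in raw)

def parse_dex_entry(buf: bytes) -> DexEntry:
    end = buf.index(TERM)                     # species string ends at "@"
    pos = end + 1
    feet, inches = buf[pos], buf[pos + 1]
    weight = buf[pos + 2] | (buf[pos + 3] << 8)
    pos += 4
    cmd = buf[pos]
    if cmd == TX_FAR:
        operands = bytes(buf[pos + 1:pos + 4])
    elif cmd == TX_ASM:
        operands = bytes(buf[pos + 1:])       # TextCommandProcessor jumps here
    else:
        operands = b""
    return DexEntry(decode_text(buf[:end]), feet, inches, weight, cmd, operands)

# Constructed: "SEED", 2'4", weight 150, then TX_FAR to an arbitrary far address.
SAMPLE_TXFAR = bytes([0x92, 0x84, 0x84, 0x83, TERM, 2, 4, 150, 0,
                      TX_FAR, 0x00, 0x40, 0x2B, TERM])
# Constructed: same entry with $08 in place of $17; what follows is executed
# (placeholder payload: ld a,$FF / ret).
SAMPLE_ASM = bytes([0x92, 0x84, 0x84, 0x83, TERM, 2, 4, 150, 0,
                    TX_ASM, 0x3E, 0xFF, 0xC9])

if __name__ == "__main__":
    for idx, ptr in sorted(RED_DEX_PTRS.items()):
        print(f"{idx:02X}: {ptr:04X} {classify(ptr)}")
    print("candidates:", [(f"{i:02X}", f"{p:04X}", r) for i, p, r in ace_candidates(RED_DEX_PTRS)])
    print(parse_dex_entry(SAMPLE_TXFAR))
    print(parse_dex_entry(SAMPLE_ASM))
```

Run as-is and the candidate list comes out as exactly the four asterisked entries (D6, DC in SRAM; EE, FE in WRAM); the Yellow F403 pointer mentioned later in the thread classifies as Echo RAM with `echo_target` giving D403.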
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Caveat on April 23, 2017, 04:06:52 pm
I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with...
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 23, 2017, 04:47:40 pm
Quote from: Caveat
I know there are glitch Pokemon with movesets and evolutions read from writable memory, but what do all the other ones do?

Is there a Pokemon that takes its stats or TM moves from writable memory? That could be fun to tinker with...

Technically, Fossil and Ghost MissingNo. can be manipulated to have different base stats and/or a different TM/HM learnset but it has to be taken from an existing Pokémon or glitch Pokémon.

https://www.youtube.com/watch?v=JnwN-uIVliA

Otherwise I don't think so, as all data (except for pointers within the data) for Pokédex numbers (where the TM/HM data is stored) ends up in ROM, and the TM/HM data is just a series of eight bytes wherever in the ROM the game ends up (TM/HM flags).

However, there is the possibility of a glitch Pokémon with a sprite from RAM. If so there is a slim chance we might even be able to assign a custom sprite without OAM hacking, but it would also have to have the dimensions data (not manipulable and from the ROM) assigned to that glitch Pokémon. In other words it seems there could be a size limit for that sprite, and for glitch Pokémon with a x0 dimension their sprites could still freeze the game.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 24, 2017, 03:31:43 am
Pokémon sprites aren't managed by the OAM. They are written on the tilemap (otherwise they'd take all sprite slots and there would be nothing remaining for attack animations).

Also, C203 ACE (Pokémon FE) has a slim chance of being possible (I personally doubt it, but... let's cross fingers!) and CB17 ACE may be possible; it runs code based on map data and lastly drawn tiles, and eventually on menu data (<- this one almost always crashes due to bad luck).

VRAM should be locked when data is pulled from it, so I have doubts about all non-* entries.

The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th? I lost count) ACE exploit in these games.


Yes, we have more than 10 different ACE exploits.
QUALITY PROGRAMMING, GAME FREAK
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 24, 2017, 07:32:38 am
Updated with Yellow pointers:

(Set a breakpoint to 10:4405 and check de)

00: 9288
BF: 8492
C0: 8384
C2: 9604
C6: 8492
C7: 8384
CD: 8492
CE: 8384
D0: A207/FREEZE
D4: 888B
D5: 8099
D6: 8391
D8: BE00
DC: 8B85
DD: 8C80
E1: 8417
E3: 8550
E4: 808B
E5: 848C
E7: D007
EB: 8893
EC: 988D
ED: 9493
EE: 9391
EF: 848B
F1: C808
F5: 9493
F6: 9391
F7: 848B
F9: F403 (!!)
FD: 8792
FE: 8B84
FF: 858B

F403 is Echo RAM for D403, which can be manipulated by changing item 116+ in the expanded items pack, although you don't have that much space because items 129-256 represent items 1-128 again.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 24, 2017, 09:56:49 am
Now THAT is really interesting!

E7 runs code from D007, which is wEnemyMonBaseExp.
Right then is the player Pokémon's name, so no problem! Having a nick with a perfect number of characters means the first executed byte will be the player Pokémon's HP (low byte). Making this $08 is easy.
ACE HYPEEEEEEEEEEEE
Setup that would work, though it's not the only one:
- "Box level" (?) 1-byte instruction that doesn't crash
- No status problem
- The Pokémon's type #1 should be $01 (FIGHT-type?)
And then the Pokémon's moves onwards will be run as code.

F1's C808 is in the middle of a "LY override buffer". No idea what this is, but if the first read byte is $08, then this may NOP-slide into some printer-related data. Might lead to ACE ?

F403: is in the middle of some warp data. As Torchickens pointed out, this could be manipulated!
We can re-route execution to the item pack (either direct jump, or set hl then jp hl)
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: VaeporSage on April 24, 2017, 07:38:58 pm
If this works out, how many 1st Gen ACE methods would that make now?  ;D
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 25, 2017, 02:07:39 am
- Glitch item ACE
- Custom map script ACE
- Glitch map's map script ACE
- Normal map glitched map script ACE
- Glitch move ACE
- Glitch text boxes ACE
- Pikachu off-screen ACE
- Pikachu glitch emote ACE
- CartSwap ACE
- ZZAZZ Trainer ACE
- Glitch Pokédex entries ACE

That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
¯\_(ツ)_/¯
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 25, 2017, 08:00:44 am
I think you forgot remote code execution in the Trade Center (the exploit MrCheeze did for the R/B virus), so that makes at least 12.

https://www.youtube.com/watch?v=h5Igc18hc2Q
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Parzival on April 25, 2017, 12:09:43 pm
Quote from: ISSOtm
That'd make it the 11th ACE exploit. Unless I forgot one in this list, which would make it 12th.
Game Freak's FailTrain just doesn't stop, does it?
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 25, 2017, 01:37:34 pm
Yeah, it's quite unfortunate for Game Freak.

Interestingly, if you call Wack0's Hall of Fame script using 0xF9 ACE, the Hall of Fame sequence runs without any problems, but upon choosing Continue you don't receive the Pokémon (which would have been a Rhydon).

(http://i.imgur.com/on31H7N.gif)
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Parzival on April 25, 2017, 03:31:36 pm
Nice find!
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Caveat on April 25, 2017, 06:44:06 pm
Much like science in general, glitching seems to not be based on the principle of "why", but the principle of "why NOT?"

Do we need 12 ways to execute arbitrary code? Hell no, but that won't stop any of us.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 26, 2017, 07:51:59 am
Quote from: ISSOtm
The two SRAM candidates (B417 for hex:D6 and AA00 for hex:DC) may yield ACE, but we need to study what locks and what unlocks SRAM more. And then they may require ridiculous setups to yield ACE, but that'd be the 13th (maybe 14th? I lost count) ACE exploit in these games.

Looking into Red/Blue's now and will hopefully include it with Yellow ACE in a video.

I almost did this with 0xDC (AA00) using Pokémon 5 with a 50 terminator in the right place and Pokémon 6 as a Level 8 Pokémon with an invalid nickname, but then it seems the SRAM data got corrupted because of 0xDC's sprite on the Pokédex entry, and that might be why it didn't work.

I'm not sure if you can do it with 0xD6 without another ACE or Hall of Fame corruption as it lands on one of the 00s, and even with a 0x50 directly following it you can't use the 08 text code five bytes later.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Parzival on April 26, 2017, 08:06:48 am
Correct me if I'm wrong, but isn't SRAM unlocked by writing any byte ending in a 0xA nybble to 0000-1FFF?
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: jfb1337 on April 26, 2017, 09:47:28 am
Does HRAM manipulation also count as ACE? Or not, because the only way to get it is by already having ACE in the first place?

Anyway, I decided to do a search for jp [hl] to find other potential ACE entry points (besides the ones that mess with the stack such as trade centre RCE, or exotic stuff like cartswap and HRAM manip, or potentially anything that messes with the ROM bank in an unexpected manner, or anything which pushes something to the stack and then rets to it, though I don't know if the game ever does this):

Code:
pokered$ git grep "jp \[hl\]"
engine/battle/animations.asm:   jp [hl] ; jump to special effect function
engine/battle/animations.asm:   jp [hl]
engine/battle/animations.asm:   jp [hl]
engine/battle/animations.asm:   jp [hl]
engine/battle/battle_transitions.asm:   jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl] ; jump to special effect handler
engine/battle/trainer_ai.asm:   jp [hl]       ; execute modification function
engine/battle/trainer_ai.asm:   jp [hl]
engine/cable_club.asm:  jp [hl]
engine/items/items.asm: jp [hl]
engine/menu/start_sub_menus.asm:        jp [hl]
engine/menu/text_box.asm:       jp [hl] ; jump to the function
engine/overworld/player_state.asm:      jp [hl]
engine/overworld/ssanne.asm:    jp [hl]
engine/palettes.asm:    jp [hl]
engine/slot_machine.asm:        jp [hl]
engine/trade.asm:       jp [hl] ; call trade func, which will return to the top of the loop
home.asm:       jp [hl]
home.asm:       jp [hl]
home.asm:       jp [hl]
home/overworld.asm:     jp [hl] ; jump to script
home/predef.asm:        jp [hl]

OK so that's 24 possibilities (for R/B at least, haven't checked Y):

- The 4 in animations.asm look like they're either non-manipulable, or fall under Glitch Move ACE (via animation pointers)

- The 1 in battle_transitions.asm is non-manipulable (only influenced by bc which is set to 0, then only set by a few functions that never set bc to something invalid)

- The 3 in core.asm are either non manipulable or fall under Glitch Move ACE (via move effects)

- The 1 in trainer_ai.asm is the ZZAZZ trainer ACE (are there other glitch trainers that trigger ACE too?)

- The 1 in cable_club.asm seemed interesting, but it turns out that the address it reads from to determine the jump, CC38 aka wTradeCenterPointerTableIndex, is set right before every time the function that contains the jump is called, so it's unmanipulable.

- The 1 in items.asm is Glitch Item ACE, the 8F that we all know and love

- The 1 in start_sub_menus.asm is for out of battle moves, which seemed interesting since there is an unused field move $B4, but it would just act like surf since in its place is an extra pointer to the surf function. But maybe $cd3d AKA wFieldMoves could be manipulated somehow? Though this is very unlikely.

- The 1 in text_box.asm doesn't seem manipulable since it searches through a table that is properly terminated by $FF

- The 1 in player_state.asm looks interesting: It's determined by wSpriteStateData1 + 9, aka $C109, the player's current direction. Could that be potentially manipulated somehow?

- The 1 in ssanne.asm is ALSO based on wSpriteStateData1 + 9

- The 1 in palettes.asm is about SGB palette commands. But it seems like every time RunPaletteCommand is called, b is set to a valid palette command already, so there doesn't seem to be room for manipulation.

- The 1 in slot_machine.asm is for a pointer to a reward function that's based on the symbol on the wheel that matched. Unfortunately that doesn't seem possible to manipulate.

- The 1 in trade.asm is non manipulable, as the pointer it uses is only ever set to a valid trade animation function which just follows a fixed sequence defined entirely in ROM.

- The 3 in home.asm are in Bankswitch, CallFunctionInTable, and CheckForHiddenObjectOrBookshelfOrCardKeyDoor.
--The latter is non manipulable since it searches for a pointer in a well-terminated array so it only loads valid hidden object pointers.
--Bankswitch is also non manipulable since it always sets hl properly before being called.
--CallFunctionInTable is only used in scripts (which would fall under the map script ACE methods) and a couple of places in home.asm, one also to do with map scripts, and the other for NPC movement scripts, which after a quick glance over where the addresses involved are used, they seem to all be only set to constant values, unless $CC57 or $CF10 could be manipulated somehow.

- The 1 in overworld.asm is the map script, which covers 3 types of map pointer ACEs.

- Finally, the one in Predef.asm is for Predef pointers. Probably not manipulable since a predef ID is always set before calling Predef.

I was surprised that TextCommandProcessor doesn't show up, but I discovered that actually uses "jp hl" instead of "jp [hl]" like I was searching for.

There are 2 other instances of "jp hl": One also in text.asm to a non manipulable function table, since it's only used when a < 0xE [even if this were manipulable, it wouldn't be very useful since it's part of the text command processor which you can already use 08 to turn into ACE anyway]. The other is in naming_screen.asm, on a non-manipulable table for button input.

Anyway, the next interesting thing to search for is TextCommandProcessor itself:

Code:
pokered$ git grep TextCommandProcessor
engine/cable_club.asm:  call TextCommandProcessor
engine/menu/pokedex.asm:        call TextCommandProcessor ; print pokedex description text
home.asm:       call TextCommandProcessor
home.asm:       jp TextCommandProcessor
home/text.asm:  call TextCommandProcessor
home/text.asm:TextCommandProcessor::
home/text.asm:  call TextCommandProcessor
The calls in text.asm are the handlers for TX_FAR, and Char55, which points to a fixed text in ROM.
The call in cable_club.asm is also a fixed text string.
The call in pokedex.asm is this ACE method!
The calls in home.asm are part of PrintText, which gives us something else to search for, and TrainerEndBattletext. Could we possibly manipulate the win/lose text pointers at d08c from within battle?

At this point I searched for PrintText... and there are TONS of results, too many to list here and more than I'm willing to check at the moment. They probably fall into the category of glitch text box ACE though.

But if anyone wants to add a 13th method to the list, PrintText is a good place to start.

Also, note that ACE doesn't necessarily need to point to RAM - Maybe there's something which points somewhere in ROM that's in the middle of a function that messes with the push/pop balance, causing the game to jump again to somewhere else when it hits a ret? A bit like how Coin Case ACE works.

Also, research into what unlocks SRAM would be nice, since sometimes when I hit an rst 38 I lose my save, and sometimes I don't, with no pattern I can see, so it would be nice to know what unlocks SRAM so I could take precautions.
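Added example (not code from the post or from pokered): the grep above finds the `jp [hl]` / `jp hl` sites, and the rest of the post is the manual step of working out which routine each one sits in and where hl came from. This script does that attribution over RGBDS-style sources: it tracks the enclosing global label and reports the last instruction in that routine that wrote hl, h or l before the jump, which is the line that decides whether the target is a fixed table or something the player can influence. The three source snippets are constructed and simplified; the routine names and bodies are illustrative, not the real pokered code.

```python
"""Attribute indirect jumps in RGBDS-style assembly to their routine."""
import re
from typing import Dict, List, NamedTuple

# "jp hl" and the older "jp [hl]" spelling both assemble to opcode $E9.
INDIRECT = re.compile(r"^\s*jp\s+(?:\[hl\]|hl)\s*$", re.IGNORECASE)
# A global RGBDS label starts in column 0 as Name: or Name::; ".loop" is local.
GLOBAL_LABEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)::?")
# Instructions that change the jump target register pair.
HL_WRITE = re.compile(r"^\s*(?:ld\s+(?:hl|h|l)\s*,|pop\s+hl|add\s+hl|inc\s+hl|dec\s+hl)",
                      re.IGNORECASE)

class Hit(NamedTuple):
    file: str
    line: int
    routine: str
    text: str
    hl_set_by: str   # last hl/h/l write seen in the routine before the jump

def find_indirect_jumps(sources: Dict[str, str]) -> List[Hit]:
    hits = []
    for fname, text in sources.items():
        routine, body = "<none>", []            # body: code lines of the current routine
        for n, raw in enumerate(text.splitlines(), 1):
            code = raw.split(";", 1)[0].rstrip()  # drop the comment
            m = GLOBAL_LABEL.match(code)
            if m:
                routine, body = m.group(1), []
                code = code[m.end():]              # allow "Label: insn" on one line
            body.append(code)
            if INDIRECT.match(code):
                setter = next((c.strip() for c in reversed(body[:-1]) if HL_WRITE.match(c)), "?")
                hits.append(Hit(fname, n, routine, raw.strip(), setter))
    return hits

def per_file_counts(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.file] = counts.get(h.file, 0) + 1
    return counts

# Constructed sources; names and bodies are simplified stand-ins.
SOURCES = {
    "home/text.asm": """\
TextCommandProcessor::
    ld a, [wLetterPrintingDelayFlags]
.loop
    ld a, [hl]            ; next text byte
    cp $08                ; TX_ASM
    jr nz, .notAsm
    inc hl
    jp hl                 ; run the bytes that follow as code
.notAsm
    ret
""",
    "engine/items/items.asm": """\
UseItem::
    ld hl, ItemUsePtrTable ; assumed table name
    ; ... index hl by item id ...
    ld a, [hli]
    ld h, [hl]
    ld l, a
    jp [hl]
""",
    "engine/battle/battle_transitions.asm": """\
BattleTransition::
    ld bc, 0
    ld hl, TransitionTable
    add hl, bc
    jp [hl]
""",
}

if __name__ == "__main__":
    hits = find_indirect_jumps(SOURCES)
    for h in hits:
        print(f"{h.file}:{h.line} in {h.routine}: {h.text}  (hl <- {h.hl_set_by})")
    print(per_file_counts(hits))
```

The `hl_set_by` column is a heuristic (a linear scan, no control-flow analysis), so treat it as a pointer to where to start reading, not a verdict; a `ld hl, Table` right before the jump is the "fixed table" case, while `ld h, [hl]` / `ld l, a` means the target was loaded from memory and the question becomes who wrote that memory.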
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Parzival on April 26, 2017, 09:56:26 am
Several (read: most) of the invalid Predefs in Yellow over... it's like $80 or so... execute data from WRAM (thanks to whoever wrote the Wiki article for bringing those to my attention!) so we could probably start there in RB as well.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 26, 2017, 12:01:00 pm
Wow, thanks for this jfb1337.

I suppose HRAM ACE counts as the Pikachu glitch emote ACE was included on the list as well.

I'll look into your finds to see if any other methods are possible.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 26, 2017, 02:44:48 pm
@Parzival: calling invalid predefs without ACE is currently impossible. I might become wrong at some point.

@jfb1337: Nice grep! :P
$C109 isn't manipulable on its own, BUT Glitch Pokémon sprites (like Yellow's "pixel" Missingno.) can scramble this. This might be an entry point for ACE!
$CD3D should be overwritten by Brock Through Walls or the NoClip "Museum guy" method. This could also be an entry point ^^
If I overlooked other entries you marked as "potential", please tell me and I'll look at those too!

I didn't see your "git grep "jp hl"", though? And I can't do it because of the lack of Linux etc.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on April 26, 2017, 03:18:13 pm
Quote from: ISSOtm
If I overlooked other entries you marked as "potential", please tell me and I'll look at those too!

$D08C can theoretically be manipulated with CoolTrainer to any reasonable address represented by map tiles at BGB coordinate x=03 y=0F, or the blue tile here:

(http://i.imgur.com/iUGvGex.png)

..but you'd need to not touch address $D078 or anything else that could lead the battle to freeze/end. If Glitch Cities alone aren't enough a tile printing glitch item combined with 9F to save the screen data may help.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 26, 2017, 03:52:49 pm
This address should be zero to be non-crashing, as far as a quick look into pokered could tell me. Maybe doable by Glitch Cities.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: jfb1337 on April 26, 2017, 05:09:24 pm

Quote from: ISSOtm
I didn't see your "git grep "jp hl"", though? And I can't do it because of the lack of Linux etc.

Here:
Code:
pokered$ git grep "jp hl"
engine/menu/naming_screen.asm:  jp hl
home/text.asm:  jp hl
home/text.asm:  jp hl



Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: ISSOtm on April 26, 2017, 05:29:08 pm
Thanks! These don't look like they can serve our purposes.
Oh well, at least you checked them out :)
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: jfb1337 on April 26, 2017, 05:30:44 pm
Also, I don't think CD3D would actually be possible, since it gets written to when you select a Pokémon, at which point there's no way to change it before the point it is read when you select one of the field moves. I was originally thinking about super glitch corruption from the unused field move, but the game stores names of field moves separately so this one is just a properly terminated empty string.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on May 02, 2017, 11:10:36 am
I briefly looked at the indices for C109 in Yellow and already found some really interesting behaviour:

0E, 0F: Execute DA41 - This can fall through to wDayCareInUse and then the manipulable wNumInBox.
12, 13: Execute D367 - This can be manipulated via the expanded items pack.
20: Enable "Blind Pikachu" effect. Another fun way to do it!

Sadly simply changing the value doesn't seem to be sufficient as it will reset back to a normal value, and the value must remain the same while walking on the exit mat.

As ISSOtm said we might be able to get a glitch Pokémon corruption (Yellow MissingNo.'s sprite corruption if it doesn't freeze the game can do it after you run away, are there any others?) that sets this and hopefully to an exploitable value. If we use a save file that has never encountered a glitch Pokémon and corrupted the SRAM there may be a point in which x number of encounters always results in the exploitable value.

Edit: If you use Lg- then you can execute 0E's arbitrary code (or theoretically another ID's script) that way, bingo!

Here are the other execution points that execute C000-FDFF.

2C - DFE6
2D - DFE6
3A - FA0A
3B - FA0A
3E - D368
3F - D368
50 - C9A7
51 - C9A7
54 - C937
55 - C937
56 - E5C9
57 - E5C9
58 - D5E5
59 - D5E5
5A - C5D5
5B - C5D5
5C - CDC5
5D - CDC5
5E - D4CD
5F - D4CD
62 - FA42
63 - FA42
66 - D35D
67 - D35D
70 - FA35
71 - FA35
74 - C109
75 - C109
76 - CBC1
77 - CBC1
82 - C021
83 - C021
8E - FA6F
8F - FA6F
90 - C5FA
91 - C5FA
92 - CFC5
93 - CFC5
9A - CD00
9B - CD00
A0 - C13D
A1 - C13D
A2 - D1C1
A3 - D1C1
A4 - E1D1
A5 - E1D1
A6 - C9E1
A7 - C9E1
A8 - C8C9
A9 - C8C9
AC - D041
AD - D041
B0 - D341
B1 - D341
B4 - D641
B5 - D641
C7 - D0E4
DA - FAFF
DB - FAFF
DC - C5FA
DD - C5FA
DE - CFC5
DF - CFC5
EC - D918
ED - D918
F2 - D618
F3 - D618
F4 - E5D6
F5 - E5D6
F6 - D5E5
F7 - D5E5
F8 - C5D5
F9 - C5D5

The only task now is finding out which series of corruptions would bring up a suitable execution point.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on May 02, 2017, 03:09:06 pm
OK done!

From a save file with wiped SRAM data view 0xEC's summary sprite three times and then encounter Yellow MissingNo three times in Viridian Forest.

You may get this wonderful piece of art (C109=0F). :)

(http://i.imgur.com/UfNsIVI.png)

Then use Lg- and the game will execute DA41. Let this fall through to DA7F and use Pigdevil2010's bootstrap code (see http://forums.glitchcity.info/index.php?topic=6638.msg194861#msg194861) to redirect to item 3 and then add your code there.

Do note that DA41 is wPlayTimeMaxed, and wPlayTimeMinutes, wPlayTimeSeconds and wPlayTimeFrames follow. This means wPlayTimeMinutes must not be a value that writes to h, causes a freeze, or causes a jump so that DA7F isn't accessed, and you must be lucky enough to not get a freeze from the seconds and frames values.
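Added example (not code from the posts or from the disassembly) serving two posts in this thread: ISSOtm's E7 entry, where the text processor walks from D007, hits $08 at the battle Pokémon's HP low byte and then runs the rest of the wBattleMon structure as code, and the C109=0E/0F entry above, which jumps to DA41 and has to survive the play-time bytes on the way to the bootstrap at DA7F. It does a linear-sweep decode with an SM83 opcode-length table, shows which struct fields end up as operands of the previous field's opcode (the reason type 1 = $01 works: `ld bc,nn` swallows type 2 and the catch rate), and flags the hazards the posts warn about (jumps, freezes, writes to hl or sp). The field addresses are my reading of the pokeyellow WRAM layout and are assumptions; the byte values and the $D31D item-list address are constructed. It only knows instruction lengths, not semantics, so it reports hazards rather than predicting what the code does.

```python
"""Linear-sweep hazard check for bytes the game falls through as code."""
from typing import Dict, List, NamedTuple

# SM83 instruction lengths; every opcode not listed is one byte.
THREE_BYTE = {0x01, 0x11, 0x21, 0x31, 0x08, 0xC3, 0xC2, 0xCA, 0xD2, 0xDA,
              0xCD, 0xC4, 0xCC, 0xD4, 0xDC, 0xEA, 0xFA}
TWO_BYTE = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0xCB, 0x18,
            0x20, 0x28, 0x30, 0x38, 0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6,
            0xFE, 0xE0, 0xF0, 0xE8, 0xF8}
# What a byte does if it is decoded as an opcode.
JUMP = {0x18, 0x20, 0x28, 0x30, 0x38, 0xC3, 0xC2, 0xCA, 0xD2, 0xDA, 0xE9,  # jr / jp
        0xCD, 0xC4, 0xCC, 0xD4, 0xDC, 0xC9, 0xC0, 0xC8, 0xD0, 0xD8, 0xD9,  # call / ret
        0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF}                    # rst (FF = rst 38)
FREEZE = {0x10, 0x76, 0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
SP_WRITE = {0x31, 0x33, 0x3B, 0xE8, 0xF9}
HL_WRITE = ({0x09, 0x19, 0x29, 0x39, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x2A,
             0x2B, 0x2C, 0x2D, 0x2E, 0x32, 0x3A, 0xE1, 0xF8}
            | set(range(0x60, 0x70)))                           # ld h,r / ld l,r
STORE = ({0x02, 0x12, 0x22, 0x32, 0x34, 0x35, 0x36, 0x08, 0xE0, 0xE2, 0xEA}
         | (set(range(0x70, 0x78)) - {0x76}))                   # ld [hl],r

def insn_length(op: int) -> int:
    return 3 if op in THREE_BYTE else 2 if op in TWO_BYTE else 1

def hazards(op: int) -> List[str]:
    groups = [("jump", JUMP), ("freeze", FREEZE), ("writes sp", SP_WRITE),
              ("writes hl", HL_WRITE), ("store", STORE)]
    return [name for name, group in groups if op in group]

class Insn(NamedTuple):
    addr: int
    field: str
    opcode: int
    swallowed: List[str]   # fields consumed as operand bytes
    hazards: List[str]

def sweep(image: bytes, base: int, fields: Dict[int, str]) -> List[Insn]:
    """Decode from base until the first jump/freeze or the end of the image."""
    def name(a: int) -> str:
        return fields.get(a, f"${a:04X}")
    out, pc, end = [], base, base + len(image)
    while pc < end:
        op = image[pc - base]
        n = insn_length(op)
        rec = Insn(pc, name(pc), op, [name(a) for a in range(pc + 1, min(pc + n, end))], hazards(op))
        out.append(rec)
        if "jump" in rec.hazards or "freeze" in rec.hazards:
            break
        pc += n
    return out

# ISSOtm's E7 entry.  Assumed Yellow layout: wBattleMon HP low at $D014 holds
# the $08, so execution starts at $D015.  Constructed values: HP high 0, box
# level 0, status 0, type 1 = $01 (ld bc,nn eats type 2 and catch rate), then
# four moves forming "ld hl,$D31D / jp hl" ($D31D assumed to be the item list).
FIELDS_E7 = {0xD015: "HP high", 0xD016: "box level", 0xD017: "status",
             0xD018: "type 1", 0xD019: "type 2", 0xD01A: "catch rate",
             0xD01B: "move 1", 0xD01C: "move 2", 0xD01D: "move 3", 0xD01E: "move 4"}
IMAGE_E7 = bytes([0x00, 0x00, 0x00, 0x01, 0x14, 0x2D, 0x21, 0x1D, 0xD3, 0xE9])

# DA41 entry (C109 = 0E/0F).  Assumed: DA41 wPlayTimeMaxed, DA42 minutes,
# DA43 seconds, DA44 frames, then more WRAM up to the bootstrap at DA7F.
FIELDS_DA41 = {0xDA41: "wPlayTimeMaxed", 0xDA42: "wPlayTimeMinutes",
               0xDA43: "wPlayTimeSeconds", 0xDA44: "wPlayTimeFrames"}

def play_time_sweep(minutes: int, seconds: int, frames: int) -> List[Insn]:
    return sweep(bytes([0x00, minutes, seconds, frames]), 0xDA41, FIELDS_DA41)

def minute_verdicts() -> Dict[int, str]:
    """For each minutes value 0-59 (wPlayTimeMaxed = 0 is a nop, so minutes is
    the first real opcode): safe single byte, swallows seconds/frames as
    operands, or one of the hazards the post warns about."""
    out: Dict[int, str] = {}
    for m in range(60):
        hz = hazards(m)
        if "jump" in hz or "freeze" in hz or "writes sp" in hz:
            out[m] = "hazard"
        elif "writes hl" in hz:
            out[m] = "writes hl"
        elif "store" in hz:
            out[m] = "store"
        elif insn_length(m) > 1:
            out[m] = f"consumes {insn_length(m) - 1}"
        else:
            out[m] = "safe"
    return out

if __name__ == "__main__":
    for r in sweep(IMAGE_E7, 0xD015, FIELDS_E7):
        print(f"${r.addr:04X} {r.field:<11} op {r.opcode:02X} eats {r.swallowed} {r.hazards}")
    v = minute_verdicts()
    print("safe minutes:", [m for m in v if v[m] == "safe"])
    print("hazard minutes:", [m for m in v if v[m] == "hazard"])
```

Two things the output makes concrete: in the E7 case only six of the ten bytes are ever decoded as opcodes, so the values of type 2, the catch rate and moves 2-3 matter only as operand data; and for DA41, a minutes value that is a multi-byte load (such as 1, 6 or 14) hides the seconds and frames bytes inside its operand, which removes the luck element for those two bytes at the cost of clobbering a register pair. CB-prefixed instructions are counted as two bytes but their effect on h/l is not classified.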
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Caveat on May 02, 2017, 03:35:33 pm
Quote from: Evie the Bird Mother 🌸 ☽
From a save file with wiped SRAM data view 0xEC's summary sprite three times and then encounter Yellow MissingNo three times in Viridian Forest.

Is this the most complex setup for ACE yet?

I don't know how complicated most of the other methods are, but this is still ridiculous.
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Evie the Bird Mother 🌸 ☽ on May 03, 2017, 02:26:04 pm
Quote from: Caveat
Is this the most complex setup for ACE yet?

I don't know how complicated most of the other methods are, but this is still ridiculous.

Turns out this may work if you open your menu at Viridian City's PC before going to Viridian Forest and have never seen MissingNo. before, so it seems this is less hard to set up than previously thought, although there are some unknown complications that would prevent C109 becoming 0F.

MissingNo. can be taken from one of the Trainers that do not differ in Yellow from this image (https://puu.sh/257S). Notably you can use Rival's effect through Lorelei's door and Selfdestruct to Bruno's second Pokémon, lose the match and guarantee infinite MissingNo. To enable the Special encounter you can be guided by the Pewter City museum NPC.

I successfully got this to work on console, but that was with a MissingNo.>0xEC back-sprite>MissingNo. method so there is a chance the new Viridian City PC method may not work.

Even with this, this is a bit harder than map script and 8F/ws m arbitrary code execution due to the luck element (if the play time data is problematic you'd have to delete the save file because you can't save the C109 value), having to have never seen a glitch Pokémon sprite (I suppose Fossil/Ghost MissingNo. won't count) and importantly having to obtain the glitch item Lg- (hex:6E). If you're able to obtain glitch items you probably will have set up dry underflow and could just use custom map script ACE/LOL glitch with items with quantities over 99 from Celadon looping map trick or MissingNo. to set up the storage box bootstrap code.

It's nice that this seems not to be a too unreasonable method of ACE however.

Pikachu glitch emote and HRAM ACE could be seen as examples of more difficult methods as they already require arbitrary code execution to begin with.

Quote from: Torchickens
I successfully got this to work on console, but that was with a MissingNo.>0xEC back-sprite>MissingNo. method so there is a chance the new Viridian City PC method may not work.

Does seem to work on real console. :)
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Parzival on May 03, 2017, 05:11:26 pm
(IIRC) ACE Counter: 14.
Holy hell, so much s**t coding.
FAILTRAIN COUNTER: OVERFLOW
Title: Re: Glitch Pokémon Pokédex ACE in Generation I
Post by: Caveat on May 03, 2017, 05:18:13 pm
Quote from: Parzival
(IIRC) ACE Counter: 14.
FAILTRAIN COUNTER: OVERFLOW
I think this game may legitimately be one of the buggiest games ever.

Move over, Superman 64...