Messages

1

Generation III Glitch Discussion / Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

« on: March 19, 2018, 01:35:27 pm »

Even though the move's name is short, the name the game uses when the move is used in battle is longer (I don't really know where he pulls the other name off)

I've mentioned this in the past. This comes from some code that substitutes a placeholder name for when the move is used in battle, which is used if the move index is above the last valid move (0x162).

The code is basically something like this:

if ( *ptrSelectedMoveIndex <= 0x162 )
   strcpy(UsedMoveName, &MoveNames[13 * *ptrSelectedMoveIndex]);
else
   strcpy(UsedMoveName, ptrGenericTypeMoveStrings[SelectedMoveType]);


..you should easily be able to see, how if the move type is invalid, a pointer from past the end of the array of pointers is used, and strcpy()'d over, classic buffer overflow.

2

Generation IV Glitch Discussion / Re: How to catch glitch Pokémon in D/P(Pl?)

« on: March 15, 2018, 02:21:32 pm »

Reminds me of this, which was the same effect (well, seems so anyway) caused by editing a save file with 0 Pokémon in the party to have partycount=6: https://forums.glitchcity.info/index.php?topic=7168.0

3

Emulation & ROM Hacking / Re: 3DS and 2DS homebrew via 8F in Virtual Console editions?

« on: February 15, 2018, 09:08:04 am »

There are emulator bugs that allow for potential emulator escape

4

Generation II Glitch Discussion / Re: IPS patch for VC Crystal vs. original Crystal?

« on: January 28, 2018, 09:52:32 pm »

The Celebi thing is in the patches. It's just a very specific patch type that has been made specifically for this game, for the VC.

Right, the emulator hooks a function return and modifies SRAM itself (ie, it's done by ARM11 code, not interpreted LR35902 code).

5

Generation II Glitch Discussion / Re: IPS patch for VC Crystal vs. original Crystal?

« on: January 27, 2018, 02:54:09 pm »

I downloaded but it wouldn't let me open the file correctly. Is it possible to post here what the patches are?

Just open the .patch files in your favourite text editor.

6

Generation II Glitch Discussion / Re: IPS patch for VC Crystal vs. original Crystal?

« on: January 27, 2018, 11:05:00 am »

here are all of the Gen II patches from VC Crystal: https://cdn.discordapp.com/attachments/281954166698672128/406856923942748161/CrystalVC_patches.zip

7

Generation II Glitch Discussion / Re: New cloning glitch with Poke Transporter

« on: January 13, 2018, 06:41:23 pm »

https://github.com/pret/pokecrystal/blob/82a05a1752b476caab8951fe03f539dcc1a63669/engine/save.asm#L41

Current box contents are saved to SRAM, then the box number in WRAM is changed and the new box loaded from SRAM.

Interestingly I don't think the box number in SRAM ever gets touched by simply changing boxes.

8

General Discussion / Re: Cool ASCII of my favorite word!

« on: January 13, 2018, 04:07:47 pm »

with a proper monospace font used, it reads "ENIGMA".

9

The Dumpster Out Back / Re: Does anyone have an unused Flipnote Studios 3D code?

« on: January 08, 2018, 02:28:41 pm »

I'm unsure what you're requesting. I have Flipnote Studio 3D on my 3DS if that helps..?

10

Generation I Glitch Discussion / Re: Moving Q: Appears as Map Corruption? Debug Yellow

« on: November 22, 2017, 02:11:26 pm »

the 4-step thing reminds me of the (international) dokokashira door glitch - doesn't it have a similar cause?

11

Pokémon Discussion / Re: Crystal: Unused party sanitisation function

« on: October 03, 2017, 08:32:55 pm »

Pretty sure it is debug code now.

I searched for other places where the string validity check function is called.

It's called in three places. One of those seems to be unused, and all incorporate parts of the checks detailed in the OP.

The unused occurrence and first used occurrence are in Battle Tower code, sanitising Battle Tower Pokémon after they are read. (The unused occurrence seems to have just been dummied out, as it is directly after the used code ends.)

This code sanitises Pokémon nicknames, replaces any OT name with bad characters with "CHRIS" (only one terminator this time), makes sure all nicknames and the OT name are terminated, and sanitises invalid moves in the same way as detailed in the OP (except here, move $00 is never considered invalid).

The unused half of this function replaces invalid Pokémon species ($FD being considered invalid) with Smeargle ($EB). Instead of a simple greater-than-or-equal check, it checks for equality against each invalid species value in turn. Pokémon levels are also checked, but the maximum level instead of being hardcoded is taken from SRAM at 5:B2FB.

The last occurrence is inside mobile-related code. Every single string (nickname, OT, mail, mail author) is checked for invalid bytes and termination (where the terminator is $4E for some reason) within the correct length, by bankswitched calls. If one of these checks fails, the offending string is replaced with a default string by a bankswitched call.

Here's a list of default strings used:
OT name, mail author: "クりス" Chris followed by two terminators
Pokémon nickname: "?????" unterminated(!!!)
Mail text: "こんにちは" "Konnichiwa" Hello followed by one terminator

The default strings are terminated by $50 as usual.

After checking the strings, an "item" at $C60E is checked, if it's $FF it gets replaced by $00. Finally, the exact same level checks as in the OP are performed.

12

Pokémon Discussion / Crystal: Unused party sanitisation function

« on: October 03, 2017, 10:37:50 am »

I was looking in pokecrystal for something unrelated and this caught my eye.

As the filename would have you expect, it's in EN Crystal at $13A47 (4:7A47). (It's in JP Crystal at $13BB3 (4:7BB3)). That's near the end of the bank, located after some Bug-Catching Contest-related stuff, and before a function that uses a lookup table to find square roots. It appears to not be in G/S (and given that it calls a function in a bank related to mobile code, that's not unexpected).

It is completely unreferenced and unused in at least JP and EN Crystal.

Here's what it does:

• If the number of Pokémon in the party is over 6, set it to 6
• The party species bytes are checked. If a byte is an invalid species ($00, $FC, $FE, $FF), change that species byte and the first species byte of that Pokémon structure to Smeargle ($EB).
• For all Pokémon in the party:
  • If the second species byte in the Pokémon structure is invalid ($FD (Egg) is also considered invalid here), change it to Smeargle.
  • If the Pokémon's level is below 2, set it to 2; if it is over 100, set it to 100. Recalculate the Pokémon's stats, no matter whether or not the level was modified.
  • If the Pokémon's nickname is unterminated after 6 bytes, terminate it by setting the 6th byte to $50; if the nickname has any invalid characters (defined here as anything that is not $00, $05 - $13, $19 - $1C, $26 - $34, $3A - $3E, $40 - $48, $60 - $FF; a function in a bank related to mobile functionality is called to do this), set it to the Pokémon species name (if the Pokémon is an Egg, then set it to "タマゴ" ("Tamago"/Egg) followed by 50 50 50 instead)
  • If the Pokémon's Original Trainer name is unterminated after 6 bytes, terminate it by setting the 6th byte to $50; if it has any invalid characters, set it to the player's name
  • If the Pokémon has an invalid move in slot 1 ($00, $FC, $FD, $FE, $FF), replace it with Pound. If there is an invalid move in slot 2, 3, or 4, delete all moves starting from that slot(!!!).

Note that this code is only half localised in non-JP - it assumes nicknames and OT names are 6 bytes long, the list of characters considered valid assumes a Japanese game, and if an Egg's nickname contains invalid characters, it gets set to "タマゴ"; however, when removing a Pokémon's nickname, or changing its OT name, it copies the correct number of bytes for the localisation.

Given that this calls a function in a mobile-related bank, this function may have been intended to have been used to force the legitimacy of party Pokémon when using mobile-related features. Of course, it may have just been debug code.

13

Generation II Glitch Discussion / Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

« on: October 01, 2017, 03:16:23 pm »

Might as well just sticky this now.

14

Generation II Glitch Discussion / Re: Pokémon Gold/Silver Virtual Console glitch confirmation

« on: September 24, 2017, 04:01:02 pm »

According to the disassembly, it can not (the Time Capsule exploit only bypasses the species check).

15

Generation II Glitch Discussion / Re: Pokémon Gold/Silver Virtual Console glitch confirmation

« on: September 21, 2017, 12:32:26 pm »

Here's a mirror: https://cdn.discordapp.com/attachments/229019211366793216/360481979357200394/GSCpatches.7z