

Topics - Crystal_

1
OVERVIEW / EXPLANATION (for requirements and steps see the third post in this thread)

Step by step video (with updated and organized information in comparison to the third post): https://www.youtube.com/watch?v=b2tVVeZ7Th4

I've tested this in an English Silver ROM and a Spanish Gold ROM and, given that the essential elements and key memory addresses were the same in both games, I assumed that it would also be the same in all other localizations. However, further testing, and of course a lot of polishing, would be required. The English versions don't need ACE since we already have Coin Case, so the goal was to find a method compatible with all other localizations.

First we need a 0xFF Pokemon in order to be able to draw Pokemon beyond the sixth slot. I'm not going to get into the details of how to achieve it.

When the 30th Pokemon is withdrawn to the party, it corrupts addresses between DF9A and DFB9. In particular, when the Pokemon's data is being copied from SRAM to those WRAM addresses, the stack pointer is at DFB3, and the 3rd and 4th PP slots of the Pokemon are copied to DFB3 and DFB4, respectively. Returning from the memory copy routine will bring the game to whatever stack pointer was spelled out by those two PP fields. Using PP ups, we can come up with any given address that we want, for example one that points to somewhere in the box names buffer.

Of course, after doing this, the stack is absolutely destroyed and there is no realistic hope of restoring it to anything playable. We can still do something though. We can hack ourselves a TM into the medicine bag pocket in SRAM that we can utilize later. This may look way too complicated but it doesn't necessarily have to be. First of all, SRAM bank 1 is already opened right now. We only have to overwrite A420 (medicine pocket item 1) with the ID of the desired TM and fix the checksum at AD69-AD6A. If we set a fixed item #1 as an initial requirement (e.g. a Berry), we can calculate the necessary checksum shift. If the IDs are relatively close, we might even be able to skip checking the checksum's high byte to simplify the needed script and hope the low byte doesn't overflow (literally anything we do will change the checksum upon saving anyway, so we can just try again until it works). Finally, we can trigger a safe reset or freeze, and upon restarting the game, we will have our TM in the medicine pocket. Note that the SRAM addresses mentioned here refer to Spanish Gold/Silver; they may be different in other localizations.

Now it's supposed to be similar to coin case ACE in concept. We find a TM that jumps to a suitable place in WRAM (I think ACE with TM33 transferred from Red/Blue has been done already), and when we have it, we create some bootstrap code that for example redirects execution to box names or PC items.

These are the TM pointers in Spanish G/S:

Code:
14FE - TM01
15CD
CA31
77F6
EAAF - TM04_X
D14F
02FA
FED0
C4B1
6E1E
9921 - TM10
CBD1
21A6
7857
5ECD
FA0F
D114
FA47
D119
03FE
20CA - TM20
FA6A
D002
01FE
20CA
FA6A
D002
214F
6C73
FE2A - TM28_X
28FF
B90F - TM30
0428
2323
F418
662A
116F
698A
E9D5
02FA
FED0
789F - TM40
12CA
786A
B8E0
FF21
46D0
4E23
5623
5E23
21CB
10CB - TM50

Again, this obviously still needs a lot of polishing and coming up with bootstrap codes, as well as adapting it to each other localization, each of which may have different SRAM addresses and different wrong-pocket TM pointers, as well as a different set of assembly instructions that can be spelled out with box names. So far I haven't bothered to check beyond the English and Spanish versions, but the 3rd and 4th move PP of the 30th Pokemon being written to the stack pointer (DFB3-DFB4) matched in both versions, so I assume it would also be the same in the other localizations. The other factors don't seem essential unless we're really unlucky with TM pointers.
2
During the past 2 weeks I picked up my Game Boy Advance SP and my Spanish Pokemon Crystal cart and was determined to do something cool with them, now that we know so much about how to exploit ACE in these games. So I thought I'd pick up the code of my Snake program that I once implemented in Pokemon Silver using an emulator and port it to Spanish Crystal. Obviously, doing this stuff on real hardware isn't the same story, since you can't memory hack your way into whatever you want to achieve, so I had to come up with more efficient ways to do different things.

So yeah, if you want to see how I did it, just follow this link! It includes a demonstration video and covers the whole process in a lot of detail. The end will seem familiar, since it's mostly what TheZZAZZGlitch did in order to implement Pong in Pokemon Blue. It was a bit harder considering that ACE in Gen 2 isn't as accessible, though.

Or if you prefer, here's just the video with a lighter explanation:

https://www.youtube.com/watch?v=g2mCyh7Y2xM
3
This is a compilation of all Pokemon Red/Blue UE errors, bugs, and glitches (whichever term you prefer to use, but I believe error is the more generic one to describe all of them) that I know of. This list does not cover all the possible side effects or exploits of a given glitch, just the programming or design error that causes it. In other words, instead of covering all the possible outcomes of playing in a game state that wasn't intended (8F ACE, MissingNo. HoF corruption, WTW from exiting Safari Zone...), the error that makes it possible to reach the unintended state is what you will see listed here. In addition, I also left out errors or oversights that have no relevance to normal gameplay (i.e. they don't show up at all, or not without the abuse of another glitch, like the BCD addition oversight famous due to the ZZAZZ glitch or this one: https://hax.iimarck.us/topic/5519/), and also those that are so insignificant that they have effectively no relevance (e.g. NPCs having a 1/128 chance of having a movement delay of 255 due to underflow).

Below each error you will see an Evidence field and an Error/Cause field. The former includes a link to a video or picture showing the glitch, provided I was able to find one, while the latter includes a link to the code that causes the error in the pokered disassembly if applicable, or otherwise a very simple explanation. I left this field empty for the glitches that I'm not very familiar with.

Feel free to suggest any glitches that I may have missed (as long as they follow what I said in the first paragraph) or to suggest what I can add or link to in order to complete any missing field.

P.S. The fact that there are exactly 100 glitches is just a coincidence.


A. MOVES, EFFECTS, STATS, AND STATUS CONDITIONS

1. Counter is able to bounce back damage from a previous turn, a non-active Pokemon, and a previous battle
      Evidence -
      Error/Cause - Last attack damage is not always cleared between turns/battles or after switching
2. Counter is able to bounce back your own damage
      Evidence -
      Error/Cause - The RAM address where the damage is stored is shared by both participants
3. Counter desynchronization error in a Link Battle due to selected move mismatch
      Evidence - https://www.youtube.com/watch?v=ftTalHMjPRY
      Error/Cause - Just hovering the cursor over a move in the selection menu marks the move as selected
4. A Pokemon that needs to recharge from Hyper Beam is always affected by a sleep inducing move
      Evidence - https://www.youtube.com/watch?v=x2AgAdQwyGI
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L7241-L7247
5. Crash damage of Jump Kick and Hi Jump Kick is always 1 damage
      Evidence -
      Error/Cause - Damage is zeroed after a move misses
6. Self-confusion damage and crash damage target the foe's Substitute if attacker is behind Substitute
      Evidence - https://www.youtube.com/watch?v=jw24URgBi5o
      Error/Cause - The momentary turn swap during these effects is not accounted for when a Substitute is up
7. Psywave desynchronization error in a Link Battle due to difference in damage range of player and enemy side
      Evidence - https://www.youtube.com/watch?v=5KmTCdnWzVI
      Error/Cause - Player's Psywave minimum damage is 1, while enemy's is 0
8. HP-draining moves don't fail against Substitute as intended
      Evidence - https://www.youtube.com/watch?v=eToUF3paDtU
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L5462-L5469
9. Healing move fails when user has 255 or 511 HP
      Evidence - https://www.youtube.com/watch?v=sqkBby1HlmY
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/moveEffects/heal_effect.asm#L13-L20
10. Permanent invulnerability due to full paralysis or self-confusion while using Dig or Fly
      Evidence - https://www.youtube.com/watch?v=bNzDmXbZ7kY
      Error/Cause - Charging up condition is removed after full paralysis/self confusion, but invulnerability isn't
11. Reflect and Light Screen stat overflow and potential game freeze
      Evidence - https://www.youtube.com/watch?v=fVtO_DKxIsI
      Error/Cause - The temporary stat boost provided by Reflect/Light Screen isn't capped at 999
12. Attack and Speed stat ups override Burn and Paralysis penalties respectively
      Evidence -
      Error/Cause - The stat is recalculated ignoring anything other than stat modifiers
13. Paralysis, Burn, and badge boost stat changes are reapplied after stat modifications
      Evidence - https://www.youtube.com/watch?v=GlhsYKeUt-w
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L7699-L7706
14. Rest doesn't clear Paralysis and Burn stat penalties or the Bad Poison condition
      Evidence - https://www.youtube.com/watch?v=4LpWNnfk6tA
      Error/Cause - Rest only removes the non-volatile status condition
15. Toxic and Leech Seed damage stacking
      Evidence - https://www.youtube.com/watch?v=bNjEFgsIIIY
      Error/Cause - Leech Seed is affected by and counts towards the Bad Poison ticks counter
16. Stat scaling with defending stat lower than 4 leads to game freeze
      Evidence - https://www.youtube.com/watch?v=V6iUlyS8GMU
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L4322-L4334
17. Rage, Thrash, and Petal Dance accuracy decreases progressively when used with negative Accuracy/Evasion ratio
      Evidence - https://www.youtube.com/watch?v=NC5gbJeExbs
      Error/Cause - The accuracy value of these moves is not reloaded every turn
18. Bide and Swift are able to hit a target in the invulnerable turn of Dig or Fly
      Evidence - https://www.youtube.com/watch?v=C6Hkos4vdsU&t=4m3s
      Error/Cause - Swift and Bide ignore all kind of hit tests
19. Bide is able to accumulate damage from a previous turn, a non-active Pokemon, and a previous battle
      Evidence - https://www.youtube.com/watch?v=IVxHGyNDW4g
      Error/Cause - Last attack damage is not always cleared between turns/battles or after switching (also A.1.)
20. Player side Bide accumulated damage isn't correctly zeroed on enemy faint, also may lead to desynchronization
      Evidence - https://www.youtube.com/watch?v=IVxHGyNDW4g&t=1m7s
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L837-L847
21. The Critical Hit rate with Focus Energy or Dire Hit is swapped with the regular Critical Hit rate
      Evidence -
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L4709-L4719
22. Automatic Hyper Beam use instead of recharging after an opposing side miss with a partial-trapping move
      Evidence - https://www.youtube.com/watch?v=I8AzgGoJbTs (in Yellow, but applies to Red/Blue)
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L8311-L8312
23. Partial-trapping moves' PP is able to underflow if last PP is used as other side switches Pokemon
      Evidence - https://www.youtube.com/watch?v=I8AzgGoJbTs&t=2m28s (in Yellow, but applies to Red/Blue)
      Error/Cause - A switch causes the partial-trapping move to restart and use PP, even if no PP left
24. Partial-trapping move and Mirror Move desynchronization error due to mismatch on move used
      Evidence - https://www.youtube.com/watch?v=E9GRg9xxZqk
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L447-L456
25. Combination of Haze, Sleep or Freeze status, and multi-turn move being able to make user unable to attack
      Evidence - https://www.youtube.com/watch?v=gXQlct-DvVg
      Error/Cause - Combination of events
26. Combination of partial-trapping move, Sleep status, and item use being able to make user unable to attack
      Evidence - https://www.youtube.com/watch?v=fQF5Z5znLnc
      Error/Cause - Combination of events
27. Quick Attack and Counter carry their priority over if no move is selected in the following turn or turns
      Evidence - https://www.youtube.com/watch?v=pvk_8yTyscU
      Error/Cause - Selected move remains Quick Attack or Counter until another is selected
28. Leech Seed always heals 1/8 of target's Max. HP, even if current HP is lower
      Evidence -
      Error/Cause - The HP damage stored isn't updated with the target's remaining HP
29. Leech Seed animation, damage and heal effect are applied if target fainted this turn due to Poison or Burn
      Evidence -
      Error/Cause - The Pokemon having fainted is tested prior to applying the Leech Seed effect
30. Mimic is able to copy a move already known by user, leading to duplicate moves
      Evidence -
      Error/Cause - There is no check for the move learned being already known
31. Special damaging moves are able to critically hit
      Evidence -
      Error/Cause - Any move that deals damage, even if fixed, triggers the critical hit check
32. 100% accurate moves have a 1/256 chance of missing
      Evidence -
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L5525-L5539
33. Automatic move use after thawing and potential desynchronization error in link battle
      Evidence - https://www.youtube.com/watch?v=iSSf4XaqGAU
      Error/Cause - Selected move is carried over while frozen and used automatically when defrosted
34. Substitute auto-faint when used with exactly 25% HP
      Evidence - https://www.youtube.com/watch?v=eyujkiNOVyg
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/moveEffects/substitute_effect.asm#L32-L43
35. Weak enough 0.25x effective attacks always missing due to dealing 0 damage
      Evidence - https://www.youtube.com/watch?v=fxNzPeLlPTU
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L5381-L5387
36. Breaking a Substitute terminates the secondary effects of most damaging moves
      Evidence - https://www.youtube.com/watch?v=lr05doU5oAQ
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L5106-L5112


B. OTHER BATTLE ENGINE

1. A transformed Pokemon is able to switch around temporal moves with consequence in actual moveset
      Evidence - https://www.youtube.com/watch?v=GIPAc2R43dg
      Error/Cause - Active Pokemon moves are considered rather than corresponding party Pokemon moves
2. A transformed Pokemon caught becomes Ditto, even if Transform was used due to Mirror Move
      Evidence - https://www.youtube.com/watch?v=zHHz-wQ1qFk (DE version but applies to UE)
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/items/items.asm#L470-L477
3. A transformed or Mimic-affected Pokemon gets back original moves after learning a new move
      Evidence -
      Error/Cause - All moves are reloaded from party data after learning a new move
4. Permanently changing a Pokemon's DVs with Transform use in both sides
      Evidence - https://www.youtube.com/watch?v=8Lb5pq0y6h8
      Error/Cause - The original DVs of a transformed Pokemon are stored in the same place for both participants
5. Ether and Elixer don't account for Transform or Mimic moveset changes
      Evidence - https://www.youtube.com/watch?v=l4Scz6Etg_c
      Error/Cause - Max PP of moves in party data rather than in active Pokemon data is considered
6. Ether and Elixer not detected as having no effect on moves with PP Ups
      Evidence - https://www.youtube.com/watch?v=pScBCRb9j58
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/items/items.asm#L2124-L2131
7. Exp. All provides less overall experience if 2 or more Pokemon took part in the battle
      Evidence -
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L913-L923
8. Item evolutions being triggered by Pokemon with matching IDs battling last
      Evidence - https://www.youtube.com/watch?v=C3H-zaU6GPs
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/evos_moves.asm#L95-L100
9. Level up moves not learned when a Pokemon grows by 2 or more levels at once
      Evidence - https://www.youtube.com/watch?v=Fvn7xHxb6BU
      Error/Cause - Only the resulting level after exp. gain is accounted for when learning level up moves
10. AI chooses action following a player switch or a player item use
      Evidence -
      Error/Cause - Battle logic design oversight
11. AI switches and AI item uses don't have turn priority
      Evidence -
      Error/Cause - Battle logic design oversight (similar to B.11.)
12. Blaine may use a Super Potion with his Pokemon at full health
      Evidence - https://www.youtube.com/watch?v=nrkI6U3WOFk
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/trainer_ai.asm#L483-L486
13. Forgetting multi-turn move and still continue using it
      Evidence -
      Error/Cause - Multi-turn move not terminated after being forgotten
14. Forgetting a disabled move and not being able to use the learned move until Disable wears off
      Evidence -
      Error/Cause - Disable condition is not cleared after forgetting the disabled move
15. Struggle isn't automatically used if a move is disabled and the remaining moves have PP Ups and no PP left
      Evidence - https://www.youtube.com/watch?v=1v9x4SgMggs (in G/S/C, but applies to Red/Blue)
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L2816-L2827

C. OVERWORLD SPRITES AND MOVEMENT

1. Movement ranges or movement cap of NPCs is broken
      Evidence - https://www.youtube.com/watch?v=9E1nAHmd380&t=2m42s
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/overworld/movement.asm#L635-L659
2. NPCs appearing misplaced if some kind of trigger occurs when loaded into the screen for the first time
      Evidence - https://www.youtube.com/watch?v=VOgVwNjTps4
      Error/Cause - Not enough time to set NPC to intended screen position
3. Able to press the Start button as long range trainer engages you
      Evidence - https://www.youtube.com/watch?v=1EDAyuWOriQ
      Error/Cause -
4. Trainers able to engage you when a wild encounter occurs
      Evidence - https://www.youtube.com/watch?v=r-aWS--eVec&t=3m12s
      Error/Cause -
5. Sprite corruption in Oak's Lab
      Evidence - https://www.youtube.com/watch?v=I_JjAIvG9zA
      Error/Cause - 11 sprites may appear at once, and are treated as a total of 26
6. NPCs able to move into doors and stairs
      Evidence - https://www.youtube.com/watch?v=EuD_Q8MhhxE
      Error/Cause - Doors and stairs aren't treated as collision for NPCs
7. Able to land on NPC after jumping a ledge
      Evidence - https://www.youtube.com/watch?v=ztlm3AuPBBI
      Error/Cause - No special collision check following a ledge tile
8. NPCs showing above text boxes
      Evidence - https://www.youtube.com/watch?v=Y8T7E_CsStY&t=3m49s
      Error/Cause - NPC not hidden until movement is fully finished
9. NPCs moving to adjacent maps and disappearing consequently
      Evidence -
      Error/Cause - Consequence of C.1. if movement cap was intended, else no collision check on map boundaries
10. Strength boulder animation changes direction if you move during it
      Evidence - https://www.youtube.com/watch?v=Y8T7E_CsStY
      Error/Cause -
11. Walk through NPC in Oak's Pallet Town scripted movement
      Evidence -
      Error/Cause - NPCs and walls not dodged during scripted movement, or consequence of C.1.
12. Collision with NPC at the top of Pallet Town during the Oak's scripted movement breaking it
      Evidence - http://pages.citebite.com/y5h5m2y4f8mox
      Error/Cause - Collisions checked during last step of scripted movement, or consequence of C.1.
13. Collision with NPC during the Cinnabar Gym closed door script
      Evidence - https://www.youtube.com/watch?v=m1mVu8XW4WI
      Error/Cause -
14. Surf to wrong direction after saving and resetting
      Evidence - http://www.youtube.com/watch?v=W_aI_AVwJMQ
      Error/Cause -
15. Able to override Cycling Road gate script and enter Cycling Road without a bike
      Evidence - https://www.youtube.com/watch?v=OCyYJHf-apw
      Error/Cause -
16. Able to override Pewter City-Route 3 script and skip Pewter Gym
      Evidence - http://www.youtube.com/watch?v=IL3dt06QpgI
      Error/Cause -
17. Lift Key may be dropped in the same tile as you are
      Evidence - http://www.youtube.com/watch?v=ykjE6rKWSug
      Error/Cause - No different Lift Key placement depending on the player's position
18. Player sprite corruption during Escape Rope animation
      Evidence - https://www.youtube.com/watch?v=2gD3c954DRg
      Error/Cause -

D. GRAPHICS

1. Mapping errors due to border block mismatch between adjacent maps
      Evidence - http://pages.citebite.com/s5i5y2y4m7pex (there are more similar errors)
      Error/Cause - Adjacent maps with boundaries visible from each other not using the same border block
2. Cutting a tall grass block and leaving the map while block still visible
      Evidence -
      Error/Cause - Able to enter a new map while grass block position still visible
3. Invisible Cut tree in Route 14
      Evidence - https://www.youtube.com/watch?v=dq1D1KT0mks&t=16m15s
      Error/Cause - Able to enter a new map while tree position still visible (also D.2.)
4. Invisible PC in Celadon Hotel
      Evidence - https://www.youtube.com/watch?v=TeSJSJs2-VI
      Error/Cause - Celadon Hotel uses Pokemon Center tileset, which has a PC programmed
5. Saving and restarting on a Cut tree.
      Evidence - https://www.youtube.com/watch?v=dq1D1KT0mks&t=15m16s
      Error/Cause - Cut tree is drawn if player continues game in a tile where a cut tree is programmed
6. Unfinished mountain in Nugget Bridge and Bill House
      Evidence -
      Error/Cause - Mountain tile border block is visible near water or trees (similar to D.1.)
7. Viewing status screen against a Ghost reveals its sprite
      Evidence - http://www.youtube.com/watch?v=UMIowBT4Fck
      Error/Cause - Enemy's actual sprite is reloaded even if Pokemon is Ghost
8. Minimize and Substitute sprite possibly reloaded in wrong side after viewing status screen
      Evidence - https://www.youtube.com/watch?v=RF-ZaKZKSFw
      Error/Cause - Sprite is reloaded based on whose turn it is, which is undefined during move selection
9. Bottom right tile of user sprite blanked during Softboiled animation
      Evidence - https://www.youtube.com/watch?v=Q-qpneajGEA
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/animations.asm#L1948-L1957
10. Top three lines of screen not animated during Psywave, Psychic and Night Shade animation
      Evidence - https://www.youtube.com/watch?v=purUT9X9bhY
      Error/Cause - Top lines not updated due to game still executing v-blank interrupt handler

E. AUDIO AND TEXT

1. Wild battle victory theme played during a blackout after a draw
      Evidence - https://www.youtube.com/watch?v=HDWoG2BCGbU
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/core.asm#L882-L892
2. Evolving Pokemon after battle against Champion Blue mutes the music
      Evidence - http://www.youtube.com/watch?v=KxMstD8iWNM
      Error/Cause -
3. Fall through hole in Victory Road while on the bicycle and bicycle theme is still played
      Evidence - https://www.youtube.com/watch?v=N87X9DE5-zk
      Error/Cause -
4. Wrong sound effects played after winning a Gym badge
      Evidence - https://www.youtube.com/watch?v=Y8T7E_CsStY&t=2m21s
      Error/Cause - Different sound effects used for each badge and wrong sound ROM bank loaded
5. Nidorino in introduction plays Nidorina's cry
      Evidence -
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/home/text.asm#L629
6. Dual-type effectiveness wrong text and sound
      Evidence - http://www.youtube.com/watch?v=yP6EhW2r57A
      Error/Cause - Effectiveness of second type matchup pair overwrites result of first pair
7. Overworld text errors during translation
      Evidence - http://pages.citebite.com/q5p5k2t4q9lfm (there are more similar errors)
      Error/Cause - Translation oversights
8. Using HM on a Pokemon says it's a TM
      Evidence - http://pages.citebite.com/y5d5f2x5d0vak
      Error/Cause - Both make use of the same text, which displays the word TM
9. Text delay deactivation in Bill's PC and Bike Shop
      Evidence - https://www.youtube.com/watch?v=dif2rP1hX8Y
      Error/Cause - Text delay not turned back on properly

F. DESIGN AND OTHER OVERSIGHTS

1. Use Pokedoll on Ghost Marowak to bypass it
      Evidence - https://www.youtube.com/watch?v=nM3HtpoOSlo
      Error/Cause -
2. Can deposit all but fainted Pokemon on PC
      Evidence - https://www.youtube.com/watch?v=6BrwUwn_wVg
      Error/Cause - Design oversight
3. Mismatch on wild encounters of shore blocks
      Evidence - https://www.youtube.com/watch?v=X078R9ujll0&t=3m2s
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/battle/wild_encounters.asm#L64-L73
4. Able to surf or fish on statues
      Evidence - http://www.youtube.com/watch?v=BgcDXeDaw0M
      Error/Cause -
5. Last item of bag or PC with quantity of 99
      Evidence - https://www.youtube.com/watch?v=OXzQ9rEEa0g
      Error/Cause -
6. Able to get stuck in certain trainer battles while using Rage
      Evidence - https://www.youtube.com/watch?v=Hfwm4ov_ZKc
      Error/Cause - Design oversight
7. Blacking out in Cable Club due to Poison
      Evidence - https://www.youtube.com/watch?v=JgVUZPTt21E
      Error/Cause - Design oversight
8. Wrong requirement balance for Fresh Water and Soda Pop in the vending machine
      Evidence - https://www.youtube.com/watch?v=kfwBgX1tVWQ
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/menu/vending_machine.asm#L39-L45
9. Saving game in an elevator doesn't preserve the floor number
      Evidence - https://www.youtube.com/watch?v=Y8T7E_CsStY&t=4m23s
      Error/Cause -
10. Vermilion Gym trash cans
      Evidence - https://www.youtube.com/watch?v=dyFA3gZMxrs
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/hidden_object_functions17.asm#L356-L373
11. Slot machine seven symbol odds in wheel 1 while spinning in 7/Bar mode
      Evidence -
      Error/Cause - https://github.com/pret/pokered/blob/d1162fec/engine/slot_machine.asm#L300-L310
12. Starting new game while in the Cycling Road
      Evidence - https://www.youtube.com/watch?v=YXa96wnSIOQ
      Error/Cause -
13. Can get trapped in Cinnabar Mansion
      Evidence - https://www.youtube.com/watch?v=c2pMRPeFDv8
      Error/Cause - Design oversight
14. Able to walk into a rock in Cerulean Cave after going through stairs
      Evidence - https://www.youtube.com/watch?v=OowDwRNyCK4
      Error/Cause -
15. Able to continue a Safari game outside the Safari Zone
      Evidence - https://www.youtube.com/watch?v=heLcmF29E5o
      Error/Cause - Safari Zone entrance script number backup not preserved on save
4
So I've been looking into this glitch...
https://www.youtube.com/watch?v=I_JjAIvG9zA

The thing is, there are a total of 11 sprites in Oak's Lab before getting your first Pokemon: 2 Pokedexes, Oak, Blue, 3 Pokeballs, a lady, 2 scientists, and yourself. That's one more than the number allowed to be displayed at once, as the OAM buffer can only hold data for 40 objects (fe00-fe9f) and each sprite is made of 4.

There is a 10-half-block vertical separation between the two dexes and the two scientists though, meaning they should never be all displayed at once, EXCEPT when you are four half-blocks above the scientists and walk up, or when you are four half-blocks below the dexes and walk down. In these cases, parts of all four sprites are on screen as the background map scrolls during your movement.

The issue comes from the clear unused OAM routine: https://github.com/pret/pokered/blob/2b2c6fe/engine/overworld/oam.asm#L147
If there are 11 sprites, hOAMBufferOffset is going to end up becoming $b0 given that PrepareOAMData is taking care of what would be a total of 44 objects ($00 to $af). Normally, it should be multiples of $10 from $00 through $a0. The game would then attempt to clear unused OAM data starting from what should be the last sprite in use, indicated by hOAMBufferOffset. If there are, say, 6 sprites on screen, every four bytes from $c360 to $c3a0 are set to $a0 in order to make all those sprites invisible in the wram sprite buffer (y coordinate of $a0 is just below the screen). If there are 11 sprites, however, every four bytes from $c3b0 through $c4a0 are going to become corrupted with $a0 because the game won't stop until the lower byte of the address equals $a0 (supposed to be the address of the last sprite when preceded by $c3). With the tilemap starting at $c3a0, this leads to the screen getting corrupted with character "a" every four tiles.

Most of the time, however, the scientists are already invisible by the time the Pokedexes show up, so there are never more than 9 sprites overlapping. But that's not always the case, given that the glitch pops up every once in a while, which leaves me wondering: what is the timing factor that leads to the Pokedex sprites appearing while the scientists are still considered to be visible?

Anyway, after that, some sprites seemingly at random became invisible, leaving only a total of five on screen, but I haven't really looked beyond that. So yeah, has anyone been able to figure out more than me about this mysterious glitch?

EDIT: Figured out why the sprites disappear. If they are above one of the corrupted tiles, the tile will have a value higher than $60 (because they were corrupted with $a0), so the game thinks they are hidden by a text box: https://github.com/pret/pokered/blob/master/engine/overworld/movement.asm#L508
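As an added illustration of the overrun described in this post (my own Python model, not pokered's or the game's code), the following reproduces the "clear unused OAM" loop's termination test, which only compares the low byte of the pointer against $a0, and shows why an 11th sprite sends the $a0 writes past the sprite buffer into the tilemap. Addresses are the ones the post gives (sprite buffer $c300-$c39f, tilemap from $c3a0); the function names and the two fixes shown are this example's own.

```python
"""Model of the Oak's Lab sprite overflow from the post above (added example)."""

OAM_BUFFER_START = 0xC300
OAM_BUFFER_END = 0xC3A0                # exclusive; the tilemap begins right here
TILEMAP_START = 0xC3A0
TILEMAP_END = TILEMAP_START + 20 * 18  # one 20x18 screen of tiles, up to $C508
MAX_SPRITES = 10                       # 40 OAM objects / 4 objects per sprite
BYTES_PER_SPRITE = 4 * 4               # 4 objects x 4 bytes: offset grows by $10 per sprite
HIDDEN_Y = 0xA0                        # y = $A0 is below the screen, so the object is invisible
TILE_A = 0xA0                          # tile $A0 is the character "a" that shows up on screen
TEXTBOX_TILE = 0x60                    # tiles above this value are taken to be text-box tiles


def oam_buffer_offset(sprite_count, clamp=False):
    """Value of hOAMBufferOffset after every sprite has been prepared.

    The original never checks sprite_count against MAX_SPRITES, so 11
    sprites give $B0, one sprite past the end of the buffer. clamp=True
    caps the count first (one possible fix).
    """
    if clamp:
        sprite_count = min(sprite_count, MAX_SPRITES)
    return sprite_count * BYTES_PER_SPRITE


def clear_unused_oam(mem, offset, bounded=False):
    """Write HIDDEN_Y to the y byte of each 4-byte object from offset onwards.

    Original behaviour: stop when the LOW byte of hl equals $A0, which is
    only a valid end test while hl is still inside the $C3xx page. With
    bounded=True the loop stops as soon as hl reaches OAM_BUFFER_END
    (a 16-bit compare). Returns the list of addresses written.
    """
    hl = OAM_BUFFER_START + offset
    written = []
    while True:
        if bounded:
            if hl >= OAM_BUFFER_END:
                break
        elif (hl & 0xFF) == (OAM_BUFFER_END & 0xFF):  # the 'cp l' test
            break
        mem[hl] = HIDDEN_Y
        written.append(hl)
        hl = (hl + 4) & 0xFFFF                        # 16-bit 'add hl, de'
    return written


def corrupted_tiles(mem):
    """Tilemap indexes that now hold TILE_A (the stray "a" characters)."""
    return [i for i, addr in enumerate(range(TILEMAP_START, TILEMAP_END))
            if mem[addr] == TILE_A]


def sprite_hidden(mem, tile_addr):
    """The check from the post's EDIT: a tile above $60 is treated as a
    text box, so a sprite standing on a corrupted tile is hidden."""
    return mem[tile_addr] > TEXTBOX_TILE


def simulate(sprite_count, fixed=False):
    """One clearing pass on blank WRAM (constructed input).

    Returns (writes inside the OAM buffer, writes inside the tilemap,
    number of tiles turned into "a"). fixed=True applies both fixes.
    """
    mem = bytearray(0x10000)          # blank, so tile 0 means untouched
    offset = oam_buffer_offset(sprite_count, clamp=fixed)
    written = clear_unused_oam(mem, offset, bounded=fixed)
    oam_writes = sum(OAM_BUFFER_START <= a < OAM_BUFFER_END for a in written)
    tile_writes = sum(TILEMAP_START <= a < TILEMAP_END for a in written)
    return oam_writes, tile_writes, len(corrupted_tiles(mem))


if __name__ == "__main__":
    for n in (6, 10, 11):
        print(n, "sprites:", simulate(n), "with fixes:", simulate(n, fixed=True))
```

With 6 sprites the pass clears the 16 unused objects and stops at $c3a0; with 11 it never touches the buffer at all and instead writes $a0 to 60 tilemap bytes, every fourth tile from index 16 on.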
5
Basically, out of unrelated data, hex 00's move effect turns out to be 0x74, which essentially makes its move effect pointer point to D928. The cooltrainer move will execute its move effect function at the end of the ExecuteMove routine, and only if the target isn't fainted. Since cooltrainer has a glitch move effect, it's not present in any of the special move effect arrays and thus falls into the last call to the move effect handling function, where all the move effects that have not been handled yet are supposed to be taken care of.

D928 is exactly the start of the enemy party Pokemon data. It's not the best place to end up at, but it's still RAM nonetheless.



After spending some time considering all the options, this is the best I could come up with:

Code:
add hl, hl
nop
jp [hl]

Which corresponds to Machoke with 233 current HP in the fourth position of the last fought opponent. This already makes access to the cable club with another player/game a necessity.

This makes us jump to D250, which is the move 2 of the sixth party Pokemon. It's more manageable but we still need to find a way to reach bag items, ideally. I came up with the following setup to reach D31E (item 1):

Party Pokemon #6: (Golbat)
- Hyper Beam as 2nd move
- Supersonic as 3rd move
- Leech Life as 4th move

which is:

Code:
ccf
jr nc, $8d

hl overflowed in the last add hl, hl instruction, so we will be jumping to F1E0 here, which is the move 1 PP of party Pokemon #3.

And then:

Party Pokemon #3:
- PP of move 1: C3 (3 PP, 3 PP ups)
- PP of move 2: 1E (30 PP, 0 PP ups)
- PP of move 3: D3 (19 PP, 3 PP ups)

Or jp D31E, which means that we finally made it to the item 1 of our bag.

Given how easy it is to get a Ditto to learn cooltrainer, I was hoping that this could make a decent alternative to ACE with 8F, as this item is not particularly easy to obtain. However, this also has many inconveniences.

- Need to have someone else with a very high level Machoke (around 80) to battle with
- Need 6 PP Ups
- Need a lot of coins to buy Hyper Beam

What's more, in order to keep the opponent's party Pokemon in RAM we must perform the cable club escape glitch, or else the data will be gone when we reset. Sure, the first thing we could do with ACE is clear the flag that makes the game think we are in the cable club (is it wLinkState? I'm too lazy to properly check right now) so we can actually save and end all the other side effects. But this inconvenience basically turned it off for me compared to 8F.

Also to note are the well-known corrupting side effects of the cooltrainer move, as well as the fact that cooltrainer ACE won't be as versatile as 8F since we can only use it during battle. I thought at first that cooltrainer ACE might make a decent alternative to hack yourself 8F, but all the flaws considered, it definitely doesn't appear to be the case.

The ACE exploit is there though, in case someone can come up with a better bootstrap code.

EDIT: Made a typo, it's not D929, but D928. Fixed the screenshot too.
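As an added illustration (not the post's own code), here is a Python trace of the three bootstrap stages described above. It assumes hl holds 0xF928 (the move effect address) when add hl, hl runs, which is the value that overflows to the F250 target the post gives; only the handful of instructions involved are modelled.

```python
# Added example: trace the cooltrainer ACE bootstrap chain on a tiny model
# of the Game Boy CPU. Assumption (inferred, not stated outright in the post):
# hl = 0xF928 when "add hl, hl" executes, so doubling overflows 16 bits to
# 0xF250 with the carry flag set.

MASK16 = 0xFFFF

def add_hl_hl(hl):
    """ADD HL,HL: 16-bit doubling; carry set when bit 16 overflows."""
    full = hl * 2
    return full & MASK16, 1 if full > MASK16 else 0

def jr_target(pc_after, disp):
    """JR: target = address of the next instruction + signed 8-bit displacement."""
    if disp & 0x80:
        disp -= 0x100
    return (pc_after + disp) & MASK16

def pp_byte(pp, pp_ups):
    """Gen I PP byte: bits 7-6 = PP Ups used (0-3), bits 5-0 = current PP."""
    assert 0 <= pp <= 63 and 0 <= pp_ups <= 3
    return (pp_ups << 6) | pp

def decode_pp(b):
    """Inverse of pp_byte: (current PP, PP Ups used)."""
    return b & 0x3F, b >> 6

# Constructed byte layouts taken from the setup the post describes.
ENEMY_MON4 = bytes([0x29, 0x00, 0xE9])    # Machoke, 233 HP: add hl,hl ; nop ; jp hl
PARTY6_MOVES = bytes([0x3F, 0x30, 0x8D])  # Hyper Beam, Supersonic, Leech Life
PARTY3_PP = bytes([pp_byte(3, 3), pp_byte(30, 0), pp_byte(19, 3)])  # C3 1E D3

def trace_bootstrap(hl=0xF928):
    """Return the addresses control flow reaches, stage by stage."""
    path = []
    # Stage 1 at 0xF928: add hl,hl ; nop ; jp hl
    hl, carry = add_hl_hl(hl)
    path.append(hl)                                   # jp hl -> 0xF250
    # Stage 2 at 0xF250: ccf ; jr nc, $8d
    carry ^= 1                                        # ccf clears the overflow carry
    if carry == 0:                                    # jr nc is taken
        path.append(jr_target(0xF250 + 3, PARTY6_MOVES[2]))  # -> 0xF1E0
    # Stage 3 at 0xF1E0: PP bytes C3 1E D3 = jp $D31E (little-endian operand)
    path.append(PARTY3_PP[1] | (PARTY3_PP[2] << 8))
    return path
```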
6
Thought I'd share these here too:

MissingNo. & Old Man Glitch: http://www.smogon.com/smog/issue44/missingno

Mew Glitch:
https://www.youtube.com/watch?v=1EDAyuWOriQ
7
Generation I Glitch Discussion / Gen I battle mechanics glitches
« on: December 10, 2014, 09:09:15 am »
Here are some in-battle glitches in Generation I that, as far as I'm aware, hadn't been documented.


Division by 0 Defense:

If the attacker has over 255 Attack/Special and the defender less than 4 Defense/Special (possible only with a negative stat level), the stat would become 0 when divided by 4, and the game will freeze when trying to divide by 0 during damage calculation.

https://www.youtube.com/watch?v=V6iUlyS8GMU

There is another bug involving Reflect/Light Screen: since there's no cap after applying the Reflect/Light Screen boost, the stat can be as high as 999 * 2 = 1998 (with positive stat level); if it's higher than 1023, the defense value will become 256 points lower when modded by 256, leading to unusually high damage dealt. Moreover, Defense/Special stat of 512/513 will freeze the game during damage calculation (divide by 0 again) if Reflect/Light Screen is active.

https://www.youtube.com/watch?v=fVtO_DKxIsI


Substitute + Confusion / (High) Jump Kick:

If a Pokemon with a Substitute up hurts itself due to confusion, or due to Jump Kick's or High Jump Kick's side effect, damage will be dealt to the opponent's Substitute instead. If the opponent doesn't have a Substitute up no damage will be dealt to any Pokemon.

Quote
In Pokemon Red, Blue, and Yellow, there are two functions that handle the damage dealt to a non-substitute target; one applies damage to the player, and the other applies damage to the enemy. Normally, which function is called depends on whether the turn belongs to the player or to the enemy (if it's the player's turn, call the second function, and vice versa). But if the game needs to handle self-inflicted confusion damage, the opposite function is called.

However, there is only one function that handles the damage dealt to a substitute. This subroutine will be called by either of the two functions described above when the *target* has a substitute up. The 'whose turn' flag determines whether to deal damage to the player's or enemy's substitute. This overrides the fact that confusion damage should use the opposite logic in order to inflict damage to the attacker, leading to this interesting bug.

Notice how the *target* is the attacker if we are applying confusion damage, and the defender otherwise. This makes this bug even more intriguing because the subroutine will be called when the confused Pokemon has a substitute up, and thus damage will be "dealt" to the other Pokemon's substitute regardless of whether that Pokemon is actually under a substitute.

P.S.: Same applies to (High) Jump Kick's crash damage.

https://www.youtube.com/watch?v=jw24URgBi5o


Counter glitches:

These are the Counter mechanics:

- Counter misses if the opponent's last selected move's Base Power is 0.
- Counter misses if the opponent's last selected move's type is not Normal or Fighting, or if the move is Counter.
- Counter misses if the last move used in the battle did no damage to its target.
- If these three tests were passed, damage dealt by Counter will be equal to twice the damage dealt by the last move used in battle.

This means that it's possible to Counter non-Normal/Fighting type attacks, and even one's own attacks. For example:

Turn 1:
- Persian uses Slash and misses (doesn't affect) against Gengar
- Gengar uses Thunderbolt and deals e.g. 100 damage to Persian

Turn 2:
- Persian switches out and e.g. Snorlax enters
- Gengar uses Counter and deals 200 damage to Gengar

https://www.youtube.com/watch?v=COcd3i0GgPM (this is an unlisted video for a Pokemon Online bug report)

Counter desync glitches: https://www.youtube.com/watch?v=ftTalHMjPRY (caused due to Counter mechanics being also affected by the last position taken by the cursor in the battle menu, information that isn't shared with the opponent)


Deal 0 damage:

Not sure if this counts as a glitch, but it's possible to do 0 damage with a weak enough 4x resistant attack. If so, the move always misses (suggesting that it had missed for accuracy reasons instead).

https://www.youtube.com/watch?v=fxNzPeLlPTU


Some random curiosities:

- Mirror Move will fail if the opponent didn't use a move last turn due to a switch or due to being asleep or frozen, but it will succeed if it was because of self-confusion or full paralysis
- Fire Spin doesn't defrost the target
- Bide may hit Flying/underground targets (like Swift)
- If Counter somehow counters an HP-draining move (e.g. Absorb), damage won't be doubled, but halved and then doubled.
- If a level 0, 1, or 171 Pokemon used Psywave, the game would freeze: https://www.youtube.com/watch?v=VyIFL_-l2o4
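An added model (not the post's code) of the stat scaling step behind the two "divide by 0" freezes described above. It assumes stat stages are already applied (capped at 999), Reflect/Light Screen doubles the defensive stat with no cap, and when either stat exceeds 255 both are divided by 4 and truncated to their low byte before the damage division; the rest of the damage formula is not modelled.

```python
# Added example: reproduce the Gen I "divide by 0 defense" cases from the
# post with a model of only the stat scaling step it describes.

class DivideByZeroFreeze(Exception):
    """Raised where the real game would hang in the damage routine."""

def apply_screen(defense, screen_active):
    """Reflect/Light Screen doubling; 999 * 2 = 1998 passes through uncapped."""
    return defense * 2 if screen_active else defense

def scale_stats(attack, defense):
    """If either stat exceeds 255, divide both by 4 and keep only the low byte."""
    if attack > 255 or defense > 255:
        attack = (attack >> 2) & 0xFF
        defense = (defense >> 2) & 0xFF
    return attack, defense

def effective_stats(attack, defense, screen_active=False):
    """(attack, defense) as the damage division would see them."""
    defense = apply_screen(defense, screen_active)
    attack, defense = scale_stats(attack, defense)
    if defense == 0:
        raise DivideByZeroFreeze(f"attack={attack} defense={defense}")
    return attack, defense

def freezes(attack, defense, screen_active=False):
    """True when this stat combination would hang the game."""
    try:
        effective_stats(attack, defense, screen_active)
    except DivideByZeroFreeze:
        return True
    return False
```

Defense 512 behind Reflect becomes 1024, then 256 after the divide by 4, whose low byte is 0; defense 999 behind Reflect becomes 1998 and ends up as 243, the "256 points lower" value.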
8
There is a very little routine that makes the whole trick possible, and that's the routine at 0:1383 in Pokemon Crystal.

Code:
Function1383:: ; 1383
ld a, $e6
ld [hli], a
call PrintLetterDelay
jp NextChar
; 138c

When a char is interpreted, the routine at 0:1087 analyzes which character we are dealing with, in case it's an identifier with a special function (such as a new line, or the 'POKÉ' symbol), and jumps to 0:1383 if the char is 0. Function1383 then writes 0xE6, which is the '?' character, to hl and we move on to the next char. hl points to the corresponding tile in the tilemap, so this routine is basically overwriting the "blank" character 00 directly in the tilemap.

Code:
PlaceString:: ; 1078
push hl

PlaceNextChar:: ; 1079
ld a, [de]
cp "@"
jr nz, CheckDict
ld b, h
ld c, l
pop hl
ret
pop de

NextChar:: ; 1083
inc de
jp PlaceNextChar

CheckDict:: ; 1087
cp $15
jp z, Function117b
cp $4f
jp z, Char4F
cp $4e
jp z, Function12a7
cp $16
jp z, Function12b9
and a
jp z, Function1383
        (...)

Since the bad clone's name is just a bunch of 00's without the terminator character (0x50), when the name is read from the string buffer 1 (WRAM:D072), the game will keep on reading bytes as characters and, for every 00, write the '?' symbol in the different tiles of the tile map, eventually going past the 10 tiles that make up the bad clone's name.

The buffer at D072 is the first buffer, meaning that if any of the other 3 buffers has been used before, there will be a terminator character somewhere, making the whole thing not work (this is why one of the requirements for the trick is saving in front of the box and resetting the Game Boy without doing anything else before performing the trick).

This is the result of, for example, changing 0:1384 to 0xE7:



Notice the '!' symbols as well as the Phanpy sprite (both have hex identifiers of 0xE7).

If, instead, you just NOP the ld [hli],a instruction, the bad clone trick won't work, as, apart from the '?' symbols not appearing, FF/CANCEL remains as Pokemon FF/CANCEL instead of becoming a withdrawable Kingdra.

I still couldn't find out where all the Pokemon (including FF/CANCEL) becoming Kingdra comes from, though. It must be related to the spam of 0xE6 as well, but box Pokemon data is located in SRAM (bank 1, from RAM address AD10 on), and tracking it down with the debugger, I've seen that the 0xE6 bytes never get written to SRAM, and the data there always seems to be correct (matching the data of the Pokemon "behind" the Kingdra). So this has to come from somewhere else.
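An added Python model (not the post's code) of the PlaceNextChar / CheckDict / Function1383 loop quoted above, run over a constructed memory image: it shows why a name with no "@" (0x50) terminator keeps writing '?' tiles past the 10-tile name, and why a terminator left behind by earlier buffer use stops it. The string buffer address is the post's; the tilemap destination and the terminator offsets are constructed for the demo, and the fill byte parameter mirrors the 0:1384 patch from the post.

```python
# Added example: unterminated-string over-read behind the bad clone trick.

TERMINATOR = 0x50        # "@"
QUESTION = 0xE6          # '?' tile that Function1383 writes for a 0x00 byte
EXCLAMATION = 0xE7       # '!' tile, what the 0:1384 -> 0xE7 patch produces
NAME_TILES = 10          # width of the name field on the box screen
STRING_BUFFER_1 = 0xD072 # from the post
TILEMAP_DST = 0xC4A0     # constructed destination tile address

def place_string(mem, src, dst, fill=QUESTION, max_tiles=64):
    """Copy chars from mem[src:] to mem[dst:] until "@"; 0x00 becomes `fill`.
    Returns the number of tiles written. max_tiles only bounds this demo;
    the real routine loops until it finds a terminator."""
    written = 0
    while written < max_tiles:
        ch = mem[src + written]
        if ch == TERMINATOR:              # the only exit from the loop
            return written
        mem[dst + written] = fill if ch == 0 else ch
        written += 1
    return written

def build_memory(terminator_offset=None):
    """Constructed WRAM image: buffer 1 holds a bad clone's name (all 0x00).
    terminator_offset places a leftover "@" from earlier buffer use."""
    mem = bytearray(0x10000)
    if terminator_offset is not None:
        mem[STRING_BUFFER_1 + terminator_offset] = TERMINATOR
    return mem

def tiles_written(terminator_offset=None, fill=QUESTION):
    """Count of `fill` tiles the name draw produces; more than NAME_TILES
    means the draw spilled past the name field."""
    mem = build_memory(terminator_offset)
    n = place_string(mem, STRING_BUFFER_1, TILEMAP_DST, fill)
    return sum(1 for i in range(n) if mem[TILEMAP_DST + i] == fill)
```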
9
As a newbie GBC ROM hacker and glitch lover I have been messing about with a Pokemon Red ROM to experiment with MissingNo. and glitch Pokemon. I'd like to share some stuff and the conclusions I have come to.

First, on MissingNo.'s sprites. I suggest you have this page handy unless you know where MissingNo.'s general Pokemon data comes from.

As you know, only dimensions of fontsprite of 5x5, 6x6 and 7x7 are used. There is no space in the screen for anything bigger than 7x7. So how does 8x8 affect MissingNo.'s fontsprite then? It seems that it causes MissingNo. to have the backwards-L shape it has. Different "invalid" dimensions cause MissingNo. to have other weird forms:

9x9: AxA: FxF: Cx9: BxD:

As you see, most tiles seem to coincide in the five sprites, but in a different order. I think the order in which tiles are displayed in a sprite is stored somewhere in the ROM, but I don't know why these dimension values make the sprite look like that.

Pointer to fontsprite is 0x19 0x00. This points to 0x1900 in the RAM and thus 0x1900 in the ROM too. This means that every MissingNo. has the same sprite despite differences in Index Number (sprites are located in different banks depending on the index number of the Pokemon). In fact, if we manage to edit some bytes around there without crashing the game we'll see a different MissingNo. fontsprite:



So the data that determines MissingNo.'s fontsprite is indeed taken from 0x1900

Anyway, what came to my mind next is that, had MissingNo.'s fontsprite pointer pointed to somewhere between 0x4000 and 0x7FFF, MissingNo. would have different sprites depending on its Index Number, since then the RAM area accessed would be the switchable ROM bank area. Since sprites are stored in different banks, considering MissingNo. can have different Index Numbers, this could lead to four different fontsprites.


Quote
id   bank
0x15    0x01
0xB6    0x0B
0x00 to 0x1E    0x09
0x1F to 0x49    0x0A
0x4A to 0x73    0x0B
0x74 to 0x98    0x0C
0x99 to 0xFF    0x0D


So I changed its pointer to fontsprite to 0x00 0x70 (so that it doesn't load data from other sprites like, say, 0x00 0x40 would) to see what happened:

This is MissingNo. 0x1F. This one accesses ROM bank 0xA.


So then, my theory was that another Index Number would lead to a different sprite if the bank accessed was a different one. I tried with MissingNo. 0x50, which would load bank 0x0B. I didn't change the pointer:


And it's indeed different. This means that, since MissingNo.'s pointer to fontsprite is after all random, had it had a different pointer which pointed to a RAM area between 0x4000 and 0x7FFF, MissingNo. would have more than one sprite! (apart from Ghost and fossils, that is). Moreover, certain pointer values would've made MissingNo. look like other real Pokemon, and share tiles with them. However, considering the Pokemon Bikers have (Voltorb, Koffing etc. don't have index numbers in a range between 0x40 and 0x7F), all of that was unlikely to happen.

Pointer to backsprite is 0x8F37. This points to the Video Ram. This seems to be the reason MissingNo.'s backsprite changes depending on the opponent, since the VRAM data is not always the same.

 

It seems like, while RAM data from around 0x8F37 to 0x9080 is always the same in a battle regardless of the opponent, some bytes at around 0x9090 and onwards do change. I don't know what this data stands for, but it must have to do with the sprite of the opponent. At first I thought 0x9090 was too far from 0x8F37 to still be MissingNo.'s backsprite data, but the only theory I have is that MissingNo.'s backsprite occupies that much space. I don't know how sprite data works anyway. According to this, backsprites are around 0xA0 bytes long, but some are longer.


Now, something on Glitch Pokemon learnsets and evolutions. Have a look at this first.

When I learned about how RAM is structured, my first thought was that the correction of 34000 has to do with the fact that a pointer of 0x00 0x1E points to 0x1E00 in RAM and thus it's the first ROM bank. So that's the reason Pokemon 0xBF takes its data from there. However, for example 0xC4, which has a pointer of 0x2B 0x40, would take data from the same bank the pointer is located at, since it points to the switchable ROM bank in the RAM. This pointer would then point to 0x3802B. And indeed data past the first 00 seems to match with 0xC4's learnset:
40 0 255 35 11 0 55 0 255 30 12 38 1 0 76 5 13 39 80 0 191 10 14 50 0

Then I thought about the possibility that a pointer leading to RAM areas with varying data would lead to Glitch Pokemon with varying evolutions/learnsets!

Quote
01E00 - BF
02317 - C0
02827 - C1
0301F - C2
03720 - C3
0402B - C4
00024 - C5
01A00 - C6
01F2C - C7
02427 - C8
02905 - C9
02E2B - CA
00092 - CB
01001 - CC
000A7 - CD
01E08 - CE
0280E - CF
07415 - D0
01F1D - D1
02024 - D2
0182B - D3
00200 - D4
0010A - D5
0008E - D6
02F0D - D7
00312 - D8
06B18 - D9
0761F - DA
06F27 - DB
07130 - DC
00100 - DD
02314 - DE
00900 - DF
00F2B - E0
0161F - E1
01D77 - E2
02441 - E3
00061 - E4
01E01 - E5
0008D - E6
03111 - E7
07816 - E8
0711D - E9
08124 - EA
0992B - EB

00000 - EC
01E08 - ED
0280E - EE
02517 - EF
00000 - F0
03212 - F1
01D16 - F2
02D1B - F3
03721 - F4
06E25 - F5
0852C - F6
05E37 - F7
00100 - F8
09A20 - F9
00700 - FA
00D49 - FB
01616 - FC
01E4D - FD
0264B - FE
02E4A - FF
0364F - 00

According to this (taken from a post in the thread I linked before) there are 4 Glitch Pokemon with pointers past 0x8000. All of them point to the VRAM (0x8000 to 0x9FFF). According to the glitchdex 3 of these pokemon learn no moves via level up which makes sense considering that, in the VRAM, when a byte with a 0x00 comes it's generally followed by many more 0x00.

0xEA is the Pokemon that is illustrated to learn moves by leveling up in the glitchdex and bulbapedia. Its pointer points to 0x8124. I assumed that the information about the moves learned by leveling up was taken by leveling up the Pokemon via Rare Candies. So I emulated that, with the Memory viewer open at address 0x8124. I was pretty excited when I saw that the data in the RAM in the moment the Pokemon leveled up matched the learnset of 0xEA in the glitchdex:




Look past the first 00, which is where the learnset data starts. Before that, we can see it doesn't evolve. This data is the following: 02 F1 0F F2 0E FC 0C F0 10 A0 60 C0 C0 40 40 00 40 00 00. The last 00 is the terminator. 02 F1 means that it learns TM 41 at level 2, and then 0C F0 means that it learns TM 40 at level 12. I assumed the glitchdex is mistaken here in saying that it learns TM 41 at level 12 instead, since every other move matches.

So what if I leveled up the Glitch Pokemon by gaining experience points in battle? The VRAM would be different then, and thus the learnset too! I tested it with the Glitch Pokemon 0xEA itself. I altered its base stats data so that its moves don't crash the game and it grows up quickly. I rare candied it until level 11. Then I leveled it up to lv 12 via battling. And it didn't learn any move!



So, depending on how you level it up, 0xEA's learnset is different.

Then I had a look at the other 3 Pokemon. I assumed the glitchdex and bulbapedia say that they don't learn any move via level up because their pointer points to VRAM data that makes them learn no moves via rare candies.

Unfortunately, while I haven't checked each Pokemon separately so I'm not 100% sure, the VRAM data during a level up via battling at addresses 0x992B, 0x852C and 0x9A20 stands for learning no moves via battling either. However, I don't know if leaving the Pokemon in the daycare and leveling it up that way could offer any possibility of modifying the learnset of the glitch Pokemon.
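An added Python helper (not the post's code) that resolves a Gen I 16-bit pointer the way the post reasons about it: fixed bank 0 below 0x4000, the switchable bank from 0x4000 to 0x7FFF, VRAM from 0x8000 to 0x9FFF. The sprite bank table is the one quoted in the post, the bank 0x0E value follows the post's own 0x402B to 0x3802B case, and the pointer values used are the post's; the region boundaries are standard Game Boy memory map facts.

```python
# Added example: which memory region a fontsprite or learnset pointer lands
# in, and therefore whether the data it reads can vary at runtime.

SPRITE_BANKS = [  # (first id, last id, bank); exact ids listed first win
    (0x15, 0x15, 0x01),
    (0xB6, 0xB6, 0x0B),
    (0x00, 0x1E, 0x09),
    (0x1F, 0x49, 0x0A),
    (0x4A, 0x73, 0x0B),
    (0x74, 0x98, 0x0C),
    (0x99, 0xFF, 0x0D),
]

def sprite_bank(index):
    """ROM bank switched in when this index number's sprites are loaded."""
    for lo, hi, bank in SPRITE_BANKS:
        if lo <= index <= hi:
            return bank
    raise ValueError(f"index out of range: {index:#x}")

def resolve_pointer(ptr, bank):
    """Classify a 16-bit pointer; for ROM, compute the absolute ROM offset.
    Returns (region, location)."""
    if ptr < 0x4000:
        return "rom0", ptr                              # fixed bank 0
    if ptr < 0x8000:
        return "romx", bank * 0x4000 + (ptr - 0x4000)   # switchable bank
    if ptr < 0xA000:
        return "vram", ptr                              # changes with the screen
    if ptr < 0xC000:
        return "sram", ptr
    return "wram", ptr   # echo/OAM/IO lumped in; enough for this model

def learnset_source(ptr_lo, ptr_hi, bank):
    """Where a glitch Pokemon's learnset bytes come from, and whether they
    can differ between a Rare Candy level-up and a battle level-up."""
    ptr = ptr_lo | (ptr_hi << 8)
    region, loc = resolve_pointer(ptr, bank)
    return region, loc, region == "vram"

def missingno_sprite_rom_offset(index, ptr):
    """ROM offset a fontsprite pointer reads from for a given index number."""
    return resolve_pointer(ptr, sprite_bank(index))
```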