Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - ISSOtm

Pages: [1] 2 3
Wiki Discussion / Reducing the side bar
« on: February 03, 2019, 05:49:40 am »
Let's be real: the site's sidebar is way, WAY too long.

Here's what there is on the forums:
Main menu
- Main page (redundant with the `Home` button)
- Forums (we're already on them)
- Recent changes
- Random page
- Help

List of "dexes" (shouldn't they all be grouped under a single "Databases" link instead?)

Major glitches
A list of the glitches (shouldn't they also all be grouped into one page? This one already exists, even - Category:Major glitches)

Other glitch categories
I guess those are fine, just Major glitches should be one of those

- GS codes
- GG codes (should be one link for those two)
- Disasm projects
- The Big HEX list
- GB programming
- Curiosities (how is this a reference? Same with what's below)
- Debugging features
- Error traps
- Non-glitch exploits
- Pokémon glitch terminology (this one is fine)
- Unused content and prerelease information (how is the a reference?)
- More

Useful tools
- 8F Helper
- GBz80 to items
- Old man trick name generator
- Save file editors
- Special stat / Pokémon converter
Trainer Escape Trainer Pokémon finder

List of affiliates. I believe those should be left as-is.

Site source code (shouldn't be in its own category, imo)

Search wiki
Search forums <-- That one is redundant with the search box at the top-left of the page.

IIRC the list is different when on the wiki, but let's focus on one at a time, shall we?
TheZZAZZGlitch made a pretty cool memory editor, which nicely fits in 200 bytes. You can check it out in this video.
Given that the setup's duration basically depends on its length, I made a "1.1" version, which retains the same functionality, but fits it only 173 bytes !

Here is the byte list :
Note that you will need to start with 173 X Accuracies instead of 200.

If you want to check out the source, which is even more messy (but also more commented) than the original :
Krys3000 asked me to take a look at "????? party overloading". Since that glitch has quite some potential, I figured it would be a good idea to check out how it works, to make developing techniques using it easier.

First, let's quickly recap how it's done :
- Have a ????? (species FF) at the top of a 6-Pokémon party (Example below)

- Use "Move Pkmn w/o Mail" to place a Pokémon on the first party slot
- Select "Withdraw" and start withdrawing Pokémon, which can be done even though there are more than 6.
Each Pokémon withdraw will overwrite an area of memory, such as roaming Pokémon structs, etc.

Now, I'm going to explain how it works, so you can get an idea on this glitch's internals.

I'll use Crystal as a reference because it's way more documented (disassembly-wise) than Gold/Silver, and the glitch works there too.
As to how the glitch works, there are two culprits :

The first culprit is CopyBoxmonSpecies. This function copies the target "box" (the party is considered a box there), and updates wBillsPC_NumMonsInBox to contain the correct number of Pokémon. Problem is, the function stops its copy as soon as it finds a $00 or $FF byte (I'm not sure why the programmers decided that both of these would be terminators, but... that's how it works !). Thus, only the $FF Pokémon's species is copied into the buffer, which tricks BillsPC_CheckSpaceInDestination into thinking there are exactly 0 Pokémon into our party.
Because this function is meant to allow or refuse transfers to our party, it will let us obtain a party containing more than 6 Pokémon. This lets us slide into part 2...
(I didn't investigate more "Move PkMn w/o Mail", and I don't think it would yield a very different corruption than Withdrawing. I may be wrong, though.)

The second culprit is SentGetPkmnIntoFromBox (names like that can't be made up), which is called by TryWithdrawPokemon.
This function is responsible for moving Pokémon around (party, boxes, Daycare). Here, it's called with wPokemonWithdrawDepositParameter being 0, which prompts it to check if the party isn't full. Unfortunately (for the programmers), the check only checks if there are EXACTLY 6 Pokémon in the party !
Because "part 1" allowed us to obtain a 7-Pokémon party, the check returns non-zero and we are allowed to nicely proceed.

For the rest of this explanation, I'll use a small shortcut : N will represent the number of Pokémon in the party prior to withdrawing.

So, what happens when we withdraw a Pokémon ?
First, the game writes the Pokémon's species at (DCD8 + N).
Then it writes a $FF at (DCD8 + N + 1) to properly terminate the list.
Then, it copies the boxed Pokémon's data (0x20 bytes) to (DCDF + N * 0x30)
[Aparté : a boxed Pokémon is 0x20 bytes large ; a party Pokémon is 0x30 bytes large, the first 0x20 being the same bytes as its boxed counterpart, with the remaining 0x10 bytes being the status, an unused byte, and the stats]
Then, it copies the Pokémon's OT name (11 bytes) to (DDFF + N * 11).
Then it copies the Pokémon nickname (11 bytes) to (DE41 + N * 11).
The game then calculates its level, resets its status, and writes its stats. It also sets its HP to its max HP (except if it's an egg, then it sets HP to 0).

SO ! Let's recap the corruption that occurs. Here's a handy list of all the writes that occur, by order of appearance (meaning some could override others !!) :
(Note : I'm not certain about endianness, but assume big-endian unless otherwise stated)
Start| End| Content
DCD8 + N| DCD8 + N| Species
DCD8 + N + 1| DCD8 + N + 1| $FF
DCDF + N * 0x30| DCDF + N * 0x30| Species
DCDF + N * 0x30 + 1| DCDF + N * 0x30 + 1| Held item
DCDF + N * 0x30 + 2| DCDF + N * 0x30 + 2| Move 1
DCDF + N * 0x30 + 3| DCDF + N * 0x30 + 3| Move 2
DCDF + N * 0x30 + 4| DCDF + N * 0x30 + 4| Move 3
DCDF + N * 0x30 + 5| DCDF + N * 0x30 + 5| Move 4
DCDF + N * 0x30 + 6| DCDF + N * 0x30 + 7| OT ID
DCDF + N * 0x30 + 8| DCDF + N * 0x30 + 10| Experience
DCDF + N * 0x30 + 11| DCDF + N * 0x30 + 12| HP stat experience
DCDF + N * 0x30 + 13| DCDF + N * 0x30 + 14| ATK stat experience
DCDF + N * 0x30 + 15| DCDF + N * 0x30 + 16| DEF stat experience
DCDF + N * 0x30 + 17| DCDF + N * 0x30 + 18| SPD stat experience
DCDF + N * 0x30 + 19| DCDF + N * 0x30 + 20| SPE stat experience
DCDF + N * 0x30 + 21| DCDF + N * 0x30 + 22| DVs
DCDF + N * 0x30 + 23| DCDF + N * 0x30 + 23| Move 1 PP
DCDF + N * 0x30 + 24| DCDF + N * 0x30 + 24| Move 2 PP
DCDF + N * 0x30 + 25| DCDF + N * 0x30 + 25| Move 3 PP
DCDF + N * 0x30 + 26| DCDF + N * 0x30 + 26| Move 4 PP
DCDF + N * 0x30 + 27| DCDF + N * 0x30 + 27| Happiness
DCDF + N * 0x30 + 28| DCDF + N * 0x30 + 28| Pokérus status
DCDF + N * 0x30 + 29| DCDF + N * 0x30 + 30| Caught data
DDFF + N * 11| DDFF + N * 11 + 10| OT name
DE41 + N * 11| DE41 + N * 11 + 10| Nickname
DCDF + N * 0x30 + 31| DCDF + N * 0x30 + 31| Level
DCDF + N * 0x30 + 32| DCDF + N * 0x30 + 32| Status
DCDF + N * 0x30 + 34| DCDF + N * 0x30 + 35| Max HP (or 0 if Egg)
DCDF + N * 0x30 + 36| DCDF + N * 0x30 + 37| Max HP
DCDF + N * 0x30 + 38| DCDF + N * 0x30 + 39| Attack stat
DCDF + N * 0x30 + 40| DCDF + N * 0x30 + 41| Defense stat
DCDF + N * 0x30 + 42| DCDF + N * 0x30 + 43| Speed stat
DCDF + N * 0x30 + 44| DCDF + N * 0x30 + 45| Special attack stat
DCDF + N * 0x30 + 46| DCDF + N * 0x30 + 47| Special def stat

This is quite interesting in Crystal, because these are located very near the end of WRAM, thus near the beginning of Echo RAM. At the beginning of Echo RAM is the stack, which could allow for another ACE method ! My next goal is to research ACE on Crystal using this.

Shoutouts to SMF for not allowing borders on their tables. Geniuses.
Welcome to the ACE Guide !

ACE is the most powerful and dangerous glitch of them all, and some questions come up often.
If you want to ask a question, please read this thread, if the answer is there please don't post about it.

NOTE : This guide is a WIP, I'm going to add new questions as they come up. Please don't post unless it's for this purpose :)
Emulation & ROM Hacking / Pokemon Red - Stryder7x edition
« on: April 27, 2017, 05:44:58 pm »
If you don't know Stryder7x, he makes videos about Paper Mario glitches. They generated a ton of memes, and this hack is a tribute to him. Now, it's not a ROM hack !

Teaser :
Download the save :
Open with English Pokemon Red or Blue (Should crash otherwise, so... :D)

Tech talk :
It's too long. Really too long.
Because why not :)
This is useful, for example, when making custom save files (poke @TheZZAZZGlitch :P). Or if you want to be an ugly troll to your friends ^^

This is based off DMA hijacking, a technique that allows "automatic" ACE on each frame.
First off, you will want to write this piece of code somewhere :
Code: [Select]
ld a, [$C3AA]
cp $79
jr nz, .ok
ld hl, $0014
add hl, sp
ld [hl], $E8
inc hl
ld [hl], $29
ld a, $C3
ld c, $46
And for those who want hex :
Code: [Select]
FAAAC3 FE79 2009 211400 39 36E8 23 3629 3EC3 0E46 C9
Then, you will want to write
Code: [Select]
CDYYXX E2at $FF80, where the address of the above function is $XXYY (be careful of the order, it's in reverse !)
For example, if NoStart is at $CAFE you will write
Code: [Select]
But be careful, those four bytes have to be written in one frame ! Otherwise you will almost certainly crash :D

Now, if everything is in place, the START menu will pop up when you press START, but will close immediately, without even printing any text inside
Until you reset the console, actually. This doesn't persist through resets :3 (although it is possible to make it permanent)
But this can make challenge runs where you aren't allowed to save (unless you change boxes), use items out of battle, re-order your Pokémon (outside of the PC). Or just have fun screwing around :P

How does it work ?

$C3AA is a part of the game's WRAM tilemap, and this is where tiles are written to before being copied to VRAM (because of access restrictions)
Specifically, the game writes a $79 there (top-left menu tile) when opening the START menu. As far as I know, no other text box in the game does this.
If such a tile is detected, the script knows the game is attempting to open the START menu. Specifically, due to how text boxes work, the game is processing the DisplayTextIDInit function, which consistently waits for a few frames.
What we do is manipulate this function's return address so instead of displaying the menu, it will directly go to the function that closes it.
Code: [Select]
ld hl, $0014
add hl, sp
makes hl point to the aforementioned return address, which we overwrite with $29E8 (CloseTextDisplay) which undoes everything. Pop :P
All that remains of the menu is the blank text box, which is displayed by DisplayTextIDInit. It would be possible to avoid it, but that would be heavier. Besides, if you want to troll a friend, he will probably freak out a bit more :D

Note that this doesn't affect any other text box ;)

I'd like to make a demonstration video but I don't have any working screen recorder.
Arbitrary Code Execution Discussion / Easy tool to make 8F setups
« on: February 25, 2017, 12:31:39 pm »
GBz80 to Items : Making 8F setups easier

GBz80 to Items is an online tool that allows you to write 8F item setups very easily.
You just type your code, click a button, and you get an item list. Easy as cake !
It's currently available online at

Knowledge of Gameboy assembly is required, this is only intended to replace using The Big HEX List and speed up the process of writing setups.

No problem ! I have you covered.
If you have a GitHub account, I suggest you go here and create a new issue.
Otherwise, just post your request in the thread. I visit the forums quite often, so I'll probably work on it shortly.

#002  "ld (mem16), a" throws "Line undefined : Invalid operand (mem16) !" Fixed in 3.0.1
#003  "ld a, (mem16)" throws "Line 1 : mem16 isn't a valid 16-bit number !" Fixed in 3.0.1
#004  ldh doesn't work and throws "memAccess is undefined" internal (!) errors Fixed in 3.0.1
#005  Bit rotation instructions throw "reg8.indexof is not a function !" Fixed in 3.0.1
#006  jp mem16 throws "invalid operand $36e0 !"

Legacy stuff :
This is the third version of the compiler I make, and the second I publish.
The old v2 version can be checked out at (version 2.1) and (version 2.2, never finished because shitty code)
Arbitrary Code Execution Discussion / Using 8F to ACE other games
« on: February 11, 2017, 10:52:57 am »
This is a method to perform ACE on each game frame - provided it uses OAM DMA. I guess all games use it, so, yeah.
It also has the bonus of being cartswap-friendly.
Need no more to be convinced ? Then here is the thing !

This works only on Pokémon Red or Blue.
You need to place the following hex data at the following locations.
Use your favorite emulator's (or BGB if you intend to do cartswap) memory viewer to do that.
Alternatively, you can use an in-game memory editor such as offgao's (see this thread)
Also, make sure all data at FF80 is not executed until it is complete. It's very sensitive data executed on each frame, and you don't wanna crash.
One way to do it is to write a $C9 at $FF80 first, and write the $CD last.

These two pieces of data don't persist after saving and resetting.
Code: [Select]
At DF00 : (WRITE FIRST !!)


Once both pieces of code are in place, go into any house, exit it and o surprise, Hall of Fame !
Tech details are below.

If you want to try the cartswap-based funky badass-showoff version (Pokémon Blue "cartswap wrong warp%"), then set up DF00 and FF80 as above, and then this.
Code: [Select]
At D163 :

At D31D :

At D53A :
Now, open your bag (surprise, there's 8F in there), use 8F. The game will then freeze, so use "Load ROM without reset" on BGB and load Pokémon Blue (or Red, works fine too).
Press any direction on the D-Pad, and the game will start. You can then choose to start a new game, and you will soon find out your house leads directly to the Hall of Fame ! Nice.

I attached a BGB save state to be tried on Pokémon Red that has all set up. This was hex edited, but is doable legitimately. You just have to load it in BGB, then use the above method or just close the menus and walk out of your house.

Tech stuff
On each LCD frame, the game has to run a small routine in RAM to transfer sprites from a temporary buffer to the location the GB uses. However, we hijack this routine to run custom code.
The trick is simple : hijack usual code flow, run our code, and make sure everything else goes as intended.

At $FF80 is this code :
Code: [Select]
ld a, $C3
ldh [$FF46], a
which we overwrite with
Code: [Select]
call $DF00
ld [hl], a

Pokémon R/B/Y allocate $DF00 to $DFFF to be stack space. However, during usual play, I never experienced the game using more than ~100 bytes at once. This leaves us with more than 128 bytes for code storage !
Code: [Select]
ld a, $76 ; Hall of Fame map ID
ld [$D365], a ; Door mats exit
ld hl, $FF46 ; OAM DMA
ld a, $C3
This code essentially sets all door mats exits to warp Red to the Hall of Fame. Pretty neato, huh ?
This is a half gameshark emulator, because it can't set a value mid-frame. However, it is cartswap-friendly, using for example the following setup :

The data at $D163 and $D31D set up 8F properly, I'll just skip explaining them.

The code at $D53B is a bigger deal.
Code: [Select]
PartialInit:: ; $D53B
  ld hl, Init
; Real init function. We copy it to RAM for patching.
  ld de, $DF0B
; Routine copy location.
  ld bc, $0049
; How large the target code is : 73 bytes !
; We will append a jump to end it later.
  call CopyData
  ld a, $10
  ldh [$FFFF], a
; Only enable joypad interrupt.
; It should pop instantly, but it doesn't crash, phew !
; a = $20
  ldh [$FF00], a
; Select Dpad
  dec a
; a = $1F
; Patch WRAM clear size to not clear $DF00 onwards.
  ld [$DF0B+$2B], a
; Write part of the "return" address.
  ld [$DF0B+$3F], a
  ld a, $8A
; Patch HRAM clear code to not clear patched DMA code.
  ld [$DF0B+$38], a
; It will clear past HRAM, but no problem.
  ld a, $C3
; JP instruction.
  ld [$DF0B+$3D], a
  ld a, $A1
  ld [$DF0B+$3E], a
; Patch DMA writing with returning to ROM code.
  jp $DF0B
; Jump to patched init. Cartswap is complete.
Generation I Glitch Discussion / WTW and battles
« on: January 26, 2017, 11:30:36 am »
The game actually checks whether you're being guided by the game before sending you into a battle, be it Trainer or wild.

The called function resides here :

Notes that it returns non-zero is bit 7 of $D730 is set.
This bit is used by the game when a sprite is following scripted movement.
But did you know the Pewter Museum and Brock Through Walls of activating NoClip actually set this flag ? Yeah, no kidding !
After testing (setting $CD38 to $FF, $CD3B to $FF and $D730 to $80 enables NoClip and makes you being controlled by the game unless you hold any button), I found out two interesting things.
First, wild battles do NOT trigger. Like when you enable bit 1 of $D732 and hold down B.
Second, Trainer battles... stuff. First, Trainers do notice you, and bring their text properly. They don't have to walk to you. However, when you close their text... no battles begins until $D730 bit 7 is zero, which happens when $CD38 hits zero.

tl;dr : using Pewter Museum Guy NoClip or Browk Through Walls disables wild battles as long as the glitch stays active (eg it cancels when entering any building). Trainers don't begin their battle until CD38 has hit 0, which may take a couple seconds, but you can't avoid Trainers that way. Too bad !
General Discussion / GCLf member sprites
« on: January 23, 2017, 10:00:25 am »
Anyone that wants to can submit here a 16x16 pixel image that represents them. 4 levels of grayscale are allowed (yep it's for gray GB). I accept anything that can be safely shown to anyone under 18.
Non-Core Game Glitch Discussion / Pokémon Stadium - N64 ACE HYPE !
« on: January 21, 2017, 07:34:10 am »
MrCheeze did it. Basically, attempting to use Pokémon Stadium to trade Pokémon to a Gen I cartridge with more than 20 Pokémon, you get a buffer overflow.
Demonstration video
Tech stuff

Get hyped guys, if we manage to make cartswap real on the N64, we basically pwn the fifth generation of consoles.

I'm going to send a R.O.B to Game Freak at this point. Via mail.
The Dumpster Out Back / Re: Who can approve wiki edits ?
« on: January 20, 2017, 01:39:09 am »
Bump, but I still can't approve edits :(

[EDIT] Thanks Torchickens !
Wiki Discussion / Improving the homepage
« on: January 20, 2017, 01:24:51 am »
The homepage doesn't link to wiki articles, except in the sidebar, which I find not that easy to browse.
I suggest we put some thing along the lines of "If you want to start browsing glitches, then here is the [[glitch list]]" right before "Want to help?"

[[glitch list]] should contain links to glitch categories, such as a "Browse per generation" section, a "Getting Mew" section, a "Catch'em all" section, etc.
I don't want to start working on the page unless it gets approved by the community.
Video Games / Routing a "Pokémon Red Playaround" TAS
« on: January 16, 2017, 12:03:56 pm »
The principle of a TAS, for those that don't know, is basically to program an emulator to play a game "perfectly". To do so, tools such as frame advance, rewind and save states are allowed, hence the name Tool-Assisted Speedrun. The goal is usually to finish the game as fast as possible, using glitches most of the time but not always.

Here, I would like the discuss a route for a TAS that doesn't aim at finishing Pokémon Red as fast as possible - others do that already and way better than me - but instead to showcase glitches in an entertaining way.

The goal I planned for this TAS is to obtain 8F ACE, use WTW to skip all Victory Road, then 8F-induced WTW to skip the whole Elite Four. I think winning by pure ACE or underflow somewhat sucks.

Here is the current planned route :
1. Maybe manipulate the female NPC to trigger the Oak softlock ?
2. Trigger the sprite overflow in the lab
3. Manipulate Charmander's stats for Brock Through Walls (BTW) later
4. Open the START menu after the Rival battle, just for fun
5. Go and heal in Viridian
6. Get and deliver the Parcel
6 1/2. Buy items to have 6 item slots filled. The highest-selling must be bought last
7. Set up the death Trainer-Fly in Viridian Forest
8. Battle the Rival
9. Get Oak's glitched text (pause on it for like a second, have slow text speed)
10. On the way back, get the level 3 Pidgey encounter, Growl 6 times
11. Capture Nidoking 8)
12. Level it up in the forest to speed future battles up
13. Heal at Pewter to set Teleport destination
14. Perform Brock Skip
15. Reload the map to respawn the NPC
16. Perform BTW
17. Reach Cerulean, skipping Mt. Moon
18. Catch an Abra for Teleport
19. Go to Celadon while making a detour through Lavender and Vermilion to add to the Fly list
20. Obtain Fly HM
21. Go back to Pewter using Teleport
22. Perform BTW again
23. Set up a Trainer-Fly on Route 24 using Teleport
24. Save at the PC then reset
25. Return to Cerulean by BTW
26. Engage the swimmer in Misty's Gym
27. Let Charmander against his second Pokémon to showcase the dumb AI
28. Obtain level 1 Mew, if possible we should remove Snorlax to save another BTW later
29. Set up another Teleport TFly
30. Save at the PC, then reset
31. Perform BTW still again
32. Beat Misty, levelling Mew up in the process. If not possible, it has to be levelled up ASAP since we need to deposit it later, and that crashes if it has negative XP
33. Encounter Missingno, rearrange items and catch it to make maximal profit
34. Teach Fly to Mew
35. Fly to Celadon
36. Sell the 256 cloned items
37. Buy a Water Stone and an X Special. The X Special should land in the inventory's sixth slot
38. Go to Cycling Road. If Snorlax cannot be removed by TFly, do another BTW
39. Bypass the bike requirement. If doing BTW, pass through the loading zone (described at the end of this post) and go on the road without a bike to showcase downwards movement being applied anyways, but go back to be forced on the (faster) bike
40. Go to Fuchsia to set on Fly list
41. Catch Ditto and set it up for Cooltrainer (faster item duplication than TFly)
42. Fly to Vermilion
43. Enter Diglett's Cave
44. Duplicate X Specials. Might as well dupe Water Stones if possible
45. Fly to Celadon
46. Obtain 8F. Deposit items in the PC instead of tossing (avoid wasting the Water Stone(s) and buy items to stabilize the inventory)
47. Fly to Cerulean
48. Deposit 8F, withdraw items to stabilize the inventory
49. Set up a Trainer-Fly, going to Lavender
50. Engage the guy that yields a Pidgey, Growl 6 times with Charmander and finish with Mew
51. Fly to Cerulean
52. Capture Pidgey at level 1, manipulating its stats so it will have 233 Max HP later
53. Teach Fly to Pidgey (can open START menu for TFly, teach then fly)
54. Get it to level 100 and cancel the evolution
55. Set up TFly again, going to Celadon
56. Go to the PC, deposit Abra, Nidoking and Mew, then save and reset
57. Set up another TFly using the famous Gambler, going to Pewter
58. Trigger BTW again
59. Fly to Fuchsia, this doesn't cancel the glitch
60. Go on the water to catch a Tentacool
61. Go east of Fuchsia and fight an Arbok-yielding Trainer
62. Fly back to Cerulean
63. Obtain Arbok through the warp
64. Battle the guy to the Gambler's left to get a Parasect yield (other Trainers may be faster, though, but I found none)
65. Go back to Cerulean to get it

Now what is left is :
- getting Onix (or another Pokémon to tweak where ACE will begin in the pack)
- getting the required items
- optimizing the route
- doing the thing
- being showcased at AGDQ

Removing Snorlax
TheZZAZZGlitch explained it in one of his videos. Basically we need to load Snorlax's map right before doing a TFly, and due to the glitch's properties, this will remove Snorlax.

Passing through loading zones
If a warp is triggered not by stepping on a door, it can be passed through. To do so, NoClip (aka WTW) is required. Then, the player must be on the title that he should stand on to trigger the warp, but not facing the warp. By pressing and holding towards the warp, he will pass right through.

An example will be given on the Cycling Road gate west of Celadon City. The player should stand one step north of where exiting the gate puts him, with NoClip active. Then, move one step down. Pressing and holding left will have the player step on the gate. Tapping left to turn, releasing then holding will have the player enter the gate, however.
Pages: [1] 2 3