Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Evie ❤✿

Pages: [1] 2 3 ... 27
1
This is something I read on our affiliates at Legendary Star Blob 2 a long time ago but didn't properly look into myself.

It appears in the Japanese versions of Red/Green/Blue/Yellow, the Safari Zone warden spoke in broken Japanese; with their phonemes corrupted. This was a mystery for some time, but it appears someone named Momiji Aoyama suggested maybe that Team Rocket stole his Gold Teeth.

So at some point, the author of http://hakuda2.web.fc2.com/wario/poke1/k40.html came up with the following script:

「大変や、ロケット団に入れ歯とられてしもうたッ!たっ、助けてくれ!」
「よろしく頼みますわ!ヤツはサファリゾーンや!」
「なに?(微妙にこの部分は不明)そうか・・・いい、お前には頼まんわッ!!」

From the original;
「ふぁいへんひゃ ふへほ はんひ ひへは ほはへへ ひほうはッ! はッ はふへへ ふへ!」
「よほひふ はほひまふは! はふは はふぁりほーんひゃ!」

The gist is like: "This is terrible! Team Rocket have taken my dentures!  Help me! I'm depending on you! That idiot is in the Safari Zone somewhere! What? All right, that's fine, but I beg that you can help me."

There is more to this. It appears the game's story was altered at some point. In the original Japanese versions, due to an oversight, there is hidden normally unused text in the Safari Zone about Silph's Chief. Silph Chief is the Japanese name of the unused Chief Trainer class (who uses Scientist's sprite due to a technicality (it's not the real sprite)). One of these texts is "SILPH's manager is hiding in the SAFARI ZONE." (Japanese: シルフのチーフが サファリゾーンの どこかに かくれてるんだって!). For more information, see this thread.

Thoughts/does anyone have any further information?

I will try to translate the whole article and analyse it further, but it will take some time and my Japanese skills are only elementary-low intermediate with help, or maybe someone on pret/TCRF (such as GlitterBerri) or Legends of Localisation may want to look into it. I also want to do a video about this in depth at some point. ✿
2
Video Games Discussion / Chee-Chai Alien franchise
« on: January 04, 2019, 02:40:08 pm »
Creatures Inc. (The Pokémon Company affiliate) have their own series featuring tiny little aliens known as Chaliens. It's not as good as Pokémon, and outside of the minigames it can get a little boring in my opinion, but I have recently started a wiki to learn more about it. It's very quirky as well, so if you like that aesthetic you may enjoy it. There are only three games in this series, and the series has been dormant for a while. It will be interesting if it returns though.

I recommend Nonono Puzzle Chalien over Chee-Chai Alien, because in Chee-Chai Alien you need to grind to unlock each Chalien's minigame (unlocking the Chaliens from light sources from the Game Boy Color's infrared port and interacting with them in a Polariton to gain sufficient points for the minigame). Nintendo did release the only localized game in the series, Spin Six for Nintendo DSiWare (also available on eShop). It is only a portion of Nonono Puzzle Chalien (specifically Spin Six mode) though, so if you can get Nonono Puzzle Chalien I recommend that. The trivia you unlock after each puzzle will still be in Japanese though, so that's a reason to buy Spin Six instead.

Another really obscure fact is that Chee-Chai Alien had a manga known as Mi Kakunin Uchuu Seimei-tai GoGo! Chalien or "Unidentified Space Life Form GoGo! Chalien" (see below).



It probably didn't appear outside of Bessatsu Coro Coro Comic where it was originally serialised in 2001, but it looks like it would be interesting to see.

Here is the recently created wiki if you'd like to learn more about the series, because the available information about it is poor.

http://chee-chai-alien.shoutwiki.com/wiki/Main_Page
3
This has been available with Game Genie for a while now (Wack0 provided the theory and I generated the codes), but the trouble with this is that the physical Game Genie doesn't like Pokémon Yellow's cartridge type; bringing up a blank screen if you use it. For reference however, the Game Genie codes to do this are: 3E0-2E9-B31 XX0-2F9-C49 (where XX is the Trainer class you want, equivalent to Trainer escape glitch ID minus 200). All you have to do for this method is battle any Trainer, and it will become the desired Trainer or glitch Trainer.

Now however, you can do this with ACE eliminating the need for Game Genie or ROM hacking.

Requirements:

0) To have mastered Celadon looping map glitch and to know how to destroy Cancel buttons.
1) ws m (0x63) bootstrapped to D321. C3 21 D3 at 0xDA7F will do the trick. You can use map script abuse or connection copier to write these values.
2) 4F (0x59) bootstrapped to D330. C3 30 D3 at 0xDA64 (technically 0xFA64; this might matter if you're using a bad emulator) will do this. This can be achieved with the same methods as 1).
3) The following code beginning from item 3 (no unterminated-name or lag glitch items, however those should be avoided with B-Button when you encounter them with Celadon looping map glitch):

Steps (code/items from below must be stored in the memory):

1) Use ws m. It appears 'nothing happened', but it actually copied data from ROM into RAM at DA7F (stored Pokémon).
2) Adjust Lemonade x0's quantity and use 4F immediately after using ws m to enter the battle with a Trainer class based on Lemonade's quantity.

@D321 (item 3) (routine copier)

ld a,3d
ld hl,5ff2
ld bc,0244
ld de,da7f
call 009d
ret

: Calls FarCopyData with source as 3D:5FF2, bytes to copy as 0x244 and destination as DA7F (modifies ws m)

@D330 (item 10 quantity) (pseudo-Game Genie and battle activator)

ld hl,dabb
ld a,3e
ldi (hl),a
inc b
ld a,(desired trainer class; d338)
ldi (hl),a
inc b
ld a,ff
ld (d058),a
inc b
inc b
ld b,3d
ld hl,da7f
call 3e84
ret

: 'Patches' DABB. This should be sub a,c8 (take the Trainer escape ID and subtract 200 to get Trainer class) but instead we change it to ld a, xx; allowing us to battle any Trainer class we want. D058 is set to a non-00 value, the bank is switched back to 0x3D and we run the code we copied to DA7F and modified with the patch.

The entirety of this code fills the item pack and touches money byte 1, so don't win any money from the trainer if you want to battle more than one in one session. The unique Trainer AIs you can access this way however may stop you and result in a freeze. TM55 (Trainer (actual):255) has an interesting AI which sends you to Victory Road.

The item list from item 3 is as such:

i3: Lemonade x61
i4: Thunderstone x242
i5: 10F x1
i6: X Special x2
i7: Max Potion x127
i8: TM18 x205
i9: Item 0x9D (#ァPkMn p#ゥ ##ゥK▶E '#4ゥ) x0
i10: TM01 x33
i11: Item 0xBB (#……#) x218
i12: Lemonade x62
i13: Water Stone x4
i14: Lemonade x(desired (real) Trainer class ID)
i15: Water Stone x4
i16: Lemonade x255
i17: TM34 x88
i18: TM08 x4
i19: Poké Ball x6
i20: Soda Pop x33
i21 (normal end/money 1): Item 0x7F (#ぇ #### ### #####u#) x 218
i22 (money 2/3): TM05 x132
i23 (rival name 1/2) : Lemonade x201

You may also download the "all glitch trainers" save from my Google Sites, import it, and modify item 14's quantity to explore all 256 Trainers. Note the Lemonade x0 means Lemonade x256. You can toss from this quantity as if it was valid, to access roster 256 (no tossing) or rosters 1-255 (tossing).

Link: https://sites.google.com/site/torchickens2/pokemon-save-files

Unfortunately rosters are unsupported as of now. I'm unsure how to implement them but it may be possible.

Have fun glitching! :)
4
Generation I Glitch Discussion / What is this sprite?
« on: January 04, 2019, 10:04:04 am »
While playing around with the code 01FFE0D4 set in Yellow, I came across this circled sprite. It was walking down as if it was an NPC. Is it a glitched sprite, is it used somewhere, or is it an unused sprite?



Also on the same subject, I've encountered a sprite various times resembling rock debris or something like that. I unfortunately forgot how to replicate it but I'll post it if I find it again.

Edit: I found it! Just perform CoolTrainer in Victory Road. ✿


5
After looking into the BGLSG glitch that LanceAndMissingno. found; it appears you can load glitch text boxes for certain texts when D4E0=FF (with the exact same Trainer as LanceAndMissingNo. the value of D4F0 will also influence the text box, with D4F0 as 00 providing the "BGLSG" glitch text box).

The idea then is to set up Pikachu off-screen glitch (which can easily be done with the Lg- (0x6E) glitch item) until D4E0 is corrupted, and then bring Pikachu back on the screen to change all the values you corrupted, including D4F0, to 0xFF.

An example is this sign in Celadon Mansion, which we can in theory manipulate to regard DBCD as the source text box:



DBCD is the second experience byte of stored Pokémon 10. Having exactly 2072, 67608, 133144, 198680, 264216, 329,752 (... anything expressed as 2072 + (65536*n)) experience on this Pokémon will spell 08 18.  The 08 tells the game to begin executing code, and the 18 indicates the jr instruction. Following this, we can have a parameter for the jr instruction. An easy one is 0x14 which requires using two HP Ups on an untrained Pokémon and will make the PC interpret jr DBE4.

At DBE4 is the typing of the Pokémon. For this method, we will use ♀ . (C1), hence these values will be 0x93 and 0x80 (sub e, add b). This is followed by its catch rate constant/held item of 0x8C, which is the adc h instruction. These instructions do not freeze the game.

Finally at DBE8, ♀ . (C1) should have the following moves: Glitch Move 0xC3, Tackle, TM11 (C3 21 D3) to redirect the PC to item 3. These are all viable choices, and fortunately this glitch Pokémon may be obtained with Trainer escape glitch. Unfortunately, the minimum level for this glitch Pokémon to learn TM11 is Level 93, but this is no issue if you have the expanded items pack as you can spawn Rare Candies from Celadon City. According to the Bulbapedia experience table, 643,485 is the amount of experience this glitch Pokémon (part of the Fast experience group) will have at Level 93. Hence, our closest compatible experience is 2072+(65536*10)=657432, which is still at Level 93.

At item 3, you can have any set up you like, such as the widely used 'set d058 to 0x15 (Mew) setups'. Remember to change hl to 01FE, or any unbanked pointer with a 0x50 byte. I think this should secure that the resulting text box does not freeze the game.

This sign is not the only access point. By setting a breakpoint to 0:2882, you can read the source pointer of most texts you read from the hl registers. The only other promising pointer I've found so far was somewhere in the event flags beyond stored items, but unfortunately it seems out of reach with expanded PC items. With the large number of possibilities we never know, there could (and is likely) to be a better setup than the one above. As LanceAndMissingno. demonstrated, Lg- may not be required; you may be able to execute arbitrary code with walk through walls glitch, which can be done infinitely and does not require the expanded items pack. ✿
6
The Dumpster Out Back / Re: ItemDexJP/B:000 theory
« on: December 19, 2018, 11:02:08 am »
Thank you for your lovely thorough reply Epsilon.

Yes, I had tested item 0x63 before and got the same results as you; item 0x63 was the only potential LOL glitch compatible item not executing a writable memory region.

About there being no need of a screen data saving glitch item (for 0x00/0x63 LG), this may not be true; as in the English games a copy of the screen without the Start menu being open is saved into memory once opening the menu. The purpose of the screen data saving glitch item (e.g. EN 9F) is to save what is on the menu into memory rather than from the overworld.

Hopefully we can find away to avoid the freeze when the item is used in battle. ✿
7
Debate Wars / Space debris dilemma
« on: December 15, 2018, 01:34:01 pm »
The space debris dilemma addresses the way in how, while sending an object into space there is the risk of junk escaping into the vacuum of space. The more times we send people into space, the higher risk that space debris may cause a collision with something like a spacecraft or a seriously damaging a satellite.

While something like this for small particles would normally be relatively harmless on planet Earth, the high accelerations give them extremely high velocities, with the chances of piercing a hole in the spacecraft or a satellite.

This is a particular concern for humanity if more and more satellites begin to break down due to space debris. With many technologies using satellites, it would appear we may not be able to use technologies such as satellite Internet or TV connections, or satellite navigation software. The huge amount of space debris in the air may also make space travel less and less viable, trapping us on our home planet for future journeys with no solution.

Furthermore, this relationship is not a long, steady one, but rather may increase exponentially; because one satellite breaking creates more debris, which could cause a domino effect which causes multiple satellites to go down in succession. For this reason the space debris dilemma is a concern we cannot ignore.

There are solutions to this problem with multiple approaches. One of them may be to create a space net built to gather the space debris and send them back to Earth. Another concept may be to attract the space debris in the vacuum using magnets. 

What are our thoughts on this? ✿
8
If CC57/8 reads DD 00, the game will execute arbitrary code at F5D5 not just once but continuously. This is in the expanded PC items and can be changed to C3 XX D3. The general idea might be to use 4F/-g m/8F, etc. to set CC57 to DD and set CC58 to 00 if it isn't 00 already.

An advantage to this over D36E/D36F ACE is that it stays even after changing maps. Unfortunately have to go so can't do anymore testing right now, but I wonder if it works in battle?
9
Generation I Glitch Discussion / "5 ERROR forever"
« on: December 08, 2018, 11:12:01 pm »
With the glitch I've recently documented, set CC57 to 0D (Red). Or just set it to 0D with arbitrary code execution.

https://forums.glitchcity.info/index.php?topic=8582.msg211746#msg211746

This causes "5 ERROR" (which may be a number greater than 5 or it could just be a glitch character before the 5) to appear continuously, even after changing maps.



Furthermore, battles seem to be disabled and the game will lock if you jump off a ledge.

The effect can be removed by abusing a frame where you can open the Start menu to save and reset the game.

Maybe this could be used for skipping trainer battles.

In theory, if you're doing this with glitch item name overflow, you may want to send out a glitch Pokémon with a 0x0D character in its name. You will also need to set CC47 to 01 (there are various glitch Pokémon with 01 bytes in their name) to avoid a freeze. Not sure whether this would be good for a speedrun except maybe a no warp one.

Edit: CC57 as 2A is better but disables Bicycle and causes music to constantly repeat.
10
If the current map contains a lot of 0x53 tiles, map distortion glitch items like 0x87 will print the Rival's name instead of the player's name. As we know through item underflow glitch (and Rival LOL glitch), it is possible to change the values (and length) of this string by modifying items and quantities.

The Rival's name can also represent a control character, such as a Pokémon name or the player's name (less ideal because Super Glitch, ACE and obscure things like connection copier are the only glitches which let you do that). This then, in theory, allows you to corrupt much more of the memory.

For the purpose of this post, we shall use a Rival name which contains the 0x59 control character.

Steps (theory):

1) First enter a battle and run. This loads 0x59 as (your Pokémon)

2) Fill the current map data with 0D building blocks. You can do this by having 50 Ice Heal x13 in the stored PC items and setting D35F to 3B D5. In the expanded inventory, this is represented by (item) x 59 followed by TM13. I looked to see if there is a place with many 0D bytes in the ROM. Unfortunately I couldn't spot any except in banked ROM, which I had trouble displaying for custom D35F values (even if the map bank is the same as the ROM bank for the source, it won't bring up those blocks).



Note!: You don't need 50 Ice Heal x13 and the actual amount needed is for now unknown. I'll edit this post with the minimum number needed after the theory is out.

3) Set your Rival name to 59 59 59 59 59 50

4) Open the menu with glitch item 0x87 at the top of the list

5) Profit!

I don't know how long this corruption was, but it was definitely powerful, corrupting cursor related data and sending us to a Glitch City (with entrance warp animation) with a Trainer encounter theme playing after leaving the menu.





It didn't quite corrupt map connections, so what you can do to escape is move up to go back to Viridian City. However I got stuck with the Start menu cursor glitched so I can't use a Rival's effect item. Darn...

Doing this with a different source map may give a different result though. :)



Note: With this glitch, you can heal out of bounds Pokémon if you use a healing item. This could potentially lead to the corruption of other memory addresses.

What I'm going to try and do is find a 'safe' way of corrupting CD38 so you have a replicable way to walk through walls without ACE. I will update this thread with my findings.

Update 1: If you keep spamming up, eventually the cursor will be in a normal range. This lets you escape and Fly away.

Update 2: I've tried corrupting CD38, which was successful, but so far I keep getting freezes upon closing the menu and I don't know what causes them. I can save and reset the game to disable the freeze, but that resets CD38 to 0 (and the enemy Pokémon addresses CFD8 and D059 for that matter), so that's no good. :(

Update 3: Invalid CC47 values cause a freeze after closing Start.  00 and 01 are fine. Maybe we can set it to 00 or 01 and still change later addresses in some way.

Update 4: CC57 comes into play too; bad CC57 values can freeze or execute RAM. This seems like another access point for ACE interestingly enough. Non-freezing values: 0x0D (5 ERROR forever), 0x16, 0x17, 0x2A (dismount Bicycle forever)
11
Arbitrary Code Execution Discussion / Blind mode
« on: December 08, 2018, 10:56:16 am »
A silly exploit that requires arbitrary code execution (see attached files). You can use it to set challenges like going through the whole of Viridian Forest without knowing what's going on. There are different types of blinds modes including those that make it harder to know where you are or (without additional knowledge) impossible without pressing Start or entering a battle.

The glitch corrupts the screen in a way that it no longer shows exactly where you are, and this effect lasts even after you change maps, Fly away or end a battle.

I found something like a blind mode years ago, but it required cheats https://www.youtube.com/watch?v=XxGD2R0vgWI

General idea:

Pikachu's Beach ACE method (partial blind mode):

With Pikachu's Beach ACE, call 02FA so you can open the Start menu and then Fly away.

Other menus like trade screen:

Run the following code in Red/Blue:

ld b,10
ld hl,5245
call 35d6
ret

A blind mode should activate afterwards.
12
Arbitrary Code Execution Discussion / ACE within Pikachu's Beach
« on: December 07, 2018, 07:22:17 pm »
C5D1 controls the Pikachu's Beach script. Some values cause arbitrary code execution. The best one I could find was value 0x5B, which executes D3EA. This is within wWarpEntries, but it can be accessed with the expanded items pack from item 103's quantity and will usually stay even after saving/changing maps.

You can place any code you like at item 103's quantity. If the effects of the code apply outside of the minigame, simply press Select to leave the minigame and return to the overworld (you may need to have played the minigame at least once, not sure?). You can still do things like writing 0x15 (Mew encounter) to D058, so that you encounter a Mew immediately after leaving the minigame.

There may be more than one approach to doing this. Unfortunately a modified C5D1 value isn't kept before Pikachu's Beach, but in theory you could just run a modified Pikachu's Beach routine (likely from another ACE method) that only runs script 0x5B. Another approach would be to use OAM DMA hijacking to lock C5D1 to 0x5B.

Though we already have ACE and this likely requires ACE to begin with, this could be a cool way of causing arbitrary code execution if you wanted to do something in the minigame (like the creation of a cheat mode).
13
It seems the Pokémon doesn't actually require excessive HP, however something unknown needs to be invalid about it.

Decamark 0x88A6 summary (without scrolling)



Next we view Kyogre's summary and scroll up to the Decamark:



Voila, we get the tile corruption (see the glitch tile on "Met in a trade" text) and freeze after closing the menu caused by summary screen glitch, despite the fact that it has non-glitched HP:



This behaviour was similar to a glitched Kyogre with 65535 HP summary, although I got a corrupted blue screen after closing the menu which is really interesting:



More tests:

In fact, hacking my Kyogre to simply have more HP than its maximum HP is causing a black screen upon viewing its summary. I wonder why this is?


14
Generation I Glitch Discussion / ItemDexJP/B:000 theory
« on: December 06, 2018, 01:49:03 pm »
As danny found, this glitch item in Japanese Blue has a randomized name. Could it be possible to use this to our advantage for LOL glitch combined with a screen data saving glitch item? ✿
15
I came across this video in German of someone named Blizzeatos battling with glitch Eggs.

https://www.youtube.com/watch?v=I52fzg0i0C4

In the video the glitch Eggs have the nickname "MISSINGNO". Do we know whether this is just a nickname or indeed the actual name? ✿
Pages: [1] 2 3 ... 27