Messages - Crystal_

Interesting, first time I've heard about this one.

It's actually two separate bugs in fact. The sprite hiding one is due to the game calling LoadScreenTilesFromBuffer1 in the mimic function despite the fact that the last time tiles were saved was at the beginning of a turn, so if the mimic user goes last, the screen will be restored to how it was at the beginning of the turn. This will more often turn out like, if you lost health to an attack, you will see the HUD and HP bar with the health you originally had at the beginning of the turn for a moment, until the HUD is properly drawn again. Notice also how, when the switch is also involved, the enemy's HUD becomes that of the old pokemon for a moment as well, which is indicative of when was the last time tiles were saved during the switch enemy function.

The slot mismatch one is due to setting current menu item to 1, thus losing the original value from when you selected mimic. Too bad, I was hoping it would be possible to manipulate somehow. The only remotely useful trick I can think of is to use a Pokemon that only knows mimic to have it learn the cooltrainer move similarly to how you'd do with the Ditto transform glitch. And well, the fact that you can use this to mimic four moves at the same time, by repeatedly swapping the mimicked move in the second position out of it with the select button in the battle menu. Even though mimic works differently in link battles (the move you get is random rather than selectable), you should still be able to do this to use mimic multiple times at once.

Edit: My bad, it's a non-link battle only thing, because the mimic effect during link battles doesn't read from wCurrentMenuItem.

I just haven't looked into making it compatible with the Japanese version, but as far as I know, most memory addresses and some aspects of the engine are different, so this method would probably require a complete rework.

Great stuff. Definitely much better than what I came up with! The setup for other language versions isn't too bad, although taking away the necessity to care about the bag items could be convenient.

All my attempts to adapt the memory editor code to the French version have been in vain. There's always a missing instruction or some other kind of inconvenience on whichever I try. Granted, maybe I've just had a bad day, but I've been stuck for a while...

Anyway, the idea is to load x into yz, where x is [$f8f9] + [$f8fa], y is [$f8f5] + [$f8f6], and z is [$f8f7] + [$f8f8]. These addresses belong to box 7's name, so they can easily be manipulated and each sum can yield any given value. I thought they were the most convenient since you can't access the low $f9xx addresses with box name characters. Achieving this with mostly box names would be ideal, because with only PC items it's a complete abomination. It was relatively easy in all non-French European versions, but the lack of available instructions in the French version isn't helping.

Maybe someone with more patience than me wants to pick this up? Post #3 of this thread has the documentation of everything done so far.

Although, the destroyed stack might make it impossible to continue playing...

We were aware of this, so we proceeded differently. We use this ACE method to edit the save file to give ourselves a TM17 in the items pocket, which can trigger ACE more reliably. Then, just resetting the game restores everything to normal, except for the convenient save file hack.

Looking at this, the whole process to achieve ACE looks a bit too complicated. My own method requires discarding nearly 30 Pokemon though, so whatever. The attempt to obtain TM17 using box names ACE was a disaster anyway, I'm going to see if I can make it work reasonably with PC items.

REQUIREMENTS AND STEPS for Spanish, Italian, French and German Gold/Silver - Work in progress

Emulators: Working on BGB, not working on VBA. For the 3DS Virtual Console, you also must follow the additional points colored in red; if you are not playing on the 3DS VC, ignore (skip) them. Not tested on any other emulator.

Follow also the requirements and steps in blue if you want a "memory editor" setup for TM17. If you just want to obtain TM17, ignore (skip) them.

Initial requirements - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload

- The first item of the items pocket of the bag must be Berry (any quantity)
- The second item of the items pocket of the bag must have a quantity of 36 (any item). You will lose 35 of them.
- As the third item of the items pocket of the bag, Potion x1. As the fifth item, Ylw Apricorn x1. Fourth item can be any item and items below the fifth are irrelevant.
- Box 3 and Box 4 must be renamed as shown in this (Spanish/Italian) or this (French) or this (German) image. For 3DSVC, replace the last Ae with K4, regardless of the language.
- A specific PC item list* (items beyond the last one don't matter)
- As the first party Pokemon, a level 2 Pokemon with no status, no pokerus, with current HP and HP between 13-14, and all other stats between 6-7.
- As the second party Pokemon, a Quagsire holding TM02 with Return as the first move.
- As the third party Pokemon, a Quagsire holding HP Up with Sleep Talk as the first move.
- As the sixth party Pokemon, a bad clone (Pokemon 0x00).
- All your party Pokemon should be Pokemon that you don't care about. They will be at risk.
- A box (any) with 20 Pokemon that you don't care about. These Pokemon will be gone forever. In this box, the 20th (last) Pokemon must have a third move with 16/16 PP and a fourth move with 24/24 PP. These correspond to a 10 PP move and 15 PP move, both with 3 PP Ups applied, respectively.
- A box (any) with only 4 Pokemon that you don't care about. These Pokemon will be gone forever.
- ...

*PC Item list:
Any item - any amount
Antidote x4
Fresh water x32
Parlyz Heal x34
Awakening x1
Potion x1
Dire Hit x35
Everstone x1
Pokeball x1
TM08 (Rock Smash) x1

Steps - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload
- Switch to the box with 4 Pokemon.
- Select the Move PkMn w/o mail option, and move the first Pokemon of the box with 4 Pokemon to the bottom of your party.
- Withdraw all Pokemon from the box with originally 4 and now 3 Pokemon.
- Withdraw all Pokemon from the box with 20 Pokemon.
- When you withdraw the last Pokemon, the game will reset in weird colors, but you will have TM17 as the first item in the items pocket. Restart the game to restore the normal colors. Important: Do not toss, sell, give or deposit the newly obtained TM17. You can however do anything you want with a TM17 that has been obtained through regular gameplay and is therefore stored in the TM/HM pocket of the bag.
- Execute the following steps depending on your version of the game:
  * Spanish/Italian:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
  * French:
  * German:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
- Rename box 7 accordingly (...).
- Important: every time that you want to use TM17, your first five items in the items pocket of the bag, the first and second party Pokemon, and the name for boxes 1-5, must be exactly like they are now.

If you can't understand the sections below, chances are you only care about the above.

Code - Obtaining TM17

nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $d0
ld d, b ; 0x50
and $d0
call nc, $a480
ld d, b ; 0x50

nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $f1
ld d, b ; 0x50
and $d8
cp $fe
call c, $a480
ld d, b ; 0x50

nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
and $80
or $50 ; 0x50
pop hl
call nz, $a480
ld d, b ; 0x50

PC ITEMS (ALL FOUR LANGUAGES): A480 (entry point A481)
db $09
inc b
ld l, $20
dec c
ld [hli], a
inc c
ld bc, $0112
inc l
inc hl
ld [hl], b
ld bc, $0105
rst $00
db $01

Code -  Executing from D8C0 with TM17

jp $d8c0

Code -  D8C0 payload

BOX NAMES (SPANISH/ITALIAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
bit 2, b
pop de
and a
call $f5b8
ld d, b

BOX NAMES (GERMAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
pop bc
ld d, b
and a
jp $f5b8
ld d, b

ld e, h
ld bc, ?
ld [de], a
ld bc, ?
ret nc
ld bc, ?

OVERVIEW / EXPLANATION (for requirements and steps see the third post in this thread)

Step by step video (with updated and organized information in comparison to the third post):

I've tested this in an English Silver ROM and Spanish Gold ROM and given that the essential elements and key memory addresses were the same in both games, I assumed that it would also be the same in all other localizations. However, further testing, and of course, a lot of polishing, would be required. The English versions don't need ACE since we already have coin case, so the goal was to find a method compatible with all other localizations.

First we need a 0xFF Pokemon in order to be able to draw Pokemon beyond the sixth slot. I'm not going to get into the details of how to achieve it.

When the 30th Pokemon is withdrawn to the party, it corrupts addresses between DF9A and DFB9. In particular, when the Pokemon's data is being copied from SRAM to those WRAM addresses, the stack pointer is at DFB3, and the 3rd and 4th PP slots of the Pokemon are copied to DFB3 and DFB4, respectively. Returning from the memory copy routine will bring the game to whatever stack pointer was spelled out by those two PP fields. Using PP ups, we can come up with any given address that we want, for example one that points to somewhere in the box names buffer.

Of course, after doing this, the stack is absolutely destroyed and there is no realistic hope of restoring it to anything playable. We can still do something though. We can hack ourselves a TM into the medicine bag pocket in SRAM that we can utilize later. This may look way too complicated but it doesn't necessarily have to be. First of all, SRAM bank 1 is already opened right now. We only have to overwrite A420 (medicine pocket item 1) with the id of the desired TM and fix the checksum at AD69-AD6A. If we set a fixed item #1 as an initial requirement (e.g. a Berry), we can calculate the necessary checksum shift. If the ids are relatively close, we might even be able to skip checking the checksum's high byte to simplify the needed script and hope the low byte doesn't overflow (literally anything we do will change the checksum upon saving anyway, so we can just try again until it works). Finally, we can trigger a safe reset or freeze, and upon restarting the game, we will have our TM in the medicine pocket. Note that the SRAM addresses mentioned here refer to Spanish Gold/Silver; they may be different in other localizations.

Now it's supposed to be similar to coin case ACE in concept. We find a TM that jumps to a suitable place in WRAM (I think ACE with TM33 transferred from Red/Blue has been done already), and when we have it, we create some bootstrap code that for example redirects execution to box names or PC items.

These are the TM pointers in Spanish G/S:

Code:
14FE - TM01
9921 - TM10
20CA - TM20
FE2A - TM28_X
B90F - TM30
789F - TM40
10CB - TM50

Again, this obviously needs a lot of polishing and coming up with bootstrap codes yet, as well as adapting it to each other localization, each of which may have different SRAM addresses and different wrong pocket TM pointers, as well as a different set of assembly instructions that can be spelled out with box names. So far I haven't bothered to check beyond the english and spanish versions, but the 3rd and 4th move PP of the 30th Pokemon being written to the stack pointer (DFB3-DFB4) matched in both versions, so I assume it would also be the same in the other localizations. The other factors don't seem essential unless we're really unlucky with TM pointers.

Generation I Glitch Discussion / Re: Pokédex marker bytes
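As an added example (not code from the original posts), the arithmetic behind the PP requirement for the 20th boxed Pokemon and the stack-pointer trick explained above: a Python model of the Gen 2 PP byte (low 6 bits current PP, high 2 bits PP Ups), the return address the two PP bytes at DFB3/DFB4 form, and which box-name character that address lands on, using the layout the payload notes give (D8C0 = box 1, char 2). The PP Up formula (base + base/5 per PP Up, capped at 61) and the 9-byte box-name stride are assumed standard Gen 2 behaviour, not stated in the posts.

```python
# Added example, not from the original posts. Addresses come from the thread;
# the PP Up formula and the 9-byte box-name stride are assumed Gen 2 behaviour.

STACK_LOW = 0xDFB3    # move 3's PP byte is copied here (low byte of the popped PC)
STACK_HIGH = 0xDFB4   # move 4's PP byte is copied here (high byte of the popped PC)
BOX_NAMES = 0xD8BF    # box 1, char 1 (the payload notes call D8C0 "box 1, char 2")
BOX_NAME_LEN = 9      # 8 characters plus the $50 terminator (assumed stride)


def max_pp(base_pp, pp_ups):
    """Gen 2 max PP: base plus (base // 5) per PP Up applied, capped at 61."""
    if not 0 <= pp_ups <= 3:
        raise ValueError("a move takes at most 3 PP Ups")
    return min(base_pp + (base_pp // 5) * pp_ups, 61)


def pp_byte(base_pp, pp_ups, current=None):
    """Encode a PP field: bits 0-5 = current PP, bits 6-7 = PP Ups applied."""
    top = max_pp(base_pp, pp_ups)
    current = top if current is None else current
    if not 0 <= current <= top:
        raise ValueError("current PP out of range for this move")
    return (pp_ups << 6) | current


def return_address(move3_byte, move4_byte):
    """With SP = $DFB3, `ret` pops the two PP bytes little-endian as the new PC."""
    return move3_byte | (move4_byte << 8)


def box_name_slot(addr):
    """Map a WRAM address to (box number, character index); index 9 is the terminator."""
    off = addr - BOX_NAMES
    if off < 0:
        raise ValueError("address lies below the box-name buffer")
    return off // BOX_NAME_LEN + 1, off % BOX_NAME_LEN + 1


def requirement_target():
    """The requirements post: a 10 PP move and a 15 PP move, both with 3 PP Ups, full PP."""
    low = pp_byte(10, 3)    # 16/16 PP with 3 PP Ups -> $D0
    high = pp_byte(15, 3)   # 24/24 PP with 3 PP Ups -> $D8
    addr = return_address(low, high)
    return addr, box_name_slot(addr)


if __name__ == "__main__":
    addr, (box, char) = requirement_target()
    print(f"ret jumps to ${addr:04X}: box {box}, char {char}")
```

The computed target, $D8D0, is the terminator byte of box 2, which is exactly where the "Code - Obtaining TM17" listing begins (its first line is annotated "box 2 terminator"); the same mapping puts box 7's name at $D8F5, the address the D8C0 payload reads through echo RAM as $F8F5.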
« on: June 20, 2017, 06:33:05 pm »

What do these "markers" do?

Also I just created the article mainly by copy-pasting the post and formatting the table into a wiki table. :)

Thanks ISSOtm! I don't know either. It's possible that the marker bytes have no purpose at all other than as a tool for the developers to find which Pokémon they're dealing with.

Nothing. In fact, it's overwritten by the index number as soon as the mon header data is copied:

The thing is, VC is far more prone to being corrupted due to the fact that unknown opcodes or invalid stops don't halt the game like they do in a real GB/C. So in VC the game will usually run around for longer, and is more likely to corrupt (open) SRAM or to trigger a fatal rst 38 in the process. That said, a rst 38 shouldn't be able to change the SRAM bank, so, as TheZZAZZGlitch said, making sure that SRAM bank 0 is loaded before doing anything dangerous is a good idea.

The base data of Pokemon beyond #251 is read from Pokemon names:

There are no pointers, since the length is fixed. Considering Pokemon names are uppercase, everything is either going to be 0x80-0x99, or 0x50 (padding byte used for Pokemon names).

However, the egg's base data other than the sprite is not loaded at all, just like the fossils/ghost MissingNo in RBY indeed:

There is this reddit post explaining how to do all of this in Pokemon Yellow using ws m. Have not read/tested it but people in the comments below claim it works.

Using 8F to get PokeBank-compatible Mew and shiny Pokemon

Item lists (includes assembly code):
Encounter Mew with 8F:
Mew method #1 (change player IDNo. and name):
Mew method #2 (change Mew IDNo. and name):
One shiny Pokemon:
All current box shiny Pokemon:

Generation I Glitch Discussion / Re: Trainer-Fly plus Cycling Road
« on: January 16, 2017, 03:18:10 pm »
This probably:
Code:
ld a,[wFlags_D733]
bit 3,a ; check if a trainer wants a challenge
jr nz,.notForcedDownwards

Set when a trainer engages the player, before walking to him:
Code:
ld hl, wFlags_D733
set 3, [hl]

Reset only when a battle (any kind of battle) occurs:
Code:
ld hl,wFlags_D733
res 3,[hl]

The game is assuming that one of the trainers in route 17 has engaged the player, so it prevents the player from moving down as the trainer walks to him.

During the past 2 weeks I picked up my Game Boy Advance SP and my Spanish Pokemon Crystal cart and was determined to do something cool with them now that we know so much about how to exploit ACE in these games. So I thought I'd pick up the code of my Snake program that I once implemented in Pokemon Silver using an emulator and ported it to Spanish Crystal. Obviously, doing this stuff on real hardware isn't the same story since you can't memory hack your way into whatever you want to achieve, so I had to come up with more efficient ways to do different things.

So yeah, if you want to see how I did it, just follow this link! It includes a demonstration video and covers the whole process in a lot of detail. The end will seem familiar, since it's mostly what TheZZAZZGlitch did in order to implement Pong into Pokemon Blue. It was a bit harder considering that ACE in Gen 2 isn't as accessible though.

Or if you prefer, here's just the video with a lighter explanation: