Pages: 1 [2] 3 4 ... 10
11
Art / Re: Random doodles
« Last post by Evie (retired from head adminship) on February 26, 2020, 03:11:57 am »
Clefairvictini!!

12
Yeah, you can do this as early as BW with infrared trading during the E4. That's a good point about a potential game over, I hadn't considered that. For that matter, I wonder if the Pokemon League counts as a Center... have to try that at some point.
13
Forum Discussion / The reasons why I stepped down
« Last post by Evie (retired from head adminship) on February 26, 2020, 01:28:44 am »
There were two main reasons:

1. I think I may have felt a little overwhelmed with stress (and sometimes I get very shy on Discord, and as of late on YouTube too, as I get an exponential number of comments now - I used to get on top of them all until it reached 99+ and I stopped replying). For this reason I have regrets like (thoughts about myself): "she ignores comments". This has correlated with me being a little apathetic at times and having less enthusiasm for taking on an editorial role.
->In hindsight, now that I seem to feel clearer, I wonder if I should just be a global moderator/staff here. I'm worried though, as I left with short notice and Photon-Phoenix isn't as active as he used to be either, and Abwayax stepped down too. I'm unsure of how Photon-Phoenix feels or his circumstances, but I'm worried this site is at risk of not having a head admin.

2. The banning of Sherkel and Sasara, the disturbances they caused in the community (but I also feel that to scapegoat is wrong; I welcome people but not actions that make people feel unsafe), and claims; as well as this separate situation. This left me feeling unsafe and not wanting to take the role of head admin any longer.

(3. I'm not as good with glitches as I used to be; in combination with apathy and my decision to step down from emulation to be safe, data-mining now takes a lot more time. Additionally, I posted a YouTube video for a short while saying that I wouldn't be doing arbitrary code execution, but removed it later. Fortunately there is a way to datamine without using ROM hacks with my limited programming knowledge and the existing memory editor GUI arbitrary code execution programs, which I got working earlier. From what happened with the historical Game Genie case, reverse engineering/playaround(?) is at least a grey area; though Nintendo have taken action against emulation/unauthorised copies more so now, and I wanted to step down from that as well. Additionally lots of people want a Pokémon Bank Celebi, which still leaves me unsure what to do, as (going by Nintendo's terms of use against cheating online) people can get banned for that; maybe tell them how to do it but warn them Nintendo don't like it (and I personally don't like it either and release my hackmons).)
14
Found this in my feed. https://www.youtube.com/watch?v=Y41A7mzAQ-4 Quite interesting, I believe there was a similar VHS for Pokémon Red too, though unrelated to the Ocarina of Time one https://www.youtube.com/watch?v=b96CiRlrZtI
15
Quote
There isn't a mistake; for whatever reason, that section of ROM actually has a JP D6D2 right in that spot (like, no other unintended code executed, just jp D6D2).

Also, just to note, if you're using breakpoints, you could just do a breakpoint at 0032, since the game uses rst JumpTable for item execution (although you could just go to where it has a list of the execution pointers... which will be in little endian and the unusable items have execution pointers too (they're just unusable) so you have to make sure to skip those).

EDIT: Also, 21CB is big endian, CB21 is little endian. It doesn't point to RAM, it points to ROM (which then jumps to RAM).


I'm wondering if the JumpTable(s) in Generations I/II could be patched with Game Genie to not run code but dump it in RAM; for instance, whenever you use an arbitrary code execution, it instead replaces your items with the effect pointer, so that 8F prints D1 63 as TM09 x99 or similar.
16
All are in bank 0xE, from 03993E (0E:593E). I think they may represent party_pointers.asm in the disassembly, but I'm unsure and taking a gamble on that (if anyone knows, I would be grateful to hear). If the copy was successful and this is the correct table, perhaps we can use it (with the sprite pointers - different to this database) to make custom glitch trainers. I'm actually doing this by hand on real hardware (no emulator, just Epsilon's memory editor to read the values). I'll be adding the pointers as they appear one by one in edits.

(I'm using code 3e 0e 21 3e 59 01 00 02 11 41 DC CD CD 0D C9 to temporarily dump into DC41.)

I'm unsure why some glitch trainers freeze the game, could it be because the roster data isn't terminated, the sprite, something else or both?

Little endian pointers (actual pointer is reverse, so 59C2, 59D8 etc.)

01 | C259   dw FalknerGroup
02 | D859   dw WhitneyGroup
03 | EE59   dw BugsyGroup
04 | 085A   dw MortyGroup
05 | 285A   dw PryceGroup
06 | 425A   dw JasmineGroup
07 | 5E5A   dw ChuckGroup
08 | 725A   dw ClairGroup
09 | 925A   dw Rival1Group
0A | F45B   dw PokemonProfGroup
0B | F45B   dw WillGroup
0C | 195C   dw PKMNTrainerGroup
0D | 3D5C   dw BrunoGroup
0E | 635C   dw KarenGroup
0F | 895C   dw KogaGroup
10 | AE5C   dw ChampionGroup
11 | DA5C   dw BrockGroup
12 | 005D   dw MistyGroup
13 | 205D   dw LtSurgeGroup
14 | 495D   dw ScientistGroup
15 | 845D   dw ErikaGroup
16 | A45D   dw YoungsterGroup
17 | 2E5E   dw SchoolboyGroup
18 | 055F   dw BirdKeeperGroup
19 | DC5F   dw LassGroup
1A | B860   dw JanineGroup
1B | DF60   dw CooltrainerMGroup
1C | 2362   dw CooltrainerFGroup
1D | 3F63   dw BeautyGroup
1E | 1E64   dw PokemaniacGroup
1F | B264   dw GruntMGroup
20 | 3E66   dw GentlemanGroup
21 | 7B66   dw SkierGroup
22 | 9466   dw TeacherGroup
23 | BA66   dw SabrinaGroup
24 | D666   dw BugCatcherGroup
25 | 7767   dw FisherGroup
26 | A868   dw SwimmerMGroup
27 | C769   dw SwimmerFGroup
28 | AC6A   dw SailorGroup
29 | 4C6B   dw SuperNerdGroup
2A | D86B   dw Rival2Group
2B | C86C   dw GuitaristGroup
2C | E46C   dw HikerGroup
2D | FC6D   dw BikerGroup
2E | 706E   dw BlaineGroup
2F | 8B6E   dw BurglarGroup
30 | BE6E   dw FirebreatherGroup
31 | 166F   dw JugglerGroup
32 | 656F   dw BlackbeltGroup
33 | DF6F   dw ExecutiveMGroup
34 | 5170   dw PsychicGroup
35 | 0771   dw PicnickerGroup
36 | FF71   dw CamperGroup
37 | E872   dw ExecutiveFGroup
38 | 2473   dw SageGroup
39 | 9173   dw MediumGroup
3A | E873   dw BoarderGroup
3B | 1274   dw PokefanMGroup
3C | BF74   dw KimonoGirlGroup
3D | FB74   dw TwinsGroup
3E | 8B75   dw PokefanFGroup
3F | D575   dw RedGroup
40 | FF75   dw BlueGroup
41 | 2A76   dw OfficerGroup

; Glitch trainer classes begin here.

42 | 3F76
43 | 8580
43 | 8B8A
44 | 8D84
45 | 9150
46 | 0107
47 | 1021
48 | BD00
49 | 0009
4A | 1121
4B | BD10
4C | 00FF
4D | 9687
4E | 8893
4F | 8D84
50 | 9850
51 | 0112
52 | 2303
53 | 66E3 (!)
54 | 7614
55 | F1CD (!)
56 | D517
57 | D0FF
58 | 8194
59 | 8692
5A | 9850
5B | 010E
5C | 0B21
5D | 516A
5E | 000E
5F | 0E28
60 | 516A
61 | 0010
62 | 7B62

(To be continued)
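As an added worked example (my own code, not from the post above or from the pokecrystal disassembly), the script below decodes rows of the table the way the Game Boy does: the two bytes as stored are a little-endian pointer, and a pointer read while bank 0x0E is switched in maps to a flat ROM offset only if it lies in 0000-7FFF. A roster pointer that lands in VRAM, WRAM, echo RAM or HRAM instead makes the game read whatever happens to be at that address as trainer data, which is the first thing worth checking for the entries marked (!) before blaming the sprite or an unterminated roster. The SAMPLE_TABLE rows are copied from the post; the bank number comes from the post's "0E:593E", and the Game Boy region boundaries are standard.

```python
"""Decode little-endian trainer-group pointers, map them to ROM offsets and flag
pointers that do not land in ROM.  Added example, not from the original post."""

import re

BANK_SIZE = 0x4000
TABLE_BANK = 0x0E  # the post places the table in bank 0x0E at 0E:593E

# Constructed sample: a handful of rows copied from the table in the post.
SAMPLE_TABLE = """\
01 | C259 dw FalknerGroup
02 | D859 dw WhitneyGroup
41 | 2A76 dw OfficerGroup
42 | 3F76
53 | 66E3 (!)
55 | F1CD (!)
57 | D0FF
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{2})\s*\|\s*([0-9A-Fa-f]{4})(?:\s+dw\s+(\w+))?")


def le_word(stored: str) -> int:
    """'C259' as stored in ROM (low byte first) is the pointer $59C2."""
    lo, hi = int(stored[0:2], 16), int(stored[2:4], 16)
    return (hi << 8) | lo


def region(addr: int) -> str:
    """Name the Game Boy address-space region a 16-bit pointer falls into."""
    bounds = [
        (0x4000, "ROM bank 0"), (0x8000, "switchable ROM bank"), (0xA000, "VRAM"),
        (0xC000, "SRAM"), (0xE000, "WRAM"), (0xFE00, "Echo RAM"), (0xFEA0, "OAM"),
        (0xFF00, "unusable"), (0xFF80, "I/O registers"), (0x10000, "HRAM"),
    ]
    for limit, name in bounds:
        if addr < limit:
            return name
    raise ValueError(f"not a 16-bit address: {addr:#x}")


def rom_offset(bank: int, addr: int):
    """Flat ROM offset for a pointer read while `bank` is switched in, or None if it is not ROM."""
    if addr < BANK_SIZE:
        return addr  # bank 0 is always mapped at 0000-3FFF
    if addr < 0x8000:
        return bank * BANK_SIZE + (addr - BANK_SIZE)
    return None


def parse_table(text: str, bank: int):
    """Turn the posted rows into dicts with the decoded pointer, region and ROM offset."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip blank lines, comments and notes such as '(To be continued)'
        ptr = le_word(m.group(2))
        rows.append({
            "class": int(m.group(1), 16),
            "label": m.group(3),
            "pointer": ptr,
            "region": region(ptr),
            "rom_offset": rom_offset(bank, ptr),
        })
    return rows


def suspicious(rows):
    """Classes whose roster pointer does not land in ROM; whatever is read there is not trainer data."""
    return [r["class"] for r in rows if r["rom_offset"] is None]


if __name__ == "__main__":
    print(f"table header 0E:593E -> ROM offset {rom_offset(TABLE_BANK, 0x593E):06X}")
    for r in parse_table(SAMPLE_TABLE, TABLE_BANK):
        off = f"{r['rom_offset']:06X}" if r["rom_offset"] is not None else "------"
        print(f"class {r['class']:02X}  ptr {r['pointer']:04X}  rom {off}  {r['region']:<20} {r['label'] or ''}")
```

Running it reproduces the post's 0E:593E = 03993E conversion and shows that the two rows the post marks (!) decode to $E366 (echo RAM) and $CDF1 (WRAM), while 57 decodes to $FFD0 in HRAM; none of the three is a ROM address, so the bytes the game would treat as a roster there depend on runtime state rather than on the cartridge.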
17
Hi. As I don't use ROMs anymore, I'm unfortunately struggling to troubleshoot this problem I'm having (e.g. the state of the stack and program counter). I'm using EN Crystal, however my save battery doesn't seem to work at all anymore, and I don't want to try it on Virtual Console until it works.

From the wiki thanks to pfero:

Quote
If the player has the ability to put arbitrary data in a string, then both the setup and the bootstrap can actually be done from within the string itself:

Instead of setting up "0x15 0x00" after the string buffer, 0x15 followed by 0x00 in the string itself could be used to trigger this glitch.
By putting carefully constructed byte sequences between 0x15 and 0x00, valid mobile functions can be triggered and modify the value at $CD52.
This principle can be used after the player has already achieved ACE, to make subsequent execution of arbitrary code easier. Alternatively, they might be used to set up ACE by trading with another game, or with a game-altering device.

The following self-contained setups are designed by pfero:

4F 15 08 05 C9 00 (code) 37 C9
This works in any unverified string, notably including Pokémon nickname and mail messages. This means that it can be transferred from any Generation I game (with just enough space to jump to a more convenient location) or Generation II game (with more space to possibly write a "built-in" payload).

Question here: If you use this setup, are there any other setups you need with it? Is it that all I need to do is have this nickname, and any secondary bootstrapping, followed by the actual code at (code)?
I had a thought about this, but don't know if it would work: if all you need is the nickname, could we perform arbitrary code execution in battle?

For this I used 18 87 as the code in Pokémon 1's nickname (a redirection to DDD0, party Pokémon 6's held item). There I placed C3 75 DB (a jump to the TM/HM pocket) and finally, in the TM/HM pocket, I tried ld a,fb / ld (d204),a / ret (3E FB EA 04 D2 C9), which is code to turn the enemy Pokémon into Celebi. This way, theoretically, it would make a properly terminated name that still makes use of Crystal's $15 character exploit.

Unfortunately, however, it didn't work. After one version of my code that omitted it, I added a pop [hl] in case that was needed, but it wouldn't work either. For reference, here is my code in GameShark format, so you can enter these and select "go to" de41, "go to" ddd0 and "go to" db75 if you use emulators.

014F41de
011542de
010843de
010544de
01c945de
010046de
011847de
018748de
013749de
01c94ade
01504bde

01c3d0dd
0175d1dd
01dbd2dd

013e75db
01fb76db
01ea77db
010478db
01d279db
01e17adb
01c97bdb

All I get so far is freezes or resets. Could anyone help please? Thanks :)
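To troubleshoot a setup like this without an emulator's debugger, it helps to rebuild exactly what the codes write and follow the jumps on paper. The script below is an added example (my own code, not the poster's or pfero's): it decodes each Game Boy GameShark code (01VVLLHH: value VV written to address HHLL), groups the writes into contiguous byte runs, disassembles the handful of opcodes that actually occur, and follows the jr/jp chain from the code slot. It assumes, from the layout of the quoted wiki template, that the first six bytes at DE41 belong to the text-engine prefix and that the code proper begins at DE47; the opcode table is deliberately limited to the instructions present in the post and is not a full SM83 disassembler.

```python
"""Decode GameShark writes into a RAM image, disassemble them and follow the jump chain.
Added example, not from the original post."""

# Constructed from the codes listed in the post (Game Boy format 01VVLLHH).
GAMESHARK_CODES = """
014F41de 011542de 010843de 010544de 01c945de 010046de
011847de 018748de 013749de 01c94ade 01504bde
01c3d0dd 0175d1dd 01dbd2dd
013e75db 01fb76db 01ea77db 010478db 01d279db 01e17adb 01c97bdb
"""


def decode_gameshark(code: str):
    """Split a Game Boy GameShark code 'TTVVLLHH' into (address, value).

    TT is the code type (01 = RAM write), VV the byte written, LLHH the
    target address stored low byte first.
    """
    code = code.strip()
    if len(code) != 8:
        raise ValueError(f"malformed code: {code!r}")
    kind, value = int(code[0:2], 16), int(code[2:4], 16)
    addr = (int(code[6:8], 16) << 8) | int(code[4:6], 16)
    if kind != 0x01:
        raise ValueError(f"unsupported code type {kind:02X}")
    return addr, value


def memory_image(codes: str) -> dict:
    """Apply every code to an empty RAM image: {address: byte}."""
    mem = {}
    for code in codes.split():
        addr, value = decode_gameshark(code)
        mem[addr] = value
    return mem


def contiguous_runs(mem: dict):
    """Group patched addresses into (start, bytes) runs, lowest address first."""
    runs, start, buf = [], None, bytearray()
    for addr in sorted(mem):
        if start is not None and addr == start + len(buf):
            buf.append(mem[addr])
            continue
        if start is not None:
            runs.append((start, bytes(buf)))
        start, buf = addr, bytearray([mem[addr]])
    if start is not None:
        runs.append((start, bytes(buf)))
    return runs


# Only the SM83 opcodes that appear in the post, not a full opcode table.
OPCODES = {
    0x00: ("nop", 0),            0x05: ("dec b", 0),
    0x08: ("ld [{a16}], sp", 2), 0x15: ("dec d", 0),
    0x18: ("jr {rel}", 1),       0x37: ("scf", 0),
    0x3E: ("ld a, {d8}", 1),     0x4F: ("ld c, a", 0),
    0x50: ("ld d, b", 0),        0xC3: ("jp {a16}", 2),
    0xC9: ("ret", 0),            0xE1: ("pop hl", 0),
    0xEA: ("ld [{a16}], a", 2),
}


def jr_target(pc: int, offset: int) -> int:
    """Target of 'jr e': the offset is signed and relative to the byte after the instruction."""
    signed = offset - 0x100 if offset >= 0x80 else offset
    return (pc + 2 + signed) & 0xFFFF


def disassemble(start: int, data: bytes):
    """Return [(address, mnemonic)] for a byte run; unknown opcodes are emitted as 'db'."""
    out, pc = [], 0
    while pc < len(data):
        op = data[pc]
        if op not in OPCODES or pc + 1 + OPCODES[op][1] > len(data):
            out.append((start + pc, f"db ${op:02X}"))
            pc += 1
            continue
        mnem, n = OPCODES[op]
        args = data[pc + 1:pc + 1 + n]
        fields = {}
        if n == 2:
            fields["a16"] = f"${(args[1] << 8) | args[0]:04X}"
        elif op == 0x18:
            fields["rel"] = f"${jr_target(start + pc, args[0]):04X}"
        elif n == 1:
            fields["d8"] = f"${args[0]:02X}"
        out.append((start + pc, mnem.format(**fields)))
        pc += 1 + n
    return out


def follow_chain(mem: dict, start: int, limit: int = 32):
    """Follow unconditional jr/jp through the image until a ret or a gap in the patched bytes.

    Returns (list of block entry addresses, reason the walk stopped).
    """
    path, pc = [start], start
    for _ in range(limit):
        op = mem.get(pc)
        if op is None or op not in OPCODES:
            return path, f"left the patched bytes at ${pc:04X}"
        n = OPCODES[op][1]
        args = [mem.get(pc + 1 + i) for i in range(n)]
        if any(a is None for a in args):
            return path, f"operand missing at ${pc:04X}"
        if op == 0x18:
            pc = jr_target(pc, args[0])
            path.append(pc)
        elif op == 0xC3:
            pc = (args[1] << 8) | args[0]
            path.append(pc)
        elif op == 0xC9:
            return path, "ret"
        else:
            pc += 1 + n
    return path, "step limit reached"


if __name__ == "__main__":
    image = memory_image(GAMESHARK_CODES)
    for run_start, run_bytes in contiguous_runs(image):
        print(f"{run_start:04X}: {run_bytes.hex(' ').upper()}")
    # Assumption: DE41-DE46 is the text-engine prefix from the quoted template,
    # so the code slot begins at DE47.
    for addr, text in disassemble(0xDE47, bytes(image[a] for a in range(0xDE47, 0xDE4C))):
        print(f"  {addr:04X}  {text}")
    print(follow_chain(image, 0xDE47))
```

Running it confirms the relative-jump arithmetic in the post: 18 87 at DE47 is jr with a signed offset of -0x79 from DE49, landing on DDD0, and the chain DE47 -> DDD0 -> DB75 ends at ret after ld a,$FB / ld [$D204],a / pop hl. The script does not model the text engine, the stack or what is at the return address, so it cannot by itself explain the freeze; it only shows that the addresses and jump targets the codes write are self-consistent.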
18
Quote
...of why, when trading between a GBA game and one of the Gamecube titles, the player on the GBA game has to be in a Pokemon Center?

I'm curious as to why this is the case, especially since inter-generational communication for later games (Pal Park, Poketransfer, My Pokemon Ranch) doesn't follow this rule. Is it a hardware limitation?

I'm wondering if it may have been because, hypothetically, you could trade while facing a challenge like one of the Elite Four members, allowing you to cheat (e.g. all your Pokémon are fainted, you trade the fainted ones back to Colosseum/XD to heal them, then trade them back while you're still facing the Elite Four). In X/Y you could actually do something like this with random online battles (to heal your team) if I remember rightly, and Game Freak may have addressed this in a later generation.

Another idea is that it could prevent a potential 'game over', but I don't have any context for this latter idea except that there are Pokémon games that say something like "(X) was worried about you./came back. Did it miss you?" if you try to release all your Pokémon with an HM (very sorry, my memory sucks nowadays).
19
Non-Core Game Glitch Discussion / Can someone give me a technical explanation
« Last post by greentyphlosion on February 25, 2020, 11:43:58 am »
...of why, when trading between a GBA game and one of the Gamecube titles, the player on the GBA game has to be in a Pokemon Center?

I'm curious as to why this is the case, especially since inter-generational communication for later games (Pal Park, Poketransfer, My Pokemon Ranch) doesn't follow this rule. Is it a hardware limitation?
20
Quote
There isn't a mistake; for whatever reason, that section of ROM actually has a JP D6D2 right in that spot (like, no other unintended code executed, just jp D6D2).

Also, just to note, if you're using breakpoints, you could just do a breakpoint at 0032, since the game uses rst JumpTable for item execution (although you could just go to where it has a list of the execution pointers... which will be in little endian and the unusable items have execution pointers too (they're just unusable) so you have to make sure to skip those).

EDIT: Also, 21CB is big endian, CB21 is little endian. It doesn't point to RAM, it points to ROM (which then jumps to RAM).

I see, thanks. Good point :) (Just hypothetically ACE could be the result of a call or a different jp not from JumpTable sometimes). I remember someone did an experiment too; but for Generation I which was a search for where "jp [hl]" occurs in the ROM. I wonder if more exploits could be found for Generation II that way?

Yeah (actually this is how a friend and I learned about wrong pocket TM/HMs really long ago, before any exploits with them were published on these forums - we took a tool that edited item effect pointers and noticed the TM/HM pointers on it were the actual ones when you use the item). Do you know the offset/pointer to the pointer table?

On that note, what would you have to do in the RAM to force the execution of things like HM07 and Teru-Sama? (and possibly re-enable the use option) Is it possible with simple RAM locking, or would you have to restructure things? As was well documented, some Teru-Sama have different effects including unused effects like unfinished unused Poké Flute code. I do wonder whether we can use existing ACE to enable those, to access other undocumented item effect pointers.

I might have a look at the pointers and the disassembly to see if there are any Korean specific ROM pointers I disregarded as 'at a glance nothing seems to happen'.


