Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
ItemDex
StatDex
TrainerDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man trick
Celebi Egg trick
Select glitches (Japan)
SRAM glitch
CoolTrainer♀ corruption
LOL glitch
Rival LOL glitch
Super Glitch
ZZAZZ glitch
Pomeg data corruption glitch (Glitzer Popping)
Tweaking
Elite Four door glitch (Japan)
Pokémon merge glitch
Pokémon cloning
Time Capsule exploit
Arbitrary code execution
Coin Case glitches
More

Other Glitch Categories
Glitches by generation
Glitches between two generations
Japan-only/language specific glitches
Music glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Officially acknowledged glitches
Recurring glitches
Dead glitches

References
Pokémon GameShark codes
The Big HEX List
Glitch Pokémon cries
GB programming
Curiosities
Debugging features
Easter eggs
Error traps
Glitch areas
Glitch myths
Non-glitch exploits
Placeholder texts
Pokémon glitch terminology
Unused content and prerelease information

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Technical
Site Source Code

Search Wiki

 

Search Forums

 

Recent Posts

Pages: 1 ... 8 9 [10]
91
Arbitrary Code Execution Discussion / Re: 8F script request
« Last post by Princess Torchic ❤ on February 12, 2018, 04:21:09 pm »
I am looking for an 8F script that will allow me to encounter a Pokemon after x amount of steps. I've just started 8F and don't know much about code in general so help would be appreciated. I figure you have to load something into D059 but i don't have a clue on how to do the rest. Also one that disables map connections would be nice. Thanks in advance

You're in luck as D13B is already a step counter that counts down every step.

So putting this together could involve setting D13B to your desired value and using a condition (such as (not ASM language but logic-wise) if D31B - 1 <1 , set D059 to (Pokémon). Here you could use a D13B value of 6, so 5 steps are required before it reaches 0). If I have time tomorrow will check it out for you. :)

As for map connections I'm not sure how exactly to do that but you can lock your coordinates at the same value (D361, D362) to get a similar effect where map connections never load.
92
Arbitrary Code Execution Discussion / 8F script request
« Last post by 0ErrorYT on February 12, 2018, 03:39:41 pm »
I am looking for an 8F script that will allow me to encounter a Pokemon after x amount of steps. I've just started 8F and don't know much about code in general so help would be appreciated. I figure you have to load something into D059 but i don't have a clue on how to do the rest. Also one that disables map connections would be nice. Thanks in advance
93
I have an idea. Your memory editor seems to be 322 bytes.

Before (according to ISSOtm) the unused memory addresses at DF00-DF80 are multiple structures, but the first two don't seem to be that important.

Quote from: Pokémon Gold disassembly
wOTPartyMons::
wOTPartyMon1:: party_struct wOTPartyMon1 ; dd5d
wOTPartyMon2:: party_struct wOTPartyMon2 ; dd8d
wOTPartyMon3:: party_struct wOTPartyMon3 ; ddbd
wOTPartyMon4:: party_struct wOTPartyMon4 ; dded
wOTPartyMon5:: party_struct wOTPartyMon5 ; de1d
wOTPartyMon6:: party_struct wOTPartyMon6 ; de4d

wOTPartyMonOT::
wOTPartyMon1OT:: ds NAME_LENGTH ; de7d
wOTPartyMon2OT:: ds NAME_LENGTH ; de88
wOTPartyMon3OT:: ds NAME_LENGTH ; de93
wOTPartyMon4OT:: ds NAME_LENGTH ; de9e
wOTPartyMon5OT:: ds NAME_LENGTH ; dea9
wOTPartyMon6OT:: ds NAME_LENGTH ; deb4

wOTPartyMonNicknames::
wOTPartyMon1Nickname:: ds PKMN_NAME_LENGTH ; debf
wOTPartyMon2Nickname:: ds PKMN_NAME_LENGTH ; deca
wOTPartyMon3Nickname:: ds PKMN_NAME_LENGTH ; ded5
wOTPartyMon4Nickname:: ds PKMN_NAME_LENGTH ; dee0
wOTPartyMon5Nickname:: ds PKMN_NAME_LENGTH ; deeb
wOTPartyMon6Nickname:: ds PKMN_NAME_LENGTH ; def6
ENDU

If the code begins at DD5D it should finish at DE95. If the labels are accurate it seems only the OT data is overwritten, which is not a problem if you keep your party the same (ideally with 6 Pokémon) and don't mind about those Pokémon.

Edit: Sorry, this is enemy Trainer related and is overwritten after facing a Trainer. Though food for thought maybe you could link with another game with a corrupted party to set this up. Will edit this post with more ideas.

Edit 2: The only other idea I have is perhaps you can use the party data. It's not very friendly and breaks the gameplay but is large enough. To avoid freezes it would probably be best to also set DA22 to 0 and not use that address as part of the code, which means all battles will be won and the Pokémon menu will have no effect. There's the fact you would need another wrong pocket TM, but we could probably write to another address to get it to work. Pokémon Crystal has a useful wrong pocket TM that points somewhere in the expanded Balls pocket (where the address does not change), so maybe there could be something like that in Gold/Silver too.
94
You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?

Lol, that's fine :)

OK cool. ^^

Hmm, wonder why some characters appear normally wheras some characters appear red? Oh well, I suppose it's a minor problem, and fixing it would be a waste of bytes :P

Hmm that's interesting. Wonder if it's related to the red border around the text "Balls". Seems that's true though, so far the memory editor is working perfectly on my side.

I did all of my tests on DMG mode. Since you're on CGB mode, would you mind testing the Address lookup feature? I'm sure it will still work, but I just want to make sure.

It works perfectly so far. Entered the addresses in their normal big endian form and jumped back to the TM/HM pocket. I also tried jumping to phone numbers and decorations. Had a lot of fun with it and did some OAM DMA hijacking with the memory editor to get Celebi later. :) Not sure what's meant to happen with strings that aren't addresses (like "&123") but I tried it once and the memory editor sent me somewhere to VRAM (or possibly ROM, SRAM, I can't remember the details sorry) to modify.
95
Generation II Glitch Discussion / Re: Powerful (but large!) memory editor for G/S
« Last post by Epsilon on February 12, 2018, 01:46:29 pm »
You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?

Lol, that's fine :)



Hmm, wonder why some characters appear normally wheras some characters appear red? Oh well, I suppose it's a minor problem, and fixing it would be a waste of bytes :P

I did all of my tests on DMG mode. Since you're on CGB mode, would you mind testing the Address lookup feature? I'm sure it will still work, but I just want to make sure.
96
Wow! This looks amazing. ^^

Thank you!

I forgot to mention that this is meant to be used with TM exec. Any box name code that unlocks SRAM, switches to bank 1, and jumps to $B002 will do.

Unfortunately i'm a bit busy at the moment and cannot write this box name code right now.

You're welcome.

That's OK.

Remember the TM/HM method where you fill the TM/HM pocket first and then use a Lucky Egg Attract Quagsire? It seems like we can write the code there without the need of any padding. I think this is ideal for writing to SRAM byte by byte as well as you could theoretically adjust one-two quantities each write (start with later addresses and then toss to write to earlier addresses, or something similar).

I forgot exactly how enabling SRAM works, but in the past I used this method to enable SRAM bank 1 for obtaining the GS Ball for Celebi in Crystal (which looking back is now not very useful for Virtual Console users as the same address is enabled after beating the Elite Four). The specific addresses below may not matter, but it still works on Gold/Silver thankfully.

ld a,01   ; 3e 01
ld (4e01),a  ; ea 01 4e change to SRAM bank 1
ld a, 0a ; 3e 01
ld (0d01),a  ; ea 01 0d ;this enables writing to SRAM
ld a, 0b ; 3e 0b
ld (be3c),a  ;enable Celebi GS Ball event

We can ignore the GS Ball Celebi part and instead have a jp B002 (c3 02 b0) there.

I inserted your memory editor and it was a success (I don't know if the ret at the end was needed, but I added it just to be safe).



You have a name for this memory editor or are you all right with me just calling it Epsilon's Generation II memory editor?
97
Generation II Glitch Discussion / Re: Powerful (but large!) memory editor for G/S
« Last post by Epsilon on February 12, 2018, 01:08:12 pm »
Wow! This looks amazing. ^^

Thank you!

I forgot to mention that this is meant to be used with TM exec. Any box name code that unlocks SRAM, switches to bank 1, and jumps to $B002 will do.

Unfortunately i'm a bit busy at the moment and cannot write this box name code right now.
98
Wow! This looks amazing. ^^

Thanks Epsilon.

Perhaps hopefully somebody will be able to shorten it for use on WRAM.

I'll try to showcase this in a YouTube video tomorrow.
99
Generation II Glitch Discussion / Powerful (but large!) memory editor for G/S
« Last post by Epsilon on February 12, 2018, 12:46:11 pm »
It's a lot larger than I was hoping/anticipating, but here it is anyway! It is, admittedly, a bit of a pain to setup if you are not on emulator.
Code: [Select]
f3 11 bc da af e0 26 4f 3c e0 d6 21 bb c3 d5 06
0b c5 7a cd 38 db 7b cd 38 db 3e 25 22 1a cd 38
db 13 01 0d 00 09 c1 05 20 e7 21 bf c3 79 a7 28
07 57 af c6 14 15 20 fb 16 00 5f 19 36 ed cd 4d
db d1 f0 a5 47 cb 47 c4 90 db 78 cb 77 28 08 79
a7 28 03 0d 18 01 1b 78 cb 7f 28 09 79 fe 0a 28
03 0c 18 01 13 78 cb 4f 28 05 af 3d e0 26 d9 78
cb 67 28 06 21 10 00 19 54 5d 78 cb 6f 28 06 21
f0 ff 19 54 5d 78 cb 57 28 0d af e0 d6 3d e0 26
fb 62 6b 06 00 09 e9 78 cb 5f c4 5a db c3 a3 da
c5 0e 02 47 cb 37 e6 0f c6 f6 30 02 c6 80 22 78
0d 20 f3 c1 c9 e5 c5 d5 cd bb 14 cd e6 08 d1 c1
e1 c9 c5 e5 3e 0e ea ab ce af e0 da fb 21 c0 7e
3e 38 cf f3 0e 01 21 34 d9 cd 88 db cb 37 47 cd
88 db b0 47 0d 20 03 50 18 ef 58 e1 c1 af 4f c9
2a d6 f6 30 02 d6 80 c9 d5 af 47 c5 3e ec 22 e5
62 6b 09 54 5d e1 1a 4f cd 4d db f0 a5 47 cb 6f
28 01 0d cb 67 28 01 0c cb 7f 28 04 79 d6 10 4f
78 cb 77 28 04 79 c6 10 4f 78 cb 4f 20 08 79 e5
cd 38 db e1 18 d2 79 12 c1 d1 c9

This is meant to be written to $DA98
Controls

A - Enter write mode
Up - Scroll cursor up
Down - Scroll cursor down
Select - Jump to address
Start - Address Lookup (more on that later)
B - Exit memory editor

Write Mode

Up - Increment upper nybble
Down - Decrement upper nybble
Left - Increment lower nybble
Right - Decrement lower nybble
B - Write byte, exit write mode

Address lookup is a feature I added that eliminates the need for scrolling through the memory editor. Simply press start, type in the address you want to go to, and the memory editor will place the cursor on the address.

Disadvantages & Notes:

- Using the Address Lookup feature writes to Box 14's name
- Unlike TheZZAZZglitch's R/B memory editor, this performs writes after the player presses "B" to exit out of write mode. Sorry.

I tried to pack as much power into this as I could (with the time I had), but if you feel you can shrink the byte size for more space, I've attached the RGBDS syntax ASM to this post. Feel free to try to optimize it! (To change where this is written, change "BaseAddress")

Enjoy!

Edit: Princess Torchic checked, and determined that this payload can fit into $DA98 without conflict. I have rebuilt the source with the new base address. Thanks!

Edit2: Shrank the payload by 8 bytes, and also fixed a bug that occurred when pressing "a" and L/R at the same time

ISSOtm shrank the payload by an impressive 32 bytes, however this optimization unfortunately does not work. If I can fix it, it would be a great byte shave though!
100
Wiki Discussion / How to work around the loss of session data error
« Last post by Princess Torchic ❤ on February 12, 2018, 11:52:27 am »
(Stickied)

Sometimes when you try to upload a file on our wiki, it will say "Sorry! We could not process your edit due to a loss of session data."

There is a simple solution to this. Edit any non-file page to get the error message once. Try to submit the page a second time and it should work.

Then the next time you upload a file it should upload properly.

Note: This has only been tested by me on Chrome. Since I'm a sysop it's possible that it doesn't work for non-sysops. Could anyone without sysop or QC rights test this please? Thanks.
Pages: 1 ... 8 9 [10]