Author Topic: Pokémon Crystal: Better ACE through Key Items Glitch  (Read 11710 times)


luckytyphlosion

Pokémon Crystal: Better ACE through Key Items Glitch
« on: December 26, 2014, 12:40:02 pm »
I've looked at the key items glitch that hacky found, and now that Crystal has a way to mess with important memory parts, I'm thinking if there's a way to beat Pokémon Crystal as fast as possible.

My current route was to go through the game as normal, catching a Sentret as well for a Cut slave and another important part of the glitch.

I'd pick up TM39 Swift, because Swift's index number corresponds to an Egg Ticket, which has an index value greater than 100.

Water Gun has an index value lower than 100 and corresponds to an Itemfinder, and you get Water Gun in the normal Crystal route.

After teaching Cut to Sentret, I would also teach Mud-Slap (filler move) and Swift to Sentret to get Swift in the fourth slot.

At the Daycare, I would start duplicating Croconaw until I get a bad clone, and I would perform the Celebi trick to get a Pokémon with an Itemfinder. Then, I would do the same to Sentret to get an Egg Ticket.

I'd duplicate Sentret and Croconaw to get enough Key Items, then I would perform the key items glitch.

Unfortunately, I'm not so familiar with the prerequisites of the Key Items glitch for Crystal (how many balls you need in your balls pocket, what do you need in your balls pocket) and I haven't tested this out because I can't get a bad clone.

The route after achieving Key Items Glitch would possibly be:

  • Set your party count to 0 using $FF's "Masking" ability
  • Somehow get to Kanto, either by:
    • (Better Option) Distorting to Magnet Train
    • (Worse Option) going to the Fast Ship and setting the flag for allowing you to sail to Vermilion
  • Distorting around Snorlax to get to Route 2
  • Biking to Mt. Silver, bypassing guards through more map distortion/something else
  • Setting the flag to make Red appear at Mt. Silver? (not sure if you could access that point, otherwise just beat e4)
  • Biking through Mt. Silver and "beating" Red

If someone can give me a code to set the number of balls to 255, that would be very appreciated. ;)
« Last Edit: December 27, 2014, 12:04:49 am by luckytyphlosion »

Princess Torchic Owl Lover ☽ ❤

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #1 on: December 26, 2014, 02:40:49 pm »
Quote from: luckytyphlosion
If someone can give me a code to set the number of balls to 255, that would be very appreciated. ;)

You can set D8D7 to FF (01FFD7D8).

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Sex male, and spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

luckytyphlosion

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #2 on: December 26, 2014, 02:49:46 pm »
Also, does it matter if I'm using Version 1.0 or Version 1.1 to get bad clones?
« Last Edit: December 26, 2014, 02:50:05 pm by luckytyphlosion »

Princess Torchic Owl Lover ☽ ❤

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #3 on: December 26, 2014, 03:00:46 pm »
Quote from: luckytyphlosion
Also, does it matter if I'm using Version 1.0 or Version 1.1 to get bad clones?

Ah. I don't know, sorry, but I'm going to guess no. The only known differences between them are a fix in how the "Pokédex details submenu" works, and Unix to Windows newlines in data that isn't supposed to be text, according to Tauwasser.


luckytyphlosion

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #4 on: December 26, 2014, 04:50:36 pm »
Finally figured out where the Pokedex Mode byte is (D959) although I realized Torchickens already found it. :P

Interestingly, Glitch Mode 6 runs code from "somewhere" and landed in echo RAM, where it then hit a corrupted stop (the corrupted stop was at FB4E). FB4E is actually in event flags somewhere, so could we possibly execute arbitrary code :o?

EDIT: Pokédex Mode $0B ran code to CF6A (another corrupted stop)
EDIT2: Mode $11 also runs to FB4E. If only there was a way to figure out the start of execution. (Can't use BizHawk's trace logger, it's way too laggy.) Some of the modes crash when I try to look at them, other modes crash when I hit Select in the Pokédex (some of them crash because of bad access to OAM DMA). I know it couldn't have run from before FAC7 (assuming no jumps/calls/returns etc.), because there was another corrupted stop there.

EDIT3: Found the exact point where the code starts (trial and error with corrupted stops), which is at $FB20. Unfortunately this is out of our reach to edit with key items glitch though :(
« Last Edit: December 26, 2014, 05:40:03 pm by luckytyphlosion »

Princess Torchic Owl Lover ☽ ❤

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #5 on: December 26, 2014, 06:36:12 pm »
The PC box names begin at DB75 (the same as FB75). Could you make the code fall through to there?

Edit: There are some potentially dangerous opcodes at FB20 (rst 38), FB22 (call nz FF1F), FB26 (ld (hl), 7F) :(. Any idea what these addresses represent?
Edit 2: Even though this region is 00 from a new game, there is more 'dangerous' code starting at FB49 after you start a new game.

Your glitch Pokédex mode execution of arbitrary code idea sounds brilliant (except it may mess up the stack like Coin Case and there may be problems exiting the Pokédex, but we could probably make a workaround)

Quote from: luckytyphlosion
EDIT2: Mode $11 also runs to FB4E. If only there was a way to figure out the start of execution. (Can't use BizHawk's trace logger, it's way too laggy.) Some of the modes crash when I try to look at them, other modes crash when I hit Select in the Pokédex (some of them crash because of bad access to OAM DMA). I know it couldn't have run from before FAC7 (assuming no jumps/calls/returns etc.), because there was another corrupted stop there.

If you use BGB, then you can go to debug>access breakpoints and enter 8000-FEFF and check execute. The game will tell you if it's executing code from memory; and it should do this from the start. You could adjust this to whatever memory range you want.

Edit: I may as well make a RAM DexDex.

Here goes (I'll be editing this a lot):
05 - C6D0
06 - FB0E
09 - FA20
0B - C94C
0C - D021
0D - 9000
11 - FB20
13 - C94C
14 - CA21
17 - EA3A
18 - D265
19 - D0CD
1E - D2EA
1F - C9C7
20 - EAAF
21 - C7D2
22 - D021
« Last Edit: December 26, 2014, 07:33:25 pm by Torchickens »


Háčky

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #6 on: December 26, 2014, 07:17:21 pm »
Underflowing the Key Items pocket should be faster than overflowing it, since it only requires a few duplicate items. I started working out a method for this a while back, but then moved on to other things.

You can get three Itemfinders at once with a variation of the Celebi trick. Put two Pokémon in the party with Water Gun as their first move. (Catching Wooper on Route 32 is an easy way to get these, so I’ll just call them Wooper.) Give the bad clone to the Day Care, take it back, and put it at the front of the party, then move a third Wooper from the PC into the front of the party. Give the bad clone back to the Day Care, and the first Wooper will be holding an Itemfinder. Take the item, and deposit that Wooper into the PC, and now the other two Wooper will be holding Itemfinders. (For best results, you’ll need to ensure that the Pokémon data doesn’t contain an $FF byte, which could appear in their IVs or your OT ID. A slightly longer method would be needed to get around that.)

After depositing all Key Items into the PC other than the three Itemfinders, swap the second Itemfinder with the third. The Key Items pocket now has 2 items, and a Coin Case in place of the Cancel button. Deposit the Coin Case into the PC. Now you have 1 item, and an Itemfinder in place of the Cancel button. Swapping the two Itemfinders will leave the pocket with 0 items, an Itemfinder in place of the Cancel button (first slot), and a Coin Case in the second slot which you can’t access. Deposit the Itemfinder into the PC, and now the pocket has 255 items.

Making use of this is a bit tricky, because in a pocket with 255 items, the cursor always jumps back to the top of the list after any operation (I don’t know why this happens, but it does), which makes it impossible to move out-of-bounds items around without viewing ? ($00)’s glitch description. There’s now a Coin Case in the first slot, and depositing it would leave 254 items in the pocket. But that won’t help, because then all the accessible items would be Cancel buttons ($FF), which the Select button doesn’t work on.

Instead, buy 54 Poké Balls of any type. (54 is the index number of the Coin Case.) Put another type of Poké Ball with index < 100 (Master Ball, Ultra Ball, Great Ball, or Poké Ball) in the slot after those 54 balls. Go into the Key Items pocket, press Select on the Coin Case, and scroll down just past your 54 balls, where a Coin Case will appear to be. Press A to merge the two Coin Cases.

Now the Key Items pocket has 254 items, with only Cancels in the first few slots followed by ?s. Move the remaining Coin Case to the position of the first ?. This ensures that there is one movable item that you can press Select on to scroll past the ?s. All the ?s will move down one slot, so the last one will now be the number of items in the Balls pocket (i.e., 0 items), and the original number of items in the pocket will now be the index of the first item. If the original number of items was 1, 2, 4, or 5, then depositing or tossing the resulting ball will underflow the Balls pocket to 255 items.

When used outside the TM/HM pocket, TM15 executes code from $FA10, TM17 from $FA47, and TM21 and TM25 from $FA69, any of which can be modified from the Balls pocket. Of those, TM21 is the most easily obtained: it’s given by an NPC at the Goldenrod Department Store on Sunday. The idea of using a glitch Pokédex mode is new to me, so I don’t know if that might work better.
« Last Edit: December 26, 2014, 10:02:24 pm by Háčky »

Princess Torchic Owl Lover ☽ ❤

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #7 on: December 26, 2014, 07:22:41 pm »
I'll be updating my last post with execution locations for glitch Pokédex modes.

Does anyone want to team up and work FF-80?
« Last Edit: December 26, 2014, 07:27:34 pm by Torchickens »


Háčky

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #8 on: December 26, 2014, 07:30:23 pm »
Quote from: Torchickens
I'll be updating my last post with execution locations for glitch Pokédex modes.
Does anyone want to team up and work FF-80?

No, I just want to tell you that the pointer table is at $40BF0. :)

Princess Torchic Owl Lover ☽ ❤

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #9 on: December 26, 2014, 07:33:47 pm »
Quote from: Háčky
  Quote from: Torchickens
  I'll be updating my last post with execution locations for glitch Pokédex modes.
  Does anyone want to team up and work FF-80?
No, I just want to tell you that the pointer table is at $40BF0. :)

OK, thanks :D.


luckytyphlosion

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #10 on: December 26, 2014, 07:38:49 pm »
TM21 seems like the best method for now (but there could be new memory locations for glitched dex values). You can simply get an item with 0 quantity, toss it to get 195 (jp $xxyy) and have an item with a good quantity that can represent an address corresponding to box names. The start of box names is $db75. The quantity of the item represents the high byte of the address and the item identifier equals the low byte of the address.

Háčky

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #11 on: December 26, 2014, 07:52:53 pm »
Quote from: luckytyphlosion
TM21 seems like the best method for now (but there could be new memory locations for glitched dex values). You can simply get an item with 0 quantity, toss it to get 195 (jp $xxyy) and have an item with a good quantity that can represent an address corresponding to box names. The start of box names is $db75. The quantity of the item represents the high byte of the address and the item identifier equals the low byte of the address.

But you can only decrease the quantity of an item if it belongs in that—Huh. You can toss items while they’re in the PC? I never even knew that.

luckytyphlosion

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #12 on: December 26, 2014, 08:29:53 pm »
Actually, glitch mode 9 would be best for execution, as it's somewhere in the glitched inventory (sample code to jump there):
http://puu.sh/dKMog/82f09cf2ca.png (link because it's too big)

I need to think of box names suitable for Crystal (and I'm not even sure where I return with the ret opcodes).

It's cool that we now have an easy way to execute arbitrary code in Crystal though :D

Sanqui will also be so proud that there's a Coin Case and Box Names in the "current" route

EDIT: Does anyone know what the flag for setting red on the map is?
EDIT2: A ret simply displays a blank dex data, which makes execution much easier. Not sure if messing with the registers does anything to the return address, but I'll test it out.
« Last Edit: December 26, 2014, 09:28:46 pm by luckytyphlosion »

Háčky

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #13 on: December 26, 2014, 09:15:25 pm »
Quote from: luckytyphlosion
EDIT: Does anyone know what the flag for setting red on the map is?

Looking at the map script in the disassembly, it appears to be event flag $762, which is bit 2 of $DB5E.

I’d convinced myself that using 4 Itemfinders wouldn’t make it any easier to get the Key Items pocket down to 254 items, but now I’ve realized that it can: Swap the 3rd Itemfinder with the 4th; deposit the Coin Case; swap the 2nd Itemfinder with the 3rd; swap the 1st Itemfinder with the 2nd; deposit the Itemfinder; deposit one of the two Coin Cases. Then there are 254 items in the pocket and a Coin Case left in the first slot. That doesn’t do anything to the Balls pocket, but you could then store a high-index-number item (such as TM49) in the PC and move it into the Balls quantity byte from the Key Items pocket.
No, I was right the first time. That fourth step doesn’t work, because there’s a Coin Case rather than a Cancel button as the “quantity” of the second Itemfinder.
« Last Edit: December 26, 2014, 10:01:38 pm by Háčky »

luckytyphlosion

Re: Pokémon Crystal "Glitched" Speedrun.
« Reply #14 on: December 26, 2014, 11:15:47 pm »
Well, assuming we can get the key items glitch to work, here's the method I used to beat the game quickly!
(this assumes you jump to the first character of the first box, or before that)

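Code:
; é* marks a placeholder character whose byte is overwritten at run time
; by an earlier ld, before execution reaches it.

; BOX 1
; p 0 'v 0 B é A 5
xor a
or $d6
or $81 ; get $d7
ld [$fb80],a ; write $d7 over é* in box 2 ($fb80 is the echo of $db80)

; BOX 2
; p é é* 6 'v c
xor a
ld [$fcd7],a ; 0 pkmn in party ($d7 is the patched é* byte)
sub $a2 ; get $5e

; BOX 3
; é M 5 p é é* 5
ld [$fb8c],a ; load letter into later box letter (é* in this box)
xor a
ld [$fb5e],a ; make red appear ($5e is the patched é* byte)

; BOX 4
; 'v 7 é v 6 'v x
sub $fd ; get $03
ld [$fcb5],a ; change map group to $03
sub $b7 ; get $4c

; BOX 5
; é w 6 x 'd
ld [$fcb6],a ; change map to silver cave
or a ; unset carry flag
ret nc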

Big thanks to the people that made the current coin case route so I'd have a sense of what I was doing, Sanqui for this awesome pastebin here so I could easily convert characters to opcodes, Hacky for giving me the address for the Red Flag, this so I could figure out each address in Gold, and I could get an idea of what addresses in the Gold Coin Case Route would I need to change for Crystal, and the Pokémon Crystal Disassembly.

EDIT: Could I use a Bicycle for Key Items Glitch instead, because it has a lower index value so I'd need to buy less Poke Balls?
« Last Edit: December 27, 2014, 10:59:28 am by luckytyphlosion »
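
The box-name payload from Reply #14, checked as an added example (not code from the thread): this Python sketch encodes the five names with the Gen 2 text codes implied by the post's own comment/instruction pairs, lays them out from $DB75, and interprets only the opcodes the payload uses. The 9-byte slot per box and the $50 padding after each name are assumptions, chosen because they make the post's patch addresses ($FB80, $FB8C) land exactly on the é* placeholders.

```python
# Added example: encode the five box names from the post and emulate them.
# Text codes below are the ones implied by the post (e.g. "p" = $AF = xor a).
CHARMAP = {"A": 0x80, "B": 0x81, "M": 0x8C, "c": 0xA2, "p": 0xAF,
           "v": 0xB5, "w": 0xB6, "x": 0xB7, "'d": 0xD0, "'v": 0xD6,
           "é": 0xEA, "0": 0xF6, "5": 0xFB, "6": 0xFC, "7": 0xFD}
# The é* placeholders are entered as a plain é; the payload patches them.
BOXES = ["p 0 'v 0 B é A 5", "p é é 6 'v c", "é M 5 p é é 5",
         "'v 7 é v 6 'v x", "é w 6 x 'd"]
BOX_BASE = 0xDB75            # start of box names, from the thread
STRIDE, TERMINATOR = 9, 0x50  # assumptions: slot size and padding byte


def build_memory():
    """Lay the names out from $DB75, padding each 9-byte slot with $50."""
    mem = {}
    for i, name in enumerate(BOXES):
        data = [CHARMAP[tok] for tok in name.split()]
        data += [TERMINATOR] * (STRIDE - len(data))
        for off, byte in enumerate(data):
            mem[BOX_BASE + i * STRIDE + off] = byte
    return mem


def wram(addr):
    """Echo RAM $E000-$FDFF mirrors work RAM $C000-$DDFF."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def run(mem, pc=BOX_BASE, limit=100):
    """Interpret the payload; return the list of (address, value) writes."""
    a, carry, writes = 0, False, []
    for _ in range(limit):
        op = mem[pc]
        if op == 0xAF:                      # xor a
            a, carry, pc = 0, False, pc + 1
        elif op == 0xF6:                    # or n
            a, carry, pc = a | mem[pc + 1], False, pc + 2
        elif op == 0xD6:                    # sub n (carry set on borrow)
            n = mem[pc + 1]
            a, carry, pc = (a - n) & 0xFF, a < n, pc + 2
        elif op == 0xEA:                    # ld [nn],a with little-endian nn
            target = wram(mem[pc + 1] | mem[pc + 2] << 8)
            mem[target] = a
            writes.append((target, a))
            pc += 3
        elif op == 0xB7:                    # or a (clears carry)
            carry, pc = False, pc + 1
        elif op == 0x50:                    # ld d,b (the name terminator)
            pc += 1
        elif op == 0xD0:                    # ret nc
            if not carry:
                return writes
            pc += 1
        else:
            raise ValueError(f"unexpected opcode ${op:02X} at ${pc:04X}")
    raise RuntimeError("payload did not return")


if __name__ == "__main__":
    for addr, value in run(build_memory()):
        print(f"${addr:04X} <- ${value:02X}")
```

Run as a script, it lists six writes in order: $DB80 <- $D7, $DCD7 <- $00, $DB8C <- $5E, $DB5E <- $00, $DCB5 <- $03, $DCB6 <- $4C. The store to $DB5E replaces the whole byte, so it zeroes all eight event flags held there, not only bit 2.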