Main Menu
Main Page
Forums
New pages
Recent changes
Random page
Help

Glitches
Arbitrary code execution
Pokémon cloning
Pomeg glitch and Glitzer Popping
Tweaking and voiding
Glitches by generation
Glitch categories

References/Resources
Databases
Disassembly projects
The Big HEX List
Pokémon cheat codes
Pokémon glitch terminology
Useful tools
More

Affiliates
Legendary Star Blob 2 (Hakuda) (日本語/Japanese)
Pokémon Speedruns wiki (English)
PRAMA Initiative (Français/French)
MissingNo. Glitch City (Italiano/Italian)
Become an affiliate!

Technical
Site source code

Search Wiki

 

Search Forums

 

Author Topic: Generation II's item 00h  (Read 5023 times)

0 Members and 1 Guest are viewing this topic.

SatoMew

  • Member+
  • *
  • Offline Offline
  • Gender: Female
    • View Profile
Generation II's item 00h
« on: January 31, 2015, 01:17:21 pm »
"?" (hex:00) crashes English Crystal when forced into the Bag and the player accesses it, while it loads fine in Japanese Crystal, where it has a garbled and meaningless description too.

Can anyone reproduce this or is it just me? I'm using BGB 1.5.1.

Japanese Crystal codes:
01xx85D8 (specifies the number of items in the Items pocket of the Bag; for this case, let's consider xx=01)
010086D8 (adds 00h item as first in the list)
01xx87D8 (specifies the amount for the first item on the list; using xx=01 here as example)
01FFxxD8 (ends the list; xx=88 in this particular situation)

The codes for English Crystal are already on the wiki.

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Generation II's item 00h
« Reply #1 on: January 31, 2015, 03:04:15 pm »
It’s not just you.

The pointer table of item descriptions is at $02C02D in Japanese Crystal or $1C8987 in English Crystal. In Gold and Silver, this table had 256 entries, giving a dummy description for every glitch item, but for some reason in Crystal it only has 255 entries, so the pointer to item $00’s description is taken from the first two bytes after the end of the table, which is the first two characters of the text for the Master Ball’s description.

In English, that description is “The best BALL. It never misses.”, which is read as a pointer to $A793 (“T” = $93, “h” = $A7), an SRAM location with undefined behavior. In Japanese, that description is 「ポケモンを かならず つかまえられる さいこうの ボール」, which is read as a pointer to $1F54 (「ポケモン」 = $54, 「を 」 = $1F), in ROM bank 0. The data at this location provides the nonsensical, but surprisingly short description 「ヘ・を こうげきこうげきご……。」

pokechu22

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Generation II's item 00h
« Reply #2 on: January 31, 2015, 03:18:56 pm »
Tested with English version on console (using 91 versions of codes, not 01).  It crashes basically the same way it does on BGB.

I used these codes for that:

Code: [Select]
910192D8
910093D8

Note that unlike BGB, on-console it did the normal reset and then "HEY YOU NEED A CGB" screen.

I then did this:

Code: [Select]
910292D8
910193D8
910095D8
010594D8
010196D8

(that 05 in the 4th code was a typo, but it was what I typed on-console.  Same effect)

This causes a crash, but only once I scroll down.  It first it writes a bunch of stuff to the text box, then does the low-hp sound, and then does the CGB screen crash.

It's much easier to test this when walking out of bounds at the start of the game, since you happen to get a ?. 
When I underline text, that usualy means I am using the [‍acroynm] tag to provide aditional information.  Hover over it to view.
My youtube channel

Bert

  • Local Shitposter
  • Member+
  • *
  • Offline Offline
  • Gender: Male
  • Enemy FERALIGATR can't receive the gift!
    • View Profile
Re: Generation II's item 00h
« Reply #3 on: January 31, 2015, 04:24:30 pm »
Tested with English version on console (using 91 versions of codes, not 01).  It crashes basically the same way it does on BGB.

I used these codes for that:

Code: [Select]
910192D8
910093D8

Note that unlike BGB, on-console it did the normal reset and then "HEY YOU NEED A CGB" screen.

I then did this:

Code: [Select]
910292D8
910193D8
910095D8
010594D8
010196D8

(that 05 in the 4th code was a typo, but it was what I typed on-console.  Same effect)

This causes a crash, but only once I scroll down.  It first it writes a bunch of stuff to the text box, then does the low-hp sound, and then does the CGB screen crash.

It's much easier to test this when walking out of bounds at the start of the game, since you happen to get a ?. 

Changing 05 in line 4 of the second code changes the Master Ball's value; 55 gives you 85 of 'em.

You can get rid of the "?" item by changing the 00 in line 3 to a different value, but I don't imagine that's the point.

Line 1 really fucks up your scrolling, though, since the cursor won't go past the 2nd item; changing it to a value greater than what's currently in your ITEMS pocket will let you keep scrolling down, until it starts showing information from the KEY ITEMS area.

This batch of information you probably already know was brought to you by SCIENCE!

SatoMew

  • Member+
  • *
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Generation II's item 00h
« Reply #4 on: January 31, 2015, 05:45:05 pm »
@Háčky, thanks for the explanation. I guess this also would explain the differences in the descriptions of HM08-10 and 12 between Gold/Silver and Crystal, which according to Bulbapedia, changed from "?" in Gold/Silver to the descriptions of other moves in Crystal.

@pokechu22, how far did you scroll down? Did you end the list using 01FFxxD8?

pokechu22

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Generation II's item 00h
« Reply #5 on: January 31, 2015, 05:50:53 pm »
@pokechu22, how far did you scroll down? Did you end the list using 01FFxxD8?

I scrolled down only one, and then the game froze when it attempted to load 00h's description.

I didn't terminate the list (though I probably should have).  Probably wouldn't make a difference though, since my goal was only to test what happen when viewing 00h's description. 
When I underline text, that usualy means I am using the [‍acroynm] tag to provide aditional information.  Hover over it to view.
My youtube channel

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Generation II's item 00h
« Reply #6 on: January 31, 2015, 07:46:30 pm »
@Háčky, thanks for the explanation. I guess this also would explain the differences in the descriptions of HM08-10 and 12 between Gold/Silver and Crystal, which according to Bulbapedia, changed from "?" in Gold/Silver to the descriptions of other moves in Crystal.
Actually, there’s a simple explanation for that—in Crystal, the Move Tutor’s moves are treated as HM08–HM10. Even though the item descriptions table has entries for all the TMs and HMs (which all point to several copies of the description “?”), the game looks up which move is taught by the TM/HM and uses that move’s description instead. (For whatever reason, the list of TM/HM moves ends with HM11, and HM12 is read as Rollout in all Generation II games.)

SatoMew

  • Member+
  • *
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Generation II's item 00h
« Reply #7 on: February 01, 2015, 09:34:11 am »
I didn't terminate the list (though I probably should have).  Probably wouldn't make a difference though, since my goal was only to test what happen when viewing 00h's description.

Well, if you don't terminate the list, it'll always crash after you scroll down to a position without a valid item, regardless of the item in question (this is my experience in BGB). But yes, it doesn't change in 00h's case.

Actually, there’s a simple explanation for that—in Crystal, the Move Tutor’s moves are treated as HM08–HM10. Even though the item descriptions table has entries for all the TMs and HMs (which all point to several copies of the description “?”), the game looks up which move is taught by the TM/HM and uses that move’s description instead. (For whatever reason, the list of TM/HM moves ends with HM11, and HM12 is read as Rollout in all Generation II games.)

Oh, I see. That means HM08-HM10 are similar to the Badge items of the Generation I games (which are used on the list shown by the man in Cerulean IIRC), correct?

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Generation II's item 00h
« Reply #8 on: March 29, 2015, 06:45:37 pm »
It occurred to me to try using arbitrary code execution to read some data from $A793 on a real English Crystal cartridge, to see exactly how it’s different when done on a GBC or GBA. I wrote this program to read fifty bytes and store them as the quantities of items in the PC:

Code: [Select]
ld de, $A793  ; address of item $00 description

ld hl, $D8F1  ; quantity of PC items
ld a, $32     ; set it to 50
ld [hli], a

.readByte
ld a, $B4     ; overwrite all PC items with Brick Pieces, just to
ld [hli], a   ; make sure they all exist and will show a quantity

ld a, [de]
ld [hli], a   ; set item quantities to data from $A793 et seq.
inc de

ld a, l
cp $56        ; $D956 = end of PC items
jr nz, .readByte

ld [hl], $FF  ; be nice and give the PC items a terminator
ret

I used the following GameShark codes to put TM15 in my Items pocket and write the code to $DA10, where TM15 will execute it. (This is an unused area of WRAM between the end of the trainer rematch data and the start of the event flags. You can safely stash up to 98 bytes of code here.) Since external devices seem to affect how item $00’s description behaves, I saved the game, then removed the GameShark before executing my program.

01CE93D8 011110DA 019311DA 01A712DA 012113DA 01F114DA 01D815DA 013E16DA 013217DA 012218DA 013E19DA 01B41ADA 01221BDA 011A1CDA 01221DDA 01131EDA 017D1FDA 01FE20DA 015621DA 012022DA 01F523DA 013624DA 01FF25DA 01C926DA

Anticlimactically, this program always reads fifty $FFs, regardless of whether it’s run in BGB, or on a GBC or GBA, or even with the GameShark plugged in. It seems there must be some difference between what happens when SRAM addresses are accessed through TM arbitrary code execution, and when they’re accessed to read the item description. The game is clearly reading something that’s not all $FFs when it displays reams of glitch text on a GBA.

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Generation II's item 00h
« Reply #9 on: April 24, 2015, 12:05:15 am »
If at first you don’t succeed…try calling a ROM function?

Code: [Select]
; Copy 20×18 bytes of item $00’s description into tilemap
ld de, TileMap              ; destination ($C4A0)
ld hl, $A793                ; source (address of item $00 description)
ld bc, TileMapEnd - TileMap ; length ($0168)
call CopyBytes              ; $3026
ld a, $1
ld [hBGMapMode], a          ; $FFD4

.waitForB:
; Keep displaying it until the B button is pressed
ld a, [hJoypadDown]         ; $FFA4
bit 1, a                    ; B button
jr z, .waitForB
ret

As before, I placed this program at $DA10 and executed it with TM15. GameShark codes:

011110DA 01A011DA 01C412DA 012113DA 019314DA 01A715DA 010116DA 016817DA 010118DA 01CD19DA 01261ADA 01301BDA 013E1CDA 01011DDA 01E01EDA 01D41FDA 01F020DA 01A421DA 01CB22DA 014F23DA 012824DA 01FA25DA 01C926DA

The result in BGB is to fill the screen with “9”, which is tile number $FF. (Don’t mind the colors; they’re left over from the items menu.) This matches the behavior of a Game Boy Color:



On a Game Boy Advance, this program produces something more intriguing:



The pattern is different each time, but the same handful of tiles always show up. Their hex values are:

🅿: $2A (this tile is part of the word “POCKET” on the items menu)
S: $6A
k: $AA
l: $AB
é: $EA
➡: $EB

Bits 0, 6, and 7 of these numbers vary, but bits 1–5 are the same: $2A. Opcode $2A is ld a, [hli], which happens to be the instruction used in the CopyBytes function I’ve called to read from disabled SRAM.

This is totally different from what is displayed when actually viewing the item’s description:



Item descriptions are written into the tilemap using the PlaceString function ($1078, in pokecrystal’s home/text.asm). That function uses a different instruction to read the string: ld a, [de], which is opcode $1A. And indeed, the first few characters shown in the description can be derived from $1A by flipping a few bits from 0 to 1:

═: $7A
4: $FA
5: $FB

It seems what’s happening is that the GBA reads the opcode from the cartridge ROM, executes it, tries to read a byte from the cartridge SRAM, and doesn’t get a response (because it’s disabled), but picks up a residual signal of the last byte sent on the data bus, which is the opcode. This explains why my last experiment didn’t show anything useful: my code was executed from WRAM, which isn’t in the cartridge, so there was no signal on the cartridge data lines and everything was read as $FF, even on a GBA.

Since bits are apparently only flipped from 0 to 1, and not from 1 to 0, it is impossible for the item description to include the string terminator $50 (until it runs past the end of SRAM and into WRAM, but it’s bound to crash the game or hit an infinite loop of text commands before then). But it can—and inevitably will—include the text command $5A, which is supposed to display the name of the attacking Pokémon in battle. Based on the value of hBattleTurn ($FFE4), it prints either BattleMonNick ($C621), or “Enemy ” followed by EnemyMonNick ($C616).

Outside of battle, $C608–C7E7 is some sort of scrolling tile buffer for the overworld map; its contents shift each time you cross a 2×2 map block boundary. Thus, standing in different locations changes how item $00’s description is displayed on a GBA. In some places, the description will contain a line or paragraph separator which allows it to be paged through indefinitely. When it doesn’t, it’ll usually crash the game in one way or another. (In one instance, it actually managed to corrupt my save file! Which is funny, since this glitch only happens because SRAM is locked to prevent save corruption…)

In many places, the description will overflow the tilemap buffer and trashes enough of WRAM to crash the game. In other places, it will contain a line or paragraph separator which allows the text to be paged through indefinitely.

Text command $57 terminates a string from within another text command. (You may recall its improper use in the English Gold/Silver, where it isn’t within another text command.) By standing in a location where tile $57 is near the top edge of the screen—such as the 2×2 space between the bookshelves in Prof. Elm’s lab (tile $57 is part of the healing machine)—it is sometimes possible to properly terminate item $00’s description on a GBA, and be able to scroll over the item, move it with the Select button, or open its Give/Toss menu:



Unfortunately, this isn’t reliable, because the locations read by text command $5A are just past the end of the onscreen tilemap buffer ($C4A0–C607) where the description is being printed. If the description overflows the tilemap buffer, it can overwrite the $57 byte and prevent itself from being terminated.


By the way, I checked the European localizations of Crystal, and they all have the same truncated pointer table that causes item $00’s description pointer to be read from the first two bytes of the Master Ball text. As in the English version, the resulting addresses are in SRAM, so they should behave likewise:

German: $A483 (Der beste BALL. Erfolg garantiert!)
French: $A08B (La meilleure BALL. Ne rate jamais.)
Italian: $A08B (La BALL migliore: infallibile.)
Spanish: $B284 (Es la mejor BALL. Nunca falla.)

luckytyphlosion

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • JACK-flys are OP
    • View Profile
Re: Generation II's item 00h
« Reply #10 on: June 08, 2015, 01:57:58 pm »
Just to make sure, did you remember to enable SRAM? (Write $0A to Address $0000)

Háčky

  • Distinguished Member
  • *
  • Offline Offline
  • Pick which packet as an error?
    • View Profile
Re: Generation II's item 00h
« Reply #11 on: June 08, 2015, 02:07:39 pm »
Just to make sure, did you remember to enable SRAM? (Write $0A to Address $0000)
The game reads item $00’s description from $A793 while SRAM is disabled. The point of my experiments was to understand what happens when it does that, so, obviously, I didn’t enable SRAM.

TheICTLiker4

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Generation II's item 00h
« Reply #12 on: August 14, 2019, 12:37:38 pm »
If the item would have an English description, then it would be ”  ᆨtzxᆨtzx ……., which is a mojibake for the Japanese description ヘ・を こうげきこうげきご……。.

Sherkel

  • Ringsome on the aquaface
  • Administrator
  • *****
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Generation II's item 00h
« Reply #13 on: August 15, 2019, 10:44:26 pm »
Is that meant to be some sort of neko no ko koneko type thing? :P

Kind of on hiatus for the next few weeks at least, but I always come back and in the meantime would like to encourage discussion on how the site is organized so as to let visitors find the most useful info (whatever that may be) in a clean and efficient fashion.
I don't have a habit of keeping Discord open, so direct inquiries are still preferred through here.

TheICTLiker4

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Generation II's item 00h
« Reply #14 on: August 18, 2019, 11:23:26 am »
Hey! What is that 'neko no ko koneko' thing?