Author Topic: "Void Knowledge Archive, by the members of HallofOrigin"  (Read 34559 times)


Wack0

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #60 on: September 26, 2015, 05:09:41 pm »
I guess that gen4 has a rudimentary ASLR, like gen3 does.

Has anyone bothered doing major reversing of gen4 yet, both static analysis and debugging (setting in-memory breakpoints etc)?

~Poke~

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #61 on: September 26, 2015, 06:04:47 pm »
Quote
I guess that gen4 has a rudimentary ASLR, like gen3 does.

Has anyone bothered doing major reversing of gen4 yet, both static analysis and debugging (setting in-memory breakpoints etc)?

While looking into it I found this list on Project Pokemon, and the 50 page gamefaq thread it links to. The Project Pokemon forum might have more threads where they researched this for their list, but I don't see them at a glance and their search is a bit annoying. It looks like they've moved on to 5th and 6th gen now.

There are tools available to change a lot on the ROM hacking side, but I'm not finding more than that about how the engine works.

SatoMew

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #62 on: September 26, 2015, 06:23:47 pm »
While wandering around in the void, I encountered a Battle Tower void with a negative map ID. I found it interesting how the menu suddenly became far more limited, as if replicating a Battle Tower mode.


vowel

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #63 on: September 27, 2015, 07:27:59 am »
I've found something interesting while playing around in my Pearl version. I saved in front of the Oreburgh Pokemon Center, and then I used Pokesav to generate an AR code that would change my map coordinates to that of the HoO:
Code: [Select]
                  ;we start out with offset=0, obviously
94000130 FCFF0000 ;if we are holding L+R:
B21C4D28 00000000 ;offset = read(offset + 0x21C4D28)
B0000004 00000000 ;offset = read(offset + 0x4)
100014A4 000001FE ;write(offset+0x14A4,0x1FE) (0x1FE = dec 510 = HoO map id)
10002866 0000012F ;write(offset+0x2866,0x12F) (x coordinate)
1000286A 000002F5 ;write(offset+0x286A,0x2F5) (y coordinate)
1000286E 00000002 ;write(offset+0x286E,0x2) (z coordinate)
D2000000 00000000 ;terminate code (reset offset to 0)
(I've tried to annotate the generated code using data from here: http://doc.kodewerx.org/hacking_nds.html#action_replay )

Now, something extraordinarily interesting happens if you hold L+R with this code active and keep walking:
  • The game will keep reloading the overworld map, which means that it creates two or three copies of every walking NPC present (maybe it actually creates an infinite number of copies, but some are stacked on top of each other?);
  • If you walk through a door holding L+R, it will load the graphics, music, and camera of HoO, but you will otherwise be in the area you should have been in. This is exactly what happens in the void as well: if you save in a void that is named Jubilife City (but is not map id 3, but one of the many higher undefined map ids), you will load the tileset, music, camera of the undefined map you're really in (an invalid map, so you get nothing, just blackness), but if you reload these things by opening the pokedex or your bag, they are loaded from the location you're really in - the OW;
  • If you trigger script #1 (e.g. walk into the Oreburgh mine, talk to the first man you see) while holding L+R, the Arceus script is triggered! (If you trigger any other script, the script engine freezes - it's not a game freeze though, as the music keeps playing - and you have to reset.);
  • Don't walk into a building, because the game will hard-freeze trying to superimpose the HoO's 3D camera onto the forced 2D perspective inside buildings.

This means that Arceus might still be possible to find in the Void! If we happen to stumble upon an invalid map ID that the game considers to be HoO (just as many invalid OW map IDs are considered Jubilifes) in the void, and if this map contains at least one script (e.g. an NPC), then we can trigger a battle with Arceus!

Further investigation is needed.......

EDIT: well, that was easy... here's a lua script showing your current map id and x,y,z coordinates (PEARL ONLY, probably also works on Diamond? probably won't work on PT/HG/SS):
Code: [Select]
local function whereami()
local aslr_data_ptr = memory.readdword(0x021C4D28)
local mapdata_ptr = memory.readdword(aslr_data_ptr + 0x4)
local m = memory.readword(mapdata_ptr + 0x14A4)
local x = memory.readword(mapdata_ptr + 0x2866)
local y = memory.readword(mapdata_ptr + 0x286A)
local z = memory.readword(mapdata_ptr + 0x286E)
gui.text(1,184,string.format("Matrix: %d, X: %d, Y: %d, Z: %d",m,x,y,z))
end
gui.register(whereami)
it would be really really really awesome if someone could extend this to show the id of the map to your left, right, top, and bottom, and how many steps away those are...  );
« Last Edit: September 27, 2015, 08:40:52 am by vowel »
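The Action Replay listing and the Lua script in the post above walk the same two-level pointer chain. As an added example (not code from the thread or from Pokesav), here is a small interpreter for the five AR code types in that listing, run against a constructed RAM image: only the fixed address 0x021C4D28 and the structure offsets come from the post, the pointer values placed in RAM and the `whereami`/`warp_if_lr` helpers are assumptions, and code-type semantics follow the kodewerx page the post links to.

```python
# Added example, not from the thread: a tiny interpreter for the Action Replay
# DS code types used in vowel's listing (94/B2/B0/10/D2), executed against a
# constructed RAM image so the pointer chase can be checked offline.
# Pointer values written into RAM below are made up; 0x021C4D28 and the
# structure offsets are the ones quoted in the post.

KEYINPUT = 0x04000130            # NDS key-state register, 10 active-low bits
KEY_R, KEY_L = 1 << 8, 1 << 9    # bit set = not pressed

HOO_CODE = """
                  ;we start out with offset=0, obviously
94000130 FCFF0000 ;if we are holding L+R:
B21C4D28 00000000 ;offset = read(offset + 0x21C4D28)
B0000004 00000000 ;offset = read(offset + 0x4)
100014A4 000001FE ;write(offset+0x14A4,0x1FE) (HoO map id)
10002866 0000012F ;x coordinate
1000286A 000002F5 ;y coordinate
1000286E 00000002 ;z coordinate
D2000000 00000000 ;terminate code (reset offset to 0)
"""


class Ram:
    """Sparse little-endian memory; anything never written reads as zero."""

    def __init__(self):
        self.mem = {}

    def read(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def write(self, addr, size, value):
        value &= (1 << (8 * size)) - 1
        for i, b in enumerate(value.to_bytes(size, "little")):
            self.mem[addr + i] = b


def parse_ar_code(text):
    """Turn 'XXXXXXXX YYYYYYYY ;comment' lines into (hi, lo) word pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop the annotation
        if line:
            hi, lo = line.split()
            pairs.append((int(hi, 16), int(lo, 16)))
    return pairs


def run_ar_code(ram, pairs):
    """Execute one code; returns the final offset register (0 after D2)."""
    offset = 0
    skipping = False             # true after a failed conditional until D2
    for hi, lo in pairs:
        ctype, addr = hi >> 28, hi & 0x0FFFFFFF
        if hi == 0xD2000000:     # terminator: reset offset, end any skipping
            offset, skipping = 0, False
        elif skipping:
            continue
        elif ctype == 0x9:       # if (read16(addr+offset) & ~ZZZZ) == YYYY
            mask, value = lo >> 16, lo & 0xFFFF
            skipping = (ram.read(addr + offset, 2) & ~mask & 0xFFFF) != value
        elif ctype == 0xB:       # offset = read32(addr + offset)
            offset = ram.read(addr + offset, 4)
        elif ctype == 0x1:       # write16(addr + offset, YYYY)
            ram.write(addr + offset, 2, lo)
        else:
            raise ValueError(f"code type {ctype:X} not modelled here")
    return offset


def whereami(ram):
    """Same pointer walk as the Lua script in the post: (map, x, y, z)."""
    aslr_data_ptr = ram.read(0x021C4D28, 4)
    mapdata_ptr = ram.read(aslr_data_ptr + 0x4, 4)
    return tuple(ram.read(mapdata_ptr + off, 2) for off in (0x14A4, 0x2866, 0x286A, 0x286E))


def build_ram(lr_held, aslr_base=0x0226C000, mapdata=0x0226D300):
    """Constructed RAM: the two-level pointer chain plus the key register.
    The two pointer values are assumptions, not real dumps."""
    ram = Ram()
    ram.write(0x021C4D28, 4, aslr_base)     # the fixed, non-relocated pointer
    ram.write(aslr_base + 0x4, 4, mapdata)  # the relocated game-data block
    keys = 0x03FF                           # nothing pressed: all bits set
    if lr_held:
        keys &= ~(KEY_L | KEY_R)
    ram.write(KEYINPUT, 2, keys)
    return ram


def warp_if_lr(lr_held):
    """Run the code with or without L+R held and report where the game thinks we are."""
    ram = build_ram(lr_held)
    run_ar_code(ram, parse_ar_code(HOO_CODE))
    return whereami(ram)


if __name__ == "__main__":
    print(warp_if_lr(True))    # (510, 303, 757, 2)
    print(warp_if_lr(False))   # (0, 0, 0, 0): the conditional skipped every write
```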

~Poke~

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #64 on: September 27, 2015, 11:07:46 pm »
Quote
This means that Arceus might still be possible to find in the Void! If we happen to stumble upon an invalid map ID that the game considers to be HoO (just as many invalid OW map IDs are considered Jubilifes) in the void, and if this map contains at least one script (e.g. an NPC), then we can trigger a battle with Arceus!
This doesn't really add up to me. To have the Arceus script loaded, you need to be in the real HoO. To run the script, you need an event (npc or etc) set to run the script.

The effects you're getting sound like they're from being "In" the real HoO (at least partially loading it) but having the rest of the data loaded from another map.

I'm not sure if that can be done through the void. The only scripts I've seen run are the ones that start immediately on entering the map (Hall of Fame, Cynthia battle, getting kicked out of the restaurant at night, receiving the Pal Pad) because while in the void there aren't any npcs/signs/etc to trigger other scripts. Once you save, backtrack and enter the map you're actually in that map with npc data and all, so there's no different person to talk to to trigger the script.

That said, I'd love to be proven wrong. Perhaps if a Hall of Origin void can be found directly next to a real place, a tweak could be used to displace it, so you can be "In" it and talk to an npc from that real place. I don't like the odds of that showing up though, and I'm not sure if any tweaks really work like that.

Quote
EDIT: well, that was easy... here's a lua script showing your current map id and x,y,z coordinates (PEARL ONLY, probably also works on Diamond? probably won't work on PT/HG/SS):
Code: [Select]
local function whereami()
local aslr_data_ptr = memory.readdword(0x021C4D28)
local mapdata_ptr = memory.readdword(aslr_data_ptr + 0x4)
local m = memory.readword(mapdata_ptr + 0x14A4)
local x = memory.readword(mapdata_ptr + 0x2866)
local y = memory.readword(mapdata_ptr + 0x286A)
local z = memory.readword(mapdata_ptr + 0x286E)
gui.text(1,184,string.format("Matrix: %d, X: %d, Y: %d, Z: %d",m,x,y,z))
end
gui.register(whereami)
it would be really really really awesome if someone could extend this to show the id of the map to your left, right, top, and bottom, and how many steps away those are...  );

Nice! I'm running it on Pearl and the map matrix works perfectly! On the other hand the coordinates only change when I save, so I don't think they're reading the right thing?

vowel

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #65 on: September 28, 2015, 10:14:55 am »
Quote
This doesn't really add up to me. To have the Arceus script loaded, you need to be in the real HoO. To run the script, you need an event (npc or etc) set to run the script.
You are completely right, but it depends on what the game considers to be 'in the real HoO'. My point was mostly intended to rebut the standard 'we can't get Arceus through tweaking because Arceus won't appear in the HoO unless its flag has been set'; I believe my findings show that we don't need to talk to the actual Arceus, we just need to talk to a script handler when the game thinks we're in the HoO. Doing this in the real HoO is impossible because the only script handler is Arceus, which isn't going to be present, but my findings open up the possibility that we might not need to be in the real HoO, just in an area that is *identified* as the HoO (just like many different areas are identified as Jubilife). Finding such an area, and also finding one that contains an NPC such as the seven star restaurant dude, is still an open, and perhaps impossible, challenge.

Quote
The effects you're getting sound like they're from being "In" the real HoO (at least partially loading it) but having the rest of the data loaded from another map.

I'm not sure if that can be done through the void. The only scripts I've seen run are the ones that start immediately on entering the map (Hall of Fame, Cynthia battle, getting kicked out of the restaurant at night, receiving the Pal Pad) because while in the void there aren't any npcs/signs/etc to trigger other scripts. Once you save, backtrack and enter the map you're actually in that map with npc data and all, so there's no different person to talk to to trigger the script.
You are completely correct, so for an actual 510 HoO, we would still have to talk to the real Arceus, which is impossible. However, if we can find a non-510 (or 511) HoO that just happens to contain a script somewhere, we're in business. We know from the events you cite that this is possible (but apparently extremely unlikely).

It would be interesting to find out what exactly are the requirements for a script to trigger. E.g., does the seven star restaurant dude kick you out when you're on a certain x,y position within the void, or do you also need to be on a certain invalid map id? Also, why do these scripts trigger automatically?

Quote
That said, I'd love to be proven wrong. Perhaps if a Hall of Origin void can be found directly next to a real place, a tweak could be used to displace it, so you can be "In" it and talk to an npc from that real place. I don't like the odds of that showing up though, and I'm not sure if any tweaks really work like that.
This is an interesting thought. I guess in terms of realism it's no less hopeful than my ideas  ;D

Quote
On the other hand the coordinates only change when I save, so I don't think they're reading the right thing?
Indeed! I've fixed x and y, but I wasn't sure where to find z. I've searched around and found six possible candidate RAM locations, and I picked the one closest by, but if my z reading appears off, it probably is  ;)
Code: [Select]
local function whereami()
local aslr_data_ptr = memory.readdword(0x021C4D28)
local mapdata_ptr = memory.readdword(aslr_data_ptr + 0x4)
local m = memory.readword(mapdata_ptr + 0x14A4)
local x = memory.readword(mapdata_ptr + 0x14A4 + 8)
local y = memory.readword(mapdata_ptr + 0x14A4 + 12)
local z = memory.readword(mapdata_ptr + 0x14A4 + 0x6C99A)
gui.text(1,184,string.format("Matrix: %d, X: %d, Y: %d, Z: %d",m,x,y,z))
end
gui.register(whereami)
This shows something interesting though: while the saved x,y,z coordinates versus your current x,y,z coordinates are stored in different RAM locations, the matrix id is only stored at one single location in RAM...
« Last Edit: September 28, 2015, 10:19:44 am by vowel »

SatoMew

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #66 on: September 28, 2015, 11:23:47 am »
Nice going, you two ;)

Quote
That said, I'd love to be proven wrong. Perhaps if a Hall of Origin void can be found directly next to a real place, a tweak could be used to displace it, so you can be "In" it and talk to an npc from that real place. I don't like the odds of that showing up though, and I'm not sure if any tweaks really work like that.

When you mean "real place", are you referring to an actual location or a void area with the same map ID as said location?

vowel

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #67 on: September 28, 2015, 12:55:17 pm »
Quote
Nice going, you two ;)

That said, I'd love to be proven wrong. Perhaps if a Hall of Origin void can be found directly next to a real place, a tweak could be used to displace it, so you can be "In" it and talk to an npc from that real place. I don't like the odds of that showing up though, and I'm not sure if any tweaks really work like that.

When you mean "real place", are you referring to an actual location or a void area with the same map ID as said location?
I think the hypothetical situation is if we were to find a new tweaking place (e.g. something other than Poketch HQ or Galactic HQ) where we end up with (real or fake, as long as they aren't Stickyman) HoOs, rather than, say, Veilstones (or Mt Starks - on my Pearl, I used to have a Mt Stark, then I received the Pal Pad inside the void and I've had the usual Veilstone department stores ever since) or Floaroma Meadows.

If you use pokesav to place yourself into the void surrounding the HoO and start walking, you run into Iron Islands and Solaceon Ruins. If only we knew where these areas were read from, we could extrapolate where we would need to enter the void in order to get HoOs.... (keep in mind we can enter the void from any building we want, even buildings that are untweakable, by performing the regular void glitch and saving behind the building's door when in FS).

EDIT: Figured something out. Walk into the Jubilife pokemon center, save your game, then use pokesav to change your map coordinates to 510,6,9,0. When you reload, you'll be in the HoO but with the Jubilife pokemon center's NPCs. Talk to the little girl in front of you to trigger a battle with Arceus. Now change your coordinates to 510,13,5,0. You're in front of a different person now, yet talking to him will also trigger Arceus.

This means that more than just one single script can trigger Arceus (but not all of them, e.g. Nurse Joy doesn't say 'Dodogyuuun' now :P ). Given that I just demonstrated that you keep the NPCs from the last map you save in, we will for sure trigger a battle with Arceus if, starting from a void area X, we manage to - without saving and resetting - find a HoO void when our x and y positions are at values that put us next to NPCs on our original map X.

If only we knew where the 'next map id' bits were stored in memory, we might be able to write a lua script that determines whether the HoO is reachable from any given position...
« Last Edit: September 28, 2015, 01:27:58 pm by vowel »

SatoMew

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #68 on: September 28, 2015, 01:35:56 pm »
Well, I asked for clarification because I have already reached a real Hall of Origin void (I posted about it earlier). But the voids surrounding it are the same ones bordering the Hall of Origin itself.

EDIT: Here's yet another real Hall of Origin void which may or may not be the same one I found earlier. I only went west and south of 319W this time around.

« Last Edit: September 28, 2015, 02:09:11 pm by SatoMew »

~Poke~

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #69 on: September 28, 2015, 10:57:43 pm »
3 hours after I started, I'm done writing this post. Sorry for the wall of text, I got carried away!
To clarify, when I said real/fake HoO earlier I meant 510/511. That was a silly choice of words when real/fake Sinnoh are a thing, sorry :P

Quote
EDIT: Figured something out. Walk into the Jubilife pokemon center, save your game, then use pokesav to change your map coordinates to 510,6,9,0. When you reload, you'll be in the HoO but with the Jubilife pokemon center's NPCs. Talk to the little girl in front of you to trigger a battle with Arceus. Now change your coordinates to 510,13,5,0. You're in front of a different person now, yet talking to him will also trigger Arceus.

This means that more than just one single script can trigger Arceus (but not all of them, e.g. Nurse Joy doesn't say 'Dodogyuuun' now :P ). Given that I just demonstrated that you keep the NPCs from the last map you save in, we will for sure trigger a battle with Arceus if, starting from a void area X, we manage to - without saving and resetting - find a HoO void when our x and y positions are at values that put us next to NPCs on our original map X.

Hey, I can explain that! Let's look at Spiky's DS Map Editor.


The Hall of Origin loads script file 232, which is:
Code: [Select]
Script #1

CheckFlag 0x8E
CompareLastResultJump 0x1 Function_#1
End


Script #2

LockAll
SetVar 0x4118 0x0
Call Function_#2
Call Function_#3
PlayCry 0x1ED 0x0
WaitCry
Call Function_#8
PlayCry 0x1ED 0x0
Message 0x0
CloseMessageOnKeyPress
ClearFlag 0x8E
WildBattle2 0x1ED 0x50
SetFlag 0x8E
CheckLost 0x800C
If 0x800C 0x0
CompareLastResultJump 0x1 Function_#9
CheckWildBattle2 0x800C
If 0x800C 0x1
CompareLastResultJump 0x1 Function_#10
ClearFlag 0x11E
ReleaseAll
End


Script #3

End


Script #4

UseScript_#2
There are also functions and movements as part of this script file, but they're less telling so I'll leave them out.

As you can see, script 2 involves playing a cry and starting a battle; this would be the Arceus fight. All script 4 does is call script 2, which is nice since it doubles our chances of making this work.
In the event viewer, the HoO has 2 events. One overworld (Arceus) who is set to script 0 and one trigger set to script 2. The trigger has a flag associated - this probably means it only appears when that flag is set, that flag being the event? It's 16664 if anyone knows.

The 511 HoO doesn't have events, but it does have a script file. It turns out this is shared with a lot of Turnback Cave maps:
Code: [Select]
Script #1

End
Just a dummy. This is also set for EVERYWHERE and NOTHING Mystery Zones.

The level scripts sound important too, since in the GBA games they're the scripts that run automatically/on entering the area. But no matter which one I try to look at, it just contains:
Code: [Select]
Level Scripts File
Maybe I haven't checked a map that has them? That's what the restaurant has though, and it definitely kicks people out automatically. That's also what the Underground has and we know it can crash people on entering so I guess they're in a different format that SDSME can't read?

This functionality could probably be replicated with a trigger that covers the whole map, but the restaurant doesn't have any triggers. I don't think that would affect the void either, since the trigger has a specific X and Y location + area.

Quote
If only we knew where the 'next map id' bits were stored in memory, we might be able to write a lua script that determines whether the HoO is reachable from any given position...
A tip I can give you about that is that it's based on the map matrix. Matrix 0 is the overworld. It looks like this:

The selected place is at (0,0) so that's what 430N is north of, after resetting. If we can find where this is stored maybe we can see what incorrect data is loaded by incorrect coordinates? Alternately we could brute force it with a script that changes our X and/or Y by 32 at a time and records the results. (Maybe 31 at a time, then taking one step to make sure it's loading things correctly?).
(One note, I don't think the x and y that the new script fetches are settable? I'm not too experienced with RAM so I might be doing something wrong. The simplest way to do it manually seemed to be set a cheat then disable it, but the value reverts. Is this just a RAM mirror?)

Something else notable is that the overworld matrix has 3 "layers". One for headers (pictured), one for map height (only set for Mystery Zones around actual maps) and one for map files. We get a lot of junk data for headers but little or none for the rest? The "blackouts" referred to in the doc might be related to map height. The only map files seem to be Fake Sinnoh, when the coordinates loop. Perhaps that's handled differently.
Most other matrices only have a map file layer, so the headers must come from somewhere else. The Great Marsh has all 3 layers though, to allow different encounters in different parts. The matrix itself is much smaller, but perhaps its void is as interesting as the overworld because of this? I'll have to explore this. There are no other 3 layer matrices in Pearl or Platinum.

HG/SS are also really interesting in that regard, since they have two 3 layer matrices being the overworld and the safari zone. That safari zone can be customised.

Quote
When you mean "real place", are you referring to an actual location or a void area with the same map ID as said location?

A HoO void next to (or 1 matrix space/32 tiles away from, or other distances useful in tweaking?) the loaded building that is the entry point. Thinking further on this, I don't think tweaking affects the map like that though. It moves/clears the terrain and movement permissions which are part of the map file itself, rather than scripts and events which are part of the map header. The only useful thing that stands out to me there is map re-entry without a walk anywhere code.

Quote
Here's yet another real Hall of Origin void which may or may not be the same one I found earlier. I only went west and south of 319W this time around.

The areas in the void repeat to the North-East and South-West, or directly West where X underflows, North where Y underflows. The size of the matrix... might affect this? I kind of thought it did but now I'm not sure. The Poketch matrix is 1x1, and its void looks like this in my save (allcaps is the Poketch that I entered from, with graphics and etc.):

Code: [Select]
[Mystery Z][Veilstone][Veilstone][Floaroma ]
[Veilstone][Floaroma ][Floaroma ][Poketch  ]
[Floaroma ][Poketch  ][Poketch  ][Mystery Z]
[Floaroma ][Poketch  ][POKETCH  ][Mystery Z]
[Poketch  ][Mystery Z][Mystery Z][Mystery Z]

Every [] is one cell of the matrix, and is 32x32 tiles.
The repeat on the underflow makes a bit of a mess of it, since you can see the diagonal pattern doesn't include the real Poketch Co.

Hall of Origin is a 2x2 matrix, and I'm seeing something like this?:

Code: [Select]
. . . . . . . . . . . . . . . . . . . . . . . . . . . . [Iron  Island][SolaceonRuin][SolaceonRuin][Iron  Island]
. . . . . . . . . . . . . . . . . . . . . . . . . . . . [Iron  Island][HallOfOrigin][HallOfOrigin][HallOfOrigin]
[Mystery Zone][Mystery Zone][SolaceonRuin][Iron  Island][HallOfOrigin][HallOfOrigin][HALLOFORIGIN][HALLOFORIGIN]
[SolaceonRuin][Iron  Island][HallOfOrigin][HallOfOrigin][HallOfOrigin][HallOfOrigin][HALLOFORIGIN][HALLOFORIGIN]
[Iron  Island][HallOfOrigin][HallOfOrigin][HallOfOrigin]
[HallOfOrigin][HallOfOrigin][Mystery Zone]
That looks like a mess so it probably isn't accurate. I'm not sure whether it's inconsistent depending on path, or I'm just losing track of it but I need to stop trying to count this out manually. The point is there's repetition, hopefully some lua can keep track of the specifics later.

I think this may be because of the out of bounds coordinates on the matrix, eg:
[A1][B1][C1]
[A2][B2][C2]
[A3][B3][C3]
being stored as:
[A1][B1][C1][A2][B2][C2][A3][B3][C3]
Since the game knows the dimensions of the matrix, it knows where to read from. If you're outside that, everything breaks.

Either because it's so big, or because it's read differently, the overworld matrix doesn't seem to do this.

This post has been something like 4 hours to write so I'm going to stop it here. Sorry it's so big, there was so much to reply to then I got carried away testing things.
« Last Edit: September 29, 2015, 01:02:36 am by ~Poke~ »
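The flat-storage hypothesis in the post above (a w x h matrix kept row-major and indexed as y*w + x with no bounds check) can be modelled directly. This is an added example, not code from the thread or from the game: the 3x3 matrix is the one drawn in the post, the data placed after it in memory and every function name are constructed assumptions, and it shows why out-of-range coordinates alias other cells along a diagonal and then spill into whatever follows the matrix.

```python
# Added example, not from the thread: a model of the row-major, unchecked
# matrix lookup hypothesised in the post. Only the 3x3 A1..C3 layout comes
# from the post; AFTER_MATRIX stands in for whatever the real game keeps
# after a matrix in RAM and is purely constructed.

MATRIX_3X3 = ["A1", "B1", "C1",
              "A2", "B2", "C2",
              "A3", "B3", "C3"]           # stored flat, as the post shows
AFTER_MATRIX = ["N0", "N1", "N2", "N3"]   # constructed: data following the matrix
MEMORY = MATRIX_3X3 + AFTER_MATRIX        # one flat region, matrix at index 0
WIDTH, HEIGHT = 3, 3


def flat_index(x, y, width=WIDTH):
    """Row-major cell index; this is what the game is assumed to compute."""
    return y * width + x


def lookup_unchecked(x, y, width=WIDTH, memory=MEMORY):
    """Reads memory[y*w + x] with no bounds check. Returns None only when the
    index leaves the modelled region entirely (a real game would read junk)."""
    idx = flat_index(x, y, width)
    return memory[idx] if 0 <= idx < len(memory) else None


def lookup_checked(x, y, width=WIDTH, height=HEIGHT, memory=MEMORY):
    """The bounds-checked form: out-of-range coordinates never touch memory."""
    if not (0 <= x < width and 0 <= y < height):
        return None
    return memory[flat_index(x, y, width)]


def alias_of(x, y, width=WIDTH, height=HEIGHT):
    """Which in-bounds cell an out-of-range (x, y) really reads, if the flat
    index still lands inside the matrix buffer; e.g. (3, 0) on a 3-wide
    matrix is the same byte as (0, 1)."""
    idx = flat_index(x, y, width)
    if 0 <= idx < width * height:
        return idx % width, idx // width
    return None


def void_grid(x_range, y_range, width=WIDTH, memory=MEMORY):
    """Renders what unchecked reads return over a coordinate window, in the
    bracketed style of the diagrams in the post ('?' = outside the model)."""
    rows = []
    for y in y_range:
        cells = [lookup_unchecked(x, y, width, memory) or "?" for x in x_range]
        rows.append("".join(f"[{c:^4}]" for c in cells))
    return "\n".join(rows)


if __name__ == "__main__":
    # Each row is shifted by WIDTH cells relative to the one above, which is
    # the diagonal repetition the post describes; past index 8 the reads
    # come from AFTER_MATRIX instead of the matrix.
    print(void_grid(range(-1, 5), range(-1, 5)))
```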

Krys3000

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #70 on: September 29, 2015, 11:52:58 am »
Hello guys,

At PRAMA we are currently going back to a Tweaking project in order to find a safer way to reach Darkrai. We had a few results on it but it's still early.

Anyway, I follow your discussion, which is becoming very interesting. It would be really, really great if you could find a way to enter a void and make the battle with Arceus!


vowel

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #71 on: September 29, 2015, 12:14:35 pm »
Quote
As you can see, script 2 involves playing a cry and starting a battle; this would be the Arceus fight. All script 4 does is call script 2, which is nice since it doubles our chances of making this work.
Well, that explains that then! So we do need to find the correct NPC, which is either #2 or #4.
Quote
In the event viewer, the HoO has 2 events. One overworld (Arceus) who is set to script 0 and one trigger set to script 2. The trigger has a flag associated - this probably means it only appears when that flag is set, that flag being the event? It's 16664 if anyone knows.
From my very small experience trying to hack Pokemon Ruby a decade ago, yes, you're probably right that 16664 is the flag it checks for to see whether you have the Azure Flute etc.

Quote
Alternately we could brute force it with a script that changes our X and/or Y by 32 at a time and records the results. (Maybe 31 at a time, then taking one step to make sure it's loading things correctly?).
(One note, I don't think the x and y that the new script fetches are settable? I'm not too experienced with RAM so I might be doing something wrong. The simplest way to do it manually seemed to be set a cheat then disable it, but the value reverts. Is this just a RAM mirror?)
You're a genius, and your observation on the settability of x and y is correct. You inspired me to change my lua script to the following - excuse the messiness, and note that I've only looked at the x id, though the y id should be 8 bytes after the x id's location in all cases:
Code: [Select]
function whereami()
aslr_data_ptr = memory.readdword(0x021C4D28)
mapdata_ptr = memory.readdword(aslr_data_ptr + 0x4)
m = memory.readword(mapdata_ptr + 0x14A4)
x = memory.readword(mapdata_ptr + 0x14A4 + 8)
y = memory.readword(mapdata_ptr + 0x14A4 + 12)
z = memory.readword(mapdata_ptr + 0x14A4 + 0x6C99A)

all_x = {0x226E7AC, 0x2291DE4, 0x2291DF0, 0x2291DFE,0x2333286,0x2333292,0x23332BA,0x2333E0A4}
for i = 1,8 do
-- The values above were taken from my own save state of Pearl. As such, we need to subtract my own map_data_ptr from them, and add the current session's:
all_x[i] = all_x[i] - 0x226D300 + mapdata_ptr
end

gui.text(1,104,string.format("Matrix: %d, X: %d, Y: %d, Z: %d",m,x,y,z))
gui.text(0,114,string.format("ASLR data: 0x%X / map data: 0x%X",aslr_data_ptr,mapdata_ptr))
gui.text(0,124,string.format("X: %d %d %d %d %d %d %d %d",memory.readword(all_x[1]),memory.readword(all_x[2]),memory.readword(all_x[3]),memory.readword(all_x[4]),memory.readword(all_x[5]),memory.readword(all_x[6]),memory.readword(all_x[7]),memory.readword(all_x[8])))

--force_x = 561+0
--memory.writeword(all_x[1],force_x) -- if this one is different from the others, the save file will be corrupted; if it is forced during save loading, the game will immediately crash when the save is loaded. This seems to actually move you collision-wise, but not visually.
--memory.writeword(all_x[2],force_x) -- the same; also if this one is forced, the save load screen will display a glitched white block. Does nothing live - perhaps this is the saved x position only?
--memory.writeword(all_x[3],force_x) -- changes map ID!!! but only live, not when loading save. Can be used to save inside a MZ (open start menu, change value to warp you into MZ), with bizarre results.
--memory.writeword(all_x[4],force_x) -- immediately snaps you into place, but without changing map id. Is saved when you save the game only if forced DURING the save, otherwise your new position is NOT saved. Interestingly, THIS IS ONLY GRAPHICAL
--memory.writeword(all_x[5],force_x) -- seems related to graphics loading
--memory.writeword(all_x[6],force_x) -- this one...
--memory.writeword(all_x[7],force_x) -- ...and this one are related; if one of them is flipped, the screen goes black and the other one starts counting like a madman. Counting resets when reloading the graphics. When forcing these to be set and taking a step, the perspective twists, showing this is controlling the camera.
--memory.writeword(all_x[8],force_x) -- unknown?

end
gui.register(whereami)
In other words, we can read out what the next map ID is going to be by changing our x to x+32, reading the matrix that gives us, and going back. I don't really have time to code this, but it seems a good PoC would be if we could 'virtually' travel to Darkrai by manipulating this value in increments of 32 and to see if this indeed replicates the path to Darkrai we actually observe ourselves taking. Just a thought.

What can be observed from the above in any case, is that there are actually three separate x (and y, and z too? the zs are at a wildly different location in RAM compared to the xs and ys) values: let's call them x.collision (number 1 in the lua script above), x.graphics (number 3), and x.mapmatrix (number 4). I believe that x.graphics might in fact be the real one, since our Fake Sinnohs (which are very real :P ) have proper graphics, but improper collision data and map headers, and when we progress through FS we actually progress in reality.

I'm afraid I am pressed for time right now, so I'm sorry that I won't be able to treat your other points in depth at this time. I did read them though, but the only quick reply I can give you right now is that they're way over my head  ;D
« Last Edit: September 29, 2015, 12:18:22 pm by vowel »

Pawny

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #72 on: September 29, 2015, 12:31:07 pm »
Well, I asked for clarification because I have already reached a real Hall of Origin void (I posted about it earlier). But the voids surrounding it are the same ones bordering the Hall of Origin itself.

EDIT: Here's yet another real Hall of Origin void which may or may not be the same one I found earlier. I only went west and south of 319W this time around.
If you're on the Hall of Origin void, the areas are just repeating diagonally. It's explained on the doc.
Hug me~!

SatoMew

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #73 on: September 29, 2015, 12:52:39 pm »
To clarify, when I said real/fake HoO earlier I meant 510/511. That was a silly choice of words when real/fake Sinnoh are a thing, sorry :P

It's OK :)


The Hall of Origin loads script file 232, which is:
Script #1

CheckFlag 0x8E
CompareLastResultJump 0x1 Function_#1
End


Script #2

LockAll
SetVar 0x4118 0x0
Call Function_#2
Call Function_#3
PlayCry 0x1ED 0x0
WaitCry
Call Function_#8
PlayCry 0x1ED 0x0
Message 0x0
CloseMessageOnKeyPress
ClearFlag 0x8E
WildBattle2 0x1ED 0x50
SetFlag 0x8E
CheckLost 0x800C
If 0x800C 0x0
CompareLastResultJump 0x1 Function_#9
CheckWildBattle2 0x800C
If 0x800C 0x1
CompareLastResultJump 0x1 Function_#10
ClearFlag 0x11E
ReleaseAll
End


Script #3

End


Script #4

UseScript_#2
There are also functions and movements as part of this script file, but they're less telling so I'll leave them out.

As you can see, script 2 involves playing a cry and starting a battle; this would be the Arceus fight. All script 4 does is call script 2, which is nice since it doubles our chances of making this work.
In the event viewer, the HoO has 2 events. One overworld (Arceus) who is set to script 0 and one trigger set to script 2. The trigger has a flag associated - this probably means it only appears when that flag is set, that flag being the event? It's 16664 if anyone knows.

Is this for Diamond and Pearl or Platinum? In Diamond and Pearl, the Arceus sprite will appear even if you don't have the Azure Flute (regardless of the state of the event flag) but this is not the case in Platinum, in which the Azure Flute is required to make the sprite appear.

A HoO void next to (or 1 matrix space/32 tiles away from, or other distances useful in tweaking?) the loaded building that is the entry point. Thinking further on this, I don't think tweaking affects the map like that though. It moves/clears the terrain and movement permissions which are part of the map file itself, rather than scripts and events which are part of the map header. The only useful thing that stands out to me there is map re-entry without a walk anywhere code.

[...]

The areas in the void repeat to the North-East and South-West, or directly West where X underflows, North where Y underflows. The size of the matrix... might affect this? I kind of thought it did but now I'm not sure. The Poketch matrix is 1x1, and its void looks like this in my save (allcaps is the Poketch that I entered from, with graphics and etc.):

Oh, I see.

If you're on the Hall of Origin void, the areas are just repeating diagonally. It's explained on the doc.

Is this the relevant part you're referring to?

Quote from: HallofOrigin void knowledge doc
Going 32 steps north from an area and then going east will result in you getting to the same area. The amount of steps required varies on the void. Sinnoh requires 960 steps east before you reach the same area while indoor areas require 32.

Pawny

Re: "Void Knowledge Archive, by the members of HallofOrigin"
« Reply #74 on: September 29, 2015, 01:08:32 pm »
Yeah. It's thanks to that we'd be able to enter Hall of Origin without the walk-through-walls cheat in case we found it in the void. I don't remember if these are the exact coordinates but going something like 65536 steps east, 65536 north and then 65536 east again you should enter a Fake HoO in an HoO area, assuming you're starting from its initial area (the steps would vary according to where you'd start from).
« Last Edit: September 29, 2015, 01:09:44 pm by Pawny »
Hug me~!
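As an added illustration of the "32 north, then width*32 east brings you back to the same area" rule quoted from the void knowledge doc above, and of vowel's earlier idea of walking the map matrix virtually in 32-step increments, here is a constructed Python model. It is written for this page and is not code from the thread, the doc, or the game. Everything in it is an assumption of the model rather than a documented fact about gen 4: the matrix is treated as a row-major array with one map ID per 32x32-tile block, the lookup is `index = block_y * width + block_x` with no bounds check, Sinnoh is taken as 30 blocks wide only because 960 / 32 = 30, and the names (`MapMatrix`, `virtual_walk`, `steps_east_to_alias`), sample IDs and "trailing" words are made up. The 16-bit coordinate wraparound behind Pawny's 65536-step figure is deliberately not modelled.

```python
# Constructed model of how an unchecked flat map-matrix lookup aliases
# out-of-range coordinates onto valid cells (void behaviour). Not game code.
# Assumptions (mine, not the thread's): row-major array, one map ID per
# 32x32-tile block, index = block_y * width + block_x, read without a
# bounds check. Tile coordinates are plain integers: north = -y, east = +x.
from typing import List, Optional, Tuple

BLOCK = 32  # tiles per matrix cell: the "32 steps" per area in the thread


class MapMatrix:
    def __init__(self, width: int, height: int,
                 cells: List[int], trailing: List[int]) -> None:
        if len(cells) != width * height:
            raise ValueError("cells must hold width*height map IDs")
        self.width = width
        self.height = height
        # Flat "RAM": the matrix followed by whatever happens to sit after it.
        self.ram = list(cells) + list(trailing)

    def flat_index(self, x: int, y: int) -> int:
        """Index the unchecked lookup computes for tile (x, y); may be out of
        range. Floor division makes negative coordinates step backwards, so
        x < 0 lands on the east end of the previous row ('X underflows')."""
        bx, by = x // BLOCK, y // BLOCK
        return by * self.width + bx

    def in_bounds(self, x: int, y: int) -> bool:
        """True only for coordinates inside the real matrix (non-void case)."""
        bx, by = x // BLOCK, y // BLOCK
        return 0 <= bx < self.width and 0 <= by < self.height

    def map_id_at(self, x: int, y: int) -> Optional[int]:
        """What the unchecked read returns: a matrix cell, a word of trailing
        data past the matrix, or None once the index leaves modelled RAM."""
        i = self.flat_index(x, y)
        if 0 <= i < len(self.ram):
            return self.ram[i]
        return None


def steps_east_to_alias(m: MapMatrix) -> int:
    """Tiles east needed, after 32 tiles north, to land on the same cell:
    one row up subtracts `width` from the index, `width` blocks east adds it back."""
    return m.width * BLOCK


def virtual_walk(m: MapMatrix, x: int, y: int,
                 moves: List[Tuple[int, int]]) -> List[Tuple[int, int, int, Optional[int]]]:
    """vowel's PoC idea in model form: move in whole blocks and record, per step,
    the tile position, the index the lookup would use and the value read.
    `moves` is a list of (dx, dy) in blocks."""
    path = []
    for dx, dy in moves:
        x += dx * BLOCK
        y += dy * BLOCK
        path.append((x, y, m.flat_index(x, y), m.map_id_at(x, y)))
    return path


# Constructed sample data. Sinnoh is 30 blocks wide here only because the doc's
# 960 steps east is 30 * 32; the map IDs and trailing words are invented.
SINNOH = MapMatrix(30, 30, cells=[0x100 + i for i in range(900)],
                   trailing=[0xAAAA] * 32)
INDOOR = MapMatrix(1, 1, cells=[0x1000], trailing=[0xBBBB] * 4)


def demo() -> dict:
    """The checks a reader would want at a glance, as return values."""
    start = (200, 200)
    north_then_east = (200 + steps_east_to_alias(SINNOH), 200 - BLOCK)
    return {
        "sinnoh_steps_east": steps_east_to_alias(SINNOH),   # 960, as in the doc
        "indoor_steps_east": steps_east_to_alias(INDOOR),   # 32, as in the doc
        "aliases": SINNOH.flat_index(*start) == SINNOH.flat_index(*north_then_east),
        "west_underflow": SINNOH.flat_index(-32, 64) == SINNOH.flat_index(928, 32),
        "past_matrix": SINNOH.map_id_at(0, 960),            # trailing word, not a cell
        "off_ram": SINNOH.map_id_at(0, 32 * 32),            # None: left modelled RAM
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    for step in virtual_walk(SINNOH, 0, 0, [(1, 0)] * 3 + [(0, 1)]):
        print(step)
```

The point of the model is that a lookup which never checks `0 <= index < width*height` turns every out-of-range coordinate into a read of some other cell, or of whatever data lies after the matrix, which is why the void shows valid-looking areas repeating along a diagonal (for a 1x1 indoor matrix, one block north-east gives index 0 again) and why `in_bounds` is the check that separates the real map from the void.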