Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
AreaDex
DexDex
ItemDex
MetascriptDex
TMHMDex
TrainerDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man glitch
Celebi Egg glitch
SRAM glitch
Buffer overflow techniques
Pomeg glitch data corruption (Glitzer Popping)
Tweaking
Pokémon cloning
Select glitches (Japan)
Time Capsule exploit
Arbitrary code execution
More

Other Glitch Categories
Glitches by generation
Japan-only/language specific glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Recurring glitches
More

References
Pokémon GameShark codes
Pokémon Game Genie codes
Disassembly projects
The Big HEX List
GB programming
Curiosities
Debugging features
Error traps
Non-glitch exploits
Pokémon glitch terminology
Unused content and prerelease information
More

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Technical
Site Source Code

Search Wiki

 

Search Forums

 

Author Topic: New way to get Game Corner glitch Pokémon with text pointer manipulation  (Read 384 times)

0 Members and 1 Guest are viewing this topic.

Evie Torchic the Glitch Scientist

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • Thank you for this lovely artwork Nyapon!
    • View Profile
0xF7, is the Game Corner text macro. In other words if a text box begins with 0xF7 and you have a Coin Case x1 or more in the inventory, you can load a Game Corner prize menu.

If you have access to the expanded items pack, this also gives you access to the text pointer table for the current map at D36C-D36D in Red/Blue (D36B-D36C in Yellow). This value stores a pointer that leads to a series of two byte pointers for each NPC. The text pointer table is controlled by item 40's ID (D36C) and quantity (D36D).

Following the pointers for each NPC, we can store our 0xF7 byte.

In practise, for example with NPC 2 on Route 1. We could do this:

1. Escape Rope x211 can be stored at item 40, so your text pointer table begins at D31D (item slot 1)
2. 21 D3 can be stored at D31F (ThunderStone x 211) which is our NPC 2 pointer
3. At D321 we can have the F7 byte (TM47)
4. Talking to the NPC with the Coin Case may allow us to purchase various glitch Pokémon

4 4 Hy, MissingNo. and 8 P ァ are here!



I've only just realised you can do this, and exiting the menu corrupted the player's name and party.

However, we could possibly research this more to avoid that side effect and/or get other glitch Pokémon.

As Game Corner coins are at D5A4, D5A5 if you need to have over 9999 coins to purchase a prize, you could possibly edit your coins from the expanded stored items pack in the PC (via a second dry underflow but in the PC).

Edit: The data for the prize box that appears may be based on the ID number of the NPC (the one stored at CF13).
« Last Edit: June 16, 2018, 06:00:07 pm by Torchickens »
Hi! I'm Evie. I'm a transgender person, but any pronouns are fine. She/her preferred.

Online I most often use the username Torchickens or Chickasaurus.

Contact:
http://www.youtube.com/user/ChickasaurusGL
https://www.vgcollect.com/Torchickens

Evie Torchic the Glitch Scientist

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • Thank you for this lovely artwork Nyapon!
    • View Profile
Just made a video on this glitch:

https://www.youtube.com/watch?v=fdLx80jJ4eU

I noticed one of the texts in Lavender Town (this sign specifically) would give variable Pokémon, sometimes with Q and sometimes without. For that reason it's possible the list was taken from somewhere like VRAM, where VRAM inaccessibility applies.



If there is a menu that takes its data from a convenient place in RAM, then you could possibly use that to have more control over the Pokémon that appear (e.g. somewhere in the inventory or stored PC items).
« Last Edit: June 17, 2018, 03:18:18 pm by Torchickens »
Hi! I'm Evie. I'm a transgender person, but any pronouns are fine. She/her preferred.

Online I most often use the username Torchickens or Chickasaurus.

Contact:
http://www.youtube.com/user/ChickasaurusGL
https://www.vgcollect.com/Torchickens

luckytyphlosion

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • JACK-flys are OP
    • View Profile
A dump for Blue version I did a few months ago: Link

By pure coincidence, Game Corner 59 (decimal) derives its entries from modifiable data in Item Underflow, and the coin cost from SRAM (which can be manipulated with a carefully crafted crash). I created a route to catch (almost) all 151 Pokemon using this glitch (Link), and a video of someone else performing the route can be found here.

The corruption happens because for some reason, the prize Pokemon are copied using CopyString, which terminates the copy with $50 ("@"), rather than using a fixed length copy. Note that the menu will always have only three Pokemon regardless of how many Pokemon were copied.
« Last Edit: June 17, 2018, 09:22:53 pm by luckytyphlosion »

Evie Torchic the Glitch Scientist

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • Thank you for this lovely artwork Nyapon!
    • View Profile
Great! Thanks lucky.

How could we load Game Corner 59 for general use? Is there a valid NPC/sign that can load it, or does it require some more item underflow trickery? Couldn't find text IDs in the Red/Blue map.
Hi! I'm Evie. I'm a transgender person, but any pronouns are fine. She/her preferred.

Online I most often use the username Torchickens or Chickasaurus.

Contact:
http://www.youtube.com/user/ChickasaurusGL
https://www.vgcollect.com/Torchickens

luckytyphlosion

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • JACK-flys are OP
    • View Profile
The method I used is a bit tricky and probably can't be used in a general case. Basically, when the game adds an item to your inventory, it'll first try to find if there's any item that matches the added item, otherwise it will continue searching until it finds a an instance of $ff in Item Underflow that's recognized as a terminator (so any even address starting from wNumBagItems/$d31e). Unfortunately, once the game recognizes the terminator, it uses the number of bag items as an offset from the start of the inventory to calculate the address to write the item to, meaning that you can only arbitrarily add items from $d31e to $d41c. However, we can abuse the other side effect of adding an item to the inventory by buying an item with an ID that corresponds to a sign text ID (reference in pokered/wram.asm), allowing us to modify the sign text ID after the sign text ID which matches the item ID with any value from 0 to 99 (as larger values would overflow into another slot).

EDIT: You can also use Connection Copier (another undocumented setup that was mostly hypothetical until now) to arbitrarily copy data from one place to another. I whipped up a barebones guide using the chat messages I saved a year ago when Connection Copier was discovered (Link), anyone with basic knowledge of Gameboy Memory should be able to understand it via hex editing, but there's no guide for practical application. The guide also does not explain how Connection Copier works.
« Last Edit: June 18, 2018, 11:24:16 am by luckytyphlosion »

Evie Torchic the Glitch Scientist

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • Thank you for this lovely artwork Nyapon!
    • View Profile
Thanks lucky! Wow that connection copier sounds like a cool exploit.

I looked into alternative options a little and thought of two alternatives which abuse opening the Town Map in a house in Cerulean City (ID 0x3F) and having Trainer-escape glitch yields enabled (source: D5A5 which is in stored PC items and is better than nothing).

1. Wrong warp to map 0x18 (Route 13) with D61A as 01, and have D7D9 (I don't know what this is used for, possibly event flags) read 0xF7. It seems you may be able to get a glitch mart this way as well as it did it on my 'completed' file. It seems this can be changed from the stored PC items, but I don't know what requirements this would mean yet.
2. Wrong warp to map 0xC6 (Victory Road) without opening any more menus. Once there, you must have D640 as 01 beforehand and the game will bring up a text box sourced from F917 (D917), which via a Link Battle you could manipulate to 0xF7. However, these requirements make it overly complex and it doesn't seem you can get the expanded PC items to extend far enough to corrupt D640.


Edit: For 1. I have this incomplete flag reference for D7D9



Not sure if you can get bit 0x00, and Glitch City RAM Manipulation unfortunately wouldn't work as all possible conversions set bit 0x3.
« Last Edit: June 18, 2018, 01:09:27 pm by Torchickens »
Hi! I'm Evie. I'm a transgender person, but any pronouns are fine. She/her preferred.

Online I most often use the username Torchickens or Chickasaurus.

Contact:
http://www.youtube.com/user/ChickasaurusGL
https://www.vgcollect.com/Torchickens