God Egg glitch

From Glitch City Wiki

The God Egg glitch is a glitch in Pokémon Crystal. It happens when the player receives the Odd Egg while the player's party count is 0.

Due to the unique way the Odd Egg event is implemented in the game, this causes memory corruption, and also leaves the player's party species list with a 0xFF terminator in the wrong place.

Analysis

Generation II games have several distinct functions for giving the player an Egg[1]. In particular, the Odd Egg event, after determining the data of the Egg, calls the function AddMobileMonToParty, which was originally used for mobile features in Japanese Pokémon Crystal. The code of AddMobileMonToParty[2] is unusual in that it uses loops, rather than arithmetic, to compute the memory addresses to write to. For example, to add the initial value of [wPartyCount] to the address wPartySpecies, the code does:

	ld hl, wPartyCount
	ld a, [hl]
	ld e, a               ; Store the initial party count in e
	inc [hl]              ; Increase the party count
	...
	ld bc, wPartySpecies
	ld d, e               ; Copy the party count into d
.loop1
	inc bc
	dec d
	jr nz, .loop1

If the player manages to execute AddMobileMonToParty with an empty party (i.e. a party count of 0), then the value of d will be set to 0 before the loop, and underflow to 255 in the first iteration of the loop. Since the code only checks whether d is 0 after the loop body, the loop will run for 255 more iterations, causing the value of bc to be increased by 256 in total. Essentially, the code treats a party count of 0 as if it were 256, writing the species byte of the Pokémon to add (Egg in this case) into the species byte of the "257th Pokémon in the party", and then an 0xFF party terminator into the next byte.

There are four more similar loops in AddMobileMonToParty to compute the addresses for the new Pokémon's main data, OT name, nickname, and mail message, each with the same underflow problem. As a result, the game writes the data for the Odd Egg into all the wrong addresses and into none of the correct ones. The latter aspect is arguably the more important and more exploitable part of the God Egg glitch.

Party terminator desync

With a "normal" empty party (e.g. at the beginning of the game, or after the Battle Tower SRAM glitch), the player's party count is 0, the species byte for party Pokémon 1 is the 0xFF terminator, and all other data for party Pokémon 1 are not properly initialized. The God Egg glitch increases the party count to 1, but does not actually write the data of a 1st Pokémon into the proper addresses. In particular, the species byte for party Pokémon 1 remains an 0xFF byte without an additional terminator. (This party representation is similar to the effects of the international 'dokokashira door glitch'.) The party menu can then be opened, and in it the player finds a Pokémon with an unterminated name, a ????? (0xFF)/????? (0x00) hybrid with no moves and all stats at 0.

The glitch Pokémon can be used for 0x1500 control code arbitrary code execution. Like other glitches that allow the player to obtain ?????, it can also be used for ????? party overloading to obtain hold items (such as key items for the duplicate key items glitch and the expanded Balls pocket) or to manipulate any (valid) Pokémon in the game.

Corrupted addresses

The God Egg glitch also directly corrupts memory by writing to the data of the "257th Pokémon in the party". The corrupted addresses are:

  • $DDD8 and $DDD9, which are somewhere in the main data of party Pokémon 6.
  • $0CDF ~ $0D0E, which are in the ROM. Writes to those addresses will be interpreted as disabling or enabling the SRAM, which does not matter since later, when writing the mail message, the SRAM is opened and then closed anyway.
  • $E8FF ~ $E909, which are somewhere in the overworld map buffer, far out of bounds for the daycare map.
  • $E941 ~ $E94B, same as above.
  • $D500 ~ $D52E, which overlaps wObject1Struct and wObject2Struct. In the Day Care, those objects are the old man and the old lady.

The most obvious effect of this memory corruption is that the old man and the old lady disappear from the screen.
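
The following C model is an added example, not code from the game or the disassembly. It reproduces the decrement-then-test loop from the Analysis section next to a bounds-checked arithmetic version, and shows how an initial count of 0 produces the start addresses listed above. The base addresses and strides in the table are assumptions back-derived from the listed ranges (range start minus 256 × range length, modulo 0x10000), and the function names and PARTY_MAX are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PARTY_MAX 6 /* assumption: six party slots, as the page's "party Pokemon 6" implies */

/* Same shape as .loop1: the body runs, then the 8-bit counter is decremented
   and tested. A starting count of 0 wraps to 255, so the body runs 256 times.
   uint16_t models the 16-bit register pair, which wraps past $FFFF. */
static uint16_t buggy_slot_addr(uint16_t base, uint16_t stride, uint8_t count)
{
    uint16_t addr = base;
    uint8_t d = count;
    do {
        addr = (uint16_t)(addr + stride);
        d--;
    } while (d != 0);
    return addr;
}

/* Hardened form: reject a full party, then compute the offset arithmetically,
   so a count of 0 yields the first slot. Returns 0 on success, -1 on error. */
static int safe_slot_addr(uint16_t base, uint16_t stride, uint8_t count, uint16_t *out)
{
    if (count >= PARTY_MAX)
        return -1;
    *out = (uint16_t)(base + stride * count);
    return 0;
}

/* Constructed inputs: bases and strides back-derived from the page's list. */
static const struct { const char *name; uint16_t base, stride; } regions[] = {
    {"species", 0xDCD8, 1},   {"main data", 0xDCDF, 48}, {"OT name", 0xDDFF, 11},
    {"nickname", 0xDE41, 11}, {"mail", 0xA600, 47},
};

int main(void)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uint16_t good = 0;
        safe_slot_addr(regions[i].base, regions[i].stride, 0, &good);
        printf("%-9s buggy=$%04X safe=$%04X\n", regions[i].name,
               (unsigned)buggy_slot_addr(regions[i].base, regions[i].stride, 0),
               (unsigned)good);
    }
    return 0;
}
```

For counts 1 through 5 both functions agree; only a count of 0 diverges, which is why the loop form works in normal play.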

Videos

General use

YouTube video by ChickasaurusGL


In speedrun

YouTube video by entrpntr

(@2:25:30)


References

  1. Apart from the Crystal-exclusive AddMobileMonToParty, there is also GiveEgg (used for the Togepi Egg received in Violet City) and DayCare_GiveEgg (for Eggs produced by breeding).
  2. The function AddMobileMonToParty in the disassembly