God Egg glitch
Because of the unique way the Odd Egg event is implemented in the game, the God Egg glitch causes memory corruption and also leaves the player's party species list with a 0xFF terminator in the wrong place.
Generation II games have several distinct functions for giving the player an Egg. In particular, the Odd Egg event, after determining the data of the Egg, calls the function AddMobileMonToParty, which was originally used for mobile functionalities in Japanese Pokémon Crystal. The coding of AddMobileMonToParty is unusual in that it uses loops, rather than arithmetic, to compute the memory addresses to write to. For example, in order to add the initial value of [wPartyCount] to the address wPartySpecies, the code does:

        ld hl, wPartyCount
        ld a, [hl]
        ld e, a            ; Store the initial party count in e
        inc [hl]           ; Increase the party count
        ...
        ld bc, wPartySpecies
        ld d, e            ; Copy the party count into d
    .loop1
        inc bc
        dec d
        jr nz, .loop1

If the player manages to execute AddMobileMonToParty with an empty party (i.e. a party count of 0), then the value of d will be set to 0 before the loop, and will underflow to 255 in the first iteration of the loop. Since the code only checks whether d is 0 after the loop body, the loop will run for 255 more iterations, causing the value of bc to be increased by 256 in total. Essentially, the code treats a party count of 0 as if it were 256, writing the species byte of the Pokémon to add (Egg in this case) into the species byte of the "257th Pokémon in the party", and then a 0xFF party terminator into the next byte.
There are four more similar loops in AddMobileMonToParty to compute the addresses for the new Pokémon's main data, OT name, nickname, and mail message, each with the same underflow problem. As a result, the game writes the data for the Odd Egg into all the wrong addresses, and into none of the correct ones. The latter aspect is arguably the more important and more exploitable part of the God Egg glitch.
Party terminator desync
With a "normal" empty party (e.g. at the beginning of the game, or after the Battle Tower SRAM glitch), the player's party count is 0, the species byte for party Pokémon 1 is the 0xFF terminator, and all other data for party Pokémon 1 are not properly initialized. The God Egg glitch increases the party count to 1, but does not actually write the data of a 1st Pokémon into the proper addresses. In particular, the species byte for party Pokémon 1 remains a 0xFF byte without an additional terminator. (This party representation is similar to the effects of the international 'dokokashira door glitch'.) The party menu can be opened, and in it can be found a ????? (0xFF)/????? (0x00) hybrid Pokémon with an unterminated name, no moves, and all stats at 0.
The glitch Pokémon can be used for 0x1500 control code arbitrary code execution. Like other glitches that allow the player to obtain ?????, it can also be used for ????? party overloading to obtain hold items (such as key items for the duplicate key items glitch and the expanded Balls pocket) or to manipulate any (valid) Pokémon in the game.
The God Egg glitch also directly corrupts memory by writing to the data of the "257th Pokémon in the party". The corrupted addresses are:
- $DDD8 and $DDD9, which are somewhere in the main data of party Pokémon 6.
- $0CDF ~ $0D0E, which are in the ROM. Writes to those addresses will be interpreted as disabling or enabling the SRAM, which does not matter since later, when writing the mail message, the SRAM is opened and then closed anyway.
- $E8FF ~ $E909, which are somewhere in the overworld map buffer, far out of bounds for the daycare map.
- $E941 ~ $E94B, same as above.
- $D500 ~ $D52E, which overlaps wObject2Struct. In the Day Care, those objects are the old man and the old lady.
The most obvious effect of this memory corruption is that the old man and the old lady disappear from the screen.
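The following C model is an added example, not code from the game or its disassembly. It emulates the loop shape described above (8-bit counter tested only after the body, 16-bit pointer) and, for a party count of 0, reproduces the start addresses in the list of corrupted addresses. The base addresses and record sizes in the table are assumptions that are not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* The loop shape the page describes: advance the pointer, decrement an
 * 8-bit counter, and test for zero only after the body (dec d / jr nz). */
uint16_t loop_address(uint16_t base, uint8_t stride, uint8_t count)
{
    uint16_t addr = base;  /* 16-bit register pair: wraps at 0x10000 */
    uint8_t d = count;     /* 8-bit register: 0 - 1 wraps to 255 */
    do {
        addr = (uint16_t)(addr + stride);
        d--;
    } while (d != 0);
    return addr;
}

/* The same address computed by arithmetic, which is correct for count 0. */
uint16_t intended_address(uint16_t base, uint8_t stride, uint8_t count)
{
    return (uint16_t)(base + (uint16_t)(stride * count));
}

/* ASSUMED bases and record sizes (not stated on the page), chosen so the
 * results can be compared with the page's list of corrupted addresses. */
struct region { const char *name; uint16_t base; uint8_t stride, written; };
static const struct region regions[] = {
    { "species list", 0xDCD8,  1,  2 },  /* species byte + 0xFF terminator */
    { "main data",    0xDCDF, 48, 48 },
    { "OT name",      0xDDFF, 11, 11 },
    { "nickname",     0xDE41, 11, 11 },
    { "mail message", 0xA600, 47, 47 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        uint16_t ok  = intended_address(r->base, r->stride, 0);
        uint16_t bad = loop_address(r->base, r->stride, 0);
        printf("%-13s intended $%04X, loop writes $%04X ~ $%04X\n",
               r->name, (unsigned)ok, (unsigned)bad,
               (unsigned)(uint16_t)(bad + r->written - 1));
    }
    return 0;
}
```

For any non-zero count the two functions return the same address, which is why the misplaced writes only occur with an empty party.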
- Apart from the Crystal-exclusive AddMobileMonToParty, there is also GiveEgg (used for the Togepi Egg received in Violet City) and DayCare_GiveEgg (for Eggs produced by breeding).
- The function AddMobileMonToParty in the disassembly