
God Egg glitch: Difference between revisions

Added an analysis of the cause of this glitch. This probably still needs a lot of cleanup (in particular the sections "Party terminator desync" and "Corrupted addresses"); hopefully I could find some time to return to this.
>Bbbbbbbbba
(Welp, I said that I was trying to sleep. Thanks for the fast research work Evie!)
 
Due to the unusual way the Odd Egg event is implemented in the game, this corrupts memory and also leaves the player's party species list with its 0xFF terminator in the wrong place.
 
==Analysis==
Generation II games have several distinct functions for giving the player an Egg<ref>Apart from the Crystal-exclusive <code>AddMobileMonToParty</code>, there is also <code>GiveEgg</code> (used for the Togepi Egg received in Violet City) and <code>DayCare_GiveEgg</code> (for Eggs produced by breeding).</ref>. In particular, the Odd Egg event, after determining the data of the Egg, calls the function <code>AddMobileMonToParty</code>, which was originally used for mobile functionality in Japanese Pokémon Crystal. The code of <code>AddMobileMonToParty</code><ref>[https://github.com/pret/pokecrystal/blob/8b429e2a545e87407a3b8c7b92f7ceafc455e390/mobile/mobile_46.asm#L7515 The function <code>AddMobileMonToParty</code> in the disassembly]</ref> is unusual in that it uses loops, rather than arithmetic, to compute the memory addresses to write to. For example, in order to add the initial value of <code>[wPartyCount]</code> to the address <code>wPartySpecies</code>, the code does:
<pre>
ld hl, wPartyCount
ld a, [hl]
ld e, a ; Store the initial party count in e
inc [hl] ; Increase the party count
...
ld bc, wPartySpecies
ld d, e ; Copy the party count into d
.loop1
inc bc ; Advance one species byte per existing party member
dec d ; d is an 8-bit register: 0 - 1 wraps to 255
jr nz, .loop1 ; The zero test happens only after the decrement
</pre>
If the player manages to execute <code>AddMobileMonToParty</code> with an empty party (i.e. a party count of 0), then the value of <code>d</code> will be set to 0 before the loop, and underflow to 255 in the first iteration of the loop. Since the code only checks whether <code>d</code> is 0 ''after'' the loop body, the loop will run for 255 more iterations, causing the value of <code>bc</code> to be increased by 256 in total. Essentially, the code treats a party count of 0 as if it were 256, writing the species byte of the Pokémon to add (Egg in this case) into the species byte of the "257th Pokémon in the party", and then an 0xFF party terminator into the next byte.
 
There are four more similar loops in <code>AddMobileMonToParty</code> to compute the addresses for the new Pokémon's main data, OT name, nickname, and mail message, each with the same underflow problem. As a result, the game writes the Odd Egg's species, main data, OT name, nickname and mail to the wrong addresses, and ''leaves the correct addresses untouched''. The latter aspect is arguably the more important and more exploitable part of the God Egg glitch.
 
=== Party terminator desync ===
With a "normal" empty party (e.g. at the beginning of the game, or after the [[Battle Tower SRAM glitch]]), the player's party count is 0, the species byte for party Pokémon 1 is the 0xFF terminator, and all other data for party Pokémon 1 are not properly initialized. The God Egg glitch increases the party count to 1, but does not actually write the data of a 1st Pokémon into the proper addresses. In particular, the species byte for party Pokémon 1 remains an 0xFF byte without an additional terminator after it, so the party count and the terminator no longer agree. This party representation is similar to the one produced by the [[international 'dokokashira door glitch']]. The party menu can be opened, in which an [[unterminated name Pokémon]] [[GlitchDex/C:255|????? (0xFF)]]/[[GlitchDex/C:000|????? (0x00)]] hybrid with no moves and all stats as 0 can be found. (The disappearance of the Day Care couple is a separate effect of the out-of-bounds writes described under "Corrupted addresses" below.)
 
The glitch Pokémon can be used for [[0x1500 control code arbitrary code execution]]. Like other glitches that allow the player to obtain ?????, it can also be used for [[????? party overloading]] to obtain hold items (such as key items for [[duplicate key items glitch]] and expanded Balls pocket) or to manipulate any (valid) Pokémon in the game.
 
=== Corrupted addresses ===
The God Egg glitch also directly corrupts memory by writing to the data of the "257th Pokémon in the party". The corrupted addresses are:
* $DDD8 and $DDD9, which are in the main data of party Pokémon 6 (the Egg's species byte and the 0xFF terminator written after it).
* $0CDF ~ $0D0E, which are in the ROM. On the MBC3 cartridge, writes to $0000 ~ $1FFF are interpreted as disabling or enabling the SRAM, which does not matter here since, later, when writing the mail message, the SRAM is opened and then closed anyway.
* $E8FF ~ $E909, which are in echo RAM ($E000 ~ $FDFF mirrors $C000 ~ $DDFF), so the writes actually land at $C8FF ~ $C909, somewhere in the overworld map buffer, far out of bounds for the Day Care map.
* $E941 ~ $E94B, same as above (mirrored to $C941 ~ $C94B).
* $D500 ~ $D52E, which overlaps <code>wObject1Struct</code> and <code>wObject2Struct</code>. In the Day Care, those objects are the old man and the old lady.
 
The most obvious effect of this memory corruption is that the old man and the old lady disappear from the screen.
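The address ranges above can be reproduced by emulating the loop semantics described in the Analysis section (an 8-bit counter decremented before its zero test, and a 16-bit address register that wraps modulo $10000). The following C program is an added example, not code from the disassembly or from this page's authors: it models each of the five address loops as "advance by one struct length per iteration" and applies it to an initial party count of 0 and 1. The WRAM symbol addresses are assumed from the pokecrystal symbol file; the SRAM base <code>sPartyMail</code> is back-derived from the $D500 figure listed above and the 47-byte mail struct. Struct lengths (48, 11, 47) are the values used by the disassembly.

```c
#include <stdint.h>
#include <stdio.h>

/* pokecrystal symbols (assumed from the disassembly's symbol file; the mail
 * base is back-derived from the $D500 figure on this page: $D500 - 256*47). */
#define wPartySpecies      0xDCD8u
#define wPartyMons         0xDCDFu
#define wPartyMonOT        0xDDFFu
#define wPartyMonNicknames 0xDE41u
#define sPartyMail         0xA600u   /* SRAM bank 1, assumed */

#define PARTYMON_STRUCT_LENGTH 48
#define NAME_LENGTH            11
#define MAIL_STRUCT_LENGTH     47

typedef struct { uint16_t start, end; } range_t;

typedef struct {
    uint16_t species;   /* one byte; the $FF terminator goes to species + 1 */
    range_t  main_data, ot_name, nickname, mail;
} god_egg_writes_t;

/* Emulates the address loop in AddMobileMonToParty:
 *     ld d, e        ; e = initial party count
 * .loop:
 *     inc bc         ; (or one struct length per iteration)
 *     dec d
 *     jr nz, .loop
 * d is an 8-bit register and the zero test comes after `dec`, so a count
 * of 0 wraps to 255 and the body runs 256 times. bc is a 16-bit pair, so
 * the result wraps modulo $10000 exactly as on the Game Boy. */
static uint16_t loop_address(uint16_t base, uint8_t party_count, uint16_t stride)
{
    uint16_t bc = base;
    uint8_t  d  = party_count;
    do {
        bc = (uint16_t)(bc + stride);
        d  = (uint8_t)(d - 1);
    } while (d != 0);
    return bc;
}

static range_t span(uint16_t start, uint16_t length)
{
    range_t r = { start, (uint16_t)(start + length - 1) };
    return r;
}

/* Every destination the function writes for a given initial party count. */
god_egg_writes_t god_egg_writes(uint8_t party_count)
{
    god_egg_writes_t w;
    w.species   = loop_address(wPartySpecies, party_count, 1);
    w.main_data = span(loop_address(wPartyMons, party_count, PARTYMON_STRUCT_LENGTH), PARTYMON_STRUCT_LENGTH);
    w.ot_name   = span(loop_address(wPartyMonOT, party_count, NAME_LENGTH), NAME_LENGTH);
    w.nickname  = span(loop_address(wPartyMonNicknames, party_count, NAME_LENGTH), NAME_LENGTH);
    w.mail      = span(loop_address(sPartyMail, party_count, MAIL_STRUCT_LENGTH), MAIL_STRUCT_LENGTH);
    return w;
}

/* Echo RAM ($E000-$FDFF) aliases $C000-$DDFF; everything else maps to itself. */
uint16_t effective_address(uint16_t addr)
{
    return (addr >= 0xE000 && addr < 0xFE00) ? (uint16_t)(addr - 0x2000) : addr;
}

/* What a Game Boy write to this address hits with an MBC3 cartridge. */
const char *region_of(uint16_t addr)
{
    if (addr < 0x2000) return "ROM: MBC3 treats the write as SRAM enable/disable";
    if (addr < 0x8000) return "ROM: MBC3 control register";
    if (addr < 0xA000) return "VRAM";
    if (addr < 0xC000) return "SRAM";
    if (addr < 0xE000) return "WRAM";
    if (addr < 0xFE00) return "echo RAM: mirrors WRAM at addr - $2000";
    return "OAM / I/O / HRAM";
}

static void print_range(const char *what, range_t r)
{
    printf("  %-9s $%04X-$%04X  %s\n", what, r.start, r.end, region_of(r.start));
}

int main(void)
{
    const uint8_t counts[] = { 0, 1 };   /* 0 = God Egg case, 1 = normal case */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        god_egg_writes_t w = god_egg_writes(counts[i]);
        printf("initial party count %u:\n", counts[i]);
        printf("  %-9s $%04X (terminator at $%04X)  %s\n", "species", w.species,
               (uint16_t)(w.species + 1), region_of(w.species));
        print_range("main data", w.main_data);
        print_range("OT name", w.ot_name);
        print_range("nickname", w.nickname);
        print_range("mail", w.mail);
    }
    return 0;
}
```

With a count of 0 the program reproduces the five ranges listed above; with a count of 1 it shows where the same writes correctly land for the second party slot, which makes it clear that for a count of 0 the intended targets ($DCD8, $DCDF, $DDFF, $DE41 and $A600) are never touched.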
 
==Videos==
(@2:25:30)
{{stub}}
 
== References ==
<references />
 
[[Category:Generation II glitches]]