ItemDex/RB:085: Difference between revisions

From Glitch City Wiki
Line 20: Line 20:


==Hall of Fame corruptions==
==Hall of Fame corruptions==
As demonstrated by TheZZAZZGlitch, with a series of Hall of Fame corruptions, it is possible to manipulate the data within the program counter area of B1F (beginning at SRAM:A7D0). If the corruptions are due to sprite decompressions from [[glitch Pokémon]] (as viewed from the Pokémon summary in the party; as this opens SRAM specifically in the un-banked area), the outcomes are chaotic (which while technically deterministic are based on the subroutine used to decompress a Pokémon sprite extrapolated further into SRAM than intended).
As demonstrated by TheZZAZZGlitch, with a series of Hall of Fame corruptions, it is possible to manipulate the data within the program counter area of B1F (beginning at SRAM:A7D0). If the corruptions are due to sprite decompressions from [[glitch Pokémon]] (as viewed from the Pokémon summary in the party; as this opens SRAM specifically in the un-banked area), the outcomes are [[List of relatively chaotic means of memory corruption|chaotic]] (which while technically deterministic are based on the subroutine used to decompress a Pokémon sprite extrapolated further into SRAM than intended).


As the process is complex, viewing certain glitch Pokémon sprites without further knowledge can be viewed as an elaborate pseudo-random number generator, if the initial SRAM is interpreted as a 'seed' (pseudo-random as given the sprite pointer of a glitch Pokémon is not from RAM or SRAM itself, the input SRAM would in theory always produce the same output SRAM).
As the process is complex, viewing certain glitch Pokémon sprites without further knowledge can be viewed as an elaborate pseudo-random number generator, if the initial SRAM is interpreted as a 'seed' (pseudo-random as given the sprite pointer of a glitch Pokémon is not from RAM or SRAM itself, the input SRAM would in theory always produce the same output SRAM).
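Review bot: the only change in this hunk is in the first paragraph, where the word 'chaotic' is wrapped in a link to [[List of relatively chaotic means of memory corruption]]; the heading and the second paragraph are carried over unchanged. Worth confirming that a page exists under exactly that title so the link does not render as a red link, since the display text 'chaotic' gives the reader no other hint of the target.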

Revision as of 22:36, 16 April 2022


Name (transcribed): B1F

Identifier (HEX): 55
Identifier (DEC): 085
Effect pointer: A7D0
Unterminated name glitch item?: No
Tossable/Sellable?: Yes
Buy Price: 0
Sell Price: 0

B1F (hex:55) is a glitch item in Pokémon Red and Blue. Its name is taken from the lists of lift destinations.

Using this glitch item executes arbitrary code at A7D0 in the SRAM region. SRAM may be locked, in which case the result is a rst $38 freeze; however, viewing a Pokémon summary in the party just before using the item unlocks the SRAM (in bank 0).

0:A7D0 under normal circumstances

Assuming the Hall of Fame was never corrupted, 0:A7D0 can be written to reliably through normal play. Hall of Fame data starts at A598 and occupies (6*0x10)*N bytes, where N is the number of inductions (up to 0x32, dec:50). Entering the Hall of Fame 6 times writes data up to A7D7, and D2F2 onward is copied into A7D0 onward. A7D0 therefore holds the seventh character of the sixth party Pokémon's nickname, so code can be written from there (and redirected with a jump or call for more space if necessary). If the player has entered the Hall of Fame too many times, or wants to skip ahead to the sixth induction, they can change D5A2 (the number of inductions) from the expanded PC items.

However, the opcodes available through a normal Pokémon nickname are limited. It may still be possible to craft a Pokémon nickname into useful code without arbitrary code execution or a connection copier (a connection copier acts as a pseudo-GameShark, similar to a RAM write from arbitrary code execution), but no method for doing so has been published yet.

Hall of Fame corruptions

As demonstrated by TheZZAZZGlitch with a series of Hall of Fame corruptions, it is possible to manipulate the data within the program counter area of B1F (beginning at SRAM:A7D0). If the corruptions come from sprite decompressions of glitch Pokémon (viewed from the Pokémon summary in the party, since this opens SRAM specifically in the un-banked area), the outcomes are chaotic: technically deterministic, but determined by the Pokémon sprite decompression subroutine running further into SRAM than intended.

Because the process is complex, viewing certain glitch Pokémon sprites can, without further knowledge, be treated as an elaborate pseudo-random number generator with the initial SRAM as its 'seed' (pseudo-random rather than random because the sprite pointer of a glitch Pokémon does not come from RAM or SRAM itself, so in theory a given input SRAM always produces the same output SRAM).

By chance, the player may come across a desirable outcome after running B1F following these corruptions.

However, it is possible to calculate an exact series of corruptions required for a given result using TheZZAZZGlitch's SRAM corruption emulator.

First, a known series of bytes can be used to seed the "SRAM RNG", such as a series of FF bytes from resetting the game, or the game freeze caused by ゥ (0xC1). That freeze is itself influenced by ゥ's front sprite pointer of VRAM:8E8F, which effectively points at the data on the screen just before battle (the font, the map sub-tiles and the battle transition that turns sub-tiles solid black can all alter it); in this case, it is sometimes able to fill a portion of the SRAM (including the region accessed by B1F) with a continuous 00 39 or 39 00 pattern.

This is due to a rst 38 (restart vector 0x38, opcode 0xFF): it jumps to 0038, which contains another rst 38 (0xFF) instruction, and the resulting loop corrupts memory downward from the stack (the late DFXX area in WRAM), potentially including the SRAM, with the return address of the following instruction, 00 39. The player can test whether the desired area became 00 39 by checking the Hall of Fame after a game freeze caused by ゥ (0xC1) and looking for a series of Level 57 'M (00) entries, because decimal level 57 corresponds to hexadecimal 0x39, and 'M has the index number 0 (0x00).
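As an added illustration of the rst 38 pattern just described and of the Hall of Fame layout given under "0:A7D0 under normal circumstances" (constructed example code, not from the wiki or from TheZZAZZGlitch's tools), this C model pushes 0039 down a simulated stack the way the rst 38 loop does, then applies the page's "Level 57 'M" check and decodes which nickname character of which induction lands at A7D0. The 16-byte record layout (species, level, then an 11-byte nickname) is an assumption; the addresses come from the page.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the relevant Game Boy address space (not the game's own code). */
#define SRAM_START   0xA000
#define HOF_START    0xA598  /* Hall of Fame data start (from the page) */
#define HOF_MON_LEN  0x10    /* 16 bytes per inducted Pokemon (from the page) */
#define HOF_TEAM_LEN (6 * HOF_MON_LEN)
#define HOF_NICK_OFF 2       /* assumed record layout: species +0, level +1, nickname +2 (11 bytes) */
#define B1F_PC       0xA7D0  /* where B1F begins executing (from the page) */
#define RST38_RET    0x0039  /* return address pushed by the rst $38 at $0038 */
static uint8_t mem[0x10000];
/* Writes to ROM (0000-7FFF) have no effect, as on hardware. */
static void poke(uint16_t a, uint8_t v) { if (a >= 0x8000) mem[a] = v; }

/* LR35902 push: SP -= 2, low byte at the lower address. */
static uint16_t push16(uint16_t sp, uint16_t v) {
    sp -= 2; poke(sp, (uint8_t)v); poke((uint16_t)(sp + 1), (uint8_t)(v >> 8)); return sp;
}

/* The rst $38 freeze: $0038 holds 0xFF, so each iteration pushes $0039 and re-enters.
 * Runs until the stack has walked down through all of SRAM; returns the push count. */
static unsigned run_rst38_loop(uint16_t sp) {
    unsigned pushes = 0;
    while (sp > SRAM_START) { sp = push16(sp, RST38_RET); pushes++; }
    return pushes;
}

/* Decode a SRAM address inside the Hall of Fame block: 0-based induction and slot,
 * and the 1-based nickname character stored there (0 = not part of a nickname). */
static unsigned hof_induction_of(uint16_t a) { return (a - HOF_START) / HOF_TEAM_LEN; }
static unsigned hof_slot_of(uint16_t a) { return ((a - HOF_START) % HOF_TEAM_LEN) / HOF_MON_LEN; }
static unsigned hof_nick_char_of(uint16_t a) {
    unsigned in_mon = (a - HOF_START) % HOF_MON_LEN;
    return (in_mon >= HOF_NICK_OFF && in_mon < HOF_NICK_OFF + 11) ? in_mon - HOF_NICK_OFF + 1 : 0;
}

/* The page's visual check: an entry that reads as 'M (species 0x00) at Level 57 (0x39). */
static int hof_slot_is_level57_M(unsigned ind, unsigned slot) {
    uint16_t a = (uint16_t)(HOF_START + ind * HOF_TEAM_LEN + slot * HOF_MON_LEN);
    return mem[a] == 0x00 && mem[a + 1] == 0x39;
}

int main(void) {
    printf("A7D0 = induction %u, slot %u, nickname char %u\n", hof_induction_of(B1F_PC) + 1,
           hof_slot_of(B1F_PC) + 1, hof_nick_char_of(B1F_PC));
    unsigned pushes = run_rst38_loop(0xDFFF); /* odd SP: even addresses get 00, odd get 39 */
    printf("%u pushes; HoF entry 1 shows Level 57 'M: %d; bytes at B1F: %02X %02X\n",
           pushes, hof_slot_is_level57_M(0, 0), mem[B1F_PC], mem[B1F_PC + 1]);
    return 0;
}
```

Running the loop from an even SP instead (0xDFFE) flips the alignment, so the same entries read as 39 00 and the Level 57 'M check fails; which of the two patterns the page mentions appears depends only on SP parity at the time of the freeze.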

Next, TheZZAZZGlitch's SRAM corruption emulator can be used to calculate the sequence of Hall of Fame corruptions from glitch Pokémon sprites in the party menu that leads to the desired sequence of bytes. A downside of the SRAM corruption emulator is that certain (or longer) byte sequences may require an extremely long computation time.

LM4 (0xC6) (relative upper area of the SRAM) and Glitch Pokémon (0xDC) (relative lower area of the SRAM) are examples of glitch Pokémon which corrupt the Hall of Fame, and were verified by TheZZAZZGlitch for use with the SRAM corruption emulator.

Note that this method is not only useful for B1F. For example, the contents of Trainer (0x34)'s roster 1 (0xFC from 0xD059 and 0x01 from 0xD05D, hence the required Special stat is 252 and the required Attack stat modifier is -6; specifically, however, this is effectively just the representation of $CD2D and $CD2E) depend on the contents of the pointer at 0xA5A5 in SRAM. This is within the region that can be changed through glitch Pokémon sprite corruptions such as LM4. If the player is able to corrupt the sprite pointer region of a glitch Pokémon whose sprite is sourced from SRAM, such as ゥ₽ (F4) with its front sprite pointer of SRAM:A922, grinding (or calculating the series of corruptions) for an interesting front sprite is an option as well (see also: arbitrary sprites).

While Hall of Fame corruptions through glitch Pokémon sprites may be appealing in their own way, they are not necessary if the player wants more control and efficiency, since the player could simply modify the SRAM precisely in advance with arbitrary code execution. Nonetheless, some may find it desirable to grind for a good result in advance.

Theoretically, an even more relatively chaotic corruption of the SRAM could be achieved with arbitrary code execution as well; such as through the player's own pseudo-random number generator that they programmed themselves, or perhaps through grabbing environmental noise from the Game Boy Color's infrared port.

YouTube videos

Three YouTube videos by TheZZAZZGlitch.