
Pokémon Gold and Silver: Difference between revisions

Added a somewhat detailed description of main methods of breaking the game. "Checksum collision" should probably link to a more specific page but for now I'll just red link it to indicate that we want to have at least something on that topic.
m (Added a category for game overview pages.)
 
Another glitch that turns out to be highly exploitable is the [[Coin Case glitch]]. Although a significant amount of setup is needed before it does anything nontrivial, the payoff is the most powerful kind of exploit possible, [[arbitrary code execution]] (ACE). Another popular ACE mechanism in Gold and Silver is [[wrong pocket TMs and HMs]], but they are relatively difficult to obtain: they can be obtained using the bad clone, but because the bad clone itself is hard to get, many players would rather set up Coin Case ACE first and use it to obtain wrong pocket TMs and HMs instead.
 
== Game-breaking glitches ==
For most players looking to break the game in Pokémon Gold and Silver, the [[Coin Case glitch]] is the go-to technique, as it requires no precisely timed input (on the controller or the power button) and leads directly to arbitrary code execution. The bootstrap is, however, somewhat involved:
* The direct jump destination of the Coin Case glitch is $E112 (an Echo RAM address, mirroring $C112), which lands in variables used by the audio engine, specifically by audio channel 6. The bytes at $C112 can be controlled by playing Pokémon cries; after listening to the cry of Bellsprout or Machop (among other options), execution eventually reaches $EB12.
* $EB12 (mirroring $CB12) slides into overworld data that can be manipulated in a complicated but consistent way. The known manipulations end in a jump to either $FA98 or $FA99.
* $FA98–$FA99 (mirroring $DA98–$DA99) fall inside the main data of party Pokémon 3: that Pokémon's main data begins at $DA8A, so these are the second byte of its Attack stat experience (offset 14) and the first byte of its Defense stat experience (offset 15), respectively. Since data in this region is mostly invisible to the player and awkward to manipulate, the most popular approach is to use a "slide Pokémon" as party Pokémon 3, so that the CPU executes mostly inconsequential instructions before naturally reaching the main data of party Pokémon 4 at $DABA.
* Party Pokémon 4 is usually a Quagsire, since its species ID (195 = 0xC3) is the opcode of the "jp nn" instruction. The two bytes that follow the species ID, the held item and the first move, form the 16-bit jump destination (the held item is the low byte and the first move the high byte, since the CPU reads the operand little-endian), and there are multiple possible destinations suitable for writing an ACE payload.
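
The bootstrap above only works if the bytes from $DA98 onward decode as harmless instructions all the way into the Quagsire's species byte. The script below is an added example (not code from the wiki or from any glitch tool) that walks those bytes the way the CPU does: it knows the SM83 instruction lengths, treats Echo RAM addresses as their WRAM mirrors, and stops at the first unconditional control transfer. The party addresses are the Gold/Silver ones used on this page; the slide Pokémon's byte contents and the Quagsire's item/move pair are constructed placeholders, not a recommended setup.

```python
"""Walk the Coin Case ACE slide from party Pokemon 3 into party Pokemon 4.

Added example, not code from the wiki or from any glitch tool. It decodes
Game Boy (SM83) instruction lengths so a candidate party layout can be checked
for sliding cleanly from $DA98/$DA99 (party Pokemon 3, offsets 14/15) into the
'jp nn' formed by a species-0xC3 Pokemon in slot 4. The slide Pokemon's bytes
and the item/move bytes below are CONSTRUCTED placeholders.
"""

PARTY_MON_SIZE = 48                            # bytes of main data per party Pokemon
PARTY_MON1 = 0xDA2A                            # wPartyMon1 in Gold/Silver
PARTY_MON3 = PARTY_MON1 + 2 * PARTY_MON_SIZE   # $DA8A
PARTY_MON4 = PARTY_MON1 + 3 * PARTY_MON_SIZE   # $DABA

# SM83 opcodes that take immediates; everything else (bar the invalid ones) is 1 byte.
TWO_BYTE = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E,   # ld r,n
            0x10, 0x18, 0x20, 0x28, 0x30, 0x38,               # stop, jr, jr cc
            0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE,   # alu a,n
            0xE0, 0xF0, 0xE8, 0xF8, 0xCB}                     # ldh, add sp,n / ld hl,sp+n, CB prefix
THREE_BYTE = {0x01, 0x11, 0x21, 0x31, 0x08,                   # ld rr,nn ; ld (nn),sp
              0xC3, 0xC2, 0xCA, 0xD2, 0xDA,                   # jp nn ; jp cc,nn
              0xCD, 0xC4, 0xCC, 0xD4, 0xDC,                   # call nn ; call cc,nn
              0xEA, 0xFA}                                     # ld (nn),a ; ld a,(nn)
INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}  # CPU locks up


def unecho(addr):
    """Map an Echo RAM address ($E000-$FDFF) to the WRAM byte it mirrors."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def slide(mem, start, limit=64):
    """Decode from `start` until the first unconditional control transfer.

    mem is {address: byte}. Returns (trace, outcome); outcome is ('jp', nn),
    ('jr', target), ('call', nn), ('jp hl',), ('ret',), ('rst', vector),
    ('hang', opcode) or ('fell_off', address). Conditional jumps are assumed
    not taken, so a layout containing them needs a closer look by hand.
    """
    pc, trace = start, []
    for _ in range(limit):
        if pc not in mem:
            return trace, ('fell_off', pc)
        op = mem[pc]
        if op in INVALID:
            trace.append((pc, f'db ${op:02X}  ; invalid opcode'))
            return trace, ('hang', op)
        n = 3 if op in THREE_BYTE else 2 if op in TWO_BYTE else 1
        imm = [mem.get(pc + i, 0) for i in range(1, n)]
        nn = imm[0] | imm[1] << 8 if n == 3 else None         # little-endian operand
        if op == 0xC3:
            trace.append((pc, f'jp ${nn:04X}'))
            return trace, ('jp', nn)
        if op == 0xCD:
            trace.append((pc, f'call ${nn:04X}'))
            return trace, ('call', nn)
        if op == 0x18:
            target = (pc + 2 + (imm[0] - 0x100 if imm[0] > 0x7F else imm[0])) & 0xFFFF
            trace.append((pc, f'jr ${target:04X}'))
            return trace, ('jr', target)
        if op == 0xE9:
            trace.append((pc, 'jp hl'))
            return trace, ('jp hl',)
        if op in (0xC9, 0xD9):
            trace.append((pc, 'ret'))
            return trace, ('ret',)
        if op & 0xC7 == 0xC7:                                 # rst $00..$38
            trace.append((pc, f'rst ${op & 0x38:02X}'))
            return trace, ('rst', op & 0x38)
        trace.append((pc, f'op ${op:02X} ({n}-byte instruction, falls through)'))
        pc += n
    return trace, ('fell_off', pc)


def constructed_slide_mon():
    """Party Pokemon 3 main data (CONSTRUCTED). Only offsets 14..47 are executed."""
    m = bytearray(PARTY_MON_SIZE)
    m[0] = 0x01                       # species: placeholder, not a real slide Pokemon
    m[14:17] = b'\x00\x3E\x20'        # Atk exp hi, Def exp: nop ; ld a,$20
    m[17:20] = b'\x01\x00\x00'        # Spd exp, Spc exp lo: ld bc,$0000
    m[27] = 0x46                      # happiness: ld b,(hl)
    m[31] = 0x05                      # level: dec b
    m[34:48] = b'\x00\x14\x00\x14\x00\x0B\x00\x0A\x00\x0C\x00\x0B\x00\x0B'  # HP/stats: nop + 1-byte ops
    return bytes(m)


def constructed_quagsire(item=0x34, move1=0xDC):
    """Party Pokemon 4: species 0xC3 = 'jp nn'. Item/move bytes are placeholders."""
    m = bytearray(PARTY_MON_SIZE)
    m[0], m[1], m[2] = 0xC3, item, move1   # species, held item (low byte), move 1 (high byte)
    return bytes(m)


def coin_case_slide(mon3=None, mon4=None, entry=0xFA98):
    """Lay out slots 3 and 4 in WRAM and walk from the (Echo RAM) entry point."""
    mon3 = constructed_slide_mon() if mon3 is None else mon3
    mon4 = constructed_quagsire() if mon4 is None else mon4
    mem = {}
    for base, data in ((PARTY_MON3, mon3), (PARTY_MON4, mon4)):
        assert len(data) == PARTY_MON_SIZE
        mem.update({base + i: b for i, b in enumerate(data)})
    return slide(mem, unecho(entry))


if __name__ == '__main__':
    for entry in (0xFA98, 0xFA99):
        print(f'entry ${entry:04X}:', coin_case_slide(entry=entry)[1])
```

With the placeholder data both entry points ($FA98 and $FA99) converge on the same `jp`, because the byte at $DA98 is a one-byte instruction, so the $FA99 entry simply skips it. Changing a single stat byte to 0xFF makes the walk report `rst $38` instead, which is exactly the kind of check worth running against a real candidate's stat experience and stat values (offsets 14 to 47) before relying on it as a slide Pokémon.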
 
To simplify the bootstrap, many players use this initial Coin Case ACE to prepare a more convenient and more robust ACE setup involving a [[Wrong pocket TMs and HMs|wrong pocket TM or HM]].
 
An alternative starting point for breaking the game is the [[bad clone glitch]]. If performed successfully, the bad clone glitch gives the player a Pokémon whose main data, importantly including the second species byte, is entirely 0x00. This "bad clone" can easily be stabilized into a [[GlitchDex/GS:000|????? (0x00)]]. The game engine, especially the Pokémon storage system, is not designed to be robust against the invalid species IDs 0x00 or 0xFF, and breaks down rather easily. In particular, [[????? party overloading]] can allow the player to add a seventh Pokémon to the party, which in turn allows removing the 0xFF party list terminator. Without the party terminator, removing a Pokémon from the party or inserting one (with "move PkMn w/o mail") corrupts the player's entire party data, and potentially beyond, by shifting everything up or down a byte until a 0xFF byte is found. With carefully designed exploit procedures such as the [[Celebi Egg trick]], the player can create essentially any Pokémon, item, etc. with these techniques.
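
The party-list corruption described above is a missing-sentinel overrun. The script below is an added example, a model of the behaviour the page describes rather than the game's own code: it shifts the species list up one byte at a time until the byte it copies is 0xFF, first with the terminator in place and then with a seventh species written over it. The party addresses are Gold/Silver's; the species IDs and the "main data" bytes are constructed samples.

```python
"""Model of removing a party Pokemon with and without the 0xFF species terminator.

Added example, not code from the wiki or from the game. It reproduces only the
behaviour the page describes: after the party count, the species list is copied
up one byte at a time until a 0xFF byte has been copied. The memory image below
starts at wPartyCount ($DA22) and is CONSTRUCTED: count, 7 species-list bytes,
then 48 placeholder bytes standing in for party Pokemon 1's main data.
"""

PARTY_COUNT = 0xDA22      # wPartyCount
PARTY_SPECIES = 0xDA23    # wPartySpecies: 6 IDs + 0xFF terminator (7 bytes)
PARTY_MON1 = 0xDA2A       # wPartyMon1: main data directly follows the species list

# CONSTRUCTED main data for party Pokemon 1: 48 distinct bytes with one 0xFF at offset 20,
# standing in for whatever stat byte happens to hold 0xFF in a real party.
_m = bytearray(range(1, 49))
_m[20] = 0xFF
MAIN = bytes(_m)


def remove_party_mon(mem, slot):
    """Remove party slot `slot` (0-based) the way the page describes.

    mem is a bytes image starting at wPartyCount. Each following species byte is
    copied one position up until the copied byte is 0xFF. With a terminator this
    stops inside the species list; without one it keeps shifting whatever follows
    (here, the main data) until some 0xFF turns up. Returns (new_mem, bytes_moved).
    """
    mem = bytearray(mem)
    mem[0] -= 1                                   # wPartyCount
    dst = (PARTY_SPECIES - PARTY_COUNT) + slot    # species list starts right after the count
    src = dst + 1
    moved = 0
    while True:
        if src >= len(mem):
            raise IndexError('no 0xFF found before the end of the modelled memory')
        b = mem[src]
        mem[dst] = b
        moved += 1
        dst += 1
        src += 1
        if b == 0xFF:
            return bytes(mem), moved


def demo(terminated):
    """Remove slot 0 from a 3-Pokemon party (terminated) or a 7-Pokemon overloaded party."""
    if terminated:
        count, species = 3, [0xA1, 0xA2, 0xA3, 0xFF, 0x00, 0x00, 0x00]
    else:
        count, species = 7, [0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7]   # terminator overwritten
    return remove_party_mon(bytes([count] + species) + MAIN, slot=0)


if __name__ == '__main__':
    for terminated in (True, False):
        mem, moved = demo(terminated)
        print('terminated' if terminated else 'overloaded', 'moved', moved,
              'species list now', mem[1:8].hex(), 'main data changed:', mem[8:] != MAIN)
```

In the terminated case only three bytes move and the main data is untouched; in the overloaded case the copy runs straight through the species list into party Pokémon 1's main data and drags every byte up by one until it reaches the first 0xFF, which is the "shifting everything ... until a 0xFF byte is found" corruption the page describes.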
 
With the above techniques, the player can even create Key items as held items, which enables the [[duplicate Key items glitch]], allowing the player to access an expanded Balls pocket and set up [[Wrong pocket TMs and HMs|wrong pocket TM/HM]] ACE. However, the biggest problem with this route is the bad clone glitch itself, which depends on sub-frame timing and is also potentially missable (it needs a box that has never been full, and depends on SRAM data that is not necessarily initialized unless the player clears the save data beforehand). An alternative way to obtain a "bad clone", and thus follow the same route without executing the actual bad clone glitch, is the [[Hall of Fame SRAM glitch]], but that glitch can hardly be considered practical in any scenario: it involves entering the Hall of Fame without a save file, meaning it does not work with any existing save file, and it is too much work for breaking a brand-new save file, especially since the Coin Case route is always available.
 
There is a save corruption technique even harder than the bad clone glitch: [[checksum collision]]. Because it depends on both sub-frame timing and minor details of the save file, this technique is considered speedrun-only; in fact it was thought to be TAS-only until the speedrunning community came up with a route<ref>[https://pokemon-speedrunning.github.io/speedrun-routes/#/gen-2/gold-silver/main-any/gold-silver-backup-collision-route/ Pokemon Gold-Silver Any% Backup Collision Route]</ref> with ''some'' leeway (namely, a third of a frame).
 
== External links ==