Type 0xD0 move glitch
[[File:Type 0xD0 path.png]]
1i) The first Pokémon has move 0x00 (e.g. a "CoolTrainer" Ditto).
1ii) The third Pokémon is a low-level 'slide' Pokémon you caught in the wild. Whether it will work is up to chance, but if you find one that works it will always work (possibly the same one compatible with Coin Case ACE, without bad DVs etc.).
1iii) To be safe, have Pokémon 2 and 3 use the bird and tailed creature menu sprites, and have no Pokémon hold an item except for Pokémon 4.
2. Pokémon 4 is a Quagsire with TM02 and Return as its first move (for box name ACE at D8C0 (box 1 character 2)) or a Quagsire with HP Up and Sleep Talk as its first move (for stored items ACE at D61A (second item quantity)).
Before you move one step up and four steps right from picture 3, save the game. Afterwards view Pokémon 1's moves from the move description menu and close it repeatedly until your code works.
==Example box name code==
This box name code,
The box names for that are as
<pre>
Box 1: p 0 5 é ! 6 ? z
Box 2: H é '
Box 3: é!Ap'v/'v)
</pre>
==Technical information==
When viewing the party screen or the move screen, the game displays small
The glitch type 0xD0 (the type of move 0x00) can overwrite $C51E by overflowing the tile data when its name is printed on the move screen, if said name is long enough. The source of the type name is 0x8350 in VRAM, hence affected by what is or was displayed on the screen; in particular, the party screen may affect 0x8350 if you have enough Pokémon menu sprites and/or held items in the party{{fact}}. This also means that the name is susceptible to VRAM accessibility: if the game attempts to read a character while VRAM is inaccessible it will read value $FF and print a '9' instead of the expected character. This means that the effects of the glitch can differ depending on the exact timing of the name being printed on screen.
Due to the structure of the code located right after the jumptable, a reasonable number of pointers will land in the vicinity of either the $C9xx region or the $E9xx region (echo RAM for the $C9xx region). For smaller maps, execution will safely slide until it reaches three regions:
* $CC20 contains wBGMapBuffer, which temporarily buffers newly inserted tile IDs.
* $CC48 contains wBGMapPalBuffer, which temporarily buffers newly inserted tile palettes.
As $DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code.
The consistency of the glitch can be increased by having a specific player name consisting of a single kind of character (e.g. "RRRRRRR"). When the game encounters a 0x52 control code character, it will print the player's name, filling a 7-byte range with the same value and increasing the odds of writing the desired value to $C51E.
The effect pointers are sourced from DoSpriteAnimFrame.Jumptable ($23:5473 in EN G/S). This ROM bank contains several minor version differences, leading to some version-exclusive effect pointers.
Here is the assembly code for the box name code to obtain Celebi:
<pre>
AF        xor a                  ; a = $00
F6 FB     or $FB                 ; a = $FB, Celebi species ID
EA E7 FC  ld [wContestMon], a
E6 B9     and $B9                ; a = $B9
87        add a, a               ; a = $72
EA D2 F8  ld [$F8D2], a          ; echo RAM for $D8D2: fills in the $72 operand byte below
AF        xor a                  ; a = $00
D6 FC     sub $FC                ; a = $04
FB        ei
EA 72 D5  ld [wStatusFlags2], a  ; the $72 byte is located at $D8D2, written by the earlier code
A7        and a, a               ; reset carry flag
D0        ret nc
</pre>
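The register values in the comments above can be checked mechanically. The following Python trace is an added example, not part of the original article: it models only the opcodes that appear in the listing, treats the $72 operand byte as already in place, and folds echo RAM addresses onto the WRAM they mirror (the names `PAYLOAD`, `wram` and `trace` are illustrative).

```python
# Added example: trace register A, the carry flag and memory writes for the
# payload bytes listed on this page. Only opcodes from the listing are modeled.

PAYLOAD = bytes.fromhex("AF F6FB EAE7FC E6B9 87 EAD2F8 AF D6FC FB EA72D5 A7 D0")


def wram(addr):
    """Fold echo RAM ($E000-$FDFF) onto the WRAM it mirrors ($C000-$DDFF)."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def trace(code):
    """Run the bytes; return (writes, a, carry, returned_via_ret_nc)."""
    a, carry, pc, writes = 0, False, 0, []
    while pc < len(code):
        op = code[pc]
        if op == 0xAF:                       # xor a
            a, carry, pc = 0, False, pc + 1
        elif op == 0xF6:                     # or d8
            a, carry, pc = a | code[pc + 1], False, pc + 2
        elif op == 0xE6:                     # and d8
            a, carry, pc = a & code[pc + 1], False, pc + 2
        elif op == 0xA7:                     # and a (A unchanged, carry cleared)
            carry, pc = False, pc + 1
        elif op == 0x87:                     # add a,a (carry set on 8-bit overflow)
            carry, a, pc = a + a > 0xFF, (a + a) & 0xFF, pc + 1
        elif op == 0xD6:                     # sub d8 (carry set on borrow)
            n = code[pc + 1]
            carry, a, pc = a < n, (a - n) & 0xFF, pc + 2
        elif op == 0xEA:                     # ld [a16],a (little-endian operand)
            addr = code[pc + 1] | (code[pc + 2] << 8)
            writes.append((wram(addr), a))
            pc += 3
        elif op == 0xFB:                     # ei (no effect on A or carry)
            pc += 1
        elif op == 0xD0:                     # ret nc: return only if carry is clear
            if not carry:
                return writes, a, carry, True
            pc += 1
        else:
            raise ValueError(f"opcode ${op:02X} not modeled")
    return writes, a, carry, False


if __name__ == "__main__":
    writes, a, carry, returned = trace(PAYLOAD)
    for addr, value in writes:
        print(f"${addr:04X} <- ${value:02X}")
    print(f"a = ${a:02X}, carry = {carry}, returned = {returned}")
```

The second write resolves to $D8D2 once the echo RAM address $F8D2 is folded down, which is the self-modifying store described in the listing's comment.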