Type 0xD0 move glitch: Difference between revisions
No edit summary |
|||
Line 12: | Line 12: | ||
[[File:Type 0xD0 path.png]] |
[[File:Type 0xD0 path.png]] |
||
#You have exactly four Pokémon. |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
Before you move one step up and four steps right from picture 3, save the game. Afterwards view Pokémon 1's moves from the move description menu and close it repeatedly until your code works. |
Before you move one step up and four steps right from picture 3, save the game. Afterwards view Pokémon 1's moves from the move description menu and close it repeatedly until your code works. |
||
Sometimes this will not execute arbitrary code. At times it is possible to get a flashing color 'disco' effect as well. |
|||
==Example box name code== |
==Example box name code== |
||
This box name code |
This box name code, conceptualized by Crystal_ and optimized by TimoVM, allows us to warp to the Bug-Catching Contest and obtain Celebi. |
||
The box names for that are as follows |
The box names for that are as follows: |
||
<pre> |
|||
Box 1: p 0 5 é ! 6 ? z |
|||
# <pre>é'r2p'vA'vF</pre> |
|||
Box 2: H é 'm 2 p 'v 6 5 |
|||
# <pre>é!Ap'v/'v)</pre> |
|||
Box 3: é A 't h 'd |
|||
# <pre>é?2p'v5'vA</pre> |
|||
</pre> |
|||
# <pre>'v[é×2</pre> |
|||
==Technical information== |
==Technical information== |
||
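Review bot: In the Box 3 line (`é A 't h 'd`) the second character is given as A, but the assembly listing further down shows that byte as 72 with a comment that it is written by earlier code, so the box names and the listing appear to disagree unless the reader already knows A is a placeholder. Say so next to the box names, and state whether the spaces between characters are separators rather than typed characters and whether 'm, 't, 'd and 'v are each a single character. The sentence "Sometimes this will not execute arbitrary code" would also be more useful with a pointer to the Technical information section, which explains why the outcome varies.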
Line 47: | Line 40: | ||
When we have 'good' data at 0x8350 the name of the glitch type causes text to print beyond the end of screen tile data, reaching far enough to corrupt address $C51E, wSpriteAnim1AnimSeqID. Depending on the text character written into this fiels, this indexes the animation jumptable out of bounds, potentially triggering ACE. |
When we have 'good' data at 0x8350 the name of the glitch type causes text to print beyond the end of screen tile data, reaching far enough to corrupt address $C51E, wSpriteAnim1AnimSeqID. Depending on the text character written into this fiels, this indexes the animation jumptable out of bounds, potentially triggering ACE. |
||
Type 0xD0's name is susceptible to VRAM accessibility. Since the name is read from VRAM, if the game attempts to read a character while VRAM is inaccessible it will read value $FF and print a '9' instead of the expected character. This means that the effects of the glitch can differ depending on the exact timing of the name being printed on screen. |
|||
Due to the structure of the code located right after the jumptable, a reasonable amount of pointers will land in the vicinity of either the $C9xx region or the $E9xx region (echo RAM for the $C9xx region). For smaller maps, execution will safely slide until it reaches three regions: |
Due to the structure of the code located right after the jumptable, a reasonable amount of pointers will land in the vicinity of either the $C9xx region or the $E9xx region (echo RAM for the $C9xx region). For smaller maps, execution will safely slide until it reaches three regions: |
||
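Review bot: The VRAM paragraph says the printed name can differ with timing but stops short of tying that to the corruption described just above it: a '9' printed in place of the expected character can change the value that lands in $C51E and therefore the jumptable index. Adding that link would explain why the setup steps call for saving and retrying. While this section is being edited, "fiels" in the preceding paragraph should read "field", and 0x8350 should use the same $ notation as $C51E.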
Line 58: | Line 53: | ||
As $DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code. |
As $DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code. |
||
The consistency of the glitch can be increased by having a specific player name consisting of a single kind of character (eg. "RRRRRRR"). When the game encounters a 0x52 control code character, it will print the player's name, filling a 7-byte range with the same value and increasing the odds of writing the desired value to $C51E. |
|||
The effect pointers are sourced from DoSpriteAnimFrame.Jumptable ($23:5473 in EN G/S). This ROM bank contains several minor version differences, leading to some version-exclusive effect pointers. |
|||
Here is the assembly code for the box name code to obtain Celebi: |
Here is the assembly code for the box name code to obtain Celebi: |
||
<pre> |
|||
xor a |
|||
AF xor a ; a = $00 |
|||
sub 99 |
|||
F6 FB or $FB ; a = $FB, Celebi species ID |
|||
sub 8b |
|||
EA E7 FC ld [wContestMon],a |
|||
ei |
|||
E6 B9 and $B9 ; a = $B9 |
|||
ei |
|||
50 ld d,b |
|||
87 add a, a ; a = $72 |
|||
ld [f8d3],a |
|||
EA D2 F8 ld [F8D2],a |
|||
xor a |
|||
AF xor a ; a = $00 |
|||
sub 80 |
|||
D6 FC sub $FC ; a = $04 |
|||
sub 85 |
|||
FB ei |
|||
ld d,b |
|||
50 ld d,b |
|||
EA 72 D5 ld [wStatusFlags2],a ; located at $D8D2, $72 written by earlier code |
|||
xor a |
|||
A7 and a, a ; reset carry flag |
|||
sub f3 |
|||
D0 ret nc |
|||
sub 9b |
|||
</pre> |
|||
ld d,b |
|||
ld [f8e6],a |
|||
xor a |
|||
sub fb |
|||
sub 80 |
|||
ld d,b |
|||
sub 81 |
|||
ld [d580],a |
|||
xor a |
|||
sub 99 |
|||
ld d,b |
|||
sub 9e |
|||
ld [f8f1],a |
|||
ld d,b |
|||
ld d,b |
|||
ld d,b |
|||
ld d,b |
|||
==YouTube video== |
==YouTube video== |
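Review bot: The comment on `EA 72 D5 ld [wStatusFlags2],a` reads as if wStatusFlags2 were located at $D8D2, while the encoded operand is 72 D5 and the earlier store is written `ld [F8D2],a`. Reword it to say that the operand byte $72 sits at $D8D2 and is filled in by the earlier store, and note how F8D2 relates to $D8D2. The `50 ld d,b` lines carry no comment explaining why they are there, and F8D2 lacks the $ prefix used by the other operands in the listing.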