Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites - Page 1

Posted by: Torchickens
Date: 2017-05-24 18:35:15
Now in addition to arbitrary code execution and arbitrary learnsets/evolutions we have a glitch Pokémon with an arbitrary sprite!

In Pokémon Yellow glitch Pokémon 0xE6 ("9") has a variable backsprite which is taken from DAC9 in WRAM.

This is in the range of the stored Pokémon data. If a properly compressed sprite is placed here (such as with offgao's memory editor) it is possible to create a custom sprite.

Furthermore, on some occasions this glitch Pokémon's backsprite will freeze the game (e.g. if the data begins with 00 as this means the dimensions to its sprite are 0x0), but a freeze can be avoided by specifying proper dimensions at the beginning of the file.

Compressing the sprite and inserting it into the game is possible with a combination of this tool and Stag019's Pokémon sprite compressor tool.

(Follow steps similar to these instructions: specify the size, block size and codec in Tile Molester, paste the file there, save it as a 2BPP file, and compress the file with Stag019's tool.)

Then open the compressed PIC file with a hex editor and copy the data to DAC9.

Here are a few examples. You should be able to make much better files but these are just for demonstration:

Note the Pokémon is "Pidgeot" because I modified a Pidgeot to the 0xE6 glitch Pokémon rather than obtaining one myself. You can do this with any 0xE6 glitch Pokémon in Yellow.

[img]http://i.imgur.com/m9fY7Tp.png[/img]
[img]http://i.imgur.com/ZWtxvnN.png[/img]
[img]http://i.imgur.com/L617B8K.png[/img][img]http://i.imgur.com/ebu5KVV.png[/img]
[img]http://i.imgur.com/CZ52Oi3.png[/img]

The palette of the sprite will be determined by the second species byte. While using the editor you could modify this byte (such as D16A for the first Pokémon to 80 for the Golduck palette).

I have not yet found a glitch Pokémon with a RAM front sprite but one may exist.

Here is the raw code for my smiley face example:


44 B6 55 54 E4 5A A3 0A A5 34 63 92 4C 18 B5 AA A9 4B 92 62 9A 34 A4 A8 62 58 86 89 6A 46 49 92 52 AA 26 48 91 4E 99
21 3B 53 24 94 DD A2 53 34 A6 88 62 16 4B 8A 92 2A 22 56 06 2A 19 2A 94 C1 68 A6 2A 4C 2A AA 30 63 29 4E 05 8D EA
55 55 6A 31 9F 96 74 4C 32 76 49 12 76 49 09 DB 9D AC 4A 71 F4 44 42 11 D5 0C 7E 16


BGB is really good for this as you can open up the debugger, go to DAC9, right click and paste the code.

[img]http://i.imgur.com/8JbdWed.png[/img]

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Caveat
Date: 2017-05-24 18:55:36
Cool stuff here!

You know that Pidgeotto hybrid in R/B that has a volatile front sprite? Could you maybe figure out where it takes its sprite data from?

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Torchickens
Date: 2017-05-25 08:00:19

Cool stuff here!

You know that Pidgeotto hybrid in R/B that has a volatile front sprite? Could you maybe figure out where it takes its sprite data from?


Thanks!

Do you mean Yellow? p [CB] and Glitch Pokémon [DC] are both Pidgeotto hybrids in Red/Blue but they don't have volatile front sprites.

In Yellow ?/ [EC] and p [F4] take their front sprite from 76C6. This is because Pidgeotto's actual sprite is sourced from the same two byte pointer, but at bank 0x0C. Hence 0C:76C6 (or offset 336C6) is the location of Pidgeotto's sprite, which has the beginning byte specify dimensions of 0x66 (6x6).

However, all Pokémon with index numbers from 0x99 to 0xFF except for 0xB6 take their sprite from bank 0x0D instead. This means the sprite is instead taken from 0D:76C6 (or offset 376C6), and here the beginning byte specifies dimensions of 0x00 (0x0), so presumably because the game is trying to draw a 256x256 sprite it corrupts the sound bank and similar.
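The bank-to-offset arithmetic and the dimension byte described in this post and in the first post, as an added example that is not part of the original thread or the game's code. The 7x7 upper limit and the width-in-high-nibble ordering are assumptions not stated in the thread.

```python
# Added example: constructed helper, not code from the thread or the game.
TILE_PX = 8          # 4x4 tiles = 32x32 px, as stated later in the thread
MAX_TILES = 7        # assumption: largest picture the sprite buffers hold (7x7)
BANK_SIZE = 0x4000   # Game Boy ROM banks are 16 KiB


def rom_offset(bank: int, addr: int) -> int:
    """Convert a banked ROM address (bank:addr) to a ROM file offset."""
    if bank == 0:
        if not 0x0000 <= addr < BANK_SIZE:
            raise ValueError("bank 0 is mapped at 0000-3FFF")
        return addr
    if not 0x4000 <= addr < 0x8000:
        raise ValueError("switchable banks are mapped at 4000-7FFF")
    return bank * BANK_SIZE + (addr - 0x4000)


def check_dimension_byte(first_byte: int) -> dict:
    """Decode the leading dimension byte and report whether it is safe to draw."""
    # Assumption: width is the high nibble, height the low nibble (in tiles).
    width, height = first_byte >> 4, first_byte & 0x0F
    problems = []
    if width == 0 or height == 0:
        problems.append("zero dimension")
    if width > MAX_TILES or height > MAX_TILES:
        problems.append("larger than 7x7 tiles")
    return {
        "tiles": (width, height),
        "pixels": (width * TILE_PX, height * TILE_PX),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for bank in (0x0C, 0x0D):
        print(f"{bank:02X}:76C6 -> offset {rom_offset(bank, 0x76C6):05X}")
    # 0x66: Pidgeotto, 0x44: first byte of the smiley data, 0x00: the freezing case
    for b in (0x66, 0x44, 0x00):
        print(f"{b:02X}", check_dimension_byte(b))
```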

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Torchickens
Date: 2017-05-25 11:10:11
Glitch Pokémon family attribute list:


Yellow
------

D0BF and summary


Family 176: Catch rate 04; Base exp 1A; Sprite Dim A7; Front sprite 20 01
Backsprite 77 7E

Family 000: Catch rate 00; Base exp 0B; Sprite Dim AD; Front sprite 06 00
Backsprite 0C 0D

Family 159: Catch rate 1D; Base exp E0; Sprite Dim E0; Front sprite 80 0B
Backsprite BB 01

Family 195: Catch rate 00; Base exp 99; Sprite Dim 63; Front sprite 00 99
Backsprite 00 7A

Family 202: Catch rate 84; Base exp 8D; Sprite Dim 86; Front sprite 88 8D
Backsprite 84 84

Family 203: Catch rate 96; Base exp 88; Sprite Dim 8C; Front sprite 8C 84
Backsprite 91 50

Family 205: Catch rate 8C; Base exp 84; Sprite Dim 91; Front sprite 50 81
Backsprite 88 91

Family 207: Catch rate 93; Base exp 50; Sprite Dim 86; Front sprite 88 8E
Backsprite 95 80

Family 215: Catch rate 18; Base exp F0; Sprite Dim 3E; Front sprite 50 12
Backsprite C9 FA**

Family 229: Catch rate 00; Base exp 28; Sprite Dim 01; Front sprite 01 01
Backsprite 94 02

Family 230: Catch rate 03; Base exp 57; Sprite Dim 04; Front sprite 01 59
Backsprite 04 02

Family 234: Catch rate 52; Base exp 02; Sprite Dim 01; Front sprite 56 02
Backsprite 03 55

Family 245: Catch rate 00; Base exp 12; Sprite Dim 7C; Front sprite 7B 41
Backsprite 00 13

Family 250: Catch rate 14; Base exp B1; Sprite Dim 00; Front sprite 10 05
Backsprite A6 00

Family 254: Catch rate A5; Base exp BC; Sprite Dim 00; Front sprite 1C BA
Backsprite B9 B9

Family 255: Catch rate 1E; Base exp 12; Sprite Dim 0B; Front sprite 00 14
Backsprite 11 25


Red/Blue
--------

D0C0 and summary

Family 000: Catch rate 1D; Base exp 8F; Sprite Dim 88; Front sprite 00 19
Backsprite 37 8F
Family 174 [E7]: Catch rate C9; Base exp AF; Sprite Dim EA; Front sprite D8 CF*
Backsprite 06 01
Family 175 [E4]: Catch rate 16; Base exp 00; Sprite Dim C5; Front sprite E5 CD* [CF91 controls museum sprite]
Backsprite 07 57
Family 205: Catch rate 91; Base exp F5; Sprite Dim 50; Front sprite 8F 8E
Backsprite 8A BA
Family 209: Catch rate 91; Base exp 8E; Sprite Dim 82; Front sprite 8A 84
Backsprite 91 50
Family 211: Catch rate 80; Base exp 8A; Sprite Dim 50; Front sprite 82 87
Backsprite 88 84
Family 213: Catch rate 8D; Base exp 84; Sprite Dim 91; Front sprite F5 50
Backsprite 81 91
Family 224: Catch rate D8; Base exp 16; Sprite Dim 00; Front sprite 19 7E
Backsprite EA 91
Family 234: Catch rate 61; Base exp 30; Sprite Dim 61; Front sprite 51 61
Backsprite 6B 61
Family 240: Catch rate 41; Base exp 00; Sprite Dim 09; Front sprite 24 24
Backsprite 00 0A
Family 245: Catch rate 6C; Base exp 60; Sprite Dim 00; Front sprite 1D 03
Backsprite A7 00
Family 250: Catch rate 17; Base exp 11; Sprite Dim 25; Front sprite 00 0B
Backsprite AD 06
Family 254: Catch rate 00; Base exp 14; Sprite Dim 22; Front sprite 22 A9
Backsprite 00 15
Family 255: Catch rate 0D; Base exp 8F; Sprite Dim 00; Front sprite 1D 0D
Backsprite 37 00


Family 175 can be manipulated in theory if you lock CF91 (Pewter Museum sprite) to E4 or another Family 175 glitch Pokémon and D0C2 (sprite dimensions) to your sprite dimension value. Memory address D0C3-4 (front sprite pointer) also exists, and indeed locking it to WRAM (such as 80DA for DA80) allows you to view a custom front sprite, but only on a Pokémon's summary and on wild Pokémon in battle.

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Caveat
Date: 2017-05-25 11:52:25
Interesting.

BEHOLD, WE HAVE… something?

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Torchickens
Date: 2017-05-25 12:30:15

Interesting.

BEHOLD, WE HAVE… something?


Yes :)

Basically two WRAM arbitrary front sprites exist in Red/Blue. The CDE5 [screen data] one can be manipulated. But it seems DMA hijacking to write the dimension and change the Pewter Museum sprite is a must, unless your sprite has the dimensions it does use which I'm not sure yet.

This is an example of what you can do.

[img]http://i.imgur.com/h1euudJ.png[/img]

We can also write to the front sprite pointer (and possibly backsprite pointer) with DMA hijacking in Red/Blue directly, and this way you can see the sprite in a wild Pokémon battle.

Yellow seemingly doesn't have any arbitrary front sprites but it has the arbitrary back sprite in PC Pokémon data described in the first post of this thread for glitch Pokémon 0xE6, which can be manipulated in game with ws m, specifically with TheZZAZZGlitch's coordinates program writer or offgao's memory editor.

This one is permanent provided you save the game after modifying box data. The aforementioned front sprite in Red/Blue is not.

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: ISSOtm
Date: 2017-05-25 12:37:44
It looks awesome !
Oh, but, this strangely reminds me of a certain Pikablu cheat code… ( ͡° ͡° )

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: jfb1337
Date: 2017-05-25 14:37:05
How much space is required to store the Marill sprite?

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Torchickens
Date: 2017-05-25 15:17:55

How much space is required to store the Marill sprite?


The space required varies from picture to picture but thanks to compression it's usually not too large.

For the Marill backsprite it was a 4x4 [32x32 px] picture with data of $80 (128) bytes.

The Marill frontsprite in my previous post is a 7x7 [56x56 px] picture that takes up $FE (254) bytes.

I overlooked this, but when you store data at DAC9 you may be overwriting offgao's memory editor, and you won't be able to complete writing the data if you are using offgao's memory editor to add the sprite. However, this can be worked around by using the following method:

1. Store sprite at numboxitems (d53a) instead.
2. Use call copydata to copy d53a to dac9.

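ld bc,xxyy ; sprite size in bytes (number of bytes to copy)
ld hl,d53a ; source: numboxitems, where the sprite was stored in step 1
ld de,dac9 ; destination: backsprite data used by glitch Pokémon 0xE6
call 00b1 ; copydata
ret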

01 yy xx 21 3A D5 11 C9 DA CD B1 00 C9

Thankfully it doesn't matter if you replace DA7F with jp d321 [c3 21 d3] with offgao's memory editor (it doesn't mess up the GUI) where you can store your code to copy the data and copy by using ws m again.


It looks awesome !
Oh, but, this strangely reminds me of a certain Pikablu cheat code… ( ͡° ͡° )


Thanks! Yeah ^^. For my video it was different as I just copied the Marill sprite into VRAM. Cool that this is a method to permanently store a backsprite until you change box data though.
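The copy stub from the post above, assembled for a concrete size, as an added example that is not part of the original thread. It uses the $80-byte Marill backsprite size quoted in the post; the function names are hypothetical, and the size limit is derived from the two addresses in the post.

```python
# Added example: constructed helper, not code from the thread.
SRC = 0xD53A       # numboxitems, where the sprite is staged
DST = 0xDAC9       # backsprite data read by glitch Pokémon 0xE6
COPYDATA = 0x00B1  # routine called by the thread's stub


def le16(value: int) -> bytes:
    """Encode a 16-bit operand in the little-endian order the CPU expects."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("operand must fit in 16 bits")
    return value.to_bytes(2, "little")


def build_copy_stub(size: int) -> bytes:
    """Assemble: ld bc,size / ld hl,SRC / ld de,DST / call COPYDATA / ret."""
    if size == 0:
        raise ValueError("nothing to copy")
    if SRC + size > DST:
        # The staged data would reach into the destination, so a forward
        # copy would overwrite staged bytes before reading them.
        raise ValueError(f"size {size:#x} exceeds the {DST - SRC:#x} bytes available")
    return (b"\x01" + le16(size) + b"\x21" + le16(SRC)
            + b"\x11" + le16(DST) + b"\xCD" + le16(COPYDATA) + b"\xC9")


def parse_copy_stub(stub: bytes) -> dict:
    """Decode a 13-byte stub and confirm it has the expected opcode layout."""
    opcodes = (stub[0], stub[3], stub[6], stub[9], stub[12]) if len(stub) == 13 else ()
    if opcodes != (0x01, 0x21, 0x11, 0xCD, 0xC9):
        raise ValueError("not the ld bc / ld hl / ld de / call / ret stub")
    word = lambda i: int.from_bytes(stub[i:i + 2], "little")
    return {"size": word(1), "src": word(4), "dst": word(7), "call": word(10)}


if __name__ == "__main__":
    stub = build_copy_stub(0x80)  # Marill backsprite: $80 bytes
    print(stub.hex(" ").upper())
    print(parse_copy_stub(stub))
```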

Re: Arbitrary glitch Pokémon sprites - 'Permanent' custom sprites

Posted by: Torchickens
Date: 2017-05-25 17:16:37
For the OAM DMA method it seems you may also have to do it in front of the exhibition and attach 3E 01 E0 F8 (or 3E 01 EA F8 FF) to simulate an A-press to the end of the code as luckytyphlosion's exploit with a write to the dimensions and Pokémon sprite ID seems to lock up the controls if you don't write to this address.

Interestingly would that count as an A-press?