Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation I Glitch Discussion

New way to get Game Corner glitch Pokémon with text pointer manipulation - Page 1

Posted by: Torchickens
Date: 2018-06-16 18:21:12
0xF7 is the Game Corner text macro. In other words, if a text box begins with 0xF7 and you have a Coin Case x1 or more in the inventory, you can load a Game Corner prize menu.

If you have access to the expanded items pack, this also gives you access to the text pointer table for the current map at D36C-D36D in Red/Blue (D36B-D36C in Yellow). This value stores a pointer that leads to a series of two byte pointers for each NPC. The text pointer table is controlled by item 40's ID (D36C) and quantity (D36D).

Following the pointers for each NPC, we can store our 0xF7 byte.

In practice, for example with NPC 2 on Route 1, we could do this:

1. Escape Rope x211 can be stored at item 40, so your text pointer table begins at D31D (item slot 1)
2. 21 D3 can be stored at D31F (ThunderStone x 211) which is our NPC 2 pointer
3. At D321 we can have the F7 byte (TM47)
4. Talking to the NPC with the Coin Case may allow us to purchase various glitch Pokémon

4 4 Hy, MissingNo. and 8 P are here!

[img]https://i.imgur.com/jxGWUi7.png[/img]

I've only just realised you can do this, and exiting the menu corrupted the player's name and party.

However, we could possibly research this more to avoid that side effect and/or get other glitch Pokémon.

As Game Corner coins are at D5A4, D5A5, if you need to have over 9999 coins to purchase a prize, you could possibly edit your coins from the expanded stored items pack in the PC (via a second dry underflow but in the PC).

Edit: The data for the prize box that appears may be based on the ID number of the NPC (the one stored at CF13).
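
The pointer chain from the post above, replayed over a constructed 64 KiB memory image (an added example, not code from the thread or from the game). Addresses and byte values are the ones the post gives; `pointer_chain_trusted` is a hypothetical hardening check that assumes legitimate tables and text sit in ROM below 0x8000.

```c
#include <stdint.h>
#include <stdio.h>

#define TEXT_PTR_TABLE    0xD36C  /* Red/Blue address given in the post */
#define GAME_CORNER_MACRO 0xF7    /* text command byte named in the post */

static uint8_t mem[0x10000];      /* constructed address space, zero-filled */

/* Little-endian 16-bit read, as the pointers are stored low byte first. */
static uint16_t read16(uint16_t addr) {
    return (uint16_t)(mem[addr] | (mem[(uint16_t)(addr + 1)] << 8));
}

/* Table pointer -> per-NPC pointer (two bytes each, NPC ids start at 1). */
static uint16_t npc_text_addr(unsigned npc) {
    uint16_t table = read16(TEXT_PTR_TABLE);
    return read16((uint16_t)(table + 2 * (npc - 1)));
}

/* Hypothetical check (assumption, not the game's logic): reject any chain
   whose table or text pointer lands in writable memory at or above 0x8000. */
static int pointer_chain_trusted(unsigned npc) {
    return read16(TEXT_PTR_TABLE) < 0x8000 && npc_text_addr(npc) < 0x8000;
}

/* Write the byte values from the post's Route 1 walkthrough. */
static void load_post_example(void) {
    mem[0xD36C] = 0x1D; mem[0xD36D] = 0xD3;  /* Escape Rope x211: table at D31D */
    mem[0xD31F] = 0x21; mem[0xD320] = 0xD3;  /* ThunderStone x211: text at D321 */
    mem[0xD321] = GAME_CORNER_MACRO;         /* TM47 */
}

int main(void) {
    load_post_example();
    uint16_t text = npc_text_addr(2);
    printf("NPC 2 text at %04X, first byte %02X, trusted=%d\n",
           text, mem[text], pointer_chain_trusted(2));
    return 0;
}
```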

Re: New way to get Game Corner glitch Pokémon with text pointer manipulation

Posted by: Torchickens
Date: 2018-06-17 16:17:06
Just made a video on this glitch:

https://www.youtube.com/watch?v=fdLx80jJ4eU

I noticed one of the texts in Lavender Town (this sign specifically) would give variable Pokémon, sometimes with Q and sometimes without. For that reason it's possible the list was taken from somewhere like VRAM, where VRAM inaccessibility applies.

[img]https://i.imgur.com/RglAfK4.png[/img]

If there is a menu that takes its data from a convenient place in RAM, then you could possibly use that to have more control over the Pokémon that appear (e.g. somewhere in the inventory or stored PC items).

Re: New way to get Game Corner glitch Pokémon with text pointer manipulation

Posted by: luckytyphlosion
Date: 2018-06-17 21:50:26
A dump for Blue version I did a few months ago: Link

By pure coincidence, Game Corner 59 (decimal) derives its entries from modifiable data in Item Underflow, and the coin cost from SRAM (which can be manipulated with a carefully crafted crash). I created a route to catch (almost) all 151 Pokemon using this glitch (Link), and a video of someone else performing the route can be found here.

The corruption happens because for some reason, the prize Pokemon are copied using CopyString, which terminates the copy with $50 ("@"), rather than using a fixed length copy. Note that the menu will always have only three Pokemon regardless of how many Pokemon were copied.
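
The difference between a terminator-driven copy and a fixed-length copy, as described in the post above, shown on a constructed layout (an added example, not the game's code). The buffer sizes, the neighbouring bytes and both sample sources are assumptions made for illustration; only the $50 terminator and the three-entry menu come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERMINATOR  0x50  /* "@", the terminator named in the post */
#define PRIZE_SLOTS 3     /* the menu shows three entries */

/* Constructed layout: room for three entries plus a terminator, followed
   directly by unrelated state. The game's real neighbours are not on the page. */
struct ram {
    uint8_t prizes[PRIZE_SLOTS + 1];
    uint8_t neighbour[8];
};

/* Constructed sources: a well-formed list and one whose terminator comes late. */
static const uint8_t SAMPLE_LEGIT[]  = {0x01, 0x02, 0x03, TERMINATOR};
static const uint8_t SAMPLE_GLITCH[] = {1, 2, 3, 4, 5, 6, 7, 8, TERMINATOR};

/* Terminator-driven copy: stops only after copying a 0x50 byte. */
static size_t copy_until_terminator(uint8_t *dst, const uint8_t *src) {
    size_t n = 0;
    do { dst[n] = src[n]; } while (src[n++] != TERMINATOR);
    return n;
}

/* Fixed-length copy: exactly the slots the menu uses. */
static size_t copy_fixed(uint8_t *dst, const uint8_t *src) {
    memcpy(dst, src, PRIZE_SLOTS);
    return PRIZE_SLOTS;
}

/* Copy into a fresh 0xAA-filled layout; return how many neighbour bytes changed. */
static int neighbour_bytes_clobbered(int fixed, const uint8_t *src) {
    struct ram r;
    int changed = 0;
    memset(&r, 0xAA, sizeof r);
    if (fixed) copy_fixed((uint8_t *)&r, src);
    else       copy_until_terminator((uint8_t *)&r, src);
    for (size_t i = 0; i < sizeof r.neighbour; i++)
        changed += r.neighbour[i] != 0xAA;
    return changed;
}

int main(void) {
    printf("terminator copy, legit : %d\n", neighbour_bytes_clobbered(0, SAMPLE_LEGIT));
    printf("terminator copy, glitch: %d\n", neighbour_bytes_clobbered(0, SAMPLE_GLITCH));
    printf("fixed copy, glitch     : %d\n", neighbour_bytes_clobbered(1, SAMPLE_GLITCH));
    return 0;
}
```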

Re: New way to get Game Corner glitch Pokémon with text pointer manipulation

Posted by: Torchickens
Date: 2018-06-18 05:53:11
Great! Thanks lucky.

How could we load Game Corner 59 for general use? Is there a valid NPC/sign that can load it, or does it require some more item underflow trickery? Couldn't find text IDs in the Red/Blue map.

Re: New way to get Game Corner glitch Pokémon with text pointer manipulation

Posted by: luckytyphlosion
Date: 2018-06-18 11:59:53
The method I used is a bit tricky and probably can't be used in a general case. Basically, when the game adds an item to your inventory, it'll first try to find if there's any item that matches the added item, otherwise it will continue searching until it finds an instance of $ff in Item Underflow that's recognized as a terminator (so any even address starting from wNumBagItems/$d31e). Unfortunately, once the game recognizes the terminator, it uses the number of bag items as an offset from the start of the inventory to calculate the address to write the item to, meaning that you can only arbitrarily add items from $d31e to $d41c. However, we can abuse the other side effect of adding an item to the inventory by buying an item with an ID that corresponds to a sign text ID (reference in pokered/wram.asm), allowing us to modify the sign text ID after the sign text ID which matches the item ID with any value from 0 to 99 (as larger values would overflow into another slot).

EDIT: You can also use Connection Copier (another undocumented setup that was mostly hypothetical until now) to arbitrarily copy data from one place to another. I whipped up a barebones guide using the chat messages I saved a year ago when Connection Copier was discovered (Link); anyone with basic knowledge of Gameboy Memory should be able to understand it via hex editing, but there's no guide for practical application. The guide also does not explain how Connection Copier works.

Re: New way to get Game Corner glitch Pokémon with text pointer manipulation

Posted by: Torchickens
Date: 2018-06-18 13:23:14
Thanks lucky! Wow that connection copier sounds like a cool exploit.

I looked into alternative options a little and thought of two alternatives which abuse opening the Town Map in a house in Cerulean City (ID 0x3F) and having Trainer-escape glitch yields enabled (source: D5A5 which is in stored PC items and is better than nothing).

1. Wrong warp to map 0x18 (Route 13) with D61A as 01, and have D7D9 (I don't know what this is used for, possibly event flags) read 0xF7. It seems you may be able to get a glitch mart this way as well as it did it on my 'completed' file. It seems this can be changed from the stored PC items, but I don't know what requirements this would mean yet.
2. Wrong warp to map 0xC6 (Victory Road) without opening any more menus. Once there, you must have D640 as 01 beforehand and the game will bring up a text box sourced from F917 (D917), which via a Link Battle you could manipulate to 0xF7. However, these requirements make it overly complex and it doesn't seem you can get the expanded PC items to extend far enough to corrupt D640.


Edit: For 1. I have this incomplete flag reference for D7D9

[img]https://i.imgur.com/9KunoG7.png[/img]

Not sure if you can get bit 0x00, and Glitch City RAM Manipulation unfortunately wouldn't work as all possible conversions set bit 0x3.