Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


ItemDexJP/B:000 theory

Posted by: Torchickens
Date: 2018-12-06 13:49:03
As danny found, this glitch item in Japanese Blue has a randomized name. Could it be possible to use this to our advantage for LOL glitch combined with a screen data saving glitch item?

Re: ItemDexJP/B:000 theory

Posted by: Couldntthinkofaname
Date: 2018-12-18 00:06:38
Before I can answer this, let's do a brief recap of exactly how the LOL glitch works, that way we have context:

- The player enters the overworld loop during battle, tricking the game into believing that the player is still in battle
- The player opens the items menu, causing the game to save its current tilemap to wTileMapBackup2
- The player presses "A" on an item that does not have a 0x50 in its name within 20 bytes. This causes CopyData to write the unterminated string in a buffer nearby wTileMapBuffer, which CopyString will then read into. It will then write to its own buffer, eventually overwriting wEnemyMonSpecies2, which determines which Pokémon we get after throwing the Master Ball.

So by that logic, if we wanted to perform the LOL glitch by using a tile from B:000's name, we would need:
- An item that jumps back to the overworld loop in battle
- An item that jumps back to the overworld loop outside (in Eng-Red, both are satisfied by 9f)
- A means of backing up the tilemap to buffer2 with B:000's name on screen (Recall that the last time the game normally does this is before the items menu opens!)

And thankfully, in Jp-Blue, we have all of these! …except the first one.

0x63

0x63 is a glitch item in Jp-Blue that, through a miracle of code flow, jumps us back to the overworld loop!

So why can't we use it during battle? Well, part of the reason why it reaches the overworld loop in the first place is because, shortly after its execution, it performs three pops, and then a ret. When not in battle, after the three pops, the ret instruction will take you to a part of the ROM that eventually leads to the overworld loop. But it seems that, during battle, the stack is not so in our favor. Once it reaches the ret instruction, it points to a location in ROM that eventually leads to an invalid opcode. Bummer.

Because of the abnormality with the stack, we can't use 63 to reach the overworld loop during battle. IIRC, I had luck with another glitch item that reached the overworld loop, but that I believe executed code from memory, so its reliability may be called into question.

Backing up tile data to buffer 2

> combined with a screen data saving glitch item?

No need!

In Jp-Blue, the tile that gets written into wEnemyMonSpecies2 is at X=2 Y=5. This is well out of the way of the Start menu, and it gets changed occasionally by B:000's name. Because of this, we are able to trigger a backup of X=2 Y=5 to wTilemapBackup2 by jumping back to the overworld loop and re-opening the items menu!

We're out of battle here, so 0x63 should work juuuust fine  8).



In conclusion, the setup would go as follows:

- Get 0x00 and put in the first slot. Also grab 0x63 and some Master Balls.
- Get into a battle
- By some means, get into the overworld loop. (When testing, I used an item, breakpointed before the item was used, and then forced a jump to the overworld loop. Hopefully a way can be found!)
- Correct the graphics using a warp
- Open and close the items menu (with 0x00 in your first slot) until you are comfortable with the tile at X=2,Y=5 (sometimes 0x00's random name won't corrupt it, just be patient!)
- Make sure there is a 0x50 subtile close to, but not before, X=2,Y=5
- Use 0x60
- Open the items menu (backs up X=2,Y=5 to buffer2)
- Press "A" on 0x00 (not guaranteed to be unterminated) or another unterminated glitch item
- Throw a Master Ball


Will look into how reaching the overworld loop in battle might be possible.
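
The copy chain laid out in the post above, as an added Python model that is not the games' code, the disassembly's, or either poster's: a length-bounded CopyData-style copy feeding a terminator-scanning CopyString-style copy. Every address (NAME_TABLE, NAME_SCRATCH, STRING_BUFFER, SPECIES_VAR), the starting species value, the stray tile byte and both item names are constructed placeholders, since the page gives no memory map. The model shows why a name with no 0x50 within its first 20 bytes lets the second copy run past its destination buffer into the variable that follows it (the wEnemyMonSpecies2 stand-in picks up whatever byte was lying after the name), and a bounded variant of the same copy that truncates instead of overrunning.

```python
"""Toy model of the copy chain the thread describes for the LOL glitch.

Added illustration for this archived thread; it is not code from the games,
from the disassembly, or from either poster. Every address and value here is
a constructed placeholder: the page gives no WRAM map beyond the C406/CDE2
tile addresses quoted later, and those are not used here. What is modelled is
only the shape of the bug: a string copy that scans for the 0x50 terminator
with no length limit, so a name lacking one keeps copying whatever follows it
into memory past the destination buffer.
"""

TERMINATOR = 0x50          # Gen I text terminator (written "@" in the disassembly)
MEM_SIZE = 0x10000         # flat 64 KiB address space stand-in

# Constructed layout, chosen so the overrun is easy to follow (not the real map).
NAME_TABLE    = 0x0800     # where the item's name bytes are read from
NAME_SCRATCH  = 0x1000     # where CopyData drops the name (near the tilemap in the game)
STRING_BUFFER = 0x2000     # destination buffer that CopyString writes into
BUFFER_SIZE   = 20         # bytes reserved for that buffer
SPECIES_VAR   = STRING_BUFFER + BUFFER_SIZE   # stand-in for wEnemyMonSpecies2, right after it

ORIGINAL_SPECIES = 0x99    # constructed: what the species variable held before
STRAY_TILE       = 0x15    # constructed: a screen byte lying just past the copied name


def fresh_memory():
    """Build a memory image with a species value set and some bytes after the
    scratch area, so an unbounded copy has something to pick up."""
    mem = bytearray(MEM_SIZE)
    mem[SPECIES_VAR] = ORIGINAL_SPECIES
    mem[NAME_SCRATCH + 20] = STRAY_TILE     # the 21st byte the scan will read
    mem[NAME_SCRATCH + 21] = TERMINATOR     # something eventually ends the scan
    return mem


def copy_data(mem, src, dst, length):
    """Length-bounded block copy, the role CopyData plays in the thread."""
    mem[dst:dst + length] = mem[src:src + length]


def copy_string(mem, src, dst):
    """Terminator-scanning copy, the role CopyString plays: copies bytes,
    terminator included, until it sees 0x50. There is no length check, which
    is the defect: with no terminator in the name it runs past dst's buffer."""
    i = 0
    while True:
        b = mem[src + i]
        mem[dst + i] = b
        if b == TERMINATOR:
            return i + 1
        i += 1


def copy_string_bounded(mem, src, dst, size):
    """Hardened variant: writes at most `size` bytes at dst and always leaves a
    terminator inside them (strlcpy-style), so a missing 0x50 truncates the
    name instead of spilling into whatever follows the buffer."""
    i = 0
    while i < size - 1:
        b = mem[src + i]
        if b == TERMINATOR:
            break
        mem[dst + i] = b
        i += 1
    mem[dst + i] = TERMINATOR
    return i + 1


def press_a_on_item(mem, name, bounded=False):
    """Model pressing A on an item whose stored name bytes are `name`:
    CopyData moves the raw bytes into the scratch area, then CopyString copies
    from there into its own buffer. Returns the species byte afterwards."""
    mem[NAME_TABLE:NAME_TABLE + len(name)] = name
    copy_data(mem, NAME_TABLE, NAME_SCRATCH, len(name))
    if bounded:
        copy_string_bounded(mem, NAME_SCRATCH, STRING_BUFFER, BUFFER_SIZE)
    else:
        copy_string(mem, NAME_SCRATCH, STRING_BUFFER)
    return mem[SPECIES_VAR]


# Constructed names. Letters use the Gen I text encoding (A = 0x80), since
# ASCII 'P' would itself be 0x50 and end the copy early.
TERMINATED_NAME   = bytes([0x8F, 0x8E, 0x93, 0x88, 0x8E, 0x8D, TERMINATOR])  # "POTION@"
UNTERMINATED_NAME = bytes(range(0x80, 0x80 + 20))   # 20 letters, no 0x50 anywhere


def demo():
    """Return the species byte seen after each scenario."""
    normal   = press_a_on_item(fresh_memory(), TERMINATED_NAME)
    glitched = press_a_on_item(fresh_memory(), UNTERMINATED_NAME)
    hardened = press_a_on_item(fresh_memory(), UNTERMINATED_NAME, bounded=True)
    return normal, glitched, hardened


if __name__ == "__main__":
    normal, glitched, hardened = demo()
    print(f"terminated name:   species 0x{normal:02X} (unchanged)")
    print(f"unterminated name: species 0x{glitched:02X} (byte past the name)")
    print(f"bounded copy:      species 0x{hardened:02X} (unchanged)")
```

The interesting line is the one in `copy_string` that has no bound: the terminated name stops the scan after seven bytes and the species variable keeps 0x99, the 20-byte unterminated name makes the scan read on into the constructed stray byte and deposit it exactly on the species variable, and the bounded copy writes a terminator at the end of its own 20 bytes and leaves the variable alone. The same shape is what any terminator-scanning copy needs checking for when a buffer sits next to game or program state.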

Re: ItemDexJP/B:000 theory

Posted by: Torchickens
Date: 2018-12-19 11:00:37
Thank you for your lovely thorough reply Epsilon.

Yes, I had tested item 0x63 before and got the same results as you; item 0x63 was the only potential LOL glitch compatible item not executing a writable memory region.

About there being no need of a screen data saving glitch item (for 0x00/0x63 LG), this may not be true; as in the English games a copy of the screen without the Start menu being open is saved into memory once opening the menu. The purpose of the screen data saving glitch item (e.g. EN 9F) is to save what is on the menu into memory rather than from the overworld. However, I don't know for sure whether this also applies to the JP Blue Version.

Hopefully we can find a way to avoid the freeze when the item is used in battle.

Re: ItemDexJP/B:000 theory

Posted by: Couldntthinkofaname
Date: 2018-12-19 11:21:49

> Thank you for your lovely thorough reply Epsilon.
>
> Yes, I had tested item 0x63 before and got the same results as you; item 0x63 was the only potential LOL glitch compatible item not executing a writable memory region.

If I recall correctly, there was one that, albeit jumping into memory, was able to jump back into the overworld loop. The memory it jumped into I believe was late HRAM, which may be somewhat predictable? I'll see if I can dig it back up to find out what exactly happened there.

> About there being no need of a screen data saving glitch item (for 0x00/0x63 LG), this may not be true; as in the English games a copy of the screen without the Start menu being open is saved into memory once opening the menu. The purpose of the screen data saving glitch item (e.g. EN 9F) is to save what is on the menu into memory rather than from the overworld. However, I don't know for sure whether this also applies to the JP Blue Version.

I knew that. What I meant by "we need not an item that backs up the screen data to buffer 2" is that we need not an item that does "exactly that".

Example:

The tile at X=2 Y=5 is at C406 in the main tilemap buffer and CDE2 in buffer2. Let's just say that, after the player opened the items menu, the values at both addresses were 0x38. We'll just say that 0x00's random name corrupted the value at C406 to C8. While there are no direct ways to write C406 to CDE2, we can force another backup to buffer 2 by using item 0x63 and reopening the items menu. After that, both values, C406 and CDE2 would be C8 in this hypothetical scenario.

Re: ItemDexJP/B:000 theory

Posted by: Torchickens
Date: 2018-12-19 11:39:35
I see, sounds great. :) Sorry I misunderstood :(