Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation II Glitch Discussion


The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Crystal_
Date: 2014-09-12 08:56:28
There is a very little routine that makes the whole trick possible, and that's the routine at 0:1383 in Pokemon Crystal.

Function1383:: ; 1383
    ld a, $e6             ; $e6 is the '?' tile
    ld [hli], a           ; store it at the current tilemap position and advance hl
    call PrintLetterDelay
    jp NextChar           ; move on to the next byte of the string
; 138c


When a char is interpreted, the routine at 0:1087 analyzes which character we are dealing with in case it's an identifier with a special function (such as a new line, or the 'POK' symbol) and jumps to 0:1383 if the char is 0. Function1383 then writes 0xE6 (which is the '?' character) at hl and we move on to the next char. hl points to the corresponding tile in the tilemap, so this routine is basically overwriting the "blank" character 00 directly in the tilemap.

PlaceString:: ; 1078
    push hl               ; remember where the string starts in the tilemap

PlaceNextChar:: ; 1079
    ld a, [de]            ; de = pointer to the next byte of the string
    cp "@"                ; "@" ($50) is the string terminator
    jr nz, CheckDict
    ld b, h               ; return the final tilemap position in bc
    ld c, l
    pop hl
    ret
    pop de                ; never reached (dead code after ret)

NextChar:: ; 1083
    inc de                ; advance the string pointer
    jp PlaceNextChar      ; and loop; nothing bounds the number of bytes read

CheckDict:: ; 1087
    cp $15
    jp z, Function117b
    cp $4f
    jp z, Char4F
    cp $4e
    jp z, Function12a7
    cp $16
    jp z, Function12b9
    and a                 ; char $00?
    jp z, Function1383    ; yes: print '?' instead
        (...)


Since the bad clone's name is just a bunch of 00's without the terminator character (0x50), when the name is read from the string buffer 1 (WRAM:D072), the game will keep on reading bytes as characters and, for every 00, write the '?' symbol in the different tiles of the tile map, eventually going past the 10 tiles that make up the bad clone's name.

The buffer at D072 is the first buffer, meaning that if any of the other 3 buffers has been used before, there will be a terminator character somewhere, making the whole thing not work (this is why one of the requirements for the trick is saving in front of the box and resetting the Game Boy without doing anything else before performing the trick).

This is the result of, for example, changing 0:1384 to 0xE7:

[img]http://i.imgur.com/4AfN6F7.png[/img]

Notice the '!' symbols as well as the Phanpy sprite (both have hex identifiers of 0xE7).

If, instead, you just NOP the ld [hli],a instruction, the bad clone trick won't work, as, apart from the '?' symbols not appearing, FF/CANCEL remains as Pokemon FF/CANCEL instead of becoming a withdrawable Kingdra.

I still couldn't find out where all the Pokemon (including FF/CANCEL) becoming Kingdra comes from though. It must be related to the spam of 0xE6 as well, but box Pokemon data is located in SRAM (bank 1, from RAM address AD10 on), and tracking it down with the debugger, I've seen that the 0xE6 bytes never get written in SRAM, and the data there always seems to be correct (matching the data of the Pokemon "behind" the Kingdra). So this has to come from somewhere else.
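The runaway described in this post, as an added Python simulation (not code from the thread, and not the game's code): it walks a flat memory image the way PlaceNextChar does, storing the '?' tile for every $00 byte and stopping only at the next '@' ($50). The only address taken from the post is string buffer 1 at $D072; the location of string buffer 2, the tilemap destination, the far-away $50 that finally stops the loop, the 0x80-based letter encoding and the sample names are constructed assumptions. It also covers the variant with 0:1384 patched to $E7 and the case where string buffer 2 was used before the reset.

```python
"""Simulate pokecrystal's PlaceNextChar loop on a flat 64 KiB memory image."""

TERMINATOR = 0x50        # "@" in the Gen II charmap ends a string
QUESTION_MARK = 0xE6     # "?" tile; Function1383 stores it for a $00 byte
EXCLAMATION = 0xE7       # "!" tile (the value of the patched 0:1384 byte)
NAME_TILES = 10          # screen tiles reserved for the box Pokemon's name

STRING_BUFFER_1 = 0xD072  # string buffer 1, from the thread
STRING_BUFFER_2 = 0xD086  # assumption: buffer 2 starts 20 bytes later
NAME_DEST = 0xC4A0        # assumption: where the name lands in the tilemap
FAR_TERMINATOR = STRING_BUFFER_1 + 0x200   # assumption: the first $50 byte the
                                           # loop meets in otherwise-zeroed WRAM


def encode(text):
    """Charmap subset used here: 'A'..'Z' are $80..$99, '@' is the terminator."""
    out = bytearray()
    for c in text:
        if c == "@":
            out.append(TERMINATOR)
        elif "A" <= c <= "Z":
            out.append(0x80 + ord(c) - ord("A"))
        else:
            raise ValueError("unsupported char %r" % c)
    return bytes(out)


def place_string(mem, src, dst, unknown_tile=QUESTION_MARK):
    """Mimic PlaceNextChar/CheckDict/Function1383. Only the $00 case is
    modelled; other control codes are copied through as plain tiles.
    Returns (tiles_written, address_of_terminator, unknown_tiles_written)."""
    written = unknown = 0
    while mem[src] != TERMINATOR:        # cp "@" / jr nz, CheckDict
        if mem[src] == 0x00:
            mem[dst] = unknown_tile      # ld a, $e6 / ld [hli], a
            unknown += 1
        else:
            mem[dst] = mem[src]
        src += 1                         # NextChar: inc de
        dst += 1                         # [hli] already advanced hl
        written += 1
        if src >= len(mem):
            raise RuntimeError("ran off the end of memory without a terminator")
    return written, src, unknown


def fresh_memory(name_bytes, buffer2=None):
    """Constructed zero-filled memory (like WRAM right after a reset) with the
    name in buffer 1, an optional leftover string in buffer 2, and one stray
    $50 far away standing in for whatever byte stops the real loop."""
    mem = bytearray(0x10000)
    mem[STRING_BUFFER_1:STRING_BUFFER_1 + len(name_bytes)] = name_bytes
    if buffer2 is not None:
        mem[STRING_BUFFER_2:STRING_BUFFER_2 + len(buffer2)] = buffer2
    mem[FAR_TERMINATOR] = TERMINATOR
    return mem


def run_scenario(name_bytes, buffer2=None, unknown_tile=QUESTION_MARK):
    mem = fresh_memory(name_bytes, buffer2)
    tiles, stop, unknown = place_string(mem, STRING_BUFFER_1, NAME_DEST, unknown_tile)
    return {
        "tiles": tiles,
        "unknown_tiles": unknown,
        "overrun": max(0, tiles - NAME_TILES),   # tiles written past the name box
        "stopped_at": stop,
        "last_tile_written": mem[NAME_DEST + tiles - 1] if tiles else None,
    }


def run_scenarios():
    bad_clone = bytes(NAME_TILES)       # ten $00 bytes and no terminator at all
    return {
        "normal": run_scenario(encode("BULBASAUR@")),
        "bad_clone_fresh": run_scenario(bad_clone),
        "bad_clone_buffer2_used": run_scenario(bad_clone, buffer2=encode("PIKACHU@")),
        "bad_clone_patched_e7": run_scenario(bad_clone, unknown_tile=EXCLAMATION),
    }


if __name__ == "__main__":
    for label, r in run_scenarios().items():
        print("%-24s tiles=%3d unknown=%3d overrun=%3d stopped at $%04X"
              % (label, r["tiles"], r["unknown_tiles"], r["overrun"], r["stopped_at"]))
```

With a fresh reset the loop writes '?' tiles until it reaches the stray $50 hundreds of bytes later, well past the 10-tile name; with a leftover "PIKACHU@" in buffer 2 it stops after 27 tiles, which is why a previously used buffer kills the trick.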

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Crystal_
Date: 2014-09-13 13:52:44
So I've found where the Kingdras come from. The routine at 38:6DEF reads the pokedex number of the pokemon in the box from address C800 +3*PkmnPos. Yes, C800 is the start of the Overworld map, but it also seems to store the species of the Pokemon in the box at this point. I didn't bother to keep tracking down things at this point, but the thing is that the species of FF/CANCEL has to be located between C800 and around C840 depending on the number of pokemon in the box, and in one of my tests I saw addresses up to C863 (from C599) get corrupted. While irrelevant, the species of the pokemon in the box we are dealing with gets then written to D265 and finally to D108. From that address is where I started tracking everything down.

Functione2def: ; e2def (38:6def)
    ld a, [$cb2b]          ; position of the Pokemon the cursor points to
    ld hl, $cb2a
    add [hl]               ; plus [$cb2a] (always 00 in my tests)
    ld e, a
    ld d, $0               ; de = index
    ld hl, OverworldMap    ; $c800
    add hl, de
    add hl, de
    add hl, de             ; hl = $c800 + 3 * index
    ld a, [hl]             ; read the species byte stored there
    ret

CB2B contains the position of the pokemon the cursor points to. I have no idea what CB2A is for; it always seems to be 00.

Here is a video of everything: https://www.youtube.com/watch?v=acUjiWcMAcc

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Krys3000
Date: 2016-11-12 11:33:56
Hello Crystal_, well this thread has been dead for a long time, but I'm currently writing a full guide for this glitch. I was just wondering about the in-depth mechanics, so thanks for this!

Do you know more about this glitch? I can figure that it all comes from a shifting in memory addresses, since we lose 1 letter in every clone's name, and since the egg trick is based on shifting the hex ID for a move to the RAM address for the Pokémon's hex ID. But why exactly does this happen starting from the moment when we withdraw the CANCEL/Kingdra?

Thanks!

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: ISSOtm
Date: 2016-11-14 16:38:58
Because we remove the hex:FF terminator for the party list.

Basically, Gen II boxes have data arranged as first, a list of Pokémon IDs.
Then, the list of Pokémon data.

When withdrawing Pokémon number X in the list, the game does this:
1. Copy Pokémon number X data to party
2. Copy Pokémon ID number (X+1) to Pokémon ID number X (in the first list)
3. If we copied a FF, end here. Otherwise, continue.
4. Copy Pokémon data number (X+1) to Pokémon data number X (in the second list)
5. Increment X, and go to step 2.

When you retrieve a Pokémon, the game copies one FF one slot backwards, but leaves the other FF in place.
Consider the following box:
Ivysaur (ID 02)
Weedle (ID 0C)
Venusaur (ID 03)
CANCEL (ID FF)
(some uninitialized data, let's say 00)
(Pokémon data, doesn't matter right now)

Let's retrieve Ivysaur. The game copies his data to our party, then replaces Ivysaur's ID (number 0 in the list) with Weedle's (number 1 in the list). Then it copies Weedle's data over Ivysaur's.
Then it repeats with Venusaur, and CANCEL (note that in this case step 4 is never reached).

We then have, considering only the first four IDs:
Weedle (0C)
Venusaur (03)
CANCEL (FF)
CANCEL (FF)


Now, what would possibly happen if all CANCELs were taken away? Then the game would keep shifting bytes, thinking they are Pokémon IDs. Now remember what is right after Pokémon IDs? Pokémon data! And thus, all the data is shifted left by one byte.
This also means huge chunks of data are moved around.



My explanation may be wrong in places (I'm too tired to check against code right now :3), but the general idea is just that.
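The withdraw loop in the five steps above, as an added Python model (not the game's code and not from the thread): a species list terminated by $FF followed by the data blocks, laid out flat like the post describes, on the post's small example box. The four-byte data blocks and their contents, and the bytes standing in for whatever follows the box in SRAM, are constructed assumptions. Withdrawing slot 0 reproduces the post's result; withdrawing the CANCEL slot itself shows the copy running out of the ID list and into the data region, one byte to the left, until some other $FF byte is found.

```python
"""Toy model of the Gen II box withdraw loop: species list terminated by $FF,
then the Pokemon data blocks, as described in the post above."""

SLOTS = 4             # box capacity in this toy; real boxes hold more
DATA_SIZE = 4         # constructed data block: species, level, move1, move2
LIST_LEN = SLOTS + 1  # species IDs plus the slot the $FF terminator needs
TERMINATOR = 0xFF     # the "CANCEL" entry

# Constructed box contents (not from the game): the post's example box.
SPECIES = bytes([0x02, 0x0C, 0x03, TERMINATOR])   # Ivysaur, Weedle, Venusaur, CANCEL
BLOCKS = [bytes([0x02, 0x10, 0x21, 0x4B]),        # Ivysaur's data block
          bytes([0x0C, 0x05, 0x28, 0x51]),        # Weedle's
          bytes([0x03, 0x20, 0x4B, 0x16])]        # Venusaur's
# Stand-in for whatever follows the box in SRAM (assumption): an $FF two bytes in.
TRAILER = bytes([0x00, TERMINATOR]) + bytes(78)


def data_offset(i):
    """Start of data block i in the flat layout."""
    return LIST_LEN + i * DATA_SIZE


def make_box():
    box = bytearray(LIST_LEN + SLOTS * DATA_SIZE) + bytearray(TRAILER)
    box[:len(SPECIES)] = SPECIES      # remaining list bytes stay $00 ("uninitialized")
    for i, blk in enumerate(BLOCKS):
        box[data_offset(i):data_offset(i) + DATA_SIZE] = blk
    return box


def withdraw(box, x):
    """The five steps from the post, applied literally to the flat bytes.
    Returns (data copied to the party, number of list slots shifted)."""
    party = bytes(box[data_offset(x):data_offset(x) + DATA_SIZE])      # step 1
    shifted = 0
    while True:
        d = data_offset(x)
        if x + 1 >= len(box) or d + 2 * DATA_SIZE > len(box):
            raise RuntimeError("ran off the constructed SRAM image without finding $FF")
        box[x] = box[x + 1]                                           # step 2
        shifted += 1
        if box[x] == TERMINATOR:                                      # step 3
            return party, shifted
        box[d:d + DATA_SIZE] = box[d + DATA_SIZE:d + 2 * DATA_SIZE]   # step 4
        x += 1                                                        # step 5


def blocks_of(box):
    return [bytes(box[data_offset(i):data_offset(i) + DATA_SIZE]) for i in range(SLOTS)]


def simulate(slot):
    """Withdraw `slot` from a fresh copy of the box and report what moved."""
    original = make_box()
    box = bytearray(original)
    party, shifted = withdraw(box, slot)
    return {
        "party": party,
        "shifted": shifted,
        "overran_list": slot + shifted > LIST_LEN,       # step 2 read past the ID list
        "species_list": bytes(box[:LIST_LEN]),
        "blocks": blocks_of(box),
        # True when every byte from the withdrawn slot up to the $FF moved left by one
        "shifted_left_by_one": box[slot:slot + shifted - 1] == original[slot + 1:slot + shifted],
    }


if __name__ == "__main__":
    for slot in (0, 3):     # 0: withdraw Ivysaur; 3: withdraw the CANCEL entry itself
        r = simulate(slot)
        print("withdraw slot %d: shifted %2d, overran list: %s, IDs=%s"
              % (slot, r["shifted"], r["overran_list"], r["species_list"].hex()))
        for i, blk in enumerate(r["blocks"]):
            print("  block %d: %s" % (i, blk.hex()))
```

Withdrawing the CANCEL slot copies the $00 after it, so step 3 never fires inside the list; the loop then reads the data region as IDs and keeps copying, and afterwards the first block's species byte holds what used to be its level byte, which is the one-byte shift the post describes.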

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Yeniaul
Date: 2016-11-14 18:28:46
This is correct. And a very good explanation!

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: ISSOtm
Date: 2016-11-14 20:30:29
Oi, thanks! That's also an article that's wanted twice?

There's still a ton of work to do on the wiki. Just look at this! T_T


I'm not familiar with Generation II, so I expect Crystal_ to correct me next time he pops up :P

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Krys3000
Date: 2016-11-15 01:11:17
Yeah, that's exactly what I thought, but I just needed to be sure. It behaves exactly the same way as in Gen I, in which such behaviour is the basis for the Duplicate Items Trick :)

Since I didn't have the memory addresses for Crystal, I couldn't check by myself (but then I realized it's $AD10), but I did now and that's fine :P

Still can't get why the corruption provoked by the Bad Clone's name would allow the withdrawing of FF/Cancel though. Is this just because the sprite buffer gets corrupted and by attributing a Kingdra sprite to the Cancel Button, you're forcing him to "be a withdrawable Pokémon"?

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: ISSOtm
Date: 2016-11-15 11:27:15

Yeah, that's exactly what I thought, but I just needed to be sure. It behaves exactly the same way as in Gen I, in which such behaviour is the basis for the Duplicate Items Trick :)

If you're thinking of the Gen II glitch, yup, that's right.
But if you're thinking of the variation of the Expanded item pack glitch that allows duplication of 255 item stacks, that's not right.

I assume you thought of the former.


Still can't get why the corruption provoked by the Bad Clone's name would allow the withdrawing of FF/Cancel though. Is this just because the sprite buffer gets corrupted and by attributing a Kingdra sprite to the Cancel Button, you're forcing him to "be a withdrawable Pokémon"?

Exactly. The game makes a buffer in WRAM that gets corrupted when the game attempts to manually put a "?" instead of char $00 while displaying the Bad Clone's name.
But ultimately, the game manipulates data in SRAM.

Re: The reason for the Kingdras and '?' symbols in the bad clone trick

Posted by: Krys3000
Date: 2016-11-15 13:04:53
No, I was thinking about the Gen I glitch, but not on the glitch itself, rather the mechanism of dealing with items. I mean, the normal behaviour of the game is to copy the item n+1 into the address of the item n, and so on until it copies FF and stops. Which is also what happens here.

In the Duplicate Items Trick, we take advantage of this by using quantities of FF to duplicate items, which is the exact opposite of what we do here, but I was not comparing them :)