Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

ACE via Bad Clones in Crystal.

Posted by: Charmy
Date: 2016-11-16 11:24:30
Recently, Werster "found" (it actually wasn't him, but he was one of the first people to speedrun this route) a new way to execute arbitrary code via PC box names and a bad clone. Here's the video (skip to 11:50 for the interesting part)
https://youtu.be/Gj7m4vh18c8
Now, we need to bring it to its full potential.

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-11-16 11:43:35

Recently, Werster "found" (it actually wasn't him, but he was one of the first people to speedrun this route) a new way to execute arbitrary code via PC box names and a bad clone. Here's the video (skip to 11:50 for the interesting part)
https://youtu.be/Gj7m4vh18c8
Now, we need to bring it to its full potential.


Oh my goodness. This makes a joke of the older TM/HM glitch Pokédex mode speedruns. Congratulations to werster if you're reading this.  :)

I wonder how it works, who discovered it and if this has previously been published anywhere publicly? The Trainer ID 09947 looks suspiciously like an address to jump to (in hexadecimal it's 26DB) which is near DB75, the beginning of the box names.

Edit: And I assume the constant exiting the title screen and re-entering it may be a form of RNG manipulation for the ID when you make it so that the same inputs are done prior. In the past there was research done into this which allow for obtaining Generation I Pokémon with specific DVs, such as this.

Re: ACE via Bad Clones in Crystal.

Posted by: Charmy
Date: 2016-11-16 12:16:49
I assume it works like this.
1. Box names are code (of course).
2. The Bad Clone's name is shortened by triggering a potion's Pokémon selection, so you can withdraw the Bad Clone.
3. Looking at the Bad Clone's summary jumps to the trainer ID which jumps to the middle of the box name data and executes the code.
4. …
5. Profit!

Re: ACE via Bad Clones in Crystal.

Posted by: Krys3000
Date: 2016-11-17 06:23:19
Oh yeah, I saw that two or three days ago on PRAMA's Skype Group but I didn't have time to watch thoroughly, and it seemed complicated. I definitely need to look further into it.

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-11-17 09:29:44
I did some research into this as I couldn't find a Pastebin describing it. I haven't searched much at all so there may still be a description, given speedrunners need to know what to do.

When you perform the cloning glitch, you have a chance of getting a Pokémon with a corrupted nickname. This Pokémon doesn't have a 50 in its first eleven characters. Pressing A on an item first for some reason allows you to have the game print a nickname which doesn't freeze the game.

For some reason, when you have exactly three times in the pack and save and reset (in werster's route it was an Antidote x21) the game may jump to RAM at CD52 when you view the corrupted Pokémon's summary. However there are further complications because the game has to safely reach the box names (DB75) and return to the overworld, and I haven't been able to get the glitch to work so far.

I ran into a few memory addresses that may be problematic when they are at the following values, although werster did the glitch in the Pokémon Center so there must be a way to avoid those issues.

D151=FF (player step direction)
D1A9=FF (north map connection)
D1B5=FF (south map connection)
D1C1=FF (west map connection)
D1CD=FF (east map connection)
D1E2=E7 (tileset animation)
D1EC=10 (current HP animation old HP)

It may be of note that in the speedrun the player was given the pre-set name "MAT". Additionally, one level 3 Hoothoot was defeated with its experience shared with a caught Hoothoot and one level 2 Hoothoot was defeated by Cyndaquil alone.

Edit: To get to CD52, the game apparently followed this Mobile GB Adapter routine in the 5F bank (5F:705E). The destination for jp [hl] was CD52:

.crash_loop
cp $31                  ; compare the index in a against the table size ($31 entries)
jr nc, .crash_loop      ; a >= $31 means out of range: spin here forever (the "crash")
ld e, a                 ; de = index
ld d, 0
ld hl, Jumptable17d72a  ; hl = base of the table of 16-bit pointers
add hl, de              ; hl += index * 2 (each entry is two bytes)
add hl, de
ld a, [hli]             ; low byte of the target, then advance hl
ld h, [hl]              ; high byte of the target
ld l, a                 ; hl = target address read from the table
jp [hl]                 ; jump there; here hl ended up as CD52 (WRAM)

Re: ACE via Bad Clones in Crystal.

Posted by: Charmy
Date: 2016-11-17 09:54:21
Great! :)
Now update the ACE page on our wiki to include the latest research results.

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-11-17 10:09:12
Yeah :). Only want to do that when all the requirements/what you must avoid are cleared up though.

I found a Pastebin by werster that says Cyndaquil needs exactly 28 experience on Cyndaquil in addition to the first Rival battle (which would be 70 http://pastebin.com/Mt0BZnDm). This ends up with Cyndaquil having 233 experience, which is the E9 opcode (jp [hl]) so it's possible that you've got to get the PC to end up on Cyndaquil's experience (DD49?) and make hl an address near or at DB75 (PC box names).

Despite this, I still haven't been able to get the glitch to work with the "MAT" name, ID of 09947, semi-bad clone Cyndaquil in slot 3, Potion x1, Antidote x21 and Cyndaquil with an experience of 233, and all that happens are 'GBC only' messages. I noticed that the name of Cyndaquil when withdrawing it was different to what werster obtained (still something like "??????POTION" but with fewer question marks) although it was still an unterminated name.

It seems the code at 26DB might be not for a jump but actually to make the 'h' register DB (ld h, DB) and it can be loaded at wOTMonSelection at CD75 possibly.

Edit: I'm trying to create a fake bad clone with Cyndaquil named "I" (last time it had no nickname which may have been the problem) but I forgot how you can set a breakpoint at the exact location with BGB (and that method was for real bad clones).

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-12-02 22:22:53
I figured out more about this trick. In order to execute CD52, you should have a "21" be read for some particular reason, and save and reset before viewing the name of the unterminated nickname Pokémon.

In order to do this you can have a Pokémon with 21 maximum HP, or an item x21 (possibly in the second position next to a Cancel). However, the item x21 method seems to make it more likely you won't encounter any bad opcodes like rst 38.

Select the item x21 and try to toss it, cancel with B, and exit the menu after pressing Cancel with A (important: if you exit the menu with B it may not work). Afterwards the game will execute CD52. A ret nz at CF6F may make the game go to D10E, which is in the middle of a buffer which is being used for the current Pokémon.

In the speedruns, it appears 26 DB and 26 FB are used as an ID to represent ld h, DB; and the 233 experience is later used to represent a jp hl (E9) but if we want to adapt this for non speedrunning purposes, it may be ideal to use a Pokémon knowing the following moves:

1) Perish Song
2) Bide
3) Safeguard
4) Any move

; representing jp DB75 (box 1 name).

Lapras should be a Pokémon with a safe Pokémon ID (83; representing add a, e) who can learn all of these moves. In order to know Bide it can be taught TM34 in Generation I. To learn Safeguard it may be taught TM20 in Generation II. If we want it as a bad nickname Pokémon we could possibly try to use 9F stack corruption in Generation I to corrupt its nickname.

If this works out suddenly we only need 9F and an unterminated name Lapras (if it can be transferred to Generation II) with specific moves, which is simpler than TM33 ACE, and instead of using items as code we can choose to write box name codes.

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-12-06 15:52:10
I confirmed the Lapras trick on console. :D

This glitch is very good and I recommend it over TM33 ACE if you want an Ilex Forest Celebi!

If you have three Pokémon games (two Generation II games, one Generation I game) you can trade the glitched Lapras with a bad nickname with Bide as move two on to a Generation II game with Time Capsule enabled (i.e. meet Bill in Ecruteak City and wait one day), raise it to level 50 (preferably with Rare Candies as we gave it a bad nickname) so it learns Perish Song and Safeguard as move 1 and 3, and then trade it on to a Pokémon Crystal which only got access to the Pokédex.

It's recommended to use a fresh Crystal like this because there could be bad data after CD52 which makes the glitch refuse to work. When Lapras is on the fresh Crystal, save and reset with a box name code, go to toss the Antidote x21, press B, press A on Cancel (important you press A on it) and view its summary. Your code should activate.

In this Pastebin, I have prepared many box name codes including all badges, have Fly, all Fly destinations, infinite Master Balls, infinite Rare Candies and a code to get TM17 with proper bootstrap code (which I recommend using first because it is faster to use it).

Additionally I have included a code to get the GS Ball for Celebi from the Goldenrod Pokémon Center (as well as a 'go to next day code' so you don't have to wait a day after Kurt inspects it), and a code to modify Pokémon 1's species byte 2 to Mew. You can have Pokémon 1 as the Egg you receive for free at the Pokémon Day Care, use another code to change its remaining Egg cycles to 1, and then walk/cycle around until it hatches into a level 5 Mew (although it may become level 4 or another level if you deposit and withdraw it again).

If you want to warp to the Safari Zone, you can do that with a code in the Pastebin too! :)

Although it may be a little difficult to make box name codes with the limited number of available opcodes, I recommend that now over box items because all you have to do to prepare the code is name your boxes whereas certain items may be difficult to get/it takes time to prepare them in a particular order.

I am preparing a video for the trick and it might be commentated for a change. I'm conscious of my voice (it's not always clear and I can have trouble with the sound) but it would be nice to have a more personal touch to my videos and it is easy to communicate through the spoken word.

Re: ACE via Bad Clones in Crystal.

Posted by: Charmy
Date: 2016-12-06 16:22:17

I confirmed the Lapras trick on console. :D

This glitch is very good and I recommend it over TM33 ACE if you want an Ilex Forest Celebi!

If you have three Pokémon games (two Generation II games, one Generation I game) you can trade the glitched Lapras with a bad nickname with Bide as move two on to a Generation II game with Time Capsule enabled (i.e. meet Bill in Ecruteak City and wait one day), raise it to level 50 (preferably with Rare Candies as we gave it a bad nickname) so it learns Perish Song and Safeguard as move 1 and 3, and then trade it on to a Pokémon Crystal which only got access to the Pokédex.

It's recommended to use a fresh Crystal like this because there could be bad data after CD52 which makes the glitch refuse to work. When Lapras is on the fresh Crystal, save and reset with a box name code, go to toss the Antidote x21, press B, press A on Cancel (important you press A on it) and view its summary. Your code should activate.

In this Pastebin, I have prepared many box name codes including all badges, have Fly, all Fly destinations, infinite Master Balls, infinite Rare Candies and a code to get TM17 with proper bootstrap code (which I recommend using first because it is faster to use it).

Additionally I have included a code to get the GS Ball for Celebi from the Goldenrod Pokémon Center (as well as a 'go to next day code' so you don't have to wait a day after Kurt inspects it), and a code to modify Pokémon 1's species byte 2 to Mew. You can have Pokémon 1 as the Egg you receive for free at the Pokémon Day Care, use another code to change its remaining Egg cycles to 1, and then walk/cycle around until it hatches into a level 5 Mew (although it may become level 4 or another level if you deposit and withdraw it again).

If you want to warp to the Safari Zone, you can do that with a code in the Pastebin too! :)

Although it may be a little difficult to make box name codes with the limited number of available opcodes, I recommend that now over box items because all you have to do to prepare the code is name your boxes whereas certain items may be difficult to get/it takes time to prepare them in a particular order.

I am preparing a video for the trick and it might be commentated for a change. I'm conscious of my voice (it's not always clear and I can have trouble with the sound) but it would be nice to have a more personal touch to my videos and it is easy to communicate through the spoken word.

Great, I didn't think most ACE stuff would already be ported.
Anyway, we want to hear your voice.
Also, maybe make a commentated version and an uncommentated version?

Re: ACE via Bad Clones in Crystal.

Posted by: Torchickens
Date: 2016-12-06 16:31:34
Thanks! OK then, I'll give it a go.

Yeah, I may make an uncommentated version as an unlisted video but with a link to it in the description. Thanks for the suggestion.

Re: ACE via Bad Clones in Crystal.

Posted by: luckytyphlosion
Date: 2016-12-06 18:48:54
Explanation of the glitch:
Basically, it's the cause of poor error checking by GameFreak. When the game has to print the Fake Bad Clone's name through the PlaceString function, it encounters 0x00 characters which aren't supposed to be printed.

In Gold/Silver, encountering a 0x00 character would cause the game to stop processing the string (and also terminate a call from the text processing engine, although that's irrelevant in this case). However, in Crystal, for whatever reason GameFreak replaced this error checking so encountering a 0x00 character would print a ? instead. This can lead to PlaceString writing past the tilemap in WRAM and into other RAM (as seen in Crystal_'s Bad Clone/Kingdra video).

This new error checking has another consequence; being able to read invalid characters. Normally this would not be too destructive; the only thing you could do at best (worst?) is overflowing text into other portions of RAM, as seen above. However, due to another instance of bad error checking, the <DAY> control code (0x15) can jump to a fairly exploitable portion of RAM, 0xcd52.

The code for control code 0x15 jumps to a mobile function, Function17f036, which then calls Function17f036 leading to a jumptable, which reads the next byte from the source as the jumptable index. While there's error checking implemented, GameFreak missed one invalid index, 0x00. The maximum index check checks if the index is greater than the upper bound, but then decrements the a register after the error check. This can allow a 0x00 index to pass through the error check, but then underflow to 0xFF, thereby reading an invalid address from ROM, which conveniently points to WRAM, and a fairly manipulable portion. This is why you need the byte combination 0x15 0x00 to jump to 0xcd52.

From there, you can do whatever setup you want to achieve ACE. Conveniently, Gamefreak pushed the source address onto the stack before jumping to the specified address, so the return address will point to whatever was after the 0x15 0x00. In the Crystal Any% speedrun case, this is an immense help as the memory after is a temporary buffer for storing a Pokemon struct (which stores the Pokémon with the corrupted nickname), allowing us to use the moves and trainer ID as a bootstrap to reach box names.

It might be possible to find other locations for a bootstrap. The address where the game jumps is similar to the address where Coin Case jumps in Gold/Silver, so you could potentially manipulate the BG Map buffers to jump to a more suitable place. (The jump to the middle of party data would not work, as the address of party data had shifted in Crystal).

Interestingly, I found this ACE exploit a while ago when attempting to do regular cloning, but I dismissed it as the result of a crash. (When I was doing some testing regarding cloning, I encountered this glitch again and actually decided to look into it).

EDIT: Forgot to mention, the preset MAT name was purely a speedrun decision as I assumed the player name wasn't seen enough to warrant using a 1-character name (and choosing a preset name is faster).
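The bounds-check ordering bug described above (check the index against the upper bound, then decrement it, so an index of 0 passes the check and wraps to 0xFF in the 8-bit register) is a general pattern worth seeing in isolation. The following C model is an added example and is not pokecrystal code or anything from the game; the table size 0x31 is taken from the snippet posted upthread, the table base address 0x4000 is an assumed placeholder, and the function names are my own. It contrasts the flawed check order with a corrected one and shows where the out-of-range slot lands relative to the table.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants for the model (not the game's real layout):
 * the dispatcher compares the index against $31 entries, and the
 * table of 16-bit pointers is placed at an arbitrary ROM offset. */
#define TABLE_ENTRIES 0x31u
#define TABLE_BASE    0x4000u

/* Flawed order, as described in the post: validate first, decrement second.
 * 'index' lives in an 8-bit register, so 0 - 1 wraps to 0xFF.
 * Returns the table slot that would be dereferenced, or -1 if rejected. */
int flawed_dispatch_slot(uint8_t index) {
    if (index > TABLE_ENTRIES) {
        return -1;            /* out-of-range indexes are caught here... */
    }
    index--;                  /* ...but 0 slips through and wraps to 0xFF */
    return (int)index;
}

/* Corrected order: reject the zero index before adjusting it, and keep the
 * upper bound such that the adjusted index is always inside the table. */
int fixed_dispatch_slot(uint8_t index) {
    if (index == 0 || index > TABLE_ENTRIES) {
        return -1;
    }
    return (int)(index - 1);
}

/* Address the dispatcher would read its pointer from for a given slot
 * (two bytes per entry, matching the double 'add hl, de' in the snippet). */
unsigned table_read_address(int slot) {
    return TABLE_BASE + 2u * (unsigned)slot;
}

/* True when a slot refers to an entry inside the table. */
bool slot_in_table(int slot) {
    return slot >= 0 && slot < (int)TABLE_ENTRIES;
}

int main(void) {
    int bad = flawed_dispatch_slot(0);
    printf("flawed: index 0 -> slot %d (0x%02X), reads from 0x%04X, in table: %s\n",
           bad, (unsigned)bad, table_read_address(bad), slot_in_table(bad) ? "yes" : "no");
    printf("fixed:  index 0 -> slot %d (rejected)\n", fixed_dispatch_slot(0));
    printf("table occupies 0x%04X..0x%04X\n",
           TABLE_BASE, table_read_address((int)TABLE_ENTRIES) - 1);
    return 0;
}
```

The read for slot 0xFF happens 0x1FE bytes past the table base, well beyond the 0x62 bytes the table actually occupies, which is exactly how a fixed ROM byte pair outside the table ends up being used as a jump target. The fix is not the tighter bound alone; it is checking the index in the form it will actually be used.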

Re: ACE via Bad Clones in Crystal.

Posted by: Crystal_
Date: 2016-12-10 08:51:26
My take at adapting this ACE exploit to be useful outside of speedruns. Instead of manipulating the player ID number, specific Pokemon/item data are used with the ultimate goal of reaching the PC items data (as in the Coin Case glitch). More information in the video below.

https://www.youtube.com/watch?v=YqD68-2aAjg

Re: ACE via Bad Clones in Crystal.

Posted by: Nostalgia
Date: 2016-12-10 13:44:17
So is there a way to change the trainer ID to anything you want (as you mention you can manipulate it)? Torchickens showed me how you can change the ID to anything you want on Pokémon Yellow with ws m, and I figure something similar could work given it's arbitrary code execution, just in a different game.

Great video though Crystal, just watched it. Amazing the discoveries still being found out after all these years.

Re: ACE via Bad Clones in Crystal.

Posted by: Crystal_
Date: 2016-12-10 15:21:49
Yeah, the player ID number is at d47b-d47c in Crystal. You can use ACE to write whichever you want into those addresses.