Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Torchickens
Date: 2017-09-08 22:34:05
I found out today that it's possible to manipulate the Day Care Pokémon from ????? party overloading. Specifically withdrawing a 24th Pokémon will modify the species of the stored Pokémon by the Day Care Lady (DC90 in Gold/Silver) based on the ninth character of the nickname of the Pokémon you withdraw. According to the Pokémon Crystal disassembly's WRAM map, the roamer data isn't far away from here.

Crystal:

wRoamMon1:: roam_struct wRoamMon1 ; dfcf
wRoamMon2:: roam_struct wRoamMon2 ; dfd6
wRoamMon3:: roam_struct wRoamMon3 ; dfdd


Is it therefore possible to create a custom roamer Pokémon? Perhaps it could even be a glitch Pokémon, which would be (one of, perhaps a battle could be triggered without cheating by an out of bounds Glitch City too) the only way(s) of encountering a glitch Pokémon in the wild without arbitrary code execution.

What is the roaming Pokémon structure like?

Wonder if anyone has any input on this. Thanks in advance!

Edit: It seems to have a structure like this.

(Species one byte) (Level one byte) (Location; two bytes) (Unknown three bytes)

Edit 2: Gold/Silver roamer addresses seem to start at DD1A.

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Krys3000
Date: 2017-09-09 05:17:50
In my Gold game in which no roamer has been caught, I have indeed this structure.

F3 28 (Raikou lvl40) followed by localization and the three bytes. Then, F4 28, localization, three bytes, F5 28, localization, three bytes. No clue about what they are (obviously not the moves), they are different for all three roamers.

Things are however different in Crystal, and as of now we can only try to guess things. Indeed, in my Crystal, Entei and Suicune are caught but not Raikou. Thus, the structure is F3 28, localization, three bytes (which are 00 00 00 - it may be related to previous encounters?). Then, it says 00 28 FF FF instead of Entei (F4). It is possible that once caught, the Pokémon's species goes to 00 and the localization goes to FF.
Interestingly enough, Suicune's structure is 00 00 FF FF; the level also does not appear. Suicune is not a roamer in Crystal, suggesting that this data is unused. It is however worth noting that it has values on the three unknown bytes.

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Torchickens
Date: 2017-09-09 10:18:06
Thanks for looking into it Krys3000.

I set a breakpoint to DFD6, DFDD, DFDF on Crystal.

For some reason after withdrawing a 16th Pokémon, the game moved the value of FFB6 to DFD6.

I believe at one point I got a Squirtle, but this time DFD6 became 14, DFDD became 00 and DFDF became 00.

Upon viewing Raticate (0x14)'s Pokédex entry, it seems like it worked and Raticate's location values became 00 0D.

[img]http://i.imgur.com/hmSwfbX.png[/img]

These were taken from the values of FFB5, FFB6 during the 16th Pokémon withdrawal.

This Raticate doesn't want to move when I change routes though.

I wonder if you can manipulate what FFB5 and FFB6 are during the withdrawal.

Edit: I was able to get the location values to change again after flying away, so the location shouldn't be an issue (maybe unless registered as caught or defeated).

Edit 2: Level 0 roamer Raticate. I manually edited the location value but it may be possible without the need to do that. The legendary beast music was playing. It had no moves upon capture and it had 23/10 HP.

[img]http://i.imgur.com/VYmyQh3.png[/img]

Edit 3: Wow! DFD6 is based on the Pokémon's Attack stat, meaning we should be able to encounter roaming Egg (possibly other ????? variants now) in the wild.

So interestingly it seems we can encounter every ????? as well as Egg this way, or get another Mew/Celebi etc. even though 00 appears as a species value in the structure.

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Charmy
Date: 2017-09-10 05:31:18
So, yet another way to get Celebi? How many different ways is that, like 10?
I actually want to know
a) how many Pokémon do you need to withdraw to cause roamer corruption blame me for not reading the first post
b) how the withdrawn Pokémon's data structure translates to the roamer structure…

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Krys3000
Date: 2017-09-10 05:49:29
If I understand correctly, you might be able to change the species of the roamer using the Attack Stat of another Pokémon? That would be a truly nice finding!

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Charmy
Date: 2017-09-10 06:01:36
So, a Pokémon with 251 Attack, I may try that when I can.

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Caveat
Date: 2017-09-10 09:39:04
I love it when you can basically perform brain surgery on the game like this.

I would try it, but I'm currently iPad-bound… Maybe when VC comes out?

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Stackout
Date: 2017-09-10 11:37:08
BTW, roamer struct is:

byte species;
byte level;
byte map_group;
byte map_number;
byte HP;
word DVs;

source: https://github.com/pret/pokecrystal/blob/700321a7fb2d6c852ffc91cc0b8867526cb76813/macros/wram.asm#L201

When moving roamers, the code checks if map_group is $FF, this means the roamer is no longer available to catch; the roamer-encounter code only checks if you're on the same map as it (so it seems that you can indeed encounter a roaming ????? (00)) - this basically means that if you've caught at least one roamer, glitch map [tt]FF FF[/tt] has at least one roaming ????? (00) in it: https://github.com/pret/pokecrystal/blob/700321a7fb2d6c852ffc91cc0b8867526cb76813/engine/wildmons.asm#L722

And, even more hilariously, there's a function that sanity checks a wild Pokémon's species, returning with carry on if it's invalid (00, > FC); unfortunately, Game Freak forgot a [tt]ld a,b[/tt] before calling it (alternatively, they wrote [tt]ld b,[hl][/tt] instead of [tt]ld a,[hl][/tt]), so what is checked isn't the wild Pokémon's species, but its level! https://github.com/pret/pokecrystal/blob/700321a7fb2d6c852ffc91cc0b8867526cb76813/engine/wildmons.asm#L825

Not that this matters; the sanity check is done on the in-ROM wild Pokémon data before the battle starts, and besides, the only call to this function is done with code dealing with wild Pokémon data, which is completely skipped in the case of a roamer anyway. https://github.com/pret/pokecrystal/blob/700321a7fb2d6c852ffc91cc0b8867526cb76813/engine/wildmons.asm#L332

Torchickens: did you try Flying away to reset the location value to something random? Just moving routes wouldn't work because the game won't find the location in the roamer-moving data (it does this before anything else), whereas Flying just checks if map_group is $FF or not.
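
Added example, not part of the post above or of the pokecrystal source: a C decoder for the three 7-byte roamer slots at the Crystal addresses quoted in the thread, with the species range check applied to the level (as the post says shipped) next to the same check applied to the species. The names `roamer_t`, `roamer_parse`, `species_valid`, `check_as_shipped` and `check_as_intended` are hypothetical, the dump bytes are constructed, and per the post the real check never runs on the roamer path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROAM_BASE  0xDFCF /* wRoamMon1 in Crystal, from the WRAM map quoted in the thread */
#define ROAM_SIZE  7      /* species, level, map_group, map_number, HP, DVs (word) */
#define ROAM_COUNT 3
typedef struct {
    uint16_t addr;        /* WRAM address of the slot */
    uint8_t species, level, map_group, map_number, hp;
    uint8_t dvs[2];       /* raw bytes; the thread does not state the byte order */
} roamer_t;

/* Decode slot i from a dump that starts at ROAM_BASE.
   Returns -1 instead of reading past the dump or past the third slot. */
int roamer_parse(const uint8_t *dump, size_t len, unsigned i, roamer_t *out) {
    if (i >= ROAM_COUNT || len < (size_t)(i + 1) * ROAM_SIZE) return -1;
    const uint8_t *p = dump + (size_t)i * ROAM_SIZE;
    out->addr = (uint16_t)(ROAM_BASE + i * ROAM_SIZE);
    out->species = p[0]; out->level = p[1];
    out->map_group = p[2]; out->map_number = p[3]; out->hp = p[4];
    memcpy(out->dvs, p + 5, 2);
    return 0;
}
/* map_group $FF marks a roamer that is no longer available to catch. */
int roamer_available(const roamer_t *r) { return r->map_group != 0xFF; }
/* Range check as the post states it: 00 and values above FC are invalid. */
int species_valid(uint8_t v) { return v != 0x00 && v <= 0xFC; }
/* As shipped, per the post: the level is the value that gets checked. */
int check_as_shipped(const roamer_t *r) { return species_valid(r->level); }
/* As intended: the species byte itself is checked. */
int check_as_intended(const roamer_t *r) { return species_valid(r->species); }

/* Constructed sample: F3 28 (Raikou, level 40) and a caught slot 00 28 FF FF as
   reported in the thread, then a species-00 slot on an ordinary map.
   Location, HP and DV bytes are made up for illustration. */
static const uint8_t SAMPLE[ROAM_SIZE * ROAM_COUNT] = {
    0xF3, 0x28, 0x0A, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x28, 0xFF, 0xFF, 0x00, 0x00, 0x00,
    0x00, 0x28, 0x0A, 0x02, 0x00, 0x00, 0x00,
};
int main(void) {
    roamer_t r;
    for (unsigned i = 0; roamer_parse(SAMPLE, sizeof SAMPLE, i, &r) == 0; i++)
        printf("%04X species=%02X level=%d available=%d shipped=%d intended=%d\n",
               (unsigned)r.addr, (unsigned)r.species, r.level, roamer_available(&r),
               check_as_shipped(&r), check_as_intended(&r));
    return 0;
}
```

The third slot passes the check as shipped because level 0x28 is in range, while the check on the species byte rejects it.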

Re: Creating custom roamers with beyond slot 6 corruption in Generation II?

Posted by: Torchickens
Date: 2017-09-10 14:26:39
Thanks for the research Wack0. :)


Torchickens: did you try Flying away to reset the location value to something random? Just moving routes wouldn't work because the game won't find the location in the roamer-moving data (it does this before anything else), whereas Flying just checks if map_group is $FF or not.


That's right, I thought it was interesting how it didn't update without flying/teleporting.