Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion


Manipulate specific flags?

Posted by: suloku
Date: 2017-03-21 06:05:58
Hello,

I've been reading about gen 3 ACE and glitches trying to find a way to manipulate specific flags (specifically, Emerald's event islands for legendary pokémon) and after reading about the inner workings of ACE and glitzzer popping I have some doubts:

- I've seen that via Glitzzer popping the flags to birth, faraway and southern island can be enabled, but from what I've read about how the glitch works, those are only enabled because of the game recognizing the data as a corrupt pokémon and setting it as a bad egg, which results in the flags being enabled. The flags for the 4 islands are consecutive, but to my understanding there's no way to manipulate the address; in fact, that there's a glitch pokémon that makes those two flags for the islands get enabled is quite lucky already. Am I wrong, and can glitzzer popping be altered to manipulate any flag given we know where it is?

- Since I thought I couldn't achieve what I wanted via glitzzer popping, I thought ACE was the way to go as showcased here: https://www.youtube.com/watch?v=m9pvNYdhldo&t=31s
The method seems promising as even with the 60 instruction limit, I think enabling 4 flags should fit, but as I don't know ASM I don't have a clue about how to write the payload for setup. I do know how to find the ASM in the rom for the setflag instruction scripting uses though, but without knowing how to use it, it doesn't really make a difference.
Also, I don't know if the savegame being "aligned" (blocks 0-14 being in ascending order as seen here https://www.youtube.com/watch?v=1pb-6hMDQBs) is a requirement for this ACE method.

The ultimate goal is just a simple ACE that enables the 4 island flags, the items can be obtained via glitzzer popping so they aren't a problem. Being able to enable/disable flags could have other uses, like re-battling the legendaries, which might also be interesting.

I personally prefer the ACE way, since glitzzer popping corruption flag enabling also changes undesired flags in the process, so ACE should be a lot cleaner for the savefile imho.

Re: Manipulate specific flags?

Posted by: Yeniaul
Date: 2017-03-21 07:40:43
You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.

Re: Manipulate specific flags?

Posted by: Stackout
Date: 2017-03-21 08:26:52

You should look up Z80ASM guides for the TI-83+. It'll carry over nicely to the gbz80.
Anyway, 60 instructions may not be enough, because the game may check for such changes and null them or if you just save the flags and RET the hell out, you may not exit cleanly. You may even have to call the normal functions that handle special events. Ask ISSOtm, Wack0 or TheZZAZZGlitch.


GBA uses ARMv4…

Anyway, if you want code exec, and you have a Wii and a GC->GBA link cable, you can use the RCE I found and detailed here http://forums.glitchcity.info/index.php?topic=7861.0

You'll be able to write your payloads in C there, hopefully it's what you need (you'd be able to get the items with it as well, FYI, you'll have lots of space for your payload, about 124 KB…)

Re: Manipulate specific flags?

Posted by: suloku
Date: 2017-03-21 10:14:48
The point would be to do it with only a GBA cartridge, as I pointed out in the thread; if I only wanted to execute in-game script commands I could do it via wondercards (but your RCE method is way more powerful and has more possibilities). Would be interesting to see this implemented as a GBA to GBA homebrew, instead of GC/Wii to GBA, but that's another topic.

I went and asked TheZZAZZGlitch on his video. I don't know if the flags are in the DMA regions, but if they aren't, would that 60 instruction limit allow setting a bit at a certain memory location given we know that exact memory address beforehand?

ps: sorry for any stupid question, but I don't really know anything about assembly

Re: Manipulate specific flags?

Posted by: Yeniaul
Date: 2017-03-21 10:58:49

GBA uses ARMv4…

I am aware, but he should start with Z80ASM anyway, as skills he learns in Z80 can be transferred to ARM, and he can write Gen 1/2 ACE scripts.
Derp. :P

Re: Manipulate specific flags?

Posted by: Stackout
Date: 2017-03-21 12:30:17

Would be interesting to see this implemented as a GBA to GBA homebrew


Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.

Re: Manipulate specific flags?

Posted by: suloku
Date: 2017-03-24 04:31:57

Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.


I'm getting off topic, but the GBA 10ANNIV rom (and probably others) worked by sending a client application to the GBA from another GBA. The leaked official SDK has an example about this too (by the way, one of the 10ANNIV roms was made public recently).

Re: Manipulate specific flags?

Posted by: Stackout
Date: 2017-03-24 06:50:07


Unfortunately, not possible. The GBA's JoyBus link support only allows for a GBA to be the slave.


I'm getting off topic, but the GBA 10ANNIV rom (and probably others) worked by sending a client application to the GBA from another GBA. The leaked official SDK has an example about this too (by the way, one of the 10ANNIV roms was made public recently).


That uses the GBA BIOS multiboot, which is different from the multiboot implemented inside of R/S/E/FR/LG (which uses the JoyBus protocol over the link cable for communication with the GameCube games).

Re: Manipulate specific flags?

Posted by: Metarkrai
Date: 2017-03-31 10:10:49

Hello,

I've been reading about gen 3 ACE and glitches trying to find a way to manipulate specific flags (specifically, Emerald's event islands for legendary pokémon) and after reading about the inner workings of ACE and glitzzer popping I have some doubts:

- I've seen that via Glitzzer popping the flags to birth, faraway and southern island can be enabled, but from what I've read about how the glitch works, those are only enabled because of the game recognizing the data as a corrupt pokémon and setting it as a bad egg, which results in the flags being enabled. The flags for the 4 islands are consecutive, but to my understanding there's no way to manipulate the address; in fact, that there's a glitch pokémon that makes those two flags for the islands get enabled is quite lucky already. Am I wrong, and can glitzzer popping be altered to manipulate any flag given we know where it is?


Southern Island can be directly obtained by corrupting a word that manages the delivery man script (its default script being Southern Island's, while the others needed to be added through mystery cards), so that one is the easiest of them to obtain in Emerald (and this works on any Emerald file).
Since the unlock flags for the event islands aren't far from each other, there wasn't too much "luck" required to get at least one in a certain word (what was important was the location of that word inside its double-word, because that word needs to be read as "Remaining HP" for a party Pokémon).
The criteria for having a Glitch Pokémon that gives the right party slot were also a bit large (the character that influences the party slot is around 8.000 and the maximal name length to make things possible is around 10.700 characters).
The fact that there is no Glitch Pokémon that has a name fitting these two requirements on US and JP Emerald seems to me to be the "unlucky" part, as a certain amount of Glitch Pokémon could potentially work (but the required value never ended up in the right character).

The flags for Navel Rock, Faraway Island, and Birth Island also can't be corrupted via Pomeg Glitch Data Corruption (aka Glitzer Popping) because they aren't in the right location in their respective double-words.

Out of the few other ways to corrupt data induced by Pomeg Glitch or Glitch Stuff, none of them can set the bits for the islands flags and leave the game stable/playable. (With a longer glitch Pokémon name, you could set these bits to 1 but too much graphical-related data would have been corrupted and the game would crash once you would move).

This also holds true for RS and FrLg.
An effect from viewing certain Glitch Pokémon summaries in FrLg seemed promising (it messes up with the value that tells you how many summaries you can still see by pushing down) but you either end up freezing the game quite early or only having less than a dozen of additional summaries that you can see.


So as of now, ACE stands as the sole way to unlock the remaining event islands and some other stuff.

Things regarding ACE have progressed for a good amount towards procedures doable on console since the discovery of another entry point via Glitch Moves Animation Scripts by Wack0.

Writing code that triggers a flag can be done, but the tough part is the amount of stuff you would be required to do on console, especially with Glitch Items (they can't be distinguished from each other, so once you start placing them you can only know if your "Glitch Items and placement" was good once you attempt your ACE).

The procedure with the least setup that I thought of to run an overworld script in Emerald is:
- Get the Bootstrap Pokémon (some EV training for the Poké + 1 Glitch Item)
- Write commands to set the event islands flags in the PC (4 Glitch Items, 1 per flag)
- Store some Glitch Items in Pyramid Bags to make a code (16 Glitch Items if I remember well)
- Make an ACE to execute the code made with Pyramid Bags Items: copies the PC Items data to an area unaffected by DMA + changes the script address of an NPC on the map to the address of the area unaffected by DMA.
- Talk to the NPC to execute the commands stored there and unlock the islands.

Thus, that's ~20 Glitch Items you need to obtain without a single EV failure.
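The thread keeps returning to two ideas: setting one specific bit at a known location (suloku's question about the 60-instruction limit) and doing so "cleanly", without the collateral changes that a corruption-based method like Glitzer Popping causes. The following is an added example written for this archive, not code from anyone in the thread; it models the event-flag table as a plain bit-addressed byte array (flag n in byte n/8, bit n%8), which is an assumption about layout, and uses placeholder flag numbers and table size rather than the game's real ones. It shows the bit arithmetic a flag-setting routine needs, sets four consecutive flags the way the island flags are described, and diffs two snapshots of the table to confirm that only the intended bits moved.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a save block's event-flag bitfield.
 * Table size and flag numbers are placeholders, not the game's real layout. */
#define FLAG_BYTES        32u
#define FIRST_ISLAND_FLAG 100u  /* placeholder: first of four consecutive island flags */
#define ISLAND_COUNT      4u

/* Assumed layout: flag n lives in byte n/8, at bit n%8 of that byte. */
int flag_get(const uint8_t *f, unsigned n) {
    return (f[n >> 3] >> (n & 7)) & 1;
}

void flag_set(uint8_t *f, unsigned n) {
    f[n >> 3] |= (uint8_t)(1u << (n & 7));
}

void flag_clear(uint8_t *f, unsigned n) {
    f[n >> 3] &= (uint8_t)~(1u << (n & 7));
}

/* Set `count` consecutive flags starting at `first`; returns how many were newly set. */
unsigned flag_set_run(uint8_t *f, unsigned first, unsigned count) {
    unsigned changed = 0;
    for (unsigned i = 0; i < count; i++) {
        if (!flag_get(f, first + i)) {
            flag_set(f, first + i);
            changed++;
        }
    }
    return changed;
}

/* Count the bits that differ between two snapshots of the table. A targeted
 * write should differ only in the intended bits; a corruption-based method
 * that also flips unrelated flags would show a larger count here. */
unsigned flag_diff_count(const uint8_t *a, const uint8_t *b, size_t len) {
    unsigned diff = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t x = a[i] ^ b[i];
        while (x) {
            diff += x & 1;
            x >>= 1;
        }
    }
    return diff;
}

/* Worked example: snapshot the table, set the four island flags, and report
 * how many bits changed. With a targeted write the answer is exactly four. */
unsigned demo_unlock_islands(void) {
    uint8_t before[FLAG_BYTES], after[FLAG_BYTES];
    memset(before, 0, sizeof before);
    flag_set(before, 3);                 /* an unrelated flag that is already set */
    memcpy(after, before, sizeof after);
    flag_set_run(after, FIRST_ISLAND_FLAG, ISLAND_COUNT);
    return flag_diff_count(before, after, FLAG_BYTES);
}

int main(void) {
    printf("bits changed by the targeted write: %u\n", demo_unlock_islands());
    return 0;
}
```

The same byte-index and bit-mask computation is what a handful of ARM instructions would have to perform against the real flag address; the diff routine is the check you would run on a save dump before and after any method, to see whether it touched only the flags you intended.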