Name: Using ws m/8F to create custom Pokémon sprites (Generation I) @ChickasaurusGL
Uploaded: 2024-10-23T08:17:00-05:00
Duration: 8 min 17 s
Description: Using ws m/8F to create custom Pokémon sprites (Generation I)

Using ws m/8F to create custom Pokémon sprites (Generation I)

Evie (ChickasaurusGL) 🌺 2024-10-23 | Using ws m/8F to create custom Pokémon sprites (Generation I)

Cinnabar man shows rotating Porygon/optional Virtual Boy mode (Yellow) (save file in description)

Evie (ChickasaurusGL) 🌺 2022-11-26 | An explanation and download to the save file will be in this Pastebin and the pinned comment. Enjoy :] pastebin.com/XpiFpfgz

The last video was coded differently using a conditional check and didn't work properly, so I rewrote it. Also the last video, didn't work on a save file causing a fun corruption after reloading the game.

Note this version is self-modifying, and the only way to leave the recurring menus might be to turn off the game. I tried closing the menus through testing but apparently I couldn't bring them up again because of some memory corruption.

Arbitrary sprites sequence concept but my code is glitchy (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-11-25 | How to do it:

I may explain this later and release a working save file, after I get this to work properly.

1. Write your sprites in the save file (SRAM).
2. Bring a modified version of DisplayMonFrontSpriteInBox into the text engine to grab from the SRAM rather than the monster header and set hl (next text box) to loop back on itself.
2. In your code, make it self-modifying to display the next sprite in the sequence afterwards (A000, A15A, A2B4, etc.) like what we did with the rotating Porygon (it's really just eight static sprites).
3. Get it to work, but unfortunately I haven't been able to get past Porygon's sprite 5 yet; it goes in a loop between earlier sprites.

Also it seems the target for this ACE doesn't carry over after saving, so as a bonus you can see the corruption of the sound and tiles with glitch sprites afterwards. Enjoy. ^^

Glitch Super Game Boy palette command 0x5E (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-11-14 | The Super Game Boy is a SNES peripheral which enhances Game Boy games. Though it had many functions, most enhancements were an added border. Routine 3E05 is RunPaletteCommand in the disassembly.

To access this palette command, run ASM:
ld b,5E
call 3E05
ret

All 256 possible Super Game Boy palettes (Pokémon Yellow EN)

Evie (ChickasaurusGL) 🌺 2022-11-05 | The Game Genie code to replace Bruno's room's SGB palette is xxf-f7a-6e2.

Turning NPCs into animated glitch characters (Pokémon Yellow Video RAM corruption experiment)

Evie (ChickasaurusGL) 🌺 2022-11-05 | call 3E6D ; Grab a random value
ld hl,8000 (start of video RAM)
ld bc,yyxx (size of corruption)
call 166E ; fill the memory hl of size bc
ret

VRAM is 0x2000 bytes long, so 2000 will span the VRAM. However, the effect of VRAM inaccessibility will result in black lines. You can also change hl to somewhere else on the memory map, e.g. to fill the RAM with random values. gbdev.io/pandocs/Memory_Map.html

NPC sprites are 8000-8FFF (size 0x1000)
Map tiles are 9000-9800 (size 0x0801)

A save file is coming shortly

Unexplained faulty laptop (screen intermittent colours error) (Halloween special) ^^

Evie (ChickasaurusGL) 🌺 2022-10-25 | Oh dear. Dark humour comforts the soul~ It's like that Professor Layton and the Mysterious Woman meme -_-. The black wire on the right is missing. The white wire is not. The left is attached without connecting wires.

Furthermore, this laptop is an Acer running Windows 10. Specs Aspire A315-54K Intel (R) Core (TM) i3-7020U CPU @ 2.30GHz , 4GB RAM (3.88 GB usable) (yeah 4GB I want to improve it) 64-bit OS. Note one day the battery failed, so I replaced that battery also after taking the laptop apart with a screwdriver.

I/O stands for input/output. ^^ Enjoy :]
en.wikipedia.org/wiki/Input/output

DecompressRequestPikaPicAnimGFX w/bad (glitch) sprites from DE (arbitrary code execution experiment)

Evie (ChickasaurusGL) 🌺 2022-10-21 | Typically we've relied on fixed pointers in glitch sprite corruptions (such as Yellow MissingNo.'s sprite), but we can create a similar chaotic change in the system with 65536 possibilities from the DE register pair with bank a (discounting RAM pointers).

Have this at FA64 and use 4F:
11YYXXFAD3FF063F212861CD843EC9

ld de,XXYY
ld a,(FFD3)
ld b,3F
ld hl,6128
call 3E84
ret

Two observations when forcing the Trade/Cancel boxset outside the Cable Club (Pokémon Red/Blue)

Evie (ChickasaurusGL) 🌺 2022-10-20 | First flaw - The border is glitchy outside of the actual Trade Corner screen (probably because the tileset is different there and those border sub-tiles are the equivalents for the overworld tileset).
Second flaw - It's possible to cause the box to stay on the screen after closing it. (maybe changing D12C does not account for clearing the video tiles from a larger size and the game only clears those concerning Yes/No) (1:13 in the video)

Long Pokémon cries may be cut off in field move sequences (Generation V)

Evie (ChickasaurusGL) 🌺 2022-10-15 | Notes: I've replicated this in English revisions of Pokémon White and Pokémon White 2 for Lopunny and moves Strength, Dig, where the full cry doesn't play during the field move sequence.

In earlier generations, this quirk seemingly does not occur.

Trapping NPCs after dokokashira door glitch block corruption (Red/Green/Blue JP)

Evie (ChickasaurusGL) 🌺 2022-10-15 | Notes: In Celadon City Pokémon Center, you can exploit this glitch with the lady by having her walk into the block that changes every four steps. Some of the glitch tileblocks hide the NPC sprite (while others don't, and she appears above those tileblocks), making it impossible to talk to her.

Celadon City Pokémon Center void lady (Pokémon Red/Green JP)

Evie (ChickasaurusGL) 🌺 2022-10-10 | Notes: Rarely, entering the Celadon City Pokémon Center and walking to the right will cause her to walk out of bounds, and then loop around. Previously on this save file I set up the corruption effect from dokokashira door glitch, in case this matters. I don't know if this occurs in other versions.

Pokémon Pinball (EU) - Lets catch the glitch Pokémon (Part 2: 0xA8-0xFF)

Evie (ChickasaurusGL) 🌺 2022-09-30 | Notes: It's a continuation to a video I did last year. ^^ Simply use GameShark code 01xx79D5, then catch a Pokémon, to load the Pokémon/glitch Pokémon in xx. This video shows the last 88, which get their names from Pokémon in another language. It then continues with an 00 Bulbasaur and 01 Ivysaur again (and curiously the Ivysaur is glitched).
youtube.com/watch?v=umgsNB6AQh8

Cheat-only curiosity if you try to obtain Elms aides Potions with full Bag (HeartGold/SoulSilver)

Evie (ChickasaurusGL) 🌺 2022-09-28 | Read description for more information:
If you cheat to try and receive Elm's aide's Potion with too many Potions (i.e. 999 in this video) after receiving the starter Pokémon at the beginning of the game, the game will interrupt you to tell you the bag is full, as expected. However, as the player moves again the script for Elm's aide to give you the Potion will occur once more for any of the coordinates where the script may normally occur, but the aide does not move back to his original position. This leads to him walking out of bounds from the left boundary.

Hold L+R to activate to receive 999 of every healing item (based on pokemoncoders.com/pokemon-heart-gold-cheats for HeartGold US version).

94000130 fcff0000
62111880 00000000
b2111880 00000000
d5000000 03E70011
c0000000 00000025
d6000000 00000b74
d4000000 00000001
d2000000 00000000

Text move (command 03) abuse example: Copying Mew from x21 quantity (Generation I)

Evie (ChickasaurusGL) 🌺 2022-09-28 | Read description for more information:
This glitch (in both Red/Blue and Yellow), was mentioned by luckytyphlosion here. tasvideos.org/5910S

Like connection copier, it is an arbitrary RAM modification glitch, enabling you to copy data into anywhere in memory (with the exception of bytes representing in-text control characters). We use a form of text pointer manipulation to spawn a text box using command 03 (an unused text command to copy data using the text engine).

I've written information on how to do this here https://glitchcity.wiki/Text_move_abuse

Reset SRAM glitch party count from 255 to 1 w/one withdraw+have MissingNo. as starter (Red/Blue)

Evie (ChickasaurusGL) 🌺 2022-09-23 | Read the description for more information:
Due to space, I've written the steps you need to do and linked to the Glitch City articles on them separately. I hope that's better as it's a lot of text otherwise.

Note that before this glitch, a different glitch was applied to the SRAM glitch by Krys3000 to receive any starter Pokémon. I suspect it's possible with the box breaker glitch also, but I haven't tried it yet.

https://glitchcity.wiki/International_fossil_conversion_glitch

Additionally, in the past (for specifically Red/Blue due to the wild appeared glitch) we'd have to either catch a Pokémon in Diglett's Cave (etc.) with wild appeared active to set the party count to 51 (Magmar) or theoretically 49 through 52 (which is a lot of Pokémon), or receive a gift Pokémon and withdraw it from the PC (such as Lapras, 19 Pokémon; or Eevee, 102 Pokémon etc.). This technique then works from the PC Pokémon method, using glitch box 15 (from box breaker glitch) to manipulate Rhydon into the Pokémon Storage System, and then withdraw it to get a party count of 1.

(At that point, you're free to take other Pokémon from glitch boxes to use as your 'starter Pokémon' as well. At present I don't have much data of the Pokémon inside the glitch boxes , except for this research https://glitchcity.wiki/Talk:Box_breaker_glitch )

Steps (reduce counter to 1):
1. Perform the SRAM glitch as usual, and swap Pokémon 2 with Pokémon 10. https://glitchcity.wiki/SRAM_glitch
2. Set up dry underflow glitch in the PC, with the help of a j. x255 stack and an Ether to secure three stacks with the x255 stack at the bottom. https://glitchcity.wiki/Dry_underflow_glitch
3. Find PC item 51's quantity, and change it to x14 (PC box 15, which doesn't normally exist)
https://glitchcity.wiki/Box_breaker_glitch
4. Use item 36's quantity to warp to Viridian City, by setting it to x1 and leaving your house.
5. Next, swap PC box 15 with itself. Some glitch text will appear, but fortunately it will eventually close and the game will not freeze.
6. Before doing anythig else, from your bag flash Professor Oak's 'this item can't be used right now' message (this is to avoid a potential freeze from unterminated Pokémon names).
7. Withdraw the second Pokémon in PC box 15 which should be a Rhydon. As Rhydon's index number is 1 and the party counter is 255, this confuses the game setting the number of Pokémon to the index number (1). Withdrawing other Pokémon will set the party counter to different amounts.

Steps (MissingNo. as the starter):

8. Continuing on from before, from box 15 withdraw the first Pokémon, which should be MissingNo. (0x3E), with some moves it can't normally learn such as Cut and glitch moves. If it becomes a very high level, you may want to fix its disobedience. Also it may have a status ailment.
9. Warp to Pallet Town, and walk near the top-right corner (when you open the menu, the bush should be visible); this reduces potential lag from glitch item names in the menu.
10. Scroll down to find Rare Candies, and give them to MissingNo. until it is Level 5 (etc.)
11. Finally, if you want to carry on the story; walk into the tall grass as usual and beat Blue with MissingNo. Then, receiving the Potion on Route 1 will overflow your bag count from 255 to 0. From there on, receiving Oak's Parcel will register it in the bag correctly (with a count of 1 item) and you can give it to Professor Oak and continue the story.
12. If you ever need the expanded bag (non-PC) again, set up dry underflow glitch in the bag again, using a x255 retrieved from the stored PC items.

See also:
https://glitchcity.wiki/Expanded_bag_item_documentation_(Generation_I)
https://glitchcity.wiki/Expanded_PC_item_documentation_(Generation_I)

Berry trees can give non-Berry items (Generation II version) (short)

Evie (ChickasaurusGL) 🌺 2022-09-22 | Read description for more information:
A very long time ago, bigsupes made this GameShark code for Pokémon Gold and Silver to turn Berry trees into item trees; 01??2ACF . Earlier, I tried to lock CF2A with arbitrary code execution, but unfortunately currently it seems the GameShark code is still the only way.

https://glitchcity.wiki/Pok%C3%A9mon_Gold_and_Silver_GameShark_codes

Also someone made this code for GameShark UBB, and you have to carefully use it in a specific way to avoid a loop.

"The Ever-Giving Fruit Tree (Author was known, but name was lost and post has since been
deleted on GameShark UBB)
912E61D1
Note: To use this code, walk up to a tree and talk to it. Make sure the switch is off. When
the message says "It's a fruit-bearing tree", turn the GameShark on then off. Repeat to
gather more berries. "

While in the GCRI Discord, I noticed someone had done this for Generation IV, so later I may show a video of non-Berry trees there (and try to do it in Generation III too).

Another Shiny wild Pokémon glitch, w original species (Pokémon Gold/Silver TM/HM pocket) (request)

Evie (ChickasaurusGL) 🌺 2022-09-22 | Read description for more information:

This is a request from DricoPlaysPokemon (their channel youtube.com/channel/UCSMMyPJQQDx94ILlysYefgw ) ^^. It only makes wild Pokémon Shiny, without setting the species at the same time (the earlier one was used to get a specific wild Pokémon Shiny such as Celebi).

In order to get this to work, from the original Coin Case arbitrary code execution glitch, you'll need to set up TM/HM pocket quantity execution introduced in my earlier video. It requires following the steps to obtain TM17 and then Quagsire with Lucky Egg and Attract as the first move.

youtube.com/watch?v=Q2D-VuTwRfc

I've updated the Glitch City wiki article with more information on this:

https://glitchcity.wiki/Coin_Case_glitches#Arbitrary_code_execution_exploits_summary

From TM01 through TM19 you'll need these quantities

33 139 255 62 213 50 62 139 50 62 195 50 201 62 7 234 25 209 201

After setting up x255 of every TM/HM in the TM/HM pocket, 255-n is the number you'll need to sell, so sell 222 (255-33) to get 33 as the TM01 quantity, etc.

(I did this in the TM/HM pocket, because it's easier to code that way; you can write in GBZ80 then use the byte representations of your code for the TM/HM quantities unchanged.)

Mobile command 15 08 as the player name mystery (Pokémon Crystal JP)

Evie (ChickasaurusGL) 🌺 2022-09-22 | When you force the Mobile System GB mobile script 15 08 as the player name, the game will end up printing a number near the bottom-right corner of the screen. Curiously, the value varies as you walk around.

This function Function17f2cb has been dissambled as such:
github.com/pret/pokecrystal/blob/0f5540740bb494cfc6a5c724a2eeac4e064e9659/mobile/mobile_5f.asm

pop hl
push bc
ld a, [hli]
ld [wcd54], a
ld a, [hli]
ld [wcd55], a
ld a, [wcd2e]
inc a
ld [wcd56], a
pop bc
push hl
ld l, c
ld h, b
push hl
ld de, wcd56
ld b, $1
ld a, [wcd54]
ld c, a
call MobilePrintNum
ld a, l
ld [wcd52], a
ld a, h
ld [wcd53], a
pop hl
ld a, [wcd55]
call Function17f50f
pop de
and a
ret

https://glitchcity.wiki/Mobile_script

Reduce the expanded party count in the SRAM glitch from 255 to 3 (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-09-22 | Notes: This is an old trick from years ago that I couldn't find an existing video of already, so here it is. ^^

Step 1: Perform the SRAM glitch https://glitchcity.wiki/SRAM_glitch
Step 2: Swap one of the top Pokémon (Pokémon 3 in this video) with Pokémon 36 (a trick found by someone a long time ago, I think my friend blaphy) to warp to the Safari Zone.
Step 3; optional step, swap Pokémon 2 with Pokémon 10 to get the expanded bag of 255 items https://glitchcity.wiki/Expanded_bag_item_documentation_(Generation_I)
Step 4: Enter the Safari Zone
Step 5: Catch Nidoran♂; the party count is changed to 3, which is the same as Nidoran♂'s index number. Catching other Pokémon will set the party count to that value. I forgot who found this, but I remember trying it with another friend Golderzoa.
Step 6 (optional): Catch a normal Pokémon from the expanded inventory, view HM04 to adjust a buffer (to avoid a freeze when depositing the remaining unterminated name glitch Pokémon), then deposit and release the last three glitch Pokémon.

This doesn't quite work in Pokémon Red and Blue, because displaying the player's belt causes the wild appeared glitch; corrupting the enemy Pokémon to Magmar, Golem, MissingNo. 0x32 or MissingNo. 0x33. In Pokémon Yellow, it doesn't show the player's belt in the Safari Zone, hence doesn't corrupt the enemy Pokémon.

Your best bets for Red/Blue is catching the Magmar etc. in Diglett's Cave (which is still 51-54 Pokémon) and probably receiving gift Pokémon Lapras (19 Pokémon).

Unlock Mobile System GB +get (unredeemable) Egg Ticket, Battle Tower w/ACE (Crystal JP) (request)

Evie (ChickasaurusGL) 🌺 2022-09-12 | More information in the description:
This was a request from ただのザングース youtube.com/channel/UCLOvC-NXtu5SxNs4QBwsXlg

Later in the pinned comment I'll link to a save file with it already set up as well.

Setting the following bytes in the Japanese Pokémon Crystal save file will make the game think you've linked the Mobile Adapter peripheral with Mobile Trainer/Pokémon Crystal and set up the (now long defunct) Mobile System GB. There are bound to be glitchy side effects as you didn't properly link a Mobile GB Adapter, but it at least unlocks the modes.

4:b000 fe
7:a800 01

In offsets, these are offset 0x9000 (which must be FE) and 0xE800 (which must be 01) of the save file respectively, so simply modifying these bytes in the save file with a hex editor will do the same.

Using arbitrary code execution, you can do the steps in this video but use different box name codes for TM15:

youtube.com/watch?v=ZL-fcIM4zLI

Namely, use these box names first;

Box 4: ぼガがパぜパべ
Box 5: づぼぜがゼづがィ
Box 6: ぜガずずずずず
Box 7: ぼガべべべべべべ
Box 8: べづの
Box 9: (any will do but we left it as アアアアアアアア)

Now use the TM15 you set up by following the above video. The effects are invisible, but we just set 4:b000 in the save file to FE.

Next, for the old box names, keep them the same except

i. For box 4 change the ガ to ゲ.
ii. For box 5 change the ィ to ロ.
ii. For box 7 change the ガ to ゲ.

Now use the TM15. Again the effects are invisible, but we just set 7:A800 in the save file to 01.

Now save and reset the game, and it will show the Mobile System GB splash screen, prompt you to enter your Mobile Profile data, change the PokéCom Center music/unlock it, let you redeem the Egg Ticket from the Day Care couple, and unlock the Battle Tower.

However, you won't be able to redeem the Egg Ticket anymore; because most of the Odd Egg information in Japanese Crystal was from the server. However, the group REON has been working on reverse engineering and reimplementing the Mobile GB features. There is a repositary here. github.com/Incineroar/MobileAdapterGB

For that approach, use BGB emulator and the Mobile Trainer ROM (Mobile Trainer is the firmware cartridge for Mobile GB Adapter). Select "Link" then "Listen" with the default port in the settings. Then download the repositary, set command prompt to the directory of the repositary you downloaded (using cd), then run the Python script and configure the Mobile Adapter with any settings you want (it doesn't matter if you're not using an external server), then when you run Pokémon Crystal JP that will modify the save file with your Mobile Adapter settings too.

Cable Club Link Battle desynchronisation caused by two leading ????? (FF) in the party (Gold/Silver)

Evie (ChickasaurusGL) 🌺 2022-09-12 | ????? causes corruption to regions close to D000 in WRAM. For that reason, battling one usually results in the game hanging on the "Waiting..." message even if you're not in a Link Battle. However, if you send these into a link battle they give side effects of their own, including in this case a desync where the opponent's side becomes glitched and the game thinks ????? used Spark even if it isn't in its moveset. We're also able to cause freezes if we continue battling or run away. At the moment this video is empirical only, but maybe if this is researched better we can find ways to exploit it.

Placeholder OT/Trainer ID data within Odd Egg before hatching it (Crystal) (+how normal Eggs apply)

Evie (ChickasaurusGL) 🌺 2022-09-12 | More information in the description:

I learned about this from the user RationalPsycho on the GCRI Discord and bbbbbbbbba later pointed to this relevant code in the Pokémon Crystal disassembly project. I decided to check how this applies to other languages as well, which use different placeholder OT names.

github.com/pret/pokecrystal/blob/51bfd31ea82dbe45220f791eabf1b5bd9edf2e0a/engine/events/odd_egg.asm#L80-L84

When you receive the Odd Egg gift, there is some placeholder OT and Trainer ID data within the Egg before it actually hatches (and the data is replaced with the player's OT and Trainer ID). We can't normally see the OT/Trainer ID data in an Egg before it hatches. Note in this video I change the donor species to Pokémon that aren't normally in the Odd Egg (such as to Jolteon), to remove the Egg (0xFD) part of its species, however the OT/ID data is unmodified.

The Trainer IDs seem to be simple single or double digit IDs based on the contents of the Egg (such as 00001 or 00010), and as for the Trainer OT, it will vary based on the language of the game:

English: ODD
French: BIZAR
German: Kurios
Spanish: Raro
Italian: Strano
Japanese: な (unverified but based on this thread by Háčky archives.glitchcity.info/forums/board-76/thread-7509/page-0.html )

Using a Generation II variation of the Pokémon merge glitch, you can 'prematurely' hatch them without a cheating device, but the Pokémon will usually be a hybrid between the original Pokémon inside and the donor;

youtube.com/watch?v=KPiJStUldjI

Set up:

Two Pokémon
????? (0xFF)
Donor Pokémon (any)
Recipient Pokémon (Odd Egg)

;Then when you deposit the top Pokémon, the Odd Egg will turn into a hybrid between the donor Pokémon and the original Pokémon in the Odd Egg
(but you could probably use the actual Pokémon within the Odd Egg as the donor, to create a non-hybrid).

Another case applies to Togepi Eggs and Eggs received through breeding. Unlike the Odd Eggs, the Trainer OT and ID matches the player within the Egg but the game doesn't know the gender of the Trainer that owns the Egg until it actually hatches (hence in this video EVIE (no symbol) becomes EVIE (♀).

Additional steps to Event Mew from beginning of the game glitch to make it Shiny (Yellow) (request)

Evie (ChickasaurusGL) 🌺 2022-08-28 | These steps are explained here.
pastebin.com/Eib2Pnha

This glitch is an extension of an earlier glitch I put together in 2019. youtube.com/watch?v=RrfAzewhLW4

The Shiny DVs (8, 15, 10, 10 ,10 ) would have given stats (HP, Atk, Def, Speed, Special): 326, 235, 225, 225, 255 at Level 100, however the stats are slightly higher because we defeated a Level 2 Rattata after switching.

Arbitrary code execution with Trainer 0xFF (0x37) (Generation I /JP Blue) (ポケモン青のトレーナーFF任意のコード実行 )

Evie (ChickasaurusGL) 🌺 2022-08-28 | Before you try this, some required preparations are in the description.

At present, this glitch is difficult to set up; the stat experiences for the preparations were set up in advance using a memory editor. This glitch also uses the ZZAZZ glitch (ハハバグ) from Trainer 0xFF (0x37), so be warned without a proper name, your name will be unterminated and saving the game will destroy it (as in the video).

Description:

Trainer class FF/255 (effective Trainer class 55) will run arbitrary code execution at D5E5h after switching Pokémon (this address is beyond the range of the stored PC items). The cause is possibly due to an invalid Trainer AI. According to TheZZAZZGlitch, Trainers have two sets of AI; the move modification AI which is intended to control the choice of moves, and another that controls behavior every turn.

This arbitrary code execution also applies to Red/Green/Pikachu (Yellow) and the English Red, Yellow (same pointer D5E5), but the rest of the steps for set up may differ, especially for the English versions.

When you elapse a turn with Trainer FF (255/effective class 55), you'll then need to then bootstrap arbitrary code execution from D5E5, to elsewhere such as your PC items slot 1 (D4BA). Sometimes throwing a Ball won't work; you have to switch Pokémon.

In order for D5E5 to read jp D4BA, a Select glitch (with cursor position 28 and Pokémon) is used to write to D5E5.

Next, the following items at PC items slot 1 are used to run the Hall of Fame (thanks Wack0 for the original code):

Awakening x 22
Carbos x126
X Accuracy x 41
X Attack x 64
TM05 x 54
Max Revive x201

ld c,$16
ld h,$7e
ld l,$29
ld b,c
ld b,b
call $3636
ret

Then, we use the Trainer mutation glitch (cursor position 20 with Pokémon) to battle Trainer FF by altering an existing Trainer on the route. Note this may corrupt your inventory items, which is why we used PC items.

Preparations and steps:

In order to earn stat experience (EVs), you'll need to battle the right Pokémon (to gain its base stats as your stat experience) and then you'll need to apply specific EVs to two Pokémon:

bulbapedia.bulbagarden.net/wiki/List_of_Pok%C3%A9mon_by_base_stats_(Generation_I)

1. Pokémon 2's Defense stat experience must be 255 (or the same modulo 256, so 511, 767, 1023, etc also work) (preferably max out all its stat experience) (its Defense stat exp address is D16D)
2. Pokémon 3's Defense stat experience must be 195 (or the same modulo 256, 451, 707, 963, etc also work) (C3/jp) (its Defense stat exp address is D199)
3. Pokémon 3's Speed stat experience must equal exactly 47828 (BAD4) (its Speed stat exp addresses are D16E-D16F)
4. You'll need the expanded inventory. See https://glitchcity.wiki/Walk_through_walls_glitch_(Select_glitch_method) (there is a bug with the YouTube links, so you'll have to add the right bracket back to the URL)
5. The left-most Hiker on Route 10 should not be beaten.

Step 1. Start at Lavender Town and perform Select glitch 28 with Pokémon 3 (the Charizard/Lizardon in this video), using the Name Rater.

Step 2. Walk up to Route 10. Perform the Select glitch 20 with Pokémon 2 via facing a Trainer, but not the left-most Hiker. (Pokémon 2 is Electrode/マルマイン in this video).

Step 3. Face the left-most Hiker. They will become glitch Trainer class 255 (55). Then switch Pokémon to run your script at PC items slot 1 (we previously bootstrapped what the code to do (jump to PC items slot 1) with the Pokémon in the second and third preparation). The script above is to run the Hall of Fame.

Instead off using the Trainer mutation glitch, you could possibly use another glitch such as the Trainer-escape glitch with a Special of 255 instead.

Japanese description coming soon.

ThunderBadge (0x62) arbitrary code execution (かみなりバッヂの任意のコード実行) (Red/Green/Blue JP) (赤/緑/青)

Evie (ChickasaurusGL) 🌺 2022-08-24 | 日本語 :

ここを参照です。

twitter.com/Alice_177_/status/1562220212321230848

1. 「かみなりバッヂ」(62h) を取得します ( 闇ショップバグ ? , セレクトバグ, 拡張されたプレーヤーのどうぐ) ( 等 ))。

2. プレイヤー名 (ASM)でどうぐを使用です。

例: アてルめ (add b jp D2A6) (どうぐのアイテム3です)。

参照「てへ」(7Bh): youtube.com/watch?v=B1E4msXNaYY

3. D0E1~D11D コードがプレーヤーの名前から悪用される前に、これらのアドレスの内容は安全でなければなりません。マサラタウンの自宅から再スタートです。成功は運次第です (事前に内容を知らなければ)。

日本の『ポケットモンスター青』も D0E1 をコードとして実行することに注意してください。ただし、日本語『ピカチュウ』バージョンの機能は異なります。プログラムカウンターはリビジョン(Rev0～Rev3)によって異なるようです。

English:
This subject was raised by my friend Alice, the owner of the Pokémon blog (including glitches) Wonderland Seeker.
alice-wreath.hatenablog.com/entry/WonderlandSeeker

Alice noted that the execution pointer of the ThunderBadge (0x62) (which runs 0xD0E1 in RAM) could possibly be exploited, so we looked into it together.

twitter.com/Alice_177_/status/1562220212321230848

We found a way to do it. This is just one potential method. Acquire the item (with a glitch such as with Yami Shop glitch(?), Select glitch, expanded inventory) and then you can make it read from the player's name, to bootstrap it to the inventory. For instance, having the name アてルめ will redirect to item 3. However, in order for this to work the game must span through D0E1~D11D without issues first. At a glance, you only have a chance of the glitch working when you restart at your house in Pallet Town, sometimes the game will freeze (possibly because the game wasn't able to reach D11D or you corrupted the stack, etc.) unless you knew the data in advance (and more research is perhaps needed regarding what these memory addresses correspond to).

Previously, the arbitrary code execution items in Japan have been restricted to items like ５かい (0x5A) or なかよしバッジ (0x67) or てヘ (0x7B). てヘ is similar to this glitch technique, because it relies on the player's name. The luck element is removed, but unlike かみなりバッヂ (0x62) you will have to watch the old man's catching demonstration in Viridian City if the wild encounter table (minus the encounter rate) doesn't match the player's name.

Note, Japanese Pokémon Blue also runs D0E1. However, Japanese Yellow functions differently. The execution pointer seems to vary based on the revision (Rev 0~Rev 3).

How to get Shiny Treecko (+theoretically others) w/Game Boy mark guide (Generation II+)

Evie (ChickasaurusGL) 🌺 2022-08-22 | Instructions in the description:

Earlier this month, my friend Alm pointed me to a recent Reddit thread by ccSleepy telling you how to get Shiny Game Boy mark Treecko. You can get it through that method on the r/PokémonGlitches reddit. ^^

I don't support hacking Pokémon to use in later generations online, but this may interest some.

reddit.com/r/PokemonGlitches/comments/w0xt9y/my_new_favorite_pok%C3%A9mon/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

I decided to make my own method as well, which this video shows and below. I've only tested it with Treecko so far, but it may work for Grovyle (but I'm not sure because its ID is Egg) and Sceptile (254) as well. I'm also not sure about Torchic because 255 is the Cancel button (furthermore it can't learn Absorb). I haven't tested 0 either.

If you want to test others, replace step 7's TM/HM pocket TM 18 and TM 35 quantities from 252 (????? 0xFC) to 254, (and 253, 255 or 0 but they're less likely to work).

If you want to remove the Shininess, you could try setting TM27 and TM30 quantities to 0 (selling them all), which will give the lowest possible DVs.

If you want to change Absorb to another move, change TM22's quantity from 71 (Absorb) to your desired move with another decimal index number from here https://glitchcity.wiki/The_Big_HEX_List

1. Use the Coin Case glitch (slot 3 slide Pokémon, Quagsire holding TM02 w/Return (via TM27) as move 1 set up in slot 4) to get TM17 outside of the TM/HM pocket in item slot 1 (note the item there will be overwritten, so make sure it isn't valuable). To do the Coin Case glitch, read here https://glitchcity.wiki/Coin_Case_glitch

As documented by Crystal_, working box names for this are:

1. Ap0'déy♀Pk
2. 'v't'véé'l2h
3. 'd'd2'v9.9't
4. é?2hhhhh
5. h'm♀♀

2. Next, write the following box names I made.

1. Ap09'vB55
2. éy♀'d
3+ (Leave unchanged)

3. Move the slide Pokémon to slot 1 and the Quagsire to slot 2. Move TM17 to item slot 2 and put another item you don't need in slot 1. Use TM17 (where it is in the inventory doesn't matter as long as it's outside of the TM/HM pocket) to now get a Lucky Egg in item slot 1. Keep both the Lucky Egg and TM17s.

4. Next, write the following box names I made.

1: Ap'vCé225
2: 'vj'vué125
3: 'v.é52p'v9
4: é42pé625
5: 'vué82'v 5 (there is a space after the 'v and before the 5)
6: é72'v:é92
7: 09♀5♀555
8: 555555x'd (regular x not multiply sign)

5. Keep the party as it was, and use the wrong pocket TM17. You should now have x255 of every TM (and possibly HM but I forgot sorry).

6. Now we'll need to use a different Quagsire in the same slot. If you only have one Quagsire, sell all your TM02 so you can take its item, then replace its held TM02 with Lucky Egg, and Return (move 1) with Attract (move 1) via TM45.

7. Next, with the modified/new Quagsire you'll want to sell TMs in your (glitched) TM/HM pockets to spell out a new code with TM quantities; as such:
1: 1 (-254)
2: 1 (-254)
3: 255 (-0)
4: 62 (-193)
5: 1 (-254)
6: 234 (-21)
7: 0 (-255)
8: 64 (-191)
9: 62 (-193)
10: 10 (-245)
11: 234 (-21)
12: 0 (-255)
13: 0 (-255)
14: 33 (-222)
15: 130 (-125)
16: 173 (-82)
17: 62 (-193)
18: 252 (-3)
19: 34 (-221)
20: 44 (-211)
21: 62 (-193)
22: 71 (-184)
23: 34 (-221)
24: 46 (-209)
25: 151 (-104)
26: 62 (-193)
27: 250 (-5)
28: 34 (-221)
29: 62 (-193)
30: 170 (-85)
31: 34 (-221)
32: 46 (-209)
33: 109 (-146)
34: 62 (-193)
35: 252 (-3)
36: 34 (-221)
37: 201 (-54)

0101FF3E01EA00403E0AEA00002182AD3EFC222C3E47222E973EFA223EAA222E6D3EFC22C9

Note: Whenever you exceed x99, the new left digit is what is expected, just with a glitch tile. It's good to count how many times the right d-pad (+multiple of 10) is pressed at that point)

Unlike the Reddit method, this version modifies slot 1 in the box directly, instead of modifying the party and you having to use move Pokémon without mail to get it in there.

8. Have a specific Pokémon in box 1 slot 1 with only one move. In this case, we chose Unown. Maybe it has to be below Level 101 and not Level 0. Its nickname won't be updated, so you might want to name that Pokémon TREECKO as a nickname.

In slot 2, have any other Pokémon. I'm not sure if the rest of the box matters, but in case it does avoid corruption (as the Reddit post mentioned corruption on the Game Boy game after the transfer) have slot 3 and below empty. Save at this point.

9. Use TM17 (slide Pokémon slot 1, Quagsire with Lucky Egg and Attract as first move in slot 2) and if everything is correct, that Pokémon will become the glitch Pokémon ????? 0xFC (Shiny) and its first move will be replaced with Absorb, because Treecko can learn Absorb.
Note 2: This code opens a locked part of the save file to write to boxes, but it probably doesn't matter if you immediately reset or save normally proceed.

10. You can now transfer the Pokémon using Poké Transporter and Pokémon Bank, Pokémon Home as usual.

The variation in Indigo Plateau signs, inaccessible signs and the unused message (Generation I)

Evie (ChickasaurusGL) 🌺 2022-07-28 | Notes: Some of the Indigo Plateau signs say "INDIGO PLATEAU The highest authority POKéMON LEAGUE HQ" and others say "INDIGO PLATEAU The ultimate goal of trainers" POKéMON LEAGUE HQ". Furthermore, you can interact with signs even if it would require walk through walls (signs in between other signs and the non-Rhydon like signs left and right of the signs; bringing up one of these messages). Weird huh? :]

Note though it gets stranger. Of the 'walk through walls only' signs, (on the left and right statues) four 'Rhydon statues' south of the Pokémon League doors are particularly special, because their message is unique; just "INDIGO PLATEAU POKéMON LEAGUE HQ" in a single text box. It's also apparent they were stored differently to the rest? but I don't know more on that at the moment sorry. :( (it isn't read from wMapTextPtr beforehand so it is like a genuine sign) You can observe this in Extra Tricky's PokéWorld map project. ^^ extratricky.com/pokeworld/rb/1#178,273 (however sadly at present rolling the mouse over it doesn't bring up the sign text).

This behaviour was seemingly untouched in Pokémon Yellow (the two "INDIGO PLATEAU POKéMON LEAGUE HQ" signs also remain) but I don't know if anything was changed.

In Japanese Red v1.0, these curiosities apply also, and the messages are:

ここは　セキエイ　こうげん　ポケモンの　さいこう　きかん　ポケモン　リーグ　ほんぶ

('Highest authority message')

ここは　セキエイ　こうげん　ポケモン　トレーナの　ちょうてん！　ポケモン　リーグ　ほんぶ

('Ultimate goal of Trainers message')

セキエイこうげん　ポケモンリーグ　ほんぶ

(Unused message from those two inaccessible signs, and is essentially the same; Sekiei Plateau Pokémon League Headquarters)

The Poké Seer only reports caught origin levels modulo 64 (Pokémon Crystal)

Evie (ChickasaurusGL) 🌺 2022-07-14 | Notes: If you were to catch a Pokémon greater than level 63, the reported levels at the Poké Seer would wrap around. Using arbitrary code execution to make the game think we're in a glitch map (I changed a location byte, probably the group byte to 0xFF) let us catch a Level 222 Forretress. The seer however thinks we caught it at Level 30 (222 modulo 64).

This design flaw doesn't normally come in to play, because the highest level Pokémon (under normal circumstances) are Ho-Oh and Lugia (Level 60) in Pokémon Crystal.

Explanation: github.com/pret/pokecrystal/blob/master/docs/design_flaws.md

Route 15 binoculars tile corruption (at least Japanese Yellow)

Evie (ChickasaurusGL) 🌺 2022-07-14 | Notes: Go up the stairs of Route 15, walk straight up past the chairs one step below the right binoculars, walk directly left to the left binoculars, view Articuno and walk down. You may see some tile corruption in the black space outside of the map, however this glitch doesn't always work.

This glitch was documented in the Nintendo of America bug report notes from the 2020 Pokémon Yellow source code leak.

Oak catching demonstration transition depends on map connection+rival name slot 6 (Generation I)

Evie (ChickasaurusGL) 🌺 2022-07-14 | Notes: As Crystal_ has documented, a transition before battle is influenced in specific ways youtube.com/watch?v=YbDCXJ0xH2g

Namely, in this case the battle transition can be one of the below two (as it is not a Trainer battle or dungeon map).

Single circle (wild battle, no dungeon map, player's level +3 is less than or equal to enemy level) (if rival's name isn't less than 6 characters)
Double circle (wild battle, no dungeon map, player's level +3 is greater than enemy level) (if rival's name isn't greater than 6 characters)

A variation occurs when the Rival's name is greater than 5 characters (including hidden characters on pre-set names). This is due to the 'party Pokémon 12' beyond slot 6, which has its current HP byte 1 from Red/Blue $D350(?)/Yellow $D34F (counting as an active Pokémon with over 0 HP but actually rival name slot 6) and Red/Blue $D370(?)/Yellow $D36F (counting as Pokémon 12's level (the second level address in the structure), but actually the map's connection byte).
Source: github.com/pret/pokeyellow/blob/master/docs/bugs_and_glitches.md

Walking Pikachus water tile corruption (Pokémon Yellow JP)

Evie (ChickasaurusGL) 🌺 2022-07-14 | Notes: Chatting to Pikachu near the water many times will corrupt the water tiles. Doing this even more will corrupt them further.

Found from the Nintendo of America bug reports from the 2020 source code leaks.

Route 15 is not capitalised in a signpost (Pokémon Gold and Silver, fixed in Crystal)

Evie (ChickasaurusGL) 🌺 2022-07-14 | Notes:
Found here github.com/pret/pokegold/blob/master/docs/bugs_and_glitches.md#route-15-is-not-capitalized-in-a-signpost
This error was fixed in Pokémon Crystal.

Adding prototype beta Blaine back into the game with a glitched save file (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-06-25 | Notes: When Pokémon Red and Green were in development, Blaine had a different design (something you can even see in the manual archives.bulbagarden.net/wiki/File:Sugimori_Blaine.png ). Also Ken Sugimori released art of him and other cut characters once. twitter.com/helixchamber/status/1016520835958476800

A 2020 source code leak ( wiki.raregamingdump.ca/index.php/osrc.zip ) revealed more of this earlier Blaine's assets, such as his front sprite and the Trainer Card icon for when you don't have his badge (the latter wasn't on The Cutting Room Floor so I had to data-mine it from the source code from badge.dat then add it into the save myself). I got into the idea of 're-adding' prerelease things, so I decided to make yet another glitched Pokémon Yellow save file ^^ which 'adds' the prototype Blaine back into the game. Note in the case of the save file adding back the Trainer Card icon, it only properly displays for me on Game Boy Color mode (on Super Game Boy mode it's glitchy), so you might want to play it on Game Boy Color (not Super Game Boy).

I meant to merge it with Pokémon Yellow Special Clefairy save but that destroyed a lot of that save file's functionality (including the code to play its actual cry ; sometimes when immediately talking to Clefairy you can still hear the Clefairy sound clip I added in the chaos though, though it'll likely freeze the game) to save space. Also as usual sorry my code is buggy including a side effect of horrible artefacts on Pokémon back-sprites (like something out of a Creepypasta), and breaking the top part of Blaine's normal overworld sprite among other sprites, but hope you like this save anyway. :]

Note the game will freeze after actually defeating 'beta Blaine'/leaving the gym might break other things as well such as the Kris/Clefairy sprites I put in, so you have to reset the game and do it again.

I'll pin the save file in the comments as usual. ^^

Arbitrary code execution with a slower defrosted Pokémon (Generation I)

Evie (ChickasaurusGL) 🌺 2022-06-25 | Notes: This was very funny. xD I literally came across this accidentally with Blaine because I wanted to see the "Fire defrosted (POKéMON)!" message, but as soon as my Onix defrosted it started using move 0x00 (CoolTrainer), apparently because the game thought it had to auto-select a move (but one had never been chosen prior).

So I just set up X Accuracy to use the move and conditioned the right data at F928 (D928, one byte before opponent's Pokémon 4).

Blaine only has three Pokémon so this data isn't overwritten. If this is possible in a speedrun though, you'd need to plan to condition that data in some way (because outside of a speedrun you could encounter any Trainer you want beforehand, a link trainer, etc.). One idea might be specific data at D9AB (Trainer names for Pokémon), because in NPC battles it will just be copies of the player's name in succession.

Unused Pikachus expression ID test message (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-06-25 | Notes: This is an unused test message in Pokémon Yellow which displays "This expression is No. (x)". ^^ It remains in the final game at 28:4777.

It was used in a debug version (see tcrf.net/Proto:Pok%C3%A9mon_Yellow ) but unlike a lot of the debug features was carried over. In order to get the expression ID, the game reads D447, which is meant to be updated every time you speak to Pikachu (but if you wanted, you could modify it to manipulate the message).

In the Japanese versions, the message is "ナンバー　(x)　のひょうげんです！"

Using assembly, the following code will print the message.

ld b,28
ld hl,4777
call 3c4c
ret

(06 28 21 77 47 CD 4C 3C C9)

Changes in the behaviour of Poké Flute (with a sleeping party) outside of battle (Generations I-III)

Evie (ChickasaurusGL) 🌺 2022-06-24 | Notes: In Generation I, using the Poké Flute outside of battle with a sleeping Pokémon in the party doesn't actually do anything, returning the usual "Now, that's a catchy tune!" (Japanese: うーん！　すばらしい　ねいろだ！). In the Japanese versions of Yellow, this was curiously changed to "ポケモンのふえだ！　ねむったポケモンを　おこせるかも...", also appearing if none of the Pokémon are asleep.

As revealed from osrc.zip in the 2018-2020 Nintendo data leaks, a preliminary translation for the exclusive Japanese Yellow behaviour was meant to be "Sleeping Pokemon don't like this!" (even though literally it is like "It's a Poké Flute! I wonder if you can awaken sleeping Pokémon with this...", but this translation never made it into the final localisations, with the ordinary "Now that's a catchy tune!" still appearing. Nintendo of America brought it up as a bug for Pokémon Yellow, but it seems in the end you still couldn't awaken party Pokémon outside of battle with the Poké Flute in the localisations and the message was left as "Now, that's a catchy tune!".

(The exact report is as such and curiously the report also got the Japanese name of Poké Flute wrong (ポケフルート rather than ポケモンのふえ))
"
＃８：ポケフルートは戦いの外の眠りポケモンには通用しない。戦い
の外でそれを使用しようとすると、テキストメッセージ「眠っているポケモン
はこれが好きじゃない！(Sleeping Pokemon don't like this!)」が出る。
"

When Pokémon Gold and Silver were in development, item 0x38 (now a Teru-Sama) had the behaviour of a Poké Flute with functionality for waking up Pokémon outside of battle, playing the music and displaying "All sleeping POKéMON woke up." (Japanese: すべての　ポケモンがめをさました!) (and ignoring the "Played the POKé FLUTE. Now, that's a catchy tune!" message if any were asleep). This can be restored using a cheat code to bring back the Use option/'fix' the attributes of that Teru-Sama in the final game. The final game's Poké Flute only works from the Pokégear radio, but seemingly doesn't actually wake up any party Pokémon.

With the release of Pokémon FireRed and LeafGreen, the Poké Flute wakes up sleeping party Pokémon outside of battle and displays a different message "The POKé FLUTE awakened sleeping POKéMON." (Japanese: ふえのねを　きいた　ポケモンは　めを　さました) (note also the Japanese text uses the は particle instead of が and is missing a full stop or exclamation mark at the end).

Brief closing and reopening of the moves list (Pokémon Red/Green/Yellow JP)

Evie (ChickasaurusGL) 🌺 2022-06-24 | Notes: This is a very minor Japanese version only glitch. If you run out of PP on a move in battle, try to select it while holding down the A-Button, then close the message with a B-Button press sometimes for a very brief moment the menu is partially closed, revealing your Pokémon's normally hidden sprite again.

I tried it in all known revisions of Japanese Green and Japanese Yellow and got it to work, however, curiously I could never get it to work in Japanese Blue, leading me to believe it doesn't occur there.

Additionally, when the wave of Nintendo leaks occurred between 2018-2020, the "osrc.zip" archive included Nintendo of America's original bug reports for Pokémon Yellow. This was one of the glitches documented in those reports.

Ghost Bicycle glitch blackout method (Pokémon Red/Green/Blue/Yellow JP)

Evie (ChickasaurusGL) 🌺 2022-06-24 | Notes:
This glitch disables use of the Bicycle with the "You can't get off here." (おりることが　できない！) message even if the player isn't on Cycling Road. While you can do the same glitch in the English versions with another method (see https://glitchcity.wiki/Ghost_Bicycle_glitch ), this method is exclusive to the Japanese versions. It occurs in all known revisions of the Japanese versions, but was fixed in English Red/Blue/Yellow.

Additionally, when the wave of Nintendo leaks occurred between 2018-2020, the "osrc.zip" archive included Nintendo of America's original bug reports for Pokémon Yellow. This was one of the glitches documented in those reports.

PikaPicAnimGFX arbitrary code execution (Pokémon Yellow only)

Evie (ChickasaurusGL) 🌺 2022-06-21 | This is an arbitrary code execution exploit someone found from the subroutine CheckIfThereIsRoomForPikaPicAnimGFX.

Although I don't know if there is a way to do it naturally, you can ensure that it happens using another arbitrary code execution. Therefore, it is another access point from the Pikachu emotion box (similar to Pikachu glitch emote arbitrary code execution).

youtube.com/watch?v=q_T8aU35DZY
youtube.com/watch?v=nkxxAy7IYUA

In order to do that, I used 4F to lock the region at CC5C using OAM DMA hijacking with 16 0x55 bytes, and the region at CC6C with the bytes representing the arbitrary code execution. (cc5b is the wPikaPicUsedGFXCount). The arbitrary code execution then begins at CC6C, and I used it to load the instant encounter battle to Mew and push the OverworldLoop on to the stack; resulting in a stable (and catchable) Mew encounter.

At DA7F

3E55215CCC22222222222222222222222222222222216CCC3E3E223E15223EEA223E58223ED0223E21223E42223E02223EE5223EC922C9

At DA64

2182FF3EDA323E7F323EC332C9

Execute with 4F glitch item (FA64) on a platform that properly emulates Echo RAM.

github.com/pret/pokeyellow/blob/master/engine/pikachu/pikachu_pic_animation.asm

Explanation from the disassembly project:

CheckIfThereIsRoomForPikaPicAnimGFX:
; d: idx
; e: size
; FATAL: If the graphic has already been loaded, or if there are
; already 8 graphics objects loaded, the game will execute arbitrary
; code.
push bc
push hl
ld hl, wPikaPicUsedGFX
ld c, 8
.loop
ld a, [hl]
and a
jr z, .empty
cp d
jr z, .found
inc hl
inc hl
dec c
jr nz, .loop
scf
ret ; execute hl, then bc

.found
inc hl
ld a, [hl]
ret ; execute hl, then bc

.empty
ld [hl], d
inc hl
ld a, [wPikaPicUsedGFXCount]
add $80
ld [hl], a
ld a, [wPikaPicUsedGFXCount]
add e
ld [wPikaPicUsedGFXCount], a
cp $80
jr z, .okay
jr nc, .failed
.okay
ld a, [hl]
and a
jr .pop_ret

.failed
scf
.pop_ret
pop hl
pop bc
ret

Hall of Fame party menu pseudo-OAM buffer (CC5B) art creation exploit (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-06-19 | Hi ^^, enjoy another silly video because why not! :D If you like, check out the other three today. :]
Thanks MercenaryCorruptionVT for the thumbnail!

In a nutshell, drawing the party Pokémon menu sprites assumes that 0xFF (end of list) is not at the top of the menu; otherwise the game will update the menu sprites based on your Pokémon and in a specific layout, as expected.
However, there is a quirk if you place 'M (FF)/Q (FF) at the top (this also applies to the Japanese versions, where the earliest known way to access such a party is with the empty party glitch; where you try to use your Potion from the PC without ever getting a Pokémon).

Typically, you may not notice any garbage OAM sprites, but performing a number of actions directly before viewing the party will corrupt it or sometimes 'fix' a corruption (even if all of the OAM sprites are off screen); such as (unexhaustive list)
1. Viewing the Trainer Card (badges influence the OAM sprites).
2. Viewing the Hall of Fame (Pokémon influence it).
3. Accessing an elevator list.
4. Having the S.S. Anne set sail (actual visual event, not NPC message).

(Really anything that touches CC5B but it's possible some of these may be overwritten at an intermediate stage)

00:cc5b wBoostExpByExpAll
00:cc5b wHallOfFame
00:cc5b wFilteredBagItems
00:cc5b wNPCMovementDirections
00:cc5b wDexRatingNumMonsSeen
00:cc5b wVermilionDockTileMapBuffer
00:cc5b wMonPartySpritesSavedOAM
00:cc5b wUnusedCC5B
00:cc5b wTrainerCardBlkPacket
00:cc5b wPikaPicUsedGFXCount
00:cc5b wElevatorWarpMaps
00:cc5b wSlotMachineSevenAndBarModeChance
00:cc5b wAnimationType
00:cc5b wOaksAideRewardItemName

I tried looking for the most powerful, and a relatively viable way is by viewing a page of the Hall of Fame. I edited my save file for specific Hall of Fame data.

A599 (corresponding to certain Pokémon in the Hall of Fame)

ffffff

(The first OAM entry second-fourth, but the first byte (y-coordinate) is written as 0xD2 for some reason (on hindsight maybe that was the contents of A598?), so we 'dummy-out' the rest of this entry with three FF).

A59C (corresponding to certain Pokémon in the Hall of Fame)

101087011018880110284C0110304D0118284E0118304F0112386801124069011A386A011A406B0118109C0118189F01

(The OAM data displaying "Hi :]" and Clefairy, Pikachu at those exact coordinates on the screen).
Note that when you move the cursor, the game will still attempt to animate sprites (based on the Pokémon's remaining HP) by adding 0x40 to the sprite entry after few moments.

Receiving the Cerulean City Bulbasaur happiness gift, even though we never received Pikachu (Yellow)

Evie (ChickasaurusGL) 🌺 2022-06-19 | When you start a new game, the happiness (used for the starter/walking Pikachu) value is 90. This is still the case even after performing the 255 Pokémon glitch. https://glitchcity.wiki/255_Pok%C3%A9mon_glitch_(Generation_I)

Interestingly, I remember reading the NPC at Cerulean City will give Bulbasaur if the happiness is 147 or higher if Pikachu is not in the game (and as confirmed here; even if Pikachu was never in the game to begin with; the latter is impossible without glitches).

The 255 Pokémon glitch is an exception that lets you warp to Cerulean City without Pikachu via a Pokémon swap enabling the expanded inventory, then adjusting the expanded inventory (e.g. the item 36 quantity 'exit'). Furthermore, because the top Pokémon have lots of 255 bytes, and the expanded party does map later on to D46F (happiness) https://glitchcity.wiki/Expanded_party you can manipulate the happiness with a Pokémon 18 swap; giving you 255 happiness (for the walking Pikachu/shared with any walking Pikachu if more than one, even though none has ever existed in the game).

Giovanni door soft-locking (similar to Cinnabar Island Blaine Door) Dokokashira door glitch (RG JP)

Evie (ChickasaurusGL) 🌺 2022-06-19 | This is just a route to trap yourself outside of Viridian Gym using the block corruption caused by dokokashira door glitch. ^^ Note by the time I got to Viridian City, I may have been able to do this earlier, but left the emulator on turbo speed (corrected to regular speed by the video) and walked more than I should have. Note this may also work the same on Japanese Blue or with a modification (where the base dokokashira door glitch/Select glitch also works).

Unlike this https://glitchcity.wiki/Infinite_Blaine_Door - the soft-lock is actually infinite because the other involved an NPC that could later move out of the way, but in this case the map block has changed to be impassable by the time you access the door, and four steps are required to change it (but you can't make extra steps at that point).

Another infamous soft-lock is the one in Pallet Town grass with the lady https://glitchcity.wiki/Get_stuck_in_a_wall . Another similar example involves the Cinnabar Pokémon Mansion. https://glitchcity.wiki/Trapped_in_Pok%C3%A9mon_Mansion_oversight

Addendum to empty party glitch (Trainer Card flashing) (Red/Green)

Evie (ChickasaurusGL) 🌺 2022-06-19 | When you perform the empty party glitch in Red/Green (involving using the Potion at the beginning of the game with no Pokémon), typically it won't show any Pokémon. However, viewing the Trainer Card (depending on the obtained badges) will bring up some corrupted OAM menu sprites, because the CC5B buffer was previously overwritten (Trainer Card packet data in this case).

This also applies to any party with the 0xFF Pokémon on top (also including the English versions' 'M (FF)/Q (FF); as this is technically the case at the beginning of the game; just with 0 Pokémon. ^^

Pokémon Green (Japan) - Reverse Badge Acquisition proof-of-concept route

Evie (ChickasaurusGL) 🌺 2022-06-07 | Notes:
(Please note this video has some flashing lights if sensitive to them from the Hyper Beam animation)
This is a LOTAD (Low-Optimised Tool Assisted Demo), especially later on where I backtrack with Jack/Rival's effect instead of warping for fun. ^^ Although this video is over 2 hours long, with modifications to this route and better execution it should be possible to do it much faster. Additionally, where some of these glitches seem unintuitive (without learning the expanded inventory), I'm sure there are some even less intuitive glitches which could save time. Furthermore, I banned arbitrary code execution for this challenge, but that could definitely save time.

I'm unsure if this deviates from any speedrun rules somewhere, though the concept is you have to earn all 8 Badges in backwards order, so Giovanni, then Blaine, and so on. In this video I do the Elite Four first. This is the one time I break some sort of Trainer order, as the Elite Four and Champion are fought in order because I didn't want to do Champion Blue first (with if I remember, because there might be a flag preventing you from battling him without defeating the others - why you don't battle Blue in dokokashira door glitch?).

The Reverse Badge Acquisition concept is a concept which has existed before (and a few speedrunners will know about it like Shenanigans; famous for glitched 151), and I remember Golderzoa was one of the earliest runners for Reverse Badge Acquisition before it become a little more popular(?), but not sure if it's been done for Red/Green before. I got inspired to run this thanks to two videos by Dobbs and Johnstone but for the English versions. youtube.com/watch?v=T4dbmMd9p7I youtube.com/watch?v=InJbog7tJMM

Change Fossil/Ghost MissingNo. base stats/header to all 255 arbitrary code execution (Generation I)

Evie (ChickasaurusGL) 🌺 2022-06-05 | Notes: Fossil/Ghost MissingNo.'s base stat attributes (a structure with lots of data, but not level up data, etc., however you can change its TM/HM learnpool) aren't updated like other Pokémon, the data stored there can based on what was last stored in memory. This is unless you modified one of the memory addresses below (with wMonHBaseHP being base HP and so on). In the previous video, I made it match a party Pokémon, but with arbitrary code execution you can set it to anything you like. ^-^
youtube.com/watch?v=JnwN-uIVliA

(In fact, there might be some non-ACE glitches to touch those addresses, meaning normally unavailable base stats may be available with other non-ACE glitches. I haven't confirmed this at present though.)

Change base stats/structure data (with MissingNo. as the only Pokémon in the party):

ld a,xx (where x is your desired base stat in hexadecimal - note the front sprite however will be Ghost/Fossil)
ld (xxyy),a (opposite byte order in actuality when writing it with opcodes and operands; 21 yy xx)
ret

where xxyy is..

00:d0b7 wMonHIndex
00:d0b7 wMonHeader
00:d0b8 wMonHBaseHP
00:d0b9 wMonHBaseAttack
00:d0ba wMonHBaseDefense
00:d0bb wMonHBaseSpeed
00:d0bc wMonHBaseSpecial
00:d0bd wMonHType1
00:d0bd wMonHTypes
00:d0be wMonHType2
00:d0bf wMonHCatchRate
00:d0c0 wMonHBaseEXP
00:d0c1 wMonHSpriteDim
00:d0c2 wMonHFrontSprite
00:d0c4 wMonHBackSprite
00:d0c6 wMonHMoves
00:d0ca wMonHGrowthRate
00:d0cb wMonHLearnset
00:d0d3 wMonHeaderEnd

(Addresses are +1 in Red/Blue)

Encounter Fossil/Ghost MissingNo. (to do this quickly, I used ws m, otherwise you can use the Trainer escape glitch/Trainer Fly/Ditto glitch):

ld a,xx (B6, B7, B8)
ld (d058),a (d059 for Red/Blue)
ret

Port of the lost Test Fight debug menu to a Pokémon Yellow save file with ws m (0x63)

Evie (ChickasaurusGL) 🌺 2022-06-04 | Notes: Now you can access the Test Fight debug menu without access to the debug ROM. :] ^-^

I'll add the save file shortly.

I added a few minor modifications to the code, to fix some bugs when I was trying my below method, to fix the mojibake (garbled text), and removed the function that alters the battle menu and makes all your moves Pound (because I feel it's better to use your own moves). Also, it corrupted my party, so I edited the code to fix that. I changed it not to give you the set items x99 because that would destroy your inventory and remove ws m.

This is how you can do it.

1. If you don't have the ROM, you can build it from the Pokémon Yellow disassembly with the instructions on github.com/pret/pokeyellow/blob/14555dde3618a7f2b8a4ce054f321fb9b04599ab/INSTALL.md Even though it looks intimidating, if you follow it through exactly step by step, you should be able to build your own Pokémon Yellow ROM and the (originally leaked) debug build.
2. Find the code from TestBattle. You should be able to locate it using the SYM file generated from the disassembly project, otherwise it should be at pointer 3f 6750 TestBattle (that's offset FE750).
3. After setting up ws m, make another bootstrap code that opens SRAM bank 2 and jumps to A000 (e.g. ld a,02 then ld (4000),a ; then ld a,0a ld (0d01),a. I know the latter isn't the official memory bank controller command, but I borrowed it from an earlier attempt that worked).
4. The next part is tedious unless you can make a tool to manually do it. If there is a way to do it from A000 as a vector that would be much easier. At the moment I don't know how (nor how to make a tool).

It's a fun hacking exercise though.
-You will want to take every banked pointer (4000-7FFF) that would have been in bank 3F and replace it with the original pointer +38B0 (landing it in SRAM). There is one that won't make sense with +38B0 being before A000. For that one exception, nop those instructions out and ignore it. Do this for both jumps/calls and values into the registers.
-Have two BGB emulator windows open, one with a SYM file loaded for retail Yellow and one for debug Yellow. For the unbanked pointers (0000-3FFF) which aren't in the retail Yellow SYM file, replace them with the retail Yellow equivalent (these are functions which moved around slightly, such as BankSwitch).
-As you'll be doing this for a while, test the end result through trial and error on BGB debugger (setting breakpoints to places where there may be bugs). I'm sure I made lots of silly errors; so this part was essential.

For more information on Test Fight, see:
tcrf.net/Proto:Pok%C3%A9mon_Yellow

C109 (facing direction) arbitrary code execution expanded party method (Pokémon Yellow)

Evie (ChickasaurusGL) 🌺 2022-05-24 | For the original exploit, see youtube.com/watch?v=5aOVYyr3uTw

Turns out you can also do this with the expanded inventory ^^, provided you corrupt your coordinates to be -0x33 and -0x80 of a spot adjacent to the map's entrance with the expanded inventory first, because after the Pokémon 91 swap, Lg- added 0x33, 0x80 to y/x, and 0x33 and 0x80 (y block/x block). Too bad after the credits, we 'bricked' our save file.

For more information, see https://glitchcity.wiki/Pok%C3%A9mon_Yellow_C109_ID_0x0F_arbitrary_code_execution#Expanded_party_method

rst 38 arbitrary code execution (Pokémon Red/Green/Blue/Yellow 1.0 JP) via Map 250/FA (Red/Green JP)

Evie (ChickasaurusGL) 🌺 2022-05-14 | I found this interesting technically specific glitch with Map 250 (0xFA) while looking for improvements to dokokashira door glitch. ^^
This glitch probably won't work on VisualBoyAdvance (even ones with correct Echo RAM emulation), but does work on BGB.

In fact, there should be a whole branch of glitches whenever a rst 0x38 occurs (where in Red/Blue/Yellow exploiting the rst 0x38 probably hasn't been done yet(??), with it working different pointing to another rst 0x38 and no useful exploit being found)

It works in both my v1.0 Green and v1.1 Red (and possibly Red v1.0, Green v1.1), but you may have to adjust the pointers you call in your code if the locations are different between the versions. The code below is for Green v1.0.

The cause of this glitch is its map script A000 which points to 00A0 (rst 38). In the Japanese versions Red/Green/Blue and Yellow v1.0 (interesting v1.1, v1.2, v1.3 changed it to rst 38 like other language versions), the rst 38 is different, and is for some reason jp F080. Hence arbitrary code execution occurs at F080 (Echo RAM for D080) but there are some interesting currently unknown details that causes the glitch to fail on VisualBoyAdvance.

In this save file of the glitch requirements set up is another weird exploit, where the game freezes if you go to the continue/new game/option screen and press B, causing the game to freeze. I noticed it and it's something to do with this specific save file?
drive.google.com/file/d/1w0i3QPB2PRwNp0vqBxxkPL7Y9JyjU1Di/view?usp=sharing

At D080 the exploit will plant the following code,

ld b,16
ld h,7B
ld l,E4
ld a,02
ld (C0EF),a
ld (C0F0),a (set the sound bank to the valid 02, as map 0xFA's 06 will freeze the game)
ld (D2DD),a (partially set the map to Viridian City to avoid other potential glitches on choosing continue)
nop
nop
nop (gets replaced by inc e 1C later for some reason; I added these filler nops knowing this happens somewhere in advance)
nop
ld a,DB
ld (D2EE),a
call 3620 (call bank 16 7BE4 ; Hall of Fame script)
ret

The new map script (also accessed after choosing continue) will be DBA0.

At DBA0

ld a,02
ld hl,C0EF
ldi (hl),a
ldi (hl),a
ret (same fix sound bank action as before)

Map 250 corrupted my party, but I escaped with an Escape Rope after adjusting the tileset address in the expanded inventory.

Method:
1. Set up this glitch, known as LWA/mart pwner archives.glitchcity.info/forums/board-107/thread-7417/page-0.html - for this purpose I chose the following

i.Text pointer table =D9B2 ; at fourth NPC (the non-Cable Club lady in Celadon City at the Pokémon Center) text pointer (D9B8) must be FE).
ii.Have no FF bytes below D9B2 up until DB5D (where you'll place your code that will be copied to D080 after the glitch).
iii. Add TM50 to D2E4, the exit destination slot in the expanded inventory.

(For the above the pointer from D9B2 is in box Pokémon data, so you'll need specific box Pokémon, at the moment I don't have details sorry; but you can set this up with another arbitrary code execution to wipe out those memory regions (and add your code to DB5D)

Steps:

1. Get
i. In slot 1 , Master Ball x178 (B2)
ii. In slot 2, TM17 (B2) x 157 (D9)
iii. In slot 3, TM50 (FA) x1
iv. An Escape Rope somewhere below if you want to escape the Glitch City.

2. Swap
i Slot 1 with slot 37 (may be just below a ?????)
ii. Slot 2 with slot 38
iii. Slot 3 with slot 34 (may be the Bicycle; じてんしゃ)

3. Talk to the non-Cable Club lady to bring up the glitch mart, and close it.

4. Go through the exit of the Pokémon Center to load Map 250, which in turn loads the 00A0 pointed rst 0x38 to jump to F080 (D080) where your code should reside. Note it can be awkward to get your codes not to freeze, and this likely won't work on VBA (BGB was used in this video).

Calling the Game Boy DMG boot ROM code (Pokémon Yellow arbitrary code execution experiment)

Evie (ChickasaurusGL) 🌺 2022-05-10 | Before I did this, I also called 1DC6 (ClearVRAM), disabled interrupts (di) and adjusted the absolute jumps within the boot ROM code to jump to the equivalent address in RAM (so anywhere there is CD YY XX adjust that to CD (your address)).
I set up the copy beginning at DA7F (see https://gbdev.gg8.se/files/roms/bootroms/ ). As you can see, for whatever reason it 'works' but the Nintendo logo is corrupted, similar to a misread Game Pak. Nothing happens after the end and it may be an indefinite loop.

Pokémon Remerald is such broken game

Evie (ChickasaurusGL) 🌺 2022-05-10 | Warning: This video contains loud unpleasant freeze noises. Turning down the volume is advised.
The first half of the ROM is Pokémon Ruby, the second half is Pokémon Emerald (like previously with Sapphire). However, this is even more unstable; you have to use save states to play, you can't even battle or open lots of menus, and many locations glitch out. Featuring Roudon and Rogre.

Note: If you open the title screen in a map viewer you get this nice art of Roudon ^-^ twitter.com/Torchickens/status/1522381958856204288