Posts for Zowayix


Experienced Forum User
Joined: 12/29/2007
Posts: 489
Lord Tom wrote:
From what I understand, anyone more knowledgeable please correct:
1. Tile is encountered outside of valid area, CPU attempts to handle
2. Based on incorrect tile data, MMC3 register is configured incorrectly. This register's function is to map 16-bit addresses to locations in ROM. So if the register value is X, the instruction JSR $ABCD jumps to one subroutine in ROM. But if the register value is incorrect JSR $ABCD jumps to some unintended location, which could be anywhere. In the forum, this is what HHS means when he says the PRG layout gets changed.
3. The incorrect mapping causes execution in an incorrect area of ROM -- essentially, arbitrary code execution, but in a bad way! Ultimately, the code executed executes RTS (return) when it is already at the base of the stack (S=FF). This overflows the stack to S=01, and the next jump location is read from memory location $0100.
4. $0100 is technically reserved for the stack (which fills from $01FF downward) but the game designers didn't ever anticipate its being used -- so they used $0100 and $0101 to store some configuration variables. At the time the glitch occurs, their values are 80 00. So I think what happens is the return location is read from this area of the stack, read least-significant byte first for $0080, a RAM location.
5. Though execution starts at $0081, so not sure if the stack stores address-1 or if I'm wrong somewhere...:/
So is this something similar to the SMW arbitrary code glitch? A non-existent sprite/tile is interacted with, and when the game tries to jump to the (non-existent) subroutine for that sprite/tile, it jumps elsewhere? In that case, is the tile in question here not actually a real note block, but a glitch tile that looks like one?
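The RTS step in the quoted walkthrough, as an added example (not code from either poster or from the game): a small C model of the 6502 stack pull and return, run on the values given in the quote (S=$FF, $0100/$0101 holding 80 00). On the 6502, JSR pushes the address of its own last byte and RTS adds 1 after pulling, which is why execution resumes at $0081 rather than $0080; the $8000 start address in the control case is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal model of the 6502 state that JSR/RTS touch (added example). */
typedef struct {
    uint8_t  ram[0x0800]; /* NES internal RAM, $0000-$07FF */
    uint8_t  s;           /* stack pointer; the stack lives in $0100-$01FF */
    uint16_t pc;
} Cpu;

/* Pull: S is incremented first as an 8-bit value ($FF wraps to $00),
   then the byte at $0100+S is read. Nothing checks for an empty stack. */
static uint8_t pull(Cpu *c) {
    c->s = (uint8_t)(c->s + 1);
    return c->ram[0x0100 + c->s];
}

/* JSR pushes the address of its own last byte (next instruction - 1),
   high byte first, decrementing S after each push. */
static void jsr(Cpu *c, uint16_t target) {
    uint16_t ret = (uint16_t)(c->pc + 2);
    c->ram[0x0100 + c->s] = (uint8_t)(ret >> 8);   c->s--;
    c->ram[0x0100 + c->s] = (uint8_t)(ret & 0xFF); c->s--;
    c->pc = target;
}

/* RTS pulls low byte, then high byte, and resumes at that address + 1. */
static void rts(Cpu *c) {
    uint8_t lo = pull(c);
    uint8_t hi = pull(c);
    c->pc = (uint16_t)((((uint16_t)hi << 8) | lo) + 1);
}

/* Scenario from the quote: unmatched RTS with S=$FF, $0100/$0101 = 80 00. */
Cpu unmatched_rts(void) {
    Cpu c = {0};
    c.s = 0xFF; c.ram[0x0100] = 0x80; c.ram[0x0101] = 0x00;
    rts(&c);
    return c;
}

/* Control: a balanced JSR/RTS pair from a constructed address $8000. */
Cpu balanced_call(void) {
    Cpu c = {0};
    c.s = 0xFF; c.pc = 0x8000;
    jsr(&c, 0xABCD); rts(&c);
    return c;
}

int main(void) {
    Cpu g = unmatched_rts(), b = balanced_call();
    printf("unmatched: PC=$%04X S=$%02X\n", (unsigned)g.pc, (unsigned)g.s);
    printf("balanced:  PC=$%04X S=$%02X\n", (unsigned)b.pc, (unsigned)b.s);
    return 0;
}
```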
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Could someone explain again how the PC jumps to the invalid location in the first place? I know I've asked this before, but earlier I had the impression that it was something like "when Mario touches the note block, the game has to draw the correct 'note block bounce' sprite to the map, which means writing a value to map data, but said map data is invalid so the game writes to an exploitable unrelated place". But apparently that's not what's happening; it's the PC that's made to jump incorrectly to the x-coordinates (which spell out another jump). How does that happen?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Question: According to the Pokemon Speedruns Wiki, in Gen I, the Thunder Badge raises Defense while the Soul Badge raises Speed; this is the opposite of what almost everywhere else (including the game itself) claims (link). The page explicitly mentions that "the game is wrong". I'm sure this game has been disassembled to the ends of the earth by now, so can anyone verify this (with actual disassembly if possible)? On a side note, the same page states that being hit by a stat-lowering move causes any Badge boosts that might apply to other stats to stack; this has been verified directly. My question is, according to this very reputable site, if the Badge boost stacking is true, then burn and paralysis drops should also stack. That is, if a Pokemon is burned (cutting its Attack in half) and its Defense is then lowered, the burn drop should stack causing Attack to be halved again. Can someone verify this part?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
GoddessMaria15 wrote:
I'll be up to taking on this one! Also would this mean that we would possibly have 2 branches for this game?
- any%
- glitchless
No one has attempted a glitchless run yet for Emerald here, and it might not even be published due to perhaps not being different enough from the current Ruby run to meet entertainment standards (since it isn't Vaultable). Having a glitched Emerald run alongside a glitchless Ruby run would be really neat to see, so massive thanks for taking it up! Not sure if a third glitchless Emerald run is necessary on top of that, as per above. I'd pay to see an All Gold Symbols run though, although it'll probably be a few decades before anyone decides to optimize that.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
^Not strictly necessary; all you really need is for the Pomeg Berry to drop HP by 2. That simply requires having the right stats, level, etc. Although it's worth noting that normally, a drop of 10 EVs (what the Pomeg Berry does) can't drop HP by 2 unless the user is at least level 41. At any level below that, a 10-EV drop will never lower HP by more than 1. However, prior to Gen V, if the user has more than 100 EVs, a Pomeg Berry will drop them directly to 100, no matter how high they were beforehand. This allows for doing the glitch at theoretically as low as level 3, if you have the time to raise your HP EVs all the way to 255 so that a single Pomeg Berry wipes out 155 of those EVs. Note that an HP Up cannot increase EVs beyond 100.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
^Presumably entertainment?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
^According to Bulbapedia and the Pokemon Speedruns Wiki, the earliest place to get them is Route 119 (after the 5th gym).
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Looks like the same exploit as the "Super Glitch" moves from Gen I: A move whose name doesn't contain a proper end marker, so in displaying it to the screen it overflows too many characters and overwrites some in-battle data.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Looks like someone got the program counter to jump to an invalid address after opening the summary screen of a glitch Pokemon. Possible arbitrary code exploit in the future? http://forums.glitchcity.info/index.php/topic,6868.45.html (read around a bit, it's pretty interesting) The dynamic RAM thing where values are 'randomly' shuffled around to make cheating harder seems to be a pretty big obstacle.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Bumping this to bring the current discussion over the branch name to a more relevant thread. Basically, as Masterjun brilliantly demonstrated in his April Fools' submission, the branch name "11 exits" simply doesn't work. Taken literally, it means to beat the game while completing 11 exits. And this movie obviously isn't the fastest way to do that, nor would anyone want the currently faster movie to obsolete this one. So it's the branch name that needs to change. "No arbitrary code execution" is out; that still allows the previous Yoshi's Island 3 credits glitch movie to obsolete this movie. "No memory corruption" is out for obvious reasons; this movie most definitely corrupts some memory. So what should it be? Whatever it is, it should probably include "no arbitrary code execution" as part of its name, as once you allow ACE, you can pretty much do whatever you want as you have complete control over the game. I mentioned in another thread that I'd prefer "no ACE, beats Bowser" as that most clearly demonstrates what the movie must accomplish. "No ACE, 11 exits" is less clean.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
But this run does follow the "shortest intended route". There needs to be a name that
- Doesn't allow this run
- Doesn't allow the YI3 credits glitch run (which doesn't involve arbitrary code execution)
- Allows the current run marked as "11 exits"
Experienced Forum User
Joined: 12/29/2007
Posts: 489
^Wrong thread; this is Gen I.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
While I don't totally mind this getting rejected, I do mind the fact that the current movie's branch name wasn't changed. As plenty have pointed out, "11 exits" is not a good branch name. It's the same reason why the first Pokemon Gold run had its branch name changed from "all gyms" to "no memory corruption". Of course, a simple name is more difficult to come up with here, as "no arbitrary code execution" still allows the previous YI3 credits glitch run through. I'd recommend something along the lines of "no arbitrary execution, defeats Bowser" or something like that. Would that work?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Oh crap, just wrote two posts in the wrong thread; both of the above were supposed to go in the G/S thread. Sorry!
Experienced Forum User
Joined: 12/29/2007
Posts: 489
^That's Gen I, not Gen II.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
There's someone over at PokemonSpeedruns.com (repository of lots of real-time speedrun strategies) attempting just that: http://www.pokemonspeedruns.com/index.php/User:Dabomstew/Gold_Coin_Case_CrazyReset_Route Not exactly the same route of course, but it does require getting the high byte of the Trainer ID to one of two specific values, thus a 1/128 chance, meaning that 99.2% of real-time runs must reset before even moving a step. The current real-time record is about 47 minutes, using this Coin Case route that doesn't require Trainer ID manipulation: http://www.pokemonspeedruns.com/index.php/Pok%C3%A9mon_Gold/Silver/Any%25_Guide
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Since the submission text already mentions the Coin Case glitch, that might be redundant. EDIT: Here's an idea that sounds pretty good: How about a screenshot of the player renaming the boxes? A lot of people aren't even aware that the boxes can be renamed (I certainly wasn't, at least in Gen II), and no one would ever consider such a feature useful in any way, giving it the perfect "WTF is this doing in a speedrun?" feeling while not giving away the final outcome (especially as it happens early in the run and doesn't come into play until a while later).
Experienced Forum User
Joined: 12/29/2007
Posts: 489
As I mentioned earlier for the Cooltrainer glitch Pokemon Blue run, the movie screenshot should probably be changed to something more descriptive of the run; the current screenshot would appear in literally any playthrough that beats the game. For the previous submission, I would have recommended the screen immediately before the warp to Mt. Silver, as several glitch characters are written to the screen as the arbitrary code is carried out. In this submission, it's barely noticeable unfortunately (look at the letter i in Coins). Anyone have any ideas?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
Rena wrote:
Most of the Pokemon runs don't use code execution. Only rearranging some variables in memory using the game's existing inventory code. It's bordering on a nitpick, but they don't construct a program in memory and execute it.
The current "no save corruption on an English game" run using the Cooltrainer move does essentially rely on arbitrary code execution.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
At the very, very least, this shows off brilliantly how the branch name "11 exits" needs updating. It will also probably induce flame wars over what to switch the branch name to. I mean, most people would probably not want this published over the current 11 exits run, but that branch can hardly be called "no memory corruption", can it? "No arbitrary code execution" sounds like it should work, but won't even that get a bit iffy? Take a look at the Pokemon Gen I runs for comparison - the branches whose sole aim is to complete the game can essentially be named "any%", "no save corruption", "no save corruption on the English version", and finally what is best described as "no heavy memory corruption" where the difference between light and heavy is pretty much arbitrary and entertainment/viewer based. ("No glitch warps" is a misnomer; like this run, it is certainly possible to beat the game fast without warping by using item underflow to switch around the coordinates of objects on the screen, thus going straight through Routes 22 and 23 while skipping all guards and all battles.) Finally, isn't the Cooltrainer move essentially arbitrary code execution anyway, just like this run? Best April Fools submission ever.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
About poison deathwarping being slower due to lack of Poke Balls, would it be possible to set it up so that you receive the 5 Poke Balls from the Aide and then immediately warp back to Cherrygrove? Would it be slower?
Experienced Forum User
Joined: 12/29/2007
Posts: 489
The Ditto glitch won't work for special 251 anyway; you'll get a ZZAZZ glitch Trainer.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
grassini wrote:
silver version this time?
Indeed, but probably not for the reason you'd expect.
Now I'm intrigued. Looking forward to it!
Experienced Forum User
Joined: 12/29/2007
Posts: 489
You can't glitch a GS Ball to get Celebi; not only do you have to have the item in your Pack, but you also have to set some event flag (which is normally triggered upon receiving the item through the event). To get Celebi you'd either have to glitch one directly, or do some fancy stuff with arbitrary code execution to set that flag.
Experienced Forum User
Joined: 12/29/2007
Posts: 489
FractalFusion, you've confirmed that Silver is faster than Gold, right?