PDA

View Full Version : Ram Offsets


Corvus of the Black Night
July 22nd, 2009, 01:30 PM
Share Ram offsets for Pokémon games here. PLEASE NOTE: It says "Ram" and not "Rom", meaning we don't want to see offsets starting in 0x8~~~~~~ or stuff like that. We want offsets that are from VBA's memory viewer, so that others can use them in ASM routines and similar occurrences. Please also indicate what it is and how you (think) it works, and which Rom it applies to (Rom name, ex. AXVE)

Only applies to Ruby/Sapphire, unless you find offsets for the DMA
*by this I mean locating the offset that points to the data in the RAM that changes due to DMA-protection

Interesting Pointers in the WRAM:

RUBY (E; AXVE):

0x02024EA4 = Name, 8 bit. Make sure NOT to change the 0xFF afterwards, or else the game will freeze upon opening the Trainer Card and will erase saved data.

Following effects in battle; not status screen.
0x02024A8C = First Attack. 16-bit.
0x02024A8E = Second Attack. 16-bit.
0x02024A90 = Third Attack. 16-bit.
0x02024A92 = Fourth Attack. 16-bit.
0x02024AA4 = PP for first attack. 8-bit.
0x02024AA5 = PP for second attack. 8-bit.
0x02024AA6 = PP for third attack. 8-bit.
0x02024AA7 = PP for fourth attack. 8-bit.
Note: Following values are generated upon entering battle. Changing Enemy Species will have no effect on Opponent.
0x02024AE4 = First Enemy Attack. 16-bit.
0x02024AE6 = Second Enemy Attack. 16-bit.
0x02024AE8 = Third Enemy Attack. 16-bit.
0x02024AEA = Fourth Enemy Attack. 16-bit.
0x02024AFC = PP for first enemy attack. 8-bit.
0x02024AFD = PP for first enemy attack. 8-bit.
0x02024AFE = PP for first enemy attack. 8-bit.
0x02024AFF = PP for first enemy attack. 8-bit.
0x02024AD8 = Enemy Species.
0x02024B00 = Enemy HP. 16-bit. NOTE: When set to 0xFFFF (maximum value), attack will do normal percentage of damage, but the next attack will cause a loop of HP. When set to 0x0000, your Pokémon will attack, then recieve respective experience points (without the fainting animation of the opponent)
0x02024AF0 = Enemy HP Multiplier. Normal is 0x06. 8-bit. (I actually have no idea why they have this o.o)
0x02024AF1 = Enemy Attack Multiplier. Normal is 0x06. 8-bit.
0x02024AF2 = Enemy Defense Multiplier. Normal is 0x06. 8-bit.
0x02024AF3 = Enemy Speed Multiplier. Normal is 0x06. 8-bit.
0x02024AF4 = Enemy Sp. Attack Multiplier. Normal is 0x06. 8-bit.
0x02024AF5 = Enemy Sp. Defense Multiplier. Normal is 0x06. 8-bit.
0x02024B14 = Enemy OT name. Note: Even Trainers have the same OT name, and will have no effect if changed. 8-bit.

PP values can be set over 0x63, however such values appear with a ?, indicating a number over 99.

0x02024EB2 = This value affects Play Time. The four bytes following it also affect Play Time, however, at faster rates. Hours are 16 bit; minutes, seconds and milliseconds are 8 bit.

0X02024EAE = Your Trainer Card Number. 16-bit.
0x02024EB0 = Your Secret Number. 16-bit.

0x02024E8E = Last accessed LZZ7 Sprite (does not include your trainer backsprite or attack animations). This number applies to Pokemon seen before as well. 16-bit.

0X02024E6D = This value changes to 0x01 when a foe is hit. 8-bit.

0x02024E80 = This value changes when different moves are used. Might be the effect, might be animation. Unsure. Only changes with damaging moves, not stat lowering/effect moves. 8-bit (apparently?)

0x02024E94 = This is a pointer that leads to the pointer that's used for displaying Pokémon. Hm... *wink*. 32-bit.

0x02024E98 = This pointer links to some data involved with Pokémon battles. It changes when Pokémon are encountered in the wild and when Pokémon are sent out. 32-bit.

0x02024E9C = This pointer links to some data involved with the layout of the Pokémon in battles. If the data where the pointer leads to is removed, interesting graphical glitches occur, and an effect resembling the Bo' eAN glitch also occurs. (Debug, anyone?) This Pointer also changes when Pokémon are encountered or when Pokémon are sent out. 32-bit.

0x02024EA0 = This pointer leads to a THUMB routine. The routine may be involved with how the Pokémon are displayed as well. It changes as according to the conditions stated with the above two pointers. 32-bit.

It should be noted that most of these are not permement changes but can be used when designing new effects for attacks. Although I have not obtained offsets for both opponent and ally Pokémon, they can be mirrored to eachother.

Also, for some reason, the player's name pops up in a ton of places, but changing it has no effect on the game at all (that I could find). Reason?

HackMew
July 23rd, 2009, 03:15 AM
This thread should belong to the Documents and Tutorials, actually. Either way, all those makes sense only for R/S as the other games are DMA-protected, hence (most of) the data will be shifting back and forward in RAM. In other words, no fixed RAM addresses.

Also, for some reason, the player's name pops up in a ton of places, but changing it has no effect on the game at all (that I could find). Reason?

It must be the game that puts it into RAM whenever neeeded, as a temporary store. The actual player's name address is one and only one.

score_under
July 23rd, 2009, 03:25 AM
DMA-protected
Which in this case stands for Dynamic Memory Allocation, not Direct Memory Access - you should fix that in your tutorial thread.

There must be some way to track down the pointers to it... although doing so would be tiresome.

Corvus of the Black Night
July 23rd, 2009, 04:23 AM
This thread should belong to the Documents and Tutorials, actually. Either way, all those makes sense only for R/S as the other games are DMA-protected, hence (most of) the data will be shifting back and forward in RAM. In other words, no fixed RAM addresses.



It must be the game that puts it into RAM whenever neeeded, as a temporary store. The actual player's name address is one and only one.
Whoops. Well, at least my hunch was correct. I'll be doing more investigation today (wheee), and I'll make sure I note R/S in the first post : P

Also, mod, take HM's advice and please move this to Documents and Tutorials. Thank you!

HackMew
July 23rd, 2009, 06:31 AM
Which in this case stands for Dynamic Memory Allocation, not Direct Memory Access - you should fix that in your tutorial thread.

There must be some way to track down the pointers to it... although doing so would be tiresome.

Ah, the joys of acronyms ambiguity... yes and no. In my tutorial I clearly stated the locations are dynamic, and to move the data around the GBA uses Direct Memory Access BIOS functions. Dynamic Memory Allocation there relies on such functions. The so-called DMA disabler or Anti-DMA codes will prevent the BIOS functions to be executed, or better to always move the data at the same addresses. In the Pokémon games (but side effects probably happens in other ones as well), the PRNG, which is indeed used to randomize the addresses, gets broken after using them.

Since the data changes on-the-fly, the only things that can be provived are the IWRAM addresses pointing to the protected data, which can be tracked down with a bit of debugging effort.

0m3GA ARS3NAL
July 27th, 2009, 11:43 PM
Ah, the joys of acronyms ambiguity... yes and no. In my tutorial I clearly stated the locations are dynamic, and to move the data around the GBA uses Direct Memory Access BIOS functions. Dynamic Memory Allocation there relies on such functions. The so-called DMA disabler or Anti-DMA codes will prevent the BIOS functions to be executed, or better to always move the data at the same addresses. In the Pokémon games (but side effects probably happens in other ones as well), the PRNG, which is indeed used to randomize the addresses, gets broken after using them.

Since the data changes on-the-fly, the only things that can be provived are the IWRAM addresses pointing to the protected data, which can be tracked down with a bit of debugging effort.

Wut?
Anywho, this is a nice document here... Pretty handy for those R/S hackers.

IIMarckus
August 2nd, 2009, 10:01 AM
Which in this case stands for Dynamic Memory Allocation, not Direct Memory AccessOh! Thanks for the clarification. Do the games use it for cheat protection, or is there some other advantage?