PDA

View Full Version : Quick Research & Development Thread


Pages : [1] 2 3

Spherical Ice
January 9th, 2010, 02:23 AM
cogs Quick Research & Development Thread
This thread is for small-scale research and development that can be solved in a matter of, say, five or six posts (or less). If you think of something you want to investigate but think it is too minor or shot for an entire Research & Development thread, or discover a small titbit of information that, on its own, would not warrant a whole thread for itself, just post it here!

edit Posting format
When posting your researched articles, please post them in a format that can be easily understood. Along with posting all your research on the matter in hand, please include any website links, offsets, subsidiary information and the likes when posting your article. Posts that are unclear in their message or that miss out vital information will not be added to the directory, for the sake of convenience and ease of access.

check Thread rules
All posts must follow the posting format above. In addition, posts must follow the rules detailed below. (Of course, please ensure that you follow the PokéCommunity global rules (http://www.pokecommunity.com/showthread.php?p=6446812), as well as this subforum's local rules (http://www.pokecommunity.com/showthread.php?t=325283).)

This is not a Simple Question thread.This is purely for quick research, don’t ask your ROM Hacking questions unless they are undocumented enough to warrant research. Simple Questions should be posted as unique threads in the Beginner's Lounge (http://www.pokecommunity.com/forumdisplay.php?f=284) subforum.

You should have a minimum amount of knowledge on the matter in hand.We expect that you’ll have knowledge of ROM Hacking and at least a small idea on what to do with what you've found out.

Reviving old topics in the thread is forbidden.Unless you've found significant research and the case was unresolved in the first time of posting.

sort-amount-desc Thread Directory
To make navigating this thread easier for everybody, the posts in this thread are linked to in this directory. It is split into a few categories, and each link is marked with a prefix. The meaning of these prefixes is explained in the Key at the bottom of this post.

puzzle-piece Mechanics Research
[GS] Preventing the Legendary Birds from fleeing (http://www.pokecommunity.com/showthread.php?p=6658955#6658955)
[RS] Editing the Hoenn Pokédex order (http://www.pokecommunity.com/showthread.php?p=7153621#7153621)
[RS] Editing Battle Tower opponents (http://www.pokecommunity.com/showthread.php?p=5976129#5976129)
[FR] Making HMs deleteable (http://www.pokecommunity.com/showthread.php?p=6078341#6078341)
[FR] Enabling automatic running without the use of the B Button (http://www.pokecommunity.com/showthread.php?p=6250699#6250699)
[FR] Location of the badge-check for Surf and Waterfall (http://www.pokecommunity.com/showthread.php?p=7015146#7015146)
[FR] Making the "Seen" amount of your Pokédex displayed in the continue screen and the save screen instead of the caught numbers (http://www.pokecommunity.com/showthread.php?p=7171923#7171923)
[FR] Removing the introduction part of the New Game function (http://www.pokecommunity.com/showthread.php?p=7434819#7434819)
[FR] Skipping parts of the introduction (http://www.pokecommunity.com/showthread.php?p=7526770#7526770)
[FR] Changing the Level at which Eggs hatch (http://www.pokecommunity.com/showthread.php?p=7584159#7584159) [EM 1] (http://www.pokecommunity.com/showthread.php?p=7584457#7584457) [EM 2] (http://www.pokecommunity.com/showthread.php?p=7838859#7838859)
[FR] Extend the limit to the seen/caught text and extending the number of Pokemon that will be correctly featured in the habitat pages (http://www.pokecommunity.com/showthread.php?p=7691854#7691854)
[FR] Information on the Secret Key (http://www.pokecommunity.com/showthread.php?p=7708221#7708221)
[FR] Removing the flag-check for the Running Shoes (http://www.pokecommunity.com/showthread.php?p=7770864#7770864)
[FR] Removing the flag-checks for all HMs from the POKéMON menu (http://www.pokecommunity.com/showthread.php?p=7778220#7778220)
[FR] Preventing Safari Zone Pokémon from fleeing (http://www.pokecommunity.com/showthread.php?p=7803428#7803428) [RS] (http://www.pokecommunity.com/showthread.php?p=7805302#7805302)
[FR] Changing the level of the Ghost Marowak (http://www.pokecommunity.com/showthread.php?p=7997230#7997230)
[FR] The Pickup ability's item table structure (http://www.pokecommunity.com/showthread.php?p=7999725#7999725) [EM] (http://www.pokecommunity.com/showthread.php?p=8202188#8202188)
[FR] Egg group information [Part 1] (http://www.pokecommunity.com/showthread.php?p=8024909#8024909) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8438336#8438336) [EM] (http://www.pokecommunity.com/showthread.php?p=8438336#8438336)
[FR] Preventing Pokémon from fainting in the field from poison (http://www.pokecommunity.com/showthread.php?p=8422384#8422384)
[FR] Disabling poison in the over world (http://www.pokecommunity.com/showthread.php?p=8574891#8574891)
[FR] Implementing the X/Y-styled experience gain after capturing wild Pokémon [Part 1] (http://www.pokecommunity.com/showthread.php?p=8308957#8308957) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8311049#8311049) [EM] (http://www.pokecommunity.com/showthread.php?p=8309821#8309821)
[FR] Enabling the player to run off of ledges (http://www.pokecommunity.com/showthread.php?p=8378117#8378117)
[FR] Updating the critical hit mechanics [Part 1] (http://www.pokecommunity.com/showthread.php?p=8495151#8495151) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8497631#8497631) [RS] (http://www.pokecommunity.com/showthread.php?p=8495365#8495365)
[FR] VS. Seeker table information (http://www.pokecommunity.com/showthread.php?p=8498158#8498158)
[FR] Enabling the capture of opponent Trainers' Pokémon (http://www.pokecommunity.com/showthread.php?p=8509590#8509590)
[FR] Information on the structure of in-game trades [Part 1] (http://www.pokecommunity.com/showthread.php?p=8528011#8528011) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8565673#8565673)
[EM] Editing the Hoenn Pokédex order (http://www.pokecommunity.com/showthread.php?p=7154117#7154117)
[EM] Swarm structures (http://www.pokecommunity.com/showthread.php?p=7453895#7453895)
[EM] Secret base decorations structure (http://www.pokecommunity.com/showthread.php?p=7527016#7527016)
[EM] Enabling the Mach Bike's speed for default walking (http://www.pokecommunity.com/showthread.php?p=8391202#8391202)
[EM] Changing the flag required for Surfing on the over world [Part 1] (http://www.pokecommunity.com/showthread.php?p=8399668#8399668) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8400448#8400448) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8543303#8543303) [Part 4] (http://www.pokecommunity.com/showpost.php?p=8689774&postcount=663)
[EM] Frontier Brain info and Battle Pyramid wild spawns (http://www.pokecommunity.com/showthread.php?p=7092796#7092796)
[EM] Battle Tower Pokémon exclusion list location [Part 1] (http://www.pokecommunity.com/showthread.php?p=7020447#7020447) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8619324#8619324)
[EM] Battle Pike wilds structure (http://www.pokecommunity.com/showthread.php?p=7115858#7115858)
[EM] Script executed when the player enters a Trainer event's view radius (http://www.pokecommunity.com/showthread.php?p=6293915#6293915)
[EM] Steven's Double Battle team structure (http://www.pokecommunity.com/showthread.php?p=6133157#6133157)
[EM] Reusable TMs (http://www.pokecommunity.com/showthread.php?p=7993745#7993745)
[EM] Skipping the Prof. Birch intro [Part 1] (http://www.pokecommunity.com/showthread.php?p=8444249#8444249) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8444297#8444297) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8446384#8446384)
[EM] Setting the Player's name (http://www.pokecommunity.com/showthread.php?p=8444386#8444386)
[EM] Editing the start menu options (http://www.pokecommunity.com/showthread.php?p=8450458#8450458)
[EM] Extending the Hoenn regional Pokédex (http://www.pokecommunity.com/showthread.php?p=8466427#8466427)
[RS] [FR] [EM] Dynamic offsets for the TM / HM Compatibility Table (http://www.pokecommunity.com/showthread.php?p=8383856#8383856)
[RS] [FR] [EM] Enabling bicycle-riding in maps (http://www.pokecommunity.com/showthread.php?p=7209316#7209316)
[RS] [FR] [EM] Information on the wild Pokémon structures (http://www.pokecommunity.com/showthread.php?p=7650568#7650568)
[RS] [FR] [EM] Enabling support for extended Pokémon in the wild for AdvanceMap 1.9.2 [Part 1] (http://www.pokecommunity.com/showthread.php?p=8271873#8271873) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8278234#8278234)
[RS] [FR] [EM] Research into the altitude of Person events in maps (http://www.pokecommunity.com/showthread.php?p=8290709#8290709)
[FR] [EM] Adding more field moves (http://www.pokecommunity.com/showthread.php?p=8431419#8431419)
[FR] [EM] Updating Rough Skin (http://www.pokecommunity.com/showthread.php?p=8465150#8465150)
[FR] [EM] Critical Hit table information (http://www.pokecommunity.com/showthread.php?p=8495151#8495151)
[FR] [EM] Critical Hit nerf hack (http://www.pokecommunity.com/showthread.php?p=8497631#8497631)


code Scripting Research
[RS] "The battle script associated with both Birch's whining as well as the 'Can't Escape!' message" (http://www.pokecommunity.com/showthread.php?p=7827306#7827306)
[FR] The difference between trainerbattle 0x1 and trainerbattle 0x2 (http://www.pokecommunity.com/showthread.php?p=8466596#8466596)
[FR] The first script executed (http://www.pokecommunity.com/showthread.php?p=6375660#6375660)
[FR] Loading the White Out cutscene [Part 1] (http://www.pokecommunity.com/showthread.php?p=6399093#6399093) [Part 2] (http://www.pokecommunity.com/showthread.php?p=6399900#6399900)
[FR] Explanation of cmd9C (doanimation) command (http://www.pokecommunity.com/showthread.php?p=6464348#6464348)
[FR] Exploring the Coin Case (http://www.pokecommunity.com/showthread.php?p=6806741#6806741)
[FR] Displaying a secondary message box with header text and body text (http://www.pokecommunity.com/showthread.php?p=6813658#6813658)
[FR] An overview of the use of flags and variables in a vanilla ROM (http://www.pokecommunity.com/showthread.php?p=6829256#6829256)
[FR] "Interesting quirks about some FireRed scripting commands" (http://www.pokecommunity.com/showthread.php?p=6851052#6851052)
[FR] Exploration of cmda6 [Part 1] (http://www.pokecommunity.com/showthread.php?p=6862459#6862459) [Part 2] (http://www.pokecommunity.com/showthread.php?p=6865436#6865436)
[FR] Naming the player from the over world (http://www.pokecommunity.com/showthread.php?p=7087946#7087946)
[FR] applymovement values (http://www.pokecommunity.com/showthread.php?p=7100605#7100605) [EM] (http://www.pokecommunity.com/showthread.php?p=8375207#8375207)
[FR] callasm battle script function and battle string function (http://www.pokecommunity.com/showthread.php?p=7101031#7101031)
[FR] FireRed scripting engine wiki (http://www.pokecommunity.com/showthread.php?p=7113389#7113389)
[FR] Identifying the setmapfooter footer byte (http://www.pokecommunity.com/showthread.php?p=7204567#7204567)
[FR] Locating the player's current amount of money (http://www.pokecommunity.com/showthread.php?p=7207585#7207585)
[FR] Location of the script that executes after whiting out [Part 1] (http://www.pokecommunity.com/showthread.php?p=7397942#7397942) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8256188#8256188)
[FR] Enabling greyscale or sepia overlays [Part 1] (http://www.pokecommunity.com/showthread.php?p=7434713#7434713) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8106815#8106815)
[FR] Mystery Gift information (http://www.pokecommunity.com/showthread.php?p=7683990#7683990)
[FR] RAM locations of the opponent Pokémon's primary and secondary type (http://www.pokecommunity.com/showthread.php?p=7850284#7850284)
[FR] Scripts executed after exiting the second floor of Pokémon Centers for the Colosseum room or Trade room (http://www.pokecommunity.com/showthread.php?p=7932160#7932160)
[FR] A script that alerts the player when eggs have been spawned by Pokémon in the Day-care Center (http://www.pokecommunity.com/showthread.php?p=7951279#7951279)
[FR] A script that will allow you to choose how many Pokemon you need to have registered in order to receive a diploma (http://www.pokecommunity.com/showthread.php?p=7994097#7994097)
[FR] Information on changing the start menu [Part 1] (http://www.pokecommunity.com/showthread.php?p=8168936#8168936) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8168985#8168985)
[FR] Removing Prof. Oak's text from trainerbattle 0x9 (http://www.pokecommunity.com/showthread.php?p=8182332#8182332)
[FR] Information on the textcolor command (http://www.pokecommunity.com/showthread.php?p=8269562#8269562)
[FR] Information on the 0x9F byte for applymovement (http://www.pokecommunity.com/showthread.php?p=8375191#8375191)
[FR] Info on Hidden Items (http://www.pokecommunity.com/showthread.php?p=8413143#8413143)
[FR] Warp command accept variables (http://www.pokecommunity.com/showthread.php?p=8564902#8564902)
[FR] Editing or expanding the locations of the Seagallop Ferry (special 0x17B) (http://www.pokecommunity.com/showpost.php?p=8698352&postcount=664)
[EM] Location of the Surf behavior byte's script (http://www.pokecommunity.com/showthread.php?p=8380911#8380911)
[EM] A way to checkpokemon in your party for events [Part 1] (http://www.pokecommunity.com/showthread.php?p=8384600#8384600) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8385049#8385049)
[EM] A tag battle script (http://www.pokecommunity.com/showthread.php?p=8386994#8386994)
[EM] List of Variables (http://www.pokecommunity.com/showthread.php?p=7017201#7017201)
[EM] List of Specials [Part 1] (http://www.pokecommunity.com/showthread.php?p=7015627#7015627) [Part 2] (http://www.pokecommunity.com/showthread.php?p=7017201#7017201) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8015414#8015414) [Part 4] (http://www.pokecommunity.com/showthread.php?p=8034863#8034863) [Part 5] (http://www.pokecommunity.com/showthread.php?p=8036302#8036302) [Part 6] (http://www.pokecommunity.com/showthread.php?p=8039395#8039395)
[EM] Egg-hatching script (http://www.pokecommunity.com/showthread.php?p=6397112#6397112)
[EM] Badge checks for HMs (http://www.pokecommunity.com/showthread.php?p=8422137#8422137)
[EM] doanimation command values (http://www.pokecommunity.com/showthread.php?p=8422374#8422374)
[EM] Enable a different fanfare for obtaining Key Items (http://www.pokecommunity.com/showthread.php?p=7354419#7354419)
[EM] The flag set when the player has mounted their bicycle (http://www.pokecommunity.com/showthread.php?p=8432861#8432861)
[EM] The script that executes when there is no item registered (http://www.pokecommunity.com/showthread.php?p=8432861#8432861)
[EM] List of various scripts (http://www.pokecommunity.com/showthread.php?p=8474711#8474711)
[RS] [FR] [EM] Information on the playsong2 command (http://www.pokecommunity.com/showthread.php?p=8103551#8103551)
[RS] [FR] [EM] Information on cry command [Part 1] (http://www.pokecommunity.com/showthread.php?p=8104240#8104240) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8135701#8135701) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8155159#8155159)
[RS] [FR] [EM] Information on the movement byte 0x69 (http://www.pokecommunity.com/showthread.php?p=8131615#8131615)
[RS] [FR] [EM] Translating Trainer flags to regular flags (http://www.pokecommunity.com/showthread.php?p=6385877#6385877)
[RS] [FR] [EM] Adding black bars to the top and bottom of the screen [Part 1] (http://www.pokecommunity.com/showthread.php?p=7422715#7422715) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8106702#8106702)
[RS] [FR] [EM] Special table (http://www.pokecommunity.com/showthread.php?p=7669647#7669647)
[FR] [EM] List of used flags (http://www.pokecommunity.com/showthread.php?p=7800179#7800179)
[FR] [EM] Check / Count a Specific Pokémon Species in the Party (http://www.pokecommunity.com/showthread.php?p=8388671#8388671)
[FR] [EM] Research on the spriteface2 command (http://www.pokecommunity.com/showthread.php?p=8523321#8523321)


camera Graphics Research
[FR] Animation location for arrows in the Bag (http://www.pokecommunity.com/showthread.php?p=6237069#6237069)
[FR] Changing the duration of the title screen (http://www.pokecommunity.com/showthread.php?p=6284099#6284099)
[FR] Making the title screen last forever (http://www.pokecommunity.com/showthread.php?p=6284862#6284862)
[FR] Location of a table that dictates the "type" / gender of a Person event (http://www.pokecommunity.com/showthread.php?p=6353376#6353376)
[FR] Snow weather animation location (http://www.pokecommunity.com/showthread.php?p=6373875#6373875)
[FR] Editing PC Boxes (http://www.pokecommunity.com/showthread.php?p=6920008#6920008)
[FR] Location of Transform's animation (http://www.pokecommunity.com/showthread.php?p=7020668#7020668)
[FR] Naming the Rival from the over world (http://www.pokecommunity.com/showthread.php?p=7508563#7508563)
[FR] Editing the Pokédex's display [Part 1] (http://www.pokecommunity.com/showthread.php?p=7516162#7516162) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8540162#8540162)
[FR] Location of the palette for the player's reflection (http://www.pokecommunity.com/showthread.php?p=7797558#7797558)
[FR] Town Map route / city dimensions offsets (http://www.pokecommunity.com/showthread.php?p=8048560#8048560)
[FR] Information of the table that controls the position of various elements during the item-use animation (http://www.pokecommunity.com/showthread.php?p=8049434#8049434)
[FR] Trainer Card tileset, tilemap and palette locations (http://www.pokecommunity.com/showthread.php?p=8071787#8071787)
[FR] Information on changing the start menu (http://www.pokecommunity.com/showthread.php?p=8168936#8168936)
[FR] Changing the color filter used by flashbacks (http://www.pokecommunity.com/showthread.php?p=8195303#8195303)
[FR] Information on the generateOAM function [Part 1] (http://www.pokecommunity.com/showthread.php?p=8231290#8231290) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8231803#8231803) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8233143#8233143)
[FR] Changing text boxes (http://www.pokecommunity.com/showthread.php?p=8271341#8271341)
[FR] Information on adding more eye catches (http://www.pokecommunity.com/showthread.php?p=8335708#8335708)
[FR] Location of the amorphous blob the player surfs on's sprites (http://www.pokecommunity.com/showthread.php?p=8372959#8372959)
[FR] Changing the default text color / gender for Person events (http://www.pokecommunity.com/showthread.php?p=8399248#8399248)
[FR] Info on the Spinda dots (http://www.pokecommunity.com/showthread.php?p=8615539#8615539)
[FR] Lavender Tower Ghost palette info (http://www.pokecommunity.com/showpost.php?p=8680715&postcount=661)
[FR] Adjusting the x/y/layout of the textbox (http://www.pokecommunity.com/showpost.php?p=8701665&postcount=665)
[EM] Document of all LZ77-compressed data (http://www.pokecommunity.com/showthread.php?p=7374842#7374842)
[EM] Location of the type icon chart (http://www.pokecommunity.com/showthread.php?p=8016477#8016477)
[EM] Location of the battle animation background table (http://www.pokecommunity.com/showthread.php?p=8129461#8129461)
[RS] [FR] Limiters for the over world amount (http://www.pokecommunity.com/showthread.php?p=7559140#7559140)
[RS] [FR] [EM] Block editing via hex editors (http://www.pokecommunity.com/showthread.php?p=8186402#8186402)
[DP] List of Material IDs and Polygon IDs (http://www.pokecommunity.com/showthread.php?p=7028747#7028747)


music Audio Research
[FR] Track number of the Low HP sound (http://www.pokecommunity.com/showthread.php?p=7699003#7699003) [EM] (http://www.pokecommunity.com/showthread.php?p=8407194#8407194)
[FR] Changing the Level-Up fanfare (http://www.pokecommunity.com/showthread.php?p=7956244#7956244)
[FR] Changing the Wild Battle defeat fanfare (http://www.pokecommunity.com/showthread.php?p=8577690#8577690)
[EM] Identifying Voice Groups (http://www.pokecommunity.com/showthread.php?p=7019898#7019898)
[RS] [FR] [EM] Format of the song table (http://www.pokecommunity.com/showthread.php?p=8081693#8081693)
[RS] [FR] [EM] Removing modulation from .s files [Part 1] (http://www.pokecommunity.com/showthread.php?p=8196346#8196346) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8196354#8196354) [Part 3] (http://www.pokecommunity.com/showthread.php?p=8196401#8196401)
[RS] [FR] [EM] Extending the Number of DirectSound Tracks [Part 1] (http://www.pokecommunity.com/showthread.php?p=7559059#7559059) [Part 2] (http://www.pokecommunity.com/showthread.php?p=8352359#8352359)
[RS] [FR] [EM] Info on songs and fanfares (http://www.pokecommunity.com/showthread.php?p=7296215#7296215)
[RS] [FR] [EM] Changing the cry of the Pokémon the Professor releases during the introduction speech (http://www.pokecommunity.com/showthread.php?p=7550436#7550436)
Converting MIDI files to .SSEQ files (http://www.pokecommunity.com/showthread.php?p=7426961#7426961)


plus Other
[FR] The purpose of 0x0203C000 (http://www.pokecommunity.com/showthread.php?p=6391789#6391789)
[FR] Location of "S" when obtaining multiple items (http://www.pokecommunity.com/showthread.php?p=6210916#6210916)
[FR] Controlling other Person events in a map (http://www.pokecommunity.com/showthread.php?p=6250319#6250319)
[FR] Player control RAM structure(s) (http://www.pokecommunity.com/showthread.php?p=6250763#6250763)
[FR] Pokédex Habitat data structure(s) (http://www.pokecommunity.com/showthread.php?p=6263014#6263014)
[FR] RAM addresses that store the map bank, map number, and the player's current X and Y co-ordinates [Part 1] (http://www.pokecommunity.com/showthread.php?p=6395789#6395789) [Part 2] (http://www.pokecommunity.com/showthread.php?p=6396108#6396108)
[FR] The limit of script recursion [Part 1] (http://www.pokecommunity.com/showthread.php?p=6801692#6801692) [Part 2] (http://www.pokecommunity.com/showthread.php?p=6804537#6804537)
[FR] RAM locations that control screen refreshing (http://www.pokecommunity.com/showthread.php?p=6813142#6813142)
[FR] Person data structure (http://www.pokecommunity.com/showthread.php?p=6841700#6841700)
[FR] "Offsets for some scripts that people may find interesting" (http://www.pokecommunity.com/showthread.php?p=6841700#6841700)
[FR] Information on the RAM location starting at 0x0203F3C0 (http://www.pokecommunity.com/showthread.php?p=6888927#6888927)
[FR] Location of obedience checks (http://www.pokecommunity.com/showthread.php?p=7331751#7331751)
[FR] The starting position of the player in a new game (http://www.pokecommunity.com/showthread.php?p=7365034#7365034)
[FR] Step counter location in the RAM (http://www.pokecommunity.com/showthread.php?p=7505380#7505380)
[FR] "Wait-for-interrupt" loop patch (http://www.pokecommunity.com/showthread.php?p=7529991#7529991)
[FR] Location of the battle menu's text (FIGHT / BAG / PKMN / RUN) (http://www.pokecommunity.com/showthread.php?p=7694701#7694701)
[FR] DMA Negation (http://www.pokecommunity.com/showthread.php?p=7708221#7708221)
[FR] RAM location of the player's money (http://www.pokecommunity.com/showthread.php?p=7708221#7708221)
[FR] RAM locations of the player's X and Y co-ordinates (http://www.pokecommunity.com/showthread.php?p=6615306#6615306)
[FR] How to edit the default options in the Options menu (http://www.pokecommunity.com/showthread.php?p=8615361#8615361)
[EM] Cheat codes (http://www.pokecommunity.com/showthread.php?p=8402732#8402732)
[EM] Locations of the default names for the player (http://www.pokecommunity.com/showthread.php?p=8278904#8278904)
[RS] [FR] [EM] Clearing 0x1000 bytes in the RAM (http://www.pokecommunity.com/showthread.php?p=6122029#6122029)
[RS] [FR] [EM] Order of events (http://www.pokecommunity.com/showpost.php?p=8682565&postcount=662)
[FR] [EM] JPAN's Save Variable Patch (http://www.pokecommunity.com/showthread.php?p=6104707#6104707)
[DP] "Some rather interesting things" (http://www.pokecommunity.com/showthread.php?p=6418856#6418856)
[DP] Sinnoh Pokédex numbers location (http://www.pokecommunity.com/showthread.php?p=6508772#6508772)
[DP] A tool to convert offsets to paths (http://www.pokecommunity.com/showthread.php?p=6509620#6509620)
[XY] Pumpkaboo mystery gift downloading packet info (http://www.pokecommunity.com/showthread.php?p=8476441#8476441)
[PMD] Saving cheat code (http://www.pokecommunity.com/showthread.php?p=6282751#6282751)
[PMD] Research into .bpc files (http://www.pokecommunity.com/showthread.php?p=8248047#8248047)
[OTHER] knizz's HTML-only BL Finder tool port (http://www.pokecommunity.com/showthread.php?p=6649305#6649305)
[OTHER] Porting C files to ASM (http://www.pokecommunity.com/showthread.php?p=6796113#6796113)
[OTHER] knizz's online database (http://www.pokecommunity.com/showthread.php?p=7678797#7678797)
[OTHER] A Python script for debugging a map (http://www.pokecommunity.com/showthread.php?p=8061640#8061640)


[B]key Directory Key[RG] - Japanese Red / Green
[RB] - Red / Blue
[Y] - Yellow
[GS] - Gold / Silver
[C] - Crystal
[RS] - Ruby / Sapphire (usually just Ruby)
[FR] - FireRed / LeafGreen (usually just FireRed)
[EM] - Emerald
[DP] - Diamond / Pearl
[Pt] - Platinum
[HGSS] - HeartGold / SoulSilver
[B2W2] - Black / White / Black 2 / White 2
[XY] - X / Y
[ORAS] - OmegaRuby / AlphaSapphire
[PMD] - Pokémon Mystery Dungeon (not necessarily the same versions)
[OTHER] - Not necessarily specific to one ROM, or not Pokémon-related
[Part #] - Links to other posts that expand upon or correct the first part

HackMew
February 12th, 2010, 10:04 AM
The title says it all. If you have any suggestions, or criticism or you spotted some erros, feel free to post. Otherwhise avoid spamming, thanks!
Note: only clean ROMs are taken into account. Also, features available in all games are not included.

[snip]Those pictures weren't meant to be there, I suppose XD[/giradialkia]

diegoisawesome
February 12th, 2010, 04:20 PM
The title says it all. If you have any suggestions, or criticism or you spotted some erros, feel free to post. Otherwhise avoid spamming, thanks!
HackMew, doesn't FireRed have Pokérus? Maybe you mean random Pokérus (in which case I wouldn't know) but as a feature it does.

Team Fail
February 13th, 2010, 11:36 AM
The title says it all. If you have any suggestions, or criticism or you spotted some erros, feel free to post. Otherwhise avoid spamming, thanks!]

Also, here are some other fixes you should include:
Battling 2 trainers at once: I'm sure FireRed has that, especially at the Battle Tower in 7 Island
Colored dialogue: I think Ruby has that, although limited, and I also think Emerald has that.
More than one Bike: I think with a little ASM, the hidden Key Items in FR/LG can be made to work with R/S/E standards, although I have no idea how to use it.
Pokérus: I KNOW FR/LG has it, and I think diegoisawesome is right on that call. That definitely needs to be corrected.

Spherical Ice
February 13th, 2010, 11:40 AM
Also, here are some other fixes you should include:
Battling 2 trainers at once: I'm sure FireRed has that, especially at the Battle Tower in 7 Island
Colored dialogue: I think Ruby has that, although limited, and I also think Emerald has that.
More than one Bike: I think with a little ASM, the hidden Key Items in FR/LG can be made to work with R/S/E standards, although I have no idea how to use it.
Pokérus: I KNOW FR/LG has it, and I think diegoisawesome is right on that call. That definitely needs to be corrected.

By Coloured Dialogue, I think HackMew meant automatic colouring for person events; the numerous bike feature IS RS/E exclusive, as that list is for an unedited ROM, and I agree with you and diegoisawesome with the Pokérus factor.

Still, that is a very helpful post, HackMew.

HackMew
February 13th, 2010, 11:48 AM
HackMew, doesn't FireRed have Pokérus? Maybe you mean random Pokérus (in which case I wouldn't know) but as a feature it does.

Nope, it doesn't. It does support Pokérus as status, for compatibility. But you won't be able to infect other Pokémon and the virus will never wear off either.
You can't even get the Pokérus unless you trade/cheat. At least, that's what I read on Bulbapedia.


Also, here are some other fixes you should include:
Battling 2 trainers at once: I'm sure FireRed has that, especially at the Battle Tower in 7 Island
Colored dialogue: I think Ruby has that, although limited, and I also think Emerald has that.
More than one Bike: I think with a little ASM, the hidden Key Items in FR/LG can be made to work with R/S/E standards, although I have no idea how to use it.
Pokérus: I KNOW FR/LG has it, and I think diegoisawesome is right on that call. That definitely needs to be corrected.

Are you sure on the Battle Tower? Mind checking again, just in case?
Also, for colored dialogue I meant, like The Master said, the automatic, gender-based coloring.
If you look at the original games, you'll see R/S/E messages are plain black.

Team Fail
March 13th, 2010, 07:19 PM
Nope, it doesn't. It does support Pokérus as status, for compatibility. But you won't be able to infect other Pokémon and the virus will never wear off either.
You can't even get the Pokérus unless you trade/cheat. At least, that's what I read on Bulbapedia.




Are you sure on the Battle Tower? Mind checking again, just in case?
Also, for colored dialogue I meant, like The Master said, the automatic, gender-based coloring.
If you look at the original games, you'll see R/S/E messages are plain black.

I can see why there's no support for Pokerus: No RTC. It wears off at midnight, but there isn't a RTC.

I grabbed my LeafGreen (same as Firered...) Yup. At the battle tower, there are 4 modes:
Single
Double
Knockout
Mixed

On double, the trainers will face you- 2-on-2 matches (Double battles) until you complete the challenge or loose. Also, right before Pattern Bush, there are twins Miu and Mia that both send out Pikachu.

OK. I guess I was wrong for text coloring in R/S. I beat Ruby ages ago (360+ hours...) so I kinda forgot...
And sorry for a month-long response...

Gamer2020
March 13th, 2010, 08:26 PM
I can see why there's no support for Pokerus: No RTC. It wears off at midnight, but there isn't a RTC.

I grabbed my LeafGreen (same as Firered...) Yup. At the battle tower, there are 4 modes:
Single
Double
Knockout
Mixed

On double, the trainers will face you- 2-on-2 matches (Double battles) until you complete the challenge or loose. Also, right before Pattern Bush, there are twins Miu and Mia that both send out Pikachu.

OK. I guess I was wrong for text coloring in R/S. I beat Ruby ages ago (360+ hours...) so I kinda forgot...
And sorry for a month-long response...

It is not the same as emerald though. That is just a normal double battle.
In Emerald if 2 trainers happen to both see you at the same time they will both battle you at once.

Chaos Rush
April 14th, 2010, 03:26 PM
I think "Improved Graphics" is an opinion, not an actual fact.

Quite frankly, I think the FR/LG graphics are horrible.

EDIT: Okay, they aren't horrible, they look fine to be honest, but I still think that "Improved Graphics" is just an opinion.

HackMew
April 14th, 2010, 03:37 PM
I think "Improved Graphics" is an opinion, not an actual fact.

Quite frankly, I think the FR/LG graphics are horrible.

Well, that's meant as graphics engine. Maybe I'll reword it a little.

Shiny Quagsire
May 1st, 2010, 08:17 AM
Does anyone know where each map's pokemon list is stored and how it is stored? Ex XXXX -level XX -species

mindfreak
May 1st, 2010, 08:32 AM
You can find the offsets for each maps pokemon in Advance map.
Go to the wild pokemon tab and click on expand.
There you ll' find the offset.

its stored...

YY Min Lv
XX Max LV
FFFF Pokemon hex number

kittopian
June 16th, 2010, 08:57 PM
Well... I am researching "glitch moves" In the hope of creating more attacks... I would like to know where the move data table is so I may try to expand it because the "glitch move" data is really existing rom data, and if this is actualy acheivable Any way... hopefully I will be able to 'create' new moves. E.G. for 4th gen pokemon, ect.

My knowledge so far: Move data can be interpreted from other data.

P.S I do not truly know if this thread was where to put this...

Shiny Quagsire
July 1st, 2010, 06:26 PM
I'm using JPAN's hacked engine, and I was wondering how I could turn his random water battle, to use the tree data? Here is the code he made:

.align 2
.thumb


/*Special 0x98 will start a random water battle, such as those in the sea.
Sister to the previous function, will start a water battle anywhere there is
a water pokemon data.*/

Special_98: push {r4-r7, lr}
mov r7, r8
push {r7}
sub SP, SP, #0x8
ldr r0, water_data
lsl r4, r0, #0x18
lsr r4, r4, #0x18
ldr r1, wild_generator2
bx r1
.hword 0x0000
water_data: .word 0x22000410 /*the lake tile data*/
wild_generator2: .word 0x0806cbe5

diegoisawesome
July 1st, 2010, 06:31 PM
I'm using JPAN's hacked engine, and I was wondering how I could turn his random water battle, to use the tree data? Here is the code he made:

.align 2
.thumb


/*Special 0x98 will start a random water battle, such as those in the sea.
Sister to the previous function, will start a water battle anywhere there is
a water pokemon data.*/

Special_98: push {r4-r7, lr}
mov r7, r8
push {r7}
sub SP, SP, #0x8
ldr r0, water_data
lsl r4, r0, #0x18
lsr r4, r4, #0x18
ldr r1, wild_generator2
bx r1
.hword 0x0000
water_data: .word 0x22000410 /*the lake tile data*/
wild_generator2: .word 0x0806cbe5

Actually, you don't need to do that. there's already a built-in special for that, although I don't know what it is.
If you find it, please tell me, and I'll try to get it into my scripting tutorial.

Shiny Quagsire
July 1st, 2010, 06:41 PM
I believe it's special AB, which is unknown in XSE's guide. Here'd the code for rock smash:

'---------------
#org 0x1BE00C
special 0x187
compare LASTRESULT 0x2
if 0x1 goto 0x81A7AE0
lockall
checkflag 0x825
if 0x0 goto 0x81BE091
checkattack 0xF9
compare LASTRESULT 0x6
if 0x1 goto 0x81BE091
setanimation 0x0 LASTRESULT
bufferpartypokemon 0x0 LASTRESULT
bufferattack 0x1 0xF9
msgbox 0x81BE09D MSG_YESNO '"This rock appears to be breakable...."
compare LASTRESULT 0x0
if 0x1 goto 0x81BE09A
msgbox 0x81BDFD7 MSG_KEEPOPEN '"[buffer1] used [buffer2]!"
closeonkeypress
doanimation 0x25
waitstate
goto 0x81BE06F

'---------------
#org 0x1A7AE0
release
end

'---------------
#org 0x1BE091
msgbox 0x81BE0E2 MSG_SIGN '"It's a rugged rock, but a POKéMON\..."
end

'---------------
#org 0x1BE09A
closeonkeypress
releaseall
end

'---------------
#org 0x1BE06F
applymovement LASTTALKED 0x81BE08F
waitmovement 0x0
hidesprite LASTTALKED
[S-HIGHLIGHT]special 0xAB[/S-HIGHLIGHT]
compare LASTRESULT 0x0
if 0x1 goto 0x81BE08D
waitstate
releaseall
end

'---------------
#org 0x1BE08D
releaseall
end


'---------
' Strings
'---------
#org 0x1BE09D
= This rock appears to be breakable.\nWould you like to use ROCK SMASH?

#org 0x1BDFD7
= [buffer1] used [buffer2]!

#org 0x1BE0E2
= It's a rugged rock, but a POKéMON\nmay be able to smash it.


'-----------
' Movements
'-----------
#org 0x1BE08F
#raw 0x68 'mov68
#raw 0xFE 'End of Movements

diegoisawesome
July 1st, 2010, 06:50 PM
I believe it's special AB, which is unknown in XSE's guide. Here'd the code for rock smash:

'---------------
#org 0x1BE00C
special 0x187
compare LASTRESULT 0x2
if 0x1 goto 0x81A7AE0
lockall
checkflag 0x825
if 0x0 goto 0x81BE091
checkattack 0xF9
compare LASTRESULT 0x6
if 0x1 goto 0x81BE091
setanimation 0x0 LASTRESULT
bufferpartypokemon 0x0 LASTRESULT
bufferattack 0x1 0xF9
msgbox 0x81BE09D MSG_YESNO '"This rock appears to be breakable...."
compare LASTRESULT 0x0
if 0x1 goto 0x81BE09A
msgbox 0x81BDFD7 MSG_KEEPOPEN '"[buffer1] used [buffer2]!"
closeonkeypress
doanimation 0x25
waitstate
goto 0x81BE06F

'---------------
#org 0x1A7AE0
release
end

'---------------
#org 0x1BE091
msgbox 0x81BE0E2 MSG_SIGN '"It's a rugged rock, but a POKéMON\..."
end

'---------------
#org 0x1BE09A
closeonkeypress
releaseall
end

'---------------
#org 0x1BE06F
applymovement LASTTALKED 0x81BE08F
waitmovement 0x0
hidesprite LASTTALKED
[S-HIGHLIGHT]special 0xAB[/S-HIGHLIGHT]
compare LASTRESULT 0x0
if 0x1 goto 0x81BE08D
waitstate
releaseall
end

'---------------
#org 0x1BE08D
releaseall
end


'---------
' Strings
'---------
#org 0x1BE09D
= This rock appears to be breakable.\nWould you like to use ROCK SMASH?

#org 0x1BDFD7
= [buffer1] used [buffer2]!

#org 0x1BE0E2
= It's a rugged rock, but a POKéMON\nmay be able to smash it.


'-----------
' Movements
'-----------
#org 0x1BE08F
#raw 0x68 'mov68
#raw 0xFE 'End of Movements

I think that's it! Try it out in a script and see what you get.

Shiny Quagsire
July 1st, 2010, 07:00 PM
Yeah, I tried it and it worked :)

diegoisawesome
July 1st, 2010, 07:04 PM
Yeah, I tried it and it worked :)
Awesome! I'll add it in as soon as I update the old tutorial. It might take a while, though.

Chaos Rush
July 16th, 2010, 06:35 PM
I found out how to edit the Battle Tower opponent Pokemon in Pokemon Ruby. The data is located at 0x4038E0.

I posted a whole thread about it, but just in case it doesn't get approved, I wanted to mention the offset anyway, because hopefully some hacker more advanced than me can find out where the pointer is.

I don't want to explain in detail the data, but at 0x4038E0, change 19 into 18, and congratulations, most Pikachu will now turn into Arboks in the Battle Tower.

knizz
July 26th, 2010, 09:58 AM
I found this in the US-FR-Rom:
081e3b14 b580 push {r7,lr}
081e3b16 b084 add sp, -#0x10
081e3b18 466f mov r7, sp
081e3b1a 6038 str r0, [r7, #0x0]
081e3b1c 6079 str r1, [r7, #0x4]
081e3b1e 60ba str r2, [r7, #0x8]
081e3b20 60fb str r3, [r7, #0xc]
081e3b22 68f8 ldr r0, [r7, #0xc]
081e3b24 2800 cmp r0, #0x0
081e3b26 d00b beq $081e3b40
081e3b28 4804 ldr r0, [$081e3b3c] (=$086fc08c)
081e3b2a 687a ldr r2, [r7, #0x4]
081e3b2c 68bb ldr r3, [r7, #0x8]
081e3b2e 6839 ldr r1, [r7, #0x0]
081e3b30 f7ff bl $081e39d8
081e3b34 f7ff bl $081e3b04
081e3b38 efff [ ??? ]
081e3b3a e007 b $081e3b4c
...
081e3b4c b004 add sp, #0x10
081e3b4e bc80 pop {r7}
081e3b50 bc01 pop {r0}
081e3b52 4700 bx r0

What is this [ ??? ]-instruction doing there?

prime-dialga
July 26th, 2010, 12:38 PM
Some hwords have no opcode in Thumb.
If you try to decompile one of this hwords the output is [???].

Maybe it is a grafik or an ARM code.

knizz
July 26th, 2010, 05:12 PM
Some hwords have no opcode in Thumb.
If you try to decompile one of this hwords the output is [???].

Maybe it is a grafik or an ARM code.

That's what I thought at first too. But it all makes sense:

The function pushes registers in the first line
The function pops registers in the last line
The registers are popped to the positions they were pushed from except for lr/pc of course.
The stack-pointer is decreased and then used to the limit. (Why allocate more or less?)
The cmp-opcode is followed by a beq-opcode.
The functions called from this function are valid too.


It *has* to be THUMB-Code!

JPAN
August 16th, 2010, 06:02 PM
I found something that bugs a lot of people, the fact HM moves cannot be deleted, can be easily erased on Fire Red.
There are two main routines that check if an attack is an HM or not:
one for the battle routine at 0x80441B8;
one for the in-screen move learning at 0x08125A90.
Both routines check for HMs in different locations.
The first checks if the attack given is part of a non-deletion list at 0x0825e014, ended in FFFF, and searches through it until it reaches the ending value, or finding a valid attack. Here's the code:
ROM:080441B8 ; =============== S U B R O U T I N E =======================================
ROM:080441B8
ROM:080441B8
ROM:080441B8 Battle_HM_set ; CODE XREF: sub_80CE8DC+A80p
ROM:080441B8 PUSH {R4,LR}
ROM:080441BA LSLS R0, R0, #0x10
ROM:080441BC LSRS R3, R0, #0x10 ;given attack stored
ROM:080441BE LDR R2, =unk_825E014 ;list location
ROM:080441C0 LDRH R0, [R2]
ROM:080441C2 LDR R1, =0xFFFF
ROM:080441C4 CMP R0, R1
ROM:080441C6 BEQ loc_80441EA ;is end of list
ROM:080441C8 MOVS R4, R1
ROM:080441CA ADDS R1, R2, #0
ROM:080441CC
ROM:080441CC loc_80441CC ; CODE XREF: Battle_HM_set+30j
ROM:080441CC LDRH R0, [R2]
ROM:080441CE ADDS R1, #2
ROM:080441D0 ADDS R2, #2
ROM:080441D2 CMP R0, R3
ROM:080441D4 BNE loc_80441E4
ROM:080441D6 MOVS R0, #1 ;is same attack, undeletable
ROM:080441D8 B loc_80441EC
ROM:080441D8 ; ---------------------------------------------------------------------------
ROM:080441DA DCB 0
ROM:080441DB DCB 0
ROM:080441DC off_80441DC DCD unk_825E014 ; DATA XREF: Battle_HM_set+6r
ROM:080441E0 dword_80441E0 DCD 0xFFFF ; DATA XREF: Battle_HM_set+Ar
ROM:080441E4 ; ---------------------------------------------------------------------------
ROM:080441E4
ROM:080441E4 loc_80441E4 ; CODE XREF: Battle_HM_set+1Cj
ROM:080441E4 LDRH R0, [R1]
ROM:080441E6 CMP R0, R4
ROM:080441E8 BNE loc_80441CC ;new end_of_list check
ROM:080441EA
ROM:080441EA loc_80441EA ; CODE XREF: Battle_HM_set+Ej
ROM:080441EA MOVS R0, #0 ;ended list, attack deletable
ROM:080441EC
ROM:080441EC loc_80441EC ; CODE XREF: Battle_HM_set+20j
ROM:080441EC POP {R4}
ROM:080441EE POP {R1}
ROM:080441F0 BX R1

The other searches for them at 0x0845A80C, the TM attack list. It does so by looking over the TMs at position 50+
ROM:08125A90 ; =============== S U B R O U T I N E =======================================
ROM:08125A90
ROM:08125A90
ROM:08125A90 Check_for_HM ; CODE XREF: ROM:0813939Ep
ROM:08125A90 PUSH {LR}
ROM:08125A92 LSLS R0, R0, #0x10
ROM:08125A94 LSRS R2, R0, #0x10
ROM:08125A96 MOVS R1, #0
ROM:08125A98 LDR R3, =TM_List ;Location for all TM Attacks
ROM:08125A9A
ROM:08125A9A loc_8125A9A ; CODE XREF: Check_for_HM+28j
ROM:08125A9A MOVS R0, R1
ROM:08125A9C ADDS R0, #0x32
ROM:08125A9E LSLS R0, R0, #1
ROM:08125AA0 ADDS R0, R0, R3
ROM:08125AA2 LDRH R0, [R0] ;loads HM required by R1
ROM:08125AA4 CMP R0, R2
ROM:08125AA6 BNE loc_8125AB0
ROM:08125AA8 MOVS R0, #1 ;if equal, undeletable, return 1
ROM:08125AAA B loc_8125ABC
ROM:08125AAA ; ---------------------------------------------------------------------------
ROM:08125AAC off_8125AAC DCD TM_List ; DATA XREF: Check_for_HM+8r
ROM:08125AB0 ; ---------------------------------------------------------------------------
ROM:08125AB0
ROM:08125AB0 loc_8125AB0 ; CODE XREF: Check_for_HM+16j
ROM:08125AB0 ADDS R0, R1, #1
ROM:08125AB2 LSLS R0, R0, #0x18
ROM:08125AB4 LSRS R1, R0, #0x18
ROM:08125AB6 CMP R1, #6 ;maximum TM checking
ROM:08125AB8 BLS loc_8125A9A
ROM:08125ABA MOVS R0, #0 ;not any TM, deletable
ROM:08125ABC
ROM:08125ABC loc_8125ABC ; CODE XREF: Check_for_HM+1Aj
ROM:08125ABC POP {R1}
ROM:08125ABE BX R1


So, how to "fix" it? Well, change 080441D6 to 00 and 08125AA8 to 00 to make no attack undeletable.
If, on the other hand, you have a wish to prevent the player from deleting random attacks, simply repoint the list to a location where your attacks fit (plus the 0xffff part), and change the following addresses:
0x08125A9C to 00 (one byte only)
0x08125AAC to your list pointer reversed
0x08125AB6 to the number of attacks you placed -2 (to a max of 101 undeletable attacks)

If, for some reason, you wish to make all attacks undeletable, change
080441EA to 00
08125ABA to 00

Hope this helps those hacks who want to get rid of HMs.

Saxisai
August 18th, 2010, 08:32 AM
I don't know if this belongs here but I didn't know where else to post it.

Has anyone thought of a way to hack the pal park in the generation iv games?

diegoisawesome
August 20th, 2010, 02:16 PM
Here's one thing that troubles everyone: badge hacking.
I'm talking about hacking what levels of obedience, what HM is usable, and things like that.
I'm sure that SOMEONE has done it and, hopefully, they can share it, here, with us.

colcolstyles
August 20th, 2010, 02:24 PM
Here's one thing that troubles everyone: badge hacking.
I'm talking about hacking what levels of obedience, what HM is usable, and things like that.
I'm sure that SOMEONE has done it and, hopefully, they can share it, here, with us.

I would guess that the code is spread throughout the ROM. For example, in this post (http://www.pokecommunity.com/showthread.php?p=6047471#post6047471), JPAN revealed that he found the routine which, during a battle, checks the player's acquired badges. However, the routine which checks what badges the player has in order to prevent the player from using Surf too early, for example, is probably located elsewhere. I don't know if the badge flags are at a fixed address in the RAM or not but if they are, you should put a break-on-read on those addresses and then disassemble the routines around wherever the game breaks.

diegoisawesome
August 20th, 2010, 02:28 PM
I would guess that the code is spread throughout the ROM. For example, in this post (http://www.pokecommunity.com/showthread.php?p=6047471#post6047471), JPAN revealed that he found the routine which, during a battle, checks the player's acquired badges. However, the routine which checks what badges the player has in order to prevent the player from using Surf too early, for example, is probably located elsewhere. I don't know if the badge flags are at a fixed address in the RAM or not but if they are, you should put a break-on-read on those addresses and then disassemble the routines around wherever the game breaks.
The flag locations are probably DMA-protected, as with the variables...
Any other ideas?

colcolstyles
August 20th, 2010, 02:32 PM
The flag locations are probably DMA-protected, as with the variables...
Any other ideas?

You could disassemble the routine that is executed when a 'checkflag' command is encountered in a script in order to try to find where the flags are located. I've never worked with flags on the ASM-level before so I'm afraid I can't be of much help.

diegoisawesome
August 20th, 2010, 03:05 PM
Hm... Turns out, the checkflag routine (the actual one that does the calculations) is run a lot of times in the OW (I know, duh, the people event flags) so I got the flag location (or at least, the memory pointer to it). In Emerald, it's at the address pointed at by 0x03005D8C plus 0x1270.
Now, I have to find the bit that designates the badge flags..
EDIT: 0x0809C7EC in Emerald contains the surf-check-routine... at least for the tile. I'm not sure about the PKMN menu one.
EDIT2: 0x081B54E8 (again, in Emerald) contains the badge-check-routine for the menu. I'm trying to find out where the numbers to add to the first badge are obtained from...
EDIT3: Well, apparently they're loaded from 0x02000020, but I can't find how it gets the value...
Anybody, feel free to help me out with this. :/
EDIT4: Well, I hacked the routine and made it load different flag numbers for each of the old badge+base number. And it works! :D
To get all of the flags to work out on the field, however, you'll need to edit all of the scripts for, say, Rock Smash, Strength, and Cut so that they have the new flags. And then you'll need to hack the surf routine, like I said above.
Also, with the Set Disobedience findings, all we need to control the badges completely is to find out where the Attack/Defense... stats are increased.Even though that doesn't matter much, it would still be cool to be able to control the badges completely.

JPAN
August 24th, 2010, 08:32 PM
I found something disturbing. There are no variables above the first 0x4000 set. Variables nearing the 0x5000 set start by overwriting the pokemon data at the Breeding center, and variables from 0x5ef4 to 0x7fff are inside Box space, meaning that there is nearly no variables usable in-game.
The reason we can use those variable spaces is because the game has no variable check for values other than 0x4000 and 0x8000. So, up until now, all variables we use in the upper scale are permanently damaging the game file.
Also, trainer flags correspond to the normal flags 0x500 to 0x700.

Chaos Rush
August 24th, 2010, 08:56 PM
I found something disturbing. There are no variables above the first 0x4000 set. Variables nearing the 0x5000 set start by overwriting the pokemon data at the Breeding center, and variables from 0x5ef4 to 0x7fff are inside Box space, meaning that there is nearly no variables usable in-game.
The reason we can use those variable spaces is because the game has no variable check for values other than 0x4000 and 0x8000. So, up until now, all variables we use in the upper scale are permanently damaging the game file.
Also, trainer flags correspond to the normal flags 0x500 to 0x700.
I really hope that's just FR/LG... because I'm generally using variables from 0x5000 to 0x7FFF in my hack.

JPAN
August 25th, 2010, 02:17 PM
I really hope that's just FR/LG... because I'm generally using variables from 0x5000 to 0x7FFF in my hack.
I've searched the other ROM versions for it, and I have bad news:
In Emerald, from 0x5536 forward affect the Boxes, and at Ruby, although not directly problematic, from 0x55a0 the variables aren't saved, and from 0x415c, you start overwriting names, sayings and Overworld data.
This fact has made me think, how can we get usable, permanent variables? So, I've studied the FlashRom write routines, and found something interesting, and since I was on a multi-ROM streak, I confirmed it for Ruby, Fire Red and Emerald.

The Pokemon games, as we know, use a 128K Flash ROM, that can be accessed by using the correct key at the 0x0e00xxxx addresses. A 128kB Flash has a total of 0x20000 possible addresses, so it uses a Bank system to allow access to the full memory. More details can be find at this useful document here (http://nocash.emubase.de/gbatek.htm#gbacartbackupflashrom).

The save File is always written in 4kB blocks (0x1000 addresses), so the pokemon Game considers a Block to be a set of 0x1000 bytes of information. Those blocks always have the same configuration:
0x0 - 0xf80 -> Data to store. (maximum spotted, can be less)
0xff4 -> Block number
0xff6 -> Checksum, calculated by adding all words in the copyed memory, then adding both Upper and lower halfword toguether.
0xff8 -> Seems like a pointer, but needs further investigation
0xffc -> a byte that seems to indicate how many saves since last load.

The Games seem to use a round-Robin list to change the location of the Save data at each save, most likely to avoid chip degradation and unfortunate hacking attempts. Emerald and Fire Red have two lists (ruby is not confirmed), that have this Saving pattern:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b
The game has a complex pattern of choosing the start. I'll leave you with examples:
07 08 09 0a 0b 0c 0d 00 01 02 03 04 05 06
16 17 18 19 1a 1b 0e 0f 10 11 12 13 14 15
09 0a 0b 0c 0d 00 01 02 03 04 05 06 07 08
18 19 1a 1b 0e 0f 10 11 12 13 14 15 16 17
0b 0c 0d 00 01 02 03 04 05 06 07 08 09 0a
1a 1b 0e 0f 10 11 12 13 14 15 16 17 18 19
The only data saved on these blocks are the data that in Fire Red and Emerald are located in the Dynamic pointers at 0x3005008, 0x300500c and 0x3005010.

The Fire Red Table is as follows

0x0 - Personal Data (at 0x300500c) Size: 0xf24
0x1 to 0x4 - Map Data (at 0x03005008) Size: 0xf80*3 + 0xee8 = 0x3d68
0x5 to 0xd - Box Data (at 0x03005010) Size: 0xf80*8 + 0x7d0 = 0x83d0

Both Ruby and Emerald have similar tables, although the sizes of the ending packets may vary between ROMs. Layout is always this one.

Now, why does this matter? Well, if you notice the lists presented, you can see that blocks 1c, 1d, 1e and 1f are not used, and that is true.
So, if anyone wants, we can use this area to save and load our own pieces of data, just like the game.
That can be used to increase the number of seen-caught pokemon, get some real empty Variables we can use, and even save our own data structures that we need to fit in pre-used variables to use.

As a complementary note, I will now post the location of the "Save block" Routine in the three mainly used US versions
Ruby -> 0x081DFE74
Fire Red -> 0x081DF070
Emerald -> 0x082E20AC

diegoisawesome
August 25th, 2010, 02:30 PM
I've searched the other ROM versions for it, and I have bad news:
In Emerald, from 0x5536 forward affect the Boxes, and at Ruby, although not directly problematic, from 0x55a0 the variables aren't saved, and from 0x415c, you start overwriting names, sayings and Overworld data.
This fact has made me think, how can we get usable, permanent variables? So, I've studied the FlashRom write routines, and found something interesting, and since I was on a multi-ROM streak, I confirmed it for Ruby, Fire Red and Emerald.

The Pokemon games, as we know, use a 128K Flash ROM, that can be accessed by using the correct key at the 0x0e00xxxx addresses. A 128kB Flash has a total of 0x20000 possible addresses, so it uses a Bank system to allow access to the full memory. More details can be find at this useful document here (http://nocash.emubase.de/gbatek.htm#gbacartbackupflashrom).

The save File is always written in 4kB blocks (0x1000 addresses), so the pokemon Game considers a Block to be a set of 0x1000 bytes of information. Those blocks always have the same configuration:
0x0 - 0xf80 -> Data to store. (maximum spotted, can be less)
0xff4 -> Block number
0xff6 -> Checksum, calculated by adding all words in the copyed memory, then adding both Upper and lower halfword toguether.
0xff8 -> Seems like a pointer, but needs further investigation
0xffc -> a byte that seems to indicate how many saves since last load.

The Games seem to use a round-Robin list to change the location of the Save data at each save, most likely to avoid chip degradation and unfortunate hacking attempts. Emerald and Fire Red have two lists (ruby is not confirmed), that have this Saving pattern:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b
The game has a complex pattern of choosing the start. I'll leave you with examples:
07 08 09 0a 0b 0c 0d 00 01 02 03 04 05 06
16 17 18 19 1a 1b 0e 0f 10 11 12 13 14 15
09 0a 0b 0c 0d 00 01 02 03 04 05 06 07 08
18 19 1a 1b 0e 0f 10 11 12 13 14 15 16 17
0b 0c 0d 00 01 02 03 04 05 06 07 08 09 0a
1a 1b 0e 0f 10 11 12 13 14 15 16 17 18 19The only data saved on these blocks are the data that in Fire Red and Emerald are located in the Dynamic pointers at 0x3005008, 0x300500c and 0x3005010.

The Fire Red Table is as follows

0x0 - Personal Data (at 0x300500c) Size: 0xf24
0x1 to 0x4 - Map Data (at 0x03005008) Size: 0xf80*3 + 0xee8 = 0x3d68
0x5 to 0xd - Box Data (at 0x03005010) Size: 0xf80*8 + 0x7d0 = 0x83d0
Both Ruby and Emerald have similar tables, although the sizes of the ending packets may vary between ROMs. Layout is always this one.

Now, why does this matter? Well, if you notice the lists presented, you can see that blocks 1c, 1d, 1e and 1f are not used, and that is true.
So, if anyone wants, we can use this area to save and load our own pieces of data, just like the game.
That can be used to increase the number of seen-caught pokemon, get some real empty Variables we can use, and even save our own data structures that we need to fit in pre-used variables to use.

As a complementary note, I will now post the location of the "Save block" Routine in the three mainly used US versions
Ruby -> 0x081DFE74
Fire Red -> 0x081DF070
Emerald -> 0x082E20AC
JPAN, in Emerald, what variables are safe, then? Anything under 0x5536, or are there other used places?

JPAN
August 25th, 2010, 02:37 PM
JPAN, in Emerald, what variables are safe, then? Anything under 0x5536, or are there other used places?
The main problem here is that it's impossible to truly know which are safe at this point. I would bet the ones originaly used by the game outside the ASM Routines(0x4050-0x40c0) should be safe, but the area saved is widely unknown. The Variables are stored between People data on the OW and the Breeding Daycare store. But that area is large, and filled with used data. As they are indirectly referenced in-game, it may take a long while to find all possibilities out.

diegoisawesome
August 25th, 2010, 02:41 PM
The main problem here is that it's impossible to truly know which are safe at this point. I would bet the ones originaly used by the game outside the ASM Routines(0x4050-0x40c0) should be safe, but the area saved is widely unknown. The Variables are stored between People data on the OW and the Breeding Daycare store. But that area is large, and filled with used data. As they are indirectly referenced in-game, it may take a long while to find all possibilities out.
Wow, this is really bad...
I wish I could help, but I can barely do anything in ASM.

Also, up to what point are the 0x5000 variables okay, would you say?

JPAN
August 25th, 2010, 03:12 PM
Wow, this is really bad...
I wish I could help, but I can barely do anything in ASM.

Also, up to what point are the 0x5000 variables okay, would you say?
I think what would be best right now is to choose variables in an area you are not going to use. For instance, if your hack doesn't use the breeding center, you can use 0x4e4a to 0x4ed6. The 0x5000 variable is located in a location that is unknown, so I can't say what it will break, if it breaks anything at all.

On a more positive sidenote, I managed to make the game save a location of my choice to the 1f bank, and it affected nothing adversly, so it should be possible to recreate the variables there, with some work.

diegoisawesome
August 25th, 2010, 03:18 PM
I think what would be best right now is to choose variables in an area you are not going to use. For instance, if your hack doesn't use the breeding center, you can use 0x4e4a to 0x4ed6. The 0x5000 variable is located in a location that is unknown, so I can't say what it will break, if it breaks anything at all.

On a more positive sidenote, I managed to make the game save a location of my choice to the 1f bank, and it affected nothing adversly, so it should be possible to recreate the variables there, with some work.
Amazing! Still, Game Freak needed to do better with the coding of the routine in the first place, even if they weren't planning on using those variables.

BTW, what would you suggest for a hack of Emerald that's used variables up to around, say, 0x5030? Would you recommend switching them all out (somehow), or will we see a fix in the near future?

JPAN
August 25th, 2010, 03:40 PM
Amazing! Still, Game Freak needed to do better with the coding of the routine in the first place, even if they weren't planning on using those variables.

BTW, what would you suggest for a hack of Emerald that's used variables up to around, say, 0x5030? Would you recommend switching them all out (somehow), or will we see a fix in the near future?
Luckily, all Save functions seem identical (with the exceptions of a few pointers), so saving should be easily solved. Repointing variables to solve the problem should also be simple. It's the loading that will take a while to crack, as I've yet to find that function. Also, the new variables will be limited to 0x800 (one block), and finding 0x1000 bytes in the RAM that are free in a joint space should also be problematic.

But, for now, keep using that 0x5030 variables. A fix shouldn't be far out.
By the way, if you can find an empty RAM location with the needed space(should be near the end), it would make things easier.

diegoisawesome
August 25th, 2010, 03:44 PM
Luckily, all Save functions seem identical (with the exceptions of a few pointers), so saving should be easily solved. Repointing variables to solve the problem should also be simple. It's the loading that will take a while to crack, as I've yet to find that function. Also, the new variables will be limited to 0x800 (one block), and finding 0x1000 bytes in the RAM that are free in a joint space should also be problematic.

But, for now, keep using that 0x5030 variables. A fix shouldn't be far out.
By the way, if you can find an empty RAM location with the needed space(should be near the end), it would make things easier.
How would you go about seeing if a RAM location is empty? Is there a special method, or do you just look and try to find a ton of 00s?
If the second one is right, try 0x02FF0000. Found it randomly.

Chaos Rush
August 25th, 2010, 03:47 PM
I've searched the other ROM versions for it, and I have bad news:
In Emerald, from 0x5536 forward affect the Boxes, and at Ruby, although not directly problematic, from 0x55a0 the variables aren't saved, and from 0x415c, you start overwriting names, sayings and Overworld data.
This fact has made me think, how can we get usable, permanent variables? So, I've studied the FlashRom write routines, and found something interesting, and since I was on a multi-ROM streak, I confirmed it for Ruby, Fire Red and Emerald.

So in an Emerald hack, is it okay to use any variable below 0x5536? And would a 100% safe way is to use 0x4050-0x40C0?

JPAN
August 25th, 2010, 03:57 PM
How would you go about seeing if a RAM location is empty? Is there a special method, or do you just look and try to find a ton of 00s?
If the second one is right, try 0x02FF0000. Found it randomly.
RAM only goes from 0x02000000 to 0x0203ffff. 0x0203f000 seems open in Emerald, but the only way to be sure is to search for the value 00 several times, with VBA, and try and see if the values closer to it change by doing different things (for example, fill a box with pokemon, and check if it touches there. Then try other things like teaching an attack, a wild battle, safari zone... If it remains 00 all that time, chances are it's safe).

So in an Emerald hack, is it okay to use any variable below 0x5536? And would a 100% safe way is to use 0x4050-0x40C0?
Like I said before, 0x5536 is the first box position. Lower than that it's the Map Data, that include several random events. The only variables you can use with certainty are the ones they used in-game. All others may either damage your save or be ok. So, use the any you want. Then, If when testing, you see it affected something (like battle frontier records, daycare center, "trendy phrase", Rival name), check if it's the variable. If so, try another.

JPAN
August 26th, 2010, 08:42 AM
Ok, I finished a preliminary version of a replacement for the unsafe Variables. Depending on if you want, or not, to replace the Variable system, there are two features you can get.
First, the new block saved at the end of the Flash ROM, that contains 4096 bytes of usable, saveable space. That block is located at 0x0203e000 (as it seems free on both Fire Red and Emerald), and can be accessed alone by the use of the byte manipulating commands (in the 0x10 range).
Second, the ability to use that new area as Variables. The current solution destroys the access to the old ones, So if you're not OK with it, I'm sure we can work something out (after all, we still have 0x9000-0xffff to work with).
Installing informations are inside the Zip below, as well as the source code.

Before you go and install that directly in your Hack, I only tested it slightly. The save-load function alone is harmless, but the Variable one needs further testing. So, if you could, please test it in a normal ROM and see if it doesn't break anything.

diegoisawesome
August 26th, 2010, 04:24 PM
Ok, I finished a preliminary version of a replacement for the unsafe Variables. Depending on if you want, or not, to replace the Variable system, there are two features you can get.
First, the new block saved at the end of the Flash ROM, that contains 4096 bytes of usable, saveable space. That block is located at 0x0203e000 (as it seems free on both Fire Red and Emerald), and can be accessed alone by the use of the byte manipulating commands (in the 0x10 range).
Second, the ability to use that new area as Variables. The current solution destroys the access to the old ones, So if you're not OK with it, I'm sure we can work something out (after all, we still have 0x9000-0xffff to work with).
Installing informations are inside the Zip below, as well as the source code.

Before you go and install that directly in your Hack, I only tested it slightly. The save-load function alone is harmless, but the Variable one needs further testing. So, if you could, please test it in a normal ROM and see if it doesn't break anything.
The hack (the one that makes the new variables work) broke my ROM. I couldn't start the game (once I pressed Continue, it crashed), I couldn't load my save states (take one step, it freezes) and other stuff.
My ROM is Emerald.

JPAN
August 26th, 2010, 07:20 PM
The hack (the one that makes the new variables work) broke my ROM. I couldn't start the game (once I pressed Continue, it crashed), I couldn't load my save states (take one step, it freezes) and other stuff.
My ROM is Emerald.
Sorry about that. It seems I forgot to include some steps in the Emerald aplication. The problem comes from the Emerald Var_decrypt function being too simple, and not pushing r4-r6. Fixed instructions are posted.

diegoisawesome
August 27th, 2010, 02:21 PM
Sorry about that. It seems I forgot to include some steps in the Emerald aplication. The problem comes from the Emerald Var_decrypt function being too simple, and not pushing r4-r6. Fixed instructions are posted.
There, it seems to be working fine now. :D
I was testing this out awhile, and so far, it seems to be working fine.
Of course, all of my variables (0x5000 and up) were set to 0x0, which told me it was repointed.
It works great! :D

diegoisawesome
September 1st, 2010, 02:05 PM
JPAN! I have a HUGE problem!!
It appears that the RAM address you specified (0x0203E000) is used by the D/N system!!
What would be a good RAM address to use instead? (This is using BPEE)
EDIT: Also, the RAM address I changed it to doesn't seem to get refreshed upon starting a new game, with a game already having been saved!

JPAN
September 1st, 2010, 04:15 PM
JPAN! I have a HUGE problem!!
It appears that the RAM address you specified (0x0203E000) is used by the D/N system!!
What would be a good RAM address to use instead? (This is using BPEE)
EDIT: Also, the RAM address I changed it to doesn't seem to get refreshed upon starting a new game, with a game already having been saved!
Well, 0x0203e000 is the start, but in Emerald, all up to 0x0203ffff seems free. So, just choose 0x1000 area or Ram from where the D/N lets up and use that.
Also, Emerald appears to load Flash-to-RAM only once, at the start of the first screen. Previously unused areas of the RAM shouldn't be deleted by themselves on New Game. So, use a script that only happens on the new game (set by one of the old 0x40xx variables, that the game clears for you) that clears the entire memory area for you.

diegoisawesome
September 1st, 2010, 04:22 PM
Well, 0x0203e000 is the start, but in Emerald, all up to 0x0203ffff seems free. So, just choose 0x1000 area or Ram from where the D/N lets up and use that.
Also, Emerald appears to load Flash-to-RAM only once, at the start of the first screen. Previously unused areas of the RAM shouldn't be deleted by themselves on New Game. So, use a script that only happens on the new game (set by one of the old 0x40xx variables, that the game clears for you) that clears the entire memory area for you.
Okay then. Thanks for the fast response.
But, my question is:
How would I go about writing a script (or an ASM routine, if necessary) that clears the RAM?
I remember seeing something about ldstia or something like that in some ASM routines, and heard it does something with an increasing value... Would that help?

JPAN
September 1st, 2010, 09:30 PM
You can use this routine to clear 0x1000 bytes. Just replace the last pointer for the one you will be using.
.align 2
.thumb
Fill_memory: push {r4-r7, lr}
mov r4, #0x10
lsl r4, r4, #0x8 /*value = 0x1000*/
ldr r5, start_addr
add r4, r5, r4
mov r0, #0x0
mov r1, #0x0
mov r2, #0x0
mov r3, #0x0
fill_loop: stmia r5!, {r0-r3}
cmp r4, r5
bgt fill_loop
pop {r4-r7,pc}
.hword 0x0000
start_addr: .word 0x0203f000 /*change as needed*/

or, in byte code, this:
f0 b5 10 24 240205 4d 2c 19 00 20 00 21 00 22
00 23 0f c5 ac 42 fc dc f0 bd 00 00 00 f0 03 02
The last bolded bytes are the pointer you wish to use. replace for your own. The bolded number above is the instruction needed to replace to make different sizes. For instance, if your replace 10 with 20, you will clear 0x2000 bytes. This code will always cover 0x100 bytes minimum (0x1).

Shiny Quagsire
September 2nd, 2010, 06:25 AM
Alright, this question is mostly directed to JPAN, but anyone can answer.
In your berry system, you said htis:


There is a limit of 256 different berry slots, each identified in the person id by the table number 0xfe.


What exactly does that mean? I've tried everything I could to understand, but the sentence is kinda smeared out in my mind. :\

JPAN
September 2nd, 2010, 08:44 AM
Alright, this question is mostly directed to JPAN, but anyone can answer.
In your berry system, you said htis:

There is a limit of 256 different berry slots, each identified in the person id by the table number 0xfe.


What exactly does that mean? I've tried everything I could to understand, but the sentence is kinda smeared out in my mind. :\
This means that each of the variables is linked to a specific OW number (person ID wasn't the best choice of words in this one, here it means the Sprite OW) And as OW sprite numbers are limited to a byte (0xfe, the table number, indicating that it is a berry tree), you only have 256 slots where you can have berries.

Shiny Quagsire
September 2nd, 2010, 05:39 PM
This means that each of the variables is linked to a specific OW number (person ID wasn't the best choice of words in this one, here it means the Sprite OW) And as OW sprite numbers are limited to a byte (0xfe, the table number, indicating that it is a berry tree), you only have 256 slots where you can have berries.

So to turn the overworld into a berry tree, I'd use your OW hack, set the table # to 0xFE. But where does the variable come in? I'm not quite sure what you mean by the OW number. (Sorry if I'm frustrating you, it's just harder to understand when there's just text :p)

Wait, do you mean set the sprite to the desired variable index?

diegoisawesome
September 4th, 2010, 11:57 AM
JPAN, what about the flags? Is there a way to fix the flags above 0x900 or something?

HackMew
September 5th, 2010, 01:45 AM
You can use this routine to clear 0x1000 bytes. Just replace the last pointer for the one you will be using.
.align 2
.thumb
Fill_memory: push {r4-r7, lr}
mov r4, #0x10
lsl r4, r4, #0x8 /*value = 0x1000*/
ldr r5, start_addr
add r4, r5, r4
mov r0, #0x0
mov r1, #0x0
mov r2, #0x0
mov r3, #0x0
fill_loop: stmia r5!, {r0-r3}
cmp r4, r5
bgt fill_loop
pop {r4-r7,pc}
.hword 0x0000
start_addr: .word 0x0203f000 /*change as needed*/


I really don't understand why would you push r6 and r7 when they're not even used, and not pushing r0-r3 instead, which might be needed depending from where the routine is called. Either way, there are better and faster ways to do that:

.text
.align 2
.thumb
.thumb_func
.global EraseMemory

main:
push {r0-r3, lr}
ldr r0, .START_ADDRESS
mov r1, #0x0
str r1, [r0]
add r1, r0, #0x0
ldr r2, .LENGTH
swi #0xC
pop {r0-r3, pc}

.align 2
.START_ADDRESS:
.word 0x0203F000
.LENGTH:
.word 0x01000400

In the code above, 0x01000400 stands for 0x400 words, and the 1 is for memory filling, rather then copying (the default behavior). Note that due to the way the SWI 0xC works, the word count (total amount of bytes / 4) must be a multiple of 8.

JPAN, what about the flags? Is there a way to fix the flags above 0x900 or something?

FYI, the address of the hypotetical flag 0x900 overlaps the one used by variable 0x4000. I guess I'll be able to tell you more when I implement the safe variables myself (sorry JPAN, but your code is just too messy).

EDIT: I did some research, and I think I found some safe areas to store the new variables in. For FR/LG, the whole area between 0x0203C000 - 0x0203EFFF appears to be totally unused. I somewhat confirmed it by putting a breakpoint on read/write on the whole area. I wasn't able to get the debugger to break yet. Also, here's a list I made, which clearly shows my theory:

02030000
02030001
02030003
02030014
0203001C
02030020
02030023
02030028
0203002F
02030032
02030040
02030050
0203005F
02030064
02030073
02030076
0203007E
0203009F
020300CD
020300DB
020300DF
020300F5
020300F9
02030101
02030103
02030104
02030120
02030201
02030202
0203022F
0203025F
02030400
02030401
02030405
0203043F
020304C0
020304FF
02030502
0203050A
02030614
0203081D
0203083E
02030908
02031022
02031036
020310B8
02031208
02031764
02031C8C
02031C90
02031C94
02031CCC
02031DA4
02031DA8
02031DAC
02031DB0
02031DB4
02031DBC
02031DC4
02031DCC
02031DD4
02031DD8
02031DDA
02031DDC
02031DE0
02031DE4
02031DE8
02031DEA
02031DEC
02031DFC
020320AF
020324C9
0203281E
0203303A
0203306F
020330BB
020330F8
020340FB
02034B41
02035046
020350E3
02036DFC
02036E18
02036E24
02036E28
02036E2C
02036E30
02036E34
02036E38
02037003
02037044
02037078
02037098
0203709A
0203709C
020370A0
020370A4
020370A8
020370AC
020370AE
020370B0
020370B2
020370B4
020370B6
020370B8
020370BA
020370BC
020370BE
020370C0
020370C2
020370C4
020370C6
020370C8
020370CA
020370CC
020370CE
020370D0
020370D2
020370D4
020370D6
020370D8
020370DA
020370DC
020370DE
020370E0
020370F0
020370F4
020370F5
020370F6
020370FF
02037100
02037101
02037104
02037108
020371F8
020371FA
02037218
02037238
02037258
02037278
02037398
020373F8
02037408
020375F8
020375FA
02037638
020376B0
020377F8
02037850
020379F8
02037AB8
02037AC8
02037ACC
02037ECC
02037ED0
02037ED4
02037ED8
02037EDC
02037EE0
02037EE1
02037EE2
02037EE3
02037EE4
02037EE8
02037EEC
02037EEE
02037EFE
02037F00
02037F02
02037F12
02037F14
02037F16
02037F17
02037F18
02037F1A
02037F1B
02037F1C
02037F24
02037F28
02037F30
02037F34
02038134
02038208
02038394
02038684
020386A4
020386A8
020386AC
020386AE
020386B0
020386B4
020386B8
020386BC
020386C0
020386C4
020386C8
020386CC
020386D0
020386DC
020386E0
02038700
02038702
02038704
02038980
02038E80
02038FC0
02039600
0203961C
02039620
02039624
02039638
0203963A
02039654
020397A4
020397A8
020397AC
020397B0
020397B4
020397B5
020397B6
020397B7
020397B8
020397BA
020397BC
02039820
02039821
02039822
02039823
02039824
02039825
02039826
02039828
0203982C
02039830
02039870
02039874
02039878
02039879
02039882
02039884
02039888
0203988C
020398A4
020398AC
020398B4
020398B8
020398BA
02039934
02039942
02039950
02039954
02039958
0203995C
02039960
02039964
02039968
0203996C
02039984
02039988
0203998C
02039990
02039994
02039996
02039998
0203999C
020399A4
020399B4
020399B8
020399BC
020399C0
020399C4
020399C8
020399CC
020399D0
020399D4
020399D8
020399DC
020399E0
020399E4
020399E8
020399EC
020399F0
020399FC
02039A00
02039A04
02039A0C
02039A0E
02039A10
02039A14
02039A18
02039A1A
02039A1B
02039A1C
02039A20
02039A24
02039A28
02039A2C
02039A30
02039A34
02039A38
0203A066
0203AA3C
0203AAB0
0203AAB4
0203AAB8
0203AABC
0203AAC0
0203AAC4
0203AAC6
0203AAD4
0203AB00
0203AB02
0203AB04
0203AB06
0203AB08
0203AB0A
0203AB0C
0203AB0E
0203AB10
0203AB12
0203AB14
0203AB16
0203AB18
0203AB1A
0203AB1C
0203AB1E
0203AB20
0203AB22
0203AB24
0203AB28
0203AB2C
0203AB30
0203AB34
0203AB38
0203AB3C
0203AB40
0203AB44
0203AB48
0203AB4C
0203AB50
0203AB54
0203AB58
0203AB5C
0203AB60
0203ABE0
0203ABE4
0203ABE8
0203ABEC
0203ABED
0203ABF0
0203AC08
0203ACE4
0203ACE8
0203ACEC
0203ACF0
0203ACF4
0203ACFC
0203AD02
0203AD04
0203AD0A
0203AD10
0203AD14
0203AD18
0203AD1C
0203AD20
0203AD24
0203AD28
0203AD2C
0203AD30
0203AD34
0203AD40
0203AD58
0203ADB8
0203ADBC
0203ADC0
0203ADC4
0203ADC8
0203ADCC
0203ADD0
0203ADD8
0203ADDC
0203ADE0
0203ADE4
0203ADF0
0203ADF2
0203ADF3
0203ADF4
0203ADF8
0203ADF9
0203ADFA
0203ADFC
0203ADFE
0203AE04
0203AE08
0203AE0C
0203AE8C
0203AE90
0203AE94
0203AE98
0203AF98
0203AF9A
0203B01A
0203B01C
0203B01E
0203B020
0203B024
0203B044
0203B048
0203B049
0203B04A
0203B04B
0203B04C
0203B058
0203B059
0203B05C
0203B064
0203B068
0203B06A
0203B06C
0203B084
0203B088
0203B08C
0203B090
0203B094
0203B098
0203B09C
0203B0A0
0203B0A9
0203B0AE
0203B0B4
0203B0B8
0203B0BC
0203B0C0
0203B0C1
0203B0C4
0203B0C8
0203B0CC
0203B0D0
0203B0D4
0203B0D8
0203B0DC
0203B0E0
0203B0E4
0203B0E8
0203B0EC
0203B0EE
0203B0F0
0203B0F4
0203B0F8
0203B0FC
0203B100
0203B104
0203B108
0203B10C
0203B116
0203B118
0203B11C
0203B120
0203B124
0203B128
0203B12C
0203B130
0203B140
0203B144
0203B148
0203B158
0203B15C
0203B160
0203B164
0203B168
0203B16C
0203B16D
0203B16E
0203B170
0203B174
0203F174
0203F175
0203F176
0203F177
0203F178
0203F18A
0203F190
0203F1AC
0203F34C
0203F36C
0203F370
0203F37A
0203F37C
0203F380
0203F384
0203F388
0203F38C
0203F39C
0203F3A0
0203F3A4
0203F3A8
0203F3AE
0203F3B0
0203F3B8
0203F3BC
0203F3C0
0203F3C4
0203F3C8
0203F3CC
0203F3D0
0203F3D4
0203F3D8
0203F3DC
0203F3E0
0203F3E4
0203F3F8
0203F400
0203F42C
0203F43C
0203F440
0203F444
0203F44A
0203F450
0203F454
0203F458
0203F45C
0203F464
0203F754
0203F758
0203F76C
0203F774
0203FB74
0203FB78
0203FB7C
0203FB80
0203FB84
0203FB88
0203FC00

As for Emerald, the whole 0x0203XXXX area is mostly used by the game already. So my suggestion is to try the 0x0202XXXX area, in particular anything between 0x02027000 - 0x02027FFF, or 0x0202A000 - 0x0202AFFF, or 0x0202D000 - 0x0202DFFF, or 0x0202F000 - 0x0202FFFF.

02020000
02020001
02020004
020200AC
020200C6
020200FF
02020100
02020101
02020102
02020103
02020180
02020184
02020188
0202018C
020201B0
02020201
02020202
02020203
0202022F
02020242
02020243
02020244
020202F0
02020400
02020401
0202043F
020204C0
020204FF
02020609
02020630
02020638
0202064C
0202065E
02020706
02020810
02020815
02020827
02020857
02020859
0202085C
020208A6
02020908
02020E00
02021774
020217F4
02021834
02021835
02021838
02021B38
02021B3A
02021B3C
02021BBC
02021BBE
02021BC0
02021CC0
02021CC4
02021DC4
02021EC4
02021FC4
02022212
020223AC
020223BC
020223BD
020223C0
020223C4
020223C8
020228C4
020229C4
020229C6
020229C8
020229CC
020229E8
020229F0
02022A0C
02022A74
02022B00
02022B08
02022B0C
02022B10
02022B14
02022B22
02022B2C
02022B44
02022C20
02022C2C
02022C2D
02022C30
02022C38
02022C3C
02022C3E
02022C40
02022C58
02022C60
02022C64
02022C68
02022C6C
02022C70
02022C74
02022C78
02022C7C
02022C80
02022C84
02022C88
02022C8C
02022C90
02022C94
02022C98
02022C9C
02022CB0
02022CB8
02022CE4
02022CF4
02022CF8
02022CFC
02022D00
02022D04
02022D06
02022D08
02022D09
02022D0A
02022D0C
02022D10
02022E10
02022E14
02022E16
02022E18
02022E1A
02022E1C
02022E1E
02022E20
02022E22
02022E24
02022E26
02022E28
02022E2A
02022E2C
02022F58
02022F5A
02022F5C
02022F68
02022F6A
02022F78
02022F88
02022FEC
02022FF0
02022FF4
02022FF8
02023058
0202305C
02023060
02023064
02023066
02023067
02023068
020235DB
020237AA
02023864
02023868
02024064
02024068
0202406C
0202406E
02024076
0202407A
0202407E
02024082
02024083
02024084
02024090
0202409C
020240A8
020240AC
020240B4
020240CC
020240D0
020240D4
020241E4
020241E8
020241E9
020241EA
020241EC
020241EE
020241F0
020241F1
020241F3
020241F4
020241F8
02024208
0202420A
0202420B
0202420C
0202420D
0202420E
0202420F
02024210
02024211
02024212
02024214
0202421C
02024220
02024230
02024240
02024248
02024250
02024258
02024260
02024268
02024270
02024274
0202427C
02024280
02024284
02024288
0202428C
0202428E
02024294
020242AC
020242BC
0202432C
0202432E
02024330
02024332
02024333
02024335
02024337
0202433A
0202433C
0202437C
020243CC
020243D0
020243FC
020243FE
02024400
02024402
02024404
0202440C
02024474
02024478
0202447C
02024482
02024483
02024484
02024487
02024488
0202448A
0202448B
0202448C
0202448D
0202448E
0202448F
02024492
0202449C
020244A0
020244A4
020244A8
020244AC
020244B0
020244B4
020244B8
020244B9
020244BC
020244CC
020244D0
020244D4
020244D8
020244DC
020244E0
020244E2
020244E4
020244E8
020244E9
020244EA
020244EC
02024550
020245B4
02024618
0202467C
020246E0
02024744
020247A8
0202480C
02024870
020248D4
02024938
0202499C
020249B4
020249BC
020249C0
020249C4
02024A28
02024A30
02024A38
02024A4C
02024A54
02024C08
02025301
02025A00
02025E62
02026B6C
02026C04
0202800D
02029808
0202BF21
0202CAAC
0202E82A

As for R/S, the whole are between 0x0203B000 - 0x0x0203DFFF should be safe.

02030000
02030001
02030004
02030009
02030012
02030014
0203001C
02030020
02030022
02030023
02030028
0203002F
02030032
02030034
02030040
02030043
02030044
02030050
0203005F
02030064
02030066
02030073
02030077
0203007E
020300A0
020300A4
020300AC
020300CC
020300DD
020300DF
020300F9
02030101
02030104
02030120
02030200
02030202
02030203
02030206
02030208
0203022F
0203025F
0203026F
020302B3
02030303
02030400
02030401
02030405
0203043F
020304C0
020304FF
02030502
0203050A
02030604
02030647
02030800
0203081D
0203083D
02030908
02030A27
02030DD2
02030DDD
0203100E
02031016
02031022
0203104A
02031068
0203106F
02031096
02032053
020320CE
0203281E
02032EAA
020330D2
020330D5
020330EE
0203323F
02033301
020340FB
02034B41
02035046
02035100
02037044
02037850
02038208
020383E4
02038470
02038473
02038474
02038478
0203847C
0203847D
0203847E
0203847F
02038480
020384E4
020384E5
020384E6
020384E7
020384E8
020384E9
020384EA
020384EC
020384F0
020384F4
020384F8
02038538
0203853C
02038540
02038544
02038550
02038554
02038558
02038559
0203855A
0203855B
0203855C
0203855E
02038560
02038561
02038562
02038563
02038564
02038568
0203856C
02038570
02038572
0203857D
0203858E
02038596
02038670
02038678
02038680
02038688
02038690
02038694
02038695
02038696
0203869A
0203869B
0203869C
0203869E
020386A0
020386A4
020386A8
020386AA
02038724
02038730
02038731
02038734
02038738
020387B0
020387B1
020387B2
020387B3
020387B4
020387D8
020387D9
020387DC
020387E0
020387E2
020387E4
020387E8
020387EC
020387F0
02038800
02038804
02038808
0203880A
0203880C
02038814
020388AC
020388B0
020388B4
020388B8
020388BC
020388C0
020388C4
020388CC
020388D0
020388D4
020388D5
020388D6
020388E6
020388F2
020388F3
020388F4
020388F5
020388F6
020388F7
02038900
02038984
02039184
020391A4
020391A6
020391A8
020391A9
020391AA
020391AC
020391B4
02039234
02039238
0203923C
02039244
02039248
0203924C
02039250
02039251
02039254
02039258
02039259
0203925A
0203925B
0203925C
02039260
02039262
02039264
02039266
02039268
0203926A
0203926C
02039270
02039274
02039278
02039279
0203927A
0203927B
0203927C
0203927D
02039284
02039288
020392FC
02039302
02039304
02039308
0203930C
02039310
02039312
02039314
02039318
0203931A
0203931C
02039320
02039322
02039324
02039325
02039328
0203932A
0203932C
0203932E
02039338
0203933C
0203933E
02039350
02039358
0203935A
0203935C
02039360
02039460
02039629
02039760
0203A360
0203A380
0203A3D0
0203A3D1
0203A3D2
0203A3D3
0203A3D4
0203A602
0203E006
0203E0ED
0203F07F

Although I made those lists as accurate as possible, please note that they're only approximative; testing is always a must. Especially if you're using R/S/E, because I didn't test them.

Wichu
September 6th, 2010, 02:08 AM
Not really that advanced compared to what you guys have been up to, but I was asked whether I knew where Steven's double battle team in Emerald was located. A bit of digging later, and I found it. It's not quite in the same format as normal trainers.

Metang: 0x5dd6d0
Skarmory: 0x5dd6e4
Aggron: 0x5dd6f8

Format:
Species (2 bytes)
IVs (1 byte)
Level (1 byte)
Nature? (1 byte) - unconfirmed; check this (Metang should be Lonely, Skarmory Impish, and Aggron Adamant)?
EVs? (6 bytes) - unconfirmed; check this?
Padding (1 byte)
Moves (8 bytes)

Unlike ordinary trainers (as far as I can remember), Steven's data appears to include nature and EVs. I bet this could be used to add opposing trainers with stronger Pokémon somehow.

Anyway, a question: this isn't really useful for ROM hacking, but it's related. Could somebody find the formula used to calculate the PIDs of eggs in Emerald if the mother is holding an Everstone? I know the formula without the Everstone already, but I'm stumped as to what happens when one is used.

colcolstyles
October 8th, 2010, 08:59 PM
If anyone's interested, here's a tiny little morsel of information that I found recently. At the address '0x3A72A0' in Fire Red, you will find two bytes: '0xCD' and '0xFF'. These two bytes are used whenever the player is given two or more of some item using the 'giveitem' construct. The '0xCD' corresponds to an uppercase 'S' while the '0xFF' is the terminator byte, signifying the end of the string. If you change the byte from '0xCD' to '0xE7', the 'S' will become a lowercase 's'. I figure this might come in handy for those de-capitalization patches because it's really annoying to see "Player received the Poké BallS!" every time the player receives more than one of an item.

slawter666
October 11th, 2010, 09:01 AM
Realistically, how much work would be needed to change the 64x64 pixel limit in the 3rd generation games to the 80x80 pixel limit used in the 4th generation games? Please don't tell me it's hard or a lot of work. I'm genuinely interested in what would have to be done to increase the limit as it would be extremely beneficial to lots of people, especially as it would allow much higher quality sprites to be used as well as being able to import the 4th and 5th generation pokémon without (too much) resizing.

diegoisawesome
October 11th, 2010, 03:51 PM
It appears that the offsets Hackmew posted a while back that were safe (for Emerald) are wrong..

Shiny Quagsire
October 11th, 2010, 05:48 PM
Realistically, how much work would be needed to change the 64x64 pixel limit in the 3rd generation games to the 80x80 pixel limit used in the 4th generation games? Please don't tell me it's hard or a lot of work. I'm genuinely interested in what would have to be done to increase the limit as it would be extremely beneficial to lots of people, especially as it would allow much higher quality sprites to be used as well as being able to import the 4th and 5th generation pokémon without (too much) resizing.

You would need to modify the games ASM code, which would be a pain and would be way too hard. And, the sprites would go outside the picture box in the status screen. In other words, it's really hard, and it's just not worth it.

Gamer2020
October 11th, 2010, 05:52 PM
It appears that the offsets Hackmew posted a while back that were safe (for Emerald) are wrong..
How's about putting a reason as to why you believe that?

HackMew
October 12th, 2010, 01:55 AM
It appears that the offsets Hackmew posted a while back that were safe (for Emerald) are wrong..

That's right, but like I said, I did not test them. What about 0x0203D800?

slawter666
October 12th, 2010, 07:59 AM
You would need to modify the games ASM code, which would be a pain and would be way too hard. And, the sprites would go outside the picture box in the status screen. In other words, it's really hard, and it's just not worth it.

Ok, I thought it would involve ASM and it wouldn't be a case of just changing a few values. I never even thought about the box in the status screen though. It's just irritating having to resize sprites and them losing their quality because of it.

Anyway, thanks for the swift reply.

The 100 Mega Shock
October 12th, 2010, 12:28 PM
The GBA hardware will only draw sprites up to 64 x 64 pixels.

Go any bigger and you'll have to work with tiles and tilemaps, which would be an absolute nightmare to both code in the first place and then implement for each Pokémon.

diegoisawesome
October 12th, 2010, 01:39 PM
That's right, but like I said, I did not test them. What about 0x0203D800?
That address appears to function properly, but only time will tell... hopefully.

HackMew
October 12th, 2010, 02:06 PM
Go any bigger and you'll have to work with tiles and tilemaps, which would be an absolute nightmare to both code in the first place and then implement for each Pokémon.

No doubt it would be painful, but... you would only need a single tilemap for all the Pokémon. However, even if you succeeded, there would still be problems in the Pokédex etc. because the sprites weren't supposed to be bigger than 64x64 pixels.

slawter666
October 14th, 2010, 12:11 PM
The GBA hardware will only draw sprites up to 64 x 64 pixels.

Go any bigger and you'll have to work with tiles and tilemaps, which would be an absolute nightmare to both code in the first place and then implement for each Pokémon.

No doubt it would be painful, but... you would only need a single tilemap for all the Pokémon. However, even if you succeeded, there would still be problems in the Pokédex etc. because the sprites weren't supposed to be bigger than 64x64 pixels.

Ah I see why it's hard then...Could the pokédex problem be fixed by a gfx hack to make the box where they're shown bigger or do you mean they wouldn't show up properly? I take it that it would it be the same for the trainer sprites?

I'll probably just leave it then and just resize any sprites I need to, but anyway, thank you all for the help, it's appreciated.

knizz
October 21st, 2010, 08:27 AM
In Pokemon Firered 825E074 contains the ping-pong animation for the arrows in the bag. Open in VBA Memory Viewer and play around. ;)

Team Fail
October 21st, 2010, 06:12 PM
In Pokemon Firered 825E074 contains the ping-pong animation for the arrows in the bag. Open in VBA Memory Viewer and play around. ;)

Pretty cute little find. ;) Both arrows run off the same script, I believe. I made it really twitchy. I also may try to make a custom animation for them when I have some time on my hands.

knizz
October 27th, 2010, 04:27 AM
Controlling other characters on a map: Just write their id to 0x02037078+5. As always this is for Firered.

sonic1
October 27th, 2010, 09:49 AM
If you want to always run without using button B, like in HG/SS, set 0x02037078 to 02. Warning: If you open 1 of the menu options, or have a battle or warp, the effect fades off and you have to set it again.
VERSION: FIRERED

Credits to you knizz, for the offset! Can you tell us what really that offset is?

Controlling other characters on a map: Just write their id to 0x02037078+5. As always this is for Firered.

Neat trick, i had this bug once in emerald and it only happened in a certain house opening the pokedex and always wondered how to do it.

But controlling other persons in A-Map has some limitations in-game like the camera not moving, and the limits the person can go,etc.

altariaking
October 27th, 2010, 09:57 AM
If you want to always run without using button B, like in HG/SS, set 0x02037078 to 02. Warning: If you open 1 of the menu options, or have a battle or warp, the effect fades off and you have to set it again.

Credits to you knizz, for the offset! Can you tell us what really that offset is?


Neat trick, i had this bug once in emerald and it only happened in a certain house opening the pokedex and always wondered how to do it.

But controlling other persons in A-Map has some limitations in-game like the camera not moving, and the limits the person can go,etc.

Interesting find 0_0
This is or FireRed? I'll try and find the offset for Ruby after I finish my English essay xD

sonic1
October 27th, 2010, 10:06 AM
Interesting find 0_0
This is or FireRed? I'll try and find the offset for Ruby after I finish my English essay xD

Sorry, i forgot to put the version. Yes, it is for firered, i work only with firered.

Also, do you know why that happens? Check what happens to that value when you put the bike.
Sidenote: Because it simulates the speed of a bike, its a bit faster than running.

knizz
October 27th, 2010, 10:19 AM
02037078 is a structure that controls the movement of, and only of, the player. However it can be associated to any NPC on screen.

The first two bits (0x03) of 02037078+0 determine the speed. 1 is normal. 2 is bike speed. 3 gives you a bike and changes itself to 2.

No matter what you write to 02037078+1 it is set to 0 again. If the value was 2 before the reset you get a bike. If you change the bike-byte the NPC turns into the hero.

02037078+2 and 02037078+3 behave like this:
0 0 Nothing pressed
0 0 Nothing pressed
1 1 Pressed forward
2 1 Pressed forward
2 1 Pressed forward
2 1 Pressed forward
0 0 Nothing pressed
2 1 Pressed forward
2 1 Pressed forward
0 0 Nothing pressed
0 0 Nothing pressed
1 1 Pressed forward
2 1 Pressed forward
2 1 Pressed forward

I don't know about 02037078+4.
02037078+5 sets the npc-id that is controlled by the keypad. (I wonder which numbers the npcs from connected maps have)
02037078+6 locks all movement when set to 1

More info about the NPCs is stored at 02036E38 in 16 0x24-byte long structures (Does that mean that there can't be more than 16 npcs in the overworld at the same time?!)
0x00 bits 7 and 6 are set when this npc is talking
0x01-0x0A unknown
0x0B height
0x0C-0x0F unknown
0x10 from (coords)
0x14 to (coords)
0x18 unknown
0x19 direction (in which the character actually looks)
0x1A unknown
0x1C direction (set when talked to but not always copied to 0x19)
0x1E unknown
0x20 direction (set after talk)
0x21-0x23 unknown

UPDATE: http://www.pokecommunity.com/showpost.php?p=6353380&postcount=2

coordinates are saved as two halfwords (x and y)

The code for moving uses a table to convert the direction to relative coordinates.
Table: 083A64C8
Function that uses the table above: 08063A20
Function that uses the function above to move npcs: 0805C4F4

Note that the table contains 9 and not 5 directions. Yes. Game Freak planned to have diagonally moving npcs.

colcolstyles
November 1st, 2010, 05:23 PM
In a Fire Red ROM, there is a table of data located at the address '0x452c4c'. Each entry in this table contains two pieces of information. One is a pointer and the other is a 32-bit number (I assume this is to keep the alignment consistent). The pointer points to another table and the number specifies the size of that table. In one of these secondary tables, there are a number of entries (the exact number is specified by the number mentioned earlier), each of which are also composed of a pointer and a 32-bit number. These pointers point instead to a list of pokémon and the number dictates the length of that list.

After a bit of research, I determined that the first table of pointers controls the classification of pokémon habitats (e.g., Grassland, Mountain, Rough-Terrain, etc.) as displayed in the PokéDex. The secondary tables specify which pokémon are in each Habitat and which pokémon appear on each "page" of the PokéDex (see the screenshots if you don't know what I mean). Let's look at an example. The first pointer at '0x452c4c' points to '0x4527d4' and is followed by the number '0x1b'. Thus, if you have a complete PokéDex, then there will be 27 ('0x1b' in decimal) pages of pokémon in the Grassland Habitat (the pointers are arranged in the order that they appear in-game, so Grassland comes first). The first pointer at '0x4527d4' points to '0x4524d0' and is followed by the number '0x4'. This means that the first four pokémon at that address are grouped onto one "PokéDex page". In this case, the numbers at that address (after reversing them) are '0x0013', '0x0014', '0x00a1', and '0x00a2', which correspond to Rattata, Raticate, Sentret, and Furret. So, if on the main PokéDex screen you select "Grassland Pokémon", you'll get a screen like this:
http://homepage.mac.com/loristyles/.Pictures/habitat_unedited.png

But if we edit that data, we could get something like this:
http://homepage.mac.com/loristyles/.Pictures/habitat_edited.png

So let's say you replaced Machop (a Mountain Habitat pokémon) with a fakemon that you want to go in the Urban Habitat. You should first subtract one from the number of Mountain pokémon (Mountain is the sixth Habitat so the number would be found at '0x452c78') and add one to the number of Urban pokémon (Urban is the eigth Habitat so the number would be found at '0x452c88'). Then you would have to remove the entry for Machop's evolutionary family's page in the Mountain Habitat table and add it somewhere in the table for Urban Habitat pokémon.

knizz
November 11th, 2010, 06:17 AM
I need infos on the 0x083E-0x083F area.

Darthatron
November 11th, 2010, 06:27 AM
I need infos on the 0x083E-0x083F area.

Want to be a little more specific what you're looking for? :\

knizz
November 11th, 2010, 07:18 AM
Want? Yes. Can? No.
Theres just a pile of structureless numbers and addresses.

diegoisawesome
November 11th, 2010, 02:39 PM
Want? Yes. Can? No.
Theres just a pile of structureless numbers and addresses.
Is 0x083e to 0x083f an address range? (Because that would only be one byte long...)
Or what is it? Where is it? How did you come to the conclusion that they're structureless?
We need this in order to even know what you're talking about...

liuyanghejerry
November 11th, 2010, 08:07 PM
Cheat code for bugfixing the save failed of Pokémon Mystery Dungeon: Explorers of Sky

Bugfix device includes:

no$gba //needs to restart the game after using
akrpg (thanks linoul for testing)
ak+ (thanks tingyigg for testing)

It's worth trying if meet this bug in other device

cheat code:

U version
2204AA98 00000007
2208380c 000000BF

E version
2204ADD0 00000007
22083BA4 000000BF

Give credits to enler, who allowed me to post here.
Any problems please contact [email protected]

knizz
November 12th, 2010, 11:51 AM
I meant 0x083e0000-0x083f0000

Team Fail
November 12th, 2010, 12:04 PM
Tell me what is wrong with these images. I will explain what I am doing if someone can guess it, and I will explain my research, as well as who I did this with as well (Manipulation, don't say anything! :P). For more info, visit http://www.megaupload.com/?d=ACNYQ1VR and patch onto a Pokemon Diamond (U) Rom.
http://img257.imageshack.us/img257/7659/pokemondiamondandpearlk.png
http://img440.imageshack.us/img440/8900/rivalglitch.png

diegoisawesome
November 12th, 2010, 04:43 PM
Tell me what is wrong with these images. I will explain what I am doing if someone can guess it, and I will explain my research, as well as who I did this with as well (Manipulation, don't say anything! :P). For more info, visit http://www.megaupload.com/?d=ACNYQ1VR and patch onto a Pokemon Diamond (U) Rom.
http://img257.imageshack.us/img257/7659/pokemondiamondandpearlk.png
http://img440.imageshack.us/img440/8900/rivalglitch.png
By the name of the UPS file, I'm guessing you're making Diamond more like its demo version, probably the one in GameStop or something?

colcolstyles
November 12th, 2010, 04:50 PM
For anyone who's interested, at '0x078c1c' there is a 32-bit number (the default value is '0x00000a8b') which dictates the number of frames for which the titlescreen is displayed before resetting. The GBA operates at roughly 60 frames per second and '0xa8b' divided by 60 is 45 so the unedited titlescreen is displayed for 45 seconds. You can change that number (remember to reverse it) to lengthen or shorten the amount of time it takes for the titlescreen to reset.

This is for Fire Red, by the way.

Team Fail
November 12th, 2010, 10:02 PM
By the name of the UPS file, I'm guessing you're making Diamond more like its demo version, probably the one in GameStop or something?

Yup. You got some of it. What is different about the screens that would compare to normal gameplay from a retail ROM? I'll give you a hint: I obtained a "hacked savestate" with help from my helper. Look at the images closely, they'll stand out blatantly.
For anyone who's interested, at '0x078c1c' there is a 32-bit number (the default value is '0x00000a8b') which dictates the number of frames for which the titlescreen is displayed before resetting. The GBA operates at roughly 60 frames per second and '0xa8b' divided by 60 is 45 so the unedited titlescreen is displayed for 45 seconds. You can change that number (remember to reverse it) to lengthen or shorten the amount of time it takes for the titlescreen to reset.

This is for Fire Red, by the way.

Is it possible to make this number become infinite?

knizz
November 13th, 2010, 12:44 AM
Is it possible to make this number become infinite?

In case 0xFFFFFFFF (=4294967295) frames are not enough for you you can remove the 05 DD (BLE) at 08078C04 and replace it with 05 E0 (B).

linkandzelda
November 17th, 2010, 03:27 AM
Hey guys, i've been wondering something regarding Emerald.

People have coded tools and stuff to use Emeralds "free space" which is that load of 00 bytes from around 0x9C2000 - 0xAFFFFF. Some people say they are not free space and shouldn't be touched. I also saw that it makes peoples music go funny with beeps?

Well i ran a small test. I was thinking: If the game uses those bytes then filling them out with FF would make it chock; so i did it. The game ran fine and i tested 50 different songs and sounds in-game without problems, they played fine.

So it begs the question: Can anyone confirm either the 00 bytes are free space and can be used or, that they cannot be used but with an explanation as to why.

Also, regarding A-MAP, i think it searches from 0x6B0000 which, is not free space but includes data with quite a few 00 bytes there. If i remember correctly, voicegroup data looks like that with a lot of 00 to it. I have a feeling thats the "music beeps" people talk of as AM decided to write small data to those "blank areas".

Thanks in advance,
Link

colcolstyles
November 17th, 2010, 04:42 PM
In Emerald, the script at '0x271354' appears to be executed whenever the player steps within the view radius of a trainer. And frankly, I don't have the time or the heart to do much more research than that. :(

Here's the script if anyone wants to see it:

'---------------
#org 0x271354
cmdd8
cmdd9
special 0x3B
special 0x3A
waitstate
goto 0x827143C

'---------------
#org 0x27143C
special 0x37
waitmsg
waitkeypress
special 0x20B
compare LASTRESULT 0x1
if 0x1 goto 0x8271356
goto 0x8271454

'---------------
#org 0x271356
special 0x3B
special 0x3A
waitstate
goto 0x827143C

'---------------
#org 0x271454
repeattrainerbattle
special2 LASTRESULT 0x36
compare LASTRESULT 0x0
if 0x1 goto 0x8271491
compare LASTRESULT 0x2
if 0x1 goto 0x8271491
compare LASTRESULT 0x1
if 0x1 goto 0x8271491
compare LASTRESULT 0x6
if 0x1 goto 0x8271491
compare LASTRESULT 0x8
if 0x1 goto 0x8271491
endtrainerbattle2
releaseall
end

'---------------
#org 0x271491
endtrainerbattle2
releaseall
end

knizz
December 21st, 2010, 07:19 AM
I think that the table at 0839FDB0 points to structures that describe the different npc-types.

Team Fail
December 21st, 2010, 11:54 AM
Ok. I have a little question that won't require the Simple Questions thread.

How are voicegroups stored? Do they use samples like DS games, by basing each sample on a MIDI instrument that is played at that point in the song? I'm curious as to so. I might try something if I can get that bit answered.

colcolstyles
December 21st, 2010, 11:30 PM
How are voicegroups stored? Do they use samples like DS games, by basing each sample on a MIDI instrument that is played at that point in the song? I'm curious as to so. I might try something if I can get that bit answered.

I'm not very knowledgeable when it comes to music hacking but perhaps this document (http://www.romhacking.net/docs/462/) can help you (it has some information on instruments, I know).

Datriot
December 22nd, 2010, 05:27 AM
Does anyone have the specification for Pokémon Black/White's Pokémon and species (name, base stats, type, etc.) data? I'm trying to find out where the data is stored (and how Pokémon and species are represented), so I can dump it into a file and read from it in the application I'm developing. I've managed to find this (http://projectpokemon.org/wiki/Pokemon_Black/White_NDS_Structure) for the B/W Pokémon format, but there's no information on block shuffling or encryption. I can't find anything for the fifth generation species data either.

Also, can anyone confirm that the move and item data structures are the same for R/S/E, D/P/P and B/W? I managed to find move and item specs for the third generation on Bulbapedia, but not D/P/P or B/W. I can't imagine items and moves would need new attributes for the fourth and fifth generation games (new enumerations can be made for the move's target and which bag the item is placed it), but that might not be the case. This isn't as important as the Pokémon and species data, but it'd still be nice.

Team Fail
December 22nd, 2010, 10:51 AM
Does anyone have the specification for Pokémon Black/White's Pokémon and species (name, base stats, type, etc.) data? I'm trying to find out where the data is stored (and how Pokémon and species are represented), so I can dump it into a file and read from it in the application I'm developing. I've managed to find this (http://projectpokemon.org/wiki/Pokemon_Black/White_NDS_Structure) for the B/W Pokémon format, but there's no information on block shuffling or encryption. I can't find anything for the fifth generation species data either.

Also, can anyone confirm that the move and item data structures are the same for R/S/E, D/P/P and B/W? I managed to find move and item specs for the third generation on Bulbapedia, but not D/P/P or B/W. I can't imagine items and moves would need new attributes for the fourth and fifth generation games (new enumerations can be made for the move's target and which bag the item is placed it), but that might not be the case. This isn't as important as the Pokémon and species data, but it'd still be nice.

I can tell you the item structure is the same because the same dummied items exist in B/W.

Anyways, that tutorial you pointed to me didn't have 100% wat I was looking for, but it did somewhat confirm something. THe game uses some kind of sample. But, I need to know
A. Where they are
B. What instrument they are assigned to
C. What format they can be extracted in.

Shiny Quagsire
January 1st, 2011, 11:12 AM
When editing some weather GFX, I came across a spot that contained, what I though could be an animation. After editing it in VBA's Memoryviewer, it turns out it used two snow images and looped the animation continuously. The animation is a bit different than some, but it appears to be in similar format.

The animation is located at 0x3C67B4.

knizz
January 2nd, 2011, 06:51 AM
This is the first script started in a firered-game: 081A6481

Fabi_ash
January 4th, 2011, 02:48 AM
In Emerald I found a routine which should be the one for naming your characther at 080e48a8.
Can someone check if I am right, please? I'm trying to undesrstand the meaning of this but I'm new to to ASM so it will take ages... :P

knizz
January 7th, 2011, 12:51 PM
I just found out that trainer flag 0xXY is regular flag 0x5XY.

diegoisawesome
January 10th, 2011, 04:04 PM
EDIT: I did some research, and I think I found some safe areas to store the new variables in. For FR/LG, the whole area between 0x0203C000 - 0x0203EFFF appears to be totally unused. I somewhat confirmed it by putting a breakpoint on read/write on the whole area. I wasn't able to get the debugger to break yet. Also, here's a list I made, which clearly shows my theory:
0x0203C000 is being used by the help menu: it floods to 00s on opening.

NintendoBoyDX
January 12th, 2011, 10:57 PM
Using firered bpre.
Are there ram addresses that store the map bank, map number, and current X and Y coordinates? If so does anyone know where they are?

Edit: May have found them
0x02036E4B holds the Y coordinate of the player (byte) [might be a half-word if a map is large enough 0x02036E4A-0x02036E4B]
0x02036E4D holds the X coordinate of the player (byte) [might be a half-word if a map is large enough 0x02036E4C-0x02036E4D]
0x0203F3A8 holds the current player map (byte)
0x0203F3A9 holds the current player map bank(byte)
0x0203F3AA holds the last map the player was at (byte)
0x0203F3AB holds the last map bank the player was at (byte)
0x0203F3AC holds the map the player was at 2 maps beforehand (byte)
0x0203F3AD holds the map bank the player wast at 2 maps beforehand (byte)

Can anyone confirm?

as a side note, I think
0x0203F4E0
0x0203F4E4

are both words(or maybe just half-words) that store the amount of steps taken since the player started the game(or maybe number of tiles covered, haven't tested with running, surfing, or biking).

Can anyone confirm?

Also, due to the fact that arm7 is little endian, I'm not exactly sure which byte is exactly where, but these are the spots they show up as in the memory viewer.

One more question, does anyone know where the whiteout and win-battle routines are?

knizz
January 13th, 2011, 06:31 AM
0x02036E4B holds the Y coordinate of the player
0x02036E4D holds the X coordinate of the player


As I said once in another thread there is an array of npc-data at 02036E38. Every npc uses 0x24 bytes. The first (n)pc is usually the player (but it can be changed with a variable I mentioned somewhere in this thread.)
0x02036E38 + 0x10 = 0x02036E48 X of the tile the NPC is leaving
0x02036E38 + 0x12 = 0x02036E4A Y of the tile the NPC is leaving
0x02036E38 + 0x14 = 0x02036E4C X of the tile the NPC is entering
0x02036E38 + 0x16 = 0x02036E4E Y of the tile the NPC is entering


0x0203F3A8 holds the current player map (byte)
0x0203F3A9 holds the current player map bank(byte)
0x0203F3AA holds the last map the player was at (byte)
0x0203F3AB holds the last map bank the player was at (byte)
0x0203F3AC holds the map the player was at 2 maps beforehand (byte)
0x0203F3AD holds the map bank the player wast at 2 maps beforehand (byte)


If it's true ... thank you a lot. Afaik the current map & bank is also stored at 02031DBC (mapnumbers_mem1) and 02031DB4 (mapnumbers_mem2).

One more question, does anyone know where the whiteout and win-battle routines are?

Yup. 08054BC8 for whiteout.

08054BC8 sub_08054BC8: @ CODE XREF: sub_080566A4+26p
08054BC8 PUSH {R4,LR}
08054BCA LDR R0, =unk_081A654B
08054BCC BL script_start2
08054BD0 LDR R0, =saveblock1
08054BD2 LDR R4, [R0]
08054BD4 MOVS R0, 0x290
08054BD8 ADDS R4, R4, R0
08054BDA BL sub_08054C04
08054BDE MOVS R1, R0
08054BE0 MOVS R0, R4
08054BE2 BL sub_0809FDD8
08054BE6 BL sp_00_heal_pokemon
08054BEA BL sub_08054DD8
08054BEE BL whiteout_mem1
08054BF2 BL load_warp_map
08054BF6 POP {R4}
08054BF8 POP {R0}
08054BFA BX R0
08054BFA @ End of function sub_08054BC8


080554BC whiteout_mem1: @ CODE XREF: sub_08054BC8+26p
080554BC PUSH {LR}
080554BE LDR R0, =mapnumbers_mem1
080554C0 BL whiteout (=080BFCD0)
080554C4 POP {R0}
080554C6 BX R0
080554C6 @ End of function whiteout_mem1

diegoisawesome
January 13th, 2011, 05:17 PM
0x291FC0 contains the script for egg hatching through walking in Emerald.
And yes, it IS a script.

NintendoBoyDX
January 13th, 2011, 11:09 PM
Knizz, do you know at what part of the whiteout routine are the two texts displayed, and where it cuts off the sound?
"[player] scurried to the pokemon center, shielding the pokemon from further harm..."
and
"first, let's heal your pokemon back to full health"

I've been looking for those for quite a bit with no luck.

knizz
January 14th, 2011, 08:06 AM
Can you give me the offsets of the texts?

NintendoBoyDX
January 14th, 2011, 06:27 PM
Here are the offsets:
"First, you should restore your POKéMON to full health." - 0x1A5E89

There are actually 2 for this one, one for home returns and one for returns to the pokemon center.

"[PLAYER] scurried to a POKéMON CENTER,
protecting the exhausted and fainted
POKéMON from further harm[...]" - 0x41B554

"[PLAYER] scurried back home, protecting
the exhausted and fainted POKéMON from
further harm[...]: - 0x41B5B6

I'd guess that the part where the music cut's off would be near the routine that uses these strings, but it's just a guess.

EDIT:

I think I found where it loads the text that is on the black screen
080566a4 b500 push {lr}
080566a6 b081 add sp, -#0x4
080566a8 4917 ldr r1, [$08056708] (=$030030f0)
080566aa 2087 mov r0, #0x87
080566ac 00c0 lsl r0, r0, #0x03
080566ae 1809 add r1, r1, r0
080566b0 7808 ldrb r0, [r1, #0x0]
080566b2 3001 add r0, #0x1
080566b4 7008 strb r0, [r1, #0x0]
080566b6 0600 lsl r0, r0, #0x18
080566b8 0e00 lsr r0, r0, #0x18
080566ba 2877 cmp r0, #0x77
080566bc d921 bls $08056702
080566be f000 bl $080569bc
080566c2 f01b bl $08071a94
080566c6 f7ff bl $08056420
080566ca f7fe bl $08054bc8
080566ca f7fe bl $08054bc8
080566ce 2002 mov r0, #0x2
080566d0 f7ff bl $080559f8
080566d4 f013 bl $08069a80
080566d8 f013 bl $0806994c
080566dc 490b ldr r1, [$0805670c] (=$03005020)
080566de 480c ldr r0, [$08056710] (=$0807f5f1)
080566e0 6008 str r0, [r1, #0x0]
080566e2 4669 mov r1, sp
080566e4 2000 mov r0, #0x0
080566e6 7008 strb r0, [r1, #0x0]
080566e8 4668 mov r0, sp
080566ea f000 bl $08056e5c
080566ee f0bb bl $08112364
080566ee f0bb bl $08112364
080566f2 f000 bl $08056a04
080566f6 4807 ldr r0, [$08056714] (=$08056535)
080566f8 f7ff bl $080565e0
080566fc 4806 ldr r0, [$08056718] (=$080565b5)
080566fe f7a9 bl $08000544
08056702 b001 add sp, #0x4
08056704 bc01 pop {r0}
08056706 4700 bx r0

Was right at the end of the whiteout routine, which I wasn't expecting. Still looking for the other parts.

knizz
January 15th, 2011, 04:46 AM
Here's what the code looks like from my perspecive:

080566A4 @ =============== S U B R O U T I N E =======================================
080566A4
080566A4
080566A4 c2_whiteout_maybe: @ DATA XREF: sub_0807FB40+2Ao
080566A4 @ sub_0807FB40:off_0807FB7Co ...
080566A4
080566A4 var_8 = -8
080566A4
080566A4 PUSH {LR}
080566A6 SUB SP, SP, #4
080566A8 LDR R1, =callback1
080566AA MOVS R0, 0x438
080566AE ADDS R1, R1, R0
080566B0 LDRB R0, [R1]
080566B2 ADDS R0, #1
080566B4 STRB R0, [R1]
080566B6 LSLS R0, R0, #0x18
080566B8 LSRS R0, R0, #0x18
080566BA CMP R0, #0x77
080566BC BLS loc_08056702
080566BE BL sub_080569BC
080566C2 BL sub_08071A94
080566C6 BL clear_flag_x800_2
080566CA BL sub_08054BC8
080566CE MOVS R0, #2
080566D0 BL sub_080559F8
080566D4 BL script_start_3
080566D8 BL script_pause
080566DC LDR R1, =unk_03005020
080566DE LDR R0, =(run_c3_whiteout+1)
080566E0 STR R0, [R1]
080566E2 MOV R1, SP
080566E4 MOVS R0, #0
080566E6 STRB R0, [R1,#8+var_8]
080566E8 MOV R0, SP
080566EA BL sub_08056E5C
080566EE BL sub_08112364
080566F2 BL sub_08056A04
080566F6 LDR R0, =(c1_overworld+1)
080566F8 BL set_callback1
080566FC LDR R0, =(c2_overworld+1) @ func
080566FE BL set_callback2
08056702
08056702 loc_08056702: @ CODE XREF: c2_whiteout_maybe+18j
08056702 ADD SP, SP, #4
08056704 POP {R0}
08056706 BX R0
08056706 @ End of function c2_whiteout_maybe
08056706
08056706 @ ---------------------------------------------------------------------------
run_c3_whiteout:
0807F5F0 @ =============== S U B R O U T I N E =======================================
0807F5F0
0807F5F0
0807F5F0 run_c3_whiteout: @ DATA XREF: c2_whiteout_maybe+3Ao
0807F5F0 @ ROM:off_08056710o
0807F5F0 PUSH {LR}
0807F5F2 BL script_play
0807F5F6 BL fill_unfaded_pal
0807F5FA LDR R0, =(c3_whiteout+1)
0807F5FC MOVS R1, #0xA
0807F5FE BL add_to_callback3_list
0807F602 LSLS R0, R0, #0x18
0807F604 LSRS R0, R0, #0x18
0807F606 LDR R2, =callback3
0807F608 LSLS R1, R0, #2
0807F60A ADDS R1, R1, R0
0807F60C LSLS R1, R1, #3
0807F60E ADDS R1, R1, R2
0807F610 MOVS R0, #0
0807F612 STRH R0, [R1,#c3entry.args.arg1]
0807F614 POP {R0}
0807F616 BX R0
0807F616 @ End of function run_c3_whiteout
0807F616
0807F616 @ ---------------------------------------------------------------------------
c3_whiteout:
0807F45C @ =============== S U B R O U T I N E =======================================
0807F45C
0807F45C
0807F45C c3_whiteout: @ DATA XREF: run_c3_whiteout+Ao
0807F45C @ ROM:off_0807F618o
0807F45C PUSH {R4-R7,LR}
0807F45E LSLS R0, R0, #0x18
0807F460 LSRS R6, R0, #0x18
0807F462 LDR R1, =callback3
0807F464 LSLS R0, R6, #2
0807F466 ADDS R0, R0, R6
0807F468 LSLS R0, R0, #3
0807F46A ADDS R0, R0, R1
0807F46C MOVS R2, #c3entry.args.arg1
0807F46E LDRSH R0, [R0,R2]
0807F470 MOVS R2, R1
0807F472 CMP R0, #6
0807F474 BLS loc_0807F478
0807F476 B loc_0807F5E4
0807F478 @ ---------------------------------------------------------------------------
0807F478
0807F478 loc_0807F478: @ CODE XREF: c3_whiteout+18j
0807F478 LSLS R0, R0, #2
0807F47A LDR R1, =off_0807F48C
0807F47C ADDS R0, R0, R1
0807F47E LDR R0, [R0]
0807F480 MOV PC, R0
0807F480 @ ---------------------------------------------------------------------------
0807F482 .byte 0
0807F483 .byte 0
0807F484 off_0807F484: .long callback3 @ DATA XREF: c3_whiteout+6r
0807F488 off_0807F488: .long off_0807F48C @ DATA XREF: c3_whiteout+1Er
0807F48C off_0807F48C: .long loc_0807F4A8,loc_0807F538,loc_0807F588@ 0
0807F48C @ DATA XREF: c3_whiteout+1Eo
0807F48C @ c3_whiteout:off_0807F488o
0807F48C .long loc_0807F5B6,loc_0807F540,loc_0807F588@ 3
0807F48C .long loc_0807F5D0 @ 6
0807F4A8 @ ---------------------------------------------------------------------------
0807F4A8
0807F4A8 loc_0807F4A8: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F4A8 LDR R0, =unk_083C68E4
0807F4AA BL textbox_mega_func
0807F4AE LSLS R0, R0, #0x18
0807F4B0 LSRS R5, R0, #0x18
0807F4B2 LDR R1, =callback3
0807F4B4 LSLS R4, R6, #2
0807F4B6 ADDS R0, R4, R6
0807F4B8 LSLS R0, R0, #3
0807F4BA ADDS R7, R0, R1
0807F4BC STRH R5, [R7,#0xA]
0807F4BE MOVS R0, #0xF0
0807F4C0 BL sub_080F77CC
0807F4C4 MOVS R0, R5
0807F4C6 MOVS R1, #0
0807F4C8 BL sub_0800445C
0807F4CC MOVS R0, R5
0807F4CE BL sub_08003FA0
0807F4D2 MOVS R0, R5
0807F4D4 MOVS R1, #3
0807F4D6 BL sub_08003F20
0807F4DA MOVS R0, #1
0807F4DC BL sub_080BFCB0
0807F4E0 MOVS R3, R0
0807F4E2 LDR R0, =saveblock1
0807F4E4 LDR R2, [R0]
0807F4E6 LDRH R0, [R2,#0x1C]
0807F4E8 LDRH R5, [R3]
0807F4EA CMP R0, R5
0807F4EC BNE loc_0807F524
0807F4EE MOVS R1, #0x1E
0807F4F0 LDRSB R1, [R2,R1]
0807F4F2 MOVS R0, #1
0807F4F4 NEGS R0, R0
0807F4F6 CMP R1, R0
0807F4F8 BNE loc_0807F524
0807F4FA MOVS R0, #0x20
0807F4FC LDRSH R1, [R2,R0]
0807F4FE MOVS R5, #2
0807F500 LDRSH R0, [R3,R5]
0807F502 CMP R1, R0
0807F504 BNE loc_0807F524
0807F506 MOVS R0, #0x22
0807F508 LDRSH R1, [R2,R0]
0807F50A MOVS R2, #4
0807F50C LDRSH R0, [R3,R2]
0807F50E CMP R1, R0
0807F510 BNE loc_0807F524
0807F512 MOVS R0, #4
0807F514 STRH R0, [R7,#c3entry.args.arg1]
0807F516 B loc_0807F5E4
0807F516 @ ---------------------------------------------------------------------------
0807F518 off_0807F518: .long unk_083C68E4 @ DATA XREF: c3_whiteout:loc_0807F4A8r
0807F51C off_0807F51C: .long callback3 @ DATA XREF: c3_whiteout+56r
0807F520 off_0807F520: .long saveblock1 @ DATA XREF: c3_whiteout+86r
0807F524 @ ---------------------------------------------------------------------------
0807F524
0807F524 loc_0807F524: @ CODE XREF: c3_whiteout+90j
0807F524 @ c3_whiteout+9Cj ...
0807F524 LDR R0, =callback3
0807F526 ADDS R1, R4, R6
0807F528 LSLS R1, R1, #3
0807F52A ADDS R1, R1, R0
0807F52C MOVS R0, #1
0807F52E STRH R0, [R1,#c3entry.args.arg1]
0807F530 B loc_0807F5E4
0807F530 @ ---------------------------------------------------------------------------
0807F532 .byte 0
0807F533 .byte 0
0807F534 off_0807F534: .long callback3 @ DATA XREF: c3_whiteout:loc_0807F524r
0807F538 @ ---------------------------------------------------------------------------
0807F538
0807F538 loc_0807F538: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F538 LDR R1, =a1ScurriedToAPokMonCenterProtec @ "?1 scurried to a POK\x1BMON CENTER, protec"...
0807F53A B loc_0807F542
0807F53A @ ---------------------------------------------------------------------------
0807F53C off_0807F53C: .long a1ScurriedToAPokMonCenterProtec
0807F53C @ DATA XREF: c3_whiteout:loc_0807F538r
0807F53C @ "?1 scurried to a POK\x1BMON CENTER, protec"...
0807F540 @ ---------------------------------------------------------------------------
0807F540
0807F540 loc_0807F540: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F540 LDR R1, =a1ScurriedBackHomeProtectingThe @ "?1 scurried back home, protecting the e"...
0807F542
0807F542 loc_0807F542: @ CODE XREF: c3_whiteout+DEj
0807F542 MOVS R0, R6
0807F544 MOVS R2, #2
0807F546 MOVS R3, #8
0807F548 BL sub_0807F3A4
0807F54C LSLS R0, R0, #0x18
0807F54E CMP R0, #0
0807F550 BEQ loc_0807F5E4
0807F552 LDR R0, =walkrun_state
0807F554 LDRB R1, [R0,#walkrun.npcid]
0807F556 LSLS R0, R1, #3
0807F558 ADDS R0, R0, R1
0807F55A LSLS R0, R0, #2
0807F55C LDR R1, =npc_states
0807F55E ADDS R0, R0, R1
0807F560 MOVS R1, #2
0807F562 BL sub_0805F218
0807F566 LDR R1, =callback3
0807F568 LSLS R0, R6, #2
0807F56A ADDS R0, R0, R6
0807F56C LSLS R0, R0, #3
0807F56E ADDS R0, R0, R1
0807F570 LDRH R1, [R0,#8]
0807F572 ADDS R1, #1
0807F574 STRH R1, [R0,#8]
0807F576 B loc_0807F5E4
0807F576 @ ---------------------------------------------------------------------------
0807F578 off_0807F578: .long a1ScurriedBackHomeProtectingThe
0807F578 @ DATA XREF: c3_whiteout:loc_0807F540r
0807F578 @ "?1 scurried back home, protecting the e"...
0807F57C off_0807F57C: .long walkrun_state @ DATA XREF: c3_whiteout+F6r
0807F580 off_0807F580: .long npc_states @ DATA XREF: c3_whiteout+100r
0807F584 off_0807F584: .long callback3 @ DATA XREF: c3_whiteout+10Ar
0807F588 @ ---------------------------------------------------------------------------
0807F588
0807F588 loc_0807F588: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F588 LSLS R4, R6, #2
0807F58A ADDS R4, R4, R6
0807F58C LSLS R4, R4, #3
0807F58E ADDS R4, R4, R2
0807F590 LDRB R5, [R4,#0xA]
0807F592 MOVS R0, R5
0807F594 BL sub_080040B8
0807F598 MOVS R0, R5
0807F59A MOVS R1, #1
0807F59C BL sub_08003F20
0807F5A0 MOVS R0, R5
0807F5A2 BL sub_08003E3C
0807F5A6 BL fill_unfaded_pal
0807F5AA BL sub_0807DC00
0807F5AE LDRH R0, [R4,#8]
0807F5B0 ADDS R0, #1
0807F5B2 STRH R0, [R4,#8]
0807F5B4 B loc_0807F5E4
0807F5B6 @ ---------------------------------------------------------------------------
0807F5B6
0807F5B6 loc_0807F5B6: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F5B6 BL sub_0807E418
0807F5BA CMP R0, #1
0807F5BC BNE loc_0807F5E4
0807F5BE MOVS R0, R6
0807F5C0 BL sub_08077508
0807F5C4 LDR R0, =scr_081A8D97
0807F5C6 BL script_start_1
0807F5CA B loc_0807F5E4
0807F5CA @ ---------------------------------------------------------------------------
0807F5CC off_0807F5CC: .long scr_081A8D97 @ DATA XREF: c3_whiteout+168r
0807F5D0 @ ---------------------------------------------------------------------------
0807F5D0
0807F5D0 loc_0807F5D0: @ DATA XREF: c3_whiteout:off_0807F48Co
0807F5D0 BL sub_0807E418
0807F5D4 CMP R0, #1
0807F5D6 BNE loc_0807F5E4
0807F5D8 MOVS R0, R6
0807F5DA BL sub_08077508
0807F5DE LDR R0, =scr_081A8DD8
0807F5E0 BL script_start_1
0807F5E4
0807F5E4 loc_0807F5E4: @ CODE XREF: c3_whiteout+1Aj
0807F5E4 @ c3_whiteout+BAj ...
0807F5E4 POP {R4-R7}
0807F5E6 POP {R0}
0807F5E8 BX R0
0807F5E8 @ End of function c3_whiteout
0807F5E8
0807F5E8 @ ---------------------------------------------------------------------------
scr_081A8D97:

081A8D97 scr_081A8D97: .byte lockall @ DATA XREF: c3_whiteout+168o
081A8D97 @ c3_whiteout:off_0807F5CCo
081A8D98 .byte change_text_color
081A8D99 .byte 1
081A8D9A .byte load_message
081A8D9B .byte 0
081A8D9C .long aFirstYouShouldRestoreYourPokMo @ "First, you should restore your POK\x1BMON "...
081A8DA0 .byte callstd
081A8DA1 .byte 4
081A8DA2 .byte call
081A8DA3 .long scr_081A65CE
081A8DA7 .byte checkflag
081A8DA8 .short 0x4B0
081A8DAA .byte if_call
081A8DAB .byte 0
081A8DAC .long scr_081A8DC6
081A8DB0 .byte checkflag
081A8DB1 .short 0x4B0
081A8DB3 .byte if_call
081A8DB4 .byte 1
081A8DB5 .long scr_081A8DCF
081A8DB9 .byte execute_movement
081A8DBA .short 0x800F
081A8DBC .long unk_081A666C
081A8DC0 .byte waitmove
081A8DC1 .short 0
081A8DC3 .byte fade_to_default
081A8DC4 .byte release
081A8DC5 .byte end
081A8DC6 scr_081A8DC6: .byte load_message @ DATA XREF: ROM:081A8DACo
081A8DC7 .byte 0
081A8DC8 .long aYourPokMonHaveBeenHealedToPerf @ "Your POK\x1BMON have been healed to perfec"...
081A8DCC .byte callstd
081A8DCD .byte 4
081A8DCE .byte return
081A8DCF scr_081A8DCF: .byte load_message @ DATA XREF: ROM:081A8DB5o
081A8DD0 .byte 0
081A8DD1 .long aYourPokMonHaveBeenHealedToPe_0 @ "Your POK\x1BMON have been healed to perfec"...
081A8DD5 .byte callstd
081A8DD6 .byte 4
081A8DD7 .byte return
...
081A65CE scr_081A65CE: .byte execute_movement @ DATA XREF: ROM:081A8DA3o
081A65CF .short 0x800F
081A65D1 .long unk_081A75E7
081A65D5 .byte waitmove
081A65D6 .short 0
081A65D8 .byte execute_HM
081A65D9 .short 0x19
081A65DB .byte checkarray_HM_animation
081A65DC .short 0x19
081A65DE .byte execute_movement
081A65DF .short 0x800F
081A65E1 .long unk_081A75ED
081A65E5 .byte waitmove
081A65E6 .short 0
081A65E8 .byte special_call
081A65E9 .short 0
081A65EB .byte return

scr_081A8DD8:
081A8DD8 scr_081A8DD8: .byte lockall @ DATA XREF: c3_whiteout+182o
081A8DD8 @ ROM:off_0807F5ECo
081A8DD9 .byte change_text_color
081A8DDA .byte 1
081A8DDB .byte execute_movement
081A8DDC .short 1
081A8DDE .long unk_081A75ED
081A8DE2 .byte waitmove
081A8DE3 .short 0
081A8DE5 .byte load_message
081A8DE6 .byte 0
081A8DE7 .long aMom1WelcomeHome__itSoundsLikeY @ "MOM: ?1! Welcome home._It sounds like y"...
081A8DEB .byte callstd
081A8DEC .byte 4
081A8DED .byte call
081A8DEE .long scr_081A6C26
081A8DF2 .byte load_message
081A8DF3 .byte 0
081A8DF4 .long aMomOhGoodYouAndYourPokMonAreLo @ "MOM: Oh, good! You and your POK\x1BMON are"...
081A8DF8 .byte callstd
081A8DF9 .byte 4
081A8DFA .byte fade_to_default
081A8DFB .byte release
081A8DFC .byte end
...
081A6C26 scr_081A6C26: .byte screen_special_effect @ DATA XREF: ROM:081A8DEEo
081A6C27 .byte 1
081A6C28 .byte play_fanfare
081A6C29 .short 0x100
081A6C2B .byte wait_fanfare
081A6C2C .byte special_call
081A6C2D .short 0
081A6C2F .byte screen_special_effect
081A6C30 .byte 0
081A6C31 .byte return

NintendoBoyDX
January 21st, 2011, 11:19 PM
Hm... Turns out, the checkflag routine (the actual one that does the calculations) is run a lot of times in the OW (I know, duh, the people event flags) so I got the flag location (or at least, the memory pointer to it). In Emerald, it's at the address pointed at by 0x03005D8C plus 0x1270.
Now, I have to find the bit that designates the badge flags..
EDIT: 0x0809C7EC in Emerald contains the surf-check-routine... at least for the tile. I'm not sure about the PKMN menu one.
EDIT2: 0x081B54E8 (again, in Emerald) contains the badge-check-routine for the menu. I'm trying to find out where the numbers to add to the first badge are obtained from...
EDIT3: Well, apparently they're loaded from 0x02000020, but I can't find how it gets the value...
Anybody, feel free to help me out with this. :/
EDIT4: Well, I hacked the routine and made it load different flag numbers for each of the old badge+base number. And it works! :D
To get all of the flags to work out on the field, however, you'll need to edit all of the scripts for, say, Rock Smash, Strength, and Cut so that they have the new flags. And then you'll need to hack the surf routine, like I said above.
Also, with the Set Disobedience findings, all we need to control the badges completely is to find out where the Attack/Defense... stats are increased.Even though that doesn't matter much, it would still be cool to be able to control the badges completely.
Do you or anyone else have the addresses for the seven HM routines and the badge check routine for the menu in FR? Been searching for a while and can't find them, if they are found I'd guess it'd be simple enough to make all HMs usable without giving the badges.

diegoisawesome
January 22nd, 2011, 06:22 AM
JPAN already did it xD
http://www.pokecommunity.com/showpost.php?p=6078341&postcount=24
I think what he means is something similar to the routine I found in Emerald; the one that checks for flags before allowing the move to be used from the menu. What you have posted, however, is NOT what he's looking for.

NintendoBoyDX
January 22nd, 2011, 01:00 PM
Exactly, I've been looking for the routine to checks the badge/HM flags in the menu, then allows you to use them if they are set. That way all that need be done is skip that check and allow use of HMs no matter if the flags are set or not. The problem is that because flags are DMA protected I can't simply set a break on read on their addresses. I've been looking for some sort of routine to calculate their locations, but I haven't been able to find anything.

EDIT: I've allowed menu use of all HMs without needing any badges(not quite sure exactly why it works), but haven't found a way to allow "quick" use by just pressing the A button to use surf or waterfall. Flash and fly don't need quick use, and I'm assuming that the scripts will take care of quick use for cut, rock smash, and strength.

EDIT 2: Found the surf check routine, and made a hack to allow "quick command" surfing even before the command is set, I just skip a check if the player has the correct flag set.

As a sidenote, each of these routines loads a flag like a variable, then calls 0x0806e6d0(passing r0 as an argument, for example, flag 720 would be 00000720), I believe this calculates addresses of flags then stores it's bit , but don't quote me on this.

EDIT 3: Did the same as in the 2nd edit for waterfall. It's now completely functional, allowing use of any HM before you receive any badge, and allowing "quick" use of waterfall and surf by pressing the A button at a waterfall or water respectively.

Shiny Quagsire
January 24th, 2011, 02:46 PM
Has anyone managed to hack what gym badges are linked to which HMs? It's always bugged me, and I still haven't been able to locate this.

diegoisawesome
January 24th, 2011, 03:47 PM
Has anyone managed to hack what gym badges are linked to which HMs? It's always bugged me, and I still haven't been able to locate this.
In Emerald? I have; search this thread for the info.

TheDarkShark
January 25th, 2011, 04:47 AM
Exactly, I've been looking for the routine to checks the badge/HM flags in the menu, then allows you to use them if they are set. That way all that need be done is skip that check and allow use of HMs no matter if the flags are set or not. The problem is that because flags are DMA protected I can't simply set a break on read on their addresses. I've been looking for some sort of routine to calculate their locations, but I haven't been able to find anything.

EDIT: I've allowed menu use of all HMs without needing any badges(not quite sure exactly why it works), but haven't found a way to allow "quick" use by just pressing the A button to use surf or waterfall. Flash and fly don't need quick use, and I'm assuming that the scripts will take care of quick use for cut, rock smash, and strength.

EDIT 2: Found the surf check routine, and made a hack to allow "quick command" surfing even before the command is set, I just skip a check if the player has the correct flag set.

As a sidenote, each of these routines loads a flag like a variable, then calls 0x0806e6d0(passing r0 as an argument, for example, flag 720 would be 00000720), I believe this calculates addresses of flags then stores it's bit , but don't quote me on this.

EDIT 3: Did the same as in the 2nd edit for waterfall. It's now completely functional, allowing use of any HM before you receive any badge, and allowing "quick" use of waterfall and surf by pressing the A button at a waterfall or water respectively.

How about sharing info what you changed to make this work?

Shiny Quagsire
January 25th, 2011, 07:30 AM
In Emerald? I have; search this thread for the info.

No, in Fire Red version. I'm not much of an emerald hacker. :\

Team Fail
January 25th, 2011, 11:12 PM
So, today, I've been exploring a Pokemon Diamond rom looking for something specific. I never did find it, but I've come across some rather interesting things.

1. overlay_0013.bin
NINTENDO-DS.€....................................................................Ý!.ÙÜ!.....À¨.°ÿÿÿ.À¨.ÈÀ¨. ........................................ˆø#.............WARP....char/jtNull.nsc.l...char/jb2HlAp.nsc.l..char/jb4HlIp.nsc.l..char/jb4HlWep.nsc.l.char/jb4HlUsb.nsc.l.char/jb4HlDns1.nsc.l....char/jb4HlSsid.nsc.l....char/jb5HlMove.nsc.l....char/jb2HlWiFi.nsc.l....char/jb5HlInfo.nsc.l....char/jb4HlMask.nsc.l....char/jb4HlSet2.nsc.l....char/jb4HlDns0.nsc.l....char/jb4HlSet3.nsc.l....char/jb4HlSet1.nsc.l....char/jb3HlList1.nsc.l...char/jb3HlList2.nsc.l...char/jb3HlList3.nsc.l...char/jb5HlErase.nsc.l...char/jb5HlOption.nsc.l..char/jb4HlGateway.nsc.l.àù#.Hù#.ˆú#. ú#.¸ú#.pú#.(ú#.Xú#.„ù#.°ù#.pù#.\ù#..ú#..û#.@ú#.˜ù#.èú#.øù#.Ðú#.Èù#.char/jbBgHl.ncg.l....ü#.¤û#.Ôû#.4ü#.˜ü#.üü#.................!@#$%^&*()_+QWERTYUIOP{}ASDFGHJKL:"~ZXCVBNM<>?|.1234567890-=QWERTYUIOP[]ASDFGHJKL;'`ZXCVBNM,./\.1234567890-=qwertyuiop[]asdfghjkl;'`zxcvbnm,./\.1.2.3.4.5.6.7.8.9.0.-.=.q.w.e.r.t.y.u.i.o.p.[.].a.s.d.f.g.h.j.k.l.;.'.`.z.x.c.v.b.n.m.,.../.\. .....!.@.#.$.%.^.&.*.(.)._.+.Q.W.E.R.T.Y.U.I.O.P.{.}.A.S.D.F.G.H.J.K.L.:.".~.Z.X.C.V.B.N.M.<.>.?.|. .....1.2.3.4.5.6.7.8.9.0.-.=.Q.W.E.R.T.Y.U.I.O.P.[.].A.S.D.F.G.H.J.K.L.;.'.`.Z.X.C.V.B.N.M.,.../.\. .....dwc:/move/child.srl.dwc:/move/banner.plt....dwc:/move/banner.char...`ý#.........Œý#.tý#.Y.......msg/spa.bmg.l...msg/jap.bmg.l...msg/ger.bmg.l...msg/fre.bmg.l...msg/eng.bmg.l...msg/ita.bmg.l...Ðý#..þ#.ðý#.àý#..þ#.Àý#.msg/usa.bmg.l...char/jtMain.nce.l...char/jbMain.nce.l...char/jtBgMain.ncg.l.char/jtBgMain.ncl.l.char/jtObjMain.ncg.l....char/xtObjMain.ncl.l....char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jbObjMain.ncg.l....char/ybObjMain.ncl.l....char/jtTop.nsc.l....char/jtStep1.nsc.l..char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jb2Menu.nsc.l..char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X...%.0.4.d.-.%.0.4.d.-.%.0.4.d.-.%.0.4.d...-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-...char/jb5Info.nsc.l..char/jbBgOption.ncg.l...char/jb5OptMenu.nsc.l...char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/jb5Move.nsc.l..char/yb5Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/jb4ApList.nsc.l....char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Edit.nsc.l..char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4EditAddr.nsc.l.. 0.%.d.....char/jb4Error.nsc.l.%.3.d...%.3.d...%.3.d...%.3.d...char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep2.ncg.l....char/jbBgStep21.ncg.l...char/jb3List.nsc.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4None.nsc.l..char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/ybObjMain.ncl.l....char/ybObjWay.ncl.l.char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jb2Ap.nsc.l....char/jbBgStep2.ncg.l....char/ybBgStep2.ncl.l....char/jb3Way.nsc.l...char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/xb4None.nsc.l..char/xb4Multi.nsc.l.char/jbBgStep2.ncg.l....char/ybBgStep2.ncl.l....char/xb3Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/jb4Usb.nsc.l...%3d%3d%3d%3d....sound/sound_data.sdat.l.char/jtTop.nsc.l....char/jtStep1.nsc.l..char/jtStep2.nsc.l..char/jtStep3.nsc.l..char/jtOption.nsc.l...$...$.0.$.D.$.ô.$.DWCi_MOV_WH_SYSSTATE_STOP...DWCi_MOV_WH_SYSSTATE_IDLE...DWCi_MOV_WH_SYSSTATE_BUSY...DWCi_MOV_WH_SYSSTATE_ERROR..DWCi_MOV_WH_SYSSTATE_SCANNING...DWCi_MOV_WH_SYSSTATE_CONNECTED..DWCi_MOV_WH_SYSSTATE_KEYSHARING.DWCi_MOV_WH_SYSSTATE_DATASHARING....DWCi_MOV_WH_SYSSTATE_CONNECT_FAIL...DWCi_MOV_WH_SYSSTATE_MEASURECHANNEL.l.$.ˆ.$.Ü.$.¤.$.ü.$.<.$...$.„.$.`.$.À.$.already DWCi_MOV_WH_SYSSTATE_IDLE...DWCi_MOV_WH_Finalize, state = %d....DWCi_MOV_WH_StepDataSharing - Warning No Child..DWCi_MOV_WH_StepDataSharing - Warning No DataSet....recv buffer size = %d...send buffer size = %d...unknown connect mode %d.....decided channel = %d....channel %d bratio = %x..unknown indicate, state = %d....DWCi_MOV_WH_StateInEndParent failed.....DWCi_MOV_WH_StateInStartParentKeyShare failed...StartParent - new child (aid %x) connected..StartParent - child (aid %x) disconnected...%s -> ..%s...l..rom:/...rom:/dwc/utility.bin....%s:/......$...$.msg/lc_m.NFTR.l.msg/lc_s.NFTR.l.........................
It seems there are debugging settings here, and some other various things.

2. overlay_0028.bin
icon[%d] REF[%d]....------------.... icon[%d] Default... icon[%d] ReaLike... icon[%d] ReaHate... icon[%d] TcgLike... icon[%d] TchHate... icon[%d] Reset!!.......
I don't get what this could be fore, but RESET!! looks interesting.

3. overlay_0065.bin
data/porucase_pal.resdat....data/porucase_chr.resdat....data/porucase_canm.resdat...data/porucase_cell.resdat...data/porucase_celact.cldat
There are no files like this anywhere in the game. Could be either save data, temporary files, or unused files.

4. overlay_0066.bin
data/tmap_block.dat.data/tmapn_pal.resdat...data/tmapn_chr.resdat...data/tmapn_canm.resdat..data/tmapn_cell.resdat..data/tmapn_celact.cldat
Same as overlay_0065.bin.

5. overlay_0074.bin
data/btower_pal.resdat..data/btower_chr.resdat..data/btower_cell.resdat.data/btower_canm.resdat.data/btower_celact.cldat
Same as above.

6. overlay_0079.bin
AdeqWo3voLeC5r16DYv....&hash=..&data=..error: check sum ..error: pid ..error: data length ..error: token not found..error: token expired ..error: incorrect hash ..%s?pid=%d...bufferIn != NULL....ghttpBuffer.c...len != NULL.buffer..%d..: ......data....dataLen >= 0....connection->encryptor.mEngine != GHTTPEncryptionEngine_None.connection..userBuffer..size > 0....initialSize > 0.sizeIncrement > 0...connection..ghttpCallbacks.c....ú...}...connection..ghttpConnection.c...connection->redirectURL.request >= 0....request < ghiConnectionsLen.connection->request >= 0....connection->request < ghiConnectionsLen.connection->inUse...ghiNumConnections == ghiConnectionsLen..ghttpMain.c.URL && URL[0]...bufferSize >= 0.!buffer || bufferSize...connection..ghiRequestToConnection(connection->request) == connection...connection..ghttpPost.c.connection->post....connection->postingState.states.ArrayLength(connection->post->data) == ArrayLength(connection->postingState.states).connection->postingState.index >= 0.connection->postingState.index <= ArrayLength(connection->postingState.states)..postState...connection->completed && connection->result...--Qr4G823s23d---<<><><<<>--7d118e0536--...state->data->type == GHIString..%s=.&%s=....--Qr4G823s23d---<<><><<<>--7d118e0536.....--Qr4G823s23d---<<><><<<>--7d118e0536.....%sContent-Disposition: form-data; name="%s".....%sContent-Disposition: form-data; name="%s"; filename="%s"..Content-Type: %s........0...state->data->type == GHIFileMemory..state->pos >= 0.state->pos < state->data->data.fileMemory.len...state->pos < state->state.fileDisk.len..state->pos == (int)ftell(state->state.fileDisk.file)....state->pos < state->data->data.string.len...abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@-.*.(c / 16) < 16...0123456789ABCDEF....post....--Qr4G823s23d---<<><><<<>--7d118e0536...state...data->type == GHIString.....multipart/form-data; boundary=Qr4G823s23d---<<><><<<>--7d118e0536...application/x-www-form-urlencoded...............Location:...http://%s:%d%s..Content-Length:.Transfer-Encoding: chunked..connection..ghttpProcess.c..data....len > 0.0...len >= 0....len.%x......connection->recvBuffer.len > 0..HTTP/%d.%d %d%n.connection->completed && connection->result.POST ...HEAD ...GET .... HTTP/1.1...Host....Host: ..User-Agent..GameSpyHTTP/1.0.Connection..Keep-Alive..close...%d..Content-Length..Content-Type....https://....connection->URL.http://.:/../.......
Could be used for accessing online functions. And what is this I see? GameSpy?

7. overlay_0080.bin
http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/post.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/post_finish.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/get.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/result.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/delete.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/return.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/search.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/exchange.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/exchange_finish.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/info.asp
These must be for online accessing, like Mystery Gift, and the GTS.

8. overlay_0082.bin
http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/roomnum.asp...http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/download.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/upload.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/info.asp
They must use a gamestats server for their data.

9. overlay_0083.bin
`...AXVJ....AXVE....AXVF....AXVD....AXVS....AXVI....AXPJ....AXPE....AXPF....AXPD....AXPS....AXPI....BPRJ....BPRE....BPRF....BPRD....BPRS....BPRI....BPGJ....BPGE....BPGF....BPGD....BPGS....BPGI....BPEJ....BPEE....BPEF....BPED....BPES....BPEI
These must be internal names for the Pal Park function and any other GBA insertion.
EB5BEC5BED5BEE5BEF5BEG5BEH5BEI5BEJ5BEK5BEL5BEM5BEP5BEQ5BER5BES5BET5BEU5BEV5BEW5B....mywh_SYSSTATE_IDLE..mywh_SYSSTATE_BUSY..mywh_SYSSTATE_STOP..mywh_SYSSTATE_ERROR.mywh_SYSSTATE_SCANNING..mywh_SYSSTATE_CONNECTED.mywh_SYSSTATE_KEYSHARING....mywh_SYSSTATE_DATASHARING...mywh_SYSSTATE_CONNECT_FAIL..mywh_SYSSTATE_MEASURECHANNEL.....·#.ð¶#.@·#..·#.X·#.Œ·#.p·#.Ä·#.¨·#.,·#.%s -> ..%s..not my parent ggid (%d != %d)...ADAE....Sx439tCkbrWyR8X2................
This, I don't even know...

10. overlay_0084.bin (This one is full of goodies!)
Wayport2FREESPOTNINTENDOWFC
lolwut?
Content-Disposition: form-data; name="..Content-Type: application/octet-stream..Content-Transfer-Encoding: binary....Êš;.áõ.€–˜.@B.. †...'..è...d...................pokemondpds.1vTlwb..о ..................... N..https://nas.test.nintendowifi.net/ac....acctcreate..action..login...gsbrcd..Y...iswfc...ingamesn....Date....httpresult..returncd....token...locator.challenge...datetime....Set-Cookie..ALLOC bmwork....FREE bmwork.https://nas.nintendowifi.net/ac.FREE DWCauth....ALLOC DWCauth...%03d%03d....sdkver..userid..passwd..bssid...apinfo..gamecd..makercd.unitcd..macadr..lang....birth...devtime.devname.ssid....Nitro WiFi SDK/%d.%d....User-Agent..HTTP_X_GAMECD...%013llu.%03u....%02x....%02x%02x....%02d%02d%02d%02d%02d%02d....%02d:0000000-00..Ï .ìÍ .ÌÐ .¨Ñ .„Æ . É ..Ê .ÐÇ .ÔÌ .´Ë .ÌÊ .FREE array_entry[i].label...FREE array_entry[i].value........... ...httpresult..200.....: ..=...&...ALLOC result->entry[i].label....ALLOC result->entry[i].value....FREE result->entry[i].label.FREE result->entry[i].value.http://.https://....:.../...ALLOC newptr....FREE buf->buffer....ALLOC buf->buffer...%s..%s=.&%s=....%s: %s......POST /%s HTTP/1.0..Content-type: application/x-www-form-urlencoded..Host: %s........GET /%s HTTP/1.0..Host: %s......FREE http->lowrecvbuf...FREE http->lowsendbuf...Content-Length: ....Connection..close...%d..Content-Length..ALLOC http->lowrecvbuf..ALLOC http->lowsendbuf..pà .http://conntest.nintendowifi.net/...ALLOC DWCnetcheck->body_302.FREE DWCnetcheck->body_302..ALLOC url...ALLOC data_len..ALLOC wait_len..ALLOC DWCnetcheck->body_wayport.httpresult..https://nas.nintendowifi.net/ac.action..message.HotSpotResponse.FREE DWCnetcheck->body_wayport..parse...HTML....returncd....url.data....wait....FREE url....FREE data...FREE wait...FREE DWChttp....FREE DWCnetcheck....ALLOC DWCnetcheck...ALLOC DWChttp...Dec.Jul.Oct.Sep.Aug.Nov.Jun.May.Apr.Mar.Feb.Jan.LÅ .HÅ .DÅ .@Å .<Å .8Å .$Å .0Å .,Å .(Å .4Å . Å .Fri, 03 Mar 2006 01:28:13 GMT...Date....httpresult..returncd....svchost.servicetoken....statusdata..https://nas.nintendowifi.net/ac.action..SVCLOC..svc.FREE intwork....ALLOC intwork...<Æ .ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
This isn't the first time I've seen the alphabet written. Why is it needed half a million times?
GlobalSign nv-sa, Root CA, GlobalSign Root
What is it signing?
IE, Baltimore, CyberTrust, Baltimore CyberTrust Root
This game loves Baltimore for some reason. Baseball, perhaps? XD
US, GTE Corporation, GTE CyberTrust Solutions, Inc., GTE CyberTrust Global Root.
US, GTE Corporation, GTE CyberTrust Root.
I have no clue what GTE Cybertrust is.
US, Washington, Nintendo of America Inc, NOA, Nintendo CA, [email protected]
Why is NoA's email embedded in the game?
Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Premium Server CA, [email protected]....èÌ .€...hÍ .....ÐÌ .ZA, Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Server CA, [email protected]
No idea.
gUS, VeriSign, Inc., Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network......,Ï .....ÈÏ ......Ï .US, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only, VeriSign Class 3 Public Primary Certification Authority
US, VeriSign, Inc., Class 3 Public Primary Certification Authority
Verisign? It sounds familiar.
US, RSA Data Security, Inc., Secure Server Certification Authority
No idea.
https://nas.test.nintendowifi.net/ac....https://nas.dev.nintendowifi.net/ac.https://nas.nintendowifi.net/ac.....0000....9000....https:///download...https://%s/download.
This must be used to verify if the game can connect to the internet? IDK.
I have authorized your request to add me to your list
whatisthisidonteven... have me on any list.
wc_eval....dwc_pid.numplayers..maxplayers..dwc_mtype...dwc_mresv...dwc_mver........VER.FME.MDF.%s%dv%s.GPCM....MAT./%u.%s = %d and %s != %u and maxplayers = %d and numplayers < %d and %s = %d and %s != %s...%s and (%s).%s = %u.SCM.SCN.Init state..Server full.Unknown connect attempt
maximum players? IDK.
vailable.gs.nintendowifi.net....fn..darray.c....(n >= 0) && (n < array->count)..comparator..(n >= 0) && (n <= array->count).array...elemSize....array->list.fn..hashtable.c.table...hashFn..compFn..elemSize....nBuckets....table->buckets..%02x........OS_IsTickAvailable() == TRUE....nonport.c...localhost...The connection has already been disconnected....\sesskey\...\final\.No callback.....Invalid message.....Invalid statusString....Invalid locationString..\status\....\statstring\....\locstring\.Invalid status..Invalid index...buddyStatus.gp.c....Invalid reason..\addbuddy\..\newprofileid\..\reason\........Invalid func....(iconnection->connectState == GPI_NOT_CONNECTED) || (iconnection->connectState == GPI_CONNECTING) || (iconnection->connectState == GPI_NEGOTIATING) || (iconnection->connectState == GPI_CONNECTED) || (iconnection->connectState == GPI_DISCONNECTED)..gpi.c...0...CM..There was an error reading from the server..\final\.CMD: %s.....Out of memory...\id\....No matching operation found for id %d...\bm\....\ka\....Received an unrecognized, unsolicited message...The server has closed the connection.........*************.gpiInitialize....Invalid profile.....\delbuddy\..\sesskey\...\delprofileid\..\final\.index >= 0..gpiBuddy.c..iconnection->profileList.numBuddies >= 0....\bm\....\t\.\msg\...Unexpected data was received from the server....\f\.\date\..Out of memory...|signed|....|s|.|ss|....|ls|....|ip|....|p|.|l|.1...\authadd\...\fromprofileid\.\sig\...\msg\...\m\.\len\...outputBuffer != NULL....gpiBuffer.c.len >= 0....pos >= 0....pos <= len..sock != INVALID_SOCKET..inputBuffer != NULL.bytesRead != NULL...connClosed != NULL..Out of memory...There was an error reading from a socket....RECVXXXX(%s): Connection closed.....RECVTOTL(%s): %d....%d..peer->outputBuffer.buffer != NULL...PT..There was an error sending on a socket..SENDXXXX(%s): Connection closed.....string != NULL..stringLen >= 0..data->callback.callback != NULL.gpiCallback.c...data->arg != NULL...Out of memory...iconnection != NULL.result != GP_NO_ERROR...(fatal == GP_FATAL) || (fatal == GP_NON_FATAL)..gpcm.gs.nintendowifi.net........................................\logout\\sesskey\...\final\.CM..The server has refused the connection...state == GPI_CONNECTED..gpiConnect.c....\pid\...\fatal\.\lc\1...Unexpected data was received from the server....\challenge\.\nur\...\userid\....Unexepected data was received from the server...\profileid\.\lc\2...\sesskey\...\uniquenick\....\lt\....%s@%s...%s%s%s%s%s%s.... ....\proof\.Could not authenticate server...Out of memory...\newuser\...\email\.\nick\..\passwordenc\...\productid\.\gamename\..\namespaceid\...\cdkeyenc\..\id\1...\login\.\authtoken\.\user\..@...\response\..\firewall\1.\port\..Invalid connection..Invalid firewall....There was an error creating a socket....There was an error making a socket non-blocking.....There was an error binding a socket.....There was an error listening on a socket....There was an error getting a socket's addres....Could not resolve connection mananger host name.....address.sin_addr.s_addr != 0....There was an error connecting a socket..ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789..Out of memory...\getprofile\\sesskey\...\profileid\.\id\....\final\.%d..Invalid info....\birthday\..Invalid value...\nick\..\uniquenick\....\email\.\password\..\firstname\.\lastname\..\homepage\..\zipcode\...Invalid countrycode.....\countrycode\...0...1...2...\sex\...\icquin\....\videocard1string\..\videocard2string\..\osstring\..\aim\...\pic\...\occ\...\ind\...\inc\...\mar\...\chc\...\i1\....Invalid zipcode.....Invalid sex.....\cpubrandid\....\cpuspeed\..\memory\....\videocard1ram\.\videocard2ram\.\connectionid\..\connectionspeed\...\hasnetwork\....\updatepro\\sesskey\....\updateui\\sesskey\.\pi\....Unexpected data was received from the server....profileid > 0...gpiInfo.c...\lon\...\lat\...\loc\...\pmask\.\o1\....\conn\..\sig\...gpiIsValidDate(d, m, y).Invalid date....gpiProcessOperation was passed an operation with an invalid type (%d)...0...gpiOperation.c..iconnection->numSearches >= 0...Out of memory...connection != NULL..*connection != NULL.operation != NULL...peer != NULL....gpiPeer.c.......\len\%d\msg\....transferID..\m\%d\xfer\%d %u %u.message != NULL.\m\.\len\...\msg\...Error connecting to a peer..There was an error creating a socket....There was an error making a socket non-blocking.....There was an error connecting a socket..0...Tried to remove peer not in list....peer->state != GPI_PEER_NOT_CONNECTED...PR..Out of memory...1...peer->state == GPI_PEER_WAITING.\final\.\auth\..\pid\...\nick\..\sig\...%s%d%d..\anack\.\aack\..Error getting buddy authorization...Error parsing buddy message.....id > 0..gpiProfile.c....\npr\...Unexpected data was received from the server....\profileid\.Out of memory...gpsp.gs.nintendowifi.net........................................Out of memory...num < iconnection->numSearches..gpiSearch.c.SM..Could not connect to the search manager.....\search\....\sesskey\...\profileid\.\namespaceid\...\nick\..\uniquenick\....\email\.\firstname\.\lastname\..\icquin\....\skip\..\valid\.\nicks\.\pass\..\pmatch\....\productid\.\check\.\newuser\...\productID\.\cdkey\.\others\....\uniquesearch\..\preferrednick\.0...\gamename\..\final\.There was an error reading from the server..bsrdone.more....bsr.nick....uniquenick..firstname...lastname....email...Error reading from the search server....vr..nr..ndone...psrdone.psr.status..statuscode..cur.\pid\...nur.others..odone...o...first...last....us..usdone..count == arg->numSuggestedNicks.No search criteria..There was an error creating a socket....There was an error making a socket non-blocking.....Could not resolve search mananger host name.....address.sin_addr.s_addr != 0....There was an error connecting a socket..\xfer\..%d %u %u........\version\%d\result\%d...\rn\....Unexpected data was received from the server....Out of memory...buffer != NULL..gpiUtility.c....key != NULL.value != NULL...Parse Error.....Error connecting....There was an error checking for a completed connection..Connection rejected.....Connection accepted.....command != NULL.len > 0.\error\.\err\...\errmsg\....\fatal\.dest != NULL....src != NULL.ÿÿÿÿÜí ..ameSpy3D........rojectAphex....\pauthr\....\getpidr\...\getpdr\....\setpdr\....setpdr..pid.lid.mod.getpdr..length..\data\......getpidr.pauthr..errmsg..\...3b8dd8995f7c40a9a5c5b7dd5b481341....buffer..gt2Auth.c...start <= buffer->len....gt2Buffer.c.shortenBy <= (buffer->len - start)..(buffer->len + len) <= buffer->size.(buffer->len + 2) <= buffer->size...buffer->len < buffer->size..socket..gt2Callback.c...connection..socket && connection....connection..gt2Main.c...þþ..time....len > 0.gt2Message.c........len < GTI2_STACK_HOSTLEN_MAX....gt2Utility.c....%s:%d...%s..:%d.ýü.fj²..natneg1.gs.nintendowifi.net.natneg2.gs.nintendowifi.net.%s.%s...dð .ÿÿÿÿ............................................................................................................................................................................................................................................................................localip%d...localport...natneg..1...0...statechanged....gamename....publicip....publicport..final\\queryid\1.1..unknown.....%s%d....%08X%04X....255.255.255.255.%d..No challenge value was received from the master server..%s.master.gs.nintendowifi.net.......pid_....team_...ping_...score_..team_t..skill_..mapname.deaths_.gamever.player_.score_t.groupid.gamename....hostport....password....hostname....numteams....gamemode....teamplay....gametype....roundtime...fraglimit...timelimit...numplayers..maxplayers..gamevariant.timeelapsed.roundelapsed....teamfraglimit
Have fun reading this.
\final\.\basic\\info\...\status\....final...queryid.%s%d........ping....server..sb_server.c.%d..\%s..ø .Query Error: ...slist->inbufferlen >= 0.sb_serverlist.c.inlen >= 0..ÿÿÿÿ....0...slist->state == sl_disconnected.....%s.ms%d.gs.nintendowifi.net.slist != NULL...callback != NULL....val != NULL.....àø .€...0ù .....Èø .US, Washington, Nintendo of America Inc, NOA, Nintendo CA, [email protected].³Íy—w]Š¯†¨è×s.wß....øAž!Uß¼ücû.CñöÄrBI½.DhNóÚ.æMØùYˆÜ®>›8.Ê.ÿÜ$¢DxxI“Ô„@.¸ì>Û-“È.Èýx-a.1®†&°ýZ?¡=¿âKIìÎf˜X&.Àûôwe.êûË.àŒË.£N^Œê›Nitro WiFi SDK/%d.%d....Ìø .contents....offset..num.User-Agent..gamecd..rhgamecd....passwd..token...userid..macadr..action..attr1...attr2...attr3...apinfo..HTTPSTATUSCODE..returncd....Content-Length..http://.https://....HTTPSTATUSCODE..GET ....POST ...HEAD .../... HTTP/1.1...Host: ......: ..Content-Type: multipart/form-data; boundary=....Content-Type: application/x-www-form-urlencoded.....Content-Length: ...."...--......=...&...HTTP/...Content-Length..Connection..Keep-Alive..Transfer-Encoding...chunked
And this.

11. overlay_0005.bin
data/area01light.txt....data/area00light.txt....data/area02light.txt....sea.rhana...hamabe..asasea..lakep.1.dun_sea
.txt? coolbeans.
/data/dp_areawindow.NCGR..../data/dp_areawindow.NCLR....fielddata/build_model/build_model_matshp.dat
This must initiate the text box we all read from.

12. overlay_0006.bin
data/shop_h.cldat...data/shop_chr.resdat....data/shop_pal.resdat....data/shop_cell.resdat...data/shop_canm.resdat
I don't remember there being an online shop...

Now, what I was looking for is the list of what is loaded on initiation of the game. What file is it in Pokemon Diamond?

Shiny Quagsire
January 26th, 2011, 07:25 AM
Verisign is an SSL certificate signer. It's probably used for the GTS servers, which has been hacked before using a custom DNS server. I don't think there's any mystery gift stuff in there, which I wish was there. I think it'd be cool to hack mystery gift. ^_^

Team Fail
January 26th, 2011, 08:04 AM
Verisign is an SSL certificate signer. It's probably used for the GTS servers, which has been hacked before using a custom DNS server. I don't think there's any mystery gift stuff in there, which I wish was there. I think it'd be cool to hack mystery gift. ^_^

I'll see if I can. That'd prove interesting.

knizz
January 27th, 2011, 06:06 AM
I uploaded my private offset list here: REMOVED
Check the my signature for updates.

knizz
February 19th, 2011, 08:00 AM
0x9C (doanimation) is a command like "special" which takes a halfword for choosing the action.
It uses it's own scripting language. The animation-tableis at 081D96AC. The commands of this sub-language are at 083CBE30. The most common commands are 0x03, 0x04 and 0x07. 0x03 starts ASM code. 0x04 ends the execution. Idk more about 0x07.

I created the list in the spoiler by overwriting the script of the girl in the hometown with
eb 0816575C 0x9C
eb 0816575D <number>
eb 0816575E 0x00
eb 0816575F 0x02

Disable the badge-check for HMs:
eb 0812462E 0

I assume that most of these 0x9C-animations do more than what I wrote down here. I just tested them in one situation. For example if the game thinks I'm currently in the air it won't show the take off animation just the landing animation. Etc.

00 -
01 show pokeball & black pokemon bar & leaf spiral
02 show pokeball & black pokemon bar
03 -
04 -
05 -
06 show black shiny-pokemon bar
07 -
08 buggy surf-pokemon-sprite appears on map
09 show pokeball & black pokemon bar & surf
0A -
0B -
0C -
0D -
0E -
0F -
10 -
11 -
12 -
13 -
14 -
15 -
16 -
17 -
18 -
19 pokecenter
1A -
1B -
1C -
1D -
1E Bird-pokemon enter and leave the screen
1F -
20 -
21 -
22 Land
23 Fly & Crash (Probably because the destination isn't set)
24 -
25 show pokeball & black pokemon bar
26 show pokeball & black pokemon bar & slow teleport to last poke center
27 -
28 show pokeball & black pokemon bar
29 -
2A -
2B freeze
2C show black pokemon bar & freeze
2D buggy textbox in the top left corner
2E -
2F -
30 -
31 -
32 -
33 show pokeball & black pokemon bar & screen turns red (probably "sweet scent")
34 -
35 -
36 -
37 -
38 -
39 -
3A leaf spiral
3B show black shiny-pokemon bar
3C -
3D -
3E different pokecenter
3F show pokeball & black pokemon bar & fast teleport to last used warp
40 -
41 show cell-phone & freeze
42 -
43 -
44 -
45 white flash




If you want to fly callasm 080BFEDC, 080BFF50 or 080C4EF8. (I don't know the difference between those yet)




Flying uses animations 1f, 3b, 06, 03 and 20. Not all of them are called directly. Animation 3B for example is called by animation 1f (if I'm not mistaken).

lmdst
March 13th, 2011, 07:42 PM
Hey, it turns out I can do more than ask questions!


I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but I nobody knew how to change the numbers around - the Pokémon still kept their original Sinnoh dex numbers, meaning an Abra would be 020 no matter his position, Turtwig would be 001, and Pokémon not in the Sinnoh dex would be 000. This obviously meant that the numbers are stored elsewhere. So I decided to look for them.

What I figured is that the code kept a list of the Pokémon, in their internal order, and one or two bytes determined their number. For example, the list would start at Bulbasaur, who is not in the dex, so it would say "00". That would go on until the first Kanto pokémon you can find in Sinnoh, Pikachu, shows up. At this point the code would say "68", which is hex for his Sinnoh dex number, 104. Raichu would follow with 69, and so on.

With this method, when the list reached the Gen IV Pokémon, it would start with 01 (Turtwig) and go on until Luxray (19 in the Sinnoh dex, which is 13 in hex). After that, there would be a gap to account for Abra and Magikarp's evolutionary lines, then would follow into Budew (number 25, or 19 in hex).

So what I did was search the rom for the hex string "13001900". Turns out, I was right!

Okay so, long story short, the Sinnoh Pokédex numbers (not the order) in Diamond and Pearl starts at 385CE46, with Bulbasaur. Each Pokémon's info is two bytes long, with the first being the Pokémon's Sinnoh dex number in hex and the second being typically a 00. However, I believe it could be changed to 01 to account for numbers above 255, Which means that one could potentially increase the size of the Sinnoh Pokédex.

knizz
March 14th, 2011, 09:31 AM
... starts at 385CE46, with Bulbasaur. ...

Posting offsets for DS-Games isn't ideal because the ROMs have a filesystem.
I wrote a tool to convert offsets to paths.
C-Code and Mac-EXE: REMOVED
EXE: http://www.pokecommunity.com/showpost.php?p=5805522&postcount=10

I ran this tool on all occurances of "13001900". (Which are: 0440dbC 1c2ed66 1c2ed88 2f7b8a3 3155614 317b2b4 32af774 33c28d5 33c38b9 33dc999 385d166) This is the output:
Start End Position Length Name
00440200 00441314 00000BBC of 00001114 | tmap_block.dat < data <
01C2ED64 01C2ED6C 00000002 of 00000008 | 53. < trpoke.narc < trainer < poketool <
01C2ED80 01C2ED94 00000008 of 00000014 | 56. < trpoke.narc < trainer < poketool <
02F79ABC 02F7C4B4 00001DE7 of 000029F8 | 211 < land_data_release.narc < land_data < fielddata <
0314AC14 03155980 0000AA00 of 0000AD6C | 337 < land_data_release.narc < land_data < fielddata <
03174818 0317B4E6 00006A9C of 00006CCE | 344 < land_data_release.narc < land_data < fielddata <
032A8604 032AFAEE 00007170 of 000074EA | 401 < land_data_release.narc < land_data < fielddata <
033BA0B4 033C5250 00008821 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata <
033BA0B4 033C5250 00009805 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata <
033DA264 033E4B46 00002735 of 0000A8E2 | 435 < land_data_release.narc < land_data < fielddata <
0385CE3C 0385D218 0000032A of 000003DC | 0. < pokezukan.narc < poketool <

Of course all land_data_release lines are false matches because we know that they contain 3d-models

Please correct me if I'm wrong about something.

Iacobus
March 14th, 2011, 02:23 PM
Hey, it turns out I can do more than ask questions!

I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but I nobody knew how to change the numbers around -...Sorry to say this, but it was one of the first things documented when Diamond and Pearl got dumped.
► Link (http://www.pipian.com/ierukana/hacking/ds_shinoudex.html)

r0bert
April 30th, 2011, 04:25 AM
1st of all,I can revive this thread,right?
2nd; if this is in the wrong place I'm sorry.
after browsing every offset in my firered ROM looking for the PALS A-map uses,I've found some of them:
PAL0___EA1B68
PAL1___EA1B88
PAL2___EA1BA8
PAL3___EA1BC8
PAL4___EA1BE8
PAL5___EA1C08
PAL6___EA1C28
But a question:why are the offsets always 20 apart?

DrFuji
April 30th, 2011, 05:43 AM
1st of all,I can revive this thread,right?
2nd; if this is in the wrong place I'm sorry.
after browsing every offset in my firered ROM looking for the PALS A-map uses,I've found some of them:
PAL0___EA1B68
PAL1___EA1B88
PAL2___EA1BA8
PAL3___EA1BC8
PAL4___EA1BE8
PAL5___EA1C08
PAL6___EA1C28
But a question:why are the offsets always 20 apart?

Because each pallet is comprised of sixteen colours, which are translated from two bytes. For example, black is represented as 00 00, while white is 7F FF. As each colour takes up two bytes, the sixteen of them will take up thirty two bytes in total - Which can be translated to a space of twenty in HEX.

Full Metal
April 30th, 2011, 06:11 AM
Heyhey, this has probably been found but...
0202557A - Y co-ordinates of the player
02025578 - X co-ordinates of the player
:) ( I finally figured out how to use cheat search~ :D )
( they are 16-bit values )

knizz
May 19th, 2011, 04:33 PM
I think I made the first html-only rom-research tool: http://chna.kilu.de/jsgba/ (You need Google Chrome for that)
It's a port of my old BL Finder.

skishore
May 24th, 2011, 09:51 PM
I think I've found a way to prevent the three original legendary birds from fleeing when you encounter them in Gold and Silver. At offset 0x03C560, there's a list of hex codes which includes Articuno, Zapdos, and Moltres; changing their three codes to 0x00 does the trick.

I think this question was being asked when Bright Gold was in development. Anyway, I'm working on a similar hack, so I hope this helps.

knizz
May 29th, 2011, 01:04 AM
Nice find. Also congratulations on your first post.

linkandzelda
June 13th, 2011, 01:40 AM
Hello,
I'm trying to run an item's asm, from within a script using callasm. At 080A1D9D is the ask for the VS SEEKER. i would like to run that but as i'm not in the bag it will run the bag close routine which results in a fade screen.

Hope i can ask this here,
Thanks

Darthatron
June 13th, 2011, 04:41 AM
Hello,
I'm trying to run an item's asm, from within a script using callasm. At 080A1D9D is the ask for the VS SEEKER. i would like to run that but as i'm not in the bag it will run the bag close routine which results in a fade screen.

Hope i can ask this here,
Thanks

Try running it from 080A1DF4+1. This bypasses most of the checks (like "Now isn't the time to use that...") but I don't think it work correctly since the routine seems to have at least one parameter (in R0.)

linkandzelda
June 13th, 2011, 05:47 AM
Try running it from 080A1DF4+1. This bypasses most of the checks (like "Now isn't the time to use that...") but I don't think it work correctly since the routine seems to have at least one parameter (in R0.)

Thanks for the help, but it went straight to the fadescreen again.

hi sir tomato my password is syvniti
June 16th, 2011, 01:39 PM
http://www.youtube.com/watch?v=EUzj-6IvCoI
I can do it! :p
- But I can't post videos with these youtube thingys:(

tinix
August 10th, 2011, 04:33 AM
Hello everybody,
Recently I have been experimenting with C, trying to compile working code for Pokemon ROMs, because I find ASM very messy and I cant get the grip of it.
I chosen C because there is available compiler for GBA/ARM and because I am
familiar with it.
After a while of experimenting, messing with compiler flags and pointers, I have managed to successfully compile, insert and test a function that returned lowest level of your party Pokémon, and a function that jumped/branched into (standard) ASM routine. This process has a few drawbacks, mainly that resulting binary code is larger.

In attachment you will find C files along with instructions how to compile them (Code is set up for FIRE RED!). If you have any issues with compiling PM me and i will try to help you.

I want to know your opinion on this subject as whole.

Full Metal
August 10th, 2011, 07:21 AM
@Above - C seems a bit overkill for this. By judging on the size of the file, you didn't optimize the output or anything, which makes for a HUGE output, when you probably could have accomplished the same thing in a smaller routine. :\
On the other hand, congrats on getting it all to work properly. (:

Alice
August 10th, 2011, 03:39 PM
I'm not entirely sure the best place to post ideas like this is, but this seems to be close enough.

I have no clue how feasible this is, but it was just an idea I had, and since I really don't hack anymore, I thought I'd post it, and see if anyone might want to try it.

The idea is that you would be able to only use a single pokemon throughout the game, but on every level up it would evolve (no b cancel allowed) into a completely random pokemon. It could go from caterpie to mewtwo at level 6, and then from mewtwo to magikarp at level 7. Completely random. It would also attempt to learn a completely random move from the new pokemon's list of moves learnable by level up.

Just an interesting gimmick that I'd like try, if anyone wants to incorporate it into a hack. Maybe even just a mod of firered/ruby, if nothing else.




(Now that I think about it, this is basically gungame, but with pokemon, haha.)

Full Metal
August 10th, 2011, 06:09 PM
I'm not entirely sure the best place to post ideas like this is, but this seems to be close enough.

I have no clue how feasible this is, but it was just an idea I had, and since I really don't hack anymore, I thought I'd post it, and see if anyone might want to try it.

The idea is that you would be able to only use a single pokemon throughout the game, but on every level up it would evolve (no b cancel allowed) into a completely random pokemon. It could go from caterpie to mewtwo at level 6, and then from mewtwo to magikarp at level 7. Completely random. It would also attempt to learn a completely random move from the new pokemon's list of moves learnable by level up.

Just an interesting gimmick that I'd like try, if anyone wants to incorporate it into a hack. Maybe even just a mod of firered/ruby, if nothing else.




(Now that I think about it, this is basically gungame, but with pokemon, haha.)

Good Grief No.
Who in their right minds would play that?

EdensElite
August 11th, 2011, 03:07 PM
I was just wonderig if it's possible to edit the box backgrounds on the pc, I couldnt find it in unLZ but since its a image it should be at some offset :/

Alice
August 12th, 2011, 10:56 AM
Good Grief No.
Who in their right minds would play that?
I would?

Like I said, it's just a gimmick, but it would be fun to mess around with.

DavidJCobb
August 12th, 2011, 10:45 PM
Just in case anyone was wondering, there's no (practically-achievable) limit to how many times a script can recurse in FR. That is to say, scripts can call scripts that call scripts that... all the way up to 65535 nesting levels (though of course, there is some noticeable lag associated with running 65535 call statements almost directly after each other).

Test script 1 (master A calls sub B calls sub B...):
#dynamic 0x800000

/*
Vars:
4000 Number of levels to recurse to
4001 How deep are we right now?
4002 How deep did we get?
*/

#org @start
lock
setvar 0x4000 0x0005
setvar 0x4001 0x0000
setvar 0x4002 0x0000
call @recursive
buffernumber 0x00 0x4002
buffernumber 0x01 0x4000
msgbox @sAllReturnsWorked 0x02
release
end

#org @recursive
addvar 0x4001 0x0001
addvar 0x4002 0x0001
comparevars 0x4001 0x4000
if 0x0 call @recursive
subvar 0x4001 0x0001
return

#org @sAllReturnsWorked
= Successfully returned to the\noutermost script.\pDepth: [buffer1] / [buffer2]

Test script 2 (master A calls sub B calls sub C calls sub B...):
#dynamic 0x800000

/*
Vars:
4000 Number of levels to recurse to
4001 How deep are we right now?
4002 How deep did we get?
*/

#org @start
lock
setvar 0x4000 0xFFFF
setvar 0x4001 0x0000
setvar 0x4002 0x0000
call @recursive1
buffernumber 0x00 0x4002
buffernumber 0x01 0x4000
msgbox @sAllReturnsWorked 0x02
release
end

#org @recursive1
addvar 0x4001 0x0001
addvar 0x4002 0x0001
comparevars 0x4001 0x4000
if 0x0 call @recursive2
subvar 0x4001 0x0001
return

#org @recursive2
addvar 0x4001 0x0001
addvar 0x4002 0x0001
comparevars 0x4001 0x4000
if 0x0 call @recursive1
subvar 0x4001 0x0001
return

#org @sAllReturnsWorked
= Successfully returned to the\noutermost script.\pDepth: [buffer1] / [buffer2]

So if you need to do something such as creating a recursive function to count how much of a certain item a player has, you should be able to do so without having to worry about hitting any kind of recursion limit. Again, though, efficiency is something to keep in mind.

TheDarkShark
August 13th, 2011, 02:43 AM
Actually you don't need to worry about how many returns you may use in a recursive script. I wrote a standard script to check an item's amount (item number stored in some variable I'd need to look up...) which use goto to loop. When you use goto return will not jump to that branch, which means it will jump right back to the callstd command instead of the last recursion (I wonder if that's an actual word. We have a similar one in German for sure... ^^).
Nice find anyway.

Oh, and before I forget to write that:
@EdensElite: Of course it is possible, when you have the needed offsets. There are two possible reasons why you couldn't find them in unLZ. 1 - They aren't lz-compressed, which would mean you'd need to edit them via tile molester or a similar program, like NSE. 2 - They are strored as a tileset/tilemap-combo which you usually can't guess without the right palette. That would mean, you've already found them but don't know it (sounds weird, huh?).
A good way to find the ROM-offset of some graphics is to lookup the RAM-offset via Tile-/Map-Viewer in the VBA, put a break point on write on that offset (via VBA-SDL-H) and make the game load the graphics. With next-to-no-but-still-some ASM-knowledge you are then able to lookup the correct offset (plus you know if and how the graphic is compressed by checking the swi-function used). Also you could use logging to find the graphics, but I'm not 100 % sure if I can explain that right now...
I hop that helped a bit. I recommend to read a tutorial anyway :P

JPAN
August 14th, 2011, 02:18 PM
I'm not entirely sure the best place to post ideas like this is, but this seems to be close enough.

I have no clue how feasible this is, but it was just an idea I had, and since I really don't hack anymore, I thought I'd post it, and see if anyone might want to try it.

The idea is that you would be able to only use a single pokemon throughout the game, but on every level up it would evolve (no b cancel allowed) into a completely random pokemon. It could go from caterpie to mewtwo at level 6, and then from mewtwo to magikarp at level 7. Completely random. It would also attempt to learn a completely random move from the new pokemon's list of moves learnable by level up.Or a stone-like item that has that behaviour. In fact, it would be quite simple to implement such a feature. For simplicity, let's say we would get rid of evolution nº2, and that any pokemon is elligible from the original 251 (so we don't deal with the 21 empty slots.)
At 08042FC8 you would place a pointer to this function (with no +1, as this is a mov to PC and not a bx)

.thumb
bl getRandomHalfword
mov r1, #0xfb /*Celebi number*/
bl module
add r0, r0, #0x1 /*so that ? is not an option*/
ADD SP, SP, #0x14 /*we exit the function for them*/
POP {R3-R5}
MOV R8, R3
MOV R9, R4
MOV R10, R5
POP {R4-R7, pc}
.align 4
getRandomHalfword: ldr r0, rng_addr
bx r0
rng_addr: 0x08044EC9
module: ldr r2, mod_addr
bx r2
mod_addr: 0x081E4685

PS:untested, but looks bug-free from here
And with this, you have a random evolution, that always takes place when a level changes.
To use, place in the evolution type 0x02
You can always extend the Evolution table at 08042FC4 and use this with other number, if you want

Just in case anyone was wondering, there's no (practically-achievable) limit to how many times a script can recurse in FR. That is to say, scripts can call scripts that call scripts that... all the way up to 65535 nesting levels (though of course, there is some noticeable lag associated with running 65535 call statements almost directly after each other).

So if you need to do something such as creating a recursive function to count how much of a certain item a player has, you should be able to do so without having to worry about hitting any kind of recursion limit. Again, though, efficiency is something to keep in mind.

Actually, no. Script depth is locked at 0x0806988E, to 20 pointers stored.
The infinite recursion displayed by your example scripts is an illusuion caused by the fact that when the limit is reached, it jumps instead of going back recusively. As the return value will be the same for all called code (or almost all), it will return to the location it should correctly. And this value can't be changed (well, it could but would cause trouble) as the memory where it is located is surrounded by usefull data, and it is stored on the smallest RAM (0x0300XXXX).

DavidJCobb
August 14th, 2011, 03:34 PM
Actually, no. Script depth is locked at 0x0806988E, to 20 pointers stored.
The infinite recursion displayed by your example scripts is an illusuion caused by the fact that when the limit is reached, it jumps instead of going back recusively. As the return value will be the same for all called code (or almost all), it will return to the location it should correctly. And this value can't be changed (well, it could but would cause trouble) as the memory where it is located is surrounded by usefull data, and it is stored on the smallest RAM (0x0300XXXX).So FireRed remembers the outermost caller, but after a certain point it treats "return" as "goto"? That is clever... And it explains why after a certain number of tests, the screen lag caused by the calls stopped increasing.

Thanks for sharing that info. :)

Crimson5M
August 14th, 2011, 04:35 PM
If anyone's interested to know, 251FEE is the start of the FireRed Pokedex order. Not exactly sure if it can be considered "Research and Development" but I thought I'd share anyway.

MikeBricks
August 14th, 2011, 05:23 PM
You are wrong! It is 251FEE! You have to make there is a pointer for offsets you find! You are stupid for not doing so.

No you are wrong! It is 251FEE!
Reverse it which is EE1F2508. Then search that. You will get 2 results which mean I am right.

No you are wrong! It is 251FEE!
Reverse it which is EE1F2508. Then search that. You will get 2 results which mean I am right.

Gamer2020
August 14th, 2011, 06:04 PM
MikeBricks is correct. His offset is the same one I have in my ini.

Crimson5M
August 14th, 2011, 06:12 PM
MikeBricks is correct. His offset is the same one I have in my ini.

Yeah, I know, it was a mistake. I interpreted the first byte of two 0s to be the beginning, because I thought it went:
00 01 00 02
When it was actually:
01 00 02 00

Who's stalking now

mystletainn
August 14th, 2011, 06:51 PM
Cut the crap Gamer and Fireworks. This is the last straw before infractions and even temp bans are going to be put in place for you. A timeout from PC might do both of you good.

Gamer2020
August 14th, 2011, 07:37 PM
Cut the crap Gamer2020 and Fireworks. This is the last straw before infractions and even temp bans are going to be put in place for you. A timeout from PC might do both of you good.
I actually did not do anything.

Here are some offsets I found in BPEE. I didn't give them proper names because I'm lazy...

copyright - 080A9179
fadescreen - 0816CF19
- 0816D12D
Gamefreak - 0816D191
Grassup and flygon flies - 0816D355
white screen - 0816D459
white screen - 0816D48D
white screen - 0816D4E5
Bike ride1 - 0816D651
Bike ride fadeout - 0816D7E8
white screen - 0816DBAD
Intro Battle start - 0816DC65
White screen - 0816DCFD
white screen - 0816DD29
White screen - 0816DDD9
lava fade in - 0816DE7D
lava fade in2 - 0816DED1
lava fade in3 - 0816DEED
GROUDON! - 0816DF2D
White screen - 0816E21
Kyorge! - 0816E359
White screen - 0816E889
White screen - 0816E955
White screen - 0816E999
Sky gets dark - 0816E9DD
still dark - 0816EAB9
Is it a bird? - 0816EB45
dark - 0816ED21
That bird did something scary - 0816EDB5
White screen - 0816EE91
White screen - 080A9179
Pokemon TitleScreen- 080AAB45
Emerald Vesion - 080AAC51
Press Start - 080AAD65
White screen - 080A9179
Fade in blue - 0802F8D9
still blue - 0802FAB1
blue... - 802FBA5
blue....... - 080300B1
New Game - 0803024D
Black screen - 0803027D
Black screen - 080307B1
Background loaded for birch- 080308B1
Birch appears - 08030928
Hi! Sorry to keep you waiting! - 080309CD
This is what is called a Pokemon. - 08030A2D
This world is widely... - 08030BCD
And You Are? - 08030C19
Spotlight went right - 08030C91
OMG he left! - 08030CD5
Is that me? - 08030D85
Nothing? - 08030DC9
Are you a boy? Or are you a girl? - 08030E09
Boy - Girl Multichoice - 08030E39
prepare - 08030FD5
All right. What's your name? - 08031015
press a - 08031041
fade to black - 08031091
still black - 080A9179
Your name? - 080E465D
black - 080A9179
black - 0803261D
I'm back! - 08031105
so it's?- 08031145
yes no - 08031189
spotlight to left - 08031221
I'm gone - 08031259
Ah, okay! - 0803133D
birch gone - 080313E5
All right are you ready? - 080314C5
I'm shrinking - 08031581
nothing? - 080315BD
I'm white? - 08031631
black - 080A9179
black - 080AB161
Overworld - 080AB1B1

DavidJCobb
August 14th, 2011, 10:49 PM
I'm about to start trying to reverse-engineer the COIN CASE ASM script in FireRed. My aim is to identify the functionality that makes the "COINS: XXXX COINS" message box work, so that I can call/clone it and be able to show two message boxes at once in script. (I can already imagine the possibilities...)

I've done a small amount of work, but before I go any further, I have three questions:


Uh... How do I know when I've found the ASM that actually creates a secondary message box?
.
My understanding of ASM is as basic as it gets, so I'll ask right now: has anyone already done what I'm trying to do? Because if someone's already done it, there's little point in me doing it. :\
.
I'll check this one on my own if it goes unanswered when I wake up later.
The "showcoins" command shows a secondary box. And I'm pretty sure that the COIN CASE item code shows both a secondary box and a standard box, but my memory's a little hazy. When you use the COIN CASE from the Bag, does it show the same box that appears when "showcoins" is called?

TheDarkShark
August 15th, 2011, 02:08 AM
1. I'm not really sure (I'm new to code hacking too, I've only built ASM functions to call them from a script...), but I think when data is copied from the graphic's ROM-offset. While debugging, watch registers r0-r2 carefully. They are used by the data-copying swi-functions. r0 is the source- and r1 the aim-offset.

2. I don't know if anyone has researched opening a second message box. I'm currently researching the Text-Box palette loading routine, just in case that sounds important. But as I'm using a German ROM, I can only be of little help. Not that I could be of much help if I used another ROM, lol.

3. I don't know, sorry.

DavidJCobb
August 15th, 2011, 10:52 PM
Turns out, the COIN CASE item script does not generate a secondary box as I recalled. However, through hours of brute-force near-blind-searching, I have managed to locate the assembly code used by the scripting engine. I've confirmed that my findings matched those presented here (http://www.pokecommunity.com/showthread.php?t=204934).

I have thus managed to locate the offsets of the ASM that runs when the scripting engine is processing the showcoins command. I anticipate that if I simply examine what data is passed to where, I can figure out the offset of the ASM that generates a secondary box. Manipulating that ASM should allow the script-based generation of a non-blocking (http://en.wikipedia.org/wiki/Blocking_%28computing%29) second message box alongside the standard scriptable one, without either replacing or forcibly closing the other.

I feel the need to mention that I have barely any idea what I'm doing. I am so incompetent at ASM that I cannot even get code that I've written to compile, let alone actually work. So I'm going to share what I find, so that if I fail, I'll at least have saved other people some time.

All offsets are in hex.

08069873
Part of the scripting engine. Calls 08069842.

08069842
Part of the scripting engine. Part of some code that reads the current command byte from the script and interprets it. If the current script byte is 0x00 (nop), this code calls 08069832. Otherwise, it calls 08069858.

08069858
Loads the current command byte into r1. Stores offset of the next byte of the script somewhere in the script engine's RAM (this is used later to grab the arguments). Examines some kind of table located at 0815F9B4 -- the table seems to map each command byte to the offset of its respective ASM code. For showcoins, this code loads 0x0806C259 into r1. Calls 081E3BAC.

081E3BAC
Calls whatever address has been stored in r1. For showcoins, that would be 0806C259.

0806C258
ASM for showcoins? Loads first and second argument (X and Y) into r5 and r4, respectively. Stores a pointer to the next command byte (the byte directly after the last argument) somewhere in the script engine's RAM (that RAM offset being held in r0). Calls 081119D4 (I haven't deciphered that yet). I haven't deciphered what this chunk of code does next, but it involves conditional (if r0 != 0x1) calls to 080D0554 and 080D072C, and then it goes back to 08069873, which processes the next command in the script.

- - - - - - - - - -

Ergo the ASM at 081119D4, and possibly also 080D0554 and 080D072C, are somehow responsible for loading a predetermined string ("[buffer] COINS", at 084162C4) into RAM (specifically, to offset 02021D18), drawing the frame of the secondary box, and drawing that string as the box's contents.

There are other things that I discovered in my blind search, though I do not know exactly where or how they fit into the showcoins functionality as a whole. They are:

I do not fully understand the assembly code at 08005ED4, but I do know that it loops through each character of the string after that string has been loaded into RAM and retrieves some value (stored in ROM) for each character. I suspect that it is obtaining the pixel widths that correspond to each charcode, though I do not know what it does with the numbers.

Multiple calls are made to 08002C48, a chunk of ASM code that seems to also be called on every frame of animation. Presumably it is called either to check for keypresses or to update what is on-screen, though I don't know why such checks would be run before the secondary box has even appeared. Perhaps it is done to prevent showcoins from blocking music and the playtime counter.

I suspect that assembly code at 08008FCC is what loads the message string into RAM, but I am not sure.

- - - - - - - - - -

EDIT1: ADDITIONAL FINDINGS

Still don't know what exactly 081119D4, above, does. But I know that 080D0554 loads the number of coins from DMA-protected memory, and 080D072C initiates a huge volume of code that eventually produces the secondary box.

08008E78 is the offset of an ASM function that buffers a number. It appears to divide the input by a number (hardcoded 0xA) and process the remainder, thereby splitting the number into digits. Each digit is compared to 0x9; if lower or equal to, the charcode for it is found; if greater than, the charcode AC ("?") is returned. I have no idea which register holds the number to be buffered, however.

08003CE4 calls different blocks of code depending on what kind of message is to be displayed. It runs once when the message is to be displayed, and then I think it runs on every frame of animation thereafter. I'm not sure, however; VBA-SDL-H is... temperamental, shall we say. Moving on:

When a message box is created, its data -- a 12-byte structure that was partially documented here (http://www.pokecommunity.com/showpost.php?p=6304155&postcount=19) -- is written either into the stack or into some memory area very close to it. (The stack pointer itself is frequently shifted and unshifted throughout the process. Confusing!) When the first eight bytes of the data have been put together, code at 08003DE8 generates the last four bytes (based on the last four bytes of the preceding message box data) and then moves the new structure from the stack-or-near-the-stack area into the proper RAM area. Note that there is always one chunk of message box data already in RAM -- that of the standard message box, even if that box is inactive.

08008FCC appears to be used to load the string from ROM into RAM. r0 is the destination offset, r1 is the source; for showcoins, they are 0x02021D18 (message to be displayed) and 0x084162C4 (" COINS"), respectively. Characters are transferred one at a time. Most charcodes are handled by a copying code at [B]080090A6, but codes FA through FF each have some kind of special handler, with FA's being at 08008FEC. I haven't investigated that further; it's not relevant to what I'm trying to find.

Here's a hierarchical chart of my findings:
0x08069842
Load and proess script byte.

0x08069858
Identify script command byte.

0x0806C258
ASM for showcoins. Retrieves arguments.

0x081119D4
Unknown. But if it sets r0 to
0x1, then showcoins doesn't do
anything.

0x080D0554
Retrieve coins from DMA-protected
memory and store in r0.

0x080D072C
Unknown. Starts generation of
secondary msgbox data.

0x0810FE50
Gathers certain attributes for
box sizing? Uses bitmasks of some
sort.

0x08003CE4
Calls different code blocks depending
on what kind of message box is being
shown. It seems as though every kind
of message box passes through here --
even the Start Menu!

It also locates the first unused slot
for message box position data in RAM.

0x08003D96
Unknown. Runs once for most message
boxes. Runs twice for the Start Menu
(once mid-sound, once after). Does not
run for signbox or msgbox.

0x08002B9C
Unknown.

0x08003DE8
Transfers the new message box position
data from some space near the stack to
the proper RAM offset.

0x0800445C
Unknown. Uses a software interrupt to
copy a section of memory.

0x08003FA0
Unknown. Some of the code it calls
runs a TON of weird and complicated
comparisons, returning 0x0 or 0x1
based on the result.

0x080D06D0
Triggers loading of the "[buffer]
COINS" display.

0x08008E78
Buffers a number. r2 specifies the
buffer to use?

0x08008FCC
Copies the string at r1 into the
offset at r0, one character at a
time. Calls special codes for each
charcode between 0xFA and 0xFF,
inclusive.

0x08005ED4
Unknown. But it seems important.

0x0806C287 (cont'd from 0x0806C258)
...Returns to the script engine
ASM to process the next command.


- - - - - - - - - -

EDIT2: ADDITIONAL FINDINGS

08002C48 is not actually called on every frame; that was just the debugger going haywire. It's only called a few times, and I suspect that it -- or code called by it -- triggers drawing and erasing of message boxes.

0800445C is the code that uses a software interrupt to copy data. It copies a very large chunk of data; I think it loads the tiles for either a box's frame or its interior.

And finally, I have managed to just barely manipulate secondary box generation. Have a look at this screenshot:

http://img215.imageshack.us/img215/2884/wildv0d165prelim5asm.png

You'll notice that there is a problem with the palettes... But look in the upper-left corner. That is the bottom corner of a secondary box! It even vanishes when another secondary box (or a multichoice) is displayed. However, I couldn't find the tiles for the secondary's text content in VBA's Tile Viewer... According to the Memory Viewer, however, a pointer to my text was successfully loaded to 0x02021D18, so it appears that the only issues left to solve are graphical ones.

Here's the ASM code I used, if anyone wants to have a look and see what they can find. You would use loadpointer to load a string into memory, and then call this with callasm. The code was modeled after that used by the game; essentially, it's a copy that loads the string you feed with loadpointer. (Apparently, it isn't a very accurate copy...)
.align 2
.thumb

main:
push {r0-r7,lr}
mov r4, #0x0
mov r3, #0x0
lsl r4, r4, #0x18
lsl r3, r3, #0x18
mov r0, #0x80
lsr r0, r0, #0x11
add r4, r4, r0
add r3, r3, r0
lsr r4, r4, #0x18
lsr r3, r3, #0x18
mov r0, #0x08
str r0, [sp]
mov r0, #0x03
str r0, [sp, #0x4]
mov r0, #0x0F
str r0, [sp, #0x8]
mov r0, #0x20
str r0, [sp, #0xC]
add r0, sp, #0x10
mov r1, #0x0
mov r2, r4
push {r7}
ldr r7, DATA_ASSEMBLE
bl CALL_GAME_ASM
pop {r7}
ldr r0, [sp, #0x18]
ldr r1, [sp, #0x14]
str r0, [sp, #0x18]
str r1, [sp, #0x1C]
ldr r4, UNKNOWN_DATA_1
add r0, sp, #0x18
strb r0, [r4]
ldrb r0, [r4]
mov r1, #0x0
push {r7}
ldr r7, UNKNOWN_FUNCTION_1
bl CALL_GAME_ASM
pop {r7}
ldrb r0, [r4]
push {r7}
ldr r7, UNKNOWN_FUNCTION_2
bl CALL_GAME_ASM
pop {r7}
ldrb r0, [r4]
ldr r5, UNKNOWN_DATA_2
mov r1, r5
mov r2, #0x0
push {r7}
ldr r7, UNKNOWN_FUNCTION_4
bl CALL_GAME_ASM
pop {r7}
ldrb r0, [r4]
mov r1, #0x0
mov r2, r5
mov r3, #0xD
push {r7}
ldr r7, UNKNOWN_FUNCTION_5
bl CALL_GAME_ASM
pop {r7}
ldrb r0, [r4]
ldr r2, SECONDARY_BOX_HEADER_STRING
mov r3, #0x0
str r3, [sp]
mov r1, #0xFF
str r1, [sp, #0x4]
str r3, [sp, #0x8]
mov r1, #0x2
push {r7}
ldr r7, UNKNOWN_FUNCTION_3
bl CALL_GAME_ASM
pop {r7}
mov r0, r6
bl COBB_SUBFUNCTION
add sp, #0x20
pop {r0-r7,pc}

COBB_SUBFUNCTION:
push {r4,lr}
add sp, #-0xC
ldr r0, STRING_RAM_OFFSET
ldr r1, SCRIPT_LOADED_POINTER_0
mov r3, #0x4
mov r4, r0
push {r7}
ldr r7, BODY_STRING_LOADER
bl CALL_GAME_ASM
pop {r7}
mov r0, #0x0
mov r1, r4
mov r2, #0x0
push {r7}
ldr r7, UNKNOWN_FUNCTION_6
bl CALL_GAME_ASM
pop {r7}
ldr r1, UNKNOWN_DATA_1
ldrb r1, [r1]
mov r3, #0x40
sub r3, r0
lsl r3, r3, #0x18
lsr r3, r3, #0x18
mov r0, #0xC
str r0, [sp]
mov r0, #0x0
str r0, [sp, #0x4]
str r0, [sp, #0x8]
mov r0, r1
mov r1, #0x0
mov r2, r4
push {r7}
ldr r7, UNKNOWN_FUNCTION_3
bl CALL_GAME_ASM
pop {r7}
add sp, #0xC
pop {r4}
pop {r0}
bx r0

CALL_GAME_ASM:
bx r7

SECONDARY_BOX_HEADER_STRING:
.word 0x08417C2D

SCRIPT_LOADED_POINTER_0:
.word 0x03000F14

STRING_RAM_OFFSET:
.word 0x02021D18

DATA_ASSEMBLE:
.word 0x810FE51

UNKNOWN_DATA_1:
.word 0x02039A28

UNKNOWN_FUNCTION_1:
.word 0x0800445D

UNKNOWN_FUNCTION_2:
.word 0x08003FA1

UNKNOWN_DATA_2:
.word 0x0000021D

UNKNOWN_FUNCTION_3:
.word 0x08002C49

UNKNOWN_FUNCTION_4:
.word 0x0814FF2D

UNKNOWN_FUNCTION_5:
.word 0x0810F2E9

BODY_STRING_LOADER:
.word 0x08008FCD

UNKNOWN_FUNCTION_6:
.word 0x08005ED5

- - - - - - - - - -


EDIT3:

Removing the call to 0814FF2C prevents palette damage, but it also prevents any messageboxes from appearing. It would seem that I am not providing the correct values to it; I'll have to investigate it further.

Mr.Pkmn
August 19th, 2011, 06:40 AM
How can we fix the broken sun weather in FRLG? Heavy rain works fine but intense sunlight makes the screen black.
Also I wonder if the snowy weather could set auto-hail, like other weathers do...

TheDarkShark
August 19th, 2011, 09:00 AM
@DavidJCobb: lol, while fiddling with the values in the memory viewer i managed to open a second textbox. All it does is showing the same text though...
Here's what I did: open apply a new value to the text box's y coordinate (in this case i chose 8) and open the text box. While it's open, apply a new value (here 0xf) and return to the game. when pressing A it will open the second text box.
Actually, only the second text box will be hidden when the script is ended, the first one is cleared.
Just in case you can use this...

DavidJCobb
August 19th, 2011, 01:43 PM
@DavidJCobb: lol, while fiddling with the values in the memory viewer i managed to open a second textbox. All it does is showing the same text though...
Here's what I did: open apply a new value to the text box's y coordinate (in this case i chose 8) and open the text box. While it's open, apply a new value (here 0xf) and return to the game. when pressing A it will open the second text box.
Actually, only the second text box will be hidden when the script is ended, the first one is cleared.
Just in case you can use this...
Ah, yes, you've taken advantage of our ability to modify the textbox's recorded coordinates before a screen repaint erases it. It is a clever technique.

However, I am looking to do something more ambitious: my goal is to manipulate the textbox generated by the showcoins/showmoney commands. These boxes, unlike the standard ones, are variable in size and can have their positions changed without properly-timed memory alterations.

The uses for a dynamically-positioned variably-sized non-blocking second message box are many and varied. For example, in dialogue-heavy hacks, the second box could function as a nametag positioned directly above the standard one, thereby removing the need to repeat the speaker's name in the main dialogue.

I am still having difficulty dissecting and identifying all of the code, but I already know of two things I can try. Furthermore I plan on finding the offsets of every single piece of ASM code that runs as part of the showcoins functionality. I may also investigate showmoney functionality and look for commonalities. If I can't accomplish my goal, I hope to at least save a significant amount of time for others who may pursue it in the future.

Team Fail
August 19th, 2011, 09:10 PM
I found three interesting offsets while fooling around in the RAM of Firered BPRE.

Offsets 0x02277AC0 to 0x02277AC2 have to do with screen refreshing (after toggling help menus or using warps) and if you make the game "freeze", just set the bytes to 00 00 00 to unfreeze it.

Also, I just found this, but if you modify the bytes 0x02277AB8 to 0x02277ABB and 0x02277AC8 to 0x02277ACB you can tinker with the fades to black and "freeze" it part way, leaving some tiles dimmed and some bright.

DavidJCobb
August 20th, 2011, 04:21 PM
I have managed to create ASM code that successfully displays a secondary message box with header text and body text.

http://img191.imageshack.us/img191/9020/successn.png

The capabilities and limitations of the code that I know of are as follows:


It has header and body text. You can specify strings for both, but you can't, say, display only a header.
The position and size cannot yet be changed. The underlying code is capable of taking single-byte X and Y arguments, but currently I just force them both to 0. SEE NEW CODE AT BOTTOM
I don't know if it works with \n, \l, \p, or any other formatting control codes. I didn't try any.
To hide the box, you can call hidecoins. It requires X and Y arguments, but doesn't appear to use them; it will hide the secondary box regardless of position and size.

Here's an example script to demonstrate how you would load your strings and call the ASM:

#dynamic 0x800000

#org @start
lock
loadpointer 0x0 @sHeader // Header text
loadpointer 0x1 @sBody // Body text
callasm 0x8780001 // Change this to wherever you place the ASM
release
end

#org @sHeader
= HEAD

#org @sBody
= BODY

And finally, the ASM:

.align 2
.thumb

SHOWCOINS:
push {lr}
push {r0-r7}
mov r5, #0x0
mov r4, #0x0
ldr r0, UNKNOWN_DATA_0
ldr r1, SHOWCOINS_UNK_1
bl CALL_R1
lsl r0, r0, #0x10
lsr r0, r0, #0x10
cmp r0, #0x1
beq SHOWCOINS_RETURN
mov r1, r5
mov r2, r4
bl SECONDARY
b SHOWCOINS_RETURN

SHOWCOINS_RETURN:
pop {r0-r7}
pop {pc}



SECONDARY:
push {lr}
push {r0-r7}
add sp, #-0x20
mov r6, r0
mov r4, r1
mov r3, r2
lsl r4, r4, #0x18
lsl r3, r3, #0x18
mov r0, #0x80
lsl r0, r0, #0x11
add r4, r4, r0
lsr r4, r4, #0x18
add r3, r3, r0
lsr r3, r3, #0x18
mov r0, #0x8
str r0, [sp]
mov r0, #0x3
str r0, [sp, #0x4]
mov r0, #0xF
str r0, [sp, #0x8]
mov r0, #0x20
str r0, [sp, #0xC]
add r0, sp, #0x10
mov r1, #0x0
mov r2, r4
ldr r4, UNKNOWN_FUNCTION_0
bl CALL_R4
ldr r0, [sp, #0x10]
ldr r1, [sp, #0x14]
str r0, [sp, #0x18]
str r1, [sp, #0x1C]
ldr r4, UNKNOWN_DATA_1
add r0, sp, #0x18
ldr r5, UNKNOWN_FUNCTION_1
bl CALL_R5
strb r0, [r4]
ldrb r0, [r4]
mov r1, #0x0
ldr r2, UNKNOWN_FUNCTION_2
bl CALL_R2
ldrb r0, [r4]
ldr r5, UNKNOWN_FUNCTION_3
bl CALL_R5
ldrb r0, [r4]
ldr r5, UNKNOWN_DATA_2
mov r1, r5
mov r2, #0xD0
ldr r3, UNKNOWN_FUNCTION_4
bl CALL_R3
ldrb r0, [r4]
mov r1, #0x0
mov r2, r5
mov r3, #0xD
ldr r6, UNKNOWN_FUNCTION_5
bl CALL_R6
ldrb r0, [r4]
ldr r2, SCRIPT_BANK_0
ldr r2, [r2]
mov r3, #0x0
str r3, [sp]
mov r1, #0xFF
str r1, [sp, #0x4]
str r3, [sp, #0x8]
mov r1, #0x2
ldr r7, UNKNOWN_FUNCTION_6
bl CALL_R7
mov r0, r6
bl SECONDARY_LOAD_BODY
add sp, #0x20
pop {r0-r7}
pop {pc}



SECONDARY_LOAD_BODY:
push {lr}
push {r0-r7}
add sp, #-0xC
mov r1, r0
ldr r0, BUFFER_RAM_OFFSET
mov r2, #0x1
mov r3, #0x4
ldr r6, UNKNOWN_FUNCTION_7
bl CALL_R6
ldr r4, STRING_RAM_OFFSET
ldr r1, SCRIPT_BANK_1
ldr r1, [r1]
mov r0, r4
ldr r6, BODY_STRING_LOADER
bl CALL_R6
mov r0, #0x0
mov r1, r4
mov r2, #0x0
ldr r6, UNKNOWN_FUNCTION_8
bl CALL_R6
ldr r1, UNKNOWN_DATA_1
ldrb r1, [r1]
mov r3, #0x40
sub r3, r3, r0
lsl r3, r3, #0x18
lsr r3, r3, #0x18
mov r0, #0xC
str r0, [sp]
mov r0, #0x0
str r0, [sp, #0x4]
str r0, [sp, #0x8]
mov r0, r1
mov r1, #0x0
mov r2, r4
ldr r6, UNKNOWN_FUNCTION_6
bl CALL_R6
add sp, #0xC
pop {r0-r7}
pop {pc}

CALL_R1:
bx r1
bx lr

CALL_R2:
bx r2
bx lr

CALL_R3:
bx r3
bx lr

CALL_R4:
bx r4
bx lr

CALL_R5:
bx r5
bx lr

CALL_R6:
bx r6
bx lr

CALL_R7:
bx r7
bx lr

.align 2
SCRIPT_BANK_0:
.word 0x03000F14

SCRIPT_BANK_1:
.word 0x03000F18

UNKNOWN_DATA_0:
.word 0x0809D6D5

UNKNOWN_DATA_1:
.word 0x02039A28

UNKNOWN_DATA_2:
.word 0x0000021D

SHOWCOINS_UNK_1:
.word 0x081119D5

UNKNOWN_FUNCTION_0:
.word 0x0810FE51

UNKNOWN_FUNCTION_1:
.word 0x08003CE5

UNKNOWN_FUNCTION_2:
.word 0x0800445D

UNKNOWN_FUNCTION_3:
.word 0x08003FA1

UNKNOWN_FUNCTION_4:
.word 0x0814FF2D

UNKNOWN_FUNCTION_5:
.word 0x0810F2E9

UNKNOWN_FUNCTION_6:
.word 0x08002C49

UNKNOWN_FUNCTION_7:
.word 0x08008E79

UNKNOWN_FUNCTION_8:
.word 0x08005ED5

BUFFER_RAM_OFFSET:
.word 0x02021CD0

STRING_RAM_OFFSET:
.word 0x02021D18

BODY_STRING_LOADER:
.word 0x08008FCD


This is the first fully-functional ASM code I have ever written. There is still much to be done, but this is a big step. C:

EDIT: New code. This one allows you to specify the box X, Y, width, and height using script variables.

http://img856.imageshack.us/img856/4985/successv3.png

Script:
#dynamic 0x800000

#org @start
lock
loadpointer 0x0 @sHeader // Header text
loadpointer 0x1 @sBody // Body text
setvar 0x8000 0x0003 // X -- single-byte!
setvar 0x8001 0x0001 // Y -- single-byte!
setvar 0x8002 0x000A // Width -- single-byte!
setvar 0x8003 0x0002 // Height -- single-byte!
callasm 0x8780001 // Change this to wherever you place the ASM

msgbox @sStandard 0x2 // just as a demonstration.

hidecoins 0x00 0x00 // hides secondary box.
release
end

#org @sHeader
= HEAD

#org @sBody
= BODY

#org @sStandard
= STANDARD

And new assembly:
.align 2
.thumb

SHOWCOINS:
push {lr}
push {r0-r7}
ldr r5, SCRIPT_VAR_8000
ldrh r5, [r5]
ldr r4, SCRIPT_VAR_8001
ldrh r4, [r4]
ldr r0, UNKNOWN_DATA_0
ldr r1, SHOWCOINS_UNK_1
bl CALL_R1
lsl r0, r0, #0x10
lsr r0, r0, #0x10
cmp r0, #0x1
beq SHOWCOINS_RETURN
mov r1, r5
mov r2, r4
bl SECONDARY
b SHOWCOINS_RETURN

SHOWCOINS_RETURN:
pop {r0-r7}
pop {pc}



SECONDARY:
push {lr}
push {r0-r7}
add sp, #-0x20
mov r6, r0
mov r4, r1
mov r3, r2
lsl r4, r4, #0x18
lsl r3, r3, #0x18
mov r0, #0x80
lsl r0, r0, #0x11
add r4, r4, r0
lsr r4, r4, #0x18
add r3, r3, r0
lsr r3, r3, #0x18
ldr r0, SCRIPT_VAR_8002
ldrh r0, [r0]
str r0, [sp]
ldr r0, SCRIPT_VAR_8003
ldrh r0, [r0]
str r0, [sp, #0x4]
mov r0, #0xF
str r0, [sp, #0x8]
mov r0, #0x20
str r0, [sp, #0xC]
add r0, sp, #0x10
mov r1, #0x0
mov r2, r4
ldr r4, UNKNOWN_FUNCTION_0
bl CALL_R4
ldr r0, [sp, #0x10]
ldr r1, [sp, #0x14]
str r0, [sp, #0x18]
str r1, [sp, #0x1C]
ldr r4, UNKNOWN_DATA_1
add r0, sp, #0x18
ldr r5, UNKNOWN_FUNCTION_1
bl CALL_R5
strb r0, [r4]
ldrb r0, [r4]
mov r1, #0x0
ldr r2, UNKNOWN_FUNCTION_2
bl CALL_R2
ldrb r0, [r4]
ldr r5, UNKNOWN_FUNCTION_3
bl CALL_R5
ldrb r0, [r4]
ldr r5, UNKNOWN_DATA_2
mov r1, r5
mov r2, #0xD0
ldr r3, UNKNOWN_FUNCTION_4
bl CALL_R3
ldrb r0, [r4]
mov r1, #0x0
mov r2, r5
mov r3, #0xD
ldr r6, UNKNOWN_FUNCTION_5
bl CALL_R6
ldrb r0, [r4]
ldr r2, SCRIPT_BANK_0
ldr r2, [r2]
mov r3, #0x0
str r3, [sp]
mov r1, #0xFF
str r1, [sp, #0x4]
str r3, [sp, #0x8]
mov r1, #0x2
ldr r7, UNKNOWN_FUNCTION_6
bl CALL_R7
mov r0, r6
bl SECONDARY_LOAD_BODY
add sp, #0x20
pop {r0-r7}
pop {pc}



SECONDARY_LOAD_BODY:
push {lr}
push {r0-r7}
add sp, #-0xC
mov r1, r0
ldr r0, BUFFER_RAM_OFFSET
mov r2, #0x1
mov r3, #0x4
ldr r6, UNKNOWN_FUNCTION_7
bl CALL_R6
ldr r4, STRING_RAM_OFFSET
ldr r1, SCRIPT_BANK_1
ldr r1, [r1]
mov r0, r4
ldr r6, BODY_STRING_LOADER
bl CALL_R6
mov r0, #0x0
mov r1, r4
mov r2, #0x0
ldr r6, UNKNOWN_FUNCTION_8
bl CALL_R6
ldr r1, UNKNOWN_DATA_1
ldrb r1, [r1]
mov r3, #0x40
sub r3, r3, r0
lsl r3, r3, #0x18
lsr r3, r3, #0x18
mov r0, #0xC
str r0, [sp]
mov r0, #0x0
str r0, [sp, #0x4]
str r0, [sp, #0x8]
mov r0, r1
mov r1, #0x0
mov r2, r4
ldr r6, UNKNOWN_FUNCTION_6
bl CALL_R6
add sp, #0xC
pop {r0-r7}
pop {pc}

CALL_R1:
bx r1
bx lr

CALL_R2:
bx r2
bx lr

CALL_R3:
bx r3
bx lr

CALL_R4:
bx r4
bx lr

CALL_R5:
bx r5
bx lr

CALL_R6:
bx r6
bx lr

CALL_R7:
bx r7
bx lr

.align 2
SCRIPT_BANK_0:
.word 0x03000F14

SCRIPT_BANK_1:
.word 0x03000F18

SCRIPT_VAR_8000:
.word 0x020370B8

SCRIPT_VAR_8001:
.word 0x020370BA

SCRIPT_VAR_8002:
.word 0x020370BC

SCRIPT_VAR_8003:
.word 0x020370BE

UNKNOWN_DATA_0:
.word 0x0809D6D5

UNKNOWN_DATA_1:
.word 0x02039A28

UNKNOWN_DATA_2:
.word 0x0000021D

SHOWCOINS_UNK_1:
.word 0x081119D5

UNKNOWN_FUNCTION_0:
.word 0x0810FE51

UNKNOWN_FUNCTION_1:
.word 0x08003CE5

UNKNOWN_FUNCTION_2:
.word 0x0800445D

UNKNOWN_FUNCTION_3:
.word 0x08003FA1

UNKNOWN_FUNCTION_4:
.word 0x0814FF2D

UNKNOWN_FUNCTION_5:
.word 0x0810F2E9

UNKNOWN_FUNCTION_6:
.word 0x08002C49

UNKNOWN_FUNCTION_7:
.word 0x08008E79

UNKNOWN_FUNCTION_8:
.word 0x08005ED5

BUFFER_RAM_OFFSET:
.word 0x02021CD0

STRING_RAM_OFFSET:
.word 0x02021D18

BODY_STRING_LOADER:
.word 0x08008FCD

Mr.Pkmn
August 20th, 2011, 10:37 PM
I'm sorry to bump, but since it was the last post of the page i throught it passed unnoticed...

How can we fix the broken sun weather in FRLG? Heavy rain works fine but intense sunlight makes the screen black.
Also I wonder if the snowy weather could set auto-hail, like other weathers do...

TheDarkShark
August 21st, 2011, 05:26 AM
@Mr.Pkmn: I think fog has already been researched. I'm sure it'd be easy to find the main weather-routine by debugging that one.

@DavidJCobb: Ah, so that's what you meant... I thought you wanted another textbox like I have an the screenshot I posted above. I think I'll take a look into porting this over to the German version of Firered... but I already told Jambo I would port the trainer mugshot thing first. I'll see what I can do. Pretty neat, anyway. I think I can make good use of the text-rendering when I work on my hack again...

EdensElite
August 31st, 2011, 03:40 PM
How do you edit the PC Boxes? I assume its they are graphics in the ROM but I can't find them on unLZ.

DavidJCobb
August 31st, 2011, 07:54 PM
Out of boredom, I dug through every single script and OW in a clean FireRed BPRE ROM and wrote down every single flag and variable I could find. My findings are below, and include OW-visibility flags, item ownership flags, and more. (Not trainer or world map flags, though.)

Summarized flag findings:
Flags 0x000 - 0x006, at minimum, are temporary flags and are directly manipulated by the game engine.

Flags 0x011 - 0x01F are used to control the visibility of destructible OWs, i.e. Rock Smash boulders. They are probably cleared by the game engine every time a map is loaded, as no level scripts clear them. Do not use them on standard OWs.

Flag 0x266 appears to be directly manipulated by the game engine. If set, there is an EGG waiting for you in the Four Island Daycare Center. It is unset manually by scripts if you choose to discard the egg.

The game does not use checkitem to see if you have an item; instead, Game Freak scripts will always check for flags that were set as part of the event sequence that gave you the item (or it may even check for the OW-visibility flags if it was a pickup). E.x. the game uses "checkflag 0x271" after manually setting it, not "checkitem ITEM_BICYCLE 0x1".

A similar thing is done with badges. The "champ-in-making" guy that always chills next to a Gym statue doesn't check badge flags directly; there are eight flags (4B0-4B7) that are set along with those flags, which he checks. Redundant...

Not all of the listed OW-visibility flags are set/cleared directly. Most of them correspond to Person IDs in AMap, and are indirectly altered when one uses "hidesprite" on the Persons (referring to them by Person event number rather than ID).

Notable flags:
Flags 0x011 - 0x01F are used to control the visibility of destructible OWs.

Flag 0x266 is set by the game engine if an Egg is in the Daycare.

Flags 0x4B0 - 0x4B7 affect the "champ-in-making" guy's dialogue in Gyms.

Flags 0x4B8 - 0x4BC are set if the player has beaten {whoever} in the Elite Four during their current attempt at it. They're cleared upon entering the Hall of Fame registration room.

Flags 0x500 - 0x700 are trainer flags.

Flags 0x820 - 0x827 are read directly by the game engine and determine Badge acquisition. But we already knew this.

Flag 0x82D is set if you customize your profile by talking to some woman in some PokeCenter. Apparently directly set by the game engine.

If Flag 0x834 is set, then the player knows the name of Bill's PC (as opposed to "Someone's" PC). Don't know if this affects the PC menu, but it affects dialogue shown when receiving a Pokemon and having it sent to the PC.

Flag 0x842 may have something to do with wireless functionality or some minigame. It's checked after healing at a PokeCenter.

Flag 0x844 is set when Celio connects to Lanette -- IOW when you can trade with R/S/E. Don't mistake it for the E4 completion flag like I almost did.

Flag 0x849 is set when you solve the Tanoby Key.

If Flags 0x84A and 0x84B are cleared, the Vermilion City dockworker won't even bother checking for the MysticTicket and AuroraTicket, respectively. You won't be able to use them. I don't know what sets or clears these flags.

Flags 0x890 - 0x8FD are world map flags.

Flags 0x900 and up overlap the RAM used for script variables and hence ARE NOT SAFE TO USE.

Summarized variable findings:
0x4020 - 0x4024 are all pedometers, the first of them controlling REPEL expiration.

0x4036 is used for Selphy's Pokemon-fetching game. (She's the woman at Resort Gorgeous). I don't know what modifies this var -- possibly the game engine itself?

0x403A is used in elevator scripts and is directly modified when special 0xD8 is called. Don't store anything that you want to be permanent in this variable.

Vars 0x4064 through 0x4066 are used as part of the boulder puzzles in Victory Road. They're also cleared upon entering Route 23, along with 0x4067.

0x4069 sets which fossil is being revived in Cinnabar Island, and 0x406A sets the progress (1 = active, 2 = complete).

Full findings:
Some of the flags and variables are set by a script that runs once at the start of the game. This script is called by the game engine itself, and shall be referred to as "game start script" in the notes below.

LIST OF IDENTIFIED IN-GAME FLAGS (FIRERED)

002 Apparent temporary flag.
003 Apparent temporary flag.
004 Apparent temporary flag.
005 Apparent temporary flag.
006 Apparent temporary flag.
011 Used for a CUT tree in VIRIDIAN CITY.
Used for ROCK SMASH boulders in KINDLE ROAD and ROCK TUNNEL (1.82).
012 Used for CUT trees in
VIRIDIAN,PEWTER,VERMILION,FUCHSIA;
2+3 ISLES;
RTS 8,9,10,12,13,14,16,25;
BOND BRIDGE, FIVE ISLE MEADOW;
BERRY FOREST;
ERIKA's Gym
Used for ROCK SMASH boulders in
FOUR ISLAND;
SEVAULT CANYON;
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97,99,103,104,105,106,107,108)
013 Used for CUT trees in
CERULEAN CITY, CELADON CITY, FUCHSIA CITY;
RTS 1, 8, 10, 14;
BOND BRIDGE, FIVE ISLE MEADOW;
BERRY FOREST;
ERIKA's Gym
Used for ROCK SMASH boulders in
KINDLE ROAD, SEVAULT CANYON;
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97,99,103,104,105,106,108)
014 Used for CUT trees in
CELADON CITY, FUCHSIA CITY;
ROUTE 1, ROUTE 10, ROUTE 14;
BERRY FOREST;
ERIKA's Gym
Used for ROCK SMASH boulders in
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97, 1.99, 1.103, 1.104, 1.105, 1.106)
015 Used for CUT trees in FUCHSIA CITY, ROUTE 1, ROUTE 10, and BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, SEVAULT CANYON;
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97, 1.99, 1.103, 1.104, 1.105, 1.106)
016 Used for CUT trees in ROUTE 1 and BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, SEVAULT CANYON;
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97, 1.99, 1.103, 1.106)
017 Used for a CUT tree in BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, SEVAULT CANYON;
CERULEAN CAVE (1.72, 1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.97, 1.99, 1.106)
018 Used for a CUT tree in BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, CERULEAN CAVE (1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.99)
019 Used for a CUT tree in BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, CERULEAN CAVE (1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.99)
01A Used for a CUT tree in BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, CERULEAN CAVE (1.73, 1.74), ROCK TUNNEL (1.82), MT. EMBER (1.99)
01B Used for a CUT tree in BERRY FOREST.
Used for ROCK SMASH boulders in
KINDLE ROAD, SEVAULT CANYON;
CERULEAN CAVE (1.73), ROCK TUNNEL (1.82)
01C Used for ROCK SMASH boulders in KINDLE ROAD and ROCK TUNNEL (1.82).
01D Used for ROCK SMASH boulders in KINDLE ROAD and ROCK TUNNEL (1.82).
01E Used for ROCK SMASH boulders in KINDLE ROAD and ROCK TUNNEL (1.82).
01F Used for ROCK SMASH boulders in KINDLE ROAD and ROCK TUNNEL (1.82).
028 Controls visibility of the BULBASAUR BALL OW in OAK's Lab.
029 Controls visibility of the CHARMANDER BALL OW in OAK's Lab.
02A Controls visibility of the SQUIRTLE BALL OW in OAK's Lab.
02B Controls visibility of the OAK OW in OAK's Lab (PALLET TOWN (4.3)).
Set by GAME START SCRIPT.
Cleared after the "Don't go out yet!" OAK Script event.
02C Controls visibility of the OAK OW in PALLET TOWN (3.0).
Set by GAME START SCRIPT.
Set after the wild-battle-with-OAK Script event.
Set after OAK welcomes the player back to PALLET TOWN (level script).
02D Controls visibility of GARY's OW in OAK's Lab (PALLET TOWN (4.3)).
02E Controls visibility of the "You Must Battle Brock" guy in PEWTER CITY.
Cleared after he escorts you to the Gym.
02F Controls visibility of DOME FOSSIL OW in MT. MOON (1.3).
Cleared if you enter MT. MOON (1.3) while 232 is cleared.
030 Controls visibility of HELIX FOSSIL OW in MT. MOON (1.3).
Cleared if you enter MT. MOON (1.3) while 232 is cleared.
031 Controls visibility of the NUGGET BRIDGE prize-giver OW in ROUTE 24.
Set after BILL gives the player the S.S. ANNE TICKET.
032 Controls visibility of BILL's mutant OW in his cottage (ROUTE 25 (30.0)).
033 Controls visibility of BILL's OW in his cottage (ROUTE 25 (30.0)).
Set by GAME START SCRIPT.
Cleared when the player helps BILL turn back into a human being.
034 Controls visibility of MR. FUJI's OW in POKeMON TOWER (1.94).
035 Controls visibility of MR. FUJI's OW in LAVENDER TOWN (8.2).
Set by GAME START SCRIPT.
Cleared after talking to MR. FUJI in POKeMON TOWER.
036 Controls visibility of an item OW in ROCKET HIDEOUT (1.45).
Set by GAME START SCRIPT.
037 Controls visibility of the item OW (SILPH SCOPE) in ROCKET HIDEOUT (1.45).
Set by GAME START SCRIPT.
Cleared after beating GIOVANNI for the first time.
038 Controls visibility of GIOVANNI's OW in ROCKET HIDEOUT (1.45).
039 Controls visibility of the TOWN MAP OW in Daisy's house (PALLET TOWN (4.2)).
03A Controls visibility of the POKEDEX OWs in OAK's Lab (PALLET TOWN (4.3)).
03B Controls visibility of the TEAM ROCKET GRUNT OW in CERULEAN CITY.
03C Controls visibility of the Rival OW in CERULEAN CITY.
Set by GAME START SCRIPT.
03D Controls visibility of the Rival OW in S.S. ANNE (1.6).
Set by GAME START SCRIPT.
Set every time you enter LAVENDER TOWN.
03E Controls visibility of the TEAM ROCKET GRUNT OWs in SAFFRON CITY.
Set after beating TEAM ROCKET at SILPH CO.
03F Controls visibility of the civilian OWs in SAFFRON CITY and the receptionist OW in SILPH CO. (1.47).
Set by GAME START SCRIPT.
Cleared after beating TEAM ROCKET at SILPH CO.
040 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.83).
041 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.83).
042 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.84).
043 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.84).
044 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.85).
045 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.85).
046 Controls visibility of a current-blocking STRENGTH boulder in SEAFOAM ISLANDS (1.86).
047 Controls visibility of a current-blocking STRENGTH boulder in SEAFOAM ISLANDS (1.86).
048 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.86).
049 Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.86).
04A Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.86).
04B Controls visibility of a STRENGTH boulder in SEAFOAM ISLANDS (1.86).
04C Controls visibility of a current-blocking STRENGTH boulder in SEAFOAM ISLANDS (1.87).
04D Controls visibility of a current-blocking STRENGTH boulder in SEAFOAM ISLANDS (1.87).
04E Controls visibility of Gary's OW in SILPH CO. (1.53).
04F Controls visibility of Gary's OW in ROUTE 22.
Set by GAME START SCRIPT.
050 Unknown. Cleared after an NPC escorts you to the MUSEUM in PEWTER CITY.
051 Controls visibility of Gary's OW in POKeMON TOWER (1.89).
052 Controls visibility of the MOLTRES OW in MT. EMBER (1.101).
Cleared if the player enters the map while 2BD is unset (MOLTRES not fainted/0x5'd).
053 Controls visibility of TEAM ROCKET GRUNT OWs in SILPH CO., and of GIOVANNI's OW in SILPH CO..
054 Controls visibility of the SNORLAX OW on ROUTE 12.
Set immediately before the battle with the SNORLAX on ROUTE 12.
055 Controls visibility of GIOVANNI's OW in VIRIDIAN CITY's Gym.
057 Controls visibility of the EEVEE BALL OW in CELADON CITY (10.11).
058 Controls visibility of a STRENGTH boulder in VICTORY ROAD (1.40).
059 Controls visibility of a STRENGTH boulder in VICTORY ROAD (1.41).
05A Controls visibility of OAK's OW in POKeMON LEAGUE (1.79).
Set by GAME START SCRIPT.
05B Controls visibility of a TEAM ROCKET GRUNT OW in the GAME CORNER.
05C Controls visibility of the OW that blocks access to CERULEAN CAVE.
Set after finishing the CELIO/RUBY/SAPPHIRE subplot.
05D Controls visibility of the ZAPDOS OW in POWER PLANT (1.95).
05E Controls visibility of a TEAM ROCKET GRUNT in POKeMON TOWER (1.94).
05F Controls visibility of the TEAM ROCKET GRUNT OWs in CELADON CITY.
Controls visibility of the SILPH CO. employee OW in CELADON CITY.
Set after beating GIOVANNI for the first time, in the hideout beneath the GAME CORNER.
060 Controls visibility of the HITMONLEE BALL OW in the FIGHTING DOJO (SAFFRON CITY (14.2)).
061 Controls visibility of the HITMONCHAN BALL OW in the FIGHTING DOJO (SAFFRON CITY (14.2)).
062 Controls visibility of BILL's OW in CINNABAR ISLAND.
Set by GAME START SCRIPT.
Cleared after beating CINNABAR ISLAND Gym Leader BLAINE, and after encountering BILL in the CINNABAR
ISLAND PokeCenter.
063 Controls visibility of a Player OW in the Union Room (0.4).
064 Controls visibility of a Player OW in the Union Room (0.4).
065 Controls visibility of a Player OW in the Union Room (0.4).
066 Controls visibility of a Player OW in the Union Room (0.4).
067 Controls visibility of a Player OW in the Union Room (0.4).
068 Controls visibility of a Player OW in the Union Room (0.4).
069 Controls visibility of a Player OW in the Union Room (0.4).
06A Controls visibility of a Player OW in the Union Room (0.4).
06B Controls visibility of the SEAGALLOP Ferry OW in CINNABAR ISLAND.
Set by GAME START SCRIPT.
06C Controls visibility of an OW in SAFFRON's fan club. He responds to your TRAINER CARD stickers.
Set by GAME START SCRIPT.
06D Controls visibility of an OW in SAFFRON's fan club. He responds to your TRAINER CARD stickers.
Set by GAME START SCRIPT.
06E Controls visibility of an OW in SAFFRON's fan club. She responds to your TRAINER CARD stickers.
Set by GAME START SCRIPT.
06F Controls visibility of an OW in SAFFRON's fan club. She responds to your TRAINER CARD stickers.
Set by GAME START SCRIPT.
070 Controls visibility of green-suit OW in the second floor of all PokeCenters.
Altered by the Pokemon Center 2F level scripts.
071 Controls visibility of BILL's OW in ONE ISLAND.
072 Controls visibility of BILL's OW in ONE ISLAND's PokeCenter.
073 Controls visibility of CELIO's OW in ONE ISLAND's PokeCenter.
074 Controls visibility of a Biker OW in TWO ISLAND's GAME CORNER.
Set by GAME START SCRIPT.
075 Controls visibility of LOSTELLE's OW in TWO ISLAND's GAME CORNER.
Set by GAME START SCRIPT.
076 Controls visibility of LOSTELLE's OW in her home in THREE ISLAND (THREE ISLAND (34.0)).
Set by GAME START SCRIPT.
079 Controls visibility of Biker OWs in THREE ISLAND and THREE ISLE PORT.
07A Controls visibility of LOSTELLE's OW in BERRY FOREST.
07B Controls visibility of a shopper OW in TWO ISLAND.
Set by GAME START SCRIPT.
Cleared when the TWO ISLAND shopkeeper hears about Lostelle. (TWO ISLAND level script.)
07C Controls visibility of a BRUNO-rumor-telling OW in TWO ISLAND.
Set by GAME START SCRIPT.
Cleared when the TWO ISLAND shopkeeper hears about Gym progress. (TWO ISLAND level script.)
07D Controls visibility of a shopper OW in TWO ISLAND.
Set by GAME START SCRIPT.
Cleared when the TWO ISLAND shopkeeper hears about E4 progress. (TWO ISLAND level script.)
07E Controls visibility of anti-Biker OWs in THREE ISLAND.
Set when entering THREE ISLAND after you've rescued LOSTELLE (2A3 is set).
080 Controls visibility of the SNORLAX OW in ROUTE 16.
Set immediately before the battle with the SNORLAX on ROUTE 16.
081 Controls visibility of the MEWTWO OW in CERULEAN CAVE (1.74).
082 Controls visibility of the ARTICUNO OW in SEAFOAM ISLANDS (1.87).
083 Controls visibility of a TEAM ROCKET GRUNT in POKeMON TOWER (1.94).
084 Controls visibility of a TEAM ROCKET GRUNT in POKeMON TOWER (1.94).
085 Controls visibility of a VOLTORB in POWER PLANT (1.95).
086 Controls visibility of a VOLTORB in POWER PLANT (1.95).
087 Controls visibility of S.S. ANNE OW in S.S. ANNE (1.4).
088 Controls visibility of TEAM ROCKET GRUNT OWs in FIVE ISLE MEADOW, OUTCAST ISLAND, and ROCKET WAREHOUSE.
Set if the player has defeated TEAM ROCKET at ROCKET WAREHOUSE.
089 Controls visibility of TEAM ROCKET GRUNT OWs in MT. EMBER (1.97).
08A Controls visibility of the RUBY OW in MT. EMBER (1.102).
08B Controls visibility of LORELEI's OW in ICEFALL CAVE (1.113).
08C Controls visibility of LORELEI's OW in her home on FOUR ISLAND.
Set by GAME START SCRIPT.
Set after finishing the CELIO/RUBY/SAPPHIRE subplot.
Cleared after assisting LORELEI in ICEFALL CAVE.
08D Controls visibility of TEAM ROCKET GRUNT OWs in ICEFALL CAVE (1.113).
08E Controls visibility of the scientist OW in RUIN VALLEY.
Set after assisting LORELEI in ICEFALL CAVE.
08F Controls visibility of the SAPPHIRE OW in DOTTED HOLE (1.120).
090 Controls visibility of the thief OW in DOTTED HOLE (1.120).
Set by GAME START SCRIPT.
091 Controls visibility of one single Biker OW in THREE ISLAND.
Set by GAME START SCRIPT.
Cleared after a brief confrontation with a biker at the TWO ISLAND GAME CORNER.
092 Controls visibility of the Running Shoes guy in PEWTER CITY.
Set by GAME START SCRIPT.
Cleared after beating PEWTER CITY Gym Leader BROCK.
093 Controls visibility of SELPHY's OW in LOST CAVE (2.22).
094 Controls visibility of SELPHY's OW in RESORT GORGEOUS.
Set by GAME START SCRIPT.
Cleared after rescuing SELPHY from LOST CAVE, before warping to RESORT GORGEOUS.
095 Controls visibility of SELPHY's OW in her home at RESORT GORGEOUS (RESORT GORGEOUS (39.0)).
Set by GAME START SCRIPT.
Cleared after rescuing SELPHY from LOST CAVE, after she dismisses you from her front door.
096 Controls visibility of SELPHY's Butler's OW in her home at RESORT GORGEOUS.
Set by GAME START SCRIPT.
097 Controls visibility of GARY's OW in FOUR ISLAND.
Set by GAME START SCRIPT.
Cleared by one FOUR ISLAND level script if another (Gary encounter) is able to run.
098 Controls visibility of GARY's OW in SIX ISLAND's PokeCenter.
099 Controls visibility of the DEOXYS OW in BIRTH ISLAND (2.56).
Set by GAME START SCRIPT.
Set when entering the map after 2E4 is set.
09A Controls visibility of the Triangle OW in BIRTH ISLAND (2.56).
Set when entering the map after 2E4 is set. Cleared when wnetering when 2E4 is cleared
and 2F7 (DEOXYS fainted) is unset.
09B Controls visibility of the LUGIA OW in NAVEL ROCK (2.38).
Set when entering the map after 2F2 is set. Cleared when entering when 2F2 is cleared
and 2F5 (fainted) is unset.
09C Controls visibility of the HO-OH OW in NAVEL ROCK (2.37).
Set when entering the map after 2F3 is set. Cleared when entering when 2F3 is cleared
and 2F6 (fainted) is unset.
09D Controls visibility of certain FAME CHECKER NPCs that spawn in after you beat the Elite Four. It is cleared
during a Hall of Rame room level script.
Set by GAME START SCRIPT.
Controls visibility of the FUJI fan OW in LAVENDER CITY's PokeCenter.
Controls visibility of the LANCE fan OW in SAFFRON CITY (near the Trainer Fan Club).
Controls visibility of the BRUNO fan OW in EMBER SPA.
09E Controls visibility of two invisible Person events on a bookcase in CELADON CITY (10.8). They contain FAME
CHECKER data on ERIKA.
Set by GAME START SCRIPT.
09F Unknown.
Set by GAME START SCRIPT.
0A0 Unknown.
Set by GAME START SCRIPT.
0A1 Controls visibility of the OAK Assistant OW in VERMILION CITY.
Set by GAME START SCRIPT.
Set when entering VERMILION CITY while 2F9 is set.
0A2 Controls visibility of BILL's OW in the CINNABAR ISLAND PokeCenter.
Set by GAME START SCRIPT.
0A3 Controls visibility of OAK's OW at the INDIGO PLATEAU (3.9).
Set by GAME START SCRIPT.
0A4 Unknown.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0A5 Controls visibility of a MEOWTH Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0A6 Controls visibility of a CHANSEY Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0A7 Controls visibility of a NIDORANF Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0A8 Controls visibility of a JIGGLYPUFF Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0A9 Controls visibility of a NIDORANM Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0AA Controls visibility of a FEAROW Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0AB Controls visibility of a PIDGEOT Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0AC Controls visibility of a LAPRAS Doll OW in LORELEI's home on FOUR ISLAND.
Set by GAME START SCRIPT.
Conditionally cleared by special 1B9.
0AD Controls visibility of TEAM ROCKET GRUNT OWs in MT. MOON (1.3) and ROCKET HIDEOUT (all).
Set after beating VIRIDIAN CITY Gym Leader GIOVANNI.
0AE Unknown.
Set by GAME START SCRIPT.
154 Controls visibility of an item OW in ROUTE 1.
155 Controls visibility of an item OW in ROUTE 1.
156 Controls visibility of an item OW in VIRIDIAN FOREST.
157 Controls visibility of an item OW in VIRIDIAN FOREST.
158 Controls visibility of an item OW in VIRIDIAN FOREST.
159 Controls visibility of an item OW in MT. MOON (1.1).
15A Controls visibility of an item OW in MT. MOON (1.1).
15B Controls visibility of an item OW in MT. MOON (1.1).
15C Controls visibility of an item OW in MT. MOON (1.1).
15D Controls visibility of an item OW in MT. MOON (1.1).
15E Controls visibility of an item OW in MT. MOON (1.1).
15F Controls visibility of an item OW in MT. MOON (1.3).
160 Controls visibility of an item OW in MT. MOON (1.3).
161 Controls visibility of an item OW in ROUTE 4.
162 Controls visibility of an item OW in ROUTE 24.
163 Controls visibility of an item OW in ROUTE 25.
164 Controls visibility of an item OW in S.S. ANNE (1.13).
165 Controls visibility of an item OW in S.S. ANNE (1.19).
166 Controls visibility of an item OW in S.S. ANNE (1.21).
167 Controls visibility of an item OW in S.S. ANNE (1.25).
168 Controls visibility of an item OW in S.S. ANNE (1.26).
169 Controls visibility of an item OW in S.S. ANNE (1.28).
16A Controls visibility of an item OW in S.S. ANNE (1.10).
16B Controls visibility of an item OW in ROUTE 9.
16C Controls visibility of an item OW in ROCKET HIDEOUT (1.42).
16D Controls visibility of an item OW in ROCKET HIDEOUT (1.42).
16E Controls visibility of an item OW in ROCKET HIDEOUT (1.43).
16F Controls visibility of an item OW in ROCKET HIDEOUT (1.43).
170 Controls visibility of an item OW in ROCKET HIDEOUT (1.43).
171 Controls visibility of an item OW in ROCKET HIDEOUT (1.43).
172 Controls visibility of an item OW in ROCKET HIDEOUT (1.44).
173 Controls visibility of an item OW in ROCKET HIDEOUT (1.44).
174 Controls visibility of an item OW in ROCKET HIDEOUT (1.45).
175 Controls visibility of an item OW in ROCKET HIDEOUT (1.45).
176 Controls visibility of an item OW in ROCKET HIDEOUT (1.45).
177 Controls visibility of an item OW in POKeMON TOWER (1.90).
178 Controls visibility of an item OW in POKeMON TOWER (1.91).
179 Controls visibility of an item OW in POKeMON TOWER (1.91).
17A Controls visibility of an item OW in POKeMON TOWER (1.91).
17B Controls visibility of an item OW in POKeMON TOWER (1.92).
17C Controls visibility of an item OW in POKeMON TOWER (1.93).
17D Controls visibility of an item OW in POKeMON TOWER (1.93).
17E Controls visibility of an item OW in ROUTE 12.
17F Controls visibility of an item OW in ROUTE 12.
180 Controls visibility of an item OW in ROUTE 15.
181 Controls visibility of an item OW in SAFARI ZONE (1.63).
182 Controls visibility of an item OW in SAFARI ZONE (1.64).
183 Controls visibility of an item OW in SAFARI ZONE (1.64).
184 Controls visibility of an item OW in SAFARI ZONE (1.64).
185 Controls visibility of an item OW in SAFARI ZONE (1.64).
186 Controls visibility of an item OW in SAFARI ZONE (1.65).
187 Controls visibility of an item OW in SAFARI ZONE (1.65).
188 Controls visibility of an item OW in SAFARI ZONE (1.66).
189 Controls visibility of the item OW (GOLD TEETH) in SAFARI ZONE (1.66).
18A Controls visibility of an item OW in SAFARI ZONE (1.66).
18B Controls visibility of an item OW in SAFARI ZONE (1.66).
18C Controls visibility of an item OW in SILPH CO. (1.49).
18D Controls visibility of an item OW in SILPH CO. (1.50).
18E Controls visibility of an item OW in SILPH CO. (1.50).
18F Controls visibility of an item OW in SILPH CO. (1.50).
190 Controls visibility of an item OW in SILPH CO. (1.51).
191 Controls visibility of an item OW in SILPH CO. (1.51).
192 Controls visibility of the item OW (CARD KEY) in SILPH CO. (1.52). Set if the player has the CARD KEY.
193 Controls visibility of an item OW in SILPH CO. (1.52).
194 Controls visibility of an item OW in SILPH CO. (1.52).
195 Controls visibility of an item OW in SILPH CO. (1.53).
196 Controls visibility of an item OW in SILPH CO. (1.53).
197 Controls visibility of an item OW in SILPH CO. (1.56).
198 Controls visibility of an item OW in SILPH CO. (1.56).
199 Controls visibility of an item OW in SILPH CO. (1.56).
19A Controls visibility of an item OW in POWER PLANT (1.95).
19B Controls visibility of an item OW in POWER PLANT (1.95).
19C Controls visibility of an item OW in POWER PLANT (1.95).
19D Controls visibility of an item OW in POWER PLANT (1.95).
19E Controls visibility of an item OW in POWER PLANT (1.95).
19F Controls visibility of an item OW in POKeMON MANSION (1.59).
1A1 Controls visibility of an item OW in POKeMON MANSION (1.60).
1A2 Controls visibility of an item OW in POKeMON MANSION (1.61).
1A3 Controls visibility of an item OW in POKeMON MANSION (1.61).
1A4 Controls visibility of an item OW in POKeMON MANSION (1.62).
1A5 Controls visibility of an item OW in POKeMON MANSION (1.62).
1A7 Controls visibility of an item OW in POKeMON MANSION (1.62).
1A8 Controls visibility of the item OW (SECRET KEY) in POKeMON MANSION (1.62).
Set if the player has the key for CINNABAR ISLAND's Gym.
1A9 Controls visibility of an item OW in VICTORY ROAD (1.39).
1AA Controls visibility of an item OW in VICTORY ROAD (1.39).
1AB Controls visibility of an item OW in VICTORY ROAD (1.40).
1AC Controls visibility of an item OW in VICTORY ROAD (1.40).
1AD Controls visibility of an item OW in VICTORY ROAD (1.40).
1AE Controls visibility of an item OW in VICTORY ROAD (1.40).
1AF Controls visibility of an item OW in VICTORY ROAD (1.41).
1B0 Controls visibility of an item OW in VICTORY ROAD (1.41).
1B1 Controls visibility of an item OW in CERULEAN CAVE (1.72).
1B2 Controls visibility of an item OW in CERULEAN CAVE (1.72).
1B3 Controls visibility of an item OW in CERULEAN CAVE (1.72).
1B4 Controls visibility of an item OW in CERULEAN CAVE (1.73).
1B5 Controls visibility of an item OW in CERULEAN CAVE (1.73).
1B6 Controls visibility of an item OW in CERULEAN CAVE (1.73).
1B7 Controls visibility of an item OW in CERULEAN CAVE (1.74).
1B8 Controls visibility of an item OW in CERULEAN CAVE (1.74).
1B9 Controls visibility of an item OW in FUCHSIA CITY (11.7).
1BA Controls visibility of an item OW in TWO ISLAND.
1BB Controls visibility of an item OW in THREE ISLAND.
1BE Controls visibility of an item OW in VIRIDIAN FOREST.
1BF Controls visibility of an item OW in MT. MOON (1.3).
1C0 Controls visibility of an item OW in MT. MOON (1.3).
1C1 Controls visibility of an item OW in ROUTE 11.
1C2 Controls visibility of an item OW in ROUTE 9.
1C3 Controls visibility of an item OW in ROCK TUNNEL (1.81).
1C4 Controls visibility of an item OW in ROCK TUNNEL (1.81).
1C5 Controls visibility of an item OW in ROCK TUNNEL (1.81).
1C6 Controls visibility of an item OW in ROCK TUNNEL (1.82).
1C7 Controls visibility of an item OW in ROCK TUNNEL (1.82).
1C8 Controls visibility of an item OW in SILPH CO. (1.54).
1C9 Controls visibility of an item OW in SILPH CO. (1.57).
1CA Controls visibility of an item OW in POKeMON MANSION (1.59).
1CB Controls visibility of an item OW in POKeMON MANSION (1.60).
1CC Controls visibility of an item OW in POKeMON MANSION (1.60).
1CD Controls visibility of an item OW in VIRIDIAN CITY.
1CE Controls visibility of an item OW in ROUTE 11.
1CF Controls visibility of an item OW in ROUTE 11.
1D0 Controls visibility of an item OW in POKeMON TOWER (1.92).
1D1 Controls visibility of an item OW in CELADON CITY.
1D2 Controls visibility of an item OW in ROCKET HIDEOUT (1.44).
1D3 Controls visibility of an item OW in SAFARI ZONE (1.65).
1D4 Controls visibility of an item OW in SEAFOAM ISLANDS (1.83).
1D5 Controls visibility of an item OW in SEAFOAM ISLANDS (1.84).
1D6 Controls visibility of an item OW in SEAFOAM ISLANDS (1.84).
1D7 Controls visibility of an item OW in SEAFOAM ISLANDS (1.85).
1D8 Controls visibility of an item OW in SEAFOAM ISLANDS (1.87).
1D9 Controls visibility of an item OW in FOUR ISLAND.
1DA Controls visibility of an item OW in FOUR ISLAND.
1DB Controls visibility of an item OW in KINDLE ROAD.
1DC Controls visibility of an item OW in KINDLE ROAD.
1DD Controls visibility of an item OW in KINDLE ROAD.
1DE Controls visibility of an item OW in FIVE ISLE MEADOW.
1DF Controls visibility of an item OW in FIVE ISLE MEADOW.
1E0 Controls visibility of an item OW in MEMORIAL PILLAR.
1E1 Controls visibility of an item OW in OUTCAST ISLAND.
1E2 Controls visibility of an item OW in WATER PATH.
1E3 Controls visibility of an item OW in WATER PATH.
1E4 Controls visibility of an item OW in RUIN VALLEY.
1E5 Controls visibility of an item OW in RUIN VALLEY.
1E6 Controls visibility of an item OW in RUIN VALLEY.
1E7 Controls visibility of an item OW in SEVAULT CANYON.
1E8 Controls visibility of an item OW in SEVAULT CANYON.
1E9 Controls visibility of an item OW in SEVAULT CANYON.
1EA Controls visibility of an item OW in BERRY FOREST.
1EB Controls visibility of an item OW in BERRY FOREST.
1EC Controls visibility of an item OW in BERRY FOREST.
1ED Controls visibility of an item OW in MT. EMBER (1.97).
1EE Controls visibility of an item OW in MT. EMBER (1.97).
1EF Controls visibility of an item OW in MT. EMBER (1.97).
1F0 Controls visibility of an item OW in ICEFALL CAVE (1.111).
1F1 Controls visibility of an item OW in ICEFALL CAVE (1.111).
1F2 Controls visibility of an item OW in ICEFALL CAVE (1.112).
1F3 Controls visibility of an item OW in ICEFALL CAVE (1.112).
1F4 Controls visibility of an item OW in ROCKET WAREHOUSE.
1F5 Controls visibility of an item OW in ROCKET WAREHOUSE.
1F6 Controls visibility of an item OW in ROCKET WAREHOUSE.
1F7 Controls visibility of an item OW in ROCKET WAREHOUSE.
1F8 Controls visibility of an item OW in LOST CAVE (2.22).
1F9 Controls visibility of an item OW in LOST CAVE (2.23).
1FA Controls visibility of an item OW in LOST CAVE (2.24).
1FB Controls visibility of an item OW in LOST CAVE (2.25).
1FC Controls visibility of an item OW in LOST CAVE (2.26).
1FD Controls visibility of an item OW in SEVAULT CANYON (42.0).
1FE Controls visibility of an item OW in SILPH CO. (1.50).
230 Set if the player received a POTION from the salesman on ROUTE 1.
231 Set if the player has received TM34 SHOCK WAVE from VERMILION CITY Gym Leader LT. SURGE.
232 Set if the player has taken either of the two fossils from MT. MOON.
233 Set if the player helped BILL turn back into a human being.
234 Set if the player received the S.S. ANNE TICKET from BILL.
235 Unknown. Set after BILL gives the player the S.S. ANNE TICKET.
236 Set if the player received TM42 from the bereaved man at MEMORIAL PILLAR.
237 Set if the player received HM01 CUT from the captain of the S.S. ANNE.
238 Set if the player received HM02 FLY from the woman on ROUTE 16 (map 25.0).
239 Set if the player received HM03 SURF from the man in the SAFARI ZONE.
23A Set if the player received HM04 STRENGTH from the SAFARI ZONE Warden.
23B Set if the player received HM05 FLASH from one of OAK's assistants on ROUTE 2 (map 15.2).
23C Set after talking to MR. FUJI in POKeMON TOWER. Allows the player to sneak past a TEAM
ROCKET guard in SAFFRON CITY and enter the besieged SILPH CO. skyscraper.
23D Set if the player received the POKe FLUTE from MR. FUJI at his home in LAVENDER TOWN.
23F Unknown. If set, the hiker in the burglarized CERULEAN house calms down.
240 Set if the player received the OLD ROD from the fisherman in VERMILION CITY.
241 Set if the player obtained a BIKE VOUCHER from the man in the POKeMON Fan Club.
243 Set if the player received the COIN CASE from a man in CELADON CITY.
Checked by the internal script that handles hidden item Signposts. (Item ID 0 is
treated as a COINS pickup, you see.)
244 Set if the player received the GOOD ROD from the fisherman in FUCHSIA CITY.
245 Set if the player received TM29 PSYCHIC from MR. PSYCHIC in SAFFRON CITY.
246 Set if the player received LAPRAS from the man in SILPH CO.
247 Unknown. Checked when the player enters PROF. OAK's lab.
248 Set if the player traded with a boy on ROUTE 2 (map 15.1).
249 Set if the player purchased a MAGIKARP from the conman on ROUTE 4 (map 16.0).
24A Set if the player traded with an old man in CERULEAN CITY (map 7.2).
24B Set if the player traded with a young girl at the UNDERGROUND PATH entrance (map 1.30).
24D Set if the player traded with a young girl in VERMILION CITY (map 9.4).
24E Set if the player received TM38 FIRE BLAST from CINNABAR ISLAND Gym Leader BLAINE.
24F Unknown. Set if the player enters PROF. OAK's lab while 247 is set.
250 Set if the player received the MASTER BALL from the SILPH CO. PRESIDENT.
251 Set if the player traded with a boy on ROUTE 11 (map 22.1).
252 Set if the player received the ITEMFINDER from one of OAK's aides on ROUTE 11 (map 22.1).
253 Set if the player has battled the SNORLAX on ROUTE 12.
254 Set if the player has received TM39 ROCK TOMB from PEWTER CITY Gym Leader BROCK.
255 Set if the player has received the SUPER ROD from the fisherman on ROUTE 12 (map 23.2).
256 Set if the player has received the EXP. SHARE from one of OAK's aides on ROUTE 15 (map 24.1).
257 Set if the player traded with a boy on ROUTE 18 (map 26.1).
258 Set after the first Rival battle. Allows the player to heal at their house in PALLET TOWN.
259 Set if the player has received TM06 TOXIC from FUCHSIA CITY Gym Leader KOGA.
25B Set if the player has received TM27 RETURN from the bereaved woman on ROUTE 12 (map 23.1).
25E Set if the player has received OLD AMBER from a man in PEWTER CITY's Museum.
263 Set if the player has received EEVEE from the Poke Ball OW in CELADON CITY (10.11).
264 Unknown. Used as part of the trashcan puzzle in VERMILION CITY's Gym.
265 Unknown. Used as part of the quiz puzzles in CINNABAR ISLAND's Gym.
266 Set if the FOUR ISLAND Daycare has an EGG waiting for the player. Is directly manipulated by
the game engine.
26C Toggles which set of POKeMON MANSION blocked doorways is open.
26D Set if the player hit the switch behind the poster in the GAME CORNER.
26E Set if the player received 10 COINS from the fisherman in the GAME CORNER.
26F Set if the player received 20 COINS from the scientist in the GAME CORNER.
270 Set if the player received 20 COINS from the gentleman in the GAME CORNER.
271 Set if the player received a BICYCLE from CERULEAN CITY's bike salesman.
272 Set if the player chose the DOME FOSSIL (KABUTO) in MT. MOON.
273 Set if the player chose the HELIX FOSSIL (OMANYTE) in MT. MOON.
274 Set if the player traded with an old man in CINNABAR ISLAND (map 12.2).
275 Set if the player traded with a woman in CINNABAR ISLAND (map 12.2).
276 Set if the player traded with a man in CINNABAR ISLAND (map 12.4).
278 Set if the player has taken one of the two prize Pokemon from the SAFFRON CITY FIGHTING DOJO.
27A SILPH CO. blocked doorway. If set, the door is open.
27B SILPH CO. blocked doorway.
27C SILPH CO. blocked doorway.
27D SILPH CO. blocked doorway.
27E SILPH CO. blocked doorway.
27F SILPH CO. blocked doorway.
280 SILPH CO. blocked doorway.
281 SILPH CO. blocked doorway.
282 SILPH CO. blocked doorway.
283 SILPH CO. blocked doorway.
284 SILPH CO. blocked doorway.
285 SILPH CO. blocked doorway.
286 SILPH CO. blocked doorway.
287 SILPH CO. blocked doorway.
288 SILPH CO. blocked doorway.
289 SILPH CO. blocked doorway.
28A SILPH CO. blocked doorway.
28B SILPH CO. blocked doorway.
28C SILPH CO. blocked doorway.
28D SILPH CO. blocked doorway.
290 Set if the player has spoken to the sticker kid on FOUR ISLAND at least once?
291 Unknown. Checked in a PALLET TOWN level script. Set when the player has chosen a starter.
293 Set if the player has received TM19 GIGA DRAIN from CELADON CITY Gym Leader ERIKA.
294 Set if the player has given LEMONADE to the girl on the CELADON Department Store roof.
...in exchange for TM33 REFLECT.
295 Set if the player has given SODA POP to the girl on the CELADON Department Store roof.
...in exchange for TM20 SAFEGUARD.
296 Set if the player has given FRESH WATER to the girl on the CELADON Department Store roof.
...in exchange for TM16 LIGHT SCREEN.
297 Set if the player has received TM03 WATER PULSE from CERULEAN CITY Gym Leader MISTY.
298 Set if the player has received TM26 EARTHQUAKE from VIRIDIAN CITY Gym Leader GIOVANNI.
29A Set if the player has received TM04 CALM MIND from SAFFRON CITY Gym Leader SABRINA.
29B Set after beating Gary at CERULEAN CITY.
29C Set if the player has shown a MAGIKARP to the fisherman on Route 12 (map 23.2) and had its
size recorded.
29D Set if the TWO ISLAND shopkeeper has told you that his shop is new.
29E Set if the TWO ISLAND shopkeeper has told you that he now stocks items with help from the
islanders now that you've rescued Lostelle.
29F Set if the TWO ISLAND shopkeeper has told you that he "gives it his best".
2A0 Set if the TWO ISLAND shopkeeper has told you that he now stocks items from distant lands.
2A1 Unknown. If set, the SEVII ISLAND PokeCenters will "now have PC linkage with people in
KANTO".
Set by a level script every time the player enters THREE ISLE PORT (3.49).
2A2 Set when the player enters TWO ISLAND for the first time.
2A3 Set after rescuing LOSTELLE in BERRY FOREST, before warping to her home.
2A5 Set if the palyer picked up the LIFT KEY from the OW (ROCKET HIDEOUT (1.45)).
If unset, the ROCKET HIDEOUT elevator does not work. ("It appears to need a key.")
2A6 Set if the player has received TEA from the old woman in CELADON CITY.
2AC If unset, the ROCKET HIDEOUT elevator does not work. ("It appears to need a key.")
2BB Set if the player has received a POWDER JAR from a man in CERULEAN CITY.
2BC Set if the MEWTWO battle does not end in an 0x4 (escaped) or 0x5 (?) outcome (special B4).
2BD Set if the MOLTRES battle does not end in an 0x4 (escaped) or 0x5 (?) outcome (special B4).
2BE Set if the ARTICUNO battle does not end in an 0x4 (escaped) or 0x5 (?) outcome (special B4).
2BF Set if the ZAPDOS battle does not end in an 0x4 (escaped) or 0x5 (?) outcome (special B4).
2C0 Set if the ROCK SLIDE Move Tutor has already been used.
2C1 Set if the THUNDER WAVE Move Tutor has already been used.
2C2 Set if the ROCK SLIDE Move Tutor has already been used.
2C3 Set if the EXPLOSION Move Tutor has already been used.
2C4 Set if the MEGA PUNCH Move Tutor has already been used.
2C5 Set if the MEGA KICK Move Tutor has already been used.
2C6 Set if the DREAM EATER Move Tutor has already been used.
2C7 Set if the SOFTBOILED Move Tutor has already been used.
2C8 Set if the SUBSTITUTE Move Tutor has already been used.
2C9 Set if the SWORDS DANCE Move Tutor has already been used.
2CA Set if the SEISMIC TOSS Move Tutor has already been used.
2CB Set if the COUNTER Move Tutor has already been used.
2CC Set if the METRONOME Move Tutor has already been used.
2CD Set if the player has given a POKe DOLL to the COPYCAT in SAFFRON CITY.
2CE Set if the BODY SLAM Move Tutor has already been used.
2CF Unknown. Set when entering PROF. OAK's lab.
2D0 Set if a POWER PLANT ELECTRODE battle doesn't end in an 0x4 or 0x5 outcome (special B4).
2D1 Set if a POWER PLANT ELECTRODE battle doesn't end in an 0x4 or 0x5 outcome (special B4).
2D2 Unknown. Part of the SEAFOAM ISLANDS level scripts that determine whether the fast current is blocked.
If not set, a Route 20 level script clears 40 and 41, and sets 42 through 47.
2D3 Unknown. Part of the SEAFOAM ISLANDS level scripts that determine whether the fast current is blocked.
If not set, a Route 20 level script clears 48 through 4B, and sets 4C and 4D.
2D4 Unknown. Affects LORELEI's dialogue at her home on FOUR ISLAND.
2D5 Set if the player has defeated TEAM ROCKET at ROCKET WAREHOUSE.
2D6 If set, the player will be able to enter the ROCKET WAREHOUSE. (The tile will change to one
that enables warps.)
2D7 Set if the player earned TM42 from the bereaved man at MEMORIAL PILLAR, but had no room for
it. Talking to the man with this flag set will make him remember the player and give the
item if there is now room for it.
2D8 Set when the SAPPHIRE is stolen from DOTTED HOLE by TEAM ROCKET. Allows the player to enter
both of the necessary passwords to open the door to ROCKET WAREHOUSE.
2D9 Set if the player has shown a HERACROSS to the woman on WATER PATH (map 41.0) and had its
size recorded.
2DA Set if the player received the EGG from the man in the WATER LABYRINTH.
2DB Set if the player "earned" the EGG from WATER LABYRINTH, but had no room for it at the time.
Upon talking to the man again, he'll give them the EGG immediately if this flag is set.
2DC Set when the player finds the SAPPHIRE at ROCKET WAREHOUSE.
2DD Set when the player finds the RUBY in MT. EMBER.
2E1 Set if the player has learned a starter-only power move from the woman on CAPE BRINK (40.0).
2E2 Set if the player received a NUGGET from the man in THREE ISLE PATH.
2E3 Set if the door to the ruins in RUIN VALLEY is open. A level script enables the door warp.
2E4 Set if the DEOXYS battle doesn't end in a 1, 4 (escaped), or 5 (?) (special B4).
2EC Set if the DOME FOSSIL (KABUTO) has been revived.
2ED Set if the HELIX FOSSIL (OMANYTE) has been revived.
2EE Set if the OLD AMBER (AERODACTYL) has been revived.
2EF Set if the player received HM06 ROCK SMASH from the man in EMBER SPA.
2F0 Set if the VERMILION sailor already knows you have the MYSTICTICKET.
2F1 Set if the VERMILION sailor already knows you have the AURORATICKET.
2F2 Set if the LUGIA battle doesn't end in a 1, 4 (escaped), or 5 (?) (special B4).
2F3 Set if the HO-OH battle doesn't end in a 1 (faint), 4 (escaped), or 5 (?) (special B4).
2F5 Unknown. Allows you to rebattle a fainted LUGIA if you beat the ELITE FOUR again?
Cleared during the Hall of Fame room level script, if the National Dex is already unlocked.
Set if the LUGIA battle ends with the Pokemon fainting.
2F6 Unknown. Allows you to rebattle a fainted HO-OH if you beat the ELITE FOUR again?
Cleared during the Hall of Fame room level script, if the National Dex is already unlocked.
Set if the HO-OH battle ends with the Pokemon fainting.
2F7 Unknown. Allows you to rebattle a fainted DEOXYS if you beat the ELITE FOUR again?
Cleared during the Hall of Fame room level script, if the National Dex is already unlocked.
Set if the DEOXYS battle ends with the Pokemon fainting.
2F8 Unknown. Affects the dialogue of the TEA-giving woman in CELADON CITY.
2F9 Set if the player spoke to the OAK assistant in VERMILION CITY. When the player re-enters the map, this flag
will be used by a level script to hide the assistant's OW.
2FA Set if the player received an EVERSTONE from one of OAK's assistants on ROUTE 10 (map 21.0).
2FB Set if the player received a MOON STONE from the man in the TWO ISLAND GAME CORNER.
2FC Set if the player received a FULL RESTORE from a thankful THREE ISLAND civilian.
2FD Set if the player received an AMULET COIN from one of OAK's aides on ROUTE 16 (map 25.2).
2FE Set if the player earned the MOON STONE from the man in the TWO ISLAND GAME CORNER, but did
not have room for it. The player will receive it if they talk to the man again later.
2FF Used by the game's internal PC script. It is set immediately before the plaer is asked if they want their
Pokedex rated, and cleared immediately after (regardless of their selection).
4B0 Champ-in-making guy flag. Set if the player has defeated PEWTER's Gym Leader, BROCK.
Also affects PokeCenter nurse dialog when she heals your Pokemon after a whiteout. If this flag is not
set, she'll offer some advice.
4B1 Champ-in-making guy flag. Set if the player has defeated CERULEAN's Gym Leader, MISTY.
4B2 Champ-in-making guy flag. Set if the player has defeated VERMILION's Gym Leader, LT. SURGE.
4B3 Champ-in-making guy flag. Set if the player has defeated CELADON's Gym Leader, ERIKA.
4B4 Champ-in-making guy flag. Set if the player has defeated FUCHSIA's Gym Leader, KOGA.
4B5 Champ-in-making guy flag. Set if the player has defeated SAFFRON's Gym Leader, SABRINA.
4B6 Champ-in-making guy flag. Set if the player has defeated CINNABAR's Gym Leader, BLAINE.
4B7 Champ-in-making guy flag. Set if the player has defeated VIRIDIAN's Gym Leader, GIOVANNI.
4B8 Set if the player has defeated Lorelei during the current attempt at the E4. Cleared in the Hall of Fame room.
4B9 Set if the player has defeated Bruno during the current attempt at the E4. Cleared in the Hall of Fame room.
4BA Set if the player has defeated Agatha during the current attempt at the E4. Cleared in the Hall of Fame room.
4BB Set if the player has defeated Lance during the current attempt at the E4. Cleared in the Hall of Fame room.
4BC Set if the player has defeated Gary during the current attempt at the E4. Cleared in the Hall of Fame room.

// Flags 500 - 700 are trainer flags. Subtract 0x500 from a normal flag
// for the equivalent used in trainer flag script commands.

805 Strength has already been used on this map.
807 Set just prior to a wild battle triggered by talking to an OW, and cleared just after. Possibly used as a
failsafe for if a player faints during a legendary battle, as that would (I think) terminate script execution.
820 Unknown. Appears to be set if the player has the TEACHY TV when talking to VIRIDIAN Old Man.
820 If set, the player has the BOULDERBADGE.
821 If set, the player has the CASCADEBADGE.
822 If set, the player has the THUNDERBADGE.
823 If set, the player has the RAINBOWBADGE.
824 If set, the player has the SOULBADGE.
825 If set, the player has the MARSHBADGE.
826 If set, the player has the VOLCANOBADGE.
827 If set, the player has the EARTHBADGE.
828 If set, the POKeMON menu is accessible.
829 If set, the POKeDEX menu is accessible.
Checked by the game's internal PC script.
Checked by the game's internal linking functions. ("It appears to be undergoing adjustments...")
If not set, the WIRELESS COMMUNICATION CLUB on PokeCenters 2F is disabled.
If not set, the MYSTERY GIFT questionnaire in PokeMarts is disabled.
82C If set, the player has beaten the Elite Four at least once.
Checked during Bruno's, Agatha's, Lance's, and Gary's Elite Four scripts.
Checked by the game's internal PC script.
If set, DAISY will groom Pokemon.
Does this get set when you obtain the VS SEEKER?
82D Set if the player has customized their profile. (Apparently set by the game engine itself?)
82F Running Shoes
830 Unknown. Set if variable 0x405E == 0x1 when entering ROUTE 16 and ROUTE 18.
834 If set, the player knows the name of BILL's PC. (Unset = "Someone's".)
This is used both in normal scripts and in the internal script for the PC.
839 UNCONFIRMED: Mystery Gift enabled.
83B Unknown.
Set by special 125.
83E Set when talking to some chick in PALLET TOWN that mimics a sign or whatever.
841 Unknown. Cleared by a level script every time the player enters THREE ISLE PORT (3.49).
If set, the PC will be unusable ("The usual PC services aren't available...").
842 Unknown. Checked after healing at a PokeCenter.
843 Unknown.
Read and written to by special 165.
844 Set when CELIO successfully connects to LANETTE -- in other words, when you're allowed to
trade to R/S/E.
846 Set when obtaining the RAINBOW PASS.
847 Unknown... Set if the player has no berries, or no BERRY POUCH? (Set by the game engine?)
848 Cleared when entering BIRTH ISLAND when 2E4 is unset and 2F7 (DEOXYS fainted?) is unset.
849 Set if the player has solved TANOBY KEY.
84A If not set, the VERMILION sailor won't check if you have the MYSTICTICKET. You can't use it.
84B If not set, the VERMILION sailor won't check if you have the AURORATICKET. You can't use it.
890 World Map Flag (PALLET TOWN).
891 World Map Flag (VIRIDIAN CITY).
892 World Map Flag (PEWTER CITY).
893 World Map Flag (CERULEAN CITY).
894 World Map Flag (LAVENDER TOWN).
895 World Map Flag (VERMILION CITY).
896 World Map Flag (CELADON CITY).
897 World Map Flag (FUCHSIA CITY).
898 World Map Flag (CINNABAR ISLAND).
899 World Map Flag (INDIGO PLATEAU).
89A World Map Flag (SAFFRON CITY).
89B World Map Flag (ONE ISLAND).
If set, OAK welcomes the player back to PALLET TOWN when they enter the town.
89C World Map Flag (TWO ISLAND).
89D World Map Flag (THREE ISLAND).
89E World Map Flag (FOUR ISLAND).
89F World Map Flag (FIVE ISLAND).
8A0 World Map Flag (SEVEN ISLAND).
8A1 World Map Flag (SIX ISLAND).
8A4 World Map Flag (VIRIDIAN FOREST).
8A5 World Map Flag (MT. MOON (1.1)).
8A6 World Map Flag (S.S. ANNE (1.4)).
8A7 World Map Flag (UNDERGROUND PATH (1.31)).
8A8 World Map Flag (UNDERGROUND PATH (1.34)).
8A9 World Map Flag (DIGLETT'S CAVE (1.37)).
8AA World Map Flag (VICTORY ROAD (1.39)).
8AB World Map Flag (ROCKET HIDEOUT (1.42)).
8AC World Map Flag (SILPH CO. (1.47)).
8AD World Map Flag (POKeMON MANSION (1.59)).
8AE World Map Flag (SAFARI ZONE (1.63)).
8AF World Map Flag (POKeMON LEAGUE (1.75)).
8B0 World Map Flag (ROCK TUNNEL (1.81)).
8B1 World Map Flag (SEAFOAM ISLANDS (1.83)).
8B2 World Map Flag (POKeMON TOWER (1.88)).
8B3 World Map Flag (CERULEAN CAVE (1.72)).
8B4 World Map Flag (POWER PLANT).
8B5 World Map Flag (NAVEL ROCK (2.0)).
8B6 World Map Flag (MT. EMBER (1.97)).
8B7 World Map Flag (BERRY FOREST).
8B8 World Map Flag (ICEFALL CAVE (1.110)).
8B9 World Map Flag (ROCKET WAREHOUSE).
8BA World Map Flag (TRAINER TOWER (2.10)).
8BB World Map Flag (DOTTED HOLE (1.115)).
8BC World Map Flag (LOST CAVE (2.12)).
8BD World Map Flag (PATTERN BUSH).
8BE World Map Flag (ALTERING CAVE).
8BF World Map Flag (MONEAN CHAMBER).
8C0 World Map Flag (THREE ISLE PATH).
8C1 World Map Flag (TANOBY KEY).
8C2 World Map Flag (BIRTH ISLAND (2.56)).
// I have reason to believe that flags 0x890 - 0x8FD
// are reserved for World Map Flags, even though you
// can't fly to most of them.



LIST OF IDENTIFIED IN-GAME VARS (FIRERED)

4000 Temporary/disposable variable.
Written to by special E7.
4001 Temporary/disposable variable.
4003 Temporary/disposable variable? Used in TRAINER TOWER.
4006 Temporary/disposable variable? Used in TANOBY KEY.
4008 Temporary/disposable variable? Used in TANOBY KEY.
400E Temporary/disposable variable? Used in TRAINER TOWER.
400F Temporary/disposable variable? Used in TRAINER TOWER.
4010 Temporary/disposable variable.
Written to by (incomplete?) special 142.
4020 Pedometer. It counts down, and upon reaching 0x0000, REPEL expires.
4021 Pedometer. Max value 0x007F; it loops back to 0x0000 after.
4022 Pedometer. Max value 0x0004; it loops back to 0x0000 after.
4023 Pedometer. Max value 0x05DC; it just stays at that value after?
4025 Pedometer? Used for DAISY's script? Haven't seen it in action myself yet.
Set to 0x01F4 (500) by GAME START SCRIPT.
4031 The starter that the player chose (0, 1, 2).
Accessed directly by special 129.
4036 Multi-use, for SELPHY's Pokemon-fetching-and-showing game.
Apparently set to 0x0000 when it's time for a new "round" to start.
Apparently set to 0xFFFF if you're out of time.
4037 Box that a newly-received (givepokemon) Pokemon was sent to. Is directly manipulated by the game engine
itself.
Read by special 165.
4038 Unknown.
Read by specials A6 and A9.
Written to by special A8.
Used by special AA.
4039 Unknown.
Written to by specials A6, A7, and A9.
403A Used in elevator scripts (current floor?). Written to by special 0xD8.
403C 0xXXYY -- the current bank and map, respectively.
403E Unknown.
Accessed directly by special 1AC.
4042 Unknown.
Read by special 167.
4043 Unknown.
Written to by special 167.
4049 Unknown. Something to do with the sticker kid on FOUR ISLAND.
404A Unknown. Something to do with the sticker kid on FOUR ISLAND.
404B Unknown. Something to do with the sticker kid on FOUR ISLAND.
404E Unknown.
Written to by special 197.
4050 Unknown or multi-use.
Set to 0x1 after the "Don't go out yet!" OAK Script event.
Set to 0x2 during the Hall of Fame room level script, if the National Dex is NOT already unlocked.
Set to 0x3 after OAK's chat with the player in PALLET TOWN after beating the E4.
4051 Set to 0x2 to disable the "Old Man Needs Coffee" Script event in VIRIDIAN CITY.
4052 Set to 0x1 to disable Script events for Gary in CERULEAN CITY.
4053 Unknown. Set to 0x0 after the player watches the S.S. ANNE depart.
4054 Unknown or multi-use.
Set to 0x2 to disable Script events for a Rival encounter on ROUTE 22.
Set to 0x3 after VIRIDIAN CITY Gym Leader GIOVANNI is defeated. Enables next Rival.
Set to 0x4 to disable Script events for a second Rival encounter on ROUTE 22.
4055 Unknown.
Is set to 0x0 when the player hasn't encounted PROF. OAK yet.
Is set to 0x1 when OAK is escorting the player to his lab.
Is set to 0x2 when the player needs to choose a starter.
Is set to 0x3 when the player and their Rival have both chosen starters.
Is set to 0x4 after the player's first battle with their Rival.
Is set to 0x5 when the player needs to deliver OAK's PARCEL.
Is set to 0x9 when the player enters PROF. OAK while it is set to 0x8.
If >= 0x1 and no other events pending, then DAISY comments on a recent Rival battle.
Set to 0x7 after OAK's chat with the player in PALLET TOWN after beating the E4.
4056 Unknown. If equal to 0x0, "sethealingplace" runs whenever the player enters their bedroom in
PALLET TOWN. Another level script then sets the variable to 0x1.
4057 Multi-use.
Set to 0x1 to disable the OAK's PARCEL level script in VIRIDIAN CITY's PokeMart.
Set to some other value to enable VIRIDIAN CITY's normal PokeMart script.
4058 Unknown. Checked by DAISY's script in PALLET TOWN. Apparently part of the sequence of events
that makes her give away the TOWN MAP.
Set to 0x2 when DAISY gives away the TOWN MAP.
4059 If != 0x0, then the player beat the Ghost MAROWAK at POKeMON TOWER.
405A Set to some value to disable the Old Man that blocks the VIRIDIAN CITY Gym.
405B Multi-use.
Set to 0x1 to disable Script events for a Rival encounter on the S.S. ANNE.
Is set to 0x1 when entering LAVENDER TOWN.
405C If != 0x0, then the player beat Gary at SILPH CO.
405D If != 0x0, then the player beat Gary at POKeMON TOWER.
405E Set to 0x0 to disable Script events on the tiles bordering the exits to the CYCLING ROAD
gatehouse. Set to 0x1 to disable Script events on the tiles bordering the entrances.
405F Controls various badge-checking Script events on Route 23.
4060 If >= 0x1, then TEAM ROCKET has left SILPH CO.
4061 Set to 0x1 to disable the Pay-To-Enter Script events in PEWTER CITY's Museum.
4062 Set to 0x1 to disable the thirsty-guard roadblock Script events in the SAFFRON gatehouses.
4064 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4065 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4066 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4067 Unknown. Reset to 0x0000 when entering Route 23.
4068 Set to 0x2 after an Elite Four chamber level script forces the player to walk up. Rechecked
later after the E4 battle in that chamber has ended. Reset to 0x0000 in the Hall of Fame room.
4069 Set to 0x1, 0x2, or 0x3 depending on which fossil is being revived at the CINNABAR ISLAND
lab.
406A Fossil revival process. 0x1 means that a revival is in progress. 0x2 means that it is
complete.
406B Set to 0x1 to disable Script events for the Nugget Bridge challenge.
406C Unknown or multi-use.
Set to 0x1 to disable the man that traps you in PEWTER until you beat Brock.
Set to 0x2 to disable Script events for the man that gives Running Shoes at PEWTER.
406E Safari Zone status.
Set to 0x0 when not in the SAFARI ZONE.
Set to 0x1 ...?
Set to 0x2 after paying to enter the SAFARI ZONE.
406F I haven't the faintest idea. Used in Pokemon Center 2F level scripts.
4070 Set to 0x1 when talking to some chick in PALLET TOWN that mimics a sign or whatever.
4071 See 408A.
4073 Affects dialogue in the SAFFRON CITY TRAINER FAN CLUB building.
Is set to 0x1 when the occupants -- your new fans -- swarm you.
4074 Unknown. Checked if != 0x0 in a level script for the woman-who-likes-battles's house (map
31.0).
4075 Used in a ONE ISLAND level script. If it equals 0x2, BILL will welcome you to ONE ISLAND,
bring you into the PokeCenter to see CELIO, and then the variable will be set to 0x3.
4076 Multi-use, for the RUBY/SAPPHIRE subplot.
Set to 0x4 if hasn't beaten the ROCKET GRUNTs they eavesdrop on at MT. EMBER?
Set to 0x5 when the RUBY has been delivered to CELIO on ONE ISLAND.
Set to 0x6 when the subplot is complete.
If >= 0x5, VERMILION dockworker acknowledges your RAINBOW PASS. (Travel to SEVII)
If >= 0x1, VERMILION dockworker acknowledges your TRI-PASS. (Travel to SEVII 1-3)
4078 Affects the commentary and items offered by the shopkeeper on One Island. The variable's
value is managed by a TWO ISLAND level script that checks various flags.
0x4078 == 0x2 means that Lostelle has been rescued.
0x4078 == 0x3 means that you've beaten all Gyms, but not the Elite Four. (?)
0x4078 == 0x4 means that the shopkeeper offers items "from distant lands". (Beat E4)
4079 Multi-use, for the LOSTELLE event.
Set to 0x1 after dealing with a Biker at the TWO ISLAND GAME CORNER.
Set to 0x2 after rescuing LOSTELLE in BERRY FOREST, before warping to her home.
Is set to 0x3 when LOSTELLE is reunited with her father.
Is set to 0x4 when the subplot is complete.
407B Unknown or multi-use.
Set to 0x2 to enable the first Script events for the Bikers in THREE ISLAND?
Set to 0x3 to disable the first Script events for the Bikers in THREE ISLAND.
Set to 0x4 to disable the second Script events for the Bikers. (They leave.)
407C Unknown or multi-use.
Set to 0x1 to ...?
Set to 0x2 to disable the Pokemon Center 2F level script (TEALA's tutorial).
407D Set to 0x1 to disable the ROCKET GRUNT Script events behind the broken home in CERULEAN.
407E Unknown or multi-use.
Is set to 0x1 after the player helps the S.S. ANNE's captain.
Is set to 0x2 when the player is stepping out of a boat and into VERMILION CITY or the S.S. ANNE harbor.
Is set to 0x3 when the S.S. ANNE has departed VERMILION CITY.
407F Set to 0x2 after a Script event on MT. EMBER, in which the player hears ROCKET GRUNTs talk.
4080 Set to 0x1 after a Script event in ICEFALL CAVE, in which the player assists LORELEI.
4081 Set to 0x1 to disable a Script event blocking access to the Pokemon in the FIGHTING DOJO.
4082 Multi-use.
Set to 0x0 to enable a Script event at the TRAINER TOWER counter. (A level script
on the tower's exterior (Map 3.62) does this.)
Set to 0x1 to disable a Script event at the TRAINER TOWER counter.
4083 Set to 0x1 upon entering the LOST CAVE room with the lost woman.
4084 Multi-use, for the SELPHY event.
Set to 0x1 upon rescuing SELPHY from LOST CAVE, before warping to RESORT GORGEOUS.
Set to 0x2 upon being promptly dismissed from her front door (level script).
4085 Unknown. Used in two level scripts for INDIGO PLATEAU (3.9). Does something if it equals 1.
4086 Set to 0x1 to disable a FOUR ISLAND level script (Gary encounter without battle).
4088 Set to 0x1 to disable Script events in ROCKET WAREHOUSE.
4089 Set to 0x1 to disable a SIX ISLAND (37.0) level script (Gary encounter without battle).
408A Multi-use, for an event where you meet BILL at CINNABAR ISLAND's PokeCenter, and he leaves on
a boat.
Set to 0x1 upon meeting BILL in the PokeCenter. The same script makes you both leave.
Is set to 0x1 when used in level scripts that show BILL's departure from the island.
408B Set to 0x1 to disable the Script events for the fossil guy in MT. MOON.
...
5EF4 - 7FFF CONFIRMED UNSAFE! In PC box space!





LIST OF IDENTIFIED ITEM HIDDEN IDS (FIRERED)

UNUSED: 07, 10, 18, 28, 2B, 2C, 2D, 2E, 7C, BC, BF, all above.

00 POTION VIRIDIAN FOREST (1.0)
01 ANTIDOTE VIRIDIAN FOREST (1.0)
02 MOON STONE MT. MOON (1.3)
03 ETHER MT. MOON (1.3)
04 ELIXIR ROUTE 25 (3.44)
05 ETHER ROUTE 25 (3.44)
06 ETHER ROUTE 9 (3.27)
08 HYPER POTION S.S. ANNE (1.8)
09 SUPER POTION ROUTE 10 (3.28)
0A MAX ETHER ROUTE 10 (3.28)
0B PP UP ROCKET HIDEOUT (1.42)
0C NUGGET ROCKET HIDEOUT (1.44)
0D NEST BALL ROCKET HIDEOUT (1.45)
0E BIG MUSHROOM POKeMON TOWER (1.92)
0F PP UP ROUTE 13 (3.31)
11 RARE CANDY ROUTE 17 (3.35)
12 FULL RESTORE ROUTE 17 (3.35)
13 PP UP ROUTE 17 (3.35)
14 MAX REVIVE ROUTE 17 (3.35)
15 MAX ELIXIR ROUTE 17 (3.35)
16 LEAF STONE SAFARI ZONE (1.63)
17 REVIVE SAFARI ZONE (1.66)
19 MAX POTION SILPH CO. (1.55)
1A NUGGET SAFFRON CITY (14.1)
1B MAX ELIXIR POWER PLANT (1.95)
1C THUNDERSTONE POWER PLANT (1.95)
1D NUGGET SEAFOAM ISLANDS (1.86)
1E WATER STONE SEAFOAM ISLANDS (1.87)
1F MOON STONE POKeMON MANSION (1.59)
20 RARE CANDY POKeMON MANSION (1.61)
21 ELIXIR POKeMON MANSION (1.62)
22 FULL RESTORE ROUTE 23 (3.42)
23 ULTRA BALL ROUTE 23 (3.42)
24 MAX ETHER ROUTE 23 (3.42)
25 ULTRA BALL VICTORY ROAD (1.39)
26 FULL RESTORE VICTORY ROAD (1.39)
27 ULTRA BALL CERULEAN CAVE (1.72)
29 ESCAPE ROPE ROUTE 11 (3.29)
2A HYPER POTION ROUTE 12 (3.30)
2F PP UP CELADON CITY (3.6)
30 MAX ETHER VERMILION CITY (3.5)
31 RARE CANDY CERULEAN CITY (3.3)
32 GREAT BALL ROUTE 4 (3.22)
33 ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
34 ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
35 ???????? [0000] CELADON CITY (10.14) // Amount: $14 -- COINS pickup?!
36 ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
37 ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
38 ???????? [0000] CELADON CITY (10.14) // Amount: $14 -- COINS pickup?!
39 ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
3A ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
3B ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
3C ???????? [0000] CELADON CITY (10.14) // Amount: $28 -- COINS pickup?!
3D ???????? [0000] CELADON CITY (10.14) // Amount: $64 -- COINS pickup?!
3E ???????? [0000] CELADON CITY (10.14) // Amount: $0A -- COINS pickup?!
3F CHERI BERRY SEVAULT CANYON (3.64)
40 HEART SCALE TANOBY RUINS (3.65)
41 HEART SCALE TANOBY RUINS (3.65)
42 HEART SCALE TANOBY RUINS (3.65)
43 HEART SCALE TANOBY RUINS (3.65)
44 NEST BALL ROCKET WAREHOUSE (1.114)
45 NET BALL ROCKET WAREHOUSE (1.114)
46 POTION UNDERGROUND PATH (1.31)
47 ANTIDOTE UNDERGROUND PATH (1.31)
48 PARLYZ HEAL UNDERGROUND PATH (1.31)
49 AWAKENING UNDERGROUND PATH (1.31)
4A BURN HEAL UNDERGROUND PATH (1.31)
4B ICE HEAL UNDERGROUND PATH (1.31)
4C ETHER UNDERGROUND PATH (1.31)
4D POTION UNDERGROUND PATH (1.34)
4E ANTIDOTE UNDERGROUND PATH (1.34)
4F PARLYZ HEAL UNDERGROUND PATH (1.34)
50 AWAKENING UNDERGROUND PATH (1.34)
51 BURN HEAL UNDERGROUND PATH (1.34)
52 ICE HEAL UNDERGROUND PATH (1.34)
53 ETHER UNDERGROUND PATH (1.34)
54 TINYMUSHROOM MT. MOON (1.2)
55 TINYMUSHROOM MT. MOON (1.2)
56 TINYMUSHROOM MT. MOON (1.2)
57 BIG MUSHROOM MT. MOON (1.2)
58 BIG MUSHROOM MT. MOON (1.2)
59 BIG MUSHROOM MT. MOON (1.2)
5A RAZZ BERRY BERRY FOREST (1.109)
5B BLUK BERRY BERRY FOREST (1.109)
5C NANAB BERRY BERRY FOREST (1.109)
5D WEPEAR BERRY BERRY FOREST (1.109)
5E ORAN BERRY BERRY FOREST (1.109)
5F CHERI BERRY BERRY FOREST (1.109)
60 CHESTO BERRY BERRY FOREST (1.109)
61 PECHA BERRY BERRY FOREST (1.109)
62 RAWST BERRY BERRY FOREST (1.109)
63 ASPEAR BERRY BERRY FOREST (1.109)
64 PERSIM BERRY BERRY FOREST (1.109)
65 PINAP BERRY BERRY FOREST (1.109)
66 LUM BERRY BERRY FOREST (1.109)
67 STARDUST TREASURE BEACH (3.46)
68 STARDUST TREASURE BEACH (3.46)
69 PEARL TREASURE BEACH (3.46)
6A PEARL TREASURE BEACH (3.46)
6B ULTRA BALL TREASURE BEACH (3.46)
6C ULTRA BALL TREASURE BEACH (3.46)
6D STAR PIECE TREASURE BEACH (3.46)
6E BIG PEARL TREASURE BEACH (3.46)
6F RARE CANDY CAPE BRINK (3.47)
70 POKe BALL PEWTER CITY (3.2)
71 ORAN BERRY ROUTE 3 (3.21)
72 PERSIM BERRY ROUTE 4 (3.22)
73 PECHA BERRY ROUTE 24 (3.43)
74 ORAN BERRY ROUTE 25 (3.44)
75 BLUK BERRY ROUTE 25 (3.44)
76 SITRUS BERRY ROUTE 6 (3.24)
77 RARE CANDY ROUTE 6 (3.24)
78 PECHA BERRY S.S. ANNE (1.10)
79 CHERI BERRY S.S. ANNE (1.10)
7A CHESTO BERRY S.S. ANNE (1.10)
7B RARE CANDY ROUTE 9 (3.27)
7D PERSIM BERRY ROUTE 10 (3.28)
7E CHERI BERRY ROUTE 10 (3.28)
7F RAWST BERRY ROUTE 8 (3.26)
80 LUM BERRY ROUTE 8 (3.26)
81 LEPPA BERRY ROUTE 8 (3.26)
82 RARE CANDY ROUTE 12 (3.30)
83 LEFTOVERS ROUTE 12 (3.30)
84 LEFTOVERS ROUTE 16 (3.34)
85 MAX REVIVE FUCHSIA CITY (3.7)
86 NET BALL ROCKET HIDEOUT (1.45)
87 ULTRA BALL SILPH CO. (1.48)
88 PROTEIN SILPH CO. (1.49)
89 IRON SILPH CO. (1.50)
8A PP UP SILPH CO. (1.51)
8B CARBOS SILPH CO. (1.52)
8C ZINC SILPH CO. (1.53)
8D NUGGET SILPH CO. (1.54)
8E CALCIUM SILPH CO. (1.55)
8F HP UP SILPH CO. (1.56)
90 REVIVE SILPH CO. (1.57)
91 LUM BERRY ROUTE 23 (3.42)
92 SITRUS BERRY ROUTE 23 (3.42)
93 ASPEAR BERRY ROUTE 23 (3.42)
94 LEPPA BERRY ROUTE 23 (3.42)
95 ZINC ROUTE 14 (3.32)
96 CHESTO BERRY ROUTE 9 (3.27)
97 NANAB BERRY ROUTE 10 (3.28)
98 WEPEAR BERRY ROUTE 7 (3.25)
99 STARDUST ROUTE 20 (3.38)
9A PEARL ROUTE 21 (3.39)
9B MAX ELIXIR ROUTE 23 (3.42)
9C RAZZ BERRY ROUTE 4 (3.22)
9D PINAP BERRY ROUTE 14 (3.32)
9E FIRE STONE MT. EMBER (1.97)
9F SOOTHE BELL POKeMON TOWER (1.94) // Amount: $81 ?!?
A0 SACRED ASH NAVEL ROCK (2.37)
A1 PP MAX CAPE BRINK (3.47)
A2 ULTRA BALL MT. EMBER (1.97)
A3 NUGGET THREE ISLE PATH (2.34)
A4 PP UP THREE ISLAND (3.14)
A5 MAX REPEL BOND BRIDGE (3.48)
A6 PEARL BOND BRIDGE (3.48)
A7 STARDUST BOND BRIDGE (3.48)
A8 PEARL FOUR ISLAND (3.15)
A9 ULTRA BALL FOUR ISLAND (3.15)
AA BIG PEARL MEMORIAL PILLAR (3.57)
AB RAZZ BERRY MEMORIAL PILLAR (3.57)
AC SITRUS BERRY MEMORIAL PILLAR (3.57)
AD BLUK BERRY MEMORIAL PILLAR (3.57)
AE NEST BALL RESORT GORGEOUS (3.54)
AF STARDUST RESORT GORGEOUS (3.54)
B0 STAR PIECE RESORT GORGEOUS (3.54)
B1 STARDUST RESORT GORGEOUS (3.54)
B2 STAR PIECE OUTCAST ISLAND (3.58)
B3 NET BALL OUTCAST ISLAND (3.58)
B4 ULTRA BALL GREEN PATH (3.59)
B5 ASPEAR BERRY WATER PATH (3.60)
B6 ORAN BERRY WATER PATH (3.60)
B7 PINAP BERRY WATER PATH (3.60)
B8 LEPPA BERRY SIX ISLAND (3.18)
B9 BIG PEARL TRAINER TOWER (3.62)
BA PEARL TRAINER TOWER (3.62)
BB NANAB BERRY TRAINER TOWER (3.62)
BD MACHO BRACE VIRIDIAN CITY (5.1) // Amount: $81 ?!?
BE LAVA COOKIE S.S. ANNE (1.4)

EDIT: Updated with information from JPAN's special list as well as some hidden scripts I found (that are executed directly by the game engine, and are not referenced in maps).

knizz
September 1st, 2011, 01:43 AM
DavidJCobb, I wish I knew you when I was still ROM Hacking. Great work.

DavidJCobb
September 9th, 2011, 12:13 AM
DavidJCobb, I wish I knew you when I was still ROM Hacking. Great work.Thanks. I've seen some of your work; coming from someone of your skill, that compliment means a lot.

* * * * *

Building on some work by knizz --

As I said once in another thread there is an array of npc-data at 02036E38 . . .

-- I have deciphered more of the OW/Person data structure:

Bytes 0 - 8: Unknown.
Byte 9: Map number for this Person event.
Byte 10: Map bank number for this Person event.
Bytes 11 - 15: Unknown
Bytes 16 - 17: Tile X (stepping off of)
Bytes 18 - 19: Tile Y (stepping off of)
Bytes 20 - 21: Tile X (stepping onto)
Bytes 22 - 23: Tile Y (stepping oto)
Byte 24: Unknown. Changes with last movement direction. (11 down, 44 right, 33 left)
Bytes 25 - 27: Unknown.
Byte 28: Sprite frame
Bytes 29 - 31: Unknown.
Byte 32: Facing direction (same format as PLAYERFACING script var's values).
Bytes 33 - 35: Unknown.

Offset of the facing direction byte for Person event N: 0x02036E38 + (0x24 * N) + 0x20

* * * * *

EDIT: Found offsets for some scripts that people may find interesting.

0x081A4EB4 and 0x081A4EC1
Something to do with trainer battles... Is this used by the core game engine?

0x081A6843
This script handles hidden-item Signposts. Inputs are 0x8005 (item ID) and 0x8006 (amount). If the item ID is 0 (item: ????????) then it is treated as a Coins pickup.

0x081A6955
Script for the PC.

0x081A6AC8
Script for SURF. It does not include the badge check; that is evidently done in ASM before this is called.

0x081A6B0D
Script for current that is too fast to SURF in.

0x081A7705
Script for the Mystery Gift questionnaire.

0x081A77A0
Appears to be the script that is executed if you press Select without having a Key Item registered to that button.

0x081A8D49
I have no idea, but it has something to do with digging up an item. Where in FireRed can you do that?

0x081A8D97
Script for PokeCenter healing after whiting out.

0x081A8DD8
Script for Mom healing after whiting out.

0x081A8DFD
Script for whiting out (on the overworld, in battles, or both?).

0x081AD008
Script for a Fame Checker entry. This actually runs inside the Fame Checker. The others probably do, too.

0x081BE2B7
Script for WATERFALL. Like the SURF script, the badge check is performed elsewhere.

0x081BE38B
Script for DIVE (submerging). Apparently an R/S/E leftover. Like SURF and WATERFALL, there's no badge check here.

0x081BE3D4
Script for DIVE (emerging). No badge check.

0x081BE420
Script for if you try to use DIVE when you cannot emerge at the spot you're currently standing on.

0x081BF546
Internal script for hatching an EGG (by walking).

0x081BFB65
Script executed when REPEL wears off.

* * * * *

And some string offsets:

0x0826CF8C - 0x0826D19D
Nicknames of the Pokemon you can receive in in-game trades.

0x081C55C9
Strings for saving the game.

0x081B2DF8 - 0x081BB1B3(?)
L/R help strings.

NarutoActor
September 10th, 2011, 07:33 AM
'Offset of the facing direction byte for Person event N: 0x02036E38 + (0x24 * N) + 0x20'
This is extremely useful I have been trying to find this out recently too. Good job :D

Actually, I have a question. If you talk to the npc does the value change, or is it strictly the facing the player has in advance map.

DavidJCobb
September 10th, 2011, 01:54 PM
'Offset of the facing direction byte for Person event N: 0x02036E38 + (0x24 * N) + 0x20'
This is extremely useful I have been trying to find this out recently too. Good job :D

Actually, I have a question. If you talk to the npc does the value change, or is it strictly the facing the player has in advance map.It varies depending on the movement behavior that you have set. What I found was that the byte was not updated after talking if the behavior was "No Movement". When using either the rotate-clockwise or walk-around-randomly behaviors, however, the OW's facing byte updated when they moved, when they turned, and when the "faceplayer" command was used.

EDIT: I also just updated my list of every known flag and variable in FireRed (http://www.pokecommunity.com/showpost.php?p=6829256&postcount=158). A list of all Hidden IDs (hidden-item Signposts) has been added as well.

DavidJCobb
September 16th, 2011, 12:28 AM
I just found a few interesting quirks about some FireRed scripting commands. When I get around to it, I'll be uploading an updated version of a command reference I've been working on.

- - -

Setworldmapflag will set a flag if it is one of the sixteen entries in a list of world map flag numbers whose maps can be flown to. (That is, it will work for Viridian City's world map flag, but not for, say, Rock Tunnel's.)

- - -

Braille2 sets variable 0x8004 to a value based on the width of the braille string at the pointer you give it.

Because braille strings do not support the \p or \l control codes, Game Freak had to create a "fake" message cursor every time they wanted to show multi-part or multi-line braille strings. To facilitate this, they created special 0x1B2, which draws a cursor on the screen at a position specified by variables 0x8004 (X) and 0x8005 (Y).

braille2 will calculate the length of a specified braille string, and then set 0x8004 to a value based on that length. If you then show that string in a message box and call special 0x1B2, a cursor will appear exactly at the end of the braille string. For an example of its usage, view the scripts for the Signpost events in the Ruby or Sapphire rooms in Mt. Ember.

- - -

Setwildbattle will actually generate a 100-byte Pokemon data structure. If you know how, you can then manipulate this data structure before calling dowildbattle if you want to change its moveset or something.

- - -

If hidepokepic is called too soon after showpokepic, the script will freeze and hang with the pokepic box visible. I suspect the problems arise if you try to hide a pokepic while the game is still trying to display one.

- - -

Givepokemon will send the new Pokemon to the player's PC if their party is full. The number of the box to which the Pokemon is sent is stored in 0x4037 (yes, the game itself writes that var as part of the command). LASTRESULT is set to 0 if the Pokemon is stored in the party, 1 if it's sent to the PC, and 2 if there's no room in the party or the PC.

Mr. Magius
September 23rd, 2011, 11:09 AM
How about adding a new type? Sorry if it's been mentioned, I haven't checked out much of this thread.

Crimson5M
September 23rd, 2011, 11:30 AM
How about adding a new type? Sorry if it's been mentioned, I haven't checked out much of this thread.

Why not just edit the ??? type and change Curse to ghost like it is in gen V?

Mr. Magius
September 23rd, 2011, 07:53 PM
Why not just edit the ??? type and change Curse to ghost like it is in gen V?Hmm.. yes, but what about strengths and weaknesses and whatnot? And say one wanted to add more than one type?

DavidJCobb
September 24th, 2011, 02:36 PM
During my analysis of cmda6, I discovered that Game Freak implemented their own script-controlled walking ASM into the Advance-generation games. There can be up to eight subroutines to run on every frame of animation, only one of which may be active at any given time. You can select a subroutine to activate using cmda6.

At 0x03005090, there is a list of ASM functions to be executed on every frame of animation. Each entry in the list is a pointer to the routine, some metadata about the list item itself, and thirty-or-so bytes for the routine to work with (so that it may maintain its state).

When on the overworld, one of the items on this list is 0x0806E811, a walking routine manager. This routine manager will check one of the bytes in its execution-list-item (set by cmda6) and based on that byte, it will call one of eight walking subroutines.

Those subroutines in turn check the player's coordinates against stored values to see if the player has moved. If so, the subroutine processes player movement accordingly (check the tile they're standing on, change it if necessary, what have you).

There are eight slots for walking subroutines, and the defined subroutines (pointed to by pointers at 0x083A7310) are:
#0 at 0x0806E955: Nop
#1 at 0x0806EB55: Broken (R/S/E leftover: Route 113 ash-covered grass)
#2 at 0x0806E955: Nop
#3 at 0x0806E955: Nop
#4 at 0x0806E9E1: Icefall Cave ice tiles
#5 at 0x0806E955: Nop
#6 at 0x0806E955: Nop
#7 at 0x0806EC41: Broken (R/S/E leftover: Granite Cave/Sky Pillar broken floor tiles)

(The three defined subroutines basically change certain tiles out from under the player's feet. Theoretically, though, a subroutine can do anything it wants on every frame of animation that the overworld is being processed.)

What this means is that we now have an official way -- something that was designed for this use -- to set up our own custom-made ASM functions to run the very instant the player takes a step. If we keep the broken functions in the table, we can define up to four custom ASM subroutines; if we ditch those, we can define six.

(We could also repoint and extend the subroutine pointer table, and modify the related ASM code, thereby allowing up to 255 custom subroutines to be predefined and activated with cmda6.)

One possible use case for all of this would be an alternate (and more script-friendly) implementation of JPAN-style walking scripts, which would work without breaking other game functions (i.e. wild encounters in tall grass).

For more information, see the description for cmda6 in my FireRed script command reference (http://www.pokecommunity.com/showpost.php?p=6856053&postcount=197).

Oh, something else: the R/S/E leftovers prove that this discovery applies to all Advance-generation games. The offsets will differ, and the walking subroutines will have some differences in R/S/E, but the system itself exists in all Pokemon GBA games.

DavidJCobb
September 26th, 2011, 06:42 PM
Here's some information that may make my previous discovery more useful.

First, a demonstration. (http://www.youtube.com/watch?v=P0aQHash9rE)

Next, the walking subroutine that I used in that demonstration, with comments added. Modifying this should allow for easily-controlled tile-changing-when-stepped on effects.

.align 2
.thumb

SUBR_MAIN:
push {r4-r7,lr}
add sp, #-0x4
lsl r0, r0, #0x18
lsr r0, r0, #0x18
ldr r2, EXECUTION_QUEUE
add r2, r2, #0x8
lsl r1, r0, #0x2
add r1, r1, r0
lsl r1, r1, #0x3
add r5, r1, r2 // r5 is the start of roughly 30 bytes of RAM alotted for this functionality
mov r1, #0x2
ldsh r0, [r5, r1] // we use this as part of a queueing system
cmp r0, #0x0 // only happens after switching subroutines with cmda6 (the 30 bytes are cleared)
beq SUBR_INIT
cmp r0, #0x1 // 1 means that we're listening for footsteps
beq SUBR_STEP
bgt SUBR_TILE // higher values mean we have a tile change queued
mov r0, #0x1
strh r0, [r5, #0x2]

SUBR_RTRN:
add sp, #0x4
pop {r4-r7}
pop {pc}

SUBR_INIT: // initialize our state data
mov r4, sp
add r4, r4, #0x2
mov r1, r4
ldr r3, F_GET_COORDS
bl CALL_R3
ldrh r2, [sp]
strh r2, [r5, #0x4] // we
ldrh r0, [r4]
strh r0, [r5, #0x6]
ldr r2, DEFAULT_COLOR
strh r2, [r5, #0x8]
mov r2, #0x0
strh r2, [r5, #0xC]
mov r2, #0x1
strh r2, [r5, #0x2]
b SUBR_RTRN

SUBR_STEP: // check if the player's taken a step
mov r4, sp
add r4, r4, #0x2
mov r1, r4
mov r0, sp
ldr r3, F_GET_COORDS
bl CALL_R3
mov r0, sp // compare current coords to logged coords
ldrh r2, [r0]
mov r3, #0x0
ldsh r1, [r0, r3]
mov r3, #0x4
ldsh r0, [r5, r3]
cmp r0, r1
bne SUBR_STEP_CHECK_SWITCH
mov r3, #0x0
ldsh r1, [r4, r3]
mov r3, #0x6
ldsh r0, [r5, r3]
cmp r0, r1
beq SUBR_RTRN
b SUBR_STEP_CHECK_SWITCH

SUBR_STEP_CHECK_SWITCH:
strh r2, [r5, #0x4] // log the new coords
ldrh r0, [r4]
strh r0, [r5, #0x6]
mov r0, sp
mov r3, #0x0
ldsh r0, [r0, r3]
ldsh r1, [r4, r3]
ldr r3, F_GET_TILE // check if the player's standing on one of the "palette" tiles
bl CALL_R3
mov r2, #0x0
ldr r1, BLUE_SWITCH_TILE
cmp r0, r1
beq SUBR_STEP_SET_BLUE
ldr r1, RED_SWITCH_TILE
cmp r0, r1
beq SUBR_STEP_SET_RED
ldr r1, GREEN_SWITCH_TILE
cmp r0, r1
beq SUBR_STEP_SET_GREEN
ldr r1, WHITE_SWITCH_TILE
cmp r0, r1
beq SUBR_STEP_SET_WHITE
b SUBR_STEP_CHECK_CANVAS

SUBR_STEP_SET_BLUE:
ldr r2, BLUE_CANVAS_TILE
b SUBR_STEP_SET

SUBR_STEP_SET_RED:
ldr r2, RED_CANVAS_TILE
b SUBR_STEP_SET

SUBR_STEP_SET_GREEN:
ldr r2, GREEN_CANVAS_TILE
b SUBR_STEP_SET

SUBR_STEP_SET_WHITE:
ldr r2, WHITE_CANVAS_TILE
b SUBR_STEP_SET

SUBR_STEP_SET:
strh r2, [r5, #0x8] // if so, store their selection (tile ID of color to change to)
b SUBR_RTRN

SUBR_STEP_CHECK_CANVAS: // check if standing on a "canvas" tile
ldr r2, BLUE_CANVAS_TILE
cmp r0, r2
beq SUBR_STEP_QUEUE_CANVAS
ldr r2, RED_CANVAS_TILE
cmp r0, r2
beq SUBR_STEP_QUEUE_CANVAS
ldr r2, GREEN_CANVAS_TILE
cmp r0, r2
beq SUBR_STEP_QUEUE_CANVAS
ldr r2, WHITE_CANVAS_TILE
cmp r0, r2
beq SUBR_STEP_QUEUE_CANVAS
b SUBR_RTRN

SUBR_STEP_QUEUE_CANVAS:
mov r2, #0x4 // if so, queue a change
strh r2, [r5, #0xC]
mov r0, #0x2
strh r0, [r5, #0x2]
ldrh r0, [sp]
strh r0, [r5, #0xE]
ldrh r0, [r4]
strh r0, [r5, #0x10]
b SUBR_RTRN

SUBR_TILE:
ldrh r0, [r5, #0xC]
cmp r0, #0x1 // we can delay a change by a specific number of frames
bgt SUBR_TILE_DELAY
mov r1, sp
ldrh r0, [r5, #0xE]
strh r0, [r1]
mov r4, sp
add r4, r4, #0x2
ldrh r0, [r5, #0x10]
strh r0, [r4]
mov r0, #0x24 // the "ice tile just cracked" sound
ldr r3, F_PLAY_SOUND
bl CALL_R3
mov r0, sp
mov r3, #0x0
ldsh r0, [r0, r3]
ldsh r1, [r4, r3]
ldrh r2, [r5, #0x8]
ldr r3, F_CHANGE_TILE
bl CALL_R3
mov r0, sp
mov r3, #0x0
ldsh r0, [r0, r3]
ldsh r1, [r4, r3]
ldr r3, F_REPAINT_TILE // not entirely sure how it works, but it does update the specified tile's entries in graphical memory
bl CALL_R3
mov r0, #0x1
strh r0, [r5, #0x2]
b SUBR_RTRN

SUBR_TILE_DELAY:
sub r0, #0x1
strh r0, [r5, #0xC]
b SUBR_RTRN

CALL_R3:
bx r3
bx lr

.align 2
F_GET_COORDS:
.word 0x0805C539

F_GET_TILE:
.word 0x08058E49

F_PLAY_SOUND:
.word 0x080722CD

F_CHANGE_TILE:
.word 0x08058FA5

F_REPAINT_TILE:
.word 0x0805A8E9

EXECUTION_QUEUE:
.word 0x03005090

// Everything below here is a tile number in the major and minor tilesets
// You'd basically use the hex values that AMap shows you when you mouseover a given tile
DEFAULT_COLOR:
.word 0x000003F4

BLUE_CANVAS_TILE:
.word 0x000003EC

RED_CANVAS_TILE:
.word 0x000003ED

GREEN_CANVAS_TILE:
.word 0x000003F5

WHITE_CANVAS_TILE:
.word 0x000003F4

BLUE_SWITCH_TILE:
.word 0x000003E9

RED_SWITCH_TILE:
.word 0x000003EA

GREEN_SWITCH_TILE:
.word 0x000003EB

WHITE_SWITCH_TILE:
.word 0x000003F1


The upshot of all of this is that it is now very easy to make polished effects like a floor cracking underneath the player's feet, for example -- complete with sound effects and perhaps even other behaviors.

That alone could be used for things like unique Gym puzzles. Theoretically, that is just scratching the surface of this functionality's potential, however. Remember that it runs on every frame of animation in which the overworld is being shown and/or processed. In theory, you could do things like timing how long the player stands on a block, or tampering with the movement patterns of an NPC (this runs when you take a step, not when you finish moving, so problems waiting for movement should be few and far between).

And so this concludes my research on CmdA6.

knizz
October 6th, 2011, 07:38 AM
At 0x03005090, there is a list of ASM functions to be executed on every frame of animation. Each entry in the list is a pointer to the routine, some metadata about the list item itself, and thirty-or-so bytes for the routine to work with (so that it may maintain its state).

FINALLY! Finally someone understands the relevance of this list.
I called it callback3-list and all functions that can be in one of it's slots are prefixed with c3_ in my database. The walking routine manager (0x0806E811) is called c3_ash in it. The table with the eight slots (0x083A7310) is named 'ashtable'.

The ash handler calls 'music_play' and 'setmaptile' internally. Once at 0806EB22 (Tile 0x35B) and another time at 0806EAD8 (Tile 0x35A). A subfunction (0806E958) that is called from 0806EA82 and sets some flags.

I didn't know that this is controllable via the 0xA6 command. So thanks for telling.

slawter666
October 13th, 2011, 07:21 AM
Is the screen size for the GBA Pokémon games (240 x 160) set within the ROM or the GBA hardware? And if it was theoretically possible to expand it to the DS screen size (or greater)(256 x 192) would it be that size on an emulator or if it was played on a DS or would it still be limited to the original GBA screen size?

Team Fail
October 13th, 2011, 07:57 AM
Is the screen size for the GBA Pokémon games (240 x 160) set within the ROM or the GBA hardware? And if it was theoretically possible to expand it to the DS screen size (or greater)(256 x 192) would it be that size on an emulator or if it was played on a DS or would it still be limited to the original GBA screen size?

It's set by the GBA hardware. And, if it were played on DS hardware, it might just be scaled to fit the screen.

The 100 Mega Shock
October 13th, 2011, 08:27 AM
Even if you tried expanding the viewable area on an emulator I'm almost certain that the system would not draw anything outside of the original screen size, due to the nature of how 2D consoles, and emulation of them, work

You can do this with emulators for 3D consoles like N64, DC and Gamecube, but they're a completely different beast when it comes to emulation and passing the graphics to your computer to be drawn - and it totally depends on the game whether or not you'll get a useful result from displaying more screen area than was originally intended.

As for your other point, for all intents and purposes the DS is treated as a Game Boy Advance when it goes into backwards compatibility mode - the main processor of the GBA is identical to the second processor of the DS, so the game's code can be run natively on the system. It behaves exactly the same as a GBA would.

romancandle
October 13th, 2011, 11:03 AM
How hard would it be to make a tool for editing Pokemon Abilities--names, effects, descriptions--or adding new ones in Gen III?

Gamer2020
October 13th, 2011, 11:26 AM
How hard would it be to make a tool for editing Pokemon Abilities--names, effects, descriptions--or adding new ones in Gen III?
I'm not sure but I think someone made one already.

romancandle
October 13th, 2011, 11:35 AM
I'm not sure but I think someone made one already.

I sure haven't found any, but then again, I'm not a great searcher. I've tried Google and searching these forums specifically. If you find it, please PM a link to me.

ruup20
October 14th, 2011, 05:06 AM
Do you mean like YAPE? That's a good one.

romancandle
October 14th, 2011, 09:05 AM
Do you mean like YAPE? That's a good one.

YAPE lets me give pokemon any ability in the game, yes, but I'd like to edit the Abilities themselves. For example, I wouldn't mind making Lightning Rod act like it does Gen V or put in Motor Drive.

TheDarkShark
October 14th, 2011, 09:31 AM
If there was a tool for something like that, I'd probably leave GBA-Hacking - it'd be too easy (which it already is, IMO). If you want something alike, you'll have to do some serious hacking involving ASM.
If you don't want to do it that way, you don't want that feature bad enough to deserve it. That's my philosophy.

Anyway, try putting a break on read at a pokemon's Ability. That should lead you to most routines which use them. Then you can easily extend the header to enable new abilities. That won't do the job, though. AFAIK, each ability has it's own ASM-routines, so you'd need to wright new code.
I'm sure there's a thread around dealing with it. I think it's name was "modernizing the Firered-field engine" or something.
I hope I could help you - at least a bit.

Jambo51
October 14th, 2011, 01:13 PM
YAPE lets me give pokemon any ability in the game, yes, but I'd like to edit the Abilities themselves. For example, I wouldn't mind making Lightning Rod act like it does Gen V or put in Motor Drive.

I don't wanna s**t all over your hopes, but there is no such editor. And I highly doubt there ever will be.

Gamer2020's tool lets you change/add ability names and descriptions, but there is no way to create custom ability effects without using ASM.

I'm currently working on adding pretty much everything I can from gen 4/5 into gen 3, abilities included. Give me some time, and I'll see what I can do.

DavidJCobb
October 14th, 2011, 01:20 PM
Hey, guys, just a heads-up. I haven't confirmed anything yet, but...

The RAM used by JPAN's Hacked Engine (1856 bytes starting at 0x0203F3C0) appears to overlap a small RAM space used by the Teachy TV's ASM (10 bytes starting at 0x0203F444). This sound minor, but it's a clear indicator that the RAM isn't unused, and it also means that there may be more overlaps with other seldom-used functionality.

I haven't heard of any particularly-bizarre or unexplained problems arising from JPAN's Hacked Engine, and it's worked excellently for me; this is just a minor thing to keep in mind. Nothing major should be affected by RAM conflicts with JPAN's code.

dudedude1
October 14th, 2011, 03:57 PM
I'm not sure if this has yet to have been accomplished but I've read Darthatron says its possible. I'm trying to find and way to increase the number of unique world map tiles to at least 2048 but I had read Darthatron said the max that was possible was 4096. Any information would be greatly appreciated!

SupahNinja
October 24th, 2011, 08:50 AM
LIST OF IDENTIFIED IN-GAME VARS (FIRERED)

4000 Temporary/disposable variable.
Written to by special E7.
4001 Temporary/disposable variable.
4003 Temporary/disposable variable? Used in TRAINER TOWER.
4006 Temporary/disposable variable? Used in TANOBY KEY.
4008 Temporary/disposable variable? Used in TANOBY KEY.
400E Temporary/disposable variable? Used in TRAINER TOWER.
400F Temporary/disposable variable? Used in TRAINER TOWER.
4010 Temporary/disposable variable.
Written to by (incomplete?) special 142.
4020 Pedometer. It counts down, and upon reaching 0x0000, REPEL expires.
4021 Pedometer. Max value 0x007F; it loops back to 0x0000 after.
4022 Pedometer. Max value 0x0004; it loops back to 0x0000 after.
4023 Pedometer. Max value 0x05DC; it just stays at that value after?
4025 Pedometer? Used for DAISY's script? Haven't seen it in action myself yet.
Set to 0x01F4 (500) by GAME START SCRIPT.
4031 The starter that the player chose (0, 1, 2).
Accessed directly by special 129.
4036 Multi-use, for SELPHY's Pokemon-fetching-and-showing game.
Apparently set to 0x0000 when it's time for a new "round" to start.
Apparently set to 0xFFFF if you're out of time.
4037 Box that a newly-received (givepokemon) Pokemon was sent to. Is directly manipulated by the game engine
itself.
Read by special 165.
4038 Unknown.
Read by specials A6 and A9.
Written to by special A8.
Used by special AA.
4039 Unknown.
Written to by specials A6, A7, and A9.
403A Used in elevator scripts (current floor?). Written to by special 0xD8.
403C 0xXXYY -- the current bank and map, respectively.
403E Unknown.
Accessed directly by special 1AC.
4042 Unknown.
Read by special 167.
4043 Unknown.
Written to by special 167.
4049 Unknown. Something to do with the sticker kid on FOUR ISLAND.
404A Unknown. Something to do with the sticker kid on FOUR ISLAND.
404B Unknown. Something to do with the sticker kid on FOUR ISLAND.
404E Unknown.
Written to by special 197.
4050 Unknown or multi-use.
Set to 0x1 after the "Don't go out yet!" OAK Script event.
Set to 0x2 during the Hall of Fame room level script, if the National Dex is NOT already unlocked.
Set to 0x3 after OAK's chat with the player in PALLET TOWN after beating the E4.
4051 Set to 0x2 to disable the "Old Man Needs Coffee" Script event in VIRIDIAN CITY.
4052 Set to 0x1 to disable Script events for Gary in CERULEAN CITY.
4053 Unknown. Set to 0x0 after the player watches the S.S. ANNE depart.
4054 Unknown or multi-use.
Set to 0x2 to disable Script events for a Rival encounter on ROUTE 22.
Set to 0x3 after VIRIDIAN CITY Gym Leader GIOVANNI is defeated. Enables next Rival.
Set to 0x4 to disable Script events for a second Rival encounter on ROUTE 22.
4055 Unknown.
Is set to 0x0 when the player hasn't encounted PROF. OAK yet.
Is set to 0x1 when OAK is escorting the player to his lab.
Is set to 0x2 when the player needs to choose a starter.
Is set to 0x3 when the player and their Rival have both chosen starters.
Is set to 0x4 after the player's first battle with their Rival.
Is set to 0x5 when the player needs to deliver OAK's PARCEL.
Is set to 0x9 when the player enters PROF. OAK while it is set to 0x8.
If >= 0x1 and no other events pending, then DAISY comments on a recent Rival battle.
Set to 0x7 after OAK's chat with the player in PALLET TOWN after beating the E4.
4056 Unknown. If equal to 0x0, "sethealingplace" runs whenever the player enters their bedroom in
PALLET TOWN. Another level script then sets the variable to 0x1.
4057 Multi-use.
Set to 0x1 to disable the OAK's PARCEL level script in VIRIDIAN CITY's PokeMart.
Set to some other value to enable VIRIDIAN CITY's normal PokeMart script.
4058 Unknown. Checked by DAISY's script in PALLET TOWN. Apparently part of the sequence of events
that makes her give away the TOWN MAP.
Set to 0x2 when DAISY gives away the TOWN MAP.
4059 If != 0x0, then the player beat the Ghost MAROWAK at POKeMON TOWER.
405A Set to some value to disable the Old Man that blocks the VIRIDIAN CITY Gym.
405B Multi-use.
Set to 0x1 to disable Script events for a Rival encounter on the S.S. ANNE.
Is set to 0x1 when entering LAVENDER TOWN.
405C If != 0x0, then the player beat Gary at SILPH CO.
405D If != 0x0, then the player beat Gary at POKeMON TOWER.
405E Set to 0x0 to disable Script events on the tiles bordering the exits to the CYCLING ROAD
gatehouse. Set to 0x1 to disable Script events on the tiles bordering the entrances.
405F Controls various badge-checking Script events on Route 23.
4060 If >= 0x1, then TEAM ROCKET has left SILPH CO.
4061 Set to 0x1 to disable the Pay-To-Enter Script events in PEWTER CITY's Museum.
4062 Set to 0x1 to disable the thirsty-guard roadblock Script events in the SAFFRON gatehouses.
4064 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4065 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4066 Unknown or multi-use.
Reset to 0x0000 when entering Route 23.
Used as part of the Boulder puzzle scripts in VICTORY ROAD.
4067 Unknown. Reset to 0x0000 when entering Route 23.
4068 Set to 0x2 after an Elite Four chamber level script forces the player to walk up. Rechecked
later after the E4 battle in that chamber has ended. Reset to 0x0000 in the Hall of Fame room.
4069 Set to 0x1, 0x2, or 0x3 depending on which fossil is being revived at the CINNABAR ISLAND
lab.
406A Fossil revival process. 0x1 means that a revival is in progress. 0x2 means that it is
complete.
406B Set to 0x1 to disable Script events for the Nugget Bridge challenge.
406C Unknown or multi-use.
Set to 0x1 to disable the man that traps you in PEWTER until you beat Brock.
Set to 0x2 to disable Script events for the man that gives Running Shoes at PEWTER.
406E Safari Zone status.
Set to 0x0 when not in the SAFARI ZONE.
Set to 0x1 ...?
Set to 0x2 after paying to enter the SAFARI ZONE.
406F I haven't the faintest idea. Used in Pokemon Center 2F level scripts.
4070 Set to 0x1 when talking to some chick in PALLET TOWN that mimics a sign or whatever.
4071 See 408A.
4073 Affects dialogue in the SAFFRON CITY TRAINER FAN CLUB building.
Is set to 0x1 when the occupants -- your new fans -- swarm you.
4074 Unknown. Checked if != 0x0 in a level script for the woman-who-likes-battles's house (map
31.0).
4075 Used in a ONE ISLAND level script. If it equals 0x2, BILL will welcome you to ONE ISLAND,
bring you into the PokeCenter to see CELIO, and then the variable will be set to 0x3.
4076 Multi-use, for the RUBY/SAPPHIRE subplot.
Set to 0x4 if hasn't beaten the ROCKET GRUNTs they eavesdrop on at MT. EMBER?
Set to 0x5 when the RUBY has been delivered to CELIO on ONE ISLAND.
Set to 0x6 when the subplot is complete.
If >= 0x5, VERMILION dockworker acknowledges your RAINBOW PASS. (Travel to SEVII)
If >= 0x1, VERMILION dockworker acknowledges your TRI-PASS. (Travel to SEVII 1-3)
4078 Affects the commentary and items offered by the shopkeeper on One Island. The variable's
value is managed by a TWO ISLAND level script that checks various flags.
0x4078 == 0x2 means that Lostelle has been rescued.
0x4078 == 0x3 means that you've beaten all Gyms, but not the Elite Four. (?)
0x4078 == 0x4 means that the shopkeeper offers items "from distant lands". (Beat E4)
4079 Multi-use, for the LOSTELLE event.
Set to 0x1 after dealing with a Biker at the TWO ISLAND GAME CORNER.
Set to 0x2 after rescuing LOSTELLE in BERRY FOREST, before warping to her home.
Is set to 0x3 when LOSTELLE is reunited with her father.
Is set to 0x4 when the subplot is complete.
407B Unknown or multi-use.
Set to 0x2 to enable the first Script events for the Bikers in THREE ISLAND?
Set to 0x3 to disable the first Script events for the Bikers in THREE ISLAND.
Set to 0x4 to disable the second Script events for the Bikers. (They leave.)
407C Unknown or multi-use.
Set to 0x1 to ...?
Set to 0x2 to disable the Pokemon Center 2F level script (TEALA's tutorial).
407D Set to 0x1 to disable the ROCKET GRUNT Script events behind the broken home in CERULEAN.
407E Unknown or multi-use.
Is set to 0x1 after the player helps the S.S. ANNE's captain.
Is set to 0x2 when the player is stepping out of a boat and into VERMILION CITY or the S.S. ANNE harbor.
Is set to 0x3 when the S.S. ANNE has departed VERMILION CITY.
407F Set to 0x2 after a Script event on MT. EMBER, in which the player hears ROCKET GRUNTs talk.
4080 Set to 0x1 after a Script event in ICEFALL CAVE, in which the player assists LORELEI.
4081 Set to 0x1 to disable a Script event blocking access to the Pokemon in the FIGHTING DOJO.
4082 Multi-use.
Set to 0x0 to enable a Script event at the TRAINER TOWER counter. (A level script
on the tower's exterior (Map 3.62) does this.)
Set to 0x1 to disable a Script event at the TRAINER TOWER counter.
4083 Set to 0x1 upon entering the LOST CAVE room with the lost woman.
4084 Multi-use, for the SELPHY event.
Set to 0x1 upon rescuing SELPHY from LOST CAVE, before warping to RESORT GORGEOUS.
Set to 0x2 upon being promptly dismissed from her front door (level script).
4085 Unknown. Used in two level scripts for INDIGO PLATEAU (3.9). Does something if it equals 1.
4086 Set to 0x1 to disable a FOUR ISLAND level script (Gary encounter without battle).
4088 Set to 0x1 to disable Script events in ROCKET WAREHOUSE.
4089 Set to 0x1 to disable a SIX ISLAND (37.0) level script (Gary encounter without battle).
408A Multi-use, for an event where you meet BILL at CINNABAR ISLAND's PokeCenter, and he leaves on
a boat.
Set to 0x1 upon meeting BILL in the PokeCenter. The same script makes you both leave.
Is set to 0x1 when used in level scripts that show BILL's departure from the island.
408B Set to 0x1 to disable the Script events for the fossil guy in MT. MOON.
...
5EF4 - 7FFF CONFIRMED UNSAFE! In PC box space!
Does this mean that vars under 4000 (and vars in betwen 408B and 5EF4) are safe to use?

DavidJCobb
October 24th, 2011, 12:40 PM
Does this mean that vars under 4000 are safe to use?Variables under 4000 can't be used because:


They overlap RAM used for flags
Most script commands don't recognize them as variables

Most commands basically do this: "If argument > 0x3FFF, then find the value of variable number argument and use that value. Else, use argument itself as a value."


Does this mean that vars in betwen 408B and 5EF4 are safe to use?Some of them have been confirmed unsafe since I last updated that document. The rest are a mystery and could be safe or unsafe.


Variables 0x4100 to 0x417F (inclusive) overlap the RAM used for a special data type called "hidden variables" -- a set of 64 dwords used by certain script commands whose purpose is unknown.
Variables 0x5084 to 0x55CC overlap RAM used for seemingly-arbitrary data. I haven't noticed any ill effects from overwriting this data, but it changes frequently, so the variables themselves are unreliable.
Variables 0x56F4 - 0x5EF3 appear to also overlap RAM used for the PC. This doesn't match with JPAN's findings (the 0x5EF4 figure is from him) so either one of us is wrong, or this variable range overlaps non-essential parts of the PC data.

My suspicion -- an unconfirmed one -- is that the only safe variables are those from 0x4000 to 0x40FF (inclusive), excluding variables in that range that are set or read by the core game engine (as opposed to those used by scripts that can be safely removed).

Basically, you're better off keeping your variables to a minimum. If you find yourself running short on variables, see if flags (or perhaps key items) could be used instead of variables to track the player's progression through different scripts.

SupahNinja
October 24th, 2011, 03:24 PM
Variables under 4000 can't be used because:


They overlap RAM used for flags
Most script commands don't recognize them as variables

Most commands basically do this: "If argument > 0x3FFF, then find the value of variable number argument and use that value. Else, use argument itself as a value."


Some of them have been confirmed unsafe since I last updated that document. The rest are a mystery and could be safe or unsafe.


Variables 0x4100 to 0x417F (inclusive) overlap the RAM used for a special data type called "hidden variables" -- a set of 64 dwords used by certain script commands whose purpose is unknown.
Variables 0x5084 to 0x55CC overlap RAM used for seemingly-arbitrary data. I haven't noticed any ill effects from overwriting this data, but it changes frequently, so the variables themselves are unreliable.
Variables 0x56F4 - 0x5EF3 appear to also overlap RAM used for the PC. This doesn't match with JPAN's findings (the 0x5EF4 figure is from him) so either one of us is wrong, or this variable range overlaps non-essential parts of the PC data.

My suspicion -- an unconfirmed one -- is that the only safe variables are those from 0x4000 to 0x40FF (inclusive), excluding variables in that range that are set or read by the core game engine (as opposed to those used by scripts that can be safely removed).

Basically, you're better off keeping your variables to a minimum. If you find yourself running short on variables, see if flags (or perhaps key items) could be used instead of variables to track the player's progression through different scripts.

Okay, thank you.
So I'll use flags when possible, and when I need variables (let's say, for the scripts that activate when stepped on by the player, and require a certain variable to be set) then I'll use 0x4000 to 0x40FF.
If any of the variables cause an error, I'll report back here so you can update the list.

EdensElite
November 7th, 2011, 06:17 AM
Hey Guys. I've been trying to find out how to edit the PC Boxes for a while. So far all I've find out is that it is stored in the VRAM and what I've include in the screenshot below. If anyone experienced with Hex etc. can help me out, I would really appreciate it :)

Findings (http://dl.dropbox.com/u/4875391/PC/PCBox.bmp)

I managed to find the header. I havn't tried editing it yet. As I'm more interested interested in the actual box. I noticed that most boxes only use one or two different tiles repeated over and over, so maybe there isn't actually a whole image to edit unlike Gen IV games. In which case it's possible that those tiles are in that picture and I missed them.

Awkward Squirtle
November 8th, 2011, 04:04 PM
Uh... they're stored in the ROM, and copied to the VRAM when the game needs to draw them to the screen. I suspect they're uncompressed in the ROM, so you could just use a tile editor to change them (if you can find them).

Team Fail
November 8th, 2011, 05:15 PM
I've been curious as to this for a while, but has anyone managed to create a Mode 7 hack for these games? I think it can be done- it was done with Super Mario World and it's 2D graphics engine.

IIMarckus
November 8th, 2011, 11:15 PM
I've been curious as to this for a while, but has anyone managed to create a Mode 7 hack for these games? I think it can be done- it was done with Super Mario World and it's 2D graphics engine.Mode 7 can be done on the GBA. It’s kind of limited because you can only manipulate two planes this way (essentially, a floor and a ceiling)—walls and such have to be sprites. Since they can’t be scaled in the same way, you have to create separate sprites for various distances, and switch between them. It works better for open areas with no walls.

M.L
November 21st, 2011, 09:25 AM
Small question i have seen a animated titlescreen before but im curious is it possible to create an animated Battle background like leaves in blowing or rock in the cave falling or sea moving or somthing like that?

TheDarkShark
November 21st, 2011, 09:34 AM
Well, it could be doable, but you'd need to find out how the background image is drawn and update it every second or so, which might be kind of hard considering that you'd need to hack the battle engine itself, eventually, which of course takes a lot of ASM skillz.

M.L
November 21st, 2011, 09:35 AM
Ahh thanx lol i was just curious xD

Team Fail
November 29th, 2011, 09:06 PM
Mode 7 can be done on the GBA. It’s kind of limited because you can only manipulate two planes this way (essentially, a floor and a ceiling)—walls and such have to be sprites. Since they can’t be scaled in the same way, you have to create separate sprites for various distances, and switch between them. It works better for open areas with no walls.

Interesting. Perhaps a minigame of sorts could benefit from this. But to have many several sprites for different distances, couldn't a calculation be used, and depending on how far away from an object yor are, it would scale/resize the image? It'd take up less space. I'd have to think of a new way for this kind of engine to work, but the idea might not be too farfetched as I think it is (Regarding movements and boundaries). But if I were to write that- I'd have to learn ASM first.

IIMarckus
November 30th, 2011, 06:53 PM
Interesting. Perhaps a minigame of sorts could benefit from this. But to have many several sprites for different distances, couldn't a calculation be used, and depending on how far away from an object yor are, it would scale/resize the image? It'd take up less space.I’m not the one to ask about efficiency here. The GBA is not really my forte, and I’ve never worked with Mode 7, so I really can’t provide any details. Try reading up on it (http://www.coranac.com/tonc/text/mode7.htm).But if I were to write that- I'd have to learn ASM first.Do it! ASM isn’t nearly as hard as people make it out to be, and it’s a lot of fun.

redriders180
December 15th, 2011, 02:38 PM
Do it! ASM isn’t nearly as hard as people make it out to be, and it’s a lot of fun.

Maybe it's me, but ASM is a pain. I've found plenty of tutorials saying the basic stuff, but nothing that says what tools you need, or anything of that nature. ANYWAYS...

How easy or hard would it be to make it so pokemon that hatch from an egg are level 1 instead of level 5 in firered? I think it was unsafe to have level 1 Pokemon in Gen I and II, but in Gen III they're fine for the most part. Anyway, I just think it makes more sense if they hatch at Level 1.

JPAN
January 1st, 2012, 10:40 PM
Unfortunately, time to hack is growing shorter by the semester, and research subjects seem to pile up when you have little time. I was hoping to release some examples with this, but...

The subject is Battle AI.
Battles are pretty much a mystery when compared to other fields of pokemon study. We can pretty much change the Overworld to do whatever we want, but to get the code to run anything else (other than that for which it was intended) in the battle screen is hard. Even strings, that outside we can display with a simple call, need to be encoded into the battle string displayer and accessed by an index, requiring repointing tables, changing limiter bytes and much more.

When we look at a battle, we expect the opposing team to do something back. They supposedly have some strategy, but digging into the trainer and wild pokemon code revealed something suprising: Trainers and wild pokemon seem to share the same code.
Functions used by the wild pokemon have trainer only functions, disabled because of the battle flag.
And I have yet to find where they select what they do. The trainer "AI byte" only function seem to be setting the IV's for each party member (0xff being 31 IV's for everything).

So, what I found was the attack selection byte. In the case the pokemon will attack, this is the byte that is used to see what he selected.
At 0x0801488E is the last location the selected attack is stored. It first goes through a series of temporary addresses that change a lot, so pinpointing the origin is hard. Replacing that location with a hook and creating a routine to handle it can create diverse AI.

At 0x02000090 is the location of your attack. 0x02000091 keeps the enemy attack, 92 and 93 the same for partner pokemon. That attack is stored as the Attack slot number. The attack it corresponds can be found by going into the battle data for each pokemon (0x02023be4 for yours, 0x02023be4 + 0x58 for opponent) + 0xc + (attackSlot*2).

So, what can we use this for? We can hook this routine to simulate lots of different scenarios.
For instance, using it to create smarter pokemon (like Elite Four members that know the type chart and use the most effective attacks, and learn information about your team during battle). Or change attacks on your own pokemon(like simulating the battle palace on Fire Red). Or create double battles with a secondary trainer (AI for the second trainer).

The main reason I don't have any simple examples for this one is because other than the really dumb "random attack" model, there are no simple examples. Programming an AI is time consuming (specially in assembly), but for anyone out there that wants to try, I give you a way to start.

As you may notice, the function refered is not the AI function. It's merely the last in a series of memory variables being copied, that end at that location when the attack is selected. This findings do not allow you to change Item usage for trainers, and if the game decides to use an item, or change the pokemon on the field, your attack changes at this level will have no effect. But for wild pokemon, it works perfectly.

Lost Heart
January 19th, 2012, 02:28 PM
For anyone that wants to change the badge required for surf, the offset of the flag is 0806D59C. Also, I pretty sure that 0806D5D0 is waterfall, but I haven't tested it. (FireRed)

droomph
January 19th, 2012, 08:11 PM
I've noticed that JPAN has a thread on Specials in Fire Red, but I can't find a thread (or post) that has one that is just as comprehensive as his on any other game. So I dug out some of the more common Specials, and a little bit on flags, variables, and stuff.

Specials:
Note: Special2-recommended specials will be noted with a 2 before description.
Note2: Returning 0x933F means that it is meant for Special, not Special2.0x0 - Healing - who could forget that?
0x1 - 2 Returns 0, but has something to do with var 0x7EA1…no idea.
0x2 - Blacks out the screen.
0x3 - Blacks out the screen, returns you to the last warp you used on current map. If you didn't use a warp on the map you were on, then returns you to center of the map you were on.
0x4-0x7 - Returns 0x933F (37695), but does nothing visible.

0x22 - Trading menu.

0x27 - Returns 0x933F (37695), but does nothing visible.
0x28 - Saves party Pokémon into RAM.
0x29 - Reverses changes from 0x28.
0x2A - Chooses 3 Pokémon, relocates those three to 0x203CEF8.

0x2C - Returns to 0x8004 - the status of the Loamy Soil of 0x800F, 0x8005 - the "beauty" of the Loamy Soil plant, if there is one. When it is 0xFF, all scripts are programmed to return a msgbox "!", possibly displaying a state change. It will return 0x0 through 0x5 depending on the state of the Loamy Soil, from 0x0 being not planted at all, to 0x5 being fully grown.
0x2D - Something to do with the Wailmer Pail.
0x2E - Stores into memory the type of Berry you chose to plant and how many Berries there are ("beauty"?), and returns into \v\h03 ([buffer2]) how many Berries there are, if any, and \v\h02 ([buffer1]) what type of Berry plant it is.
0x2F - Allows you to choose a Berry from the Berry pocket of your Bag. Affects 0x800E.
0x30 - Something to do with planting berries.
0x31 - Probably returns into 0x8004 how much room that you have left in your Berry pocket. If none, then 0x0 is returned.
0x32 - Something to do with picking Berries.
0x33 - Does something about the "beauty" of the plant.
0x34 - 2 Appears to return 0x1 into specified variable if Player has a Berry available.

0x3B - Starts playing the “Trainer Spotted!” music depending on the trainer class indicated by 0x8015.
0x3C - 2 Checks if Rematch available. Returns 0x1 as yes.

0x3E - Makes a trainer battle happen. Turns Player to left after done.
0x3F - Displays a second text box displaying all the possible options for the POKéMON Storage System. Ends and returns to script if you select "SEE YA!".

0x61 - Plays the actual "watering" animation, and possibly even sets the effects of the Wailmer Pail…
0x62 - "Trendy Phrase". Used by the Trendy Dude outside in Dewford Town.

0x86 - Checks how many Pokémon in Party and places in Variable. Identical to FireRed 0x83. (Credit to JPAN and buddies)
0x87 - I assume this is identical to 0x86…

0x8E – Used first in the Mauville City Gym switches.
0x8F – Used second in the Mauville City Gym switches.

0x91 - Map refresh. Identical to FireRed 0x8E.

0x9D - Better set the clock!
0x9E - Now look at the clock.
0x9F - Starter Pokémon; Birch's Bag
0xA0 – Wally Meets Ralts! - Wally sends out first Party Pokémon unless special paramaters are set.
0xA1 - Nickname Pokémon in Party, as indicated by 0x8004.
0xA2 – Choose a Pokémon. – Sends it somewhere.

0xA4 – Berry blender.
0xA5 – 2/ Roulette game. Somehow returns 1, then 3. Has something to do with 0x8004 and cmd96.

0xA9 - Returns 0x933F (37695), but does nothing visible.

0xAE - Generates a wild battle from the "Tree (Rock Smash)" wild Pokémon data. May have a chance of returning 0x0 into LASTRESULT; 0x0 means no battle.

0xB7 - 2 Checks how the last wild battle ended. 0x1 if won, 0x4 if lost, 0x5 because it can, 0x7 if captured.
0xB8 - Buffers the two Day-Care Pokémon into \v\h02 ([buffer1]) and \v\h03 ([buffer2]). Identical to FireRed 0xB5. (Credit to JPAN and buddies)
0xB9 - 2 Returns 0x1 if there is an egg, 0x2 if one Pokémon, 0x3 if two Pokémon. Identical to FireRed 0xB6. (Credit to JPAN and buddies)
0xBA - Clears Egg timer, prepares it for new timer. Identical to FireRed 0xB7. (Credit to JPAN and buddies)
0xBB - Creates and places egg in Party. Identical to FireRed 0xB8. (Credit to JPAN and buddies)

0xD9 - Turns the tile above the player that is also directly bordering the script tile into the 6th tile in the tileset, and flickers it between the 5th and the 6th tile for a while. Used for PCs.
0xDA - Turns the tile changed in 0xD9 into the 5th tile in the tileset. Used for PCs. Changes the movement to "blocked"?

0xF4 - Stops all music.

0xFC - Player's PC.
0xFD - Player's POKéMON Center PC. Returns to script when "TURN OFF" is selected.
0xFE - HOENN map.

0x109 - Sets up a second text box displaying all accessible PCs, displaying "LANETTE's" instead of "SOMEONE's" if you have seen her. Returns to 0x800D (LASTRESULT) 0x0 if you chose Pokémon Storage; 0x1 if you chose "\v\h01's PC"; 0x3 if you backed out by selecting "LOG OFF"; 0x7F if you backed out with the B button.

0x129 - Used in a manner like FireRed 0x127. Something to do with [0x3005DF0].
0x12A - Used in a manner like FireRed 0x128. Something to do with [0x3005DF0].

0x136 - 2 Seems like it checks for Pokérus in party; returns 0x1 if indeed Pokérus exists.
0x137 - Returns 0x933F (37695), but does nothing visible.
0x138 - Takes variables from 0x8004 (dyp), 0x8005 (dxp), 0x8006 (length, in shakes), and 0x8007 (frames between shakes?) and makes an earthquake.

0x13A - dowildbattle for RAYQUAZA.
0x13B - dowildbattle for the Regis.
0x13C - Returns 0x933F (37695), but does nothing visible.
0x13D - Jostles the screen up then down in medium speed.

0x13F - "Flash grenade" effect.
0x140 - Same as 0x3.
0x141 - Same as 0x140, but with a fall-animation instead.

0x143-0x144 - Returns 0x933F (37695), but does nothing visible.
0x145 - Normal battle.
0x146-0x148 - Returns 0x933F (37695), but does nothing visible.

0x14A - Returns 0x933F (37695), but does nothing visible.

0x15E - Something to do with planting Berries.
0x15F - Something to do with picking Berries.

0x19F - Checks for Wireless. 0x1 true, 0x0 false. Identical to FireRed 0x16A. (Credit to JPAN and buddies)

0x1A5 - 2 Checks if someone is linked to you, and puts their name in \v\h02 ([buffer1]), otherwise clears buffer. Identical to FireRed 0x183. (Credit to JPAN and buddies)

0x1A9 - 2 Checks for bad Union Room Pokémon, then returns 0x1 if indeed there is. Identical to Fire Red 0x1AE. (Credit to JPAN and his buddies)

0x1D9 - 2 Checks for Trainer Stars; returns to given variable how many stars. Notably used by Nurse Joy for "special treatment"

0x1E6 - Names a Pokémon that is to be sent to the PC.
0x1E7 - 2 Returns to given variable the current default box name. Moves default box forward one?
0x1E8 - 2 Returns to given variable if the box is full. 0x1 means full.
0x1E9 - Takes value in 0x8004 and registers in the POKéNAV the corresponding Trainer.

0x1F3 - Obtain National Dex!

0x203 - 2 Checks if [Map Block] +8 bytes is equal to 0xA02. Probably vaguely has something to do with Linking. Identical to FireRed 0x1B1. (Credit to JPAN and his buddies)Variables:0x0-0x3FFF - Not Variables

0x4050 - Introduction Events
Default 0
Meet Rival - set to 1; now Route 101 is open!
Go to Route 101 - set to 2; Birch is in trouble!

Get Running Shoes - set to 4

0x4082 - Temporary variable?
Leave truck as MAY - set to 1

0x408C - Temporary variable?
Leave truck as BRENDAN - set to 1

0x408D - Introduction Events
Meet Rival - set to 3; now script downstairs will not activate.

0x4092 - Introduction Events
Leave truck as BRENDAN - set to 1
Leave truck as MAY - set to 2
Go into house as BRENDAN - set to 3
Observe house as BRENDAN - set to 4

0x8004 - Multiple Uses
PokéCenter - if 0x1 then alternate but identical scene for goodbye message
MOM - set to 0x5 when jump out of truck
MOM - if 0x1 then move MOM in MAY/BRENDAN's house.

0x8005 - Multiple Uses
MOM - set to 0x5 when jump out of truck

0x8008 - Multiple Uses
BRENDAN/MAY - chooses which script-tile you are on for "meeting" them.
MR. BRINEY in Dewford - Holds the value of 0x4096. Temporarily?

0x800D - LASTRESULT, who could forget you?
0x800E - LASTITEM basically.
0x800F - LASTTALKED - stores the Person ID of the OW that is linked to the most recent executed script; is processed each time a script is about to happen.

0x8015 - LASTBATTLED basically.Flags:0x1 - Has PokéMart Lady told you about the PokéMart?

0x11 - Controls visibility of:
A tree on Route 104.
A rock on Route 111.
A rock on Route 114.
A rock on Route 115.
A tree on Route 116.
A tree on Route 117.
A tree on Route 118.
A tree on Route 120.
0x12 - Controls visibility of:
A tree on Route 103.
A rock on Route 111.
A rock on Route 114.
A tree on Route 116.
A tree on Route 120.
0x13 - Controls visibility of:
A tree on Route 103.
A tree on Route 111.
A rock on Route 114.
A tree on Route 116.
0x14 – Controls visibility of:
A rock on Route 114.
A tree on Route 116.
A tree on Route 120.
0x15 – Controls visibility of:
A rock on Route 114.
A tree on Route 116.

0x50 - Controls the battling RAYQUAZA.
0x51 - If set, you set the clock. Great job!
0x52 - You encountered BIRCH in trouble!

0x59 – You came from far away.
0x5A – You got the bike.

0x5E - If set, you got the Wailmer Pail.

0x6B – Has gotten HM06 (ROCK SMASH) yet?

0x74 - Ready to Catch POKéMON! (Finished Introductory Scenes, Footprint Guy moves away)

0x93 - Has talked to MR. BRINEY for the first time?

0x95 - Has delivered the package to CAPT. STERN yet?

0xA5 – Has beaten ROXANNE yet, and received her TM?
0xA6 – Has beaten BRAWLY yet, and received his TM?
0xA7 – Has beaten WATTSON yet, and received his TM?
0xA8 – Has beaten FLANNERY yet, and received her TM?
0xA9 – Has beaten NORMAN yet, and received his TM?
0xAA – Has beaten WINONA yet, and received her TM?
0xAB – Has beaten TATE & LIZA yet, and received their TM?
0xAC – Has beaten JUAN yet, and received his TM?

0xAE - Disposable Character 1 in Player's room, possibly a doll?
0xAF - Disposable Character 2 in Player's room, possibly a doll?
0xB0 - Disposable Character 3 in Player's room, possibly a doll?
0xB1 - Disposable Character 4 in Player's room, possibly a doll?
0xB2 - Disposable Character 5 in Player's room, possibly a doll?
0xB3 - Disposable Character 6 in Player's room, possibly a doll?
0xB4 - Disposable Character 7 in Player's room, possibly a doll?
0xB5 - Disposable Character 8 in Player's room, possibly a doll?
0xB6 - Disposable Character 9 in Player's room, possibly a doll?
0xB7 - Disposable Character 10 in Player's room, possibly a doll?
0xB8 - Disposable Character 11 in Player's room, possibly a doll?
0xB9 - Disposable Character 12 in Player's room, possibly a doll?
0xBA - Not sure; set unconditionally upon entering Room
0xBB - Not sure; set unconditionally upon entering Room

0xBD - Has sent the LETTER to STEVEN yet?

0xE1 – Has gotten 20 coins from MAN in Mauville yet?
0xE2 – Has gotten GIRL’s duplicate doll in Mauville yet?

0x102 – Has gotten COIN CASE from GIRL yet?

0x111 - If unset, then Nurse Joy didn't tell you about Pokérus, did she?
0x112 - Not sure, Mom sets that upon "switching shoes".

0x12F - Set when you obtain the PokéNav.

0x159 - Oh, you have a Gold Card! I'll take note of that…

0x1BB - You beat Regirock…
0x1BC - You beat Regice…
0x1BD - You beat Registeel…

0x2D0 - Controls Prof. BIRCH in trouble on Route 101.
0x2D3 - Controls Rival on Route 103.

0x2BC - Controls BIRCH's BAG on Route 101.
0x2BE - Controls MYSTERY EVENT lady in the second floor of the Pokémon Center.
0x2BF - Controls a disposable character in the Union Room.
0x2C0 - Controls a disposable character in the Union Room.
0x2C1 - Controls a disposable character in the Union Room.
0x2C2 - Controls a disposable character in the Union Room.
0x2C3 - Controls a disposable character in the Union Room.
0x2C4 - Controls a disposable character in the Union Room.
0x2C5 - Controls a disposable character in the Union Room.
0x2C6 - Controls a disposable character in the Union Room.

0x2CF – Controls Rival (MAY/BRENDAN) outside MR. BRINEY’s house on Route 104.

0x2D1 - Controls BRICH in BIRCH's lab.
0x2D2 - Controls MAY in MAY's room.

0x2D6 – Controls WALLY outside in Petalburg City.

0x2D8 – Controls WALLY’s mom in Petalburg City.

0x2DB – Controls TEAM AQUA GRUNT in Rustboro City.
0x2DC – Controls the DEVON GOODS guy in Rustboro City.

0x2DE - Controls NORMAN in Player's house.
0x2DF - Controls BRENDAN's little brother in BRENDAN's house.
0x2E0 - Controls MAY's little brother in MAY's house.

0x2E2 – Controls MR. BRINEY on Route 104.
0x2E3 - Controls MR. BRINEY in his house.
0x2E4 - Controls MR. BRINEY in Dewford Town.
0x2E5 – Controls MR. BRINEY on Route 109.
0x2E6 – Controls MR. BRINEY’s boat on Route 104.
0x2E7 - Controls MR. BRINEY's boat in Dewford Town.
0x2E8 – Controls Mr. BRINEY’s boat on Route 109.
0x2E9 - Controls BRENDAN (?) in BRENDAN's house.
0x2EA - Controls MAY (?) in MAY's house.

0x2ED – Controls SCOTT outside the Slateport Battle Tent.
0x2EE - Controls the ZIGZAGOON on Route 101.

0x2F0 - Controls MOM in Littleroot Town.

0x2F2 - Controls "Fugiiiiih!" Vigoroth in Player's house.
0x2F3 - Controls "Huggoh, ugh ugh…" Vigoroth in Player's house.

0x2F5 - Controls MOM in Player's room.
0x2F6 - Controls MOM in BRENDAN's house.
0x2F7 - Controls MOM in MAY's house.
0x2F8 - Controls BRENDAN upstairs in his room.
0x2F9 - Controls BRENDAN's Moving Van in Littleroot Town.
0x2FA - Controls MAY's Moving Van in Littleroot Town.

0x2FD – Controls SCOTT in Mauville City.

0x300 – Controls Winston Family Member on Route 111.
0x301 – Controls Winston Family Member on Route 111.
0x302 – Controls Winston Family Member on Route 111.
0x303 – Controls Winston Family Member on Route 111.

0x305 - Controls the sleeping RAYQUAZA.

0x30D – Controls the Gym Assistant of Norman.

0x310 - Controls BRENDAN's mom in BRENDAN's house.
0x311 - Controls MAY's mom in MAY's house.
0x312 – Controls Scott on Route 119.

0x314 – Controls Scott in Mossdeep City.

0x31A - Controls someone near MAY's home in Littleroot Town. (D,A)
0x31B - Controls someone near MAY's home in Littleroot Town. (D,B)
0x31C – Controls GABBY & TY on Route 111.
0x31D – Controls GABBY & TY on Route 118.
0x31E – Controls GABBY & TY rematch on Route 120.
0x31F – Controls GABBY & TY rematch on Route 111.

0x324 – Controls WALLY in Mauville City.
0x325 – Controls WALLY’s uncle in Mauville City.

0x32B - Controls the POKé BALL that allows you to choose CYNDAQUIL after completing the POKé DEX in BIRCH's lab.
0x32C - Controls the POKé BALL that allows you to choose TOTODILE after completing the POKé DEX in BIRCH's lab.
0x32D – Controls the BlackGlasses dude on Route 116.
0x32E – Controls Rival (MAY/BRENDAN) in Rustboro City.
0x32F - Controls SWABLU doll (?) in BRENDAN's room.
0x330 – Controls WALLACE in Sootopolis City, outside the Cave of Origin.
0x331 - Controls BRENDAN's POKé BALL in BRENDAN's room.
0x332 - Controls MAY's POKé BALL in MAY's room.
0x333 – Controls TEAM MAGMA GRUNTS on Route 112.

0x337 – Controls the TEAM MAGMA GRUNTS and MAXIE in Mossdeep City.
0x338 – Controls GABBY in the Petalburg City Gym.

0x33A – Controls ARCHIE in Sootopolis City.
0x33B – Controls MAXIE in Sootopolis City.

0x33E – Controls some person (WALLY’s dad?) outside in Petalburg City.

0x343 – Controls TY and GABBY in Slateport City.
0x345 – Controls PROF. BIRCH on Route 110.
0x346 - Controls the POKé BALL that allows you to choose CHIKORITA after completing the POKé DEX in BIRCH's lab.
0x347 – Controls a man outside in Sootopolis City.
0x348 – Controls CAPT. STERN outside the Slateport Harbor.

0x34B – Controls “Forgot my Rock Smash!” Guy on Route 111.
0x34C – Controls Scientist in Rustboro City.

0x351 - Controls PIKACHU doll (?) in MAY's room.

0x353 – Controls Rival (MAY/BRENDAN) on Route 119.
0x354 – Controls the TEAM AQUA GRUNTS in Lilycove City.

0x356 – Controls bystanders of the battle between GROUDON and KYOGRE outside in Sootopolis City.
0x357 - Controls WALLACE outside Sky Pillar.

0x362 – Controls WALLY in the Petalburg City Gym.

0x364 - Controls "Technology is Awesome!" Guy in Littleroot Town.

0x36B – Controls a person on Route 111. (Fossil?)
0x36C – Controls a FOSSIL on Route 111.

0x371 - Controls PEEKO in MR. BRINEY's house.
0x372 – Controls TEAM AQUA GRUNTS outside the Museum in Slateport City.

0x379 - Controls BIRCH's child (MAY/BRENDAN) in BIRCH's lab.
0x37A – Controls TEAM AQUA GRUNTS on Route 119.
0x37B – Controls MR. BRINEY on Route 116.

0x37E – Controls the Digging guy on Route 116.

0x381 - Controls Prof. BIRCH on Route 101.
0x382 - Controls Prof. BIRCH on Route 103.

0x384 – Controls the TEAM AQUA GRUNTS on Route 110.
0x385 – Controls GABBY & TY rematch on Route 118.
0x386 – Controls GABBY & TY rematch on Route 120.
0x387 – Controls GABBY & TY rematch on Route 111.
0x388 – Controls GABBY & TY rematch on Route 118.

0x38A – Controls lady outside Pretty Petal Shop on Route 104.
0x38B – Controls an AZURILL in Fallarbor Town.

0x390 – Controls WATTSON in Mauville City.

0x397 – Controls a person on Route 110. (Rival?)

0x39A – Controls a person on Route 110. (Rival?)
0x39B – Controls a person on Route 119.

0x3A1 – Controls a person (C, F) outside Lavaridge Town Gym.
0x3A2 – Controls a person (6, 10) outside Lavaridge Town Gym.

0x3A7 - Controls REGIROCK in the Desert Ruins.
0x3A8 - Controls REGICE in the Island Cave.
0x3A9 - Controls REGISTEEL in the Aincent Tomb.

0x3B3 – Controls the Devon Goods guy on Route 116.
0x3B4 – Controls the TM10/TM43 lady outside in the Slateport Market area.

0x3C0 – Controls the Secret Power lady on Route 111.

0x3C6 – Controls STEVE on Route 118.

0x3C9 – Controls the KECLEON!? in Fortree City.
0x3CA – Controls the KECLEON!? on Route 120.
0x3CB – Controls Rival (MAY/BRENDAN) outside the Lilycove Department Store.
0x3CC – Controls STEVEN on Route 120.
0x3CD – Controls STEVEN outside in Sootopolis. “It’s Amazing…”

0x3D3 - Controls BIRCH's child (MAY/BRENDAN) on the way back to completing the Introductory Scenes in Odale Town.

0x3D5 – Controls a KECLEON!? on Route 120.
0x3D6 – Controls a KECLEON!? on Route 120.

0x3D9 – Controls a KECLEON!? on Route 120.
0x3DA – Controls a KECLEON!? on Route 120.
0x3DB – Controls a KECLEON!? on Route 120.
0x3DC – Controls a KECLEON!? on Route 120.
0x3DD – Controls a KECLEON!? on Route 119.
0x3DE – Controls a KECLEON!? on Route 119.
0x3DF – Controls a guy in Route 101.

0x3E3 – Controls SCOTT in Petalburg City.
0x3E4 – Controls RAYQUAZA in Sootopolis City.
0x3E5 – Controls KYOGRE in Sootopolis City.
0x3E6 – Controls GROUDON in Sootopolis City.

0x3E8 - Controls a Potion on Route 102.
0x3E9 – Controls an X-Special on Route 116.
0x3EA - Controls a PP Up on Route 104.
0x3EB – Controls an Iron on Route 105.
0x3EC – Controls a Protein on Route 106.
0x3ED – Controls a PP Up on Route 109.
0x3EE – Controls a Rare Candy on Route 110.
0x3EF – Controls a Dire Hit on Route 110.
0x3F0 – Controls a TM37 on Route 111.
0x3F1 – Controls a Stardust on Route 111.
0x3F2 – Controls an HP Up on Route 111.
0x3F3 – Controls a Nugget on Route 112.
0x3F4 – Controls a Max Ether on Route 113.
0x3F5 – Controls a Super Repel on Route 113.
0x3F6 – Controls a Rare Candy on Route 114.
0x3F7 – Controls a Protein on Route 114.
0x3F8 – Controls a Super Potion on Route 115.
0x3F9 – Controls a TM01 on Route 115.
0x3FA – Controls an Iron on Route 115.
0x3FB – Controls an Ether on Route 116.
0x3FC – Controls a Repel on Route 116.
0x3FD – Controls an HP Up on Route 116.
0x3FE – Controls a Great Ball on Route 117.
0x3FF – Controls a Revive on Route 117.
0x400 – Controls a Super Repel on Route 119.
0x401 – Controls a Zinc on Route 119.
0x402 – Controls an Elixir on Route 119.
0x403 – Controls a Leaf Stone on Route 119.
0x404 – Controls a Rare Candy on Route 119.
0x405 – Controls a Hyper Potion on Route 119.
0x406 – Controls a Nugget on Route 120.
0x407 – Controls a Full Heal on Route 120.

0x40F – Controls a Max Revive in Petalburg City.
0x410 – Controls an Ether in Petalburg City.
0x411 – Controls an X-Defend in Rustboro City.
0x412 – Controls a Max Repel in Lilycove City.
0x413 – Controls a Net Ball in Mossdeep City.

0x421 - Controls a Poké Ball on Route 104.

0x452 – Controls a Hyper Potion on Route 119.
0x453 – Controls a Hyper Potion on Route 120.
0x454 – Controls a Nest Ball on Route 120.

0x45A - Controls a Guard Spec on Route 103.
0x45B - Controls an X-Accuracy on Route 104.
0x45C – Controls an X-Speed in Mauville City.

0x45E – Controls a Great Ball on Route 115.

0x461 – Controls a Hyper Potion on Route 118.

0x46E – Controls a Nugget on Route 119.
0x46F - Controls a Potion on Route 104.

0x471 - Controls a PP Up on Route 103.

0x473 – Controls a Star Piece on Route 108.
0x474 – Controls a Potion on Route 109.
0x475 – Controls an Elixir on Route 110.
0x476 – Controls an Elixir on Route 111.
0x477 – Controls a Hyper Potion on Route 113.
0x478 – Controls a Heal Powder on Route 115.

0x47A – Controls a Potion on Route 116.
0x47B – Controls an Elixir on Route 119.
0x47C – Controls a Revive on Route 120.

0x488 – Controls an Energy Powder on Route 114.
0x489 – Controls a PP Up on Route 115.

0x4F0 - Gym Assistant of Roxanne
0x4F1 - Gym Assistant of Brawly
0x4F2 - Gym Assistant of Wattson
0x4F3 - Gym Assistant of Flannery
0x4F4 - Gym Assistant of Norman
0x4F5 - Gym Assistant of Winona
0x4F6 - Gym Assistant of Tate and Liza
0x4F7 - Gym Assistant of Wallace

0x860 - Pokémon Menu
0x861 - Pokédex Menu
0x862 - Pokénav Menu

0x867 - Got Stone Badge!
0x868 - Got Knuckle Badge!
0x869 - Got Dynamo Badge!
0x86A - Got Heat Badge!
0x86B - Got Balance Badge!
0x86C - Got Feather Badge!
0x86D - Got Mind Badge!
0x86E - Got Rain Badge!

0x8AB - Met LANETTE!

0x8C0 - Got Running Shoes!
0x8C1 - Did you win the Legendary battle? 1 - no.

0x930 - Berry from Pretty Petal Shop; reset at Midnight.

0x4000 - Set by game? Cleared when Mom enters house.
Hidden Items:0x25 - 1 POTION; Route 104

0x2C - 1 SUPER POTION; Route 104

0x3E - 1 POKé BALL; Route 104

0x55 - 1 ANTIDOTE; Route 104

0x58 - 1 HEART SCALE; Route 104Revised Sounds:0x19 – “a’a’a’a’a” synth-voice.
0x1A – “i’i’i’i’i” synth-voice.
0x1B – “u’u’u’u’u” synth-voice.
0x1C – “e’e’e’e’e” synth-voice.
0x1D – “o’o’o’o’o” synth-voice.
0x1E – “n’n’n’n’n” synth-voice. Now sounds are shifted six ahead.

0x30 – Open PokéNav. Now sounds are shifted seven ahead.

0xFF – Kaching!Note that this is far from finished; I only started this afternoon. I will add more as I find even more stuff.

I hope this will be of some help to the Emerald population.

sonic1
January 21st, 2012, 04:57 AM
Hey, for emerald i have something too:

Specials:

28 - Saves pokemon party into RAM. Used for situations of switching parties (battle frontier)
29 - Restores that party
2A - Lets you choose 3 pokemons and puts their party slot in 0x203CEF8
3B - Plays trainer encounter music (not the battle one) according to the 8015 (trainer number) VAR. Used in the game internal script of trainer spotting.
91 - Map Refresh. Used in setmaptiles. Similar to FireRed 0x8E.
AE - WildBattle using Tree wild Data.
F4 - Stops any music from playing.
FE - Shows worldmap.
1F3 - Sets National Dex



Variables:

4010 - OWs with image number 240 (0xF0) gets the sprite defined in this var.
800E - When you select an item on bag, this var gets the value of that item
8015 - Opponent trainer number (when you fight someone, this value is what trainer is)

droomph
January 21st, 2012, 04:07 PM
Hey Guys. I've been trying to find out how to edit the PC Boxes for a while. So far all I've find out is that it is stored in the VRAM and what I've include in the screenshot below. If anyone experienced with Hex etc. can help me out, I would really appreciate it :)

Findings (http://dl.dropbox.com/u/4875391/PC/PCBox.bmp)

I managed to find the header. I havn't tried editing it yet. As I'm more interested interested in the actual box. I noticed that most boxes only use one or two different tiles repeated over and over, so maybe there isn't actually a whole image to edit unlike Gen IV games. In which case it's possible that those tiles are in that picture and I missed them.
You do realize in that picture you didn't include ALL the tiles in the tileset, right? Go check on those. When you find a couple "grainy" tiles, those are the tiles.

Uh... they're stored in the ROM, and copied to the VRAM when the game needs to draw them to the screen. I suspect they're uncompressed in the ROM, so you could just use a tile editor to change them (if you can find them).

If you want to find it in the ROM, simply go to 0x600400, note the first hundred or so bytes (copy function?) and search for that in the actual ROM (0x8000000 onwards).

aar2697
January 22nd, 2012, 07:36 PM
For music hacking with Pokemon Emerald, you can find out the voicegroups by doing this...

1. Have two windows of Sappy open.
2. http://www.pokecommunity.com/showthread.php?t=148811 Use this page
3. One window of Sappy has Emerald. The other has Fire Red.
4. Look for a song in Fire Red that has a voicegroup from the link that you want.
5. Open the same song in the Emerald Sappy window.
6. The voicegroups correspond with each other.
7. Use the Emerald voicegroup for the new song your inserting.

sonic1
January 23rd, 2012, 08:46 AM
In emerald, at the offset 0x611C9A, there's a table with 10 entries of 2 bytes (shorts), followed by an FFFF at the end of the table, which marks the pokemon restricted for entry in Battle Tower. To add or remove entries, add the pokemon number reversed in hex, and end the table with FFFF. If you want to remove all the limitations, just write FFFF to the beginning of the table (offset 611C9A).

~Sonic1

Jambo51
January 23rd, 2012, 12:15 PM
I have found the transform animation in FireRed. It's located at 0xDF9BC.
It gets called multiple times, once a frame I believe, during the transformation. Everything is in here, including the pallet loading part which gets the "whited out" pallet, and the part which gets the actual sprite.

Using this routine, we could theoretically create custom transformations, such as Burmy changing into a different forme, or perhaps even in battle evolution.

Darkdata
January 26th, 2012, 03:43 PM
I have a spreadsheet file that contains a bunch of useful information for those who like to keep organized when scripting. With it, you can quickly reference and grab information in a easy to read format.

Credits for the information are on the last sheet.

http://i.imgur.com/ts6p1.png (http://www.mediafire.com/?zxpyk01chb6hl2c)

Click picture to download

droomph
January 29th, 2012, 04:43 PM
I got bored, so I made this. I'll probably add to it as I find out more about NSBMD. Hm, maybe not.List of Material IDs:Twinleaf Town:
0x0 - Bottom part of leaves. Maybe stumps too? (ID: conttree_b_lm52)
0x1 - Top of the trees (ID: conttree_t_lm52)
0x2 - Doorstop (ID: hage_lm27) Oh you, Game Freak…^^
0x3 - Fence (ID: imped_lm51)
0x4 - Water - PURE water ^^ (ID: lake_lm34)
0x5 - Water approaching shore. (ID: lakep_lm3)
0x6 - Your average, everyday neatly mowed grass. (ID: ngrass_lm42)
0x7 - Flowers. (ID: nhana_lm59)
0x8 - Main dirt…or "sand". (ID: nsand_lm52)
0x9 - Dirt fringes - or "curb". (ID: nsandp_lm70)
0xA - Puddle apparently… (ID: puddle_b_lm8)
0xB - Jump-into-sea ledge, e.g. where you select SURF. (ID: seaside3_lm55)
0xC - A NORMAL freaking tree… (ID: tree01_lm48)
0xD - Forest Floor. I don't even care. (ID: tshadow_lm13)List of Polygon IDs:Twinleaf Town:
0x0 - *Almost* every tree in town.
0x1 - Flowers.
0x2 - Fence surrounding flowers.
0x3 - Dirt fringes.
0x4 - Main dirt path.
0x5 - Door-mat tile.
0x6 - Select SURF here. Water's edge. I dunno how to explain clearer.
0x7 - The bottom of the trees, and the stumps? (southeastern corner)
0x8 - The tops of the trees of 0x7. WTH
0x9 - All the grass in this little town.
0xA - Forest Floor.
0xB - Edge of Pond.
0xC - Inside of Pond.
0xD - Essence of Pond? I don't know.

redriders180
March 15th, 2012, 12:25 PM
Complete Edit: I decided to delete my previous post, and ask something else instead
Oh wow, you guys are quite a few calibers above me...I feel sort of insignificant, but I guess I'll post my ideas.

Anyway, I'd like to implement a very dynamic script in my game...Basically, I wanted to allow myself to release events for my game. But instead of being limited to whatever I choose at the time, and avoiding releasing a new patch every time I wanted to do an event, I decided to make a spot in my game with a person that asks for a series of codes. These codes would be released by me, and the script would take the codes hex values, arrange them as necessary, do some checks to make sure the player isn't just mashing buttons, and "build" a completely custom Pokemon. This would allow me to easily decide an event, calculate the code, and release it in a post.

But my problem is that I need a keyboard to pop up, in order to enter the code. I've decided on two approaches:

The easy way would be to edit the mail input to take easy chat words and convert them into code. This would be good, since there are so many words, and I assume each is a byte value. But it's somewhat unprofessional.

The hard way would be to recreate the "nickname" keyboard. I wouldn't know whats involved, but I know emerald has one for Walda...could we port it over.

Aw man, I made my post immensely long for no reason again ._. Sorry, and thanks for the help!

sonic1
March 15th, 2012, 01:02 PM
Complete Edit: I decided to delete my previous post, and ask something else instead
Oh wow, you guys are quite a few calibers above me...I feel sort of insignificant, but I guess I'll post my ideas.

Anyway, I'd like to implement a very dynamic script in my game...Basically, I wanted to allow myself to release events for my game. But instead of being limited to whatever I choose at the time, and avoiding releasing a new patch every time I wanted to do an event, I decided to make a spot in my game with a person that asks for a series of codes. These codes would be released by me, and the script would take the codes hex values, arrange them as necessary, do some checks to make sure the player isn't just mashing buttons, and "build" a completely custom Pokemon. This would allow me to easily decide an event, calculate the code, and release it in a post.

But my problem is that I need a keyboard to pop up, in order to enter the code. I've decided on two approaches:

The easy way would be to edit the mail input to take easy chat words and convert them into code. This would be good, since there are so many words, and I assume each is a byte value. But it's somewhat unprofessional.

The hard way would be to recreate the "nickname" keyboard. I wouldn't know whats involved, but I know emerald has one for Walda...could we port it over.

Aw man, I made my post immensely long for no reason again ._. Sorry, and thanks for the help!

Well, either way of doing things, if you want to create a completely "custom" pokemon, you're gonna need ASM.
My approach is: why don't you build a system that, when inputting some values in the ram, reads them and does things based on them?
Did you know that VBA's Memory Viewer has the ability of loading hex data into ram offsets? You could create your .raw/.bin files and ask the player to load them manually with vba.

But yeah, thats only an idea i have.

~Sonic1

redriders180
March 15th, 2012, 01:32 PM
Well, either way of doing things, if you want to create a completely "custom" pokemon, you're gonna need ASM.
My approach is: why don't you build a system that, when inputting some values in the ram, reads them and does things based on them?
Did you know that VBA's Memory Viewer has the ability of loading hex data into ram offsets? You could create your .raw/.bin files and ask the player to load them manually with vba.

But yeah, thats only an idea i have.

~Sonic1
I already knew that I'd need ASM, and I do have a plan on making this work...Each letter has a byte value, and I want to make the keyboard thing store a byte value to certain variables (0x8000 to 0x8009 come to mind). The all you need to do is create a certain code, e.g the first two bytes determine pokemon species, etc. etc, put in some checks, and then voila, the Pokemon is created. I've already studied extensively on pokemon data structures, and JPANs hack engine makes it easier...simply give a "base pokemon" (aka Bulbasaur), use the special that "unlocks" the pokemon, and "push" the values from the variables to the corresponding bytes. All I need to make is the keyboard store each letters byte value into a variable.

I realise that simply giving a .raw file would be simple, but I dunno, I kinda want it to look nice, keep it interesting, and make it so even the noobiest of rom hack players could obtain my events, and I'm sure almost everyone can input some codes.

droomph
March 15th, 2012, 02:19 PM
I already knew that I'd need ASM, and I do have a plan on making this work...Each letter has a byte value, and I want to make the keyboard thing store a byte value to certain variables (0x8000 to 0x8009 come to mind). The all you need to do is create a certain code, e.g the first two bytes determine pokemon species, etc. etc, put in some checks, and then voila, the Pokemon is created. I've already studied extensively on pokemon data structures, and JPANs hack engine makes it easier...simply give a "base pokemon" (aka Bulbasaur), use the special that "unlocks" the pokemon, and "push" the values from the variables to the corresponding bytes. All I need to make is the keyboard store each letters byte value into a variable.

I realise that simply giving a .raw file would be simple, but I dunno, I kinda want it to look nice, keep it interesting, and make it so even the noobiest of rom hack players could obtain my events, and I'm sure almost everyone can input some codes.well, 0x815F9B4+(0x79x4) in FireRed is the pointer to the ASM routine for givepokemon...maybe you could try a little call-with-parameters to that or whatnot?

Also, if you wanna do that keyboard thing, DavidJCobb has a keyboard (of sorts) for variable reading, although it's kinda cumbersome. I think he has a link in his sig or something...

If you know some programming you could set up a small applet online which automatically patches your save file, like a real Event.

Team Fail
March 15th, 2012, 02:24 PM
You could create your .raw/.bin files and ask the player to load them manually with vba.

There's just one problem with that. What about people that use hardware (ie. A Flashcard) and not VBA?

sonic1
March 15th, 2012, 03:45 PM
There's just one problem with that. What about people that use hardware (ie. A Flashcard) and not VBA?
Well... Yeah, i admit, it isn't good for those, but you can just do an action replay that overwrites the values in RAM.


I already knew that I'd need ASM, and I do have a plan on making this work...Each letter has a byte value, and I want to make the keyboard thing store a byte value to certain variables (0x8000 to 0x8009 come to mind). The all you need to do is create a certain code, e.g the first two bytes determine pokemon species, etc. etc, put in some checks, and then voila, the Pokemon is created. I've already studied extensively on pokemon data structures, and JPANs hack engine makes it easier...simply give a "base pokemon" (aka Bulbasaur), use the special that "unlocks" the pokemon, and "push" the values from the variables to the corresponding bytes. All I need to make is the keyboard store each letters byte value into a variable.

Well, you know, its fairly easy to use the naming routine (the keyboard thing). Its just calling the routine with 2 parameters plus 2 optional (optinal depending on the type of usage = player, pokemon, box, mail). R0 is type of naming/usage, and R1 is the adress in RAM where the input is gonna be stored! This is a valuable info for you. You can store the adress of the var 8000 there and it will store 10 bytes (max letters) from the initial address onward (thus ending in var 8005, if i'm correct).

But hey, don't try to put everything in just 1 input. Make 3-4 inputs depending on your needs. I doubt 2 bytes are enough to store a pokemon species using the keyboard, because the keyboard doesn't have access to 255 different symbols (ok, what i'm tryin' to explain is a bit hard, and i don't know how to explain it well).

~Sonic1

Mana
March 15th, 2012, 04:18 PM
I've been fiddling around with special 0xC2 which apparently hatches eggs, to try and create a 'force hatching' scenario.

The special alone (in a script) seems to only work if 'egg' is the only thing in your party. Having 2 eggs in your party - only the first one will hatch. Having any pokemon in your party and a " - hatched from the Egg" message will occur, giving you the option to nickname 'egg' but having no effect.

The normal egg hatching script:

#org 0x1BF546
lockall
msgbox 0x81BFB5A MSG_KEEPOPEN '"Huh?"
special 0xC2
waitstate
releaseall
end

I tried using Special2 and set the store variable to 0x2 to see if it could 'select' the correct position for the egg, if it was 2/3rd in the party. However the only change this made was the egg then hatched to ??????, which then got nicknamed, but the eggs stayed in the party still.

So is it possible to use the special / special2, in co-ordination with writing a byte or calling forth a variable to then either pick what the egg hatches into, or what egg hatches.

droomph
March 15th, 2012, 04:33 PM
I've been fiddling around with special 0xC2 which apparently hatches eggs, to try and create a 'force hatching' scenario.

The special alone (in a script) seems to only work if 'egg' is the only thing in your party. Having 2 eggs in your party - only the first one will hatch. Having any pokemon in your party and a " - hatched from the Egg" message will occur, giving you the option to nickname 'egg' but having no effect.

The normal egg hatching script:



I tried using Special2 and set the store variable to 0x2 to see if it could 'select' the correct position for the egg, if it was 2/3rd in the party. However the only change this made was the egg then hatched to ??????, which then got nicknamed, but the eggs stayed in the party still.

So is it possible to use the special / special2, in co-ordination with writing a byte or calling forth a variable to then either pick what the egg hatches into, or what egg hatches.Try decompiling the pointers to that script/the few bytes around the script and see what you find, maybe those pass the parameters to the variables...

redriders180
March 15th, 2012, 05:01 PM
Well... Yeah, i admit, it isn't good for those, but you can just do an action replay that overwrites the values in RAM.




Well, you know, its fairly easy to use the naming routine (the keyboard thing). Its just calling the routine with 2 parameters plus 2 optional (optinal depending on the type of usage = player, pokemon, box, mail). R0 is type of naming/usage, and R1 is the adress in RAM where the input is gonna be stored! This is a valuable info for you. You can store the adress of the var 8000 there and it will store 10 bytes (max letters) from the initial address onward (thus ending in var 8005, if i'm correct).

But hey, don't try to put everything in just 1 input. Make 3-4 inputs depending on your needs. I doubt 2 bytes are enough to store a pokemon species using the keyboard, because the keyboard doesn't have access to 255 different symbols (ok, what i'm tryin' to explain is a bit hard, and i don't know how to explain it well).

~Sonic1

I understand completely what you mean :) I had planned to make the script something with a maybe 4 or 5 inputs...I wanted complete control over species, IVs, moves, item held, and possibly nickname. How do you recommend I make this work, however? Would I have to make an ASM that just puts the ram offset into R1, then call the normal nicknaming special?

This brings up something else...If I just use the nickname keyboard, the text says "[pokemon's] Nickname?". If it's not hard, I'd like to make it say something else on it, otherwise I'm sure I could live with it.

Mana
March 15th, 2012, 05:13 PM
Try decompiling the pointers to that script/the few bytes around the script and see what you find, maybe those pass the parameters to the variables...

Hmm the pointer to the egg script lies at 0x6d71c, the only data string that is just before that pointed to a script with the line 'fadesong 0x9AOD' which as far as I know doesn't exist - so looks like egg hatching is controlled by ASM.

Does anyone know where Egg-Step information is stored?

//

Been looking for possibly Egg-Step info, can't seem to find it anywhere o_o nobody lists it with species/etc. data, and I have looked around the areas with it to no avail (For example, I'm assuming Pikachu will have a value of '15' somewhere in it's data to signify 21 cycles for hatching. If that value was momentarily set to 0, I wonder if the egg would insta-hatch.

redriders180
March 15th, 2012, 05:51 PM
Hmm the pointer to the egg script lies at 0x6d71c, the only data string that is just before that pointed to a script with the line 'fadesong 0x9AOD' which as far as I know doesn't exist - so looks like egg hatching is controlled by ASM.

Does anyone know where Egg-Step information is stored?

//

Been looking for possibly Egg-Step info, can't seem to find it anywhere o_o nobody lists it with species/etc. data, and I have looked around the areas with it to no avail (For example, I'm assuming Pikachu will have a value of '15' somewhere in it's data to signify 21 cycles for hatching. If that value was momentarily set to 0, I wonder if the egg would insta-hatch.

I think the egg to hatch is stored in a variable...I think it's 0x8004, but I don't know for sure. You wouldn't use special2, because that just specifies where the output goes, not what the input is. I believe the slot number of the egg is stored to 0x8004, and the egg hatch special is called.

sonic1
March 15th, 2012, 06:27 PM
I understand completely what you mean :) I had planned to make the script something with a maybe 4 or 5 inputs...I wanted complete control over species, IVs, moves, item held, and possibly nickname. How do you recommend I make this work, however? Would I have to make an ASM that just puts the ram offset into R1, then call the normal nicknaming special?
As for this, now i'm outta time, but i'll try to do something to you. Thing is, there's a routine in the rom, a powerful one, that has ENTIRE access to a pokemon's data, and can change anything about it!
List of things discovered that the routine can change (don't mind the hex numbers):

0x00 - Pokémon ID
0x01 - Trainer IDs
0x02 - Nickname Max Length 1 (r6 should be the nickname's address)
0x03 - Font / Language
0x04 - Sanity
0x05 - Sanity
0x06 - Sanity
0x07 - OT Name Max Length
0x08 - Marks
0x09 - Checksum
0x0A - Filler
0x0B - Species
0x0C - Held Item
0x0D - Attack 1
0x0E - Attack 2
0x0F - Attack 3
0x10 - Attack 4
0x11 - PP 1
0x12 - PP 2
0x13 - PP 3
0x14 - PP 4
0x15 - PP Bonuses
0x16 - Coolness
0x17 - Beauty
0x18 - Cuteness
0x19 - Exp. Points
0x1A - HP EV
0x1B - Attack EV
0x1C - Defense EV
0x1D - Speed EV
0x1E - Sp. Attack EV
0x1F - Sp. Defense EV
0x20 - Happiness
0x21 - Smartness
0x22 - Pokérus Status
0x23 - Catch Location
0x24 - Catch Level
0x25 -
0x26 - Hometown / Poké Ball / Trainer Gender
0x27 - HP IV
0x28 - Attack IV
0x29 - Defense IV
0x2A - Speed IV
0x2B - Sp. Attack IV
0x2C - Sp. Defense IV
0x2D - IsEgg
0x2E - Ability Bit
0x2F - Toughness
0x30 - Sheen
0x31 - OT Gender
0x32 -
0x33 -
0x34 -
0x35 -
0x36 -
0x37 - Status Ailment
0x38 - Level
0x39 - Current HP
0x3A - Total HP
0x3B - Attack
0x3C - Defense
0x3D - Speed
0x3E - Sp. Attack
0x3F - Sp. Defense
0x43 - Hall Of Fame ribbon
0x50 - Obedience


This brings up something else...If I just use the nickname keyboard, the text says "[pokemon's] Nickname?". If it's not hard, I'd like to make it say something else on it, otherwise I'm sure I could live with it.

Well, i explained this in the last post. Its the naming type, which is gonna through r0. But that can be easily changed, i think, so this is the least of our worries.

My main worry is how you're gonna convert the letters bytes into usable codes.

Mana
March 15th, 2012, 06:54 PM
I understand completely what you mean :) I had planned to make the script something with a maybe 4 or 5 inputs...I wanted complete control over species, IVs, moves, item held, and possibly nickname. How do you recommend I make this work, however? Would I have to make an ASM that just puts the ram offset into R1, then call the normal nicknaming special?

This brings up something else...If I just use the nickname keyboard, the text says "[pokemon's] Nickname?". If it's not hard, I'd like to make it say something else on it, otherwise I'm sure I could live with it.

I think the egg to hatch is stored in a variable...I think it's 0x8004, but I don't know for sure. You wouldn't use special2, because that just specifies where the output goes, not what the input is. I believe the slot number of the egg is stored to 0x8004, and the egg hatch special is called.

You are right, 0x8004 0x1 hatches an egg that is 2nd in the party, etc.

The only trouble now is identifying where the egg is. I've had a look at JPAN's Pokemon data decryption thread from years ago, in which he has a routine that can return a species, even in egg form - but that can't give a permission.

Ideally something like

Check (egg) species -> Locate species -> setvar 0x8004 to position

Especially if it's a one of pokemon, so there can't be more than one, so there is no trouble in accidentally hatching a normal pokemon instead. Anything to identify where the egg is would be a great start ><.

droomph
March 15th, 2012, 07:09 PM
Especially if it's a one of pokemon, so there can't be more than one, so there is no trouble in accidentally hatching a normal pokemon instead. Anything to identify where the egg is would be a great start ><.I don't know what you mean by "identify where the egg is", but every Party Pokémon is 100 bytes long, meaning you just take variable 0x8004 into a register andldr rd, #0x02024284
mul rm, #0x64
add rm, #0x20
add rd, rmit, and so on.

Or maybe something like this, but with str instead of ldr: (it's far from finished)species
;select Pokemon slot (r0); zero-indexed
;return Species (r0); ROM number
push {lr}
bl pval
mov r1, 0x18
mov r2, r0
bl mod
mov r1, 0x5
cmp r0, r1
bls first
mov r1, 0x7
cmp r0, r1
bls second
mov r1, 0x8
cmp r0, r1
bls third
mov r1, 0xA
cmp r0, r1
beq third
mov r1, 0xB
cmp r0, r1
bls fourth
mov r1, 0xD
cmp r0, r1
bls second
mov r1, 0xE
cmp r0, r1
beq third
mov r1, 0x10
cmp r0, r1
beq third
mov r1, 0x11
cmp r0, r1
bls fourth
mov r1, 0x13
cmp r0, r1
bls second
mov r1, 0x14
cmp r0, r1
beq third
mov r1, 0x16
cmp r0, r1
beq third
mov r1, 0x17
bls fourth
first
ldr r2, .PARTY
mov r1, 0x64
mul r0, r1
add r2, r0
ldr r0, [r2, 0x20]
pop {pc}
second
ldr r2, .PARTY
mov r1, 0x64
mul r0, r1
add r2, r0
ldr r0, [r2, 0x2C]
pop {pc}
third
ldr r2, .PARTY
mov r1, 0x64
mul r0, r1
add r2, r0
ldr r0, [r2, 0x38]
pop {pc}
fourth
ldr r2, .PARTY
mov r1, 0x64
mul r0, r1
add r2, r0
ldr r0, [r2, 0x44]
pop {pc}
.PARTY
= 0x20244EC

redriders180
March 15th, 2012, 08:18 PM
You are right, 0x8004 0x1 hatches an egg that is 2nd in the party, etc.

The only trouble now is identifying where the egg is. I've had a look at JPAN's Pokemon data decryption thread from years ago, in which he has a routine that can return a species, even in egg form - but that can't give a permission.

Ideally something like

Check (egg) species -> Locate species -> setvar 0x8004 to position

Especially if it's a one of pokemon, so there can't be more than one, so there is no trouble in accidentally hatching a normal pokemon instead. Anything to identify where the egg is would be a great start ><.

You actually don't need ASM for this one. I quote from the list of specials, courtesy of JPAN:

[Special 0x]147 checks your pokemon in position referenced by 0x8004 and returns to the given variable its pokemon number. returns 0x19c if an egg.

So all you need to do is use set the variable 0x8004 to 0x0, special2 LASTRESULT 0x147, compare LASTRESULT 0x19C, if 0x1 goto @hatch, if 0x0, add 0x1 to 0x8004, and repeat. You also need to build in a failsafe for if they don't have an egg, so the script won't loop you forever.


As for this, now i'm outta time, but i'll try to do something to you. Thing is, there's a routine in the rom, a powerful one, that has ENTIRE access to a pokemon's data, and can change anything about it!
List of things discovered that the routine can change (don't mind the hex numbers):

0x00 - Pokémon ID
0x01 - Trainer IDs
0x02 - Nickname Max Length 1 (r6 should be the nickname's address)
0x03 - Font / Language
0x04 - Sanity
0x05 - Sanity
0x06 - Sanity
0x07 - OT Name Max Length
0x08 - Marks
0x09 - Checksum
0x0A - Filler
0x0B - Species
0x0C - Held Item
0x0D - Attack 1
0x0E - Attack 2
0x0F - Attack 3
0x10 - Attack 4
0x11 - PP 1
0x12 - PP 2
0x13 - PP 3
0x14 - PP 4
0x15 - PP Bonuses
0x16 - Coolness
0x17 - Beauty
0x18 - Cuteness
0x19 - Exp. Points
0x1A - HP EV
0x1B - Attack EV
0x1C - Defense EV
0x1D - Speed EV
0x1E - Sp. Attack EV
0x1F - Sp. Defense EV
0x20 - Happiness
0x21 - Smartness
0x22 - Pokérus Status
0x23 - Catch Location
0x24 - Catch Level
0x25 -
0x26 - Hometown / Poké Ball / Trainer Gender
0x27 - HP IV
0x28 - Attack IV
0x29 - Defense IV
0x2A - Speed IV
0x2B - Sp. Attack IV
0x2C - Sp. Defense IV
0x2D - IsEgg
0x2E - Ability Bit
0x2F - Toughness
0x30 - Sheen
0x31 - OT Gender
0x32 -
0x33 -
0x34 -
0x35 -
0x36 -
0x37 - Status Ailment
0x38 - Level
0x39 - Current HP
0x3A - Total HP
0x3B - Attack
0x3C - Defense
0x3D - Speed
0x3E - Sp. Attack
0x3F - Sp. Defense
0x43 - Hall Of Fame ribbon
0x50 - Obedience




Well, i explained this in the last post. Its the naming type, which is gonna through r0. But that can be easily changed, i think, so this is the least of our worries.

My main worry is how you're gonna convert the letters bytes into usable codes.
My first problem is that the method you posted earlier is that it stores the value in only five variables, which basically means two letter per variable, and this is NOT what I want...I want one letter per variable. I'm sure I could whip up a seperation script, though. After doing this, the game applies a cipher, and applies my method of conversion, which I won't reveal right here, so I don't have someone who's playing my rom hack in the future stumble upon it, and suddenly find him or herself able to create a team of six level 100 Arceus. If you really want/need to know, feel free to PM me. And thanks for your help!

Oh yea...thanks for that routine...but after a quick glance, it seems to all be stuff I can already access.

sonic1
March 16th, 2012, 07:14 AM
My first problem is that the method you posted earlier is that it stores the value in only five variables, which basically means two letter per variable, and this is NOT what I want...I want one letter per variable. I'm sure I could whip up a seperation script, though. After doing this, the game applies a cipher, and applies my method of conversion, which I won't reveal right here, so I don't have someone who's playing my rom hack in the future stumble upon it, and suddenly find him or herself able to create a team of six level 100 Arceus. If you really want/need to know, feel free to PM me. And thanks for your help!



Well about the method, it isn't my fault, it's how the keyboard works, and i can't do anything about it without breaking compatibility to all other things that use it (at least me, i'm sure that there are many people out there who know a lot more ASM than me).

But yeah, a separation script is totally possible, just use copybyte to copy a byte to other variable while using writebytetooffset to clear the other 8bits (1-byte) of the variable.

The cipher... Well, i'm a student of asm for about 2 years from now, and i'm willing to try to learn everything about it. I'm not asking to see your cipher specifically, but an example of one would be nice for me to learn how to deal with those things.

Oh yea...thanks for that routine...but after a quick glance, it seems to all be stuff I can already access.
Well, if you say so... But yeah, the things i posted are the only ones that i know what it does, that routine is actually able to change everything, but i don't know what to pass as arguments to actually change everything, just those.

sonic1
March 17th, 2012, 01:36 PM
To anyone who is interested, callasm 0x09FC91 to name yourself in overworld.
FireRed Only.

~Sonic1

NarutoActor
March 17th, 2012, 07:53 PM
You are right, 0x8004 0x1 hatches an egg that is 2nd in the party, etc.

The only trouble now is identifying where the egg is. I've had a look at JPAN's Pokemon data decryption thread from years ago, in which he has a routine that can return a species, even in egg form - but that can't give a permission.

Ideally something like

Check (egg) species -> Locate species -> setvar 0x8004 to position

Especially if it's a one of pokemon, so there can't be more than one, so there is no trouble in accidentally hatching a normal pokemon instead. Anything to identify where the egg is would be a great start ><.
Well what you can do is have a series of checks that check each pokemon in the party's catch level (Which would be zero since it didn't hatch yet)that way you can tell where the egg is in the party, and if there is even one in said party.


Also isn't egg hacking based on the amount of steps the player takes. You can just add a certain amount of steps to the area where the amount of steps are stored, then start the routine for the egg check. Just my brain storming, I didn't actually try it myself, so tell me how it goes.

sonic1
March 18th, 2012, 06:57 AM
After a quick research, i discovered that in R/S/E, the scripting command 0x2E, Resetvars, doesn't reset vars.
In Firered does, but in those versions it sets 8000 to the current clock hours, 8001 to minutes and 8002 to seconds. The reason FIRERED resets those vars is because it doesn't have Real Time Clock.

Agastya
March 20th, 2012, 09:58 PM
As I've been doing a Fakemon hack in Emerald, the Frontier was obviously a mess. Things weren't very well documented outside of the normal structures for the Tents and regular Pokemon (which is very well documented on Bulbapedia - for brevity they will not be discussed here, go to bulbapedia.bulbagarden.net/wiki/Battle_Frontier_data_structures_in_Generation_III if interested), but this still left things like the Brains and wild spawns in the Pyramid/Pike up in the air. After a bit of snooping around, I've found some stuff. I really doubt this warrants its own thread, so I'll put it here.

Frontier Brain info:
The Frontier Brain teams are stored in a 20 Byte data structure, as shown:
41 00 | B3 00 | 18 | 0F | 6A/00/98/98/64/00 | 09 00/07 00/08 00/32 00

1) Species
2) Item (Normal indexing instead of Frontier indexing)
3) IVs (Apply to all stats)
4) Nature
5) EVs, in the order of HP/ATK/DEF/SPEED/SATK/SDEF
6) Movepool

Shown was Salon Maiden Anabel's Alakazam. It has a Modest nature, IVs of 24, an EV investment of 106 HP/152 DEF/152 SPD/100 SATK, and a movepool of Thunderpunch, Fire Punch, Ice Punch, and Disable. Its hold item is a Brightpowder.
Two things interesting to note is that Frontier Brains use normal item indexing instead of the Frontier's custom indexing, so they can hold whatever is wished for them to hold. Also, similarly to Steven's team in the Space Center event, they can have up to 255 EVs in each stat, and all EVs will be accounted for.

The teams themselves are located at the following offsets:
0x61156C, Salon Maiden Anabel
0x6115E4, Dome Ace Tucker
0x61165C, Palace Maven Spenser
0x6116D4, Arena Tycoon Greta
0x61174C, Metang, Skarmory, Aggron, Metang, Skarmory, Aggron*
0x6117C4, Pike Queen Lucy
0x61183C, Pyramid King Brandon

At each offset is six Pokemon. The first three Pokemon are used in the Silver symbol battle, and the next three Pokemon are used in the Gold symbol battle.
*This is two copies of Steven's team in the Space Center event - as Factory Head Noland uses random Pokemon from the Factory listing, he doesn't get a special team to use.

Battle Pyramid wild spawns:
The format for the wild spawns is 12 bytes long:
61 01 | 23 | 02 | 56 00/D1 00/E3 00/00 00

1) Species
2) EVs, dictated by the normal Frontier EVing setup
3) ???
4) Movepool

I'm not quite sure what the ?? is, but it's 02 in every wild spawn entry.
Showcased here is a Pluslie with EV investment of HP/ATK/SDEF, and a movepool of Thunder Wave, Spark, and Encore.

As strange as it is to EV in Attack, it was most likely done to keep it from being too "bulky" as EVs in regular Frontier Pokemon are evenly distributed among each stat (in which case this is 170 in each stat, compared to 255 in both HP and SDEF)


The wild spawns themselves are located at 0x6126B0 for Level 50 and 0x612E80 for Open Level. At each offset is a master list of 160 Pokemon broken up into groups of eight, and then twenty pointers respective to which round it is pointing to. The list is virtually identical for Level 50 and Open Level, but the EVs are different in Open Level. A listing of the Pokemon in the Pyramid itself can be found at Bulbapedia, and it generally follows the order that the Pokemon are listed.

I haven't looked at the wild spawns in the Pike yet, but they probably share a similar format to the wilds in the Pyramid. Hopefully this can help out with Frontier hacking.

knizz
March 24th, 2012, 02:45 AM
As for this, now i'm outta time, but i'll try to do something to you. Thing is, there's a routine in the rom, a powerful one, that has ENTIRE access to a pokemon's data, and can change anything about it!
List of things discovered that the routine can change (don't mind the hex numbers):

0x00 - Pokémon ID
0x01 - Trainer IDs
0x02 - Nickname Max Length 1 (r6 should be the nickname's address)
0x03 - Font / Language
0x04 - Sanity
0x05 - Sanity
0x06 - Sanity
0x07 - OT Name Max Length
0x08 - Marks
0x09 - Checksum
0x0A - Filler
0x0B - Species
0x0C - Held Item
0x0D - Attack 1
0x0E - Attack 2
0x0F - Attack 3
0x10 - Attack 4
0x11 - PP 1
0x12 - PP 2
0x13 - PP 3
0x14 - PP 4
0x15 - PP Bonuses
0x16 - Coolness
0x17 - Beauty
0x18 - Cuteness
0x19 - Exp. Points
0x1A - HP EV
0x1B - Attack EV
0x1C - Defense EV
0x1D - Speed EV
0x1E - Sp. Attack EV
0x1F - Sp. Defense EV
0x20 - Happiness
0x21 - Smartness
0x22 - Pokérus Status
0x23 - Catch Location
0x24 - Catch Level
0x25 -
0x26 - Hometown / Poké Ball / Trainer Gender
0x27 - HP IV
0x28 - Attack IV
0x29 - Defense IV
0x2A - Speed IV
0x2B - Sp. Attack IV
0x2C - Sp. Defense IV
0x2D - IsEgg
0x2E - Ability Bit
0x2F - Toughness
0x30 - Sheen
0x31 - OT Gender
0x32 -
0x33 -
0x34 -
0x35 -
0x36 -
0x37 - Status Ailment
0x38 - Level
0x39 - Current HP
0x3A - Total HP
0x3B - Attack
0x3C - Defense
0x3D - Speed
0x3E - Sp. Attack
0x3F - Sp. Defense
0x43 - Hall Of Fame ribbon
0x50 - Obedience




Well, i explained this in the last post. Its the naming type, which is gonna through r0. But that can be easily changed, i think, so this is the least of our worries.

My main worry is how you're gonna convert the letters bytes into usable codes.

:O
Is this 0803FBE8?
Thanks!

sonic1
March 24th, 2012, 05:13 AM
:O
Is this 0803FBE8?
Thanks!

Well, actually that's the routine that retrieves the pokemon data.

The one that i'm talking about is at 804037C, name's 'set_pokemon_data'

Pass adress at r0, pass index number r1, and the address which is located the data to set at r2. Thats why i was asking you about the stack. Game usually passes SP to R2, and the game uses the data present at the stack.

knizz
March 24th, 2012, 06:27 PM
Well, actually that's the routine that retrieves the pokemon data.

The one that i'm talking about is at 804037C, name's 'set_pokemon_data'

Pass adress at r0, pass index number r1, and the address which is located the data to set at r2. Thats why i was asking you about the stack. Game usually passes SP to R2, and the game uses the data present at the stack.

I updated my DB to include this and an enumeration with all numbers get/set_pokemon_data uses and the pokemon-properties they represent.

Also smaller changes and fixes.

Download link in the signature.

atomen
March 24th, 2012, 07:39 PM
Hi!

I thought this question might just fit in this thread. I've recently
developed a map editor for Red/Blue (out of pure curiousity) and now I've turned my sight for FR/LG. the difference compared to my
previous project though, is that I seem to be unable to find an
in-depth guide/format description of the map structure that LG/FR
uses. Now correct me if I'm wrong but does it not resemble the
format used in ruby/sapphire? At least that's what I've read.

If this statement is true, how close does this format description
match the FR/LG one (since it describes ruby's):
pokecommunity.com/showthread.php?p=6646782

Any hint or help would be greatly appreciated!
(sorry for the feeble reply, written on my cellphone...)

Note: I have tried to search for answers but without succes.

redriders180
March 26th, 2012, 05:27 PM
I'm happy to be posting here something that might help someone, actually! But then again, someone probably already posted this somewhere else. v.v

Anyways, in Diego's tutorial, it discusses applymovement, and lists many commands that can be used. It lists from 0x0 up to 0x66, skipping 0x45 and everything from 0x5A to 0x5F. I decided to try every possible byte as an applymovement command, to see if there's anything else besides the listed commands...and there was! I found almost 67 unmentioned movements, and a fair majority of them actually work. Most of these are useful, because they access frames besides the first eight. I'll list the ones not mentioned in the tutorial here...These are for Firered/Leafgreen:

#raw 0x45 = Walk in place. Direction of walking depends on which way you were facing at time of activation. Loops forever
#raw 0x5A = Look Down
#raw 0x5B = Run in place, downwards. Loops forever. Uses running frames, as opposed to walking frames.
#raw 0x5C = Seemingly Absolutely nothing
#raw 0x5D = Also absolutely nothing
#raw 0x5E = Again, Nothing
#raw 0x5F = Nothing once more.
#raw 0x67 = Nothing.
#raw 0x68 = Face up, and locks movement.
#raw 0x69 = Face up, and locks movement. When used for cut trees and smash rocks, it plays the destruction animation.
#raw 0x6A = Nothing.
#raw 0x6B = Nothing.
#raw 0x6C = Causes person not to flip while moving right, aka Moonwalking.
#raw 0x6D = Nothing.
#raw 0x6E = Walks one tile down, but takes two steps.
#raw 0x6F = Walks one tile down, but takes two steps.
#raw 0x70 = Faces right, then down, very fast.
#raw 0x71 = Faces down, then up, very fast.
#raw 0x72 = Faces up, then left, very fast.
#raw 0x73 = Faces left, then right, very fast.
#raw 0x74 = Runs in place downward, uses running frames, as opposed to normal
walking frames. Loops forever.
#raw 0x75 = Runs in place upward, uses running frames, as opposed to normal
walking frames. Loops forever.
#raw 0x76 = Runs in place left, uses running frames, as opposed to normal
walking frames. Loops forever.
#raw 0x77 = Runs in place right, uses running frames, as opposed to normal walking frames. Loops forever.
#raw 0x78 = Player looks diagonally left and right, twice.
#raw 0x79 = Faces down, Locks movement.
#raw 0x7A = Faces up, and locks movement.
#raw 0x7B = Faces left, locks movement.
#raw 0x7C = Runs and jumps in place, facing down. Uses running frames.
#raw 0x7D = Runs and jumps in place, facing up. Uses running frames
#raw 0x7E = Runs and jumps in place, facing left. Uses running frames.
#raw 0x7F = Runs and jumps in place, facing right. Uses running frames.
#raw 0x80 = Runs and jumps down. Uses running frames.
#raw 0x81 = Runs and jumps up. Uses running frames.
#raw 0x82 = Runs and jumps left. Uses running frames.
#raw 0x83 = Runs and jumps right. Uses running frames.
#raw 0x84 = Runs and jumps down two tiles. Uses running frames.
#raw 0x85 = Runs and jumps up two tiles. Uses running frames.
#raw 0x86 = Runs and jumps left two tiles. Uses running frames.
#raw 0x87 = Runs and jumps right two tiles. uses running frames.
#raw 0x88 = Step on the spot right, then face down.
#raw 0x89 = Step on the spot down, then face up.
#raw 0x8A = Step on the spot up, then face left
#raw 0x8B = Step on the spot left, then face right
#raw 0x8C = Run down. Uses running frames
#raw 0x8D = Run up. Uses running frames
#raw 0x8E = Run left. Uses running frames
#raw 0x8F = Run right. Uses running frames
#raw 0x90 = Slide down, facing right, then faces down.
#raw 0x91 = Slide up, facing down, then faces up.
#raw 0x92 = Slides left, facing up, then faces left.
#raw 0x93 = Slides right, facing left, then faces right.
#raw 0x94 = Spins down. Faces down when completed.
#raw 0x95 = Spins up. Faces up when completed.
#raw 0x96 = Spins left. Faces left when completed.
#raw 0x97 = Spins right. Faces left when completed.
#raw 0x98 = Runs downward, using running frames. Loops forever.
#raw 0x99 = Runs downward in place, and jumps. Repeats once.
#raw 0x9A = Runs downward in place, swaying from side to side slighty. Uses running frames.
#raw 0x9B = Walks downward VERY slowly, taking ten steps to move one tile.
#raw 0x9C = Walks upward VERY slowly.
#raw 0x9D = Walks left VERY slowly.
#raw 0x9E = Walks right VERY slowly.
#raw 0x9F = Looks diagonaly left and right, twice, then faces the same way you started facing.
#raw 0xA0 = Slides down one tile.
#raw 0xA1 = Slides up one tile.
#raw 0xA2 = Slides left one tile.
#raw 0xA3 = Slides right one tile.
#raw 0xA4 = Flies up off the screen, and disappears.
#raw 0xA5 = Flies down from top of screen, and reappears.
#raw 0xA6 = Runs very fast, and jumps down one tile
#raw 0xA7 = Runs very fast, and jumps up one tile
#raw 0xA8 = Runs very fast, and jumps left one tile
#raw 0xA9 = Runs very fast, and jumps right one tile
#raw 0xAA through #raw 0xFD either lock or crash the game.

A note: The ones that say "loop forever" can be un-looped, of course. The commands in question simply won't trigger the "waitmovement" command, so the script is waiting for a movement to end, causing the loop. I'll leave it up to you to figure it out ;)

Jambo51
March 27th, 2012, 03:56 AM
I've decided to post a couple of useful hacks on here today, both related to battle scripting.

First, here's my "callasm" scripting command. It does exactly what its namesake in overworld scripting does.

.text
.align 2
.thumb
.thumb_func
.global battlescriptcallasm
main:
push {lr}
push {r1-r7}
ldr r0, scriptlocation
ldr r0, [r0, #0x0]
ldrb r1, [r0, #0x1]
ldrb r2, [r0, #0x2]
lsl r2, r2, #0x8
orr r1, r2
ldrb r2, [r0, #0x3]
lsl r2, r2, #0x10
orr r1, r2
ldrb r2, [r0, #0x4]
lsl r2, r2, #0x18
orr r1, r2
bl bx_r1
ldr r0, scriptlocation
ldr r1, [r0, #0x0]
add r1, #0x5
str r1, [r0, #0x0]
pop {r1-r7}
pop {r0}
bx r0
bx_r1: bx r1
.align
scriptlocation: .word 0x02023D74


In order to insert this command, you need to repoint and extend the battle script command table which is at 0x0825011C and add a new entry pointing to the routine I just gave you. If you insert it directly after the end of the table, it will become command 0xF8.

Usage is thus:
F8 XX XX XX 08
Where XX XX XX 08 is the pointer to the ASM to call + 1 for THUMB mode, or not incremented for ARM mode.

Second up, this is the battle string loader hack I made. It intercepts the "failed" part of the loader. That is, it branches out from what the loader would otherwise consider to be a bad number to load from and skip.

.text
.align 2
.thumb
.thumb_func
.global battlestringloaderhack
main:
mov r0, #0xC2
lsl r0, r0, #0x1
cmp r0, r6
bne normalcode
ldr r0, ramlocation
ldr r7, [r0, #0x0]
cmp r7, #0x0
beq alternative
mov r0, #0xA
lsl r0, r0, #0x18
cmp r7, r0
bge alternative
mov r0, #0x8
lsl r0, r0, #0x18
cmp r7, r0
blt alternative
b continue
alternative: mov r6, #0xC
ldr r1, returntwo
bx r1
continue: ldr r0, returnone
bx r0
normalcode: ldr r1, otherramloc
mov r0, #0xFF
strb r0, [r1, #0x0]
pop {r3-r5}
mov r8, r3
mov r9, r4
mov r10, r5
pop {r4-r7}
pop {r0}
bx r0
.align
ramlocation: .word 0x0203C020
returntwo: .word 0x080D77D1
returnone: .word 0x080D77DD
otherramloc: .word 0x0202298C


As you can see, it has checks to try and catch a "bad" location given in the RAM location I set aside for the new functionality. All it can catch, sadly, is if you leave the RAM location empty, or if you try to use an invalid ROM location. The rest, I have to leave to the user.

I've written the routine such that it supports 32MB ROMs as well, so you don't have to worry about that either.

To insert the actual routine, navigate to 0xD77BE and change the code to 03 49 08 47, then go to 0xD77CC and change the pointer to the insert location of the routine, plus 1 for THUMB mode of course.

Now, using it. It's as easy as this: Using the storebyte command of the battle script functionality (0x2E), store the bytes of the ROM pointer in little endian ordering, into the RAM address 0x0203C020. Then, you call the battle string printer as such:
10 84 01 39 40 00

The routines will take care of the rest!

knizz
April 3rd, 2012, 12:12 PM
I wrote a bit about the scripting system at this new wiki http://pkmnhackersonline.com/wiki/index.php?title=Firered_Engine. Stuff that is in my DB already, but that isn't available online.

Agastya
April 5th, 2012, 07:49 AM
I think I've found the Battle Pike wilds. I say think, because despite the fact I have edited them in a hex editor (and multiple hex editors showing the changes), I personally can't get any changes to show up in-game. I'm only really posting these because they make sense compared to what's shown on the Bulbapedia page, and maybe somebody else can help out with this to say if they get results, if this is somehow completely wrong, or if it's just VBA getting tired of allowing me to have nice things.

Pike wilds start at 0x6121D4 for (Level 50?) and 0x612274 for (Open Level?). There are twelve entries followed by four pointers on the first one splitting them into four blocks of three, and then twelve entries followed by six pointers on the second one, the first four pointers splitting the previous twelve entries into four blocks of three and the final two pointing towards the first and second sets of pointers. The format for the wilds itself is a 12 byte data structure:

7B 01 | 04 00 | 5C 00 89 00 22 00 BC 00

1) Species, 2 bytes
2) ???, 2 bytes
3) Movepool, 8 bytes

Displayed is the generic Seviper entry. Its movepool is Toxic, Glare, Body Slam, and Sludge Bomb. I'm not sure what the ??? is, but it's either 04 00 or 05 00, and has been noted in the spawn listing alongside what Bulbapedia states is its spawn rate.


Set one (Rooms 0~280)
Seviper 04 00 26%
Milotic 04 00 26%
Dusclops 05 00 48%

Set two (Rooms 281~560)
Seviper 04 00 26%
Milotic 04 00 26%
Electrode 05 00 48%

Set three (Rooms 561~840)
Seviper 04 00 26%
Milotic 04 00 26%
Breloom 05 00 48%

Set four (Rooms 840+)
Seviper 04 00 26%
Milotic 04 00 26%
Wobbuffet 05 00 48%

Each instance of Seviper and Milotic is its own entry, so they should be customizable to the hacker's whims. The entries in Open Level are the same, but have slightly different movepools.

It'd be nice if these actually were the offsets though, because then after that it's figuring out what determines the Pokemon selected by each facility. Outside of the list being a in a "general sliding scale of difficulty" there's not really much other leads on selection.

redriders180
April 5th, 2012, 05:23 PM
Hi there! I was designing a berry tree system for my game (Firered), and while I figured out a way to make a tree give a berry a day, I realized that there was something else in the game that does pretty much the same thing; the regenerating berries in Berry Forest, and regenerating trinkets on treasure beach. Does anyone have any info on these regenerating items, and how I might be able to expand the list to cover all my berry trees? Additionally, does anyone know where I might find the offsets for the flags/variables for hidden items?

ipatix
April 8th, 2012, 04:35 AM
Hey guys,

I have some questions about the SSEQ file format:

I read in the SDAT specs of kiwi.ds that the delay and note length parameters are expressed with a variable anmount of bytes.
But these parameters aren't described and I want to know how these work.

What I noticed so far is that if you have more than one byte, the last byte is positive and the others are negative.
But what do I have to do with these values?
Do I have to read them out in Little Endian or do I have to add all these values?

Hope you can help me out with this ;-)

looper
April 8th, 2012, 12:40 PM
I guess here you find, what you're looking for: http://kiwi.ds.googlepages.com/sdat.html

sonic1
April 8th, 2012, 04:21 PM
Hi there! I was designing a berry tree system for my game (Firered), and while I figured out a way to make a tree give a berry a day, I realized that there was something else in the game that does pretty much the same thing; the regenerating berries in Berry Forest, and regenerating trinkets on treasure beach. Does anyone have any info on these regenerating items, and how I might be able to expand the list to cover all my berry trees? Additionally, does anyone know where I might find the offsets for the flags/variables for hidden items?


Well, i only took a quick look into this issue (3 minutes) because i'm very busy now, and i don't want to discourage you, but there's a limit for those items.
The routine at 080CC44C is the one who gets the flag associated with the hidden item, based on Hidden ID + 0x3e8. This means no repoint+add items without overwriting other game flags.

Thats the only thing i found out by now.

Props

redriders180
April 9th, 2012, 10:59 AM
Well, i only took a quick look into this issue (3 minutes) because i'm very busy now, and i don't want to discourage you, but there's a limit for those items.
The routine at 080CC44C is the one who gets the flag associated with the hidden item, based on Hidden ID + 0x3e8. This means no repoint+add items without overwriting other game flags.

Thats the only thing i found out by now.

Props

Well, plan B is to make a script that just clears all the hidden item flags to zero at midnight, which is simple enough. I assume the hidden item flags are stored somewhere in memory, so I'd just have to write 0 to all the bytes I need to clear it out. Does anyone have the offset for this location in the memory?

sonic1
April 9th, 2012, 02:20 PM
Well, plan B is to make a script that just clears all the hidden item flags to zero at midnight, which is simple enough. I assume the hidden item flags are stored somewhere in memory, so I'd just have to write 0 to all the bytes I need to clear it out. Does anyone have the offset for this location in the memory?

Well, actually, they are normal flags, like 0x800 etc..., but are Hidden ID + Flag 0x3E8. (E.g: Hidden item 0x10 would be flag 0x3F8. Clear the flag to be able to get the item again)

The script is somewhat easy. There are 0xBE hidden items. Here's a script made now for the purpose:

#dynamic 0x800000
'----------------
#org @start
setvar 0x8000 0x3E8 'Base flag
setvar 0x8001 0x0 'Counter
goto @loop

#org @loop
compare 0x8001 0xBE
if B_> goto @end
addvar 0x8001 0x1
clearflag 0x8000 ' Clear flag in var 8000
addvar 0x8000 0x1
goto @loop

#org @end
setvar 0x8000 0
setvar 0x8001 0 'Reset vars
release
end


I made this in 5 minutes and didn't test it. Test it and please warn me if there's an inconvenience with this.

(to @redriders180: I saw your PM, i just hadn't the time to answer it because its a little complex for my current time available)

redriders180
April 10th, 2012, 04:29 PM
Well, actually, they are normal flags, like 0x800 etc..., but are Hidden ID + Flag 0x3E8. (E.g: Hidden item 0x10 would be flag 0x3F8. Clear the flag to be able to get the item again)

The script is somewhat easy. There are 0xBE hidden items. Here's a script made now for the purpose:

#dynamic 0x800000
'----------------
#org @start
setvar 0x8000 0x3E8 'Base flag
setvar 0x8001 0x0 'Counter
goto @loop

#org @loop
compare 0x8001 0xBE
if B_> goto @end
addvar 0x8001 0x1
clearflag 0x8000 ' Clear flag in var 8000
addvar 0x8000 0x1
goto @loop

#org @end
setvar 0x8000 0
setvar 0x8001 0 'Reset vars
release
end
I made this in 5 minutes and didn't test it. Test it and please warn me if there's an inconvenience with this.

(to @redriders180: I saw your PM, i just hadn't the time to answer it because its a little complex for my current time available)

I just tested this, and for some odd reason, it's not working. I activated a hidden item in the usual way, obtained it, and then ran this script via signpost, but I couldn't get the item again. I even expanded it to clear every flag from 0x1 to 0xFFF, but nothing. Am I doing something wrong?

sonic1
April 11th, 2012, 10:46 AM
Ok, sorry, my bad, the script doesn't work, and i don't know why. In the past months i only worked with ASM, so i'm a but rusty with scripts. Here's a routine.
Try callingasm this routine:
.align 2
.thumb

main:
push {r0-r4, lr}
ldr r0, =0x3E8 @flag base
ldr r1, =0x0 @counter
loop:
cmp r1, #0xBE
bhi end
add r1, r1, #0x1
bl clearflag
add r0, r0, #0x0 @next flag
b loop
end:
pop {r0-r4, pc}

clearflag:
ldr r4, =0x0806E6A8+1 @clearflag routine offset
bx r4

Hope this helps.

Light_of_Aether
April 20th, 2012, 08:53 AM
I looked at the list of identified flags posted by DavidJCobb and it isn't very clear which ranges of flags can be used safely. It looks like the range between 0AE and 154 doesn't have any flags. Does anyone know if new flags can be created in that range?

Chaos Rush
April 28th, 2012, 09:59 PM
I figured out how to edit the Hoenn Dex order in Ruby, without editing the National Dex. The offset is at 0x1FC84C. It does not list by Pokemon index number, it lists by dex entry index number. Treecko's index number is 277, but Treecko's dex entry number is 252. Which is why the byte at the offset I listed is FC. Changing the bytes here will change the Hoenn Dex while keeping the National Dex intact.

I suspect the same table exists in Emerald, and the bytes should be exactly the same.

EDIT: Hacked the Hoenn Dex to something similar (but not exactly the same) to a listing I'm planning on using in a future hack:
http://i49.tinypic.com/262l4s9.png

sonic1
April 29th, 2012, 08:09 AM
I figured out how to edit the Hoenn Dex order in Ruby, without editing the National Dex. The offset is at 0x1FC84C. It does not list by Pokemon index number, it lists by dex entry index number. Treecko's index number is 277, but Treecko's dex entry number is 252. Which is why the byte at the offset I listed is FC. Changing the bytes here will change the Hoenn Dex while keeping the National Dex intact.

I suspect the same table exists in Emerald, and the bytes should be exactly the same.

EDIT: Hacked the Hoenn Dex to something similar (but not exactly the same) to a listing I'm planning on using in a future hack:
http://i49.tinypic.com/262l4s9.png

Yup, that table exists in Emerald, it's located at 0x31DFB8
For any ruby/firered to emerald equivalents, you can ask me, as i'm a emerald hacker.

Chaos Rush
April 29th, 2012, 08:47 AM
Yup, that table exists in Emerald, it's located at 0x31DFB8
For any ruby/firered to emerald equivalents, you can ask me, as i'm a emerald hacker.
Do you know where the limiter that limits the Hoenn Dex to 202 entries is though? It would be nice if we could expand it. It shouldn't require any ram repointing because the maximum amount of entries that the ram allows is 386.

Jambo51
May 12th, 2012, 05:56 AM
For anyone interested, in FR US 1.0 (aka BPRE 1.0), to change your Pokédex "mode" to the style which DPPt used (That is, to have the seen amount displayed in the continue screen and the save screen instead of the caught numbers), change:

0800CF56: 00 20
0800CF64: 00 20
080F803C: 00 20
080F8044: 00 20

It really is that simple. :)

Haru~
May 22nd, 2012, 06:48 AM
Hello guys! :)

Does anyone know the RAM location for the player's current money, if any?
I've been messing with the memory viewer but I can't see it unless I access the trainer card, 0x02000490. But I want to know where the data is when you're not viewing the card.

EDIT: Oh, it's for BPRE. Silly me! ^^

Spherical Ice
May 22nd, 2012, 06:51 AM
Well the offset 0x054B80 contains bytes that can be edited to change the amount of money you start off with in FireRed, but I don't know which ROM you're referring to.

Chaos Rush
May 31st, 2012, 02:08 PM
stuff
So glad I found this, thank you! I've been thinking of figuring out how to make my own callasm command for battle scripting, but you've just saved me some work!

aar2697
June 4th, 2012, 02:35 PM
For the setmapfooter command/script in XSE, you're required to know the map footer for the map. Some people suggest subtracting the map footer table from the pointer to map footer offset, but there's a much easier way. I also think that method only works with Emerald, because since no one has posted the map footer table for Fire Red on these forums, I had to reverse find the "table," but using that number did not work with other maps than the map that I used to reverse find it. I probably checked my math, offsets, and pointers countless times, and I'm positive that method doesn't work with Fire Red.

This, however DOES work with Fire Red, along with Leaf Green, Ruby, Sapphire, and Emerald.
1. Go into Advance Map.
2. Choose a map you want the setmapfooter command to work with.
3. Go to header.
4. CTRL+H for professional settings.
5. Find the 19th byte in the Map Header (long strand of bytes under Map Settings)
6. That 19th byte is what you will use.

Haru~
June 7th, 2012, 11:13 PM
After a long battle with cancer trying to find the RAM location of the player's money, I had a feeling that it is encrypted somewhere in the RAM and that's why I can't find it. So after going to my local POKeMART, I found a little routine that seems to decrypt something. After doing further testing, I made this routine to get the player's current money using the game's own code.

The routine:


.align 2
.thumb

/*This routine does all the hard work in retrieving your current
money and stores it in vars 0x8000 and 0x8001.
0x8000 - Lower half
0x8001 - Upper half
*/

main: push {r4-r6, lr}
ldr r6, .DMA_MAP
ldr r0, [r6, #0x0]
mov r5, #0xA4
lsl r5, r5, #0x2
add r0, r0, r5
ldr r1, .OTHER_RAMLOC
ldr r1, [r1, #0x8]
bl get_amount /*Does the actual decrypting*/
ldr r1, .VAR_8000
str r0, [r1]
pop {r4-r6, pc}

get_amount: ldr r4, .DO_CALC
bx r4

.hword 0x0000
.DMA_MAP: .word 0x03005008
.OTHER_RAMLOC: .word 0x02039934
.VAR_8000: .word 0x020370B8 /*Var 0x8000-0x8001*/
.DO_CALC: .word 0x0809FD59



I slept after that...