
Quick Research & Development Thread

94
Posts
13
Years
  • Seen Nov 2, 2016
Exactly, I've been looking for the routine that checks the badge/HM flags in the menu, then allows you to use them if they are set. That way all that need be done is skip that check and allow use of HMs no matter if the flags are set or not. The problem is that because flags are DMA protected I can't simply set a break on read on their addresses. I've been looking for some sort of routine to calculate their locations, but I haven't been able to find anything.

EDIT: I've allowed menu use of all HMs without needing any badges (not quite sure exactly why it works), but haven't found a way to allow "quick" use by just pressing the A button to use surf or waterfall. Flash and fly don't need quick use, and I'm assuming that the scripts will take care of quick use for cut, rock smash, and strength.

EDIT 2: Found the surf check routine, and made a hack to allow "quick command" surfing even before the command is set, I just skip a check if the player has the correct flag set.

As a sidenote, each of these routines loads a flag like a variable, then calls 0x0806e6d0 (passing r0 as an argument, for example, flag 720 would be 00000720). I believe this calculates addresses of flags then stores its bit, but don't quote me on this.

EDIT 3: Did the same as in the 2nd edit for waterfall. It's now completely functional, allowing use of any HM before you receive any badge, and allowing "quick" use of waterfall and surf by pressing the A button at a waterfall or water respectively.
 

TheDarkShark

Metal Headed Hacker
56
Posts
13
Years

How about sharing info what you changed to make this work?
 

Shiny Quagsire

I'm Still Alive, Elsewhere
697
Posts
14
Years
Verisign is an SSL certificate signer. It's probably used for the GTS servers, which has been hacked before using a custom DNS server. I don't think there's any mystery gift stuff in there, which I wish was there. I think it'd be cool to hack mystery gift. ^_^
 

knizz

192
Posts
16
Years
  • Seen Oct 28, 2020
I uploaded my private offset list here: REMOVED
Check my signature for updates.
 

knizz

192
Posts
16
Years
  • Seen Oct 28, 2020
0x9C (doanimation) is a command like "special" which takes a halfword for choosing the action.
It uses its own scripting language. The animation-table is at 081D96AC. The commands of this sub-language are at 083CBE30. The most common commands are 0x03, 0x04 and 0x07. 0x03 starts ASM code. 0x04 ends the execution. Idk more about 0x07.

I created the list in the spoiler by overwriting the script of the girl in the hometown with
eb 0816575C 0x9C
eb 0816575D <number>
eb 0816575E 0x00
eb 0816575F 0x02

Disable the badge-check for HMs:
eb 0812462E 0

I assume that most of these 0x9C-animations do more than what I wrote down here. I just tested them in one situation. For example if the game thinks I'm currently in the air it won't show the take off animation just the landing animation. Etc.

Spoiler:





If you want to fly callasm 080BFEDC, 080BFF50 or 080C4EF8. (I don't know the difference between those yet)




Flying uses animations 1f, 3b, 06, 03 and 20. Not all of them are called directly. Animation 3B for example is called by animation 1f (if I'm not mistaken).
 

lmdst

Blast From the Past
13
Posts
15
Years
  • Age 33
  • Seen Feb 26, 2014
Hey, it turns out I can do more than ask questions!


I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but nobody knew how to change the numbers around - the Pokémon still kept their original Sinnoh dex numbers, meaning an Abra would be 020 no matter his position, Turtwig would be 001, and Pokémon not in the Sinnoh dex would be 000. This obviously meant that the numbers are stored elsewhere. So I decided to look for them.

What I figured is that the code kept a list of the Pokémon, in their internal order, and one or two bytes determined their number. For example, the list would start at Bulbasaur, who is not in the dex, so it would say "00". That would go on until the first Kanto Pokémon you can find in Sinnoh, Pikachu, shows up. At this point the code would say "68", which is hex for his Sinnoh dex number, 104. Raichu would follow with 69, and so on.

With this method, when the list reached the Gen IV Pokémon, it would start with 01 (Turtwig) and go on until Luxray (19 in the Sinnoh dex, which is 13 in hex). After that, there would be a gap to account for Abra and Magikarp's evolutionary lines, then would follow into Budew (number 25, or 19 in hex).

So what I did was search the rom for the hex string "13001900". Turns out, I was right!

Okay so, long story short, the Sinnoh Pokédex numbers (not the order) in Diamond and Pearl start at 385CE46, with Bulbasaur. Each Pokémon's info is two bytes long, with the first being the Pokémon's Sinnoh dex number in hex and the second being typically a 00. However, I believe it could be changed to 01 to account for numbers above 255, which means that one could potentially increase the size of the Sinnoh Pokédex.
 

knizz

192
Posts
16
Years
  • Seen Oct 28, 2020
... starts at 385CE46, with Bulbasaur. ...

Posting offsets for DS-Games isn't ideal because the ROMs have a filesystem.
I wrote a tool to convert offsets to paths.
C-Code and Mac-EXE: REMOVED
EXE: http://www.pokecommunity.com/showpost.php?p=5805522&postcount=10

I ran this tool on all occurrences of "13001900". (Which are: 0440dbC 1c2ed66 1c2ed88 2f7b8a3 3155614 317b2b4 32af774 33c28d5 33c38b9 33dc999 385d166) This is the output:
Code:
Start    End      Position    Length     Name
00440200 00441314 00000BBC of 00001114 | tmap_block.dat < data < 
01C2ED64 01C2ED6C 00000002 of 00000008 | 53. < trpoke.narc < trainer < poketool < 
01C2ED80 01C2ED94 00000008 of 00000014 | 56. < trpoke.narc < trainer < poketool < 
02F79ABC 02F7C4B4 00001DE7 of 000029F8 | 211 < land_data_release.narc < land_data < fielddata < 
0314AC14 03155980 0000AA00 of 0000AD6C | 337 < land_data_release.narc < land_data < fielddata < 
03174818 0317B4E6 00006A9C of 00006CCE | 344 < land_data_release.narc < land_data < fielddata < 
032A8604 032AFAEE 00007170 of 000074EA | 401 < land_data_release.narc < land_data < fielddata < 
033BA0B4 033C5250 00008821 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata < 
033BA0B4 033C5250 00009805 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata < 
033DA264 033E4B46 00002735 of 0000A8E2 | 435 < land_data_release.narc < land_data < fielddata < 
0385CE3C 0385D218 0000032A of 000003DC | 0. < pokezukan.narc < poketool <

Of course all land_data_release lines are false matches because we know that they contain 3D models.

Please correct me if I'm wrong about something.
 
Last edited:
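The offset-to-file step described in the post above, as an added Python example (not knizz's C tool and not part of the original post). The extents are copied from the Start/End/Name columns of the quoted output, the paths are rewritten root-first as an assumption about how the tool's `<` chain reads, and `0x1C2ED70` is a constructed offset that falls between two listed files. The file-relative position is the value that stays meaningful when a ROM is rebuilt and its files move.

```python
from bisect import bisect_right

# (start, end-exclusive, path) taken from the tool output quoted in the post.
# Paths are written root-first here; that ordering is an assumption.
EXTENTS = sorted([
    (0x00440200, 0x00441314, "data/tmap_block.dat"),
    (0x01C2ED64, 0x01C2ED6C, "poketool/trainer/trpoke.narc/53"),
    (0x01C2ED80, 0x01C2ED94, "poketool/trainer/trpoke.narc/56"),
    (0x02F79ABC, 0x02F7C4B4, "fielddata/land_data/land_data_release.narc/211"),
    (0x0385CE3C, 0x0385D218, "poketool/pokezukan.narc/0"),
])
STARTS = [start for start, _, _ in EXTENTS]


def resolve(offset):
    """Map a raw ROM offset to (path, position, length), or None when the
    offset is outside every listed file (header, padding, unlisted file)."""
    i = bisect_right(STARTS, offset) - 1   # last extent starting at or before offset
    if i < 0:
        return None
    start, end, path = EXTENTS[i]
    if offset >= end:                      # past the end of that file: a gap
        return None
    return path, offset - start, end - start


def report(offsets):
    """Format each offset the way the tool output does: position 'of' length."""
    lines = []
    for off in offsets:
        hit = resolve(off)
        if hit is None:
            lines.append(f"{off:08X} | not inside a listed file")
        else:
            path, pos, length = hit
            lines.append(f"{off:08X} | {pos:08X} of {length:08X} | {path}")
    return lines


# Four of the "13001900" hits listed in the post, plus one constructed gap offset.
HITS = [0x0440DBC, 0x1C2ED66, 0x2F7B8A3, 0x385D166, 0x1C2ED70]

if __name__ == "__main__":
    print("\n".join(report(HITS)))
```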

Iacobus

sǝɯɐɾ
64
Posts
20
Years
Hey, it turns out I can do more than ask questions!

I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but nobody knew how to change the numbers around -...
Sorry to say this, but it was one of the first things documented when Diamond and Pearl got dumped.
Link
 

r0bert

Quitifyingly awesome.
370
Posts
13
Years
1st of all, I can revive this thread, right?
2nd; if this is in the wrong place I'm sorry.
After browsing every offset in my FireRed ROM looking for the PALS A-map uses, I've found some of them:
PAL0___EA1B68
PAL1___EA1B88
PAL2___EA1BA8
PAL3___EA1BC8
PAL4___EA1BE8
PAL5___EA1C08
PAL6___EA1C28
But a question: why are the offsets always 20 apart?
 

DrFuji

Heiki Hecchara
1,691
Posts
14
Years

Because each palette is comprised of sixteen colours, which are translated from two bytes. For example, black is represented as 00 00, while white is 7F FF. As each colour takes up two bytes, the sixteen of them will take up thirty-two bytes in total, which can be translated to a space of twenty in HEX.
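The palette layout from this answer, worked through in Python as an added example (not code from the thread). It computes each palette's offset from the PAL0 address in the question and decodes one 32-byte palette into RGB. The 15-bit colour layout and little-endian storage are GBA hardware facts; the sample palette bytes are constructed.

```python
import struct

PAL0 = 0xEA1B68                  # offset of PAL0 given in the question
COLOURS_PER_PALETTE = 16
BYTES_PER_COLOUR = 2
PALETTE_SIZE = COLOURS_PER_PALETTE * BYTES_PER_COLOUR   # 32 bytes == 0x20


def palette_offset(n, base=PAL0):
    """Offset of palette n when palettes are stored back to back."""
    return base + n * PALETTE_SIZE


def decode_colour(value):
    """Split a 15-bit GBA colour (bits 0-4 red, 5-9 green, 10-14 blue)
    into an 8-bit (r, g, b) tuple."""
    def widen(c):                # stretch 5 bits to 8 so 31 becomes 255
        return (c << 3) | (c >> 2)
    return (widen(value & 0x1F),
            widen((value >> 5) & 0x1F),
            widen((value >> 10) & 0x1F))


def decode_palette(data, n, base=PAL0):
    """Read palette n out of a ROM image and return its 16 RGB colours."""
    start = palette_offset(n, base)
    raw = data[start:start + PALETTE_SIZE]
    if len(raw) != PALETTE_SIZE:
        raise ValueError("palette runs past the end of the data")
    # Colours are little-endian halfwords, so 0x7FFF sits in the file as FF 7F.
    return [decode_colour(v) for v in struct.unpack("<16H", raw)]


# Constructed sample: two palettes at base 0 instead of a real ROM image.
SAMPLE = (struct.pack("<16H", 0x0000, 0x7FFF, 0x001F, 0x03E0, 0x7C00, *[0] * 11)
          + struct.pack("<16H", *[0x7FFF] * 16))

if __name__ == "__main__":
    for n in range(7):
        print(f"PAL{n} at {palette_offset(n):06X}")
    print(decode_palette(SAMPLE, 0, base=0)[:5])
```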
 

Full Metal

C(++) Developer.
810
Posts
16
Years
Heyhey, this has probably been found but...
0202557A - Y co-ordinates of the player
02025578 - X co-ordinates of the player
:) ( I finally figured out how to use cheat search~ :D )
( they are 16-bit values )
 
1
Posts
12
Years
  • Seen May 26, 2011
How to prevent legendary birds from fleeing

I think I've found a way to prevent the three original legendary birds from fleeing when you encounter them in Gold and Silver. At offset 0x03C560, there's a list of hex codes which includes Articuno, Zapdos, and Moltres; changing their three codes to 0x00 does the trick.

I think this question was being asked when Bright Gold was in development. Anyway, I'm working on a similar hack, so I hope this helps.
 

linkandzelda

Ex-rom hacker turned indie game developer
777
Posts
17
Years
Hello,
I'm trying to run an item's asm, from within a script using callasm. At 080A1D9D is the ask for the VS SEEKER. I would like to run that but as I'm not in the bag it will run the bag close routine which results in a fade screen.

Hope I can ask this here,
Thanks
 

Darthatron

巨大なトロール。
1,152
Posts
18
Years

Try running it from 080A1DF4+1. This bypasses most of the checks (like "Now isn't the time to use that...") but I don't think it will work correctly since the routine seems to have at least one parameter (in R0.)
 

linkandzelda

Ex-rom hacker turned indie game developer
777
Posts
17
Years

Thanks for the help, but it went straight to the fadescreen again.
 