  #1    
Old July 22nd, 2009, 01:30 PM
daigonite
Share Ram offsets for Pokémon games here. PLEASE NOTE: It says "Ram" and not "Rom", meaning we don't want to see offsets starting in 0x8~~~~~~ or stuff like that. We want offsets that are from VBA's memory viewer, so that others can use them in ASM routines and similar occurrences. Please also indicate what it is and how you (think) it works, and which Rom it applies to (Rom name, ex. AXVE)

Only applies to Ruby/Sapphire, unless you find offsets for the DMA
*by this I mean locating the offset that points to the data in the RAM that changes due to DMA-protection

Interesting Pointers in the WRAM:

RUBY (E; AXVE):

0x02024EA4 = Name, 8 bit. Make sure NOT to change the 0xFF afterwards, or else the game will freeze upon opening the Trainer Card and will erase saved data.

Following effects in battle; not status screen.
0x02024A8C = First Attack. 16-bit.
0x02024A8E = Second Attack. 16-bit.
0x02024A90 = Third Attack. 16-bit.
0x02024A92 = Fourth Attack. 16-bit.
0x02024AA4 = PP for first attack. 8-bit.
0x02024AA5 = PP for second attack. 8-bit.
0x02024AA6 = PP for third attack. 8-bit.
0x02024AA7 = PP for fourth attack. 8-bit.
Note: Following values are generated upon entering battle. Changing Enemy Species will have no effect on Opponent.
0x02024AE4 = First Enemy Attack. 16-bit.
0x02024AE6 = Second Enemy Attack. 16-bit.
0x02024AE8 = Third Enemy Attack. 16-bit.
0x02024AEA = Fourth Enemy Attack. 16-bit.
0x02024AFC = PP for first enemy attack. 8-bit.
0x02024AFD = PP for first enemy attack. 8-bit.
0x02024AFE = PP for first enemy attack. 8-bit.
0x02024AFF = PP for first enemy attack. 8-bit.
0x02024AD8 = Enemy Species.
0x02024B00 = Enemy HP. 16-bit. NOTE: When set to 0xFFFF (maximum value), attack will do normal percentage of damage, but the next attack will cause a loop of HP. When set to 0x0000, your Pokémon will attack, then receive respective experience points (without the fainting animation of the opponent)
0x02024AF0 = Enemy HP Multiplier. Normal is 0x06. 8-bit. (I actually have no idea why they have this o.o)
0x02024AF1 = Enemy Attack Multiplier. Normal is 0x06. 8-bit.
0x02024AF2 = Enemy Defense Multiplier. Normal is 0x06. 8-bit.
0x02024AF3 = Enemy Speed Multiplier. Normal is 0x06. 8-bit.
0x02024AF4 = Enemy Sp. Attack Multiplier. Normal is 0x06. 8-bit.
0x02024AF5 = Enemy Sp. Defense Multiplier. Normal is 0x06. 8-bit.
0x02024B14 = Enemy OT name. Note: Even Trainers have the same OT name, and will have no effect if changed. 8-bit.

PP values can be set over 0x63, however such values appear with a ?, indicating a number over 99.

0x02024EB2 = This value affects Play Time. The four bytes following it also affect Play Time, however, at faster rates. Hours are 16 bit; minutes, seconds and milliseconds are 8 bit.

0x02024EAE = Your Trainer Card Number. 16-bit.
0x02024EB0 = Your Secret Number. 16-bit.

0x02024E8E = Last accessed LZ77 Sprite (does not include your trainer backsprite or attack animations). This number applies to Pokémon seen before as well. 16-bit.

0x02024E6D = This value changes to 0x01 when a foe is hit. 8-bit.

0x02024E80 = This value changes when different moves are used. Might be the effect, might be animation. Unsure. Only changes with damaging moves, not stat lowering/effect moves. 8-bit (apparently?)

0x02024E94 = This is a pointer that leads to the pointer that's used for displaying Pokémon. Hm... *wink*. 32-bit.

0x02024E98 = This pointer links to some data involved with Pokémon battles. It changes when Pokémon are encountered in the wild and when Pokémon are sent out. 32-bit.

0x02024E9C = This pointer links to some data involved with the layout of the Pokémon in battles. If the data where the pointer leads to is removed, interesting graphical glitches occur, and an effect resembling the Bo' eAN glitch also occurs. (Debug, anyone?) This Pointer also changes when Pokémon are encountered or when Pokémon are sent out. 32-bit.

0x02024EA0 = This pointer leads to a THUMB routine. The routine may be involved with how the Pokémon are displayed as well. It changes as according to the conditions stated with the above two pointers. 32-bit.

It should be noted that most of these are not permanent changes but can be used when designing new effects for attacks. Although I have not obtained offsets for both opponent and ally Pokémon, they can be mirrored to each other.

Also, for some reason, the player's name pops up in a ton of places, but changing it has no effect on the game at all (that I could find). Reason?
Last edited by daigonite; July 23rd, 2009 at 04:25 AM.
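
Added example, not part of daigonite's post or the thread: one way to read the enemy fields listed above out of a raw EWRAM dump saved from the emulator, with every access bounds-checked. It assumes the dump starts at 0x02000000 and that Enemy Species is 16-bit (the post gives no width); the sample bytes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define EWRAM_BASE 0x02000000u   /* GBA on-board work RAM, 256 KiB */
#define EWRAM_SIZE 0x40000u

typedef struct {
    uint16_t species, hp, move[4];
    uint8_t  pp[4];
    int8_t   stat_delta[6];      /* multiplier byte minus the 0x06 "normal" */
} enemy_t;

/* Map a VBA memory-viewer address to a dump offset, or -1 if reading
 * len bytes there would fall outside EWRAM or outside the dump. */
long ewram_off(uint32_t addr, size_t len, size_t dump_len) {
    if (addr < EWRAM_BASE || addr - EWRAM_BASE >= EWRAM_SIZE) return -1;
    size_t off = addr - EWRAM_BASE;
    if (len > dump_len || off > dump_len - len) return -1;
    return (long)off;
}

/* The GBA is little-endian: low byte first. Caller has bounds-checked. */
static uint16_t rd16(const uint8_t *d, long off) {
    return (uint16_t)(d[off] | (d[off + 1] << 8));
}

/* Decode the enemy fields from the post's Ruby (AXVE) list.
 * Assumption: species is 16-bit; the post gives no width for it. */
int decode_enemy(const uint8_t *d, size_t n, enemy_t *e) {
    long base = ewram_off(0x02024AD8u, 0x2A, n);   /* 0x02024AD8..0x02024B01 */
    if (base < 0) return -1;
    e->species = rd16(d, base);                    /* 0x02024AD8 */
    e->hp      = rd16(d, base + 0x28);             /* 0x02024B00 */
    for (int i = 0; i < 4; i++) {
        e->move[i] = rd16(d, base + 0x0C + 2 * i); /* 0x02024AE4.. */
        e->pp[i]   = d[base + 0x24 + i];           /* 0x02024AFC.. */
    }
    for (int i = 0; i < 6; i++)                    /* 0x02024AF0.. */
        e->stat_delta[i] = (int8_t)(d[base + 0x18 + i] - 0x06);
    return 0;
}

int main(void) {
    static uint8_t dump[EWRAM_SIZE];               /* constructed sample */
    dump[0x24AD8] = 0x1E; dump[0x24AD9] = 0x01; dump[0x24B00] = 0x23;
    enemy_t e;
    if (decode_enemy(dump, sizeof dump, &e) == 0)
        printf("species=0x%04X hp=%u\n", (unsigned)e.species, (unsigned)e.hp);
    return 0;
}
```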
  #2    
Old July 23rd, 2009, 03:15 AM
HackMew
This thread should belong to the Documents and Tutorials, actually. Either way, all those make sense only for R/S as the other games are DMA-protected, hence (most of) the data will be shifting back and forward in RAM. In other words, no fixed RAM addresses.

Quote:
Originally Posted by Charon the Ferryman View Post
Also, for some reason, the player's name pops up in a ton of places, but changing it has no effect on the game at all (that I could find). Reason?
It must be the game that puts it into RAM whenever needed, as a temporary store. The actual player's name address is one and only one.
  #3    
Old July 23rd, 2009, 03:25 AM
score_under
Quote:
Originally Posted by HackMew View Post
DMA-protected
Which in this case stands for Dynamic Memory Allocation, not Direct Memory Access - you should fix that in your tutorial thread.

There must be some way to track down the pointers to it... although doing so would be tiresome.
  #4    
Old July 23rd, 2009, 04:23 AM
daigonite
Quote:
Originally Posted by HackMew View Post
This thread should belong to the Documents and Tutorials, actually. Either way, all those make sense only for R/S as the other games are DMA-protected, hence (most of) the data will be shifting back and forward in RAM. In other words, no fixed RAM addresses.

It must be the game that puts it into RAM whenever needed, as a temporary store. The actual player's name address is one and only one.
Whoops. Well, at least my hunch was correct. I'll be doing more investigation today (wheee), and I'll make sure I note R/S in the first post : P

Also, mod, take HM's advice and please move this to Documents and Tutorials. Thank you!
  #5    
Old July 23rd, 2009, 06:31 AM
HackMew
Quote:
Originally Posted by score_under View Post
Which in this case stands for Dynamic Memory Allocation, not Direct Memory Access - you should fix that in your tutorial thread.

There must be some way to track down the pointers to it... although doing so would be tiresome.
Ah, the joys of acronym ambiguity... yes and no. In my tutorial I clearly stated the locations are dynamic, and to move the data around the GBA uses Direct Memory Access BIOS functions. Dynamic Memory Allocation there relies on such functions. The so-called DMA disabler or Anti-DMA codes will prevent the BIOS functions from being executed, or better, make them always move the data to the same addresses. In the Pokémon games (but side effects probably happen in other ones as well), the PRNG, which is indeed used to randomize the addresses, gets broken after using them.

Since the data changes on-the-fly, the only things that can be provided are the IWRAM addresses pointing to the protected data, which can be tracked down with a bit of debugging effort.
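
Added example, not code from HackMew or the thread: why a fixed EWRAM address stops working once the data is relocated, and how reading through a fixed IWRAM pointer slot still finds it in two snapshots. The slot address `PTR_SLOT`, the block addresses and the marker byte are hypothetical values constructed for the example, and it assumes full-size IWRAM and EWRAM dumps with the relocated block living in EWRAM.

```c
#include <stdint.h>
#include <stdio.h>

#define EWRAM_BASE 0x02000000u
#define EWRAM_SIZE 0x40000u     /* 256 KiB */
#define IWRAM_BASE 0x03000000u
#define IWRAM_SIZE 0x8000u      /* 32 KiB */
#define PTR_SLOT   0x03000100u  /* hypothetical slot address, not from the thread */

/* Read a little-endian 32-bit pointer stored at a fixed IWRAM address. */
int read_slot(const uint8_t *iwram, uint32_t slot, uint32_t *ptr) {
    if (slot < IWRAM_BASE || slot - IWRAM_BASE > IWRAM_SIZE - 4) return -1;
    const uint8_t *p = iwram + (slot - IWRAM_BASE);
    *ptr = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Follow the slot to the relocated block and read one byte at field_off.
 * Returns -1 on a null or out-of-range pointer instead of reading from
 * a guessed address. Assumption: the block lives in EWRAM. */
int read_relocated(const uint8_t *iwram, const uint8_t *ewram,
                   uint32_t slot, uint32_t field_off) {
    uint32_t ptr;
    if (read_slot(iwram, slot, &ptr) != 0) return -1;
    if (ptr < EWRAM_BASE || ptr - EWRAM_BASE >= EWRAM_SIZE) return -1;
    uint32_t off = ptr - EWRAM_BASE;
    if (field_off >= EWRAM_SIZE - off) return -1;
    return ewram[off + field_off];
}

/* Constructed snapshot: a block at block_addr with marker byte 0x2A at
 * offset +8, and block_addr stored in the slot. */
void make_snapshot(uint8_t *iwram, uint8_t *ewram, uint32_t block_addr) {
    uint32_t s = PTR_SLOT - IWRAM_BASE;
    for (int i = 0; i < 4; i++) iwram[s + i] = (uint8_t)(block_addr >> (8 * i));
    ewram[block_addr - EWRAM_BASE + 8] = 0x2A;
}

int main(void) {
    static uint8_t iw[IWRAM_SIZE], ew[EWRAM_SIZE];
    make_snapshot(iw, ew, 0x02024A00u);   /* block address is constructed */
    printf("field = 0x%02X\n", (unsigned)read_relocated(iw, ew, PTR_SLOT, 8));
    return 0;
}
```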
  #6    
Old July 27th, 2009, 11:43 PM
0m3GA ARS3NAL
Quote:
Originally Posted by HackMew View Post
Ah, the joys of acronym ambiguity... yes and no. In my tutorial I clearly stated the locations are dynamic, and to move the data around the GBA uses Direct Memory Access BIOS functions. Dynamic Memory Allocation there relies on such functions. The so-called DMA disabler or Anti-DMA codes will prevent the BIOS functions from being executed, or better, make them always move the data to the same addresses. In the Pokémon games (but side effects probably happen in other ones as well), the PRNG, which is indeed used to randomize the addresses, gets broken after using them.

Since the data changes on-the-fly, the only things that can be provided are the IWRAM addresses pointing to the protected data, which can be tracked down with a bit of debugging effort.
Wut?
Anywho, this is a nice document here... Pretty handy for those R/S hackers.
  #7    
Old August 2nd, 2009, 10:01 AM
IIMarckus
Quote:
Originally Posted by score_under View Post
Which in this case stands for Dynamic Memory Allocation, not Direct Memory Access
Oh! Thanks for the clarification. Do the games use it for cheat protection, or is there some other advantage?