Research & Development Quick Research/Development Thread

[diegoisawesome]

0x291FC0 contains the script for egg hatching through walking in Emerald.
And yes, it IS a script.

[NintendoBoyDX]

Knizz, do you know at what part of the whiteout routine are the two texts displayed, and where it cuts off the sound?
"[player] scurried to the pokemon center, shielding the pokemon from further harm..."
and
"first, let's heal your pokemon back to full health"

I've been looking for those for quite a bit with no luck.

[knizz]

Can you give me the offsets of the texts?

[NintendoBoyDX]

Here are the offsets:
"First, you should restore your POKéMON to full health." - 0x1A5E89

There are actually 2 for this one, one for home returns and one for returns to the pokemon center.

"[PLAYER] scurried to a POKéMON CENTER,
protecting the exhausted and fainted
POKéMON from further harm[...]" - 0x41B554

"[PLAYER] scurried back home, protecting
the exhausted and fainted POKéMON from
further harm[...]: - 0x41B5B6

I'd guess that the part where the music cut's off would be near the routine that uses these strings, but it's just a guess.

EDIT:

I think I found where it loads the text that is on the black screen

Spoiler:

Code:

080566a4  b500 push {lr}
080566a6  b081 add sp, -#0x4
080566a8  4917 ldr r1, [$08056708] (=$030030f0)
080566aa  2087 mov r0, #0x87
080566ac  00c0 lsl r0, r0, #0x03
080566ae  1809 add r1, r1, r0
080566b0  7808 ldrb r0, [r1, #0x0]
080566b2  3001 add r0, #0x1
080566b4  7008 strb r0, [r1, #0x0]
080566b6  0600 lsl r0, r0, #0x18
080566b8  0e00 lsr r0, r0, #0x18
080566ba  2877 cmp r0, #0x77
080566bc  d921 bls $08056702
080566be  f000 bl $080569bc
080566c2  f01b bl $08071a94
080566c6  f7ff bl $08056420
080566ca  f7fe bl $08054bc8
080566ca  f7fe bl $08054bc8
080566ce  2002 mov r0, #0x2
080566d0  f7ff bl $080559f8
080566d4  f013 bl $08069a80
080566d8  f013 bl $0806994c
080566dc  490b ldr r1, [$0805670c] (=$03005020)
080566de  480c ldr r0, [$08056710] (=$0807f5f1)
080566e0  6008 str r0, [r1, #0x0]
080566e2  4669 mov r1, sp
080566e4  2000 mov r0, #0x0
080566e6  7008 strb r0, [r1, #0x0]
080566e8  4668 mov r0, sp
080566ea  f000 bl $08056e5c
080566ee  f0bb bl $08112364
080566ee  f0bb bl $08112364
080566f2  f000 bl $08056a04
080566f6  4807 ldr r0, [$08056714] (=$08056535)
080566f8  f7ff bl $080565e0
080566fc  4806 ldr r0, [$08056718] (=$080565b5)
080566fe  f7a9 bl $08000544
08056702  b001 add sp, #0x4
08056704  bc01 pop {r0}
08056706  4700 bx r0

Was right at the end of the whiteout routine, which I wasn't expecting. Still looking for the other parts.

[knizz]

Here's what the code looks like from my perspecive:

Spoiler:

Code:

080566A4 @ =============== S U B R O U T I N E =======================================
080566A4
080566A4
080566A4 c2_whiteout_maybe:                      @ DATA XREF: sub_0807FB40+2Ao
080566A4                                         @ sub_0807FB40:off_0807FB7Co ...
080566A4
080566A4 var_8           = -8
080566A4
080566A4                 PUSH    {LR}
080566A6                 SUB     SP, SP, #4
080566A8                 LDR     R1, =callback1
080566AA                 MOVS    R0, 0x438
080566AE                 ADDS    R1, R1, R0
080566B0                 LDRB    R0, [R1]
080566B2                 ADDS    R0, #1
080566B4                 STRB    R0, [R1]
080566B6                 LSLS    R0, R0, #0x18
080566B8                 LSRS    R0, R0, #0x18
080566BA                 CMP     R0, #0x77
080566BC                 BLS     loc_08056702
080566BE                 BL      sub_080569BC
080566C2                 BL      sub_08071A94
080566C6                 BL      clear_flag_x800_2
080566CA                 BL      sub_08054BC8
080566CE                 MOVS    R0, #2
080566D0                 BL      sub_080559F8
080566D4                 BL      script_start_3
080566D8                 BL      script_pause
080566DC                 LDR     R1, =unk_03005020
080566DE                 LDR     R0, =(run_c3_whiteout+1)
080566E0                 STR     R0, [R1]
080566E2                 MOV     R1, SP
080566E4                 MOVS    R0, #0
080566E6                 STRB    R0, [R1,#8+var_8]
080566E8                 MOV     R0, SP
080566EA                 BL      sub_08056E5C
080566EE                 BL      sub_08112364
080566F2                 BL      sub_08056A04
080566F6                 LDR     R0, =(c1_overworld+1)
080566F8                 BL      set_callback1
080566FC                 LDR     R0, =(c2_overworld+1) @ func
080566FE                 BL      set_callback2
08056702
08056702 loc_08056702:                           @ CODE XREF: c2_whiteout_maybe+18j
08056702                 ADD     SP, SP, #4
08056704                 POP     {R0}
08056706                 BX      R0
08056706 @ End of function c2_whiteout_maybe
08056706
08056706 @ ---------------------------------------------------------------------------

run_c3_whiteout:

Code:

0807F5F0 @ =============== S U B R O U T I N E =======================================
0807F5F0
0807F5F0
0807F5F0 run_c3_whiteout:                        @ DATA XREF: c2_whiteout_maybe+3Ao
0807F5F0                                         @ ROM:off_08056710o
0807F5F0                 PUSH    {LR}
0807F5F2                 BL      script_play
0807F5F6                 BL      fill_unfaded_pal
0807F5FA                 LDR     R0, =(c3_whiteout+1)
0807F5FC                 MOVS    R1, #0xA
0807F5FE                 BL      add_to_callback3_list
0807F602                 LSLS    R0, R0, #0x18
0807F604                 LSRS    R0, R0, #0x18
0807F606                 LDR     R2, =callback3
0807F608                 LSLS    R1, R0, #2
0807F60A                 ADDS    R1, R1, R0
0807F60C                 LSLS    R1, R1, #3
0807F60E                 ADDS    R1, R1, R2
0807F610                 MOVS    R0, #0
0807F612                 STRH    R0, [R1,#c3entry.args.arg1]
0807F614                 POP     {R0}
0807F616                 BX      R0
0807F616 @ End of function run_c3_whiteout
0807F616
0807F616 @ ---------------------------------------------------------------------------

c3_whiteout:

Code:

0807F45C @ =============== S U B R O U T I N E =======================================
0807F45C
0807F45C
0807F45C c3_whiteout:                            @ DATA XREF: run_c3_whiteout+Ao
0807F45C                                         @ ROM:off_0807F618o
0807F45C                 PUSH    {R4-R7,LR}
0807F45E                 LSLS    R0, R0, #0x18
0807F460                 LSRS    R6, R0, #0x18
0807F462                 LDR     R1, =callback3
0807F464                 LSLS    R0, R6, #2
0807F466                 ADDS    R0, R0, R6
0807F468                 LSLS    R0, R0, #3
0807F46A                 ADDS    R0, R0, R1
0807F46C                 MOVS    R2, #c3entry.args.arg1
0807F46E                 LDRSH   R0, [R0,R2]
0807F470                 MOVS    R2, R1
0807F472                 CMP     R0, #6
0807F474                 BLS     loc_0807F478
0807F476                 B       loc_0807F5E4
0807F478 @ ---------------------------------------------------------------------------
0807F478
0807F478 loc_0807F478:                           @ CODE XREF: c3_whiteout+18j
0807F478                 LSLS    R0, R0, #2
0807F47A                 LDR     R1, =off_0807F48C
0807F47C                 ADDS    R0, R0, R1
0807F47E                 LDR     R0, [R0]
0807F480                 MOV     PC, R0
0807F480 @ ---------------------------------------------------------------------------
0807F482                 .byte    0
0807F483                 .byte    0
0807F484 off_0807F484:   .long callback3         @ DATA XREF: c3_whiteout+6r
0807F488 off_0807F488:   .long off_0807F48C      @ DATA XREF: c3_whiteout+1Er
0807F48C off_0807F48C:   .long loc_0807F4A8,loc_0807F538,loc_0807F588@ 0
0807F48C                                         @ DATA XREF: c3_whiteout+1Eo
0807F48C                                         @ c3_whiteout:off_0807F488o
0807F48C                 .long loc_0807F5B6,loc_0807F540,loc_0807F588@ 3
0807F48C                 .long loc_0807F5D0      @ 6
0807F4A8 @ ---------------------------------------------------------------------------
0807F4A8
0807F4A8 loc_0807F4A8:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F4A8                 LDR     R0, =unk_083C68E4
0807F4AA                 BL      textbox_mega_func
0807F4AE                 LSLS    R0, R0, #0x18
0807F4B0                 LSRS    R5, R0, #0x18
0807F4B2                 LDR     R1, =callback3
0807F4B4                 LSLS    R4, R6, #2
0807F4B6                 ADDS    R0, R4, R6
0807F4B8                 LSLS    R0, R0, #3
0807F4BA                 ADDS    R7, R0, R1
0807F4BC                 STRH    R5, [R7,#0xA]
0807F4BE                 MOVS    R0, #0xF0
0807F4C0                 BL      sub_080F77CC
0807F4C4                 MOVS    R0, R5
0807F4C6                 MOVS    R1, #0
0807F4C8                 BL      sub_0800445C
0807F4CC                 MOVS    R0, R5
0807F4CE                 BL      sub_08003FA0
0807F4D2                 MOVS    R0, R5
0807F4D4                 MOVS    R1, #3
0807F4D6                 BL      sub_08003F20
0807F4DA                 MOVS    R0, #1
0807F4DC                 BL      sub_080BFCB0
0807F4E0                 MOVS    R3, R0
0807F4E2                 LDR     R0, =saveblock1
0807F4E4                 LDR     R2, [R0]
0807F4E6                 LDRH    R0, [R2,#0x1C]
0807F4E8                 LDRH    R5, [R3]
0807F4EA                 CMP     R0, R5
0807F4EC                 BNE     loc_0807F524
0807F4EE                 MOVS    R1, #0x1E
0807F4F0                 LDRSB   R1, [R2,R1]
0807F4F2                 MOVS    R0, #1
0807F4F4                 NEGS    R0, R0
0807F4F6                 CMP     R1, R0
0807F4F8                 BNE     loc_0807F524
0807F4FA                 MOVS    R0, #0x20
0807F4FC                 LDRSH   R1, [R2,R0]
0807F4FE                 MOVS    R5, #2
0807F500                 LDRSH   R0, [R3,R5]
0807F502                 CMP     R1, R0
0807F504                 BNE     loc_0807F524
0807F506                 MOVS    R0, #0x22
0807F508                 LDRSH   R1, [R2,R0]
0807F50A                 MOVS    R2, #4
0807F50C                 LDRSH   R0, [R3,R2]
0807F50E                 CMP     R1, R0
0807F510                 BNE     loc_0807F524
0807F512                 MOVS    R0, #4
0807F514                 STRH    R0, [R7,#c3entry.args.arg1]
0807F516                 B       loc_0807F5E4
0807F516 @ ---------------------------------------------------------------------------
0807F518 off_0807F518:   .long unk_083C68E4      @ DATA XREF: c3_whiteout:loc_0807F4A8r
0807F51C off_0807F51C:   .long callback3         @ DATA XREF: c3_whiteout+56r
0807F520 off_0807F520:   .long saveblock1        @ DATA XREF: c3_whiteout+86r
0807F524 @ ---------------------------------------------------------------------------
0807F524
0807F524 loc_0807F524:                           @ CODE XREF: c3_whiteout+90j
0807F524                                         @ c3_whiteout+9Cj ...
0807F524                 LDR     R0, =callback3
0807F526                 ADDS    R1, R4, R6
0807F528                 LSLS    R1, R1, #3
0807F52A                 ADDS    R1, R1, R0
0807F52C                 MOVS    R0, #1
0807F52E                 STRH    R0, [R1,#c3entry.args.arg1]
0807F530                 B       loc_0807F5E4
0807F530 @ ---------------------------------------------------------------------------
0807F532                 .byte    0
0807F533                 .byte    0
0807F534 off_0807F534:   .long callback3         @ DATA XREF: c3_whiteout:loc_0807F524r
0807F538 @ ---------------------------------------------------------------------------
0807F538
0807F538 loc_0807F538:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F538                 LDR     R1, =a1ScurriedToAPokMonCenterProtec @ "?1 scurried to a POK\x1BMON CENTER, protec"...
0807F53A                 B       loc_0807F542
0807F53A @ ---------------------------------------------------------------------------
0807F53C off_0807F53C:   .long a1ScurriedToAPokMonCenterProtec
0807F53C                                         @ DATA XREF: c3_whiteout:loc_0807F538r
0807F53C                                         @ "?1 scurried to a POK\x1BMON CENTER, protec"...
0807F540 @ ---------------------------------------------------------------------------
0807F540
0807F540 loc_0807F540:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F540                 LDR     R1, =a1ScurriedBackHomeProtectingThe @ "?1 scurried back home, protecting the e"...
0807F542
0807F542 loc_0807F542:                           @ CODE XREF: c3_whiteout+DEj
0807F542                 MOVS    R0, R6
0807F544                 MOVS    R2, #2
0807F546                 MOVS    R3, #8
0807F548                 BL      sub_0807F3A4
0807F54C                 LSLS    R0, R0, #0x18
0807F54E                 CMP     R0, #0
0807F550                 BEQ     loc_0807F5E4
0807F552                 LDR     R0, =walkrun_state
0807F554                 LDRB    R1, [R0,#walkrun.npcid]
0807F556                 LSLS    R0, R1, #3
0807F558                 ADDS    R0, R0, R1
0807F55A                 LSLS    R0, R0, #2
0807F55C                 LDR     R1, =npc_states
0807F55E                 ADDS    R0, R0, R1
0807F560                 MOVS    R1, #2
0807F562                 BL      sub_0805F218
0807F566                 LDR     R1, =callback3
0807F568                 LSLS    R0, R6, #2
0807F56A                 ADDS    R0, R0, R6
0807F56C                 LSLS    R0, R0, #3
0807F56E                 ADDS    R0, R0, R1
0807F570                 LDRH    R1, [R0,#8]
0807F572                 ADDS    R1, #1
0807F574                 STRH    R1, [R0,#8]
0807F576                 B       loc_0807F5E4
0807F576 @ ---------------------------------------------------------------------------
0807F578 off_0807F578:   .long a1ScurriedBackHomeProtectingThe
0807F578                                         @ DATA XREF: c3_whiteout:loc_0807F540r
0807F578                                         @ "?1 scurried back home, protecting the e"...
0807F57C off_0807F57C:   .long walkrun_state     @ DATA XREF: c3_whiteout+F6r
0807F580 off_0807F580:   .long npc_states        @ DATA XREF: c3_whiteout+100r
0807F584 off_0807F584:   .long callback3         @ DATA XREF: c3_whiteout+10Ar
0807F588 @ ---------------------------------------------------------------------------
0807F588
0807F588 loc_0807F588:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F588                 LSLS    R4, R6, #2
0807F58A                 ADDS    R4, R4, R6
0807F58C                 LSLS    R4, R4, #3
0807F58E                 ADDS    R4, R4, R2
0807F590                 LDRB    R5, [R4,#0xA]
0807F592                 MOVS    R0, R5
0807F594                 BL      sub_080040B8
0807F598                 MOVS    R0, R5
0807F59A                 MOVS    R1, #1
0807F59C                 BL      sub_08003F20
0807F5A0                 MOVS    R0, R5
0807F5A2                 BL      sub_08003E3C
0807F5A6                 BL      fill_unfaded_pal
0807F5AA                 BL      sub_0807DC00
0807F5AE                 LDRH    R0, [R4,#8]
0807F5B0                 ADDS    R0, #1
0807F5B2                 STRH    R0, [R4,#8]
0807F5B4                 B       loc_0807F5E4
0807F5B6 @ ---------------------------------------------------------------------------
0807F5B6
0807F5B6 loc_0807F5B6:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F5B6                 BL      sub_0807E418
0807F5BA                 CMP     R0, #1
0807F5BC                 BNE     loc_0807F5E4
0807F5BE                 MOVS    R0, R6
0807F5C0                 BL      sub_08077508
0807F5C4                 LDR     R0, =scr_081A8D97
0807F5C6                 BL      script_start_1
0807F5CA                 B       loc_0807F5E4
0807F5CA @ ---------------------------------------------------------------------------
0807F5CC off_0807F5CC:   .long scr_081A8D97      @ DATA XREF: c3_whiteout+168r
0807F5D0 @ ---------------------------------------------------------------------------
0807F5D0
0807F5D0 loc_0807F5D0:                           @ DATA XREF: c3_whiteout:off_0807F48Co
0807F5D0                 BL      sub_0807E418
0807F5D4                 CMP     R0, #1
0807F5D6                 BNE     loc_0807F5E4
0807F5D8                 MOVS    R0, R6
0807F5DA                 BL      sub_08077508
0807F5DE                 LDR     R0, =scr_081A8DD8
0807F5E0                 BL      script_start_1
0807F5E4
0807F5E4 loc_0807F5E4:                           @ CODE XREF: c3_whiteout+1Aj
0807F5E4                                         @ c3_whiteout+BAj ...
0807F5E4                 POP     {R4-R7}
0807F5E6                 POP     {R0}
0807F5E8                 BX      R0
0807F5E8 @ End of function c3_whiteout
0807F5E8
0807F5E8 @ ---------------------------------------------------------------------------

scr_081A8D97:

Code:

081A8D97 scr_081A8D97:   .byte lockall           @ DATA XREF: c3_whiteout+168o
081A8D97                                         @ c3_whiteout:off_0807F5CCo
081A8D98                 .byte change_text_color
081A8D99                 .byte 1
081A8D9A                 .byte load_message
081A8D9B                 .byte 0
081A8D9C                 .long aFirstYouShouldRestoreYourPokMo @ "First, you should restore your POK\x1BMON "...
081A8DA0                 .byte callstd
081A8DA1                 .byte 4
081A8DA2                 .byte call
081A8DA3                 .long scr_081A65CE
081A8DA7                 .byte checkflag
081A8DA8                 .short 0x4B0
081A8DAA                 .byte if_call
081A8DAB                 .byte 0
081A8DAC                 .long scr_081A8DC6
081A8DB0                 .byte checkflag
081A8DB1                 .short 0x4B0
081A8DB3                 .byte if_call
081A8DB4                 .byte 1
081A8DB5                 .long scr_081A8DCF
081A8DB9                 .byte execute_movement
081A8DBA                 .short 0x800F
081A8DBC                 .long unk_081A666C
081A8DC0                 .byte waitmove
081A8DC1                 .short 0
081A8DC3                 .byte fade_to_default
081A8DC4                 .byte release
081A8DC5                 .byte end
081A8DC6 scr_081A8DC6:   .byte load_message      @ DATA XREF: ROM:081A8DACo
081A8DC7                 .byte 0
081A8DC8                 .long aYourPokMonHaveBeenHealedToPerf @ "Your POK\x1BMON have been healed to perfec"...
081A8DCC                 .byte callstd
081A8DCD                 .byte 4
081A8DCE                 .byte return
081A8DCF scr_081A8DCF:   .byte load_message      @ DATA XREF: ROM:081A8DB5o
081A8DD0                 .byte 0
081A8DD1                 .long aYourPokMonHaveBeenHealedToPe_0 @ "Your POK\x1BMON have been healed to perfec"...
081A8DD5                 .byte callstd
081A8DD6                 .byte 4
081A8DD7                 .byte return
...
081A65CE scr_081A65CE:   .byte execute_movement  @ DATA XREF: ROM:081A8DA3o
081A65CF                 .short 0x800F
081A65D1                 .long unk_081A75E7
081A65D5                 .byte waitmove
081A65D6                 .short 0
081A65D8                 .byte execute_HM
081A65D9                 .short 0x19
081A65DB                 .byte checkarray_HM_animation
081A65DC                 .short 0x19
081A65DE                 .byte execute_movement
081A65DF                 .short 0x800F
081A65E1                 .long unk_081A75ED
081A65E5                 .byte waitmove
081A65E6                 .short 0
081A65E8                 .byte special_call
081A65E9                 .short 0
081A65EB                 .byte return

scr_081A8DD8:

Code:

081A8DD8 scr_081A8DD8:   .byte lockall           @ DATA XREF: c3_whiteout+182o
081A8DD8                                         @ ROM:off_0807F5ECo
081A8DD9                 .byte change_text_color
081A8DDA                 .byte 1
081A8DDB                 .byte execute_movement
081A8DDC                 .short 1
081A8DDE                 .long unk_081A75ED
081A8DE2                 .byte waitmove
081A8DE3                 .short 0
081A8DE5                 .byte load_message
081A8DE6                 .byte 0
081A8DE7                 .long aMom1WelcomeHome__itSoundsLikeY @ "MOM: ?1! Welcome home._It sounds like y"...
081A8DEB                 .byte callstd
081A8DEC                 .byte 4
081A8DED                 .byte call
081A8DEE                 .long scr_081A6C26
081A8DF2                 .byte load_message
081A8DF3                 .byte 0
081A8DF4                 .long aMomOhGoodYouAndYourPokMonAreLo @ "MOM: Oh, good! You and your POK\x1BMON are"...
081A8DF8                 .byte callstd
081A8DF9                 .byte 4
081A8DFA                 .byte fade_to_default
081A8DFB                 .byte release
081A8DFC                 .byte end
...
081A6C26 scr_081A6C26:   .byte screen_special_effect @ DATA XREF: ROM:081A8DEEo
081A6C27                 .byte 1
081A6C28                 .byte play_fanfare
081A6C29                 .short 0x100
081A6C2B                 .byte wait_fanfare
081A6C2C                 .byte special_call
081A6C2D                 .short 0
081A6C2F                 .byte screen_special_effect
081A6C30                 .byte 0
081A6C31                 .byte return

[NintendoBoyDX]

Quote:

Originally Posted by diegoisawesome

Hm... Turns out, the checkflag routine (the actual one that does the calculations) is run a lot of times in the OW (I know, duh, the people event flags) so I got the flag location (or at least, the memory pointer to it). In Emerald, it's at the address pointed at by 0x03005D8C plus 0x1270.
Now, I have to find the bit that designates the badge flags..
EDIT: 0x0809C7EC in Emerald contains the surf-check-routine... at least for the tile. I'm not sure about the PKMN menu one.
EDIT2: 0x081B54E8 (again, in Emerald) contains the badge-check-routine for the menu. I'm trying to find out where the numbers to add to the first badge are obtained from...
EDIT3: Well, apparently they're loaded from 0x02000020, but I can't find how it gets the value...
Anybody, feel free to help me out with this. :/
EDIT4: Well, I hacked the routine and made it load different flag numbers for each of the old badge+base number. And it works! :D
To get all of the flags to work out on the field, however, you'll need to edit all of the scripts for, say, Rock Smash, Strength, and Cut so that they have the new flags. And then you'll need to hack the surf routine, like I said above.
Also, with the Set Disobedience findings, all we need to control the badges completely is to find out where the Attack/Defense... stats are increased.Even though that doesn't matter much, it would still be cool to be able to control the badges completely.

Do you or anyone else have the addresses for the seven HM routines and the badge check routine for the menu in FR? Been searching for a while and can't find them, if they are found I'd guess it'd be simple enough to make all HMs usable without giving the badges.

[diegoisawesome]

Quote:

Originally Posted by altariaking

JPAN already did it xD
http://www.pokecommunity.com/showpos...1&postcount=24

I think what he means is something similar to the routine I found in Emerald; the one that checks for flags before allowing the move to be used from the menu. What you have posted, however, is NOT what he's looking for.

[NintendoBoyDX]

Exactly, I've been looking for the routine to checks the badge/HM flags in the menu, then allows you to use them if they are set. That way all that need be done is skip that check and allow use of HMs no matter if the flags are set or not. The problem is that because flags are DMA protected I can't simply set a break on read on their addresses. I've been looking for some sort of routine to calculate their locations, but I haven't been able to find anything.

EDIT: I've allowed menu use of all HMs without needing any badges(not quite sure exactly why it works), but haven't found a way to allow "quick" use by just pressing the A button to use surf or waterfall. Flash and fly don't need quick use, and I'm assuming that the scripts will take care of quick use for cut, rock smash, and strength.

EDIT 2: Found the surf check routine, and made a hack to allow "quick command" surfing even before the command is set, I just skip a check if the player has the correct flag set.

As a sidenote, each of these routines loads a flag like a variable, then calls 0x0806e6d0(passing r0 as an argument, for example, flag 720 would be 00000720), I believe this calculates addresses of flags then stores it's bit , but don't quote me on this.

EDIT 3: Did the same as in the 2nd edit for waterfall. It's now completely functional, allowing use of any HM before you receive any badge, and allowing "quick" use of waterfall and surf by pressing the A button at a waterfall or water respectively.

[shiny quagsire]

Has anyone managed to hack what gym badges are linked to which HMs? It's always bugged me, and I still haven't been able to locate this.

[diegoisawesome]

Quote:

Originally Posted by shiny quagsire

Has anyone managed to hack what gym badges are linked to which HMs? It's always bugged me, and I still haven't been able to locate this.

In Emerald? I have; search this thread for the info.

[TheDarkShark]

Quote:

Originally Posted by NintendoBoyDX

Exactly, I've been looking for the routine to checks the badge/HM flags in the menu, then allows you to use them if they are set. That way all that need be done is skip that check and allow use of HMs no matter if the flags are set or not. The problem is that because flags are DMA protected I can't simply set a break on read on their addresses. I've been looking for some sort of routine to calculate their locations, but I haven't been able to find anything.

EDIT: I've allowed menu use of all HMs without needing any badges(not quite sure exactly why it works), but haven't found a way to allow "quick" use by just pressing the A button to use surf or waterfall. Flash and fly don't need quick use, and I'm assuming that the scripts will take care of quick use for cut, rock smash, and strength.

EDIT 2: Found the surf check routine, and made a hack to allow "quick command" surfing even before the command is set, I just skip a check if the player has the correct flag set.

As a sidenote, each of these routines loads a flag like a variable, then calls 0x0806e6d0(passing r0 as an argument, for example, flag 720 would be 00000720), I believe this calculates addresses of flags then stores it's bit , but don't quote me on this.

EDIT 3: Did the same as in the 2nd edit for waterfall. It's now completely functional, allowing use of any HM before you receive any badge, and allowing "quick" use of waterfall and surf by pressing the A button at a waterfall or water respectively.

How about sharing info what you changed to make this work?

[shiny quagsire]

Quote:

Originally Posted by diegoisawesome

In Emerald? I have; search this thread for the info.

No, in Fire Red version. I'm not much of an emerald hacker. :\

[Team Fail]

So, today, I've been exploring a Pokemon Diamond rom looking for something specific. I never did find it, but I've come across some rather interesting things.

1. overlay_0013.bin

Code:

NINTENDO-DS.€....................................................................Ý!.ÙÜ!.....À¨.°ÿÿÿ.À¨.ÈÀ¨. ........................................ˆø#.............WARP....char/jtNull.nsc.l...char/jb2HlAp.nsc.l..char/jb4HlIp.nsc.l..char/jb4HlWep.nsc.l.char/jb4HlUsb.nsc.l.char/jb4HlDns1.nsc.l....char/jb4HlSsid.nsc.l....char/jb5HlMove.nsc.l....char/jb2HlWiFi.nsc.l....char/jb5HlInfo.nsc.l....char/jb4HlMask.nsc.l....char/jb4HlSet2.nsc.l....char/jb4HlDns0.nsc.l....char/jb4HlSet3.nsc.l....char/jb4HlSet1.nsc.l....char/jb3HlList1.nsc.l...char/jb3HlList2.nsc.l...char/jb3HlList3.nsc.l...char/jb5HlErase.nsc.l...char/jb5HlOption.nsc.l..char/jb4HlGateway.nsc.l.àù#.Hù#.ˆú#. ú#.¸ú#.pú#.(ú#.Xú#.„ù#.°ù#.pù#.\ù#..ú#..û#.@ú#.˜ù#.èú#.øù#.Ðú#.Èù#.char/jbBgHl.ncg.l....ü#.¤û#.Ôû#.4ü#.˜ü#.üü#.................!@#$%^&*()_+QWERTYUIOP{}ASDFGHJKL:"~ZXCVBNM<>?|.1234567890-=QWERTYUIOP[]ASDFGHJKL;'`ZXCVBNM,./\.1234567890-=qwertyuiop[]asdfghjkl;'`zxcvbnm,./\.1.2.3.4.5.6.7.8.9.0.-.=.q.w.e.r.t.y.u.i.o.p.[.].a.s.d.f.g.h.j.k.l.;.'.`.z.x.c.v.b.n.m.,.../.\. .....!.@.#.$.%.^.&.*.(.)._.+.Q.W.E.R.T.Y.U.I.O.P.{.}.A.S.D.F.G.H.J.K.L.:.".~.Z.X.C.V.B.N.M.<.>.?.|. .....1.2.3.4.5.6.7.8.9.0.-.=.Q.W.E.R.T.Y.U.I.O.P.[.].A.S.D.F.G.H.J.K.L.;.'.`.Z.X.C.V.B.N.M.,.../.\. .....dwc:/move/child.srl.dwc:/move/banner.plt....dwc:/move/banner.char...`ý#.........Œý#.tý#.Y.......msg/spa.bmg.l...msg/jap.bmg.l...msg/ger.bmg.l...msg/fre.bmg.l...msg/eng.bmg.l...msg/ita.bmg.l...Ðý#..þ#.ðý#.àý#..þ#.Àý#.msg/usa.bmg.l...char/jtMain.nce.l...char/jbMain.nce.l...char/jtBgMain.ncg.l.char/jtBgMain.ncl.l.char/jtObjMain.ncg.l....char/xtObjMain.ncl.l....char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jbObjMain.ncg.l....char/ybObjMain.ncl.l....char/jtTop.nsc.l....char/jtStep1.nsc.l..char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jb2Menu.nsc.l..char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X.-.%.0.2.X...%.0.4.d.-.%.0.4.d.-.%.0.4.d.-.%.0.4.d...-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-...char/jb5Info.nsc.l..char/jbBgOption.ncg.l...char/jb5OptMenu.nsc.l...char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/yb5Multi.nsc.l.char/jb5Move.nsc.l..char/yb5Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/jb4ApList.nsc.l....char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Edit.nsc.l..char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4EditAddr.nsc.l..  0.%.d.....char/jb4Error.nsc.l.%.3.d...%.3.d...%.3.d...%.3.d...char/ybObjMain.ncl.l....char/ybObjKb.ncl.l..char/jbBgStep2.ncg.l....char/jbBgStep21.ncg.l...char/jb3List.nsc.l..char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4None.nsc.l..char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/ybObjMain.ncl.l....char/ybObjWay.ncl.l.char/jbBgStep1.ncg.l....char/jbBgStep1.ncl.l....char/jb2Ap.nsc.l....char/jbBgStep2.ncg.l....char/ybBgStep2.ncl.l....char/jb3Way.nsc.l...char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/xb4Multi.nsc.l.char/xb4Multi.nsc.l.char/xb4None.nsc.l..char/xb4Multi.nsc.l.char/jbBgStep2.ncg.l....char/ybBgStep2.ncl.l....char/xb3Multi.nsc.l.char/jbBgStep3.ncg.l....char/ybBgStep3.ncl.l....char/jb4Usb.nsc.l...%3d%3d%3d%3d....sound/sound_data.sdat.l.char/jtTop.nsc.l....char/jtStep1.nsc.l..char/jtStep2.nsc.l..char/jtStep3.nsc.l..char/jtOption.nsc.l...$...$.0.$.D.$.ô.$.DWCi_MOV_WH_SYSSTATE_STOP...DWCi_MOV_WH_SYSSTATE_IDLE...DWCi_MOV_WH_SYSSTATE_BUSY...DWCi_MOV_WH_SYSSTATE_ERROR..DWCi_MOV_WH_SYSSTATE_SCANNING...DWCi_MOV_WH_SYSSTATE_CONNECTED..DWCi_MOV_WH_SYSSTATE_KEYSHARING.DWCi_MOV_WH_SYSSTATE_DATASHARING....DWCi_MOV_WH_SYSSTATE_CONNECT_FAIL...DWCi_MOV_WH_SYSSTATE_MEASURECHANNEL.l.$.ˆ.$.Ü.$.¤.$.ü.$.<.$...$.„.$.`.$.À.$.already DWCi_MOV_WH_SYSSTATE_IDLE...DWCi_MOV_WH_Finalize, state = %d....DWCi_MOV_WH_StepDataSharing - Warning No Child..DWCi_MOV_WH_StepDataSharing - Warning No DataSet....recv buffer size = %d...send buffer size = %d...unknown connect mode %d.....decided channel = %d....channel %d bratio = %x..unknown indicate, state = %d....DWCi_MOV_WH_StateInEndParent failed.....DWCi_MOV_WH_StateInStartParentKeyShare failed...StartParent - new child (aid %x) connected..StartParent - child (aid %x) disconnected...%s -> ..%s...l..rom:/...rom:/dwc/utility.bin....%s:/......$...$.msg/lc_m.NFTR.l.msg/lc_s.NFTR.l.........................

It seems there are debugging settings here, and some other various things.

2. overlay_0028.bin

Code:

icon[%d] REF[%d]....------------.... icon[%d] Default... icon[%d] ReaLike... icon[%d] ReaHate... icon[%d] TcgLike... icon[%d] TchHate... icon[%d] Reset!!.......

I don't get what this could be fore, but RESET!! looks interesting.

3. overlay_0065.bin

Code:

data/porucase_pal.resdat....data/porucase_chr.resdat....data/porucase_canm.resdat...data/porucase_cell.resdat...data/porucase_celact.cldat

There are no files like this anywhere in the game. Could be either save data, temporary files, or unused files.

4. overlay_0066.bin

Code:

data/tmap_block.dat.data/tmapn_pal.resdat...data/tmapn_chr.resdat...data/tmapn_canm.resdat..data/tmapn_cell.resdat..data/tmapn_celact.cldat

Same as overlay_0065.bin.

5. overlay_0074.bin

Code:

data/btower_pal.resdat..data/btower_chr.resdat..data/btower_cell.resdat.data/btower_canm.resdat.data/btower_celact.cldat

Same as above.

6. overlay_0079.bin

Code:

AdeqWo3voLeC5r16DYv....&hash=..&data=..error: check sum      ..error: pid            ..error: data length    ..error: token not found..error: token expired  ..error: incorrect hash ..%s?pid=%d...bufferIn != NULL....ghttpBuffer.c...len != NULL.buffer..%d..: ......data....dataLen >= 0....connection->encryptor.mEngine != GHTTPEncryptionEngine_None.connection..userBuffer..size > 0....initialSize > 0.sizeIncrement > 0...connection..ghttpCallbacks.c....ú...}...connection..ghttpConnection.c...connection->redirectURL.request >= 0....request < ghiConnectionsLen.connection->request >= 0....connection->request < ghiConnectionsLen.connection->inUse...ghiNumConnections == ghiConnectionsLen..ghttpMain.c.URL && URL[0]...bufferSize >= 0.!buffer || bufferSize...connection..ghiRequestToConnection(connection->request) == connection...connection..ghttpPost.c.connection->post....connection->postingState.states.ArrayLength(connection->post->data) == ArrayLength(connection->postingState.states).connection->postingState.index >= 0.connection->postingState.index <= ArrayLength(connection->postingState.states)..postState...connection->completed && connection->result...--Qr4G823s23d---<<><><<<>--7d118e0536--...state->data->type == GHIString..%s=.&%s=....--Qr4G823s23d---<<><><<<>--7d118e0536.....--Qr4G823s23d---<<><><<<>--7d118e0536.....%sContent-Disposition: form-data; name="%s".....%sContent-Disposition: form-data; name="%s"; filename="%s"..Content-Type: %s........0...state->data->type == GHIFileMemory..state->pos >= 0.state->pos < state->data->data.fileMemory.len...state->pos < state->state.fileDisk.len..state->pos == (int)ftell(state->state.fileDisk.file)....state->pos < state->data->data.string.len...abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@-.*.(c / 16) < 16...0123456789ABCDEF....post....--Qr4G823s23d---<<><><<<>--7d118e0536...state...data->type == GHIString.....multipart/form-data; boundary=Qr4G823s23d---<<><><<<>--7d118e0536...application/x-www-form-urlencoded...............Location:...http://%s:%d%s..Content-Length:.Transfer-Encoding: chunked..connection..ghttpProcess.c..data....len > 0.0...len >= 0....len.%x......connection->recvBuffer.len > 0..HTTP/%d.%d %d%n.connection->completed && connection->result.POST ...HEAD ...GET .... HTTP/1.1...Host....Host: ..User-Agent..GameSpyHTTP/1.0.Connection..Keep-Alive..close...%d..Content-Length..Content-Type....https://....connection->URL.http://.:/../.......

Could be used for accessing online functions. And what is this I see? GameSpy?

7. overlay_0080.bin

Code:

http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/post.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/post_finish.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/get.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/result.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/delete.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/return.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/search.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/exchange.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/exchange_finish.asp.http://gamestats2.gs.nintendowifi.net/pokemondpds/worldexchange/info.asp

These must be for online accessing, like Mystery Gift, and the GTS.

8. overlay_0082.bin

Code:

http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/roomnum.asp...http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/download.asp..http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/upload.asp....http://gamestats2.gs.nintendowifi.net/pokemondpds/battletower/info.asp

They must use a gamestats server for their data.

9. overlay_0083.bin

Code:

`...AXVJ....AXVE....AXVF....AXVD....AXVS....AXVI....AXPJ....AXPE....AXPF....AXPD....AXPS....AXPI....BPRJ....BPRE....BPRF....BPRD....BPRS....BPRI....BPGJ....BPGE....BPGF....BPGD....BPGS....BPGI....BPEJ....BPEE....BPEF....BPED....BPES....BPEI

These must be internal names for the Pal Park function and any other GBA insertion.

Code:

EB5BEC5BED5BEE5BEF5BEG5BEH5BEI5BEJ5BEK5BEL5BEM5BEP5BEQ5BER5BES5BET5BEU5BEV5BEW5B....mywh_SYSSTATE_IDLE..mywh_SYSSTATE_BUSY..mywh_SYSSTATE_STOP..mywh_SYSSTATE_ERROR.mywh_SYSSTATE_SCANNING..mywh_SYSSTATE_CONNECTED.mywh_SYSSTATE_KEYSHARING....mywh_SYSSTATE_DATASHARING...mywh_SYSSTATE_CONNECT_FAIL..mywh_SYSSTATE_MEASURECHANNEL.....·#.ð¶#.@·#..·#.X·#.Œ·#.p·#.Ä·#.¨·#.,·#.%s -> ..%s..not my parent ggid (%d != %d)...ADAE....Sx439tCkbrWyR8X2................

This, I don't even know...

10. overlay_0084.bin (This one is full of goodies!)

Code:

Wayport2FREESPOTNINTENDOWFC

lolwut?

Code:

Content-Disposition: form-data; name="..Content-Type: application/octet-stream..Content-Transfer-Encoding: binary....Êš;.áõ.€–˜.@B.. †...'..è...d...................pokemondpds.1vTlwb..о ..................... N..https://nas.test.nintendowifi.net/ac....acctcreate..action..login...gsbrcd..Y...iswfc...ingamesn....Date....httpresult..returncd....token...locator.challenge...datetime....Set-Cookie..ALLOC bmwork....FREE bmwork.https://nas.nintendowifi.net/ac.FREE DWCauth....ALLOC DWCauth...%03d%03d....sdkver..userid..passwd..bssid...apinfo..gamecd..makercd.unitcd..macadr..lang....birth...devtime.devname.ssid....Nitro WiFi SDK/%d.%d....User-Agent..HTTP_X_GAMECD...%013llu.%03u....%02x....%02x%02x....%02d%02d%02d%02d%02d%02d....%02d:0000000-00..Ï .ìÍ .ÌÐ .¨Ñ .„Æ . É ..Ê .ÐÇ .ÔÌ .´Ë .ÌÊ .FREE array_entry[i].label...FREE array_entry[i].value........... ...httpresult..200.....: ..=...&...ALLOC result->entry[i].label....ALLOC result->entry[i].value....FREE result->entry[i].label.FREE result->entry[i].value.http://.https://....:.../...ALLOC newptr....FREE buf->buffer....ALLOC buf->buffer...%s..%s=.&%s=....%s: %s......POST /%s HTTP/1.0..Content-type: application/x-www-form-urlencoded..Host: %s........GET /%s HTTP/1.0..Host: %s......FREE http->lowrecvbuf...FREE http->lowsendbuf...Content-Length: ....Connection..close...%d..Content-Length..ALLOC http->lowrecvbuf..ALLOC http->lowsendbuf..pà .http://conntest.nintendowifi.net/...ALLOC DWCnetcheck->body_302.FREE DWCnetcheck->body_302..ALLOC url...ALLOC data_len..ALLOC wait_len..ALLOC DWCnetcheck->body_wayport.httpresult..https://nas.nintendowifi.net/ac.action..message.HotSpotResponse.FREE DWCnetcheck->body_wayport..parse...HTML....returncd....url.data....wait....FREE url....FREE data...FREE wait...FREE DWChttp....FREE DWCnetcheck....ALLOC DWCnetcheck...ALLOC DWChttp...Dec.Jul.Oct.Sep.Aug.Nov.Jun.May.Apr.Mar.Feb.Jan.LÅ .HÅ .DÅ .@Å .<Å .8Å .$Å .0Å .,Å .(Å .4Å . Å .Fri, 03 Mar 2006 01:28:13 GMT...Date....httpresult..returncd....svchost.servicetoken....statusdata..https://nas.nintendowifi.net/ac.action..SVCLOC..svc.FREE intwork....ALLOC intwork...<Æ .ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

This isn't the first time I've seen the alphabet written. Why is it needed half a million times?

Code:

GlobalSign nv-sa, Root CA, GlobalSign Root

What is it signing?

Code:

IE, Baltimore, CyberTrust, Baltimore CyberTrust Root

This game loves Baltimore for some reason. Baseball, perhaps? XD

Code:

US, GTE Corporation, GTE CyberTrust Solutions, Inc., GTE CyberTrust Global Root.

Code:

US, GTE Corporation, GTE CyberTrust Root.

I have no clue what GTE Cybertrust is.

Code:

US, Washington, Nintendo of America Inc, NOA, Nintendo CA, [email protected]

Why is NoA's email embedded in the game?

Code:

Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Premium Server CA, [email protected]....èÌ .€...hÍ .....ÐÌ .ZA, Western Cape, Cape Town, Thawte Consulting cc, Certification Services Division, Thawte Server CA, [email protected]

No idea.

Code:

gUS, VeriSign, Inc., Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network......,Ï .....ÈÏ ......Ï .US, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only, VeriSign Class 3 Public Primary Certification Authority

Code:

US, VeriSign, Inc., Class 3 Public Primary Certification Authority

Verisign? It sounds familiar.

Code:

US, RSA Data Security, Inc., Secure Server Certification Authority

No idea.

Code:

https://nas.test.nintendowifi.net/ac....https://nas.dev.nintendowifi.net/ac.https://nas.nintendowifi.net/ac.....0000....9000....https:///download...https://%s/download.

This must be used to verify if the game can connect to the internet? IDK.

Code:

I have authorized your request to add me to your list

whatisthisidonteven... have me on any list.

Code:

wc_eval....dwc_pid.numplayers..maxplayers..dwc_mtype...dwc_mresv...dwc_mver........VER.FME.MDF.%s%dv%s.GPCM....MAT./%u.%s = %d and %s != %u and maxplayers = %d and numplayers < %d and %s = %d and %s != %s...%s and (%s).%s = %u.SCM.SCN.Init state..Server full.Unknown connect attempt

maximum players? IDK.

Code:

vailable.gs.nintendowifi.net....fn..darray.c....(n >= 0) && (n < array->count)..comparator..(n >= 0) && (n <= array->count).array...elemSize....array->list.fn..hashtable.c.table...hashFn..compFn..elemSize....nBuckets....table->buckets..%02x........OS_IsTickAvailable() == TRUE....nonport.c...localhost...The connection has already been disconnected....\sesskey\...\final\.No callback.....Invalid message.....Invalid statusString....Invalid locationString..\status\....\statstring\....\locstring\.Invalid status..Invalid index...buddyStatus.gp.c....Invalid reason..\addbuddy\..\newprofileid\..\reason\........Invalid func....(iconnection->connectState == GPI_NOT_CONNECTED) || (iconnection->connectState == GPI_CONNECTING) || (iconnection->connectState == GPI_NEGOTIATING) || (iconnection->connectState == GPI_CONNECTED) || (iconnection->connectState == GPI_DISCONNECTED)..gpi.c...0...CM..There was an error reading from the server..\final\.CMD: %s.....Out of memory...\id\....No matching operation found for id %d...\bm\....\ka\....Received an unrecognized, unsolicited message...The server has closed the connection.........*************.gpiInitialize....Invalid profile.....\delbuddy\..\sesskey\...\delprofileid\..\final\.index >= 0..gpiBuddy.c..iconnection->profileList.numBuddies >= 0....\bm\....\t\.\msg\...Unexpected data was received from the server....\f\.\date\..Out of memory...|signed|....|s|.|ss|....|ls|....|ip|....|p|.|l|.1...\authadd\...\fromprofileid\.\sig\...\msg\...\m\.\len\...outputBuffer != NULL....gpiBuffer.c.len >= 0....pos >= 0....pos <= len..sock != INVALID_SOCKET..inputBuffer != NULL.bytesRead != NULL...connClosed != NULL..Out of memory...There was an error reading from a socket....RECVXXXX(%s): Connection closed.....RECVTOTL(%s): %d....%d..peer->outputBuffer.buffer != NULL...PT..There was an error sending on a socket..SENDXXXX(%s): Connection closed.....string != NULL..stringLen >= 0..data->callback.callback != NULL.gpiCallback.c...data->arg != NULL...Out of memory...iconnection != NULL.result != GP_NO_ERROR...(fatal == GP_FATAL) || (fatal == GP_NON_FATAL)..gpcm.gs.nintendowifi.net........................................\logout\\sesskey\...\final\.CM..The server has refused the connection...state == GPI_CONNECTED..gpiConnect.c....\pid\...\fatal\.\lc\1...Unexpected data was received from the server....\challenge\.\nur\...\userid\....Unexepected data was received from the server...\profileid\.\lc\2...\sesskey\...\uniquenick\....\lt\....%s@%s...%s%s%s%s%s%s....                                                ....\proof\.Could not authenticate server...Out of memory...\newuser\...\email\.\nick\..\passwordenc\...\productid\.\gamename\..\namespaceid\...\cdkeyenc\..\id\1...\login\.\authtoken\.\user\..@...\response\..\firewall\1.\port\..Invalid connection..Invalid firewall....There was an error creating a socket....There was an error making a socket non-blocking.....There was an error binding a socket.....There was an error listening on a socket....There was an error getting a socket's addres....Could not resolve connection mananger host name.....address.sin_addr.s_addr != 0....There was an error connecting a socket..ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789..Out of memory...\getprofile\\sesskey\...\profileid\.\id\....\final\.%d..Invalid info....\birthday\..Invalid value...\nick\..\uniquenick\....\email\.\password\..\firstname\.\lastname\..\homepage\..\zipcode\...Invalid countrycode.....\countrycode\...0...1...2...\sex\...\icquin\....\videocard1string\..\videocard2string\..\osstring\..\aim\...\pic\...\occ\...\ind\...\inc\...\mar\...\chc\...\i1\....Invalid zipcode.....Invalid sex.....\cpubrandid\....\cpuspeed\..\memory\....\videocard1ram\.\videocard2ram\.\connectionid\..\connectionspeed\...\hasnetwork\....\updatepro\\sesskey\....\updateui\\sesskey\.\pi\....Unexpected data was received from the server....profileid > 0...gpiInfo.c...\lon\...\lat\...\loc\...\pmask\.\o1\....\conn\..\sig\...gpiIsValidDate(d, m, y).Invalid date....gpiProcessOperation was passed an operation with an invalid type (%d)...0...gpiOperation.c..iconnection->numSearches >= 0...Out of memory...connection != NULL..*connection != NULL.operation != NULL...peer != NULL....gpiPeer.c.......\len\%d\msg\....transferID..\m\%d\xfer\%d %u %u.message != NULL.\m\.\len\...\msg\...Error connecting to a peer..There was an error creating a socket....There was an error making a socket non-blocking.....There was an error connecting a socket..0...Tried to remove peer not in list....peer->state != GPI_PEER_NOT_CONNECTED...PR..Out of memory...1...peer->state == GPI_PEER_WAITING.\final\.\auth\..\pid\...\nick\..\sig\...%s%d%d..\anack\.\aack\..Error getting buddy authorization...Error parsing buddy message.....id > 0..gpiProfile.c....\npr\...Unexpected data was received from the server....\profileid\.Out of memory...gpsp.gs.nintendowifi.net........................................Out of memory...num < iconnection->numSearches..gpiSearch.c.SM..Could not connect to the search manager.....\search\....\sesskey\...\profileid\.\namespaceid\...\nick\..\uniquenick\....\email\.\firstname\.\lastname\..\icquin\....\skip\..\valid\.\nicks\.\pass\..\pmatch\....\productid\.\check\.\newuser\...\productID\.\cdkey\.\others\....\uniquesearch\..\preferrednick\.0...\gamename\..\final\.There was an error reading from the server..bsrdone.more....bsr.nick....uniquenick..firstname...lastname....email...Error reading from the search server....vr..nr..ndone...psrdone.psr.status..statuscode..cur.\pid\...nur.others..odone...o...first...last....us..usdone..count == arg->numSuggestedNicks.No search criteria..There was an error creating a socket....There was an error making a socket non-blocking.....Could not resolve search mananger host name.....address.sin_addr.s_addr != 0....There was an error connecting a socket..\xfer\..%d %u %u........\version\%d\result\%d...\rn\....Unexpected data was received from the server....Out of memory...buffer != NULL..gpiUtility.c....key != NULL.value != NULL...Parse Error.....Error connecting....There was an error checking for a completed connection..Connection rejected.....Connection accepted.....command != NULL.len > 0.\error\.\err\...\errmsg\....\fatal\.dest != NULL....src != NULL.ÿÿÿÿÜí ..ameSpy3D........rojectAphex....\pauthr\....\getpidr\...\getpdr\....\setpdr\....setpdr..pid.lid.mod.getpdr..length..\data\......getpidr.pauthr..errmsg..\...3b8dd8995f7c40a9a5c5b7dd5b481341....buffer..gt2Auth.c...start <= buffer->len....gt2Buffer.c.shortenBy <= (buffer->len - start)..(buffer->len + len) <= buffer->size.(buffer->len + 2) <= buffer->size...buffer->len < buffer->size..socket..gt2Callback.c...connection..socket && connection....connection..gt2Main.c...þþ..time....len > 0.gt2Message.c........len < GTI2_STACK_HOSTLEN_MAX....gt2Utility.c....%s:%d...%s..:%d.ýü.fj²..natneg1.gs.nintendowifi.net.natneg2.gs.nintendowifi.net.%s.%s...dð .ÿÿÿÿ............................................................................................................................................................................................................................................................................localip%d...localport...natneg..1...0...statechanged....gamename....publicip....publicport..final\\queryid\1.1..unknown.....%s%d....%08X%04X....255.255.255.255.%d..No challenge value was received from the master server..%s.master.gs.nintendowifi.net.......pid_....team_...ping_...score_..team_t..skill_..mapname.deaths_.gamever.player_.score_t.groupid.gamename....hostport....password....hostname....numteams....gamemode....teamplay....gametype....roundtime...fraglimit...timelimit...numplayers..maxplayers..gamevariant.timeelapsed.roundelapsed....teamfraglimit

Have fun reading this.

Code:

\final\.\basic\\info\...\status\....final...queryid.%s%d........ping....server..sb_server.c.%d..\%s..ø .Query Error: ...slist->inbufferlen >= 0.sb_serverlist.c.inlen >= 0..ÿÿÿÿ....0...slist->state == sl_disconnected.....%s.ms%d.gs.nintendowifi.net.slist != NULL...callback != NULL....val != NULL.....àø .€...0ù .....Èø .US, Washington, Nintendo of America Inc, NOA, Nintendo CA, [email protected].³Íy—w]Š¯†¨è×s.w...�öÄrBI½.DhNóÚ.æMØùYˆÜ®>›8.Ê.ÿÜ$¢DxxI“Ô„@.¸ì>Û-“È.Èýx-a.1®†&°ýZ?¡=¿âKIìÎf˜X&.Àûôwe.êûË.àŒË.£N^Œê›Nitro WiFi SDK/%d.%d....Ìø .contents....offset..num.User-Agent..gamecd..rhgamecd....passwd..token...userid..macadr..action..attr1...attr2...attr3...apinfo..HTTPSTATUSCODE..returncd....Content-Length..http://.https://....HTTPSTATUSCODE..GET ....POST ...HEAD .../... HTTP/1.1...Host: ......: ..Content-Type: multipart/form-data; boundary=....Content-Type: application/x-www-form-urlencoded.....Content-Length: ...."...--......=...&...HTTP/...Content-Length..Connection..Keep-Alive..Transfer-Encoding...chunked

And this.

11. overlay_0005.bin

Code:

data/area01light.txt....data/area00light.txt....data/area02light.txt....sea.rhana...hamabe..asasea..lakep.1.dun_sea

.txt? coolbeans.

Code:

/data/dp_areawindow.NCGR..../data/dp_areawindow.NCLR....fielddata/build_model/build_model_matshp.dat

This must initiate the text box we all read from.

12. overlay_0006.bin

Code:

data/shop_h.cldat...data/shop_chr.resdat....data/shop_pal.resdat....data/shop_cell.resdat...data/shop_canm.resdat

I don't remember there being an online shop...

Now, what I was looking for is the list of what is loaded on initiation of the game. What file is it in Pokemon Diamond?

[shiny quagsire]

Verisign is an SSL certificate signer. It's probably used for the GTS servers, which has been hacked before using a custom DNS server. I don't think there's any mystery gift stuff in there, which I wish was there. I think it'd be cool to hack mystery gift.

[Team Fail]

Quote:

Originally Posted by shiny quagsire

Verisign is an SSL certificate signer. It's probably used for the GTS servers, which has been hacked before using a custom DNS server. I don't think there's any mystery gift stuff in there, which I wish was there. I think it'd be cool to hack mystery gift.

I'll see if I can. That'd prove interesting.

[knizz]

I uploaded my private offset list here: REMOVED
Check the my signature for updates.

[knizz]

0x9C (doanimation) is a command like "special" which takes a halfword for choosing the action.
It uses it's own scripting language. The animation-tableis at 081D96AC. The commands of this sub-language are at 083CBE30. The most common commands are 0x03, 0x04 and 0x07. 0x03 starts ASM code. 0x04 ends the execution. Idk more about 0x07.

I created the list in the spoiler by overwriting the script of the girl in the hometown with
eb 0816575C 0x9C
eb 0816575D <number>
eb 0816575E 0x00
eb 0816575F 0x02

Disable the badge-check for HMs:
eb 0812462E 0

I assume that most of these 0x9C-animations do more than what I wrote down here. I just tested them in one situation. For example if the game thinks I'm currently in the air it won't show the take off animation just the landing animation. Etc.

Spoiler:

00 -
01 show pokeball & black pokemon bar & leaf spiral
02 show pokeball & black pokemon bar
03 -
04 -
05 -
06 show black shiny-pokemon bar
07 -
08 buggy surf-pokemon-sprite appears on map
09 show pokeball & black pokemon bar & surf
0A -
0B -
0C -
0D -
0E -
0F -
10 -
11 -
12 -
13 -
14 -
15 -
16 -
17 -
18 -
19 pokecenter
1A -
1B -
1C -
1D -
1E Bird-pokemon enter and leave the screen
1F -
20 -
21 -
22 Land
23 Fly & Crash (Probably because the destination isn't set)
24 -
25 show pokeball & black pokemon bar
26 show pokeball & black pokemon bar & slow teleport to last poke center
27 -
28 show pokeball & black pokemon bar
29 -
2A -
2B freeze
2C show black pokemon bar & freeze
2D buggy textbox in the top left corner
2E -
2F -
30 -
31 -
32 -
33 show pokeball & black pokemon bar & screen turns red (probably "sweet scent")
34 -
35 -
36 -
37 -
38 -
39 -
3A leaf spiral
3B show black shiny-pokemon bar
3C -
3D -
3E different pokecenter
3F show pokeball & black pokemon bar & fast teleport to last used warp
40 -
41 show cell-phone & freeze
42 -
43 -
44 -
45 white flash

If you want to fly callasm 080BFEDC, 080BFF50 or 080C4EF8. (I don't know the difference between those yet)




Flying uses animations 1f, 3b, 06, 03 and 20. Not all of them are called directly. Animation 3B for example is called by animation 1f (if I'm not mistaken).

[lmdst]

Hey, it turns out I can do more than ask questions!


I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but I nobody knew how to change the numbers around - the Pokémon still kept their original Sinnoh dex numbers, meaning an Abra would be 020 no matter his position, Turtwig would be 001, and Pokémon not in the Sinnoh dex would be 000. This obviously meant that the numbers are stored elsewhere. So I decided to look for them.

What I figured is that the code kept a list of the Pokémon, in their internal order, and one or two bytes determined their number. For example, the list would start at Bulbasaur, who is not in the dex, so it would say "00". That would go on until the first Kanto pokémon you can find in Sinnoh, Pikachu, shows up. At this point the code would say "68", which is hex for his Sinnoh dex number, 104. Raichu would follow with 69, and so on.

With this method, when the list reached the Gen IV Pokémon, it would start with 01 (Turtwig) and go on until Luxray (19 in the Sinnoh dex, which is 13 in hex). After that, there would be a gap to account for Abra and Magikarp's evolutionary lines, then would follow into Budew (number 25, or 19 in hex).

So what I did was search the rom for the hex string "13001900". Turns out, I was right!

Okay so, long story short, the Sinnoh Pokédex numbers (not the order) in Diamond and Pearl starts at 385CE46, with Bulbasaur. Each Pokémon's info is two bytes long, with the first being the Pokémon's Sinnoh dex number in hex and the second being typically a 00. However, I believe it could be changed to 01 to account for numbers above 255, Which means that one could potentially increase the size of the Sinnoh Pokédex.

[knizz]

Quote:

Originally Posted by lmdst

... starts at 385CE46, with Bulbasaur. ...

Posting offsets for DS-Games isn't ideal because the ROMs have a filesystem.
I wrote a tool to convert offsets to paths.
C-Code and Mac-EXE: REMOVED
EXE: http://www.pokecommunity.com/showpos...2&postcount=10

I ran this tool on all occurances of "13001900". (Which are: 0440dbC 1c2ed66 1c2ed88 2f7b8a3 3155614 317b2b4 32af774 33c28d5 33c38b9 33dc999 385d166) This is the output:

Code:

Start    End      Position    Length     Name
00440200 00441314 00000BBC of 00001114 | tmap_block.dat < data < 
01C2ED64 01C2ED6C 00000002 of 00000008 | 53. < trpoke.narc < trainer < poketool < 
01C2ED80 01C2ED94 00000008 of 00000014 | 56. < trpoke.narc < trainer < poketool < 
02F79ABC 02F7C4B4 00001DE7 of 000029F8 | 211 < land_data_release.narc < land_data < fielddata < 
0314AC14 03155980 0000AA00 of 0000AD6C | 337 < land_data_release.narc < land_data < fielddata < 
03174818 0317B4E6 00006A9C of 00006CCE | 344 < land_data_release.narc < land_data < fielddata < 
032A8604 032AFAEE 00007170 of 000074EA | 401 < land_data_release.narc < land_data < fielddata < 
033BA0B4 033C5250 00008821 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata < 
033BA0B4 033C5250 00009805 of 0000B19C | 431 < land_data_release.narc < land_data < fielddata < 
033DA264 033E4B46 00002735 of 0000A8E2 | 435 < land_data_release.narc < land_data < fielddata < 
0385CE3C 0385D218 0000032A of 000003DC | 0. < pokezukan.narc < poketool <

Of course all land_data_release lines are false matches because we know that they contain 3d-models

Please correct me if I'm wrong about something.

[Iacobus]

Quote:

Originally Posted by lmdst

Hey, it turns out I can do more than ask questions!

I don't know if this deserves its own thread or not, so I'm posting it here. You guys tell me otherwise.

Okay here's the thing, I've seen before how to alter the order of the Pokémon in the Sinnoh Pokédex in D/P, but I nobody knew how to change the numbers around -...

Sorry to say this, but it was one of the first things documented when Diamond and Pearl got dumped.
► Link

[r0bert]

1st of all,I can revive this thread,right?
2nd; if this is in the wrong place I'm sorry.
after browsing every offset in my firered ROM looking for the PALS A-map uses,I've found some of them:
PAL0___EA1B68
PAL1___EA1B88
PAL2___EA1BA8
PAL3___EA1BC8
PAL4___EA1BE8
PAL5___EA1C08
PAL6___EA1C28
But a question:why are the offsets always 20 apart?

[DrFuji]

Quote:

Originally Posted by r0bert

1st of all,I can revive this thread,right?
2nd; if this is in the wrong place I'm sorry.
after browsing every offset in my firered ROM looking for the PALS A-map uses,I've found some of them:
PAL0___EA1B68
PAL1___EA1B88
PAL2___EA1BA8
PAL3___EA1BC8
PAL4___EA1BE8
PAL5___EA1C08
PAL6___EA1C28
But a question:why are the offsets always 20 apart?

Because each pallet is comprised of sixteen colours, which are translated from two bytes. For example, black is represented as 00 00, while white is 7F FF. As each colour takes up two bytes, the sixteen of them will take up thirty two bytes in total - Which can be translated to a space of twenty in HEX.

[Full Metal]

Heyhey, this has probably been found but...
0202557A - Y co-ordinates of the player
02025578 - X co-ordinates of the player
( I finally figured out how to use cheat search~ :D )
( they are 16-bit values )

[knizz]

I think I made the first html-only rom-research tool: http://chna.kilu.de/jsgba/ (You need Google Chrome for that)
It's a port of my old BL Finder.

[skishore]

I think I've found a way to prevent the three original legendary birds from fleeing when you encounter them in Gold and Silver. At offset 0x03C560, there's a list of hex codes which includes Articuno, Zapdos, and Moltres; changing their three codes to 0x00 does the trick.

I think this question was being asked when Bright Gold was in development. Anyway, I'm working on a similar hack, so I hope this helps.