June 28th, 2009 (6:50 AM). Edited August 14th, 2009 by JPAN.
JPAN
    After a long break, I came back today with a large document. Might I add, this document is still incomplete, but is an honest attempt at cracking this game.

    This document I bring you is a List of All Special commands for Fire Red\Leaf Green and a small study on the Special and Special2 commands in XSE.

    All of you must have worked at least once with this versatile command, that allows you to execute a pre-rendered function other than those of the script.
    These commands range from small pieces of work, such as healing your pokemon, to more complex ones such as checking hardware. I shall make a brief explanation on how they work.
    Special (0xaabb)
    0x25 0xbb 0xaa
    Special2 (0xvvww 0xaabb)
    0x26 0xww 0xvv 0xbb 0xaa
    Although slightly different in their making, they are both identical in nature. Special (also referred to here as Special1) receives only the special you wish to perform. Special2 also receives a variable to store a returned value.
    Special1 and Special2 are interchangeable, meaning that using Special1 calls only for the execution of that special function for its effects, while Special2 also receives a value from the execution and stores it at the given variable.
    When in doubt, using special2 will allow you to know if the function is meant to return something or not.
    When searching for Specials that work in FR\LG, I found an interesting reaction from the return addresses.
    Special functions can be divided in three categories:
    The ones that return 9f69 (40809):
    These are meant to be used with Special1, for their effects are what matter. 
    Generally they either return by themselves a value to the 0x800y family (most often 0x8004, 0x8005 or 0x800D).
    The ones that return ADC1(44481):
    These are special ones, for they seem to have fallen out of use from R\S, mostly because of the lack of real-time events, secret bases and contests.
    I studied some of them through decompiling the ASM code, and all those I saw jumped to the same function, so I ruled them out as useless.
    The ones that return other values:
    These are meant to be called with Special2, as the value is what is important. 
    Generally, it's about reading values, not editing them.
    Underneath, all of them function the same in the beginning and in the end:
    1. Special\2 found by script executer;
    2. loads address based on Special appearance (special table pointer);
    2.5. (the executer loads variable address in the 2nd case);
    3. special number is loaded;
    4. multiplies the number by 4 (address byte size), adds it to the address loaded;
    5. checks if bigger than address + (1BB*4). If not, load data from address (function address), then run it.
    What the functions do is what this document is all about.
    This list here has all the specials I could understand what they were doing in game.
    Special Description *other data*
    000 Heals pokemon
    001 clears the variable given in special2 or all the usual variables if in special 1

    Warp Commands
    002 door warp script (fade black until finished warping)
    003 same screen effect as 02. Peculiar behaviour, warps to last used warp, or to center-map if last change was made by a screen transition, or trapped in Battle link if used after game start

    Link Commands
    020 battle through link. Stored in the same location as all other battle data
    021 link start (trading)
    022 faster link start (overwrites other commands)
    023 save game popup
    027 updates a copy of your party at address stored at 03005008 +0x38. the number of pokemon in that party copy is stored 4 bytes before the start
    028 replaces your party with the one stored with the code above. If you never used special 0x27, the party is that of the last time you loaded the game
    029 although it lets you select three pokemon, it shows not where they are stored, being nowhere on the usual variables(8000-800f)
    02A Nice crash sound…
    032 checks the data for the Enigma Berry, stored at (03005008) + 0x30ec. if the old, not E-reader one, returns 1, else 0

    Trainer Commands
    034 prints a buffered message, buffered by the trainerBattle command.
    035 prints a buffered message, buffered somewhere by a different command from 34. Dpad-Sensitive.
    036 returns the number of times the buffered trainer was fought. If bigger than 0, usually is followed by an end signal
    038 plays buffered trainer music
    039 used vs-seeker. placed in given variable if it was fought before or not
    03B activates battle with buffered trainer

    03C activates pokestorage menu

    Double battle commands
    03d checks for a single viable pokemon, that is, pokemon capable to fight. returns 0x1 to given variable if only one pokemon capable of fight is present, 0 otherwise
    045 checks for all viable pokemon. result stored in given variable

    Profile commands
    05D save game popup
    05F edit profiles. Which depend on 0x8004 value *Key: 0x0 = profile, 0x1 = battle quote, 0x2 = upon winning, 0x3 = upon losing quote, 0x4 = nine word message, 0x5 and up = nothing*
    060 displays profile, same key as 5f

    Pokemon Size "mini-game"
    077 Buffers Heracross in buffer 0x0 and its recorded size in buffer 0x1
    078 checks Heracross size. returns to given variable 0x1 if there was no heracross, 0x2 if it was smaller, 0x3 if bigger and 0x4 if the same size. Updates record automatically
    079 Buffers Magikarp in buffer 0x0 and its recorded size in buffer 0x1
    07A checks Magikarp size. returns to given variable 0x1 if there was no Magikarp, 0x2 if it was smaller, 0x3 if bigger and 0x4 if the same size. Updates record automatically

    Name Rater commands
    07B checks pokemon nickname, buffers it and put 01 in given variable if it was never nicknamed
    07C buffers pokemon name indicated at 0x8004 (nickname)
    07D obtained in a trade checker

    080 flushes random words into buffer 2

    083 counts the number of pokemon in your party and places it on a given variable
    084 same as 83
    085 gives the number to the last pokemon on your party, to the variable passed

    Map Commands
    08D displays last processed message
    08e Forces map refresh, that is, puts into effect all changes made by setmaptile command
    08f Returns the player map position, the X to 0x8004 and the y to 0x8005. Coordinates are the same as the ones for the map in AdvanceMap.

    094 Buffers a word based on gender, big guy if boy, big girl if girl
    095 Buffers other words based on gender, daughter if boy, son if girl. These two commands may be harmless leftovers from R/S

    09D old man battle

    Name rater commands 2
    09E nickname pokemon in party indicated by 0x8004
    09F chooses a pokemon for a purpose and stores its position at 0x8004. works even with eggs

    Trainer House Commands
    0A3 checks the Trainer Card achievements (color and stars). Place the achievement number from 0 to 7 in 0x8004, and returned in a given variable 1 if completed
    0A4 Places how many achievements you have in a given variable
    0a5 Buffers the rival achievement trainer name to the 0x0 buffer. Mostly, your rival name, but Lt. Surge, Koga and Lance also appear.

    Special Battle commands
    0AB makes a random battle based on the Tree wild values
    0B4 after battle, certain variables are set. b4 reads them and places on a given variable the status at battle end. *key: 0x1 = fainted, 0x7 = captured, 0x4 = escaped*

    Breeding center commands
    0B5 Buffers the Daycare Pokemon name to the buffers 0x0 and 0x1
    0B6 daycare status *key: 0x1 = one egg, 0x2 = one pokemon, 0x3 = two pokemon*
    0b7 Clear egg flag and reset timer for another egg
    0b8 Creates and gives away egg
    0b9 Corrects, in your party, the egg given by 0xb8, adding all learnable attacks, including egg moves
    0BA seems to register a pokemon number after reading from the party (with other special) and puts it in a variable. Returns 277 for Treecko, so real, in game number.
    0BB removes pokemon stored at 0x8004 from party. Places it on the daycare center address (dynamic)
    0BC A selection screen for pokemon with store instead of select, identical in use to 9f
    0BD two slot selection screen that allows you to choose one of two pokemon on the daycare center. If no pokemon is stored there, blank name, lv0 male will appear.
    0BE checks number of levels they grew in daycare and places it on given variable as well as in buffer2.
    0BF calculates price on pokemon growth and places it on buffer2
    0C0 gets pokemon back from daycare center (taken with bb). If 0x8004 is different from the slot number the pokemon is in, a bad egg is formed.
    0c1 a "silent hatch" code, hatches an egg in your party indicated by 0x8004, even if not an egg (reset level to 5, changes met location, clears EVs)
    0C2 hatches a pokemon in the 0x8004 given position, even if not an egg
    0C4 shows battle records and time scores. varies with value on 0x8004 *key: 0x0 = battle records, else = time board*
    0C5 checks if you have enough money to pay for pokemon return. If true, return 1 to given variable
    0C6 charges the money calculated by bf

    Whiteout command
    0C8 whiteout screen and carried to a pokecenter. Variables are cleaned, money is partially lost

    Safari mode command
    0CD start safari game. Upon end, teleported back to default map, even though you never went near it
    0CE ends safari game. This end, not being the default call to script, lets you remain where you are

    Pokedex evaluation command
    0D4 seems to place on 0x8005 the seen pokemon and on 0x8006 the caught ones. Also places on 0x800c a number that might be pokemon the pokedex doesn't detect but were caught. if 0x8004 = 0, print kanto's values, 0x8004 != 0x0, national dex values
    0D5 prints the pokedex evaluation. Number of pokemon caught is stored on 0x8004

    Pc animation commands
    0D6 flashes a tile that is one tile above the script. Used in pc scripts
    0D7 switches a tile above script. Another animation

    move deleter\reminder commands
    0DB selects a pokemon, but no variable is updated
    0DC shows moves from pokemon in 0x8004 and allows you to choose one, position placed on 0x8005
    0DD deletes move that was supposedly chosen with dc
    0DF places on last-result the number of attacks on a pokemon defined by 0x8004
    0E0 opens up a menu to teach previously known attacks to pokemon (move reminder) pokemon used is stored at 0x8004
    0E6 returns the slot of the first available attack. If all occupied, returns 3 to given variable

    Weird Commands
    0e9 prepares the message "previously on your quest", as well as others saved from last playthrough
    0ea & eb continue the previous command, but have some glitches
    0EC depending on 0x8004, may crash (0x0), have a wild battle with the buffered wild pokemon (0x1) or start an item-forbidden Trainer match (0x2), all other values crash.
    0EF clears party, erasing all pokemon. And this definitely erases them, as the code clearly only fills the places with 0's
    0F1 after clearing all waiting data, shuts down the system internally with the Stop Bios command. Also, disables all interruptions, killing the game right there.
    0F5 asks to select three pokemon, and places them in the given order(removing the remaining) - pokemon tower. Choose cancel to get all your pokemon back.
    0F6 appears to return if a pokemon is able to enter the event
    0F8 really weird command, deletes part of your party except for some of those you chose in f5

    Item storage
    0F9 pc item storage menu with pc animation (your room)
    0FA same as f9 but without pc animation
    0FB town map

    Trade commands
    0FC checks the trade in 0x8004 and buffers the name of the wanted pokemon(0x0) and the given pokemon(0x1)
    0FD gets the pokemon to trade and places it in 0x0202402c. Is in its party form, that is, fully decrypted, 100 bytes.
    0FE activates trade, gets pokemon from previous memory address. Incomplete pokemon (80 byte form) crash when seen. If deposited and withdrawn, it's fixed
    0FF checks pokemon in 0x8004's number and places it in given variable

    pc menu
    106 opens pc menu, no animations, returns 01 to given variable and ff to lastresult

    Finishing commands
    107 shows hall of fame then returns you to pc menu
    108 shows diploma for finishing kanto dex. Finishes script.
    10F this is the function that is called by f1 to do the shutting down thing. Therefore, this crashes everything
    110 saves hall of fame and plays ending

    camera control commands
    111 elevator scene + small animation
    113 freeze screen, but only on scripts, not on signposts or people. Call again to unfreeze
    114 unfreeze screen\camera. Works on all surfaces
    11F returns to a variable the facing you had when activating the event

    Pokemon check commands
    126 Check first pokemon added EV's. if over 510, returns 0x1
    12b Checks party for a grass pokemon. returns 0x1 if there is one.
    12e Checks party for your kanto starter. 0x1 if you have it
    130 See if there is room for pokemon in a box. returns 0x1 if there is.

    132 shows current floor
    136 use strength sound

    Wild battle commands
    137 starts wild battle on ice. Uses everything the normal wild battle use
    138 starts wild battle on normal terrain. Uses everything the normal wild battle use.
    139 same as 138

    Cave commands
    13D flashes screen.
    13E warps to last used warp
    13F falls to last used warp
    143 perfectly normal wild battle

    147 checks your pokemon in position referenced by 0x8004 and returns to the given variable its pokemon number. returns 0x19c if an egg.
    14C fades sound until it turns off. Only some soundeffects remain. Loses effect after leaving map.
    153 checks your party for pokemon equipped with e-card berries. 1 to variable if it happens
    156 ghost battle. If you have a Silph Scope, it becomes the lv 30, uncatchable marowak. If not, the ghost will have the cry of the pokemon that was buffered.
    157 activates bicycle
    158 opens several different multichoice boxes depending on 0x8004 *key: 0x0 = badge talk; 0x1 = silph-co elevator; 0x2 = rocket elevator; 0x3 = celadon department store elevator; 0x4 = link options; 0x5 = pharmacy options?; 0x6 other elevator; 0x7 and up - return 0x7f to lastresult*
    15C crashes game after executing whole script
    15d buffers to buffer 0x0 the name of the last pokemon you encountered
    15e checks if values on 0x8004 and 0x8006 add up to more than 9999 decimal.
    15f checks pokemon number in party and places the function for the correct pokecenter animation. returns to given variable that number.

    161 activates surf sprite
    162 places the number of the starter you chose in a given variable
    163 sees pokemon number 0x8004 in the pokedex
    166 lets you nickname the pokemon in the box in 0x800f, slot 0x8010. Gives it the buffered name.

    Wireless link mini game commands
    16A checks for wireless connector, 1 if there, 0 otherwise. Places value on given variable
    16B tries to link for a game of pokemon jump the rope
    16C tries to link for a game of dodrio berry-picking
    16D linking for union room
    16E wireless status

    16F activates national dex
    171 makes it impossible to step through scripts with the D-pad. only works on Scripts (green S on Advance Map)

    Fame checker commands
    173 activates the info at the slot 0x8005, for person 0x8004
    174 sets the person picture status. 0x8004 = person number, 0x8005 = set value. 0x1 = only shadow. 0x2 = correct picture

    (cerulean) Daycare commands
    176 Remove pokemon from party and store it in daycare.
    177 buffers daycare pokemon name in buffer 0x0 and the money owed for it in buffer 0x1
    178 checks if a pokemon is at the daycare. returns 0x1 if there is.
    179 returns the levels grown and buffers the same data as 0x177
    17a returns the pokemon kept there to the trainer. returns to variable the pokemon number

    17B travels in the boat for Vermilion
    17c checks for a pokemon species in the party. pokemon number wanted is stored in 0x8004, returns to given variable 0x1 if there is one.
    183 checks if someone is playing through wireless and buffers that player name. if none, the empty string is buffered
    187 places value on given variable. Seems to be an error checker of some kind, for every time it returns 0x2, a script is called to end.

    Fossil commands
    18B shows fossil picture. Only works if 0x8004 is 0x8d or 0x8e. Position is stored in 0x8005(x) and 0x8006(y)
    18C unshows picture

    Move tutor commands
    18D Accesses move tutor data and teaches that move to an allowed pokemon. Tutor placed at 0x8005
    18E a menu to choose pokemon for something

    191 SS Anne departure scene. With no boat, your sprite will follow it and disappear, making you invisible.
    192 checks if you have any of the needed pokemon to play Jump the Rope minigame
    193 checks if the national pokedex is active.
    194 if used without 0x8004, clears all warps and reproduces buffered video all over the map. Entering any menu will blank the video, crashing the game on exit
    195 pokemon jump records
    196 buffers attacks to 0x0 if 0x121< 0x8004 <0x15a. attacks buffered are stored in a table. returns 0x1 if it buffered anything

    Berry powder commands
    19b checks if you have the berry pouch and at least a berry. returns 0x1 if true to given variable and to 0x800d
    19C shows powder counter
    19D hides powder counter
    19e checks if powder is more or equal to the amount asked for in 0x8004. returns 0x1 to given variable if its true.
    19f decreases the amount in 0x8004 to the powder counter. returns 0x1 to given variable if it didn't go negative.
    1A2 shows berry crushing records

    Old lady tutor commands
    1a3 buffers the ultimate attack for the starters and prepares the right tutor. return 0x0 if no pokemon in your party can learn it.
    1a4 after teaching, checks the value of the tutor and sets the respective flag to the attack. if all three attacks were taught, returns 1 to given variable

    1A5 plays credits
    1A6 berry-picking records
    1A7 multichoice for the islands, varies with what's on 0x8004
    1AB sound effect for deoxys triangles
    1AE checks for illegal pokemon for the union room and places one if found on a given variable
    1B0 checks if pokedex (national) is complete. 0x1 if true, placed on a given variable
    1B2 places a red arrow at the pixel coordinates indicated by 0x8004(X) and 0x8005(Y). 0x8006 = 0 means turn on, or create a new one, 0x8006 != 0 means shut last arrow down

    1B5 creates a tile animation one block left two-four up the player
    1b6 checks if you have a dodrio in your party.
    1B7 creates a tile animation two-six blocks right from the top-left corner of the screen
    1bb Create a full, party ready pokemon, at the trade slot. 0x8004 = pokemon number, 0x8005 = pokemon level, 0x8006 = item held

    Here, I place those I know what they do, but don't know what the offsets, flags and variables used mean in-game
    (address) = content of that address
    004 Updates the value in 02031dbc by analyzing the data from the party copy at (03005008)+0x38
    005 Places a pointer to a function for posterior execution to 03000e84. The weird part is that that function only kills itself, erasing the content of 03000e84.
    01c stores in 0x0202271A 0x2233 if 0x8004 is 1, 0x2244 if 2 and 0x2255 if 5.
    01d,01e,05c Same thing, but have some extra steps.
    033 loads to r0 the value at 0x020386AC, which is returned to given variable
    096 addresses a variable\flag whose number is stored in 8004, and makes some ands and ors (sets and checks)
    0A6 checks if the 8th bit in var 0x4038 is on, if so, copies the content of (0300500c)+1c to var 0x4039
    0a7 the opposite of 0xa6. copies the content (0300500c)+1c to 0x4039
    0a8 activates the 8th bit at 0x4038
    0a9 same as A6 + store same value on variables 0x6c-0x6f
    0aa returns to given variable one of seven values stored at 0x08456934. attribute those values to 0x4038 as well. it's 0x8004 dependant.
    0c3 0x8004 dependant. Checks what is at position 0x70 of the pokemon in the daycare.
    0d8 updates the value of 0x403a, based on the value at (0300500c)+0x12
    0e3 returns 2 to variable if the value in 0x2037078 ends in 6. 0x02037078 is the character speed control. bit0 = walking, bit1 = using bike, bit3 = ???
    0e7 change value at var 0x4000 depending on the value of (300500c)+55e
    11e updates and changes random seed, but other than that, seems to have no inherent use
    125 sets flag 0x83b and executes special 0x124
    142 sets var 0x4010 to 0x12. seems incomplete, as it loads values that never uses.
    15b calculates values and uses 0x8004 and 0x8005 to save it. besides, 0x8004 is the result of the first function, and the 0x8005 is the result of the function that, in a table, is that number.
    165 if flag 0x843 is set, returns 0, if not checks a byte in the Pokemon storage, and if different to the content of var 0x4037, set the flag and return 1.
    167 changes a bunch of variables in the 4043 range. 4042 is a copy of 0x8004 at that time
    168 places value on given variable. also changes values of several variables (417d on 0x8004 and 0x8006, ffff on 0x8005)
    170 sets values on 0x020370a0 and 0x03000f9e, but don't stay until the end of the script
    17d changes the value at 0203b0ec to the content of 0x8004. it seems to be related to the condition of the map (inside, outside, center, shop, forest, cave...)
    17e reads the value at 03005ea0 and places it on 0203b0ec
    17f reads the value at 0203b0ec and places it on 03005ea0
    181 sets 2 flags at [0300500c]+a8 (5th and 6th)
    182 sets the previous flags and places a function for further execution
    188 usually clears the values at 0203ae04 and ae08, but also may, if the values are right, change the value of 0203ae8c, which is a pointer to the RAM. is used before every legendary battle.
    18f sets the flag 500+(020386ae)
    197 a large list of comparisons to the target pokemon. Places 0 in 0x404e in any event
    198 stores 0 in 0x3005ecc
    199 if 0x0203adfa is smaller than 3, set the above to 1
    19a sets a flag in (0300500c)+9 and sets flags 1,2,3 and 31 on (0300500c)+A8
    1a9 compares values from 0x8004 and 0x8006 and returns specific values: returns 1 if either var is 8,7 if either var is 0, A if either var is 9, c if either is A, 2 if smaller than 2, 3 if smaller than 5, five if smaller than 7 and 6 if not any of the above
    1aa returns the lower 4 bits of (02036e38 + (0203707d)+ 18)
    1ad 1 if (03005008)+8 == 0x503 and (03005008)+ 0x503 > 17, 1 otherwise
    1b1 check if [03005008]+8 is equal to 0x0a02
    1b8 sets the value of 0x02039a0e depending on the value of itself and 0x02039a10
    1b9 clears one of the flags A4-AC, depending on the values at [03005008]+1200 and [0300500c]+ f20.
    1ba sets function 0x80cd1cc to be executed

    There are the ones I have no idea what they do. If any of them sound familiar, post what it does so it might be added.
    037: uses 03005090
    093: uses (3005008)+a
    0c7: loads a function for later execution. sets a byte in 0x300ea8 (script related) to 1, which only happens when in wait for a result of a function.
    0ed: accesses (300500c)+55e
    0ee: similar to the one before in structure
    0f0: accesses (300500c)+55e
    0f2: access to the (300500c)+ 55c or (300500c)+ 0x570
    0f3: access to the (300500c)+ 55c or (300500c)+ 0x570
    0f4: access to the (300500c)+ 55c and party address
    11d: copies 4 bytes off (300500c) + 4a4 to display
    129: accesses var 4031, the var that keeps the starter pokemon chosen
    13a: uses 0x3005074
    148: checks something on party pokemon
    159: store function for posterior use
    15a: store function for posterior use
    172: store function 0810c3b8, with 0x50 as an argument, for posterior use
    175: checks a number of pokemon status, and then loads an encryption key, applies it and buffers the result
    186: apparently is a memory allocator, for a quantity defined by last_result, returns 0 if successful
    190: related to PC script
    1a0: makes some checks and recalculate some keys, but I can't grasp why it's needed
    1a1: stores several functions for near use, and is dependant on flag 0x3 and [03005008]+8 (=or != 4f01)
    1AC: works with the value at 0x403e

    Just for completion, or if anyone wants to test them out, these are the specials that return ADC1:
    006 --> 01b
    024 --> 026
    02B --> 031
    03E --> 044
    046 --> 05B
    061 --> 076
    086 --> 08c
    090 --> 092
    09a --> 09c
    0A0 --> 0A2
    0Ac --> 0B3
    0C9 --> 0CC
    0CF --> 0D3
    100 --> 105
    109 --> 10D
    115 --> 11C
    120 --> 123
    144 --> 146

    That's it for now. I hope you find this document helpful. I may return to post some more detailed analysis of this code for the more practice-oriented.

    thanks to liuyanghejerry for the use of Special 0x39
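The dispatch steps listed in the post (opcode 0x25 or 0x26, little-endian arguments, table index bounded at 0x1BB, result stored only for Special2) modelled in C as an added example; it is not part of the original post and not code from the game. The handler functions, the status codes, the 0x8000-0x8010 variable window and the sample script are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_SPECIAL  0x25
#define CMD_SPECIAL2 0x26
#define LAST_SPECIAL 0x1BB  /* highest index the bounds check accepts */
#define VAR_BASE     0x8000 /* modelled variables: 0x8000..0x8010 (assumption) */
#define VAR_COUNT    0x11

enum { STEP_OK, STEP_END, STEP_BAD_OPCODE, STEP_TRUNCATED, STEP_BAD_INDEX, STEP_BAD_VAR };

typedef uint16_t (*special_fn)(void);

/* Constructed state standing in for game RAM. */
uint16_t g_vars[VAR_COUNT];
int g_party_count = 3, g_party_healed = 0, g_last_status = STEP_OK;

/* Hypothetical handlers for specials 0x000 and 0x083 from the list. */
static uint16_t sp_heal(void) { g_party_healed = 1; return 0; }
static uint16_t sp_count_party(void) { return (uint16_t)g_party_count; }

/* Sparse stand-in for the special table: one pointer per index. */
static const special_fn g_table[LAST_SPECIAL + 1] = {
    [0x000] = sp_heal,
    [0x083] = sp_count_party,
};

static uint16_t read_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Executes the command at script[*pc]; advances *pc only on success. */
int run_special(const uint8_t *script, size_t len, size_t *pc)
{
    if (*pc >= len) return STEP_END;
    const uint8_t *p = script + *pc;
    size_t size = p[0] == CMD_SPECIAL ? 3 : p[0] == CMD_SPECIAL2 ? 5 : 0;
    if (size == 0) return STEP_BAD_OPCODE;
    if (len - *pc < size) return STEP_TRUNCATED;

    uint16_t *dest = NULL;
    if (p[0] == CMD_SPECIAL2) {                /* step 2.5: resolve the variable */
        uint16_t var = read_u16le(p + 1);
        if (var < VAR_BASE || var >= VAR_BASE + VAR_COUNT) return STEP_BAD_VAR;
        dest = &g_vars[var - VAR_BASE];
    }
    uint16_t index = read_u16le(p + size - 2); /* step 3: special number */
    /* step 5: reject anything past the last entry before loading a pointer */
    if (index > LAST_SPECIAL || g_table[index] == NULL) return STEP_BAD_INDEX;

    uint16_t result = g_table[index]();        /* steps 4-5: table[index], then run */
    if (dest) *dest = result;                  /* Special1 discards the result */
    *pc += size;
    return STEP_OK;
}

/* Runs commands until one fails; returns how many executed. */
int run_script(const uint8_t *script, size_t len)
{
    size_t pc = 0;
    int done = 0;
    while ((g_last_status = run_special(script, len, &pc)) == STEP_OK) done++;
    return done;
}

/* Constructed sample: special 0x0; special2 0x800D 0x83; special 0x1BC. */
const uint8_t SAMPLE[] = { 0x25, 0x00, 0x00,
                           0x26, 0x0D, 0x80, 0x83, 0x00,
                           0x25, 0xBC, 0x01 };

int main(void)
{
    int done = run_script(SAMPLE, sizeof SAMPLE);
    printf("executed=%d status=%d healed=%d var800D=%u\n",
           done, g_last_status, g_party_healed, (unsigned)g_vars[0xD]);
    return 0;
}
```

The third command in the sample uses index 0x1BC, one past the bound, so the model stops there without touching the table.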