Thanks to this post, I was able to find the part of the code that checks the badges for Surf and Waterfall. They're at 0x06D59C for Surf and at 0x06D5D0 for Waterfall. They're obviously stored as little endian. That's why the bytes at Surf's location are 24 08. Why is this important? Well, if we set those to flags that get set at the start of the game (0x33 = 33 00 is one, more in this thread), we can practically remove the badge checks for HMs with the following three steps:
• Change the two bytes at 0x06D59C and 0x06D5D0 to the number of a flag that's set by the game start script - removes overworld badge checks for Surf and Waterfall (found using this post).
• Write 01 20 00 00 00 00 00 00 00 00 00 to 0x124620 - removes HM checks from the menu (well known and found by karatekid552, source)
• The overworld badge checks for Cut, Strength and Rock Smash are in the scripts themselves. Just open up the script for any tree, boulder or rock and you'll see it.
I personally think this is a great discovery. Of course, all I did was stare at some bytes in a Hex Editor to find the offsets for the badges themselves, so I take absolutely no credit for this.
Also, yes, I do realise it's a better idea to completely null out the call to the routine that checks flags, though I bet anybody who knows ASM could do it in seconds just by looking at the bytes.
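The three byte-level steps above as a small patcher script, added here as an example and not the poster's own code. It only uses the offsets and values quoted in the post, refuses to write unless the Surf offset still holds the 24 08 bytes the post reports (so it won't touch a different or already patched ROM), and the input/output file names are placeholders.

```python
import struct
from pathlib import Path

# Offsets and values as quoted in the post above.
SURF_CHECK_OFFSET = 0x06D59C        # two-byte flag id, little endian
WATERFALL_CHECK_OFFSET = 0x06D5D0   # two-byte flag id, little endian
MENU_CHECK_OFFSET = 0x124620        # start of the 11-byte menu-check patch
SURF_ORIGINAL = bytes.fromhex("2408")          # "24 08" = flag 0x0824, unmodified value
MENU_PATCH = bytes.fromhex("0120000000000000000000")
DEFAULT_FLAG = 0x33                 # a flag the post says is set at game start


def read_flag_id(rom: bytes, offset: int) -> int:
    """Decode the little-endian 16-bit flag id stored at offset (for before/after checks)."""
    return struct.unpack_from("<H", rom, offset)[0]


def patch_hm_badge_checks(rom: bytearray, flag: int = DEFAULT_FLAG) -> bytearray:
    """Apply the patch in place and return the same buffer.

    Both overworld checks get the same flag id (little endian), and the
    11-byte menu patch is written at 0x124620.  The Surf check must still
    hold its original bytes, otherwise this is the wrong ROM or a rerun.
    """
    if not 0 <= flag <= 0xFFFF:
        raise ValueError("flag id must fit in two bytes")
    end = MENU_CHECK_OFFSET + len(MENU_PATCH)
    if len(rom) < end:
        raise ValueError(f"ROM too small: need at least {end:#x} bytes")
    if bytes(rom[SURF_CHECK_OFFSET:SURF_CHECK_OFFSET + 2]) != SURF_ORIGINAL:
        raise ValueError("Surf check bytes differ from 24 08: wrong ROM or already patched")
    flag_le = struct.pack("<H", flag)              # 0x33 -> b"\x33\x00"
    rom[SURF_CHECK_OFFSET:SURF_CHECK_OFFSET + 2] = flag_le
    rom[WATERFALL_CHECK_OFFSET:WATERFALL_CHECK_OFFSET + 2] = flag_le
    rom[MENU_CHECK_OFFSET:end] = MENU_PATCH
    return rom


def patch_file(src: Path, dst: Path, flag: int = DEFAULT_FLAG) -> None:
    """Patch a ROM on disk, always writing to a new file so the original is kept."""
    rom = bytearray(src.read_bytes())
    dst.write_bytes(patch_hm_badge_checks(rom, flag))


if __name__ == "__main__":
    # Placeholder file names: substitute your own ROM and output path.
    patch_file(Path("input.gba"), Path("patched.gba"))
```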