Research: Pokemon data decrypting (asm code)

JPAN · Feb 13, 2009

mod edit: just for your information, ingame routines that do exactly this already exist within the code

NOTE: all the code posted here was made with the US fire red version in mind. If you are interested in using this code in any other verison, it should still work as long as you change the values for the variable adress and party adress with those from your respective version. To find them, see the end of this post.

I have made an algorithm to decrypt the encripted data and place it somewhere in the RAM where we can look at and modify it acording to our needs. First, a brief explanation on how it works.

The GBA pokemon data is composed of 80 bytes (or 100, for party pokemon). On those 80 bytes, we can divide it in two:

The first 32 bytes of unencrypted information, like the nickname, original trainer name and IDs and a 32 bit word usually called Personality/Pokemon ID, that determines if it's shiny, gender, nature, amongst other things;
The remaining 48 bytes, encrypted information that contains almost everything important about our pokemon, like species, IV's, EV's, contest and regular status, happiness, experience, level...

Now, to access the first information, one can easily read it just by fetcing it. the second block, however, can only be read if one has the key. That key is found by performing an exclusive OR on the Personality value and OTids, both as 32bit words.

Applying that key to the data, one word at the time will decrypt it, and passing it on decrypted information will encrypt it.

On that second block, the information is compacted in four sub-blocks that store pieces of information of the same nature. Those sub-blocks change position depending on the Personality value. The remainder of Personality\24 indicates it position.

To make it harder to modify, there is also a checksum for this second block on the first block, and if the second block, adding all data as 16bit words is not equal to that checksum, the pokemon becomes a BadEgg.

This algorithm works by having a party pokemon number stored at 0x8004 (where the special 9f stores it)

So, what this algorithm does:

Finds the encryption key and stores it at the first memory position (first)
Stores the checksum at another memory position (first + 0x6)
decrypts and copies all the data from the selected pokemon (first+ 0x18)
trough a large algorytm of compares, stores all four sub-blocks starting positions (growth = first +0x8; attack = first + 0xc; effort = first +0x10; miscelaneous info = first + 0x14)

Here's the code
Edit: the portions in bold on the code is the part you need to change in order for it to work. Goes for all valid posts.

Spoiler:

But this code is pretty much useless if you don't know how to access its information. I will post further ahead some code examples on how to change and read this information.

This code has a second part to it, that must be called upon to save changes on the selected pokemon. It's pretty much the reverse, but much shorter because it doesn't need to know what was changed or the position where it must put the data. It just corrects the checksum and copies the information after encrypting it.

Spoiler:

With these two algoritms, many new commands manipulating and checking pokemon caracteristics are possible. I hope this code will be helpful on your rom-hacking.

Edit:
For easy insertion, The two main codes are now available in a small hex file, at this post.
https://www.pokecommunity.com/posts/4914212/

Now, some asm examples on how to use this new found information.
Identifying a pokemon species
I know there is a combination of commands to identify a pokemon, but it only works on pokemon that are not eggs. This code allows you to identify a pokemon egg as well. Only one problem. You must manually set the variable 0x8004 to the egg's position as it cannot be selected by special 0x9f. I would recommend setting it to 0x0, and asking the player to put the egg in the first party slot.

Spoiler:

Or in ROM-ready version

Spoiler:

Increasing a pokemon happiness by any value
If you wish to make some ways for a pokemon to gain happiness, or to make a pokemon love his trainer after an event, this code will allow it.

Spoiler:

ROM-ready version

Spoiler:

See a Pokemon's pokeball
If you wish to have a place to release pokemon but keep their ball, or for a script that
bars entrance to any trainer who doesn't keep all pokemons in a special kind of ball, we have this code

Spoiler:

ROM ready version

Spoiler:

And that's it for now. I shall post more examples later on. For now, you may post requests on this thread.

For more information on the data stored, I recommend the place where I learned about it, bulbapedia (search there for Pokémon data substructures in the GBA).

To find the addresses for your version:

Spoiler:

To find the variables 0x8000:

Spoiler:

FoggyDoggy · Feb 14, 2009

How about editing a Pokemon's EXP? That is what I need to know...
You should write a tutorial... you seem good at explaining alot of things...

JPAN · Feb 14, 2009

To 0m3GA ARS3NAL

While it is possible to make code that changes the amount of experience on a pokemon, I have no way of reproducing the level up routine without messing up some of the status gains, at the moment. As such, I give here a code that will allow you to give a pokemon experience, but for it to level up, it is necessary to fight a battle. Also, this code has several limits. First, you can only add up to 32767 exp points (0x7fff). Any bigger and the pokemon will crash your game. Also, if the experience surpasses that of the needed to gain a level, the pokemon will present, on the status screen, a full blue experience bar with a transparent middle, and the numbers will be mixed with question marks.

If you still want it, here it is.

Spoiler:

And in the compiled version

Spoiler:

Edit: As promissed, some more examples of what to do with this code

Catch the pokerus
This code here allows you to cure, immunize and catch the pokemon virus. To make it work, put in var 0x8005 a number between 0x1 and 0xf to give it, 0x0 to cure but not immunize and 0x10 or higher to immunize the pokemon, preventing him to ever catch the virus again (even with this code)

Spoiler:

Compiled and ready

Spoiler:

EV related material
Several codes that allow you to manipulate Contest stats and Effort values. This following "Stat table" is used in all the following examples
Value -> Stat

Spoiler:

Any of the following EV codes only work correctly if the value is present on the table. Using others results in the unexpected.

Reading EV's/Contest stats
This one code reads the values of the stat placed on variable 0x8005, and places the result on that variable, a number from 0x0 - 0xff.

Spoiler:

Ready to use version

Spoiler:

Adding to EV/Contest stats
This code allows you to change the values of both EV's and Contest Stats, but it works differently on both situations. Place the value to add, between 0x0 - 0xff on var 0x8006 and a table value on 0x8007.
Adding EV obeys the 512 limit, so only values up to a total of 512 will be accepted. On both the Contest and EV, adding a value that is bigger than the allowed will cause the code to add only up to that limit, meaning that adding efforts that surpass 512 after adding will add only up to 512, and adding values that exceed 0xff will make the value 0xff.

Spoiler:

Ready version

Spoiler:

Erasing all EV's
This last code receives nothing and returns nothing, changing only all EV's to 0.

Spoiler:

Ready version

Spoiler:

And that is all for now. Feel free to ask for any other codes. Next time I post here I will bring a "teaching Attacks" code, a dumbed down "move tutor".

liuyanghejerry · Feb 15, 2009

According to this tut,it seems there are a lot of things we can do now ...

FoggyDoggy · Feb 16, 2009

Wow, this is great, I did not need to level the Pokemon up, but this is insane, you really should make a tutorial, and add to the super cool ASM saga that is about to hit PC.
(PC went is stages, Hex, ScriptED, Pokescript PKSV, XSE... I can see more people are going to start using ASM now...)

Okay, I have a toughie, how about changing Pokemon from shiny to normal and vice/versa while they are in your party/activated with a script? (also having it activate like leveling up would be cool, for instance if you battle for bunch of battles, the Pokemon becomes shiny, or vice versa, cause I also need that, hehe.

JPAN · Feb 16, 2009

To make a pokemon shiny, as explained in Mastermind_X shiny hack, the encryption key on a pokemon must be lower than 8. For that to be acomplished one of two things must be sacrificed: either we make Personality = OTID or OTID = Personality. The main question here is when do you wish to use that script. One will sacrifice nature, gender and all that is determined by personality. The other will make the pokemon not to be yours. If at a higher level, a pokemon will not obey a trainer if he doesn't have the right badge.
So, the first method (nature-changing) is recomended for short periods of time, at the beggining of the game. But the second (OTID) is the best way as all the stat-changing nature, gender, etc will be maintained and the location for all the data will remain the same. Personality editing, for the reasons mentioned in the first post, would mess things up. So will write the code for OT changing.
Suggestions for keeping pokemon obeying you: Set a flag with the current eight badge flag value. set the flag before the battle start and clear it if both flags aren't identical.
As all other code in this page, you should keep var 0x8004 as the pokemon slot.
Place variable 0x8005 to 0x0 to return the pokemon to normal.

Spoiler:

Compiled rom code

Spoiler:

Also, as promissed, a dumbed down move tutor. It will always teach your pokemon a move, replacing one move if no empty slots are available.
Free attack slot finder
This piece of code is to be used before the teaching code, and will check the pokemon for empty attack slots, returning 0 if none are found(corresponding to the first slot). This code will place its result on variable 0x8007.

Spoiler:

Compiled and ready

Spoiler:

Teaching the attack
This code will place any attack you placed on 0x8006 on the slot indicated by 0x8007,
placing its corresponding pp to the fullest and erasing any pp bonus from the previous attack. This code will check for range, not working it 0x8007 is equal to or bigger than 0x4, but it will not check for a pokemon's capability to learn such attack.

Spoiler:

Ready to use version

Spoiler:

That is all for now.

FoggyDoggy · Feb 16, 2009

So, if I want a pokemon to be shiny, I have 0x8005 set to 1, and if not, set it to 0?
And what if I need multiple pokemon de-shinnied, up to 6 at a time?

JPAN · Feb 17, 2009

0m3GA ARS3NAL said:
So, if I want a pokemon to be shiny, I have 0x8005 set to 1, and if not, set it to 0?
And what if I need multiple pokemon de-shinnied, up to 6 at a time?

Yes, to make a pokemon shiny, set 0x8005 to a value that is not 0x0.
While it would be possible to make 6 pokemon shiny at a time, it would be very hard to keep track of what pokemon was changed when with this code. Also, all these codes were made to alter one pokemon at a time.

FoggyDoggy · Feb 17, 2009

That would be cool to do 6 at a time... important for a hack actually...
Am I able to change 0x8004 to change a 2nd pokemon, or 3rd, or 4th etc.. Shiny/Normal?
if not, would you be able to do that?

JPAN · Feb 17, 2009

By editing the previous shiny code, and placing a small value in one of the pokemon unused stats to keep track of which variables hold the corresponding ID, I managed to modify the code to allow for up to six pokemon to be "Shinied" at a time. But, as the code only works in between a Decrypt-encrypt function, to use it correctly your script should look like this:

Code:

setvar 0x8004 0x0
#org @loop
compare 0x8004 0x6
if 0x1 goto @next
callasm @decript
callasm @shine
callasm @encript
add 0x8004 0x1
jump @loop
#org @next

This will make all party pokemon shiny. Next, I'll post the code. This time, I'll post it compilable on the devkitARM assembler, and indicate only where the values should be changed to allow a new shiny limit.

Spoiler:

The compiled version

Spoiler:

The stat I used was the two bytes next to the checksum, right before the encripted data.

Grinner · Feb 18, 2009

Heh I dont know if I should be exasperated or gratefull (leaning towards gratefull) becuse I have been trying to learn ASM to do simmiler things to this for a while thinking that ASM would never become mainstream enough to have this complecated stuff posted on a forum. Now I need to work out if I will struggle on and write inferior code so I can feel I have earned it or...

Anyway thanks for posting this.

FoggyDoggy · Feb 19, 2009

Grinner said:
Heh I dont know if I should be exasperated or gratefull (leaning towards gratefull) becuse I have been trying to learn ASM to do simmiler things to this for a while thinking that ASM would never become mainstream enough to have this complecated stuff posted on a forum. Now I need to work out if I will struggle on and write inferior code so I can feel I have earned it or...

Anyway thanks for posting this.

I agree 100% I am extremly greatful for the ASM hackers coming out of seclusion and ASMing... heheh.
May I recomend HackMew's tutorial on ASM, and ZodiacDaGreat... his site has 2 ASM tutorials...
or even maybe JPAN could try his hand at one? you never know!

~0A :t282:

HentaiHentai · Feb 20, 2009

Ok, Admitted looking at this and my eyes are telling me Im insane.
Lol, I understand this is ASM, and I do see that you have converted I have no clue what into hex so.
What Im most curious about is that Pokerus virus. How would I use that. heres an example of what I want to do.
EX: Player goes somewhere umm...toxic, touches something infecting the lead pokemon with pokerus what steps would i have to use to get the asm/hex stuff into a script?
Thank You

JPAN · Feb 20, 2009

HentaiHentai said:
EX: Player goes somewhere umm...toxic, touches something infecting the lead pokemon with pokerus what steps would i have to use to get the asm/hex stuff into a script?

After inserting the ASM code in the ROM, and being (for example) 0x800000 the offset of the pokemon loading script (first posted) , 0x800500 the give-pokerus code offset and 0x801000 the pokemon storing/encryption code offset, nomething like this would work

Code:

(other preceding code)
setvar 0x8004 0x0
callasm 0x08800001
setvar 0x8005 0xf (for maximum time, any other value below is fine)
callasm 0x08800501
callasm 0x08801001
(code after event)

Basically the structure is always
choose pokemon (either fixed through setvar, or variable with special 0x9f)
callasm Decript_function
set variable needed
callasm modifying_function1
set variable needed
callasm modifying_function2
...
callasm encryption_code

Sophidius · May 10, 2009

Does anyone know the code to make a new Hidden Machine?

onyx79 · May 12, 2009

can you add more then 386 pokemon by using asm?

destinedjagold · May 15, 2009

~~sophidius, please don't revive month-old threads~~~

edit...
nevermind...
new rule applied. :P

Gamer2020 · May 22, 2009

JPAN said:
EV related material
Several codes that allow you to manipulate Contest stats and Effort values. This following "Stat table" is used in all the following examples
Value -> Stat

Spoiler:

0x0 -> HP EV
0x1 -> Attack EV
0x2 -> Defense EV
0x3 -> Speed EV
0x4 -> Special Attack EV
0x5 -> Special Defense EV
0x6 -> Coolness
0x7 -> Beauty
0x8 -> Cuteness
0x9 -> Smartness
0xa -> Toughness
0xb -> Feel (not used in Fire Red, so if needed, any new stat)

Any of the following EV codes only work correctly if the value is present on the table. Using others results in the unexpected.

Reading EV's/Contest stats
This one code reads the values of the stat placed on variable 0x8005, and places the result on that variable, a number from 0x0 - 0xff.

Spoiler:

b507 push {r0-r2, lr}
4803 ldr r0, 0x0203f410 ;Effort block data storage address
6800 ldr r0, [r0]
4903 ldr r1, 0x020370C2 ;0x8005 for effort type
880a ldrh r2, [r1]
5c82 ldrb r2, [r0 + r2]
800a strh r2, [r1] ;stores effort value on variable
bd07 pop {r0-r2, pc}

Ready to use version

Spoiler:

07 B5 03 48 00 68 03 49 0A 88 82 5C 0A 80 07 BD
10 F4 03 02 C2 70 03 02

Adding to EV/Contest stats
This code allows you to change the values of both EV's and Contest Stats, but it works differently on both situations. Place the value to add, between 0x0 - 0xff on var 0x8006 and a table value on 0x8007.
Adding EV obeys the 512 limit, so only values up to a total of 512 will be accepted. On both the Contest and EV, adding a value that is bigger than the allowed will cause the code to add only up to that limit, meaning that adding efforts that surpass 512 after adding will add only up to 512, and adding values that exceed 0xff will make the value 0xff.

Spoiler:

b51f push {r0-r4, lr}
4811 ldr r0, 0x0203f410 ;Effort block data storage address
6800 ldr r0, [r0]
4911 ldr r1, 0x020370C4 ; use 8006 for storing given points and 0x8005 for effort type
6809 ldr r1, [r1]
040a lsr r2, r1, 0x10 ;value to increase effort-contest stats by
0c09 lsl r1, r1, 0x10 ;stat to increase
0c12 lsl r2, r2 0x10
2906 cmp r1, 0x6
db02 blt Effort
290c cmp r1, 0xc
db0d blt Contest
bd1f pop {r0-r4, pc}

1c13 Effort: add r3, r2, 0x0
2500 mov r5, 0x0

5d44 loop:ldrb r4, [r0 + r5]
18e3 add r3, r3, r4
3501 add r5, 0x1
2d06 cmp r5, 0x6
d1fa bne loop

2420 mov r4, 0x20
0124 lsl r4, r4, 0x4
429c cmp r4, r3
dc01 bgt Contest
e00f b Checkmax

5c43 Contest:ldrb r3, [r0 + r1]
18d2 add r2, r2, r3
23ff mov r3, 0xff
429a cmp r2, r3
dd01 ble add_value
22ff mov r2 , 0xff
0000 nop
5411 add_value: strb r2 , [r0 + r1]
bd1f pop {r0-r4,pc}
pointers

1a9b checkmax: sub r3, r3, r2
1ae2 sub r2, r4, r3
2a00 cmp r2, 0x0
dbf6 bgt add_value
bd1f pop {r0-r4,pc}

Ready version

Spoiler:

3F B5 11 48 00 68 11 49 09 68 0A 04 09 0C 12 0C
00 00 06 29 02 DB 0C 29 0D DB 3F BD 13 1C 00 25
44 5D E3 18 01 35 06 2D FA D1 20 24 24 01 9C 42
01 DC 0D E0 00 00 43 5C D2 18 FF 23 9A 42 01 DD
FF 22 00 00 42 54 3F BD 10 F4 03 02 C4 70 03 02
9B 1A 45 5C 5B 1B E2 1A 00 2A F3 DC 3F BD

Erasing all EV's
This last code receives nothing and returns nothing, changing only all EV's to 0.

Spoiler:

b505 push {r0-r1, lr}
4803 ldr r0, 0x0203f410 ;Effort block data storage address
6800 ldr r0, [r0]
2100 mov r1, 0x0
6001 str r1, [r0]
8081 strh r1, [r0 + 0x4]
bd05 pop {r0-r2,pc}
0000 garbage
pointer

Ready version

Spoiler:

03 B5 03 48 00 68 00 21 01 60 81 80 03 BD 00 00
10 F4 03 02

And that is all for now. Feel free to ask for any other codes. Next time I post here I will bring a "teaching Attacks" code, a dumbed down "move tutor".

Could you please explain a little on more on this?
Like How would I include this in a script?
(I know I have to use callasm but is that all?)

FoggyDoggy · Jun 10, 2009

I just read through the first ASM code, and I must ask, am I Able to edit a pokemon's hold item using the first 2 ASM routines in this thread?
If so, I thank thee for your ASM skills, and will learn from them if you don't mind...

HackMew · Jun 10, 2009

0m3GA ARS3NAL said:
I just read through the first ASM code, and I must ask, am I Able to edit a pokemon's hold item using the first 2 ASM routines in this thread?
If so, I thank thee for your ASM skills, and will learn from them if you don't mind...

Acrutally those just decrypt the data into RAM.

Research: Pokemon data decrypting (asm code)

pokemon rom researcher

Im comin' home...

pokemon rom researcher

Im comin' home...

pokemon rom researcher

Im comin' home...

pokemon rom researcher

Im comin' home...

pokemon rom researcher

Smiley Face

Im comin' home...

Banned

pokemon rom researcher

Need a storyline? PM me!

Red Dead Revolver

Oh Hai Thar.

Accept no Imitations!

Im comin' home...

Mewtwo Strikes Back