See #7090: CasualPokePlayer's GBC Pokémon: Gold Version "save glitch" in 10:54.77 for the branch name change; this movie, while doing save corruption, ultimately just does a game end glitch, so I'm marking the branch as such.

Emulator used: Bizhawk 2.5.2

  • SubGBHawk is used due to the use of a sub-frame reset.
  • CGB in GBA is enabled for potential console verification which I mean no chance in heck this thing is getting console verified anyways lmao.

Categories

  • Corrupts save data
  • Executes arbitrary code
  • No luck manipulation (lmao)

About the run

Version Choice

Gold is used over Silver due to better default names.

Route

  • Save data is cleared this time due to the ACE payload requiring cleared save data.
  • A default name (GOLD) is chosen as the name doesn't appear enough to warrant a custom name.
  • Cyndaquil's Berry is taken off, then the game is saved.
  • The Berry is tossed, then a checksum collision is done to save the 0 items count while keeping the berry in my pack.
  • The Berry is tossed again, but this time since there was "0 items" in the pack, the item pocket underflows to 255 items.
  • Items are created in the Balls pocket to set up ACE.
    • Mail is created first to create a payload. The payload is largely identical to the previous submission's, just accounting for it using Mail instead of box names, along with storing a bootstrap to jump from the mail buffer to the actual mail data in SRAM.
    • TM22 is created, then swapped down to slot 0x25, then 0xE9 is put into the tossed buffer by faking a toss, then TM22 is used. This executes a small bootstrap, which jumps to the actual bootstrap in the mail buffer, which unlocks SRAM then jumps to a little before the Mail data in SRAM. Note this SRAM area jumped to is never initialized by the game, so it will be filled with 0xFF (crashes) unless save data is explicitly cleared as was done in the beginning of the movie.
  • Auto-input takes over once the payload is finished, then Red is "defeated".
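
An added illustration of the two bugs the route leans on (not the game's code and not part of the submission): a save checksum that cannot tell a mixed old/new image from a consistent one, and an unchecked 8-bit item count that wraps from 0 to 255. The pocket layout, the item id and the 16-bit additive checksum are assumptions made for this toy model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model, not the game's real layout: a count byte followed by item slots. */
#define SLOTS      4
#define ITEM_NONE  0xFF
#define ITEM_BERRY 0x01   /* constructed id, for illustration only */
struct pocket { uint8_t count; uint8_t items[SLOTS]; };

/* Assumed integrity check: 16-bit sum of every byte in the image. */
uint16_t checksum(const uint8_t *p, size_t n) {
    uint16_t s = 0;
    while (n--) s = (uint16_t)(s + *p++);
    return s;
}

/* Unchecked toss: trusts that a filled slot implies count >= 1. */
uint8_t toss_unchecked(struct pocket *p, uint8_t slot) {
    p->items[slot] = ITEM_NONE;
    p->count--;                    /* 0 - 1 wraps to 255 in uint8_t */
    return p->count;
}

/* Hardened toss: validate count and index before touching any state. */
int toss_checked(struct pocket *p, uint8_t slot) {
    if (p->count == 0 || slot >= p->count || slot >= SLOTS) return -1;
    p->items[slot] = ITEM_NONE;
    p->count--;
    return p->count;
}

/* Constructed images: "mixed" has count 0 with the item still in slot 0,
   and one unrelated byte 1 higher, so the additive checksum is unchanged. */
int checksum_collides(void) {
    uint8_t good[4]  = {1, ITEM_BERRY, ITEM_NONE, 0x10};
    uint8_t mixed[4] = {0, ITEM_BERRY, ITEM_NONE, 0x11};
    return checksum(good, 4) == checksum(mixed, 4);
}

int main(void) {
    struct pocket p = {0, {ITEM_BERRY}};   /* count says empty, slot disagrees */
    printf("inconsistent image passes checksum: %d\n", checksum_collides());
    printf("checked toss on empty pocket: %d\n", toss_checked(&p, 0));
    printf("unchecked toss leaves count: %u\n", (unsigned)toss_unchecked(&p, 0));
    return 0;
}
```

A loader that re-validated invariants after the checksum passed (for example, that every slot at or beyond the count is empty) would reject the mixed image even though its checksum matches.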

Bootstrap & Payload

Here is a tracelog of the relevant parts of the bootstrap and payload:
D002:  D5        push de                 AF:0200 BC:0007 DE:CF70 HL:D002 SP:DFC9 ; TM22 jumps here
D003:  25        dec h                   AF:0200 BC:0007 DE:CF70 HL:D002 SP:DFC7 ; D003 holds the current item slot, this is why TM22 is swapped
D004:  9B        sbc a, e                AF:0260 BC:0007 DE:CF70 HL:CF02 SP:DFC7 ; D004 holds the last Pokemon species interacted with (Cyndaquil)
D009:  E9        jp hl                   AF:9250 BC:0007 DE:CF70 HL:CF02 SP:DFC7 ; D009 holds the tossed item buffer, this is why a fake toss is done
CF02:  D6 88     sub a, $88              AF:9250 BC:0007 DE:CF70 HL:CF02 SP:DFC7 ; CF02 is in the middle of the mail buffer, a bit after the actual payload
CF04:  F5        push af                 AF:0A60 BC:0007 DE:CF70 HL:CF02 SP:DFC7
CF05:  F5        push af                 AF:0A60 BC:0007 DE:CF70 HL:CF02 SP:DFC5
CF06:  E1        pop hl                  AF:0A60 BC:0007 DE:CF70 HL:CF02 SP:DFC3 ; address $0000-$1FFF needs to be written to to unlock SRAM
CF07:  D1        pop de                  AF:0A60 BC:0007 DE:CF70 HL:0A60 SP:DFC5 ; value $xA needs to be written to unlock SRAM 
CF08:  72        ld [hl], d              AF:0A60 BC:0007 DE:0A60 HL:0A60 SP:DFC7 ; unlock SRAM
CF09:  D2 FB A5  jp nc, $A5FB            AF:0A60 BC:0007 DE:0A60 HL:0A60 SP:DFC7 ; jump a little before Mail data in SRAM, also where Joypad->Opcode byte is written
A5FB:  27        daa                     AF:0A00 BC:0007 DE:2D00 HL:0A60 SP:DFC7
A5FB:  BD        cp a, l                 AF:1000 BC:0007 DE:9000 HL:0A60 SP:DFC7
A5FB:  62        ld h, d                 AF:1000 BC:0007 DE:F200 HL:0A60 SP:DFC7
A5FB:  6F        ld l, a                 AF:1000 BC:0007 DE:9D00 HL:F260 SP:DFC7
A5FB:  3D        dec a                   AF:1000 BC:0007 DE:A000 HL:F210 SP:DFC7
A5FB:  32        ld [hl-], a             AF:0F00 BC:0007 DE:9200 HL:F210 SP:DFC7 ; wPlayerLastMapY = $0F
A5FB:  7E        ld a, [hl]              AF:0F00 BC:0007 DE:EC00 HL:F20F SP:DFC7
A5FB:  25        dec h                   AF:0900 BC:0007 DE:C900 HL:F20F SP:DFC7
A5FB:  6A        ld l, d                 AF:0900 BC:0007 DE:A300 HL:F10F SP:DFC7
A5FB:  19        add hl, de              AF:0900 BC:0007 DE:BA00 HL:F1A3 SP:DFC7
A5FB:  62        ld h, d                 AF:0900 BC:0007 DE:D800 HL:ABA3 SP:DFC7
A5FB:  22        ld [hl+], a             AF:0900 BC:0007 DE:FA00 HL:D8A3 SP:DFC7 ; EVENT_RED_IN_MT_SILVER = clear bit 2
A5FB:  66        ld h, [hl]              AF:0900 BC:0007 DE:9C00 HL:D8A4 SP:DFC7
A5FB:  50        ld d, b                 AF:0900 BC:0007 DE:CC00 HL:F0A4 SP:DFC7
A5FB:  CC 00 00  call z, $0000           AF:0900 BC:0007 DE:CC00 HL:F0A4 SP:DFC7
A5FB:  6A        ld l, d                 AF:0900 BC:0007 DE:A600 HL:F0A4 SP:DFC7
A5FB:  22        ld [hl+], a             AF:0900 BC:0007 DE:8400 HL:F0A6 SP:DFC7 ; wSouthConnectionStripYOffset = $09
A5FB:  1F        rra                     AF:0900 BC:0007 DE:9B00 HL:F0A7 SP:DFC7
A5FB:  77        ld [hl], a              AF:0400 BC:0007 DE:EC00 HL:F0A7 SP:DFC7 ; wSouthConnectionStripXOffset = $04
A5FB:  18 00     jr $A5FD                AF:0400 BC:0007 DE:F400 HL:F0A7 SP:DFC7
A5FB:  6A        ld l, d                 AF:0400 BC:0007 DE:9E00 HL:F0A7 SP:DFC7
A5FB:  3D        dec a                   AF:0400 BC:0007 DE:A300 HL:F09E SP:DFC7
A5FB:  22        ld [hl+], a             AF:0300 BC:0007 DE:8100 HL:F09E SP:DFC7 ; wSouthConnectedMapGroup = $03
A5FB:  BF        cp a, a                 AF:0300 BC:0007 DE:3E00 HL:F09F SP:DFC7
A5FB:  7A        ld a, d                 AF:0300 BC:0007 DE:4400 HL:F09F SP:DFC7
A5FB:  77        ld [hl], a              AF:4400 BC:0007 DE:3300 HL:F09F SP:DFC7 ; wSouthConnectedMapNumber = $44
A5FB:  29        add hl, hl              AF:4400 BC:0007 DE:1A00 HL:F09F SP:DFC7
A5FB:  44        ld b, h                 AF:4400 BC:0007 DE:5E00 HL:E13E SP:DFC7
A5FB:  0F        rrca                    AF:4400 BC:E107 DE:5100 HL:E13E SP:DFC7
A5FB:  F8 00     ld hl, sp + $00         AF:2200 BC:E107 DE:A900 HL:E13E SP:DFC7
A5FB:  60        ld h, b                 AF:2200 BC:E107 DE:C900 HL:DFC7 SP:DFC7
A5FB:  2D        dec l                   AF:2200 BC:E107 DE:E400 HL:E1C7 SP:DFC7
A5FB:  35        dec [hl]                AF:2200 BC:E107 DE:D100 HL:E1C6 SP:DFC7 ; wInputType = $FF
A5FB:  49        ld c, c                 AF:2200 BC:E107 DE:9800 HL:E1C6 SP:DFC7
A5FB:  62        ld h, d                 AF:2200 BC:E107 DE:FA00 HL:E1C6 SP:DFC7
A5FB:  6F        ld l, a                 AF:2200 BC:E107 DE:9500 HL:FAC6 SP:DFC7
A5FB:  35        dec [hl]                AF:2200 BC:E107 DE:A000 HL:FA22 SP:DFC7 ; wPartyCount = $00
A5FB:  F8 00     ld hl, sp + $00         AF:2200 BC:E107 DE:5800 HL:FA22 SP:DFC7
A5FB:  68        ld l, b                 AF:2200 BC:E107 DE:3000 HL:DFC7 SP:DFC7
A5FB:  F9        ld sp, hl               AF:2200 BC:E107 DE:C900 HL:DFE1 SP:DFC7 ; SP = $DFE1 (return to overworld)
A5FB:  C9        ret                     AF:2200 BC:E107 DE:0080 HL:DFE1 SP:DFE1

Samsara: File replaced with a 13 second improvement on Gold, and judging.
Samsara: The palindrome of Gen2 glitched is finally complete. Gold is obsoleted by Silver is obsoleted by Crystal is obsoleted by Crystal is obsoleted by Silver and is now obsoleted by Gold once more. I do hope that future TASes will continue to uphold this tradition. Accepting as an improvement to the published run.
Spikestuff: Agumon is my favourite Pokémon.


TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15583
Location: 127.0.0.1
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
Claiming for Pubs... (The ride never ends)
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Emulator Coder, Judge, Experienced player (729)
Joined: 2/26/2020
Posts: 783
Location: California
http://tasvideos.org/userfiles/info/70778271449044110 I've improved the movie by 13 seconds with a better bootstrap. I also swapped games over to Gold as it had better default names and I no longer needed to do any RNG manipulation, so the advantage Silver had is now gone.
Banned User
Joined: 4/1/2016
Posts: 295
Location: Cornelia Castle
This TAS (and the new version) are great! yes vote for me.
DJ Incendration Believe in Michael Girard and every speedrunner and TASer!
Acumenium
He/Him
Banned User
Joined: 6/11/2020
Posts: 73
Yes vote. It's fun and pretty unique as it seems any viewer could imitate it as well.
Player (67)
Joined: 3/13/2021
Posts: 20
Location: Charlotte, NC
Simple, effective, and makes a mockery of a broken game. Easy yes vote
TAS noob. Completed: Pokemon FireRed/LeafGreen Round 2 In Progress/Backlog: Pokemon FireRed/LeafGreen Any% Reroute Pokemon FireRed/LeafGreen Beat All Trainers The Neverhood Any% NES Monopoly 1 CPU Glitchless
Joined: 5/14/2007
Posts: 525
Location: Pisces-Cetus filament
CasualPokePlayer wrote:
http://tasvideos.org/userfiles/info/70778271449044110 I've improved the movie by 13 seconds with a better bootstrap. I also swapped games over to Gold as it had better default names and I no longer needed to do any RNG manipulation, so the advantage Silver had is now gone.
You were exactly a month late. Other than that, superb improvement!
AzumaK wrote: I swear my 1 year old daughter's favorite TASVideo is your R4MI run :3 xxNKxx wrote: ok thanks handsome feos :D Help improving TASVideos!
Post subject: Movie published
TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15583
Location: 127.0.0.1
This movie has been published. The posts before this message apply to the submission, and posts after this message apply to the published movie.
[4465] GBC Pokémon: Gold Version "save glitch" by CasualPokePlayer in 03:14.16
Banned User
Joined: 4/1/2016
Posts: 295
Location: Cornelia Castle
Wait a minute, isn't this "game end glitch", not "save glitch"? I'm confused.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
If this was improved by 1 frame, it'd be 3:14.15 for the digits of pi meme. Worthwhile?
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Emulator Coder, Judge, Experienced player (729)
Joined: 2/26/2020
Posts: 783
Location: California
Patashu wrote:
If this was improved by 1 frame, it'd be 3:14.15 for the digits of pi meme. Worthwhile?
The actual time is 814362983/2^22 seconds, which is ~3:14.1592652798
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
CasualPokePlayer wrote:
Patashu wrote:
If this was improved by 1 frame, it'd be 3:14.15 for the digits of pi meme. Worthwhile?
The actual time is 814362983/2^22 seconds, which is ~3:14.1592652798
Ok, I stand corrected - that is VERY pi-tastic already. Nice work!
Site Admin, Skilled player (1254)
Joined: 4/17/2010
Posts: 11475
Location: Lake Char­gogg­a­gogg­man­chaugg­a­gogg­chau­bun­a­gung­a­maugg
DJ Incendration wrote:
Wait a minute, isn't this "game end glitch", not "save glitch"? I'm confused.
Post #506791
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.