AGDQ "Mew under the truck" Writeup

1. Mew under the truck
2. =============================
3. Save file (didn't release early because lazy): https://cdn.discordapp.com/attachments/528745839708078093/673381639631536128/pokeblue_mew_unmodified.sav
4.  
5. Pre-ramble
6. =============================
7. The idea first started about a year ago. I posted the idea and my initial code on the GCLF forums (http://forums.glitchcity.info/index.php/topic,6638.msg197210.html#msg197210), but I scrapped the project away and began working on other things.
8.  
9. A year later, I thought it would be cool to show it off at a big event like AGDQ. My initial plan was to have the save start at the truck, but then Shenanagans_ suggested showing how to get back on the S.S. Anne, then preceeding with pushing the truck to reveal Mew. This made the code a bit harder, but it was worth it in the end.
10.  
11. Technical Terms
12. =============================
13. First off, if you don't know other numeric bases, then read something up on that (specifically binary and hexadecimal).
14.  
15. This explanation will use many technical terms. To clear things up, here are quick explanations of them:
16. - $: $ will indicate a hexadecimal value. (0x is the standard notation for a hexadecimal value, but $ is used in the RGBDS (Rednex Game Boy Development System) compiler)
17. - Byte: (Partially copied from Wikipedia) A byte is a unit of measurement of the size of information on a computer or other electronic device. It is composed of 8 bits, and can hold values from $00 to $ff.
18. - Address: A memory location in the GameBoy indicated by one 16-bit value, or two bytes. An address can be for ROM, or the many types of RAM.
19. - Pointer: A set of two bytes which tell the game the address of the data to use. For example, the game would use a pointer to the move data in order to find the attack power of a move.
20. - Tile: A 8x8 square composed of pixels. Tiles are stored in memory like a grid.
21. - Metatile: A cluster of tiles used to create a bigger tile in the game's memory. For example, the Pokemon Center sign is a metatile composed of 2x2 tiles.
22. - Block: Composed of a 4x4 metatile, this is the building block for overworld maps.
23. - Video RAM/VRAM: A special portion of memory in the GameBoy that handles data related to the display, such as the internal tilemap and the tile data.
24.  
25.  
26.  
27. Before I go on about how the setup works, there are three portions of memory that I'd like to explain in simple terms. They are:
28. - Map Script Pointer: Every overworld frame (2 frames while in the overworld without any menus open), the game will run code at whatever this value is. This handles stuff like trainer engaging, or special scripts like the Oak Cutscene in Pallet Town. By setting this to a value that points to WRAM (Work RAM), one could run custom code every overworld frame. This is the foundation of the whole setup; without this, it would have been much harder to create this.
29. - Map Text Pointer: In short, this tells the game where the text for NPCs and signs on the current map is located in ROM. Like the Map Script Pointer, one could create a custom text box for an NPC. Because there are multiple NPC and signs, the text pointer points to a table of multiple pointers, where the game uses the internal sprite ID to find which text to print.
30. - Bit 7 of the Tileset: This bit is completely unrelated to the tileset. It's used as a flag to determine if the game is entering a map from the CONTINUE option on the screen, to avoid re-loading map data when it's unnecessary. In the setup, this is used in order to keep the Map Script from being re-written upon changing maps.
31.  
32. Explanation
33. =============================
34. The save starts out in Vermillion City, near the Sailor guy. Right now, our map script pointer is set to an address in WRAM, to allow for later exploits.
35.  
36. (Technical note: The reason I can't set an invalid value to Vermillion Dock's Cur Script is because it flat out doesn't exist. For Vermillion Dock's Script, the game uses event flags to control scripts such as the boat leaving)
37.  
38. Our first goal is to get on Vermillion Dock without losing the custom map script. As mentioned earlier, setting bit 7 of the Tileset would prevent new map data from loading, allowing us to enter the Vermillion Dock and continue on with the exploit. However, there are some problems with that. The biggest problem is the game thinks that we're on tileset $80, which is obviously an invalid tileset (the game doesn't load garbage to Video RAM because the tiles are loaded using a pointer in WRAM, and not the value of the tileset). Here is a list of the uses of the current tileset relevant to the setup, and the problems caused with an invalid tileset:
39. - Determine if surfing is allowed.
40. - Problem caused: As the current tileset isn't in a tileset with water, we can't surf.
41. - Determine which function to use for checking for map warps. There are two functions:
42. - Function 1: Check if the player is standing on a warp tile (like a door tile) before looking if the player coordinates match a warp entry.
43. - Function 2: Check if we're facing the edge of the map.
44. - Problem caused: While the overworld (outside) tileset uses function 1, most other tilesets default to function 2. This requires us to adjust the map height in order to trick the game that warping is possible. However, by setting the Map Height too soon, upon loading the game, the bottom row of blocks won't be drawn on screen.
45.  
46. To solve these two problems, the custom map script will only modify the tileset and the map height if the player is surfing. This solves the surfing problem as it allows surfing, and solves the map height problem as the blocks have been already loaded in memory, so the map would look perfectly normal.
47.  
48. After surfing, the player enters Vermillion Dock. Because bit 7 of the tileset is set, the game will only load the internal map ID without loading other necessary map data. This is a problem, since the map would look like a bunch of garbage, and bear no resemblance to Vermillion Dock. Luckily, we can fix this with our custom map script. This is done with these steps:
49. - Check if the current map ID is Vermillion Dock.
50. - If it isn't, run the Vermillion City Script.
51. - Otherwise, continue running the custom code.
52. - Firstly, black the screen palette so the garbage map wouldn't be shown
53. - Secondly, load the actual map data for Vermillion Dock
54. - Thirdly, write the new map script pointer relevant to the Mew Code
55. - Finally, run the rest of the "EnterMap" code, which will run additional code and then execute the overworld loop
56.  
57. Now, to an unknowing viewer, this seems perfectly normal. However, the custom map script is secretly running in the background, doing the following checks in order before moving the truck:
58. - Check if Strength was used
59. - Check if the player coordinates match either the left side or right side of the truck
60. - Check if the bottom-left tile of the 2x2 metatile in front of the player matches the tile if the player was facing the truck
61. - Check if we've moved after all the above checks have been succeeded (this is to prevent pushing the truck by simply moving to the correct location)
62. - Check if we're facing the direction that would have the player face the truck
63.  
64. Once all those checks have been fulfilled, then comes the actual moving of the truck, with the following steps:
65. - Create a copy of the truck in the section of VRAM designated to sprites
66. - Change the player's sprite picture to the "moving" picture to simulate the player in a pushing motion, then wait one frame for it to be shown on the screen
67. - Disable overworld sprite updating to freeze the player sprite in the pushing motion
68. - Write data to the game's sprite buffer (which is copied to actual sprite data every frame) which will make the truck appear on the same spot as the truck on the map:
69. - Copy a "blank" tile to sprite VRAM. This is necessary as one of the four colours a sprite can have is transparent, so we need to copy an additional set of blank sprites under the truck in order to make the truck look "normal"
70. - Write more data to the game's sprite buffer which will write the blank tiles directly under the truck
71. - Adjust the truck's position on screen if the player is facing right
72. - Modify the sprite palette so the truck doesn't appear different from the one on the map
73. - (Temporarily) remove the truck block on the map
74. - Play the Boulder sound and animate the truck moving left/right, depending on the facing direction
75. - (Technical note: the reason the truck moves two tiles instead of one is because there isn't a block with only half a truck, and another block with the other half of the truck)
76. - Save the player's facing direction when the truck was moved for later, as well as the address of the truck block on screen
77. - Redraw the truck block on screen, relative to where the truck was pushed
78. - Hide the truck sprite
79.  
80. Now, we need to show Mew on screen. Unfortunately, the reasons for some of the stuff I did is all fuzzy, so I can't really explain much here. I know that the code could be optimized but I didn't want to mess with the code after it was done.
81.  
82. So, after the truck is pushed, the Mew sprite is created with the following steps:
83. - Create a copy of the generic monster sprite into the VRAM slot reserved for sprites that have only one facing picture (like item balls). This was necessary at the time, as I couldn't figure out how to make a sprite look in a set direction like trainers do, and if Mew were to face another direction, it would turn into another sprite as Vermillion Dock was never meant to have a generic monster sprite on screen (the reason it's located in VRAM is that it's a remnant of previously loaded sprite data.
84. - Enable overworld sprite updating (actually irrevelant and doesn't do anything)
85. - Write the number of non-player overworld map sprites to one (so the game will handle Mew's sprite)
86. - Write the sprite ID to overworld sprite data (overworld sprite data is a section of memory that handles various attributes of overworld map sprites. It is converted to internal sprite data every frame and copied to actual sprite data)
87. - Write the coordinates of the Mew sprite
88. - Prevent Mew from moving
89. - Set the "sprite slot" of the Mew sprite to a non-facing sprite to prevent turning.
90.  
91. Now, we have to animate the boulder dust:
92. - Disable sprite updating (enabled earlier)
93. - Modify the player's absolute x coord (pixel-wise) so that the boulder dust will appear to come from the end of the truck
94. - Run some code which does the boulder dust
95. - Fix the player's absolute x coord to what it was before animating boulder dust
96. - Enable sprite updating
97.  
98. Finally, we modify the map text pointer so that it runs custom text, and the script pointer so that it does nothing.
99.  
100. The player will then talk to Mew. The custom text will print the "Mew!" text, then run some custom code:
101. - Write Mew's internal index number to a special variable which will start a battle with the index number of the Pokémon contained in it
102. - Play and wait for Mew's cry
103. - Set the level of the Mew to be 5
104. - Write another map script pointer, which points to more custom code that will clean up after the battle is finished.
105. - Set bit 7 of the tileset to prevent the map script from being overwritten
106.  
107. The battle starts with Mew, and it is finished in any way possible. However, the map has refreshed to its original state, which means we have to fix the overworld map so that the truck stays where it was pushed. Since the custom map script is still in memory, it is executed to:
108. - Clear the Mew sprite from memory
109. - Write the truck block to where it was pushed. The address of the truck block that was saved earlier is used here.
110. - Clear the address of where the truck block would normally be. The saved player facing direction is used here to determine the location of the normal truck block, relative to the location where the truck block was moved.
111. - Finally, set the Map Script Pointer to the regular Vermillion Dock script.
112.  
113. Doing this setup at home.
114. =============================
115. Unfortunately, I didn't create a setup to store this code in memory. stump (twitch.tv/stumpdotio) had a save flasher which he used in order to flash the save which had the code stored on using an emulator. If I have the motivation, I may create a setup so you could fool your friends (Kappa), but for now there isn't a setup.
116.  
117. Special Thanks
118. =============================
119. The people who worked on the pokered disassembly - Without the amount of documentation they wrote, I wouldn't have been able to create this code
120. stump - for having a save flasher so I didn't have to create a bootstrap to write the code