Dissecting Pokemon Red Savegame 

.

Username checks out

would love to see that video

Can't wait.

Maybe you need to provide your twitter

That's so friggin cool. What a fun, interesting, practical way to learn!

That would kinda be a cool idea for a game I think. Tell the players that thy are already holding the map and the silkscreen would show town names and such in the cartridge that you could see through the plastic of

If you used multi-layer boards you could get all the connections you'd need for it to work and then use the topmost layer to lay out some traces that would be the map. They could still be functional too if you worked it out right

Cheesed it!

Checksums exist to detect unexpected flips in storage data, not unexpected flips in active memory. The GameShark family worked by hijacking the communication between the game cartridge and the console and patching the game's ROM on the fly. While Action Replay and other more modern cheat mechanisms work by hooking a small piece of code to be run every frame, locking specific RAM values to what the cheatcodes have set. PC game cheating software works in exactly the same way, implementing the same memory lock mechanism by taking advantage of the OS's native multitasking support and timers, and using special functions in the OS intended for debuggers, to gain access to the game processes' private memory. Either that or hooking custom code into the game that changes its behavior in more advanced ways. After all, nobody really cares about stopping you from cheating singleplayer games. If you want to cheat in your own singleplayer experience that's just for you and you alone anyway, that's your decision to make. In fact, there's also many online game servers that trust in the game client's logic, and will only react to desynchronization of the game instances across players. Thus, if hackers make a private lobby where their games are all running with the exact same modifications, their games will stay synchronized, and those servers will let these uniformly hacked lobbies play with no issues. This is my personal favorite approach to online play, since if me and my buddies are all hacking privately with the same rule changes applying to all of us equally, then it's not cheating anymore. We're basically just playing a new game. It's a less reliable server design though, and things can slip through the cracks... Unfortunately, there's also selecting normally unselectable characters, items and maps (if the devs don't account for it). Since they exist in every copy of the game, and those are technically valid object IDs, if those IDs end up on the network for any reason, many games will load those resources and allow those components to spawn online. That is cheating though, since hacking your game to select unselectable things doesn't usually allow other players to select them too.

@@3lH4ck3rC0mf0r7 Ah there was something back in the Black Ops 2 days where there was a camo for a weapon that you could only get if you pre-ordered the game. If you set the right item ID in memory it would show it, but as soon as you went into an online game the server would realise and it would be removed from your weapons. Interestingly though, there was a second set of IDs with one of them pointing to the same camo. That ID didn't get checked by the server - so you could essentially hack your account to be able to use it. (Although you needed to have bought another specific DLC camo for it to stick properly). I wouldn't call that cheating though - it was only a visual thing.

@@StartToSkill It is cheating if it affects gameplay in a way that puts the hacking player in unequal grounds compared to the other players. Super Smash Bros. Ultimate has a valid character ID for Giga Bowser in its code. Hack your game to select it, and you'll be playing as an overpowered boss character online. You can also select story-mode maps or special maps that are not designed to have Vs. matches playing on them, where their death boundaries do not conform to Vs. Match standards. I'd say selecting a hidden character is cheating, but selecting a hidden map may or may not be. A hidden map is weird for everybody, not just you, and it is just as likely to benefit any given player as it is to play against them, not just the hacker. Of course, the hacker is likely to pick maps that they'll know will favor them, but this also relies on the hacking player being granted their turn to pick a map. If it is another player's turn to pick the stage, this doesn't happen in the first place.

@@3lH4ck3rC0mf0r7 I get that, but a gun camo in call of duty doesn't give you any advantage whatsoever. Never have I not noticed an enemy because their gun was camouflaged. ...or maybe I have 😂

@@StartToSkill Yeah, I know. I wanted to put that example out there though, because I actually saw it in action (ZeRo made a video when a hacker entered one of his public arenas and this stuff is exactly what ensued) I know Nintendo pulls a lot of telemetry and uploads crash information of the games to the servers because I also use a modded Switch and had to turn off all that stuff (although I'm not subscribed to the online service, so I can't go online even if I was not modding), and given the game did crash for these guys several times in one of the hacked stages, I assume Nintendo had more than enough data sent to them to ban RareKirby's console on the next audit. But I can't know that for sure... And then there's the mess that is Fallout '76. Fallout '76 is special, because its servers completely trust all the game clients at an entity/engine level. That game just sends all the entity state changes caused by their players to the servers, and no sanitization of those state changes takes place. Meaning any silly scripthook will trigger state changes, get them processed by the game engine, and then the engine automatically just uploads those changes into the servers online, and into other people's games. This is insane, almost any mod shy of custom assets that would typically only work in a singleplayer game works online there. This went as far as freely spawning NPCs and entities left lingering in the game's code from older Fallout games, and outright _stealing inventory items from other players._ Yes, as in, you're in my render distance, and I get your inventory, while you look and find that all your items have disappeared. And let me say, that is not how any online mode should work.

(SGB Enhanced)

I was looking to see if someone pointed this out before I commented LOL

"Broken" is a bit unfair in this context. They simply did not have storage for more checks.This can easily be verified by the fact that the Pokemon games are among the biggest few game boy roms in existence. It's more of a display of: Nothing is free. Not even the "magical performance gain" some people attribute to assembly. You mostly cut corners like checks. Higher level languages just went off in an entirely different direction. Just to have data types you need to allocate tons of storage just for metadata that tells the system how to treat the actual value. While on the GameBoy you just wrote the values and prayed nothing tries to mess with them in an uncontrolled fashion like god forbid overflow something. That's why a modern 32bit integer will never just use 4bytes. because 4 bytes would be just the payload. Then you have nothing that tells the program stuff like: How big is this? What type of data is it? So assuming just 1 bytes for each those 2 questions would be 6 bytes of total storage need. 5 if you say the data type is the first one and assign int32 its own number, but then you are limited to 256 data types of which signed and unsigned int32 already take up 2. But assuming IBM sort of standard the first few bytes usually indicate the length. And even then we haven't even touched on the additional code requirements to actually use this additional information. (And even then the computing cycles top check em.)

@@fgregerfeaxcwfeffece I didn't say they could have easily done better, just that the game's broken

@@Qbe_Root So how often did you execute arbitrary code on accident?

Yes

Pretty much, it's one reason why I love writing homebrew games for the GB because I'm fascinated with the idea of bank switching and custom PCB designs. The creativity is endless.

HOW DO I SAY ZZAZZ? WTF

​@@bonkmaykr Just "zazz", I think.

First gen had trainer IDs, random number generated to tell if you got the pokemon in a trade. That is what the first difference other than names was. The next was play time, nothing at all to do with RNG.

@vlnux I've only tried the trial of 010 but the templates work great. It's really helpful when reversing some unknown file format www.sweetscape.com/010editor/templates.html

Oh yes. I love 010 Hex Editor. It's great!

@@4g3v I made an 010 template covering every single variable across the entire save file github.com/junebug12851/pokered-save-editor/blob/master/non-app-assets/savefile-structure.bt ---- Personally I love the editor although it's designed for very complex modern binary files so it can sometimes be overkill for just an old GB Sav file. The templating system was worth the money though.

Yes.

So the game save has 4 banks. Bank 0 is mostly garbage but contains HOF data. Bank 1 is pretty much 99% of the game. Bank 2 and 3 are identical and they contain boxes 1-6 and 7-12. The way the game is designed, only 1 box is active at a time and that's to simplify code and memory usage. The game has a "cached box" or a "fake box" in bank 1. The box you are currently using is actually the fake box. When you change boxes it has to copy the fake box in bank 1 over the real box in bank 2 or 3 overwriting it. Then it has to copy the box you want to switch to from bank 2 or 3 to the fake box in bank 1 overwriting it. This is why the tedious save mechanism for bank switches. They didn't have to have this complicated system but they did it for performance since they gamble you won't change boxes too often.

There's also the play timer.

To mask the output to just be a single byte

@@LiveOverflow Ah, thank you

0x8000 = 32768

It protects the save data from being corrupted.

Nvm VBam works

There is a thing called ROM-hacks, modifying the original game or even complete reworks and new levels. The SuperMario and Zelda ROM-hack scene was very active in the past few years. look up "kaizo" and be amazed what is possible with rom-hacks. (together with smb or swm; kaizo means rearraged but it's current meaning is more like "in the spirit of the oririnal kaizo levels" = very hard; so you will also find a lot of smm kaizo) while you are at it, look for speed runs in general. the exploits they use are often really crazy. my favorite speedruns are still smw, only 45 seconds from intro to credits :D

Oh, I thought that was an RNG thing that generated based on your player name.

@@bsharpmajorscale I am not sure about the other data, I am just sure one is the ID player

@@thiscateatspancakes2451 I think there's a run where they give the player a specific name to manipulate certain RNG. But that's probably unrelated to the random player ID.

@@bsharpmajorscale The player id is a separate thing all-together and doesn't have anything to do with the name. It's just extra security defense so that if you trade Pokemon with someone who has the same name, the game can differentiate which is a trade Pokemon and which isn't.

@@junehanabi1756 Got it.

Because for some reason it's using MacRoman character encoding for the decoded characters, which is Apple's own encoding dating back to classic MacOS. Character 0xF0 happens to be the Apple logo, even if that has nothing to do with what 0xF0 represents in the game ROM.

I think the cartridge RAM is only used for save data, although I could be wrong. If this is the case then it would only need to access the cartridge RAM when saving or loading a save.

It's only disabling the cartridge RAM (which is typically only used for save data), not the main console RAM.

Or also trainer ID

Same thing, I'm German and immediately I searched for comments like yours. Great video though