isleep2late

research [SOLVED] Some progress I might've made in removing Battle Maison/Battle Tree restrictions / banlist


Not sure if this is the right place as I don't know how much of a breakthrough this is so mods please let me know if this should be moved elsewhere. There's been multiple posts asking about how to remove the banned Pokemon restrictions on Battle Maison in X/Y/ORAS (Some people are even offering bitcoin incentives to have this figured out). I've spent pretty much the entire day working on this/trying to figure this out but for the life of me could not, so to have this day not go to waste I'd like to share some of the progress/things I found out and discovered along the way. Hopefully someone out there can pick this project up and finish working on it.

So how do you remove the Battle Maison restrictions? My conclusion, after a lot of experimenting, is that you have to edit the DllBattlePartySelect.cro file. Here are my reasons:

1) After messing with that .CRO file, I rebuilt romfs using PK3DS, loaded the patch using Hans, and my game was running completely fine up until the point where the Battle Maison lady asks me to select Pokemon. The game freezes at a black screen and I'm forced to power off.

2) I messed with DllBattlePartySelect.cro by reading it through a Hex editor. Call me crazy, call this a conspiracy theory, but there are 31 instances of the Hex-value sequence "FE FF EB" in that file, and there are exactly 31 Pokemon banned in Battle Maison.

Now I know it's been said before that CRO files can't be edited, and if they do then the game just crashes, but after some research I came across this thread and heard people saying that CRO editing works with Luma3DS (I use Gateway3DS for launching Hans using homebrew). So I spent time setting up Luma and between the CRO resigner and Luma I couldn't get anything to work lol. After patching static.crr with cro_tool.exe the game wouldn't boot so I used the old static.crr, and patching the romfs into a .cia file for Luma3DS didn't work either...

So in short, editing DllBattlePartySelect.cro by modifying the 31 iterations of the "FE FF EB" hex values is my best guess at figuring out how to remove Battle Maison restriction (I am using Alpha Sapphire, sorry if that becomes relevant). The million-dollar question is figuring out how to edit CRO files using a Hex Editor without having the game crash. Maybe Kaphotics or SciresM would know how to do this. I know there are some CRO editing capabilities that Pk3DS has, but still no way to edit that golden DllBattlePartySelect.cro file.

 

Edit 9/24: Solved for ORAS. Still need to find the garc location for X/Y (if anyone really cares). As well as for SuMo's Battle Tree. 80% sure this will be the same for Ultra Sun and Moon, but it would be naive for me to say that about a game that hasn't even been released yet.

EDIT 9/25: Confirmed working for Sun and Moon. tl;dr: GARC location for ORAS is a/1/7/0, for SuMo it is a/1/3/7. Replace the bytes quoted by Kaphotics with 0's and you're good to go!

EDIT 9/26: You can now remove Soul Dew clause in Gen 6 games, rendering the banlist completely lifted! The only type of Pokemon to still be banned in Battle Maison is one whose total EVs exceed 510 (this is allowed in SM, don't ask).

Edited by isleep2late
Successfully lifted Soul Dew ban in ORAS

In Moon, BattleRoyalResult.cro has 39 such entries of FE FF EB, which *could* be the 38 forbidden pokemon + the egg, but the Maison forbids 32 Pokemon, 31 + egg, so something does not match up.


Well just today I spent several hours (the whole day pretty much) revisiting this little research project. My fear is that it would be in a .CRO file, because those are obviously harder to edit and have the ROM properly function. So I went through every GARC file in the a folder, basically deleting each of them and building a new rom with a different single garc file missing every time (Citra 3DS was a godsend in allowing this to happen without a 3DS). The reason for this madness was that, IF the banlist was in a garc, I could discover this garc if one of these temporary "test dummy" roms faced a fatal error upon selecting a team of Pokemon during Battle Maison. This might have been how the narc in BW2 Battle Subway was discovered, as I tested deleting a\1\0\6 in Black 2 (thanks to this thread) and running the game. When that happened, the game would freeze at some point talking to the subway worker, so I figured the same thing should happen when talking to the maison employee when the proper garc was deleted.

Here are my results: the file in BW2 is roughly 8 kb in size, so I would expect the file, if it were to exist, to at least be 9 kb or anywhere from 10 kb to 20+ kb, but it wasn't out of the question that it could be less than 8. Therefore, I tried to be selective in my decision process as to which garcs to delete. I obviously didn't go through all of them, as this pastebin has 90% of the work cut out, and so anything that was clearly described to be unrelated to Battle Maison I skipped. I believe I had an "aha!" moment at a\1\0\1 but then I realized I reached the fatal error when opening up my party through regular means, meaning that wasn't it. And then at a\2\2\6 I discovered the SAME type of error that was reproduced in BW2 Subway, which made me believe this was truly the garc, since it fit all the criteria being a) not mentioned in the pastebin and b) about 20 kb in size.... So I tried dissecting the unpacked GARC. I can go more into detail with what I did, but suffice it to say at least some of the data involves the UI of the party selection (ironic... because as I'm typing this, that is what I thought DllBattlePartySelect.cro was for, which was the original reason why I moved away from the CRO theory). And so because this garc deals more with the actual interface and design of the Maison party selection screen, I am 95% confident that this was a red herring (Although any one reading this is more than welcome to prove me wrong if you can analyze that GARC a little further).

Finally, I decided to give up, and I am back to square one. I guess I should share my garc findings with everyone publicly, so I'll attach the word document I made containing some of the notes I've made on all the garcs (please don't expect something big from these notes... they're very disorganized and anticlimactic lol). There are probably still some garcs left unfinished, so if anyone wants to try this at home... hopefully this document will save you a bit of time.

As for what ABZB has discovered, I would say that is a very curious and suspicious finding... I am very reluctant about the FE FF EB thing as well. Now I'm starting to think it was a huge coincidence and that I really should've kept my mouth shut about those hex values or I look like an idiot lol. I've tried many different things, from changing FE FF FB to FE 00 FB or to 00 00 00 and using cro tools and/or doing it without cro tools... I'm not an experienced computer programmer nor do I have very much experience with HEX editing or any of these sort of things (though I have learned quite a bit from this venture). But hopefully everything I have just said and laid out for you guys is something that, for the next person who wants to attempt to remove Battle Maison/BattleRoyal/BattleTree (or whatever SuMo equivalent) banlist restrictions, will bring you one step closer.

 

tl;dr: The banlist might possibly be in a\2\2\6 if it is a GARC but is more than likely still in the DllBattlePartySelect.cro file after ABZB's response, even though I thought that was no longer the case. If the latter is true, then it will be a huge pain in the neck, and may or may not have anything to do with the sequence "FE FF EB". Either way, I no longer have the time to work on this (at least not for the next couple weeks before my exam :P )

documentation for battle maison readme.docx


After some thought:

If the "FE FF FB" is how the banlist is implemented, either

a) there must be somewhere a list of index numbers that matches up somehow to those "FE FF FB"

or

b) there is a series of fixed length blocks, with "FE FF FB" indicating a ban and some other values in that offset (per block) indicating permitted.

First, I'm going to do the math and see if the offsets between the "FE FF FB" make sense for case b. If they do, I'll see if there is a consistent value for that offset in the other blocks and go from there (for example, I'd expect to see two consecutive instances early on (Mewtwo & Mew), with the next instance coming at (Mew location - Mewtwo location)*0x98+Mew location (Lugia)).


If that test fails, I will then write and try the following two programs:

1a) Search through every file, starting with our suspects, looking for any string that shows up in that file at n*X, where n is a positive integer and X is a 1x38 matrix whose values are the index numbers of the banned pokemon (in case the egg is not banned in the same way/location as the rest).

1b) Same as 1a, but convert the hex to binary and look for a string of binary digits with the desired property (in this case, looking for one of the two binary numbers 802 bits long, either the one which is 1 for the banned indices and 0 everywhere else, or vice versa).

2) Parse through all the files (starting with our suspects) looking first for instances of the index numbers of the banned pokemon (write them to a text file along with their offsets, see if there are any likely-looking clusters (as in case a)).

Also, as an aside, I know that the SM shop.cro file is editable by pk3ds, and works with Luma drag&drop, so there is presumably some working method, at least as of the date that Dio Vento released his SM mod.


Hmm, I'm not sure if this gets us anywhere, but I was able to successfully edit DllBattlePartySelect.cro and have the game run without the game crashing. The bad news is I got rid of a segment containing "FE FF EB" without any significant changes to the game, which makes me think this is not the likely culprit. Here's what I did...

 

1) I replaced offsets 000005D0x08 through 000005E0x07 with all 0's

2) Copied and pasted the cro_tool.exe file in the romfs folder, copied and pasted static.crr from the .crr folder to the romfs folder, then clicked and dragged this file onto cro_tool.exe, which supposedly is the way you're supposed to use cro_tools (it helps to have two separate File Explorers of the same romfs folder side by side). By the way, not doing this step will cause the game to not load, which is the original problem with CRO files.

3) Built the rom, then proceeded to test each and every pokemon that is banned in battle maison to see if it was unbanned. Turns out... they're all still banned, lol

 

So in conclusion, it's possible to edit "FE FF EB" successfully, but this likely won't be the solution to removing the banlist. I tested all 31 banned pokemon plus any pokemon holding Soul Dew. All were still banned, but I did not test the egg. However, there being only 31 instances of this sequence and there being 31+egg+Soul Dew doesn't really add up....

Interestingly, the sequence "10 A0 E3" appears 66 times, and that is about how many different banned pokemon there are if you include their forms (i.e. Mewtwo, Mewtwo X, Mewtwo Y, Arceus-Bug, Arceus-Ghost, etc etc). But this is again grasping at straws. The good news is that it IS possible to edit this CRO file while successfully getting the game to work. But replacing a large amount of the code with 0's will not work.... so the question is what did I actually affect when I performed Step 1 and how much of that can I do before the game decides to crash.

Still, I am interested in your findings @ABZB so keep us posted! As an aside to you btw, are there any iterations of "10 A0 E3" in the SuMo CRO? I'm starting to think that since the data in the game when looking at the Pokemon data in whatever GARC it's in has separate Pokemon identifications for different forms, so is the case for the banlist (i.e. the game distinctly recognizes Mewtwo X as a different "species" than Mewtwo in its code. That's how pk3DS works and that's also how PKHeX works when looking at the source code, and that is also how the ROM data works when unpacking the garc file).

PS: If my "10 A0 E3" theory is correct, and I did somehow make a change in Step 1 ("10 A0 E3" is within those offsets), then I would expect that one of the alternate Pokemon forms was unbanned. But I don't have the patience to go through every banned Pokemon form. Not tonight at least lol. Anyone else feel free to test it out. I'll leave this alone for now so it'll give me something to work on over the weekend. If this is the case, then the "FE FF EB" theory is not dead after all, since it could very well correlate to Pokedex # (which is not the same as Pokemon species if you count megas/primordials as separate).

 

*Edited* Formatting. Also wanted to say that I am now 99% positive that DllBattlePartySelect.cro is the file that contains the banned Pokemon. This is because if you look at my previous post on this thread, the garc file that I thought was the culprit turned out to change the appearance/User Interface of the "Battle Party Select" part of the game. When messing with the garc and messing with the cro I get the same issue of crashing at the same spot, but the garc I now know is responsible for the UI, so the cro has to be dealing with the content of that segment of the game (i.e. determining the legality of a Pokemon). It also fits intuitively with what the other CRO files do (picking out a starter pokemon, etc). And finally, I just want to say that once this is figured out for ORAS, it should not be at all different from SuMo, which I am also most certainly interested in removing the banlist for as well. Baby steps, but we are definitely getting somewhere now.... It's only a matter of time ;)

Edited by isleep2late

Remember this? Have you tried editing it?

In the exefs is a 38 count list of species IDs:

.data.r:0059E870 word_59E870     DCW 150, 151, 249, 250, 251, 382, 383, 384, 385, 386, 483
.data.r:0059E870                 DCW 484, 487, 489, 490, 491, 492, 493, 494, 643, 644, 646
.data.r:0059E870                 DCW 647, 648, 649, 716, 717, 718, 719, 720, 721, 789, 790
.data.r:0059E870                 DCW 791, 792, 800, 801, 802


It's called by PokeRegulation::CheckLegend, which looks like this:

signed int __fastcall PokeRegulation::CheckLegend(PokeRegulation *this, int a2, unsigned __int8 a3)
{
  signed int v3; // r1@2
  __int16 *v4; // r2@5
  PokeRegulation *v5; // r12@5
  bool v6; // zf@5

  if ( this != 670 ) // floette
  {
    v3 = 0;
    while ( 1 ) // iterate until list is finished
    {
      v4 = &word_59E870[v3]; // legend list
      v5 = *v4;
      v6 = v5 == this;
      if ( v5 != this )
        v6 = v4[1] == this;
      if ( v6 ) // ???? dunno, possibly an external banlist having a bitflag set
        break; // returns true
      v3 += 2; // each species is 2 bytes (ushort)
      if ( v3 >= 38 ) // last entry exhausted
        return 0; // false
    }
    return 1; // true
  }
  if ( a2 == 5 ) // AZ Floette
    return 1; // true
  return 0; // false
}

That's probably the function it calls; simplest way for the game to check is to just check all species through a list rather than bitflags, which would be reserved for dynamic banlists (ie rulesets in the save file, in which the goal is to minimize the space used rather than speed).


Oooh that might be exactly what we're looking for.

The program I was going to scribble was to look for data looking exactly like that...

 

Plan to test after work.

EDIT: Had some time: Looking through the ExrearedExeFS\code.bin, found that string at 49E87 through 49E8BB. Replaced every value with Bulbasaur (01 00). Will test later.

Edited by ABZB


Hmm.. Unfortunately this doesn't seem to work. I've tried editing both the entire exefs.bin as well as the code.bin, replaced those respective bytes you mentioned with all 0's (rather than 01 00), and it didn't change anything. In fact, the proof that it didn't change anything lies in the fact that when looking at the banned pokemon which in Sun and Moon is made explicit in a display list, all the Pokemon that are banned are still listed and it continues to recognize those marked as legendary as banned.

 

I did put a lot of thought into the idea that there could be a list of banned pokemon that you simply have to edit, but it looks like even though there is a recognized list of legendary pokemon, this is not what the game references when they identify banned pokemon. The good news, for me at least, is that I finally know how the files identify pokemon lol. I always knew Mewtwo and Mew were "96" and "97", but I just didn't know how the game recognized 3-digit hex index numbers based on this incredibly useful resource. Turns out the first number is made to be the second byte, so that Guzzlord's "31F" becomes under a hex editor (such as HxD) "1F 03" (this isn't banned, just being used for demonstration purposes). Now it's just a matter of figuring out which file (is it still in CRO? Is exefs off the table now?) contains these identifiers. It's not necessarily going to be all nicely adjacent to each other like in exefs.bin/code.bin


Corroboration.

I think the next step is me writing a program which looks through every file for every instance of each of the legendary's numbers, spits back a list of the ones that have occurrences of all of them, then narrows down from there.


I looked deeper into regulation and I found something interesting:

https://pastebin.com/5FwTiami

We know that the player has to select a team, and the game has to know if that pkm is allowed or not.

I assume if the sublegends/legends list wasn't directly used, then it'd be the bitflag alternative.

Since we know the legends are the only ones banned, and only species are banned... (using PKHeX's legends list and c#):

using System.IO;
using System.Linq;
using PKHeX.Core; // Legal.Legends is PKHeX's list of legendary species IDs

// one flag per species index (0..807); true where the species is a legend
bool[] value = (new bool[808]).Select((z, i) => Legal.Legends.Contains(i)).ToArray();

// pack the flags LSB-first, 8 species per byte
byte[] data = new byte[value.Length>>3];
for (int i = 0; i < value.Length; i++)
    if (value[i])
        data[i >> 3] |= (byte)(1 << (i & 7));

File.WriteAllBytes(@"D:\bans", data);

This generates a 101 byte file:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 0E 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 
07 00 00 00 00 00 00 00 00 00 00 00 98 7E 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
D8 03 00 00 00 00 00 00 00 F0 03 00 00 00 00 00 
00 00 E0 01 07

I searched through the decrypted ROM and found it in multiple places. Try clearing the appropriate bitflags everywhere (or maybe just replace this chunk with 101 zeroes). Stop after F0 03 for ORAS (728 bits, 91 bytes).

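As an added example (not code from the thread, and not PKHeX's own), here is a Python version of the bitmap construction above, fed with the 38-entry exefs table quoted earlier; it also covers the search step ABZB planned, locating and zeroing copies of the bitmap inside a buffer. The buffer it scans is constructed inline and is not taken from any game file.

```python
# Species-ID bitmap used for the Battle Maison / Battle Tree banlist.
# Added example: rebuilds the 101-byte bitmap Kaphotics generated from
# PKHeX's legend list, decodes it back to species IDs, and finds/clears
# copies of it in a constructed sample buffer.

# The 38-entry word_59E870 table quoted from the exefs earlier in the thread
# (National Dex numbers of the legendary/mythical species).
LEGEND_SPECIES = [
    150, 151, 249, 250, 251, 382, 383, 384, 385, 386, 483,
    484, 487, 489, 490, 491, 492, 493, 494, 643, 644, 646,
    647, 648, 649, 716, 717, 718, 719, 720, 721, 789, 790,
    791, 792, 800, 801, 802,
]

# PKHeX's bool[808] covers species 0..807: the SM bitmap is 808 bits = 101 bytes.
SM_BITS = 808
# For ORAS the thread says to stop after "F0 03": 728 bits = 91 bytes.
ORAS_BITS = 728

# The 101-byte dump posted in the thread, kept here for comparison.
POSTED_DUMP = bytes.fromhex(
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 0E "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 "
    "07 00 00 00 00 00 00 00 00 00 00 00 98 7E 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "D8 03 00 00 00 00 00 00 00 F0 03 00 00 00 00 00 "
    "00 00 E0 01 07"
)


def encode_banlist(species, nbits=SM_BITS):
    """Set bit `species` (LSB-first within each byte) for every banned ID.

    Mirrors the C# in the thread: data[i >> 3] |= 1 << (i & 7).
    IDs at or beyond nbits are dropped, which is all that separates the
    91-byte ORAS variant from the 101-byte SM one.
    """
    data = bytearray(nbits >> 3)
    for sid in species:
        if 0 <= sid < nbits:
            data[sid >> 3] |= 1 << (sid & 7)
    return bytes(data)


def decode_banlist(data):
    """Return, in ascending order, every species ID whose bit is set."""
    return [i for i in range(len(data) * 8) if (data[i >> 3] >> (i & 7)) & 1]


def find_bitmaps(blob, bitmap):
    """Offsets of every copy of `bitmap` in `blob` (overlaps included).

    Matching the whole 101-byte pattern avoids the false hits you get when a
    hex-editor search starts on the long run of 00 bytes.
    """
    offsets, pos = [], blob.find(bitmap)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(bitmap, pos + 1)
    return offsets


def clear_bitmaps(blob, bitmap):
    """Replace each copy of `bitmap` with zero bytes, keeping the blob size."""
    return blob.replace(bitmap, bytes(len(bitmap)))


def build_sample_blob():
    """Constructed sample (hypothetical filler, not a real GARC): two copies
    of the bitmap at offsets 16 and 124, surrounded by non-zero padding."""
    return b"\x11" * 16 + POSTED_DUMP + b"\x22" * 7 + POSTED_DUMP + b"\x33" * 4


def main():
    sm = encode_banlist(LEGEND_SPECIES)
    print("matches posted dump:", sm == POSTED_DUMP, "-", len(sm), "bytes")
    print("ORAS bitmap ends with:", encode_banlist(LEGEND_SPECIES, ORAS_BITS)[-2:].hex())
    blob = build_sample_blob()
    hits = find_bitmaps(blob, POSTED_DUMP)
    print("copies found at:", hits)
    cleared = clear_bitmaps(blob, POSTED_DUMP)
    print("species still flagged after clearing:", decode_banlist(cleared[hits[0]:hits[0] + 101]))


if __name__ == "__main__":
    main()
```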

SUCCESS!!!

Replace all 29 instances of that ^ with all 0's in the garc located at a\1\7\0 and you will be able to use your Mega Mewtwo's and Primordial Groudons to your heart's desire in Battle Maison :) (Ignore the "E0 01 07" for ORAS games I guess, as well as X and Y).

Have not tested this yet for Sun and Moon but if it was as easy as it was for ORAS then it shouldn't be difficult. I'll bet it'll be the same for Ultra SuMo as well, if not similar.


Can confirm this works on Sun and Moon as well (I knew it would, but just confirming that it in fact does). The garc for SuMo is located at a/1/3/7. Just replace all instances of that code once again with 0's (including the "E0 01 07" bit). If you're doing a Ctrl + F or Search and Replace, I would start off with "C0" rather than the bunch of 00 00's. There are only 14 iterations of that code, which is very very unusual because there were 29 instances in ORAS and a different amount in BW2. So I guess the moral of the story is that it's all encrypted, and there is no rhyme or reason to the "number of banned pokemon" to the number of banned code repetitions. I've made a video demonstration on my channel which I will not share in this post, but here is some additional photographic proof:

Next step: Edit number of pokemon and pokemon level! lol jk... Also for what it's worth, the file size in ORAS is 33 kb whereas for SuMo it's 29 kb (and it's 8 kb in Gen 5 for comparison even though i know NDS is different). I think that's rather interesting, and sheds some light into the structure of the ways these garcs are organized. 

Another interesting tidbit: Neither of these banlist garc locations were figured out during the initial decryption phase of R&D. In ORAS, the garc was labeled

a\1\7\0 - 53 * 604 bytes Battle Video Info Markup Template

from this pastebin uploaded by Kaphotics and it was labeled 

a\1\3\7 - com_seasand02 02_beachslope

from this GBATemp repost by BelmontSlayer. I would be interested to know if a/1/7/0 does still contain a Battle Video Template, because I wasn't sure if each garc did only one specific thing or if they could do multiple things. But anyway, thank you so much Kaphotics for your help and ABZB for all your contributions! I know a lot of people have been asking about this and I'm glad the community can finally put this issue to rest.

BTW, I still don't have it for X and Y and I'm not sure if anyone wants it for X/Y. I won't waste time finding the garc for XY unless someone wants me to (or you can just do it yourself :P )

32 minutes ago, isleep2late said:

You made a mistake in your post, Sun/Moon are called SM for short


Ah my bad lol. Looks like from the projectpokemon discord there are some people who still play XY and already people working on finding the GARC for that.

I also want to point out that this method does not unban Soul Dew from ORAS. Soul Dew removal is possible, and it took me quite some time to figure this out. I started by continuing the search for those bytes in the rest of the GARCs, nothing. Then I went back to a/1/7/0 and slowly hex edited every piece of data to "00 00 00..."s. My Slowbro holding a Soul Dew was still banned (lol). Then I hex edited some of the stuff in the beginning of that file to all 0's and finally my slowbro was unbanned. It looks like you can start at offset 00000102 and just hold 0 until you're at the end of the file, lol (it helps to click on different parts of the file while you're holding 0.... but really it's that initial list of bytes starting early up in that file that determines that soul dew is banned.) I'm guessing this can be explained by the fact that that list of hex values are items? Not entirely sure tbh, since according to this bulbapedia article Soul Dew's hex value is E1 but that is nowhere to be found. But then again neither are the hex values of any of the legendary pokemon, so long story short everything in the game is pretty uniquely obfuscated.

BTW, idk about the very first bytes in that file but it's interesting to note that in Black and White (2), changing everything to 0 in the "banlist" narc causes the game to crash. That is not the case in Gen 6. And this process is not necessary in SM (I said it right this time haha) as Soul Dew is not banned (it got a nerf wherein it only buffs psychic and dragon type moves by 20%... lame).

 

So that's about it! Everything I ever wanted to figure out how to do has finally been figured out. I haven't tested other clauses such as item clause or species clause (i know this does not remove item clause in SM Battle Tree). I guess that would be the next logical step, but I'm pretty content with stopping here. Some people have been asking me to make a tutorial on how to do this, which I'm not opposed to doing, but everything can already be figured out from reading the past 12 posts on this thread.

As an aside, I would highly discourage anyone from doing this and playing the edited ROM on a 3DS while using the internet. I don't know for a fact that this would get you banned, I just think it makes good sense to protect yourself from that risk. Please, if you try this at home, play your ROM while your 3DS's internet switch is turned OFF!


For Ultra Sun & Ultra Moon, the bytes can be found in a/1/4/1 (30 kB). So happy that I can remove the ban-list in Ultra Moon now. Thank you all for finding a way to do this!


So is there any news about where the files are in Pokemon XY? I'm really looking forward to unbanning mythicals, most importantly.
