Pretty simple to make with little understanding of Z80 and an opcode table.http://gamehacking.org/faqs/GameBoy_Z80_Opcode_Map.html
Maybe I'm looking at a different version, as the addresses seem off. I'm looking at the English Gold version.
Looking for certain instructions, check a few around to see if it lines up.
The fix to this bug is simple, we just have to change the ret nz instruction before the three sla b to a ret z instruction that does exactly the opposite.
Looking around that area for three SLA Bs (CB 20) in a row. That looks to be $EDAB. Since the instruction right before is the bad one, that means $EDAA should go from $C0 to $C8.
So we'd just change the cp BURN HEAL to cp MOON STONE, whose constant is 08 (Burn heal's constant is 0A).
Find the CP 0A. (opcode FE 0A)
$ED58: 0A -> 08
For the speed one, checking the opcode chart, the bad code starts with INC HL CP #FF. That's opcodes 23 FE FF. That instruction is at $EDCA.
Reading the further post, it seems the right fix is to change CP C : JR NZ .next to CP C : JR Z. The bad instruction is B9 20 ?? (?? as that is branch length, we don't know unless we count the length of the skipped opcodes). Looking at the hex, it turns out the instruction is B9 20 0A. 0A is the branch length. 0A is at $EDD1.
That means it skips the next 10 bytes after the instruction. Indeed that would put us at the following DEC D (15).
We need to go back. The following instruction is a branch length of 0. We go backwards by starting at FF when pointing to the 0A. The CALL instruction should be easy to find (CD ?? ??). Find the CD and then it's one instruction before : 3E 0F. The 3E is at $EDC5. We need to count from the 0A to the 3E.
Starting the count at FF with the cursor at 0A, we move back and count down. We get to F3 when pointing to the 3E.
Therefore the fix is $EDD1: 0A -> F3.