Main Menu
Main Page
New pages
Recent changes
Random page

Arbitrary code execution
Pokémon cloning
Pomeg glitch and Glitzer Popping
Tweaking and voiding
Glitches by generation
Glitch categories

Disassembly projects
The Big HEX List
Pokémon cheat codes
Pokémon glitch terminology
Useful tools

Legendary Star Blob 2 (Hakuda) (日本語/Japanese)
Pokémon Speedruns wiki (English)
PRAMA Initiative (Français/French)
MissingNo. Glitch City (Italiano/Italian)
Become an affiliate!

Site source code

Search Wiki


Search Forums


Author Topic: Map distortion glitch Rival name variation for a powerful buffer overflow  (Read 287 times)

0 Members and 1 Guest are viewing this topic.

Princess Torchic Owl Lover ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I want to be a mother. 🦋 ✿
    • View Profile
If the current map contains a lot of 0x53 tiles, map distortion glitch items like 0x87 will print the Rival's name instead of the player's name. As we know through item underflow glitch (and Rival LOL glitch), it is possible to change the values (and length) of this string by modifying items and quantities.

The Rival's name can also represent a control character, such as a Pokémon name or the player's name (less ideal because Super Glitch, ACE and obscure things like connection copier are the only glitches which let you do that). This then, in theory, allows you to corrupt much more of the memory.

For the purpose of this post, we shall use a Rival name which contains the 0x59 control character.

Steps (theory):

1) First enter a battle and run. This loads 0x59 as (your Pokémon)

2) Fill the current map data with 0D building blocks. You can do this by having 50 Ice Heal x13 in the stored PC items and setting D35F to 3B D5. In the expanded inventory, this is represented by (item) x 59 followed by TM13. I looked to see if there is a place with many 0D bytes in the ROM. Unfortunately I couldn't spot any except in banked ROM, which I had trouble displaying for custom D35F values (even if the map bank is the same as the ROM bank for the source, it won't bring up those blocks).

Note!: You don't need 50 Ice Heal x13 and the actual amount needed is for now unknown. I'll edit this post with the minimum number needed after the theory is out.

3) Set your Rival name to 59 59 59 59 59 50

4) Open the menu with glitch item 0x87 at the top of the list

5) Profit!

I don't know how long this corruption was, but it was definitely powerful, corrupting cursor related data and sending us to a Glitch City (with entrance warp animation) with a Trainer encounter theme playing after leaving the menu.

It didn't quite corrupt map connections, so what you can do to escape is move up to go back to Viridian City. However I got stuck with the Start menu cursor glitched so I can't use a Rival's effect item. Darn...

Doing this with a different source map may give a different result though. :)

Note: With this glitch, you can heal out of bounds Pokémon if you use a healing item. This could potentially lead to the corruption of other memory addresses.

What I'm going to try and do is find a 'safe' way of corrupting CD38 so you have a replicable way to walk through walls without ACE. I will update this thread with my findings.

Update 1: If you keep spamming up, eventually the cursor will be in a normal range. This lets you escape and Fly away.

Update 2: I've tried corrupting CD38, which was successful, but so far I keep getting freezes upon closing the menu and I don't know what causes them. I can save and reset the game to disable the freeze, but that resets CD38 to 0 (and the enemy Pokémon addresses CFD8 and D059 for that matter), so that's no good. :(

Update 3: Invalid CC47 values cause a freeze after closing Start.  00 and 01 are fine. Maybe we can set it to 00 or 01 and still change later addresses in some way.

Update 4: CC57 comes into play too; bad CC57 values can freeze or execute RAM. This seems like another access point for ACE interestingly enough. Non-freezing values: 0x0D (5 ERROR forever), 0x16, 0x17, 0x2A (dismount Bicycle forever)
« Last Edit: December 08, 2018, 11:29:35 pm by Evie Torchic the Glitch Scientist »

Here have some free flowers on every post ^^

(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Sex male, and spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

War does not determine who is right or wrong; only who is loudest.
Athena follower. I know that some people view it as idolism, but I follow the spirit in relation to her and God too.

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3


  • That worldbuilding/micronations/MTG guy
  • Member+
  • *
  • Offline Offline
  • Gender: Male
  • *happy space elf noises*
    • View Profile
    • Hoennese Realm
Re: Map distortion glitch Rival name variation for a powerful buffer overflow
« Reply #1 on: December 09, 2018, 10:37:46 pm »
Hoennese Realm

All sprites made by Naitekiakki, except:
Recolored Gardevoir made by me


  • Ringsome on the aquaface
  • Administrator
  • *****
  • Offline Offline
  • Gender: Male
  • Is it an illusion, or a tower built on sand?
    • View Profile
Re: Map distortion glitch Rival name variation for a powerful buffer overflow
« Reply #2 on: December 10, 2018, 04:40:40 pm »
Quote from: luckytyphlosion
that's a lot of memory you'd have to overflow to corrupt cd38
you can probably do better by just corrupting map height/width and reloading the map
Does that help clarify anything?

As for me I need a lot more practice with this glitch before I could think of any input.


  • Buyer beware: House comes with 3 free skeletons in a closet of your choice.
  • GCLF Member
  • *
  • Offline Offline
  • Gender: Male
  • This box intentionally left blank. ...wait...
    • View Profile
    • (null)
Re: Map distortion glitch Rival name variation for a powerful buffer overflow
« Reply #3 on: December 10, 2018, 08:48:37 pm »
That's one hell of a thread title.
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.