Author Topic: Cause of Special Menu Select glitches (JP)  (Read 442 times)

Wack0 (Coder, reverser, beta collector [BetaArchive staff]; Distinguished Member)
Cause of Special Menu Select glitches (JP)
« on: September 01, 2017, 08:19:45 pm »
Couldn't get to sleep, so why not look into the cause of a glitch that hasn't been documented very well?
I used luckytyphlosion's pokered-jp disassembly (a fork of pokered that aims to be a disasm of JP R/G) to help me.

This glitch is caused entirely by the HandleItemListSwapping function. As you can probably see from the helpful comments, the direct cause is that the wrong conditional jump was used: the jump back to the item menu loop happens when the carry flag is set, instead of when the zero flag is not set.

The function can only handle item swapping, and special item lists are just lists of item indices, without quantities.
So, swapping items 1 and 2 causes items 1 and 2 to be swapped with 3 and 4, as items 1 and 2 are interpreted as the item+quantity of item 1, and items 3 and 4 as the item+quantity of item 2.

Going by the sets of swaps in the wiki article, the last swap swaps items 7 and 8, that is, bytes 14-15 and 16-17. These bytes are located after the FF array terminator. The buffer in WRAM where the item list is located is in fact only 16 bytes long (and the first byte is the list quantity). Directly after this buffer is a pointer to the item list itself, so this pointer is swapped with some undefined data beyond the list terminator but still within the buffer.

I have not yet determined why this causes corruptions to other parts of memory.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016
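To make the mechanism above concrete, here is a small C model of the situation the post describes. It is an added example, not code from the thread or from the pokered-jp disassembly: a 16-byte list buffer (count byte, one-byte item indices, FF terminator, leftover bytes) followed directly by a two-byte little-endian list pointer, with a swap routine that moves two-byte (item, quantity) pairs the way HandleItemListSwapping does, and a correct one-byte swap beside it. The exact offsets, the pointer value 0x1234 and the 0xAA filler are constructed for illustration; only the general layout (count byte first, pointer immediately after the 16-byte buffer, two-byte entries starting right after the count) follows the post.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the WRAM region described in the thread (not the game's
 * own data): a 16-byte list buffer whose first byte is the entry count, followed
 * immediately by a 2-byte little-endian pointer to the list. Offsets are 0-based. */
#define LIST_BUF_LEN 16
#define PTR_OFFSET   LIST_BUF_LEN          /* the pointer sits right after the buffer */
#define REGION_LEN   (LIST_BUF_LEN + 2)
#define LIST_END     0xFF

static void init_region(uint8_t *mem)
{
    memset(mem, 0xAA, REGION_LEN);         /* 0xAA stands in for "undefined" bytes past the terminator */
    mem[0] = 8;                            /* entry count */
    for (int i = 1; i <= 8; i++)
        mem[i] = (uint8_t)(0x10 + i);      /* item indices 0x11..0x18, one byte each, no quantities */
    mem[9] = LIST_END;                     /* FF terminator */
    mem[PTR_OFFSET]     = 0x34;            /* constructed list pointer 0x1234, low byte first */
    mem[PTR_OFFSET + 1] = 0x12;
}

static uint16_t list_pointer(const uint8_t *mem)
{
    return (uint16_t)(mem[PTR_OFFSET] | (mem[PTR_OFFSET + 1] << 8));
}

/* Correct behaviour for an index-only list: entry n (1-based) is the single byte at offset n. */
static void swap_index_entries(uint8_t *mem, int a, int b)
{
    uint8_t t = mem[a]; mem[a] = mem[b]; mem[b] = t;
}

/* The swap as the routine in the post performs it: entry n is taken to be the
 * (item, quantity) pair at offsets 2n-1 and 2n, so each swap moves two bytes and
 * the "entries" it sees straddle two of the one-byte entries actually stored.
 * Nothing limits the write to the 16-byte buffer. */
static void swap_item_quantity_entries(uint8_t *mem, int a, int b)
{
    int oa = 2 * a - 1, ob = 2 * b - 1;
    for (int k = 0; k < 2; k++) {
        uint8_t t = mem[oa + k]; mem[oa + k] = mem[ob + k]; mem[ob + k] = t;
    }
}

/* 1 if a two-byte swap of entries a and b writes at or beyond the pointer's offset. */
static int swap_touches_pointer(int a, int b)
{
    int hi = (a > b) ? a : b;
    return (2 * hi) >= PTR_OFFSET;        /* last byte written is offset 2*hi */
}

/* Fresh region, two-byte swap, then the first four item bytes packed big-endian. */
static uint32_t items_after_pair_swap(int a, int b)
{
    uint8_t mem[REGION_LEN];
    init_region(mem);
    swap_item_quantity_entries(mem, a, b);
    return ((uint32_t)mem[1] << 24) | ((uint32_t)mem[2] << 16) | ((uint32_t)mem[3] << 8) | mem[4];
}

/* Fresh region, two-byte swap, then the list pointer that results. */
static uint16_t pointer_after_pair_swap(int a, int b)
{
    uint8_t mem[REGION_LEN];
    init_region(mem);
    swap_item_quantity_entries(mem, a, b);
    return list_pointer(mem);
}

int main(void)
{
    uint8_t mem[REGION_LEN];
    init_region(mem);
    swap_index_entries(mem, 1, 2);
    printf("intended swap 1,2 : items 1-4 = %02X %02X %02X %02X\n", mem[1], mem[2], mem[3], mem[4]);
    printf("pair swap 1,2     : items 1-4 = %08X\n", items_after_pair_swap(1, 2));
    printf("pair swap 7,8     : pointer %04X (was 1234), out of bounds = %d\n",
           pointer_after_pair_swap(7, 8), swap_touches_pointer(7, 8));
    return 0;
}
```

Swapping entries 1 and 2 with the two-byte routine exchanges items 1-2 with items 3-4, exactly as the post says. Swapping entries 7 and 8 reaches offset 16, so the low byte of the list pointer is exchanged with a leftover byte from inside the buffer (offset 14, past the terminator), which is why the pointer ends up holding data that was never meant to be an address.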

Evie the Mother Hen ☽ ❤ (Head Administrator)
Re: Cause of Special Menu Select glitches (JP)
« Reply #1 on: September 02, 2017, 05:47:23 am »
Quote from: Wack0 on September 01, 2017, 08:19:45 pm
> Couldn't get to sleep, so why not look into the cause of a glitch that hasn't been documented very well?
> I used luckytyphlosion's pokered-jp disassembly (a fork of pokered that aims to be a disasm of JP R/G) to help me.
>
> This glitch is caused entirely by the HandleItemListSwapping function. As you can probably see from the helpful comments, the direct cause is that the wrong conditional jump was used: the jump back to the item menu loop happens when the carry flag is set, instead of when the zero flag is not set.
>
> The function can only handle item swapping, and special item lists are just lists of item indices, without quantities.
> So, swapping items 1 and 2 causes items 1 and 2 to be swapped with 3 and 4, as items 1 and 2 are interpreted as the item+quantity of item 1, and items 3 and 4 as the item+quantity of item 2.
>
> Going by the sets of swaps in the wiki article, the last swap swaps items 7 and 8, that is, bytes 14-15 and 16-17. These bytes are located after the FF array terminator. The buffer in WRAM where the item list is located is in fact only 16 bytes long (and the first byte is the list quantity). Directly after this buffer is a pointer to the item list itself, so this pointer is swapped with some undefined data beyond the list terminator but still within the buffer.
>
> I have not yet determined why this causes corruptions to other parts of memory.

Nice research Wack0. Thanks! :)

I recently did some other research about this on another thread (http://forums.glitchcity.info/index.php?topic=7984.msg205778#msg205778) and came to similar conclusions: swapping an entry switches pairs of bytes as if they were item/quantity pairs even though the list is displayed as item-item-item, and it is possible to change the list location pointer (including the number of entries on the list) that way, as illustrated in the thread.

I didn't look into why a Super-Glitch-esque effect can occur though.

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Wack0 (Coder, reverser, beta collector [BetaArchive staff]; Distinguished Member)
Re: Cause of Special Menu Select glitches (JP)
« Reply #2 on: September 02, 2017, 07:48:20 am »
Quote from: Evie the Mother Hen ☽ ❤ on September 02, 2017, 05:47:23 am
> I didn't look into why a Super-Glitch-esque effect can occur though.

I just tried looking into it, but couldn't figure it out from static analysis alone. I guess some work in the debugger would be required.

I guess it depends on what ends up in wListPointer? The wiki page does say the effects don't happen every time.