Author Topic: Yet another buffer overflow technique? (glitch Trainer class names)


Princess Torchic ❤

The types of already documented buffer overflow techniques that allow memory manipulation from the screen data so far include:

1. Super Glitch: Corruption of data from $CF4B, $D0E1
2. - (move): Corruption of data from $CF4B
3. Unterminated name glitch item: Corruption of data from $CF4B
4. Glitch location names on the Fly menu. This is an obscure one and I'm unsure how it works.
5. Unterminated name glitch Pokémon (when selected from a box): Also corruption of $CF4B onward if I remember rightly. Used in oobLG.

I think I found another one for us to look into, this time with glitch Trainer class names.

D031 (Red/Blue) and D030 (Yellow) partially control the opposing trainer class in battle. I found a Trainer name in Yellow (hex:77) which may have an extremely long trainer name. If you defeat the foe with this value set on D031/D030 (may require avoiding a problematic AI) and they have victory text, their name will be printed on the screen, and it appears that like the other buffer overflows what is corrupted after battle depends on the screen data.

I noticed 9153 in VRAM would control CFD7 (enemy Pokémon), and that this happens to be part of the foe's sprite that is displayed after you beat them. With Lorelei I get FF. Not sure whether this is due to VRAM inaccessibility or if that address is really FF but what's good about this is that the picture pointer of the opposing Trainer can be modified by manipulating the two bytes at D033 (D032 in Yellow). This doesn't have to include valid sprite pointers, hence in theory you can get many more CFD7 values by trying out different pictures and glitch pictures (which could even be in RAM).

The glitch pictures can also be used for their own unique corruption effects (possibly related to things like their dimensions). I tried 99 99 (pointing to VRAM) and it interestingly also corrupted the name you get at the end of the battle, but then I got this lovely corruption:



(I tried this two times and the first time it flew me to a glitch location, but didn't screenshot it, sorry)

Despite the fact that during experimenting the CFD7 value would stay at its corrupted value, it seems D056 (and D058 as well so instant encounter may not be possible either) is reset back to 00 meaning you can't capture Q (or theoretically Charizard 'M if this works similarly in Red/Blue) this way, which is a little sad.

Hopefully we can still exploit this to do useful things though, even though in Yellow the only way I know is through arbitrary code execution (and in Red/Blue possibly with Super Glitch as well).
« Last Edit: January 16, 2018, 11:53:51 pm by Princess Torchic ❤ »
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪





Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Give love, receive love, repeat. But in order to love others you must first love yourself unconditionally, even if it means abandoning pressure from projects or taking time off work and empathise with the self as you are your own best friend. The key often is simply to follow your heart, your urges and have faith they are valid; use them to do what you want to do as long as it doesn't harm anyone, and/or sympathise and respect it as we all have bad days (even the prettiest rose has thorns but is still beautiful).

Princess Torchic ❤

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #1 on: January 17, 2018, 01:06:21 am »
Fossil Charizard 'M get! :)



(This is with name 0x32)

Too bad almost all of the RAM is trashed, making escape from Glitch City very difficult. :(
But you could work with the items you're given in the expanded items pack in theory.

If you combine this with things that print tiles in battle (double distort CoolTrainer can do it) and avoid VRAM inaccessibility, then as VRAM is within the range of the BG Map (9C00-9E33) in theory if 9C2A is 0x15 this is another way to get Mew (or any other Pokémon/glitch Pokémon) as a fossil.



Will look into finding a way to escape the Glitch City (and potentially glitched meta-map scripts) and posting it here. :)

Parzival

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #2 on: January 17, 2018, 07:52:13 am »
>Hopefully we can escape the trashed-RAM Glitch City
change coordinates to somewhere normal with expanded pack
change map id with expanded pack and expanded party
use 9F
hope and pray
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

ALERT: WE ONLY NEED ONE MORE VOTE TO GAIN BACK NET NEUTRALITY! CLICK THE BANNER BELOW TO JOIN THE FIGHT!

Princess Torchic ❤

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #3 on: January 17, 2018, 09:27:31 am »
> >Hopefully we can escape the trashed-RAM Glitch City
> change coordinates to somewhere normal with expanded pack
> change map id with expanded pack and expanded party
> use 9F
> hope and pray

9F only works that way in Yellow sadly, thanks though.

If you want to do the same thing as 9F in Red/Blue you may place an X Attack x18 (41 12) in the map script pointer at D36E-D36F after setting your map and coordinates right.

A problem with getting glitch items is (at least some) seem to fall in the 9800 region of the BG map, which is full of 0x7F. However in actuality the items menu doesn't become full of 0x7F or 0xFF, and other items are available.

The menu is also likely invisible, though I found a weird way to get it visible again by using "7 6" (hex:7F) with a 0x50 sub-tile in the screen data, twice. (D35F must be a quantity x127 and Master Ball 01 and you've got to flash the Trainer card) Maybe it's taking 8 8 (hex:7C)'s effect.



(Believe it or not the game is still running and you can still scroll the menu)

I tested writing to D059 (instant encounter) out of interest and it froze the game, so you can't try anything in battle.

I did find B1F in the expanded items pack (which executes SRAM A7D0) so you could in theory use that, because the SRAM is untouched. Beforehand you could use 8F to write to the SRAM, or use many many SRAM corruptions like TheZZAZZGlitch did.

Another idea may be to manipulate D163 as 0xFF from the VRAM inaccessibility, swap Pokémon 62 with 63 to walk through walls, then load a map connection to fix the map, where you may be able to go into the PC to fix meta-map scripts in the expanded PC items.

Unfortunately the only time this has happened the game would freeze after battle.

Charmy

  • A guy who likes glitchyness.
  • Member+
  • *
  • Offline Offline
  • Gender: Male
  • "NIDOQUEEN THOMAS wants to battle!"
    • View Profile
Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #4 on: January 17, 2018, 10:41:33 am »
Well, did this against Champion Blue in Yellow and oh boy...
Every turn the game plays a drum and fades to black before either continuing the battle, exiting it, or crashing altogether (I once got a "4 4's true cry"-like effect but that never happened again).
If the game doesn't crash then the screen stays black if I don't use a move that modifies the palette. And if I don't KO the foe then it exits the battle or freezes. I once got the game to jump to the Pikachu sequence before the title screen, freezing shortly after.
And once the music just glitched out a bit.
Could this be useful and manipulated in some way?
Also I couldn't get past his Jolteon in any way with the code active; I needed to change his class to something valid before finishing the battle, then change it back once I knocked out his Jolteon...
And lastly, I managed to trigger the unused text for losing against him.
And yes I did use Debug Yellow for this but I didn't have any other Yellow ROM on hand...

And then I tried d058-ing a random trainer (a Sailor in this case) and I got an occurrence of the battle restarting and my Pokémon 2-6 having their names be corrupted.
« Last Edit: January 17, 2018, 11:00:27 am by Charmy »
"Time is mone
Go along then" - Old Man


TMZ4 is the BEST TM while the sucky Channel is the best channel.

Princess Torchic ❤

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #5 on: January 17, 2018, 11:51:53 am »
> Well, did this against Champion Blue in Yellow and oh boy...
> Every turn the game plays a drum and fades to black before either continuing the battle, exiting it, or crashing altogether (I once got a "4 4's true cry"-like effect but that never happened again).
> If the game doesn't crash then the screen stays black if I don't use a move that modifies the palette. And if I don't KO the foe then it exits the battle or freezes. I once got the game to jump to the Pikachu sequence before the title screen, freezing shortly after.
> And once the music just glitched out a bit.
> Could this be useful and manipulated in some way?
> Also I couldn't get past his Jolteon in any way with the code active; I needed to change his class to something valid before finishing the battle, then change it back once I knocked out his Jolteon...
> And lastly, I managed to trigger the unused text for losing against him.
> And yes I did use Debug Yellow for this but I didn't have any other Yellow ROM on hand...
>
> And then I tried d058-ing a random trainer (a Sailor in this case) and I got an occurrence of the battle restarting and my Pokémon 2-6 having their names be corrupted.

Wow, that's interesting. Nice and cool you got the unused text. Which name did you use, is it the 0x77 one?

I may play around with this re: losing the fight too. Thanks for sharing Charmy. :)

By the way I finished a B1F code (which you have in the inventory from RB 0x32) for escaping the Glitch City and making the game still playable, and I managed to get the fossil 'M (FF). This code runs the Hall of Fame script, fixes your name, leaves you in Cinnabar Island after, fixes some event addresses and possibly all the meta-map scripts:

(B1F executes A7D0)

ld a,$50            ; $50 terminates strings
ld ($d158),a        ; D158 = start of the player name: fixes the name
ld a,$41
ld ($d36e),a
ld a,$12
ld ($d36f),a        ; map script pointer D36E-D36F = $1241 (the "X Attack x18" value from Reply #3)
ld a,$08
ld ($d35e),a        ; current map D35E = 08 (Cinnabar Island)
xor a               ; a = 0 for the flag clears below
ld ($d639),a
ld ($d72e),a
ld ($d72c),a
ld ($d736),a
ld ($d732),a
ld ($d733),a        ; assorted map/event flag bytes
ld ($d5a0),a        ; D5A0 = number of Hall of Fame teams
ld hl,$d5f0
ld bc,$011b
xor a
call $36e0          ; FillMemory: write 0 to $011B bytes from D5F0 (the per-map script states)
ld hl,$d35f         ; D35F onward: map view pointer, then Y/X coordinates and block coordinates
ld a,$5e
ld (hli),a
ld a,$c7
ld (hli),a          ; D35F-D360 = $C75E
ld a,$0c
ld (hli),a          ; D361 = Y coordinate 12
ld a,$0b
ld (hli),a          ; D362 = X coordinate 11
xor a
ld (hli),a          ; D363 = Y block coordinate 0
inc a
ld (hli),a          ; D364 = X block coordinate 1
ld c,$16
ld h,$64
ld l,$bb
ld b,c              ; b = $16 (bank)
ld b,b              ; no-op
call $35d6          ; Bankswitch: run $16:$64BB, the Hall of Fame routine
ret


Still, if this can be set up without arbitrary code execution, I feel using arbitrary code execution with B1F could take away some of the charm. I do wonder if there is a way to escape the Glitch City with no arbitrary code or cheats (I remember a walk through walls route that worked, I entered a building in Saffron but that would require the 0xFF from inaccessible VRAM and no freeze or theoretically VRAM data that's wrong for a battle). The bad map script for Cinnabar Island could possibly be removed with the expanded stored PC items.

Actually if you can jump off a ledge, that should activate walk through walls, but you'd have to find a way to fix the map.
« Last Edit: January 17, 2018, 02:06:01 pm by Princess Torchic ❤ »

Charmy

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #6 on: January 18, 2018, 04:24:50 pm »
Yes I did indeed use 0x77, and without changing the Sprite pointer in any way, the unused text got triggered.

Princess Torchic ❤

Re: Yet another buffer overflow technique? (glitch Trainer class names)
« Reply #7 on: February 08, 2018, 01:47:37 pm »
Unfortunately the 'Super Glitch' effects that allowed me to get 'M (FF) aren't working anymore.

However glitch Trainer class names can be seen with this:

@DA80

or a                             ; a unchanged, flags only
ld a,(ccf6)                      ; CCF6: low-HP "red bar" alarm state
dec a
cp 1
jr c,da8a                        ; carry only when CCF6 was 1: go set the class
ret
ld a,xx (class name goes here)   ; this instruction sits at DA8A
ld (d031),a                      ; D031: opposing Trainer class (Red/Blue)
ret

@FF80
jp DA80                          ; FF80 holds the OAM DMA routine run every VBlank; redirect it to DA80

("If red bar noise is disabled i.e. you beat a Trainer, set D031 to a value")
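To check what the two listings in this thread assemble to (the B1F code in Reply #5 at its A7D0 origin and the D031 hook in Reply #7 at DA80), here is a small assembler for just the GBz80 instruction forms they use; it is an added example, not the thread's code or a Glitch City Laboratories tool. It resolves the `jr c` displacement from the instruction's own address, accepts operands with or without a `$` prefix, and pairs the bytes up as (item id, quantity) the way an expanded item pack would hold them; the opcode table is the standard SM83 encoding, the item-pair layout is an assumption, and the 0x77 filled in for "xx" is the class value Charmy confirmed.

```python
import re
# One-byte opcodes for the instruction forms used in the thread's listings.
ONE_BYTE = {"xor a": 0xAF, "or a": 0xB7, "inc a": 0x3C, "dec a": 0x3D,
            "ld (hli),a": 0x22, "ld b,c": 0x41, "ld b,b": 0x40, "ret": 0xC9}
# Opcodes taking an 8-bit immediate, keyed by "ld <reg>" or the mnemonic.
IMM8 = {"ld a": 0x3E, "ld b": 0x06, "ld c": 0x0E, "ld h": 0x26,
        "ld l": 0x2E, "cp": 0xFE}
# Opcodes taking a 16-bit little-endian immediate.
IMM16 = {"ld hl": 0x21, "ld bc": 0x01, "call": 0xCD, "jp": 0xC3}
HEX = r"\$?([0-9a-f]{1,4})"   # hex operand, with or without a '$' prefix

def hexval(s):
    return int(s.strip().lstrip("$"), 16)

def encode(line, pc):
    """Machine code for one lower-cased instruction placed at address pc."""
    if line in ONE_BYTE:
        return bytes([ONE_BYTE[line]])
    if m := re.fullmatch(r"ld a,\(" + HEX + r"\)", line):      # ld a,(nn)
        return bytes([0xFA]) + hexval(m[1]).to_bytes(2, "little")
    if m := re.fullmatch(r"ld \(" + HEX + r"\),a", line):      # ld (nn),a
        return bytes([0xEA]) + hexval(m[1]).to_bytes(2, "little")
    if m := re.fullmatch(r"jr c," + HEX, line):                # jr c,target
        disp = hexval(m[1]) - (pc + 2)     # displacement is from the next pc
        if not -128 <= disp <= 127:
            raise ValueError(f"jr target out of range at {pc:04X}")
        return bytes([0x38, disp & 0xFF])
    mnem, _, ops = line.partition(" ")
    reg, _, val = ops.rpartition(",")
    key = f"ld {reg}" if mnem == "ld" else mnem
    if key in IMM16:
        return bytes([IMM16[key]]) + hexval(val).to_bytes(2, "little")
    if key in IMM8:
        return bytes([IMM8[key], hexval(val)])
    raise ValueError(f"unsupported instruction: {line!r}")

def assemble(listing, origin):
    """Assemble a listing (';' comments and '@addr' marker lines skipped) at origin."""
    out = bytearray()
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip().lower()
        if line and not line.startswith("@"):
            out += encode(line, origin + len(out))
    return bytes(out)

def item_pairs(code):
    """(item id, quantity) pairs as an expanded pack would hold the code (assumed layout)."""
    code += b"\x00" * (len(code) % 2)          # pad an odd length with 0x00 (nop)
    return [(code[i], code[i + 1]) for i in range(0, len(code), 2)]

# Constructed sample: the Reply #7 hook with 0x77 filled in for "xx", at its DA80 origin.
D031_HOOK = ("@DA80\nor a\nld a,(ccf6)\ndec a\ncp 1\njr c,da8a\nret\n"
             "ld a,77\nld (d031),a\nret")

if __name__ == "__main__":
    code = assemble(D031_HOOK, 0xDA80)
    print(code.hex(" "), item_pairs(code))
    print(assemble("jp da80", 0xFF80).hex(" "))    # the FF80 redirect stub
```

Pasting the Reply #5 listing into `assemble(..., 0xA7D0)` gives the bytes B1F will execute from A7D0.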