Author Topic: Map distortion glitch Rival name variation for a powerful buffer overflow  (Read 37 times)

Evie Torchic the Glitch Scientist (Administrator)
If the current map contains a lot of 0x53 tiles, map distortion glitch items like 0x87 will print the Rival's name instead of the player's name. As we know through the item underflow glitch (and the Rival LOL glitch), it is possible to change the values (and length) of this string by modifying items and quantities.

The Rival's name can also represent a control character, such as a Pokémon name or the player's name (less ideal because Super Glitch, ACE and obscure things like connection copier are the only glitches which let you do that). This then, in theory, allows you to corrupt much more of the memory.

For the purpose of this post, we shall use a Rival name which contains the 0x59 control character.

Steps (theory):

1) First enter a battle and run. This loads 0x59 as (your Pokémon)

2) Fill the current map data with 0D building blocks. You can do this by having 50 Ice Heal x13 in the stored PC items and setting D35F to 3B D5. In the expanded inventory, this is represented by (item) x 59 followed by TM13. I looked to see if there is a place with many 0D bytes in the ROM. Unfortunately I couldn't spot any except in banked ROM, which I had trouble displaying for custom D35F values (even if the map bank is the same as the ROM bank for the source, it won't bring up those blocks).

Note: You don't need 50 Ice Heal x13, and the actual amount needed is for now unknown. I'll edit this post with the minimum number needed after the theory is out.

3) Set your Rival name to 59 59 59 59 59 50

4) Open the menu with glitch item 0x87 at the top of the list

5) Profit!

I don't know how long this corruption was, but it was definitely powerful, corrupting cursor-related data and sending us to a Glitch City (with entrance warp animation) with a Trainer encounter theme playing after leaving the menu.

It didn't quite corrupt map connections, so what you can do to escape is move up to go back to Viridian City. However, I got stuck with the Start menu cursor glitched, so I can't use a Rival's effect item. Darn...

Doing this with a different source map may give a different result though. :)

Note: With this glitch, you can heal out of bounds Pokémon if you use a healing item. This could potentially lead to the corruption of other memory addresses.

What I'm going to try and do is find a 'safe' way of corrupting CD38 so you have a replicable way to walk through walls without ACE. I will update this thread with my findings.

Update 1: If you keep spamming up, eventually the cursor will be in a normal range. This lets you escape and Fly away.

Update 2: I've tried corrupting CD38, which was successful, but so far I keep getting freezes upon closing the menu and I don't know what causes them. I can save and reset the game to disable the freeze, but that resets CD38 to 0 (and the enemy Pokémon addresses CFD8 and D059 for that matter), so that's no good. :(

Update 3: Invalid CC47 values cause a freeze after closing Start. 00 and 01 are fine. Maybe we can set it to 00 or 01 and still change later addresses in some way.

Update 4: CC57 comes into play too; bad CC57 values can freeze or execute RAM. This seems like another access point for ACE interestingly enough. Non-freezing values: 0x0D (5 ERROR forever), 0x16, 0x17, 0x2A (dismount Bicycle forever)
« Last Edit: December 08, 2018, 11:29:35 pm by Evie Torchic the Glitch Scientist »
Hi! I'm Evie. I'm a transgender person, but any pronouns are fine. She/her preferred.

Online I most often use the username Torchickens or Chickasaurus.

Contact:
http://www.youtube.com/user/ChickasaurusGL
https://www.vgcollect.com/Torchickens

Hālian (Member+)
Needs more PIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEYPIDGEY. :P

All sprites made by Naitekiakki, except:
Recolored Gardevoir made by me