Author Topic: How far can 0x0 sprite dimensions corrupt?  (Read 384 times)


Evie the Bird Mother 🌸 ☽
  • Veteran Contributor
  • Ah, the black tea is delicious. ~ ^^
How far can 0x0 sprite dimensions corrupt?
« on: November 02, 2019, 12:16:26 pm »
Glitch Pokémon's 0-dimension sprite dimensions (height/width) can cause a buffer overflow while decompressing the SRAM into RAM. Up to where in RAM can this corrupt? We know Yellow MissingNo. corrupts C0EF/C0F0. Other than C109 (facing direction, which allows for ACE), are there any other corruptible locations to do something useful to exploit?
(I was former joint head admin but stepped down)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post. ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Love, faith, hope are free. If all is lost friends save us.
Thanks fans for lovely Torchic artwork. ♡ First image thanks Nyapon.

Parzival
  • The Laziest Malware Enthusiast
  • Banned
  • who posted nudes in upstream
Re: How far can 0x0 sprite dimensions corrupt?
« Reply #1 on: November 03, 2019, 11:52:17 am »
> Quote from: Evie the Bird Mother 🌸 ☽
> Glitch Pokémon's 0 dimension sprite dimensions (height/width) can cause a buffer overflow while decompressing the SRAM, into RAM. Up to where in RAM can this corrupt? We know Yellow MissingNo. corrupts C0EF/C0F0. Other than C109 (facing direction which allows for ACE), are there any other corruptible locations to do something useful to exploit?
how many bytes does the typical frontsprite take up and how big is it?

Sherkel
  • Banned
  • PSYNCIN' IN THE FINNAGaiN
Re: How far can 0x0 sprite dimensions corrupt?
« Reply #2 on: November 03, 2019, 12:43:16 pm »
> Quote from: Evie the Bird Mother 🌸 ☽
> Glitch Pokémon's 0 dimension sprite dimensions (height/width) can cause a buffer overflow while decompressing the SRAM, into RAM. Up to where in RAM can this corrupt? We know Yellow MissingNo. corrupts C0EF/C0F0. Other than C109 (facing direction which allows for ACE), are there any other corruptible locations to do something useful to exploit?

> Quote from: Parzival
> how many bytes does the typical frontsprite take up and how big is it?
5 x 5, 6 x 6, or 7 x 7 tiles. Not sure if it has to be uniform, but all examples are. Presumably treating one as 256 x 256 and seeing how far it reaches if the same routine is run for it should show up to where it overwrites.
Held aloft, as if by hands, their thoughts remain adrift
Torn asunder, broken bands
A void, a dream, a rift

Parzival
  • The Laziest Malware Enthusiast
  • Banned
  • who posted nudes in upstream
Re: How far can 0x0 sprite dimensions corrupt?
« Reply #3 on: November 03, 2019, 03:16:46 pm »
> Quote from: Evie the Bird Mother 🌸 ☽
> Glitch Pokémon's 0 dimension sprite dimensions (height/width) can cause a buffer overflow while decompressing the SRAM, into RAM. Up to where in RAM can this corrupt? We know Yellow MissingNo. corrupts C0EF/C0F0. Other than C109 (facing direction which allows for ACE), are there any other corruptible locations to do something useful to exploit?

> Quote from: Parzival
> how many bytes does the typical frontsprite take up and how big is it?

> Quote from: Sherkel
> 5 x 5, 6 x 6, or 7 x 7 tiles. Not sure if it has to be uniform, but all examples are. Presumably treating one as 256 x 256 and seeing how far it reaches if the same routine is run for it should show up to where it overwrites.
Well, if I knew how many bytes one frontsprite of known size takes up, I could calculate how many bytes it'd take up and thus (barring weird position-resetting behavior) the range of corruption.

Evie the Bird Mother 🌸 ☽
  • Veteran Contributor
  • Ah, the black tea is delicious. ~ ^^
Re: How far can 0x0 sprite dimensions corrupt?
« Reply #4 on: March 10, 2020, 08:23:09 am »
Actually, there's a great point here. You can probably use the sprite import tools and method in some way; except these originally aren't sprites but data/code interpreted as sprites. A 7x7 sprite is 56x56 pixels. We can probably find how many pixels a 256x256 sprite would be, hence around how many bytes long it might be. We know these cause buffer overflows into SRAM (and in Yellow MissingNo.'s case C0EF/C0F0). Maybe you do 256x8, which is 2048 pixels.
« Last Edit: March 10, 2020, 08:27:44 am by Evie (retired from head adminship) »

Evie the Bird Mother 🌸 ☽
  • Veteran Contributor
  • Ah, the black tea is delicious. ~ ^^
Re: How far can 0x0 sprite dimensions corrupt?
« Reply #5 on: March 10, 2020, 11:27:00 am »
So we have (from the disassembly):

wSpriteCurPosX:: ; d0a1
   ds 1
wSpriteCurPosY:: ; d0a2

For D0A1, the game seems to cycle through values of 0 to (sprite width x8). For instance, when loading Rattata's sprite; d0a1 will only be from $00-$27 (dec:0-39), because 5x8=40. (Rattata has 5 for its dimensions).

Encountering Yellow MissingNo. (addresses here other than A188 are -1)

When we get to

sSpriteBuffer1:: ds SPRITEBUFFERSIZE ; a188

@0:24D9
; Put a into D0A0
; Put D0AC (sprite output pointer) into a
; increment a, and then value in D0AC
; At some point we get back to 0:24D9. D0A0 increases to the maximum width of Yellow MissingNo. (256 bytes).
; hl (a188) increases 1040 times

OK, my Yellow MissingNo. corrupted up to C30F from the 2564 routine.
« Last Edit: March 10, 2020, 12:46:15 pm by Evie (retired from head adminship) »
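The thread's core observation is that an 8-bit dimension of 0 behaves as 256 in the decoder's countdown loop (D0A0 climbing to 256 for Yellow MissingNo.), so the output runs far past a buffer sized for a 7x7-tile sprite. The C model below is an added example written for this thread, not the game's actual decompression routine or anything from the pokered/pokeyellow disassembly. It assumes (labelled in the comments) that dimensions are one byte each in 8x8-pixel tiles, that the decoder emits 8 bytes per tile for one bitplane, and that the output buffer holds exactly a 7x7-tile sprite; `SPRITE_BUF_SIZE`, `BYTES_PER_TILE_PLANE` and all function names are constructed for the example. It shows why the wrap happens, how many bytes an unchecked decode would emit for each dimension pair, and the bounds check a hardened decoder performs before writing anything.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this model (not taken from the game):
 *  - a sprite is width x height tiles of 8x8 pixels (page: 5x5..7x7 are legal)
 *  - the decoder writes one bitplane, 8 bytes per tile, into a fixed buffer
 *  - the buffer is sized for a 7x7-tile sprite: 7*7*8 bytes (hypothetical)
 *  - the column/row loops are "dec counter; jump if not zero" style, so an
 *    8-bit counter that starts at 0 wraps and runs 256 times               */
#define MAX_TILES            7
#define BYTES_PER_TILE_PLANE 8
#define SPRITE_BUF_SIZE      (MAX_TILES * MAX_TILES * BYTES_PER_TILE_PLANE)

/* Iterations of an 8-bit post-decrement countdown loop: 1..255 as written,
 * 0 wraps to 255 on the first decrement and therefore runs 256 times.      */
unsigned countdown_iterations(uint8_t n)
{
    unsigned iters = 0;
    do {
        iters++;
    } while (--n);          /* uint8_t arithmetic: 0 - 1 == 255 */
    return iters;
}

/* Bytes an unchecked decoder would emit for the given tile dimensions,
 * with a 0 in either field behaving as 256 exactly like the loop above.    */
unsigned long unchecked_output_bytes(uint8_t width_tiles, uint8_t height_tiles)
{
    return (unsigned long)countdown_iterations(width_tiles)
         * (unsigned long)countdown_iterations(height_tiles)
         * BYTES_PER_TILE_PLANE;
}

/* How many bytes land past the end of the fixed buffer (0 when it fits).
 * This is the quantity the thread is asking for: the reach of the overflow
 * relative to the buffer start, before any address-space wrapping effects. */
unsigned long overflow_bytes(uint8_t width_tiles, uint8_t height_tiles)
{
    unsigned long out = unchecked_output_bytes(width_tiles, height_tiles);
    return out > SPRITE_BUF_SIZE ? out - SPRITE_BUF_SIZE : 0;
}

/* Hardened decoder entry check: reject any dimension the buffer cannot hold,
 * including 0, before the first byte is written. A decoder that only tests
 * "counter != 0" after the decrement never sees the bad value coming.       */
bool dimensions_valid(uint8_t width_tiles, uint8_t height_tiles)
{
    return width_tiles  >= 1 && width_tiles  <= MAX_TILES
        && height_tiles >= 1 && height_tiles <= MAX_TILES;
}

int main(void)
{
    /* Constructed inputs: the legal sizes named in the thread, plus 0x0. */
    const uint8_t dims[][2] = { {5, 5}, {6, 6}, {7, 7}, {0, 0} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint8_t w = dims[i][0], h = dims[i][1];
        printf("%3ux%-3u tiles: loop runs %3ux%3u, emits %7lu bytes, "
               "overflow %7lu bytes, valid=%s\n",
               w, h, countdown_iterations(w), countdown_iterations(h),
               unchecked_output_bytes(w, h), overflow_bytes(w, h),
               dimensions_valid(w, h) ? "yes" : "no");
    }
    return 0;
}
```

Under these assumptions a 7x7 sprite fills the 392-byte buffer exactly, while 0x0 runs as 256x256 and would emit 524288 bytes, half a megabyte past the buffer on a machine whose whole address space is 64 KiB; the real reach (the thread's C30F observation) is shorter because the hardware wraps and mirrors addresses, which this model deliberately does not simulate. The defensive point is the same either way: validate the dimension byte against the buffer size before entering a decrement-and-branch loop, because such a loop cannot distinguish 0 from 256.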