Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

TMTRAINER Effect and No Pokemon RAM corruption

Posted by: Missingno255
Date: 2014-07-06 14:43:30
What is the source of corruption in the RAM and code with TMTRAINER effect and the RAM corruption from having no pokemon (it does get corrupt with that glitch)? I found that the RAM will get corrupted starting from $CF5E and ending somewhere near approximately $CFFF (unsure of this) doing TMTRAINER (That offset is BEFORE the start of the battle information. So what exactly is stored there?) Turns out most of the effects from super glitch don't happen at all if the opponent uses Super Glitch. TMTRAINER effect will still happen, but Super Glitch RAM corruption won't happen as a result of not having to load its name. Also it will not say "Enemy TMTRAINER is frozen solid!" and will change the opposing pokemon's name and status AFTER it faints. The burn damage will still happen though. The only thing that will be glitched after TMTRAINER when done by opponent is the overworld sprites, as they don't load correctly (Move animations are not overwritten correctly in the VRAM).

You know the name TMTRAINER? Apparently, that's the name given to the pokemon as the pokemon gets corrupted.

I changed offset $CFE8 (Status ailment byte) from $30 (Burned and Frozen) to $20 (Frozen) and the game just proceeded as usual WITHOUT doing the massive burn damage. So what exactly is it that causes TMTRAINER to happen? It's not just Super Glitch that does it, but also Cooltrainer move and several glitch items as well.

As for the "No Pokemon glitch" what exactly causes the RAM to get corrupted here? It starts at $CEE9 and stops approximately at $CFD6. Some of it gets overwritten when it's a trainer battle, where the opponent information is. This doesn't happen if it's a wild battle (source of Wild appeared!)

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: TheZZAZZGlitch
Date: 2014-07-06 15:36:14
TMTRAINER effect:

Source of corruption: Overly long names of Super Glitch moves and/or certain glitch items.
Origin: Address $CF4B
Written bytes: constant
Size: hard to predict

The whole effect is caused by a buffer overflow, starting at $CF4B. This address contains a 20 character general purpose memory block, used to store names of all kinds. Its most notable use is to store the name of the move when it's needed to be displayed in sequence "[B1] used [B2]!". So the effect can be caused both when Super Glitch is used by the player and when Super Glitch is used by the opponent.

This effect happens only if the battle screen is cached in the game's display buffer (one way to ensure this is to enter a battle and view the Pokemon or Item screen from there). This is because just like with every effect of Super Glitch, the outcome is determined by what was recently displayed on the screen.

'Wild appeared'

Source of corruption: the Pokeball sprites drawn at the beginning of battles
Origin: $CEE9
Written bytes: dependent on the statuses of Pokemon beyond the sixth slot
Size: maximum of 256 bytes

This is pretty much the same error that causes the 'Split Screen' in Pacman.
At the beginning of every battle, the game draws some Pokeball sprites, representing the status of Pokemon in player's party:

[img]http://i1.minus.com/ibgW4mqoEBjsuw.PNG[/img]

The buffer at $CEE9 is used to store the state of Pokeballs to draw. It is 6 bytes long, each byte representing one Pokeball, with following possible values:
$31 - no status ailment
$32 - status ailment
$33 - fainted
$34 - empty

Having 0 Pokemon causes the game to draw 256 Pokeballs, and that overflows the buffer.

Some more interesting facts:
- The 'Wild appeared' effect happens for trainers too. If a trainer has 0 Pokemon, all the effects of this glitch will activate (this is why the music fades out after encountering certain glitch trainers)
- The values written by this glitch can differ, they depend on the status of Pokemon beyond the sixth slot (this is also why ZZAZZ trainers' music fadeout ends either with distorted Vulpix cry ($33) or distorted Electabuzz cry ($31)).
- This is not the effect of having 0 Pokemon, but the effect of having 'too many' Pokemon. So having, let's say, 200 Pokemon still causes the effect.
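The Pokeball-buffer overflow described in the post above, modelled in C as an added example (not part of the original thread and not the game's code). The 8-bit count-down loop shape, the flat `wram` array and the `slot_state` values are assumptions made for illustration; the unchecked loop is shown beside a version that validates the count first.

```c
#include <stdint.h>
#include <stdio.h>

#define POKEBALL_BUF 0xCEE9u  /* buffer origin given in the post */
#define POKEBALL_LEN 6u       /* one byte per party slot */

static uint8_t wram[0x10000]; /* flat model of the address space */

/* Constructed stand-in for the status byte of each slot; in the game the
   values past slot six come from whatever data follows the party. */
static uint8_t slot_state(unsigned slot) {
    return (slot % 2) ? 0x33 : 0x31; /* $33 fainted, $31 no ailment */
}

/* Assumed loop shape: write, decrement an 8-bit counter, stop at zero.
   A starting count of 0 wraps to 255 and the loop runs 256 times.
   Returns how many bytes were written past the 6-byte buffer. */
unsigned draw_pokeballs(uint8_t party_count) {
    uint8_t remaining = party_count;
    unsigned slot = 0, overflow = 0;
    do {
        wram[POKEBALL_BUF + slot] = slot_state(slot);
        if (slot >= POKEBALL_LEN) overflow++;
        slot++;
    } while (--remaining != 0);
    return overflow;
}

/* Same loop with the count validated against the buffer size first. */
unsigned draw_pokeballs_checked(uint8_t party_count) {
    unsigned n = party_count > POKEBALL_LEN ? POKEBALL_LEN : party_count;
    for (unsigned slot = 0; slot < n; slot++)
        wram[POKEBALL_BUF + slot] = slot_state(slot);
    return n; /* bytes written, never more than 6 */
}

int main(void) {
    printf("count 6:   %u bytes past the buffer\n", draw_pokeballs(6));
    printf("count 0:   %u bytes past the buffer, last write $%04X\n",
           draw_pokeballs(0), POKEBALL_BUF + 255u);
    printf("count 200: %u bytes past the buffer\n", draw_pokeballs(200));
    printf("checked, count 0: %u bytes written\n", draw_pokeballs_checked(0));
    return 0;
}
```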

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: Kelvinv
Date: 2014-07-06 16:13:50
where does the game draw TMTRAINER from?

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: Missingno255
Date: 2014-07-06 20:52:10
TheZZAZZglitch never fails to amaze and impress me with this stuff!

Anyways, so TMTRAINER really is based on Saved screen contents? Interesting!
Like in the post above mine, where does it pull "TMTRAINER" from as a name? Why also does the pokemon immediately faint when it takes burn damage? I set $CFE8 to $30 on a normal pokemon in a normal battle and didn't faint right away.

So the fact that the game loads 256 pokeballs for "Wild Appeared" pretty much also explains when you heal "0" pokemon at pokemon centers as well.

Also on the topic of "Wild Appeared!", if you don't have a pokemon to send out, you send out 3trainerpoke or 'M. Why then does it have corrupted stats like HP, status, name, invalid moveset etc?

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: TheZZAZZGlitch
Date: 2014-07-07 02:02:19
> Like in the post above mine, where does it pull "TMTRAINER" from as a name? Why also does the pokemon immediately faint when it takes burn damage? I set $CFE8 to $30 on a normal pokemon in a normal battle and didn't faint right away.

TMTRAINER is essentially just copying the battle screen tiles to $CF5F. Different parts of on-screen data are responsible for different effects:

[img]http://i4.minus.com/iblJYQUnidiAMX.png[/img]

I actually don't know why the frozen burn status causes the opponent to faint instantly during TMTRAINER, I guess that's because the damage counter for Toxic is corrupted and causes the game to calculate damage from status ailments in a wrong way.

> Also on the topic of "Wild Appeared!", if you don't have a pokemon to send out, you send out 3trainerpoke or 'M. Why then does it have corrupted stats like HP, status, name, invalid moveset etc?

At the beginning of the game, when player has no Pokemon, the player's party is really filled with Lv.0 'Ms, with 0 HP out of 0, with no moves and 0's in each stat. These Pokemon are considered fainted by the game - after all, they have 0 HP. So it will skip these Pokemon and start searching beyond the sixth slot. So the game actually sends out a Pokemon at slot 12, not slot 1.

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: camper
Date: 2014-07-07 02:13:32
> Like in the post above mine, where does it pull "TMTRAINER" from as a name?

It's likely two characters (TM and TRAINER) derived from the battle menu, as it's constant.

> Why also does the pokemon immediately faint when it takes burn damage? I set $CFE8 to $30 on a normal pokemon in a normal battle and didn't faint right away.

The Pokemon may have much higher max HP than its current HP after the corruption.

> Also on the topic of "Wild Appeared!", if you don't have a pokemon to send out, you send out 3trainerpoke or 'M. Why then does it have corrupted stats like HP, status, name, invalid moveset etc?

You should be sending out the first Pokemon in your party with a non-zero HP, which is located at $D34F (slot 12), the later part of the rival name if his name is 6 characters or more/a default name; or is located at $D37B (slot 13), the map's connection data.

Re: TMTRAINER Effect and No Pokemon RAM corruption

Posted by: Torchickens
Date: 2014-07-07 07:27:45
TM and TRAINER are control characters or magic words, hex: $5C and $5D specifically, meaning instead of the game adding just one letter e.g. 'A', the game adds the whole phrase. They probably get copied.

Here are more control characters.

I need to revise TheZZAZZGlitch's earlier Super Glitch research. I will give an exact reason if I find one.

Edit: Yeah. They get copied.

After opening the Pokémon menu in battle:

[img]http://i.minus.com/jb2E18gUIxmtM5.png[/img]

TM was only seen momentarily here before the bottom text changed. Note that PIDGEY is not from a control character, it got copied from the user's name one letter at a time.

CFDA is the start of the enemy Pokémon's name.

Edit 2:

I'll summarize TheZZAZZGlitch's Super Glitch explanation.

The name of the current move selected from the fight menu is stored at CD6D. This is 20 bytes long (so data is written to CD6D-CD80), and a move like Fly will look like FLY(50)BIND(50)SLAMVYNE(SPACE) (85 8B 98 50 81 88 87 7F).

The game copies everything here before a $50 into $CF4B (if you activate Super Glitch by selecting it in battle.)

But Super Glitch's name may not have a $50 in it within CD6D-CD80. This causes the game to copy more data than it should to CF4B, causing memory corruption (buffer overflow).

Directly following CD80 is the current screen data, which is updated when you open the Pokédex, view your Pokémon or Trainer Card or items. Here is a dump from battle screen data, specifically from a level 18 DIGLETT and a level 100 PIDGEY with 233/235 HP:

[img]http://i.minus.com/jbq8ioCojF10r1.png[/img]

You can see the 5C (TM), 56 (……) and 5D (TRAINER) there.

The battle screen data is mainly the same, and TM, …… and TRAINER happen to be constant for CF4B corruption.

The data I highlighted in red marks the start of what is copied into the enemy name:

[img]http://i.minus.com/jbpWqn56cykrAL.png[/img]

As expected, it is at CFDA after a CF4B copy:

[img]http://i.minus.com/joEV18ds8HjBU.png[/img]

Note:

This is from a $CF4B copying corruption. This is not related to corruption 2 (data into $D0E1), where the number of letters of the moves preceding Super Glitch +1 for each slot influence where the corruption begins.

I will copy TheZZAZZGlitch's examples.

Moveset: Agility, Agility, TM28, [Super Glitch]
Agility [7 chars] + Agility [7 chars] + TM28 [4 chars] = 18 chars
D0E1₁₆ + 18₁₀ + 3₁₀* = D0F6₁₆
The Super Glitch will start its corruption at address $D0F6


Moveset: Barrage, Clamp, [Super Glitch], Hi Jump Kick
Barrage [7 chars] + Clamp [5 chars] = 12 chars
D0E1₁₆ + 12₁₀ + 2₁₀* = D0EF₁₆
The Super Glitch will start its corruption at address $D0EF


This means the enemy Super Glitch name for a battle is truly constant if the opponent and the user have the sprites used in my images.

Edit 3: Ha ha, oops. I just noticed that TheZZAZZGlitch's image does the same thing and more as mine.
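The $CF4B copy summarized in this post (and attributed to a buffer overflow in TheZZAZZGlitch's first reply), modelled in C as an added example that is not part of the original thread or the game's code. The flat `mem` array, the filler tile value and the placement of $5C/$5D are constructed for illustration; `source_of` assumes a linear byte-for-byte copy, under which the byte after CD80 lands on $CF5F and the enemy name at CFDA is fed from 143 bytes into the source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SRC   0xCD6Du /* 20-byte move-name buffer, CD6D-CD80 */
#define NAME_DST   0xCF4Bu /* 20-byte general-purpose name block */
#define NAME_LEN   20u
#define ENEMY_NAME 0xCFDAu /* start of the enemy Pokemon's name */
#define TERM       0x50u   /* name terminator */

static uint8_t mem[0x10000]; /* flat model of the address space */

/* Copy as described in the thread: every byte before the first $50 is
   copied and nothing limits the length. Returns bytes copied. */
unsigned copy_name(unsigned src, unsigned dst) {
    unsigned n = 0;
    while (mem[src + n] != TERM) { mem[dst + n] = mem[src + n]; n++; }
    return n;
}

/* Bounded variant: stops at the destination's 20 bytes. */
unsigned copy_name_bounded(unsigned src, unsigned dst) {
    unsigned n = 0;
    while (n < NAME_LEN && mem[src + n] != TERM) { mem[dst + n] = mem[src + n]; n++; }
    return n;
}

/* For a linear copy, the source address whose byte lands on `target`. */
unsigned source_of(unsigned target) { return NAME_SRC + (target - NAME_DST); }

/* Constructed input: a name with no $50 in its 20 bytes, then 200 made-up
   screen-tile bytes, with $5C/$5D placed where the enemy name is fed from. */
void load_unterminated(void) {
    memset(mem, 0, sizeof mem);
    memset(&mem[NAME_SRC], 0x7F, NAME_LEN + 200);
    mem[source_of(ENEMY_NAME)] = 0x5C;     /* TM */
    mem[source_of(ENEMY_NAME) + 1] = 0x5D; /* TRAINER */
    mem[NAME_SRC + NAME_LEN + 200] = TERM;
}

int main(void) {
    load_unterminated();
    printf("unbounded: %u bytes copied\n", copy_name(NAME_SRC, NAME_DST));
    printf("enemy name starts %02X %02X, fed from $%04X\n",
           mem[ENEMY_NAME], mem[ENEMY_NAME + 1], source_of(ENEMY_NAME));
    load_unterminated();
    printf("bounded: %u bytes copied\n", copy_name_bounded(NAME_SRC, NAME_DST));
    return 0;
}
```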