Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Glitch moves lowering glitched stats - potential to alter a useful address?

Posted by: Torchickens
Date: 2015-08-30 21:36:46
In Pokémon Yellow, the glitch move TM47 (hex:F7) has the move effect $92 (one can check the move effect without the need of looking in the ROM by putting the cursor over a glitch move and checking the address CFD3 (Red/Blue) or CFD2 (Yellow)).

Move effect $92 gives it a chance of apparently lowering a glitched stat with a name that may be blank, though I've also had it as named "ONIX" (which makes me curious if the 'stat name' may be unpredictable like CoolTrainer's internal name).

When I learned about it lowering a glitched stat, it made me wonder whether the game actually tries to decrease the value of a used memory address that could represent something useful to manipulate (maybe for instance we could lower the value of a species byte and we do not know it yet!). Though there's the possibility that it doesn't or tries to lower a read-only address as well.

Bulbapedia says that HM01 can also cause a glitched stat to become lowered. But this may be an error. In Red, its move effect is $8F. When I used the move, the game said "nothing happened" after damage was dealt, and when I set breakpoints to writable memory (8000-FEFF) in BGB, the debugger did not break there, so no arbitrary code was executed at that point.

In Yellow, HM01 has the effect 4B, which is documented here as "none" (or is it?).

On the subject of obtaining TM47, Bulbapedia seem to unfortunately have error(s) regarding the details of acquiring it as well.

Yellow's Z (hex:E5) will not learn TM47 at level 47, and I don't know if you can get it with the trade evolution glitch with Alakazam because Alakazam does not try to learn Shadow Ball (hex:F7) at any level.

If we want to obtain TM47 without arbitrary code execution and no Pokémon learns it, I guess that we might be able to get it with Super Glitch in a Glitch City that has a   symbol in it, or possibly the max stat experience and DVs trick if you shifted a current experience of 247 (TM47's index number) into a move.

Re: Glitch moves lowering glitched stats - potential to alter a useful address?

Posted by: TheZZAZZGlitch
Date: 2015-08-31 03:35:31
TM47's move effect pointer causes an accidental jump to 0F:7502. This is a valid move effect subroutine responsible for handling side effect stat reductions - all of them. To determine which stat it's supposed to lower, it reads the move effect ID, which for valid stat reduction effects should be between 0x44 and 0x47, and subtracts 0x44 to obtain the stat identifier.

TM47's move effect ID is 0x92, so the game will try to lower an out of bounds stat with ID 0x4E. Enemy stat changes are stored in an 8-byte table at $CD2E. Attempting to index this table with a wrong stat ID causes out of bounds writes. In our case, the move effect will cause address ($CD2E+$4E) = $CD7C to be decreased.

That doesn't help us in any way. $CD7C is in the middle of the temporary text buffer. Any changes there do not matter, as they will be overwritten as soon as a new text string is loaded. After that is the cached screen data, and changing it also isn't helpful in any way.

So lowering glitched stats indeed causes out of bounds writes, but they are all useless.

The glitched stat name is unpredictable, just like the Cooltrainer move's internal name. The whole scenario is exactly the same. A 0x50 separated list of stat names is searched at 0F:7655. Out of bounds stat IDs cause the search to go beyond the buffer, and the final name pointer is determined by the amount of 0x50 bytes in the RAM.
The only difference is that the name can't cause any memory corruption like Cooltrainer does. The game always copies exactly 7 characters from the table, no more. You can get some insanely long stat names if the name isn't properly terminated, but it's never copied between any buffers after it's loaded, so no memory corruption occurs.

So the glitch name isn't useful in any way either. It just looks nice.
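
Added example, not part of the original post and not the game's code: a simplified C model of the unchecked stat index and the 0x50-separated name search described above, next to bounds-checked forms. The function names, the `wram` array and the unconditional decrement are assumptions for illustration; the addresses and effect IDs are the ones quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the values quoted in the thread; not the game's code. */
#define WRAM_BASE    0xC000u
#define STAT_TABLE   0xCD2Eu  /* 8-byte enemy stat change table */
#define EFFECT_FIRST 0x44u    /* valid stat reduction effects: 0x44..0x47 */
#define EFFECT_LAST  0x47u
#define NAME_END     0x50u    /* separator between stat names */
static uint8_t wram[0x2000];  /* stands in for $C000-$DFFF */

/* Unchecked, as described: index = effect - 0x44. Returns the address written. */
uint16_t lower_stat_unchecked(uint8_t effect)
{
    uint8_t stat = (uint8_t)(effect - EFFECT_FIRST);
    uint16_t addr = (uint16_t)(STAT_TABLE + stat);
    wram[addr - WRAM_BASE]--;   /* assumption: plain decrement, no stage limits */
    return addr;
}

/* Checked: refuse effect IDs outside 0x44..0x47; returns 0 if nothing written. */
uint16_t lower_stat_checked(uint8_t effect)
{
    if (effect < EFFECT_FIRST || effect > EFFECT_LAST)
        return 0;
    return lower_stat_unchecked(effect);
}

/* Bounded name lookup: skip `stat` separators inside list[0..len).
   Returns the name's offset, or -1 if the search would leave the list. */
long stat_name_offset(const uint8_t *list, size_t len, uint8_t stat)
{
    size_t i = 0;
    for (; stat > 0; stat--) {
        while (i < len && list[i] != NAME_END)
            i++;
        if (i >= len)
            return -1;          /* ran out of list: out-of-range stat ID */
        i++;                    /* step past the separator */
    }
    return i < len ? (long)i : -1;
}

int main(void)
{
    printf("0x92 unchecked -> $%04X\n", (unsigned)lower_stat_unchecked(0x92));
    printf("0x92 checked   -> $%04X\n", (unsigned)lower_stat_checked(0x92));
    return 0;
}
```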

Re: Glitch moves lowering glitched stats - potential to alter a useful address?

Posted by: Torchickens
Date: 2015-08-31 06:50:05
Oh, that's a shame we can't do anything with it. Thanks for your research. :) I appreciate it a lot.

Edit:


"After that is the cached screen data, and changing it also isn't helpful in any way."


I'm not sure if I'm misunderstanding something, but this made me theorize about something.

I was thinking if there is actually a way something like this could hypothetically be a little helpful in Red/Blue and Yellow, only if there happens to be another move that handles stat reductions and can decrement one of the cached screen data addresses. It seems very unlikely we could find something useful though, I know.

You could maybe (only potentially) corrupt some addresses in between CF4B-D006 or D0E1-D19C ($CD2E+$FF-$44 is a difference of $BB) with Super Glitch to -1 of what the data would normally be (dictated by the screen cache), with some of those being useful, such as a letter in your name, and in Yellow since you can't (normally?) bring over screen data from outside of battle, it could have its own use there because of you needing to open the party menu in battle.

In battle, it seems like you can normally only get two corruptions in Yellow other than a freeze (the one that gives level 127 Missingno. and the inversed sprites one that gives level 127 Horsea). I'm not sure if that's really the case though.

The cached screen data may not change if you do not open the party menu or items menu as you originally found (Red/Blue/Yellow).

With Super Glitch, could you have the Super Glitch effects fail, and while you're on the fight screen use the glitch move with a lowering effect to alter a byte in the cached screen data, then have Super Glitch work to have the game copy the data to one of the two buffers including the byte that was altered? So for instance if we found a move that combined with Super Glitch would alter CFD8 to 1 less than expected (highly unlikely), could you use that to have a CoolTrainer/Super Glitch spot give a different Pokémon (e.g. Mr. Mime instead of Hitmonlee?).

For Red/Blue and Yellow, there is a glitch that would allow the steps in theory to work with CoolTrainer (where you can normally only select one move when CoolTrainer is the first move). If your moves are like hex:00, (glitch move) and then you view the summary of a Pokémon in battle with more than one move, then you can move the cursor beyond hex:00, the number of moves you can select depending on the Pokémon, which would mean you could use the glitch move to lower the stat and then access hex:00 without opening the party menu and changing the data at CD81 onward that way.

Incidentally, I've noticed that in Yellow if the foe makes a move or the "hurt by the burn!"/"fast asleep", possibly other messages appear; the cached screen data at CD81+ will be updated again.

Edit 2: What would happen if it was the opponent that used the glitch move on the user and it happened to lower a glitch stat rather than the other way around?