Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation I Glitch Discussion

Mart Guy Buffer Overflow (Mart Pwner)

Posted by: luckytyphlosion
Date: 2016-01-17 18:27:06
By creating a custom text pointer for a map, it's possible to turn an NPC into a Poké Mart Vendor.

To set up a custom text pointer, steps would go somewhere similar to this:


Now, in order for an NPC to be a Poke Mart vendor, the first byte of its text must be 0xff. The next byte represents quantity (which is semi-irrelevant unless you want to buy items) and the bytes following are a list of items in the mart, terminated by $ff. This will allow you to create your own Poke Mart Vendor!

If you make the list too long, the mart inventory will eventually overflow into other portions of memory. We can use this to our advantage to write values starting from $cf7b, similar to string buffer overflows such as TMTRAINER items and the CoolTrainer move. Unlike those two, using a Mart Guy allows much easier manipulation as the source is hypothetically user controlled. In addition, it's possible to write to much farther values because the source can be set at any address, allowing a longer distance between the destination (cf7b) and the source.

One application is for catching all Pokémon. I made a speedrunning route using this glitch, as shown here by Chivu93 (setup starts at 18:45, glitch starts at 25:34)

Another application could be to create a Pokémon using items, although it would take a considerable amount of space before the destination would reach $d16b (wPartyMon1).

(Speedrunning route if anyone is interested: Link)

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Krys3000
Date: 2016-01-18 12:18:13
This is so awesome, luckytyphlosion! You never cease to amaze me :D

Many things happen in the setup part, do you have a list of things that you have to do to trigger the glitch? It's of course happening very quickly in the video. Thanks!

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: luckytyphlosion
Date: 2016-01-23 16:23:30
I don't have an actual setup for the glitch in the video, but here's a general list of what you would need to do:

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Torchickens
Date: 2016-01-27 14:15:40
Very beautiful glitch!

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Spoink
Date: 2016-01-28 14:12:28
I set the text pointer to $f36f, which points to the script pointer.


Could you use $d36f?

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Torchickens
Date: 2016-01-29 11:02:52

I set the text pointer to $f36f, which points to the script pointer.


Could you use $d36f?


I think here he probably means we place 6F F3 into item 40 (D36C/D36D text pointer table), which would represent the hex: 6F item x243. F36F is Echo RAM for D36F; so hex: 6F x 211 would theoretically work as well.

Then for the Pallet Town lady (ID 02), the game would read the pointer two bytes ahead of D36F (i.e. D371).

At D371 there needs to be an FE. Following the FE there must be 239 bytes (or around that) which are not FF, if we want the Poké Mart vendor to corrupt all the way to wEnemyBattleStatus3:: ; d069.

Trick to encounter a wild catchable Mew or get the "Hurry, get away!" battle system without cheating for Pokémon Yellow:


Have D36C/D36D; item 40 (text pointer table) spell 1E F3 (Repel x243).

At D320 (the Pallet Town mart lady is ID 02 so we told the game that her script pointer lies here), put 6C F1 (any item 2 x108, item 3=TM41).

D16C (F16C) represents the current HP modulo 256 of party Pokémon 1. We can make this 254.

From then on, there is a relationship like this:

D16C + DF = D24B - Pokémon 6 type 1 "Instant encounter" ; $15 (Water-type) - Mew
D24B + 01 = D24C - Pokémon 6 type 2 "Battle system/automatic selection" ; Poison-type is $03; "Hurry, get away!" value.

This means if Pokémon 1's current HP is 254 modulo 256, a Pokémon and battle system will be loaded based on Pokémon 6's types.

Tentacool (Water/Poison), would give Mew with the "Hurry, get away!" battle system (hex:03).

Staryu (Water/Water) gives the invalid hex:15 battle system, where no Pokémon are sent out by the player, but you can catch Mew via automatic A selection if a Master Ball is in the first slot.

The addresses are the relative changes for CF7A to get to D058, D059.

Note that you must not have a Pokémon with a catch rate of 255 (I think Pokémon 6 may be a clean exception to this rule), a Pokémon with FF in its experience bytes, a Pokémon with EVs/DVs containing FF in them, or a Pokémon with a Trainer ID containing FF or the mart will not be able to corrupt as far as D059.

Video (click to view):

https://www.youtube.com/watch?v=-TtWZrTurKA



There is a more complicated non-speedrunning method for catching every Pokémon including up to 20 before having to change the text pointers table again as well.

A Pokémon with Fly may be required so you don't get trapped in Pallet Town.

Have D36C/D36D (text pointer table) spell 1E F3 (Repel x243).

At D320 (the Pallet Town mart lady is ID 02 so we told the game that her script pointer lies here), put 87 F1 (you need any item 2 x135, and item 3 must be a TM41).

D187 (F187) represents the PP of party Pokémon 1's PP move 1. We can have it underflow to 254 (62 PP and all PP Ups applied) using a PP underflow glitch.

The one I used involves a slower Chansey level 7 with Hyper Beam (TM15 - buyable from the Game Corner) and Double Team (TM32 - buyable from the Celadon Department Store) against a level 15 Tentacool. Note that you can get both of these items after the dry item underflow glitch using TheZZAZZGlitch's any glitch item trick.

Hyper Beam's PP is reduced to 1. Chansey uses Hyper Beam and the next turn Tentacool uses Wrap and misses, causing Hyper Beam to be executed again and the PP to roll under to 255 (63 PP with all PP Ups used).

After that, you can simply use Hyper Beam again to make the PP value represent 254 (62 PP with all PP Ups used).

To make changes suitable for catch 'em all, there is a relationship like this:

D187 + 5E = D1E5 - Pokémon 3 max HP lower byte controls "Enemy species in battle"
D1E5 + 7F = D264 - Pokémon 6 PP move 2 controls "In battle, must be 01, no PP Ups used"
D264 + 02 = D266 - Pokémon 6 PP move 4 controls "Instant encounter, must be 00"
D266 + 01 = D267 - Pokémon 6 level controls "Battle system/automatic selection, must be 00"
D267 + 0F = D276 - Trainer name for first Pokémon letter 5 controls "Enemy monster not transformed/Ditto clearer, must be 00"

The addresses are the relative changes for CF7A to get to CFD7, D056, D058, D059, D068.

The Pokémon 3 max HP can be adjusted with Rare Candies and HP Ups, but since we set the "in battle?" address (D057) to 01, we won't be able to use them after capturing a Pokémon. Saving and resetting fortunately resets D057 to 00 while keeping the corrupted text script table.

A level 0 Pokémon is needed as Pokémon 6.

We are able to obtain one without trading using that older type of text pointer manipulation MrWint documented, where we turn an item ball into a Pokémon, if there are available item balls in your save file.

E.g. Chansey/Rare Candy (Pokémon Mansion B1F)

Video (click to view):
https://youtu.be/XOJ_32owIJU?t=592 (9:30)

'M (00) level 0 should not be used or traded over to Yellow because it contains FF in its experience bytes.

In order for Pokémon 6 to have move 2 with 1 PP, you can either theoretically use up nearly all of the PP on that move on a level 255 Pokémon and use a Rare Candy to have it reach level 0, or battle against a level 2 Pidgey and fight with the help of many X Defends and a few X Speeds, Potions or Full Restores (it's definitely possible).

If you meet all the requirements detailed above, then you can proceed to activate the mart buffer overflow glitch.

1) Talk to the lady in Pallet Town.
2) Close the mart and wait for Red to stop stepping on the spot if he does this.
3) Throw a Master Ball from your items pack and you will catch the Pokémon depending on party Pokémon 3's max HP.
4) If you immediately throw the Master Ball again, you will get Ditto. If you throw the Master Ball then repeat steps 1 and 2, you can capture the same Pokémon twice without saving and resetting.
5) Save and reset (otherwise Rare Candies and HP Ups won't work).
6) Use any Rare Candies or HP Ups on Pokémon 6 until you get a maximum HP stat you like (e.g. 21=Mew), then talk to the lady and close the mart.
7) Now you can throw the Master Ball again to get a different Pokémon.

If you plan on filling multiple boxes, then you can prepare yourself with many Repel x243 stacks. After a Pokémon box is full, you can Fly away to open the PC and the text pointer table will be reset, but if you still have a Repel x243 stack you are able to repeat the glitch.

Multiple stacks can be obtained if you get Repel x255, then toss the item above it to create another stack of Repel x255. From then on, you can toss 12 from the individual stacks.

To fill all 12 empty boxes (all 12 boxes can contain 240 Pokémon in total), you would require 12 stacks of Repel x243. If you just want all 151 Pokémon, you would need 8 stacks of Repel x243.

Sadly I wasn't able to find a better alternative to using party Pokémon 3's max HP as the species modifier. Current HP may have been a good idea because you could always reduce the party Pokémon's HP by 1 every four steps so that you do not 'skip' a Pokémon ID (since using HP Up, Rare Candy doesn't always increase the Pokémon's HP by 1).

However, I think you could use multiple Pokémon to place into slot 3 to get the values that you missed.

Full steps:
1) Teach your Pokémon for the PP wrap around glitch TM15 - Hyper Beam and preferably TM32 - Double Team.
2) Teach your level 0 Pokémon a second move if it doesn't have one, e.g. Pinsir and TM15 - Hyper Beam. It must have 0 PP left of its fourth move (preferably do not teach one). It must not know TM55.
3) Save.
4) Put PP wrap around glitch Pokémon in slot 1, have it have Hyper Beam as move 1.
5) Surf on Route 21 (south of Pallet Town) and encounter a level 15 Tentacool.
6) Successfully do the PP wrap around glitch, and use Hyper Beam one more time to get 62 PP (and this will effectively now have all PP Ups applied once the underflow occurred).
7) Swap Hyper Beam into the first move position
8) Save.
9) Put level 0 Pokémon in slot 1 (it should be switched back into slot 6 later).
10) Enter a battle on Route 1 and use X Defends, X Speeds, Potions (not from item 2 if item 2 is a Potion) to be able to exhaust all PP of your second move.
11) Exhaust all of your second move's PP to 1.
12) Exit the battle without gaining any experience. If your Pokémon faints or it gains experience, reset.
13) Put level 0 Pokémon back in slot 6.
14) Go to Pallet Town and place the Repel x243 into item 40.
15) Make sure that the PP underflow Pokémon is in slot 1, max HP of your choice Pokémon in slot 3, level 0 Pokémon in slot 6. Talk to lady.
16) Close the mart, throw a Master Ball to get Pokémon ID=Pokémon 3 max HP modulo 256.
17) Save and reset so you can use HP Up, Rare Candy and talk to lady again, repeat step 15.

Note that you must not have a Pokémon with a catch rate of 255, a Pokémon with FF in its experience bytes, a Pokémon with EVs/DVs containing FF in them, or a Pokémon with a Trainer ID containing FF or the mart will not be able to corrupt as far as D068.

Some level 0 Pokémon change to a different level when you deposit them into a box and withdraw them. Some freeze the game. It depends on the experience type and a level 0 medium-slow Pokémon seems to be the only non-glitch Pokémon that stays at level 0 and does not freeze.

The Pinsir I used became level 1, but fortunately withdrawing a level 0 Mew (medium-slow growth rate) captured after this glitch gave me a level 0 Pokémon that could possibly be used if I wanted to repeat the glitch without restricting myself to 5 Pokémon other than the level 0 Pokémon.

Video (click to view):

https://www.youtube.com/watch?v=3TDXWL093AI
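The unbounded copy luckytyphlosion describes in the opening post (bytes copied into the item list until an $FF is read) and the source/destination offset tables in Torchickens' post above can be replayed on a constructed RAM image. This is an added example, not code from the thread or from the game; the $FE header, the $CF7A base and the addresses D16C/D24B/D24C/D187/D276 are taken from Torchickens' Yellow write-up, and the 64 KiB image is constructed here rather than dumped from a cartridge.

```python
MART_HEADER = 0xFE        # byte the script target must hold (D16C, D187, D371 in the thread)
LIST_TERMINATOR = 0xFF    # the copy stops only when it reads this byte
ITEM_LIST_BASE = 0xCF7A   # Torchickens' "relative changes for CF7A" base (assumed from the post)


def mart_copy(wram: bytearray, header: int, base: int = ITEM_LIST_BASE) -> dict:
    """Replay the unbounded copy: every byte after the header is written to
    base, base+1, ... until (and including) the first $FF in the source.
    Returns {destination: value} so the caller can see what was overwritten."""
    if wram[header] != MART_HEADER:
        raise ValueError("no mart header at %04X" % header)
    writes = {}
    src, dst = header + 1, base
    while True:
        value = wram[src]
        writes[dst] = value
        if value == LIST_TERMINATOR or src + 1 >= len(wram):
            return writes          # normal stop, or image exhausted with no $FF
        src += 1
        dst += 1


def dest_of(header: int, src_addr: int, base: int = ITEM_LIST_BASE) -> int:
    """Where one source byte lands, e.g. header D16C and source D24B -> D058."""
    return base + (src_addr - (header + 1))


def terminator_before(wram: bytearray, header: int, src_addr: int):
    """Address of the first $FF between the header and src_addr, or None.
    Any such byte (an FF experience byte, DV, trainer ID, or catch rate 255)
    ends the copy early, which is the 'will not corrupt as far as' rule."""
    for addr in range(header + 1, src_addr):
        if wram[addr] == LIST_TERMINATOR:
            return addr
    return None


def build_demo_wram() -> bytearray:
    """Constructed image for the Mew setup: FE at D16C (party Pokémon 1 HP low
    byte = 254), Tentacool's types $15/$03 at D24B/D24C, and an $FF at D300."""
    wram = bytearray(0x10000)
    wram[0xD16C] = MART_HEADER
    wram[0xD24B], wram[0xD24C] = 0x15, 0x03
    wram[0xD300] = LIST_TERMINATOR
    return wram
```

Placing an $FF anywhere between D16D and D24B (say at D200) makes `mart_copy` stop at D00D, which is the page's warning about FF bytes in party data made concrete.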

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Krys3000
Date: 2016-01-30 06:22:54
Wow! Thanks for the explanation lucky, and for your work on this Torchickens! This is really a great trick. I can't wait to test this on my game, I'll try to do it soon to maybe publish it on PRAMA as well ;)

Re: Mart Guy Buffer Overflow (Mart Pwner)

Posted by: Torchickens
Date: 2016-01-30 10:14:42

Wow! Thanks for the explanation lucky, and for your work on this Torchickens! This is really a great trick. I can't wait to test this on my game, I'll try to do it soon to maybe publish it on PRAMA as well ;)


No problem Krys3000. Good luck and have fun! :D