Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation I Glitch Discussion

Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-01-16 23:46:39
The types of already documented buffer overflow techniques that allow memory manipulation from the screen data so far include:

1. Super Glitch: Corruption of data from $CF4B, $D0E1
2. - (move): Corruption of data from $CF4B
3. Unterminated name glitch item: Corruption of data from $CF4B
4. Glitch location names on the Fly menu. This is an obscure one and I'm unsure how it works.
5. Unterminated name glitch Pokémon (when selected from a box): Also corruption of $CF4B onward if I remember rightly. Used in oobLG.

I think I found another one for us to look into, this time with glitch Trainer class names.

D031 (Red/Blue) and D030 (Yellow) partially control the opposing trainer class in battle. I found a Trainer name in Yellow (hex:77) which may have an extremely long trainer name. If you defeat the foe with this value set on D031/D030 (may require avoiding a problematic AI) and they have victory text, their name will be printed on the screen, and it appears that like the other buffer overflows what is corrupted after battle depends on the screen data.

I noticed 9153 in VRAM would control CFD7 (enemy Pokémon), and that this happens to be part of the foe's sprite that is displayed after you beat them. With Lorelei I get FF. Not sure whether this is due to VRAM inaccessibility or if that address is really FF but what's good about this is that the picture pointer of the opposing Trainer can be modified by manipulating the two bytes at D033 (D032 in Yellow). This doesn't have to include valid sprite pointers, hence in theory you can get many more CFD7 values by trying out different pictures and glitch pictures (which could even be in RAM).

The glitch pictures can also be used for their own unique corruption effects (possibly related to things like their dimensions). I tried 99 99 (pointing to VRAM) and it interestingly also corrupted the name you get at the end of the battle, but then I got this lovely corruption:

[img]https://i.imgur.com/xzys5LE.png[/img] [img]https://i.imgur.com/K4g17Mj.png[/img]

(I tried this two times and the first time it flew me to a glitch location, but didn't screenshot it, sorry)

Despite the fact that during experimenting the CFD7 value would stay at its corrupted value, it seems D056 (and D058 as well so instant encounter may not be possible either) is reset back to 00 meaning you can't capture Q (or theoretically Charizard 'M if this works similarly in Red/Blue) this way, which is a little sad.

Hopefully we can still exploit this to do useful things though, even though in Yellow the only way I know is through arbitrary code execution (and in Red/Blue possibly with Super Glitch as well).

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-01-17 01:06:21
Fossil Charizard 'M get! :)

[img]https://i.imgur.com/U2KJVKf.png[/img]

(This is with name 0x32)

Too bad almost all of the RAM is trashed, making escape from Glitch City very difficult. :(
But you could work with the items you're given in the expanded items pack in theory.

If you combine this with things that print tiles in battle (double distort CoolTrainer can do it) and avoid VRAM inaccessibility, then as VRAM is within the range of the BG Map (9C00-9E33) in theory if 9C2A is 0x15 this is another way to get Mew (or any other Pokémon/glitch Pokémon) as a fossil.

[img]https://i.imgur.com/EGieCQN.png[/img]

Will look into finding a way to escape the Glitch City (and potentially glitched meta-map scripts) and posting it here. :)

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Parzival
Date: 2018-01-17 07:52:13
>Hopefully we can escape the trashed-RAM Glitch City
change coordinates to somewhere normal with expanded pack
change map id with expanded pack and expanded party
use 9F
hope and pray

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-01-17 09:27:31

>>Hopefully we can escape the trashed-RAM Glitch City
>change coordinates to somewhere normal with expanded pack
>change map id with expanded pack and expanded party
>use 9F
>hope and pray

9F only works that way in Yellow sadly, thanks though.

If you want to do the same thing as 9F in Red/Blue you may place an X Attack x18 (41 12) in the map script pointer at D36E-D36F after setting your map and coordinates right.

A problem with getting glitch items is (at least some) seem to fall in the 9800 region of the BG map, which is full of 0x7F. However in actuality the items menu doesn't become full of 0x7F or 0xFF, and other items are available.

The menu is also likely invisible, though I found a weird way to get it visible again by using "7 6" (hex:7F) with a 0x50 sub-tile in the screen data, twice. (D35F must be a quantity x127 and Master Ball 01 and you've got to flash the Trainer card) Maybe it's taking 8 8 (hex:7C)'s effect.

[img]https://i.imgur.com/SB4p2Mz.png[/img]

(Believe it or not the game is still running and you can still scroll the menu)

I tested writing to D059 (instant encounter) out of interest and it froze the game, so you can't try anything in battle.

I did find B1F in the expanded items pack (which executes SRAM A7D0) so you could in theory use that, because the SRAM is untouched. Beforehand you could use 8F to write to the SRAM, or use many many SRAM corruptions like TheZZAZZGlitch did.

Another idea may be to manipulate D163 as 0xFF from the VRAM inaccessibility, swap Pokémon 62 with 63 to walk through walls, then load a map connection to fix the map, where you may be able to go into the PC to fix meta-map scripts in the expanded PC items.

Unfortunately the only time this has happened the game would freeze after battle.

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Charmy
Date: 2018-01-17 10:41:33
Well, did this against Champion Blue in Yellow and oh boy…
Every turn the game plays a drum and faded to black before either continuing the battle, exiting it, or crashing altogether (I once got a "4 4's true cry"-like effect but that never happened again).
If the game doesn't crash then the screen stays black if I don't use a move that modifies the palette. And if I don't KO the foe then it exits the battle or freezes. I once got the game to jump to the Pikachu sequence before the title screen, freezing shortly after.
And once the music just glitched out a bit.
Could this be useful and manipulated in some way?
Also I couldn't get past his Jolteon in any way with the code active, I needed to change his class to something valid before finishing the battle then change it back once I knocked out his Jolteon…
And lastly, I managed to trigger the unused text for losing against him.
And yes I did use Debug Yellow for this but I didn't have any other Yellow ROM on hand…

And then I tried d058-ing a random trainer (a Sailor in this case) and I got an occurrence of the battle restarting and my Pokémon 2-6 having their names be corrupted.

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-01-17 11:51:53
>Well, did this against Champion Blue in Yellow and oh boy…
>Every turn the game plays a drum and faded to black before either continuing the battle, exiting it, or crashing altogether (I once got a "4 4's true cry"-like effect but that never happened again).
>If the game doesn't crash then the screen stays black if I don't use a move that modifies the palette. And if I don't KO the foe then it exits the battle or freezes. I once got the game to jump to the Pikachu sequence before the title screen, freezing shortly after.
>And once the music just glitched out a bit.
>Could this be useful and manipulated in some way?
>Also I couldn't get past his Jolteon in any way with the code active, I needed to change his class to something valid before finishing the battle then change it back once I knocked out his Jolteon…
>And lastly, I managed to trigger the unused text for losing against him.
>And yes I did use Debug Yellow for this but I didn't have any other Yellow ROM on hand…
>
>And then I tried d058-ing a random trainer (a Sailor in this case) and I got an occurrence of the battle restarting and my Pokémon 2-6 having their names be corrupted.

Wow, that's interesting. Nice and cool you got the unused text. Which name did you use, is it the 0x77 one?

I may play around with this re: losing the fight too. Thanks for sharing Charmy. :)

By the way I finished a B1F code (which you have in the inventory from RB 0x32) for escaping the Glitch City and making the game still playable, and I managed to get the fossil 'M (FF). This code runs the Hall of Fame script, fixes your name, leaves you in Cinnabar Island after, fixes some event addresses and possibly all the meta-map scripts:

(B1F executes A7D0)

ld a,$50
ld ($d158),a      ; terminator ($50) at the start of the player name ($D158): fixes the name
ld a,$41
ld ($d36e),a
ld a,$12
ld ($d36f),a      ; map script pointer $D36E-$D36F = $1241 (the "X Attack x18" pointer from above)
ld a,$08
ld ($d35e),a      ; current map ($D35E) = $08, Cinnabar Island
xor a             ; a = 0: clear assorted event/flag bytes
ld ($d639),a
ld ($d72e),a
ld ($d72c),a
ld ($d736),a
ld ($d732),a
ld ($d733),a
ld ($d5a0),a
ld hl,$d5f0
ld bc,$011b
xor a
call $36e0        ; presumably FillMemory: zero $011B bytes starting at $D5F0
ld hl,$d35f
ld a,$5e
ld (hli),a
ld a,$c7
ld (hli),a        ; $D35F-$D360 = $C75E, the tile block map view pointer
ld a,$0c
ld (hli),a        ; $D361 = Y coordinate
ld a,$0b
ld (hli),a        ; $D362 = X coordinate
xor a
ld (hli),a        ; $D363 = Y block coordinate
inc a
ld (hli),a        ; $D364 = X block coordinate
ld c,$16
ld h,$64
ld l,$bb
ld b,c            ; b = bank $16, hl = $64BB
ld b,b            ; no-op
call $35d6        ; Bankswitch: far call to $16:$64BB, the Hall of Fame routine
ret


Still, if this can be set up without arbitrary code execution, I feel using arbitrary code execution with B1F could take away some of the charm. I do wonder if there is a way to escape the Glitch City with no arbitrary code or cheats (I remember a walk through walls route that worked, I entered a building in Saffron but that would require the 0xFF from inaccessible VRAM and no freeze or theoretically VRAM data that's wrong for a battle). The bad map script for Cinnabar Island could possibly be removed with the expanded stored PC items.

Actually if you can jump off a ledge, that should activate walk through walls, but you'd have to find a way to fix the map.

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Charmy
Date: 2018-01-18 16:24:50
Yes I did indeed use 0x77, and without changing the Sprite pointer in any way, the unused text got triggered.

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-02-08 13:47:37
Unfortunately the 'Super Glitch' effects that allowed me to get 'M (FF) aren't working anymore.

However glitch Trainer class names can be seen with this:

@DA80

or a               ; no effect on the check below; a is overwritten next
ld a,($ccf6)       ; "red bar noise" (low health alarm) disabled flag
dec a
cp 1               ; carry set only if the flag was 1
jr c,$da8a
ret                ; flag not set: do nothing
ld a,xx            ; $DA8A: class name goes here
ld ($d031),a
ret

@FF80
jp $DA80

("If red bar noise is disabled i.e. you beat a Trainer, set D031 to a value")
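
Both listings in this thread are entered as raw bytes, so the thing to check before using them is the encoding (in particular that the jr displacement in the $DA80 routine lands on the ld a,xx at $DA8A) and exactly which RAM bytes the B1F code stores. The script below is an added example, not code from the thread or from Glitch City Laboratories: a minimal assembler covering only the GBZ80 instructions used in the two listings (the B1F code at $A7D0 from the earlier post and the $DA80 hook in this one), plus a linear walk that lists the (address, value) stores each assembled payload performs. It assumes the standard GBZ80 opcode encodings, uses $32 (the Red/Blue class name mentioned earlier in the thread) as a stand-in for the 'xx' byte, and does not follow the calls to $36E0 and $35D6, which live in ROM.

```python
"""Mini GBZ80 assembler for the instructions in the two listings, plus a store tracer."""
import re

REGS = {"a", "b", "c", "d", "e", "h", "l", "hl", "bc", "de", "hli"}
# pattern -> (opcode, operand kind); "N" is the numeric operand. kind: None = no operand,
# "n" = 8-bit immediate, "nn" = 16-bit little-endian address, "e" = jr displacement.
OPCODES = {
    "or a": (0xB7, None), "xor a": (0xAF, None), "inc a": (0x3C, None),
    "dec a": (0x3D, None), "ret": (0xC9, None), "ld b,c": (0x41, None),
    "ld b,b": (0x40, None), "ld (hli),a": (0x22, None),
    "ld a,N": (0x3E, "n"), "ld c,N": (0x0E, "n"), "ld h,N": (0x26, "n"),
    "ld l,N": (0x2E, "n"), "cp N": (0xFE, "n"),
    "ld hl,N": (0x21, "nn"), "ld bc,N": (0x01, "nn"), "ld (N),a": (0xEA, "nn"),
    "ld a,(N)": (0xFA, "nn"), "call N": (0xCD, "nn"), "jp N": (0xC3, "nn"),
    "jr c,N": (0x38, "e"),
}
LENGTH = {op: 1 if k is None else (3 if k == "nn" else 2) for op, k in OPCODES.values()}

def parse(text):
    """'ld (d36e),a' -> ('ld (N),a', 0xD36E); register operands stay literal."""
    mnem, _, rest = text.lower().replace("$", "").partition(" ")
    key_parts, value = [], None
    for op in rest.replace(" ", "").split(",") if rest else []:
        inner = op.strip("()")
        if inner in REGS:
            key_parts.append(op)
        else:
            value = int(inner, 16)
            key_parts.append(op.replace(inner, "N"))
    return " ".join([mnem, ",".join(key_parts)]).strip(), value

def assemble(source, origin):
    """Assemble '/'-separated instructions whose first byte sits at address `origin`."""
    out = bytearray()
    for line in filter(None, (s.strip() for s in re.split(r"[/\n]", source))):
        key, value = parse(line)
        opcode, kind = OPCODES[key]
        out.append(opcode)
        if kind == "n":
            out.append(value)
        elif kind == "nn":
            out += value.to_bytes(2, "little")
        elif kind == "e":  # jr: displacement from the byte after this 2-byte instruction
            disp = value - (origin + len(out) + 1)
            out.append(disp & 0xFF)
    return bytes(out)

def direct_writes(code):
    """Linear walk tracking A and HL; returns (address, value) for every 'ld (nn),a' and
    'ld (hli),a'. Calls are not followed (the $36E0 fill is not listed); A is None after 'ld a,(nn)'."""
    a, hl, pc, writes = None, 0, 0, []
    while pc < len(code):
        op = code[pc]
        arg8 = code[pc + 1] if pc + 1 < len(code) else 0
        arg16 = int.from_bytes(code[pc + 1:pc + 3], "little")
        if op == 0x3E:
            a = arg8
        elif op == 0xAF:
            a = 0
        elif op in (0x3C, 0x3D) and a is not None:
            a = (a + 1 if op == 0x3C else a - 1) & 0xFF
        elif op == 0xFA:
            a = None
        elif op == 0x21:
            hl = arg16
        elif op == 0xEA:
            writes.append((arg16, a))
        elif op == 0x22:
            writes.append((hl, a))
            hl = (hl + 1) & 0xFFFF
        pc += LENGTH[op]
    return writes

# The thread's B1F payload (executed from $A7D0), transcribed with '/' separators.
B1F_CODE = (
    "ld a,50 / ld (d158),a / ld a,41 / ld (d36e),a / ld a,12 / ld (d36f),a / "
    "ld a,08 / ld (d35e),a / xor a / ld (d639),a / ld (d72e),a / ld (d72c),a / "
    "ld (d736),a / ld (d732),a / ld (d733),a / ld (d5a0),a / "
    "ld hl,d5f0 / ld bc,011b / xor a / call 36e0 / "
    "ld hl,d35f / ld a,5e / ld (hli),a / ld a,c7 / ld (hli),a / ld a,0c / ld (hli),a / "
    "ld a,0b / ld (hli),a / xor a / ld (hli),a / inc a / ld (hli),a / "
    "ld c,$16 / ld h,$64 / ld l,$bb / ld b,c / ld b,b / call $35d6 / ret"
)
# The thread's $DA80 hook; 'xx' becomes a parameter (the leading 0 stops a value such as
# $BC from being read as the register pair bc).
HOOK_CODE = ("or a / ld a,(ccf6) / dec a / cp 1 / jr c,da8a / ret / "
             "ld a,0{:02x} / ld (d031),a / ret")

def b1f_bytes():
    return assemble(B1F_CODE, 0xA7D0)

def hook_bytes(class_name=0x32):
    """$32 (default) is the Red/Blue class name the thread mentions; any byte works."""
    return assemble(HOOK_CODE.format(class_name), 0xDA80)

if __name__ == "__main__":
    print("B1F @A7D0:", b1f_bytes().hex(" "), [f"${x:04X}<-${v:02X}" for x, v in direct_writes(b1f_bytes())])
    print("hook @DA80:", hook_bytes().hex(" "), "| jp @FF80:", assemble("jp da80", 0xFF80).hex(" "))
```

Running it prints the byte strings for $A7D0 and $DA80 plus the store list; the trace shows the B1F code putting $50 at $D158, $1241 into the map script pointer at $D36E, $08 into the map byte $D35E and the coordinates into $D361/$D362, while the $36E0 fill and the $35D6 far call are left to the reader since their targets are in ROM. Because the walk is linear, it also runs on past the first ret of the hook into the $DA8A branch, which is exactly the store the routine makes when the flag at $CCF6 is set.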

Re: Yet another buffer overflow technique? (glitch Trainer class names)

Posted by: Torchickens
Date: 2018-05-01 13:05:26
I suddenly thought, I wonder if this can be done without an artificial glitch trainer by using Jacred (hex:C8)?

Will do some more testing.

Edit: Video of the Glitch City actually loading in Red (https://www.youtube.com/watch?v=uV2I0RZ3IDk) but haven't been able to do it without BGB emulator's debugger.