Map distortion glitch Rival name variation for a powerful buffer overflow
Posted by: Torchickens
Date: 2018-12-08 19:18:11
The Rival's name can also represent a control character, such as a Pokémon name or the player's name (less ideal because Super Glitch, ACE and obscure things like connection copier are the only glitches which let you do that). This then, in theory, allows you to corrupt much more of the memory.
For the purpose of this post, we shall use a Rival name which contains the 0x59 control character.
Steps (theory):
1) First enter a battle and run. This loads 0x59 as (your Pokémon).
2) Fill the current map data with 0D building blocks. You can do this by having 50 Ice Heal x13 in the stored PC items and setting D35F to 3B D5. In the expanded inventory, this is represented by (item) x 59 followed by TM13. I looked to see if there is a place with many 0D bytes in the ROM. Unfortunately I couldn't spot any except in banked ROM, which I had trouble displaying for custom D35F values (even if the map bank is the same as the ROM bank for the source, it won't bring up those blocks).
[img]https://i.imgur.com/jOvoYPe.png[/img]
Note: You don't need 50 Ice Heal x13, and the actual amount needed is for now unknown. I'll edit this post with the minimum number needed after the theory is out.
3) Set your Rival name to 59 59 59 59 59 50.
4) Open the menu with glitch item 0x87 at the top of the list
5) Profit!
I don't know how long this corruption was, but it was definitely powerful, corrupting cursor-related data and sending us to a Glitch City (with entrance warp animation) with a Trainer encounter theme playing after leaving the menu.
[img]https://i.imgur.com/NRrr9rc.png[/img]
[img]https://i.imgur.com/165TF2g.png[/img]
It didn't quite corrupt map connections, so what you can do to escape is move up to go back to Viridian City. However, I got stuck with the Start menu cursor glitched, so I couldn't use a Rival's effect item. Darn…
Doing this with a different source map may give a different result though. :)
[img]https://i.imgur.com/mZtjQ1Z.png[/img] [img]https://i.imgur.com/Z4h2WMc.png[/img]
Note: With this glitch, you can heal out-of-bounds Pokémon if you use a healing item. This could potentially lead to the corruption of other memory addresses.
What I'm going to try and do is find a 'safe' way of corrupting CD38 so you have a replicable way to walk through walls without ACE. I will update this thread with my findings.
Update 1: If you keep spamming up, eventually the cursor will be in a normal range. This lets you escape and Fly away.
Update 2: I've tried corrupting CD38, which was successful, but so far I keep getting freezes upon closing the menu and I don't know what causes them. I can save and reset the game to disable the freeze, but that resets CD38 to 0 (and the enemy Pokémon addresses CFD8 and D059 for that matter), so that's no good. :(
Update 3: Invalid CC47 values cause a freeze after closing Start. 00 and 01 are fine. Maybe we can set it to 00 or 01 and still change later addresses in some way.
Update 4: CC57 comes into play too; bad CC57 values can freeze or execute RAM. Interestingly enough, this seems like another access point for ACE. Non-freezing values: 0x0D (5 ERROR forever), 0x16, 0x17, 0x2A (dismount Bicycle forever).