How far can 0x0 sprite dimensions corrupt?
Posted by: Torchickens
Date: 2019-11-02 13:16:26
Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.
You can join Glitch City Research Institute to ask questions or discuss current developments.
You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.
Glitch Pokémon's sprite dimensions (height/width) of 0 can cause a buffer overflow while decompressing the SRAM, into RAM. Up to where in RAM can this corrupt? We know Yellow MissingNo. corrupts C0EF/C0F0. Other than C109 (facing direction, which allows for ACE), are there any other corruptible locations to do something useful to exploit?

How many bytes does the typical front sprite take up, and how big is it?

5 x 5, 6 x 6, or 7 x 7 tiles. Not sure if it has to be uniform, but all examples are. Presumably treating one as 256 x 256 and seeing how far it reaches if the same routine is run for it should show up to where it overwrites.

Well, if I knew how many bytes one front sprite of known size takes up, I could calculate how many bytes it'd take up and thus (barring weird position-resetting behavior) the range of corruption.
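As an added worked example (this is not code from the thread, and it is not the game's own decompression routine), here is the calculation the last two replies sketch: size one sprite from its tile dimensions, treat a 0 dimension the way an 8-bit down-counting loop would (256 iterations), and see how far a linear fill from the sprite buffer would reach with a 16-bit pointer that wraps. What is certain is the tile format: a Game Boy tile is 8x8 pixels at 2 bits per pixel, so 16 bytes. The nibble layout of the picture-size byte (width high, height low), the buffer start of 0xA000, and the 0-means-256 reading are assumptions made for the model and are marked as such in the code.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added model for the thread's reasoning, not the game's decompressor.
 * A Game Boy tile is 8x8 pixels at 2bpp: two 8-byte bitplanes, 16 bytes. */
#define TILE_BYTES 16u
#define ADDR_SPACE 65536u   /* 16-bit address space the fill pointer wraps in */

typedef struct { unsigned width; unsigned height; } TileDims;

/* An 8-bit loop that decrements a counter and stops at zero runs 256 times
 * when started at 0 (the counter underflows to 0xFF on the first decrement).
 * This is the "treat 0 as 256" presumption from the thread, as an assumption. */
static unsigned loop_count_u8(unsigned count)
{
    return count == 0 ? 256u : count;
}

/* Assumed layout of a one-byte picture size: high nibble = width in tiles,
 * low nibble = height in tiles, so 0x77 describes a 7x7-tile sprite. */
static TileDims decode_pic_size(uint8_t size_byte)
{
    TileDims d;
    d.width  = loop_count_u8(size_byte >> 4);
    d.height = loop_count_u8(size_byte & 0x0F);
    return d;
}

/* Uncompressed size of one w x h sprite's 2bpp tile data. For 256x256 this
 * is 1 MiB, sixteen times the whole address space. */
static uint32_t sprite_bytes(TileDims d)
{
    return (uint32_t)d.width * d.height * TILE_BYTES;
}

/* Would a linear fill of nbytes from `start`, with a 16-bit pointer that
 * wraps, ever write `target`? The distance is taken in wrap arithmetic. */
static bool fill_reaches(uint16_t start, uint32_t nbytes, uint16_t target)
{
    uint16_t offset = (uint16_t)(target - start);
    return (uint32_t)offset < nbytes;
}

/* Number of complete passes over the 64 KiB space the fill makes. */
static uint32_t fill_wraps(uint32_t nbytes)
{
    return nbytes / ADDR_SPACE;
}

/* Address of the last byte written (after any wraps). */
static uint16_t fill_end(uint16_t start, uint32_t nbytes)
{
    return (uint16_t)(start + nbytes - 1u);
}

int main(void)
{
    const uint16_t buffer = 0xA000;                    /* assumed sprite buffer start */
    const uint16_t probes[] = { 0xC0EF, 0xC0F0, 0xC109 }; /* addresses named in the thread */
    const uint8_t sizes[] = { 0x55, 0x66, 0x77, 0x00 };  /* normal sprites, then the 0x0 case */

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        TileDims d = decode_pic_size(sizes[i]);
        uint32_t n = sprite_bytes(d);
        printf("size byte 0x%02X -> %u x %u tiles, %u bytes, ends at 0x%04X after %u wrap(s)\n",
               sizes[i], d.width, d.height, (unsigned)n,
               fill_end(buffer, n), (unsigned)fill_wraps(n));
        for (size_t j = 0; j < sizeof probes / sizeof probes[0]; j++)
            printf("    reaches 0x%04X: %s\n", probes[j],
                   fill_reaches(buffer, n, probes[j]) ? "yes" : "no");
    }
    return 0;
}
```

The point the model makes concrete is the one the third reply leaves open: a 7x7 sprite is 784 bytes and a fill from 0xA000 stops at 0xA30F, well short of any of the C0xx addresses, whereas a 256x256 reading is 1 MiB and would cross the entire address space sixteen times, so the size alone does not bound the corruption; where the real routine stops (or, as the last reply puts it, any position-resetting behaviour) is what decides the range.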