Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

New(?) powerful non-ACE glitch

Posted by: Torchickens
Date: 2020-06-20 15:24:07
Not sure what to call this exploit, and wonder if anyone else knows it yet. Maybe I'll call it "box breaker". It's a little like the glitch mart pwner, because it's a customisable buffer overflow. You can corrupt your name and party Pokémon too, but with more freedom than Super Glitch as this data is taken from the last Pokémon data in the box.

Basically, this glitch involves bad storage boxes. There is a way to precisely access boxes beyond box 12, and that is by touching memory address D5A0 with dry underflow glitch but set up in the items PC. It will be one of the item quantities representing your box number, which for this glitch (but you can do many more things in theory!) you can change to 0D (x13) or 8D (x141), placing you in box 14. From there, changing the box to itself will update DA80 (current box contents).

In order to retrieve a PC box, the game grabs a pointer (which is meant to be in SRAM) and copies it into DA80. However, for box 14 hl is CD7A (in RAM, not SRAM! which soon contains things like the last mart items @cf7b) when de is DA80 so the game copies content beginning from CD7A, nice.

However, in the process there is a buffer overflow, and data around that area (CD7A, maybe actually starting somewhere else) is corrupted based on the last contents of the box. So you can start on a valid box with your own Pokémon, and use that to affect the result once you modify D5A0 to the invalid box. By setting a breakpoint in BGB debugger for a convenient address like D059 (the encounter once the box is closed) or D157 (player name), you can find the source (+1) in hl while the pointer (D059/D157 etc.) is in de.

In these cases, DD60 affects D059 (last character in Trainer name for 5th Pokémon, followed by first character for 6th Pokémon) and DE5E (nickname for 9th Pokémon first character) affects D157. In other words, we can change our name to match the 9th Pokémon (which can be renamed with the Name Rater), including names over 7 characters (however, you can only have a maximum of 10; 11+ will delete the save) and then use the new name to encounter different Pokémon with the old man glitch. Old man glitch is also more efficient in this case. Another idea might be to name yourself a glitch Pokémon with invalid characters, to get Pokémon like Mew (0x15 character). You can do anything you want RAM write-wise with arbitrary code execution and connection copier already, so this is another means.

Additionally, Pokémon 18's Speed EV lower byte (DCDF) affects CFD8! Maybe with enough manipulation you can catch anything you want with this (and not restricted to IDs 1-199), unless the Pokémon's experience group freezes the game (only applies to a few glitch Pokémon in Yellow where I haven't tested porting the glitch to yet).

Another idea might be to simply directly change the Pokémon in your party. DE6B (nickname for 10th Pokémon 3rd character) seems to touch D164, however the name input characters are usually $80+, making some Pokémon inaccessible. However, somehow I was able to have a past Level 100 Mewtwo in my party and because the terminators were broken, I could keep depositing the top Mewtwo which filled over 7 boxes. So this is also a cartridge mass cloning glitch as an alternative to the Virtual Console Poké Transporter one.

Another use of this glitch is withdrawing the Pokémon in the glitch storage boxes (but you have to be careful to avoid freezes). So if the Pokémon were taken from RAM, maybe with enough luck there might be a glitch to convert an item quantity into a PC Pokémon or similar?

Edit: So the pointers that get corrupted can vary by the invalid box you choose. There are some quite interesting ones in Red, from my notes:

10 get "trainer" glitch mon in day care
15 write to cd38 based on db3a(?)
1a f622 (interesting, event flags) also 1e
1b dc43 mew from afe2? [3:b1a4]
27 fa7a
28 c050
29 ffcc (pokemon 1 speed ev lower byte must be 00 daae so fff9 not set disabling controls)
2b cdd6
2d 8012 (vram corruption; break some sprites)
2e disables buttons
32 cd3e freeze
34 7e14 touches vram 8000+
35 cd13 freeze
3c cdb7
3f another wtw enabling can open start but cursor broke
42 e551 - tile corruption bgmap2?
4b cd05
52 cd1b freeze
55 cdbb
5d cb8f semi freeze
68 facd
69 d5a1 [find map warp address source]
6a 7fe7 touches vram
6d cc2b
71 cd0a
73 d422
74 cd7a
79 cd08
7b f622
7c afe2/??
7f c122

I did a few extra tests for those indices and the box data was again sourced as the data to write to the pointer (i.e. like in 15). Maybe all of them take the box data and write it to the pointer. The ones above D3/F3 like f622 are interesting, and other than through glitch meta map scripts/other glitch map related things you don't see corruption of event flags very often. Of note is also 29 (ffcc), which writes to the HRAM. If FFF9 is 00, the buttons won't be disabled, but other than text boxes all bringing up the Pokémon Center text there were only a few graphical glitches.
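The lookup the post describes, as an added model that is not the game's code and not part of the original post: the box number at D5A0 selects an entry from a 12-entry pointer table, and the game copies the current-box buffer at DA80 back through whatever pointer that entry holds, so an index past the table reads adjacent bytes as a pointer. The table location, box size, SRAM layout and box contents below are constructed assumptions; only D5A0, DA80 and the CD7A result for box 14 come from the post.

```python
# Constructed model (not the game's own code) of the unchecked lookup the post
# describes: the box number at D5A0 picks a pointer from a table and the game
# copies between that pointer and the current-box buffer at DA80.
BOX_INDEX_ADDR = 0xD5A0   # current box number (address from the post)
BOX_BUF_ADDR = 0xDA80     # current box buffer (address from the post)
NUM_BOXES = 12            # legitimate boxes
BOX_SIZE = 0x20           # constructed; real boxes are much larger
TABLE_ADDR = 0xC000       # constructed location of the model's pointer table
SRAM_BASE = 0xA000        # constructed base of the model's valid boxes

def build_memory() -> bytearray:
    """64 KiB address space with a 12-entry little-endian pointer table."""
    mem = bytearray(0x10000)
    for i in range(NUM_BOXES):
        ptr = SRAM_BASE + i * BOX_SIZE
        mem[TABLE_ADDR + 2 * i] = ptr & 0xFF
        mem[TABLE_ADDR + 2 * i + 1] = ptr >> 8
    # Bytes past the table get read as "entry 13"; here they form CD7A,
    # the RAM pointer the post reports for box 14.
    mem[TABLE_ADDR + 2 * 13] = 0x7A
    mem[TABLE_ADDR + 2 * 13 + 1] = 0xCD
    return mem

def box_pointer(mem: bytearray, checked: bool) -> int:
    idx = mem[BOX_INDEX_ADDR] & 0x7F  # bit 7 ignored: 0x0D and 0x8D both give 13
    if checked and idx >= NUM_BOXES:
        raise ValueError(f"box index {idx} out of range")  # the missing check
    return mem[TABLE_ADDR + 2 * idx] | (mem[TABLE_ADDR + 2 * idx + 1] << 8)

def save_box(mem: bytearray, checked: bool = False) -> int:
    """Write DA80 back through the pointer: with a bad index this is the
    write into RAM that the post observes."""
    dst = box_pointer(mem, checked)
    mem[dst:dst + BOX_SIZE] = mem[BOX_BUF_ADDR:BOX_BUF_ADDR + BOX_SIZE]
    return dst

def demo() -> tuple:
    mem = build_memory()
    mem[BOX_INDEX_ADDR] = 0x8D  # "box 14" as in the post
    marker = bytes(range(1, BOX_SIZE + 1))  # constructed box contents
    mem[BOX_BUF_ADDR:BOX_BUF_ADDR + BOX_SIZE] = marker
    dst = save_box(mem)  # unchecked path writes the box into RAM at CD7A
    corrupted = bytes(mem[0xCD7A:0xCD7A + BOX_SIZE]) == marker
    try:
        save_box(mem, checked=True)
        rejected = False
    except ValueError:
        rejected = True
    return dst, corrupted, rejected
```

`demo()` returns the pointer the unchecked path used, whether the constructed box contents landed at CD7A, and whether the bounds-checked path refused the same index.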