Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Derivatives of 5 in Red/Green - Page 2

Re: Derivatives of 5 in Red/Green

Posted by: TheZZAZZGlitch
Date: 2013-04-20 06:15:45
For all you guys wanting to do that in English versions, I've got some good news. Red/Blue's item '8F' (hex 5D) jumps to address $D163 (Number of Pokemon), exactly like 5!

Here's also a list of jump locations for all glitch items in Red/Blue:

Item $00:  ExecutionPointer=01D1

Item $54:  ExecutionPointer=57FA
Item $55:  ExecutionPointer=A7D0
Item $56:  ExecutionPointer=81CA
Item $57:  ExecutionPointer=3D65
Item $58:  ExecutionPointer=8BC2
Item $59:  ExecutionPointer=FA65
Item $5A:  ExecutionPointer=D05A
Item $5B:  ExecutionPointer=283D
Item $5C:  ExecutionPointer=FA0F
Item $5D:  ExecutionPointer=D163 [!!!]
Item $5E:  ExecutionPointer=06FE
Item $5F:  ExecutionPointer=0820
Item $60:  ExecutionPointer=80FA
Item $61:  ExecutionPointer=FEDA
Item $62:  ExecutionPointer=CA14
Item $63:  ExecutionPointer=65B1
Item $64:  ExecutionPointer=EAAF
Item $65:  ExecutionPointer=D11C
Item $66:  ExecutionPointer=5AFA
Item $67:  ExecutionPointer=FED0
Item $68:  ExecutionPointer=2002
Item $69:  ExecutionPointer=2104
Item $6A:  ExecutionPointer=DA47
Item $6B:  ExecutionPointer=CD35 
Item $6C:  ExecutionPointer=3DED
Item $6D:  ExecutionPointer=433E
Item $6E:  ExecutionPointer=1EEA
Item $6F:  ExecutionPointer=CDD1
Item $70:  ExecutionPointer=3725
Item $71:  ExecutionPointer=E821
Item $72:  ExecutionPointer=CD65
Item $73:  ExecutionPointer=3C49
Item $74:  ExecutionPointer=3A21
Item $75:  ExecutionPointer=0658
Item $76:  ExecutionPointer=CD0F 
Item $77:  ExecutionPointer=35D6
Item $78:  ExecutionPointer=1006
Item $79:  ExecutionPointer=01CA
Item $7A:  ExecutionPointer=FA58
Item $7B:  ExecutionPointer=D05A
Item $7C:  ExecutionPointer=203D
Item $7D:  ExecutionPointer=210F
Item $7E:  ExecutionPointer=D887
Item $7F:  ExecutionPointer=5811
Item $80:  ExecutionPointer=01D1

*Items with IDs >0x80 omitted, because they are either TMs, HMs or normal items with glitch names.
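An added example, not part of the original post: it parses the list format above and sorts each jump target by Game Boy memory region, which shows why $D163 stands out (it lies in work RAM, so what gets executed there is game state rather than ROM code). The region table is the standard Game Boy address map, the function names are hypothetical, and only eight entries from the list are embedded.

```python
import re

# Game Boy CPU address map: (first, last, region, contents can change at run time)
REGIONS = [
    (0x0000, 0x3FFF, "ROM bank 0", False),
    (0x4000, 0x7FFF, "switchable ROM bank", False),
    (0x8000, 0x9FFF, "VRAM", True),
    (0xA000, 0xBFFF, "cartridge RAM", True),
    (0xC000, 0xDFFF, "WRAM", True),
    (0xE000, 0xFDFF, "echo of WRAM", True),
    (0xFE00, 0xFE9F, "OAM", True),
    (0xFEA0, 0xFEFF, "unusable", False),
    (0xFF00, 0xFFFF, "I/O registers and HRAM", True),
]
ENTRY = re.compile(r"Item \$([0-9A-F]{2}):\s+ExecutionPointer=([0-9A-F]{4})")

# Eight entries copied verbatim from the list in the post above.
SAMPLE = """\
Item $00:  ExecutionPointer=01D1
Item $54:  ExecutionPointer=57FA
Item $55:  ExecutionPointer=A7D0
Item $56:  ExecutionPointer=81CA
Item $59:  ExecutionPointer=FA65
Item $5D:  ExecutionPointer=D163 [!!!]
Item $61:  ExecutionPointer=FEDA
Item $65:  ExecutionPointer=D11C
"""

def parse(text):
    """Return {item_id: pointer} for every list entry found in text."""
    return {int(i, 16): int(p, 16) for i, p in ENTRY.findall(text)}

def region(addr):
    """Map a 16-bit address to (region name, mutable flag)."""
    for first, last, name, mutable in REGIONS:
        if first <= addr <= last:
            return name, mutable
    raise ValueError(f"not a 16-bit address: {addr:#x}")

def mutable_targets(table):
    """Items whose pointer leads outside ROM, into memory that changes at run time."""
    return {i: (p, region(p)[0]) for i, p in sorted(table.items()) if region(p)[1]}

if __name__ == "__main__":
    for item, (ptr, name) in mutable_targets(parse(SAMPLE)).items():
        print(f"item ${item:02X} -> ${ptr:04X} ({name})")
```
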

Re: Derivatives of 5 in Red/Green

Posted by: Torchickens
Date: 2013-04-20 06:36:35

For all you guys wanting to do that in English versions, I've got some good news. Red/Blue's item '8F' (hex 5D) jumps to address $D163 (Number of Pokemon), exactly like 5!


Wow! Is that so? Thanks so much for your research, TheZZAZZGlitch. Somebody could probably use 8F to obsolete this run.

Re: Derivatives of 5 in Red/Green

Posted by: camper
Date: 2013-04-20 09:48:07
Still impossible. We don't know how to obtain 8F in the English version yet, and the dokokashira door glitch is not available outside the Japanese version (which means we have to get Cut and the Cascade Badge anyways).

Re: Derivatives of 5 in Red/Green

Posted by: Torchickens
Date: 2013-04-20 14:17:01

Still impossible. We don't know how to obtain 8F in the English version yet, and the dokokashira door glitch is not available outside the Japanese version (which means we have to get Cut and the Cascade Badge anyways).


It's not impossible to get 8F, though I'm not sure how a full run would map out. I think I got carried away there.

You can obtain 8F with a glitch that corrupts the number of items in the bag, such as the save corruption glitch. If you swap the 3rd Pokémon with the 36th (thx VaeporSage), the 'PA: Your SAFARI GAME is over!' message will appear and you'll be warped to the Safari Zone gate, allowing you to bypass Professor Oak's "Hey! Wait! Don't go out!" message.

From there you can swap the 2nd Pokémon with the 10th to corrupt the items, then toss D365 (the quantity of item 36), which should be 00 (so you can access maps 1-255) to warp where you want.

If you get Eevee and withdraw it from the PC, the number of Pokémon changes from FFh to 66h. You can then keep depositing Pokémon until you get 6.

It turns out you can't manipulate the y-coordinate to get 8F in Red/Blue, because the y-coordinate byte, D361, corresponds to the quantity of item 34, not an item, so you have to use something else, like D359, the player ID byte 1, which relies on really good luck, unfortunately.

Even if you used luck manipulation, I think a problem lies in getting a manageable number of items. The required items other than 8F are available if you warp. Max Revive is obtainable in the Pokémon Mansion, TM10 is available from Rocket Hideout B3F, TM01 is obtainable in Celadon Department Store and TM50 is available from the Game Corner (though for 7700 Coins).

Re: Derivatives of 5 in Red/Green

Posted by: TheZZAZZGlitch
Date: 2013-04-20 15:24:49
Getting 8F isn't a problem even without luck manipulation. Corrupting the Pokemon number with Super Glitch and swapping the 2nd Pokemon with the 10th will successfully explode the item pack.
Then, one should be able to do the looping map glitch (doing the walk through walls glitch and walking in certain corners so the maps loop indefinitely: http://www.youtube.com/watch?v=Glxx94hpZAM), get the X coordinate right, take the 8F item and fly away.

I will try my best at making all this work in English versions. I will post a video and make a separate thread when I'm done.

Re: Derivatives of 5 in Red/Green

Posted by: Torchickens
Date: 2013-04-20 15:37:42

Getting 8F isn't a problem even without luck manipulation. Corrupting the Pokemon number with Super Glitch and swapping the 2nd Pokemon with the 10th will successfully explode the item pack.
Then, one should be able to do the looping map glitch (doing the walk through walls glitch and walking in certain corners so the maps loop indefinitely: http://www.youtube.com/watch?v=Glxx94hpZAM), get the Y coordinate right, take the 8F item and fly away.

I will try my best at making all this work in English versions. I will post a video and make a separate thread when I'm done.


When I checked, D361 corresponded to the quantity of item 34, not an identifier. I tried getting y to 5Dh on Cycling Road but couldn't spot an 8F item.

[img]http://i.minus.com/jbudU3TMUPidKh.png[/img]

Re: Derivatives of 5 in Red/Green

Posted by: TheZZAZZGlitch
Date: 2013-04-20 15:59:38
Typo, meant the X coordinate :P

Re: Derivatives of 5 in Red/Green

Posted by: Torchickens
Date: 2013-04-20 16:10:01

Typo, meant the X coordinate :P


Ah, OK sorry.

By the way, I've noticed if you have 255 items, you can pick up an item or buy another at the PokéMart to reset your number of items to 0. This should probably be done so you can pick up the required items other than 8F.


I will try my best at making all this work in English versions. I will post a video and make a separate thread when I'm done.


I appreciate this, good luck.

Re: Derivatives of 5 in Red/Green

Posted by: camper
Date: 2013-04-21 00:42:37

Then, one should be able to do the looping map glitch (doing the walk through walls glitch and walking in certain corners so the maps loop indefinitely: http://www.youtube.com/watch?v=Glxx94hpZAM), get the X coordinate right, take the 8F item and fly away.

Going to the Sea Route 20 Glitch City is a faster and easier replacement of this.

Which position should be used for the Super Glitch so it's done without side effects?

Re: Derivatives of 5 in Red/Green

Posted by: Torchickens
Date: 2013-04-21 05:15:17


Then, one should be able to do the looping map glitch (doing the walk through walls glitch and walking in certain corners so the maps loop indefinitely: http://www.youtube.com/watch?v=Glxx94hpZAM), get the X coordinate right, take the 8F item and fly away.

Going to the Sea Route 20 Glitch City is a faster and easier replacement of this.

Which position should be used for the Super Glitch so it's done without side effects?


He probably means this:

[img]http://smartfeel.net/images/spot2.png[/img]

Access to Celadon City.
- A Pokemon meeting very specific moveset requirements:
  a) It needs to have a Super Glitch as a 4th move,
  b) Its three moves besides the Super Glitch have to contain 28 characters in total
    (for example: BODY SLAM [9 chars], DOUBLESLAP [10 chars], WATER GUN [9 chars])
- At least 5 Pokemon in your party, a party of 6 is recommended.

Re: Derivatives of 5 in Red/Green

Posted by: camper
Date: 2013-04-21 05:39:06



Then, one should be able to do the looping map glitch (doing the walk through walls glitch and walking in certain corners so the maps loop indefinitely: http://www.youtube.com/watch?v=Glxx94hpZAM), get the X coordinate right, take the 8F item and fly away.

Going to the Sea Route 20 Glitch City is a faster and easier replacement of this.

Which position should be used for the Super Glitch so it's done without side effects?


He probably means this:

[img]http://smartfeel.net/images/spot2.png[/img]

Access to Celadon City.
- A Pokemon meeting very specific moveset requirements:
  a) It needs to have a Super Glitch as a 4th move,
  b) Its three moves besides the Super Glitch have to contain 28 characters in total
    (for example: BODY SLAM [9 chars], DOUBLESLAP [10 chars], WATER GUN [9 chars])
- At least 5 Pokemon in your party, a party of 6 is recommended.



Note: The first 4 Pokemon in your party will change their species, but it isn't a problem as you're probably not going to save after this glitch anyways.

Careful about this though. You won't want to change your starter's species.