Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: rortik
Date: 2015-08-11 00:16:22
As shown in this video (https://www.youtube.com/watch?v=ddSHGg4-qSY), you can "permanently" edit ingame maps.

However there are a few questions I had about the topic.

The main one would be: What if I tried this in Yellow? Can ws m do the same thing? I assume that if it did, the executed code would have to be different, but is it at least possible?

Other minor questions are:
What if you hacked a grass tile into a city?
What if you hacked a warp to a nonexistent map, then hacked that map to have an actual tileset? Could you make new cities entirely?

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: kaikun97
Date: 2015-08-11 06:16:09
No idea if wsm can do it, possibly hacking new maps in is possible if you can find free space in RAM to do it. Hacking in a grass tile won't do anything as a) it has to be part of the tileset and b) have wild pokemon data assigned to the map. Try it in a map editor and see.

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Krys3000
Date: 2015-08-12 13:23:26
I know that grass area Pokémon are not overwritten in Red and Blue when you enter a city. That's basically the reason why Old Man Trick works, as by talking to the Old Man, your name changes to "Old Man", and your real name is stored in the provisory empty grass Pokémon slot; but, because shore tiles work as grass tiles, and grass Pokémon data are not overwritten, surfing onto them in Cinnabar allows you to get Pokémon from your name.

This would mean if you implement grass in a city, I guess you would encounter the Pokémon from the last area containing grass tiles you visited.

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Spoink
Date: 2015-08-14 13:09:13
I don't see why not?

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Torchickens
Date: 2015-08-21 17:40:04

The main one would be: What if I tried this in Yellow? Can ws m do the same thing? I assume that if it did, the executed code would have to be different, but is it at least possible?


Yes. Provided that we can find a Yellow invalid map script ID that executes code from a reasonable place in writable memory. This would take some research.

My source code can be found here. http://pastebin.com/UarVudWr

About extra changes that need to be done for Yellow:

At DCD2 (will differ for maps of different sizes) - "map script's code": The CopyData routine from Pokémon Red and Blue also exists in Pokémon Yellow at 00B5, so the call 00B5 does not have to be changed for Yellow programs that use CopyData. The parameter in bc 00CE is your map size. The parameter in hl DC04 is the beginning of the block data (the map you want) you write with arbitrary code with 8F/ws m - you don't have to change this address.

The parameter in de C6F9 represents a block data address. The program will take the block data you write and write it here and beyond. How it works: C6F9 represents a 4x4 block somewhere, C6FA represents the next 4x4 block to the east and so on in this pattern. For example, setting C6F9 to 00 with memory viewer adds part of a building here (top-left corner). If we set C6FA to 00, there would be the same block next to it to the east. The parameter does not have to change (unless you want the start of where blocks get changed to be in a different area of the map), because it appears that block addresses are the same in Yellow and not offset by -1.

At DCDF "set up glitch script", the parameter in bc 000D is the size of the code you want to be written to the pointer of (and executed by) the invalid map script. The parameter in hl DCD2 is the start of your glitch map script. The parameter in de DB3E is the execution pointer of Red's Pallet Town's map script $15. Hence, unless there is also a glitch map script that executes code from DB3E in Yellow, DB3E should be replaced with another value for porting this to Yellow.

The parameter 15 in ld a,15 should be replaced with the ID of an invalid map script that exists for the map you want to change in Yellow.

The D5F1 in ld (D5F1),a should be replaced with D5F0 if you want to edit Yellow's Pallet Town. Some of the addresses around the D5F0 area correspond to other maps. For example, D5F4 (D5F3 in Yellow) represents Viridian City's script. Sadly, I don't know if there is documentation of map script addresses.

During the execution, which I made begin at DC01, the game jumps over the data at DC04 (the start of block data to copy that shouldn't be executed as code) into DCDF.

Instead of TheZZAZZGlitch's Red/Blue coordinates data planting items, you can use these items, where the values you write depend on item quantities (I'm afraid I wasn't sure how to port his exactly).

Item 1 and item 2's quantities are important for this program; if in doubt, have item 2's quantity as 01 to begin with.

Item 3 and beyond:

Carbos x220
TM50 x32
TM11 x111
Poké Ball x250
Repel x211
Ice Heal x119
Carbos x211
X Accuracy x32
Full Heal x11
Lemonade x255
Fresh Water x4
TM34 x30
TM11 x201
TM33 x201
ws m x(anything)


ld h,DC          ; Carbos x220: high byte of the target address (DCxx)
ld a,(D320)      ; TM50 x32 + TM11: read item 2's quantity...
ld l,a           ; TM11 x111: ...and use it as the low byte, so hl = DCxx
inc b            ; Poké Ball: filler from the item ID, harmless
ld a,(D31E)      ; Poké Ball x250 + Repel x211: read item 1's quantity (the byte to plant)
dec c            ; Ice Heal: filler
ld (hl),a        ; Ice Heal x119: write that byte to DCxx
ld h,D3          ; Carbos x211
ld l,20          ; X Accuracy x32: hl = D320 (item 2's quantity)
inc (hl)         ; Full Heal: bump it so the next use writes to DCxx+1
dec bc           ; Full Heal x11: filler
ld a,FF          ; Lemonade x255
inc a            ; Fresh Water: FF + 1 wraps to 00
inc b            ; Fresh Water x4: filler
ld (D31E),a      ; TM34 x30 + TM11: reset item 1's quantity to 00 (shown as 256)
ret              ; TM11 x201: return to the game
jp hl            ; TM33: not reached on this path
ret              ; TM33 x201


How it works:

Upon use, this code will plant a byte at DCXX (in stored Pokémon 12's data). XX depends on item 2's quantity, hence if it is 1, a byte will be written to DC01. The value of the byte depends on item 1's quantity.

After a value is written, the item 2 quantity is increased by 1, allowing you to write the next byte (e.g. DC02) and the item 1 quantity is reset to 00 (256), allowing you to choose any value for this by tossing 1-255 of them.

To execute the code at DC01, prepare the items Carbos x220 (from the old code), X Accuracy x1 (you can toss from your existing stack of 32), TM33 x201 (in the old code but unused until now) at item 3. Note that the x220 represents DC. The x1 represents 01. Hence we execute DC01. If you had X Accuracy x223, you would execute data beginning at DCDF (actually now that I think about it, this means I never needed a jump in my code).

Example use to write some data to make talking to Pikachu give you Mew.


Other minor questions are:
What if you hacked a grass tile into a city?

You would encounter no Pokémon, unless your script changes the addresses at D887 (D886 in Yellow) and beyond. D887 is the encounter rate, D888 is the level of encounter 1, D889 is the species of encounter 1, etc.

In the old man glitch, when the demonstration finishes, and when you enter Cinnabar Island, Sea Route 20, the grass encounter rate becomes 00 (it usually always is, unless you hack/glitch the old man battle in a place with encounters where the game would reset the encounter rate and encounters back to what they originally were after the battle). But after Flying away, the game still leaves over grass encounter data from the demonstration based on characters in your name.

The reason why you can encounter grass Pokémon on the strip even when the grass encounter rate is 00 is because the game uses the water encounter rate with the grass Pokémon list.

Apparently (I say this because I don't know a part of the disassembly to confirm it), according to Dabomstew this is because on the 2x2 block that makes up a position you can walk/Surf to, the west part of the block controls the Pokémon you encounter and the east part controls the encounter rate. The "coast" is read as "use grass encounter list" (and with the old man glitch we can have grass encounters in this list we aren't supposed to have). The water is read as "use water encounter rate" (as one would expect).

http://i4.minus.com/ibySVUFUFpaPoc.png (image)

Apparently, this also explains a 'glitch' that does not occur in Pokémon Yellow, where in the Viridian Forest, if you walk on to a grass tile that has a star in it on the bottom right corner you won't get any encounters because, apparently, the right half with a star is classified as neither a grass nor a water tile, so the game does "encounter rate is 0".

In Japanese Pokémon Red, Green, Blue, you encounter no Pokémon on the Cinnabar coast at all. I tried changing the grass encounter rate (D806) to 255 just to see if it would do anything and got no encounters either.

In Spanish and Italian Pokémon Red and Blue, the developers apparently made it so that if you are surfing, you will always get Pokémon from the water list; although, if you are surfing on a grass tile you will still get a grass encounter rate. Furthermore, the old man glitch was "semi-patched" in these versions: surfing on the Cinnabar coast brings up Tentacool even after watching the old man's demonstration; however, the old man glitch can still be performed if you use a walk through walls glitch to walk on the coast.

In these versions, there is an obscure glitch where if you encounter a Trainer then Surf on a non-water tile via the Surf down glitch, you can encounter Pokémon you aren't supposed to if you press up and down but not move away from the tile as to stop Surfing, including 'M (00), Mew (Paco81 did this in Unknown Dungeon) and other Pokémon based on the Trainer.

These Pokémon are taken from the water encounter list, and encountering the Trainer affects it (the water encounter list starts at D8AA+ in Spanish/Italian Red, the data gets changed when the Trainer battle begins and can change again during the battle, but I do not know what determines the exact values).

On maps with grass Pokémon but normally no water Pokémon, the water encounter rate is set to 00; meaning you would have to Surf on something like the grass to get the water Pokémon you aren't supposed to get, and not a water tile.
https://www.youtube.com/watch?v=2jI9LeehZ8E


What if you hacked a warp to a nonexistant map, then hacked that map to have an actual tileset? Could you make new cities entirely?

That's a great idea definitely worth investigating! I would love to visit my own custom map that doesn't affect another location. Maybe you could if there are enough things about a map that depend on RAM and not ROM (and the glitch map's ROM data doesn't make the game freeze). However, I don't know if I have the technical know-how to be able to do that yet.

Yellow's map FE is a non-existing map and its level-script pointer points to DC0E (box Pokémon 12's total experience byte 1) so with experience of 201 (or another applicable value) you can avoid a freeze. But something different about the map forces a warp into map $99 (a house in Fuchsia City), and it also corrupts data (apparently the corruption is caused by the map's (Town Map?) name according to TheZZAZZGlitch). Whether you can avoid the forced warp by manipulating the level-script pointer data or maybe map FE's actual script I'm not sure.

You can visit a non-freezing map FE with the codes 01C90EDC, 01FE64D3 if you enter a building like a Pallet Town house and exit it. If you replace 01FE64D3 with 010064D3 after ending up in the Fuchsia house you can return to Pallet Town, but the aforementioned corruption affects maps scripts and causes many maps to freeze the game even after saving and resetting, and there are other effects too like forced spinning.

Without cheating (without needing arbitrary code too), you can access glitch map FE with an expanded items pack obtained by a glitch like dry underflow by changing the quantity of item 36 to 254 and leaving a building, and (as described above) to make it not freeze the game, stored Pokémon 12 should have an experience such as 201. A video of some of the effects can be found here.

https://www.youtube.com/watch?v=mUQxe0GqPBY

More information about map FE's effects can be found here.
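The byte-planting program and the three-item trampoline described above, as an added example that is not Torchickens' code or anything from the thread: a Python script that assembles the item list into the bytes ws m would execute, lays them out in a simulated Yellow bag, and steps them with a minimal interpreter for only the opcodes the program uses, so the write to DC01, the item 2 increment, the item 1 reset and the final jp hl into DC01 can all be watched. Assumptions not taken from the post: the item IDs come from the standard Gen 1 item table; the bag is assumed to be a count byte at D31C followed by (ID, quantity) pairs, which is what makes D31E and D320 the item 1 and item 2 quantities and puts item 3's ID at D321; items 1 and 2 are placeholder Master Balls; and the planted payload (ld a,15 / ld (D5F0),a / ret, reusing the post's Yellow Pallet Town address) is constructed for the demonstration.

```python
# Added example (not code from the thread). Item IDs: standard Gen 1 table.
# Bag layout (assumed): count at D31C, then ID/quantity pairs from D31D.
ITEM_IDS = {
    "Carbos": 0x26, "TM50": 0xFA, "TM11": 0xD3, "Poké Ball": 0x04,
    "Repel": 0x1E, "Ice Heal": 0x0D, "X Accuracy": 0x2E, "Full Heal": 0x34,
    "Lemonade": 0x3E, "Fresh Water": 0x3C, "TM34": 0xEA, "TM33": 0xE9,
}
# Item 3 onward, as listed in the post (ws m itself is not modelled; we start at item 3).
BOOTSTRAP = [("Carbos", 220), ("TM50", 32), ("TM11", 111), ("Poké Ball", 250),
             ("Repel", 211), ("Ice Heal", 119), ("Carbos", 211), ("X Accuracy", 32),
             ("Full Heal", 11), ("Lemonade", 255), ("Fresh Water", 4), ("TM34", 30),
             ("TM11", 201), ("TM33", 201)]
# The three items the post says run the planted code: ld h,DC / ld l,01 / jp hl ; ret
TRAMPOLINE = [("Carbos", 220), ("X Accuracy", 1), ("TM33", 201)]

NUM_ITEMS, ITEM1_ID, ITEM1_QTY, ITEM2_ID, ITEM2_QTY, ITEM3_ID = (
    0xD31C, 0xD31D, 0xD31E, 0xD31F, 0xD320, 0xD321)

def items_to_bytes(items):
    """Each bag entry is two bytes in RAM: item ID, then quantity (0 displays as 256)."""
    return bytes(b for name, qty in items for b in (ITEM_IDS[name], qty & 0xFF))

def bag_ram(item2_qty, items):
    """Constructed bag: items 1 and 2 are placeholders whose quantities are the
    program's inputs; the program's own bytes start at item 3's ID."""
    ram = {NUM_ITEMS: 2 + len(items), ITEM1_ID: 0x01, ITEM1_QTY: 0,
           ITEM2_ID: 0x01, ITEM2_QTY: item2_qty}
    for offset, byte in enumerate(items_to_bytes(items)):
        ram[ITEM3_ID + offset] = byte
    return ram

def run(ram, pc):
    """Interpret just the SM83 opcodes these programs use. Returns the address of
    the ret that handed control back. Unwritten RAM reads as 0."""
    a = b = c = h = l = 0
    rd = lambda addr: ram.get(addr & 0xFFFF, 0)
    imm16 = lambda p: rd(p) | (rd(p + 1) << 8)
    while True:
        op = rd(pc)
        if op == 0x26: h, pc = rd(pc + 1), pc + 2               # ld h,d8
        elif op == 0x2E: l, pc = rd(pc + 1), pc + 2             # ld l,d8
        elif op == 0x3E: a, pc = rd(pc + 1), pc + 2             # ld a,d8
        elif op == 0xFA: a, pc = rd(imm16(pc + 1)), pc + 3      # ld a,(a16)
        elif op == 0xEA: ram[imm16(pc + 1)] = a; pc += 3        # ld (a16),a
        elif op == 0x6F: l, pc = a, pc + 1                      # ld l,a
        elif op == 0x77: ram[h << 8 | l] = a; pc += 1           # ld (hl),a
        elif op == 0x34:                                        # inc (hl)
            ram[h << 8 | l] = (rd(h << 8 | l) + 1) & 0xFF; pc += 1
        elif op == 0x3C: a, pc = (a + 1) & 0xFF, pc + 1         # inc a
        elif op == 0x04: b, pc = (b + 1) & 0xFF, pc + 1         # inc b  (filler)
        elif op == 0x0D: c, pc = (c - 1) & 0xFF, pc + 1         # dec c  (filler)
        elif op == 0x0B:                                        # dec bc (filler)
            bc = ((b << 8 | c) - 1) & 0xFFFF; b, c, pc = bc >> 8, bc & 0xFF, pc + 1
        elif op == 0xE9: pc = h << 8 | l                        # jp hl
        elif op == 0xC9: return pc                              # ret
        else: raise ValueError(f"unhandled opcode {op:02X} at {pc:04X}")

def plant_bytes(payload, first_slot=0x01):
    """One 'use' per byte: toss item 1 down to the wanted value, run the program,
    and let it move item 2's quantity on to the next DCxx address."""
    ram = bag_ram(first_slot, BOOTSTRAP)
    for value in payload:
        ram[ITEM1_QTY] = value
        run(ram, ITEM3_ID)
    return ram

def planted(ram, length, base=0xDC01):
    return bytes(ram.get(base + i, 0) for i in range(length))

def execute_planted(ram):
    """Swap the trampoline items in at item 3 and run them: jp hl lands at DC01."""
    for offset, byte in enumerate(items_to_bytes(TRAMPOLINE)):
        ram[ITEM3_ID + offset] = byte
    return run(ram, ITEM3_ID)

def demo():
    # Constructed payload: ld a,15 ; ld (D5F0),a ; ret  (D5F0 = Yellow Pallet Town script var)
    payload = bytes([0x3E, 0x15, 0xEA, 0xF0, 0xD5, 0xC9])
    ram = plant_bytes(payload)
    ret_at = execute_planted(ram)
    return planted(ram, len(payload)), ram[ITEM2_QTY], ret_at, ram.get(0xD5F0)

if __name__ == "__main__":
    got, next_slot, ret_at, script = demo()
    print(f"planted {got.hex()} at DC01; next free slot DC{next_slot:02X}; "
          f"payload returned from {ret_at:04X}; D5F0 = {script:02X}")
```

Running it shows the six payload bytes landing at DC01-DC06, item 2's quantity finishing at 07 (the next free slot), item 1's quantity back at 00 after every use, and the trampoline returning from DC06, the ret at the end of the planted code, after it has written 15 to D5F0. Note that the interpreter reads the program out of the same RAM it modifies, which is exactly why `inc (hl)` on D320 changes where the next use writes.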

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Krys3000
Date: 2015-08-23 05:36:56
The reason why you can encounter grass Pokémon on the strip even when the grass encounter rate is 00 is because the game uses the water encounter rate with the grass Pokémon list.

Apparently (I say this because I don't know a part of the disassembly to confirm it), according to Dabomstew this is because on the 2x2 block that makes up a position you can walk/Surf to, the west part of the block controls the Pokémon you encounter and the east part controls the encounter rate. The "coast" is read as "use grass encounter list" (and with the old man glitch we can have grass encounters in this list we aren't supposed to have). The water is read as "use water encounter rate" (as one would expect).

Apparently, this also explains a 'glitch' that does not occur in Pokémon Yellow, where in the Viridian Forest, if you walk on to a grass tile that has a star in it on the bottom right corner you won't get any encounters because, apparently the right half with a star is classified as neither a grass or water tile, so the game does "encounter rate is 0".


Thank you for that explanation. I was looking for the reason why the encounter rate going back to 00 doesn't affect the Old Man Glitch and couldn't find it until then.

About that glitch Paco documented, are we sure it doesn't work on other European versions? I believe Italian, Spanish, French and German games all share the same addresses. I'd make a test in a French version unless you know it won't work.

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Torchickens
Date: 2015-08-24 19:03:33

The reason why you can encounter grass Pokémon on the strip even when the grass encounter rate is 00 is because the game uses the water encounter rate with the grass Pokémon list.

Apparently (I say this because I don't know a part of the disassembly to confirm it), according to Dabomstew this is because on the 2x2 block that makes up a position you can walk/Surf to, the west part of the block controls the Pokémon you encounter and the east part controls the encounter rate. The "coast" is read as "use grass encounter list" (and with the old man glitch we can have grass encounters in this list we aren't supposed to have). The water is read as "use water encounter rate" (as one would expect).

Apparently, this also explains a 'glitch' that does not occur in Pokémon Yellow, where in the Viridian Forest, if you walk on to a grass tile that has a star in it on the bottom right corner you won't get any encounters because, apparently the right half with a star is classified as neither a grass or water tile, so the game does "encounter rate is 0".


Thank you for that explanation. I was looking for the reason why the encounter rate going back to 00 doesn't affect the Old Man Glitch and couldn't find it until then.

About that glitch Paco documented, are we sure it doesn't work on other European versions? I believe Italian, Spanish, French and German games all share the same addresses. I'd make a test in a French version unless you know it won't work.


You're welcome.

I tried it in the French version and got grass encounters. In the German version I wasn't able to get any encounters, as in the English version, but I'm unsure if I was unlucky. It could be that one of or both the German or English versions do give encounters.

The glitch works in the Spanish and Italian versions. In English and Spanish Yellow, as well as Green v1.0, Japanese Blue, Japanese Yellow v1.0 I got grass encounters.

I've noticed that map script memory addresses are in the Pokémon Red disassembly under wram.asm. This should be useful for people who want to change another map to add an arbitrary script (and an arbitrary script can be found by experimenting with different IDs and setting a breakpoint in BGB to 8000-FEFF via debug>access breakpoints, so that BGB will tell you where in memory it's executing code).


W_OAKSLABCURSCRIPT:: ; d5f0
W_PALLETTOWNCURSCRIPT:: ; d5f1
W_BLUESHOUSECURSCRIPT:: ; d5f3
W_VIRIDIANCITYCURSCRIPT:: ; d5f4
W_PEWTERCITYCURSCRIPT:: ; d5f7
W_ROUTE3CURSCRIPT:: ; d5f8
W_ROUTE4CURSCRIPT:: ; d5f9
W_VIRIDIANGYMCURSCRIPT:: ; d5fb
W_PEWTERGYMCURSCRIPT:: ; d5fc
W_CERULEANGYMCURSCRIPT:: ; d5fd
W_VERMILIONGYMCURSCRIPT:: ; d5fe
W_CELADONGYMCURSCRIPT:: ; d5ff
W_ROUTE6CURSCRIPT:: ; d600
W_ROUTE8CURSCRIPT:: ; d601
W_ROUTE24CURSCRIPT:: ; d602
W_ROUTE25CURSCRIPT:: ; d603
W_ROUTE9CURSCRIPT:: ; d604
W_ROUTE10CURSCRIPT:: ; d605
W_MTMOON1CURSCRIPT:: ; d606
W_MTMOON3CURSCRIPT:: ; d607
W_SSANNE8CURSCRIPT:: ; d608
W_SSANNE9CURSCRIPT:: ; d609
W_ROUTE22CURSCRIPT:: ; d60a
W_REDSHOUSE2CURSCRIPT:: ; d60c
W_VIRIDIANMARKETCURSCRIPT:: ; d60d
W_ROUTE22GATECURSCRIPT:: ; d60e
W_CERULEANCITYCURSCRIPT:: ; d60f
W_SSANNE5CURSCRIPT:: ; d617
W_VIRIDIANFORESTCURSCRIPT:: ; d618
W_MUSEUM1FCURSCRIPT:: ; d619
W_ROUTE13CURSCRIPT:: ; d61a
W_ROUTE14CURSCRIPT:: ; d61b
W_ROUTE17CURSCRIPT:: ; d61c
W_ROUTE19CURSCRIPT:: ; d61d
W_ROUTE21CURSCRIPT:: ; d61e
W_SAFARIZONEENTRANCECURSCRIPT:: ; d61f
W_ROCKTUNNEL2CURSCRIPT:: ; d620
W_ROCKTUNNEL1CURSCRIPT:: ; d621
W_ROUTE11CURSCRIPT:: ; d623
W_ROUTE12CURSCRIPT:: ; d624
W_ROUTE15CURSCRIPT:: ; d625
W_ROUTE16CURSCRIPT:: ; d626
W_ROUTE18CURSCRIPT:: ; d627
W_ROUTE20CURSCRIPT:: ; d628
W_SSANNE10CURSCRIPT:: ; d629
W_VERMILIONCITYCURSCRIPT:: ; d62a
W_POKEMONTOWER2CURSCRIPT:: ; d62b
W_POKEMONTOWER3CURSCRIPT:: ; d62c
W_POKEMONTOWER4CURSCRIPT:: ; d62d
W_POKEMONTOWER5CURSCRIPT:: ; d62e
W_POKEMONTOWER6CURSCRIPT:: ; d62f
W_POKEMONTOWER7CURSCRIPT:: ; d630
W_ROCKETHIDEOUT1CURSCRIPT:: ; d631
W_ROCKETHIDEOUT2CURSCRIPT:: ; d632
W_ROCKETHIDEOUT3CURSCRIPT:: ; d633
W_ROCKETHIDEOUT4CURSCRIPT:: ; d634
W_ROUTE6GATECURSCRIPT:: ; d636
W_ROUTE8GATECURSCRIPT:: ; d637
W_CINNABARISLANDCURSCRIPT:: ; d639
W_MANSION1CURSCRIPT:: ; d63a
W_MANSION2CURSCRIPT:: ; d63c
W_MANSION3CURSCRIPT:: ; d63d
W_MANSION4CURSCRIPT:: ; d63e
W_VICTORYROAD2CURSCRIPT:: ; d63f
W_VICTORYROAD3CURSCRIPT:: ; d640
W_FIGHTINGDOJOCURSCRIPT:: ; d642
W_SILPHCO2CURSCRIPT:: ; d643
W_SILPHCO3CURSCRIPT:: ; d644
W_SILPHCO4CURSCRIPT:: ; d645
W_SILPHCO5CURSCRIPT:: ; d646
W_SILPHCO6CURSCRIPT:: ; d647
W_SILPHCO7CURSCRIPT:: ; d648
W_SILPHCO8CURSCRIPT:: ; d649
W_SILPHCO9CURSCRIPT:: ; d64a
W_HALLOFFAMEROOMCURSCRIPT:: ; d64b
W_GARYCURSCRIPT:: ; d64c
W_LORELEICURSCRIPT:: ; d64d
W_BRUNOCURSCRIPT:: ; d64e
W_AGATHACURSCRIPT:: ; d64f
W_UNKNOWNDUNGEON3CURSCRIPT:: ; d650
W_VICTORYROAD1CURSCRIPT:: ; d651
W_LANCECURSCRIPT:: ; d653
W_SILPHCO10CURSCRIPT:: ; d658
W_SILPHCO11CURSCRIPT:: ; d659
W_FUCHSIAGYMCURSCRIPT:: ; d65b
W_SAFFRONGYMCURSCRIPT:: ; d65c
W_CINNABARGYMCURSCRIPT:: ; d65e
W_CELADONGAMECORNERCURSCRIPT:: ; d65f
W_ROUTE16GATECURSCRIPT:: ; d660
W_BILLSHOUSECURSCRIPT:: ; d661
W_ROUTE5GATECURSCRIPT:: ; d662
W_POWERPLANTCURSCRIPT:: ; d663
W_ROUTE7GATECURSCRIPT:: ; d663
W_SSANNE2CURSCRIPT:: ; d665
W_SEAFOAMISLANDS4CURSCRIPT:: ; d666
W_ROUTE23CURSCRIPT:: ; d667
W_SEAFOAMISLANDS5CURSCRIPT:: ; d668
W_ROUTE18GATECURSCRIPT:: ; d669

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Spoink
Date: 2015-08-26 09:50:54
If you have 0 fly locations, the town name data that is written is part of the Pikachu's Beach minigame graphics. This is why hooked metapod appears.

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: Torchickens
Date: 2015-08-29 14:46:26

If you have 0 fly locations, the town name data that is written is part of the Pikachu's Beach minigame graphics. This is why hooked metapod appears.


Do you know where exactly the graphics are stored?

For some reason, when I fly with no locations CD6D (that would display the name for other maps) is always 58 90 00 00 44 44 FF (…) but I cannot find this data in ROM - and when I bring up the fly map successively the data written to $CF4B is not always the same.

Somehow it is possible to make the corruption go further, into your party Pokémon and items. I don't know exactly how, but I closed and opened the menu repeatedly and my party list got replaced with 255 Pokémon, many of which were Tentacool. It reminded me of this video by TheZZAZZGlitch. But I tried doing that again and it did not work.

Re: Using 8F to "permanently" change maps... Does ws m work the same?

Posted by: camper
Date: 2015-08-30 03:46:56

Somehow it is possible to make the corruption go further, into your party Pokémon and items. I don't know exactly how, but I closed and opened the menu repeatedly and my party list got replaced with 255 Pokémon, many of which were Tentacool. It reminded me of this video by TheZZAZZGlitch. But I tried doing that again and it did not work.

Could it be possible that the stack got somehow corrupted since you're supposed to be already in a battle after you first enter the fly menu?