Glitch City RAM Manipulation and Code Execution (no MissingNo. needed)
Posted by: Krys3000
Date: 2015-09-13 13:06:56
Hey guys. This is something I started following my previous thread in which I discuss and show an example of using Glitch City regions matching with RAM data to perform the Cooltrainer Trick (based on TheZZAZZGlitch's previous discovery of a region matching with the items).
I decided to explore this a little more and to "map" this specific Out-of-Bounds Glitch City by matching it with RAM data. The results are, I think, worth the effort.
More importantly, I decided to work on an English version, since RAM addresses are +5 in other European versions like the French one I normally use.
What is this about?
You can view most, if not all, of the values of the game's RAM addresses by going to a specific glitch city, in the form of 4x4 tile blocks. By doing this, you are literally WALKING on RAM. Basically, having the item whose hex ID is 3C in first position will make the tile block matching the first item in this glitch city appear as the tile block whose hex ID is 3C.
This is a tile block dex; note that some characters are different in English versions, so it might lead to differences in some blocks:
http://prama-initiative.com/RBJ/CTRAM1.png
It was first ISSOtm from our website PRAMA Initiative who developed a way to use the blocks generated by stored items to perform an item-custom Cooltrainer, as shown in the other thread.
Here I will explain how to visualise a lot more RAM data, which you can use to perform the Cooltrainer trick, but also how to change the values directly through Glitch City for other useful or entertaining purposes.
How to access this Glitch City?
Using a glitch to walk through walls (e.g. the ledge method, which is easy and doesn't require anything), you can access this OoB Glitch City by walking, starting from here (south of Fuchsia City):
[img]http://prama-initiative.com/RBJ/rammap.png[/img]
and walking 104 steps left, then 95 steps up. This is the example entry point I use on my grid below:
Matching RAM with blocks
[img]http://prama-initiative.com/RBJ/ram-grid.png[/img]
If you followed the steps above, you will be, as indicated, on a block matching RAM address $D524. The GC is organized in rows of 56 blocks matching 56 addresses; then you go back to block 1 of the following row for the following address. In this grid, I deliberately skip the first three and last three addresses of each row.
You can visualize them, but I don't recommend it, because their behaviour is random; they will turn into something else when you hit Start (e.g. water, even though the value of this address does not match water blocks). This makes them unusable for the Cooltrainer Trick, and also, you will not be able to manipulate their value anyway.
Here, I indicate which block matches which address using information from Data Crystal. As you can see, you can visualise the data of some Pokémon (stats, moves, names etc.), money, items, Pokédex, rival's name and much more. The big white space between the player's ID and stored items is audio and tileset data. I don't know much about how to use them, so I will not talk about this.
I personally never went further than the 5th Pokémon's data, but I assume you can continue to go up to find new data, just as you can go down and reach event flags or stored Pokémon.
If you intend to perform the Cooltrainer trick, since you will need a block containing a tree below the block with the right tile for the Pokémon you want, the best thing is to use Pokémon data (since you can change stats) or stored items (using, for example, items 1 and 29 as I did in the video of the other thread). Of course, you can use "bag" items and generate a tree from Badges data; this is what we did first at PRAMA before ISSOtm found the stored items region.
Manipulating the data
Now what is really awesome here is that we can manipulate this data. This is very limited and certainly is not an in-game memory viewer. But you will be able to get 8F and ws||'lm|| with this, allowing you to execute code without MissingNo. or any form of corruption.
The only way for the player to change a tile block from one to another is for this tile block to have grass or a cuttable tree, and to Cut it. There are 7 tile blocks you can Cut (hex values 0B, 32, 33, 34, 35, 60, D5). This means that if the value of ANY address you can reach is one of those, you can manipulate it.
- 0B is a grass block. Once cut, it turns into block 0A. This lowers a value by 1, meaning that if you wanted a Special stat of 10 but unfortunately got 11, you can fix that.
- 32 is a block containing a cuttable tree in the upper-right corner. Once cut, it becomes block 6D. This is a good way, for example, to turn a stat of 50 into 109.
- 33 has a cuttable tree in the lower-right tile. Once cut, it becomes 6C.
- 34 has one in the upper-left corner and turns into 6F. This is the highest value reachable by GC RAM Manipulation.
- 35 has one in the upper-right corner too, and turns into 4C.
- 60 has one in the lower-left corner and turns into 6E.
- 5D is a glitched block. Cutting the tree won't change the tile, which will still have a tree and a hex value of 5D.
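As an added example (not code from the original post or from PRAMA), here is a small simulator of the cut rule above: each RAM byte is drawn as the block with the same hex ID, only the seven cuttable values can change, and each changes to one fixed replacement. It also covers the two-byte party stats and the PC item count case (50 = hex 32 becomes 109) used in the overflow trick later in the post; the sample RAM dump is constructed, not real save data.

```python
# Added example: simulate "cut a tile block" RAM manipulation in the OoB
# Glitch City. A byte can only change if it is one of the cuttable blocks,
# and every result is itself non-cuttable, so each byte gets at most one cut.

# byte value before cut -> byte value after cut (from the list above)
CUT_TABLE = {
    0x0B: 0x0A,  # grass -> bare block (value - 1)
    0x32: 0x6D,  # tree in upper-right tile   (50 -> 109)
    0x33: 0x6C,  # tree in lower-right tile
    0x34: 0x6F,  # tree in upper-left tile    (highest reachable value, 111)
    0x35: 0x4C,  # second upper-right variant
    0x60: 0x6E,  # tree in lower-left tile
    0x5D: 0x5D,  # glitched block: tree stays, value does not change
}

def cut(value):
    """New byte value after cutting that block, or None if it is not cuttable."""
    return CUT_TABLE.get(value & 0xFF)

def cut_stat(stat, which):
    """Party stats are 16-bit big-endian, so one stat spans two adjacent blocks.
    Cut the 'high' or 'low' block and return the new stat (None if not cuttable)."""
    hi, lo = stat >> 8, stat & 0xFF
    if which == "low":
        new = cut(lo)
        return None if new is None else (hi << 8) | new
    new = cut(hi)
    return None if new is None else (new << 8) | lo

def find_manipulable(ram, base):
    """Scan a RAM dump that starts at address `base`; return {address: (old, new)}
    for every byte the player could actually change by cutting."""
    found = {}
    for offset, value in enumerate(ram):
        new = cut(value)
        if new is not None and new != value:
            found[base + offset] = (value, new)
    return found

# Constructed sample dump (not real game data), pretending it starts at $D524.
SAMPLE_BASE = 0xD524
SAMPLE_RAM = bytes([0x00, 0x32, 0x41, 0x0B, 0x5D, 0x34, 0x7F, 0x60])

if __name__ == "__main__":
    print(f"PC item count 50 after cut: {cut(50)}")  # 109: the PC overflow
    for addr, (old, new) in find_manipulable(SAMPLE_RAM, SAMPLE_BASE).items():
        print(f"${addr:04X}: {old:02X} -> {new:02X}  ({old} -> {new})")
```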
Besides the obvious uses of easily getting more money, more casino chips, or better stats for your Pokémon, this is also important because hex values also match items, moves and Pokémon.
Here is another excel table:
[img]http://prama-initiative.com/RBJ/ram-corres.png[/img]
As you can see, this is useless for player's name manipulation. So bad. About Pokémon, probably the only useful thing here is to change Lickitung into Exeggutor… and if you have the right MissingNo., I guess it's an easy way to get Poliwrath.
Then you can teach Solar Beam to any Fire-type Pokémon that previously knew Flamethrower, which is a powerful attack to use on a Ground- or Rock-type foe.
But it becomes even more fun when you deal with items (besides having a whole lot of Moon Stones), as you can use this to get glitch items without the need for ACE or an expanded item pack! Glitch items 6D and 6E are probably not realistic, because you can't have the prototype PP Plus or the 11F (floor) item in game.
Item 6C reads $3DED (ROM data), so it's probably useless; however, using item 6F executes code from $CDD1, which is inside a tile buffer. This address in particular is a tile from the Start menu when it is open. The code here jumps to $9C60, which is a screen tile. I don't know if this can lead to code execution, but I'll check that some day. It's not the most important part of this glitch.
Triggering a PC overflow and taking advantage of it
Now this is the most recent and maybe the major breakthrough here. You can have a maximum of 50 items inside the PC. 50 is hex 32, so it's a cuttable tile! If you cut the tree in it, it will turn into 6D… which is 109 stored items. You just activated an overflow.
Use the PC overflow to trigger an inventory underflow (and execute code)
The most complete form of using this is also very easy. You will have a lot of x0 items in this overflow. Just toss 1 item from one stack and withdraw the remaining x255. You don't need anything else to perform a regular dry underflow and get an expanded item pack.
Now you can use this to manipulate bytes and also get 8F / ws*l||lm||. Click here to read more about 8F Code Execution.
Use the PC overflow to directly get glitch items such as ws*l||lm||
If you play Yellow, you might wanna do this trick with 63 casino chips. Doing so, once the PC is at 109 items, your 52nd item will be ws*l||lm||, which is the item you need to execute code. You don't even need to underflow your item menu anymore.
I'm working on an R/B adaptation of this, but you can't have 5E chips (the hex value of the item 8F used in R/B code execution). Maybe some addresses after that can be used, but they are indicated as "Missable Object Flags" and I don't know what that means.
Anyway, using the chips, you can get pretty much any item or glitch item whose hex value contains no letters. This includes a lot of "xF" and "x||lm||" items, but I still need to check whether they are documented. Also Surfboard, Master Ball, etc. are easy to get.
Use the PC overflow to directly get the 8F item (or other items you could not get with the casino chips trick)
From item 55 onwards, items match whether you did or did not pick up visible items on Routes (see posts below), with one address/item matching the current status of 8 items (one per bit). Therefore, there is a way to use this to get some items, including the 8F item (hex 5D) for code execution.
If you have picked up:
- Hp Up on Route 2
- TM04 on Route 4
- TM30 on Route 9
- TM16 on Route 12
but haven't picked up:
- Moon Stone on Route 2
- Iron on Route 12
and the Snorlax on Route 12 is still sleeping, then 8F will appear as the 56th item in the PC.
Delete an item
Well, this is more of a side trick, but it can be useful if, for some reason, you wanna get rid of a rare, untossable item, or a glitch item. Just have 11 items (PC or held) with the last one being this item. Then go to the "number of items" spot in Glitch City (the one for the stored items or the bag, according to where you chose to do it) and cut the grass. The item will be deleted as the number of items drops to 10.
Sorry for the long post, I think it comes to an end now (for now). Next step is the dex. Don't hesitate to tell me what you think about all this!