Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Arbitrary Code Execution Discussion

Obtain Mew with arbitrary glitch Pokémon evolution

Posted by: Torchickens
Date: 2017-03-17 15:39:49
As Crystal_ documented (thread, video), not every Pokémon's level-up and evolution data is taken from the ROM, and there are exactly four glitch Pokémon each in both Red and Yellow who actually take their evolution data from VRAM (graphics data).

This is the list of applicable glitch Pokémon, copy and pasted from the wiki article I have just written:

http://glitchcity.info/wiki/Arbitrary_learnset_glitch_Pok%C3%A9mon

Red/Blue

Beginning of pointer table=$3B05C

A (0xEA) (VRAM $8124) It learns certain moves when levelled up with Rare Candies but no moves when levelled up in battle.
Glitch (0xEB) (VRAM $992B)
G'Mp (0xF6) (VRAM $852C)
94 h (0xF9) (VRAM $9A20)

Yellow

Beginning of pointer table= $3B1E5

'r (0xEA) (VRAM $8124)
4 h 4 (0xEB) (VRAM $992B)
A (0xF6) (VRAM $852C)
(0xF9) (VRAM $9A20)

According to Okk and echinodermata, level up evolutions are read when there is data in the form "01 [level] [Pokémon ID]".

http://forums.glitchcity.info/index.php?topic=5217.0

In Yellow, after entering a map or saving and resetting, the location of $9A20 may be taken from one of the screen tiles.

Very fortunately, 01 01 15 can be represented by block 09 in Cinnabar Mansion, and when it is at the bottom-left corner of the screen in this spot on 2F you have a chance of evolving (0xF9) into Mew at Level 1 due to the VRAM data representing evolution code to evolve it into Mew. (You must save and reset the game at this spot with your (0xF9))

[img]https://i.imgur.com/fnlBOu4.png[/img]

Sadly for unknown reasons it's only a chance and a rather low chance at that it seems; your (0xF9) may evolve into Q or Nidoran many times but never Mew, until you reset and try again hopefully to get a successful attempt. I don't know why and wonder whether it's to do with VRAM banks.

What's left to do now is test the other locations and whether this works on Red/Blue.

Edit: OK, you should be able to do this with 0xEB too except the data has to be in this green block and I'm not sure how easy that is to do as I couldn't align the 01 tiles and then that tree in the aforementioned map here.

[img]https://i.imgur.com/WJMw3sT.png[/img]

Edit 2: 0xF9 confirmed on Red in addition to Yellow.

Re: Obtain Mew with arbitrary glitch Pokémon evolution

Posted by: ISSOtm
Date: 2017-03-17 20:33:46
The low chance is due to VRAM being read while the LCD is accessing it; the 01 01 15 bytes are (at least partially) read as $FF due to the LCD having priority.
Eventually the read lands on an HBlank period and the evolution succeeds.

Re: Obtain Mew with arbitrary glitch Pokémon evolution

Posted by: Torchickens
Date: 2017-03-17 20:34:44
[quote]The low chance is due to VRAM being read while the LCD is accessing it; the 01 01 15 bytes are (at least partially) read as $FF due to the LCD having priority.
Eventually the read lands on an HBlank period and the evolution succeeds.[/quote]

I see, interesting. :) Thanks for this.

Re: Obtain Mew with arbitrary glitch Pokémon evolution

Posted by: TheZZAZZGlitch
Date: 2017-03-17 20:44:42
The problem here is something called VRAM inaccessibility.

When the LCD is on, VRAM can only be read (and written to) during short, specific periods of time.
The underlying reason for this is that most of the time during a frame, the graphics hardware is busy drawing graphics to the screen, and it doesn't allow anything to modify or access its data while it's working on it. There are only small periods each frame during which the graphics controller takes a break and allows graphics data to be modified.

Being more exact, the time periods are called vBlank (short for 'vertical blanking interval') and hBlank ('horizontal blanking interval'). The first one occurs when the hardware finishes drawing the current frame, but hasn't yet started drawing the next frame. The second one happens if the hardware finishes drawing a single line of pixels on screen and goes to the next line. If graphics are actively displayed on the screen, these are the only periods when VRAM can ever be touched. Otherwise, the VRAM data sits there locked out from access.

Any write on "locked" VRAM won't do anything.
Any read on "locked" VRAM will return 0xFF, regardless of what the address really contains.

We really don't know when the code responsible for checking evolution data is going to run. It might, or might not run during vBlank. Or it might even run partially during an hBlank, and partially after hBlank has ended. It's impossible to predict - it comes down to microsecond-precise timing, which for a human player is essentially random.

So this bit of data:

[tt]10 10 10 10 10 10 08 00 00 00 10 10 10 15 12 1F 12 00 00 00[/tt]

Will usually end up looking something like this when read by the game:

[tt]10 FF FF FF FF FF FF FF 00 00 10 FF FF FF FF FF FF FF 00 00[/tt]

The 0xFF bytes are there because the subroutine tries to read VRAM data outside of vBlank/hBlank, and it ends up just reading 0xFF bytes.

The result of course comes down to timing, so it could be possible for this pattern to be shifted to a different position:

[tt]FF FF FF FF FF 10 08 00 FF FF FF FF FF FF FF 1F 12 00 FF FF[/tt]

I haven't tested this in more detail, but it should be possible to have this pattern shifted in such a way that the Mew evolution data could still be read. It might just take a lot of time.

I think it would be more practical to not bother trying to put the appropriate data into VRAM, and focus on making the VRAM data slide through to SRAM and try to get the appropriate data into SRAM instead (maybe there's a Pokemon that has a "01 01 15" sequence in its decompressed sprite, and if not, we can just corrupt that with 'M/Missingno. until we get it).

Edit: Was too late :(
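The locking behaviour described in this post can be modelled in a few lines. The following is an added example (not code from the thread or from the game): it assumes the standard Game Boy timing of 456 dots per scanline and 154 lines per frame, treats mode 3 (pixel transfer) as the only period in which VRAM reads return $FF, and uses a constructed 01 01 15 entry read one byte every `dots_per_byte` dots. It then counts how many starting positions in a frame let the whole entry through, which is the "comes down to timing" effect above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed DMG timing constants (not from the thread). */
#define DOTS_PER_LINE   456
#define LINES_PER_FRAME 154
#define VISIBLE_LINES   144
#define MODE2_END        80   /* dots 0..79: OAM scan, VRAM readable   */
#define MODE3_END       252   /* dots 80..251: pixel transfer, locked  */

/* Constructed VRAM image: a level-1 -> Mew (0x15) evolution entry. */
static const uint8_t VRAM_SAMPLE[] = {0x01, 0x01, 0x15, 0x00};

/* True if the CPU can read VRAM at this dot of the frame. */
bool vram_accessible(unsigned dot) {
    unsigned line = (dot / DOTS_PER_LINE) % LINES_PER_FRAME;
    unsigned x = dot % DOTS_PER_LINE;
    if (line >= VISIBLE_LINES) return true;   /* mode 1: VBlank */
    if (x < MODE2_END) return true;           /* mode 2        */
    if (x < MODE3_END) return false;          /* mode 3: $FF   */
    return true;                              /* mode 0: HBlank */
}

/* A read of locked VRAM yields 0xFF, whatever the byte really is. */
uint8_t vram_read(const uint8_t *vram, size_t idx, unsigned dot) {
    return vram_accessible(dot) ? vram[idx] : 0xFF;
}

/* Read n consecutive bytes, one every dots_per_byte dots, from `start`. */
void read_run(const uint8_t *vram, size_t n, unsigned start,
              unsigned dots_per_byte, uint8_t *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = vram_read(vram, i, start + (unsigned)i * dots_per_byte);
}

/* Does the evolution routine see the entry as 01 01 15 at this timing? */
bool mew_evolution_visible(unsigned start, unsigned dots_per_byte) {
    uint8_t seen[3];
    read_run(VRAM_SAMPLE, 3, start, dots_per_byte, seen);
    return seen[0] == 0x01 && seen[1] == 0x01 && seen[2] == 0x15;
}

/* Fraction of frame positions at which the whole entry survives. */
double success_fraction(unsigned dots_per_byte) {
    unsigned total = DOTS_PER_LINE * LINES_PER_FRAME, ok = 0;
    for (unsigned d = 0; d < total; d++)
        if (mew_evolution_visible(d, dots_per_byte)) ok++;
    return (double)ok / total;
}
```

The model counts VBlank as readable, as the hardware does; ISSOtm's follow-up notes the game's own code does not run there, so in practice only the mode 0 and mode 2 windows matter.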

Re: Obtain Mew with arbitrary glitch Pokémon evolution

Posted by: ISSOtm
Date: 2017-03-17 21:29:50
I don't have proof of what I'm saying, but this glitch (caused by the game still running the VBlank interrupt during the first three transferred screen rows) suggests that the only code that runs during VBlank is the VBlank interrupt handler. Your explanation is still right, though - only the VBlank case would never happen.