Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-05 09:49:50
Hey there. So, Retro Game Mechanics Explained has stated that it is possible to hack in more glitch pokemon through Arbitrary Code Execution, as shown here: https://youtu.be/o_2btnBl9PM?t=569

As noted by the glitch hybrids, a pokemon's base stats, types, catch rate, initial moveset, and sprites are determined by dex number, and I have pointed out in the comments that a pokemon's color palette is determined by its dex number as well. The thing is, information on this topic is VERY limited before and after RGM uploaded the video, and I haven't seen anyone bring the subject up on Glitch City Laboratories. That being said, I think this would be an interesting project. That being said, here are the dex numbers that ARE taken up by glitch pokemon:

Red/Blue Dex Numbers Used


Yellow Dex Numbers Used


By the looks of things, Pokemon Red/Blue had 14 unique dex numbers taken by glitch pokemon while Pokemon Yellow had 15. Glitch pokemon take up dex numbers 0, 205, 234, 245, 250, 254, and 255 in all three games. BF, C1, and D8 are the only glitch pokemon that keep their dex numbers in Red, Blue, and Yellow.

There is only one Dex Number glitch pokemon with its details listed out, and that was Dex Number #152 R/B (It was very evident that RGM used Pokemon Red/Blue for his video). These are all its details.



Red/Blue Dex #152

Color: Unknown
Type: Normal
Catch Rate: 5
EXP Yield: 0

HP: 128
Attack: 12
Defense: 0
Speed: 128
Special: 11

Initial Moves: Clamp, Scratch



But yeah, there's that. Would this be an interesting new realm of glitch pokemon to explore?

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Torchickens
Date: 2020-06-07 12:48:08
Yes. :) Note it's not exactly new, but it's definitely worth researching more and thanks for your thread.

Crystal_ also did something like it in 2013 before that video was made. https://www.youtube.com/watch?v=oPiPOkbs50s I made an article here in 2017 but it's only a stub. https://glitchcity.info/wiki/Artificial_glitch_Pok%C3%A9mon_family

You can find them with Game Genie:

https://glitchcity.info/wiki/Pok%C3%A9mon_Red_and_Blue_Game_Genie_codes

EN Red/Blue:

Change Pidgey's Pokédex number:

XX0-47A-A2A

Change Rattata's Pokédex number:

XX0-C8A-A26

EN Yellow:

Pidgey
XX0-D4A-A2A

Rattata
XX1-55A-A26

Note the index number would also affect the bank of the pointers (4000-7FFF) as such, meaning doing this with Rhydon results in a different sprite to doing it with Rattata, etc.

https://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_base_stats_data_structure_in_Generation_I#Sprites

As for colours that's true, I made an article here https://glitchcity.info/wiki/Glitch_color_layer mentioning the 'palette attribute data' (based on a Skeetendo thread) and started videoing them at some point, but I'm unsure if anyone has compiled all the GBC, SGB colours before. The Skeetendo thread link is here https://hax.iimarckus.org/topic/109/


0x725c8, one byte per Pokémon, Pokédex order. Valid palettes can be any of the overworld route palettes or Pokémon palettes, so palette 0x02 is Viridian City, 0x16 is Bulbasaur/Ivysaur/Venusaur, etc.


The dex numbers (also called families) differ between languages, with Japanese Blue having a No. 152 glitch Pokémon. https://glitchcity.info/wiki/GlitchDexJP/B:204

The Pokédex number is what affects the item modifications too; so the ACE only ones could affect your item pack in unique ways. https://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9dex_flags

For seeing a glitch Pokémon with a Pokédex number that isn't assigned to any index number without a cheating device, perhaps you could lock a memory address with OAM DMA arbitrary code execution or execute a loading routine but in the middle of it with different registers loaded? (like the artificial glitch Trainers? https://glitchcity.info/wiki/Artificial_Trainer_class )

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Torchickens
Date: 2020-06-10 16:45:20
I've added a new FamilyDex with your information and some more details. It needs some more research like what colour 0xBF (if I got it right) is, and a screenshot of its back sprite and possible non-freezing front sprites if you lock the sound banks with 0108EFC0 and 0108F0C0. https://glitchcity.info/wiki/FamilyDex/RB:152

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-12 11:16:58
Weirdly, when using the Pidgey dex number code for Mew (970-47A-A2A), instead of anything pointing to Mew, you get a pokemon with the starting moves: Pay Day, TM37, Clamp, and Thunderpunch. Must be one of the "Unused wrong bank sprites 1-151" families you've mentioned in the newly-created FamilyDex article.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-12 12:33:30
Okay, so RB:152 doesn't seem to like being encountered. As already described in its article, it would crash the game if encountered normally, and would bring up a glitched trainer battle if brought up after locking the sound banks with the Gameshark codes provided. It would lead to a soft lock that looks like it came straight out of a Creepypasta: https://prnt.sc/synjgb

Turning off the code before the trainer can send a mon out (having it send out Pidgey instead: https://i.imgur.com/wQJIRvr.png ) allows the battle to commence… But selecting any option causes a game crash.

Oddly enough, having Pidgeys in my party makes some bits of research easier, plus I was able to get RB:152's color palette (Well, NORMAL color palette; thing apparently has two; one through the glitch trainer battle and one normal one) with a trick.

It's rather simple, have the code turned off and walk in the grass until you get into a battle. Once you do, if you see a Pidgey, go right into your cheat list and turn on the code, then watch the scene play out. It provided me with a pitch-black Pidgey: https://i.imgur.com/d0FCqHW.png

To verify that the trick works, I used a different code that gives Pidgey Mewtwo's dex number and used the same trick and got a Pidgey with Mewtwo's color palette. The trick only works with color palettes; I got a Gust to the face when trying to check if movesets changed.

As for its backsprite, here's what it looks like: https://i.imgur.com/y1d4Ppp.png

Mind the black line at the bottom; that's part of the UI. I don't know anything about TM/HM flags, though.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Torchickens
Date: 2020-06-12 14:13:39
Thanks for your research Flashlight! ^^ I'll add your backsprite to the wiki. I'm currently grinding Yellow encounters, there are a lot of glitch battles/corrupted battle modes.

Weirdly, when using the Pidgey dex number code for Mew (970-47A-A2A), instead of anything pointing to Mew, you get a pokemon with the starting moves: Pay Day, TM37, Clamp, and Thunderpunch. Must be one of the "Unused wrong bank sprites 1-151" families you've mentioned in the newly-created FamilyDex article.


Good point. Actually now that you mention it, I've read the real Mew's base stats are located elsewhere in Red/Blue, but are at the expected place in Yellow. This may be why using its Pokédex number on the iimarckus.org link equation ( https://hax.iimarckus.org/files/missingno_explained.html ) seems to form a new glitch Pokémon. It's interesting because that breaks the 'two Pokémon with the same number have the same base stats and starting moves' rule.

In Yellow however, it may be different; using 151 gives you a Psychic-type Pokémon with Pound as its starting move, but may have a broken sprite; so I suppose that 151 fits more in the wrong bank sprite category, while Red/Blue's no Mew 151 is more like 152 and the rest.

Also of note I think because (non-starting) learnsets/evolutions are taken from the index number not the Dex number, the Pokémon may still have some of the original Pokémon's moves (this is in addition to the cry which is [normally unless glitch battle or bad sound bank] unchanged too). I haven't tried evolutions though, so unsure if they work.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-16 09:03:34

Also of note I think because (non-starting) learnsets/evolutions are taken from the index number not the Dex number, the Pokémon may still have some of the original Pokémon's moves (this is in addition to the cry which is [normally unless glitch battle or bad sound bank] unchanged too). I haven't tried evolutions though, so unsure if they work.


Testing evolutions is probably the single biggest chore, as the only way to feasibly evolve a Glitch Family pokemon was to level it up through rare candies. I learned that the hard way after constant instances of RB:156s leveling down to Level 1. I tested a rare candy on a Level 17 RB:156 and upon reaching Level 18, while its evolution process started with a purple glitch overlay, it evolved into a Pidgeotto, effectively proving that evolutions are affected by ID number regardless of a pokemon's dex number.

Given the three Onix hybrids (RB C9, DA, and FB) have the same family yet different learnsets and evolution chains, it would come to no surprise that learnsets and evolutions would've been dictated by ID number.

I went into this topic again and noticed that there are two personal roadblocks.

1. I have no idea how to access addresses 0x0383DE and further (pokedex data, which is required for data analysis). As far as I can tell, VBA can only read 0x00000000 to 0x0000FFFF (Zero-Page RAM).
2. I have no idea how to convert TM/HM flags into a proper TM/HM set, which neither the Bulbapedia article nor the Missingno explanation page really clarified.

Furthermore, I've noticed that RB:153 is rather unstable. If it has been caught before and had its dex entry registered, catching it again seems to cause a soft lock. Viewing its stats freezes the game even with the sound lock on. Strangely, RB:153's backsprite also freezes the game; only unlike the stats screen, this can be worked around through the sound lock. I managed to put both its front and back sprites together in one battle: https://prnt.sc/t0rnc6

Its palette is, once again, pitch black. While I'm not exactly sure how to view a pokemon's palette attribute data, meaning I don't know if it's still 0xBF or some other empty palette, I do have a hypothesis that palettes beyond 0x19 are empty, hence the pitch-blackness.

Its typing is Blank/Electric (not sure if fake or not because, again, I'm not sure how to access addresses 0x0383DE and further)

RB:156 is the most stable out of the Glitch families I've encountered, as it seems to work completely fine for the most part. For some odd reason, it had a completely blank starting moveset, and its type is AwAwAwAwA (there's probably one or so more Ws and As that are off-screen)/Normal. Its palette is a solid purple according to my personal Pidgey sprite test: http://prntscr.com/t0skdd

This palette seems to be shared with RB 0xD0 (Pkmn Pkmn T), although I can't exactly compare the two palettes on a ROM level.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-17 06:53:55
So, I went through the GlitchDex in pretty much its entirety to see how families worked in different versions of Pokemon Red and Blue (Red and Green in Japan): https://drive.google.com/file/d/1IoMlQZjQqHfiOZbVo5NtgjUndLmQg5FY/view?usp=sharing

Unfortunately, there are few or no differences in what families the glitch pokemon take up save for 0xCC, 0xDD, and 0xFB. The rest of the IDs have families that are either exactly the same or take up a fairly stable pattern. It goes without saying that glitch pokemon data in every language but English in the GlitchDex didn't get anywhere beyond visual information. As a result, there is no information on how regional differences worked in glitch pokemon.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Torchickens
Date: 2020-06-19 11:38:38
Nice work. Actually I think some users studied the non-English version glitch Pokémon in the past, but the research is scattered around the forum and may be incomplete. There was also a document by danny extensively covering the Japanese glitch Pokémon (excuse the message at the beginning of the document) https://docs.google.com/document/d/1UXh27xFgGqrrxKJx-afoqZ22ROe_X1Ex-oU9KTWxkGM

Answering your questions,

1. 0x0383DE is an offset and 0x0000-0xFFFF is a pointer, which is different. To view an offset you need to open the ROM with a hex editor, such as the freeware HxD, and then go to that offset.
2. In theory you convert each byte into binary (you can do it with Windows Calculator), and then the first bit from lowest to highest is TM01, the second is TM02, and so on. The commented out data is based on that theory as I don't know either, but checking the TM/HMs by hand will confirm if it's right. Photon-Phoenix and Yuzihax converted them in the past but for GSC glitch Pokémon, I think.

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-20 14:58:47

2. In theory you convert each byte into binary (you can do it with Windows Calculator), and then the first bit from lowest to highest is TM01, the second is TM02, and so on. The commented out data is based on that theory as I don't know either, but checking the TM/HMs by hand will confirm if it's right. Photon-Phoenix and Yuzihax converted them in the past but for GSC glitch Pokémon, I think.

I decided to use the method for Bulbasaur. Converting the bits to binary led me to this.

A4: 1010 0100
03: 0000 0011
38: 0011 1000
C0: 1100 0000
03: 0000 0011
08: 0000 1000
06: 0000 0110

The weird thing is reading all the bits the way we're used to (left to right, going downwards) led to a complete mismatch of flags with Bulbasaur's TM and HM list. Instead, you have to read all the bits like you would with a manga: right to left, going downwards. Yes, I seriously mean you have to read it all backwards. Oddly enough, doing it either properly or improperly implies that there was supposed to be an HM06 in Pokemon Red, Blue, and Yellow, but there are only 5 HMs. Really makes you wonder what the HM06 flag was for; maybe it's padding.

Now, let's do the same, but for Pokemon #152:

80: 1000 0000
19: 0001 1001
00: 0000 0000
80: 1000 0000
04: 0000 0100
00: 0000 0000
80: 1000 0000

This was converted into this:

TM08: Body Slam
TM09: Take Down
TM12: Water Gun
TM13: Ice Beam
TM32: Double Team
TM35: Metronome
HM06: ??????????

I added the information in except for HM06 because, for real, what the frick is HM06 and why is it marked with a "1?"

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-20 18:12:26
Looking into it more, I decided to try seeing how different "Fake Mew" is from the real deal. Here's what I gathered.

Dex No: 151 (Fake Mew)

HP: 0
Attack: 128
Defense: 3
Speed: 0
Special: 128

Type: Normal

Catch Rate: 128
EXP Yield: 25

Sprite Dimensions: 12x12 (Jesus!)

Starting Moves:
1. Pay Day
2. TM37
3. Clamp
4. Thunderpunch

Growth Rate: Medium Fast

TM/HM Flags: [80 1F 00 80 0F 20 80]

1000 0000
0001 1111
0000 0000
1000 0000
0000 1111
0010 0000
1000 0000

TMs and HMs:

TM08: Body Slam
TM09: Take Down
TM10: Double Edge
TM11: Bubblebeam
TM12: Water Gun
TM13: Ice Beam
TM32: Double team
TM33: Reflect
TM34: Bide
TM35: Metronome
TM36: SelfDestruct
TM46: Psywave

After that, I'll try the guys I've experimented with most: RB153 and RB156.

Dex No: 153

HP: 21
Attack: 0
Defense: 128
Speed: 30
Special: 238

Type: 0xFF (unlisted in typedex)/Electric

Catch Rate: 0
EXP Yield: 128

Sprite Dimensions: 1x8

Starting Moves:
1. Clamp
2. Sand Attack
3. 0x00 (or is it blank?)
4. Clamp (again)

Growth Rate: 0x16 (whatever the crap that means)

TM/HM Flags: [00 80 1E 02 20 13 00]

0000 0000
1000 0000
0001 1110
0000 0010
0010 0000
0001 0011
0000 0000

TMs and HMs:

TM16: Pay Day
TM18: Counter
TM19: Seismic Toss
TM20: Rage
TM21: Mega Drain
TM26: Earthquake
TM38: Fire Blast
TM41: Softboiled
TM42: Dream Eater
TM45: Thunder Wave (RIP this thing's chances of killing everything with an electric move)

Dex No: 156

HP: 13
Attack: 136
Defense: 32
Speed: 18
Special: 224

Type: 0x40 (Same as Glitch Move A7)/Normal

Catch Rate: 0
EXP Yield: 0

Sprite Dimensions: 0x4

Starting Moves:
1. Glitch Move 0x00 (or blank)
2. Pay Day
3. Sky Attack
4. TM55

Growth Rate: 0x1C (whatever the crap that means, but apparently ridiculously slow)

TM/HM Flags: [20 C0 12 E6 DD 00 00]

0010 0000
1100 0000
0001 0010
1110 0110
1101 1101
0000 0000
0000 0000

TMs and HMs:

TM06: Toxic
TM15: Hyper Beam
TM16: Pay Day
TM18: Counter
TM21: Mega Drain
TM26: Earthquake
TM27: Fissure
TM30: Teleport
TM31: Mimic
TM32: Double Team
TM33: Reflect
TM35: Metronome
TM36: Selfdestruct
TM37: Egg Bomb
TM39: Swift
TM40: Skull Bash

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Torchickens
Date: 2020-06-21 12:19:39
Thanks for this, Flashlight. :)

I think with sprite dimensions, with the exception of 0 (which is read as x256), the game reads dimensions of 8, 9, 10, 11, 12, 13, 14 or 15 as if it was a valid dimension, possibly 7 (56x56 pixels). However, I don't have a more thorough answer to what actually happens when the game encounters a dimension of 8-15.

Type 0xFF (at least in name, but most if not all glitch types [not sure about $09-$13 and $80-$9A though] apparently work the same if I remember from another post here) may be the same as glitch 0x7F (0xFF-0x80). I think the ones from $80-$FF except those used on (used Dex number) glitch Pokémon were omitted for this reason, but maybe we could add the ones from unused Dex numbers in addition to the used ones.

Cool, thanks for confirming re: TM/HM flags :). The reason why you have to read them right to left depends on the converter, as some like Windows Calculator print them in highest bit to lowest bit order (which leads to bit 0x7, bit 0x6 (…) first instead of bit 0x0, bit 0x1 (…) first).

Note there is the possibility HM06 (last byte's eighth bit or hexadecimal 0x7) still may have never been intended. Here a bit is effectively from lowest to highest 2^0 (first bit), 2^1 (second bit) and so on, and modern computers (with Game Boy counting) use eight bits in a byte; 2^8 is 256. This is a convenient way to store the data without using too many bytes (or the data structure could have been like [1st byte] (…) [55th byte] or having too many possible glitch entries if the engine would allow it with that change (though with this said, maybe you can access 'glitch HMs' like HM06+ through other more elaborate means?)).

However, there is an unused field move (the third one internally after Fly and before Surf https://hax.iimarckus.org/topic/684/ ) if you force a Pokémon to have move 0xB4. In the past it's been speculated this linked to unused "Ground rose up somewhere!" text but the text doesn't mention a move in both EN and JP versions. I remember trying the unused field move in Red/Green and it did seemingly nothing, but in the English version it worked like Surf?

The seen/own Pokédex flags also work this way (if I remember there are 19 bytes for seen and 19 bytes for own, and 19*8 is 152); and this goes as far as if that flag is set a Pokémon or glitch Pokémon will appear as No. 152 in the Pokédex, you can scroll to it too (not just through the Pokédex with 0 seen/own glitch or modifying the cursor manually) and it varies based on the language of the game and version.

Edit: Here are the glitch experience group formulas, (the file download GlitchExperienceGroups (1).png.) TheZZAZZGlitch originally made the image after posting how glitch experience groups work. https://sites.google.com/site/torchickens2/glitch-city-laboratories-resources (see also this thread https://forums.glitchcity.info/index.php?topic=6588.0 )
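The TM/HM flag conversion worked through by hand earlier in the thread and the seen/own Pokédex flags mentioned in this reply read the same lowest-bit-first layout, so the following added example (not code from the thread or from any Glitch City project) decodes both with one helper. The flag bytes are the ones quoted in the thread; the 19-byte seen array is a constructed sample, and the decoder assumes the bit-to-TM mapping exactly as the thread describes it.

```python
# Added example, not code from the thread or from any Glitch City project.
# Decodes the seven-byte Generation I TM/HM flag field the thread converts
# by hand: bit 0 of byte 0 is TM01, bit 1 is TM02 and so on across the
# bytes, so bits 0-49 are TM01-TM50, bits 50-54 are HM01-HM05 and bit 55
# (the high bit of the last byte) is the "HM06" slot the thread notices.
# The 19-byte seen/own Pokedex arrays (19 * 8 = 152) use the same layout.

def set_bits(data: bytes):
    """Yield set-bit indices, lowest bit of byte 0 first (bit 0x0, 0x1, ...)."""
    for byte_index, value in enumerate(data):
        for bit in range(8):
            if (value >> bit) & 1:
                yield byte_index * 8 + bit


def decode_tmhm(flags: bytes) -> list:
    """Return the TM/HM labels set in a 7-byte flag field, in flag order."""
    if len(flags) != 7:
        raise ValueError("TM/HM flag field must be exactly 7 bytes")
    labels = []
    for index in set_bits(flags):
        if index < 50:
            labels.append(f"TM{index + 1:02d}")
        else:
            labels.append(f"HM{index - 49:02d}")  # 55 -> the unused "HM06" bit
    return labels


def bit_rows(flags: bytes, lowest_first: bool = True) -> list:
    """Render each byte as eight bits, lowest bit first unless told otherwise.

    lowest_first=False is the highest-bit-first string a calculator shows,
    which is why the thread had to read its rows right to left."""
    rows = []
    for value in flags:
        bits = f"{value:08b}"  # highest bit first, as a calculator prints it
        rows.append(bits[::-1] if lowest_first else bits)
    return rows


def decode_dex_flags(seen_or_own: bytes) -> list:
    """Return the 1-based Pokedex numbers whose seen/own bit is set."""
    if len(seen_or_own) != 19:
        raise ValueError("Seen/own flag arrays are 19 bytes each")
    return [index + 1 for index in set_bits(seen_or_own)]


# Flag bytes copied from the thread (Bulbasaur and Red/Blue Dex No. 152,
# 151 "fake Mew", 153 and 156). SEEN_SAMPLE is a constructed array with
# only the final bit set, which the thread says shows up as No. 152.
BULBASAUR_FLAGS = bytes.fromhex("A4 03 38 C0 03 08 06")
RB152_FLAGS = bytes.fromhex("80 19 00 80 04 00 80")
FAKE_MEW_FLAGS = bytes.fromhex("80 1F 00 80 0F 20 80")
RB153_FLAGS = bytes.fromhex("00 80 1E 02 20 13 00")
RB156_FLAGS = bytes.fromhex("20 C0 12 E6 DD 00 00")
SEEN_SAMPLE = bytes(18) + b"\x80"

if __name__ == "__main__":
    for name, flags in [("Bulbasaur", BULBASAUR_FLAGS), ("RB:152", RB152_FLAGS),
                        ("Fake Mew", FAKE_MEW_FLAGS), ("RB:153", RB153_FLAGS),
                        ("RB:156", RB156_FLAGS)]:
        print(f"{name:10} {' '.join(decode_tmhm(flags))}")
    print("calculator order:", bit_rows(RB152_FLAGS, lowest_first=False))
    print("flag order:      ", bit_rows(RB152_FLAGS))
    print("seen as Pokedex No.", decode_dex_flags(SEEN_SAMPLE))
```

Running it reproduces the TM lists posted for Bulbasaur, No. 152, the fake Mew, 153 and 156, with the HM06 bit surfacing for 152 and the fake Mew exactly as the thread found.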

Re: Pokedex Numbers Obtainable via Arbitrary Code Execution

Posted by: Flashlight237
Date: 2020-06-22 08:52:54
Looking through the list of EXP formulas, I can better understand why the game freezes when trying to view a Family #153 glitch's stat page. It seems the game is trying to divide by zero. Calculators, the most basic computing tool we have, have a built-in function that stops division by zero from happening, always providing us with an error message. Hypothetically, despite Pokemon Red/Blue's complexity, the games don't have a built-in function that stops the game from trying to divide by zero, thus causing the game to freeze from trying to solve that function.

I put Growth Rate 0x1C into a graphing calculator and noticed that the formula was rife with underflows, with the underflows sticking around until Level 94. Imagine having to obtain over a literal billion EXP to get to Level 100. At least that's what the calculator's table had given me.