Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of an article from Glitch City Laboratories wiki.

A live version of this article is available at the Glitch City Wiki here.


Text pointer manipulation mart buffer overflow glitch


Text pointer manipulation mart buffer overflow glitch, informally known as Mart Pwner or Lucky Wins Again, is an extension of text pointer manipulation for Pokémon Red, Blue, and Yellow documented by luckytyphlosion.

The player brings up a corrupted Poké Mart, which overwrites RAM from CF7B (Poké Mart total items) onward with data from a specific source.

Unlike corruption techniques from Super Glitch moves, items, and Pokémon names, the source can be controlled by the user: it is taken from the address at the beginning of the Poké Mart list, which is manipulated by adjusting the text pointer table and text pointer.

It may be used to catch many Pokémon for the Pokédex and is the only known non-arbitrary code execution/cheating device method to trigger the unused battle system featuring the text "Hurry, get away!" in Pokémon Yellow.

    This article documents non-speedrunning adaptions of the glitch.

    Catch 'em all glitch (Yellow)

    This is a trick for Pokémon Yellow that can be applied outside of speedrunning to capture any Pokémon you wish outside of battle (by throwing a Master Ball from the items pack), with the species depending on the lower byte of Pokémon 3's max HP. Talking to the lady in Pallet Town brings up the corrupted Poké Mart.

    This trick requires an expanded items pack, which can be obtained with a glitch such as the "dry underflow" glitch.

    Requirements



    1) Pokémon 1 must have a move 1 PP value of 254 (62 PP with all PP Ups applied) - enables glitch mart (possible with a PP underflow glitch).

    2) The PP of Pokémon 6's move 2 must be 01 - makes the game think you're in a battle.

    3) The PP of Pokémon 6's move 4 must be 00 - disables instant encounter (as instant encounter will reset our Pallet Town text pointer table back to normal) to easily capture many Pokémon quickly.

    4) Pokémon 6's level must be 00 - disables automatic item selection as it would prevent you from catching more than two unique Pokémon (one Pokémon, and Ditto).

    5) If you want opening the Poké Mart to disable Ditto (who normally appears if you throw the Master Ball twice), letter 5 of the first Pokémon's Original Trainer name must be 00.

    6) The party must not contain a Pokémon with a catch rate of 255, a Pokémon with FF in its experience bytes, a Pokémon with EVs/DVs containing FF, or a Pokémon with a Trainer ID containing FF; otherwise the mart may not be able to corrupt as far as it is meant to.

    7) Repel x243 must be placed into item 40 (map's text pointer table) (a quantity of 211 might also work).

    8) Item 2 must have a quantity of 135.

    9) Item 3 must be a TM41 (a TM09 might also work).

    Level 0 Pokémon can be obtained without trading using the text pointer item ball manipulation that was documented by MrWint, if you have available item balls in the overworld (see here).

    They can also be obtained via a trade with another game (such as Red and Blue). Note that 'M (00) at level 0 sadly cannot be used for the glitch because it has FF values in its experience, but non-'medium slow' growth Pokémon (basically all Pokémon part of a three-stage evolution as well as Mew, except for Butterfree and Beedrill) can.

    How to use the trick

    1) Go to Pallet Town and place the Repel x243 into item 40.

    2) Make sure that the PP underflow Pokémon is in slot 1, the Pokémon with the max HP of your choice is in slot 3, and the level 0 Pokémon is in slot 6. Talk to the lady in Pallet Town.

    3) Close the mart, then throw a Master Ball to get the Pokémon whose ID equals Pokémon 3's max HP modulo 256.

    4) Save and reset so you can use HP Up and Rare Candy, then talk to the lady again and repeat step 2.

    If you stocked up on many Repel x243 stacks, you can Fly away (the low HP music may continue for some reason) and switch boxes. Flying away will reset item 40 back to what it was, but the extra Repel x243 stack will let you repeat the glitch.

    Multiple stacks can be obtained if you get Repel x255, then toss the item above it to create another stack of Repel x255. From then on, you can toss 12 from the individual stacks.

    Pokémon and glitch Pokémon IDs can be found here.

    Manipulating specific battle systems (Yellow)

    This is a trick for Pokémon Yellow to encounter a Pokémon or Trainer in battle with a specific battle system (depending on Pokémon 6's type 1 and type 2). Talking to the lady in Pallet Town brings up the corrupted Poké Mart.

    Like the "any Pokémon" trick, it requires an expanded items pack, which can be obtained with a glitch such as the "dry underflow" glitch (https://www.youtube.com/watch?v=ZyppANEvnh8).

    Pokémon 1 must have a current HP of 254 for the trick to work. To enable a suitable glitch Poké Mart, a Repel x243 must be placed into item 40 (text pointer table) (a quantity of 211 might also work), item 2 must have a quantity of 108 and item 3 must be a TM41 (a TM09 might also work).

    Additionally, there must be no 'FF' bytes in your party Pokémon data. This means no Pokémon with a catch rate of 255, EVs or DVs containing an FF byte, experience containing an FF byte, or a Trainer ID containing an FF byte.
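The "no FF bytes" rules (requirement 6 of the catch 'em all trick and the paragraph above) are what you would expect if the mart list is copied byte by byte until an FF terminator, with no length check. The C model below is an added example, not code from the game or the original article; the FF terminator, the 16-byte `LIST_CAP` and every function name are assumptions made for illustration. It shows the unchecked copy beside a bounded one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LIST_END 0xFF  /* assumed terminator byte, consistent with requirement 6 */
#define LIST_CAP 16    /* hypothetical size of the buffer the list is meant to fill */

/* Unbounded model: copy src into ram[off..] up to and including LIST_END.
 * ram_len and src_len only keep this model inside its own arrays. */
size_t copy_list_unbounded(uint8_t *ram, size_t ram_len, size_t off,
                           const uint8_t *src, size_t src_len) {
    size_t n = 0;
    while (n < src_len && off + n < ram_len) {
        ram[off + n] = src[n];
        if (src[n++] == LIST_END) break;
    }
    return n;  /* bytes written */
}

/* Hardened form: accept only a list that terminates within LIST_CAP bytes. */
size_t copy_list_bounded(uint8_t *ram, size_t ram_len, size_t off,
                         const uint8_t *src, size_t src_len) {
    size_t limit = src_len < LIST_CAP ? src_len : LIST_CAP;
    const uint8_t *end = memchr(src, LIST_END, limit);
    if (end == NULL) return 0;               /* unterminated: reject, write nothing */
    size_t n = (size_t)(end - src) + 1;
    if (off > ram_len || n > ram_len - off) return 0;
    memcpy(ram + off, src, n);
    return n;
}

/* Bytes that landed beyond the intended buffer. */
size_t overflow_bytes(size_t written) {
    return written > LIST_CAP ? written - LIST_CAP : 0;
}

/* Constructed input: 40 filler bytes with one LIST_END at index ff_at.
 * Returns how many bytes the chosen copy writes into a 64-byte model RAM. */
size_t reach(size_t ff_at, int bounded) {
    uint8_t ram[64] = {0}, src[40];
    memset(src, 0x01, sizeof src);
    if (ff_at < sizeof src) src[ff_at] = LIST_END;
    return bounded ? copy_list_bounded(ram, sizeof ram, 0, src, sizeof src)
                   : copy_list_unbounded(ram, sizeof ram, 0, src, sizeof src);
}
```

In this model, a stray FF early in the source ends the copy before it leaves the buffer, which matches the page's note that FF bytes in party data stop the mart from corrupting as far as intended.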

    The Pokémon ID is based on Pokémon 6's type 1. The battle system ID is based on Pokémon 6's type 2, so for example a Pokémon with Poison (hex:03) as type 2 will bring up the unused "Hurry, get away!" encounter system in Yellow. Pokémon with only one type are internally stored as having the same type for type 1 and 2.

    Pokémon and Trainer ID numbers can be found on The Big HEX List.

    Type index numbers

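    | Index number (dec) | Index number (hex) | Type |
    |---|---|---|
    | 0 | 0 | Normal-type |
    | 1 | 1 | Fighting-type |
    | 2 | 2 | Flying-type |
    | 3 | 3 | Poison-type |
    | 4 | 4 | Rock-type |
    | 5 | 5 | Ground-type |
    | 6 | 6 | Bird-type (only used by 4h (hex D6) and Red/Blue Missingno.) |
    | 7 | 7 | Bug-type |
    | 8 | 8 | Ghost-type |
    | 20 | 14 | Fire-type |
    | 21 | 15 | Water-type |
    | 22 | 16 | Grass-type |
    | 23 | 17 | Electric-type |
    | 24 | 18 | Psychic-type |
    | 25 | 19 | Ice-type |
    | 26 | 1A | Dragon-type |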


    Battle systems index numbers

    | Index number (dec) | Index number (hex) | Battle system |
    |---|---|---|
    | 0 | 0 | Normal |
    | 1 | 1 | Old man battle |
    | 2 | 2 | Safari Zone battle |
    | 3 | 3 | Hurry, get away! |
    | 4 | 4 | Professor Oak (entering Pallet Town's tall grass with no Pokémon) battle. |
    | 5+ | 5+ | Glitch battle systems where you don't initially send out a Pokémon and cannot fight, and item 1 is automatically selected if you choose to use an item. |


    YouTube videos

  • General use:

  • In luckytyphlosion's TAS:

    YouTube video by PLASMA GER


  • Thread on the Glitch City Laboratories forums.
