Interesting things you've seen with glitches in games May 2, 2019 15:35:57 GMT -5 nocturnal YL likes this
Post by Evie the Mother Hen ❤✿ on May 2, 2019 15:35:57 GMT -5
Spun-off from a post about Korean Gold and Silver here:\
I like to play with glitches a lot but usually just with (mainly) older Pokémon games Generations I-III (not as good with Generation III though), that I've been researching for a long time, and a branch of the most powerful exploits are called arbitrary code execution (which at first wasn't as widely known about in terms of how you can abuse it in video game glitching but TASVideos, Pokémon glitchers, Super Mario World glitchers etc. popularised), which involve execution of your own programs (more specifically called subroutines, for instance a ROM routine gives you a Pokémon, but custom routines from RAM allows you to have more freedom with what behaviours you want on the game) and sometimes storage of data for these programs.
In Pokémon Red/Green/Blue/Yellow (and Gold/Silver/Crystal but can be harder), you can for instance have specific item list data. Once ACE occurs there, the game will read it not as items but as if they were bytes, and run thehm as if they were bytes (opcodes/operands, together: instructions) for Game Boy's modified Z80 CPU.
In Super Mario World, it was instead a series of game state details about the overworld that would lead to a credits warp after ACE occurs, and like the Pokémon Yellow "Total Control Hack", for TASes that constantly read from the joypad data you can have a lot of freedom on what you want the video/audio data to do, or more efficiently create custom software etc..
Example abused in Super Mario World:
The credits warp:
User-written 'software' for the arbitrary code execution, like:
The act of causing ACE to occur may be referred to as exploiting an "access point", and is done from something problematic in the programming code that leads the game to run modifiable data as code rather than intentionally hardcoded data. Sometimes some hardware state data must be adjusted afterwards (such as the stack pointer), which can be done within an ACE code to avoid a freeze.
In systems like the Game Boy, it exploits a quirk about how the CPU works. The program counter ("PC") is responsible for what line in the code is being executed and ROM regions 0000-3FFF, banked ROM 4000-7FFF are intentionally coded and cannot be changed. With the CPU (involving things like the hardware registers, the language (a simplified Z80), the stack (responsible for what subroutines to execute after finishing it, and after that etc. usually with the "ret" instruction to return back to the higher subroutines), in most circumstances the hardware will loop around ROM routines (with some exceptions like the OAM DMA routine at FF80). However, (C000-DFFF) is regarded as the "WRAM" (yet is part of the global memory map too which (often at least?) can be executed as if it was intended code too with no protection (note: I've seen exceptions like with the Mobile Trainer cartridge which intentionally runs RAM as code maybe for the game to modify it when needed)), and in basic terms stores variables during the game; which unlike ROM can be easily modified including within the game itself. Some of it (e.g. music progression data and random number generation bytes), the ROM will always be changing, in other situations not. For instance in English Pokémon Red and Blue, D31D marks the beginning of your inventory data.
For this reason, with specific inventory items you can make your own codes; often simple RAM changing ones (like simulating a GameShark) for instance to encounter Mew, or get the "GF" OT Mew with ID 22796 etc. (the same one as an event and so is transferable from Pokémon RBY Virtual Console to Pokémon Bank), which is popular for people who want to glitch in the English Pokémon community (and in the Japanese Pokémon community as well, but with different techniques).
A popular method that gets talked about the most for EN RBY is just with the glitch item "8F" (Red/Blue) or the glitch item "ws m" (Yellow), after which easier methods were found but still haven't caught on that much (e.g. general use map script ACE; by changing the map script pointer in the expanded inventory (items beyond slot 20), the same exploit used in some Pokémon Yellow TASes etc. with the "SRAM glitch", which allows you from a cleared save file to proceed to play with a corrupted one with 255 Pokémon to modify memory with, just by resetting the game while saving at a very early specific time (it's actually viable for real-time with practice; usually i.e. for Yellow; resetting the game shortly after the Yes/No box disappears and before the other text box updates see How to beat Pokemon Yellow in 0:00 by Scykoh), or alternative items like 4F and -g m. Also in English Yellow there are Pikachu off-screen glitch arbitrary code execution methods, which you can do with no long-range Trainers (see Trainer escape glitch) or trades (as old man glitch; the repeatable Cinnabar coast exploit for MissingNo. doesn't work in Yellow, and adding to that most Yellow Missingno. have problematic front sprites with a high chance to freeze the game, unless it's the first time you encounter it (or any SRAM corrupting glitch Pokémon sprites; which is by the way, why the game appears to 'save' when ; it directly affects your save data for the Hall of Fame providing you have entries, causing it to corrupt and stay that way even if you reset just after without saving manually) and your save was cleared with Up+Select+B)
However, they do require at first, difficult to get items (like even for a short code; Lemonade x(Pokémon you want); TM34 x 89 (or x88 in Yellow) TM08 x 201 for an instant encounter, although you can modify the code in certain ways to use TM01 instead of a x201 if you like). Recently, you can do a workaround so only quantities count including all quantities (through tossing) being available at the start after you set up the right glitches, without having to farm them (with item 0 x 256 stacks (also called x0); as quantities range from 1-256) but it restricts you to simpler tasks like RAM writing (unless you self-modify the code you run with another RAM write). This is often all you need though.
The glitch items and most item stacks can be farmed reliably though using a series of glitches: such as (but not the only way, there were different harder methods before this), item duplication (e.g. with Missingno.) to get a x129 stack, toss 2 duplicate again to get a x255 stack, a glitch discovered by the speedrunning community based on an older exploit by TAS Community member MrWint to access inventory items beyond slot 20, and how items beyond slot 20 correspond with other memory addresses, such as e.g. for general use; your x-position (which due to how the game works can be extended beyond the connection boundary limit with an item swap, then if you proceed to manually exceed it with the Celadon City map by walking right the map will just loop around for really high x-positions without changing the modified x value); so this can be abused to get almost any item (as each item will correspond with an x value) using the Celadon looping map glitch (of note, in the original Japanese versions the x position was a quantity and the y position an item; meaning for Red/Green/Blue/Yellow a similar exploit is on Cycling Road but you get Glitch Cities instead of looping maps the further you move down; so may need a glitch like the walk through walls Select glitch).
If a programming error leads to the game attempting to execute RAM (known as an access point), that can be used for your advantage. An early example is the discovery of ５かい in Japanese Red/Green (since a long time ago here; I know the archive says 2011 but I think it may have been before that too) running your party Pokémon structure as code, which in the Japanese versions runs D123 (party Pokémon data structure, beginning at the number of party Pokémon), so with specific Pokémon you can redirect the code to a more easily changeable and intricate structure like your inventory items (~D2A2). This much later lead to the discovery of the 8F glitch item doing essentially the same thing in English versions (it runs D163 which is the same structure as Japanese versions at number of party Pokémon), just requiring different Pokémon to get to (usually as has been done) item 3 (D322).
Pokémon arbitrary code execution things:
[TAS] Pokémon Yellow - Arbitrary Code Execution
By far probably the most advanced Pokémon RBY exploit for arbitrary code execution, meaning this would work on an unmodified ROM from scratch if you made it play by a TAS bot, it completely takes over the video and audio data and code flow using constant inputs to the game (impossible for a human without a TAS), as much to give the illusion you switch to playing a ROM hack, Gold/Silver, Tetris, etc. Additionally, the hardware's limits are tested with PCM for portal related text to speech, PCM Spongebob sound clip etc.
Other Pokémon program TASes on TASVideos:
www.youtube.com/watch?v=tNPisyK43Lc : Pijack version for Pi Day
www.youtube.com/watch?v=p5T81yHkHtI : "Total control" arbitrary code execution glitch to play some custom My Little Pony music with custom graphics (basic now compared to MrWint's)
Pokemon Blue: Creating a creepypasta save file with the '8F' item (arbitrary code execution)
"Pokemon Red/Blue Virus 2.0, and the Mew that was hiding under the truck all along.":
Non-emulator required memory editor, memory viewer (originally by offgao):
Enchanced version for executing areas in the code you want by TheZZAZZGlitch (with other changes):
Non-emulator required memory editor, memory viewer and code runner (EN G/S):
By Epsilon, method to set it up by me:
Shrek the Pokémon:
I made my own exploit for Shrek a 'real' Pokémon once, who would actually stay in an unmodified ROM after saving and resetting, because most of the data is in the current stored Pokémon box which is relatively large.
(It was possible to set up with glitches, even though it would take forever. At the time I had CFW on 3DS but just copied the save file over though. I lost the source code but have the Pokémon Yellow Shrek.sav save file, which will add Shrek to a real unmodified ROM, as if it was a ROM hack but isn't at the same time).
He's '100% real' you could say (in terms of sprites anyway, I guess that's not 100% then), and permanent (until I change boxes or significantly modify the save):
However, he only exists because I used arbitrary code execution to hijack the OAM DMA routine (normally run every frame and is sprite related) to instead check whether the Pokémon was Bellsprout and/or maybe 65535 ID (not sure what conditions I used) and then automatically change it's sprite. So this Pokémon is just a Bellsprout named Shrek with glitches to secure he always has a custom sprite (which I wrote in the RAM using glitches to write to the memory byte by byte, and sprite creation tools to convert .PNG into raw bytes). Bellsprout was fitting because it could loosely be associated with onions, and naturally has a good palette for Shrek.
There is also a glitch in the save file (a glitch of this glitch!), where sometimes the sprite doesn't automatically change. The broken overworld sprites was because I still didn't know how to properly fix the normal OAM DMA process.
Another one of my exploits to turn Pallet Town into a simulation of Twinleaf Town without ROM hacking (because town layout can be stored in RAM as tileblocks in the memory, so you just have to copy the bytes you want over from one structure to the tile block structures, change them and make sure this doesn't change again) yet in practice you need to use ACE to write a lot of bytes to RAM as you can't just do this with e.g. one set of inventory items without e.g. using the inventory items as a memory editor for the much large PC Pokémon structure:
More custom Pokémon sprite stuff:
"SRAM hack" on a physical Game Boy Color but because this is save data, you don't need to hack the ROM and can even modify the save data specifically to do it with something like the ws m glitch item.
Tetris in unmodified Pokémon ROM: