Agatha's badge describer glitch
More research is needed for this article.
| |
|
Reason given: Setting it up without arbitrary code execution or arbitrary RAM modification, more general information |
Agatha's badge describer glitch is an effect caused by glitch meta-map script 0x7F or 0xFF for Agatha's Elite Four room (D64F) in Pokémon Red and Blue. It simulates the Cerulean City badge describer and is a means of accessing glitch badge describer options outside of the Japanese versions, where it is possible with the Special menu Select glitch instead.
Setup
The aim is to write 0x7F or 0xFF to D64F then enter Agatha's Elite Four room. The player doesn't have to fight the Elite Four members before her, and can use a Rival's effect item (such as 
(0x94) to pass through the closed doors. Unfortunately, D64F is outside of the range of expanded PC items. Two options are arbitrary code execution or arbitrary RAM modification (e.g. text move abuse) and another is potentially the expanded Pokémon Storage System by depositing Pokémon 216 (main data from F64D onward).
To obtain 215 Pokémon in the current PC box without arbitrary code execution or arbitrary RAM modification, ideas might be using an invalid box from the box breaker glitch or 9F (0x94) stack corruption, but there could be side effects when depositing or withdrawing those Pokémon.
Details
When the player enters Agatha's room with the script set to 0x7F, Red's sprite won't move or be visible on the screen. Sometimes an invisible menu will appear straight away, otherwise the player must press A a few times to bring it up. The invisible menu may only be visible on an emulator's VRAM viewer for region 9C00 of the BG map, although the font is glitched and the 'badge' names are illegible. Attempting to exit with B will briefly flash Red's sprite (making it visible on the screen again for a short moment) and bring up an invisible "Come visit me any time you wish." text box, but the menu will still be active.
'Default' list
If the player entered Agatha's map directly after a save and reset, the menu itself will be sourced from 1:4E00. Otherwise, the value of CF8B will effectively be added on to 1:4E00. This can be manipulated by opening the item menu before entering the map to get the 1:4E1D list.
In the 1:4E00 list, there are some lag items making navigation difficult. There are many possible effects based on the badges chosen.
There are 95 'badges' on the list as such: (Badge pointers for items 0x80-0xFF are assumed to be that of the item -0x80)
| Position on menu | Badge | ID (HEX) | ID (DEC) | Text pointer |
|---|---|---|---|---|
| 1 | SoulBadge | 19 | 25 | 1D:4EAA |
| 2 | ## ## ## A# ?## | 7E | 126 | 1D:47DB |
| 3 | Item Finder | 47 | 71 | CDD1 |
| 4 | Awakening | 0E | 14 | DE21 |
| 5 | Master Ball | 1 | 1 | 303E |
| 6 | TM05 | CD | 205 | EA03 |
| 7 | X Accuracy | 2E | 46 | 1750 |
| 8 | Lemonade | 3E | 62 | C712 |
| 9 | Card Key | 30 | 48 | 1D:5026 |
| 10 | Potion | 14 | 20 | 3E3E |
| 11 | TM40 | F0 | 240 | 03FE |
| 12 | TM19 | DB | 219 | 0E08 |
| 13 | TM34 | EA | 234 | B6CB |
| 14 | Good Rod | 4D | 77 | EA03 |
| 15 | TM04 | CC | 204 | 3ECC |
| 16 | Lemonade | 3E | 62 | C712 |
| 17 | Max Potion | 11 | 17 | 030E |
| 18 | TM05 | CD | 205 | EA03 |
| 19 | #il# | 6D | 109 | 204F |
| 20 | Lemonade | 3E | 62 | C712 |
| 21 | Lemonade | 3E | 62 | C712 |
| 22 | Master Ball | 1 | 1 | 303E |
| 23 | TM34 | EA | 234 | B6CB |
| 24 | Fresh Water | 3C | 60 | C6F4 |
| 25 | TM04 | CC | 204 | 3ECC |
| 26 | Thunderstone | 21 | 33 | 1D:5026 |
| 27 | Carbos | 26 | 38 | 1D:5026 |
| 28 | Super Rod | 4E | 78 | CC29 |
| 29 | RainbowBadge | 18 | 24 | 1D:4EA5 |
| 30 | Great Ball | 3 | 3 | 0E3C |
| 31 | Thunderstone | 21 | 33 | 1D:5026 |
| 32 | ???? (Unusable) | 2C | 44 | C717 |
| 33 | Super Rod | 4E | 78 | CC29 |
| 34 | TM05 | CD | 205 | EA03 |
| 35 | Poké Flute | 49 | 73 | EAAF |
| 36 | Fresh Water | 3C | 60 | C6F4 |
| 37 | TM01 | C9 | 201 | EAAF |
| 38 | ThunderBadge | 17 | 23 | 1D:4EA0 |
| 39 | SoulBadge | 19 | 25 | 1D:4EAA |
| 40 | X Attack | 41 | 65 | 0307 |
| 41 | Fire Stone | 20 | 32 | 1D:51F2 |
| 42 | Antidote | 0B | 11 | D821 |
| 43 | Ether | 50 | 80 | 28EA |
| 44 | ThunderBadge | 17 | 23 | 1D:4EA0 |
| 45 | Helix Fossil | 2A | 42 | 1D:5388 |
| 46 | X Attack | 41 | 65 | 0307 |
| 47 | Fire Stone | 20 | 32 | 1D:51F2 |
| 48 | Ether | 50 | 80 | 28EA |
| 49 | TM50 | FA | 250 | C34F |
| 50 | #j. | 0 | 0 | 2ECD |
| 51 | # | C2 | 194 | 9921 |
| 52 | #S#'tS MS4# h####L | A7 | 167 | 2A17 |
| 53 | Rare Candy | 28 | 40 | 2653 |
| 54 | Moon Stone | 0A | 10 | F120 |
| 55 | TM54 | FE | 254 | 1D:47DB |
| 56 | Cancel | FF | 255 | ? |
| 57 | Rare Candy | 28 | 40 | 2653 |
| 58 | Paralyz Heal | 0F | 15 | 11FF |
| 59 | Soda Pop | 3D | 61 | 200 |
| 60 | TM34 | EA | 234 | B6CB |
| 61 | #j. | 0 | 0 | 2ECD |
| 62 | # | C2 | 194 | 1D:4FC3 |
| 63 | RainbowBadge | 18 | 24 | 1D:4EA5 |
| 64 | Pokédex | 9 | 9 | 05C1 |
| 65 | TM50 | FA | 250 | C34F |
| 66 | 7F | 5C | 92 | CD0C |
| 67 | HM01 | C4 | 196 | 3C49 |
| 68 | TM24 | E0 | 224 | C406 |
| 69 | #—##2pゥ | 93 | 147 | 6DCD |
| 70 | TM54 | FE | 254 | 1D:47DB |
| 71 | 11F | 60 | 96 | C406 |
| 72 | Super Repel | 38 | 56 | 100 |
| 73 | Bicycle | 6 | 6 | 3EC5 |
| 74 | Lemonade | 3E | 62 | C712 |
| 75 | Cancel | FF | 255 | ? |
| 76 | TM34 | EA | 234 | B6CB |
| 77 | Ultra Ball | 2 | 2 | 062C |
| 78 | ##4S #v é##: ## ## | C1 | 193 | O307 |
| 79 | TM01 | C9 | 201 | EAAF |
| 80 | TM05 | CD | 205 | EA03 |
| 81 | #QGnS#I | 70 | 112 | 03FE |
| 82 | Old Rod | 4C | 76 | 3ECC |
| 83 | Carbos | 26 | 38 | 1D:5026 |
| 84 | ##4S #v é##: ## ## | C1 | 193 | 0307 |
| 85 | TM50 | FA | 250 | C34F |
| 86 | HM02 | C5 | 197 | 133E |
| 87 | TM07 | CF | 207 | 033E |
| 88 | #S#'tS MS4# h####L | A7 | 167 | 2A17 |
| 89 | Fire Stone | 20 | 32 | 1D:51F2 |
| 90 | Revive | 35 | 53 | FF08 |
| 91 | TM50 | FA | 250 | C34F |
| 92 | Rare Candy | 28 | 40 | 2653 |
| 93 | TM13 | D5 | 213 | 25EA |
| 94 | TM03 | CB | 203 | 2AEA |
| 95 | 2F | 57 | 87 | D730 |
Arbitrary code execution
By having the cursor on the Awakening (option 4), choosing it will load text box DE21, which is the sixth character of the third Pokémon in the current box of the Pokémon Storage System. This could potentially be manipulated to be 08 followed by desired code to execute for arbitrary code execution, but 08 cannot be input as a name, so assuming no arbitrary code execution is used prior, the player may have to manipulate glitch Pokémon in the box with specific glitch names.
The Moon Stone (option 54) might be another option if F120 (wNumRunAttempts, D120) can be manipulated to 08 and the player has a setup past D121+(?)
Other options with text sources in different RAM addresses can be used, but methods to safely change them without arbitrary code execution are unclear.
