Glitch City RAM manipulation (Cut abuse)

From Glitch City Wiki
PRAMA Initiative also has a page on Glitch City RAM manipulation (Cut abuse).

Glitch City RAM manipulation is a glitch that allows the player to edit RAM by cutting trees in a specific Glitch City, named RAM City. This allows the player to change a value in RAM from a specific set to another specific value.

Uses

Using this glitch, the player is able to edit arbitrary bytes in RAM. However, there are restrictions:

  • Only a few fixed values can be changed.
  • Each of these values changes to another fixed value.
  • Not every byte can be changed this way.

General pattern

The glitch is essentially three steps:

  1. Accessing the RAM City
  2. Finding the correct place
  3. Cutting the tree.

The only true requirement is the ability to CUT. The current methods of accessing the Glitch City require the player to access Fuchsia City, but a method requiring only Pewter City may be developed.

Accessing the Glitch City

TheZZAZZGlitch's method

This method is simple to perform, and only requires the player to have enough money to access the Safari Zone and the ability to SURF. Its downsides are that the player has fewer options when it comes to choosing their RAM address, and also has to have beaten Koga and found the Secret House.

  1. The player must perform the Safari Zone exit glitch, being called by the PA on Sea Route 20 (the place the player is when being recalled does not matter).
  2. Upon exiting the Safari Zone gate, the player should be standing in the Sea Route 20 Glitch City.
  3. The player should step south once, then go left until they are two steps above a cave. Going any further left will trap the player in a glitched area.
  4. The player should be stuck. If so, press Up to face north.
  5. Then, open the START menu. If done correctly, the map should be flooded with water.
  6. The player should SURF, then move right.
  7. The player will be in the RAM City, at coordinates ($6C ; $63).

Krys3000's method

This method offers a wide range of manipulable addresses, but it requires the player to perform Walk through walls.

  1. Perform any method of Walk through walls.
  2. The player should stand here:
  3. The RAM City can be accessed by walking left until the player is standing on water; the player will be at coordinates ($DC ; $63).

Reaching the correct place

Each method places the player at different coordinates. Any pair of coordinates corresponds to a 2x2 tile block, which corresponds to a byte in RAM. Here is the formula:

Target address = $C721 + $38 * (floor(Vpos / 2) + 2) + (floor(Hpos / 2) + 2)

Note that the same address is targeted by moving 1 step up or 38 steps left!

Coordinates are given like so: (Vpos ; Hpos).

To get the optimal coordinates of address A, do the following:

  1. Subtract $C721 from A; call that B.
  2. Divide B by $38, rounding down; call that C.
  3. Multiply C by $38; call that D.
  4. Subtract D from B; call that E.
  5. Your destination coordinates are (C*2 ; E*2)!

Actually, these aren't the optimal coordinates... you can sometimes save some walking left by going one less time up. Oh well.
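The formula above and its inverse, as an added Python example (not code from the wiki). It inverts the formula as written, so the +2 block offsets are subtracted back out, and it lists every block that maps to the same address so the closest one can be picked. The one-byte coordinate limit and the obstacle-free step count are assumptions of this sketch.

```python
BASE = 0xC721     # base address from the page's formula
STRIDE = 0x38     # address step per row of 2x2 blocks, from the page's formula
COORD_MAX = 0xFF  # assumption: each coordinate fits in one byte

def target_address(vpos, hpos):
    """RAM byte displayed as the 2x2 block under (Vpos ; Hpos)."""
    return BASE + STRIDE * (vpos // 2 + 2) + (hpos // 2 + 2)

def candidates(address):
    """Every even (Vpos ; Hpos) pair whose block maps to `address`."""
    offset = address - BASE
    found = []
    for row in range(2, offset // STRIDE + 1):
        col = offset - STRIDE * row
        vpos, hpos = (row - 2) * 2, (col - 2) * 2
        # One row up is the same address as $38 blocks further right,
        # so several (row, col) pairs can name the same byte.
        if col >= 2 and vpos <= COORD_MAX and hpos <= COORD_MAX:
            found.append((vpos, hpos))
    return found

def nearest(address, start):
    """Candidate with the fewest steps from `start`, ignoring obstacles."""
    options = candidates(address)
    if not options:
        raise ValueError(f"${address:04X} is not shown by any block")
    return min(options,
               key=lambda c: abs(c[0] - start[0]) + abs(c[1] - start[1]))

if __name__ == "__main__":
    zzazz_start = (0x6C, 0x63)  # arrival point of TheZZAZZGlitch's method
    here = target_address(*zzazz_start)
    print(f"block under the arrival point: ${here:04X}")
    for vpos, hpos in candidates(here):
        print(f"  same byte at (${vpos:02X} ; ${hpos:02X})")
    print("nearest:", nearest(here, zzazz_start))
```
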

Here is a relative map of data in the Glitch City (each square is a 2x2 tile block):

Combination with expanded inventory (alternative method)

Instead of walking to the Glitch City by stepping out of bounds, the player can directly spawn the correct Glitch City with the quantity of item 33 and the identifier of item 34 in the expanded inventory. See Valid source map Glitch City#Through manual editing of D35F-D360 for more information.

Cutting the tree

The player should find a cuttable tree at one of the following coordinates: (C*2 ; E*2), (C*2+1 ; E*2), (C*2 ; E*2+1) and (C*2+1 ; E*2+1). Cutting it will change the byte in RAM, and that's it!

Side note: the player may find, instead of a cuttable tree, a patch of wild encounter grass. Did you know this grass can be CUT in Gen 1? Now you do.

Possible values

Obviously, we need the value of the byte we want to change to spawn a cuttable tree. Good news: there are a few values that do just that.

Here is a conversion table for hex value <-> 2x2 tile block, called the TileBlockDex:

You can see that a few blocks have CUTtable trees on them; they are summarized in the tables below.

Hexadecimal conversion table:

Value...        0B   32   33   34   35   60
will become...  0A   6D   6C   6F   4C   6E

Refer to The Big HEX List for corresponding Pokémon, Items and Attacks.

Decimal conversion table:

Value...        11   50   51   52   53   96
will become...  10   109  108  111  76   110

Additionally, there are three more conversions.


Hexadecimal conversion table:

Value...        3C   3F   3D
will become...  35   35   36


Decimal conversion table:

Value...        60   63   61
will become...  53   53   54

These last three conversions are used for Celadon Gym, which uses a different tileset. However, it is possible to change the block regardless of the tileset by manipulating CFC6 (CFC5 in Yellow), the tile in front of the player, to be the grass/tree tile (0x52 or 0x50). This would be possible with screen data saving and printing glitch items, or arbitrary code execution, but is not with the former two combined due to 0x52 and 0x50 being control characters. As 0x35 also becomes 0x4C, two conversions can be achieved in succession with the CFC6/5 exploit (using block 0x3C or 0x3F first, ending with block 0x4C as a result of the consecutive conversions).

Any other block can be converted into block 0x0E with the Card Key glitch (Japanese versions only).

Applications

WARNING: here, a $ prefixed to a number means hex:(that number). So $99 is not 99 dollars, it is hex:99.

Earning money

This is the simplest thing to do, and yet there is a quirk. Money isn't stored the same way most other numbers are: it is stored as binary-coded decimal (BCD), where each hexadecimal digit corresponds to a decimal digit. Basically, $63 <=> 63 ($3F), $99 <=> 99.

To say it another way: an amount of $999999 corresponds to one million minus one.

Let's say you have 123456 money; the game stores this internally as $123456, that is, the three following bytes: $12, then $34, then $56. You can "cut" the $34 to turn it into a $6F. You now have $126F56 money internally. How much is that?

Strangely, emulators (at least VBA) and console seem to exhibit different behavior: VBA considers this as 126956 money (that's still a nice gain), but consoles consider this as 127556 money (1 * 100000 + 2 * 10000 + 6 * 1000 + 15 * 100 + 5 * 10 + 6 * 1), which should be the correct behavior. See this topic for more.
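The money arithmetic above, as an added Python example (not code from the wiki or the game). It packs an amount into three BCD bytes, applies the conversions from the first table in "Possible values" to each byte that qualifies, and decodes the result by nibble weight as described for consoles; the function names are made up for this sketch.

```python
# Cut conversions from the page's first table (block value before -> after).
CUT = {0x0B: 0x0A, 0x32: 0x6D, 0x33: 0x6C, 0x34: 0x6F, 0x35: 0x4C, 0x60: 0x6E}

def to_bcd(amount):
    """Pack 0..999999 into the three BCD bytes used for money."""
    if not 0 <= amount <= 999999:
        raise ValueError("money must fit in six decimal digits")
    digits = f"{amount:06d}"
    return bytes(int(digits[i]) * 16 + int(digits[i + 1]) for i in (0, 2, 4))

def decode_weighted(data):
    """Weight every nibble by its power of ten without validating digits.

    This is the console result the page describes ($126F56 -> 127556).
    """
    value = 0
    for byte in data:
        value = value * 100 + (byte >> 4) * 10 + (byte & 0x0F)
    return value

def cut_outcomes(amount):
    """For each cuttable money byte: (byte index, new bytes, decoded value)."""
    raw = to_bcd(amount)
    outcomes = []
    for index, byte in enumerate(raw):
        if byte in CUT:  # only these values show a tree or grass block
            after = raw[:index] + bytes([CUT[byte]]) + raw[index + 1:]
            outcomes.append((index, after, decode_weighted(after)))
    return outcomes

if __name__ == "__main__":
    # Constructed sample amounts; 500000 has no cuttable byte.
    for amount in (123456, 333333, 600000, 500000):
        rows = [(i, b.hex(), v) for i, b, v in cut_outcomes(amount)]
        print(amount, rows)
```
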

Capturing Pokémon

This one is more intricate, as you don't directly see the values you're going to manipulate.

See, Pokédex flags are grouped by 8 and stored as bytes. Thus, you can "trade" some flags for others.

Example: have Ivysaur and Venusaur captured, but not Bulbasaur, Charmander, Charmeleon, Charizard, Squirtle and Wartortle. This way, the first byte in the Pokédex will be $60. Cut the corresponding map block, and it will turn into a $6E, which means you will have "captured" Ivysaur, Venusaur, Charizard, Squirtle and Wartortle, but not Bulbasaur, Charmander and Charmeleon.

The method to get a conversion pattern is simple if you know a bit of the RAM map and Pokédex order. It won't be described here.

Manipulating items

Accessing the pack: 34 left (36 in Pokémon Yellow), 115 steps up. Accessing the item PC: 60 left (62 in Yellow), 95 steps up.

When at this position, you will be facing a tile block that corresponds to the number of slots you can access in the corresponding item list.

The block to its right corresponds to the ID of the first item in that list, then there is the quantity, then the second item's ID then its quantity, and so forth.

Item mutations

This is not as interesting as you might imagine: items with ID 6C, 6D, 6E and 6F are glitch items for which no use has been found yet (even though one of them executes code depending on tile data).

You can also turn a Revive into an Old Rod (side note: you can have multiple Old Rods in one stack this way, which won't work well with the PC), or Antidotes into Moon Stones.

Item duplications

Cutting a tree corresponding to a quantity will change it according to the above tables; however, item underflow cannot be achieved this way. You can still turn your 50 X Accuracies into 109, then sell 59 of them, and repeat.

Pack / PC length manipulation

There are two applications: one usually useless, and one that was groundbreaking when it was found out.

The useless one:
If you have exactly 11 items in your pack / PC, you will find some CUTtable grass. Cut it and the last item in your inventory / PC will disappear.

The useful one:
If you have exactly 50 items in your PC (you filled it), you will find a tree. Cut it... and you will be allowed to access 109 slots in your item PC, which is a partial expanded item pack. You can then retrieve a stack of 255 items (Casino Chips are good for this) to perform a full expanded pack with your inventory.

Beware: depositing items is very likely to corrupt some game data.

To fix the number of items in the PC, you can either retrieve 59 items from your PC (difficult) or use Arbitrary code execution (longer but 100% safe).

Manipulating Pokémon

Ready for genetics? Prof Oak will be mind-blown.

You can change about everything in a Pokémon's structure. Boy is it useful! But you'll have to walk.

Changing species

This is more complicated than it seems, because you're going to create an unstable hybrid Pokémon, with the original Pokémon as the donor, and the new Pokémon as the recipient. (Read the article if you don't understand these terms, as well as a method to fully obtain the desired Pokémon)

To change the species of your 5th party Pokémon, go 90 steps left (92 in Yellow) and 123 up. Refer to The Big HEX List to find out which Pokémon can be converted into which. (Example: Lickitung into Exeggutor)

Changing attacks

Now it's time to reconfigure your beloved Pokémon's brains. Yup.

(Note: that may actually be between 14 and 16 steps. Testing required.) To access the region representing your Pokémon's attacks, do 8 steps right.

Example of modification: turn Flamethrower into Solarbeam! Gives a Fire Pokémon a good defense against Water-type Pokémon.

Changing EXP

Go 66 steps left (68 in Yellow) and 123 steps up to reach the first byte of your 5th Pokémon's EXP. The bytes are stored in big-endian order ($01, $00, $00 equates to $10000 = 65536 EXP).

Right of EXP are EVs, followed by IVs, in this order: HP EV, ATK EV, DEF EV, SPD EV, SPE EV, ATK/DEF IV, and SPD/SPE IV. If you cannot edit them, at least you can visualize them, using the TileBlockDex.

If you modify IVs or EVs, the stats won't be recalculated; you must either deposit the Pokémon in the PC for the stats to be recalculated, or level up.

Changing stats

Due to the way out of bounds works in this game, it is not possible to change your 5th Pokémon's stats.

But it is possible to change your 6th Pokémon's stats!

Simply go 36 steps left and 121 steps up, and you'll have reached the Max HP stat. All stats are 2 bytes (2 blocks) wide, stored in big-endian order, and they are stored in the following order: Max HP, ATK, DEF, SPD, SPE.

Note that you don't affect your IVs nor your EVs this way, so having the game recalculate the Pokémon's stats (see end of previous section) will have your changes reverted.

Note that it is perfectly fine to switch Pokémon while in the Glitch City; but the screen won't be refreshed, so you will have to either open the START menu (temporary) or move away, then back (permanent).

Another use is changing a Pokémon's level to above Level 100; for example, changing a Level 51 Pokémon into a Level 108 Pokémon. Using Rare Candies, this is one of the ways of accessing the over Level 100 moves on glitch Pokémon's learnpools in the GlitchDex for Levels 109-255 and 0 (256).

External links

YouTube video by TheZZAZZGlitch

YouTube video by ChickasaurusGL