Talk:AreaDex

I did this research to see if loading custom glitch maps with custom tilesets is possible. It seems the answer is yes (and FA FE are arbitrary glitch maps), but you have to do some trickery to avoid glitch music (such as with the Bicycle) for Red at least. I haven't checked Yellow yet. I posted it on the talk page until it can be documented in a better form and for a video.

>

MapHeaderPointers @ 01AE (EN Red/Blue, 3F:41F2 in EN Yellow)

Valid maps and dual glitch-unused maps (are covered here;

https://github.com/pret/pokered/blob/2954013da1f10e11db4ec96f9586b7c01706ae1a/data/maps/map_header_pointers.asm https://github.com/pret/pokeyellow/blob/3ce276892c1b97ae893d319125b13fed936d14f2/data/maps/map_header_pointers.asm

Hence, we have just the 7 glitch maps at F8-FF for Red/Blue or 6 (F9-FF) due to the added beach house in Yellow.

The pointers for F8-FF in Red/Blue are as such (as we already know the banks we can just apply them):

F8: 1C06
F9: 1E:7E21
FA: C348
FB: 35D6
FC: FF3E
FD: 0A:6BEA
FE: CDCD
FF: 1241

FA and FE land in RAM. As this was seemingly not documented, the articles about these maps stated empirical behavior that may not be consistent.

Hence, what can we do from the structure of a map header?

If we look at Hat's documentation, it contains

#1: [Tileset Number]
#2: [(Y Size) Map Height]
#3: [(X Size) Map Width]
#4-5: [*2 Bytes*: Pointer to Map]
#6-7: [*2 Bytes*: Pointer to Maps Text Pointers]
#8-9: [*2 Bytes*: Pointer to Maps "Script"]
#10: [Connection Byte:

Trying out reasonable parameters, I'll see if I can get FA to load.

First; when will it read C348? that occurs at 10B6 it seems; at 00:107C LoadMapHeader. So for this purpose I'll change C348 when it reaches the breakpoint to a copy of Agatha's header. It actually has an effect! Though the game still freezes, why is that?

Doing the same process for FE it freezes as well. Maybe it's because of the bad banks 20 and 2F or something else?

This time then, I'll point the map, text pointers and script to RAM or unbanked ROM as well so bank doesn't matter. Specifically I'll just change the map script to 007A, and as expected it now points there and D36E is written to it, but now it freezes a bit later after a few moments.

0605606505652D640034 > 0605606505652D7A0034

I suspect this time maybe it's the music bank? Checking the overworld loop it seems to be from the MapSongBanks pointer at 03:404D, so I'll dump those too (sound ID and song bank).

F8: 0606
F9: 0606
FA: 1106
FB: 0606
FC: 0714
FD: 1401
FE: 0715
FF: 1515

Unfortunately all have an invalid bank, because valid sound banks are 02, 08 or 1F. These only have 06, 14, 01 and 15. As for arbitrary code execution with sound banks, I've only been able to get that to work with 0A which isn't in the table.

Yet, there is a slight delay before it freezes; I wonder if I can use the Bicycle to circumvent the bad music? I'd first have to change the tileset number; 00 works so my header is now:

0005606505652D7A0034 @ C348

..and surprisingly yes! If I use the Bicycle map FA doesn't freeze. I have to be really quick though..

As I handcrafted the header I knew in advance what it would look like (specifically tileset 00 meant ordinary overworld blocks like in a regular outside Glitch City), but this map seems to have wild glitch Pokémon.

Dumping D887 (wild data) I get:

54|2955305EF6553E56B256FF57EC6573646A5869

(data is in Rate, then Level+Pokémon pairs)

...and dumping D89C for water encounters

03B924B9FFFFFF00 (previous trainer data)|DD (rate)|47776691575455065C625F

However, after each battle you must either change D35E or the header at C348 again; as the data in the header would change by then. Evie (Torchickens) (talk) 03:22, 2 February 2022 (UTC)Reply[reply]

Addendum (1)

If you're able to modify the C348 header data from in battle, after previously riding the battle, you can then change D35E (with expanded inventory) to FA - this is a clean way to end up in a non-freezing map FA complete with the glitch encounter table (031A); the same glitch encounters. As for map FE; that one is the same constant glitch encounters too at 02A6 (with rate over 0 possible; it was loaded as 0x60). It's a tad shame we didn't have full control of encounters, but interesting nonetheless. Evie (Torchickens) (talk) 03:35, 2 February 2022 (UTC)Reply[reply]

I suppose the expanded party might be a way; according to expanded party main data for E243 (===C243) is at party Pokémon 99 and we want C348; so that would be type 1 onward. At C348 it's wiped with 00. The HP and such is wiped too; after all the OAM spans a lot and its sprites have to be reset in the main battle menu (out of the party menu). I wonder if there is anything we can do though? (without having to write to C243 with arbitrary code execution) Evie (Torchickens) (talk) 03:44, 2 February 2022 (UTC)Reply[reply]

Ah but for map FE CDCD is part of the screen copy at CD80. X=0x10 and Y=0x03, which lands on the enemy Pokémon sprite; but there should be potential to use a tile writing glitch with arbitrary type buffer overflow. Maybe I can write the header in the rival name? ^^ (Torchickens; forgot to sign, about 03:59)

OK it's possible (without prior arbitrary code execution) https://www.youtube.com/watch?v=nHL67xgIwcM . The question now is can the same be said for FA and FC (which point to different areas also harder to precisely corrupt)? Evie (Torchickens) (talk) 06:45, 2 February 2022 (UTC)Reply[reply]

I've ran out of time today (even though it would be quick to check), but it seems unlike Red/Blue the map header pointers are at 3F:41F2 ; what are the glitch map header pointers for Yellow? Evie (Torchickens) (talk) 06:48, 2 February 2022 (UTC)Reply[reply]