Text pointer manipulation mart buffer overflow glitch

From Glitch City Wiki

Text pointer manipulation mart buffer overflow glitch, informally known as Mart Pwner or Lucky Wins Again (LWA), is an extension of text pointer manipulation for Pokémon Red, Blue, and Yellow documented by luckytyphlosion.

It involves the player bringing up a corrupted Poké Mart which corrupts data from CF7B (Poké Mart total items) onward in RAM with data from a specific source.

Unlike corruption techniques from Super Glitch moves, items, or Pokémon names, the source can be controlled by the user: it is taken from the address at the beginning of the Poké Mart list (manipulated by adjusting the text pointer table and text pointer).

It may be used to catch many Pokémon for the Pokédex and is the only known non-arbitrary code execution/cheating device method to trigger the unused battle system featuring the text "Hurry, get away!" in Pokémon Yellow.

This article documents non-speedrunning adaptions of the glitch.

Catch 'em all glitch (Yellow)

This trick for Pokémon Yellow can be applied outside of speedrunning to capture any Pokémon you wish outside of battle (you throw a Master Ball from the items pack to capture the Pokémon), with the species depending on Pokémon 3's lower max HP byte.

We talk to the lady in Pallet Town to bring up the corrupted Poké Mart.

This trick requires an expanded items pack, which can be obtained with a glitch such as the "dry underflow" glitch.

Requirements

1) Pokémon 1 must have a move 1 PP value of 254 (62 PP with all PP Ups applied) - enables glitch mart (possible with a PP underflow glitch).

2) The PP of Pokémon 6's move 2 must be 01 - makes the game think you're in a battle.

3) The PP of Pokémon 6's move 4 must be 00 - disables instant encounter (as instant encounter will reset our Pallet Town text pointer table back to normal) to easily capture many Pokémon quickly.

4) Pokémon 6's level must be 00 - disables automatic item selection as it would prevent you from catching more than two unique Pokémon (one Pokémon, and Ditto).

5) If you want opening the Poké Mart to disable Ditto (who normally appears if you throw the Master Ball twice), set letter 5 of the first Pokémon's Original Trainer name to 00.

6) In the party, you must not have a Pokémon with a catch rate of 255, a Pokémon with FF in its experience bytes, a Pokémon with FF in its EVs/DVs, or a Pokémon with a Trainer ID containing FF; otherwise the mart may not be able to corrupt as far as it is meant to.

7) Repel x243 must be placed into item 40 (map's text pointer table) (a quantity of 211 might also work).

8) Item 2 must have a quantity of 135.

9) Item 3 must be a TM41 (a TM09 might also work).

Level 0 Pokémon can be obtained without trading using the text pointer item ball manipulation that was documented by MrWint, if you have available item balls in the overworld (see here).

They can also be obtained via a trade with another game (such as Red and Blue). Note that 'M (00) at level 0 sadly cannot be used for the glitch because it has FF values in its experience, but non-'medium slow' growth Pokémon (basically all Pokémon part of a three-stage evolution as well as Mew, except for Butterfree and Beedrill) can.
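Requirement 6 follows from how a mart list is read: bytes are copied to CF7B until an FF is met, so the first FF in the source decides how far the write runs. The C model below is an added illustration (not the game's code and not from the original article) of that sentinel-driven copy beside a bounded one; the 16-byte list capacity, the 48-byte source and the 0x2A filler are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIST_END 0xFF  /* an FF byte in the source ends the copy */
#define LIST_CAP 16    /* assumed capacity of the mart list buffer; not from the page */
#define SRC_LEN  48    /* constructed stand-in for the party data being read */

/* Sentinel-driven copy: the source alone decides the length.
 * Returns the number of bytes written, terminator included. */
size_t copy_list_unbounded(uint8_t *dst, const uint8_t *src, size_t src_len)
{
    size_t n = 0;
    while (n < src_len) {
        dst[n] = src[n];
        if (src[n++] == LIST_END) break;
    }
    return n;
}

/* Hardened form: copy only if the terminator lies within the buffer.
 * Returns bytes written, or 0 if the list was rejected. */
size_t copy_list_bounded(uint8_t *dst, size_t cap, const uint8_t *src, size_t src_len)
{
    size_t limit = src_len < cap ? src_len : cap;
    for (size_t i = 0; i < limit; i++) {
        if (src[i] == LIST_END) {
            memcpy(dst, src, i + 1);
            return i + 1;
        }
    }
    return 0;
}

/* Constructed source with its first FF at ff_offset (none if out of range):
 * how many bytes does the unbounded copy write past the list buffer? */
size_t overrun_for_ff_at(size_t ff_offset)
{
    uint8_t src[SRC_LEN], ram[SRC_LEN] = {0};  /* ram models memory from CF7B onward */
    memset(src, 0x2A, sizeof src);
    if (ff_offset < SRC_LEN) src[ff_offset] = LIST_END;
    size_t n = copy_list_unbounded(ram, src, sizeof src);
    return n > LIST_CAP ? n - LIST_CAP : 0;
}

int main(void)
{
    printf("FF at 40: %zu past list, FF at 9: %zu\n", overrun_for_ff_at(40), overrun_for_ff_at(9));
    return 0;
}
```

An early FF (offset 9) ends the copy inside the list, which is why a stray FF in party data keeps the corruption from reaching the bytes the trick relies on.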

How to use the trick

1) Go to Pallet Town and place the Repel x243 into item 40.

2) Make sure that the PP underflow Pokémon is in slot 1, the Pokémon with the max HP of your choice is in slot 3, and the level 0 Pokémon is in slot 6. Talk to the lady in Pallet Town.

3) Close the mart and throw a Master Ball to get the Pokémon whose ID is Pokémon 3's max HP modulo 256.

4) Save and reset so you can use HP Up, Rare Candy and talk to the lady again, then repeat step 2.

If you stocked up on many Repel x243 stacks, you can Fly away (the low HP music may continue for some reason) and switch boxes. Flying away will reset item 40 back to what it was, but the extra Repel x243 stack will let you repeat the glitch.

Multiple stacks can be obtained if you get Repel x255, then toss the item above it to create another stack of Repel x255. From then on, you can toss 12 from the individual stacks.

Pokémon and glitch Pokémon IDs can be found here.

YouTube video by ChickasaurusGL


Manipulating specific battle systems (Yellow)

This is a trick for Pokémon Yellow to encounter a Pokémon or Trainer in battle with a specific battle system (depending on Pokémon 6's type 1 and type 2). We talk to the lady in Pallet Town to bring up the corrupted Poké Mart.

Like the "any Pokémon" trick, it requires an expanded items pack, which can be obtained with a glitch such as the "dry underflow" glitch (https://www.youtube.com/watch?v=ZyppANEvnh8).

Pokémon 1 must have a current HP of 254 for the trick to work. To enable a suitable glitch Poké Mart, a Repel x243 must be placed into item 40 (text pointer table) (a quantity of 211 might also work), item 2 must have a quantity of 108 and item 3 must be a TM41 (a TM09 might also work).

Additionally, there must be no 'FF' bytes in your party Pokémon data. This means no Pokémon with a catch rate of 255, EVs or DVs with an FF byte in them, experience with an FF byte, or a Trainer ID with an FF byte in it.

The Pokémon ID is based on Pokémon 6's type 1. The battle system ID is based on Pokémon 6's type 2, so for example a Pokémon with Poison (hex:03) as type 2 will bring up the unused "Hurry, get away!" encounter system in Yellow. Pokémon with only one type are internally stored as having the same type for type 1 and 2.

Pokémon and Trainer ID numbers can be found on The Big HEX List.

Type index numbers

Index number (dec) | Index number (hex) | Type
0 | 0 | Normal-type
1 | 1 | Fighting-type
2 | 2 | Flying-type
3 | 3 | Poison-type
4 | 4 | Rock-type
5 | 5 | Ground-type
6 | 6 | Bird-type (only used by 'M (00) and Red/Blue Missingno.)
7 | 7 | Bug-type
8 | 8 | Ghost-type
20 | 14 | Fire-type
21 | 15 | Water-type
22 | 16 | Grass-type
23 | 17 | Electric-type
24 | 18 | Psychic-type
25 | 19 | Ice-type
26 | 1A | Dragon-type

Battle systems index numbers

Index number (dec) | Index number (hex) | Battle system
0 | 0 | Normal
1 | 1 | Old man battle
2 | 2 | Safari Zone battle
3 | 3 | Hurry, get away!
4 | 4 | Professor Oak (entering Pallet Town's tall grass with no Pokémon) battle
5+ | 5+ | Glitch battle systems where you don't initially send out a Pokémon and cannot fight, and item 1 is automatically selected if you choose to use an item

YouTube videos

  • General use:

YouTube video by ChickasaurusGL


  • In luckytyphlosion's TAS:

YouTube video by luckytyphlosion

