Game:

Pokémon Red and Blue (1996)

Duration: 4:28

1,158 views

46

I found this interesting technically specific glitch with Map 250 (0xFA) while looking for improvements to dokokashira door glitch. ^^
This glitch probably won't work on VisualBoyAdvance (even ones with correct Echo RAM emulation), but does work on BGB.

In fact, there should be a whole branch of glitches whenever a rst 0x38 occurs (where in Red/Blue/Yellow exploiting the rst 0x38 probably hasn't been done yet(??), with it working different pointing to another rst 0x38 and no useful exploit being found)

It works in both my v1.0 Green and v1.1 Red (and possibly Red v1.0, Green v1.1), but you may have to adjust the pointers you call in your code if the locations are different between the versions. The code below is for Green v1.0.

The cause of this glitch is its map script A000 which points to 00A0 (rst 38). In the Japanese versions Red/Green/Blue and Yellow v1.0 (interesting v1.1, v1.2, v1.3 changed it to rst 38 like other language versions), the rst 38 is different, and is for some reason jp F080. Hence arbitrary code execution occurs at F080 (Echo RAM for D080) but there are some interesting currently unknown details that causes the glitch to fail on VisualBoyAdvance.

In this save file of the glitch requirements set up is another weird exploit, where the game freezes if you go to the continue/new game/option screen and press B, causing the game to freeze. I noticed it and it's something to do with this specific save file?
https://drive.google.com/file/d/1w0i3QPB2PRwNp0vqBxxkPL7Y9JyjU1Di/view?usp=sharing

At D080 the exploit will plant the following code,

ld b,16
ld h,7B
ld l,E4
ld a,02
ld (C0EF),a
ld (C0F0),a (set the sound bank to the valid 02, as map 0xFA's 06 will freeze the game)
ld (D2DD),a (partially set the map to Viridian City to avoid other potential glitches on choosing continue)
nop
nop
nop (gets replaced by inc e 1C later for some reason; I added these filler nops knowing this happens somewhere in advance)
nop
ld a,DB
ld (D2EE),a
call 3620 (call bank 16 7BE4 ; Hall of Fame script)
ret

The new map script (also accessed after choosing continue) will be DBA0.

At DBA0

ld a,02
ld hl,C0EF
ldi (hl),a
ldi (hl),a
ret (same fix sound bank action as before)

Map 250 corrupted my party, but I escaped with an Escape Rope after adjusting the tileset address in the expanded inventory.

Method:
1. Set up this glitch, known as LWA/mart pwner https://archives.glitchcity.info/forums/board-107/thread-7417/page-0.html - for this purpose I chose the following

i.Text pointer table =D9B2 ; at fourth NPC (the non-Cable Club lady in Celadon City at the Pokémon Center) text pointer (D9B8) must be FE).
ii.Have no FF bytes below D9B2 up until DB5D (where you'll place your code that will be copied to D080 after the glitch).
iii. Add TM50 to D2E4, the exit destination slot in the expanded inventory.

(For the above the pointer from D9B2 is in box Pokémon data, so you'll need specific box Pokémon, at the moment I don't have details sorry; but you can set this up with another arbitrary code execution to wipe out those memory regions (and add your code to DB5D)

Steps:

1. Get
i. In slot 1 , Master Ball x178 (B2)
ii. In slot 2, TM17 (B2) x 157 (D9)
iii. In slot 3, TM50 (FA) x1
iv. An Escape Rope somewhere below if you want to escape the Glitch City.

2. Swap
i Slot 1 with slot 37 (may be just below a ?????)
ii. Slot 2 with slot 38
iii. Slot 3 with slot 34 (may be the Bicycle; じてんしゃ)

3. Talk to the non-Cable Club lady to bring up the glitch mart, and close it.

4. Go through the exit of the Pokémon Center to load Map 250, which in turn loads the 00A0 pointed rst 0x38 to jump to F080 (D080) where your code should reside. Note it can be awkward to get your codes not to freeze, and this likely won't work on VBA (BGB was used in this video).

Other Statistics