Duration: 11:42

674 views

24

This glitch exploits a buffer overflow from a very long Pokédex entry. For this video, we choose glitch Pokémon 0xDC in Red/Blue https://glitchcity.wiki/GlitchDex/RB:220 (Pokédex sourced from SRAM AA00).

This glitch Pokémon is a hybrid of Pidgeotto, so to exploit this glitch we must not have Pidgeotto owned in the Pokédex.

Typically, its Pokédex entry will freeze the game, but in this video (following the preparations and steps in the Pastebin below), we use the glitch to have the party cursor be at No. 256 (even if you don't have the expanded party), allowing us to swap Pokémon 144 with Pokémon 10 to give us a lot of Pokédex entries.

(See https://pastebin.com/ZTdrvhPt )

How we avoid the freeze:

1. We'll want to be on SRAM bank 00 and it must be opened. To do that, we'll view a Pokémon's summary from the party before catching the 0xDC outside of battle with Rival LG. So we'll need a six letter long Rival's name, 9F, glitch item 0x9E and Master Balls to do Rival LG. See https://glitchcity.wiki/Rival_LOL_glitch
2. SRAM from 0:AA00 must be 'good'; the best way is to have it all up to where we want to corrupt as FF by starting over with a new save file. We must also never view glitch Pokémon sprites in case they corrupt the data, because control characters or multiple length characters could mess up our plans. Although it takes a while, you can duplicate items and get the expanded inventory and expanded PC items with dry underflow glitch without seeing MissingNo. by getting Ditto from Brock Through Walls, and doing the move 0x00 corruption glitch in Diglett's Cave to catch MissingNo. twice. To get it the second time, make sure to correct the flipped sprites by viewing a normal Pokémon's summary. Have yourself in Fuchsia City.

https://glitchcity.wiki/Brock_through...
https://glitchcity.wiki/Move_0x00_cor...)
https://glitchcity.wiki/Dry_underflow...
https://glitchcity.wiki/Expanded_item...
https://glitchcity.wiki/Expanded_PC_i...)

3. We'll want to enter a specific Hall of Fame induction with data containing a 0x50 terminator to terminate our data (this is where the expanded PC items comes into play, which we can acquire by depositing a x255 stack into the PC and doing the normal dry underflow glitch steps). Although this glitch has potential to be more powerful, with single-length characters and no terminating control characters B372 touches CD6B (wJoyIgnore) and chances are due to the complexity of the characters/chances of a 0x50 terminator, 0x00 byte etc. working out desired SRAM corruption(s)/Hall of Fame induction(s) that doesn't lock up the controls and corrupts the needed data would make preparing it harder. For now, we place the 0x50 byte a little before B372 to give us a glitch cursor position for setting up the equivalent of expanded party/'Select glitch' corruptions later without actually needing the expanded party.

4. To do that, have your only party member as a Level 80 (80 is 0x50 in hexadecimal) non-glitch Pokémon. Make sure you've never entered the Hall of Fame (retaining FF bytes), but at the same time trick the game into thinking it's your 37th induction by changing expanded PC item 52 (D5A2) to x36, and entering the Hall of Fame by changing item 36's quantity to x118 in the expanded bag (if you're swapping the above Ultra Ball x0 into item 36 to toss from map 256-, beware tint 0x07 will make the screen black in Super Game Boy mode, so it's good to change item 36 quantity from 7 to another value such as 6 first). This will register the 37th Hall of Fame entry causing a long corruption up to the 0x50 in your Pokémon's Level, but without touching B372 (would corrupt CD6B).

Effects:

The graphics will be corrupted (I think it's because the glitch Pokémon's sprite wrote to VRAM) and some data before ~CD6B has been corrupted. We use the corrupted cursor position to almost fill the Pokédex by swapping Pokémon 144 with Pokémon 10 (from position 256 this is up 112 times; choose switch, up 102 times, A) , and save and reset the game to avoid a game freeze.