Main Menu

Glitches

References/Resources

Affiliates

Technical

Search Wiki

Toolbox

Arbitrary sprites
 Page | Discussion | View source | History

From Glitch City Laboratories

Jump to: navigation, search
'Yoshi' as the backsprite of a Pokémon.

Arbitrary sprite (or custom sprites) or arbitrary sprite pointers refers to a glitch technique in Pokémon Red, Blue, and Yellow, in which a glitch or memory edit is used to insert data the player desires into a Pokémon, glitch Pokémon, Trainer or glitch Trainer's sprite.

It does not refer to hacking Pokémon sprites into the ROM, but rather refers to 'custom sprites' appearing due to modified RAM.

For the later discovered methods, this requires that the source of the sprite is sourced from writable memory region. For the original method, an emulator and memory viewer may be needed.

The technique in its simplest form can be used to modify the sprite dimensions and data representing the sprite, in order to modify how glitches relying on glitch sprites affect data such as the Hall of Fame (see Hall of Fame corruption).

The most powerful form of the glitch involves arbitrary code execution or otherwise a modified save file. By encoding their own compressed sprite (which is made easier using tools), the player can insert a custom sprite into the game within other technical constraints (such as one palette with limited colors).

While technically, arbitrary VRAM or SRAM sprites are possible, these regions may be locked making the glitch harder to exploit, especially for VRAM in which the quirks of VRAM inaccessibility apply.

A similar technique (seemingly discovered before first), involves directly copying and pasting the contents of a Pokémon sprite into VRAM. This usually requires an emulator however. It was documented by Newo.

Predecessor technique

If the player copies VRAM data beginning from address $9000 with a size of about 310 (e.g. from Pokémon Gold, Silver and Pokémon Crystal), they may paste it back into address $9000 while viewing the status of a Pokémon or encountering a wild Pokémon in Pokémon Red, Blue, and Yellow to temporarily create a custom Pokémon sprite. The effects go away after battle.

Viable examples

With solely OAM DMA hijacking

Addresses D0C2 (sprite dimension) and D0C3-D0C4 (front sprite pointer) (D0C1 and D0C2-D0C3 in Yellow) may be locked using OAM DMA hijacking or a cheating device to load a custom front sprite for every opposing Pokémon.

D0C2-D0C3 reads pointer expressed in little-endian form, for example, $DA7F for Yellow would be represented by $7F at $D0C2 and $80 at $D0C3.

For a cheating device like the GameShark, the following codes will replicate the same effects as locking these values with OAM DMA hijacking (assuming the sprites were properly patched):

01XXC2D0 (sprite dimension: usually $77 for front sprites or $44 for back sprites. Change $C2 to $C1 for Yellow)

01DAC4D0 (source pointer byte 2. Change $C4 to $C3 for Yellow.)

017FC3D0 (source pointer byte 1. Change $C3 to $C2 for Yellow.)

The first person to use this exploit is unknown, but it was popularized by pokeglitch and Torchickens.

With 9ゥ (E6)'s backsprite (Yellow)

In Yellow, glitch Pokémon 9ゥ (0xE6)'s backsprite is sourced from FAC9 (DAC9)). By default, on Super Game Boy the glitch Pokémon is yellow, but the palette of the desired sprite can be changed by changing the second species byte of a 9ゥ (0xE6).

Dimension byte 0x44 sprites can be 'installed' into the game for 9ゥ (0xE6, by modifying the contents of DAC9 (which is located within the storage system Pokémon data) with arbitrary code execution.

This exploit was documented by Torchickens.

With Family 175 (Red/Blue)

The Family 175 glitch Pokémon in Red/Blue (specifically 0xE4, 0xE9, 0xEE) take their frontsprite from screen data at CDE5. Though it may not be possible to see a custom frontsprite from those glitch Pokémon with standard arbitrary code execution, it is possible with a special form of arbitrary code execution known as OAM DMA hijacking, and this exploit can be set up with a tool such as TheZZAZZGlitch's memory editor and map script execution at D36E.

This exploit was documented by Torchickens.

With instant encounter 255 (glitch Trainer ID 55)

  • 14S (Red/Blue) and ゥ, A (Yellow) are glitch Trainer classes which can be accessed with the Trainer escape glitch, usually requiring a Special stat of 255 in this case. The front sprites of these glitch Trainers are both sourced from E891 (C891), which is a temporary part of the C6E8 (wOverworldMap) buffer.

Using arbitrary code execution, a custom sprite (usually with internal dimension byte 0x77 meaning a 56x56 dimension sprite) can be written here just before entering the battle, however, the data is wiped after saving and resetting the game (and possibly other options that change the buffer like moving to another map).

In later generations

Arbitrary sprites are theoretically possible, but no vulnerability to do it has, as of yet been documented.

See also

Lists of glitch Pokémon with arbitrary sprite pointers.

YouTube videos

Original exploit:

YouTube video by glitchedgamer

Glitch Pokémon arbitrary sprite pointer exploits:

YouTube video by ChickasaurusGL

External links