FFVII's Strangest Glitch Finally Solved

Using 4 bytes to store a number that is read into 2 bytes, as an ASCII string, in base 10, with no null terminator, is probably the most psychotic method I've ever heard for storing a number. I'm shocked it even works as well as it does.

Me before watching video: "An upside down model usually indicates a negative scale; I bet this is an overflow glitch."
After watching video: "Holy crap we're lucky this game ever functioned..."

I've gotta say, I've missed your glitch and in depth game mechanics videos. I'd say you're in my top 5 content creators but I'm not as much into long play vids so I haven't watched as much as I used to but I so make sure to like and comment on all your vids I can. Keep up the good work man.

This is exactly the reason I subscribed to you death, other than the awesome mod play throughs that is. Thanks for everything.

Not only upside down, he's probably inside out as well, sm64 has a pretty similar glitch with the fly guy.

It’s great to see this figured out after so long; and thanks for explaining it to those of us without backgrounds in computer science or game development in such a concise, understandable manner.
All I could think was that those are the materia Scarlet was really looking for. Imagine if they launched that at meteor. Sephiroth would’ve been speechless.

I knew this game was made of chewing gum and string but I didn't realize _any_ of the code was THAT bad. It is actually difficult to find a worse way to store a number, and if you do, its something that's so ridiculous that it is clearly intended to be bad design.
That said, I bet this code dates back to the PS1 version, but never happens on that version because the PS1 doesn't have dynamic memory allocation like modern PC games.

As a programmer I love in depth info like this. First ran across your channel when you had just a few subs and were kind of struggling. Happy to see your near 100k now. If you keep making indepth programming vids like this youll fill a much needed niche. I can say for certain ill be watching! Also, I wonder if the algorithm isnt looking for the Null terminator as it iterates over the memory

This is not an exotic storage. They just stored the size in a null/zero terminated ascii string. The number in the images from death are actually hexadecimal. And in ascii, 5 is 0x35 (the 0x prefix means hexadecimal), 1 is 0x31 and 2 is 0x32.
In C:
puts("\x35\x31\x32");
is exactly like:
puts("512");
The only strange thing is that they store numbers in ascii string. There are two drawbacks.
The first one is that they need to convert the string back to a number to be able to use it.
The second one is that it takes more memory. Here they use 4 bytes and they can only store a number from 0 to 999, while a C unsigned short int is usually 2 bytes and can contain a number from 0 to 65,535.

FFVII, the gift that keeps on giving, hopfuly one day I am blessed and found worthy of viewing big Cloud.

Thank you and m4v3k for continuing to breathe new life into this classic! So grateful to have fans like you who keep making FFVII content.

There were certainly some decisions made in this game's development. It's honestly a miracle this game runs as well as it does, let alone at all, and proves this is truly the best timeline. I love this game

They say they left the debug room in the game because the game was so broken right before launch they were afraid that if they took it out, something would break. I think we finally know why. Why on earth did they do it this way and how in the WORLD was the PS1 able to handle such inefficiency?????

Wow you explained that so clearly. When you said you'd explain how the code was working I figured there was no way I'd understand it. Thanks for that super simplified breakdown!

As a software engineer, I agree with the guy who said this is the worst thing he’s ever seen 😂. Idk why they made storing and reading the size so complicated hahaha. Also great explanation, I gotta try this in my current playthrough when I get to Corel lol

Saw m4v3k checking about this on stream, I was wondering if you would make a video about it, I'm glad you did! It was a really interesting glitch to understand!

ff7 will never give up all it secrets in over 25 years.

I love how after so long, you all are still finding out stuff about this game

Thank you so much! This happened to me once and I was so confused and I couldn’t find anyone explaining how it happened

8:40 I played through the game for the first time earlier this year and encountered this glitch here. I streamed what was happening to my friends through discord and they had never seen it before so it's cool to know all this now!

I think I've only ever heard you mention this, never seen it!
Great vid dude

I had this happen to me in Corel on my first playthrough and have been curious about it ever since. Interesting stuff!

If I may defend the algorithm a bit (I don't mind losing all credibility haha), this seems like a fairly common bug and isn't too egregiously stupid.
First of all, as you mentioned, the value is stored as a string in ASCII. I don't know why they store it like that but OK, that's just the format it came in. It's inefficient but there's nothing particularly wrong with that.
All ASCII strings are supposed to end with a 00 byte, and it's standard practice to keep reading strings until you hit a 00. They improved this a bit knowing it can only be a number, so they end on anything outside of 30-39 instead of only 00. This is a fairly typical implementation.
The only thing that went wrong was a mismatched assumption. Probably the people who built the fields put a 4-byte limit on the model size string, but thought they had room for 4 digits and didn't have to end it with 00. Then the people who wrote the 3D model code assumed it would be a regular ASCII string which always ends with 00 and didn't bother checking the 4-byte limit. Both are reasonable (and common) ways to do it, but the two teams needed to be consistent which they weren't.
Finally, this could be something that did work reliably on the PS due to how memory was managed on the console, where the assumption that the string would always end after 4 bytes did hold up. But because memory is allocated differently on PC, and nobody was aware of such an inconspicuous underlying assumption when porting the game, it introduced this new bug.

Kinda got behind watching twitch, but I never miss a YT vid. Good work on it, man! I absolutely love your content, and you’re by far the best FF7 content creator I know of.

the fact this game works at all is a genuine miracle

I get so much joy out of you sharing your love of this game.

FF7 is my favorite game and I love these videos. It's interesting to see under the hood of this bizarrely programmed game.

So, they store the ASCII digits of the number with a null terminator. It would have saved memory by simply using 2 bytes to store the binary number. Based on what you said about the underflow, the system probably only handles signed 16-bit integers anyway which have a max value of 32,767.

Very cool finally seeing this showcased. I legit had this happen to me once and had NO EARTHLY clue how it happened to me LMAO! Now I know its not that big of a deal and my game file wasnt corrupted or something dire!

Always learning something new about FF7. Amazing. Thanks Death

The minute you started talking about it I knew it was going to have to do with random memory being used in an unintended way. That's almost always the way these things work.

Videos like this are always a fun watch for a CS student :)

This is one of the funniest things I've seen in a long time. I literally burst out laughing when I realized how bad the algorithm is!

Going by the memory explanation given, this glitch should also trigger on any map where Cloud's model is defaulted to 2,048.
I bet you could trigger this glitch by loading in/out of rooms with the Debug Room.
Maybe try this when Cloud is inside the Submarine? I recall the "camera" being zoomed in a bit close there.

Why does FF7 years later still shrouded in mystery..... This game will always feel like there's something else to discover

I've never even heard of this glitch before. Very interesting...

Hey, thanks for all your videos. I have learnt stuff I never knew existed in my all time favourite game. can I ask, I have the Ochu trainer because I want to speed up FPS, but I can't friggin edit the values like you do. How do you even do that?

Great work!

This game has endless secrets and quirks and I am here for all of them

For real this is probably the best and most reliable FF7 content in recent years

Oh wow, It's not everyday I see something new in FF7.

almost 100k subs that's insane i'm glad that i am able to be subbed before it

Very cool! Does this happen with Tifa/Cid, and can it work on any other versions?

loved this, bro - more please

I’m so glad I’m not the only person who ever noticed this. I remember taking a screenshot back in 2015 but somehow I lost it 😂

11:15 "Trying everything on everything".
Ah, the Broken Sword method.

Just to point out the normal approach when you don't know how many bytes you'll need for your number is to have one or more bytes to keep the size.
Basically 512 would be 2(because we need 2 bytes for the size as it's above 255), 2(because 2*256 = 512), 0(for the remainder).
This prevents any potential issues because you're always storing how many bytes you need rather than looking at the values of bytes to tell when you end.
Also given the game only ever uses powers of two for scaling it may be more efficient to just store the power, 1024 is just 2^10, 512 is 2^9; storing 10 and 9 respectively and just doing a left shift by the number for the scaling would be a lot safer/efficient.

Rumor has it the guy who made this code went on to number the kingdom hearts games

want to know if this work with cid amd tifa besides just cloud?

Will there ever be a final glitch?

Sooo, upside down gigantimax cloud% when 😅 So goofy glitch and good that we have now more details in this.
Keep up the good work.

Missed it live but I’m here now

this is beautiful

This happened to me the first time I played FFVII Steam version, I had no idea it was considered a “rare” glitch lol :D

This probably has to do with the field module passing data to the battle module, then the menu module and back again. Timer is constantly changing between battles; so too is Gil count and XP. If you're max level, this should stop. In theory though, shouldn't different party members change the math? I don’t think they all have the same XP values. Could it be step count related? You should reset it after each battle.
My last thought is, could it be a fault in the initialization code for the modules?

16:07 makes sense since that is an ASCII string that represents a number. There are valid scenarios where you want to take a number that is displayed as a text string and pull the displayed number as a real number.
The code is likely bog standard code for pulling a number from a string. The way you describe it is how that sort of thing is done, it's a very standard function. parseInt() in JavaScript and int.Parse() in ..NET both work the same as what you described.
It's likely the text was typed in by a developer somewhere and it was just dumped into the game as-is. Given it only uses four bytes and they could have saved a whopping two bytes for each model it really isn't a big deal all things considered. Then the game itself had the responsibility to parse out the strings. Of course they failed to protect against buffer overflow, a very basic bug.

The Bugenhagen one happened to me on Playstation 4 (?) I played on PS5. Is there a PS5 version, or was it the same as for PS4?

Chat: Pay attention, this is how you become tall
The reality: Cloud becomes so short that he becomes negative tall

Would this work also when you are cid or tifa running around while Cloud is sick?

Cloud must have taken a super mushroom from the super smash Bros game back with him into FF7

Alternate timeline confirmed, Aeris Aerith / Cloud Upside Down Massive Cloud

I didn't even understand what you were talking about at first. I immediately understood it as "oh, those are hex numbers. That makes sense they would read numbers there". But when it clicked that they were literally just taking the decimal 30 range and reading the ones digit there, I mean that is just so dumb! I know consoles back in the day did hacky stuff in order to fit more on the disc/cartridge. But I can't imagine that this would even improve anything at all? It's just a weird obfuscated way to read numbers.

I'd completely forgotten about this happened to me until this video

Good videos I would love to see you do would be on Important Missable Item Locations/How To Get Them and all the ways Get Each Type of Chocobo, not just the 15 minute way for the speed runners.

Great find! Hey, I revisited Bloodstained again recently and I once again couldn't help but think Zangetsu is your doppelganger. Has anyone else pointed this out? Maybe the character designer is an 4-8 viewer?

This is great! A very fun glitch.

this happened to me! changing the resolution worked at the time - and it was always on the same room (the one from your ss)

So when I came upon this glitch I thought it was somehow related to the northern crater scene at the end of disk one where cloud is on the ceiling before crystalized sephiroth drops down all being triggered by the extremely wonky code

Hyped to see this 🥦

i didnt even know this was a thing. i never encountered it. the only glitch i remember activating was the cut scene in the junon elevator of the fishing village that kept showing cloud giving the black materia to sephiroth.

My FMVs used to play upside down in this game for some reason - way back in the day on PC

Cloud working on them squats

Is this possible with Tifa and/or Cid?

I never get tired of this game

I am a very novice programmer. My code is horrible.
But my jaw dropped when I saw how they coded this. That is insanity. What materia were they smoking?

So the 3 junk slots after 1024 are always the same when this happens? Or does any number over 1024 cause max underflow, therefore, no variations?
Also, why doesn't this happen on other platforms?

Yea mate I had that trigger in Bugenhagen's observatory once, confused the heck out of me!

It'll be 2050 and we'll still be making discoveries about this game.

So my hunch it has to do with bad Memory management, or as i wrote under the part in question of the Pincer Mod play trough, "garbage collection". I thought it was a simple error in handling signed and unsigned integers, wich wouldn't be a surprise. I had never imagined such a bad/warped/inefficient way of storing the value of the model size. It hasn't even a advantage over the standard way of storing values and will use more time/resources. Please correct me if i am mistaken.
Thank you for telling us how and why this happens.
This question bugged me for years.

Bro you reminded me that i saw this glitch when i first ever played through this game. I was 7 and it happened at bugenhagen. My brother didnt believe me!

The previous FF game FF6 in Japan and FF3 in America, where on the SNES and FF7 might have been started while the negotiations were ongoing with Square, Nintendo, and Sony. Square might not have known what console architecture the game would be released under. The dynamic could have been a way to make it easier to port to multiple systems depending on who would host the game. It was also their first 3D game so there might be some jankie code as a result of not knowing what problems could arise from being in a 3D engine. But even their 2D games had some weird glitches and bugs.

math with Death is the best. Got my geek on for sure 1024 bits man!!!

very well explained ;)

What if there's only one 3 in the next byte? Then the model would be 10x as big instead of 1000x like in your example. Is that enough to overflow?

if one number is stored cloud becomes very big but the right way up?

You know what they say about big, upside down Cloud? Big Shoes!

What if it doesn't happen with three other numbers at the end and just one is added? do you end up with just a larger, right side up cloud?

I wonder if the same can be done to Cid when he temporarily becomes leader?

i think death broke it lol but yh this was very insightful i didnt know why this happened when i watched one of your stream this was a good watch and explaination

Can you do this with Cid and Tifa when they are in charge of the party?

I’ve experienced this glitch before. I believe I was playing on the steam version. It was on the screen behind Coral where Barret looses his hand.

im not sure to understand. When you allocate a variable in C language you don't need to specify its type, just the length. or am i missing something?

This makes me think that the glitch could also happen in the Lifestream, unless the multiple Clouds are handled differently from normal Cloud.

No way lmao, I remember getting this glitch like 5 years ago just casually playing the game. It happened at the screen just past the North Corel reactor

is there any application for this?

That's adorable. though all they would have to have done is leave in a trailing 00, but I mean it's an interesting lesson for programming overlooked side effects.

I got it to trigger on the avalanche screen with 95% consistency on my casual playthrough, it triggered immediately when i returned to the avalanche screen after the cutscene and was triggered like 1/20 times (the only time it didn't trigger after 1 try is right after a battle cancelled it on the avalanche screen). I got recordings :3

Might be nothing, but could it be related to the demos of the game that were released? The first reactor and Mt Nibel reactor areas were both areas used in demos of the game.
I guess that doesn't explain Bugenhagen's observatory though.

Weird, I wonder if they ever patched this glitch out. I attempted to recreate the glitch in the first place you mentioned. I took a SCUS-94163 version and formatted it to work on a jailbroken PSP. I attempted to do this about 3 different times on 2 different new games and I could never recreate this. What version of FF7 were you using?

I love this game so much.