Map script arbitrary code execution

From Glitch City Wiki
Revision as of 16:59, 7 February 2019 by Sherkel (edit summary: "Now THIS is an awesome find! Let me know if there's any problem with this kind of proofreading.")

Map script arbitrary code execution is an arbitrary code execution method in Pokémon Red, Blue, and Yellow, requiring the expanded item pack.

Summary

Item 42's index number and item 42's quantity control wMapScriptPtr (D36E-F in Pokémon Red and Blue and D36D-E in Pokémon Yellow), with the index number of item 42 being the first (low) byte of a little-endian pointer. This address contains the pointer to the current map script (not to be confused with the meta-map script, which is not controlled by wMapScriptPtr).

This script is run continuously after the menu is closed. The address can be changed to one corresponding to a different item slot, such as Water Stone x211 (Thunderstone x211 in Yellow), to make the script pointer point to item 3 (D322 in Red and Blue, D321 in Yellow).

This is an efficient way of achieving arbitrary code execution, but the items in slot 42 will be wiped after leaving the map, so it may be a good idea to swap the original map script pointer back in before moving to a new map.
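Added worked example (not from the article): how an item slot's two bytes form the little-endian wMapScriptPtr value, and which bag slot a chosen pointer lands on. The wMapScriptPtr and item 3 addresses are the article's; the bag base (wBagItems, D31E in Red/Blue and D31D in Yellow) and the item indexes (Water Stone 0x22, Thunderstone 0x21) are assumed from the Generation I RAM and item maps, and the memory image is constructed.

```python
# Assumed (not stated on the page): address of item 1's index byte per version.
BAG_BASE = {"RB": 0xD31E, "Y": 0xD31D}
# From the article: location of wMapScriptPtr per version.
MAP_SCRIPT_PTR = {"RB": 0xD36E, "Y": 0xD36D}
# Assumed Generation I item indexes.
ITEM_ID = {"Water Stone": 0x22, "Thunderstone": 0x21}


def pointer_from_item(item_id, quantity):
    """Index byte is the low byte, quantity the high byte (little-endian)."""
    return item_id | (quantity << 8)


def item_for_target(target):
    """Inverse: which (index, quantity) pair stores a given 16-bit pointer."""
    return target & 0xFF, target >> 8


def slot_for_address(addr, version):
    """Map an address back to (slot number, 'id'|'quantity') in the expanded bag."""
    offset = addr - BAG_BASE[version]
    if offset < 0 or offset >= 2 * 255:
        return None  # outside the 255-slot expanded item list
    return offset // 2 + 1, "id" if offset % 2 == 0 else "quantity"


def read_map_script_ptr(mem, version):
    """Read the little-endian pointer the game will jump through."""
    lo = MAP_SCRIPT_PTR[version]
    return mem[lo] | (mem[lo + 1] << 8)


def demo(version, item_name, quantity):
    """Constructed memory: put the item in the slot that overlays wMapScriptPtr."""
    mem = {MAP_SCRIPT_PTR[version]: ITEM_ID[item_name],
           MAP_SCRIPT_PTR[version] + 1: quantity}
    target = read_map_script_ptr(mem, version)
    return target, slot_for_address(target, version)


if __name__ == "__main__":
    print(demo("RB", "Water Stone", 211))   # (0xD322, (3, 'id'))
    print(demo("Y", "Thunderstone", 211))   # (0xD321, (3, 'id'))
    # Using the Red/Blue item in Yellow lands on item 3's quantity byte instead,
    # which is why the article names a different item for Yellow.
    print(demo("Y", "Water Stone", 211))    # (0xD322, (3, 'quantity'))
```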

See also

  1. Expanded bag item documentation (Generation I)