
Pikachu off-screen glitch: Difference between revisions

→ Glitch text box activation and arbitrary code execution: Added the explanation from the talk page, and clarified that $D221 is arbitrary text commands and not yet arbitrary assembly code.
Torchickens
 
(7 intermediate revisions by 3 users not shown)
Line 121:
{{Youtube|eT8XfA3gUjg|ChickasaurusGL}}
 
==={{Anchor|Arbitrary code execution}}Glitch text box activation and arbitrary code execution===
<!--Much of this text is copied from ChickasaurusGL's video with permission, who (alias Torchickens) is one of the authors of this article https://www.youtube.com/watch?v=evdxp0UgunQ-->
By using the Pikachu off-screen glitch and making specific movements to force the non-existent sign 04 to appear at coordinates x=1, y=1 in the Vermilion City Fan Club, it is possible for the player to execute arbitrary text commands beginning from $D221 (the catch rate/held item of party Pokémon 5). By putting a 0x08 byte (the <code>text_asm</code> text command) either immediately at $D221 or after some "slide" text commands, the player can turn this into a full ACE exploit.
 
The steps to activate this glitch text box are:
Line 130:
# Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.
# Step right, then go to the top-left tile you can walk to, face right and press A.
 
{{Explanation|contents=
This method assumes that the player enters the Vermilion Fan Club through the Vermilion City.
* When the player is in the Vermilion City, the game loads all signs on the Vermilion City map. Each sign has both a coordinate (loaded into <code>wSignCoords</code>) and an associated text ID (loaded into <code>wSignTextIDs</code>)<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/ram/wram.asm#L2091-L2094 RAM layout for the variable <code>wNumSigns</code>, and the arrays <code>wSignCoords</code> and <code>wSignTextIDs</code>]</ref>. In particular, sign 04 in Vermilion City corresponds to text ID 11<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/data/maps/objects/VermilionCity.asm#L19 Definition of sign 04 in Vermilion City] (the text ID is the third number in <code>bg_event 12, 3, 11</code>)</ref>. Importantly, each map also has its own set of texts.
* When the player goes into the Vermilion Fan Club, since that map has no signs, <code>wNumSigns</code> is set to 0, but <code>wSignCoords</code> and <code>wSignTextIDs</code> keep their previous values because there are no values to overwrite them with.
* The movement pattern described above overwrites <code>wNumSigns</code> with 4, and the coordinate of sign 04 (in <code>wSignCoords</code>) with (1, 1), but leaves <code>wSignTextIDs</code> as is.
** More precisely, the overwriting is actually done in two "passes" and in the reverse order: First the player overwrites the coordinate of sign 04 with (1, 1) before stepping right (which puts Pikachu back on screen and ends the glitch), then the player steps left to put Pikachu off screen again and overwrites <code>wNumSigns</code> with 4. This is necessary because the layout of the map means that stepping right (writing 4) will always end the glitch.
After these steps, the game recognizes sign 04 at (1, 1), and reading it will cause the game to try to display the text with ID 11 '''in Vermilion Fan Club''' (in text command mode, since that is the normal behavior for <code>DisplayTextID</code>). Vermilion Fan Club only has text IDs 1–6 defined<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L71-L77 Definitions of texts in the Vermilion Fan Club map]</ref>, so the pointer to text ID 11 is out of bounds, and happens to point to $D221<ref>This out-of-bounds text pointer falls in the first two bytes of [https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L84 this instruction]. <code>FanClubText1.yellowtext</code> is $16:53D2, so this instruction translates to "'''21 D2''' 53".</ref>. Therefore the game starts to execute text commands from $D221.
}}
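The following C program is an added illustration written for this article; it is not code from the wiki or from pokeyellow. It models the text-ID to text-pointer lookup described in the explanation above over a constructed fragment of the Fan Club map's ROM: six pointer slots for text IDs 1–6 (placeholder values), eight placeholder filler bytes, and then the bytes "21 D2 53" cited in the footnote, placed where text ID 11's slot lands. The 1-based, 2-bytes-per-entry arithmetic is an assumption taken from that footnote (ID 11 reading 20 bytes past a 6-entry table). Alongside the unchecked lookup it shows the bounds check the game lacks, and classifies where the resulting pointer lands.

```c
/* Added illustration for this article (not code from the wiki or from pokeyellow):
 * a model of the text-ID to text-pointer lookup, run against a constructed
 * fragment of the Vermilion Fan Club map's ROM. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The Fan Club map defines text IDs 1-6: six little-endian 16-bit pointers.
 * Assumption (from the footnote's arithmetic): IDs are 1-based and each slot is
 * 2 bytes, so ID 11 reads the two bytes at offset 20 from the table start. */
#define NUM_FAN_CLUB_TEXTS 6

/* Constructed image. The pointer values for IDs 1-6 and the 8 filler bytes are
 * placeholders; only "21 D2 53" (ld hl, $53D2, quoted by the page's footnote)
 * is placed where ID 11's slot falls. */
static const uint8_t fan_club_rom[] = {
    0x00, 0x50, 0x10, 0x50, 0x20, 0x50,              /* IDs 1-3: placeholder pointers */
    0x30, 0x50, 0x40, 0x50, 0x50, 0x50,              /* IDs 4-6: placeholder pointers */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* filler standing in for code  */
    0x21, 0xD2, 0x53,                                /* offset 20: ld hl, $53D2      */
};

/* Game Boy WRAM is $C000-$DFFF. A text pointer there means the "script" the
 * interpreter runs is read from RAM the player can shape (party Pokémon data). */
bool is_wram(uint16_t addr) {
    return addr >= 0xC000 && addr <= 0xDFFF;
}

/* The game's arithmetic with no range check: offset (id - 1) * 2, little-endian
 * read. In this model only IDs 1-11 stay inside the constructed image. */
uint16_t unchecked_text_pointer(const uint8_t *table, uint8_t text_id) {
    size_t off = (size_t)(text_id - 1) * 2;
    return (uint16_t)(table[off] | (table[off + 1] << 8));
}

/* The same lookup with the check the game lacks: the ID must name one of the
 * map's own texts. Returns false (and leaves *out untouched) otherwise. */
bool checked_text_pointer(const uint8_t *table, uint8_t num_texts,
                          uint8_t text_id, uint16_t *out) {
    if (text_id == 0 || text_id > num_texts) {
        return false;
    }
    *out = unchecked_text_pointer(table, text_id);
    return true;
}

int main(void) {
    for (uint8_t id = 1; id <= 11; id++) {
        uint16_t raw = unchecked_text_pointer(fan_club_rom, id);
        uint16_t safe = 0;
        bool ok = checked_text_pointer(fan_club_rom, NUM_FAN_CLUB_TEXTS, id, &safe);
        printf("text ID %2u: unchecked -> $%04X (%s), checked -> %s\n",
               (unsigned)id, (unsigned)raw,
               is_wram(raw) ? "WRAM, player-influenced" : "ROM",
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Run as-is, the loop prints IDs 1–6 as accepted ROM pointers and IDs 7–11 as rejected; the unchecked column for ID 11 reads $D221, inside WRAM. That is the whole mechanism in miniature: the text ID is never compared with the map's text count, so an out-of-range ID interprets whatever bytes follow the table as a pointer, and here those bytes point into memory whose contents the player controls.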
 
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow. A video of the route by Dabomstew may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].
Line 139 ⟶ 148:
 
=====Luckless setups=====
Five different setups to use for this trick have been made by Krys3000 and Torchickens/ChickasaurusGL [https://forums.glitchcity.info/index.php?topic=8063.0 in this thread]. They all execute code from item 3 in the pack, similarly to ws m or 4F setups.
 
# The 4 moves setup requires a Nidorina or Nidorino as the 5th Pokémon in the party. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11). The 6th Pokémon can be anything, but must currently have 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (also with 3 PP Ups used).
# The 2 moves + HP/Box Level setup requires a Nidorina or Nidorino as the 5th Pokémon. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have Double Kick (learned) as its first move and Take Down (TM09) as its second. The 6th Pokémon can be anything, but must currently have 24 HP and must have been level 24 the last time it was stored in the PC. This Pokémon must currently have 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (also with 3 PP Ups used).
# The 4 moves + Glitch Pokémon setup requires as the 5th Pokémon the glitch Pokémon [[GlitchDex/Y:206|PKMN pゥぁ ゥぇ (0xCE)]], which can be obtained via several glitches, such as [[Rival LOL glitch]] (no trading needed), equivalent trade or [[Time Capsule exploit]]. This Pokémon must have Ice Punch, DoubleSlap, Double Kick and BubbleBeam (all can be learned except Bubblebeam, which is TM11). The 6th Pokémon can be anything, but must currently have 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (also with 3 PP Ups used).
# The Untrained Hitmonchan setup is also a tradeless/glitchless setup. The 5th Pokémon is a Hitmonchan that must never have been trained, but must know Strength (HM), Agility, Fire Punch and Ice Punch (this requires raising it to level 38 with Rare Candies). It must also currently have 00 PP on Strength, 24 on Agility and 14 on Fire Punch (Ice Punch doesn't matter). The 6th Pokémon can be anything, but must be level 25 with 24 HP currently, 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (also with 3 PP Ups used). The code can be broken at any time by Hitmonchan's IVs; the best way is to reset the pick of Hitmonchan to make sure that yours works. For this setup to work, you must also check that, when converted to hexadecimal, Hitmonchan's trainer ID won't trigger invalid opcodes or multi-byte opcodes.
# The underflow-based setup is described [https://archives.glitchcity.info/forums/board-115/thread-8063/page-1.html#msg206641 here].
 
A video of the Hitmonchan setup has been made by ChickasaurusGL.