
Pikachu off-screen glitch: Difference between revisions

→‎Glitch text box activation and arbitrary code execution: Added the explanation from the talk page, and clarified that $D221 is arbitrary text commands and not yet arbitrary assembly code.
>Torchickens
 
(16 intermediate revisions by 4 users not shown)
Line 1:
{{Summary page}}
<!--This article has large sections of text copied from ChickasaurusGL's video (the original author of this article) with permission https://www.youtube.com/watch?v=l7FBp1BOEM0 https://www.youtube.com/watch?v=eT8XfA3gUjg https://www.youtube.com/watch?v=vcfjsHsbAkE-->
'''Pikachu off-screen glitch''', also '''Pikawalk''', '''Pikachu's glitch''' ([https://www.youtube.com/watch?v=V3lmLZAAN4M]) refers to a number of [[natural glitch]]es in {{Y}}, in which the player walks around while Pikachu is off the screen and data is corrupted from D438 onward, with values based on the steps that the player made.
 
It also refers to glitches to put Pikachu off the screen from glitch items such as [[Rival's effect]] and [[ItemDex/Y:110|Lg-]] (hex:6E), or exploring a [[Glitch City]], which allow the player to perform the glitch anywhere easily.
Line 33:
 
5) Causing NPCs to move when they shouldn't.
 
====6) [[#Glitch text box activation and arbitrary code execution====|Achieve arbitrary code execution with a glitch text box.]]
 
Youtube Video:
 
{{Youtube|vcfjsHsbAkE|ChickasaurusGL}}
 
====Glitch text box activation and arbitrary code execution====
{{main|Arbitrary code execution#Via Pikachu off-screen glitch}}
By using the Pikachu off-screen glitch and making specific movements to force the non-existing sign 04 to appear at coordinates x=1, y=1 in the Vermilion City Fan Club, it is possible for the player to execute arbitrary code beginning from D221; the catch rate/held item of party Pokémon 5.
 
Outside of speedrunning, a Graveler with 08 c2 (2242) HP stat experience and 1d d3 (7635) Attack stat experience may be used as an applicable Pokémon 5.
 
To get these specific EVs, your Pokémon needs to have encountered the following Pokémon (and no more):
 
71 Krabby, 1 Farfetch'd, 1 Dugtrio, and 1 Magnemite.
 
(Thanks FMK for working out what Pokémon to battle).
 
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow using a different method. A video of the route by Dabomstew may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].
 
{{Youtube|evdxp0UgunQ|ChickasaurusGL}}
 
==Via glitch items==
Line 59 ⟶ 45:
*The glitch item Lg- (hex:6E) - makes Pikachu stay.
*The item 9F, hex:5E - makes Pikachu stay but may cause a Glitch City in some places. Thanks EstebanZD Glitcher.
*A Rival's effect (Jack effect) item, such as hex:94 - doesn't make Pikachu stay but can put him off the screen and desync him. Thanks luckytyphlosion.
 
Lg- is available through item underflow glitch and pPkMnp' ' (special 194)'s mutation of the fifth item when it's a Super Rod.
Line 134 ⟶ 120:
It is possible to battle level 255 Pokémon if you FF corrupt the roster/level with the Rival's item, somehow get Pikachu to re-appear by opening/closing the Pokémon menu after Pikachu is invisible, then start to walk around with Pikachu off the screen again just until corruption of a Trainer class (or Pokémon if less than C8) but not their roster (level).
{{Youtube|eT8XfA3gUjg|ChickasaurusGL}}
 
==={{Anchor|Arbitrary code execution}}Glitch text box activation and arbitrary code execution===
<!--Much of this text is copied from ChickasaurusGL's video with permission, who (alias Torchickens) is one of the authors of this article https://www.youtube.com/watch?v=evdxp0UgunQ-->
By using the Pikachu off-screen glitch and making specific movements to force the non-existing sign 04 to appear at coordinates x=1, y=1 in the Vermilion City Fan Club, it is possible for the player to execute arbitrary text commands beginning from $D221 (the catch rate/held item of party Pokémon 5). By putting a 0x08 byte (the <code>text_asm</code> text command) either immediately at $D221 or after some "slide" text commands, the player can turn this into a full ACE exploit.
 
The steps to activate this glitch text box are:
# Trigger the Clefairy event in the Vermilion Fan Club.
# Go to the bottom-left walkable tile (putting Pikachu off the screen), then walk up to the top and down to the bottom of the left-most column 11 times, but for the 11th time step one tile short on the final way back down.
# Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.
# Step right, then go to the top-left tile you can walk to, face right and press A.
 
{{Explanation|contents=
This method assumes that the player enters the Vermilion Fan Club through the Vermilion City.
* When the player is in the Vermilion City, the game loads all signs on the Vermilion City map. Each sign has both a coordinate (loaded into <code>wSignCoords</code>) and an associated text ID (loaded into <code>wSignTextIDs</code>)<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/ram/wram.asm#L2091-L2094 RAM layout for the variable <code>wNumSigns</code>, and the arrays <code>wSignCoords</code> and <code>wSignTextIDs</code>]</ref>. In particular, sign 04 in Vermilion City corresponds to text ID 11<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/data/maps/objects/VermilionCity.asm#L19 Definition of sign 04 in Vermilion City] (the text ID is the third number in <code>bg_event 12, 3, 11</code>)</ref>. Importantly, each map also has its own set of texts.
* When the player goes into the Vermilion Fan Club, since that map has no signs, <code>wNumSigns</code> is set to 0, but <code>wSignCoords</code> and <code>wSignTextIDs</code> keep their previous values because there are no values to overwrite them with.
* The movement pattern described above overwrites <code>wNumSigns</code> with 4, and the coordinate of sign 04 (in <code>wSignCoords</code>) with (1, 1), but leaves <code>wSignTextIDs</code> as is.
** More precisely, the overwriting is actually done in two "passes" and in the reverse order: First the player overwrites the coordinate of sign 04 with (1, 1) before stepping right (which puts Pikachu back on screen and ends the glitch), then the player steps left to put Pikachu off screen again and overwrites <code>wNumSigns</code> with 4. This is necessary because the layout of the map means that stepping right (writing 4) will always end the glitch.
After these steps, the game recognizes sign 04 at (1, 1), and reading it will cause the game to try to display the text with ID 11 '''in Vermilion Fan Club''' (in text command mode, since that is the normal behavior for <code>DisplayTextID</code>). Vermilion Fan Club only has text IDs 1–6 defined<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L71-L77 Definitions of texts in the Vermilion Fan Club map]</ref>, so the pointer to text ID 11 is out of bounds, and happens to point to $D221<ref>This out-of-bounds text pointer falls in the first two bytes of [https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L84 this instruction]. <code>FanClubText1.yellowtext</code> is $16:53D2, so this instruction translates to "'''21 D2''' 53".</ref>. Therefore the game starts to execute text commands from $D221.
}}
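
A simplified Python model of the explanation above, added here as an illustration (it is not code from the game or from this article's authors): stale sign arrays survive the map change, and the text-pointer lookup has no bounds check. Assumptions: all class and function names, the three placeholder signs, the placeholder pointer values and the 8 filler bytes are constructed; text IDs are treated as 1-based and table entries as 2-byte little-endian pointers.

```python
import struct

FAN_CLUB_TEXTS = 6  # the page: only text IDs 1-6 are defined on this map
# Constructed ROM slice: six placeholder pointers, 8 filler bytes (placeholder
# values), then the instruction bytes the page quotes: 21 D2 53.
ROM = struct.pack("<6H", *range(0x5000, 0x5006)) + bytes(8) + bytes.fromhex("21D253")

class Signs:
    """Model of wNumSigns / wSignCoords / wSignTextIDs."""
    def __init__(self):
        self.num, self.coords, self.text_ids = 0, [None] * 16, [0] * 16

    def load_map(self, signs, clear_stale=False):
        self.num = len(signs)            # the count is always rewritten
        if clear_stale:                  # hardened variant: wipe old entries
            self.coords, self.text_ids = [None] * 16, [0] * 16
        for i, (x, y, tid) in enumerate(signs):
            self.coords[i], self.text_ids[i] = (x, y), tid

    def text_id_at(self, pos):
        for i in range(self.num):        # only the first `num` signs are checked
            if self.coords[i] == pos:
                return self.text_ids[i]
        return None

def text_pointer(tid, checked=False):
    """Fetch the 16-bit little-endian pointer for a 1-based text ID."""
    if checked and not 1 <= tid <= FAN_CLUB_TEXTS:
        raise IndexError(f"text ID {tid} outside 1..{FAN_CLUB_TEXTS}")
    return struct.unpack_from("<H", ROM, (tid - 1) * 2)[0]

def run(clear_stale=False):
    s = Signs()
    # Vermilion City: sign 04 is (12, 3) -> text ID 11 (from the page);
    # the other three entries are constructed placeholders.
    s.load_map([(0, 0, 7), (0, 1, 8), (0, 2, 9), (12, 3, 11)])
    s.load_map([], clear_stale)          # enter the Fan Club: no signs
    s.coords[3] = (1, 1)                 # first corruption pass (from the page)
    s.num = 4                            # second corruption pass (from the page)
    return s.text_id_at((1, 1))

if __name__ == "__main__":
    tid = run()
    print(f"text ID {tid} -> pointer ${text_pointer(tid):04X}")
```

Either guard alone stops the chain in this model: wiping the stale arrays on map load leaves no text ID 11 to find, and range-checking the ID rejects the read past the six-entry table.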
 
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow using a different method. A video of the route by Dabomstew may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].
 
====Arbitrary code execution setups====
Multiple setups have been found to use this glitch text box for [[arbitrary code execution]]. To do arbitrary code execution, do one of the following setups with party Pokémon 5 and prepare the payload in the item pack, '''before''' doing the above steps to activate the glitch text box.
 
The below setups all jump to '''item 1''' in the pack.
 
=====Luckless setups=====
5 different setups to use for this trick have been made by Krys3000 and Torchickens/ChickasaurusGL [https://forums.glitchcity.info/index.php?topic=8063.0 in this thread]. They all execute code from item 3 in the pack, similarly to ws m or 4F setups.
 
# The 4 moves setup involves as 5th Pokémon in the party a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
# The 2 moves + HP/Box Level setup involves as 5th Pokémon a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have Double Kick (learned) as first move and Take Down (TM09) as second. Also, the 6th Pokémon can be anything but must have 24 HP currently and also have been lvl24 last time it was stored in the PC. This Pokémon requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
# The 4 moves + Glitch Pokémon setup involves as 5th Pokémon the glitch Pokémon [[GlitchDex/Y:206|PKMN pゥぁ ゥぇ (0xCE)]], that can be obtained via several glitches, such as [[Rival LOL glitch]] (no trading needed), equivalent trade or [[Time Capsule exploit]]. This Pokémon must have Ice Punch, DoubleSlap, Double Kick and BubbleBeam (all can be learned except Bubblebeam which is TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
# The Untrained Hitmonchan setup is also a tradeless/glitchless setup. 5th Pokémon would be Hitmonchan and this Pokémon must never have been trained, but must know Strength (HM), Agility, Fire Punch and Ice Punch (it requires raising it to lvl 38 with Rare Candies). This Pokémon must also have 00 PP currently at Strength, 24 at Agility, 14 at Fire Punch (Ice Punch doesn't matter). Also, 6th Pokémon can be anything but must be lvl25, requires currently 24 HP, 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also). The code can be broken at any time by Hitmonchan's IV. The best way is to reset the pick of Hitmonchan to make sure that yours works. For this setup to work, you must also check that when converted into hexadecimal, Hitmonchan's trainer ID won't trigger invalid opcodes or many-bytes opcodes.
# The underflow-based setup is described [https://archives.glitchcity.info/forums/board-115/thread-8063/page-1.html#msg206641 here].
 
A video of the Hitmonchan setup has been made by ChickasaurusGL:
{{youtube|bewkwWKf7qU|ChickasaurusGL}}
 
=====Luck-based setup=====
A Graveler with 08 c2 (2242) HP stat experience and 1d d3 (7635) Attack stat experience may be used as an applicable Pokémon 5, preferably a Graveler from Victory Road.
 
If you are using level 44 Graveler, make note that since you can't really predict its total exp. you may not be able to get your result dictated by items. However, saving before the last few Krabby to get different levels or keeping Rare Candies, saving before talking to the text box and using one if it didn't work last time may fix this.
 
To get these specific EVs, your Pokémon needs to have encountered the following Pokémon (and no more):
 
71 Krabby, 1 Farfetch'd, 1 Dugtrio, and 1 Magnemite.
 
(Thanks FMK for working out what Pokémon to battle).
 
====Example codes (all from item 1)====
Notice that since text box based ACE happens on a different code path than glitch item based ACE, item codes for the latter may not be immediately usable for the former. In particular, the game will try to continue to display text from hl, so to avoid complications, it is necessary to point hl somewhere near a 0x50 terminator.
 
=====Obtain 255 items=====
 
The following code gives you an [[expanded item pack]]. This allows you to do 20+ items related glitches and get more complicated item set ups if you have items like multiple X Special x1 spare.
 
*Protein x1
*Repel x1
*X Accuracy x28
*Lemonade x1
*Poké Ball x61
*Antidote x61
*Water Stone x37
*X Accuracy x97
*TM01 x1
 
Note: This code may be unstable.
 
=====Encounter a Pokémon=====
 
*Iron x37
*X Accuracy x88
*Lemonade x(species you want, 21=Mew)
*Water Stone x4
*Protein x4
*TM01 x1
 
{{Youtube|evdxp0UgunQ|ChickasaurusGL}}
[[Category:Generation I glitches]]
[[Category:Pokémon Yellow exclusive glitches]]
[[Category:Natural glitches]]