Pikachu off-screen glitch: Difference between revisions

m (→‎Luckless setups: Fixed the link to the forum archives.)
(→‎Glitch text box activation and arbitrary code execution: Added the explanation from the talk page, and clarified that $D221 is arbitrary text commands and not yet arbitrary assembly code.)
 
==={{Anchor|Arbitrary code execution}}Glitch text box activation and arbitrary code execution===
<!--Much of this text is copied from ChickasaurusGL's video with permission, who (alias Torchickens) is one of the authors of this article https://www.youtube.com/watch?v=evdxp0UgunQ-->
By using the Pikachu off-screen glitch and making specific movements to force the non-existent sign 04 to appear at coordinates x=1, y=1 in the Vermilion City Fan Club, it is possible for the player to execute arbitrary text commands beginning from $D221 (the catch rate/held item of party Pokémon 5). By putting a 0x08 byte (the <code>text_asm</code> text command) either immediately at $D221 or after some "slide" text commands, the player can turn this into a full ACE exploit.
 
The steps to activate this glitch text box are:
# Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.
# Step right, then go to the top-left tile you can walk to, face right and press A.
 
{{Explanation|contents=
This method assumes that the player enters the Vermilion Fan Club through the Vermilion City.
* When the player is in the Vermilion City, the game loads all signs on the Vermilion City map. Each sign has both a coordinate (loaded into <code>wSignCoords</code>) and an associated text ID (loaded into <code>wSignTextIDs</code>)<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/ram/wram.asm#L2091-L2094 RAM layout for the variable <code>wNumSigns</code>, and the arrays <code>wSignCoords</code> and <code>wSignTextIDs</code>]</ref>. In particular, sign 04 in Vermilion City corresponds to text ID 11<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/data/maps/objects/VermilionCity.asm#L19 Definition of sign 04 in Vermilion City] (the text ID is the third number in <code>bg_event 12, 3, 11</code>)</ref>. Importantly, each map also has its own set of texts.
* When the player goes into the Vermilion Fan Club, since that map has no signs, <code>wNumSigns</code> is set to 0, but <code>wSignCoords</code> and <code>wSignTextIDs</code> keep their previous values because there are no values to overwrite them with.
* The movement pattern described above overwrites <code>wNumSigns</code> with 4, and the coordinate of sign 04 (in <code>wSignCoords</code>) with (1, 1), but leaves <code>wSignTextIDs</code> as is.
** More precisely, the overwriting is actually done in two "passes" and in the reverse order: First the player overwrites the coordinate of sign 04 with (1, 1) before stepping right (which puts Pikachu back on screen and ends the glitch), then the player steps left to put Pikachu off screen again and overwrites <code>wNumSigns</code> with 4. This is necessary because the layout of the map means that stepping right (writing 4) will always end the glitch.
After these steps, the game recognizes sign 04 at (1, 1), and reading it causes the game to try to display the text with ID 11 '''in Vermilion Fan Club''' (in text command mode, since that is the normal behavior for <code>DisplayTextID</code>). Vermilion Fan Club only has text IDs 1–6 defined<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L71-L77 Definitions of texts in the Vermilion Fan Club map]</ref>, so the pointer for text ID 11 is read from out of bounds of the pointer table, and happens to point to $D221<ref>This out-of-bounds text pointer falls in the first two bytes of [https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L84 this instruction]. <code>FanClubText1.yellowtext</code> is $16:53D2, so this instruction translates to "'''21 D2''' 53".</ref>. Therefore the game starts to execute text commands from $D221.
}}
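The two defects the explanation describes, stale sign arrays surviving a map change and a text-pointer lookup with no bounds check, can be modelled in a few lines. The following is an added example, not code from the game or from this article; apart from the cited <code>bg_event 12, 3, 11</code> entry and the "21 D2 53" encoding, every value in it is a constructed placeholder.

```python
# Added model of the glitch, not the game's code; all bytes and values other
# than those cited on the page are constructed placeholders.

def make_wram():
    """Model of wNumSigns, wSignCoords and wSignTextIDs (16 slots, constructed)."""
    return {"num_signs": 0, "coords": [(0, 0)] * 16, "text_ids": [0] * 16}

def load_map_signs(wram, signs):
    """Map load writes the count and only the entries the map has;
    a map with no signs leaves the previous map's arrays untouched."""
    wram["num_signs"] = len(signs)
    for i, (coord, text_id) in enumerate(signs):
        wram["coords"][i] = coord
        wram["text_ids"][i] = text_id

def sign_text_id_at(wram, x, y):
    """Sign lookup: only the first wNumSigns entries are considered."""
    for i in range(wram["num_signs"]):
        if wram["coords"][i] == (x, y):
            return wram["text_ids"][i]
    return None

# Constructed Fan Club text-pointer table: 6 little-endian pointers (IDs 1-6),
# 8 placeholder code bytes, then the cited `ld hl, FanClubText1.yellowtext`
# encoding "21 D2 53". Only those last three bytes are the page's real values.
FAN_CLUB_TEXT_TABLE = (
    bytes([0x00, 0x54, 0x10, 0x54, 0x20, 0x54, 0x30, 0x54, 0x40, 0x54, 0x50, 0x54])
    + bytes(8)
    + bytes([0x21, 0xD2, 0x53])
)

def text_pointer(table, text_id):
    """DisplayTextID-style lookup: 1-based ID, no check against the table length."""
    off = (text_id - 1) * 2
    return table[off] | (table[off + 1] << 8)

def reproduce_glitch():
    """Walk the sequence from the explanation; returns (text ID, text pointer)."""
    wram = make_wram()
    # Vermilion City: sign 04 is `bg_event 12, 3, 11`; the other three are constructed.
    load_map_signs(wram, [((5, 5), 1), ((6, 6), 2), ((7, 7), 3), ((12, 3), 11)])
    # Enter the Fan Club: no signs, so wNumSigns becomes 0 but the arrays stay stale.
    load_map_signs(wram, [])
    # Pikachu off-screen movement: coordinate of sign 04 -> (1, 1), then wNumSigns -> 4.
    wram["coords"][3] = (1, 1)
    wram["num_signs"] = 4
    text_id = sign_text_id_at(wram, 1, 1)  # 11, read from the stale wSignTextIDs
    return text_id, text_pointer(FAN_CLUB_TEXT_TABLE, text_id)  # (11, 0xD221)
```

Either clearing the sign arrays on every map load or rejecting text IDs beyond the map's table length would break the chain; the model shows that the stale ID 11 is only dangerous because the lookup indexes 20 bytes past a 12-byte table.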
 
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow. A video of the route by Dabomstew may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].