Pokémon Yellow C109 ID 0x0F arbitrary code execution: Difference between revisions

← Older edit

Pokémon Yellow C109 ID 0x0F arbitrary code execution (view source)

Revision as of 23:41, 24 May 2022

532 bytes added , 1 year ago

→‎Expanded party method

VisualWikitext

Anonymous user

glitchcitywiki>Evie (Torchickens)

Revision as of 22:34, 24 May 2022 (view source) glitchcitywiki>Evie (Torchickens) (→‎Expanded party method) ← Older edit		Latest revision as of 23:41, 24 May 2022 (view source) glitchcitywiki>Evie (Torchickens) (→‎Expanded party method)
(12 intermediate revisions by the same user not shown)
Line 20: ==Expanded party method== The exploit can also be done by swapping a Pokémon into Pokémon 91 in the [[expanded ~~inventory~~party]]. Typically, the swapped Pokémon's lower Defense byte would ~~determines~~determine E109 (Echo RAM of C109), ~~and its Trainer ID determines E0EF, E0F0 (C0EF and C0F0)~~ but in actuality there are complications such as the lower Defense being overwritten before the swap occurs. Practically, the following setup should work: Have the Pokémon to be swapped as Pokémon 2 and Pokémon 91. Have it underneath a [[GlitchDex/Y:255\|Q (0xFF)]] (in slot 1) to avoid a potential [[zero maximum HP glitch]] or display related freeze. Pokémon 2 must have a certain Trainer ID modulo 256 and the uppermost experience byte corresponding with a valid sound bank (02 02 ~~(Trainer ID 00514)~~, 08 08 ~~(Trainer ID 02056)~~, 1F 1F ~~(Trainer ID 07967)~~, 20 20 ~~(8224)~~, or a combination of banks (e.g. 02 1F)). For example, the (Trainer ID ~~0543)~~17666 and the experience 132045 (within Level 51 for stable Nidoran♀). 20 is not recommended due to side effects. This is to avoid a sound bank freeze. Pokémon 2 must be a Nidoran♀ (note only the first species byte counts and is the only one taken into consideration; so a Nidoran♀ hybrid from the [[Pokémon merge glitch]] is also applicable, but not a glitch that changed only the second species byte to Nidoran♀). Under unknown circumstances, Lg - may corrupt the player's coordinates; adding 0x33 to D360 (y coordinate), 0x80 to D361 (x coordinate), 0x33 to D362 (y coordinate block) and 0x80 to D363 (x coordinate block) and typically moving the player to no longer be adjacent to the entrance of Viridian Forest, but the player can work around that by setting the glitched coordinates in advance, such as FC, 90, CE, 80 with the [[expanded inventory]] (the swaps begin at item 34 quantity through to item 36's item; effectively TM01 x 252, [[ItemDex/Y:144\|p’é ₽ Enemy TRAINE (0x90)]] x 206 and [[ItemDex/Y:128\|₽ ₽ぅ 88 ₽ ぅ 4A (0x80)]] x(any) are to be swapped in those places (care should be taken not to merge the existing TM01 stack)). This example results in 2F, 10, 01, 00 (where the addition exceeds FF the result is modulo 0xFF (256)); the default coordinates after entering the door leading to Viridian Forest. ==Attribution== Torchickens/ChickasaurusGL (~~text~~documentation ~~from~~of ~~YouTube~~arbitrary ~~video~~code execution for 0x0F and steps) [https://archives.glitchcity.info/forums/board-115/thread-7930/page-1.html jfb1337 - Searches for jp hl in the disassembly projects, which lead to C109 arbitrary code execution as a concept, and its discovery] ==YouTube video== {{YouTube\|5aOVYyr3uTw\|ChickasaurusGL}} {{YouTube\|iJbW-wVEpzE\|ChickasaurusGL}} {{stub}} [[Category:Arbitrary code execution]]