AreaDex/Y:254: Difference between revisions

#Go to one of the exit mat tiles in a place like a Pokémon Center, and swap the Master Ball x254 with item 36. Make sure it is the item '(glitchblock)x(glitchblock)(glitchblock)'. If it isn't, go to the other tile. This is important because trying to swap the Master Ball x254 with another Master Ball seemingly doesn't work.
#Go through the exit mat. If everything worked, the player will be taken to map FE and the game won't freeze.
 
 
===Data===
Map 0xFE has a map script or "level-script pointer" of DC0E by default, so adding a C9 there (or having the right data) will allow the player to enter the map. The game grabs 20:4F50 (00) to define D3AC as 00. Additionally, 20:4F51 (wMapBackgroundTile) defines D3AD (wNumberOfWarps) as 0xEC, resulting in a coincidental warp upon arriving at the map that allows the player to escape a sound bank freeze. If the warp did not exist, the game would attempt to use glitch sound bank 0x49 and freeze.
 
The map uses valid tileset 00, has various interesting wild Pokémon (see below), and NPCs can be seen walking down the screen on arrival if the warps were disabled.
 
Usually, however, a warp to map 0x99 takes the player away, and the Bicycle music plays instead for some reason.
 
The map has a size of 8x17 blocks (D367/8: 0x08 0x11). The "map's data" (D369-D36A) reads 1F 88. The text-script pointer table is at 0089. It has some specific map connection data (dump from D36F: CC 6E E6 DD DD B9 99 BB BB 67 63 6E 0E EC CC DD DC 99 9F BB B9 33 3E FF 4E 40 9E C7 09 14 F8 27 16 C7 FF 5D 42 B5 C7 09 23 F8 00 12 C7). Tileset bank: 0x19, pointer to blocks: 00 46 (4600), pointer to graphics: 00 40 (4000), pointer to collision data: C2 4A (4AC2), "talking over" tiles: FF FF FF, grass tile: 0x52.
 
Map 0xFE also causes a huge buffer overflow for D3AE (wWarpEntries), where data from 20:4F52-20:5300 (seems to be in the Pikachu's Beach minigame code) is copied to D3AE-D75D (a corruption of 943 bytes). Not all of this data will change after leaving map 0xFE. In particular, map 0xFE corrupts many [[Meta-map script activation|meta-map scripts]], causing many locations to freeze the game on entry, with no easy way to prevent the freezes without arbitrary code execution.
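
The overflow described above, modelled as an added example (not code from the game or its disassembly): a count byte read from the map header drives the copy into wWarpEntries with no bound, shown next to a loader that rejects an oversized count. The 4-byte entry size, the 32-entry capacity, the 0xAA filler bytes and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WRAM_BASE    0xC000u
#define WARP_ENTRIES 0xD3AEu /* wWarpEntries (address from the page) */
#define ENTRY_SIZE   4u      /* assumption: 4 bytes per warp entry */
#define MAX_WARPS    32u     /* assumption: buffer reserved for 32 entries */

static uint8_t wram[0x2000]; /* models work RAM C000-DFFF */

/* Constructed sample header: count byte followed by filler "entries". */
void make_header(uint8_t *hdr, uint8_t count) {
    hdr[0] = count;
    memset(hdr + 1, 0xAA, (size_t)count * ENTRY_SIZE);
}

/* Trusts the count byte. Returns the address of the last byte written (0 if none). */
uint16_t load_warps_unchecked(const uint8_t *hdr) {
    size_t n = (size_t)hdr[0] * ENTRY_SIZE;
    memcpy(&wram[WARP_ENTRIES - WRAM_BASE], hdr + 1, n);
    return n ? (uint16_t)(WARP_ENTRIES + n - 1) : 0;
}

/* Rejects a count that does not fit the reserved buffer. Returns 0 on success, -1 otherwise. */
int load_warps_checked(const uint8_t *hdr) {
    if (hdr[0] > MAX_WARPS) return -1;
    memcpy(&wram[WARP_ENTRIES - WRAM_BASE], hdr + 1, (size_t)hdr[0] * ENTRY_SIZE);
    return 0;
}

/* Reads a modelled WRAM byte by its Game Boy address. */
uint8_t peek(uint16_t addr) { return wram[addr - WRAM_BASE]; }

int main(void) {
    uint8_t hdr[1 + 255 * ENTRY_SIZE];
    make_header(hdr, 0xEC); /* count value from the page */
    printf("checked:   %d\n", load_warps_checked(hdr));
    printf("unchecked: last byte written at %04X\n", load_warps_unchecked(hdr));
    return 0;
}
```

With the count of 0xEC the unchecked loader's last write lands at D75D, the end of the corrupted range given above.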
 
==Exploring Map 0xFE with arbitrary code execution==