Anonymous user
Pikachu off-screen glitch: Difference between revisions
→Glitch text box activation and arbitrary code execution: Added the explanation from the talk page, and clarified that $D221 is arbitrary text commands and not yet arbitrary assembly code.
>Bbbbbbbbba (Moved ACE setups to the bottom of this page.)
(10 intermediate revisions by 3 users not shown)
Line 45:
*The glitch item Lg- (hex:6E) - makes Pikachu stay.
*The item 9F, hex:5E - makes Pikachu stay but may cause a Glitch City in some places. Thanks EstebanZD Glitcher.
*A Rival's effect (Jack effect) item, such as hex:94 - doesn't make Pikachu stay but can put him off the screen and desync him. Thanks
Lg- is available through the item underflow glitch and through pPkMnp' ' (special 194)'s mutation of the fifth item when it's a Super Rod.
Line 121:
{{Youtube|eT8XfA3gUjg|ChickasaurusGL}}
==={{Anchor|Arbitrary code execution}}Glitch text box activation and arbitrary code execution===
<!--Much of this text is copied from ChickasaurusGL's video with permission, who (alias Torchickens) is one of the authors of this article https://www.youtube.com/watch?v=evdxp0UgunQ-->
By using the Pikachu off-screen glitch and making specific movements to force the non-existing sign 04 to appear at coordinates x=1, y=1 in the Vermilion City Fan Club, it is possible for the player to execute arbitrary
The steps to activate this glitch text box are:
Line 130:
# Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.
# Step right, then go to the top-left tile you can walk to, face right and press A.
{{Explanation|contents=
This method assumes that the player enters the Vermilion Fan Club from Vermilion City.
* When the player is in Vermilion City, the game loads all signs on the Vermilion City map. Each sign has both a coordinate (loaded into <code>wSignCoords</code>) and an associated text ID (loaded into <code>wSignTextIDs</code>)<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/ram/wram.asm#L2091-L2094 RAM layout for the variable <code>wNumSigns</code>, and the arrays <code>wSignCoords</code> and <code>wSignTextIDs</code>]</ref>. In particular, sign 04 in Vermilion City corresponds to text ID 11<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/data/maps/objects/VermilionCity.asm#L19 Definition of sign 04 in Vermilion City] (the text ID is the third number in <code>bg_event 12, 3, 11</code>)</ref>. Importantly, each map also has its own set of texts.
* When the player goes into the Vermilion Fan Club, since that map has no signs, <code>wNumSigns</code> is set to 0, but <code>wSignCoords</code> and <code>wSignTextIDs</code> keep their previous values because there are no values to overwrite them with.
* The movement pattern described above overwrites <code>wNumSigns</code> with 4, and the coordinate of sign 04 (in <code>wSignCoords</code>) with (1, 1), but leaves <code>wSignTextIDs</code> as is.
** More precisely, the overwriting is actually done in two "passes" and in the reverse order: First the player overwrites the coordinate of sign 04 with (1, 1) before stepping right (which puts Pikachu back on screen and ends the glitch), then the player steps left to put Pikachu off screen again and overwrites <code>wNumSigns</code> with 4. This is necessary because the layout of the map means that stepping right (writing 4) will always end the glitch.
After these steps, the game recognizes sign 04 at (1, 1), and reading it will cause the game to try to display the text with ID 11 '''in Vermilion Fan Club''' (in text command mode, since that is the normal behavior for <code>DisplayTextID</code>). Vermilion Fan Club only has text IDs 1–6 defined<ref>[https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L71-L77 Definitions of texts in the Vermilion Fan Club map]</ref>, so the pointer to text ID 11 is out of bounds, and happens to point to $D221<ref>This out-of-bounds text pointer falls in the first two bytes of [https://github.com/pret/pokeyellow/blob/cf5a7f02113265edc9369841ec986af3f47b64b1/scripts/PokemonFanClub.asm#L84 this instruction]. <code>FanClubText1.yellowtext</code> is $16:53D2, so this instruction translates to "'''21 D2''' 53".</ref>. Therefore the game starts to execute text commands from $D221.
}}
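The mechanism explained above, modelled in C as an added example (this is not code from the game or from the pret disassembly). It assumes 1-based text IDs with 2-byte little-endian table entries and that sign 04 is the fourth array entry; only the bytes 21 D2 53, the six-entry table size, and sign 04's <code>bg_event 12, 3, 11</code> come from the page, and every other value is a constructed placeholder. Either clearing the stale entries on map load or bounds-checking the text ID stops the lookup from returning $D221.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SIGNS 16      /* capacity assumed for this model */
#define FAN_CLUB_TEXTS 6  /* page: the Fan Club defines text IDs 1-6 */

/* Constructed ROM: six text pointers, then code; only 21 D2 53 is from the page. */
static const uint8_t rom[] = {
    0x01,0x50, 0x02,0x50, 0x03,0x50, 0x04,0x50, 0x05,0x50, 0x06,0x50,
    0, 0, 0, 0, 0, 0, 0, 0,  /* placeholder bytes after the table */
    0x21, 0xD2, 0x53         /* instruction bytes quoted on the page */
};
struct signs {  /* models wNumSigns, wSignCoords, wSignTextIDs */
    uint8_t num, x[MAX_SIGNS], y[MAX_SIGNS], text_id[MAX_SIGNS];
};

/* Map load: the count is always set, entries only when the map has signs. */
static void load_signs(struct signs *s, uint8_t n, const uint8_t *x,
                       const uint8_t *y, const uint8_t *id, int wipe_stale) {
    if (wipe_stale) memset(s, 0, sizeof *s);  /* hardened variant */
    s->num = n;
    for (uint8_t i = 0; i < n; i++) {
        s->x[i] = x[i]; s->y[i] = y[i]; s->text_id[i] = id[i];
    }
}

/* Text ID of the sign at (x, y), or 0 when no sign is there. */
static uint8_t sign_text_id(const struct signs *s, uint8_t x, uint8_t y) {
    for (uint8_t i = 0; i < s->num && i < MAX_SIGNS; i++)
        if (s->x[i] == x && s->y[i] == y) return s->text_id[i];
    return 0;
}

/* Table lookup. check == 0 indexes past the table as in the glitch;
 * a return value of 0 means the ID was rejected. */
static uint16_t text_pointer(uint8_t id, int check) {
    if (id == 0 || (check && id > FAN_CLUB_TEXTS)) return 0;
    size_t off = (size_t)(id - 1) * 2;
    if (off + 1 >= sizeof rom) return 0;  /* keep the model itself in bounds */
    return (uint16_t)(rom[off] | (rom[off + 1] << 8));
}

/* Replays the page's sequence; signs 01-03 are constructed sample data. */
uint16_t replay(int wipe_stale, int check) {
    static const uint8_t vx[] = {27, 37, 5, 12}, vy[] = {3, 3, 13, 3}, vid[] = {8, 9, 10, 11};
    struct signs s = {0};
    load_signs(&s, 4, vx, vy, vid, wipe_stale);       /* Vermilion City */
    load_signs(&s, 0, NULL, NULL, NULL, wipe_stale);  /* Fan Club: no signs */
    s.x[3] = 1; s.y[3] = 1; s.num = 4;                /* the two overwrites */
    return text_pointer(sign_text_id(&s, 1, 1), check);
}
int main(void) { return replay(0, 0) == 0xD221 ? 0 : 1; }
```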
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow. A video of the route by Dabomstew may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].
Line 139 ⟶ 148:
=====Luckless setups=====
5 different setups to use for this trick have been made by Krys3000 and Torchickens/ChickasaurusGL [
# The 4 moves setup requires a Nidorina or Nidorino as the 5th Pokémon in the party. It must have been traded to G/S/C, given a Moon Stone to hold there, and then traded back to Yellow. This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11). The 6th Pokémon can be anything, but it must currently have 3 PP on its first move (with 3 PP Up used), 33 PP on its second move, and 19 PP on its third move (also with 3 PP Up used).
# The 2 moves + HP/Box Level setup requires a Nidorina or Nidorino as the 5th Pokémon. It must have been traded to G/S/C, given a Moon Stone to hold there, and then traded back to Yellow. This Pokémon must have Double Kick (learned) as its first move and Take Down (TM09) as its second. The 6th Pokémon can be anything, but it must currently have 24 HP and have been at level 24 the last time it was stored in the PC. It must also currently have 3 PP on its first move (with 3 PP Up used), 33 PP on its second move, and 19 PP on its third move (also with 3 PP Up used).
# The 4 moves + Glitch Pokémon setup involves as 5th Pokémon the glitch Pokémon [[GlitchDex/Y:206|PKMN pゥぁ ゥぇ (0xCE)]], that can be obtained via several glitches,
# The Untrained Hitmonchan setup is
# The underflow-based setup is described [
A video of the Hitmonchan setup has been made by ChickasaurusGL