Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.





Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 07:09:32
Hi folks,

Following my recent work on an easier Yellow ACE using the Day Care and the 4F item, I wanted to demonstrate that the not-so-well-known Pikachu Off-Screen ACE can be improved to avoid the ~75 Pokémon battles.

If you don't know about POS Code Execution, see this video from Torchickens.

Anyway, instead of using the trained Pokémon, I suggest we use one of the five following configurations:

4 moves configuration

- 5th Pokémon would be a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow.
- This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11).
- The 6th Pokémon can be anything but currently requires 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (with 3 PP Ups used as well).
- The code starts from item 3, so it is performed in a similar fashion to using 4F/wslm.


WRA1:D221 08 [cc execute]
WRA1:D222 2C inc l
WRA1:D223 9A sbc d
WRA1:D224 18 3D jr D263
WRA1:D263 C3 21 D3 jp D321


2 moves + HP/Box Level configuration

- 5th Pokémon would be a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow.
- This Pokémon must have Double Kick (learned) as first move and Take Down (TM09) as second.
- The 6th Pokémon can be anything but must have 24 HP currently and also have been lvl24 last time it was stored in the PC.
- This Pokémon currently requires 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (with 3 PP Ups used as well).
- The code starts from item 3, so it is performed in a similar fashion to using 4F/wslm.


WRA1:D221 08 [cc execute]
WRA1:D222 18 24 jr D248
WRA1:D248 00 nop
WRA1:D249 18 18 jr D263
WRA1:D263 C3 21 D3 jp D321


4 moves + Glitch Pokémon configuration

- 5th Pokémon would be the glitch Pokémon PKMN pぁ, which can be obtained via several glitches (although not the Ditto Trick - best is probably LOL Glitch), Equivalent Trade or Time Capsule Exploit.
- This Pokémon must have Ice Punch, DoubleSlap, Double Kick and BubbleBeam (all can be learned except Bubblebeam, which is TM11).
- The 6th Pokémon can be anything but currently requires 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (with 3 PP Ups used as well).
- The code starts from item 3, so it is performed in a similar fashion to using 4F/wslm.


WRA1:D221 2D [not read]
WRA1:D222 08 [cc execute]
WRA1:D223 03 inc bc
WRA1:D224 18 3D jr D263
WRA1:D263 C3 21 D3 jp D321


Untrained Hitmonchan configuration

Since all previous setups require trading or glitching, here is the only tradeless/glitchless/trainless setup, which will work most of the time.

- 5th Pokémon would be Hitmonchan
- This Pokémon must never have been trained, but must know Strength (HM), Agility, Fire Punch and Ice Punch. This requires raising it to lvl 38 with Rare Candies.
- This Pokémon must also have 00 PP currently at Strength, 24 at Agility, 14 at Fire Punch (Ice Punch doesn't matter)
- The 6th Pokémon can be anything but must be lvl25, and currently requires 24 HP, 3 PP on its first move (with 3 PP Ups used), 33 PP on the second move, and 19 PP on the third move (with 3 PP Ups used as well).
- The code starts from item 3, so it is performed in a similar fashion to using 4F/wslm.

The code can be broken at any time by Hitmonchan's IVs. The best way is to reset the pick of Hitmonchan to make sure that yours works. For this setup to work, you must check that, when converted into hexadecimal, Hitmonchan's trainer ID won't trigger invalid opcodes or multi-byte opcodes.


WRA1:D221 2D [not read]
WRA1:D222 46 [not read]
WRA1:D223 61 [not read]
WRA1:D224 07 [not read]
WRA1:D225 08 [cc execute]
WRA1:D226 ?? depends on the trainer ID
WRA1:D227 ?? depends on the trainer ID
WRA1:D228-D234 00 nop
WRA1:D235 ?? depends on Hitmonchan's IV
WRA1:D236 ?? depends on Hitmonchan's IV
WRA1:D237 00 nop
WRA1:D238 18 0E jr D248
WRA1:D248 18 19 jr D263
WRA1:D263 C3 21 D3 jp D321


Underflow-based configuration

For information about a way to use the expanded item pack for an easy setup, see here: http://forums.glitchcity.info/index.php?topic=8063.msg206641#msg206641

I wanted to adapt these to european non-english games, though the POS ACE does not seem to work in non-english games - or at least doesn't seem to read from $D221.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 07:14:46
Wow, this looks great! Thanks Krys3000. :D Nice to know this otherwise difficult glitch can be made easier.

May test this out soon.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 07:34:20
Thanks Torchickens! I look forward for your test, if you can do it :)

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 07:50:22
You're welcome. :)

Bad news though. :( I notice you don't have the 08 at D221. After testing the code it otherwise works perfectly (provided you change hl to a pointer that points to a 00 byte or 50 byte afterwards in your items code to avoid a bad text box). However the 08 is needed to tell the game to begin executing code after it because it is a text command (normal text boxes begin with 00, 80 executes code).

If you can trade however the following extra step can work. Trade the Nidorina to Generation II and give it a Moon Stone to hold (ID 08, don't use it though), trade it back to change the catch rate value to 08.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 08:09:58
Ah yes! I recall now, that's why I couldn't make it work recently.

I'll work on a workaround later. Also I need to see if this is an issue in non-english games.

Thanks a lot!

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 08:17:19
Pleasure! :)

Actually it seems from my video that the 08 can be some place after D221 (the game could read it after a text byte representing a cry), so it doesn't need to be at the beginning byte for D221 fortunately. Maybe you could use a Pokémon with Ice Punch (08).

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: ISSOtm
Date: 2017-08-30 08:43:46
Also these setups have the side effect of NOT working by `jp hl`, so some codes (such as the `dec hl \ dec [hl]` one to obtain a x0 stack) won't work (because hl doesn't point to D322)

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 08:58:40
I don't think Nidorinx learn Ice punch but yeah there is probably room for something, to avoid trading to a 2G game. I'll try everything I can think of later today!

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 11:51:44
Interestingly enough (although being not that useful) there are glitch Pokémon that meet all requirements: 4 4 (hex:BF) is one of them.

Its catch rate (hex:14) is a good placeholder since it does not print a 'bad' character, while it learns Ice Punch, Double Kick and Aurora Beam, allowing to jump to $D263.

However, since this last move is only learned at lvl 109 (I'm not sure it's possible then), a better solution would be PkMn pぁ (hex:CE) with Ice Punch, DoubleSlap, Double Kick and Bubblebeam (TM11).

I wonder if people will find it less annoying to use a glitch, catch a glitch Pokémon and then perform ACE, or to train a Graveler/normal Pokémon to do it  ;D

Still working on a glitchless/tradeless solution but it's not easy since no Pokémon knowing Ice Punch learns a move compatible with jumps.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 15:01:32
Ooh interesting!  Nice finds Krys3000. ;D

From personal experience Rival LOL glitch isn't too bad to set up once you get used to it, you can move the Ethers/x80 in your bag if they are in an unsuitable place, and I used it to get a stored Pokémon setup for ws m.

You could use that to get PkMn pぁ at a level over 100 and theoretically if it doesn't know Ice Punch, DoubleSlap, Double Kick level it beyond 255 until it learns them. It looks like the glitch Pokémon's IVs could potentially be a problem because Double Kick and Bubblebeam goes one byte forward less than Double Kick and Aurora Beam (rather than landing on its first PP byte), but it seems like it's faster than training the Graveler/normal Pokémon.

Perhaps there's a chance Rival LOL glitch could be modified to obtain the Pokémon at Level 101-108. Failing that maybe you could hybridize 4 4 (hex:BF) with a glitch Pokémon of a really fast experience curve to give it enough experience to level past Level 100, as the learnset is taken from the 'donor' byte (which would be 4 4) if I remember rightly. In fact that may even work with Chansey (4 4/Chansey hybrid) up to a few levels past 100 and you could use Rare Candies for it to go further and reach Level 109.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 15:58:50
Well, I didn't think about continuing to level up 4 4 until it learns Ice Punch and Double Kick (lvl 3 and 4 normally). That's nice  :D ! I think that you're right about LOL/Cooltrainer glitch to get it above 100, we should be able to do that. 4 4 is a Medium Fast Pokémon, so the idea of hybridization is also a good idea. IIRC Fast Pokémon hybrids can go up to 105 :)

Regarding PkMn pぁ , there is no lvl up problem since all moves can be learned before lvl 100, except for Bubblebeam which is a TM. The idea here would be to put DoubleSlap (or some other move) as second move, before Double Kick, so we can use BubbleBeam as fourth move (3D) for a relative jump to the same location as Aurora Beam as third move (3E) would do. It probably takes less time than preparing 4 4  :P

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 16:54:26

Well, I didn't think about continuing to level up 4 4 until it learns Ice Punch and Double Kick (lvl 3 and 4 normally). That's nice  :D ! I think that you're right about LOL/Cooltrainer glitch to get it above 100, we should be able to do that. 4 4 is a Medium Fast Pokémon, so the idea of hybridization is also a good idea. IIRC Fast Pokémon hybrids can go up to 105 :)

Regarding PkMn pぁ , there is no lvl up problem since all moves can be learned before lvl 100, except for Bubblebeam which is a TM. The idea here would be to put DoubleSlap (or some other move) as second move, before Double Kick, so we can use BubbleBeam as fourth move (3D) for a relative jump to the same location as Aurora Beam as third move (3E) would do. It probably takes less time than preparing 4 4  :P


I see, thanks! I looked at the code again and confirmed with BGB's debugger to make sure, the 18 3D at D224 indeed is a jump to D263 (PP move 1).

I notice one small error in your top post you might want to fix.



WRA1:D221 2C [not read]
WRA1:D222 08 [cc execute]
WRA1:D223 03 inc bc
WRA1:D224 18 3E jr D263
WRA1:D263 C3 21 D3 jp D321



The 3E byte should be 3D (Bubblebeam) as 3E is Aurora Beam.
Edit: I think PkMn p [CE]'s catch rate is 0x2D as well, according to my edit on the wiki page, which shouldn't be a problem as long as you address that it's a dec l in your inventory.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-30 16:57:31
Yep, typical copy/paste mistake. Fixed, thanks!

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-30 17:05:44

Yep, typical copy/paste mistake. Fixed, thanks!


You're welcome! :)

I successfully got this to work with a cheated PkMn pぁ (CE) with the right moves (and the catch rate was indeed 0x2D, not 0x2C so that may need changing in your post as well if you don't mind) in slot 5 and Metapod in slot 6 with the right PPs. This should work with a LOL glitch PkMn pぁ (CE) provided you obtain it with the catch rate unchanged from its default (I'm not actually sure if a memory address could get corrupted that changes the catch rate, but from experience with using the CascadeBadge to increase the catch rate of a Pokémon the game didn't keep the changed catch rate, so you probably catch it with the default catch rate).

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-31 09:13:10
Great that it works! I fixed the mistake.

Let's analyze the structure of a Pokémon in WRAM to discuss what we can manipulate, what we can at least see, and what we must pray for. Here's what we have:

- Catch rate is not an issue.
- Moves can be dealt with: it requires 4 moves to avoid hex:00 if you use the EV technique.
- Trainer ID is an issue you must pray for, but you can convert it to hexadecimal to check quickly if you're f*cked or not.
- Experience can be avoided with the experience underflow glitch in the EV technique. You can also just convert it to hexadecimal (or is it BCD?) to check if the Pokémon can be used. If not, you can just use another.
- EVs are used to execute, if you are ready to fight 74 Pokémon battles.

There may be a way to reduce the Pokémon battles, maybe by attempting to put hex:0508 HP EV but it wouldn't be much worth it.

Untrained hitmonchan configuration

A good theoretical Pokémon for a tradeless/glitchless technique would be an untrained Hitmonchan, raised from lvl30 to lvl38 with Rare Candies.
- Its catch rate is 2D.
- At this level it will know Comet Punch, Agility, Fire Punch and Ice Punch. Comet Punch has to be replaced with a TM/HM (Strength will do the job).
- Trainer ID is still an issue, although here you must not just avoid 00 and 08 but pretty much every invalid opcode.
- Experience is stable at 27000 (hex:6978) if untrained, and it's fine for your code.
- EVs will be 0 if untrained, noping the code until IVs.
- IVs cannot be controlled. Unfortunately you can't just catch plenty of them, so you'll have to test it and reset it if it's not working.
- 00 PP currently at first move, 24 at Agility, 14 at Fire Punch should push until Pokémon 6's HP (second byte) and then we may push to its PP.

If you haven't picked your Hitmonx yet, it could be an interesting alternative maybe.
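Added example (not from the thread, not Krys3000's or Torchickens' code): a small Python checker for the byte streams laid out in the opening post's configurations and in the WRAM-structure analysis just above. It serialises party slots 5 and 6 as 44-byte Gen I party structures, finds the 08 text command the way the thread describes (everything before it counted as "not read"), and then walks the CPU from the following byte with a minimal SM83 opcode-length table, reporting each instruction, every jr/jp target, and whether the chain ends in jp $D321. Running it shows the point the thread makes about the untrained Hitmonchan: the 4-move Nidorino configuration jumps away at $D224 before the trainer ID, exp, EVs and IVs are ever executed, whereas Hitmonchan's stream runs straight through $D226-$D236, so a trainer ID like 0x3039 (a conditional jr) or an IV byte like 0xD3 (an undefined opcode) breaks it, which is the hexadecimal check the opening post asks you to do by hand. Assumptions: the party base address $D16A and the 44-byte slot size (chosen because they reproduce every address quoted in the thread: catch rate at $D221, moves at $D222, OT ID at $D226, IVs at $D235, PP at $D237, slot 6's HP low byte at $D248, box level at $D249, move-1 PP at $D263), the move IDs as they appear in the listings, and the trainer IDs and IVs used in the demo, which are constructed values, not real captures. The text-engine model is deliberately simplified to the 08 command only.

```python
"""Trace the Pikachu Off-Screen ACE byte stream through party slots 5 and 6 (Pokemon Yellow).
Added example, not code from the thread. Assumed layout: the 44-byte Gen I party structure with
slot n (0-based) at 0xD16A + 44*n, which puts slot 5's catch rate at $D221, moves at $D222, OT ID
at $D226, exp at $D228, EVs at $D22B, IVs at $D235, PP at $D237, and slot 6's HP low byte at
$D248, box level at $D249 and move-1 PP at $D263, matching every address quoted in the thread."""
PARTY_BASE, SLOT_SIZE = 0xD16A, 44

# Move IDs as they appear in the thread's listings.
MOVE = dict(BITE=0x2C, FURY_SWIPES=0x9A, DOUBLE_KICK=0x18, BUBBLEBEAM=0x3D, ICE_PUNCH=0x08,
            DOUBLESLAP=0x03, STRENGTH=0x46, AGILITY=0x61, FIRE_PUNCH=0x07)

# SM83 opcode classes needed to walk the stream: operand sizes, undefined opcodes, and hazards.
LEN2 = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38,
        0xCB, 0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE, 0xE0, 0xF0, 0xE8, 0xF8}
LEN3 = {0x01, 0x11, 0x21, 0x31, 0x08, 0xC2, 0xC3, 0xCA, 0xD2, 0xDA, 0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xEA, 0xFA}
INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
HAZARD = {0x20, 0x28, 0x30, 0x38, 0xC2, 0xCA, 0xD2, 0xDA,   # conditional jr / jp: depend on flags
          0xC0, 0xC8, 0xD0, 0xD8, 0xC9, 0xD9, 0xE9,          # ret / reti / jp hl: leave the stream
          0xC4, 0xCC, 0xCD, 0xD4, 0xDC,                      # call
          0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF,    # rst
          0x76, 0x10}                                        # halt / stop


def pp_byte(current, pp_ups=0):
    return (pp_ups << 6) | current   # bits 6-7 = PP Ups used, bits 0-5 = current PP (3 PP + 3 Ups = C3)


def encode_slot(species=0, hp=0, box_level=0, status=0, types=(0, 0), catch_rate=0, moves=(0,) * 4,
                ot_id=0, exp=0, evs=(0,) * 5, ivs=(0, 0), pp=(0,) * 4, level=0):
    """Serialise one 44-byte party slot; max HP and stats stay zero (never executed here)."""
    b = bytes([species]) + hp.to_bytes(2, "big") + bytes([box_level, status, *types, catch_rate, *moves])
    b += ot_id.to_bytes(2, "big") + exp.to_bytes(3, "big") + b"".join(ev.to_bytes(2, "big") for ev in evs)
    return (b + bytes(ivs) + bytes(pp) + bytes([level])).ljust(SLOT_SIZE, b"\0")


def build_party(slots):
    """Map address -> byte for a {slot_index: encoded_slot} dict."""
    return {PARTY_BASE + SLOT_SIZE * n + i: byte for n, data in slots.items() for i, byte in enumerate(data)}


def trace(mem, text_start=0xD221, max_steps=64):
    """Find the 08 text command, then walk the CPU from the next byte; returns (path, verdict).
    Bytes before the 08 count as 'not read', as in the thread (a simplification of the text engine)."""
    pc = text_start
    while mem.get(pc) != 0x08:
        if pc not in mem:
            return [], "no 08 text command found"
        pc += 1
    pc, path = pc + 1, []
    for _ in range(max_steps):
        op = mem.get(pc)
        if op is None:
            return path, "ran off the party data at %04X" % pc
        size = 3 if op in LEN3 else 2 if op in LEN2 else 1
        raw = " ".join("%02X" % mem.get(pc + i, 0) for i in range(size))
        if op in INVALID:
            path.append("%04X %s invalid opcode" % (pc, raw))
            return path, "invalid opcode at %04X" % pc
        if op == 0x18:                                  # jr e: target = pc + 2 + signed e
            e = mem.get(pc + 1, 0)
            target = (pc + 2 + (e - 256 if e > 127 else e)) & 0xFFFF
            path.append("%04X %s jr %04X" % (pc, raw, target))
            pc = target
            continue
        if op == 0xC3:                                  # jp nn: the payload entry point
            target = mem.get(pc + 1, 0) | mem.get(pc + 2, 0) << 8
            path.append("%04X %s jp %04X" % (pc, raw, target))
            return path, "jp %04X" % target
        if op in HAZARD:
            path.append("%04X %s control-flow hazard" % (pc, raw))
            return path, "unpredictable control flow at %04X" % pc
        path.append("%04X %s" % (pc, raw))              # harmless 1-3 byte instruction, fall through
        pc += size
    return path, "step limit reached"


# Slot 6 as the thread specifies it: 24 HP, Lv25 when last boxed, PP bytes C3 / 21 / D3.
SLOT6 = encode_slot(hp=24, box_level=25, level=25, pp=(pp_byte(3, 3), pp_byte(33), pp_byte(19, 3), 0))


def nidorino_config():
    """4-move Nidorino with deliberately hostile OT ID and IVs: the jr at D224 never reaches them."""
    slot5 = encode_slot(catch_rate=0x08, ot_id=0x3039, ivs=(0xD3, 0xD3),
                        moves=(MOVE["BITE"], MOVE["FURY_SWIPES"], MOVE["DOUBLE_KICK"], MOVE["BUBBLEBEAM"]))
    return trace(build_party({4: slot5, 5: SLOT6}))


def hitmonchan_config(ot_id, ivs):
    """Untrained Lv38 Hitmonchan (exp 27000, EVs 0): its OT ID and IVs are executed, so check them."""
    slot5 = encode_slot(catch_rate=0x2D, exp=27000, ot_id=ot_id, ivs=ivs, pp=(0, 24, 14, 0),
                        moves=(MOVE["STRENGTH"], MOVE["AGILITY"], MOVE["FIRE_PUNCH"], MOVE["ICE_PUNCH"]))
    return trace(build_party({4: slot5, 5: SLOT6}))


if __name__ == "__main__":   # constructed trainer IDs / IVs for the demo, not real captures
    for ot_id, ivs in ((0x4F41, (0x99, 0x44)), (0x3039, (0x99, 0x44)), (0x4F41, (0xD3, 0x00))):
        path, verdict = hitmonchan_config(ot_id, ivs)
        print("OT %04X IVs %02X%02X -> %s" % (ot_id, ivs[0], ivs[1], verdict), *path, sep="\n    ")
```

To check your own Hitmonchan, pass its trainer ID and the two IV bytes to hitmonchan_config and look at the verdict and the printed path; the good case ends with "D238 18 0E jr D248", "D248 18 19 jr D263", "D263 C3 21 D3 jp D321", exactly the listing in the opening post. Anything other than a plain one-byte instruction between $D226 and $D237 is reported as the byte that breaks the chain, which is quicker than converting the ID by hand and eyeballing an opcode table. The checker only models control flow, not the side effects of the instructions it walks over (stores such as ld [hl],n could still corrupt memory), so a "jp D321" verdict is necessary, not sufficient.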