Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Easier way to perform the Pikachu Off-Screen ACE in Yellow - Page 2

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-08-31 13:15:59
Cool thanks!

That's interesting. :)

Wait a moment, I have an idea. Your Trainer ID can be manipulated from the expanded items pack by changing item 30's quantity and item 31, and then you could catch a Pokémon with a good catch rate with four moves and the Trainer ID of your choice.

If the second byte of the Trainer ID was a Safari Ball (08) e.g. from an x-coordinate of 08, it could probably set up the text box arbitrary code execution following it.

Following Trainer ID is the Pokémon's experience. The first byte could be a 00 (a nop), the second two bytes could be 18 38 (jr D263), where your sixth Pokémon with specific PPs would go (e.g. a Metapod evolved from Caterpie). Total experience is indeed stored as a normal three byte hexadecimal value, so the 001838 converts to 6200 total experience.

This does need the expanded items pack sadly, but then again the glitch Pokémon method to get the items for Rival LOL glitch probably does as well. Thinking about it I guess you can use a custom map script (D36D-D36E's pointer; which can be redirected to RAM) instead of POS or a glitch item for setting up your first arbitrary code execution as well.

Hopefully the game doesn't mind a 08 00 sequence.
Edit: 08 00 18 38 is fine, so this should indeed work provided the catch rate and moves are good.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-08-31 13:49:45
That's a very good plan! I did not think about it. This way, we can try to get the correct XP or even catch several Pokémon until finding one for which the moves, experience and IV are friendly, then it would nop until PPs that we can manipulate (learning 40 PP moves via TM would help).

The issue with expanded item pack in Yellow is mainly that it requires MissingNo., but there is still the possibility to use Glitch City RAM Manipulation.

Among all techniques, this one may be the less painful one :D

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Parzival
Date: 2017-09-01 09:23:33
This post got me thinking about whether or not there'd be a way to create a universal ACE setup. Which'd be cool.
…on-topic, I've got nothing to say but "That's awesome!".

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: camper
Date: 2017-09-02 05:43:53
Missingno. is safe the first time you encounter it, so you just have to make sure you capture it to get a x255 stack.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2017-09-02 05:58:34

Missingno. is safe the first time you encounter it, so you just have to make sure you capture it to get a x255 stack.


Yeah. This may assume you erased your previous save file with Up+Select+B (other times unstable MissingNo. may freeze the game even if it's the first encounter with it), but I remember doing that with Viridian Forest unstable MissingNo. to have it not freeze the game the first time the first time I set up the expanded items pack in the Virtual Console release. This also works on a physical cartridge.

However, if you don't want to do that or get a Special stat of 182, 183, 184 for fossil/ghost MissingNo. there are two other methods for Trainer-Fly:

1. Double Trainer-Fly from the Level 80 Starmie you get from interacting with the Cubone trade girl (found by a speedrunner based on Paco81's special Trainer-Fly yield finds, I'm afraid I can't remember the person who discovered this trick specifically)

2. Lost-Paisley's underflowed L100 Nidoqueen method

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2017-09-02 07:09:45
Related to Wacko's thread on international glitchdex, I think it's very interesting that in French games, MissingNo. freezes the game in R/B (via instant encounter) but not in Yellow, whereas in English games, you can get it in R/B but it's difficult in Yellow. That says a lot about the differences between localizations.

Fossil/Ghost MissingNo. is the better option, provided that you can Trainer-Fly. The existence of RAM Glitch City ensures that you can do it even without trainers if necessary.

I'll update the first post with this new possibility.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2018-08-21 05:00:13
Hey everyone,

Sorry for bumping, but I've been working on adapting this glitch to european non-english games, as it wasn't demonstrated before to my knowledge.
Basically it works the same way but the textbox starts at $D221, which in our case is not the catch rate but the 5th Pokémon's HP.

In that way, the 4 moves setup using Nidorina works fine but it doesn't require any trade, which makes it easier than in english games. Also there's a slight change in PP for the 6th Pokémon. Here it is:

- 5th Pokémon would be a Nidorina or Nidorino having only 8 remaining HP and no status. It is best if this Pokémon was never stored in the PC otherwise trouble can happen.
- This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11).
- The 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 38 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
- The code starts from item 3, so it is performed in a similar fashion than using 4F/wslm.

Of course, many more setups can be found for european games. Any normal Pokémon with 8 HP and no status would nop until moves.

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2018-08-21 10:15:39

Hey everyone,

Sorry for bumping, but I've been working on adapting this glitch to european non-english games, as it wasn't demonstrated before to my knowledge.
Basically it works the same way but the textbox starts at $D221, which in our case is not the catch rate but the 5th Pokémon's HP.

In that way, the 4 moves setup using Nidorina works fine but it doesn't require any trade, which makes it easier than in english games. Also there's a slight change in PP for the 6th Pokémon. Here it is:

- 5th Pokémon would be a Nidorina or Nidorino having only 8 remaining HP and no status. It is best if this Pokémon was never stored in the PC otherwise trouble can happen.
- This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11).
- The 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 38 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
- The code starts from item 3, so it is performed in a similar fashion than using 4F/wslm.

Of course, many more setups can be found for european games. Any normal Pokémon with 8 HP and no status would nop until moves.


This is great! Awesome find Krys3000. :) So this is another reasonable means of setting up ACE in non-English Yellow.

Is the PC set to $D221 in all non-English European versions or just one or more like the French version?

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Krys3000
Date: 2018-08-21 16:23:43
Thanks! I believe this will work the same in all European non-english games but I can't say for sure :)

Re: Easier way to perform the Pikachu Off-Screen ACE in Yellow

Posted by: Torchickens
Date: 2018-08-22 05:57:03

Thanks! I believe this will work the same in all European non-english games but I can't say for sure :)


You're welcome. OK cool! :)