Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary Code Execution Discussion

Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: metalmario32
Date: 2018-08-07 10:39:24
Glitch script 0x10 for Viridian City in Red/Blue executes code at FAC9 in Echo RAM (equivalent to DAC9 in WRAM) representing the least significant byte of the 2nd stored Pokémon's HP stat experience. If this is a fresh Pokémon, and the IVs and PP for the moves are "good" data, the code will fall through to DAD8, the 3rd stored Pokémon's second species byte. Placing an h POKé (among other options), which is obtainable via the Trainer escape glitch with a Special stat of 195, with 211 or 243 current HP will make the code jump to D300 or F300 (the own Pokédex entries for 73-80). If the data here is "good", we will fall through to D31D or F31D (number of items!). Could this be a possible setup? It only requires switching a Full Restore into PC item 94 (Viridian Forest's current script) and an expanded PC is easily available through Glitch City RAM Manipulation.

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: Torchickens
Date: 2018-08-07 14:07:38

> Glitch script 0x10 for Viridian City in Red/Blue executes code at FAC9 in Echo RAM (equivalent to DAC9 in WRAM) representing the least significant byte of the 2nd stored Pokémon's HP stat experience. If this is a fresh Pokémon, and the IVs and PP for the moves are "good" data, the code will fall through to DAD8, the 3rd stored Pokémon's second species byte. Placing an h POKé (among other options), which is obtainable via the Trainer escape glitch with a Special stat of 195, with 211 or 243 current HP will make the code jump to D300 or F300 (the own Pokédex entries for 73-80). If the data here is "good", we will fall through to D31D or F31D (number of items!). Could this be a possible setup? It only requires switching a Full Restore into PC item 94 (Viridian Forest's current script) and an expanded PC is easily available through Glitch City RAM Manipulation.

Sounds like you may be able to have a good setup with this, yes!

Getting an expanded PC to set up glitch meta-map scripts (I like to call them this to distinguish them from what is called the "level-script pointer" on the DataCrystal RAM map for Red/Blue) is also possible with dry underflow, by having at least three items in the PC including one of them x255.

I've collected information on glitch scripts on the meta script dex. Here you can find other arbitrary scripts, but I've stopped documenting the ones that execute arbitrary code as I don't use emulators anymore to be able to have a way to detect arbitrary code. If you have information on others feel free to add them if you like.

A better script may be Viridian City's script 0x11 which executes D361 (current y-position). In theory you could use the expanded items pack to corrupt your coordinates to represent a jump instruction to earlier in the items pack, or simply place your code there.

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: metalmario32
Date: 2018-08-07 16:05:19
With the 0x11 script method, however, you would have to switch your jump or code into D361 every time you left the map and came back. With script 0x10, you only have to swap 1 Full Restore into item 94 to run the code. The luck involved in this setup may be a detrimental factor, though.

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: Torchickens
Date: 2018-08-07 17:08:02

> With the 0x11 script method, however, you would have to switch your jump or code into D361 every time you left the map and came back. With script 0x10, you only have to swap 1 Full Restore into item 94 to run the code. The luck involved in this setup may be a detrimental factor, though.

Yeah, that's true. I think a good idea would be to set up code to set up a more reliable method, for instance you could redirect the 0x11 script to run another script earlier in the inventory that gives you 8F and a party set up, without having to get the bootstrap Pokémon (change D163 to 05 C3 22 D3 and D31E to 5D [which is 8F]).

Or you could use the 0x11 script to set up DAC9 to jp D322 first, then the 0x10 script which would be a reliable way to execute code without an arbitrary code item. On the other hand, you'd probably have to be careful not to access Viridian City if you don't have the right items or if there's something that has to be done once (e.g. if you changed D059 to 15 for Mew having the 0x10 script might cause you to encounter it non-stop until you black out).

Another thing you can do is simply change D36E (the aforementioned level-script pointer) in the expanded items pack because D36E-D36F can be represented by a single item stack. So for instance, this could be Water Stone x 211 (22 D3). Then regardless of your location D322 will be executed, which could contain code to do one of the aforementioned things (set up 8F or set up 0x10 script). Like 0x11 script you'd have to set this item every time you want to do it.

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: metalmario32
Date: 2018-08-08 08:14:21
By the way, I made a mistake on saying D5F4 (Viridian City's script) was item 94. It is actually item 93's quantity, which makes this setup even easier! Every time you leave the map (e.g. entering into the Viridian City Pokémon Center) you can simply toss item 93 until it is 16, set up your code with items, and then exit the center to execute your code!

Another question, what item stack does D36E-D36F represent in the expanded items pack? I would like to play around with it a bit. The set-ups you mentioned are quite good, but I still feel this is one of the easiest ACE methods in Red/Blue.

Edit: I also managed to find a similar script in Yellow. Glitch script 0x12 in Pallet Town executes FAAE in Echo RAM (equivalent to DAAE), which is equivalent to the most significant byte of the Special stat experience of stored Pokémon 1. Having this be a fresh Pokémon (preferably from Route 1 as they only know one move) and with "good" IVs and PP will make the code fall through to DAB6, stored Pokémon 2's species byte 2. If this Pokémon is a Z4 (hex:C3) with 211 or 243 current HP, the code jumps to D300 or F300, which will fall through to D31C or F31C with "good" Pokédex data.

Unfortunately, Pallet Town's script address (D5F4) points to PC item 92 and not a PC item quantity. This means you need several Hyper Potion x1 stored in the PC to execute your code every time you want to. In Yellow, also, the expanded PC is really only available through GCRM or through stable MissingNo. (e.g. level 80 Starmie double T-Fly or Special stat of 182-184).
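The byte arithmetic behind both the Red/Blue and Yellow setups in this thread, written out as an added example (this is not code from either poster): a 0xC3 species byte (h POKé in Red/Blue, Z4 in Yellow) is the SM83 `jp a16` opcode, and the two big-endian current-HP bytes that follow it are read as its little-endian operand, which is why 211 or 243 HP lands at D300 or F300. The same little-endian reading turns an item id plus quantity (Water Stone x211 = 22 D3) into the pointer D322. The addresses are the ones quoted in the thread; the 33-byte box Pokémon layout and the derived box bases (DA96 for Red/Blue, DA95 for Yellow) are my assumptions, and the function names are mine.

```python
"""Added example: byte-layout helpers for the Gen I ACE reasoning in this thread.
Addresses quoted from the thread; 33-byte box entry layout and box bases are
assumptions (standard Gen I box structure), checked against the thread's values."""

JP_OPCODE = 0xC3  # SM83 "jp a16": species 195 (h POKé in Red/Blue, Z4 in Yellow)

# Assumed field offsets inside one 33-byte stored (box) Pokémon entry.
BOX_FIELDS = {
    "species": 0, "hp": 1, "level": 3, "status": 4, "type1": 5, "type2": 6,
    "catch_rate": 7, "moves": 8, "ot_id": 12, "exp": 14,
    "hp_exp": 17, "atk_exp": 19, "def_exp": 21, "spd_exp": 23, "spc_exp": 25,
    "dvs": 27, "pp": 29,
}
BOX_MON_SIZE = 33

# Base of stored Pokémon 1, derived from the thread's addresses:
# Red/Blue: DAD8 is the 3rd mon's species; Yellow: DAB6 is the 2nd mon's species.
RB_BOX_BASE = 0xDAD8 - 2 * BOX_MON_SIZE       # 0xDA96 (assumed)
YELLOW_BOX_BASE = 0xDAB6 - 1 * BOX_MON_SIZE   # 0xDA95 (assumed)


def box_field_address(base, mon_index, field):
    """WRAM address of `field` in stored Pokémon number `mon_index` (1-based)."""
    return base + (mon_index - 1) * BOX_MON_SIZE + BOX_FIELDS[field]


def box_entry_prefix(species, current_hp):
    """Constructed first three bytes of a box entry: species, then HP big-endian."""
    return bytes([species, current_hp >> 8, current_hp & 0xFF])


def decode_jp(entry_bytes):
    """Read three bytes as an instruction; return the jp target if the first
    byte is the jp opcode (little-endian operand), else None."""
    op, lo, hi = entry_bytes[:3]
    return (hi << 8) | lo if op == JP_OPCODE else None


def jp_target_from_hp(current_hp):
    """Jump target produced by a 0xC3 species followed by `current_hp` (big-endian).
    The HP high byte becomes the target's low byte and vice versa."""
    if not 0 <= current_hp <= 0xFFFF:
        raise ValueError("HP must fit in 16 bits")
    return decode_jp(box_entry_prefix(JP_OPCODE, current_hp))


def hp_for_jp_target(target):
    """Inverse: the current HP that makes the species-0xC3 jump land at `target`.
    Only xx00 targets correspond to HP values below 256 (211 -> D300, 243 -> F300)."""
    return ((target & 0xFF) << 8) | (target >> 8)


def item_stack_for_pointer(address):
    """Two adjacent pack bytes are (item id, quantity); a little-endian pointer
    over them is id = low byte, quantity = high byte."""
    return address & 0xFF, address >> 8


def pointer_from_item_stack(item_id, quantity):
    """Pointer read from an item stack: D36E holds the low byte, D36F the high byte."""
    return item_id | (quantity << 8)


if __name__ == "__main__":
    print(hex(box_field_address(RB_BOX_BASE, 2, "hp_exp") + 1))   # 0xdac9
    print(hex(box_field_address(RB_BOX_BASE, 3, "species")))      # 0xdad8
    print(hex(jp_target_from_hp(211)), hex(jp_target_from_hp(243)))  # 0xd300 0xf300
    print(item_stack_for_pointer(0xD322))                          # (34, 211) = Water Stone x211
```

`box_field_address` reproduces the fall-through path described above: DAC9 is the low byte of stored Pokémon 2's HP stat exp and DAD8 is stored Pokémon 3's species in Red/Blue, while with the Yellow base DAAE is stored Pokémon 1's Special stat exp high byte and DAB6 is stored Pokémon 2's species. `hp_for_jp_target` also shows why only targets of the form xx00 are practical: anything else needs a current HP of 256 or more.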

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: Torchickens
Date: 2018-08-08 10:15:29

> Another question, what item stack does D36E-D36F represent in the expanded items pack? I would like to play around with it a bit. The set-ups you mentioned are quite good, but I still feel this is one of the easiest ACE methods in Red/Blue.

Just tested it on my copy of Pokémon Red and it's item 41 and item 41 quantity.

> In Yellow, also, the expanded PC is really only available through GCRM or through stable MissingNo. (e.g. level 80 Starmie double T-Fly or Special stat of 182-184)

SRAM glitch (255 Pokémon glitch) is also actually quite an underrated way to do it. If you catch a Pokémon you will get 51 Pokémon instead of 255, and depositing them all doesn't take too long. On certain versions their unterminated name can freeze the game, but you can work around this by finding a Pokémon in the expanded party with a terminated name somehow (I think when I did it on French Red this Pokémon was also an 'M (FF) meaning I could then continuously deposit Pokémon 1).

The expanded items pack will give you the required items to set up dry underflow in the PC, and you can set the Professor Oak's Lab script (item 91 quantity?) to 15 so you can get the Pokédex (or you could use ACE to get it).

Re: Possible luck-based ACE setup for Red/Blue using a glitch Viridian City script

Posted by: metalmario32
Date: 2018-08-08 17:41:37
On the topic of the Yellow script, do you think it would be more efficient than something like ws m, 4F, Sea Route 21 0x44 text box, etc.?