Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Krys3000
Date: 2018-09-03 16:06:28
…or a 4F/ws m ACE without 4F/ws m.

Hello everyone,

Glitch Meta-map Script ACE is a rather poorly documented ACE method in Pokémon Red, Blue and Yellow, which relies on using either the Trainer Escape Glitch or the Item Underflow Glitch in the PC (or any other ACE method) to change the value of the address controlling the script for a given map.

Indeed, some (all?) of these addresses can be changed directly by changing the nature or the quantity of the right item beyond the 50th slot using PC underflow.
But, as you probably all know, when performing the Trainer Escape Glitch, we change the escaped trainer's map script to 01 and change it back to 00 when coming back after facing a Pokémon and flashing the start menu (whose textbox ID on every map is 00). And, if we read a textbox other than the start menu before getting back to the escaped trainer's map, we can give the script address a value other than 00 - the one matching the given textbox ID.

While working a bit on Glitch Metamap Script ACE I noticed that Glitch Script 0x12 of Celadon Corner in Yellow executes code in both English and French games at $FA4C, an Echo RAM copy of $DA4C. This is the fifth character of the last Daycare Pokémon's name in English games (and the Safari Ball count in French games, which could be NOPed, along with the following address controlling the presence of a Pokémon in the Daycare, to reach the first character of that name).

Of course, I couldn't help thinking about luckytyphlosion's extensive work on gm- glitch item ACE, which I believe could be adapted to this. Executing code would not require gm-, just entering the Corner!

As a proof of concept I have performed a setup that could be used as well (of course, it should also work with gm- in R/B, provided that we adapt the jump), derived from the setup I invented for glitch item ACE using 4F. Note that, similarly to 4F ACE, if your Daycare has never been used, you can use a 10/11-Stored Pokémon ws m setup and it will work with this method.

- If playing French games, make sure that during your last visit to the Safari Zone you ran out of time or of Balls.
- Place at the Daycare an un-nicknamed Abra at lvl 80 with currently 24 HP. The O.T. of this Pokémon must be compatible with ACE (e.g.: AAAAAAA)
- If playing French games, take back that Pokémon. You can also do it if playing English games.
- Have in PC Slot 1 a Pokémon with 33 PP currently on first move, 33 PP currently on second move (38 if playing French games), 19 PP currently on third move (3 PP Up used) and no fourth move or no PP on it.
- Have in PC Slot 2 Clefairy, Male Nidoran or Spearow (or another Abra) with currently 233 HP.

This jumps to $D321 (English) or $D326 (French), which is item 3 of the pack. Enter the Corner to execute the code.

This stays theoretical. It seems impossible to Trainer Escape the Rocket in Celadon Corner (except with a glitch item, maybe; Evie may know more about this), and I don't know if $D65E, which is the address for the Corner's script, is accessible through the underflow in the PC. If not, then this ACE method would be limited exclusively to using another ACE method to set up the script!

If any of you has some time to work on this, don't hesitate to do it :)

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Torchickens
Date: 2018-09-04 07:18:06
This sounds really interesting. Awesome find Krys3000. :) Unfortunately I'm not sure if this will work for reasons below without another arbitrary code execution (or connection copier which is like ACE and debatably is), so we may have to settle for an earlier meta-map script.


Quote from: Krys3000
This stays theoretical. It seems impossible to Trainer Escape the Rocket in Celadon Corner (except with a glitch item, maybe; Evie may know more about this), and I don't know if $D65E, which is the address for the Corner's script, is accessible through the underflow in the PC. If not, then this ACE method would be limited exclusively to using another ACE method to set up the script!


I think from what has been found unfortunately you can only escape from long-range Trainers, otherwise Trainers who spot you with the help of a Rival's effect item. I feel it may not be out of the question though with the complexity of glitch items and it would be cool to be able to do something like that.

This is the method I use to find the item.

First assume:

D53A (number of items) + (x) + (x-1)

Then take D65E (desired address), subtract D53A in Windows Calculator (programmer mode) and divide by two to get 0x92.

Now assume 0x92 to be x:

D53A + 92 + 91
=D65D

This way we find that D65D is item 0x92 (which is item 146), so because quantities follow items, D65E is the quantity of item 146.

However it seems sadly it may still be impossible due to it being an item beyond slot 127. I remember Dabomstew telling me regarding the usual expanded items pack that items 128-255 are regarded by the game as earlier items in the pack (unsure of the specifics but they appear and function as if they were something such as -128 of the original or item 0-127. I've confirmed many items past slot 127 are repeats but it confuses me because I don't know what item 0 would be.). It may be then that the expanded PC covers the same rule.

I hope you succeed in finding a working meta-map script method!
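The slot arithmetic above, as an added worked example (not code from the thread or from Glitch City Laboratories): it maps a RAM address to the item-list slot and field that stores it and back, using the layout Torchickens describes, a count byte followed by one (item ID, quantity) pair per slot, so slot n has its ID at count + 2n - 1 and its quantity at count + 2n. The $D53A stored-item count is the thread's Yellow address; any other base (Red/Blue, or the five-byte French shift the thread shows with $D321 versus $D326) is an assumption to be passed in explicitly. The slot-127 caveat is the one Dabomstew's observation raises in the reply.

```python
# Added example (not from the thread): map a RAM address to the Gen 1 item-list
# slot that stores it, and back. Layout assumed from the thread: a count byte,
# then one (item ID, quantity) byte pair per slot, so slot n (1-based) has its
# ID at count + 2n - 1 and its quantity at count + 2n.

PC_ITEM_COUNT_ADDR = 0xD53A   # stored-item count in Yellow, as given in the thread
LAST_DISTINCT_SLOT = 127      # thread: slots 128-255 behave like earlier slots


def slot_for_address(addr, count_addr=PC_ITEM_COUNT_ADDR):
    """Return (slot, field) for a byte inside an item list; field is 'id' or 'quantity'."""
    offset = addr - count_addr
    if offset < 1:
        raise ValueError(f"${addr:04X} is not inside the list starting at ${count_addr:04X}")
    slot = (offset + 1) // 2
    field = "id" if offset % 2 else "quantity"
    return slot, field


def address_for_slot(slot, field="id", count_addr=PC_ITEM_COUNT_ADDR):
    """Inverse of slot_for_address: the address of a slot's ID or quantity byte."""
    if slot < 1 or field not in ("id", "quantity"):
        raise ValueError("slot is 1-based and field must be 'id' or 'quantity'")
    id_addr = count_addr + 2 * slot - 1
    return id_addr if field == "id" else id_addr + 1


def reachable_by_underflow(addr, count_addr=PC_ITEM_COUNT_ADDR):
    """True when the byte sits in a slot the expanded list can address distinctly.

    The thread reports that slots past 127 repeat earlier slots, which is the
    reason $D65E (item 146's quantity) cannot be set from the expanded PC.
    """
    slot, _ = slot_for_address(addr, count_addr)
    return slot <= LAST_DISTINCT_SLOT


def describe(addr, count_addr=PC_ITEM_COUNT_ADDR):
    """Human-readable form of slot_for_address, flagging unreachable slots."""
    slot, field = slot_for_address(addr, count_addr)
    tag = "" if reachable_by_underflow(addr, count_addr) else " (beyond slot 127)"
    return f"${addr:04X} = {field} of item {slot} (0x{slot:02X}){tag}"


if __name__ == "__main__":
    # The thread's own case: the Celadon Corner script byte.
    print(describe(0xD65E))   # $D65E = quantity of item 146 (0x92) (beyond slot 127)
    # Krys3000's Pallet Town script byte, with the same base.
    print(describe(0xD5F0))
    # Round trip: item 0x92's ID byte is $D65D, the address the reply derives.
    print(f"${address_for_slot(0x92):04X}")
```

With the $D53A base the same arithmetic places $D5F0 at item 91's quantity rather than at the ID of "stored PC item 92" mentioned later in the thread, so before relying on a slot number confirm the count address of the exact version in play; the thread itself quotes both Red/Blue-style and Yellow addresses (22D3 for item 3 in one post, $D321 in another).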

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Krys3000
Date: 2018-09-04 08:32:08
Ok Evie, thanks!

Apparently yes, it seems that this item cannot be reached in the Expanded PC. If we want this method to replace the necessity for a glitch item, we could be using Pikachu Off-Screen ACE to setup $D65E to 12. This way, there would be no need for a glitch item nor performing the annoying Pikachu Off-Screen process to execute code: entering the corner would do the job. I will work more on this soon if possible :)

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Torchickens
Date: 2018-09-04 08:49:17

Quote from: Krys3000
Ok Evie, thanks!

Apparently yes, it seems that this item cannot be reached in the Expanded PC. If we want this method to replace the necessity for a glitch item, we could be using Pikachu Off-Screen ACE to setup $D65E to 12. This way, there would be no need for a glitch item nor performing the annoying Pikachu Off-Screen process to execute code: entering the corner would do the job. I will work more on this soon if possible :)


You're welcome. That's true. OK, good luck and have fun! :)

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Krys3000
Date: 2018-09-04 16:02:09
According to your method, Pallet Town script, $D5F0, can be manipulated from the expanded PC. Pallet Town Glitch Script 0x13 executes code from current player x-position ($D361) which also can be manipulated from an expanded pack.

This of course is rather hard to use routinely, but do you think that, similarly to what you said about the Viridian Glitch Script 0x11, it is possible to put code at this position that would change the Celadon Corner's script to 0x12 and execute it, then go on with the Corner ACE?

Thanks :)

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Torchickens
Date: 2018-09-04 16:38:10

Quote from: Krys3000
According to your method, Pallet Town script, $D5F0, can be manipulated from the expanded PC. Pallet Town Glitch Script 0x13 executes code from current player x-position ($D361) which also can be manipulated from an expanded pack.

This of course is rather hard to use routinely, but do you think that, similarly to what you said about the Viridian Glitch Script 0x11, it is possible to put code at this position that would change the Celadon Corner's script to 0x12 and execute it, then go on with the Corner ACE?

Thanks :)


Yes. That's right. :) According to my description on my old dry underflow video, this is the item ID of stored PC item 92, and 0x13 is a Super Potion, which is reasonable and can easily go in that slot (with some good counting).

I'm unsure, however, whether there are safe normal initial Pallet Town x-coordinates (and data that follows) which will not freeze the game.

If this is not the case however, perhaps changing D35D (item 32 quantity) to 0x00, setting up the desired x-position/y-block (ideally a relative jump back to 21 D3) and using 9F to refresh the map is possible. At D321 would be your code to set up the Game Corner script (or whichever ACE method you like).

This as bytes would be 18 BE. D361 is item 34's quantity and D362 is item 35. Hence item 34 should be any item x24 (hex:18) and the glitch item # ...# (hex:BE) in slot 35. If this is possible, it may actually be simpler than a method involving entering Pallet Town normally. The only other potential problem is if D36D ("level-script pointer" map script, which I wrote about in an earlier thread) is an address in the range of 4000-7FFF and you are switching to a map which is from another bank (as listed here), so to be safe it may be that only certain maps should be used with the 9F method, such as Viridian City (bank 6; the same as Pallet Town), however not all old D36D-D36E values would freeze the game.

Hope this helps for now! It's late and unfortunately I don't have time to experiment with this with you sorry, but I can try to verify the 9F method tomorrow with you if you like.

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Krys3000
Date: 2018-09-15 17:10:08
Sorry for the delay in getting back to this. I was busy these days ;D

So, I actually wrote a setup for it that uses the connection copier, which in my opinion is indeed an underrated sub-glitch of the item underflow, to copy 12 to $D65E. With these items, and once saved and reset, the game can execute code from item 3 as long as you have the right setup, every time you enter the Game Corner.

Item 1 ($D31D) = Hyper Potion ($12)
Item 37 quantity ($D367) = 127 ($7F)
Item 38 quantity ($D369) = 250 ($FA)
Item 43 ($D372) = Escape Rope ($1D)
Item 43 quantity ($D373) = 211 ($D3)
Item 44 ($D374) = 9F ($5E)
Item 44 quantity ($D375) = 214 ($D6)
Item 45 ($D376) = Master Ball ($01)
Item 45 quantity ($D377) = 0 ($00)

However, it still needs a glitch item (9F). If one has a series of 6 still-unused slots in the regular bag (meaning 12 bytes with a value of 00), they could place the Hyper Potion right after them and use connection copying to move the 13 bytes from $D652 to $D65E. This way, we avoid the glitch item because $52 is Elixer, but it would require adapting Item 43 to point to this data block (Super Repel if the blank spots are Items 14 to 19).

Re: Celadon Corner Glitch Metamap Script ACE could be used as a "Yellow gm- ACE"

Posted by: Torchickens
Date: 2018-09-15 17:59:47
Nice!

Actually it seems Connection Copier could be a convenient way to bootstrap 4F for you.

If you place in an item quantity slot: Item x195, followed by Water Stone x211, (or jp 22D3) and then copy that data to FA65 (or FA64 for Yellow) (in Day Care), you can set up 4F ACE easily, for any item 3 configuration (including reusable RAM writer). This may be quicker than the D36E/reusable RAM writer method I put together earlier.
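The two jump stubs the thread writes by hand, Torchickens' 18 BE over $D361-$D362 and the item x195 / Water Stone x211 form of jp 22D3 above, as one added worked example (not code from the thread or from Glitch City Laboratories). It encodes an SM83 jr or jp to a target and lays the bytes out as the bag slot and field (ID or quantity) that would hold each one, which is the translation the thread does when it says "item 34 should be any item x24 (hex:18)". Assumptions: the bag is a count byte followed by (ID, quantity) pairs; the count is taken at $D31D, the base that reproduces "D361 is item 34's quantity", while Krys3000's later list numbers Item 1 from $D31D, so pass count_addr explicitly for the convention you follow; item names are only those the thread itself gives for these IDs; the $FF list-terminator check is a Gen 1 fact not stated on the page.

```python
# Added example (not from the thread): encode a short SM83 jump and map its
# bytes onto bag-item ID/quantity slots, reproducing the two stubs the thread
# gives by hand (jr 18 BE at $D361, and jp $D322 as item x195 + Water Stone x211).

BAG_COUNT_ADDR = 0xD31D   # assumption: base that makes $D361 item 34's quantity

ITEM_NAMES = {            # IDs and names as the thread uses them
    0x01: "Master Ball", 0x12: "Hyper Potion", 0x13: "Super Potion",
    0x1D: "Escape Rope", 0x22: "Water Stone", 0x52: "Elixer",
    0x5E: "9F (glitch item)",
}
LIST_TERMINATOR = 0xFF    # Gen 1 item lists end at the first $FF ID byte


def jr_displacement(jr_addr, target):
    """Signed displacement for a 2-byte 'jr' at jr_addr: counted from jr_addr + 2."""
    return target - (jr_addr + 2)


def in_jr_range(jr_addr, target):
    """jr reaches only -128..+127 bytes from the instruction after it."""
    return -128 <= jr_displacement(jr_addr, target) <= 127


def jr_to(jr_addr, target):
    """Opcode 0x18 plus the displacement as an unsigned byte (two's complement)."""
    if not in_jr_range(jr_addr, target):
        raise ValueError(f"jr at ${jr_addr:04X} cannot reach ${target:04X}")
    return bytes((0x18, jr_displacement(jr_addr, target) & 0xFF))


def jp_to(target):
    """Opcode 0xC3 plus a little-endian 16-bit operand (22 D3 for $D322)."""
    return bytes((0xC3, target & 0xFF, (target >> 8) & 0xFF))


def field_at(addr, count_addr=BAG_COUNT_ADDR):
    """(slot, 'id'|'quantity') for a byte inside a count-prefixed item list."""
    offset = addr - count_addr
    if offset < 1:
        raise ValueError(f"${addr:04X} lies before the list at ${count_addr:04X}")
    return (offset + 1) // 2, ("id" if offset % 2 else "quantity")


def layout(start_addr, code, count_addr=BAG_COUNT_ADDR):
    """One (address, slot, field, byte, description) row per code byte.

    Quantity bytes can hold any value (the thread uses 195, 211, 250), so they
    read 'any item xN'; ID bytes name the item the thread uses for that ID.
    An $FF in an ID position would terminate the list, so it is flagged.
    """
    rows = []
    for i, byte in enumerate(code):
        addr = start_addr + i
        slot, field = field_at(addr, count_addr)
        if field == "quantity":
            text = f"item {slot}: any item x{byte}"
        else:
            text = f"item {slot}: {ITEM_NAMES.get(byte, f'item ID 0x{byte:02X}')}"
            if byte == LIST_TERMINATOR:
                text += " (WARNING: $FF ends the item list here)"
        rows.append((addr, slot, field, byte, text))
    return rows


if __name__ == "__main__":
    # Torchickens' relative jump from the x-position back to item 3 ($D321).
    for row in layout(0xD361, jr_to(0xD361, 0xD321)):
        print(f"${row[0]:04X} {row[2]:8} {row[3]:02X}  {row[4]}")
    # The jp $D322 stub placed so that it starts on a quantity byte.
    for row in layout(0xD365, jp_to(0xD322)):
        print(f"${row[0]:04X} {row[2]:8} {row[3]:02X}  {row[4]}")
```

The jr displacement is measured from the byte after the two-byte instruction, which is why a jr sitting at $D361 needs BE (-66) to land on $D321 and not BF or C0; a target more than 127 bytes away needs the three-byte jp instead, and in_jr_range tells you which one applies before you start counting items.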