Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

ACE within Pikachu's Beach

Posted by: Torchickens
Date: 2018-12-07 19:22:17
C5D1 controls the Pikachu's Beach script. Some values cause arbitrary code execution. The best one I could find was value 0x5B, which executes D3EA. This is within wWarpEntries, but it can be accessed with the expanded items pack from item 103's quantity and will usually stay even after saving/changing maps.

You can place any code you like at item 103's quantity. If the effects of the code apply outside of the minigame, simply press Select to leave the minigame and return to the overworld (you may need to have played the minigame at least once; not sure). You can still do things like writing 0x15 (Mew encounter) to D058, so that you encounter a Mew immediately after leaving the minigame.

There may be more than one approach to doing this. Unfortunately, a modified C5D1 value isn't kept before Pikachu's Beach, but in theory you could just run a modified Pikachu's Beach routine (likely from another ACE method) that only runs script 0x5B. Another approach would be to use OAM DMA hijacking to lock C5D1 to 0x5B.

Though we already have ACE and this likely requires ACE to begin with, this could be a cool way of causing arbitrary code execution if you wanted to do something in the minigame (like the creation of a cheat mode).
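As an added illustration of the layout the post describes (this is not code from the original thread or from Torchickens), the script below assembles the six-byte SM83 routine "write 0x15 to D058, return" and shows which bag-item bytes it occupies when it is placed starting at item 103's quantity (D3EA), then checks the routine with a tiny interpreter that understands only the three opcodes used. Assumptions not stated in the post: the bag array base is taken as wBagItems = 0xD31D with two bytes (id, quantity) per slot, which is consistent with item 103's quantity landing at 0xD3EA; the routine ends with `ret` on the assumption that the script dispatcher calls rather than jumps to D3EA; the memory image is a constructed 64 KiB buffer, not a real save.

```python
# Added example, not part of the original post. Maps a short SM83 routine onto
# Pokémon Yellow bag-item bytes starting at item 103's quantity and verifies it
# with a minimal interpreter. Addresses other than D3EA/D058 are assumptions.

W_BAG_ITEMS = 0xD31D   # assumed base of the bag item array (id, quantity pairs)
CODE_ENTRY = 0xD3EA    # item 103's quantity; script 0x5B executes from here (from the post)
W_CUR_ENEMY = 0xD058   # byte the post writes 0x15 to for a Mew encounter
MEW = 0x15


def assemble_encounter_payload(species=MEW, target=W_CUR_ENEMY):
    """ld a, species ; ld [target], a ; ret  ->  3E nn  EA lo hi  C9"""
    return bytes([0x3E, species & 0xFF, 0xEA, target & 0xFF, (target >> 8) & 0xFF, 0xC9])


def item_slot(addr):
    """Map a WRAM address inside the bag array to (item number, 'id' | 'quantity')."""
    off = addr - W_BAG_ITEMS
    if off < 0:
        raise ValueError(f"{addr:#06x} is before the bag array")
    return off // 2 + 1, ("id", "quantity")[off % 2]


def layout_as_items(payload, entry=CODE_ENTRY):
    """Which item slot/field each payload byte must be written to."""
    return [(*item_slot(entry + i), b) for i, b in enumerate(payload)]


def run_sm83(mem, pc, max_steps=64):
    """Execute from pc until RET. Supports only LD A,n (3E), LD (a16),A (EA), RET (C9).

    Returns the address of the RET that ended execution. Anything else raises,
    so an unexpected byte in the item data is caught instead of silently run.
    """
    a = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == 0x3E:                       # LD A, n
            a = mem[pc + 1]
            pc += 2
        elif op == 0xEA:                     # LD (a16), A  (little-endian address)
            addr = mem[pc + 1] | (mem[pc + 2] << 8)
            mem[addr] = a
            pc += 3
        elif op == 0xC9:                     # RET
            return pc
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {pc:#06x}")
    raise RuntimeError("routine did not return within step budget")


def simulate(species=MEW):
    """Place the payload at D3EA in a constructed 64 KiB image and run it."""
    mem = bytearray(0x10000)                 # constructed WRAM image, all zero
    payload = assemble_encounter_payload(species)
    mem[CODE_ENTRY:CODE_ENTRY + len(payload)] = payload
    run_sm83(mem, CODE_ENTRY)
    return mem[W_CUR_ENEMY], layout_as_items(payload)


if __name__ == "__main__":
    encounter_byte, slots = simulate()
    print(f"D058 after routine: {encounter_byte:#04x}")
    for item_no, field, value in slots:
        print(f"item {item_no:3d} {field:8s} = {value:#04x}")
```

Running it lists the byte each of items 103 to 106 needs (item 103 quantity 0x3E, item 104 id 0x15 / quantity 0xEA, item 105 id 0x58 / quantity 0xD0, item 106 id 0xC9) and confirms that D058 holds 0x15 once the routine returns. Because the interpreter rejects any opcode it does not know, a stray byte in the surrounding item data shows up as an error rather than as code that appears to work.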