Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

More Pikachu off-screen glitch ACE access points with Lg- or WTW (theory)

Posted by: Torchickens
Date: 2019-01-04 09:21:37
After looking into the BGLSG glitch that LanceAndMissingno. found; it appears you can load glitch text boxes for certain texts when D4E0=FF (with the exact same Trainer as LanceAndMissingNo. the value of D4F0 will also influence the text box, with D4F0 as 00 providing the "BGLSG" glitch text box).

The idea then is to set up Pikachu off-screen glitch (which can easily be done with the Lg- (0x6E) glitch item) until D4E0 is corrupted, and then bring Pikachu back on the screen to change all the values you corrupted, including D4F0, to 0xFF.

An example is this sign in Celadon Mansion, which we can in theory manipulate to regard DBCD as the source text box:

Image: https://i.imgur.com/7bU4H8i.png

DBCD is the second experience byte of stored Pokémon 10. Having exactly 2072, 67608, 133144, 198680, 264216, 329752, … (anything expressed as 2072 + (65536*n)) experience on this Pokémon will spell 08 18. The 08 tells the game to begin executing code, and the 18 indicates the jr instruction. Following this, we can have a parameter for the jr instruction. An easy one is 0x14, which requires using two HP Ups on an untrained Pokémon and will make the PC interpret jr DBE4.

At DBE4 is the typing of the Pokémon. For this method, we will use . (C1), hence these values will be 0x93 and 0x80 (sub e, add b). This is followed by its catch rate constant/held item of 0x8C, which is the adc h instruction. These instructions do not freeze the game.

Finally at DBE8, . (C1) should have the following moves: Glitch Move 0xC3, Tackle, TM11 (C3 21 D3) to redirect the PC to item 3. These are all viable choices, and fortunately this glitch Pokémon may be obtained with Trainer escape glitch. Unfortunately, the minimum level for this glitch Pokémon to learn TM11 is Level 93, but this is no issue if you have the expanded items pack as you can spawn Rare Candies from Celadon City. According to the Bulbapedia experience table, 643,485 is the amount of experience this glitch Pokémon (part of the Fast experience group) will have at Level 93. Hence, our closest compatible experience is 2072+(65536*10)=657432, which is still at Level 93.

At item 3, you can have any setup you like, such as the widely used 'set d058 to 0x15 (Mew) setups'. Remember to change hl to 01FE, or any unbanked pointer with a 0x50 byte. I think this should secure that the resulting text box does not freeze the game.

This sign is not the only access point. By setting a breakpoint to 0:2882, you can read the source pointer of most texts you read from the hl registers. The only other promising pointer I've found so far was somewhere in the event flags beyond stored items, but unfortunately it seems out of reach with expanded PC items. With the large number of possibilities we never know; there could be (and likely is) a better setup than the one above. As LanceAndMissingno. demonstrated, Lg- may not be required; you may be able to execute arbitrary code with the walk through walls glitch, which can be done infinitely and does not require the expanded items pack.
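The chain above (experience bytes supplying the 08 text command and the jr, HP EVs supplying the jr operand, and stored Pokémon 11's typing, catch rate and moves supplying the bytes that reach jp D321) can be checked on paper before anyone touches a save. The following script is an added worked example, not code from the original post or from Glitch City Laboratories. It lays out the relevant bytes of stored Pokémon 10 and 11 using the standard 33-byte Gen 1 box entry layout (offsets assumed: type 1 at 5, type 2 at 6, catch rate at 7, the four moves at 8 to 11, 3-byte big-endian experience at 14, 2-byte big-endian HP stat experience at 17), derives the entry addresses from the DBCD address given in the post, and traces the handful of SM83 opcodes involved to confirm control lands on bag item 3. The HP Up value of 2560 stat-experience points per use and the Fast group formula 4n³/5 are the well-known Gen 1 values; the `build_memory`, `trace` and `run_chain` names are this example's own.

```python
"""Trace the stored-Pokemon ACE chain from the post (added example, not the post's code).

Builds the bytes of stored Pokemon 10 and 11 with the stats the post calls for,
then runs a minimal SM83 tracer to confirm control flows
DBCD (08 = start executing) -> DBCE (jr 0x14) -> DBE4 -> DBE7 (jp D321).
"""

# Gen 1 box Pokemon entry layout (assumed from the standard 33-byte structure).
ENTRY_SIZE = 33
OFF_TYPE1, OFF_TYPE2, OFF_CATCH_RATE, OFF_MOVES = 5, 6, 7, 8
OFF_EXP, OFF_HP_EV = 14, 17

# DBCD is the second experience byte of stored Pokemon 10 (stated in the post),
# so entry 10 starts OFF_EXP + 1 bytes earlier and entry 11 follows directly.
ADDR_TX_ASM = 0xDBCD
BOX_MON_10 = ADDR_TX_ASM - (OFF_EXP + 1)   # 0xDBBE
BOX_MON_11 = BOX_MON_10 + ENTRY_SIZE       # 0xDBDF
BAG_ITEM_3 = 0xD321                        # jp target named in the post

TX_ASM = 0x08                  # text command that hands control to machine code
HP_UP_POINTS = 2560            # stat experience added per HP Up (0x0A00)
MNEMONICS = {0x93: "sub e", 0x80: "add b", 0x8C: "adc h"}


def exp_candidates(count):
    """Experience totals whose low two big-endian bytes are 08 18."""
    return [2072 + 65536 * n for n in range(count)]


def exp_bytes(exp):
    """3-byte big-endian experience as stored in a Gen 1 Pokemon entry."""
    return list(exp.to_bytes(3, "big"))


def fast_group_exp(level):
    """Experience needed for `level` in the Fast group: floor(4n^3 / 5)."""
    return 4 * level ** 3 // 5


def level_in_fast_group(exp):
    """Highest level (1..100) a Fast-group Pokemon reaches with `exp` points."""
    level = 1
    while level < 100 and fast_group_exp(level + 1) <= exp:
        level += 1
    return level


def build_memory(exp=657432, hp_ups=2):
    """Return {address: byte} for the bytes of entries 10 and 11 that the chain uses.

    Sample values are constructed from the post: stored Pokemon 10 is untrained
    apart from `hp_ups` HP Ups, stored Pokemon 11 is the '.' (C1) glitch Pokemon
    with moves 0xC3, 0x21, 0xD3.
    """
    mem = {}
    for i, b in enumerate(exp_bytes(exp)):
        mem[BOX_MON_10 + OFF_EXP + i] = b
    for i, b in enumerate((HP_UP_POINTS * hp_ups).to_bytes(2, "big")):
        mem[BOX_MON_10 + OFF_HP_EV + i] = b
    mem[BOX_MON_11 + OFF_TYPE1] = 0x93
    mem[BOX_MON_11 + OFF_TYPE2] = 0x80
    mem[BOX_MON_11 + OFF_CATCH_RATE] = 0x8C
    for i, b in enumerate([0xC3, 0x21, 0xD3, 0x00]):
        mem[BOX_MON_11 + OFF_MOVES + i] = b
    return mem


def trace(mem, pc, max_steps=32):
    """Minimal SM83 tracer for the opcodes this chain relies on.

    Returns (pc, log): `pc` is the first address outside the controlled bytes
    (the jp target if the chain works), `log` lists (address, mnemonic) pairs.
    """
    log = []
    for _ in range(max_steps):
        if pc not in mem:
            return pc, log
        op = mem[pc]
        if op == 0x18:                               # jr r8: signed offset from next instruction
            off = mem[pc + 1]
            off = off - 256 if off > 127 else off
            pc = pc + 2 + off
            log.append((pc, f"jr {pc:04X}"))
        elif op == 0xC3:                             # jp a16: little-endian absolute target
            target = mem[pc + 1] | (mem[pc + 2] << 8)
            log.append((pc, f"jp {target:04X}"))
            pc = target
        elif op in MNEMONICS:                        # 1-byte ALU ops: do not disturb control flow
            log.append((pc, MNEMONICS[op]))
            pc += 1
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {pc:04X}")
    raise RuntimeError("trace did not terminate")


def run_chain(exp=657432, hp_ups=2):
    """Check the 08 byte sits at DBCD, then trace from the byte after it."""
    mem = build_memory(exp, hp_ups)
    if mem[ADDR_TX_ASM] != TX_ASM:
        raise ValueError("DBCD does not hold the 08 text command")
    return trace(mem, ADDR_TX_ASM + 1)


if __name__ == "__main__":
    print("candidate experience values:", exp_candidates(6))
    print("657432 is level", level_in_fast_group(657432), "in the Fast group")
    final_pc, log = run_chain()
    for addr, mnemonic in log:
        print(f"{addr:04X}  {mnemonic}")
    print(f"control leaves stored Pokemon data at {final_pc:04X}",
          "(bag item 3)" if final_pc == BAG_ITEM_3 else "(unexpected)")
```

Running it with one HP Up instead of two makes the jr land at DBDA, inside stored Pokémon 10's own stat experience bytes, which is the quickest way to see why the post insists on exactly two.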