Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of an article from Glitch City Laboratories wiki.

A live version of this article is available at the Glitch City Wiki here.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of the wiki in .tar.gz or .xml.gz formats.

Map script arbitrary code execution

Map script arbitrary code execution is an arbitrary code execution method in Pokémon Red, Blue, and Yellow, requiring the expanded item pack.

Summary

Item 42 and item 42's quantity control wMapScriptPtr (D36E-F in Pokémon Red and Blue and D36D-E in Pokémon Yellow), with the index number of item 42 being the first byte to a little-endian pointer, and item 42's quantity as the second. This word contains the current map script (not to be confused with the meta-map script which is not controlled by wMapScriptPtr).

This script is run continuously after the menu is closed. The address can be changed to one corresponding to a different item slot, such as Water Stone x211 (Thunderstone x211 in Yellow) to make the script point to item 3 (D322/D321).

This is an efficient way of arbitrary code execution, but the items in slot 42 will be wiped after leaving the map, so it may be a good idea to swap the original map script back in before moving to a new map.

See also

  • Expanded bag item documentation (Generation I)

    Categories