Main Menu
Main Page
New pages
Recent changes
Random page

Arbitrary code execution
Pokémon cloning
Pomeg glitch
Glitches by generation
Glitch categories

Disassembly projects
The Big HEX List
Pokémon cheat codes
Pokémon glitch terminology
Useful tools

Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Site source code

Search Wiki


Search Forums


Author Topic: More Pikachu off-screen glitch ACE access points with Lg- or WTW (theory)  (Read 85 times)

0 Members and 1 Guest are viewing this topic.

Eve the Bird Mother ❤✿

  • Always believe in yourself first. ✿ Aspiring to be a mother. 🦋
  • Head Administrator
  • *****
  • Online Online
  • Gender: Female
  • Characters © Tsuburaya, Sanrio, Nintendo/TOSE
    • View Profile
After looking into the BGLSG glitch that LanceAndMissingno. found; it appears you can load glitch text boxes for certain texts when D4E0=FF (with the exact same Trainer as LanceAndMissingNo. the value of D4F0 will also influence the text box, with D4F0 as 00 providing the "BGLSG" glitch text box).

The idea then is to set up Pikachu off-screen glitch (which can easily be done with the Lg- (0x6E) glitch item) until D4E0 is corrupted, and then bring Pikachu back on the screen to change all the values you corrupted, including D4F0, to 0xFF.

An example is this sign in Celadon Mansion, which we can in theory manipulate to regard DBCD as the source text box:

DBCD is the second experience byte of stored Pokémon 10. Having exactly 2072, 67608, 133144, 198680, 264216, 329,752 (... anything expressed as 2072 + (65536*n)) experience on this Pokémon will spell 08 18.  The 08 tells the game to begin executing code, and the 18 indicates the jr instruction. Following this, we can have a parameter for the jr instruction. An easy one is 0x14 which requires using two HP Ups on an untrained Pokémon and will make the PC interpret jr DBE4.

At DBE4 is the typing of the Pokémon. For this method, we will use ♀ . (C1), hence these values will be 0x93 and 0x80 (sub e, add b). This is followed by its catch rate constant/held item of 0x8C, which is the adc h instruction. These instructions do not freeze the game.

Finally at DBE8, ♀ . (C1) should have the following moves: Glitch Move 0xC3, Tackle, TM11 (C3 21 D3) to redirect the PC to item 3. These are all viable choices, and fortunately this glitch Pokémon may be obtained with Trainer escape glitch. Unfortunately, the minimum level for this glitch Pokémon to learn TM11 is Level 93, but this is no issue if you have the expanded items pack as you can spawn Rare Candies from Celadon City. According to the Bulbapedia experience table, 643,485 is the amount of experience this glitch Pokémon (part of the Fast experience group) will have at Level 93. Hence, our closest compatible experience is 2072+(65536*10)=657432, which is still at Level 93.

At item 3, you can have any set up you like, such as the widely used 'set d058 to 0x15 (Mew) setups'. Remember to change hl to 01FE, or any unbanked pointer with a 0x50 byte. I think this should secure that the resulting text box does not freeze the game.

This sign is not the only access point. By setting a breakpoint to 0:2882, you can read the source pointer of most texts you read from the hl registers. The only other promising pointer I've found so far was somewhere in the event flags beyond stored items, but unfortunately it seems out of reach with expanded PC items. With the large number of possibilities we never know, there could (and is likely) to be a better setup than the one above. As LanceAndMissingno. demonstrated, Lg- may not be required; you may be able to execute arbitrary code with walk through walls glitch, which can be done infinitely and does not require the expanded items pack. ✿
« Last Edit: January 04, 2019, 09:37:31 am by Evie ❤✿ »

(Image © Sanrio, Nintendo, HAL Laboratory)

✿ Hi! I'm Evie. I'm a transgender woman, but any pronouns are fine. She/her preferred. ✿ 🦋

Please note:

While I'm one of the staff who runs the site, Abwayax is the founder and manages the technical side of the site (specifically the server, but I can do forum/wiki stuff if you like, I suggest if you do to make a thread about it to gather a consensus). Still feel free to contact me about higher site issues though; I will forward them to Abwayax if needed. :)

Forgiveness is timeless, and moments we look back on humble the soul.

Thank you Nyapon for this lovely artwork. :3