Author Topic: More Pikachu off-screen glitch ACE access points with Lg- or WTW (theory)  (Read 50 times)


Quirky Flower Chicken ❤✿

After looking into the BGLSG glitch that LanceAndMissingno. found, it appears you can load glitch text boxes for certain texts when D4E0=FF (with the exact same Trainer as LanceAndMissingno., the value of D4F0 will also influence the text box, with D4F0 as 00 providing the "BGLSG" glitch text box).

The idea then is to set up Pikachu off-screen glitch (which can easily be done with the Lg- (0x6E) glitch item) until D4E0 is corrupted, and then bring Pikachu back on the screen to change all the values you corrupted, including D4F0, to 0xFF.

An example is this sign in Celadon Mansion, which we can in theory manipulate to regard DBCD as the source text box:



DBCD is the second experience byte of stored Pokémon 10. Having exactly 2072, 67608, 133144, 198680, 264216, 329752 (... anything expressed as 2072 + (65536*n)) experience on this Pokémon will spell 08 18. The 08 tells the game to begin executing code, and the 18 indicates the jr instruction. Following this, we can have a parameter for the jr instruction. An easy one is 0x14 which requires using two HP Ups on an untrained Pokémon and will make the PC interpret jr DBE4.

At DBE4 is the typing of the Pokémon. For this method, we will use ♀ . (C1), hence these values will be 0x93 and 0x80 (sub e, add b). This is followed by its catch rate constant/held item of 0x8C, which is the adc h instruction. These instructions do not freeze the game.

Finally at DBE8, ♀ . (C1) should have the following moves: Glitch Move 0xC3, Tackle, TM11 (C3 21 D3) to redirect the PC to item 3. These are all viable choices, and fortunately this glitch Pokémon may be obtained with Trainer escape glitch. Unfortunately, the minimum level for this glitch Pokémon to learn TM11 is Level 93, but this is no issue if you have the expanded items pack as you can spawn Rare Candies from Celadon City. According to the Bulbapedia experience table, 643,485 is the amount of experience this glitch Pokémon (part of the Fast experience group) will have at Level 93. Hence, our closest compatible experience is 2072+(65536*10)=657432, which is still at Level 93.

At item 3, you can have any set up you like, such as the widely used 'set d058 to 0x15 (Mew) setups'. Remember to change hl to 01FE, or any unbanked pointer with a 0x50 byte. I think this should secure that the resulting text box does not freeze the game.

This sign is not the only access point. By setting a breakpoint to 0:2882, you can read the source pointer of most texts you read from the hl registers. The only other promising pointer I've found so far was somewhere in the event flags beyond stored items, but unfortunately it seems out of reach with expanded PC items. With the large number of possibilities we never know, there could be (and is likely to be) a better setup than the one above. As LanceAndMissingno. demonstrated, Lg- may not be required; you may be able to execute arbitrary code with walk through walls glitch, which can be done infinitely and does not require the expanded items pack. ✿
« Last Edit: January 04, 2019, 09:37:31 am by Evie ❤✿ »

(Image © Sanrio, Nintendo, HAL Laboratory)

✿ Hi! I'm Evie. I'm a transgender woman, but any pronouns are fine. She/her preferred. ✿ 🦋

Nature: Passive, kind, but a little shy sometimes in public though warms up. Sensitive, however brave. I have a hidden protective side to me. Liberal feminist.

War is the birth of new love, love is the birth of new war. Having died once, lived twice. Together alone we are together.

Thank you for this lovely artwork Nyapon! :3
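
The arithmetic in the post above, re-derived as an added example that is not part of the original post: it finds the experience totals at a given level whose low two bytes are 08 18 and computes where the jr lands. The function names and the 2560 stat experience per HP Up are assumptions not stated in the post; the addresses and byte values are the post's.

```python
# Added example (not from the original post): re-derives the post's numbers.
VITAMIN_STAT_EXP = 2560      # assumption: Gen I stat exp gained per HP Up
EXP_SECOND_BYTE = 0xDBCD     # from the post: second experience byte of stored Pokémon 10
WANTED_LOW16 = 0x0818        # from the post: 08 (begin executing) then 18 (jr opcode)


def fast_group_exp(level):
    """Minimum total experience for `level` in the Fast group: floor(4*n^3/5)."""
    return 4 * level ** 3 // 5


def compatible_exp(level):
    """Experience totals that stay at `level` and whose low two bytes are 08 18."""
    lo, hi = fast_group_exp(level), fast_group_exp(level + 1) - 1
    # smallest n with WANTED_LOW16 + 65536*n >= lo (ceiling division)
    n = max(0, -(-(lo - WANTED_LOW16) // 0x10000))
    return list(range(WANTED_LOW16 + n * 0x10000, hi + 1, 0x10000))


def jr_target(opcode_addr, operand):
    """Destination of jr: address after the 2-byte instruction plus a signed offset."""
    offset = operand - 0x100 if operand & 0x80 else operand
    return (opcode_addr + 2 + offset) & 0xFFFF


def plan(level, hp_ups):
    """Return (experience, bytes from DBCC onward, jr destination) for the setup."""
    candidates = compatible_exp(level)
    if not candidates:
        raise ValueError(f"no experience total at level {level} ends in 08 18")
    exp = candidates[0]
    # 3-byte big-endian experience, then the 2-byte HP stat exp whose high
    # byte the post uses as the jr operand
    data = exp.to_bytes(3, "big") + (VITAMIN_STAT_EXP * hp_ups).to_bytes(2, "big")
    jr_addr = EXP_SECOND_BYTE + 1          # the 0x18 byte sits at DBCE
    return exp, data, jr_target(jr_addr, data[3])


if __name__ == "__main__":
    exp, data, target = plan(93, 2)
    print(exp, data.hex(" "), f"jr -> {target:04X}")
```
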