Game:

Pokémon Yellow (1998)

Duration: 0:41

2,217 views

88

This is an arbitrary code execution exploit someone found from the subroutine CheckIfThereIsRoomForPikaPicAnimGFX.

Although I don't know if there is a way to do it naturally, you can ensure that it happens using another arbitrary code execution. Therefore, it is another access point from the Pikachu emotion box (similar to Pikachu glitch emote arbitrary code execution).

https://www.youtube.com/watch?v=q_T8aU35DZY
https://www.youtube.com/watch?v=nkxxAy7IYUA

In order to do that, I used 4F to lock the region at CC5C using OAM DMA hijacking with 16 0x55 bytes, and the region at CC6C with the bytes representing the arbitrary code execution. (cc5b is the wPikaPicUsedGFXCount). The arbitrary code execution then begins at CC6C, and I used it to load the instant encounter battle to Mew and push the OverworldLoop on to the stack; resulting in a stable (and catchable) Mew encounter.

At DA7F

3E55215CCC22222222222222222222222222222222216CCC3E3E223E15223EEA223E58223ED0223E21223E42223E02223EE5223EC922C9

At DA64

2182FF3EDA323E7F323EC332C9

Execute with 4F glitch item (FA64) on a platform that properly emulates Echo RAM.

https://github.com/pret/pokeyellow/blob/master/engine/pikachu/pikachu_pic_animation.asm

Explanation from the disassembly project:

CheckIfThereIsRoomForPikaPicAnimGFX:
; d: idx
; e: size
; FATAL: If the graphic has already been loaded, or if there are
; already 8 graphics objects loaded, the game will execute arbitrary
; code.
push bc
push hl
ld hl, wPikaPicUsedGFX
ld c, 8
.loop
ld a, [hl]
and a
jr z, .empty
cp d
jr z, .found
inc hl
inc hl
dec c
jr nz, .loop
scf
ret ; execute hl, then bc

.found
inc hl
ld a, [hl]
ret ; execute hl, then bc

.empty
ld [hl], d
inc hl
ld a, [wPikaPicUsedGFXCount]
add $80
ld [hl], a
ld a, [wPikaPicUsedGFXCount]
add e
ld [wPikaPicUsedGFXCount], a
cp $80
jr z, .okay
jr nc, .failed
.okay
ld a, [hl]
and a
jr .pop_ret

.failed
scf
.pop_ret
pop hl
pop bc
ret

Other Statistics