Map script arbitrary code execution

From Glitch City Wiki

Map script arbitrary code execution is an arbitrary code execution method in Pokémon Red, Blue, and Yellow that requires the expanded item pack. In speedrunning communities it is also called APJM[1]; because it is a form of arbitrary code execution (or of unintended ROM code execution), it is typically not allowed.

Summary

Item 42's index number and item 42's quantity together control wMapScriptPtr (D36E-F in Pokémon Red and Blue, D36D-E in Pokémon Yellow): the two bytes form a little-endian pointer, with the item's index number as the low (first) byte and its quantity as the high (second) byte. This word holds the pointer to the current map script (not to be confused with the meta-map script, which is not controlled by wMapScriptPtr).

This script is run continuously once the menu is closed. The pointer can be redirected to the address of a different item slot, for example Water Stone x211 (Thunderstone x211 in Yellow), which makes the map script start at item 3 (D322 in Red and Blue, D321 in Yellow).

This is an efficient way to achieve arbitrary code execution, but the contents of slot 42 are wiped when the player leaves the map, so it may be a good idea to swap the original map script pointer back in before moving to a new map.
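The pointer arithmetic above, as an added example (not code from the wiki): it models how the game reads slot 42's two bytes as the little-endian wMapScriptPtr and computes which item and quantity encode a given target slot, so the same routine can re-encode the original pointer value for the restore step. Addresses are those given on the page; the Generation I item indices for Water Stone (0x22) and Thunderstone (0x21) are assumed from the page's worked pair.

```python
# Item indices assumed for the page's examples (Generation I item list).
ITEM_NAMES = {0x22: "Water Stone", 0x21: "Thunderstone"}

# wMapScriptPtr and the address of bag slot 1's item-index byte, per version.
# Every bag slot is two bytes: item index, then quantity. Slot 3 therefore
# sits at D322 (Red/Blue) and D321 (Yellow), matching the page.
VERSIONS = {
    "rb":     {"map_script_ptr": 0xD36E, "bag_slot1": 0xD31E},
    "yellow": {"map_script_ptr": 0xD36D, "bag_slot1": 0xD31D},
}


def pointer_from_slot(item_index: int, quantity: int) -> int:
    """Word the game reads when a slot's bytes overlay wMapScriptPtr.

    Little-endian: the item index is the low byte, the quantity the high byte.
    """
    if not (0 <= item_index <= 0xFF and 0 <= quantity <= 0xFF):
        raise ValueError("slot bytes must each fit in one byte")
    return (quantity << 8) | item_index


def slot_address(version: str, slot: int) -> int:
    """Address of the item-index byte of 1-based bag slot `slot`."""
    return VERSIONS[version]["bag_slot1"] + 2 * (slot - 1)


def slot_bytes_for_pointer(target: int) -> tuple[int, int]:
    """(item_index, quantity) whose bytes encode `target` little-endian.

    Also used to re-encode the original pointer when restoring the map script.
    """
    if not 0 <= target <= 0xFFFF:
        raise ValueError("pointer must fit in 16 bits")
    return target & 0xFF, target >> 8


def setup_for_slot(version: str, slot: int) -> dict:
    """Item and quantity to place in slot 42 so the map script runs from `slot`."""
    item, qty = slot_bytes_for_pointer(slot_address(version, slot))
    return {"item": item, "name": ITEM_NAMES.get(item, f"item 0x{item:02X}"),
            "quantity": qty}
```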

See also

  1. Expanded bag item documentation (Generation I)

References