Arbitrary Pokédex code execution with ₽ (hex:F9) (Pokémon Yellow)

Описание: A good number of glitch Pokémon in Generation I take their Pokédex data (including category, height, weight and text) from writable memory. This means contrary to what some may expect their actual Pokédex data may vary.

It turns out the Pokédex entry of glitch Pokémon ₽ (hex:F9) in Yellow is sourced from F403 (Echo RAM for D403) which can be manipulated by moving specific items to item 116 in the expanded items pack. This allows for a custom category, height and/or weight (such as having the category as the "HAX" Pokémon) and through using the 08 text code character five bytes after the first 50 in the category name, arbitrary code execution.

Unfortunately the difficulty of setting up Rival LOL glitch to catch hex:F9 makes this method largely redundant over ws m glitch item (hex:63) arbitrary code execution, but it can be used as an alternative method using it to set up ws m by installing a payload to item 3 (C3 21 D3), and this bypasses having to get specific Pokémon for ws m such as a Tangela with 233 HP.


These are the execution points:
http://forums.glitchcity.info/index.p...

Red and Blue:

BF: 9183
C0: 8B88
C6: 8F50
C7: 9180
C8: 8D84
CE: 8F50
CF: 888E
D0: 8E92
D2: 888F
D6: B417*
D8: 8550
D9: 8880
DA: 9891
DC: AA00*
E0: 8893
E1: 988D
E2: 817F
E3: 9188
E9: 8150
EA: 8B80
EE: CB17*
EF: 8350
F1: 8891
F2: 8B8B
F8: 8487
F9: 8C91
FA: 9388
FB: 9182
FC: 8180
FE: C203*

Yellow:

00: 9288
BF: 8492
C0: 8384
C2: 9604
C6: 8492
C7: 8384
CD: 8492
CE: 8384
D0: A207/FREEZE
D4: 888B
D5: 8099
D6: 8391
D8: BE00
DC: 8B85
DD: 8C80
E1: 8417
E3: 8550
E4: 808B
E5: 848C
E7: D007
EB: 8893
EC: 988D
ED: 9493
EE: 9391
EF: 848B
F1: C808
F5: 9493
F6: 9391
F7: 848B
F9: F403 (!!)
FD: 8792
FE: 8B84
FF: 858B