Info - Technical Explanation of Script Stack Underflow (SSU) By Nick007J (Semi-Outdated)

By 39daph

Since a lot of people like to ask how these glitches are found, I think I need to explain the technical details at least once 🙂
Anyway, husho and Patrick are documenting all the scenarios for starting missions during other missions ("instapass quest"). Not long ago they found a way to instapass more missions by running mission chains, in order to use missions that require a different return value on the stack (the stack is used in scripts for handling gosubs, and it contains return values).
However, all those manipulations involved missions that have the same "stack pointer", which is basically just the number of values on the stack; it's usually 1 during a mission. Two days ago husho wondered what happens if the stack is empty but a return command is executed. This is possible in the game, since there are missions with no gosubs, so he tested it. A while ago I also tested it and always received 0 as the return address; it eventually crashed the game. However, husho's log said that his return address was not 0; it was actually 200. It also resulted in a crash, but when I did the same thing he did in similar circumstances, I still received 0, so I decided to find out where that value is taken from.
I started debugging the game and noticed that the "stack pointer" used by the developers for in-game scripts is an unsigned short. This means that when a return is executed with an empty stack, the address is basically taken from this->stack[65535]. The script array is located in the bss segment, so these addresses are constant. I calculated all the possible addresses that can be used as a return value, and it turned out that some of them are located in script space, which is used for script variables. One of these potential variables was a temp timer in ms for the hardware store shopkeeper. This timer is updated when the player enters his spawn zone: it is the current time in ms if he spawned normally, and if he was despawned after being killed or robbed, it is the time in ms that has passed since he despawned.
So basically we have an option to jump to any part of the main script by manipulating this timer. Of course, using a timer in ms to choose an address is kind of tricky, so we have to use a time window. The KYFC starting thread is located at bytes 53475-53716 of the script file. This means that the shopkeeper timer should be set to a value between 53475 and 53716. Approximately 20% of timer values are a valid address for something that doesn't crash. Some of these addresses only create a trigger at the mansion; some start the mission immediately.
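The unsigned short wraparound described above, reduced to a small C model with a checked return beside the unchecked one. This is an added example, not the game's code: the stack depth of 6, the flat `arena` array and the function names are assumptions, and 53600 is a constructed timer value inside the 53475-53716 window.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 6                      /* assumed depth; the page gives no figure */
#define ARENA_WORDS (STACK_DEPTH + 65536)

/* Constructed flat memory: the script's stack is the first STACK_DEPTH words,
   everything after it stands in for whatever else lives near it in memory. */
static uint32_t arena[ARENA_WORDS];

struct script {
    uint32_t *stack;   /* points at arena[0] */
    uint16_t  sp;      /* number of return addresses currently stored */
};

/* Unchecked return, as the page describes: with sp == 0 the decrement wraps
   to 65535 and the "return address" is read far outside the stack. */
static uint32_t ret_unchecked(struct script *s)
{
    s->sp = (uint16_t)(s->sp - 1);
    return s->stack[s->sp];
}

/* Checked return: refuse to pop an empty or corrupt stack. Returns 0 on success. */
static int ret_checked(struct script *s, uint32_t *addr)
{
    if (s->sp == 0 || s->sp > STACK_DEPTH)
        return -1;
    s->sp--;
    *addr = s->stack[s->sp];
    return 0;
}

int main(void)
{
    struct script s = { arena, 0 };
    arena[65535] = 53600;   /* constructed stand-in for the shopkeeper timer */
    printf("unchecked return jumps to %u\n", (unsigned)ret_unchecked(&s));

    uint32_t addr;
    s.sp = 0;
    printf("checked return on empty stack: %d\n", ret_checked(&s, &addr));
    return 0;
}
```

The model keeps index 65535 inside `arena` so the read is well-defined here; in a real process the same index lands on whatever data happens to sit at that offset from the stack.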
Another thing is that for that variable to be used as an address, the property buy script should be in the script with id 67. There are 128 scripts in the array and the game fills it starting with the last, id 127. This means there should be 60 scripts running at the moment we buy the property. At the start of the game there are 51. We need 9 more, so we complete The Party 10 times: The Party's starting script is removed since we complete it, and it creates 10 new ones for the next mission. After that we just need money to start the trick.