Arbitrary code execution

From Glitch City Laboratories

PRAMA Initiative also has a page about Arbitrary code execution.
Bulbapedia also has an article about Arbitrary code execution.
This article is incomplete, please feel free to add any missing information about the subject. It is missing:

The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote and specific details on Generation III summary and move animation ACE.

Arbitrary code execution refers to a method that allows the player to force the game to run code written by the player.

It usually uses an invalid execution pointer (glitch items in Generation I, an incorrectly terminated string in English Pokémon Gold and Silver), which the player can manipulate to run custom assembly code.

This custom code is often "spelled" with items, because each stack of items occupies only two bytes in memory: the item's index number followed by its quantity.

In Generation I

Via items

Both (glitch) items require a special setup for the item to run correct code.

For detailed info about these items, read this topic on GCL forums if playing R/B, or this post if playing Yellow.

It is a good idea to read all the topic messages for info.

Using てヘ (tehe) in JP Red/Green

Glitch item hex:7B has its execution script pointing to wild Pokémon data. However, by naming yourself (any character)てルめ(any characters or nothing) and talking to the Old Man, the script jumps to item pack #3.

Using 8F (English Red/Blue)

The 8F item doesn't run arbitrary code in at least the French versions.

The player's party Pokémon must be in a certain order and have certain stats:

  1. 5 Pokémon
  2. Pidgey as the first Pokémon
  3. Parasect as the second Pokémon
  4. Onix as the third Pokémon
  5. Tentacool as the fourth Pokémon
  6. Kangaskhan as the fifth Pokémon
  7. Pidgey must have 233 HP

To obtain such a Pidgey, use Rare Candies to raise it to Lv100, then apply 5~6 HP Ups.

If needed, get it poisoned, use a Max Potion (not a Full Restore!), walk 4*(Pidgey's max HP-233) steps and cure the poison.

Another setup allows any Pokémon at the front of the party:

  1. 6 Pokémon
  2. The first Pokémon does not matter
  3. Pidgey as the second Pokémon
  4. Parasect as the third Pokémon
  5. Onix as the fourth Pokémon
  6. Tentacool as the fifth Pokémon
  7. Arbok as the sixth Pokémon
  8. Pidgey must have 233 HP

It is possible to use a super-compressed setup, which requires hex:C3 and hex:D3, two Pokémon that are difficult to obtain.

  1. 3 to 5 Pokémon
  2. hex:C3 as the first Pokémon
  3. Onix as the second Pokémon
  4. hex:D3 as the third Pokémon

Some item setups won't work with this setup; however, inserting two items will fix this problem:

  1. 8F
  2. Any item x[any qty]
  3. X Accuracy x34
  4. Carbos x211
  5. (Listed items)

(credits to NukingDragons for this fix)


When selecting Use on 8F, the game will run code depending on the item pack (starting from item #3).

The bootstrap code translates to the following ASM:

Initial hl = D163

$D163 <- 05 || dec b
$D164 <- 24 || inc h  ; h = D2
$D165 <- 2E ||
$D166 <- 22 || ld l, 22 ; hl = D222
$D167 <- 18 ||
$D168 <- 02 || jr 2  ; pc = D16B
$D169 <- FF ||
$D16A <- FF ||
$D16B <- 24 || inc h  ; h = D3
$D16C <- 00 || nop
$D16D <- E9 || jp (hl)  ; pc = D322

and, for the 6-Pokémon setup,

$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h  ; h = D2
$D166 <- 2E ||
$D167 <- 22 || ld l, 22 ; hl = D222
$D168 <- 18 ||
$D169 <- 2D || jr 2D  ; pc = D197
(...)
$D197 <- 24 || inc h  ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp (hl)  ; pc = D322

To make 8F run code starting from item 1, replace the Onix with a Tangela.

Using 7eme etage / P7 / S7 (French & Italian / Spanish / German Red/Blue)

These items (which will be referred to as "7F" for this part) run code like 8F in English versions.

In these versions, 8F has the much less useful effect of returning to the overworld script, even in battle. This can be used when the Pokémon FF terminator is removed and the player is warped into a Glitch City every four steps, as this will return the player to where they were.

The bootstrap code for 7eme etage, P7 or S7 must be slightly changed from the English version: no matter the setup, the player should replace the Onix with a Graveler.

When selecting Use on 7F, the game will run code depending on the item pack (starting from item #3).

The bootstrap code translates to the following ASM:

Initial hl = D163

$D163 <- 05 || dec b
$D164 <- 24 || inc h  ; h = D2
$D165 <- 2E ||
$D166 <- 27 || ld l, 27 ; l = 27
$D167 <- 18 ||
$D168 <- 02 || jr 2  ; pc = D16B
$D169 <- FF ||
$D16A <- FF ||
$D16B <- 24 || inc h  ; h = D3
$D16C <- 00 || nop
$D16D <- E9 || jp (hl)  ; pc = D327

and, for the 6-Pokémon setup,

$D163 <- 06 ||
$D164 <- ?? || ld b, ??
$D165 <- 24 || inc h  ; h = D2
$D166 <- 2E ||
$D167 <- 27 || ld l, 27 ; hl = D227
$D168 <- 18 ||
$D169 <- 2D || jr 2D  ; pc = D197
(...)
$D197 <- 24 || inc h  ; h = D3
$D198 <- 00 || nop
$D199 <- E9 || jp (hl)  ; pc = D327

To make "7F" run code starting with item 1, replace the Graveler with a Fearow.

Using "ws m" (Yellow)

The Pokémon in the current PC box must be in a certain order for the instruction pointer to be redirected to the item pack:

  1. 11 Pokémon in your current PC box
  2. Seel as the 1st Pokémon in the current PC box
  3. Parasect as the 2nd Pokémon in the current PC box
  4. Growlithe as the 3rd Pokémon in the current PC box
  5. Magikarp as the 4th Pokémon in the current PC box
  6. Psyduck as the 5th Pokémon in the current PC box
  7. Flareon as the 6th Pokémon in the current PC box
  8. Tentacool as the 7th Pokémon in the current PC box
  9. Female Nidoran as the 8th Pokémon in the current PC box
  10. Three more Pokémon
  11. Finally, Seel's HP must be 233

Much like 8F, the contents of the item pack (starting from item 3) will be read as ASM code. Optionally, Seel can be replaced by Butterfree or Mr. Mime.

The bootstrap code translates to the following ASM:

Initial hl = DA7F

$DA80 <- 3A || ldd a, (hl) ; a = 0B
$DA81 <- 2E ||
$DA82 <- 21 || ld l, 21
$DA83 <- 85 || add l ; a = 2C
$DA84 <- 2F || cpl ; a = D3
$DA85 <- 67 || ld h,a ; hl = D321
$DA86 <- 18 ||
$DA87 <- 0F || jr 0F ; pc = DA97
(...)
$DA97 <- E9 || jp (hl) ; pc = D321
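
The bootstrap listings above (8F in English Red/Blue and "ws m" in Yellow) can be checked by interpreting the same bytes. This is an added example, not code from Glitch City Laboratories: it implements only the opcodes those listings use, takes the entry points and initial hl from them, and builds constructed RAM images from the species bytes shown there (Tangela's index 1E and the 44-byte party / 33-byte box struct sizes are supplied here).

```python
# Added example: RAM images are constructed, not dumped from a cartridge.
# Species bytes are the ones in the listings; Tangela (1E) is an added value.
IDX = {"Pidgey": 0x24, "Parasect": 0x2E, "Onix": 0x22, "Tentacool": 0x18,
       "Kangaskhan": 0x02, "Arbok": 0x2D, "Tangela": 0x1E, "Seel": 0x3A,
       "Growlithe": 0x21, "Magikarp": 0x85, "Psyduck": 0x2F, "Flareon": 0x67,
       "Female Nidoran": 0x0F}

def image(base, slots, size, mons):
    """Count byte, species list, FF terminator, then the first three bytes
    (species, HP high, HP low) of each `size`-byte Pokémon struct.
    `mons` is [(name, current_hp)]; names not in IDX become filler 0x99."""
    ids = [IDX.get(name, 0x99) for name, _ in mons]
    mem = dict(enumerate([len(ids)] + ids + [0xFF], start=base))
    for i, (_, hp) in enumerate(mons):
        at = base + slots + 2 + i * size
        mem[at], mem[at + 1], mem[at + 2] = ids[i], hp >> 8, hp & 0xFF
    return mem

def run(mem, pc, hl):
    """Interpret only the opcodes the listings use; return the jp (hl) target."""
    a = 0
    for _ in range(32):
        op, arg = mem[pc], mem.get(pc + 1, 0)
        pc += 1
        if op in (0x00, 0x05):          # nop / dec b: no effect on the target
            continue
        elif op == 0x06:                # ld b, n: skips one operand byte
            pc += 1
        elif op == 0x24:                # inc h
            hl = (hl + 0x100) & 0xFFFF
        elif op == 0x2E:                # ld l, n
            hl, pc = (hl & 0xFF00) | arg, pc + 1
        elif op == 0x18:                # jr e: relative to the next instruction
            pc = (pc + 1 + (arg - 256 if arg > 127 else arg)) & 0xFFFF
        elif op == 0x3A:                # ldd a, (hl)
            a, hl = mem[hl], (hl - 1) & 0xFFFF
        elif op == 0x85:                # add a, l
            a = (a + (hl & 0xFF)) & 0xFF
        elif op == 0x2F:                # cpl
            a ^= 0xFF
        elif op == 0x67:                # ld h, a
            hl = (a << 8) | (hl & 0xFF)
        elif op == 0xE9:                # jp (hl)
            return hl
        else:
            raise ValueError(f"opcode {op:02X} at {pc - 1:04X} is outside the listings")
    raise RuntimeError("no jp (hl) reached")

PARTY, BOX = (0xD163, 6, 44), (0xDA7F, 20, 33)   # (base, slots, struct size)
```

A Pidgey whose HP is not 233, or a box holding a different number of Pokémon, changes the bytes that are executed, so the run either stops on an unlisted opcode or returns a different target.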

Useful item codes

All of the following item lists begin from the first item pack slot.

Non-key item duplication

8F

The item to duplicate x1

X Accuracy x33 (Red/Blue) OR X Accuracy x32 (Yellow)

Revive x201

To obtain the 201 Revive stack, have Revive x73 in the sixth item pack slot, then encounter / capture MissingNo or 'M. It will be a stack of 201 Revives.

Upon using 8F, the quantity of item #2 will be decreased by one. If there was only one item, it will be a stack of zero items. Tossing one of these rolls the quantity back to 255.

Obtain any item (Red/Blue, compressed)

Note: This code does not work with the super-compressed 3 to 5 Pokémon setup.

8F

[Item to morph] x[any qty]

TM03 x141

Full Heal x201 OR Revive x201

To obtain the TM03 x141 and Full Heal x201 stacks, have TM03 x13 or Full Heal x73 in the sixth item pack slot, then encounter/capture MISSINGNO. or 'M. Alternatively, the "Non-Key item duplication" code above can be run, and tossing TM03 x115 or Full Heal x55 will give the correct quantity.

Upon using 8F, the item in your second item pack slot will morph to the item with the next or previous index number, depending on whether Full Heals or Revives are used. Refer to the ItemDex to see which items will result.

Obtain any item

8F

[Item to morph] x[any qty]

Thunderstone x31 (Yellow) OR Thunderstone x32 (Red/Blue)

TM11 x52 OR TM11 x53

TM01 x[any qty]


Upon using 8F, the item in your second item pack slot will morph to the item with the next or previous index number, depending on whether TM11 x52 or x53 was used. Refer to the ItemDex to see which items will result.


Gameshark-like code

The following item list will work the same way a game-altering device does.

8F

Any item x Any qty

X Accuracy x(b2)

Carbos x(b3)

Max Revive x(b1)

Poké Ball x201

To obtain the 201 Poké Balls stack, have Poké Balls x73 in the sixth item pack slot, then encounter / capture MissingNo or 'M. It will be a stack of 201 Poké Balls. It is also possible to use the Non-key items duplication code.

This code aims to write code like the Gameshark code "01(b1)(b2)(b3)".

For example, the code 010138CD, which allows the player to walk through walls, can be transcribed into the following:

X Accuracy x(b2)

Carbos x(b3)

Max Revive x(b1)

Poké Ball x201
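
The transcription above, carried through with actual numbers, as an added example that is not part of the original article. It assumes the "01(b1)(b2)(b3)" layout given above and the Generation I item indexes X Accuracy 2E, Carbos 26, Max Revive 36 and Poké Ball 04, which the CPU reads as ld l / ld h / ld (hl) / inc b, with quantity 201 (C9) read as ret.

```python
# Added example. Item indexes are read by the CPU as opcodes and the
# quantity byte that follows each one as its operand.
ITEMS = [  # (item name, item index = opcode, mnemonic)
    ("X Accuracy", 0x2E, "ld l, {:02X}"),
    ("Carbos",     0x26, "ld h, {:02X}"),
    ("Max Revive", 0x36, "ld (hl), {:02X}"),
]

def gameshark_to_items(code):
    """Turn a '01(b1)(b2)(b3)' code into the item list for slots 3 to 6."""
    code = code.strip().upper()
    if len(code) != 8 or code[:2] != "01":
        raise ValueError("expected 8 hex digits starting with 01")
    b1, b2, b3 = (int(code[i:i + 2], 16) for i in (2, 4, 6))
    stacks = [(name, op, qty, asm.format(qty))
              for (name, op, asm), qty in zip(ITEMS, (b2, b3, b1))]
    stacks.append(("Poké Ball", 0x04, 201, "inc b / ret"))  # bytes 04 C9
    return stacks

def bag_bytes(stacks):
    """Bytes as they lie in the item pack: index, quantity, index, quantity..."""
    return bytes(b for _, op, qty, _ in stacks for b in (op, qty))

def target(code):
    """(address, value) that the resulting routine writes."""
    raw = bag_bytes(gameshark_to_items(code))
    return (raw[3] << 8) | raw[1], raw[5]

if __name__ == "__main__":
    for name, op, qty, asm in gameshark_to_items("010138CD"):
        print(f"{name} x{qty:<3}  ; {op:02X} {qty:02X}  {asm}")
```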

Via text boxes

Via Trainer escape glitch on Sea Route 21

Main article: Sea Route 21 arbitrary text box

Loading the hex:44 text box on Route 21 (via the shelves of Pokémon goods in Cinnabar Poké Mart) executes arbitrary text code from D2C3 in WRAM (the fifth character of the second Pokémon's nickname). This can be manipulated to run arbitrary code; for example with Super Glitch and the expanded party one can convert items in the inventory into Pokémon nicknames and abuse this to obtain Mew as a gift Pokémon via the 08 text function (run ASM following the 08). This trick was documented by Torchickens.

Via Pikachu off-screen glitch

By using the Pikachu off-screen glitch in the Vermilion City Fan Club and making specific movements to force the non-existent sign 04 to appear at coordinates x=1, y=1, it is possible for the player to read the signpost and execute arbitrary code beginning from D221, the catch rate/held item byte of party Pokémon 5.

Outside of speedrunning, a Graveler with 08 c2 (2242) HP stat experience and 1d d3 (7635) Attack stat experience may be used as an applicable Pokémon 5, preferably a Graveler from Victory Road.

If you are using a level 44 Graveler, note that because its total experience cannot really be predicted, you may not be able to get the result dictated by your items. However, saving before the last few Krabby to get different levels, or keeping Rare Candies, saving before talking to the text box and using one if it did not work last time, may fix this.

To get these specific EVs, your Pokémon needs to have encountered the following Pokémon (and no more):

71 Krabby, 1 Farfetch'd, 1 Dugtrio, and 1 Magnemite.

(Thanks FMK for working out what Pokémon to battle).

Steps

Once you have the correct EVs, put your Pokémon in the 5th position of the party, prepare your items from item 1, get the Clefairy event in the Vermilion Fan Club, then do the following steps:

1) Go to the bottom-left walkable tile (putting Pikachu off the screen), then walk up to the top and down to the bottom of the left-most column 11 times, but for the 11th time step one tile short on the final way back down.

2) Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.

3) Step right, then go to the top-left tile you can walk to, face right and press A.

Example codes (all from item 1)

Obtain 255 items:

This allows you to perform glitches that rely on having 20+ items, and to build more complicated item setups if you have spare items such as multiple X Special x1 stacks.

  • Protein x1
  • Repel x1
  • X Accuracy x28
  • Lemonade x1
  • Poké Ball x61
  • Antidote x61
  • Water Stone x37
  • X Accuracy x97
  • TM01 x1

Note: This code may be unstable.

Encounter a Pokémon:

  • Iron x37
  • X Accuracy x88
  • Lemonade x(species you want, 21=Mew)
  • Water Stone x4
  • Protein x4
  • TM01 x1

This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow using a different method. A video of the route by Dabomstew may be found here.

YouTube video by ChickasaurusGL

Via ZZAZZ Trainer hex:FC

This method makes the ZZAZZ trainer hex:FC (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.

Requirements:

  • No Pokémon must ever have been deposited into the Daycare (even on a previous save file)
  • Knowing and being able to perform the Trainer-Fly glitch
  • A Pokémon with a Special stat of 252
  1. One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
  2. Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.
YouTube video by TheZZAZZGlitch

In Generation II

Gold and Silver

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.

Bellsprout, Machop and Machamp's cries make the Coin Case run an "inc sp", which causes the game to run code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon, and finally to the PC items.

Crystal

In Pokémon Crystal, there is a recently found way to execute arbitrary code. It is based on getting a bad clone, renaming boxes to specific names, and jumping there with a specific Trainer ID. This method was used in a speedrun by Werster.

YouTube video by Werster

In Generation III

The method is extremely complicated, but can be achieved.

To learn how, watch this video by TheZZAZZGlitch.
