Arbitrary code execution

From Glitch City Laboratories

PRAMA Initiative also has a page on Arbitrary code execution.
Bulbapedia also has an article about Arbitrary code execution.
This article is incomplete. Please feel free to add any missing information about the subject. It is missing:

The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote and specific details on Generation III summary and move animation ACE.

Arbitrary code execution (Japanese: 任意コード実行) refers to any method that forces the game to execute code from a writable region of memory, typically WRAM (see Game Boy memory map), instead of from the ROM. If the region holds data the player can control (for example, the representation of the player's current party or the item pack), this can be abused to run custom code written by the player.

It commonly involves an invalid execution pointer, such as the effect pointer of a glitch item in Generation I. In the English versions of Pokémon Gold and Silver, another popular method is a side effect of the Coin Case glitch, which the player can manipulate to run custom assembly code.

The custom code is usually "spelled" with items, because each item stack occupies only two bytes (item ID and quantity) in Generation I/II, or four bytes in Generation III, and the player chooses both the item and the quantity. Box names are another option in Generation II games.

In Generation I

Via items

Each item that is not a TM or HM (more precisely, with an ID below HM01, 0xC4), when used, has its effect looked up in a table of pointers indexed by item ID. Glitch items have IDs past the end of that table, so the two bytes the game reads as the "effect pointer" are whatever happens to follow the table in ROM; for some glitch items those bytes form an address in RAM, and the game jumps there, enabling arbitrary code execution.

All known ACE glitch items jump into an area of RAM that the player can manipulate, but not as conveniently as the item pack. Therefore the usual strategy is to place, at the landing address, only a short stub that jumps to the third item in the item pack, and to write the main payload there. Using such a small first-stage jump to reach a more easily manipulated RAM area is called "bootstrapping".
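As an added illustration of how a payload is laid out in the item pack (this is example code written for this article, not code from Glitch City Laboratories or from any existing ACE setup), the script below models the Generation I bag as the CPU sees it: a count byte at $D31D, two bytes per stack from $D31E, and the third stack at $D322. The addresses are the English Red/Blue layout; the bootstrap stacks (8F in slot 1 plus a filler stack) and the short payload (`ld a, $07 / ld ($D163), a / ret`) are constructed for illustration only, and whether `ret` returns cleanly depends on the bootstrap used.

```python
# Added example for this article (not from Glitch City Laboratories): lay out a
# Game Boy payload as Generation I bag item stacks so its bytes land at the third
# item slot, the usual target of an 8F bootstrap in English Red/Blue.
from typing import Dict, List, Tuple

NUM_BAG_ITEMS = 0xD31D          # count byte of the item pack (wNumBagItems)
BAG_ITEMS = 0xD31E              # first (item ID, quantity) pair
THIRD_ITEM = BAG_ITEMS + 2 * 2  # $D322: the pair an 8F bootstrap jumps to
LIST_END = 0xFF                 # byte the game's list routines treat as the end
MAX_STACKS = 20                 # Generation I bag capacity

ItemStack = Tuple[int, int]     # (item ID, quantity): the two bytes stored in RAM


def payload_to_items(payload: bytes) -> List[ItemStack]:
    """Split raw code bytes into item stacks, two bytes per slot."""
    if len(payload) % 2:
        payload += b"\x00"  # pad with NOP; only reached if execution runs past the end
    stacks: List[ItemStack] = []
    for i in range(0, len(payload), 2):
        item_id, qty = payload[i], payload[i + 1]
        if item_id == LIST_END:
            # $FF in an item-ID position would end the list early, so a payload
            # containing it at an even offset cannot be stored this way as-is.
            raise ValueError(f"byte {i} would be an $FF item ID (list terminator)")
        stacks.append((item_id, qty))
    return stacks


def items_to_bytes(stacks: List[ItemStack]) -> bytes:
    """Inverse of payload_to_items: the bytes the CPU executes when jumping into the pack."""
    return bytes(b for item_id, qty in stacks for b in (item_id, qty))


def build_pack(bootstrap_slots: List[ItemStack], payload: bytes) -> Dict[str, object]:
    """Return the RAM image of the whole pack plus the address of every payload byte."""
    stacks = bootstrap_slots + payload_to_items(payload)
    if len(stacks) > MAX_STACKS:
        raise ValueError("Generation I bag holds at most 20 stacks")
    image = bytes([len(stacks)]) + items_to_bytes(stacks) + bytes([LIST_END])
    code_base = BAG_ITEMS + 2 * len(bootstrap_slots)
    addresses = {code_base + i: payload[i] for i in range(len(payload))}
    return {"stacks": stacks, "image": image, "code_base": code_base, "addresses": addresses}


# Constructed sample: 8F (0x5D) in slot 1, a filler stack in slot 2, payload from slot 3.
BOOTSTRAP = [(0x5D, 1), (0x01, 1)]
# ld a, $07 ; ld ($D163), a ; ret  (writes 7 into the first party data byte)
PAYLOAD = bytes([0x3E, 0x07, 0xEA, 0x63, 0xD1, 0xC9])

if __name__ == "__main__":
    pack = build_pack(BOOTSTRAP, PAYLOAD)
    print(f"pack image at ${NUM_BAG_ITEMS:04X}: {pack['image'].hex(' ')}")
    for slot, (item_id, qty) in enumerate(pack["stacks"], start=1):
        print(f"slot {slot:2}: item 0x{item_id:02X} x{qty}")
    for addr, byte in sorted(pack["addresses"].items()):
        print(f"${addr:04X}: {byte:02X}")
```

Running it prints the pack image with the count byte, the five stacks and the $FF terminator, and shows that the first payload byte sits at $D322, which is the address the bootstrap stub has to jump to.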

Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its ItemDex page.

Version | ID | Name | Effect pointer | Pointing to | Notes
English Red/Blue | 0x5D | 8F | $D163 | Party Pokémon data | Equivalent to 5かい due to the fix for the old man full box glitch
European non-English Red/Blue | 0x5D | 7EME ETAGE / S7 / 7°P / P7 | | Party Pokémon data | Same item as 8F
Japanese Red/Green/Blue | 0x5A | 5かい | $D123 | Party Pokémon data |
English Yellow | 0x63 | ws m | $DA7F | Box Pokémon data |
European non-English Yellow | 0x63 | ws l' m / ws & m | | Box Pokémon data | Same item as ws m
English Yellow | 0x59 | 4F | $FA64 | Middle of daycare data |
European non-English Yellow | 0x59 | 3EME ETAGE / S3 / 3°P / P3 | $FA64 | Middle of daycare data | Same item as 4F
Japanese Red/Green | 0x7B | てヘ | $D806 | Grass encounter table | Can be changed to the player's name by the old man

Note that the items in the European non-English versions are all the same as the corresponding item (same ID) in the English version; however, because of differences in memory layout, the bootstrapping setups are slightly different. (The "floor" items have different numbers because in those countries "first floor" refers to what American English calls the second floor.)

Useful item codes

See Generation I item codes for some useful item lists for 8F (and possibly other ACE methods).

Via text boxes

Each map has a number of map-specific text boxes, with a table of pointers to each piece of text. Certain glitches, such as text box ID matching, can force the game to display a text box ID that does not exist on the current map, so the pointer is read from past the end of the table and may point anywhere, including into RAM. From there, a 0x08 (TX_ASM) text command in a suitable location makes the text engine execute the bytes that follow it, enabling arbitrary code execution.

Notable setups for text box ACE include:

Via "TRAINER 4" (hex:FC)

This method makes "TRAINER 4" (hex:FC), encountered via the Trainer escape glitch, run code based on the data of the Pokémon in the current PC box.

Requirements:

  • No Pokémon must ever have been deposited into the Daycare (even on a previous save file)
  • Knowing and being able to perform the Trainer escape glitch
  • A Pokémon with a Special stat of 252

  1. Perform the Trainer escape glitch using a Pokémon with a Special stat of 252 (hex:FC).
  2. Aside from the ZZAZZ effects, upon selecting an attack the game runs code based on the data of the Pokémon last deposited into the Daycare (specifically at $FA58). If no Pokémon was ever deposited, execution "falls through" into the boxed Pokémon data.

The code at $D040 may also need to be adjusted so as not to freeze the game, because Trainer AI scripts have at least two separate routines (ignoring duplicates). This Trainer is only known to execute code at $FA58 and $D040.

YouTube video by TheZZAZZGlitch

In Generation II


Gold and Silver

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver terminate the Coin Case's "Coins: (x)" text with a hex:57 character, as the Japanese versions do.

While hex:57 is a valid control character in the Japanese versions, it is not in the English versions, so the game ends up jumping to echo RAM address $E112 (a mirror of $C112) and executing whatever is there.

The cries of Bellsprout, Machop and Machamp leave data at that location which executes as an inc sp, so that the game continues running code based on a palette table. Standing at certain positions makes that code jump into the party Pokémon data, and finally into the PC items, where the player's payload is written.

Crystal

Main article: 0x1500 control code arbitrary code execution

In Pokémon Crystal, a more recently discovered method executes arbitrary code by obtaining a Pokémon with an unterminated name (for example, via the bad clone glitch) and viewing the name in a context where it is not protected (e.g. on the stats screen or in the PC).

This method was first used in a speedrun by Werster. The strategy consists of renaming boxes to specific names and jumping into them using a specific Trainer ID. As of 2019, the current any% speedrun route is still based on this method.

YouTube video by Werster

In Generation III

The method is extremely complicated, but can be achieved.

To learn how, watch this video by TheZZAZZGlitch.

In Generation VI

A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.

Related articles