Difference between revisions of "Arbitrary code execution"

From Glitch City Laboratories

(→‎Via text boxes: Added an introduction.)
m (forgot to put a word my edit in oops)
 
(16 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
{{Template:Major_glitches}}
 
{{Template:Major_glitches}}
 
{{Template:Arbitrary_code_execution}}
 
{{Template:Arbitrary_code_execution}}
{{PRAMA|8f-code-execution}}
+
{{PRAMA|ace-1G}}
 
{{Bulbapedia}}
 
{{Bulbapedia}}
 
{{incomplete|1=<br><br>The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote and specific details on Generation III summary and move animation ACE}}
 
{{incomplete|1=<br><br>The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote and specific details on Generation III summary and move animation ACE}}
Line 15: Line 15:
  
 
All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and [[Generation I item codes|write the main payload there]]. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".
 
All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and [[Generation I item codes|write the main payload there]]. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".
 +
 +
There are many ways to obtain those glitch items through glitches. In {{RGB}}, the [[Select glitch]] can easily [[item creation Select glitches|create]] any glitch item. In the international versions, the most common method is to first obtain an [[expanded item pack]], then find the glitch item in the X coordinate ([[Celadon looping map trick]]) or in [[roaming items]].
  
 
Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its [[ItemDex]] page.
 
Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its [[ItemDex]] page.
  
 
{|
 
{|
{| align=top style="background: grey; -moz-border-radius: 0.5em; border: 5px solid #000000; color: grey"
+
|}
 +
{| style="background: grey; -moz-border-radius: 0.5em; border: 5px solid #000000; color: grey" align="top"
 
|-
 
|-
 
|
 
|
{| border=1 width="100%" align=left class="sortable" style="background:#f0f0f0; border:1px solid #000000; border-collapse:collapse;"
+
{| class="sortable" style="background:#f0f0f0; border:1px solid #000000; border-collapse:collapse;" width="100%" border="1" align="left"
|-style="background: silver;"
+
|- style="background: silver;"
! Version !! ID !! Name !! Effect pointer !! Pointing to !! Notes
+
!Version!!ID!!Name!!Effect pointer!!Pointing to!!Notes
 +
|-
 +
|English Red/Blue||0x6A||[[ItemDex/RB:106|-gm]]||$DA47||Safari Ball count||Followed by Day Care data and box Pokémon data <br /> Equivalent to なかよしバッジ due to the fix for the [[old man full box glitch]]
 
|-
 
|-
| English Red/Blue || 0x5D || [[ItemDex/RB:093|8F]] || $D163 || Party Pokémon data || Equivalent to 5かい due to the fix for the [[old man full box glitch]]
+
|Japanese Red/Green/Blue||0x67||[[ItemDexJP/RGB:103|なかよしバッジ]]||$D983||Safari Ball count||Followed by Day Care data and box Pokémon data
 
|-
 
|-
| European non-English Red/Blue || 0x5D || [[ItemDex/RB:093#In other European versions|7EME ETAGE / S7 / 7°P / P7]] || <!-- TODO --> || Party Pokémon data || Same item as 8F
+
|English Red/Blue||0x5D||[[ItemDex/RB:093|8F]]||$D163||Party Pokémon data||Equivalent to 5かい due to the fix for the [[old man full box glitch]]
 
|-
 
|-
| Japanese Red/Green/Blue || 0x5A || [[ItemDexJP/RGB:090|5かい]] || $D123 || Party Pokémon data ||
+
|European non-English Red/Blue||0x5D||[[ItemDex/RB:093#In other European versions|7EME ETAGE / S7 / 7°P / P7]]||<!-- TODO -->||Party Pokémon data||Same item as 8F
 
|-
 
|-
| English Yellow || 0x63 || [[ItemDex/Y:099|ws m]] || $DA7F || Box Pokémon data ||
+
|Japanese Red/Green/Blue||0x5A||[[ItemDexJP/RGB:090|5かい]]||$D123||Party Pokémon data||
 
|-
 
|-
| European non-English Yellow || 0x63 || [[ItemDex/Y:099#In other European versions|ws l' m / ws & m]] || <!-- TODO --> || Box Pokémon data || Same item as ws m
+
|English Yellow||0x63||[[ItemDex/Y:099|ws m]]||$DA7F||Box Pokémon data||
 
|-
 
|-
| English Yellow || 0x59 || [[ItemDex/Y:089|4F]] || $FA64 || Middle of daycare data ||
+
|European non-English Yellow||0x63||[[ItemDex/Y:099#In other European versions|ws l' m / ws & m]]||<!-- TODO -->||Box Pokémon data||Same item as ws m
 
|-
 
|-
| European non-English Yellow || 0x59 || [[ItemDex/Y:089#In other European versions|3EME ETAGE / S3 / 3°P / P3]] || $FA64 || Middle of daycare data || Same item as 4F
+
|English Yellow||0x59||[[ItemDex/Y:089|4F]]||$FA64||Middle of Day Care data||
 
|-
 
|-
| Japanese Red/Green || 0x7B || [[ItemDexJP/RG:123|てヘ]] || $D806 || Grass encounter table || Can be changed to the player's name by the [[Old man trick|old man]] <!-- NOTE: Should be tested for JP Blue and JP Yellow, too -->
+
|European non-English Yellow||0x59||[[ItemDex/Y:089#In other European versions|3EME ETAGE / S3 / 3°P / P3]]||$FA64||Middle of Day Care data||Same item as 4F
 +
|-
 +
|Japanese Red/Green||0x7B||[[ItemDexJP/RG:123|てヘ]]||$D806||Grass encounter table||Can be changed to the player's name by the [[Old man trick|old man]]<!-- NOTE: Should be tested for JP Yellow, too -->
 +
|-
 +
|Japanese Blue||0x7B||[[ItemDexJP/B:123]]||$D806||Grass encounter table||See てヘ. Requires [[0x50 sub-tile]].
 
|}
 
|}
 
|}
 
|}
 
Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.)
 
Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.)
  
===Useful item codes===
+
====Useful item codes====
See [[Generation I item codes]] for some useful item lists for 8F (and other ACE methods).
+
See [[Generation I item codes]] for some useful item lists for 8F (and possibly other ACE methods).
  
 
===Via text boxes===
 
===Via text boxes===
 
Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like [[Trainer escape glitch#Text box ID matching|text box ID matching]] can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution.
 
Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like [[Trainer escape glitch#Text box ID matching|text box ID matching]] can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution.
  
====Via Trainer escape glitch on Sea Route 21====
+
Notable setups for text box ACE include:
{{main|Sea Route 21 0x44 text box glitch (English Yellow)}}
 
Loading the hex:44 text box on Route 21 (via the shelves of Pokémon goods in Cinnabar Poké Mart) executes arbitrary text code from D2C3 in WRAM (the fifth character of the second Pokémon's nickname). This can be manipulated to run arbitrary code; for example with [[Super Glitch]] and the [[expanded party]] one can convert items in the inventory into Pokémon nicknames and abuse this to obtain Mew as a gift Pokémon via the 08 text function (run ASM following the 08). This trick was documented by Torchickens.
 
 
 
====Via Pikachu off-screen glitch====
 
<!--Much of this text is copied from ChickasaurusGL's video with permission, who (alias Torchickens) is one of the authors of this article https://www.youtube.com/watch?v=evdxp0UgunQ-->
 
By using the [[Pikachu off-screen glitch]] in the Vermilion City Fan Club and making specific movements to force the non-existing sign 04 to appear at coordinates x=1, y=1, it is possible for the player to read the signpost and execute arbitrary code beginning from D221; the catch rate/held item of party Pokémon 5.
 
 
 
Once you have prepared one of the setups below, put your Pokémon in the 5th position of the party, prepare your items from item 1, get the Clefairy event in the Vermilion Fan Club, then do the following steps:
 
 
 
1) Go to the bottom-left walkable tile (putting Pikachu off the screen), then walk up to the top and down to the bottom of the left-most column 11 times, but for the 11th time step one tile short on the final way back down.
 
 
 
2) Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.
 
 
 
3) Step right, then go the top-left tile you can walk to, face right and press A.
 
 
 
=====Luckless setups=====
 
 
 
5 different setups to use for this trick have been made by Krys3000 and Torchickens/ChickasaurusGL [http://forums.glitchcity.info/index.php?topic=8063.0 in this thread]. They all execute code from item 3 in the pack, similarly to ws m or 4F setups.
 
 
 
# The 4 moves setup involves as 5th Pokémon in the party a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
 
# The 2 moves + HP/Box Level setup involves as 5th Pokémon a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have Double Kick (learned) as first move and Take Down (TM09) as second. Also, the 6th Pokémon can be anything but must have 24 HP currently and also have been lvl24 last time it was stored in the PC. This Pokémon requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
 
# The 4 moves + Glitch Pokémon setup involves as 5th Pokémon the glitch Pokémon PKMN pゥぁ ゥぇ, that can be obtained via several glitches, Equivalent Trade or Time Capsule Exploit. This Pokémon must have Ice Punch, DoubleSlap, Double Kick and BubbleBeam (all can be learned except Bubblebeam which is TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
 
# The Untrained Hitmonchan setup is the only tradeless/glitchless setup. 5th Pokémon would be Hitmonchan and this Pokémon must never have been trained, but must know Strength (HM), Agility, Fire Punch and Ice Punch (it requires rising it to lvl 38 with Rare Candies). This Pokémon must also have 00 PP currently at Strength, 24 at Agility, 14 at Fire Punch (Ice Punch doesn't matter). Also, 6th Pokémon can be anything but must be lvl25, requires currently 24 HP, 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also). The code can be broken at any time by Hitmonchan's IV. The best way is to reset the pick of Hitmonchan to make sure that yours work. For this setup to work, you must also check that when converted into hexadecimal, Hitmonchan's trainer ID won't trigger invalid opcodes or many-bytes opcodes
 
# The underflow-based setup is described [http://forums.glitchcity.info/index.php?topic=8063.msg206641#msg206641 here].
 
 
 
A video of the Hitmonchan setup has been made by ChickasarusGL
 
{{youtube|bewkwWKf7qU|ChickasaurusGL}}
 
 
 
=====Luck-based setup=====
 
 
 
A Graveler with 08 c2 (2242) HP stat experience and 1d d3 (7635) Attack stat experience may be used as an applicable Pokémon 5, preferably a Graveler from Victory Road.
 
 
 
If you are using level 44 Graveler, make note that since you can't really predict its total exp. you may not be able to get your result dictated by items. However, saving before the last few Krabby to get different levels or keeping Rare Candies, saving before talking to the text box and using one if it didn't work last time may fix this.
 
 
 
To get these specific EVs, your Pokémon needs to have encountered the following Pokémon (and no more):
 
 
 
71 Krabby, 1 Farfetch'd, 1 Dugtrio, and 1 Magnemite.
 
 
 
(Thanks FMK for working out what Pokémon to battle).
 
 
 
=====Example codes (all from item 1)=====
 
 
 
Obtain 255 items:
 
 
 
This allows you to do 20+ items related glitches and get more complicated item set ups if you have items like multiple X Special x1 spare.
 
 
 
*Protein x1
 
*Repel x1
 
*X Accuracy x28
 
*Lemonade x1
 
*Poké Ball x61
 
*Antidote x61
 
*Water Stone x37
 
*X Accuracy x97
 
*TM01 x1
 
  
Note: This code may be unstable.
+
*[[Sea Route 21 0x44 text box glitch (English Yellow)]], which is accessed by text box ID matching.
 
+
*[[Pikachu off-screen glitch#Glitch text box activation and arbitrary code execution|Pikachu off-screen glitch ACE]], which works by forcing the non-existing sign 04 to appear in the Vermilion City Fan Club.
Encounter a Pokémon:
 
 
 
*Iron x37
 
*X Accuracy x88
 
*Lemonade x(species you want, 21=Mew)
 
*Water Stone x4
 
*Protein x4
 
*TM01 x1
 
 
 
This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow using a different method. A video of the route by Dabomstew's may be found [https://www.youtube.com/watch?v=mcsKo4K7BNE here].
 
 
 
{{Youtube|evdxp0UgunQ|ChickasaurusGL}}
 
  
 
===Via "TRAINER 4" (hex:FC)===
 
===Via "TRAINER 4" (hex:FC)===
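Review bot: the new Japanese Blue row at the bottom of the glitch item table links [[ItemDexJP/B:123]] with no display name, while every other row gives the item's name as link text (for example [[ItemDexJP/RG:123|てヘ]]); either supply the name or note in the row why it has none. The two European rows still carry `<!-- TODO -->` in the effect pointer column; in a sortable table an explicit "unknown" cell is clearer than an HTML comment that renders as an empty cell. The rewritten "Via text boxes" section replaces the full Sea Route 21 and Pikachu off-screen walkthroughs with the two-item list under "Notable setups for text box ACE include:", which is fine as long as the luckless/luck-based setups and example item codes that were removed here are present on the linked pages.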
Line 128: Line 70:
  
 
Requirements :
 
Requirements :
* No Pokémon must ever have been deposited info the Daycare (even on a previous save file)
 
* Knowing and being able to perform the [[Trainer escape glitch]]
 
* A Pokémon with a Special stat of 252
 
  
# One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
+
*No Pokémon must ever have been deposited info the Daycare (even on a previous save file)
# Aside from the [[ZZAZZ glitch|ZZAZZ effects]], upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.
+
*Knowing and being able to perform the [[Trainer escape glitch]]
 +
*A Pokémon with a Special stat of 252
 +
 
 +
#One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
 +
#Aside from the [[ZZAZZ glitch|ZZAZZ effects]], upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.
  
 
The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.
 
The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.
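Review bot: the first requirement, "No Pokémon must ever have been deposited info the Daycare", carries the typo "info" for "into" in both the old bulleted list and the new one, so the edit missed a chance to fix it; and "The code at $D040 may also to be adjusted" in the closing paragraph should read "may also need to be adjusted". The switch from "*" requirement bullets followed by "#" steps is otherwise consistent with the rest of the page.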
Line 140: Line 83:
  
 
==In [[bp:Generation II|Generation II]]==
 
==In [[bp:Generation II|Generation II]]==
 +
{{PRAMA|ace-2G}}
  
 
===Gold and Silver===
 
===Gold and Silver===
 
{{main|Coin Case glitch}}
 
{{main|Coin Case glitch}}
 +
 
The English versions of {{GS}} use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.
 
The English versions of {{GS}} use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.
  
Line 151: Line 96:
 
===Crystal===
 
===Crystal===
 
{{main|0x1500 control code arbitrary code execution}}
 
{{main|0x1500 control code arbitrary code execution}}
 +
 
In {{C}}, there is a recently found way to execute arbitrary code. It is based on getting [[unterminated name Pokémon (Generation II)|a Pokémon with an unterminated name]] (can be done with the [[bad clone glitch]]) and viewing its name unprotected (e.g. in the stats screen or in the PC).
 
In {{C}}, there is a recently found way to execute arbitrary code. It is based on getting [[unterminated name Pokémon (Generation II)|a Pokémon with an unterminated name]] (can be done with the [[bad clone glitch]]) and viewing its name unprotected (e.g. in the stats screen or in the PC).
  
This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. As of 2019, The [[Pokémon Crystal any% speedrun route|current any% speedrun route]] is still based on this method.
+
This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the [[Pokémon Crystal any% speedrun route|any% speedrun route]] was based on this method. However, [https://pastebin.com/3satHMsE the current route] now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored.
 
{{Youtube|Gj7m4vh18c8|Werster}}
 
{{Youtube|Gj7m4vh18c8|Werster}}
  
 
==In [[bp:Generation III|Generation III]]==
 
==In [[bp:Generation III|Generation III]]==
The method is extremely complicated, but can be achieved.
+
There are at least three methods of arbitrary code execution, all stemming from the use of [[Glitzer Popping]].
 +
 
 +
===Via stack overflow===
 +
Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM.
 +
 
 +
The method is dependent on save block ordering and is somewhat impractical, but was first performed in [http://youtu.be/m9pvNYdhldo this video] by TheZZAZZGlitch.
 +
 
 +
===Via glitch move animation===
 +
Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc.
 +
By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc.
 +
Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000.
 +
{| class="wikitable"
 +
|-
 +
!Version!!Move ID!!EVs!!Target
 +
|-
 +
|US||0x1608||8 HP 22 Attack||0x02030400 (Box 12, slot 15)
 +
|-
 +
|JP||0x3110||16 HP 49 Attack||0x02330000 (Box 12, slot 14)
 +
|}
 +
As for the animation script, a Pokemon nickname can be used on Japanese Emerald, using this [https://bulbapedia.bulbagarden.net/wiki/Character_encoding_in_Generation_III character map].
 +
An example script may look like: 1F zz yy xx ww FF to execute code at address 0xWWXXYYZZ.
  
To learn how, watch [http://youtu.be/m9pvNYdhldo this video] by TheZZAZZGlitch.
+
On other versions, setting up the bootstrap script is more complicated. There is a [https://pastebin.com/U5ajVMp8 Pastebin guide] for this by Metarkai.
 +
 
 +
This strategy was used in [https://www.youtube.com/watch?v=cY_O9nRwxc4&t=3309s this TAS] by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name.
 +
 
 +
This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working.
 +
 
 +
===Via glitch sprite animation===
 +
Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx.
 +
{| class="wikitable"
 +
|-
 +
!Version!!Species ID!!EVs!!Target!!ARM/THUMB
 +
|-
 +
|US||0x40E9||233 HP 64 Attack||0x0206FFFF (Box 12 Slot 3)||THUMB
 +
|-
 +
|US||0x0611*||17 HP 6 Attack||0x0206FEFE (Box 12 Slot 3)||ARM
 +
|-
 +
|JP||0x085F||95 HP 8 Attack||0x0206FFFF (Box 12 Slot 3)||THUMB
 +
|-
 +
|JP||0x0615*||21 HP 6 Attack||0x0206FEFE (Box 12 Slot 3)||ARM
 +
|}
 +
Species IDs with asterisks cannot be safely viewed from the summary screen; the game will crash from its species name. They can only be used for ACE by either hatching them from an Egg, or viewing their animation in a Pokemon Contest.
 +
 
 +
[https://problemkaputt.de/gbatek.htm THUMB or ARM code] can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters.
 +
 
 +
On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions.
 +
 
 +
This glitch has been used in the latest (as of 2020/03/19) Any% WR Emerald speedrun by Startoria: https://www.youtube.com/watch?v=M5HrQM5boQs. The code used in the run was written by merrp.
 +
 
 +
This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3.
  
 
==In [[bp:Generation VI|Generation VI]]==
 
==In [[bp:Generation VI|Generation VI]]==
 
A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.
 
A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.
 +
 +
==Custom data==
 +
Arbitrary code execution can be used to create custom data, such as sprites, text and sounds.
 +
 +
*[[Arbitrary sprites|Custom Pokémon and Trainer front/back sprites]]
 +
*[[Custom maps]]
 +
*[[Custom player sprite]]
 +
*[[Custom Pokédex entries]]
 +
*[[Custom screens]]
 +
*[[Custom text boxes]]
 +
*[[Custom tilesets]]
 +
*[[Custom PCM sound effects]]
  
 
==Related articles==
 
==Related articles==
 +
 
*[[Executing large programs with arbitrary code execution]].
 
*[[Executing large programs with arbitrary code execution]].
 
*[[Cart-swap arbitrary code execution]]
 
*[[Cart-swap arbitrary code execution]]
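Review bot: in the new "Via glitch sprite animation" section, the US Emerald paragraph says to place the mode-switching nickname in Box 12 Slot 4 but then says execution switches into ARM mode "at Box 12 Slot 13's nickname"; confirm which slot is meant, since the closing paragraph again recommends Box 12 Slot 4 for code placement. The "1/32 chance" figure for the move animation method and the "100% of the time" claim for the sprite animation method are stated without saying where they were measured; linking the post or video where the maximum shift distance was worked out would let readers check them. The address-mirroring remark (0x02330000 mirrored with 0x02030000, 0x0206xxxx with 0x0202xxxx) is stated twice; one note before the first table with a back-reference would do.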
Line 171: Line 178:
 
*[[List of arbitrary code execution programs]]
 
*[[List of arbitrary code execution programs]]
 
*[[GB Programming]]
 
*[[GB Programming]]
 
  
 
[[Category:Arbitrary code execution|*]]
 
[[Category:Arbitrary code execution|*]]

Latest revision as of 00:49, 17 May 2020

This article is incomplete. Please feel free to add any missing information about the subject. It is missing:

The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote and specific details on Generation III summary and move animation ACE.

Arbitrary code execution (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code from a writable memory region, often WRAM or other RAM (see Game Boy memory map). If that region is manipulable (e.g. if it holds a representation of the player's current party), this can be abused to run custom code written by the player.

It commonly involves an invalid execution pointer (such as via glitch items in Generation I). Another popular method, in English Pokémon Gold and Silver, is a side effect of the Coin Case glitch, which the player can manipulate to run custom assembly code.

This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games.

In Generation I

Via items

Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution.

All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and write the main payload there. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".
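To make the "items as code" idea concrete, here is an added example (not code from the wiki or from any game) that models the Generation I item pack as the byte buffer a payload is written into. It assumes the standard Generation I bag layout: one item-count byte, then one (item ID, quantity) pair per stack, then a 0xFF terminator; it does not model addresses, which the ItemDex pages cover.

```python
"""Viewing a Generation I item pack as the byte buffer an ACE payload lives in.

Added example, not code from the wiki or from any game. Assumes the standard
Generation I bag layout: one item-count byte, then one (item ID, quantity)
pair per stack, then a 0xFF terminator.
"""

BAG_TERMINATOR = 0xFF
NOP = 0x00                  # Game Boy CPU 'nop', used to pad an odd-length payload
NORMAL_QTY = range(1, 100)  # stack sizes normal gameplay can produce (1..99)


def pack_bytes(items):
    """Serialise a list of (item_id, quantity) stacks the way the pack stores them."""
    out = bytearray([len(items)])
    for item_id, qty in items:
        if not (0 <= item_id <= 0xFF and 0 <= qty <= 0xFF):
            raise ValueError("item ID and quantity are single bytes")
        out += bytes([item_id, qty])
    out.append(BAG_TERMINATOR)
    return bytes(out)


def stack_offset(slot):
    """Offset of the ID byte of the 1-based item slot inside the pack buffer.

    Slot 1 sits right after the count byte, so slot 3 (the usual bootstrap
    target described in the article) begins at offset 5.
    """
    return 1 + 2 * (slot - 1)


def stacks_for_payload(payload):
    """Split machine-code bytes into the (item ID, quantity) pairs that spell them.

    Even-indexed bytes land in item-ID positions and odd-indexed bytes in
    quantity positions. That is the constraint item codes have to work
    around: every second byte must also be a plausible stack size. Returns the
    pairs plus the 1-based slots whose quantity byte falls outside 1..99.
    """
    if len(payload) % 2:
        payload = payload + bytes([NOP])
    pairs = [(payload[i], payload[i + 1]) for i in range(0, len(payload), 2)]
    awkward = [i + 1 for i, (_, qty) in enumerate(pairs) if qty not in NORMAL_QTY]
    return pairs, awkward


if __name__ == "__main__":
    # constructed sample: "ld a,1 ; ret" (3E 01 C9) viewed as item stacks
    pairs, awkward = stacks_for_payload(bytes([0x3E, 0x01, 0xC9]))
    print(pairs, "quantity outside 1..99 in slots:", awkward)
```

The `awkward` list is the part worth looking at: it is exactly the set of payload bytes that cannot simply be typed in as a quantity, which is why published item codes are chosen so that their odd bytes double as sensible stack sizes.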

There are many ways to obtain those glitch items through glitches. In Pokémon Red, Green, and Pokémon Blue (Japanese), the Select glitch can easily create any glitch item. In the international versions, the most common method is to first obtain an expanded item pack, then find the glitch item in the X coordinate (Celadon looping map trick) or in roaming items.

Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its ItemDex page.

Version | ID | Name | Effect pointer | Pointing to | Notes
English Red/Blue | 0x6A | -gm | $DA47 | Safari Ball count | Followed by Day Care data and box Pokémon data. Equivalent to なかよしバッジ due to the fix for the old man full box glitch.
Japanese Red/Green/Blue | 0x67 | なかよしバッジ | $D983 | Safari Ball count | Followed by Day Care data and box Pokémon data.
English Red/Blue | 0x5D | 8F | $D163 | Party Pokémon data | Equivalent to 5かい due to the fix for the old man full box glitch.
European non-English Red/Blue | 0x5D | 7EME ETAGE / S7 / 7°P / P7 | | Party Pokémon data | Same item as 8F.
Japanese Red/Green/Blue | 0x5A | 5かい | $D123 | Party Pokémon data |
English Yellow | 0x63 | ws m | $DA7F | Box Pokémon data |
European non-English Yellow | 0x63 | ws l' m / ws & m | | Box Pokémon data | Same item as ws m.
English Yellow | 0x59 | 4F | $FA64 | Middle of Day Care data |
European non-English Yellow | 0x59 | 3EME ETAGE / S3 / 3°P / P3 | $FA64 | Middle of Day Care data | Same item as 4F.
Japanese Red/Green | 0x7B | てヘ | $D806 | Grass encounter table | Can be changed to the player's name by the old man.
Japanese Blue | 0x7B | ItemDexJP/B:123 | $D806 | Grass encounter table | See てヘ. Requires 0x50 sub-tile.

Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.)

Useful item codes

See Generation I item codes for some useful item lists for 8F (and possibly other ACE methods).

Via text boxes

Each map has a number of map-specific text boxes, with a table of pointers to each piece of text. Certain glitches, such as text box ID matching, can force the game to display a text box ID that does not exist on the current map, so the pointer is read from beyond the table and may point anywhere, including into RAM. From there, a 0x08 (TX_ASM) text command in a suitable location makes the text engine execute the bytes that follow it as code, enabling arbitrary code execution.

Notable setups for text box ACE include:

Via "TRAINER 4" (hex:FC)

This method will make "TRAINER 4" (hex:FC) (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.

Requirements:

  • No Pokémon must ever have been deposited into the Day Care (even on a previous save file)
  • Knowing and being able to perform the Trainer escape glitch
  • A Pokémon with a Special stat of 252

Steps:

  1. Perform the Trainer escape glitch using a Special stat of 252 (hex:FC).
  2. Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Day Care (specifically at $FA58) will be run. If no Pokémon was ever deposited, execution "falls through" to boxed Pokémon data.

The code at $D040 may also need to be adjusted so as not to freeze the game, because Trainer AI scripts have at least two (ignoring duplicates) separate routines. This Trainer is only known to execute code at $FA58 and $D040.

YouTube video by TheZZAZZGlitch

In Generation II

Gold and Silver

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.

Bellsprout, Machop and Machamp's cries make the Coin Case code run an "inc sp" instruction, which switches the game to running code based on a palette table. Standing at certain places makes that code jump into party Pokémon data, and finally into the PC items.

Crystal

Main article: 0x1500 control code arbitrary code execution

In Pokémon Crystal, there is a recently found way to execute arbitrary code. It is based on getting a Pokémon with an unterminated name (can be done with the bad clone glitch) and viewing its name unprotected (e.g. in the stats screen or in the PC).

This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the any% speedrun route was based on this method. However, the current route now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored.

YouTube video by Werster

In Generation III

There are at least three methods of arbitrary code execution, all stemming from the use of Glitzer Popping.

Via stack overflow

Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM.

The method is dependent on save block ordering and is somewhat impractical, but was first performed in this video by TheZZAZZGlitch.

Via glitch move animation

Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc. By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc. Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000.

Version | Move ID | EVs | Target
US | 0x1608 | 8 HP, 22 Attack | 0x02030400 (Box 12, slot 15)
JP | 0x3110 | 16 HP, 49 Attack | 0x02330000 (Box 12, slot 14)

As for the animation script, on Japanese Emerald a Pokémon nickname can be used, using this character map. An example script may look like 1F zz yy xx ww FF, which executes code at address 0xWWXXYYZZ (the address bytes are stored little-endian, lowest byte first).

On other versions, setting up the bootstrap script is more complicated. There is a Pastebin guide for this by Metarkai.

This strategy was used in this TAS by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name.

This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working.
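The following is an added example, not code from the wiki, from merrp's TAS or from any game. It encodes and decodes the 1F zz yy xx ww FF bootstrap script described above, folds mirrored EWRAM addresses onto their first image (the 0x02330000 / 0x02030000 note here, and the 0x0206xxxx / 0x0202xxxx note in the sprite animation section), and spells the script as a Japanese nickname. The character map it uses is partial: it is reconstructed from the article's own まけねうい example extended in standard gojūon order (an assumption), and only covers the hiragana from あ to ま. The five-character Japanese nickname limit is also assumed.

```python
"""Encoding, decoding and checking an Emerald move-animation bootstrap script.

Added example, not code from the wiki or any game. Script format
(1F zz yy xx ww FF = run code at 0xWWXXYYZZ) and the mirroring note come
from the article; the partial charmap is reconstructed from its まけねうい
example plus gojuon order (assumption) and covers only あ..ま.
"""

JUMP_CMD = 0x1F
END_CMD = 0xFF             # also the Generation III string terminator
EWRAM_BASE = 0x02000000
EWRAM_SIZE = 0x40000       # 256 KiB, repeated (mirrored) throughout 0x02xxxxxx
JP_NICKNAME_MAX = 5        # assumed: Japanese Generation III nicknames hold 5 characters

# partial Japanese charmap, 0x01 = あ running in gojuon order up to 0x1F = ま
_HIRAGANA = "あいうえおかきくけこさしすせそたちつてとなにぬねのはひふへほま"
JP_CHARMAP = {ch: i + 1 for i, ch in enumerate(_HIRAGANA)}
JP_CHARMAP_REV = {v: k for k, v in JP_CHARMAP.items()}


def canonical_ewram(addr):
    """Fold a mirrored EWRAM address onto its first image, e.g. 0x02330000 -> 0x02030000."""
    if not EWRAM_BASE <= addr < EWRAM_BASE + 0x01000000:
        raise ValueError("not an EWRAM (0x02xxxxxx) address")
    return EWRAM_BASE + (addr - EWRAM_BASE) % EWRAM_SIZE


def bootstrap_script(target):
    """Build the six-byte 'jump to target' script: 1F, little-endian address, FF."""
    return bytes([JUMP_CMD]) + target.to_bytes(4, "little") + bytes([END_CMD])


def script_target(script):
    """Recover the target address from a bootstrap script, rejecting malformed input."""
    if len(script) != 6 or script[0] != JUMP_CMD or script[-1] != END_CMD:
        raise ValueError("not a 1F zz yy xx ww FF script")
    return int.from_bytes(script[1:5], "little")


def script_as_jp_nickname(script):
    """Spell the script's bytes (minus the FF terminator) as a Japanese nickname.

    The name terminator is the same FF byte that ends the script, so only the
    five bytes before it have to be typed in. Bytes outside the partial
    charmap, or a body longer than a nickname, are refused.
    """
    body = script[:-1]
    if len(body) > JP_NICKNAME_MAX:
        raise ValueError("script does not fit a Japanese nickname")
    try:
        return "".join(JP_CHARMAP_REV[b] for b in body)
    except KeyError as exc:
        raise ValueError(f"byte {exc.args[0]:#04x} is not in the partial charmap") from None


def jp_nickname_to_bytes(name):
    """Encode a nickname with the partial charmap and append the FF terminator."""
    return bytes(JP_CHARMAP[ch] for ch in name) + bytes([END_CMD])


if __name__ == "__main__":
    script = bootstrap_script(0x02031809)       # the article's 1F 09 18 03 02 FF example
    print(script.hex(" ").upper(), script_as_jp_nickname(script))
    print(hex(canonical_ewram(0x02330000)), hex(canonical_ewram(0x0206FFFF)))
```

Round-tripping the article's own example (1F 09 18 03 02 FF is まけねうい and targets 0x02031809) is the quickest check that the charmap and byte order are right before relying on either for a longer script.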

Via glitch sprite animation

Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx.

Version | Species ID | EVs | Target | ARM/THUMB
US | 0x40E9 | 233 HP, 64 Attack | 0x0206FFFF (Box 12, slot 3) | THUMB
US | 0x0611* | 17 HP, 6 Attack | 0x0206FEFE (Box 12, slot 3) | ARM
JP | 0x085F | 95 HP, 8 Attack | 0x0206FFFF (Box 12, slot 3) | THUMB
JP | 0x0615* | 21 HP, 6 Attack | 0x0206FEFE (Box 12, slot 3) | ARM

Species IDs with asterisks cannot be safely viewed from the summary screen; the game will crash from its species name. They can only be used for ACE by either hatching them from an Egg, or viewing their animation in a Pokemon Contest.

THUMB or ARM code can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters.

On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions.

This glitch has been used in the latest (as of 2020/03/19) Any% WR Emerald speedrun by Startoria: https://www.youtube.com/watch?v=M5HrQM5boQs. The code used in the run was written by merrp.

This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3.

In Generation VI

A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.

Custom data

Arbitrary code execution can be used to create custom data, such as sprites, text and sounds.

Related articles