Burned Tower Silver wrong side glitches

From Glitch City Wiki
More research is needed for this article.

Reason given: Test on Virtual Console releases, where invalid opcodes are ignored



Initiating an encounter with Silver from the left


The Burned Tower Silver wrong side glitches are glitch effects in Pokémon Crystal caused by talking to or approaching Silver in Burned Tower from the left side or from below, instead of from the right side.

These effects were documented by Japanese YouTube user hibiki ganaha, and were later researched by Torchickens/ChickasaurusGL.

These effects vary depending on the language of Pokémon Crystal, and some of them lead to arbitrary code execution. However, the only known way of talking to Burned Tower Silver from the wrong side is via another form of arbitrary code execution, such as a wrong pocket TM used to enable walk through walls.

Details

There is a battle with the rival Silver in Burned Tower.

Exclusively in Pokémon Crystal, the battle with Silver in Burned Tower does not start immediately when the player enters the building.

The player has to approach Silver from the right; he will then walk up to the player and a normal battle takes place, after which Gold falls through the floor.

But if the player uses walk through walls to talk to Silver from the west (an "!" mark will appear) or from the south, a glitch text box will appear.

A different Trainer challenge music is played (the one used for Sailors), and the effects that follow differ between versions.

English version

Freeze with blank text box, unknown opcode.

Japanese version

Most often, a sound resembling Electabuzz's cry plays, then the game's "Game Boy Color only" message appears. Different effects may happen for unknown reasons. On one occasion the low HP sound may play, the music may fade out and 9s may be written to the screen. Additionally, the text box may be written to but the player may not be able to scroll through it. Another time the game may execute arbitrary code in the D4XX-D5XX range.[clarification needed]

French version

Freeze with blank text box, unknown opcode.

Italian version

Freeze with blank text box, unknown opcode.

Spanish version

May freeze the game with a blank text box, though not immediately as in the versions above, or execute code from SRAM B2CD. Silver does not always approach the player from the left.

German version

Glitch text may appear, followed by real text ("Wie hart wir auch kämpfen, der TURM bleibt stehen.", taken from Weiser Eckart in Sprout Tower). Afterwards, a battle will start. If the player has no Pokémon (or no active Pokémon), they can skip the battle either before it begins (no Pokémon) or after it starts (no active Pokémon). If so, the game may execute code from WRAM:C610, and later from WRAM:DD63, which is the total HP of Pokémon 3. This is the most promising route to arbitrary code execution, if appropriate data could be placed from DD63 onward while all Pokémon are fainted. C610 changes as the player walks around, so it is not viable to place arbitrary code there and keep it; with cheats, however, it is.

If the player has Pokémon, then they will battle a male Swimmer called KÄTE with a level 21 Staryu. After defeating him, the game may execute code from SRAM:B3B3.


Proof of concept of arbitrary code execution

As a proof of concept, it is possible to use cheat codes to make the arbitrary code execution in German Crystal have a useful effect.

The following codes will load the unused Trainer debug menu:

013E10C6
012011C6
012112C6
017613C6
015B14C6
01CF15C6
01C916C6

i.e. (the bytes 3E 20 21 76 5B CF C9 written to C610-C616):

ld a,$20
ld hl,$5B76
rst $08
ret

Execute ROM pointer 20:5B76.

The following codes will load the unused memory game, but it may not boot up properly:

013E10C6
013811C6
012112C6
016313C6
015E14C6
01CF15C6
01C916C6

i.e. (the bytes 3E 38 21 63 5E CF C9 written to C610-C616):

ld a,$38
ld hl,$5E63
rst $08
ret

Execute ROM pointer 38:5E63.

Relevant codes

Walk through walls codes:

English, French, Spanish, German, Italian Crystal:

0100FAC2
0100FBC2
0100FCC2
0100FDC2

Japanese Crystal:

01083ED1
01083FD1
010840D1
010841D1
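As an added example, not code from the Glitch City Wiki article, the following Python script decodes the GameShark codes listed under "Proof of concept of arbitrary code execution" and "Relevant codes" above into memory writes, and disassembles the bytes that land at C610 so the ld a / ld hl / rst $08 / ret payload can be checked against the listing. The opcode table covers only the four instructions those payloads use; the `farcall_target` helper, and its reading of `rst $08` as a bank:address far call (the "Execute ROM pointer" the article describes), are assumptions of this example rather than anything the article spells out.

```python
# Added example (not from the article): decode 01XXYYZZ GameShark codes into
# (address, byte) writes, then disassemble the contiguous bytes they form.
from typing import Dict, List, Optional, Tuple


def decode_gameshark(code: str) -> Tuple[int, int]:
    """01XXYYZZ -> (address 0xZZYY, value 0xXX). The address is little-endian."""
    code = code.strip().upper()
    if len(code) != 8 or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError(f"not an 8-digit hex code: {code!r}")
    if code[0:2] != "01":
        raise ValueError(f"unsupported code type {code[0:2]} (expected 01)")
    value = int(code[2:4], 16)
    low, high = code[4:6], code[6:8]
    return int(high + low, 16), value


def apply_codes(codes: List[str]) -> Dict[int, int]:
    """Apply a code list in order; a later write to the same address wins."""
    memory: Dict[int, int] = {}
    for code in codes:
        addr, val = decode_gameshark(code)
        memory[addr] = val
    return memory


# Minimal Game Boy CPU decoder: opcode -> (format string, immediate size).
# Only the instructions used by the article's payloads are recognised.
OPCODES = {
    0x3E: ("ld a,${imm:02X}", 1),
    0x21: ("ld hl,${imm:04X}", 2),
    0xCF: ("rst $08", 0),
    0xC9: ("ret", 0),
}


def disassemble(memory: Dict[int, int], start: int) -> List[str]:
    """Walk forward from `start` through the bytes the codes wrote."""
    out: List[str] = []
    pc = start
    while pc in memory:
        op = memory[pc]
        if op not in OPCODES:
            out.append(f"{pc:04X}: db ${op:02X}   ; opcode not in table")
            pc += 1
            continue
        fmt, size = OPCODES[op]
        imm_bytes = [memory.get(pc + 1 + i) for i in range(size)]
        if any(b is None for b in imm_bytes):
            out.append(f"{pc:04X}: db ${op:02X}   ; truncated immediate")
            break
        imm = sum(b << (8 * i) for i, b in enumerate(imm_bytes))  # little-endian
        out.append(f"{pc:04X}: {fmt.format(imm=imm)}")
        pc += 1 + size
    return out


def farcall_target(memory: Dict[int, int], start: int) -> Optional[str]:
    """Assumption of this example: recognise  ld a,BANK ; ld hl,ADDR ; rst $08
    and return 'BANK:ADDR', treating rst $08 as a far call to bank:hl (the
    'Execute ROM pointer' of the article). Any other byte pattern -> None."""
    b = [memory.get(start + i) for i in range(6)]
    if None in b or b[0] != 0x3E or b[2] != 0x21 or b[5] != 0xCF:
        return None
    return f"{b[1]:02X}:{b[4]:02X}{b[3]:02X}"


# Code lists copied from the article.
DEBUG_MENU_CODES = ["013E10C6", "012011C6", "012112C6", "017613C6",
                    "015B14C6", "01CF15C6", "01C916C6"]
MEMORY_GAME_CODES = ["013E10C6", "013811C6", "012112C6", "016313C6",
                     "015E14C6", "01CF15C6", "01C916C6"]
WTW_NON_JP = ["0100FAC2", "0100FBC2", "0100FCC2", "0100FDC2"]
WTW_JP = ["01083ED1", "01083FD1", "010840D1", "010841D1"]

if __name__ == "__main__":
    for name, codes in [("debug menu", DEBUG_MENU_CODES),
                        ("memory game", MEMORY_GAME_CODES),
                        ("walk through walls (non-JP)", WTW_NON_JP),
                        ("walk through walls (JP)", WTW_JP)]:
        mem = apply_codes(codes)
        start = min(mem)
        print(f"{name}: {len(mem)} bytes at {start:04X}")
        for line in disassemble(mem, start):
            print("   ", line)
        print("    far call target:", farcall_target(mem, start))
```

Run as a script it prints each list's writes: the two German Crystal payloads decode to the four-instruction listings given in the article with targets 20:5B76 and 38:5E63, while the walk through walls codes decode to plain data writes (00 to C2FA-C2FD, 08 to D13E-D141) that do not form a far-call payload at all.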

Credits

  • hibiki ganaha: Documentation
  • ChickasaurusGL: Research, YouTube video, article text (with permission)