Pokémon Yellow C109 ID 0x0F arbitrary code execution

More research is needed for this article.
	Reason given: Test if the same C109 0x0F script is possible in Red/Blue with a different method to Yellow MissingNo.

Pokémon Yellow C109 ID 0x0F arbitrary code execution is a glitch in Pokémon Yellow, and a form of arbitrary code execution, involving a glitch 0xC109 ID, with a script activated by glitch item Lg -. It used to be notable for its ability to be accessed early in the game, but has since been obsoleted.

It runs the pointer $FA41 (Echo RAM of DA41).

Notes

This glitch does not work on many emulators, except for (one example) later versions of BGB. It is confirmed to function properly on a real Game Boy Advance SP, but it has not been confirmed on other platforms.

Yellow MissingNo. encounter method

If the player encounters Yellow MissingNo. (non-ghost/fossil form) in Viridian Forest, previously erased the save file with Up+Select+B and has never encountered a glitch Pokémon before, the Yellow MissingNo. will not freeze the game.

If the Pokémon menu and PC was opened in front of the PC in Viridian City's Pokémon Center before encountering the Yellow MissingNo., then after ending the battle, C109 is 0x0F which has the ability to execute arbitrary code at FA41 (DA41) after using glitch item "Lg -" (wPlayTimeMaxed, followed by wPlayTimeMinutes, wPlayTimeSeconds and close to Safari Zone and Day Care data).

If the player doesn't have a problematic play time, has never visited the Safari Zone and doesn't have any Day Care data, the code will fall through to DA7F, where a bootstrap Pokémon set up can be used to run code at item 3.

Expanded party method

The exploit can also be done by swapping a Pokémon into Pokémon 91 in the expanded party.

Typically, the swapped Pokémon's lower Defense byte would determine E109 (Echo RAM of C109), but in actuality there are complications such as the lower Defense being overwritten before the swap occurs. Practically, the following setup should work:

• Have the Pokémon to be swapped as Pokémon 2 and Pokémon 91.
• Have it underneath a Q (0xFF) (in slot 1) to avoid a potential zero maximum HP glitch or display related freeze.
• Pokémon 2 must have a certain Trainer ID modulo 256 and the uppermost experience byte corresponding with a valid sound bank (02 02, 08 08, 1F 1F, 20 20, or a combination of banks (e.g. 02 1F)). For example, the Trainer ID 17666 and the experience 132045 (within Level 51 for stable Nidoran♀). 20 is not recommended due to side effects. This is to avoid a sound bank freeze.
• Pokémon 2 must be a Nidoran♀ (note only the first species byte counts and is the only one taken into consideration; so a Nidoran♀ hybrid from the Pokémon merge glitch is also applicable, but not a glitch that changed only the second species byte to Nidoran♀).

Under unknown circumstances, Lg - may corrupt the player's coordinates; adding 0x33 to D360 (y coordinate), 0x80 to D361 (x coordinate), 0x33 to D362 (y coordinate block) and 0x80 to D363 (x coordinate block) and typically moving the player to no longer be adjacent to the entrance of Viridian Forest, but the player can work around that by setting the glitched coordinates in advance, such as FC, 90, CE, 80 with the expanded inventory (the swaps begin at item 34 quantity through to item 36's item; effectively TM01 x 252, p’é ₽ Enemy TRAINE (0x90) x 206 and ₽ ₽ぅ 88 ₽ ぅ 4A (0x80) x(any) are to be swapped in those places (care should be taken not to merge the existing TM01 stack)). This example results in 2F, 10, 01, 00 (where the addition exceeds FF the result is modulo 0xFF (256)); the default coordinates after entering the door leading to Viridian Forest.

Attribution

• Torchickens/ChickasaurusGL (documentation of arbitrary code execution for 0x0F and steps)
• jfb1337 - Searches for jp hl in the disassembly projects, which lead to C109 arbitrary code execution as a concept, and its discovery

YouTube video

This article or section is a stub. You can help Glitch City Wiki by expanding it.