Self-referential control character abuse

From Glitch City Wiki

Self-referential control character abuse refers to any exploit in the Pokémon games in which a text control character prints text that refers back to the same control character, resulting in an infinite loop. In practice the loop is indefinite rather than truly infinite: the resulting buffer overflow may at some point freeze the game or break the text printing routine (e.g. via corruption of the stack).

For self-referential control character abuse to succeed, the game must also not encounter a terminating byte (where relevant, such as 0x00 or 0x50) before the control character refers back to itself.

Examples

  • Infinitely long enemy Pokémon name - If wild appeared! is exploited under certain conditions (such as facing a Geodude with the move Earthquake (0x59)), the game will print the Enem. control character (0x59) in an infinite loop, potentially either freezing the game or allowing the player to escape the battle into a glitched overworld. 0x59 prints wBattleMonNick if it is the enemy's turn, and wEnemyMonNick if it is the player's turn.
  • A similar exploit may be possible with 0x5A (wEnemyMonNick on the enemy's turn, wBattleMonNick on the player's turn), again if wEnemyMonNick or wBattleMonNick contains another 0x5A.
  • ÙEnem. ゥ♀úÍ (F0) in Spanish Pokémon Red and Blue includes the Enem. control character within its own name, and the infinite loop occurs if it is faced on the opponent's side.
  • The 0x52 control character (player's name) can be included within the player's own name, resulting in an infinite loop.
  • The same applies to the 0x53 control character (rival's name) when facing the rival.
  • In Generation II, 0x3F is an enemy control character that includes the Trainer class. In a remote code execution exploit by Tetsuji, this byte is written to wOTClassName ($C64C). A later occurrence of another 0x3F at $D29C leads to a recurrence (and a stack overflow); the program counter falls into WRAM for arbitrary code execution after a ret executes with the stack pointer in locked SRAM. However, pfero is skeptical that this would work on real hardware because of difficult-to-predict open bus behaviour.
  • An exploit similar to the infinite player's name may be possible with <PLAY_G> (PlaceGenderedPlayerName) in Pokémon Crystal.
  • An exploit may be possible with a mobile script (0x15) in (Japanese) Pokémon Crystal.
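As an added example that is not from this wiki page or the games' own code, the following Python model of a Generation I style text printer shows why a buffer containing its own control byte recurses without bound, why a terminator reached first prevents the loop, and how a cycle check would catch it. The byte-to-buffer mapping follows the page; the character set, RAM contents and the modelled stack depth are constructed for illustration.

```python
# Added example, not from the Glitch City Wiki page or the games' own code: a toy
# model of a Generation I text printer whose control bytes expand named RAM
# buffers. Character set, buffer contents and stack depth are constructed here.
TERMINATORS = {0x00, 0x50}  # bytes that end a string before any later control byte
CHARSET = {0x80 + i: chr(ord("A") + i) for i in range(26)}  # constructed: 0x80 = 'A'

class SelfReference(Exception):
    """Raised by the guarded printer when a buffer expands into itself."""

def control_target(byte, player_turn):
    """Return the buffer a control byte prints (per the page), or None for a plain character."""
    nick = (("wEnemyMonNick", "wBattleMonNick") if player_turn
            else ("wBattleMonNick", "wEnemyMonNick"))  # 0x59 and 0x5A swap with the turn
    return {0x52: "wPlayerName", 0x53: "wRivalName", 0x59: nick[0], 0x5A: nick[1]}.get(byte)

def print_text(data, buffers, player_turn=True, guard=False, max_depth=16, _active=()):
    """Decode `data`; guard=True refuses cyclic expansions instead of recursing until
    the modelled stack (max_depth nested expansions) overflows, as the game would."""
    if len(_active) > max_depth:
        raise RecursionError("stack overflow: " + " -> ".join(_active))
    out = []
    for byte in data:
        if byte in TERMINATORS:
            break  # a terminator reached first means no loop, as the page notes
        target = control_target(byte, player_turn)
        if target is None:
            out.append(CHARSET.get(byte, "?"))
        elif guard and target in _active:
            raise SelfReference(" -> ".join(_active + (target,)))
        else:
            out.append(print_text(buffers[target], buffers, player_turn, guard,
                                  max_depth, _active + (target,)))
    return "".join(out)

def encode(word):
    """Constructed helper: uppercase ASCII to toy charset bytes."""
    return [0x80 + ord(c) - 0x41 for c in word]

def demo(player_turn=True):
    """Constructed RAM: the enemy nickname ends with its own Enem. byte (0x59)."""
    buffers = {"wPlayerName": encode("RED") + [0x50], "wRivalName": encode("BLUE") + [0x50],
               "wEnemyMonNick": encode("GEODUDE") + [0x59, 0x50],
               "wBattleMonNick": encode("PIKACHU") + [0x50]}
    text = [0x59, 0x50]  # "<Enem.>" followed by a terminator
    try:
        return print_text(text, buffers, player_turn, guard=True)
    except SelfReference as loop:
        return "loop: " + str(loop)
```

On the player's turn `demo()` reports the cycle wEnemyMonNick -> wEnemyMonNick, while on the enemy's turn the same byte resolves to wBattleMonNick and prints normally; calling `print_text` without `guard` on the looping buffer raises the modelled stack overflow instead.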