
0x1500 control code arbitrary code execution: Difference between revisions

Revisions by Torchickens (no edit summary)
{{Arbitrary code execution}}
{{incomplete|Original speedrunning method needed}}
[[File:0x1500 Lapras.png|thumb|right|160px|Traded Lapras method. In this case, the arbitrary code execution is triggered after exiting the inventory with A on Cancel with Antidote x21 at the bottom of the bag, and then viewing Lapras's summary.]]
 
'''0x1500 control code arbitrary code execution''' is an [[arbitrary code execution]] method found in {{Crystal}}. It does not occur in {{GS}}.
 
It was discovered by luckytyphlosion. The original method used for speedrunning purposes is not yet covered in this article.
 
This glitch is triggered when the byte 0x15 (the "Day" control character) is immediately followed by 0x00 in a text string; when such a string is printed, execution jumps to memory address 0xCD52. Once the code there is terminated with a ret, the program counter by default resumes at the location in RAM immediately following the 0x1500 sequence.
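As an added illustration (not part of the wiki article), the following Python models how a text printer walks a nickname and where the 0x15 0x00 pair would be hit: a properly terminated name stops at 0x50, while an unterminated name runs straight into the bytes after it. Addresses and sample bytes are constructed; the 0x50 terminator and 0x80-based letter encoding are the standard Gen I/II text encoding, and the 0xCD52 entry point and resume behaviour are taken from the description above.

```python
TERMINATOR = 0x50   # Gen I/II string terminator ("@" in disassemblies)
DAY_CHAR = 0x15     # the "Day" control character named on the page
ACE_ENTRY = 0xCD52  # where the page says execution jumps to

def gen2_encode(text):
    """Encode uppercase ASCII letters in the Gen I/II text encoding (0x80 = 'A' .. 0x99 = 'Z')."""
    return [0x80 + ord(c) - ord("A") for c in text]

def build_ram(base, name_bytes, trailing):
    """Lay out name_bytes at base with trailing bytes right after them
    (constructed sample memory, not a real save or RAM dump)."""
    return {base + i: b for i, b in enumerate(name_bytes + trailing)}

def scan_name(ram, name_addr, max_scan=64):
    """Walk bytes from name_addr the way the text printer would: stop at a
    0x50 terminator, or report the 0x15 0x00 pair and where execution goes.
    Bytes not present in the sample are read as 0x00."""
    addr = name_addr
    for _ in range(max_scan):
        b = ram.get(addr, 0x00)
        if b == TERMINATOR:
            return {"trigger": False, "terminated_at": addr}
        if b == DAY_CHAR and ram.get(addr + 1, 0x00) == 0x00:
            # 0x15 0x00: jump to 0xCD52; after the ret, execution continues
            # at the byte following the 0x1500 pair (as described on the page).
            return {"trigger": True, "trigger_at": addr,
                    "jump_to": ACE_ENTRY, "resume_at": addr + 2}
        addr += 1
    return {"trigger": False, "terminated_at": None}

NAME_ADDR = 0xD000  # constructed sample address, not the real nickname location

# Case 1: a normally terminated nickname. The 0x15 0x00 after the terminator is
# never reached, because the printer stops at 0x50.
RAM_OK = build_ram(NAME_ADDR, gen2_encode("LAPRAS") + [TERMINATOR], [DAY_CHAR, 0x00])

# Case 2: an unterminated 10-letter name with 0x15 0x00 directly after it, the
# layout the page describes for an unterminated name glitch Pokémon.
RAM_GLITCH = build_ram(NAME_ADDR, gen2_encode("ABCDEFGHIJ"), [DAY_CHAR, 0x00])

if __name__ == "__main__":
    for label, ram in (("terminated", RAM_OK), ("unterminated", RAM_GLITCH)):
        print(label, scan_name(ram, NAME_ADDR))
```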
There are various means of setting up this glitch:
 
==Unterminated name glitch Pokémon method w/ traded Lapras and box names==
For this method, an [[unterminated name glitch Pokémon]] is required. A convenient way of getting one is through a box name corruption glitch in {{RBY}}, such as through the [[ItemDex/RB:094|9F (0x5E)]] glitch item in {{RB}}.
 
Interestingly, I found this ACE exploit a while ago when attempting to do regular cloning, but I dismissed it as the result of a crash. (When I was doing some testing regarding cloning, I encountered this glitch again and actually decided to look into it)."
</tt>
 
==Stored unterminated name Pokémon/bad clone method w/ stored PC items==
 
===Video===
{{YouTube|YqD68-2aAjg|Crystal_}}
 
===Requirements===
 
(From Crystal_'s video)
 
1. Items in the PC item storage ending with a ret command, with register de set to a specific value (e.g. 0134)
 
2. A bad clone in the current PC box
 
3. Max Elixer or TM21 (Frustration) in the bag
 
4. Quagsire in party slot 1, with Return as move 1 and a move whose name is fewer than 10 characters long as move 4
 
5. Spearow holding TM50 (Nightmare) in party slot 2. TM49 may also work and depends on the number of items in the PC item storage.
 
===Steps===
1. Save and reset the game just outside of a regular Pokémon Center
 
2. Press up on the d-pad only, until the player character is one tile below the Pokémon Center desk
 
3. Move right only, until facing the wall/edge of map
 
4. Move up only until facing the PC. Do not use the PC yet.
 
5. Press Start and open the player's bag
 
6. Have the cursor point to Max Elixer or TM21, then exit the bag without pressing A on the item
 
7. Go to deposit a Pokémon and view your Quagsire's summary.
 
8. Exit and scroll down to Spearow, then exit Deposit
 
9. Choose Withdraw and move the cursor onto the bad clone/unterminated name Pokémon; the game will display its name together with the 0x1500 sequence that follows it, causing arbitrary code execution.
 
[[Category:Arbitrary code execution]]