0x1500 control code arbitrary code execution

From Glitch City Wiki
Revision as of 18:36, 8 September 2018 by >Torchickens (Created page with "{{Arbitrary code execution}} {{incomplete}} '''0x1500 control code arbitrary code execution''' is an arbitrary code execution method found in {{Crystal}}. It does not occ...")

0x1500 control code arbitrary code execution is an arbitrary code execution method found in Pokémon Crystal. It does not occur in Pokémon Gold and Silver.

This glitch involves the byte 0x15 (the "Day" control character) immediately followed by 0x00 in a text string. When the text engine processes this pair, it jumps to memory address 0xCD52 in WRAM, so the bytes stored there are executed as code. Because the text engine pushes the string's source address before the jump, a ret at the end of that code returns to the location following the 0x15 0x00 sequence in RAM, and execution continues from there.

There are various means of setting up this glitch:

Unterminated name Pokémon method

For this method, a Pokémon with an unterminated name is required. A convenient way of getting one is through a nickname corruption glitch in Pokémon Red, Blue and Yellow that affects Pokémon stored in the PC box, such as using the 9F (0x5E) glitch item in Pokémon Red and Blue.

Requirements

1) A Lapras with Perish Song (learned at level 29 in Generation II), Bide (TM34 in Generation I) and Safeguard (learned at level 50 in Generation II); this is the Pokémon whose name will be corrupted. It needs a way to gain experience, such as an Exp. Share or Rare Candies (in the demonstration video, Rare Candies are used from outside the items pocket, which allows them to be used effectively infinitely).

2) The 9F glitch item in Pokémon Red/Blue, if you want to corrupt Lapras' name without creating a bad clone in Generation II. When the 9F glitch item is used many times with Lapras in the box, its nickname will become corrupted.

You can then save, reset the game and withdraw it; its moves should not be corrupted if 9F was not used too many times. The 9F glitch item can be obtained with the dry underflow glitch (https://www.youtube.com/watch?v=ZyppA...) combined with the Celadon looping map trick (http://glitchcity.info/wiki/Celadon_l...).

3) Two Generation II core games: a Crystal save that has only just gained the ability to trade (a precaution, since the glitch did not work on a later save file), and a second Generation II game with Time Capsule access (after meeting Bill in Ecruteak City and waiting a day) in which to raise Lapras to level 50.

4) Specific box names, entered starting from storage box 1 (listed below).

Steps

1) In Generation I, teach a level 28 Lapras Bide via TM34, so that Bide is in move slot 2.

2) Deposit Lapras in the PC and corrupt its nickname with the 9F glitch item, using 9F about 15 times per iteration and checking the name each time.

3) Once the nickname is corrupted, save and reset. View a Pokémon summary (this allows a Pokémon with an unterminated name to be withdrawn) and withdraw Lapras.

4) Trade it to a Generation II game. The Time Capsule must be enabled: meet Bill in Ecruteak City and wait one day.

5) Raise it to level 29 (e.g. with Rare Candies) to learn Perish Song in move slot 1, then to level 50 to learn Safeguard in move slot 3.

6) Trade it to a new Crystal save that has just reached the first Pokémon Center, with 21 Antidotes purchased.

7) Enter the box name codes and save after every iteration. The codes are listed below by Roman numeral:

i) get TM17
ii) all badges
iii) have Fly
iv) Fly can go anywhere
v) get the GS Ball in the Goldenrod City Pokémon Center
vi) Master Ball in items slot 2
vii) Rare Candy in Balls slot 1 (buy a ball first if necessary)
viii or x) advance the day to Wednesday or Thursday so that the GS Ball event is checked
xi and xii) obtain an Egg first, then change it to Mew with xi and set the hatch cycles to 1 with xii
xiii) warp to the Safari Zone to finish off the demonstration

Box name codes (from slot 1)

i) Get TM17 with code at DA47 to go to DB75:

p0'déT2(Pk)5
p'vzéM5p5
'vd'v(éA45
p'vyé:5p5
'vLéB4p'vx
ém5p0555
éI4x'd

xor a
or d0
ld (f893),a
pop hl
ei
ld d,b
xor a
sub b9 ; a = 47
ld (fb8c),a
xor a
ei
ld d,b
sub a3
sub 9a ; a = c3
ld (fa80),a
ei
ld d,b
xor a
sub b8 ; a = 48
ld (fb9c),a
xor a
ei
ld d,b
sub 8b ; a = 75
ld (fa81),a
xor a
sub b7 ; a = 49
ld d,b
ld (fbac),a
xor a
or fb
ei
ei
ld d,b
ld (fa88),a
or a
ret nc

ii) All badges:

p'viéI5p5
'vjéL5p09
éA2éB2(Pk)'d

xor a
sub a8
ld (fb88),a
xor a
ld d,b
ld d,b
sub a9
ld (fb8b),a
xor a
or ff
ld d,b
ld (f880),a
ld (f881),a
ld d,b
ld d,b
ld d,b
pop hl
or a
ret nc

iii) Have Fly (DCE1 [move 1] = 0x13):

p0T'vAé(Pk)6
(Pk)x'd

xor a
or 93
sub 80
ld (fce1),a
ld d,b
pop hl
or a
ret nc
ld d,b

iv) Fly can go anywhere:

p09ée655
éf6ég6(Pk)5
éh6éi6x'd

xor a
or ff
ld (fca4),a
ei
ei
ld d,b
ld (fca5),a
ld (fca6),a
pop hl
ei
ld d,b
ld (fca7),a
ld (fca8),a
or a
ret nc
ld d,b

v) Get GS Ball in Goldenrod City Pokémon Center:

p'vséJ5p(Pk)
0B'vAéI55
éAAp0N'vA
ée5p0B'vA
éd5p0K'vA
éBBp'va'vc
55555555
55555555
é'l5p'v(male)'v't
é'd5p0L'vA
éIIx'd

xor a
sub b2 ; a = 4e
ld (fb89),a
xor a
pop hl
ld d,b
or 81
sub 80 ; a = 01
ld (fb88),a
ld d,b
ld d,b
ld (8080),a
xor a
or 8d
sub 80 ; a = 0d
ld d,b
ld (fba4),a
xor a
or 81
sub 80
ld d,b
ld (fba3),a
xor a
or 8a
sub 80
ld d,b
ld (8181),a
xor a
sub a0
sub a2 ; a = be
ld d,b
ei
ei
ei
ei
ei
ei
ei
ei
ld d,b
ei
ei
ei
ei
ei
ei
ei
ei
ld d,b
ld (fbd1),a
xor a
sub ef
sub d5 ; a = 3c
ld d,b
ld (fbd0),a
xor a
or 8b
sub 80 ; a = 0b
ld d,b
ld (8888),a
or a
ret nc
ld d,b
ld d,b

The stores shown above as ld (8080),a, ld (8181),a and ld (8888),a are the static reading of the typed names: the operand bytes actually needed (0x01, 0x4E, 0x0D, 0x3C and 0xBE) cannot be typed on the naming screen. Box names are stored from DB75, so the stores to fb88/fb89, fba3/fba4 and fbd0/fbd1 land on the operand bytes of those three instructions (in box names 3, 6 and 11) and rewrite them before execution reaches them. What actually runs is, in effect:

ld a,01
ld (4e01),a ; select SRAM bank 1 (a write to the 4000-5FFF range sets the MBC3 RAM bank)
ld a,0a
ld (0d01),a ; enable writing to SRAM (0x0A written to the 0000-1FFF range)
ld a,0b
ld (be3c),a ; set the Celebi GS Ball event flag in SRAM

vi) Get Master Ball in items slot 2:

p0B'vAéV2
(Pk)x'd

xor a
or 81
sub 80
ld (f895),a
ld d,b
pop hl
or a
ret nc
ld d,b

vii) Get Rare Candy in Balls slot 1:

p0i'vA'v
éI5p0a'vA
éA2x(Pk)'d

(Fill the box 1 name with 5s beforehand to prevent a freeze.)

xor a
or a8
sub 80
sub 50
ld d,b
ld d,b
ld (fb88),a
xor a
or a0
sub 80
ld d,b
ld (f880),a
or a
pop hl
ret nc
ld d,b

viii) Make it a day+1 (D4B6 = 01):

p0B'vAéw,
xPk'd

xor a
or 81
sub 80
ld (f4b6),a
ld d,b
or a
pop hl
ret nc
ld d,b

x) Make it a day+2 (D4B6 = 02):

p0C'vAéw,
xPk'd

xor a
or 82
sub 80
ld (f4b6),a
ld d,b
or a
pop hl
ret nc
ld d,b

xi) Get Mew (recommended: Egg in slot 1; DCDF = 97):

p0?'vH'vA5
éI5p0X55
éA6(Pk)x'd

xor a
or e6
sub 87
sub 80
ei
ld d,b
ld (fb88),a
xor a
or 97
ei
ei
ld d,b
ld (fc80),a
pop hl
or a
ret nc

xii) Hatch steps left = 1 cycle / 1 happiness (DCFA = 01):

p0B'vAé46
Pkx'd

xor a
or 81
sub 80
ld (fcfa),a
ld d,b
pop hl
or a
ret nc
ld d,b

xiii) Warp to Safari Zone:

p0D'vAév6
(Pk)p'vhéw6x
'd

xor a
or 83
sub 80
ld (fcb5),a
ld d,b
pop hl
xor a
sub a7 ; a = 59
ld (fcb6),a
or a
ld d,b
ret nc
ld d,b
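
The listings above are static readings of the typed names. Several of the codes store into the fb88..fbd1 range, which lies inside the box names themselves (they start at DB75), so a store in an earlier box rewrites the operand of an instruction in a later box before that instruction runs. The tracer below is an added example written for this page, not code from the wiki or from the game: it encodes the wiki's box-name notation into Generation II text bytes, disassembles those bytes with the self-modification applied, and reports the effective writes, translating echo RAM addresses ($E000-$FDFF) to the WRAM they mirror. The character values are the Generation II text encoding; treating a bare "Pk" as the <PK> glyph and padding names shorter than 8 glyphs with terminator bytes are assumptions made here.

```python
"""Tracer for the box-name payloads listed above (an added example for this
page, not code from the wiki or from the game). It encodes the wiki's box-name
notation into Generation II text bytes, disassembles the SM83 opcodes those
bytes form and emulates the A register and the stores, mapping echo RAM
($E000-$FDFF) to the WRAM ($C000-$DDFF) it mirrors. A store that lands inside
the box names patches the code, so an earlier box can rewrite the operand of
an instruction in a later box before it executes."""

import re
import unicodedata

# Generation II text encoding for the glyphs used in the listings:
# A-Z $80-$99, a-z $A0-$B9, 0-9 $F6-$FF, plus punctuation and special glyphs.
CHARMAP = {chr(ord("A") + i): 0x80 + i for i in range(26)}
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})
CHARMAP.update({str(d): 0xF6 + d for d in range(10)})
CHARMAP.update({
    " ": 0x7F, "(": 0x9A, ")": 0x9B, ":": 0x9C, ";": 0x9D,
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    "(Pk)": 0xE1, "Pk": 0xE1, "(Mn)": 0xE2, "Mn": 0xE2, "-": 0xE3, "?": 0xE6,
    "!": 0xE7, "&": 0xE9, "é": 0xEA, "(male)": 0xEF, ",": 0xF4, "(female)": 0xF5,
})
TERMINATOR = 0x50   # "@" ends each name; executed, it is the harmless ld d,b
SLOT = 9            # a box name slot holds 8 glyphs plus the terminator
BOX_NAMES = 0xDB75  # WRAM address of box 1's name (code i's heading: "to go to DB75")

# Wiki notation: glyph names are matched before single characters. Assumption:
# a bare "Pk" or "Mn" in a listing denotes the <PK>/<MN> glyph, not two letters.
TOKEN_RE = re.compile(r"\(Pk\)|\(Mn\)|\(male\)|\(female\)|Pk|Mn|'[dlmrstv]|.")


def encode_name(name: str, fill: int = TERMINATOR) -> bytes:
    """One 9-byte slot: glyphs, terminator, then whatever the slot held before
    (assumed to be `fill`; only matters for names shorter than 8 glyphs)."""
    glyphs = TOKEN_RE.findall(unicodedata.normalize("NFC", name))
    if len(glyphs) >= SLOT:
        raise ValueError(f"box name too long: {name!r}")
    code = [CHARMAP[g] for g in glyphs] + [TERMINATOR]
    return bytes(code + [fill] * (SLOT - len(code)))


def mirror(addr: int) -> int:
    """Echo RAM address -> the WRAM byte the hardware actually writes."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def trace(code: bytearray, base: int = BOX_NAMES):
    """Execute `code` (loaded at `base`) until a taken ret nc; return (listing, writes).

    Only the opcodes these payloads use are modelled. sub sets carry on a borrow
    and or/xor clear it, which is why the payloads put or a before ret nc: with
    carry still set the ret would fall through into whatever follows the names.
    """
    listing, writes = [], {}
    pc, a, carry = 0, 0, False
    while pc < len(code):
        op = code[pc]
        if op == 0xAF:                                # xor a
            text, a, carry, pc = "xor a", 0, False, pc + 1
        elif op == 0xB7:                              # or a (flags only)
            text, carry, pc = "or a", False, pc + 1
        elif op == 0xF6:                              # or n
            n = code[pc + 1]
            text, a, carry, pc = f"or {n:02x}", a | n, False, pc + 2
        elif op == 0xD6:                              # sub n
            n = code[pc + 1]
            text, a, carry, pc = f"sub {n:02x}", (a - n) & 0xFF, a < n, pc + 2
        elif op == 0xEA:                              # ld (a16),a, little-endian
            addr = code[pc + 1] | (code[pc + 2] << 8)
            target = mirror(addr)
            writes[target] = a
            if base <= target < base + len(code):
                code[target - base] = a               # store hit the box names
            text, pc = f"ld ({addr:04x}),a", pc + 3
        elif op in (0xE1, 0xFB, 0x50):                # pop hl / ei / ld d,b
            text, pc = {0xE1: "pop hl", 0xFB: "ei", 0x50: "ld d,b"}[op], pc + 1
        elif op == 0xD0:                              # ret nc
            listing.append("ret nc")
            if not carry:
                return listing, writes
            pc += 1
            continue
        else:
            raise ValueError(f"opcode {op:02x} at offset {pc:#x} is not modelled")
        listing.append(text)
    raise ValueError("ran past the box names without a taken ret nc")


def run(names):
    """Encode consecutive box names into one buffer and trace it."""
    return trace(bytearray(b"".join(encode_name(n) for n in names)))


if __name__ == "__main__":
    # Code i from the page: the static listing says ld (fa80),a, but after the
    # patches what runs writes C3 75 FB (jp $FB75, the echo of DB75) at $DA47.
    listing, writes = run(["p0'déT2(Pk)5", "p'vzéM5p5", "'vd'v(éA45", "p'vyé:5p5",
                           "'vLéB4p'vx", "ém5p0555", "éI4x'd"])
    print("\n".join(listing))
    for addr in sorted(writes):
        print(f"${addr:04X} <- ${writes[addr]:02X}")
```

Run on code i, the tracer prints ld (fa47),a, ld (fa48),a and ld (fa49),a in place of the static listing's fa80/fa81/fa88, and the effective writes are $DA47 = C3, $DA48 = 75, $D49 = FB, i.e. jp $FB75 with $FB75 being the echo of DB75, the start of the box names, which is what the heading of code i describes. Code ii turns its ld (f880),a and ld (f881),a into stores to D857 and D858, code xi writes 0x97 to DCDF as its heading states, and code v yields the ld (4e01),a, ld (0d01),a and ld (be3c),a stores given in its explanation. The tracer also makes visible why each payload needs or a before ret nc: after a sub that borrows, carry is set and ret nc would fall through into whatever bytes follow the box names.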

Explanation

Luckytyphlosion offers the following explanation on the forums:

"Basically, it's the cause of poor error checking by GameFreak. When the game has to print the Fake Bad Clone's name through the PlaceString function, it encounters 0x00 characters which aren't supposed to be printed.

In Gold/Silver, encountering a 0x00 character would cause the game to stop processing the string (and also terminate a call from the text processing engine, although that's irrelevant in this case). However, in Crystal, for whatever reason GameFreak replaced this error checking so encountering a 0x00 character would print a ? instead. This can lead to PlaceString writing past the tilemap in WRAM and into other RAM (as seen in Crystal_'s Bad Clone/Kingdra video).

This new error checking has another consequence; being able to read invalid characters. Normally this would not be too destructive; the only thing you could do at best (worst?) is overflowing text into other portions of RAM, as seen above. However, due to another instance of bad error checking, the <DAY> control code (0x15) can jump to a fairly exploitable portion of RAM, 0xcd52.

The code for control code 0x15 jumps to a mobile function, Function17f036, which then calls Function17f036 leading to a jumptable, which reads the next byte from the source as the jumptable index. While there's error checking implemented, GameFreak missed one invalid index, 0x00. The maximum index check checks if the index is greater than the upper bound, but then decrements the a register after the error check. This can allow a 0x00 index to pass through the error check, but then underflow to 0xFF, thereby reading an invalid address from ROM, which conveniently points to WRAM, and a fairly manipulable portion. This is why you need the byte combination 0x15 0x00 to jump to 0xcd52.

From there, you can do whatever setup you want to achieve ACE. Conveniently, GameFreak pushed the source address onto the stack before jumping to the specified address, so the return address will point to whatever was after the 0x15 0x00. In the Crystal Any% speedrun case, this is an immense help as the memory after is a temporary buffer for storing a Pokémon struct (which stores the Pokémon with the corrupted nickname), allowing us to use the moves and trainer ID as a bootstrap to reach box names.

It might be possible to find other locations for a bootstrap. The address where the game jumps is similar to the address where Coin Case jumps in Gold/Silver, so you could potentially manipulate the BG Map buffers to jump to a more suitable place. (The jump to the middle of party data would not work, as the address of party data had shifted in Crystal).

Interestingly, I found this ACE exploit a while ago when attempting to do regular cloning, but I dismissed it as the result of a crash. (When I was doing some testing regarding cloning, I encountered this glitch again and actually decided to look into it)."
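
The explanation above attributes the jump to 0xCD52 to a jump-table index check that compares the index against the upper bound and only then decrements it, so that an index of 0x00 passes the check and wraps to 0xFF in the 8-bit register. The model below is an added example, not code from the page or from the game: the ROM image, table offset, entry count and handler addresses are constructed for illustration, and the two bytes a wrapped index reaches are set so that the stray pointer is $CD52, the value the page reports. It shows the flawed ordering next to a check that rejects the whole invalid range before the index is adjusted.

```python
"""Model of the control-code jump-table dispatch described in the explanation
above (an added example, not code from the page or from the game). The ROM
image, table offset, entry count and handler addresses are constructed; only
the shape of the check (compare against the upper bound, then decrement an
8-bit index) and the stray pointer value $CD52 are taken from the page."""

ROM_BANK_SIZE = 0x4000
TABLE = 0x1000                         # constructed offset of the jump table
HANDLERS = [0x4123, 0x4456, 0x4789]    # constructed targets for indices 1..3
ENTRIES = len(HANDLERS)

rom = bytearray(ROM_BANK_SIZE)
for i, target in enumerate(HANDLERS):
    rom[TABLE + 2 * i:TABLE + 2 * i + 2] = target.to_bytes(2, "little")
# Whatever sits 2 * 0xFF bytes past the table is read for a wrapped index;
# set it here to reproduce the page's observation that the pointer is $CD52.
STRAY = TABLE + 2 * 0xFF
rom[STRAY:STRAY + 2] = (0xCD52).to_bytes(2, "little")

REGIONS = [(0x7FFF, "ROM"), (0x9FFF, "VRAM"), (0xBFFF, "SRAM"), (0xDFFF, "WRAM"),
           (0xFDFF, "echo RAM"), (0xFE9F, "OAM"), (0xFEFF, "unusable"),
           (0xFF7F, "I/O"), (0xFFFE, "HRAM"), (0xFFFF, "IE")]


def region(addr: int) -> str:
    """Name the Game Boy memory region a 16-bit address falls in."""
    return next(name for limit, name in REGIONS if addr <= limit)


def read_pointer(slot: int) -> int:
    """16-bit little-endian pointer at 0-based table entry `slot`."""
    off = TABLE + 2 * slot
    return rom[off] | (rom[off + 1] << 8)


def flawed_dispatch(index: int):
    """Check, then decrement, as the explanation describes the game doing.

    `index` lives in the 8-bit A register, so 0 - 1 wraps to 0xFF after the
    only bound that was tested has already been passed.
    """
    if index > ENTRIES:
        return None                    # rejected as too large
    slot = (index - 1) & 0xFF          # index 0 becomes slot 0xFF here
    return read_pointer(slot)


def fixed_dispatch(index: int):
    """Validate the full 1-based range before deriving the slot."""
    if not 1 <= index <= ENTRIES:
        return None
    return read_pointer(index - 1)


if __name__ == "__main__":
    for idx in (0, 1, ENTRIES, ENTRIES + 1):
        for name, fn in (("flawed", flawed_dispatch), ("fixed", fixed_dispatch)):
            ptr = fn(idx)
            shown = "rejected" if ptr is None else f"${ptr:04X} ({region(ptr)})"
            print(f"{name:6} index {idx:#04x}: {shown}")
```

With the flawed ordering, index 0 is the only value that passes the compare and still produces an out-of-table read; the fixed version rejects it along with everything above the upper bound, and the two agree on every valid index. The region lookup makes the consequence explicit: a pointer fetched from ROM that resolves into WRAM is a jump into data the player controls.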