Arbitrary code execution: Difference between revisions

← Older edit

Arbitrary code execution (view source)

Revision as of 16:04, 7 December 2022

1,034 bytes added , 1 year ago

Add initial information on Gen 4 (thanks to RETIRE for corrections!)

VisualWikitext

Vriska

0

edits

Revision as of 21:49, 24 March 2020 (view source) >CasualPokePlayer (Addition of previous edit regarding Pokemon Contests and Sprite 0x0611/0x0615 ACE) ← Older edit		Latest revision as of 16:04, 7 December 2022 (view source) Vriska (talk \| contribs) (Add initial information on Gen 4 (thanks to RETIRE for corrections!))
(8 intermediate revisions by 4 users not shown)
Line 3: {{PRAMA\|ace-1G}} {{Bulbapedia}} {{incomplete\|1=<br><br>The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote ~~and~~, specific details on Generation III summary and move animation ACE, and specific details on Generation IV ACE}} '''Arbitrary code execution''' (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see [http://gameboy.mongenel.com/dmg/asmmemmap.html Game Boy memory map]). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player. Line 20: Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its [[ItemDex]] page. {\| class="wikitable sortable" {\| \|}▼ ~~{\| style="background: grey; -moz-border-radius: 0.5em; border: 5px solid #000000; color: grey" align="top"~~ \|- \| ~~{\| class="sortable" style="background:#f0f0f0; border:1px solid #000000; border-collapse:collapse;" width="100%" border="1" align="left"~~ ~~\|- style="background: silver;"~~ !Version!!ID!!Name!!Effect pointer!!Pointing to!!Notes \|- Line 42 ⟶ 36: \|- \|European non-English Yellow\|\|0x63\|\|[[ItemDex/Y:099#In other European versions\|ws l' m / ws & m]]\|\|<!-- TODO -->\|\|Box Pokémon data\|\|Same item as ws m ▲\|}- \|English Red/Blue\|\|0x59\|\|[[ItemDex/RB:089\|4F]]\|\|$FA65\|\|Middle of Day Care data \|- \|English Yellow\|\|0x59\|\|[[ItemDex/Y:089\|4F]]\|\|$FA64\|\|Middle of Day Care data\|\| Line 47 ⟶ 43: \|European non-English Yellow\|\|0x59\|\|[[ItemDex/Y:089#In other European versions\|3EME ETAGE / S3 / 3°P / P3]]\|\|$FA64\|\|Middle of Day Care data\|\|Same item as 4F \|- \|Japanese Red/Green\|\|0x7B\|\|[[ItemDexJP/RG:123\|てヘ]]\|\|$D806\|\|Grass encounter table\|\|Can be changed to the player's name by the [[Old man trick\|old man]]<!-- NOTE: Should be tested for ~~JP Blue and~~ JP Yellow, too --> \|}- \|Japanese Blue\|\|0x7B\|\|[[ItemDexJP/B:123]]\|\|$D806\|\|Grass encounter table\|\|See てヘ. Requires [[0x50 sub-tile]]. \|} Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.) Line 97 ⟶ 94: In {{C}}, there is a recently found way to execute arbitrary code. It is based on getting [[unterminated name Pokémon (Generation II)\|a Pokémon with an unterminated name]] (can be done with the [[bad clone glitch]]) and viewing its name unprotected (e.g. in the stats screen or in the PC). This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. AsUntil ofmid ~~2019~~2020, ~~The~~the [[Pokémon Crystal any% speedrun route\|~~current~~ any% speedrun route]] ~~is still~~was based on this method. However, [https://pastebin.com/3satHMsE the current route] now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored. {{Youtube\|Gj7m4vh18c8\|Werster}} Line 152 ⟶ 149: This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3. ==In [[bp:Generation IV\|Generation IV]]== ===Via Retire glitch=== Executing a script with an index higher than the available script indexes in a map via the [[Retire glitch]] can be used to obtain arbitrary script execution, which can be escalated to full ACE. This method has been [https://www.craft.do/s/VTsIAtSd7ob1uT refined] over time. {{Youtube\|tmPzFAuKMA8\|RETIRE}} ===Via Alt-Retire glitch=== Similarly to the previous method, arbitrary script execution can also be obtained via the [[Alt-Retire glitch]]. ===Via NPC ASE=== Interacting with an NPC runs a script with an index equal to the event_id of that NPC. ASE can be obtained through invalid event_ids. Currently, this can only be achieved via an existing ASE method. There is a [https://www.craft.do/s/oLpZYx2GFRf8N1 guide] for this by RETIRE. ==In [[bp:Generation VI\|Generation VI]]== Line 163 ⟶ 172: [[Custom player sprite]] [[Custom Pokédex entries]] [[Custom screens]] [[Custom text boxes]] *[[Custom tilesets]]