Arbitrary code execution: Difference between revisions

From Glitch City Wiki
>ISSOtm
(Added explanation on how the Coin Case may run arbitrary code. Nothing more should be written, though, because a full article already exists. Also wrote stuff for Gen I ACE)
>ISSOtm
m (→Via ZZAZZ Trainer hex:FC: Oops, I didn't write the whole text. Der:P)
Revision as of 12:18, 4 April 2015

Arbitrary code execution refers to a method that allows the player to force the game to run code written by the player.

It usually relies on an invalid execution pointer (the effect pointer of a glitch item in Generation I, an incorrectly terminated string in English Pokémon Gold and Silver) that sends execution into RAM the player controls, so the player can arrange data there that the game will run as assembly code.

This custom code is usually spelled out with items: each slot of the item list is two bytes (item ID, then quantity), so a sequence of items encodes a sequence of bytes.

In Generation I

Via Items

Both glitch items (8F in Red/Blue, "ws m" in Yellow) require a special setup before using the item runs the intended code.

For detailed information about these items, read this topic on the GCL forums if playing Red/Blue, or this post if playing Yellow.

It is a good idea to read the whole topic, not just the first message.


Using 8F (Red/Blue)

The player's party Pokémon must be in a certain order and have certain stats, so that the bytes at the following addresses form a short bootstrap (read as Game Boy instructions, a chain of relative jumps ending in a `jp hl` into the item list):

  1. 6 Pokémon [0xD163 = 0x06]
  2. Onix as the first Pokémon [0xD164 = 0x22]
  3. Pidgey as the second Pokémon [0xD165 = 0x24]
  4. Tentacool as the third Pokémon [0xD166 = 0x18]
  5. Meowth as the fourth Pokémon [0xD167 = 0x4D]
  6. 24 PP left on the second Pokémon's second move [0xD1B5 = 0x18]
  7. 21 PP left on the second Pokémon's third move, with 1 PP Up used [0xD1B6 = 0x55]
  8. 36 PP left on the fourth Pokémon's first move [0xD20C = 0x24]
  9. 24 PP left on the fourth Pokémon's second move [0xD20D = 0x18]
  10. 20 PP left on the fourth Pokémon's third move [0xD20E = 0x14]
  11. Double Team as the fifth Pokémon's first move [0xD223 = 0x68]
  12. Double Kick as the fifth Pokémon's second move [0xD224 = 0x18]
  13. Strength as the fifth Pokémon's third move [0xD225 = 0x46]
  14. Sixth Pokémon's Attack stat has to be exactly 233 [0xD26C = 0xE9]
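To see why the list above has to be exact, and why the two-bytes-per-item layout mentioned earlier matters, the following script models the pinned party bytes as a sparse Red/Blue WRAM, decodes them as the five SM83 instructions the chain is built from, and reports where the final `jp hl` lands. It is an added example, not code from the wiki or from the game; the starting register state (hl equal to the effect pointer 0xD163, b cleared) is what the item-use routine leaves before jumping, and the bag addresses (0xD31D count byte, slots from 0xD31E) and sample bag contents are constructed for the demonstration.

```python
"""Walk the 8F bootstrap chain through Red/Blue party RAM.

Added example, not code from the wiki or the game: it models only the
bytes the setup list pins, decodes them as the handful of SM83
instructions the chain uses, and reports where the final `jp hl` lands.
"""

# Address -> byte from the 14-point setup list (party data starts at $D163).
PARTY_SETUP = {
    0xD163: 0x06,  # party count 6          -> ld b,$22 (operand is the next byte)
    0xD164: 0x22,  # Onix                   -> operand of ld b
    0xD165: 0x24,  # Pidgey                 -> inc h
    0xD166: 0x18,  # Tentacool              -> jr
    0xD167: 0x4D,  # Meowth                 -> jr offset, lands on $D1B5
    0xD1B5: 0x18,  # 2nd mon, move 2 PP 24  -> jr
    0xD1B6: 0x55,  # 2nd mon, move 3 PP 21 + 1 PP Up -> offset to $D20C
    0xD20C: 0x24,  # 4th mon, move 1 PP 36  -> inc h
    0xD20D: 0x18,  # 4th mon, move 2 PP 24  -> jr
    0xD20E: 0x14,  # 4th mon, move 3 PP 20  -> offset to $D223
    0xD223: 0x68,  # 5th mon, Double Team   -> ld l,b
    0xD224: 0x18,  # 5th mon, Double Kick   -> jr
    0xD225: 0x46,  # 5th mon, Strength      -> offset to $D26C
    0xD26C: 0xE9,  # 6th mon Attack low byte (233) -> jp hl
}

BAG_COUNT = 0xD31D   # item count byte; the first slot's ID byte follows at $D31E
ENTRY = 0xD163       # 8F's effect pointer: where the item-use routine jumps


def bag_bytes(items):
    """Lay the bag out as the game stores it: a count byte, then one
    (item ID, quantity) pair per slot, then an $FF terminator.  Two bytes
    per slot is why a list of items can spell out machine code."""
    mem = {BAG_COUNT: len(items)}
    addr = BAG_COUNT + 1
    for item_id, qty in items:
        mem[addr], mem[addr + 1] = item_id, qty
        addr += 2
    mem[addr] = 0xFF
    return mem


def run_bootstrap(mem, pc=ENTRY, hl=ENTRY, b=0, max_steps=32):
    """Execute from pc until a `jp hl`, decoding only the five opcodes the
    chain is built from.  hl starts equal to the effect pointer because the
    item-use routine loads that pointer into hl and does `jp hl` (assumption
    stated in the lead-in).  Returns (jump target, list of (pc, mnemonic))."""
    trace = []
    for _ in range(max_steps):
        op = mem.get(pc)
        if op == 0x06:                       # ld b,n
            b = mem[pc + 1]
            trace.append((pc, f"ld b,${b:02X}"))
            pc += 2
        elif op == 0x24:                     # inc h
            hl = (hl + 0x100) & 0xFFFF
            trace.append((pc, "inc h"))
            pc += 1
        elif op == 0x18:                     # jr e: signed offset from the next pc
            e = mem[pc + 1]
            if e >= 0x80:
                e -= 0x100
            target = (pc + 2 + e) & 0xFFFF
            trace.append((pc, f"jr ${target:04X}"))
            pc = target
        elif op == 0x68:                     # ld l,b
            hl = (hl & 0xFF00) | b
            trace.append((pc, "ld l,b"))
            pc += 1
        elif op == 0xE9:                     # jp hl: leave the bootstrap
            trace.append((pc, "jp hl"))
            return hl, trace
        else:
            desc = "unset" if op is None else f"${op:02X}"
            raise ValueError(f"chain derailed: byte {desc} at ${pc:04X} is not part of the bootstrap")
    raise RuntimeError("bootstrap did not reach jp hl")


def landing_slot(items, party=PARTY_SETUP):
    """Build WRAM from a party setup plus a bag, run the chain, and say which
    bag slot (1-based) the final jump lands on."""
    mem = dict(party)
    mem.update(bag_bytes(items))
    target, trace = run_bootstrap(mem)
    slot = (target - (BAG_COUNT + 1)) // 2 + 1
    return target, slot, trace


# Constructed bag: 8F (item $5D) in slot 1, a filler item in slot 2, and the
# first payload byte as the ID of slot 3.  Slot 2 and 3 IDs are placeholders.
SAMPLE_BAG = [(0x5D, 1), (0x04, 1), (0xC9, 1)]

if __name__ == "__main__":
    target, slot, trace = landing_slot(SAMPLE_BAG)
    for pc, ins in trace:
        print(f"${pc:04X}  {ins}")
    print(f"jp hl -> ${target:04X} (ID byte of bag slot {slot})")
    # Any other species in party slot 3 breaks the chain, which is why the
    # setup has to be exact: Rattata ($A5) in place of Tentacool.
    broken = {**PARTY_SETUP, 0xD166: 0xA5}
    broken.update(bag_bytes(SAMPLE_BAG))
    try:
        run_bootstrap(broken)
    except ValueError as err:
        print("with Rattata in slot 3:", err)
```

Running it prints the nine-instruction chain and ends at 0xD322, the ID byte of the third bag slot, which is where the item-spelled payload has to start; the two `inc h` steps and `ld l,b` with b = 0x22 (Onix) are what turn the entry pointer 0xD163 into that address. Swapping a single species or PP value replaces one of the bytes with an unrelated opcode and the walk derails, as the Rattata check shows.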

Using "ws m" (Yellow)

The Pokémon in the current PC box must be in a certain order for the instruction pointer to be redirected into the item pack.

Via ZZAZZ Trainer hex:FC

Video by TheZZAZZGlitch

This method makes the ZZAZZ trainer hex:FC (encountered via the Trainer escape glitch) run code based on Pokémon data: execution starts at the Daycare Pokémon's data and, since no Pokémon has ever been deposited there, falls through into the data of the Pokémon in the current PC box.

Requirements:

  • No Pokémon must ever have been deposited into the Daycare (even on a previous save file)
  • Knowing and being able to perform the Ditto glitch
  • A Pokémon with a Special stat of 252
  1. One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
  2. Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare will be run. If no Pokémon was ever deposited, execution "falls" through into the boxed Pokémon data.

In Generation II

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

While this is a valid control character for the Japanese version, it is not handled by the English versions' text routines, causing the game to jump into memory at echo RAM address E112 (a mirror of WRAM address C112) and execute whatever is there as code.

The bytes left in memory by the cries of Bellsprout, Machop and Machamp make the Coin Case code execute an "inc sp", which shifts execution into code derived from a palette table. Standing in certain places then makes that code jump into the party Pokémon data, and finally into the PC item list.


In Generation III

The method is far more involved than in the earlier generations, but it has been achieved.

To learn how, watch this video by TheZZAZZGlitch.