Arbitrary code execution

From Glitch City Wiki
Major glitches of the Pokémon series


Arbitrary code execution

0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | ZZAZZ glitch Trainer FC


No further extensions

Cloning | Item duplication glitch (Generation I) | Pokémon merge glitch ("Q Glitch", Generation I) | Time Capsule exploit | Bug-Catching Contest data copy glitch (Generation II, Japan only) | Berry glitch | Battle Tower Lati@s glitch (Generation III) | (Mimic) Transform Rage glitch (Generation IV)

Transform held item glitch (Generation IV, Japan only) | Mimic glitch (Generation IV, Japan only)


Buffer overflow techniques

99 item stack glitch | LOL glitch | Rival LOL glitch | Instant LOL glitch | RAM LOL glitch | Out of bounds LOL glitch | blockoobLG | Instant encounter infinite chain glitch | LGFly | Super Glitch (Generation I) | Party remaining HP glitch | Super Glitch (Generation III) | Text pointer manipulation mart buffer overflow glitch | CoolTrainer♀-type move | Double distort CoolTrainer♀ corruption | Yami Shop glitch | Party Pokémon box data shift glitch | Unterminated name glitch item instant encounter (Japanese Red/Green)


Item stack duplication glitch (Generation I)

Generation I expanded items pack (Glitch Rocket HQ maps, Map FE (English and non-English European Yellow) | Map script pointer manipulation (arbitrary code execution | Map script pointer item ball manipulation) | Text pointer manipulation (arbitrary code execution | Item ball manipulation | Mart buffer overflow) | Trainerless instant encounter glitch


Bad clone glitch (Generation II)

????? party overloading (Type 0xD0 move glitch | ????? map corruption | Celebi trick | Celebi Egg trick | Shiny Celebi trick | Glitch move map corruption | Overloaded party map corruption | Glitch Unown (Glitch Unown map corruption) | Duplicate key items glitch (Infinite items and item creation, Expanded Balls pocket (Wrong pocket TM/HMs, Glitch Pokédex categories))


Closed menu Select glitches (Japanese Red/Green)

Dokokashira door glitch (International) | Fossil conversion glitch (international) | Second type glitch | Skip to Level 100 glitch | Trainer mutation glitch | Walk through walls (International) | Lift glitch | Badge describer glitch


Pomeg glitch (Generation III)

Pomeg data corruption glitch ("Glitzer Popping") | Charm glitch


Voiding (Generation IV)

Tweaking

Broken escalator glitch (Japan only) | Elite Four door glitch (Japan only)


2x2 block encounter glitches (Generation I)

Left-facing shore tile glitch (in-game trade shore encounter trick, Old man trick, Trade link up shore encounter trick, Fight Safari Zone Pokémon trick) | Viridian Forest no encounter grass tiles glitch


Glitch City

Safari Zone exit glitch | RAM manipulation | Out of bounds Glitch City (Generation II) | Slowpoke Well out of bounds corruption (French Gold/Silver/Crystal)


Large storage box byte shift glitch

Storage box remaining HP glitch | Generation I max stat trick


Pikachu off-screen glitch

Trainer corruption glitch


SRAM glitches

Generation I save corruption | 255 Pokémon glitch | Expanded party encounter table manipulation (Generation I) | Send party Pokémon to a new game (Generation I) | Generation II save corruption | Mailbox glitches | Mystery Gift item corruption | Trainer House glitches


Trainer escape glitch

Death-warp | Ditto trick | Experience underflow glitch | Mew trick | Text box ID matching | Meta-map script activation


Walk through walls

Ledge method | Museum guy method | Rival's effect | Select glitch method (International Select glitch method), Brock Through Walls


Surf down glitch

Grass/rock Surfing glitch (Spanish/Italian only) (adaptions: Submerge glitch (international)) | 8 8 (0x7C) grass/rock surfing glitch (English Red/Blue))

(view, talk, edit)
Arbitrary code execution in the Pokémon series

0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Serial interrupt ACE | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | Type 0xFF mail arbitrary code execution (Japanese Crystal) | ZZAZZ glitch Trainer FC


List of arbitrary code execution programs

(view, talk, edit)
PRAMA Initiative a également une page sur Arbitrary code execution.
Bulbapedia also has an article about Arbitrary code execution.
This article is incomplete. Please feel free to add any missing information about the subject.
Reason:

The following methods of ACE: custom map script pointer, move effect, Trainer escape glitch text box, bad clone summary, Burned Tower Silver, TM/HM use outside of the correct pocket, glitch Pokédex categories, Pikachu glitch emote, specific details on Generation III summary and move animation ACE, and specific details on Generation IV ACE

Arbitrary code execution (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see Game Boy memory map). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player.

It commonly involves an invalid execution pointer (such as via glitch items in Generation I). In English versions, another popular method is as a side effect of the Coin Case glitch in English Pokémon Gold and Silver, which the player can manipulate to run custom assembly code.

This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games.

In Generation I

Via items

Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution.

All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and write the main payload there. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".

There are many ways to obtain those glitch items through glitches. In Pokémon Red, Green, and Pokémon Blue (Japanese), the Select glitch can easily create any glitch item. In the international versions, the most common method is to first obtain an expanded item pack, then find the glitch item in the X coordinate (Celadon looping map trick) or in roaming items.

Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its ItemDex page.

Version ID Name Effect pointer Pointing to Notes
English Red/Blue 0x6A -g m $DA47 Safari Ball count Followed by Day Care data and box Pokémon data
Equivalent to なかよしバッジ due to the fix for the old man full box glitch
Japanese Red/Green/Blue 0x67 なかよしバッジ $D983 Safari Ball count Followed by Day Care data and box Pokémon data
English Red/Blue 0x5D 8F $D163 Party Pokémon data Equivalent to 5かい due to the fix for the old man full box glitch
European non-English Red/Blue 0x5D 7EME ETAGE / S7 / 7°P / P7 Party Pokémon data Same item as 8F
Japanese Red/Green/Blue 0x5A 5かい $D123 Party Pokémon data
English Yellow 0x63 ws m $DA7F Box Pokémon data
European non-English Yellow 0x63 ws l' m / ws & m Box Pokémon data Same item as ws m
English Red/Blue 0x59 4F $FA65 Middle of Day Care data
English Yellow 0x59 4F $FA64 Middle of Day Care data
European non-English Yellow 0x59 3EME ETAGE / S3 / 3°P / P3 $FA64 Middle of Day Care data Same item as 4F
Japanese Red/Green 0x7B てヘ $D806 Grass encounter table Can be changed to the player's name by the old man
Japanese Blue 0x7B ItemDexJP/B:123 $D806 Grass encounter table See てヘ. Requires 0x50 sub-tile.

Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.)

Useful item codes

See Generation I item codes for some useful item lists for 8F (and possibly other ACE methods).

Via text boxes

Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like text box ID matching can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution.

Notable setups for text box ACE include:

Via "TRAINER 4" (hex:FC)

This method will make "TRAINER 4" (hex:FC) (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.

Requirements :

  • No Pokémon must ever have been deposited info the Daycare (even on a previous save file)
  • Knowing and being able to perform the Trainer escape glitch
  • A Pokémon with a Special stat of 252
  1. One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
  2. Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.

The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.

YouTube video by TheZZAZZGlitch


In Generation II

PRAMA Initiative a également une page sur Arbitrary code execution.

Gold and Silver

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.

Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items.

Crystal

Main article: 0x1500 control code arbitrary code execution

In Pokémon Crystal, there is a recently found way to execute arbitrary code. It is based on getting a Pokémon with an unterminated name (can be done with the bad clone glitch) and viewing its name unprotected (e.g. in the stats screen or in the PC).

This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the any% speedrun route was based on this method. However, the current route now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored.

YouTube video by Werster


In Generation III

There are at least three methods of arbitrary code execution, all stemming from the use of Glitzer Popping.

Via stack overflow

Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM.

The method is dependent on save block ordering and is somewhat impractical, but was first performed in this video by TheZZAZZGlitch.

Via glitch move animation

Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc. By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc. Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000.

Version Move ID EVs Target
US 0x1608 8 HP 22 Attack 0x02030400 (Box 12, slot 15)
JP 0x3110 16 HP 49 Attack 0x02330000 (Box 12, slot 14)

As for the animation script, a Pokemon nickname can be used on Japanese Emerald, using this character map. An example script may look like: 1F zz yy xx ww FF to execute code at address 0xWWXXYYZZ.

On other versions, setting up the bootstrap script is more complicated. There is a Pastebin guide for this by Metarkai.

This strategy was used in this TAS by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name.

This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working.

Via glitch sprite animation

Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx.

Version Species ID EVs Target ARM/THUMB
US 0x40E9 233 HP 64 Attack 0x0206FFFF (Box 12 Slot 3) THUMB
US 0x0611* 17 HP 6 Attack 0x0206FEFE (Box 12 Slot 3) ARM
JP 0x085F 95 HP 8 Attack 0x0206FFFF (Box 12 Slot 3) THUMB
JP 0x0615* 21 HP 6 Attack 0x0206FEFE (Box 12 Slot 3) ARM

Species IDs with asterisks cannot be safely viewed from the summary screen; the game will crash from its species name. They can only be used for ACE by either hatching them from an Egg, or viewing their animation in a Pokemon Contest.

THUMB or ARM code can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters.

On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions.

This glitch has been used in the former (13 March 2020 until 14 April 2023) WR Any% Emerald speedrun by Startoria. The code used in the run was written by merrp.

This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3.

In Generation IV

Via Retire glitch

Executing a script with an index higher than the available script indexes in a map via the Retire glitch can be used to obtain arbitrary script execution, which can be escalated to full ACE. This method has been refined over time.

YouTube video by RETIRE


Via Alt-Retire glitch

Similarly to the previous method, arbitrary script execution can also be obtained via the Alt-Retire glitch.

Via NPC ASE

Interacting with an NPC runs a script with an index equal to the event_id of that NPC. ASE can be obtained through invalid event_ids. Currently, this can only be achieved via an existing ASE method. There is a guide for this by RETIRE.

In Generation VI

A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.

Custom data

Arbitrary code execution can be used to create custom data, such as sprites, text and sounds.

Related articles