Arbitrary code execution

Arbitrary code execution (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see Game Boy memory map). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player.

It commonly involves an invalid execution pointer (such as via glitch items in Generation I). In English versions, another popular method is as a side effect of the Coin Case glitch in English Pokémon Gold and Silver, which the player can manipulate to run custom assembly code.

This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games.

In Generation I

Via items

Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution.

All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and write the main payload there. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".

Using てヘ (tehe) in JP Red/Green

The glitch item てヘ (0x7B) has its execution script pointing to wild Pokémon data. However, by naming yourself (any character)てルめ(any characters or nothing) and talking to the Old Man, the script jumps to item pack #3.

Using 8F (English Red/Blue)

The glitch item 8F (0x5D) executes code starting from the party Pokémon data. See the ItemDex page for more information on the setup.

Using 7EME ETAGE (French) / S7 (German) / 7°P (Italian) / P7 (Spanish) (Red/Blue)

These items are the same item than the 8F of English versions (the difference in numbers is because in these countries, "first floor" refers to what is called second floor in english). Therefore, it executes code in the same way.

The bootstrap code for 7eme etage, S7, 7°P or P7 must be slightly changed from the English version: no matter the setup, the player should replace the Onix with a Graveler. See the ItemDex page of 8F for more information.

Using ws m (English), ws l' m (French/German), ws & m (Italian/Spanish) (Yellow)

The Pokémon in the current PC box must be in a certain order for the instruction pointer to be redirected to the item pack. In English games, below are just two of the options possible.

Option 1

1. 10 Pokémon in your current PC box
2. Tangela with 233 HP in slot 1
3. Nidoking in slot 2
4. Metapod in slot 3
5. Haunter in slot 4
6. Flareon in slot 5
7. Parasect in slot 6
8. Growlithe in slot 7
9. Tentacool in slot 8
10. Grimer in slot 9
11. Any Pokemon in slot 10

The bootstrap code translates to the following ASM:

$DA97 <- E9 || jp (hl)  ; pc = D321

Much like 8F games, the contents of the item pack (starting from item 3) will be read as ASM code.

Option 2

1. 11 Pokémon in your current PC box
2. Seel as the 1st Pokémon in the current PC box
3. Parasect as the 2nd Pokémon in the current PC box
4. Growlithe as the 3rd Pokémon in the current PC box
5. Magikarp as the 4th Pokémon in the current PC box
6. Psyduck as the 5th Pokémon in the current PC box
7. Flareon as the 6th Pokémon in the current PC box
8. Tentacool as the 7th Pokémon in the current PC box
9. Female Nidoran as the 8th Pokémon in the current PC box
10. Three more Pokémon
11. Finally, Seel's HP must be 233

Much like 8F games, the contents of the item pack (starting from item 3) will be read as ASM code. Optionally, Seel can be replaced by Butterfree or Mr. Mime.

The bootstrap code translates to the following ASM:

$DA97 <- E9 || jp (hl) ; pc = D321

Non-English European games

In European non-English games, the item name is nearly the same to that of English Yellow but slightly different. In French and German Versions, it is called "ws l' m". In Italian and Spanish Versions, it is called "ws & m". The setup is also different.

1. 10 Pokémon in your current PC box
2. Tangela as the 1st Pokémon in the current PC box
3. Nidoking as the 2nd Pokémon in the current PC box
4. Metapod as the 3rd Pokémon in the current PC box
5. Haunter as the 4th Pokémon in the current PC box
6. Flareon as the 5th Pokémon in the current PC box
7. Parasect as the 6th Pokémon in the current PC box
8. Kadabra as the 7th Pokémon in the current PC box
9. Tentacool as the 8th Pokémon in the current PC box
10. Grimer as the 9th Pokémon in the current PC box
11. Any Pokémon as 10th Pokémon in the current PC box
12. Finally, Tangela's HP must be 233

Much like 8F, the contents of the item pack (starting from item 3) will be read as ASM code.

Using 4F (English and European non-english Yellow)

By using item 4F instead of "ws m", we can execute code using Daycare data. Although this possibility was previously known, it was setup by Krys3000 in this thread for both English and non-English Yellow games.

In english games, deposit and withdraw (or not) at the Day Care a Nidorina (that should not be evolved from a Female Nidoran), with Bite, Fury Swipes, Double Kick and Growl (the first two moves are placeholders and can be replaced with some other moves, but not just any move). Then, store in the active PC Box:

1. Any lvl25 Pokémon with currently 24 HP, 33 PP currently for the first AND second move, 19 PP currently for the third move (3 PP Up used) and no fourth move or no PP currently on it
2. Clefairy, Male Nidoran or Spearow (among many possibilities) with 233 HP

Using 4F will then execute code from the third item, as with other setups.

WRA1:DA64 <- 78 || ld a,b
WRA1:DA65 <- 2C || inc l
WRA1:DA66 <- 9A || sbc d
WRA1:DA67 <- 18 2E || jr DA97
WRA1:DA97 <- 18 19 || jr DAB2
WRA1:DAB2 <- 21 21 D3 || ld hl,D321
WRA1:DAB5 <- 00 || nop
WRA1:DAB6 <- 04 || inc b
WRA1:DAB7 <- 00 || nop
WRA1:DAB8 <- E9 || jp hl

The setup is somewhat easier in non-english games. Deposit and withdraw (or not) a lvl80 Pokémon with currently 24 HP in the Day Care. The, store in the active PC Box:

1. Any Pokémon with 33 PP currently for the first move, 38 PP currently for the second move, 19 PP currently for the third move (3 PP Up used) and no fourth move or no PP currently on it
2. Clefairy, Male Nidoran or Spearow (among many possibilities) with 233 HP

Using 4F will then execute code from the third item, as with other setups.

WRA1:DA64 <- 00 || nop
WRA1:DA65 <- 18 50 || jr DAB7
WRA1:DAB7 <- 21 26 D3 || ld hl,D326
WRA1:DABA <- 00 || nop
WRA1:DABB <- 04 || inc b
WRA1:DABC <- 00 || nop
WRA1:DABD <- E9 || jp hl

Useful item codes

See Generation I item codes for some useful item lists for 8F (and other ACE methods).

Via text boxes

Via Trainer escape glitch on Sea Route 21

Main article: Sea Route 21 0x44 text box glitch (English Yellow)

Loading the hex:44 text box on Route 21 (via the shelves of Pokémon goods in Cinnabar Poké Mart) executes arbitrary text code from D2C3 in WRAM (the fifth character of the second Pokémon's nickname). This can be manipulated to run arbitrary code; for example with Super Glitch and the expanded party one can convert items in the inventory into Pokémon nicknames and abuse this to obtain Mew as a gift Pokémon via the 08 text function (run ASM following the 08). This trick was documented by Torchickens.

Via Pikachu off-screen glitch

By using the Pikachu off-screen glitch in the Vermilion City Fan Club and making specific movements to force the non-existing sign 04 to appear at coordinates x=1, y=1, it is possible for the player to read the signpost and execute arbitrary code beginning from D221; the catch rate/held item of party Pokémon 5.

Once you have prepared one of the setups below, put your Pokémon in the 5th position of the party, prepare your items from item 1, get the Clefairy event in the Vermilion Fan Club, then do the following steps:

1) Go to the bottom-left walkable tile (putting Pikachu off the screen), then walk up to the top and down to the bottom of the left-most column 11 times, but for the 11th time step one tile short on the final way back down.

2) Step right, step left, then walk up to the top and down to the bottom of the left-most column 10 times.

3) Step right, then go the top-left tile you can walk to, face right and press A.

Luckless setups

5 different setups to use for this trick have been made by Krys3000 and Torchickens/ChickasaurusGL in this thread. They all execute code from item 3 in the pack, similarly to ws m or 4F setups.

1. The 4 moves setup involves as 5th Pokémon in the party a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have 2 'placeholder moves' (typically Bite and Fury Swipes, since it learns both) followed by Double Kick (also learned) and Bubblebeam (TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
2. The 2 moves + HP/Box Level setup involves as 5th Pokémon a Nidorina or Nidorino. It has to have been traded to G/S/C, hold a Moon Stone there and then be traded back to Yellow. This Pokémon must have Double Kick (learned) as first move and Take Down (TM09) as second. Also, the 6th Pokémon can be anything but must have 24 HP currently and also have been lvl24 last time it was stored in the PC. This Pokémon requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
3. The 4 moves + Glitch Pokémon setup involves as 5th Pokémon the glitch Pokémon PKMN pゥぁ ゥぇ, that can be obtained via several glitches, Equivalent Trade or Time Capsule Exploit. This Pokémon must have Ice Punch, DoubleSlap, Double Kick and BubbleBeam (all can be learned except Bubblebeam which is TM11). Also, the 6th Pokémon can be anything but requires currently 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also).
4. The Untrained Hitmonchan setup is the only tradeless/glitchless setup. 5th Pokémon would be Hitmonchan and this Pokémon must never have been trained, but must know Strength (HM), Agility, Fire Punch and Ice Punch (it requires rising it to lvl 38 with Rare Candies). This Pokémon must also have 00 PP currently at Strength, 24 at Agility, 14 at Fire Punch (Ice Punch doesn't matter). Also, 6th Pokémon can be anything but must be lvl25, requires currently 24 HP, 3 PP on its first move (with 3 PP Up used), 33 PP on the second move, and 19 PP for the third move (with 3 PP Up used also). The code can be broken at any time by Hitmonchan's IV. The best way is to reset the pick of Hitmonchan to make sure that yours work. For this setup to work, you must also check that when converted into hexadecimal, Hitmonchan's trainer ID won't trigger invalid opcodes or many-bytes opcodes
5. The underflow-based setup is described here.

A video of the Hitmonchan setup has been made by ChickasarusGL

Luck-based setup

A Graveler with 08 c2 (2242) HP stat experience and 1d d3 (7635) Attack stat experience may be used as an applicable Pokémon 5, preferably a Graveler from Victory Road.

If you are using level 44 Graveler, make note that since you can't really predict its total exp. you may not be able to get your result dictated by items. However, saving before the last few Krabby to get different levels or keeping Rare Candies, saving before talking to the text box and using one if it didn't work last time may fix this.

To get these specific EVs, your Pokémon needs to have encountered the following Pokémon (and no more):

71 Krabby, 1 Farfetch'd, 1 Dugtrio, and 1 Magnemite.

(Thanks FMK for working out what Pokémon to battle).

Example codes (all from item 1)

Obtain 255 items:

This allows you to do 20+ items related glitches and get more complicated item set ups if you have items like multiple X Special x1 spare.

• Protein x1
• Repel x1
• X Accuracy x28
• Lemonade x1
• Poké Ball x61
• Antidote x61
• Water Stone x37
• X Accuracy x97
• TM01 x1

Note: This code may be unstable.

Encounter a Pokémon:

• Iron x37
• X Accuracy x88
• Lemonade x(species you want, 21=Mew)
• Water Stone x4
• Protein x4
• TM01 x1

This technique was discovered by stumpdotio, originally for speedrunning Pokémon Yellow using a different method. A video of the route by Dabomstew's may be found here.

Via "TRAINER 4" (hex:FC)

This method will make "TRAINER 4" (hex:FC) (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.

Requirements :

• No Pokémon must ever have been deposited info the Daycare (even on a previous save file)
• Knowing and being able to perform the Trainer escape glitch
• A Pokémon with a Special stat of 252

1. One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
2. Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.

The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.

In Generation II

Gold and Silver

Main article: Coin Case glitch

The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.

Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items.

Crystal

In Pokémon Crystal, there is a recently found way to executed arbitary code. It is based on getting a bad clone, renaming boxes to specific names, and jumping there with a specific trainer ID. This method was used in a speedrun by Werster.

In Generation III

The method is extremely complicated, but can be achieved.

To learn how, watch this video by TheZZAZZGlitch.

In Generation VI

A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.

Related articles

• Executing large programs with arbitrary code execution.
• Cart-swap arbitrary code execution
• Remote code execution
• List of 8F bootstrap setups
• List of arbitrary code execution programs
• GB Programming