Pokémon Yellow C109 ID 0x0F arbitrary code execution

From Glitch City Wiki
More research is needed for this article.

Reason given: Test if the same C109 0x0F script is possible in Red/Blue with a different method to Yellow MissingNo.



Yellow MissingNo.'s corruption

Pokémon Yellow C109 ID 0x0F arbitrary code execution is a glitch in Pokémon Yellow, and a form of arbitrary code execution, involving a glitch 0xC109 ID, with a script activated by glitch item Lg -. It used to be notable for its ability to be accessed early in the game, but has since been obsoleted.

Notes

This glitch does not work on many emulators; one exception is later versions of BGB. It is confirmed to function properly on a real Game Boy Advance SP, but it has not been confirmed on other platforms.

Yellow MissingNo. encounter method

If the player encounters Yellow MissingNo. (non-ghost/fossil form) in Viridian Forest, has previously erased the save file with Up+Select+B and has never encountered a glitch Pokémon before, the Yellow MissingNo. will not freeze the game.

If the Pokémon menu and the PC were opened in front of the PC in Viridian City's Pokémon Center before encountering the Yellow MissingNo., then after the battle ends C109 is 0x0F, which has the ability to execute arbitrary code at DA41 (wPlayTimeMaxed, followed by wPlayTimeMinutes and wPlayTimeSeconds, and close to Safari Zone and Day Care data) after the glitch item "Lg -" is used.

If the player doesn't have a problematic play time, has never visited the Safari Zone and doesn't have any Day Care data, the code will fall through to DA7F, where a bootstrap Pokémon setup can be used to run code at item 3.

Expanded party method

The exploit can also be done by swapping a Pokémon into Pokémon 91 in the expanded inventory. The swapped Pokémon's lower Defense byte determines E109 (Echo RAM of C109), and its Trainer ID determines E0EF and E0F0 (C0EF and C0F0), which must correspond with valid sound banks: 02 02 (Trainer ID 00514), 08 08 (Trainer ID 02056), 1F 1F (Trainer ID 07967), 20 20 (8224), or a combination of banks (e.g. 02 1F (Trainer ID 0543)). 20 is not recommended due to side effects.

Under unknown circumstances, Lg - may corrupt the player's coordinates, adding 0x33 to D360 (y coordinate), 0x80 to D361 (x coordinate), 0x33 to D362 (y coordinate block) and 0x80 to D363 (x coordinate block). This typically moves the player so that they are no longer adjacent to the entrance of Viridian Forest, but the player can work around that by setting the glitched coordinates in advance with the expanded inventory, such as FC, 90, CE, 80. This example results in 2F, 10, 01, 00 (where an addition exceeds FF, the result wraps modulo 0x100 (256)), which are the default coordinates after entering the door leading to Viridian Forest.
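
The byte arithmetic of the expanded party method, as an added example that is not part of the original article: it maps Echo RAM addresses back to WRAM, derives the Trainer ID for a pair of sound banks, and computes the coordinates to set in advance. The function names are hypothetical, and the big-endian Trainer ID layout (high byte at C0EF, low byte at C0F0) is an assumption inferred from the article's ID examples.

```python
# Added example: byte arithmetic behind the expanded party method.
# Echo RAM range E000-FDFF mirroring C000-DDFF is Game Boy hardware behaviour.
ECHO_START, ECHO_END, ECHO_OFFSET = 0xE000, 0xFDFF, 0x2000
VALID_SOUND_BANKS = {0x02, 0x08, 0x1F, 0x20}  # banks listed in the article
# Values the article says Lg - may add to D360..D363 (y, x, y block, x block).
COORD_DELTAS = (0x33, 0x80, 0x33, 0x80)


def echo_to_wram(addr):
    """Map an Echo RAM address (E000-FDFF) to the WRAM byte it mirrors."""
    if not ECHO_START <= addr <= ECHO_END:
        raise ValueError(f"{addr:04X} is not in Echo RAM")
    return addr - ECHO_OFFSET


def trainer_id_for_banks(bank_c0ef, bank_c0f0):
    """Trainer ID whose high byte lands in C0EF and low byte in C0F0.

    Assumption: the ID is stored big-endian, matching 02 1F <-> 0543.
    """
    for bank in (bank_c0ef, bank_c0f0):
        if bank not in VALID_SOUND_BANKS:
            raise ValueError(f"{bank:02X} is not a listed sound bank")
    return (bank_c0ef << 8) | bank_c0f0


def apply_corruption(coords):
    """Coordinates after the additions, each wrapping as an 8-bit value."""
    return tuple((c + d) & 0xFF for c, d in zip(coords, COORD_DELTAS))


def preset_for_target(target):
    """Bytes to store in D360..D363 so the corruption lands on `target`."""
    return tuple((t - d) & 0xFF for t, d in zip(target, COORD_DELTAS))


if __name__ == "__main__":
    print(f"E109 mirrors {echo_to_wram(0xE109):04X}")
    for hi, lo in [(0x02, 0x02), (0x08, 0x08), (0x1F, 0x1F), (0x02, 0x1F)]:
        tid = trainer_id_for_banks(hi, lo)
        print(f"banks {hi:02X} {lo:02X} -> Trainer ID {tid:05d}")
    # Target: the default coordinates quoted in the article.
    preset = preset_for_target((0x2F, 0x10, 0x01, 0x00))
    print("preset D360..D363:", " ".join(f"{b:02X}" for b in preset))
```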

Attribution

  • Torchickens/ChickasaurusGL (text from YouTube video)

YouTube video

YouTube video by ChickasaurusGL

