0x1500 control code arbitrary code execution: Difference between revisions

(Added an explanation for pfero's first setup.)
Line 109:
4F 15 08 05 C9 00 [code] 37 C9
This works in any unverified string, notably including Pokémon nickname and mail messages. This means that it can be transferred from any Generation I game (with just enough space to jump to a more convenient location) or Generation II game (with more space to possibly write a "built-in" payload).
! {{Explanation|contents=
{| class="wikitable mw-collapsible mw-collapsed"
! Explanation
|-
|
* The first byte, 0x4F, is the <code><nowiki><LINE></nowiki></code> control character, which signifies that the following text is to be printed in the bottom line of the dialogue box (Generation II dialogue boxes only displays two lines of text at a time). This sets the "cursor location" (where the next character would be printed) to a fixed value<ref>[https://github.com/pret/pokecrystal/blob/8fd66c080f201c401419674229f2714853de008f/home/text.asm#L474-L478 The function <code>LineChar</code> that handles the <code><nowiki><LINE></nowiki></code> control character]</ref>, namely 0xC5E1, which is used as a baseline for subsequent setup.
* The second byte, 0x15, makes the text engine go into mobile script mode.
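Review bot: the 0x15 bullet states that the byte puts the text engine into mobile script mode without any source reference, while the 0x4F bullet directly above it cites the `LineChar` handler; adding a matching `<ref>` to the code that handles 0x15 would let readers verify the claim the same way. In the 0x4F bullet, "Generation II dialogue boxes only displays two lines" should read "only display two lines".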
Line 124 ⟶ 121:
:: The first two instructions are "safe" slide instructions, and the third causes the game to return to the location after the 0x00 byte, as mentioned at the beginning of this section.</li>
* The last two bytes, "37 C9", are executed after the main payload, and translates to <code>scf</code> then <code>ret</code>. This will set the carry flag and then return to the main loop for the mobile script mode<ref>[https://github.com/pret/pokecrystal/blob/8fd66c080f201c401419674229f2714853de008f/mobile/mobile_5f.asm#L3543-L3546 The main loop for the mobile script mode]</ref>, where a set carry flag will cause the mobile script mode to terminate normally.
|}}
15 0A C0 00 [code] E1 C9
15 0B C0 00 [code] E1 C9
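Review bot: the line ending "as mentioned at the beginning of this section.</li>" closes an HTML `<li>` that has no opening tag in the visible lines, while the neighbouring items use `*` and `::` wiki list markup; check that the matching `<li>` still exists after the move into the `{{Explanation}}` template, or drop the tag if the HTML list is no longer needed. In the last bullet, "are executed after the main payload, and translates to" should read "translate to" to agree with "The last two bytes".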