Type 0xD0 move glitch: Difference between revisions

Type 0xD0 move glitch, also known as Move 0x00 arbitrary code execution (not to be confused with - (Generation I move) arbitrary code execution in Pokémon Red and Blue) is a glitch in at least English Pokémon Gold and Silver that allows the player to perform arbitrary code execution without using the Coin Case.

An advantage to this glitch over Coin Case glitch is that it may not corrupt the stack (similar to wrong pocket TM ACE which never corrupts the stack), however it requires move 0x00 which can only be obtained by trading a Pokémon with it over from Generation I (such as "-" move Ditto with the swapping Transform moves glitch), obtaining a bad clone, or using another form of arbitrary code execution.

This glitch has been used in any% speedruns of Pokémon Gold and Silver (see here), and was researched by luckytyphlosion. ChickasaurusGL also adapted it for non-speedrunning uses.

Summary

You can execute arbitrary code by moving in a specific way in Cherrygrove City (see pictures below) and viewing move 0x00 from the move description menu in a Pokémon's summary provided the following requirements are met:

1. You have exactly four Pokémon.

1i) The first Pokémon has move 0x00 (e.g. a "CoolTrainer" Ditto).

1ii) The third Pokémon is a low level 'slide' Pokémon you caught in the wild (whether it will work is up to chance but if you find one that works it will always work, possibly the same one compatible for Coin Case ACE without bad DVs etc.)

1iii) To be safe have Pokémon 2 and 3 have the bird and tailed creature menu sprites and have no Pokémon hold an item except for Pokémon 4.

2. Pokémon 4 is a Quagsire with TM02 and Return as its first move (for box name ACE at D8C0 (box 1 character 2)) or a Quagsire with HP Up and Sleep Talk as its first move (for stored items ACE at D61A (second item quantity)).

Before you move one step up and four steps right from picture 3, save the game. Afterwards view Pokémon 1's moves from the move description menu and close it repeatedly until your code works.

Sometimes this will not execute arbitrary code. At times it is possible to get a flashing color 'disco' effect as well.

Example box name code

This box name code with many thanks to Crystal_ for the concept allows us to warp to the Bug-Catching Contest and obtain Celebi.

The box names for that are as follows. × is the multiplication symbol, not the lowercase letter X.

1. Bp'vZ'vL55

2. é'r2p'vA'vF

3. é!Ap'v/'v)

4. é?2p'v5'vA

5. 'vBéA'tp'vZ

6. 'v[é×2

Technical information

When viewing the party screen or the move screen, the game displays small pokémon icons and animates them based on their current hit point values and status. While it is doing this, the game stores the animation data in a structure starting from address $C51C, which lies right beyond the end of screen tile data at $C508. The game can store and animate up to 10 sprites this way.

When viewing the list of moves, the game places the current pokémon's icon in the top left of the screen and animates it, storing the current animation type in address $C51E. This is used to index a jumptable that is used to control the behavior of the animation. By overwriting this address with an invalid value, we can index this table out of bounds, potentially triggering arbitrary code execution.

Move 0x00 has a glitch type, specifically glitch type 0xD0. The source of its glitch type is 0x8350 in VRAM, hence what is or what was on the screen will affect what the game brings up as a type name; possibly with what's on the Pokémon menu affecting 0x8350^{[citation needed]}, as 0x8350 may be written to if you have enough Pokémon menu sprites and/or held items in the party.

When we have 'good' data at 0x8350 the name of the glitch type causes text to print beyond the end of screen tile data, reaching far enough to corrupt address $C51E, wSpriteAnim1AnimSeqID. Depending on the text character written into this fiels, this indexes the animation jumptable out of bounds, potentially triggering ACE.

Due to the structure of the code located right after the jumptable, a reasonable amount of pointers will land in the vicinity of either the $C9xx region or the $E9xx region (echo RAM for the $C9xx region). For smaller maps, execution will safely slide until it reaches three regions:

• $CC20 contains wBGMapBuffer, which temporarily buffers newly inserted tile IDs.
• $CC48 contains wBGMapPalBuffer, which temporarily buffers newly inserted tile palettes.
• $CC70 contains wBGMapBufferPointers, which temporarily buffers VRAM addresses of newly inserted tiles.

All three of these are affected by the movement pattern of the player. wBGMapBuffer and wBGMapPalBuffer do not contain much useful data, but can fairly easily be manipulated to allow execution to safely slide through, while wBGMapBufferPointers can be directly manipulated to jump to a small selection of possible addresses.

Due to the specific movement pattern used, wBGMapBufferPointers starts with the byte sequence of DA 9B FA (jp c, FA9B, at $EC70), which causes the game to execute $FA9B (echo RAM for $DA9B).

As $DA9B is Pokémon 3's Speed DVs, we can make the data slide over to Pokémon 4. Using Quagsire, the code can be redirected to somewhere else (such as box names or stored items) where we can spell out code.

Here is the assembly code for the box name code to obtain Celebi:

xor a
sub 99
sub 8b
ei
ei
ld d,b
ld [f8d3],a
xor a
sub 80
sub 85
ld d,b
ld [80e7],a
xor a
sub f3
sub 9b
ld d,b
ld [f8e6],a
xor a
sub fb
sub 80
ld d,b
sub 81
ld [d580],a
xor a
sub 99
ld d,b
sub 9e
ld [f8f1],a
ld d,b
ld d,b
ld d,b
ld d,b

YouTube video

See also

• Glitch City Laboratories Forums thread