Type 0xFF mail arbitrary code execution (Japanese Crystal)
Please note that this glitch only exists in the Japanese versions of the game, or is otherwise a glitch from a Pokémon game which was only released in Japan.
Type 0xFF mail arbitrary code execution is an arbitrary code execution method in Japanese Pokémon Crystal. In the English version a mail of type 0xFF only causes unusual effects (see mailbox glitches) and does not lead to arbitrary code execution; the Japanese version handles the mail differently, and that difference is what makes code execution possible.
This method makes the program counter jump to 1:D9D9 (WRAM bank 1, address D9D9), so whatever bytes are stored there are executed as code. At that point the screen is white and the stack is corrupted, but a payload placed there can still open SRAM and modify the save file, and the changes are visible after resetting the game.
Method
Requirements
- There must be a 0xFF type mail in the mailbox. The mail-type address for the first mail item is at 0:A822 in SRAM. Currently, it is not known how to achieve this without another arbitrary code execution method.
- 1:D9D9 must hold code that opens SRAM and writes to it. D9D9 corresponds to Balls pocket item 135, so the Balls pocket must first be extended far past its normal size by an overflow/underflow using the duplicate key items glitch or by ????? map corruption (both can be set up with the bad clone glitch, or key items can be traded over from Generation I, e.g. after modifying the catch rate/held item with Generation I arbitrary code execution).
For example, the following payload, ten items long, changes the species of the first boxed Pokémon to Celebi (species index 251, 0xFB) by writing that value both to the box's species list and to the Pokémon's data structure. Some adjustments may be needed to set this up in practice, since several of the quantity bytes lie outside the normal 1 to 99 range. It does not interfere with the save checksum.
Bytes
3E 0A EA 00 00 3E 02 EA 00 40 3E FB EA 01 A0 EA 20 A0 C9
Assembly
ld a,0a      ; MBC3 SRAM enable value
ld (0000),a  ; open SRAM
ld a,02
ld (4000),a  ; select SRAM bank 2, where the box data lives
ld a,FB      ; Celebi (251)
ld (a001),a  ; first entry of the box species list
ld (a020),a  ; species byte of the first Pokémon's data structure
ret
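The following is an added example and not part of the original page: a small Python model of the payload above, just enough to check before touching a real save that the item bytes at 1:D9D9 enable SRAM, select bank 2, write 0xFB (Celebi) to A001 and A020 and then RET, and to list which item quantities fall outside the normal 1 to 99 stack range (one reason adjustments are needed in practice). Only the three SM83 opcodes the payload uses are implemented, so any other byte reached by the program counter is reported as an error rather than silently executed. The MBC3 register addresses are the cartridge's real ones; the assumptions are that D9D9 is the item ID byte of item 135 (so the pairs below are ID then quantity) and that the box layout is the 30-Pokémon Japanese one with the species list at A001 and the first box_struct at A020 in SRAM bank 2, which is consistent with the addresses the payload writes.

```python
from typing import List, Optional, Tuple

PAYLOAD_ADDR = 0xD9D9   # 1:D9D9, Balls pocket item 135 (assumed to be its item ID byte)
CELEBI = 0xFB           # Generation II species index 251
PAYLOAD = bytes.fromhex("3E0AEA00003E02EA00403EFBEA01A0EA20A0C9")

# Assumed Japanese Crystal box layout (30 Pokémon per box): SRAM bank 2,
# species list entry 1 at A001, first box_struct (species byte first) at A020.
BOX_BANK = 2
BOX_SPECIES_LIST_FIRST = 0xA001
BOX_FIRST_MON = 0xA020


class Mbc3Machine:
    """Just enough of a Game Boy plus MBC3 cartridge to run the payload."""

    def __init__(self) -> None:
        self.wram = bytearray(0x2000)                       # C000-DFFF (bank 1)
        self.sram = [bytearray(0x2000) for _ in range(4)]   # four 8 KiB save banks
        self.sram_enabled = False
        self.ram_bank = 0
        self.a = 0
        self.pc = 0
        self.trace: List[str] = []

    def read(self, addr: int) -> int:
        if 0xC000 <= addr <= 0xDFFF:
            return self.wram[addr - 0xC000]
        raise RuntimeError(f"fetch from unmodelled address {addr:04X}")

    def write(self, addr: int, val: int) -> None:
        if addr <= 0x1FFF:                                  # MBC3 RAM enable register
            self.sram_enabled = (val & 0x0F) == 0x0A
            self.trace.append(f"SRAM enable <- {val:02X}")
        elif 0x4000 <= addr <= 0x5FFF:                      # MBC3 RAM bank register
            if val > 3:
                raise RuntimeError(f"RAM bank value {val:02X} selects RTC, not modelled")
            self.ram_bank = val
            self.trace.append(f"RAM bank <- {val}")
        elif 0xA000 <= addr <= 0xBFFF:                      # external RAM = save file
            if not self.sram_enabled:
                raise RuntimeError(f"write to {addr:04X} while SRAM is disabled")
            self.sram[self.ram_bank][addr - 0xA000] = val
            self.trace.append(f"SRAM {self.ram_bank}:{addr:04X} <- {val:02X}")
        elif 0xC000 <= addr <= 0xDFFF:
            self.wram[addr - 0xC000] = val
        else:
            raise RuntimeError(f"write to unmodelled address {addr:04X}")

    def run(self, entry: int, max_steps: int = 64) -> None:
        """Execute from entry until RET. Only LD A,n8 / LD (a16),A / RET exist here."""
        self.pc = entry
        for _ in range(max_steps):
            op = self.read(self.pc)
            if op == 0x3E:                                  # LD A,n8
                self.a = self.read(self.pc + 1)
                self.pc += 2
            elif op == 0xEA:                                # LD (a16),A, little-endian address
                addr = self.read(self.pc + 1) | (self.read(self.pc + 2) << 8)
                self.write(addr, self.a)
                self.pc += 3
            elif op == 0xC9:                                # RET: the real stack is corrupt,
                return                                      # so the model simply stops here
            else:
                raise RuntimeError(f"unsupported opcode {op:02X} at {self.pc:04X}")
        raise RuntimeError("payload did not RET within max_steps")


def run_payload(payload: bytes = PAYLOAD) -> Mbc3Machine:
    """Place the item bytes at 1:D9D9 and jump there, as the glitch does."""
    m = Mbc3Machine()
    start = PAYLOAD_ADDR - 0xC000
    m.wram[start:start + len(payload)] = payload
    m.run(PAYLOAD_ADDR)
    return m


def execution_error(payload: bytes) -> Optional[str]:
    """Return the error message a bad payload produces, or None if it ran cleanly."""
    try:
        run_payload(payload)
    except RuntimeError as e:
        return str(e)
    return None


def first_box_mon_is(m: Mbc3Machine, species: int) -> bool:
    bank = m.sram[BOX_BANK]
    return (bank[BOX_SPECIES_LIST_FIRST - 0xA000] == species
            and bank[BOX_FIRST_MON - 0xA000] == species)


def item_entries(payload: bytes) -> List[Tuple[int, Optional[int]]]:
    """View the payload as the pocket stores it: (item ID, quantity) pairs.
    A trailing odd byte is an ID whose quantity lies past the payload; the
    RET at the end executes before that byte matters."""
    pairs = [(payload[i], payload[i + 1]) for i in range(0, len(payload) - 1, 2)]
    if len(payload) % 2:
        pairs.append((payload[-1], None))
    return pairs


def glitch_quantity_slots(payload: bytes) -> List[int]:
    """Indexes of entries whose quantity is outside the normal 1..99 range and
    therefore cannot be produced by ordinary item handling."""
    return [i for i, (_, qty) in enumerate(item_entries(payload))
            if qty is not None and not 1 <= qty <= 99]


if __name__ == "__main__":
    machine = run_payload()
    print("\n".join(machine.trace))
    print("first boxed Pokémon is Celebi:", first_box_mon_is(machine, CELEBI))
    print("entries needing glitch quantities:", glitch_quantity_slots(PAYLOAD))
```

Running the file prints the bus trace (enable, bank select, two SRAM writes), confirms the species bytes, and lists entries 1, 3, 5, 7 and 8 as needing quantities of 0 or above 99. Dropping the two enable instructions, or the final RET, turns into an error from `execution_error` instead of a silent wrong write, which is the property worth checking before investing the setup time a real save requires.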
Credits
- User:Evie (Torchickens) (initial documentation)