Type 0xFF mail arbitrary code execution (Japanese Crystal)

From Glitch City Wiki
Please note that this glitch only exists in the Japanese versions of the game, or is otherwise a glitch from a Pokémon game which was only released in Japan.
This article is incomplete. Please feel free to add any missing information about the subject.
Reason: Step by step method

Type 0xFF mail arbitrary code execution is an arbitrary code execution method in Japanese Pokémon Crystal. The English version behaves differently (see mailbox glitches): there the glitch causes some unusual effects in the game but does not lead to arbitrary code execution.

This method sets the program counter to 1:D9D9 and executes whatever is stored there as code. Although the screen is white at this point and the stack is corrupted, the executed code can still modify the save file, and the user can see the applied changes after resetting the game.

Method

Requirements

  • There must be a 0xFF type mail in the mailbox. The mail-type address for the first mail item is at 0:A822 in SRAM. Currently, it is not known how to achieve this without another arbitrary code execution method.
  • D9D9 must hold code which opens SRAM and writes to it. D9D9 corresponds to Balls pocket item 135, so an overflow/underflow with the duplicate key items glitch or ????? map corruption is necessary. Both can be set up with the bad clone glitch; alternatively, key items can be traded over from Generation I (e.g. by modifying the catch rate/held item with Generation I arbitrary code execution).

For example, the following ten-item-long code replaces the species of the first boxed Pokémon with Celebi (note that some adjustments may need to be made to achieve the same effect in practice). This does not interfere with the save checksum.

Bytes       Assembly

3E 0A       ld a,0a        ; MBC3: writing 0A to 0000-1FFF enables SRAM
EA 00 00    ld (0000),a
3E 02       ld a,02        ; MBC3: writing to 4000-5FFF selects the SRAM bank (bank 2)
EA 00 40    ld (4000),a
3E FB       ld a,FB        ; FB = 251 = Celebi
EA 01 A0    ld (a001),a    ; first entry of the box's species list
EA 20 A0    ld (a020),a    ; species byte of the first boxed Pokémon's data
C9          ret

Credits