PMD: Red Rescue Team: Arbitrary code execution with hex:0999 glitch move info
Finally! I found arbitrary code execution in Pokémon Mystery Dungeon: Red Rescue Team!
Viewing a hex:0999 glitch move's info will cause the game to start executing code somewhere around 5ec1200c.
Viewing the glitch move name rarely occurs, so I have prepared a save state for this.
Just load the save state in VBA, click Info, and enjoy the glitchness!
(Note: The save state has been created on VBA version 1.8.0)
Did you use original VBA? Since that emulator is very old and inaccurate, could you please try VBA-M and/or mGBA?
I did use the VBA 1.8.0 and I do not want to change versions.
I checked it; this is a buffer overflow caused by the glitch move's description. Code execution takes place by overwriting the IRQ handler (similar to what happens in Gen III with decamark summary screens).
This exact move is not exploitable, since the instruction pointer lands in unmapped memory. But there probably is an index that would work for ACE.
Edit: Never mind, it actually locks up the game in both mGBA and No$gba Debug, so I'm forced to think that this is just an emulation error.