PRAMA Initiative a également une page sur . |
This article is incomplete. Please feel free to add any missing information about the subject. It is missing: Index number. |
Arbitrary code execution (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see Game Boy memory map). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player.
It commonly involves an invalid execution pointer (such as via glitch items in Generation I). In English versions, another popular method is as a side effect of the Coin Case glitch in English Pokémon Gold and Silver, which the player can manipulate to run custom assembly code.
This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games.
In Generation I
Via items
Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution.All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and write the main payload there. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".
There are many ways to obtain those glitch items through glitches. In Pokémon Red, Green, and Pokémon Blue (Japanese), the Select glitch can easily create any glitch item. In the international versions, the most common method is to first obtain an expanded item pack, then find the glitch item in the X coordinate (Celadon looping map trick) or in roaming items.
Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its ItemDex page.
|
Useful item codes
See Generation I item codes for some useful item lists for 8F (and possibly other ACE methods).Via text boxes
Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like text box ID matching can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution.Notable setups for text box ACE include:
Sea Route 21 0x44 text box glitch (English Yellow), which is accessed by text box ID matching. Pikachu off-screen glitch ACE, which works by forcing the non-existing sign 04 to appear in the Vermilion City Fan Club.
Via "TRAINER 4" (hex:FC)
This method will make "TRAINER 4" (hex:FC) (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.
Requirements :
No Pokémon must ever have been deposited info the Daycare (even on a previous save file) Knowing and being able to perform the Trainer escape glitch A Pokémon with a Special stat of 252
One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC) Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.
The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.
REDIRECT Template:YouTube
In Generation II
PRAMA Initiative a également une page sur . |
Gold and Silver
Main article: Coin Case glitchThe English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.
While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.
Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items.
Crystal
Main article: Coin Case glitchIn REDIRECT Template:Crystal, there is a recently found way to execute arbitrary code. It is based on getting a Pokémon with an unterminated name (can be done with the bad clone glitch) and viewing its name unprotected (e.g. in the stats screen or in the PC).
This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the any% speedrun route was based on this method. However, the current route now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored. REDIRECT Template:YouTube
In Generation III
There are at least three methods of arbitrary code execution, all stemming from the use of Glitzer Popping.Via stack overflow
Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM.The method is dependent on save block ordering and is somewhat impractical, but was first performed in this video by TheZZAZZGlitch.
Via glitch move animation
Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc. By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc. Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000.Version | Move ID | EVs | Target |
---|---|---|---|
US | 0x1608 | 8 HP 22 Attack | 0x02030400 (Box 12, slot 15) |
JP | 0x3110 | 16 HP 49 Attack | 0x02330000 (Box 12, slot 14) |
On other versions, setting up the bootstrap script is more complicated. There is a Pastebin guide for this by Metarkai.
This strategy was used in this TAS by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name.
This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working.
Via glitch sprite animation
Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx.Version | Species ID | EVs | Target | ARM/THUMB |
---|---|---|---|---|
US | 0x40E9 | 233 HP 64 Attack | 0x0206FFFF (Box 12 Slot 3) | THUMB |
US | 0x0611* | 17 HP 6 Attack | 0x0206FEFE (Box 12 Slot 3) | ARM |
JP | 0x085F | 95 HP 8 Attack | 0x0206FFFF (Box 12 Slot 3) | THUMB |
JP | 0x0615* | 21 HP 6 Attack | 0x0206FEFE (Box 12 Slot 3) | ARM |
THUMB or ARM code can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters.
On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions.
This glitch has been used in the latest (as of 2020/03/19) Any% WR Emerald speedrun by Startoria: https://www.youtube.com/watch?v=M5HrQM5boQs. The code used in the run was written by merrp.
This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3.
In Generation VI
A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.Custom data
Arbitrary code execution can be used to create custom data, such as sprites, text and sounds.Custom Pokémon and Trainer front/back sprites Custom maps Custom player sprite Custom Pokédex entries Custom screens Custom text boxes Custom tilesets Custom PCM sound effects
Related articles
Executing large programs with arbitrary code execution. Cart-swap arbitrary code execution Remote code execution List of 8F bootstrap setups List of arbitrary code execution programs GB Programming