Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of an article from Glitch City Laboratories wiki.

A live version of this article is available at the Glitch City Wiki here.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of the wiki in .tar.gz or .xml.gz formats.

Arbitrary code execution

Template:Template:Major_glitches Template:Template:Arbitrary_code_execution
PRAMA Initiative a également une page sur .
This article is incomplete. Please feel free to add any missing information about the subject. It is missing: Index number.

Arbitrary code execution (Japanese: 任意コード実行) refers to a method that allows the player to force the game to run code in a write-enabled region of the game, often WRAM or RAM (see Game Boy memory map). If it is manipulable (e.g. if the region is in a representation of the player's current party), this can be abused to run custom code written by the player.

It commonly involves an invalid execution pointer (such as via glitch items in Generation I). In English versions, another popular method is as a side effect of the Coin Case glitch in English Pokémon Gold and Silver, which the player can manipulate to run custom assembly code.

This custom code is often spelled with items, as a stack of items uses only two (Generation I/II) or four (Generation III) bytes. Box names are also an option for Generation II games.

In Generation I

Via items

Each item that is not a TM or HM (more precisely, with ID less than HM01 (0xC4)), when used, gets its effect from a pointer table. For some glitch items, this effect pointer points to the RAM, enabling arbitrary code execution.

All known ACE glitch items jump into an RAM area that is possible to manipulate, but not quite as easy to manipulate as the item pack. Therefore it is popular to jump to the third item in the item pack, and write the main payload there. This strategy of first jumping to an easier to manipulate RAM area is called "bootstrapping".

There are many ways to obtain those glitch items through glitches. In Pokémon Red, Green, and Pokémon Blue (Japanese), the Select glitch can easily create any glitch item. In the international versions, the most common method is to first obtain an expanded item pack, then find the glitch item in the X coordinate (Celadon looping map trick) or in roaming items.

Below is a summary of commonly used ACE glitch items. For more information, including bootstrapping setups, click on the name of an item to go to its ItemDex page.

VersionIDNameEffect pointerPointing toNotes
English Red/Blue0x6A-gm$DA47Safari Ball countFollowed by Day Care data and box Pokémon data

Equivalent to なかよしバッジ due to the fix for the old man full box glitch
Japanese Red/Green/Blue0x67なかよしバッジ$D983Safari Ball countFollowed by Day Care data and box Pokémon data
English Red/Blue0x5D8F$D163Party Pokémon dataEquivalent to 5かい due to the fix for the old man full box glitch
European non-English Red/Blue0x5D7EME ETAGE / S7 / 7°P / P7Party Pokémon dataSame item as 8F
Japanese Red/Green/Blue0x5A5かい$D123Party Pokémon data
English Yellow0x63ws m$DA7FBox Pokémon data
European non-English Yellow0x63ws l' m / ws & mBox Pokémon dataSame item as ws m
English Yellow0x594F$FA64Middle of Day Care data
European non-English Yellow0x593EME ETAGE / S3 / 3°P / P3$FA64Middle of Day Care dataSame item as 4F
Japanese Red/Green0x7Bてヘ$D806Grass encounter tableCan be changed to the player's name by the old man
Japanese Blue0x7BItemDexJP/B:123$D806Grass encounter tableSee てヘ. Requires 0x50 sub-tile.
Notice that the items in the European non-English versions are all the same as the corresponding item (with the same ID) in English version; however, due to differences in memory layout, the bootstrapping setups will be slightly different. (The "floor items" have different numbers because in those countries, "first floor" refers to what is called second floor in American English.)

Useful item codes

See Generation I item codes for some useful item lists for 8F (and possibly other ACE methods).

Via text boxes

Each map has a number of different map-specific text boxes, with a table of pointers pointing to each piece of text. Certain glitches like text box ID matching can force the game to display a text box that doesn't exist on the current map, which means the pointer may point to anything, including into the RAM. From here, a 0x08 (TX_ASM) text command in a suitable location will enable arbitrary code execution.

Notable setups for text box ACE include:

  • Sea Route 21 0x44 text box glitch (English Yellow), which is accessed by text box ID matching.
  • Pikachu off-screen glitch ACE, which works by forcing the non-existing sign 04 to appear in the Vermilion City Fan Club.

    Via "TRAINER 4" (hex:FC)

    This method will make "TRAINER 4" (hex:FC) (encountered via the Trainer escape glitch) run code based on the data of the Pokémon in the current PC box.

    Requirements :

  • No Pokémon must ever have been deposited info the Daycare (even on a previous save file)
  • Knowing and being able to perform the Trainer escape glitch
  • A Pokémon with a Special stat of 252

  • One must perform the Trainer escape glitch using a Special stat of 252 (hex:FC)
  • Aside from the ZZAZZ effects, upon selecting an attack, code based on the data of the Pokémon that was last deposited into the Daycare (specifically at $FA58) will be run. If no Pokémon was ever deposited, the script will "fall" to boxed Pokémon data.

    The code at $D040 may also to be adjusted, as not to freeze the game, due to Trainer AI scripts having at least two (ignoring duplicates) separate routines. This Trainer is only known to execute $FA58 and $D040.

  • REDIRECT Template:YouTube

    In Generation II

    PRAMA Initiative a également une page sur .

    Gold and Silver

    Main article: Coin Case glitch

    The English versions of Pokémon Gold and Silver use a hex:57 character as a terminator for the Coin Case's "Coins: (x)" text, like in the Japanese versions.

    While this is a valid control character for the Japanese version, it isn't for the English versions, causing the game to jump into the memory at echo RAM address E112 and execute code there.

    Bellsprout, Machop and Machamp's cries make the coin case run a "inc sp" which changes the game into running code based on a palette table. Standing at certain places makes the code jump to data regarding party Pokémon data, and finally to the PC items.


    Main article: Coin Case glitch

  • REDIRECT Template:Crystal, there is a recently found way to execute arbitrary code. It is based on getting a Pokémon with an unterminated name (can be done with the bad clone glitch) and viewing its name unprotected (e.g. in the stats screen or in the PC).

    This method was first used in a speedrun by Werster. The exploitation strategy consists of renaming boxes to specific names, and jumping there with a specific trainer ID. Until mid 2020, the any% speedrun route was based on this method. However, the current route now consists of using wrong pocket TM22 to achieve ACE, using the item quantity buffer and item quantity change buffer to quickly jump into the Mail buffer, where the payload is stored.
  • REDIRECT Template:YouTube

    In Generation III

    There are at least three methods of arbitrary code execution, all stemming from the use of Glitzer Popping.

    Via stack overflow

    Certain glitch pokemon have very long species names that overflow the stack and cause execution to jump to save RAM.

    The method is dependent on save block ordering and is somewhat impractical, but was first performed in this video by TheZZAZZGlitch.

    Via glitch move animation

    Similar to the above, certain glitch moves that can be acquired via Glitzer Popping have animation scripts that point to PC data. When the animation for these moves play, PC data is treated like an animation script and may create sprites, call callbacks, etc. By writing an animation script that launches a visual or sound task, execution can be redirected into bad data, PC data, PC Box names etc. Below are the most relevant glitch move IDs, EVs required on the in-game trade Plusle to acquire them with glitzer popping, and target script addresses for different versions of Pokemon Emerald. Note that due to address mirroring, addresses like 0x02330000 are mirrored with 0x02030000.
    VersionMove IDEVsTarget
    US0x16088 HP 22 Attack0x02030400 (Box 12, slot 15)
    JP0x311016 HP 49 Attack0x02330000 (Box 12, slot 14)
    As for the animation script, a Pokemon nickname can be used on Japanese Emerald, using this character map. An example script may look like: 1F zz yy xx ww FF to execute code at address 0xWWXXYYZZ.

    On other versions, setting up the bootstrap script is more complicated. There is a Pastebin guide for this by Metarkai.

    This strategy was used in this TAS by merrp, using a bootstrap nickname of: 1F 09 18 03 02 FF (まけねうい), targeting Box 1's name.

    This method is somewhat finicky because of its dependence on Emerald's memory layout randomization. If the bootstrap in the PC does not line up exactly with the script address, code will not be executed. This means that blindly, per battle, this method has only a 1/32 chance of actually working.

    Via glitch sprite animation

    Yet another case where glitch pokemon/moves have exploitable behavior. In Emerald, each pokemon's sprite has a small animation when its summary is viewed. Certain glitch pokemon have sprites whose animation callbacks are in RAM, specifically, again, in PC data. Below are the relevant species IDs, EVs required on the in-game trade Seedot to acquire, and target addresses. Again, due to address mirroring, 0x0206xxxx is mirrored with 0x0202xxxx.
    VersionSpecies IDEVsTargetARM/THUMB
    US0x40E9233 HP 64 Attack0x0206FFFF (Box 12 Slot 3)THUMB
    US0x0611*17 HP 6 Attack0x0206FEFE (Box 12 Slot 3)ARM
    JP0x085F95 HP 8 Attack0x0206FFFF (Box 12 Slot 3)THUMB
    JP0x0615*21 HP 6 Attack0x0206FEFE (Box 12 Slot 3)ARM
    Species IDs with asterisks cannot be safely viewed from the summary screen; the game will crash from its species name. They can only be used for ACE by either hatching them from an Egg, or viewing their animation in a Pokemon Contest.

    THUMB or ARM code can be executed by using PC Box names as instructions and leaving Boxes 12-14 empty. This is much easier on JP Emerald due to the number of available characters.

    On US Emerald using species 0x40E9, since writing THUMB code is extremely limited, it may be useful to place a pokemon with the following nickname in Box 12 Slot 4: (x♂zN”6FFxC). This switches execution into ARM mode at Box 12 Slot 13's nickname, as long as your Trainer ID & Secret ID are valid THUMB instructions.

    This glitch has been used in the latest (as of 2020/03/19) Any% WR Emerald speedrun by Startoria: The code used in the run was written by merrp.

    This is by far the most consistent method of ACE in Emerald. Once the glitch pokemon is acquired, all that's needed is to look at it, either by hatching it from an Egg, from the summary, or a Pokemon Contest. Although Emerald's memory randomization still shifts PC data around, as long as code is placed far enough past the maximum shift distance, it will execute 100% of the time. This is why it is suggested to place code in box names or Box 12 Slot 4 even though this targets Box 12 Slot 3.

    In Generation VI

    A heap overflow utilising a crafted Secret Base name can be used to achieve arbitrary code execution in Pokémon Omega Ruby and Alpha Sapphire. This vulnerability ("basehaxx") was found by MrNbaYoh and is used to execute homebrew/unsigned code on the 3DS.

    Custom data

    Arbitrary code execution can be used to create custom data, such as sprites, text and sounds.

  • Custom Pokémon and Trainer front/back sprites
  • Custom maps
  • Custom player sprite
  • Custom Pokédex entries
  • Custom screens
  • Custom text boxes
  • Custom tilesets
  • Custom PCM sound effects

  • Executing large programs with arbitrary code execution.
  • Cart-swap arbitrary code execution
  • Remote code execution
  • List of 8F bootstrap setups
  • List of arbitrary code execution programs
  • GB Programming