Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of an article from Glitch City Laboratories wiki.


Cart-swap arbitrary code execution

Cart-swap arbitrary code execution is an exploit for Game Boy and Game Boy Color games running on physical hardware (a Game Boy Color, or a SNES through the Super Game Boy), in which the player swaps one cartridge for another while the system is still powered on, so that data left in RAM by the first game can be carried over to the second, or arbitrary code run under it.

This technique was developed by ISSOtm and TheZZAZZGlitch, inspired by MrCheeze's Magi Nation exploit, in which he executed arbitrary code in Magi Nation for Game Boy Color using data left over from Pokémon Red's 255 Pokémon glitch.

It was originally nicknamed the "Luigi exploit" because the player forces the game to do 'absolutely nothing' until the cartridge is swapped, a reference to the "Luigi wins by doing absolutely nothing" meme.

Cart-swap arbitrary code execution is bootstrapped from another form of arbitrary code execution, such as 8F, which supplies the code that runs while the cartridge is being swapped.

During cart-swap arbitrary code execution, interrupts must normally be disabled (di) before the cartridge is removed: the interrupt vectors at $0040-$0060 and their handlers live in cartridge ROM, so any interrupt taken while no cartridge, or a different one, is in the slot would execute whatever the cartridge bus happens to return. For the same reason the code that runs across the swap must sit entirely in RAM and must not call anything in ROM until the new cartridge is in place.

Applications

  • Force-boot another game without going through the boot ROM, including running a CGB game in DMG mode. The game may come up with the wrong palette.
  • Warp to the credits in Super Mario Land 2
  • Activate TCG debug menu

    Booting up a game without setting the palette



    Set up 8F arbitrary code execution and arrange the item pack as follows (8F in slot 1; the "any item" slot appears as Master Ball x1 in the bytes below):

    8F

    Any item

    TM43 x22

    Moon Stone x1

    Master Ball x147

    Antidote x121

    Escape Rope x176

    Fire Stone x250

    Parlyz Heal x21

    Guard Spec. x32

    TM45 x175

    Great Ball x111

    Carbos x1

    TM33 xAny

    Bytes:

    5d 01 01 01 f3 16 0a 01 01 93 0b 79 1d b0 20 fa 0f 15 37 20 f5 af 03 6f 26 01 e9 01

    ASM (8F begins executing at D322, the third item slot):

    D322  F3        di
    D323  16 0A     ld d,$0A
    D325  01 01 93  ld bc,$9301
    D328  0B        dec bc
    D329  79        ld a,c
    D32A  1D        dec e
    D32B  B0        or b
    D32C  20 FA     jr nz,D328
    D32E  0F        rrca
    D32F  15        dec d
    D330  37        scf
    D331  20 F5     jr nz,D328
    D333  AF        xor a
    D334  03        inc b
    D335  6F        ld l,a
    D336  26 01     ld h,$01
    D338  E9        jp hl

    The di keeps interrupts from being taken while no cartridge is present; the two nested loops burn time for the swap (the outer jump returns to dec bc rather than ld bc, so every pass after the first counts bc all the way from $0000 through $FFFF); dec e, rrca, scf and inc b are padding whose bytes double as valid item ids and quantities and do not affect the loop conditions; and the final jump lands on $0100, the entry point of whatever cartridge is now in the slot, with A cleared.

    Upon using 8F the game hangs for a few moments while the delay loop runs; interrupts are already off because the payload begins with di. During that time pull out the cartridge and insert the other one, and it boots, possibly with a palette carried over from Pokémon Red since the boot ROM never runs to set one. Do not use a game that only works on Game Boy Color or later: the payload clears A (xor a) before jumping to $0100, and Game Boy Color games decide at entry from A (the boot ROM leaves $11 there on a Game Boy Color) whether to run in colour mode.

    Force boot in Game Boy mode

    Run the following code (created by TheZZAZZGlitch). It has the same shape as the 8F payload above: di, a delay loop (here bc is reloaded to $FFFF on every pass), then jp $0100 with A at 0 (the loop exits when ld a,c / or b yields zero), so the new game starts as it would on a Game Boy.

    F3 16 0B 01 FF FF 0B 79 B0 20 FB 15 20 F5 C3 00 01

    Force boot game in GBC mode

    Run the following code (created by TheZZAZZGlitch). It is the Game Boy mode program with ld a,$11 (3E 11) inserted before the jp $0100, the value the Game Boy Color boot ROM leaves in A, so that the new game takes its Game Boy Color path.

    F3 16 0B 01 FF FF 0B 79 B0 20 FB 15 20 F5 3E 11 C3 00 01

    Super Mario Land 2 credits

    Refer to executing large programs with arbitrary code execution and write the following code, then run it with your execution method (created by TheZZAZZGlitch). After its delay loop it copies 255 bytes of the newly inserted ROM (from $01E5) into WRAM at D000, patches the copy and runs it from RAM.

    F3 16 0B 01 FF FF 0B 79 B0 20 FB 15 20 F5 21 00 D0 11 E5 01 0E FF 1A 22 13 0D 20 FA AF EA 30 D0 21 37 D0 3E 3E 22 3E 01 22 3E EA 22 3E D5 22 3E A2 22 3E C3 22 3E 1C 22 3E 02 22 21 E0 D0 3E 21 22 AF 22 3E D1 22 3E 01 22 AF 22 3E 1F 22 3E AF 22 3E 22 22 3E 0B 22 3E 79 22 3E B0 22 3E 20 22 3E F9 22 3E C3 22 AF 22 3E D0 22 C3 E0 D0

    Execute it only after Super Mario Land 2 has previously been turned off at its title screen. A white screen appears after the swap; press Start and play a stage, and the credits trigger immediately.

    Pokémon TCG (EU) debug menu

    Created by ISSOtm. For the English European version. This does not work on US versions.

    Steps:

    1) Use a Game Boy program writing exploit to write data.

    In this example we write offgao's memory editor, known as "Pocket Computer" and ported by cryo, and then use it as a tool to write the data for the cart-swap program.

    The Pocket Computer is written to DA80-DB7C using a modified version of TheZZAZZGlitch's method of writing and executing large programs.

    The following items are required:

    Items:

    Bicycle

    8F

    X Accuracy x97

    Burn Heal x126

    Paralyz Heal x15

    HP Up x15

    Ice Heal x15

    Potion x134

    TM34 x20

    TM15 x46

    Leaf Stone x52

    Great Ball x201

    TM10 x1

    TM18 x46

    (any non duplicate item) x (any)

    TM34 x128

    (any non duplicate item) x (any)

    TM19 x46

    TM34 x0

    (any non duplicate item) x (any)

    Item C3 ("H") x 128

    TM18 x 201

    Method for setting up Pocket Computer:

    1) Swap TM18 x46 with TM15 x46, use 8F and jump off a ledge to walk through walls. This lets the player stand on otherwise impassable tiles, so that every X and Y coordinate from 00 to 0F can be reached. There will now be a TM34 x21 instead of x20.

    2) Swap TM18 and TM15 back, swap the TM34 below Potion with TM34 x128 and use the Bicycle. The program is now in 'entering mode': each use of 8F writes one byte, starting at DA80 and advancing one address per use, whose value is taken from the player's position: the Y coordinate is the high nybble and the X coordinate the low nybble. For example, standing at y=0C, x=09 writes C9 (ret).

    3) Swap TM18 with TM19 and the TM34 now below Potion (x128) with TM34 x0; the TM id is the high byte of the write address and that TM34's quantity its low byte, so writes now start at DB00. Enter the bytes for DB00 onward. To run the created code, put item C3 x128 and TM18 x201 in item slots 3 and 4: those bytes are C3 80 DA C9, i.e. jp $DA80 followed by ret, so 8F jumps straight into the Pocket Computer.

    Coordinates map:



    Data you need (DA80-DAFF is entered in step 2, DB00-DB7C in step 3):

    @DA80: 07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 F6 F7 F8 F9 FA FB FC FD FE FF 60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5 01 0A 00 09 C1 15 20 F3 C1 3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 31 38 C1 F0 B5 FE 02 C8 FE 03 20 03 00 C5 C9 FE 40 20 01 0B FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D FE 24 20 06 21 00 FF

    @DB00: 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16 01 FE 28 20 02 16 F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A 18 00 F5 3A 22 F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F CD 6A DB 3E E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9

    After you finish writing the data, save the game and then write the following bytes with the memory editor you just created:

    @DF00: 21 F8 DF 36 01 2E 11 0E 83 06 03 CD 8A 05 C3 83 FF 3E CA E0

    @DF14-DF50: 00 (fill every address from DF14 through DF50 with 00)

    @DF51: 21 83 FF 36 C3 23 36 00 23 36 DF C3 8D 01 21 00 C0 01 00 1F C3 E3 03 21 00 C0 01 00 1F C3 E3 03

    @D53B: 3E 10 E0 FF 07 E0 00 76 00 3E 01 E0 FF 76 00 21 50 01 11 14 DF 06 3D CD B7 06 21 1F DF 36 68 23 72 C3 14 DF

    @D322: C3 3B D5 (D322 is item slot 3, so this jp $D53B makes the next use of 8F run the routine at D53B)

    Note that the DFxx region is not preserved across a save and reset, which is why the game is saved before these bytes are written; if the trick does not work the first time, the DF00-DF70 bytes have to be entered again.

    Use 8F again (it now jumps to D53B), then swap the cartridge for a European version of Pokémon Trading Card Game and press any button: the D53B routine halts with only the joypad interrupt enabled (ld a,$10 / ldh ($FF),a / halt), so the button press is what lets it continue. The game should boot into Pokémon Trading Card Game with Red/Blue's palette, and the debug menu is reached by choosing 'continue by diary'.
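An added example, not from the wiki: the Pocket Computer step above means a lot of walking, so this Python parses the page's "@ADDR: bytes" listings (the DA80/DB00 data and the DFxx patch entered afterwards, both copied here from the page), checks that no address is written twice with different values, reports the contiguous ranges, and turns each byte into the tile to stand on and how many times to use 8F there (Y = high nybble, X = low nybble, as in step 2). The "@START-END: byte" fill form is this example's own notation for the DF14-DF50 block.

```python
"""Plan the Pocket Computer phase of the TCG debug-menu setup.

Added example, not code from the wiki.  parse_dump() reads the "@ADDR: bytes"
dump notation used on this page (plus "@START-END: byte" for a filled range, the
form used here for DF14-DF50) into an address -> byte map, and walk_plan() turns
a block of bytes into the tile the player stands on for each use of 8F, following
the page's rule: Y coordinate = high nybble, X coordinate = low nybble.
The byte listings below are copied from the page.
"""
import re

MARKER = re.compile(r"@\s*([0-9A-Fa-f]{4})(?:\s*-\s*([0-9A-Fa-f]{4}))?\s*:")

def parse_dump(text):
    """{address: byte}.  A range repeats its byte pattern; writing one address
    twice with different values raises, which is how a typo usually shows up."""
    mem = {}
    parts = MARKER.split(text)  # [prefix, start, end, body, start, end, body, ...]
    for start, end, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        data = bytes.fromhex(body)  # whitespace between bytes is skipped
        if not data:
            raise ValueError(f"no bytes after @{start}")
        first = int(start, 16)
        last = int(end, 16) if end else first + len(data) - 1
        for addr in range(first, last + 1):
            value = data[(addr - first) % len(data)]
            if mem.get(addr, value) != value:
                raise ValueError(f"{addr:04X} written twice with different values")
            mem[addr] = value
    return mem

def contiguous_blocks(mem):
    """[(start, bytes)] for each run of consecutive addresses, lowest first."""
    blocks, start, run = [], None, bytearray()
    for addr in sorted(mem):
        if start is not None and addr == start + len(run):
            run.append(mem[addr])
        else:
            if start is not None:
                blocks.append((start, bytes(run)))
            start, run = addr, bytearray([mem[addr]])
    if start is not None:
        blocks.append((start, bytes(run)))
    return blocks

def tile_for(value):
    """(x, y) to stand on for one byte: x is the low nybble, y the high nybble."""
    return value & 0x0F, value >> 4

def walk_plan(data):
    """[(x, y, uses of 8F)]; a run of equal bytes is one tile used several times."""
    plan = []
    for value in data:
        x, y = tile_for(value)
        if plan and plan[-1][:2] == (x, y):
            plan[-1] = (x, y, plan[-1][2] + 1)
        else:
            plan.append((x, y, 1))
    return plan

POCKET_COMPUTER = """
@DA80: 07 F6 01 00 FE 01 18 1F FF 00 00 00 00 00 00 00 00 00 00 00 00 00 F6 F7 F8 F9 FA FB FC FD FE FF
       60 61 62 63 64 65 66 01 00 DA C5 0B 0B 16 12 21 AA C3 CD 4F DB 03 C5 01 0A 00 09 C1 15 20 F3 C1
       3E ED EA D3 C3 3E FF E0 B7 76 C5 CD 31 38 C1 F0 B5 FE 02 C8 FE 03 20 03 00 C5 C9 FE 40 20 01 0B
       FE 80 20 01 03 FE 20 20 06 21 F0 FF 09 44 4D FE 10 20 06 21 10 00 09 44 4D FE 24 20 06 21 00 FF
@DB00: 09 44 4D FE 14 20 06 21 00 01 09 44 4D 16 00 FE 88 20 02 16 FF FE 48 20 02 16 01 FE 28 20 02 16
       F0 FE 18 20 02 16 10 60 69 FE 44 20 08 F5 3A F5 2A 32 F1 77 F1 FE 84 20 0A F5 2A 18 00 F5 3A 22
       F1 77 F1 44 4D 7A A7 28 03 0A 82 02 C3 AA DA 3E 7C 22 3E 7F 22 78 CD 6A DB 79 1E 1F CD 6A DB 3E
       E3 22 0A CD 6A DB 3E 7C 22 C9 F5 CB 37 CD 71 DB F1 E5 26 DA E6 0F C6 96 6F 7E E1 22 C9
"""
TCG_PATCH = """
@DF00: 21 F8 DF 36 01 2E 11 0E 83 06 03 CD 8A 05 C3 83 FF 3E CA E0
@DF14-DF50: 00
@DF51: 21 83 FF 36 C3 23 36 00 23 36 DF C3 8D 01 21 00 C0 01 00 1F C3 E3 03 21 00 C0 01 00 1F C3 E3 03
@D53B: 3E 10 E0 FF 07 E0 00 76 00 3E 01 E0 FF 76 00 21 50 01 11 14 DF 06 3D CD B7 06 21 1F DF 36 68 23 72 C3 14 DF
@D322: C3 3B D5
"""

if __name__ == "__main__":
    mem = parse_dump(POCKET_COMPUTER)
    for start, end in ((0xDA80, 0xDB00), (0xDB00, 0xDB7D)):  # step 2, then step 3
        print(f"--- bytes {start:04X}-{end - 1:04X}")
        for x, y, uses in walk_plan(bytes(mem[a] for a in range(start, end))):
            print(f"stand at x={x:X} y={y:X}, use 8F {uses}x")
    for start, data in contiguous_blocks(parse_dump(TCG_PATCH)):
        print(f"memory editor: {start:04X}-{start + len(data) - 1:04X} ({len(data)} bytes)")
```

For the Pocket Computer data the parser reports a single 253-byte block at DA80-DB7C, and for the patch one 113-byte block at DF00-DF70 plus D53B-D55E and D322-D324: the DF14-DF50 fill is 0x3D bytes, the same count the D53B routine loads into b (06 3D) right after ld de,$DF14 (11 14 DF), so the hand-entered chunks and the fill line up exactly.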
  • Thread on Glitch City Laboratories forums

    YouTube video by PLASMA GER
