Arbitrary code execution in the Pokémon series
0x1500 control code arbitrary code execution (Crystal) | Cart-swap arbitrary code execution | Generation I custom map script pointer | Generation I invalid meta-map scripts | Generation I item ("8F", "ws m", "-g m", "5かい", "てへ" etc.) | Generation I move ("-", "TM42") | Generation I Trainer escape glitch text boxes | Generation II bad clone | Generation II Burned Tower Silver | Japanese Crystal Pokémon Communication Center SRAM glitches | Coin Case glitch | Generation II glitch Pokédex sortings | Pikachu off-screen glitch ACE | OAM DMA hijacking | Pikachu glitch emote | Generation III glitch Pokémon summary | Generation III glitch move animation) | Remote code execution | TM/HMs outside of the TM/HM pocket | ZZAZZ glitch Trainer FC
List of arbitrary code execution programs
More research is needed for this article.
Reason given: Document more effects of it. Can a Glitch Pokémon evolve if its sprite and name are "stable" enough? Are there many glitch cries available for Glitch Pokémon? List Glitch Type Sprites that could cause interesting effects. Study the causes and effects of the corruption of the PC Pokémon Selection in Fr/Lg. Test again the effect of Pokédex entries of Glitch Pokémon.
OAM DMA hijacking is a form of arbitrary code execution in Game Boy games, which allows for the player to execute code every frame.
This glitch works by hijacking the "OAM DMA" routine, the small piece of code in HRAM that the game runs every frame to copy sprite data to OAM; code placed in that routine therefore runs every frame too. [elaboration needed]
An easy way to perform OAM DMA hijacking in both Pokémon Red and Blue and Pokémon Gold and Silver is to write code into the HRAM region starting at FF80. Care must be taken, however, because this region is executed every frame, so a half-written routine would be run before it is complete. For this reason it is safe to first place a ret (0xC9) opcode at the beginning of the region, write the code after it, and only then replace the ret with a nop (0x00) byte. This exploit was documented by Crystal_.
Another exploit for Red and Blue involves making the following modifications to HRAM, as documented by luckytyphlosion:
At FF86, write "jr FFF9".
At FFF9, write "dec a".
At FFFA, write "jr nz, FFF9".
At FFFC, write "jp [region]", where [region] is the address of the code to be executed.
Note that this will disable moving the player character.
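As an added worked example (not code from the wiki, nor from Crystal_ or luckytyphlosion), the following Python assembles the HRAM bytes for both methods above, computing the relative jr displacements, and steps through them with a tiny interpreter that models only these opcodes. The target address D000 and the loop count 0x28 (the value the original DMA routine is assumed to load before its wait loop) are assumptions, not values from the page.

```python
# Added example, not from the wiki: assembles the HRAM patches described above
# and steps through them with a tiny interpreter covering only these opcodes.
# SM83 (Game Boy CPU) opcodes: nop 00, dec a 3D, jr e8 18, jr nz,e8 20, jp a16 C3, ret C9.
OP_NOP, OP_DEC_A, OP_JR, OP_JR_NZ, OP_JP, OP_RET = 0x00, 0x3D, 0x18, 0x20, 0xC3, 0xC9

def jr_offset(at: int, target: int) -> int:
    """Signed 8-bit displacement for a 2-byte jr located at `at`."""
    disp = target - (at + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"jr at {at:04X} cannot reach {target:04X}")
    return disp & 0xFF

def luckytyphlosion_patch(region: int) -> dict[int, int]:
    """HRAM writes (address -> byte) for the second method: move the DMA wait
    loop from FF86 to FFF9 and jump to `region` instead of returning."""
    chunks = {
        0xFF86: [OP_JR, jr_offset(0xFF86, 0xFFF9)],      # jr FFF9
        0xFFF9: [OP_DEC_A],                              # dec a
        0xFFFA: [OP_JR_NZ, jr_offset(0xFFFA, 0xFFF9)],   # jr nz, FFF9
        0xFFFC: [OP_JP, region & 0xFF, region >> 8],     # jp region (little-endian)
    }
    return {addr + i: b for addr, data in chunks.items() for i, b in enumerate(data)}

def staged_ff80_writes(code: bytes) -> list[tuple[int, int]]:
    """Write order for the FF80 method: ret first, body after it, nop last,
    so the region (executed every frame) just returns while half-written."""
    writes = [(0xFF80, OP_RET)] + [(0xFF81 + i, b) for i, b in enumerate(code)]
    return writes + [(0xFF80, OP_NOP)]

def trace(mem: dict[int, int], pc: int, a: int, max_steps: int = 500):
    """Returns ("jp", target, a) when control leaves via jp, ("ret", pc, a) on ret."""
    for _ in range(max_steps):
        op = mem.get(pc, OP_NOP)          # unwritten HRAM is treated as nop here
        if op == OP_NOP:
            pc += 1
        elif op == OP_DEC_A:
            a, pc = (a - 1) & 0xFF, pc + 1
        elif op in (OP_JR, OP_JR_NZ):
            disp = mem.get(pc + 1, 0)
            disp -= 0x100 if disp > 127 else 0
            pc += 2 + (disp if op == OP_JR or a != 0 else 0)
        elif op == OP_JP:
            return ("jp", mem[pc + 1] | (mem[pc + 2] << 8), a)
        elif op == OP_RET:
            return ("ret", pc, a)
        else:
            raise ValueError(f"opcode {op:02X} at {pc:04X} not modelled")
    raise RuntimeError("step limit reached")

# Constructed usage: region D000 as the code target, A = 0x28 as the loop count the
# original DMA routine is assumed to load before its wait loop (not stated on the wiki).
print(trace(luckytyphlosion_patch(0xD000), 0xFF86, 0x28))  # ('jp', 53248, 0)
```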
OAM DMA hijacking is useful as a form of 'real-time' arbitrary code execution, allowing the player to perform exploits such as walking through walls in Generation II or permanently writing a 0x50 sub-tile to the beginning of the screen data in Generation I.