Arbitrary code execution: Difference between revisions
Blueapple128 (talk | contribs)
Revision as of 09:29, 19 January 2016
Arbitrary code execution is an advanced glitch present in various Pokémon games that, when performed, allows the player to theoretically run any code they desire on the console.
Cause
Arbitrary code execution is fundamentally caused whenever faulty code of any kind happens to cause the processor's program counter to jump to a location in RAM whose value can be controlled by the player (as opposed to ordinary code locations, which are in ROM (read-only memory) and cannot be modified). From here, the player may be able to modify these controllable values, and the values after them, to spell out desirable or exploitable code.
Any number of glitch items, moves, etc. may potentially allow arbitrary code execution, as their effects are never intended by the developers and are thus faulty code by definition.
As the glitch literally enables the player to do anything the console's hardware is capable of, it has enormous potential and can be thought of as "jailbreaking" the console; extremely elaborate setups have been performed and documented where players have coded new graphics, music, or even entire new games onto the platform.
Methods
Before performing the initial step to jump the program counter to an exploitable place, it is common for most arbitrary code execution setups to first spell out code there that will jump to another location in memory that is particularly easy for the player to modify. Examples of such locations can include party data, Bag contents, Box names, and Pokémon nicknames. Once this has been done, the player may readily fill the latter memory area with arbitrary code for the console to execute, and then perform the initial jump (by using the glitch item, glitch move, etc.) which will cause the filled code to be run.
More advanced setups may jump the program counter to controller input, allowing a theoretically unlimited amount of code to be run on the fly without having to store it beforehand.
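The two-stage bootstrap described above, as an added illustration that is not from the page or from any real game: a toy CPU using a few genuine SM83 opcode encodings has its program counter diverted into RAM, where a player-controlled stub jumps on to a larger editable area holding the real payload. The memory map (PARTY_CNT, BOX_NAMES) and the payload are constructed for this example; the wx_check flag models an execute-from-ROM-only policy the Game Boy does not have, to show that executable RAM is the root cause.

```c
/* Toy model of the two-stage bootstrap: a small CPU using a few real SM83
 * opcode encodings is diverted into player-controlled RAM. The memory map
 * (PARTY_CNT, BOX_NAMES) is constructed for this example, not the games'. */
#include <stdint.h>
#include <string.h>

#define MEM_SIZE  0x10000
#define ROM_END   0x8000   /* 0x0000-0x7FFF is cartridge ROM on the Game Boy */
#define PARTY_CNT 0xD100   /* constructed: party-count byte, Bag bytes follow it */
#define BOX_NAMES 0xD800   /* constructed: large, easily edited area for stage 2 */

enum { OP_NOP = 0x00, OP_LD_A_N = 0x3E, OP_HALT = 0x76, OP_JP = 0xC3 };

typedef struct { uint8_t mem[MEM_SIZE]; uint16_t pc; uint8_t a; } cpu_t;

/* Fetch/execute loop. With wx_check set, fetching from RAM is refused (a
 * policy the real hardware lacks). Returns A at HALT, -1 if blocked, -2 on
 * an unimplemented opcode (i.e. a crash). */
static int run(cpu_t *c, int wx_check) {
    for (int steps = 0; steps < 1000; steps++) {
        if (wx_check && c->pc >= ROM_END) return -1;
        uint8_t op = c->mem[c->pc++];
        switch (op) {
        case OP_NOP:    break;
        case OP_LD_A_N: c->a = c->mem[c->pc++]; break;
        case OP_JP:     c->pc = c->mem[c->pc] | (c->mem[c->pc + 1] << 8); break;
        case OP_HALT:   return c->a;
        default:        return -2;
        }
    }
    return -2;
}

/* ROM holds the "faulty code" that jumps to PARTY_CNT. The player has set the
 * party count and Bag bytes so they decode as a jump to BOX_NAMES, where the
 * real payload (LD A,0x42 ; HALT) has been spelled out. */
int simulate(int wx_check) {
    static cpu_t c;
    memset(&c, 0, sizeof c);
    uint8_t faulty[] = { OP_JP, PARTY_CNT & 0xFF, PARTY_CNT >> 8 };
    uint8_t stage1[] = { OP_NOP, OP_JP, BOX_NAMES & 0xFF, BOX_NAMES >> 8 };
    uint8_t stage2[] = { OP_LD_A_N, 0x42, OP_HALT };
    memcpy(&c.mem[0x0000],    faulty, sizeof faulty);
    memcpy(&c.mem[PARTY_CNT], stage1, sizeof stage1);
    memcpy(&c.mem[BOX_NAMES], stage2, sizeof stage2);
    c.pc = 0x0000;
    return run(&c, wx_check);
}
```

With the check off, execution lands in RAM, follows the stub to the payload and halts with A = 0x42; with the check on, the very first fetch outside ROM is refused.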
Generation I
This section is incomplete. Please feel free to edit this section to add missing information and complete it. Reason: explain the "w sm" item for Yellow
The item 8F (Red and Blue) or 5かい (Red and Green) causes the program counter to jump to the RAM location that stores the number of Pokémon in the player's party. This value (as well as the values after it, such as the contents of the player's party and their Bag) is particularly easy to modify right off the bat, so this may be considered one of the easiest arbitrary code execution setups to perform once the item has been obtained.[1][2]
To have maximum possible control over the values in memory corresponding to the Bag, heavy use of the item duplication glitch is recommended.
The simplest currently known way to obtain the 8F item is through the item underflow glitch. A possible alternate method, though much more time consuming, involves the glitch Pokémon 94 and 94 h, whose invalid Pokédex number of #213 corrupts the fourth item in the player's Bag, increasing its index number by 16 upon encountering it (similar to how encountering any Pokémon with a Pokédex number of #000 increases the quantity of the sixth item by 128). This allows transforming a Good Rod into 8F.
Numerous other arbitrary code execution exploits exist in these games, such as situational use of the glitch move --.
Pokémon Gold and Silver
In English releases of Pokémon Gold and Silver, the Coin Case glitches are in fact a subset of arbitrary code execution glitches.
Most exploits revolve around eventually redirecting the program counter to the Box name data, which can be easily modified by the player to spell out code.
Pokémon Crystal
This section is incomplete. Please feel free to edit this section to add missing information and complete it. Reason: Look up explanation from PokemonSpeedruns.com; Pokemon Crystal any% category
A variant of the Celebi Egg glitch allows the player to control the held item in addition to the species of the Pokémon obtained; this can be manipulated to cause the held item to be a Key Item, something that is not normally possible.
Removing a held Key Item from its holder can allow duplicate copies of a Key Item to be stored in the Bag; these will appear as two separate, identical stacks. The two stacks must then be placed next to each other and a third normal Key Item placed below them. At this point, swapping the two identical stacks using the Select button, behavior unforeseen by the developers, will corrupt the second stack and either corrupt or destroy the third stack.[3] From here, a similar effect to the dry item underflow glitch in Generation I can be achieved, giving the player access to 255 items in the Key Items Pocket; the underflow effect can then be spread to other pockets via item swapping.
As with Generation I, precise out-of-bounds item manipulation can be used to either place a certain TM outside of the TM/HM Pocket, or corrupt the player's current Pokédex sort mode, depending on the language version of the game. Either way, attempting to use the TM in an invalid way or open the glitched Pokédex will execute faulty code and cause the game to jump to RAM, enabling arbitrary code execution.
Pokémon Emerald
Certain ?????????? glitch Pokémon are known to cause the program counter to jump to values in RAM (as opposed to ROM) when their summaries are viewed. The only currently known method to obtain these glitch Pokémon is through Glitzer Popping, a sub-glitch of the Pomeg glitch. Because this is difficult to perform, currently known applications of arbitrary code execution in this game are limited.
History/Other
References
This article is a stub. You can help Bulbapedia by expanding it.
This article is part of Project GlitchDex, a Bulbapedia project that aims to write comprehensive articles on glitches in the Pokémon games.