Arbitrary code execution: Difference between revisions

From Bulbapedia, the community-driven Pokémon encyclopedia.
(→{{game|Gold and Silver|s}}: Added a lot of detail.)
Line 34: Line 34:
==={{game|Gold and Silver|s}}===
==={{game|Gold and Silver|s}}===
{{Incomplete|section|needs=hugely more explanation, maybe transfer some stuff from one article into the other (either direction) or even merge the two articles together}}
{{Incomplete|section|needs=hugely more explanation, maybe transfer some stuff from one article into the other (either direction) or even merge the two articles together}}
In English releases of Pokémon Gold and Silver, the [[Coin Case glitches]] are in fact a subset of arbitrary code execution glitches.
In English releases of Pokémon Gold and Silver, the [[Coin Case glitches]] are in fact a subset of [[arbitrary code execution]] glitches. In the Japanese versions, the Coin Case executes code at a certain place (which tells the player how many coins they have) and terminates that with a hex:57 terminator. This causes the code to stop. However, in English releases that terminator is not valid and causes the code to jump to echo RAM at E112 and run code at that spot. The reason this was not caught in the testing of the game is because this section is typically made up of mostly 00, so nothing visible occurs. But if the player has listened to a certain cry, the address executes code that actually has a visible effect, such as 'which move?he PP of' or a glitch dimension. When the cry is of a [[p|Bellsprout]], [[p|Machop]], [[p|Machoke]], or [[p|Omanyte]], this effect makes the code jump again, to address EB12. This address can be modified by using specific [[party]] Pokémon, such as a level 23 [[p|Quagsire]] holding a [[HP Up]] with [[m|Sleep Talk]] as its first move in the fourth party slot, to send the code to the PC items. The Quagsire can be given a [[Protein]] instead to jump to the [[Box]] names. That data is then modified along with certain movement patterns to achieve an effect, such as obtaining [[p|Celebi]] or [[Five question marks#Hex_FF|????? (FF)]], going to [[Mt. Silver]] with no Pokémon (causing the player to win automatically), or coding an entire new game onto the console. This is usually done in [[Generation I]], however.
 
Most exploits revolve around eventually redirecting the program counter to the [[Box]] names, data which the player can easily modify to spell out code.


==={{game|Crystal}}===
==={{game|Crystal}}===
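Review bot: the new paragraph links [[arbitrary code execution]] from the arbitrary code execution article itself (a self-link), and the edit drops the earlier sentence "Most exploits revolve around eventually redirecting the program counter to the [[Box]] names, data which the player can easily modify to spell out code." Consider keeping that sentence, since the new text only names the Box names as a jump target without saying why they are useful, and the closing "This is usually done in Generation I, however." leaves it unclear which of the listed outcomes it refers to.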

Revision as of 19:39, 30 January 2016

This article is incomplete. Reason: needs loads of links to documented examples of exploits, images, much more explanation of what's going on, possible links to TASvideos, etc.

Arbitrary code execution is an advanced glitch present in various Pokémon games that, when performed, allows the player to theoretically run any code they desire on the console.

Cause

This section is incomplete. Reason: probably could be expanded with a thorough accessible explanation of what machine code is, what assembly language is, how it is possible to use the game's RAM to spell it, what a program counter/jump instruction/etc. is...

Arbitrary code execution is fundamentally caused whenever faulty code of any kind causes the processor's program counter to jump to a location in RAM whose contents the player can control (as opposed to ordinary code locations, which are in ROM (read-only memory) and cannot be modified). From there, the player may be able to modify that value and the values that follow it to spell out desirable or exploitable code.

Any number of glitch items, moves, etc. may potentially allow arbitrary code execution, as their effects are never intended by the developers and are thus faulty code by definition.

As the glitch literally enables the player to do anything the console's hardware is capable of, it has enormous potential and can be thought of as "jailbreaking" the console; extremely elaborate setups have been performed and documented where players have coded new graphics, music, or even entire new games onto the platform.

Methods

Before performing the initial jump of the program counter to an exploitable location, most arbitrary code execution setups first spell out code there that jumps to another location in memory that is particularly easy for the player to modify. Examples of such locations include party or PC data, Bag contents, Box names, and Pokémon nicknames. Once this has been done, the player can fill that second memory area with arbitrary code for the console to execute and then perform the initial jump (by using the glitch item, glitch move, etc.), which causes the filled-in code to run.

More advanced setups may jump the program counter to controller input, allowing a theoretically unlimited amount of code to be run on the fly without having to store it beforehand.

Generation I

The item 8F (Red and Blue) or 5かい (Red and Green) causes the program counter to jump to the RAM location that stores the number of Pokémon in the player's party. This value (as well as the values after it, such as the contents of the player's party and Bag) is particularly easy to modify right off the bat, and as such this may be considered one of the easiest arbitrary code execution setups to perform once the item has been obtained.[1][2]

To have maximum possible control over the values in memory corresponding to the Bag, heavy use of the item duplication glitch is recommended.

The simplest currently known way to obtain the 8F item is through the item underflow glitch. A possible alternate method, though much more time consuming, involves the glitch Pokémon 94 and 94 h, whose invalid Pokédex number of #213 corrupts the fourth item in the player's Bag, increasing its index number by 16 upon encountering it (similar to how encountering any Pokémon with a Pokédex number of #000 increases the quantity of the sixth item by 128). This allows transforming a Good Rod into 8F.

Numerous other arbitrary code execution exploits exist in these games, such as situational use of the glitch move --.

Pokémon Yellow

This section is incomplete. Reason: explain more about the "w sm" item for Yellow, such as how to obtain it and where it jumps.

Similar to 8F and 5かい, the glitch item "w sm" causes the program counter to jump to RAM upon use, enabling arbitrary code execution.

Additionally, a separate arbitrary code execution method exists that is exclusive to Yellow. It can be started by any event that causes the player's following Pikachu to stand off-screen (such as the singing Jigglypuff in Pewter City's Pokémon Center, the Clefairy in the Pokémon Fan Club, or a number of Glitch Cities). Walking while Pikachu is off-screen slowly corrupts memory belonging to the current map and to nearby areas in memory (such as the current save file's gameplay timer and Pikachu's happiness value)[3], as the game runs buggy code that attempts to keep track of Pikachu's off-screen position[citation needed]. It is possible to walk around in specific patterns to eventually create an arbitrary code execution setup (such as by placing a corrupted/glitched signpost on the map whose routine points to RAM rather than ROM[4]).

Pokémon Gold and Silver

This section is incomplete. Reason: hugely more explanation, maybe transfer some stuff from one article into the other (either direction) or even merge the two articles together.

In English releases of Pokémon Gold and Silver, the Coin Case glitches are in fact a subset of arbitrary code execution glitches. In the Japanese versions, the Coin Case executes code at a certain place (which tells the player how many coins they have) and ends it with a hex 57 terminator, which causes the code to stop. In English releases, however, that terminator is not valid and instead causes the code to jump to echo RAM at E112 and run whatever is at that spot. This was not caught in testing because that region is typically made up mostly of 00 bytes, so nothing visible occurs. But if the player has listened to a certain cry, the bytes at that address execute as code with a visible effect, such as the text 'which move?he PP of' or a glitch dimension. When the cry is that of a Bellsprout, Machop, Machoke, or Omanyte, this effect makes the code jump again, to address EB12. This address can be modified by using specific party Pokémon, such as a level 23 Quagsire holding an HP Up with Sleep Talk as its first move in the fourth party slot, to send the code to the PC items; the Quagsire can be given a Protein instead to jump to the Box names. That data is then modified, along with certain movement patterns, to achieve an effect such as obtaining Celebi or ????? (FF), going to Mt. Silver with no Pokémon (causing the player to win automatically), or coding an entire new game onto the console. This is usually done in Generation I, however.
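As an added illustration (not code from the games or from this article), the model below encodes the Game Boy memory map, cartridge ROM at $0000-$7FFF, work RAM at $C000-$DFFF and echo RAM at $E000-$FDFF mirroring $C000-$DDFF, and runs a tiny NOP/JP-only fetch loop that stops the moment the program counter would fetch from writable memory. It covers both the general condition from the Cause section and the jump into echo RAM described above (a jump to $E112 executes whatever sits at $C112, and a region full of 00 bytes is just a run of NOPs); the memory image and the two-opcode subset are constructed assumptions.

```python
"""Execute-from-writable-memory watchdog over a Game Boy-style memory map.
Constructed example: the opcode subset and sample image are not from any game."""

ROM_END = 0x7FFF                          # cartridge ROM $0000-$7FFF, read-only
ECHO_START, ECHO_END = 0xE000, 0xFDFF     # echo RAM mirrors $C000-$DDFF

OP_NOP, OP_JP = 0x00, 0xC3                # the only two opcodes this model knows


def resolve(addr):
    """Collapse an echo-RAM address onto the work-RAM byte it aliases."""
    if ECHO_START <= addr <= ECHO_END:
        return addr - 0x2000
    return addr


def is_writable(addr):
    """True when the address is not backed by cartridge ROM, i.e. its
    contents can be changed at run time (work RAM, echo RAM, VRAM, HRAM...)."""
    return resolve(addr) > ROM_END


def run(memory, pc, max_steps=64):
    """Fetch/execute NOP and JP until the PC leaves ROM.
    Returns (reason, pc, steps): 'ram' when the next fetch would come from
    writable memory, 'halt' on an opcode outside the subset, 'timeout' otherwise."""
    for steps in range(max_steps):
        if is_writable(pc):
            return "ram", pc, steps
        op = memory[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_JP:
            pc = memory[pc + 1] | (memory[pc + 2] << 8)   # little-endian target
        else:
            return "halt", pc, steps
    return "timeout", pc, max_steps


def build_sample():
    """Constructed 64 KiB image: ROM code at $0150 is NOP; JP $E112.
    Everything else is 00, so the echo-RAM target reads as a NOP sled."""
    mem = bytearray(0x10000)
    mem[0x0150:0x0154] = bytes([OP_NOP, OP_JP, 0x12, 0xE1])
    return mem


if __name__ == "__main__":
    print(run(build_sample(), 0x0150))       # ('ram', 57618, 2) -> PC reached $E112
```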

Pokémon Crystal

This section is incomplete. Reason: look up explanation from PokemonSpeedruns.com; Pokemon Crystal any% category.

A variant of the Celebi Egg glitch allows the player to control the held item in addition to the species of the Pokémon obtained; this can be manipulated to cause the held item to be a Key Item, something that is not normally possible.

Removing a held Key Item from its holder can allow duplicate copies of a Key Item to be stored in the Bag; these will appear as two separate, identical stacks. The two stacks must then be placed next to each other and a third normal Key Item placed below them. At this point, swapping the two identical stacks using the Select button will corrupt the second stack and either corrupt or destroy the third stack.[5] From here, as the number of stacks in the inventory has unexpectedly decreased, it is possible to achieve a similar effect to the dry item underflow glitch in Generation I, giving the player access to 255 items in the Key Items Pocket; the underflow effect can then be spread to other pockets via item swapping.

As with Generation I, precise out-of-bounds item manipulation can be used to either place a certain TM outside of the TM/HM Pocket, or corrupt the player's current Pokédex sort mode, depending on the language version of the game. Either way, attempting to use the TM in an invalid way or open the glitched Pokédex will execute faulty code and cause the game to jump to RAM, enabling arbitrary code execution.

Pokémon Emerald

Certain ?????????? glitch Pokémon are known to cause the program counter to jump to values in RAM (as opposed to ROM) when their summaries are viewed. The only currently known method to obtain these glitch Pokémon is through Glitzer Popping, a sub-glitch of the Pomeg glitch. Because this is difficult to perform, currently known applications of arbitrary code execution in this game are limited.

History/Other

This section is incomplete. Reason: discuss history of how ACE was discovered; iirc it was first done in Super Mario World with the Yoshi's Island 3 spinning platform stack overflow credits warp, and then the full extent of its arbitrariness demonstrated rather spectacularly in Pokémon Yellow; link to TASvideos; maybe even link to AGDQ demonstrations.






This article is part of Project GlitchDex, a Bulbapedia project that aims to write comprehensive articles on glitches in the Pokémon games.