Arbitrary code execution: Difference between revisions

no edit summary
(Word cruft)
No edit summary
Line 14: Line 14:


==Methods==
==Methods==
After discovering a glitch that causes the program counter to jump to RAM, it is often the case that the initial location jumped to is hard for the player to control (such as sound bank data). Thus, it is common for most arbitrary code execution setups to first spell out only a small amount of code there, forming another jump instruction that will lead to a second location in memory that is easy for the player to modify. Examples of such locations can include [[party]] or [[PC]] data, [[Bag]] contents, [[Box]] names, and Pokémon [[nickname]]s. Once this has been done, the player may readily fill the second memory area with arbitrary code for the console to execute, and then perform the initial jump (by using the glitch item, glitch move, etc.), which will perform the second jump to the filled code and cause it to be run.
After discovering a glitch that causes the program counter to jump to RAM, it is often the case that the initial location jumped to is hard for the player to control (such as sound bank data). Thus, it is common for most arbitrary code execution setups to first spell out only a small amount of code there, forming another jump instruction that will lead to a second location in memory that is easy for the player to modify. Examples of such locations can include [[party]] or [[PC]] data, [[Bag]] contents, [[Pokémon Storage System|Box]] names, and Pokémon [[nickname]]s. Once this has been done, the player may readily fill the second memory area with arbitrary code for the console to execute, and then perform the initial jump (by using the glitch item, glitch move, etc.), which will perform the second jump to the filled code and cause it to be run.


For more complex exploits, the above "two-stage" jump setup may not be enough as the game will eventually run out of space in the easily modifiable second location (the Bag/Box/etc.) to continue spelling out code. It is possible to extend the setup to three stages by writing code in the second location whose effect is to write more code to a third location that contains more space but is hard for the player to modify directly<!-- such as what? couldn't find a direct example; does someone with more experience know what location is being written to in the linked video? -->. Once enough code has been written to the third location, the player may substitute the second location's code for code that jumps to the third location, then perform the glitch which will execute three jumps and run the desired code.<ref>https://www.youtube.com/watch?v=D3EvpRHL_vk</ref><!-- This multi-stage setup is specifically *NOT* TAS-exclusive; in fact it's the most viable substitute for jumping to controller input when the goal is to show off a demonstration unassisted rather than speed. -->
For more complex exploits, the above "two-stage" jump setup may not be enough as the game will eventually run out of space in the easily modifiable second location (the Bag/Box/etc.) to continue spelling out code. It is possible to extend the setup to three stages by writing code in the second location whose effect is to write more code to a third location that contains more space but is hard for the player to modify directly<!-- such as what? couldn't find a direct example; does someone with more experience know what location is being written to in the linked video? -->. Once enough code has been written to the third location, the player may substitute the second location's code for code that jumps to the third location, then perform the glitch which will execute three jumps and run the desired code.<ref>https://www.youtube.com/watch?v=D3EvpRHL_vk</ref><!-- This multi-stage setup is specifically *NOT* TAS-exclusive; in fact it's the most viable substitute for jumping to controller input when the goal is to show off a demonstration unassisted rather than speed. -->
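Review bot: the third memory location in the three-stage setup is still unnamed in the new revision; the hidden editor comment asking "such as what?" is carried over unchanged, so the sentence "a third location that contains more space but is hard for the player to modify directly" remains without an example. Either name the location used in the cited video or drop the hidden comment once it has been checked, rather than leaving the open question in the page source across revisions.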
Line 29: Line 29:
The current simplest known way to obtain the 8F item is through the [[item underflow]] glitch. A possible alternate method, though much more time-consuming, involves the glitch Pokémon [[94]] and [[94 h]] whose invalid Pokédex number of #213 corrupts the fourth item in the player's Bag, increasing its index number by 16 upon encountering it (similar to how encountering any Pokémon with a Pokédex number of #000 [[item duplication glitch|increases]] the quantity of the sixth item by 128). This allows transforming a [[Good Rod]] into 8F. An even older method which uses the heavy corruption effects of [[Super Glitch]] also exists.
The current simplest known way to obtain the 8F item is through the [[item underflow]] glitch. A possible alternate method, though much more time-consuming, involves the glitch Pokémon [[94]] and [[94 h]] whose invalid Pokédex number of #213 corrupts the fourth item in the player's Bag, increasing its index number by 16 upon encountering it (similar to how encountering any Pokémon with a Pokédex number of #000 [[item duplication glitch|increases]] the quantity of the sixth item by 128). This allows transforming a [[Good Rod]] into 8F. An even older method which uses the heavy corruption effects of [[Super Glitch]] also exists.


Outside of 8F and 5かい, numerous other arbitrary code execution exploits also exist in these games, such as situational use of the glitch move [[--_(move)|--]] or turning [[Pallet Town]] into [[Twinleaf Town]]<!-- link to TASvideos submission exploiting this-->.
Outside of 8F and 5かい, numerous other arbitrary code execution exploits also exist in these games, such as situational use of the glitch move {{m|--}} or turning [[Pallet Town]] into [[Twinleaf Town]]<!-- link to TASvideos submission exploiting this-->.


===={{game|Yellow}}====
===={{game|Yellow}}====
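Review bot: the Twinleaf Town sentence still has no reference; the placeholder "<!-- link to TASvideos submission exploiting this-->" is copied over unchanged while the 8F paragraph above it does cite its sources. Since this hunk only swaps the move link to {{m|--}}, consider adding the <ref> for the TASvideos submission in the same edit instead of leaving the placeholder comment in place.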
Line 40: Line 40:
In English releases of Pokémon Gold and Silver, the [[Coin Case glitches]] are a subset of arbitrary code execution glitches.
In English releases of Pokémon Gold and Silver, the [[Coin Case glitches]] are a subset of arbitrary code execution glitches.


In the Japanese versions, the Coin Case executes code at a certain place (which tells the player how many coins they have) and terminates that with a hex:57 terminator. This causes the code to stop. However, in English releases that terminator is not valid and causes the code to jump to echo RAM at E112 and run code at that spot. The reason this was not caught in the testing of the game is because this section is typically made up of mostly 00, so nothing visible occurs. But if the player has listened to a certain cry, the address executes code that actually has a visible effect, such as 'which move?he PP of' or a glitch dimension. When the cry is of a {{p|Bellsprout}}, {{p|Machop}}, {{p|Machoke}}, or {{p|Omanyte}}, this effect makes the code jump again, to address EB12. This address can be modified by using specific [[party]] Pokémon, such as a level 23 {{p|Quagsire}} holding a {{DL|Vitamin|HP Up}} with {{m|Sleep Talk}} as its first move in the fourth party slot, to send the code to the PC items. The Quagsire can be given a {{DL|Vitamin|Protein}} instead to jump to the [[Box]] names. That data is then modified along with certain movement patterns to achieve an effect, such as obtaining {{p|Celebi}} or [[Five question marks#Hex FF|????? (FF)]], going to [[Mt. Silver]] with no Pokémon (causing the player to win automatically), or coding an entire new game onto the console.
In the Japanese versions, the Coin Case executes code at a certain place (which tells the player how many coins they have) and terminates that with a hex:57 terminator. This causes the code to stop. However, in English releases that terminator is not valid and causes the code to jump to echo RAM at E112 and run code at that spot. The reason this was not caught in the testing of the game is because this section is typically made up of mostly 00, so nothing visible occurs. But if the player has listened to a certain cry, the address executes code that actually has a visible effect, such as 'which move?he PP of' or a glitch dimension. When the cry is of a {{p|Bellsprout}}, {{p|Machop}}, {{p|Machoke}}, or {{p|Omanyte}}, this effect makes the code jump again, to address EB12. This address can be modified by using specific [[party]] Pokémon, such as a level 23 {{p|Quagsire}} holding an [[HP Up]] with {{m|Sleep Talk}} as its first move in the fourth party slot, to send the code to the PC items. The Quagsire can be given a [[Protein]] instead to jump to the [[Pokémon Storage System|Box]] names. That data is then modified along with certain movement patterns to achieve an effect, such as obtaining {{p|Celebi}} or [[Five question marks#Hex FF|????? (FF)]], going to [[Mt. Silver]] with no Pokémon (causing the player to win automatically), or coding an entire new game onto the console.


==={{game|Crystal}}===
==={{game|Crystal}}===
{{Incomplete|section|needs=Look up more detailed explanation from PokemonSpeedruns.com, Pokemon Crystal any% category}}
{{Incomplete|section|needs=Look up more detailed explanation from PokemonSpeedruns.com, Pokemon Crystal any% category}}


A variant of the [[Celebi Egg glitch]] allows the player to control the [[held item]] in addition to the [[species]] of the Pokémon obtained. This can be manipulated to cause the held item to be a [[Key Item]], something that is not normally possible.
A variant of the [[Celebi Egg glitch]] allows the player to control the [[held item]] in addition to the {{OBP|Pokémon|species|species}} of the Pokémon obtained. This can be manipulated to cause the held item to be a [[Key Item]], something that is not normally possible.


Removing a held Key Item from its holder while another copy of the item is already in the [[Bag]] will cause the duplicate copies to appear as two separate, identical stacks. The two stacks must then be placed next to each other and a third normal Key Item placed below them. At this point, swapping the two identical stacks (with the Select button), behavior unaccounted for by the developers, will corrupt the second stack and either corrupt or destroy the third stack.<ref>https://www.youtube.com/watch?v=FZrFMi6B0jQ</ref> From here, as the number of stacks in the inventory has now unexpectedly decreased, it is possible to achieve a similar effect to the dry [[item underflow]] glitch in [[Generation I]], giving the player access to 255 items in the Key Items Pocket; the underflow effect can then be spread to other pockets via item swapping.
Removing a held Key Item from its holder while another copy of the item is already in the [[Bag]] will cause the duplicate copies to appear as two separate, identical stacks. The two stacks must then be placed next to each other and a third normal Key Item placed below them. At this point, swapping the two identical stacks (with the Select button), behavior unaccounted for by the developers, will corrupt the second stack and either corrupt or destroy the third stack.<ref>https://www.youtube.com/watch?v=FZrFMi6B0jQ</ref> From here, as the number of stacks in the inventory has now unexpectedly decreased, it is possible to achieve a similar effect to the dry [[item underflow]] glitch in [[Generation I]], giving the player access to 255 items in the Key Items Pocket; the underflow effect can then be spread to other pockets via item swapping.
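Review bot: hexadecimal notation is inconsistent within the Gold/Silver paragraph: the terminator is written "hex:57" while the jump targets appear as bare "E112" and "EB12". This hunk only swaps link targets ({{DL|Vitamin|HP Up}} to [[HP Up]], {{DL|Vitamin|Protein}} to [[Protein]], [[Box]] to the Pokémon Storage System link, [[species]] to the {{OBP}} form) and leaves that text as-is; one convention for addresses and byte values would make the echo RAM and jump targets easier to read. The Crystal section also still carries the {{Incomplete}} template requesting the PokemonSpeedruns.com explanation, which this revision does not address.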