Evie (ChickasaurusGL) 🌺 | Arbitrary code execution with Trainer 0xFF (0x37) (Generation I /JP Blue) (ポケモン青のトレーナーFF任意のコード実行 ) @ChickasaurusGL | Uploaded August 2022 | Updated October 2024, 9 hours ago.
Before you try this, some required preparations are in the description.
At present, this glitch is difficult to set up; the stat experiences for the preparations were set up in advance using a memory editor. This glitch also uses the ZZAZZ glitch (ハハバグ) from Trainer 0xFF (0x37), so be warned without a proper name, your name will be unterminated and saving the game will destroy it (as in the video).
Description:
Trainer class FF/255 (effective Trainer class 55) will run arbitrary code execution at D5E5h after switching Pokémon (this address is beyond the range of the stored PC items). The cause is possibly due to an invalid Trainer AI. According to TheZZAZZGlitch, Trainers have two sets of AI; the move modification AI which is intended to control the choice of moves, and another that controls behavior every turn.
This arbitrary code execution also applies to Red/Green/Pikachu (Yellow) and the English Red, Yellow (same pointer D5E5), but the rest of the steps for set up may differ, especially for the English versions.
When you elapse a turn with Trainer FF (255/effective class 55), you'll then need to then bootstrap arbitrary code execution from D5E5, to elsewhere such as your PC items slot 1 (D4BA). Sometimes throwing a Ball won't work; you have to switch Pokémon.
In order for D5E5 to read jp D4BA, a Select glitch (with cursor position 28 and Pokémon) is used to write to D5E5.
Next, the following items at PC items slot 1 are used to run the Hall of Fame (thanks Wack0 for the original code):
Awakening x 22
Carbos x126
X Accuracy x 41
X Attack x 64
TM05 x 54
Max Revive x201
ld c,$16
ld h,$7e
ld l,$29
ld b,c
ld b,b
call $3636
ret
Then, we use the Trainer mutation glitch (cursor position 20 with Pokémon) to battle Trainer FF by altering an existing Trainer on the route. Note this may corrupt your inventory items, which is why we used PC items.
Preparations and steps:
In order to earn stat experience (EVs), you'll need to battle the right Pokémon (to gain its base stats as your stat experience) and then you'll need to apply specific EVs to two Pokémon:
bulbapedia.bulbagarden.net/wiki/List_of_Pok%C3%A9mon_by_base_stats_(Generation_I)
1. Pokémon 2's Defense stat experience must be 255 (or the same modulo 256, so 511, 767, 1023, etc also work) (preferably max out all its stat experience) (its Defense stat exp address is D16D)
2. Pokémon 3's Defense stat experience must be 195 (or the same modulo 256, 451, 707, 963, etc also work) (C3/jp) (its Defense stat exp address is D199)
3. Pokémon 3's Speed stat experience must equal exactly 47828 (BAD4) (its Speed stat exp addresses are D16E-D16F)
4. You'll need the expanded inventory. See https://glitchcity.wiki/Walk_through_walls_glitch_(Select_glitch_method) (there is a bug with the YouTube links, so you'll have to add the right bracket back to the URL)
5. The left-most Hiker on Route 10 should not be beaten.
Step 1. Start at Lavender Town and perform Select glitch 28 with Pokémon 3 (the Charizard/Lizardon in this video), using the Name Rater.
Step 2. Walk up to Route 10. Perform the Select glitch 20 with Pokémon 2 via facing a Trainer, but not the left-most Hiker. (Pokémon 2 is Electrode/マルマイン in this video).
Step 3. Face the left-most Hiker. They will become glitch Trainer class 255 (55). Then switch Pokémon to run your script at PC items slot 1 (we previously bootstrapped what the code to do (jump to PC items slot 1) with the Pokémon in the second and third preparation). The script above is to run the Hall of Fame.
Instead off using the Trainer mutation glitch, you could possibly use another glitch such as the Trainer-escape glitch with a Special of 255 instead.
Japanese description coming soon.
Before you try this, some required preparations are in the description.
At present, this glitch is difficult to set up; the stat experiences for the preparations were set up in advance using a memory editor. This glitch also uses the ZZAZZ glitch (ハハバグ) from Trainer 0xFF (0x37), so be warned without a proper name, your name will be unterminated and saving the game will destroy it (as in the video).
Description:
Trainer class FF/255 (effective Trainer class 55) will run arbitrary code execution at D5E5h after switching Pokémon (this address is beyond the range of the stored PC items). The cause is possibly due to an invalid Trainer AI. According to TheZZAZZGlitch, Trainers have two sets of AI; the move modification AI which is intended to control the choice of moves, and another that controls behavior every turn.
This arbitrary code execution also applies to Red/Green/Pikachu (Yellow) and the English Red, Yellow (same pointer D5E5), but the rest of the steps for set up may differ, especially for the English versions.
When you elapse a turn with Trainer FF (255/effective class 55), you'll then need to then bootstrap arbitrary code execution from D5E5, to elsewhere such as your PC items slot 1 (D4BA). Sometimes throwing a Ball won't work; you have to switch Pokémon.
In order for D5E5 to read jp D4BA, a Select glitch (with cursor position 28 and Pokémon) is used to write to D5E5.
Next, the following items at PC items slot 1 are used to run the Hall of Fame (thanks Wack0 for the original code):
Awakening x 22
Carbos x126
X Accuracy x 41
X Attack x 64
TM05 x 54
Max Revive x201
ld c,$16
ld h,$7e
ld l,$29
ld b,c
ld b,b
call $3636
ret
Then, we use the Trainer mutation glitch (cursor position 20 with Pokémon) to battle Trainer FF by altering an existing Trainer on the route. Note this may corrupt your inventory items, which is why we used PC items.
Preparations and steps:
In order to earn stat experience (EVs), you'll need to battle the right Pokémon (to gain its base stats as your stat experience) and then you'll need to apply specific EVs to two Pokémon:
bulbapedia.bulbagarden.net/wiki/List_of_Pok%C3%A9mon_by_base_stats_(Generation_I)
1. Pokémon 2's Defense stat experience must be 255 (or the same modulo 256, so 511, 767, 1023, etc also work) (preferably max out all its stat experience) (its Defense stat exp address is D16D)
2. Pokémon 3's Defense stat experience must be 195 (or the same modulo 256, 451, 707, 963, etc also work) (C3/jp) (its Defense stat exp address is D199)
3. Pokémon 3's Speed stat experience must equal exactly 47828 (BAD4) (its Speed stat exp addresses are D16E-D16F)
4. You'll need the expanded inventory. See https://glitchcity.wiki/Walk_through_walls_glitch_(Select_glitch_method) (there is a bug with the YouTube links, so you'll have to add the right bracket back to the URL)
5. The left-most Hiker on Route 10 should not be beaten.
Step 1. Start at Lavender Town and perform Select glitch 28 with Pokémon 3 (the Charizard/Lizardon in this video), using the Name Rater.
Step 2. Walk up to Route 10. Perform the Select glitch 20 with Pokémon 2 via facing a Trainer, but not the left-most Hiker. (Pokémon 2 is Electrode/マルマイン in this video).
Step 3. Face the left-most Hiker. They will become glitch Trainer class 255 (55). Then switch Pokémon to run your script at PC items slot 1 (we previously bootstrapped what the code to do (jump to PC items slot 1) with the Pokémon in the second and third preparation). The script above is to run the Hall of Fame.
Instead off using the Trainer mutation glitch, you could possibly use another glitch such as the Trainer-escape glitch with a Special of 255 instead.
Japanese description coming soon.
