Repro Alert

Celebrity Style and Outfits
Pokemon Emerald: Arbitrary code execution – warping to the Hall of Fame

Pokemon Emerald: Arbitrary code execution – warping to the Hall of Fame


The method of executing the code is the same as in my previous video. Watch it if you haven’t already. The method of executing the code is the same as in my previous video. Watch it if you haven’t already.

This trick is TAS-only. To perform it, the checksum of the save file has to be known before saving, and that can only be achieved with savestates and luck manipulation. This trick is TAS-only. To perform it, the checksum of the save file has to be known before saving, and that can only be achieved with savestates and luck manipulation. This trick is TAS-only. To perform it, the checksum of the save file has to be known before saving, and that can only be achieved with savestates and luck manipulation.

The exploit works by replacing the map identifier stored in the save data, forcing the game to teleport me into the Hall of Fame upon reloading. The exploit works by replacing the map identifier stored in the save data, forcing the game to teleport me into the Hall of Fame upon reloading. The exploit works by replacing the map identifier stored in the save data, forcing the game to teleport me into the Hall of Fame upon reloading.

Of course Gen III savefiles are guarded by checksums, and there’s not enough space to recalculate them automatically. Thus the user must input the valid checksum by hand, encoded in Pokemon nicknames. Of course Gen III savefiles are guarded by checksums, and there’s not enough space to recalculate them automatically. Thus the user must input the valid checksum by hand, encoded in Pokemon nicknames. Of course Gen III savefiles are guarded by checksums, and there’s not enough space to recalculate them automatically. Thus the user must input the valid checksum by hand, encoded in Pokemon nicknames.

The checksum I needed was $EAB6, so I had to name my 17th and 18th Pokemon ‘♀RBnuE v’ and ‘vFBnuE v’ respectively. The ‘♀’ symbol has character code $EA, ‘v’ letter has code $B6. The checksum I needed was $EAB6, so I had to name my 17th and 18th Pokemon ‘♀RBnuE v’ and ‘vFBnuE v’ respectively. The ‘♀’ symbol has character code $EA, ‘v’ letter has code $B6. As always, I have my code stored backwards, starting in box 3. Every Pokemon is one opcode. The ‘ F…okk k’ guy causes the CPU to stop executing code, it’s here so garbage won’t be executed after my code finishes running. Saving enough times to force the data into required positions. Cover your ears! Apparently, my ?????????? is a Relicanth. “Pokémon League champions are honored for their exploits here!”

51 comments on “Pokemon Emerald: Arbitrary code execution – warping to the Hall of Fame

  1. Would the code be shorter if it makes the game jump to the input register so you can achieve more freedom with the coding?

  2. I'm curious, what is the address $E118FF4 for? I didn't see it mentioned in the previous ACE video. I notice that $E003004 didn't seem to be the right value without $E118FF4 being $06 (though I didn't do repeated saves until it became $06 to test if that made it the correct value).

  3. Can you also walk through what the code does for anyone unfamiliar with GBA assembly, please, if it's not too much trouble?

    I want to know what the index number for the Hall of Fame room is, and if this code writes the whole value or does an addition to the Pokémon Center map value, or whatever.

  4. This is all kinds of awesome.  Have you considered submitting it to TASVideos as a glitched speedrun?  I'm pretty sure this counts, and it doesn't look like they even have one on record for emerald yet.  I don't know how much gameplay it takes to get to a point where you can do this though?

  5. Could you write arbitrary code to corrupt the bit in which it turns on and off the flag to fly to Ever Grande?

  6. GG bro! Does it requires a glitched save or you can do it on a normal run? (I mean you can do it without downloading the save)

  7. What did you use to know what were the effects of  viewing a Glitch Pokemon Summary (game executing data at a certain adress) ?
    And are there Glitch Pokemon / Glitch Moves that force the game to execute data at other adresses ?
    As seeing the effects of Glitch Moves, I suspect som of them to have the same effects as Glitch Pokemon.
    Thus, would it be possible to force the game executing data from PC Items ? as we can fully (and easily) manipulate the quantities and identifiants with Pomeg Glitch.

    Also, the 4th and 8th letters of a Pokemon nickname can be corrupted (value xor 0x40 or Bits 0 & 2 (0x05) set to 1), so this could give you more values to use for your code.

  8. Can this technique be used to create or modify Pokemon? If so, could those pokes pass the "hacked" check when transferring up through generations?  

  9. I'm not really familiar with assembly and at that only x86, but wouldn't it be possible to jump to the game's save function so that the checksum is recalculated automatically and thus making this a non TAS-only run?

  10. I love how Nurse Joy just followed along. She was just curious about what a little girl was doing in the void.

Leave a Reply

Your email address will not be published. Required fields are marked *