Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 2

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sanqui
Date: 2014-01-10 11:29:15
> Remember a ret pops whatever's on the top of the stack into pc.
> So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.

I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e. You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Stackout
Date: 2014-01-10 14:14:45

>> Remember a ret pops whatever's on the top of the stack into pc.
>> So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.
>
> I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e. You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.

Ah.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Ketsuban
Date: 2014-01-14 17:34:49

> Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha
>
> I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.
>
> Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Video is private :(

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-01-15 06:11:09


>> Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha
>>
>> I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.
>>
>> Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?
>
> Video is private :(

I think that was TheZZAZZGlitch's first TAS. You can still download the VBM file on the TASVideos submission page.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-04-26 16:55:00

I've found out how you can change TheZZAZZGlitch's alternative Celebi glitch to get ????? (FF) without the bad clone glitch so you can do the Johto guard glitch and other stuff!

It's actually a rather simple change. To understand it, use the old code and set a breakpoint for when the Game Boy jumps to D61A (item storage system item 2 quantity). Press F3 (or Fn+F3) multiple times, and then, when the Game Boy jumps to WRA1:D626 (inc b), bc=FAF9; at the next instruction [ld (hl),b] it's FB, Celebi's index number.

Basically, 'inc b' increments (increases 'b' by one), and in the items list there are two inc bs (Great Ball x4). All you need to do is have two more stacks of Great Ball x4 below it. That's 2x2 more addresses, and FB+4=FF.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Pirat3
Date: 2014-05-10 07:43:47
Hey everyone,

how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon? Watching the video clips that shows how you get Celebi, I noticed that Celebi inherited the moves of Togepi. This would allow you to create some interesting move setups, as Pokémon could "learn" moves which they normally wouldn't.
While I'm familiar with arbitrary coding, I do not know which instructions are triggered by your stored items. If anyone seasoned could help me out I would appreciate it.
Also, while googling I noticed that there was a piece of code available (http://tasvideos.org/4126S.html=) that allowed your character to warp to Mount Silver. If I wanted to warp the character to Viridian City instead, how would the code have to be modified?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: camper
Date: 2014-05-10 08:31:31

> Hey everyone,
>
> how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon?

Change HM07 to whatever index you need - 2, I think.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Crystal_
Date: 2014-06-26 13:46:42
My take on coin case arbitrary code execution: since obtaining Celebi is obviously taken, I decided to think of something else that could be interesting, and that is… making any Pokemon shiny! It basically consists of changing the DVs of the first party Pokemon to 14/10/10/10, so that the Pokemon becomes shiny.

The way to perform this trick is similar to the method to obtain Celebi (including the Quagsire jump) but the item list is obviously different:


I means Item and Q means Quantity. The number indicates the position where the item must be at. 

-------------------------- I1 = Q1 = I2 = ANY
ld a,EA ----- 3E EA ------ Q2 = 62 | I3 = TM42 (Dream Eater)
ld bc,XXXX -- 01 XX XX --- Q3 = 01 | I4 = Q4 = ANY
ld hl,DA3F -- 21 3F DA --- I5 = X Accuracy | Q5 = 63 | I6 = TM27 (Return)
ld bc,XXXX -- 01 XX XX --- Q6 = 01 | I7 = Q7 = ANY
ldi (hl),a -- 22 --------- I8 = Leaf Stone 
ld bc,XXXX -- 01 XX XX --- Q8 = 01 | I9 = Q9 = ANY
dec b ------- 05 --------- I10 = Pokeball
ld a,A9 ----- 3E A9 ------ Q10 = 62 | I11 = Sun Stone
ld bc,XXXX -- 01 XX XX --- Q11 = 01 | I12 = Q12 = ANY 
add a,1 ----- C6 01 ------ I13 = TM07 | Q13 = 01
ld (hl),a --- 77 --------- I14 = Focus Band
ld bc,F5XX -- 01 F5 XX --- Q14 = 01 | I15 = HM03 (Surf) | Q15 = ANY (01)
ld h,12 ----- 26 12 ------ I16 = Full Heal | Q16 = 18
ld l,b ------ 69 --------- I17 = Stick
ld bc,0133 -- 01 33 01 --- Q17 = Q18 = 01 | I18 = X Defend
inc b ------- 04 --------- I19 = Great Ball
inc sp ------ 33 --------- Q19 = 51
push bc ----- C5 --------- I20 = TM06 (Toxic)
ld bc,XXXX -- 01 XX XX --- Q20 = 01 | I21 = Q21 = ANY
jp (hl) ----- E9 --------- I22 = TM41 (ThunderPunch) | Q22 = ANY (01)


See this video for more information: https://www.youtube.com/watch?v=NADKp7PI2XY

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-06-26 14:26:40
That's really cool, thanks Crystal_. I recognize the EA (TM42) means 14 Attack/10 Defense, but to make your trick slightly better, couldn't you change it to FA (TM50) to get 15 Attack DVs/10 Defense, or am I missing something?

Edit: Oops, FA is the glitch item HM08 in Generation II, my bad.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Crystal_
Date: 2014-06-26 14:40:28
Yep, you called it. I guess I could've tried to fit ld a,F9 and inc a, but inc a as an item becomes Silver Leaf, so it's not easy. I just didn't think it was worth the extra effort and extra items. If you wanted better DVs for some reason, you'd probably be looking for FF FF anyway.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Crystal_
Date: 2014-06-28 09:49:59
So it seems I got addicted to writing asm with pokemon items… Whatever.

Anyway, this time I will present the asm and corresponding item list required to make the first party Pokemon have perfect DVs and EVs and instantly reach level 100 (actually, level 98/99 + 2x/1x rare candy) via the coin case glitch. The only other notable difference is that it requires a Quagsire with Protein (instead of with HP Up).

------------------------------- I1 = Q1 = I2 = Q2 = ANY
ld de,020E ---- 11 0E 02 ------ I3 = Super Potion | Q3 = 14 | I4 = Ultra Ball
ld a,(de) ----- 1A ------------ Q4 = 26
ld hl,DA35 ---- 21 35 DA ------ I5 = X Accuracy | Q5 = 53 | I6 = TM27
ld bc,XX0C ---- 01 0C XX ------ Q6 = 01 | I7 = Awakening | Q7 = ANY
inc de -------- 13 ------------ I8 = Escape Rope
ldi (hl),a ---- 22 ------------ Q8 = 34
inc d --------- 14 ------------ I9 = Repel
inc d --------- 14 ------------ Q9 = 20
dec c --------- 0D ------------ I10 = Paralyz Heal
jr nz,F9 ------ 20 F9 --------- Q10 = 32 | I11 = HM07
ld bc,XXXX ---- 01 XX XX ------ Q11 = 01 | I12 = Q12 = ANY
ld l,49 ------- 2E 49 --------- I13 = Fresh Water | Q13 = 73
ld c,31 ------- 0E 31 --------- I14 = Full Restore | Q14 = 49
rlc c --------- CB 01 --------- I15 = TM12 (Sweet Scent) | Q15 = 01
ld (hl),c ----- 71 ------------ I16 = Spell Tag
ld bc,XXF5 ---- 01 F5 XX ------ Q16 = 01 | I17 = HM03 | Q17 = ANY (01)
ld h,12 ------- 26 12 --------- I18 = Full Heal | Q18 = 18
ld e,c -------- 59 ------------ I19 = Blu Apricorn
ld bc,XXXX ---- 01 XX XX ------ Q19 = 01 | I20 = Q20 = ANY
ld l,e -------- 6B ------------ I21 = NeverMeltIce
ld bc,0133 ---- 01 33 01 ------ Q21 = 01 | I22 = X Defend | Q22 = 01
inc b --------- 04 ------------ I23 = Great Ball
inc sp -------- 33 ------------ Q23 = 51
push bc ------- C5 ------------ I24 = TM06
ld bc,XXXX ---- 01 XX XX ------ Q24 = 01 | I25 = Q25 = ANY
jp hl --------- E9 ------------ I26 = TM41 | Q26 = ANY


Video here (contains very detailed information in the description): https://www.youtube.com/watch?v=JEOOCpNTx88

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sanqui
Date: 2014-06-29 04:26:54
Check out Shenanagans' Pokémon Gold run at SGDQ, using the power of the coin case to beat the game in 40 minutes: https://www.youtube.com/watch?v=XaSg_mWVOUM

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-08-01 17:22:25
Here is code to activate the Pokémon color test menu with TheZZAZZGlitch's Celebi trick Pokémon set up; which is a freshly caught Pokémon in position 3 of the party, and a Quagsire holding a HP Up with Sleep Talk as its first move in the fourth position. Thanks to Tauwasser for the bank switch method, and this Skeetendo thread:

Youtube video.

Save states for Pokémon color test and Trainer color test (these may not work on all versions of VBA. I used vba-v24m-svn-r422).

inc b
ld a, 3F
inc b
ld hl, 52C9
rst $08 (CF)

04 3E 3F 04 21 C9 52 CF

In stored PC items starting from item 2, this is:

(ANYTHING)x 4
PP Up x63
Great Ball x33
TM10 x82

I'll try to make a new version of this code to enable the Trainer color menu tomorrow.

Edit: Here is Trainer color menu code.

inc b (04)
ld a, $3F (3E 3F)
inc b (04)
ld h, $CE (26 CE)
ld l, $ED (2E ED)
ld (hli), a (22)
dec b (05)
ld hl, 52C9 (21 C9 52)
rst $08 (CF)

04 3e 3f 04 26 ce 2e ed 22 05 21 c9 52 cf

In stored PC items from item 2, this is:
(ANYTHING)x4
PP Up x63
Great Ball x38
TM15 x46
TM45 x34
Poké Ball x33
TM10 x82
TM16 x(ANYTHING)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-08-03 11:33:53
Code to activate the unused memory (card matching) game, same Pokémon set-up as above:

Youtube video

Save state for being in the game.

Code:
inc b
ld a,38
ld hl, 6663
inc l
inc l
inc l
inc l
inc l
rst 08

(04 3e 38 21 63 66 2c 2c 2c 2c 2c cf)

The reason for the many 'inc l's is that without them I would have required an item quantity of 104, while the normal limit is 99. The code is to make the game call 38:6668.

Items required from stored item 2:
(ANYTHING) x4
PP Up x56
X Accuracy x99
Blackglasses x44
Dire Hit x44
Dire Hit x44
TM16 x(ANYTHING)
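Every listing in this thread (Crystal_'s two tables, and Torchickens' colour test, card matching and Rare Candy lists) uses the same encoding, and a small script makes it concrete. What follows is an added example written for this archive, not code from the thread or from any of its posters. It reads an item list the way the posts do (item index byte, quantity byte, alternating, with execution starting at the quantity of stored item 2, D61A), disassembles the result with a table of only the SM83 opcodes that appear in these posts, and does the reverse: it lays a program out over the slots and inserts the `ld bc,XXXX` (01 XX XX) or `inc b` (04) fillers the listings rely on whenever a byte above 99 would land on a quantity slot. Assumptions: the item indices are read off the "item x quantity" lines beside their hex in this thread and nothing else; the 99 quantity limit Torchickens mentions is treated as the only constraint; and what the game does with an item index it does not recognise, or a quantity above 99, is not modelled.

```python
# Added example, not from this thread or its posters: the stored PC item list
# (index, quantity, index, quantity, ...) read as Game Boy (SM83) code from the
# quantity of stored item 2 on, so code bytes alternate over item and quantity
# slots; the only constraint modelled is the thread's 99 quantity limit.

# Item indices as read off the "item x quantity" lines beside their hex above.
ITEM_NAMES = {
    0x02: "Ultra Ball", 0x04: "Great Ball", 0x05: "Poké Ball", 0x0C: "Awakening",
    0x0D: "Paralyz Heal", 0x0E: "Full Restore", 0x11: "Super Potion", 0x13: "Escape Rope",
    0x14: "Repel", 0x1F: "Calcium", 0x21: "X Accuracy", 0x22: "Leaf Stone", 0x26: "Full Heal",
    0x2C: "Dire Hit", 0x2E: "Fresh Water", 0x33: "X Defend", 0x34: "X Speed", 0x3E: "PP Up",
    0x59: "Blu Apricorn", 0x66: "Blackglasses", 0x69: "Stick", 0x6B: "NeverMeltIce",
    0x71: "Spell Tag", 0x77: "Focus Band", 0x9E: "Flower Mail", 0xA9: "Sun Stone",
    0xC5: "TM06", 0xC6: "TM07", 0xC9: "TM10", 0xCB: "TM12", 0xCE: "TM15", 0xCF: "TM16",
    0xD5: "TM22", 0xDA: "TM27", 0xE9: "TM41", 0xEA: "TM42", 0xED: "TM45", 0xF5: "HM03",
    0xF9: "HM07",
}
NAME_TO_INDEX = {name: idx for idx, name in ITEM_NAMES.items()}

# SM83 opcodes used in the listings: opcode -> (mnemonic, operand byte count).
OPCODES = {
    0x01: ("ld bc,%", 2), 0x04: ("inc b", 0), 0x05: ("dec b", 0), 0x0C: ("inc c", 0),
    0x0D: ("dec c", 0), 0x0E: ("ld c,%", 1), 0x11: ("ld de,%", 2), 0x13: ("inc de", 0),
    0x14: ("inc d", 0), 0x1A: ("ld a,(de)", 0), 0x20: ("jr nz,%", 1), 0x21: ("ld hl,%", 2),
    0x22: ("ldi (hl),a", 0), 0x26: ("ld h,%", 1), 0x2C: ("inc l", 0), 0x2E: ("ld l,%", 1),
    0x33: ("inc sp", 0), 0x3C: ("inc a", 0), 0x3E: ("ld a,%", 1), 0x59: ("ld e,c", 0),
    0x69: ("ld l,c", 0), 0x6B: ("ld l,e", 0), 0x71: ("ld (hl),c", 0), 0x77: ("ld (hl),a", 0),
    0x9E: ("sbc a,(hl)", 0), 0xC5: ("push bc", 0), 0xC6: ("add a,%", 1), 0xC9: ("ret", 0),
    0xCF: ("rst 08", 0), 0xE9: ("jp hl", 0),
}
CB_OPCODES = {0x01: "rlc c"}  # the one CB-prefixed instruction in the thread

MAX_QTY = 99      # the thread's "normal limit" for a quantity
FILL_QTY = 0x01   # ld bc,nn on a quantity slot swallows the next item+quantity pair
FILL_ITEM = 0x04  # inc b (Great Ball), the one-byte junk instruction the thread uses
ANY = None        # "(ANYTHING)": the slot's value does not matter


def listing_to_bytes(listing, any_item=FILL_ITEM, any_qty=FILL_QTY):
    """[(item name or index, quantity), ...] for stored items 2, 3, ... -> the
    byte stream the CPU sees from item 2's quantity (D61A) onward."""
    stream = []
    for item, qty in listing:
        idx = NAME_TO_INDEX[item] if isinstance(item, str) else item
        stream += [any_item if idx is ANY else idx, any_qty if qty is ANY else qty]
    return bytes(stream[1:])  # item 2's own index byte is never executed


def disassemble(code):
    """Decode with the tables above; unknown or truncated bytes come out as db."""
    out, i = [], 0
    while i < len(code):
        op, n = code[i], 1
        if op == 0xCB and i + 1 < len(code) and code[i + 1] in CB_OPCODES:
            out.append(CB_OPCODES[code[i + 1]])
            n = 2
        elif op in OPCODES and i + OPCODES[op][1] < len(code):
            mnem, n = OPCODES[op][0], OPCODES[op][1] + 1
            value = int.from_bytes(code[i + 1:i + n], "little")  # little-endian operand
            out.append(mnem.replace("%", f"{value:0{2 * (n - 1)}X}") if n > 1 else mnem)
        else:
            out.append(f"db {op:02X}")
        i += n
    return out


def fits(ins, at):
    # Every byte landing on a quantity slot (odd index in the item-2-first stream) must be 1..99.
    return all(1 <= b <= MAX_QTY for k, b in enumerate(ins) if (at + k) % 2 == 1)


def encode(program):
    """Lay out instruction byte strings over item/quantity slots, inserting a
    filler when an instruction does not fit the current parity. Returns
    [(item, qty), ...] for stored items 2, 3, ... with ANY for free slots.
    Fillers clobber bc, so reload bc after them before relying on it."""
    stream = [ANY]  # item 2 itself is skipped; code starts at its quantity
    for ins in program:
        if not fits(ins, len(stream)):
            if len(stream) % 2 == 1:
                stream += [FILL_QTY, ANY, ANY]  # quantity slot: ld bc,nn
            else:
                stream.append(FILL_ITEM)        # item slot: inc b
            if not fits(ins, len(stream)):
                raise ValueError(f"{ins.hex()} cannot sit on either parity")
        stream += list(ins)
    if len(stream) % 2:
        stream.append(ANY)  # the last item's quantity is free
    return [(stream[i], stream[i + 1]) for i in range(0, len(stream), 2)]


def describe(pairs):
    """Render encoder output the way the thread writes its item lists."""
    def name(it):
        return "(ANYTHING)" if it is ANY else ITEM_NAMES.get(it, f"item {it:02X}")
    return [f"{name(it)} x{'(ANYTHING)' if q is ANY else q}" for it, q in pairs]


if __name__ == "__main__":
    # Constructed from the trainer colour menu list in Torchickens' post above.
    trainer = [(ANY, 4), ("PP Up", 63), ("Great Ball", 38), ("TM15", 46),
               ("TM45", 34), ("Poké Ball", 33), ("TM10", 82), ("TM16", ANY)]
    code = listing_to_bytes(trainer)[:14]
    print(code.hex(" "), "=>", "; ".join(disassemble(code)))
    print(describe(encode([bytes.fromhex(h) for h in ("3eea", "213fda", "22")])))
```

Run as a script it prints the trainer colour menu bytes with their disassembly, then lays out the first three instructions of Crystal_'s shiny program; the greedy encoder reproduces Torchickens' trainer colour item list exactly, and on Crystal_'s instructions it inserts the same `ld bc,XXXX` filler the table shows before `ld hl,DA3F`, since DA can never be a quantity. An instruction such as `ld hl,DAF5` (21 F5 DA) is rejected, because one of its operand bytes exceeds 99 on either parity; that is the same reason the posts reach for `ld h` / `ld l` pairs and extra `inc l`s instead. The inventory and the code differ only in how the CPU reaches them, which is the whole glitch in one sentence.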

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2014-09-30 07:41:29
Code to get effectively infinite Rare Candies, same Pokémon set-up as my second to last post. This puts a Rare Candy in the Balls pocket, and since it's in the wrong pocket, its quantity will never decrease.

Youtube video

Requirements:
*A Quagsire in the 4th position holding a HP Up with Sleep Talk as the first move
*A freshly caught Pokémon in the third position

Items from item 2:

(ANYTHING)x62
Calcium x13
Great Ball x60
Paralyz Heal x13
Poké Ball x4
(ANYTHING)x(ANYTHING)
Awakening x38
TM22 x1
(ANYTHING)x(ANYTHING)
Leaf Stone x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANYTHING)x(ANYTHING)
TM41 x1

Code:

@D61A

ld a, 1F     | 3E 1F    ; a=Calcium
dec c        | 0D       ; c=FF
inc b        | 04       ; junk code
inc a        | 3C       ; a+1=Rare Candy
dec c        | 0D       ; c=FE
dec c        | 0D       ; c=FD
dec b        | 05       ; junk code
inc b        | 04       ; junk code
ld l, c      | 69       ; address = XXFD
ld bc,$aabb  | 01 ?? ?? ; junk code
inc c        | 0C       ; junk code
ld h, D5     | 26 D5    ; address = D5FD
ld bc,$aabb  | 01 ?? ?? ; junk code
ld (hli),a   | 22       ; Put Rare Candy into D5FD (Balls item 1)

@D62E; This is an adaptation of TheZZAZZGlitch's messed-up stack workaround made by Crystal_. (Unfortunately you can't just ret.)

ld l, F5
ld bc, 0134
ld h, 12
sbc a,(hl)
inc sp
push bc
ld bc, XXXX
jp hl

2E F5 01 34 01 26 12 9E 33 C5 01 XX XX E9

I have a bad feeling that register c is not always 00. If true, this code may not work.

I also tried testing this from a new game with the item requirements hacked in via memory viewer. It didn't work. It wasn't an item problem, because according to the BGB disassembler the game never ended up at D61A.

Would anyone more experienced with this glitch than I am like to look at my save file and find out, please?

New save (doesn't work): here
Working save: here

Remember, you have to step out of the lab, walk right until you're one tile below the first tree, then listen to Machop's cry, then switch item pockets and use the Coin Case.