Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 16

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-31 07:40:21

Nice work!


When I get my cart, i'll probably release a code that grants you any Pokemon you wish with flawless IVs. I don't know the full extent of IVs effect on stats, but it might be of some use to those who are stuck on Red (or Whitney's Miltank lol)


Thanks. Flawless DVs help, but it still takes a while to max out the stat experience as well. Though if anyone struggles with Whitney's Miltank or Red, they really are not good players haha. I did struggle when I was like 12, but when you play the games enough you realise the games are really not challenging and it's very easy to sweep through the game; the fact you can beat Red's team of level 70 and 80 Pokemon with a team of level 50s is proof of that.

Even if you had a really awful, low-levelled team going against Whitney, you could still buy X items and set up on the Clefairy and then easily defeat the Miltank, that's provided the RNG doesn't screw you over with Clefairy's Metronome.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-31 08:08:14
Here's the code:

All wild Pokemon have perfect IVs:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p'd
Box 4-6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy

Affects trainer Pokemon as well, so make sure to SAVE/RESET after catching your Pokemon.

In coin case, that's:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p5
Box 4: éZ(mult).9'l'l'l
Box 5: 'lp'd55555
Box 6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-10-31 10:12:25

Well that's VC Gold 100% completed. Shoutouts to those who helped me with various Coin Case tricks: Torchickens, Dragon Arbock, ISSOtm, SpunkyBandy, spamviech and Couldntthinkofaname.

Red fight was super easy, even easier than usual as my Houndoom hard counters Espeon, which is Red's biggest threat. Even though I've had countless gen II files over the years, it was fun to play with Pokemon I have never used in a run before like Houndoom and Scizor. It was also great to use perfect Hidden Powers for the first time ever; it helped give my Scizor necessary STAB and helped Jolteon with necessary coverage against Rock/Ground Pokemon with Hidden Power Water. Biggest highlight of the fight was my Level 50, 7 HP DV Jolteon surviving a Rain Dance boosted Surf from Red's Level 77 Blastoise. :L Also my Scizor OHKOed Red's Snorlax with a +6 Hidden Power Bug, but it did crit though. Something also nice with this run is that when I caught a Chansey it was holding a Lucky Egg, and I don't think I've got one of those before: 1% for Chansey to appear and 8% chance for it to be holding a Lucky Egg. Lucky Egg certainly helped with training during those last few levels.

My team and ending stats:
[img]http://i.picresize.com/images/2017/10/31/SyriX.jpg[/img]
[img]http://i.picresize.com/images/2017/10/31/ZXOM0.jpg[/img]

With Yellow, Crystal, Emerald and now VC Gold that's 4 Pokemon playthroughs I've completed this year. Maybe I should play other games now, but Pokemon is just so damn fun. :'D


Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-31 11:20:45

Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.


Thanks. It was the VC release and your videos that made me want to play gen II again. :) 251 with only using Coin Case for Mew and Celebi and no other glitches is what I did for my Crystal playthrough on Gameboy, by trading over a Mew and Celebi obtained on a Gold cartridge with Coin Case. However on VC Gold, because I had no one to trade with, I needed all the R/B/Y and Silver exclusives and the only way I could get them was with the Coin Case. I also used other glitches such as your DV code, Master Ball and Rare Candy codes to get through the Pokedex quicker, so that makes up for the time. My Crystal file is probably similar in time to yours, I think it was around 60 or 70 hours iirc, but on that file I trained my Pokemon to level 70 and I did (I think) four Battle Tower runs at level 40, 50, 60, 70.

I don't mind using a few extra glitches to make some of the tedious stuff quicker, for example getting a Larvitar and a Dratini all the way up to a Tyranitar and a Dragonite through training or the daycare takes ages and I've done it before and I wasn't particularly looking forward to doing that again. :P

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-10-31 14:44:47


If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file


The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.


Can you unlock SRAM manually? Wondering if you can use TM25 to edit pokémon in the box.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-31 16:45:48
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Parzival
Date: 2017-10-31 17:15:56

SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.



If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file


The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.


Can you unlock SRAM manually? Wondering if you can use TM25 to edit pokémon in the box.

Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-10-31 17:33:48
To then switch SRAM banks, write the desired number to $4000-$5FFF. (Avoid writing too high values, results will differ based on platform.)
The selected SRAM bank will then be available in range A000-BFFF…

By the way, to lock SRAM again, write a value that wouldn't unlock it to the same address range.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-31 18:15:03


SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.



If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file


The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.


Can you unlock SRAM manually? Wondering if you can use TM25 to edit pokémon in the box.

Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.


Thank you! This should be helpful. I bet something like this would work:


ld hl, 0000      ; start of the MBC RAM-enable register range ($0000-$1FFF)
ld bc, 01ff      ; number of bytes to write
.loop
ld a, 0a         ; SRAM enable value
ldi (hl), a      ; write it and advance hl
dec bc
ld a, b
or c             ; loop until bc reaches zero
jr nz, .loop
...


Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: forsyz
Date: 2017-11-01 01:33:06
I tried this in an emulator but where the pokemon in boxes are stored it's still all 0s

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-11-01 05:29:06


SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.



If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file


The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.


Can you unlock SRAM manually? Wondering if you can use TM25 to edit pokémon in the box.

Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.


I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-01 05:57:59

I tried this in an emulator but where the pokemon in boxes are stored it's still all 0s


Are you executing this code in a debugger? If so, make sure to execute the code while viewing the bag, pokemon party, etc.

SRAM in gen 2 works a lot differently than in gen 1. In my copy of Gold, the SRAM immediately locks itself if unlocked in the overworld.



I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram


That sounds about right. Editing ROM in-game is impossible, so it makes sense that ROM addresses could be used for other parts of RAM when written to.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-01 06:32:33



SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.

(…)
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.


Thank you! This should be helpful. I bet something like this would work:


ld hl, 0000      ; start of the MBC RAM-enable register range ($0000-$1FFF)
ld bc, 01ff      ; number of bytes to write
.loop
ld a, 0a         ; SRAM enable value
ldi (hl), a      ; write it and advance hl
dec bc
ld a, b
or c             ; loop until bc reaches zero
jr nz, .loop
...


Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)

You don't have to write to all of these addresses, only to one of them. Same for all other writes.

ld a, $0A
ld [$0000], a

That's enough.


I tried this in an emulator but where the pokemon in boxes are stored it's still all 0s

You probably didn't switch SRAM banks. If SRAM was locked, you'd see $FF, not $00.



(…)


I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram

ROM is read-only. And you aren't writing to any kind of RAM either. It's attempting to write to ROM that triggers the operation.
On original hardware, the Game Boy simply forwarded ROM and SRAM read AND write orders to the cartridge; the MBC chips simply intercepted write orders that targeted some areas of ROM and processed them as internal commands (switching ROM banks, SRAM banks, unlocking SRAM, etc.).

Also, side note, you should refer to this document instead. It's also the Pan Docs, but wikified and corrected. Also the Pokémon games all use MBC3 (except the Japanese games, which use MBC1), which is why this document will be more accurate. Note that the Gen I games don't have RTC support, so don't try to use the RTC clock, it's not there.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-01 06:46:18
Super-sorry for my ignorance on the subject; SRAM is a new concept for me.

So, allow me to get this straight, editing box Pokemon is as simple as:
1: Unlock SRAM
2: Switch into respective bank
3: Write
4: Relock

If so, is there any list I can access for SRAM banks?

Thanks in advance! :)


Edit: Nevermind, box Pokemon is in SRAM bank 1.

I wrote an SRAM hack that turns your first box Pokemon into Celebi. I'll convert it to a box name code and have it up sometime today.
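Added example (not code from the thread or from any poster): a small C model of the bus decoding ISSOtm describes above, driven through the four steps listed in this post. Reads from $0000-$7FFF always come from ROM, writes there never reach ROM and are taken as MBC3 commands, and SRAM at $A000-$BFFF reads back $FF while locked. Assumptions in the model, not facts from the thread: two ROM banks, four SRAM banks, the RTC registers and latch are not modelled, out-of-range bank numbers simply read as $FF, and the enable test is the thread's "value ending in A" rule (real MBC3 silicon may insist on exactly $0A).

```c
/* Model of an MBC3 cartridge as seen from the CPU bus (added example). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ROM_BANKS       2        /* assumption: enough for the demo */
#define ROM_BANK_SIZE   0x4000
#define SRAM_BANKS      4        /* assumption: 32 KiB cartridge SRAM */
#define SRAM_BANK_SIZE  0x2000

typedef struct {
    uint8_t rom[ROM_BANKS][ROM_BANK_SIZE];
    uint8_t sram[SRAM_BANKS][SRAM_BANK_SIZE];
    int     ram_enabled;   /* set by a write to $0000-$1FFF */
    uint8_t rom_bank;      /* set by a write to $2000-$3FFF */
    uint8_t ram_bank;      /* set by a write to $4000-$5FFF */
} mbc3_t;

void mbc3_init(mbc3_t *c) {
    memset(c, 0, sizeof *c);
    c->rom_bank = 1;
    c->rom[1][0x0000] = 0xAA;  /* constructed ROM byte so bank 1 is recognisable */
}

/* Bus read: ROM is always ROM; SRAM is visible only once unlocked. */
uint8_t mbc3_read(const mbc3_t *c, uint16_t addr) {
    if (addr < 0x4000) return c->rom[0][addr];
    if (addr < 0x8000) return c->rom[c->rom_bank % ROM_BANKS][addr - 0x4000];
    if (addr >= 0xA000 && addr < 0xC000) {
        if (!c->ram_enabled || c->ram_bank >= SRAM_BANKS) return 0xFF; /* locked, or RTC/out of range */
        return c->sram[c->ram_bank][addr - 0xA000];
    }
    return 0xFF; /* not cartridge space */
}

/* Bus write: writes into the ROM range are intercepted as mapper commands. */
void mbc3_write(mbc3_t *c, uint16_t addr, uint8_t val) {
    if (addr < 0x2000) { c->ram_enabled = (val & 0x0F) == 0x0A; return; }  /* thread's "ends in A" rule */
    if (addr < 0x4000) { c->rom_bank = val & 0x7F; if (c->rom_bank == 0) c->rom_bank = 1; return; }
    if (addr < 0x6000) { c->ram_bank = val; return; }
    if (addr < 0x8000) return;  /* RTC latch: not modelled */
    if (addr >= 0xA000 && addr < 0xC000 && c->ram_enabled && c->ram_bank < SRAM_BANKS)
        c->sram[c->ram_bank][addr - 0xA000] = val;
    /* a write to locked SRAM is silently dropped */
}

/* The four steps from the post: unlock, select bank, write, relock.
 * Returns the byte read back before relocking. */
uint8_t sram_patch_byte(mbc3_t *c, uint8_t bank, uint16_t off, uint8_t val) {
    mbc3_write(c, 0x0000, 0x0A);          /* ld a,$0A ; ld [$0000],a  (one write is enough) */
    mbc3_write(c, 0x4000, bank);          /* ld a,bank ; ld [$4000],a */
    mbc3_write(c, 0xA000 + off, val);
    uint8_t back = mbc3_read(c, 0xA000 + off);
    mbc3_write(c, 0x0000, 0x00);          /* relock; optional per ISSOtm */
    return back;
}

/* Locked SRAM reads as $FF, not $00: the diagnostic given to forsyz above. */
int locked_sram_read(void) {
    mbc3_t c; mbc3_init(&c);
    return mbc3_read(&c, 0xA000);
}

/* A write into the ROM range changes mapper state, never the ROM byte itself. */
int rom_write_is_command(void) {
    mbc3_t c; mbc3_init(&c);
    mbc3_write(&c, 0x2100, 0x01);                 /* select ROM bank 1 */
    return mbc3_read(&c, 0x2100) == 0x00 &&       /* ROM byte untouched */
           mbc3_read(&c, 0x4000) == 0xAA;         /* bank 1 now mapped */
}

/* A write made while locked is lost; a patch in bank 1 is not visible in bank 0. */
int bank1_patch_demo(void) {
    mbc3_t c; mbc3_init(&c);
    mbc3_write(&c, 0xA010, 0x55);                          /* locked: dropped */
    uint8_t v = sram_patch_byte(&c, 1, 0x0010, 0xFB);      /* box data is in bank 1 per the thread */
    mbc3_write(&c, 0x0000, 0x0A);
    mbc3_write(&c, 0x4000, 0x00);
    uint8_t bank0 = mbc3_read(&c, 0xA010);
    mbc3_write(&c, 0x0000, 0x00);
    return v == 0xFB && bank0 == 0x00;
}

int main(void) {
    printf("locked SRAM read: $%02X\n", locked_sram_read());
    printf("ROM-range write decoded as command: %d\n", rom_write_is_command());
    printf("bank-1 patch visible only in bank 1: %d\n", bank1_patch_demo());
    return 0;
}
```

The model makes the two points of the discussion concrete: a debugger showing $00 in the box area means SRAM is unlocked but the wrong bank is selected (a locked bank would read $FF), and the loop that writes $0A to 511 addresses does nothing more than the single `ld [$0000], a` store, since any address in $0000-$1FFF hits the same enable register.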

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-01 08:19:03
Relocking is optional, even more so if the game automatically re-locks it in the overworld. I'm not sure about not switching back to the original bank, but I can bet it's harmless.


SRAM "maps":

http://github.com/PikalaxALT/pokegold/blob/master/sram.asm
Quite incomplete [last time I checked].

http://github.com/pret/pokecrystal/blob/master/sram.asm
Should be mostly the same as G/S.