Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Posted by: Spoink
Date: 2016-02-03 08:35:04
Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.
UnknownText_0x1c5c7b::
text "Coins:"
line "@"
deciram Coins, 2, 4
db "@@"
82 AE A8 AD B2 9C 4F 50 09 55 D8 24 50 50 00
Coins:=($50)($09)+($D8)($24)($50)($50)($00)
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.
Really nice :9
I've been playing around with this glitch for a while now and recently found a way to produce basically any item. The process is basically the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi.
https://www.youtube.com/watch?v=SpfgOVfGVTo
Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number. Given the normal set up that would yield HM09 I think which can be sold for about 19000 Pokebucks…
This happens because the stack of 4 Great balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC. Also, using only 2 Great Balls increases the index number by 1 and using multiple stacks of Great Balls will increase the index number in the same manner.
This can be helpful for getting stray items by finding base items that have an index number before theirs as you can swap out HM07 with other base items to mutate. This way you don't even lose the item you were initially working with.
I don't know much assembly, but I know enough to understand the concepts behind how the glitch works. Given that 42 Fresh Water correspond to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data, allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.
There's a simple list of the data structure here:
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II
An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon. I'm pretty sure this takes 50 Fresh Water.
So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.
Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
http://pastebin.com/raw/arPmsvYu
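As an added illustration of the offset rule the post above describes (this is not code from the thread or from TheZZAZZGlitch's video), the Python below maps a Fresh Water count onto the Generation II party Pokemon structure and parses a constructed 48-byte record. The post's numbers (42 = first byte of the first party slot, 43 = held item, 44-47 = moves, 50-52 = EXP) are taken as given; the remaining field offsets and the big-endian byte order are taken from the Bulbapedia page linked above, and the sample record bytes are made up for the example.

```python
# Added example: Fresh Water count -> byte offset in the Gen II party structure.
# Offsets follow the Bulbapedia "Pokémon data structure in Generation II" page
# linked in the post; the 42-count base is the post's own observation.
import struct

BASE_FRESH_WATER = 42   # the count that reaches offset 0 of the first party slot
STRUCT_SIZE = 0x30      # one party entry is 48 bytes

# (offset, length, name) for the party structure, per the linked page
FIELDS = [
    (0x00, 1, "species"),        # the post's "ID number"
    (0x01, 1, "held_item"),
    (0x02, 4, "moves"),
    (0x06, 2, "ot_id"),
    (0x08, 3, "experience"),
    (0x0B, 10, "stat_exp"),
    (0x15, 2, "dvs"),
    (0x17, 4, "pp"),
    (0x1B, 1, "friendship"),
    (0x1C, 1, "pokerus"),
    (0x1D, 2, "caught_data"),    # used by Crystal only
    (0x1F, 1, "level"),
    (0x20, 1, "status"),
    (0x21, 1, "unused"),
    (0x22, 2, "current_hp"),
    (0x24, 2, "max_hp"),
    (0x26, 2, "attack"),
    (0x28, 2, "defense"),
    (0x2A, 2, "speed"),
    (0x2C, 2, "special_attack"),
    (0x2E, 2, "special_defense"),
]


def field_for_fresh_water(count):
    """Return (field name, byte index inside that field) that `count` Fresh
    Water would reach, or None if the count lands outside the first slot."""
    offset = count - BASE_FRESH_WATER
    if not 0 <= offset < STRUCT_SIZE:
        return None
    for start, length, name in FIELDS:
        if start <= offset < start + length:
            return name, offset - start
    return None


def parse_party_pokemon(record):
    """Decode the fields the post talks about from one 48-byte party record.
    Multi-byte values in this structure are big-endian."""
    if len(record) != STRUCT_SIZE:
        raise ValueError("expected a 48-byte party record")
    return {
        "species": record[0x00],
        "held_item": record[0x01],
        "moves": list(record[0x02:0x06]),
        "ot_id": struct.unpack(">H", record[0x06:0x08])[0],
        "experience": int.from_bytes(record[0x08:0x0B], "big"),
        "level": record[0x1F],
        "current_hp": struct.unpack(">H", record[0x22:0x24])[0],
        "max_hp": struct.unpack(">H", record[0x24:0x26])[0],
    }


def overwrite_byte(record, count, value):
    """Model the single-byte change that `count` Fresh Water produces and
    return the modified record (the input bytes are left untouched)."""
    offset = count - BASE_FRESH_WATER
    if not 0 <= offset < STRUCT_SIZE:
        raise ValueError("count does not land inside the first party slot")
    out = bytearray(record)
    out[offset] = value & 0xFF
    return bytes(out)


# Constructed sample record (not a real save): species 0x9E, held item 0x03,
# two move bytes set, OT ID 0x1234, experience 0x000100 (256), level 5, 20/20 HP.
_sample = bytearray(STRUCT_SIZE)
_sample[0x00:0x0B] = bytes([0x9E, 0x03, 0x21, 0x2D, 0x00, 0x00,
                            0x12, 0x34, 0x00, 0x01, 0x00])
_sample[0x1F] = 5
_sample[0x22:0x24] = (20).to_bytes(2, "big")
_sample[0x24:0x26] = (20).to_bytes(2, "big")
SAMPLE = bytes(_sample)

if __name__ == "__main__":
    for n in (42, 43, 44, 47, 48, 50, 52):
        print(n, "Fresh Water ->", field_for_fresh_water(n))
    print(parse_party_pokemon(SAMPLE))
    # writing 0x01 at the 50-count position raises the high EXP byte
    print(parse_party_pokemon(overwrite_byte(SAMPLE, 50, 0x01))["experience"])
```

The 48-49 counts fall on the OT ID bytes, which the post skips over; the table makes that visible, along with the fact that the 3-byte EXP field is big-endian, so the 50-count byte is the most significant one.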
xor a          ; a = 0
ld ($ff83),a   ; store 0 to HRAM address $ff83
pop de         ; discard two bytes from the stack
pop de         ; discard two more
inc sp         ; skip one byte
pop de         ; discard two more
or a           ; clear the carry flag
ret nc         ; carry is clear, so return
So basically this would enable ACE stuff much earlier into the game then before? Because before with the item lists in the PC you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.
Yeah you can conveniently do this early in game once you get the Coin Case (and TM02, TM27). I think it's also easier to set up.
Note I think Quagsire can possibly be replaced with Wooper (jp nz,$xxyy) like in the previously linked speedrunning route, and werster's 43:47 speedrun uses a particular path in the Pokémon Center with the starter Croconaw in slot 4 (possibly meaning a specific Croconaw could work too).