Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 24

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2018-02-25 09:51:33


Don't forget the terminator character at the end of box name 1, which is a "ld d,b" instruction. Here it doesn't really change anything (maybe sets the zero flag), but it could still add confusion if you forget it.


ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.


Ah, so they don't.
I always forget since I never had to use them other than after specifically setting them (i.e. by a dec statement).


I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.


Not contain any values that interrupt execution, jump somewhere else or set a random byte.
In general you're fine with values <10.
If you plan to look at values anyway I'd advise using TM17 instead of TM25. IIRC it starts execution somewhere in the stats of Pokémon 1 (i.e. slide as first, Quagsire as second) instead of some invisible value of Pokémon 2.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-03-01 18:26:47
So, avoiding things like unwanted SUB, ADD and JMP instructions for example then. Fair enough! The more I think about this the more I am convinced I need to learn the Game Boy assembly (a modified version of the Z80, IIRC). Not like it'd even be the first assembly language I've learned.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-03-01 19:49:05
Trust me, if you already understand assembly at least to an extent, Gbz80 will be a cakewalk.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Haircoolass
Date: 2018-03-02 05:41:40

Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.

1)  A  p  'v  5  é  4  2  5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v  9  é  /  2  p  'v  . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)  é  0  2  'v  2  é  5  2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v  9  é    2  'v  9  5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)  é  2  2  'v  9  é  3  2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v    é  ,  2  0  9  9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)  0  0  0  5  5  5  5  5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)  x  'd OR A; RET NC


Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.


Hey there, I'm pretty new to the world of ACE glitches in Gen 2.

I used the wild shiny Celebi glitch yesterday and wanted to try this code to multiply some items.
My questions are: how do I use this code in the quote? Is it for Coin Case or TM25?
And in case of using TM25, do I always need to have Quagsire as my 3rd mon and my slide Pokémon (I use the traded Onix "Rocky") in the 2nd slot?
Is there a way I can identify whether a code is meant for TM25 or Coin Case?
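Both the advice earlier in this thread (a slide Pokémon's bytes must not contain anything that interrupts execution, jumps elsewhere, or stores a byte) and the box-name listing quoted in this post come down to one check: turn the glyphs into bytes and read them as gbz80 before entering anything, which is also the cheapest insurance against corrupting a save. The Python below is an added example, not code from the thread or from any of its posters. It assumes the English-version glyph values that the thread's own disassemblies imply ('v = $D6 SUB n, é = $EA LD [nn],A, p = $AF XOR A, 'd = $D0 RET NC, digits $F6 to $FF, $50 as the name terminator); French and other versions use different values, which is exactly the point made further down the thread. The decoder covers the whole unprefixed gbz80 opcode set and walks operands correctly; the A-register trace only models the immediate ALU ops these payloads use and records nothing once A depends on another register; and the risk check flags every control-flow, undefined, and memory- or stack-writing opcode, which is stricter than the "values below 10" rule of thumb because $02 (LD [BC],A) and $08 (LD [nn],SP) both store to memory. The function names are mine.

```python
# Added example, not from the thread: Gen II box names -> bytes -> gbz80, plus the two checks
# the replies above describe (no jumps/stores among slide bytes; where each LD [nn],A lands).
from typing import Dict, List, Tuple
# English-version glyph values, assumed from the thread's own disassemblies
# ('v = SUB n, é = LD [nn],A, p = XOR A, 'd = RET NC, 0-9 = $F6-$FF, $50 ends a name).
CHARMAP: Dict[str, int] = {"@": 0x50, " ": 0x7F, "é": 0xEA, "'": 0xE0, "♂": 0xEF, "♀": 0xF5,
    "×": 0xF1, "/": 0xF3, ",": 0xF4, ".": 0xE8, "?": 0xE6, "!": 0xE7, "-": 0xE3, "'d": 0xD0,
    "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6}
CHARMAP.update({chr(65 + i): 0x80 + i for i in range(26)})  # A-Z
CHARMAP.update({chr(97 + i): 0xA0 + i for i in range(26)})  # a-z
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})       # 0-9

def encode_box_name(name: str) -> bytes:
    """Bytes stored for one box name: at most 8 glyphs ('v, 'd ... count as one), then $50."""
    toks, i = [], 0
    while i < len(name):
        tok = name[i:i + 2] if name[i] == "'" and name[i:i + 2] in CHARMAP else name[i]
        toks.append(tok)
        i += len(tok)
    if len(toks) > 8 or any(t not in CHARMAP for t in toks):
        raise ValueError(f"not an 8-glyph English-version box name: {name!r}")
    return bytes(CHARMAP[t] for t in toks) + b"\x50"

# Unprefixed gbz80 decoding via the x/y/z opcode bit fields, operand sizes, and risk classes.
REGS = ["B", "C", "D", "E", "H", "L", "[HL]", "A"]
RR, CC, MEM = ["BC", "DE", "HL", "SP"], ["NZ", "Z", "NC", "C"], ["[BC]", "[DE]", "[HL+]", "[HL-]"]
ALU = ["ADD A,", "ADC A,", "SUB ", "SBC A,", "AND ", "XOR ", "OR ", "CP "]
UNDEFINED = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
LEN3 = {0x01, 0x11, 0x21, 0x31, 0x08, 0xC2, 0xC3, 0xCA, 0xD2, 0xDA, 0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xEA, 0xFA}
LEN2 = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0xC6, 0xCE,
        0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE, 0xE0, 0xF0, 0xE8, 0xF8, 0xCB}
MISC = {0x00: "NOP", 0x08: "LD [{nn}],SP", 0x10: "STOP", 0x18: "JR {n}", 0xC9: "RET", 0xD9: "RETI",
        0xC3: "JP {nn}", 0xCD: "CALL {nn}", 0xE9: "JP HL", 0xE0: "LDH [{n}],A", 0xF0: "LDH A,[{n}]",
        0xE2: "LD [C],A", 0xF2: "LD A,[C]", 0xEA: "LD [{nn}],A", 0xFA: "LD A,[{nn}]", 0xE8: "ADD SP,{n}",
        0xF8: "LD HL,SP+{n}", 0xF9: "LD SP,HL", 0xF3: "DI", 0xFB: "EI", 0xCB: "CB {n}"}
CONTROL_FLOW = {0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x76, 0xC0, 0xC8, 0xD0, 0xD8, 0xC9, 0xD9, 0xC2, 0xC3,
                0xCA, 0xD2, 0xDA, 0xE9, 0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF}
MEM_WRITE = {0x02, 0x08, 0x12, 0x22, 0x32, 0x34, 0x35, 0x36, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x77,
             0xE0, 0xE2, 0xEA, 0xC5, 0xD5, 0xE5, 0xF5, 0x31, 0xF9, 0xCB}

def mnemonic(b: int, n: str, nn: str) -> str:
    """One opcode to text; n / nn are the already formatted 8-/16-bit operands."""
    if b in UNDEFINED: return "UNDEFINED (hangs the CPU)"
    if b in MISC: return MISC[b].format(n=n, nn=nn)
    x, y, z = b >> 6, (b >> 3) & 7, b & 7
    if x == 1: return "HALT" if b == 0x76 else f"LD {REGS[y]},{REGS[z]}"
    if x == 2: return ALU[y] + REGS[z]
    if x == 0:
        if z == 0: return f"JR {CC[y - 4]},{n}"          # the other z == 0 opcodes are in MISC
        if z == 1: return f"LD {RR[y >> 1]},{nn}" if y % 2 == 0 else f"ADD HL,{RR[y >> 1]}"
        if z == 2: return f"LD {MEM[y >> 1]},A" if y % 2 == 0 else f"LD A,{MEM[y >> 1]}"
        if z == 3: return f"{'INC' if y % 2 == 0 else 'DEC'} {RR[y >> 1]}"
        if z in (4, 5): return f"{'INC' if z == 4 else 'DEC'} {REGS[y]}"
        if z == 6: return f"LD {REGS[y]},{n}"
        return ["RLCA", "RRCA", "RLA", "RRA", "DAA", "CPL", "SCF", "CCF"][y]
    if z == 6: return ALU[y] + n
    if z == 7: return f"RST {y * 8:02X}h"
    if z in (1, 5): return f"{'POP' if z == 1 else 'PUSH'} {['BC', 'DE', 'HL', 'AF'][y >> 1]}"
    return {0: "RET {c}", 2: "JP {c},{nn}", 4: "CALL {c},{nn}"}[z].format(c=CC[y], nn=nn)

def disassemble(code: bytes) -> List[Tuple[int, bytes, str]]:
    """Walk the bytes the way the CPU would, giving (offset, raw bytes, mnemonic)."""
    out, i = [], 0
    while i < len(code):
        b = code[i]
        size = 3 if b in LEN3 else 2 if b in LEN2 else 1
        raw = code[i:i + size]
        if len(raw) < size:          # the stream ends inside an operand
            return out + [(i, raw, f"DB ${b:02X} (operand runs past the end)")]
        n = f"${raw[1]:02X}" if size > 1 else ""
        nn = f"${raw[2]:02X}{raw[1]:02X}" if size == 3 else ""   # 16-bit operands are little-endian
        out.append((i, raw, mnemonic(b, n, nn)))
        i += size
    return out

def risky_instructions(code: bytes) -> List[Tuple[int, str, str]]:
    """What slide bytes must avoid: divert, hang, or store. Stricter than '< 10': $02 and $08 store."""
    classes = [(UNDEFINED, "undefined opcode"), (CONTROL_FLOW, "control flow"), (MEM_WRITE, "memory/stack write")]
    return [(off, mnem, why) for off, raw, mnem in disassemble(code) for ops, why in classes if raw[0] in ops]

# How A changes: immediate ALU ops, INC/DEC A and CPL are modelled; every other write to A clobbers it.
A_OPS = {0xC6: lambda a, n: (a + n) & 0xFF, 0xD6: lambda a, n: (a - n) & 0xFF, 0xE6: lambda a, n: a & n,
         0xEE: lambda a, n: a ^ n, 0xF6: lambda a, n: a | n, 0x3C: lambda a, n: (a + 1) & 0xFF,
         0x3D: lambda a, n: (a - 1) & 0xFF, 0x2F: lambda a, n: a ^ 0xFF}
A_CLOBBER = ({b for b in range(0x80, 0xB8) if b not in (0xA7, 0xAF, 0xB7)} | set(range(0x78, 0x7F))
             | {0x0A, 0x1A, 0x2A, 0x3A, 0xF0, 0xF2, 0xFA, 0x07, 0x0F, 0x17, 0x1F, 0x27, 0xCE, 0xDE, 0xF1})

def trace_stores(code: bytes) -> Dict[int, int]:
    """Follow A through the straight-line payload and record each LD [nn],A (the 'A->05' notes above)."""
    a, stores = None, {}             # A is unknown until XOR A or LD A,n pins it down
    for _, raw, _ in disassemble(code):
        b, n = raw[0], (raw[1] if len(raw) > 1 else 0)
        if b in CONTROL_FLOW or b in UNDEFINED:
            break                    # RET NC or a jump ends the straight line
        if b == 0xAF: a = 0                                   # XOR A
        elif b == 0x3E: a = n                                 # LD A,n
        elif b in A_CLOBBER: a = None                         # depends on another register or carry
        elif a is not None and b in A_OPS: a = A_OPS[b](a, n)
        elif a is not None and b == 0xEA: stores[n | (raw[2] << 8)] = a
    return stores
```

Feeding boxes 1 to 3 of the listing above ("Ap'v5é425", "'v9é/2p'v." and "é02'v2é52") through encode_box_name and trace_stores reproduces its annotations: A becomes $05, $06, $18 and $20 in turn and is stored at the addresses the listing writes byte-by-byte as faf8, f3f8, f6f8 and fbf8 (little-endian, so $F8FA and so on). The $50 terminator between boxes decodes as LD D,B, which neither check flags.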

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2018-03-02 08:16:52
There is an explanation of the differences between Coin Case and TM codes in a few replies to the newcomers guide to G/S/C ACE. You will basically read there what is needed in a Coin Case code compared to TM codes so you can see if a code is designed for Coin Case.

Also, I wonder why people keep doing the TM25 setup. Preparing TM17 for ACE is easier…

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-03-23 23:45:29
add 1 to id of item 1 (early game viable version)
Uses stored items starting from stored item 3. Requires Quagsire with Sleep talk as first move and holding protein.

Item 3: poke ball x 38
Item 4: TM 23 x 04
Item 5: Fresh Water x 23
Item 6: X speed x 04
Item 7: TM10 x any


dec b
ld h,d6
inc b
ld l,17
inc (hl)
inc b
ret


Lots of filler, but this way you don't require anything you can't easily get early game (use torchicken's get all TMs and HMs code, or the modified 255x version, first for the TMs).

The best thing about this is it's easy to change to decrement, or to change to item 1 quantity. To make it decrement boxed item 1's ID by 1, change X Speed to X Special. To make it increment item 1 quantity, make it Fresh Water x 24. To make it decrement item 1's quantity, do both. Note you can use this to get pretty much any item setup you will need, ever (withdraw all but 1 of the item in slot 1, decrement twice, withdraw all but the amount you need). However, I'd use it to get certain things and then do a more efficient setup once you had what you needed for said more efficient setup.

For example:

Write to any byte in memory by Wack0, ported by Azarokkusu


Same Quagsire setup here.

Item 3: Full Heal x XX ; XX = higher byte of address you're going to write to
Item 4: Fresh Water x XX ; XX = lower byte of address you're going to write to
Item 5: PP up x XX ; XX is value you want to write
Item 6: Focus Band x 201



ld h,xx
ld l,xx
ld a,xx
ld (hl),a
ret


You could do it with 1 less item using Coin Case x (value you want to write), but then you can't see what that value is because it's a key item.



Here's a sprawling code to set the quantity of all your items in your Items and Balls pockets to 0 AND all your HMs and TMs to a quantity of 255. Note you can't have 0 of a TM in your TM pocket or it doesn't show up, but you CAN have 0 of a TM in your box. This is due to it storing inventory TMs only as quantities, but box items as ID and quantity. Also, getting ? (ID $0) is incredibly easy if you already underflowed your Ball pocket, but is also doable with the above code.

Same Quagsire setup again

item 3: X Accuracy x 183
item 4: TM22 x 6
item 5: Repel x 62
item 6: Master Ball x 61
item 7: Dire Hit x 44
item 8: ? x 119
item 9: Poké Ball x 184
item 10: TM04 x 35
item 11: TM23 x 0
item 12: X Accuracy x 252
item 13: TM22 x 6
item 14: Awakening x 184
item 15: Dire Hit x 44
item 16: ? x 119
item 17: Poké Ball x 184
item 18: TM04 x 51
item 19: TM23 x 0
item 20: X Accuracy x 125
item 21: TM22 x 6
item 22: X Special x 4
item 23: Great Ball x 04
item 24: Great Ball x 184
item 25: Dire Hit x 119
item 26: X Special x 5
item 27: ? x 184
item 28: TM04 x 71
item 29: TM23 x 201

Note the tm04s here are the normal one ($c2), not the one that does nothing ($c3).


ld hl,d5b7
ld b,14
ld a,01
dec a
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d623
nop
ld hl,d5fc
ld b,0c
cp b
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d633
nop
ld hl,d57d
ld b,35
inc b
inc b
inc b
inc b
cp b
inc l
ld (hl),a
dec (hl)
dec b
nop
cp b
jp nz,d647
ret


The nops can be replaced with inc d, dec c etc. (since we don't use c, d etc.) but I used nop simply because (1) it's easy to get high amounts of ? and (2) I wasn't sure if I'd have to re-write the number of items in each inventory, since I had a problem with that earlier where it wrote FF to the bytes you initially set hl to in each setup phase. However that problem is gone now.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-03-24 04:54:58
Something nice for y'all. Complete your Pokédex (251 seen, 251 caught, and no glitched entries etc.)

item 3: X Accuracy x 227
item 4: TM28 x 6
item 5: Ether x 62
item 6: Master Ball x 61
item 7: Dire Hit x 189
item 8: TM11 x 61
item 9: TM23 x 119
item 10: X Special x 20
item 11: Poké Ball x 184
item 12: TM04 x 35
item 13: TM23 x 46
item 14: BrightPowder x 54
item 15: Poké Ball x 52
item 16: X Speed x 46
item 17: Metal Powder x 54
item 18: Poké Ball x 52
item 19: X Speed x 201
item 20: Nugget x 195
item 21: Max Revive x 214


;setup
ld hl,dbe3
ld b,3f
ld a,01
dec a
;execution
inc l
cp l
jp z,d63d
ld (hl),a
dec (hl)
inc d
dec b
cp b
jp nz,d623
ld l,03
ld (hl),05
inc (hl)
inc (hl)
ld l,23
ld (hl),05
inc (hl)
inc (hl)
ret
;increase h if l rolls over (first conditional jump)
inc h
jp d628

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: bestgoldglitche
Date: 2018-05-11 16:05:01
Hey all, preemptive apologies if this is something that's already been done, but I had a thought and it might prove useful.

Consider writing your assembly commands into the Pokémon stats themselves.

One of the first uses of this glitch was to get Celebi (https://www.youtube.com/watch?v=SpfgOVfGVTo). If you increase the number of Fresh Water used in that video you traverse the data in the first Pokémon in your party. If you change HM07 to other items and change the number of Great Balls, you can write different bytes into the Pokémon's stats.

So, the thought is:
- use that process to write data into the pokemon's stats
- fill the current box with specially written pokemon
- use the glitch to jump to the boxed pokemon's data

Voila, you have addresses $AD82 through $B001 in which to write code a byte at a time instead of $D616 through $D67A. Thoughts?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2018-05-11 17:50:38
Coin Case is fairly obsolete, for starters. We tend to use box names instead, and Wrong Pocket TMs.
Using SRAM is a bad idea, for three reasons:
1. It's banked, so you have to ensure the correct bank is loaded
2. It has to be unlocked, then ideally re-locked
3. 3DS VC cannot execute from SRAM

Corrupting Pokémon data is also a rather bad idea, since it's prone to lots of corruptions.

If you need to write large payloads, you can instead use luckytyphlosion's Mail execution setup.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Pablo
Date: 2018-10-21 16:33:12
I've been reading on this subject for about a week now, reading and reading and reading, headache inducing. I get the basic concept of it, but I don't believe my knowledge of it is good enough to start executing it or experimenting with it. More like an infant to this code writing stuff at the moment, I really don't want to run the risk of corrupting my save file beyond repair.

Well, to my point, is there a way to use this code to

1. Warp to Mt. Silver, or possibly walk through walls to get there; I really would like to catch a Larvitar (train/evolve there as well)

2. Change another bag item, held item, or be able to edit PokéMart inventory to get a Scope Lens (not enough games to Mystery Gift it)

3. Get 250+ of Protein, Iron, Calcium, Carbos, PP Up, and HP Up, or any other items that matter, balls, TMs, etc… tired of cloning over and over

4. And eventually start editing Pokémon's IVs and/or attacks


There is a catch though: I haven't received the item Pass yet, haven't even beaten the Elite Four, haven't even gotten the eighth Gym badge, but what I am doing is working on all of the Pokédex before I beat the Elite Four.
Is there a way before I go to Kanto? Everything else I've been reading shows post-E4 and 16 badges. There are a few that show before, but they aren't very clear and don't include the most important codes I would like to perform on my list (#1 & #2).

I've seen speedruns jump to Mt. Silver but they use a flag (I think) to allow Red to be shown or to instantly win that battle or some sort; I don't care about that or don't want to beat Red early. So I can't follow their codes to the T. Plus they rely heavily on luck IV manipulation (I think) which I wouldn't begin to know how to perform from the beginning.
The first two are really more important to me than the last two, at least for now, but I would really appreciate some help from somebody who has more experience with ACE and has done this more than a few times.

I'm playing on 3DS Virtual Console with Pokémon Silver Version. Thanks again.

PS: I have lots of pokecash so buying items isn't a problem, as long as they are available to me at the moment.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2018-12-02 06:33:11

I've been reading on this subject for about a week now, reading and reading and reading, headache inducing. I get the basic concept of it, but I don't believe my knowledge of it is good enough to start executing it or experimenting with it. More like an infant to this code writing stuff at the moment, I really don't want to run the risk of corrupting my save file beyond repair.

Well, to my point, is there a way to use this code to

1. Warp to Mt. Silver, or possibly walk through walls to get there; I really would like to catch a Larvitar (train/evolve there as well)

2. Change another bag item, held item, or be able to edit PokéMart inventory to get a Scope Lens (not enough games to Mystery Gift it)

3. Get 250+ of Protein, Iron, Calcium, Carbos, PP Up, and HP Up, or any other items that matter, balls, TMs, etc… tired of cloning over and over

4. And eventually start editing Pokémon's IVs and/or attacks


There is a catch though: I haven't received the item Pass yet, haven't even beaten the Elite Four, haven't even gotten the eighth Gym badge, but what I am doing is working on all of the Pokédex before I beat the Elite Four.
Is there a way before I go to Kanto? Everything else I've been reading shows post-E4 and 16 badges. There are a few that show before, but they aren't very clear and don't include the most important codes I would like to perform on my list (#1 & #2).

I've seen speedruns jump to Mt. Silver but they use a flag (I think) to allow Red to be shown or to instantly win that battle or some sort; I don't care about that or don't want to beat Red early. So I can't follow their codes to the T. Plus they rely heavily on luck IV manipulation (I think) which I wouldn't begin to know how to perform from the beginning.
The first two are really more important to me than the last two, at least for now, but I would really appreciate some help from somebody who has more experience with ACE and has done this more than a few times.

I'm playing on 3DS Virtual Console with Pokémon Silver Version. Thanks again.

PS: I have lots of pokecash so buying items isn't a problem, as long as they are available to me at the moment.


What you want is most certainly possible.
For setup (even prior to Elite 4) check out this guide, section III. WRONG POCKET TM ACE EXPLAINED (use Ctrl+F to find it).

To multiply items Ctrl+F for VI.3: INCREASE/DECREASE THE QUANTITY OF AN ITEM CODE (Items, G/S/C)

Morphing to specific items is directly below that VI.4: GET ANY ITEM CODE (Items, G/S/C)

For DV/Attack editing, it's probably easiest to use VI.5: MEMORY EDITOR CODE, A.K.A. GAMESHARK SIMULATOR (Items or Box, G/S/C)
Except for adding/changing a single move; for that, look here (Box Name Code).


Teleporting to Mt. Silver is more difficult, but this Box Name Code for Coin Case should work (untested; I simply removed the party count 0 part of the speedrun code):

Box 1 pppppppp
Box 2 pppppppp XOR A
BOX 3 'v,'véé72'l SUB f4; SUB ea; LD [Box7,terminator], A (22h); POP DE
BOX 4 'vé,2p SUB ef; LD [Box6,terminator], A (33h); XOR A
BOX 5 é2'v9é22 LD [Box6,char4], A (00h); SUB ff; LD [Box7,char4], A (01h)
BOX 6 'v8éé4'v't'l SUB fe; LD [{00}fa], A (03h); SUB d5; POP DE; {INC SP}
BOX 7 'vééé4p'lé SUB ea; LD [{01}fa], A (44h); XOR A; POP DE; LD [{22}fa], A (0h)
BOX 8 4éd2'd LD [a3f8], A (0h); RET NC

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Pablo
Date: 2019-02-14 19:03:34
OK, thanks man, I'll start messing with it.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Link_enfant
Date: 2019-02-28 10:30:54

I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokemon, most Pokemon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if needs be.

Nintendo's going to have a real headache on their hands :)


Awesome job! I've been looking for this kind of code :)

What changes would it require to make it work on a French Silver ROM using Wrong Pocket TM17?

It seems the RAM maps are the same across all versions but I might be wrong.
If that's the case, then would the box names need to be adapted or could they be used as such, which would only require a different setup with the slide Pokémon and Quagsire to work with TM17?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Sherkel
Date: 2019-02-28 13:20:29
I think the difference is with the text character values, not the memory locations. This is a table of which value corresponds to each (which you can compare with the Big List).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Link_enfant
Date: 2019-03-01 05:31:33

I think the difference is with the text character values, not the memory locations. This is a table of which value corresponds to each (which you can compare with the Big List).

You're right! I quickly realized I couldn't even input the code anyway, because of that.

I've tried this other code, also posted by Epsilon, but it doesn't seem to work, at least on VC (it freezes on a white screen right after using TM17):

All wild Pokémon have flawless DVs (French versions):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

I'll probably try to contact him, but I'm not sure which would be easier:

- convert the already working "All wild Pokémon are shiny" code to the French versions
- alter the code above to both make it work and have a way to choose different DV values by replacing some characters (which would then allow forcing shiny Pokémon to appear, which is one of the few things I'd really want to try on French VC)