Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 25

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: greentyphlosion
Date: 2019-12-25 18:18:03
I haven't read through the whole thread so please forgive me if this has been covered already, but is it possible, using ACE, to change a Pokemon's location data? I got wondering recently after noticing that there is a special text entry for Pokemon obtained from events when speaking with the PokeSeer in Cianwood City ("What!? Incredible! I don't understand how, but it is incredible! You are special. I can't tell where you met it, but it was at [level].") which is completely inaccessible in the Virtual Console versions due to there not being any event Pokemon; it would be nifty if this could be unlocked. The only other way I can think of is transplanting cartridge save data to the 3DS (I've seen it done before) and taking a Pokemon obtained from Stadium or a real-world event.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 07:23:13

> From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.
>
> 't ($d5) - ($80) = $55, which should return Red Apricorns.
>
> Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.
>
> If you would like, I can alter the code to produce PP Ups.
>
> Edit: Change box 2 to p0'v'vYé7't
>
> Hope this helps!

I'm very new to this. Any chance you could help me with the code for Twisted Spoon? Would be much appreciated! Thanks

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 08:06:54


> > From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.
> >
> > 't ($d5) - ($80) = $55, which should return Red Apricorns.
> >
> > Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.
> >
> > If you would like, I can alter the code to produce PP Ups.
> >
> > Edit: Change box 2 to p0'v'vYé7't
> >
> > Hope this helps!
>
> I'm very new to this. Any chance you could help me with the code for Twisted Spoon? Would be much appreciated! Thanks




[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555    (LD [80f9], A)
Box 4+: 55555555    (Safe filler code)
Box 13: 5555péD9    (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)


Let's modify this to change Pokémon 3's held item:

Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555  (XOR A; OR b1)
Box 2: é455555  (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.

^ This becomes;


(Bold means change)

> Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> Box 2: 'vGéG4555              ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> Box 3-12: 55555555
; As usual Box 13/14 remain the same


We also can refer to http://pastebin.com/raw/arPmsvYu by Sanqui

This code will change the held item of Pokémon 3 (the same as doing the GameShark code 01xx8CDA once). This should let you get TwistedSpoon. Hope this helps. Feel free to ask if you have any questions. :)

(edit: I messed up something fixed post now.)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 08:32:25
Thank you so much for helping out. Pardon my ignorance but how do you input Apostrophe into the box name? It doesn't show up as a character. I'm on Pokemon Gold on the Gameboy and using the coin case.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 08:42:30

> Thank you so much for helping out. Pardon my ignorance but how do you input Apostrophe into the box name? It doesn't show up as a character. I'm on Pokemon Gold on the Gameboy and using the coin case.

You're welcome. I'm sorry I overlooked this too.  :-[ Changed it again this might help

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 08:55:04
> Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> Box 2: 'vGéG4555              ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> Box 3-12: 55555555
> ; As usual Box 13/14 remain the same

My game restarts with a different colour. My 3rd 'slide' Pokemon now knows solarbeam as its first move, not sure if that's the result ? hah

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 09:43:02

> > Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> > Box 2: 'vGéG4555              ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> > Box 3-12: 55555555
> > ; As usual Box 13/14 remain the same
>
> My game restarts with a different colour. My 3rd 'slide' Pokemon now knows solarbeam as its first move, not sure if that's the result ? hah


Oh nooo Evie you idiot!! -_- (note to self before writing codes always test them) OK can you try this in box 1 and 2 please?

Ap0?5555 (? is the character not something to change and 0 is zero)
'vGéL4555
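
The two Twisted Spoon postings above, decoded as an added example that is not part of the original thread: it maps box-name characters to bytes using the Gen II English character values (only the characters used here), disassembles the few opcodes involved, and reports the value in A and the address each `LD [nn],A` stores to. The terminator bytes between box names are not modelled (assumption), and the function names are illustrative.

```python
# Added example: decode Coin Case box names into Game Boy (SM83) instructions.
# Character values are the Gen II English character set; only characters
# used in this thread are mapped (assumption: the table is not exhaustive).
CHARMAP = {chr(ord("A") + i): 0x80 + i for i in range(26)}
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})
CHARMAP.update({"?": 0xE6, "é": 0xEA})
CHARMAP.update({"'" + c: 0xD0 + i for i, c in enumerate("dlmrstv")})

def encode(name):
    """Box name -> bytes; apostrophe plus letter is one in-game character."""
    out, i = [], 0
    while i < len(name):
        tok = name[i:i + 2] if name[i] == "'" else name[i]
        out.append(CHARMAP[tok])
        i += len(tok)
    return bytes(out)

def run(names):
    """Disassemble the opcode subset used here; return (listing, writes)."""
    code = b"".join(encode(n) for n in names)  # name terminators not modelled
    a, writes, listing, pc = None, [], [], 0   # a is None while unknown
    while pc < len(code):
        op, arg = code[pc], code[pc + 1:pc + 3]
        if op == 0x80:                         # B is unknown, so A becomes unknown
            a, text, size = None, "ADD A,B", 1
        elif op == 0xAF:
            a, text, size = 0, "XOR A", 1
        elif op == 0xFB:
            text, size = "EI", 1
        elif op == 0xF6:
            a = None if a is None else a | arg[0]
            text, size = f"OR ${arg[0]:02X}", 2
        elif op == 0xD6:
            a = None if a is None else (a - arg[0]) & 0xFF
            text, size = f"SUB ${arg[0]:02X}", 2
        elif op == 0xEA:                       # 16-bit operand is little-endian
            addr = arg[0] | arg[1] << 8
            writes.append((addr, a))
            text, size = f"LD [${addr:04X}],A", 3
        else:
            raise ValueError(f"opcode ${op:02X} is outside this subset")
        listing.append(text)
        pc += size
    return listing, writes

if __name__ == "__main__":
    for boxes in (["Ap0?5555", "'vGéG4555"], ["Ap0?5555", "'vGéL4555"]):
        listing, writes = run(boxes)
        print(boxes, "; ".join(listing), [(hex(ad), hex(v)) for ad, v in writes])
```

Both postings leave $60 in A; they differ only in the low byte of the store address ($FA86 versus $FA8B).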

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 10:12:06
> Oh nooo Evie you idiot!! -_- (note to self before writing codes always test them) OK can you try this in box 1 and 2 please?
>
> Ap0?5555 (? is the character not something to change and 0 is zero)
> 'vGéL4555


The one off code works fine, however when I change the box names to the ones you gave me the game freezes or restarts in a new colour.
FYI: I've got 5 Pokes in my party
Pokemon 3 is a slide HootHoot and is carrying Max Repel as the change item

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 10:33:22
Sorry to hear that it still didn't work. I see. Sometimes, in addition to doing the movement pattern and listening to Bellsprout/Machop's cry, you need to switch bag pockets before using the Coin Case. The issue might be if you open the bag on that pocket without switching pockets it won't work, resulting in the colours reset (called a Glitch Dimension). Another issue might be if boxes 3-12 were changed after using the one-off code, and when the one-off code works, you can save and reset to secure that future codes work because you have to execute it again otherwise. Additionally re: getting Solarbeam, are you using the same slide Pokémon as when you got it?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 10:53:09
I have used the coin case exploit for a while now and I am familiar with the bag pocket switching and usual bugs.

"Another issue might be if boxes 3-12 were changed after using the one-off code" - regarding this, the one off code has Box 3 set as éA355555, so you would have to change it to 55555555 in order to make it work right? As the code only requires the name change of boxes 1 and 2.

So I am a little confused as to what the underlying issue may be.

The slide pokemon works for the One off code so surely it would work for the next code? I'll try with a new slide and update this.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 11:21:10
Sorry, yes change it to 55555555. Yeah if the slide Pokémon works it should work again. I got it to happen on a video hope this might clear some things up. :) Otherwise I don't know sorry. :( https://www.youtube.com/watch?v=x-uM9PJUDwc&feature=youtu.be

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: dsteel23
Date: 2020-03-09 11:36:43
It worked! It had to do with the fact that you were turning off menu account in settings? I had no idea that was a thing to do. Thank you so much for the video. You are a legend.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 11:46:50

> It worked! It had to do with the fact that you were turning off menu account in settings? I had no idea that was a thing to do. Thank you so much for the video. You are a legend.


Yay! You're welcome. ^^ Glad it worked and sorry for me taking such a long time. You can do it with menu account on too, but the menu will lag even more, repeating the menu descriptions letter by letter on loop. So still unsure, but I get freezes like you if I don't change box 3 to 55555555

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Unused Trainer
Date: 2020-03-09 14:23:12
How many ACE modes do Pokémon Gold and Silver have?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2020-03-09 16:04:13

> How many ACE modes do Pokémon Gold and Silver have?


Umm, for Gold/Silver we have the following ACE methods;

1. Coin Case
2. Wrong pocket TMs
3. Move 0x00's type 0xD0 arbitrary code execution

ACE within ACE: FF80 ACE

Crystal has a few more:

1. 0x15 control character ACE
2. Burned Tower Silver wrong side glitches

Edit: Ah, also remote code execution :) https://www.youtube.com/watch?v=e8CO_e_rKd8 and https://www.youtube.com/watch?v=exbS3yO45k0

Edit 2:

Stack smash ACE
Glitch Pokédex mode ACE
CartSwap ACE

https://forums.glitchcity.info/index.php?topic=8126.msg207521#msg207521

Hope this helps :)