Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 7

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-18 13:52:08

7 Exeggcutes sounds like a pain. Isn't it pure headbutt-encounter?
4 Slowpoke and 2 Shuckle sounds doable, but requires Surf to get Slowpoke with >15% probability. Since it's not too far after Coin Case (story wise) I don't think it's a problem.


To be honest the whole process sounds like a pain.

I don't know if it's just me, but every Pokemon I have hatched from an egg has worked as a slide Pokemon, and I find the Togepi you get especially useful as you can get it before you get to Goldenrod. So personally, I don't see the need for this long process to get the ultimate slide Pokemon. My egg-hatched slide Pokemon work perfectly after many, many uses of the Coin Case.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-18 14:07:02
Because it's consistent and eliminates at least one source of error.

Obviously, this is nothing for a speedrun and if you prefer to roll the dice the option is still there.
This one is more for us fellows with large streaks of bad (RNG) luck. Like, I prefer doing such a tedious (but guaranteed) process compared to catching a bunch of mons without even the guarantee for it to succeed.
Ultimately it probably comes down to personal preference which is perfectly fine with me.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-18 14:13:25

So I can simply use whichever I like and achieve the same thing? (don't want to dive too deep into gameboy specifics)
Sounds really useful since da has no valid character whereas fa is easily usable with 4.

Thanks for the reply.


No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-18 14:43:32
No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.


Nice, thanks.  :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-10-18 16:46:48
Does it matter what level the freshly caught Pokemon is that you defeat the Magikarp, Geodude and Sunkern with, and give the Iron to?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-10-18 17:44:22

No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.


Nice, thanks.  :)

Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in the range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.
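As an added example (not from this thread or from any of its posters), here is a small Python model of the WRAM / Echo RAM mirroring ISSOtm describes: the echo address is the WRAM address plus 0x2000, and the last $200 bytes of WRAM have no alias because their would-be mirror falls on OAM, I/O and HRAM. The `Memory` class is a constructed toy address space, not an emulator.

```python
# Added example: model of the Game Boy's WRAM <-> Echo RAM mirroring.
# Ranges are the ones ISSOtm's post gives; everything else is a toy.

WRAM_START, WRAM_END = 0xC000, 0xDFFF   # working RAM
ECHO_START, ECHO_END = 0xE000, 0xFDFF   # echo (mirror) region
ECHO_OFFSET = 0x2000                    # echo address = WRAM address + 0x2000


def echo_of(addr: int):
    """Echo RAM alias of a WRAM address, or None if it has none.

    $DE00-$DFFF would mirror to $FE00-$FFFF, but that range is OAM, I/O
    registers and HRAM, so those bytes are only reachable at their real address.
    """
    if not WRAM_START <= addr <= WRAM_END:
        raise ValueError(f"${addr:04X} is not in WRAM")
    alias = addr + ECHO_OFFSET
    return alias if alias <= ECHO_END else None


def wram_of(addr: int) -> int:
    """Real WRAM address behind an Echo RAM address."""
    if not ECHO_START <= addr <= ECHO_END:
        raise ValueError(f"${addr:04X} is not in Echo RAM")
    return addr - ECHO_OFFSET


def canonical(addr: int) -> int:
    """Collapse an echo address onto its WRAM cell; leave other addresses alone."""
    return wram_of(addr) if ECHO_START <= addr <= ECHO_END else addr


def unreachable_via_echo():
    """Inclusive (lo, hi) range of WRAM addresses that have no echo alias."""
    lo = next(a for a in range(WRAM_START, WRAM_END + 1) if echo_of(a) is None)
    return lo, WRAM_END


class Memory:
    """Toy address space (constructed): echo-region accesses land on WRAM."""

    def __init__(self):
        self.cells = {}

    def write(self, addr: int, value: int) -> None:
        self.cells[canonical(addr)] = value & 0xFF

    def read(self, addr: int) -> int:
        return self.cells.get(canonical(addr), 0)


def demo() -> int:
    """Write through the echo address, read back through the real one."""
    mem = Memory()
    mem.write(0xFAB0, 0x42)   # the FAB0 / DAB0 pair from the post
    return mem.read(0xDAB0)


if __name__ == "__main__":
    print(f"echo of $DAB0 = ${echo_of(0xDAB0):04X}")
    print("no echo alias for $%04X-$%04X" % unreachable_via_echo())
    print(f"read back via $DAB0: ${demo():02X}")
```

The `canonical` step is the whole point: any model (or emulator) that skips it behaves like the VBA ISSOtm mentions, where a write to $FAB0 would not show up at $DAB0 and an echo-based code silently does nothing.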

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-18 18:14:30

Does it matter what level the freshly caught Pokemon is that you defeat the Magikarp, Geodude and Sunkern with, and give the Iron to?


No, just that its stat-Exp is at 0 before the fights (i.e. it didn't win a fight before).
I would advise a level of ~15 or higher so it can solo the fights (don't know how stat-Exp behaves if you use switch tactics), but ultimately it doesn't matter. You only need to make sure that it doesn't have Pokérus, since it doubles acquired stat-Exp and messes up calculations.
For reference I used a lvl 13 Miltank.
The mentioned Pokémon are quite weak, so anything in that powerlevel should have no problems defeating them.


Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in the range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.


Yay, tl;dr. Love those.  ;D
Also nice hardware quirk. As if it was designed with box name ACE in mind.  ::)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-19 07:30:43

VBA sucks.


I second that.

<rant>

I used to use VBA for glitch research, and it was a nightmare. Tons of glitches were unavailable or weren't working properly, including Dokokashira door, Coin Case, Glitch Dimension, and many others, not to mention the debugger was garbage (you couldn't write anything in the debugger; you had to write code from the hex editor).

If your "emulator" cannot accurately emulate the target hardware, then your software should not be considered a true emulator.

</rant>

I realize that in posting this I may have derailed the topic, so here's a code just to be safe:

Masterball in ball slot 2:
Box 1: Ap'v9é9't5
Box 2: p'd555555

This for use with TM25 in the ball slot, not the coin case. Tested and confirmed to work.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-10-19 13:15:13
Hey, I just did a Coin Case glitch for shiny Pokemon that I got from YouTube, with the item list:

Any x1
Any x62
TM 42 x1
Any x1
X Accuracy x63
TM 27 x1
Any x1
Leaf Stone x1
Any x1
Poke Ball x62
Sun Stone x1
Any x1
TM 07 x1
Focus Band x1
HM 03
Full Heal x18
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1
X Defend x1
Flower Mail x51
TM 06 x1
Any x1
TM 41 x1

When I did it, it turned my female Pokemon male, which means the Attack DV was high. How can I modify the item list so the Attack DV is 2, which makes most Pokemon in Gold female but is still shiny?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-19 13:58:54

Hey, I just did a Coin Case glitch for shiny Pokemon that I got from YouTube, with the item list:

Any x1
Any x62
TM 42 x1
Any x1
X Accuracy x63
TM 27 x1
Any x1
Leaf Stone x1
Any x1
Poke Ball x62
Sun Stone x1
Any x1
TM 07 x1
Focus Band x1
HM 03
Full Heal x18
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1
X Defend x1
Flower Mail x51
TM 06 x1
Any x1
TM 41 x1

When I did it, it turned my female Pokemon male, which means the Attack DV was high. How can I modify the item list so the Attack DV is 2, which makes most Pokemon in Gold female but is still shiny?


Just change TM42 into Super Repel

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-10-19 15:26:08
Thanks. That did it.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: hobgoblinpie
Date: 2017-10-19 17:52:02
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange: changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1, without modifying the item itself, be possible?

Appreciate all the work you guys do, it's really impressive.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-19 19:21:43

How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange: changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1, without modifying the item itself, be possible?

Appreciate all the work you guys do, it's really impressive.


Regarding question 1:
Box 1: A09é(female symbol)455
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84p'd555

This is a slightly modified version of Torchicken's code.

Also, this doesn't work with the coin case, only TM25 in the balls pocket

Regarding question 2: Can you please post the entire box code? Box 2 loads register a into $f6af, but register a was defined in box 1.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-20 08:04:35
Finished a code to create a Celebi with its usual egg moves (Leech Seed, Recover, Confusion, Heal Bell).
Just to make it easier to get a legal moveset once Pokémon Bank finally comes to Gold/Silver VC.

First you need to run FMK's one-off code (if you haven't done so already). (No longer required)



Afterwards, use the following code twice, which on the second run will change your first Pokémon into Celebi with the moves Leech Seed, Recover, Confusion & Heal Bell.


Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): éZ'v'vé'm2 (LD [99f1], A; SUB d6; LD [d2f8], A | A->2a)
Box14($D934 to $D93c): .9'l'l'l'lx'd (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)

You still need to give it to the day care/hatch the egg to get a "proper" Celebi.
Edit: changed to reduce menu lag on execution and remove the requirement for the one-off code.

Note:
Due to space requirements I changed the name of Box 13. You have to change it back to the one-off code name when using a different code.
Also: don't touch the name of Box 14!



Edit:
If you use TM25 (or TM17, I'm not discriminating) from the balls pocket use the following code instead:

Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): 'v'vé'm25x'd (SUB d6; LD [d2f8], A; OR A; RET NC | A->2a)

Box14 can be left blank/doesn't matter.
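As an added example (not part of spamviech's post, and not any tool the thread uses), here is a Python simulation of the accumulator idiom the listing's comments annotate: each box clears A with XOR A and then reaches the wanted byte with OR n / SUB n, because the immediate bytes have to be characters the box-name editor can enter. The `BOXES` table copies the annotated sequences for boxes 1, 4, 6 and 7 from the listing; `SAMPLE_IMMEDIATES` is a constructed sample made of the immediates that appear in the listing, not the real box-name character set (which the thread does not give), and `find_sequence` goes beyond the post by searching for the shortest chain that produces any target byte from such a set.

```python
# Added example: 8-bit accumulator simulation for the XOR A / OR n / SUB n idiom.
from itertools import product

# Constructed sample: immediate bytes that occur in the Celebi listing above.
# The actual set of bytes a box name can contain is NOT on the page.
SAMPLE_IMMEDIATES = (0xA1, 0x80, 0xD0, 0x87, 0xF3, 0x84, 0xA3, 0x97, 0xB4, 0xAC, 0xD6)


def execute(ops, a: int = 0) -> int:
    """Run ("xor_a",) / ("or", n) / ("sub", n) tuples on an 8-bit accumulator."""
    for op in ops:
        name = op[0]
        if name == "xor_a":
            a = 0                       # XOR A: A ^ A is always 0
        elif name == "or":
            a = (a | op[1]) & 0xFF      # OR n
        elif name == "sub":
            a = (a - op[1]) & 0xFF      # SUB n with 8-bit wraparound (0 - A3 = 5D)
        else:
            raise ValueError(f"unsupported op {name!r}")
    return a


# Sequences as annotated in the listing (boxes 1, 4, 6 and 7).
BOXES = {
    1: [("xor_a",), ("or", 0xA1), ("sub", 0x80)],
    4: [("xor_a",), ("or", 0xD0), ("sub", 0x87)],
    6: [("xor_a",), ("sub", 0xA3)],
    7: [("xor_a",), ("or", 0x97), ("or", 0xD0), ("sub", 0xB4)],
}


def box_results() -> dict:
    """Value left in A after each annotated box."""
    return {n: execute(ops) for n, ops in BOXES.items()}


def find_sequence(target: int, allowed=SAMPLE_IMMEDIATES, max_len: int = 3):
    """Shortest XOR A-prefixed OR/SUB chain leaving `target` in A, using only
    the given immediates; None if no chain of at most max_len steps exists."""
    for length in range(0, max_len + 1):
        for names in product(("or", "sub"), repeat=length):
            for imms in product(allowed, repeat=length):
                ops = [("xor_a",)] + list(zip(names, imms))
                if execute(ops) == target:
                    return ops
    return None


if __name__ == "__main__":
    for box, value in box_results().items():
        print(f"Box {box}: A -> {value:02x}")
    print("to reach 21:", find_sequence(0x21))
```

Running a listing through `execute` before typing it into box names is the cheapest check available: a wrong immediate shows up as a wrong accumulator value here rather than as a corrupted Pokemon in the game.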

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-20 08:22:37
That's good stuff, I found this video helpful for getting Celebi's egg moves though:

https://www.youtube.com/watch?v=KdpbBYio-T0