Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Torchickens
Date: 2015-01-10 11:59:58
Even though arbitrary code execution has been found in English Crystal, I thought I'd document this interesting glitch. It may be possible without cheating if you can pull off walk through walls (from a suitable map distortion?) and instant victory. A bad clone would be required first.

In the Burned Tower, you can find your rival Silver. In Pokémon Gold and Silver, the rival talks to you after you enter but in Pokémon Crystal you have to approach him from the right.

[img]http://i1.minus.com/iGdcX8395O3V.png[/img]

The game glitches out if you use walk through walls to talk to him directly (or approach him from the left in most versions). In most versions, the game may just freeze without executing code from writable memory. In English Crystal, talking to Silver this way executed an invalid opcode at ROM61:607E, freezing the game.

[img]http://i5.minus.com/ik5yG8tRPbDl2.png[/img]
[img]http://i2.minus.com/i6TH1yzrzrxyQ.png[/img]

German Pokémon Crystal is special, because the game let me battle Silver as a Trainer with non-freezing glitch text; who was a male Swimmer called KTE with a level 21 Staryu.

(In French, German, Italian and Spanish Crystal the collision addresses seem to be the same as the English version, so the WTW codes 0100FAC2, 0100FBC2, 0100FCC2, 0100FDC2 will work)


[img]http://i6.minus.com/irj8MSlnemVQN.png[/img][img]http://i2.minus.com/iZVwt70OwFzoy.png[/img]
[img]http://i3.minus.com/ijwzL7DgXhccF.png[/img][img]http://i3.minus.com/iQwAz10U3Jyqh.png[/img]

[img]http://i1.minus.com/iyaL4qTgJ0Sht.png[/img]

After beating KTE, the game executed code from SRAM:B3B3, which may be a writable location.

But this glitch is most promising if you somehow avoid the battle (with all fainted Pokémon from ????? FF or no Pokémon at all).

The game did some stuff and executed code from WRAM:C610, and then later WRAM:DD63 which is the total HP of Pokémon 3. So maybe with specific Pokémon you could execute arbitrary code? I think the game probably messed up the stack though, so we may need a workaround to that and you would have to terminate the script somehow.

[img]http://i1.minus.com/ibe2QR0qq11ZxC.png[/img]
[img]http://i5.minus.com/i89Dh4KaxTAZe.png[/img]

In Spanish Pokémon Crystal, Silver won't walk up to you from the left, but you can still talk to him and this will execute code from SRAM:B2CD.

[img]http://i5.minus.com/igDMxg78UfEQJ.png[/img]

Edit on July 9th 2015: Fixed WTW GameShark codes.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Torchickens
Date: 2015-07-09 13:14:25
*bump*

When I did this with Silver in Japanese Crystal (thanks to the walk through walls codes 01083ED1 01083FD1 010840D1 010841D1), I experienced mainly just Trainer challenge (Juggler?) BGM playing, Electabuzz's cry playing and the GBC incompatibility message appearing.

However, another time the game executed arbitrary code from somewhere in the D5XX or D4XX (I can't quite remember) range. I haven't been able to replicate this yet.

Another time the low HP sound played, the music faded out and 9s were written to the screen (perhaps the game was copying too much data), and I remember the text box getting more text but not being able to scroll through it.

In German Crystal, with assistance of the following code:

013E10C6
012011C6
012112C6
017613C6
015B14C6
01CF15C6
01C916C6

i.e.

ld a,$20      ; ROM bank
ld hl,$5B76   ; address within that bank
rst $08       ; the game's far-call vector: call a:hl
ret

; Execute ROM pointer 20:5B76.

…I could load up the unused Trainer debug menu after talking to glitch Silver with no Pokémon, though the cursors were glitched and I couldn't alter Falkner's sprite.

With this code:

013E10C6
013811C6
012112C6
016313C6
015E14C6
01CF15C6
01C916C6

i.e.

ld a,$38      ; ROM bank
ld hl,$5E63   ; address within that bank
rst $08       ; the game's far-call vector: call a:hl
ret

; Execute ROM pointer 38:5E63.

…I could access the memory game but it didn't boot up properly.

Unfortunately the data at C610 where arbitrary code is executed changes as you step. Hence this is tricky to make viable even with glitch TM/HM arbitrary code.

I tried altering the data at DD63 (Pokémon data) to add my custom code but sadly it wouldn't work for some reason. But the game executed it on BGB. So maybe extra data to bring control back to the game is needed.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Krys3000
Date: 2015-07-10 13:31:01
I haven't seen this thread before, it's very interesting! Congratulations for your work on this.

You guys are very lucky to be able to perform ACE with Coin Case. I hope someday, we'll also find something easy that allows us to get rid of the very painful TM25/33 method ;D

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Torchickens
Date: 2015-07-10 15:04:31

I haven't seen this thread before, it's very interesting! Congratulations for your work on this.

You guys are very lucky to be able to perform ACE with Coin Case. I hope someday, we'll also find something easy that allows us to get rid of the very painful TM25/33 method  ;D


Thanks! Yes.

I agree that it's still painful. You would need a bad clone or link cable to get duplicate key items and TM25 in the wrong pocket in the first place. What we need is a completely new glitch to get it in the items, balls or key items pocket or a new relatively easy to set up arbitrary code execution method altogether I suppose.

Pokémon Crystal's out of bounds Glitch Cities can corrupt your items (I haven't observed this in Gold), but getting there in the first place may be impossible without a bad clone, and as luck would have it TM33 still requires linking. I can't remember finding a better item, but maybe in hindsight there are ones with pointers in an expanded items pack. Also, you would need to escape from the out of bounds Glitch City.

Comparing TM25 with TM33, TM25 (FA6A - Pokemon 2 Defense EV byte 2) in Gold is not as bad as TM33 in Crystal (F418 - Fifth enemy Pokémon character 5). The factor where you have to link up in the current session is eliminated with TM25.

A nice detail with TM/HM arbitrary code execution is that you should be able to end your code with a ret using it.

With the Coin Case glitch you couldn't, and needed to use a workaround (due to a corrupted stack, apparently) after the end of your program, like below (from TheZZAZZGlitch's code), if you wanted to make RAM modifications.

ld l,$F5
ld bc,$0134
ld h,$12
sbc a,(hl)
inc sp
push bc
ld bc,$XXXX   ; XXXX left unspecified in the original
jp hl

; assembled bytes:
2E F5 01 34 01 26 12 9E 33 C5 01 XX XX E9

Conveniently, I think the requirements for TM25 arbitrary code may be shared with French, German, Italian, Spanish versions (where TM25 jumps to DA6A). That is if DA6A is Pokémon 2 Defense EV byte 2 on all of these versions. But it seems likely because one of the addresses close to it (DA76) is Pokémon 2 Pokérus byte in these versions, like in English Gold.

You could use an untrained Pokémon as Pokémon 2 so that data slides through to Pokémon 3 and the same Quagsire holding a HP Up with Sleep Talk as the first move as the Pokémon 3 (instead of the Pokémon 4), because this data spells C3 1A D6 (jump to D61A, PC item slot 2 quantity).

Another means of arbitrary code are through glitch Pokédex modes (mode is determined by D959 in English Crystal). They can be accessed with the key items glitch because D959 is one of the 'ball' addresses beyond slot 12 (the final slot).

Though I think TM arbitrary code execution is better. Glitch Pokédex mode ACE will break your Pokédex's ability to view entries and sadly seem to be more complicated to set up than TM25 (though they do not appear to mess up the stack).

In a route for speedrunning Pokémon Crystal, Pokédex mode 09 (FA20) is used. This is somewhere in the glitched balls pocket inventory, and Burn Heal x195, Dragon Fang x251 were used to jump to $FB90 (box names) because these items with quantities of 0 happened to be in the glitch inventory; so you could deposit 195 and 251 of them into the PC to force them into the PC items slots (accessible with an expanded balls pocket).

I wonder what useful glitch TM/HM pointers may exist in Japanese and Korean Gold?
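The GameShark code lists in the German Crystal post above (01-type codes that each write one byte to WRAM starting at C610) and the Coin Case stack workaround bytes in this post can both be checked mechanically. The following is an added example, not code from the thread or from any of the posters: it decodes type-01 codes into a contiguous byte image and disassembles the small Game Boy opcode subset those snippets use (the OPCODES table is an assumed minimal subset, not a full instruction set).

```python
# Added example (not from the thread): decode GameShark type-01 RAM-write codes
# into a contiguous byte image and disassemble the small Game Boy opcode subset
# the thread's snippets use (OPCODES is an assumed minimal table, not complete).
from typing import Dict, List, Tuple

# opcode -> (mnemonic template, size of the immediate operand in bytes)
OPCODES: Dict[int, Tuple[str, int]] = {
    0x3E: ("ld a,${n}", 1),    0x21: ("ld hl,${nn}", 2),
    0x2E: ("ld l,${n}", 1),    0x26: ("ld h,${n}", 1),
    0x01: ("ld bc,${nn}", 2),  0x9E: ("sbc a,(hl)", 0),
    0x33: ("inc sp", 0),       0xC5: ("push bc", 0),
    0xCF: ("rst $08", 0),      0xC9: ("ret", 0),
    0xE9: ("jp hl", 0),
}

def decode_gameshark(codes: List[str]) -> Dict[int, int]:
    """'01' + value + address low byte + address high byte: 013E10C6 writes $3E to $C610."""
    writes: Dict[int, int] = {}
    for code in codes:
        if len(code) != 8 or not code.startswith("01"):
            raise ValueError(f"unsupported code {code!r}")
        addr = int(code[6:8] + code[4:6], 16)  # little-endian address
        writes[addr] = int(code[2:4], 16)
    return writes

def image(writes: Dict[int, int]) -> Tuple[int, bytes]:
    """Return (base address, bytes); refuse a payload with gaps in it."""
    addrs = sorted(writes)
    if addrs != list(range(addrs[0], addrs[0] + len(addrs))):
        raise ValueError("writes are not contiguous")
    return addrs[0], bytes(writes[a] for a in addrs)

def disassemble(code: bytes) -> List[str]:
    """Linear sweep; 16-bit immediates are little-endian on the Game Boy."""
    out, i = [], 0
    while i < len(code):
        text, size = OPCODES[code[i]]  # KeyError: opcode outside the subset
        if size == 1:
            text = text.format(n=f"{code[i + 1]:02X}")
        elif size == 2:
            text = text.format(nn=f"{code[i + 2]:02X}{code[i + 1]:02X}")
        out.append(text)
        i += 1 + size
    return out

# Constructed from the first German Crystal code list quoted in the thread.
DEBUG_MENU_CODES = ["013E10C6", "012011C6", "012112C6", "017613C6",
                    "015B14C6", "01CF15C6", "01C916C6"]
```

Running `disassemble(image(decode_gameshark(DEBUG_MENU_CODES))[1])` reproduces the four-instruction listing the post gives for those codes, and feeding it the Coin Case byte string (with XX filled in) reproduces the workaround listing.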

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Krys3000
Date: 2015-07-12 04:58:39
Pokémon Crystal's out of bounds Glitch Cities can corrupt your items (I haven't observed this in Gold), but getting there in the first place may be impossible without a bad clone, and luck would have it TM33 still requires linking. I can't remember finding a better item, but maybe on hindsight there are ones with pointers in an expanded items pack. Also, you would need to escape from the out of bounds Glitch City.


I have not been Bad Cloning for a while, how exactly do you access Glitch City with a Bad Clone? I was under the impression you could get "?????"-induced Glitch Cities only by fighting them, which the Bad Clone Trick doesn't allow.

You could use an untrained Pokémon as Pokémon 2 so that data slides through to Pokémon 3 and the same Quagsire holding a HP Up with Sleep Talk as the first move as the Pokémon 3 (instead of the Pokémon 4), because this data spells C3 1A D6 (jump to D61A, PC item slot 2 quantity)


Yep, I haven't thought about this!

Another means of arbitrary code are through glitch Pokédex modes (mode is determined by D959 in English Crystal). They can be accessed with the key items glitch because D959 is one of the 'ball' addresses beyond slot 12 (the final slot).

Though I think TM arbitrary code execution is better. Glitch Pokédex mode ACE will break your Pokédex's ability to view entries and sadly seem to be more complicated to set up than TM25 (though they do not appear to mess up the stack).

In a route for speedrunning Pokémon Crystal, Pokédex mode 09 (FA20) is used. This is somewhere in the glitched balls pocket inventory, and Burn Heal x195, Dragon Fang x251 were used to jump to $FB90 (box names) because these items with quantities of 0 happened to be in the glitch inventory; so you could deposit 195 and 251 of them into the PC to force them into the PC items slots (accessible with an expanded balls pocket).


I will look more into this, to find out what's more painful :XD: thanks for the method!

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: MidnightNinetales
Date: 2015-07-12 17:21:14

I agree that it's still painful. You would need a bad clone or link cable to get duplicate key items and TM25 in the wrong pocket in the first place.

Are bad clones that hard to get in Crystal? I had plenty of bad clones on my previous save file. It's been a while, but I don't recall having too much trouble.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Torchickens
Date: 2015-07-12 17:39:51
Did you use Pokémon Stadium 2? Without Pokémon Stadium 2, it seems to be a pain for me in Crystal (it is somewhere between 2.3-2.4 seconds after "SAVING…DO NOT TURN OFF THE POWER." is printed if you deposited 5 Pokémon, according to luckytyphlosion).

Mind you, I just tried on Japanese Crystal (because I have something planned for this and it's coming to fruition) without Stadium 2 and succeeded. It didn't take me that many attempts, so maybe it's not that bad or I've just been particularly lucky.


I have not been Bad Cloning for a while, how exactly do you access Glitch City with a Bad Clone? I was under the impression you could get "?????"-induced Glitch Cities only by fighting them, which the Bad Clone Trick doesn't allow.


I have never actually got to an OoB Glitch City with the bad clone glitch now that you say, I'm sorry. ;_;

Some glitch Unown in Pokémon Gold and Silver corrupt the map (I'm not sure about Pokémon Crystal), meaning that there may be potential to move off it and access an out of bounds Glitch City.

You can register a glitch Unown by having a Pokémon 5 with the Defense stat modulo 256 of the Unown you want. Then put ????? (00) at the top of the party and obtain 11 Pokémon with Move w/o Mail and your Pokédex and glitch Unown will become corrupted, with the first one depending on Pokémon 5's Defense stat.

With a number of party Pokémon based map distortion you can use Move w/o Mail to glitch 27 Pokémon in the party and corrupt the map by opening the party menu. However, I sadly haven't attempted this before, and it's for Pokémon Gold/Silver, where I haven't seen any OoB Glitch Cities that corrupt your items.


I will look more into this, to find out what's more painful :XD: thanks for the method!


You're welcome.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: MidnightNinetales
Date: 2015-07-12 17:55:22
No, just Crystal. It took a bunch of tries, but each try doesn't take that long. And I'm pretty sure it was less than 2.3 - 2.4 seconds after for me. Is it normal for it to vary a bit?

Anyway, I started a new save file after accidentally corrupting my old one, and I haven't managed to get a single bad clone since then. I'm still pretty early in the game though, and have a very small variety of Pokémon to use. The most that's happened is a clone of my Cyndaquil gained the nickname and moveset of a Stantler.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Torchickens
Date: 2015-07-12 18:06:17

No, just Crystal. It took a bunch of tries, but each try doesn't take that long. And I'm pretty sure it was less than 2.3 - 2.4 seconds after for me. Is it normal for it to vary a bit?


Maybe so, based on this.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: MidnightNinetales
Date: 2015-07-12 18:22:15
If you want, I can work on getting further in the game and then try to get some bad clones. If it works, I can try to help out. I only have English Crystal, though. And English Yellow, if I need to link to a Gen I game.

Edit: I managed to get some bad clones. I'll make a post about it in the G/S/C glitch discussion sticky, since it probably doesn't really belong here.

Re: Burned Tower Silver executing arbitrary code in German and Spanish Crystal.

Posted by: Krys3000
Date: 2015-07-13 04:13:08
Thanks for all the indications Torchickens, I will work on all this and tell you what comes out.

About Bad Clones, by the time I was doing this glitch often, I remember it was pretty easy to do but not all bad clones were OK for the glitch. With some practice, it's probably not that long to have one in Crystal. In Gold and Silver however, it's very hard.