Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Torchickens
Date: 2017-10-08 11:53:53
I created these for the "Quagsire holding TM02 with Return as its first move" setup for arbitrary code execution in English Gold/Silver. :) Let me know if you have any difficulties with them and I'll try to help.

Change Pokémon 1 codes:

Pokérus:

Ap0'd'vK55
é'm2p0955
éA455555
55555555
5555555p
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Shiny:

Ap0'd'vR55
é'm2pp045
éA4p0'd'vQ
é?2p0k55
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Max DVs:

Ap0'd'vR55
é'm2p0955
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dark max Hidden Power:
Atk Def 15 15

Ap0'd'vR55
é'm2pp095
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Dragon max Hidden Power:
Atk Def 15 14

Ap0'd'vR55
é'm2pp085
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ice max Hidden Power:
Atk Def 15 13

Ap0'd'vR55
é'm2pp075
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Psychic max Hidden Power:
Atk Def 15 12

Ap0'd'vR55
é'm2pp065
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Electric max Hidden Power:
Atk Def 14 15

Ap0'd'vR55
é'm2pp0(male)5
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Grass max Hidden Power:
Atk Def 14 14

Ap0'd'vR55
é'm2p0é'v6
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Water max Hidden Power:
Atk Def 14 13

Ap0'd'vR55
é'm2p0é'v7
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fire max Hidden Power:
Atk Def 14 12

Ap0'd'vR55
é'm2p0é'v8
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Steel max Hidden Power:
Atk Def 13 15

Ap0'd'vR55
é'm2p0'v'v1
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Ghost max Hidden Power:
Atk Def 13 14

Ap0'd'vR55
é'm2p0'v'v2
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Bug max Hidden Power:
Atk Def 13 13

Ap0'd'vR55
é'm2p0'v'v3
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Rock max Hidden Power:
Atk Def 13 12

Ap0'd'vR55
é'm2p0'v'v4
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Ground max Hidden Power:
Atk Def 12 15

Ap0'd'vR55
é'm2p0z'vé
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Poison max Hidden Power:
Atk Def 12 14

Ap0'd'vR55
é'm2p0u'v?
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555


Flying max Hidden Power:
Atk Def 12 13

Ap0'd'vR55
é'm2p0u'v!
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Fighting max Hidden Power:
Atk Def 12 12

Ap0'd'vR55
é'm2p0u'v.
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555

Change Pokémon 5 codes:

First use:

[REQUIRED code by FMK] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555    (LD [80f9], A)
Box 4+: 55555555    (Safe filler code)
Box 13: 5555péD9    (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Next you can use:

Max out stat experience, give experience for Level 100 after battle:

The old code had an error.

I made a new code that will modify Pokémon 5's experience.


Box 1: Ap0x'v955  (multiply small x from the uppercase field only)
Box 2: e'm2p0955
Box 3: éA455555
Box 4-Box 12 (or possibly just box up to all of box 6 in your case): 55555555

Spamviech has also offered an alternative solution.

[quote]
Just tried this code (well, a variant for usage with wrong pocket TM execution) and the experience is not granted.
The reason is probably that the . character is not 0xf2, but instead 0xe8 (a different dot character that only looks the same). Therefore, instead of maximizing Exp gained we are corrupting the SpDef stat of Pokémon 4 (harmless; can be fixed by depositing and re-withdrawing).

Adjusted version that should work; TM variant:

Box 1: Ap0(mult)'v955
Box 2: é3209é14
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84é0455
Box 7: é4éé4x'd

Coin Case Variant (untested):

Box 1: Ap0(mult)'v955
Box 2: é3209é14
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é74'l'l
Box 6: é84é04'l'l
Box 7: é4éé455
Box 8: péZ(mult)x'd
[/quote]

All TMs/HMs:

Requires above one-off code:

Box 1: Ap'vCé225
Box 2: 'vj'vué125
Box 3: 'v.é52p'v9
Box 4: é42pé625
Box 5: 'vué82'v 5 (there is a space after the 'v and before the 5)
Box 6: é72'v:é92
Box 7: 095555
Box 8-12: 55555555
Box 13, 14: Same as before, don't change them.

February 6, 2019: Updated all TMs/HMs code to give quantities of 255.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Krys3000
Date: 2017-10-08 12:06:26
Hey Torchickens, nice codes!

I was wondering: technically, if we use TM25/17 to execute code from box names in European games, these codes would work exactly the same way, right?

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Torchickens
Date: 2017-10-08 12:26:47
[quote]
Hey Torchickens, nice codes!

I was wondering: technically, if we use TM25/17 to execute code from box names in European games, these codes would work exactly the same way, right?
[/quote]

Thanks Krys! :)

I'm unsure; however, most of them should work if the jump is to PC box name 1 character 2, as the addresses are unchanged between the different language versions, and if all the characters can be input regardless of version. I tested D5B7 (the number of items address), for instance, and it was unchanged in the French version.

However, even if all the addresses are the same, the all TMs/HMs code may not work. This is because a call to ByteFill (314C) is involved, which may be at a different pointer in other languages (including at least French).

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Nostalgia
Date: 2017-10-08 13:35:16
Very useful post, as I was interested in the hidden powers. Great job.

Though I was having some trouble with my last code (in the PM I sent you) and I wasn't sure if it was the slide Pokémon or the Quagsire. Can it ever be an issue with the Quagsire, or does the code only check that the Quagsire is holding TM02 and has Return as the first move, and no other factors of the Quagsire matter? And the amount of Pokémon in a box doesn't change anything?

Just have no idea why it didn't work as it seemed I had tried everything.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Torchickens
Date: 2017-10-08 13:52:23
[quote]
Very useful post, as I was interested in the hidden powers. Great job.

Though I was having some trouble with my last code (in the PM I sent you) and I wasn't sure if it was the slide Pokémon or the Quagsire. Can it ever be an issue with the Quagsire, or does the code only check that the Quagsire is holding TM02 and has Return as the first move, and no other factors of the Quagsire matter? And the amount of Pokémon in a box doesn't change anything?

Just have no idea why it didn't work as it seemed I had tried everything.
[/quote]

Thanks Nostalgia. :)

That's right. Other than the slide Pokémon, the game will only read the species, held item and move 1 of the Quagsire, which in this case is a jump to the box names, so it's likely something went wrong with your slide Pokémon. The number of Pokémon in a box doesn't matter either. It may help, therefore, to just catch a new one if the box names are fine.

Sorry for the late response.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Krys3000
Date: 2017-10-08 14:31:49
As far as I know, addresses are the same in English and other European games, but you're right, the differences in characters could be a problem that would require some adaptation.

That being said, the easiest way to jump to box names using TM25 is through box 9, so I'm guessing using the code starting from this box should do the trick. I have no clue about the call issue in French games; maybe ISSOtm can answer that because he's more into game functions than I am.

EDIT: According to ISSOtm, pointers are indeed very different in other languages (315E in French, 313F in Italian, 313E in Spanish, 3179 in German). So, that means these codes have to be remade for each European game?

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Nostalgia
Date: 2017-10-13 13:05:06
Torchickens, do you know how to teach the moves Ice Beam, Flamethrower and Thunderbolt via Coin Case? Felt appropriate to ask in the "competitive" thread, and sadly these moves are not available in Gold/Silver; only Crystal version got them through the move tutor. So for someone who has Gold/Silver but can't trade, Coin Case would be the only way to obtain them. And it's silly how few Pokémon actually learn them through level up, especially Thunderbolt, which I think Pikachu is the only Electric type in the whole game to learn through level-up.

[quote]
Max DVs:

Ap0'd'vR55
é'm2p0955
éA4p0'd'vQ
é?2p0955
55éA4ppp
'v7'v'dé42p
éD9'l'lA'lx
'd5555555
[/quote]

So I had a chance to test this. It changed the DVs of my Houndour, but it did not max the DVs.

My Houndour level 5 stats after using your code:

20 HP
11 Attack
9 Defense
13 Special Attack
10 Special Defense
12 Speed

But a max DV level 5 Houndour would be:

21 HP
12 Attack
9 Defense
14 Special Attack
11 Special Defense
13 Speed

So the code changed some DVs; I know that because it changed it from a female Houndour to a male, but it did not max them.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: JalapenosTurtle
Date: 2017-10-17 08:30:46
I'm running into some trouble with the max stat experience/max experience script:

[quote]
Max out stat experience, give experience for Level 100 after battle:

Box 1: Ap09é45
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84é.455
Box 7+: 55555555
Box 13: Unchanged from before
Box 14: Unchanged from before
[/quote]

I didn't use the required code, but I am running the modified Quagsire setup where you no longer need a slide Pokémon or Coin Case (opting instead to use TM25 from the ball pocket). My box 7 is "x'd" to terminate the script. When I used TM25 it modified my fifth Pokémon. This wasn't immediately apparent, but the stats of my fifth Pokémon changed when I deposited and withdrew the Pokémon. This makes sense, as the actual stats and the IVs are separate components of the Pokémon data structure. I did not see any change in the experience my Pokémon had, however. Fighting a wild Pokémon did not cause me to automatically level to 100. I'm attempting to figure out what went wrong from the assembly:

Box 1: Ap09é45 (XOR A; OR ff; LD [f5fa], A)
Box 2: é04é1455 (LD [f6fa], A; LD [f7fa], A)
Box 3: é24é3455 (LD [f8fa], A; LD [f9fa], A)
Box 4: é44é5455 (LD [fafa], A; LD [fbfa], A)
Box 5: é64é7455 (LD [fcfa], A; LD [fdfa], A)
Box 6: é84é.455 (LD [fefa], A; LD [e8fa], A)
Box 7: x'd (OR A; RET NC)

If I'm understanding the code correctly, you're getting A=ff, then loading A into the necessary locations to max out the values. All of the bytes for stat experience are right next to the bytes for experience, and there's a total of 13 (3 for experience, 10 among the stat experience for attack, defense, special, speed, hp). I'm only seeing 11 loads (expected 13), and one of the loads isn't directly next to the others (LD [e8fa], A). I suspect I'm misunderstanding a critical detail here. Can you help me understand how the script works and why it may not be working for me?

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Torchickens
Date: 2017-10-17 17:31:54
Hi.

The modified addresses are as follows:

FAF6, FAF5: HP EV (two bytes)
FAF7, FAF8: Attack EV (two bytes)
FAF9, FAFA: Defense EV (two bytes)
FAFB, FAFC: Speed EV (two bytes)
FAFD, FAFE: Special EV (two bytes)
FAE8: Pokémon 4 Special Attack byte 1

So it looks like I did make a mistake, sorry (with the name é84é.455). :-[

The problem seems to lie in there being more than one ID for the "." character. The hex ID was supposed to be F2 for the code to modify FAF2 (total experience byte 1) to FF (giving it 16711680 more experience, which is recalculated to Level 100), but in actuality you can only enter the E8 "." (which would modify FAE8).

I used the F2 character while testing without double checking if that would appear when entering "." using the box names.

To fix this you can wipe out the old box names with 5s except where your 'footer' is, and use this one instead to modify Pokémon 5's experience:

Box 1: Ap0x'v955  (multiply small x from the uppercase field only)
Box 2: e'm2p0955
Box 3: éA455555
Box 4-Box 12 (or possibly just box up to all of box 6 in your case): 55555555

This should work if your modified setup runs from box 1 character 2 (or box 1 character 1), which it possibly does.

Hope this helps.
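As an added example (my own code, not from the thread or from Torchickens), the following Python script decodes box names the way the game will: it maps each character to its English Gold/Silver text-table byte, disassembles the handful of Game Boy opcodes these codes rely on, and lists the addresses each LD (nn),A writes to, so an untypable-character mistake like the 0xF2 "." discussed above shows up before anything is run. Assumptions: (mult)/(male) follow the thread's notation, (dot) stands for the 0xF2 ".", and unused character slots of a box name are taken to hold the 0x50 terminator.

```python
import re

# English Gold/Silver text-table values for the characters these codes use
# ('p' = 0xAF = XOR A, "'d" = 0xD0 = RET NC, '5' = 0xFB = EI, 'é' = 0xEA = LD (nn),A).
# (mult)/(male) follow the thread's notation; (dot) is the 0xF2 "." that cannot be typed.
CHARMAP = {
    **{chr(0x41 + i): 0x80 + i for i in range(26)},   # A-Z
    **{chr(0x61 + i): 0xA0 + i for i in range(26)},   # a-z
    **{str(d): 0xF6 + d for d in range(10)},          # 0-9
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    " ": 0x7F, "'": 0xE0, "?": 0xE6, "!": 0xE7, ".": 0xE8, "é": 0xEA,
    "(male)": 0xEF, "(mult)": 0xF1, "(dot)": 0xF2, "♀": 0xF5,
}
TOKEN = re.compile(r"\(\w+\)|'[dlmrstv]|.")   # multi-character glyphs are matched first
TERMINATOR, NAME_LEN = 0x50, 9                # 8 characters + terminator per box name

def encode(name):
    """Bytes of one box name as stored (assumed: unused slots hold the 0x50 terminator)."""
    raw = [CHARMAP[t] for t in TOKEN.findall(name)]
    if len(raw) >= NAME_LEN:
        raise ValueError("a box name holds at most 8 characters")
    return bytes(raw + [TERMINATOR] * (NAME_LEN - len(raw)))

# Game Boy opcodes that occur in the thread's codes: mnemonic template and operand size.
OPCODES = {0xAF: ("XOR A", 0), 0xB7: ("OR A", 0), 0xFB: ("EI", 0), 0xD0: ("RET NC", 0),
           0xD1: ("POP DE", 0), 0x50: ("LD D,B", 0), 0x80: ("ADD A,B", 0),
           0xF6: ("OR 0x{:02X}", 1), 0xD6: ("SUB 0x{:02X}", 1), 0xE0: ("LDH (0xFF{:02X}),A", 1),
           0xEA: ("LD (0x{:04X}),A", 2), 0xD2: ("JP NC,0x{:04X}", 2)}

def disassemble(code):
    """Linear disassembly; bytes outside OPCODES are shown as DB so a stray character stands out."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES or i + OPCODES[op][1] >= len(code):
            out.append("DB 0x{:02X}".format(op)); i += 1; continue
        text, size = OPCODES[op]
        if size == 1:
            text = text.format(code[i + 1])
        elif size == 2:                        # little-endian 16-bit address
            text = text.format(code[i + 1] | code[i + 2] << 8)
        out.append(text); i += 1 + size
    return out

def trace(boxes, start=1):
    """Consecutive box names as one byte stream, entered at box 1 character `start`
    (the thread's setups enter at character 2, offset 1), stopping at the first RET NC."""
    listing = disassemble(b"".join(encode(b) for b in boxes)[start:])
    return listing[:listing.index("RET NC") + 1] if "RET NC" in listing else listing

def store_targets(listing):
    """Addresses written by LD (nn),A, for checking a code against the intended RAM addresses."""
    hits = (re.match(r"LD \(0x([0-9A-F]{4})\),A", line) for line in listing)
    return [int(m.group(1), 16) for m in hits if m]

if __name__ == "__main__":
    for name in ("é84é.455", "é84é(dot)455"):   # the typed "." versus the intended 0xF2 one
        print(name, disassemble(encode(name)), [hex(a) for a in store_targets(disassemble(encode(name)))])
    print(trace(["Ap0w'vA55", "é'm2p'v7'v'd", "éA355555"]))
```

Running it shows the typed "." box writing to 0xFAE8 (Pokémon 4's Special Attack byte, as Torchickens explains) where the intended code would write 0xFAF2.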

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Couldntthinkofaname
Date: 2017-10-17 18:17:24
[quote]
Hi.

The modified addresses are as follows:

FAF6, FAF5: HP EV (two bytes)
FAF7, FAF8: Attack EV (two bytes)
FAF9, FAFA: Defense EV (two bytes)
FAFB, FAFC: Speed EV (two bytes)
FAFD, FAFE: Special EV (two bytes)
FAE8: Pokémon 4 Special Attack byte 1

So it looks like I did make a mistake, sorry (with the name é84é.455). :-[

The problem seems to lie in there being more than one ID for the "." character. The hex ID was supposed to be F2 for the code to modify FAF2 (total experience byte 1) to FF (giving it 16711680 more experience, which is recalculated to Level 100), but in actuality you can only enter the E8 "." (which would modify FAE8).

I used the F2 character while testing without double checking if that would appear when entering "." using the box names.

To fix this you can wipe out the old box names with 5s except where your 'footer' is, and use this one instead to modify Pokémon 5's experience:

Box 1: Ap0x'v955  (multiply small x from the uppercase field only)
Box 2: e'm2p0955
Box 3: éA455555
Box 4-Box 12 (or possibly just box up to all of box 6 in your case): 55555555

This should work if your modified setup runs from box 1 character 2 (or box 1 character 1), which it possibly does.

Hope this helps.
[/quote]

Pardon my ignorance, but why use filler (5s)?

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Nostalgia
Date: 2017-10-18 03:53:08
Torchickens, have you had a chance to test your max DV code? I'm not knowledgeable in the code matters but I'm sure there must be a slight error somewhere as it doesn't give max DVs.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Torchickens
Date: 2017-10-18 08:31:17
[quote]
Torchickens, have you had a chance to test your max DV code? I'm not knowledgeable in the code matters but I'm sure there must be a slight error somewhere as it doesn't give max DVs.
[/quote]

I tested it and it worked for changing Pokémon 1's DVs all to 15, so it's possible you made a slight mistake somewhere. The x in the code here is the normal lower case one (not the multiplication x) and 0 is zero.

[quote]
Pardon my ignorance, but why use filler (5s)?
[/quote]

After the code, it will continue to run until it finds a 'd (ret nc). The 5s act as a safe ei instruction (enable interrupts) which effectively does nothing relevant here, as interrupts may already be enabled.

The code I made is to be used after using FMK's one-off code, so the code needs to run safely to box 13 and box 14 where the footer code is. However if you use wrong-pocket TM/HM code execution it doesn't corrupt the stack and you can use a 'd directly after (or close-by to) the code.

Generally codes which just have 5s until FMK's box 13 and box 14 names are a little easier to make.

Fewer 5s are required if the code includes a means of bringing control back to the game without the need of FMK's one-off code, such as the above Shiny Pokémon 1 code. I can make one more like that if you like.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Nostalgia
Date: 2017-10-18 12:25:00
[quote]
I tested it and it worked for changing Pokémon 1's DVs all to 15, so it's possible you made a slight mistake somewhere. The x in the code here is the normal lower case one (not the multiplication x) and 0 is zero.
[/quote]

[img]http://i.picresize.com/images/2017/10/18/smfQY.jpg[/img]
[img]http://i.picresize.com/images/2017/10/18/He9X.jpg[/img]
[img]http://i.picresize.com/images/2017/10/18/4K0yb.jpg[/img]

Well, I tried again, but it didn't work. The screenshots show the correct box names, and the last screenshot is my current party; the Togepi at the top is a clone of the slide Togepi in slot 3 which I performed the glitch on, but it did not max the DVs, as you can see they both have 19 HP, and max DVs would be 20 HP for a level 5 Togepi. I also performed the glitch on the Magikarp at the bottom of the party, but nothing. The glitch is only doing what I reported before: making a slight change to the DVs (turning female Pokémon male, so weirdly only affecting the Attack stat slightly, but not maxing them out). I'm using the DV calculator to determine what the max DVs would be.

http://www.psypokes.com/gsc/dv.php

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: ISSOtm
Date: 2017-10-18 17:38:33
I'm just wondering, but did you make the game recalculate the stats? AFAIK that's doable by both depositing then withdrawing (not sure about Move w/o Mail), or leveling up.

Re: Some competitive battling box name codes for Coin Case arbitrary code execution

Posted by: Nostalgia
Date: 2017-10-19 02:55:57
Well it worked from doing that. :) Kinda makes sense because I remember using ws m in Yellow for max DVs and that involved depositing and withdrawing the Pokemon after the code. Though to avoid confusion for others, maybe it should be written in the OP to deposit and withdraw the Pokemon afterwards.