Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case

danny

  • Decamark Collector and Pokémaniac
  • Member+
  • Gender: Male
  • i hate being alive
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #30 on: February 03, 2016, 08:35:04 am »
Can anybody provide a completed save file that has all of the necessary requirements for the coin case glitch? I lost the old one, sadly.
i ain't happy, i'm feeling glad
i got sunshine, in a bag
i'm useless, but not for long
my future is coming on

if you see any posts from around 2014-2016, please don't hold them against me in 2017 onwards.

my music

lowena

  • GCLF Member
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #31 on: February 14, 2016, 04:43:59 pm »
Does anyone have any ideas on how this glitch was fixed in Crystal? Is it just the text end byte for the Coin Case or is there more? I'm curious since we have a great disassembly of Crystal but not Gold/Silver which can help a lot with glitching/hacking. I haven't looked at the disassembly yet though or tried this glitch so maybe it would be easy to "unfix" in Crystal to have the glitch working. Obviously it would only work on emulators unless you had a flash cart or something, but it would be cool to have working for fun. :)
« Last Edit: February 14, 2016, 09:31:35 pm by lowena »

Krys3000

  • The frenchie
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • PRAMA Initiative - Main French Pokémon glitch website
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #32 on: February 15, 2016, 07:07:06 am »
Well, since this glitch is due to a translation mistake (the Japanese terminator character was mistakenly not replaced by the English one), I'm guessing they just corrected it.

Using TM33 Code Execution might allow you to replace the Japanese terminator in Crystal games, thus reactivating the glitch, but I'm not an expert about this glitch so I'm not sure it can be done (Torchickens knows, maybe). If so, this would be the only way I could think of to legitimately create a Coin Case Glitch in either an emulated or real game without any cheating device.

Admin of the PRAMA Initiative, the main French Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

lowena

  • GCLF Member
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #33 on: February 15, 2016, 05:14:34 pm »
Yeah, hopefully that's the case. I know nothing about Crystal's code or glitches, but I'm gonna take a look and see if I can find anything :)

EDIT: A quick look shows that the terminator was indeed changed from 0x57 to 0x50 from G/S to Crystal. Also I found that changing the code for the Coin Case from db "@@" to done changed the terminator from 50 50 00 to 57 00 so that's cool. ;p I'll put the code and hex/text for Crystal below for reference:

Code for Coin Case:
UnknownText_0x1c5c7b::
	text "Coins:"
	line "@"
	deciram Coins, 2, 4
	db "@@"

Hex and text for Coin Case:
82 AE A8 AD B2 9C 4F 50 09 55 D8 24 50 50 00
Coins:=($50)($09)+($D8)($24)($50)($50)($00)

2ND EDIT: I don't think this will work. :/ Changing the terminator to 57 does lead to an invalid pointer, but the invalid pointer goes to the middle of VRAM (8ccd), so it just crashes the game and restarts.

That's really disappointing. :'(
« Last Edit: February 15, 2016, 10:48:12 pm by lowena »
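The two posts above settle on a mechanism worth spelling out for anyone who reads parsers for a living: after the string ends at "@" ($50), the text engine treats the bytes that follow as commands, and a byte it has no handler for ($57) leaves it holding an address that was never meant to be jumped to (here the VRAM address 8ccd). The Python below is an added example written for this page, not code from the thread or from any disassembly. It models a text-command interpreter in two forms: one that indexes its handler table with whatever command byte it reads, and one that range-checks the byte first. The text bytes are the ones lowena quotes; the handler table, the fake ROM and the bytes lying past the table are constructed, and the `57 00` variant stands in for the Gold/Silver-style ending the post says `done` assembles to. That the real engine dispatches through a table in exactly this way is an assumption of the model, not something the thread states.

```python
import struct

# Sample input, constructed from the bytes quoted in lowena's post: Crystal's
# Coin Case text, i.e. text "Coins:" / line "@" / deciram Coins, 2, 4 / db "@@".
CRYSTAL_COIN_CASE = bytes.fromhex("82AEA8ADB29C4F500955D824505000")
# Constructed variant that ends the way the post says `done` assembles (57 00),
# standing in for the Gold/Silver terminator the thread discusses.
GS_STYLE_COIN_CASE = bytes.fromhex("82AEA8ADB29C4F500955D8245700")

# Character codes that occur in the sample, read off the post's decoded line.
CHARMAP = {0x82: "C", 0xAE: "o", 0xA8: "i", 0xAD: "n", 0xB2: "s", 0x9C: ":",
           0x4F: "\n"}   # $4F is the `line` macro (line break)
STRING_END = 0x50  # "@": ends the character string and, later, the command stream
TX_NUM = 0x09      # deciram: 2-byte little-endian RAM address, then (bytes << 4) | digits

# Constructed command table: 16-bit handler addresses stored little-endian in a
# fake ROM bank. Eleven entries is plenty for the model; what matters is that
# index $57 lies far beyond the end of the table.
HANDLERS = [0x1000 + 0x10 * i for i in range(0x0B)]
TABLE_BASE = 0x4000
ROM = bytearray(0x8000)
for index, handler in enumerate(HANDLERS):
    struct.pack_into("<H", ROM, TABLE_BASE + 2 * index, handler)
# Whatever data follows the table becomes the "pointer" for an out-of-range
# command byte. Constructed here to reproduce the VRAM address the post reports
# for Crystal; in a real ROM it is simply whatever neighbours the table.
struct.pack_into("<H", ROM, TABLE_BASE + 2 * 0x57, 0x8CCD)


def dispatch_unchecked(cmd):
    """Vulnerable model: index the handler table with an unvalidated command byte."""
    return struct.unpack_from("<H", ROM, TABLE_BASE + 2 * cmd)[0]


def dispatch_checked(cmd):
    """Hardened model: reject command bytes the table does not define."""
    if cmd >= len(HANDLERS):
        raise ValueError(f"undefined text command ${cmd:02X}")
    return dispatch_unchecked(cmd)


def run_text(data, dispatch):
    """Interpret one text entry.

    Returns (string, commands, stray_jumps, terminated): the decoded string,
    the TX_NUM commands seen, any control transfer to an address fetched for
    an out-of-table command byte, and whether a closing "@" was reached.
    """
    chars = []
    i = 0
    while i < len(data) and data[i] != STRING_END:   # phase 1: characters
        chars.append(CHARMAP.get(data[i], "?"))
        i += 1
    i += 1                                            # skip the "@"
    commands, stray_jumps = [], []
    terminated = False
    while i < len(data):                              # phase 2: text commands
        cmd = data[i]
        i += 1
        if cmd == STRING_END:
            terminated = True
            break
        target = dispatch(cmd)                        # checked model may raise here
        if cmd == TX_NUM:
            addr = data[i] | (data[i + 1] << 8)
            nbytes, digits = data[i + 2] >> 4, data[i + 2] & 0x0F
            commands.append(("TX_NUM", addr, nbytes, digits))
            i += 3
            continue
        # The model implements no other command: record where control would go.
        stray_jumps.append((cmd, target))
        break
    return "".join(chars), commands, stray_jumps, terminated


if __name__ == "__main__":
    print(run_text(CRYSTAL_COIN_CASE, dispatch_checked))
    print(run_text(GS_STYLE_COIN_CASE, dispatch_unchecked))
```

The defender's takeaway is the difference between the two fixes: correcting the data (emitting $50, as Crystal does) removes this one bad input, while the range check in `dispatch_checked` makes every undefined command byte fail closed instead of turning the bytes after the table into a jump target.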

danny

  • Decamark Collector and Pokémaniac
  • Member+
  • Gender: Male
  • i hate being alive
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #34 on: February 18, 2016, 06:38:56 pm »
I really need a completed save file with the glitch ready, as I want to search for cool effects.

lowena

  • GCLF Member
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #35 on: February 20, 2016, 04:16:02 pm »
Here you go. Look at the bottom of this thread, and download the working one. It worked fine for me.

danny

  • Decamark Collector and Pokémaniac
  • Member+
  • Gender: Male
  • i hate being alive
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #36 on: February 21, 2016, 01:42:02 pm »
Got one:

Enter, exit, and re-enter the Radio Tower in Goldenrod (twss), then go:

  • Take two steps left
  • Open & Close menu
  • Take four steps up
  • Take two steps right

Then do the glitch. The effect is similar to the pokecenter music box, but with more drums.

bestgoldglitche

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #37 on: July 12, 2016, 03:26:06 am »
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

I've been playing around with this glitch for a while now and recently found a way to produce any item. The process is almost the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi.

https://www.youtube.com/watch?v=SpfgOVfGVTo

Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number. Given the normal setup that would yield HM09 I think, which can be sold for about 19000 Pokebucks...

This happens because the stack of 4 Great Balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC. Also, using only 2 Great Balls increases the index number by 1, and using multiple stacks of Great Balls will increase the index number in the same manner.

This can be helpful for getting stray items by finding base items that have an index number before theirs, as you can swap out HM07 with other base items to mutate. This way you don't even lose the item you were initially working with.

I don't know much assembly, but I know enough to understand the concepts behind how the glitch works. Given that 42 Fresh Water correspond to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data, allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.

There's a simple list of the data structure here:
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II

An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon. I'm pretty sure this takes 50 Fresh Water.

So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.

Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
http://pastebin.com/raw/arPmsvYu
« Last Edit: July 12, 2016, 08:38:57 am by bestgoldglitche »
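The arithmetic in the post above is a fixed offset: 42 Fresh Water selects byte 0 of the first party Pokémon (species), 43 selects byte 1 (held item), 44 to 47 the four moves, and 50 to 52 the three experience bytes. The Python below is an added example written for this page, not the poster's code or anything from the game; it generalises that mapping to the whole 48-byte Generation II party entry, so a count can be turned into the field it reaches and a field into the count that reaches it. The layout is taken from the Bulbapedia structure the post links, so the offsets the post does not itself name (OT ID, EVs, IVs, PP, level, stats and so on) come from that page rather than from the thread; the sample Pokémon bytes and the values written are constructed.

```python
BASE_COUNT = 42   # Fresh Water count the post ties to byte 0 (species) of party slot 1
PARTY_SIZE = 48   # bytes per party Pokémon in Generation II

# (field, offset, size). Assumed from the Generation II party structure on the
# Bulbapedia page the post links; the post itself names only species, held
# item, moves and experience. Multi-byte fields are stored big-endian.
PARTY_LAYOUT = [
    ("species", 0, 1), ("held_item", 1, 1),
    ("move1", 2, 1), ("move2", 3, 1), ("move3", 4, 1), ("move4", 5, 1),
    ("ot_id", 6, 2), ("experience", 8, 3),
    ("hp_ev", 11, 2), ("attack_ev", 13, 2), ("defense_ev", 15, 2),
    ("speed_ev", 17, 2), ("special_ev", 19, 2), ("ivs", 21, 2),
    ("pp_move1", 23, 1), ("pp_move2", 24, 1), ("pp_move3", 25, 1), ("pp_move4", 26, 1),
    ("friendship", 27, 1), ("pokerus", 28, 1), ("caught_data", 29, 2),
    ("level", 31, 1), ("status", 32, 1), ("unused", 33, 1),
    ("current_hp", 34, 2), ("max_hp", 36, 2), ("attack", 38, 2), ("defense", 40, 2),
    ("speed", 42, 2), ("sp_attack", 44, 2), ("sp_defense", 46, 2),
]
assert sum(size for _, _, size in PARTY_LAYOUT) == PARTY_SIZE   # layout covers 0..47


def field_for_count(count):
    """(field, byte within field) that a stack of `count` Fresh Water writes."""
    offset = count - BASE_COUNT
    if not 0 <= offset < PARTY_SIZE:
        raise ValueError(f"{count} Fresh Water lands outside party slot 1 (offset {offset})")
    for name, start, size in PARTY_LAYOUT:
        if start <= offset < start + size:
            return name, offset - start
    raise RuntimeError("layout has a gap")   # unreachable while the layout is complete


def count_for_field(name, byte=0):
    """Inverse: the Fresh Water count that reaches byte `byte` of field `name`."""
    for field, start, size in PARTY_LAYOUT:
        if field == name:
            if not 0 <= byte < size:
                raise ValueError(f"{name} has {size} byte(s), not byte {byte}")
            return BASE_COUNT + start + byte
    raise KeyError(name)


def decode_party_mon(data):
    """Decode one 48-byte party entry into {field: integer} (big-endian)."""
    if len(data) != PARTY_SIZE:
        raise ValueError("expected a 48-byte party entry")
    return {name: int.from_bytes(data[start:start + size], "big")
            for name, start, size in PARTY_LAYOUT}


def apply_fresh_water_write(data, count, value):
    """Copy `data` with the byte selected by `count` overwritten; returns (bytes, field)."""
    field, _ = field_for_count(count)          # validates the count first
    out = bytearray(data)
    out[count - BASE_COUNT] = value & 0xFF
    return bytes(out), field


def _constructed_sample():
    """A constructed party entry: species $01, no item, one move, 130 exp, level 5."""
    mon = bytearray(PARTY_SIZE)
    mon[0] = 0x01
    mon[2] = 0x21
    mon[6:8] = (0x3039).to_bytes(2, "big")
    mon[8:11] = (130).to_bytes(3, "big")
    mon[31] = 5
    return bytes(mon)


SAMPLE_MON = _constructed_sample()

if __name__ == "__main__":
    for n in (42, 43, 44, 47, 50, 52):
        print(n, "Fresh Water ->", field_for_count(n))
    changed, field = apply_fresh_water_write(SAMPLE_MON, 50, 0x0F)
    before = decode_party_mon(SAMPLE_MON)["experience"]
    after = decode_party_mon(changed)["experience"]
    print(f"write via 50 Fresh Water hits {field}: experience {before} -> {after}")
```

The mapping also explains why 50 is the interesting count for the post's level-100 idea: offset 8 is the most significant byte of the three-byte experience field, so a single write there moves the value in steps of 65536, whereas 51 and 52 only reach the lower bytes.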

TheUnReturned

  • A strange guy
  • GCLF Member
  • Gender: Male
  • Yawns
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #38 on: July 12, 2016, 07:15:46 am »
Quote from: bestgoldglitche on July 12, 2016, 03:26:06 am
Really nice :9
Always treasure the present
To remain it in the past

Princess Torchic ❤

  • Administrator
  • Gender: Female
  • The Chicken Girl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #39 on: July 12, 2016, 08:01:19 am »
Neato! ^^
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Give love, receive love, repeat. But in order to love others you must first love yourself unconditionally, even if it means abandoning pressure from projects or taking time off work and empathise with the self as you are your own best friend. The key often is simply to follow your heart, your urges and have faith they are valid; use them to do what you want to do as long as it doesn't harm anyone, and/or sympathise and respect it as we all have bad days (even the prettiest rose has thorns but is still beautiful).

Princess Torchic ❤

  • Administrator
  • Gender: Female
  • The Chicken Girl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #40 on: December 18, 2016, 06:12:30 pm »
Adding a useful bit of information.

Although stored PC items have been a common requirement (with Crystal_ having a stored PC item RAM editor), you may want to use PC names instead of box items, like what is done in glitched speedruns because literally the only things you need are a Pokédex with Bellsprout in it, the slide Pokémon in slot 3 and a special Quagsire in slot 4 (no items other than TM02 and TM27 are required).

To do this, you may give Quagsire a TM02 (available from Goldenrod Department Store) instead of HP Up or Protein and have Return as its first move. This will redirect the code to PC box 1's name character 2 after you do the specific movements (e.g. the ones from Elm's Lab and from Cherrygrove City).

The operations you can access via box names are highly limited (see Sanqui's Pastebin http://pastebin.com/raw/arPmsvYu) but fortunately it's still possible to do things like RAM editing (I do it using the xor a and sub xx operations to give 'a' a value and then the ld (xxyy),a operation to write 'a' into that address).

Though Coin Case gives you a corrupted stack and the game would glitch dimension/freeze after ret, you can solve the issue by using the following edits as part of a footer in your code.

xor a
ld (ff83),a
pop de
pop de
inc sp
pop de
or a
ret nc

(Found from deconstructing the box name code here).

There is one catch and something you need to know:

inc sp (hex: 33) cannot normally be represented by box characters. However, you can get the ID for inc sp with the following: xor a; sub fd; sub d0, and then use ld (xxyy),a to self-modify your code to add an inc sp.

This method also has a bad side effect of slowing menus down to an extreme, but after closing the menu if you hold down A and tap down you will be able to move the cursor to SAVE, mash A to save the game and reset the game to bring things back to normal.
« Last Edit: December 18, 2016, 06:19:59 pm by Torchickens »
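Two claims in the post above can be checked without a Game Boy: that xor a; sub fd; sub d0 leaves $33, the opcode for inc sp, in the accumulator, and that the footer pops 2+2+1+2 = 7 bytes of the corrupted stack before ret nc returns. The Python below is an added example written for this page, not Torchickens' code or any emulator's; it models only the seven instructions the footer and the derivation use (xor a, sub n, ld (nn),a, pop de, inc sp, or a, ret nc) together with their byte encodings. The stack contents, the return address $1234 and the stack pointer $DF00 are constructed.

```python
# Byte encodings of the instructions modelled here (GBz80 opcodes).
OPCODES = {"xor a": 0xAF, "or a": 0xB7, "pop de": 0xD1, "inc sp": 0x33, "ret nc": 0xD0}
SUB_N, LD_NN_A = 0xD6, 0xEA   # sub n8 ; ld (a16),a


def assemble(program):
    """Encode a program given as tuples such as ("sub", 0xFD) or ("pop de",)."""
    out = bytearray()
    for name, *ops in program:
        if name == "sub":
            out += bytes([SUB_N, ops[0] & 0xFF])
        elif name == "ld (nn),a":
            out += bytes([LD_NN_A, ops[0] & 0xFF, ops[0] >> 8])   # little-endian address
        else:
            out.append(OPCODES[name])
    return bytes(out)


class MiniCPU:
    """Just enough GBz80 state for the footer: a, de, carry, sp and 64 KiB of memory."""

    def __init__(self, sp, stack):
        self.a, self.de, self.carry, self.sp = 0, 0, False, sp
        self.mem = bytearray(0x10000)
        self.mem[sp:sp + len(stack)] = stack   # constructed stack contents

    def pop16(self):
        value = self.mem[self.sp] | (self.mem[self.sp + 1] << 8)
        self.sp += 2
        return value

    def step(self, name, *ops):
        """Execute one instruction; return a target address if control leaves, else None."""
        if name == "xor a":
            self.a, self.carry = 0, False
        elif name == "sub":
            result = self.a - ops[0]
            self.carry = result < 0           # a borrow sets the carry flag
            self.a = result & 0xFF
        elif name == "or a":
            self.carry = False                # or clears carry and leaves a unchanged
        elif name == "ld (nn),a":
            self.mem[ops[0]] = self.a
        elif name == "pop de":
            self.de = self.pop16()
        elif name == "inc sp":
            self.sp += 1                      # skips a single byte of stack
        elif name == "ret nc":
            return None if self.carry else self.pop16()
        else:
            raise NotImplementedError(name)
        return None

    def run(self, program):
        for ins in program:
            target = self.step(*ins)
            if target is not None:
                return target
        return None


SP_START = 0xDF00   # constructed stack pointer
INC_SP_DERIVATION = [("xor a",), ("sub", 0xFD), ("sub", 0xD0)]
FOOTER = [("xor a",), ("ld (nn),a", 0xFF83), ("pop de",), ("pop de",),
          ("inc sp",), ("pop de",), ("or a",), ("ret nc",)]


def inc_sp_via_subs():
    """Value left in a by xor a; sub $fd; sub $d0 (the post says $33 = inc sp)."""
    cpu = MiniCPU(SP_START, b"")
    cpu.run(INC_SP_DERIVATION)
    return cpu.a


def run_footer(garbage=b"\x11\x22\x33\x44\x55\x66\x77", return_addr=0x1234):
    """Run the footer over a constructed stack: seven junk bytes, then a return address."""
    cpu = MiniCPU(SP_START, garbage + return_addr.to_bytes(2, "little"))
    target = cpu.run(FOOTER)
    return {"returned_to": target, "sp_delta": cpu.sp - SP_START, "hram_ff83": cpu.mem[0xFF83]}


def ret_nc_after_sub(with_or_a, return_addr=0x1234):
    """Does ret nc return when placed straight after the sub chain, with or without or a?"""
    program = INC_SP_DERIVATION + ([("or a",)] if with_or_a else []) + [("ret nc",)]
    cpu = MiniCPU(SP_START, return_addr.to_bytes(2, "little"))
    return cpu.run(program)


if __name__ == "__main__":
    print(f"inc sp opcode via subs: ${inc_sp_via_subs():02X}")
    print("footer bytes:", assemble(FOOTER).hex(" "))
    print("footer result:", run_footer())
```

`ret_nc_after_sub` illustrates what `or a` buys before `ret nc`: a `sub` that borrows leaves the carry flag set, so a conditional return placed directly after the derivation would fall through instead of returning, while `or a` clears carry without disturbing the accumulator.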

Nostalgia

  • GCLF Member
  • Gender: Male
  • ?
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #41 on: December 19, 2016, 01:28:51 am »
So basically this would enable ACE stuff much earlier into the game than before? Because before, with the item lists in the PC, you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.
« Last Edit: December 19, 2016, 01:29:44 am by Nostalgia »

Princess Torchic ❤

  • Administrator
  • Gender: Female
  • The Chicken Girl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #42 on: December 19, 2016, 07:17:13 am »
Quote from: Nostalgia on December 19, 2016, 01:28:51 am
So basically this would enable ACE stuff much earlier into the game than before? Because before, with the item lists in the PC, you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.

Yeah you can conveniently do this early in game once you get the Coin Case (and TM02, TM27). I think it's also easier to set up.

Note I think Quagsire can possibly be replaced with Wooper (jp nz,$xxyy) like in the previously linked speedrunning route, and werster's 43:47 speedrun uses a particular path in the Pokémon Center with the starter Croconaw in slot 4 (possibly meaning a specific Croconaw could work too).
« Last Edit: December 19, 2016, 07:33:29 am by Torchickens »

asphere

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #43 on: July 01, 2017, 06:55:27 am »
Quote from: Princess Torchic ❤ on December 19, 2016, 07:17:13 am

Hey, is it possible to change my ID number on Pokemon Silver? I need to change it on Pokemon Silver, 2nd gen, ITALY...
Thanks :)
« Last Edit: July 01, 2017, 06:58:40 am by asphere »

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • Gender: Male
  • Pewter City (B)rocks !
    • My Little Website
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #44 on: July 01, 2017, 08:47:48 am »
You're in the wrong topic for this; the Coin Case glitch doesn't work in European localizations of Gold/Silver. There are other methods to obtain ACE, but they are more complicated.
(I will continue replying in the "G/S/C glitch discussion")

(Also, the post you quoted has no relation whatsoever to what you asked. Please quote a post only when you refer to it.)
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)