Pokemon Gold/Silver - Arbitrary code execution in non-english european versions

Channel: Crystal_ (12,600 subscribers)
Published on 2017-10-13
Video link: https://www.youtube.com/watch?v=b2tVVeZ7Th4
Duration: 22:04
6,013 views

This video introduces an arbitrary code execution (ACE) method compatible with the French, German, Italian, and Spanish versions of Pokemon Gold and Silver. It is a more costly alternative to the Coin Case glitch, which only applies to the English versions, but it aims to arrive at a comparably accessible setup that offers just as many possibilities as the Coin Case glitch.

Any important information not covered in the video will go here.
------------------------------

Various resources and examples for Step 8.

For step 8.1) - Use the following resources to find the locations of the relevant memory addresses:
- https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map
- https://github.com/PikalaxALT/pokegold/blob/master/wram.asm
The first one is more user-friendly, but the second one (from the disassembly) has far more information. If you have trouble locating an address in one, resort to the other.

For step 8.2) - If you want a specific Pokemon, item, or move, you will need to know its hexadecimal number. Use the information from the first, sixth, seventh, and eighth columns of the table found here: http://glitchcity.info/biglist.htm. For example, Celebi is FB, Aeroblast is B1, and Rare Candy is 20.

For step 8.3) - Conversion tables from hexadecimal to box name codes (language-dependent):
- Italian and Spanish: https://pastebin.com/bAra9Wy7
- German: https://pastebin.com/yW9MeaKe
- French: https://pastebin.com/8VvWLHqA

If you need further assistance with step 8 - Usage examples:
- Party count (https://github.com/PikalaxALT/pokegold/blob/master/wram.asm#L3638): Address DA22
- Party Pokemon #3 species (https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Pokemon_3_Settings): Address DA8A
- To make party Pokemon #3 shiny: write FA to DA9F and AA to DAA0 (the two DV bytes of that Pokemon)
- Item 6 quantity (https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Game_Settings): Address D5C3
- Money (https://github.com/PikalaxALT/pokegold/blob/master/wram.asm#L2919): Addresses D573 to D575 (setting only D573 to 0E already gives near-maximum money)
------------------------------

Technical explanation -

When a Pokemon is withdrawn into the 30th slot of the party, it corrupts the addresses between DF9A and DFB9. More specifically, while the Pokemon's data is being copied from SRAM to those WRAM addresses, the stack pointer is at DFB3, and the 3rd and 4th PP fields of the Pokemon are copied to DFB3 and DFB4 respectively. Returning from the memory copy routine then pops those two PP bytes as the return address (PP3 as the low byte, PP4 as the high byte), so execution continues wherever they point.

Of course, after doing this the stack is completely destroyed and there is no realistic hope of restoring it to anything playable. The suggested alternative is to edit the SRAM to give ourselves one of the TMs in the Items pocket of the bag, some of which execute code from WRAM when used from there. Modifying data in SRAM this way also requires updating the checksum at AD69-AD6A by the same difference, since it is a plain 16-bit sum of the saved bytes.
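A worked example of the SRAM edit described above, added here and not taken from the video or its author. It treats a .sav file as a raw 32 KiB SRAM image in which bank n occupies file offsets n*0x2000 onward (so AD69 in bank 1 is file offset 0x2D69), takes the checksummed range 0x2009-0x2D68 from the disassembly's sGameData labels as an assumption, and shows why patching the checksum by the byte difference is enough: the checksum is a plain 16-bit sum of the saved bytes. The save image used here is constructed at random for the demo, not a real save.

```python
import random

# Added example (not the video author's code).  Assumptions: the .sav file is a raw
# 32 KiB SRAM image, bank n starts at file offset n*0x2000, the checksum at CPU
# address AD69-AD6A (bank 1) covers file offsets 0x2009..0x2D68 as in the disassembly.
SRAM_WINDOW = 0xA000           # SRAM banks are mapped at A000-BFFF on the CPU bus
BANK_SIZE = 0x2000
CHECKSUM_BANK, CHECKSUM_ADDR = 1, 0xAD69
CHECKSUM_RANGE = (0x2009, 0x2D69)   # [start, end) in file offsets (assumption)


def file_offset(bank, cpu_addr):
    """Map a banked SRAM address (bank, A000-BFFF) to an offset in the .sav image."""
    if not SRAM_WINDOW <= cpu_addr < SRAM_WINDOW + BANK_SIZE:
        raise ValueError("0x%04X is not inside the A000-BFFF SRAM window" % cpu_addr)
    return bank * BANK_SIZE + (cpu_addr - SRAM_WINDOW)


CHECKSUM_FILE_OFF = file_offset(CHECKSUM_BANK, CHECKSUM_ADDR)   # 0x2D69


def read_checksum(sav):
    """16-bit little-endian checksum stored at AD69-AD6A."""
    return sav[CHECKSUM_FILE_OFF] | (sav[CHECKSUM_FILE_OFF + 1] << 8)


def write_checksum(sav, value):
    sav[CHECKSUM_FILE_OFF] = value & 0xFF
    sav[CHECKSUM_FILE_OFF + 1] = (value >> 8) & 0xFF


def compute_checksum(sav):
    """Full recomputation: plain sum of every byte in the covered range, mod 2^16."""
    start, end = CHECKSUM_RANGE
    return sum(sav[start:end]) & 0xFFFF


def patch_byte(sav, bank, cpu_addr, new_value):
    """Write new_value at (bank, cpu_addr) and fix the checksum by the difference
    old->new, which is exact because the checksum is a linear byte sum.
    Returns the new checksum."""
    off = file_offset(bank, cpu_addr)
    start, end = CHECKSUM_RANGE
    if not start <= off < end:
        raise ValueError("0x%04X in bank %d is outside the checksummed range" % (cpu_addr, bank))
    new_value &= 0xFF
    old_value = sav[off]
    sav[off] = new_value
    write_checksum(sav, (read_checksum(sav) + new_value - old_value) & 0xFFFF)
    return read_checksum(sav)


def make_sample_save(seed=1):
    """Constructed 32 KiB image with a self-consistent checksum (not a real save)."""
    rng = random.Random(seed)
    sav = bytearray(rng.getrandbits(8) for _ in range(4 * BANK_SIZE))
    write_checksum(sav, compute_checksum(sav))
    return sav


if __name__ == "__main__":
    sav = make_sample_save()
    before = read_checksum(sav)
    after = patch_byte(sav, 1, 0xA100, 0xCF)       # arbitrary in-range byte for the demo
    print("checksum %04X -> %04X, recomputed %04X" % (before, after, compute_checksum(sav)))
```

To use it on a real file, `bytearray(open(path, "rb").read())` the save, call `patch_byte` with the bank and CPU address of the item slot you are editing, and write the buffer back. Gold and Silver also keep a backup copy of the save with its own checksum; this example only touches the primary copy.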

The suggested item to obtain this way is TM17, which, when used from outside the TM/HM pocket, makes the game jump to DA47, in the middle of the first party Pokemon's data. With two party Pokemon of specific qualities, we can conveniently redirect execution to the buffer where box names are stored.
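The address arithmetic behind the Step 8 usage examples and the explanation above, as an added example that is not code from the video or its author. The record layout is taken from the disassembly's party struct (48 bytes per Pokemon starting at DA2A); the copy destination DF9A and the stack pointer DFB3 are the values quoted above. It derives DA8A/DA9F/DAA0, checks that the FA/AA DV pair is shiny under the Gen 2 rule, and shows which bytes of a withdrawn Pokemon land on the stack pointer.

```python
# Added example (not the video author's code).  Pure address arithmetic for the
# Gold/Silver party structure; layout from the disassembly's party struct.
PARTY_COUNT = 0xDA22    # wPartyCount, quoted in the Step 8 examples
PARTY_BASE = 0xDA2A     # party Pokemon #1 record: DA22 + 1 count byte + 7 species-list bytes
RECORD_SIZE = 0x30      # 48 bytes per party Pokemon

# (name, offset, size) inside one 48-byte party record.
FIELDS = [
    ("species", 0x00, 1), ("item", 0x01, 1), ("moves", 0x02, 4),
    ("ot_id", 0x06, 2), ("exp", 0x08, 3), ("stat_exp", 0x0B, 10),
    ("dvs", 0x15, 2), ("pp", 0x17, 4), ("happiness", 0x1B, 1),
    ("pokerus", 0x1C, 1), ("caught_data", 0x1D, 2), ("level", 0x1F, 1),
]
FIELD_OFFSET = {name: off for name, off, _ in FIELDS}


def party_addr(slot, field, index=0):
    """WRAM address of byte `index` of `field` in party slot 1..6."""
    if not 1 <= slot <= 6:
        raise ValueError("party slot must be 1..6")
    return PARTY_BASE + (slot - 1) * RECORD_SIZE + FIELD_OFFSET[field] + index


def field_at(addr, base=PARTY_BASE):
    """Resolve an address inside a run of party records that starts at `base`:
    returns (slot, offset within record, field name or None, byte index in field)."""
    slot, off = divmod(addr - base, RECORD_SIZE)
    for name, start, size in FIELDS:
        if start <= off < start + size:
            return slot + 1, off, name, off - start
    return slot + 1, off, None, 0


def is_shiny_dvs(dv_atk_def, dv_spd_spc):
    """Gen 2 shiny rule on the two DV bytes (atk<<4|def, spd<<4|spc):
    defense, speed and special DVs must be 10 and the attack DV must have bit 1 set."""
    atk, dfn = dv_atk_def >> 4, dv_atk_def & 0xF
    spd, spc = dv_spd_spc >> 4, dv_spd_spc & 0xF
    return dfn == 10 and spd == 10 and spc == 10 and (atk & 2) != 0


def return_address(byte_at_sp, byte_at_sp_plus_1):
    """`ret` pops a little-endian word: the byte at SP is the low byte."""
    return byte_at_sp | (byte_at_sp_plus_1 << 8)


def fields_on_stack(copy_dest, sp):
    """Which record bytes land on SP and SP+1 when a record is copied to copy_dest,
    i.e. which fields the game will pop as its return address."""
    return [field_at(a, base=copy_dest)[2:] for a in (sp, sp + 1)]


if __name__ == "__main__":
    print("party #3 species at %04X, DVs at %04X/%04X" % (
        party_addr(3, "species"), party_addr(3, "dvs"), party_addr(3, "dvs", 1)))
    print("FA/AA shiny:", is_shiny_dvs(0xFA, 0xAA))
    print("withdraw to DF9A with SP=DFB3 pops:", fields_on_stack(0xDF9A, 0xDFB3))
    print("TM17 target DA47 is", field_at(0xDA47))
```

The same `field_at` call resolves both the withdrawal overlap (offset 0x19 and 0x1A of the copied record, the 3rd and 4th PP bytes) and the TM17 entry point DA47 (record offset 0x1D of party Pokemon #1), which is what you need to know when choosing which fields of the two party Pokemon carry the redirect to the box name buffer.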
------------------------------

Special thanks to ISSOtm for his help with the development and testing of the method, to luckytyphlosion and gifvex for help with the TM17 setups, and to the GCL Discord for help and support.
------------------------------

Please do not ask for help with Coin Case arbitrary code execution in English Gold and Silver. I will be working on adapting the "memory editor" setup for Coin Case ACE in those versions, and there should be a video about it within the next 2 or 3 weeks. Most of the complexity involved in the ACE method shown in this video won't be a problem in the Coin Case approach for the English versions. Meanwhile, there are already many videos about Coin Case ACE (not necessarily made by me) that you can check out.

Update: Here is the Coin Case video - https://www.youtube.com/watch?v=PsIb3OZaYAs




Other Videos By Crystal_


- 2019-01-05: Pokemon R/B/Y/G/S/C - (Yet another) 20 little-known facts and curiosities
- 2018-12-08: Sending flexible arbitrary code execution from Pokemon to other GB/C games
- 2018-06-14: Pokemon Yellow - All Pikachu emotions, and a look at Pikachu's friendship
- 2018-05-11: Pokemon Gold/Silver - Inserting a custom map with arbitrary code execution
- 2018-03-29: Pokemon R/B/Y - Stat down modifier overflow glitch (and a look at the quirks of stat modifiers)
- 2018-02-14: Pokemon R/B/Y - Transform + Mirror Move / Metronome PP glitch
- 2017-12-28: Pokemon R/B/Y/G/S/C - 20 (more) little-known facts and curiosities
- 2017-11-05: Pokemon G/S/C - Beat Up glitch (link battle desynchronization)
- 2017-10-22: Pokemon Gold/Silver - Generic Coin Case ACE setup for almost any purpose (no item list required)
- 2017-10-13: Pokemon Gold/Silver - Arbitrary code execution in non-english european versions
- 2017-09-26: Pokemon G/S/C - Effects of entering battle with over 6 party Pokemon
- 2017-07-20: Pokemon Crystal - Remote code execution (sort of) through link trades
- 2017-06-15: Pokemon Red/Blue - Debugging through the mysterious Escape Rope 'ABCD' glitch
- 2017-05-27: Pokemon R/B/Y/G/S/C - 20 little-known facts and curiosities
- 2017-04-01: [APRIL FOOLS] How to transfer shiny MissingNo from Pokemon Red/Blue to the Pokebank
- 2017-03-25: Pokemon R/B/Y - Non-arbitrary code execution glitch item effects
- 2017-02-15: Pokemon Red/Blue - Two-player game via remote arbitrary code execution
- 2017-02-07: Pokemon Red/Blue - Executing arbitrary code in the opponent's game
- 2017-01-28: Pokemon VC Red/Blue (UE) - Pokemon Bank compatible Mew & shiny Pokemon (8F arbitrary code execution)
- 2017-01-13: Pokemon G/S/C - A look at the inner-workings of slot machines
- 2016-12-27: Pokemon Crystal - Arbitrary code execution: Programming a game from scratch!



Tags:
arbitrary code execution
coin case glitch
coin case shiny glitch
coin case any pokemon
pokemon gold glitches
mew glitch
celebi glitch
pokemon silver glitches
arbitrary code execution german
arbitrary code execution spanish
arbitrary code execution italian
arbitrary code execution french
gold silver arbitrary code execution
pokemon or glitch
pokemon oro glitch
pokemon argent glitch
pokemon plata glitch
pokemon oro mew
pokemon oro celebi



Other Statistics

Pokémon Gold and Silver Statistics For Crystal_

At present, Crystal_ has 291,954 views spread across 12 videos for Pokémon Gold and Silver, and close to 2 hours' worth of content for Pokémon Gold and Silver published on his channel. This is 13.37% of the total watchable video on Crystal_'s YouTube channel.