Jump to content

Coin Case glitches: Difference between revisions

Work in progress to modernise page with new methods and clearer explanations. Later edits will add more details to causes while ordering ACE example to be less legacy-centric
>Torchickens
No edit summary
(Work in progress to modernise page with new methods and clearer explanations. Later edits will add more details to causes while ordering ACE example to be less legacy-centric)
 
(42 intermediate revisions by 5 users not shown)
Line 1:
{{Arbitrary code execution}}
{{Collective Page}}
{{Major glitches}}
{{Outdated|Document new exploits, in particular simpler box name exploits}}
{{Summary page}}
{{incomplete}}
[[Image:Coin Case GD.png|frame|right|A glitch dimension caused by listening to Machop or Bellsprout's cry then viewing the Coin Case.]]
 
The '''Coin Case glitchglitches''' isare a glitchglitches that isare exclusive to the English versions of Pokémon Gold and Silver. ItThese doesglitches do not exist in any other localizationslocalization of the game, includingsuch as the Japanese version, and it doesdo not exist in Pokémon Crystal.
 
The Coin Case glitchglitches waswere previously thought to be harmlessrelatively useless, with things like [[Glitch Dimension]]s or, 'glitchy coin counts' and freezes, being the only thingseffects found, however, after Sanky and TheZZAZZGlitch researched the glitch, it was found that is possible to executeperform [[Arbitrary code execution|execute arbitrary code execution]] with it to do many things such as, but not limited to:.
 
These began with exploits such as causing a custom message to be displayed by the Coin Case, [http://tasvideos.org/4233S.html warping to Mt. Silver and enabling Red], obtaining Celebi or a [[?????|????? (FF)]], but can be expanded to perform a wide variety of effects
*Causing a custom message to be displayed by the Coin Case.
 
*Getting a glitch phone number.
=How to set up arbitrary code execution using the Coin Case=
*Warping to Mt. Silver.
 
*Obtaining Celebi or a [[?????|????? (FF)]].
The latest up-to-date guide on how to set up Coin Case ACE, along with ready-to-use codes for various applications, can be found on the [[Guides:Coin Case ACE|Coin Case ACE guide page]].
 
=ACE exploits summary=
 
While using the Coin Case triggers ACE, setups are still required to ensure that the execution gets redirected to a location that we can safely manipulate, such as box names, last read mails or stored PC items.
 
All known methods of redirecting the effects of Coin Case ACE require destabilising the [[stack]]. If the [[stack]] isn't fixed once arbitrary code execution finishes, the game will be guaranteed to crash. Due to this, all setups also need to provide a way to fix the [[stack]].
 
The Coin Case tends to be quite inconvenient to use. Setups often require specific movement patterns at specific locations to be used. Due to this inconvenience, most Coin Case ACE focus on enabling the use of other, more convenient ACE methods such as Wrong Pocket TM ACE.
 
Throughout the years, various known variations of Coin Case ACE setups were developed. These are listed below, roughly in chronological order.
 
==Radio Tower method==
 
This setup can be executed once the player reaches Goldenrod City and will redirect the effects of the Coin Case to the start of box names with the help of the last read mail.
 
This setup was developed by TimoVM.
 
===Preparation===
 
* Obtain the Coin Case
* Make sure that the first digit of the total number of held coins equals "1". (for example, 100 coins)
* Buy a Flower Mail at the Goldenrod Dept. Store
* '''Make sure to set box 1 as the current active box.'''
* Always make sure to have a valid box name code set up. You can find an example of a valid box code a bit down below.
* Give this Flower Mail to a party pokémon with the following message:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Mail English GS V2.png]]
|}
 
===Execution===
 
In order to use ACE, always perform the following steps:
 
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:EN Coin Case ACE start.png]]
||
[[File:EN Coin Case ACE end.png]]
|}
 
* Go to the Goldenrod Radio Tower and take the stairs up to the second floor. Move to the spot indicated by the above screenshot on the left. '''Save the game while you're still standing on this spot and reset the game.'''
* After reloading, take the following steps until you reach the spot indicated by the above screenshot on the left:
*# 3 steps rightwards
*# 2 steps upwards
*# 1 step leftwards
* Open the start menu, open the pokédex, then listen to the cry of Bellsprout.
* Go to the Pokémon menu and read the previously written mail.
* Open the item bag, switch item pockets at least once, then use the Coin Case. This will execute ACE.
 
===Using the Radio Tower setup to switch to Wrong Pocket TM25 ACE===
 
If the player uses arbitrary code execution to spawn a [[Wrong pocket TMs and HMs|wrong pocket TM/HM]] in the inventory, it can be used as an alternative to the Coin Case glitch, with the wrong pocket TM taking the place of the Coin Case. The main advantages to this are that the player can use the item without having to move in a specific movement pattern, and codes are both often shorter/of aid to programmers because it is no longer necessary to fix the [[stack]].
 
When used outside the TM/HM pocket, [[TMHMDex/GS:216|TM25]] is able to execute ACE starting from address $DA6A, the stat experience data of the second party pokémon.
 
The following box name code can be used to change the first item in the main item pocket to [[TMHMDex/GS:216|TM25]], along with changing the stat experience data of the third party pokémon.
 
* Change the names of box names 1 through 3 to the following (credit to TimoVM):
<pre>
Box 1: A p 0 'm é ( 4 5
Box 2: 'v 4 é y ♀ é : 4
Box 3: H 'v * é ) 4 h 'd
</pre>
* Put a pokémon in party slot #3. After being set up, this pokémon can never gain experience again without destroying the setup. Optionally, give it a nickname so you can recall that you will use it as part of the [[TMHMDex/GS:216|TM25]] setup.
* Follow the steps from the previous section to execute Coin Case ACE.
 
Once you are done, swap party pokémon #3 into the second party slot. As long as this pokémon is present in the second party slot, you can use [[TMHMDex/GS:216|TM25]] to execute box name codes. This pokémon can safely be deposited and withdrawn from the PC, but can never earn experience in battle again without destroying the setup.
 
The code used here is also compatible with Quagsire method Coin Case ACE and can be used to easily update older setups.
 
==Quagsire method==
 
This setup relies on a specific party composition. Execution will first be redirected to the third party pokémon. By ensuring that all remaining data of the third party pokémon are safe to execute (this is known as a "slide pokémon"), execution can continue until it encounters a Quagsire in slot 4. This Quagsire will then redirect execution to a secondary location based on its held item and first move.
 
Quagsire is chosen because its species ID corresponds with an unconditional jump instruction. Wooper is also elegible, but its species ID corresponds to a conditional jump instead. This means that Wooper's effectiveness depends on the exact stats of the used slide pokémon. Due to this general unreliability, Quagsire is preferred for the setup.
 
Due to the higher flexibility of box name codes, execution is often redirected to the second character of the first box name. Older setups will instead redirect to stored PC items.
 
===Preparation===
 
In its current form, it is recommended to have access to Fly so you can easily access both Cherrygrove City and Goldenrod City.
 
* Obtain the Coin Case
* Catch or evolve a Quagsire
* Catch a slide pokémon (see section after "Execution")
* Give the Quagsire a held item and first move depending on the place where code must be executed:
** (Recommended) to redirect to box names, give Quagsire a TM02 as a held item and teach it Return in the 1st move slot.
** To redirect to the second stored PC item, give Quagsire a HP Up as a held item and teach it Sleep Talk in the 1st move slot.
** To redirect to the third stored PC item, give Quagsire a Protein as a held item and teach it Sleep Talk in the 1st move slot.
* Put the slide pokémon in the third party slot, put the Quagsire in the fourth party slot.
* Make sure to set up a valid box name code or item name code (depending on the final location). You can find an example of a valid box code a bit down below.
 
===Execution===
 
* Fly to Cherrygrove City and enter the poké mart. Save and reset at the entrance of the poké mart.
* Exit the poké mart, walk exactly 4 steps to the right.
* Open the start menu, open the pokédex, then listen to the cry of Bellsprout or Machop.
* Open the item bag, switch item pockets at least once, then use the Coin Case. This will execute ACE.
 
===Catching a slide pokémon===
 
Slide pokémon are pokémon whose data doesn't contain any problematic opcode instructions, allowing execution to safely pass through the third party pokémon until it reaches Quagsire. Getting a slide pokémon is somewhat dependent on luck, but there are methods to ensure that a pokémon is usable as a slide pokémon.
 
====Rocky the Onix====
 
(credit to Crystal_ for the provided method)
 
In Violet City, in the house to the right of the pokémon center, an NPC will offer to trade you a Bellsprout for an Onix. This Onix, nicknamed "ROCKY", has set DVS and is guaranteed to work as a slide pokémon when obtained as follows:
 
* Catch any Bellsprout
* Raise it to lvl 5
* Trade it with ROCKY, since Bellsprout is lvl 5, ROCKY will also be lvl 5
 
This Onix can now be used as a slide pokémon as long as its happiness value isn't too high. It is recommended to either keep it stored in the PC as much as possible or to switch to another method of ACE, such as Wrong Pocket TM ACE.
 
====Low level Sentret====
 
(credit to TimoVM for the provided method)
 
This method requires a measure of luck to work and is meant as a backup in case ROCKY isn't available.
 
* Go to route 29. The time of day must be either morning or daytime, to be able to encounter Sentret.
* Encounter and catch a level 2 Sentret.
* Check its stats. If its Special Defense is either 6 or 8, it cannot be used. Otherwise, proceed to the next step.
* Encounter another Sentret (any level)
* Send out the Sentret you captured along with one other Pokémon (the goal is to divide the stat experience between the two Pokémon). Knock out the wild Sentret.
 
Doing this setup correctly will guarantee that your Sentret can be used as a slide Pokémon as long as its happiness value isn't too high. It is recommended to either keep it stored in the PC as much as possible or to switch to another method of ACE, such as Wrong Pocket TM ACE.
 
===Using the Quagsire setup to switch to Wrong Pocket TM17 ACE===
 
If the player uses arbitrary code execution to spawn a [[Wrong pocket TMs and HMs|wrong pocket TM/HM]] in the inventory, it can be used as an alternative to the Coin Case glitch, with the wrong pocket TM taking the place of the Coin Case. The main advantages to this are that the player can use the item without having to move in a specific movement pattern, and codes are both often shorter/of aid to programmers because it is no longer necessary to fix the [[stack]].
 
* Rename box codes 1 through 5 to the following box name codes (credit to Crystal_). This code will change the first item in the main item pocket to a [[TMHMDex/GS:208|TM17]].
<pre>
Box 1. A p 0 'd é y ♀ Pk
Box 2. 'v 't 'v é é 'l 2 h
Box 3. 'd 'd 2 'v 9 . 9 't
Box 4. é ? 2 h h h h h
Box 5. h 'm ♀ ♀
</pre>
* Once that is done, execute Coin Case ACE according to the previous sections.
* In order to use [[TMHMDex/GS:208|TM17]], put the slide pokémon in slot 1 and the Quagsire in slot 2. This will redirect TM17's effect to the location specified by the Quagsire's held item and first move.
 
Please note that Quagsire method box name codes are not compatible with wrong pocket TM17 box name codes.
 
===Quagsire method extension: TM/HM pocket quantities as code===
 
In this method, the quantities of the TM/HM pocket are used as the code. The Quagsire must be holding a Lucky Egg with Attract as its first move. If the player does not have a Lucky Egg, they can find one on a wild Chansey or get one in item slot 1 with the following box name codes, designed for TM17 (these codes will not work with the regular Coin Case method):
 
<pre>
1. Ap09'vB55
2. éy♀'d
3+ (Leave unchanged)
</pre>
 
As both this structure only holds quantities in succession at D57E (the item IDs themselves aren't stored in this structure), it is efficient for programming because the player can write the original code in GBZ80, then represent it in hexadecimal byte form (for example, by writing it in BGB debugger), [https://www.convzone.com/hex-to-decimal/ then in decimal byte form], without having to comply with limits such as a limited number of writable box name characters. Normally, this would be impossible, but obtaining 255 of every TM/HM is possible with the following TM17 codes:
 
<pre>
1: Ap'vCé225
2: 'vj'vué125
3: 'v.é52p'v9
4: é42pé625
5: 'vué82'v 5 (there is a space after the 'v and before the 5)
6: é72'v:é92
7: 09♀5♀555
8: 555555x'd (regular x not multiply sign)
</pre>
 
After acquiring 255 of every TM/HM quantity, any value from 0-255 can be acquired by selling them at the Poké Mart. These quantities represent the code.
 
====Example====
 
These quantities (from TM01 through TM19) are the required TM quantities for an every wild Pokémon is Shiny code. In order to get them, toss (255-n) of the 255 stack quantity after first obtaining it; so for TM01 toss 222 (255-33), for TM02 toss 116, and so on.
 
<pre>
33 139 255 62 213 50 62 139 50 62 195 50 201 62 7 234 25 209 201
</pre>
 
In hexadecimal form this is:
 
<pre>
21 8B FF 3E D5 32 3E 8B 32 3E C3 32 C9 3E 07 EA 19 D1 C9
</pre>
 
In the original GBZ80 form:
 
<pre>
ld hl,ff8b
ld a,d5
ldd (hl),a
ld a,8b
ldd (hl),a
ld a,c3
ldd (hl),a
ret
ld a,07
ld (d119),a
ret
</pre>
 
===Troubleshooting===
====Emulation problems====
Coin Case arbitrary code execution sadly will only work on English (both NA, EU, likely AUS) versions of Pokémon Gold and Silver. It will not work in the French, German, Spanish, Italian versions nor the Japanese and Korean versions.
 
If Coin Case arbitrary code execution is being performed on an emulator, it should first be performed on one that supports Echo RAM, as the Coin Case will always execute code in this region, and if there is incorrect emulation any Coin Case arbitrary code execution glitches will not work. An example of an emulator that doesn't support Echo RAM emulation is an older version of VisualBoyAdvance (however some newer versions support it), while an example of an emulator that correctly supports Echo RAM emulation is [http://bgb.bircd.org/ the latest version of BGB emulator].
 
Furthermore Coin Case arbitrary code execution may not work on Pokémon Stadium 2's GB Tower again due to incorrect Echo RAM emulation.
 
A few glitches that rely on obscure hardware details, such as YouTube user Crystal_'s real time walk through walls glitch OAM DMA exploit may also fail to work on certain platforms/emulators (possibly even including the 3DS Virtual Console Pokémon Gold and Silver).
 
====Slide Pokémon====
One of the most common problems with Coin Case arbitrary code execution is from having a bad slide Pokémon in slot 3. A "slide Pokémon" is a Pokémon that hasn't been trained, has good DVs, is at a good level (preferably low, caught from Route 29), has good stats and a non-problematic happiness value.
 
Unfortunately getting a good slide Pokémon is luck dependent, and it could take many attempts (even over 20 Pokémon) for you to get one.
 
The reason why bad attributes on the slide Pokémon is problematic is because these attributes are executed as code, until the game gets to Pokémon 4 where it reads the Quagsire's held item and first move as a jump location (because Quagsire's index number C3 represents the instruction jp yyxx) to a place like box names or stored PC items (depending on the item and move). This means bad opcodes such as FF (rst $38) could cause the game to not 'fall through' to the Quagsire's data, causing the game to never be able to execute the box names or stored PC items as code.
 
If a slide Pokémon was working in the past and suddenly stopped working the problem could be caused if the Pokémon gained experience (increasing its stat experience) or gained a bad happiness value. For this reason one should not walk too many steps with the slide Pokémon, and it is a good idea to faint the slide Pokémon if it previously worked but you can't get it to work anymore and didn't make it gain any experience.
 
====Wrong box names/stored PC items====
It is very important for the box names (if using a box name method) to be exactly right. If they are wrong (even if it is a small mistake such as using a character without an apostrophe before it or the wrong "x" character) the glitch will most likely not work. For this reason be extra careful when entering the box names.
 
It is also important to have stored PC items that are exactly right and are in the exact order if using a stored PC item method.
 
Sometimes as well a box name or stored PC item code will expect that the code begins at a specific location (such as character 2 of the first box name if using TM02 and Return). If the code is meant to be for another setup (like character 1 of the first box name if using TM01 and Return) then the code may not work.
 
====Not switching pockets====
Before using the Coin Case it is very important to switch item pockets at least once, or the glitch may not work.
 
====Cries and movement pattern====
If the player listened to a Pokémon cry other than Bellsprout, Machop (and a select few other compatible Pokémon) the glitch won't end up executing code in the desired location.
 
The player must also make the exact number of steps for the movement method (most commonly four steps right after walking outside of Professor Elm's lab or Cherrygrove City's Poké Mart) as making the wrong movement pattern will cause the arbitrary code execution glitch not to work.
 
====Pressing A after viewing the Coin Case====
For some box name codes, pressing A instead of B after viewing the number of coins in the Coin Case may cause the game to reset or freeze. For this reason one should always press B.
 
Immediately using the Coin Case again for the box name method can also cause the game to freeze, so one should never use the code again until they save and reset the game.
 
These codes may also slow down menus to the extreme and disable sprites. This is a workaround to the Coin Case glitch corrupting the [[stack pointer]] and can be fixed by tapping down to get to the save option, tapping A to save the game and resetting the game. Changing "Menu Account" to off in the settings beforehand will also disable the lag caused by the glitch.
 
==Cause==
In the Japanese versions of Pokémon Gold and Silver, after the hiraganatext 'まい'displayed inwhen the dialogCoin case is used is "あなたの コイン (n)<x>まい" (youryou numberhave of<x> coins). appearsNotably, aafter hex:57printing controlthe characternumber isof usedcoins (atwhich offset 0xF9FE,happens in bothtext versionscommand mode), andthe ingame bothgoes revisionsback v1.0into andplain v1text mode to print the string "まい".1 This is followed by a 0x57 character (<code><DONE></code> in the disassembly), which is a terminator that terminates both the string and itthe isenclosing validtext asscript<ref>[https://github.com/pret/pokecrystal/blob/c01409be5a9930d6f0687ce53c1c898e1855c884/home/text.asm#L567-L574 aThe terminatorfunction into thesehandle versionsthe <code><DONE></code> character]</ref>.
 
TheIn hex:57the characterEnglish isversions, stillthis usedtext asis atranslated terminator forto "Coins: (<x)>", inwhich is still followed by a 0x57 <code><DONE></code> character. However, the Englishgame versionsremains (atin offsettext 01985B0)command mode after printing the number <x>, butand it0x57 is no longernot a valid text command byte (the only valid terminator therechecked by the text command processor is 0x50 <ref>[https://github.com/pret/pokecrystal/blob/c01409be5a9930d6f0687ce53c1c898e1855c884/home/text.asm#L673-L678 The gamemain jumpsloop intofor memorythe attext command processor], which checks for the terminator <code>TX_END</code> (0x50)</ref>). Trying to execute text command 0x57 causes the game to jump to echo RAM address E112, which is essentially C112 and executes arbitrary code from there. This section of the memory can be changed by listening to cries, but if the player didn't listen to any cry, it is mainly 00, so 'nothing happens'. <!--I can't find a ret and I found an invalid opcode eventually, why doesn't the game freeze?-->, so 'nothing happens'.
 
When the player listens to a certain Pokémon cry before using the Coin Case, the game will execute code that has a noticeable effect, including glitch dimensions are, altered number of coins text and freezes, due to the data no longer being mainly 00.
 
Machop, Bellsprout and other Pokémon's cries are special because they put a hex:33 at ECHO:E117. This is read as the opcode 'inc sp' (increment stack pointer) causing the next 'ret' (return) to go elsewhere, specially to EB12, which contains overworld data. Even though there is no known way to predict the contents of this data, the results are consistent if you move in a specific pattern.
 
By having useful overworld data here, which can be manipulated by moving around, it is possible for the game to jump to an address that can reasonably be manipulated (i.e. to make the game jump to at least{{clarify}} ECHO:FA98 (essentially DA98), which is the second byte of the third Pokémon's attack stat experience.
 
If the 'out of New Bark Town lab' four steps right method is used, the game will jump to ECHO:FA98 (essentially DA98), which is the second byte of the third Pokémon's Attack stat experience.
This glitch was patched in foreign language versions other than the Japanese versions, which use the valid hex:50 terminator instead in at least the French, German, Italian and Spanish versions. It does not exist in English Pokémon Crystal, which also uses the correct 50 terminator (at offset 1C5C88).
 
If the 'out of Cherrygrove City mart' four steps right method is used, the game will jump to ECHO:FA99 (essentially DA99), which is the first byte of the third Pokémon's Defense stat experience.
(Thanks to Sanky from the forums for [http://forums.glitchcity.info/index.php/topic,6716.0.html the explanation], Wack0 for pointing out the changes to 50 in foreign non-Japanese versions and Torchickens for noticing there is a 57 as a terminator in the Japanese version)
 
This glitch was patched in language versions later than the English version and never occurred in the original Japanese versions; Kin/Gin. Foreign versions other than the Japanese versions use the valid hex:50 terminator instead of a hex:57 'terminator' in at least the French, German, Italian and Spanish versions. While Pocket Monsters Kin/Gin use a hex:57 character, it is a valid terminator here.
 
It does not exist in English Pokémon Crystal, which also uses the correct 50 terminator (at offset 1C5C88).
 
(Thanks to Sanky from the forums for [https://forums.glitchcity.info/index.php?topic=6716.0.html the explanation], Wack0 for pointing out the changes to 50 in foreign non-Japanese versions and Torchickens for noticing there is a 57 as a terminator in the Japanese version)
 
==Get Celebi with Coin Case arbitrary code execution==
{{Youtube|SpfgOVfGVTo|TheZZAZZGlitch}}
[https://www.youtube.com/watch?v=SpfgOVfGVTo Video].
 
This trick allows you to change the [[unstable hybrid glitch Pokémon|recipient byte]] of a Pokémon in Day-Care south of Goldenrod City to hex:FB, the same as Celebi. It was made by TheZZAZZGlitch.
 
Since withdrawing a Pokémon from Day-Care makes the game match tothe donor byte to the value in the recipient byte, it will be a perfectly stable Celebi when it is withdrawn.
 
===Requirements===
This glitch requires specific items in the player's item storage system (see below), and they need to be in the exact order they appear in the table, from top to bottom. For this trick, when it is done correctly, the last jump the game makes will be to the address which governs the item storage system's quantity of the second item (D61A).
 
{| border="1"
Line 53 ⟶ 305:
|x42
|-
|Lovely Mail
|x1
|-
Line 69 ⟶ 321:
|-
|[ANY ITEM]
|x[ANY QUANTITY]
|-
|Surf Mail
Line 90 ⟶ 342:
|-
|[ANY ITEM]
|x[ANY QUANTITY]
|-
|TM41
Line 106 ⟶ 358:
*The Coin Case
*A Pokémon including Bellsprout, Machop, Machoke or Omanyte registered in the Pokédex.
*Access to the Pokémon Day-Care on Route 34 and New Bark Town via Fly.
 
===Steps===
Line 123 ⟶ 375:
 
=="Hello world" program==
{{youtube|lB2ja6p-sjg|TheZZAZZGlitch}}
{{factcheck}}
[https://www.youtube.com/watch?v=lB2ja6p-sjg Video]
 
This trick was made by TheZZAZZGlitch and lets the player change the 'number of coins' to a Pokémon's nickname.
Line 147 ⟶ 398:
|x1
|-
|[ANY ITEM]
|[ANY QUANTITY]
|-
Line 295 ⟶ 546:
#Celebi
 
==="Dratini glitch" ('whichWhich move?he PP of.'" (Dratini glitch)===
 
This effect is also known as the '"Dratini glitch'". It will cause the text '"Coins:Which move?PP of.'" to pop up after viewing a certain cry and using the Coin Case. This text is long enough to go outside of the text box border.
 
The following cries have been confirmed to work:
Line 342 ⟶ 593:
 
==See also==
 
#[[Arbitrary code execution]].
#[[Glitch Dimension]] - One of the effects which can be caused by a Coin Case Glitchglitch.
#[[Game freeze]].
 
Line 352 ⟶ 602:
*[https://www.youtube.com/watch?v=lB2ja6p-sjg Youtube: Pokémon Gold/Silver: Arbitrary code execution with Coin Case (hello world program)].
*[https://www.youtube.com/watch?v=SpfgOVfGVTo Youtube: Pokemon Gold/Silver: Yet another Celebi glitch, using Coin Case arbitrary code execution].
 
[[Category:Generation II glitches]]
1,514

edits

Cookies help us deliver our services. By using our services, you agree to our use of cookies.