Submission Text Full Submission Page
"Pokémon Gold and Silver" is one of the games from the second generation of the Pokémon games. Compared to the previous series, Pokémon Red and Blue, many new features and gameplay changes were introduced. And it turned out that one of the features, storing the game corner coins in a coin case that is, would allow to beat Red in under an hour, while never defeating the Elite Four in the first place.

Categories

  • Heavy glitch abuse
  • Low% completion
  • Uses a game restart sequence

Emulator and ROM

The movie was recorded on VBA-RR v23.6 svn480. I used a standard EU Gold Version ROM found on the Interwebz. MD5: a6924ce1f9ad2228e1c6580779b23878, filename: Pokemon Gold Version (UE) [C][!].gbc
VBA seems to have problems with emulating the Real Time Clock while recording a movie, and Bizhawk seems to really like desyncing movies. Since having a movie is much better than not having it in the first place, I decided to use VBA, despite its RTC problems.

Comments

This is my second, way better attempt of using Coin Case glitches to beat the game; you can see my previous (absolutely failed) attempt here: #4084: TheZZAZZGlitch's GBC Pokémon: Gold Version "game end glitch" in 1:30:08.36.
The run uses only two glitches: Pokémon cloning glitch and the Coin Case glitch. The Coin Case glitch is what the run is focusing on, since it allows for getting the Holy Grail of glitches - arbitrary code execution.
On Pokémon Gold/Silver, there is a popular glitch involving opening the Coin Case after listening to Machop/Machamp's cry. Usually it just causes the game to restart in a weird color scheme - however, there is much more to it than expected. The Coin Case text script is improperly terminated, so the game tries to execute commands past the actual script, leading to arbitrary code execution. This text script error causes the game to jump to address $E112. By listening to specific cries, manipulating the party Pokémon list and by standing in specific locations on the map, it is possible to redirect that accidental jump to a useful location, giving me a possibility to run my own code by storing specific items into the PC box.
So the goal of the run is to turn the Coin Case's bad habit of executing arbitrary code into our favor, by forcing it to:
  • Somehow warp me to Mt. Silver
  • Make Red appear at Mt. Silver (he doesn't normally appear there before beating the Elite Four)
  • Give me a chance to defeat him with a level 20 Croconaw
  • Not crash the game in the process
I won't be getting into much detail about how the Coin Case glitch works: instead read this thread on Glitch City Laboratories Forums: http://forums.glitchcity.info/index.php/topic,6716.0.html. We already have a possiblity to execute some code, by storing items into the PC box. Now, how to make the code do everything mentioned above? Since we can execute anything directly on the console/emulator, it's possible to write any part of memory. So everything can be done by just changing a couple memory addresses:
  • DA00 -> 03, DA01 -> 56: Will warp me to Mt. Silver after leaving the current building.
  • D8A3 -> 00: Will make Red appear on Mt. Silver.
  • DA22 -> 00: Will cause the game to think I don't have any Pokémon, allowing me to instantly win the battle with Red.
To change those addresses, I created a simple "memory writer" program, which allows me to write a more complicated "memory writer" program, which finally writes the memory addresses I want.
Below is a list of items I had to acquire before doing anything:
Flower Mail     x17         
Potion          x(High nibble)      
Energy Root     x1          
ANY ITEM        x(ANY QTY)   
Escape Rope     x7           
Ice Heal        x7           
Awakening       x7           
Repel           x7            
Fresh Water     x(Low nibble)        
Berry           x2           
X Accuracy      x(Position)          
TM28            x1          
ANY ITEM        x(ANY QTY)  
Parlyz Heal     x34         
Full Heal       x17        
Flower Mail     x46        
Poke Ball       x2         
X Defend        x1         
TM49            x1         
Antidote        x1         
PsnCureBerry    x1           
Burn Heal       x2          
TM41            x1   
Thankfully, all those items are available at the game beginning, in Goldenrod Department Store.

What happens

The first program

Doing everything possible with just items is not a great idea, since we don't want going around the whole region just to get necessary items. A better solution is to make a simple program, which will write to a specified memory location, and jump to it afterwards. The first argument, controlled by the quantity of Potions, is the lower 4 bits of the byte I want to write. Quantity of Fresh Water controls the high 4 bits. Then the amount of X-Accuracies controls the least significant byte of the address to write, with the most significant one is always 0xDB. This allows me to write something more complicated to the (DB01-DB10) address range.
Because it saves time and items, the program exits in a wrong way, which will cause a very annoying side-effect: the menus will scroll the text like they were textboxes.

The second program

As soon as I deposit all the items in their respective places, I start writing the payload. Thankfully, the nearest place which allows the Coin Case to work is 4 steps from the PC. I optimized the withdraw/deposit combination so it would display the least amount of menus as possible (saves a lot of time, because of the side-effect mentioned above). Eventually, DB01 contains a sequence:
D6 12 21 FE DA 2C 2C 22 33 00 AF 3C 21 F6 12 E9
Or in assembly:
sub $12
ld hl,$dafe
inc l
inc l
ldi (hl),a
inc sp
nop
xor a
inc a
ld hl,12f6
jp hl
What the code does is takes the value set with the items (Potions and Fresh Waters), and subtracts 0x12 from it - this is to allow me to write values less than 0x10. Then it loads this value to $DA00, and returns control back to the game. By swapping the last item (TM41) with Parlyz Heals, the code is modified to jump to the second part.
One of the bytes is skipped, and set to NOP, which does nothing. The problem is that DB0A is actually in the middle of the fifth party Pokémon data, and specifies if the Pokémon has any status problems. Setting it to anything but 0 would cause the addresses to change around, which would mess up the code.
Next, this program is delicately modified, so it writes a value to $DA01 - it only requires to change one byte.

The third program

The two last addresses need to be set to the same value - 00. To speed things up, I write a yet another program - which will replace parts of the previous one. I change the bytes at $DB03 to:
EA 22 DA EA A3 D8
Instead of writing one address at a time, this one writes two: $DA22 and $D8A3. This modification is entered and executed exactly like the previous one - by running around, changing the amounts of Fresh Waters and Potions.
Finally, I execute the final piece of code, and by going through the stairs in Goldenrod Pokemon Center... I end up on Mt. Silver. The game must be saved once more, because of the previously described side-effect, which causes the credits to require mashing A to go through. Saving and resetting gets rid of this effect, and after reloading the game, we can finally talk to Red and win the battle with him, without even fighting.

Remarks

Special thanks to Sanqui, for discovering the actual arbitrary code part of the coin case glitch.

Noxxa: Judging.
Spikestuff: Removed Branch Name "glitched" as reasoning are within this discussion.
Noxxa: This movie displays a very impressive technical trick to glitch to the end using arbitrary code. However, during the first half of the movie, the gameplay is plagued by a significant amount of suboptimalities and sloppiness, and is clearly improvable in many areas, including overworld movement and item collection. Rejecting due to noticable suboptimality.


TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15576
Location: 127.0.0.1
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
What we're all thinking: Encode please! :D
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 1/5/2012
Posts: 52
Location: Maridia
I'd love to see more explanation of the programs you're writing and where you're storing them, why you stand in that specific place, etc. It seems like the game is lagging when displaying the pause menu text too? You can turn that off in the settings; does that break it? Also, I wonder about the previous method you used, adding glitched phone numbers. Is there one that executes script, rather than machine code, from a manipulable address? That might allow to do interesting things with fewer bytes.
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
Working on Encode: Link to video (Thanks YouTube for taking forever to render out >.>) CALLING FINAL (random issues with archive.org atm that's why no sonic)
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Experienced player (658)
Joined: 5/16/2009
Posts: 235
enjoyed the TAS, but still would like to see more explanation about some of the tricks done in the run / items you bought / items you picked, etc.
Joined: 10/1/2013
Posts: 98
Location: My Basement
Would this trick be viable in a real-time run? From your description of it, it doesn't seem to be dependent on RNG.
Experienced player (584)
Joined: 2/23/2008
Posts: 266
Location: CA, USA
Well that looked complicated. Shame you needed to move items around so much and reuse the coin case, but whatever gets the job done. The end result was really sweet! I did find myself fast forwarding a lot so I will give this a weak yes vote.
Player (13)
Joined: 6/17/2006
Posts: 508
So you put a program in your program in your inventory in your PC in the game so that you can beat Pokémon while beating Pokémon while using your Coin Case while beating Pokémon? Impressive!
Fortranm
He/Him
Editor, Experienced player (878)
Joined: 10/19/2013
Posts: 1121
Impressive run. Yes vote. I thought you were gonna use 6 I's with proteins to beat Red though :P
Joined: 12/6/2008
Posts: 1193
Sorry, voting no. While this glitch is certainly impressive the resulting movie is boring as hell and the poll-question is if this movie is entertaining. It is not.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
Do you think that this route is faster than the route used for glitched any% RTA (with the making of the bad clone)?
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Editor
Joined: 11/3/2013
Posts: 506
A two-hour obsoletion of perhaps the most nostalgic game of my childhood? How could I resist? I'm also intrigued by Patashu's question and was going to ask it myself. AFAIK nobody knows how to manipulate map distortions at the moment, right? Just about to watch, probably with some popcorn, because this run deserves it. EDIT: So I've watched this now, and honestly I sympathise with Slowking. This is a remarkable technical achievement but it does test the patience somewhat, with the fifteen-or-so minutes of item glitching at the end - in fact, in this respect it is somewhat reminiscent of Bobtreb's Pokemon-Yellow-that-becomes-The-Matrix-that-becomes-My-Little-Pony movie. While this belongs on the site, I'm not sure it deserves a moon. The only reason I have abstained rather than voted "no" is that I kept thinking to myself "keep watching, something amazing is about to happen", and that kept me watching it and looking forward to the payoff, which was ultimately a bit disappointing. Again, like Bobtreb's movie. I guess since that movie got a moon this should too by that logic. The RTA route is probably more entertaining, but sometimes the quickest route is not the most entertaining. Anyway, congrats on a two-hour obsoletion of a seven-year-old movie. One thing to note is that the word "glitched" in the title can probably go, since the old movie was a Vault run, and hence will be obsoleted now it is not the fastest time.
Tompa
Any
Editor, Expert player (2215)
Joined: 8/15/2005
Posts: 1941
Location: Mullsjö, Sweden
Werster, WR holder for the real time version of this run, streamed the run yesterday with comments: http://www.twitch.tv/werster/b/486207288?t=1h32m35s
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
Tompa wrote:
Werster, WR holder for the real time version of this run, streamed the run yesterday with comments: http://www.twitch.tv/werster/b/486207288?t=1h32m35s
Correction (marked in bold on what's wrong.) - FWR Holder. CP1414 has 1:13:26 - Today. He is Australian. Sorry Tompalalalalalalalalala In other news. No Nico version exists yet... trying to make one. Right, never-mind on that account for me anyway. Edit: Question for Slowking and thatguy. Just on what you said. Can you justify with This in your reasoning (not trying to be picky just curious).
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Experienced player (584)
Joined: 2/23/2008
Posts: 266
Location: CA, USA
Tompa wrote:
Werster, WR holder for the real time version of this run, streamed the run yesterday with comments: http://www.twitch.tv/werster/b/486207288?t=1h32m35s
Very interesting watch... I wonder how much time would be saved with optimal movement, talking to some trainers to save time, better manipulated stats, buying a few items instead of picking them up, etc. And of those what could be changed without messing up the code execution.
Tompa
Any
Editor, Expert player (2215)
Joined: 8/15/2005
Posts: 1941
Location: Mullsjö, Sweden
Spike: I guess the date could be wrong :). Though his time is 1:12:24: http://www.twitch.tv/werster/c/3338277
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
Tompa wrote:
Spike: I guess the date could be wrong :). Though his time is 1:12:24: http://www.twitch.tv/werster/c/3338277
Ah, apologizes on that one, Werster hasn't updated his spreadsheet.
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Editor, Experienced player (570)
Joined: 11/8/2010
Posts: 4036
Thanks for the encode, Spikestuff! This is quite a technically impressive run, TheZZAZZGlitch. However, I have to say I wasn't entertained, unless you count the novelty of seeing most of the game for the first time, so I'm going to vote No. I found the ending funny and surprising though. By the way, when this is published, it'll either obsolete the currently published run (likely, since it's in the Vault) or be published alongside it as the any% run. It won't retain its "glitched" branch name.
Spikestuff
They/Them
Editor, Publisher, Expert player (2642)
Joined: 10/12/2011
Posts: 6438
Location: The land down under.
CoolKirby wrote:
By the way, when this is published, it'll either obsolete the currently published run (likely, since it's in the Vault) or be published alongside it as the any% run. It won't retain its "glitched" branch name.
Would it be renamed to "no save corruption" or just nothing at all?
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Noxxa
They/Them
Moderator, Expert player (4124)
Joined: 8/14/2009
Posts: 4090
Location: The Netherlands
It looks like this run is quite suboptimal in many areas (prior to the arbitrary execution part). Werster's commentary does a pretty good job at pointing this out. There's just all kinds of sloppy mistakes, bad overworld movement, bad battles, bad luck manipulation (Totodile having bad stats and missing KOs because of this is a very bad one), and other decisions that don't seem sensible or necessary (getting Potions/Super Potions at bad or weird places when there are faster ones available to get, going out of the way to get a Parlyz Heal instead of buying it at the shop, etc.). I'm also not convinced the arbitrary execution method is the optimal to do it either. According to the submission text, you write a memory writer in arbitrary code, in order to write a more advanced memory writer, just to write 4 values in memory? Is it impossible to just assemble instructions to modify those values directly? That'd seem like it could be significantly faster. Of course, I don't know if that's possible. EDIT: Never mind, I see this is explained in the submission comments now.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
Editor, Experienced player (570)
Joined: 11/8/2010
Posts: 4036
Spikestuff wrote:
Would it be renamed to "no save corruption" or just nothing at all?
It would gain a branch name like "no save corruption", and this run would be published with no branch name.
Editor
Joined: 11/3/2013
Posts: 506
Spikestuff wrote:
Question for Slowking and thatguy. Just on what you said. Can you justify with This in your reasoning (not trying to be picky just curious).
I think the main reason is that I didn't read the submission notes before this one, because I assumed it would be an optimised version of wersterlobe's RTA (looking at the time, it seemed reasonable) which I had already seen and understood roughly. So I didn't really understand what was going on. Having read the comments afterwards, I am now regretting my "meh" vote a little. I have mixed feelings - I really want this run to be in moons, but I wasn't really entertained by it.
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
Published? Yes Entertaining? No
Joined: 12/6/2008
Posts: 1193
Spikestuff wrote:
Question for Slowking and thatguy. Just on what you said. Can you justify with This in your reasoning (not trying to be picky just curious).
Certainly. That one doesn't have over 15 minutes of shuffeling items. Also play before the glitch is much better.
Joined: 4/23/2012
Posts: 7
Voting no due to sloppy gameplay (both in battle and on the overworld) and poor luck manipulation during the early game.