Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 45865 times)


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • Gender: Male
  • Pewter City (B)rocks !
    • My Little Website
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #315 on: November 14, 2017, 06:47:37 pm »
You can set b and d by pushing and popping cleverly. I agree it doesn't add much, but it still has potential if a large script is ever needed, such as a GUI memory editor (offgao's being the reference for this in Gen I).
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #316 on: November 15, 2017, 11:19:34 am »
Hey all, I remade my Catch 'em all code into a TM quantity script. It is considerably more lengthy, but it has some benefits over the original.

First, use Evie's x255 TM code.

After which, spell the following opcodes with TM quantities:

Keep/Deposit:
62/193
(SpeciesId)/(255 - SpeciesId)     // This quantity will be reset to 255 after Wrong Pocket is executed
234/21
247/8
248/7
62/193
237/18
234/21
249/6
248/7
175/80
61/194
234/21
127/128
245/10
201/54

Then, write the following box name code:

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: p'vCé?255
Box 5: 5p'mA(female)555
Box 6: (Doesn't matter)
Box 7: p0AéA'dyy
Box 8: p0éé(female)'dyy
Box 9: p0ké0'dp'd
Box 10: p0A'vxéJ9
Box 11: p'dyyyyyy

Finally, execute wrong pocket. Your desired Pokémon will be found in the wild with 100% encounter rate.

With the old code, if the desired Pokémon's ID is lower than $7f, you had to change a box name and add $7f to the species id. With the new code, no special adaptations are necessary for any Pokémon. Another flaw that plagued the old code was that it was required to SAVE/RESET to shut it off. To shut off the new code, simply replace Box 9 with:

yyyyyyyy

After this, the OAM DMA will patch itself thanks to code written at Box 10-11, and it will be safe to write other box name codes in the Box 7-12 region.

The old code may be preferable due to length, but this is here if one would rather use it. :)
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago
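As an added illustration (not code from the thread or its authors): a small decoder for the Keep/Deposit TM-quantity script above. Each line of that script is one GBz80 byte and the Deposit column is simply 255 - Keep; the species value 0x19 used below is a constructed sample, and the echo-RAM annotation (addresses $E000-$FDFF mirror $C000-$DDFF) is my own reading of why the script's store targets look the way they do.

```python
# Opcode subset used by the scripts in this thread: (template, operand bytes).
OPS = {
    0x3E: ("LD A, {n}", 1), 0xEA: ("LD [{nn}], A", 2), 0xAF: ("XOR A", 0),
    0x3D: ("DEC A", 0), 0xC9: ("RET", 0), 0x03: ("INC BC", 0),
    0x0E: ("LD C, {n}", 1), 0x0D: ("DEC C", 0), 0x79: ("LD A, C", 0),
    0x06: ("LD B, {n}", 1), 0x1A: ("LD A, [DE]", 0), 0x1B: ("DEC DE", 0),
    0x32: ("LD [HLD], A", 0), 0x20: ("JR NZ, {r}", 1), 0x05: ("DEC B", 0),
    0x23: ("INC HL", 0), 0xE9: ("JP HL", 0), 0x11: ("LD DE, {nn}", 2),
    0x21: ("LD HL, {nn}", 2), 0x04: ("INC B", 0), 0x01: ("LD BC, {nn}", 2),
}

def disassemble(code):
    """Return (offset, mnemonic) pairs for a GBz80 byte sequence.
    16-bit operands are little-endian; a target in echo RAM ($E000-$FDFF)
    is annotated with the WRAM address it mirrors."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPS:                       # outside the subset
            out.append((i, f"DB ${op:02X}"))
            i += 1
            continue
        text, size = OPS[op]
        args = code[i + 1:i + 1 + size]
        if len(args) < size:
            raise ValueError(f"truncated operand at offset {i}")
        if size == 1:                           # imm8 or signed JR offset
            r = args[0] - 0x100 if args[0] > 0x7F else args[0]
            text = text.format(n=f"${args[0]:02X}", r=f"{r:+d}")
        elif size == 2:
            nn = args[0] | (args[1] << 8)
            text = text.format(nn=f"${nn:04X}")
            if 0xE000 <= nn <= 0xFDFF:
                text += f" (echo of ${nn - 0x2000:04X})"
        out.append((i, text))
        i += 1 + size
    return out

def keep_deposit(code):
    """The Keep/Deposit pairs the post lists: Deposit is 255 - Keep."""
    return [(b, 255 - b) for b in code]

def tm_script(species_id):
    """Keep-column bytes of the post's script with SpeciesId filled in."""
    return [62, species_id, 234, 247, 248, 62, 237, 234, 249, 248,
            175, 61, 234, 127, 245, 201]

if __name__ == "__main__":
    for off, m in disassemble(tm_script(0x19)):   # 0x19: constructed sample
        print(f"{off:02}: {m}")
```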

Krys3000

  • The frenchie
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #317 on: November 16, 2017, 03:55:12 am »
It's good to have many possibilities to do the same thing :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character. For the French version, I had to use 5 different variations of the code (basically the original one, the 'sub 7f' one, and three other subs with different values) to get them all. I'm assuming it can be improved to 4 codes somehow. It would be great anyway to have the full coverage for the English version too :)

Admin of the PRAMA Initiative, the main French Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #318 on: November 16, 2017, 06:54:26 am »
Thank you! :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character.

Yep. There were some Pokemon (Hex $d8, to name one) that couldn't be obtained with the $7f trick. Any Pokemon who fit into that category had to be obtained with clever use of integer underflow (For example, Hex $d8 could be obtained using $80 - $a8). That was a pain, so hopefully this new code fixes that. :)

As for French translations, it may take me a while to translate this new code, but I'm certain it should still work.

spamviech

  • GCLF Member
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #319 on: November 19, 2017, 03:07:47 pm »
Needed a break from playing Ultra Moon, so here is a new code to actually use Mail data.
So far this code is only able to use one Mail, since for more you'd need to also skip trainer name data.

The code is an item code, so I can also use it on the German version. This also enables text-based codes, even though they are still complicated (no sub/add instruction).
To execute item codes use a Quagsire holding a HP Up with Sleep talk as its first move after your Slide-Pokémon.

First, here are two short item codes to get the required items:

Box Item 1 quantity changed to 255:
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 03 LD A, C; INC BC
TM42 x 24 LD [18d6], A
TM23 x 03 INC BC
TM10 x Any RET

Change Box Item 1 to any item you want:
Code:
Any x Any
Any x 03 INC BC
PP-Up x {item} LD A, {item}
TM42 x 23 LD [17d6], A
TM23 x 03 INC BC
TM10 x Any RET

And now to the big one:
Copy the message of the first mail in your PC to the end of box names and execute them. If you only want to copy them without execution replace the final TM41 (JP [HL]) with TM10 (RET).
Code:
Any x Any
Any x 62 LD A, 0a
Burn Heal x 234 LD [1201], A
Potion x 01
Full Restore x 01 LD C, 01
Paralyz Heal x 121 DEC C; LD A, C
TM42 x 01 LD [0140], A
Max Ether x 03 INC BC
X-Accuracy x 60 LD HL, 3cd9
TM26 x 17 LD DE, 55a8
Red Apricorn x 168
Brightpowder x 06 INC BC; LD B, 01
Master Ball x 14 LD C, 10
Hyper Potion x 26 LD A, [DE]
Protein x 50 DEC DE; LD [HLD], A
Paralyz Heal x 32 DEC C; JR NZ, fa
HM08 x 27 DEC DE
Poké Ball x 32 DEC B; JR NZ, f4
HM02 x 01 LD BC, ...
Any x Any
Great Ball x 35 INC B; INC HL
TM41 x Any JP [HL]

Note that box name terminators are also overwritten, so the copied box names probably look glitchy.
All codes from this post are for wrong-pocket-TM execution, since they are mostly meant for non-english games where Coin Case ACE is not possible.
Edit:
Looked into it some more.
After the mail message there are 8 bytes (including 50h terminator) which appear to be used for the name of the sender.
Afterwards are 6 bytes with info on the type of the mail. A surf mail produces 84 86 F3 74 F9 B5 while a flower mail gives 84 86 F3 74 A3 9E. I have also seen this for a flower mail 00 00 F3 74 16 9E, so there appears to be some additional data stored here.
Afterwards, the next mail starts with its message.
« Last Edit: November 19, 2017, 04:55:38 pm by spamviech »