Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 48137 times)


ISSOtm (Wiki Contributor)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #315 on: November 14, 2017, 06:47:37 pm »
You can set b and d by pushing and popping cleverly. I agree it doesn't add much, but it still has potential if a large script is ever needed, such as a GUI memory editor (offgao's being the reference for this in Gen I).
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #316 on: November 15, 2017, 11:19:34 am »
Hey all, I remade my Catch 'em all code into a TM quantity script. It is considerably more lengthy, but it has some benefits over the original.

First, use Evie's x255 TM code.

After which, spell the following opcodes with TM quantities:

Keep/Deposit:
62/193
(SpeciesId)/(255 - SpeciesId)     // This quantity will be reset to 255 after Wrong Pocket is executed
234/21
247/8
248/7
62/193
237/18
234/21
249/6
248/7
175/80
61/194
234/21
127/128
245/10
201/54

Then, write the following box name code:

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: p'vCé?255
Box 5: 5p'mA(female)555
Box 6: (Doesn't matter)
Box 7: p0AéA'dyy
Box 8: p0éé(female)'dyy
Box 9: p0ké0'dp'd
Box 10: p0A'vxéJ9
Box 11: p'dyyyyyy

Finally, execute wrong pocket. Your desired Pokémon will be found in the wild with 100% encounter rate.

With the old code, if the desired Pokémon's ID is lower than $7f, you had to change a box name and add $7f to the species ID. With the new code, no special adaptations are necessary for any Pokémon. Another flaw that plagued the old code was that it was required to SAVE/RESET to shut it off. To shut off the new code, simply replace Box 9 with:

yyyyyyyy

After this, the OAM DMA will patch itself thanks to code written at Box 10-11, and it will be safe to write other box name codes in the Box 7-12 region.

The old code may be preferable due to length, but this is here if one would rather use it. :)
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Krys3000 (Distinguished Member, head admin of the PRAMA Initiative)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #317 on: November 16, 2017, 03:55:12 am »
It's good to have many possibilities to do the same thing :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character. For the French version, I had to use 5 different variations of the code (basically the original one, the 'sub 7f' one, and three other subs with different values) to get them all. I'm assuming it can be improved to 4 codes somehow. It would be great anyway to have the full coverage for the English version too :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Epsilon (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #318 on: November 16, 2017, 06:54:26 am »
Thank you! :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character.

Yep. There were some Pokémon (hex $d8, to name one) that couldn't be obtained with the $7f trick. Any Pokémon that fit into that category had to be obtained with clever use of integer underflow (for example, hex $d8 could be obtained using $80 - $a8). That was a pain, so hopefully this new code fixes that. :)

As for French translations, it may take me a while to translate this new code, but I'm certain it should still work.

spamviech (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #319 on: November 19, 2017, 03:07:47 pm »
Needed a break from playing Ultra Moon, so here is a new code to actually use Mail data.
So far this code is only able to use one Mail, since for more you'd need to also skip trainer name data.

The code is an item code, so I can also use it on the German version. This also enables text-based codes, even though they are still complicated (no sub/add instruction).
To execute item codes use a Quagsire holding a HP Up with Sleep talk as its first move after your Slide-Pokémon.

First, here are two short item codes to get the required items:

Box Item 1 quantity changed to 255:
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 03 LD A, C; INC BC
TM42 x 24 LD [18d6], A
TM23 x 03 INC BC
TM10 x Any RET

Change Box Item 1 to any item you want:
Code:
Any x Any
Any x 03 INC BC
PP-Up x {item} LD A, {item}
TM42 x 23 LD [17d6], A
TM23 x 03 INC BC
TM10 x Any RET

And now to the big one:
Copy the message of the first mail in your PC to the end of box names and execute them. If you only want to copy them without execution, replace the final TM41 (JP [HL]) with TM10 (RET).
Code:
Any x Any
Any x 62 LD A, 0a
Burn Heal x 234 LD [1201], A
Potion x 01
Full Restore x 01 LD C, 01
Paralyz Heal x 121 DEC C; LD A, C
TM42 x 01 LD [0140], A
Max Ether x 03 INC BC
X-Accuracy x 60 LD HL, 3cd9
TM26 x 17 LD DE, 55a8
Red Apricorn x 168
Brightpowder x 06 INC BC; LD B, 01
Master Ball x 14 LD C, 10
Hyper Potion x 26 LD A, [DE]
Protein x 50 DEC DE; LD [HLD], A
Paralyz Heal x 32 DEC C; JR NZ, fa
HM08 x 27 DEC DE
Poké Ball x 32 DEC B; JR NZ, f4
HM02 x 01 LD BC, ...
Any x Any
Great Ball x 35 INC B; INC HL
TM41 x Any JP [HL]

Note that box name terminators are also overwritten, so the copied box names probably look glitchy.
All codes from this post are for wrong-pocket-TM execution, since they are mostly meant for non-English games where Coin Case ACE is not possible.



Edit:
Looked into it some more.
After the mail message there are 10 bytes (including 50h terminator if name is shorter (which it should be)) which appear to be used for the name of the sender.
Afterwards are 4 bytes with info on the type of the mail. A surf mail produces F3 74 F9 B5 while a flower mail gives F3 74 A3 9E.
Afterwards, the next mail starts with its message.
« Last Edit: November 21, 2017, 09:16:50 am by spamviech »

spamviech (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #320 on: November 26, 2017, 10:37:03 am »
Here is a code to copy the messages of your first four mails in your mailbox/PC into box names (and a few bytes after) and execute them afterwards. (Edit: turns out VC doesn't like execution) (Edit²: turns out me being stupid doesn't help avoiding VC peculiarities)
With this, execution of text-based code for the German version is at least possible (yay for é; ignore the fact that with clever use of call it might have been already), even though it's still difficult (no sub/add).

TM quantity code for wrong-pocket-TM execution (Quagsire, Lucky Egg, Attract):
Code:
Copy content of Mail 1-4 to box names (and a few bytes after) and execute it
format: keep/deposit code
TM01 62/193 ld a, 0a
TM02 10/245
TM03 234/21 ld [0000], a
TM04 0/255
TM05 0/255
TM06 175/80 xor a
TM07 234/21 ld [0040], a
TM08 0/255
TM09 64/191
TM10 1/254 ld bc, f0a8 (Mail Data End; before start of Message 5)
TM11 240/15
TM12 168/87
TM13 33/222 ld hl, 3ef9 (a bit after box names)
TM14 62/193
TM15 249/6
TM16 22/233 ld d, 04
TM17 4/251
TM18 205/50 call 97f5 (.copymail)
TM19 151/104
TM20 245/10
TM21 21/234 dec d
TM22 32/223 jr nz, fa (TM18)
TM23 250/5
TM24 35/220 inc hl
TM25 233/22 jp [hl]
TM26 30/225 ld e, 0e | .copymail -> d597
TM27 14/241
TM28 11/244 dec bc
TM29 29/226 dec e
TM30 32/223 jr nz, fc (TM28)
TM31 252/3
TM32 205/50 call a5f5 (.copyline)
TM33 165/90
TM34 245/10
TM35 11/244 dec bc
TM36 205/50 call a5f5 (.copyline)
TM37 165/90
TM38 245/10
TM39 201/54 ret
TM40 30/225 ld e, 10 | .copyline -> d5a5
TM41 16/239
TM42 10/245 ld a, [bc]
TM43 50/205 ld [hld], a
TM44 11/244 dec bc
TM45 29/226 dec e
TM46 32/223 jr nz, fa (TM42)
TM47 250/5
TM48 201/54 ret

As a quick proof of concept, this message for your first mail changes the beginning character of Box 7 to ¥ (pokédollar symbol; used as replacement here).
Code:
p0¥é♀2Ä
« Last Edit: December 10, 2017, 02:20:22 pm by spamviech »

Krys3000 (Distinguished Member, head admin of the PRAMA Initiative)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #321 on: November 26, 2017, 11:55:30 am »
That's very nice, we could add that to the newcomers guide!


spamviech (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #322 on: November 26, 2017, 12:28:13 pm »
Currently testing this a bit and VC doesn't seem to like the execution part of this code. It restarts with wonky colors, changes your options and mailbook upon reloading. Also I apparently beat the Elite 4 once, which was the 80th time, with a bunch of Slowbros and a Zapdos. :o
I replaced the jp [hl] instruction with a ret statement to simply copy it towards box names, which then can be executed as normal (or with the Quagsire holding TM01 instead of TM02 to start with character 1).

At least for now I didn't notice any negative side effects.


If you add this to the beginners guide you should also include the part about how to maximize TM/HM count presented here.
And maybe include the ability to increase/decrease deposit quantities by 10 via left/right input. I totally forgot about it and re-finding it made things way easier.
TM-codes are still a pain to set up ingame, though.
« Last Edit: November 26, 2017, 12:34:36 pm by spamviech »

Epsilon (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #323 on: November 26, 2017, 04:48:50 pm »
VC probably won't like anything that involves SRAM.

spamviech (GCLF Member)
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #324 on: December 10, 2017, 01:30:23 pm »
luckytyphlosion told me about a temporary mail buffer and after poking I found it to be at $ceed (same for English and German, probably other European versions as well).

It is reset after reloading and contains the data from the mail last written or read (maybe also on transfer to PC, forgot to test this one).
For most shorter codes this is probably the preferred way to write text-based code. You only have to account for a 4e character after the first line (16 bytes) of text.
This also allows to store a few different codes and circle them without constant rewriting.

To execute you would either have to teach your Quagsire False Swipe as a first move (can't learn naturally) and give it a TM45 or use this box item code:
Code:
Any x Any
Any x 195
TM45 x 206
For the English version (possibly others) there also exists this box name code:
Code:
1) A p 0 z'v 1 5 5 XOR A; OR b9; SUB f7; EI; EI; LD D, B | A->ce
2) é'r 2'vPk é'm 2 LD [d3f8], A; SUB e1; LD [d2f8], A; LD D, B | A->ed
3)'m ^ ^ JP NC, {edce}


Also to note about my previous code:
I swapped registers for some reason, so it still was execution in SRAM. Direct execution after copying might be possible after all.
Will add results once I've tested this with corrected registers.

Edit:
Using the right registers direct execution works. I'll edit my original post.
« Last Edit: December 10, 2017, 02:16:27 pm by spamviech »