Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 39994 times)


Sanqui

  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Hello all!  I was going to hold off releasing this until I make an actual "hello world"-like proof of concept, but I don't think you guys need one, and I bet you'll try to do some cool stuff with it yourself.

So, this exploit allows you to execute arbitrary code (i.e., jailbreak) the English version of Pokémon Gold.  Unfortunately, it is much more limited than the 8F item you have grown to like from Gen 1, but it's still pretty nifty, and might pave the way to a better exploit!

Long explanation

To explain.  You have probably heard of the coin case glitch, where if you speak to the Machop in Vermilion and open the coin case, the game crashes.  But I haven't found anybody actually studying what the game does, so I traced it and figured out why it happens.
In short, I believe the translators messed up.  The text script for the Coin Case ("Coins: 1234") ends in a $57, which while a valid text ending byte, is not a valid text script byte.  (The correct one would've been $50.)  Since after printing the number, the game is in text script mode, the game reads an invalid pointer and, surprise, jumps into memory at $e112 (since that's ECHO RAM, it's essentially $c112).  This section of RAM is used by cries.  Most of the time, it's filled by zeroes, and by sheer luck ends in a ret.  But if you play a cry immediately before opening the Coin Case, the memory will be tainted.
Most cries don't do much, some return successfully, some mess with the text a bit.  Machop's cry is special, because it happens to contain inc sp.  This causes the ret to go elsewhere, specifically, $eb12, which contains some overworld stuff...  Specifically, as you move around, it has tile attributes for the window tilemap.  The contents are mostly unpredictable, but consistent if you move in a specific pattern, which will lead us to $FA98 (again, ECHO RAM, so essentially $DA98).  This is in the middle of the third party Pokémon's data, which is already something we can sanely work with!  You could probably hunt a Pokémon with specific EVs and stats in order to construct some opcodes, but I opted for picking a Pokémon whose data doesn't do anything and slides through to the fourth Pokémon.
The first three bytes of a Pokémon are species, item and first move.  Thus, we can construct a Pokémon which "jumps" somewhere useful.  I picked the PC box for this purpose: $D61A, which is the second boxed item's amount.
So, now we can get the game to execute what we can control.  Unfortunately, like I warned, this method is extremely limited.  Since the arbitrary code on the way tampered with the stack and random memory, one would have to carefully reconstruct these in order to return control *back* to the game after opening the Coin Case.  It should be possible, but I didn't explore this.  So, for now, this is a one-way trip.

Preparation
Get a Quagsire with HP Up and Sleep Talk as the first move.  Put it fourth in party.
Put a valid slide Pokémon in slot 3.  A low-level freshly caught or hatched Pokémon should work.  (The Pokémon's data CANNOT have code which changes code flow, such as jumps, calls or rets.)
Build the code you want to execute in the PC, starting from the second item's count.

Exploit
You MUST move in specific ways, though there may be other methods.
0. Prepare everything.
1. Save & Restart, or step through a warp.
2. Take a step down and four steps right.  (Three to the left might work, too?)
For example, if you were performing this trick from Elm's lab (the traditional method), you'd be standing here:

3. Listen to Machop's cry (I used the Pokédex, but party should work too)
4. Open the bag and change pockets at least once
5. Open the Coin Case
At this point, the game does a ton of wacky stuff and eventually jumps to $D61A, which should contain your code!
The state is (but it might depend on your slide Pokémon):
af=2800  bc=0f0f  de=0600  hl=1c2f  sp=dfbc  pc=d61a  rom=66
Interrupts DISABLED (?)

Final words
I don't believe this exploit works on the Japanese version, but I haven't tested.  It was definitely fixed in Crystal.  It also may have been fixed in other language revisions.

I hope to see some cool stuff done with this, but I do realize that the set up is kind of annoying.  Have fun, anyway.

—Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?
« Last Edit: December 26, 2013, 04:52:10 pm by Sanqui »

TheZZAZZGlitch

  • Distinguished Member
  • Gender: Male
  • Unknown opcode fc at 801a
That's awesome. And I thought Gen II was written well.
I did some more research into this, and I have a lot to say:

First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by the player's money and item availability.

A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once, as in this example:

Bag opens and starts in the Items pocket: just go to Key Items and use Coin Case.
Bag opens and starts in the Key Items pocket: go to any pocket first, then go back to Key Items and use Coin Case.

This is required since playing the "pocket switch" sound changes bytes at $E162 to {0x08,0x00,0x00} - ld (0000),sp; otherwise, the bytes are left with values {0x20,0x10,0x00} - jr nz,E174 - which causes the game to skip important code parts.

About a "slide Pokemon": It seems that any low level Pokemon will do the trick. Those little critters will probably not have any stats/IVs bigger than 32, and thus, they should not be able to change the code flow.

Now it's time to end the boring part and do something amazing with it!

Doing something useful seems impossible, since after all this the stack is severely messed up. However, there is a small trick that will bring everything back to order:

Code:
inc  sp
ld   bc,$0134
push bc
jp   12f5

The first [inc sp] negates the effects of the previous [inc sp]. After this, the stack will look like this:

     Return address to the Coin Case script
SP-> Text loading routine: saved register AF
     *Text loading routine's saved register HL should be there*
     *Return address to the text reading routine should be there*


Then, I push a value $0134 into the location where the text reading function's saved register HL was supposed to be, and I jump back where the text reading routine is located ($12F5). The game is now tricked into thinking it was reading text data from $0134. On a normal clean ROM, address $0134 always contains value $50 - so the text routine thinks that text data is over and returns control back to the game. Mission accomplished!

Hello World:

This is an example program, which will display the first Pokemon's nickname instead of the amount of coins, as long as this nickname is less than 10 characters:



Because of many restrictions, most of the code is just elaborate ways of doing nothing, just to pad the memory and make the program representable with items.

Code:
WRA1:D61A 26 DA            ld   h,DA      ; hl = $DA??
WRA1:D61C 02               ld   (bc),a    ; * do nothing
WRA1:D61D 24               inc  h         ; hl = $DB??
WRA1:D61E 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D621 B5               or   l         ; * do nothing
WRA1:D622 2E 8A            ld   l,8A      ; hl = $DB8A
WRA1:D624 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D627 AF               xor  a         ; a = $00
WRA1:D628 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D62B 22               ldi  (hl),a    ; $DB8A = $00, HL = $DB8B
WRA1:D62C 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D62F 0B               dec  bc        ; * do nothing
WRA1:D630 3E 27            ld   a,27      ; a = $27
WRA1:D632 07               rlca           ; a = $4E
WRA1:D633 B8               cp   b         ; * do nothing
WRA1:D634 3C               inc  a         ; a = $4F
WRA1:D635 02               ld   (bc),a    ; * do nothing
WRA1:D636 22               ldi  (hl),a    ; $DB8B = $4F, HL = $DB8C
WRA1:D637 9E               sbc  a,(hl)     ; * do nothing
WRA1:D638 33               inc  sp        ; bring the stack back to order
WRA1:D639 2B               dec  hl        ; hl = $DB8B
WRA1:D63A 2B               dec  hl        ; hl = $DB8A
WRA1:D63B E5               push hl        ; make the game read text from $DB8A
WRA1:D63C 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D63F 26 12            ld   h,12      ; hl = $128A
WRA1:D641 B7               or   a         ; * do nothing
WRA1:D642 2E F5            ld   l,F5      ; hl = $12F5
WRA1:D644 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D647 E9               jp   hl        ; jump to $12F5 (print the text and return control)
WRA1:D648 01 FF 01         ld   bc,01ff   ; leftovers (last item's qty and end of list marker)

Represented as items:

[ANY ITEM]                 x[ANY QUANTITY]
[ANY ITEM]                 x38
TM27                       x2
Nugget                     x1
[ANY ITEM]                 x[ANY QUANTITY]
Surf Mail                  x46
Charcoal                   x1
[ANY ITEM]                 x[ANY QUANTITY]
Squirtbottle               x1
[ANY ITEM]                 x[ANY QUANTITY]
Leaf Stone                 x1
[ANY ITEM]                 x[ANY QUANTITY]
Ice Heal                   x62
Revive                     x7
Lovely Mail                x60
Ultra Ball                 x34
Flower Mail                x51
Max Repel                  x43
TM37                       x1
[ANY ITEM]                 x[ANY QUANTITY]
Full Heal                  x18
Portraitmail               x46
HM03                       x1
[ANY ITEM]                 x[ANY QUANTITY]
TM41                       x1


A video here: http://www.youtube.com/watch?v=lB2ja6p-sjg
« Last Edit: July 11, 2013, 02:38:55 am by TheZZAZZGlitch »
qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
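ZZAZZ's hello world can be checked without a Game Boy by stepping its 49 listed bytes through a small interpreter. What follows is an added example, not code from this thread or from ZZAZZ: it implements only the opcodes the listing uses, starts from the register dump Sanqui gave for the moment control reaches $D61A, fills the "??" operand bytes with a constructed 0x00 (nothing ever reads them), and models only WRAM, so the run ends when jp hl hands control back to the ROM text routine at $12F5. It confirms the two bytes written at $DB8A/$DB8B, the net effect of inc sp plus push hl on SP, and that the word sitting where the text routine's saved HL should be is $DB8A.

```python
WRAM_BASE, WRAM_SIZE = 0xC000, 0x2000

# The 49 payload bytes as listed ($D61A-$D64A); '??' operands -> constructed 0x00.
PAYLOAD_ADDR = 0xD61A
PAYLOAD = bytes.fromhex(
    "26DA 02 24 010000 B5 2E8A 010000 AF 010000 22 010000 0B 3E27 07 B8 3C "
    "02 22 9E 33 2B 2B E5 010000 2612 B7 2EF5 010000 E9 01FF01"
)


class Sm83:
    """Just enough of the Game Boy CPU to execute the payload above."""

    def __init__(self, af, bc, de, hl, sp, pc):
        self.a, self.f = af >> 8, af & 0xFF
        self.b, self.c = bc >> 8, bc & 0xFF
        self.d, self.e = de >> 8, de & 0xFF
        self.h, self.l = hl >> 8, hl & 0xFF
        self.sp, self.pc = sp, pc
        self.wram = bytearray(WRAM_SIZE)   # only $C000-$DFFF is modelled

    bc = property(lambda s: (s.b << 8) | s.c)
    hl = property(lambda s: (s.h << 8) | s.l)
    carry = property(lambda s: (s.f >> 4) & 1)

    def rd(self, addr):
        off = addr - WRAM_BASE
        return self.wram[off] if 0 <= off < WRAM_SIZE else 0   # ROM/VRAM/HRAM read as 0

    def wr(self, addr, val):
        off = addr - WRAM_BASE
        if 0 <= off < WRAM_SIZE:           # writes outside WRAM are dropped
            self.wram[off] = val & 0xFF

    def flags(self, z, n, h, c):
        self.f = (z << 7) | (n << 6) | (h << 5) | (c << 4)

    def set_hl(self, v):
        self.h, self.l = (v >> 8) & 0xFF, v & 0xFF

    def step(self):
        """Execute one instruction; return False once 'jp hl' leaves WRAM for ROM."""
        op, n8 = self.rd(self.pc), self.rd(self.pc + 1)
        n16 = n8 | (self.rd(self.pc + 2) << 8)
        size = 1
        if op == 0x26: self.h, size = n8, 2                                  # ld h,n
        elif op == 0x2E: self.l, size = n8, 2                                # ld l,n
        elif op == 0x3E: self.a, size = n8, 2                                # ld a,n
        elif op == 0x01: self.b, self.c, size = n16 >> 8, n16 & 0xFF, 3      # ld bc,nn
        elif op == 0x02: self.wr(self.bc, self.a)                            # ld (bc),a
        elif op == 0x22: self.wr(self.hl, self.a); self.set_hl(self.hl + 1)  # ldi (hl),a
        elif op == 0x24:                                                     # inc h
            self.h = (self.h + 1) & 0xFF
            self.flags(self.h == 0, 0, (self.h & 0xF) == 0, self.carry)
        elif op == 0x3C:                                                     # inc a
            self.a = (self.a + 1) & 0xFF
            self.flags(self.a == 0, 0, (self.a & 0xF) == 0, self.carry)
        elif op == 0x0B:                                                     # dec bc
            v = (self.bc - 1) & 0xFFFF
            self.b, self.c = v >> 8, v & 0xFF
        elif op == 0x2B: self.set_hl(self.hl - 1)                            # dec hl
        elif op == 0x33: self.sp = (self.sp + 1) & 0xFFFF                    # inc sp
        elif op == 0xB5: self.a |= self.l; self.flags(self.a == 0, 0, 0, 0)  # or l
        elif op == 0xB7: self.flags(self.a == 0, 0, 0, 0)                    # or a
        elif op == 0xAF: self.a = 0; self.flags(1, 0, 0, 0)                  # xor a
        elif op == 0x07:                                                     # rlca
            c = self.a >> 7
            self.a = ((self.a << 1) | c) & 0xFF
            self.flags(0, 0, 0, c)
        elif op == 0xB8:                                                     # cp b
            self.flags(self.a == self.b, 1, (self.a & 0xF) < (self.b & 0xF), self.a < self.b)
        elif op == 0x9E:                                                     # sbc a,(hl)
            m, c = self.rd(self.hl), self.carry
            r = self.a - m - c
            self.flags((r & 0xFF) == 0, 1, (self.a & 0xF) - (m & 0xF) - c < 0, r < 0)
            self.a = r & 0xFF
        elif op == 0xE5:                                                     # push hl
            self.sp = (self.sp - 2) & 0xFFFF
            self.wr(self.sp, self.l); self.wr(self.sp + 1, self.h)
        elif op == 0xE9:                                                     # jp hl
            self.pc = self.hl
            return False
        else:
            raise NotImplementedError(f"opcode {op:02X} at {self.pc:04X} is not in the payload")
        self.pc += size
        return True


def run_payload():
    """Load the payload at $D61A, start from the posted register state, run to 'jp hl'."""
    cpu = Sm83(af=0x2800, bc=0x0F0F, de=0x0600, hl=0x1C2F, sp=0xDFBC, pc=PAYLOAD_ADDR)
    for i, byte in enumerate(PAYLOAD):
        cpu.wr(PAYLOAD_ADDR + i, byte)
    steps = 0
    while cpu.step():
        steps += 1
        if steps > 100:
            raise RuntimeError("payload never handed control back to ROM")
    return {
        "steps": steps, "pc": cpu.pc, "hl": cpu.hl, "sp": cpu.sp,
        "pushed": cpu.rd(cpu.sp) | (cpu.rd(cpu.sp + 1) << 8),  # word left where saved HL belongs
        "db8a": cpu.rd(0xDB8A), "db8b": cpu.rd(0xDB8B),
    }


if __name__ == "__main__":
    print({k: (f"{v:04X}" if k != "steps" else v) for k, v in run_payload().items()})
```

Because the interpreter raises on any opcode outside the listing, it doubles as a check that the "do nothing" filler instructions really are the ones ZZAZZ annotated; swapping in a different filler byte makes the run stop at that address instead of silently continuing.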

Sanqui

  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Quote
That's awesome. And I thought Gen II was written well.
It mostly is.  You can't blame the original programmers for this :P
Quote
First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by player's money and item availability.
Indeed, but we may be able to use this exploit to duplicate items and generate new ones. 
Quote
A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once
Nice catch!  This explains why I seemingly had to include the reset step: resetting the game makes the Bag start in the Items pocket.

Nice work on the hello world!  I was going to do one myself, but I got seriously annoyed by writing code in terms of items, even with the handy table I linked.  Maybe we could create some more useful bootstrapping routine?  I wonder if an exploit more similar to 8F could be found (one which could always be run with less setup), since we can edit anything in WRAM.
« Last Edit: July 11, 2013, 09:44:56 am by Sanqui »
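Writing a payload in terms of items becomes mechanical once the two-byte PC entry layout is pinned down: each entry is an item index followed by a quantity, and $D61A is the quantity byte of the second entry, so the code begins on a quantity and every later pair is (index, quantity). The script below is an added example, not the table Sanqui linked nor any existing converter; its index numbers are only the ones that can be read off this thread (ZZAZZ's item list against his listing, plus Torchickens' examples), so anything outside that set needs the full table. It encodes an item list to the bytes it occupies from $D61A on, and decodes bytes back into entries while rejecting any byte no legitimate PC entry can produce (an index not in the table, or a quantity outside 1..99, the largest stack the PC holds).

```python
# Item index numbers as they appear in this thread (hex), nothing else.
ITEM_INDEX = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Bicycle": 0x07, "Ice Heal": 0x0B,
    "Rare Candy": 0x20, "Leaf Stone": 0x22, "Nugget": 0x24, "Full Heal": 0x26,
    "Revive": 0x27, "Max Repel": 0x2B, "BLK Apricorn": 0x63, "Card Key": 0x7F,
    "Lost Item": 0x82, "Basement Key": 0x85, "Charcoal": 0x8A, "Flower Mail": 0x9E,
    "Squirtbottle": 0xAF, "Surf Mail": 0xB5, "Portraitmail": 0xB7, "Lovely Mail": 0xB8,
    "TM27": 0xDA, "TM37": 0xE5, "TM41": 0xE9, "HM03": 0xF5, "CANCEL": 0xFF,
}
INDEX_ITEM = {v: k for k, v in ITEM_INDEX.items()}
ANY = None    # "[ANY ITEM]" / "x[ANY QUANTITY]": an operand byte nothing ever reads
MAX_QTY = 99  # largest stack the PC holds, so the largest value a quantity byte encodes


def items_to_bytes(entries, filler=0x00):
    """entries: (name_or_ANY, qty_or_ANY) pairs, the first being the entry whose
    quantity byte is $D61A. Returns the bytes from $D61A up to and including the
    $FF end-of-list marker; ANY slots take `filler` (a constructed placeholder)."""
    out = bytearray()
    for i, (name, qty) in enumerate(entries):
        if i > 0:   # the first entry's index byte lies before $D61A and is not code
            out.append(filler if name is ANY else ITEM_INDEX[name])
        out.append(filler if qty is ANY else qty)
    out.append(0xFF)
    return bytes(out)


def bytes_to_items(code):
    """Inverse: split raw bytes (first byte = a quantity) back into entries,
    raising ValueError for any byte no legitimate PC entry could hold."""
    def check_qty(q, off):
        if not 1 <= q <= MAX_QTY:
            raise ValueError(f"quantity {q} at +{off:#x} cannot be held in the PC")
        return q

    entries = [(ANY, check_qty(code[0], 0))]
    pos = 1
    while pos < len(code) and code[pos] != 0xFF:
        name = INDEX_ITEM.get(code[pos])
        if name is None:
            raise ValueError(f"byte {code[pos]:02X} at +{pos:#x} is not an item index in the table")
        entries.append((name, check_qty(code[pos + 1], pos + 1)))
        pos += 2
    return entries


def representable(code):
    """True when every byte of `code` can be produced by a legitimate PC entry."""
    try:
        bytes_to_items(code)
        return True
    except (ValueError, IndexError):
        return False


# ZZAZZ's hello world item list, from the "[ANY ITEM] x38" entry on.
HELLO_WORLD = [
    (ANY, 38), ("TM27", 2), ("Nugget", 1), (ANY, ANY), ("Surf Mail", 46),
    ("Charcoal", 1), (ANY, ANY), ("Squirtbottle", 1), (ANY, ANY), ("Leaf Stone", 1),
    (ANY, ANY), ("Ice Heal", 62), ("Revive", 7), ("Lovely Mail", 60), ("Ultra Ball", 34),
    ("Flower Mail", 51), ("Max Repel", 43), ("TM37", 1), (ANY, ANY), ("Full Heal", 18),
    ("Portraitmail", 46), ("HM03", 1), (ANY, ANY), ("TM41", 1),
]

if __name__ == "__main__":
    print(items_to_bytes(HELLO_WORLD).hex(" "))
```

Encoding HELLO_WORLD reproduces the opcode column of ZZAZZ's listing byte for byte (with the "??" operands as the filler), and decoding it with a filler of 0x01 (Master Ball x1, a real entry) round-trips, while a filler of 0x00 is rejected because no item has index 0 and no stack has quantity 0.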

camper

  • aka GlitcherRed, azum4roll
  • Member+
  • Gender: Male
  • 975642dx║'r DExsfoF▓1 error.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #3 on: July 11, 2013, 10:48:40 am »
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.
Youtube
 

Guess where this is?

Torchickens

  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #4 on: July 11, 2013, 01:38:03 pm »
—Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?

Hi Sanqui, great work on discovering this! Glitch City has a temporary IRC that can be found here. (original thread)

Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

Actually, both item mutation and item duplication are possible with the duplicate Key Items exploit, which occurs when swapping one Key Item with another of the same type directly below it.

When a Pokémon is holding a Key Item (available via the Celebi glitch), taking it places it into the Key Items pocket. You can only have quantities greater than 99 in the Key Items pocket though, as the only way of 'moving them into the Items pocket' is depositing them into the PC (note Key Item quantities never decrease) and withdrawing them.

For convenience, I'll re-post the important parts from the description.

There are two different kinds of effects which I'll label (1) and (2):

1) If the sum of the first Key Item's index number and the item below the second Key Item is less than or equal to 100, then the second item identifier becomes equal to the index number of the Key Item plus that of another item directly underneath the item swapped. Its quantity is determined by what was the item identifier of the third item.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Card Key (index no. 127)
Basement Key (index no. 133)
CANCEL (index no. 255)

If we swap the first Lost Item with the second, we lose the original second Lost Item and the Card Key, but the second Lost Item will turn into a Master Ball with quantity 133 (Basement Key's index number). The reason why the second item turns into a Master Ball in this example is because the Card Key is index number 127 (7F) and the Lost Item is index number 130 (82). Adding these together gives 257, but since items are defined by one byte, this becomes 257 modulo 256 or 1, which is Master Ball's index number.

Therefore we get:

Lost Item (index no. 130)
Master Ball (index no. 257 == 1) x133
CANCEL (index no. 255)

2) If the sum of the first Key Item's index number and the item below the second Key Item is greater than 100, then the third item is not lost, but becomes a BLK Apricorn (index no. 99). The second item identifier becomes equal to that of the sum of the first Key Item index number and the original third item minus 99. Its quantity is derived from the new third item identifier.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Master Ball (index no. 1) x7
Bicycle (index no. 7)
CANCEL

If we swap the first Key Item with the second this gives us:

Lost Item (index no. 130)
Rare Candy (index no. 32 [130+1-99] )
BLK Apricorn (index no. 99)
Bicycle (index no. 7)
CANCEL (index no. 255)
« Last Edit: July 11, 2013, 01:50:38 pm by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

krynxe

  • Apparantly fairy
  • GCLF Member
  • lurking since '06 \o/
  • Twitch
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #5 on: October 03, 2013, 01:17:57 am »
Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Torchickens

  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #6 on: October 03, 2013, 04:50:16 am »
Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Certain cries give different effects. There is an incomplete list of typical effects here by Rsrdaman.
« Last Edit: October 03, 2013, 04:50:40 am by Torchickens »

MrWint

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #7 on: October 03, 2013, 10:18:53 am »
Nice find, Sanqui, it has quite the potential.

I looked into the glitch a bit and want to share what I found out so far.

The RAM at $C112 and onwards belongs to the parameters of the SFX channels 5-8. These parameters are reset frequently (e.g. every time you enter a new area, including after trainer battles), so you can't store sound effects. Also, certain sounds only use certain channels, leaving the others untouched. For example, the menu opening sound and the item page switch sound only use channel 8. That's why they don't override the cry and the trick works at all.
I tested all sound effects and cries; only very few are useful:
  • Bellsprout
  • Machop
  • Machoke
  • Omanyte
  • Celebi
All of them do the same thing, they corrupt the stack with "inc sp" and jump to $EB12. The content of the registers differs slightly depending on the Pokémon used and the data of channel 8.

From $CB12, the code proceeds to $CC20, where the next interesting RAM content is. In addresses $CC20-$CC48 background tiles are stored. More specifically, the tiles that are loaded whenever the player moves. Each time you go a step, the newly visible tiles need to be loaded, and this is the buffer they are stored in before copying them to VRAM. When moving vertically, these are 40 tiles (20x2) and when moving horizontally it is 36 tiles (2x18). Addresses $CC48-$CC70 contain the corresponding palettes (tiles are 2-bit, the palette defines the color scheme). None of these are too interesting, the values are usually too small to change the code flow, the most interesting thing you can do here is calling "inc sp" or "dec sp" to fix the stack.

The really interesting data follows, $CC70-CC98 contains pointers to VRAM addresses where the newly loaded tiles are inserted in the BG map. The BG map is a 32x32 tile buffer located at $9800-$9C00 which holds the current background tiles. It features a "window", that defines the (20x18 tiles) portion of the buffer that is actually visible on screen. When moving, the new tiles are inserted at the respective edge of the window and then the window moves smoothly to that side to create the moving effect. Each pointer describes a 2x1 tile area, so there are half as many pointers as tiles to insert. I saw in your screenshot that you are using BGB, it has a nice visualization of the BG map (look for "vram viewer" in the menu), it helps to see what is going on.
Fortunately, the window is reset very often, every time anything partially covers the screen (including battles, entering a map, opening the menu, talking to an NPC, ...), so it's easy to manipulate.
The addresses you used in your example are $98DA, $98FA, which spell out to "jp c,$FA98". You can get other addresses as well, but they all end on $98-$9B, since these are the values the pointers can have.
The most important conclusion is that you can generate this jump everywhere, not just in New Bark. For example, you can just reset your window (e.g. by opening the menu) and then use the same choreography as in New Bark (1x down, 4x right) to get the same addresses and therefore the same jump. However, you need to make sure that the carry flag is set, otherwise you won't jump.

From there on, you have enough manipulation options to execute arbitrary code.
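Two questions in this thread come down to the same check: whether the bytes the detour runs through (ZZAZZ's "slide Pokémon" in slot 3, or the BG-map pointer buffer MrWint describes) contain an instruction that changes control flow. The scanner below is an added example, not code from the thread or from any disassembler; it walks a byte string with an SM83 instruction-length table, resolves jp/call/jr targets, and lists every control-flow, stack-altering or undefined opcode it lands on. The sample records are constructed: the "jump" Pokémon is Sanqui's Quagsire/HP Up/Sleep Talk triple, whose bytes C3 1A D6 are taken from the standard Gen II species, item and move indices (an assumption, not stated on this page), and the 48-byte party entry size (fourth Pokémon at $DA98 + $30) is likewise assumed.

```python
import struct

# SM83 operand sizes: opcodes taking one immediate byte, and those taking two.
# Everything else is a single byte ($CB-prefixed instructions are always two).
IMM8 = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E,     # ld r,n
        0x10, 0x18, 0x20, 0x28, 0x30, 0x38,                 # stop, jr, jr cc
        0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE,     # alu a,n
        0xE0, 0xF0, 0xE8, 0xF8, 0xCB}                       # ldh, add sp, ld hl,sp+e, prefix
IMM16 = {0x01, 0x11, 0x21, 0x31, 0x08,                      # ld rr,nn / ld (nn),sp
         0xC2, 0xC3, 0xCA, 0xD2, 0xDA,                      # jp cc / jp
         0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xEA, 0xFA}          # call cc / call / ld (nn),a / ld a,(nn)

CONTROL_FLOW = {
    0x18: "jr", 0x20: "jr nz", 0x28: "jr z", 0x30: "jr nc", 0x38: "jr c",
    0xC3: "jp", 0xC2: "jp nz", 0xCA: "jp z", 0xD2: "jp nc", 0xDA: "jp c", 0xE9: "jp hl",
    0xCD: "call", 0xC4: "call nz", 0xCC: "call z", 0xD4: "call nc", 0xDC: "call c",
    0xC9: "ret", 0xC0: "ret nz", 0xC8: "ret z", 0xD0: "ret nc", 0xD8: "ret c", 0xD9: "reti",
    **{op: f"rst {op - 0xC7:02x}" for op in range(0xC7, 0x100, 8)},
}
STACK = {0x33: "inc sp", 0x3B: "dec sp", 0xF9: "ld sp,hl", 0xE8: "add sp,e",
         0xC1: "pop bc", 0xD1: "pop de", 0xE1: "pop hl", 0xF1: "pop af",
         0xC5: "push bc", 0xD5: "push de", 0xE5: "push hl", 0xF5: "push af"}
UNDEFINED = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}


def scan(code, base):
    """Walk `code` as instructions starting at address `base`; return
    (address, mnemonic, target) for each one that would derail straight-line
    execution: jump/call/ret/rst, anything that moves SP, or an undefined opcode
    (which locks up the CPU). Targets are resolved for jp/call (absolute) and
    jr (relative to the following instruction); None where there is none."""
    findings, pc = [], 0
    while pc < len(code):
        op, addr = code[pc], base + pc
        size = 3 if op in IMM16 else 2 if op in IMM8 else 1
        if op in CONTROL_FLOW:
            target = None
            if op in IMM16 and pc + 2 < len(code):
                target = struct.unpack_from("<H", code, pc + 1)[0]
            elif op in IMM8 and pc + 1 < len(code):
                target = (addr + 2 + struct.unpack_from("<b", code, pc + 1)[0]) & 0xFFFF
            findings.append((addr, CONTROL_FLOW[op], target))
        elif op in STACK:
            findings.append((addr, STACK[op], None))
        elif op in UNDEFINED:
            findings.append((addr, f"undefined opcode {op:02x}", None))
        pc += size
    return findings


def slide_ok(record, base):
    """A 'slide' record is one the detour falls straight through."""
    return not scan(record, base)


def pointers_as_code(pointers):
    """What the BG-map pointer buffer looks like to the CPU: each pointer stored
    little-endian, executed in order."""
    return b"".join(struct.pack("<H", p) for p in pointers)


PARTY_ENTRY = 0x30   # assumed 48-byte party record, so slot 4 sits at $DA98 + $30
# Constructed records; only the leading bytes matter to the point being made.
JUMP_MON = bytes([0xC3, 0x1A, 0xD6]) + bytes(45)   # Quagsire, HP Up, Sleep Talk = jp $D61A
SLIDE_MON = bytes([0x13, 0x00, 0x21, 0x27, 0x00, 0x00, 0x02, 0x1F, 0x05, 0x0A]) + bytes(38)

if __name__ == "__main__":
    for addr, what, target in scan(pointers_as_code([0x98DA, 0x98FA]), 0xCC70):
        print(f"{addr:04X}: {what}" + (f" ${target:04X}" if target is not None else ""))
```

The same walk explains MrWint's remark that pointer values all end in $98-$9B: the high byte of each pointer lands on an odd position, so the only way to get an opcode out of the buffer is from the low bytes, and $DA (the low byte of $98DA) is the conditional jump that makes the carry flag matter.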

blahpy

  • Yeah! Pomeg Berry!
  • Member+
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #8 on: December 09, 2013, 05:13:40 pm »
Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html

Torchickens

  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #9 on: December 10, 2013, 09:40:30 am »
Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html

I enjoyed that. There are parts that could probably be improved, like getting better DVs on Totodile to score KOs earlier or resetting earlier while cloning (it's possible to clone Pokémon a bit after the yes/no box disappears) but I think you did a good job overall, ZZAZZ.
« Last Edit: December 10, 2013, 10:01:48 am by Torchickens »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #10 on: December 10, 2013, 11:56:31 am »
Btw, I just checked in European G/S and the bug is fixed (proper $50 terminator in all of FR/IT/DE/ES).

Figures.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Sanqui

  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #11 on: January 09, 2014, 07:33:12 am »
Pokémon Gold can now be beaten in under 50 minutes with the route I came up with.  (I was kind of disappointed with the TASes, sorry!)

Here's a run in 49:49 by Dabomstew (WR at posting time): https://www.youtube.com/watch?v=c9EfVBGK-GU

TheZZAZZGlitch

  • Distinguished Member
  • Gender: Male
  • Unknown opcode fc at 801a
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #12 on: January 09, 2014, 02:28:19 pm »
Quote
I was kind of disappointed with the TASes, sorry!

No need to be sorry, I am aware that my TAS attempts sucked hairy balls. It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.

Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.

Also, I don't really know why that particular piece of code is helpful or required:
Code:
xor a
(...)
ld [$ff83], a ; kill OAM DMA

Other than that, everything looks awesome. One day I'll try this out, to see if it works.

Sanqui

  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #13 on: January 09, 2014, 05:13:22 pm »
It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.
Such coin case.
I have a very theoretical route for a TAS, too, but it's still in the works.  It would involve extremely heavy RNG abuse.  (And hopefully no boxes.)
Quote
Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.
Oh, right.  Thanks a bunch for reminding me of that person, by the way.  Not sure if I had remembered without having seen your TAS.
Quote
Also, I don't really know why that particular piece of code is helpful or required:
Code:
xor a
(...)
ld [$ff83], a ; kill OAM DMA

Other than that, everything looks awesome. One day I'll try this out, to see if it works.
I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-hram when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.
« Last Edit: January 09, 2014, 05:22:56 pm by Sanqui »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #14 on: January 10, 2014, 09:08:51 am »
I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-hram when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.

Remember a ret pops whatever's on the top of the stack into pc.
So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.