Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 32462 times)


Sanqui
  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #15 on: January 10, 2014, 11:29:15 am »
Quote:
    Remember a ret pops whatever's on the top of the stack into pc.
    So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.
I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e. You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.

Wack0
  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • Gender: Male
  • cBRH - Doing nothing since 2k7
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #16 on: January 10, 2014, 02:14:45 pm »
Quote from: Sanqui
    Remember a ret pops whatever's on the top of the stack into pc.
    So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there.
    I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e. You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.

Ah.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Hālian
  • That worldbuilding/micronations/MTG guy
  • Member+
  • Gender: Male
  • For a better world
  • Hoennese Realm
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #17 on: January 14, 2014, 05:34:49 pm »
Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phone call to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using Machoke's cry instead of Machop's. They seem to yield the same results, but what about other cries?

Video is private :(
Hoennese Realm

All sprites made by Naitekiakki, except:
MissingNo. egg made by Reimoni
Recolored Gardevoir made by me

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #18 on: January 15, 2014, 06:11:09 am »
Quote from: Hālian
    Well, ZZAZZglitch posted a very interesting video. Always a pleasure to see what that guy comes up with next, haha

    I'm glad to see some real practical use to the coin case here. And that phone call to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

    Also, I've noticed some videos posted here using Machoke's cry instead of Machop's. They seem to yield the same results, but what about other cries?

    Video is private :(

I think that was TheZZAZZGlitch's first TAS. You can still download the VBM file on the TASVideos submission page.
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #19 on: April 26, 2014, 03:55:00 pm »
*stickied*

I've found out how you can change TheZZAZZGlitch's alternative Celebi glitch to get ????? (FF) without the bad clone glitch so you can do the Johto guard glitch and other stuff!

It's actually a rather simple change. To understand it, use the old code and set a breakpoint for when the Game Boy jumps to D61A (item storage system item 2 quantity). Press F3 (or Fn+F3) multiple times, and when the Game Boy reaches WRA1:D626 (inc b), bc=FAF9; at the next instruction [ld (hl),b] it's FB, Celebi's index number.

Basically, 'inc b' increments (increases 'b' by one), and in the items list there are two inc bs (Great Ball x4). All you need to do is have two more stacks of Great Ball x4 below it. That's 2x2 more addresses, and FB+4=FF.

Pirat3
  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #20 on: May 10, 2014, 06:43:47 am »
Hey everyone,

how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon? Watching the video clips that show how you get Celebi, I noticed that Celebi inherited the moves of Togepi. This would allow you to create some interesting move setups, as Pokémon could "learn" moves which they normally wouldn't.
While I'm familiar with arbitrary coding, I do not know which instructions are triggered by your stored items. If anyone seasoned could help me out I would appreciate it.
Also, while googling I noticed that there was a piece of code available ( http://tasvideos.org/4126S.html= ) that allowed your character to warp to Mount Silver. If I wanted to warp the character to Viridian City instead, how would the code have to be modified?

camper
  • aka GlitcherRed, azum4roll
  • Member+
  • Gender: Male
  • 975642dx║'r DExsfoF▓1 error.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #21 on: May 10, 2014, 07:31:31 am »
Quote from: Pirat3
    Hey everyone,

    how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon?
Change HM07 to whatever index you need - 2, I think.
Youtube

Guess where this is?

Crystal_
  • Distinguished Member
  • 39 00 39 00 39 00 39 00
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #22 on: June 26, 2014, 12:46:42 pm »
My take on coin case arbitrary code execution: Since obtaining Celebi is obviously taken I decided to think of something else that could be interesting, and that is... making any Pokemon shiny! It basically consists of changing the DVs of the first party Pokemon to 14/10/10/10, so that the Pokemon becomes shiny.

The way to perform this trick is similar to the method to obtain Celebi (including the Quagsire jump) but the item list is obviously different:

Code:
I means Item and Q means Quantity. The number indicates the position where the item must be at.

-------------------------- I1 = Q1 = I2 = ANY
ld a,EA ----- 3E EA ------ Q2 = 62 | I3 = TM42 (Dream Eater)
ld bc,XXXX -- 01 XX XX --- Q3 = 01 | I4 = Q4 = ANY
ld hl,DA3F -- 21 3F DA --- I5 = X Accuracy | Q5 = 63 | I6 = TM27 (Return)
ld bc,XXXX -- 01 XX XX --- Q6 = 01 | I7 = Q7 = ANY
ldi (hl),a -- 22 --------- I8 = Leaf Stone
ld bc,XXXX -- 01 XX XX --- Q8 = 01 | I9 = Q9 = ANY
dec b ------- 05 --------- I10 = Pokeball
ld a,A9 ----- 3E A9 ------ Q10 = 62 | I11 = Sun Stone
ld bc,XXXX -- 01 XX XX --- Q11 = 01 | I12 = Q12 = ANY
add a,1 ----- C6 01 ------ I13 = TM07 | Q13 = 01
ld (hl),a --- 77 --------- I14 = Focus Band
ld bc,XXF5 -- 01 F5 XX --- Q14 = 01 | I15 = HM03 (Surf) | Q15 = ANY (01)
ld h,12 ----- 26 12 ------ I16 = Full Heal | Q16 = 18
ld l,c ------ 69 --------- I17 = Stick
ld bc,0133 -- 01 33 01 --- Q17 = Q18 = 01 | I18 = X Defend
inc b ------- 04 --------- I19 = Great Ball
inc sp ------ 33 --------- Q19 = 51
push bc ----- C5 --------- I20 = TM06 (Toxic)
ld bc,XXXX -- 01 XX XX --- Q20 = 01 | I21 = Q21 = ANY
jp (hl) ----- E9 --------- I22 = TM41 (ThunderPunch) | Q22 = ANY (01)

See this video for more information: https://www.youtube.com/watch?v=NADKp7PI2XY

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #23 on: June 26, 2014, 01:26:40 pm »
That's really cool, thanks Crystal_. I recognize the EA (TM42) means 14 Attack/10 Defense, but to make your trick slightly better, couldn't you change it to FA (TM50) to get 15 Attack DVs/10 Defense, or am I missing something?

Edit: Oops, FA is the glitch item HM08 in Generation II, my bad.
« Last Edit: June 26, 2014, 01:31:51 pm by Torchickens »

Crystal_
  • Distinguished Member
  • 39 00 39 00 39 00 39 00
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #24 on: June 26, 2014, 01:40:28 pm »
Yep, you called it. I guess I could've tried to fit ld a,F9 and inc a, but inc a as an item becomes Silver Leaf, so it's not easy. I just didn't think it was worth the extra effort and extra items. If you wanted better DVs for some reason, you'd probably be looking for FF FF anyway.
« Last Edit: June 26, 2014, 01:41:12 pm by Crystal_ »
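The two DV bytes that Crystal_'s code writes at DA3F (EA, then A9 + 1 = AA) and the FA alternative Torchickens raised can be checked against the game's shiny rule. The script below is an added example for this page, not code from either poster: it packs and unpacks the two DV bytes the way Generation II party data stores them (Attack/Defense in the first byte, Speed/Special in the second, high nibble first), derives the HP DV from the low bits of the other four, and applies the Generation II shiny condition (Defense, Speed and Special DVs of 10, Attack DV with bit 1 set). The `write_dvs` helper is a hypothetical stand-in for the two stores the item code performs, operating on a buffer rather than on Game Boy memory.

```python
"""Gen II DV packing and the shiny rule behind the 14/10/10/10 choice.

Added example for this thread (not Crystal_'s or the wiki's own code).
"""

# Attack DVs that satisfy the Gen II shiny rule: bit 1 of the Attack DV set.
SHINY_ATTACK_DVS = {2, 3, 6, 7, 10, 11, 14, 15}


def pack_dvs(atk: int, dfn: int, spd: int, spc: int) -> bytes:
    """Two bytes as stored in party data: (atk<<4 | def), (spd<<4 | spc)."""
    for v in (atk, dfn, spd, spc):
        if not 0 <= v <= 15:
            raise ValueError("each DV is a 4-bit value")
    return bytes([(atk << 4) | dfn, (spd << 4) | spc])


def unpack_dvs(pair: bytes) -> tuple:
    """Inverse of pack_dvs: returns (atk, def, spd, spc)."""
    return pair[0] >> 4, pair[0] & 0xF, pair[1] >> 4, pair[1] & 0xF


def hp_dv(atk: int, dfn: int, spd: int, spc: int) -> int:
    """The HP DV is not stored; it is the low bit of each other DV, atk first."""
    return ((atk & 1) << 3) | ((dfn & 1) << 2) | ((spd & 1) << 1) | (spc & 1)


def is_shiny(atk: int, dfn: int, spd: int, spc: int) -> bool:
    """Gen II shiny test: Def/Spd/Spc DVs must be 10, Atk DV must have bit 1 set."""
    return dfn == 10 and spd == 10 and spc == 10 and atk in SHINY_ATTACK_DVS


def shiny_dv_pairs() -> list:
    """All eight byte pairs that make a Gen II Pokémon shiny."""
    return [pack_dvs(a, 10, 10, 10) for a in sorted(SHINY_ATTACK_DVS)]


def write_dvs(buf: bytearray, offset: int, first: int, second: int) -> tuple:
    """Hypothetical stand-in for the item code's two stores (ldi (hl),a then
    ld (hl),a): writes `first` at offset and `second` at offset+1, and returns
    the DVs the buffer now encodes."""
    buf[offset] = first & 0xFF
    buf[offset + 1] = second & 0xFF
    return unpack_dvs(bytes(buf[offset:offset + 2]))


if __name__ == "__main__":
    # Constructed 2-byte buffer standing in for DA3F/DA40 of the first party slot.
    party = bytearray(2)
    dvs = write_dvs(party, 0, 0xEA, 0xA9 + 1)   # what Crystal_'s code stores
    print("DVs", dvs, "shiny:", is_shiny(*dvs), "HP DV:", hp_dv(*dvs))
    print("FA/AA (Torchickens' variant) shiny:", is_shiny(*unpack_dvs(b"\xFA\xAA")))
    print("all shiny pairs:", [p.hex().upper() for p in shiny_dv_pairs()])
```

Both EA AA and FA AA satisfy the rule, which is why the only obstacle to the higher Attack DV is whether the byte is reachable as an item, not the shiny check itself.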

Crystal_
  • Distinguished Member
  • 39 00 39 00 39 00 39 00
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #25 on: June 28, 2014, 08:49:59 am »
So it seems I got addicted to writing asm with pokemon items... Whatever.

Anyway, this time I will present the asm and corresponding item list required to make the first party Pokemon have perfect DVs and EVs and instantly reach level 100 (actually, level 98/99 + 2x/1x rare candy) via the coin case glitch. The only other notable difference is that it requires a Quagsire with Protein (instead of with HP Up).

Code:
------------------------------- I1 = Q1 = I2 = Q2 = ANY
ld de,020E ---- 11 0E 02 ------ I3 = Super Potion | Q3 = 14 | I4 = Ultra Ball
ld a,(de) ----- 1A ------------ Q4 = 26
ld hl,DA35 ---- 21 35 DA ------ I5 = X Accuracy | Q5 = 53 | I6 = TM27
ld bc,XX0C ---- 01 0C XX ------ Q6 = 01 | I7 = Awakening | Q7 = ANY
inc de -------- 13 ------------ I8 = Escape Rope
ldi (hl),a ---- 22 ------------ Q8 = 34
inc d --------- 14 ------------ I9 = Repel
inc d --------- 14 ------------ Q9 = 20
dec c --------- 0D ------------ I10 = Paralyz Heal
jr nz,F9 ------ 20 F9 --------- Q10 = 32 | I11 = HM07
ld bc,XXXX ---- 01 XX XX ------ Q11 = 01 | I12 = Q12 = ANY
ld l,49 ------- 2E 49 --------- I13 = Fresh Water | Q13 = 73
ld c,31 ------- 0E 31 --------- I14 = Full Restore | Q14 = 49
rlc c --------- CB 01 --------- I15 = TM12 (Sweet Scent) | Q15 = 01
ld (hl),c ----- 71 ------------ I16 = Spell Tag
ld bc,XXF5 ---- 01 F5 XX ------ Q16 = 01 | I17 = HM03 | Q17 = ANY (01)
ld h,12 ------- 26 12 --------- I18 = Full Heal | Q18 = 18
ld e,c -------- 59 ------------ I19 = Blu Apricorn
ld bc,XXXX ---- 01 XX XX ------ Q19 = 01 | I20 = Q20 = ANY
ld l,e -------- 6B ------------ I21 = NeverMeltIce
ld bc,0133 ---- 01 33 01 ------ Q21 = 01 | I22 = X Defend | Q22 = 01
inc b --------- 04 ------------ I23 = Great Ball
inc sp -------- 33 ------------ Q23 = 51
push bc ------- C5 ------------ I24 = TM06
ld bc,XXXX ---- 01 XX XX ------ Q24 = 01 | I25 = Q25 = ANY
jp hl --------- E9 ------------ I26 = TM41 | Q26 = ANY

Video here (contains very detailed information in the description): https://www.youtube.com/watch?v=JEOOCpNTx88
« Last Edit: June 28, 2014, 08:52:03 am by Crystal_ »

Sanqui
  • Distinguished Member
  • Also known as Sanky
  • Sanky @ Rusted Logic
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #26 on: June 29, 2014, 03:26:54 am »
Check out Shenanagans' Pokémon Gold run at SGDQ, using the power of the coin case to beat the game in 40 minutes: https://www.youtube.com/watch?v=XaSg_mWVOUM

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #27 on: August 01, 2014, 04:22:25 pm »
Here is code to activate the Pokémon color test menu with TheZZAZZGlitch's Celebi trick Pokémon set-up, which is a freshly caught Pokémon in position 3 of the party and a Quagsire holding an HP Up with Sleep Talk as its first move in the fourth position. Thanks to Tauwasser for the bank switch method, and to this Skeetendo thread:

Youtube video.

Save states for Pokémon color test and Trainer color test (these may not work on all versions of VBA. I used vba-v24m-svn-r422).

inc b
ld a, 3F
inc b
ld hl, 52C9
rst $08 (CF)

04 3E 3F 04 21 C9 52 CF

In stored PC items starting from item 2, this is:

(ANYTHING) x4
PP Up x63
Great Ball x33
TM10 x82
TM16 x(ANYTHING)

I'll try to make a new version of this code to enable the Trainer color menu tomorrow.

Edit: Here is Trainer color menu code.

inc b (04)
ld a, $3F (3E 3F)
inc b (04)
ld h, $CE (26 CE)
ld l, $ED (2E ED)
ld (hli), a (22)
dec b (05)
ld hl, 52C9 (21 C9 52)
rst $08 (CF)

04 3e 3f 04 26 ce 2e ed 22 05 21 c9 52 cf

In stored PC items from item 2, this is:
(ANYTHING)x4
PP Up x63
Great Ball x38
TM15 x46
TM45 x34
Poké Ball x33
TM10 x82
TM16 x(ANYTHING)
« Last Edit: August 03, 2014, 10:36:15 am by Torchickens »

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #28 on: August 03, 2014, 10:33:53 am »
Code to activate the unused memory (card matching) game, same Pokémon set-up as above:

Youtube video

Save state for being in the game.

Code:
inc b
ld a,38
ld hl, 6663
inc l
inc l
inc l
inc l
inc l
rst 08

(04 3e 38 21 63 66 2c 2c 2c 2c 2c cf)

The reason for the many 'inc l's is that without them I would have required an item quantity of 104, while the normal limit is 99. The code is to make the game call 38:6668.

Items required from stored item 2:
(ANYTHING) x4
PP Up x56
X Accuracy x99
Blackglasses x44
Dire Hit x44
Dire Hit x44
TM16 x(ANYTHING)
« Last Edit: August 03, 2014, 10:34:52 am by Torchickens »
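The encoding used throughout Crystal_'s tables and Torchickens' posts above (execution starts at the quantity byte of stored item 2, so the bytes alternate quantity, item ID, quantity, item ID, ...) can be checked mechanically, including the 99-quantity cap that forced the five `inc l` padding bytes in the memory-game code. The script below is an added example written for this page; it is not the thread's code nor the wiki's GBz80 to Items tool. It disassembles only the SM83 opcodes that appear in this thread, maps a byte stream back onto item/quantity slots, and flags any quantity that exceeds 99. The item names are limited to the IDs this thread itself gives; any other ID is shown raw.

```python
"""Decode a Coin Case payload into SM83 instructions and stored-item slots.

Added example for this thread (not the forum's or the wiki's own tool).
Assumes the layout the posts describe: execution begins at the quantity
byte of stored item 2, so the stream is Q2, I3, Q3, I4, Q4, ...
"""
from __future__ import annotations

# One-byte opcodes used in this thread (SM83 / Game Boy CPU).
OPS_0 = {
    0x04: "inc b", 0x05: "dec b", 0x0C: "inc c", 0x0D: "dec c",
    0x13: "inc de", 0x14: "inc d", 0x1A: "ld a,(de)", 0x22: "ldi (hl),a",
    0x2C: "inc l", 0x33: "inc sp", 0x3C: "inc a", 0x59: "ld e,c",
    0x69: "ld l,c", 0x6B: "ld l,e", 0x71: "ld (hl),c", 0x77: "ld (hl),a",
    0x9E: "sbc a,(hl)", 0xC5: "push bc", 0xCF: "rst 08", 0xE9: "jp hl",
}
# Opcodes followed by one immediate byte.
OPS_1 = {0x0E: "ld c", 0x26: "ld h", 0x2E: "ld l", 0x3E: "ld a",
         0xC6: "add a", 0x20: "jr nz"}
# Opcodes followed by a 16-bit little-endian immediate.
OPS_2 = {0x01: "ld bc", 0x11: "ld de", 0x21: "ld hl"}
# CB-prefixed opcodes used in the thread.
OPS_CB = {0x01: "rlc c"}

# Item IDs as given in this thread's posts (a subset of the game's table).
ITEM_NAMES = {
    0x04: "Great Ball", 0x05: "Poké Ball", 0x0C: "Awakening",
    0x0D: "Paralyz Heal", 0x1F: "Calcium", 0x21: "X Accuracy",
    0x22: "Leaf Stone", 0x26: "Full Heal", 0x2C: "Dire Hit",
    0x3E: "PP Up", 0x66: "Blackglasses", 0xC9: "TM10", 0xCE: "TM15",
    0xCF: "TM16", 0xED: "TM45",
}
MAX_QUANTITY = 99  # normal cap on a stack of items, as the posts note


def disassemble(code: bytes) -> list[str]:
    """One mnemonic per instruction; bytes outside the subset become 'db $xx'."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0xCB and i + 1 < len(code) and code[i + 1] in OPS_CB:
            out.append(OPS_CB[code[i + 1]]); i += 2
        elif op in OPS_0:
            out.append(OPS_0[op]); i += 1
        elif op in OPS_1 and i + 1 < len(code):
            out.append(f"{OPS_1[op]},${code[i + 1]:02X}"); i += 2
        elif op in OPS_2 and i + 2 < len(code):
            nn = code[i + 1] | (code[i + 2] << 8)
            out.append(f"{OPS_2[op]},${nn:04X}"); i += 3
        else:
            out.append(f"db ${op:02X}"); i += 1
    return out


def to_item_slots(code: bytes, first_slot: int = 2) -> list[dict]:
    """Map the byte stream onto stored-item slots: the first byte is the
    quantity of `first_slot`, after that bytes pair up as (item, quantity)."""
    slots = [{"slot": first_slot, "item": None, "qty": code[0]}]
    for k, j in enumerate(range(1, len(code), 2), start=first_slot + 1):
        qty = code[j + 1] if j + 1 < len(code) else None
        slots.append({"slot": k, "item": code[j], "qty": qty})
    return slots


def bad_quantities(code: bytes) -> list[tuple[int, int]]:
    """(slot, quantity) pairs whose quantity exceeds the normal 99 cap."""
    return [(s["slot"], s["qty"]) for s in to_item_slots(code)
            if s["qty"] is not None and s["qty"] > MAX_QUANTITY]


def describe(code: bytes) -> None:
    """Print the item list the way the posts write it, marking bad quantities."""
    for s in to_item_slots(code):
        name = "(ANYTHING)" if s["item"] is None else ITEM_NAMES.get(
            s["item"], f"item ${s['item']:02X}")
        qty = "x(ANYTHING)" if s["qty"] is None else f"x{s['qty']}"
        flag = "  <-- over 99" if (s["slot"], s["qty"]) in bad_quantities(code) else ""
        print(f"item {s['slot']:2d}: {name} {qty}{flag}")


if __name__ == "__main__":
    # Torchickens' memory-game bytes, and the direct ld hl,6668 form they avoid
    # (constructed here to show why: it needs X Accuracy x104).
    padded = bytes.fromhex("043e382163662c2c2c2c2ccf")
    direct = bytes.fromhex("043e38216866cf")
    for name, code in (("padded", padded), ("direct", direct)):
        print(name, "->", "; ".join(disassemble(code)))
        describe(code)
```

Run it and the direct form shows two quantities over the cap (104 and 207), while the padded form keeps every quantity legal and pushes the `rst 08` byte into an item-ID position, which is exactly the reasoning Torchickens gives for the extra `inc l`s.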

Torchickens
  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #29 on: September 30, 2014, 06:41:29 am »
Code to get effectively infinite Rare Candies, same Pokémon set-up as my second to last post. This puts a Rare Candy in the Balls pocket, and since it's in the wrong pocket, its quantity will never decrease.

Youtube video

Requirements:
*A Quagsire in the 4th position holding a HP Up with Sleep Talk as the first move
*A freshly caught Pokémon in the third position

Items from item 2:

(ANYTHING)x62
Calcium x13
Great Ball x60
Paralyz Heal x13
Poké Ball x4
(ANYTHING)x(ANYTHING)
Awakening x38
TM22 x1
(ANYTHING)x(ANYTHING)
Leaf Stone x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANYTHING)x(ANYTHING)
TM41 x1

Code:

@D61A

ld a, 1F    | 3E 1F    ; a = Calcium
dec c       | 0D       ; c = FF
inc b       | 04       ; junk code
inc a       | 3C       ; a+1 = Rare Candy
dec c       | 0D       ; c = FE
dec c       | 0D       ; c = FD
dec b       | 05       ; junk code
inc b       | 04       ; junk code
ld l, c     | 69       ; address = XXFD
ld bc,$aabb | 01 ?? ?? ; junk code
inc c       | 0C       ; junk code
ld h, D5    | 26 D5    ; address = D5FD
ld bc,$aabb | 01 ?? ?? ; junk code
ld (hli),a  | 22       ; put Rare Candy into D5FD (Balls item 1)

@D62E ; This is an adaptation of TheZZAZZGlitch's messed-up stack workaround made by Crystal_. (Unfortunately you can't just ret.)

ld l, F5
ld bc, 0134
ld h, 12
sbc a,(hl)
inc sp
push bc
ld bc, XXXX
jp hl

2E F5 01 34 01 26 12 9E 33 C5 01 XX XX E9

I have a bad feeling that register c is not always 00. If true, this code may not work.

I also tried testing this from a new game with the item requirements hacked in via memory viewer. It didn't work. It wasn't an item problem, because according to the BGB disassembler the game never ended up at D61A.

Would anyone more experienced with this glitch than I am like to look at my save file and find out, please?

New save (doesn't work): here
Working save: here

Remember, you have to step out the lab, walk right until you're one tile below the first tree, then listen to Machop's cry, then switch item pockets and use the Coin Case.
« Last Edit: September 30, 2014, 06:48:27 am by Torchickens »