Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 46082 times)


Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #90 on: October 18, 2017, 12:52:08 pm »
7 Exeggcutes sounds like a pain. Isn't it pure headbutt-encounter?
4 Slowpoke and 2 Shuckle sounds doable, but requires Surf to get Slowpoke with >15% probability. Since it's not too far after Coin Case (story wise) I don't think it's a problem.

To be honest the whole process sounds like a pain.

I don't know if it's just me, but every Pokemon I have hatched from an egg has worked as a slide Pokemon and I find the Togepi you get especially useful as you can get it before you get to Goldenrod. So personally, I don't see the need for this long process to get the ultimate slide Pokemon. My egg-hatched slide Pokemon work perfectly after many, many uses of the coin case.

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #91 on: October 18, 2017, 01:07:02 pm »
Because it's consistent and eliminates at least one source of error.

Obviously, this is nothing for a speedrun and if you prefer to roll the dice the option is still there.
This one is more for us fellows with large streaks of bad (rng-)luck. Like, I prefer doing such a tedious (but guaranteed) process compared to catching a bunch of mons without even the guarantee for it to succeed.
Ultimately it probably comes down to personal preference which is perfectly fine with me.

Couldntthinkofaname

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #92 on: October 18, 2017, 01:13:25 pm »
So I can simply use whichever I like and achieve the same thing? (don't want to dive too deep into gameboy specifics)
Sounds really useful since da has no valid character whereas fa is easily usable with 4.

Thanks for the reply.

No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #93 on: October 18, 2017, 01:43:32 pm »
No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.

Nice, thanks.  :)

Storyreader21

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #94 on: October 18, 2017, 03:46:48 pm »
Does it matter what level the freshly caught pokemon you defeat the magikarp, geodude, sunkern with, and give the iron to, is?

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #95 on: October 18, 2017, 04:44:22 pm »
No problem. Not every address can be represented with Echo RAM though. Thankfully, the main ones (Pokemon data, item data, etc.) are in Echo RAM somewhere. I have yet to find an Echo RAM map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in Echo RAM somewhere.

Nice, thanks.  :)
Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in the range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)
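The Echo RAM mirror described in the posts above (WRAM C000-DFFF mirrored at E000-FDFF, with DE00-DFFF left out because FE00-FFFF is mapped to other things), as an added example that is not part of any post. It also models why the thread reaches for the mirror at all: the Gen 2 box-name digits '0'..'9' encode as $F6..$FF (the thread notes '4' gives $FA), so only that digit range is treated as typeable here; the function and constant names are my own.

```python
# Added example (mine, not from the thread): the Echo RAM mirror ISSOtm describes.
# On real hardware WRAM C000-DFFF is mirrored at E000-FDFF, so reading or
# writing FAB0 hits the same byte as DAB0. The mirror stops at FDFF because
# FE00-FFFF is OAM / I/O registers / HRAM, so DE00-DFFF has no echo alias.

WRAM_START, WRAM_END = 0xC000, 0xDFFF
ECHO_START, ECHO_END = 0xE000, 0xFDFF
ECHO_OFFSET = ECHO_START - WRAM_START  # 0x2000

def wram_to_echo(addr):
    """Echo RAM alias of a WRAM address, or None when the alias would fall
    into FE00-FFFF (the DE00-DFFF hole mentioned in the post)."""
    if not WRAM_START <= addr <= WRAM_END:
        raise ValueError(f"{addr:#06x} is not a WRAM address")
    alias = addr + ECHO_OFFSET
    return alias if alias <= ECHO_END else None

def echo_to_wram(addr):
    """The WRAM byte an Echo RAM access really touches."""
    if not ECHO_START <= addr <= ECHO_END:
        raise ValueError(f"{addr:#06x} is not an Echo RAM address")
    return addr - ECHO_OFFSET

def unmirrored_wram():
    """(first, last) WRAM address with no echo alias; expected DE00-DFFF."""
    holes = [a for a in range(WRAM_START, WRAM_END + 1) if wram_to_echo(a) is None]
    return (holes[0], holes[-1]) if holes else None

# Why the thread cares: a box name can only hold typeable characters, and the
# Gen 2 digits '0'..'9' are bytes $F6..$FF (so '4' is $FA). An operand high
# byte in D0-DF cannot be typed, but its F0-FF mirror often can.
# Assumption: only the digit range is modelled as typeable here.
DIGIT_BYTES = {0xF6 + i: str(i) for i in range(10)}

def typeable_form(addr):
    """Return (address, digit) when the address's high byte can be typed as a
    digit, trying the address itself first and then its echo alias; None if
    neither works (e.g. any address whose high byte is DE or DF)."""
    if (addr >> 8) in DIGIT_BYTES:
        return addr, DIGIT_BYTES[addr >> 8]
    alias = wram_to_echo(addr) if WRAM_START <= addr <= WRAM_END else None
    if alias is not None and (alias >> 8) in DIGIT_BYTES:
        return alias, DIGIT_BYTES[alias >> 8]
    return None

if __name__ == "__main__":
    print(f"DAB0 -> {wram_to_echo(0xDAB0):04X}")        # FAB0
    print(f"FAB0 -> {echo_to_wram(0xFAB0):04X}")        # DAB0
    first, last = unmirrored_wram()
    print(f"no alias for {first:04X}-{last:04X}")       # DE00-DFFF
    print("DAB0:", typeable_form(0xDAB0), " DE00:", typeable_form(0xDE00))
```

Note that, as the post says, VBA does not emulate this mirror, so the aliases above only hold on hardware and on emulators that implement Echo RAM.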

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #96 on: October 18, 2017, 05:14:30 pm »
Does it matter what level the freshly caught pokemon you defeat the magikarp, geodude, sunkern with, and give the iron to, is?

No, just that its stat-Exp is at 0 before the fights (i.e. didn't win a fight before).
I would advise a level of ~15 or higher so it can solo the fights (don't know how stat-Exp behaves if you use switch tactics), but ultimately it doesn't matter. You only need to make sure that it doesn't have Pokérus, since it doubles acquired stat-Exp and messes up calculations.
For reference I used a lvl 13 Miltank.
The mentioned Pokémon are quite weak, so anything in that power level should have no problems defeating them.

Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in the range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.

Yay, tl;dr. Love those.  ;D
Also nice hardware quirk. As if it was designed with box name ACE in mind.  ::)

Couldntthinkofaname

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #97 on: October 19, 2017, 06:30:43 am »
VBA sucks.

I second that.

<rant>

I used to use VBA for glitch research, and it was a nightmare. Tons of glitches were unavailable/weren't working properly, including Dokashira door, Coin Case, Glitch Dimension, and many others, not to mention the debugger was garbage (you couldn't write anything in the debugger, you had to write code from the Hex Editor).

If your "emulator" cannot accurately emulate the target hardware, then your software should not be considered a true emulator.

</rant>

I realize that in posting this I may have derailed the topic, so here's a code just to be safe:

Masterball in ball slot 2:
Box 1: Ap'v9é9't5
Box 2: p'd555555

This is for use with TM25 in the ball slot, not the coin case. Tested and confirmed to work.
« Last Edit: October 19, 2017, 06:34:12 am by Couldntthinkofaname »

Storyreader21

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #98 on: October 19, 2017, 12:15:13 pm »
Hey I just did a coin case glitch for shiny pokemon I got from youtube with the item list:  

Any x1          
Any x62          
TM 42 x1           
Any x1          
X Accuracy x63      
TM 27 x1         
Any x1  
Leaf Stone x1   
Any x1          
Poke Ball x62          
Sun Stone x1  
Any x1          
TM 07 x1         
Focus Band x1     
HM 03          
Full Heal x18          
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1    
X Defend x1          
Flower Mail x51          
TM 06 x1   
Any x1  
TM 41 x1  

When I did it, it turned my female pokemon male, which means the attack DV was high. How can I modify the item list so the attack DV is 2 (which makes most pokemon in Gold female) but it is still shiny?

Couldntthinkofaname

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #99 on: October 19, 2017, 12:58:54 pm »
Hey I just did a coin case glitch for shiny pokemon I got from youtube with the item list: 

Any x1         
Any x62         
TM 42 x1           
Any x1         
X Accuracy x63     
TM 27 x1         
Any x1 
Leaf Stone x1   
Any x1         
Poke Ball x62         
Sun Stone x1 
Any x1         
TM 07 x1         
Focus Band x1     
HM 03         
Full Heal x18         
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1   
X Defend x1         
Flower Mail x51         
TM 06 x1   
Any x1 
TM 41 x1 

When I did it, it turned my female pokemon male, which means the attack DV was high. How can I modify the item list so the attack DV is 2 (which makes most pokemon in Gold female) but it is still shiny?

Just change TM42 into Super Repel
« Last Edit: October 19, 2017, 01:50:04 pm by Couldntthinkofaname »
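The DV arithmetic behind the question and answer above (why an attack DV of 2 keeps a Pokémon shiny while making it female for most species), as an added example that is not part of any post; the shiny condition, the packed DV layout and the gender-ratio bytes are the Gen 2 rules as I know them, not something the thread states, and the names are my own.

```python
# Added example (mine, not from the thread): Gen 2 DV rules behind
# "attack DV 2 stays shiny but makes most Pokémon female". Gen 2 packs the
# DVs into two bytes, (Attack<<4 | Defense) and (Speed<<4 | Special), and the
# attack DV doubles as the gender roll against the species' gender-ratio byte.

# Gender-ratio bytes from the Gen 2 base stats (values as I know them).
GENDER_F0, GENDER_F12_5, GENDER_F25 = 0x00, 0x1F, 0x3F
GENDER_F50, GENDER_F75, GENDER_F100, GENDER_UNKNOWN = 0x7F, 0xBF, 0xFE, 0xFF

# Shiny in Gen 2: Defense, Speed and Special DVs are all 10 and the attack DV
# has bit 1 set, i.e. one of 2, 3, 6, 7, 10, 11, 14, 15.
SHINY_ATK_DVS = frozenset(a for a in range(16) if a & 0b0010)

def unpack_dvs(byte1, byte2):
    """(atk, def, spe, spc) from the two packed DV bytes."""
    return byte1 >> 4, byte1 & 0xF, byte2 >> 4, byte2 & 0xF

def is_shiny(atk, dfn, spe, spc):
    return atk in SHINY_ATK_DVS and dfn == spe == spc == 10

def gender(atk, ratio):
    """Gender from the attack DV: female when atk<<4 does not exceed the
    species' ratio byte, so a 50/50 species is female for attack DVs 0-7."""
    if ratio == GENDER_UNKNOWN:
        return "genderless"
    if ratio == GENDER_F0:
        return "male"
    if ratio == GENDER_F100:
        return "female"
    return "female" if (atk << 4) <= ratio else "male"

def shiny_female_atk_dvs(ratio):
    """Attack DVs that keep the Pokémon both shiny and female for this ratio."""
    return {a for a in SHINY_ATK_DVS if gender(a, ratio) == "female"}

def describe(byte1, byte2, ratio):
    atk, dfn, spe, spc = unpack_dvs(byte1, byte2)
    return {"dvs": (atk, dfn, spe, spc),
            "shiny": is_shiny(atk, dfn, spe, spc),
            "gender": gender(atk, ratio)}

if __name__ == "__main__":
    # Constructed DV bytes: attack DV 14 versus attack DV 2, both shiny sets.
    print(describe(0xEA, 0xAA, GENDER_F50))   # atk 14 -> shiny but male
    print(describe(0x2A, 0xAA, GENDER_F50))   # atk 2  -> shiny and female
    for ratio in (GENDER_F12_5, GENDER_F25, GENDER_F50, GENDER_F75):
        print(f"ratio {ratio:#04x}: shiny+female attack DVs "
              f"{sorted(shiny_female_atk_dvs(ratio))}")
```

For a 1/8-female species (ratio $1F) no shiny attack DV is female, which is why the answer says "most" Pokémon rather than all.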

Storyreader21

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #100 on: October 19, 2017, 02:26:08 pm »
Thanks. That did it.

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #101 on: October 19, 2017, 04:52:02 pm »
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange, changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1, without modifying the item itself, be possible?

Appreciate all the work you guys do, it's really impressive.
« Last Edit: October 19, 2017, 04:57:41 pm by hobgoblinpie »

Couldntthinkofaname

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #102 on: October 19, 2017, 06:21:43 pm »
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange, changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1, without modifying the item itself, be possible?

Appreciate all the work you guys do, it's really impressive.

Regarding question 1:
Box 1: A09é(female symbol)455
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84p'd555

This is a slightly modified version of Torchicken's code.

Also, this doesn't work with the coin case, only TM25 in the balls pocket

Regarding question 2: Can you please post the entire box code? Box 2 loads register a into $f6af, but register a was defined in box 1.

« Last Edit: October 19, 2017, 06:48:19 pm by Couldntthinkofaname »

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #103 on: October 20, 2017, 07:04:35 am »
Finished a code to create a Celebi with its usual egg moves (Leech Seed, Recover, Confusion, Heal Bell).
Just to make it easier to get a legal moveset once Pokémon Bank finally comes to Gold/Silver VC.

First you need to run FMK's one-off code (if you haven't done so already). (No longer required)

Afterwards, use the following code twice, which on the second run will change your first Pokémon into Celebi with the moves Leech Seed, Recover, Confusion & Heal Bell.
Code:

Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é×2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): éZ×'v'vé'm2 (LD [99f1], A; SUB d6; LD [d2f8], A | A->2a)
Box14($D934 to $D93C): .9'l'l'l'lx'd (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
You still need to give it to the day care/hatch the egg to get a "proper" Celebi.
Edit: changed to reduce menu-lag on execution and remove the requirement for the one-off code.

Note:
Due to space requirements I changed the name of Box 13. You have to change it back to the one-off code name when using a different code.
Also: don't touch the name of Box 14!


Edit:
If you use TM25 (or TM17, I'm not discriminating) from the balls pocket use the following code instead:
Code:
Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é×2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): 'v'vé'm25x'd (SUB d6; LD [d2f8], A; OR A; RET NC | A->2a)
Box14 can be left blank/doesn't matter.
« Last Edit: November 03, 2017, 08:08:49 am by spamviech »

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #104 on: October 20, 2017, 07:22:37 am »
That's good stuff, I found this video helpful for getting Celebi's egg moves though:

https://www.youtube.com/watch?v=KdpbBYio-T0