Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 46300 times)


Dragon Arbock

  • Oldschool Glitch Hobbyist
  • GCLF Member
  • Charizard 'M is best Charizard
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #135 on: October 22, 2017, 08:22:13 pm »
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.
« Last Edit: October 22, 2017, 08:28:34 pm by Dragon Arbock »

Who remembers TRsRockin?

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #136 on: October 22, 2017, 08:29:42 pm »
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.

Yeah, you can probably use your code along with FMK's one-off code. I haven't tried it for myself, but I don't see any reason why it wouldn't work.

Thanks for the reference!
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Dragon Arbock

  • Oldschool Glitch Hobbyist
  • GCLF Member
  • Charizard 'M is best Charizard
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #137 on: October 22, 2017, 09:57:51 pm »
'welcome.

And well, I trial and errored my way into what I wanted to know.
I took a shiny code, and cut off the bottom three Box names so it looks like this;
Ap0'd'vR55
é'm2pp0é5
éA4p0'd'vQ
é?2p0k55
55éA4ppp
Then the rest was taken up by 5s and FMK's code at the bottom. It turned my Ditto shiny, but still corrupted box 3's name. But I'm assuming (cause I don't know), the last relevant bit of code is éA4p, then the rest was terminating code?
I actually tried it the first time without 55éA4ppp (so only 4 Box names) and that didn't change the special and speed, so that's why I'm guessing.

Edit;
Seems like it. Shortened the modify pokemon code down to work as such
Quote
Box 1:  A  p  0  k 'v  A  5  5
Box 2:  é 'm  2  p [x  x  x  x]
Box 3:  é  A  4  p '5  5  5  5   
[filler 5s]
[box 13 and 14 unchanged from FMK's]
« Last Edit: October 23, 2017, 12:13:07 am by Dragon Arbock »


FMK

  • GCLF Member
  • Mysterious
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #138 on: October 23, 2017, 12:33:24 am »
'welcome.

And well, I trial and errored my way into what I wanted to know.
I took a shiny code, and cut off the bottom three Box names so it looks like this;
Ap0'd'vR55
é'm2pp0é5
éA4p0'd'vQ
é?2p0k55
55éA4ppp
Then the rest was taken up by 5s and FMK's code at the bottom. It turned my Ditto shiny, but still corrupted box 3's name. But I'm assuming (cause I don't know), the last relevant bit of code is éA4p, then the rest was terminating code?
I actually tried it the first time without 55éA4ppp (so only 4 Box names) and that didn't change the special and speed, so that's why I'm guessing.

That's correct, yeah.

As a general rule of thumb, é*2 (Where * can be anything) will usually mean box names are being modified. éA* (Where * can, again, be anything; But most of the time is 4) is also, usually, the target of the prior name change.

So in this case, é'm2 of Box 2 is changing the éA4's A of Box 3, and é?2 of Box 4 is changing the éA4's A of Box 5. (While the modified éA4's are changing values elsewhere, of course)


As an additional rule of thumb, for codes not designed with my one-off code in mind, if you ignore all the 5's in Box names, once you see p 'v 7 'v 'd é * 2 p é D 9 'l 'l A 'l x 'd (Where * can be anything), that's where you can usually stop inputting the written box names, and just use 5's, if you've already used my one-off code.

But to confirm, yes, all Coin Case codes work after using my one-off code without modification, even if they weren't specifically made for it.


On a related note, to modify a TM25 code to work with Coin Case (If you've used my one-off code), it's as simple as replacing the final 'd of a code with a 5.

Dragon Arbock

  • Oldschool Glitch Hobbyist
  • GCLF Member
  • Charizard 'M is best Charizard
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #139 on: October 23, 2017, 12:41:03 am »
Alright thanks, I'll try to keep that in mind when adapting things to fit with your code.
(Been wondering too, is there any place we should be compiling all this information in a more organized manner?)

Also completely frivolous, but I saw someone did this in gen 1 and I was wondering if it would work here- can I modify a pokemon's type? If I wanted to make a pokemon with one type a secondary dragon type, how would I go about doing that- and would it remain if I put it in a PC? Cause if not, probably not worth the trouble.
« Last Edit: October 23, 2017, 12:41:33 am by Dragon Arbock »


spamviech

  • GCLF Member
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #140 on: October 23, 2017, 03:31:36 am »
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.

Great work.  :)

Also completely frivolous, but I saw someone did this in gen 1 and I was wondering if it would work here- can I modify a pokemon's type? If I wanted to make a pokemon with one type a secondary dragon type, how would I go about doing that- and would it remain if I put it in a PC? Cause if not, probably not worth the trouble.

Don't think it's possible. Doesn't look like typing is stored separately for each single Pokémon.

Nostalgia

  • GCLF Member
  • Gender: Male
  • ?
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #141 on: October 23, 2017, 06:00:16 am »
Here's a quick-and-dirty TM 25 Ball Pocket code that I made to teach Ice Beam to Pokemon 5. Due to character limitations, I was restricted to the fourth move, so make sure Pokemon 5 has at least 3 moves before using.

Box 1: Ap0?'vm55
Box 2: é(male)4p'd555

Here's the same code, but for use with the Coin Case (ensure to use FMK's one-off code)
Box 1: Ap0?'vm55
Box 2: é(male)455555
Box 3+ :55555555
Box 13: Leave Unchanged (FMK's Code)
Box 14: Leave Unchanged (FMK's Code)

I have not tested the Coin Case version (I prefer to use TM 25), but it should work as described. If it doesn't, please let me know.

Thanks it worked. Though I used your code first before I read spamviech's post so I ended up teaching my Jolteon Ice Beam instead of Thunderbolt, but I quickly fixed that haha.

The only other moves I was interested in were Double-Edge and Rock Slide, but seeing as Dragon Arbock has posted codes for all moves I guess I'll follow that.

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #142 on: October 23, 2017, 06:03:56 am »
^Glad I could help  :)

spamviech

  • GCLF Member
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #143 on: October 24, 2017, 04:09:12 am »
As a general rule of thumb, é*2 (Where * can be anything) will usually mean box names are being modified. éA* (Where * can, again, be anything; But most of the time is 4) is also, usually, the target of the prior name change.

Just for reference I have a small list of directly reachable box name characters. Since it could become confusing with later used codes I left out terminator characters, since I don't know how they are handled. Terminator characters (normally 0x50, or 80 in decimal (LD D,B)) are written after the | character.
To use it load the desired value into register A using XOR A (p), SUB ('v), OR (0) and AND (?) instructions and then use é*2 where you replace * with the desired character in the list below.
Places with _ are not directly reachable.

Code:
Box 1($D8BF to $D8C7): _ _ _ _ _ _ _ _|_
Box 2($D8C8 to $D8D0): _ _ _ _ _ _ _ _|'d
Box 3($D8D1 to $D8D9):'l'm'r's't'v _ _|_
Box 4($D8DA to $D8E2): _ _ _ _ _ _ _Pk|Mn
Box 5($D8E3 to $D8EB): - _ _ ? ! . & é|_
Box 6($D8EC to $D8F4): _ _ _ ♂ _ × _ /|,
Box 7($D8F5 to $D8FD): ♀ 0 1 2 3 4 5 6|7
Box 8($D8FE to $D906): 8 9 _ _ _ _ _ _|_
Box 9($D907 to $D90F): _ _ _ _ _ _ _ _|_
Box10($D910 to $D918): _ _ _ _ _ _ _ _|_
Box11($D919 to $D921): _ _ _ _ _ _ _ _|_
Box12($D922 to $D92A): _ _ _ _ _ _ _ _|_
Box13($D92B to $D933): _ _ _ _ _ _ _ _|_
Box14($D934 to $D93C): _ _ _ _ _ _ _ _|_


Edit:
Something else I found after poking around a bit:
Though Coin Case gives you a corrupted stack and the game would glitch dimension/freeze after ret, you can solve the issue by using the following edits as part of a footer in your code.

Code:
xor a         ; A = 0
ld (ff83),a   ; store 0 at $FF83
pop de        ; discard two bytes of the corrupted stack
pop de        ; discard two more bytes
inc sp        ; skip one byte (opcode $33; see the catch below)
pop de        ; discard two more bytes
or a          ; clears the carry flag
ret nc        ; carry is clear, so this always returns

(Found from deconstructing the box name code here).

There is one catch and something you need to know:

inc sp (hex:33) cannot normally be represented by box characters. However, you can get the ID for inc sp with the following: xor a;  sub fd; sub d0 and then use ld (xxyy),a to self-modify your code to add an inc sp.

This method also has a bad side effect of slowing menus down to an extreme, but after closing the menu if you hold down A and tap down you will be able to move the cursor to SAVE, mash A to save the game and reset the game to bring things back to normal.
If you check the box name code on the speedrun page you may notice a version for less laggy credits. The only difference is éZ× (LD [f199], A; A is still at value 0).
If you incorporate this in your code the menu lag is no longer present. Only thing which might require a reset is that the player character is still invisible.

To include this into FMK's one-off code it would then look like this:
Code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)
Usage stays the same as before.
« Last Edit: November 03, 2017, 08:17:46 am by spamviech »
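The two rules of thumb in this thread (FMK's "é*2 modifies a box name, éA* is usually its target" in Reply #138, and spamviech's "build A with p, 'v, 0 and ? then store it with é*2" above) can be checked mechanically. The following is an added example, not code from the thread: it simulates the accumulator through a box-name token list and works out which box-name byte an é*2 store lands on. It assumes the standard Gen 2 English character codes listed in CHARMAP, that Game Boy echo RAM ($E000-$FDFF) mirrors $C000-$DDFF, and the $D8BF box-name base from spamviech's table.

```python
# Added example (not code from this thread): checks the two rules of thumb above.
# Assumption: standard Gen 2 English character codes, only the characters needed here.
CHARMAP = {"A": 0x80, "p": 0xAF, "w": 0xB6, "'d": 0xD0, "'l": 0xD1, "'m": 0xD2,
           "'v": 0xD6, "?": 0xE6, "é": 0xEA, "0": 0xF6, "2": 0xF8, "4": 0xFA,
           "5": 0xFB, "7": 0xFD}
# Game Boy opcodes the thread names, keyed by byte value.
OPCODE_NAMES = {0x33: "INC SP", 0x50: "LD D,B", 0xAF: "XOR A", 0xD6: "SUB n",
                0xE6: "AND n", 0xEA: "LD (nn),A", 0xF6: "OR n"}
BOX_NAMES_BASE = 0xD8BF  # Box 1 starts here per spamviech's table (assumption)
BOX_STRIDE = 9           # 8 characters plus one terminator byte
NUM_BOXES = 14

def tokens_to_ops(tokens):
    """Box-name tokens -> (mnemonic, immediate): p = XOR A, 'v n = SUB, 0 n = OR, ? n = AND."""
    ops, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "p":
            ops.append(("xor a", 0))
            i += 1
        elif tok in ("'v", "0", "?"):
            mnemonic = {"'v": "sub", "0": "or", "?": "and"}[tok]
            ops.append((mnemonic, CHARMAP[tokens[i + 1]]))  # next token is the operand byte
            i += 2
        else:
            raise ValueError(f"not an accumulator instruction: {tok!r}")
    return ops

def run_accumulator(ops):
    """Simulate the 8-bit accumulator A through ops; arithmetic wraps at 256 like the CPU."""
    a = 0
    for mnemonic, imm in ops:
        if mnemonic == "xor a":
            a = 0
        elif mnemonic == "sub":
            a = (a - imm) & 0xFF
        elif mnemonic == "or":
            a |= imm
        elif mnemonic == "and":
            a &= imm
        else:
            raise ValueError(f"unsupported mnemonic {mnemonic!r}")
    return a

def write_target(tokens):
    """For an 'é X Y' store (LD (nn),A; X = low byte, Y = high byte) return
    (wram_addr, box, position).  Assumption: $E000-$FDFF is echo RAM mirroring
    $C000-$DDFF, so 'é X 2' stores to $F8xx and really changes $D8xx in the
    box-name table.  position is 1-based (9 = terminator); both are None when
    the store lands outside the table (e.g. an éA4 store going to $DA80)."""
    if len(tokens) != 3 or tokens[0] != "é":
        raise ValueError("expected an 'é X Y' store")
    addr = (CHARMAP[tokens[2]] << 8) | CHARMAP[tokens[1]]
    wram = addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr
    offset = wram - BOX_NAMES_BASE
    if not 0 <= offset < BOX_STRIDE * NUM_BOXES:
        return wram, None, None
    return wram, offset // BOX_STRIDE + 1, offset % BOX_STRIDE + 1
```

For Box 2 of the one-off code, `run_accumulator(tokens_to_ops(["p", "'v", "7", "'v", "'d"]))` gives 0x33 (INC SP), and `write_target(["é", "'m", "2"])` reports Box 3, character 2, which is the A of éA4p in the shiny code.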

Evie ✿

  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #144 on: October 24, 2017, 06:50:56 am »
If you check the box name code on the speedrun page you may notice a version for less laggy credits. The only difference is éZ× (LD [f199], A; A is still at value 0).
If you incorporate this in your code the menu lag is no longer present. Only thing which might require a reset is that the player character is still invisible.

To include this into FMK's one-off code it would then look like this:
Code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)
Usage stays the same as before.
Ah that's great. I wasn't aware of that. Thanks! :)
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Skeef

  • GCLF Member
  • Eek!
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #145 on: October 24, 2017, 01:26:23 pm »
Say, does anyone know how to enable walk through walls in gen 2? Or know what address to edit for it?

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #146 on: October 24, 2017, 02:43:24 pm »
Say, does anyone know how to enable walk through walls in gen 2? Or know what address to edit for it?

Unfortunately, there doesn't appear to be an in-game address that disables collisions.

Evie ✿

  • Administrator
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #147 on: October 24, 2017, 03:30:09 pm »
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall. However these addresses will be reset after taking a step, so if you want to do this with arbitrary code execution it must be done with something like many uses of wrong pocket TM/HM code execution (as Coin Case requires moving in a specific pattern), or "real time arbitrary code execution".
« Last Edit: October 24, 2017, 03:31:10 pm by Torchickens »

Couldntthinkofaname

  • Zeta
  • GCLF Member
  • The default personal text makes no sense
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #148 on: October 24, 2017, 05:29:45 pm »
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall. However these addresses will be reset after taking a step, so if you want to do this with arbitrary code execution it must be done with something like many uses of wrong pocket TM/HM code execution (as Coin Case requires moving in a specific pattern), or "real time arbitrary code execution".


Usually when I try writing to the OAM DMA, the game ends up crashing.

Maybe I'm missing something.

EDIT: Just tried it again, worked fine. Can't recall what I did wrong initially.
« Last Edit: October 24, 2017, 05:35:03 pm by Couldntthinkofaname »

SatoMew

  • Member+
  • Gender: Female
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #149 on: October 24, 2017, 05:31:59 pm »
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall.

I usually set those addresses to 00 out of habit and it works, but I'm not sure how exactly the various values differ.