Glitch City Laboratories Forums

Lab γ: Video Games and Glitches Discussion => Pokémon Glitch Discussion => Generation II Glitch Discussion => Topic started by: Sanqui on July 10, 2013, 06:46:32 am

Title: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sanqui on July 10, 2013, 06:46:32 am
Hello all!  I was going to hold off releasing this until I make an actual "hello world"-like proof of concept, but I don't think you guys need one, and I bet you'll try to do some cool stuff with it yourself.

So, this exploit allows you to execute arbitrary code on (i.e., jailbreak) the English version of Pokémon Gold.  Unfortunately, it is much more limited than the 8F item (http://forums.glitchcity.info/index.php/topic,6638.0.html) you have grown to like from Gen 1, but it's still pretty nifty, and might pave the way to a better exploit!

Long explanation

To explain.  You have probably heard of the coin case glitch, where if you speak to the Machop in Vermilion and open the coin case, the game crashes.  But I haven't found anybody actually studying what the game does, so I traced it and figured out why it happens.
In short, I believe the translators messed up.  The text script for the Coin Case ("Coins: 1234") ends in a $57, which while a valid text ending byte, is not a valid text script byte.  (The correct one would've been $50.)  Since after printing the number, the game is in text script mode, the game reads an invalid pointer and, surprise, jumps into memory at $e112 (since that's ECHO RAM, it's essentially $c112).  This section of RAM is used by cries.  Most of the time, it's filled by zeroes, and by sheer luck ends in a ret.  But if you play a cry immediately before opening the Coin Case, the memory will be tainted.
Most cries don't do much, some return successfully, some mess with the text a bit.  Machop's cry is special, because it happens to contain inc sp.  This causes the ret to go elsewhere, specifically, $eb12, which contains some overworld stuff...  Specifically, as you move around, it has tile attributes for the window tilemap.  The contents are mostly unpredictable, but consistent if you move in a specific pattern, which will lead us to $FA98 (again, ECHO RAM, so essentially $DA98).  This is in the middle of the third party Pokémon's data, which is already something we can sanely work with!  You could probably hunt a Pokémon with specific EVs and stats in order to construct some opcodes, but I opted for picking a Pokémon whose data doesn't do anything and slides through to the fourth Pokémon. 
The first three bytes of a Pokémon are species, item and first move.  Thus, we can construct a Pokémon which "jumps" somewhere useful.  I picked the PC box for this purpose: $D61A, which is the second boxed item's amount.
So, now we can get the game to execute what we can control.  Unfortunately, like I warned, this method is extremely limited.  Since the arbitrary code on the way tampered with the stack and random memory, one would have to carefully reconstruct these in order to return control *back* to the game after opening the Coin Case.  It should be possible, but I didn't explore this.  So, for now, this is a one-way trip.

Preparation
Get a Quagsire with HP Up and Sleep Talk as the first move.  Put it fourth in party.
Put a valid slide Pokémon in slot 3.  A low-level freshly caught or hatched Pokémon should work.  (The Pokémon's data CANNOT have code which changes code flow, such as jumps, calls or rets.)
Build the code you want to execute in the PC, starting from the second item's count.

Exploit
You MUST move in specific ways, though there may be other methods.
0. Prepare everything.
1. Save & Restart, or step through a warp.
2. Take a step down and four steps right.  (Three to the left might work, too?)
For example, if you were performing this trick from Elm's lab (the traditional method), you'd be standing here:
(http://sanqui.sweb.cz/screen/2013071014%3A44%3A34bgb-POKEMON_GLDAAUE-ab16.png)
3. Listen to Machop's cry (I used the Pokédex, but party should work too)
4. Open the bag and change pockets at least once
5. Open the Coin Case
At this point, the game does a ton of wacky stuff and eventually jumps to $D61A, which should contain your code!
The state is (but it might depend on your slide Pokémon):
af=2800  bc=0f0f  de=0600  hl=1c2f  sp=dfbc  pc=d61a  rom=66
Interrupts DISABLED (?)

Final words
I don't believe this exploit works on the Japanese version, but I haven't tested.  It was definitely fixed in Crystal.  It also may have been fixed in other language revisions.

I hope to see some cool stuff done with this, but I do realize that the set up is kind of annoying.  Have fun, anyway.

—Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case Glitch
Post by: TheZZAZZGlitch on July 11, 2013, 02:37:14 am
That's awesome. And I thought Gen II was written well.
I did some more research into this, and I have a lot to say:

First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by player's money and item availability.

A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once, as in this example:

Bag opens and starts in the Items pocket: just go to Key Items and use Coin Case.
Bag opens and starts in the Key Items pocket: go to any pocket first, then go back to Key Items and use Coin Case.

This is required since playing the "pocket switch" sound changes bytes at $E162 to {0x08,0x00,0x00} - ld (0000),sp; otherwise, the bytes are left with values {0x20,0x10,0x00} - jr nz,E174 - which causes the game to skip important code parts.

About a "slide Pokemon": It seems that any low level Pokemon will do the trick. Those little critters will probably not have any stats/IVs bigger than 32, and thus, they should not be able to change the code flow.

Now it's time to end the boring part and do something amazing with it!

Doing something useful seems impossible, since after all this the stack is severely messed up. However, there is a small trick that will bring everything back to order:

Code:
inc  sp
ld   bc,$0134
push bc
jp   12f5

The first [inc sp] negates the effects of the previous [inc sp]. After this, the stack will look like this:

     Return address to the Coin Case script
SP-> Text loading routine: saved register AF
     *Text loading routine's saved register HL should be there*
     *Return address to the text reading routine should be there*


Then, I push a value $0134 into the location where text reading function's saved register HL was supposed to be, and I jump back where the text reading routine is located ($12F5). The game is now tricked into thinking it was reading text data from $0134. On a normal clean ROM, address $0134 always contains value $50 - so the text routine thinks that text data is over and returns control back to the game. Mission accomplished!

Hello World:

This is an example program, which will display the first Pokemon's nickname instead of the amount of coins, as long as this nickname is less than 10 characters:

(http://i40.tinypic.com/qo83nd.jpg)

Because of many restrictions, most of the code is just elaborate ways of doing nothing, just to pad the memory and make the program representable with items.

Code:
WRA1:D61A 26 DA            ld   h,DA      ; hl = $DA??
WRA1:D61C 02               ld   (bc),a    ; * do nothing
WRA1:D61D 24               inc  h         ; hl = $DB??
WRA1:D61E 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D621 B5               or   l         ; * do nothing
WRA1:D622 2E 8A            ld   l,8A      ; hl = $DB8A
WRA1:D624 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D627 AF               xor  a         ; a = $00
WRA1:D628 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D62B 22               ldi  (hl),a    ; $DB8A = $00, HL = $DB8B
WRA1:D62C 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D62F 0B               dec  bc        ; * do nothing
WRA1:D630 3E 27            ld   a,27      ; a = $27
WRA1:D632 07               rlca           ; a = $4E
WRA1:D633 B8               cp   b         ; * do nothing
WRA1:D634 3C               inc  a         ; a = $4F
WRA1:D635 02               ld   (bc),a    ; * do nothing
WRA1:D636 22               ldi  (hl),a    ; $DB8B = $4F, HL = $DB8C
WRA1:D637 9E               sbc  a,(hl)     ; * do nothing
WRA1:D638 33               inc  sp        ; bring the stack back to order
WRA1:D639 2B               dec  hl        ; hl = $DB8B
WRA1:D63A 2B               dec  hl        ; hl = $DB8A
WRA1:D63B E5               push hl        ; make the game read text from $DB8A
WRA1:D63C 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D63F 26 12            ld   h,12      ; hl = $128A
WRA1:D641 B7               or   a         ; * do nothing
WRA1:D642 2E F5            ld   l,F5      ; hl = $12F5
WRA1:D644 01 ?? ??         ld   bc,????   ; * do nothing
WRA1:D647 E9               jp   hl        ; jump to $12F5 (print the text and return control)
WRA1:D648 01 FF 01         ld   bc,01ff   ; leftovers (last item's qty and end of list marker)

Represented as items:

[ANY ITEM]                 x[ANY QUANTITY]
[ANY ITEM]                 x38
TM27                       x2
Nugget                     x1
[ANY ITEM]                 x[ANY QUANTITY]
Surf Mail                  x46
Charcoal                   x1
[ANY ITEM]                 x[ANY QUANTITY]
Squirtbottle               x1
[ANY ITEM]                 x[ANY QUANTITY]
Leaf Stone                 x1
[ANY ITEM]                 x[ANY QUANTITY]
Ice Heal                   x62
Revive                     x7
Lovely Mail                x60
Ultra Ball                 x34
Flower Mail                x51
Max Repel                  x43
TM37                       x1
[ANY ITEM]                 x[ANY QUANTITY]
Full Heal                  x18
Portraitmail               x46
HM03                       x1
[ANY ITEM]                 x[ANY QUANTITY]
TM41                       x1


A video here: http://www.youtube.com/watch?v=lB2ja6p-sjg
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case Glitch
Post by: Sanqui on July 11, 2013, 09:41:40 am
Quote
That's awesome. And I thought Gen II was written well.
It mostly is.  You can't blame the original programmers for this :P
Quote
First of all, it works. However, this is a lot more difficult to pull off and exploit. Mainly because of all those random factors - before the instruction pointer reaches its destination, it needs to go through many different addresses. Also, because there's no Missingno in G/S, there's no item duplication either, so the possibilities are severely restricted by player's money and item availability.
Indeed, but we may be able to use this exploit to duplicate items and generate new ones. 
Quote
A small thing about requirements: There is one necessity you forgot: Before using the Coin Case, it is required to change your bag pocket at least once
Nice catch!  This explains why I seemingly had to include the reset step: resetting the game makes the Bag start in the Items pocket.

Nice work about the hello world!  I was going to do one myself, but I got seriously annoyed by writing code in terms of items, even with the handy table I linked.  Maybe we could create some more useful bootstrapping routine?  I wonder if an exploit more similar to 8F could be found (one which could always be run with less setup), since we can edit anything in WRAM.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: camper on July 11, 2013, 10:48:40 am
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on July 11, 2013, 01:38:03 pm
—Sanqui/Sanky
P.S.: As a bonus, have this nifty table! http://pastebin.com/raw.php?i=arPmsvYu
P.P.S.: Have you people really got no real IRC channel I could hang out in?

Hi Sanqui, great work on discovering this! Glitch City has a temporary IRC that can be found here (http://client00.chat.mibbit.com/?server=irc.rizon.net&channel=%23desuempire). (original thread (http://forums.glitchcity.info/index.php/topic,6678.msg190041.html#msg190041))

Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

Actually, both item mutation and item duplication is possible with the duplicate Key Items exploit (http://www.youtube.com/watch?v=FZrFMi6B0jQ), which occurs when swapping one Key Item with another of the same type directly below it.

When a Pokémon is holding a Key Item (available via the Celebi glitch), taking it places it into the Key Items pocket. You can only have quantities greater than 99 in the Key Items pocket though, as the only way of 'moving them into the Items pocket' is depositing them into the PC (note Key Item quantities never decrease) and withdrawing them.

For convenience, I'll re-post the important parts from the description.

There are two different kinds of effects which I'll label (1) and (2):

1) If the sum of the first Key Item's index number and the item below the second Key Item is less than or equal to 100, then the second item identifier becomes equal to the index number of the Key Item plus that of another item directly underneath the item swapped. Its quantity is determined by what was the item identifier of the third item.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Card Key (index no. 127)
Basement Key (index no. 133)
CANCEL (index no. 255)

If we swap the first Lost Item with the second, we lose the original second Lost Item and the Card Key, but the second Lost Item will turn into a Master Ball with quantity 133 (Basement Key's index number). The reason why the second item turns into a Master Ball in this example is because the Card Key is index number 127 (7F) and the Lost Item is index number 130 (82). Adding these together gives 257, but since items are defined by one byte, this becomes 257 modulo 256 or 1, which is Master Ball's index number.

Therefore we get:

Lost Item (index no. 130)
Master Ball (index no. 257 == 1) x133
CANCEL (index no. 255)

2) If the sum of the first Key Item's index number and the item below the second Key Item is greater than 100, then the third item is not lost, but becomes a BLK Apricorn (index no. 99). The second item identifier becomes equal to that of the sum of the first Key Item index number and the original third item minus 99. Its quantity is derived from the new third item identifier.

For example, consider the following Key Items pack:

Lost Item (index no. 130)
Lost Item (index no. 130)
Master Ball (index no. 1) x7
Bicycle (index no. 7)
CANCEL

If we swap the first Key Item with the second this gives us:

Lost Item (index no. 130)
Rare Candy (index no. 32 [130+1-99] )
BLK Apricorn (index no. 99)
Bicycle (index no.7)
CANCEL (index no. 255)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: krynxe on October 03, 2013, 01:17:57 am
Well, ZZAZZglitch posted a very interesting video (http://www.youtube.com/watch?v=6MYSwy2_PUU). Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 03, 2013, 04:50:16 am
Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Certain cries give different effects. There is an incomplete list of typical effects here (http://bulbapedia.bulbagarden.net/wiki/Coin_Case_glitches#Glitches_caused_by_each_Pok.C3.A9mon_cry) by Rsrdaman.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: MrWint on October 03, 2013, 10:18:53 am
Nice find, Sanqui, it has quite the potential.

I looked into the glitch a bit and want to share what I found out so far.

The RAM at $C112 and onwards belongs to the parameters of the SFX channels 5-8. These parameters are reset frequently (e.g. every time you enter a new area, including after trainer battles), so you can't store sound effects. Also, certain sounds only use certain channels, leaving the others untouched. For example, the menu opening sound and the item page switch sound only use channel 8. That is why they don't override the cry and the trick works at all.
I tested all sound effects and cries, only very few are useful:
All of them do the same thing, they corrupt the stack with "inc sp" and jump to $EB12. The content of the registers differs slightly depending on the Pokémon used and the data of channel 8.

From $CB12, the code proceeds to $CC20, where the next interesting RAM content is. In addresses $CC20-$CC48 background tiles are stored. More specifically, the tiles that are loaded whenever the player moves. Each time you go a step, the newly visible tiles need to be loaded, and this is the buffer they are stored in before copying them to VRAM. When moving vertically, these are 40 tiles (20x2) and when moving horizontally it is 36 tiles (2x18). Addresses $CC48-$CC70 contain the corresponding palettes (tiles are 2bit, the palette defines the color scheme). None of these are too interesting, the values are usually too small to change the code flow, the most interesting thing you can do here is calling "inc sp" or "dec sp" to fix the stack.

The really interesting data follows, $CC70-CC98 contains pointers to VRAM addresses where the newly loaded tiles are inserted in the BG map. The BG map is a 32x32 tile buffer located at $9800-$9C00 which holds the current background tiles. It features a "window", that defines the (20x18 tiles) portion of the buffer that is actually visible on screen. When moving, the new tiles are inserted at the respective edge of the window and then the window moves smoothly to that side to create the moving effect. Each pointer describes a 2x1 tile area, so there are half as many pointers as tiles to insert. I saw in your screenshot that you are using BGB, it has a nice visualization of the BG map (look for "vram viewer" in the menu), it helps to see what is going on.
Fortunately, the window is reset very often, every time anything partially covers the screen (including battles, entering a map, opening the menu, talking to an NPC, ...), so it's easy to manipulate.
The addresses you used in your example are $98DA, $98FA, which spell out to "jp c,$FA98". You can get other addresses as well, but they all end on $98-$9B, since these are the values the pointers can have.
The most important conclusion is that you can generate this jump everywhere, not just in New Bark. For example, you can just reset your window (e.g. by opening the menu) and then use the same choreography as in New Bark (1x down, 4x right) to get the same addresses and therefore the same jump. However, you need to make sure that the carry flag is set, otherwise you won't jump.

From there on, you have enough manipulation options to execute arbitrary code.
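The item lists in this thread are hand-assembled instruction streams, and the loose bytes quoted along the way ($08 00 00 and $20 10 00 at $E162 in TheZZAZZGlitch's post, the two BG-map pointers $98DA/$98FA that MrWint reads as jp c,$FA98) are easier to check by machine than by eye. The Python below is an added example, not code from the thread or from any of its posters: it encodes a PC-box item list the way the game stores it (item id, quantity pairs terminated by $FF; Sanqui places the second item's quantity at $D61A, so item 1's id sits at $D617), disassembles the result with a minimal SM83 decoder that covers the opcodes used in this thread, and checks that TheZZAZZGlitch's hello-world list reproduces his listing. The item indices were read off the byte columns of the posted listings; that table is my partial reconstruction, not a complete Gen II item list, and the Master Ball x1 filler for wildcard slots is my choice. The quantity check (1 to 99) is the practical constraint on this kind of code: any opcode that has to sit in a quantity slot must be $63 or lower.

```python
"""Added example, not code from the thread: encode a PC-box item list into the
bytes the game stores, then disassemble them with a minimal SM83 decoder.
Item indices were read off the byte columns of the listings posted here (e.g.
'TM27 x2' sits where the bytes DA 02 are); the table is a partial reconstruction."""

ITEMS = {"Master Ball": 0x01, "Ultra Ball": 0x02, "Great Ball": 0x04, "Pokeball": 0x05,
         "Ice Heal": 0x0B, "Awakening": 0x0C, "Paralyz Heal": 0x0D, "Full Restore": 0x0E,
         "Super Potion": 0x11, "Escape Rope": 0x13, "Repel": 0x14, "X Accuracy": 0x21,
         "Leaf Stone": 0x22, "Nugget": 0x24, "Full Heal": 0x26, "Revive": 0x27, "Max Repel": 0x2B,
         "Fresh Water": 0x2E, "X Defend": 0x33, "Blu Apricorn": 0x59, "Stick": 0x69,
         "NeverMeltIce": 0x6B, "Spell Tag": 0x71, "Focus Band": 0x77, "Charcoal": 0x8A,
         "Flower Mail": 0x9E, "Sun Stone": 0xA9, "Squirtbottle": 0xAF, "Surf Mail": 0xB5,
         "Portraitmail": 0xB7, "Lovely Mail": 0xB8, "TM06": 0xC5, "TM07": 0xC6, "TM12": 0xCB,
         "TM27": 0xDA, "TM37": 0xE5, "TM41": 0xE9, "TM42": 0xEA, "HM03": 0xF5, "HM07": 0xF9}
ANY = "ANY"  # wildcard slot: the instruction stream does not depend on it


def encode_box(entries, filler=(0x01, 1)):
    """Serialise (item, qty) pairs as the PC stores them: id, qty, ..., $FF.
    Wildcards become the filler (Master Ball x1, my choice)."""
    out = bytearray()
    for name, qty in entries:
        out.append(filler[0] if name == ANY else ITEMS[name])
        if qty == ANY:
            qty = filler[1]
        if not 1 <= qty <= 99:  # a stack tops out at 99: a qty slot can only hold $01-$63
            raise ValueError("quantity %r of %s is not storable" % (qty, name))
        out.append(qty)
    out.append(0xFF)  # end-of-list marker
    return bytes(out)


def code_bytes(entries, entry_offset=3):
    """Bytes from the entry point on.  Offset 3 (2nd item's quantity) is $D61A when
    item 1's id sits at $D617; the Protein variant enters one byte later (offset 4)."""
    return encode_box(entries)[entry_offset:]


# minimal SM83 disassembler: tables indexed by the opcode's bit fields (x=op>>6, y, z)
R8 = ["b", "c", "d", "e", "h", "l", "(hl)", "a"]
R16 = ["bc", "de", "hl", "sp"]
R16_STK = ["bc", "de", "hl", "af"]
CC = ["nz", "z", "nc", "c"]
ALU = ["add a,", "adc a,", "sub ", "sbc a,", "and ", "xor ", "or ", "cp "]
CB_ROT = ["rlc", "rrc", "rl", "rr", "sla", "sra", "swap", "srl"]
MISC = {0x00: "nop", 0x07: "rlca", 0x0F: "rrca", 0x2F: "cpl", 0x37: "scf", 0x3F: "ccf",
        0x76: "halt", 0x02: "ld (bc),a", 0x12: "ld (de),a", 0x22: "ldi (hl),a",
        0x32: "ldd (hl),a", 0x0A: "ld a,(bc)", 0x1A: "ld a,(de)", 0x2A: "ldi a,(hl)",
        0x3A: "ldd a,(hl)", 0xC9: "ret", 0xE9: "jp hl", 0xF3: "di", 0xFB: "ei"}


def decode_one(buf, i, addr):
    """Decode the instruction at buf[i] (located at addr); return (mnemonic, size)."""
    op = buf[i]
    x, y, z = op >> 6, (op >> 3) & 7, op & 7
    n8 = buf[i + 1] if i + 1 < len(buf) else None
    n16 = buf[i + 1] | (buf[i + 2] << 8) if i + 2 < len(buf) else None
    try:
        if op in MISC:
            return MISC[op], 1
        if x == 0:
            if z == 1 and not y & 1:
                return "ld %s,$%04X" % (R16[y >> 1], n16), 3
            if z == 3:
                return ("dec " if y & 1 else "inc ") + R16[y >> 1], 1
            if z in (4, 5):
                return ("inc " if z == 4 else "dec ") + R8[y], 1
            if z == 6:
                return "ld %s,$%02X" % (R8[y], n8), 2
            if op == 0x08:
                return "ld ($%04X),sp" % n16, 3
            if z == 0 and y >= 3:  # jr: the displacement counts from the next instruction
                tgt = (addr + 2 + (n8 - 256 if n8 > 127 else n8)) & 0xFFFF
                return ("jr " if y == 3 else "jr %s," % CC[y - 4]) + "$%04X" % tgt, 2
        elif x == 1:
            return "ld %s,%s" % (R8[y], R8[z]), 1
        elif x == 2:
            return ALU[y] + R8[z], 1
        elif z == 5 and not y & 1:
            return "push " + R16_STK[y >> 1], 1
        elif z == 2 and y < 4:
            return "jp %s,$%04X" % (CC[y], n16), 3
        elif op == 0xC3:
            return "jp $%04X" % n16, 3
        elif op == 0xCB:  # prefixed rotates/shifts and bit operations
            cx, cy, cz = n8 >> 6, (n8 >> 3) & 7, n8 & 7
            head = CB_ROT[cy] + " " if cx == 0 else "%s %d," % (("bit", "res", "set")[cx - 1], cy)
            return head + R8[cz], 2
        elif z == 6:
            return ALU[y] + "$%02X" % n8, 2
    except TypeError:  # operand byte(s) missing at the end of the buffer
        pass
    return "db $%02X" % op, 1  # not decoded: emit the raw byte


def disasm(code, base):
    """Return [(addr, 'hex bytes', mnemonic), ...] for the whole buffer."""
    out, i = [], 0
    while i < len(code):
        mnem, n = decode_one(code, i, base + i)
        out.append((base + i, " ".join("%02X" % b for b in code[i:i + n]), mnem))
        i += n
    return out


# TheZZAZZGlitch's hello-world list from this thread, as (item, quantity) pairs
HELLO_WORLD = [(ANY, ANY), (ANY, 38), ("TM27", 2), ("Nugget", 1), (ANY, ANY),
               ("Surf Mail", 46), ("Charcoal", 1), (ANY, ANY), ("Squirtbottle", 1),
               (ANY, ANY), ("Leaf Stone", 1), (ANY, ANY), ("Ice Heal", 62), ("Revive", 7),
               ("Lovely Mail", 60), ("Ultra Ball", 34), ("Flower Mail", 51), ("Max Repel", 43),
               ("TM37", 1), (ANY, ANY), ("Full Heal", 18), ("Portraitmail", 46), ("HM03", 1),
               (ANY, ANY), ("TM41", 1)]
```

disasm(code_bytes(HELLO_WORLD), 0xD61A) gives the same addresses and mnemonics as the listing in TheZZAZZGlitch's post, with the wildcard positions showing up as the filler bytes inside ld bc operands; disasm(bytes([0xDA, 0x98, 0xFA, 0x98]), 0xCC70) shows MrWint's pointer pair decoding to jp c,$FA98. The later item lists in this thread can be fed to code_bytes the same way (entry_offset=4 for the Protein variant, which enters at $D61B).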
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: blahpy on December 09, 2013, 05:13:40 pm
Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on December 10, 2013, 09:40:30 am
Gold version TAS in 59:36.02 by TheZZAZZGlitch: http://tasvideos.org/4126S.html

I enjoyed that. There are parts that could probably be improved, like getting better DVs on Totodile to score KOs earlier or resetting earlier while cloning (it's possible to clone Pokémon a bit after the yes/no box disappears) but I think you did a good job overall, ZZAZZ.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Wack0 on December 10, 2013, 11:56:31 am
Btw, I just checked in European G/S and the bug is fixed (proper $50 terminator in all of FR/IT/DE/ES).

Figures.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sanqui on January 09, 2014, 07:33:12 am
Pokémon Gold can now be beat in under 50 minutes with the route I came up with (http://www.pokemonspeedruns.com/index.php/User:Sanqui/Gold_Coin_Case%25).  (I was kind of disappointed with the TASes, sorry!)

Here's a run in 49:49 by Dabomstew (WR at posting time): https://www.youtube.com/watch?v=c9EfVBGK-GU
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: TheZZAZZGlitch on January 09, 2014, 02:28:19 pm
Quote
I was kind of disappointed with the TASes, sorry!

No need to sorry, I am aware that my TAS attempts sucked hairy balls. It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.

Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.

Also, I don't really know why is that particular piece of code helpful or required:
Code:
xor a
(...)
ld [$ff83], a ; kill OAM DMA

Other than that, everything looks awesome. One day I'll try this out, to see if it works.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sanqui on January 09, 2014, 05:13:22 pm
It's great that there is a person who knows way more about speedrunning than me - thanks to you, the 'coin case speedrunning' idea won't get completely forgotten about. Much thanks. Very happy. So amaze. Wow.
Such coin case.
I have a very theoretical route for a TAS, too, but it's still in the works.  It would involve extremely heavy RNG abuse.  (And hopefully no boxes.)
Quote
Return TM is available in Goldenrod Dept. Store only on Sundays, I think it should be included in the basic steps.
Oh, right.  Thanks a bunch for reminding me of that person, by the way.  Not sure if I had remembered without having seen your TAS.
Quote
Also, I don't really know why is that particular piece of code helpful or required:
Code:
xor a
(...)
ld [$ff83], a ; kill OAM DMA

Other than that, everything looks awesome. One day I'll try this out, to see if it works.
I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-HRAM when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Wack0 on January 10, 2014, 09:08:51 am
I found that the fastest way to recover from coin case is popping thrice, after which a ret jumps into some vblank function, which calls the OAM DMA.  However, since it's performed outside of the proper time, the game accesses non-HRAM when it's forbidden to, and executes garbage data and most definitely crashes.  This is kind of unlucky since it's the ONLY thing I know of that bgb doesn't emulate, so I only figured out it does that when testing in Gambatte.  Anyway, obviously the simplest solution is to kill the DMA.

Remember a ret pops whatever's on the top of the stack into pc.
So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there..
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sanqui on January 10, 2014, 11:29:15 am
Remember a ret pops whatever's on the top of the stack into pc.
So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there..
I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e.  You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Wack0 on January 10, 2014, 02:14:45 pm
Remember a ret pops whatever's on the top of the stack into pc.
So you can push the address of whatever you want onto the stack, and a ret would make the pc transfer there..
I'm well aware, but the only push available with box names is push de, and there's no way to put anything into d or e.  You could of course write on the stack manually, but at that point it would take like four times as much code as three pops.

Ah.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Hālian on January 14, 2014, 05:34:49 pm
Well, ZZAZZglitch posted a very interesting video (http://www.youtube.com/watch?v=6MYSwy2_PUU). Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Video is private :(
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on January 15, 2014, 06:11:09 am
Well, ZZAZZglitch posted a very interesting video (http://www.youtube.com/watch?v=6MYSwy2_PUU). Always a pleasure to see what that guy comes up with next, haha

I'm glad to see some real practical use to the coin case here. And that phonecall to '999' that initiates the hall of fame is incredibly weird. This definitely piques my interest.

Also, I've noticed some videos posted here using machoke's cry instead of machop. They seem to yield the same results, but what about other cries?

Video is private :(

I think that was TheZZAZZGlitch's first TAS. You can still download the VBM file on the TASVideos submission page (http://tasvideos.org/4084S.html).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on April 26, 2014, 03:55:00 pm
*stickied*

I've found out how you can change TheZZAZZGlitch's alternative Celebi glitch (https://www.youtube.com/watch?v=SpfgOVfGVTo) to get ????? (FF) without the bad clone glitch so you can do the Johto guard glitch and other stuff!

It's actually a rather simple change. To understand it, use the old code and set a breakpoint for when the Game Boy jumps to D61A (item storage system item 2 quantity). Press F3 (or Fn+F3) multiple times, and then when the Game Boy jumps to WRA1:D626 (inc b), bc=FAF9, then next instruction [ld (hl),b] it's FB; Celebi's index number.

Basically, 'inc b' increments (increases 'b' by one), and in the items list there are two inc bs (Great Ball x4). All you need to do is have two more stacks of Great Ball x4 below it. That's 2x2 more addresses, and FB+4=FF.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Pirat3 on May 10, 2014, 06:43:47 am
Hey everyone,

how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon? Watching the video clips that shows how you get Celebi, I noticed that Celebi inherited the moves of Togepi. This would allow you to create some interesting move setups, as Pokémon could "learn" moves which they normally wouldn't.
While I'm familiar with arbitrary coding, I do not know which instructions are triggered by your stored items. If anyone seasoned could help me out I would appreciate it.
Also, while googling I noticed that there was a piece of code available ( http://tasvideos.org/4126S.html= ) that allowed your character to warp to mount Silver. If I wanted warp the character to Viridian City instead, how would the code have to modified?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: camper on May 10, 2014, 07:31:31 am
Hey everyone,

how would you have to modify the arbitrary code if you wanted to collect not only Celebi but any Pokémon?
Change HM07 to whatever index you need - 2, I think.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Crystal_ on June 26, 2014, 12:46:42 pm
My take on coin case arbitrary code execution: Since obtaining Celebi is obviously taken I decided to think of something else that could be interesting, and that is... making any Pokemon shiny! It basically consists of changing the DVs of the first party Pokemon to 14/10/10/10, so that the Pokemon becomes shiny.

The way to perform this trick is similar to the method to obtain Celebi (including the Quagsire jump) but the item list is obviously different:

Code:
I means Item and Q means Quantity. The number indicates the position where the item must be at.   

-------------------------- I1 = Q1 = I2 = ANY
ld a,EA ----- 3E EA ------ Q2 = 62 | I3 = TM42 (Dream Eater)
ld bc,XXXX -- 01 XX XX --- Q3 = 01 | I4 = Q4 = ANY
ld hl,DA3F -- 21 3F DA --- I5 = X Accuracy | Q5 = 63 | I6 = TM27 (Return)
ld bc,XXXX -- 01 XX XX --- Q6 = 01 | I7 = Q7 = ANY
ldi (hl),a -- 22 --------- I8 = Leaf Stone 
ld bc,XXXX -- 01 XX XX --- Q8 = 01 | I9 = Q9 = ANY
dec b ------- 05 --------- I10 = Pokeball
ld a,A9 ----- 3E A9 ------ Q10 = 62 | I11 = Sun Stone
ld bc,XXXX -- 01 XX XX --- Q11 = 01 | I12 = Q12 = ANY 
add a,1 ----- C6 01 ------ I13 = TM07 | Q13 = 01
ld (hl),a --- 77 --------- I14 = Focus Band
ld bc,XXF5 -- 01 F5 XX --- Q14 = 01 | I15 = HM03 (Surf) | Q15 = ANY (01)
ld h,12 ----- 26 12 ------ I16 = Full Heal | Q16 = 18
ld l,c ------ 69 --------- I17 = Stick
ld bc,0133 -- 01 33 01 --- Q17 = Q18 = 01 | I18 = X Defend
inc b ------- 04 --------- I19 = Great Ball
inc sp ------ 33 --------- Q19 = 51
push bc ----- C5 --------- I20 = TM06 (Toxic)
ld bc,XXXX -- 01 XX XX --- Q20 = 01 | I21 = Q21 = ANY
jp (hl) ----- E9 --------- I22 = TM41 (ThunderPunch) | Q22 = ANY (01)

See this video for more information: https://www.youtube.com/watch?v=NADKp7PI2XY
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on June 26, 2014, 01:26:40 pm
That's really cool, thanks Crystal_. I recognize the EA (TM42) means 14 Attack/10 Defense, but to make your trick slightly better, couldn't you change it to FA (TM50) to get 15 Attack DVs/10 Defense, or am I missing something?

Edit: Oops, FA is the glitch item HM08 in Generation II, my bad.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Crystal_ on June 26, 2014, 01:40:28 pm
Yep, you called it. I guess I could've tried to fit ld a,F9 and inc a, but inc a as an item becomes Silver Leaf, so it's not easy. I just didn't think it was worth the extra effort and extra items. If you wanted better DVs for some reason, you'd probably be looking for FF FF anyway.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Crystal_ on June 28, 2014, 08:49:59 am
So it seems I got addicted to writing asm with pokemon items... Whatever.

Anyway, this time I will present you the asm and corresponding item list required to make the first party Pokemon have perfect DVs and EVs and instantly reach level 100 (actually, level 98/99 + 2x/1x rare candy) via the coin case glitch. The only other notable difference is that it requires a Quagsire with Protein (instead of with HP Up).

Code:
------------------------------- I1 = Q1 = I2 = Q2 = ANY
ld de,020E ---- 11 0E 02 ------ I3 = Super Potion | Q3 = 14 | I4 = Ultra Ball
ld a,(de) ----- 1A ------------ Q4 = 26
ld hl,DA35 ---- 21 35 DA ------ I5 = X Accuracy | Q5 = 53 | I6 = TM27
ld bc,XX0C ---- 01 0C XX ------ Q6 = 01 | I7 = Awakening | Q7 = ANY
inc de -------- 13 ------------ I8 = Escape Rope
ldi (hl),a ---- 22 ------------ Q8 = 34
inc d --------- 14 ------------ I9 = Repel
inc d --------- 14 ------------ Q9 = 20
dec c --------- 0D ------------ I10 = Paralyz Heal
jr nz,F9 ------ 20 F9 --------- Q10 = 32 | I11 = HM07
ld bc,XXXX ---- 01 XX XX ------ Q11 = 01 | I12 = Q12 = ANY
ld l,49 ------- 2E 49 --------- I13 = Fresh Water | Q13 = 73
ld c,31 ------- 0E 31 --------- I14 = Full Restore | Q14 = 49
rlc c --------- CB 01 --------- I15 = TM12 (Sweet Scent) | Q15 = 01
ld (hl),c ----- 71 ------------ I16 = Spell Tag
ld bc,XXF5 ---- 01 F5 XX ------ Q16 = 01 | I17 = HM03 | Q17 = ANY (01)
ld h,12 ------- 26 12 --------- I18 = Full Heal | Q18 = 18
ld e,c -------- 59 ------------ I19 = Blu Apricorn
ld bc,XXXX ---- 01 XX XX ------ Q19 = 01 | I20 = Q20 = ANY
ld l,e -------- 6B ------------ I21 = NeverMeltIce
ld bc,0133 ---- 01 33 01 ------ Q21 = 01 | I22 = X Defend | Q22 = 01
inc b --------- 04 ------------ I23 = Great Ball
inc sp -------- 33 ------------ Q23 = 51
push bc ------- C5 ------------ I24 = TM06
ld bc,XXXX ---- 01 XX XX ------ Q24 = 01 | I25 = Q25 = ANY
jp hl --------- E9 ------------ I26 = TM41 | Q26 = ANY

Video here (contains very detailed information in the description): https://www.youtube.com/watch?v=JEOOCpNTx88
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sanqui on June 29, 2014, 03:26:54 am
Check out Shenanagans' Pokémon Gold run at SGDQ, using the power of the coin case to beat the game in 40 minutes: https://www.youtube.com/watch?v=XaSg_mWVOUM
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on August 01, 2014, 04:22:25 pm
Here is code to activate the Pokémon color test menu with TheZZAZZGlitch's Celebi trick Pokémon set up; which is a freshly caught Pokémon in position 3 of the party, and a Quagsire holding a HP Up with Sleep Talk as its first move in the fourth position. Thanks to Tauwasser for the bank switch method, and this (http://hax.iimarck.us/topic/76/) Skeetendo thread:

Youtube video (https://www.youtube.com/watch?v=TRhDVeJTi4g).

Save states (https://mega.co.nz/#!dhsQBJ4C!l8qxU9aOKDsw63WF6LnGrZpGRWsvBeNDTOnkT4QQzdo) for Pokémon color test and Trainer color test (these may not work on all versions of VBA. I used vba-v24m-svn-r422).

inc b
ld a, 3F
inc b
ld hl, 52C9
rst $08 (CF)

04 3E 3F 04 21 C9 52 CF

In stored PC items starting from item 2, this is:

(ANYTHING) x4
PP Up x63
Great Ball x33
TM10 x82

I'll try to make a new version of this code to enable the Trainer color menu tomorrow.

Edit: Here is Trainer color menu code.

inc b (04)
ld a, $3F (3E 3F)
inc b (04)
ld h, $CE (26 CE)
ld l, $ED (2E ED)
ld (hli), a (22)
dec b (05)
ld hl, 52C9 (21 C9 52)
rst $08 (CF)

04 3e 3f 04 26 ce 2e ed 22 05 21 c9 52 cf

In stored PC items from item 2, this is:
(ANYTHING)x4
PP Up x63
Great Ball x38
TM15 x46
TM45 x34
Poké Ball x33
TM10 x82
TM16 x(ANYTHING)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on August 03, 2014, 10:33:53 am
Code to activate the unused memory (card matching) game, same Pokémon set-up as above:

Youtube video (https://www.youtube.com/watch?v=Wk10O8lp5qQ)

Save state (https://mega.co.nz/#!Y9thmYAa!oDh2UV5GTOFk1R6tOiApOVu17da_mZFu8qa2GV36Nl8) for being in the game.

Code:
inc b
ld a,38
ld hl, 6663
inc l
inc l
inc l
inc l
inc l
rst 08

(04 3e 38 21 63 66 2c 2c 2c 2c 2c cf)

The reason for the many 'inc l's is that without them I would have required an item quantity of 104, while the normal limit is 99. The code is to make the game call 38:6668.

Items required from stored item 2:
(ANYTHING) x4
PP Up x56
X Accuracy x99
Blackglasses x44
Dire Hit x44
Dire Hit x44
TM16 x(ANYTHING)
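The quantity limit above is the main constraint on these stored-item payloads: items are laid out as alternating (ID, quantity) bytes, so every second payload byte is a quantity a player can only set to 1..99, which is also why Crystal_'s listings use 3-byte `ld bc,XXXX` fillers to flip which slot the next opcode lands in. The checker below is an added example (not code from the thread): it serialises an item list using the item ID bytes the listings on this page give, splits the result into instructions by opcode length, and reports the quantity slots that cannot be entered; "ANY" is a constructed don't-care filler.

```python
"""Layout checker for the stored-item Coin Case payloads in this thread.

Added example, not code from the thread.  Stored items are alternating
(item ID, quantity) bytes, so every odd payload byte is a quantity the
player can only set to 1..99 ($01..$63).  Item IDs are the ones the
listings on this page give; "ANY" is a constructed don't-care filler.
"""

# Item ID bytes as they appear in the listings above.
ITEM_ID = {
    "Master Ball": 0x01, "Ultra Ball": 0x02, "Great Ball": 0x04, "Poké Ball": 0x05,
    "Awakening": 0x0C, "Paralyz Heal": 0x0D, "Full Restore": 0x0E,
    "Super Potion": 0x11, "Escape Rope": 0x13, "Repel": 0x14, "Calcium": 0x1F,
    "Rare Candy": 0x20, "X Accuracy": 0x21, "Leaf Stone": 0x22, "Full Heal": 0x26,
    "Dire Hit": 0x2C, "Fresh Water": 0x2E, "X Defend": 0x33, "PP Up": 0x3E,
    "Blu Apricorn": 0x59, "Blackglasses": 0x66, "Stick": 0x69, "NeverMeltIce": 0x6B,
    "Spell Tag": 0x71, "Focus Band": 0x77, "Sun Stone": 0xA9, "TM06": 0xC5,
    "TM07": 0xC6, "TM10": 0xC9, "TM12": 0xCB, "TM15": 0xCE, "TM16": 0xCF,
    "TM27": 0xDA, "TM41": 0xE9, "HM03": 0xF5, "HM07": 0xF9,
    "ANY": 0x01,  # constructed placeholder for an "(ANYTHING)" slot
}
MAX_QTY = 99


def pack_items(items):
    """Serialize [(item, quantity), ...] the way the stored-item list holds them."""
    out = bytearray()
    for item, qty in items:
        item_id = item if isinstance(item, int) else ITEM_ID[item]
        out += bytes([item_id, qty & 0xFF])
    return bytes(out)


def quantity_violations(blob):
    """Return (byte offset, value) for quantity slots a player cannot enter."""
    return [(i, blob[i]) for i in range(1, len(blob), 2)
            if not 1 <= blob[i] <= MAX_QTY]


def insn_length(opcode):
    """Instruction length for the Game Boy CPU (SM83) by first opcode byte."""
    if opcode == 0xCB:                                   # bit-op prefix
        return 2
    if opcode in (0x01, 0x08, 0x11, 0x21, 0x31, 0xC2, 0xC3, 0xC4, 0xCA, 0xCC,
                  0xCD, 0xD2, 0xD4, 0xDA, 0xDC, 0xEA, 0xFA):   # 16-bit operand
        return 3
    if opcode in (0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0x10, 0x18,
                  0x20, 0x28, 0x30, 0x38, 0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE,
                  0xF6, 0xFE, 0xE0, 0xF0, 0xE8, 0xF8):         # 8-bit operand
        return 2
    return 1


def split_instructions(blob, entry):
    """Group the payload into instructions, starting execution at byte `entry`."""
    groups, pc = [], entry
    while pc < len(blob):
        n = insn_length(blob[pc])
        groups.append(blob[pc:pc + n])
        pc += n
    return groups


def check(items, entry=1):
    """Pack an item list and return (instruction groups, quantity violations)."""
    blob = pack_items(items)
    return split_instructions(blob, entry), quantity_violations(blob)


# Constructed from the memory-game list above.  Execution enters at item 2's
# quantity byte, so entry=1: item 2's ID is never executed.
MEMORY_GAME = [("ANY", 4), ("PP Up", 56), ("X Accuracy", 99), ("Blackglasses", 44),
               ("Dire Hit", 44), ("Dire Hit", 44), ("TM16", 4)]

# The same payload without the five inc l's: ld hl,6668 needs X Accuracy x104,
# and the rst 08 byte ($CF) now lands in a quantity slot as well.
NO_PADDING = [("ANY", 4), ("PP Up", 56), ("X Accuracy", 104), ("Blackglasses", 0xCF)]


if __name__ == "__main__":
    for label, items in (("memory game", MEMORY_GAME), ("no padding", NO_PADDING)):
        groups, bad = check(items)
        print(label, [g.hex() for g in groups], "violations:", bad)
```

For Crystal_'s listings, which start from item 1 with the first two slots as don't-cares, use `entry=4` so the split begins at I3.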
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 30, 2014, 06:41:29 am
Code to get effectively infinite Rare Candies, same Pokémon set-up as my second to last post. This puts a Rare Candy in the Balls pocket, and since it's in the wrong pocket, its quantity will never decrease.

Youtube video (https://www.youtube.com/watch?v=Q-KWRZc4tuA)

Requirements:
*A Quagsire in the 4th position holding a HP Up with Sleep Talk as the first move
*A freshly caught Pokémon in the third position

Items from item 2:

(ANYTHING)x62
Calcium x13
Great Ball x60
Paralyz Heal x13
Poké Ball x4
(ANYTHING)x(ANYTHING)
Awakening x38
TM22 x1
(ANYTHING)x(ANYTHING)
Leaf Stone x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANYTHING)x(ANYTHING)
TM41 x1

Code:

@D61A

ld a, 1F    | 3E 1F ;a=Calcium
dec c       | 0D ; c=FF
inc b       | 04 ; junk code
inc a       | 3C; a+1=Rare Candy
dec c       | 0D ; c=FE
dec c       | 0D ; c=FD
dec b       | 05 ; junk code
inc b       | 04 ; junk code
ld l, c     | 69 ; address = XXFD
ld bc,$aabb | 01 ?? ?? ; junk code
inc c       | 0C ; junk code
ld h, D5    | 26 D5 ; address = D5FD
ld bc,$aabb | 01 ?? ?? ; junk code
ld (hli),a  | 22 ; Put Rare Candy into D5FD (Balls item 1)

@D62E; This is an adaptation of TheZZAZZGlitch's messed up stack workaround made by Crystal_. (Unfortunately you can't just ret)

ld l, F5
ld bc, 0134
ld h, 12
sbc a,(hl)
inc sp
push bc
ld bc, XXXX
jp hl

2E F5 01 34 01 26 12 9E 33 C5 01 XX XX E9
I have a bad feeling that register c is not always 00. If true, this code may not work.

I also tried testing this from a new game with the item requirements hacked in via memory viewer. It didn't work. It wasn't an item problem, because according to the BGB disassembler the game never ended up at D61A.

Would anyone more experienced with this glitch than I am like to look at my save file and find out, please?

New save (doesn't work): here (https://mega.co.nz/#!MxUT3RQB!RrW9PviirQ9cqH6GybJtvaSi6UoVOXfS6mOpDtkV4ZI)
Working save: here (https://mega.co.nz/#!Zs0ABLRC!C2I5IbpES2dnRjPTO2kS6_2OQMzp77LuXzw35tp-_6A)

Remember, you have to step out of the lab, walk right until you're one tile below the first tree, then listen to Machop's cry, then switch item pockets and use the Coin Case.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: danny on February 03, 2016, 08:35:04 am
Can anybody provide a completed save file that has all of the necessary requirements for the coin case glitch? I lost the old one, sadly.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: lowena on February 14, 2016, 04:43:59 pm
Does anyone have any ideas on how this glitch was fixed in Crystal? Is it just the text end byte for the Coin Case or is there more? I'm curious since we have a great disassembly of Crystal (https://github.com/pret/pokecrystal) but not Gold/Silver which can help a lot with glitching/hacking. I haven't looked at the disassembly yet though or tried this glitch so maybe it would be easy to "unfix" in Crystal to have the glitch working. Obviously it would only work on emulators unless you had a flash cart or something, but it would be cool to have working for fun. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on February 15, 2016, 07:07:06 am
Well since this glitch is due to a translation mistake (the Japanese terminator character was mistakenly not replaced by the English one) I'm guessing they just corrected it.

Using TM33 Code Execution might allow you to replace the Japanese terminator in Crystal games, thus reactivating the glitch, but I'm not an expert about this glitch so I'm not sure it can be done (Torchickens knows, maybe). If so, this would be the only way I could think of to legitimately create a Coin Case Glitch in either an emulated or real game without any cheating device.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: lowena on February 15, 2016, 05:14:34 pm
Yeah, hopefully that's the case. I know nothing about Crystal's code or glitches, but I'm gonna take a look and see if I can find anything :)

EDIT: A quick look shows that the terminator was indeed changed from 0x57 to 0x50 from G/S to Crystal. Also I found that changing the code for the Coin Case from db "@@" to done changed the terminator from 50 50 00 to 57 00 so that's cool. ;p I'll put the code and hex/text for Crystal below for reference:

Code for Coin Case:
Code:
UnknownText_0x1c5c7b::
	text "Coins:"
	line "@"
	deciram Coins, 2, 4
	db "@@"

Hex and text for Coin Case:
Code:
82 AE A8 AD B2 9C 4F 50 09 55 D8 24 50 50 00
Coins:=($50)($09)+($D8)($24)($50)($50)($00)

2ND EDIT: I don't think this will work. :/ Changing the terminator to 57 does lead to an invalid pointer, but the invalid pointer goes to the middle of VRAM (8ccd), so it just crashes the game and restarts.

That's really disappointing. :'(
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: danny on February 18, 2016, 06:38:56 pm
I really need a completed save file with the glitch ready, as I want to search for cool effects.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: lowena on February 20, 2016, 04:16:02 pm
Here you go (http://forums.glitchcity.info/index.php/topic,6716.msg196595/topicseen.html#msg196595). Look at the bottom of this thread, and download the working one. It worked fine for me.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: danny on February 21, 2016, 01:42:02 pm
Got one:

Enter, exit, and re-enter the Radio Tower in Goldenrod (twss), then go:


Then do the glitch. The effect is similar to the pokecenter music box, but with more drums.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: bestgoldglitche on July 12, 2016, 03:26:06 am
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

I've been playing around with this glitch for a while now and recently found a way to produce any item.  The process is almost the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi. 

https://www.youtube.com/watch?v=SpfgOVfGVTo

Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number.  Given the normal setup that would yield HM09 I think, which can be sold for about 19000 Pokebucks...

This happens because the stack of 4 Great balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC.  Also, using only 2 Great Balls increases the index number by 1 and using multiple stacks of Great Balls will increase the index number in the same manner.

This can be helpful for getting stray items by finding base items that have an index number before theirs as you can swap out HM07 with other base items to mutate.  This way you don't even lose the item you were initially working with.

I don't know much assembly, but I know enough to understand the concepts behind how the glitch works.  Given that 42 Fresh Water corresponds to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data, allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.

There's a simple list of the data structure here:
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II

An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon.  I'm pretty sure this takes 50 Fresh Water.

So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.

Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
http://pastebin.com/raw/arPmsvYu
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: TheUnReturned on July 12, 2016, 07:15:46 am
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

I've been playing around with this glitch for a while now and recently found a way to produce basically any item.  The process is basically the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi. 

https://www.youtube.com/watch?v=SpfgOVfGVTo

Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number.  Given the normal setup that would yield HM09 I think, which can be sold for about 19000 Pokebucks...

This happens because the stack of 4 Great balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC.  Also, using only 2 Great Balls increases the index number by 1 and using multiple stacks of Great Balls will increase the index number in the same manner.

This can be helpful for getting stray items by finding base items that have an index number before theirs as you can swap out HM07 with other base items to mutate.  This way you don't even lose the item you were initially working with.

I don't know much assembly, but I know enough to understand the concepts behind how the glitch works.  Given that 42 Fresh Water corresponds to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data, allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.

There's a simple list of the data structure here:
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II

An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon.  I'm pretty sure this takes 50 Fresh Water.

So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.

Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
http://pastebin.com/raw/arPmsvYu
Really nice :9
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on July 12, 2016, 08:01:19 am
Neato! ^^
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on December 18, 2016, 06:12:30 pm
Adding a useful bit of information.

Although stored PC items have been a common requirement (with Crystal_ having a stored PC item RAM editor), you may want to use PC names instead of box items, like what is done in glitched speedruns because literally the only things you need are a Pokédex with Bellsprout in it, the slide Pokémon in slot 3 and a special Quagsire in slot 4 (no items other than TM02 and TM27 are required).

To do this, you may give Quagsire a TM02 (available from Goldenrod Department Store) instead of HP Up or Protein and have Return as its first move. This will redirect the code to PC box 1's name character 2 after you do the specific movements (e.g. the ones from Elm's Lab (https://www.youtube.com/watch?v=SpfgOVfGVTo) and from Cherrygrove City (https://www.youtube.com/watch?v=ffZjCabeNr4)).

The operations you can access via box names are highly limited (see Sanqui's Pastebin http://pastebin.com/raw/arPmsvYu) but fortunately it's still possible to do things like RAM editing (I do it using the xor a and sub xx operations to give 'a' a value and then the ld (xxyy),a operation to write 'a' into that address).

Though Coin Case gives you a corrupted stack and the game would glitch dimension/freeze after ret, you can solve the issue by using the following edits as part of a footer in your code.

Code:
xor a
ld (ff83),a
pop de
pop de
inc sp
pop de
or a
ret nc

(Found from deconstructing the box name code here (http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Gold/Silver/Any%25_Guide)).

There is one catch and something you need to know:

inc sp (hex:33) cannot normally be represented by box characters. However, you can get the ID for inc sp with the following: xor a;  sub fd; sub d0 and then use ld (xxyy),a to self-modify your code to add an inc sp.

This method also has a bad side effect of slowing menus down to an extreme, but after closing the menu if you hold down A and tap down you will be able to move the cursor to SAVE, mash A to save the game and reset the game to bring things back to normal.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on December 19, 2016, 01:28:51 am
So basically this would enable ACE stuff much earlier into the game than before? Because before, with the item lists in the PC, you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on December 19, 2016, 07:17:13 am
So basically this would enable ACE stuff much earlier into the game than before? Because before, with the item lists in the PC, you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.

Yeah you can conveniently do this early in game once you get the Coin Case (and TM02, TM27). I think it's also easier to set up.

Note I think Quagsire can possibly be replaced with Wooper (jp nz,$xxyy) like in the previously linked speedrunning route, and werster's 43:47 speedrun (https://www.youtube.com/watch?v=oklw2swIT4w) uses a particular path in the Pokémon Center with the starter Croconaw in slot 4 (possibly meaning a specific Croconaw could work too).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: asphere on July 01, 2017, 06:55:27 am
So basically this would enable ACE stuff much earlier into the game than before? Because before, with the item lists in the PC, you would need stuff like TM06 (Toxic) which cannot be obtained until after beating the Elite Four.

Yeah you can conveniently do this early in game once you get the Coin Case (and TM02, TM27). I think it's also easier to set up.

Note I think Quagsire can possibly be replaced with Wooper (jp nz,$xxyy) like in the previously linked speedrunning route, and werster's 43:47 speedrun (https://www.youtube.com/watch?v=oklw2swIT4w) uses a particular path in the Pokémon Center with the starter Croconaw in slot 4 (possibly meaning a specific Croconaw could work too).

Hey, is it possible to change my ID number on Pokémon Silver? I need to change it on Pokémon Silver, 2nd gen, ITALY...
Thanks :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on July 01, 2017, 08:47:48 am
You're in the wrong topic for this, the Coin Case glitch doesn't work in European localizations of Gold/Silver. There are other methods to obtain ACE, but they are more complicated.
(I will continue replying in the "G/S/C glitch discussion")


(Also the post you quoted has no relation whatsoever to what you asked. Quoting a post should be done when you refer to it, please.)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: asphere on July 01, 2017, 09:04:55 am
You're in the wrong topic for this, the Coin Case glitch doesn't work in European localizations of Gold/Silver. There are other methods to obtain ACE, but they are more complicated.
(I will continue replying in the "G/S/C glitch discussion")


(Also the post you quoted has no relation whatsoever to what you asked. Quoting a post should be done when you refer to it, please.)
Ok sorry, I got the wrong section and mention xD
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on August 11, 2017, 05:21:06 am
Has anyone tried Coin Case ACE on the Gold/Silver VC injects? Because I've heard Coin Case ACE does not work on VBA or the GB Tower because of inaccurate emulation; this may cause it not to work on the Gold/Silver VC.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Flandre Scarlet on August 11, 2017, 06:06:25 am
Has anyone tried Coin Case ACE on the Gold/Silver VC injects? Because I've heard Coin Case ACE does not work on VBA or the GB Tower because of inaccurate emulation; this may cause it not to work on the Gold/Silver VC.

Nobody has had a chance yet since Gen 2 VC doesn't come out until September 22nd.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on August 11, 2017, 07:16:14 pm
You can inject them into the VC if you have CFW, and they just reuse the same emulator for all the games. They changed a few things with the Gen 1 VC emulator, but it emulates just like the older one. Edit: tried it on the VC emulator and it does work, so Coin Case stuff should work on the VC versions of GS as long as the terminator is not changed.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on August 12, 2017, 10:28:51 pm
Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.

I've been playing around with this glitch for a while now and recently found a way to produce any item.  The process is almost the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi. 

https://www.youtube.com/watch?v=SpfgOVfGVTo

Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number.  Given the normal setup that would yield HM09 I think, which can be sold for about 19000 Pokebucks...

This happens because the stack of 4 Great balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC.  Also, using only 2 Great Balls increases the index number by 1 and using multiple stacks of Great Balls will increase the index number in the same manner.

This can be helpful for getting stray items by finding base items that have an index number before theirs as you can swap out HM07 with other base items to mutate.  This way you don't even lose the item you were initially working with.

I don't know much assembly, but I know enough to understand the concepts behind how the glitch works.  Given that 42 Fresh Water corresponds to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data, allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.

There's a simple list of the data structure here:
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II

An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon.  I'm pretty sure this takes 50 Fresh Water.

So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.

Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
http://pastebin.com/raw/arPmsvYu
Tried to do it with 8 Great Balls but it just causes the game to white screen. Looks like it only works with 2 or 4 Great Balls, which means you have to do the glitch twice, swapping the items out in the PC, if you want to change the item into one that's more than 2 index numbers away.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Parzival on August 12, 2017, 11:55:59 pm
You're dealing with Coin Case ACE here. You either did something wrong... or you need to switch to BGB. ;)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on August 13, 2017, 02:03:11 am
You're dealing with Coin Case ACE here. You either did something wrong... or you need to switch to BGB. ;)
I did do something wrong the first time I tried it with 8 Great Balls: the Pokémon in the first party slot was holding no item. IDK if that will affect it, or if you can only raise the index by 1 or 2 with 2 or 4 Great Balls. I've tried 2 and 4 Great Balls and they work. Edit: found out you have to use multiple stacks of Great Balls if you want to increase the index by more than 2.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on August 13, 2017, 04:28:28 am
forsyz, Coin Case ACE uses Echo RAM (since it basically runs code from there), and it didn't work with VBA because it didn't emulate Echo RAM.
The VC is known to emulate Echo RAM (as seen here (http://forums.glitchcity.info/index.php?topic=7559.0)), so Coin Case had to work.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Flandre Scarlet on September 23, 2017, 07:18:18 am
Is there any method to make a Pokémon learn a specific move with the Coin Case? Mainly so that I could get Aeroblast on Lugia in Gold Version, since that isn't possible otherwise. Using the method where you only use box names if possible, similar to this video by Torchickens: https://youtu.be/NeC36_MhSBA
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: FMK on September 25, 2017, 02:34:26 pm
Is there any method to make a Pokémon learn a specific move with the Coin Case? Mainly so that I could get Aeroblast on Lugia in Gold Version, since that isn't possible otherwise. Using the method where you only use box names if possible, similar to this video by Torchickens: https://youtu.be/NeC36_MhSBA

It's most certainly possible -- and actually extremely simple for Aeroblast in particular, though to use any of my Coin Case ACEs you need to do the following first:

Code:
[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555   (XOR A; OR b1)
Box 2: é♂455555   (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.


Other simple, randomish codes, for any interested (All boxes not used for code should all be 5's, except 13 and 14):

Code:
255x Ball 1, Master Ball:
Box 1: Ap09é8't5  (XOR A; OR ff; LD [fed5], A)
Box 2: p0B'vAé7't (XOR A; OR 0x81; SUB 0x80; LD[fdd5], A)

Player Sprite Modifier - Permanent (Old Man; Change 's and A to different values for different results, can replace the 55 for Box 1 with 'v(Another Letter) too, if desired value is unobtainable):
Box 1: Ap0's'vA55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)

Tons of Money:
Box 1: Ap0/'vA55  (XOR A; OR f3; SUB 0x80)
Box 2: é'm2p0955  (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555  (LD [80d5], A)

Tons of Coins:
Box 1: Ap04'vA55   (XOR A; OR fa; SUB 0x80)
Box 2: é'm2p0955   (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555   (LD [80d5], A)


Kudos to Torchickens for the following, just stripped off the RTG code.

Turn Pokémon 1 Shiny:
Box 1: Ap0'd'vR55  (XOR A; OR d0; SUB 0x91)
Box 2: é'm2pp045   (LD [d2f8], A; XOR A; XOR A; OR fa)
Box 3: éA4p0'd'vQ  (LD [80fa], A; XOR A; OR d0; SUB 0x90)
Box 4: é?2p0k55    (LD [e6f8], A; XOR A; OR aa)
Box 5: 55éA4555    (LD [80fa], A)

Change Pokemon 1 (Celebi) - Box 2, change the first 5 to whatever and the last two 55's to 'v(Letter) when needed:
Box 1: Ap0k'vA55  (XOR A; OR aa; SUB 80)
Box 2: é'm2p0555  (LD [d2f8], A; XOR A; OR fb)
Box 3: éA455555   (LD [80fa], A)
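The box-name payloads above work by self-modification: the first `ld [..],a` in each code overwrites the `A` operand inside box 3 (or box 5), turning a placeholder address into the real target, and the one-off code uses the same trick to plant the `inc sp` byte that box characters cannot spell. The simulator below is an added example, not code from the thread or from pokegold, and assumes pokegold's layout: 14 box names at $D8BF, each 8 characters plus a $50 terminator (which executes as the harmless `ld d,b`), entry at box 1 character 2 as the TM02/Return setup gives, and $E000-$FDFF echoing into $C000-$DDFF. It models only the opcodes these payloads use and refuses anything else.

```python
"""Simulator for the PC-box-name Coin Case payloads posted in this thread.

Added example, not code from the thread or from pokegold.  Assumed layout
(pokegold): 14 box names at $D8BF, 8 characters + $50 terminator each;
execution enters at box 1 character 2 ($D8C0); $E000-$FDFF is Echo RAM.
"""

BOX_BASE, BOX_LEN, NUM_BOXES = 0xD8BF, 9, 14

# Generation II text encoding for the characters used in this thread.
CHARMAP = {chr(ord("A") + i): 0x80 + i for i in range(26)}
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})
CHARMAP.update({str(d): 0xF6 + d for d in range(10)})
CHARMAP.update({"'" + c: 0xD0 + i for i, c in enumerate("dlmrstv")})
CHARMAP.update({"?": 0xE6, "é": 0xEA, "♂": 0xEF, "/": 0xF3, "♀": 0xF5})


def encode_box_name(name):
    """Encode a box name as typed on the forum into its 9 stored bytes."""
    out, i = [], 0
    while i < len(name):
        two = name[i:i + 2]
        tok = two if name[i] == "'" and two in CHARMAP else name[i]
        out.append(CHARMAP[tok])
        i += len(tok)
    if len(out) > BOX_LEN - 1:
        raise ValueError("box name too long: %r" % name)
    return bytes(out) + b"\x50" * (BOX_LEN - len(out))   # pad with terminators


def load_boxes(mem, names, first_box=1):
    """Write names into consecutive boxes starting at first_box (1-based)."""
    for n, name in enumerate(names):
        off = BOX_BASE + (first_box - 1 + n) * BOX_LEN
        mem[off:off + BOX_LEN] = encode_box_name(name)


def _phys(addr):
    """Map an Echo RAM address onto the WRAM byte it aliases."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def execute(mem, sp=0xDFF0):
    """Run from box 1 char 2 until ret nc is taken; return the (addr, value) writes."""
    a, carry, pc, writes = 0, False, BOX_BASE + 1, []
    end = BOX_BASE + NUM_BOXES * BOX_LEN
    while pc < end:
        op = mem[pc]
        if op == 0xAF:                           # xor a
            a, carry, pc = 0, False, pc + 1
        elif op == 0xF6:                         # or n
            a, carry, pc = a | mem[pc + 1], False, pc + 2
        elif op == 0xD6:                         # sub n (carry = borrow)
            n = mem[pc + 1]
            a, carry, pc = (a - n) & 0xFF, a < n, pc + 2
        elif op == 0xEA:                         # ld (nn),a: may hit the boxes themselves
            addr = _phys(mem[pc + 1] | (mem[pc + 2] << 8))
            mem[addr] = a
            writes.append((addr, a))
            pc += 3
        elif op in (0xFB, 0x50):                 # ei filler / ld d,b terminator
            pc += 1
        elif op == 0xD1:                         # pop de
            sp, pc = sp + 2, pc + 1
        elif op == 0x33:                         # inc sp
            sp, pc = sp + 1, pc + 1
        elif op == 0xB7:                         # or a: clears carry
            carry, pc = False, pc + 1
        elif op == 0xD0:                         # ret nc
            if not carry:
                return writes
            pc += 1
        else:
            raise ValueError("unsupported opcode %02X at %04X" % (op, pc))
    raise RuntimeError("ran off the end of the box names without returning")


FILLER = "55555555"
# FMK's one-off code, all 14 boxes; the 'A' in box 14 is the inc sp placeholder.
ONE_OFF = (["Ap0w'vA55", "é'm2p'v7'v'd", "éA355555"] + [FILLER] * 9
           + ["5555péD9", "'l'lA'lx'd55"])
# The shiny code (boxes 1-5), run after the one-off has patched box 14.
SHINY = ["Ap0'd'vR55", "é'm2pp045", "éA4p0'd'vQ", "é?2p0k55", "55éA4555"]


def demo():
    """Run the one-off code, then the shiny code on the patched boxes."""
    mem = bytearray(0x10000)
    load_boxes(mem, ONE_OFF)
    first = execute(mem)          # writes $36 into box 3, then $33 into box 14
    load_boxes(mem, SHINY)        # boxes 6-14 keep their patched contents
    second = execute(mem)         # the DV bytes of party Pokémon 1 get written
    return first, second, mem


if __name__ == "__main__":
    first, second, mem = demo()
    print("one-off writes:", [(hex(x), hex(v)) for x, v in first])
    print("box 14 char 3: %02X" % mem[BOX_BASE + 13 * BOX_LEN + 2])
    print("shiny writes:  ", [(hex(x), hex(v)) for x, v in second])
```

The recorded writes show the "[d2f8]" annotations above in action: the byte lands at $D8D2, box 3 character 2, so the following `LD [80xx], A` really executes as a store to $xxDAyy-style addresses in the party data.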
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Flandre Scarlet on September 25, 2017, 08:21:50 pm
The codes all worked very well, thank you so much for your hard work!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on September 26, 2017, 07:16:54 am
A code that makes a Pokémon hold any item using box names would be useful; it means you can still do some Coin Case item setups even if you have already used the TMs and forgot to clone them.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 26, 2017, 02:07:15 pm
Is there any method to make a Pokémon learn a specific move with the Coin Case? Mainly so that I could get Aeroblast on Lugia in Gold Version, since that isn't possible otherwise. Using the method where you only use box names if possible, similar to this video by Torchickens: https://youtu.be/NeC36_MhSBA

It's most certainly possible -- and actually extremely simple for Aeroblast in particular, though to use any of my Coin Case ACEs you need to do the following first:

Code:
[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555   (XOR A; OR b1)
Box 2: é♂455555   (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.


Other simple, randomish codes, for any interested (All boxes not used for code should all be 5's, except 13 and 14):

Code:
255x Ball 1, Master Ball:
Box 1: Ap09é8't5  (XOR A; OR ff; LD [fed5], A)
Box 2: p0B'vAé7't (XOR A; OR 0x81; SUB 0x80; LD[fdd5], A)

Player Sprite Modifier - Permanent (Old Man; Change 's and A to different values for different results, can replace the 55 for Box 1 with 'v(Another Letter) too, if desired value is unobtainable):
Box 1: Ap0's'vA55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)

Tons of Money:
Box 1: Ap0/'vA55  (XOR A; OR f3; SUB 0x80)
Box 2: é'm2p0955  (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555  (LD [80d5], A)

Tons of Coins:
Box 1: Ap04'vA55   (XOR A; OR fa; SUB 0x80)
Box 2: é'm2p0955   (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555   (LD [80d5], A)


Kudos to Torchickens for the following, just stripped off the RTG code.

Turn Pokémon 1 Shiny:
Box 1: Ap0'd'vR55  (XOR A; OR d0; SUB 0x91)
Box 2: é'm2pp045   (LD [d2f8], A; XOR A; XOR A; OR fa)
Box 3: éA4p0'd'vQ  (LD [80fa], A; XOR A; OR d0; SUB 0x90)
Box 4: é?2p0k55    (LD [e6f8], A; XOR A; OR aa)
Box 5: 55éA4555    (LD [80fa], A)

Change Pokemon 1 (Celebi) - Box 2, change the first 5 to whatever and the last two 55's to 'v(Letter) when needed:
Box 1: Ap0k'vA55  (XOR A; OR aa; SUB 80)
Box 2: é'm2p0555  (LD [d2f8], A; XOR A; OR fb)
Box 3: éA455555   (LD [80fa], A)

This is great, thank you FMK!  :)

I've come up with a code that allows you to obtain 49 of every TM/HM in the TM/HM pocket. It only just fits into boxes 1-6, and the name for box 7 is completely changed. It is x49 because register a is still 0x31, the least significant byte of ByteFill.

First off use the one-off code in FMK's post.

Secondly, name the boxes from box 1-6 the following:

Ap'vCé025
'vj'vué♀25
'v.é32p'v9
é22pé425
'vué62'v 5
é52'v:é72
55♀55555

And use the Coin Case after following the usual steps.

What this code does is call $314C with parameters hl=D57E and bc=$39.
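The box-name codes quoted above (FMK's "required" code and the one-liners that follow it) all work the same way: each glyph of a box name is one byte in memory, and the few glyphs whose byte values happen to be `xor a`, `or n`, `sub n` and `ld [nn],a` are used to build a value in register A and store it somewhere. The script below is an added example, not FMK's or the thread's code: it decodes a name into its bytes with the Generation II character table (the thread's own comments confirm the values the codes depend on: é = $EA is `ld [nn],a`, p = $AF is `xor a`, 0 = $F6 is `or n`, 'v = $D6 is `sub n`, A = $80), traces what a list of names does to A, and searches for a box-name spelling of a wanted byte, the thing the posts do by hand when they say "replace 55 with 'v(Letter)". Assumed, not stated in the thread: the names are laid out back to back as 8 glyphs plus a $50 string terminator each, and `skip=1` models the TM02 method, which the thread says skips the first character.

```python
"""Decode Gold/Silver box names into the bytes they become, trace the simple
xor a / or n / sub n / ld [nn],a codes, and find a spelling for a wanted byte.
Added example (not the thread's code). Character values follow the Gen II text table;
the $50-terminated back-to-back layout of the names is an assumption."""
from itertools import product

GSC = {}
for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    GSC[c] = 0x80 + i
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    GSC[c] = 0xA0 + i
for i, c in enumerate("0123456789"):
    GSC[c] = 0xF6 + i
GSC.update({"'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
            "?": 0xE6, "!": 0xE7, "&": 0xE9, "é": 0xEA, "♂": 0xEF, "×": 0xF1, "/": 0xF3, "♀": 0xF5})
TERMINATOR = 0x50   # string end byte (assumed between names); as an opcode it is ld d,b
ONE_BYTE = {0xFB: "ei", 0x50: "ld d,b", 0xD1: "pop de", 0xB7: "or a", 0x80: "add a,b", 0x33: "inc sp"}

def tokenize(name):
    """Split a name as the thread writes it: 'd 'l 'm 'r 's 't 'v are single glyphs."""
    out, i = [], 0
    while i < len(name):
        two = name[i:i + 2]
        if two.startswith("'") and two in GSC:
            out.append(two)
            i += 2
        else:
            out.append(name[i])
            i += 1
    return out

def encode(name):
    """Bytes a box name occupies in memory (without the terminator)."""
    return bytes(GSC[t] for t in tokenize(name))

def run(names, skip=1):
    """Walk the names with the handful of SM83 ops these codes use.
    skip=1 models the TM02 method (first character skipped, per the thread).
    Returns (A, list of (address, value) stores, listing). A is None while unknown."""
    code = b"".join(encode(n) + bytes([TERMINATOR]) for n in names)
    a, writes, listing, pc = None, [], [], skip
    while pc < len(code):
        op, imm = code[pc], code[pc + 1:pc + 3]
        if op == 0xAF:                                  # xor a
            a, pc = 0, pc + 1
            listing.append("xor a")
        elif op in (0xF6, 0xD6) and len(imm) >= 1:      # or n / sub n
            if a is not None:
                a = (a | imm[0]) if op == 0xF6 else (a - imm[0]) & 0xFF
            pc += 2
            listing.append(f"{'or' if op == 0xF6 else 'sub'} ${imm[0]:02x}")
        elif op == 0xEA and len(imm) == 2:              # ld [nn],a; address is low byte first
            addr = imm[0] | (imm[1] << 8)
            writes.append((addr, a))
            pc += 3
            listing.append(f"ld [${addr:04x}],a")
        elif op == 0xD0:                                # ret nc: the 'return to game' exit
            listing.append("ret nc")
            break
        else:
            if op == 0x80:                              # add a,b: B is unknown to this tracer
                a = None
            listing.append(ONE_BYTE.get(op, f"db ${op:02x}"))
            pc += 1
    return a, writes, listing

def find_encoding(target):
    """Shortest 'xor a; or c1; sub c2; sub c3' whose immediates are all box-name glyphs."""
    glyphs = sorted(GSC, key=GSC.get)
    for depth in (1, 2, 3):
        for combo in product(glyphs, repeat=depth):
            a = GSC[combo[0]]
            for g in combo[1:]:
                a = (a - GSC[g]) & 0xFF
            if a == target:
                return list(combo)
    return None

def spell(target, lead="A"):
    """Box name in the thread's shape: lead glyph (skipped by TM02), the code, then 5 (ei) filler."""
    enc = find_encoding(target)
    if enc is None:
        return None
    body = lead + "p0" + enc[0] + "".join("'v" + g for g in enc[1:])
    return body + "5" * (8 - len(tokenize(body)))

if __name__ == "__main__":
    required = ["Ap0w'vA55", "é'm2p'v7'v'd", "éA355555"]   # FMK's 'required' Boxes 1-3
    print(run(required))
    print(spell(0x36))
```

Two things the trace makes visible that the hand-written comments in the posts do not: the `ld` target is shown as the CPU reads it, low byte first, so é'm2 is `ld [$F8D2],a` (the posts write the two address bytes in the order they are stored), and the required code leaves A = $33, which is the `inc sp` opcode the thread says has to be present to avoid the freeze. Where the store to $F980 lands in the game's memory is not something this example determines.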
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: DoubleNegative on September 26, 2017, 08:25:40 pm
No matter what I try, I keep getting a glitch dimension instead of box name code. My slide pokemon is the hatched togepi and I'm using a wooper holding sweet scent. It's a bit of a pain, but I can get headbutt, but I tried that once already.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 26, 2017, 09:24:04 pm
No matter what I try, I keep getting a glitch dimension instead of box name code. My slide pokemon is the hatched togepi and I'm using a wooper holding sweet scent. It's a bit of a pain, but I can get headbutt, but I tried that once already.

If you're using one of my or FMK's codes the TM12 Sweet Scent won't work as it would end up skipping the first twelve box name characters instead of only skipping the first character (for when you use TM02 Headbutt). I think it's easiest just to use the TM02 Headbutt.

I don't know how reliable Togepi are but if you haven't already try catching many Pokémon west of New Bark Town on Route 29 (even if you end up catching 20 or more and try each one, as some people have been really unlucky).

Wooper is used in speedruns instead of Quagsire, but because the jump is conditional (jp nz,$xxyy), to be safe it may be best to use Quagsire, which has a jump without a conditional (jp $xxyy).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 26, 2017, 09:33:43 pm
I discovered a way to get the transferable GF Mew with the Coin Case glitch.

First off you will need a Mew. The Mew can either be traded from Generation I or obtained with the following box names (Return Quagsire holding TM02):

Box 1: Ap0k'vA55
Box 2: é'm2pp0X5
Box 3: éA4p'v7'v'd
Box 4: é(male)2péD9'l
Box 5: 'l5555555
Box 6: 555A'lx'd5

Video demonstration:
https://www.youtube.com/watch?v=NeC36_MhSBA

Once you get a Mew, put it in slot 1 and use three more codes.

Get GF Mew (Return Quagsire holding TM02 box names method):

First use FMK's "required" code:

[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)


After using it, enter and use the part 1 and part 2 codes below:

Part 1 - "GF" OT:

Box 1: Ap0'd'vG55
Box 2: é22'v9é(multiplication x)2
Box 3: 'v9é&2555
Box 4: 55555555
Box 5: p0'd'vAéA5
Box 6: 5p0FéA55
Box 7: 'v9éA5555

Part 2 GF 22796 ID number:

Box 1: Ap'v'dé's25
Box 2: 'v9é(multiplication x)2p09
Box 3: 'vgéA4p0M
Box 4: 'vA555555
Box 5: 55555555
Box 6: 5555éA45
Box 7: 'v9éA5555

Note: The 'multiplication x' is the "x" left of "(" on caps mode.

The Mew can be uploaded to Poké Transporter and Pokémon Bank if traded back to Generation I:
 
(https://i.imgur.com/csqN4MY.png)
(https://i.imgur.com/R0YSSML.png)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on September 26, 2017, 11:48:59 pm
I discovered a way to get the transferable GF Mew with the Coin Case glitch.

First off you will need a Mew. The Mew can either be traded from Generation I or obtained with the following box names (Return Quagsire holding TM02):

Box 1: Ap0k'vA55
Box 2: é'm2pp0X5
Box 3: éA4p'v7'v'd
Box 4: é(male)2péD9'l
Box 5: 'l5555555
Box 6: 555A'lx'd5

Video demonstration:
https://www.youtube.com/watch?v=NeC36_MhSBA

Once you get a Mew, put it in slot 1 and use three more codes.

Get GF Mew (Return Quagsire holding TM02 box names method):

First use FMK's "required" code:

[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)


After using it, enter and use the part 1 and part 2 codes below:

Part 1 - "GF" OT:

Box 1: Ap0'd'vG55
Box 2: é22'v9é(multiplication x)2
Box 3: 'v9é&2555
Box 4: 55555555
Box 5: p0'd'vAéA5
Box 6: 5p0FéA55
Box 7: 'v9éA5555

Part 2 GF 22796 ID number:

Box 1: Ap'v'dé's25
Box 2: 'v9é(multiplication x)2p09
Box 3: 'vgéA4p0M
Box 4: 'vA555555
Box 5: 55555555
Box 6: 5555éA45
Box 7: 'v9éA5555

Note: The 'multiplication x' is the "x" left of "(" on caps mode.

The Mew can be uploaded to Poké Transporter and Pokémon Bank if traded back to Generation I:
 
(https://i.imgur.com/csqN4MY.png)
(https://i.imgur.com/R0YSSML.png)

Would it work with Celebi too? Also, a challenge would be to make a memory editor with box names so you can do almost anything with one box name setup.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on September 28, 2017, 08:12:40 am
Can't get walk through walls to work https://www.youtube.com/watch?v=1w2iQdAHPh4 it crashes the game
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 28, 2017, 11:14:29 am
Can't get walk through walls to work https://www.youtube.com/watch?v=1w2iQdAHPh4 it crashes the game

The reason for this may be a bad emulation problem on the 3DS Virtual Console. I think the OAM DMA exploit (used there for walk through walls) working relies on an obscure hardware detail that only platforms like real hardware or BGB emulator correctly emulate.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on September 29, 2017, 01:33:13 am
Can't get walk through walls to work https://www.youtube.com/watch?v=1w2iQdAHPh4 it crashes the game

The reason for this may be a bad emulation problem on the 3DS Virtual Console. I think the OAM DMA exploit (used there for walk through walls) working relies on an obscure hardware detail that only platforms like real hardware or BGB emulator correctly emulate.
I forgot to use the letters with the commas in front, my bad. It works now on the VC version.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on September 29, 2017, 04:44:51 am
Also OAM DMA doesn't rely on any obscure detail, only on a simple feature used by almost all games. It couldn't be emulated incorrectly, no matter how crappy the emulator.
And god knows the VC is a crappy one.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on September 29, 2017, 05:17:27 am
Is there any method to make a Pokémon learn a specific move with the Coin Case? Mainly so that I could get Aeroblast on Lugia in Gold Version, since that isn't possible otherwise. Using the method where you only use box names if possible, similar to this video by Torchickens https://youtu.be/NeC36_MhSBA

It's most certainly possible -- and actually extremely simple for Aeroblast in particular, though to use any of my Coin Case ACEs you need to do the following first:

Code:
[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555   (XOR A; OR b1)
Box 2: é♂455555   (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.

I'm having some trouble using your code.
Doing the glitch with the required "no further return-to-game code" as my box names, my game freezes after using the Coin Case.
I'm using the same slide-Pokémon and Quagsire as with the (working) Shinify/Turn-Egg-to-Celebi codes from Torchickens' video.
Does anyone by chance have a screenshot/video of the box names so I can check if I missed some ' flying around unnoticed?

I'm using Pokémon Silver VC if that matters.

Oh and out of curiosity:
Where on the slide-mon does the code start to run and can you use this to predict success just by looking at stats?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 29, 2017, 08:22:28 am
The first party address that the code starts to run is at FA98 (DA98). This is the second byte of the Attack stat experience of Pokémon 3 (the slide Pokémon).

Following this is Defense, Speed, Special stat experience as well as DVs, PPs, happiness, Pokérus, level, status, stats. You can probably predict whether the Pokémon will work by looking at the stats but I don't know the details sadly.

Since your slide Pokémon no longer works it's possible the problem could be due to one of the above variables changing, such as happiness increasing to a 'bad' opcode; the solution being to increase or decrease the happiness until it works. Another cause could be if you made your slide Pokémon gain some experience.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on September 29, 2017, 08:29:09 am
Also OAM DMA doesn't rely on any obscure detail, only on a simple feature used by almost all games. It couldn't be emulated incorrectly, no matter how crappy the emulator.
And god knows the VC is a crappy one.

I see. I was thinking about the "RNG Plays Pokémon" 8F code though. It's an OAM DMA exploit that works on BGB and real hardware but not VBA. However it's good that the walk through walls exploit works on VC.

http://forums.glitchcity.info/index.php?topic=7155.0
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on September 29, 2017, 03:04:54 pm
The first party address that the code starts to run is at FA98 (DA98). This is the second byte of the Attack stat experience of Pokémon 3 (the slide Pokémon).

Following this is Defense, Speed, Special stat experience as well as DVs, PPs, happiness, Pokérus, level, status, stats. You can probably predict whether the Pokémon will work by looking at the stats but I don't know the details sadly.
Since most of them are naturally hidden (statXP, happiness, etc.) prediction would be difficult I guess. At least statXP and happiness should be fixed at the start though, but I guess trial and error is good enough for now.

Quote
Since your slide Pokémon no longer works it's possible the problem could be due to one of the above variables changing, such as happiness increasing to a 'bad' opcode; the solution being to increase or decrease the happiness until it works. Another cause could be if you made your slide Pokémon gain some experience.

Thing is, it does still work for the shinify-Code for example, at least somewhat.
My sprite is vanishing and there's menu-lag (no freeze), but for whatever reason it doesn't turn the first mon shiny.
Also tried with a different slide-mon and same result, but box-names should be correct (checked multiple times).


Thanks for your time.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on September 29, 2017, 09:30:28 pm
What letters in the box code are the address and the value it changes? I want to use it like a memory editor.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on October 08, 2017, 06:39:05 pm
Hey, I have a question. I've seen Coin Case codes for getting shiny Pokémon with an Attack DV of 14 (which is male), and a level 98 Pokémon with perfect DVs, but is there one for getting shiny Pokémon with an Attack DV of 2 (thus female), and a code for getting to level 98 without affecting DVs? (This is so I can get my Unown to a high level without changing what letter they are.) Either with an item list or the box name method, though if it is a box name method then please explain how to set that up, because I'm a bit confused on that method. Thanks.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 09, 2017, 10:20:49 am
Is it possible to get the evolutionary stones with the Coin Case? In Gold/Silver you can't get Water Stones, Fire Stones etc - until after the Elite Four. I'm so used to playing Crystal where you can get them much earlier. Would be helpful to get the stones earlier for team choices and for filling out the Pokedex.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Lost-Paisley on October 10, 2017, 02:02:39 am
Torchickens I've still been trying to turn my Ditto shiny via the Coin Case+Box method from your vid and I'm still not getting anything.

Are you really sure there's nothing else other than a bad slide pokemon in slot 3 that could prevent the glitch from working? Do the mons in slots 2 and 5 have to work as well?
I've been doing the steps exactly with a few differences in the beginning, namely:

  • Saving outside a grass patch before catching the mon for slot 3 so I can catch a new one if the one in slot 3 fails to work and save having to buy more poke balls
  • Pokemon in slots 2 and 5 are clones of the same mon and they don't trigger the glitch if put in slot 3
  • Healing the party after catching the mon for slot 3

I've double checked my box names and everything and yet I still get either funky color resets or the game freezing on a white screen.  :-\ Someone else also seemed to mention to me that if a mon has a Special Defense/Speed stat of 9 it will never work too.

Here's a few pictures of my save position, mon in slots 2+5 and my box names: https://i.imgur.com/AWdmtyM.png
I've gone through at least 50+ mons for slot 3 and none of them worked...
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 10, 2017, 05:17:07 am
Torchickens I've still been trying to turn my Ditto shiny via the Coin Case+Box method from your vid and I'm still not getting anything.

Are you really sure there's nothing else other than a bad slide pokemon in slot 3 that could prevent the glitch from working? Do the mons in slots 2 and 5 have to work as well?
I've been doing the steps exactly with a few differences in the beginning, namely:

  • Saving outside a grass patch before catching the mon for slot 3 so I can catch a new one if the one in slot 3 fails to work and save having to buy more poke balls
  • Pokemon in slots 2 and 5 are clones of the same mon and they don't trigger the glitch if put in slot 3
  • Healing the party after catching the mon for slot 3

I've double checked my box names and everything and yet I still get either funky color resets or the game freezing on a white screen.  :-\ Someone else also seemed to mention to me that if a mon has a Special Defense/Speed stat of 9 it will never work too.

Here's a few pictures of my save position, mon in slots 2+5 and my box names: https://i.imgur.com/AWdmtyM.png
I've gone through at least 50+ mons for slot 3 and none of them worked...

Torchickens helped me with a code to change my trainer ID, but I can't get her rare candy video code to work. I assume it was because I needed a new slide Pokemon, but like you I used a lot of slide Pokemon and nothing. :/ I was doing your steps too, saving near the grass to get a new slide Pokemon if it didn't work because it saved a bit of time. I remember in the originals messing around with the Coin Case a few years back, it seemed easier to get a working slide Pokemon than it does in the VC games. Idk why. And older videos on Coin Case glitches suggested a low level female Pokemon tends to work better, I assume it's because female Pokemon have a worse attack stat and therefore more likely a bad DV spread. I'm not sure if this is 100% true, but I have messed around with the Coin Case a lot and a low level female Pokemon seemed to work better, and when I started playing VC Gold and used the Coin Case to change my trainer ID, I used a female level 3 Sentret.

Weirdly though, the Sentret stopped working as a slide Pokemon, I assume because of a happiness increase from walking with it, but I fainted it twice to reset its happiness and it still didn't work. :/

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 10, 2017, 08:30:41 am
Torchickens I've still been trying to turn my Ditto shiny via the Coin Case+Box method from your vid and I'm still not getting anything.

Are you really sure there's nothing else other than a bad slide pokemon in slot 3 that could prevent the glitch from working? Do the mons in slots 2 and 5 have to work as well?
I've been doing the steps exactly with a few differences in the beginning, namely:

  • Saving outside a grass patch before catching the mon for slot 3 so I can catch a new one if the one in slot 3 fails to work and save having to buy more poke balls
  • Pokemon in slots 2 and 5 are clones of the same mon and they don't trigger the glitch if put in slot 3
  • Healing the party after catching the mon for slot 3

I've double checked my box names and everything and yet I still get either funky color resets or the game freezing on a white screen.  :-\ Someone else also seemed to mention to me that if a mon has a Special Defense/Speed stat of 9 it will never work too.

Here's a few pictures of my save position, mon in slots 2+5 and my box names: https://i.imgur.com/AWdmtyM.png
I've gone through at least 50+ mons for slot 3 and none of them worked...


Hmm I had a look a few times and found a problem with your box names. It looks like you used a "d" instead of "'d". If you don't use the 'd the game doesn't create an inc sp opcode that is responsible for not freezing the game.

(https://i.imgur.com/VuttHvd.png)

Otherwise, I'm afraid I really don't know sorry. Somebody sent me a message saying they tried over 300 slide Pokémon with no success, which has affected my confidence in the glitch. It would be interesting if the Coin Case glitch does work slightly differently on 3DS Virtual Console, as unlikely as it appears.

I've just realized something. I wonder if OT names could be a problem (but I can't find anything that messes with the stack). The name TAYLOR seems to be fine, however. The Trainer ID shouldn't be a problem because the game doesn't read DA90, DA91 (it goes to DA98, so only Pokémon 3 addresses (https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Pokemon 3 Settings) beyond that should matter).

Torchickens I've still been trying to turn my Ditto shiny via the Coin Case+Box method from your vid and I'm still not getting anything.

Are you really sure there's nothing else other than a bad slide pokemon in slot 3 that could prevent the glitch from working? Do the mons in slots 2 and 5 have to work as well?
I've been doing the steps exactly with a few differences in the beginning, namely:

  • Saving outside a grass patch before catching the mon for slot 3 so I can catch a new one if the one in slot 3 fails to work and save having to buy more poke balls
  • Pokemon in slots 2 and 5 are clones of the same mon and they don't trigger the glitch if put in slot 3
  • Healing the party after catching the mon for slot 3

I've double checked my box names and everything and yet I still get either funky color resets or the game freezing on a white screen.  :-\ Someone else also seemed to mention to me that if a mon has a Special Defense/Speed stat of 9 it will never work too.

Here's a few pictures of my save position, mon in slots 2+5 and my box names: https://i.imgur.com/AWdmtyM.png
I've gone through at least 50+ mons for slot 3 and none of them worked...

Torchickens helped me with a code to change my trainer ID, but I can't get her rare candy video code to work. I assume it was because I needed a new slide Pokemon, but like you I used a lot of slide Pokemon and nothing. :/ I was doing your steps too, saving near the grass to get a new slide Pokemon if it didn't work because it saved a bit of time. I remember in the originals messing around with the Coin Case a few years back, it seemed easier to get a working slide Pokemon than it does in the VC games. Idk why. And older videos on Coin Case glitches suggested a low level female Pokemon tends to work better, I assume it's because female Pokemon have a worse attack stat and therefore more likely a bad DV spread. I'm not sure if this is 100% true, but I have messed around with the Coin Case a lot and a low level female Pokemon seemed to work better, and when I started playing VC Gold and used the Coin Case to change my trainer ID, I used a female level 3 Sentret.

Weirdly though, the Sentret stopped working as a slide Pokemon, I assume because of a happiness increase from walking with it, but I fainted it twice to reset its happiness and it still didn't work. :/



Interestingly that's the same trick somebody tried with over 300 slide Pokémon as well.

When I test both box name codes they work perfectly on my side, so the only thing I know might be wrong if the slide Pokémon persistently doesn't work on 3DS Virtual Console is to make sure you haven't made a small mistake in the box names (regardless of how small), to switch item pockets (underlined as it's easy to forget) before using the Coin Case and after listening to Bellsprout's cry, and to make the correct movements.

If you or Nostalgia have 3DS CFW and still can't get it to work you can send me your save file if you like and I'll try to see what's wrong. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 10, 2017, 11:26:10 am
It worked yes! I too had written a d instead of a 'd in the box names haha.

And I used a freshly hatched Magby as my slide Pokemon, so maybe for those struggling with slide Pokemon try a freshly hatched egg Pokemon.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 10, 2017, 02:00:05 pm
It worked yes! I too had written a d instead of a 'd in the box names haha.

And I used a freshly hatched Magby as my slide Pokemon, so maybe for those struggling with slide Pokemon try a freshly hatched egg Pokemon.

Awesome! Congratulations :D

I relate. It's easily done. Often I make mistakes like this in glitching too, like when recording something I might forget something or mess something up.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Lost-Paisley on October 10, 2017, 04:16:32 pm
Hmm I had a look a few times and found a problem with your box names. It looks like you used a "d" instead of "'d". If you don't use the 'd the game doesn't create an inc sp opcode that is responsible for not freezing the game.

Otherwise, I'm afraid I really don't know sorry. Somebody sent me a message saying they tried over 300 slide Pokémon with no success, which has affected my confidence in the glitch. It would be interesting if the Coin Case glitch does work slightly differently on 3DS Virtual Console, as unlikely as it appears.

I've just realized something. I wonder if OT names could be a problem (but I can't find anything that messes with the stack). The name TAYLOR seems to be fine, however. The Trainer ID shouldn't be a problem because the game doesn't read DA90, DA91 (it goes to DA98, so only Pokémon 3 addresses (https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Pokemon 3 Settings) beyond that should matter).

Interestingly that's the same trick somebody tried with over 300 slide Pokémon as well.

When I test both box name codes they work perfectly on my side, so the only thing I know might be wrong if the slide Pokémon persistently doesn't work on 3DS Virtual Console is to make sure you haven't made a small mistake in the box names (regardless of how small), to switch item pockets (underlined as it's easy to forget) before using the Coin Case and after listening to Bellsprout's cry, and to make the correct movements.

If you or Nostalgia have 3DS CFW and still can't get it to work you can send me your save file if you like and I'll try to see what's wrong. :)

Wow, I can't believe I didn't see that :-[

Tried again, and it seemed like it worked but the game froze/crashed to a white screen after I pressed B when it displayed my coins. At least I got somewhere :'D

Tried a second time and it worked!!! ;D
(https://i.imgur.com/tXFUDSJ.png)
That lag tho like wow

TAYLOR is one of the names to choose from in the beginning, so who knows, it'd be interesting if player names did affect it to some degree.


So the box names are corrupted like you said, but if I wanted to do this again with another mon I don't have to rename them right? And there's no harm to any mons in the boxes either?

Weirdly though, the Sentret stopped working as a slide Pokemon, I assume because of a happiness increase from walking with it, but I fainted it twice to reset its happiness and it still didn't work. :/
Happiness can affect the glitch?  :???:
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Flandre Scarlet on October 10, 2017, 07:26:44 pm
So the box names are corrupted like you said, but if I wanted to do this again with another mon I don't have to rename them right? And there's no harm to any mons in the boxes either?
I am not sure, but it would be best to just redo any corrupted box names. Normally it's only 1-2, and the visual corruption from them makes it look like the others are corrupted when they really aren't (just exiting and entering the menu again should let you know if anything is still corrupted). Boxes 13-14, however, should be kept the same if you are using that method.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 11, 2017, 05:51:35 am
Happiness can affect the glitch?  :???:

Yes, Torchickens informed me of that and recommended to not walk too much with your slide Pokemon and put it in the PC when not using it. Though it seems because I had a tiny error with the box names, there was probably nothing wrong with my slide Pokemon but I still ended up releasing it thinking it had become useless, RIP Sentret.

But I got it working with a freshly hatched Pokemon, so all is good. I was just working on my Pokedex and breeding a Magmar to get a Magby, and it turned out the Magby worked perfectly as a slide Pokemon, which is great, better than wasting time on Route 29 catching 20 odd Pokemon that may not even work for the glitch.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Lost-Paisley on October 13, 2017, 02:19:34 am
Yes, Torchickens informed me of that and recommended to not walk too much with your slide Pokemon and put it in the PC when not using it.

I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 13, 2017, 11:58:23 am
I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?

Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the Coin Case a lot yesterday with the same slide Pokemon and walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches; when you repeat that enough times you're certainly walking a good number of steps, but my slide Pokemon still worked. And today I was using the hatched Togepi as a slide Pokemon as a test and it worked, so I would certainly recommend freshly hatched Pokemon.

As for your question, I haven't messed around with shiny codes yet, but if the first code changed the egg to shiny and then you changed the Pokemon species, then it should still be shiny, as that is determined by the DVs which are made when you use your shiny code.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 13, 2017, 04:20:57 pm
I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?

Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the Coin Case a lot yesterday with the same slide Pokemon and walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches; when you repeat that enough times you're certainly walking a good number of steps, but my slide Pokemon still worked. And today I was using the hatched Togepi as a slide Pokemon as a test and it worked, so I would certainly recommend freshly hatched Pokemon.

As for your question, I haven't messed around with shiny codes yet, but if the first code changed the egg to shiny and then you changed the Pokemon species, then it should still be shiny, as that is determined by the DVs which are made when you use your shiny code.
Not quite. Even if your slide's happiness value increases, it doesn't matter too much unless it reaches a malicious opcode. What I mean by that is any opcode that changes code flow (call, ret, jp, jr), any opcode that stops the CPU (stop, and MAYBE halt, I'm not quite sure), any op that messes with the stack (inc sp, push, pop, ld sp, rst, etc.), any invalid ops ($D3, $DB, $DD, $E3, $E4, $EB, $EC, $ED, $F4, $FC, $FD), and "di".

The Happiness value increments upon walking 256 steps, and when freshly caught, has a value of $00. The first "malicious" opcode it encounters is "stop", which is hex $10. So, a freshly caught slide Pokémon is considered "broken" after 4096 steps. However, you can easily set this value to $11 (ld de,$xxyy) by walking 256 more steps. So if you find that your slide has stopped working, walk 256 more steps and see if that fixes it.

Also, it is worth noting that happiness is not the only thing that affects slide pokemon.
Here's a list of all factors that affect slide pokemon:

Attack EV
Defense EV
Speed EV
Special EV
Attack/Defense IV
Speed/Special IV
PP of current moveset
Happiness/Hatch Time
Pokerus
Caught Information
Level
Status
HP
Max Hp
Attack
Defense
Speed
Special Defense
Special Attack - Must correspond to an instruction that is one byte long, otherwise the jump instruction that executes your code will be absorbed!

 
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 08:21:08 am
What letters in the box code are the address and the value it changes? I want to use it like a memory editor.

Have a look at this post from torchickens (http://forums.glitchcity.info/index.php?topic=6716.msg203426#msg203426)
To construct the memory address using Box names use the big hex list (http://glitchcity.info/wiki/The_Big_HEX_List) (doesn't contain GSC characters), the linked Pastebin (http://pastebin.com/raw/arPmsvYu) or something similar.

The first party address that the code starts to run is at FA98 (DA98). This is the second byte of the Attack stat experience of Pokémon 3 (the slide Pokémon).

Following this is Defense, Speed, Special stat experience as well as DVs, PPs, happiness, Pokérus, level, status, stats. You can probably predict whether the Pokémon will work by looking at the stats but I don't know the details sadly.
Since most of them are naturally hidden (statXP, happiness, etc.) prediction would be difficult I guess. At least statXP and happiness should be fixed at the start though, but I guess trial and error is good enough for now.

I was tired of trial and error, so I constructed a method to create a working slide-Pokémon. You basically get the right amount of stat-Exp to pass the Atk-stat and use jr $1F in the Def-stat to jump right to your fourth Pokémon, which should be the well-known Quagsire holding TM02 with Return as its first move.

To do this take one newly caught Pokémon and defeat exactly the following Pokémon:
  • 1 Magikarp (use Old Rod anywhere)
  • 7 Geodude (most common Route 46)
  • 10 Sunkern (National Park, day time)
  • Give 2 Iron to your Pokémon
This leaves your Pokémon at 870 ($0366) Atk stat-Exp and 6175 ($181F) Def stat-Exp (rest is skipped).

Starting at the second byte of the Atk stat-Exp this produces the following code:
Code:
ld h,(hl)
jr $1F
Which then continues at Pokémon 4 to jump to wherever you want.

Hope this helps anyone having trouble catching a working slide Pokémon. This way, as long as you don't defeat any Pokémon afterwards (Exp. Share counts) your Slide-Pokémon will continue working, regardless of Happiness, moves, or anything else.
Disadvantage obviously is the time it takes to set up, but this could in theory be improved (use always-available Pokémon instead of Sunkern, use Pokémon with higher Stat-Exp/Base stats in defence).
You could use 10 Geodude, 1 Magikarp and 2 Irons to achieve the same Def-stat-Exp (and therefore the same jump), but it would produce a ld (hl),a in the executed Atk-byte, so I would advise against it.
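To make the bookkeeping above repeatable, here is an added worked example (my own code, not from this thread, the game, or any emulator): it totals Attack and Defense stat-Exp from the species defeated and the Irons given, lays out the bytes the Coin Case jump executes from $DA98, and checks that they decode to a harmless opcode followed by a jr that lands on party slot 4 ($DABA). Assumptions of mine: the Gen II base stats in BASE_STATS (they reproduce the 870/6175 totals quoted above), +2560 stat-Exp per vitamin while the stat is below an assumed 25600 cap, no Exp. Share and no Pokérus, and the party layout from the linked RAM map (48 bytes per Pokémon from $DA2A, Attack stat-Exp at offset 13, big-endian). The find_plans search over two-species plans is an addition of mine, not a method from the thread.

```python
# Added example (not from the thread): plan Attack/Defense stat-Exp so that the bytes the
# Coin Case jump executes at $DA98 decode to a harmless opcode followed by a relative jump
# onto party slot 4. Base stats and vitamin rules are assumptions (see lead-in).

# Gen II base stats (Atk, Def) for the species mentioned in the thread (assumed values).
BASE_STATS = {
    "Magikarp": (10, 55),
    "Geodude": (80, 100),
    "Sunkern": (30, 30),
    "Exeggcute": (40, 80),
    "Slowpoke": (65, 65),
    "Shuckle": (10, 230),
}
VITAMIN_GAIN = 2560    # Protein (Atk) / Iron (Def) add 2560 stat-Exp each (assumed)
VITAMIN_CAP = 25600    # vitamins stop working once the stat-Exp reaches 25600 (assumed)
STAT_EXP_MAX = 65535   # 16-bit value, stored big-endian in the party struct

PARTY_MON_BASE = 0xDA2A   # species byte of party slot 1 (RAM map linked in the thread)
PARTY_MON_SIZE = 0x30     # 48 bytes per party Pokémon
SLIDE_SLOT = 3            # the slide Pokémon is slot 3; the jump must reach slot 4
EXEC_START = PARTY_MON_BASE + (SLIDE_SLOT - 1) * PARTY_MON_SIZE + 14   # 0xDA98
SLOT4_START = PARTY_MON_BASE + SLIDE_SLOT * PARTY_MON_SIZE             # 0xDABA


def stat_exp(defeated, proteins=0, irons=0):
    """Attack/Defense stat-Exp of a freshly caught Pokémon (0/0) after defeating the given
    species counts on its own (no Exp. Share, no Pokérus) and eating the given vitamins."""
    atk = dfn = 0
    for species, count in defeated.items():
        base_atk, base_def = BASE_STATS[species]
        atk = min(atk + base_atk * count, STAT_EXP_MAX)
        dfn = min(dfn + base_def * count, STAT_EXP_MAX)
    for _ in range(proteins):
        if atk < VITAMIN_CAP:
            atk = min(atk + VITAMIN_GAIN, STAT_EXP_MAX)
    for _ in range(irons):
        if dfn < VITAMIN_CAP:
            dfn = min(dfn + VITAMIN_GAIN, STAT_EXP_MAX)
    return atk, dfn


def exec_window(atk, dfn):
    """Bytes starting at $DA98: Attack low byte, then Defense high and low byte."""
    return bytes([atk & 0xFF, (dfn >> 8) & 0xFF, dfn & 0xFF])


# Opcodes that neither touch control flow nor the stack when executed on the way to the jump:
# 8-bit register loads ($40-$7F minus HALT $76), 8-bit ALU ops ($80-$BF) and NOP.
TRANSPARENT = (set(range(0x40, 0x80)) - {0x76}) | set(range(0x80, 0xC0)) | {0x00}


def trace(window, start=EXEC_START):
    """Walk the window from `start`; return the target of the first unconditional JR, or
    None if a non-transparent opcode (or the end of the window) is hit first."""
    pc = 0
    while pc < len(window):
        op = window[pc]
        if op == 0x18:                       # JR e8: signed offset relative to the next opcode
            if pc + 1 >= len(window):
                return None
            off = window[pc + 1]
            off -= 0x100 if off > 0x7F else 0
            return start + pc + 2 + off
        if op not in TRANSPARENT:
            return None                      # e.g. $10 "stop" from happiness, or a jp/ret
        pc += 1
    return None


def find_plans(max_each=10, max_iron=3, target=SLOT4_START):
    """Brute-force plans using one or two species plus Irons whose bytes land on `target`."""
    names = list(BASE_STATS)
    plans = []
    for i, a in enumerate(names):
        for b in names[i:]:
            nb_range = range(0, 1) if a == b else range(1, max_each + 1)
            for na in range(1, max_each + 1):
                for nb in nb_range:
                    for irons in range(max_iron + 1):
                        defeated = {a: na}
                        if nb:
                            defeated[b] = nb
                        atk, dfn = stat_exp(defeated, irons=irons)
                        if trace(exec_window(atk, dfn)) == target:
                            plans.append((defeated, irons, atk, dfn))
    return plans


if __name__ == "__main__":
    atk, dfn = stat_exp({"Magikarp": 1, "Geodude": 7, "Sunkern": 10}, irons=2)
    print(f"Atk stat-Exp {atk} (${atk:04X}), Def stat-Exp {dfn} (${dfn:04X})")
    print("bytes at $DA98:", exec_window(atk, dfn).hex(" "), "-> lands at", hex(trace(exec_window(atk, dfn))))
    for plan in find_plans():
        print(plan)
```

With these assumptions the Magikarp/Geodude/Sunkern/2 Iron plan gives bytes 66 18 1F at $DA98 (ld h,(hl); jr $1F) and trace reports $DABA. The two-species search also turns up 7 Exeggcute + 3 Iron and 4 Slowpoke + 2 Shuckle + 3 Iron (280 Atk stat-Exp, so $18 sits in the executed Attack byte and the Defense high byte $20 becomes the jr offset). A $10 in the executed Attack byte makes trace return None, which is the "broken slide" case described above.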
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 18, 2017, 09:44:03 am
Wow, thanks for this spamviech. :) Yeah, the slide Pokémon has been a problem for lots of people. Will try it out later.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on October 18, 2017, 11:18:29 am
What letters in the box code are the address and the value it changes? I want to use it like a memory editor.

Have a look at this post from torchickens (http://forums.glitchcity.info/index.php?topic=6716.msg203426#msg203426)
To construct the memory address using Box names use the big hex list (http://glitchcity.info/wiki/The_Big_HEX_List) (doesn't contain GSC characters), the linked Pastebin (http://pastebin.com/raw/arPmsvYu) or something similar.

The first party address that the code starts to run is at FA98 (DA98). This is the second byte of the Attack stat experience of Pokémon 3 (the slide Pokémon).

Following this is Defense, Speed, Special stat experience as well as DVs, PPs, happiness, Pokérus, level, status, stats. You can probably predict whether the Pokémon will work by looking at the stats but I don't know the details sadly.
Since most of them are naturally hidden (statXP, happiness, etc.) prediction would be difficult I guess. At least statXP and happiness should be fixed at the start though, but I guess trial and error is good enough for now.

I was tired of trial and error, so I constructed a method to create a working slide-Pokémon. You basically get the right amount of stat-Exp to pass the Atk-stat and use jr $1F in the Def-stat to jump right to your fourth Pokémon, which should be the well-known Quagsire holding TM02 with Return as its first move.

To do this take one newly caught Pokémon and defeat exactly the following Pokémon:
  • 1 Magikarp (use Old Rod anywhere)
  • 7 Geodude (most common Route 46)
  • 10 Sunkern (National Park, day time)
  • Give 2 Iron to your Pokémon
This leaves your Pokémon at 870 ($0366) Atk stat-Exp and 6175 ($181F) Def stat-Exp (rest is skipped).

Starting at the second byte of the Atk stat-Exp this produces the following code:
Code:
ld h,(hl)
jr $1F
Which then continues at Pokémon 4 to jump to wherever you want.

Hope this helps anyone having trouble catching a working slide Pokémon. This way, as long as you don't defeat any Pokémon afterwards (Exp. Share counts) your Slide-Pokémon will continue working, regardless of Happiness, moves, or anything else.
Disadvantage obviously is the time it takes to set up, but this could in theory be improved (use always-available Pokémon instead of Sunkern, use Pokémon with higher Stat-Exp/Base stats in defence).
You could use 10 Geodude, 1 Magikarp and 2 Irons to achieve the same Def-stat-Exp (and therefore the same jump), but it would produce a ld (hl),a in the executed Atk-byte, so I would advise against it.

I was looking into this as well, coincidentally. My conclusion was 3 Irons and 7 Exeggcutes.

That's 280 Atk Exp and 8240 Def Exp, or $0118 Atk and $2030 Def. Since the first byte of Atk doesn't matter, that makes jr $20.

4 slowpoke and 2 shuckle should also work.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 11:34:52 am
Wow, thanks for this spamviech. :) Yeah, the slide Pokémon has been a problem for lots of people. Will try it out later.

Was a problem for me as well, so kind of necessary. Also I somewhat enjoyed poking around here a bit.

Another question:
in several codes presented here (i.e. the Celebi code) (http://forums.glitchcity.info/index.php?topic=6716.msg206982#msg206982) you change memory at the address $fa2a, but according to the RAM map from Data Crystal (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Party_Pokemon) the species is stored at $da2a.
Is there a mismatch, or are the last two bits simply ignored?

I was looking into this as well, coincidentally. My conclusion was 3 Irons and 7 Exeggcutes.

That's 280 Atk Exp and 8240 Def Exp, or $0118 Atk and $2030 Def. Since the first byte of Atk doesn't matter, that makes jr $20.

4 slowpoke and 2 shuckle should also work.
Tried that first as well, but was tired of keeping track of two stats so I just fitted the Def-stat and hoped for the best with Atk.  ;D

7 Exeggcutes sounds like a pain. Isn't it pure headbutt-encounter?
4 Slowpoke and 2 Shuckle sounds doable, but requires Surf to get Slowpoke with >15% probability. Since it's not too far after Coin Case (story wise) I don't think it's a problem.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 18, 2017, 11:48:02 am
If I'm not mistaken, $fa2a is ECHO RAM for $da2a.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 12:02:56 pm
So I can simply use whichever I like and achieve the same thing? (don't want to dive too deep into gameboy specifics)
Sounds really useful since da has no valid character whereas fa is easily usable with 4.

Thanks for the reply.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 18, 2017, 12:52:08 pm
7 Exeggcutes sounds like a pain. Isn't it pure headbutt-encounter?
4 Slowpoke and 2 Shuckle sounds doable, but requires Surf to get Slowpoke with >15% probability. Since it's not too far after Coin Case (story wise) I don't think it's a problem.

To be honest the whole process sounds like a pain.

I don't know if it's just me, but every Pokemon I have hatched from an egg has worked as a slide Pokemon, and I find the Togepi you get especially useful as you can get it before you get to Goldenrod. So personally, I don't see the need for this long process to get the ultimate slide Pokemon. My egg-hatched slide Pokemon work perfectly after many, many uses of the coin case.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 01:07:02 pm
Because it's consistent and eliminates at least one source of error.

Obviously, this is nothing for a speedrun and if you prefer to roll the dice the option is still there.
This one is more for us fellows with large streaks of bad (RNG) luck. Like, I prefer doing such a tedious (but guaranteed) process compared to catching a bunch of mons without even the guarantee for it to succeed.
Ultimately it probably comes down to personal preference which is perfectly fine with me.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 18, 2017, 01:13:25 pm
So I can simply use whichever I like and achieve the same thing? (don't want to dive too deep into gameboy specifics)
Sounds really useful since da has no valid character whereas fa is easily usable with 4.

Thanks for the reply.

No problem. Not every address can be represented with Echo Ram though. Thankfully, the main ones (Pokemon data,item data,etc.) are in ECHO Ram somewhere. I have yet to find an echo ram map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in echo RAM somewhere.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 01:43:32 pm
No problem. Not every address can be represented with Echo Ram though. Thankfully, the main ones (Pokemon data,item data,etc.) are in ECHO Ram somewhere. I have yet to find an echo ram map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in echo RAM somewhere.

Nice, thanks.  :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on October 18, 2017, 03:46:48 pm
Does it matter what level the freshly caught Pokemon you defeat the Magikarp, Geodude and Sunkern with, and give the Iron to, is?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on October 18, 2017, 04:44:22 pm
No problem. Not every address can be represented with Echo Ram though. Thankfully, the main ones (Pokemon data,item data,etc.) are in ECHO Ram somewhere. I have yet to find an echo ram map, however.

Someone correct me if I'm wrong, but I believe any address from $d000 - $dfff is in echo RAM somewhere.

Nice, thanks.  :)
Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 18, 2017, 05:14:30 pm
Does it matter what level the freshly caught Pokemon you defeat the Magikarp, Geodude and Sunkern with, and give the Iron to, is?

No, just that its stat-Exp is at 0 before the fights (i.e. it didn't win a fight before).
I would advise a level of ~15 or higher so it can solo the fights (don't know how stat-Exp behaves if you use switch tactics), but ultimately it doesn't matter. You only need to make sure that it doesn't have Pokérus, since it doubles acquired stat-Exp and messes up calculations.
For reference I used a lvl 13 Miltank.
The mentioned Pokémon are quite weak, so anything in that powerlevel should have no problems defeating them.

Echo RAM is a quirk of the GB's hardware; tl;dr: WRAM (the RAM mapped to C000-DFFF) is mirrored in range E000-FDFF, meaning accessing FAB0 (both reading and writing) is the same as accessing DAB0!
The downside is that DE00-DFFF can't be accessed through Echo RAM (FEXX and FFXX are mapped to other things), but that doesn't really matter most of the time (stack space occupies DFXX, and DEXX isn't important afaik).

Also, VBA doesn't emulate Echo RAM.
VBA sucks.

Yay, tl;dr. Love those.  ;D
Also nice hardware quirk. As if it was designed with box name ACE in mind.  ::)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 19, 2017, 06:30:43 am
VBA sucks.

I second that.

<rant>

I used to use VBA for glitch research, and it was a nightmare. Tons of glitches were unavailable/weren't working properly, including Dokokashira door, Coin Case, Glitch Dimension, and many others, not to mention the debugger was garbage (you couldn't write anything in the debugger, you had to write code from the Hex Editor).

If your "emulator" cannot accurately emulate the target hardware, then your software should not be considered a true emulator.

</rant>

I realize that in posting this I may have derailed the topic, so here's a code just to be safe:

Masterball in ball slot 2:
Box 1: Ap'v9é9't5
Box 2: p'd555555

This for use with TM25 in the ball slot, not the coin case. Tested and confirmed to work.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on October 19, 2017, 12:15:13 pm
Hey I just did a coin case glitch for shiny pokemon I got from youtube with the item list:  

Any x1
Any x62
TM 42 x1
Any x1
X Accuracy x63
TM 27 x1
Any x1
Leaf Stone x1
Any x1
Poke Ball x62
Sun Stone x1
Any x1
TM 07 x1
Focus Band x1
HM 03
Full Heal x18
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1
X Defend x1
Flower Mail x51
TM 06 x1
Any x1
TM 41 x1

When I did it, it turned my female Pokemon male, which means the Attack DV was high. How can I modify the item list so the Attack DV is 2 (which makes most Pokemon in Gold female) but it is still shiny?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 19, 2017, 12:58:54 pm
Hey I just did a coin case glitch for shiny pokemon I got from youtube with the item list: 

Any x1
Any x62
TM 42 x1
Any x1
X Accuracy x63
TM 27 x1
Any x1
Leaf Stone x1
Any x1
Poke Ball x62
Sun Stone x1
Any x1
TM 07 x1
Focus Band x1
HM 03
Full Heal x18
Blu Apricorn x1
Any Item x1
NeverMeltIce x1
Any Item x1
X Defend x1
Flower Mail x51
TM 06 x1
Any x1
TM 41 x1

When I did it, it turned my female Pokemon male, which means the Attack DV was high. How can I modify the item list so the Attack DV is 2 (which makes most Pokemon in Gold female) but it is still shiny?

Just change TM42 into Super Repel
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on October 19, 2017, 02:26:08 pm
Thanks. That did it.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on October 19, 2017, 04:52:02 pm
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange: changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1 without modifying the item itself be possible?

Appreciate all the work you guys do, it's really impressive.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 19, 2017, 06:21:43 pm
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange: changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1 without modifying the item itself be possible?

Appreciate all the work you guys do, it's really impressive.

Regarding question 1:
Box 1: A09é(female symbol)455
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84p'd555

This is a slightly modified version of Torchicken's code.

Also, this doesn't work with the coin case, only TM25 in the balls pocket

Regarding question 2: Can you please post the entire box code? Box 2 loads register a into $f6af, but register a was defined in box 1.

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 20, 2017, 07:04:35 am
Finished a code to create a Celebi with its usual egg moves (Leech Seed, Recover, Confusion, Heal Bell).
Just to make it easier to get a legal moveset once Pokémon Bank finally comes to Gold/Silver VC.

First you need to run FMK's one-off code (if you haven't done so already). (No longer required)

Afterwards, use the following code twice, which on the second run will change your first Pokémon into Celebi with the moves Leech Seed, Recover, Confusion & Heal Bell.
Code:
Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é×2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): éZ×'v'vé'm2 (LD [99f1], A; SUB d6; LD [d2f8], A | A->2a)
Box14($D934 to $D93c): .9'l'l'l'lx'd (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
You still need to give it to the day care/hatch the egg to get a "proper" Celebi.
Edit: changed to reduce menu lag on execution and remove the requirement for the one-off code.

Note:
Due to space requirements I changed the name of Box 13. You have to change it back to the one-off code name when using a different code.
Also: don't touch the name of Box 14!



Edit:
If you use TM25 (or TM17, I'm not discriminating) from the balls pocket use the following code instead:
Code:
Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): ^^4~__55 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH~ (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): _p0/'vK~_ ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd~5_ (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd~'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A)
Box12($D922 to $D92A): é×2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00)
Box13($D92B to $D933): 'v'vé'm25x'd (SUB d6; LD [d2f8], A; OR A; RET NC | A->2a)
Box14 can be left blank/doesn't matter.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 20, 2017, 07:22:37 am
That's good stuff, I found this video helpful for getting Celebi's egg moves though:

https://www.youtube.com/watch?v=KdpbBYio-T0
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 08:04:54 am
Finished a code to create a Celebi with its usual egg moves (Leech Seed, Recover, Confusion, Heal Bell).
Just to make it easier to get a legal moveset once Pokémon Bank finally comes to Gold/Silver VC.

First you need to run FMK's one-off code (if you haven't done so already).
Code:
[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Afterwards, use the following code twice, which on the second run will change your first Pokémon into Celebi with the moves Leech Seed, Recover, Confusion & Heal Bell.
Code:
Box 1($D8BF to $D8C7): Ap0b'vA55 (XOR A; OR a1; SUB 80 | A->21)
Box 2($D8C8 to $D8D0): é'l2p0555 (LD [d1f8], A; XOR A; OR fb | A->fb)
Box 3($D8D1 to $D8D9): 55455555 ({LD HL, [{2a}fa]}; {LD [HL], A}; {INC HL}; {INC HL} | HL->fa2a; HL->fa2c)
Box 4($D8DA to $D8E2): 55p0'd'vH5 (XOR A; OR d0; SUB 87; {LD [HL], A} | A->49)
Box 5($D8E3 to $D8EB): 5p0/'vK55 ({INC HL}; XOR A; OR f3; SUB 84; {LD [HL], A}; {INC HL} | HL->fa2d; A->69; HL->fa2e)
Box 6($D8EC to $D8F4): 55p'vd555 (XOR A; SUB a3; {LD [HL], A}; {INC HL} | A->5d; HL->fa2f)
Box 7($D8F5 to $D8FD): p0X0'd5'vu (XOR A; OR 97; OR d0; {LD [HL], A}; SUB b4 | A->d7; A->23)
Box 8($D8FE to $D906): é't2é'v255 (LD [d5f8], A; LD [d6f8], A)
Box 9($D907 to $D90F): é-2éé255 (LD [e3f8], A; LD [eaf8], A)
Box10($D910 to $D918): é/2'vmé's2 (LD [f3f8], A; SUB ac; LD [d4f8], A | A->77)
Box11($D919 to $D921): é(Pk)2é&255 (LD [e1f8], A; LD [e9f8], A | (Pk) is the character spelling Pk)
Box12($D922 to $D92A): é×2é425p (LD [f2f8], A; LD [faf8], A; XOR A | A->00 | × is the multiplication sign)
Box13($D92B to $D933): éD9'v'vé'm2 (LD [83ff], A; SUB d6; LD [d2f8], A | A->2a)
Box14($D934 to $D93c): 'l'lä'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC | LEAVE UNCHANGED!)
You still need to give it to the day care/hatch the egg to get a "proper" Celebi.

Note:
Due to space requirements I changed the name of Box 13. You have to change it back to the one-off code name when using a different code.
Also: don't touch the name of Box 14!

That's awesome! Nice work!

It's worth noting that if you use TM 25 in the balls pocket as opposed to the Coin case, it is not required to use FMK's one-off code. (At least, not for me)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 20, 2017, 08:10:08 am
VBA sucks.

I second that.

<rant>

I used to use VBA for glitch research, and it was a nightmare. Tons of glitches were unavailable/weren't working properly, including Dokokashira door, Coin Case, Glitch Dimension, and many others, not to mention the debugger was garbage (you couldn't write anything in the debugger, you had to write code from the Hex Editor).

If your "emulator" cannot accurately emulate the target hardware, then your software should not be considered a true emulator.

To add to what was already said, the original VBA was last updated in 2004 so it shouldn't come off as a surprise that better emulators have come out such as current releases of BGB (first public version was 0.3 (http://bgb.bircd.org/bgb03.zip) in 2001) and mGBA.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 08:38:09 am
VBA sucks.

I second that.

<rant>

I used to use VBA for glitch research, and it was a nightmare. Tons of glitches were unavailable/weren't working properly, including Dokokashira door, Coin Case, Glitch Dimension, and many others, not to mention the debugger was garbage (you couldn't write anything in the debugger, you had to write code from the Hex Editor).

If your "emulator" cannot accurately emulate the target hardware, then your software should not be considered a true emulator.

To add to what was already said, the original VBA was last updated in 2004 so it shouldn't come off as a surprise that better emulators have come out such as current releases of BGB (first public version was 0.3 (http://bgb.bircd.org/bgb03.zip) in 2001) and mGBA.

BGB is my personal choice and recommendation. Wonderful debugger and accurate emulation.

What's mGBA? Never heard of it prior.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 20, 2017, 08:52:06 am
What's mGBA? Never heard of it prior.

A modern alternative to VBA, especially since it started as a GBA emulator.

https://mgba.io/ (https://mgba.io/)

The developer plans to rebrand mGBA as medusa in the near future because it will also emulate the DS. There is another new DS emulator as well called melonDS (http://melonds.kuribo64.net/) which supports Wi-Fi.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 20, 2017, 09:05:52 am
That's good stuff, I found this video helpful for getting Celebi's egg moves though:

https://www.youtube.com/watch?v=KdpbBYio-T0

You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)

It's worth noting that if you use TM 25 in the balls pocket as opposed to the Coin case, it is not required to use FMK's one-off code. (At least, not for me)

You probably don't need Box14 and the name of Box13 should be changed to this
Code:
'v'vé'm25x'd
As far as I understood, the code is there to recover the stack to a reasonable enough state so you can save & reset.

Now I'm not too familiar with the different methods, but as far as I'm aware the stack isn't corrupted by using TM25 in the balls pocket (I should glitch me one there  ;D).
Do you know any more specifics about this, like where the execution starts and what else is required? (i.e. do I even need the Quagsire and can the slide-mon be the same?)

Edited my initial post to add this as well.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 09:17:14 am
Do you know any more specifics about this, like where the execution starts and what else is required? (i.e. do I even need the Quagsire and can the slide-mon be the same?)

I don't know precisely where it jumps first. When I get home, I'll breakpoint some addresses in BGB and see if I can find out what it does when used.

My guess is that when you use TM 25 in the balls pocket, it reads an invalid effect pointer (similar to 8F in R/B) and eventually reaches its destination, but AFAIK it doesn't corrupt the stack.

Something worth pointing out is that it eventually leads to Pokemon slot 2, not 3. So if you decide to use this method, move your slide and Quagsire up one slot.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on October 20, 2017, 01:14:33 pm
How would one go about modifying the EVs to maximum? Modifying the code for Rare Candies/Masterballs to place HP UP/Protein/Carbos etc. works up until 25600, but since EVs max out at 65535, it's still off by a way. I know there's one that exists already, but I think one that doesn't immediately boost to level 100 would be good too.

Also slightly strange: changing the Box 2 code from 'p0B'vAé7't' (255x Master Balls) to 'p0't'vAé7't' should yield PP Ups, but instead yields Red Apricorns. Would a code to modify the quantity of an item in, say, bag slot 1 without modifying the item itself be possible?

Appreciate all the work you guys do, it's really impressive.

Regarding question 1:
Box 1: A09é(female symbol)455
Box 2: é04é1455
Box 3: é24é3455
Box 4: é44é5455
Box 5: é64é7455
Box 6: é84p'd555

This is a slightly modified version of Torchicken's code.

Also, this doesn't work with the coin case, only TM25 in the balls pocket

Regarding question 2: Can you please post the entire box code? Box 2 loads register a into $f6af, but register a was defined in box 1.

Thanks, I really appreciate it! I modified it slightly so that it works with the Coin Case ACE (Ap09é♀45), only a minor change but I already have that one set up so it seemed worth doing.

In regards to the second point, this is the original code for 255x Master Balls in Ball Slot 1:

Ap09é8't5 
p0B'vAé7't
p555'v7'v'd
é(male)2péD9'l
'l5555555
555A'lx'd

With the third letter/number in Box 2's name changing the given item. Most seem to work, given that they are all offset to begin at 0x81, with 'v being the last usable character in that block (BF). Rare Candy is indexed 32 positions higher, so requires the letter 'a'. PP Up is indexed 30 positions after Rare Candy so should require the character 't, but using 't gives Red Apricorn, which is a little strange.

Thanks again!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 01:46:00 pm
From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.

't ($d5) - ($80) = $55, which should return Red Apricorns.

Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.

If you would like, I can alter the code to produce PP Ups.

Edit: Change box 2 to p0'v'vYé7't

Hope this helps!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on October 20, 2017, 02:22:10 pm
From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.

't ($d5) - ($80) = $55, which should return Red Apricorns.

Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.

If you would like, I can alter the code to produce PP Ups.

Edit: Change box 2 to p0'v'vYé7't

Hope this helps!

Thanks man, you're a legend! I figured something was up with the offset, but my understanding of these codes is pretty basic but I'm trying to learn. If you don't mind, could you explain what the changed Box 2 does differently to the previous one?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 02:59:55 pm
From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.

't ($d5) - ($80) = $55, which should return Red Apricorns.

Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.

If you would like, I can alter the code to produce PP Ups.

Edit: Change box 2 to p0'v'vYé7't

Hope this helps!

Thanks man, you're a legend! I figured something was up with the offset, but my understanding of these codes is pretty basic but I'm trying to learn. If you don't mind, could you explain what the changed Box 2 does differently to the previous one?

Absolutely! The new box 2 code subtracts $98 from $D6 to get $3E, the hex for PP Ups.

Make sure to take this into account when adjusting the code for different items.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 20, 2017, 03:11:19 pm
Thanks man, you're a legend! I figured something was up with the offset, but my understanding of these codes is pretty basic but I'm trying to learn. If you don't mind, could you explain what the changed Box 2 does differently to the previous one?

Basically a different calculation. The é7't part present in both is writing the value currently in register A to the specified location which is the type of the first item (judging from the original code in the balls pocket; you might need to adjust this, too).


Now for the calculations itself:
Code:
p0B'vA (XOR A; OR 81; SUB 80)

p0'v'vY (XOR A; OR d6; SUB 98)
All Instructions are evaluated against register A and you can look them up in Sanqui's Pastebin (http://pastebin.com/raw/arPmsvYu).
XOR A (character p) is basically an elaborate way to set register A to the value 0.
OR (character 0) takes the next character as argument and with A currently at the value of 0 the argument becomes the new value of A (here: 81 and d6).
SUB (character 'v) also takes the next character as argument and subtracts it from A leaving the result as the new value (here: 01 and be).

Unfortunately ADD and XOR with argument are not representable with characters, so getting some values can be a bit tricky. One trick here is to deliberately underflow in the calculation and use SUB to get to the desired value anyway. This way you can represent the required 01 for the Master Ball also in this way:
Code:
p'v9 (XOR A; SUB ff)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 03:14:08 pm
Thanks man, you're a legend! I figured something was up with the offset, but my understanding of these codes is pretty basic but I'm trying to learn. If you don't mind, could you explain what the changed Box 2 does differently to the previous one?

Basically a different calculation. The é7't part present in both is writing the value currently in register A to the specified location which is the type of the first item (judging from the original code in the balls pocket; you might need to adjust this, too).


Now for the calculations itself:
Code:
p0B'vA (XOR A; OR 81; SUB 80)

p0'v'vY (XOR A; OR d6; SUB 98)
All Instructions are evaluated against register A and you can look them up in Sanqui's Pastebin (http://pastebin.com/raw/arPmsvYu).
XOR A (character p) is basically an elaborate way to set register A to the value 0.
OR (character 0) takes the next character as argument and with A currently at the value of 0 the argument becomes the new value of A (here: 81 and d6).
SUB (character 'v) also takes the next character as argument and subtracts it from A leaving the result as the new value (here: 01 and be).

Unfortunately ADD and XOR with argument are not representable with characters, so getting some values can be a bit tricky. One trick here is to deliberately underflow in the calculation and use SUB to get to the desired value anyway. This way you can represent the required 01 for the Master Ball also in this way:
Code:
p'v9 (XOR A; SUB ff)
^This

Integer underflow is your friend
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 20, 2017, 04:11:17 pm
Do you know any more specifics about this, like where the execution starts and what else is required? (i.e. do I even need the Quagsire and can the slide-mon be the same?)

I don't know precisely where it jumps first. When I get home, I'll breakpoint some addresses in BGB and see if I can find out what it does when used.

My guess is that when you use TM 25 in the balls pocket, it reads an invalid effect pointer (similar to 8f in R/B) and eventually reaches its destination, but AFAIK it doesn't corrupt the stack.

Something worth pointing out is that it eventually leads to Pokemon slot 2, not 3. So if you decide to use this method, move your slide and Quagsire up one slot.

Just found this (http://forums.glitchcity.info/index.php?topic=8100.0). (How could I be so blind  :o)
Reconstructing from the Slide-Mon requirement removal, it starts execution at $da9a (Second byte defense EV of the second Party Pokémon).

Switching to TM25 usage now. Soo much easier and without constant resetting.  ;D
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 20, 2017, 04:19:25 pm
Do you know any more specifics about this, like where the execution starts and what else is required? (i.e. do I even need the Quagsire and can the slide-mon be the same?)

I don't know precisely where it jumps first. When I get home, I'll breakpoint some addresses in BGB and see if I can find out what it does when used.

My guess is that when you use TM 25 in the balls pocket, it reads an invalid effect pointer (similar to 8f in R/B) and eventually reaches its destination, but AFAIK it doesn't corrupt the stack.

Something worth pointing out is that it eventually leads to Pokemon slot 2, not 3. So if you decide to use this method, move your slide and Quagsire up one slot.

Just found this (http://forums.glitchcity.info/index.php?topic=8100.0). (How could I be so blind  :o)
Reconstructing from the Slide-Mon requirement removal, it starts execution at $da9a (Second byte defense EV of the second Party Pokémon).

Switching to TM25 usage now. Soo much easier and without constant resetting.  ;D

Indeed it is. Another thing I didn't like about the coin case is moving in a specific pattern, listening to Machop's cry, fixing the stack, etc.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 21, 2017, 07:11:41 am
Next code: Turn Pokémon 1 into an Egg, ready to be hatched (probably 256 steps left):
Code:
1)55555555
2)p0d'vAé!2 XOR A; OR a3; SUB 80; LD [e7f8], A | A->23
3)p0't'vQé♂2 XOR A; OR d5; SUB 90; LD [eff8], A | A->45
4)55555555
5)p07éé45p XOR A; OR fd; LD [{23}fa], A; XOR A | A->fd; A->0
6)'v9éé4x'd SUB ff; LD [{45}fa], A; OR A; Ret NC | A->01

This is for use with TM25 in the balls bag. If you want to use Coin Case, use the one-off code from FMK and change the name of Box 6
Code:
6)'v9éé4555 XOR A; LD [{45}fa], A

And just in case you didn't know: Shiny Celebi looks awesome in Gen II.  ^-^
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 21, 2017, 08:22:32 pm
You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)

On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 21, 2017, 09:15:19 pm
What I've been doing is using ACE to change my pokemon into a pokemon that learns the move, leveling it to the appropriate level, learning the move, then using ACE again to change it back. Obviously this isn't very efficient, but I'm not capable of working out a code to replace moves myself.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 07:21:12 am
You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)

On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.

Here's a quick-and-dirty TM 25 Ball Pocket code that I made to teach Ice Beam to Pokemon 5. Due to character limitations, I was restricted to the fourth move, so make sure Pokemon 5 has at least 3 moves before using.

Box 1: Ap0?'vm55
Box 2: é(male)4p'd555

Here's the same code, but for use with the Coin Case (ensure to use FMK's one-off code)
Box 1: Ap0?'vm55
Box 2: é(male)455555
Box 3+ :55555555
Box 13: Leave Unchanged (FMK's Code)
Box 14: Leave Unchanged (FMK's Code)

I have not tested the Coin Case version (I prefer to use TM 25), but it should work as described. If it doesn't, please let me know.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 22, 2017, 08:42:36 am
For Flamethrower and Thunderbolt you only need to change Box 1.

Flamethrower:
Code:
Ap0v'vA55 XOR A; OR b5; SUB 80
Thunderbolt:
Code:
Ap0't'vA55 XOR A; OR d5; SUB 80
Icebeam:
Code:
Ap0?'vm55 XOR A; OR e6; SUB ac
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 22, 2017, 09:18:19 am
Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.

So is it possible to teach any move through these methods, or are there some character limitations for certain moves?

Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 09:29:13 am
Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.

So is it possible to teach any move through these methods, or are there some character limitations for certain moves?

Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.

With enough changes of box 1, it is possible to teach any move, probably even glitch moves, though I haven't tried this for myself.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on October 22, 2017, 09:53:50 am
Thanks Couldntthinkofaname and spamviech for explaining it, I really appreciate it. It's pretty incredible how blown open the games are thanks to a simple lack of valid terminator.

Things like Extremespeed Dragonite would be cool, at least until Crystal comes out (even then you'd need two 3DS's or a friend in order to trade).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 10:19:07 am
So, I decided to make a box code that makes the 5th Pokemon's 4th move be glitch move $ff

Box 1: A09é(male)4p'd

The results were interesting to say the least.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 22, 2017, 02:20:47 pm
I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
But everyone seems to love TM ace so now I'm not gonna have any more coincase formatted codes to work with.
(I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 02:48:25 pm
I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
But everyone seems to love TM ace so now I'm not gonna have any more coincase formatted codes to work with.
(I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).

I can reformat my code if you would like: (make sure to use FMK's one off code prior)

Pokemon 5 has glitch move $ff in move slot 4:
Box 1: A09é(male)455
Box 2+: 55555555
Box 13: Unchanged from FMK's code
Box 14: Unchanged from FMK's code

I'll start formatting my codes in both ways for ease of use to both parties

If you see a TM 25 code you would like to use, usually reformatting can be done with these steps:

1. Use FMK's one-off code (if you haven't prior)
2. At the end of the code you wish to use, replace the final 'd with 5, and fill in the rest of that box name with 5
3. Fill in any unused box names with 5 (except Box 13 and 14)
4. Make sure box 13 and 14 are unchanged from FMK's one-off code

Hope this is useful!  :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 22, 2017, 03:05:06 pm
I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).

From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 03:53:43 pm
I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).

From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).

Here's a breakdown of Box 1:

A ;Useless char that does nothing
p ; XOR a, so a = $00
0? ; OR $e6, so a = $e6
'vm ; SUB $ac so a - $ac = $3a (Ice beam)
5 ; ei, interrupts are already enabled so this does nothing
5 ; ei, same deal
(end terminator) ; ld d,b

And then Box 2 proceeds to load a into the desired location (In this case, $faef)

So if you wanted to make alterations to this code, you would replace ? and m with two values that you wish to subtract. Essentially, we are taking 2 values that can be represented as valid characters and subtracting them to get a value we would not have been able to type with characters.

As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.

Hope this helped!
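Added example, written for this thread and not taken from any poster's code: a small Python model of how the game reads a box name as Game Boy machine code, covering the handful of opcodes the posts rely on (XOR A, OR n, SUB n, AND n, OR A, EI, LD (nn),A, RET NC and the $50 terminator). It reproduces spamviech's walk-through of p0B'vA and p0'v'vY and Epsilon's breakdown of the Ice Beam pair, and it automates the underflow trick by searching for a typeable OR/SUB pair for any byte. The character table is reconstructed from the byte values the posters quote (p = $AF, 0 = $F6, 'v = $D6, A = $80, Y = $98, 9 = $FF, é = $EA and so on) and only covers characters the thread uses; Sanqui's pastebin remains the reference list.

```python
# Added example, not code from the thread: a model of how a Gen II box name is
# executed as Game Boy code, so the OR/SUB arithmetic in the posts can be
# checked offline. CHARSET is reconstructed from the bytes the posters cite and
# is deliberately partial (assumption: it matches Sanqui's pastebin for these).

CHARSET = {
    **{chr(ord("A") + i): 0x80 + i for i in range(26)},   # A..Z  = $80..$99
    **{chr(ord("a") + i): 0xA0 + i for i in range(26)},   # a..z  = $A0..$B9
    **{str(d): 0xF6 + d for d in range(10)},              # 0..9  = $F6..$FF
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3,       # apostrophe digraphs
    "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    "-": 0xE3, "?": 0xE6, "!": 0xE7, ".": 0xE8, "&": 0xE9,
    "é": 0xEA, "♂": 0xEF, "×": 0xF1, "/": 0xF3, ",": 0xF4, "♀": 0xF5,
}
BYTE_TO_CHAR = {v: k for k, v in CHARSET.items()}
REPRESENTABLE = set(CHARSET.values())
TERMINATOR = 0x50   # ends every box name; as an opcode it is LD D,B, which leaves A alone


def encode(box_name):
    """Turn a box name written the thread's way ('v, 'd, ... as digraphs) into bytes."""
    out, i = [], 0
    while i < len(box_name):
        tok = box_name[i:i + 2] if box_name[i] == "'" else box_name[i]
        out.append(CHARSET[tok])
        i += len(tok)
    return bytes(out)


def encode_boxes(names):
    """Lay box names out as the game stores them: name, $50, name, $50, ..."""
    return b"".join(encode(n) + bytes([TERMINATOR]) for n in names)


def run(code, start=0):
    """Execute only the opcode subset the thread's codes use.

    Returns (final A, list of (address, value) written by LD (nn),A). Stops at
    RET NC ('d), at the end of the bytes, or on an opcode outside the subset.
    start=1 skips the leading A that the TM25 setup never executes.
    """
    a, pc, writes = 0, start, []
    while pc < len(code):
        op = code[pc]
        if op == 0xAF:                        # XOR A   (p): A = 0
            a, pc = 0, pc + 1
        elif op == 0xF6:                      # OR n    (0): with A = 0 this just loads n
            a, pc = a | code[pc + 1], pc + 2
        elif op == 0xD6:                      # SUB n   ('v): 8-bit wrap is the "underflow" trick
            a, pc = (a - code[pc + 1]) & 0xFF, pc + 2
        elif op == 0xE6:                      # AND n   (?)
            a, pc = a & code[pc + 1], pc + 2
        elif op == 0xEA:                      # LD (nn),A (é lo hi): little-endian address
            writes.append((code[pc + 1] | code[pc + 2] << 8, a))
            pc += 3
        elif op in (0xB7, 0xFB, TERMINATOR):  # OR A (x), EI (5), LD D,B: no effect on A
            pc += 1
        elif op == 0xD0:                      # RET NC ('d): treat as the end of the payload
            break
        else:
            raise ValueError(f"opcode ${op:02x} at offset {pc} is outside the modelled subset")
    return a, writes


def box_code_for(target):
    """Build 'XOR A; SUB y' or 'XOR A; OR x; SUB y' from typeable characters only.

    ADD n and XOR n cannot be typed, so every value is reached by subtracting
    one representable byte from another and letting the result wrap. The x and
    y bytes are operands, so a byte like $D0 ('d) is fine there even though it
    would be RET NC if executed.
    """
    y = (-target) & 0xFF                      # XOR A; SUB y   (e.g. $01 = 0 - $FF wrapped)
    if y in REPRESENTABLE:
        return "p'v" + BYTE_TO_CHAR[y]
    for x in sorted(REPRESENTABLE):           # XOR A; OR x; SUB y
        y = (x - target) & 0xFF
        if y in REPRESENTABLE:
            return "p0" + BYTE_TO_CHAR[x] + "'v" + BYTE_TO_CHAR[y]
    return None


if __name__ == "__main__":
    # The two calculations spamviech walks through, then Epsilon's Ice Beam pair.
    print(hex(run(encode("p0B'vA"))[0]))       # $01 (Master Ball)
    print(hex(run(encode("p0'v'vY"))[0]))      # $3e (PP Up)
    code = encode_boxes(["Ap0?'vm55", "é♂4p'd555"])
    print(run(code, start=1))                  # A cleared, one write of $3a to $faef
    print(box_code_for(0x3A))                  # a typeable route to the Ice Beam ID
```

The emulator records each LD (nn),A as an (address, value) pair instead of touching memory, so a code can be checked for where it writes before it is typed into a box name; Epsilon's pair shows up as a single write of $3a to $faef, the slot the breakdown names. `box_code_for` takes the first pair it finds, which is not always the shortest to type; the search is over operand bytes, so it never proposes a character that cannot be entered.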
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 22, 2017, 04:38:56 pm
Here's a breakdown of Box 1:

A ;Useless char that does nothing

More like an ignored character. With the usual setup (Quagsire holding TM02 with Return as first move) execution starts at the second character of the first box name.
You can literally put whatever character you want here. It's just A as a default, since that's where the cursor starts.

Quote
From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).
As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.

Hope this helped!

FMK's code puts the 'return to game' code into Box 13 and 14.
Filling the boxes with 5's just is a save passing code so execution reaches the return to game part.
The advantage is you don't have to engineer it yourself every time you write a new code since you have to use a character normally not available. And you also have to figure out where to put it.
Otherwise part of the code always has to be "put the instruction for INC SP at the right place before it is executed". Due to limited charset (in most cases) this also restricts your available space to write code to a bit more than 8 box names, part of which is the 'return to game' code.

Hope this wasn't too techy.


Quote
With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).
Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 22, 2017, 05:24:32 pm

Quote
With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).
Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.

Oh, so you simply can't target pokemon 1?
And if we're using the FMK setup now, how do you convert old codes like this to work with that set up?
Quote
Box 1:  A  p  0  k 'v  A  5  5
Box 2:  é 'm  2  p  p  0  5  5
Box 3:  é  A  4  p 'v  7 'v 'd
Box 4:  é  ♂  2  p  é  D  9 'l
Box 5: 'l  5  5  5  5  5  5  5
Box 6:  5  5  5  A 'l  x 'd  5
Cause when I used a code that needed FMK's code (The give all TMs code), I ended up renaming all my boxes after so I could go back to using the other codes I'd been using.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 06:35:16 pm
(Apologies for late reply)

If you wish to convert the code to work with the TM 25 setup, then this should work:

Box 1: Ap0k'vA55
Box 2: é'm2pp055
Box 3: éA4p'v7'v'd
Box 4: é(male)2péD95
Box 5: p'd555555

If you're meaning to use this with coin case, then it should already work as is, provided you executed the one-off code prior.

Oh, so you simply can't target pokemon 1?

Nope (at least not with moveset data). Pokemon 1's lower byte is not able to be represented with characters. However, some code developers have written self-modifying box name codes as a workaround. Still, it's much easier to just use addresses that can be represented as is, so we target pokemon 5, move 4, as both the high byte and low byte are able to be represented with 4 and (male) respectively.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 22, 2017, 08:22:13 pm
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 22, 2017, 08:29:42 pm
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.

Yeah, you can probably use your code along with FMK's one-off code. I haven't tried it for myself, but I don't see any reason why it wouldn't work.

Thanks for the reference!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 22, 2017, 09:57:51 pm
'welcome.

And well, I trial and errored my way into what I wanted to know.
I took a shiny code, and cut off the bottom three Box names so it looks like this;
Ap0'd'vR55
é'm2pp0é5
éA4p0'd'vQ
é?2p0k55
55éA4ppp
Then the rest was taken up by 5s and FMK's code at the bottom. It turned my Ditto shiny, but still corrupted box 3's name. But I'm assuming (cause I don't know), the last relevant bit of code is éA4p, then the rest was terminating code?
I actually tried it the first time without 55éA4ppp (so only 4 Box names) and that didn't change the special and speed, so that's why I'm guessing.

Edit;
Seems like it. Shortened the modify pokemon code down to work as such
Quote
Box 1:  A  p  0  k 'v  A  5  5
Box 2:  é 'm  2  p [x  x  x  x]
Box 3:  é  A  4  p '5  5  5  5
[filler 5s]
[box 13 and 14 unchanged from FMK's]
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: FMK on October 23, 2017, 12:33:24 am
'welcome.

And well, I trial and errored my way into what I wanted to know.
I took a shiny code, and cut off the bottom three Box names so it looks like this;
Ap0'd'vR55
é'm2pp0é5
éA4p0'd'vQ
é?2p0k55
55éA4ppp
Then the rest was taken up by 5s and FMK's code at the bottom. It turned my Ditto shiny, but still corrupted box 3's name. But I'm assuming (cause I don't know), the last relevant bit of code is éA4p, then the rest was terminating code?
I actually tried it the first time without 55éA4ppp (so only 4 Box names) and that didn't change the special and speed, so that's why I'm guessing.

That's correct, yeah.

As a general rule of thumb, é*2 (Where * can be anything) will usually mean box names are being modified. éA* (Where * can, again, be anything; But most of the time is 4) is also, usually, the target of the prior name change.

So in this case, é'm2 of Box 2 is changing the éA4's A of Box 3, and é?2 of Box 4 is changing the éA4's A of Box 5. (While the modified éA4's are changing values elsewhere, of course)


As an additional rule of thumb, for codes not designed with my one-off code in mind, if you ignore all the 5's in Box names, once you see p 'v 7 'v 'd é * 2 p é D 9 'l 'l A 'l x 'd (Where * can be anything), that's where you can usually stop inputting the written box names, and just use 5's, if you've already used my one-off code.

But to confirm, yes, all Coin Case codes work after using my one-off code without modification, even if they weren't specifically made for it.


On a related note, to modify a TM25 code to work with Coin Case (If you've used my one-off code), it's as simple as replacing the final 'd of a code with a 5.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 23, 2017, 12:41:03 am
Alright thanks, I'll try to keep that in mind when adapting things to fit with your code.
(Been wondering too, is there any place we should be compiling all this information in a more organized manner?)

Also completely frivolous, but I saw someone did this in gen 1 and I was wondering if it would work here- can I modify a pokemon's type? If I wanted to make a pokemon with one type a secondary dragon type, how would I go about doing that- and would it remain if I put it in a PC? Cause if not, probably not worth the trouble.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 23, 2017, 03:31:36 am
I wanted to know if I could use it with FMK's code, or if I have to erase FMK's code to use the shiny code. Because that sounds tedious and defeats the purpose.

Also, don't know if anyone needs this, but I went ahead and made a quick reference for the codes for every move;
https://pastebin.com/XSth40BV

And proof, used it to get an Extremespeed Dratini.

Great work.  :)

Also completely frivolous, but I saw someone did this in gen 1 and I was wondering if it would work here- can I modify a pokemon's type? If I wanted to make a pokemon with one type a secondary dragon type, how would I go about doing that- and would it remain if I put it in a PC? Cause if not, probably not worth the trouble.

Don't think it's possible. Doesn't look like typing is stored separately for each single Pokémon. (http://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Gold_and_Silver:RAM_map#Pokemon_1_Settings)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 23, 2017, 06:00:16 am
Here's a quick-and-dirty TM 25 Ball Pocket code that I made to teach Ice Beam to Pokemon 5. Due to character limitations, I was restricted to the fourth move, so make sure Pokemon 5 has at least 3 moves before using.

Box 1: Ap0?'vm55
Box 2: é(male)4p'd555

Here's the same code, but for use with the Coin Case (ensure to use FMK's one-off code)
Box 1: Ap0?'vm55
Box 2: é(male)455555
Box 3+ :55555555
Box 13: Leave Unchanged (FMK's Code)
Box 14: Leave Unchanged (FMK's Code)

I have not tested the Coin Case version (I prefer to use TM 25), but it should work as described. If it doesn't, please let me know.

Thanks it worked. Though I used your code first before I read spamviech's post so I ended up teaching my Jolteon Ice Beam instead of Thunderbolt, but I quickly fixed that haha.

The only other moves I was interested in was Double-Edge and Rock slide, but seeing as Dragon Arbock has post codes for all moves I'll guess I'll follow that.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 23, 2017, 06:03:56 am
^Glad I could help  :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 24, 2017, 04:09:12 am
As a general rule of thumb, é*2 (Where * can be anything) will usually mean box names are being modified. éA* (Where * can, again, be anything; But most of the time is 4) is also, usually, the target of the prior name change.

Just for reference I have a small list of directly reachable box name characters. Since it could become confusing with later used codes I left out terminator characters, since I don't know how they are handled. Terminator characters (normally 0x50, or 80 in decimal, which is LD D,B) are written after the | character.
To use it load the desired value into register A using XOR A (p), SUB ('v), OR (0) and AND (?) instructions and then use é*2 where you replace * with the desired character in the list below.
Places with _ are not directly reachable.

Code:
Box 1($D8BF to $D8C7): _ _ _ _ _ _ _ _|_
Box 2($D8C8 to $D8D0): _ _ _ _ _ _ _ _|'d
Box 3($D8D1 to $D8D9):'l'm'r's't'v _ _|_
Box 4($D8DA to $D8E2): _ _ _ _ _ _ _Pk|Mn
Box 5($D8E3 to $D8EB): - _ _ ? ! . & é|_
Box 6($D8EC to $D8F4): _ _ _ ♂ _ × _ /|,
Box 7($D8F5 to $D8FD): ♀ 0 1 2 3 4 5 6|7
Box 8($D8FE to $D906): 8 9 _ _ _ _ _ _|_
Box 9($D907 to $D90F): _ _ _ _ _ _ _ _|_
Box10($D910 to $D918): _ _ _ _ _ _ _ _|_
Box11($D919 to $D921): _ _ _ _ _ _ _ _|_
Box12($D922 to $D92A): _ _ _ _ _ _ _ _|_
Box13($D92B to $D933): _ _ _ _ _ _ _ _|_
Box14($D934 to $D93C): _ _ _ _ _ _ _ _|_


Edit:
Something else I found after poking around a bit:
Though Coin Case gives you a corrupted stack and the game would glitch dimension/freeze after ret, you can solve the issue by using the following edits as part of a footer in your code.

Code:
xor a
ld (ff83),a
pop de
pop de
inc sp
pop de
or a
ret nc

(Found from deconstructing the box name code here (http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Gold/Silver/Any%25_Guide)).

There is one catch and something you need to know:

inc sp (hex:33) cannot normally be represented by box characters. However, you can get the ID for inc sp with the following: xor a;  sub fd; sub d0 and then use ld (xxyy),a to self-modify your code to add an inc sp.

This method also has a bad side effect of slowing menus down to an extreme, but after closing the menu if you hold down A and tap down you will be able to move the cursor to SAVE, mash A to save the game and reset the game to bring things back to normal.
If you check the box name code on the speedrun page (http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Gold/Silver/Any%25_Guide) you may notice a version for less laggy credits. The only difference is éZ× (LD [f199], A; A is still at value 0).
If you incorporate this in your code the menu lag is no longer present. Only thing which might require a reset is that the player character is still invisible.

To include this into FMK's one-off code it would then look like this:
Code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)
Usage stays the same as before.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 24, 2017, 06:50:56 am
If you check the box name code on the speedrun page (http://wiki.pokemonspeedruns.com/index.php?title=Pok%C3%A9mon_Gold/Silver/Any%25_Guide) you may notice a version for less laggy credits. The only difference is éZ× (LD [f199], A; A is still at value 0).
If you incorporate this in your code the menu lag is no longer present. Only thing which might require a reset is that the player character is still invisible.

To include this into FMK's one-off code it would then look like this:
Code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)
Usage stays the same as before.
Ah that's great. I wasn't aware of that. Thanks! :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on October 24, 2017, 01:26:23 pm
Say, does anyone know how to enable walk through walls in gen 2? Or know what address to edit for it?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 24, 2017, 02:43:24 pm
Say, does anyone know how to enable walk through walls in gen 2? Or know what address to edit for it?

Unfortunately, there doesn't appear to be an in-game address that disables collisions.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 24, 2017, 03:30:09 pm
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall. However these addresses will be reset after taking a step, so if you want to do this with arbitrary code execution it must be done with something like many uses of wrong pocket TM/HM code execution (as Coin Case requires moving in a specific pattern), or "real time arbitrary code execution" (https://www.youtube.com/watch?v=1w2iQdAHPh4).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 24, 2017, 05:29:45 pm
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall. However these addresses will be reset after taking a step, so if you want to do this with arbitrary code execution it must be done with something like many uses of wrong pocket TM/HM code execution (as Coin Case requires moving in a specific pattern), or "real time arbitrary code execution" (https://www.youtube.com/watch?v=1w2iQdAHPh4).


Usually when I try writing to the OAM DMA, the game ends up crashing.

Maybe I'm missing something.

EDIT: Just tried it again, worked fine. Can't recall what I did wrong initially.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 24, 2017, 05:31:59 pm
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall.

I usually set those addresses to 00 out of habit and it works, but I'm not sure how exactly the various values differ.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 24, 2017, 06:56:23 pm
Here's a new code:

All encountered Pokemon are shiny:
Box 1: Ap0'méJ95
Box 2: p0-éK955
Box 3: p02éL9p'd
Box 4: (Doesn't Matter)
Box 5: p0éé(male)'dyy
Box 6: p0ké0'dp'd

After executing, just walk around in the grass. Any Pokemon you encounter will be shiny!

Please note this does affect trainer Pokemon as well, meaning any trainer you encounter will have a full shiny team. Also, note that the only way to disable this code is by resetting the game.

As of right now, this is TM 25 only. I have yet to port this for coin case.

Enjoy!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 24, 2017, 10:39:10 pm
Here's a new code:

All encountered Pokemon are shiny:
Box 1: Ap0'méJ95
Box 2: p0-éK955
Box 3: p02éL9p'd
Box 4: (Doesn't Matter)
Box 5: p0éé(male)'dyy
Box 6: p0ké0'dp'd

After executing, just walk around in the grass. Any Pokemon you encounter will be shiny!

Please note this does affect trainer Pokemon as well, meaning any trainer you encounter will have a full shiny team. Also, note that the only way to disable this code is by resetting the game.

As of right now, this is TM 25 only. I have yet to port this for coin case.

Enjoy!

Oh, this sounds cool. If this is possible, is it possible to use a code to alter the species of wild pokemon? I know with 8F you could.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 04:36:13 am
Here's a new code:

All encountered Pokemon are shiny:
Box 1: Ap0'méJ95
Box 2: p0-éK955
Box 3: p02éL9p'd
Box 4: (Doesn't Matter)
Box 5: p0éé(male)'dyy
Box 6: p0ké0'dp'd

After executing, just walk around in the grass. Any Pokemon you encounter will be shiny!

Please note this does affect trainer Pokemon as well, meaning any trainer you encounter will have a full shiny team. Also, note that the only way to disable this code is by resetting the game.

As of right now, this is TM 25 only. I have yet to port this for coin case.

Enjoy!

Oh, this sounds cool. If this is possible, is it possible to use a code to alter the species of wild pokemon? I know with 8F you could.

Yes, and I will work on it as soon as I get home.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on October 25, 2017, 05:52:36 am
If you change addresses CEA3-CEA6 to 08 (or apparently all values 08-0E), it will allow you to walk through almost any wall. However these addresses will be reset after taking a step, so if you want to do this with arbitrary code execution it must be done with something like many uses of wrong pocket TM/HM code execution (as Coin Case requires moving in a specific pattern), or "real time arbitrary code execution" (https://www.youtube.com/watch?v=1w2iQdAHPh4).


Usually when I try writing to the OAM DMA, the game ends up crashing.

Maybe I'm missing something.

EDIT: Just tried it again, worked fine. Can't recall what I did wrong initially.
Since the OAM DMA routine is run on every frame, you must overwrite the terminating RET last. Maybe that's what was going awry.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 10:01:14 am
Took a lot longer than expected, but here it is!

All wild Pokemon are <insert x pokemon here>:
Box 1: Ap'v8é'm25
Box 2: p0(male)55555
Box 3: 'v'vé52p0'm
Box 4: éJ9p0(female)55
Box 5: éK9p0255
Box 6: éL9p'd555
Box 7: p0?yyéé'd
Box 8: p'dyyyyyy

Replace ? with the SpeciesID.

Now, obviously not every Pokemon is going to be able to be represented with valid characters. If you would like this code to work with a specific Pokemon, just let me know and I'll be happy to make an adaptation.

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 12:07:15 pm
That's amazing, what level are the Pokemon? The same level as the Pokemon on the route that are replaced? And you said to get encounters back to normal you just reset the game? Also does a Celebi you catch with this glitch have its start moves of Leech Seed, Heal Bell, Confusion and Recover?

As for suggestions for other Pokemon - maybe the baby Pokemon (Cleffa, Igglybuff, Magby, Elekid, Pichu) as these Pokes are annoying to breed for because for whatever reason it takes ages for the daycare to produce an egg I'm finding in the VC versions, others have reported this too, you get there eventually, but it sometimes takes A LOT of biking just for them to produce one egg.

Also the legendary beasts would be useful too. :) Currently I have Suicune, but it's annoying trying to rely on luck finding the others especially when you don't have their Pokedex entries.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 12:17:07 pm
That's amazing, what level are the Pokemon? The same level as the Pokemon on the route that are replaced? And you said to get encounters back to normal you just reset the game? Also does a Celebi you catch with this glitch have its start moves of Leech Seed, Heal Bell, Confusion and Recover?

As for suggestions for other Pokemon - maybe the baby Pokemon (Cleffa, Igglybuff, Magby, Elekid, Pichu) as these Pokes are annoying to breed for because for whatever reason it takes ages for the daycare to produce an egg I'm finding in the VC games, others have reported this too, you get there eventually, but it sometimes takes A LOT of biking just for them to produce one egg.

Also the legendary beasts would be useful too. :) Currently I have Suicune, but it's annoying trying to rely on luck finding the others especially when you don't have their Pokedex entries.

Thank you!

Regarding the levels, they are based on the route you used this exploit in. Regarding the moves, the Celebi I tried this with used Confusion and Heal Bell against me, but I only had time to test out 3 attacks (it used heal bell twice).

As for the other Pokemon you mentioned, I will make them as soon as I return to my computer. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 25, 2017, 12:34:53 pm
That's really nice of you to do. I was gonna mess around with it when I have time, but  if you can, you should probably make it compatible with pokemon that don't match existing single characters (like Sneasel is 't'v8).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 12:55:31 pm
Thank you!

Regarding the levels, they are based on the route you used this exploit in. Regarding the moves, the Celebi I tried this with used Confusion and Heal Bell against me, but I only had time to test out 3 attacks (it used heal bell twice).

As for the other Pokemon you mentioned, I will make them as soon as I return to my computer. :)

This seems the best way to get Celebi with its start moves then. Other methods to obtain Celebi then have to do another glitch to teach its start moves which takes a longer time. The only other way to get a Celebi with its start moves using one method is using the bad clone method to get a Celebi at level 0 then give it a Rare Candy to level 1 and it will learn its start moves, but the bad clone method is more complicated, risky and time consuming, so your discovery is definitely the best method.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 01:17:30 pm
That's really nice of you to do. I was gonna mess around with it when I have time, but  if you can, you should probably make it compatible with pokemon that don't match existing single characters (like Sneasel is 't'v8).

Thanks!

In box 7 I left room for a 'v and another value to do just that. I left it out of the code for use with the likes of Celebi.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 01:31:07 pm
This would be a good video idea to make along with the all encountered Pokemon are shiny code you discovered, Torchickens I hope you're reading this.

Anyway I'm still curious about some of the other factors with this. Like, if you set all the wild encounters to Celebi, catch the Celebi and save, how do the encounters go back to normal upon resetting if you just saved with that code in place? The one thing I wouldn't want to happen with a glitch like this would be to permanently mess up the code of the wild encounters.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 01:43:11 pm
This would be a good video idea to make along with the all encountered Pokemon are shiny code you discovered, Torchickens I hope you're reading this.

Anyway I'm still curious about some of the other factors with this. Like, if you set all the wild encounters to Celebi, catch the Celebi and save, how do the encounters go back to normal upon resetting if you just saved with that code in place? The one thing I wouldn't want to happen with a glitch like this would be to permanently mess up the code of the wild encounters.

I can make a video of it, provided I can figure out how lol

As to how the code resets upon saving/resetting, the game simply fixes the DMA OAM routine upon startup.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 02:11:51 pm
Okay I understand.

But maybe Torchickens or Crystal_ might, they have both made plenty of Coin Case videos in the past but this is something new to showcase and many people would find it useful.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 02:13:19 pm
Glad to hear!

I'll combine this with my shiny code, and hopefully add a Pokérus code as well.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 02:31:40 pm
Speaking of videos, is it possible to use this code but with PP Ups instead? https://www.youtube.com/watch?v=CiDi5nb-uoc I just want to know if there is an easier way to get PP Ups instead of the slow cloning method.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 25, 2017, 02:55:02 pm
I can make a video of it, provided I can figure out how lol

BGB lets you capture both video and audio! :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 03:04:12 pm
I can make a video of it, provided I can figure out how lol

BGB lets you capture both video and audio! :)
Wondrous! I'll have it made sometime today/tomorrow.

I can't say it will be Torchickens or Crystal_ quality though
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on October 25, 2017, 04:10:25 pm
Speaking of videos, is it possible to use this code but with PP Ups instead? https://www.youtube.com/watch?v=CiDi5nb-uoc I just want to know if there is an easier way to get PP Ups instead of the slow cloning method.

This should give you 255 of the first item in your item pack.

Box1: A p 0 9 é z 't x
Box2: 'd

Thank you!

Regarding the levels, they are based on the route you used this exploit in. Regarding the moves, the Celebi I tried this with used Confusion and Heal Bell against me, but I only had time to test out 3 attacks (it used heal bell twice).

As for the other Pokemon you mentioned, I will make them as soon as I return to my computer. :)

This seems the best way to get Celebi with its start moves then. Other methods to obtain Celebi then have to do another glitch to teach its start moves which takes a longer time. The only other way to get a Celebi with its start moves using one method is using the bad clone method to get a Celebi at level 0 then give it a Rare Candy to level 1 and it will learn its start moves, but the bad clone method is more complicated, risky and time consuming, so your discovery is definitely the best method.

You could run TM25 in a more 8F way. Setting up the item pack. This is a gen 2 version of the change any byte in ram code. The box code above can help you get items over 99.

Any <- I actually have TM25 here :D
Any
Fresh Water - ld l
Full Heal - ld h xx
PP Up - ld a xx
Focus Band x201 - ld (hl) a / Ret

So 44 Fresh Water and 218 Full Heal would point to your first party pokémon. With PP Up quantity determining the move learned. Jumping to item 3 requires a slide pokémon and Quagsire with music mail and Attract as move 1.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 05:32:46 pm
I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, then replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokemon, most Pokemon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if needs be.

Nintendo's going to have a real headache on their hands :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 25, 2017, 05:38:13 pm
This should give you 255 of the first item in your item pack.

Box1: A p 0 9 é z 't x
Box2: 'd

Is this a TM25 method? Because I'm only using the Coin Case for now.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 05:51:39 pm
Yes, his code is for TM 25 only.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 25, 2017, 08:09:47 pm
Is your shiny and wild encounter modifier code TM 25? Cause I can't get it to work with coin case.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 08:27:08 pm
Is your shiny and wild encounter modifier code TM 25? Cause I can't get it to work with coin case.

Yep. TM 25 only for the time being, and unfortunately, it's likely to stay that way.

My code needs to load $xx into $d0ed, but the problem is $ed isn't character-representable. To compensate, my code double self-mods in order to load $ed into its necessary location. That, and the code used to derail OAM DMA, takes up 6 boxes. Since box 7 is the only box that allows self-modding on all character slots, the code must start there. Adding the coin-case setup would take up box 7, the only box I can use.

Sorry. :(
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 25, 2017, 08:34:31 pm
Ah, disappointing.. don't know if it's worth the trouble to update my setup to 25 or not.. and then the other codes I use would need to be updated too.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 25, 2017, 08:38:56 pm
I personally recommend TM 25 ACE, there's no hassle to fix the stack and you don't need to walk in a certain manner or listen to specific cry.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 25, 2017, 10:32:24 pm
None of that really bothers me. The most tedious part has to be done either way (typing in the code). I could see the advantages though, either way I'll probably be forced into using it as support for coin case wavers.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 26, 2017, 05:58:43 am
Just make sure that when you switch to TM 25, move your slide Pokémon and Quagsire up one slot.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 26, 2017, 10:28:34 am
Thanks for your work Couldntthinkofaname. :)

That wild Pokémon modifier and wild Pokémon are Shiny code looks awesome.

May make a video of it like Nostalgia suggested, and if you make one too I'll add a link to it in my video description.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 26, 2017, 10:31:07 am
Thanks for your work Couldntthinkofaname. :)

That wild Pokémon modifier and wild Pokémon are Shiny code looks awesome.

May make a video of it like Nostalgia suggested, and if you make one too I'll add a link to it in my video description.
Thanks again!

I already have the AVI and WAV ready, but I can't combine them yet, I've been scrambling for a video editor that can do this to no avail.

Any suggestions?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 26, 2017, 10:43:17 am
Thanks for your work Couldntthinkofaname. :)

That wild Pokémon modifier and wild Pokémon are Shiny code looks awesome.

May make a video of it like Nostalgia suggested, and if you make one too I'll add a link to it in my video description.
Thanks again!

I already have the AVI and WAV ready, but I can't combine them yet, I've been scrambling for a video editor that can do this to no avail.

Any suggestions?

You're welcome.

I'm unsure as I usually use Bandicam with Stereo Mix to record the audio at the same time (or VBA's built-in recorder however it probably won't emulate the OAM DMA exploit correctly) without having to combine video and audio.

I think FFMPEG can do that though (according to https://stackoverflow.com/questions/11779490/how-to-add-a-new-audio-not-mixing-into-a-video-using-ffmpeg), use cd [add path here] on Command Prompt to set the current directory.

Windows Movie Maker can do it too but I'm unsure how that would affect the quality.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on October 26, 2017, 11:15:34 am
None of that really bothers me. The most tedious part has to be done either way (typing in the code). I could see the advantages though, either way I'll probably be forced into using it as support for coin case wavers.
TM25 is also much more convenient when developing code, since you don't have to fix the stack - which also requires SMC'ing an `inc sp` in. Thus more boxes can be used, leading to more powerful codes.

Speaking of fixing the stack, I wonder why this wouldn't work:
Code:
xor a
ld [$F199], a ; Menu lag-less
add sp, $FF ; dec sp
pop de ; Incurs an additional pop
pop de
pop de
pop de
or a
ret nc
instead of the classic
Code:
xor a
ld [$F199],a
pop de
pop de
inc sp
pop de
or a
ret nc
(Note: if for some reason "add sp, $FF" is infeasible, "ld hl, sp+$FF" followed by "ld sp, hl" should be possible)

The point of this setup is that it still fixes the stack, but doesn't require SMC anymore. So it could be moved to a later box ?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 26, 2017, 11:22:15 am
That's helpful! I'll try it out when I get the chance.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on October 26, 2017, 03:25:50 pm
Over 99 glitch blocks for items:
They don't seem to change based on location or anything it seems.

(http://i63.tinypic.com/k2e4z.png)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 26, 2017, 04:03:05 pm
None of that really bothers me. The most tedious part has to be done either way (typing in the code). I could see the advantages though, either way I'll probably be forced into using it as support for coin case wavers.
TM25 is also much more convenient when developing code, since you don't have to fix the stack - which also requires SMC'ing an `inc sp` in. Thus more boxes can be used, leading to more powerful codes.

Speaking of fixing the stack, I wonder why this wouldn't work:
Code:
xor a
ld [$F199], a ; Menu lag-less
add sp, $FF ; dec sp
pop de ; Incurs an additional pop
pop de
pop de
pop de
or a
ret nc
instead of the classic
Code:
xor a
ld [$F199],a
pop de
pop de
inc sp
pop de
or a
ret nc
(Note: if for some reason "add sp, $FF" is infeasible, "ld hl, sp+$FF" followed by "ld sp, hl" should be possible)

The point of this setup is that it still fixes the stack, but doesn't require SMC anymore. So it could be moved to a later box ?

Aren't you forgetting a (LD [$83ff], A)?
Never tried without it, but I thought this one was necessary.

Edit:
Just tried a do-nothing-then-return-to-game code and it worked:
Code:
Box 1: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 2: .9'l'l'l'lx'd (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
Should work as a footer in any box for Coin Case ACE (fill out the space before with 5s).

Always viewed the stack-pointer as a "don't touch" object so my knowledge in this regard is very limited. Great job finding this.

Edit²:
Turns out (LD [$83ff], A) isn't only not required, but removing it also removes the part that turns the player character invisible.
Using these as the final 2 box names works without problems (at least nothing obvious).   :)
Code:
Box n-1: pppppéZ×       (XOR A; LD [f199], A)
Box n  : .9'l'l'l'lx'd  (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 26, 2017, 06:14:04 pm
Over 99 glitch blocks for items:
They don't seem to change based on location or anything it seems.

(http://i63.tinypic.com/k2e4z.png)

These glitch tiles stay the same across locations because this is the default VRAM for the bag. Once an item exceeds a quantity of x99, the higher section of the quantity is displayed with tiles of the current VRAM, starting at VRAM tile $00.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on October 26, 2017, 10:35:42 pm
Thanks for the testing, spamviech ! Hopefully this will make Coin Case a bit easier to work with.

As for sp, remember that every time you push and pop, you're modifying sp :p
One pop implying incrementing sp twice, and one push decrementing it twice. This new approach basically decrements once and pops 4 times instead of incrementing and pop-ing 3 times.

By the way, the write to $F199 instead of $FF83 (not the other way around, I guarantee) was because of an above post suggesting the use of F199 instead to avoid the menu lag. I didn't test this, so I didn't know what the side-effects were. Anyways, thank you for making this small adjustment !
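As an added worked example (not code from this thread or from any of its posters), here is a small Python helper that ties together three things discussed above: the way box-name glyphs become SM83 bytes in these codes, the SP arithmetic behind the two footers (the classic "pop, pop, inc sp, pop" versus "add sp, -1" and four pops), and the problem of bytes such as $ED that cannot be typed. It assumes the English Gen 2 character codes as found in pokecrystal's charmap.asm (only the glyphs the posted codes use are listed), a small subset of the SM83 opcode table, and that literal spaces in a box string written with spacing between glyphs are spacing rather than the $7F space glyph. It decodes a box name into bytes, disassembles them, sums the SP change of a footer up to its return, and searches (breadth-first) for the shortest XOR A / OR d8 / SUB d8 chain, using only typeable immediates, that leaves a given byte in A, the same trick the posted codes use to build the INC SP byte $33.

```python
"""Gen 2 box-name ACE helper: an added example, not code from this thread.
Assumes the English Gen 2 charmap (as in pokecrystal's charmap.asm; only glyphs the posted
codes use are listed), a small SM83 opcode subset, and that literal spaces are spacing."""
from collections import deque
from itertools import takewhile

CHARMAP = {c: 0x80 + i for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")}  # 'A'-'Z'
CHARMAP.update({c: 0xA0 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")})  # 'a'-'z'
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})  # '0'-'9' = $F6-$FF
CHARMAP.update({"'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5,
                "'v": 0xD6, "-": 0xE3, ".": 0xE8, "é": 0xEA, "(male)": 0xEF, "×": 0xF1,
                "(mult)": 0xF1, "(female)": 0xF5, "(space)": 0x7F})
BYTE_TO_CHAR = {}
for glyph, code in CHARMAP.items():
    BYTE_TO_CHAR.setdefault(code, glyph)  # first spelling wins: '×' rather than '(mult)'
TYPEABLE = sorted(BYTE_TO_CHAR)

def tokenize(name):
    """Split a box name written as in the thread ('v, (male), ...) into glyphs."""
    tokens, i = [], 0
    while i < len(name):
        j = name.index(")", i) + 1 if name[i] == "(" else i + (2 if name[i] == "'" else 1)
        if name[i] != " ":
            tokens.append(name[i:j])
        i = j
    return tokens

def encode(name):
    """Box name -> the bytes the CPU sees when execution runs into the name buffer."""
    return bytes(CHARMAP[t] for t in tokenize(name))

OPCODES = {  # opcode: (format, operand kind, SP delta; None = use the signed r8 operand)
    0x33: ("INC SP", None, 1), 0x3B: ("DEC SP", None, -1), 0xAF: ("XOR A", None, 0),
    0xB7: ("OR A", None, 0), 0xC9: ("RET", None, 2), 0xD0: ("RET NC", None, 2),
    0xD1: ("POP DE", None, 2), 0xD5: ("PUSH DE", None, -2), 0xD6: ("SUB ${:02X}", "d8", 0),
    0xE8: ("ADD SP, {:+d}", "r8", None), 0xEA: ("LD [${:04X}], A", "a16", 0),
    0xF6: ("OR ${:02X}", "d8", 0), 0xF8: ("LD HL, SP{:+d}", "r8", 0), 0xFB: ("EI", None, 0),
    0xFF: ("RST $38", None, -2)}

def disassemble(code):
    """Return [(mnemonic, sp_delta)]; bytes outside the table become DB $xx."""
    out, i = [], 0
    while i < len(code):
        op, i = code[i], i + 1
        fmt, kind, delta = OPCODES.get(op, ("DB $%02X" % op, None, 0))
        size = {None: 0, "d8": 1, "r8": 1, "a16": 2}[kind]
        if i + size > len(code):  # operand cut off at the end of the buffer
            out.append(("DB $%02X" % op, 0)); continue
        val = None
        if kind == "a16":
            val = code[i] | code[i + 1] << 8  # little-endian address
        elif kind:
            val = code[i] - 256 if kind == "r8" and code[i] >= 0x80 else code[i]
        i += size
        out.append((fmt if val is None else fmt.format(val), val if delta is None else delta))
    return out

def sp_delta(code):
    """Net SP change of a footer up to, not including, its return."""
    return sum(d for t, d in takewhile(lambda x: not x[0].startswith("RET"), disassemble(code)))

def synthesize(target):
    """Shortest XOR A / OR d8 / SUB d8 chain with typeable immediates leaving target in A."""
    prev, queue = {0: None}, deque([0])  # BFS over accumulator values; XOR A starts at 0
    while queue and target not in prev:
        a = queue.popleft()
        for t in TYPEABLE:
            for op, nxt in (("OR", a | t), ("SUB", (a - t) & 0xFF)):
                if nxt not in prev:
                    prev[nxt] = (a, op, t); queue.append(nxt)
    if target not in prev:
        return None
    steps, a = [], target
    while prev[a] is not None:
        a, op, t = prev[a]; steps.append((op, t))
    return [("XOR A", None)] + steps[::-1]

def run_acc(steps):
    """Evaluate a chain on the accumulator, to check what it leaves in A."""
    a = 0
    for op, t in steps:
        a = 0 if op == "XOR A" else (a | t if op == "OR" else (a - t) & 0xFF)
    return a

OP_GLYPH = {"XOR A": "p", "OR": "0", "SUB": "'v"}  # $AF, $F6 xx, $D6 xx
def chain_to_box(steps):
    """Render a chain as box-name glyphs, e.g. XOR A; OR $B6; SUB $83 -> p0w'vD."""
    return "".join(OP_GLYPH[op] + ("" if t is None else BYTE_TO_CHAR[t]) for op, t in steps)

def store_to(addr):
    """'é' + little-endian address as glyphs, or None if an address byte cannot be typed."""
    lo, hi = addr & 0xFF, addr >> 8
    if lo not in BYTE_TO_CHAR or hi not in BYTE_TO_CHAR:
        return None
    return "é" + BYTE_TO_CHAR[lo] + BYTE_TO_CHAR[hi]

if __name__ == "__main__":
    print("; ".join(t for t, _ in disassemble(encode(".9'l'l'l'lx'd"))))
    chain = synthesize(0xED)
    print("A=$ED via", chain_to_box(chain), "| store to $D0ED:", store_to(0xD0ED))
```

Running it shows both footers net +7 on SP before the RET NC (add sp, -1 plus four pops, or two pops, the SMC'd inc sp, and one pop), which is why the non-SMC version is interchangeable; it also shows that $ED takes a two-instruction chain and that store_to(0xD0ED) is None, since $ED cannot appear in the address bytes of an LD [a16], A either, which is the double self-modification Epsilon described.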
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Dragon Arbock on October 27, 2017, 12:00:18 am
Caved, got TM 25. Lots and lots of wild shiny Sneasel.
Now the question is how to change my existing codes into TM 25 format? Otherwise just stick with coin case for them, I guess.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 27, 2017, 03:00:57 am
Thanks for the testing, spamviech ! Hopefully this will make Coin Case a bit easier to work with.

As for sp, remember that every time you push and pop, you're modifying sp :p
One pop implying incrementing sp twice, and one push decrementing it twice. This new approach basically decrements once and pops 4 times instead of incrementing and pop-ing 3 times.

Knew that one already (kind of), that's why I didn't really touch these instructions as well (aside from "you need this as a footer").

Quote
By the way, the write to $F199 instead of $FF83 (not the other way around, I guarantee) was because of an above post suggesting the use of F199 instead to avoid the menu lag. I didn't test this, so I didn't know what the side-effects were. Anyways, thank you for making this small adjustment !
Think that was my post, but I only added it there. Didn't know you can completely replace it.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 27, 2017, 03:43:29 am
So I haven't had a chance to test yet, but are both the wild encounter any Pokemon and shiny encounter any Pokemon TM25 only codes, or is it just the shiny encounter one? If it's both then I'll have to cave in and get TM25 too like Dragon Arbock lol.

And great video Torchickens, though I wish you showed the caught Celebi's moves to show the start moves. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 27, 2017, 04:20:30 am
They look like TM25 codes (no bunch of 'l at the end).

I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, then replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokemon, most Pokemon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if needs be.

Nintendo's going to have a real headache on their hands :)

For Coin Case, this adaptation should work:
Edit: Need to take a closer look at this. There appears to be something else going on compared to usual.
Edit²: Still don't know how this OAM DMA loop thingy works, but at least this code does:
Code:
Box 1:  Ap'v8é'm25
Box 2:  péZ(mult)0(male).9
Box 3:  'v'vé52p0'm
Box 4:  éJ9p0(female)'l'l
Box 5:  éK9p02'l'l
Box 6:  éL9p'd555
Box 7:  p0?yyéé'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 27, 2017, 06:06:23 am
For Coin Case, this adaptation should work:
Code:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'd55
Box10: pppppéZ× (× is the multiplication character)
Box11: .9'l'l'l'lx'd

Nice work! I'll add this to my video when I release it.

Edit: Make sure to replace 55 with yy, enabling interrupts during a Pokemon encounter crashes the game.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 27, 2017, 07:03:37 am
Thanks, will test later. Though I'll probably only get Celebi with this method. More challenging to get the rest the normal way, even though 1% and 5% Pokemon are so annoying to find sometimes. Currently post Elite Four searching for Furret and Pikachu on Routes 1 and 2.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 27, 2017, 07:29:12 am
Insta-Death exploit

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: pé12p'd55
Box 5-6: (Doesn't Matter)
Box 7: péA'lé9'dy
Box 8: p'dyyyyyy

After using, all trainer/wild Pokemon will immediately faint on the first turn (move,item,etc.), and any Pokemon the trainer sends out afterwards will immediately faint upon being sent out.

Insta-death exploit (Coin case version, thanks ISSOtm and spamviech!)
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: pé125555
Box 5: pppppéZ(mult)
Box 6: .9'l'l'l'lp'd
Box 7: péA'lé9'dy
Box 8: p'dyyyyyy
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 27, 2017, 02:06:15 pm
May make a video of it like Nostalgia suggested, and if you make one too I'll add a link to it in my video description.

Torchickens, could you also link to it using cards (https://support.google.com/youtube/answer/6140493)? :) They appear on the top-right side of the video player and automatically hide under a circular i button.

I already have the AVI and WAV ready, but I can't combine them yet, i've been scrambling for a video editor that can do this to no avial.

Any suggestions?

Code:
ffmpeg -i "/path/to/my-awesome-video.avi" -i "/path/to/its-dope-audio.wav" -c copy "/path/to/yay-we-have-sound-now.avi"
 :P
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 27, 2017, 07:19:00 pm
Video is finally up. (https://youtu.be/UNWtJBOzR6M) Curse ye slow internet speeds

I might make more videos for codes like Insta-Death exploit and some other codes i've written.

Like I mentioned earlier, definitely not Torchickens or Crystal_ quality.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 27, 2017, 09:22:19 pm
Player Sprite Modifier - Permanent (Old Man; Change 's and A to different values for different results, can replace the 55 for Box 1 with 'v(Another Letter) too, if desired value is unobtainable):
Code:
Box 1: Ap0's'vA55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)

Just tried out the code above (with slight adjustment for use with TM25 in balls pocket) on VC (english) and the results are quite interesting:
Moving up/down turns you into a male rocket moving sideways (random if left or right) while moving left/right turns you into one of the girls (think the sister from the one who gives you the squirtle bottle has the same model) looking down.
Getting on the bike doesn't change your model, but you still move faster.

Might try a few more numbers, but so far most resulted in glitchy graphics for the player character.
Just a note: the above code also looked glitchy while in the upper level of the pokémon center, so the sprite might be dependent on the map you're currently on. I was in Goldenrod City for reference.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 28, 2017, 10:49:14 am
Video is finally up. (https://youtu.be/UNWtJBOzR6M) Curse ye slow internet speeds

My recommendation is to convert to WebM before uploading.

https://trac.ffmpeg.org/wiki/Encode/VP8 (https://trac.ffmpeg.org/wiki/Encode/VP8)

https://trac.ffmpeg.org/wiki/Encode/VP9 (https://trac.ffmpeg.org/wiki/Encode/VP9)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 28, 2017, 06:19:29 pm
Video is finally up. (https://youtu.be/UNWtJBOzR6M) Curse ye slow internet speeds

My recommendation is to convert to WebM before uploading.

https://trac.ffmpeg.org/wiki/Encode/VP8 (https://trac.ffmpeg.org/wiki/Encode/VP8)

https://trac.ffmpeg.org/wiki/Encode/VP9 (https://trac.ffmpeg.org/wiki/Encode/VP9)

FFMPEG returns errors when converting BGB videos into WebM.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 28, 2017, 06:35:26 pm
FFMPEG returns errors when converting BGB videos into WebM.

That's strange! :( What is ffmpeg's output?

What I usually do after merging the AVI and WAV is encode the video to WebM with VP9 on Constant Quality mode. The following snippet is the command I recall using for that process:

Code: [Select]
ffmpeg -i "/path/to/video.avi" -c:v libvpx-vp9 -crf 0 -b:v 0 -c:a libopus -pix_fmt yuv420p "/path/to/video.webm"
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on October 28, 2017, 07:30:36 pm
how do you convert tm 27 and coincase codes to tm 17 codes
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 28, 2017, 08:47:12 pm
how do you convert tm 27 and coincase codes to tm 17 codes

There's no singular answer for that, it's entirely dependent on the code.

TM 17 are already TM 25 codes, no conversion is required.

Most coin case codes can be converted by simply tacking p'd at the end of the main code. FMK's one-off code is not necessary for Wrong pocket TM codes.

If you are having difficulties converting a specific code, just let me know.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 06:56:30 am

For Coin Case, this adaptation should work:
Code: [Select]
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dyy
Box10:  pppppéZ× (× is the multiplication character)
Box11:  .9'l'l'l'lx'd

Couldn't get this to work, getting sent into the glitch dimension. All box names are correct. I just want the wild Celebi code, I'm not interested in Shiny, and I don't know if this was the coin case adaption of the wild and shiny encounter or just the wild encounter.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 29, 2017, 07:01:46 am

For Coin Case, this adaptation should work:
Code: [Select]
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dyy
Box10:  pppppéZ× (× is the multiplication character)
Box11:  .9'l'l'l'lx'd

Couldn't get this to work, getting sent into the glitch dimension. All box names are correct. I just want the wild Celebi code, I'm not interested in Shiny, and I don't know if this was the coin case adaption of the wild and shiny encounter or just the wild encounter.

Spamviech made an error with the adaption. The code has two portions, the entry point and the OAM DMA loop. Fixing the stack on the OAM DMA loop causes the stack pointer to go in the wrong position, causing a game crash.

I might be able to make a fix soon, but the amount of SMC may cause conflict

The entry point and the stack repair combined is 7 boxes. Box 7 is the only box I can use for SMC, which is required to load the species index into $d0ed

Sorry, TM 25 only.


Spamviech made a fix :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 29, 2017, 07:41:34 am
Spamviech made an error with the adaption. The code has two portions, the entry point and the OAM DMA loop. Fixing the stack on the OAM DMA loop causes the stack pointer to go in the wrong position, causing a game crash.

I might be able to make a fix soon, but the amount of SMC may cause conflict.

Yea, noticed that myself. Didn't look too closely when I wrote this.
Also, this is a code for a shiny encounter.

For just encounter manipulation with Coin Case use this Code (this time even tested  :-[):
Code: [Select]
Box 1: Ap'v8é'm25
Box 2: péZ(mult)0(male).9
Box 3: 'v'vé52p0'm
Box 4: éJ9p0(female)'l'l
Box 5: éK9p02'l'l
Box 6: éL9p'd555
Box 7: p0?yyéé'd
Box 8: p'dyyyyyy
You still need to replace ? in Box7-name with your preferred species. For Celebi this would be 5.

Edit:
Here for the shiny encounter. Also this time tested  :-[.
Code: [Select]
Box 1:  Ap'v8é'm25
Box 2:  péZ(mult)0(male).9
Box 3:  'v'vé52p0'm
Box 4:  éJ9p0(female)'l'l
Box 5:  éK9p02'l'l
Box 6:  éL9p'd555
Box 7:  p0?yyéé'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Still don't know how this OAM DMA loop thingy works, but at least this code does.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 07:50:22 am
Okay it worked but I got wild Kingdra in the grass outside Cherrygrove instead of Celebi hahahaha.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 29, 2017, 07:51:40 am
You still need to replace ? in Box7-name with your preferred species. For Celebi this would be 5.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 07:56:30 am
07 gave me a wild egg battle.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 29, 2017, 08:05:46 am
You're too quick. Wait for me to edit my stupidity.  >:(
5 is for Celebi.  :-[
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 08:12:35 am
(http://i.picresize.com/images/2017/10/29/jUn1l.jpg)
(http://i.picresize.com/images/2017/10/29/o71qX.jpg)

So it worked, many thanks. Also wanted to take pictures to show that this is the best method to obtain Celebi now, no need for eggs or changing another Pokemon into Celebi. This method is quicker, registers in the Pokedex and Celebi comes with its starting moves. :)

I have almost finished the game now, 16 Badges and 209 Pokedex, but I want to complete the Pokedex before I beat Red and I've obtained every single in-game Pokemon except Entei and Raikou now, so all I need now is them, the R/B/Y and Silver exclusives which I can get from box names.

Edit: very strange, but performing this glitch made the Mystery gift option appear at the title screen when I never spoke to the girl in Goldenrod dept store. It also changed my text speed to medium, when I had it on fast before. o.o
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 29, 2017, 08:19:06 am
Congratulations.  ;D

I cheated a bit with Happiness evolutions (they are a pain in Gen2; did that enough as a kid) and with Evolution Stones, but aside from that had a blast with glitchless gameplay.

Glitched stuff is great as well, but that's for another copy.  8)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 08:38:42 am
Congratulations.  ;D

I cheated a bit with Happiness evolutions (they are a pain in Gen2; did that enough as a kid) and with Evolution Stones, but aside from that had a blast with glitchless gameplay.

Glitched stuff is great as well, but that's for another copy.  8)

Well to complete the Pokedex you have to use glitches anyway - so you might as well go all out; G/S certainly gives you the options to, unlike Crystal where it's much harder. I completed Crystal earlier this year with 251 Pokedex on cartridge, which involved lots of trading between my Red and Gold cartridges to get the exclusives and performing the Celebi glitch on my Gold cartridge and trading it over. But in G/S, you can simply use the Coin Case to obtain those annoying version exclusive Pokemon and sell unlimited Rare Candies to buy a load of Vitamins to evolve those Happiness evolution Pokemon faster, also use those Rare Candies to level up those Pokemon needed for the Pokedex faster, but I never use Rare Candies on my in-game team because that's boring. So the Coin Case just makes some of the tedious stuff easier and quicker. So when I'm finished with this Gold file, it will probably come in at around 30 hours less than my Crystal file, because as mentioned it's much faster to do stuff in G/S, and in Crystal I did end up training my team to level 70 and did several Battle Tower runs. I'm not trying to finish the game really fast, but after countless gen II files over the years, it's interesting to see how fast I can finish everything now. Gen II is my favourite Pokemon gen easily.

Also finished a 151 Yellow run earlier this year on cartridge, so after I've finished VC Gold I might move on to VC Yellow and do the same thing. I just love the old Pokemon games. I've only owned a 3DS for a month and all I've played is VC Gold. Will have to get into the newer Pokemon games eventually, but I'm seriously out of the loop on things - as the last newest gen Pokemon game I played was Pokemon White and I have no knowledge on any of the new Pokemon from gen 6 and gen 7.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 29, 2017, 08:44:41 am
I myself have ordered Pokémon Gold, can't wait to try this stuff on hardware!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on October 29, 2017, 09:24:07 am
Player Sprite Modifier - Permanent (Old Man; Change 's and A to different values for different results, can replace the 55 for Box 1 with 'v(Another Letter) too, if desired value is unobtainable):
Code: [Select]
Box 1: Ap0's'vA55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)

Just tried out the code above (with slight adjustment for use with TM25 in balls pocket) on VC (english) and the results are quite interesting:
Moving up/down turns you into a male Rocket moving sideways (random if left or right) while moving left/right turns you into one of the girls (think the sister from the one who gives you the Squirtle Bottle has the same model) looking down.
Getting on the bike doesn't change your model, but you still move faster.

Might try a few more numbers, but so far most resulted in glitchy graphics for the player character.
Just a note: the above code also looked glitchy while in the upper level of the pokémon center, so the sprite might be dependent on the map you're currently on. I was in Goldenrod City for reference.

Tried a few more numbers. Setting it to 0 (as well as flying anywhere) resets it to the usual player character. Bike graphics work as well.

First interesting Number I found was 0xc (12 in decimal). Turns you into Nurse Joy in Pokémon Center, Old Man in Goldenrod City, Gym Leader in Gyms, etc.
Surfing is interesting in the regard that you become Jesus: you keep your sprite and just walk on water.
Code: [Select]
Box 1: Ap0m'va55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)
It appears that every 12th number results in a "complete transformation" with every fourth not looking glitchy but only replacing one direction (left/right, up, down) so you get a different sprite depending on your movement.

Congratulations.  ;D

I cheated a bit with Happiness evolutions (they are a pain in Gen2; did that enough as a kid) and with Evolution Stones, but aside from that had a blast with glitchless gameplay.

Glitched stuff is great as well, but that's for another copy.  8)

Well to complete the Pokedex you have to use glitches anyway - so you might as well go all out, G/S certainly gives you the options to unlike Crystal where it's much harder.

When I have to glitch I don't hold back as well, but in general I try to avoid glitching as much as possible.
Unless it's a save file dedicated to glitching/cheating/whatever is available in the specific game. Then I won't hold back.  ;D
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: SatoMew on October 29, 2017, 09:32:49 am
I'm not trying to finish the game really fast, but after countless gen II files over the years, it's interesting to see how fast I can finish everything now. Gen II is my favourite Pokemon gen easily.

I just love the old Pokemon games. I've only owned a 3DS for a month and all I've played is VC Gold. Will have to get into the newer Pokemon games eventually, but I'm seriously out of the loop on things - as the last newest gen Pokemon game I played was Pokemon White and I have no knowledge on any of the new Pokemon from gen 6 and gen 7.

The classic-era Pokémon games were all directed by Tajiri, except for Crystal, which was directed by Masuda as per the Japanese version credits (https://bulbapedia.bulbagarden.net/wiki/Staff_of_Pokémon_Crystal) and according to himself.

https://www.gamefreak.co.jp/blog/dir/?p=177 (https://www.gamefreak.co.jp/blog/dir/?p=177)

Quote from: Junichi Masuda
From around this point I moved into director work in earnest, and the amount of composing I did dropped sharply. (translated from the Japanese)

https://www.gamefreak.co.jp/blog/dir_english/?p=143 (https://www.gamefreak.co.jp/blog/dir_english/?p=143)

Quote from: Junichi Masuda
Around this time, my main task changed to the director work. Therefore, the number of the composed music had drastically decreased.

Masuda also didn't originally work on Gold and Silver (https://www.wired.co.uk/article/pokemon-interview) despite being listed as the game's subdirector (https://bulbapedia.bulbagarden.net/wiki/Staff_of_Pokémon_Gold_and_Silver).

Tajiri's roles switched from director to executive director and executive producer, and he has alternated between the two ever since Ruby and Sapphire. This may explain the perception that the modern games are "different" and why so many of us are attached to the old games even if we like the new ones, too! :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 29, 2017, 09:42:37 am
Edit: very strange, but performing this glitch made the Mystery gift option appear at the title screen when I never spoke to the girl in Goldenrod dept store. It also changed my text speed to medium, when I had it on fast before. o.o

So any idea why this happened when I performed the wild encounter code?

I myself have ordered Pokémon Gold, can't wait to try this stuff on hardware!

Gold is the better choice of the two, better version exclusives (the only version exclusive Silver has better is Skarmory imo, the rest are better in Gold) and Gold has better sprites too.

Tajiri's roles switched from director to executive director and executive producer, and he has alternated between the two ever since Ruby and Sapphire. This may explain the perception that the modern games are "different" and why so many of us are attached to the old games even if we like the new ones, too! :)

Interesting. Though I am fond of the gen 3 games too. I realised this year after replaying Emerald that it is a very good game and the Battle Frontier gave the game a lot of life and replay value (wow, it makes me realise now I've played a lot of Pokemon this year, Yellow/Crystal/Emerald and now VC Gold). I guess for me it's the Pokemon games that have been released on the Game Boy I have the most attachment to and I've played so many times. And now I've finally got a DS after all these years it's been around, I have a lot of Pokemon games to catch up on.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 29, 2017, 04:54:53 pm
Edit: very strange, but performing this glitch made the Mystery gift option appear at the title screen when I never spoke to the girl in Goldenrod dept store. It also changed my text speed to medium, when I had it on fast before. o.o
So any idea why this happened when I performed the wild encounter code?

That's very odd. Say, did you happen to change Box 7's name anytime after using the code (during the same boot of the game)? If so, it is likely the OAM DMA changed an address somewhere.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on October 29, 2017, 11:44:09 pm
Any way we could do a "catch a trainer's Pokémon" code? The problem is it needs to be activated in battle or it causes the battle to glitch.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 30, 2017, 02:21:31 am
That's very odd. Say, did you happen to change Box 7's name anytime after using the code (during the same boot of the game)? If so, it is likely the OAM DMA changed an address somewhere.

I must have done before I got Celebi, as I was getting the wrong Pokémon (first Kingdra then a wild egg lol) and having to change BOX7's name, and I'm sure I didn't reset.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 30, 2017, 05:11:17 am
Any way we could do a "catch a trainer's Pokémon" code? The problem is it needs to be activated in battle or it causes the battle to glitch.

Nope. Already tried. Results in a glitch battle. Catching the trainer's Pokémon ends up turning it into an ????? anyway.  :(
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 30, 2017, 09:37:43 am
Finished the Pokedex now but ended up with seen 252, caught 251. I think that might be due to the wild encounter code and encountering a wild egg before I encountered Celebi, though that was an error with spamviech's codes at the time. :P Not fussed though, as Torchickens shows you can fill the Pokedex to 256 in G/S if you really want to: https://www.youtube.com/watch?v=JQq5BkSO3wI&safe=active

Just need to fight Red now and I'll be finished, but will do a tiny bit of training first, not because I need to but because my Houndoom hasn't even learnt Crunch yet which is annoying, so it seems I'll be getting my team all to level 52, beat Red and I'll be done with under 40 hours of playtime.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 30, 2017, 09:52:21 am
Nice work!

I should be getting my cartridge around Wednesday.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on October 31, 2017, 04:09:14 am
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 31, 2017, 04:27:30 am
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file

The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 31, 2017, 06:06:53 am
Well that's VC Gold 100% completed. Shoutouts to those who helped me with various Coin Case tricks: Torchickens, Dragon Arbock, ISSOtm, SpunkyBandy, spamviech and Couldntthinkofaname.

Red fight was super easy, even easier than usual as my Houndoom hard counters Espeon, which is Red's biggest threat. Even though I've had countless gen II files over the years, it was fun to play with Pokemon I have never used in a run before like Houndoom and Scizor. It was also great to use perfect Hidden Powers for the first time ever, helped give my Scizor necessary STAB and helped Jolteon with necessary coverage against Rock/Ground Pokemon with Hidden Power Water. Biggest highlight of the fight was my Level 50, 7 HP DV Jolteon surviving a Rain Dance boosted Surf from Red's Level 77 Blastoise. :L Also my Scizor OHKO'ed Red's Snorlax with a +6 Hidden Power Bug, but it did crit though. Something also nice with this run is when I caught a Chansey it was holding a Lucky Egg and I don't think I've got one of those before, 1% for Chansey to appear and 8% chance for it to be holding a Lucky Egg. Lucky Egg certainly helped with training during those last few levels.

My team and ending stats:
(http://i.picresize.com/images/2017/10/31/SyriX.jpg)
(http://i.picresize.com/images/2017/10/31/ZXOM0.jpg)

With Yellow, Crystal, Emerald and now VC Gold that's 4 Pokemon playthroughs I've completed this year. Maybe I should play other games now, but Pokemon is just so damn fun. :'D
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 31, 2017, 06:11:10 am
Nice work!


When I get my cart, I'll probably release a code that grants you any Pokemon you wish with flawless IVs. I don't know the full extent of IVs' effect on stats, but it might be of some use to those who are stuck on Red (or Whitney's Miltank lol)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 31, 2017, 06:40:21 am
Nice work!


When I get my cart, I'll probably release a code that grants you any Pokemon you wish with flawless IVs. I don't know the full extent of IVs' effect on stats, but it might be of some use to those who are stuck on Red (or Whitney's Miltank lol)

Thanks. Flawless DVs help, but it still takes a while to max out the stat experience as well. Though if anyone struggles with Whitney's Miltank or Red, they really are not good players haha, I did struggle when I was like 12, but when you play the games enough you realise the games are really not challenging and it's very easy to sweep through the game, the fact you can beat Red's team of level 70 and 80 Pokemon with a team of level 50s is proof of that.

Even if you had a really awful, low-levelled team going against Whitney, you could still buy X items and set up on the Clefairy and then easily defeat the Miltank, that's provided the RNG doesn't screw you over with Clefairy's Metronome.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 31, 2017, 07:08:14 am
Here's the code:

All wild Pokemon have perfect IVs:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p'd
Box 4-6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy

Affects trainer Pokemon as well, so make sure to SAVE/RESET after catching your Pokemon.

In coin case, that's:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p5
Box 4: éZ(mult).9'l'l'l
Box 5: 'lp'd55555
Box 6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on October 31, 2017, 09:12:25 am
Well that's VC Gold 100% completed. Shoutouts to those who helped me with various Coin Case tricks: Torchickens, Dragon Arbock, ISSOtm, SpunkyBandy, spamviech and Couldntthinkofaname.

Red fight was super easy, more easier then usual as my Houndoom hard counters Espeon which is Red's biggest threat. Even though I've had countless gen II files over the years, it was fun to play with Pokemon I have never used in a run before like Houndoom and Scizor. It was also great to use perfect Hidden Powers for the first time ever, helped give my Scizor necessary STAB and helped Jolteon with necessary coverage against Rock/Ground Pokemon with Hidden Power Water. Biggest highlight of the fight was My Level 50, 7HP DV, Jolteon surviving a Rain Dance boosted Surf from Red's Level 77 Blastoise. :L Also my Scizor OHKO'ed Red's Snorlax with a +6 Hidden Power Bug, but it did crit though. Something also nice with this run is when I caught a Chansey it was holding a Lucky Egg and I don't think I've got one of those before, 1% for Chansey to appear and 8% chance for it to be holding a Lucky Egg. Lucky Egg certainly helped with training during those last few levels.

My team and ending stats:
(http://i.picresize.com/images/2017/10/31/SyriX.jpg)
(http://i.picresize.com/images/2017/10/31/ZXOM0.jpg)

With Yellow, Crystal, Emerald and now VC Gold that's 4 Pokemon playthroughs I've completed this year. Maybe I should play other games now, but Pokemon is just so damn fun. :'D

Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on October 31, 2017, 10:20:45 am
Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.

Thanks. It was the VC release and your videos that made me want to play gen II again. :) 251 with only using Coin Case for Mew and Celebi and no other glitches is what I did for my Crystal playthrough on Gameboy, by trading over a Mew and Celebi obtained on a Gold cartridge with Coin Case. However on VC Gold, because I had no one to trade with, I needed all the R/B/Y and Silver exclusives and the only way I could get them was with the Coin Case. I also used other glitches such as your DV code, Master Ball and Rare Candy codes to get through the Pokedex quicker, so that makes up for the time. My Crystal file is probably similar in time to yours, I think it was around 60 or 70 hours iirc, but on that file I trained my Pokemon to level 70 and I did (I think) four Battle Tower runs at level 40, 50, 60, 70.

I don't mind using a few extra glitches to make some of the tedious stuff quicker, for example getting a Larvitar and a Dratini all the way up to a Tyranitar and a Dragonite through training or the daycare takes ages and I've done it before and I wasn't particularly looking forward to doing that again. :P

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on October 31, 2017, 01:44:47 pm
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file

The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 31, 2017, 03:45:48 pm
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Parzival on October 31, 2017, 04:15:56 pm
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file

The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on October 31, 2017, 04:33:48 pm
To then switch SRAM banks, write the desired number to $4000-$5FFF. (Avoid writing too high values, results will differ based on platform.)
The selected SRAM bank will then be available in range A000-BFFF...

By the way, to lock SRAM again, write a value that wouldn't unlock it to the same address range.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on October 31, 2017, 05:15:03 pm
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file

The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

Thank you! This should be helpful. I bet something like this would work:

Code: [Select]
ld hl,0000    ; first address of the MBC's RAM-enable register range ($0000-$1FFF)
ld bc,01ff    ; number of bytes to write
.loop
ld a,0a       ; $0A = "enable SRAM"
ldi (hl),a    ; store and advance hl
dec bc
ld a,b
or c          ; bc == 0 ?
jr nz,.loop
...

Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on November 01, 2017, 12:33:06 am
I tried this in an emulator but where the Pokémon in boxes are stored it's still all 0s
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on November 01, 2017, 04:29:06 am
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ace that would be cool but there would be a risk of also corrupting your save file

The risk wouldn't be that great, the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur, the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

I thought ROM was read only.  O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBCs Control Registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 01, 2017, 04:57:59 am
I tried this in an emulator but where the Pokémon in boxes are stored it's still all 0s

Are you executing this code in a debugger? If so, make sure to execute the code while viewing the bag, pokemon party, etc.

SRAM in gen 2 works a lot differently than in gen 1. In my copy of Gold, the SRAM immediately locks itself if unlocked in the overworld.


I thought ROM was read only.  O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBCs Control Registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram

That sounds about right. Editing ROM in-game is impossible, so it makes sense that ROM addresses could be used for other parts of RAM when written to.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 01, 2017, 05:32:33 am
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
(...)
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

Thank you! This should be helpful. I bet something like this would work:

Code:
ld hl, $0000
ld bc, $01ff
.loop
ld a, $0a
ldi [hl], a
dec bc
ld a, b
or c
jr nz, .loop
...

Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)
You don't have to write to all of these addresses, only to one of them. Same for all other writes.
Code:
ld a, $0A
ld [$0000], a
That's enough.

I tried this in an emulator, but where the Pokémon in boxes are stored it's still all 0s.
You probably didn't switch SRAM banks. If SRAM was locked, you'd see $FF, not $00.

(...)

I thought ROM was read-only.  O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM, and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram
ROM is read-only. And you aren't writing to any kind of RAM either. It's attempting to write to ROM that triggers the operation.
On original hardware, the Game Boy simply forwarded ROM and SRAM read AND write orders to the cartridge; the MBC chips simply intercepted write orders that targeted some areas of ROM, and processed them as internal commands (switching ROM banks, SRAM banks, unlocking SRAM, etc.)

Also, side note, you should refer to this document (http://gbdev.gg8.se/wiki/articles/MBC3) instead. It's also the Pan Docs, but wikified and corrected. Also the Pokémon games all use MBC3 (except the Japanese games, which use MBC1), which is why this document will be more accurate. Note that the Gen I games don't have RTC support, so don't try to use the RTC clock, it's not there.
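As an added illustration of the mapper behaviour described in this reply (constructed for this page; not code from the thread or from any emulator), here is a small Python model of an MBC3-style cartridge: reads in $0000-$7FFF always come from ROM, writes there are intercepted as mapper commands, and locked SRAM reads back as $FF. The demo replays the unlock, bank-switch and write sequence the thread is about; the ROM contents and the $42 payload are constructed values.

```python
"""Constructed model of an MBC3 cartridge mapper (no RTC), showing why a write to
a "ROM" address unlocks SRAM without ever changing ROM.  Not an emulator's code."""

ROM_BANK_SIZE = 0x4000   # 16 KiB ROM banks, switchable copy mapped at $4000-$7FFF
RAM_BANK_SIZE = 0x2000   # 8 KiB SRAM banks mapped at $A000-$BFFF


class Mbc3Cart:
    """The cartridge bus as the Game Boy sees it: every read and write in
    $0000-$7FFF and $A000-$BFFF is forwarded to the cartridge, and the MBC
    decides what to do with writes that land on ROM addresses."""

    def __init__(self, rom: bytes, ram_banks: int = 4):
        if len(rom) % ROM_BANK_SIZE or len(rom) < 2 * ROM_BANK_SIZE:
            raise ValueError("ROM must be a whole number of 16 KiB banks (at least 2)")
        self.rom = rom
        self.ram = bytearray(RAM_BANK_SIZE * ram_banks)
        self.ram_banks = ram_banks
        self.rom_bank = 1          # $4000-$7FFF starts out mapped to bank 1
        self.ram_bank = 0
        self.ram_enabled = False   # "locked" in the thread's terms

    def read(self, addr: int) -> int:
        addr &= 0xFFFF
        if addr < 0x4000:                       # fixed ROM bank 0
            return self.rom[addr]
        if addr < 0x8000:                       # switchable ROM bank
            return self.rom[self.rom_bank * ROM_BANK_SIZE + (addr - 0x4000)]
        if 0xA000 <= addr < 0xC000:             # external (cartridge) RAM
            if not self.ram_enabled:
                return 0xFF                     # locked SRAM reads as $FF, not $00
            return self.ram[self.ram_bank * RAM_BANK_SIZE + (addr - 0xA000)]
        raise ValueError(f"${addr:04X} is not on the cartridge bus")

    def write(self, addr: int, value: int) -> None:
        addr &= 0xFFFF
        value &= 0xFF
        if addr < 0x2000:
            # RAM enable: any value whose low nibble is $A unlocks SRAM,
            # anything else locks it.  ROM itself is never modified.
            self.ram_enabled = (value & 0x0F) == 0x0A
        elif addr < 0x4000:
            # ROM bank select (7 bits); bank 0 is remapped to bank 1
            self.rom_bank = (value & 0x7F) or 1
        elif addr < 0x6000:
            # RAM bank select; $08-$0C would select RTC registers on a real
            # MBC3 and are ignored in this RTC-less model
            if value <= 0x03:
                self.ram_bank = value % self.ram_banks
        elif addr < 0x8000:
            pass                                # RTC latch register; no RTC here
        elif 0xA000 <= addr < 0xC000:
            if self.ram_enabled:
                self.ram[self.ram_bank * RAM_BANK_SIZE + (addr - 0xA000)] = value
            # a write while locked is silently dropped
        else:
            raise ValueError(f"${addr:04X} is not on the cartridge bus")


def demo() -> dict:
    """Replay the thread's unlock / bank-switch / write sequence and record what
    each step reads back.  ROM contents and the $42 payload are constructed."""
    rom = bytes([0xC3]) + bytes(2 * ROM_BANK_SIZE - 1)
    cart = Mbc3Cart(rom)
    seen = {}
    cart.write(0xA000, 0x42)                    # still locked: write is dropped
    seen["locked_read"] = cart.read(0xA000)     # $FF
    cart.write(0x0000, 0x0A)                    # ld a, $0A / ld [$0000], a
    seen["after_unlock"] = cart.read(0xA000)    # $00: the earlier write never landed
    cart.write(0x4000, 0x01)                    # select SRAM bank 1
    cart.write(0xA000, 0x42)
    seen["bank1"] = cart.read(0xA000)           # $42
    cart.write(0x4000, 0x00)                    # back to bank 0
    seen["bank0"] = cart.read(0xA000)           # $00: bank 0 was never written
    cart.write(0x0000, 0x00)                    # relock
    seen["relocked"] = cart.read(0xA000)        # $FF again
    seen["rom_byte"] = cart.read(0x0000)        # $C3: ROM unaffected by the writes
    return seen


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:>13}: ${value:02X}")
```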
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 01, 2017, 05:46:18 am
Super-sorry for my ignorance on the subject; SRAM is a new concept for me.

So, allow me to get this straight: editing box Pokémon is as simple as:
1: Unlock SRAM
2: Switch into respective bank
3: Write
4: Relock

If so, is there any list I can access for SRAM banks?

Thanks in advance! :)


Edit: Nevermind, box Pokemon is in SRAM bank 1.

I wrote an SRAM hack that turns your first box Pokemon into Celebi. I'll convert it to a box name code and have it up sometime today.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 01, 2017, 07:19:03 am
Relocking is optional, even more so if the game automatically re-locks it in the overworld. I'm not sure about not switching back to the original bank, but I can bet it's harmless.


SRAM "maps" :

http://github.com/PikalaxALT/pokegold/blob/master/sram.asm
Quite incomplete [last time I checked].

http://github.com/pret/pokecrystal/blob/master/sram.asm
Should be mostly the same as G/S.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on November 01, 2017, 01:37:41 pm
Thanks for the explanation. It's all making more sense now. And it's working nicely on a ROM too. Should make a bootstrap on my Silver cart.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 01, 2017, 02:13:09 pm
Here's the code:

Stored Pokemon 1 is <insert x Pokemon here>
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: 09'vSé525
Box 7: p0?55éAn
Box 8: éCnp'd555

Replace ? with the Species Index.

If you wish to access Species indexes lower than $7f, replace 55 with 'v(space). Then, take the desired species id, add $7f, and use that as ??

I will release a video of this working as soon as the chance hits me. :)

What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? into $AD6D

What the code does not do:
Load $?? into $AD82, meaning the name on the stats page stays the same (fixed)
Fix SRAM bank (shouldn't matter)
Re-lock SRAM (overworld does this anyway)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on November 01, 2017, 02:56:49 pm
To execute ACE you have to go into the overworld, though, to get into the bag to use TM25.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 01, 2017, 03:16:28 pm
To execute ACE you have to go into the overworld, though, to get into the bag to use TM25.

...????

Please elaborate.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on November 01, 2017, 03:53:01 pm
That's not an issue, since you go to your item pack before unlocking SRAM.

Also

What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? into $ADCD

$ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 01, 2017, 03:54:57 pm
That's not an issue, since you go to your item pack before unlocking SRAM.

Also

What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? into $ADCD

$ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.

Whoops my bad, thanks for catching that!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on November 01, 2017, 11:32:39 pm
Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 02, 2017, 04:27:42 am
Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?

What emulator are you using? This probably won't work on VBA.

I'm using BGB and it's working fine. I'm unsure about VC.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 02, 2017, 04:43:17 am
What the code does not do:
Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the Daycare then back.

Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?
I'm not sure about SRAM locking on VC, tbh, but you should follow the procedure anyways.
If you're getting all zeroes, make sure you do NOT go into the overworld or save in the middle of the procedure. The locking and bankswitching AND access must be done in one go.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 02, 2017, 04:50:26 am
What the code does not do:
Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back

What's $AD62? Can't find it on the RAM map.

Edit: You're likely referring to $AD82. Do you mean to load it with, or as opposed to, $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on November 02, 2017, 05:22:01 am
How would you add the SRAM unlocking and bank switching code to the box name memory editor by Crystal_?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: forsyz on November 02, 2017, 06:40:12 am
Has anyone tested this? Since the VC emulator does not emulate SRAM locking, does it mean you only need to switch banks?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 02, 2017, 06:50:13 am
@ISSOtm, I believe I have fixed my code to produce a non-glitch hybrid. However, I have little time to test this code. If one could test this for me and ensure the Pokemon produced is stable, that would be wondrous.

Edit: Code has been tested, Pokemon is stable :)

Has anyone tested this? Since the VC emulator does not emulate SRAM locking, does it mean you only need to switch banks?

I only have the emulator and the cartridge version, sorry. :(
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 02, 2017, 05:52:06 pm
(Super apologies for double-posting)


Stored Pokemon 1 is shiny:
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYnp'd


(Coin case version)
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYn55
Box 8: péZ(mult).9'l'l
Box 9: 'l'lp'd5555
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 03, 2017, 04:12:29 am
What the code does not do:
Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back

What's $AD62? Can't find it on the RAM map.

Edit: You're likely referring to $AD82. Do you mean to load it with, or as opposed to, $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.
I was indeed referring to $AD82; writing to AD82 only produces a hybrid that can be stabilized, writing to both produces no hybrid.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 03, 2017, 06:03:07 am
The new version of my code writes to both addresses, thus preventing a hybrid. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Scotteh on November 03, 2017, 09:46:22 am
It's not extremely useful, but I made a small modification to one of Couldntthinkofaname's codes to turn all wild Pokémon Level 100.

1: Ap0'méJ95
2: p0-éK955
3: p02éL9p'd
4: (anything)
5: p0,'vQé6'd
6: p'd

Notably, it doesn't affect the wild Pokémon's stats, which remain at the normal ones for their old level until caught.


EDIT: I came up with a better one which hooks elsewhere, earlier on in the wild Pokémon generation routine. This time the moveset and stats match the level.

1: Ap0'méJ95 
2: p0-éK95p
3: 02éL9p0Pk
4: 'vbé&25p'd
5: p0,'vQé6'd
6: p'd
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 03, 2017, 03:44:45 pm
I have a suggestion to use TM count instead of Box names.
First use this box name code (which I ruthlessly stole from Torchickens (http://forums.glitchcity.info/index.php?topic=6716.msg206997#msg206997) before slightly adjusting it) to give you 255 of each TM/HM.
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)x'd
Coin Case variant (untested):
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)pppppéZ×
9).9'l'l'l'lx'd

Then write your code by depositing to the desired opcode/number (be careful when tossing above a stack of 255 from the PC, since it seems to have similar effects as in Gen 1).
Use this picture from Skeef to make depositing the right number slightly easier.
Over 99 glitch blocks for items:
They don't seem to change based on location or anything.

(http://i63.tinypic.com/k2e4z.png)

To execute, either use a Quagsire holding a Lucky Egg (can be stolen from wild Chanseys, but glitching one is probably easier) with Attract (TM45) as its first move, or use the following box name code and start your code with the item count of TM03.
Code:
1)  A  x 'm  A  ♀ OR A; JP NC, [80f5]
Coin Case Variant (the new Quagsire won't work without adjustment of the code, so you have to use this one; untested):
Code:
1)  A  p  p  é  Z  ×  .  9 XOR A; LD [f199], A; ADD SP, ff
2) 'l 'l 'l 'l  x 'm  A  ♀ POP DE; POP DE; POP DE; POP DE; OR A; JP NC, [80f5]

The advantage of this method is that you have access to every Game Boy opcode. Also, input of lower numbers is easier.

As a proof of concept (still in development, supposed to do more when finished) a code to change species, held item, and moves of the first Pokémon of your current box.
You can get the id for species, etc. from the big HEX list (http://glitchcity.info/wiki/The_Big_HEX_List) (be sure to use the Gen2 columns).
Fill them in as count for TM17, TM24, TM27, TM30, TM33, TM36.
Code:
format: keep/deposit code
TM01 3/252 inc bc/ignored
TM02 3/252 inc bc/ignored
TM03 62/193 LD A, 0a
TM04 10/245
TM05 234/21 LD [ff00], A | A->0a
TM06 255/0
TM07 0/255
TM08 62/193 LD A, 00
TM09 0/255
TM10 234/21 LD [ff40], A | A->00
TM11 255/0
TM12 64/191
TM13 33/222 LD HL, 6dad | HL->ad6d
TM14 109/146
TM15 173/82
TM16 62/193 LD A, (species)
TM17 (species)/
TM18 34/221 LD [HLI], A
TM19 33/222 LD HL, 82ad | HL->ad82
TM20 130/125
TM21 173/82
TM22 34/221 LD [HLI], A
TM23 62/193 LD A, (item)
TM24 (item)/
TM25 34/221 LD [HLI], A
TM26 62/193 LD A, (move1)
TM27 (move1)/
TM28 34/221 LD [HLI], A
TM29 62/193 LD A, (move2)
TM30 (move2)/
TM31 34/221 LD [HLI], A
TM32 62/193 LD A, (move3)
TM33 (move3)/
TM34 34/221 LD [HLI], A
TM35 62/193 LD A, (move4)
TM36 (move4)/
TM37 34/221 LD [HLI], A
TM38 201/54 RET

Since I managed to kill my VC savegame, this is (so far, kind of) untested.
The parts presented here worked without killing my savegame, but there were some other parts in it which I cut out for this one (such as setting your box Pokémon count to 20).
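As an added helper for the TM-quantity medium laid out in this post and in the Quagsire execution method above (written for this page; not spamviech's or the thread's code), this Python script turns a byte program into the keep/deposit pairs of the table (keep n, deposit 255-n from a stack of 255) and disassembles the pocket contents back, labelling each instruction with the TM/HM slot it starts in and resolving JR targets to slot names so loops can be checked. The opcode table covers only the instructions the thread's TM programs use; the demo program is constructed, and $AD6D is the box address given earlier in the thread.

```python
"""Constructed helper for the TM/HM-quantity code medium: encode a byte program as
keep/deposit pairs and disassemble the pocket back into LR35902 instructions
labelled by slot.  Not spamviech's code."""
from typing import List, Tuple

TM_SLOTS = 50 + 7   # TM01..TM50 followed by HM01..HM07: 57 one-byte slots

# opcode -> (mnemonic template, immediate byte count).  Only the opcodes used in
# the thread's TM programs plus the DEC BC / LD A,B / OR C loop idiom.
OPCODES = {
    0x01: ("LD BC,${w}", 2),   0x03: ("INC BC", 0),       0x09: ("ADD HL,BC", 0),
    0x0B: ("DEC BC", 0),       0x15: ("DEC D", 0),        0x1D: ("DEC E", 0),
    0x20: ("JR NZ,{r}", 1),    0x21: ("LD HL,${w}", 2),   0x22: ("LD [HL+],A", 0),
    0x23: ("INC HL", 0),       0x36: ("LD [HL],${b}", 1), 0x3E: ("LD A,${b}", 1),
    0x57: ("LD D,A", 0),       0x5F: ("LD E,A", 0),       0x78: ("LD A,B", 0),
    0x7A: ("LD A,D", 0),       0xAF: ("XOR A", 0),        0xB1: ("OR C", 0),
    0xC9: ("RET", 0),          0xEA: ("LD [${w}],A", 2),
}


def slot_name(i: int) -> str:
    """Pocket slot i (0-based) as the thread labels it: TM01..TM50, HM01..HM07."""
    if not 0 <= i < TM_SLOTS:
        raise ValueError(f"slot {i} is outside the TM/HM pocket")
    return f"TM{i + 1:02d}" if i < 50 else f"HM{i - 49:02d}"


def encode_quantities(code: bytes) -> List[Tuple[str, int, int]]:
    """One (slot, keep, deposit) pair per byte, starting from a stack of 255.
    Keeping n and depositing 255-n leaves exactly n in the slot, which is the
    keep/deposit format of the table in the thread."""
    if len(code) > TM_SLOTS:
        raise ValueError(f"{len(code)} bytes do not fit in {TM_SLOTS} slots")
    return [(slot_name(i), b, 255 - b) for i, b in enumerate(code)]


def decode_quantities(kept: List[int]) -> bytes:
    """Inverse: the quantities left in the pocket are the program bytes."""
    if any(not 0 <= q <= 255 for q in kept):
        raise ValueError("item quantities are single bytes")
    return bytes(kept)


def disassemble(code: bytes) -> List[Tuple[str, str]]:
    """Decode the byte stream; each instruction is tagged with the slot it starts
    in, and JR targets are resolved to slot names so loops can be checked by eye."""
    listing, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"opcode ${op:02X} at {slot_name(pc)} is not in the table")
        template, size = OPCODES[op]
        imm = code[pc + 1:pc + 1 + size]
        if len(imm) < size:
            raise ValueError(f"truncated operand at {slot_name(pc)}")
        b = imm[0] if size else 0
        w = int.from_bytes(imm, "little") if size == 2 else 0
        r = b - 256 if b >= 128 else b          # JR displacement is signed
        text = template.format(b=f"{b:02X}", w=f"{w:04X}", r=r)
        next_pc = pc + 1 + size
        if op == 0x20:
            text += f" ; -> {slot_name(next_pc + r)}"
        listing.append((slot_name(pc), text))
        pc = next_pc
    return listing


# Constructed demo program (not from the thread): unlock SRAM, select bank 1,
# write three bytes starting at the thread's $AD6D address, return.
DEMO = bytes([
    0x3E, 0x0A,         # LD A,$0A
    0xEA, 0x00, 0x00,   # LD [$0000],A   ; low nibble $A unlocks SRAM on MBC3
    0x3E, 0x01,         # LD A,$01
    0xEA, 0x00, 0x40,   # LD [$4000],A   ; SRAM bank 1
    0x21, 0x6D, 0xAD,   # LD HL,$AD6D
    0x01, 0x03, 0x00,   # LD BC,$0003    ; byte counter
    0x3E, 0xFB,         # LD A,$FB       ; constructed payload byte
    0x22,               # LD [HL+],A     ; loop body (TM19)
    0x0B,               # DEC BC
    0x78,               # LD A,B
    0xB1,               # OR C
    0x20, 0xFA,         # JR NZ,-6       ; back to LD [HL+],A
    0xC9,               # RET
])

if __name__ == "__main__":
    for slot, keep, deposit in encode_quantities(DEMO):
        print(f"{slot} {keep}/{deposit}")
    for slot, text in disassemble(DEMO):
        print(f"{slot}: {text}")
```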
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on November 03, 2017, 04:16:39 pm
Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on November 03, 2017, 04:23:21 pm
Wow, excellent idea spamviech! :D Thank you. :)

So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 03, 2017, 04:44:27 pm
Wow, excellent idea spamviech! :D Thank you. :)

So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.

Up to 57 bytes long, but you need to write the HM quantities, e.g. using box names (all available). You can even start with a box name code and then jump to TM03 with a final x'mA♀.

Since withdrawing more than 99 seems to be impossible you need to run the 255-code every time as part of changing code though.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 04, 2017, 07:45:18 am
I like this new medium, spamviech!

I just got my cart yesterday so I probably wont test it out right now, but this seems interesting!

The only potential problem I can see arise is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc"; that way you can execute the x255 TM code immediately after the TM quantity code.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 06, 2017, 05:12:48 am
I like this new medium, spamviech!

I just got my cart yesterday so I probably wont test it out right now, but this seems interesting!

The only potential problem I can see arise is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc"; that way you can execute the x255 TM code immediately after the TM quantity code.

Think it depends on the code. Some you might want to execute multiple times.


Another thing I found:
Using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 06, 2017, 07:08:33 am
I'm surprised no one has done this yet:

Get all Johto Badges:
Box 1: Ap'vEé'm25
Box 2: 09555555
Box 3: éA(female)p'd555

Untested for the time being.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 06, 2017, 08:26:13 am
(Super-Apologies for double-posting again)

Using spamviech's new medium, I have created a walk-through-walls code.

First, use Torchickens' code that grants you x255 of every TM:

1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)x'd


Then spell the following opcodes with TM quantities:

Keep/Deposit (starting from TM 01):

62/193
8/247
33/222
163/92
206/49
34/221
34/221
34/221
119/136
201/54


Finally, use this code:

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL9p'd

(Coin case variant)

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL955
Box 4: péZ(mult).9'l'l
Box 5: 'l'lp'd5555

You should be able to walk through almost any wall. Try not to go out of bounds, this will crash the game.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on November 06, 2017, 09:57:08 am
That's all right Couldntthinkofaname. :)

We don't really mind about double-posts here as long as the information adds to the discussion.

Thanks for your writing and sharing your new code. ^^*
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 06, 2017, 02:21:49 pm
Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.

Same. Found it by accident after realizing almost all the code I was working on had to be self-modified, so I was looking for a place which could be accessed without problems, and luckily found the TM location.  ;D

Another thing I found:
Using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).

To add to that:
It also enables battle animations. Returning them back (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.



Regarding TM execution, here's a box name code to start execution from TM01 quantity (if you don't want to switch Quagsires):
Code:
1)  5  5  5  5  5  5  5  5
2)  5  5  5  p  0(spc)?  8 XOR A; OR 7f; AND fe | A->7e (spc means space)
3)  é 'v  2  x 'm 'm  ♀ LD [d6f8], A; OR A; JP NC, [{7e}f5]
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 06, 2017, 03:33:33 pm
To add to that:
It also enables battle animations. Returning them back (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.

This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 06, 2017, 07:15:13 pm
To add to that:
It also enables battle animations. Returning them back (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.

This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.

Oh, right. Missed that. I wonder what values of non-crashing game, but with fast text-speed and non-laggy menu are possible.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 06, 2017, 07:28:09 pm
To add to that:
It also enables battle animations. Returning them back (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.

This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.

Oh, right. Missed that. I wonder what values of non-crashing game, but with fast text-speed and non-laggy menu are possible.
If you set $D199 to $01, fast text speed will be active and laggy menu will be fixed.

To do this, end coin case codes with:

p'v9éZ(mult)55
.9'l'l'l'lp'd
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 07, 2017, 06:57:25 am
Finished my code I was working on.  :D
This one will fill your current box with 20 Pokémon of your choosing with the same item and moveset. Be sure to remove any Pokémon you want to keep, since they will get overwritten (mostly).

First, use this box name code to give you 255 of every TM/HM:
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)x'd

Coin Case Variant (untested):
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)ppp'v9éZ×
9).9'l'l'l'lx'd

Then write the code with TM quantities by keeping/depositing (you might need to toss in between to make space in the PC):
Code:
format: keep/deposit code
TM01 62/193 LD A, 0a
TM02 10/245
TM03 234/21 LD [ff00], A | A->0a
TM04 255/0
TM05 0/255
TM06 62/193 LD A, 01
TM07 01/254
TM08 234/21 LD [ff40], A | A->01
TM09 255/0
TM10 64/191
TM11 33/222 LD HL, 6cad | HL->ad6c
TM12 108/147
TM13 173/82
TM14 1/254 LD BC, 1a00 | BC->001a
TM15 26/229
TM16 0/255
TM17 62/193 LD A, 14 | A->14
TM18 20/235
TM19 87/168 LD D, A
TM20 95/160 LD E, A
TM21 34/221 LD [HLI], A
TM22 62/193 LD A, (species)
TM23 (species)/
TM24 34/221 LD [HLI], A
TM25 21/234 DEC D
TM26 32/223 JR NZ, fc | (Loop back to last LD [HLI], A)
TM27 252/3
TM28 54/201 LD [HL], ff
TM29 255/0
TM30 35/220 INC HL
TM31 87/168 LD D, A
TM32 122/133 LD A, D
TM33 34/221 LD [HLI], A
TM34 62/193 LD A, (item)
TM35 (item)/
TM36 34/221 LD [HLI], A
TM37 62/193 LD A, (move1)
TM38 (move1)/
TM39 34/221 LD [HLI], A
TM40 62/193 LD A, (move2)
TM41 (move2)/
TM42 34/221 LD [HLI], A
TM43 62/193 LD A, (move3)
TM44 (move3)/
TM45 34/221 LD [HLI], A
TM46 62/193 LD A, (move4)
TM47 (move4)/
TM48 34/221 LD [HLI], A
TM49 9/246 ADD HL, BC
TM50 29/226 DEC E
HM01 32/223 JR NZ, eb | (Loop Back to LD A, D)
HM02 235/20
HM03 201/54 RET

Now change your box names to the code below and execute via wrong pocket TM execution:
Code:
1)  5  5  5  p  0  A 'v  x XOR A; OR 80; SUB b7 | A->c9
2)  é  s  ♀  p  0  é 'v  9 LD [b2f5], A; XOR A; OR ea; SUB ff | A->eb
3)  é  r  ♀  p  0  a 'v  A LD [b1f5], A; XOR A; OR a0; SUB 80 | A->20
4)  é  q  ♀  p  0  8  ?  _ LD [b0f5], A; XOR A; OR fe; AND 7f | A->7e (_ is space)
5)  é  .  2  x 'm 'm  ♀ LD [e7f8], A; OR A; JP NC, [{7e}f5]

Coin Case Variant (untested):
Code:
1)  5  5  5  p  0  A 'v  x XOR A; OR 80; SUB b7 | A->c9
2)  é  s  ♀  p  0  é 'v  9 LD [b2f5], A; XOR A; OR ea; SUB ff | A->eb
3)  é  r  ♀  p  0  a 'v  A LD [b1f5], A; XOR A; OR a0; SUB 80 | A->20
4)  é  q  ♀  p  0  8  ?  _ LD [b0f5], A; XOR A; OR fe; AND 7f | A->7e (_ is space)
5)  é  1  2  p 'v   9  . 9 LD [f7f8], A; XOR A; SUB ff; ADD SP, ff | A->01
6)  é  Z  × 'l 'l 'l 'l  5 LD [99f1], A; POP DE; POP DE; POP DE; POP DE |  (× is mult)
7)  x 'm 'm  ♀ OR A; JP NC, [{7e}f5]

Execute using the usual Quagsire holding TM02 with Return as first move (start execution from second character of first box name).

Level, Nickname, OT, DVs, etc. will be the same as for the Pokémon that were in the place before (0/empty for a new box).
For Celebi with its Level 1 moveset use the following values at their appropriate place:

For Celebi use the following Quantities:
Code:
Species:
Celebi 251/4
Item:
Lucky Egg 126/129
Moveset Level 1:
Leech Seed 73/182
Recover 105/150
Confusion 93/162
Heal Bell 215/40

Edit: fixed a bug which would shift bytes upon releasing/withdrawing of Pokémon.

If you set $D199 to $01, fast text speed will be active and laggy menu will be fixed.

To do this, end coin case codes with:

p'v9éZ(mult)55
.9'l'l'l'lp'd

Neat. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 08, 2017, 04:25:19 pm
The likely issue is that the OAM DMA exploit was executed sometime during that particular boot of the game, and since these opcodes are executed once every frame, you may have overwritten the terminating ret, causing the OAM DMA to crash the game.

Simple answer, reboot and try again. If that doesn't work, please let me know, because that would be rather odd.


Edit: OP deleted his comment, please disregard this.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 08, 2017, 04:30:26 pm
Thanks for the answer. I realized there were some mistakes, but the good code has the issue too. I'll correct everything, retest, then if I still have trouble I'll post again  :P

EDIT: I localized the issue and don't have it anymore, but still have trouble translating for some opcodes. At least now I get it, and it may be possible to finish it...
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 08, 2017, 06:20:51 pm
Somehow, after 9 hours of eating asm, I did it. Many thanks to coffee and spotify!

This is the French translation of Couldntthinkofaname's code to get any Pokémon in the wild.
EDIT: It took me 5 codes to tame the beast. Maybe it can be done with 4 codes only, but I would be surprised if it can be done with 3.

_ means space
(ID) has to be replaced with the corresponding Pokémon

CODE 1
Ap0Bu'U__
é/2p0Bu'r
é,2é02p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(ID)éA
pA

Commented ASM:
Code:
WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F3 F8 LD $F8F3,A \\ $(F8F3)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F4 F8 LD $F8F4,A \\ $(F8F4)=D0
WRAM1:D8D4 EA F6 F8 LD $F8F6,A \\ $(F8F6)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 XX OR $XX \\ A=XX
WRAM1:D8F2 EA 80 50 LD $D0ED,A \\ $(D0ED)=XX

WRAM1:D8F5 AF XOR A \\ A=00 : C=0
WRAM1:D8F6 80 RET NC

CODE 2
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(ID)u'_
éAApA

Commented ASM:
Code:
WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 XX OR $XX \\ A=XX
WRAM1:D8F2 DE 7F SBC $7F \\ A=XX-7F
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC

CODE 3:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0zu'(ID)
éAApA

Commented ASM:
Code:
WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 B9 OR $B9 \\ A=B9
WRAM1:D8F2 DE XX SBC $XX \\ A=B9-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC

CODE 4:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0Au'(ID)
éAApA

Commented ASM:
Code:
WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 80 OR $80 \\ A=80
WRAM1:D8F2 DE XX SBC $XX \\ A=80-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC

CODE 5:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(male)u'(ID)
éAApA

Commented ASM:
Code:
WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 EF OR $EF \\ A=EF
WRAM1:D8F2 DE XX SBC $XX \\ A=EF-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC

Here is the table of the Pokémon you can get per table. For codes 3 to 5 I only wrote the Pokémon that are not in the previous columns:
https://pastebin.com/W9Pe82uG
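To follow the self-modifying trick in the commented ASM above, here is an added example (not code from the thread): a minimal interpreter for the few Game Boy CPU opcodes the CODE 5 box names encode, run first from $D8C0 and then from the per-frame entry $D8EF. It assumes box 1's name sits at $D8BF with nine bytes per box, treats the '(ID)' character as a constructed placeholder, and assumes only that the OAM DMA routine's RET is the byte at $FF89 that the listing overwrites.

```python
"""Trace of the self-modifying CODE 5 box-name program, added here as an
illustration (not code from the thread). A minimal interpreter for the few
Game Boy CPU opcodes the box names encode shows the two patches the
commented ASM performs: box 7's bytes 'EA 80 80 AF 80' are rewritten into
LD ($D0ED),A / XOR A / RET NC, and the RET ending the OAM DMA routine at
$FF89 is replaced by JP NC $F8EF, so every frame re-enters box 6 at $D8EF.
Echo RAM ($E000-$FDFF) mirrors $C000-$DDFF, so $F8F6 is $D8F6 and so on.
Assumptions: box 1's name starts at $D8BF (nine bytes per box, as stated in
the thread); XX stands in for the '(ID)' character and is constructed here.
"""

BOX1 = 0xD8BF
XX = 0xD6  # constructed: $EF - $D6 = $19, the value we want to land in $D0ED

# The CODE 5 box names as bytes, copied from the commented ASM listing.
BOXES = [
    [0x80, 0xAF, 0xF6, 0x81, 0xDE, 0x94, 0x7F, 0x7F, 0x50],  # Ap0Bu'U__
    [0xEA, 0xF6, 0xF8, 0xAF, 0xF6, 0x81, 0xDE, 0xB1, 0x50],  # é02p0Bu'r
    [0xEA, 0xF7, 0xF8, 0xEA, 0xF9, 0xF8, 0xAF, 0x7F, 0x50],  # é12é32p_
    [0xF6, 0x81, 0xDE, 0xAF, 0xEA, 0x89, 0xFF, 0xAF, 0x50],  # 0Bu'péJ9p
    [0xF6, 0xEF, 0xEA, 0x8A, 0xFF, 0xAF, 0xF6, 0xF8, 0x50],  # 0(male)éK9p02
    [0xEA, 0x8B, 0xFF, 0xAF, 0xF6, 0xEF, 0xDE, XX, 0x50],    # éL9p0(male)u'(ID)
    [0xEA, 0x80, 0x80, 0xAF, 0x80, 0x50],                    # éAApA
]


def mirror(addr):
    """Fold an echo RAM address onto the WRAM byte it mirrors."""
    return addr - 0x2000 if 0xE000 <= addr < 0xFE00 else addr


def fresh_memory():
    """64 KiB of zeroes with the box names and the DMA routine's RET placed."""
    mem = bytearray(0x10000)
    for i, name in enumerate(BOXES):
        start = BOX1 + 9 * i
        mem[start:start + len(name)] = bytes(name)
    mem[0xFF89] = 0xC9  # RET at the end of the HRAM OAM DMA routine (assumed)
    return mem


def run(mem, pc, max_steps=100):
    """Execute from pc until a RET NC is taken; return (A, list of writes)."""
    a, carry, writes = 0, False, []
    for _ in range(max_steps):
        op = mem[mirror(pc)]
        if op == 0xAF:                              # XOR A: A=0, carry cleared
            a, carry, pc = 0, False, pc + 1
        elif op == 0xF6:                            # OR n
            a, carry, pc = a | mem[mirror(pc + 1)], False, pc + 2
        elif op == 0xDE:                            # SBC A,n (borrow sets carry)
            r = a - mem[mirror(pc + 1)] - carry
            a, carry, pc = r & 0xFF, r < 0, pc + 2
        elif op == 0xEA:                            # LD (nn),A, nn little-endian
            nn = mem[mirror(pc + 1)] | (mem[mirror(pc + 2)] << 8)
            mem[mirror(nn)] = a
            writes.append((mirror(nn), a))
            pc += 3
        elif op in (0x50, 0x7F):                    # LD D,B / LD A,A: no effect here
            pc += 1
        elif op == 0xD0:                            # RET NC
            if not carry:
                return a, writes
            pc += 1
        else:
            raise RuntimeError(f"unexpected opcode {op:02X} at {pc:04X}")
    raise RuntimeError("program did not return")


def trace_code5():
    """Run the first pass and one per-frame pass; return what each changed."""
    mem = fresh_memory()
    # First pass: entered at $D8C0 (one byte into box 1), as in the listing.
    _, first_writes = run(mem, 0xD8C0)
    hram = bytes(mem[0xFF89:0xFF8C])       # expected D2 EF F8 = JP NC $F8EF
    box7 = bytes(mem[0xD8F5:0xD8FA])       # expected EA ED D0 AF D0
    # Per-frame pass: the hijacked DMA routine now lands at $D8EF each VBlank.
    mem[0xD0ED] = 0
    _, frame_writes = run(mem, 0xD8EF)
    return {
        "first_writes": first_writes,
        "hram_ff89": hram,
        "box7_after_patch": box7,
        "frame_writes": frame_writes,
        "d0ed": mem[0xD0ED],               # $EF - XX
    }


if __name__ == "__main__":
    for key, value in trace_code5().items():
        print(key, value.hex(" ").upper() if isinstance(value, bytes) else value)
```

The write list of the first pass shows why the listing's $F8F6/$F8F7/$F8F9 targets matter: they land on box 7 itself, three bytes before the instruction that later uses them.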
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 08, 2017, 06:27:10 pm
Glad everything worked out  :)   

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 09, 2017, 05:36:24 am
Thanks Couldntthinkofaname! I've updated the previous post with the codes and asm.

Below is the variant of Crystal_'s OAM DMA Hijacking method adapted from MAP's pastebin. I cut it from the guide, and link it from there to here, so both methods are given with links.

Quote
Use 'IV.2: GET ANY TM/HM x255 CODE' to get TM09, unless you already have it.

Give TM09 to hold to Quagsire, instead of TM02, and save.

Rename Box 2 to Box 10 as follows:
p'va'vbé!2 (english game) or p°a°bé!2 (italian and spanish game)
'v[é?2'v85 (english game) or °[é?2°85 (italian and spanish game)
é22'v3é02 (english game) or é22°3é02 (italian and spanish game)
hhh222hh
's82hhhéé (english game) or ó82hhhéé (italian and spanish game)
'd2G2h'd (english game) or ì2G2hì (italian and spanish game)
's02hé,2h (english game) or ó02hé,2h (italian and spanish game)
's02hé/2h (english game) or ó02hé/2h (italian and spanish game)
's02'd (english game) or ó02ì (italian and spanish game)
NOTE: As of now, to my knowledge there is no equivalent to this for French games.

Save.

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.22]]

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.23__ while replacing __ by the characters corresponding to the wanted Pokémon in the following table (Pk and Mn are available symbols, not "P followed by k"):
AA   ????? (n°000)
AB   Bulbasaur
BB   Ivysaur
BC   Venusaur
CC   Charmander
CD   Charmeleon
DD   Charizard
DE   Squirtle
EE   Wartortle
EF   Blastoise
FF   Caterpie
FG   Metapod
GG   Butterfree
GH   Weedle
HH   Kakuna
HI   Beedrill
II   Pidgey
IJ   Pidgeotto
JJ   Pidgeot
JK   Rattata
KK   Raticate
KL   Spearow
LL   Fearow
LM   Ekans
MM   Arbok
MN   Pikachu
NN   Raichu
NO   Sandshrew
OO   Sandslash
OP   Nidoran♀
PP   Nidorina
PQ   Nidoqueen
QQ   Nidoran♂
QR   Nidorino
RR   Nidoking
RS   Clefairy
SS   Clefable
ST   Vulpix
TT   Ninetales
TU   Jigglypuff
UU   Wigglytuff
UV   Zubat
VV   Golbat
VW   Oddish
WW   Gloom
WX   Vileplume
XX   Paras
XY   Parasect
YY   Venonat
YZ   Venomoth
ZZ   Diglett
Z(   Dugtrio
((   Meowth
()   Persian
))   Psyduck
):   Golduck
::   Mankey
:;   Primeape
;;   Growlithe
;[   Arcanine
[[   Poliwag
[]   Poliwhirl
]]   Poliwrath
]a   Abra
aa   Kadabra
ab   Alakazam
bb   Machop
bc   Machoke
cc   Machamp
cd   Bellsprout
dd   Weepinbell
de   Victreebel
ee   Tentacool
ef   Tentacruel
ff   Geodude
fg   Graveler
gg   Golem
gh   Ponyta
hh   Rapidash
hi   Slowpoke
ii   Slowbro
ij   Magnemite
jj   Magneton
jk   Farfetch'd
kk   Doduo
kl   Dodrio
ll   Seel
lm   Dewgong
mm   Grimer
mn   Muk
nn   Shellder
no   Cloyster
oo   Gastly
op   Haunter
pp   Gengar
pq   Onix
qq   Drowzee
qr   Hypno
rr   Krabby
rs   Kingler
ss   Voltorb
st   Electrode
tt   Exeggcute
tu   Exeggutor
uu   Cubone
uv   Marowak
vv   Hitmonlee
vw   Hitmonchan
ww   Lickitung
wx   Koffing
xx   Weezing
xy   Rhyhorn
yy   Rhydon
yz   Chansey
zz   Tangela
?N   Kangaskhan
?O   Horsea
?P   Seadra
?Q   Goldeen
?R   Seaking
?S   Staryu
?T   Starmie
?U   Mr. Mime
?V   Scyther
?W   Jynx
?X   Electabuzz
?Y   Magmar
?Z   Pinsir
?(   Tauros
?)   Magikarp
?:   Gyarados
?;   Lapras
?[   Ditto
?]   Eevee
?a   Vaporeon
?b   Jolteon
?c   Flareon
?d   Porygon
?e   Omanyte
?f   Omastar
?g   Kabuto
?h   Kabutops
?i   Aerodactyl
?j   Snorlax
?k   Articuno
?l   Zapdos
?m   Moltres
?n   Dratini
?o   Dragonair
?p   Dragonite
?q   Mewtwo
?r   Mew
?s   Chikorita
?t   Bayleef
?u   Meganium
?v   Cyndaquil
?w   Quilava
?x   Typhlosion
?y   Totodile
?z   Croconaw
9b   Feraligatr
9c   Sentret
9d   Furret
9e   Hoothoot
9f   Noctowl
9g   Ledyba
9h   Ledian
9i   Spinarak
9j   Ariados
9k   Crobat
9l   Chinchou
9m   Lanturn
9n   Pichu
9o   Cleffa
9p   Igglybuff
9q   Togepi
9r   Togetic
9s   Natu
9t   Xatu
9u   Mareep
9v   Flaaffy
9w   Ampharos
9x   Bellossom
9y   Marill
9z   Azumarill
'r?   Sudowoodo
's?   Politoed
't?   Hoppip
'v?   Skiploom
'v!   Jumpluff
'v.   Aipom
'v&   Sunkern
'vé   Sunflora
'm$   Yanma
PkPk   Wooper
PkMn   Quagsire
MnMn   Espeon
Mn-   Umbreon
--   Murkrow
Pk?   Slowking
Mn?   Misdreavus
-?   Unown
-!   Wobbuffet
Mn&   Girafarig
??   Pineco
?!   Forretress
!!   Dunsparce
!.   Gligar
..   Steelix
.&   Snubbull
&&   Granbull
Mn×   Qwilfish
Pk/   Scizor
Pk,   Shuckle
Pk♀   Heracross
Pk0   Sneasel
Mn0   Teddiursa
?/   Ursaring
?,   Slugma
?♀   Magcargo
?0   Swinub
!0   Piloswine
.0   Corsola
.1   Remoraid
.2   Octillery
.3   Delibird
.4   Mantine
.5   Skarmory
.6   Houndour
.7   Houndoom
.8   Kingdra
.9   Phanpy
♂3   Donphan
♂4   Porygon2
♂5   Stantler
♂6   Smeargle
00   Tyrogue
01   Hitmontop
11   Smoochum
12   Elekid
22   Magby
23   Miltank
33   Blissey
34   Raikou
44   Entei
45   Suicune
55   Larvitar
56   Pupitar
66   Tyranitar
67   Lugia
77   Ho-oh
78   Celebi
88   ????? (n°252)
89   Egg
99   ????? (n°254)
 A   ????? (n°255) (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.33♂5

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.3401

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.44..

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.45-?

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?e22 (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?f!. (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?dPkMn (Be careful, there's a space before A; also, Pk and Mn are available symbols, not "P followed by k")

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case). The wanted Pokémon can now be found in the wild with a 100% encounter rate.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 10, 2017, 10:20:53 am
As a resident German person, here is a PC item code to give you 255 of every TM/HM so you can use them to write your code.
Don't know if this will work on every European language, but it was the same for German and English so there is a good chance that it will work.
A bit expensive to set up (32 Carbos, etc.), you need TM10 and TM22 which you can only get once and one Lucky Egg which is awful to get without glitches, but at least you can get an easier medium to write code with.

Location to find some of the more specific items:


Use wrong-pocket TM execution with a Quagsire holding HP-Up with Sleep Talk as its first move. To get a TM in the wrong pocket use this guide by luckytyphlosion (http://forums.glitchcity.info/index.php?topic=8109.0).
Arrange the Items in your PC in the following way:
Code: [Select]
Any x Any
Any x 03
Full Restore x 01
Paralyz Heal x 13
Energypowder x 30
Exp_Share x 01
Any x Any
Poké Ball x 38
TM22 x 01
Any x Any
Great Ball x 46
Revival Herb x 03
Dire Hit x 44
Awakening x 34
Ice Heal x 03
Carbos x 32
HM07 x 01
Any x Any
TM10 x Any

German Item names:
Code: [Select]
Any x Any
Any x 03
Top Genesung x 01
Para-Heiler x 13
Energiestaub x 30
EP-Teiler x 01
Any x Any
Pokéball x 38
TM22 x 01
Any x Any
Superball x 46
Vitalkraut x 03
Angriffsplus x 44
Aufwecker x 34
Eisheiler x 03
Carbon x 32
VM07 x 01
Any x Any
TM10 x Any

Corresponding ASM code (every time register b and/or c is used, it is filler code):
Code: [Select]
INC BC
LD C, 01
DEC C
DEC C
LD A, C
LD E, 39
LD BC, ...
DEC B
LD H, d5
LD BC, ...
INC B
LD L, 7c
INC L
INC L
INC C
LD [HL+], A
DEC BC
INC BC
DEC E
JR NZ, f9
LD BC, ...
RET

Afterwards, teach your Quagsire Attract (TM45) as its first move and make it hold a Lucky Egg. Your code will then be executed starting from the quantity of TM01 in your TM pocket. Write it by keeping/depositing the desired amount.
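To see how the PC item list above turns into the instruction stream listed after it, here is an added example (not code from the thread) that encodes the "item x quantity" lines as the (item id, quantity) byte pairs the game stores and disassembles them from the INC BC where the posted ASM starts. The item ids are the ones the posted annotations imply (Full Restore x 01 decodes as LD C,01, so Full Restore is $0E; TM10 decodes as RET, so it is $C9); "Any" entries are encoded as $00, a constructed placeholder, since they only ever land in an immediate operand.

```python
"""Decode the PC item layout above into the instructions it encodes.

Added example, not code from the thread. The PC item list is stored as
(item id, quantity) byte pairs, so a chosen sequence of items and counts is a
byte stream the CPU executes as-is. Item ids are the ones the posted
annotations imply (Full Restore x 01 decodes as LD C,01, so Full Restore is
$0E; TM10 x Any decodes as RET, so TM10 is $C9, and so on). 'Any' is encoded
as $00 here, a constructed placeholder for a byte that only ever lands in an
immediate operand.
"""

ITEM_ID = {
    "Any": 0x00, "Full Restore": 0x0E, "Paralyz Heal": 0x0D,
    "Energypowder": 0x79, "Exp_Share": 0x39, "Poké Ball": 0x05, "TM22": 0xD5,
    "Great Ball": 0x04, "Revival Herb": 0x7C, "Dire Hit": 0x2C,
    "Awakening": 0x0C, "Ice Heal": 0x0B, "Carbos": 0x1D, "HM07": 0xF9,
    "TM10": 0xC9,
}

# The "255 of every TM/HM" layout, one "<item> x <quantity>" per line.
LAYOUT = """\
Any x Any
Any x 03
Full Restore x 01
Paralyz Heal x 13
Energypowder x 30
Exp_Share x 01
Any x Any
Poké Ball x 38
TM22 x 01
Any x Any
Great Ball x 46
Revival Herb x 03
Dire Hit x 44
Awakening x 34
Ice Heal x 03
Carbos x 32
HM07 x 01
Any x Any
TM10 x Any
"""

# opcode -> (mnemonic template, immediate byte count); just the ones used here.
OPCODES = {
    0x03: ("INC BC", 0), 0x0E: ("LD C,{}", 1), 0x0D: ("DEC C", 0),
    0x79: ("LD A,C", 0), 0x1E: ("LD E,{}", 1), 0x01: ("LD BC,{}", 2),
    0x05: ("DEC B", 0), 0x26: ("LD H,{}", 1), 0x04: ("INC B", 0),
    0x2E: ("LD L,{}", 1), 0x2C: ("INC L", 0), 0x0C: ("INC C", 0),
    0x22: ("LD [HL+],A", 0), 0x0B: ("DEC BC", 0), 0x1D: ("DEC E", 0),
    0x20: ("JR NZ,{}", 1), 0xC9: ("RET", 0),
}


def encode(layout):
    """Turn the item list into the byte pairs the game stores in the PC."""
    out = bytearray()
    for line in layout.splitlines():
        item, qty = (part.strip() for part in line.split(" x "))
        out.append(ITEM_ID[item])
        out.append(0 if qty == "Any" else int(qty))
    return bytes(out)


def disassemble(code, start):
    """List (offset, mnemonic) from start until RET; JR targets are resolved."""
    pc, listing = start, []
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            listing.append((pc, f"DB ${op:02X}"))   # data byte, not an opcode we know
            pc += 1
            continue
        text, n = OPCODES[op]
        imm = code[pc + 1:pc + 1 + n]
        nxt = pc + 1 + n
        if op == 0x20:                             # signed offset from next instruction
            off = imm[0] - 0x100 if imm[0] >= 0x80 else imm[0]
            text = text.format(f"{off:+d} (to offset {nxt + off})")
        elif n:
            text = text.format(f"${int.from_bytes(imm, 'little'):0{2 * n}X}")
        listing.append((pc, text))
        pc = nxt
        if op == 0xC9:
            break
    return listing


def decode_layout():
    """Bytes of the layout and their disassembly from the INC BC of 'Any x 03'."""
    code = encode(LAYOUT)
    return code, disassemble(code, 3)


if __name__ == "__main__":
    code, listing = decode_layout()
    print(code.hex(" ").upper())
    for offset, mnemonic in listing:
        print(f"{offset:02d}: {mnemonic}")
```

The resolved JR NZ lands on the INC C before LD [HL+],A, so the loop body is INC C / LD [HL+],A / DEC BC / INC BC / DEC E, which fills $39 bytes from HL with the $FF left in A.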
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Nostalgia on November 10, 2017, 10:56:43 am
The only issue I see with that is the difficulty in obtaining the Lucky Egg. I managed to get one in my playthrough but that was like my first time ever getting it. In G/S, it's 1% for Chansey to appear and an 8% chance for it to be holding a Lucky Egg.

Here's a tip though: On Route 13 in G/S, Chansey comes at level 25, and the highest level of Pokémon you can find on this route is 25 (unlike Crystal where the highest is 27). So by putting a level 25 Pokémon at the top of the party and using a Max Repel, you avoid the low level encounters and increase the chances of encountering a Chansey. It's a good tip in general for hunting the annoying 1% encounter rate Pokémon.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 10, 2017, 04:07:40 pm
True, but I didn't find a way around it at first.
Looked into it again and found a way using Revival Herb (Vitalkraut; same place as energypowder) and Dire Hit (Angriffsplus). :)
I'll update the original post with the change.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 10, 2017, 04:31:08 pm
Would anyone happen to know of a reference to the German/French charset? I would be happy to assist with translations but unfortunately I only own the English copies of G/S.

From what I understand, it is increasingly difficult to code for the German charset due to a lack of certain characters, but I am uncertain.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 10, 2017, 04:50:43 pm
Here (http://forums.glitchcity.info/index.php?topic=8097.msg207116#msg207116) is one, but it doesn't account for non-input but representable characters (e.g. é is not available in German, ' is not available in English).

I doubt box name codes are possible in German if they want to do more than calling/jumping to pre-existing code.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 10, 2017, 05:10:50 pm
Here (http://forums.glitchcity.info/index.php?topic=8097.msg207116#msg207116) is one, but it doesn't account for non-input but representable characters (e.g. é is not available in German, ' is not available in English).

I doubt box name codes are possible in German if they want to do more than calling/jumping to pre-existing code.


Ah, I see. Thanks for the reference!

I may begin translating some of my codes to French as soon as I wrap up my surprise-released (https://youtu.be/eouJy9poa20) 8F project.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 10, 2017, 06:11:20 pm
The character set in french is available in this pastebin: https://pastebin.com/W9Pe82uG

Having spent a whole day translating your catch any Pokémon code to french, I can relate that it's annoying af. Most times you can replace sub by sbc because the carry flag is not set, but the lack of ret nc could be a problem (you'll have to use ret c or reti). Sometimes, there is no easy solution and the whole thing has to be remade. If you eventually find the courage to do it, that would be great for us frenchies :D 
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 10, 2017, 06:23:12 pm
As a resident german person here is a pc item code to give you 255 of every TM/HM so you can use them to write your code.
Don't know if this will work on every european language, but it was the same for german and english so there is a good chance that it will work.

Kind of confused here.
To get enough money for 44 Dire Hits I continued playing (up to defeating Red) and the code suddenly stopped working.
Also, using a Lucky Egg-Attract-Quagsire with a simple return code (201 of TM01) crashed my game.

To me this looks like the memory address for TM quantities was changed, but I somehow doubt Nintendo would do this. Need to look a bit more into this one. I'm using VC version so far btw., will try on emulator to check what's going on here.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 10, 2017, 07:41:25 pm
It's unlikely Nintendo would think to change TM addresses, and from what I've seen from the G/S disassembly there is no script capable of doing so.

Here are a few possibilities:

1. If you allowed mom to save your money, she likely bought an object that screwed up the opcodes.
2. Your slide stopped working due to happiness/EVs


Regarding the game crash, it's likely the latter issue. Slide Pokémon will eventually stop working once they reach a specific opcode, specifically $10 (stop command), and anything else that otherwise messes with the stack, jumps to unrelated code, etc.

Hope this helps resolve the issue :)


Edit: Disregard this, apparently memory does indeed shift in the UE releases.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 10, 2017, 08:06:11 pm
The memory is shifted in UE releases. Not sure how exactly, though, but it's definitely shifted.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 10, 2017, 08:15:57 pm
That's very interesting, I have never seen anything similar on any other Game Boy title. Maybe this was designed to discourage use of the GameShark?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 11, 2017, 05:31:22 am
No, it's actually very often the case that European releases have a slightly different memory layout than US releases. This is the case for all Pokémon games (at least until Gen IV), as well as other GB titles, which I'm not going to list because :p
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 11, 2017, 06:58:13 pm
What confuses me here is that it worked before (with the Lucky Egg, but even that version stopped working) and suddenly stopped after beating a bunch of gym leaders, elite 4 and Red (iirc).
Also, from what I have seen with my limited knowledge using BGB, TMs seem to be in the same location.

Anyway, here is a PC item code (Quagsire, HP-Up, Sleep Talk) to give you lots of money. Basically sets the first money byte ($d573) to ff.
Should make acquiring the Carbos a bit easier.
Code: [Select]
Any x Any
Any x 03
Full Restore x 01
Paralyz Heal x 13
Energypowder x 38
TM22 x 01
Any x Any
Poké Ball x 46
Rage Candy Bar x 44
Great Ball x 34
TM10 x Any

ASM representation:
Code: [Select]
INC BC
LD C, 01
DEC C
DEC C
LD A, C
LD H, d5
LD BC, ...
DEC B
LD L, 72
INC L
INC B; LD [HL+], A
RET


Reset my VC savegame (well, one of them) to test a bit more. This one worked on the German Silver VC version.

Edit:
Maximize TM-quantities worked as well.
Guess it's time to beat up Red again and see if VC is weird and it will stop working again. ‾\(-_-)/‾
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 11, 2017, 08:41:57 pm
Just noticed that you can input a lot more characters when writing a mail.
Since it is stored in SRAM (according to this (https://github.com/pret/pokecrystal/blob/master/sram.asm) at least in Crystal, and I would assume it's similar in Gold/Silver) and I remember reading somewhere that there are some problems with it concerning VC, I'm not too sure how useful this really is.
At least I found a place where I can input é in the German version. I even found an ï character (two dots i for double the fun  8)).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Parzival on November 11, 2017, 09:27:14 pm
VC + SRAM exec = VC freaks the hell out, crashes, then erases your save next boot. Source: ISSOtm's testing.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 12, 2017, 05:52:39 am
As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 12, 2017, 05:56:26 am
As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:

I'm also interested, as making code translations into French is going to be difficult if I can't pinpoint exactly what I'm editing.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 12, 2017, 06:02:28 am
VC + SRAM exec = VC freaks the hell out, crashes, then erases your save next boot. Source: ISSOtm's testing.

Ok, so utterly impossible to use this. Thanks.
I remember reading something like this before, but wasn't sure.

As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:

From what I've seen so far you have to be careful with codes that call something.
Party-Pokémon, Money, Items, PC-Items, etc. seem to be in the same location. So most codes that write stuff directly should be fine.
Had some issues with TM-quantities though, but I still need to confirm if that was just VC being weird, me being stupid or a real issue.
Also, stuff like Room decorations, Trainer-ID etc. might be different. Haven't looked into this one. Same for any OAM DMA loop codes.


Edit:
To add to my previous posts, here is a PC item code for wrong-pocket TM execution to change the item of your first party Pokémon to a Lucky Egg.
Code: [Select]
Give Lucky Egg to first Pokémon ($da2b):
Any x Any
Any x 3 INC BC
Poké Ball x 38 DEC B; LD H, da
TM27 x 3 INC BC
Fresh Water x 43 LD L, 2b
Great Ball x 22 INC B; LD D, 7c
Revival Herb x 03 INC BC
Repel x 20 INC D; INC D
Energy Root x 34 LD A, D; LD [HL+], A
TM10 x Any RET
Tested on the German VC version, but I don't see any reason why it shouldn't work on the English version. Don't know about other European languages, but should be fine as well.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 12, 2017, 07:52:05 am
The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.
Code: [Select]
ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 12, 2017, 08:24:59 am
The OAM DMA thing of Crystal_ (and your version, Couldntthinkofaname) works in French and Italian games, once adapted for character issues.

I've used codes to edit several points in WRAM before in French or Italian games (Trainer ID, Items, Pokémon, etc.) using exactly the same addresses as English games, so maybe the whole WRAM is exactly the same in English and European games, and you can use OAM DMA the same way in both too, but things in other parts of the memory are different.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 12, 2017, 09:08:38 am
The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.
Code: [Select]
ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]

Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.

The OAM DMA thing of Crystal_ (and your version, Couldntthinkofaname) works in French and Italian games, once adapted for character issues.

I've used codes to edit several points in WRAM before in French or Italian games (Trainer ID, Items, Pokémon, etc.) using exactly the same addresses as English games, so maybe the whole WRAM is exactly the same in English and European games, and you can use OAM DMA the same way in both too, but things in other parts of the memory are different.

The code that is called in the box name variant to maximize TM quantities ($314c) is shifted to a few bytes earlier in the German version. Easiest approach for now is probably to just try if the code adjusted for the local charset with the same memory addresses works. Chance seems to be reasonably high. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Skeef on November 12, 2017, 09:37:35 am
The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.
Code: [Select]
ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]

Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.

Daycare memory? In gen 1 it does not reset when you turn off the game, not sure if it does so in gen 2 though.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on November 12, 2017, 09:42:37 am
I think Generation II Day Care memory stays.

The only potential difficulties I see are if the Day Care couple produce an Egg after walking around and this messes up your code (or you overload the party with ????? party overloading, corrupting this data). There are also values around this region that may increase or decrease every step (maybe experience and/or amount of steps left for an Egg).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 12, 2017, 10:32:09 am
According to this (https://github.com/PikalaxALT/pokegold/blob/master/wram.asm) the time to create a new egg is $dc78, which is right in the middle of day care data.

I think party Pokémon OT and nicknames would be the best bet here. Unless you just want to overwrite box names.
Other than that, you can still use bag/pc items & quantities.
Code: [Select]
$DB4A to $DB54 = First Pokemon Name OT
$DB55 to $DB5F = Second Pokemon Name OT
$DB60 to $DB6A = Third Pokemon Name OT
$DB6B to $DB75 = Fourth Pokemon Name OT
$DB76 to $DB80 = Fifth Pokemon Name OT
$DB81 to $DB8B = Sixth Pokemon Name OT
$DB8C to $DB96 = First Pokemon Name
$DB97 to $DBA1 = Second Pokemon Name
$DBA2 to $DBAC = Third Pokemon Name
$DBAD to $DBB7 = Fourth Pokemon Name
$DBB8 to $DBC2 = Fifth Pokemon Name
$DBC3 to $DBCD = Sixth Pokemon Name

What is also interesting are these two addresses:
Code: [Select]
wNamingScreenDestinationPointer:: dw ; c5d0
wNamingScreenType:: ds 1 ; c5d4
Didn't try it, but judging from the name maybe it is possible to change available charset while typing. Since you can't access menu there it would have to be done via OAM DMA loop.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on November 12, 2017, 11:17:57 am
Didn't try it, but judging from the name maybe it is possible to change available charset while typing. Since you can't access menu there it would have to be done via OAM DMA loop.

I came across that address in the past too. It indeed allows you to change the available characters but it seems 05 and up work as if you're nicknaming a Pokémon (so it will say (POKéMON)'s nickname, display a menu sprite and bring up the characters you can input while nicknaming one), and box names (04) happens to be the best menu in terms of available characters. I may be wrong though.

03 is the unused menu for naming your mother.

(https://i.imgur.com/Nputhrt.png)

Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it it may come up as your player's name.

C5D0 appears to look for where the characters are, and moves them to the other buffer/destination like D8BF (box 1 name). In box names the pointer is CEED. Changing values in the buffer at CEED will print characters on the screen.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 12, 2017, 11:44:23 am
03 is the unused menu for naming your mother.

(https://i.imgur.com/Nputhrt.png)

Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it it may come up as your player's name.

Normally this should go the other way around. :XD:


Mail charset appears to have the most characters. Was hoping to get it available to name boxes.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on November 12, 2017, 11:53:28 am
Mail charset appears to have the most characters. Was hoping to get it available to name boxes.

Oh, I overlooked the mail character set. Thanks! Yeah. C5D4 was 48 while on the mail naming screen, but sadly attempting to name a box came up with the Pokémon nickname screen when 0148D4C5 was enabled instead. :(

In theory though, with some work we can bring up the mail menu with a custom destination with OAM DMA hijacking to execute with TM17, TM25 etc. upon pressing a button (e.g. B) instead. It may not be worth it, but would be interesting to do.

Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 12, 2017, 01:09:38 pm
Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.

I was toying around with the idea of a memory editor GUI for gen 2. In fact, this (http://forums.glitchcity.info/index.php?topic=8133.msg207680#msg207680) project was originally meant for G/S, but for whatever reason I ditched the idea and made it for R/B instead.

I don't see why it wouldn't work, but we would need to find a large portion of unused/mostly unused data, similar to $D901 from R/B/Y.

Also, it's worth noting that the tilemap in G/S works differently from its Gen 1 counterpart. Rather than accepting direct writes to $C3A0 and onward, it is required to call internal subroutine $0F74, with the pointer to the desired tiles in register "de".
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 12, 2017, 03:24:45 pm
As a resident german person here is a pc item code to give you 255 of every TM/HM so you can use them to write your code.
Don't know if this will work on every european language, but it was the same for german and english so there is a good chance that it will work.

Kind of confused here.
To get enough money for 44 Dire Hits I continued playing (up to defeating Red) and the code suddenly stopped working.
Also, using a Lucky Egg-Attract-Quagsire with a simple return code (201 of TM01) crashed my game.

To me this looks like the memory address for TM quantities was changed, but I somehow doubt Nintendo would do this. Need to look a bit more into this one. I'm using VC version so far btw., will try on emulator to check what's going on here.

I think I screwed up somewhere on my first try. Probably deposited an additional TM22 or something.
Anyway, beat up Red again and the Box Item Code to maximize TMs still worked without problems.  :)


Edit:
Successfully executed my code to fill your box on the German VC version. :)
Note: Be careful when withdrawing/releasing a Pokémon created this way. For a previously empty box it shifted some bytes for the remaining Pokémon in the box (item becomes species, etc.) and I'm not sure when it stops.
I'll try to improve the code so this effect vanishes.
Successfully fixed that bug. :) Still trying to improve the code.

Since box name codes aren't available, first use this TM quantity code (Quagsire, Lucky Egg, Attract) to set HM01-HM03 quantities:
Code: [Select]
TM01 62/193 LD A, 20
TM02 32/223
TM03 234/21 LD [b0f5], A
TM04 176/79
TM05 245/10
TM06 62/193 LD A, eb
TM07 235/20
TM08 234/21 LD [b1f5], A
TM09 177/79
TM10 245/10
TM11 62/193 LD A, c9
TM12 201/54
TM13 234/21 LD [b2f5], A
TM14 178/79
TM15 245/10
TM16 201/54 RET
Afterwards, use this slightly adjusted box item code (Quagsire, HP-UP, Sleep Talk) to maximize quantities for TM01-TM49 (leaving HM quantities untouched):
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 30 LD A, C; LD E, 31
X-Attack x 01 LD BC, ...
Any x Any
Great Ball x 38 INC B; LD H, d5
TM22 x 01 LD BC, ...
Any x Any
Poké Ball x 46 DEC B; LD L, 7c
Revival Herb x 03 INC BC
Dire Hit x 44 INC L; INC L
Awakening x 34 INC C; LD [HL+], A
Ice Heal x 03 DEC BC; INC BC
Carbos x 32 DEC E; JR NZ, f9
HM07 x 01 LD BC, ...
Any x Any
TM10 x Any RET
Finally, use this TM quantity code to fill your box:
Code:
TM01 62/193 LD A, 0a
TM02 10/245
TM03 234/21 LD [ff00], A | A->0a
TM04 255/0
TM05 0/255
TM06 62/193 LD A, 01
TM07 01/254
TM08 234/21 LD [ff40], A | A->00
TM09 255/0
TM10 64/191
TM11 33/222 LD HL, 6cad | HL->ad6c
TM12 108/147
TM13 173/82
TM14 1/254 LD BC, 1a00 | BC->001a
TM15 26/229
TM16 0/255
TM17 62/193 LD A, 14 | A->14
TM18 20/235
TM19 87/168 LD D, A
TM20 95/160 LD E, A
TM21 34/221 LD [HLI], A
TM22 62/193 LD A, (species)
TM23 (species)/
TM24 34/221 LD [HLI], A
TM25 21/234 DEC D
TM26 32/223 JR NZ, fc | (Loop back to last LD [HLI], A)
TM27 252/3
TM28 54/201 LD [HL], ff
TM29 255/0
TM30 35/220 INC HL
TM31 87/168 LD D, A
TM32 122/133 LD A, D
TM33 34/221 LD [HLI], A
TM34 62/193 LD A, (item)
TM35 (item)/
TM36 34/221 LD [HLI], A
TM37 62/193 LD A, (move1)
TM38 (move1)/
TM39 34/221 LD [HLI], A
TM40 62/193 LD A, (move2)
TM41 (move2)/
TM42 34/221 LD [HLI], A
TM43 62/193 LD A, $(move3)
TM44 (move3)/
TM45 34/221 LD [HLI], A
TM46 62/193 LD A, $(move4)
TM47 (move4)/
TM48 34/221 LD [HLI], A
TM49 9/246 ADD HL, BC
TM50 29/226 DEC E
HM01 32/223 JR NZ, eb | (Loop Back to LD A, D)
HM02 235/20
HM03 201/54 RET
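The keep/deposit pairs in the listings above (and in the later Keep/Deposit tables in this thread) are just one gbz80 byte per TM slot: keep that many copies of a x255 stack and deposit the rest. The following Python helper is an added example, not code from this thread; it assumes every stack was first raised to x255 (as by the maximize code above) and that bytes are written to TM01..TM50 and then HM01..HM07, and its sample byte string is constructed.

```python
# Added example (not from this thread): encode, decode and parse the
# "keep/deposit" TM quantity notation, e.g. "TM01 62/193".
#
# Assumptions (labelled): every TM/HM stack has been raised to x255 first, so
# keeping b copies means depositing 255 - b; bytes fill the slots in the
# order TM01..TM50 followed by HM01..HM07.
from typing import Iterable, List, Optional, Tuple

STACK_MAX = 255
SLOTS: List[str] = [f"TM{i:02d}" for i in range(1, 51)] + [f"HM{i:02d}" for i in range(1, 8)]

Row = Tuple[str, int, int]  # (slot name, keep, deposit)


def encode_keep_deposit(code: bytes, start_slot: str = "TM01") -> List[Row]:
    """Turn a gbz80 byte string into (slot, keep, deposit) rows, one byte per slot."""
    first = SLOTS.index(start_slot)  # ValueError for an unknown slot name
    free = len(SLOTS) - first
    if len(code) > free:
        raise ValueError(f"{len(code)} bytes do not fit in {free} slots from {start_slot}")
    return [(SLOTS[first + i], b, STACK_MAX - b) for i, b in enumerate(code)]


def decode_keep_deposit(rows: Iterable[Row]) -> bytes:
    """Inverse of encode_keep_deposit.

    Rejects a pair that does not sum to 255 (a typo in a listing would
    otherwise silently change the opcode) and slots that are out of sequence.
    """
    out = bytearray()
    expect: Optional[int] = None
    for slot, keep, deposit in rows:
        if slot not in SLOTS:
            raise ValueError(f"unknown slot {slot!r}")
        index = SLOTS.index(slot)
        if expect is not None and index != expect:
            raise ValueError(f"slot {slot} is out of sequence")
        if not 0 <= keep <= STACK_MAX or keep + deposit != STACK_MAX:
            raise ValueError(f"{slot} {keep}/{deposit}: keep + deposit must equal 255")
        out.append(keep)
        expect = index + 1
    return bytes(out)


def parse_listing(text: str) -> List[Row]:
    """Parse lines like 'TM03 234/21 LD [b0f5], A'; the comment after the pair is ignored.

    Lines without a slot/pair (headers, notes) are skipped; an unfilled
    placeholder such as 'TM23 (species)/' raises instead of dropping a byte.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SLOTS or "/" not in parts[1]:
            continue
        keep_s, deposit_s = parts[1].split("/", 1)
        try:
            keep, deposit = int(keep_s), int(deposit_s)
        except ValueError as exc:
            raise ValueError(f"{parts[0]}: fill in the placeholder {parts[1]!r}") from exc
        rows.append((parts[0], keep, deposit))
    return rows


def format_listing(rows: Iterable[Row]) -> str:
    """Render rows in the thread's 'TMxx keep/deposit' style."""
    return "\n".join(f"{slot} {keep}/{deposit}" for slot, keep, deposit in rows)


# Constructed sample: the opening bytes of a wrong-pocket TM code in the style
# of the thread (ld a,$0a / ld [..],a / xor a / ld [..],a / ret).
SAMPLE_CODE = bytes.fromhex("3e0a ea0000 af ea0040 c9")


def demo() -> str:
    """Encode the sample, check the round trip, and return the listing text."""
    rows = encode_keep_deposit(SAMPLE_CODE)
    if decode_keep_deposit(rows) != SAMPLE_CODE:
        raise AssertionError("round trip failed")
    return format_listing(rows)


if __name__ == "__main__":
    print(demo())
```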
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 13, 2017, 08:23:06 am
I believe I have successfully translated my "Get All Badges" code into French. If anyone wouldn't mind testing this, please tell me if it works.

Get All Badges (French version):
Apu'Dés'25
pu'Eéu'209
55555555
éA(female)éA(female)08
u'9m'55555
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 13, 2017, 08:42:00 am
It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!

It does only give Johto badges though, but that was also in the original code, right?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 13, 2017, 09:18:39 am
It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!

It does only give Johto badges though, but that was also in the original code, right?

Yes, this was the original code.

It was intended to grant all badges but for whatever reason this doesn't work, on the English version or otherwise.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 13, 2017, 10:33:02 am
Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.

All Wild Pokemon have flawless DVs (French version):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

If you would like to test this on emulator, wild Pokemon DVs are located at $D0F5-$D0F6. If both these values are $FF, then the code was successful.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 13, 2017, 11:16:39 am
The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.
Code:
ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]

Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.

According to some BGB testing mailbox data starts in SRAM bank 0 at $a834 with the current mailbox count (consistent with the Crystal SRAM disassembly (https://github.com/pret/pokecrystal/blob/master/sram.asm)).
Afterwards the first message starts. Between Message 1 and 2 there are some bytes which probably hold extra data like mail type and source name.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 13, 2017, 03:06:09 pm
For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 13, 2017, 03:36:05 pm
For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it?

Quite a neat quantity, thank you for finding it!

Unfortunately, my memory editor exceeded 200 bytes. I'm certain I can take some liberties here and there but it's still quite the task.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 13, 2017, 06:07:30 pm
Try checking a bit before. Maybe some memory before DF00 is also unused.
If your editor's size is less than 256 bytes, that's better ('cause it could be copied using a 1-byte length loop, which is slightly easier to program)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 14, 2017, 04:32:31 am
Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.

AFAIK it does (otherwise my translation of your catch 'em all code wouldn't have worked, right?) but I'll test your code today, just to be sure :p
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 14, 2017, 06:46:12 am
Made a quick test with available mail characters. Inputting basically every special character (see attachment) yielded the following memory in SRAM:
Code:
E1 E2 70 71 EA EF F5 F0 75 F1 E7 E6 F4 7F E8 E3 4E F3 72 73 9E 9F E0 9C 9D D0 D1 D2 D3 D4 D5 D6 E9 86 8E 8B 83 50
Note: Player Name is Gold.
It appears as long as you use every character the mail is not terminated by a 50h, but is directly followed by its type and the name of the sender.
Also, there is a 4e in the middle to cause a line break.
Aside from various commands to load the different registers into (hl) (the 7x bunch) I don't see anything useful added. And even those are hard to use, since you can't influence these registers with character code.  :-\

Edit:
oh, accidentally attached twice.  ::) Sorry.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on November 14, 2017, 06:47:37 pm
You can set b and d by pushing and popping cleverly. I agree it doesn't add much, but it still has potential if a large script is ever needed, such as a GUI memory editor (offgao's being the reference for this in Gen I)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 15, 2017, 11:19:34 am
Hey all, I remade my Catch 'em all code into a TM quantity script. It is considerably more lengthy, but it has some benefits over the original.

First, use Evie's x255 TM code.

After which, spell the following opcodes with TM quantities:

Keep/Deposit:
62/193
(SpeciesId)/(255 - SpeciesId)     // This quantity will be reset to 255 after Wrong Pocket is executed
234/21
247/8
248/7
62/193
237/18
234/21
249/6
248/7
175/80
61/194
234/21
127/128
245/10
201/54

Then, write the following box name code:

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: p'vCé?255
Box 5: 5p'mA(female)555
Box 6: (Doesn't matter)
Box 7: p0AéA'dyy
Box 8: p0éé(female)'dyy
Box 9: p0ké0'dp'd
Box 10: p0A'vxéJ9
Box 11: p'dyyyyyy

Finally, execute wrong pocket. Your desired Pokémon will be found in the wild with 100% encounter rate.

With the old code, if the desired Pokémon's ID is lower than $7f, you had to change a box name and add $7f to the species id. With the new code, no special adaptations are necessary for any Pokemon. Another flaw that plagued the old code was that it was required to SAVE/RESET to shut it off. To shut off the new code, simply replace Box 9 with:

yyyyyyyy

After this, the OAM DMA will patch itself thanks to code written at Box 10-11, and it will be safe to write other box name codes in the Box 7-12 region.

The old code may be preferable due to length, but this is here if one would rather use it. :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 16, 2017, 03:55:12 am
It's good to have many possibilities to do the same thing :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character. For the French version, I had to use 5 different variations of the code (basically the original one, the 'sub 7f' one, and three other subs with different values) to get them all. I'm assuming it can be improved to 4 codes somehow. It would be great anyway to have the full coverage for the English version too :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 16, 2017, 06:54:26 am
Thank you! :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character.

Yep. There were some Pokemon (Hex $d8, to name one) that couldn't be obtained with the $7f trick. Any Pokemon who fit into that category had to be obtained with clever use of integer underflow (For example, Hex $d8 could be obtained using $80 - $a8). That was a pain, so hopefully this new code fixes that. :)

As for French translations, it may take me a while to translate this new code, but I'm certain it should still work.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 19, 2017, 03:07:47 pm
Needed a break from playing Ultra Moon, so here is a new code to actually use Mail data.
So far this code is only able to use one Mail since for more you'd need to also skip trainer name data.

The code is an item code, so I can also use it on the German version. This also enables text based codes, even though they are still complicated (no sub/add instruction).
To execute item codes use a Quagsire holding a HP Up with Sleep Talk as its first move after your Slide-Pokémon.

First, here are two short item codes to get the required items:

Box Item 1 quantity changed to 255:
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 03 LD A, C; INC BC
TM42 x 24 LD [18d6], A
TM23 x 03 INC BC
TM10 x Any RET

Change Box Item 1 to any item you want:
Code:
Any x Any
Any x 03 INC BC
PP-Up x {item} LD A, {item}
TM42 x 23 LD [17d6], A
TM23 x 03 INC BC
TM10 x Any RET

And now to the big one:
Copy the message of the first mail in your PC to the end of box names and execute them. If you only want to copy them without execution replace the final TM41 (JP [HL]) with TM10 (RET).
Code:
Any x Any
Any x 62 LD A, 0a
Burn Heal x 234 LD [1201], A
Potion x 01
Full Restore x 01 LD C, 01
Paralyz Heal x 121 DEC C; LD A, C
TM42 x 01 LD [0140], A
Max Ether x 03 INC BC
X-Accuracy x 60 LD HL, 3cd9
TM26 x 17 LD DE, 55a8
Red Apricorn x 168
Brightpowder x 06 INC BC; LD B, 01
Master Ball x 14 LD C, 10
Hyper Potion x 26 LD A, [DE]
Protein x 50 DEC DE; LD [HLD], A
Paralyz Heal x 32 DEC C; JR NZ, fa
HM08 x 27 DEC DE
Poké Ball x 32 DEC B; JR NZ, f4
HM02 x 01 LD BC, ...
Any x Any
Great Ball x 35 INC B; INC HL
TM41 x Any JP [HL]

Note that box name terminators are also overwritten, so the copied box names probably look glitchy.
All codes from this post are for wrong-pocket-TM execution, since they are mostly meant for non-English games where Coin Case ACE is not possible.



Edit:
Looked into it some more.
After the mail message there are 10 bytes (including 50h terminator if name is shorter (which it should be)) which appear to be used for the name of the sender.
Afterwards are 4 bytes with info on the type of the mail. A surf mail produces F3 74 F9 B5 while a flower mail gives F3 74 A3 9E.
Afterwards, the next mail starts with its message.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 26, 2017, 10:37:03 am
Here is a code to copy the messages of your first four mails in your mailbox/pc into box names (and a few bytes after) and execute them afterwards. (Edit: turns out VC doesn't like execution) (Edit²: turns out me being stupid doesn't help avoiding VC peculiarities)
With this, execution of text-based code for the German version is at least possible (yay for é; ignore the fact that using clever use of call it might have been already), even though it's still difficult (no sub/add).

TM quantity code for wrong-pocket-TM execution (Quagsire, Lucky Egg, Attract):
Code:
Copy content of Mail 1-4 to box names (and a few bytes after) and execute it
format: keep/deposit code
TM01 62/193 ld a, 0a
TM02 10/245
TM03 234/21 ld [0000], a
TM04 0/255
TM05 0/255
TM06 175/80 xor a
TM07 234/21 ld [0040], a
TM08 0/255
TM09 64/191
TM10 1/254 ld bc, f0a8 (Mail Data End; before start of Message 5)
TM11 240/15
TM12 168/87
TM13 33/222 ld hl, 3ef9 (a bit after box names)
TM14 62/192
TM15 249/6
TM16 22/233 ld d, 04
TM17 4/251
TM18 205/50 call 97f5 (.copymail)
TM19 151/104
TM20 245/10
TM21 21/234 dec d
TM22 32/223 jr nz, fa (TM18)
TM23 250/5
TM24 35/220 inc hl
TM25 233/22 jp [hl]
TM26 30/225 ld e, 0e | .copymail -> d597
TM27 14/241
TM28 11/244 dec bc
TM29 29/226 dec e
TM30 32/223 jr nz, fc (TM28)
TM31 252/3
TM32 205/50 call a5f5 (.copyline)
TM33 165/90
TM34 245/10
TM35 11/244 dec bc
TM36 205/50 call a5f5 (.copyline)
TM37 165/90
TM38 245/10
TM39 201/54 ret
TM40 30/225 ld e, 10 | .copyline -> d5a5
TM41 16/239
TM42 10/245 ld a, [bc]
TM43 50/205 ld [hld], a
TM44 11/244 dec bc
TM45 29/226 dec e
TM46 32/223 jr nz, fa (TM42)
TM47 250/5
TM48 201/54 ret

As a quick proof of concept, this message for your first mail changes the beginning character of Box 7 to ¥ (pokédollar symbol; used as replacement here).
Code:
p0¥é♀2Ä
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on November 26, 2017, 11:55:30 am
That's very nice, we could add that to the newcomers guide!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on November 26, 2017, 12:28:13 pm
Currently testing this a bit and VC doesn't seem to like the execution part of this code. It restarts with wonky colors, changes your options and mailbook upon reloading. Also I apparently beat the elite 4 once which was the 80th time with a bunch of slowbros and a zapdos.  :o
I replaced the jp [hl] instruction with a ret statement to simply copy it towards box names which then can be executed as normal (or with the Quagsire holding TM01 instead of TM02 to start with character 1).

At least for now I didn't notice any negative side effects.


If you add this to the beginners guide you should also include the part about how to maximize TM/HM count presented here (http://forums.glitchcity.info/index.php?topic=6716.msg207662#msg207662).
And maybe include the ability to increase/decrease deposit quantities by 10 via left/right input. I totally forgot about it and re-finding it made things way easier.
TM-codes are still a pain to set up ingame, though.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on November 26, 2017, 04:48:50 pm
VC probably won't like anything that involves SRAM
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on December 10, 2017, 01:30:23 pm
luckytyphlosion told me about a temporary mail buffer and after poking I found it to be at $ceed (same for English and German, probably other European versions as well).

It is reset after reloading and contains the data from the mail last written or read (maybe also on transfer to PC, forgot to test this one).
For most shorter codes this is probably the preferred way to write text-based code. You only have to account for a 4e character after the first line (16 bytes) of text.
This also allows you to store a few different codes and cycle through them without constant rewriting.

To execute you would either have to teach your Quagsire False Swipe as a first move (can't learn naturally) and give it a TM45 or use this box item code:
Code:
Any x Any
Any x 195
TM45 x 206
For the English version (possibly others) there also exists this box name code:
Code:
1) A p 0 z'v 1 5 5 XOR A; OR b9; SUB f7; EI; EI; LD D, B | A->ce
2) é'r 2'vPk é'm 2 LD [d3f8], A; SUB e1; LD [d2f8], A; LD D, B | A->ed
3)'m ^ ^ JP NC, {edce}


Also to note about my previous code:
I swapped registers for some reason, so it still was execution in SRAM. Direct execution after copying might be possible after all.
Will add results once I've tested this with corrected registers.

Edit:
Using the right registers direct execution works. I'll edit my original post.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on December 13, 2017, 12:54:21 pm
Hey, I have a question. I have a code from a video for getting to level 98 with bag items:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x49
- TM12 x1
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

Or level 99 with:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x99
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

The problem is, I can't use these on Unown, due to the code changing DVs as well, and that's what the Unown shapes are based on, so how do I modify these codes to get to level 98/99 without changing DVs so my Unown remain the same letters, and I can level them all up?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on December 13, 2017, 12:55:49 pm
Hey, I have a question. I have a code from a video for getting to level 98 with bag items:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x49
- TM12 x1
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

Or level 99 with:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x99
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

The problem is, I can't use these on Unown, due to the code changing DVs as well, and that's what the Unown shapes are based on, so how do I modify these codes to get to level 98/99 without changing DVs so my Unown remain the same letters, and I can level them all up?

make that pc items for coin case.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on December 13, 2017, 02:03:08 pm
Hi. :)

I'm unsure how to modify it as the parts that modify the other addresses seem to take up a significant portion of the code.

I have this though for the Sleep Talk as move 1 Quagsire holding a Protein:

(ANY ITEM) x(ANY)
(ANY ITEM) x(ANY)
X Accuracy x73
TM27 x1
(ANY ITEM) x(ANY)
Great Ball x62
Wht Apricorn x1
(ANY ITEM) x(ANY)
Leaf Stone x1
(ANY ITEM) x(ANY)
Great Ball x38
TM22 x1
(ANY ITEM) x(ANY)
Great Ball x46
Lovely Mail x1
(ANY ITEM) x(ANY)
Poké Ball x5
Poké Ball x62
X Accuracy x5
Super Rod x1
(ANY ITEM) x(ANY)
Poké Ball x9
Poké Ball x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANY ITEM) x(ANY)
TM41 x1

This code will set your first Pokémon's level to 97 and replace item 1 with Rare Candies, and do nothing else.

Raw bytes in case anybody wants them:
@D61B:

21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9

Hope this helps!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Storyreader21 on December 13, 2017, 06:09:44 pm
Hi. :)

I'm unsure how to modify it as the parts that modify the other addresses seem to take up a significant portion of the code.

I have this though for the Sleep Talk as move 1 Quagsire holding a Protein:

(ANY ITEM) x(ANY)
(ANY ITEM) x(ANY)
X Accuracy x73
TM27 x1
(ANY ITEM) x(ANY)
Great Ball x62
Wht Apricorn x1
(ANY ITEM) x(ANY)
Leaf Stone x1
(ANY ITEM) x(ANY)
Great Ball x38
TM22 x1
(ANY ITEM) x(ANY)
Great Ball x46
Lovely Mail x1
(ANY ITEM) x(ANY)
Poké Ball x5
Poké Ball x62
X Accuracy x5
Super Rod x1
(ANY ITEM) x(ANY)
Poké Ball x9
Poké Ball x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANY ITEM) x(ANY)
TM41 x1

This code will set your first Pokémon's level to 97 and replace item 1 with Rare Candies, and do nothing else.

Raw bytes in case anybody wants them:
@D61B:

21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9

Hope this helps!

Hey, in this, the great balls and pokeballs, are in multiple spots, how do I get them there?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on December 13, 2017, 06:14:29 pm
Hey, in this, the great balls and pokeballs, are in multiple spots, how do I get them there?

Either by other ACE shenanigans or by depositing 99 of said item and then depositing some more. Afterwards withdraw to the desired amount and be careful while swapping to not merge them (swap next to another stack of the same item).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on December 28, 2017, 09:19:23 pm
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on January 19, 2018, 08:27:21 am
Here, have a CartSwap setup!

Code:
A p é 7 2 é ? 2

é & 2 'v 9 é 8 2

p 'v * é (male) 2 / /

é * 2 / / / / p

0 (pk) é A 9 4 A 9

/ / ? A 8 A / /

'm (pk) 2 p 's A (female) 'm

This is compatible with either the Coin case setup or Wrong Pocket

In gbz80, that's:
Code:
xor a ; a = 0
ld ($f8fd),a ; self-mod
ld ($f8e6),a ; self-mod
ld d,b ; end-terminator
ld ($f8e9),a ; self-mod
sub $FF ; a = 1
ld ($f8fe),a ; self-mod
ld d,b ; end-terminator
xor a ; a = 0
sub $F1 ; a = $0f
ld ($f8ef),a ; self-mod
di ; Disable ints. If they are active during cartswap, and an int is requested, unwanted code may be executed
di ; padding
ld d,b
ld ($f8f1),a ; self-mod
di ; padding
di ; padding
di ; padding
di ; padding
.loop:
xor a ; a = 0
ld d,b ; end-terminator
or $e1 ; a = $e1
ld ($ff00),a ;  Enable polling for Directional buttons. Didn't use "ldh", as it isn't char-representable
ld a,($ff00) ; Receive results of poll
ld d,b ; end-terminator
di ; padding
di ; padding
and $0f ; I don't care about the upper nibble
cp $0f ; Compare with $0f
di ; padding
di ; padding
ld d,b ; end-terminator
jp nc, .loop ; If the carry flag wasn't set by the compare, jump back. (Didn't use "jr", not char-representable)
xor a ; a = 0, reset flags
call nc,$F580 ; Call the third TM quantity. ENSURE THE CARRY FLAG IS NOT SET IN YOUR FUNCTION
jp nc,$0100 ; Boot into whatever game is loaded now

Basically what this does is it waits for any button on the D-Pad to be pressed, call a function written starting at TM03, and then reboots the game. During this time, you can swap the cartridges and write to SRAM.

"So what do I write to TM03?" - That's where you come in!

In gen2, TM quantities (Starting from TM03) grants you 48 bytes to write your own code to alter the SRAM of other games.

Not sure what to do? Here's an example:
Code:
TMs    Keep/Deposit
TM01   Any
TM02   Any
TM03   38/217
TM04   10/245
TM05   116/139
TM06   38/217
TM07   64/191
TM08   46/209
TM09   1/254
TM10   117/138
TM11   62/193
TM12   21/234
TM13   234/21
TM14   193/62
TM15   176/79
TM16   234/21
TM17   211/44
TM18   176/79
TM19   22/233
TM20   1/254
TM21   21/234
TM22   1/254
TM23   139/116
TM24   15/240
TM25   33/222
TM26   152/103
TM27   165/90
TM28   42/213
TM29   130/125
TM30   87/168
TM31   11/244
TM32   120/135
TM33   177/78
TM34   32/223
TM35   248/7
TM36   122/133
TM37   47/208
TM38   234/21
TM39   35/220
TM40   181/74
TM41   201/54

Raw bytes:
Code:
$D580 / 26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0
16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20
f8 7a 2f ea 23 b5 c9

To use:

1. In Pokemon Red/Blue, ensure you have the first pokemon in your current box be a disposable one
2. Setup your box name and TM quantities as above
3. Use the coin case or wrong pocket
4. (On BGB, this is accomplished with "Load ROM without reset") Swap into Pokemon Red/Blue (maybe Yellow, I'm not sure)
5. Press any button on the D-Pad

When you boot into Pokemon R/B, the first Pokemon in your box should now be Mew. (The name will remain unchanged)

In my opinion, this is a bit easier to deal with than Gen 1 cartswap.

Enjoy!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Evie the Mother Hen ☽ ❤ on January 19, 2018, 11:22:12 am
Amazing :)

So, a couple of questions as I've never done much cartswapping before.

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)? How would you do this for Yellow and Crystal?

Thanks.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on January 19, 2018, 11:34:19 am
Amazing :)

Thanks!

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)

Modifying $A598-$B522 would require a checksum fix at $B523. Though I'm not certain if this is checked, the box data in banks 2-3 have their own checksums. These need not be modified if you only care about the current box, however.

How would you do this for Yellow and Crystal?

In Yellow, I believe SRAM data is not shifted. Don't quote me on that, though, because I'm not 100% certain. I just checked Pokeyellow, and it seems my setup for Mew will still work! :)

As for Crystal, I'm not certain. I don't think data is shifted in Crystal to an extent that would prevent this from working but once more I'm not 100% certain as I currently lack a Crystal ROM
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on January 23, 2018, 12:31:47 pm
The shift only applies to WRAM (starting at $CF00). Everything before that point is just the same in all non-Japanese Red, Blue and Yellow :)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on January 26, 2018, 02:03:15 pm
Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on January 26, 2018, 02:11:27 pm
Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555

Replace box 7 with "p'd"
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: hobgoblinpie on January 26, 2018, 03:15:32 pm
Perfect, thanks!
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on February 21, 2018, 11:56:39 pm

This should give you 255 of the first item in your item pack.

Box1: A p 0 9 é z 't x
Box2: 'd


Been trying to do this on english VC and for the life of me I can't get it to work for me. I even did spamviech's slider pokemon method and I still just crash every time. I have no idea what I've done wrong here... assuming this is a tm25 code of course. I have done ones I know are TM25 codes and I can't get any of them to work, though.

If I use them with Sanqui (my old slide pokemon that worked for coin case ACE, named after Sanqui of course) the game freezes on the item screen with no change and the music still playing (softlock), but if I do it with the other slider 'mon, it resets into a glitch dimension

edit: the glitch dimension thing is because Quagsire needs to be in slot 4 with spamviech's slider pokemon method I believe. When I do that it freezes the same way as it does with Sanqui. Whoops! That's one question answered.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on February 22, 2018, 06:51:11 am
Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is
Code:
A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on February 23, 2018, 02:43:58 am
Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is
Code:
A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd


I said assuming it was a TM25 code - I WAS using it with TM25. Just TM25 refuses to work properly for me it seems.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on February 23, 2018, 06:03:31 am
The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on February 23, 2018, 09:03:12 am
The slide Pokémon I provided works specifically for Coin Case. If you're using TM25, not only does execution start at the second Pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25 slide Pokémon, so you either have to use the Coin Case or try your luck with random low levels.


The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on February 23, 2018, 09:43:26 am
Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on February 25, 2018, 02:48:56 am
The slide Pokémon I provided works specifically for Coin Case. If you're using TM25, not only does execution start at the second Pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25 slide Pokémon, so you either have to use the Coin Case or try your luck with random low levels.


The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

That's what I suspected. I REALLY should get around to learning the assembly code for this... but I'm lazy. Though, I'd like to have the ACE for a working TM25 slide Pokémon. 'Till then I'm gonna go find myself a temporary slide Pokémon, since that's the only thing I can see in my case that could be wrong here (I wrote the box name code correctly and put the Quagsire [holding TM02 and with Return as the first move] and slide Pokémon in the correct places in slots 3 and 2 respectively).

Thanks!

I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?

Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the Coin Case a lot yesterday with the same slide Pokémon and walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches; when you repeat that enough times you're certainly walking a good number of steps, but my slide Pokémon still worked. And today I was using the hatched Togepi as a slide Pokémon as a test and it worked, so I would certainly recommend freshly hatched Pokémon.

As for your question, I haven't messed around with shiny codes yet, but if the first code changed the egg to shiny and then you changed the Pokémon species then it should still be shiny, as that is determined by the DVs which are made when you use your shiny code.
Not quite. Even if your slide's happiness value increases, it doesn't matter too much unless it reaches a malicious opcode. What I mean by that is any opcode that changes code flow (call, ret, jp, jr), any opcode that stops the CPU (stop, and MAYBE halt, I'm not quite sure), any op that messes with the stack (inc sp, push, pop, ld sp, rst, etc.), any invalid ops ($D3, $DB, $DD, $E3, $E4, $EB, $EC, $ED, $F4, $FC, $FD), and "di".

The Happiness value increments upon walking 256 steps, and when freshly caught, has a value of $00. The first "malicious" opcode it encounters is "stop", which is hex $10. So, a freshly caught slide Pokémon is considered "broken" after 4096 steps. However, you can easily set this value to $11 (ld de,$xxyy) by walking 256 more steps. So if you find that your slide has stopped working, walk 256 more steps and see if that fixes it.

Also, it is worth noting that happiness is not the only thing that affects slide pokemon.
Here's a list of all factors that affect slide pokemon:

Attack EV
Defense EV
Speed EV
Special EV
Attack/Defense IV
Speed/special IV
PP of current moveset
Happiness/Hatch Time
Pokerus
Caught Information
Level
Status
HP
Max HP
Attack
Defense
Speed
Special Defense
Special Attack - Must correspond to an instruction that is one byte long, otherwise the jump instruction that executes your code will be absorbed!

I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on February 25, 2018, 09:51:33 am
Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.

Ah, so they don't.
I always forget since I never had to use them other than after specifically setting them (i.e. by a dec statement).

I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.

Not contain any values that interrupt execution, jump somewhere else or set a random byte.
In general you're fine with values <10.
If you plan to look at values anyway I'd advise using TM17 instead of TM25. IIRC it starts execution somewhere in the stats of Pokémon 1 (i.e. slide as first, Quagsire as second) instead of some invisible value of Pokémon 2.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on March 01, 2018, 06:26:47 pm
So, avoiding things like unwanted SUB, ADD and JMP instructions for example then. Fair enough! The more I think about this the more I am convinced I need to learn the Game Boy assembly (modified version of Z80 IIRC). Not like it'd even be the first assembly language I've learned.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Epsilon on March 01, 2018, 07:49:05 pm
Trust me, if you already understand assembly at least to an extent, Gbz80 will be a cakewalk.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Haircoolass on March 02, 2018, 05:41:40 am
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Hey there, I'm pretty new to the world of ACE glitches in Gen 2.

I used the wild shiny celebi-glitch yesterday and wanted to try this code to multiply some items.
My questions are: how do I use this code in the quote? Is it for Coin Case or TM25?
And in case of using TM25, do I always need to have Quagsire as my 3rd mon and my slide Pokémon (I use the traded Onix "Rocky") in the 2nd slot?
Is there a way I can identify whether a code is meant for TM25 or Coin Case?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Krys3000 on March 02, 2018, 08:16:52 am
There is an explanation of the differences between Coin Case and TM codes in a few replies to the newcomers guide to G/S/C ACE (https://forums.glitchcity.info/index.php?topic=8126.0). You will basically read there what is needed in a Coin Case code compared to TM codes so you can see if a code is designed for Coin Case.

Also, I wonder why people keep doing the TM25 setup. Preparing TM17 for ACE is easier...
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on March 23, 2018, 10:45:29 pm
add 1 to id of item 1 (early game viable version)
Uses stored items starting from stored item 3. Requires Quagsire with Sleep talk as first move and holding protein.

Item 3: poke ball x 38
Item 4: TM 23 x 04
Item 5: Fresh Water x 23
Item 6: X speed x 04
Item 7: TM10 x any

Code:
dec b
ld h,d6
inc b
ld l,17
inc (hl)
inc b
ret

lots of filler but this way you don't require anything you can't easily get early game (use torchicken's get all tms and hms code, or the modified 255x version, first for the tms).

The best thing about this is it's easy to change to decrement, or to change to item 1 quantity. To make it decrement boxed item 1's id by 1, change X Speed to X Special. To make it increment item 1 quantity, make it Fresh Water x 24. To make it decrement item 1's quantity, do both. Note you can use this to get pretty much any item setup you will need, ever (withdraw all but 1 of the item in slot 1, decrement twice, withdraw all but the amount you need). However, I'd use it to get certain things and then do a more efficient setup once you had what you needed for said more efficient setup.

For example:

Write to any byte in memory by Wack0, ported by Azarokkusu


Same Quagsire setup here.

Item 3: Full Heal x XX ; XX = higher byte of address you're going to write to
Item 4: Fresh Water x XX ; XX = lower byte of address you're going to write to
Item 5: PP up x XX ; XX is value you want to write
Item 6: Focus Band x 201


Code:
ld h,xx
ld l,xx
ld a,xx
ld (hl),a
ret

You could do 1 less item with Coin Case x (value you want to write), but then you can't see what that value is because it's a key item.



Here's a sprawling code to set the quantity of all your items in your Items and Balls pockets to 0 AND all your HMs and TMs to a quantity of 255. Note you can't have 0 of a TM in your TM pocket or it doesn't show up, but you CAN have 0 of a TM in your box. This is due to it storing inventory TMs only as quantities, but box items as ID and quantity. Also, getting ? (id $0) is incredibly easy if you already underflowed your Ball pocket, but is also doable with the above code.

Same Quagsire setup again

item 3: X Accuracy x 183
item 4: TM22 x 6
item 5: Repel x 62
item 6: Master Ball x 61
item 7: Dire Hit x 44
item 8: ? x 119
item 9: Poke Ball x 184
item 10: TM04 x 35
item 11: TM23 x 0
item 12: X Accuracy x 252
item 13: TM22 x 6
item 14: Awakening x 184
item 15: Dire Hit x 44
item 16: ? x 119
item 17: Poke Ball x 184
item 18: TM04 x 51
item 19: TM23 x 0
item 20: X Accuracy x 125
item 21: TM22 x 6
item 22: X Special x 4
item 23: Great Ball x 04
item 24: Great Ball x 184
item 25: Dire Hit x 119
item 26: X Special x 5
item 27: ? x 184
item 28: TM04 x 71
item 29: TM23 x 201

Note the tm04s here are the normal one ($c2), not the one that does nothing ($c3).

Code:
ld hl,d5b7
ld b,14
ld a,01
dec a
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d623
nop
ld hl,d5fc
ld b,0c
cp b
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d633
nop
ld hl,d57d
ld b,35
inc b
inc b
inc b
inc b
cp b
inc l
ld (hl),a
dec (hl)
dec b
nop
cp b
jp nz,d647
ret

The nops can be replaced with inc d, dec c etc. (since we don't use c, d etc.), but I used nop simply because 1. it's easy to get high amounts of ? and 2. I wasn't sure if I'd have to re-write the number of items in each inventory, since I had a problem with that earlier where it wrote FF to the bytes you initially set hl to in each setup phase. However that problem is gone now.
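The two translation steps the thread relies on, box-name characters to bytes (Epsilon's reading of Skeef's code earlier in the thread) and item id/quantity pairs to bytes (the codes in this post), as an added Python example that is not code from the thread. The character values are the Gen 2 text table from the pokecrystal disassembly; the item IDs are the ones these listings imply; the target address $d016 and value $42 are constructed sample quantities, and the interpreter models only the registers, flag and opcodes these codes use.

```python
# Gen 2 text table (the part of pokecrystal's charmap the box-name editor can type).
CHARMAP = {"(space)": 0x7F, "é": 0xEA, "'": 0xE0, "-": 0xE3, "?": 0xE6,
           "!": 0xE7, ".": 0xE8, "×": 0xF1, "/": 0xF3, ",": 0xF4,
           "(male)": 0xEF, "(female)": 0xF5}
CHARMAP.update({c: 0x80 + i for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")})
CHARMAP.update({c: 0xA0 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")})
CHARMAP.update({str(d): 0xF6 + d for d in range(10)})
CHARMAP.update({"'" + c: 0xD0 + i for i, c in enumerate("dlmrstv")})
TERMINATOR = 0x50  # the game stores $50 ("ld d,b") after every box name

# Item IDs as implied by the item-code listings (Poke Ball = dec b = $05, ...).
ITEM = {"Poke Ball": 0x05, "Full Heal": 0x26, "Fresh Water": 0x2E,
        "X Speed": 0x34, "X Special": 0x35, "Coin Case": 0x36, "PP Up": 0x3E,
        "Focus Band": 0x77, "TM04": 0xC2, "TM10": 0xC9, "TM23": 0xD6}

# GBZ80 opcodes used by the codes in this thread: byte -> (mnemonic, length).
OPS = {0x00: ("nop", 1), 0x04: ("inc b", 1), 0x05: ("dec b", 1),
       0x26: ("ld h,$%02x", 2), 0x2E: ("ld l,$%02x", 2), 0x34: ("inc (hl)", 1),
       0x35: ("dec (hl)", 1), 0x36: ("ld (hl),$%02x", 2), 0x3E: ("ld a,$%02x", 2),
       0x50: ("ld d,b", 1), 0x77: ("ld (hl),a", 1), 0x80: ("add b", 1),
       0xAF: ("xor a", 1), 0xB7: ("or a", 1), 0xC9: ("ret", 1), 0xD0: ("ret nc", 1),
       0xD6: ("sub $%02x", 2), 0xEA: ("ld ($%04x),a", 3), 0xF6: ("or $%02x", 2), 0xFB: ("ei", 1)}

def box_names_to_bytes(boxes):
    """boxes: box names as space-separated charmap tokens, in box order."""
    out = bytearray()
    for name in boxes:
        out += bytes(CHARMAP[tok] for tok in name.split())
        out.append(TERMINATOR)
    return bytes(out)

def items_to_bytes(items):
    """items: (name, quantity) pairs; a pocket stores each item as id, qty."""
    return bytes(b for name, qty in items for b in (ITEM[name], qty))

def decode(code, pc):
    """Return (opcode, mnemonic, immediate, length) of the instruction at pc."""
    op = code[pc]
    mnem, n = OPS.get(op, ("db $%02x" % op, 1))
    imm = (code[pc + 1] if n > 1 else 0) | (code[pc + 2] << 8 if n > 2 else 0)
    return op, (mnem % imm if n > 1 else mnem), imm, n

def disassemble(code):
    """Decode until the first ret/ret nc; bytes outside OPS are shown as db."""
    pc, lines = 0, []
    while pc < len(code):
        op, mnem, _, n = decode(code, pc)
        lines.append(mnem)
        pc += n
        if op in (0xC9, 0xD0):
            break
    return lines

def run(code, mem=None):
    """Minimal model of A, B, HL and carry; returns memory {addr: value} at ret."""
    mem, a, b, h, l, carry, pc = dict(mem or {}), 0, 0, 0, 0, False, 0
    while pc < len(code):
        op, _, imm, n = decode(code, pc)
        hl = h << 8 | l
        if op == 0x80: carry = a + b > 0xFF; a = (a + b) & 0xFF
        elif op == 0xAF: a, carry = 0, False
        elif op == 0xB7: carry = False
        elif op == 0xF6: a, carry = a | imm, False
        elif op == 0xD6: carry = imm > a; a = (a - imm) & 0xFF
        elif op == 0xEA: mem[imm] = a
        elif op == 0x26: h = imm
        elif op == 0x2E: l = imm
        elif op == 0x3E: a = imm
        elif op == 0x36: mem[hl] = imm
        elif op == 0x77: mem[hl] = a
        elif op == 0x34: mem[hl] = (mem.get(hl, 0) + 1) & 0xFF
        elif op == 0x35: mem[hl] = (mem.get(hl, 0) - 1) & 0xFF
        elif op == 0x04: b = (b + 1) & 0xFF
        elif op == 0x05: b = (b - 1) & 0xFF
        elif op == 0xC9 or (op == 0xD0 and not carry): return mem
        elif op not in (0x00, 0x50, 0xD0, 0xFB):  # nop, ld d,b, ei, ret nc not taken
            raise ValueError("opcode $%02x at offset %d is not modelled" % (op, pc))
        pc += n
    raise ValueError("ran off the end of the code without a ret")

# Skeef's TM25 code as written in the thread (box 1, box 2).
SKEEF = box_names_to_bytes(["A p 0 9 é z 't x", "'d"])
# The "write any byte" item code above with constructed quantities: $42 -> $d016.
WRITE_BYTE = items_to_bytes([("Full Heal", 0xD0), ("Fresh Water", 0x16),
                             ("PP Up", 0x42), ("Focus Band", 201)])
```

Feeding `run` an opcode outside the model (a jump, a stack operation, an invalid byte) raises instead of guessing, which is the same class of byte the thread warns about in slide Pokémon data.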
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Azarokkusu on March 24, 2018, 03:54:58 am
Something nice for y'all. Complete your Pokédex (251 seen, 251 caught, and no glitched entries, etc.)

item 3: X Accuracy x 227
item 4: TM28 x 6
item 5: Ether x 62
item 6: Master Ball x 61
item 7: Dire Hit x 189
item 8: TM11 x 61
item 9: TM23 x 119
item 10: X Special x 20
item 11: Poke Ball x 184
item 12: TM04 x 35
item 13: TM23 x 46
item 14: Brightpowder x 54
item 15: Poke Ball x 52
item 16: X Speed x 46
item 17: Metal Powder x 54
item 18: Poke Ball x 52
item 19: X Speed x 201
item 20: Nugget x 195
item 21: Max Revive x 214

Code:

;setup
ld hl,dbe3
ld b,3f
ld a,01
dec a
;execution
inc l
cp l
jp z,d63d
ld (hl),a
dec (hl)
inc d
dec b
cp b
jp nz,d623
ld l,03
ld (hl),05
inc (hl)
inc (hl)
ld l,23
ld (hl),05
inc (hl)
inc (hl)
ret
;increase h if l rolls over (first conditional jump)
inc h
jp d628
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: bestgoldglitche on May 11, 2018, 03:05:01 pm
Hey all, preemptive apologies if this is something that's already been done, but I had a thought and it might prove useful.

Consider writing your assembly commands into the pokemon stats themselves. 

One of the first uses of this glitch was to get Celebi (https://www.youtube.com/watch?v=SpfgOVfGVTo). If you increase the number of Fresh Water used in that video you traverse the data in the first Pokémon in your party. If you change HM07 to other items and change the number of Great Balls, you can write different bytes into the Pokémon's stats.

So, the thought is:
 - use that process to write data into the pokemon's stats
 - fill the current box with specially written pokemon
 - use the glitch to jump to the boxed pokemon's data

Voila, you have addressed $AD82 through $B001 in which to write code byte at a time instead of $D616 through $D67A.  Thoughts?

Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: ISSOtm on May 11, 2018, 04:50:38 pm
Coin Case is fairly obsolete, for starters. We tend to use box names instead, and Wrong Pocket TMs.
Using SRAM is a bad idea, for three reasons:
1. It's banked, so you have to ensure the correct bank is loaded
2. It has to be unlocked, then ideally re-locked
3. 3DS VC cannot execute from SRAM

Corrupting Pokémon data is also a rather bad idea, since it's prone to lots of corruptions.

If you need to write large payloads, you can instead use luckytyphlosion's Mail execution setup.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Pablo on October 21, 2018, 03:33:12 pm
I've been reading on this subject for about a week now, reading and reading and reading, headache inducing. I get the basic concept of it, but I don't believe my knowledge of it is good enough to start executing it or experimenting with it. More like an infant to this code writing stuff at the moment, I really don't want to run the risk of corrupting my save file beyond repair.

Well, to my point, is there a way to use this code to

1. Warp to Mt. Silver, or possibly walk through walls to get there? I really would like to catch a Larvitar (train/evolve there as well).

2. Change another bag item, held item, or be able to edit PokéMart inventory to get a Scope Lens (not enough games to Mystery Gift it)?

3. Get 250+ of Protein, Iron, Calcium, Carbos, PP Up, and HP Up, or any other items that matter, balls, TMs, etc.? Tired of cloning over and over.

4. And eventually start editing Pokémon's IVs and/or attacks?


There is a catch though, I haven't received the item Pass yet, haven't even beaten the Elite Four, or even gotten the eighth Gym badge, but what I am doing is working on all of the Pokédex before I beat the Elite Four.
Is there a way before I go to Kanto? Everything else I've been reading shows post-E4 and 16 badges. There are a few that show before, but they aren't very clear and don't include the most important codes I would like to perform on my list (#1 & #2).

I've seen speedruns jump to Mt. Silver but they use a flag (I think) to allow Red to be shown or to instantly win that battle or some sort; I don't care about that and don't want to beat Red early. So I can't follow their codes to the T. Plus they rely heavily on luck/IV manipulation (I think) which I wouldn't begin to know how to perform from the beginning.
The first two are really more important to me than the last two, at least for now, but I would really appreciate some help from somebody who has more experience with ACE and has done this more than a few times.

I'm playing on 3DS Virtual Console with Pokémon Silver Version. Thanks again.

PS: I have lots of Pokécash so buying items isn't a problem, as long as they are available to me at the moment.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: spamviech on December 02, 2018, 06:33:11 am
I've been reading on this subject for about a week now, reading and reading and reading, headache inducing. I get the basic concept of it, but I don't believe my knowledge of it is good enough to start executing it or experimenting with it. More like an infant to this code writing stuff at the moment, I really don't want to run the risk of corrupting my save file beyond repair.

Well, to my point, is there a way to use this code to

1. Warp to Mt. Silver, or possibly walk through walls to get there? I really would like to catch a Larvitar (train/evolve there as well).

2. Change another bag item, held item, or be able to edit PokéMart inventory to get a Scope Lens (not enough games to Mystery Gift it)?

3. Get 250+ of Protein, Iron, Calcium, Carbos, PP Up, and HP Up, or any other items that matter, balls, TMs, etc.? Tired of cloning over and over.

4. And eventually start editing Pokémon's IVs and/or attacks?


There is a catch though, I haven't received the item Pass yet, haven't even beaten the Elite Four, or even gotten the eighth Gym badge, but what I am doing is working on all of the Pokédex before I beat the Elite Four.
Is there a way before I go to Kanto? Everything else I've been reading shows post-E4 and 16 badges. There are a few that show before, but they aren't very clear and don't include the most important codes I would like to perform on my list (#1 & #2).

I've seen speedruns jump to Mt. Silver but they use a flag (I think) to allow Red to be shown or to instantly win that battle or some sort; I don't care about that and don't want to beat Red early. So I can't follow their codes to the T. Plus they rely heavily on luck/IV manipulation (I think) which I wouldn't begin to know how to perform from the beginning.
The first two are really more important to me than the last two, at least for now, but I would really appreciate some help from somebody who has more experience with ACE and has done this more than a few times.

I'm playing on 3DS Virtual Console with Pokémon Silver Version. Thanks again.

PS: I have lots of Pokécash so buying items isn't a problem, as long as they are available to me at the moment.

What you want is most certainly possible.
For setup (even prior to Elite 4) check out this guide (https://forums.glitchcity.info/index.php?topic=8126.0), section III. WRONG POCKET TM ACE EXPLAINED (use Ctrl+F to find it).

To multiply items Ctrl+F for VI.3: INCREASE/DECREASE THE QUANTITY OF AN ITEM CODE (Items, G/S/C)

Morphing to specific items is directly below that VI.4: GET ANY ITEM CODE (Items, G/S/C)

For DV/Attack editing, it's probably easiest to use VI.5: MEMORY EDITOR CODE, A.K.A. GAMESHARK SIMULATOR (Items or Box, G/S/C)
Except adding/changing a single move, then look here (https://forums.glitchcity.info/index.php?topic=6716.msg207357#msg207357) (Box Name Code)


Teleporting to Mt. Silver is more difficult, but this Box Name Code for Coin Case should work (untested; simply removed the party count 0 part of the speedrun-code):
Code:
Box 1 pppppppp
Box 2 pppppppp XOR A
BOX 3 'v,'véé72'l SUB f4; SUB ea; LD [Box7,terminator], A (22h); POP DE
BOX 4 'v♂é,2p SUB ef; LD [Box6,terminator], A (33h); XOR A
BOX 5 é♂2'v9é22 LD [Box6,char4], A (00h); SUB ff; LD [Box7,char4], A (01h)
BOX 6 'v8éé4'v't'l SUB fe; LD [{00}fa], A (03h); SUB d5; POP DE; {INC SP}
BOX 7 'vééé4p'lé SUB ea; LD [{01}fa], A (44h); XOR A; POP DE; LD [{22}fa], A (0h)
BOX 8 4éd2'd LD [a3f8], A (0h); RET NC
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Pablo on February 14, 2019, 07:03:34 pm
Ok thanks man I’ll start messing with it.
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Link_enfant on February 28, 2019, 10:30:54 am
I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokémon, most Pokémon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if need be.

Nintendo's going to have a real headache on their hands :)

Awesome job! I've been looking for this kind of code :)

What changes would it require to make it work on a French Silver ROM using Wrong Pocket TM17?

It seems the RAM maps are the same across all versions but I might be wrong.
If that's the case, then would the box names need to be adapted or could they be used as such, which would only require a different setup with the slide Pokémon and Quagsire to work with TM17?
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Sherkel on February 28, 2019, 01:20:29 pm
I think the difference is with the text character values, not the memory locations. This (https://pastebin.com/dW4dPyGp) is a table of which value corresponds to each character (which you can compare with the Big List).
Title: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
Post by: Link_enfant on March 01, 2019, 05:31:33 am
I think the difference is with the text character values, not the memory locations. This (https://pastebin.com/dW4dPyGp) is a table of which value corresponds to each character (which you can compare with the Big List).
You're right! I quickly realized I couldn't even input the code anyway, because of that.

I've tried this other code, also posted by Epsilon, but it doesn't seem to work at least on VC (freezes on white screen right after using TM17):

All wild Pokémon have flawless DVs (French versions):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

I'll probably try to contact him, but I'm not sure which would be easier:

- convert the already working "All wild Pokémon are shiny" code to French versions
- alter the code above to both make it work and have a way to choose different DV values by replacing some characters (which would then allow forcing shiny Pokémon to appear, which is one of the few things I'd really want to try on French VC)