Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 62826 times)


spamviech
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #345 on: February 25, 2018, 09:51:33 am »
> Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

> ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.

Ah, so they don't.
I always forget since I never had to use them other than after specifically setting them (i.e. by a dec statement).

> I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide Pokémon? As in, just a regular working slide Pokémon, not a specific one like the special Coin Case one which jumps over a lot of these factors.

Not contain any values that interrupt execution, jump somewhere else or set a random byte.
In general you're fine with values <10.
If you plan to look at values anyway I'd advise using TM17 instead of TM25. IIRC it starts execution somewhere in the stats of Pokémon 1 (i.e. slide as first, Quagsire as second) instead of some invisible value of Pokémon 2.

Azarokkusu
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #346 on: March 01, 2018, 06:26:47 pm »
So, avoiding things like unwanted SUB, ADD and JMP instructions for example then. Fair enough! The more I think about this the more I am convinced I need to learn the Game Boy assembly (modified version of Z80 iirc). Not like it'd even be the first assembly language I've learned.

Epsilon
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #347 on: March 01, 2018, 07:49:05 pm »
Trust me, if you already understand assembly at least to an extent, Gbz80 will be a cakewalk.
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Haircoolass
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #348 on: March 02, 2018, 05:41:40 am »
> Little helper code which might be useful to someone else as well:
> Maximize all PC items (quantity x 255) while leaving the item type unchanged.
> Code:
> 1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
> 2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
> 3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
> 4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
> 5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
> 6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
> 7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
> 8)   x  'd OR A; RET NC
>
> Fun little thing about x0 quantity (at least in the PC):
> You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
> Depositing an additional item of the type simply adds the amount which restores normal functionality.
> Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Hey there, I'm pretty new to the world of ACE glitches in gen 2.

I used the wild shiny Celebi glitch yesterday and wanted to try this code to multiply some items.
My questions are: how do I use this code in the quote? Is it for Coin Case or TM25?
And in case of using TM25, do I always need to have Quagsire as my 3rd mon and my slide Pokémon (I use the traded Onix "Rocky") in the 2nd slot?
Is there a way I can identify whether a code is used for TM25 or Coin Case?

Krys3000
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #349 on: March 02, 2018, 08:16:52 am »
There is an explanation of the differences between Coin Case and TM codes in a few replies to the newcomers' guide to G/S/C ACE. You will basically read there what is needed in a Coin Case code compared to TM codes, so you can see if a code is designed for Coin Case.

Also, I wonder why people keep doing the TM25 setup. Preparing TM17 for ACE is easier...

Admin of the PRAMA Initiative, the main French Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Azarokkusu
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #350 on: March 23, 2018, 10:45:29 pm »
Add 1 to the ID of item 1 (early game viable version)
Uses stored items starting from stored item 3. Requires Quagsire with Sleep Talk as first move and holding Protein.

Item 3: poke ball x 38
Item 4: TM 23 x 04
Item 5: Fresh Water x 23
Item 6: X speed x 04
Item 7: TM10 x any

Code:
dec b        ; filler (item 3 ID)
ld h,d6      ; h = $d6 (item 3 quantity + item 4 ID)
inc b        ; filler
ld l,17      ; hl = $d617, the ID byte of stored item 1
inc (hl)     ; ID + 1
inc b        ; filler
ret

lots of filler but this way you don't require anything you can't easily get early game (use torchicken's get all tms and hms code, or the modified 255x version, first for the tms).

The best thing about this is it's easy to change to decrement, or to change to item 1's quantity. To make it decrement boxed item 1's ID by 1, change X Speed to X Special. To make it increment item 1's quantity, make it Fresh Water x 24. To make it decrement item 1's quantity, do both. Note you can use this to get pretty much any item setup you will need, ever (withdraw all but 1 of the item in slot 1, decrement twice, withdraw all but the amount you need). However, I'd use it to get certain things and then do a more efficient setup once you had what you needed for said more efficient setup.

For example:

Write to any byte in memory by Wack0, ported by Azarokkusu


Same Quagsire setup here.

Item 3: Full Heal x XX ; XX = higher byte of address you're going to write to
Item 4: Fresh Water x XX ; XX = lower byte of address you're going to write to
Item 5: PP up x XX ; XX is value you want to write
Item 6: Focus Band x 201


Code:
ld h,xx      ; Full Heal quantity: high byte of the address
ld l,xx      ; Fresh Water quantity: low byte of the address
ld a,xx      ; PP Up quantity: the value to write
ld (hl),a    ; store it
ret

You could do 1 less item with Coin Case x (value you want to write) but then you can't see what that value is because it's a key item.



Here's a sprawling code to set the quantity of all your items in your Items and Balls pockets to 0 AND all your HMs and TMs to a quantity of 255. Note you can't have 0 of a TM in your TM pocket or it doesn't show up, but you CAN have 0 of a TM in your box. This is due to it storing inventory TMs only as quantities, but box items as ID and quantity. Also, getting ? (ID $0) is incredibly easy if you already underflowed your Ball pocket, but is also doable with the above code.

Same Quagsire setup again

   item 3: X Accuracy x 183
   item 4: TM22 x 6
   item 5: Repel x 62
   item 6: Master Ball x 61
   item 7: Dire Hit x 44
   item 8: ? x 119
   item 9: Poké Ball x 184
   item 10: TM04 x 35
   item 11: TM23 x 0
   item 12: X Accuracy x 252
   item 13: TM22 x 6
   item 14: Awakening x 184
   item 15: Dire Hit x 44
   item 16: ? x 119
   item 17: Poké Ball x 184
   item 18: TM04 x 51
   item 19: TM23 x 0
   item 20: X Accuracy x 125
   item 21: TM22 x 6
   item 22: X Special x 4
   item 23: Great Ball x 04
   item 24: Great Ball x 184
   item 25: Dire Hit x 119
   item 26: X Special x 5
   item 27: ? x 184
   item 28: TM04 x 71
   item 29: TM23 x 201

Note the TM04s here are the normal one ($c2), not the one that does nothing ($c3).

Code:
; Items pocket: zero the quantity of 20 slots
ld hl,d5b7
ld b,14
ld a,01
dec a          ; a = 0
inc l
inc l          ; step to the next slot's quantity byte
nop
ld (hl),a
dec b
cp b
jp nz,d623     ; loop back to the first inc l
nop
; Balls pocket: zero the quantity of 12 slots
ld hl,d5fc
ld b,0c
cp b
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d633
nop
; TM/HM pocket: set 57 ($35 + 4) quantity bytes to $ff
ld hl,d57d
ld b,35
inc b
inc b
inc b
inc b
cp b
inc l
ld (hl),a
dec (hl)       ; 0 - 1 = $ff
dec b
nop
cp b
jp nz,d647
ret

The nops can be replaced with inc d, dec c etc. (since we don't use c, d etc.) but I used nop simply because 1. it's easy to get high amounts of ? and 2. I wasn't sure if I'd have to re-write the number of items in each inventory, since I had a problem with that earlier where it wrote FF to the bytes you initially set hl to in each setup phase. However that problem is gone now.
« Last Edit: March 24, 2018, 01:21:58 am by Azarokkusu »

Azarokkusu
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #351 on: March 24, 2018, 03:54:58 am »
Something nice for y'all. Complete your Pokédex (251 seen, 251 caught, and no glitched entries etc.)

   item 3: X Accuracy x 227
   item 4: TM28 x 6
   item 5: Ether x 62
   item 6: Master Ball x 61
   item 7: Dire Hit x 189
   item 8: TM11 x 61
   item 9: TM23 x 119
   item 10: X Special x 20
   item 11: Poké Ball x 184
   item 12: TM04 x 35
   item 13: TM23 x 46
   item 14: BrightPowder x 54
   item 15: Poké Ball x 52
   item 16: X Speed x 46
   item 17: Metal Powder x 54
   item 18: Poké Ball x 52
   item 19: X Speed x 201
   item 20: Nugget x 195
   item 21: Max Revive x 214

Code:
;setup
ld hl,dbe3
ld b,3f
ld a,01
dec a
;execution
inc l
cp l
jp z,d63d
ld (hl),a
dec (hl)
inc d
dec b
cp b
jp nz,d623
ld l,03
ld (hl),05
inc (hl)
inc (hl)
ld l,23
ld (hl),05
inc (hl)
inc (hl)
ret
;increase h if l rolls over (first conditional jump)
inc h
jp d628
« Last Edit: March 24, 2018, 03:57:18 am by Azarokkusu »
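The payloads in replies #350 and #351 above are worth checking against a model before they are entered as items, since a single wrong byte silently lands a write somewhere else. What follows is an added example, not code from this thread or from any tool it links: a Python interpreter for just the GBz80 opcodes those listings use, with the "write to any byte", "add 1 to the ID of item 1" and Pokédex payloads hand-assembled from the posted mnemonics (standard GBz80 encoding, not derived from item IDs). It assumes execution starts at $D61B (stored item 3, consistent with the jump targets d623/d628/d63d in the listings), that only the Z flag matters, and that the Pokédex flags are two 32-byte bitmaps (caught, then seen) starting at $DBE4; the seeded memory values are constructed.

```python
# Added example (not from this thread): a GBz80 subset interpreter that runs the
# item-encoded payloads from replies #350 and #351 against a model of RAM, so the
# memory effect can be checked before anything is typed in as items. Assumptions:
# code starts at $D61B (stored item 3; matches the jump targets in the listings),
# only the Z flag is tracked, and the Pokédex flags are two 32-byte bitmaps
# (caught, then seen) starting at $DBE4.

PC_ITEM3 = 0xD61B  # first byte executed: stored item 3, after the $D616 count byte


class Z80Mini:
    def __init__(self, code, base=PC_ITEM3):
        self.mem = bytearray(0x10000)
        self.mem[base:base + len(code)] = code
        self.pc, self.z = base, False
        self.r = {"a": 0, "b": 0, "d": 0, "h": 0, "l": 0}

    def hl(self):
        return (self.r["h"] << 8) | self.r["l"]

    def fetch(self):
        b = self.mem[self.pc]
        self.pc = (self.pc + 1) & 0xFFFF
        return b

    def fetch16(self):  # little-endian immediate: "jp nz,d623" is C2 23 D6
        lo = self.fetch()
        return lo | (self.fetch() << 8)

    def inc8(self, v):  # inc/dec/cp set Z; ld and jp leave it untouched
        v = (v + 1) & 0xFF
        self.z = v == 0
        return v

    def dec8(self, v):
        v = (v - 1) & 0xFF
        self.z = v == 0
        return v

    def run(self, max_steps=20000):
        r, m = self.r, self.mem
        for _ in range(max_steps):
            op = self.fetch()
            if op == 0x00: pass                                      # nop
            elif op == 0x04: r["b"] = self.inc8(r["b"])              # inc b
            elif op == 0x05: r["b"] = self.dec8(r["b"])              # dec b
            elif op == 0x06: r["b"] = self.fetch()                   # ld b,n
            elif op == 0x14: r["d"] = self.inc8(r["d"])              # inc d
            elif op == 0x21: v = self.fetch16(); r["h"], r["l"] = v >> 8, v & 0xFF  # ld hl,nn
            elif op == 0x24: r["h"] = self.inc8(r["h"])              # inc h
            elif op == 0x26: r["h"] = self.fetch()                   # ld h,n
            elif op == 0x2C: r["l"] = self.inc8(r["l"])              # inc l
            elif op == 0x2E: r["l"] = self.fetch()                   # ld l,n
            elif op == 0x34: m[self.hl()] = self.inc8(m[self.hl()])  # inc (hl)
            elif op == 0x35: m[self.hl()] = self.dec8(m[self.hl()])  # dec (hl)
            elif op == 0x36: m[self.hl()] = self.fetch()             # ld (hl),n
            elif op == 0x3D: r["a"] = self.dec8(r["a"])              # dec a
            elif op == 0x3E: r["a"] = self.fetch()                   # ld a,n
            elif op == 0x77: m[self.hl()] = r["a"]                   # ld (hl),a
            elif op == 0xB8: self.z = r["a"] == r["b"]               # cp b
            elif op == 0xBD: self.z = r["a"] == r["l"]               # cp l
            elif op == 0xC2: t = self.fetch16(); self.pc = self.pc if self.z else t  # jp nz,nn
            elif op == 0xC3: self.pc = self.fetch16()                # jp nn
            elif op == 0xC9: return self                             # ret: back to the game
            elif op == 0xCA: t = self.fetch16(); self.pc = t if self.z else self.pc  # jp z,nn
            else: raise ValueError(f"opcode {op:#04x} at {self.pc - 1:#06x} not modelled")
        raise RuntimeError("payload never returned (runaway loop?)")


def run_payload(code, preset=None):
    """Load code at PC_ITEM3, seed RAM from {addr: value}, run until ret, return RAM."""
    cpu = Z80Mini(code)
    for addr, val in (preset or {}).items():
        cpu.mem[addr] = val
    return cpu.run().mem


def write_byte_payload(addr, value):
    """Reply #350's 'ld h,xx / ld l,xx / ld a,xx / ld (hl),a / ret', hand-assembled."""
    return bytes([0x26, addr >> 8, 0x2E, addr & 0xFF, 0x3E, value & 0xFF, 0x77, 0xC9])


# Reply #350, "add 1 to the ID of item 1": dec b / ld h,d6 / inc b / ld l,17 / inc (hl) / inc b / ret
ADD1_ITEM1_ID = bytes([0x05, 0x26, 0xD6, 0x04, 0x2E, 0x17, 0x34, 0x04, 0xC9])

# Reply #351 Pokédex payload, hand-assembled from the posted listing (38 bytes = 19 items)
POKEDEX_251 = bytes([
    0x21, 0xE3, 0xDB, 0x06, 0x3F, 0x3E, 0x01, 0x3D,  # ld hl,dbe3 / ld b,3f / ld a,01 / dec a
    0x2C, 0xBD, 0xCA, 0x3D, 0xD6,                    # inc l / cp l / jp z,d63d   (did l roll over?)
    0x77, 0x35, 0x14, 0x05, 0xB8, 0xC2, 0x23, 0xD6,  # ld (hl),a / dec (hl) / inc d / dec b / cp b / jp nz,d623
    0x2E, 0x03, 0x36, 0x05, 0x34, 0x34,              # ld l,03 / ld (hl),05 / inc (hl) / inc (hl)
    0x2E, 0x23, 0x36, 0x05, 0x34, 0x34, 0xC9,        # ld l,23 / ld (hl),05 / inc (hl) / inc (hl) / ret
    0x24, 0xC3, 0x28, 0xD6,                          # inc h / jp d628   (rollover handler)
])


def pokedex_counts(mem):
    """Assumed layout: caught bits $DBE4-$DC03, seen bits $DC04-$DC23, one bit per species."""
    caught = sum(bin(mem[a]).count("1") for a in range(0xDBE4, 0xDC04))
    seen = sum(bin(mem[a]).count("1") for a in range(0xDC04, 0xDC24))
    return seen, caught
```

Running `pokedex_counts(run_payload(POKEDEX_251))` against blank RAM gives (251, 251): the loop fills $DBE4 to $DC22 with $FF, the rollover branch bumps h when l wraps from $FF to $00, and the two `ld l` tails set $DC03 and $DC23 to $07, which is exactly 251 bits per bitmap, matching the post's "251 seen, 251 caught". The value of this kind of dry run is the off-by-one it would expose: with `ld b,40` instead of `ld b,3f` the same loop would write one byte past $DC23, and `run_payload(write_byte_payload(addr, value))` lets you confirm a Full Heal / Fresh Water / PP Up triple lands on the byte you meant before you commit to the items.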

bestgoldglitche
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #352 on: May 11, 2018, 03:05:01 pm »
Hey all, preemptive apologies if this is something that's already been done, but I had a thought and it might prove useful.

Consider writing your assembly commands into the Pokémon stats themselves.

One of the first uses of this glitch was to get Celebi (https://www.youtube.com/watch?v=SpfgOVfGVTo). If you increase the number of Fresh Water used in that video you traverse the data in the first Pokémon in your party. If you change HM07 to other items and change the number of Great Balls, you can write different bytes into the Pokémon's stats.

So, the thought is:
 - use that process to write data into the pokemon's stats
 - fill the current box with specially written pokemon
 - use the glitch to jump to the boxed pokemon's data

Voila, you have addressed $AD82 through $B001 in which to write code byte at a time instead of $D616 through $D67A.  Thoughts?


ISSOtm
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #353 on: May 11, 2018, 04:50:38 pm »
Coin Case is fairly obsolete, for starters. We tend to use box names instead, and Wrong Pocket TMs.
Using SRAM is a bad idea, for three reasons:
1. It's banked, so you have to ensure the correct bank is loaded
2. It has to be unlocked, then ideally re-locked
3. 3DS VC cannot execute from SRAM

Corrupting Pokémon data is also a rather bad idea, since it's prone to lots of corruptions.

If you need to write large payloads, you can instead use luckytyphlosion's Mail execution setup.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)