Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 95914 times)


Evie the Bird Mother 🌸 ☽

  • Veteran Contributor
  • Ah, the black tea is delicious. ~ ^^
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #300 on: November 12, 2017, 11:17:57 am »
> Didn't try it, but judging from the name maybe it is possible to change available charset while typing. Since you can't access menu there it would have to be done via OAM DMA loop.

I came across that address in the past too. It indeed allows you to change the available characters but it seems 05 and up work as if you're nicknaming a Pokémon (so it will say (POKéMON)'s nickname, display a menu sprite and bring up the characters you can input while nicknaming one), and box names (04) happens to be the best menu in terms of available characters. I may be wrong though.

03 is the unused menu for naming your mother.

Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it, it may come up as your player's name.

C5D0 appears to look for where the characters are, and moves them to the other buffer/destination like D8BF (box 1 name). In box names the pointer is CEED. Changing values in the buffer at CEED will print characters on the screen.
« Last Edit: November 12, 2017, 11:28:56 am by Evie ✿ »
(I was former joint head admin but stepped down)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post. ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Love, faith, hope are free. If all is lost friends save us.
Thanks fans for lovely Torchic artwork. ♡ First image thanks Nyapon.

spamviech

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #301 on: November 12, 2017, 11:44:23 am »
> 03 is the unused menu for naming your mother.
>
> Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it, it may come up as your player's name.

Normally this should go the other way around. :XD:


Mail charset appears to have the most characters. Was hoping to get it available to name boxes.

Evie the Bird Mother 🌸 ☽

  • Veteran Contributor
  • Ah, the black tea is delicious. ~ ^^
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #302 on: November 12, 2017, 11:53:28 am »
> Mail charset appears to have the most characters. Was hoping to get it available to name boxes.

Oh, I overlooked the mail character set. Thanks! Yeah. C5D4 was 48 while on the mail naming screen, but sadly attempting to name a box came up with the Pokémon nickname screen when 0148D4C5 was enabled instead. :(

In theory though, with some work we can bring up the mail menu with a custom destination with OAM DMA hijacking to execute with TM17, TM25 etc. upon pressing a button (e.g. B) instead. It may not be worth it, but would be interesting to do.

Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.
« Last Edit: November 12, 2017, 12:00:50 pm by Evie ✿ »

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #303 on: November 12, 2017, 01:09:38 pm »
> Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.

I was toying around with the idea of a memory editor GUI for gen 2. In fact, this project was originally meant for G/S, but for whatever reason I ditched the idea and made it for R/B instead.

I don't see why it wouldn't work, but we would need to find a large portion of unused/mostly unused data, similar to $D901 from R/B/Y.

Also, it's worth noting that the tilemap in G/S works differently from its Gen 1 counterpart. Rather than accepting direct writes to $C3A0 and onward, it is required to call internal subroutine $0F74, with the pointer to the desired tiles in register de.
« Last Edit: November 12, 2017, 01:38:21 pm by Couldntthinkofaname »
grouchy

spamviech

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #304 on: November 12, 2017, 03:24:45 pm »
> As a resident German person, here is a PC item code to give you 255 of every TM/HM so you can use them to write your code.
> Don't know if this will work on every European language, but it was the same for German and English so there is a good chance that it will work.

Kind of confused here.
To get enough money for 44 Dire Hits I continued playing (up to defeating Red) and the code suddenly stopped working.
Also, using a Lucky Egg-Attract-Quagsire with a simple return code (201 of TM01) crashed my game.

To me this looks like the memory address for TM quantities was changed, but I somehow doubt Nintendo would do this. Need to look a bit more into this one. I'm using the VC version so far btw., will try on emulator to check what's going on here.

I think I screwed up somewhere on my first try. Probably deposited an additional TM22 or something.
Anyway, beat up Red again and the Box Item Code to maximize TMs still worked without problems. :)

Edit:
Successfully executed my code to fill your box on the German VC version. :)
Note: Be careful when withdrawing/releasing a Pokémon created this way. For a previously empty box it shifted some bytes for the remaining Pokémon in the box (item becomes species, etc.) and I'm not sure when it stops.
I'll try to improve the code so this effect vanishes.
Successfully fixed that bug. :) Still trying to improve the code.

Since box name codes aren't available, first use this TM quantity code (Quagsire, Lucky Egg, Attract) to set HM01-HM03 quantities:
Code:
TM01 62/193 LD A, 20
TM02 32/223
TM03 234/21 LD [b0f5], A
TM04 176/79
TM05 245/10
TM06 62/193 LD A, eb
TM07 235/20
TM08 234/21 LD [b1f5], A
TM09 177/78
TM10 245/10
TM11 62/193 LD A, c9
TM12 201/54
TM13 234/21 LD [b2f5], A
TM14 178/77
TM15 245/10
TM16 201/54 RET
Afterwards, use this slightly adjusted box item code (Quagsire, HP-UP, Sleep Talk) to maximize quantities for TM01-TM49 (leave HM-quantities untouched):
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 30 LD A, C; LD E, 31
X-Attack x 01 LD BC, ...
Any x Any
Great Ball x 38 INC B; LD H, d5
TM22 x 01 LD BC, ...
Any x Any
Poké Ball x 46 DEC B; LD L, 7c
Revival Herb x 03 INC BC
Dire Hit x 44 INC L; INC L
Awakening x 34 INC C; LD [HL+], A
Ice Heal x 03 DEC BC; INC BC
Carbos x 32 DEC E; JR NZ, f9
HM07 x 01 LD BC, ...
Any x Any
TM10 x Any RET
Finally, use this TM quantity code to fill your box:
Code:
TM01 62/193 LD A, 0a
TM02 10/245
TM03 234/21 LD [ff00], A | A->0a
TM04 255/0
TM05 0/255
TM06 62/193 LD A, 01
TM07 01/254
TM08 234/21 LD [ff40], A | A->00
TM09 255/0
TM10 64/191
TM11 33/222 LD HL, 6cad | HL->ad6c
TM12 108/147
TM13 173/82
TM14 1/254 LD BC, 1a00 | BC->001a
TM15 26/229
TM16 0/255
TM17 62/193 LD A, 14 | A->14
TM18 20/235
TM19 87/168 LD D, A
TM20 95/160 LD E, A
TM21 34/221 LD [HLI], A
TM22 62/193 LD A, (species)
TM23 (species)/
TM24 34/221 LD [HLI], A
TM25 21/234 DEC D
TM26 32/223 JR NZ, fc | (Loop back to last LD [HLI], A)
TM27 252/3
TM28 54/201 LD [HL], ff
TM29 255/0
TM30 35/220 INC HL
TM31 87/168 LD D, A
TM32 122/133 LD A, D
TM33 34/221 LD [HLI], A
TM34 62/193 LD A, (item)
TM35 (item)/
TM36 34/221 LD [HLI], A
TM37 62/193 LD A, (move1)
TM38 (move1)/
TM39 34/221 LD [HLI], A
TM40 62/193 LD A, (move2)
TM41 (move2)/
TM42 34/221 LD [HLI], A
TM43 62/193 LD A, (move3)
TM44 (move3)/
TM45 34/221 LD [HLI], A
TM46 62/193 LD A, (move4)
TM47 (move4)/
TM48 34/221 LD [HLI], A
TM49 9/246 ADD HL, BC
TM50 29/226 DEC E
HM01 32/223 JR NZ, eb | (Loop Back to LD A, D)
HM02 235/20
HM03 201/54 RET
« Last Edit: November 13, 2017, 07:20:44 am by spamviech »
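An added checker (mine, not spamviech's or the thread's tooling) for a listing in the quantity/toss form above: it rejects any pair that does not sum to 255 and disassembles the bytes with a small opcode table covering only the instructions these listings use, printing addresses decoded little-endian so the "LD [b0f5], A" above appears as LD [$F5B0], A. It assumes the second number is the count to use up after the 255-of-everything fill, and HM_SETUP holds the pairs of the HM01-HM03 setup listing with each toss equal to 255 minus the quantity.

```python
import re

# GBz80 opcodes that appear in the thread's TM listings: byte -> (template, immediate size)
OPCODES = {
    0x3E: ("LD A, ${n:02X}", 1), 0x36: ("LD [HL], ${n:02X}", 1), 0x20: ("JR NZ, ${t:04X}", 1),
    0xEA: ("LD [${nn:04X}], A", 2), 0x21: ("LD HL, ${nn:04X}", 2), 0x01: ("LD BC, ${nn:04X}", 2),
    0xC9: ("RET", 0), 0x57: ("LD D, A", 0), 0x5F: ("LD E, A", 0), 0x22: ("LD [HLI], A", 0),
    0x15: ("DEC D", 0), 0x23: ("INC HL", 0), 0x7A: ("LD A, D", 0), 0x09: ("ADD HL, BC", 0),
    0x1D: ("DEC E", 0),
}

# The HM01-HM03 setup listing (TM01..TM16) as quantity/toss pairs, toss = 255 - quantity.
HM_SETUP = ("62/193 32/223 234/21 176/79 245/10 62/193 235/20 234/21 "
            "177/78 245/10 62/193 201/54 234/21 178/77 245/10 201/54")

def parse_listing(text):
    """Quantity is the code byte; toss is how many to use up from a 255 fill.
    Returns the byte string, rejecting any pair that is not a 255 complement."""
    out = []
    for qty, toss in re.findall(r"(\d+)/(\d+)", text):
        qty, toss = int(qty), int(toss)
        if not 0 <= qty <= 255 or qty + toss != 255:
            raise ValueError(f"{qty}/{toss} is not a quantity/toss pair summing to 255")
        out.append(qty)
    return bytes(out)

def disassemble(code, base=0):
    """Decode with the table above; unknown opcodes are left as DB so nothing is hidden."""
    pc, lines = 0, []
    while pc < len(code):
        op = code[pc]
        tmpl, size = OPCODES.get(op, (f"DB ${op:02X}", 0))
        imm = code[pc + 1:pc + 1 + size]
        if len(imm) < size:                  # immediate cut off by the end of the payload
            tmpl, size, imm = f"DB ${op:02X}", 0, b""
        f = {"n": imm[0] if size == 1 else 0, "nn": int.from_bytes(imm, "little")}
        if op == 0x20 and size == 1:         # JR: signed offset from the next instruction
            f["t"] = base + pc + 2 + (imm[0] - 256 if imm[0] > 127 else imm[0])
        lines.append(f"{base + pc:04X}: {tmpl.format(**f)}")
        pc += 1 + size
    return lines

if __name__ == "__main__":
    for line in disassemble(parse_listing(HM_SETUP)):
        print(line)
```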

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #305 on: November 13, 2017, 08:23:06 am »
I believe I have successfully translated my "Get All Badges" code into French. If anyone wouldn't mind testing this, please tell me if it works.

Get All Badges (French version):
Apu'Dés'25
pu'Eéu'209
55555555
éA(female)éA(female)08
u'9m'55555

Krys3000

  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #306 on: November 13, 2017, 08:42:00 am »
It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!

It does only give Johto badges though, but that was also in the original code, right?

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #307 on: November 13, 2017, 09:18:39 am »
> It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!
>
> It does only give Johto badges though, but that was also in the original code, right?

Yes, this was the original code.

It was intended to grant all badges but for whatever reason this doesn't work, on the English version or otherwise.

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #308 on: November 13, 2017, 10:33:02 am »
Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.

All Wild Pokemon have flawless DVs (French version):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

If you would like to test this on emulator, wild Pokemon DVs are located at $D0F5-$D0F6. If both these values are $FF, then the code was successful.
« Last Edit: November 13, 2017, 10:58:02 am by Couldntthinkofaname »

spamviech

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #309 on: November 13, 2017, 11:16:39 am »
> The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
> For extra easiness, copy backwards.
> Code:
> ld de, MailDataEnd    ; source: last byte of the mail data (in SRAM)
> ld hl, TempStorage    ; destination: last byte of the WRAM scratch area
> ld c, length          ; byte count (one-byte counter, so at most 255 bytes)
> .loop
> ld a, [de]            ; fetch one byte from the end of the mail
> dec de
> ld [hld], a           ; store it and step the destination downwards
> dec c                 ; dec c sets Z when the count reaches 0 (dec de does not touch flags)
> jr nz, .loop
> inc hl                ; hl is one below the first byte copied; step back onto it
> jp hl                 ; opcode E9: jump to the address held in hl
>
> Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.

According to some BGB testing, mailbox data starts in SRAM bank 0 at $a834 with the current mailbox count (consistent with the Crystal SRAM disassembly).
Afterwards the first message starts. Between message 1 and 2 there are some bytes which probably hold extra data like mail type and source name.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #310 on: November 13, 2017, 03:06:09 pm »
For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it ?
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #311 on: November 13, 2017, 03:36:05 pm »
> For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it ?

Quite a neat quantity, thank you for finding it!

Unfortunately, my memory editor exceeded 200 bytes. I'm certain I can take some liberties here and there but it's still quite the task.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #312 on: November 13, 2017, 06:07:30 pm »
Try checking a bit before. Maybe some memory before DF00 is also unused.
If your editor's size is less than 256 bytes, that's better ('cause it could be copied using a 1-byte length loop, which is slightly easier to program)

Krys3000

  • French living dexer
  • Distinguished Member
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #313 on: November 14, 2017, 04:32:31 am »
> Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.

AFAIK it does (otherwise my translation of your catch 'em all code wouldn't have worked, right?) but I'll test your code today, just to be sure :p


spamviech

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #314 on: November 14, 2017, 06:46:12 am »
Made a quick test with available mail characters. Inputting basically every special character (see attachment) yielded the following memory in SRAM:
Code:
E1 E2 70 71 EA EF F5 F0 75 F1 E7 E6 F4 7F E8 E3 4E F3 72 73 9E 9F E0 9C 9D D0 D1 D2 D3 D4 D5 D6 E9 86 8E 8B 83 50
Note: Player Name is Gold.
It appears as long as you use every character the mail is not terminated by a 50h, but is directly followed by its type and the name of the sender.
Also, there is a 4e in the middle to cause a line break.
Aside from various commands to load the different registers into (hl) (the 7x bunch) I don't see anything useful added. And even those are hard to use, since you can't influence these registers with character code.  :-\

Edit:
oh, accidentally attached twice.  ::) Sorry.
« Last Edit: November 14, 2017, 07:07:38 am by spamviech »