Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case (Read 84320 times)

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Staff
  • Gender: Male
  • Pewter City (B)rocks !
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #315 on: November 14, 2017, 06:47:37 pm »
You can set b and d by pushing and popping cleverly. I agree it doesn't add much, but it still has potential if a large script is ever needed, such as a GUI memory editor (offgao's being the reference for this in Gen I).
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #316 on: November 15, 2017, 11:19:34 am »
Hey all, I remade my Catch 'em all code into a TM quantity script. It is considerably more lengthy, but it has some benefits over the original.

First, use Evie's x255 TM code.

After which, spell the following opcodes with TM quantities:

Keep/Deposit:
62/193
(SpeciesId)/(255 - SpeciesId)     // This quantity will be reset to 255 after Wrong Pocket is executed
234/21
247/8
248/7
62/193
237/18
234/21
249/6
248/7
175/80
61/194
234/21
127/128
245/10
201/54

Then, write the following box name code:

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: p'vCé?255
Box 5: 5p'mA(female)555
Box 6: (Doesn't matter)
Box 7: p0AéA'dyy
Box 8: p0éé(female)'dyy
Box 9: p0ké0'dp'd
Box 10: p0A'vxéJ9
Box 11: p'dyyyyyy

Finally, execute wrong pocket. Your desired Pokémon will be found in the wild with 100% encounter rate.

With the old code, if the desired Pokémon's ID is lower than $7f, you had to change a box name and add $7f to the species ID. With the new code, no special adaptations are necessary for any Pokémon. Another flaw that plagued the old code was that it was required to SAVE/RESET to shut it off. To shut off the new code, simply replace Box 9 with:

yyyyyyyy

After this, the OAM DMA will patch itself thanks to code written at Box 10-11, and it will be safe to write other box name codes in the Box 7-12 region.

The old code may be preferable due to length, but this is here if one would rather use it. :)

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #317 on: November 16, 2017, 03:55:12 am »
It's good to have many possibilities to do the same thing :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character. For the French version, I had to use 5 different variations of the code (basically the original one, the 'sub 7f' one, and three other subs with different values) to get them all. I'm assuming it can be improved to 4 codes somehow. It would be great anyway to have the full coverage for the English version too :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
https://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #318 on: November 16, 2017, 06:54:26 am »
Thank you! :)

Quote from: Krys3000 on November 16, 2017, 03:55:12 am
Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character.

Yep. There were some Pokemon (Hex $d8, to name one) that couldn't be obtained with the $7f trick. Any Pokemon who fit into that category had to be obtained with clever use of integer underflow (For example, Hex $d8 could be obtained using $80 - $a8). That was a pain, so hopefully this new code fixes that. :)

As for French translations, it may take me a while to translate this new code, but I'm certain it should still work.

spamviech

  • Member+
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #319 on: November 19, 2017, 03:07:47 pm »
Needed a break from playing Ultra Moon, so here is a new code to actually use Mail data.
So far this code is only able to use one Mail, since for more you'd need to also skip trainer name data.

The code is an item code, so I can also use it on the German version. This also enables text-based codes, even though they are still complicated (no sub/add instruction).
To execute item codes use a Quagsire holding a HP Up with Sleep talk as its first move after your Slide-Pokémon.

First, here are two short item codes to get the required items:

Box Item 1 quantity changed to 255:
Code:
Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 03 LD A, C; INC BC
TM42 x 24 LD [18d6], A
TM23 x 03 INC BC
TM10 x Any RET

Change Box Item 1 to any item you want:
Code:
Any x Any
Any x 03 INC BC
PP-Up x {item} LD A, {item}
TM42 x 23 LD [17d6], A
TM23 x 03 INC BC
TM10 x Any RET

And now to the big one:
Copy the message of the first mail in your PC to the end of box names and execute them. If you only want to copy them without execution, replace the final TM41 (JP [HL]) with TM10 (RET).
Code:
Any x Any
Any x 62 LD A, 0a
Burn Heal x 234 LD [1201], A
Potion x 01
Full Restore x 01 LD C, 01
Paralyz Heal x 121 DEC C; LD A, C
TM42 x 01 LD [0140], A
Max Ether x 03 INC BC
X-Accuracy x 60 LD HL, 3cd9
TM26 x 17 LD DE, 55a8
Red Apricorn x 168
Brightpowder x 06 INC BC; LD B, 01
Master Ball x 14 LD C, 10
Hyper Potion x 26 LD A, [DE]
Protein x 50 DEC DE; LD [HLD], A
Paralyz Heal x 32 DEC C; JR NZ, fa
HM08 x 27 DEC DE
Poké Ball x 32 DEC B; JR NZ, f4
HM02 x 01 LD BC, ...
Any x Any
Great Ball x 35 INC B; INC HL
TM41 x Any JP [HL]

Note that box name terminators are also overwritten, so the copied box names probably look glitchy.
All codes from this post are for wrong-pocket-TM execution, since they are mostly meant for non-english games where Coin Case ACE is not possible.



Edit:
Looked into it some more.
After the mail message there are 10 bytes (including 50h terminator if name is shorter (which it should be)) which appear to be used for the name of the sender.
Afterwards are 4 bytes with info on the type of the mail. A surf mail produces F3 74 F9 B5 while a flower mail gives F3 74 A3 9E.
Afterwards, the next mail starts with its message.
« Last Edit: November 21, 2017, 09:16:50 am by spamviech »

spamviech

  • Member+
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #320 on: November 26, 2017, 10:37:03 am »
Here is a code to copy the messages of your first four mails in your mailbox/PC into box names (and a few bytes after) and execute them afterwards. (Edit: turns out VC doesn't like execution) (Edit²: turns out me being stupid doesn't help avoiding VC peculiarities)
With this, execution of text-based code for the German version is at least possible (yay for é; ignore the fact that with clever use of call it might have been already), even though it's still difficult (no sub/add).

TM quantity code for wrong-pocket-TM execution (Quagsire, Lucky Egg, Attract):
Code:
Copy content of Mail 1-4 to box names (and a few bytes after) and execute it
format: keep/deposit code
TM01 62/193 ld a, 0a
TM02 10/245
TM03 234/21 ld [0000], a
TM04 0/255
TM05 0/255
TM06 175/80 xor a
TM07 234/21 ld [0040], a
TM08 0/255
TM09 64/191
TM10 1/254 ld bc, f0a8 (Mail Data End; before start of Message 5)
TM11 240/15
TM12 168/87
TM13 33/222 ld hl, 3ef9 (a bit after box names)
TM14 62/193
TM15 249/6
TM16 22/233 ld d, 04
TM17 4/251
TM18 205/50 call 97f5 (.copymail)
TM19 151/104
TM20 245/10
TM21 21/234 dec d
TM22 32/223 jr nz, fa (TM18)
TM23 250/5
TM24 35/220 inc hl
TM25 233/22 jp [hl]
TM26 30/225 ld e, 0e | .copymail -> d597
TM27 14/241
TM28 11/244 dec bc
TM29 29/226 dec e
TM30 32/223 jr nz, fc (TM28)
TM31 252/3
TM32 205/50 call a5f5 (.copyline)
TM33 165/90
TM34 245/10
TM35 11/244 dec bc
TM36 205/50 call a5f5 (.copyline)
TM37 165/90
TM38 245/10
TM39 201/54 ret
TM40 30/225 ld e, 10 | .copyline -> d5a5
TM41 16/239
TM42 10/245 ld a, [bc]
TM43 50/205 ld [hld], a
TM44 11/244 dec bc
TM45 29/226 dec e
TM46 32/223 jr nz, fa (TM42)
TM47 250/5
TM48 201/54 ret

As a quick proof of concept, this message for your first mail changes the beginning character of Box 7 to ¥ (pokédollar symbol; used as replacement here).
Code:
p0¥é♀2Ä
« Last Edit: December 10, 2017, 02:20:22 pm by spamviech »

Krys3000

  • French living dexer
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #321 on: November 26, 2017, 11:55:30 am »
That's very nice, we could add that to the newcomers guide!


spamviech

  • Member+
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #322 on: November 26, 2017, 12:28:13 pm »
Currently testing this a bit and VC doesn't seem to like the execution part of this code. It restarts with wonky colors, and changes your options and mailbox upon reloading. Also I apparently beat the Elite 4 once, which was the 80th time, with a bunch of Slowbros and a Zapdos. :o
I changed the jp [hl] instruction with a ret statement to simply copy it towards box names which then can be executed as normal (or with the Quagsire holding TM01 instead of TM02 to start with character 1).

At least for now I didn't notice any negative side effects.


If you add this to the beginners guide you should also include the part about how to maximize TM/HM count presented here.
And maybe include the ability to increase/decrease deposit quantities by 10 via left/right input. I totally forgot about it and re-finding it made things way easier.
TM-codes are still a pain to set up ingame, though.
« Last Edit: November 26, 2017, 12:34:36 pm by spamviech »

Epsilon

  • Member+
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #323 on: November 26, 2017, 04:48:50 pm »
VC probably won't like anything that involves SRAM.

spamviech

  • Member+
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #324 on: December 10, 2017, 01:30:23 pm »
luckytyphlosion told me about a temporary mail buffer and after poking around I found it to be at $ceed (same for English and German, probably other European versions as well).

It is reset after reloading and contains the data from the mail last written or read (maybe also on transfer to PC, forgot to test this one).
For most shorter codes this is probably the preferred way to write text-based code. You only have to account for a 4e character after the first line (16 bytes) of text.
This also allows you to store a few different codes and cycle through them without constant rewriting.

To execute you would either have to teach your Quagsire False Swipe as a first move (can't learn naturally) and give it a TM45 or use this box item code:
Code:
Any x Any
Any x 195
TM45 x 206
For english version (possibly others) there also exists this box name code:
Code:
1) A p 0 z'v 1 5 5 XOR A; OR b9; SUB f7; EI; EI; LD D, B | A->ce
2) é'r 2'vPk é'm 2 LD [d3f8], A; SUB e1; LD [d2f8], A; LD D, B | A->ed
3)'m ^ ^ JP NC, {edce}


Also to note about my previous code:
I swapped registers for some reason, so it still was execution in SRAM. Direct execution after copying might be possible after all.
Will add results once I've tested this with corrected registers.

Edit:
Using the right registers direct execution works. I'll edit my original post.
« Last Edit: December 10, 2017, 02:16:27 pm by spamviech »

Storyreader21

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #325 on: December 13, 2017, 12:54:21 pm »
Hey, I have a question. I have a code from a video for getting to level 98 with bag items:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x49
- TM12 x1
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Mail x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

Or level 99 with:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x99
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Mail x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

The problem is, I can't use these on Unown, because the code changes DVs as well, and that is what the Unown shapes are based on. So how do I modify these codes to get to level 98/99 without changing DVs, so my Unown remain the same letters and I can level them all up?

Storyreader21

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #326 on: December 13, 2017, 12:55:49 pm »
Hey, I have a question. I have a code from a video for getting to level 98 with bag items:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x49
- TM12 x1
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Mail x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

Or level 99 with:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x99
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Mail x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

The problem is, I can't use these on Unown, because the code changes DVs as well, and that is what the Unown shapes are based on. So how do I modify these codes to get to level 98/99 without changing DVs, so my Unown remain the same letters and I can level them all up?

Make that PC items for Coin Case.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • Gender: Female
  • I love My Melody. 🦋 ✿
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #327 on: December 13, 2017, 02:03:08 pm »
Hi. :)

I'm unsure how to modify it as the parts that modify the other addresses seem to take up a significant portion of the code.

I have this though for the Sleep Talk as move 1 Quagsire holding a Protein:

(ANY ITEM) x(ANY)
(ANY ITEM) x(ANY)
X Accuracy x73
TM27 x1
(ANY ITEM) x(ANY)
Great Ball x62
Wht Apricorn x1
(ANY ITEM) x(ANY)
Leaf Stone x1
(ANY ITEM) x(ANY)
Great Ball x38
TM22 x1
(ANY ITEM) x(ANY)
Great Ball x46
Lovely Mail x1
(ANY ITEM) x(ANY)
Poké Ball x5
Poké Ball x62
X Accuracy x5
Super Rod x1
(ANY ITEM) x(ANY)
Poké Ball x119
Poké Ball x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANY ITEM) x(ANY)
TM41 x1

This code will set your first Pokémon's level to 97 and replace item 1 with Rare Candies, and do nothing else.

Raw bytes in case anybody wants them:
@D61B:

21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9

Hope this helps!
« Last Edit: December 13, 2017, 03:42:39 pm by Princess Torchic ❤ »


✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

Storyreader21

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #328 on: December 13, 2017, 06:09:44 pm »
Quote from: Evie the Mother Hen ☽ ❤ on December 13, 2017, 02:03:08 pm
Hi. :)

I'm unsure how to modify it as the parts that modify the other addresses seem to take up a significant portion of the code.

I have this though for the Sleep Talk as move 1 Quagsire holding a Protein:

(ANY ITEM) x(ANY)
(ANY ITEM) x(ANY)
X Accuracy x73
TM27 x1
(ANY ITEM) x(ANY)
Great Ball x62
Wht Apricorn x1
(ANY ITEM) x(ANY)
Leaf Stone x1
(ANY ITEM) x(ANY)
Great Ball x38
TM22 x1
(ANY ITEM) x(ANY)
Great Ball x46
Lovely Mail x1
(ANY ITEM) x(ANY)
Poké Ball x5
Poké Ball x62
X Accuracy x5
Super Rod x1
(ANY ITEM) x(ANY)
Poké Ball x119
Poké Ball x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANY ITEM) x(ANY)
TM41 x1

This code will set your first Pokémon's level to 97 and replace item 1 with Rare Candies, and do nothing else.

Raw bytes in case anybody wants them:
@D61B:

21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9

Hope this helps!

Hey, in this, the Great Balls and Poké Balls are in multiple spots; how do I get them there?

spamviech

  • Member+
  • Gender: Male
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #329 on: December 13, 2017, 06:14:29 pm »
Quote from: Storyreader21 on December 13, 2017, 06:09:44 pm
Hey, in this, the great balls and pokeballs, are in multiple spots, how do I get them there?

Either by other ACE shenanigans, or by depositing 99 of said item and then depositing some more. Afterwards, withdraw to the desired amount and be careful while swapping not to merge them (swap next to another stack of the same item).