Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 67369 times)


spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #330 on: December 28, 2017, 09:19:23 pm »
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want; it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #331 on: January 19, 2018, 08:27:21 am »
Here, have a CartSwap setup!

Code:
A p é 7 2 é ? 2
é & 2 'v 9 é 8 2
p 'v * é (male) 2 / /
é * 2 / / / / p
0 (pk) é A 9 4 A 9
/ / ? A 8 A / /
'm (pk) 2 p 's A (female) 'm

This is compatible with either the Coin Case setup or Wrong Pocket.

In gbz80, that's:
Code:
xor a ; a = 0
ld ($f8fd),a ; self-mod
ld ($f8e6),a ; self-mod
ld d,b ; end-terminator
ld ($f8e9),a ; self-mod
sub $FF ; a = 1
ld ($f8fe),a ; self-mod
ld d,b ; end-terminator
xor a ; a = 0
sub $F1 ; a = $0f
ld ($f8ef),a ; self-mod
di ; Disable ints. If they are active during cartswap, and an int is requested, unwanted code may be executed
di ; padding
ld d,b
ld ($f8f1),a ; self-mod
di ; padding
di ; padding
di ; padding
di ; padding
.loop:
xor a ; a = 0
ld d,b ; end-terminator
or $e1 ; a = $e1
ld ($ff00),a ;  Enable polling for Directional buttons. Didn't use "ldh", as it isn't char-representable
ld a,($ff00) ; Receive results of poll
ld d,b ; end-terminator
di ; padding
di ; padding
and $0f ; I don't care about the upper nibble
cp $0f ; Compare with $0f
di ; padding
di ; padding
ld d,b ; end-terminator
jp nc, .loop ; If the carry flag wasn't set by the compare, jump back. (Didn't use "jr", not char-representable)
xor a ; a = 0, reset flags
call nc,$F580 ; Call the third TM quantity. ENSURE THE CARRY FLAG IS NOT SET IN YOUR FUNCTION
jp nc,$0100 ; Boot into whatever game is loaded now

Basically what this does is it waits for any button on the D-Pad to be pressed, calls a function written starting at TM03, and then reboots the game. During this time, you can swap the cartridges and write to SRAM.

"So what do I write to TM03?" - That's where you come in!

In gen2, TM quantities (starting from TM03) grant you 48 bytes to write your own code to alter the SRAM of other games.

Not sure what to do? Here's an example:
Code:
TMs    Keep/Deposit
TM01   Any
TM02   Any
TM03   38/217
TM04   10/245
TM05   116/139
TM06   38/217
TM07   64/191
TM08   46/209
TM09   1/254
TM10   117/138
TM11   62/193
TM12   21/234
TM13   234/21
TM14   193/62
TM15   176/79
TM16   234/21
TM17   211/44
TM18   176/79
TM19   22/233
TM20   1/254
TM21   21/234
TM22   1/254
TM23   139/116
TM24   15/240
TM25   33/222
TM26   152/103
TM27   165/90
TM28   42/213
TM29   130/125
TM30   87/168
TM31   11/244
TM32   120/135
TM33   177/78
TM34   32/223
TM35   248/7
TM36   122/133
TM37   47/208
TM38   234/21
TM39   35/220
TM40   181/74
TM41   201/54

Raw bytes:
Code:
$D580 / 26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0
16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20
f8 7a 2f ea 23 b5 c9

To use:

1. In Pokemon Red/Blue, ensure you have the first pokemon in your current box be a disposable one
2. Set up your box name and TM quantities as above
3. Use the coin case or wrong pocket
4. Swap into Pokemon Red/Blue (maybe Yellow, I'm not sure). (On BGB, this is accomplished with "Load ROM without reset")
5. Press any button on the D-Pad

When you boot into Pokemon R/B, the first Pokemon in your box should now be Mew. (The name will remain unchanged)

In my opinion, this is a bit easier to deal with than Gen 1 cartswap.

Enjoy!
« Last Edit: January 19, 2018, 09:27:07 am by Epsilon »
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Evie Torchic the Glitch Scientist

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #332 on: January 19, 2018, 11:22:12 am »
Amazing :)

So, a couple of questions as I've never done much cartswapping before.

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)? How would you do this for Yellow and Crystal?

Thanks.
Hi!

I'm Evie.

I'm a transgender person, but any pronouns are fine. She/her preferred.

Unfortunately due to legal concerns I won't be using emulators and unauthorised copies of ROMs anymore, just real hardware with official cartridges and a cheating device (Xploder) to aid research, sorry.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thanks Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Faith (which doesn't have to be religious) and a positive attitude/optimism is half the battle for well-being.

Fun times come and go, we may argue what is the point if nothing in this world is permanent; and all energy is believed to be subject to transformation. I guess in the temporary absence of it though, we value those times more and even though some things seem to be lost, they return in other forms.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #333 on: January 19, 2018, 11:34:19 am »
Quote from: Evie Torchic the Glitch Scientist
Amazing :)

Thanks!

Quote from: Evie Torchic the Glitch Scientist
If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)

Modifying $A598-$B522 would require a checksum fix at $B523. Though I'm not certain if this is checked, the box data in banks 2-3 have their own checksums. These need not be modified if you only care about the current box, however.

Quote from: Evie Torchic the Glitch Scientist
How would you do this for Yellow and Crystal?

In Yellow, I believe SRAM data is not shifted. Don't quote me on that, though, because I'm not 100% certain. I just checked Pokeyellow, and it seems my setup for Mew will still work! :)

As for Crystal, I'm not certain. I don't think data is shifted in Crystal to an extent that would prevent this from working, but once more I'm not 100% certain as I currently lack a Crystal ROM.
« Last Edit: January 19, 2018, 11:46:17 am by Epsilon »
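The checksum fix discussed in the two posts above is the Gen 1 main-data checksum: every byte from $A598 to $B522 is summed, the low byte of the sum is complemented, and the result is stored at $B523 (in the raw CartSwap bytes this is the ld bc,$0f8b / ld hl,$a598 loop that ends in cpl and ld ($b523),a). The Python below is an added example written for this page, not code from the thread, from Epsilon, or from any disassembly project. It applies that rule to a constructed all-zero SRAM bank, shows that changing a species byte without refreshing $B523 makes the check fail, and then repairs it the way the payload does. The addresses $A598, $B522, $B523, $B0C1, $B0D3 and the value $15 come from the posts above; the bank contents are constructed.

```python
"""Gen 1 main-data checksum as described in the thread (added example)."""

SRAM_BASE = 0xA000          # SRAM bank 1 is visible at $A000-$BFFF
MAIN_DATA_START = 0xA598    # first byte covered by the checksum (from the thread)
CHECKSUM_ADDR = 0xB523      # checksum byte; the covered range $A598-$B522 ends just before it
BOX_SPECIES_ADDRS = (0xB0C1, 0xB0D3)   # the two species bytes the CartSwap payload writes
PAYLOAD_SPECIES = 0x15                 # the value the payload loads with "3e 15"


def main_data_checksum(bank: bytes) -> int:
    """Byte-wise sum of $A598..$B522, complemented, truncated to 8 bits.

    Same arithmetic as the payload's loop: add every byte into one register,
    then cpl the result before storing it at $B523.
    """
    start = MAIN_DATA_START - SRAM_BASE
    end = CHECKSUM_ADDR - SRAM_BASE
    return (~sum(bank[start:end])) & 0xFF


def checksum_ok(bank: bytes) -> bool:
    """True when the stored checksum matches the data it covers."""
    return bank[CHECKSUM_ADDR - SRAM_BASE] == main_data_checksum(bank)


def write_species(bank: bytearray, species: int, fix_checksum: bool) -> None:
    """Write both species bytes; optionally refresh $B523 the way the payload does."""
    for addr in BOX_SPECIES_ADDRS:
        bank[addr - SRAM_BASE] = species
    if fix_checksum:
        bank[CHECKSUM_ADDR - SRAM_BASE] = main_data_checksum(bank)


def demo() -> tuple:
    """Constructed all-zero bank: valid -> tampered (check fails) -> repaired."""
    bank = bytearray(0x2000)                      # one 8 KiB SRAM bank, constructed
    bank[CHECKSUM_ADDR - SRAM_BASE] = main_data_checksum(bank)
    before = checksum_ok(bank)
    write_species(bank, PAYLOAD_SPECIES, fix_checksum=False)
    tampered = checksum_ok(bank)                  # data changed, $B523 stale
    write_species(bank, PAYLOAD_SPECIES, fix_checksum=True)
    repaired = checksum_ok(bank)
    return before, tampered, repaired


if __name__ == "__main__":
    print(demo())                                 # (True, False, True)
```

The range length is the reason the payload loads bc with $0f8b: $B523 - $A598 is exactly 0x0F8B bytes. Any write inside that window, not only the two species bytes, needs the same refresh or the game will treat the save as corrupt.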

Krys3000

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #334 on: January 23, 2018, 12:31:47 pm »
The shift only applies to WRAM (starting at $CF00). Everything before that point is just the same in all non-Japanese Red, Blue and Yellow :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #335 on: January 26, 2018, 02:03:15 pm »
Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555
« Last Edit: January 26, 2018, 02:04:15 pm by hobgoblinpie »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #336 on: January 26, 2018, 02:11:27 pm »
Quote from: hobgoblinpie
Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555

Replace box 7 with "p'd"

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #337 on: January 26, 2018, 03:15:32 pm »
Perfect, thanks!

Azarokkusu

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #338 on: February 21, 2018, 11:56:39 pm »

Quote from: Skeef
This should give you 255 of the first item in your item pack.

Box1: A p 0 9 é z 't x
Box2: 'd

Been trying to do this on English VC and for the life of me I can't get it to work for me. I even did spamviech's slider pokemon method and I still just crash every time. I have no idea what I've done wrong here... assuming this is a TM25 code of course. I have done ones I know are TM25 codes and I can't get any of them to work, though.

If I use them with Sanqui (my old slide pokemon that worked for coin case ACE, named after Sanqui of course) the game freezes on the item screen with no change and the music still playing (softlock), but if I do it with the other slider 'mon, it resets into a glitch dimension.

edit: the glitch dimension thing is because Quagsire needs to be in slot 4 with spamviech's slider pokemon method I believe. When I do that it freezes the same way as it does with Sanqui. Whoops! That's one question answered.
« Last Edit: February 22, 2018, 12:19:20 am by Azarokkusu »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #339 on: February 22, 2018, 06:51:11 am »
Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is
Code:
A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd

Azarokkusu

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #340 on: February 23, 2018, 02:43:58 am »
Quote from: Epsilon
Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is
Code:
A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd

I said assuming it was a TM25 code - I WAS using it with TM25. Just TM25 refuses to work properly for me it seems.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #341 on: February 23, 2018, 06:03:31 am »
The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #342 on: February 23, 2018, 09:03:12 am »
The slide-Pokémon I provided works specifically for Coin Case. If you're using TM25 not only does execution start at the second pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25-slide-pokémon, so you either have to use the Coin Case or try your luck with random low levels.


Quote from: Epsilon
The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.
« Last Edit: February 23, 2018, 09:05:34 am by spamviech »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #343 on: February 23, 2018, 09:43:26 am »
Quote from: spamviech
Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.

Azarokkusu

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #344 on: February 25, 2018, 02:48:56 am »
Quote from: spamviech
The slide-Pokémon I provided works specifically for Coin Case. If you're using TM25 not only does execution start at the second pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25-slide-pokémon, so you either have to use the Coin Case or try your luck with random low levels.

Quote from: Epsilon
The issue is not with Skeef's code. It translates to the following ASM:
Code:
xor a
or a,$ff
ld ($d5b9),a
or a
ret nc

...which does its intended job of giving x255 of the first item. All I can say is ensure you have set up your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

Quote from: spamviech
Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

That's what I suspected. I REALLY should get around to learning the assembly code for this... but I'm lazy. Though, I'd like to have the ACE for a working TM25 slide pokémon. 'Till then I'm gonna go find myself a temporary slide pokémon until then since that's the only thing I can see in my case that could be wrong here (I wrote the box name code correctly and put the Quagsire [holding TM02 and with Return as the first move] and slide pokémon in the correct places in slots 3 and 2 respectively).

Thanks!

Quote
I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?

Quote
Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the coin case a lot yesterday with the same slide Pokemon and walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches, when you repeat that enough times you're certainly walking a good number of steps, but my slide Pokemon still worked. And today I was using the hatched Togepi as a slide Pokemon as a test and it worked, so I would certainly recommend freshly hatched Pokemon.

As for your question, I haven't messed around with shiny codes yet but if the first code changed the egg to shiny and then you changed the Pokemon species then it should still be shiny as that is determined by the DVs which are made when you use your shiny code.
Quote
Not quite. Even if your slide's happiness value increases, it doesn't matter too much unless it reaches a malicious opcode. What I mean by that is, any opcode that changes code flow (call, ret, jp, jr), any opcode that stops the CPU (stop, and MAYBE halt, I'm not quite sure), any op that messes with the stack (inc sp, push, pop, ld sp, rst, etc.), any invalid ops ($D3, $DB, $DD, $E3, $E4, $EB, $EC, $ED, $F4, $FC, $FD), and "di".

The Happiness value increments upon walking 256 steps, and when freshly caught, has a value of $00. The first "malicious" opcode it encounters is "stop", which is hex $10. So, a freshly caught slide pokemon is considered "broken" after 4096 steps. However, you can easily set this value to $11 (ld de,$xxyy) by walking 256 more steps. So if you find that your slide has stopped working, walk 256 more steps and see if that fixes it.

Also, it is worth noting that happiness is not the only thing that affects slide pokemon.
Here's a list of all factors that affect slide pokemon:

Attack EV
Defense EV
Speed EV
Special EV
Attack/Defense IV
Speed/Special IV
PP of current moveset
Happiness/Hatch Time
Pokerus
Caught Information
Level
Status
HP
Max HP
Attack
Defense
Speed
Special Defense
Special Attack - Must correspond to an instruction that is one byte long, otherwise the jump instruction that executes your code will be absorbed!

I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.
« Last Edit: February 25, 2018, 03:25:02 am by Azarokkusu »
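Two things this thread does by hand lend themselves to a small tool: translating a box-name string into the bytes the CPU executes (Epsilon's CartSwap listing, Skeef's item code and its Coin Case variant, spamviech's PC-item code) and deciding which byte values are safe inside a slide Pokémon's stats (the happiness discussion quoted just above). The Python below is an added example written for this page; it is not code from any poster or from the disassembly projects. Assumptions: the character table is restricted to the Gen 2 characters that appear in this thread, each mapping taken from a character/byte pair a poster shows (for instance 'é 4 2' is EA FA F8, ♂ is EF, 'd is D0, the box-name terminator is $50); instruction lengths are derived from the gbz80 opcode layout; the mnemonic table covers only opcodes seen on this page and prints anything else as db; and the "unsafe" classification is Epsilon's list (control flow, stop/halt, stack, invalid opcodes, di). The sample box names are quoted from the thread.

```python
"""Box-name code helpers for the Gen 2 ACE thread above (added example)."""

# --- Gen 2 text encoding, restricted to the characters used in this thread ---
TERMINATOR = 0x50                        # ends every box name; executes as "ld d,b"
SPECIAL = {
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    "(pk)": 0xE1, "?": 0xE6, ".": 0xE8, "&": 0xE9, "é": 0xEA,
    "(male)": 0xEF, "♂": 0xEF, "(mult)": 0xF1, "×": 0xF1, "*": 0xF1,
    "/": 0xF3, ",": 0xF4, "(female)": 0xF5, "♀": 0xF5,
}
CHARSET = dict(SPECIAL)
CHARSET.update({chr(ord("A") + i): 0x80 + i for i in range(26)})   # A-Z
CHARSET.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})   # a-z
CHARSET.update({str(i): 0xF6 + i for i in range(10)})              # 0-9
_TOKENS = sorted(CHARSET, key=len, reverse=True)                    # longest match first


def encode_box_name(text: str, terminator: bool = True) -> bytes:
    """Encode one box name written as in the thread ("A p é 7 2" or "Ap0'd'vR55")."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        tok = next((t for t in _TOKENS if text.startswith(t, i)), None)
        if tok is None:
            raise ValueError(f"no Gen 2 code for {text[i]!r} at offset {i}")
        out.append(CHARSET[tok])
        i += len(tok)
    if terminator:
        out.append(TERMINATOR)
    return bytes(out)


# --- gbz80 instruction lengths, derived from the opcode layout ---------------
_THREE = {0x01, 0x08, 0x11, 0x21, 0x31, 0xC2, 0xC3, 0xC4, 0xCA, 0xCC,   # ld rr,d16; jp; call
          0xCD, 0xD2, 0xD4, 0xDA, 0xDC, 0xEA, 0xFA}                    # ld (a16),a; ld a,(a16)
_TWO = {0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0xCB, 0xE0, 0xE8, 0xF0, 0xF8}


def insn_length(op: int) -> int:
    """Bytes occupied by the instruction whose first byte is `op` (1, 2 or 3)."""
    if op in _THREE:
        return 3
    if op in _TWO or ((op < 0x40 or op >= 0xC0) and op & 7 == 6):
        return 2                     # jr/stop/ldh/sp ops, ld r,d8, alu a,d8
    return 1


# --- slide-Pokémon safety, following Epsilon's list of "malicious" opcodes ---
_CTRL = (0x18, 0x20, 0x28, 0x30, 0x38, 0xC3, 0xC2, 0xCA, 0xD2, 0xDA, 0xE9,  # jr, jp
         0xCD, 0xC4, 0xCC, 0xD4, 0xDC, 0xC9, 0xC0, 0xC8, 0xD0, 0xD8, 0xD9,  # call, ret
         0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF)                     # rst
_STACK = (0xC5, 0xD5, 0xE5, 0xF5, 0xC1, 0xD1, 0xE1, 0xF1,          # push, pop
          0x31, 0x33, 0x3B, 0xE8, 0xF9)                            # ld sp; inc/dec sp; add sp
_INVALID = (0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD)
UNSAFE = {op: "changes control flow" for op in _CTRL}
UNSAFE.update({op: "modifies sp" for op in _STACK})
UNSAFE.update({op: "invalid opcode" for op in _INVALID})
UNSAFE.update({0x10: "stop", 0x76: "halt (flagged as uncertain above)", 0xF3: "di"})


def slide_unsafe_reason(op: int):
    """Why a stat byte equal to `op` breaks a slide Pokémon, or None if it is harmless."""
    return UNSAFE.get(op)


def final_byte_ok(op: int) -> bool:
    """Epsilon's rule for the last stat byte before the jump: safe and exactly one byte long."""
    return op not in UNSAFE and insn_length(op) == 1


def first_unsafe_happiness(start: int = 0) -> int:
    """Lowest happiness value >= start that decodes to an unsafe opcode."""
    return next(h for h in range(start, 0x100) if h in UNSAFE)


def steps_until_unsafe(happiness: int = 0) -> int:
    """Steps left before happiness (+1 per 256 steps, per the thread) hits an unsafe opcode."""
    return (first_unsafe_happiness(happiness) - happiness) * 256


# --- a subset disassembler: only opcodes seen in this thread get mnemonics ---
MNEMONICS = {
    0x05: "dec b", 0x06: "ld b,${0:02x}", 0x10: "stop", 0x11: "ld de,${1:02x}{0:02x}",
    0x20: "jr nz,{r:+d}", 0x21: "ld hl,${1:02x}{0:02x}", 0x22: "ld (hl+),a", 0x23: "inc hl",
    0x50: "ld d,b", 0x76: "halt", 0x80: "add b", 0xAF: "xor a", 0xB7: "or a", 0xC9: "ret",
    0xD0: "ret nc", 0xD1: "pop de", 0xD2: "jp nc,${1:02x}{0:02x}", 0xD4: "call nc,${1:02x}{0:02x}",
    0xD5: "push de", 0xD6: "sub ${0:02x}", 0xE6: "and ${0:02x}", 0xE8: "add sp,{r:+d}",
    0xEA: "ld (${1:02x}{0:02x}),a", 0xF3: "di", 0xF6: "or ${0:02x}", 0xFA: "ld a,(${1:02x}{0:02x})",
    0xFB: "ei", 0xFE: "cp ${0:02x}",
}


def disassemble(code: bytes) -> list:
    """Split `code` into instructions; returns (offset, hex bytes, text) per instruction."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        raw = code[pc:pc + insn_length(op)]
        if len(raw) < insn_length(op):                      # truncated tail: show as data
            out.append((pc, raw.hex(), "db " + " ".join(f"${b:02x}" for b in raw)))
            break
        ops = list(raw[1:])
        rel = (ops[0] - 0x100 if ops[0] > 0x7F else ops[0]) if ops else 0   # jr/add sp offset
        out.append((pc, raw.hex(), MNEMONICS.get(op, f"db ${op:02x}").format(*ops, r=rel)))
        pc += len(raw)
    return out


def listing(boxes) -> list:
    """Encode each box name (terminator included) and return the mnemonics in order."""
    return [text for _, _, text in disassemble(b"".join(encode_box_name(b) for b in boxes))]


# Box names quoted from the thread: Epsilon's CartSwap opening and Skeef's item code.
CARTSWAP_BOXES = ["A p é 7 2 é ? 2", "é & 2 'v 9 é 8 2"]
SKEEF_BOXES = ["A p 0 9 é z 't x", "'d"]

if __name__ == "__main__":
    print("\n".join(listing(SKEEF_BOXES)))
    print(steps_until_unsafe(), "steps before a fresh slide Pokémon's happiness reaches stop")
```

Unlike the hand listings in the thread, the decoder prints every byte, so the leading A of each code shows up as add b (it only touches a, which the xor a right after it clears) and each box name ends in the $50 terminator spamviech mentions, decoded as ld d,b. Running first_unsafe_happiness from $11 returns $18 (jr), which is why walking another 256 steps past the stop opcode buys a few more happiness values before the next problem.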