Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 95954 times)


greentyphlosion

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #360 on: December 25, 2019, 06:18:03 pm »
I haven't read through the whole thread so please forgive me if this has been covered already, but is it possible, using ACE, to change a Pokemon's location data? I got wondering recently after noticing that there is a special text entry for Pokemon obtained from events when speaking with the PokeSeer in Cianwood City ("What!? Incredible! I don't understand how, but it is incredible! You are special. I can't tell where you met it, but it was at [level].") which is completely inaccessible in the Virtual Console versions due to there not being any event Pokemon; it would be nifty if this could be unlocked. The only other way I can think of is transplanting cartridge save data to the 3DS (I've seen it done before) and taking a Pokemon obtained from Stadium or a real-world event.

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #361 on: March 09, 2020, 06:23:13 am »
> From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.
>
> 't ($d5) - ($80) = $55, which should return Red Apricorns.
>
> Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.
>
> If you would like, I can alter the code to produce PP Ups.
>
> Edit: Change box 2 to p0'v'vYé7't
>
> Hope this helps!

I'm very new to this. Any chance you could help me with the code for Twisted Spoon? Would be much appreciated! Thanks

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #362 on: March 09, 2020, 07:06:54 am »
> > From my understanding, what the code does is take the character's hex value, subtract $80, and use the end result as the item.
> >
> > 't ($d5) - ($80) = $55, which should return Red Apricorns.
> >
> > Unfortunately, the hex value of PP Ups ($3e) + ($80) = ($BE), which is not able to be represented as a valid character.
> >
> > If you would like, I can alter the code to produce PP Ups.
> >
> > Edit: Change box 2 to p0'v'vYé7't
> >
> > Hope this helps!
>
> I'm very new to this. Any chance you could help me with the code for Twisted Spoon? Would be much appreciated! Thanks



[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)


Let's modify this to change Pokémon 3's held item:
Quote
Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555   (XOR A; OR b1)
Box 2: é♂455555   (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.

^ This becomes;


(Bold means change)

> Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> Box 2: 'vGéG4555               ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> Box 3-12: 55555555
; As usual Box 13/14 remain the same
 

We also can refer to http://pastebin.com/raw/arPmsvYu by Sanqui

This code will change the held item of Pokémon 3 (the same as doing the GameShark code 01xx8CDA once). This should let you get TwistedSpoon. Hope this helps. Feel free to ask if you have any questions. :)

(edit: I messed up something fixed post now.)
« Last Edit: March 09, 2020, 07:55:55 am by Evie (retired from head adminship) »
(I was former joint head admin but stepped down)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post. ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Love, faith, hope are free. If all is lost friends save us.
Thanks fans for lovely Torchic artwork. ♡ First image thanks Nyapon.
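
Added example (not code from any poster in this thread): a Python sketch that turns the box names above into the bytes they store and steps the few Game Boy CPU opcodes involved, showing which address receives which value. It decodes both the Box 2 from Reply #362 and the corrected Box 2 posted further down in Reply #366. Assumptions: the character table (the thread itself gives only 't = $D5, ? = $E6 and 4 = $FA), the $50 name terminator, execution running linearly from the first byte of Box 1, and registers A and B starting at 0.

```python
# Added example; not code from the thread. CHARMAP is an assumed subset of the
# Gen II English text encoding (the thread confirms 't=$D5, ?=$E6, 4=$FA).
CHARMAP = {"é": 0xEA, "?": 0xE6, "♂": 0xEF}
CHARMAP.update({chr(ord("A") + i): 0x80 + i for i in range(26)})
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})
CHARMAP.update({"'" + c: 0xD0 + i for i, c in enumerate("dlmrstv")})
TERMINATOR = 0x50  # assumed end-of-name byte; as an opcode it is LD D,B

def encode_box(name):
    """Return the 9 bytes one typed box name occupies (8 characters + terminator)."""
    out, i = [], 0
    while i < len(name):
        tok = name[i:i + 2] if name[i] == "'" else name[i]  # 'd 'l 'm ... are one tile
        out.append(CHARMAP[tok])  # KeyError: character missing from the table
        i += len(tok)
    if len(out) != 8:
        raise ValueError(f"{name!r} is {len(out)} characters, expected 8")
    return bytes(out + [TERMINATOR])

def run(code, a=0, b=0):
    """Step the few opcodes these names use; return (A, {address: value written})."""
    writes, pc = {}, 0
    while pc < len(code):
        op = code[pc]
        if op == 0x80:                      # ADD A,B
            a = (a + b) & 0xFF
        elif op == 0xAF:                    # XOR A
            a = 0
        elif op == 0xF6:                    # OR d8
            pc += 1
            a |= code[pc]
        elif op == 0xD6:                    # SUB d8
            pc += 1
            a = (a - code[pc]) & 0xFF
        elif op == 0xEA:                    # LD (a16),A with a little-endian operand
            addr = code[pc + 1] | (code[pc + 2] << 8)
            pc += 2
            if 0xE000 <= addr <= 0xFDFF:    # echo RAM mirrors $C000-$DDFF
                addr -= 0x2000
            writes[addr] = a
        elif op not in (0xFB, 0x50):        # EI and LD D,B leave A and memory alone
            raise ValueError(f"opcode {op:#04x} not modelled")
        pc += 1
    return a, writes

def item_write(box1, box2):
    """Memory writes made by Box 1 followed by Box 2."""
    return run(encode_box(box1) + encode_box(box2))[1]

FIRST = item_write("Ap0?5555", "'vGéG4555")  # Box 2 as posted in Reply #362
FIXED = item_write("Ap0?5555", "'vGéL4555")  # corrected Box 2 from Reply #366
```

Under these assumptions the corrected names make a single write of $60 to $DA8B (reached through its echo at $FA8B), while the first version writes the same value to $DA86.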

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #363 on: March 09, 2020, 07:32:25 am »
Thank you so much for helping out. Pardon my ignorance but how do you input Apostrophe into the box name? It doesn't show up as a character. I'm on Pokemon Gold on the Gameboy and using the coin case.

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #364 on: March 09, 2020, 07:42:30 am »
> Thank you so much for helping out. Pardon my ignorance but how do you input Apostrophe into the box name? It doesn't show up as a character. I'm on Pokemon Gold on the Gameboy and using the coin case.

You're welcome. I'm sorry I overlooked this too.  :-[ Changed it again this might help

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #365 on: March 09, 2020, 07:55:04 am »
> > Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> > Box 2: 'vGéG4555               ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> > Box 3-12: 55555555
> ; As usual Box 13/14 remain the same

My game restarts with a different colour. My 3rd 'slide' Pokemon now knows solarbeam as its first move, not sure if that's the result? hah
« Last Edit: March 09, 2020, 08:24:46 am by dsteel23 »

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #366 on: March 09, 2020, 08:43:02 am »
> > > Box 1: Ap0?5555 (XOR A OR e6 ) ; xor A or E6 basically means reset to 0 and add E6 (?).
> > > Box 2: 'vGéG4555               ; 'vA is subtract 86 because e6-86 is 60 (TwistedSpoon; see https://glitchcity.info/wiki/The_Big_HEX_List) (LD [dA8C], a). E6 is a ? mark. The bold M is taken from 8C in DA8C. 4 is FA; but FA8C is basically the same as DA and works on VC.
> > > Box 3-12: 55555555
> > ; As usual Box 13/14 remain the same
>
> My game restarts with a different colour. My 3rd 'slide' Pokemon now knows solarbeam as its first move, not sure if that's the result? hah


Oh nooo Evie you idiot!! -_- (note to self before writing codes always test them) OK can you try this in box 1 and 2 please?

Ap0?5555 (? is the character not something to change and 0 is zero)
'vGéL4555
« Last Edit: March 09, 2020, 08:48:12 am by Evie (retired from head adminship) »

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #367 on: March 09, 2020, 09:12:06 am »
> Oh nooo Evie you idiot!! -_- (note to self before writing codes always test them) OK can you try this in box 1 and 2 please?
>
> Ap0?5555 (? is the character not something to change and 0 is zero)
> 'vGéL4555


The one off code works fine, however when I change the box names to the ones you gave me the game freezes or restarts in a new colour.
FYI: I've got 5 Pokes in my party
Pokemon 3 is a slide HootHoot and is carrying Max Repel as the change item

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #368 on: March 09, 2020, 09:33:22 am »
Sorry to hear that it still didn't work. I see. Sometimes, in addition to doing the movement pattern and listening to Bellsprout/Machop's cry, you need to switch bag pockets before using the Coin Case. The issue might be if you open the bag on that pocket without switching pockets it won't work, resulting in the colours reset (called a Glitch Dimension). Another issue might be if boxes 3-12 were changed after using the one-off code, and when the one-off code works, you can save and reset to secure that future codes work because you have to execute it again otherwise. Additionally re: getting Solarbeam, are you using the same slide Pokémon as when you got it?

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #369 on: March 09, 2020, 09:53:09 am »
I have used the coin case exploit for a while now and I am familiar with the bag pocket switching and usual bugs.

"Another issue might be if boxes 3-12 were changed after using the one-off code" - regarding this, the one off code has Box 3 set as éA355555, so you would have to change it to 55555555 in order to make it work right? As the code only requires the name change of boxes 1 and 2.

So I am a little confused as to what the underlying issue may be.

The slide pokemon works for the One off code so surely it would work for the next code? I'll try with a new slide and update this.

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #370 on: March 09, 2020, 10:21:10 am »
Sorry, yes change it to 55555555. Yeah if the slide Pokémon works it should work again. I got it to happen on a video hope this might clear some things up. :) Otherwise I don't know sorry. :( https://www.youtube.com/watch?v=x-uM9PJUDwc&feature=youtu.be
« Last Edit: March 09, 2020, 10:23:42 am by Evie (retired from head adminship) »

dsteel23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #371 on: March 09, 2020, 10:36:43 am »
It worked! It had to do with the fact that you were turning off menu account in settings? I had no idea that was a thing to do. Thank you so much for the video. You are a legend.

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #372 on: March 09, 2020, 10:46:50 am »
> It worked! It had to do with the fact that you were turning off menu account in settings? I had no idea that was a thing to do. Thank you so much for the video. You are a legend.

Yay! You're welcome. ^^ Glad it worked and sorry for me taking such a long time. You can do it with menu account on too, but the menu will lag even more, repeating the menu descriptions letter by letter on loop. So still unsure, but I get freezes like you if I don't change box 3 to 55555555
« Last Edit: March 09, 2020, 10:47:20 am by Evie (retired from head adminship) »

Unused Trainer

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #373 on: March 09, 2020, 01:23:12 pm »
How many ACE modes do Pokémon Gold and Silver have?

Evie the Bird Mother 🌸 ☽

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #374 on: March 09, 2020, 03:04:13 pm »
> How many ACE modes do Pokémon Gold and Silver have?

Umm, for Gold/Silver we have the following ACE methods;

1. Coin Case
2. Wrong pocket TMs
3. Move 0x00's type 0xD0 arbitrary code execution

ACE within ACE: FF80 ACE

Crystal has a few more:

1. 0x15 control character ACE
2. Burned Tower Silver wrong side glitches

Edit: Ah, also remote code execution :) https://www.youtube.com/watch?v=e8CO_e_rKd8 and https://www.youtube.com/watch?v=exbS3yO45k0

Edit 2:

Stack smash ACE
Glitch Pokédex mode ACE
CartSwap ACE

https://forums.glitchcity.info/index.php?topic=8126.msg207521#msg207521

Hope this helps :)
« Last Edit: March 09, 2020, 03:16:29 pm by Evie (retired from head adminship) »