Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case

CasualPokePlayer
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #375 on: March 09, 2020, 08:51:44 pm »
How many ACE modes do Pokémon Gold and Silver have?

Umm, for Gold/Silver we have the following ACE methods:

1. Coin Case
2. Wrong pocket TMs
3. Move 0x00's type 0xD0 arbitrary code execution

ACE within ACE: FF80 ACE

Crystal has a few more:

1. 0x15 control character ACE
2. Burned Tower Silver wrong side glitches

Edit: Ah, also remote code execution :) https://www.youtube.com/watch?v=e8CO_e_rKd8 and https://www.youtube.com/watch?v=exbS3yO45k0

Edit 2:

Stack smash ACE
Glitch Pokédex mode ACE
CartSwap ACE

https://forums.glitchcity.info/index.php?topic=8126.msg207521#msg207521

Hope this helps :)

Also wrong pocket TM ACE, also depositing the terminator into a box (possible with temp view corruption from friendly clones).

Evie the Bird Mother 🌸 ☽
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #376 on: March 10, 2020, 08:07:01 am »
Thanks ^^ (not sure if I knew the latter one)
(I was former joint head admin but stepped down)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post. ^^
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Love, faith, hope are free. If all is lost friends save us.
Thanks fans for lovely Torchic artwork. ♡ First image thanks Nyapon.

yntzl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #377 on: April 05, 2020, 07:30:22 am »
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

This code works with TM17 or TM25, but it also corrupted my save file lol.

The player sprite changed (fixed when using Surf or Fly), opening the Pokédex crashes the game (hearing the Bellsprout cry from the party is a possible workaround), I can't get off the train when travelling between Johto and Kanto, and possibly some more stuff is broken that I haven't noticed yet.

Now I'm looking for a cheap cart reader to backup and fix the save on a PC.

(Super apologies for double-posting)


Stored Pokemon 1 is shiny:
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYnp'd


(Coin case version)
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYn55
Box 8: péZ(mult).9'l'l
Box 9: 'l'lp'd5555

Very nice fam, worked flawlessly with TM25.
« Last Edit: April 05, 2020, 12:42:10 pm by yntzl »
life sucks and then you die
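As an added example that is not part of the thread and not the posters' code, the Python below encodes a box name with the Gen II character table (taken from the pokecrystal charmap; assumed to match Gold) and reads the bytes back as SM83 instructions, the way the listing above is read. The decoder knows only the opcodes that appear in the listing, and it tracks the accumulator through XOR A / SUB n / OR n so the "A->xx" notes for the first two boxes can be checked.

```python
# Added example (not the thread's code): encode a Gen II box name to bytes and read
# them back as SM83 instructions. Charset = pokecrystal charmap (assumed for Gold).
CHARMAP = {**{chr(ord("A") + i): 0x80 + i for i in range(26)},
           **{chr(ord("a") + i): 0xA0 + i for i in range(26)},
           **{str(d): 0xF6 + d for d in range(10)},
           "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4,
           "'t": 0xD5, "'v": 0xD6, "'": 0xE0, "é": 0xEA, ".": 0xE8, "&": 0xE9,
           "×": 0xF1, "/": 0xF3, ",": 0xF4, "♀": 0xF5, "(": 0x9A, ")": 0x9B}
TERMINATOR = 0x50  # closes every 8-character box name; executes as LD D, B

def encode_box_name(name):
    """Tokenise a box name ('v, 'd ... count as one character) into its 9 bytes."""
    out, i = [], 0
    while i < len(name):
        tok = name[i:i + 2] if name[i:i + 2] in CHARMAP else name[i]
        out.append(CHARMAP[tok])
        i += len(tok)
    if len(out) > 8:
        raise ValueError("a box name holds at most 8 characters")
    return bytes(out) + bytes([TERMINATOR])

# opcode -> (mnemonic template, operand byte count). 16-bit operands are printed as
# the resolved little-endian address ([f8fa]); the listing prints memory order (faf8).
OPS = {0xAF: ("XOR A", 0), 0xD6: ("SUB {0:02x}", 1), 0xF6: ("OR {0:02x}", 1),
       0xEA: ("LD [{1:02x}{0:02x}], A", 2), 0x06: ("LD B, {0:02x}", 1),
       0x21: ("LD HL, {1:02x}{0:02x}", 2), 0x22: ("LD [HLI], A", 0),
       0x23: ("INC HL", 0), 0x05: ("DEC B", 0), 0x20: ("JR NZ, {0:02x}", 1),
       0xB7: ("OR A", 0), 0xD0: ("RET NC", 0), 0xFB: ("EI", 0),
       0xFF: ("RST 38", 0), 0x50: ("LD D, B", 0)}

def disassemble(code, start=0, a=None):
    """Decode from offset `start`, tracking A through XOR A / SUB n / OR n."""
    pc, lines = start, []
    while pc < len(code):
        op = code[pc]
        if op not in OPS:                  # outside the listing's opcode subset
            lines.append(f"DB {op:02x}"); pc += 1; continue
        text, n = OPS[op]
        args = code[pc + 1:pc + 1 + n]
        lines.append(text.format(*args))
        if op == 0xAF:
            a = 0
        elif a is not None and op == 0xD6:
            a = (a - args[0]) & 0xFF       # SUB wraps modulo 256
        elif a is not None and op == 0xF6:
            a |= args[0]
        pc += 1 + n
    return lines, a
```

Decoding box 1 from byte offset 1 mirrors the bootstrap entering at box 1 character 2, so the leading "A" is skipped, and passing the resulting A value into the decode of box 2 reproduces the listing's A->06 and A->18.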

Evie the Bird Mother 🌸 ☽
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #378 on: April 06, 2020, 12:16:34 pm »
To fix the Pokédex, you'll need to change Gold's last mode Pokédex mode RAM address if it got corrupted, which is D67E (D959 in Crystal). You should be able to do this with Crystal_'s generic purpose method, or the following TM17 code (assuming your bootstrap goes to box names at box 1 character 2 [TM02 and Return]).

Box 1: Ap09'vB55 (number 0 and number 5)
Box 2: é'm255px5 (not multiply but lowercase x, and number 5s)
Box 3: éA0'd

The Magnet Train flag may be at a different address, which I'm unsure of, sorry.
« Last Edit: April 06, 2020, 12:17:06 pm by Evie the Bird Mother 🌸 ☽ »

yntzl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #379 on: April 10, 2020, 08:15:41 pm »
Just noticed more broken stuff, when interacting with the receptionist at the Trainer House or with Cal I get the following dialog "Object event."



Sadly the Mystery Gift doesn't seem to work between the 3DS VC and GBC, so I can't check whether that would fix it.
« Last Edit: April 10, 2020, 08:19:16 pm by yntzl »

Evie the Bird Mother 🌸 ☽
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #380 on: April 11, 2020, 12:13:11 am »
Nice. (Object Event is known. I don't know why it happened at the Trainer House, though).

yntzl
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #381 on: April 11, 2020, 11:12:22 am »
It's been a wild ride with the save in this state because I don't know what else is broken and I could get stuck. Another thing I noticed is that the boat between Johto and Kanto doesn't work -- the missing girl event is partially reset (her gramps bumps into me), but she is nowhere to be found and the boat never arrives at Vermilion.

I think some flags regarding the post-game were reset, which would explain the "Object event." in the Trainer House, I guess?

Can't wait for my cart reader to arrive so I can dive deeper into this mess; this is a great opportunity for me to get into some ASM, kinda nice.