Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 85639 times)


asphere

« Reply #45 on: July 01, 2017, 09:04:55 am »
> You're in the wrong topic for this, the Coin Case glitch doesn't work in European localizations of Gold/Silver. There are other methods to obtain ACE, but they are more complicated.
> (I will continue replying in the "G/S/C glitch discussion")
>
> (Also the post you quoted has no relation whatsoever to what you asked. Quoting a post should be done when you refer to it, please.)
ok sorry i wrong section and mention xD

forsyz

« Reply #46 on: August 11, 2017, 05:21:06 am »
Has anyone tried Coin Case ACE on the Gold/Silver VC injects? I've heard Coin Case ACE does not work on VBA or the GB Tower because of inaccurate emulation; this may cause it not to work on Gold/Silver VC.

Flandre Scarlet

« Reply #47 on: August 11, 2017, 06:06:25 am »
> Has anyone tried Coin Case ACE on the Gold/Silver VC injects? I've heard Coin Case ACE does not work on VBA or the GB Tower because of inaccurate emulation; this may cause it not to work on Gold/Silver VC.

Nobody has had a chance yet since Gen 2 VC doesn't come out until September 22nd.

forsyz

« Reply #48 on: August 11, 2017, 07:16:14 pm »
You can inject them into the VC if you have CFW, and they just reuse the same emulator for all the games. They changed a few things with the Gen 1 VC emulator, but it emulates just like the older one. Edit: tried it on the VC emulator and it does work, so Coin Case stuff should work on the VC versions of G/S as long as the terminator is not changed.
« Last Edit: August 12, 2017, 08:22:27 am by forsyz »

forsyz

« Reply #49 on: August 12, 2017, 10:28:51 pm »
> Item cloning is possible with Pokemon cloning. Now we need to find a way to do item mutation.
>
> I've been playing around with this glitch for a while now and recently found a way to produce any item. The process is almost the same as what TheZZAZZGlitch laid out in his video where he explained how to get Celebi.
>
> https://www.youtube.com/watch?v=SpfgOVfGVTo
>
> Basically, you place 43 Fresh Water in your PC instead of 42, and you'll jump to the item of the first Pokemon in your party instead of the ID number. Given the normal set up that would yield HM09 I think which can be sold for about 19000 Pokebucks...
>
> This happens because the stack of 4 Great Balls increases the index number of the item where TheZZAZZGlitch placed HM07 in the video, so you don't just get back the same item that you put in the PC. Also, using only 2 Great Balls increases the index number by 1 and using multiple stacks of Great Balls will increase the index number in the same manner.
>
> This can be helpful for getting stray items by finding base items that have an index number before theirs as you can swap out HM07 with other base items to mutate. This way you don't even lose the item you were initially working with.
>
> I don't know much assembly, but I know enough to understand the concepts behind how the glitch works. Given that 42 Fresh Water correspond to changing the ID number of the first Pokemon in your party, subsequently adding Fresh Water will move you one byte further into the Pokemon's data allowing you to overwrite things like moves by having 44 to 47 Fresh Waters or EXP by having 50 to 52.
>
> There's a simple list of the data structure here:
> http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_II
>
> An interesting way to use this is getting a level 100 by changing the EXP of a Pokemon and simply knocking out one wild Pokemon. I'm pretty sure this takes 50 Fresh Water.
>
> So there's a rudimentary form of item mutation and also access to all the Pokemon's stats and their Attacks, EXP, Friendship etc.
>
> Oh, and a nice list of Pokemon, Moves, and Items by index number courtesy of TheZZAZZGlitch's video:
> http://pastebin.com/raw/arPmsvYu
Tried to do it with 8 Great Balls but it just causes the game to white screen. Looks like it only works with 2 or 4 Great Balls, which means you have to do the glitch twice, swapping the items out in the PC, if you want to change the item into one that's more than 2 index numbers away.
« Last Edit: August 12, 2017, 10:55:48 pm by forsyz »

Parzival

« Reply #50 on: August 12, 2017, 11:55:59 pm »
You're dealing with Coin Case ACE here. You either did something wrong... or you need to switch to BGB. ;)



forsyz

« Reply #51 on: August 13, 2017, 02:03:11 am »
> You're dealing with Coin Case ACE here. You either did something wrong... or you need to switch to BGB. ;)

I did do something wrong the first time I tried it with 8 Great Balls: the Pokemon in the first party slot was holding no item. Idk if that will affect it or you can only raise the index by 1 or 2 with 2 or 4 Great Balls. I've tried 2 and 4 Great Balls and they work. Edit: found out you have to use multiple stacks of Great Balls if you want to increase the index by more than 2.
« Last Edit: August 14, 2017, 12:50:54 am by forsyz »

ISSOtm

« Reply #52 on: August 13, 2017, 04:28:28 am »
forsyz, Coin Case ACE uses Echo RAM (since it basically runs code from there), and it didn't work with VBA because it didn't emulate Echo RAM.
The VC is known to emulate Echo RAM (as seen here), so Coin Case had to work.

Flandre Scarlet

« Reply #53 on: September 23, 2017, 07:18:18 am »
Is there any method to make a pokemon learn a specific move with the coin case? Mainly so that I could get Aeroblast on Lugia in Gold Version since that isn't possible otherwise. Using the method where you only use Box Names if possible similar to this video by Torchikens https://youtu.be/NeC36_MhSBA
« Last Edit: September 23, 2017, 07:27:20 am by Flandre Scarlet »

FMK

« Reply #54 on: September 25, 2017, 02:34:26 pm »
> Is there any method to make a pokemon learn a specific move with the coin case? Mainly so that I could get Aeroblast on Lugia in Gold Version since that isn't possible otherwise. Using the method where you only use Box Names if possible similar to this video by Torchikens https://youtu.be/NeC36_MhSBA

It's most certainly possible -- and actually extremely simple for Aeroblast in particular, though to use any of my Coin Case ACEs you need to do the following first:

Code:
[REQUIRED] One-off code so all future codes don't need the 'return to game' code:
Box 1 : Ap0w'vA55    (XOR A; OR b6; SUB 0x80)
Box 2 : é'm2p'v7'v'd (LD [d2f8], A; XOR A; SUB fd; SUB d0)
Box 3 : éA355555     (LD [80f9], A)
Box 4+: 55555555     (Safe filler code)
Box 13: 5555péD9     (XOR A; LD [83ff], A)
Box 14: 'l'lA'lx'd55 (POP DE; POP DE; INC SP; POP DE; OR A; RET NC)

Pokemon 5, Move 4 Modifier (Aeroblast) - Box 1, change r to whatever and replace 5555 with 'v(Letter)55 or 'v(Letter)'v(Letter) when needed:
Box 1: Ap0r5555   (XOR A; OR b1)
Box 2: é♂455555   (LD [efda], A)
Box 3+: 55555555
Box 13 and 14: Should never be modified after using the required code.


Other simple, randomish codes, for any interested (All boxes not used for code should all be 5's, except 13 and 14):

Code:
255x Ball 1, Master Ball:
Box 1: Ap09é8't5  (XOR A; OR ff; LD [fed5], A)
Box 2: p0B'vAé7't (XOR A; OR 0x81; SUB 0x80; LD[fdd5], A)

Player Sprite Modifier - Permanent (Old Man; Change 's and A to different values for different results, can replace the 55 for Box 1 with 'v(Another Letter) too, if desired value is unobtainable):
Box 1: Ap0's'vA55 (XOR A; OR d4; SUB 0x80)
Box 2: é9'l55555  (LD [ffd1], A)

Tons of Money:
Box 1: Ap0/'vA55  (XOR A; OR f3; SUB 0x80)
Box 2: é'm2p0955  (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555  (LD [80d5], A)

Tons of Coins:
Box 1: Ap04'vA55   (XOR A; OR fa; SUB 0x80)
Box 2: é'm2p0955   (LD [d2f8], A; XOR A; OR ff)
Box 3: éA't55555   (LD [80d5], A)


Kudos to Torchickens for the following, just stripped off the RTG code.

Turn Pokémon 1 Shiny:
Box 1: Ap0'd'vR55  (XOR A; OR d0; SUB 0x91)
Box 2: é'm2pp045   (LD [d2f8], A; XOR A; XOR A; OR fa)
Box 3: éA4p0'd'vQ  (LD [80fa], A; XOR A; OR d0; SUB 0x90)
Box 4: é?2p0k55    (LD [e6f8], A; XOR A; OR aa)
Box 5: 55éA4555    (LD [80fa], A)

Change Pokemon 1 (Celebi) - Box 2, change the first 5 to whatever and the last two 55's to 'v(Letter) when needed:
Box 1: Ap0k'vA55  (XOR A; OR aa; SUB 80)
Box 2: é'm2p0555  (LD [d2f8], A; XOR A; OR fb)
Box 3: éA455555   (LD [80fa], A)
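
Added example (not part of FMK's post or of any tool from this thread): a small Python decoder that turns box names into the bytes the CPU executes and disassembles them, so the annotations next to the codes above can be checked. The character values are the English Gold/Silver text encoding for the characters used in this thread; the full 8-character name followed by a 0x50 terminator and the limited opcode table are assumptions of the example. It also maps Echo RAM addresses (E000-FDFF) back to the WRAM bytes they mirror, the behaviour ISSOtm's reply says an emulator has to reproduce.

```python
import re

# English Gold/Silver text encoding, restricted to characters used in this thread.
CHARMAP = {"é": 0xEA, "♂": 0xEF, "♀": 0xF5, "?": 0xE6, ".": 0xE8,
           "/": 0xF3, ":": 0x9C, " ": 0x7F}
CHARMAP.update({chr(0x41 + i): 0x80 + i for i in range(26)})          # A-Z
CHARMAP.update({chr(0x61 + i): 0xA0 + i for i in range(26)})          # a-z
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})                 # 0-9
CHARMAP.update({"'" + c: 0xD0 + i for i, c in enumerate("dlmrstv")})  # 'd 'l 'm 'r 's 't 'v

TERMINATOR = 0x50  # assumed layout: terminator byte stored after each 8-character name

# opcode -> (mnemonic template, operand bytes); only the opcodes these codes rely on
OPCODES = {0x50: ("LD D,B", 0), 0x80: ("ADD A,B", 0), 0xAF: ("XOR A", 0),
           0xB7: ("OR A", 0), 0xD0: ("RET NC", 0), 0xD1: ("POP DE", 0),
           0xD6: ("SUB ${:02X}", 1), 0xF6: ("OR ${:02X}", 1),
           0xEA: ("LD [${:04X}],A", 2), 0xFB: ("EI", 0)}


def encode_boxes(names):
    """Box names -> the byte string the CPU would see, terminators included."""
    out = bytearray()
    for name in names:
        tokens = re.findall(r"'[dlmrstv]|.", name)  # 'v etc. are single characters
        if len(tokens) != 8:
            raise ValueError(f"{name!r}: expected 8 characters, got {len(tokens)}")
        out += bytes(CHARMAP[t] for t in tokens) + bytes([TERMINATOR])
    return bytes(out)


def wram_target(addr):
    """Map an Echo RAM address (E000-FDFF) to the WRAM byte it mirrors."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def disassemble(code):
    """Linear sweep over the opcode subset; bytes outside it are shown as DB."""
    lines, pc = [], 0
    while pc < len(code):
        template, nargs = OPCODES.get(code[pc], ("DB ${:02X}", 0))
        value = int.from_bytes(code[pc + 1:pc + 1 + nargs], "little") if nargs else code[pc]
        text = template.format(value)
        if nargs == 2 and wram_target(value) != value:
            text += f"  ; Echo RAM mirror of ${wram_target(value):04X}"
        lines.append(text)
        pc += 1 + nargs
    return lines


if __name__ == "__main__":
    # Box names from the "Pokemon 5, Move 4 Modifier (Aeroblast)" code above
    for line in disassemble(encode_boxes(["Ap0r5555", "é♂455555"])):
        print(line)
```

A write that targets an Echo RAM address only reaches the intended WRAM byte on hardware or emulators that implement the mirror.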

Flandre Scarlet

« Reply #55 on: September 25, 2017, 08:21:50 pm »
The codes all worked very well, thank you so much for your hard work!

forsyz

« Reply #56 on: September 26, 2017, 07:16:54 am »
A code that makes a Pokemon hold any item using box names would be useful; it means you can still do some Coin Case item setups even if you have already used the TMs and forgot to clone them.

Evie the Mother Hen ☽ ❤

« Reply #57 on: September 26, 2017, 02:07:15 pm »
This is great, thank you FMK!  :)

I've come up with a code that allows you to obtain 49 of every TM/HM in the TM/HM pocket. It only just fit box 1-box 6, and the name for box 7 is completely changed. It is x49 because register a is still 0x31, the least significant byte of ByteFill.

First off use the one-off code in FMK's post.

Secondly, name the boxes from box 1-6 the following:

Ap'vCé025
'vj'vué♀25
'v.é32p'v9
é22pé425
'vué62'v 5
é52'v:é72
55♀55555

And use the Coin Case after following the usual steps.

What this code does is call $314C with parameters hl=D57E and bc= $0x39.


DoubleNegative

« Reply #58 on: September 26, 2017, 08:25:40 pm »
No matter what I try, I keep getting a glitch dimension instead of box name code. My slide pokemon is the hatched togepi and I'm using a wooper holding sweet scent. It's a bit of a pain, but I can get headbutt, but I tried that once already.

Evie the Mother Hen ☽ ❤

« Reply #59 on: September 26, 2017, 09:24:04 pm »
> No matter what I try, I keep getting a glitch dimension instead of box name code. My slide pokemon is the hatched togepi and I'm using a wooper holding sweet scent. It's a bit of a pain, but I can get headbutt, but I tried that once already.

If you're using one of my or FMK's codes the TM12 Sweet Scent won't work as it would end up skipping the first twelve box name characters instead of only skipping the first character (for when you use TM02 Headbutt). I think it's easiest just to use the TM02 Headbutt.

I don't know how reliable Togepi are but if you haven't already try catching many Pokémon west of New Bark Town on Route 29 (even if you end up catching 20 or more and try each one, as some people have been really unlucky).

Wooper is used in speedruns instead of Quagsire, but because the jump is conditional (jp nz,$xxyy) to be safe it may be best to use Quagsire which has a jump without a conditional (jp, $xxyy).
