Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 86895 times)

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #120 on: October 21, 2017, 08:22:32 pm »
You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)

On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.

Dragon Arbock

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #121 on: October 21, 2017, 09:15:19 pm »
What I've been doing is using ACE to change my pokemon into a pokemon that learns the move, leveling it to the appropriate level, learning the move, then using ACE again to change it back. Obviously this isn't very efficient, but I'm not capable of working out a code to replace moves myself.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #122 on: October 22, 2017, 07:21:12 am »
Quote
You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)

On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.

Here's a quick-and-dirty TM 25 Ball Pocket code that I made to teach Ice Beam to Pokemon 5. Due to character limitations, I was restricted to the fourth move, so make sure Pokemon 5 has at least 3 moves before using.

Box 1: Ap0?'vm55
Box 2: é(male)4p'd555

Here's the same code, but for use with the Coin Case (make sure to use FMK's one-off code):
Box 1: Ap0?'vm55
Box 2: é(male)455555
Box 3+: 55555555
Box 13: Leave Unchanged (FMK's Code)
Box 14: Leave Unchanged (FMK's Code)

I have not tested the Coin Case version (I prefer to use TM 25), but it should work as described. If it doesn't, please let me know.

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #123 on: October 22, 2017, 08:42:36 am »
For Flamethrower and Thunderbolt you only need to change Box 1.

Flamethrower:
Code:
Ap0v'vA55 XOR A; OR b5; SUB 80
Thunderbolt:
Code:
Ap0't'vA55 XOR A; OR d5; SUB 80
Ice Beam:
Code:
Ap0?'vm55 XOR A; OR e6; SUB ac

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #124 on: October 22, 2017, 09:18:19 am »
Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.

So is it possible to teach any move through these methods, or are there some character limitations for certain moves?

Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #125 on: October 22, 2017, 09:29:13 am »
Quote
Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.

So is it possible to teach any move through these methods, or are there some character limitations for certain moves?

Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.

With enough changes of box 1, it is possible to teach any move, probably even glitch moves, though I haven't tried this for myself.

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #126 on: October 22, 2017, 09:53:50 am »
Thanks Couldntthinkofaname and spamviech for explaining it, I really appreciate it. It's pretty incredible how blown open the games are thanks to a simple lack of a valid terminator.

Things like Extremespeed Dragonite would be cool, at least until Crystal comes out (even then you'd need two 3DS's or a friend in order to trade).
« Last Edit: October 22, 2017, 09:54:05 am by hobgoblinpie »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #127 on: October 22, 2017, 10:19:07 am »
So, I decided to make a box code that makes the 5th Pokemon's 4th move be glitch move $ff

Box 1: A09é(male)4p'd

The results were interesting to say the least.
« Last Edit: October 22, 2017, 10:21:10 am by Couldntthinkofaname »

Dragon Arbock

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #128 on: October 22, 2017, 02:20:47 pm »
I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
But everyone seems to love TM ace so now I'm not gonna have any more coin case formatted codes to work with.
(I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #129 on: October 22, 2017, 02:48:25 pm »
Quote
I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
But everyone seems to love TM ace so now I'm not gonna have any more coin case formatted codes to work with.
(I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).

I can reformat my code if you would like: (make sure to use FMK's one off code prior)

Pokemon 5 has glitch move $ff in move slot 4:
Box 1: A09é(male)455
Box 2+: 55555555
Box 13: Unchanged from FMK's code
Box 14: Unchanged from FMK's code

I'll start formatting my codes in both ways for ease of use to both parties.

If you see a TM 25 code you would like to use, usually reformatting can be done with these steps:

1. Use FMK's one-off code (if you haven't prior)
2. At the end of the code you wish to use, replace the final 'd with 5, and fill in the rest of that box name with 5
3. Fill in any unused box names with 5 (except Box 13 and 14)
4. Make sure box 13 and 14 are unchanged from FMK's one-off code

Hope this is useful! :)

Dragon Arbock

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #130 on: October 22, 2017, 03:05:06 pm »
I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).

From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #131 on: October 22, 2017, 03:53:43 pm »
Quote
I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).

From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).

Here's a breakdown of Box 1:

A                ; Useless char that does nothing
p                ; XOR a, so a = $00
0?               ; OR $e6, so a = $e6
'vm              ; SUB $ac, so a - $ac = $3a (Ice Beam)
5                ; ei, interrupts are already enabled so this does nothing
5                ; ei, same deal
(end terminator) ; ld d,b

And then Box 2 proceeds to load a into the desired location (In this case, $faef)

So if you wanted to make alterations to this code, you would replace ? and m with two values that you wish to subtract. Essentially, we are taking 2 values that can be represented as valid characters and subtracting them to get a value we would not have been able to type with characters.

As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.

Hope this helped!
« Last Edit: October 22, 2017, 03:54:29 pm by Couldntthinkofaname »

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #132 on: October 22, 2017, 04:38:56 pm »
Quote
Here's a breakdown of Box 1:

A ; Useless char that does nothing

More like an ignored character. With the usual setup (Quagsire holding TM02 with Return as first move) execution starts at the second character of the first box name.
You can literally put whatever character you want here. It's just A as a default, since that's where the cursor starts.

Quote
From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).
As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.

Hope this helped!

FMK's code puts the 'return to game' code into Box 13 and 14.
Filling the boxes with 5's just is a save passing code so execution reaches the return to game part.
The advantage is you don't have to engineer it yourself every time you write a new code, since you have to use a character normally not available. And you also have to figure out where to put it.
Otherwise part of the code always has to be "put the instruction for INC SP at the right place before it is executed". Due to limited charset (in most cases) this also restricts your available space to write code to a bit more than 8 box names, part of which is the 'return to game' code.

Hope this wasn't too techy.


Quote
With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).
Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.
« Last Edit: October 22, 2017, 04:51:26 pm by spamviech »
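Added example (mine, not code from this thread or from any of the posters) modelling Epsilon's Box 1 breakdown and spamviech's note that execution starts at the second character: the box names are run through a tiny interpreter for the handful of opcodes the codes use, and the OR x / SUB y trick that builds an untypeable move ID from two typeable characters is searched for automatically. The character-to-byte table is the Gen 2 text table as I know it and is an assumption; the move IDs and the $faef address are the ones given in the thread.

```python
# Added example, not code from the thread: a small model of the Gold/Silver box-name
# codes above. Typeable characters run as Game Boy opcodes, and a byte the character
# set cannot express (a move ID) is built as OR x / SUB y from two typeable bytes.
# Character values are the Gen 2 text table as I know it (an assumption).
CHARMAP = {chr(ord("A") + i): 0x80 + i for i in range(26)}        # A..Z -> $80..$99
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})  # a..z -> $A0..$B9
CHARMAP.update({str(i): 0xF6 + i for i in range(10)})             # 0..9 -> $F6..$FF
CHARMAP.update({"'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4,
                "'t": 0xD5, "'v": 0xD6, "?": 0xE6, "é": 0xEA, "(male)": 0xEF})
TERMINATOR = 0x50  # byte that ends each box name in memory; runs as a harmless ld d,b

def tokenize(box_name):
    """Split the thread's notation: "'x" is one character, as is "(male)"."""
    tokens, i = [], 0
    while i < len(box_name):
        n = 6 if box_name.startswith("(male)", i) else 2 if box_name[i] == "'" else 1
        tokens.append(box_name[i:i + n])
        i += n
    return tokens

def run(boxes):
    """Run the box names as code from Box 1's second character (the first is skipped
    by the setup). Only the opcodes the thread's codes use are modelled; returns (A, stores)."""
    code = [b for name in boxes for b in [CHARMAP[t] for t in tokenize(name)] + [TERMINATOR]]
    a, carry, mem, pc = 0, False, {}, 1
    while pc < len(code):
        op, pc = code[pc], pc + 1
        if op == 0xAF:                       # p  : xor a      -> a = 0, carry cleared
            a, carry = 0, False
        elif op == 0xF6:                     # 0  : or n
            a, carry, pc = a | code[pc], False, pc + 1
        elif op == 0xD6:                     # 'v : sub n      (carry = borrow)
            carry, a, pc = code[pc] > a, (a - code[pc]) & 0xFF, pc + 1
        elif op == 0xEA:                     # é  : ld (nn),a  nn is little-endian
            mem[code[pc] | code[pc + 1] << 8], pc = a, pc + 2
        elif op == 0xD0 and not carry:       # 'd : ret nc     (ends the code here)
            break
        elif op not in (0xFB, 0x50, 0xD0):   # 5 / terminator: ei, ld d,b do nothing
            raise NotImplementedError(f"opcode ${op:02x} not modelled")
    return a, mem

def or_sub_pair(target):
    """Typeable x, y with (x - y) mod 256 == target: the trick Box 1 relies on."""
    return next(((x, y) for x, xv in CHARMAP.items() for y, yv in CHARMAP.items()
                 if (xv - yv) & 0xFF == target), None)

def box1_for_move(move_id):
    """Lay out Box 1 as the thread does: A, xor a, or x, sub y, ei, ei."""
    x, y = or_sub_pair(move_id)
    return f"Ap0{x}'v{y}55"
```

Running the Ice Beam TM 25 code from the thread, `run(["Ap0?'vm55", "é(male)4p'd555"])` leaves $3a (58) at $faef; `box1_for_move(85)` produces a Box 1 for Thunderbolt that may differ from spamviech's, since several typeable pairs subtract to the same byte.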

Dragon Arbock

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #133 on: October 22, 2017, 05:24:32 pm »

Quote
With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).
Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.

Oh, so you simply can't target pokemon 1?
And if we're using the FMK setup now, how do you convert old codes like this to work with that set up?
Quote
Box 1:  A  p  0  k 'v  A  5  5
Box 2:  é 'm  2  p  p  0  5  5
Box 3:  é  A  4  p 'v  7 'v 'd
Box 4:  é  ♂  2  p  é  D  9 'l
Box 5: 'l  5  5  5  5  5  5  5
Box 6:  5  5  5  A 'l  x 'd  5
Cause when I used a code that needed FMK's code (The give all TMs code), I ended up renaming all my boxes after so I could go back to using the other codes I'd been using.
« Last Edit: October 22, 2017, 05:25:44 pm by Dragon Arbock »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #134 on: October 22, 2017, 06:35:16 pm »
(Apologies for late reply)

If you wish to convert the code to work with the TM 25 setup, then this should work:

Box 1: Ap0k'vA55
Box 2: é'm2pp055
Box 3: éA4p'v7'v'd
Box 4: é(male)2péD95
Box 5: p'd555555

If you're meaning to use this with coin case, then it should already work as is, provided you executed the one-off code prior.

Quote
Oh, so you simply can't target pokemon 1?

Nope (at least not with moveset data). Pokemon 1's lower byte is not able to be represented with characters. However, some code developers have written self-modifying box name codes as a workaround. Still, it's much easier to just use addresses that can be represented as is, so we target pokemon 5, move 4, as both the high byte and low byte are able to be represented with 4 and (male) respectively.
« Last Edit: October 22, 2017, 06:39:07 pm by Couldntthinkofaname »