Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 85642 times)


ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #180 on: October 26, 2017, 11:15:34 am »
None of that really bothers me. The most tedious part has to be done either way (typing in the code). I could see the advantages though, either way I'll probably be forced into using it as support for coin case wavers.
TM25 is also much more convenient when developing code, since you don't have to fix the stack - which also requires SMC'ing an `inc sp` in. Thus more boxes can be used, leading to more powerful codes.

Speaking of fixing the stack, I wonder why this wouldn't work :
Code:
xor a
ld [$F199], a ; Menu lag-less
add sp, $FF ; dec sp
pop de ; Incurs an additional pop
pop de
pop de
pop de
or a
ret nc
instead of the classic
Code:
xor a
ld [$F199],a
pop de
pop de
inc sp
pop de
or a
ret nc
(Note : if for some reason "add sp, $FF" is infeasible, "ld hl, sp+$FF" followed by "ld sp, hl" should be possible)

The point of this setup is that it still fixes the stack, but doesn't require SMC anymore. So it could be moved to a later box ?
« Last Edit: October 26, 2017, 11:15:58 am by ISSOtm »
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #181 on: October 26, 2017, 11:22:15 am »
That's helpful! I'll try it out when I get the chance.
grouchy

Skeef

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #182 on: October 26, 2017, 03:25:50 pm »
Over 99 glitch blocks for items:
They don't seem to change based on location or anything it seems.


spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #183 on: October 26, 2017, 04:03:05 pm »
Quote from: ISSOtm on October 26, 2017, 11:15:34 am
None of that really bothers me. The most tedious part has to be done either way (typing in the code). I could see the advantages though, either way I'll probably be forced into using it as support for coin case wavers.
TM25 is also much more convenient when developing code, since you don't have to fix the stack - which also requires SMC'ing an `inc sp` in. Thus more boxes can be used, leading to more powerful codes.

Speaking of fixing the stack, I wonder why this wouldn't work :
Code:
xor a
ld [$F199], a ; Menu lag-less
add sp, $FF ; dec sp
pop de ; Incurs an additional pop
pop de
pop de
pop de
or a
ret nc
instead of the classic
Code:
xor a
ld [$F199],a
pop de
pop de
inc sp
pop de
or a
ret nc
(Note : if for some reason "add sp, $FF" is infeasible, "ld hl, sp+$FF" followed by "ld sp, hl" should be possible)

The point of this setup is that it still fixes the stack, but doesn't require SMC anymore. So it could be moved to a later box ?

Aren't you forgetting a (LD [$83ff], A)?
Never tried without it, but I thought this one was necessary.

Edit:
Just tried a do-nothing-then-return-to-game code and it worked:
Code:
Box 1: ppéD9éZ×     (XOR A; XOR A; LD [83ff], A; LD [f199], A)
Box 2: .9'l'l'l'lx'd (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
Should work as a footer in any box for Coin Case ACE (fill out the space before with 5s).

Always viewed the stack-pointer as a "don't touch" object so my knowledge in this regard is very limited. Great job finding this.

Edit²:
Turns out (LD [$83ff], A) isn't only not required, but removing it also removes the part that turns the player character invisible.
Using these as the final 2 box names works without problems (at least nothing obvious).   :)
Code:
Box n-1: pppppéZ×       (XOR A; LD [f199], A)
Box n  : .9'l'l'l'lx'd  (ADD SP, ff; POP DE; POP DE; POP DE; POP DE; OR A; RET NC)
« Last Edit: November 03, 2017, 03:37:50 pm by spamviech »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #184 on: October 26, 2017, 06:14:04 pm »
Quote from: Skeef on October 26, 2017, 03:25:50 pm
Over 99 glitch blocks for items:
They don't seem to change based on location or anything it seems.

These glitch tiles stay the same across locations because this is the default VRAM for the bag. Once an item exceeds a quantity of x99, the higher section of the quantity is displayed with tiles of the current VRAM, starting at VRAM tile $00.

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #185 on: October 26, 2017, 10:35:42 pm »
Thanks for the testing, spamviech ! Hopefully this will make Coin Case a bit easier to work with.

As for sp, remember that every time you push and pop, you're modifying sp :p
One pop implying incrementing sp twice, and one push decrementing it twice. This new approach basically decrements once and pops 4 times instead of incrementing and pop-ing 3 times.

By the way, the write to $F199 instead of $FF83 (not the other way around, I guarantee) was because of an above post suggesting the use of F199 instead to avoid the menu lag. I didn't test this, so I didn't know what the side-effects were. Anyways, thank you for making this small adjustment !
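Added example (my own code, not from the thread or from anyone posting in it) that decodes the two footer box names spamviech tested above into bytes, disassembles the handful of opcodes they use, and totals the stack-pointer change, to check ISSOtm's point that `add sp, $FF` followed by four pops and the classic `pop, pop, inc sp, pop` both move sp by the same 7 bytes. The character-to-byte table is my assumption from the Gen 2 text table; the thread itself only gives the decoded instructions.

```python
# Added example: decode Gen 2 box-name footers from this thread and total their effect on sp.
# The character-to-byte table is my assumption from the Gold/Silver text table; the thread
# only gives the decoded instructions (p = xor a, é = ld [a16],a, 'l = pop de, 'd = ret nc).
CHARMAP = {"p": 0xAF, "x": 0xB7, "y": 0xB8, "D": 0x83, "Z": 0x99, "9": 0xFF,
           "5": 0xFB, "é": 0xEA, ".": 0xE8, "×": 0xF1, "'l": 0xD1, "'d": 0xD0}

# Single-byte opcodes used by the footers: mnemonic and the change each one makes to sp.
SIMPLE = {0xAF: ("xor a", 0), 0xB7: ("or a", 0), 0xB8: ("cp b", 0), 0xFB: ("ei", 0),
          0xD1: ("pop de", +2), 0x33: ("inc sp", +1), 0xD0: ("ret nc", 0)}

def box_to_bytes(name):
    """Map a box name to the bytes the CPU executes; an apostrophe prefixes a two-character glyph."""
    out, i = [], 0
    while i < len(name):
        tok = name[i:i + 2] if name[i] == "'" else name[i]
        out.append(CHARMAP[tok])
        i += len(tok)
    return bytes(out)

def decode(code):
    """Disassemble up to the `ret nc`, returning [(mnemonic, sp_delta), ...]."""
    listing, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == 0xEA:                                   # ld [a16], a: little-endian address
            addr = code[pc + 1] | (code[pc + 2] << 8)
            listing.append((f"ld [${addr:04X}], a", 0))
            pc += 3
        elif op == 0xE8:                                 # add sp, e8: the immediate is SIGNED,
            e8 = code[pc + 1]
            e8 = e8 - 256 if e8 > 127 else e8            # so $FF means sp = sp - 1
            listing.append((f"add sp, {e8:+d}", e8))
            pc += 2
        else:
            mnem, delta = SIMPLE[op]
            listing.append((mnem, delta))
            pc += 1
            if mnem == "ret nc":
                break
    return listing

def sp_delta(code):
    """Net change to sp before the `ret nc` fires."""
    return sum(delta for _, delta in decode(code))

# spamviech's tested footer (boxes n-1 and n) versus the classic footer with the SMC'd inc sp.
NEW_FOOTER = box_to_bytes("pppppéZ×") + box_to_bytes(".9'l'l'l'lx'd")
CLASSIC = bytes([0xAF, 0xEA, 0x99, 0xF1, 0xD1, 0xD1, 0x33, 0xD1, 0xB7, 0xD0])
```

Both sequences come out at sp + 7, which is why the new footer can replace the classic one without any self-modifying `inc sp`.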

Dragon Arbock

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #186 on: October 27, 2017, 12:00:18 am »
Caved, got TM 25. Lots and lots of wild shiny Sneasel.
Now the question is how to change my existing codes into TM 25 format? Otherwise just stick with coin case for them, I guess.

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #187 on: October 27, 2017, 03:00:57 am »
Quote from: ISSOtm on October 26, 2017, 10:35:42 pm
Thanks for the testing, spamviech ! Hopefully this will make Coin Case a bit easier to work with.

As for sp, remember that every time you push and pop, you're modifying sp :p
One pop implying incrementing sp twice, and one push decrementing it twice. This new approach basically decrements once and pops 4 times instead of incrementing and pop-ing 3 times.

Knew that one already (kind of), that's why I didn't really touch these instructions as well (aside from "you need this as a footer").

Quote from: ISSOtm on October 26, 2017, 10:35:42 pm
By the way, the write to $F199 instead of $FF83 (not the other way around, I guarantee) was because of an above post suggesting the use of F199 instead to avoid the menu lag. I didn't test this, so I didn't know what the side-effects were. Anyways, thank you for making this small adjustment !
Think that was my post, but I only added it there. Didn't know you can completely replace it.

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #188 on: October 27, 2017, 03:43:29 am »
So I haven't had a chance to test yet, but are both the wild encounter any Pokemon and shiny encounter any Pokemon TM25 only codes, or is it just the shiny encounter one? If it's both then I'll have to cave in and get TM25 too like Dragon Arbock lol.

And great video Torchickens, though I wish you showed the caught Celebi's moves to show the start moves. :)

spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #189 on: October 27, 2017, 04:20:30 am »
They look like TM25 codes (no bunch of 'l at the end).

I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, then replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokemon, most Pokemon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if needs be.

Nintendo's going to have a real headache on their hands :)

For Coin Case, this adaptation should work:
Edit: Need to take a closer look at this. There appears to be something else going on compared to usual.
Edit²: Still don't know how this OAM DMA loop thingy works, but at least this code does:
Code:
Box 1:  Ap'v8é'm25
Box 2:  péZ(mult)0(male).9
Box 3:  'v'vé52p0'm
Box 4:  éJ9p0(female)'l'l
Box 5:  éK9p02'l'l
Box 6:  éL9p'd555
Box 7:  p0?yyéé'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd
« Last Edit: October 29, 2017, 07:49:34 am by spamviech »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #190 on: October 27, 2017, 06:06:23 am »
Quote from: spamviech on October 27, 2017, 04:20:30 am
For Coin Case, this adaptation should work:
Code:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'd55
Box10: pppppéZ× (× is the multiplication character)
Box11: .9'l'l'l'lx'd

Nice work! I'll add this to my video when I release it.

Edit: Make sure to replace 55 with yy, enabling interrupts during a Pokemon encounter crashes the game.
« Last Edit: October 27, 2017, 07:59:52 am by Couldntthinkofaname »

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #191 on: October 27, 2017, 07:03:37 am »
Thanks, will test later. Though I'll probably only get Celebi with this method. More challenging to get the rest the normal way, even though 1% and 5% Pokemon are so annoying to find sometimes. Currently post Elite Four searching for Furret and Pikachu on Routes 1 and 2.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #192 on: October 27, 2017, 07:29:12 am »
Insta-Death exploit

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: pé12p'd55
Box 5-6: (Doesn't Matter)
Box 7: péA'lé9'dy
Box 8: p'dyyyyyy

After using, all trainer/wild Pokemon will immediately faint on the first turn (move,item,etc.), and any Pokemon the trainer sends out afterwards will immediately faint upon being sent out.

Insta-death exploit (Coin case version, thanks ISSOtm and spamveich!)
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: pé125555
Box 5: pppppéZ(mult)
Box 6: .9'l'l'l'lp'd
Box 7: péA'lé9'dy
Box 8: p'dyyyyyy
« Last Edit: October 27, 2017, 08:42:37 am by Couldntthinkofaname »

SatoMew

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #193 on: October 27, 2017, 02:06:15 pm »
May make a video of it like Nostalgia suggested, and if you make one too I'll add a link to it in my video description.

Torchickens, could you also link to it using cards? :) They appear on the top-right side of the video player and automatically hide under a circular i button.

I already have the AVI and WAV ready, but I can't combine them yet, I've been scrambling for a video editor that can do this to no avail.

Any suggestions?

Code:
ffmpeg -i "/path/to/my-awesome-video.avi" -i "/path/to/its-dope-audio.wav" -c copy "/path/to/yay-we-have-sound-now.avi"
 :P

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #194 on: October 27, 2017, 07:19:00 pm »
Video is finally up. Curse ye slow internet speeds

I might make more videos for codes like Insta-Death exploit and some other codes I've written.

Like I mentioned earlier, definitely not Torchickens or Crystal_ quality.
« Last Edit: October 27, 2017, 07:21:58 pm by Couldntthinkofaname »