Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case

Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #225 on: October 31, 2017, 06:40:21 am »
Nice work!


When I get my cart, I'll probably release a code that grants you any Pokémon you wish with flawless IVs. I don't know the full extent of IVs' effect on stats, but it might be of some use to those who are stuck on Red (or Whitney's Miltank lol)

Thanks. Flawless DVs help, but it still takes a while to max out the stat experience as well. Though if anyone struggles with Whitney's Miltank or Red, they really are not good players haha. I did struggle when I was like 12, but when you play the games enough you realise the games are really not challenging and it's very easy to sweep through the game; the fact you can beat Red's team of level 70 and 80 Pokémon with a team of level 50s is proof of that.

Even if you had a really awful, low-levelled team going against Whitney, you could still buy X items and set up on the Clefairy and then easily defeat the Miltank, provided the RNG doesn't screw you over with Clefairy's Metronome.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #226 on: October 31, 2017, 07:08:14 am »
Here's the code:

All wild Pokemon have perfect IVs:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p'd
Box 4-6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy

Affects trainer Pokémon as well, so make sure to SAVE/RESET after catching your Pokémon.

In coin case, that's:
Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL9p5
Box 4: éZ(mult).9'l'l'l
Box 5: 'lp'd55555
Box 6: (Doesn't matter)
Box 7: 09é(female)'dé0'd
Box 8: p'dyyyyyy
« Last Edit: October 31, 2017, 07:59:05 am by Couldntthinkofaname »

Evie (retired from head adminship)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #227 on: October 31, 2017, 09:12:25 am »
Well that's VC Gold 100% completed. Shoutouts to those who helped me with various Coin Case tricks: Torchickens, Dragon Arbock, ISSOtm, SpunkyBandy, spamviech and Couldntthinkofaname.

Red fight was super easy, even easier than usual as my Houndoom hard counters Espeon, which is Red's biggest threat. Even though I've had countless gen II files over the years, it was fun to play with Pokémon I have never used in a run before like Houndoom and Scizor. It was also great to use perfect Hidden Powers for the first time ever; it gave my Scizor necessary STAB and gave Jolteon necessary coverage against Rock/Ground Pokémon with Hidden Power Water. Biggest highlight of the fight was my Level 50, 7 HP DV Jolteon surviving a Rain Dance boosted Surf from Red's Level 77 Blastoise. :L Also my Scizor OHKO'ed Red's Snorlax with a +6 Hidden Power Bug, but it did crit though. Something also nice with this run is when I caught a Chansey it was holding a Lucky Egg, and I don't think I've got one of those before: 1% for Chansey to appear and 8% chance for it to be holding a Lucky Egg. Lucky Egg certainly helped with training during those last few levels.

My team and ending stats:



With Yellow, Crystal, Emerald and now VC Gold that's 4 Pokemon playthroughs I've completed this year. Maybe I should play other games now, but Pokemon is just so damn fun. :'D

Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.
« Last Edit: October 31, 2017, 09:13:27 am by Torchickens »


Nostalgia

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #228 on: October 31, 2017, 10:20:45 am »
Congratulations Nostalgia! and I'm glad I helped you on your quest. :)

I've got 251 no glitches (except for Coin Case Mew and Celebi) too, but your play time is a lot faster than mine.

Thanks. It was the VC release and your videos that made me want to play gen II again. :) 251 with only using Coin Case for Mew and Celebi and no other glitches is what I did for my Crystal playthrough on Gameboy, by trading over a Mew and Celebi obtained on a Gold cartridge with Coin Case. However on VC Gold, because I had no one to trade with, I needed all the R/B/Y and Silver exclusives and the only way I could get them was with the Coin Case. I also used other glitches such as your DV code, Master Ball and Rare Candy codes to get through the Pokedex quicker, so that makes up for the time. My Crystal file is probably similar in time to yours, I think it was around 60 or 70 hours iirc, but on that file I trained my Pokemon to level 70 and I did (I think) four Battle Tower runs at level 40, 50, 60, 70.

I don't mind using a few extra glitches to make some of the tedious stuff quicker, for example getting a Larvitar and a Dratini all the way up to a Tyranitar and a Dragonite through training or the daycare takes ages and I've done it before and I wasn't particularly looking forward to doing that again. :P


Skeef

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #229 on: October 31, 2017, 01:44:47 pm »
If you could make the game corrupt itself with ACE that would be cool, but there would be a risk of also corrupting your save file.

The risk wouldn't be that great; the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur; the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #230 on: October 31, 2017, 03:45:48 pm »
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.

Parzival

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #231 on: October 31, 2017, 04:15:56 pm »
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ACE that would be cool, but there would be a risk of also corrupting your save file.

The risk wouldn't be that great; the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur; the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.


ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #232 on: October 31, 2017, 04:33:48 pm »
To then switch SRAM banks, write the desired number to $4000-$5FFF. (Avoid writing values that are too high; results will differ based on platform.)
The selected SRAM bank will then be available in range A000-BFFF...

By the way, to lock SRAM again, write a value that wouldn't unlock it to the same address range.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #233 on: October 31, 2017, 05:15:03 pm »
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ACE that would be cool, but there would be a risk of also corrupting your save file.

The risk wouldn't be that great; the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur; the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

Thank you! This should be helpful. I bet something like this would work:

Code:
ld hl,0000      ; start of the SRAM-enable register range ($0000-$1FFF)
ld bc,01ff      ; number of bytes to write
.loop
ld a,0a         ; a value whose low nibble is $A unlocks SRAM
ldi (hl),a      ; write it and advance hl
dec bc
ld a,b
or c            ; a is clobbered here, hence the reload at the top of the loop
jr nz,.loop
...

Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)
« Last Edit: October 31, 2017, 05:38:39 pm by Couldntthinkofaname »

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #234 on: November 01, 2017, 12:33:06 am »
I tried this in an emulator, but where the Pokémon in boxes are stored it's still all 0s.

Skeef

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #235 on: November 01, 2017, 04:29:06 am »
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
If you could make the game corrupt itself with ACE that would be cool, but there would be a risk of also corrupting your save file.

The risk wouldn't be that great; the game would have to miraculously unlock SRAM before any save corruption would take place.

Nothing too terribly interesting would occur; the game would probably Glitch Dimension before anything noticeable happened.

Can you unlock SRAM manually? Wondering if you can use TM25 to edit Pokémon in the box.
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #236 on: November 01, 2017, 04:57:59 am »
I tried this in an emulator, but where the Pokémon in boxes are stored it's still all 0s.

Are you executing this code in a debugger? If so, make sure to execute the code while viewing the bag, pokemon party, etc.

SRAM in gen 2 works a lot differently than in gen 1. In my copy of Gold, the SRAM immediately locks itself if unlocked in the overworld.


I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram

That sounds about right. Editing ROM in-game is impossible, so it makes sense that ROM addresses could be used for other parts of RAM when written to.

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #237 on: November 01, 2017, 05:32:33 am »
SRAM probably can be unlocked manually, but how this would be accomplished is beyond me.
(...)
Write 0Ah or anything else ending in A to ROM addresses 0000-1FFF to unlock SRAM.

Thank you! This should be helpful. I bet something like this would work:

Code:
ld hl,0000      ; start of the SRAM-enable register range ($0000-$1FFF)
ld bc,01ff      ; number of bytes to write
.loop
ld a,0a         ; a value whose low nibble is $A unlocks SRAM
ldi (hl),a      ; write it and advance hl
dec bc
ld a,b
or c            ; a is clobbered here, hence the reload at the top of the loop
jr nz,.loop
...

Although, writing this as a box name code may be difficult. But with enough adjustments and self-modding, I can probably make it work. :)
You don't have to write to all of these addresses, only to one of them. Same for all other writes.
Code:
ld a, $0A
ld [$0000], a
That's enough.

I tried this in an emulator, but where the Pokémon in boxes are stored it's still all 0s.
You probably didn't switch SRAM banks. If SRAM was locked, you'd see $FF, not $00.

(...)

I thought ROM was read only. O_o Anyways, I found this online and apparently the memory in range 0000-7FFF is used for both reading from ROM and for writing to the MBC's control registers. So how does that work? Reading it is always ROM and writing to it is always RAM?

http://bgb.bircd.org/pandocs.htm#mbc1max2mbyteromandor32kbyteram
ROM is read-only. And you aren't writing to any kind of RAM either. It's attempting to write to ROM that triggers the operation.
On original hardware, the Game Boy simply forwarded ROM and SRAM read AND write orders to the cartridge; the MBC chips simply intercepted write orders that targeted some areas of ROM and processed them as internal commands (switching ROM banks, SRAM banks, unlocking SRAM, etc.).

Also, side note, you should refer to this document instead. It's also the Pan Docs, but wikified and corrected. Also the Pokémon games all use MBC3 (except the Japanese games, which use MBC1), which is why this document will be more accurate. Note that the Gen I games don't have RTC support, so don't try to use the RTC clock, it's not there.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #238 on: November 01, 2017, 05:46:18 am »
Super-sorry for my ignorance on the subject; SRAM is a new concept for me.

So, allow me to get this straight: editing box Pokémon is as simple as:
1: Unlock SRAM
2: Switch into the respective bank
3: Write
4: Relock

If so, is there any list I can access for SRAM banks?

Thanks in advance! :)


Edit: Never mind, box Pokémon are in SRAM bank 1.

I wrote an SRAM hack that turns your first box Pokemon into Celebi. I'll convert it to a box name code and have it up sometime today.
« Last Edit: November 01, 2017, 07:01:57 am by Couldntthinkofaname »
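The cartridge behaviour ISSOtm describes above (writes into the ROM range are decoded by the MBC as commands and never change ROM, locked SRAM reads back as $FF) and the four-step unlock / switch bank / write / relock sequence from the post above, as a small C model. This is an added example, not code from the thread or from any emulator; the SRAM bank count, the ROM byte and the value written are constructed, and the ROM-bank and RTC registers are left out.

```c
/* Model of the MBC3 register decoding discussed in the thread. Constructed
 * example: bank count, ROM contents and the byte written are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SRAM_BANK_SIZE 0x2000   /* one bank is visible at $A000-$BFFF */
#define SRAM_BANKS     4        /* assumed 32 KiB of cartridge SRAM */

typedef struct {
    uint8_t rom[0x8000];                        /* what the CPU sees at $0000-$7FFF */
    uint8_t sram[SRAM_BANKS * SRAM_BANK_SIZE];
    bool    sram_enabled;                       /* power-on state: locked */
    uint8_t sram_bank;
} mbc3_t;

void mbc3_init(mbc3_t *c) { memset(c, 0, sizeof *c); }

/* Reads below $8000 always come from ROM; $A000-$BFFF reads the selected
 * SRAM bank, or $FF while SRAM is locked (the value ISSOtm mentions). */
uint8_t mbc3_read(const mbc3_t *c, uint16_t addr) {
    if (addr < 0x8000) return c->rom[addr];
    if (addr >= 0xA000 && addr <= 0xBFFF) {
        if (!c->sram_enabled) return 0xFF;
        return c->sram[c->sram_bank * SRAM_BANK_SIZE + (addr - 0xA000)];
    }
    return 0xFF;    /* not cartridge space */
}
/* Writes never reach ROM: the controller decodes them by address range. */
void mbc3_write(mbc3_t *c, uint16_t addr, uint8_t val) {
    if (addr <= 0x1FFF) {                          /* SRAM enable: low nibble $A */
        c->sram_enabled = (val & 0x0F) == 0x0A;
    } else if (addr >= 0x4000 && addr <= 0x5FFF) { /* SRAM bank select */
        if (val < SRAM_BANKS) c->sram_bank = val;  /* $08-$0C would map RTC regs */
    } else if (addr >= 0xA000 && addr <= 0xBFFF && c->sram_enabled) {
        c->sram[c->sram_bank * SRAM_BANK_SIZE + (addr - 0xA000)] = val;
    }   /* ROM bank select and RTC latch not modelled; other writes are dropped */
}
/* The unlock / switch bank / write / relock sequence; returns 1 when every
 * observation matches the thread's description. */
int mbc3_demo(void) {
    mbc3_t c;
    mbc3_init(&c);
    c.rom[0x0000] = 0x3C;                       /* constructed ROM byte */
    mbc3_write(&c, 0xA000, 0x11);               /* dropped: SRAM is still locked */
    uint8_t locked = mbc3_read(&c, 0xA000);     /* $FF */
    mbc3_write(&c, 0x0000, 0x0A);               /* 1: unlock (ld a,$0A / ld [$0000],a) */
    mbc3_write(&c, 0x4000, 0x01);               /* 2: select SRAM bank 1 */
    mbc3_write(&c, 0xA000, 0x11);               /* 3: write into bank 1 */
    uint8_t bank1 = mbc3_read(&c, 0xA000);
    mbc3_write(&c, 0x4000, 0x00);               /* bank 0 must be untouched */
    uint8_t bank0 = mbc3_read(&c, 0xA000);
    mbc3_write(&c, 0x0000, 0x00);               /* 4: relock */
    return locked == 0xFF && bank1 == 0x11 && bank0 == 0x00
        && c.rom[0x0000] == 0x3C && mbc3_read(&c, 0xA000) == 0xFF;
}
```

The game's own behaviour of re-locking SRAM in the overworld, mentioned earlier in the thread, is outside this model.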

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #239 on: November 01, 2017, 07:19:03 am »
Relocking is optional, even more so if the game automatically re-locks it in the overworld. I'm not sure about not switching back to the original bank, but I can bet it's harmless.


SRAM "maps":

http://github.com/PikalaxALT/pokegold/blob/master/sram.asm
Quite incomplete [last time I checked].

http://github.com/pret/pokecrystal/blob/master/sram.asm
Should be mostly the same as G/S.
« Last Edit: November 01, 2017, 07:20:39 am by ISSOtm »