Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 85638 times)

Skeef

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #240 on: November 01, 2017, 01:37:41 pm »
Thanks for the explanation. It's all making more sense now. And it's working nicely on a ROM too. Should make a bootstrap on my Silver cart.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #241 on: November 01, 2017, 02:13:09 pm »
Here's the code:

Stored Pokemon 1 is <insert x Pokemon here>
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: 09'vSé525
Box 7: p0?55éAn
Box 8: éCnp'd555

Replace ? with the Species Index.

If you wish to access species indexes lower than $7f, replace 55 with 'v(space). Then take the desired species ID, add $7f, and use that as ??.

I will release a video of this working as soon as the chance hits me. :)

What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? into $AD6D

What the code does not do:
Load $?? into $AD82, meaning the name on the stats page stays the same (fixed)
Fix SRAM bank (shouldn't matter)
Re-lock SRAM (overworld does this anyway)
« Last Edit: November 02, 2017, 07:45:30 am by Couldntthinkofaname »

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #242 on: November 01, 2017, 02:56:49 pm »
To execute ACE you have to go into the overworld though, to get into the bag to use TM25.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #243 on: November 01, 2017, 03:16:28 pm »
> To execute ACE you have to go into the overworld though, to get into the bag to use TM25.

...????

Please elaborate.
« Last Edit: November 01, 2017, 03:19:12 pm by Couldntthinkofaname »

Skeef

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #244 on: November 01, 2017, 03:53:01 pm »
That's not an issue, since you go to your item pack before unlocking SRAM.

Also:

> What the code does:
> Self-mods. A lot.
> Unlocks SRAM
> Switches to SRAM bank 1
> Loads $?? into $ADCD

$ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #245 on: November 01, 2017, 03:54:57 pm »
> That's not an issue, since you go to your item pack before unlocking SRAM.
>
> Also:
>
>> What the code does:
>> Self-mods. A lot.
>> Unlocks SRAM
>> Switches to SRAM bank 1
>> Loads $?? into $ADCD
>
> $ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.

Whoops, my bad, thanks for catching that!

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #246 on: November 01, 2017, 11:32:39 pm »
Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?
« Last Edit: November 01, 2017, 11:55:09 pm by forsyz »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #247 on: November 02, 2017, 04:27:42 am »
> Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?

What emulator are you using? This probably won't work on VBA.

I'm using BGB and it's working fine. I'm unsure about VC.

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #248 on: November 02, 2017, 04:43:17 am »
> What the code does not do:
> Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)

Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the Daycare then back.

> Can't get it to work; the address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?

I'm not sure about SRAM locking on VC, tbh, but you should follow the procedure anyways.
If you're getting all zeroes, make sure you do NOT go into the overworld or save in the middle of the procedure. The locking and bankswitching AND access must be done in one go.
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #249 on: November 02, 2017, 04:50:26 am »
>> What the code does not do:
>> Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
>
> Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back

What's $AD62? Can't find it on the RAM map.

Edit: You're likely referring to $AD82. Do you mean to load it with or as opposed to $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.
« Last Edit: November 02, 2017, 05:26:44 am by Couldntthinkofaname »

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #250 on: November 02, 2017, 05:22:01 am »
How would you add the SRAM unlocking and bank switching code to the box name memory editor by crystal_?

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #251 on: November 02, 2017, 06:40:12 am »
Has anyone tested this, since the VC emulator does not emulate SRAM locking, so it means you only need to switch banks?

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #252 on: November 02, 2017, 06:50:13 am »
@ISSOtm, I believe I have fixed my code to produce a non-glitch hybrid. However, I have little time to test this code. If one could test this for me and ensure the Pokémon produced is stable, that would be wondrous.

Edit: Code has been tested, Pokémon is stable :)

> Has anyone tested this, since the VC emulator does not emulate SRAM locking, so it means you only need to switch banks?

I only have the emulator and the cartridge version, sorry. :(
« Last Edit: November 02, 2017, 07:43:41 am by Couldntthinkofaname »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #253 on: November 02, 2017, 05:52:06 pm »
(Super apologies for double-posting)

Stored Pokémon 1 is shiny:
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYnp'd

(Coin Case version)
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYn55
Box 8: péZ(mult).9'l'l
Box 9: 'l'lp'd5555

ISSOtm

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #254 on: November 03, 2017, 04:12:29 am »
>>> What the code does not do:
>>> Load $?? into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
>>
>> Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back
>
> What's $AD62? Can't find it on the RAM map.
>
> Edit: You're likely referring to $AD82. Do you mean to load it with or as opposed to $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.

I was indeed referring to $AD82; writing to $AD82 only produces a hybrid that can be stabilized, writing to both produces no hybrid.
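As an added, constructed illustration (not code from this thread or from any of its posters): a small Python model of MBC3 SRAM gating together with the box-1 layout the addresses in the thread imply. The layout ($AD6D as stored Pokémon 1's species-list entry, $AD82 as the species byte of its 32-byte struct) and the $FF read from locked SRAM are assumptions; the model shows why patching only one of the two addresses yields a hybrid and why a write issued before the unlock never lands, which is the "all zeroes" symptom discussed above.

```python
# Added illustration, not code from the thread: a minimal model of MBC3 SRAM gating plus
# the box-1 layout the thread's addresses imply (assumed: species list from $AD6D,
# first 32-byte Pokémon struct at $AD82 with the species as byte 0).
SRAM_BANK_SIZE = 0x2000
BOX1_SPECIES_LIST = 0xAD6D   # species list entry for stored Pokémon 1
BOX1_MON1_SPECIES = 0xAD82   # species byte of the first Pokémon struct
class MBC3Sram:
    def __init__(self, banks=4):
        self.banks = [bytearray(SRAM_BANK_SIZE) for _ in range(banks)]
        self.enabled = False              # RAM-enable register
        self.bank = 0                     # RAM-bank register

    def write(self, addr, value):
        if addr < 0x2000:                 # RAM enable: low nibble $A unlocks, anything else locks
            self.enabled = (value & 0x0F) == 0x0A
        elif 0x4000 <= addr < 0x6000:     # RAM bank select (RTC registers not modelled)
            self.bank = value & 0x03
        elif 0xA000 <= addr < 0xC000 and self.enabled:
            self.banks[self.bank][addr - 0xA000] = value & 0xFF
        # a write to locked SRAM falls through here and is silently dropped

    def read(self, addr):
        if 0xA000 <= addr < 0xC000 and self.enabled:
            return self.banks[self.bank][addr - 0xA000]
        return 0xFF                       # locked SRAM modelled as open bus (assumed)

def store_species(cart, species, fix_struct=True):
    """Replay the payload's steps: unlock, bank 1, store the id, re-lock."""
    cart.write(0x0000, 0x0A)              # unlock SRAM
    cart.write(0x4000, 0x01)              # switch to SRAM bank 1
    cart.write(BOX1_SPECIES_LIST, species)
    if fix_struct:                        # the fixed code patches the struct too
        cart.write(BOX1_MON1_SPECIES, species)
    cart.write(0x0000, 0x00)              # re-lock (the overworld does this anyway)

def box1_mon1_is_hybrid(cart):
    """True when species list and struct disagree, i.e. an unstable hybrid."""
    cart.write(0x0000, 0x0A)
    cart.write(0x4000, 0x01)
    hybrid = cart.read(BOX1_SPECIES_LIST) != cart.read(BOX1_MON1_SPECIES)
    cart.write(0x0000, 0x00)
    return hybrid

def store_before_unlock(cart, species):
    # Split procedure: the store hits locked SRAM and is lost.
    cart.write(0x4000, 0x01)
    cart.write(BOX1_SPECIES_LIST, species)  # dropped: RAM enable is still off
    cart.write(0x0000, 0x0A)
    value = cart.read(BOX1_SPECIES_LIST)
    cart.write(0x0000, 0x00)
    return value
```

Running `store_species` with `fix_struct=False` reproduces the hybrid case from the thread; the species value used in any check is a constructed sample, not a payload from the page.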