Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 85625 times)


Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #255 on: November 03, 2017, 06:03:07 am »
The new version of my code writes to both addresses, thus preventing a hybrid. :)
grouchy

Scotteh

  • GCLF Member
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #256 on: November 03, 2017, 09:46:22 am »
It's not extremely useful, but I made a small modification to one of Couldntthinkofaname's codes to turn all wild Pokémon Level 100.

1: Ap0'méJ95
2: p0-éK955
3: p02éL9p'd
4: (anything)
5: p0,'vQé6'd
6: p'd

Notably, it doesn't affect the wild Pokémon's stats, which remain at the normal ones for their old level until caught.


EDIT: I came up with a better one which hooks elsewhere, earlier on in the wild Pokémon generation routine. This time the moveset and stats match the level.

1: Ap0'méJ95 
2: p0-éK95p
3: 02éL9p0Pk
4: 'vbé&25p'd
5: p0,'vQé6'd
6: p'd
« Last Edit: November 03, 2017, 12:21:39 pm by Scotteh »

spamviech

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #257 on: November 03, 2017, 03:44:45 pm »
I have a suggestion to use TM count instead of Box names.
First use this box name code (which I ruthlessly stole from Torchickens before slightly adjusting it) to give you 255 of each TM/HM.
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)x'd
Coin Case variant (untested):
Code:
1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)pppppéZ×
9).9'l'l'l'lx'd

Then write your code by depositing to the desired opcode/number (be careful when tossing above a stack of 255 from the PC, since it seems to have similar effects as in Gen 1).
Use this picture from Skeef to make depositing the right number slightly easier.
Over 99 glitch blocks for items:
They don't seem to change based on location or anything it seems.



To execute either use a Quagsire holding a Lucky Egg (can be stolen from wild Chanseys, but glitching one is probably easier) with Attract (TM45) as its first move, or use the following box name code and start your code with the item count of TM03.
Code:
1)  A  x 'm  A  ♀ OR A; JP NC, [80f5]

Coin Case Variant (the new Quagsire won't work without adjustment of the code, so you have to use this one; untested):
Code:
1)  A  p  p  é  Z  ×  .  9 XOR A; LD [f199], A; ADD SP, ff
2) 'l 'l 'l 'l  x 'm  A  ♀ POP DE; POP DE; POP DE; POP DE; OR A; JP NC, [80f5]

The advantage of this method is that you have access to every Game Boy opcode. Also, input of lower numbers is easier.

As a proof of concept (still in development, supposed to do more when finished) a code to change species, held item, and moves of the first Pokémon of your current box.
You can get the id for species, etc. from the big HEX list (be sure to use the Gen2 columns).
Fill them in as count for TM17, TM24, TM27, TM30, TM33, TM36.
Code:
format: TM  keep/deposit  code
TM01    3/252   inc bc (ignored)
TM02    3/252   inc bc (ignored)
TM03   62/193   LD A, 0a
TM04   10/245
TM05  234/21    LD [ff00], A | A->0a
TM06  255/0
TM07    0/255
TM08   62/193   LD A, 00
TM09    0/255
TM10  234/21    LD [ff40], A | A->00
TM11  255/0
TM12   64/191
TM13   33/222   LD HL, 6dad | HL->ad6d
TM14  109/146
TM15  173/82
TM16   62/193   LD A, (species)
TM17  (species)/
TM18   34/221   LD [HLI], A
TM19   33/222   LD HL, 82ad | HL->ad82
TM20  130/125
TM21  173/82
TM22   34/221   LD [HLI], A
TM23   62/193   LD A, (item)
TM24  (item)/
TM25   34/221   LD [HLI], A
TM26   62/193   LD A, (move1)
TM27  (move1)/
TM28   34/221   LD [HLI], A
TM29   62/193   LD A, (move2)
TM30  (move2)/
TM31   34/221   LD [HLI], A
TM32   62/193   LD A, (move3)
TM33  (move3)/
TM34   34/221   LD [HLI], A
TM35   62/193   LD A, (move4)
TM36  (move4)/
TM37   34/221   LD [HLI], A
TM38  201/54    RET

Since I managed to kill my VC-savegame this is (so far kind of) untested.
The parts presented here worked without killing my savegame, but there were some other parts in it which I cut out for this one (such as setting your box Pokémon count to 20).
« Last Edit: November 03, 2017, 04:57:06 pm by spamviech »

Skeef

  • GCLF Member
  • *
  • Offline Offline
  • Eek!
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #258 on: November 03, 2017, 04:16:39 pm »
Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I love My Melody ✿(not really a mum but wanna be)
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #259 on: November 03, 2017, 04:23:21 pm »
Wow, excellent idea spamviech! :D Thank you. :)

So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.
« Last Edit: November 03, 2017, 04:24:38 pm by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

spamviech

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #260 on: November 03, 2017, 04:44:27 pm »
> Wow, excellent idea spamviech! :D Thank you. :)
>
> So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.

Up to 57 bytes long, but you need to write the HM quantities e.g. using box names (all available). You can even start with box name code and then jump to TM03 with a final x'mA♀.

Since withdrawing more than 99 seems to be impossible you need to run the 255-code every time as part of changing code though.

Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #261 on: November 04, 2017, 07:45:18 am »
I like this new medium, spamviech!

I just got my cart yesterday so I probably won't test it out right now, but this seems interesting!

The only potential problem I can see arise is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc", that way you can execute the x255 TM code immediately after the TM quantity code.
« Last Edit: November 04, 2017, 08:23:35 am by Couldntthinkofaname »
grouchy

spamviech

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #262 on: November 06, 2017, 05:12:48 am »
> I like this new medium, spamviech!
>
> I just got my cart yesterday so I probably won't test it out right now, but this seems interesting!
>
> The only potential problem I can see arise is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc", that way you can execute the x255 TM code immediately after the TM quantity code.

Think it depends on the code. Some you might want to execute multiple times.


Another thing I found:
using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).

Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #263 on: November 06, 2017, 07:08:33 am »
I'm surprised no one has done this yet:

Get all Johto Badges:
Box 1: Ap'vEé'm25
Box 2: 09555555
Box 3: éA(female)p'd555

Untested for the time being.
grouchy

Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #264 on: November 06, 2017, 08:26:13 am »
(Super-Apologies for double-posting again)

Using spamviech's new medium, I have created a walk-through-walls code.

First, use Torchickens' code that grants you x255 of every TM:

1)Ap'vCé025
2)'vj'vué♀25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55♀555's5
8)x'd


Then, spell the following opcodes with TM quantities:

Keep/Deposit (starting from TM 01):

62/193
8/247
33/222
163/92
206/49
34/221
34/221
34/221
119/136
201/54


Finally, use this code:

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL9p'd

(Coin case variant)

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL955
Box 4: péZ(mult).9'l'l
Box 5: 'l'lp'd5555

You should be able to walk through almost any wall. Try not to go out of bounds, this will crash the game.
« Last Edit: November 06, 2017, 09:06:51 am by Couldntthinkofaname »
grouchy
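The two TM-quantity listings in this thread (spamviech's box-editing code in Reply #257 and Couldntthinkofaname's walk-through-walls code above) both rely on the same rule: every TM starts at 255, the quantity you keep is the byte that ends up in memory, and the quantity you deposit must be 255 minus that byte. The script below is an added example, not code from either poster: it parses a listing in either style, rejects any keep/deposit pair that does not sum to 255 (a mistyped quantity would leave a different opcode in memory than the annotation claims), and disassembles the result with a small SM83 (Game Boy CPU) decoder covering only the instructions used in this thread. The sample listings are constructed from the posts; species/item/move placeholders are modelled as 0x00, and the opcode subset, the regular expression and the function names are this example's own assumptions.

```python
import re

# Placeholder values the thread leaves for the reader to fill in (species,
# item, moves) are modelled as 0x00 so that a listing still decodes end to end.
PLACEHOLDER = 0x00

# Constructed input: Couldntthinkofaname's walk-through-walls quantities,
# copied from the thread in his bare "keep/deposit" style.
WTW_LISTING = """\
62/193
8/247
33/222
163/92
206/49
34/221
34/221
34/221
119/136
201/54
"""

# Constructed input: an excerpt of spamviech's box-editing listing in his
# "TMxx keep/deposit annotation" style, cut down to the species write and RET.
BOX_LISTING = """\
TM01 3/252 inc bc/ignored
TM02 3/252 inc bc/ignored
TM03 62/193 LD A, 0a
TM04 10/245
TM05 234/21 LD [ff00], A | A->0a
TM06 255/0
TM07 0/255
TM13 33/222 LD HL, 6dad | HL->ad6d
TM14 109/146
TM15 173/82
TM16 62/193 LD A, (species)
TM17 (species)/
TM18 34/221 LD [HLI], A
TM38 201/54 RET
"""

# Matches "62/193", "255/0" or a placeholder such as "(species)/".
_PAIR = re.compile(r'(\(\w+\)|\d{1,3})/(\d{0,3})')

def parse_keep_deposit(listing):
    """Turn a keep/deposit listing into the byte sequence it encodes.

    Every TM starts at 255, so the quantity kept is the byte and the
    quantity deposited must be 255 - byte. A pair that does not sum to
    255 is rejected rather than silently decoded.
    """
    out = []
    for line in listing.splitlines():
        m = _PAIR.search(line)
        if not m:
            continue                     # comment or blank line
        keep, dep = m.group(1), m.group(2)
        if keep.startswith('('):
            out.append(PLACEHOLDER)
            continue
        k = int(keep)
        if not 0 <= k <= 255:
            raise ValueError(f'{line.strip()!r}: keep value {k} is not a byte')
        if dep and k + int(dep) != 255:
            raise ValueError(f'{line.strip()!r}: keep+deposit is {k + int(dep)}, expected 255')
        out.append(k)
    return bytes(out)

# Subset of the SM83 opcode table covering the instructions the thread's
# codes use; anything else is emitted as a raw DB byte.
_OPS = {
    0x00: ('NOP', 0),        0x03: ('INC BC', 0),      0x21: ('LD HL,{w}', 2),
    0x22: ('LD [HL+],A', 0), 0x3E: ('LD A,{b}', 1),    0x77: ('LD [HL],A', 0),
    0xAF: ('XOR A', 0),      0xB7: ('OR A', 0),        0xC9: ('RET', 0),
    0xD1: ('POP DE', 0),     0xD2: ('JP NC,{w}', 2),   0xD4: ('CALL NC,{w}', 2),
    0xE6: ('AND {b}', 1),    0xE8: ('ADD SP,{s}', 1),  0xEA: ('LD [{w}],A', 2),
    0xF6: ('OR {b}', 1),
}

def disassemble(code, base=0):
    """Return [(offset, text)] for a byte string. 16-bit operands are
    little-endian, so the bytes EA FF 00 read back as LD [$00FF],A."""
    lines, pc = [], 0
    while pc < len(code):
        op = code[pc]
        mnem, n = _OPS.get(op, (f'DB ${op:02X}', 0))
        args = code[pc + 1:pc + 1 + n]
        if len(args) < n:                # operand cut off at end of listing
            mnem, n, args = f'DB ${op:02X}', 0, b''
        if n == 1:
            text = mnem.format(b=f'${args[0]:02X}',
                               s=int.from_bytes(args, 'little', signed=True))
        elif n == 2:
            text = mnem.format(w=f'${int.from_bytes(args, "little"):04X}')
        else:
            text = mnem
        lines.append((base + pc, text))
        pc += 1 + n
    return lines

def decode_listing(listing):
    """Listing text -> list of mnemonics, for quick comparison with a post."""
    return [text for _, text in disassemble(parse_keep_deposit(listing))]

if __name__ == '__main__':
    for name, listing in (('walk through walls', WTW_LISTING), ('box edit', BOX_LISTING)):
        print(f'== {name} ==')
        for off, text in disassemble(parse_keep_deposit(listing)):
            print(f'  {off:02X}: {text}')
```

Note that the thread's annotations write two-byte operands in memory order ("LD HL, 6dad") and give the resulting register value separately ("HL->ad6d"); the decoder prints the little-endian value directly, so its output should match the second form. Running the parser over a listing before touching the PC is the cheap check that every pair really sums to 255.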

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I love My Melody ✿(not really a mum but wanna be)
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #265 on: November 06, 2017, 09:57:08 am »
That's all right Couldntthinkofaname. :)

We don't really mind about double-posts here as long as the information adds to the discussion.

Thanks for your writing and sharing your new code. ^^*


spamviech

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #266 on: November 06, 2017, 02:21:49 pm »
> Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.

Same. Found it by accident after realizing almost all the code I was working on had to be self-modified, so I was looking for a place which could be accessed without problems and luckily found the TM location.  ;D

> Another thing I found:
> using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).

To add to that:
It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.



Regarding TM execution, here's a box name code to start execution from TM01 quantity (if you don't want to switch Quagsires):
Code:

1)  5  5  5  5  5  5  5  5
2)  5  5  5  p  0(spc)?  8 XOR A; OR 7f; AND fe | A->7e (spc means space)
3)  é 'v  2  x 'm 'm  ♀ LD [d6f8], A; OR A; JP NC, [{7e}f5]
« Last Edit: November 06, 2017, 02:27:55 pm by spamviech »

Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #267 on: November 06, 2017, 03:33:33 pm »
> To add to that:
> It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.

This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.
grouchy

spamviech

  • Member+
  • *
  • Offline Offline
  • Gender: Male
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #268 on: November 06, 2017, 07:15:13 pm »
> To add to that:
> It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.
>
> This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.

Oh, right. Missed that. I wonder what values give a non-crashing game with fast text speed and a non-laggy menu.

Epsilon

  • Member+
  • *
  • Offline Offline
    • View Profile
Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #269 on: November 06, 2017, 07:28:09 pm »
> To add to that:
> It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.
>
> This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.
>
> Oh, right. Missed that. I wonder what values give a non-crashing game with fast text speed and a non-laggy menu.
If you set $D199 to $01, fast text speed will be active and laggy menu will be fixed.

To do this, end coin case codes with:

p'v9éZ(mult)55
.9'l'l'l'lp'd
« Last Edit: November 06, 2017, 07:29:32 pm by Couldntthinkofaname »
grouchy