Author Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case  (Read 84128 times)


spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #345 on: February 25, 2018, 09:51:33 am »
Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.

Ah, so they don't.
I always forget, since I never had to use them other than after specifically setting them (i.e. by a dec statement).

I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.

Not contain any values that interrupt execution, jump somewhere else or set a random byte.
In general you're fine with values <10.
If you plan to look at values anyway, I'd advise using TM17 instead of TM25. IIRC it starts execution somewhere in the stats of Pokémon 1 (i.e. slide as first, Quagsire as second) instead of some invisible value of Pokémon 2.

Azarokkusu

« Reply #346 on: March 01, 2018, 06:26:47 pm »
So, avoiding things like unwanted SUB, ADD and JMP instructions, for example. Fair enough! The more I think about this, the more I am convinced I need to learn Game Boy assembly (a modified version of Z80, IIRC). Not like it'd even be the first assembly language I've learned.

Epsilon

« Reply #347 on: March 01, 2018, 07:49:05 pm »
Trust me, if you already understand assembly at least to an extent, Gbz80 will be a cakewalk.

Haircoolass

« Reply #348 on: March 02, 2018, 05:41:40 am »
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Hey there, I'm pretty new to the world of ACE glitches in Gen 2.

I used the wild shiny celebi-glitch yesterday and wanted to try this code to multiply some items.
My questions are: how do I use the code in the quote? Is it for the Coin Case or TM25?
And if using TM25, do I always need to have Quagsire as my 3rd mon and my slide Pokémon (I use the traded Onix "Rocky") in the 2nd slot?
Is there a way I can identify whether a code is meant for TM25 or the Coin Case?

Krys3000

« Reply #349 on: March 02, 2018, 08:16:52 am »
There is an explanation of the differences between Coin Case and TM codes in a few replies to the newcomers guide to G/S/C ACE. You will basically read there what is needed in a Coin Case code compared to TM codes so you can see if a code is designed for Coin Case.

Also, I wonder why people keep doing the TM25 setup. Preparing TM17 for ACE is easier...


Azarokkusu

« Reply #350 on: March 23, 2018, 10:45:29 pm »
Add 1 to the ID of item 1 (early-game viable version)
Uses stored items starting from stored item 3. Requires Quagsire with Sleep Talk as its first move and holding Protein.

Item 3: poke ball x 38
Item 4: TM 23 x 04
Item 5: Fresh Water x 23
Item 6: X speed x 04
Item 7: TM10 x any

Code:
dec b
ld h,d6
inc b
ld l,17
inc (hl)
inc b
ret

Lots of filler, but this way you don't require anything you can't easily get early game (use torchicken's get all TMs and HMs code, or the modified 255x version, first for the TMs).

The best thing about this is that it's easy to change to a decrement, or to change to item 1's quantity. To make it decrement boxed item 1's ID by 1, change X Speed to X Special. To make it increment item 1's quantity, make it Fresh Water x 24. To make it decrement item 1's quantity, do both. Note you can use this to get pretty much any item setup you will need, ever (withdraw all but 1 of the item in slot 1, decrement twice, withdraw all but the amount you need). However, I'd use it to get certain things and then do a more efficient setup once you had what you needed for said more efficient setup.

For example:

Write to any byte in memory by Wack0, ported by Azarokkusu


Same Quagsire setup here.

Item 3: Full Heal x XX ; XX = higher byte of address you're going to write to
Item 4: Fresh Water x XX ; XX = lower byte of address you're going to write to
Item 5: PP up x XX ; XX is value you want to write
Item 6: Focus Band x 201


Code:
ld h,xx
ld l,xx
ld a,xx
ld (hl),a
ret

You could do 1 less item with Coin Case x (value you want to write), but then you can't see what that value is, because it's a key item.



Here's a sprawling code to set the quantity of all your items in your items and balls pockets to 0 AND all your hms and tms to a quantity of 255. Note you can't have 0 of a tm in your tm pocket or it doesn't show up, but you CAN have 0 of a tm in your box. This is due to it storing inventory TMs only as quantities, but box items as ID and quantity. Also, getting ? (id $0) is incredibly easy if you already underflowed your ball pocket, but is also doable with the above code.

Same Quagsire setup again

   Item 3: X Accuracy x 183
   Item 4: TM22 x 6
   Item 5: Repel x 62
   Item 6: Master Ball x 61
   Item 7: Dire Hit x 44
   Item 8: ? x 119
   Item 9: Poké Ball x 184
   Item 10: TM04 x 35
   Item 11: TM23 x 0
   Item 12: X Accuracy x 252
   Item 13: TM22 x 6
   Item 14: Awakening x 184
   Item 15: Dire Hit x 44
   Item 16: ? x 119
   Item 17: Poké Ball x 184
   Item 18: TM04 x 51
   Item 19: TM23 x 0
   Item 20: X Accuracy x 125
   Item 21: TM22 x 6
   Item 22: X Special x 4
   Item 23: Great Ball x 04
   Item 24: Great Ball x 184
   Item 25: Dire Hit x 119
   Item 26: X Special x 5
   Item 27: ? x 184
   Item 28: TM04 x 71
   Item 29: TM23 x 201

Note the tm04s here are the normal one ($c2), not the one that does nothing ($c3).

Code:
ld hl,d5b7
ld b,14
ld a,01
dec a
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d623
nop
ld hl,d5fc
ld b,0c
cp b
inc l
inc l
nop
ld (hl),a
dec b
cp b
jp nz,d633
nop
ld hl,d57d
ld b,35
inc b
inc b
inc b
inc b
cp b
inc l
ld (hl),a
dec (hl)
dec b
nop
cp b
jp nz,d647
ret

The nops can be replaced with inc d, dec c, etc. (since we don't use c, d, etc.), but I used nop simply because 1. it's easy to get high amounts of ? and 2. I wasn't sure if I'd have to re-write the number of items in each inventory, since I had a problem with that earlier where it wrote FF to the bytes you initially set hl to in each setup phase. However, that problem is gone now.
« Last Edit: March 24, 2018, 01:21:58 am by Azarokkusu »

Azarokkusu

« Reply #351 on: March 24, 2018, 03:54:58 am »
Something nice for y'all. Complete your pokedex (251 seen, 251 caught, and no glitched entries etc)

   Item 3: X Accuracy x 227
   Item 4: TM28 x 6
   Item 5: Ether x 62
   Item 6: Master Ball x 61
   Item 7: Dire Hit x 189
   Item 8: TM11 x 61
   Item 9: TM23 x 119
   Item 10: X Special x 20
   Item 11: Poké Ball x 184
   Item 12: TM04 x 35
   Item 13: TM23 x 46
   Item 14: BrightPowder x 54
   Item 15: Poké Ball x 52
   Item 16: X Speed x 46
   Item 17: Metal Powder x 54
   Item 18: Poké Ball x 52
   Item 19: X Speed x 201
   Item 20: Nugget x 195
   Item 21: Max Revive x 214

Code:
;setup
ld hl,dbe3
ld b,3f
ld a,01
dec a
;execution
inc l
cp l
jp z,d63d
ld (hl),a
dec (hl)
inc d
dec b
cp b
jp nz,d623
ld l,03
ld (hl),05
inc (hl)
inc (hl)
ld l,23
ld (hl),05
inc (hl)
inc (hl)
ret
;increase h if l rolls over (first conditional jump)
inc h
jp d628
« Last Edit: March 24, 2018, 03:57:18 am by Azarokkusu »
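The item lists in the two posts above (#350 and #351) only make sense once the (ID, quantity) pairs are laid out as bytes and decoded as GBz80. The following Python is an added example written for this thread, not Azarokkusu's code or anything from the game or a tool linked here. The item IDs are assumed from the Gen 2 item index (they are not listed in the thread), but each one was checked against the instruction comments posted above (TM04 = $C2 = jp nz, ? = $00 = nop, Focus Band x 201 = ld (hl),a; ret). The start address $D61B is derived from the stored-item count byte at $D616 that the thread quotes, plus 2 bytes per item, and agrees with the jp nz,d623 targets in the loop code.

```python
"""Stored-item codes as bytes: encoder plus a small GBz80 disassembler (example code, not from the thread)."""
from typing import Dict, List, Tuple

# Assumed Gen 2 item IDs, cross-checked against the disassembly comments posted in this thread.
ITEM_ID: Dict[str, int] = {
    "?": 0x00, "Master Ball": 0x01, "BrightPowder": 0x03, "Great Ball": 0x04, "Poké Ball": 0x05,
    "Awakening": 0x0C, "Repel": 0x14, "X Accuracy": 0x21, "Metal Powder": 0x23, "Nugget": 0x24,
    "Full Heal": 0x26, "Max Revive": 0x28, "Dire Hit": 0x2C, "Fresh Water": 0x2E, "X Speed": 0x34,
    "X Special": 0x35, "PP Up": 0x3E, "Ether": 0x3F, "Focus Band": 0x77,
    "TM04": 0xC2, "TM10": 0xC9, "TM11": 0xCA, "TM22": 0xD5, "TM23": 0xD6, "TM28": 0xDB,
}

# Box items: count byte at $D616 (quoted in the thread), then (ID, quantity) pairs.
# Stored item 3's ID byte is therefore at $D61B, where these codes start executing.
ITEM3_ADDR = 0xD616 + 1 + 2 * 2


def items_to_bytes(items: List[Tuple[str, int]]) -> bytes:
    """Lay out (item name, quantity) pairs exactly as the box stores them."""
    out = bytearray()
    for name, qty in items:
        if not 0 <= qty <= 0xFF:
            raise ValueError(f"quantity {qty} for {name} does not fit in one byte")
        out += bytes((ITEM_ID[name], qty))
    return bytes(out)


# Opcode subset covering the codes in this thread: opcode -> (mnemonic template, operand kind).
# "n" = 8-bit immediate, "nn" = 16-bit little-endian, "e" = signed relative offset, "" = none.
OPCODES: Dict[int, Tuple[str, str]] = {
    0x00: ("nop", ""), 0x04: ("inc b", ""), 0x05: ("dec b", ""), 0x06: ("ld b,{}", "n"),
    0x0C: ("inc c", ""), 0x0D: ("dec c", ""), 0x14: ("inc d", ""), 0x20: ("jr nz,{}", "e"),
    0x21: ("ld hl,{}", "nn"), 0x22: ("ld (hl+),a", ""), 0x23: ("inc hl", ""), 0x24: ("inc h", ""),
    0x26: ("ld h,{}", "n"), 0x2C: ("inc l", ""), 0x2E: ("ld l,{}", "n"), 0x33: ("inc sp", ""),
    0x34: ("inc (hl)", ""), 0x35: ("dec (hl)", ""), 0x36: ("ld (hl),{}", "n"), 0x3D: ("dec a", ""),
    0x3E: ("ld a,{}", "n"), 0x50: ("ld d,b", ""), 0x77: ("ld (hl),a", ""), 0xAF: ("xor a", ""),
    0xB8: ("cp b", ""), 0xBD: ("cp l", ""), 0xC2: ("jp nz,{}", "nn"), 0xC3: ("jp {}", "nn"),
    0xC9: ("ret", ""), 0xCA: ("jp z,{}", "nn"), 0xD0: ("ret nc", ""), 0xD1: ("pop de", ""),
    0xD6: ("sub {}", "n"), 0xEA: ("ld ({}),a", "nn"), 0xF6: ("or {}", "n"),
}
OPERAND_SIZE = {"": 0, "n": 1, "nn": 2, "e": 1}


def disassemble(code: bytes, base: int = ITEM3_ADDR, stop_at_ret: bool = True) -> List[Tuple[int, str]]:
    """Straight-line decode into (address, mnemonic) pairs; jump targets are made absolute.
    A byte outside the subset, or a truncated operand, is emitted as `db` and decoding stops."""
    listing: List[Tuple[int, str]] = []
    pc = 0
    while pc < len(code):
        addr = base + pc
        op = code[pc]
        text, kind = OPCODES.get(op, (f"db ${op:02x}", None))
        if kind is None or pc + 1 + OPERAND_SIZE[kind] > len(code):
            listing.append((addr, f"db ${op:02x}  ; outside the opcode subset or truncated"))
            break
        pc += 1
        if kind == "n":
            text = text.format(f"${code[pc]:02x}")
        elif kind == "nn":
            text = text.format(f"${code[pc] | (code[pc + 1] << 8):04x}")
        elif kind == "e":
            off = code[pc] - 0x100 if code[pc] >= 0x80 else code[pc]
            text = text.format(f"${(addr + 2 + off) & 0xFFFF:04x}")
        pc += OPERAND_SIZE[kind]
        listing.append((addr, text))
        if stop_at_ret and text == "ret":
            break
    return listing


# Post #351's "complete your Pokédex" setup, stored items 3..21 with the quantities as posted.
DEX_ITEMS = [("X Accuracy", 227), ("TM28", 6), ("Ether", 62), ("Master Ball", 61), ("Dire Hit", 189),
             ("TM11", 61), ("TM23", 119), ("X Special", 20), ("Poké Ball", 184), ("TM04", 35),
             ("TM23", 46), ("BrightPowder", 54), ("Poké Ball", 52), ("X Speed", 46), ("Metal Powder", 54),
             ("Poké Ball", 52), ("X Speed", 201), ("Nugget", 195), ("Max Revive", 214)]

if __name__ == "__main__":
    # The "inc h; jp d628" tail sits after the ret, so decode past it to see the whole thing.
    for addr, text in disassemble(items_to_bytes(DEX_ITEMS), stop_at_ret=False):
        print(f"{addr:04x}  {text}")
```

Running it prints the listing posted above with real addresses, which makes the two conditional jumps readable: jp z,d63d lands on inc h (the "l rolled over" handler) and jp nz,d623 on the inc l at the top of the loop. Swapping in the item list from #350 shows the same way why "TM10 x any" works: $C9 is ret, so the quantity byte after it is never executed.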

bestgoldglitche

« Reply #352 on: May 11, 2018, 03:05:01 pm »
Hey all, preemptive apologies if this is something that's already been done, but I had a thought and it might prove useful.

Consider writing your assembly commands into the pokemon stats themselves. 

One of the first uses of this glitch was to get Celebi (https://www.youtube.com/watch?v=SpfgOVfGVTo). If you increase the number of Fresh Water used in that video, you traverse the data of the first Pokémon in your party. If you change HM07 to other items and change the number of Great Balls, you can write different bytes into the Pokémon's stats.

So, the thought is:
 - use that process to write data into the pokemon's stats
 - fill the current box with specially written pokemon
 - use the glitch to jump to the boxed pokemon's data

Voila, you have addressed $AD82 through $B001 in which to write code byte at a time instead of $D616 through $D67A.  Thoughts?


ISSOtm

« Reply #353 on: May 11, 2018, 04:50:38 pm »
Coin Case is fairly obsolete, for starters. We tend to use box names instead, and Wrong Pocket TMs.
Using SRAM is a bad idea, for three reasons:
1. It's banked, so you have to ensure the correct bank is loaded
2. It has to be unlocked, then ideally re-locked
3. 3DS VC cannot execute from SRAM

Corrupting Pokémon data is also a rather bad idea, since it's prone to lots of corruptions.

If you need to write large payloads, you can instead use luckytyphlosion's Mail execution setup.

Pablo

« Reply #354 on: October 21, 2018, 03:33:12 pm »
I've been reading on this subject for about a week now, reading and reading and reading, headache inducing. I get the basic concept of it, but I don't believe my knowledge of it is good enough to start executing it or experimenting with it. I'm more like an infant to this code-writing stuff at the moment, and I really don't want to run the risk of corrupting my save file beyond repair.

Well, to my point: is there a way to use this code to

1. Warp to Mt. Silver, or possibly walk through walls to get there? I really would like to catch a Larvitar (and train/evolve there as well).

2. Change another bag item or held item, or be able to edit the Poké Mart inventory to get a Scope Lens (not enough games to Mystery Gift it)?

3. Get 250+ of Protein, Iron, Calcium, Carbos, PP Up and HP Up, or any other items that matter (balls, TMs, etc.)? I'm tired of cloning over and over.

4. And eventually start editing Pokémon's IVs and/or attacks?

There is a catch though: I haven't received the Pass item yet, haven't even beaten the Elite Four, and haven't even gotten the eighth Gym badge, but what I am doing is working on all of the Pokédex before I beat the Elite Four.
Is there a way before I go to Kanto? Everything else I've been reading shows post-E4 and 16 badges. There are a few that show before, but they aren't very clear and don't include the most important codes I would like to perform on my list (#1 & #2).

I've seen speedruns jump to Mt. Silver, but they use a flag (I think) to allow Red to be shown, or to instantly win that battle, or some sort; I don't care about that and don't want to beat Red early. So I can't follow their codes to the T. Plus they rely heavily on luck IV manipulation (I think), which I wouldn't begin to know how to perform from the beginning.
The first two are really more important to me than the last two, at least for now, but I would really appreciate some help from somebody who has more experience with ACE and has done this more than a few times.

I'm playing on 3DS Virtual Console with Pokémon Silver Version. Thanks again.

PS: I have lots of Pokécash, so buying items isn't a problem, as long as they are available to me at the moment.

spamviech

« Reply #355 on: December 02, 2018, 06:33:11 am »

What you want is most certainly possible.
For setup (even prior to Elite 4) check out this guide, section III. WRONG POCKET TM ACE EXPLAINED (use Ctrl+F to find it).

To multiply items Ctrl+F for VI.3: INCREASE/DECREASE THE QUANTITY OF AN ITEM CODE (Items, G/S/C)

Morphing to specific items is directly below that VI.4: GET ANY ITEM CODE (Items, G/S/C)

For DV/Attack editing, it's probably easiest to use VI.5: MEMORY EDITOR CODE, A.K.A. GAMESHARK SIMULATOR (Items or Box, G/S/C)
Except for adding/changing a single move; for that, look here (Box Name Code).


Teleporting to Mt. Silver is more difficult, but this Box Name Code for Coin Case should work (untested; simply removed the party count 0 part of the speedrun-code):
Code:
Box 1 pppppppp
Box 2 pppppppp XOR A
Box 3 'v,'véé72'l SUB f4; SUB ea; LD [Box7,terminator], A (22h); POP DE
Box 4 'v♂é,2p SUB ef; LD [Box6,terminator], A (33h); XOR A
Box 5 é♂2'v9é22 LD [Box6,char4], A (00h); SUB ff; LD [Box7,char4], A (01h)
Box 6 'v8éé4'v't'l SUB fe; LD [{00}fa], A (03h); SUB d5; POP DE; {INC SP}
Box 7 'vééé4p'lé SUB ea; LD [{01}fa], A (44h); XOR A; POP DE; LD [{22}fa], A (0h)
Box 8 4éd2'd LD [a3f8], A (0h); RET NC

Pablo

« Reply #356 on: February 14, 2019, 07:03:34 pm »
Ok thanks man I’ll start messing with it.

Link_enfant

« Reply #357 on: February 28, 2019, 10:30:54 am »
I've successfully combined my two prior codes! Here's the outcome:

All encountered Pokemon are <insert x Pokemon here> and shiny:
Box 1:  Ap'v8é'm25
Box 2:  p0(male)55555
Box 3:  'vAé52p0'm
Box 4:  éJ9p0(female)55
Box 5:  éK9p0255
Box 6:  éL9p'd555
Box 7:  p0?yyéA'd
Box 8:  p0éé(female)'dyy
Box 9:  p0ké0'dp'd

Replace ? with the species index

To access species indexes that are lower than $7f, replace Box 7 with:

Box 7: p0?'v(space)éA'd

Then replace ? with SpeciesIndex + $7f

Due to the way the game generates wild Pokemon, most Pokemon obtained this way are 100% legitimate. This means they will probably be able to be moved to Pokébank when such services become available. There might still be OT issues with Mew, but these can easily be resolved with an OT editor, and I can make one if needs be.

Nintendo's going to have a real headache on their hands :)

Awesome job! I've been looking for this kind of code :)

What changes would it require to make it work on a French Silver ROM using Wrong Pocket TM17?

It seems the RAM maps are the same across all versions but I might be wrong.
If that's the case, then would the box names need to be adapted or could they be used as such, which would only require a different setup with the slide Pokémon and Quagsire to work with TM17?

Sherkel

« Reply #358 on: February 28, 2019, 01:20:29 pm »
I think the difference is with the text character values, not the memory locations. This is a table for which corresponds to each (which you can compare with the Big List).

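Two things in this part of the thread are easier to see with a small tool: spamviech's note that every box name is followed by a $50 terminator that executes as ld d,b, and Sherkel's point that a localised ROM maps characters to different bytes, so an English box code cannot simply be typed into a French game. The Python below is an added example for this thread, not code from the forum or from any linked tool. The English character values are assumed from memory of the Gen 2 English text table (the table Sherkel links is not reproduced here), and each one agrees with the instruction comments posted above ('v = $D6 = sub n, é = $EA = ld (nn),a, 'd = $D0 = ret nc, p = $AF = xor a, digits 0-9 = $F6-$FF). The assumption that unused positions of a short box name hold $50 is mine as well.

```python
"""Box-name payloads: translate between bytes and naming-screen characters (example code, not from the thread)."""
from typing import Dict, List

# Assumed English G/S text table, limited to the glyphs the box codes above use. A French ROM
# has a different table, so the same bytes need different characters there (Sherkel's point).
CHARS_EN: Dict[str, int] = {
    **{chr(ord("A") + i): 0x80 + i for i in range(26)},
    **{chr(ord("a") + i): 0xA0 + i for i in range(26)},
    **{str(d): 0xF6 + d for d in range(10)},
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    " ": 0x7F, "'": 0xE0, "-": 0xE3, "?": 0xE6, "!": 0xE7, ".": 0xE8, "&": 0xE9,
    "é": 0xEA, "♂": 0xEF, "×": 0xF1, "/": 0xF3, ",": 0xF4, "♀": 0xF5,
}
TERMINATOR = 0x50   # follows every box name and executes as "ld d,b" (spamviech's note above)
BOX_NAME_LEN = 8
SLOT_LEN = BOX_NAME_LEN + 1  # name plus terminator; unused bytes assumed to also hold $50


def tokenize(name: str, table: Dict[str, int] = CHARS_EN) -> List[str]:
    """Split a typed box name into glyphs; "'" plus d/l/m/r/s/t/v is one two-character glyph."""
    glyphs, i = [], 0
    while i < len(name):
        pair = name[i:i + 2]
        if name[i] == "'" and len(pair) == 2 and pair in table:
            glyphs.append(pair)
            i += 2
        else:
            glyphs.append(name[i])
            i += 1
    return glyphs


def box_name_to_bytes(name: str, table: Dict[str, int] = CHARS_EN) -> bytes:
    """The bytes the game stores for a typed box name (without the terminator)."""
    glyphs = tokenize(name, table)
    if len(glyphs) > BOX_NAME_LEN:
        raise ValueError(f"{name!r} is {len(glyphs)} glyphs; a box name holds {BOX_NAME_LEN}")
    return bytes(table[g] for g in glyphs)


def untypeable(code: bytes, table: Dict[str, int] = CHARS_EN) -> List[int]:
    """Bytes with no glyph in the table. These cannot be typed, which is why the Coin Case code
    above has to write $00 into a box with ld (nn),a instead of typing it."""
    typeable = set(table.values())
    return sorted({b for b in code if b not in typeable})


def bytes_to_box_names(code: bytes, table: Dict[str, int] = CHARS_EN) -> List[str]:
    """Render a byte string as box names of 8 glyphs each, or refuse with the untypeable bytes."""
    missing = untypeable(code, table)
    if missing:
        raise ValueError("no glyph for: " + ", ".join(f"${b:02x}" for b in missing))
    inverse = {v: k for k, v in table.items()}
    text = [inverse[b] for b in code]
    return ["".join(text[i:i + BOX_NAME_LEN]) for i in range(0, len(text), BOX_NAME_LEN)]


def box_stream(names: List[str], table: Dict[str, int] = CHARS_EN) -> bytes:
    """The bytes the CPU actually walks through consecutive box names: each 9-byte slot is the
    name, its $50 terminator, and (assumed) $50 padding, so code spanning boxes sees a ld d,b
    between them."""
    out = bytearray()
    for n in names:
        slot = box_name_to_bytes(n, table) + bytes((TERMINATOR,))
        out += slot.ljust(SLOT_LEN, bytes((TERMINATOR,)))
    return bytes(out)


if __name__ == "__main__":
    # Box 1 of Epsilon's "all encounters are X and shiny" code, as posted above.
    print(box_name_to_bytes("Ap'v8é'm25").hex())
    # ld hl,$d5b7 from the item code cannot be typed: $21 has no glyph, 'x' ($b7) and 't ($d5) do.
    print([f"${b:02x}" for b in untypeable(bytes.fromhex("21b7d500"))])
```

Passing a different dict as `table` is all that changes for another language, which is the practical content of Sherkel's reply: the addresses the code writes to stay the same, only the characters that produce each byte differ. The `untypeable` check also explains the shape of the Coin Case code above, where ld (nn),a is used to plant the bytes ($00, $01, $22, $33) that the naming screen cannot type.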

Link_enfant

« Reply #359 on: March 01, 2019, 05:31:33 am »
You're right! I quickly realized I couldn't even input the code anyway, because of that.

I've tried this other code, also posted by Epsilon, but it doesn't seem to work at least on VC (freezes on white screen right after using TM17):

All wild Pokémon have flawless DVs (French versions):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

I'll probably try to contact him, but I'm not sure which would be easier:

- convert the already working "All wild Pokémon are shiny" code to French versions
- alter the code above to both make it work and have a way to choose different DV values by replacing some characters (which would then make it possible to force shiny Pokémon to appear, which is one of the few things I'd really want to try on French VC)