Topic: Re: Arbitrary code execution in Gold/Silver UE using the Coin Case (Read 665 times)

pigdevil2010

I'm going to find another stable way to make the code jump to the third item in the pocket, like 8F and w sm, since the third party Pokémon's IVs and friendship can still alter the code and these values are hard to control. Can anybody explain how SP works so that it makes PC go to another place?

SatoMew

[DELETED]
« Reply #1 on: September 01, 2015, 02:46:00 pm »
[DELETED]
« Last Edit: February 29, 2016, 05:59:25 pm by SatoMew »

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #2 on: September 28, 2017, 06:17:34 pm »
Other people in the description said it crashes before GS VC came out, so there may be something wrong with the code.

forsyz

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #3 on: September 29, 2017, 07:51:14 am »
Also OAM DMA doesn't rely on any obscure detail, only on a simple feature used by almost all games. It couldn't be emulated incorrectly, no matter how crappy the emulator.
And god knows the VC is a crappy one.
Any way to make toggleable ACE? I tried to make one that lets you catch trainers' Pokémon, but it just causes the game to glitch because the game thinks it's a wild battle before you are in battle.

Krys3000

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #4 on: November 08, 2017, 04:17:10 pm »
Hello folks,

I've been working today on translating this code from Couldntthinkofaname that allows getting any Pokémon in the wild:
http://forums.glitchcity.info/index.php?topic=6716.msg207555#msg207555 so it becomes compatible with French games (no characters from $D0 to $D6, but $D8 to $DE are available).

From what I understood of the code, I thought this could have done the job:

Code:
WRAM1:D8C0 AF XOR A => A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 => A=81
WRAM1:D8C3 DE AF SBC $AF => A=D2
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 AF XOR A => A=00 : C=0
WRAM1:D8C9 F6 81 OR $81 => A=81
WRAM1:D8CB DE 94 SBC $94 => A=ED
WRAM1:D8CD EA EF F8 LD $F8EF,A => $(F8EF)=ED
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA 89 FF LD $FF89,A => $(FF89)=D2
WRAM1:D8D4 AF XOR A => A=00 : C=0
WRAM1:D8D5 F6 F5 OR $F5 => A=F5
WRAM1:D8D7 7F LD A,A
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA EA 8A FF LD $FF8A,A => $(FF8A)=F5
WRAM1:D8DD AF XOR A => A=00 : C=0
WRAM1:D8DE 7F LD A,A
WRAM1:D8DF F6 F8 OR $F8 => A=F8
WRAM1:D8E1 7F LD A,A
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 EA 8B FF LD $FF8B,A => $(FF8B)=F8
WRAM1:D8E6 AF XOR A => A=00 : C=0
WRAM1:D8E7 F6 XX OR $XX => A=XX
WRAM1:D8E9 7F LD A,A
WRAM1:D8EA 7F LD A,A
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC 7F LD A,A
WRAM1:D8ED 7F LD A,A
WRAM1:D8EE EA (whatever) D0 LD $D0ED,A => $(D0ED)=XX
WRAM1:D8F1 AF XOR A => A=00 : C=0
WRAM1:D8F2 F6 D8 OR $D8 => A=D8
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 DE 7F SBC $7F => A=59
WRAM1:D8F7 DE 89 SBC $89 => A=D0
WRAM1:D8F9 EA FE F8 LD $F8FE,A => $(F8FE)=D0
WRAM1:D8FC AF XOR A => A=00 : C=0
WRAM1:D8FD 50 LD D,B

WRAM1:D8FE (whatever) RET NC

Surprisingly to me (hopefully not to you), even before I try to use the Wrong Pocket TM, at the very moment I finish writing the last box name ($D8F5 to $D8FD) the game freezes, so I can't use my code. Do you know why? Thanks to anyone who can help!
« Last Edit: November 08, 2017, 04:17:34 pm by Krys3000 »

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov


Azarokkusu

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #6 on: February 25, 2018, 03:24:03 am »
I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?

Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the Coin Case a lot yesterday with the same slide Pokemon, walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches. When you repeat that enough times you're certainly walking a good number of steps, but my slide Pokemon still worked. And today I was using the hatched Togepi as a slide Pokemon as a test and it worked, so I would certainly recommend freshly hatched Pokemon.

As for your question, I haven't messed around with shiny codes yet, but if the first code changed the egg to shiny and then you changed the Pokemon species, then it should still be shiny, as that is determined by the DVs, which are set when you use your shiny code.
Not quite. Even if your slide's happiness value increases, it doesn't matter too much unless it reaches a malicious opcode. What I mean by that is, any opcode that changes code flow (call,ret,jp,jr), any opcode that stops the cpu (stop, and MAYBE halt, I'm not quite sure), any op that messes with the stack (inc sp,push,pop,ld sp,rst,etc.), any invalid ops ($D3,$DB,$DD,$E3,$E4,$EB,$EC,$ED,$F4,$FC,$FD), and "di".

The Happiness value increments upon walking 256 steps, and when freshly caught, has a value of $00. The first "malicious" opcode it encounters is "stop", which is hex $10. So, a freshly caught slide pokemon is considered "broken" after 4096 steps. However, you can easily set this value to $11 (ld de,$xxyy) by walking 256 more steps. So if you find that your slide has stopped working, walk 256 more steps and see if that fixes it.

Also, it is worth noting that happiness is not the only thing that affects slide pokemon.
Here's a list of all factors that affect slide pokemon:

Attack EV
Defense EV
Speed EV
Special EV
Attack/Defense IV
Speed/special IV
PP of current moveset
Happiness/Hatch Time
Pokerus
Caught Information
Level
Status
HP
Max HP
Attack
Defense
Speed
Special Defense
Special Attack - Must correspond to an instruction that is one byte long, otherwise the jump instruction that executes your code will be absorbed!

I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.
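The reply above lists the opcode classes that break a slide (control flow, stop, stack, invalid, di) and works out that a happiness byte of $00 turns into stop ($10) after 4096 steps and into the harmless 3-byte ld de,nn ($11) after 256 more. The script below is an added example, not code from this thread or from any of its posters: it decodes a run of bytes the way the SM83 would if it slid through them, reports the first byte that falls into one of those classes, and flags an instruction that runs past the end of the data (the point made about the Special Attack byte absorbing the jump that follows). The instruction-length table and opcode groups are standard SM83 facts; the byte strings and the helper names are constructed for the demonstration and are not a real Pokémon's data. It assumes the happiness byte is reached in opcode position, as the reply does.

```python
"""Added example: classify a byte run as a Game Boy (SM83) "slide".

The decoder walks the bytes exactly as the CPU would, using the real
instruction lengths, and stops at the first opcode of a class that the
thread identifies as breaking a slide.  Sample inputs are constructed."""

# Opcode lengths.  Everything not listed here is one byte (CB-prefixed
# opcodes are two bytes, so 0xCB itself is listed as a two-byte opcode).
_TWO_BYTE = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E,  # LD r,n
             0x10,                                            # STOP (10 00)
             0x18, 0x20, 0x28, 0x30, 0x38,                    # JR
             0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE,  # ALU A,n
             0xE0, 0xF0, 0xE8, 0xF8, 0xCB}
_THREE_BYTE = {0x01, 0x11, 0x21, 0x31, 0x08,                 # LD rr,nn / LD (nn),SP
               0xC2, 0xC3, 0xCA, 0xD2, 0xDA,                 # JP
               0xC4, 0xCC, 0xCD, 0xD4, 0xDC,                 # CALL
               0xEA, 0xFA}                                    # LD (nn),A / LD A,(nn)


def instruction_length(opcode):
    """Byte length of the SM83 instruction starting with `opcode`."""
    if opcode in _THREE_BYTE:
        return 3
    if opcode in _TWO_BYTE:
        return 2
    return 1


# Opcode classes the reply lists as ending a slide.
FLOW = {0x18, 0x20, 0x28, 0x30, 0x38, 0xC2, 0xC3, 0xCA, 0xD2, 0xDA, 0xE9,
        0xC4, 0xCC, 0xCD, 0xD4, 0xDC, 0xC0, 0xC8, 0xC9, 0xD0, 0xD8, 0xD9}
STOP = {0x10}
HALT = {0x76}                                      # reply is unsure; flagged anyway
STACK = {0x31, 0x33, 0x3B, 0xE8, 0xF9,             # ld sp / inc sp / dec sp / add sp
         0xC1, 0xD1, 0xE1, 0xF1, 0xC5, 0xD5, 0xE5, 0xF5,   # pop / push
         0xC7, 0xCF, 0xD7, 0xDF, 0xE7, 0xEF, 0xF7, 0xFF}   # rst
INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
DI = {0xF3}


def classify(opcode):
    """Return why this opcode breaks a slide, or None if it is harmless."""
    for name, group in (("control flow", FLOW), ("stop", STOP), ("halt", HALT),
                        ("stack", STACK), ("invalid opcode", INVALID), ("di", DI)):
        if opcode in group:
            return name
    return None


def check_slide(data):
    """Decode `data` from its first byte as the CPU would.

    Returns (ok, detail).  ok is True only when every decoded opcode is
    harmless AND the last instruction ends exactly at the end of the data;
    an instruction that runs past the end would swallow whatever follows
    as its operand, which is the "absorbed jump" problem from the reply."""
    pc = 0
    while pc < len(data):
        op = data[pc]
        reason = classify(op)
        if reason is not None:
            return False, "offset %d: opcode $%02X (%s)" % (pc, op, reason)
        n = instruction_length(op)
        if pc + n > len(data):
            return False, "offset %d: opcode $%02X is %d bytes and runs past the end" % (pc, op, n)
        pc += n
    return True, "clean slide, %d bytes decoded" % len(data)


def steps_until_broken(initial_happiness=0):
    """Steps walked before the happiness byte (+1 per 256 steps, capped at
    $FF, as the reply describes) first decodes as a slide-breaking opcode.
    From $00 that is $10 (stop) after 16 * 256 = 4096 steps."""
    h = initial_happiness
    steps = 0
    while True:
        if classify(h) is not None:
            return steps
        if h == 0xFF:          # happiness is capped; $FF (rst 38) is flagged anyway
            return None
        h += 1
        steps += 256


if __name__ == "__main__":
    # Constructed samples, not real stat bytes.
    clean = bytes([0x7F, 0x7F, 0x40, 0x00, 0x3E, 0x05, 0x50, 0x7F])
    stopped = bytes([0x7F, 0x10, 0x00])          # happiness already reached $10
    absorbed = bytes([0x7F, 0x7F, 0x11])         # 3-byte opcode as the last byte
    fixed = bytes([0x11, 0x10, 0xC9, 0x7F])      # $11 swallows the two bytes after it
    for name, sample in (("clean", clean), ("stopped", stopped),
                         ("absorbed", absorbed), ("fixed", fixed)):
        print(name, check_slide(sample))
    print("steps until a fresh slide breaks:", steps_until_broken(0))
```

The `fixed` sample shows the reply's "walk 256 more steps" idea mechanically: once the happiness byte is $11 it becomes ld de,nn and takes the next two bytes as its operand, so a stop or ret sitting there is never decoded as an opcode.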