Topic: Arbitrary code execution in Gold/Silver UE using the Coin Case


spamviech

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #330 on: December 28, 2017, 09:19:23 pm »
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity ×255) while leaving the item type unchanged.
Code:
1)   A   p  'v   5   é   4   2   5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v   9   é   /   2   p  'v   . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)   é   0   2  'v   2   é   5   2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v   9   é   ♀   2  'v   9   5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)   é   2   2  'v   9   é   3   2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v   ×   é   ,   2   0   9   9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)   0   0   0   5   5   5   5   5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)   x  'd OR A; RET NC

Fun little thing about ×0 quantity (at least in the PC):
You can withdraw/toss any quantity you want; it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (it creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #331 on: January 19, 2018, 08:27:21 am »
Here, have a CartSwap setup!

Code:
A p é 7 2 é ? 2
é & 2 'v 9 é 8 2
p 'v * é (male) 2 / /
é * 2 / / / / p
0 (pk) é A 9 4 A 9
/ / ? A 8 A / /
'm (pk) 2 p 's A (female) 'm

This is compatible with either the Coin Case setup or Wrong Pocket.

In gbz80, that's:
Code:
xor a ; a = 0
ld ($f8fd),a ; self-mod
ld ($f8e6),a ; self-mod
ld d,b ; end-terminator
ld ($f8e9),a ; self-mod
sub $FF ; a = 1
ld ($f8fe),a ; self-mod
ld d,b ; end-terminator
xor a ; a = 0
sub $F1 ; a = $0f
ld ($f8ef),a ; self-mod
di ; Disable ints. If they are active during cartswap, and an int is requested, unwanted code may be executed
di ; padding
ld d,b
ld ($f8f1),a ; self-mod
di ; padding
di ; padding
di ; padding
di ; padding
.loop:
xor a ; a = 0
ld d,b ; end-terminator
or $e1 ; a = $e1
ld ($ff00),a ; Enable polling for directional buttons. Didn't use "ldh", as it isn't char-representable
ld a,($ff00) ; Receive results of poll
ld d,b ; end-terminator
di ; padding
di ; padding
and $0f ; I don't care about the upper nibble
cp $0f ; Compare with $0f
di ; padding
di ; padding
ld d,b ; end-terminator
jp nc, .loop ; If the carry flag wasn't set by the compare, jump back. (Didn't use "jr", not char-representable)
xor a ; a = 0, reset flags
call nc,$F580 ; Call the third TM quantity. ENSURE THE CARRY FLAG IS NOT SET IN YOUR FUNCTION
jp nc,$0100 ; Boot into whatever game is loaded now

Basically what this does is wait for any button on the D-Pad to be pressed, call a function written starting at TM03, and then reboot the game. During this time, you can swap the cartridges and write to SRAM.

"So what do I write to TM03?" - That's where you come in!

In Gen 2, TM quantities (starting from TM03) grant you 48 bytes to write your own code to alter the SRAM of other games.

Not sure what to do? Here's an example:
Code:
TMs    Keep/Deposit
TM01   Any
TM02   Any
TM03   38/217
TM04   10/245
TM05   116/139
TM06   38/217
TM07   64/191
TM08   46/209
TM09   1/254
TM10   117/138
TM11   62/193
TM12   21/234
TM13   234/21
TM14   193/62
TM15   176/79
TM16   234/21
TM17   211/44
TM18   176/79
TM19   22/233
TM20   1/254
TM21   21/234
TM22   1/254
TM23   139/116
TM24   15/240
TM25   33/222
TM26   152/103
TM27   165/90
TM28   42/213
TM29   130/125
TM30   87/168
TM31   11/244
TM32   120/135
TM33   177/78
TM34   32/223
TM35   248/7
TM36   122/133
TM37   47/208
TM38   234/21
TM39   35/220
TM40   181/74
TM41   201/54

Raw bytes:
Code:
$D580 / 26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0
16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20
f8 7a 2f ea 23 b5 c9

To use:

1. In Pokémon Red/Blue, ensure the first Pokémon in your current box is a disposable one
2. Set up your box name and TM quantities as above
3. Use the Coin Case or Wrong Pocket
4. Swap into Pokémon Red/Blue (maybe Yellow, I'm not sure); on BGB, this is accomplished with "Load ROM without reset"
5. Press any button on the D-Pad

When you boot into Pokémon R/B, the first Pokémon in your box should now be Mew. (The name will remain unchanged.)

In my opinion, this is a bit easier to deal with than Gen 1 cartswap.

Enjoy!
« Last Edit: January 19, 2018, 09:27:07 am by Epsilon »
"What's a stack? Can you eat that?"

"Sure, just POP it into your mouth!" (someoneplskillme)

Clash Royale profile: #LYQC9LLV. Join our clan because we're lonely.

Does anybody really know what time it is?

Does anybody really care?
- Chicago

Princess Torchic ❤

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #332 on: January 19, 2018, 11:22:12 am »
Amazing :)

So, a couple of questions as I've never done much cartswapping before.

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)? How would you do this for Yellow and Crystal?

Thanks.
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Give love, receive love, repeat. But in order to love others you must first love yourself unconditionally, even if it means abandoning pressure from projects or taking time off work and empathise with the self as you are your own best friend. The key often is simply to follow your heart, your urges and have faith they are valid; use them to do what you want to do as long as it doesn't harm anyone, and/or sympathise and respect it as we all have bad days (even the prettiest rose has thorns but is still beautiful).

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #333 on: January 19, 2018, 11:34:19 am »
Amazing :)

Thanks!

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)

Modifying $A598-$B522 would require a checksum fix at $B523. Though I'm not certain if this is checked, the box data in banks 2-3 have their own checksums. These need not be modified if you only care about the current box, however.

How would you do this for Yellow and Crystal?

In Yellow, I believe SRAM data is not shifted. Don't quote me on that, though, because I'm not 100% certain. I just checked Pokeyellow, and it seems my setup for Mew will still work! :)

As for Crystal, I'm not certain. I don't think data is shifted in Crystal to an extent that would prevent this from working, but once more I'm not 100% certain as I currently lack a Crystal ROM.
« Last Edit: January 19, 2018, 11:46:17 am by Epsilon »
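
The checksum fix discussed in the two replies above (the tail of the Mew payload in reply #331 and the $A598-$B522 / $B523 answer in reply #333), as an added example that is not part of any post in this thread: a Python model of the Red/Blue SRAM range using the addresses the posts quote (sum over $A598-$B522, complement stored at $B523, species written at $B0C1 and $B0D3). It works on a constructed SRAM image, and the Keep column and raw bytes are copied from reply #331 so the two tables can be cross-checked against each other.

```python
# Added example (not from any post in this thread): model the Red/Blue SRAM range the
# posted Mew payload touches and recompute the main-data checksum the way its loop does:
# the byte at $B523 is the bitwise complement of the 8-bit sum of $A598-$B522.
SAVE_START = 0xA598        # first byte covered by the checksum
CHECKSUM_ADDR = 0xB523     # checksum byte; the sum covers $A598-$B522 ($0F8B bytes)
BOX_SPECIES_LIST = 0xB0C1  # the two addresses the payload writes the species to
BOX_MON0_SPECIES = 0xB0D3
MEW = 0x15

# "Keep" column for TM03-TM41 from the post; the "Deposit" column is 255 - keep.
KEEP = [38, 10, 116, 38, 64, 46, 1, 117, 62, 21, 234, 193, 176, 234, 211, 176,
        22, 1, 21, 1, 139, 15, 33, 152, 165, 42, 130, 87, 11, 120, 177, 32,
        248, 122, 47, 234, 35, 181, 201]
RAW_BYTES = bytes.fromhex(
    "26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0 "
    "16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20 "
    "f8 7a 2f ea 23 b5 c9")

def payload_bytes() -> bytes:
    """Quantities as they sit in memory; each quantity byte doubles as an opcode byte."""
    return bytes(KEEP)

def main_data_checksum(mem: bytes) -> int:
    """Complement of the 8-bit sum over $A598-$B522 (the payload's add/cpl loop)."""
    return (~sum(mem[SAVE_START:CHECKSUM_ADDR])) & 0xFF

def checksum_valid(mem: bytes) -> bool:
    return mem[CHECKSUM_ADDR] == main_data_checksum(mem)

def write_first_box_mon(mem: bytearray, species: int, fix_checksum: bool = True) -> None:
    """Mirror the payload: set both box species fields, then refresh $B523."""
    mem[BOX_SPECIES_LIST] = species
    mem[BOX_MON0_SPECIES] = species
    if fix_checksum:
        mem[CHECKSUM_ADDR] = main_data_checksum(mem)

def demo() -> tuple:
    # Constructed SRAM image: a 64 KiB address space filled with a fixed pattern so the
    # absolute Gen 1 addresses can be indexed directly; this is not a real save file.
    mem = bytearray((i * 7 + 3) & 0xFF for i in range(0x10000))
    mem[CHECKSUM_ADDR] = main_data_checksum(mem)       # start from a consistent save
    before = checksum_valid(mem)
    write_first_box_mon(mem, MEW, fix_checksum=False)  # patch without the fix...
    stale = checksum_valid(mem)                        # ...and the save no longer verifies
    mem[CHECKSUM_ADDR] = main_data_checksum(mem)       # what the payload's tail does
    return before, stale, checksum_valid(mem)

if __name__ == "__main__":
    print(payload_bytes() == RAW_BYTES, CHECKSUM_ADDR - SAVE_START == 0x0F8B, demo())
```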

Krys3000

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #334 on: January 23, 2018, 12:31:47 pm »
The shift only applies to WRAM (starting at $CF00). Everything before that point is just the same in all non-Japanese Red, Blue and Yellow :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #335 on: January 26, 2018, 02:03:15 pm »
Is there a TM25 box name config for perfect DVs for a party Pokémon? Couldn't seem to find one - thanks! The Coin Case one is as follows, but I can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555
« Last Edit: January 26, 2018, 02:04:15 pm by hobgoblinpie »

Epsilon

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #336 on: January 26, 2018, 02:11:27 pm »
Is there a TM25 box name config for perfect DVs for a party Pokémon? Couldn't seem to find one - thanks! The Coin Case one is as follows, but I can't seem to modify it correctly:

Code:
Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555

Replace box 7 with "p'd"

hobgoblinpie

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case
« Reply #337 on: January 26, 2018, 03:15:32 pm »
Perfect, thanks!