Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 17

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-11-01 14:37:41
Thanks for the explanation. It's all making more sense now. And it's working nicely on a ROM too. Should make a bootstrap on my Silver cart.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-01 15:13:09
Here's the code:

Stored Pokemon 1 is <insert x Pokemon here>
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: 09'vSé525
Box 7: p0?55éAn
Box 8: éCnp'd555

Replace ? with the Species Index.

If you wish to access Species indexes lower than $7f, replace 55 with 'v(space). Then, take the desired species id, add $7f, and use that as ??

I will release a video of this working as soon as the chance hits me. :)

What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? Into $AD6D

What the code does not do:
Load $?? Into $AD82, meaning the name on the stats page stays the same (fixed)
Fix SRAM bank (shouldn't matter)
Re-lock SRAM (overworld does this anyway)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: forsyz
Date: 2017-11-01 15:56:49
To execute ACE you have to go into the overworld, though, to get into the bag to use TM 25.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-01 16:16:28

To execute ACE you have to go into the overworld, though, to get into the bag to use TM 25.


…????

Please elaborate.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-11-01 16:53:01
That's not an issue since you go to your item pack before unlocking SRAM.

Also


What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? Into $ADCD


$ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-01 16:54:57

That's not an issue since you go to your item pack before unlocking SRAM.

Also


What the code does:
Self-mods. A lot.
Unlocks SRAM
Switches to SRAM bank 1
Loads $?? Into $ADCD


$ADCD is the third Pokémon's first HP EV address. I hope that's just a typo.


Whoops my bad, thanks for catching that!

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: forsyz
Date: 2017-11-02 00:32:39
Can't get it to work. The address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-02 05:27:42

Can't get it to work. The address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?


What emulator are you using? This probably won't work on VBA.

I'm using BGB and it's working fine. I'm unsure about VC.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-02 05:43:17

What the code does not do:
Load $?? Into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the Daycare then back.


Can't get it to work. The address where PC box Pokémon are stored is still all 0s when I unlock the SRAM and switch banks. Also, doesn't the 3DS VC emulator not emulate SRAM locking? If it doesn't, why won't the memory editor let me write to the SRAM?

I'm not sure about SRAM locking on VC, tbh, but you should follow the procedure anyway.
If you're getting all zeroes, make sure you do NOT go into the overworld or save in the middle of the procedure. The unlocking, bank switching AND access must be done in one go.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-02 05:50:26


What the code does not do:
Load $?? Into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back


What's $AD62? Can't find it on the RAM map.

Edit: You're likely referring to $AD82. Do you mean to load it with or as opposed to $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: forsyz
Date: 2017-11-02 06:22:01
How would you add the SRAM unlocking and bank switching code to the box name memory editor by crystal_?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: forsyz
Date: 2017-11-02 07:40:12
Has anyone tested this, since the VC emulator does not emulate SRAM locking, so it means you only need to switch banks?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-02 07:50:13
@ISSOtm, I believe I have fixed my code to produce a non-glitch hybrid. However, I have little time to test this code. If someone could test this for me and ensure the Pokémon produced is stable, that would be wondrous.

Edit: Code has been tested, Pokemon is stable :)


Has anyone tested this, since the VC emulator does not emulate SRAM locking, so it means you only need to switch banks?


I only have the emulator and the cartridge version, sorry. :(

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-02 18:52:06
(Super apologies for double-posting)


Stored Pokemon 1 is shiny:
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYnp'd


(Coin case version)
Box 1: Apé'm2é'r2
Box 2: é&2'v0555
Box 3: éAAp0'd'vQ
Box 4: éé2p'v955
Box 5: 55555éAA
Box 6: p0ééXn55
Box 7: p0kéYn55
Box 8: péZ(mult).9'l'l
Box 9: 'l'lp'd5555

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-03 05:12:29



What the code does not do:
Load $?? Into $AD82, meaning the name on the stats page stays the same (AFAIK this affects nothing)
Writing to only one address instead of two will make the Pokémon an unstable hybrid. You should load to $AD62, because the generated hybrid could then be fixed by depositing it into the daycare and back


What's $AD62? Can't find it on the RAM map.

Edit: You're likely referring to $AD82. Do you mean to load it with or as opposed to $AD6D? If it's the former, it may not be possible due to the heavy amount of SMC.

I was indeed referring to $AD82; writing to $AD82 only produces a hybrid that can be stabilized, writing to both produces no hybrid.