Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 18

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-03 07:03:07
The new version of my code writes to both addresses, thus preventing a hybrid. :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Scotteh
Date: 2017-11-03 10:46:22
It's not extremely useful, but I made a small modification to one of Couldntthinkofaname's codes to turn all wild Pokémon Level 100.

1: Ap0'méJ95
2: p0-éK955
3: p02éL9p'd
4: (anything)
5: p0,'vQé6'd
6: p'd

Notably, it doesn't affect the wild Pokémon's stats, which remain at the normal ones for their old level until caught.


EDIT: I came up with a better one which hooks elsewhere, earlier on in the wild Pokémon generation routine. This time the moveset and stats match the level.

1: Ap0'méJ95 
2: p0-éK95p
3: 02éL9p0Pk
4: 'vbé&25p'd
5: p0,'vQé6'd
6: p'd

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-03 16:44:45
I have a suggestion to use TM count instead of Box names.
First use this box name code (which I ruthlessly stole from Torchickens before slightly adjusting it) to give you 255 of each TM/HM.

1)Ap'vCé025
2)'vj'vué25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55555's5
8)x'd

Coin Case variant (untested):

1)Ap'vCé025
2)'vj'vué25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55555's5
8)pppppéZ
9).9'l'l'l'lx'd


Then write your code by depositing to the desired opcode/number (be careful when tossing above a stack of 255 from the PC, since it seems to have similar effects as in Gen 1).
Use this picture from Skeef to make depositing the right number slightly easier.

Over 99 glitch blocks for items:
They don't seem to change based on location or anything.

http://i63.tinypic.com/k2e4z.png


To execute, either use a Quagsire holding a Lucky Egg (can be stolen from wild Chanseys, but glitching one is probably easier) with Attract (TM45) as its first move, or use the following box name code and start your code with the item count of TM03.
1)A  x 'm  A  OR A; JP NC, [80f5]
Coin Case Variant (the new Quagsire won't work without adjustment of the code, so you have to use this one; untested):

1)  A  p  p  é  Z    .  9 XOR A; LD [f199], A; ADD SP, ff
2) 'l 'l 'l 'l  x 'm  A  POP DE; POP DE; POP DE; POP DE; OR A; JP NC, [80f5]


The advantage of this method is that you have access to every Game Boy opcode. Also, input of lower numbers is easier.

As a proof of concept (still in development, supposed to do more when finished), here is a code to change the species, held item, and moves of the first Pokémon of your current box.
You can get the id for species, etc. from the big HEX list (be sure to use the Gen2 columns).
Fill them in as count for TM17, TM24, TM27, TM30, TM33, TM36.

format: keep/deposit code
TM01 3/252 inc bc/ignored
TM02 3/252 inc bc/ignored
TM03 62/193 LD A, 0a
TM04 10/245
TM05 234/21 LD [ff00], A | A->0a
TM06 255/0
TM07 0/255
TM08 62/193 LD A, 00
TM09 0/255
TM10 234/21 LD [ff40], A | A->00
TM11 255/0
TM12 64/191
TM13 33/222 LD HL, 6dad | HL->ad6d
TM14 109/146
TM15 173/82
TM16 62/193 LD A, (species)
TM17 (species)/
TM18 34/221 LD [HLI], A
TM19 33/222 LD HL, 82ad | HL->ad82
TM20 130/125
TM21 173/82
TM22 34/221 LD [HLI], A
TM23 62/193 LD A, (item)
TM24 (item)/
TM25 34/221 LD [HLI], A
TM26 62/193 LD A, (move1)
TM27 (move1)/
TM28 34/221 LD [HLI], A
TM29 62/193 LD A, (move2)
TM30 (move2)/
TM31 34/221 LD [HLI], A
TM32 62/193 LD A, (move3)
TM33 (move3)/
TM34 34/221 LD [HLI], A
TM35 62/193 LD A, (move4)
TM36 (move4)/
TM37 34/221 LD [HLI], A
TM38 201/54 RET


Since I managed to kill my VC save game, this is (so far, kind of) untested.
The parts presented here worked without killing my savegame, but there were some other parts in it which I cut out for this one (such as setting your box Pokémon count to 20).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-11-03 17:16:39
Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-11-03 17:23:21
Wow, excellent idea spamviech! :D Thank you. :)

So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-03 17:44:27

Wow, excellent idea spamviech! :D Thank you. :)

So you could alternate between the box names Quagsire whenever you want to fill the pockets and the TM/HM pocket Quagsire for anything else up to 55 bytes long.


Up to 57 bytes long, but you need to write the HM quantities e.g. using box names (all available). You can even start with box name code and then jump to TM03 with a final x'mA.

Since withdrawing more than 99 seems to be impossible, you need to run the 255-code every time as part of changing code, though.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-04 08:45:18
I like this new medium, spamviech!

I just got my cart yesterday so I probably won't test it out right now, but this seems interesting!

The only potential problem I can see arising is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc"; that way you can execute the x255 TM code immediately after the TM quantity code.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-06 05:12:48

I like this new medium, spamviech!

I just got my cart yesterday so I probably won't test it out right now, but this seems interesting!

The only potential problem I can see arising is that in order to write a new code, you must reset each quantity to 255. A workaround I thought of was using "call nc" as opposed to "jp nc"; that way you can execute the x255 TM code immediately after the TM quantity code.


Think it depends on the code. Some you might want to execute multiple times.


Another thing I found:
Using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-06 07:08:33
I'm surprised no one has done this yet:

Get all Johto Badges:
Box 1: Ap'vEé'm25
Box 2: 09555555
Box 3: éA(female)p'd555

Untested for the time being.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-06 08:26:13
(Super-Apologies for double-posting again)

Using spamviech's new medium, I have created a walk-through-walls code.

First, use Torchickens' code that grants you x255 of every TM:

1)Ap'vCé025
2)'vj'vué25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55555's5
8)x'd


Then, spell the following opcodes with TM quantities:

Keep/Deposit (starting from TM 01):

62/193
8/247
33/222
163/92
206/49
34/221
34/221
34/221
119/136
201/54


Finally, use this code:

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL9p'd

(Coin case variant)

Box 1: Ap0'méJ95
Box 2: p'vCéK955
Box 3: p0(female)éL955
Box 4: péZ(mult).9'l'l
Box 5: 'l'lp'd5555

You should be able to walk through almost any wall. Try not to go out of bounds; this will crash the game.
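The keep/deposit tables in spamviech's box-editing post above and in the walk-through-walls post here both encode one payload byte per TM slot. As an added example, not code from either poster, the following Python script re-types both tables in compact form, checks that every keep/deposit pair sums to 255 (a mistyped count would otherwise silently become a different opcode), and decodes the resulting bytes with a small hand-written subset of the Game Boy CPU's opcode table. It assumes the conventions visible in the posts: consecutive TM slots hold consecutive bytes, the kept count is the stored byte, at most 57 TM/HM slots are available, and two-byte immediates are little-endian, so the post's `LD [ff00], A`, which lists its operand bytes in memory order, decodes here as address `$00FF`. The ids filled in for species, item and moves are constructed placeholders; the real ones come from the hex list the post refers to.

```python
import re

# Added example for this thread; it is not code posted by spamviech or
# Couldntthinkofaname. Assumed conventions (taken from the posted tables): TM
# slots are consecutive bytes, the stored byte is the "keep" count, and
# keep + deposit == 255. OPCODES is a hand-picked subset of the Game Boy CPU
# (SM83) instruction set covering only opcodes that occur in the thread;
# anything else decodes as a raw DB byte.

# opcode -> (mnemonic template, number of immediate bytes that follow)
OPCODES = {
    0x03: ("INC BC", 0),           0x21: ("LD HL, ${nn:04X}", 2),
    0x22: ("LD [HLI], A", 0),      0x3E: ("LD A, ${n:02X}", 1),
    0x77: ("LD [HL], A", 0),       0xAF: ("XOR A", 0),
    0xB7: ("OR A", 0),             0xC9: ("RET", 0),
    0xD0: ("RET NC", 0),           0xD1: ("POP DE", 0),
    0xD2: ("JP NC, ${nn:04X}", 2), 0xE6: ("AND ${n:02X}", 1),
    0xE8: ("ADD SP, ${n:02X}", 1), 0xEA: ("LD [${nn:04X}], A", 2),
    0xF6: ("OR ${n:02X}", 1),
}
TM_HM_SLOTS = 57  # TM01-TM50 plus HM01-HM07: the 57 quantity bytes the thread mentions
PAIR_RE = re.compile(r"(\d+)/(\d+)")
PLACEHOLDER_RE = re.compile(r"\((\w+)\)/")


def keep_bytes(table, fills=None):
    """Turn a keep/deposit table into payload bytes, one per TM slot, in order.

    Tokens are "keep/deposit" or "(name)/" for a slot whose value you choose;
    `fills` maps such names to bytes. A pair that does not sum to 255 is a
    typo that would become a different opcode, so it is rejected.
    """
    fills = fills or {}
    out = []
    for tok in table.split():
        pair = PAIR_RE.fullmatch(tok)
        if pair:
            keep, deposit = int(pair.group(1)), int(pair.group(2))
            if keep + deposit != 255:
                raise ValueError(f"keep + deposit != 255 in {tok!r}")
            out.append(keep)
            continue
        ph = PLACEHOLDER_RE.fullmatch(tok)
        if ph is None:
            raise ValueError(f"unrecognised token {tok!r}")
        out.append(fills[ph.group(1)] & 0xFF)
    if len(out) > TM_HM_SLOTS:
        raise ValueError(f"{len(out)} bytes do not fit in {TM_HM_SLOTS} TM/HM slots")
    return bytes(out)


def disassemble(code):
    """Linear-sweep decode. Returns (slot, raw_bytes, mnemonic) per
    instruction, where slot is the 1-based TM number holding the opcode."""
    listing, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            listing.append((i + 1, code[i:i + 1], f"DB ${op:02X}"))
            i += 1
            continue
        template, size = OPCODES[op]
        imm = code[i + 1:i + 1 + size]
        if len(imm) < size:  # payload ends in the middle of an instruction
            tail = " ".join(f"${b:02X}" for b in code[i:])
            listing.append((i + 1, code[i:], f"DB {tail}  ; truncated"))
            break
        if size == 1:
            text = template.format(n=imm[0])
        elif size == 2:
            text = template.format(nn=imm[0] | (imm[1] << 8))  # little-endian
        else:
            text = template
        listing.append((i + 1, code[i:i + 1 + size], text))
        i += 1 + size
    return listing


# Constructed, compact copies of the two tables posted above (same pairs, same order).
WALK_THROUGH_WALLS = "62/193 8/247 33/222 163/92 206/49 34/221 34/221 34/221 119/136 201/54"
BOX_EDIT = ("3/252 3/252 62/193 10/245 234/21 255/0 0/255 62/193 0/255 234/21 255/0 64/191 "
            "33/222 109/146 173/82 62/193 (species)/ 34/221 33/222 130/125 173/82 34/221 "
            "62/193 (item)/ 34/221 62/193 (move1)/ 34/221 62/193 (move2)/ 34/221 "
            "62/193 (move3)/ 34/221 62/193 (move4)/ 34/221 201/54")
# Placeholder ids constructed for the demo; real ids come from the hex list the post cites.
FILLS = {"species": 0x01, "item": 0x00, "move1": 0x01, "move2": 0x02, "move3": 0x03, "move4": 0x04}


def listing_text(table, fills=None):
    """Human-readable listing, one line per instruction, keyed by TM slot."""
    return "\n".join(f"TM{slot:02d}  {' '.join(f'{b:02X}' for b in raw):<9} {text}"
                     for slot, raw, text in disassemble(keep_bytes(table, fills)))


if __name__ == "__main__":
    print(listing_text(WALK_THROUGH_WALLS))
    print()
    print(listing_text(BOX_EDIT, FILLS))
```

Running it prints one line per instruction keyed by TM slot, so you can see at a glance which slot each `LD HL` or `RET` occupies and check a table before typing it in. In the box-editing listing, the two stores land at `$00FF` and `$40FF`, below `$8000`; on a Game Boy cartridge that range belongs to the mapper rather than to RAM, which fits the post writing those two values before it touches `$AD6D` in save RAM.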

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-11-06 09:57:08
That's all right Couldntthinkofaname. :)

We don't really mind about double-posts here as long as the information adds to the discussion.

Thanks for your writing and sharing your new code. ^^*

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-06 14:21:49

Nice!  O_o Never even realised that the memory only used the quantities in the TM pocket.


Same. Found it by accident after realising almost all the code I was working on had to be self-modifying, so I was looking for a place which could be accessed without problems and luckily found the TM location.  ;D

Another thing I found:
Using péZ(mult) instead of péD9 for Coin Case codes seems to change your options (text speed to mid, battle style to switch, maybe something else I missed).


To add to that:
It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.



Regarding TM execution, here's a box name code to start execution from TM01 quantity (if you don't want to switch Quagsires):


1)  5  5  5  5  5  5  5  5
2)  5  5  5  p  0(spc)?  8 XOR A; OR 7f; AND fe | A->7e (spc means space)
3)  é 'v  2  x 'm 'm  LD [d6f8], A; OR A; JP NC, [{7e}f5]

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-06 15:33:33

To add to that:
It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.


This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-06 19:15:13


To add to that:
It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.


This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.


Oh, right. Missed that. I wonder which values give a non-crashing game with fast text speed and a non-laggy menu.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-06 19:28:09



To add to that:
It also enables battle animations. Returning them (I had fast text speed, no battle animations, battle style set) before saving and resetting causes you to have a laggy menu again.


This is due to $D199 being in control of settings. The default settings are $03. When $D199 is set to $00, it returns the settings to default except "Menu Account", which is turned off.


Oh, right. Missed that. I wonder which values give a non-crashing game with fast text speed and a non-laggy menu.

If you set $D199 to $01, fast text speed will be active and laggy menu will be fixed.

To do this, end coin case codes with:

p'v9éZ(mult)55
.9'l'l'l'lp'd