Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 19

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-07 06:57:25
Finished my code I was working on.  :D
This one will fill your current box with 20 Pokémon of your choosing, all with the same item and moveset. Be sure to remove any Pokémon you want to keep, since they will (mostly) get overwritten.

First, use this box name code to give you 255 of every TM/HM:

1)Ap'vCé025
2)'vj'vué25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55555's5
8)x'd


Coin Case Variant (untested):

1)Ap'vCé025
2)'vj'vué25
3)'v.é32p'v9
4)é22pé425
5)'vué62'v 5
6)'v:é72p09
7)55555's5
8)ppp'v9éZ
9).9'l'l'l'lx'd


Then write the code with TM quantities by keeping/depositing (you might need to toss some in between to make space in the PC):

format: keep/deposit code
TM01 62/193 LD A, 0a
TM02 10/245
TM03 234/21 LD [ff00], A | A->0a
TM04 255/0
TM05 0/255
TM06 62/193 LD A, 01
TM07 01/254
TM08 234/21 LD [ff40], A | A->00
TM09 255/0
TM10 64/191
TM11 33/222 LD HL, 6cad | HL->ad6c
TM12 108/147
TM13 173/82
TM14 1/254 LD BC, 1a00 | BC->001a
TM15 26/229
TM16 0/255
TM17 62/193 LD A, 14 | A->14
TM18 20/235
TM19 87/168 LD D, A
TM20 95/160 LD E, A
TM21 34/221 LD [HLI], A
TM22 62/193 LD A, (species)
TM23 (species)/
TM24 34/221 LD [HLI], A
TM25 21/234 DEC D
TM26 32/223 JR NZ, fc | (Loop back to last LD [HLI], A)
TM27 252/3
TM28 54/201 LD [HL], ff
TM29 255/0
TM30 35/220 INC HL
TM31 87/168 LD D, A
TM32 122/133 LD A, D
TM33 34/221 LD [HLI], A
TM34 62/193 LD A, (item)
TM35 (item)/
TM36 34/221 LD [HLI], A
TM37 62/193 LD A, (move1)
TM38 (move1)/
TM39 34/221 LD [HLI], A
TM40 62/193 LD A, (move2)
TM41 (move2)/
TM42 34/221 LD [HLI], A
TM43 62/193 LD A, $(move3)
TM44 (move3)/
TM45 34/221 LD [HLI], A
TM46 62/193 LD A, $(move4)
TM47 (move4)/
TM48 34/221 LD [HLI], A
TM49 9/246 ADD HL, BC
TM50 29/226 DEC E
HM01 32/223 JR NZ, eb | (Loop Back to LD A, D)
HM02 235/20
HM03 201/54 RET


Now change your box names to the code below and execute via wrong pocket TM execution:

1)  5  5  5  p  0  A 'v  x XOR A; OR 80; SUB b7 | A->c9
2)  é  s    p  0  é 'v  9 LD [b2f5], A; XOR A; OR ea; SUB ff | A->eb
3)  é  r    p  0  a 'v  A LD [b1f5], A; XOR A; OR a0; SUB 80 | A-> 20
4)  é  q    p  0  8  ?  _ LD [b0f5], A; XOR A; LD OR fe; AND 7f | A->7e (_ is space)
5)  é  .  2  x 'm 'm  LD [e7f8], A; OR A; JP NC, [{7e}f5]


Coin Case Variant (untested):

1)  5  5  5  p  0  A 'v  x XOR A; OR 80; SUB b7 | A->c9
2)  é  s    p  0  é 'v  9 LD [b2f5], A; XOR A; OR ea; SUB ff | A->eb
3)  é  r    p  0  a 'v  A LD [b1f5], A; XOR A; OR a0; SUB 80 | A-> 20
4)  é  q    p  0  8  ?  _ LD [b0f5], A; XOR A; LD OR fe; AND 7f | A->7e (_ is space)
5)  é  1  2  p 'v  9  . 9 LD [f7f8], A; XOR A; SUB ff; ADD SP, ff | A->01
6)  é  Z  'l 'l 'l 'l  5 LD [99f1], A; POP DE; POP DE; POP DE; POP DE |  ( is mult)
7)  x 'm 'm  OR A; JP NC, [{7e}f5]


Execute using the usual Quagsire holding TM02 with Return as its first move (start execution from the second character of the first box name).

Level, nickname, OT, DVs, etc. will be the same as those of the Pokémon that were in those slots before (0/empty for a new box).
For Celebi with its level 1 moveset, use the following quantities in the appropriate places:

Species:
Celebi 251/4
Item:
Lucky Egg 126/129
Moveset Level 1:
Leech Seed 73/182
Recover 105/150
Confusion 93/162
Heal Bell 215/40
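As an added example (my code, not spamviech's), the following Python assembles the kept quantities above into the byte stream the game executes and runs it on a small interpreter covering only the SM83 (Game Boy CPU) instructions the table uses, so the effect of the two loops can be checked without a cartridge. Assumptions: the (species)/(item)/(move) placeholders are filled with the Celebi values listed above, memory is a plain dict, and the box layout read back (count byte, species list, $FF terminator, 32-byte entries) is taken from the code's own arithmetic; the two early stores land in the $0000-$1FFF and $4000-$5FFF ranges, which I read as the MBC SRAM-enable and RAM-bank-select registers.

```python
# Added example (not code from the post): assemble spamviech's keep/deposit
# TM table into the byte stream the game executes, then run it on a small
# interpreter for just the SM83 instructions it uses.  The (species), (item)
# and (moveN) placeholders are filled with the Celebi quantities the post
# gives; memory is a plain dict standing in for the address space.

CELEBI = {"species": 251, "item": 126,
          "move1": 73, "move2": 105, "move3": 93, "move4": 215}

# (slot, quantity kept).  The deposited amount in the post is always
# 255 - kept, which deposit_for() reproduces; placeholders are strings.
KEEP_TABLE = [
    ("TM01", 62), ("TM02", 10), ("TM03", 234), ("TM04", 255), ("TM05", 0),
    ("TM06", 62), ("TM07", 1), ("TM08", 234), ("TM09", 255), ("TM10", 64),
    ("TM11", 33), ("TM12", 108), ("TM13", 173), ("TM14", 1), ("TM15", 26),
    ("TM16", 0), ("TM17", 62), ("TM18", 20), ("TM19", 87), ("TM20", 95),
    ("TM21", 34), ("TM22", 62), ("TM23", "species"), ("TM24", 34),
    ("TM25", 21), ("TM26", 32), ("TM27", 252), ("TM28", 54), ("TM29", 255),
    ("TM30", 35), ("TM31", 87), ("TM32", 122), ("TM33", 34),
    ("TM34", 62), ("TM35", "item"), ("TM36", 34),
    ("TM37", 62), ("TM38", "move1"), ("TM39", 34),
    ("TM40", 62), ("TM41", "move2"), ("TM42", 34),
    ("TM43", 62), ("TM44", "move3"), ("TM45", 34),
    ("TM46", 62), ("TM47", "move4"), ("TM48", 34),
    ("TM49", 9), ("TM50", 29), ("HM01", 32), ("HM02", 235), ("HM03", 201),
]


def deposit_for(keep):
    """Quantity to deposit so that `keep` of the item stays in the pocket."""
    return 255 - keep


def assemble(table=KEEP_TABLE, fill=CELEBI):
    """Kept quantities, read in pocket order, are the machine code bytes."""
    return bytes(fill[q] if isinstance(q, str) else q for _, q in table)


def run(code):
    """Interpret the opcode subset used by the table until RET.

    Returns (registers, memory).  Only the instructions that actually occur
    in the table are implemented; anything else raises.  Z is tracked only
    for DEC D / DEC E, the two instructions the JR NZ branches depend on.
    """
    r = {"A": 0, "B": 0, "C": 0, "D": 0, "E": 0}
    hl, pc, z, mem = 0, 0, False, {}
    for _ in range(20000):                      # guard against runaway loops
        op = code[pc]
        n8 = code[pc + 1] if pc + 1 < len(code) else 0
        n16 = n8 | (code[pc + 2] << 8) if pc + 2 < len(code) else 0
        if op == 0x3E:   r["A"] = n8; pc += 2                     # LD A, n
        elif op == 0xEA: mem[n16] = r["A"]; pc += 3               # LD [nn], A
        elif op == 0x21: hl = n16; pc += 3                        # LD HL, nn
        elif op == 0x01: r["B"], r["C"] = n16 >> 8, n16 & 0xFF; pc += 3  # LD BC, nn
        elif op == 0x57: r["D"] = r["A"]; pc += 1                 # LD D, A
        elif op == 0x5F: r["E"] = r["A"]; pc += 1                 # LD E, A
        elif op == 0x7A: r["A"] = r["D"]; pc += 1                 # LD A, D
        elif op == 0x22: mem[hl] = r["A"]; hl = (hl + 1) & 0xFFFF; pc += 1  # LD [HL+], A
        elif op == 0x36: mem[hl] = n8; pc += 2                    # LD [HL], n
        elif op == 0x23: hl = (hl + 1) & 0xFFFF; pc += 1          # INC HL
        elif op == 0x09: hl = (hl + (r["B"] << 8 | r["C"])) & 0xFFFF; pc += 1  # ADD HL, BC
        elif op == 0x15: r["D"] = (r["D"] - 1) & 0xFF; z = r["D"] == 0; pc += 1  # DEC D
        elif op == 0x1D: r["E"] = (r["E"] - 1) & 0xFF; z = r["E"] == 0; pc += 1  # DEC E
        elif op == 0x20:                                          # JR NZ, e (signed offset)
            pc += 2
            if not z:
                pc += n8 - 256 if n8 > 127 else n8
        elif op == 0xC9:                                          # RET
            return r, mem
        else:
            raise ValueError(f"opcode {op:#04x} at offset {pc} not in subset")
    raise RuntimeError("no RET reached")


def box_summary(mem, box=0xAD6C, count=20, stride=32):
    """Read the written bytes back in the layout the code's arithmetic implies:
    count byte, species list, $FF terminator, then 32-byte entries (6 bytes
    written, BC=$001A skipped).  The two MBC writes are the stores to $00FF and
    $40FF (SRAM enable / bank select ranges, my reading)."""
    entries = box + 1 + count + 1
    return {
        "mbc_writes": (mem.get(0x00FF), mem.get(0x40FF)),
        "count": mem.get(box),
        "species": [mem.get(box + 1 + i) for i in range(count)],
        "terminator": mem.get(box + 1 + count),
        "first_entry": [mem.get(entries + i) for i in range(6)],
        "last_entry": [mem.get(entries + stride * (count - 1) + i) for i in range(6)],
        "bytes_written": len(mem),
    }


if __name__ == "__main__":
    regs, mem = run(assemble())
    for key, value in box_summary(mem).items():
        print(f"{key}: {value}")
```

Running it shows a count of 20, a species list of twenty 251s closed by $FF, and a first and last entry of 251, 126, 73, 105, 93, 215, i.e. 20 Celebi holding a Lucky Egg with the level 1 moveset; the JR NZ offsets $FC and $EB resolve to the LD [HL+], A and LD A, D the post's comments name, and every deposit figure in the table is 255 minus the kept quantity.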


Edit: fixed a bug which would shift bytes upon releasing/withdrawing of Pokémon.


If you set $D199 to $01, fast text speed will be active and the laggy menu will be fixed.

To do this, end coin case codes with:

p'v9éZ(mult)55
.9'l'l'l'lp'd


Neat. :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-08 16:25:19
The likely issue is that the OAM DMA exploit was executed sometime during that particular boot of the game, and since these opcodes are executed once every frame, you may have overwritten the terminating ret, causing the OAM DMA to crash the game.

Simple answer, reboot and try again. If that doesn't work, please let me know, because that would be rather odd.


Edit: OP deleted his comment, please disregard this.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-08 16:30:26
Thanks for the answer. I realized there were some mistakes, but the good code has the issue too. I'll correct everything and retest; if I still have trouble I'll post again  :P

EDIT: I located the issue and don't have it anymore, but I still have trouble translating some opcodes. At least now I get it, and it may be possible to finish it…

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-08 18:20:51
Somehow, after 9 hours of eating asm, I did it. Many thanks to coffee and Spotify!

This is the French translation of Couldntthinkofaname's code to get any Pokémon in the wild.
EDIT: It took me 5 codes to tame the beast. Maybe it can be done with 4 codes only, but I would be surprised if it can be done with 3.

_ means space
(ID) has to be replaced with the corresponding Pokémon

CODE 1
Ap0Bu'U__
é/2p0Bu'r
é,2é02p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(ID)éA
pA

Commented ASM:

WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F3 F8 LD $F8F3,A \\ $(F8F3)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F4 F8 LD $F8F4,A \\ $(F8F4)=D0
WRAM1:D8D4 EA F6 F8 LD $F8F6,A \\ $(F8F6)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 XX OR $XX \\ A=XX
WRAM1:D8F2 EA 80 50 LD $D0ED,A \\ $(D0ED)=XX

WRAM1:D8F5 AF XOR A \\ A=00 : C=0
WRAM1:D8F6 80 RET NC


CODE 2
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(ID)u'_
éAApA

Commented ASM:

WRAM1:D8C0 AF XOR A  \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 XX OR $XX \\ A=XX
WRAM1:D8F2 DE 7F SBC $7F \\ A=XX-7F
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC


CODE 3:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0zu'(ID)
éAApA

Commented ASM:

WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 B9 OR $B9 \\ A=B9
WRAM1:D8F2 DE XX SBC $XX \\ A=B9-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC


CODE 4:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0Au'(ID)
éAApA

Commented ASM:

WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 80 OR $80 \\ A=80
WRAM1:D8F2 DE XX SBC $XX \\ A=80-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC


CODE 5:
Ap0Bu'U__
é02p0Bu'r
é12é32p_
0Bu'péJ9p
0(male)éK9p02
éL9p0(male)u'(ID)
éAApA

Commented ASM:

WRAM1:D8C0 AF XOR A \\ A=00 : C=0
WRAM1:D8C1 F6 81 OR $81 \\ A=81
WRAM1:D8C3 DE 94 SBC $94 \\ A=ED : C=1
WRAM1:D8C5 7F LD A,A
WRAM1:D8C6 7F LD A,A
WRAM1:D8C7 50 LD D,B

WRAM1:D8C8 EA F6 F8 LD $F8F6,A \\ $(F8F6)=ED
WRAM1:D8CB AF XOR A \\ A=00 : C=0
WRAM1:D8CC F6 81 OR $81 \\ A=81
WRAM1:D8CE DE B1 SBC $B1 \\ A=D0 : C=1
WRAM1:D8D0 50 LD D,B

WRAM1:D8D1 EA F7 F8 LD $F8F7,A \\ $(F8F7)=D0
WRAM1:D8D4 EA F9 F8 LD $F8F9,A \\ $(F8F9)=D0
WRAM1:D8D7 AF XOR A \\ A=00 : C=0
WRAM1:D8D8 7F LD A,A
WRAM1:D8D9 50 LD D,B

WRAM1:D8DA F6 81 OR $81 \\ A=81
WRAM1:D8DC DE AF SBC $AF \\ A=D2 : C=1
WRAM1:D8DE EA 89 FF LD $FF89,A \\ $(FF89)=D2
WRAM1:D8E1 AF XOR A \\ A=00 : C=0
WRAM1:D8E2 50 LD D,B

WRAM1:D8E3 F6 EF OR $EF \\ A=EF
WRAM1:D8E5 EA 8A FF LD $FF8A,A \\ $(FF8A)=EF
WRAM1:D8E8 AF XOR A \\ A=00 : C=0
WRAM1:D8E9 F6 F8 OR $F8 \\ A=F8
WRAM1:D8EB 50 LD D,B

WRAM1:D8EC EA 8B FF LD $FF8B,A \\ $(FF8B)=F8
WRAM1:D8EF AF XOR A \\ A=00 : C=0
WRAM1:D8F0 F6 EF OR $EF \\ A=EF
WRAM1:D8F2 DE XX SBC $XX \\ A=EF-XX
WRAM1:D8F4 50 LD D,B

WRAM1:D8F5 EA 80 80 LD $D0ED,A \\ $(D0ED)=XX ; victory!
WRAM1:D8F8 AF XOR A \\ A=00 : C=0
WRAM1:D8F9 80 RET NC


Here is the table of the Pokémon you can get per code. For codes 3 to 5 I only wrote the Pokémon that are not in the previous columns:
https://pastebin.com/W9Pe82uG

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-08 18:27:10
Glad everything worked out  :) 

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-09 05:36:24
Thanks Couldntthinkofaname! I've updated the previous post with the codes and asm.

Below is the variant of Crystal_'s OAM DMA Hijacking method adapted from MAP's pastebin. I cut it from the guide, and link it from there to here, so both methods are given with links.

Use 'IV.2: GET ANY TM/HM x255 CODE' to get TM09, unless you already have it.

Give TM09 to hold to Quagsire, instead of TM02, and save.

Rename Box 2 to Box 10 as follows:
p'va'vbé!2 (English game) or p°a°bé!2 (Italian and Spanish game)
'v[é?2'v85 (English game) or °[é?2°85 (Italian and Spanish game)
é22'v3é02 (English game) or é22°3é02 (Italian and Spanish game)
hhh222hh
's82hhhéé (English game) or ó82hhhéé (Italian and Spanish game)
'd2G2h'd (English game) or ì2G2hì (Italian and Spanish game)
's02hé,2h (English game) or ó02hé,2h (Italian and Spanish game)
's02hé/2h (English game) or ó02hé/2h (Italian and Spanish game)
's02'd (English game) or ó02ì (Italian and Spanish game)
NOTE: As of now, to my knowledge there is no equivalent to this for French games.

Save.

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.22]]

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.23__ while replacing __ with the characters corresponding to the wanted Pokémon in the following table (Pk and Mn are single available symbols, not "P followed by k"):
AA ????? (n°000)
AB Bulbasaur
BB Ivysaur
BC Venusaur
CC Charmander
CD Charmeleon
DD Charizard
DE Squirtle
EE Wartortle
EF Blastoise
FF Caterpie
FG Metapod
GG Butterfree
GH Weedle
HH Kakuna
HI Beedrill
II Pidgey
IJ Pidgeotto
JJ Pidgeot
JK Rattata
KK Raticate
KL Spearow
LL Fearow
LM Ekans
MM Arbok
MN Pikachu
NN Raichu
NO Sandshrew
OO Sandslash
OP Nidoran
PP Nidorina
PQ Nidoqueen
QQ Nidoran
QR Nidorino
RR Nidoking
RS Clefairy
SS Clefable
ST Vulpix
TT Ninetales
TU Jigglypuff
UU Wigglytuff
UV Zubat
VV Golbat
VW Oddish
WW Gloom
WX Vileplume
XX Paras
XY Parasect
YY Venonat
YZ Venomoth
ZZ Diglett
Z( Dugtrio
(( Meowth
() Persian
)) Psyduck
): Golduck
:: Mankey
:; Primeape
;; Growlithe
;[ Arcanine
[[ Poliwag
[] Poliwhirl
]] Poliwrath
]a Abra
aa Kadabra
ab Alakazam
bb Machop
bc Machoke
cc Machamp
cd Bellsprout
dd Weepinbell
de Victreebel
ee Tentacool
ef Tentacruel
ff Geodude
fg Graveler
gg Golem
gh Ponyta
hh Rapidash
hi Slowpoke
ii Slowbro
ij Magnemite
jj Magneton
jk Farfetch'd
kk Doduo
kl Dodrio
ll Seel
lm Dewgong
mm Grimer
mn Muk
nn Shellder
no Cloyster
oo Gastly
op Haunter
pp Gengar
pq Onix
qq Drowzee
qr Hypno
rr Krabby
rs Kingler
ss Voltorb
st Electrode
tt Exeggcute
tu Exeggutor
uu Cubone
uv Marowak
vv Hitmonlee
vw Hitmonchan
ww Lickitung
wx Koffing
xx Weezing
xy Rhyhorn
yy Rhydon
yz Chansey
zz Tangela
?N Kangaskhan
?O Horsea
?P Seadra
?Q Goldeen
?R Seaking
?S Staryu
?T Starmie
?U Mr. Mime
?V Scyther
?W Jynx
?X Electabuzz
?Y Magmar
?Z Pinsir
?( Tauros
?) Magikarp
?: Gyarados
?; Lapras
?[ Ditto
?] Eevee
?a Vaporeon
?b Jolteon
?c Flareon
?d Porygon
?e Omanyte
?f Omastar
?g Kabuto
?h Kabutops
?i Aerodactyl
?j Snorlax
?k Articuno
?l Zapdos
?m Moltres
?n Dratini
?o Dragonair
?p Dragonite
?q Mewtwo
?r Mew
?s Chikorita
?t Bayleef
?u Meganium
?v Cyndaquil
?w Quilava
?x Typhlosion
?y Totodile
?z Croconaw
9b Feraligatr
9c Sentret
9d Furret
9e Hoothoot
9f Noctowl
9g Ledyba
9h Ledian
9i Spinarak
9j Ariados
9k Crobat
9l Chinchou
9m Lanturn
9n Pichu
9o Cleffa
9p Igglybuff
9q Togepi
9r Togetic
9s Natu
9t Xatu
9u Mareep
9v Flaaffy
9w Ampharos
9x Bellossom
9y Marill
9z Azumarill
'r? Sudowoodo
's? Politoed
't? Hoppip
'v? Skiploom
'v! Jumpluff
'v. Aipom
'v& Sunkern
'vé Sunflora
'm$ Yanma
PkPk Wooper
PkMn Quagsire
MnMn Espeon
Mn- Umbreon
– Murkrow
Pk? Slowking
Mn? Misdreavus
-? Unown
-! Wobbuffet
Mn& Girafarig
?? Pineco
?! Forretress
!! Dunsparce
!. Gligar
.. Steelix
.& Snubbull
&& Granbull
Mn Qwilfish
Pk/ Scizor
Pk, Shuckle
Pk Heracross
Pk0 Sneasel
Mn0 Teddiursa
?/ Ursaring
?, Slugma
? Magcargo
?0 Swinub
!0 Piloswine
.0 Corsola
.1 Remoraid
.2 Octillery
.3 Delibird
.4 Mantine
.5 Skarmory
.6 Houndour
.7 Houndoom
.8 Kingdra
.9 Phanpy
3 Donphan
4 Porygon2
5 Stantler
6 Smeargle
00 Tyrogue
01 Hitmontop
11 Smoochum
12 Elekid
22 Magby
23 Miltank
33 Blissey
34 Raikou
44 Entei
45 Suicune
55 Larvitar
56 Pupitar
66 Tyranitar
67 Lugia
77 Ho-oh
78 Celebi
88 ????? (n°252)
89 Egg
99 ????? (n°254)
A ????? (n°255) (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.335

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.3401

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.44..

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows: !.45-?

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?e22 (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?f!. (Be careful, there's a space before A)

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case).

Rename Box 1 (using Wrong Pocket TM ACE) or Box 9 (using Coin Case ACE) as follows:  A?dPkMn (Be careful, there's a space before A; also, Pk and Mn are single available symbols, not "P followed by k")

Use TM17 from the Wrong Pocket (or follow steps 4 to 8 in chapter II if you use Coin Case) while making sure the 'Slide Pokémon' and Quagsire with RETURN and TM09 are placed in the right spots (1 and 2 for TM ACE, 3 and 4 for Coin Case). The wanted Pokémon can now be found in the wild with a 100% encounter rate.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-10 10:20:53
As a resident German person, here is a PC item code to give you 255 of every TM/HM so you can use them to write your code.
I don't know if this will work in every European language, but it was the same for German and English, so there is a good chance that it will work.
It is a bit expensive to set up (32 Carbos, etc.): you need TM10 and TM22, which you can only get once, and one Lucky Egg, which is awful to get without glitches, but at least you end up with an easier medium to write code with.

Location to find some of the more specific items:



Use wrong-pocket TM execution with a Quagsire holding HP Up with Sleep Talk as its first move. To get a TM into the wrong pocket, use this guide by luckytyphlosion.
Arrange the Items in your PC in the following way:

Any x Any
Any x 03
Full Restore x 01
Paralyz Heal x 13
Energypowder x 30
Exp_Share x 01
Any x Any
Poké Ball x 38
TM22 x 01
Any x Any
Great Ball x 46
Revival Herb x 03
Dire Hit x 44
Awakening x 34
Ice Heal x 03
Carbos x 32
HM07 x 01
Any x Any
TM10 x Any


German Item names:

Any x Any
Any x 03
Top Genesung x 01
Para-Heiler x 13
Energiestaub x 30
EP-Teiler x 01
Any x Any
Pokéball x 38
TM22 x 01
Any x Any
Superball x 46
Vitalkraut x 03
Angriffsplus x 44
Aufwecker x 34
Eisheiler x 03
Carbon x 32
VM07 x 01
Any x Any
TM10 x Any


Corresponding ASM code (every instruction that uses register B and/or C is filler):

INC BC
LD C, 01
DEC C
DEC C
LD A, C
LD E, 39
LD BC, ...
DEC B
LD H, d5
LD BC, ...
INC B
LD L, 7c
INC L
INC L
INC C
LD [HL+], A
DEC BC
INC BC
DEC E
JR NZ, f9
LD BC, ...
RET


Afterwards, teach your Quagsire Attract (TM45) as its first move and make it hold a Lucky Egg. Your code will then be executed starting from the quantity of TM01 in your TM pocket. Write it by keeping/depositing the desired amount.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-11-10 10:56:43
The only issue I see with that is the difficulty in obtaining the Lucky Egg. I managed to get one in my playthrough, but that was like my first time ever getting it. In G/S, there is a 1% chance for Chansey to appear and an 8% chance for it to be holding a Lucky Egg.

Here's a tip though: on Route 13 in G/S, Chansey comes at level 25, and the highest level of Pokémon you can find on this route is 25 (unlike Crystal, where the highest is 27). So by putting a level 25 Pokémon at the top of the party and using a Max Repel, you avoid the low-level encounters and increase the chances of encountering a Chansey. It's a good tip in general for hunting the annoying 1% encounter rate Pokémon.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-10 16:07:40
True, but I didn't find a way around it at first.
Looked into it again and found a way using Revival Herb (Vitalkraut; same place as EnergyPowder) and Dire Hit (Angriffsplus). :)
I'll update the original post with the change.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-10 16:31:08
Would anyone happen to know of a reference to the German/French charset? I would be happy to assist with translations but unfortunately I only own the English copies of G/S.

From what I understand, it is increasingly difficult to code for the German charset due to a lack of certain characters, but I am uncertain.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-10 16:50:43
Here is one, but it doesn't account for characters that can be represented but not input (e.g. é is not available in German, ' is not available in English).

I doubt box name codes are possible in German if they want to do more than call/jump to pre-existing code.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-10 17:10:50

Here is one, but it doesn't account for characters that can be represented but not input (e.g. é is not available in German, ' is not available in English).

I doubt box name codes are possible in German if they want to do more than call/jump to pre-existing code.

Ah, I see. Thanks for the reference!

I may begin translating some of my codes to French as soon as I wrap up my surprise-release 8F project.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-10 18:11:20
The character set in french is available in this pastebin: https://pastebin.com/W9Pe82uG

Having spent a whole day translating your catch any Pokémon code to french, I can relate that it's annoying af. Most times you can replace sub by sbc because the carry flag is not set, but the lack of ret nc could be a problem (you'll have to use ret c or reti). Sometimes, there is no easy solution and the whole thing has to be remade. If you eventually find the courage to do it, that would be great for us frenchies :D 

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-10 18:23:12

As a resident German person, here is a PC item code to give you 255 of every TM/HM so you can use them to write your code.
I don't know if this will work in every European language, but it was the same for German and English, so there is a good chance that it will work.


Kind of confused here.
To get enough money for 44 Dire Hits I continued playing (up to defeating Red) and the code suddenly stopped working.
Also, using a Lucky Egg-Attract-Quagsire with a simple return code (201 of TM01) crashed my game.

To me this looks like the memory address for TM quantities was changed, but I somehow doubt Nintendo would do this. I need to look a bit more into this one. I'm using the VC version so far, btw.; I will try on an emulator to check what's going on here.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-10 19:41:25
It's unlikely Nintendo would think to change TM addresses, and from what I've seen of the G/S disassembly there is no script capable of doing so.

Here are a few possibilities:

1. If you allowed Mom to save your money, she likely bought an object that screwed up the opcodes.
2. Your slide stopped working due to happiness/EVs.


Regarding the game crash, it's likely the latter issue. Slide Pokémon will eventually stop working once they reach a specific opcode, specifically $10 (stop command), and anything else that otherwise messes with the stack, jumps to unrelated code, etc.

Hope this helps resolve the issue :)


Edit: Disregard this, apparently memory does indeed shift in the UE releases.