Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 20

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-10 20:06:11
The memory is shifted in UE releases. Not sure how exactly, though, but it's definitely shifted.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-10 20:15:57
That's very interesting; I have never seen anything similar on any other Game Boy title. Maybe this was designed to discourage use of the GameShark?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-11 05:31:22
No, it's actually very common that European releases have a slightly different memory layout than US releases. This is the case for all Pokémon games (at least until Gen IV), as well as other GB titles, which I'm not going to list because :p

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-11 18:58:13
What confuses me here is that it worked before (with the Lucky Egg, but even that version stopped working) and suddenly stopped after beating a bunch of gym leaders, the Elite 4 and Red (iirc).
Also, from what I have seen with my limited knowledge using BGB, TMs seem to be in the same location.

Anyway, here is a PC Item code (Quagsire, HP-Up, Sleep Talk) to give you lots of money. Basically sets the first money byte ($d573) to ff.
Should make acquiring the Carbos a bit easier.

Any x Any
Any x 03
Full Restore x 01
Paralyz Heal x 13
Energypowder x 38
TM22 x 01
Any x Any
Poké Ball x 46
Rage Candy Bar x 44
Great Ball x 34
TM10 x Any


ASM representation:

INC BC
LD C, 01
DEC C
DEC C
LD A, C
LD H, d5
LD BC, ...
DEC B
LD L, 72
INC L
INC B; LD [HL+], A
RET
Reset my VC savegame (well, one of them) to test a bit more. This one worked on german Silver VC version.

Edit:
Maximize TM-quantities worked as well.
Guess it's time to beat up Red again and see if VC is weird and it will stop working again. \(-_-)/

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-11 20:41:57
Just noticed that you can input a lot more characters when writing a mail.
Since it is stored in SRAM (according to this, at least in Crystal, and I would assume it's similar in Gold/Silver) and I remember reading somewhere that there are some problems with it concerning VC, I'm not too sure how useful this really is.
At least I found a place where I can input é in the German version. I even found an ï character (two dots i for double the fun  8)).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Parzival
Date: 2017-11-11 21:27:14
VC + SRAM exec = VC freaks the hell out, crashes, then erases your save next boot. Source: ISSOtm's testing.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-12 05:52:39
As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-12 05:56:26

As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:


I'm also interested, as making code translations into French is going to be difficult if I can't pinpoint exactly what I'm editing.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-12 06:02:28

VC + SRAM exec = VC freaks the hell out, crashes, then erases your save next boot. Source: ISSOtm's testing.


Ok, so utterly impossible to use this. Thanks.
I recall reading something like this before, but wasn't sure.


As I've seen only matches between US memory addresses and European ones (as well as codes working in both), I'm interested in knowing exactly what is shifted, because I honestly didn't know that  :???:


From what I've seen so far, you have to be careful with codes that call something.
Party Pokémon, money, items, PC items, etc. seem to be in the same location, so most codes that write stuff directly should be fine.
Had some issues with TM quantities though, but I still need to confirm whether that was just VC being weird, me being stupid, or a real issue.
Also, stuff like room decorations, Trainer ID, etc. might be different. Haven't looked into this one. Same for any OAM DMA loop codes.


Edit:
To add to my previous posts, here is a PC Item Code for wrong-pocket TM execution to change the item of your first party Pokémon to a Lucky Egg.

Give Lucky Egg to first Pokémon ($da2b):
Any x Any
Any x 3             INC BC
Poké Ball x 38      DEC B; LD H, da
TM27 x 3            INC BC
Fresh Water x 43    LD L, 2b
Great Ball x 22     INC B; LD D, 7c
Revival Herb x 03   INC BC
Repel x 20          INC D; INC D
Energy Root x 34    LD A, D; LD [HL+], A
TM10 x Any          RET

Tested on the German VC version, but I don't see any reason why it shouldn't work on the English version. Don't know about other European languages, but it should be fine as well.
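
As an added check (not code from any of the posts), here is a tiny interpreter for the handful of Game Boy opcodes that the two PC Item codes in this thread (the money code and the Lucky Egg code) decode to; the byte strings are hand-assembled from the posters' ASM listings using the standard SM83 encodings, with a labelled placeholder for the "LD BC, ..." immediate the money post leaves open.

```python
# Added example: minimal interpreter for the opcodes used by the two item codes.
# Assumed: standard SM83 encodings; the "Any x Any" slot bytes are a placeholder.

def run(code):
    """Execute `code` (bytes) from offset 0 until RET.
    Returns (registers, memory_writes) with memory_writes as {addr: value}."""
    r = {"a": 0, "b": 0, "c": 0, "d": 0, "h": 0, "l": 0}
    mem = {}
    pc = 0
    while pc < len(code):
        op = code[pc]; pc += 1
        if op == 0x03:                        # INC BC (16-bit, wraps)
            bc = (((r["b"] << 8) | r["c"]) + 1) & 0xFFFF
            r["b"], r["c"] = bc >> 8, bc & 0xFF
        elif op == 0x01:                      # LD BC, nn: swallows the next two bytes
            r["c"], r["b"] = code[pc], code[pc + 1]
            pc += 2
        elif op in (0x04, 0x14, 0x2C):        # INC B / INC D / INC L
            reg = {0x04: "b", 0x14: "d", 0x2C: "l"}[op]
            r[reg] = (r[reg] + 1) & 0xFF
        elif op in (0x05, 0x0D):              # DEC B / DEC C
            reg = {0x05: "b", 0x0D: "c"}[op]
            r[reg] = (r[reg] - 1) & 0xFF
        elif op in (0x0E, 0x16, 0x26, 0x2E):  # LD C,n / LD D,n / LD H,n / LD L,n
            reg = {0x0E: "c", 0x16: "d", 0x26: "h", 0x2E: "l"}[op]
            r[reg] = code[pc]; pc += 1
        elif op in (0x79, 0x7A):              # LD A, C / LD A, D
            r["a"] = r["c" if op == 0x79 else "d"]
        elif op == 0x22:                      # LD [HL+], A: store, then HL += 1
            hl = (r["h"] << 8) | r["l"]
            mem[hl] = r["a"]
            hl = (hl + 1) & 0xFFFF
            r["h"], r["l"] = hl >> 8, hl & 0xFF
        elif op == 0xC9:                      # RET: end of the item code
            break
        else:
            raise ValueError(f"opcode {op:#04x} is not modelled")
    return r, mem

# Money code: INC BC; LD C,01; DEC C; DEC C; LD A,C; LD H,d5; LD BC,nn; DEC B;
# LD L,72; INC L; INC B; LD [HL+],A; RET. nn = the "Any x Any" slot (placeholder 00 00).
MONEY_CODE = bytes([0x03, 0x0E, 0x01, 0x0D, 0x0D, 0x79, 0x26, 0xD5, 0x01, 0x00,
                    0x00, 0x05, 0x2E, 0x72, 0x2C, 0x04, 0x22, 0xC9])

# Lucky Egg code, from the per-item ASM column of the later post.
LUCKY_EGG_CODE = bytes([0x03, 0x05, 0x26, 0xDA, 0x03, 0x2E, 0x2B, 0x04, 0x16,
                        0x7C, 0x03, 0x14, 0x14, 0x7A, 0x22, 0xC9])

if __name__ == "__main__":
    print(run(MONEY_CODE)[1], run(LUCKY_EGG_CODE)[1])
```

Running it shows the money code storing $ff at $d573 and the Lucky Egg code storing $7e (7c plus two INC D) at $da2b, matching what the posts claim; the placeholder BC value never reaches a store, so it does not affect the result.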

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-12 07:52:05
The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.

ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]
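
A Python model of the backward copy loop above, added here as an illustration (not code from the post), to show where the copied bytes land and why the trailing `inc hl` is needed; the mail bytes and both addresses are constructed samples, since the thread does not give the real SRAM location of mail data.

```python
# Added example: model of the posted backward copy loop.
# Assumed: MailDataEnd / TempStorage are placeholder addresses chosen here.

def copy_backwards(mem, mail_data_end, temp_storage, length):
    """de counts down from MailDataEnd, hl counts down from TempStorage,
    one byte per iteration, `length` (8-bit) times. Returns the address
    left in hl after `inc hl`, i.e. the target of `jp [hl]`."""
    de, hl, c = mail_data_end, temp_storage, length & 0xFF
    while True:
        mem[hl] = mem[de]            # ld a, [de] ; ld [hld], a
        de -= 1                      # dec de
        hl -= 1                      # post-decrement of [hld]
        c = (c - 1) & 0xFF           # dec c (c == 0 wraps: 256 iterations)
        if c == 0:                   # jr nz, .loop
            break
    return hl + 1                    # inc hl -> lowest byte of the copy

def demo():
    """Copy a constructed 7-byte payload and return (entry, copied_bytes)."""
    payload = bytes([0x3E, 0x7E, 0x21, 0x2B, 0xDA, 0x77, 0xC9])  # sample bytes
    mail_end, temp = 0xA6A5, 0xD000                             # placeholders
    # lay the payload out so that its last byte sits at MailDataEnd
    mem = {mail_end - len(payload) + 1 + i: b for i, b in enumerate(payload)}
    entry = copy_backwards(mem, mail_end, temp, len(payload))
    copied = bytes(mem[entry + i] for i in range(len(payload)))
    return entry, copied

if __name__ == "__main__":
    entry, copied = demo()
    print(f"entry ${entry:04x}", copied.hex())
```

Note that TempStorage is the highest byte of the destination: the copy occupies TempStorage-length+1 through TempStorage, and after the loop hl sits one byte below that range, which the `inc hl` corrects before the jump.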

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-12 08:24:59
The OAM DMA thing of Crystal_ (and your version, Couldntthinkofaname) works in French and Italian games, once adapted for character issues.

I've used codes to edit several points in WRAM before in French or Italian games (Trainer ID, items, Pokémon, etc.) using exactly the same addresses as English games, so maybe the whole WRAM is exactly the same in English and European games, and you can use OAM DMA the same way in both too, but things in other parts of the memory are different.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-12 09:08:38

The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.

ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]



Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.


The OAM DMA thing of Crystal_ (and your version, Couldntthinkofaname) works in French and Italian games, once adapted for character issues.

I've used codes to edit several points in WRAM before in French or Italian games (Trainer ID, items, Pokémon, etc.) using exactly the same addresses as English games, so maybe the whole WRAM is exactly the same in English and European games, and you can use OAM DMA the same way in both too, but things in other parts of the memory are different.


The code that is called in the box name variant to maximize TM quantities ($314c) is shifted a few bytes earlier in the German version. Easiest approach for now is probably to just try whether the code adjusted for the local charset with the same memory addresses works. Chance seems to be reasonably high. :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Skeef
Date: 2017-11-12 09:37:35


The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.

ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]



Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.


Daycare memory? In Gen 1 it does not reset when you turn off the game; not sure if it does so in Gen 2 though.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-11-12 09:42:37
I think Generation II Day Care memory stays.

The only potential difficulties I see are if the Day Care couple produce an Egg after walking around and this messes up your code (or you overload the party with ????? party overloading, corrupting this data). There are also values around this region that may increase or decrease every step (maybe experience and/or the number of steps left for an Egg).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-12 10:32:09
According to this, the time until creating a new Egg is $dc78, which is right in the middle of the Day Care data.

I think party pokémon OT and nicknames would be the best bet here. Unless you just want to overwrite box names.
Other than that, you can still use bag/pc items & quantities.

$DB4A to $DB54 = First Pokemon Name OT
$DB55 to $DB5F = Second Pokemon Name OT
$DB60 to $DB6A = Third Pokemon Name OT
$DB6B to $DB75 = Fourth Pokemon Name OT
$DB76 to $DB80 = Fifth Pokemon Name OT
$DB81 to $DB8B = Sixth Pokemon Name OT
$DB8C to $DB96 = First Pokemon Name
$DB97 to $DBA1 = Second Pokemon Name
$DBA2 to $DBAC = Third Pokemon Name
$DBAD to $DBB7 = Fourth Pokemon Name
$DBB8 to $DBC2 = Fifth Pokemon Name
$DBC3 to $DBCD = Sixth Pokemon Name


What is also interesting are these two addresses:

wNamingScreenDestinationPointer:: dw ; c5d0
wNamingScreenType:: ds 1 ; c5d4

Didn't try it, but judging from the name, maybe it is possible to change the available charset while typing. Since you can't access the menu there, it would have to be done via an OAM DMA loop.