Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 21

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-11-12 11:17:57

Didn't try it, but judging from the name maybe it is possible to change available charset while typing. Since you can't access menu there it would have to be done via OAM DMA loop.


I came across that address in the past too. It indeed allows you to change the available characters but it seems 05 and up work as if you're nicknaming a Pokémon (so it will say (POKéMON)'s nickname, display a menu sprite and bring up the characters you can input while nicknaming one), and box names (04) happens to be the best menu in terms of available characters. I may be wrong though.

03 is the unused menu for naming your mother.

[img]https://i.imgur.com/Nputhrt.png[/img]

Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it it may come up as your player's name.

C5D0 appears to look for where the characters are, and moves them to the other buffer/destination like D8BF (box 1 name). In box names the pointer is CEED. Changing values in the buffer at CEED will print characters on the screen.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-12 11:44:23

03 is the unused menu for naming your mother.

[img]https://i.imgur.com/Nputhrt.png[/img]

Mother's name is stored at D1AE and can be returned with the hex:49 control character, but since the Dude's demonstration overwrites it it may come up as your player's name.


Normally this should go the other way around. :XD:


Mail charset appears to have the most characters. Was hoping to get it available to name boxes.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-11-12 11:53:28

Mail charset appears to have the most characters. Was hoping to get it available to name boxes.


Oh, I overlooked the mail character set. Thanks! Yeah. C5D4 was 48 while on the mail naming screen, but sadly attempting to name a box came up with the Pokémon nickname screen when 0148D4C5 was enabled instead. :(

In theory though, with some work we can bring up the mail menu with a custom destination with OAM DMA hijacking to execute with TM17, TM25 etc. upon pressing a button (e.g. B) instead. It may not be worth it, but would be interesting to do.

Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-12 13:09:38

Thinking about it, it would be good to port offgao's memory editor from Generation I over to Generation II.


I was toying around with the idea of a memory editor GUI for gen 2. In fact, this project was originally meant for G/S, but for whatever reason I ditched the idea and made it for R/B instead.

I don't see why it wouldn't work, but we would need to find a large portion of unused/mostly unused data, similar to $D901 from R/B/Y.

Also, it's worth noting that the tilemap in G/S works differently from its gen 1 counterpart. Rather than accepting direct writes to $C3A0 and onward, it is required to call internal subroutine $0F74, with the pointer to the desired tiles into register "de".

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-12 15:24:45


As a resident German person here is a PC item code to give you 255 of every TM/HM so you can use them to write your code.
Don't know if this will work on every European language, but it was the same for German and English so there is a good chance that it will work.


Kind of confused here.
To get enough money for 44 Dire Hits I continued playing (up to defeating Red) and the code suddenly stopped working.
Also, using a Lucky Egg-Attract-Quagsire with a simple return code (201 of TM01) crashed my game.

To me this looks like the memory address for TM quantities was changed, but I somehow doubt Nintendo would do this. Need to look a bit more into this one. I'm using VC version so far btw., will try on emulator to check what's going on here.


I think I screwed up somewhere on my first try. Probably deposited an additional TM22 or something.
Anyway, beat up Red again and the Box Item Code to maximize TMs still worked without problems.  :)


Edit:
Successfully executed my code to fill your box on German VC version. :)
Note: Be careful when withdrawing/releasing a Pokémon created this way. For a previously empty box it shifted some bytes for the remaining Pokémon in the box (item becomes species, etc.) and I'm not sure when it stops.
I'll try to improve the code so this effect vanishes.
[size=8pt]Successfully fixed that bug. :) Still trying to improve the code.[/size]

Since box name codes aren't available, first use this TM quantity code (Quagsire, Lucky Egg, Attract) to set HM01-HM03 quantities:

TM01 62/193 LD A, 20
TM02 32/223
TM03 234/21 LD [b0f5], A
TM04 176/79
TM05 245/10
TM06 62/193 LD A, eb
TM07 235/20
TM08 234/21 LD [b1f5], A
TM09 177/79
TM10 245/10
TM11 62/193 LD A, c9
TM12 201/54
TM13 234/21 LD [b2f5], A
TM14 178/79
TM15 245/10
TM16 201/54 RET

Afterwards, use this slightly adjusted box item code (Quagsire, HP-UP, Sleep Talk) to maximize quantities for TM01-TM49 (leave HM-quantities untouched):

Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 30 LD A, C; LD E, 31
X-Attack x 01 LD BC, ...
Any x Any
Great Ball x 38 INC B; LD H, d5
TM22 x 01 LD BC, ...
Any x Any
Poké Ball x 46 DEC B; LD L, 7c
Revival Herb x 03 INC BC
Dire Hit x 44 INC L; INC L
Awakening x 34 INC C; LD [HL+], A
Ice Heal x 03 DEC BC; INC BC
Carbos x 32 DEC E; JR NZ, f9
HM07 x 01 LD BC, ...
Any x Any
TM10 x Any RET

Finally, use this TM quantity code to fill your box:

TM01 62/193 LD A, 0a
TM02 10/245
TM03 234/21 LD [ff00], A | A->0a
TM04 255/0
TM05 0/255
TM06 62/193 LD A, 01
TM07 01/254
TM08 234/21 LD [ff40], A | A->00
TM09 255/0
TM10 64/191
TM11 33/222 LD HL, 6cad | HL->ad6c
TM12 108/147
TM13 173/82
TM14 1/254 LD BC, 1a00 | BC->001a
TM15 26/229
TM16 0/255
TM17 62/193 LD A, 14 | A->14
TM18 20/235
TM19 87/168 LD D, A
TM20 95/160 LD E, A
TM21 34/221 LD [HLI], A
TM22 62/193 LD A, (species)
TM23 (species)/
TM24 34/221 LD [HLI], A
TM25 21/234 DEC D
TM26 32/223 JR NZ, fc | (Loop back to last LD [HLI], A)
TM27 252/3
TM28 54/201 LD [HL], ff
TM29 255/0
TM30 35/220 INC HL
TM31 87/168 LD D, A
TM32 122/133 LD A, D
TM33 34/221 LD [HLI], A
TM34 62/193 LD A, (item)
TM35 (item)/
TM36 34/221 LD [HLI], A
TM37 62/193 LD A, (move1)
TM38 (move1)/
TM39 34/221 LD [HLI], A
TM40 62/193 LD A, (move2)
TM41 (move2)/
TM42 34/221 LD [HLI], A
TM43 62/193 LD A, (move3)
TM44 (move3)/
TM45 34/221 LD [HLI], A
TM46 62/193 LD A, (move4)
TM47 (move4)/
TM48 34/221 LD [HLI], A
TM49 9/246 ADD HL, BC
TM50 29/226 DEC E
HM01 32/223 JR NZ, eb | (Loop Back to LD A, D)
HM02 235/20
HM03 201/54 RET

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-13 08:23:06

I believe I have successfully translated my "Get All Badges" code into French. If anyone wouldn't mind testing this, please tell me if it works.

Get All Badges (French version):
Apu'Dés'25
pu'Eéu'209
55555555
éA(female)éA(female)08
u'9m'55555

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-13 08:42:00

It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!

It does only give Johto badges though, but that was also in the original code, right?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-13 09:18:39

It works, thank you very much as it spares me from doing this translation for PRAMA  ;D!

It does only give Johto badges though, but that was also in the original code, right?


Yes, this was the original code.

It was intended to grant all badges but for whatever reason this doesn't work, on the English version or otherwise.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-13 10:33:02

Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.

All Wild Pokemon have flawless DVs (French version):
ApAu'oéJ9
p0(female)éK955
p02éL955
p0Au'qé62
é32u'9m'55
55555555
09é(female)Aé0A
pu'9m'5555

If you would like to test this on emulator, wild Pokemon DVs are located at $D0F5-$D0F6. If both these values are $FF, then the code was successful.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-13 11:16:39


The mail might be stored in SRAM, but can't you make a setup that copies mail data into WRAM and executes it?
For extra easiness, copy backwards.

ld de, MailDataEnd
ld hl, TempStorage
ld c, length
.loop
ld a, [de]
dec de
ld [hld], a
dec c
jr nz, .loop
inc hl
jp [hl]



Need to unlock SRAM and find mail data there first, but should be possible.
You'd also need a large enough space of temp data to store your code without destroying everything.
Had the same idea, but didn't bother to code it so far. Might look into it a bit more.


According to some BGB testing mailbox data starts in SRAM bank 0 at $a834 with the current mailbox count (consistent with the crystal sram disassembly).
Afterwards the first message starts. Between Message 1 and 2 there are some bytes which probably hold extra data like mail type and source name.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-13 15:06:09

For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-13 15:36:05

For the large space, you should check, but IIRC the space at DF00-DF80 is left unused. 128 bytes is still a neat quantity, isn't it?


Quite a neat quantity, thank you for finding it!

Unfortunately, my memory editor exceeded 200 bytes. I'm certain I can take some liberties here and there but it's still quite the task.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-13 18:07:30

Try checking a bit before. Maybe some memory before DF00 is also unused.
If your editor's size is less than 256 bytes, that's better ('cause it could be copied using a 1-byte length loop, which is slightly easier to program)
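As an added example (Python, not Game Boy code, and not from either poster), the following models the backward copy loop quoted in spamviech's post above together with ISSOtm's point about a 1-byte length counter: it walks `de` down from MailDataEnd and `hl` down from TempStorage, shows why the final `inc hl` is needed to land on the first copied byte, and checks whether the copied block stays inside the DF00-DF80 region ISSOtm mentioned. The free-region bounds and the SRAM addresses of the sample payload are assumptions for the model; SRAM unlocking and banking are outside it.

```python
"""Model of a backward 'ld a,[de] / dec de / ld [hld],a / dec c / jr nz' copy."""

FREE_START = 0xDF00  # region ISSOtm suggested in the thread (DF00-DF80, IIRC)
FREE_END = 0xDF7F    # assumption: last byte of that region, used as TempStorage


def backward_copy(mem, mail_data_end, temp_storage, length):
    """Emulate the posted loop on a dict-backed address space.

    mem maps address -> byte and stands in for the whole address space (no
    SRAM enable or bank switching is modelled). Returns (entry_address,
    bytes_copied), where entry_address is hl after the trailing 'inc hl'.
    """
    de, hl = mail_data_end, temp_storage
    c = length & 0xFF            # 'ld c, length': C is 8-bit, so 0 means 256 iterations
    copied = 0
    while True:
        a = mem.get(de, 0x00)    # ld a, [de]
        de = (de - 1) & 0xFFFF   # dec de
        mem[hl] = a              # ld [hld], a  (store, then decrement hl)
        hl = (hl - 1) & 0xFFFF
        copied += 1
        c = (c - 1) & 0xFF       # dec c
        if c == 0:               # jr nz, .loop
            break
    hl = (hl + 1) & 0xFFFF       # inc hl: the loop leaves hl one below the lowest
    return hl, copied            # byte written, so step back onto the entry point


def fits_in_free_region(temp_storage, length, free_start=FREE_START):
    """True if a copy of `length` bytes ending at temp_storage stays >= free_start."""
    n = (length & 0xFF) or 256   # same 8-bit wrap as the loop counter
    return temp_storage - (n - 1) >= free_start


def demo():
    # Constructed sample: 16 payload bytes pretending to live in SRAM at $A900-$A90F
    payload = bytes(range(0x10))
    mail_start = 0xA900
    mem = {mail_start + i: b for i, b in enumerate(payload)}
    entry, n = backward_copy(mem, mail_start + len(payload) - 1, FREE_END, len(payload))
    copied = bytes(mem[entry + i] for i in range(n))
    return entry, copied


if __name__ == "__main__":
    entry, copied = demo()
    print(f"entry ${entry:04X}, copied {copied.hex(' ')}")
    for n in (16, 128, 129, 0):
        print(f"length {n:3}: fits in DF00-DF7F? {fits_in_free_region(FREE_END, n)}")
```

Two things the model makes visible: copying backwards reproduces the bytes in their original order (only the walk direction is reversed), and a length of 0 or anything above 128 runs the destination below DF00, so a sub-256-byte editor must also be sized against the region, not only against the counter.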

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-14 04:32:31

Provided the OAM DMA is in the same place as in English, this code should work for French versions as well.


AFAIK it does (otherwise my translation of your catch 'em all code wouldn't have worked, right?) but I'll test your code today, just to be sure :p

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-14 06:46:12

Made a quick test with available mail characters. Inputting basically every special character (see attachment) yielded the following memory in SRAM:
E1 E2 70 71 EA EF F5 F0 75 F1 E7 E6 F4 7F E8 E3 4E F3 72 73 9E 9F E0 9C 9D D0 D1 D2 D3 D4 D5 D6 E9 86 8E 8B 83 50
Note: Player Name is Gold.
It appears as long as you use every character the mail is not terminated by a 50h, but is directly followed by its type and the name of the sender.
Also, there is a 4e in the middle to cause a line break.
Aside from various commands to load the different registers into (hl) (the 7x bunch) I don't see anything useful added. And even those are hard to use, since you can't influence these registers with character code.  :-\

Edit:
oh, accidentally attached twice.  ::) Sorry.