Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 22

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: ISSOtm
Date: 2017-11-14 18:47:37
You can set b and d by pushing and popping cleverly. I agree it doesn't add much, but it still has potential if a large script is ever needed, such as a GUI memory editor (offgao's being the reference for this in Gen I)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-15 11:19:34
Hey all, I remade my Catch 'em all code into a TM quantity script. It is considerably more lengthy, but it has some benefits over the original.

First, use Evie's x255 TM code.

After which, spell the following opcodes with TM quantities:

Keep/Deposit:
62/193
(SpeciesId)/(255 - SpeciesId)    // This quantity will be reset to 255 after Wrong Pocket is executed
234/21
247/8
248/7
62/193
237/18
234/21
249/6
248/7
175/80
61/194
234/21
127/128
245/10
201/54

Then, write the following box name code:

Box 1: Ap0'méJ95
Box 2: p0(female)éK955
Box 3: p02éL955
Box 4: p'vCé?255
Box 5: 5p'mA(female)555
Box 6: (Doesn't matter)
Box 7: p0AéA'dyy
Box 8: p0éé(female)'dyy
Box 9: p0ké0'dp'd
Box 10: p0A'vxéJ9
Box 11: p'dyyyyyy

Finally, execute wrong pocket. Your desired Pokémon will be found in the wild with 100% encounter rate.

With the old code, if the desired Pokémon's ID is lower than $7f, you had to change a box name and add $7f to the species id. With the new code, no special adaptations are necessary for any Pokémon. Another flaw that plagued the old code was that it was required to SAVE/RESET to shut it off. To shut off the new code, simply replace Box 9 with:

yyyyyyyy

After this, the OAM DMA will patch itself thanks to code written at Box 10-11, and it will be safe to write other box name codes in the Box 7-12 region.

The old code may be preferable due to length, but this is here if one would rather use it. :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-16 03:55:12
It's good to have many possibilities to do the same thing :)

Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character. For the French version, I had to use 5 different variations of the code (basically the original one, the 'sub 7f' one, and three other subs with different values) to get them all. I'm assuming it can be improved to 4 codes somehow. It would be great anyway to have the full coverage for the English version too :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-16 06:54:26
Thank you! :)


Regarding the old code, even by doing your trick for Pokémon with hex ID lower than $7F, some Pokémon cannot be caught because we don't have access to the character.


Yep. There were some Pokémon (Hex $d8, to name one) that couldn't be obtained with the $7f trick. Any Pokémon that fit into that category had to be obtained with clever use of integer underflow (For example, Hex $d8 could be obtained using $80 - $a8). That was a pain, so hopefully this new code fixes that. :)

As for French translations, it may take me a while to translate this new code, but I'm certain it should still work.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-19 15:07:47
Needed a break from playing Ultra Moon, so here is a new code to actually use Mail data.
So far this code is only able to use one Mail since for more you'd need to also skip trainer name data.

The code is an item code, so I can also use it on the German version. This also enables text based codes, even though they are still complicated (no sub/add instruction).
To execute item codes use a Quagsire holding a HP Up with Sleep talk as its first move after your Slide-Pokémon.

First, here are two short item codes to get the required items:

Box Item 1 quantity changed to 255:

Any x Any
Any x 03 INC BC
Full Restore x 01 LD C, 01
Paralyz Heal x 13 DEC C; DEC C
Energypowder x 03 LD A, C; INC BC
TM42 x 24 LD [18d6], A
TM23 x 03 INC BC
TM10 x Any RET


Change Box Item 1 to any item you want:

Any x Any
Any x 03 INC BC
PP-Up x {item} LD A, {item}
TM42 x 23 LD [17d6], A
TM23 x 03 INC BC
TM10 x Any RET


And now to the big one:
Copy the message of the first mail in your PC to the end of box names and execute them. If you only want to copy them without execution replace the final TM41 (JP [HL]) with TM10 (RET).

Any x Any
Any x 62 LD A, 0a
Burn Heal x 234 LD [1201], A
Potion x 01
Full Restore x 01 LD C, 01
Paralyz Heal x 121 DEC C; LD A, C
TM42 x 01 LD [0140], A
Max Ether x 03 INC BC
X-Accuracy x 60 LD HL, 3cd9
TM26 x 17 LD DE, 55a8
Red Apricorn x 168
Brightpowder x 06 INC BC; LD B, 01
Master Ball x 14 LD C, 10
Hyper Potion x 26 LD A, [DE]
Protein x 50 DEC DE; LD [HLD], A
Paralyz Heal x 32 DEC C; JR NZ, fa
HM08 x 27 DEC DE
Poké Ball x 32 DEC B; JR NZ, f4
HM02 x 01 LD BC, ...
Any x Any
Great Ball x 35 INC B; INC HL
TM41 x Any JP [HL]


Note that box name terminators are also overwritten, so the copied box names probably look glitchy.
All codes from this post are for wrong-pocket-TM execution, since they are mostly meant for non-english games where Coin Case ACE is not possible.



Edit:
Looked into it some more.
After the mail message there are 10 bytes (including 50h terminator if name is shorter (which it should be)) which appear to be used for the name of the sender.
Afterwards are 4 bytes with info on the type of the mail. A surf mail produces F3 74 F9 B5 while a flower mail gives F3 74 A3 9E.
Afterwards, the next mail starts with its message.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-26 10:37:03
Here is a code to copy the messages of your first four mails in your mailbox/pc into box names (and a few bytes after) and execute them afterwards. (Edit: turns out VC doesn't like execution) (Edit²: turns out me being stupid doesn't help avoiding VC peculiarities)
With this, execution of text-based code for the German version is at least possible (yay for é; ignore the fact that with clever use of call it might have been already), even though it's still difficult (no sub/add).

TM quantity code for wrong-pocket-TM execution (Quagsire, Lucky Egg, Attract):

Copy content of Mail 1-4 to box names (and a few bytes after) and execute it
format: keep/deposit code
TM01 62/193 ld a, 0a
TM02 10/245
TM03 234/21 ld [0000], a
TM04 0/255
TM05 0/255
TM06 175/80 xor a
TM07 234/21 ld [0040], a
TM08 0/255
TM09 64/191
TM10 1/254 ld bc, f0a8 (Mail Data End; before start of Message 5)
TM11 240/15
TM12 168/87
TM13 33/222 ld hl, 3ef9 (a bit after box names)
TM14 62/192
TM15 249/6
TM16 22/233 ld d, 04
TM17 4/251
TM18 205/50 call 97f5 (.copymail)
TM19 151/104
TM20 245/10
TM21 21/234 dec d
TM22 32/223 jr nz, fa (TM18)
TM23 250/5
TM24 35/220 inc hl
TM25 233/22 jp [hl]
TM26 30/225 ld e, 0e | .copymail -> d597
TM27 14/241
TM28 11/244 dec bc
TM29 29/226 dec e
TM30 32/223 jr nz, fc (TM28)
TM31 252/3
TM32 205/50 call a5f5 (.copyline)
TM33 165/90
TM34 245/10
TM35 11/244 dec bc
TM36 205/50 call a5f5 (.copyline)
TM37 165/90
TM38 245/10
TM39 201/54 ret
TM40 30/225 ld e, 10 | .copyline -> d5a5
TM41 16/239
TM42 10/245 ld a, [bc]
TM43 50/205 ld [hld], a
TM44 11/244 dec bc
TM45 29/226 dec e
TM46 32/223 jr nz, fa (TM42)
TM47 250/5
TM48 201/54 ret


As a quick proof of concept, this message for your first mail changes the beginning character of Box 7 to ¥ (pokédollar symbol; used as replacement here).

p0¥é2

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2017-11-26 11:55:30
That's very nice, we could add that to the newcomers guide!

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-11-26 12:28:13
Currently testing this a bit and VC doesn't seem to like the execution part of this code. It restarts with wonky colors, changes your options and mailbook upon reloading. Also I apparently beat the elite 4 once which was the 80th time with a bunch of slowbros and a zapdos.  :o
I replaced the jp [hl] instruction with a ret statement to simply copy it towards box names, which then can be executed as normal (or with the Quagsire holding TM01 instead of TM02 to start with character 1).

At least for now I didn't notice any negative side effects.


If you add this to the beginners guide you should also include the part about how to maximize TM/HM count presented here.
And maybe include the ability to increase/decrease deposit quantities by 10 via left/right input. I totally forgot about it and re-finding it made things way easier.
TM-codes are still a pain to set up ingame, though.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-11-26 16:48:50
VC probably won't like anything that involves SRAM

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-12-10 13:30:23
luckytyphlosion told me about a temporary mail buffer and after poking I found it to be at $ceed (same for english and german, probably other european version as well).

It is reset after reloading and contains the data from the mail last written or read (maybe also on transfer to PC, forgot to test this one).
For most shorter codes this is probably the preferred way to write text-based code. You only have to account for a 4e character after the first line (16 bytes) of text.
This also allows you to store a few different codes and cycle through them without constant rewriting.

To execute you would either have to teach your Quagsire False Swipe as a first move (can't learn naturally) and give it a TM45 or use this box item code:

Any x Any
Any x 195
TM45 x 206

For english version (possibly others) there also exists this box name code:

1) A p 0 z'v 1 5 5 XOR A; OR b9; SUB f7; EI; EI; LD D, B | A->ce
2) é'r 2'vPk é'm 2 LD [d3f8], A; SUB e1; LD [d2f8], A; LD D, B | A->ed
3)'m ^ ^ JP NC, {edce}



Also to note about my previous code:
I swapped registers for some reason, so it still was execution in SRAM. Direct execution after copying might be possible after all.
Will add results once I've tested this with corrected registers.

Edit:
Using the right registers direct execution works. I'll edit my original post.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-12-13 12:54:21
Hey, I have a question. I have a code from a video for getting to level 98 with bag items:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x49
- TM12 x1
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

Or level 99 with:

- [Any Item] x[Any Amount]
- [Any Item] x[Any Amount]
- Super Potion x14
- Ultra Ball x26
- X Accuracy x53
- TM27 x1
- Awakening x[Any Amount]
- Escape Rope x34
- Repel x20
- Paralyz Heal x32
- HM07
- [Any Item] x[Any Amount]
- Fresh Water x73
- Full Restore x99
- Spell Tag x1
- [Any Item] x[Any Amount]
- Poke Ball x46
- HM03 x1
- X Speed x1
- Full Heal x18
- Flower Main x51
- TM06 x1
- [Any Item] x[Any Amount]
- TM41 x[Any Amount]

The problem is, I can't use these on Unown, due to the code changing DVs as well, and that is what the Unown shapes are based on, so how do I modify these codes to get to level 98/99 without changing DVs so my Unown remain the same letters, and I can level them all up?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-12-13 12:55:49
Make that PC items for Coin Case.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2017-12-13 14:03:08
Hi. :)

I'm unsure how to modify it as the parts that modify the other addresses seem to take up a significant portion of the code.

I have this though for the Sleep Talk as move 1 Quagsire holding a Protein:

(ANY ITEM) x(ANY)
(ANY ITEM) x(ANY)
X Accuracy x73
TM27 x1
(ANY ITEM) x(ANY)
Great Ball x62
Wht Apricorn x1
(ANY ITEM) x(ANY)
Leaf Stone x1
(ANY ITEM) x(ANY)
Great Ball x38
TM22 x1
(ANY ITEM) x(ANY)
Great Ball x46
Lovely Mail x1
(ANY ITEM) x(ANY)
Poké Ball x5
Poké Ball x62
X Accuracy x5
Super Rod x1
(ANY ITEM) x(ANY)
Poké Ball x9
Poké Ball x46
HM03 x1
X Speed x1
Full Heal x18
Flower Mail x51
TM06 x1
(ANY ITEM) x(ANY)
TM41 x1

This code will set your first Pokémon's level to 97 and replace item 1 with Rare Candies, and do nothing else.

Raw bytes in case anybody wants them:
@D61B:

21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9

Hope this helps!
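Before typing a listing like spamviech's 48-pair table (TM01 to TM48 above) or the 55 raw bytes Torchickens gives at $D61B into a game, it is worth letting a script check the transcription. The following Python checker is an added example written for this archive, not code from the thread or from any of its posters. It validates keep/deposit pairs (each must sum to 255), turns the kept quantities into a byte string, and disassembles it with a small Game Boy opcode table covering only the instructions these two listings use (anything else is shown as a raw `db` byte), resolving `jr` offsets back to TM slot numbers. Run on the table as posted, it flags TM14 (62/192 sums to 254, where every other pair sums to 255). Note one notational difference: the post writes operands in byte order (`call 97f5` is the bytes CD 97 F5), while the disassembler prints the little-endian 16-bit value (`call $f597`). Both sample inputs are copied from the thread; the `Insn` record, function names and output format are this example's own.

```python
"""
Added example, not code from this thread or its posters: a checker for
Gen II TM-quantity ACE listings.  It validates keep/deposit pairs (they
must sum to 255, since the byte that lands in memory is the kept quantity
and the deposit is whatever brings a stack of 255 down to it), turns the
kept quantities into a byte string, and disassembles that string with a
small Game Boy (LR35902) opcode table, resolving relative jr targets back
to TM slots.  Only the opcodes used in the thread's two listings are
covered; anything else is shown as a raw 'db' byte.
"""
import re
from dataclasses import dataclass

# opcode -> (mnemonic template, operand byte count); {n} 8-bit, {nn} 16-bit
# little-endian, {r} signed 8-bit offset relative to the next instruction
OPCODES = {
    0x01: ("ld bc,{nn}", 2), 0x04: ("inc b", 0), 0x05: ("dec b", 0),
    0x0A: ("ld a,[bc]", 0), 0x0B: ("dec bc", 0), 0x15: ("dec d", 0),
    0x16: ("ld d,{n}", 1), 0x1D: ("dec e", 0), 0x1E: ("ld e,{n}", 1),
    0x20: ("jr nz,{r}", 1), 0x21: ("ld hl,{nn}", 2), 0x22: ("ld [hli],a", 0),
    0x23: ("inc hl", 0), 0x26: ("ld h,{n}", 1), 0x2E: ("ld l,{n}", 1),
    0x32: ("ld [hld],a", 0), 0x33: ("inc sp", 0), 0x3D: ("dec a", 0),
    0x3E: ("ld a,{n}", 1), 0x77: ("ld [hl],a", 0), 0x9E: ("sbc a,[hl]", 0),
    0xAF: ("xor a", 0), 0xC5: ("push bc", 0), 0xC9: ("ret", 0),
    0xCD: ("call {nn}", 2), 0xE9: ("jp hl", 0), 0xEA: ("ld [{nn}],a", 2),
}


@dataclass
class Insn:
    offset: int   # 0-based byte offset; for a TM listing the slot is offset + 1
    length: int
    text: str


def parse_pairs(listing):
    """Extract every 'keep/deposit' pair from a listing (a 'TMnn' prefix and
    the disassembly comments of the thread's format are ignored).  Returns
    (code bytes, list of (slot, keep, deposit) that are not a valid pair)."""
    code, bad = bytearray(), []
    for slot, m in enumerate(re.finditer(r"(\d+)/(\d+)", listing), start=1):
        keep, dep = int(m.group(1)), int(m.group(2))
        if keep > 255 or keep + dep != 255:
            bad.append((slot, keep, dep))
        code.append(keep & 0xFF)
    return bytes(code), bad


def disassemble(code):
    """Linear-sweep disassembly of a byte string into Insn records."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        mnem, n = OPCODES.get(op, (f"db ${op:02x}", 0))
        ops = code[pc + 1:pc + 1 + n]
        if len(ops) < n:                      # operand runs off the end
            tail = " ".join(f"${b:02x}" for b in code[pc:])
            out.append(Insn(pc, len(code) - pc, f"db {tail}  ; truncated"))
            break
        if n == 2:                            # 16-bit operand, low byte first
            text = mnem.format(nn=f"${ops[1]:02x}{ops[0]:02x}")
        elif "{r}" in mnem:                   # jr: target = next pc + offset
            rel = ops[0] - 256 if ops[0] > 127 else ops[0]
            tgt = pc + 2 + rel
            text = mnem.format(r=f"{rel:+d} (byte {tgt}, TM{tgt + 1:02d})")
        elif n == 1:
            text = mnem.format(n=f"${ops[0]:02x}")
        else:
            text = mnem
        out.append(Insn(pc, 1 + n, text))
        pc += 1 + n
    return out


# Inputs copied from the thread: spamviech's TM01..TM48 keep/deposit table
# and the raw bytes Torchickens gives for the level-97 code at $D61B.
SPAMVIECH_PAIRS = (
    "62/193 10/245 234/21 0/255 0/255 175/80 234/21 0/255 64/191 1/254 240/15 "
    "168/87 33/222 62/192 249/6 22/233 4/251 205/50 151/104 245/10 21/234 32/223 "
    "250/5 35/220 233/22 30/225 14/241 11/244 29/226 32/223 252/3 205/50 165/90 "
    "245/10 11/244 205/50 165/90 245/10 201/54 30/225 16/239 10/245 50/205 11/244 "
    "29/226 32/223 250/5 201/54"
)
TORCHICKENS_RAW = bytes.fromhex(
    "21 49 DA 01 01 01 04 3E 61 01 01 01 22 01 01 01 04 26 D5 01 01 01 04 2E B8 01 01 "
    "01 05 05 05 3E 21 05 3D 01 01 01 05 77 05 2E F5 01 34 01 26 12 9E 33 C5 01 01 01 E9"
)


def report(code):
    """Human-readable listing: byte offset, raw bytes, mnemonic."""
    lines = []
    for i in disassemble(code):
        raw = code[i.offset:i.offset + i.length].hex(" ")
        lines.append(f"+{i.offset:02d}  {raw:<9} {i.text}")
    return "\n".join(lines)


if __name__ == "__main__":
    code, bad = parse_pairs(SPAMVIECH_PAIRS)
    for slot, keep, dep in bad:
        print(f"TM{slot:02d}: {keep}/{dep} sums to {keep + dep}, not 255")
    print(report(code))
    print("\nraw bytes at $D61B:")
    print(report(TORCHICKENS_RAW))
```

Running it prints the TM14 warning followed by both disassemblies; the `jr nz` lines resolve to TM18, TM28 and TM42, matching the targets spamviech annotated, and the raw listing shows `ld hl,$da49` followed by `ld a,$61` (decimal 97, the level the post says it sets).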

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Storyreader21
Date: 2017-12-13 18:09:44
Hey, in this, the Great Balls and Poké Balls are in multiple spots; how do I get them there?

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-12-13 18:14:29

Hey, in this, the great balls and pokeballs, are in multiple spots, how do I get them there?


Either by other ACE shenanigans or by depositing 99 of said item and then depositing some more. Afterwards withdraw to the desired amount and be careful while swapping not to merge them (swap next to another stack of the same item).