Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 23

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-12-28 21:19:23
Little helper code which might be useful to someone else as well:
Maximize all PC items (quantity x 255) while leaving the item type unchanged.

1)  A  p  'v  5  é  4  2  5 XOR A; SUB fb; LD [faf8], A | A->05
2)  'v  9  é  /  2  p  'v  . SUB ff; LD [f3f8], A; XOR A; SUB e8 | A->06; A->18
3)  é  0  2  'v  2  é  5  2 LD [f6f8], A; SUB f8; LD [fbf8], A | A->20
4)  'v  9  é    2  'v  9  5 SUB ff; LD [f5f8], A; SUB ff | A->21; A->22
5)  é  2  2  'v  9  é  3  2 LD [f8f8], A; SUB ff; LD [f9f8], A | A->23
6)  'v    é  ,  2  0  9  9 SUB f1; LD [f4f8], A; OR ff; LD B, 32 | A->32
7)  0  0  0  5  5  5  5  5 LD HL, 18f6; LD [HLI], A; INC HL; DEC B; JR NZ, fb | HL->f618
8)  x  'd OR A; RET NC


Fun little thing about x0 quantity (at least in the PC):
You can withdraw/toss any quantity you want, it won't change the quantity of the item. While tossing obviously does nothing, withdrawing works without problems (creates items).
Depositing an additional item of the type simply adds the amount which restores normal functionality.
Possibly also works in the inventory to give you an infinite amount of an item, but I didn't test that.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-01-19 08:27:21
Here, have a CartSwap setup!


A p é 7 2 é ? 2
é & 2 'v 9 é 8 2
p 'v * é (male) 2 / /
é * 2 / / / / p
0 (pk) é A 9 4 A 9
/ / ? A 8 A / /
'm (pk) 2 p 's A (female) 'm


This is compatible with either the Coin case setup or Wrong Pocket

In gbz80, that's:

xor a ; a = 0
ld ($f8fd),a ; self-mod
ld ($f8e6),a ; self-mod
ld d,b ; end-terminator
ld ($f8e9),a ; self-mod
sub $FF ; a = 1
ld ($f8fe),a ; self-mod
ld d,b ; end-terminator
xor a ; a = 0
sub $F1 ; a = $0f
ld ($f8ef),a ; self-mod
di ; Disable ints. If they are active during cartswap, and an int is requested, unwanted code may be executed
di ; padding
ld d,b
ld ($f8f1),a ; self-mod
di ; padding
di ; padding
di ; padding
di ; padding
.loop:
xor a ; a = 0
ld d,b ; end-terminator
or $e1 ; a = $e1
ld ($ff00),a ;  Enable polling for Directional buttons. Didn't use "ldh", as it isn't char-representable
ld a,($ff00) ; Receive results of poll
ld d,b ; end-terminator
di ; padding
di ; padding
and $0f ; I don't care about the upper nibble
cp $0f ; Compare with $0f
di ; padding
di ; padding
ld d,b ; end-terminator
jp nc, .loop ; If the carry flag wasn't set by the compare, jump back. (Didn't use "jr", not char-representable)
xor a ; a = 0, reset flags
call nc,$F580 ; Call the third TM quantity. ENSURE THE CARRY FLAG IS NOT SET IN YOUR FUNCTION
jp nc,$0100 ; Boot into whatever game is loaded now


Basically what this does is it waits for any button on the D-Pad to be pressed, calls a function written starting at TM03, and then reboots the game. During this time, you can swap the cartridges and write to SRAM.

"So what do I write to TM03?" - That's where you come in!

In gen2, TM quantities (starting from TM03) grant you 48 bytes to write your own code to alter the SRAM of other games.

Not sure what to do? Here's an example:

TMs    Keep/Deposit
TM01  Any
TM02  Any
TM03  38/217
TM04  10/245
TM05  116/139
TM06  38/217
TM07  64/191
TM08  46/209
TM09  1/254
TM10  117/138
TM11  62/193
TM12  21/234
TM13  234/21
TM14  193/62
TM15  176/79
TM16  234/21
TM17  211/44
TM18  176/79
TM19  22/233
TM20  1/254
TM21  21/234
TM22  1/254
TM23  139/116
TM24  15/240
TM25  33/222
TM26  152/103
TM27  165/90
TM28  42/213
TM29  130/125
TM30  87/168
TM31  11/244
TM32  120/135
TM33  177/78
TM34  32/223
TM35  248/7
TM36  122/133
TM37  47/208
TM38  234/21
TM39  35/220
TM40  181/74
TM41  201/54


Raw bytes:

$D580 / 26 0a 74 26 40 2e 01 75 3e 15 ea c1 b0 ea d3 b0
16 01 15 01 8b 0f 21 98 a5 2a 82 57 0b 78 b1 20
f8 7a 2f ea 23 b5 c9


To use:

1. In Pokemon Red/Blue, ensure the first pokemon in your current box is a disposable one
2. Setup your box name and TM quantities as above
3. Use the coin case or wrong pocket
4. (On BGB, this is accomplished with "Load ROM without reset") Swap into Pokemon Red/Blue (maybe Yellow, I'm not sure)
5. Press any button on the D-Pad

When you boot into Pokemon R/B, the first Pokemon in your box should now be Mew. (The name will remain unchanged)

In my opinion, this is a bit easier to deal with than Gen 1 cartswap.

Enjoy!
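Added example (not code from any post in this thread): a small Python helper for the constraint that spamviech's helper listing and the CartSwap setup above both work around, namely that every byte of the payload has to be a character the box-name screen offers, and that the game appends a $50 terminator (ld d,b) after each box name. The token-to-byte table is the Gen 2 text table written the way the thread spells its tokens ('v, é, (pk), (male), (female), (mult)); which of those symbols the naming screen actually offers is not checked here, only the ones the thread itself uses are known to be enterable. It decodes a listing to bytes, flags bytes no character can produce (the reason the CartSwap code self-modifies to plant the $00 and $01 its ld ($ff00),a / ld a,($ff00) / jp nc,$0100 need), splits a payload into box names, and shows the byte stream the CPU sees once the terminators are in.

```python
"""Box-name byte helpers for the Gen 2 character-set constraint.

Added example; not code from the thread.  Box names are stored one byte per
character, 8 characters plus a $50 terminator per box, and the ACE setups in
this thread execute those bytes as LR35902 code.  So the job is the same as
any charset-restricted shellcode problem: every payload byte must be a
character the naming screen offers, and the terminator ($50 = ld d,b) lands
after every eighth byte whether you want it or not.

Token spellings follow the thread.  Values are the Gen 2 text table; whether
a symbol can actually be entered on the naming screen is not checked here.
"""

BOX_NAME_LEN = 8
TERMINATOR = 0x50  # appended by the game; executes as "ld d,b", which touches no flags

CHARMAP = {chr(ord("A") + i): 0x80 + i for i in range(26)}          # A..Z
CHARMAP.update({chr(ord("a") + i): 0xA0 + i for i in range(26)})    # a..z
CHARMAP.update({str(d): 0xF6 + d for d in range(10)})               # 0..9
CHARMAP.update({
    "(": 0x9A, ")": 0x9B, ":": 0x9C, ";": 0x9D, "[": 0x9E, "]": 0x9F,
    "'d": 0xD0, "'l": 0xD1, "'m": 0xD2, "'r": 0xD3, "'s": 0xD4, "'t": 0xD5, "'v": 0xD6,
    "'": 0xE0, "(pk)": 0xE1, "(mn)": 0xE2, "-": 0xE3, "?": 0xE6, "!": 0xE7,
    ".": 0xE8, "&": 0xE9, "é": 0xEA, "(male)": 0xEF, "(mult)": 0xF1,
    "/": 0xF3, ",": 0xF4, "(female)": 0xF5,
})
BYTE_TO_TOKEN = {v: k for k, v in CHARMAP.items()}


def decode_tokens(listing: str) -> bytes:
    """Bytes stored for a box name written as space-separated tokens,
    e.g. "A p 0 9 é z 't x 'd".  The terminator is not included."""
    try:
        return bytes(CHARMAP[tok] for tok in listing.split())
    except KeyError as e:
        raise ValueError(f"no such box-name character: {e.args[0]!r}") from None


def unrepresentable(code: bytes) -> list:
    """(offset, byte) pairs that no character produces.  Such bytes need
    another route into memory, e.g. the self-modifying stores the CartSwap
    post uses to plant $00 and $01 at run time."""
    return [(i, b) for i, b in enumerate(code) if b not in BYTE_TO_TOKEN]


def encode_box_names(code: bytes) -> list:
    """Split machine code into box names of at most 8 characters, in the
    thread's token spelling.  Refuses bytes that cannot be typed."""
    bad = unrepresentable(code)
    if bad:
        raise ValueError("untypeable: " + ", ".join(f"${b:02X} at +{i}" for i, b in bad))
    return [" ".join(BYTE_TO_TOKEN[b] for b in code[i:i + BOX_NAME_LEN])
            for i in range(0, len(code), BOX_NAME_LEN)]


def executed_image(code: bytes) -> bytes:
    """The byte stream the CPU actually sees: the game's $50 terminator
    follows every full box name and the final partial one."""
    out = bytearray()
    for i in range(0, len(code), BOX_NAME_LEN):
        out += code[i:i + BOX_NAME_LEN]
        out.append(TERMINATOR)
    return bytes(out)


if __name__ == "__main__":
    # Skeef's TM25 code from the thread: add b / xor a / or $ff / ld ($d5b9),a / or a / ret nc
    print(decode_tokens("A p 0 9 é z 't x 'd").hex(" "))
    # "ld a,($ff00)" is fa 00 ff; the $00 is why the CartSwap post self-modifies
    print(unrepresentable(bytes.fromhex("fa00ff")))
    print(encode_box_names(bytes.fromhex("af f6 ff ea b9 d5 b7 d0")))
    print(executed_image(bytes.fromhex("af f6 ff ea b9 d5 b7 d0 af")).hex(" "))
```

Run it on a payload before typing anything in: if unrepresentable() comes back non-empty, those positions need a store from earlier code rather than a character, and executed_image() is what to hand to a disassembler to confirm the extra ld d,b after each box does not split a multi-byte instruction.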

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Torchickens
Date: 2018-01-19 11:22:12
Amazing :)

So, a couple of questions as I've never done much cartswapping before.

If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)? How would you do this for Yellow and Crystal?

Thanks.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-01-19 11:34:19

Amazing :)


Thanks!


If you were to modify an SRAM address other than B0C1 or B0D3 (stored Pokémon), would you need to modify the code in any other way for Red/Blue (I notice you have to adjust the B523 checksum)


Modifying $A598-$B522 would require a checksum fix at $B523. Though I'm not certain if this is checked, the box data in banks 2-3 have their own checksums. These need not be modified if you only care about the current box, however.


How would you do this for Yellow and Crystal?


In Yellow, I believe SRAM data is not shifted. Don't quote me on that, though, because I'm not 100% certain. I just checked Pokeyellow, and it seems my setup for Mew will still work! :)

As for Crystal, I'm not certain. I don't think data is shifted in Crystal to an extent that would prevent this from working, but once more I'm not 100% certain, as I currently lack a Crystal ROM.
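Added example, not from the reply above or the CartSwap post: the checksum fix the reply refers to, as Python over an SRAM bank image. The raw bytes in the CartSwap post implement it at the end of the routine (ld hl,$a598, a loop adding $0F8B bytes, cpl, ld ($b523),a): the 8-bit sum of $A598..$B522, complemented, stored at $B523. The bank image and the two writes below are constructed; the per-box checksums in banks 2-3 mentioned in the reply are not covered.

```python
"""Gen 1 save-data checksum over an SRAM bank image.

Added example, not the thread's code.  The reply says any write inside
$A598-$B522 needs the checksum at $B523 fixed; the CartSwap post's raw bytes
do that by summing the range, complementing, and storing.  This does the same
on the PC so a payload's effect can be checked before it is typed in.
"""

SRAM_BASE = 0xA000        # SRAM window in the Game Boy address space
CHECKSUM_START = 0xA598   # first byte covered
CHECKSUM_ADDR = 0xB523    # holds the checksum; covered range is [start, addr)


def gen1_checksum(sram: bytes) -> int:
    """Complement of the 8-bit byte sum of $A598..$B522 of an 8 KiB bank image."""
    lo, hi = CHECKSUM_START - SRAM_BASE, CHECKSUM_ADDR - SRAM_BASE
    return (~sum(sram[lo:hi])) & 0xFF


def checksum_is_valid(sram: bytes) -> bool:
    """True if the stored byte at $B523 matches the range it covers."""
    return sram[CHECKSUM_ADDR - SRAM_BASE] == gen1_checksum(sram)


def patch(sram: bytes, writes: dict) -> bytes:
    """Apply {address: byte} writes to the bank image and refresh $B523,
    which is what a cartswap payload has to do for any write in the range."""
    buf = bytearray(sram)
    for addr, val in writes.items():
        buf[addr - SRAM_BASE] = val & 0xFF
    buf[CHECKSUM_ADDR - SRAM_BASE] = gen1_checksum(buf)
    return bytes(buf)


if __name__ == "__main__":
    bank = bytes(0x2000)   # constructed: an all-zero bank image, not a real save
    # the two stores the CartSwap post makes (Mew's index, $15)
    mew = patch(bank, {0xB0C1: 0x15, 0xB0D3: 0x15})
    print(f"checksum ${mew[CHECKSUM_ADDR - SRAM_BASE]:02X}, valid={checksum_is_valid(mew)}")
```

Writes outside $A598-$B522 (the reply's point about the current box) leave gen1_checksum() unchanged, so patch() is harmless to call for those as well.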

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Krys3000
Date: 2018-01-23 12:31:47
The shift only applies to WRAM (starting at $CF00). Everything before that point is just the same in all non-japanese Red, Blue and Yellow :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: hobgoblinpie
Date: 2018-01-26 14:03:15
Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-01-26 14:11:27

Is there a TM25 box name config for Perfect DVs for a party pokémon? Couldn't seem to find one - thanks! The coin case one is as follows, but can't seem to modify it correctly:

Box 1: Ap0'd'vR55
Box 2: é'm2pp095
Box 3: éA4p0'd'vQ
Box 4: é?2p0955
Box 5: 55éA4ppp
Box 6: 'v7'v'dé42p
Box 7: éD9'l'lA'lx
Box 8: 'd5555555



Replace box 7 with "p'd"

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: hobgoblinpie
Date: 2018-01-26 15:15:32
Perfect, thanks!

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-02-21 23:56:39


This should give you 255 of the first item in your item pack.

Box1: A p 0 9 é z 't x
Box2: 'd



Been trying to do this on English VC and for the life of me I can't get it to work for me. I even did spamviech's slider pokemon method and I still just crash every time. I have no idea what I've done wrong here… assuming this is a tm25 code of course. I have done ones I know are TM25 codes and I can't get any of them to work, though.

If I use them with Sanqui (my old slide pokemon that worked for coin case ACE, named after Sanqui of course) the game freezes on the item screen with no change and the music still playing (softlock), but if I do it with the other slider 'mon, it resets into a glitch dimension

edit: the glitch dimension thing is because Quagsire needs to be in slot 4 with spamviech's slider pokemon method I believe. When I do that it freezes the same way as it does with Sanqui. Whoops! That's one question answered.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-02-22 06:51:11
Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is

A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-02-23 02:43:58

Skeef's code was to be used with TM25. You are probably attempting to do this with the Coin Case.

The same code for use with the coin case is

A 0 9 é z 't p 5
é Z (mult) . 9 'l 'l 'l
'l p 'd




I said assuming it was a TM25 code - I WAS using it with TM25. Just TM25 refuses to work properly for me it seems.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-02-23 06:03:31
The issue is not with Skeef's code. It translates to the following ASM:

xor a
or a,$ff
ld ($d5b9),a
or a
ret nc


…which does its intended job of giving x255 of the first item. All I can say is ensure you have setup your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2018-02-23 09:03:12
The slide-Pokémon I provided works specifically for Coin Case. If you're using TM25, not only does execution start at the second Pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25 slide Pokémon, so you either have to use the Coin Case or try your luck with random low levels.



The issue is not with Skeef's code. It translates to the following ASM:

xor a
or a,$ff
ld ($d5b9),a
or a
ret nc


…which does its intended job of giving x255 of the first item. All I can say is ensure you have setup your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)


Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2018-02-23 09:43:26

Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.


ld instructions do not update flags, so the $50 terminator "ld d,b" isn't really worth mentioning in this context.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Azarokkusu
Date: 2018-02-25 02:48:56

The slide-Pokémon I provided works specifically for Coin Case. If you're using TM25, not only does execution start at the second Pokémon (compared to the third for Coin Case/first for TM17), but also at a different place in its data.
I didn't check it, but it might even guarantee a failure when used with TM25. To my knowledge there's no setup which doesn't involve ACE to guarantee a working TM25 slide Pokémon, so you either have to use the Coin Case or try your luck with random low levels.



The issue is not with Skeef's code. It translates to the following ASM:

xor a
or a,$ff
ld ($d5b9),a
or a
ret nc


…which does its intended job of giving x255 of the first item. All I can say is ensure you have setup your bootstrapper correctly. It's
AnyPkmn
SlidePkmn
Quagsire (Holding TM02, Return as first move)


Don't forget the terminator character at the end of box name 1 which is a "ld d,b" instruction. Here it doesn't really change anything (maybe set 0 flag), but still could add confusion when you forget it.


That's what I suspected. I REALLY should get around to learning the assembly code for this… but I'm lazy. Though, I'd like to have the ACE for a working tm-25 slide pokémon. 'Till then I'm gonna go find myself a temporary slide pokémon until then since that's the only thing I can see in my case that could be wrong here (I wrote the box name code correctly and put the Quagsire [holding TM02 and with Return as the first move] and slide pokémon in the correct places in slots 3 and 2 respectively).

Thanks!




I'll be keeping that in mind~ how many steps does it take for the mon to develop its happiness value? And does it decrease if left in the box?

I'm curious, the box codes that let you change one mon to another, if you have an egg that is shiny (let's say it's a Wooper for example) and you alter it into a different mon (like Zapdos) via the box codes, would the egg result in a shiny Zapdos?


Happiness won't decrease if left in the box. And I'm not sure, but I think if the slide Pokemon gets any noticeable happiness increase then it will mess up the code, because the slide Pokemon has to be freshly caught or hatched with no stat experience and happiness is another one of those factors I guess.

However, I was using the coin case a lot yesterday with the same slide Pokemon and walking from the PC in Cherrygrove to outside the mart in Cherrygrove for Coin Case glitches; when you repeat that enough times you're certainly walking a good number of steps, but my slide Pokemon still worked. And today I was using the hatched Togepi as a slide Pokemon as a test and it worked, so I would certainly recommend freshly hatched Pokemon.

As for your question, I haven't messed around with shiny codes yet, but if the first code changed the egg to shiny and then you changed the Pokemon species then it should still be shiny, as that is determined by the DVs which are made when you use your shiny code.

Not quite. Even if your slide's happiness value increases, it doesn't matter too much unless it reaches a malicious opcode. What I mean by that is, any opcode that changes code flow (call,ret,jp,jr), any opcode that stops the cpu (stop, and MAYBE halt, I'm not quite sure), any op that messes with the stack (inc sp,push,pop,ld sp,rst,etc.), any invalid ops ($D3,$DB,$DD,$E3,$E4,$EB,$EC,$ED,$F4,$FC,$FD), and "di".

The Happiness value increments upon walking 256 steps, and when freshly caught, has a value of $00. The first "malicious" opcode it encounters is "stop", which is hex $10. So, a freshly caught slide pokemon is considered "broken" after 4096 steps. However, you can easily set this value to $11 (ld de,$xxyy) by walking 256 more steps. So if you find that your slide has stopped working, walk 256 more steps and see if that fixes it.

Also, it is worth noting that happiness is not the only thing that affects slide pokemon.
Here's a list of all factors that affect slide pokemon:

Attack EV
Defense EV
Speed EV
Special EV
Attack/Defense IV
Speed/special IV
PP of current moveset
Happiness/Hatch Time
Pokerus
Caught Information
Level
Status
Hp
Max Hp
Attack
Defense
Speed
Special Defense
Special Attack - Must correspond to an instruction that is one byte long, otherwise the jump instruction that executes your code will be absorbed!


I was also wondering about this. What values or value ranges of each of these would be needed to make a suitable slide pokémon? As in, just a regular working slide pokémon, not a specific one like the special coin case one which jumps over a lot of these factors.
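Added example, not part of any post: the "malicious opcode" list above turned into a sweep over the bytes a slide Pokémon exposes to the CPU. It assumes the bytes are supplied in the order execution reaches them (the post's factor list, ending at the byte just before the jump); party-structure offsets are not modelled, and the sample byte strings are constructed, not real party data. It decodes only the base LR35902 table for length and category, enough to show both the happiness case ($10 = stop, then $11 = ld de,d16 swallowing the next two bytes) and the one-byte requirement on the last field.

```python
"""Slide-Pokémon byte sweep.

Added example, not code from the thread.  The post lists which opcodes spoil
a slide Pokémon: control flow, stopping the CPU, stack operations, invalid
opcodes, and di.  Anything else passes as long as instruction lengths line
up: a multi-byte instruction swallows the bytes after it, and the last one
before the jump must not swallow the jump.  This walks a byte string the way
the CPU would when execution falls through it and reports length and
category per opcode.  Only the base table is decoded; $CB-prefixed ops are
two harmless bytes.  Pass the bytes in execution order.
"""

INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}


def classify(op: int) -> tuple:
    """(length in bytes, category) for one opcode byte.  Categories follow
    the post: 'control', 'stop', 'stack', 'invalid', 'di'; else 'ok'."""
    x, y, z = op >> 6, (op >> 3) & 7, op & 7      # standard opcode-field split
    p, q = y >> 1, y & 1
    if op in INVALID:
        return 1, "invalid"
    if op == 0xF3:
        return 1, "di"
    if op == 0x10:                                 # stop, assembled as 10 00
        return 2, "stop"
    if op == 0x76:                                 # halt; the post is unsure, treated as stop
        return 1, "stop"
    if op == 0xCB:
        return 2, "ok"
    if x == 0:
        if z == 0:
            if y == 1:                             # ld (a16),sp
                return 3, "stack"
            return (2, "control") if y >= 3 else (1, "ok")   # jr / nop
        if z == 1:
            if q == 1:                             # add hl,rr
                return 1, "ok"
            return 3, ("stack" if p == 3 else "ok")          # ld rr,d16; rr=sp is a stack op
        if z == 3:                                 # inc rr / dec rr
            return 1, ("stack" if p == 3 else "ok")
        return (2, "ok") if z == 6 else (1, "ok")            # ld r,d8 / everything else
    if x in (1, 2):                                # ld r,r' / alu a,r
        return 1, "ok"
    if z == 0:                                     # ret cc / ldh / add sp,r8 / ld hl,sp+r8
        if y < 4:
            return 1, "control"
        return 2, ("stack" if y in (5, 7) else "ok")
    if z == 1:
        if q == 0:                                 # pop rr
            return 1, "stack"
        return 1, ("stack" if p == 3 else "control")         # ld sp,hl / ret, reti, jp hl
    if z == 2:                                     # jp cc,a16 / ld (c),a / ld (a16),a / ...
        if y < 4:
            return 3, "control"
        return (3, "ok") if q else (1, "ok")
    if z == 3:                                     # jp a16 / ei (di, invalid handled above)
        return (3, "control") if y == 0 else (1, "ok")
    if z == 4:                                     # call cc,a16 (y>=4 are invalid, handled)
        return 3, "control"
    if z == 5:                                     # push rr / call a16
        return (1, "stack") if q == 0 else (3, "control")
    if z == 6:                                     # alu a,d8
        return 2, "ok"
    return 1, "control"                            # rst; the post lists it with the stack ops


def sweep(data: bytes) -> list:
    """Linear sweep from offset 0: (offset, opcode, length, category) per instruction."""
    out, i = [], 0
    while i < len(data):
        length, cat = classify(data[i])
        out.append((i, data[i], length, cat))
        i += length
    return out


def slide_problems(data: bytes) -> list:
    """Reasons these bytes are not a clean path into the jump that follows them."""
    problems = []
    for off, op, length, cat in sweep(data):
        if cat != "ok":
            problems.append(f"${op:02X} at +{off}: {cat}")
        overrun = off + length - len(data)
        if overrun > 0:
            problems.append(f"${op:02X} at +{off}: {length}-byte instruction absorbs {overrun} byte(s) past the end")
    return problems


if __name__ == "__main__":
    print(slide_problems(bytes.fromhex("0b00 10 b7")))     # happiness $10 -> stop
    print(slide_problems(bytes.fromhex("0b00 11 b7 af")))  # 256 steps later: ld de,$afb7 eats two bytes
    print(slide_problems(bytes.fromhex("0b00 3e")))        # last field decodes to ld a,d8
```

The third sample is the Special Attack point in the post: a two-byte opcode in the last position reports an overrun, which is exactly the "jump gets absorbed" failure, even though ld a,d8 is otherwise harmless.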