Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation II Glitch Discussion

Arbitrary code execution in Gold/Silver UE using the Coin Case - Page 9

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-21 21:22:32

You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
Also me confirming if it works like I think it does. :)


On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Dragon Arbock
Date: 2017-10-21 22:15:19
What I've been doing is using ACE to change my pokemon into a pokemon that learns the move, leveling it to the appropriate level, learning the move, then using ACE again to change it back. Obviously this isn't very efficient, but I'm not capable of working out a code to replace moves myself.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 08:21:12


> You can easily create box name code to give it the moves one by one. Goal of this one was to have one do it all code though.
> Also me confirming if it works like I think it does. :)
>
> On the topic of teaching moves, do you know how to teach a Pokemon Ice Beam, Flamethrower or Thunderbolt? I asked this in another thread, but these moves are unobtainable in Gold/Silver - and were only move tutor moves in Crystal. So for a lot of people like me who are playing VC Gold or Silver, with no way to trade, the only way to get them would be through Coin Case.

Here's a quick-and-dirty TM 25 Ball Pocket code that I made to teach Ice Beam to Pokemon 5. Due to character limitations, I was restricted to the fourth move, so make sure Pokemon 5 has at least 3 moves before using.

Box 1: Ap0?'vm55
Box 2: é(male)4p'd555

Here's the same code, but for use with the Coin Case (ensure to use FMK's one-off code)
Box 1: Ap0?'vm55
Box 2: é(male)455555
Box 3+ :55555555
Box 13: Leave Unchanged (FMK's Code)
Box 14: Leave Unchanged (FMK's Code)

I have not tested the Coin Case version (I prefer to use TM 25), but it should work as described. If it doesn't, please let me know.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-22 09:42:36
For Flamethrower and Thunderbolt you only need to change Box 1.

Flamethrower:
Ap0v'vA55 XOR A; OR b5; SUB 80

Thunderbolt:
Ap0't'vA55 XOR A; OR d5; SUB 80

Ice Beam:
Ap0?'vm55 XOR A; OR e6; SUB ac

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Nostalgia
Date: 2017-10-22 10:18:19
Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.

So is it possible to teach any move through these methods, or are there some character limitations for certain moves?

Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 10:29:13

> Thanks, I was mostly interested in Thunderbolt for my Jolteon. I'll test it later.
>
> So is it possible to teach any move through these methods, or are there some character limitations for certain moves?
>
> Also it's worth noting that Gold/Silver has some unique event moves for certain Pokemon and I've seen some people have expressed interest in obtaining them on their pokes. I'm personally not that interested in event moves, but stuff like Belly Drum Quagsire and Lovely Kiss Snorlax is kinda cool, I guess.

With enough changes of box 1, it is possible to teach any move, probably even glitch moves, though I haven't tried this for myself.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: hobgoblinpie
Date: 2017-10-22 10:53:50
Thanks Couldntthinkofaname and spamviech for explaining it, I really appreciate it. It's pretty incredible how blown open the games are thanks to a simple lack of a valid terminator.

Things like Extremespeed Dragonite would be cool, at least until Crystal comes out (even then you'd need two 3DS's or a friend in order to trade).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 11:19:07
So, I decided to make a box code that makes the 5th Pokemon's 4th move be glitch move $ff

Box 1: A09é(male)4p'd

The results were interesting to say the least.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Dragon Arbock
Date: 2017-10-22 15:20:47
I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
But everyone seems to love TM ace so now I'm not gonna have any more coincase formatted codes to work with.
(I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 15:48:25

> I'm not a fan of the TM ace. I'd rather keep using the coin case and changing box 2's name instead of box 1. And box 1 sounds limited, like you have to change the name more than once to get what you want.
> But everyone seems to love TM ace so now I'm not gonna have any more coincase formatted codes to work with.
> (I guess I don't need move-changing codes in the old format, but it would be easier than changing a pokemon's species to learn moves).

I can reformat my code if you would like: (make sure to use FMK's one off code prior)

Pokemon 5 has glitch move $ff in move slot 4:
Box 1: A09é(male)455
Box 2+: 55555555
Box 13: Unchanged from FMK's code
Box 14: Unchanged from FMK's code

I'll start formatting my codes in both ways for ease of use to both parties

If you see a TM 25 code you would like to use, usually reformatting can be done with these steps:

1. Use FMK's one-off code (if you haven't prior)
2. At the end of the code you wish to use, replace the final 'd with 5, and fill in the rest of that box name with 5
3. Fill in any unused box names with 5 (except Box 13 and 14)
4. Make sure box 13 and 14 are unchanged from FMK's one-off code

Hope this is useful!  :)

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Dragon Arbock
Date: 2017-10-22 16:05:06
I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).

From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
(Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 16:53:43

> I guess really, if I have a code to work with I just need to figure out what to change to get the move I want. With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2). I don't really speak programming, so any drastic change in the format is confusing.
> As I understood with the other codes, box 1 was basically telling the code what to target, and box 2 was telling it what to change it to, but this is box 1 doing the changing somehow.
> In Ap0?'vm55, is Ap[xxxx]55 what I am to be changing? I suppose that would make sense since 230 - 172 = 58 (ice beam).
>
> From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
> (Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).

Here's a breakdown of Box 1:

A ; Useless char that does nothing
p ; XOR a, so a = $00
0? ; OR $e6, so a = $e6
'vm ; SUB $ac, so a - $ac = $3a (Ice Beam)
5 ; ei, interrupts are already enabled so this does nothing
5 ; ei, same deal
(end terminator) ; ld d,b

And then Box 2 proceeds to load a into the desired location (In this case, $faef)

So if you wanted to make alterations to this code, you would replace ? and m with two values that you wish to subtract. Essentially, we are taking 2 values that can be represented as valid characters and subtracting them to get a value we would not have been able to type with characters.

As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.

Hope this helped!
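A small Python model of the Box 1 trick that spamviech's three codes and the breakdown above rely on, added here as an illustration and not code from the thread: it maps each box-name character to its Gen II byte, runs the few Game Boy opcodes involved, and reports the move ID left in A and the address Box 2 writes it to. The character table is the Gen II text encoding; every byte it uses is one the thread itself spells out, and "(male)" stands in for the ♂ glyph.

```python
# Added example, not code from the thread. Character values follow the Gen II text
# encoding (the breakdown above confirms each byte used here); "(male)" is the ♂ glyph.
CHARS = {chr(0x41 + i): 0x80 + i for i in range(26)}        # A..Z
CHARS.update({chr(0x61 + i): 0xA0 + i for i in range(26)})  # a..z
CHARS.update({str(d): 0xF6 + d for d in range(10)})         # 0..9  ('0' = OR d8, '5' = EI)
CHARS.update({"'d": 0xD0, "'t": 0xD5, "'v": 0xD6, "?": 0xE6, "é": 0xEA, "(male)": 0xEF})
TERMINATOR = 0x50  # stored after each box name; executes as LD D,B, harmless here

def tokenize(name):
    """Split a box name into Gen II characters ("'v" and "(male)" count as one)."""
    tokens, i = [], 0
    while i < len(name):
        if name.startswith("(male)", i):
            tokens.append("(male)"); i += 6
        elif name[i] == "'":
            tokens.append(name[i:i + 2]); i += 2
        else:
            tokens.append(name[i]); i += 1
    return tokens

def run(boxes, a=0x00):
    """Execute consecutive box names from the 2nd character of Box 1 (see spamviech's note).
    Returns (A, writes); writes maps address -> byte for each LD (a16),A. Unmodelled opcodes raise."""
    code = [b for name in boxes for b in [CHARS[t] for t in tokenize(name)] + [TERMINATOR]]
    writes, carry, pc = {}, False, 1  # pc = 1: the first character is skipped
    while pc < len(code):
        op = code[pc]; pc += 1
        if op == 0xAF:                      # XOR A ('p'): A = 0, carry cleared
            a, carry = 0, False
        elif op == 0xF6:                    # OR d8 ('0'): A |= next byte
            a, carry = a | code[pc], False; pc += 1
        elif op == 0xD6:                    # SUB d8 ('v): A -= next byte; a borrow sets carry
            a, carry = (a - code[pc]) & 0xFF, code[pc] > a; pc += 1
        elif op == 0xEA:                    # LD (a16),A ('é'): little-endian address follows
            writes[code[pc] | code[pc + 1] << 8] = a; pc += 2
        elif op == 0xD0:                    # RET NC ('d): the TM25 exit, carry is clear here
            if not carry: break
        elif op in (0xFB, TERMINATOR):      # EI ('5') and LD D,B: no effect on A or memory
            pass
        else:
            raise NotImplementedError(f"opcode {op:#04x} at byte {pc - 1} is not modelled")
    return a, writes

def move_id(box1):
    """Move ID a Box 1 name leaves in A (spamviech's three codes give $3a, $35, $55)."""
    return run([box1])[0]

if __name__ == "__main__":
    for move, box1 in [("Ice Beam", "Ap0?'vm55"), ("Flamethrower", "Ap0v'vA55"), ("Thunderbolt", "Ap0't'vA55")]:
        print(f"{move}: move ${move_id(box1):02x}")
    # Full TM25 Ice Beam code: Box 2 stores A at $FAEF, the echo-RAM mirror of Pokémon 5's move 4.
    print(run(["Ap0?'vm55", "é(male)4p'd555"]))  # (0, {0xFAEF: 0x3A})
```

Passing a Box 1 name with two different operand characters to `move_id` shows directly which OR/SUB pair yields a given move ID, which is the substitution the post above describes.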

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: spamviech
Date: 2017-10-22 17:38:56

> Here's a breakdown of Box 1:
>
> A ;Useless char that does nothing

More like an ignored character. With the usual setup (Quagsire holding TM02 with Return as first move) execution starts at the second character of the first box name.
You can literally put whatever character you want here. It's just A as a default, since that's where the cursor starts.

> From a technical standpoint though, what does FMK's code do? What's the advantage to filling the rest of the pc with 5's then writing that for box 13 and 14 as opposed to using the 'return to game' code?
> (Sorry I'm generally rambling and being confused while understanding stuff only as I start to type).
>
> As for FMK's code, I'm not sure. It loads different values into a and then into three different addresses, none of which I know anything about. What I do know is that Box 13 and 14 are required in every use because they repair the stack to a playable state.
>
> Hope this helped!

FMK's code puts the 'return to game' code into Box 13 and 14.
Filling the boxes with 5's is just a save passing code so execution reaches the return to game part.
The advantage is you don't have to engineer it yourself every time you write a new code, since you have to use a character normally not available. And you also have to figure out where to put it.
Otherwise part of the code always has to be "put the instruction for INC SP at the right place before it is executed". Due to the limited charset (in most cases) this also restricts your available space to write code to a bit more than 8 box names, part of which is the 'return to game' code.

Hope this wasn't too techy.

> With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).

Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Dragon Arbock
Date: 2017-10-22 18:24:32


> With enough examples I could reverse engineer the pokemon formula and the DV formula, but this seems to be different (not targeting the first pokemon in the party, and changing the code for box 1 as opposed to box 2).
>
> Targeting the fourth move of Pokémon 5 is simply because we can reach it directly with available characters. Therefore Box 1 can be used to get the ID for the desired move. The code of Box 2 then writes it.

Oh, so you simply can't target pokemon 1?
And if we're using the FMK setup now, how do you convert old codes like this to work with that set up?
Box 1: A p 0 k 'v A 5 5
Box 2: é 'm 2 p p 0 5 5
Box 3: é A 4 p 'v 7 'v 'd
Box 4: é (male) 2 p é D 9 'l
Box 5: 'l 5 5 5 5 5 5 5
Box 6: 5 5 5 A 'l x 'd 5

Cause when I used a code that needed FMK's code (The give all TMs code), I ended up renaming all my boxes after so I could go back to using the other codes I'd been using.

Re: Arbitrary code execution in Gold/Silver UE using the Coin Case

Posted by: Couldntthinkofaname
Date: 2017-10-22 19:35:16
(Apologies for late reply)

If you wish to convert the code to work with the TM 25 setup, then this should work:

Box 1: Ap0k'vA55
Box 2: é'm2pp055
Box 3: éA4p'v7'v'd
Box 4: é(male)2péD95
Box 5: p'd555555

If you're meaning to use this with coin case, then it should already work as is, provided you executed the one-off code prior.


> Oh, so you simply can't target pokemon 1?

Nope (at least not with moveset data). Pokemon 1's lower byte is not able to be represented with characters. However, some code developers have written self-modifying box name codes as a workaround. Still, it's much easier to just use addresses that can be represented as is, so we target pokemon 5, move 4, as both the high byte and low byte are able to be represented with 4 and (male) respectively.