Author Topic: Viet Crystal: ACE with Mobile System GB?  (Read 440 times)


MarcinTVP8

Viet Crystal: ACE with Mobile System GB?
« on: December 19, 2016, 08:42:44 am »
Looks like I found a glitch in Viet Crystal.

When you select MOBILE and try to access the Card Folder, there is a big chance that the game will crash and restart in "glitch dimension" mode.

I'm not sure if it works in English Crystal, because the save file from Japanese Crystal crashed the game when loading the map. I saw that there is no Mobile option here, either...

Will it be a new method for ACE?

I included a save file with Mobile option enabled for someone to test it out.

Charmy

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #1 on: December 19, 2016, 09:41:14 am »
A) This isn't Viet Crystal (unless you just used a save from Bing Crystal).
B) Just a translation error.

camper

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #2 on: December 19, 2016, 09:52:07 am »
Well, in fact there are probably lots of arbitrary crashes in Viet Crystal that can be used for ACE...

Guess where this is?

MarcinTVP8

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #3 on: December 19, 2016, 10:04:45 am »
I have patched BingCrystal with the Viet Crystal patch, then patched it again, this time to enable a debug menu, from where I enabled the Mobile function.

I did not change the name of the ROM.

We need to know the address from where the code would be executed to create programs.

Torchickens

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #4 on: December 19, 2016, 10:09:12 am »
> Looks like I found a glitch in Viet Crystal.
>
> When you select MOBILE and try to access the Card Folder, there is a big chance that the game will crash and restart in "glitch dimension" mode.
>
> I'm not sure if it works in English Crystal, because the save file from Japanese Crystal crashed the game when loading the map. I saw that there is no Mobile option here, either...
>
> Will it be a new method for ACE?
>
> I included a save file with Mobile option enabled for someone to test it out.

This sounds nice.

If you load the game on BGB, open the debugger and go to debug>access breakpoints you can set a breakpoint to A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way if there is any arbitrary code execution the emulator will open up the debugger at the place it's executing the code. Good luck!
« Last Edit: December 19, 2016, 10:10:49 am by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Myri for my avatar! Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).


Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

MarcinTVP8

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #5 on: December 19, 2016, 11:23:15 am »
Results:

1. result:
ROM0:2FF7 12          ld    (de),a          ;2  2
2. result:
ROM0:3011 22          ldi   (hl),a          ;2  13
ROM5:402B EA 00 A0    ld    (A000),a        ;4  22
3. result (invalid opcode):
ECH0:E0CF EC          -                     ;0  8
4. result (invalid opcode):
ECH0:E139 D3          -                     ;0  7

Háčky

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #6 on: December 19, 2016, 01:04:44 pm »
You’d need some way of activating the mobile features in Viet Crystal. Simply plugging in a Mobile Adapter GB doesn’t work.

The reason is that Viet Crystal altered a byte at 01:6594, changing the call to function 5B:4000 (which is used to check for the Mobile Adapter GB on startup) into a call to 01:4000 (which displays the string “Waiting…!” during a link cable connection?).

SatoMew

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #7 on: December 19, 2016, 01:32:38 pm »
> You’d need some way of activating the mobile features in Viet Crystal. Simply plugging in a Mobile Adapter GB doesn’t work.
>
> The reason is that Viet Crystal altered a byte at 01:6594, changing the call to function 5B:4000 (which is used to check for the Mobile Adapter GB on startup) into a call to 01:4000 (which displays the string “Waiting…!” during a link cable connection?).

Was that the only change regarding the Mobile System GB? Perhaps all that's necessary is to revert it and set the equivalent addresses to the ones in a Japanese Crystal save file ($E800, $9000).
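
One way to check whether that byte is the only difference is to diff the two ROM images and report each change in the bank:address notation used above. This is an added example, not a tool from the thread; the images are constructed stand-ins, and the byte values 5B and 01 are assumed to be the bank operand of the call.

```python
BANK_SIZE = 0x4000  # Game Boy ROM is banked in 16 KiB units

def to_offset(bank, addr):
    """Convert bank:addr notation (e.g. 01:6594) to an offset in the ROM file."""
    lo, hi = (0x0000, 0x3FFF) if bank == 0 else (0x4000, 0x7FFF)
    if not lo <= addr <= hi:
        raise ValueError(f"{bank:02X}:{addr:04X} is outside the bank's address window")
    return bank * BANK_SIZE + (addr - lo)

def to_banked(offset):
    """Convert a ROM file offset back to (bank, addr)."""
    bank, rel = divmod(offset, BANK_SIZE)
    return bank, rel + (0x4000 if bank else 0)

def diff_roms(original, modified):
    """List every differing byte as (bank, addr, original_byte, modified_byte)."""
    if len(original) != len(modified):
        raise ValueError("images differ in size; compare headers before diffing bytes")
    return [(*to_banked(i), a, b)
            for i, (a, b) in enumerate(zip(original, modified)) if a != b]

def constructed_images():
    """Two 4-bank stand-in images (not real ROM data) differing only at 01:6594."""
    original = bytearray(4 * BANK_SIZE)
    off = to_offset(0x01, 0x6594)
    original[off] = 0x5B          # assumed: bank operand of the call to 5B:4000
    modified = bytearray(original)
    modified[off] = 0x01          # assumed: the same call now targets 01:4000
    return bytes(original), bytes(modified)

if __name__ == "__main__":
    for bank, addr, a, b in diff_roms(*constructed_images()):
        print(f"{bank:02X}:{addr:04X}  {a:02X} -> {b:02X}")
```

Run against two real images, any line beyond 01:6594 in the output is a further change that would also need reviewing.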

TheZZAZZGlitch

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #8 on: December 19, 2016, 02:07:50 pm »
> If you load the game on BGB, open the debugger and go to debug>access breakpoints you can set a breakpoint to A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way if there is any arbitrary code execution the emulator will open up the debugger at the place it's executing the code.

I think you meant 'on execute'.

Also, Viet Crystal has a lot of crashes caused by invalid text commands. All of them could potentially be exploitable, similar to the Coin Case glitch.
« Last Edit: December 19, 2016, 02:08:42 pm by TheZZAZZGlitch »

Torchickens

Re: Viet Crystal: ACE with Mobile System GB?
« Reply #9 on: December 21, 2016, 04:01:02 pm »
>> If you load the game on BGB, open the debugger and go to debug>access breakpoints you can set a breakpoint to A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way if there is any arbitrary code execution the emulator will open up the debugger at the place it's executing the code.
>
> I think you meant 'on execute'.
>
> Also, Viet Crystal has a lot of crashes caused by invalid text commands. All of them could potentially be exploitable, similar to the Coin Case glitch.

Oops, yeah my mistake. Thanks TheZZAZZGlitch.

MarcinTVP8, if you still want to find the first execution from RAM, try 'on execute' instead of 'on write'. Sorry for giving you the wrong instructions.

The parameters I shared are for RAM locations, and in case you don't know, the Game Boy writable memory allocation is like this:

$FF80-$FFFE   Zero Page - 127 bytes
$FF00-$FF7F   Hardware I/O Registers
$FEA0-$FEFF   Unused
$FE00-$FE9F   OAM - Object Attribute Memory
$E000-$FDFF   Echo RAM
$D000-$DFFF   Internal RAM - Bank 1-7 (switchable - CGB only)
$C000-$CFFF   Internal RAM - Bank 0 (fixed)
$A000-$BFFF   Cartridge RAM (If Available)
$9C00-$9FFF   BG Map Data 2
$9800-$9BFF   BG Map Data 1
$8000-$97FF   Character RAM

If the debugger comes up at one of these locations, you may be able to write to those addresses (right click on the value; modify code/data) and this will be your code to execute. Then, if you have code written, the only obstacle is writing code there and executing it without cheating.

Note many times you will come across execution at memory addresses that aren't the most manipulable, or that could be overwritten. Arbitrary code execution may in fact be common when the game is confronted with a bad operation, and also for undefined things (like glitch items) but is not as often manipulable.

E0CF and E139 (which would be 01xxCFE0 and 01xx39E1 in a GameShark code) are not documented on our list of GameShark codes (containing Japanese Crystal addresses) but if luck is good hopefully we can find a unique way of executing arbitrary code in this version.

Hope that helps. :)
« Last Edit: December 21, 2016, 04:29:11 pm by Torchickens »
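
As an added example (not code from any poster in this thread), the Python helper below classifies the debugger stops reported in reply #5 against the memory map above, resolves Echo RAM to the internal RAM it mirrors, and formats the 01xxCFE0-style GameShark code. The function names, the ROM rows of the table and the undefined-opcode set are additions; the stop lines are copied from the thread.

```python
# Added example: triage BGB stop lines against the memory map from the post.
REGIONS = [  # (start, end, name, writable); RAM rows as listed above, ROM rows added
    (0x0000, 0x3FFF, "ROM bank 0", False),
    (0x4000, 0x7FFF, "ROM bank N", False),
    (0x8000, 0x97FF, "Character RAM", True),
    (0x9800, 0x9BFF, "BG Map Data 1", True),
    (0x9C00, 0x9FFF, "BG Map Data 2", True),
    (0xA000, 0xBFFF, "Cartridge RAM", True),
    (0xC000, 0xCFFF, "Internal RAM bank 0", True),
    (0xD000, 0xDFFF, "Internal RAM bank 1-7", True),
    (0xE000, 0xFDFF, "Echo RAM", True),
    (0xFE00, 0xFE9F, "OAM", True),
    (0xFEA0, 0xFEFF, "Unused", True),
    (0xFF00, 0xFF7F, "Hardware I/O Registers", True),
    (0xFF80, 0xFFFE, "Zero Page", True),
]
# Opcode bytes the Game Boy CPU does not define.
INVALID = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}

def region_of(addr):
    for start, end, name, writable in REGIONS:
        if start <= addr <= end:
            return name, writable
    return "not in table", False

def backing_addr(addr):
    """Echo RAM $E000-$FDFF mirrors internal RAM $C000-$DDFF."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr

def gameshark(addr, value):
    """01 + value byte + address low byte + address high byte (01xxCFE0 for $E0CF)."""
    return f"01{value:02X}{addr & 0xFF:02X}{addr >> 8:02X}"

def triage(line):
    """Parse 'LABEL:ADDR OPCODE ...' as printed by the debugger and classify the stop."""
    fields = line.split(":", 1)[1].split()
    addr, opcode = int(fields[0], 16), int(fields[1], 16)
    name, writable = region_of(addr)
    return {"addr": addr, "region": name, "in_writable_memory": writable,
            "backing_addr": backing_addr(addr), "invalid_opcode": opcode in INVALID}

# Stop lines copied from reply #5 of this thread.
STOPS = ["ROM0:2FF7 12 ld (de),a", "ROM5:402B EA 00 A0 ld (A000),a",
         "ECH0:E0CF EC -", "ECH0:E139 D3 -"]

if __name__ == "__main__":
    for s in STOPS:
        t = triage(s)
        print(f"${t['addr']:04X} {t['region']:<12} ram={t['in_writable_memory']} "
              f"backing=${t['backing_addr']:04X} invalid={t['invalid_opcode']}")
```

The two ROM stops are instructions that performed a write, while the two ECH0 stops are the program counter itself sitting in Echo RAM, whose contents are those of $C0CF and $C139 in internal RAM.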