Author Topic: New Viridian Forest arbitrary code execution method  (Read 819 times)


Princess Torchic ❤

New Viridian Forest arbitrary code execution method
« on: September 11, 2017, 05:01:03 pm »
It looks like an interesting new arbitrary code execution has been discovered, which with luck manipulation might be the fastest (and A-pressless) method so far. I don't know who discovered it though.

This method involves death-warping at the final Bug-Catcher in Viridian Forest. If you then return to the forest without pressing Start, it will trigger a battle with the Bug-Catcher again and activate meta-map script 06 (D618=06). Defeating him will trigger yet another battle, but if you win this one you're free to walk around with glitch script initiation active.

Then, for some reason, if you proceed to mash A in front of and defeat this Bug-Catcher, the game will execute F8FF in Echo RAM, which falls through to F9AC (D9AC), a copy of your player's name. Then, if your player's name is mMna.♀tF (ac e2 a0 f2 f5 b3 85 50), with some specific other requirements, it is yet another way of entering the Hall of Fame.

I only just found out about this method today, but there is more information about this glitch in this document:
https://docs.google.com/document/d/1l10apKvZgTeOSEKeuhgHVGC73z9-f2FTkuUKHZaPVEA/edit

If we can modify this glitch for non-speedrunning purposes perhaps it could be useful for those wanting to do other things or obtain the expanded items pack without MissingNo.

Video by entrpntr:
https://www.youtube.com/watch?v=rhvyKspOsoo
Hi! I identify as female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.

Ah.. koucha ga oishii ♪

Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:
If you like, please contact me by private message here on the forums as I no longer check other places very often.

YouTube: http://www.youtube.com/user/ChickasaurusGL

I like to collect interesting video games. ^_^
https://www.vgcollect.com/Torchickens

Give love, receive love, repeat. But in order to love others you must first love yourself unconditionally, even if it means abandoning pressure from projects or taking time off work and empathise with the self as you are your own best friend. The key often is simply to follow your heart, your urges and have faith they are valid; use them to do what you want to do as long as it doesn't harm anyone, and/or sympathise and respect it as we all have bad days (even the prettiest rose has thorns but is still beautiful).

Krys3000

Re: New Viridian Forest arbitrary code execution method
« Reply #1 on: September 12, 2017, 04:04:06 am »
Very interesting! I'll work on this asap. There should be a way to use it smoothly. Ways to get the expanded item packs without MissingNo. are game changers for all those games that can't do it :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

TheZZAZZGlitch

Re: New Viridian Forest arbitrary code execution method
« Reply #2 on: September 12, 2017, 06:22:32 am »
I analyzed how this works:
- The deathwarp and the two trainer battles advance the map script index to 0x06 (three trainer encounters in total, each one advances the index twice; Crystal_ once did a nice video explaining how trainer battles affect the script index values).
- Viridian Forest script 0x06 happens to point to $5180, bank 0x18.
- At this address we have some accidental code, created by interpreting the trainer encounter text (ViridianForestText4) as CPU instructions:
ViridianForestText4:
  ld ($5A21), sp
  ld d, c
  call TalkToTrainer
  jp TextScriptEnd

Which triggers a glitch textbox, but thankfully, does nothing harmful to the game.
- Then, we trigger another trainer battle in Viridian Forest, which advances the current map script to index 0x08.
- Viridian Forest script 0x08 happens to point to $24F4.
- Again some accidental code, but this time, it was sourced from the item pick up text (PickUpItemText):
PickUpItemText:
  ld ($5C3E), sp
  call Predef
  jp TextScriptEnd

This one, however, isn't so nice to the game, since it executes an invalid predefined function 0xF4 (calling Predef with A=0xF4).
- Predef 0xF4 happens to execute code from $F808, which is the echo RAM equivalent of $D808.
- Arbitrary code execution magic happens

Any trainer can be fought as the last one - I believe the only reason they chose the Bug Catcher closest to the entrance is because he would be the fastest to get to in a speedrun.

Adapting this exact method for general use is most likely impossible, since it requires insane levels of luck manipulation, and planning for it from the very beginning of the game. But a similar procedure can most likely be applied to any other map - so there should be a way to find a different route with different trainers, where the code execution happens from a more predictable location (like Pokemon boxes or inventory data).

Also, it's funny to look at how a strategy originally meant for the A Button Challenge has inspired a new speedrun route, along with a new way of achieving arbitrary code execution.
« Last Edit: September 12, 2017, 06:23:38 am by TheZZAZZGlitch »
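To illustrate the "accidental code" step in the analysis above, here is an added Python example (not code from the thread or from the pokered project). It decodes constructed byte images of the two text routines both as the text engine reads them (a TX_ASM byte, then asm) and as the CPU reads them when a map script jumps straight at the first byte, where 0x08 is `ld (a16), sp` and swallows the next two bytes. The operands of the hidden `ld hl` / `ld a` are inferred from the disassembly in the post; the call/jp targets are placeholder addresses, not the real ROM locations.

```python
# Added example (not from the thread or pokered): why a text routine becomes
# "accidental code" when a map script jumps straight at its first byte.
TX_ASM = 0x08  # text-command byte meaning "asm follows, run it"

# Placeholder ROM addresses for the three routines (NOT the real ones).
LABELS = {0x1111: "TalkToTrainer", 0x2222: "Predef", 0x3333: "TextScriptEnd"}

# Constructed byte images; the ld hl / ld a operands are inferred from the
# disassembly quoted in the post, the call/jp targets are placeholders above.
VIRIDIAN_FOREST_TEXT4 = bytes([
    0x08,              # TX_ASM
    0x21, 0x5A, 0x51,  # ld hl, $515A   (trainer header pointer, inferred)
    0xCD, 0x11, 0x11,  # call TalkToTrainer
    0xC3, 0x33, 0x33,  # jp TextScriptEnd
])
PICK_UP_ITEM_TEXT = bytes([
    0x08,              # TX_ASM
    0x3E, 0x5C,        # ld a, $5C      (predef id, inferred)
    0xCD, 0x22, 0x22,  # call Predef
    0xC3, 0x33, 0x33,  # jp TextScriptEnd
])

def _imm16(buf, i):
    return buf[i] | (buf[i + 1] << 8)  # little-endian 16-bit operand

def _sym(addr):
    return LABELS.get(addr, f"${addr:04X}")

def disassemble(buf, start=0):
    """Decode buf as LR35902 instructions beginning at byte offset `start`."""
    out, i = [], start
    while i < len(buf):
        op = buf[i]
        if op == 0x08:    # ld (a16), sp: 3 bytes, so it eats two text bytes
            out.append(f"ld (${_imm16(buf, i + 1):04X}), sp"); i += 3
        elif op == 0x21:  # ld hl, d16
            out.append(f"ld hl, ${_imm16(buf, i + 1):04X}"); i += 3
        elif op == 0x3E:  # ld a, d8
            out.append(f"ld a, ${buf[i + 1]:02X}"); i += 2
        elif op == 0x51:  # ld d, c
            out.append("ld d, c"); i += 1
        elif op == 0xCD:  # call a16
            out.append(f"call {_sym(_imm16(buf, i + 1))}"); i += 3
        elif op == 0xC3:  # jp a16
            out.append(f"jp {_sym(_imm16(buf, i + 1))}"); i += 3
        else:
            raise ValueError(f"opcode {op:02X} is outside this demo's table")
    return out

def as_text_engine(buf):
    """How the text engine reads it: TX_ASM, then code starting one byte later."""
    assert buf[0] == TX_ASM, "not a TX_ASM text routine"
    return ["TX_ASM"] + disassemble(buf, 1)
```

Compare `disassemble(PICK_UP_ITEM_TEXT)` with `as_text_engine(PICK_UP_ITEM_TEXT)`: the CPU view never executes `ld a, $5C`, so Predef is called with whatever A already held (0xF4 in the route above).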

Charmy

Re: New Viridian Forest arbitrary code execution method
« Reply #3 on: September 12, 2017, 09:11:02 am »
So, how many A presses does this take?
But, can it be done in 0.5 A presses?
"Time is mone
Go along then" - Old Man


TMZ4 is the BEST TM while the sucky Channel is the best channel.

Princess Torchic ❤

Re: New Viridian Forest arbitrary code execution method
« Reply #4 on: September 12, 2017, 10:19:58 am »
> Very interesting! I'll work on this asap. There should be a way to use it smoothly. Ways to get the expanded item packs without MissingNo. are game changers for all those games that can't do it :)

Yeah :) at the very least it's a nice curiosity you can beat the game this early.

> Adapting this exact method for general use is most likely impossible, since it requires insane levels of luck manipulation, and planning for it from the very beginning of the game. But a similar procedure can most likely be applied to any other map - so there should be a way to find a different route with different trainers, where the code execution happens from a more predictable location (like Pokemon boxes or inventory data).

Thanks for your research TheZZAZZGlitch! I thought so too in regards to game completion, but turns out if you have a Link Cable and a game with the 61896 (F1C8) ID (available from item 30's quantity and item 31 in item underflow) you could in theory trade it over to the other game. The 61896 manip for a real console/BGB as well might not be too hard.

I don't understand the FFF1 (Charmander) and FEF0 (Bulbasaur) Spearow manips though. Maybe those aren't needed if you're not speedrunning and just give Spearow with high enough stats to survive the battles.

I did some tests on BGB and I was able to replicate what they did in the speedrun (without the manips and a cheat code to apply the right ID) and the glitch worked, sending me to the Hall of Fame. I think it's amazing how they could manipulate that with just two instances of the player's name and the F1C8.

When I tried the glitch on VBA though multiple times it didn't work, so maybe VBA doesn't emulate it correctly or I was just really unlucky.

Caveat

Re: New Viridian Forest arbitrary code execution method
« Reply #5 on: September 12, 2017, 01:34:23 pm »
Cool! This could REALLY decrease the amount of A-presses!

It still amazes me that we can still find things in these games.
HOLD ME, I'M A PALE MACHINE
LIFE IS JUST OKAY OUT HERE, ANYONE CAN SEE
I'M LONELY, WITH MY PALE MACHINE
EYES WILL RUN WITH TIRED TEARS, LIVING LIKE A DREAM


Japanese Glitchdex
Petscop Thread

Twitter
(warning: contains bad grammar and copious rambling)

ISSOtm

Re: New Viridian Forest arbitrary code execution method
« Reply #6 on: September 12, 2017, 05:58:39 pm »
If it uses Echo RAM it's not going to work in VBA lel
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Parzival

Re: New Viridian Forest arbitrary code execution method
« Reply #7 on: September 13, 2017, 09:00:30 am »
Another one? C'mon...
Ask me about betrayal.
Ask me about depression.
Ask me about death.
Ask me about destruction.
Ask me about hardship.
I've been through s**t.
If you need to talk to someone, my PM inbox is always open.

ALERT: WE ONLY NEED ONE MORE VOTE TO GAIN BACK NET NEUTRALITY! CLICK THE BANNER BELOW TO JOIN THE FIGHT!

jfb1337

Re: New Viridian Forest arbitrary code execution method
« Reply #8 on: September 17, 2017, 09:38:25 am »
So that makes like 14 or 15 now?

ISSOtm

Re: New Viridian Forest arbitrary code execution method
« Reply #9 on: September 17, 2017, 09:54:11 am »
I think 14

Parzival

Re: New Viridian Forest arbitrary code execution method
« Reply #10 on: September 17, 2017, 02:51:38 pm »
> I think 14

I thought this made like 25 or something. Isn't there a list floating around somewhere?

Princess Torchic ❤

Re: New Viridian Forest arbitrary code execution method
« Reply #11 on: September 18, 2017, 06:56:30 am »
> If it uses Echo RAM it's not going to work in VBA lel

This was done on a version of VBA that supports Echo RAM. The problem may have been related to how the code changes HRAM and/or incorrect VRAM inaccessibility emulation (which apparently means the execution is done at F8FF instead of F80F according to entrpntr in the above video's comments).

ISSOtm

Re: New Viridian Forest arbitrary code execution method
« Reply #12 on: September 21, 2017, 09:04:08 am »
Let's just point out that VBA doesn't correctly emulate multi-byte read instructions, i.e. it reads sooner than it should. The implication here is that maybe the timing until VRAM locks is tight enough to be that.
Also, is VRAM locking emulated at all?

entrpntr

Re: New Viridian Forest arbitrary code execution method
« Reply #13 on: September 23, 2017, 09:09:38 pm »
> I don't understand the FFF1 (Charmander) and FEF0 (Bulbasaur) Spearow manips though. Maybe those aren't needed if you're not speedrunning and just give Spearow with high enough stats to survive the battles.

Just to clarify, Spearow's purpose in the speedrun is indeed entirely unrelated to the ACE. It is the fastest Pokémon to beat the endgame bug catcher boss rush, and attack/speed/defense/HP are to make the fights as efficient/safe as can be. The bad special is to die to Pikachu faster, and Spearow's nickname is part of luck manipulation that yields a Pika Thundershock crit to OHKO Spearow. (EDIT: Successfully catching Spearow is also manipulated, but this requires different setups for Charmander vs Bulbasaur, which is why multiple manipulations were listed in the route document.)
« Last Edit: September 23, 2017, 09:21:22 pm by entrpntr »