Topic: ASLR scripts/overlays confirmed on hardware!

RETIRE

ASLR scripts/overlays confirmed on hardware!
« on: March 13, 2018, 04:19:08 pm »
Edit: After nearly a year I decided to revisit this subject and was able to get the Hall of Fame script working on hardware.
Here's the video evidence:
https://www.youtube.com/watch?v=d740tdPTTDM&feature=youtu.be

Also a long video showing off how to do this on hardware / explaining this a bit more in depth:
https://youtu.be/z5taufgobuA

I said Map 168 but it was Map ID 163.

For anyone who has not read the HoO document, out of bounds scripts (oob scripts for short) are scripts and overlays loaded via RETIRE when there aren't at least 4 scripts in runtime in the current map id.
For nearly a year it was unknown how to recreate it, even on an emulator; however, while testing a different glitch I accidentally stumbled upon it.

ASLR

When you start up your console, Address Space Layout Randomization kicks into action.
It does what the name implies: it randomises the address space for memory.
Because of this, it's supposed to be harder to use Action Replay codes and other hacking tools.
From the looks of it, there are 64 different randomisations that you could get on startup.
As you might have guessed by now, the section of memory used by RETIRE if there are fewer than 4 scripts will be randomised.
This means that there are 64 different results/map id you could potentially get from using RETIRE. Before we go further, let's show some examples.

Odd continuous surfing script: https://www.youtube.com/watch?v=9HR-yCyEuLo
Changing player name: https://www.youtube.com/watch?v=hp2TKubjBC0&t=18s
Changing map width/coordinates/void: https://www.youtube.com/watch?v=2LkBXYXW_Xk
Choosing new starters: https://www.youtube.com/watch?v=CzuMAdM_kPA

These are just some examples, and I'll show more later in the thread.

As you can see, the results can be quite spectacular.
As far as I've noticed, these scripts only activate if the map id has some kind of script in its runtime.
If it does not, it doesn't do anything. This might mean that RETIRE reads this as the data needed.
But, remember when I said that there are only 64 randomisations?
While this is in fact true, it doesn't mean we can't get more results/map.

In the void, there's a specific set of maps that are used in the Battle Tower.
These Battle Tower maps move bytes by about 8000. This also influences the results heavily, and actually gives you 2x64, or 128 results/map!

We have been actively looking for ways to get some kind of ACE with this.
To end off, I'll add some more fun scripts!

 
« Last Edit: October 28, 2018, 11:14:59 am by RETIRE »
Hey, I mainly focus on generation 4 glitches and specialise in voidspecific glitches.

If you'd like to see progress on gen 4 research you can watch my videos here:
https://www.youtube.com/c/RETIREglitch

Feel free to send me pms on the forum or add me on discord by tagging me in the glitchcity laboratories server ^•^

RETIRE

Re: ASLR scripts/overlays confirmed on hardware!
« Reply #1 on: August 28, 2018, 06:47:31 am »
I will also edit the post above, I was finally able to get an ASLR script working on hardware.
Gen 4 is closer to ACE than ever before.

https://www.youtube.com/watch?v=d740tdPTTDM&feature=youtu.be

Princess Torchic Owl Lover ☽ ❤

Re: ASLR scripts/overlays confirmed on hardware!
« Reply #2 on: August 28, 2018, 08:15:09 am »
Instant win script. Wow! :O Great find. :)

So, these ASLR scripts: is there a chance that certain invalid scripts could land in RAM? (Not sure how DS memory works.)

✿ Hi, I'm Evie. Sex male, and spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman. Call me whichever pronouns you like. :)

War does not determine who is right or wrong; only who is loudest.
Athena follower. I know that some people view it as idolism, but I follow the spirit in relation to her and God too.

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

RETIRE

Re: ASLR scripts/overlays confirmed on hardware!
« Reply #3 on: August 28, 2018, 09:07:25 am »
It should be possible to get some invalid script that then ends up in RAM, or a valid script but utilising invalid data (like the battles, but with the enemy Pokémon data being read from unrelated RAM addresses). Depending on what scripts are accessible on hardware without straight up crashing, landing in RAM that can be manipulated should be feasible.

RETIRE

Re: ASLR scripts/overlays confirmed on hardware!
« Reply #4 on: October 02, 2018, 08:16:53 am »
Update: found a script that seems to be causing an overflow somewhere. Besides that, alt-RETIRE gives access to different ASLR based scripts, and different languages of the game have different ASLR seeds, and therefore there could be scripts (that might give access to ACE) that are exclusive to one language of the game. I also wrote a setup for hardware testing of ASLR scripts by combining wrong warp and the RETIRE trick, allowing you to reset the game and spawn in front of a house with the menu. Then you simply enter and press RETIRE, hoping you get the desired script once you hit the seed.

This is the route: (open to modification/improvement?)

Use Explorer Kit under the house for ASLR script calling
(or between addresses Base+22ADA and Base+41ADA, the range of accessible addresses with wrong warps)

1) Set up fast wrong warp
Tweak into Poketch Co.

1 S
20 E
480 N
sr
14 N
188 E
sr
214 W
479 S
graphic reload
full speed south
graphic reload

2 S
3 W

Talk to NPC from above
Reset after saved game
Fly to jubilife city

Tweak into Poketch Co.

1 S
17 W
14 N
510 W
sr
32 W
2737 S
33 W
1 E
78 S
128 E
1 S cutscene if first time entering
17 S
63 E if cutscene / 64 E if no cutscene
177 N
1 N cutscene

18 S
96 W
114 N
1 W
1 E mapscript cynthia battle

Intentionally lose battle

Enter top floor of any Pokémon Center

4 W
15 N
6 E

graphic reload
full speed south
graphic reload

2 S
2 E

Talk to NPC from above
Reset after saved game

This puts you where you used the Explorer Kit earlier, with the
Pal Park menu accessible :)
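A route like the one posted above is easy to mis-copy before trying it on hardware, so here is a small checker (an added example, not the author's code) that parses the step notation, resolves the "if cutscene / if no cutscene" branch, and reports the net tile displacement. It assumes that each "<count> <direction>" line moves exactly that many tiles and that lines without a leading count ("sr", "graphic reload") are non-movement markers; the embedded route is a constructed excerpt of the posted one.

```python
import re

# Unit vectors for the N/S/E/W step notation used in the posted route.
DIRS = {"N": (0, 1), "S": (0, -1), "E": (1, 0), "W": (-1, 0)}
STEP_RE = re.compile(r"^(\d+)\s+([NSEW])\b\s*(.*)$")

# Constructed sample: an excerpt of the route in the post above, including
# its branching line and non-movement markers ("sr", "graphic reload").
SAMPLE_ROUTE = """\
128 E
1 S cutscene if first time entering
17 S
63 E if cutscene / 64 E if no cutscene
177 N
1 N cutscene
sr
graphic reload
18 S
96 W
"""


def parse_route(text, cutscene=True):
    """Return ([(count, direction, note), ...], [marker lines])."""
    steps, markers = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        branches = [b.strip() for b in line.split("/")]
        chosen = branches[0]
        if len(branches) > 1:
            # Pick the alternative whose note matches the cutscene flag.
            want = "if cutscene" if cutscene else "if no cutscene"
            chosen = next((b for b in branches if want in b), branches[0])
        m = STEP_RE.match(chosen)
        if m:
            steps.append((int(m.group(1)), m.group(2), m.group(3)))
        else:
            markers.append(chosen)  # assumed: no movement on this line
    return steps, markers


def net_displacement(text, cutscene=True):
    """Net (east, north) tile offset after walking the whole route."""
    steps, _ = parse_route(text, cutscene)
    dx = dy = 0
    for count, direction, _note in steps:
        ux, uy = DIRS[direction]
        dx, dy = dx + count * ux, dy + count * uy
    return dx, dy
```

Comparing the two branch results shows exactly how far the first-visit cutscene variant drifts from the repeat-visit one.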