Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.


Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-18 09:29:58
I wrote a bot that runs through a given ROM and tries to find how the corresponding sound bank would behave.
Here is the bot's source (in C): http://pastebin.com/DzFuWzz9
Here is the report for Pokémon Yellow: http://pastebin.com/RpEDNEyX

Obviously, it is extremely bulky, and is often wrong when the bank doesn't immediately crash, but at least it helps.

Pokémon Yellow results:
[table]
[tr]
[td]Bank #[/td][td]Effect / Commentary[/td]
[/tr]
[tr]
[td]00 / 01[/td][td]TheZZAZZGlitch pointed out : it tries to learn an invalid move forever.[/td]
[/tr]
[tr]
[td]03[/td][td]Crashes (STOP).[/td]
[/tr]
[tr]
[td]04[/td][td]Crashes (invalid opcode F4).[/td]
[/tr]
[tr]
[td]05[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]06[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]07[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]09[/td][td]Does a bunch of stuff. Should be investigated.[/td]
[/tr]
[tr]
[td]0A[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]0B[/td][td]Writes ((a OR h + c) XOR $FF) to hl + 1, then returns. (UNSURE)[/td]
[/tr]
[tr]
[td]0C[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]0D[/td][td]If the Z flag is set, returns. Otherwise crashes (rst 18h).[/td]
[/tr]
[tr]
[td]0E[/td][td]Maybe returns, otherwise crashes (invalid opcode D3). (To investigate)[/td]
[/tr]
[tr]
[td]0F[/td][td]Returns nicely.[/td]
[/tr]
[tr]
[td]10[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]11[/td][td]Does some memory writes, HALTs a lot, returns if D72C bit 4 is nonzero, otherwise does stuff that should be investigated.[/td]
[/tr]
[tr]
[td]12[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]13[/td][td]Crashes (rst 30h).[/td]
[/tr]
[tr]
[td]14 to 18[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]19[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]1A[/td][td]To investigate, but does a bunch of lds.[/td]
[/tr]
[tr]
[td]1B[/td][td]Decrements sp, does a bunch of stuff, to investigate.[/td]
[/tr]
[tr]
[td]1C[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]1D[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]1E[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]21 and 22[/td][td]NOP slide to VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]23[/td][td]Runs a RRA, sends that value to FF3F (some sound thing), then returns if that RRA was nonzero (I guess it is?).[/td]
[/tr]
[tr]
[td]24[/td][td]NOP slides into VRAM. High chances to crash.[/td]
[/tr]
[tr]
[td]25[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]26[/td][td]Crashes (rst 20h).[/td]
[/tr]
[tr]
[td]27[/td][td]Crashes (invalid opcode F4).[/td]
[/tr]
[tr]
[td]28 to 2A[/td][td]Crash (rst 20h).[/td]
[/tr]
[tr]
[td]2B[/td][td]Crashes (invalid opcode F4).[/td]
[/tr]
[tr]
[td]2C[/td][td]Crashes (rst 20h).[/td]
[/tr]
[tr]
[td]2D[/td][td]Does a lot of stuff (including adding $A8 to SP), then possibly slides into VRAM. To investigate.[/td]
[/tr]
[tr]
[td]2E[/td][td]Crashes (invalid opcode F4).[/td]
[/tr]
[tr]
[td]2F[/td][td]Sexually harasses a memory address (writes the same value to it 200+ times in a row), writes loads of stuff to some I/O ports, then calls 3082. Should be investigated.[/td]
[/tr]
[tr]
[td]30[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]31[/td][td]Does a RRCA, and returns if that is nonzero. If it is, add 0F to SP, and returns if the RRCA + b is nonzero. Otherwise crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]32[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]33[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]34[/td][td]NOP slides into VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]35[/td][td]Crashes (rst 28h).[/td]
[/tr]
[tr]
[td]36 to 38[/td][td]Crash (rst 38h).[/td]
[/tr]
[tr]
[td]39[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]3A and 3B[/td][td]NOP slide into VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]3C[/td][td]ret nc, otherwise crashes.[/td]
[/tr]
[tr]
[td]3D[/td][td]NOP slides into VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]3E[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]3F[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]40 to 7F[/td][td]Crashes (rst 38h).[/td]
[/tr]
[/table]

To summarize, here are the banks that do not crash or NOP slide:
00/01, 05, 09, 0B, 0D, 0E, 0F, 11, 1A, 1B, 1E, 23, 2D, 2F, 31, 3C and 3E.

Here are the banks that should be investigated:
05, 09, 0B, 0E, 11, 1A, 1B, 23, 2D, 2F, and 3E.

Re: Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-18 17:36:34
I know this is double-posting, but I felt it was justified.

TheZZAZZGlitch found that invalid sound banks jumped to 0x6BD4.
After struggling a bit with the Red ROM, I found that invalid sound banks jump at 0x58EA.
That jump occurs at 0x2408 in the ROM (the bytes there are CD EA 58), and the code doesn't check for the correct bank either. So, I ran the same bot as previously, only I edited the offset.

[table]
[tr]
[td]Bank #[/td][td]Effect[/td]
[/tr]
[tr]
[td]00/01[/td][td]Jumps in the middle of some code. To investigate.[/td]
[/tr]
[tr]
[td]03[/td][td]Crashes (rst 08h).[/td]
[/tr]
[tr]
[td]04[/td][td]Crashes (STOP).[/td]
[/tr]
[tr]
[td]05[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]06[/td][td]Jumps in the middle of some code. To investigate.[/td]
[/tr]
[tr]
[td]07[/td][td]Loads hl into sp, then jumps to 3C49. This has few chances of going well, but should be investigated anyways.[/td]
[/tr]
[tr]
[td]09[/td][td]Writes C to (hl), loads h into d, XOR d, then calls (nc) 187C. To investigate.[/td]
[/tr]
[tr]
[td]0A[/td][td]Tries to decrement $1CXX (XX being the ID of the sound), then does stuff. To investigate.[/td]
[/tr]
[tr]
[td]0B[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]0C[/td][td]Crashes (invalid opcode ED).[/td]
[/tr]
[tr]
[td]0D[/td][td]Does stuff, should be investigated.[/td]
[/tr]
[tr]
[td]0E[/td][td]Crashes (STOP).[/td]
[/tr]
[tr]
[td]0F[/td][td]Calls 3C49. To investigate.[/td]
[/tr]
[tr]
[td]10[/td][td]Calls 10:5807. To investigate.[/td]
[/tr]
[tr]
[td]11[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]12[/td][td]Calls 103E. To investigate.[/td]
[/tr]
[tr]
[td]13[/td][td]Crashes (rst 38h).[/td]
[/tr]
[tr]
[td]14[/td][td]Seems to jump in the audio caller. To investigate.[/td]
[/tr]
[tr]
[td]15[/td][td]Loads $24D6 into hl, then returns.[/td]
[/tr]
[tr]
[td]16[/td][td]Crashes (invalid opcode ED).[/td]
[/tr]
[tr]
[td]17[/td][td]Messes with the registers, then calls 31CC. To investigate.[/td]
[/tr]
[tr]
[td]18[/td][td]Crashes (rst 10h).[/td]
[/tr]
[tr]
[td]19 and 1A[/td][td]Crash (rst 38h).[/td]
[/tr]
[tr]
[td]1B[/td][td]Crashes (invalid opcode FC).[/td]
[/tr]
[tr]
[td]1C[/td][td]Calls 3E6D. To investigate.[/td]
[/tr]
[tr]
[td]1D[/td][td]To investigate.[/td]
[/tr]
[tr]
[td]1E[/td][td]Crashes (STOP).[/td]
[/tr]
[tr]
[td]20 to 22[/td][td]Crash (rst 20h).[/td]
[/tr]
[tr]
[td]23[/td][td]Crashes (invalid opcode E4).[/td]
[/tr]
[tr]
[td]24 to 27[/td][td]Crash (rst 20h).[/td]
[/tr]
[tr]
[td]28[/td][td]Crashes (invalid opcode F4).[/td]
[/tr]
[tr]
[td]29[/td][td]Crashes (rst 20h).[/td]
[/tr]
[tr]
[td]2A[/td][td]NOP slides into VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]2B[/td][td]Crashes (rst 30h).[/td]
[/tr]
[tr]
[td]2C to 3F[/td][td]NOP slides into VRAM. High chances of crashing.[/td]
[/tr]
[tr]
[td]40 to 7F[/td][td]Crashes (rst 38h).[/td]
[/tr]
[/table]

Here are the non-crashing / NOP sliding banks in Red (unconfirmed for Blue, though):
00/01, 06, 07, 09, 0A, 0D, 0F, 10, 11, 12, 14, 17, and 1C.
All of these should also be investigated for their effects, but there possibly is a chance that we will find ACE. Maybe.

Re: Invalid sound banks examination

Posted by: TheUnReturned
Date: 2016-07-19 07:21:43

[table][tr][td]2F[/td][td]Sexually harasses a memory address (writes the same value to it 200+ times in a row), writes loads of stuff to some I/O ports, then calls 3082. Should be investigated.
ok[/td][/tr][/table]

Re: Invalid sound banks examination

Posted by: Torchickens
Date: 2016-07-19 10:01:25
Nice research!

Re: Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-19 10:31:28
It's unfinished, though, as my bot was too dumb to properly analyze code.
If you look at its source, you will notice it always follows conditional branches, even when they cannot be met.
Example, taken from the Red file:

ROM09:58EC xor d AA
ROM09:58ED call nc, $187C D4 7C 18
Jumping to 187C.
ROM09:187C add a, $CD C6 CD

This call always occurs (due to the xor resetting the c flag)

ROM09:187E xor a AF
ROM09:187F jr nz, 79 20 79
Jumping to FA.
ROM09:18FA xor a AF

Because xor a always sets the z flag, this jump never occurs. The bot followed it, though.

Also, I forgot to mention Red's file : http://pastebin.com/n0Yn0PtX
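The two posts above describe the same tool from two angles: the first post's bot walks a bank linearly and sorts each outcome into "NOP slide into VRAM", "rst 38h", "invalid opcode", "STOP", "returns" or "to investigate", and this post explains its blind spot (it follows `jr nz` after `xor a`, which can never be taken, and `call nc` after `xor d`, which always is). As an added example that is my own code, not ISSOtm's bot or anything from the pastebin links, here is a small C tracer that does the same classification but also tracks what it knows about the Z and C flags, so those two cases are resolved the way the post explains. It assumes the Yellow entry address $6BD4 quoted in the first post, the SM83 opcode lengths and flag rules written from memory (anything it does not model is treated as clobbering both flags), and a constructed bank: a 16 KiB buffer padded with a fill byte with a few hand-assembled bytes dropped at the entry point. Conditions it cannot decide are still followed, as the original bot did, so it is a conservative filter rather than a proof.

```c
/* Added example (not ISSOtm's bot): flag-aware linear tracer for SM83 (Game Boy CPU) code in one 16 KiB ROM bank. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BANK_BASE    0x4000u   /* the switchable bank is mapped at $4000-$7FFF; $8000 and up is VRAM */
#define BANK_SIZE    0x4000u
#define YELLOW_ENTRY 0x6BD4u   /* invalid-bank entry address named in the thread */

enum outcome { OUT_RET, OUT_CRASH_RST38, OUT_CRASH_INVALID, OUT_CRASH_STOP, OUT_NOP_SLIDE_VRAM, OUT_TRANSFER, OUT_STEP_LIMIT };
char trace_note[96];           /* human-readable detail of the last verdict */
#define NOTE(...) snprintf(trace_note, sizeof trace_note, __VA_ARGS__)

static int insn_len(uint8_t op)     /* byte length; 0 = one of the 11 encodings the SM83 lacks */
{
    switch (op) {
    case 0xD3: case 0xDB: case 0xDD: case 0xE3: case 0xE4: case 0xEB: case 0xEC: case 0xED:
    case 0xF4: case 0xFC: case 0xFD: return 0;
    case 0x01: case 0x11: case 0x21: case 0x31: case 0x08: case 0xEA: case 0xFA:        /* nn */
    case 0xC2: case 0xC3: case 0xCA: case 0xD2: case 0xDA:                              /* jp */
    case 0xC4: case 0xCC: case 0xCD: case 0xD4: case 0xDC: return 3;                    /* call */
    case 0x06: case 0x0E: case 0x16: case 0x1E: case 0x26: case 0x2E: case 0x36: case 0x3E:
    case 0x18: case 0x20: case 0x28: case 0x30: case 0x38: case 0x10: case 0xCB:
    case 0xC6: case 0xCE: case 0xD6: case 0xDE: case 0xE6: case 0xEE: case 0xF6: case 0xFE:
    case 0xE0: case 0xF0: case 0xE8: case 0xF8: return 2;                               /* n */
    default: return 1;
    }
}

struct flags { int z, c; };    /* what the tracer knows about Z and C: -1 unknown, else 0 or 1 */
static void update_flags(uint8_t op, struct flags *f)
{
    if (op == 0xAF || op == 0x97) { f->z = 1; f->c = 0; }                          /* xor a / sub a */
    else if ((op >= 0xA0 && op <= 0xB7) || op == 0xE6 || op == 0xEE || op == 0xF6) { f->z = -1; f->c = 0; } /* and/xor/or clear C */
    else if ((op & 0xC6) == 0x04) f->z = -1;                                     /* inc/dec r keep C */
    else if ((op >= 0x80 && op <= 0xBF) || (op & 0xC7) == 0xC6 || (op & 0xC7) == 0x07 ||
             (op & 0xCF) == 0x09 || op == 0xCB || op == 0xE8 || op == 0xF8 || op == 0xF1)
        f->z = f->c = -1;                      /* any other flag-writing instruction: forget both */
}

static int cond_taken(uint8_t op, const struct flags *f)   /* 1 holds, 0 fails, -1 unknown */
{
    int cc = (op >> 3) & 3, v = cc < 2 ? f->z : f->c;      /* cc: nz, z, nc, c */
    return v < 0 ? -1 : ((cc & 1) == v);
}

/* bank must hold BANK_SIZE + 2 bytes so an operand straddling $7FFF can be read without a bounds check */
enum outcome trace_bank(const uint8_t *bank, unsigned entry)
{
    struct flags f = { -1, -1 }; unsigned pc = entry;
    for (int step = 0; step < 20000; step++) {              /* a bare NOP slide takes ~5200 steps */
        if (pc < BANK_BASE) { NOTE("control passed to home bank $%04X", pc); return OUT_TRANSFER; }
        if (pc >= BANK_BASE + BANK_SIZE) { NOTE("execution reached $%04X, past ROM", pc); return OUT_NOP_SLIDE_VRAM; }
        uint8_t op = bank[pc - BANK_BASE];
        int len = insn_len(op), t = cond_taken(op, &f);     /* t only meaningful for jr/jp/call/ret cc */
        if (len == 0)   { NOTE("invalid opcode %02X at $%04X", (unsigned)op, pc); return OUT_CRASH_INVALID; }
        if (op == 0xFF) { NOTE("rst 38h at $%04X", pc); return OUT_CRASH_RST38; }
        if (op == 0x10) { NOTE("STOP at $%04X", pc); return OUT_CRASH_STOP; }
        if (op == 0xC9 || op == 0xD9) { NOTE("ret at $%04X", pc); return OUT_RET; }
        if ((op & 0xC7) == 0xC7) { NOTE("rst %02Xh at $%04X", op - 0xC7, pc); return OUT_TRANSFER; }
        unsigned next = pc + len, lo = bank[pc + 1 - BANK_BASE], hi = bank[pc + 2 - BANK_BASE];
        unsigned nn = lo | hi << 8, rel = (pc + 2 + (lo < 0x80 ? lo : lo - 256)) & 0xFFFFu;
        switch (op) {
        case 0xC0: case 0xC8: case 0xD0: case 0xD8:                                   /* ret cc */
            if (t == 1) { NOTE("ret cc at $%04X", pc); return OUT_RET; } break;
        case 0x18: next = rel; break;                                                 /* jr e */
        case 0x20: case 0x28: case 0x30: case 0x38:                                   /* jr cc,e */
            if (t != 0) next = rel; break;            /* skipped only when the flags rule it out */
        case 0xC3: next = nn; break;                                                  /* jp nn */
        case 0xC2: case 0xCA: case 0xD2: case 0xDA: if (t != 0) next = nn; break;     /* jp cc,nn */
        case 0xE9: NOTE("jp hl at $%04X, target unknown", pc); return OUT_TRANSFER;
        case 0xCD: t = 1;                                          /* call nn: fall through */
        case 0xC4: case 0xCC: case 0xD4: case 0xDC:                                   /* call cc,nn */
            if (t != 0) { NOTE("call $%04X at $%04X", nn, pc); return OUT_TRANSFER; } break;
        default: update_flags(op, &f);
        }
        pc = next;
    }
    NOTE("no verdict after 20000 steps"); return OUT_STEP_LIMIT;
}

enum outcome classify(const uint8_t *code, size_t n, uint8_t fill)  /* pad, drop code at entry, trace */
{
    static uint8_t bank[BANK_SIZE + 2];
    memset(bank, fill, sizeof bank);
    if (n) memcpy(bank + (YELLOW_ENTRY - BANK_BASE), code, n);
    return trace_bank(bank, YELLOW_ENTRY);
}

int main(void)
{   /* constructed samples; the last two mirror the Red trace quoted in the thread */
    static const uint8_t xa[] = { 0xAF, 0x20, 0x79, 0xC9 }, xd[] = { 0xAA, 0xD4, 0x7C, 0x18 };
    const struct { const char *name; const uint8_t *code; size_t n; uint8_t fill; } cases[] = {
        { "00-padded bank", NULL, 0, 0x00 }, { "FF-padded bank", NULL, 0, 0xFF },
        { "xor a ; jr nz,+$79 ; ret", xa, 4, 0x00 }, { "xor d ; call nc,$187C", xd, 4, 0x00 } };
    for (size_t i = 0; i < 4; i++)
        printf("%-26s -> %d: %s\n", cases[i].name, classify(cases[i].code, cases[i].n, cases[i].fill), trace_note);
    return 0;
}
```

Run with any C99 compiler; each line of output gives the verdict number (in the order of `enum outcome`) and the note. The `00`-padded bank slides off the end of ROM, the `FF`-padded one stops at the first `rst 38h`, `xor a ; jr nz` falls through to the `ret` instead of following the branch, and `xor d ; call nc,$187C` is reported as a transfer into the home bank, which is as far as a one-bank tracer can see. To run it against a real bank, replace `classify` with a call to `trace_bank` on the 16 KiB slice plus two padding bytes and the entry address for that game.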

Re: Invalid sound banks examination

Posted by: Yeniaul
Date: 2016-07-19 18:43:20
Lots of NOP sleds, huh? Reminds me of when I made the memcpy function (between-pointer copy) slide into the beginning of the ROM… you'd load a savestate, do, well, anything besides moving within the area, and the ROM would suddenly restart… and restart when the copyright screen tries to disappear (so infinitely) as execution jumped back to $B4, and hit my 37-byte NOP sled, sliding to boot code. And then call memcpy for the battle cutscene, jumping back to $B4, the sled. :P

Re: Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-19 19:44:48
Here, I believe it's just that the developers padded ROM banks with zeroes.

For both Yellow and Red, there is a final, large group of banks that all crash with rst 38h. For these, I believe that the developers filled unused ROM banks with FFs. Just like they did for the rst vectors. Boy, what a pack of dummies… even I fitted a FillMemory function in there, so… meh. Game Freak + 1st Gen = (crappy code)^n, with n steadily increasing over time.

Re: Invalid sound banks examination

Posted by: Aldrasio
Date: 2016-07-19 22:23:25

Here, I believe it's just that the developers padded ROM banks with zeroes.

For both Yellow and Red, there is a final, large group of banks that all crash with rst 38h. For these, I believe that the developers filled unused ROM banks with FFs. Just like they did for the rst vectors. Boy, what a pack of dummies… even I fitted a FillMemory function in there, so… meh. Game Freak + 1st Gen = (crappy code)^n, with n steadily increasing over time.


Banks 40-7F aren't filled with anything, because they don't exist on the RBY carts. The carts are all 1MB, meaning they only have banks up to 3F. If the MBC's told to read from a bank that doesn't exist, it just pulls all 1's. This isn't unique to Pokemon, all Gameboy games with a ROM smaller than 2MB do this.

Hell, give this a shot on the original Japanese Red/Green carts with banks 20 and up. The same thing will happen, because they're 512kB carts.

The NOP sleds aren't surprising for the banks above 20 since they generally contain international (non-Japanese) script data and don't have code.

Re: Invalid sound banks examination

Posted by: Yeniaul
Date: 2016-07-19 22:32:04
My father asked me why I like watching games go down in a hellish firestorm of fuck injection corruptions so I exposed him to the harmonious noises of textbox $FE on Route <whatever the hell the route Nugget Bridge is on>. Through his car. At 6 AM. On Volume 99. With my amp as a middleman.

Re: Invalid sound banks examination

Posted by: TheZZAZZGlitch
Date: 2016-07-20 01:15:24


Here, I believe it's just that the developers padded ROM banks with zeroes.

For both Yellow and Red, there is a final, large group of banks that all crash with rst 38h. For these, I believe that the developers filled unused ROM banks with FFs. Just like they did for the rst vectors. Boy, what a pack of dummies… even I fitted a FillMemory function in there, so… meh. Game Freak + 1st Gen = (crappy code)^n, with n steadily increasing over time.


Banks 40-7F aren't filled with anything, because they don't exist on the RBY carts. The carts are all 1MB, meaning they only have banks up to 3F. If the MBC's told to read from a bank that doesn't exist, it just pulls all 1's. This isn't unique to Pokemon, all Gameboy games with a ROM smaller than 2MB do this.

Hell, give this a shot on the original Japanese Red/Green carts with banks 20 and up. The same thing will happen, because they're 512kB carts.

The NOP sleds aren't surprising for the banks above 20 since they generally contain international (non-Japanese) script data and don't have code.


On several emulators I observed a different behavior; the bank number has its two most significant bits truncated, so switching to bank 0x41 actually loads bank 0x01. I have no idea how the real console should behave. Also, if the virtual console emulator and real console behave differently, we could get some exclusive behavior.

If someone has an 8F setup on real hardware/VC, we can try to find out with this item list.

[tt]8F
(Any)
Lemonade    x65
Repel        x32
X Speed      x79
Ultra Ball  x198
Fire Stone  x71
Moon Stone  x35
Water Stone  x201[/tt]

ld a,41
ld e,20
ld b,e
ld c,a
ld (bc),a
add 20
ld b,a
ld a,(bc)
inc hl
ldi (hl),a
ret


If after executing this code the second item's quantity changes to 124 - target console/emulator takes bank numbers modulo 0x40.
If the second item's quantity changes to 255 - target console/emulator grabs blank data from nonexistent banks.

Re: Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-20 07:14:38
I have, I'm gonna try that out on a Rouge (FR Red) VC.

Re: Invalid sound banks examination

Posted by: Spoink
Date: 2016-07-23 20:20:16
I don't get why the developers didn't hook some common code on an RST vector. In Yellow, the address $3E7E is referenced a lot.

Re: Invalid sound banks examination

Posted by: ISSOtm
Date: 2016-07-24 06:46:33
Gen I programming, man. Gen II uses rst instructions a lot. I guess the devs just did infinitely crappy code ><.
This also means they wasted several bytes on bank 0 - the most precious bytes in the entire ROM! - but heh, they did also waste some RAM bytes while using unimaginable trickery to save others.

I don't think the development of Gen I was taken seriously by the devs. Really.

Re: Invalid sound banks examination

Posted by: Bert
Date: 2016-07-24 16:32:29

My father asked me why I like watching games go down in a hellish firestorm of f**k injection corruptions so I exposed him to the harmonious noises of textbox $FE on Route <whatever the hell the route Nugget Bridge is on>. Through his car. At 6 AM. On Volume 99. With my amp as a middleman.


THE ABSOLUTE MADMAN.
H
E

A
B
S
O
L
U
T
E

M
A
D
M
A
N.

Re: Invalid sound banks examination

Posted by: Flandre Scarlet
Date: 2016-07-24 17:11:00

My father asked me why I like watching games go down in a hellish firestorm of f**k injection corruptions so I exposed him to the harmonious noises of textbox $FE on Route <whatever the hell the route Nugget Bridge is on>. Through his car. At 6 AM. On Volume 99. With my amp as a middleman.

What exactly is this and how would I find/recreate it?