Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

Viet Crystal: ACE with Mobile System GB?

Posted by: MarcinTVP8
Date: 2016-12-19 08:42:44
Looks like I found a glitch in Viet Crystal.

When you select MOBILE and try to access the Card Folder, there is a big chance that the game will crash and restart in "glitch dimension" mode.

I'm not sure if it works in English Crystal, because the save file from Japanese Crystal crashed the game when loading the map. I saw that there is no Mobile option here, either…

Will it be a new method for ACE?

I included a save file with the Mobile option enabled for someone to test it out.

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: Charmy
Date: 2016-12-19 09:41:14
A) This isn't Viet Crystal (unless you just used a save from Bing Crystal).
B) Just a translation error.

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: camper
Date: 2016-12-19 09:52:07
Well, in fact there are probably lots of arbitrary crashes in Viet Crystal that can be used for ACE…

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: MarcinTVP8
Date: 2016-12-19 10:04:45
I have patched BingCrystal with the Viet Crystal patch, then patched it again, this time to enable a debug menu from where I enabled the Mobile function.

I did not change the name of the ROM.

We need to know the address from where the code would be executed to create programs.

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: Torchickens
Date: 2016-12-19 10:09:12

Looks like I found a glitch in Viet Crystal.

When you select MOBILE and try to access the Card Folder, there is a big chance that the game will crash and restart in "glitch dimension" mode.

I'm not sure if it works in English Crystal, because the save file from Japanese Crystal crashed the game when loading the map. I saw that there is no Mobile option here, either…

Will it be a new method for ACE?

I included a save file with the Mobile option enabled for someone to test it out.


This sounds nice.

If you load the game on BGB, open the debugger and go to debug>access breakpoints, you can set a breakpoint on A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way, if there is any arbitrary code execution, the emulator will open up the debugger at the place it's executing the code. Good luck!

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: MarcinTVP8
Date: 2016-12-19 11:23:15
Results:

1. result:
ROM0:2FF7 12                          ld    (de),a                              ;2  2
2. result:
ROM0:3011 22                          ldi  (hl),a                                ;2  13
ROM5:402B EA 00 A0                ld    (A000),a                          ;4  22
3. result (invalid opcode):
ECH0:E0CF EC                          -                                            ;0  8
4. result (invalid opcode):
ECH0:E139 D3                          -                                            ;0  7

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: Háčky
Date: 2016-12-19 13:04:44
You'd need some way of activating the mobile features in Viet Crystal. Simply plugging in a Mobile Adapter GB doesn't work.

The reason is that Viet Crystal altered a byte at 01:6594, changing the call to function 5B:4000 (which is used to check for the Mobile Adapter GB on startup) into a call to 01:4000 (which displays the string "Waiting!" during a link cable connection?).

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: SatoMew
Date: 2016-12-19 13:32:38

You'd need some way of activating the mobile features in Viet Crystal. Simply plugging in a Mobile Adapter GB doesn't work.

The reason is that Viet Crystal altered a byte at 01:6594, changing the call to function 5B:4000 (which is used to check for the Mobile Adapter GB on startup) into a call to 01:4000 (which displays the string "Waiting!" during a link cable connection?).


Was that the only change regarding the Mobile System GB? Perhaps all that's necessary is to revert it and set the equivalent addresses to the ones in a Japanese Crystal save file ($E800, $9000).

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: TheZZAZZGlitch
Date: 2016-12-19 14:07:50

If you load the game on BGB, open the debugger and go to debug>access breakpoints, you can set a breakpoint on A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way, if there is any arbitrary code execution, the emulator will open up the debugger at the place it's executing the code.


I think you meant 'on execute'.

Also, Viet Crystal has a lot of crashes caused by invalid text commands. All of them could potentially be exploitable, similar to the Coin Case glitch.

Re: Viet Crystal: ACE with Mobile System GB?

Posted by: Torchickens
Date: 2016-12-21 16:01:02


If you load the game on BGB, open the debugger and go to debug>access breakpoints, you can set a breakpoint on A000-FDFF by entering A000-FDFF in the address box, ticking 'on write' and adding it. This way, if there is any arbitrary code execution, the emulator will open up the debugger at the place it's executing the code.


I think you meant 'on execute'.

Also, Viet Crystal has a lot of crashes caused by invalid text commands. All of them could potentially be exploitable, similar to the Coin Case glitch.


Oops, yeah my mistake. Thanks TheZZAZZGlitch.

MarcinTVP8, if you still want to find the first execution from RAM, try 'on execute' instead of 'on write'. Sorry for giving you wrong instructions.

The parameters I shared are for RAM locations, and in case you don't know, the Game Boy writable memory allocation is like this:

$FF80-$FFFE Zero Page - 127 bytes
$FF00-$FF7F Hardware I/O Registers
$FEA0-$FEFF Unused
$FE00-$FE9F OAM - Object Attribute Memory
$E000-$FDFF Echo RAM
$D000-$DFFF Internal RAM - Bank 1-7 (switchable - CGB only)
$C000-$CFFF Internal RAM - Bank 0 (fixed)
$A000-$BFFF Cartridge RAM (If Available)
$9C00-$9FFF BG Map Data 2
$9800-$9BFF BG Map Data 1
$8000-$97FF Character RAM

If the debugger comes up at one of these locations, you may be able to write to those addresses (right click on the value; modify code/data) and this will be your code to execute. Then, if you have code written, the only obstacle is writing code there and executing it without cheating.

Note that many times you will come across execution at memory addresses that aren't the most manipulable, or that could be overwritten. Arbitrary code execution may in fact be common when the game is confronted with a bad operation, and also for undefined things (like glitch items), but is not as often manipulable.

E0CF and E139 (which would be 01xxCFE0 and 01xx39E1 in a GameShark code) are not documented on our list of GameShark codes (containing Japanese Crystal addresses) but if luck is good hopefully we can find a unique way of executing arbitrary code in this version.

Hope that helps. :)
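Added example, not code from the thread: a small Python helper that takes BGB disassembly lines like the results MarcinTVP8 posted, classifies the address against the memory map above, resolves Echo RAM hits to their C000-DDFF mirror, flags undefined opcodes, and formats the 01xx GameShark notation used in the post. The LINE_RE pattern is my assumption about the shape of BGB's output; the region names and the "IE register" label for FFFF are mine as well.

```python
import re
# Game Boy writable-memory regions, inclusive, as listed in the post above.
REGIONS = [
    (0x8000, 0x97FF, "Character RAM"),
    (0x9800, 0x9BFF, "BG Map Data 1"),
    (0x9C00, 0x9FFF, "BG Map Data 2"),
    (0xA000, 0xBFFF, "Cartridge RAM"),
    (0xC000, 0xCFFF, "Internal RAM bank 0"),
    (0xD000, 0xDFFF, "Internal RAM bank 1-7"),
    (0xE000, 0xFDFF, "Echo RAM"),
    (0xFE00, 0xFE9F, "OAM"),
    (0xFEA0, 0xFEFF, "Unused"),
    (0xFF00, 0xFF7F, "Hardware I/O"),
    (0xFF80, 0xFFFE, "Zero Page"),
]
# The 11 opcodes the Game Boy CPU leaves undefined; EC and D3 from the results above are among them.
INVALID_OPCODES = {0xD3, 0xDB, 0xDD, 0xE3, 0xE4, 0xEB, 0xEC, 0xED, 0xF4, 0xFC, 0xFD}
# Assumed shape of a BGB disassembly line: "<tag>:<addr> <opcode bytes> <mnemonic>...".
LINE_RE = re.compile(r"^([A-Z0-9]{4}):([0-9A-F]{4})\s+((?:[0-9A-F]{2}\s+)*[0-9A-F]{2})")

def region_of(addr):
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    return "ROM" if addr < 0x8000 else "IE register"  # FFFF is the interrupt-enable register

def echo_mirror(addr):
    """Echo RAM (E000-FDFF) mirrors C000-DDFF; return the mirrored address, or None."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else None

def gameshark_code(addr, value=None):
    """RAM-write GameShark notation as in the post: 01, value byte, low address byte, high byte."""
    vv = "xx" if value is None else f"{value:02X}"
    return f"01{vv}{addr & 0xFF:02X}{addr >> 8:02X}"

def analyse_line(line):
    """Classify one breakpoint hit; returns None if the line is not a disassembly line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr = int(m.group(2), 16)
    opcode = int(m.group(3).split()[0], 16)
    return {"tag": m.group(1), "addr": addr, "region": region_of(addr),
            "mirror": echo_mirror(addr), "in_ram": addr >= 0x8000,
            "invalid_opcode": opcode in INVALID_OPCODES, "gameshark": gameshark_code(addr)}
if __name__ == "__main__":
    # Sample input: the four result lines MarcinTVP8 posted above (whitespace collapsed).
    for hit in ["ROM0:2FF7 12  ld (de),a  ;2 2", "ROM5:402B EA 00 A0  ld (A000),a  ;4 22",
                "ECH0:E0CF EC  -  ;0 8", "ECH0:E139 D3  -  ;0 7"]:
        print(analyse_line(hit))
```

A hit whose "in_ram" is true and whose "mirror" is set tells you the same bytes are reachable through the C000-DDFF address as well, which is what makes an Echo RAM hit worth looking at.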