Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.




ASLR scripts/overlays confirmed on hardware!

Posted by: RETIRE
Date: 2018-03-13 17:19:08
Edit: After nearly a year I decided to revisit this subject and was able to get the Hall of Fame script working on hardware.
Here's the video evidence:

Also a long video showing off how to do this on hardware and explaining this a bit more in depth:

I said Map 168 but it was Map ID 163.

For anyone who has not read the HoO document, out-of-bounds scripts (OOB scripts for short) are scripts and overlays loaded via RETIRE when there aren't at least 4 scripts in runtime in the current map ID.
For nearly a year it was unknown how to recreate it, even on an emulator; however, while testing a different glitch I accidentally stumbled upon it.


When you start up your console, Address Space Layout Randomization (ASLR) kicks into action.
It does what the name implies: it randomises the memory address space.
Because of this, it's supposed to be harder to use Action Replay codes and other hacking tools.
From the looks of it, there are 64 different randomisations that you could get on startup.
As you might have guessed by now, the section of memory used by RETIRE when there are fewer than 4 scripts will be randomised.
This means that there are 64 different results/map IDs you could potentially get from using RETIRE. Before we go further, let's show some examples.


Odd continuous surfing script:
Changing player name:
Changing map width/coordinates/void:
Choosing new starters:

These are just some examples, and I'll show more later in the thread.

As you can see, the results can be quite spectacular.
As far as I've noticed, these scripts only activate if the map ID has some kind of script in its runtime.
If it does not, it doesn't do anything. This might mean that RETIRE reads this as the data needed.
But remember when I said that there are only 64 randomisations?
While this is in fact true, it doesn't mean we can't get more results/map.

In the void, there's a specific set of maps that are used in the Battle Tower.
These Battle Tower maps move bytes by about 8000. This also influences the results heavily, and actually gives you 2x64, or 128 results/map!

We have been actively looking for ways to get some kind of ACE with this.
To end off, I'll add some more fun scripts!

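The mechanism the post describes (a per-map script table indexed by RETIRE with no bounds check, sitting at a base that differs between the 64 startup layouts, with the Battle Tower maps adding a further displacement) can be modelled in a few lines of C. The block below is an added illustration and is not code from the original post, from the game, or from any tool it mentions: the stride between candidate bases, the word layout of the table, RETIRE being entry 3, the arena contents and the Battle Tower shift are all assumptions chosen only so the counts the post reports (1 target with 4 scripts, 64 with fewer, 128 once the Battle Tower region is included) fall out of the model.

```c
/* Model of an unchecked per-map script table read under a randomised base.
 * Added illustration, not game code. Stride, table layout, RETIRE's slot
 * number and the Battle Tower shift are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_LAYOUTS          64     /* 64 startup randomisations, as reported */
#define LAYOUT_STRIDE      16     /* assumed: words between candidate bases */
#define RETIRE_INDEX       3      /* assumed: RETIRE is entry 3 of the table */
#define BATTLE_TOWER_SHIFT 2000   /* assumed: "about 8000 bytes" as 32-bit words */
#define ARENA_WORDS (BATTLE_TOWER_SHIFT + N_LAYOUTS * LAYOUT_STRIDE + 64)

static uint32_t arena[ARENA_WORDS];   /* stands in for the heap region */

/* Fill the arena with a full-period LCG so every word is distinct: an
 * out-of-bounds read then tells us exactly which word it landed on. */
static void fill_arena(void)
{
    uint32_t x = 0x2545F491u;                 /* constructed seed */
    for (size_t i = 0; i < ARENA_WORDS; i++) {
        x = x * 1664525u + 1013904223u;
        arena[i] = x;
    }
}

/* Where the current map's script table lands for a given layout; `shift`
 * models the extra displacement the Battle Tower maps introduce. */
static size_t table_base(unsigned layout, size_t shift)
{
    return shift + (size_t)(layout % N_LAYOUTS) * LAYOUT_STRIDE;
}

/* Install a `count`-entry table. Entries are tagged 0x5C000000 | n so a
 * legitimate script is easy to tell apart from heap noise. */
static void install_table(unsigned layout, size_t shift, unsigned count)
{
    size_t base = table_base(layout, shift);
    for (unsigned i = 0; i < count; i++)
        arena[base + i] = 0x5C000000u | (i + 1);
}

/* Vulnerable dispatcher: no bounds check, so RETIRE on a map with fewer
 * than 4 scripts reads whatever follows the table. */
static uint32_t lookup_unchecked(unsigned layout, size_t shift, unsigned idx)
{
    return arena[table_base(layout, shift) + idx];
}

/* Hardened dispatcher: rejects any index outside the map's own table. */
static int lookup_checked(unsigned layout, size_t shift, unsigned count,
                          unsigned idx, uint32_t *out)
{
    if (idx >= count) return -1;
    if (out) *out = arena[table_base(layout, shift) + idx];
    return 0;
}

/* What RETIRE resolves to on a fresh layout with the unchecked dispatcher. */
uint32_t retire_result(unsigned layout, size_t shift, unsigned count)
{
    fill_arena();
    install_table(layout, shift, count);
    return lookup_unchecked(layout, shift, RETIRE_INDEX);
}

/* Same scenario through the checked dispatcher: 0 if served, -1 if refused. */
int retire_result_checked(unsigned layout, size_t shift, unsigned count, uint32_t *out)
{
    fill_arena();
    install_table(layout, shift, count);
    return lookup_checked(layout, shift, count, RETIRE_INDEX, out);
}

/* Number of distinct RETIRE targets across all layouts, optionally counting
 * the Battle Tower region as well. */
unsigned distinct_retire_targets(unsigned count, int with_battle_tower)
{
    uint32_t seen[2 * N_LAYOUTS];
    unsigned n = 0;
    for (int region = 0; region <= with_battle_tower; region++) {
        size_t shift = region ? BATTLE_TOWER_SHIFT : 0;
        for (unsigned l = 0; l < N_LAYOUTS; l++) {
            uint32_t v = retire_result(l, shift, count);
            unsigned k;
            for (k = 0; k < n && seen[k] != v; k++) {}
            if (k == n) seen[n++] = v;
        }
    }
    return n;
}

int main(void)
{
    printf("4-script map: %u target(s)\n", distinct_retire_targets(4, 0));
    printf("2-script map: %u target(s)\n", distinct_retire_targets(2, 0));
    printf("2-script map incl. Battle Tower: %u target(s)\n", distinct_retire_targets(2, 1));
    printf("checked dispatcher on 2-script map: %d\n", retire_result_checked(0, 0, 2, NULL));
    return 0;
}
```

The point of the hardened `lookup_checked` is that it removes the whole result space at once: RETIRE on a map with fewer than four scripts is refused regardless of layout, which is why an unchecked index into a randomised region is what makes the glitch both possible and seed-dependent.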

Re: ASLR scripts/overlays confirmed on hardware!

Posted by: RETIRE
Date: 2018-08-28 07:47:31
I will also edit the post above, I was finally able to get an ASLR script working on hardware.
Gen 4 is closer to ACE than ever before.

Re: ASLR scripts/overlays confirmed on hardware!

Posted by: Torchickens
Date: 2018-08-28 09:15:09
Instant win script. Wow! :O Great find. :)

So with these ASLR scripts, is there a chance that certain invalid scripts could land in RAM? (Not sure how DS memory works.)

Re: ASLR scripts/overlays confirmed on hardware!

Posted by: RETIRE
Date: 2018-08-28 10:07:25
It should be possible to get some invalid script that then ends up in RAM, or a valid script utilising invalid data (like the battles, but with the enemy Pokémon data being read from unrelated RAM addresses). Depending on what scripts are accessible on hardware without straight up crashing, landing in RAM that can be manipulated should be feasible.

Re: ASLR scripts/overlays confirmed on hardware!

Posted by: RETIRE
Date: 2018-10-02 09:16:53
Update: found a script that seems to be causing an overflow somewhere. Besides that, alt-RETIRE gives access to different ASLR-based scripts, and different languages of the game have different ASLR seeds, so there could be scripts (that might give access to ACE) that are exclusive to one language of the game. I also wrote a setup for hardware testing of ASLR scripts by combining wrong warp and the RETIRE trick, allowing you to reset the game and spawn in front of a house with the menu. Then you simply enter and press RETIRE, hoping you get the desired script once you hit the seed.

This is the route (open to modification/improvement?):

Use the Explorer Kit under the house for ASLR script calling
(or between addresses Base+22ADA and Base+41ADA, the range of accessible addresses with wrong warps)

1) Set up fast wrong warp
Tweak into Poketch Co.

1 S
20 E
480 N
14 N
188 E
214 W
479 S
graphic reload
full speed south
graphic reload

2 S
3 W

Talk to NPC from above
Reset after saved game
Fly to jubilife city

Tweak into Poketch Co.

1 S
17 W
14 N
510 W
32 W
2737 S
33 W
1 E
78 S
128 E
1 S (cutscene if first time entering)
17 S
63 E if cutscene / 64 E if no cutscene
177 N
1 N (cutscene)

18 S
96 W
114 N
1 W
1 E (map script: Cynthia battle)

Intentionally lose battle

Enter the top floor of any Pokémon Center

4 W
15 N
6 E

graphic reload
full speed south
graphic reload

2 S
2 E

Talk to NPC from above
Reset after saved game

This puts you where you used the Explorer Kit earlier, with the
Pal Park menu accessible :)