Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

Verifying console/emulator behavior with 8F - Page 1

Verifying console/emulator behavior with 8F

Posted by: TheZZAZZGlitch
Date: 2016-07-20 02:50:32
I planned to do this for a long time. In Gen I, we have a lot of glitches that exploit certain obscure details of the GB hardware or rely on undefined behavior, yet it still isn't exactly clear what behavior is exhibited by certain emulators and the real console. Thankfully, we have an easy way to execute any code we want with 8F. It's a good opportunity to test if everything works exactly as we think it works. I welcome everyone with working 8F setups on VC/console/mobile emulators/other devices to run the following 8F scripts and see if we have 100% accuracy for our glitching purposes.

If my request gets some interest, this table will be filled with data regarding the most important systems.
Also let me know if someone thinks of another relevant test to add.

Last updated 2016-07-22

[table]
[tr]
[td]Platform[/td][td]UnknownOpcodes[/td][td]InvalidBanks[/td][td]VRAMAccess[/td][td]EchoRAM[/td][td]InvalidStop[/td]
[/tr]

[tr][td]Game Boy Color (CGB-001) [/td]
[td]PASS4[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td][/tr]
[tr][td]Game Boy Advance SP (AGS-001) [/td]
[td]PASS4[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td][/tr]
[tr][td]Game Boy Player [/td]
[td]PASS4[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td][/tr]

[tr][td]3DS Virtual Console [/td]
[td]FAIL5[/td]
[td]FAIL6[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]FAIL[/td][/tr]

[tr][td]Stadium 2 GB Tower [/td]
[td]PASS7[/td]
[td]PASS[/td]
[td]FAIL8[/td]
[td]FAIL9[/td]
[td]FAIL[/td][/tr]

[tr][td]bgb 1.4.1 [/td]
[td]PASS1[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td][/tr]
[tr][td]VBA-RR v24 svn440 [/td][td]PASS2[/td][td]PASS[/td][td]PASS[/td][td]PASS[/td][td]FAIL[/td][/tr]
[tr][td]VBA 1.7.2 [/td][td]PASS2[/td][td]FAIL3[/td][td]FAIL[/td][td]FAIL[/td][td]FAIL[/td][/tr]

[tr][td]MyOldBoy v1.1.0 [/td]
[td]FAIL[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]FAIL[/td][/tr]

[tr][td]LameboyDS v0.12 [/td]
[td]FAIL[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS[/td]
[td]PASS10[/td][/tr]

[/table]

1 - the emulator breaks into a debugger every time an undefined opcode is encountered
2 - brings up the infamous message "unknown opcode xx at yyyy"
3 - the result is 127 instead of 124 - this behavior needs to be more thoroughly investigated
4 - the game hangs without any message
5 - unknown opcodes are ignored, most likely because of the emulator hooking them to communicate with the hardware
6 - (probably) always returns 0
7 - displays a message: "The saved data has been corrupted, so it is impossible to CONTINUE. Please reset the game and choose NEW GAME", the save is not corrupted though
8 - (probably) always returns 255 - so VRAM access is enabled not during the V-Blank period, but during the V-Blank interrupt, which changes things dramatically
9 - some other data seems to be stored in the echo RAM area
10 - some corrupted stops work, some not - this is to be expected with undefined behavior

The tests themselves:

UnknownOpcodes

Self-explanatory. This is intended to test whether the target system ignores invalid opcodes, or crashes/halts when they are executed. This behavior could potentially affect any glitches that execute data as code (invalid sound banks, invalid item/move effect pointers).

[tt]8F
(Any)
TM27        x201[/tt]

opcode_e3
ret

If the game continues running after executing the script - FAIL
If the system brings up an error message or the game hangs or crashes - PASS

InvalidBanks

This checks how the system handles switching to non-existent ROM banks. This determines the behavior of glitches that cause invalid bank switches - most commonly invalid sound banks or invalid predefined commands.

[tt]8F
(Any)
Lemonade    x65
Repel        x32
X Speed      x79
Ultra Ball  x198
Fire Stone  x71
Moon Stone  x35
Water Stone  x201[/tt]

ld a,41
ld e,20
ld b,e
ld c,a
ld (bc),a
add 20
ld b,a
ld a,(bc)
inc hl
ldi (hl),a
ret

The third item's quantity changes to 124 - PASS.
Third item's quantity changes to something other than 124, like 255 or 0 - FAIL.
Remember to reset item 3's quantity if you want to repeat the test.

VRAMAccess

VRAM data can only be read or written during V-Blank, H-Blank, or when the LCD screen is turned off. Otherwise, the write operation will be ignored, and all read operations will return FF. This test checks this behavior. Emulation of VRAM inaccessibility is essential for correct behavior of a lot of popular glitches, including Cooltrainer, Super Glitch, Brock Through Walls and any other glitches that attempt to "search through the entire address space".

[tt]8F
(Any)
Lemonade    xAny
Repel        x144
X Speed      x175
PP Up        x35
Moon Stone  x34
TM01        xAny[/tt]

ld a,??
ld e,90
ld b,e
xor a
ld c,a
inc hl
ld a,(bc)
ldi (hl),a
ret

Run the script multiple times in a row and observe the quantity of the third item.
If it changes seemingly randomly between 255 and any other value - PASS
If it never becomes 255, even after trying multiple times - FAIL

EchoRAM

Because of how GB's address line works, RAM addresses $C000~$DDFF are mirrored at $E000~$FDFF. This repeated section of memory is called the echo RAM. Because this feature was hardly used by anyone, several emulators don't support it. This test is intended to verify whether echo RAM is emulated correctly. Emulation of this feature changes the behavior of glitches that cause extensive memory corruption, like Pokemon beyond the sixth slot, or Dokokashira Door Glitch. Also, Coin Case arbitrary code execution won't work without echo RAM emulation.

[tt]8F
(Any)
Lemonade    xAny
Repel        x241
X Speed      x44
Fresh Water  x175
TM06        x88
PP Up        x10
Water Stone  x201[/tt]

ld a,00
ld e,f1
ld b,e
inc l
inc a
xor a
adc a,58
ld c,a
ld a,(bc)
ldi (hl),a
ret

Run the script and check the quantity of item 3.
If it changes to the code of the first letter in the player's name - PASS
If it doesn't change, or changes to a wrong value, like FF or 00 - FAIL

InvalidStop

This is to test how the system reacts to invalid STOP opcodes. This behavior could affect some of the non-ACE Coin Case glitches, along with all glitches that execute data as code (invalid sound banks, invalid item/move effect pointers)

[tt]8F
(Any)
Full Restore x??
TM01        xAny[/tt]

stop ??
ret

Start with an arbitrary amount of Full Restores.
Run the 8F script. If the game crashes/halts whenever the script is executed - PASS
If not, try running the script with a different amount of Full Restores and repeat the process.
If after several tries the game is still running - FAIL.

Re: Verifying console/emulator behavior with 8F

Posted by: TheUnReturned
Date: 2016-07-20 03:01:59

I planned to do this for a long time. In Gen I, we have a lot of glitches that exploit certain obscure details of the GB hardware or rely on undefined behavior, yet it still isn't exactly clear what behavior is exhibited by certain emulators and the real console. Thankfully, we have an easy way to execute any code we want with 8F. It's a good opportunity to test if everything works exactly as we think it works. I welcome everyone with working 8F setups on VC/console/mobile emulators/other devices to run the following 8F scripts and see if we have 100% accuracy for our glitching purposes.

If my request gets some interest, this table will be filled with data regarding the most important systems.
Also let me know if someone thinks of another relevant test to add.

[table]
[tr]
[td]Platform[/td][td]UnknownOpcodes[/td][td]InvalidBanks[/td][td]VRAMAccess[/td][td]EchoRAM[/td][td]InvalidStop[/td]
[/tr]
[tr][td]?[/td][td]?[/td][td]?[/td][td]?[/td][td]?[/td][td]?[/td][/tr]
[/table]

The tests themselves:

UnknownOpcodes

Self-explanatory. This is intended to test whether the target system ignores invalid opcodes, or crashes/halts when they are executed. This behavior could potentially affect any glitches that execute data as code (invalid sound banks, invalid item/move effect pointers).

[tt]8F
(Any)
TM27        x201[/tt]

opcode_e3
ret

If the game continues running after executing the script - PASS
If the system brings up an error message or the game hangs or crashes - FAIL

InvalidBanks

This checks how the system handles switching to non-existent ROM banks. This determines the behavior of glitches that cause invalid bank switches - most commonly invalid sound banks or invalid predefined commands.

[tt]8F
(Any)
Lemonade    x65
Repel        x32
X Speed      x79
Ultra Ball  x198
Fire Stone  x71
Moon Stone  x35
Water Stone  x201[/tt]

ld a,41
ld e,20
ld b,e
ld c,a
ld (bc),a
add 20
ld b,a
ld a,(bc)
inc hl
ldi (hl),a
ret

The third item's quantity changes to 124 - PASS.
Third item's quantity changes to something other than 124, like 255 or 0 - FAIL.
Remember to reset item 3's quantity if you want to repeat the test.

VRAMAccess

VRAM data can only be read or written during V-Blank, H-Blank, or when the LCD screen is turned off. Otherwise, the write operation will be ignored, and all read operations will return FF. This test checks this behavior. Emulation of VRAM inaccessibility is essential for correct behavior of a lot of popular glitches, including Cooltrainer, Super Glitch, Brock Through Walls and any other glitches that attempt to "search through the entire address space".

[tt]8F
(Any)
Lemonade    xAny
Repel        x144
X Speed      x175
PP Up        x35
Moon Stone  x34
TM01        xAny[/tt]

ld a,??
ld e,90
ld b,e
xor a
ld c,a
inc hl
ld a,(bc)
ldi (hl),a
ret

Run the script multiple times in a row and observe the quantity of the third item.
If it changes seemingly randomly between 255 and any other value - PASS
If it never becomes 255, even after trying multiple times - FAIL

EchoRAM

Because of how GB's address line works, RAM addresses $C000~$DDFF are mirrored at $E000~$FDFF. This repeated section of memory is called the echo RAM. Because this feature was hardly used by anyone, several emulators don't support it. This test is intended to verify whether echo RAM is emulated correctly. Emulation of this feature changes the behavior of glitches that cause extensive memory corruption, like Pokemon beyond the sixth slot, or Dokokashira Door Glitch. Also, Coin Case arbitrary code execution won't work without echo RAM emulation.

[tt]8F
(Any)
Lemonade    xAny
Repel        x241
X Speed      x44
Fresh Water  x175
TM06        x88
PP Up        x10
Water Stone  x201[/tt]

ld a,00
ld e,f1
ld b,e
inc l
inc a
xor a
adc a,58
ld c,a
ld a,(bc)
ldi (hl),a
ret

Run the script and check the quantity of item 3.
If it changes to the code of the first letter in the player's name - PASS
If it doesn't change, or changes to a wrong value, like FF or 00 - FAIL

InvalidStop

This is to test how the system reacts to invalid STOP opcodes. This behavior could affect some of the non-ACE Coin Case glitches, along with all glitches that execute data as code (invalid sound banks, invalid item/move effect pointers)

[tt]8F
(Any)
Full Restore x??
TM01        xAny[/tt]

stop ??
ret

Start with an arbitrary amount of Full Restores.
Run the 8F script. If the game crashes/halts whenever the script is executed - PASS
If not, try running the script with a different amount of Full Restores and repeat the process.
If after several tries the game is still running - FAIL.

Whoa, this could expand our understanding on how different glitches work on console
This could open up a loads of possibilities for console-only glitches!
Awesome~
Keep up the good work :D

Re: Verifying console/emulator behavior with 8F

Posted by: Flandre Scarlet
Date: 2016-07-20 06:44:14
Before I attempt these do you think they could damage one's save file after performing?

Re: Verifying console/emulator behavior with 8F

Posted by: ISSOtm
Date: 2016-07-20 07:34:43
None of these tests should have the slightest chance to corrupt save files. There's still the slight chance we missed something, or an unexpected behavior will occur, but that cannot be foreseen. I'm ready to risk my save file, as far as I'm concerned.

I'd also like to point out a useful 8F code for item duplication :

8F
Item to dupe x1 <-- And I MEAN x1 !
Poké Ball x43
Revive x4
TM01x (any)

OR
(...)
Revive x201

That gives you 0 items of the second slot. Throw away X items, and you end up with 256-X items. This allows
1. to get x0 item stacks
2. to bypass Missingno item duping (and since I'm using en EU R/B…)


I ran the InvalidBanks test on a EU R/B 3DS VC, and I got 0 Lemonades.

I tried invalid opcode E4 using TM27 x201, and I got nothing. No crash whatsoever.

I also tried :

8F
Nugget x255 (It was there at the time, meh)
Full Restore x3 (in case the opcode is 1 byte long in this emulation)
TM01 x01
Stuff

And the game just kept running fine !
To check whether the opcode was 1 or 2 bytes wide, I used the following setup :

8F
Revive x4 (shouldn't matter)
Full Restore x1
TM27 x201
Nugget x255
Water Stone x201

Assuming a 1-byte large STOP :

stop
ld bc, $C9E4
ld sp, $22FF
ret

This sets SP in ROM, and that has chances to be deadly to the code flow.
However, assuming a 2-byte STOP :

stop (absorbs the 01)
ret
(doesn't matter)

Which returns fine (according to the above).
Running 8F had the game continue to run fine. So I assume STOP is 2-bytes wide, unless $22FF is a very lucky stack pointer (*cough cough*).

I will be running VRAM and ERAM tests later.

Re: Verifying console/emulator behavior with 8F

Posted by: Stackout
Date: 2016-07-20 10:25:16
…wow.

I knew 3DSVC gb emu hooked some invalid opcodes, but ignoring them all? dafuq?

now, i wonder if they actually do something or if they just act as nops.

Re: Verifying console/emulator behavior with 8F

Posted by: Flandre Scarlet
Date: 2016-07-20 11:44:59
Reporting for US English VC. Tested the opcode and VRAM codes. After opcode nothing happened. VRAM only went to 255 and 0 favoring 255. I use walking in random areas of celadon if that counts for anything.

Re: Verifying console/emulator behavior with 8F

Posted by: Háčky
Date: 2016-07-20 13:49:09
A while back, I noticed that echo RAM doesnt work in GB Tower (in either Pokémon Stadium or Stadium 2). There seemed to be other data at those addresses but I couldnt tell anything about what it was.

I tried running these tests in Stadium 2:

UnknownOpcodes: Fail (The saved data has been corrupted, so it is impossible to CONTINUE. Please reset the game and choose NEW GAME. No, it didnt actually corrupt my save file.)
InvalidBanks: Pass (124)
VRAMAccess: ? (always 255)
EchoRAM: Fail (30)
InvalidStop: Fail

Re: Verifying console/emulator behavior with 8F

Posted by: Torchickens
Date: 2016-07-20 16:17:45
This was fun to do! I will try to perform these tests on English Stadium 1's Game Boy Tower soon. I don't know if I have a DMG anymore, it may be hidden at our old house.

When I tried to set up either 8F or ws m in the EU Virtual Console versions, I had my save file destroyed (no message, only the Continue option removed) by accidentally pressing A on an unterminated name glitch item. It also got erased in Yellow when I used ws m in the wrong box by mistake. Both freezes may have been due to a rst $38. On an emulator (VBA v24 svn422), the erased save behaviour doesn't always occur but I wonder whether it is more likely on the VC versions.

Game Boy Color (CGB-001):
UnknownOpcodes - Pass (game locks-up, music hangs)
InvalidBanks -  Pass (item 3's quantity changes to 124)
VRAMAccess - Pass (item 3's quantity changes to either 0 or 255, seemingly randomly)
EchoRAM - Pass (item 3's quantity changed to 225; the index number for "Pk" (the first character of my name) as expected
InvalidStop  - Pass (I used item 3 quantities of 255 and 254. The game froze with a black screen, one time it froze without a black screen/hanged on selection and music lingered with one of these quantities, I believe it may have been 254)

Game Boy Advance SP (AGS-001):
UnknownOpcodes - Pass (game locks-up, music hangs)
InvalidBanks - Pass (item 3's quantity changes to 124)
VRAMAccess - Pass (item 3's quantity changes to either 0 or 255, seemingly randomly)
EchoRAM - Pass (item 3's quantity changed to 225; the index number for "Pk" (the first character of my name) as expected
InvalidStop - Pass (I used item 3 quantities of 255 and 254, and the game froze with a black screen and music lingering)

Game Boy Player (a GameCube peripheral that can play Game Boy games):

UnknownOpcodes - Pass (game locks-up, music hangs)
InvalidBanks - Pass (item 3's quantity changes to 124)
VRAMAccess - Pass (item 3's quantity changes to either 0 or 255, seemingly randomly)
EchoRAM. - Pass (item 3's quantity changed to 225; the index number for "Pk" (the first character of my name) as expected. I thought this would work because giginet's video of the dokokashira door glitch uses a Game Boy Player.
InvalidStop - Pass (I used item 3 quantities of 255 and 254, and the game would freeze either with a black screen or hang with the music lingering. Is the black screen less likely here? Possibly but it could very well be confirmation bias)

Re: Verifying console/emulator behavior with 8F

Posted by: ISSOtm
Date: 2016-07-20 17:49:49
Torchickens, for the Invalidstop test, could you please also try with item #3 quantity being 3 ? Because FF causes a rst 38h (which always crashes), and FE uses the following byte as an operand. 3 is inc bc, so it would properly return.

Also, gbdev wiki points out the invalid opcodes hang the GB's CPU when executed, so the emulation crahsing should probabbly marked as PASS, no ?

Re: Verifying console/emulator behavior with 8F

Posted by: naf102
Date: 2016-07-20 19:49:09
I tested MyOldBoy (an Android GameBoy emulator):

UnknownOpCodes- Pass (game continues to function)
InvalidBanks- Pass (Item 3's (Lemonade) quantity changes to 124)
VRAM Access- Pass (Item 3's quantity (Lemonade) changes to 255)
EchoRAM-  Pass (Item 3's quantity changes to 129 (which is 81, which is the letter B and my Trainer's  name is BIG M)
InvalidStop-  Failure (No matter how many Full Restores I had in inventory (first I tried 97, then 43, then 143 then 267) the game would not stop running)

Re: Verifying console/emulator behavior with 8F

Posted by: Yeniaul
Date: 2016-07-20 20:05:52
LameboyDS:
UnknownOpCodes: PASS
InvalidBanks: PASS
EchoRAM: PASS
VRAMAccess: PASS
InvalidStop: PASS…? (Some invalid stops work, some don't. Um…?)
Seems to pass with flying colors. The InvalidStop test kinda passed… some worked right, some didn't.
Odd, but okay.

Re: Verifying console/emulator behavior with 8F

Posted by: TheZZAZZGlitch
Date: 2016-07-21 00:53:43
Thank you for all of your responses! I updated the table with all the information you submitted.

I originally didn't know undefined opcodes actually hang the CPU, I expected something similar to the behavior of 6502, where invalid opcodes actually do something - sometimes useful, sometimes not.
Therefore, I will now consider the test to be passed if the game doesn't keep running after executing an invalid instruction, since that's the behavior on real hardware. I updated the test accordingly.

Already we see that some of the glitches will be version exclusive - most importantly, 3DS VC seems to have pretty inaccurate emulation (although most of this stuff is undefined behavior, so they have the right to format my SD card if I try to do this). Some random facts as of now:
- The "MISSINGNO. is trying to learn effect" is 4 times less likely to be seen on 3DS VC.
- Coin Case ACE will not work on Stadium 2's GB Tower.
- 3DS VC most likely ignores invalid opcodes, which means that some crashing glitch items could potentially be more useful there.

Also, superscript inside tables looks weird.

Re: Verifying console/emulator behavior with 8F

Posted by: Yeniaul
Date: 2016-07-21 01:07:47

I originally didn't know undefined opcodes actually hang the CPU, I expected something similar to the behavior of 6502, where invalid opcodes actually do something - sometimes useful, sometimes not.
Therefore, I will now consider the test to be passed if the game doesn't keep running after executing an invalid instruction, since that's the behavior on real hardware.

LameboyDS DID NOT hang with unknown opcodes, it will hop over the instruction and continue. Should probably update that in the table if it's still labeled PASS. :P whoops

And it's LameboyDS version 0.12 if I remember correctly… pretty good for an infant port, right?

Re: Verifying console/emulator behavior with 8F

Posted by: ISSOtm
Date: 2016-07-21 08:02:05
After some item index decrementation (man, I threw that TM06 when I beat Koga a year ago ><), I tested Echo RAM on the Virtual Console, and realized I am on a EU version, so I had to get 5 more TM06. Dumb me.

8F
Super Ball x?6
Lemonade x254
Repel x241
X Speed x44
Fresh Water x175
TM06 x93
PP Up x10
Water Stone x201
Stuff

This gave me 136 Lemonades. My trainer's named ISSOtm, so I guess this is a PASS.


I wanted to give a shot to the Gambatte emulator, so I launched BizHawk on a US Red ROM. Here are the results :


GBDevWiki's description of the STOP instruction is
" stop          10 00        ? —- low power standby mode (VERY low power)"
Actually, STOP behaves like a HALT (do nothing until an interrupt occurs), but this actually disables the LCD driver and enters very low power mode.
This setup (starting from item #3) should do the job of really testing the opcode :

Poké Ball x243
Full Restore x255
Super Ball x251
TM01 x(any)

Code :
inc b
di
stop
inc bc
ei
ret

If the game hangs, the opcode is correctly interpreted -> PASS.
If the game continues, the opcode isn't interpreted correctly -> FAIL.
If the game crashes (in a rst 38h style), the opcode isn't the correct length.
Try again, this time with only 1 .

Re: Verifying console/emulator behavior with 8F

Posted by: naf102
Date: 2016-07-21 16:56:24
Oh and by the way, the version of My OldBoy I tested was v 1.1.0.