Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Arbitrary Code Execution Discussion

New Viridian Forest arbitrary code execution method

Posted by: Torchickens
Date: 2017-09-11 18:01:03
It looks like an interesting new arbitrary code execution method has been discovered, which with luck manipulation might be the fastest (and A-pressless) method so far. I don't know who discovered it though.

This method involves death-warping at the final Bug-Catcher in Viridian Forest. If you then return to the forest without pressing Start, it will trigger a battle with the Bug-Catcher again and activate meta-map script 06 (D618=06). Defeating him will trigger yet another battle, but if you win this one you're free to walk around with glitch script initiation active.


Then, for some reason, if you proceed to mash A in front of this Bug-Catcher and defeat him:

[img]http://i.imgur.com/Yje5Nd7.png[/img]

The game will execute F8FF in Echo RAM, which falls through to F9AC (D9AC), a copy of your player's name. Then, if your player's name is mMna.tF (ac e2 a0 f2 f5 b3 85 50), with some specific other requirements, it is yet another way of entering the Hall of Fame.

I only just found out about this method today, but there is more information about this glitch in this document:
https://docs.google.com/document/d/1l10apKvZgTeOSEKeuhgHVGC73z9-f2FTkuUKHZaPVEA/edit

If we can modify this glitch for non-speedrunning purposes perhaps it could be useful for those wanting to do other things or obtain the expanded items pack without MissingNo.

Video by entrpntr:
https://www.youtube.com/watch?v=rhvyKspOsoo

Re: New Viridian Forest arbitrary code execution method

Posted by: Krys3000
Date: 2017-09-12 05:04:06
Very interesting! I'll work on this asap. There should be a way to use it smoothly. Ways to get the expanded item packs without MissingNo. are game changers for all those games that can't do it :)

Re: New Viridian Forest arbitrary code execution method

Posted by: TheZZAZZGlitch
Date: 2017-09-12 07:22:32
I analyzed how this works:
- The deathwarp and the two trainer battles advance the map script index to 0x06 (three trainer encounters in total, each one advances the index twice; Crystal_ once did a nice video explaining how trainer battles affect the script index values).
- Viridian Forest script 0x06 happens to point to $5180, bank 0x18.
- At this address we have some accidental code, created by interpreting the trainer encounter text (ViridianForestText4) as CPU instructions:
[tt]ViridianForestText4:
  ld ($5A21), sp
  ld d, c
  call TalkToTrainer
  jp TextScriptEnd[/tt]
This triggers a glitch textbox but, thankfully, does nothing harmful to the game.
- Then, we trigger another trainer battle in Viridian Forest, which advances the current map script to index 0x08.
- Viridian Forest script 0x08 happens to point to $24F4.
- Again some accidental code, but this time, it was sourced from the item pick up text (PickUpItemText):
[tt]PickUpItemText:
  ld ($5C3E), sp
  call Predef
  jp TextScriptEnd[/tt]
This one, however, isn't so nice to the game, since it executes an invalid predefined function 0xF4 (calling Predef with A=0xF4).
- Predef 0xF4 happens to execute code from $F808, which is the echo RAM equivalent of $D808.
- Arbitrary code execution magic happens

Any trainer can be fought as the last one - I believe the only reason they chose the Bug Catcher closest to the entrance is because he would be the fastest to get to in a speedrun.

Adapting this exact method for general use is most likely impossible, since it requires insane levels of luck manipulation, and planning for it from the very beginning of the game. But a similar procedure can most likely be applied to any other map - so there should be a way to find a different route with different trainers, where the code execution happens from a more predictable location (like Pokemon boxes or inventory data).

Also, it's funny to see how a strategy originally meant for the A Button Challenge has inspired a new speedrun route, along with a new way of achieving arbitrary code execution.
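
The chain in the two posts above (a map-script index advanced past the end of its pointer table, the bytes beyond it decoded as a pointer, an out-of-range Predef index doing the same, and an echo-RAM pointer resolving to writable WRAM) is the same bug class as any unchecked jump-table index. The following is an added model of that chain for stepping through offline; it is not code from the thread, from the game, or from a disassembly of it. The table locations, sizes, the 3-byte (bank, pointer) predef entry layout and every byte in the constructed ROM image are assumptions, arranged only so that the out-of-range reads land on the addresses the post quotes ($5180, $24F4, $F808); the "two index steps per trainer battle" rule is taken from the post. The echo-RAM mirror ($E000-$FDFF aliases $C000-$DDFF) is Game Boy hardware behaviour.

```python
"""Model of an unchecked jump-table index turning adjacent data into a code
pointer, with Game Boy echo-RAM aliasing. Added example; all table layouts and
ROM bytes below are constructed, not taken from the real game."""
import struct

# --- Game Boy address map (hardware: $E000-$FDFF mirrors WRAM $C000-$DDFF) ---
def region(addr):
    if addr < 0x8000: return "ROM"
    if addr < 0xA000: return "VRAM"
    if addr < 0xC000: return "SRAM"
    if addr < 0xE000: return "WRAM"
    if addr < 0xFE00: return "ECHO"
    if addr < 0xFEA0: return "OAM"
    if addr < 0xFF80: return "IO"
    return "HRAM"

def unmirror(addr):
    """Resolve an echo-RAM address to the WRAM byte it aliases."""
    return addr - 0x2000 if region(addr) == "ECHO" else addr

def ram_backed(addr):
    """True if a jump to addr executes bytes the running game can rewrite."""
    return region(unmirror(addr)) in ("SRAM", "WRAM", "HRAM")

# --- constructed ROM image (hypothetical layout) ----------------------------
ROM = bytearray(0x400)
SCRIPT_TABLE, N_SCRIPTS = 0x0010, 3      # assumed 3-entry map-script pointer table
PREDEF_TABLE, N_PREDEFS = 0x0100, 4      # assumed predef table, 3-byte (bank, ptr) entries
struct.pack_into("<HHH", ROM, SCRIPT_TABLE, 0x1000, 0x1020, 0x1040)
# Bytes assumed to follow the script table: text in the Gen I charmap
# (0x80 = 'A', 0x50 = terminator). Indexes 6 and 8 read pointer pairs out of it.
ROM[SCRIPT_TABLE + 6:SCRIPT_TABLE + 20] = bytes([
    0x87, 0x84, 0x8B, 0x8B, 0x8E, 0x50,  # "HELLO" + terminator
    0x80, 0x51,                          # decoded as pointer $5180 by index 6
    0x7F, 0x7F,
    0xF4, 0x24,                          # decoded as pointer $24F4 by index 8
    0x50, 0x50])
for i, (bank, ptr) in enumerate([(1, 0x4000), (1, 0x4100), (2, 0x4000), (2, 0x4200)]):
    struct.pack_into("<BH", ROM, PREDEF_TABLE + 3 * i, bank, ptr)
# Whatever sits 0xF4 entries past the table in this model: bank 0, pointer $F808.
struct.pack_into("<BH", ROM, PREDEF_TABLE + 3 * 0xF4, 0x00, 0xF808)

# --- the dispatches, as the post describes them --------------------------------
def script_index_after(trainer_battles):
    """Per the post, each trainer encounter advances the map-script index by two."""
    return 2 * trainer_battles

def script_pointer(rom, index):
    """Unchecked table read: the index is trusted, so it may point past the table."""
    return struct.unpack_from("<H", rom, SCRIPT_TABLE + 2 * index)[0]

def predef_target(rom, predef_id):
    """Unchecked 3-byte (bank, pointer) read from the predef table."""
    return struct.unpack_from("<BH", rom, PREDEF_TABLE + 3 * predef_id)

def checked_pointer(rom, base, n_entries, entry_size, index):
    """The check the game lacks: refuse an index outside the table."""
    if not 0 <= index < n_entries:
        raise IndexError(f"index {index:#x} outside table of {n_entries} entries")
    return base + entry_size * index

def trace(rom):
    """Follow the chain: 3 battles, then a 4th battle, then predef 0xF4."""
    steps = []
    for battles in (3, 4):
        idx = script_index_after(battles)
        ptr = script_pointer(rom, idx)
        steps.append(("script", idx, ptr, region(ptr)))
    bank, ptr = predef_target(rom, 0xF4)
    steps.append(("predef", 0xF4, ptr, f"{region(ptr)} -> {unmirror(ptr):#06x} {region(unmirror(ptr))}"))
    return steps

def lands_in_ram(rom):
    """Does the final jump target execute bytes under player/save control?"""
    return ram_backed(predef_target(rom, 0xF4)[1])

if __name__ == "__main__":
    for step in trace(ROM):
        print(step)
    print("final jump target is rewritable RAM:", lands_in_ram(ROM))
```

The check to carry away is the last one: every pointer the chain produces is harmless while `region()` says ROM, and the moment an unmirrored target lands in WRAM or SRAM the bytes executed are whatever the save file, name strings or inventory hold, which is exactly the "predictable location" TheZZAZZGlitch suggests hunting for on other maps.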

Re: New Viridian Forest arbitrary code execution method

Posted by: Charmy
Date: 2017-09-12 10:11:02
So, how many A presses does this take?
but, can it be done in 0.5 A presses

Re: New Viridian Forest arbitrary code execution method

Posted by: Torchickens
Date: 2017-09-12 11:19:58
Quote from: Krys3000
Very interesting! I'll work on this asap. There should be a way to use it smoothly. Ways to get the expanded item packs without MissingNo. are game changers for all those games who can't do it :)

Yeah :) at the very least it's a nice curiosity you can beat the game this early.

Quote from: TheZZAZZGlitch
Adapting this exact method for general use is most likely impossible, since it requires insane levels of luck manipulation, and planning for it from the very beginning of the game. But a similar procedure can most likely be applied to any other map - so there should be a way to find a different route with different trainers, where the code execution happens from a more predictable location (like Pokemon boxes or inventory data).

Thanks for your research, TheZZAZZGlitch! I thought so too in regards to game completion, but it turns out if you have a Link Cable and a game with the 61896 (F1C8) ID (available from item 30's quantity and item 31 in item underflow) you could in theory trade it over to the other game. The 61896 manip for a real console/BGB as well might not be too hard.

I don't understand the FFF1 (Charmander) and FEF0 (Bulbasaur) Spearow manips though. Maybe those aren't needed if you're not speedrunning and just give Spearow with high enough stats to survive the battles.

I did some tests on BGB and I was able to replicate what they did in the speedrun (without the manips and a cheat code to apply the right ID) and the glitch worked, sending me to the Hall of Fame.  I think it's amazing how they could manipulate that with just two instances of the player's name and the F1C8.

When I tried the glitch on VBA though multiple times it didn't work, so maybe VBA doesn't emulate it correctly or I was just really unlucky.

Re: New Viridian Forest arbitrary code execution method

Posted by: Caveat
Date: 2017-09-12 14:34:23
Cool! This could REALLY decrease the amount of A-presses!

It still amazes me that we can still find things in these games.

Re: New Viridian Forest arbitrary code execution method

Posted by: ISSOtm
Date: 2017-09-12 18:58:39
If it uses Echo RAM it's not going to work in VBA lel

Re: New Viridian Forest arbitrary code execution method

Posted by: Parzival
Date: 2017-09-13 10:00:30
Another one? C'mon…

Re: New Viridian Forest arbitrary code execution method

Posted by: jfb1337
Date: 2017-09-17 10:38:25
So that makes like 14 or 15 now?

Re: New Viridian Forest arbitrary code execution method

Posted by: ISSOtm
Date: 2017-09-17 10:54:11
I think 14

Re: New Viridian Forest arbitrary code execution method

Posted by: Parzival
Date: 2017-09-17 15:51:38
Quote from: ISSOtm
I think 14

I thought this made it like 25 or something. Isn't there a list floating around somewhere?

Re: New Viridian Forest arbitrary code execution method

Posted by: Torchickens
Date: 2017-09-18 07:56:30
Quote from: ISSOtm
If it uses Echo RAM it's not going to work in VBA lel

This was done on a version of VBA that supports Echo RAM. The problem may have been related to how the code changes HRAM and/or incorrect VRAM inaccessibility emulation (which apparently means the execution is done at F8FF instead of F80F according to entrpntr in the above video's comments).

Re: New Viridian Forest arbitrary code execution method

Posted by: ISSOtm
Date: 2017-09-21 10:04:08
Let's just point out that VBA doesn't correctly emulate multi-byte read instructions, i.e. it reads sooner than it should. The implication here is that maybe the timing until VRAM locks is tight enough to be that.
Also, is VRAM locking emulated at all?

Re: New Viridian Forest arbitrary code execution method

Posted by: entrpntr
Date: 2017-09-23 22:09:38
Quote from: Torchickens
I don't understand the FFF1 (Charmander) and FEF0 (Bulbasaur) Spearow manips though. Maybe those aren't needed if you're not speedrunning and just give Spearow with high enough stats to survive the battles.

Just to clarify, Spearow's purpose in the speedrun is indeed entirely unrelated to the ACE. It is the fastest Pokémon to beat the endgame bug catcher boss rush, and attack/speed/defense/HP are to make the fights as efficient/safe as can be. The bad special is to die to Pikachu faster, and Spearow's nickname is part of luck manipulation that yields a Pika Thundershock crit to OHKO Spearow. (EDIT: Successfully catching Spearow is also manipulated, but this requires different setups for Charmander vs Bulbasaur, which is why multiple manipulations were listed in the route document.)

Re: New Viridian Forest arbitrary code execution method

Posted by: Torchickens
Date: 2018-03-23 14:27:22
Gifvex did a TAS of this glitch, which was published on the TASVideos website yesterday.

http://tasvideos.org/5859S.html
https://www.youtube.com/watch?v=7MI_s3xcE-c