Submission #8674: lazycurler's PSX Crash Bash "game end glitch" in 01:36.59

Platform: Sony PlayStation
Branch: game end glitch
Emulator: BizHawk 2.9.1
Frame count: 5779 (Cycle Count 3271253487)
Frame rate: 59.832659247540604
Rerecords: 1494
Start type: PowerOn
ROM: Crash Bash (J) (V1.0) [!].bin
Submitted by lazycurler on 10/10/2023 2:48:49 AM
Submission Comments
Human-feasible, hardware-verified, Arbitrary Code Execution (ACE) in the Japanese version of Crash Bash (クラッシュ・バンディクー カーニバル). This route uses ACE to skip to the end-game credits without playing a single mini-game. This technique relies on a series of a few hundred precise D-Pad inputs to modify the game's code, allowing the player to skip to the final credits. This route does not rely on any pixel-perfect setups nor time-sensitive inputs. It does, however, require multiple buttons (up to all 4) on the D-Pad to be pressed simultaneously on the same frame. The route takes roughly 35 seconds RTA to complete (from the player spawning in the Warp Room until the credits begin to roll).
Emulator: BizHawk 2.9.1
The ROM checksums (SHA1) are:
SCPH5500.BIN = b05def971d8ec59f346f2d9ac21fb742e3eb6917
Crash Bandicoot Carnival (Japan).bin = cd4636cebb580f4adcd6334879fdaf401d13768f
Online checksum SHA1: (https://emn178.github.io/online-tools/sha1_checksum.html)
An earlier, slightly less optimized version. This submitted version saves a couple of frames by pressing circle and directional buttons at the same time where possible. Along with the gameplay and TAS inputs, this video also shows the two memory regions of interest and visualizes how memory is navigated. https://youtu.be/XHBzD3LvANY
What follows is a high-level overview of this run/technique. For a more rigorous and technical explanation, I would strongly recommend taking a look at the accompanying writeup on my github. https://github.com/lazycurler/CrashBashResearchACE/tree/main/writeup
The run begins after the player has selected a new character and enters the Warp Room for the first time. The player heads straight to Save Station and enters the "Enter Name" Menu. From here, the cursor is navigated out of the intended menu space by pressing multiple directional buttons at once. This exploit was found by BetaM back in 2017 and is the foundation for the existing Memory Manipulation category and, indeed, this new route. Without going into too much detail, when outside of the intended bounds of the menu it is possible to write NOPs every 168 bytes. The location of a given NOP is dependent on the cursor location.
The first part of code to be modified is used to increase the number of addresses in memory that can be changed. The cursor is then navigated to a new area that changes what happens when the "Enter Name" menu is accessed. The game's code is then further modified to allow a (practically) unlimited number of characters to be written. This change takes effect only after the player exits and re-enters the menu.
When the menu is re-entered, the cursor is again navigated off the screen. Specific characters, not normally accessible from the menu, are selected to begin writing new code. This code is designed such that, when run, it will modify the existing game's code further. The target of this modification is the code responsible for preventing a player from warping to a new Warp Room without first collecting a specified number of collectables. Once this new code (or payload) has been written the cursor is again moved to a new location to NOP out another piece of code, this time modifying where new characters will be inserted.
Once characters can be written to a new region, more characters are written using the menu's regular name writing functionality. This change tricks the game into running the code that was written in the previous section: the payload. Once the payload has been run, the collectable check is removed and the player can safely exit the "Enter Name" menu. From there, the player can simply walk to the Warp Room selector and select Warp Room 5. The first time the player goes to Warp Room 5 the end credits are played. This marks the end of the run.
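Since the run is only reproducible against the exact BIOS and ROM dumps listed in the submission, a local check against the two SHA1 values given above is worth scripting rather than pasting files into an online tool. The script below is an added example, not part of the submission or its writeup; the digests are the ones listed on this page, while the file names (and the BIOS_PATH/ROM_PATH overrides) are assumed and may need adjusting to the local dump locations.

```shell
#!/bin/sh
# Added example: verify local BIOS/ROM dumps against the SHA1 digests listed in the submission.
# Assumes sha1sum (coreutils) or shasum is available; file paths are assumptions.

sha1_of() {
    # Print the lowercase SHA1 hex digest of the file "$1".
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

verify_sha1() {
    # verify_sha1 FILE EXPECTED_HEX
    # Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING  $file"; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, want $expected)"
    return 1
}

check_submission_files() {
    # Digests are those listed in the submission; default paths are assumptions
    # and can be overridden with BIOS_PATH and ROM_PATH.
    status=0
    verify_sha1 "${BIOS_PATH:-SCPH5500.BIN}" \
        b05def971d8ec59f346f2d9ac21fb742e3eb6917 || status=1
    verify_sha1 "${ROM_PATH:-Crash Bandicoot Carnival (Japan).bin}" \
        cd4636cebb580f4adcd6334879fdaf401d13768f || status=1
    return $status
}

# Run the check only when invoked as: sh verify_roms.sh check
case "${1-}" in
    check) check_submission_files ;;
esac
```

Run it as `ROM_PATH=/path/to/dump.bin sh verify_roms.sh check`; a non-zero exit means at least one of the two files is missing or does not match, which is the first thing to rule out before attempting to sync the input file on either emulator or console.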

Darkman425: Claiming for judging.
Darkman425: First of all, replacing the input file with one that has the correct cycle count, and changing the branch label to "game end glitch" to keep in line with other publications on the site.
The technical writeup on how the exploit works and how the payload is set up was incredibly helpful for understanding what's going on under the hood. Neat that the specific payload works on real console. Nice work navigating the unstable space of offscreen name entering! Who knew that going off of the intended menu space could be so unstable?
Accepting to Standard.

Spikestuff: Processing...
Last Edited by Spikestuff on 10/24/2023 12:56 AM