Submission #9675: CasualPokePlayer's GB Fushigi no Dungeon: Fuurai no Shiren GB: Tsukikage Mura no Kaibu "arbitrary code execution" in 04:06.51

Game Boy
arbitrary code execution
(Submitted: arbitrary code execution)
(Submitted: Fushigi no Dungeon - Fuurai no Shiren GB - Tsukikage Mura no Kaibutsu (Japan) (SGB Enhanced).gb JPN)
BizHawk 2.10
Frames: 28839804 (cycle count 516969510)
Frame rate: 116992.30122528503
Rerecords: 2326
Start type: PowerOn
ROM SHA-1: 920ef94c05ac741047a266cb1668c881eab2937c
Submitted by CasualPokePlayer on 4/25/2025 5:36 PM
Submission Comments
Bad Apple, for Shiren GB1.
The initial payload is rather simple, it simply switches the SRAM bank to 3, then proceeds to jump to $A006. This uses the following payload:
; save file name
ld hl,$5003   ; $5003 lies in the MBC's RAM-bank-number register range ($4000-$5FFF)
ld [hl],l     ; store L = $03 there: SRAM bank 3 is now mapped at $A000-$BFFF
; rng bytes
add hl,hl     ; HL = $5003 * 2 = $A006
jp hl         ; jump to $A006 in the freshly selected bank
The next payload is in SRAM, in bank 3. This game keeps a "replay" of the last room done. This is stored within bank 3 of SRAM. This gives some leeway towards writing a larger payload, but ultimately it's just barely good enough to write a better payload. Here's a tracelog of this "large" payload:
A006:  01 8B 00  ld bc, $008B        A:01 F:00 B:28 C:01 D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792318
A009:  44        ld b, h             A:01 F:00 B:00 C:8b D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792324
A00A:  0B        dec bc              A:01 F:00 B:a0 C:8b D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792326
A00B:  00        nop                 A:01 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792330
A00C:  84        add a, h            A:01 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792332
A00D:  84        add a, h            A:a1 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792334
A00E:  07        rlca                A:41 F:10 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792336
A00F:  07        rlca                A:82 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792338
A010:  2B        dec hl              A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792340
A011:  20 03     jr nz, $A016        A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792344
A016:  02        ld [bc], a          A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792350
A017:  00        nop                 A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792354
A018:  0B        dec bc              A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792356
A019:  07        rlca                A:05 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792360
A01A:  07        rlca                A:0a F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792362
A01B:  00        nop                 A:14 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792364
A01C:  84        add a, h            A:14 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792366
A01D:  84        add a, h            A:b4 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792368
A01E:  07        rlca                A:54 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792370
A01F:  07        rlca                A:a8 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792372
A020:  07        rlca                A:51 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792374
A021:  84        add a, h            A:a2 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792376
A022:  2B        dec hl              A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792378
A023:  20 03     jr nz, $A028        A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792382
A028:  02        ld [bc], a          A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792388
A029:  00        nop                 A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792392
A02A:  0B        dec bc              A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792394
A02B:  00        nop                 A:42 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792398
A02C:  84        add a, h            A:42 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792400
A02D:  84        add a, h            A:e2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792402
A02E:  84        add a, h            A:82 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792404
A02F:  84        add a, h            A:22 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792406
A030:  2B        dec hl              A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792408
A031:  20 03     jr nz, $A036        A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792412
A036:  02        ld [bc], a          A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792418
A037:  00        nop                 A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792422
A038:  0B        dec bc              A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792424
A039:  07        rlca                A:c2 F:00 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792428
A03A:  84        add a, h            A:85 F:10 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792430
A03B:  84        add a, h            A:25 F:10 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792432
A03C:  2B        dec hl              A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792434
A03D:  20 03     jr nz, $A042        A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2e SP:dfdd  Cy:56792438
A042:  02        ld [bc], a          A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2e SP:dfdd  Cy:56792444
A043:  00        nop                 A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792448
A044:  0B        dec bc              A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792450
A045:  00        nop                 A:c5 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792454
A046:  84        add a, h            A:c5 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792456
A047:  07        rlca                A:65 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792458
A048:  84        add a, h            A:ca F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792460
A049:  07        rlca                A:6a F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792462
A04A:  07        rlca                A:d4 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792464
A04B:  84        add a, h            A:a9 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792466
A04C:  07        rlca                A:49 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792468
A04D:  84        add a, h            A:92 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792470
A04E:  2B        dec hl              A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792472
A04F:  20 03     jr nz, $A054        A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792476
A054:  02        ld [bc], a          A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792482
A055:  00        nop                 A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792486
A056:  0B        dec bc              A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792488
A057:  00        nop                 A:32 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792492
A058:  84        add a, h            A:32 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792494
A059:  84        add a, h            A:d2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792496
A05A:  84        add a, h            A:72 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792498
A05B:  84        add a, h            A:12 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792500
A05C:  84        add a, h            A:b2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792502
A05D:  84        add a, h            A:52 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792504
A05E:  2B        dec hl              A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792506
A05F:  20 03     jr nz, $A064        A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792510
A064:  02        ld [bc], a          A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792516
A065:  00        nop                 A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792520
A066:  0B        dec bc              A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792522
A067:  07        rlca                A:f2 F:00 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792526
A068:  07        rlca                A:e5 F:10 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792528
A069:  24        inc h               A:cb F:10 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792530
A06A:  84        add a, h            A:cb F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792532
A06B:  07        rlca                A:6c F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792534
A06C:  07        rlca                A:d8 F:00 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792536
A06D:  84        add a, h            A:b1 F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792538
A06E:  84        add a, h            A:52 F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792540
A06F:  2B        dec hl              A:f3 F:00 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792542
A070:  20 03     jr nz, $A075        A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792546
A075:  02        ld [bc], a          A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792552
A076:  00        nop                 A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792556
A077:  2B        dec hl              A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792558
A078:  20 0B     jr nz, $A085        A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:fe LY:2f SP:dfdd  Cy:56792562
All this is actually rather simple: write a small payload at $A084 which writes in the next payload:
di ; timer interrupt changes SRAM banks, so a di needs to happen before such
ldh a,[c] ; c = $84, $FF84 holds joypad routine input byte
ld [hl-],a ; writes backwards starting from $A0FE, only $A08B-$A09E have the actual next payload here
push bc ; bc = $A084, the start of this routine
jp nz,$0542 ; joypad routine, returns back to the pushed $A084, jump doesn't occur if no buttons are pressed
The next payload is another small payload which writes in the final payload as fast as it can. That next payload, along with the final main payload, is (mostly) the same as the ones in Red, with minor adjustments to deal with game-specific details: https://tasvideos.org/9604S
The actual movie is too big; what's submitted is a truncated movie. The full movie can be found here: https://mega.nz/file/ttlQ3Q5I#ZcF4etI-2MdXm_R1jSxlaAyAem6nXnan_Ir1yWGpjHE
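As an added example for this page (not code from the submission or its author), the script below replays the chain described above on a minimal SM83 interpreter that implements only the opcodes the two quoted payloads use: stage 0 stores $03 into the MBC RAM-bank register at $5003 and jumps to $A006, then the bank-3 decoder transcribed from the tracelog runs until it branches to $A085. The script checks that the seven bytes the decoder stores at $A084..$A08A are exactly F3 F2 32 C5 C2 42 05 and disassembles them back into di / ldh a,[c] / ld [hl-],a / push bc / jp nz,$0542. Assumptions: the stage-0 bytes are placed at a hypothetical WRAM address $C100 (the page only says they live in the save-file name and RNG bytes, not where that is mapped); the three bytes hopped over by each jr nz, which never execute and are absent from the trace, are filled with 00 as constructed placeholders; and the MBC is reduced to "a write to $4000-$5FFF selects the SRAM bank". The joypad routine at $0542 is game code and is not modelled, so the loader is decoded but not run.

```python
"""Minimal SM83 (Game Boy CPU) interpreter with only the opcodes the two payloads
use.  Replays stage 0 plus the SRAM-bank-3 decoder from the tracelog and checks
what the decoder leaves at $A084..$A08A.  Added example, not submission code."""

Z, N, H, C = 0x80, 0x40, 0x20, 0x10           # flag bits of F

# Stage 0 exactly as listed: ld hl,$5003 / ld [hl],l / add hl,hl / jp hl
STAGE0 = bytes.fromhex("2103507529E9")
STAGE0_ADDR = 0xC100   # hypothetical location; the page does not say where it is mapped

# Decoder transcribed from the tracelog, $A006 onward, in SRAM bank 3.  The three
# bytes after every "jr nz,+3" are hopped over, never execute and are not in the
# trace, so 00 00 00 is a constructed placeholder for them.
SKIP = "000000"
DECODER = bytes.fromhex(
    "018B00440B00848407072B2003" + SKIP          # $A006 ld bc,$008B / ld b,h ...
    + "02000B0707008484070707842B2003" + SKIP    # $A016 ld [bc],a / nop / dec bc ...
    + "02000B00848484842B2003" + SKIP            # $A028
    + "02000B0784842B2003" + SKIP                # $A036
    + "02000B0084078407078407842B2003" + SKIP    # $A042
    + "02000B008484848484842B2003" + SKIP        # $A054
    + "02000B07072484070784842B2003" + SKIP      # $A064 (contains the inc h)
    + "02002B200B")                              # $A075 ld [bc],a / nop / dec hl / jr nz,$A085
DECODER_ADDR, LOADER_ADDR, LOADER_ENTRY = 0xA006, 0xA084, 0xA085


class SM83:
    def __init__(self, a, f, bc, hl, pc):
        self.a, self.f, self.bc, self.hl, self.pc = a, f, bc, hl, pc
        self.ram_bank, self.sram, self.wram, self.writes = 0, {}, {}, []

    h = property(lambda s: s.hl >> 8)

    def read(self, addr):
        if 0xA000 <= addr <= 0xBFFF:              # banked cartridge RAM
            return self.sram.get((self.ram_bank, addr), 0xFF)
        return self.wram.get(addr, 0xFF)

    def write(self, addr, val):
        if 0x4000 <= addr <= 0x5FFF:              # MBC RAM-bank register (masking not modelled)
            self.ram_bank = val
        elif 0xA000 <= addr <= 0xBFFF:
            self.sram[(self.ram_bank, addr)] = val
            self.writes.append((self.ram_bank, addr, val))
        else:
            self.wram[addr] = val

    def imm16(self):
        lo, hi = self.read(self.pc), self.read(self.pc + 1)
        self.pc += 2
        return hi << 8 | lo

    def step(self):
        op = self.read(self.pc); self.pc += 1
        if op == 0x00: pass                                           # nop
        elif op == 0x01: self.bc = self.imm16()                       # ld bc,nn
        elif op == 0x02: self.write(self.bc, self.a)                  # ld [bc],a
        elif op == 0x07:                                              # rlca: C = old bit 7, Z cleared
            c = self.a >> 7; self.a = (self.a << 1 | c) & 0xFF; self.f = C if c else 0
        elif op == 0x0B: self.bc = (self.bc - 1) & 0xFFFF             # dec bc: F untouched
        elif op == 0x20:                                              # jr nz,e (signed offset)
            e = self.read(self.pc); self.pc += 1
            if not self.f & Z: self.pc += e - 256 if e > 127 else e
        elif op == 0x21: self.hl = self.imm16()                       # ld hl,nn
        elif op == 0x24:                                              # inc h: Z/H set, C kept
            h = (self.h + 1) & 0xFF; self.hl = h << 8 | self.hl & 0xFF
            self.f = self.f & C | (Z if h == 0 else 0) | (H if (h & 0xF) == 0 else 0)
        elif op == 0x29:                                              # add hl,hl: Z kept
            r = self.hl * 2
            self.f = self.f & Z | (H if (self.hl & 0xFFF) * 2 > 0xFFF else 0) | (C if r > 0xFFFF else 0)
            self.hl = r & 0xFFFF
        elif op == 0x2B: self.hl = (self.hl - 1) & 0xFFFF             # dec hl: F untouched
        elif op == 0x44: self.bc = self.h << 8 | self.bc & 0xFF       # ld b,h
        elif op == 0x75: self.write(self.hl, self.hl & 0xFF)          # ld [hl],l
        elif op == 0x84:                                              # add a,h
            r = self.a + self.h
            self.f = (Z if (r & 0xFF) == 0 else 0) | (H if (self.a & 0xF) + (self.h & 0xF) > 0xF else 0) | (C if r > 0xFF else 0)
            self.a = r & 0xFF
        elif op == 0xE9: self.pc = self.hl                            # jp hl
        else: raise ValueError(f"opcode {op:02X} at {self.pc - 1:04X} not modelled")


def run_chain(max_steps=200):
    """Run stage 0 and the decoder until control reaches the loader entry $A085."""
    cpu = SM83(a=0x01, f=0x00, bc=0x2801, hl=0x0000, pc=STAGE0_ADDR)   # A and BC as in the trace
    for i, b in enumerate(STAGE0): cpu.wram[STAGE0_ADDR + i] = b
    for i, b in enumerate(DECODER): cpu.sram[(3, DECODER_ADDR + i)] = b  # pre-seeded in bank 3
    steps = 0
    while cpu.pc != LOADER_ENTRY:
        cpu.step(); steps += 1
        if steps > max_steps: raise RuntimeError("never reached $A085")
    loader = bytes(cpu.sram.get((3, a), 0xFF) for a in range(LOADER_ADDR, LOADER_ADDR + 7))
    return {"bank": cpu.ram_bank, "steps": steps, "loader": loader,
            "bc": cpu.bc, "hl": cpu.hl, "sram_writes": len(cpu.writes)}


LOADER_OPS = {0xF3: ("di", 1), 0xF2: ("ldh a,[c]", 1), 0x32: ("ld [hl-],a", 1),
              0xC5: ("push bc", 1), 0xC2: ("jp nz,${1:02X}{0:02X}", 3)}

def disassemble_loader(code):
    """Decode the loader bytes back into the mnemonics listed in the submission."""
    out, i = [], 0
    while i < len(code):
        text, size = LOADER_OPS[code[i]]
        out.append(text.format(*code[i + 1:i + size]))
        i += size
    return out


if __name__ == "__main__":
    r = run_chain()
    print(f"SRAM bank {r['bank']}, {r['steps']} instructions, $A084: {r['loader'].hex(' ').upper()}")
    for line in disassemble_loader(r["loader"]): print("    " + line)
```

Two details of the trace become obvious when stepping it this way: the 16-bit dec hl and dec bc leave F untouched, so every jr nz tests the flags left by the preceding add a,h or rlca, and since no intermediate value of A is ever zero the branch is taken every time and just hops over three bytes that could not be used as code; and the single inc h at $A069 both changes the addend so the running sum lands on $F3 (di) and leaves HL one dec away from $A0FE, which is where the loader's ld [hl-],a then starts writing.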

feos: Replacing the submission with the full file.

feos: Claiming for judging.
feos: I discussed this with staff and we agreed to split movies with non-speed-oriented ACE into playarounds and non-playarounds. For speed-oriented ones it's quite clear: we just assign the branch label according to whatever ACE is used for, in most cases a "game end glitch". There's no ambiguity in that. But in the Alternative class we now have several goals that use ACE for something else:
Playaround and glitchfest are kinda clear in what they aim for: maximizing entertainment through creative antics, and since it's ACE, manipulating game code for the same purpose too. But some movies don't do that; instead they just replay a video directly and nothing else.
Initially it looked like a problem because #9565: iXce's GB Pokémon: Yellow Version "arbitrary code execution" in 05:24.41 would have to compete with [3358] GBC Pokémon: Yellow Version "arbitrary code execution, playaround" by MrWint in 05:48.282 for entertainment, which is a somewhat impossible challenge. We just treated a non-speed-oriented ACE movie as a playaround, so these two kinda had to compete. But then we'd have to reject that submission, which would be really bad. Because it'd imply that the very fact that somebody pulled off such a technical marvel is not good enough on its own to be published, which would in turn discourage people from trying, which is the worst kind of curation.
A workaround would have been to put that movie into Playground, but even that wasn't considered good enough by staff. We talked about redefining entertainment instead, so less conventional goals could also reach Alternative without having to compete with the best of the best every time.
Instead we decided to just accept that "Bad Apple" movie as a new branch based on payload being different. And yesterday I had an idea how to actually showcase their difference!
So yeah, if the goal of the movie is using the payload to present something that isn't interactive, and therefore does not consist of entertaining gameplay antics, we just label it as "ACE", period. And when it does contain those antics, we assess how entertaining it is, because that's still the only way to judge such things. "ACE" alone would now be separate. And moreover, judging such payloads by our playaround standards would be a disservice, so if we want to encourage more of those technical marvels, we want to remove the entertainment requirement from them.
So according to all of the above, I'm accepting this movie as just "ACE", because that goal is quite clear and the payload is non-trivial.

inconsistent: Processing...
Last Edited by inconsistent on 6/3/2025 10:33 PM