Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I just realized somewhat late that despite all the talk about this, I can't seem to find a list of games with this ability. There's a category for this, but some runs don't exactly seem to be added for whatever reason, and other games don't even use it due to being slower, so I tried:
Name/Movie | Platform | What it executes as code | How was ending triggered
Battle Dodge Ball | SNES | Password characters | Call cutscene function
Battletoads | NES | Not sure; see post | Jumps to ending function? See https://tasvideos.org/GameResources/NES/Battletoads#GameEnd
Castlevania: Symphony of the Night | PSX | Inventory menu | ????
Final Fantasy | NES | Character name | ????
Final Fantasy II | NES | Character name? | Call cutscene function
Final Fantasy V | SNES | Input? | Call cutscene function
Final Fantasy VI | SNES | Money + window color configuration | Call cutscene function
Harry Potter and the Sorcerer's Stone | GBC | Player sprite location + Inventory | Set state to ending
Keitai Denjū Telefang | GBC | Position + Character name | Set event variables to ending
Kirby Super Star | SNES | Input | Set game mode to cutscene
Mother 2 | SNES | Save data + input? | ???
Pokémon: Silver/Gold/Crystal Version | GBC | Input | Warps to last area + auto-input
Pokémon: Red/Blue/Green/Yellow Version | GB | Item + Input? | Change current map id + pointer of map script
Pokémon Card GB2: GR-dan Sanjou! | GBC | Character name + deck | Call cutscene function
Pokémon Trading Card Game | GBC | Deck | Call cutscene function
Pokemon Emerald | GBA | Box name | Warps to last area + auto-input
Romance of the Three Kingdoms II | NES | Input | Call cutscene function
Super Mario Bros. 3 | NES | DPCM exploit, Pipe glitch | Call cutscene function
Super Mario Land 2: 6 Golden Coins | GB | Input | Set state to credits
Super Mario World | SNES | Input | Set cutscene to ending
Super Mario World 2: Yoshi's Island | SNES | Input | ???
Super Metroid | SNES | Position + Input | Call cutscene function
The Legend of Zelda | NES | File name + Input | Change current map id + pointer of map script
The Legend of Zelda: Link to the Past | SNES | Input | Set game state to credits
The Legend of Zelda: Majora's Mask | N64 | File name + Input | Call cutscene function
The Legend of Zelda: Ocarina of Time | N64 | File name + Input | Call cutscene function
Trials of Mana | SNES | Input? | Call cutscene function
* Wario Land: Super Mario Land 3
Games without movies of this:
* Addams Family Values (http://tasvideos.org/forum/viewtopic.php?p=457322#457322)
* Donkey Kong Country 2
* Golden Sun 1, 2
* Open Tournament Golf (DPCM exploit)
* Mega Man (Apparently, it's still possible)
* Pokemon Stadium
* Super Mario Brothers 2 (DPCM exploit)
* Super Mario Sunshine
* The Legend of Zelda: Oracle of Ages
Not sure if those Wii exploits count as well.
Emulator Coder
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
No Battletoads? :(
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
Player (41)
Joined: 1/22/2014
Posts: 38
Location: Sweden
You can add Super Metroid to the list as well. Edit: Oh, and NES Open Tournament Golf as well (has a way to get into an ACE state using the NES DPCM glitch). There are probably a bunch more NES titles that allow this using the same glitch as well, but none that I have confirmed it for.
Editor, Expert player (2364)
Joined: 5/15/2007
Posts: 3940
Location: Germany
Maybe in that listing you can differentiate between total control type of ACE, and non-total control. Super Mario Land 2 would be non-total control since the things you can do in that game ACE-wise are very limited. It barely manages to execute some pre-aligned bytes to jump into ROM to somehow trigger the ending, but it's not like you get to write your own program like you can in Super Mario World or Pokemon Yellow (which I'd deem total control type of ACE games).
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
I think games that have ACE only using DPCM glitch should be listed separately. ACE is ACE, but DPCM glitch related ACE is so far removed from any semblance of having to follow the game and its programming that it feels unfair to the game. (Similarly, ACE that requires modifying save data separately, or sending invalid data along a link cable or similar device, should be listed but as a separate category)
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 7/28/2005
Posts: 339
How many games have that DPCM exploit?
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
Kles wrote:
How many games have that DPCM exploit?
AFAIK:
- Every NES game that uses DPCM has a high likelihood of having DPCM glitch ACE
- Only a few games have been confirmed to have it work, among them SMB2 and Open Tournament Golf
Joined: 7/28/2005
Posts: 339
Sheesh. Yeah, I'd definitely be okay with considering DPCM to be its own category, or at the very least, a sub-category of ACE.
Editor, Player (69)
Joined: 1/18/2008
Posts: 663
Patashu wrote:
Kles wrote:
How many games have that DPCM exploit?
AFAIK:
- Every NES game that uses DPCM has a high likelihood of having DPCM glitch ACE
I assume you are talking about controller read workaround, and if so, then no, this isn't the case. There have been a few tested routines so far and it turns out not as many as previously imagined are vulnerable.
MUGG wrote:
Maybe in that listing you can differentiate between total control type of ACE, and non-total control.
wat
If you can't load your own code, it isn't arbitrary. If you are limited in what you can enter (not length, but content), it isn't arbitrary. As I understand it, SML2 doesn't allow execution of arbitrary code / specific opcodes, only some subset. The old MM1 glitch wasn't ACE even though it jumped to credits. The glitch demonstrated at AGDQ is ACE.
true on twitch - lsnes windows builds 20230425 - the date this site is buried
Editor, Expert player (2364)
Joined: 5/15/2007
Posts: 3940
Location: Germany
True wrote:
MUGG wrote:
Maybe in that listing you can differentiate between total control type of ACE, and non-total control.
wat
If you can't load your own code, it isn't arbitrary. If you are limited in what you can enter (not length, but content), it isn't arbitrary. As I understand it, SML2 doesn't allow execution of arbitrary code / specific opcodes, only some subset. The old MM1 glitch wasn't ACE even though it jumped to credits. The glitch demonstrated at AGDQ is ACE.
SML2 uses a glitch that makes the PC jump into RAM and execute some bytes there, and that's where the TAS executes a jump to ROM (and that's why it qualifies as ACE). You can't directly write your own bytes, but you can influence the addresses to some extent to have favorable values. Which is what the TAS did. I was just thinking this kind of limited ACE is present in other games, not just SML2. I would be interested to know them.
Alyosha
He/Him
Editor, Emulator Coder, Expert player (3827)
Joined: 11/30/2014
Posts: 2834
Location: US
What is the ACE set up for Battletoads? I was only aware of the game end glitch of loading incorrect objects. And yeah as True says DPCM will not always lead to ACE. Some games don't even use the vulnerable read routine (i.e. Ninja Gaiden) and those that do it is only happenstance of coding that would lead to ACE, it's more likely you'd just get a crash due to the stack corruption.
Joined: 10/28/2013
Posts: 130
Location: United States
Patashu wrote:
-Only a few games have been confirmed to have it work, among them [...] Open Tournament Golf
Where can I find a run with the ACE? Sounds like a great opportunity to mess with the physics and make the par 5 holes into holes-in-one. :)
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
Thanks for the new information on the DPCM glitch. (I don't have a good source to read about it yet.)
Former player
Joined: 2/19/2007
Posts: 424
Location: UK
MUGG wrote:
SML2 uses a glitch that makes the PC jump into RAM and execute some bytes there, and that's where the TAS executes a jump to ROM (and that's why it qualifies as ACE). You can't directly write your own bytes, but you can influence the addresses to some extent to have favorable values. Which is what the TAS did.
If you can't execute whatever code you want, then it doesn't qualify as Arbitrary Code Execution. ACE isn't a more limited form of "total control". ACE is total control. What you're describing sounds like a more limited form of memory corruption.
MESHUGGAH
Other
Skilled player (1919)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
NES Battletoads is a "limited ACE": the published TAS manipulates specific values to be written into the available object slots while advancing the config pointer. The thing that makes it look like an ACE (or at least the technique to corrupt more heavily) is the structure of the input:
- pressing buttons on P1 to manipulate the next object (limited possibilities)
- wait 1 frame
- press ABSTUDLR (0xFF), which lets you make another manipulation
- wait 1 frame, go to step 1
You can't (with current knowledge) make a payload and play snake/whatever because of CPU cycle dependency, and the big time differences between inputs are crucial (and impossible so far).
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Site Admin, Skilled player (1255)
Joined: 4/17/2010
Posts: 11495
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
In battletoads the method used is arbitrary data manipulation, not arbitrary code execution. There's some period where battletoads executes open bus, which can theoretically be manipulated to look like it's executing sensible commands, but it's very hard and no one feels like doing it.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Experienced player (942)
Joined: 9/18/2008
Posts: 154
Location: Japan
NES Double Moon Densetsu may have an ACE vulnerability, because you can probably overwrite the stack area (see the "Saving/loading with illegal character id" section). In NES Aces: Iron Eagle 3 (Japanese port of Ultimate Air Combat), I experienced a sudden freeze. It happened when I was playing air-to-air combat (3-D shooter) in the "CRUDE&RUDE" mission using the F-14 Tomcat on FCEUX. Unfortunately I did not record a movie, so I don't know the details of the freeze.
Alyosha
He/Him
Editor, Emulator Coder, Expert player (3827)
Joined: 11/30/2014
Posts: 2834
Location: US
feos wrote:
In battletoads the method used is arbitrary data manipulation, not arbitrary code execution. There's some period where battletoads executes open bus, which can theoretically be manipulated to look like it's executing sensible commands, but it's very hard and no one feels like doing it.
Would you mind sharing the details of this feos? It sounds interesting.
Site Admin, Skilled player (1255)
Joined: 4/17/2010
Posts: 11495
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
Joined: 3/15/2012
Posts: 70
Location: Canada
Addams Family Values. I jumped to the controllers. I held down some buttons to call the credits afterwards, but I'm sure somebody could think of something more creative to do...
Link to video
I'm still looking for an RTA-viable method so I can get back to running this game. Feel free to solve that for me if you're feeling bored, lol.
TiKevin83
He/Him
Ambassador, Moderator, Site Developer, Player (155)
Joined: 3/17/2018
Posts: 358
Location: Holland, MI
These GameCube games all have total control save data exploits:
- Animal Crossing
- BMX XXX
- F-Zero GX
- James Bond 007: Agent Under Fire
- The Legend of Zelda: Twilight Princess
- The Legend of Zelda: The Wind Waker
- Pokémon Colosseum
- Pokémon XD: Gale of Darkness
- Super Smash Bros. Melee
- Tom Clancy's Ghost Recon 2
- Tom Clancy's Splinter Cell
- Tom Clancy's Splinter Cell: Pandora Tomorrow
Phantasy Star Online Episode I & II is also vulnerable to ACE via PSOLoad (broadband adapter game update exploit).
MESHUGGAH
Other
Skilled player (1919)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
^ This is a list of games that can be hacked using specifically crafted files you have to download beforehand. So this isn't really possible to pull off within a TAS movie.
edit: as long as you can't start writing these programs while the TAS is running.
Examples:
https://github.com/FIX94/ghostrecon2-exploit-gc/releases
https://www.youtube.com/watch?v=1qk92SZXXws
https://github.com/FIX94/twilight-hack-gc/releases
https://www.youtube.com/watch?v=BO89dmKzBw4
Spikestuff
They/Them
Editor, Publisher, Expert player (2656)
Joined: 10/12/2011
Posts: 6449
Location: The land down under.
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Joined: 4/19/2022
Posts: 1
Location: ny
I think that Final Fantasy VI is the best game on this list.
MOD EDIT: Removed quote of the whole first post, as it's unnecessary. ThunderAxe31
Experienced player (942)
Joined: 9/18/2008
Posts: 154
Location: Japan
NES Adventures of Lolo 3 might also have a DPCM exploit. I was able to cause a CPU stack overflow with subframe inputs (though I haven't investigated whether it leads to credit warp, etc.).