Posts for Spikeman

Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I feel like if not all endings give credits, then just triggering credits with ACE should not count as finishing the game. And if we have to trigger an ending might as well aim for the best one...
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Are we trying to trigger credits or trigger the good ending? Either way, could you post a savestate just before the ending? I was trying to figure out how to trigger it by debugging other cut scenes but it turned out to be kind of a pain in the ass. I think it's best to find some ASM to trigger whatever, rather than trying to overwrite a particular RAM location - we'll probably have better luck overwriting the stack pointer to some general region and then executing from there. Manipulating 4 bytes to appear exactly at C162, vs. manipulating one byte of the return address to be, say, CFxx, where your code is at any address in CFxx and the bytes before don't crash the game. Then you have a whole memory region you can try to manipulate to be valid code. My first thought was to try and execute code from the player's name - I've tested it, and the 100 or so bytes before the name are usually all harmless. So if we could find a CALL or a JP to a function that triggers credits... that can be made out of a players name, that would be ideal. Anyway, if you can post a savestate I'll take a look at how to trigger the ending.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I've been doing a little research on the text glitch in the hut... couldn't stay away from another ACE opportunity. So what it looks like is happening is the game expects the first time you enter the hut to be part of that first cutscene, so it expects the text pointer (and ROM bank) to be set to an exact value. By triggering another cutscene (that's what I'm calling the text that sets the text pointer - it includes a bunch of normal things like using an item), you change the value of the pointer so it reads from whatever address was after the text box you triggered. After just skipping the cutscene, the text pointer is set to a valid address, so it just reads off normal text. (I'm not sure yet what causes it to read a certain number of texts, there doesn't seem to be a control code in the text itself, so it must be stored elsewhere.) With stuff like the Whip or Thin Grass, the pointer is set to data that isn't supposed to be displayed as text. The buffer that text is copied to is 0x80 bytes in size, and text is copied until an end character is found (0xAD or 0xAE). Since some of these invalid texts are longer than 0x80 bytes, there is a buffer overflow and RAM data is overwritten. For some of these (like the Whip) it overwrites so much that it actually loops back and starts overwriting the beginning of the RAM as well (by writing to the echo area). What's interesting about this is that it can overwrite data in the stack... This is why the game crashes after the Whip text, the buffer overflow rewrites the return address, so after the copy function is over, it returns to invalid code. The upshot of this is... if we can control what gets written to the stack pointer, we could have the game return into some area of RAM we can manipulate, and boom, ACE. Haven't looked into it too much yet, but the characters name at CB4D seems promising. You can even jump almost anywhere before it in the CBxx range and it's all valid code. Not sure if we'll be able to trigger the credits with the 4 bytes in the characters name, but 4 bytes worked for SML2! The hard part then will be figuring out if we can easily manipulate text gets written to the stack. If there isn't anything a player can do to influence that, we might just have to get lucky and find the exact textbox that will work. I'm not really sure how to begin testing this, but will post results when I have them. Addresses of interest: CB47 = text pointer - expected to be 592f by hut cutscene* CB4D = your name - text, up to 4 chars CBA5 = current ROM bank - expected to be 2D by hut cutscene CC40 = text buffer - looks like most text in the game uses this to print, but some don't (eg. "Nothing here.") C700 = your inventory, items of note: whip (0x72), flint (0x65), jump rope (0x62), big rock (0x42) * note: address is 2 bytes, but stored in big-endian, eg. 59 2F = 592F (not 2F 59 as you might be used to)
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I'm super late to this party, but man was I psyched when I found out this exists! I thought everyone had given up on this glitch, and was considering giving exploiting it another shot when I found this. Incredible job MUGG! Maybe a Total Control run is possible after all... --- Also, I'm pretty confident this glitch would work on an actual Gameboy, unless for some reason VBlank timing is implemented incorrectly in both VBA and BGB. (The glitch works in both emulators.)
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
MUGG wrote:
If I take the koopa shell to the breakable blocks with a koopa on them, and spinjump through the whole thing, I get a lot of lag and many results, but I haven't seen A201 (or is it 4201 , I don't know).
It's 4067 that we're looking for, however there are a few other addresses that work: I have confirmed that 405B-406A lead to A201 execution, however only 4067-406A will not crash game after code at A201 is executed. (It seems like 4067 is the most common of these addresses, but it's good to be aware of the others. For our run we should focus on 4067-6A, but for a total control hack the earlier addresses will work too.)
If it's not too much trouble, I suggest you try making a test run, just entering the first level without optimizing your movement but still going at a steady pace. If you then manage to do 'something' in the testrun, then I can make an optimized VBM. Ok?
Okay, I'll work on that. Do you mean like an actual exploitation of the glitch (like by a bot)? I'm not sure if I did something like that it'd be optimizable - since the return address of the glitch is heavily timing dependent. Also probably a stupid question, but how do I record over a vbm I've already saved? I've only been able to re-record using savestates, but once I save the movie I'm not able to record any more. Not sure what I've been doing wrong.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
MUGG wrote:
You say executing A201 code is difficult, because it's hard to manipulate. Did you try entering custom values into those addresses at the right frame to see if it does something desireable? So that we know we're on the right track? I hope that you don't give up. Finalfighter has done crazy things to Rockman, he ran bots over 2 weeks to brute force something and put I-don't-know-how-much-time into that game. Other TASers accomplished crazy things in other games, see the glitched Pokemon Yellow TAS... or the recent one that runs custom code (Control Hack or what it's called). Please keep going!
Yeah actually I did try that, and I was able to get it to jump to the credits screen. I was also able to do a simple proof of concept Total Control hack (like the Pokemon Yellow thing), but that would be much harder to manipulate. I think it will be possible, but there are some restrictions, for example, several of the values from A201-A210 change at the same time and depend on the same thing (eg. where you are on the screen), so there are certain pairs of values that must be used, where one of the values is something like FF which results in a freeze. This ends up giving us weird restrictions like mario must be facing right when the glitch is executed, he must be at a certain height of his jump, etc. But anyway, thanks for the encouragement, I'll take another look and see what I can do. :) If you've found a place earlier in the first level where the glitch is easily repeatable could you upload a vbm? My guess is if I make a bot that successfully manipulates the A201 values and executes the glitch we won't have much chance to optimize the start afterwards.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I wasn't able to exploit it any further, except that I was able to get reproduce the level corruption glitch in the first level of the game (returning to 4067) and confirm that it executed code at A201. This is good news, since we should be able to perform the glitch in the first level. Unfortunately, I had a really hard time manipulating the values around A201 into meaningful code, and further, figuring out how to get it to return to 4067 while also manipulating those values. I get the sense that you would need an extraordinary amount of luck to get the proper values. I considered the possibility of coding some sort of bot to brute force the manipulation, but there didn't really seem to be enough interest in the posts I'd made here for me to put that much work into exploiting this. Also, I found an easy method of manipulating the glitch in the first level: run to the part of the level that has the star, hit the heart, then get the star, and run around the without getting the heart. If you jump (or better, spin jump) near the edge of the screen the glitch is triggered pretty easily. (Using my script to auto pause when there is lag.) Here's the latest version of the script, not sure I posted it here: http://slexy.org/view/s202A5h2BW
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I've been doing some testing and debugging of the pause glitch, and I seem to have figured out how it works! The reason it happens is a bit technical, so bear with me:
  • Every frame the normal program flow is "interrupted" by the VBlank interrupt, which draws the graphics to the screen. The code that does this is called the VBlank interrupt.
  • After the VBlank interrupt, the program normally returns exactly to where it left off.
  • Sometimes a bank can be switched during the VBlank interrupt. Normally this isn't a problem, because the VBlank normally only occurs when code in bank 0 (code from 0000-3FFF) is being executed. It looks like normally the game tries to switch back the bank to what it was, but fails sometimes.
  • Notably, the bank is always switched from 4 -> 1 during VBlank when the game is paused.
  • In certain situations, the game will return to the the wrong bank, and resume execution in the wrong place -- this is how the glitch occurs!
  • I haven't quite figured out why this occurs, but it seems to have to do with lag caused by having too many objects on screen.
So in short, some situations, notably pausing, cause the game to switch banks during VBlank. Sometimes, the game will return to the wrong code (this happens when the return address is >=0x4000) and glitches will happen. I made a Lua script to investigate the glitch. It will constantly spit out information about the VBlank in the debug menu and will pause VBA when the glitch occurs. (Try it on some of the vbm's mugg posted!) pause_glitch.lua: http://slexy.org/view/s2aZxMaoKS I also did a more in-depth analysis of the video MUGG posted where it corrupted the level (http://dehacked.2y.net/microstorage.php/info/767390219/lightning%2C%20glitched%20up%20row%20inside%20level.vbm): Using my Lua script, you can see that the glitch occurs when the game should be returning to 4:4067, but returns to 1:4067. The code at 1:4067 just happens to jump to A201 and execute the code there. This is remarkable because A201 is in SRAM and is manipulable by the object duplication glitch! Strangely enough, this isn't even what causes the level to be corrupted - that has to do with the next VBlank, and doesn't really seem important to me. The code that the game actually runs at A201 mostly doesn't do anything and then hits a STOP instruction, which causes it to wait until the next VBlank. This is important because it stops the game from running a bunch of garbage code and crashing. Sorry if that's all too technical, so let me summarize: We can use the pause glitch to run arbitrary code from an area of RAM we can control! I think a with a little more testing and cleverness we could easily use this to set A2D5. (One final note: an alternative to setting A2D5 is setting FFB9 to 12,13, or 23 -- this will skip to the credits directly without having to die first. 13 hits the cutscene two frames before 23 and one frame before 12 - although I'm not sure that matters if last input is how movie length is counted.) Edit: Seems obvious in retrospect, but what's causing the the glitch is a VBlank happening before the previous VBlank is finished. This is probably caused by lag - possibly it trying to draw too many objects and taking too long to finish. In practical terms, this means the only possible return addresses we can exploit are inside VBlank - which is good, because it should make manipulation a bit less of a guessing game. Summary of return addresses of various glitch executions: 4067 - this runs code at A201 - the holy grail is being able to hit this after manipulating A201 to the code we want to run 5911 - causes a coin to appear 51D5 - freezes game 5916 - causes block to appear 4035 - glitched graphics (may be exploitable?) Edit 2: New version of the Lua script: http://slexy.org/view/s2PmJh4Gdv This one assists in automatically triggering the pause glitch. Simple create a savestate in an area with lots of lag (I use the macro zone - wait just offscreen by the ant until the timer is ~333, and the game will be really laggy when you scroll the rocks on screen), then hold G to trigger the glitch. Here's some more return addresses I was able to trigger: 4074 - soft reset 51C1,51C5,51D4,51D6,51D7 - freeze 58F7 - soft reset 590E,5914 - coin 5916 - break a block (glitch block appears) triggered this twicem, only one time a block appeared 7FED,7FEF,7FFC - soft reset Edit 3: Unfortunately I didn't record a movie of this, but I was spin jumping while running the Lua script and this happened - I zipped upwards into glitch world, fell back down and the level was corrupted. Note that the pause glitch didn't trigger this. So it looks like the level corruption glitch is actually separate from the pause glitch.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Ahh, I was under the assumption that the rings from Gasha's and Maple were completely random. Another question: Have you considered using the switch hook to progress rooms faster (especially after level 2), enemies positions could be manipulated to be optimal. You could switch hook off the Dark Links in the final battle for cool looks and possible benefits.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I have a suggestion, sorry if it's been mentioned before since I haven't read the entire topic. Have you guys thought about manipulating to get the Pegasus ring? It lengthens the duration of Pegasus seeds' effect.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Dwedit wrote:
Does anything in the recently accepted DW3 speedrun count as "pinpoint corruption"? Granted it does not create and execute ASM code, but still...
It's ALMOST as cool. ;) Now only if that game executed code from RAM...
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Warp wrote:
I don't think the idea was "find a bug which corrupts memory in different ways and see if by chance it produces runnable code". I think the idea was "find a bug which corrupts memory in *predictable* ways and then abuse this on order to write machine code (byte values of some routine you have written and compiled beforehand) which produces some runnable routine".
Exactly what I was wanting to do. Also the GBA and several games dwedit mentioned run code in RAM so overwriting those could possible lead to what I am looking for. Can anyone recommend a good resource for glitches/bugs in games?
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Kejardon wrote:
::edit:: On the topic of ROM and RAM, there is no way to rewrite existing codes in ROM. Using RAM as program space is a bit unorthodox (I don't know if the NES can do it at all), but IIRC FF6 does actually do so a few times, and pointers to code are often stored in RAM. In a LoROM game it'd be easy to hijack such pointers to a bit of unused RAM in 7E:0000 - 7E:1FFF, and if necessary, JML from there to a larger chunk of unused RAM. Finding a good unused chunk of RAM may likely be the hardest thing to do, actually.
I don't know about other systems, but I've seen many games on the GBA that run code in RAM. I actually got the idea for this technique by looking at a codebreaker code for GBA. I couldn't figure out how it was modifying the code, turns out it was modifying a routine that was run in RAM. After thinking about it for awhile, this idea seems less doable than I thought before, but still not impossible. Kejardon, mind directing me to some info about the Super Metroid and FF6 glitches you mentioned?
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
This may have been discussed before, but why didn't you set the bicycle to select in the run?
Post subject: Pinpoint Corruption
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Even though this technically isn't a speedrun, I think it would be incredibly cool to watch. Basically the idea I'm having works like this: 1) Find a bug in a game that "randomly" corrupts memory in the game. 2) Program (in assembly) a mod to a game, say one that makes Mega Man shoot Mario fireballs. 3) Luck manipulate the bug to insert the modifications in the game. This technique could also be used just to overwrite random memory addresses to whatever you want, say a counter that says what levels are unlocked, you could skip levels. The general idea is you need to be able to exploit a variable that is an address the game loads to and another variable that is written there. It could be tough to find an exploit of this kind, but I'd say they've even been found already. Besides making a sweet speedrun and or impressive video, people could implement these techniques on the actual system to hugely impress friends. Is this at all feasible, or am I crazy?
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Wow impressive, it's cool because at one point I starting doing a non-tool-assisted run of this and my route in the first stage was pretty much the same. The only thing is I didn't know about the walk through walls thing. With that and remote bombs you go pretty darn fast. I do have one suggestion, you wait for the skate in the second level, I think it would be faster just to scrap it and maybe get the skate in one of the later levels.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I had a crazy idea today. What if you mix the trainer-fly glich and glitch city? As in talk to the Safari Zone guy, fly/teleport near a trainer, do the trainer-fly glitch, then walk around until the timer goes off. I know it probably wont be useful in a speedrun, but who knows, it may allow you to do something crazy. Edit: I just tested it out. It doesn't really seem to do anything, I was hoping it would work as the NPC message and return something cool. One interesting thing is that instead of appearing in glitch city, I came out of a house in Cerulean, only the sound was gone.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Someone on SDA thought of this: When you activate the trainer-fly glitch, a bunch of events are disabled. Could you skip a bunch of trainers/events doing this?
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Just making sure, but you are going to level it to level 100 aren't you? Despite the time lost from the six Growls it will take and maybe time lost from starting with Charmander, I think it will definitely make it up by OHKOing everything and only having one level up message.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I just tested this out on my actual gameboy and was able to catch a level 100 Mew and a level 100 Nidoqueen, both in Cerulean city. Mew really isn't any good unless you teach it TMs because it only knows Pound. Also, Nidoqueen didn't start with or learn Thrash (it knew Body Slam though, if that helps), but it did have a decent amount of moves.
Post subject: New Super Mario Bros. (DS)
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I picked up this game yesterday and it seems like it would be a great game to speedrun. There are many cool elements that could be taken advantage of, such as blue shells, mega mushrooms, and mini mushrooms. Also if you grab the flag at certain times it will make toad houses appear, allowing you to get more good items. The only problem is that I have no idea how to do a TAS on the DS. Any suggestions?
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I'm still not sure about the Hadoken, I heard you can't use it on Sigma, but maybe you can on bosses like Bosspider. I still need to do some testing. Here's my proposed stage order (X): Flame Mammoth (Foot Parts), Chill Penguin (Head Parts), Launch Octopus, Boomerang Kuwanger, Sting Chameleon (Arm Parts?), Storm Eagle (Body Parts), Spark Mandrill, Armored Armadillo (Hadoken) EDIT: I did some tests with the Hadoken and it can kill both Sigma and Final Sigma in one hit so I think it would be worth it.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
Yes, there is a hard mode for Vile. I just unlocked him today so I am still playing his normal mode. For X's 100% run should I get the Hadoken? It may help beat the Sigma stages faster.
Post subject: Megaman Maverick Hunter X
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
What do you guys think the best run for this game would be? I was thinking starting with no data, getting 100% on X Hard Mode and going on to beat Vile Hard Mode and getting 100%. Also is there any preferred way to take videos of handhelds? I'm kind of a noob at speed running.
Experienced Forum User
Joined: 1/18/2006
Posts: 27
Location: Samsara
I believe the super nerd at the end of Mt. Moon will give you a mew. Have you tried him?