Topic by TASVideoAgent

Bad Apple, for Shiren GB1.

The initial payload is rather simple, it simply switches the SRAM bank to 3, then proceeds to jump to $A006. This uses the following payload:

; save file name
ld hl,$5003
ld [hl],l
; rng bytes
add hl,hl
jp hl ; jump to $A006

The next payload is in SRAM, in bank 3. This game keeps a "replay" of the last room done. This is stored within bank 3 of SRAM. This gives some leeway towards writing a larger payload, but ultimately it's just barely good enough to write a better payload. Here's a tracelog of this "large" payload:

A006:  01 8B 00  ld bc, $008B        A:01 F:00 B:28 C:01 D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792318
A009:  44        ld b, h             A:01 F:00 B:00 C:8b D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792324
A00A:  0B        dec bc              A:01 F:00 B:a0 C:8b D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792326
A00B:  00        nop                 A:01 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792330
A00C:  84        add a, h            A:01 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792332
A00D:  84        add a, h            A:a1 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792334
A00E:  07        rlca                A:41 F:10 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792336
A00F:  07        rlca                A:82 F:00 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792338
A010:  2B        dec hl              A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:06 LY:2e SP:dfdd  Cy:56792340
A011:  20 03     jr nz, $A016        A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792344
A016:  02        ld [bc], a          A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792350
A017:  00        nop                 A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792354
A018:  0B        dec bc              A:05 F:10 B:a0 C:8a D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792356
A019:  07        rlca                A:05 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792360
A01A:  07        rlca                A:0a F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792362
A01B:  00        nop                 A:14 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792364
A01C:  84        add a, h            A:14 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792366
A01D:  84        add a, h            A:b4 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792368
A01E:  07        rlca                A:54 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792370
A01F:  07        rlca                A:a8 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792372
A020:  07        rlca                A:51 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792374
A021:  84        add a, h            A:a2 F:00 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792376
A022:  2B        dec hl              A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:05 LY:2e SP:dfdd  Cy:56792378
A023:  20 03     jr nz, $A028        A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792382
A028:  02        ld [bc], a          A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792388
A029:  00        nop                 A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792392
A02A:  0B        dec bc              A:42 F:10 B:a0 C:89 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792394
A02B:  00        nop                 A:42 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792398
A02C:  84        add a, h            A:42 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792400
A02D:  84        add a, h            A:e2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792402
A02E:  84        add a, h            A:82 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792404
A02F:  84        add a, h            A:22 F:10 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792406
A030:  2B        dec hl              A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:04 LY:2e SP:dfdd  Cy:56792408
A031:  20 03     jr nz, $A036        A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792412
A036:  02        ld [bc], a          A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792418
A037:  00        nop                 A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792422
A038:  0B        dec bc              A:c2 F:00 B:a0 C:88 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792424
A039:  07        rlca                A:c2 F:00 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792428
A03A:  84        add a, h            A:85 F:10 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792430
A03B:  84        add a, h            A:25 F:10 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792432
A03C:  2B        dec hl              A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:03 LY:2e SP:dfdd  Cy:56792434
A03D:  20 03     jr nz, $A042        A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2e SP:dfdd  Cy:56792438
A042:  02        ld [bc], a          A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2e SP:dfdd  Cy:56792444
A043:  00        nop                 A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792448
A044:  0B        dec bc              A:c5 F:00 B:a0 C:87 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792450
A045:  00        nop                 A:c5 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792454
A046:  84        add a, h            A:c5 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792456
A047:  07        rlca                A:65 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792458
A048:  84        add a, h            A:ca F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792460
A049:  07        rlca                A:6a F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792462
A04A:  07        rlca                A:d4 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792464
A04B:  84        add a, h            A:a9 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792466
A04C:  07        rlca                A:49 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792468
A04D:  84        add a, h            A:92 F:00 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792470
A04E:  2B        dec hl              A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:02 LY:2f SP:dfdd  Cy:56792472
A04F:  20 03     jr nz, $A054        A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792476
A054:  02        ld [bc], a          A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792482
A055:  00        nop                 A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792486
A056:  0B        dec bc              A:32 F:10 B:a0 C:86 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792488
A057:  00        nop                 A:32 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792492
A058:  84        add a, h            A:32 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792494
A059:  84        add a, h            A:d2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792496
A05A:  84        add a, h            A:72 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792498
A05B:  84        add a, h            A:12 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792500
A05C:  84        add a, h            A:b2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792502
A05D:  84        add a, h            A:52 F:10 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792504
A05E:  2B        dec hl              A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:01 LY:2f SP:dfdd  Cy:56792506
A05F:  20 03     jr nz, $A064        A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792510
A064:  02        ld [bc], a          A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792516
A065:  00        nop                 A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792520
A066:  0B        dec bc              A:f2 F:00 B:a0 C:85 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792522
A067:  07        rlca                A:f2 F:00 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792526
A068:  07        rlca                A:e5 F:10 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792528
A069:  24        inc h               A:cb F:10 B:a0 C:84 D:cb E:08 H:a0 L:00 LY:2f SP:dfdd  Cy:56792530
A06A:  84        add a, h            A:cb F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792532
A06B:  07        rlca                A:6c F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792534
A06C:  07        rlca                A:d8 F:00 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792536
A06D:  84        add a, h            A:b1 F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792538
A06E:  84        add a, h            A:52 F:10 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792540
A06F:  2B        dec hl              A:f3 F:00 B:a0 C:84 D:cb E:08 H:a1 L:00 LY:2f SP:dfdd  Cy:56792542
A070:  20 03     jr nz, $A075        A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792546
A075:  02        ld [bc], a          A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792552
A076:  00        nop                 A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792556
A077:  2B        dec hl              A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:ff LY:2f SP:dfdd  Cy:56792558
A078:  20 0B     jr nz, $A085        A:f3 F:00 B:a0 C:84 D:cb E:08 H:a0 L:fe LY:2f SP:dfdd  Cy:56792562

All this is actually rather simple: write a small payload at $A084 which writes in the next payload:

di ; timer interrupt changes SRAM banks, so a di needs to happen before such
ldh a,[c] ; c = $84, $FF84 holds joypad routine input byte
ld [hl-],a ; writes backwards starting from $A0FE, only $A08B-$A09E have the actual next payload here
push bc ; bc = $A084, the start of this routine
jp nz,$0542 ; joypad routine, returns back to the pushed $A084, jump doesn't occur if no buttons are pressed

The next payload is another small payload which writes in the final payload as fast as it can. That next payload along with the final payload main payload is (mostly) the as ones in Red, with minor adjustments to deal with game specific details: https://tasvideos.org/9604S

Actual movie is too big, what's submitted is a truncated movie, full movie can be found here: https://mega.nz/file/ttlQ3Q5I#ZcF4etI-2MdXm_R1jSxlaAyAem6nXnan_Ir1yWGpjHE

Forum

Workbench

#9675: CasualPokePlayer's GB Fushigi no Dungeon: Fuurai no Shiren GB: Tsukikage Mura no Kaibu "arbitrary code execution" in 00:27.26

Show more

Hide

TASVideoAgent

ThunderAxe31

Spikestuff

andypanther

jlun2

CasualPokePlayer

jlun2

Patashu

CasualPokePlayer

AquaBat

CoolHandMike

CasualPokePlayer

AquaBat

Randomno

Forum Workbench #9675: CasualPokePlayer's GB Fushigi no Dungeon: Fuurai no Shiren GB: Tsukikage Mura no Kaibu "arbitrary code execution" in 00:27.26

Show more

Hide

Forum

Workbench

#9675: CasualPokePlayer's GB Fushigi no Dungeon: Fuurai no Shiren GB: Tsukikage Mura no Kaibu "arbitrary code execution" in 00:27.26