Joined: 8/28/2006
Posts: 50
Is the warp stack overflow glitch powerful enough to lead to a code execution exploit along the lines of Super Mario World and Pokemon Yellow?
Joined: 4/6/2013
Posts: 9
I've been messing around with mid-frame resets in lsnes with this game. The idea was to shift my map location horizontally by resetting right after the map's X position was written to in the save slot. Unfortunately it isn't working out. There is a mid-frame reset that has the data written to the X value and not the Y value, but after the reset the save slot appears as a new game and clears all data when you select it.
The exact number of cycles varies depending on the situation, but there are three phases to mid-frame resets during a save frame:
1-X: No data is being written into the save slot, and after the reset the save is the same.
X-Y: Data is being written into the save slot, but after the reset the slot appears as a new game.
Y-Z: The data has been fully written, and the save slot has the complete new data.
I suspect the game has a 'completed save' flag that, if not triggered, will treat any incomplete save as a new game. There might be a way to get corrupted data with the mid-frame resets, but my vanilla experiments haven't produced anything yet.
Joined: 4/6/2013
Posts: 9
pirohiko wrote:
You can get over an obstacle when you reset between X and Y during the overwrite of the SRAM. But prior adjustment is necessary because there is a checksum. The checksum is 2 bytes, but it gets off with only an adjustment of 1 byte if even a central character agrees. If a central character does not agree, it never succeeds. If Cecil in the fight with Zeromus is not a Paladin, he does not revive.
Oh I just read this a little more closely and it seems my complete save flag idea was off. Do you know anything about what affects the checksum or how it is calculated?
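As an added illustration of the three reset phases and the checksum behaviour discussed above (my own model, not code from this thread and not the game's actual SRAM layout or checksum algorithm): a save slot is overwritten one byte per "cycle", a reset after k bytes leaves the rest of the old slot in place, and the loader only accepts a slot whose 2-byte checksum agrees. The payload layout, the X/Y offsets, and the additive checksum are all constructed assumptions.

```python
# Added model of the mid-frame reset phases described in the thread.
# Constructed layout (NOT the game's real SRAM format): 8 payload bytes with the
# map X coordinate at offset 2 and Y at offset 3, then a 2-byte little-endian
# checksum. The checksum function is an assumption; the thread only says it is
# 2 bytes long.
from typing import List, Optional

PAYLOAD_SIZE = 8
OFF_X, OFF_Y = 2, 3

# Constructed sample: the party at X=5, Y=7, then a save that moves X to 9.
OLD = bytes([0x01, 0x00, 0x05, 0x07, 0x00, 0x00, 0x00, 0x00])
NEW = bytes([0x01, 0x00, 0x09, 0x07, 0x00, 0x00, 0x00, 0x00])


def checksum16(payload: bytes) -> int:
    """Assumed 16-bit additive checksum over the payload bytes."""
    return sum(payload) & 0xFFFF


def encode_slot(payload: bytes) -> bytes:
    """Payload followed by its checksum, low byte first."""
    assert len(payload) == PAYLOAD_SIZE
    c = checksum16(payload)
    return payload + bytes([c & 0xFF, c >> 8])


def write_with_reset(slot: bytes, new_image: bytes, reset_after: int) -> bytes:
    """Overwrite slot with new_image one byte per cycle; a reset after
    reset_after bytes leaves the remainder of the old slot untouched."""
    n = max(0, min(reset_after, len(new_image)))
    return new_image[:n] + slot[n:]


def load_slot(slot: bytes) -> Optional[bytes]:
    """What the loader sees: the payload if its checksum agrees, otherwise
    None (the thread reports such a slot shows up as a new game)."""
    payload, trailer = slot[:PAYLOAD_SIZE], slot[PAYLOAD_SIZE:]
    stored = trailer[0] | (trailer[1] << 8)
    return payload if stored == checksum16(payload) else None


def classify_reset(old_payload: bytes, new_payload: bytes, reset_after: int) -> str:
    """Which of the thread's phases a reset point falls in: 'unchanged' (1-X),
    'new game' (X-Y) or 'complete' (Y-Z). 'mixed' would mean a torn write
    that still passes the checksum, i.e. corrupted data the loader accepts."""
    torn = write_with_reset(encode_slot(old_payload), encode_slot(new_payload), reset_after)
    loaded = load_slot(torn)
    if loaded is None:
        return "new game"
    if loaded == old_payload:
        return "unchanged"
    if loaded == new_payload:
        return "complete"
    return "mixed"


def phase_table(old_payload: bytes, new_payload: bytes) -> List[str]:
    """Classification for every reset point from 0 to the full slot length."""
    return [classify_reset(old_payload, new_payload, k) for k in range(PAYLOAD_SIZE + 3)]


if __name__ == "__main__":
    for k, phase in enumerate(phase_table(OLD, NEW)):
        print(f"reset after {k:2d} bytes: {phase}")
```

With the sample above, resets after 0 to 2 bytes leave the old save intact, resets after 3 to 8 bytes have the new X written but fail the checksum (the "new game" band the thread describes), and only once the checksum bytes are in does the slot load as complete; `classify_reset` returning "mixed" is the case pirohiko's checksum remark is about, where the partially written bytes happen to sum to the stored value.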
Joined: 4/6/2013
Posts: 9
After further investigation, the X coordinate teleport is definitely feasible using the mid-frame reset. The real question is how to have the right party members and flags set to advance the story. It's possible to teleport to the dark elf cave right after the earthquake, but even if you talk to Edward and get the Twinharp, the game won't let you fight the dark elf. Even if you could fight him, when you get back you wouldn't have an airship to use to advance the story. Other story points like returning to Baron also require specific conditions to advance. Using mid-frame resets we could manipulate party members a bit. If, for instance, you kept Kain past the earthquake, but needed to get rid of him before Mt Hobs, you could save, move him to a different slot so that his previous slot was empty, and then save with a mid-frame reset ending right after the character flag. This would take him out of the party, and potentially let you advance the story. Using that method you could also give better stats to the party members you kept, or even duplicate party members so you could have three DK Cecils at Octomamm. This is still just theory though, so I'm going to keep checking this out and see what's possible.
Joined: 6/19/2005
Posts: 180
Do we know what sort of flags are required at what times? Having three Dark Knights for the Octomamm fight would be interesting, but what if you used the X-coordinate teleport to jump between parts of the storyline? If the flagging requirements work out properly, then perhaps you could jump ahead in the story and jump backward to complete a required flag for another event; for example, jumping from the earthquake up to the Dark Elf cave, then back to Fabul, then forward again to Mt. Hobs. Just as an example, of course; I can't imagine that would work in any real way, unless someone REALLY managed to destroy the game's code.
Joined: 4/6/2013
Posts: 9
There is one definite time saver over the previous run here. If you skip the earthquake and re-enter the Mist village from the right you can grab Rydia's gear and then trigger the earthquake sequence. This would remove Kain from the party and allow you to play normally except with some high-level gear. If, however, you keep Kain, Tellah does not appear, which means you can't get Edward or the hovercraft. You can use the X teleport to get to the Antlion cave and even fight him with whatever party you have. The nice thing about Kain is that he doesn't trigger Antlion's counterattack with his jump. You get the Sand Ruby, but without the hovercraft there is no way to get back to Kaipo and wake Rosa. You can get to Mt Hobs with the X teleport, but without Rosa in your party there isn't a way to get rid of the ice. I don't see a way to get past Mt Hobs with the teleport using lsnes, but by RAM poking I did that to see how things would work. First of all, if you go back and try to get Yang from the other side, the game crashes. If you progress to Fabul, all the cutscenes play out and you get to defend against Baron, except with only Kain and Cecil. After the boat crash you still have Kain and can get Palom and Porom in your party, but when Tellah joins he is just a copy of DK Cecil with 0 HP, presumably because it read his data from where he left off after his fight with Edward, which is empty. This is as far as I've gotten, but I'm hoping that once you get the airship you can go back and trigger any events you need to complete the story.
Joined: 4/6/2013
Posts: 9
Another time-saver over the previous run: it takes 761 frames to play out the bombardment sequence vs about 580 for the sliding trick to skip the sequence. There is also encounter manipulation that should further save some frames. This could also be used for the tank sequence underground, but there are three tiles and each one is so short that it would take longer to do the reset. The current run does a reset on the way to that very sequence to switch up the encounters, so it could probably be done at one of those tiles instead and save a few seconds as well. If Tellah was never picked up, the zero-stat Tellah that joins in Mysidia never goes away and doesn't count as Tellah for the automated battles he needs to fight. This makes him hog a slot, which keeps you from getting Yang in Baron and probably screws up other character joins as well. Tellah is more useful than Kain early on, so ideally one would keep the first Tellah all the way to Golbez. That would require finding a way past Mt Hobs and also completing the game without the Hovercraft. It also might make Yang join as a zero-stat character, which would create the same problem as the zero-stat Tellah. Another thing is that X teleporting works across world maps or even inside a dungeon from a save spot, but I'm not sure where that would be of any use yet.
Joined: 4/6/2013
Posts: 9
I'm not seeing this counter for the floors anywhere. What RAM address are you guys looking at?
Sir_VG
He/Him
Player (40)
Joined: 10/9/2004
Posts: 1913
Location: Floating Tower
GoldFibre wrote:
I'm not seeing this counter for the floors anywhere. What RAM address are you guys looking at?
I believe it's this:
7E:1700 map type (0: above ground, 1: underground, 2: moon, 3: dungeon)
7E:1701 map number (upper) (* 6)
7E:1702 map number (lower)
Taking over the world, one game at a time. Currently TASing: Nothing
Joined: 3/25/2010
Posts: 34
Is anyone working on a run of this lately? Like, the non-TAS WR is an hour faster than the current TAS thanks to the new bugs in FF4
Joined: 4/12/2014
Posts: 3
Hi, I am a streamer of US FF4 speedruns with 64 door glitch strats - nocashnocash and I have currently gotten the time down to sub 2:06. With godlike encounter (and boss) luck a low-mid 2:03 would be possible but the chance to get that happens quite rarely. Just a question - What triggers random encounters? I thought there was a script (if the US version is the same as the J version) for determining random encounters on certain steps that is completely dependent on how long you wait between powering on and starting/loading a game. Was thinking about doing the mist skip, then hard resetting and trying to manipulate a good encounter pattern with either a lower amount of battles or at least fewer battles from the underground waterway to Valvalis (guessing there is more chance of surprise attacks as I am low level). Not really sure if it is possible but thought I'd at least ask. If this is in the wrong section or website I apologise.
Do the MEATEO
Active player (429)
Joined: 9/7/2007
Posts: 329
If I recall correctly, there is a counter that decrements on each step. There are some areas that don't decrement the counter. I think that was used in Eblan cave in the TAS. How the value that gets set for the counter is calculated, I do not know.
Former player
Joined: 2/19/2007
Posts: 424
Location: UK
This is briefly mentioned in the last submission, including an encounter calculator and a lua script.
Joined: 4/12/2014
Posts: 3
No worries, thanks. I missed the script and the calculator when going through pirohiko's notes. Guess the only question to ask is does loading up different save files at exactly the same time after hard resetting cause encounters to occur on the same squares for each file... Will try to make sense of the script/calculator anyway, so thanks guys.
Do the MEATEO
Joined: 4/12/2014
Posts: 3
Been thinking about this: http://www.twitch.tv/crumps2/c/1919137 Could this be replicated and under what conditions? Don't know enough about TASing to test this but I guess characters' ATB is held for a small while after dying. If Rydia dies vs Octomamm for example I have gotten her action immediately after reviving her (she is really slow at lvl 1 so her turn should take a while) so maybe this is a similar thing.
Do the MEATEO
Joined: 4/10/2015
Posts: 1
I found the double casting. Each character has an ATB progress bar like ff5 and ff6 but hidden from the user. Once this bar fills up, it is put into a queue. If a person dies and was already in that queue then he will remain in that queue. You can revive the person before he gets his turn and he'll get the turn that he was supposed to get before dying. However, his ATB resets so he can rejoin the queue while casting/attacking. This works on any character. I found this by looking at address 00D0 which decides who is acting. So I searched the code for LDA $#D0 and found this bit of code:
a_3a3e3_3a439:
		m_LDA $#d0             // PC[3a439]={a5 d0      }  s0
		m_CMP #ff              // PC[3a43b]={c9 ff      }  s0
		▼▼BEQ $#=_a463         // PC[3a43d]={f0 24      }  s0


a_3a3e3_3a463:
		m_LDA $#352d           // PC[3a463]={ad 2d 35   }  s0
		▼▼BNE $#=_a4c7         // PC[3a466]={d0 5f      }  s0
		m_LDA $#3929           // PC[3a468]={ad 29 39   }  s0
		m_CMP #ff              // PC[3a46b]={c9 ff      }  s0
		▼▼BEQ $#=_a4c7         // PC[3a46d]={f0 58      }  s0
		m_PHA                  // PC[3a46f]={48         }  s1
		m_TDC                  // PC[3a470]={7b         }  s1
		m_TAX                  // PC[3a471]={aa         }  s1
a_3a3e3_3a472:
		m_LDA $#392a,X         // PC[3a472]={bd 2a 39   }  s1
		m_STA $#3929,X         // PC[3a475]={9d 29 39   }  s1
		__INX                  // PC[3a478]={e8         }  s1
		__CPX #0005            // PC[3a479]={e0 05 00   }  s1
		▲▲BNE $#=_a472         // PC[3a47c]={d0 f4      }  s1
		m_DEC $#392f           // PC[3a47e]={ce 2f 39   }  s1
At the end of this code is the loop removing someone from the queue as he gets his turn. The last element in the array doesn't get changed afterward, so if it's possible to get the same person twice into the queue then we can get infinite turns on one character, but unfortunately the game prevents one character from being put into the queue twice.
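As an added example (my own model, not code from the post or from the game), here is the turn queue described above in Python: the six queue bytes ($3929..$392E in the listing) with the head-is-#ff check and the shift loop from a_3a3e3_3a472 that leaves slot 5 as it was, the duplicate check the post says the game performs, and a hidden ATB bar with a KO/revive sequence. The bar size, the character speeds, and what happens to a character whose turn comes up while still KO'd are constructed assumptions.

```python
# Added model of the turn queue and ATB behaviour described in the post.
# Queue layout follows the listing: six slots ($3929..$392E) and a count
# ($392F). BAR_FULL, the speeds and the "dropped turn" rule are assumptions.
from typing import Dict, List, Optional

EMPTY = 0xFF        # the listing compares the head slot against #ff
QUEUE_LEN = 6       # $3929..$392E
BAR_FULL = 256      # assumption: a full ATB bar


class TurnQueue:
    def __init__(self) -> None:
        self.slots: List = [EMPTY] * QUEUE_LEN
        self.count = 0  # $392F

    def enqueue(self, who: str) -> bool:
        """Append a ready character; refused if already queued (the game's
        duplicate check) or if all six slots are in use."""
        if who in self.slots[:self.count] or self.count >= QUEUE_LEN:
            return False
        self.slots[self.count] = who
        self.count += 1
        return True

    def dequeue(self) -> Optional[str]:
        """Mirror of the loop at a_3a3e3_3a472: if the head is not #ff, copy
        slots 1..5 down to 0..4 (slot 5 keeps its old value) and DEC the count."""
        if self.slots[0] == EMPTY:
            return None
        who = self.slots[0]
        for x in range(QUEUE_LEN - 1):
            self.slots[x] = self.slots[x + 1]
        self.count -= 1
        return who


def drain(q: TurnQueue, limit: int = 12) -> List[str]:
    """Take turns until the head is empty or limit turns have been taken."""
    out: List[str] = []
    while len(out) < limit:
        who = q.dequeue()
        if who is None:
            break
        out.append(who)
    return out


def queue_demo(allow_duplicate: bool) -> List[str]:
    """Five party members ready; optionally force a sixth, duplicate, entry past
    the check to show why the untouched slot 5 matters."""
    q = TurnQueue()
    for name in ["Cecil", "Kain", "Rydia", "Tellah", "Edward"]:
        q.enqueue(name)
    if allow_duplicate:          # bypasses the check the game actually makes
        q.slots[q.count] = "Cecil"
        q.count += 1
    return drain(q)


class Battle:
    """Hidden ATB bars plus the queue; a KO leaves the queued entry in place."""

    def __init__(self, speeds: Dict[str, int]) -> None:
        self.queue = TurnQueue()
        self.speeds = speeds
        self.atb = {n: 0 for n in speeds}
        self.alive = {n: True for n in speeds}
        self.log: List[str] = []

    def tick(self) -> None:
        for name, speed in self.speeds.items():
            if not self.alive[name]:
                continue
            self.atb[name] += speed
            if self.atb[name] >= BAR_FULL:
                self.atb[name] = 0
                if self.queue.enqueue(name):
                    self.log.append(f"{name} queued")

    def kill(self, name: str) -> None:
        self.alive[name] = False
        self.atb[name] = 0           # bar resets; the queue entry stays
        self.log.append(f"{name} KO")

    def revive(self, name: str) -> None:
        self.alive[name] = True
        self.log.append(f"{name} revived")

    def act(self) -> Optional[str]:
        who = self.queue.dequeue()
        if who is None:
            return None
        if not self.alive[who]:      # assumption: a KO'd actor's turn is dropped
            self.log.append(f"{who} turn dropped")
            return None
        self.log.append(f"{who} acts")
        return who


def double_turn_scenario() -> List[str]:
    """Rydia is queued, KO'd and revived, then acts from the entry made before
    she died while her bar is already refilling: two turns in well under one bar."""
    b = Battle({"Cecil": 64, "Rydia": 32})
    for _ in range(8):
        b.tick()                     # Cecil queued at tick 4, Rydia at tick 8
    b.act()                          # Cecil
    b.kill("Rydia")
    b.revive("Rydia")
    b.act()                          # Rydia, from the pre-KO entry
    for _ in range(8):
        b.tick()                     # her bar refills from 0 meanwhile
    b.act()
    b.act()
    return b.log
```

`queue_demo(False)` drains cleanly because a five-member party never fills slot 5, so the shift always pulls #ff into the head; `queue_demo(True)` shows what the duplicate check guards against, since once the queue is full the stale slot 5 keeps refilling the head with the same character.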
Fortranm
He/Him
Editor, Experienced player (879)
Joined: 10/19/2013
Posts: 1121
http://www.speedrun.com/ff4#any_SNES It's possible to warp to the credits now.
Fortranm
He/Him
Editor, Experienced player (879)
Joined: 10/19/2013
Posts: 1121
I got the notes for the credit warp from the_roth, the holder of the WR for this route.
BUYING/ITEM PLACEMENT ROUTE FOR ACE
Pre Mist - Don't Unequip Iron Glove
Mist - Buy 2 x 13 Dancing Daggers (Should have 9 or 10 at end of game)
Octomamm - Dupe Tellah's rod
Before Damcyan - Dupe Change Rod (Equip x 3)
At Fabul, Dupe Yang's Fire Claw fully and equip to have 255 Fire Claws left after Gauntlet
At Mysidia, sell 52 FireClaw x 2, then buy 52 of things
Buy 1 Paladin Shield, Arms
At Baron town before Waterway
BUY
72 Thunder Rod x 2
96 Thunder Rod
99 Ice Claw
1 Thunder Claw
1 Fire Claw
SELL
65 Change Rod x 2
After Kainazzo, fly to Silvera
BUY
1 Silver Hammer
17 Silver Hammers
97 Silver Hammers
Before you start the Dolls, save and reset. You need to save before doing the 64 door glitch and killing the dolls/golbez as the credits warp requires that you fight an encounter. If you have to reset, you will need to grab the crystal after fighting golbez, otherwise ignore it.
By end of Golbez, arrange items like this (starting on the 10th row)
9th Row is empty
Ice Claw x 99
Rod x 2
-Sort-
Change Rod x 123
Silver x 97
Thunder x 72
Silver x 17
Dancing x 9 or 10
Thunder x 72
Thunder x 96
Empty
Empty
At the very bottom of inventory, put anything/nothing
Dancing x 13
Fire Claw x 151
FireClaw x 1
After killing Golbez, cast Warp, Head to 64 door glitch, second black spot down (with Sylvian Cave music), and enter pink room with falling sound. Face RIGHT, press A and hope to activate the ending credits. It isn't guaranteed to work.
He also said:
I completed my only attempt but have seen it fail on emulator. Others have failed a few times on snes. I managed to complete my inventory management during valvalis though, and didn't have to do any swapping during Golbez, maybe that was the difference. We're not sure sadly.
I also got two links from Pirohiko through PM about save corruption:
http://i.imgur.com/tIUqhkL.png
http://x11.s11.xrea.com/dist/ff4/ff4_sram.txt
If save corruption and credit warp work well together, the result will probably be similar to Keylie & Kadmony's rejected FF6 run.
Active player (261)
Joined: 12/13/2016
Posts: 352
Found this interesting page regarding step routes for this game that may be useful to anyone who wants to work on the TAS for this game https://ff4.aexoden.com/routes/
Joined: 12/31/2017
Posts: 1
It's now known that it's possible to trigger a sprite overflow with the Nuke/Crystal animation by multi-targeting it with the Mimic glitch. By doing this you pick up a Dummy item (Silver Apple), and the game goes haywire and sends you to a glitched room depending on where you were able to initiate the glitch. Here's one example from the_roth where he winds up fighting Kainazzo in the Waterway, then is warped afterwards to the cutscene where you first enter the underworld, skipping Baigan, Toroia/Dark Elf, and Tower of Zot: https://www.twitch.tv/videos/214119426?t=01h56m52s No idea how far this leads or if it has a chance to unseat current TAS, but it's worth putting out there in case anybody else wants to work on it.