Joined: 12/29/2007
Posts: 489
Let me attempt to make this clear: Arbitrary code execution is defined as causing the game's program counter to jump somewhere it is not supposed to go. If the PC doesn't do this, ACE has not occurred. It doesn't matter how ****ed up the rest of the game's memory becomes; it's not ACE unless the game actually runs an instruction not programmed into it. As far as I know, several 'extreme' glitches such as item underflow, save corruption, and ZZAZZ do heavily corrupt the game's memory, but they do not ever cause the game to run an instruction that was never programmed into it. Therefore, they are not ACE. Even several easy and well-known glitches such as encountering Missingno. and performing Trainer/Fly corrupt the memory, changing values in the game that weren't meant to be changed that way. But they do not perform ACE. Using the "Cooltrainer" move in battle is ACE since it immediately causes the game to run instructions starting from the stored data of the last opponent's party. The PC was never supposed to go there. Similarly, in English Gold/Silver, opening the Coin Case at all (ever) is ACE, since it immediately causes the game to run instructions from a sound bank. As for the current Cooltrainer glitch used in the real time "catch 'em all" speedrun, I do not know whether it is ACE or not. It doesn't ever select the move; it only displays the move's name on screen a bunch of times. I don't know whether the PC ever jumps to an invalid location. But if it doesn't, then it's not ACE.
Joined: 9/15/2013
Posts: 154
Zowayix wrote:
Let me attempt to make this clear: Arbitrary code execution is defined as causing the game's program counter to jump somewhere it is not supposed to go. If the PC doesn't do this, ACE has not occurred. It doesn't matter how ****ed up the rest of the game's memory becomes; it's not ACE unless the game actually runs an instruction not programmed into it. As far as I know, several 'extreme' glitches such as item underflow, save corruption, and ZZAZZ do heavily corrupt the game's memory, but they do not ever cause the game to run an instruction that was never programmed into it. Therefore, they are not ACE. Even several easy and well-known glitches such as encountering Missingno. and performing Trainer/Fly corrupt the memory, changing values in the game that weren't meant to be changed that way. But they do not perform ACE. Using the "Cooltrainer" move in battle is ACE since it immediately causes the game to run instructions starting from the stored data of the last opponent's party. The PC was never supposed to go there. Similarly, in English Gold/Silver, opening the Coin Case at all (ever) is ACE, since it immediately causes the game to run instructions from a sound bank. As for the current Cooltrainer glitch used in the real time "catch 'em all" speedrun, I do not know whether it is ACE or not. It doesn't ever select the move; it only displays the move's name on screen a bunch of times. I don't know whether the PC ever jumps to an invalid location. But if it doesn't, then it's not ACE.
Interesting post, but how can Cooltrainer be considered ACE and item underflow (caused by various things, whether its triggered by ZZAZZ or other sources) isn't? Item underflow can very easily cause the game to do things that were never, ever intended through methods it never accounted for.
Noxxa
They/Them
Moderator, Expert player (4124)
Joined: 8/14/2009
Posts: 4089
Location: The Netherlands
Dyshonest wrote:
Interesting post, but how can Cooltrainer be considered ACE and item underflow (caused by various things, whether its triggered by ZZAZZ or other sources) isn't? Item underflow can very easily cause the game to do things that were never, ever intended through methods it never accounted for.
Because item underflow, as outlined in that exact post you quoted, never causes the game to run an arbitrary instruction. Yes, you can screw the game up good afterwards with the overflowed inventory counter, but by itself it doesn't do any ACE. If the glitch by itself doesn't do ACE, it's not ACE. Simple as that.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
Joined: 9/15/2013
Posts: 154
Using the then-glitched inventory (which is now nothing more than a memory editor quite literally) to magically transport yourself from one map to another is no more complicated than using it to write programs to do things that weren't intended or accounted for (catching Pokemon at levels that can't happen/catching Pokemon that can't be wild period, etc). Arbitrary code execution: - an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process Considering item underflow literally lets you do anything you want with the game, I think it's appropriate to consider it ACE.
Noxxa
They/Them
Moderator, Expert player (4124)
Joined: 8/14/2009
Posts: 4089
Location: The Netherlands
Let me try to explain it again. Item underflow glitch does exactly 1 thing: it corrupts the item counter to an erroneous value (255) by underflow. That's all it does. It does nothing else. It does not execute code; in fact, it doesn't do anything more than memory corruption on just 1 byte of data. Since item underflow does not do anything other than modify the item counter byte, it is no more than a (technically minor) memory corruption glitch. Item underflow in itself does not execute any arbitrary code, so it is not ACE. If you do the item underflow glitch in a run, then after you have done that, you've messed up the item counter, but nothing else has changed. That is what you do later, but then the item underflow glitch was already done and finished. Now, when the item counter is set to 255, you can do all kinds of fun stuff, such as poking around and moving around all kinds of memory data, or, yes, arbitrary code execution. However, that has nothing to do anymore with the item underflow glitch. It's been done, and you've already gone off to do something else that is not underflowing the item counter (something else being e.g. changing some memory around or executing arbitrary code). Item underflow is something you do before you do anything involving ACE; it's a setup step for ACE. It is as much ACE as "walk to a Saffron guard (with fresh water and item counter at 0)" or "toss a stack of items (above a slot with a quantity of 255 items)" is ACE. It is setup for ACE glitches; that's very different from being an ACE glitch itself.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
Joined: 12/29/2007
Posts: 489
Dyshonest wrote:
Using the then-glitched inventory (which is now nothing more than a memory editor quite literally) to magically transport yourself from one map to another is no more complicated than using it to write programs to do things that weren't intended or accounted for (catching Pokemon at levels that can't happen/catching Pokemon that can't be wild period, etc). Arbitrary code execution: - an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process Considering item underflow literally lets you do anything you want with the game, I think it's appropriate to consider it ACE.
There's no "appropriate" or "consider" in the definition. ACE stands for "arbitrary code execution", not "arbitrary memory editing". Item underflow allows the latter, but not the former except with much more elaborate setups (and if that setup isn't performed, no ACE for you). Basically, it boils down to this one question: Has the PC jumped somewhere it wasn't supposed to? No? It isn't ACE. Simple as that.
Editor
Joined: 11/3/2013
Posts: 506
If you're here, MrWint, how many Pokemon are you up to at the moment?
Player (42)
Joined: 12/27/2008
Posts: 873
Location: Germany
Zowayix wrote:
The current real-time record is about 3:29, only 9 minutes short of the current TAS record. This was done using the help of several glitches which were undiscovered at the time, such as item underflow and the CoolTrainer move. This makes me believe that the current TAS record could be massively improved using these new glitches.
Wow, it seems people were pretty busy while I was away xD
Zowayix wrote:
Arbitrary code execution is defined as causing the game's program counter to jump somewhere it is not supposed to go.
You can get all the effects of ACE without ever taking the PC to a forbidden position, this is known as ROP: https://en.wikipedia.org/wiki/Return-oriented_programming To do this attack, you send the PC to perfectly valid sections of the game code and chain them together to do something evil. Of course, if someone decided to submit a run using ROP, people would obviously qualify it as ACE, but I pointed this out because defining ACE as "don't let the PC go where it's not supposed to" leads to loopholes.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
p4wn3r wrote:
Zowayix wrote:
Arbitrary code execution is defined as causing the game's program counter to jump somewhere it is not supposed to go.
You can get all the effects of ACE without ever taking the PC to a forbidden position, this is known as ROP: https://en.wikipedia.org/wiki/Return-oriented_programming To do this attack, you send the PC to perfectly valid sections of the game code and chain them together to do something evil. Of course, if someone decided to submit a run using ROP, people would obviously qualify it as ACE, but I pointed this out because defining ACE as "don't let the PC go where it's not supposed to" leads to loopholes.
There's also a third possibility, memory corrupting places in memory that the game uses as code. Plus an even more diabolical fourth possibility - if a program deliberately uses self-modifying code, and you trick it into self-modifying in a way that produces ACE. There's no way to automatically detect such a situation as ACE that wouldn't flag the program's normal execution too!
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I'm not sure if this is the place to post, but I recalled asking whether or not pokemon Green can use similar save corruption akin to pokemon Yellow that would obsolete the door trick thing (since it's a vault run). I recalled getting conflicting answers. Can anyone at least make an unoptimized proof of concept that it's possible so this can be settled?
Joined: 9/15/2013
Posts: 154
jlun2 wrote:
I'm not sure if this is the place to post, but I recalled asking whether or not pokemon Green can use similar save corruption akin to pokemon Yellow that would obsolete the door trick thing (since it's a vault run). I recalled getting conflicting answers. Can anyone at least make an unoptimized proof of concept that it's possible so this can be settled?
It would be fairly redundant to have two runs showcase the same glitch and be of a similar (probably off by a second/two at best) length. Regardless I don't really know why it wouldn't work as R/G/B/Y use very similar engines and it works for R/B/Y. It's possible in R/B but it isn't used so that other glitches for ACE/methods to beat the game may be showcased.
Editor
Joined: 11/3/2013
Posts: 506
Dyshonest wrote:
It would be fairly redundant to have two runs showcase the same glitch and be of a similar (probably off by a second/two at best) length. Regardless I don't really know why it wouldn't work as R/G/B/Y use very similar engines and it works for R/B/Y. It's possible in R/B but it isn't used so that other glitches for ACE/methods to beat the game may be showcased.
That's not the point here. The point is that the current Green run shouldn't exist at all because it's a vault run with a non-vault goal. Then it gets messy - I guess you could call it obsoleted by the current yellow run? But yeah, this discussion should probably moved to that movie's talk page.
Joined: 12/29/2007
Posts: 489
p4wn3r wrote:
Zowayix wrote:
The current real-time record is about 3:29, only 9 minutes short of the current TAS record. This was done using the help of several glitches which were undiscovered at the time, such as item underflow and the CoolTrainer move. This makes me believe that the current TAS record could be massively improved using these new glitches.
Wow, it seems people were pretty busy while I was away xD
Zowayix wrote:
Arbitrary code execution is defined as causing the game's program counter to jump somewhere it is not supposed to go.
You can get all the effects of ACE without ever taking the PC to a forbidden position, this is known as ROP: https://en.wikipedia.org/wiki/Return-oriented_programming To do this attack, you send the PC to perfectly valid sections of the game code and chain them together to do something evil. Of course, if someone decided to submit a run using ROP, people would obviously qualify it as ACE, but I pointed this out because defining ACE as "don't let the PC go where it's not supposed to" leads to loopholes.
Hmm, if you're limited to various sections of code already existing in the game, that's no longer truly arbitrary execution anymore, right?
Joined: 9/15/2013
Posts: 154
Well, that depends. To the program/game, what you're doing is indeed arbitrary to it as it seemingly has no rhyme or reason. Some other definitions: - done without concern for what is fair or right (ACE is done with no regards to what is proper behavior for the program/game) - depending on individual discretion (as of a judge) and not fixed by law - based on or determined by individual preference or convenience rather than by necessity or the intrinsic nature of something Some of those apply.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
Zowayix wrote:
Hmm, if you're limited to various sections of code already existing in the game, that's no longer truly arbitrary execution anymore, right?
You'd think so, but return oriented programming is as strong a programming model as the original program (e.g. arbitrary execution is possible) and has been used to get root access in a lot of real life programs.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 12/29/2007
Posts: 489
Then maybe we can define ACE as "corrupting the portion of memory where control data (ROM, code, PC, stack pointer, etc.) is stored"?
Joined: 9/15/2013
Posts: 154
"In computer security, arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process." It does not have to be a specific method of doing so. Tampering with the program counter is just a common method of ACE. Pretty sure (stack) buffer overflows don't interfere with the program counter and are very much a method of ACE. Similarly, if you're not going to consider item underflow (and to an extent, the associated Pokemon list underflow, though this is to my knowledge only available via save corruption), what does define ACE? Something that's purely using new inputs as code, like Masterjun's SMW TASes? You can do pretty much anything you want with item underflow... beating the game with it is honestly pretty mundane.
Joined: 12/29/2007
Posts: 489
Good point; however, using the definition you just wrote... "...execute any commands of the attacker's choice..." Item underflow does not execute any commands of choice. The user is limited to the commands already programmed within, namely "every overworld tick, look at this memory location and run the code it points to" or "when the player steps on a warp tile, the current map changes to the one stored in this memory location". The user can arbitrarily edit memory so that these (already existing and not chosen) commands end up doing what the user wants. But item underflow cannot be used directly to run a command of choice.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
I feel like we went over this argument about a page ago... Deja vu?
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Joined: 12/29/2007
Posts: 489
^Right, but p4wn3r brought up an excellent point that voided part of my argument, so I'm trying to come up with an alternate definition.
Chamale
He/Him
Player (182)
Joined: 10/20/2006
Posts: 1355
Location: Canada
Has anyone seen the trick used in this Youtube video? The first use is at 8:12 and it shows up repeatedly, it's a variant of the Brock glitch that gives the player the ability to walk through walls. I haven't managed to replicate it yet, I tweeted at the uploaded asking how it works. It's a very impressive run, and using that glitch to encounter Ditto sooner could shave more minutes off the possible improvement to the current TAS. It could even be used to enter Cerulean Cave and directly catch a wild Ditto, although I'm not certain that's faster than catching level 7 Mew and raising it a few levels.
ALAKTORN
He/Him
Former player
Joined: 10/19/2009
Posts: 2527
Location: Italy
^well he does link the VBM in the description…
Editor
Joined: 11/3/2013
Posts: 506
^^It might be a Japan-only glitch. Did you use the right ROM? Also, is 0xwas on Youtube the same person as was0x on tasvideos?
Patashu
He/Him
Joined: 10/2/2005
Posts: 4043
thatguy wrote:
^^It might be a Japan-only glitch. Did you use the right ROM? Also, is 0xwas on Youtube the same person as was0x on tasvideos?
He is also the 0xwas/was0x on SDA, twitch and twitter.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
So....is save corruption that leads to game end glitch in 1 minute possible in the orginal Green/Red?