comparison org/total-control.org @ 611:d9f991cddad9

spellcheck
author Robert McIntyre <rlm@mit.edu>
date Thu, 22 Nov 2012 11:24:52 -0600
parents 4dd5ebf224cd
children 00c5cdfb9da7
comparison
equal deleted inserted replaced
610:4dd5ebf224cd 611:d9f991cddad9
48 items and switching and dropping them, he can make the door from his 48 items and switching and dropping them, he can make the door from his
49 house take him directly to the end of the game. 49 house take him directly to the end of the game.
50 50
51 When I first saw that speedrun, I was amazed at how fast pokemon 51 When I first saw that speedrun, I was amazed at how fast pokemon
52 yellow could be beaten, and that it was possible to manipulate the 52 yellow could be beaten, and that it was possible to manipulate the
53 game from the inside, using only the item list. I wondeered how far I 53 game from the inside, using only the item list. I wondered how far I
54 could extend the techniques found in p4wn3r's run. 54 could extend the techniques found in p4wn3r's run.
55 55
56 The gameboy is an 8 bit computer. That means that ultimately, anything 56 The gameboy is an 8 bit computer. That means that ultimately, anything
57 that happens in pokemon is a result of the gameboy's CPU reading a 57 that happens in pokemon is a result of the gameboy's CPU reading a
58 stream of 8 bit numbers and doing whatever those numbers mean. For 58 stream of 8 bit numbers and doing whatever those numbers mean. For
63 mean to check which buttons are currently pressed and copy that result 63 mean to check which buttons are currently pressed and copy that result
64 into the "A" register. With enough numbers, you can spell out an 64 into the "A" register. With enough numbers, you can spell out an
65 interactive program that reads input from the buttons and allows you 65 interactive program that reads input from the buttons and allows you
66 to write any program you want to the gameboy. Once you have assembled 66 to write any program you want to the gameboy. Once you have assembled
67 such a program and forced the game to run it, you have won, since you 67 such a program and forced the game to run it, you have won, since you
68 can use that program to write any other program (like tetirs or 68 can use that program to write any other program (like Tetris or
69 pacman) over pokemon yellow's code. I call a program that allows you 69 Pacman) over pokemon yellow's code. I call a program that allows you
70 to write any other program a "bootstrapping program". So, the goal is 70 to write any other program a "bootstrapping program". So, the goal is
71 to somehow get a bootstrapping program into pokemon yellow and then 71 to somehow get a bootstrapping program into pokemon yellow and then
72 force yellow to run that program instead of its own. 72 force yellow to run that program instead of its own.
73 73
74 How can we spell out such a program? Everything in the game is 74 How can we spell out such a program? Everything in the game is
75 ultimately nunbers, including all items, pokemon, levels, etc. In 75 ultimately numbers, including all items, pokemon, levels, etc. In
76 particular, the item list looks like: 76 particular, the item list looks like:
77 77
78 #+begin_example 78 #+begin_example
79 item-one-id (0-255) 79 item-one-id (0-255)
80 item-one-quantity (0-255) 80 item-one-quantity (0-255)
110 The final part of the hack is getting pokemon yellow to execute the 110 The final part of the hack is getting pokemon yellow to execute the
111 new program after it has been assembled with items. Fortunately, 111 new program after it has been assembled with items. Fortunately,
112 pokemon keeps a number called a function pointer within easy reach of 112 pokemon keeps a number called a function pointer within easy reach of
113 the corrupted item list. This function pointer is the starting point 113 the corrupted item list. This function pointer is the starting point
114 (address) of a program which the game runs every so often to check for 114 (address) of a program which the game runs every so often to check for
115 poison and do general maintaiance. By shifting an item over this 115 poison and do general maintenance. By shifting an item over this
116 function pointer, I can rewrite that address to point to the 116 function pointer, I can rewrite that address to point to the
117 bootstrapping program, and make the game execute it. Without this 117 bootstrapping program, and make the game execute it. Without this
118 function pointer, it would not be possible to take over the game. 118 function pointer, it would not be possible to take over the game.
119 119
120 * The Run 120 * The Run
121 121
122 I start off and name my rival Lpk. These characters will eventually be 122 I start off and name my rival Lp/k. These characters will eventually be
123 treated as items and shifted over the function pointer, causing it to 123 treated as items and shifted over the function pointer, causing it to
124 execute the bootstrapping program that will soon be constructed. I 124 execute the bootstrapping program that will soon be constructed. I
125 start the run the same as p4wn3r's and restart the game while saving, 125 start the run the same as p4wn3r's and restart the game while saving,
126 so that the pokemon list is corrupted. By switching the 8th and 10th 126 so that the pokemon list is corrupted. By switching the 8th and 10th
127 pokemon, I corrupt the item list and can now scroll down past the 20th 127 pokemon, I corrupt the item list and can now scroll down past the 20th
128 item. I shift items around to increase the text speed to maximum and 128 item. I shift items around to increase the text speed to maximum and
129 rewrite the warp point of my house to Celadon Dept. Store. (p4wn3r 129 rewrite the warp point of my house to Celadon Dept. Store. (p4wn3r
130 used this to go directly to the hall of fame and win the game in his 130 used this to go directly to the hall of fame and win the game in his
131 run.) I deposit many 0x00 glitch items into the PC from my corrupted 131 run.) I deposit many 0x00 glitch items into the PC from my corrupted
132 inventory for later use. Then, I widthdraw the potion from the 132 inventory for later use. Then, I withdraw the potion from the
133 PC. This repairs my item list by overflowing the item counter from 133 PC. This repairs my item list by overflowing the item counter from
134 0xFF back to 0x00, though the potion is obliterated in the process. I 134 0xFF back to 0x00, though the potion is obliterated in the process. I
135 then take 255 glitch items with ID 0x00 from the computer into my 135 then take 255 glitch items with ID 0x00 from the computer into my
136 personal items. 136 personal items.
137 137
173 directly to what it just wrote. In my run, I use this program to write 173 directly to what it just wrote. In my run, I use this program to write
174 another bootstrapping program that can write to any number of bytes to 174 another bootstrapping program that can write to any number of bytes to
175 any location in memory, and then jump to any location in memory. This 175 any location in memory, and then jump to any location in memory. This
176 new program also can write 8 bits per frame by using all the 176 new program also can write 8 bits per frame by using all the
177 buttons. Using this new bootstrap program, I write a final 177 buttons. Using this new bootstrap program, I write a final
178 bootstrapping program that does everything the provious bootstrapping 178 bootstrapping program that does everything the previous bootstrapping
179 program does except it also displays the bytes it is writing to memory 179 program does except it also displays the bytes it is writing to memory
180 on the screen. 180 on the screen.
181 181
182 After completing this bootstrapping program, I go to the celadon 182 After completing this bootstrapping program, I go to the Celadon
183 mansion, because I find the metaness of that building to be 183 mansion, because I find the metaness of that building to be
184 sufficiently high to serve as an exit point for the pokemon 184 sufficiently high to serve as an exit point for the pokemon
185 universe. I corrupt my item list again by switching corrupted pokemon, 185 universe. I corrupt my item list again by switching corrupted pokemon,
186 scroll down to my rival's name and discard untill it is equal to the 186 scroll down to my rival's name and discard until it is equal to the
187 address of my bootstrapping program, and then swap it with the 187 address of my bootstrapping program, and then swap it with the
188 function pointer. Once the menu is closed, the boostrapping program 188 function pointer. Once the menu is closed, the bootstrapping program
189 takes over, and I write the payload.... 189 takes over, and I write the payload....
190 190
191 * Infrastructure 191 * Infrastructure
192 192
193 The entire video was completely produced by bots --- I didn't manually 193 The entire video was completely produced by bots --- I didn't manually
194 play the game at all to produce this speedrun. Here is a brief account 194 play the game at all to produce this speedrun. Here is a brief account
195 of the infrastructure I build to make the video. The entire source of 195 of the infrastructure I build to make the video. The entire source of
196 the project is available at http://hg.bortreb.com/vba-clojure 196 the project is available at http://hg.bortreb.com/vba-clojure
197 197
198 The first step was to build a programatic interface to pokemon 198 The first step was to build a programmatic interface to pokemon
199 yellow. So, I downloaded vba-rerecording from 199 yellow. So, I downloaded vba-rerecording from
200 http://code.google.com/p/vba-rerecording/. After repairing their 200 http://code.google.com/p/vba-rerecording/. After repairing their
201 broken auto-tools scripts so that it would compile on GNU/Linux, I 201 broken auto-tools scripts so that it would compile on GNU/Linux, I
202 added a low level C interface that I could call from Java via 202 added a low level C interface that I could call from Java via
203 JNI. This C interface gives me basic control over the emulator: I can 203 JNI. This C interface gives me basic control over the emulator: I can
210 entirely functional interface to vba-rerecording. This interface 210 entirely functional interface to vba-rerecording. This interface
211 treats state of the emulator as an immutable object, and allows me to 211 treats state of the emulator as an immutable object, and allows me to
212 do everything I could do with the lower level C interface in a 212 do everything I could do with the lower level C interface in a
213 functional manner. Using this functional code, I wrote search programs 213 functional manner. Using this functional code, I wrote search programs
214 that take a particular game-state and try out different combinations 214 that take a particular game-state and try out different combinations
215 of button prosses to get any desired effect. By combining different 215 of button presses to get any desired effect. By combining different
216 styles of search with different initial conditions, I created high 216 styles of search with different initial conditions, I created high
217 level functions that could each accomplish a certain general task, 217 level functions that could each accomplish a certain general task,
218 like walking and buying items. For example, here is some actual code: 218 like walking and buying items. For example, here is some actual code:
219 219
220 #+begin_src clojure 220 #+begin_src clojure
243 (do-nothing 1)))) 243 (do-nothing 1))))
244 #+end_src 244 #+end_src
245 245
246 This script walks from the Viridian City pokemon store to Oak's 246 This script walks from the Viridian City pokemon store to Oak's
247 Lab in the most efficient way possible. The walk-thru-grass function 247 Lab in the most efficient way possible. The walk-thru-grass function
248 gaurantees that no wild battles will happen by manipulating the game's 248 guarantees that no wild battles will happen by manipulating the game's
249 random number generator. 249 random number generator.
250 250
251 #+begin_src clojure 251 #+begin_src clojure
252 (defn-memo hacking-10 252 (defn-memo hacking-10
253 ([] (hacking-10 (hacking-9))) 253 ([] (hacking-10 (hacking-9)))
266 (deposit-held-item-named :TM09 1) 266 (deposit-held-item-named :TM09 1)
267 close-menu))) 267 close-menu)))
268 #+end_src 268 #+end_src
269 269
270 This script calculates the fastest sequence of key presses to deposit 270 This script calculates the fastest sequence of key presses to deposit
271 the requested items into a pc, assuming that the character starts out 271 the requested items into a PC, assuming that the character starts out
272 in front of a computer. 272 in front of a computer.
273 273
274 I also wrote functions that coudl grovel through the game's memory and 274 I also wrote functions that could grovel through the game's memory and
275 present the internal data structures in useable ways. For example, the 275 present the internal data structures in usable ways. For example, the
276 function =print-inventory= returns the current inventory in a human 276 function =print-inventory= returns the current inventory in a human
277 readable format. 277 readable format.
278 278
279 #+begin_src clojure :results output 279 #+begin_src clojure :results output
280 (com.aurellem.gb.items/print-inventory) 280 (com.aurellem.gb.items/print-inventory)
297 297
298 #+end_example 298 #+end_example
299 299
300 300
301 Armed with these functions, I constructed a bootstrapping program that 301 Armed with these functions, I constructed a bootstrapping program that
302 could be expressed as items. This is particurally hard, since many 302 could be expressed as items. This is particularly hard, since many
303 useful opcodes do not correspond any item, and the item quantities 303 useful opcodes do not correspond any item, and the item quantities
304 must all be less than 99. 304 must all be less than 99.
305 305
306 Here is the first bootstrapping program in all its glory. 306 Here is the first bootstrapping program in all its glory.
307 307
434 434
435 #+end_src 435 #+end_src
436 436
437 I use the glitch items 0x00 and 0xFF to great effect in my run. 0x00 437 I use the glitch items 0x00 and 0xFF to great effect in my run. 0x00
438 sells for almost half of max_money, and I use just 3 of them to 438 sells for almost half of max_money, and I use just 3 of them to
439 finance the purchace of all the other items I need. 0x00 is also a 439 finance the purchase of all the other items I need. 0x00 is also a
440 NO-OP in the gameboy's machine language, which means that I can stick 440 NO-OP in the gameboy's machine language, which means that I can stick
441 them anywhere where I need to break up an other wise illegal pair of 441 them anywhere where I need to break up an other wise illegal pair of
442 opcodes. 0xFF is also extremely useful because it is the end-of-list 442 opcodes. 0xFF is also extremely useful because it is the end-of-list
443 sentinel. Normally, the game will "compact" your items whenever you 443 sentinel. Normally, the game will "compact" your items whenever you
444 make a purchase or deposit. For example, if you deposit a pokeball, 444 make a purchase or deposit. For example, if you deposit a pokeball,
461 The final payload program is actually multiple programs. I created a 461 The final payload program is actually multiple programs. I created a
462 reduced form of MIDI and implemented it in gameboy machine 462 reduced form of MIDI and implemented it in gameboy machine
463 language. Then I translated a midi file from 463 language. Then I translated a midi file from
464 http://www.everyponysings.com/ into this reduced MIDI language. The 464 http://www.everyponysings.com/ into this reduced MIDI language. The
465 payload program contains both the music data and the MIDI interpreter 465 payload program contains both the music data and the MIDI interpreter
466 to play that data. The picture works in a similiar way. There is code 466 to play that data. The picture works in a similar way. There is code
467 to translate a png file into a form that can be displayed on a 467 to translate a png file into a form that can be displayed on a
468 gameboy, and other code to actually display that image. Both the image 468 gameboy, and other code to actually display that image. Both the image
469 and the display code are also written by the final bootstrapping 469 and the display code are also written by the final bootstrapping
470 program. Even though my final payload is rather simple, you can write 470 program. Even though my final payload is rather simple, you can write
471 any program at all as the payload. The source for the sound and image 471 any program at all as the payload. The source for the sound and image