# HG changeset patch # User Robert McIntyre # Date 1353605092 21600 # Node ID d9f991cddad97f29972be7014336954de48278e0 # Parent 4dd5ebf224cdb71674b931f055ca4cff673d9a37 spellcheck diff -r 4dd5ebf224cd -r d9f991cddad9 org/total-control.org --- a/org/total-control.org Thu Nov 22 11:21:05 2012 -0600 +++ b/org/total-control.org Thu Nov 22 11:24:52 2012 -0600 @@ -50,7 +50,7 @@ When I first saw that speedrun, I was amazed at how fast pokemon yellow could be beaten, and that it was possible to manipulate the -game from the inside, using only the item list. I wondeered how far I +game from the inside, using only the item list. I wondered how far I could extend the techniques found in p4wn3r's run. The gameboy is an 8 bit computer. That means that ultimately, anything @@ -65,14 +65,14 @@ interactive program that reads input from the buttons and allows you to write any program you want to the gameboy. Once you have assembled such a program and forced the game to run it, you have won, since you -can use that program to write any other program (like tetirs or -pacman) over pokemon yellow's code. I call a program that allows you +can use that program to write any other program (like Tetris or +Pacman) over pokemon yellow's code. I call a program that allows you to write any other program a "bootstrapping program". So, the goal is to somehow get a bootstrapping program into pokemon yellow and then force yellow to run that program instead of its own. How can we spell out such a program? Everything in the game is -ultimately nunbers, including all items, pokemon, levels, etc. In +ultimately numbers, including all items, pokemon, levels, etc. In particular, the item list looks like: #+begin_example 
@@ -112,14 +112,14 @@ pokemon keeps a number called a function pointer within easy reach of the corrupted item list. This function pointer is the starting point (address) of a program which the game runs every so often to check for -poison and do general maintaiance. By shifting an item over this +poison and do general maintenance. By shifting an item over this function pointer, I can rewrite that address to point to the bootstrapping program, and make the game execute it. Without this function pointer, it would not be possible to take over the game. * The Run -I start off and name my rival Lpk. These characters will eventually be +I start off and name my rival Lp/k. These characters will eventually be treated as items and shifted over the function pointer, causing it to execute the bootstrapping program that will soon be constructed. I start the run the same as p4wn3r's and restart the game while saving, @@ -129,7 +129,7 @@ rewrite the warp point of my house to Celadon Dept. Store. (p4wn3r used this to go directly to the hall of fame and win the game in his run.) I deposit many 0x00 glitch items into the PC from my corrupted -inventory for later use. Then, I widthdraw the potion from the +inventory for later use. Then, I withdraw the potion from the PC. This repairs my item list by overflowing the item counter from 0xFF back to 0x00, though the potion is obliterated in the process. I then take 255 glitch items with ID 0x00 from the computer into my 
@@ -175,17 +175,17 @@ any location in memory, and then jump to any location in memory. This new program also can write 8 bits per frame by using all the buttons. Using this new bootstrap program, I write a final -bootstrapping program that does everything the provious bootstrapping +bootstrapping program that does everything the previous bootstrapping program does except it also displays the bytes it is writing to memory on the screen. -After completing this bootstrapping program, I go to the celadon +After completing this bootstrapping program, I go to the Celadon mansion, because I find the metaness of that building to be sufficiently high to serve as an exit point for the pokemon universe. I corrupt my item list again by switching corrupted pokemon, -scroll down to my rival's name and discard untill it is equal to the +scroll down to my rival's name and discard until it is equal to the address of my bootstrapping program, and then swap it with the -function pointer. Once the menu is closed, the boostrapping program +function pointer. Once the menu is closed, the bootstrapping program takes over, and I write the payload.... * Infrastructure @@ -195,7 +195,7 @@ of the infrastructure I build to make the video. The entire source of the project is available at http://hg.bortreb.com/vba-clojure -The first step was to build a programatic interface to pokemon +The first step was to build a programmatic interface to pokemon yellow. So, I downloaded vba-rerecording from http://code.google.com/p/vba-rerecording/. After repairing their broken auto-tools scripts so that it would compile on GNU/Linux, I 
@@ -212,7 +212,7 @@ do everything I could do with the lower level C interface in a functional manner. Using this functional code, I wrote search programs that take a particular game-state and try out different combinations -of button prosses to get any desired effect. By combining different +of button presses to get any desired effect. By combining different styles of search with different initial conditions, I created high level functions that could each accomplish a certain general task, like walking and buying items. For example, here is some actual code: @@ -245,7 +245,7 @@ This script walks from the Viridian City pokemon store to Oak's Lab in the most efficient way possible. The walk-thru-grass function -gaurantees that no wild battles will happen by manipulating the game's +guarantees that no wild battles will happen by manipulating the game's random number generator. #+begin_src clojure @@ -268,11 +268,11 @@ #+end_src This script calculates the fastest sequence of key presses to deposit -the requested items into a pc, assuming that the character starts out +the requested items into a PC, assuming that the character starts out in front of a computer. -I also wrote functions that coudl grovel through the game's memory and -present the internal data structures in useable ways. For example, the +I also wrote functions that could grovel through the game's memory and +present the internal data structures in usable ways. For example, the function =print-inventory= returns the current inventory in a human readable format. @@ -299,7 +299,7 @@ Armed with these functions, I constructed a bootstrapping program that -could be expressed as items. This is particurally hard, since many +could be expressed as items. This is particularly hard, since many useful opcodes do not correspond any item, and the item quantities must all be less than 99. 
@@ -436,7 +436,7 @@ I use the glitch items 0x00 and 0xFF to great effect in my run. 0x00 sells for almost half of max_money, and I use just 3 of them to -finance the purchace of all the other items I need. 0x00 is also a +finance the purchase of all the other items I need. 0x00 is also a NO-OP in the gameboy's machine language, which means that I can stick them anywhere where I need to break up an other wise illegal pair of opcodes. 0xFF is also extremely useful because it is the end-of-list @@ -463,7 +463,7 @@ language. Then I translated a midi file from http://www.everyponysings.com/ into this reduced MIDI language. The payload program contains both the music data and the MIDI interpreter -to play that data. The picture works in a similiar way. There is code +to play that data. The picture works in a similar way. There is code to translate a png file into a form that can be displayed on a gameboy, and other code to actually display that image. Both the image and the display code are also written by the final bootstrapping
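Review bot: In the @@ -65,14 +65,14 @@ hunk, the fix capitalizes "Tetris" and "Pacman" but leaves "pokemon yellow's code" on the same changed line, and "gameboy" a few lines above, in lowercase. If proper nouns are being capitalized in this pass, apply it to all of them in the touched lines, or leave the capitalization alone and limit the changeset to the misspelling "tetirs".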
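Review bot: In the @@ -112,14 +112,14 @@ hunk, the change from "Lpk" to "Lp/k" under "* The Run" is not a spelling correction. The next sentence says these characters are later treated as items and shifted over the function pointer, so the exact characters carry meaning. Either mention it in the commit message, which currently says only "spellcheck", or move it to its own changeset so the content change is visible in the history.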
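Review bot: In the @@ -195,7 +195,7 @@ hunk, the unchanged context line "of the infrastructure I build to make the video." still has a tense error just above the "programmatic" fix. The surrounding sentences are past tense ("The first step was", "I downloaded"), so "build" should read "built"; it is worth picking up in the same pass.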
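Review bot: In the @@ -299,7 +299,7 @@ hunk, the line directly after the "particularly" fix still reads "useful opcodes do not correspond any item", which is missing a word. Suggest "do not correspond to any item" so the sentence being touched is fully corrected.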
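Review bot: In the @@ -436,7 +436,7 @@ hunk, the context two lines below the "purchase" fix still contains "an other wise illegal pair of opcodes", which a dictionary-based spellcheck will not flag because each fragment is a valid word. Suggest "an otherwise illegal pair", and consider tightening "anywhere where I need" on the preceding line to "anywhere I need" while there.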