
Pokemon Yellow hack recodes the game from within - Luc
http://tasvideos.org/forum/viewtopic.php?p=332488&sid=1d8670bd80327418d202b6608e5cd2a9#332488
======
apawloski
This is a great example of what Bratus et al. refer to as a "weird machine" [1], in
which an attacker uses crafted input to create a new and unexpected
computational environment. That is, by using special input, the attacker
manipulates pieces of the target program to act like a CPU that processes
"weird commands" (i.e., more special inputs are used as assembly instructions
that run on the weird machine).

Anyway, there is a rising field ("language-theoretic security") that studies
this phenomenon. If this Pokemon example interests you, then you should give
it a look.

[1] <http://www.cs.dartmouth.edu/~sergey/langsec/>

~~~
anextio
A fantastic talk by Meredith L. Patterson on this very topic at 28c3:

<http://www.youtube.com/watch?v=3kEfedtQVOY>

~~~
drudru11
Wow - excellent link. I've been thinking about this lately. I'm not alone in
thinking that languages are going to be important here. This is a great
resource for further study! Thanks!

------
CKKim
Fascinating. I always wondered if this sort of thing was possible when I
noticed as a child that pressing multiple buttons at the same time on my
parents' calculator made the screen show stuff that wasn't actually real
numbers (things like a 2 with a part missing, etc.). Likewise seeing which
buttons on the VCR have precedence (e.g. if I hold down "play" and press
"stop" then what happens? And vice versa?). I always assumed the device
wouldn't be designed comprehensively to handle all possible inputs like that,
so there was a chance some of them would allow you to do funky unintended
stuff.

Given the complexity and freedom of access that a videogame has, I'm not
surprised that this hack is technically possible, but it is very impressive
that someone's managed to do it!

~~~
vidarh
There are these kinds of unintended effects all over the place in tech.

A particularly interesting one for programmers might be the M6502 CPU.

All opcodes on the M6502 are 8 bits. Due to the way it was implemented in
order to keep transistor count low, various patterns will trigger specific
functionality at specific stages of execution (you can find a javascript
emulation of it that displays the execution in excruciating detail as the
result of creating a transistor exact clone of the design by decapping an
actual 6502 CPU and scanning it...).

These were arranged so that the documented instructions present a suitably
useful instruction set. But all of the remaining opcodes still do
_something_ that was simply deemed pointless by the designers.

Some have been found useful by demo writers in particular as a way of saving
cycles. Some are just totally bizarre and/or unstable. Some do fun stuff
like putting more than one value on the memory bus at the same time. Some even
lock the CPU up so solid it needs to be power cycled to recover...

Here's an overview of the nitty gritty details from someone who actually knows
what they're talking about: <http://www.pagetable.com/?p=39>

------
jamesmiller5
"This script walks from the Viridian City pokemon store to Oak's Lab in the
most efficient way possible. The walk-thru-grass function guarantees that no
wild battles will happen by manipulating the game's random number generator."

I've noticed similar behavior before in the Fire Emblem series.
<http://m.ign.com/walkthroughs/520430>

~~~
minimaxir
Most tool-assisted speedruns (TASes) for old-school video games, usually RPGs
like Pokemon, include a "manipulates luck" clause. The emulator uses
savestates, and if there's a random encounter, the player reverts to an earlier
state. Repeat until successful.

Some games have naturally exploitable RNGs too. The GBA RPG Golden Sun and its
sequel, for example, had a RNG that was completely reverse-engineered for
players to get the top items that normally only randomly drop extremely
rarely.

~~~
shabble
see also: Nethack RNG trickery:
<http://taeb-nethack.blogspot.co.uk/2009/03/predicting-and-controlling-nethacks.html>

------
Almaviva
The next step is to find a vulnerable seam like this in the real universe.

~~~
derefr
Yudkowsky Ambition scale (<http://news.ycombinator.com/item?id=4510702>):

> 10) We think we've figured out how to hack into the computer our universe is
> running on.

It seems Software Engineering still has a long way to go as a discipline:
games like this fall to exploits by a small community after only a few years,
while somehow the universe we live in has survived our civilization (and maybe
others) banging on it for billions without any noticeable hiccups. ;)

~~~
gizmo686
I think the issue is most software is not designed with security as a primary
concern, so a determined user can produce a convoluted input that breaks a
system. Having said that, if you take out buffer overflow exploits, how many
games would still be hacked?

------
MichaelGG
Note that a key part of the hack requires the hardware to reset while a save
game write is in progress. This causes the file to have invalid data -- an
inventory list count is set to an "impossible" value.

Then, within the game, the invalid-length-list is used to overwrite other
arbitrary locations, including a function pointer to an update procedure. Once
that's overwritten he can jump to his own code and it's "game over" as in, he
completely controls the hardware.

But from what I can see, it wouldn't be possible without the initial hardware
resetting during a write. Not that it diminishes the awesomeness, it'd just be
a bit purer if it was a software-only hack.
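
To make the mechanism in the comment above concrete from the defender's side, here is an added C example (not code from the forum post or from the game): a constructed toy memory layout in which an inventory count byte read from a save record is used as a loop bound. The offsets, the item capacity, the "update hook" bytes and the corrupt save record are all hypothetical. The unchecked pass trusts the count and walks past the 20 slots into the hook bytes; the checked pass validates the count against the fixed capacity and rejects the record instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout, not the game's real memory map: a count byte,
   20 item slots of (id, qty), then a 2-byte "update hook" address the
   game would jump through each frame. All offsets are hypothetical. */
#define RAM_SIZE      64
#define INV_CAPACITY  20
#define INV_COUNT_OFF 0
#define INV_SLOTS_OFF 1
#define HOOK_OFF      (INV_SLOTS_OFF + 2 * INV_CAPACITY)   /* bytes 41..42 */

/* Simulated save record as it could look after a reset mid-write: the
   count byte was committed (0xFF) but the slot data never was. */
static void load_corrupt_save(uint8_t *ram) {
    memset(ram, 0, RAM_SIZE);
    ram[INV_COUNT_OFF] = 0xFF;            /* "impossible" count */
    ram[HOOK_OFF]      = 0x34;            /* hook low byte (placeholder value) */
    ram[HOOK_OFF + 1]  = 0x12;            /* hook high byte (placeholder value) */
}

/* Vulnerable form: trusts the count byte. This pass rewrites every slot's
   qty byte; with count > capacity it walks straight into the hook bytes.
   Returns the highest offset written so the overreach is observable. */
static int set_all_quantities_unchecked(uint8_t *ram, uint8_t qty) {
    uint8_t count = ram[INV_COUNT_OFF];
    int last_off = -1;
    for (int i = 0; i < count; i++) {
        int off = INV_SLOTS_OFF + 2 * i + 1;
        if (off >= RAM_SIZE) break;       /* only keeps the demo itself in bounds */
        ram[off] = qty;
        last_off = off;
    }
    return last_off;
}

/* Hardened form: validate the count against the fixed capacity before
   using it as a loop bound, and leave RAM untouched when the record is
   implausible, so a corrupt save is rejected rather than interpreted. */
static bool set_all_quantities_checked(uint8_t *ram, uint8_t qty) {
    uint8_t count = ram[INV_COUNT_OFF];
    if (count > INV_CAPACITY)
        return false;
    for (int i = 0; i < count; i++)
        ram[INV_SLOTS_OFF + 2 * i + 1] = qty;
    return true;
}

static bool hook_intact(const uint8_t *ram) {
    return ram[HOOK_OFF] == 0x34 && ram[HOOK_OFF + 1] == 0x12;
}

typedef struct {
    bool accepted;      /* did the pass run at all? */
    int  last_off;      /* highest offset written (-1 if none) */
    bool hook_intact;   /* was the hook address left alone? */
} Outcome;

/* Run one pass over the corrupt record, checked or unchecked. */
static Outcome run_scenario(bool checked) {
    uint8_t ram[RAM_SIZE];
    Outcome o;
    load_corrupt_save(ram);
    if (checked) {
        o.accepted = set_all_quantities_checked(ram, 1);
        o.last_off = -1;
    } else {
        o.accepted = true;
        o.last_off = set_all_quantities_unchecked(ram, 1);
    }
    o.hook_intact = hook_intact(ram);
    return o;
}

int main(void) {
    Outcome u = run_scenario(false), c = run_scenario(true);
    printf("unchecked: wrote up to offset %d, hook intact: %s\n",
           u.last_off, u.hook_intact ? "yes" : "no");
    printf("checked:   accepted=%s, hook intact: %s\n",
           c.accepted ? "yes" : "no", c.hook_intact ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is that every length or count field read from persistent storage is untrusted input, regardless of who wrote it: a power loss or reset during the write is enough to produce a value the writer would never have produced on purpose. Rejecting the record (or restoring a known-good copy) is the safe response; the bounds check alone already stops the loop from reaching the hook bytes.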

~~~
raldi
The reset button is software-only. On most games, you can do a reset by
holding down all four buttons.

------
VonGuard
If you're really into this, spend some more time on tasvideos.org

The guys that do these tool-assisted speed runs are incredible. One fellow
plays 4 Mega Mans all at once with a single controller doing input for all 4
games at the same time.

This Pokemon hack is insane, but was inspired by a guy who uses it to beat the
game in around 2 minutes. That particular speed run abuses the fact that
everything in the game has a simple identifier. So, what he does is insert a
warp point into his inventory, drop it in front of himself, and walk through
it to the end of the game.

~~~
heed
Here's a Chrono Trigger TAS that uses similar types of hacks as this Pokemon
one:

<http://www.youtube.com/watch?v=OgVVcnGm0eM&sns=em>

------
pepsi
His blog post goes into a little more detail about the actual "code" that runs
than the forum post.

<http://aurellem.org/vba-clojure/html/total-control.html>

~~~
bbq
It's quite interesting:

> I built a layer of clojure code on top of the JNI bindings to get
> an entirely functional interface to vba-rerecording. This
> interface treats state of the emulator as an immutable object, and
> allows me to do everything I could do with the lower level C
> interface in a functional manner. Using this functional code, I
> wrote search programs that take a particular game-state and try
> out different combinations of button presses to get any desired
> effect. By combining different styles of search with different
> initial conditions
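
The two ideas above, minimaxir's savestate-and-retry "luck manipulation" and the quoted approach of searching over an immutable emulator state, come down to the same thing once the game is deterministic. The following is an added C example, not code from the blog post, the forum post or vba-rerecording: a constructed toy model with an 8-bit LCG that advances once per frame and a grass tile that starts a battle when the RNG byte is below a threshold (the LCG constants, threshold and encounter rule are all hypothetical, not the game's). State is passed by value, so "loading a savestate" is just reusing an older struct, and the planner tries idle frames before each step until it finds a sequence with no battle.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model, not the game's real RNG or encounter rule. */
#define ENCOUNTER_THRESHOLD 0x30   /* battle when rng byte < 48 (~19%) */
#define MAX_WAIT_FRAMES     32
#define DEMO_TILES          10

typedef struct {
    uint8_t rng;        /* hypothetical 8-bit RNG state */
    int     tiles_left; /* grass tiles still to cross */
    int     frame;      /* frames elapsed: the TAS "cost" */
    bool    in_battle;
} State;

/* One idle frame: only the RNG advances. Pure: returns a new value. */
static State idle_frame(State s) {
    s.rng = (uint8_t)(s.rng * 5 + 17);   /* toy LCG, full period mod 256 */
    s.frame++;
    return s;
}

/* Pressing the d-pad to step onto the next grass tile. */
static State step_into_grass(State s) {
    s = idle_frame(s);                   /* the step itself costs a frame */
    s.tiles_left--;
    if (s.rng < ENCOUNTER_THRESHOLD) s.in_battle = true;
    return s;
}

/* Savestate-style search: before each step, try waiting 0..MAX_WAIT
   frames and keep the first delay that avoids a battle. Because State is
   a value, "reloading the savestate" is just reusing the old struct.
   Fills waits[] with the delay used per tile; returns total frames, or
   -1 if some tile has no battle-free delay within the limit. */
static int plan_safe_walk(State start, int *waits) {
    State s = start;
    for (int t = 0; s.tiles_left > 0; t++) {
        bool found = false;
        for (int w = 0; w <= MAX_WAIT_FRAMES; w++) {
            State trial = s;             /* "load savestate" */
            for (int i = 0; i < w; i++) trial = idle_frame(trial);
            trial = step_into_grass(trial);
            if (!trial.in_battle) {
                waits[t] = w;
                s = trial;               /* "save" the good outcome */
                found = true;
                break;
            }
        }
        if (!found) return -1;
    }
    return s.frame;
}

/* Walking straight through with no waiting: does a battle happen? */
static bool naive_walk_hits_battle(State s) {
    while (s.tiles_left > 0 && !s.in_battle) s = step_into_grass(s);
    return s.in_battle;
}

/* Constructed starting point: RNG byte 0, ten grass tiles ahead. */
static State demo_start(void) {
    State s = { 0, DEMO_TILES, 0, false };
    return s;
}

/* Frames the planned walk takes from the demo start (-1 if no plan). */
static int demo_planned_frames(void) {
    int waits[DEMO_TILES];
    return plan_safe_walk(demo_start(), waits);
}

int main(void) {
    int waits[DEMO_TILES];
    State start = demo_start();
    printf("naive walk hits a battle: %s\n",
           naive_walk_hits_battle(start) ? "yes" : "no");
    int frames = plan_safe_walk(start, waits);
    printf("planned walk: %d frames, idle frames before each tile:", frames);
    for (int t = 0; t < DEMO_TILES; t++) printf(" %d", waits[t]);
    printf("\n");
    return 0;
}
```

With the constructed start state the naive walk hits a battle on the very first tile, while the planner crosses all ten tiles in 13 frames by inserting a single idle frame before three of them. The same structure scales to the real tool: replace the toy `idle_frame`/`step_into_grass` with calls into an emulator that can snapshot and restore its state, and the search loop is unchanged.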

------
flixic
One more aspect to this is how the game becomes interesting _because it has
bugs_, not because it is bug-free.

~~~
darkstalker
One popular game bug in the Quake series was "strafe jumping" [1]. It became a
canonical movement technique that got ported into other games.

[1] <http://en.wikipedia.org/wiki/Strafe-jumping>

~~~
sliverstorm
Another one is "wavedashing" in Smash Melee. Not really a _bug_, but
certainly strange behavior that became vital in competitive play.

~~~
err
so many exploits in that game.. so many days I'll never get back.. anyone down
for a quickie?

------
minimaxir
If you're interested in seeing what happens when you _really_ want to hack the
game through glitching/RAM abuse via cheat codes, check out this Let's Play of
Pokemon Blue.

<http://lparchive.org/Pokemon-Blue/Update%2001/>

~~~
ekimekim
Sigh... you know, I really could've used those 4 hours.

------
lutze
This is really clever. Figuring out the first bootstrapping program with such
a limited instruction set must have been a pain though.

------
brennenHN
It's hilarious how much the My Little Pony reference derailed their
conversation and excitement about the awesome hack.

------
kanzure
Or you can just rewrite the game from source code :)

<https://github.com/kanzure/pokecrystal>

<https://bitbucket.org/iimarckus/pokered>

(Red is fairly close to being the same as Yellow. But there are definitely
differences.)

------
bbq
Now I might get stuck reading the author's blog all day:
<http://aurellem.org/>

The Cortex project they have going is stellar and there are some _great_
examples of Clojure-Java interop.

------
JonnieCache
I wonder how many job offers this guy's going to get from security companies
over the next 24 hours...

~~~
gizmo686
Probably not many. He used a buffer overflow exploit (found by someone else)
to achieve arbitrary code execution (in a program not designed for security).
That is not a trivial task (given the limited number of op-codes he was able
to use), but not something that deserves job offers.

~~~
JonnieCache
I think you overestimate how easy it is to hire people capable of overflowing
buffers on their own initiative.

~~~
homedog
I think you underestimate how easy it is to exploit buffer overflows on
systems with no exploit mitigations. Come back when you have ASLR and DEP
running on the gameboy.

------
mwally
Just another reminder that anything is possible.

For those that are wondering if something like this is possible outside of
computers/video games, I would recommend a study of Lucid Dreaming. If brain
hacking is possible, this has to be the best method of entry into the system.

------
dools
So am I correct in my understanding that this sort of hack is made possible
only because the Gameboy uses an 8080-derived chip with a Von Neumann
architecture? i.e., if it used a Z8 (or any other Harvard Arch chip) it wouldn't
be possible to "bootstrap" like this?

------
shocks
I have nothing but admiration for people that do this.

Wow!

------
Roelven
Holy f this completely blew my mind

------
gailees
Beautifully done.

------
teeray
Oh, that's how you beat the game...

------
chii
wow, this is amazing.

