Difference between revisions of "Bughunting"

From SDA Knowledge Base

Latest revision as of 22:42, 30 August 2009

No program is perfect. By extension, no game is bug-free. The techniques here will help you find bugs, if none are already known. Hopefully the bugs you find will be useful, and you will then add them to this wiki on the appropriate game page!

See also: Generic techniques.

All Games

Pausing

In many cases, especially with older games, you can exploit quirks with how a game handles pausing. Most commonly they confuse timed events such as reloading or hitstun. You can use this trick with Mega Man 1 to repeatedly hit bosses with the Lightning weapon, by pausing each time it hits and waiting a short duration for the boss's hitstun to reset before un-pausing. Pausing could also reset the character's vertical velocity to zero, allowing you to make extra-long jumps.

Hidden Worlds

Where the world is made up of discrete rooms, there must be some mechanic whereby the game decides which room to place you in next, usually occurring when you reach a boundary. If this mechanic were confused, perhaps by another event happening at the same instant the boundary is triggered, then it may send you to the wrong place. Alternately, you might try facing the wrong direction when triggering a boundary. This can lead to completely un-navigable areas or empty copies of other rooms. The Pokemon series' 'Glitch Cities' can be entered by exiting the Safari Zone in an unintended fashion.

Scrolling

When games scroll in any direction, they must decide what to put on the screen next. As with the Hidden Worlds bugs, confusing this decision process can have strange results. By hitting Select at appropriate times during Metroid II, entire lines of wall can be skipped out when the engine scrolls them on screen. This allows you to enter glitchy areas and skip vast sections of the map. The 4th-generation Pokemon games have a tweaking trick with much the same effect.
Action Games

Physics

Let's say the game you are playing runs at 60Hz. In most modern-ish PC games you can change this as long as your monitor supports it. While this frequency only tells you how many frames the graphics engine outputs per second, it also tends to be how many 'game ticks' the engine runs per second. When combined with a little understanding about how games implement physics, it can blow the game wide open.

Almost all games with physics will go with some kind of simplified Newtonian method. What this means is that your character (and possibly other actors in the game world) will have at least a position and a velocity. Most of these engines boil down to running "NewPosition = OldPosition + Velocity" every game tick, which has some interesting consequences. If you are going so fast that on consecutive game ticks you are on opposite sides of a wall, the game may never register a collision. This is used with Half-Life to go through a barrier and with countless other games to occasionally ignore corners.
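The tunnelling effect described above, as an added illustration that is not code from the page or from any real engine: a one-dimensional mover is stepped with the naive "position += velocity" update and compared with a swept check that tests the whole path travelled during the tick. The wall position and thickness are assumed values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not code from any game engine. One axis only:
 * a wall occupies the interval [WALL_LEFT, WALL_RIGHT). */
#define WALL_LEFT  10.0
#define WALL_RIGHT 11.0   /* the wall is one unit thick */

/* Naive per-tick update: NewPosition = OldPosition + Velocity, then test
 * only the new position. A mover faster than the wall is thick can land
 * on the far side without ever being "inside" the wall on any tick. */
bool naive_tick(double *pos, double vel) {
    double next = *pos + vel;
    bool hit = next >= WALL_LEFT && next < WALL_RIGHT;
    if (hit) next = WALL_LEFT;            /* stop at the near face */
    *pos = next;
    return hit;
}

/* Swept update: test the whole path [pos, pos + vel] against the wall, so
 * the collision is found no matter how large the per-tick step is. */
bool swept_tick(double *pos, double vel) {
    double next = *pos + vel;
    double lo = *pos < next ? *pos : next;
    double hi = *pos < next ? next : *pos;
    bool hit = lo < WALL_RIGHT && hi >= WALL_LEFT;
    if (hit) next = vel > 0 ? WALL_LEFT : WALL_RIGHT;  /* stop at the face entered */
    *pos = next;
    return hit;
}

/* Run up to n ticks at constant velocity from start; stop on the first hit.
 * Returns the final position. */
double simulate(double start, double vel, int n, bool swept) {
    double pos = start;
    for (int i = 0; i < n; i++)
        if (swept ? swept_tick(&pos, vel) : naive_tick(&pos, vel)) break;
    return pos;
}

int main(void) {
    printf("slow, naive: %.1f\n", simulate(9.5, 0.4, 10, false)); /* stops at 10.0 */
    printf("fast, naive: %.1f\n", simulate(9.5, 2.0, 10, false)); /* 29.5, passed through */
    printf("fast, swept: %.1f\n", simulate(9.5, 2.0, 10, true));  /* stops at 10.0 */
    return 0;
}
```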

Bunnyhopping

How do you reach such ludicrous speeds in the first place? A common technique (at least in First-Person Shooters) is to jump repeatedly. This technique works because many engines calculate "If Player on Ground: NewVelocity = OldVelocity - Friction" every tick. The more time you spend off the ground, the less friction will be applied to you. However, in order to actually gain speed rather than maintain it, you will need to do something else. The 'something else' depends entirely on the game's engine. Quake runners continually move the mouse from side-to-side whilst using the strafe keys; Half-Life 2 mandates that you use alternate strafe keys as you land. Experiment.

Some games consciously implement bunnyhopping: Painkiller and Quake 3 let you bunnyhop just by jumping while holding forward.
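The friction rule from the paragraph above ("If Player on Ground: NewVelocity = OldVelocity - Friction"), as an added simulation that is not code from the page or from any engine. It only models how much horizontal speed survives when the player is airborne most of the time versus staying grounded; the gravity, friction and jump constants are assumed, and no speed-gain mechanic is modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not code from any game engine. Integer units
 * keep the arithmetic exact. y == 0 is the ground. */
#define GRAVITY  1    /* vertical speed lost per tick while airborne */
#define FRICTION 2    /* horizontal speed lost per tick while on the ground */
#define JUMP_VEL 3    /* vertical speed given by a jump */

typedef struct { int y, vx, vy; } Player;

static bool on_ground(const Player *p) { return p->y <= 0; }

/* One game tick: friction only while grounded, gravity only while airborne,
 * then NewPosition = OldPosition + Velocity on the vertical axis. */
void tick(Player *p, bool want_jump) {
    if (on_ground(p)) {
        p->vx = p->vx > FRICTION ? p->vx - FRICTION : 0;
        if (want_jump) p->vy = JUMP_VEL;
    } else {
        p->vy -= GRAVITY;
    }
    p->y += p->vy;
    if (p->y <= 0) { p->y = 0; p->vy = 0; }   /* landed */
}

/* Run n ticks from horizontal speed vx. With hop == true the player jumps
 * on every tick it touches the ground. Returns the remaining horizontal speed. */
int speed_after(int vx, int n, bool hop) {
    Player p = {0, vx, 0};
    for (int i = 0; i < n; i++) tick(&p, hop);
    return p.vx;
}

int main(void) {
    /* With these constants a jump lasts six airborne ticks, so friction
     * bites once every seven ticks instead of every tick. */
    printf("grounded for 14 ticks: %d\n", speed_after(20, 14, false)); /* 0 */
    printf("hopping for 14 ticks:  %d\n", speed_after(20, 14, true));  /* 16 */
    return 0;
}
```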
RPGs

Integer Underflow

Games which need to store values do so based on how large that value might need to become. A standard way of doing this on old games is by using one byte, which gives an unsigned range of 0..255, or a signed range of -128..127. Unless the game ensures that the value cannot go below the minimum, you can often cause the value to wrap around to its maximum. This can be very useful if the value in question is your character's Strength or Level. With Baldur's Gate you can use an item-swapping trick to wrap an item's quantity value around to 65535, the two byte unsigned maximum. With Suikoden II you can use the Kindness Rune to add 255 Attack by making your Kindness value lower than 0.
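The wrap-around described above, as an added illustration that is not code from the page or from any game: one-byte and two-byte stats decremented without a minimum check wrap to 255 and 65535 respectively, while the guarded versions clamp at zero. The stat names are only labels; how any particular game computes its bonuses is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of how fixed-width game stats behave when
 * decremented past their minimum; not code from any game. */

/* Unguarded one-byte stat (e.g. a 0..255 "kindness" value): uint8_t
 * arithmetic is modulo 256, so 0 - 1 becomes 255. */
uint8_t dec_stat_unguarded(uint8_t stat, uint8_t amount) {
    return (uint8_t)(stat - amount);
}

/* Guarded version: refuse to go below the minimum (saturate at 0). */
uint8_t dec_stat_guarded(uint8_t stat, uint8_t amount) {
    return amount > stat ? 0 : (uint8_t)(stat - amount);
}

/* Unguarded two-byte quantity (e.g. an inventory stack): wraps to 65535. */
uint16_t dec_qty_unguarded(uint16_t qty, uint16_t amount) {
    return (uint16_t)(qty - amount);
}

uint16_t dec_qty_guarded(uint16_t qty, uint16_t amount) {
    return amount > qty ? 0 : (uint16_t)(qty - amount);
}

/* Signed one-byte stat: going below -128 wraps to +127. The subtraction is
 * done in unsigned arithmetic so the demonstration itself is well defined. */
int8_t dec_signed_unguarded(int8_t stat, int8_t amount) {
    return (int8_t)(uint8_t)((uint8_t)stat - (uint8_t)amount);
}

int main(void) {
    printf("kindness 3 - 5, unguarded: %u\n", dec_stat_unguarded(3, 5));   /* 254 */
    printf("kindness 3 - 5, guarded:   %u\n", dec_stat_guarded(3, 5));     /* 0 */
    printf("stack 1 - 2, unguarded:    %u\n", dec_qty_unguarded(1, 2));    /* 65535 */
    printf("signed -128 - 1, unguarded: %d\n", dec_signed_unguarded(-128, 1)); /* 127 */
    return 0;
}
```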

Memory Corruption

Memory corruption can be used to completely break open a game. This volatile type of bug can have profound effects on the stability and state of the game. A well-known corruption bug occurs on Final Fantasy VI when Relm uses Sketch after Vanish, causing it to miss the target. The program will then attempt to read an area of memory that does not contain any enemy data, with potentially exploitable results.
