The SIMS 2 (Nintendo DS) buffer overflow exploit. Part 2: Spawning unused game items (Arcade-Copter)

Рет қаралды 2,559

Күн бұрын

I've heard about a buffer overflow bug in one of The SIMS 2 for DS minigames named "Alien Autopsy" causing save games to become corrupt.
On the internet forums it was recomended to not to play that game at all to prevent corruption.
Probably at that time, emulators were not as popular as today, because once I open my emulator debugger and see what the bug did, I got surprissed that it allows to write data at desired memory addresses!
In this second part, I take advantage, not of the fact of being able to write object IDs on memory addresses, but the fact of being able to shift data after the item memory, to the item memory by selling items when pocket size exceeds the item memory size.
Since the next data after the item memory is a timestamp, it can be manipulated by changing the calendar and time on the DS, so we can get any object ID we want!
On a real DS this second exploit is not as simple!! the first 4 bytes of that unused block are copied from the DS firmware (DS verification or something?) when you create a new game, and since they can be converted to non-valid object IDs, it can make it crash when showing that items on the pocket or shop. Additionally, it seems that selling objects when pocket size is bigger than 6 also makes real DS to crash for whatever reason, that doesn't do on emulator.
A working solution for real DS (tested by me) is to, after getting a 11 sized pocket, to get an alien (ID=0131 at 24/03/22 10:14:13) and then, with that alien on the last slot, you will be able to play the minigame 11 times (if got correct item) to get pocket size=0 while overriding that "unused" block with Alien valid items, shifting that invalid item IDs to the pocket items. Then you must get some items on the pocket and alien on the 6th slot to replace that invalid IDs and to repeat the minigame process to get pocket size 11 again, but this time to get the item you want: play minigame at least 5 times to get pocket size from 11 to less or equal 6 instead of going to the shop, and then you will be able to open pocket and see your item!
On real DS is extremely dificult and time consuming as you might notice, so I don't recomend you to try it outside emulator. Remember: I'm crazy, but you probably not.

Пікірлер: 25

@CheatFreak47 2 жыл бұрын

I figured out this memory manipulation tech too but it's rather difficult to do this with the level of required precision on hardware so I never really bothered trying it on hardware or really mentioning it anywhere cool to see someone demonstrating it like this in a video though

@0906gv Жыл бұрын

How do I fix if I played the game and saved with corrupted pockets now 😢

@swannentwhistle 2 жыл бұрын

Thanks for making these two videos. I'm really interested by all the secrets of this game, specially by this glitch. When I discovered it while playing, I was really hoping to find a legit solution. Your videos helped me to understand it and now, I want to try it on emulator to see all that I can do with it. I wanted to know which emulator did you use to show variables and items ID in live ? Thanks 👍

@averagejoeyo 5 ай бұрын

I have no clue what the numbers mean cause I’m not that smart yet, but this is a wild breakthrough 🔥 Great find

@Robciomixxnfs Ай бұрын

I just recently found out that one of the savefiles on my copy of Sims 2 is corrupted- the game crashes when selecting the pocket menu. But here's the weird part. The stat panel in manager's suite says that the previous owner of the game (or one of them) has vanquished 679,608,320 aliens, and captured 589,824 goons. I wonder if it's also the effect of memory overflow or someone played with action replay too much.

@ddrkingjb 8 ай бұрын

Wondering if something like this works in other Sims like Urbz DS

@송춘식색소폰 11 ай бұрын

Thank you for sharing. Very good. Have a nice day. See you again. 🎁🔔👍♥️🍀

@joaoconterraneo3640 11 ай бұрын

Boa Noite jadei joinha

@Mysda_ Жыл бұрын

Thats weirdly very cool

@Rekoware 2 жыл бұрын

Very interesting stuff

@MrFelonystreet 10 ай бұрын

I wanna do this on ds so bad it’s gonna suck trying to get that exact second

@eliididaspeedrun 11 ай бұрын

Hi! Can I use some of your video in my video? Of course with credits 😊

@juanmv94 11 ай бұрын

Sure, you can 😊

@eliididaspeedrun 11 ай бұрын

@@juanmv94 Thanks!

@diskyf6332 Жыл бұрын

Holaaaa???

@yawningmoon8040 Жыл бұрын

I got accidentally stuck with this glitch and I don't how how to get it out 😭 could someone help me please ?

@juanmv94 Жыл бұрын

I don't think it's possible to fix a savegame in a real cartridge without using Action Replay or similar hardware devices. You can still start a new game and save it in that slot, and that new savegame will work fine.

@yawningmoon8040 Жыл бұрын

@@juanmv94 Thanks for your answer, I thought as much... Ugh. I can always start a new game, but I'm so maaaaaad cause I'd gotten so far in the game :')

@goldren9605 Жыл бұрын

I'm in HxD and i can't find the position of this inventory stuff, I want to clear it to access (I'm stuff with the glitch..) Did you know where is the position of the line you watch ?

@juanmv94 Жыл бұрын

Sure, I can probably help you, but you must tell me more details like the ROM region (USA/Europe) if you are using emulator with RAM access, or dumped cartridge savedata somehow, the save slot (1-3),... That kind of things

@goldren9605 Жыл бұрын

@@juanmv94 thanks for your kind Reply ! I'm on a EUR version and i've the .sav from the original gamecard ! (Checkpoint on 3DS) I've already test somethings and I've solved my trouble, I Can open the inventory but... The first slot is locked by the cowbell (quest item I already do) so I need the position of the first slot to remove it (I'm french ahah)

@juanmv94 Жыл бұрын

@@goldren9605 Just for curiosity, how did you managed to fix it? Anyway, you can definitely change any item from your savestate with an hex editor 😄 there are 5 save slots on offsets 0x0000, 0x1000, 0x2000, 0x3000, and 0x4000 that includes in-game 3 slots + 2 special slots. At least one is a backup for the last played slot when checksum fails. Pocket data starts at 0xS0C3 where S is 0-4 slot. But as you might already noticed, changing slot data without fixing the 4-byte checksum at 0xS00E will break your savegame, and it might be restored to the last save, or deleted. I didn't reversed the 2 checksum routines, but I do the following mess with DS debugger and hex editor to fix it: * Set 4-byte checksum at 0xS00E to 0x00000000 and save it. * BRK at 0x204DEDC: If r00, 1st checksum routine fails for that slot. Calculate (0x10000 - r0 value) and set it to first 2 bytes at 0xS00E. Save it, 1st checksum routine will now pass. * BRK at 0x204DC8C: If r00, 2st checksum routine fails for that slot. Set last 2 bytes at 0xS010 with r0 value, and decrease first 2 bytes at 0xS00E with r0 value. Both checksums will pass now.