
Breakpoint: Difference between revisions

Bbbbbbbbba (Added a sprinkle of Wiki Magic powder. More is needed.)
m (Text replacement - "~" to "–")
 
Line 3:
Since instruction breakpoints are the most common kind of breakpoints, the word "breakpoint" may mean "instruction breakpoint" by default. For example, "a breakpoint at $0040" is understood as a breakpoint that triggers when $0040 is ''executed''. Breakpoints are often set at the entry points of subroutines, in order to analyze their inner workings.
 
For a Game Boy system, there are two ways to specify the location of a breakpoint. One way is to simply use the [http://gameboy.mongenel.com/dmg/asmmemmap.html Game Boy memory space] of $0000–$FFFF; however, if a two-byte memory address is in the range $4000–$7FFF (switchable [[ROM]]) or $A000–$BFFF ([[SRAM]]), it may refer to multiple actual memory locations, due to those memory ranges being banked (i.e. switchable). Therefore, to remove ambiguity, a three-byte pointer in the form of (Bank):(Pointer) may be used, such as 03:55C7. <!-- Does this paragraph really belong here? It is more like "a generally useful note on the Game Boy address space". -->
 
When the execution is paused by the debugger, the user is free to use available features of the debugger to inspect the program state at that point, such as the hardware registers, the assembly code around the program counter, and the contents of the [[RAM]].
Line 18:
 
==Special applications in glitching==
An easy trick to find potential [[arbitrary code execution]] (ACE) exploits is to set a breakpoint on execution of ''any'' address in the range of $8000–$FEFF (such a breakpoint can be set in BGB as an access breakpoint). Whenever such a breakpoint is hit, it means that the control flow must have reached the RAM area, indicating a potential ACE exploit.
 
In the below image, the debugger has automatically paused execution and highlighted WRA1:D163 following the use of the [[glitch item]] [[ItemDex/RB:093|8F (0x5D)]]. This means that the game is executing code from $D163, which is a RAM address. By looking in a RAM map, one can see that [https://datacrystal.romhacking.net/wiki/Pok%C3%A9mon_Red/Blue:RAM_map#Player the values here] are the party Pokémon data. Since party Pokémon data are highly controllable by the player, this is indeed an ACE exploit.
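The two ideas above, the (Bank):(Pointer) notation for banked ranges and the "PC landed in $8000–$FEFF" check, as an added example that is not part of the wiki page and is not BGB's code. The region table, the labels other than WRA1, and the sample trace are my own constructions.

```python
# Constructed example, not from the wiki or from BGB: region table for the
# DMG memory map, bank:pointer notation for the banked ranges, and a scan
# of a PC trace for execution inside $8000-$FEFF.

# (lo, hi, label, banked); labels are assumed, except WRA1 which the page shows
REGIONS = [
    (0x0000, 0x3FFF, "ROM0", False),
    (0x4000, 0x7FFF, "ROMX", True),    # switchable ROM bank
    (0x8000, 0x9FFF, "VRAM", False),
    (0xA000, 0xBFFF, "SRAM", True),    # switchable cartridge RAM bank
    (0xC000, 0xCFFF, "WRA0", False),
    (0xD000, 0xDFFF, "WRA1", False),   # single bank on DMG (CGB banking not modelled)
    (0xE000, 0xFDFF, "ECHO", False),
    (0xFE00, 0xFE9F, "OAM", False),
    (0xFEA0, 0xFEFF, "UNUSED", False),
    (0xFF00, 0xFF7F, "IO", False),
    (0xFF80, 0xFFFE, "HRAM", False),
    (0xFFFF, 0xFFFF, "IE", False),
]

def region(addr):
    """Return (label, banked) for a 16-bit Game Boy address."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError(f"not a 16-bit address: {addr:#x}")
    for lo, hi, label, banked in REGIONS:
        if lo <= addr <= hi:
            return label, banked
    raise AssertionError("REGIONS table has a gap")

def describe(addr, rom_bank=1, sram_bank=0):
    """'BB:PPPP' for banked regions (the active bank removes the ambiguity),
    plain '$PPPP' everywhere else."""
    label, banked = region(addr)
    if not banked:
        return f"${addr:04X}"
    bank = rom_bank if label == "ROMX" else sram_bank
    return f"{bank:02X}:{addr:04X}"

def executing_ram(pc):
    """The trigger the article describes: PC anywhere in $8000-$FEFF."""
    return 0x8000 <= pc <= 0xFEFF

def find_ram_execution(trace):
    """Return (index, pc, label) for every PC in the trace that lands in RAM."""
    return [(i, pc, region(pc)[0]) for i, pc in enumerate(trace) if executing_ram(pc)]

# Constructed trace: ordinary ROM execution, then a jump into party data at $D163.
SAMPLE_TRACE = [0x0150, 0x0153, 0x55C7, 0x55C9, 0xD163, 0xD164]
```

Feeding a real PC trace from an emulator into `find_ram_execution` gives the same signal as the access breakpoint, with the region label telling you which RAM area the control flow entered.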