Why do people not just update? - Some versions after 1.6 came bundled with adware/malware and have a 30 second nag screen asking you to donate before you can play games. (But nowadays the ad/malware is gone, so if you don't mind the nag screen, go for it.)
What emulator should I use now? - Parallel Launcher is a good option and takes 2 minutes to set up. Here is a guide: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-CTNhulgpH6Y.html
I'm using Version ... of this emulator, am I safe? - If it is newer than 1.7, you are safe.
I want to emphasize that exploits like this can happen in any emulator and have been found in others as well. This wouldn't be an issue if they were patched and people updated, but for a ~20 year old emulator that's still used, this is not realistic.
I used the older version of Project64 because Ocarina of Time mods crashed on the newer version. I think that's why many people prefer the older version.
Except they don't? I use Project64 2.3 and so long as you don't have an attention span of a TikTok child you can just opt out of the adware in the installation menu. You will be left with the nagging, but it's easily disabled in the configuration files. I never had any issues with Project64.
I think it's always good to remind everyone using Linux that Wine and Proton (Steam) aren't emulators and also aren't sandboxing your system. There have been demonstrated attacks showing how malicious code can escape and gain root access to the host system.
Yep, they're compatibility layers to allow Windows programs to run as if they're Linux ones, and as such, you should only run programs you trust in them.
Heck, even Windows malware can oftentimes do their job under Wine. By default, Wine mirrors your user folders inside the simulated Windows filesystem, so ransomware has no trouble finding your data and encrypting it. Stay safe out there, folks. It's a lot more inconvenient, but simply installing the flatpak version of Wine under a different user and switching to it to run Windows software, while inconvenient and tough to set up, will do a great job to keep your OS safe.
Yes, and while they absolutely shouldn't be seen as any kind of security tool, it can take additional work from a malware developer for non-trivial things. You have to check if the system is actual Windows or Wine, then write Linux-specific functionality to actually damage the host system (enable auto-starting, infecting system files, etc). I find it unlikely someone would go through that extra effort unless they had reason to believe it would be very easy to deliver to Linux users.
Joke’s on that, I couldn’t figure out how to make Wine work in the first place. And frankly I’ve gotten so used to sticking to Linux for the Deck that I don’t care about learning anymore.
After that donate screen appeared for the first time for me I just gave up and used another emulator, I agreed those guys deserved to receive donations but forcing you to wait 30 seconds to use the software was just an asshole move. I guess this security risk was just the final nail on the coffin. R.I.P Project 64 - You won't be missed.
@Crazy_Gamer_OG That is objectively untrue. In fact it's made worse that the intro sequences happen only after the 30 second waiting period. Don't stick to PJ64. It's actually awful at emulating the N64 accurately and is the bane of most decomp romhackers for its many issues with displaying materials wrong. Please just use Parallel Launcher, you have so many more options and plugins for emulating N64 games.
@Crazy_Gamer_OG agreed. I haven't used PJ64 as much recently, but I accepted it's just part of using it. Besides, they put in a lot of work to get games working at all. It's a small price to pay for being able to use it. Besides, I would support emulator devs if I could, I just don't have money to.
In fact you don't need to wait 30s, when you launch the emulator at the beginning you just have to right click on PJ64 in the taskbar and then click on Project 64, the emulator will restart without displaying the donation screen!
These hackers and scammers are starting to become more dangerous than I have ever imagined. It happened with YouTubers, Discord, Steam, PlayStation (one of my friends told me), Instagram and other social media platforms. We need to be more careful out there to prevent hackers from hacking into our stuff.
Hello Kaze, I really appreciate you putting out this video, but I just have one question. I don't know if you've heard of the Mario Party Netplay emulator, but it's just a modified version of Project 64 that comes with everything needed to play Mario Party 1-3 with netplay. As such, those are the only games running on the emulator. Is it safe to continue using this modified version of Project 64? If it will help, I would like to add that I got the ROMs from Vimm's Lair.
If there is a checksum verification, it should be fine (since that'd mean no one could have edited the official ROM). But if it says unknown checksum, it is not 100% safe. Though I don't think anyone would have put the exploit into a ROM this fast.
Very good video. Used PJ64 for a long time and have always been too casual with downloading tons of ROMs online. Thanks for putting this out there. That nag screen is super weird so I’ll probably download GlideN. That Anti-piracy screen was amazing btw lmao
An efficient way to handle this without checks is just have two tables, one for reading and one for writing. Unmapped write entries go to a dummy page in memory that's never read. Unmapped read entries go to another dummy page that's filled with whatever open-bus value gets read.
That's what I did in my ancient emulator years ago. The lookup tables got huge but ram was getting plentiful in the early 2000s. I am guessing zil didn't want the increased ram requirements
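The two-table lookup suggested in this thread (separate read and write tables, with unmapped entries pointing at dummy pages), as an added sketch in C; it is not Project64's code or any commenter's. The 64 KiB page size, the 0xFF open-bus value, the tiny RAM/ROM layout and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BITS  16u
#define PAGE_SIZE  (1u << PAGE_BITS)
#define PAGE_MASK  (PAGE_SIZE - 1u)
#define NUM_PAGES  (1u << (32u - PAGE_BITS))  /* covers every 32-bit guest address */
#define OPEN_BUS   0xFFu                      /* assumed open-bus fill value */
#define RAM_BASE   0x00000000u                /* constructed layout, not the real N64 map */
#define RAM_PAGES  8u
#define ROM_BASE   0x10000000u
#define ROM_PAGES  2u

static uint8_t ram[RAM_PAGES * PAGE_SIZE];
static uint8_t rom[ROM_PAGES * PAGE_SIZE];
static uint8_t dummy_read[PAGE_SIZE];   /* only ever read: holds the open-bus pattern */
static uint8_t dummy_write[PAGE_SIZE];  /* only ever written: a sink for stray stores */
static uint8_t *read_table[NUM_PAGES];
static uint8_t *write_table[NUM_PAGES];

/* Build both tables; returns the number of pages backed by real guest memory. */
int mem_init(void) {
    memset(dummy_read, OPEN_BUS, sizeof dummy_read);
    memset(rom, 0x5A, sizeof rom);          /* constructed ROM contents */
    for (uint32_t p = 0; p < NUM_PAGES; p++) {
        read_table[p] = dummy_read;         /* unmapped read  -> open bus */
        write_table[p] = dummy_write;       /* unmapped write -> discarded */
    }
    for (uint32_t i = 0; i < RAM_PAGES; i++) {
        uint32_t p = (RAM_BASE >> PAGE_BITS) + i;
        read_table[p] = write_table[p] = ram + i * PAGE_SIZE;
    }
    for (uint32_t i = 0; i < ROM_PAGES; i++)  /* ROM: readable, stores hit the sink */
        read_table[(ROM_BASE >> PAGE_BITS) + i] = rom + i * PAGE_SIZE;
    return (int)(RAM_PAGES + ROM_PAGES);
}

/* Word accesses must be aligned, so a 4-byte access can never straddle a page.
   A real core would raise the guest's address-error exception instead. */
int guest_write32(uint32_t addr, uint32_t value) {
    if (addr & 3u)
        return -1;
    /* addr >> PAGE_BITS is always < NUM_PAGES and the offset is always
       < PAGE_SIZE, so the store lands inside some emulator-owned page. */
    memcpy(write_table[addr >> PAGE_BITS] + (addr & PAGE_MASK), &value, 4);
    return 0;
}

uint32_t guest_read32(uint32_t addr) {
    uint32_t value;
    addr &= ~3u;                            /* simplification: force alignment on loads */
    memcpy(&value, read_table[addr >> PAGE_BITS] + (addr & PAGE_MASK), 4);
    return value;                           /* host byte order, for brevity */
}

/* 1 if no store ever reached the open-bus page. */
int dummy_read_intact(void) {
    for (uint32_t i = 0; i < PAGE_SIZE; i++)
        if (dummy_read[i] != OPEN_BUS)
            return 0;
    return 1;
}

int main(void) {
    mem_init();
    guest_write32(0x00000100u, 0xDEADBEEFu);   /* mapped RAM */
    guest_write32(0x80000000u, 0x41414141u);   /* unmapped: goes to the sink */
    guest_write32(ROM_BASE, 0x41414141u);      /* ROM: goes to the sink */
    printf("ram=%08x unmapped=%08x rom=%08x intact=%d\n",
           (unsigned)guest_read32(0x00000100u), (unsigned)guest_read32(0x80000000u),
           (unsigned)guest_read32(ROM_BASE), dummy_read_intact());
    return 0;
}
```

With 64 KiB pages each table holds 65,536 pointers (512 KiB on a 64-bit host); smaller pages give finer-grained mapping at the cost of larger tables, which is the RAM trade-off mentioned in the reply above.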
I don't mind the nag screen on the newer versions of P64. I don't see an issue with them asking if someone wants to pay them for the application they made and support future developments.
PJ64 1.6 always fills me with so much nostalgia, so I'm very sad to find out it's not safe to use anymore. But, I'm glad we're at the point that the emulator is no longer needed anyways, because communities around the N64 and SM64 are constantly changing and improving. There are so many more resources and tools than there were before since PJ64 1.6's inception. For making SM64 machinima, 1.6 can still be used, but there's already a fork of Project64 specifically for that purpose. Like always, thank you for making this video and spreading awareness about this!
After watching this video I did switch from PJ64 1.6 to Parallel because I'd rather be safe than my entire computer getting fucked up accidentally. Only thing I don't like about Parallel so far is the analog stick feels much different compared to PJ64, and I wanted to know if I could get the old Jabo's DirectInput working somehow.
I am actually amazed that this isn't supposed to be the case. I was always quite certain that any malicious ROM could do absolutely anything with my PC on every emulator...
While I also see the risk of this, I also see the potential this also has. Maybe someone makes a mod with some form of ARG elements that requires you to go to a website.
Man project 64 has to be the worst N64 emulator cuz this isn't even the first time they had dangerous stuff on your pc, some older version of pj64 would start downloading a bunch of applications that you didn't want if you didn't read everything carefully and some of those applications were dangerous from what I heard.
There's one of these vulnerabilities for SNES as well with the ZSNES emulator. But thankfully everyone had already moved on from ZSNES when this was discovered. Some romhacks still use it to detect the presence of that emulator and refuse to start lol.
Years ago I downloaded a P64 version on my old laptop, and it was one of the newer versions of the emulator. It worked fine at first, but not long after playing a game I realized my browser was infected by adware and spyware. Eventually it spread to the rest of my computer to the point where task manager couldn't help out, so I had no choice but to factory reset to fix it. Good to know that PJ64 is still unsafe and I won't be downloading it anymore.
Pretty glad I use Linux, and Linux has its own set of great N64 emulators that are not Project 64. I'm glad to know I have finally learned about this. You never know what emulators might do, so stick with the very safe stuff when it comes to emulators. The alternatives have their own great features too!
I just want to add many years ago when I first tried this emu the installer came bundled with adware, never been a fan of this emu and I feel bad most people have no choice but to use it. Really hoping for MESS to catch up.
Can't win with PJ64, huh? It's a security concern because of this exploit, or it's a security concern because of the embedded malware. Bleh, PJ64 always left a bad taste in my mouth, even a decade ago, because of the developers' crappy ethics.
Dear foreigners, "Project 64," despite being pronounced as if spelt "Project sixty-four," is not supposed to be spelt with "S." Therefore, Project 64 is not secure.
A similar vulnerability exists in an old GBA emulator called VBA. I don't know the technical details, but basically the emulator could execute ELF files, but there is an unchecked strcpy() in the ELF header parser which leads to RCE. Programmers, please, check buffer write bounds, or at the very least compile with -fstack-protector. Edit: The ELF file is supposed to run on the emulated GBA like a ROM, not on the host computer like another program.
@kodicraft The ELF files are supposed to be executed as GBA binaries within the emulator sandbox, not host binaries running outside the emulator. Should have clarified.
I'm a bit confused. It's been awhile since I dabbled with emulators, and VBA used to be the chosen one akin to P64. So... did someone figure out the Dolphin compatibility for the GBA Link up functions for the systems? I thought that was the main reason people kept using it.
I have been learning GBA homebrew and sent a demo to a friend; she said she didn't trust the file, to which I said "nah mate, that's not a problem unless someone figured out a way to install a virus through an emulator" This conversation was two weeks ago
@gluttonousmaximus9048 my mate is kinda paranoid about those things (good reason too, people on Discord get hacked all the time, so if my account had been compromised that could be a way in)
Kaze confirmed that there's a team of people working on a version 1.6.2 to fix the vulnerability, so you'll be still getting to play PJ64 1.6 without this issue if released
@medhathobo That's already done, it's called Luna's Project 64 and it's the cross-platform Win-Linux fork. It's forked from 2.4 and it removed the nagware and has a bundle of pre-config'd plugins
@notalostnumber8660 this exploit has no effect at all on real hardware.. and most likely no effect on any other emulators. So basically automatically detects PJ64 bc it will only work on there.
Unrelated, but LUA scripts used to mod/compatibility patch ROMs are essentially EXE files and can do anything. People are very willing to download and run random ones
@v0xl yes, but it still opens a window for vulnerability if the sandbox implementation is flawed. A high-profile sandboxing flaw is what led both PS4 and PS5 to be jailbroken from a web exploit, for instance.
@v0xl Lua in emulators has kept the ability to load compiled C libraries as a useful tool for script creators. The most popular C library is probably LuaSocket, which works great in emulators that didn't already include a socket library.
People are still talking about those? One of the dumbest "recent" trends. Creepypasta are classics but if you try to do it nowadays it's just laughable.
@SilentOnion Most of the Mario 64 creepypasta hacks have died out. The only reason why B3313 is actually like popular is because of how massive the romhack actually is. It's like 420 worlds btw, and it does great montage to the Greenio ARG series, while doing the most insane things.
Me: I wonder what kind of arcane combination of obscure glitches they used to break out of the virtual machine Kaze: So yea the emulator doesn't validate the store instruction correctly 🤦♀
It's a pretty basic issue I'm seriously questioning how it hasn't been brought up until now. Certainly he can't be the first to realize this exploit. Chances are most rom hackers of back then would stay quiet on this...
@nicklespale22 It's probably been brought up repeatedly every few years, these things usually are when they date back that far in the history of less-than-entirely-accepted programming. Trying to find out who's personally responsible for oversights like this is next to impossible and almost as impossible as finding out who first discovered the vulnerability, described it in an online post somewhere and was ignored by everyone else. It sure wasn't me.
Same thing happened to the SNES emulator ZSNES back in the day. Luckily most romhackers had already switched to a more accurate emulator by then, but ZSNES was still the mainstream emulator people used when they didn't know better.
Isn't ZSnes still the major emulator for experimental romhacking-enhancements like widescreen? I don't remember because I admit, I always only used Snes9X.
I still don't understand why the speedrun community only allows PJ64 1.6 and some Mupen fork with the same timing as PJ64 1.6 instead of an accurate emulator. I just get the impression that they're afraid of change.
@Spax_well that and newer emulators have much higher system requirements than pj64 and I assume the speedrunning communities for most n64 games want to make it as accessible as possible, but at the same time project 64 isn't particularly accurate which is why emulator and real console always have to be separate categories for n64 speedruns so maybe n64 speedrunners should just tell people to git gud and "just buy a better pc", idk
Used PJ64 since forever. It was my very first emulator. Ever since updating to the newer versions, I would always get a nag screen bypass and they would usually work, but last time I tried, it didn't. So I said goodbye old friend and moved to mupen. Honestly just a better experience overall. I'm definitely gonna try out this parallel launcher, I'd never heard of it before now, sounds sweet.
Really sad news to hear regarding PJ64. I used it like a decade and a half ago already to play my N64 games and loved how easy it was to setup compared to others.
How did nobody notice this vulnerability for so long?! It's a textbook bounds-checking bug, and nobody even thought that it might be in an emulator until now? Shit, now we need to look at all the other emulators for _other_ consoles, to make sure such a problem doesn't _also_ exist in _them_!
@KazeN64 can you share that information? Where did you first read about this issue with pj64? I am curious as to which forums can people read to be properly informed.
I guess that obnoxious support us screen that precedes using Project 64, and that sent me over to Mupen64 and Parallel for RA, turned out to be a blessing in disguise.
Ended up doing much the same, though the move was less for that reason and just, well, Retroarch. “Wait, so this is a ton of emulators wrapped into one? Sign me up!” Of course, the problem there is that it’s harder to adjust settings for individual emulators in Retroarch. Bit me in the @$$ recently when DSemue decided that pressing B on Deck/A on DS force quits the emulation.
Mupen64 is the way! As soon as Project64 started looking sus, I switched over and never looked back. No Retroarch for me though - I like the concept, but in practice it just gives me a headache. I run Rosalie's Mupen GUI, it does a nice impression of PJ64.
@lpfan4491 Learned something along those lines when my Zelda Randomizer journey got to Wind Waker. WW Rando just about worked on Retroarch, but photos with the Picto Box wouldn’t show up (though they’d still count for triggers) and it was prone to crashing. And I think it was JUST Wind Waker I could get running. Ultimately I just got Dolphin standalone, and the big emulator bunch I got for Steam Deck has Dolphin separate too.
I just downloaded a rom a few hours ago and thought "at least no one is messing with roms, like putting viruses in them or something". I guess I jinxed it.
At this point I just assume hackers can use pretty much any file type to execute an attack. You know it's bad when you've gotten paranoid about downloading image files, like me, because maybe some hacker found some ultra obscure vulnerability in the photos app or smth.
@MultiCool55 And you wouldn't even be far off. At one point, people were hacking people's computers through Team Fortress 2 sprays and Minecraft skins by hiding code in the image files. More recently, a libpng vulnerability was discovered that affected everything that has ever used libpng, including most browsers, apps, and Discord. Sooner or later they'll probably be able to poison you by hacking the Apple Water Bottle™️ and injecting poison.bin into your liquid.
I saw that in one of the Romhacks for Simple's comp had like a shared database for images that it could pull from so Simple drawing in one hack could be used in another, and as soon as I saw that I was like "DAMN THATS SO SICK" and "oh that's DEFINITELY a vulnerability"
This is so sad to see, pj64 1.6 has served me well for a long time, and the newer versions have long been known to be major downgrades. Ah well, sadly bugs like this are inevitable sooner or later, glad Aglab caught it before any nefarious people did!
Really, downgrades is never a great reason not to update an emulator because the improvements are going to outshine it over time. Especially considering it's still open source and you can potentially get someone who knows code to restore cut features.
This is a bit of a strange take. You can still use 1.6 if you want to, just don't run untested/untrustworthy ROMs on it, keep it to strictly only ROMs you've checked the SHA-256 on. It's not like you can't have multiple emulators installed if you really want to try the latest and greatest random modded ROM from user25832.
First updated versions of PJ64 come bundled with malware and now the "safe" versions of the emulator can install malware if you use the wrong ROMs. Glad I dropped PJ64 years ago.
It almost feels like the Project64 developers have completely lost any sort of passion for making the emulator & now see it as nothing more than a paycheck.
I use the project 64 version recommended by B3313 in one of their video descriptions, which seems like a modified version of the emulator, I think it's lunar's or smth? Is that one safe?
@mariotheundying Luna's Project 64 is a good one. From the dev's site on what's different from normal PJ64: "This is a build of Project64 3.0.1 that I made to have a Linux compatible alternative to 2.4 (Yes, it works on Windows too). It removes the nagware and adds all of the good plugins for SM64 romhacks with good settings. Read the info below, then download it by clicking the icon on the left." Kaze says the vulnerability isn't present in PJ64 versions past 1.7, so this is safe (it's using a fork from PJ64 2.4 that's intended to work on both Linux and Windows and it's currently on version 3.0.1).
yep - imagine a Mario 64 ROM that acts like it's haunted by screwing with your computer as you play it could kill explorer or minimize all other applications, although you'd have to be careful because there's a point where the game straight-up becomes a virus if you go too far with this concept :P
Insane timing, I recently got back into my childhood games and decided that I'd take a look at Majora's Mask since I always love OoT and always wanted to see what Majora's Mask is like. I was cautiously looking for the best most reliable N64 Emulator and saw that the public opinion was a mix of "Project64 is the best/standard" and "Project64 is one of the worse N64 emulators", so I held back from making a choice for the time being and wowie was my patience rewarded with crucial knowledge.
MM has SO MANY GRAPHICS BUGS in emulation. Currently funnily enough the best way to go emulate it is to get citra and play the 3DS version. I'm not messing with you, the 3DS version has less issues than the N64 version emulation wise. (if you have a Gamecube IRL that can play disc ISOs, get the Zelda Collector's Edition disc that came with Wind Waker, it has the least broken version of MM that's emulated).
@neoqwerty The 3DS version is NOT the best version, unless you're also using a mod in Citra that fixes a few things. Sure it looks great, but a lot of stuff they did is really bizarre (especially the swimming)
@neoqwerty this hasn't been true for a very long time, you can just use parallel launcher OR ares if you have a decent pc, the latter being the most accurate n64 (and snes!) emulator out right now. if you want qol features then you can use majora's mask redux, which is a much better qol improvement than even the 3ds version
@neoqwerty dolphin works too as an emulator for the GC Collectors Edition version which is what I do, can do graphical enhancements like upscaling and texture replacements and all that jazz, though the decompile project for MM is 93% done (OOT is already 100%, and has been ported to run on PC natively by someone else, moddable and running at 60fps) so I'll be swapping to that once it's finished. only downside with the dolphin version is the FPS - since the game's physics are tied to the framerate, it needs to be modified on the code level for it to not break so I'd advise against the 30/60FPS hacks. the PC porters should fix that like they did with OOT
Parallel Launcher is a godsend if you're not on a Windows machine. I'm glad you and Vinny mentioned it. I really recommended it for how easy it is to install mods and for the graphics plugins Kaze mentioned.
I was blown away when I was watching a video on the history of SM64 hacks and got a look at what Parallel could really do. I have it through Retroarch…and mainly play on the Steam Deck. So that potential is shackled twice over with how I have access to it. I could get it separately on my laptop, but that’s Windows. Not sure what the problem would be, but doesn’t sound like you recommend it.
@ami7810 the steamdeck is just running a modified version of Arch Linux isn't it? should be able to access the AUR to install it if that's the case (but arch being arch something might break if you're not paying attention lol). and there's no problem with the windows version, it's just one of the only cross-platform ones whereas others are windows ONLY (linux wasn't as big 20 years ago except for server stuff so was never developed for it). robomike said Vinny mentioned it, and he's a windows user, so yeah edit: just did a quick sanity check and apparently the steamdeck has flatpak compatibility built in, so you could just grab parallels off the flathub (or the Discovery app in case of steamdeck) and go that route since it has no chance of breaking (flatpaks are containerised, nothing on your system gets installed/modified, so they don't risk breaking your system)
I know this is going to sound crazy but I remember a long but long time ago when I was playing Mario Kart 64 the emulator suddenly crashed with an error message saying "WTF" and after that I swear Mario Kart 64 never worked again.
I need to give a shoutout to the ares emulator which is the go-to for homebrew developers (not ROM hacks) on the N64. Thanks to the work of developers like Rasky, LuigiBlood, Luke Usher, and others, ares' N64 core boasts the highest accuracy of any current N64 emulator including very accurate DMA timings, FPU exceptions, cache coherency, basically perfect RSP timings, and others; more than I can name. Of course, with high accuracy also come higher requirements so it's not the best for people who just want to play something but I can't recommend it enough for developers, testers, and enthusiasts.
With the newest version Project64 turned into garbageware. The hard 30 seconds nagging, and locking the app while doing it, is the worst!😞 I use simple64 now. The very accurate visuals with possible SSAA are sublime.
With the amount of N64 emulators we have today, there's no damn good excuse for anyone to use PJ64 1.6. Take 5 minutes of your time and set up Mupen or Parallel.
@based980 Does that care? Why people play NFS MW on PS2 when its on PC? Why people play Big Rigs if we all know is a piece of trash? Why people use emulators when they have the original hardware? Sometimes there is not a clear answer. The only thing that matters is the actual solution.
@sebastiankulche Which is absolutely worth pursuing, but I think the point being made is that *most* people who use PJ64 would be better off on a different emulator. There will be a few people who have very specific use-cases as always with existing software. Hell, some people still use MS DOS
Tbf there was once a similar exploit in re-recording versions of Mupen (known as "Queuecrush") but the code was triggered by loading a corrupted savestate, though later versions have patched it now thankfully
Lol we've known about this since early 2010s. It's just nobody has ever given a fuck nor was it a credible problem because literally nobody is trying to exploit the emulator in a round about way. Way easier to just bundle the emulator with something FUD at the time. I'm actually surprised it took this long for anyone to really bring it up on youtube.
Holy shit this is terrifying. Though I _will_ say that on the bright side, being able to BSOD Windows from within the emulator _does_ open up for some great ideas with horror-based content creation, as manipulating one's system could be really effective.
You mean like Eternal Darkness on the GameCube? The first time it did that video input lost I panicked lmao. It did NOT help the font they used was basically exactly like the one on the TV I had.
As long as you aren't downloading new roms it's not an issue. I will not stop using it. I have all my games for the 64 I ever wanted, in physical and rom form.
@cronodoug Just launch the emulator, right click on it in the taskbar, click on Project 64, the emulator will restart without displaying the donation screen!