This was also streamed live at AGDQ 2014 on a real console: • AGDQ 2014 - TASBot pla... Publication: tasvideos.org/2... Submission (Explanation): tasvideos.org/4...
The human equivalent of this would be like poking someone with a stick in seemingly random places on their body and then suddenly they start singing Italian opera.
I wasn't that impressed until I realized that he didn't hack the rom directly but glitched it to the point that he could inject code via controller inputs. That's just astonishing.
@@NomeCreativo By clipping out of bounds, Mario can reach areas of RAM corresponding to the game states, edit them with his feet, and cause the game to enter the credits state (after entering a level).
I wonder, if this was actually done in-real-time, done with fingers actually pressing buttons, maybe it would theoretically set the surrounding air on fire and break everything.
Mind = blown. I did code assembly before, which by itself is hard, but coding pure machine code with specific move set while in game itself to write a program in the ram then executing it is mind-blowing.
As I said in my post, this is all very complicated, but in layman's terms, his moves are like lines of code, which he writes in the memory of the console in a specific place/order. Then, he forces the game to execute the first line of code, which leads to the other ones, making a program.
RemX405 Yeah, I heard that the specifics of the actions pre-total control are him shifting bits in memory around with the weird-looking double-fruit-eating antics and whatnot. The last pre-total control action shifted the final bits around to completely break the game - inputs after that proceeded to act as arbitrary code, resulting in him being able to program Pong and Snake in.
@@flyforce16 Assembly/machine code explanation: We write code in various programming languages that we can read. However, the CPU cannot read what we write directly. It has to be translated into machine code, which the CPU can read. The most basic 'programming language' is Assembly, which is actually just a more readable version of machine code. Some examples of Assembly instructions are MOV [move from here to somewhere else], ADD [add two values together], and JMP [start executing somewhere else]. Every instruction corresponds to a specific value in machine code. For example, we can give MOV a value of 0 and ADD a value of 1, so that when the CPU comes across a 0, it knows it should move something, and when it comes across a 1, it should add two values instead. How ACE (Arbitrary Code Execution) works: When programs are written, the machine code generated is very specific and fragile. If one instruction or value is out of place, the entire program can come crashing down. So that's why extra care is taken to make the code as solid as possible, and that is also why higher-level programming languages are used, so that we don't have to deal with machine code. However, everything in a computer is bytes. Textures, sounds, levels, and machine code are all the same. The only difference is how they're interpreted. The CPU is never supposed to execute an image as if it were machine code, and vice versa. But, if we carefully set up Super Mario World in a very specific way, we can set up a JMP instruction to go somewhere it isn't supposed to. Now, instead of interpreting an image as an image, we start executing its bytes as if they were machine code. If we set up the game to start executing the information of the objects in the level as machine code specifically, then we can move those objects to very precise positions, and when we do the ACE glitch, those positions are executed as machine code.
How the games are constructed: We can execute a few instructions, but not Snake and Pong. Those object positions allow us to form a program that will read the controller's input and write it to memory, one byte after another. Since the controller's input is also read as bytes, we can input any sequence of instructions we want. Now that we have the full system within our grasp, we can do whatever we want. We can make Pong, Snake, Flappy Bird (which SethBling has done in a real-time run with a different setup), and literally anything else.
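The comment above rests on one idea: in a flat memory the CPU cannot tell "object positions" from instructions, so a JMP with a bad target simply starts executing data. The toy machine below is an added illustration written for this thread, not code from the video, from SMW, or from the SNES; the opcodes, the 64-byte memory, the region boundary and the "object" bytes are all constructed. It runs the same image three times: the intended program, a corrupted jump target that lands in the data region with no checks, and the same corrupted target with a fetch/jump region check, which is the mitigation (non-executable data, W^X) a modern platform would apply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine constructed for this example (not the SNES CPU and not SMW's code).
   A single flat memory holds both the program and "level object" bytes; the CPU
   has no idea which is which and executes whatever the program counter hits. */
#define MEM_SIZE 64
#define CODE_END 16   /* only bytes [0, CODE_END) are meant to be executed */

enum { OP_HALT = 0, OP_MOVI = 1, OP_ADD = 2, OP_JMP = 3 };

struct cpu {
    uint8_t mem[MEM_SIZE];
    uint8_t pc;    /* program counter */
    uint8_t acc;   /* single accumulator register */
};

/* Execute from mem[pc] until HALT. Every instruction is two bytes: opcode, operand.
   With restrict_to_code set, any fetch or jump outside the code region is refused
   (the same idea as W^X / non-executable data on a real CPU).
   Returns the accumulator on HALT, or -1 on a fault or refusal. */
int run(struct cpu *c, int restrict_to_code)
{
    for (int steps = 0; steps < 100; steps++) {
        if (restrict_to_code && c->pc >= CODE_END) return -1;
        if (c->pc >= MEM_SIZE - 1) return -1;            /* no room for an operand */
        uint8_t op  = c->mem[c->pc];
        uint8_t arg = c->mem[c->pc + 1];
        switch (op) {
        case OP_HALT: return c->acc;
        case OP_MOVI: c->acc = arg;                     c->pc += 2; break;
        case OP_ADD:  c->acc = (uint8_t)(c->acc + arg); c->pc += 2; break;
        case OP_JMP:
            if (restrict_to_code && arg >= CODE_END) return -1;
            c->pc = arg;
            break;
        default: return -1;                              /* illegal opcode */
        }
    }
    return -1;                                           /* runaway loop */
}

/* Build the memory image: a tiny legitimate program in the code region and
   constructed object-position bytes in the data region. jump_target is the
   operand of the JMP at mem[4]; the intended program points it at mem[6], the HALT. */
void load_image(struct cpu *c, uint8_t jump_target)
{
    memset(c, 0, sizeof *c);
    const uint8_t program[] = { OP_MOVI, 5, OP_ADD, 1, OP_JMP, jump_target, OP_HALT, 0 };
    memcpy(c->mem, program, sizeof program);
    /* Constructed "object positions" (x, y pairs). Nothing marks them as data;
       bytes 20..23 happen to spell MOVI 42 / HALT when read as instructions. */
    const uint8_t objects[] = { 9, 9, 3, 7, OP_MOVI, 42, OP_HALT, 0 };
    memcpy(c->mem + CODE_END, objects, sizeof objects);
}

/* Intended behaviour: 5 + 1, jump to the HALT, result 6. */
int run_intended(void)            { struct cpu c; load_image(&c, 6);  return run(&c, 0); }
/* Corrupted jump target into the data region, no region check: the object
   bytes execute and the result is 42, so data has become code. */
int run_corrupted_unchecked(void) { struct cpu c; load_image(&c, 20); return run(&c, 0); }
/* Same corrupted target with the region check enforced: refused, -1. */
int run_corrupted_checked(void)   { struct cpu c; load_image(&c, 20); return run(&c, 1); }

int main(void)
{
    printf("intended:             %d\n", run_intended());
    printf("corrupted, unchecked: %d\n", run_corrupted_unchecked());
    printf("corrupted, checked:   %d\n", run_corrupted_checked());
    return 0;
}
```

The point to take from the three runs is that nothing about the bytes at offset 20 changed between the second and third run; the only difference is whether the machine enforces a boundary between code and data. The SNES has no such boundary, which is why the whole trick in the video comes down to steering one jump.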
For those who are wondering, the glitch was set up with 8 controllers put into a computer. The people who made this made a hack to put all the controllers together, btw. In the frames after this glitch is completed, the code of SMW can be rewritten to anything they can code in the few frames. The original idea for that glitch was that they would write the code of the original Super Mario Bros game and then TAS that. Thanks for reading :3
I only barely followed the technical memory layouts that were required for this, but I definitely got the gist, making this, as a computer science student, the coolest thing I've ever seen.
The short version: There is a hole in the logic when Yoshi is commanded to send out its tongue to eat something. The game design uses offsets from these pointers to represent the code to be executed, say when you spit out a turtle so a turtle is created and goes flying away. There is a list of acceptable things to eat. Each of those has an entry that points to valid code. However, it turns out it's possible to very exactly time what gets eaten so you can eat something that isn't allowed, such as a P block. This will point to a location outside of the valid code. If you can get code at that location, you will cause the machine to execute it. It also turns out that the game does some cute programmer tricks to represent other events in the game right nearby where that code is executed. You would never know this unless you decompiled the game and watched it execute. It is possible to manipulate events in the game so that you end up with just enough machine code in a location that when you spit out the correct illegal item at the exact right time, you are now executing arbitrary code. It won't be much, but just enough to "demand load" code from somewhere else and then allow it to execute. Beautiful engineering.
And *that* code can be used to open the game up to more code being injected into it, such as with the "jailbreak" that Sethbling made a few videos about.
CoatlessEskimo9 I thought someone found a code execution glitch for Yoshi's Island, but if not, OK. I was just saying Yoshi's Island because it's one of only two games that uses the Super FX 2 Chip that was used to make the SNES port of Doom, the other one being said port.
Python, step the fuck aside, C++? more like C--...Java? you ain't got shit, here comes mothafuckin' SUPER MARIO WORLD....SUPER..... *SUPER MARIO WORLD++!*
So let me get this straight: The game glitches he caused altered/added in-game code, and he managed to take that game code and execute Pong and Snake out of it. Did I hit that straight on the head?
TLuigi003 Well, I heard about various code injection methods, so this does not shock me. What is interesting is that it came out of the speedrun community, which is more interested in the result of code rather than the code inside, the reason why it's happening.
ethanwdp Price Ok mr programmer "How does somebody CODING PONG INTO SUPER MARIO WORLD using a controller with SIX BUTTONS on TWENTY YEAR OLD HARDWARE by TAKING ADVANTAGE OF THE INNER WORKINGS OF THE GAME not surprise you?" In theory you can inject anything into memory once you know where the "rabbit hole" is; it is one of the basics of hacking and especially cracking, and there are a lot of methods that use that. "TWENTY YEAR OLD HARDWARE" makes this a lot easier, because back then the CPU, and its code as a result, was way more simplistic and written in assembler, where you care more about making things work than caring about security; that's why old games are more glitchy than modern games, where simple bugs in a game are more embarrassing for the programmer. "Who sat down to play Super Mario World, and then thought "What if I use arbitrary code execution to play snake and pong?"" I think you have 0 idea what the console hacking community does on a daily basis if you are saying something like that. "He had to carefully plan out this run, and then actually completes it. Do you know how fucking INSANE this is? This guy did this on real fucking hardware. He wrote code by jumping on sprites in a very specific order." He does not use 100% physics; I remind you he used a scripted speedrun bot (which is the whole point of his project?) and you can see the button indicators go wild when his hack result started, which I assume was the actual moment of code injection. I assume in the first stage he uses memory states to build simple code that creates the access point for the actual injection; if he was to inject a program of this size with that method it would probably take a lot longer. I also think he studied memory states and the actual SMW code to predict this behavior; making this out of random is near to impossible, and besides, you need to write that arbitrary game first, right?
Indeed it is a lot of work, but it's not a shock to me; for me it's not insane, for me it's something that I could see being possible via the methods he used. I have seen and read about a hell of a lot more things, so this does not surprise me. "It's so mind bogglingly complex that I don't see how you just scoff and say "pfft, I've seen code injections via interfaces.", while COMPLETELY IGNORING THE FACT HE DID THIS ON FRACKING SUPER MARIO WORLD." If this is "mind bogglingly complex" for you, I assume you are a higher-language programmer, like those guys who come to UE4 forums and cry about the lack of C# support and say that it's the future of software development and say how C++ is full of shit and super hard, then come here and say how this is "mind bogglingly complex" and how they are mind blown. Once you know more deeply about software and hardware, the foundations of it, it is not "mind bogglingly complex", but something you could see happen with some effort put into it, which I don't deny. And again, SMW is not the first software with holes that let you inject code; PSP-3000 hacking was all about it, because if you flash the firmware in it, it bricks the console, so code injection into memory was the only valid method. "You can't even piece together a sentence. Could you stop tipping your god damn fedora and appreciate something for once?" 1. Sorry, I'm not a native English speaker. 2. I don't deny his hard work on this project; I'm just saying it is very natural to understand this once you have got some knowledge.
I feel like the first part of this was just showing off for the sake of showing off. After that you made my jaw drop in 30 seconds. How the hell did you do that?
The first part of this was doing the first part of the hack, where with some glitches with stunning blocks/Yoshi/grabbing (don't know exactly, it's beyond my mind) they altered some sprites in memory and even added sprites with invalid IDs, that somehow jumped into other code because of how the SNES hardware works. Now this first series of glitches would make it pretty painful, maybe impossible, to write the games they did. But using this exploit, they jump into another piece of the code having to do with the input, so after that it's much faster to send bytes of code and execute them. I guess every frame of the TAS your input sends a byte or so, although they use some multitap thing (I don't know what it is) for more controllers to send more data per frame, and that would be on their TAS tools at home. But now there is the live TAS to prove theoretically it would work on a real SNES; you must be Flash to be able to play that much, so of course they use that kind of robot accessory (I don't know what it does); somewhere I read they might have hooked a Raspberry Pi into it (that would, I guess, send the precalculated succession of inputs, timed with the game refresh), so they can show it on an actual SNES in real time and not as a preprocessed TAS movie. Nothing is showing off, it's just so many levels of hackery, I am not sure I have grasped everything.
He's actually spawning tiles in a specific order to manipulate a table in memory, to write code that will allow him to use inputs to write the code instead. At the end he glitches the game into executing the table he manipulated, allowing him to write the code, and then a part of the code executed it when all of the code was done.
All the steps are needed because the setup is really complicated, and it also depends on the POSITIONS in the sprite table: for example, if you need a sprite in the 7th position, you need to manipulate enemies in order to have exactly 6 sprites before spawning the one you need (and then carrying it across the level, of course). A *French* RU-vid show has explained this TAS: /watch?v=dcbdhDqBx_g&t=26m14s The end of the video contains an awful quantity of glitches. For example, in order to spawn a (pink) nonexistent sprite, he hurt Mario while making Yoshi hold two objects at the same time! Then this pink sprite in turn spawns another unknown sprite... Then this new sprite allows creating the Total Control Glitch by making the game read the list of loaded-on-screen sprites as executable code (so you need a half-dozen perfectly ordered sprites to have the right code!). And this glitched executable code asks the game... to read controller input as executable code! In other words, the TAS creator can now execute all the code he wants because, by definition, controller inputs allow a player to make any input ^^
When I first saw this, I went "eh, I did already see advanced uses of ASM to do totally different things in SMW", so I underestimated the ingenuity of this video. Now, getting that result by inputting the code via controller inputs is amazing, so kudos for achieving such a result using a more complex way to reach it.
IIRC it's an off-by-one bug in an array - there's some exact location in the where if you hit it just right it looks up a struct like: sprite_array[SPRITE_ARRAY_SIZE] (i.e. one over the limit). That struct contains function pointers, which (as they're never initialized as a valid struct would have been) jump to a specific location in the memory storing the game's state. All the movements before that move are setting up that memory location to act as shellcode which will allow arbitrary executable data to be entered via the gamepad. I assume that 1:40 is the executable code for the three mini-games being loaded into memory. I can't find the reference now, but IIRC the bug in the game was discovered by someone who had written an optimisation algorithm to try and attempt to (automatically) run the perfect speed-run of Mario. Their fastest technique found the bug and inserted shellcode to set the level as completed. The original paper is worth reading if you can find it - it's got some interesting ideas in it about trying to optimise games like this based on short recordings of real users IIRC.
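Both the Yoshi-tongue explanation earlier in the thread (an item "not in the list of acceptable things to eat" selecting a pointer outside the valid code) and the off-by-one description just above describe the same class of defect: a handler table indexed by an untrusted id with no bounds check, where the bytes one entry past the end are ordinary game state. The C below is an added illustration written for this page, not SMW's real RAM map, real handler addresses, or anything from the paper the comment mentions; the table base, entry count, handler addresses, code-region limit and sprite bytes are all constructed. It shows the unchecked lookup returning sprite x/y bytes as a "handler address" for the one-past-the-end id, and a hardened lookup that rejects both the out-of-range id and any stored address that falls outside the code region.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for this example (not SMW's real RAM map):
   a table of 16-bit handler addresses, one per item id, with ordinary game state
   (sprite positions) stored immediately after it. */
#define TABLE_BASE    0x10
#define TABLE_ENTRIES 4
#define STATE_BASE    (TABLE_BASE + 2 * TABLE_ENTRIES)   /* 0x18: first byte past the table */
#define CODE_LIMIT    0x0F00   /* hypothetical: addresses below this are in the code region */

static uint8_t ram[0x40];
static int ram_loaded;

/* Fill the demo RAM: four handler addresses, then two sprites' x/y bytes. */
static void load_layout(void)
{
    memset(ram, 0, sizeof ram);
    const uint16_t handlers[TABLE_ENTRIES] = { 0x0100, 0x0120, 0x0140, 0x0160 };
    for (int i = 0; i < TABLE_ENTRIES; i++) {            /* little-endian, as on the SNES CPU */
        ram[TABLE_BASE + 2 * i]     = (uint8_t)(handlers[i] & 0xFF);
        ram[TABLE_BASE + 2 * i + 1] = (uint8_t)(handlers[i] >> 8);
    }
    const uint8_t sprite_state[] = { 0x34, 0x12, 0x78, 0x56 };   /* constructed x, y pairs */
    memcpy(ram + STATE_BASE, sprite_state, sizeof sprite_state);
    ram_loaded = 1;
}

/* Vulnerable lookup: the id is trusted. id == TABLE_ENTRIES is one past the end
   and reads the sprite-state bytes as if they were a handler address. */
int handler_unchecked(int id)
{
    if (!ram_loaded) load_layout();
    int off = TABLE_BASE + 2 * id;
    if (off < 0 || off + 1 >= (int)sizeof ram) return -1;   /* guards only the demo array itself */
    return ram[off] | (ram[off + 1] << 8);
}

/* Hardened lookup: reject ids outside the table, and refuse any stored address
   that does not point into the code region, so a corrupted entry is caught too. */
int handler_checked(int id)
{
    if (id < 0 || id >= TABLE_ENTRIES) return -1;
    int addr = handler_unchecked(id);
    if (addr < 0 || addr >= CODE_LIMIT) return -1;
    return addr;
}

int main(void)
{
    printf("id 2, unchecked: 0x%04x\n", handler_unchecked(2));   /* 0x0140, a real entry */
    printf("id 4, unchecked: 0x%04x\n", handler_unchecked(4));   /* 0x1234: sprite x/y bytes */
    printf("id 4, checked:   %d\n",     handler_checked(4));     /* -1, rejected */
    return 0;
}
```

The second check in handler_checked is the one most table-dispatch code forgets: even with a correct index, a table that lives in writable RAM next to mutable game state can be overwritten, so validating the destination against the region that is supposed to contain code costs one compare and closes the same hole from the other side.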
after 193812782382220912610126191102028920110100298292696901289292379201 years in development we hope it's been worth the wait, thanks and protect your wallets this summer -gaben
I was watching the AGDQ stream when they did this live. Ppl in chat shit brix, and the audience was having a carnival. It was something to remember. A lot of the viewers had no idea what they had just seen, though.
Regarding the Matrix, I used to think it made no sense that Neo could hack the program, since he's just a "player" in it. He only has user input, which has limited ability to influence the code itself. But now I understand. This Mario is Neo.
The amazing thing is that they did it on the ACTUAL HARDWARE (SNES + Super Mario game cartridge) using only controller inputs. Oh, and this should be in the description: arstechnica.com/gaming/2014/01/how-an-emulator-fueled-robot-reprogrammed-super-mario-world-on-the-fly/
4k's been around for a while. It's just nobody wants to spend $500-1000 on a monitor just to use it. It's basically the new 1080p. 4k TVs are also in the $5k+ range MINIMUM. Shit's expensive.
bagelhunt yeah, so you're going to buy all that shit to watch 16-bit Mario videos? There's a time and a PLACE for everything, and this is NOT the place for a 4K monitor
interviewer: so what is the simplest coding language you can think of? me: scratch interviewer: so what is the hardest coding language you can think of? me: super mario world
1:44 1:57 What the hell is this?! I've never seen this before. However many times I've played Super Mario World, I'm seeing this for the first time. It's completely out of the ordinary.
I remember Slashdot some time ago made a poll about the best hacks of all time. I am pretty sure if they did that again, this one would be on the list. Even as an assembly programmer, it took me some layers to understand what's going on. I must have seen this video some time ago in a haste and didn't understand it then and skipped it; came back now and read some more info on their site, and this is beyond.
Luigi understands his bro no more, mario thinks he can do unthinkable things like teleporting yoshi, and transforming the world into pong. It's been tough ever since he took that overdose of 1-ups, the doctor says he might never be the same again
The button inputs were done by human hands only while being recorded onto the raspberry bot. The inputs were performed across 8 controllers utilized by the bot to reprogram SMW on the fly; this was done legitimately on a SNES, but everything was handled by a bot.
1990 Nintendo : We're going to create a game on Mario, a big, very, very long sequel! 2014 Masterjun3 : I'd like to play snake but it's too expensive! 'Turns on the SNES' MOM : What are you going to play? Masterjun3: SNAKE MARIO WORLD, why?
Quick explanation for the confused: because of the way the sprites are programmed into the game, as well as the x and y variables, when one exploits the locations of certain sprites they are writing arbitrary code into the Super Nintendo's RAM.