Hacker News Comments on
[TAS] Super Mario World "Arbitrary Code Execution" in 02:25.19 by Masterjun
Masterjun3 · Youtube · 239 HN points · 6 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.

That's wild because Super Mario Bros contains a built-in code editor (via arbitrary code execution easter eggs), and Nintendo is OK with that.
⬐ webdevatlurk
My favorite example of this is the time it was used to inject flappy bird.

⬐ Wowfunhappy
That's arbitrary code execution, but it's not by any stretch a "built-in code editor".

⬐ politician

⬐ naikrovek
You say potato, I say potato.

⬐ Wowfunhappy
It's a significant distinction, in this case! Nintendo did not intentionally build a way to create and execute arbitrary code in Super Mario World. It happens as a consequence of various unintentional bugs.

The existence of this phenomenon does not tell us anything about what Nintendo is "okay" with on their platforms, because it wasn't created purposefully.

If Super Mario World contained a "code editor", that would be a very different story. You can't very well create a code editor by accident.
⬐ politician
Fair enough. Nintendo doesn't write code, people do; we can't say for sure this wasn't intentional. We don't know whether a developer left a trail of backdoors as a protest against Nintendo's well-known policy of tight editorial control of game developers, for example.

However, given the existence of this editorial policy, it's reasonable that they did not intend to include these backdoors in Super Mario World. Perhaps they didn't claw back this title because these backdoors were not known until recently.
⬐ Wowfunhappy
> Nintendo doesn't write code, people do

This is fair, too. However, if you read about how these particular glitches worked, I find it extremely hard to believe that they would be implemented on purpose.

They're a consequence of a series of run-of-the-mill memory errors across the game's code. There would have needed to be a group of developers conspiring to make this possible... and for what? So a very dedicated player can spend hours painstakingly inputting a flappy bird game that will be lost when the system is turned off?

That is "Super Mario World". I don't think you know what "built-in" means.
Arbitrary code execution and bugs are not "Easter eggs".
Almost every word in your comment is wrong.
⬐ politician

⬐ DerekL
Here's an upvote.

The Switch eShop also has the programming game Human Resource Machine. http://www.nintendolife.com/reviews/switch-eshop/human_resou...
⬐ httpsterio
Isn't that a bug though and not a feature? Also running the inputs to generate compilable code isn't feasible on the original console because of the required precision of the inputs and only possible on emulators?

⬐ ihuman
No, a person can do it on a real console https://www.youtube.com/watch?v=hB6eY73sLV0

⬐ vermilingua
Saying SethBling can do it, does not mean that ordinary people can do it. He is a very talented and focused individual.

⬐ httpsterio
Thank you, I stand corrected.
https://www.youtube.com/watch?v=OPcV9uIY5i4 Video is about exploiting Super Mario world, on SNES. The result is that the exploiter then proceeds to make 2 new games inside SMW: Pong and Snake.
Those games don't exist inside SMW. They were uploaded using controller inputs. All it takes is 1 hack.
⬐ eridius
Doesn't that hack allow you to write to arbitrary memory? Being able to write to attacker-controlled memory is a serious problem. That's not what the kill(-1) bug lets you do though.

⬐ crankylinuxuser
The attack was a buffer overflow on handling objects in the "saved item" area at the top. By manipulating objects as done in the video, one can set RAM up as needed to construct the "program". Then when the overflow is executed, it jumps to the invalid place in memory, thus executing the code you seeded.

This is also done in Pokemon Yellow with a link cable. The last time I saw this being done, a TAS hacker was able to inject a TCP stack over the link cable, and build an IRC client on top, and chat using the game boy.

And I realize that's not the immediate action that bug has, regarding kill(-1). But I've seen what people thought were innocuous bugs that ended up being "gimmee root" kind of bugs.
One of the most brilliant applications of this concept is the Pokémon Yellow Total Control Hack: http://aurellem.org/vba-clojure/html/total-control.html

Similarly, arbitrary code execution in Super Mario World: https://www.youtube.com/watch?v=OPcV9uIY5i4
It's like transforming a chess game into Mikado just by playing it.
⬐ nebabyte
To be fair, that seems to require turning off in the middle of a save. Not entirely by the rules of the game.

⬐ Asooka
One thing I've often wanted to do, but didn't have the time to, was to take Turing Drawings: https://github.com/maximecb/Turing-Drawings (faster asm.js variant here: https://github.com/darius/Turing-Drawings), which runs a random Turing machine to generate abstract art and put the machine description in the image itself, so it could self-modify.

⬐ 7373737373
The links you gave are fascinating! Believe it or not, I have done something like that, too: http://imgur.com/gallery/sRUrI
He's pointing out that although this type of thing has already been done before by automated inputs (such as this video https://www.youtube.com/watch?v=OPcV9uIY5i4 ), this is the first time a human has done it.
Similar deal with super mario world, using programmed controllers to poke arbitrary code into memory and execute it. https://www.youtube.com/watch?v=OPcV9uIY5i4
⬐ gcr
You no longer need a special controller: a person has abused this glitch to skip straight to the credits on real hardware on an actual SNES controller.
⬐ peterkelly
This is not responsible disclosure. The person who discovered this vulnerability should have notified Nintendo and given them enough time to respond with a patch.

Think about how many hard-earned coins and power ups could potentially be lost due to malware that takes advantage of this vulnerability.

⬐ jlgaddis

⬐ zetx
Heh, after I read your first two sentences I was ready to downvote you (having had "bad experiences" with "responsible disclosure").

After I read the last sentence, I imagined 10-year-old me playing Super Mario Brothers and suddenly freaking out because all my coins were just hacked and stolen.
"MOOOOOOOM!"
This appears to be the same as what was shown at AGDQ 2014 (Awesome Games Done Quick): http://gamesdonequick.com/

Here's their live run with them explaining what is happening: http://www.twitch.tv/speeddemosarchivesda/b/492923053?t=10h2...
⬐ joshschreuder
I love stuff like this. It's been posted a few times here, but the Pokemon Yellow code execution is amazing to watch also:

⬐ batmansbelt
What are we looking at here? Would this hypothetically work with a cartridge, or is this exploiting a bug in the emulator?

⬐ sputnikus

⬐ noselasd
He's using a dual multitap to connect 8 controllers and then programming the game through the control ports, more here http://hackaday.com/2014/01/10/teaching-mario-to-play-pong-a...

⬐ panic
This was actually done live with a real cartridge last week at AGDQ: http://www.youtube.com/watch?v=ioQmbEoYL0M

⬐ jalada
This is impressive. Emulators have nuances that make me wonder when watching TASs if they would actually work on the game itself.

Are all 'accepted' TASs tested in a similar way?
⬐ enneff

⬐ w-ll
No.

⬐ AndyKelley
Not all of them. Here are the rules: http://tasvideos.org/MovieRules.html

So pong and snake were already in SMW?

⬐ pilif

⬐ Sniffnoy
No. They weren't. That's the idea. By exploiting some bugs, they managed to make the game execute arbitrary code. The menu, the two games and the victory screen were all programmed by manipulating the RAM using nothing but controller input.

This is why it's so bloody impressive.

A note, to ward off confusion: This was done with a real cartridge, but with a computer hooked up to the controller ports; it wasn't done unassisted.

For the uninitiated, can anyone explain what's going on? What does this video show me?

⬐ bvk

⬐ richforrester
In general, Super Mario World is being played back on a Super Nintendo emulator using prerecorded inputs (a file exists that says which buttons should be held down on each frame). But these inputs aren't a recording of someone actually playing; these button presses were constructed frame-by-frame very carefully to produce these specific effects. Theoretically, if you could manipulate a Super Nintendo controller with perfect precision 60 times per second you could reproduce this.

Specifically, some objects in-game have pointers to code associated with them ("what to do if this block gets hit by a turtle shell", that sort of thing). The P-switch has one of these pointers assigned to a very special value by coincidence: its pointer points to the memory location where button presses are mapped. This pointer is never supposed to be followed, but by making a bunch of objects very carefully the authors can glitch the game into jumping to that memory address. Once execution is there, they can write a bootloader by making sure the button inputs on each frame correspond to the correct opcodes, letting them execute arbitrary code that they write in on the controller port.

I wasn't involved in the production of this TAS, so I'm not an expert, but that's my understanding of what's going on.
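An added illustration of the "button inputs on each frame correspond to opcodes" point in the explanation above (this is example code written for this page, not code from the thread, the TAS or its authors). It assumes the standard SNES auto-joypad-read bit layout ($4219 = B Y Select Start Up Down Left Right, $4218 = A X L R 0000) and uses its own one-letter button names; it shows how a sequence of frames becomes a byte stream, and why one standard pad can only produce 16 of the 256 possible values in the low byte, which is where the multitaps mentioned elsewhere in the thread come in.

```python
from itertools import combinations

# Button letter -> bit in the 16-bit joypad word. Layout is the SNES auto-joypad-read
# layout: $4219 (high byte) = B Y Select Start Up Down Left Right, $4218 (low byte) =
# A X L R 0 0 0 0. The letters themselves are this example's own convention (assumption).
BUTTON_BITS = {
    "B": 15, "Y": 14, "s": 13, "S": 12,  # B, Y, Select, Start
    "U": 11, "D": 10, "L": 9, "R": 8,    # d-pad Up, Down, Left, Right
    "A": 7, "X": 6, "l": 5, "r": 4,      # A, X, shoulder L, shoulder R
}                                         # bits 3..0 are always 0 on a standard pad
BITS_BUTTON = {bit: name for name, bit in BUTTON_BITS.items()}


def frame_to_word(frame: str) -> int:
    """Encode the buttons held on one frame ('.' = none) as a 16-bit joypad word."""
    word = 0
    for ch in frame:
        if ch != ".":
            word |= 1 << BUTTON_BITS[ch]  # KeyError on an unknown button letter
    return word


def word_to_frame(word: int) -> str:
    """Decode a joypad word into held buttons, highest bit first; rejects values no pad can produce."""
    if word & 0x000F:
        raise ValueError("low nibble is reserved; a standard pad cannot set it")
    return "".join(BITS_BUTTON[bit] for bit in range(15, 3, -1) if (word >> bit) & 1)


def frames_to_bytes(frames: list[str]) -> bytes:
    """Consecutive frames as they land in memory: $4219 then $4218 for each frame."""
    return b"".join(frame_to_word(f).to_bytes(2, "big") for f in frames)


def reachable_low_bytes() -> list[int]:
    """Every value the $4218 byte can take: 16 of 256, because its low nibble is fixed at 0."""
    values = set()
    for n in range(5):
        for combo in combinations("AXlr", n):
            values.add(frame_to_word("".join(combo)) & 0xFF)
    return sorted(values)


# Constructed sample: three frames of held buttons, not inputs taken from the video.
SAMPLE_FRAMES = ["B", "A", "BYsSUDLRAXlr"]

if __name__ == "__main__":
    print(frames_to_bytes(SAMPLE_FRAMES).hex())
    print([hex(v) for v in reachable_low_bytes()])
```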
⬐ IvyMike
Matrix reboot starring Mario as Neo, and instead of escaping the Matrix, he just changes it to play pong.

⬐ notthemessiah

Relevant xkcd: http://xkcd.com/117/

⬐ mey
TAS stands for Tool ASsisted, basically scripts pressing the buttons on the controller.

On the right side of the screen each letter lighting up represents a controller input (l is left, r is right etc).

Each line represents a gamepad controller (virtual in this case). When you see multiple lines it means multiple controllers (I am assuming this, as later there are more than 8 controllers active, which is strange).

What's happening is a script running to glitch the game from the start into a certain state, beginning of the video until 1:40, then it looks like an exploit happens of the previous glitches in memory, followed quickly after by a massive data load that is the code for the pong/snake demos that follow.
⬐ city41
From the tasvideos link:

> This run uses two multitaps in port 1 and port 2 which allows for 8 controllers (1-1, 1-2, 1-3, 1-4, 2-1, 2-2, 2-3, 2-4) of which 4 are used (1-1, 1-2, 2-1, 2-2) for the last input.
⬐ TheSisb2
TAS stands for Tool Assisted Speedruns. There's a huge history of gamers competing to complete games as quickly as possible. Eventually tools were created that allowed people to simulate key presses in such a way that previously impossible feats became a reality. For example, many game quirks rely on pixel perfect or frame perfect executions of button presses. Also, some sequences of button presses are simply too quick or elaborate for the human hand to reproduce. Thus, the TAS scene emerged and took speedrunning to a whole new level. It's unfair to compare a human speedrun with a TAS speedrun, so it is necessary to specify the "TAS" acronym whenever a run is shown having been created with the use of tools. Human and TAS speedruns are completely different to watch and both highly interesting.

⬐ mey
Thanks for the correction, I should've known that but missed it in my brief check.

Funny. I remember calling the Dutch Nintendo help-line (from a land-line no less) to find out how to get to the final castle's backdoor. This is back when I was about 10 years old.

Now, there's people coding games in that game by playing it.
I thought myself a gamer.
⬐ kylek
AGDQ 2014 https://www.youtube.com/watch?v=OPcV9uIY5i4 starting at 31:49

⬐ tptacek
Here's the basic technique: http://tasvideos.org/3957S.html
I can't read this without thinking that I have wasted a life that could have been better spent synthesizing shell code out of the precise contents of Yoshi's mouth.
⬐ raldi
> shell code

I see what you did there.

⬐ hmsimha
real hackers use KoopaShell