HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
[TAS] Super Mario World "Arbitrary Code Execution" in 02:25.19 by Masterjun

Masterjun3 · Youtube · 239 HN points · 6 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Masterjun3's video "[TAS] Super Mario World "Arbitrary Code Execution" in 02:25.19 by Masterjun".
Youtube Summary
This was also streamed live at AGDQ 2014 on a real console: http://www.youtube.com/watch?v=Uep1H_NvZS0#t=1910
Publication: http://tasvideos.org/2513M.html
Submission (Explanation): http://tasvideos.org/4156S.html
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
That's wild because Super Mario Bros contains a built-in code editor (via arbitrary code execution easter eggs), and Nintendo is OK with that.

https://www.youtube.com/watch?v=OPcV9uIY5i4

webdevatlurk
My favorite example of this is the time it was used to inject Flappy Bird.

https://www.youtube.com/watch?v=hB6eY73sLV0

Wowfunhappy
That's arbitrary code execution, but it's not by any stretch a "built-in code editor".
politician
You say potato, I say potato.
Wowfunhappy
It's a significant distinction, in this case!

Nintendo did not intentionally build a way to create and execute arbitrary code in Super Mario World. It happens as a consequence of various unintentional bugs.

The existence of this phenomenon does not tell us anything about what Nintendo is "okay" with on their platforms, because it wasn't created purposefully.

If Super Mario World contained a "code editor", that would be a very different story. You can't very well create a code editor by accident.

politician
Fair enough.

Nintendo doesn't write code, people do; we can't say for sure this wasn't intentional. We don't know whether a developer left a trail of backdoors as a protest against Nintendo's well-known policy of tight editorial control of game developers, for example.

However, given the existence of this editorial policy, it's reasonable that they did not intend to include these backdoors in Super Mario World. Perhaps they didn't claw back this title because these backdoors were not known until recently.

Wowfunhappy
> Nintendo doesn't write code, people do

This is fair, too. However, if you read about how these particular glitches worked, I find it extremely hard to believe that they would be implemented on purpose.

They're a consequence of a series of run-of-the-mill memory errors across the game's code. There would have needed to be a group of developers conspiring to make this possible... and for what? So a very dedicated player can spend hours painstakingly inputting a flappy bird game that will be lost when the system is turned off?

naikrovek
That is "Super Mario World".

I don't think you know what "built-in" means.

Arbitrary code execution and bugs are not "Easter eggs".

Almost every word in your comment is wrong.

politician
Here's an upvote.
DerekL
The Switch eShop also has the programming game Human Resource Machine.

http://www.nintendolife.com/reviews/switch-eshop/human_resou...

httpsterio
Isn't that a bug though and not a feature? Also, running the inputs to generate compilable code isn't feasible on the original console because of the required precision of the inputs, and is only possible on emulators?
ihuman
No, a person can do it on a real console https://www.youtube.com/watch?v=hB6eY73sLV0
vermilingua
Saying SethBling can do it, does not mean that ordinary people can do it. He is a very talented and focused individual.
httpsterio
Thank you, I stand corrected.
https://www.youtube.com/watch?v=OPcV9uIY5i4

Video is about exploiting Super Mario World, on SNES. The result is that the exploiter then proceeds to make 2 new games inside SMW: Pong and Snake.

Those games don't exist inside SMW. They were uploaded using controller inputs. All it takes is 1 hack.

eridius
Doesn't that hack allow you to write to arbitrary memory? Being able to write to attacker-controlled memory is a serious problem. That's not what the kill(-1) bug lets you do though.
crankylinuxuser
The attack was a buffer overflow on handling objects in the "saved item" area at the top. By manipulating objects as done in the video, one can set RAM up as needed to construct the "program". Then when the overflow is executed, it jumps to the invalid place in memory, thus executing the code you seeded.

This is also done in Pokemon Yellow with a link cable. The last time I saw this being done, a TAS hacker was able to inject a TCP stack over the link cable, and build an IRC client on top, and chat using the game boy.

And I realize that's not the immediate action that bug has, regarding kill(-1). But I've seen what people thought were innocuous bugs that ended up being "gimmee root" kind of bugs.

One of the most brilliant applications of this concept is the Pokémon Yellow Total Control Hack: http://aurellem.org/vba-clojure/html/total-control.html

Similarly, arbitrary code execution in Super Mario World: https://www.youtube.com/watch?v=OPcV9uIY5i4

It's like transforming a chess game into Mikado just by playing it.

nebabyte
To be fair, that seems to require turning off in the middle of a save. Not entirely by the rules of the game.
Asooka
One thing I've often wanted to do, but didn't have the time to, was to take Turing Drawings: https://github.com/maximecb/Turing-Drawings (faster asm.js variant here: https://github.com/darius/Turing-Drawings), which runs a random Turing machine to generate abstract art, and put the machine description in the image itself, so it could self-modify.
7373737373
The links you gave are fascinating! Believe it or not, I have done something like that, too: http://imgur.com/gallery/sRUrI
He's pointing out that although this type of thing has already been done before by automated inputs (such as this video https://www.youtube.com/watch?v=OPcV9uIY5i4 ), this is the first time a human has done it.
Mar 28, 2016 · 3 points, 0 comments · submitted by tambourine_man
Similar deal with super mario world, using programmed controllers to poke arbitrary code into memory and execute it. https://www.youtube.com/watch?v=OPcV9uIY5i4
gcr
You no longer need a special controller: a person has abused this glitch to skip straight to the credits on real hardware on an actual SNES controller.
Jan 13, 2014 · 234 points, 26 comments · submitted by ingenter
peterkelly
This is not responsible disclosure. The person who discovered this vulnerability should have notified nintendo and given them enough time to respond with a patch.

Think about how many hard-earned coins and power ups could potentially be lost due to malware that takes advantage of this vulnerability.

jlgaddis
Heh, after I read your first two sentences I was ready to downvote you (having had "bad experiences" with "responsible disclosure").

After I read the last sentence, I imagined 10-year-old me playing Super Mario Brothers and suddenly freaking out because all my coins were just hacked and stolen.

"MOOOOOOOM!"

zetx
This appears to be the same as what was shown at AGDQ 2014 (Awesome Games Done Quick): http://gamesdonequick.com/

Here's their live run with them explaining what is happening: http://www.twitch.tv/speeddemosarchivesda/b/492923053?t=10h2...

joshschreuder
I love stuff like this. It's been posted a few times here, but the Pokemon Yellow code execution is amazing to watch also:

http://tasvideos.org/3767S.html

batmansbelt
What are we looking at here? Would this hypothetically work with a cartridge, or is this exploiting a bug in the emulator?
sputnikus
He's using a dual multitap to connect 8 controllers and then programming the game through the controller ports; more here: http://hackaday.com/2014/01/10/teaching-mario-to-play-pong-a...
panic
This was actually done live with a real cartridge last week at AGDQ: http://www.youtube.com/watch?v=ioQmbEoYL0M
jalada
This is impressive. Emulators have nuances that make me wonder when watching TASs if they would actually work on the game itself.

Are all 'accepted' TASs tested in a similar way?

enneff
No.
AndyKelley
Not all of them. Here are the rules: http://tasvideos.org/MovieRules.html
w-ll
So Pong and Snake were already in SMW?
pilif
No. They weren't. That's the idea. By exploiting some bugs, they managed to make the game execute arbitrary code. The menu, the two games and the victory screen were all programmed by manipulating the RAM using nothing but controller input.

This is why it's so bloody impressive.

Sniffnoy
A note, to ward off confusion: This was done with a real cartridge, but with a computer hooked up to the controller ports; it wasn't done unassisted.
noselasd
For the uninitiated, can anyone explain what's going on ? What does this video show me ?
bvk
In general, Super Mario World is being played back on a Super Nintendo emulator using prerecorded inputs (a file exists that says which buttons should be held down on each frame). But these inputs aren't a recording of someone actually playing; these button presses were constructed frame-by-frame very carefully to produce these specific effects. Theoretically, if you could manipulate a Super Nintendo controller with perfect precision 60 times per second you could reproduce this.

Specifically, some objects in-game have pointers to code associated with them ("what to do if this block gets hit by a turtle shell", that sort of thing). The P-switch has one of these pointers assigned to a very special value by coincidence: its pointer points to the memory location where button presses are mapped. This pointer is never supposed to be followed, but by making a bunch of objects very carefully the authors can glitch the game into jumping to that memory address. Once execution is there, they can write a bootloader by making sure the button inputs on each frame correspond to the correct opcodes, letting them execute arbitrary code that they write in on the controller port.

I wasn't involved in the production of this TAS, so I'm not an expert, but that's my understanding of what's going on.
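A toy model of the mechanism bvk describes above (and the "seed RAM, then make the overflow jump into it" flow crankylinuxuser describes further up), added here as an illustration and not taken from the page, the TAS, or the tasvideos write-ups. Everything in it is invented: the addresses, the three-opcode instruction set and the handler table are not the 65c816 or SMW's real memory map (see the submission pages linked above for those). What it shows is the structural bug: an object id indexes a table of handler addresses without a bounds check, the stale word past the end of the table happens to hold the address of the buffer where per-frame controller bytes are stored, and once execution lands there each frame's button combination is decoded as an instruction. The hardened dispatch beside it is the check that would have closed the hole.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of "object handler pointer lands in controller-input memory".
   This is NOT the 65c816 instruction set or SMW's real memory map; every
   address and opcode here is made up for illustration. */
#define RAM_SIZE      0x10000
#define HANDLER_TABLE 0x0100  /* HANDLER_COUNT entries of 2 bytes each */
#define HANDLER_COUNT 4
#define SAFE_HANDLER  0x0200  /* where the legitimate handlers live (a HALT) */
#define INPUT_BUF     0x0F00  /* where the engine stores controller bytes */
#define OUTPUT_CELL   0x2000  /* cell the payload writes, proving execution */

enum { OP_HALT = 0x00, OP_LDI = 0x01, OP_STA = 0x02 };

static uint8_t ram[RAM_SIZE];

static uint16_t rd16(uint16_t addr)
{
    return (uint16_t)(ram[addr] | (ram[(uint16_t)(addr + 1)] << 8));
}

/* Tiny interpreter: LDI imm8 loads A, STA addr16 stores A, HALT stops.
   Unknown bytes fault, as real hardware would on a bad opcode. */
static int execute(uint16_t pc)
{
    uint8_t a = 0;
    for (int steps = 0; steps < 64; steps++) {
        switch (ram[pc]) {
        case OP_HALT: return 0;
        case OP_LDI:  a = ram[(uint16_t)(pc + 1)]; pc += 2; break;
        case OP_STA:  ram[rd16((uint16_t)(pc + 1))] = a; pc += 3; break;
        default:      return -1;
        }
    }
    return -2;  /* step budget exhausted */
}

/* The engine copies one byte per controller per frame into INPUT_BUF, so
   the "program" is nothing more than a sequence of button combinations. */
static void feed_controller_bytes(const uint8_t *bytes, size_t n)
{
    memcpy(&ram[INPUT_BUF], bytes, n);
}

/* Vulnerable dispatch: object_id indexes the table unchecked, so an
   out-of-range id reads whatever RAM follows the table and jumps there. */
static int dispatch_unchecked(uint8_t object_id)
{
    return execute(rd16((uint16_t)(HANDLER_TABLE + 2u * object_id)));
}

/* Hardened dispatch: reject ids outside the table before following them. */
static int dispatch_checked(uint8_t object_id)
{
    if (object_id >= HANDLER_COUNT)
        return -3;
    return dispatch_unchecked(object_id);
}

static uint8_t output_cell(void) { return ram[OUTPUT_CELL]; }

/* Constructed state: legitimate handlers 0..3 point at a HALT, and the stale
   word two slots past the table happens to equal INPUT_BUF, standing in for
   the "coincidence" bvk describes for the P-switch (values invented here). */
static void setup_ram(void)
{
    memset(ram, 0, sizeof ram);
    ram[SAFE_HANDLER] = OP_HALT;
    for (unsigned i = 0; i < HANDLER_COUNT; i++) {
        ram[HANDLER_TABLE + 2 * i]     = SAFE_HANDLER & 0xFF;
        ram[HANDLER_TABLE + 2 * i + 1] = SAFE_HANDLER >> 8;
    }
    ram[HANDLER_TABLE + 2 * 5]     = INPUT_BUF & 0xFF;
    ram[HANDLER_TABLE + 2 * 5 + 1] = INPUT_BUF >> 8;
}

/* The payload as controller bytes, one per frame: LDI 0x42; STA 0x2000; HALT. */
static const uint8_t payload[] = { OP_LDI, 0x42, OP_STA, 0x00, 0x20, OP_HALT };

int main(void)
{
    setup_ram();
    feed_controller_bytes(payload, sizeof payload);
    int rc = dispatch_unchecked(5);
    printf("unchecked dispatch(5) -> %d, output cell = 0x%02X\n", rc, output_cell());

    setup_ram();
    feed_controller_bytes(payload, sizeof payload);
    rc = dispatch_checked(5);
    printf("checked dispatch(5)   -> %d, output cell = 0x%02X\n", rc, output_cell());
    return 0;
}
```

The unchecked path runs the controller bytes and leaves 0x42 in the output cell; the checked path refuses id 5 and the cell stays 0. The real run has the same shape with far more work on the setup side: the "table past the end" state is built by glitching objects for the first minute and a half, and the controller-encoded program is a bootloader that reads the rest of the payload (the Pong and Snake games) from subsequent frames across four controllers.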

IvyMike
Matrix reboot starring Mario as Neo, and instead of escaping the Matrix, he just changes it to play pong.
notthemessiah
Relevant xkcd: http://xkcd.com/117/
mey
TAS stands for Tool ASsisted, basically scripts pressing the buttons on the controller

On the right side of the screen each letter lighting up represents a controller input (l is left, r is right etc)

Each line represents a gamepad controller (virtual in this case). When you see multiple lines it means multiple controllers (I am assuming this, as later there are more than 8 controllers active, which is strange).

What's happening is a script running to glitch the game from the start into a certain state, from the beginning of the video until 1:40; then it looks like an exploit of the previous glitches in memory happens, followed quickly after by a massive data load that is the code for the Pong/Snake demos that follow.

city41
From the tasvideos link:

> This run uses two multitaps in port 1 and port 2 which allows for 8 controllers (1-1, 1-2 ,1-3, 1-4, 2-1, 2-2, 2-3, 2-4) of which 4 are used (1-1, 1-2, 2-1, 2-2) for the last input.

TheSisb2
TAS stands for Tool Assisted Speedruns. There's a huge history of gamers competing to complete games as quickly as possible. Eventually tools were created that allowed people to simulate key presses in such a way that previously impossible feats became a reality. For example, many game quirks rely on pixel perfect or frame perfect executions of button presses. Also, some sequences of button presses are simply too quick or elaborate for the human hand to reproduce. Thus, the TAS scene emerged and took speedrunning to a whole new level. It's unfair to compare a human speedrun with a TAS speedrun, so it is necessary to specify the "TAS" acronym whenever a run is shown having been created with the use of tools. Human and TAS speedruns are completely different to watch and both highly interesting.
mey
Thanks for the correction, I should've known that but missed it in my brief check.
richforrester
Funny. I remember calling the Dutch Nintendo help-line (from a land-line no less) to find out how to get to the final castle's backdoor. This is back when I was about 10 years old.

Now, there's people coding games in that game by playing it.

I thought myself a gamer.

kylek
AGDQ 2014 https://www.youtube.com/watch?v=OPcV9uIY5i4 starting at 31:49
tptacek
Here's the basic technique:

http://tasvideos.org/3957S.html

I can't read this without thinking that I have wasted a life that could have been better spent synthesizing shell code out of the precise contents of Yoshi's mouth.

raldi
> shell code

I see what you did there.

hmsimha
real hackers use KoopaShell
Jan 08, 2014 · 2 points, 0 comments · submitted by rooodini
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.