HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
Super Mario World Credits Warp Explained

IsoFrieze · Youtube · 269 HN points · 5 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention IsoFrieze's video "Super Mario World Credits Warp Explained".
Youtube Summary
Thanks to p4plus2 and masterjun for proofreading my script so I didn't mess things up too badly.

This video is not an assembly tutorial--if you don't understand the assembly parts and you want to know more there are plenty of resources on the Internet.

I tried to make something very complicated into something simple enough that a random person could at least kind of understand. Some of my illustrations are "wrong," and I know that. If I made everything technically correct it would be either a) too difficult to animate or b) too difficult for a random person to understand.

Otherwise, if you have any questions, feel free to ask and I'll try to answer.

Link to video tutorial of this route: http://youtu.be/rOrTN50QGR8
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Nov 10, 2018 · 1 points, 0 comments · submitted by calhoun137
The most interesting speedrun I've ever seen is the Super Mario World credits warp, which requires the player to write + execute arbitrary code in game by carefully positioning koopa shells. At first thought to only be possible with tools in an emulator, this has been done on an actual console!

Summoning Salt video about the overall history of SMW speedruns: https://www.youtube.com/watch?v=USBboeK7oDA

Detailed explanation of how the credits warp exploit works: https://www.youtube.com/watch?v=vAHXK2wut_I

glaberficken
OMG, mind blown by the assembly code manipulation in the credits warp! Thank you for linking this
crtasm
And since people learned how to inject custom code into the game you get amazing creations like a full level editor running inside SMW:

https://arstechnica.com/gaming/2016/01/how-a-game-playing-ro...

Klathmon
I'm on mobile and don't have a link right now, but there was a guy a while back that did a TAS speedrun of I think Pokemon red/blue, and got a full RCE exploit to work, rewrote the cartridge to play the opening to the next game in the series (Pokemon gold), and after playing that for a bit hit the endgame credits of the first game breaking the world record at the time.
There are some games where you can modify the program state to glitch to the end, like Super Mario World: https://youtu.be/vAHXK2wut_I The explanation for the glitch is really interesting.

But something like this has to be given its own category. There's a Super Mario World category that allows for that "Credits Warp" glitch. The other categories have different rules for what you can and can't do.

So it's possible that Todd did something funky, but that would still make his scores illegitimate.

this one is also pretty crazy:

Super Mario World Credits Warp Explained

https://www.youtube.com/watch?v=vAHXK2wut_I

pontifier
This glitch is far too interesting.
ddingus
This is crazy! And I second too interesting...
Jun 28, 2015 · 254 points, 25 comments · submitted by Kortaggio
haberman
Unbelievable. I had watched the glitch itself too many times to count. But seeing it explained makes it even more impressive.

I would love to hear the story of who figured out how to do this and how much trial/error it took.

I'd also love to see a similar explanation of the mario pong/snake glitch. It seems it goes even further and is able to actually input large amounts of arbitrary code. http://www.polygon.com/2014/1/14/5309662/bizarre-super-mario...

steckerbrett
Probably not as awful as it sounds on the surface, with an emulator you can sit and stare at the current state of the machine quite handily. It would be essentially impossible to work this sort of thing out without the aid of tools.
haberman
Totally, but even with an emulator, the number of obscure glitches that have to be strung together in just the right way to make this work is staggering.
Mahn
I would guess the games are disassembled and dissected first in order to identify potential exploit paths/bugs.
JoshTriplett
> I'd also love to see a similar explanation of the mario pong/snake glitch. It seems it goes even further and is able to actually input large amounts of arbitrary code.

The video showed how to use sprite positions and similar to construct a small amount of code, and then the bug in Yoshi's eating to jump to that code. As hinted at in the video, there's a jump table for what happens when Yoshi eats various things, and if you eat something you "shouldn't" be able to, you jump to an unexpected location, which with care can be used to jump to the code you wrote in the sprite table.

In the video, this is used to write to a state value that determines what the game is doing, jumping directly to the last bit of the credits. That requires quite a bit of precision, but with enough practice, a player can do it in real-time, just as players can learn to perform tricks that require frame-precise inputs.

For the arbitrary-code variant, as with other "total control" hacks (exploiting a game to execute arbitrary code), the goal is to code a tiny loop that rapidly reads controller input into memory and then executes it. Sometimes the initial read-and-execute loop is simplified and only reads a few bits from the controller at a time, but is then used to bootstrap a more complex loop that can input code from the controller(s) more rapidly. For instance, SNES total control hacks often bootstrap into a loop that reads from 8 controllers (two multitaps of four controllers each) simultaneously, once per frame.

In the case of the TAS you mentioned, that input loop reads and executes code implementing games of Pong and Snake using sprites already available in memory, which minimizes the amount of data required. The original Total Control hack, for Pokémon Yellow (https://www.youtube.com/watch?v=p5T81yHkHtI), took a while because it read in an image and music, input 8 bits at a time using the single Gameboy controller (four directions, start, select, A, and B, for 8 bits). To improve entertainment value, it bootstrapped into a loop that displayed values as they were read, as well as reading an appropriate message from the original game first ("It's the game program! Messing with it could bug out the game!").

See https://www.youtube.com/watch?v=p5T81yHkHtI#t=10m25s to skip to the point where it starts entering code via the controller, and notice the displayed controller inputs at the bottom inputting a byte at a time. If you watch carefully after the code starts being displayed, you'll notice that the inputs match the displayed code, such as all the buttons being pressed or released at once to input FF or 00.

And the use of an image and music from something that didn't exist at the time Pokémon Yellow was released made the magnitude of the original Total Control hack clearer even to non-programmers: brand new data was being input into the game.

A more recent hack for Super Mario World put a faithful recreation of the original NES Super Mario Bros into memory and executed it, which you could actually play. (It input and used the graphics from Super Mario Bros, but reused sounds such as jumping and collecting coins from Super Mario World, both to reduce the "download" size and to simplify the code, since the sound hardware on the SNES is drastically different.)

All total control hacks for current games follow the same general pattern: find a way to jump to any user-controlled data that can be formed into useful machine-code instructions (an item list with item indexes and quantities, character stats, sprite positions, etc), use those (possibly constrained) instructions to read controller input into memory and jump to it, bootstrap into a more efficient (and entertaining) read-and-execute loop if necessary, read piles of arbitrary code into memory, and jump to it.
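
The "jump to an unexpected location" step above, as an added example that is not from the video or from any commenter: a simplified model (the layout and values are constructed, not SMW's real memory map) of an "eat" jump table indexed by sprite type with no range check, so an out-of-range type pulls its "handler address" from the player-controlled sprite bytes that follow the table, next to the bounds-checked version a defender would want.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 16-bit jump table with one handler address per
 * sprite type Yoshi is meant to eat, followed directly in RAM by a sprite
 * table whose bytes the player controls through object positions. */
#define EAT_TABLE_ENTRIES 4
#define SPRITE_TABLE_BYTES 8

/* 512 bytes so any 8-bit index stays inside the model (assumption). */
static uint8_t ram[512] = {
    0x00, 0x80, 0x20, 0x80, 0x40, 0x80, 0x60, 0x80, /* handlers $8000.. */
    0x34, 0x12, 0x78, 0x56, 0xBC, 0x9A, 0xF0, 0xDE  /* sprite bytes */
};

/* Little-endian 16-bit read, as the 65816 reads a table entry. */
static uint16_t read16(size_t off) {
    return (uint16_t)(ram[off] | (ram[off + 1] << 8));
}

/* Vulnerable pattern: index the table by sprite type and never check that
 * the type is one the table has an entry for. Types 4..7 land in the
 * sprite table, so the "handler" is whatever bytes the player placed. */
uint16_t eat_handler_unchecked(uint8_t sprite_type) {
    return read16((size_t)sprite_type * 2);
}

/* Hardened form: reject types outside the table and fall back to a
 * known-safe handler (0 stands for "do nothing" in this model). */
uint16_t eat_handler_checked(uint8_t sprite_type) {
    if (sprite_type >= EAT_TABLE_ENTRIES)
        return 0;
    return read16((size_t)sprite_type * 2);
}

int main(void) {
    for (uint8_t t = 0; t < EAT_TABLE_ENTRIES + SPRITE_TABLE_BYTES / 2; t++)
        printf("type %u: unchecked -> $%04X, checked -> $%04X\n",
               t, eat_handler_unchecked(t), eat_handler_checked(t));
    return 0;
}
```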

striking
IIRC, the sound sample thing was just a happy accident. They had no intention of adding sound, but they left in the sound playing code and discovered that Nintendo used the exact same sound lookup table. Which is perhaps even cooler.
Mahn
Thereby proving that Super Mario World was built off the original Super Mario Bros. Neat.
chinpokomon
For the Pong and Snake games, the code that is written is a bootstrap to read values from the controllers and write them to memory. Then it jumps to those routines.

It uses similar techniques to write code to different locations of memory, just like this game credit warp. After the bootstrap code is written, Yoshi eats another Chuck, and the code executes the bootstrap. At this time, the NES reads from the controllers.

The controls aren't just your typical controller, as I recall, they are actually multiplexed controller cables plugged in, allowing more bits to be read and thereby written. The code at this point can be anything. Including this [https://youtu.be/bu4Z_-1K_Gw].

emiliobumachar
Just forwarded the link to my work email. This is the ultimate answer to any objection to security efforts on the grounds that "the vulnerability is too complex for anyone to bother exploiting".
paulkon
This was awesome! Any recommended introductory books for assembly programming and reverse engineering to appreciate this hack even more?
peterfirefly
There's stuff like this:

http://www.phrack.org/issues/56/1.html

Luc
Go old school and download this book: http://www.romhacking.net/documents/615/

'Programming the 6502', by Rodnay Zaks.

peterfirefly
His Z80 book is pretty good, too. In fact, I don't remember a single bad book from the old Sybex (Zaks' publishing company).
chjj
Manufacturing shellcode with shells. I like it.
MrBuddyCasino
Programming with koopas - it truly is turtles all the way down.
yoha
The hack looks insanely contrived but this video has a very well paced, well explained, and well illustrated explanation.
smaili
Just out of curiosity, anyone know why only 12 sprites can be loaded at a time into memory? Is that a hardware limitation or a design decision by the developers?
duskwuff
The SNES graphics chip supports up to 32 sprites per line; this must be a limitation of the game.
SchizoDuckie
These are the chess grandmasters of our time.

If you can fit all of that in your head and understand what you're doing here while you're doing it, you're a god to me

SixSigma
It's nothing like as complex as you think, it's all very logical and once you can code 6502 assembler, it's just lining up ducks.
duskwuff
Or, in this case... lining up Koopa shells. :)
pdkl95
I believe it's been posted before, but sethbling (of vanilla-minecraft-hacks fame) pulled off the impossible and did the credit warp on an actual SNES, live[1]. As this video very-nicely explains, this required incredible amounts of pixel-perfect accuracy.

Lining up the line of koopa shells on exact x-offsets and very narrow heights mid jump (!) to write the landing-sled - using a controller, realtime - is utterly insane.

As a side note sethbling's latest project is teaching[2] (using neuro-evolution) his machine learning bot to play SMW[2], SMB1[3], and Mario Kart (original)[4]. While the machine learning is simple by today's standards, his brief videos give a really nice introduction to the topic that should be accessible to most people.

[1] https://www.youtube.com/watch?v=14wqBA5Q1yc

[2] https://www.youtube.com/watch?v=qv6UVOQ0F44

[3] https://www.youtube.com/watch?v=iakFfOmanJU

[4] https://www.youtube.com/watch?v=S9Y_I9vY8Qw

hayd
Someone apparently did a run in 42 seconds! https://www.youtube.com/watch?v=FkQdwUns7H8

Edit: Ah, that's "tool assisted".

yoha
Those videos are really great and worth watching!
Pewqazz
Note that this video is of SethBling pulling off the credits warp for the very first time, when the current setup for the warp was unknown. Here is a video of Seth performing the warp that was explained in the posted video, which is faster by over four minutes:

https://www.youtube.com/watch?v=KADhybyjOEo

Here's the author taking the world record (now superseded) at glitching mario world into the credits to "win" the game in 3:07:

https://www.youtube.com/watch?v=HxFh1CJOrTU

This is on a real console, not an emulator. They overflow the SNES into the controller registers to achieve arbitrary code execution by hand. They do this by placing koopa shells at pixel-perfect locations to spell out ASM, overflow to the controller registers, and press a specific combination of buttons to jump to the sprite table and their literal shellcode.

At the start of this year there was a crazy few weeks where different speedrunners were competing to execute the "credits warp" in the quickest and most efficient way. It started at around 6 minutes, now it's down to around 2 I think, most of which is the game's intro. Fun stuff. SethBling was the first person to ever execute it on a real console.

Here's a video explaining it, from a different speedrunner: https://www.youtube.com/watch?v=vAHXK2wut_I

cheald
"literal shellcode" made me chortle. What a delightfully wonderful hack.
May 05, 2015 · 1 points, 0 comments · submitted by dsacco
Apr 15, 2015 · 4 points, 0 comments · submitted by cleverjake
Apr 14, 2015 · 5 points, 0 comments · submitted by cleverjake
Apr 05, 2015 · 2 points, 1 comments · submitted by MrValdez
MrValdez
The exploit in action: https://youtu.be/zjUn7DvM5Fc?t=11m22s
Apr 01, 2015 · 1 points, 0 comments · submitted by officialjunk
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.