
Super Mario World "Completed" in Under 3 Minutes by Corrupting the RAM - minimaxir
http://minimaxir.com/2013/03/127-yoshis-in-slot-6/
======
georgemcbay
These TAS runs are pretty cool, but from a pure coding standpoint, I think the
Dream Devourer healing trick in Chrono Trigger for the Nintendo DS is more
interesting because it relies on nothing other than a common variety bug that
can be reproduced by a human user without external tools and on the real
device:

<http://chrono.wikia.com/wiki/Dream_Devourer>

The bosses' hit points are close to the limit of a 16-bit integer, so you can
cast a healing spell on it, overflow the int to get him to negative hit points
and then kill him with any successful attack.

PS. I've been seeing these CloudFlare error messages all over the place the
past week, doesn't really paint a great picture of CloudFlare when I'm
constantly trying to view content and seeing an error message with strong
CloudFlare branding telling me I can't see it, regardless of whether or not it
is CloudFlare's fault that I can't currently see it.

~~~
minimaxir
There's an infamous underflow glitch in Pokemon R/B/Y.

The minimum level for a Pokemon in the game is lv. 2. If you get a lv. 1
Pokemon (need to use another cool glitch for that), and that Pokemon gains EXP
that's not enough to hit lv. 2, underflow occurs and it gets billions of EXP,
and hits lv. 100 immediately.

~~~
arcatek
Not on every Pokemon species. It depends on their growth rate[1], which needs
to be "medium slow".

It has been corrected starting from gen 3 (and it explains why your starters
& eggs start at level 5 instead of 1).

[1]
[http://bulbapedia.bulbagarden.net/wiki/Experience#Relation_t...](http://bulbapedia.bulbagarden.net/wiki/Experience#Relation_to_level)

~~~
minimaxir
Ah, you're right. The link on that page under Experience underflow clarifies
it.
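Both wraparounds discussed in this subthread are the same defect in fixed-width integer arithmetic. The following is an added example, not code from the games or from anyone in the thread: it models the Chrono Trigger DS heal on a signed 16-bit HP field as the first comment describes it (the 32000 starting HP and the heal amount are constructed values, and whether the real game uses a signed 16-bit slot is an assumption taken from that comment), and the Gen I "medium slow" experience curve stored in the 3-byte unsigned EXP field, where the level-1 threshold is negative. The claim that the game writes the level's minimum EXP back into the field is taken from the Bulbapedia link above, not verified here.

```c
#include <stdint.h>
#include <stdio.h>

/* Chrono Trigger DS case as described in the thread: HP kept in a signed
 * 16-bit field, and a heal that adds to it with no saturation check. */
int16_t heal_unchecked(int16_t hp, int16_t amount)
{
    /* Promoted to int, then truncated back to 16 bits on store; on every
     * mainstream compiler the truncation is modulo 2^16, so 32000 + 1000
     * becomes -32536. */
    return (int16_t)(hp + amount);
}

/* The fix the game lacked: clamp at max HP instead of wrapping. */
int16_t heal_saturating(int16_t hp, int16_t amount, int16_t max_hp)
{
    int32_t sum = (int32_t)hp + amount;
    return sum > max_hp ? max_hp : (int16_t)sum;
}

/* A boss with HP <= 0 goes down to the next successful hit. */
int is_dead(int16_t hp) { return hp <= 0; }

/* Gen I "medium slow" curve in the integer arithmetic the Game Boy would
 * use: floor(6n^3 / 5) - 15n^2 + 100n - 140. Negative at n = 1. */
int32_t medium_slow_exp(int32_t level)
{
    return (6 * level * level * level) / 5 - 15 * level * level + 100 * level - 140;
}

/* Gen I stores experience as an unsigned 3-byte field: writing -54 into
 * it leaves 0xFFFFCA = 16777162, far above the level-100 threshold. */
uint32_t store_exp24(int32_t exp) { return (uint32_t)exp & 0xFFFFFF; }

/* Highest level whose threshold is <= exp; 100 is the cap. Only thresholds
 * for level 2 and up are compared, so the negative level-1 value is never
 * misread as unsigned here. */
int level_from_exp(uint32_t exp)
{
    int lvl = 1;
    while (lvl < 100 && (uint32_t)medium_slow_exp(lvl + 1) <= exp)
        lvl++;
    return lvl;
}

/* Constructed scenario: a level-1 medium-slow Pokemon whose EXP gets reset
 * to the level-1 minimum (-54) and stored in the 3-byte field. */
uint32_t underflowed_exp(void) { return store_exp24(medium_slow_exp(1)); }

int main(void)
{
    int16_t hp = heal_unchecked(32000, 1000);
    printf("healed boss HP: %d (dead: %d)\n", hp, is_dead(hp));
    printf("saturating heal: %d\n", heal_saturating(32000, 1000, 32000));
    printf("medium slow L1=%d L2=%d L100=%d\n",
           medium_slow_exp(1), medium_slow_exp(2), medium_slow_exp(100));
    printf("stored L1 EXP: %u -> level %d\n",
           underflowed_exp(), level_from_exp(underflowed_exp()));
    return 0;
}
```

The two checks worth taking away: `heal_saturating` compares in a wider type before storing, and `level_from_exp` never feeds a value that can be negative through an unsigned comparison. Both are the generic remedies for this bug class, not anything the games do.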

------
cpeterso
My favorite Mario hack is the TAS run beating Super Mario Brothers 1, 2, 2
Japan (aka The Lost Levels), and 3 _simultaneously_ with the _same_
controller:

[http://www.geekologie.com/2011/04/super-mario-magic-beating-...](http://www.geekologie.com/2011/04/super-mario-magic-beating-four.php)

~~~
dragontamer
Impressive. I always liked multiple games with one controller.

I'll have to say that the Megaman X and Megaman X2 double-speedrun was more
entertaining however.

<http://www.youtube.com/watch?v=9AHVSamD5WQ>

I guess the boss battles are much longer in X and X2, and X2 also has the
shoryuken instant-kill attack, making the games more "synced up" so to speak.
So it makes for an overall more entertaining video, even if it was perhaps
easier to do.

Controls are also much tighter on Megaman X and X2, so it's much easier to see
that everything is synced up.

~~~
stormbrew
That's fantastic. I'd love to see something like this for Metroid: ZM and
Super Metroid. Be especially interesting if they also managed to sync up areas
at some point.

------
minimaxir
It looks like the traffic killed my website (I apologize, it looks like my
backend cache may have been misconfigured).

The Google cache is here:
[http://webcache.googleusercontent.com/search?q=cache:minimax...](http://webcache.googleusercontent.com/search?q=cache:minimaxir.com/2013/03/127-yoshis-in-slot-6/)

~~~
aardvark179
It's impressive, but would the same input timings work on a real SNES, or does
it depend on emulator inaccuracies?

~~~
kafkaesque
I don't know much about RAM corruption, but at 2:10 in the video Mario _loses_
Yoshi then magically brings him back. Is this video stitched in some way?

I used to be infatuated/obsessed with the Mario series. But right now I don't
recall if it was possible to call Yoshi back like this.

Any clarification?

~~~
kamkha
That's explained in one of the threads linked: "I spawned two Yoshis by
hitting the block with Mario and the p-switch at the same time. I jumped on
one Yoshi, got the p-switch in his mouth and let him die, so the second -
invisible - Yoshi becomes visible and has a null sprite in his mouth."

------
mlex
There's a Pokemon Yellow run which finishes the game in under a minute,
without leaving the starting room:
<http://www.youtube.com/watch?v=ry72jYferEo>

There's also a run where someone executes arbitrary code in Pokemon Yellow:
<http://www.youtube.com/watch?v=3UnB1fomvAw>

~~~
GhotiFish
I figured everyone on Hacker News would have been all over the arbitrary code
execution. Never got any attention when I posted it though :(

~~~
unimpressive
That's because it was a repost. Give me a minute or two and I'll find the one
that made the front page.

EDIT: Found it.

<https://news.ycombinator.com/item?id=4891879>

~~~
GhotiFish
ah thanks, I didn't know about that

though a word in my defense, it's not specifically a re-post. The one listed
here and the one I posted deliver a PI Day package in 3 minutes and 14
seconds.

------
smtddr
All these TAS videos make me jealous I never recorded my corrupted speedrun of
Willow for the NES. The game was similar to Zelda 1, a tile-based world. There
was a code[1] that allowed you access and change what tile willow was on at
any given moment. Basically teleport to any room in the game. The on screen
enemies would teleport with you. A crazy mixture of moving to certain rooms
with certain enemies would trigger the game's final battle sequence with an
easy-to-defeat weak monster, causing you to beat the game in under 10 minutes.
If anyone here on HN knows of anyone out there making a vid of this, please
tell me. :) I can't remember how to do it anymore.

1\. <http://tcrf.net/Willow_%28NES%29>

~~~
duskwuff
Not sure whether you mean the debug mode or the Game Genie code here, but both
of these would be considered off-limits to most TASes. The former because it
involves starting with a password (equivalent to starting from a save game, if
I understand correctly?), and the latter because GG codes modify the game
you're playing.

~~~
mpclark
Odd factoid: I wrote the manual for the Game Genie

~~~
sneak
Odd factoid: You are responsible for my not being afraid of hexadecimal when I
first encountered it in computer science literature.

------
jrajav
It's linked in the article, but if anyone is interested in more runs like
these, here again is the primary Western community for TASing:

<http://tasvideos.org/>

And these are the two primary Western communities for human speedrunning,
whose members usually post videos on Youtube and stream on Twitch:

<http://speeddemosarchive.com/>

<http://speedrunslive.com/>

Japanese communities tend not to be as coherent (to the best of my knowledge),
comprising mostly independent, anonymous runners posting on
<http://www.nicovideo.jp/> or other sites.

~~~
ysangkok
This glitch was discovered by あんた

------
endgame
That's a nifty run. I like the similar one for Super Mario Land 2 on the Game
Boy: <http://www.youtube.com/watch?v=fZqEcVg8Ei8> . Mario busts out of the
level boundaries and punches out the block that holds the "victory?" flag.

~~~
minimaxir
That one I hadn't seen before. It appears to use a similar technique, except
much simpler. (Not surprising, given that the GB has much less RAM than the
SNES.)

------
bajsejohannes
I wouldn't really call this "corrupting the RAM". It's not "corrupting" it
more than running any other code; it's just taking advantage of certain
states.

(I'm not saying it's not extremely impressive. It is. It's just slightly
misleading wording)

Edit: Downvoters: Did I misunderstand something? I read it again along with
the original forum post, and it seems pretty clear that this could
theoretically be done on an original SNES, without any tools, it's just
impossibly hard in practice. So how is it "corrupting"? You wouldn't call a
buffer overflow attack "corrupting RAM", even though it's based on exactly the
same principles. And you certainly wouldn't call playing the game normally
"corrupting the RAM", even though it's manipulating the RAM in the same way.

~~~
pindi
Memory corruption is generally defined as occurring when the contents of RAM
are modified in a way not intended by the original programmers. [1] Under this
definition, buffer overflow attacks would certainly qualify, as would this
exploit.

[1] <http://en.wikipedia.org/wiki/Memory_corruption>

~~~
Dylan16807
But the memory contents aren't actually being _modified_ in an unintended way.
They're only being _used_ in an unintended way. The random number generator is
supposed to tick this way, and the sprite data is supposed to work this way.
The key exploit is in getting the game to run a subroutine at the wrong time,
so that it uses the _valid_ memory contents as code and skips to the end.

There are other mario games where you can go out of bounds into memory and
start flipping bits. _That_ is memory corruption. Here I don't think the term
applies.

------
bradleybuda
This strikes me as a very neat analogy to Neo "taking the red pill" in the
first Matrix movie.

------
bitwize
We need a name for game glitches that can be used to your advantage.

I propose "vanellopes".

~~~
sbierwagen
<http://tvtropes.org/pmwiki/pmwiki.php/Main/GoodBadBugs>

------
kunil
The Pokemon Yellow one is more interesting. Somehow the player (programmer?)
removes the item limit in his backpack, and his backpack overflows and shows
the program code as the item list.

Then he reprograms the game by rearranging items. He even buys new items for
different opcodes!

Here is the video, there is a shorter one but this one is much more
interesting <http://www.youtube.com/watch?v=aYQpl8Jj6Yg>

------
randall
Not knowing enough about RAM makes me feel like I haven't done enough work in
my life in CS. I want to know how this works! It's so cool!

~~~
asveikau
I'll bet the details took a lot of work but conceptually it isn't hard to
understand at all. There is a bug which causes the game to jump into a bad
address. The goal then becomes to manipulate the game so that this bad address
happens to contain valid code, then trigger the bug.

You don't really need to know how RAM works to understand that. How assembly
programming or Von Neumann architecture works perhaps. Or basic knowledge of
buffer overflows and similar concepts.

~~~
randall
Yeah sure. I guess what I really meant was I don't know how to even start to
debug the ram to understand where the addresses are, and what each part does.
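The shape asveikau describes (a buggy dispatch lands on an address the player controls, and the bytes already sitting there happen to decode as a jump to the ending) and Dylan16807's point that no byte is modified in an unintended way can both be made concrete in a small model. The following is an added example, not SMW's code or memory map and not from anyone in the thread: a 256-byte "console RAM" with a toy instruction set, a 16-entry jump table that is indexed without a bounds check, and a sprite table the player can only write through ordinary sprite placement. Every address, opcode and the "item held in mouth" slot are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy instruction set. OP_NOP is 0 so zeroed memory executes as no-ops. */
enum { OP_NOP = 0x00, OP_JMP = 0x01, OP_END = 0x02, OP_HALT = 0x03, OP_JMPT = 0x04 };
enum { RUN_HALT, RUN_END, RUN_CRASH };

#define CODE_DISPATCH 0x00   /* JMPT MOUTH_SLOT: pc = table[item held] */
#define CODE_HANDLER  0x10   /* normal item handler: HALT (level goes on) */
#define CODE_CREDITS  0x40   /* the ending routine, normally reached hours later */
#define JUMP_TABLE    0x70   /* 16 valid entries, 0x70..0x7F */
#define SPRITE_TABLE  0x80   /* 16 sprites of (x, y) bytes, 0x80..0x9F */
#define MOUTH_SLOT    0xA0   /* constructed "item id in Yoshi's mouth" */

typedef struct { uint8_t mem[256]; int checked; } machine;

/* What the "cartridge" sets up before play. */
void machine_init(machine *m, int checked)
{
    memset(m->mem, 0, sizeof m->mem);
    m->checked = checked;
    m->mem[CODE_DISPATCH]     = OP_JMPT;
    m->mem[CODE_DISPATCH + 1] = MOUTH_SLOT;
    m->mem[CODE_HANDLER]      = OP_HALT;
    m->mem[CODE_CREDITS]      = OP_END;
    for (int i = 0; i < 16; i++) m->mem[JUMP_TABLE + i] = CODE_HANDLER;
}

/* The only ways "the player" touches memory: move a sprite, hold an item. */
void place_sprite(machine *m, int n, uint8_t x, uint8_t y)
{
    m->mem[SPRITE_TABLE + 2 * n]     = x;
    m->mem[SPRITE_TABLE + 2 * n + 1] = y;
}
void hold_item(machine *m, uint8_t item) { m->mem[MOUTH_SLOT] = item; }

int run(machine *m)
{
    uint8_t pc = 0;
    for (int steps = 0; steps < 64; steps++) {
        uint8_t op = m->mem[pc], arg = m->mem[(uint8_t)(pc + 1)];
        switch (op) {
        case OP_NOP:  pc += 1; break;
        case OP_JMP:  pc = arg; break;
        case OP_END:  return RUN_END;
        case OP_HALT: return RUN_HALT;
        case OP_JMPT: {
            uint8_t idx = m->mem[arg];
            if (m->checked && idx >= 16) return RUN_CRASH;  /* hardened dispatch */
            pc = m->mem[(uint8_t)(JUMP_TABLE + idx)];      /* buggy: reads past the table */
            break;
        }
        default: return RUN_CRASH;                          /* undefined opcode */
        }
    }
    return RUN_CRASH;  /* step budget exhausted, i.e. hung */
}

/* Normal play: item ids 0..15 go through the table to the handler. */
int play_normally(void)
{
    machine m; machine_init(&m, 0);
    hold_item(&m, 3);
    return run(&m);            /* RUN_HALT */
}

/* Item 0x20 makes the dispatch read table[0x20] = mem[0x90], which is sprite
 * 8's x position. With sprite 8 at x = 0x92, execution lands on sprite 9's
 * (x, y) bytes, and (0x01, 0x40) decodes as JMP CODE_CREDITS. Every value is
 * a legal sprite position or item id; no code byte is written. */
static void set_up_exploit(machine *m)
{
    place_sprite(m, 8, 0x92, 0x00);
    place_sprite(m, 9, OP_JMP, CODE_CREDITS);
    hold_item(m, 0x20);
}

int play_exploit(int checked)
{
    machine m; machine_init(&m, checked);
    set_up_exploit(&m);
    return run(&m);            /* RUN_END unchecked, RUN_CRASH with the bounds check */
}

/* Dylan16807's point made checkable: after the exploit runs, every byte of
 * code and jump table is exactly what the cartridge set. */
int code_region_untouched(void)
{
    machine fresh, m;
    machine_init(&fresh, 0); machine_init(&m, 0);
    set_up_exploit(&m);
    run(&m);
    return memcmp(fresh.mem, m.mem, SPRITE_TABLE) == 0;
}
```

The single `idx >= 16` check in `run` is the whole fix; everything the exploit needs sits in bytes the game intends the player to change, which is why this class of glitch survives until someone asks what the table does for indices it was never meant to see.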

------
RockofStrength
Brilliant. The fish segment is comic gold.

------
loeg
For the curious / lazy with youtube-dl, the video id is "Syo5sI-iOgY".

------
torya
I dislike these speed runs. If they are going to do one, they should at least
play through the game properly.

~~~
mikeash
You can find plenty of non-exploit speed runs if you prefer them. If you don't
like this kind, might I suggest not watching them?

~~~
torya
I get what you mean. Everyone has their preference and their right to it.

an analogy would be like a runner taking a taxi during a marathon.

~~~
unimpressive
More like materializing a taxi out of thin air and then riding it through
buildings to the finish line.

At that point the focus is no longer on the running aspect of the race.

