Hacker News new | past | comments | ask | show | jobs | submit login
Manual arbitrary code injection in Super Mario World [video] (youtube.com)
145 points by bendykstra on Mar 28, 2016 | hide | past | web | favorite | 11 comments

Really scary stuff. I hope the SNES Security team is taking this seriously and gets a patch out to customers quickly.

Really impressive job by SethBling and p4plus2.

The notes for how to replicate it can also be found in this Google Document[1] and the payload for the injected game itself is also available[2].

[1]: https://docs.google.com/document/d/1TJ6W7TI9fH3qXb2GrOqhtDAb...

[2]: http://paste.ofcode.org/EiTmWXkmqJ4eAcJBvqEDwz

this one is also pretty crazy:

Super Mario World Credits Warp Explained


Reminds me of what it takes to debug a dozen microservices talking to each other.

Just out of curiosity, are there any risks of corrupting the cartridge?

The game code itself is in ROM, so there's no risk there. There is some nonvolatile storage on the cartridge used to save games, which could potentially be corrupted. The save state is so simple that I don't think there's any risk of trouble from that, besides losing (or gaining!) saved progress.

The game also stores a checksum of the nonvolatile storage, so even if you do corrupt it, it will be detected and cleared.

Actually, you could in theory craft save-data that softlocks the game when the save-data names are displayed. If the game isn't programmed to wipe bad save data you'd be in trouble.

Not saying this is the case for SMW, but there are certain cartridge games where this can happen naturally.

There are exploits used by speedrunners in Donkey Kong Country 2 that can cause corruption to the nonvolatile save state which will "brick" the cart. It can be fixed by opening the cart up and disconnecting the battery.

I hope someone eventually finds a way to perform arbitrary code execution based on SRAM.

Probably not on SMW, but Pokemon is getting broken enough that it may some day be possible. There's already inventory-based exploits that can get saved across resets, but someone still has to play the game and open up the inventory screen for that.

My 9 year old son, a SethBling fan (like me), got home from school right when I clicked on this. I had to explain why I was watching YouTube while "working." Great video for us to watch together!

Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact