Super Mario World "Executes Arbitrary Code" [video] (youtube.com)
234 points by ingenter on Jan 13, 2014 | hide | past | web | favorite | 26 comments



Here's the basic technique:

http://tasvideos.org/3957S.html

I can't read this without thinking that I have wasted a life that could have been better spent synthesizing shell code out of the precise contents of Yoshi's mouth.


real hackers use KoopaShell


> shell code

I see what you did there.


This is not responsible disclosure. The person who discovered this vulnerability should have notified Nintendo and given them enough time to respond with a patch.

Think about how many hard-earned coins and power ups could potentially be lost due to malware that takes advantage of this vulnerability.


Heh, after I read your first two sentences I was ready to downvote you (having had "bad experiences" with "responsible disclosure").

After I read the last sentence, I imagined 10-year-old me playing Super Mario Brothers and suddenly freaking out because all my coins were just hacked and stolen.

"MOOOOOOOM!"


This appears to be the same as what was shown at AGDQ 2014 (Awesome Games Done Quick): http://gamesdonequick.com/

Here's their live run with them explaining what is happening: http://www.twitch.tv/speeddemosarchivesda/b/492923053?t=10h2...


I love stuff like this. It's been posted a few times here, but the Pokemon Yellow code execution is amazing to watch also:

http://tasvideos.org/3767S.html


What are we looking at here? Would this hypothetically work with a cartridge, or is this exploiting a bug in the emulator?


This was actually done live with a real cartridge last week at AGDQ: http://www.youtube.com/watch?v=ioQmbEoYL0M


A note, to ward off confusion: This was done with a real cartridge, but with a computer hooked up to the controller ports; it wasn't done unassisted.


This is impressive. Emulators have nuances that make me wonder when watching TASs if they would actually work on the game itself.

Are all 'accepted' TASs tested in a similar way?


Not all of them. Here are the rules: http://tasvideos.org/MovieRules.html


No.


So pong and snake were already in SMW?


No. They weren't. That's the idea. By exploiting some bugs, they managed to make the game execute arbitrary code. The menu, the two games and the victory screen were all programmed by manipulating the RAM using nothing but controller input.

This is why it's so bloody impressive.


He's using a dual multitap to connect 8 controllers and then programming the game through the controller ports; more here: http://hackaday.com/2014/01/10/teaching-mario-to-play-pong-a...


For the uninitiated, can anyone explain what's going on? What does this video show me?


TAS stands for Tool ASsisted, basically scripts pressing the buttons on the controller.

On the right side of the screen each letter lighting up represents a controller input (l is left, r is right, etc.).

Each line represents a gamepad controller (virtual in this case). When you see multiple lines it means multiple controllers (I am assuming this, as later there are more than 8 controllers active, which is strange).

What's happening is a script running to glitch the game from the start into a certain state, from the beginning of the video until 1:40; then it looks like an exploit of the previous glitches in memory happens, followed quickly by a massive data load that is the code for the pong/snake demos that follow.


TAS stands for Tool Assisted Speedruns. There's a huge history of gamers competing to complete games as quickly as possible. Eventually tools were created that allowed people to simulate key presses in such a way that previously impossible feats became a reality. For example, many game quirks rely on pixel perfect or frame perfect executions of button presses. Also, some sequences of button presses are simply too quick or elaborate for the human hand to reproduce. Thus, the TAS scene emerged and took speedrunning to a whole new level. It's unfair to compare a human speedrun with a TAS speedrun, so it is necessary to specify the "TAS" acronym whenever a run is shown having been created with the use of tools. Human and TAS speedruns are completely different to watch and both highly interesting.


Thanks for the correction, I should've known that but missed it in my brief check.


From the tasvideos link:

> This run uses two multitaps in port 1 and port 2 which allows for 8 controllers (1-1, 1-2 ,1-3, 1-4, 2-1, 2-2, 2-3, 2-4) of which 4 are used (1-1, 1-2, 2-1, 2-2) for the last input.


In general, Super Mario World is being played back on a Super Nintendo emulator using prerecorded inputs (a file exists that says which buttons should be held down on each frame). But these inputs aren't a recording of someone actually playing; these button presses were constructed frame-by-frame very carefully to produce these specific effects. Theoretically, if you could manipulate a Super Nintendo controller with perfect precision 60 times per second you could reproduce this.

Specifically, some objects in-game have pointers to code associated with them ("what to do if this block gets hit by a turtle shell", that sort of thing). The P-switch has one of these pointers assigned to a very special value by coincidence: its pointer points to the memory location where button presses are mapped. This pointer is never supposed to be followed, but by making a bunch of objects very carefully the authors can glitch the game into jumping to that memory address. Once execution is there, they can write a bootloader by making sure the button inputs on each frame correspond to the correct opcodes, letting them execute arbitrary code that they write in on the controller port.

I wasn't involved in the production of this TAS, so I'm not an expert, but that's my understanding of what's going on.
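The mechanism this comment describes (a per-object code pointer that happens to point at the controller input region, then inputs chosen frame by frame so they decode as a bootloader) as an added toy simulation, not SMW's real memory map, instruction set or the TAS's inputs: every address, opcode and the payload are constructed for illustration. The `nx_input` flag shows the mitigation side, refusing to fetch instructions from memory that the controllers write.

```python
# Constructed toy machine: 256 bytes of RAM, 8 controller bytes written
# into INPUT_BASE..INPUT_BASE+7 on every frame, a handler pointer per
# object type. Type 3 ("P-switch") points into the input region.
INPUT_BASE, PAYLOAD_BASE = 0xC0, 0x40
STORE, JMP, HALT, WAIT, ADD = 1, 2, 3, 4, 5          # constructed opcodes
DISPATCH = {0: 0x20, 1: 0x28, 2: 0x30, 3: INPUT_BASE}  # 3 = P-switch

def run(frames, handler_ptr, nx_input=False):
    """Execute from handler_ptr. WAIT behaves like a VBlank wait: the next
    frame's 8 controller bytes replace the input region before resuming.
    With nx_input=True, fetching an instruction from the input region is
    refused (the W^X-style check a hardened design would enforce)."""
    mem = bytearray(256)
    frames = iter(frames)
    mem[INPUT_BASE:INPUT_BASE + 8] = next(frames)
    pc = handler_ptr
    while True:
        if nx_input and INPUT_BASE <= pc < INPUT_BASE + 8:
            raise RuntimeError(f"instruction fetch from input region at {pc:#04x}")
        op = mem[pc]
        if op == STORE:                      # STORE addr imm
            mem[mem[pc + 1]] = mem[pc + 2]; pc += 3
        elif op == JMP:                      # JMP addr
            pc = mem[pc + 1]
        elif op == ADD:                      # ADD dst src  (mem[dst] += mem[src])
            mem[mem[pc + 1]] = (mem[mem[pc + 1]] + mem[mem[pc + 2]]) & 0xFF; pc += 3
        elif op == WAIT:                     # yield until next frame's inputs
            mem[INPUT_BASE:INPUT_BASE + 8] = next(frames); pc += 1
        elif op == HALT:
            return mem
        else:
            raise RuntimeError(f"bad opcode {op} at {pc:#04x}")

def bootloader_frames(payload):
    """Each frame: STORE one payload byte into RAM, WAIT, then the JMP at
    offset 4 is already supplied by the *next* frame's bytes (the CPU
    resumes at INPUT_BASE+4 after WAIT). Loop frames jump back to
    INPUT_BASE; the final frame jumps to the copied payload instead."""
    frames = [bytes([STORE, PAYLOAD_BASE + i, b, WAIT, JMP, INPUT_BASE, 0, 0])
              for i, b in enumerate(payload)]
    frames.append(bytes([0, 0, 0, 0, JMP, PAYLOAD_BASE, 0, 0]))
    return frames

# Constructed payload: mem[0x80] = 5 + 7, then halt.
PAYLOAD = bytes([STORE, 0x80, 5, STORE, 0x81, 7, ADD, 0x80, 0x81, HALT])

def exploit(nx_input=False):
    """Trigger the P-switch handler and return final RAM (or raise)."""
    return run(bootloader_frames(PAYLOAD), DISPATCH[3], nx_input)
```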


Matrix reboot starring Mario as Neo, and instead of escaping the Matrix, he just changes it to play pong.


Relevant xkcd: http://xkcd.com/117/


Funny. I remember calling the Dutch Nintendo help-line (from a land-line, no less) to find out how to get to the final castle's backdoor. This was back when I was about 10 years old.

Now there are people coding games in that game by playing it.

I thought myself a gamer.


AGDQ 2014 https://www.youtube.com/watch?v=OPcV9uIY5i4 starting at 31:49



