Pokemon Yellow Total Control Hack (aurellem.org)
206 points by hobs on April 20, 2015 | 25 comments



I'm not a gamer myself but I have come across several of these types of hacks... I am always impressed with the dedication of gamers to understand the execution to this extent. Really is a cool aspect to video games.

There's a cool story of a guy who beat Mario 64 without ever jumping... http://kotaku.com/the-man-who-does-the-impossible-in-super-m...


The explanation on the "water level overflow" is marvelous...

> I had been wondering if raising/lowering the water level could help me collect this star in 0 A presses, and then it suddenly hit me: what if I raised the water level to the maximum possible value? I theorized that if I did this, then the water level would actually overflow onto the lowest possible water level. Using hacks, I tested this and found it to be true. Consequently, I then raised the water level using TAS until it reached a very special water level, which I'm naming the "overflow water level," at which the water level oscillates between the highest water level and the lowest water level. I make use of this to ascend and descend in the town, thereby allowing me to collect the star in 0 A presses.

> To raise the water, I make use of a glitch, which works as follows. The water in the town raises and lowers periodically. Whatever water level you unload the town on becomes the median water level for the next time you load the town. So if you consistently unload the town while the water is at the top of its cycle, then the water will gradually rise, and that's what I do in the video.
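Added example, not part of the thread or of the quoted description: a C model of the water-level behaviour the quote describes, where each unload at the top of the cycle becomes the next median until the level wraps, shown beside a saturating add that stops the drift. The 16-bit signed level, the swing of 100 units, the starting median of 0 and all function names are assumptions; the page does not give the game's actual representation.

```c
#include <stdint.h>
#include <stdio.h>

#define AMPLITUDE 100 /* assumed swing above/below the median */

typedef int16_t (*adder)(int16_t, int16_t);

/* 16-bit add that wraps around, as a plain fixed-width store would. */
static int16_t add_wrap(int16_t a, int16_t b) {
    int32_t s = (int32_t)a + b;
    if (s > INT16_MAX) s -= 65536;
    if (s < INT16_MIN) s += 65536;
    return (int16_t)s;
}

/* Hardened variant: clamp at the limits instead of wrapping. */
static int16_t add_sat(int16_t a, int16_t b) {
    int32_t s = (int32_t)a + b;
    if (s > INT16_MAX) s = INT16_MAX;
    if (s < INT16_MIN) s = INT16_MIN;
    return (int16_t)s;
}

/* Unload at the top of the cycle over and over. Each unload makes the
 * current level the next median. Returns how many unloads it takes until
 * the top of the cycle lands below the median (the wrap), or -1 if that
 * never happens within max_unloads. *median_out gets the final median. */
static int unloads_until_wrap(adder add, int max_unloads, int16_t *median_out) {
    int16_t median = 0; /* assumed starting median */
    for (int n = 0; n <= max_unloads; n++) {
        int16_t top = add(median, AMPLITUDE);
        if (top < median) { *median_out = median; return n; }
        median = top;
    }
    *median_out = median;
    return -1;
}

int main(void) {
    int16_t m;
    int n = unloads_until_wrap(add_wrap, 1000, &m);
    printf("wrap: %d unloads, median %d, top of cycle %d, bottom %d\n",
           n, m, add_wrap(m, AMPLITUDE), add_wrap(m, -AMPLITUDE));
    n = unloads_until_wrap(add_sat, 1000, &m);
    printf("saturating: result %d, median pinned at %d\n", n, m);
    return 0;
}
```

In this model the wrapping version reaches a median where the top of the cycle sits near the minimum and the bottom near the maximum, which is the oscillation the quote calls the "overflow water level"; the saturating version never gets there.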


The thing I've always loved about games like these is that they have a perfect balance of being complex enough to be fun and interesting to investigate, but not so complex that you have layer upon layer of stuff to get through to figure out what's going on.


There was also the recent Twitch chat inside Pokemon at AGDQ 2015: https://www.youtube.com/watch?v=Tv7RqnT0_Wo#t=508


One of my recent favourite things has been watching people do these tricks live. Here's another AGDQ video, the guy executes an elaborate buffer overflow in Mario 3 by hand to make it skip to the credits. It's called a 'wrong warp' or a 'credits skip' and it's completely ridiculous.

https://youtu.be/c-bkDz0wPsI?t=3774


Same, I pretty much leave AGDQ open on a secondary monitor for the whole duration.

I didn't see Mario 3 live but it seems pretty insane. In a similar technique of wrong warps is the glitch run of Zelda 2 (https://www.youtube.com/watch?v=IXEx9zIEoJw#t=288) - the speedrunning community has an insane level of dedication, there are so many of these frame-perfect tricks/exploits and it's just like... how do you even discover it!?



No matter how many times I encounter this it never ceases to amaze me. Maybe it's because I played these games growing up, or maybe it's just my interest in low-level bit twiddling like this, but probably a bit of both. The process he uses to figure it all out is just as impressive as the hack itself.


This is incredible. I have always wanted to get into this type of thing, but it seems so incredibly difficult without a large amount of experience.


Try Matasano's Microcorruption CTF. It is designed for people with no experience. You will do the same things the author of the post did.

uctf strips away the layers of complexity related to a specific environment, giving you a clean place to learn the first principles. Whereas, if you tried this on a Gameboy, you must learn a lot of domain-specific things, and learn how a computer works at a rather low level. For example: once you have built an exploit payload or two, it isn't so magical how using an inventory of items that are represented with integers can become code.


I discovered Microcorruption thanks to another HN post and I love it. It's one thing to read about things like buffer overruns and stack smashing, but another thing entirely to do them yourself.


I've gotten to the second or 3rd level with it. I just wish they gave a few more hints as to what I could learn about to help progress along with the levels.


Usually if you can figure out the type of vulnerability you are going after, you can search for it and then use the first principles of that bug type and apply it to the current level.

The first few levels are just to get you used to thinking in machine code, reading and thinking in hex, and used to reversing. They are a little tougher for some, depending on your background.


That's good to know! My background is in CS, so I've done a bit of computer architecture and assembly (been quite a while though). Very new to reversing; I've tried out Lena's tutorials and decided to give this a shot instead. I'll keep that in mind :)


Microcorruption seems great! I'll definitely give it a shot.


The Microcorruption CTF looks fantastic, thank you for sharing!


Reminds me of the trick that was first used to make a TI-85 execute arbitrary assembly code. Someone disassembled a ROM and found that the CUSTOM menu was actually implemented by an unchecked jump to (presumably) the code of the function the user selected. Normally, the interface will only let you select built-in functions, but by hacking a RAM backup, it was possible to make it jump to the data held in a STRING variable and execute it as code. Typically, this was populated with a bootloader that executed a shell stored within a PRGM. That shell provided a menu to execute arbitrary other code also stored in PRGM data.


There's also this: http://forums.glitchcity.info/index.php/topic,6638.0.html (featured on HN before)

and this (G/S ACE, through a translation error): http://forums.glitchcity.info/index.php/topic,6716.0.html


Yep, got this from a list posted on the top one: http://beza1e1.tuxen.de/articles/accidentally_turing_complet...

You may find more interesting items such as:

   Apache Rewrite Rules
   Sendmail
   BGP


Are there any good YouTube channels which look at these hacks and explain a bit about how they work?

I found this one: https://www.youtube.com/channel/UClgilE1XxsorM1iX9YtS4FA in the related videos of the Pokemon Yellow video which looks pretty good.


+1 for use of Clojure

+2 for use of Clojure's UTF-8 flexibility for direction arrows


Similar deal with Super Mario World, using programmed controllers to poke arbitrary code into memory and execute it. https://www.youtube.com/watch?v=OPcV9uIY5i4


You no longer need a special controller: a person has abused this glitch to skip straight to the credits on real hardware on an actual SNES controller.


nitpick: should be labeled (2013)


wow



