IIRC it's an off-by-one bug in an array - there's some exact location in the where if you hit it just right it looks up a struct like: sprite_array[SPRITE_ARRAY_SIZE] (i.e. one over the limit). That struct contains function pointers, which (as they're never initialized as a valid struct would have been) jump to a specific location in the memory storing the game's state. All the movements before that move are setting up that memory location to act as shellcode which will allow arbitrary executable data to be entered via the gamepad. I assume that 1:40 is the executable code for the three mini-games being loaded into memory. I can't find the reference now, but IIRC the bug in the game was discovered by someone who had written an optimisation algorithm to try and attempt to (automatically) run the perfect speed-run of Mario. Their fastest technique found the bug and inserted shellcode to set the level as completed. The original paper is worth reading if you can find it - it's got some interesting ideas in it about trying to optimise games like this based on short recordings of real users IIRC.
So let me get this straight: The game glitches he caused alternated/added in game code And he managed to take that game code and execute Pong and Snake out of it. Did I hit that straight on the head?
TLuigi003 Well I heard about various code injection methods, so this does not shock me. What is interesting is that it came out of the speedrun community, which is more interested in the result of code rather than code inside reason why it's happening.
ethanwdp Price Ok mr programmer "How does somebody CODING PONG INTO SUPER MARIO WORLD using a controller with SIX BUTTONS on TWENTY YEAR OLD HARDWARE by TAKING ADVANTAGE OF THE INNER WORKINGS OF THE GAME not surprise you?" In theory you can inject anything into memory once you know where the "rabbit hole" is; it is one of the basics of hacking and especially cracking, and there are a lot of methods that use that. "TWENTY YEAR OLD HARDWARE" makes this a lot easier, because back then the CPU, and its code as a result, was way more simplistic and written in assembler, where you care more about making things work than caring about security; that's why old games are more glitchy than modern games, where simple bugs in a game are more embarrassing for the programmer. "Who sat down to play Super Mario World, and then thought "What if I use arbitrary code execution to play snake and pong?" I think you have 0 idea what the console hacking community does on a daily basis if you are saying something like that. "He had to carefully plan out this run, and then actually completes it. Do you know how fucking INSANE this is? This guy did this on real fucking hardware. He wrote code by jumping on sprites in a very specific order." He does not use 100% physics, I remind you he used a scripted speedrun bot (which is the whole point of his project?) and you can see the button indicators go wild when his hack result started, which I assume was the actual moment of code injection. I assume in the first stage he uses memory states to build simple code that creates the access point for the actual injection; if he was to inject a program of this size with that method it would probably take a lot longer. I also think he studied memory states and the actual SMW code to predict this behavior; making this out of random is near to impossible, and besides, you need to write that arbitrary game first, right?
Indeed it is a lot of work but it's not a shock to me; for me it's not insane, for me it's something that I could see being possible via the methods he used. I've seen and read about a hell of a lot more things, so this does not surprise me. "It's so mind bogglingly complex that I don't see how you just scoff and say "pfft, I've seen code injections via interfaces.", while COMPLETELY IGNORING THE FACT HE DID THIS ON FRACKING SUPER MARIO WORLD." If this is "mind bogglingly complex" for you, I assume you are a higher-level language programmer, like those guys who come to UE4 forums and cry about the lack of C# support and say that it's the future of software development and say how C++ is full of shit and super hard, then come here and say how this is "mind bogglingly complex" and how their minds are blown. Once you know more deeply about software and hardware, the foundations of it, it is not "mind bogglingly complex", but something you could see happen with some effort put into it, which I don't deny. And again SMW is not the first software with holes that let you inject code; PSP-3000 hacking was all about it because if you flash firmware in it, it bricks the console, so code injection to memory was the only valid method. "You can't even piece together a sentence. Could you stop tipping your god damn fedora and appreciate something for once?" 1. Sorry, I'm not a native English speaker 2. I don't deny his hard work on this project, I'm just saying it is very natural to understand this once you've got some knowledge.
the amazing thing is that they did it on the ACTUAL HARDWARE (snes + super mario game cartridge) using only controller inputs. oh, and this should be in the description: arstechnica.com/gaming/2014/01/how-an-emulator-fueled-robot-reprogrammed-super-mario-world-on-the-fly/
4k's been around for a while. It's just nobody wants to spend $500-1000 on a monitor just to use it. It's basically the new 1080p. 4k TVs are also in the $5k+ range MINIMUM. Shit's expensive.
bagelhunt yeah, so youre going to buy all that shit to watch 16 bit Mario videos? theres a time and a PLACE for everything, and this is NOT the place for a 4K monitor
1:44 1:57 What the hell is this?! I've never seen this before. How many times i played Super Mario World and i see this in first time. It's completely out of the ordinary
interviewer: so what is the simplest coding language you can think of? me: scratch interviewer: so what is the hardest coding language you can think of? me: super mario world
I remember Slashdot some time ago made a poll about the best hacks of all time. I am pretty sure if they did that again, this one will be on the list. Even as an assembly programmer, it took me some layers to understand what's going on, I must have seen this video some time ago in a haste and didn't understand it then and skipped it, came back now and read some more info in their site, this is beyond.
Luigi understands his bro no more, mario thinks he can do unthinkable things like teleporting yoshi, and transforming the world into pong. It's been tough ever since he took that overdose of 1-ups, the doctor says he might never be the same again
The button inputs were done by human hands only while being recorded onto the raspberry bot. The inputs were performed across 8 controllers utilized by the bot to reprogram SMW on the fly; this was done legitimately on a SNES, but everything was handled by a bot.
B = B button
Y = Y button
s = select
S = Start
u,d,l,r = up, down, left, right
A = A button
X = X button
L = the L button, on top of the controller
R = the R button on top of the controller
numbers 0 to 3 = no idea
I understand how this was done but I still don't understand how this was done
11 years ago
Their main goal was to code Super Mario World inside Super Mario World, and then TAS it. But there wasn't enough input/frame possible for so much code.
The human equivalent of this would be like poking someone with a stick in seemingly random places on their body and then suddenly they start singing Italian opera.
+Zane Whitney Yep
"You are already a soprano"
ima try this
+Just a youtube commenter ROFLMAO You freaking win
Randomly poking at someone's brain and suddenly they're Einstein.
I wasn't that impressed until I realized that he didn't hack the rom directly but glitched it to the point that he could inject code via controller inputs. That's just astonishing.
reminds me of that super mario land 2 bug
@@witchymaoki5165 what bug?
@@NomeCreativo by clipping out of bounds mario can reach areas of RAM corresponding to the game states, edit them with his feet and cause the game to enter the credits state (after entering a level)
this is why TAS is such a cracked gamer
Killed your 666 likes, sorry.
If those inputs were made by a real person on a keyboard, it would look like hacking in a cheesy Hollywood movie.
yes
+artman40 seth bling actually made a video injecting code for flappy bird in smw
I wonder, if this was actually done in-real-time, done with fingers actually pressing buttons, maybe it would theoretically set the surrounding air on fire and break everything.
+DeRockProject & the Attack of the Really Long Channel Name it was done by hand the very first time
game4life12 but not in real time.
Super Mario World should be taught as a new programming language
toasterman3000 THE FACTS
101th liker
@@islilyyagirl woow i am 300th and now
that's a game idiot
And Mario 3
Mind = blown. I did code assembly before, which by itself is hard, but coding pure machine code with specific move set while in game itself to write a program in the ram then executing it is mind-blowing.
You sound very knowledgeable... how does this all work, exactly?
As I said in my post, this is all very complicated, but in layman terms, his moves are like lines of codes, which he writes in the memory of the consoles in a specific place/order. Then, he forces the game to execute the first line of code which leads to the other ones, making a program.
RemX405 Yeah, I heard that the specifics of the actions pre-total control are him shifting bits in memory around with the weird-looking double-fruit-eating antics and whatnot. The last pre-total control action shifted the final bits around to completely break the game - inputs after that proceeded to act as arbitrary code, resulting in him being able to program Pong and Snake in.
@@flyforce16 Assembly/machine code explanation: We write code in various programming languages that we can read. However, the CPU cannot read what we write directly. It has to be translated into machine code, which the CPU can read. The most basic 'programming language' is Assembly, which is actually just a more readable version of machine code. Some examples of Assembly instructions are MOV [move from here to somewhere else], ADD [add two values together], and JMP [start executing somewhere else]. Every instruction corresponds to a specific value in machine code. For example, we can give MOV a value of 0 and ADD a value of 1, so that when the CPU comes across a 0, it knows it should move something, and when it comes across a 1, it should add two values instead.
How ACE (Arbitrary Code Execution) works: When programs are written, the machine code generated is very specific and fragile. If one instruction or value is out of place, the entire program can come crashing down. So that's why extra care is taken to make the code as solid as possible, and that is also why higher-level programming languages are used, so that we don't have to deal with machine code. However, everything in a computer is bytes. Textures, sounds, levels, and machine code are all the same. The only difference is how they're interpreted. The CPU is never supposed to execute an image as if it were machine code, and vice versa. But, if we carefully set up Super Mario World in a very specific way, we can set up a JMP instruction to go somewhere it isn't supposed to. Now, instead of interpreting an image as an image, we instead start executing its bytes as if it were machine code. If we set up the game to start executing the information of the objects in the level as machine code specifically, then we can move those objects to very precise positions, and when we do the ACE glitch, those positions are executed as machine code.
How the games are constructed: We can execute a few instructions, but not Snake and Pong. Those object positions allow us to form a program that will read the controller's input and write them to memory, one after another. Since the controller's input is also read as bytes, we can input any sequence of instructions we want. Now we have the full system within our grasp, we can do whatever we want. We can make Pong, Snake, Flappy Bird (which SethBling has done in a real-time run with a different setup), and literally anything else.
I only barely followed the technical memory layouts that were required for this, but I definitely got the gist, making this, as a computer science student, the coolest thing I've ever seen.
For those who are wondering, the glitch is set up with 8 controllers put into a computer. The people who made this made a hack to put all the controllers together btw. In the frames after this glitch is completed the code of smw can be rewritten to anything they can code in the few frames. The original idea for that glitch was that they would write the code of the original super mario bros game and then TAS that. Thanks for reading :3
your explanation is not completely correct, they did not discover ace on smb1, it does not have the capabilities to allow ace in the first place
This...
*This..*
I am genuinely confused, and awe'd in amazement on how this was even REMOTELY possible...
*Now this, is the definition of talent.*
this is some next level shit
this is the hardest you can dominate a game
As a programmer, this nearly brought me to tears.
Its.. so.. beautiful...
Them: are you a computer programmer
Me: yes
Them: what you use
Me: super Mario world
more like 65c816 assembly
and if we switch to gamemode 3, you can See the armor stands
xdxdxdxdxdxd
Matta's Account
It’s called a JOKE.
Matta's Account
Yes
That's the joke
@@mattasaccount1663 fucking idiot
@@kiaydemir you're the fucking idiot he was joking dumbass
Need more TAS's where the game is re-programmed entirely haha.
They did twitch chat in pokemon or something
@@knuti27 that's something completely different
@@skapaloka222 They did something similar for Pokémon Yellow though, where they play Zelda and other games.
@@Oscar97o yea that one was amazing
The short version: There is a hole in the logic when Yoshi is commanded to send out its tongue to eat something. The game design uses offsets from these pointers to represent the code to be executed, say when you spit out a turtle so a turtle is created and goes flying away. There is a list of acceptable things to eat. Each of those have an entry that points to valid code. However, it turns out it's possible to very exactly time what gets eaten so you can eat something that isn't allowed, such as a P block. This will point to a location outside of the valid code. If you can get code at that location, you will cause the machine to execute it.
It also turns out that the game does some cute programmer tricks to represent other events in the game right nearby where that code is executed. You would never know this unless you decompiled the game and watched it execute. It is possible to manipulate events in the game so that you end up with just enough machine code in a location that when you spit out the correct illegal item at the exact right time, you are now executing arbitrary code. It won't be much, but just enough to "demand load" code from somewhere else and then allow it to execute.
Beautiful engineering.
And *that* code can be used to open the game up to more code being injected into it, such as with the "jailbreak" that Sethbling made a few videos about.
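The dispatch bug described in the comments above (an out-of-range item ID indexing a handler table, so the game state stored next to it is used as a code address), as an added C model that is not code from the game, the TAS authors or any commenter. The memory map, opcodes and function names are all constructed for illustration; `eat_checked` shows the two checks that stop it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 8-bit machine. Every address, opcode and name below is constructed
 * for illustration; none of it matches the real SNES or SMW memory map. */
enum { OP_HALT = 0x00, OP_LDA = 0x01, OP_STA = 0x02, OP_JMP = 0x03 };
enum {
    ROM_START = 0x00, ROM_END = 0x20, /* legitimate handler code        */
    TABLE = 0x20, N_EDIBLE = 4,       /* one handler address per item   */
    SPRITE_X = 0x24, N_SPRITES = 8,   /* game state right after table   */
    GAME_MODE = 0x30,                 /* 0 = in level, 7 = credits      */
    LAST_EATEN = 0x31,
    RAM_SIZE = 0x40
};

static uint8_t ram[RAM_SIZE];

/* Interpret the bytes at pc as instructions, whatever they were meant to be. */
static void run(uint8_t pc)
{
    uint8_t acc = 0;
    for (int steps = 0; steps < 32 && pc < RAM_SIZE - 1; steps++) {
        uint8_t op = ram[pc], arg = ram[pc + 1];
        switch (op) {
        case OP_LDA: acc = arg; pc = (uint8_t)(pc + 2); break;
        case OP_STA: if (arg < RAM_SIZE) ram[arg] = acc;
                     pc = (uint8_t)(pc + 2); break;
        case OP_JMP: pc = arg; break;
        default:     return;          /* OP_HALT or an unknown byte */
        }
    }
}

/* Fresh state: four real handlers in ROM, table pointing at them. */
static void reset_game(void)
{
    memset(ram, 0, sizeof ram);
    for (int i = 0; i < N_EDIBLE; i++) {
        uint8_t h = (uint8_t)(ROM_START + 8 * i);
        ram[h]     = OP_LDA; ram[h + 1] = (uint8_t)(i + 1);
        ram[h + 2] = OP_STA; ram[h + 3] = LAST_EATEN;
        ram[h + 4] = OP_HALT;
        ram[TABLE + i] = h;
    }
}

/* Constructed level state: sprite X positions that decode as
 * LDA #7 ; STA GAME_MODE ; HALT if they are ever read as instructions.
 * Sprite 0's X doubles as the "handler address" one past the table. */
static void place_sprites(void)
{
    static const uint8_t xs[N_SPRITES] =
        { SPRITE_X + 1, OP_LDA, 7, OP_STA, GAME_MODE, OP_HALT, 0, 0 };
    memcpy(&ram[SPRITE_X], xs, sizeof xs);
}

/* The bug class from the comments: the item ID indexes the table with no
 * range check, so ID == N_EDIBLE fetches a byte of sprite state instead. */
static int eat_unchecked(uint8_t id)
{
    run(ram[(TABLE + id) % RAM_SIZE]); /* toy address bus wraps */
    return 0;
}

/* Hardened form: reject IDs outside the table, and refuse any target
 * that does not point into the code region. */
static int eat_checked(uint8_t id)
{
    if (id >= N_EDIBLE) return -1;
    uint8_t target = ram[TABLE + id];
    if (target >= ROM_END) return -2;
    run(target);
    return 0;
}

/* Game mode after one "eat" of the given ID on a freshly set-up level. */
static uint8_t mode_after(int hardened, uint8_t id, int *status)
{
    reset_game();
    place_sprites();
    *status = hardened ? eat_checked(id) : eat_unchecked(id);
    return ram[GAME_MODE];
}

int main(void)
{
    int st;
    uint8_t m = mode_after(0, 1, &st);
    printf("unchecked, valid id 1:    mode=%u status=%d\n", (unsigned)m, st);
    m = mode_after(0, N_EDIBLE, &st);
    printf("unchecked, id one past:   mode=%u status=%d\n", (unsigned)m, st);
    m = mode_after(1, N_EDIBLE, &st);
    printf("checked,   id one past:   mode=%u status=%d\n", (unsigned)m, st);
    return 0;
}
```

The second check in `eat_checked` matters on its own: even with the index in range, a table entry that has been overwritten to point at sprite state is refused because it lies outside the code region.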
Now THIS is "beating the game"
*****
sethbling did this with one controller on a real console!
ua-cam.com/video/14wqBA5Q1yc/v-deo.html
+Silas Reel no that is credits warp
It's more of "beating up" the game
@@franciscop.3279 yep. Into a pulp. And then fashioning into something else.
I legitimately want to see someone use Arbitrary Code Execution in Yoshi's Island to recreate Doom.
That isn't possible. This exists because of an exploit specific to this game.
That would be another level of "It Runs Doom!"
Optimus6128 That is exactly what I was thinking.
CoatlessEskimo9 I thought someone found a code execution glitch for Yoshi's Island, but if not, OK. I was just saying Yoshi's Island because it's one of only two games that uses the Super FX 2 Chip that was used to make the SNES port of Doom, the other one being said port.
MrCrazyToad Wait. I'll look it up.
TAS of the year already? Absolutely brilliant!
Next thing is someone programming Fallout 4 into A Link to the Past.
Can't wait for the G.E.C.K.
brb doing
Someone HAS to program Sonic Mania into Super Mario World.
I've just seen this live on AGDQ and it's so awesome!
This is without a doubt the most impressive thing I have ever seen come out of TASing, and I've seen some crazy shit.
next episode-masterjun turns Super Mario World in Sonic the Hedgehog with the same glitch.
Bitch please I turned it into Halo 6 and that game isn't even out yet.
Brendan Harward not funny at all..
was pretty funny to me
He originally wanted to program super mario bros 3 into it and TAS that but he found out that there wasn't enough memory to do this.
7mario6 Yeah you're right. Sometimes my brain likes to switch things around for no reason... :/
All I could think of was, "WTF IS GOING ON?!"
soon we can play smw in smw
in smw
Or maybe GTA V in SMW
in SMW
+Alter Kühlschrank smw on smw on smw on windows virtual machine on windows virtual machine on a mac
+Ego Probably not
& Knuckles
@@ego9939 smw on smw on smw on virtual console on wii emulator on windows virtual machine on windows virtual machine on a Mac
When I first saw this, I went "eh, I did already see advanced uses of ASM to do totally different things in SMW", so I underestimated the ingenuity of this video. Now, getting that result by inputting the code via controller inputs is amazing, so kudos for achieving such a result using a more complex way to reach it.
Python, step the fuck aside, C++? more like C--...Java? you ain't got shit, here comes mothafuckin' SUPER MARIO WORLD....SUPER..... *SUPER MARIO WORLD++!*
YAY I WISH IT WAS A REAL LANGUAGE...except this looks much harder than c# :(
Gaming Dudester
Real talk, i'd rather stab myself with a fork than try to program anything in SMW XD
+Gaming Dudester its just writing processor instructions, not that hard XD
Robert Stafford
Yeah but it's writing processor instructions using fucking Super Mario World, dude...
That's batshit!
Winston Payne yeh.
I'm crying
>Hey man can you code?
>yeah
>what language?
>Super Mario World
Great. Now can you turn it into Half Life 3?
after 193812782382220912610126191102028920110100298292696901289292379201 years in development we hope its been worth the wait, thanks and protect your wallets this summer
-gaben
I did this the other day using Super Mario World++ but all I got was a card game
ok which one of yall fucked it up
I was watching the AGDQ stream when they did this live. Ppl in chat shit brix, and the audience was having a carnival. It was something to remember. A lot of the viewers had no idea what they had just seen, though.
Expert: Which programming language you use?
Masterjun3: _Super Mario World_
Regarding the Matrix, I used to think it made no sense that Neo could hack the program, since he's just a "player" in it. He only has user input, which has limited ability to influence the code itself. But now I understand.
This Mario is Neo.
I feel like the first part of this was just showing off for the sake of showing off. After that you made my jaw drop in 30 seconds.
How the hell did you do that?
He programmed a game by playing a game... basically.
+SayFuzzyPickles it's not purely showing off, it's part of the setup with some funny things to complement.
The first part of this was doing the first part of the hack, where with some glitches with stunning blocks/Yoshi/grabbing (don't know exactly, it's beyond my mind) they altered some sprites in memory and even added sprites with invalid IDs, that somehow jumped into another code because of how the SNES hardware works. Now this first series of glitches would make it pretty painful, maybe impossible, to write the games they did. But using this exploit, they jump into another piece of the code having to do with the input, so now after that it's much faster to send bytes of code and execute. I guess every frame of the TAS your input sends a byte or so, although they use some multitap thing, I don't know what it is, for more controllers to send more data per frame, and that would be on their TAS tools at home. But now there is the live TAS to prove that theoretically it would work on a real SNES. You must be Flash to be able to play that much, so of course they use that kind of robot accessory, I don't know what it does; somewhere I read they might have hooked a Raspberry Pi to it (that would, I guess, send the precalced succession of inputs, timed with the game refresh), so they can show it on an actual SNES in real time and not as a preprocessed TAS movie. Nothing is showing off, it's just so many levels of hackery, I am not sure I have grasped everything.
He's actually spawning tiles in a specific order to manipulate a table in memory to write code that will allow him to use inputs to write the code instead. At the end he glitches the game into executing the table he manipulated allowing him to write the code and then a part of the code executed it when all of the code was done.
All the steps are needed because the setup is really complicated, and it also depends of the POSITIONS in the sprite's table : for example if you need a sprite in the 7th position, you need to manipulate ennemies in order to have exactly 6 sprites before spawning the one you need (and then carrying it across the level, of course)
A *french* UA-cam show has explained this TAS : /watch?v=dcbdhDqBx_g&t=26m14s
The end of the video contains an awful quantity of glitches.
For example in order to spawn a (pink) nonexistent sprite, he hurt Mario while making Yoshi hold two objects at the same time!
Then this pink sprite in turn spawns another unknown sprite...
Then this new sprite allows to create the Total Control Glitch by making the game read the list of loaded-on-screen sprites as executable code (so you need a half-dozen perfectly ordered sprites to have the good code!).
And this glitched executable code asks the game... to read controller input as executable code!
In other words, the TAS creator can now execute all the code he wants because, by definition, controller inputs allow a player to make any input ^^
I personally prefer java...
Or just play it online
What?
Nah, Unity is better
Nice programming reference.
NOOOOOO Super mario world is the second best tool for making videogames, the best one is Game maker. 100% true.
This is the first 2160p video I have seen on youtube. I'm glad that it was SNES Mario.
This is beyond incredible. You seriously programmed games inside another game by feeding input into that game. You deserve one free internet.
THIS IS WHAT HAPPENS WHEN YOU DIVIDE BY ZERO
It didn't work, here's the error code. Exception in thread "main" java.lang.ArithmeticException: / by zero
@Hawk Deal with it.
I'm not sure a game can be broken more than this.
definitely more broken than OoT ;D
Vetras Fckyougooglplus I'm pretty sure there's an arbitrary code exploit for OoT somewhere.
We will use it to gain access to the 4th dimension
@@keiyakins YOU PREDICTED THE FUTURE!
@@keiyakins bruh nice guess
I don't even understand how this is possible!
Nice. ...
wut?
IIRC it's an off-by-one bug in an array - there's some exact location in the where if you hit it just right it looks up a struct like:
sprite_array[SPRITE_ARRAY_SIZE] (i.e. one over the limit)
That struct contains function pointers, which (as they're never initialized as a valid struct would have been) jump to a specific location in the memory storing the game's state.
All the movements before that move are setting up that memory location to act as shellcode which will allow arbitrary executable data to be entered via the gamepad.
I assume that 1:40 is the executable code for the three mini-games being loaded into memory.
I can't find the reference now, but IIRC the bug in the game was discovered by someone who had written an optimisation algorithm to try and attempt to (automatically) run the perfect speed-run of mario. Their fastest technique found the bug and inserted shellcode to set the level as completed.
The original paper is worth reading if you can find it - it's got some interesting ideas in it about trying to optimise games like this based on short recordings of real users IIRC.
Tim Wintle Couldn't find the paper, but there's a little more explanation here: minimaxir.com/2013/03/127-yoshis-in-slot-6/
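The indexing bug as recalled in the comment above, modelled in a toy memory layout with a hardened lookup beside it. This is an added example, not the game's code; the table size, the addresses and every function name are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SPRITE_KINDS 4u       /* valid sprite IDs are 0..3 (constructed) */
#define RAM_WORDS    8u       /* toy address space, in 16-bit words */
#define CODE_BASE    0x8000u  /* constructed range holding the real routines */
#define CODE_END     0x8100u

/* Words 0..3: routine-address table. Words 4..7: mutable game state
 * (object positions and the like) that play can influence. */
static uint16_t ram[RAM_WORDS];

void toy_init(void) {
    for (unsigned i = 0; i < RAM_WORDS; i++)
        ram[i] = i < SPRITE_KINDS ? (uint16_t)(CODE_BASE + 0x10u * i) : 0;
}

/* A write that normal play can cause, e.g. an object's position. */
void set_game_state(unsigned slot, uint16_t value) {
    ram[SPRITE_KINDS + slot % (RAM_WORDS - SPRITE_KINDS)] = value;
}

int in_code_region(uint16_t addr) {
    return addr >= CODE_BASE && addr < CODE_END;
}

/* Vulnerable pattern: the ID is trusted, so ID == SPRITE_KINDS fetches the
 * first game-state word and hands it back as a routine address. */
uint16_t handler_unchecked(uint8_t id) {
    return ram[id % RAM_WORDS];  /* modulo only keeps this toy in bounds */
}

/* Hardened form: reject IDs past the table, then confirm the fetched
 * address lies in the code range. Returns 0 on success, -1 otherwise. */
int handler_checked(uint8_t id, uint16_t *target) {
    if (id >= SPRITE_KINDS || !in_code_region(ram[id]))
        return -1;
    *target = ram[id];
    return 0;
}

int main(void) {
    uint16_t t = 0;
    toy_init();
    set_game_state(0, 0x0042);  /* constructed player-influenced value */
    printf("unchecked id 4 -> 0x%04X, checked id 4 -> %d\n",
           (unsigned)handler_unchecked(4), handler_checked(4, &t));
    return 0;
}
```

The second condition in `handler_checked` also catches a table entry that has been overwritten, not only an out-of-range ID.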
Very cool..
I'm dying so hard. Seeing this unfold live was amazing.
I've seen all kinds of crazy things in Super Mario World but this takes the cake. Excellent job.
Kudos to Masterjun3 and everybody that helped, was simply awesome, saw it live as well.
greets
So let me get this straight:
The game glitches he caused alternated/added in game code
And he managed to take that game code and execute Pong and Snake out of it.
Did I hit that straight on the head?
Ryan S. He basically figured out how to code in Assembly and have the game run it using only controller inputs/glitches. Insane.
Deathbrewer Not really insane, code injections via interfaces are nothing new :p
+Shadowriver Well, using control input and sprite positions to create pong using a Mario game is really insane
TLuigi003 Well I heard about various code injection methods, so this does not shock me. What is interesting is that it came out of the speedrun community, which is more interested in the result of code rather than the code inside, the reason why it's happening.
ethanwdp Price Ok mr programmer "How does somebody CODING PONG INTO SUPER MARIO WORLD using a controller with SIX BUTTONS on TWENTY YEAR OLD HARDWARE by TAKING ADVANTAGE OF THE INNER WORKINGS OF THE GAME not surprise you?"
In theory you can inject anything into memory once you know where the "rabbit hole" is, it is one of the basics of hacking and especially cracking and there are a lot of methods that use that. "TWENTY YEAR OLD HARDWARE" makes this a lot easier, because back then the CPU and its code as a result was way more simplistic and written in assembler where you care more about making things work than caring about security, that's why old games are more glitchy than modern games where simple bugs in a game are more embarrassing for the programmer.
"Who sat down to play Super Mario World, and then thought "What if I use arbitrary code execution to play snake and pong?"
I think you have 0 idea what the console hacking community does on a daily basis if you're saying something like that.
"He had to carefully plan out this run, and then actually completes it. Do you know how fucking INSANE this is? This guy did this on real fucking hardware. He wrote code by jumping on sprites in a very specific order."
He does not use 100% physics, I remind you he used a scripted speedrun bot (which is the whole point of his project?) and you can see the button indicators go wild when his hack result started, which I assume was the actual moment of code injection. I assume in the first stage he uses memory states to build simple code that creates the access point for the actual injection, if he was to inject a program of this size with that method it would probably take a lot longer. I also think he studied memory states and the actual SMW code to predict this behavior, making this out of random is near to impossible and besides you need to write that arbitrary game first, right? Indeed it is a lot of work but it's not a shock to me, for me it's not insane, for me it's something that I could see being possible via the methods he used, I've seen and read about a hell of a lot more things, so this does not surprise me.
"It's so mind bogglingly complex that I don't see how you just scoff and say "pfft, I've seen code injections via interfaces.", while COMPLETELY IGNORING THE FACT HE DID THIS ON FRACKING SUPER MARIO WORLD."
If this is "mind bogglingly complex" for you, I assume you are a higher language programmer, like those guys who come to the UE4 forums and cry about the lack of C# support and say that it's the future of software development and say how C++ is full of shit and super hard, then come here and say how this is "mind bogglingly complex" and how their minds are blown. Once you know more deeply about software and hardware, the foundations of it, it is not "mind bogglingly complex", but something you could see happen with some effort put into it, which I don't deny. And again SMW is not the first software with holes that let you inject code, PSP-3000 hacking was all about it because if you flash firmware it bricks the console, so code injection to memory was the only valid method.
"You can't even piece together a sentence. Could you stop tipping your god damn fedora and appreciate something for once?"
1. Sorry I'm not a native English speaker 2. I don't deny his hard work on this project, I'm just saying it is very natural to understand this once you've got some knowledge.
1:42 the fact that he used 24 controllers to code the games is just awesome.
the amazing thing is that they did it on the ACTUAL HARDWARE (snes + super mario game cartridge) using only controller inputs. oh, and this should be in the description: arstechnica.com/gaming/2014/01/how-an-emulator-fueled-robot-reprogrammed-super-mario-world-on-the-fly/
I like how you used the secret exit sound effect for the menu. Works well.
Can't wait to see the replay of this from AGDQ, as I sadly missed it. Incredible stuff!
Masterjun, I love you.
After seeing this live, I have to say, "This was incredible!" Great job! :D
Holy cow. I never knew how possible it is to manipulate a game into making some minigames. That is so awesome.
Am I the only one around here who noticed the 1440p and 2160p and the 4K thing? WHAT NEW KIND OF HD SORCERY IS THIS!?
That might be my favorite part of the whole video.
4k's been around for a while. It's just nobody wants to spend $500-1000 on a monitor just to use it. It's basically the new 1080p. 4k TVs are also in the $5k+ range MINIMUM. Shit's expensive.
bagelhunt yeah, so you're going to buy all that shit to watch 16 bit Mario videos? there's a time and a PLACE for everything, and this is NOT the place for a 4K monitor
Pretty sure it's for the lolz in this case, guys.
Bram Swarr I'm not saying get 4k to watch this video, I'm saying it's nothing to freak out about.
This reminds me of a fever dream I had when I was eight.
I loved the audience reaction at AGDQ.
*****! What kind of drug you put into that game? Cocaine!?
No, it's a glitch to get a game of pong, snake, and the end with a blue smiley face
Yes I know
Which is the same as weed, not cocaine
+Sendy Lie (Lv.? Freelancer) Shrooms. Lots of fucking shrooms.
+TheMighty Pikachu You ruined her/his joke...
That was the coolest thing I've ever seen. Congratulations amigo:)
I really have no idea what to say. This is completely mind blowing.
I saw'r it live on AGDQ and was incredibly amazed then I became dizzy and almost fainted. :3
Scientists: “All dreams have meanings.”
My dreams:
some of the highest resolution pixels i have ever seen
Speedrunner is casually playing nostalgic games, although this is a TAS.
Legend has it that all games are made with SMW arbitrary code execution.
Even SMW itself was created this way.
1:44 1:57 What the hell is this?! I've never seen this before. How many times I've played Super Mario World and I'm seeing this for the first time. It's completely out of the ordinary
I saw this video debut live on AGDQ 14' and it was fucking beautiful
Imagine if this was an actual easter egg left in the game and someone randomly discovered this
interviewer: so what is the simplest coding language you can think of?
me: scratch
interviewer: so what is the hardest coding language you can think of?
me: super mario world
Really? I constantly get spaghetti code in Scratch when trying to make a space shooter!
Tux Mux simplest not easiest
This exploit is genius.. very well done. Kudos to you for discovering it. Liked & subbed.
More like speed hacking than a traditional speed run. This is amazing.
This should've been in the ads for this game. IT'S 3 GAMES IN 1!
Stunning.
That unknown sprite behind mario is actually what u first see when you try doing item icremation with yoshi in item box
Who still needs Lunar Magic?
this game is pretty glitchy
Not as glitchy as Sonic 06 or Donkey Kong 64 though....
This is the only game in the world that can be glitched so hard it becomes other games.
This is completely next level.
I was busy watching the Button Inputs and I look back to find a shell just vibrating.
Ah, this is the Super Mario World that I remember from my childhood!
Amazing man. Just fucking amazing.
This is the same run and person who made the run for the AGDQ 2014 TAS Block. Masterjun3 is awesome.
I remember Slashdot some time ago made a poll about the best hacks of all time. I am pretty sure if they did that again, this one would be on the list. Even as an assembly programmer, it took me some layers to understand what's going on, I must have seen this video some time ago in haste and didn't understand it then and skipped it, came back now and read some more info on their site, this is beyond.
I feel like this is what Mario would do if he found out he was in a game.
is it just me or did Yoshi’s eyes at 1:20 look like he just woke up at 3 AM
this is the clearest hd i have ever seen in my life
I originally saw this being done with Pokemon Yellow but never with Super Mario World. Either way, what the hell is this black magic.
So you basically Rick'ed that simulation but with extra steps. Beautiful
THIS GUY IS A GENIUS
imagine this but from the Enemy's/Yoshi's point of view lol
When they tried this again at AGDQ 2018, Luigi showed up.
Grand POOBear was very surprised.
man this is crazy!! good stuff man
Why I'm not surprised with this? Anyway, amazing TAS!
Luigi understands his bro no more, mario thinks he can do unthinkable things like teleporting yoshi, and transforming the world into pong.
It's been tough ever since he took that overdose of 1-ups, the doctor says he might never be the same again
The button inputs were done by human hands only while being recorded onto the raspberry bot. The inputs were performed across 8 controllers utilized by the bot to reprogram SMW on the fly; this was done legitimately on a SNES, but everything was handled by a bot.
Saw this in the AGDQ event, and this is incredible
0:32 remix baby
Am I the only one who thought BYsSudlrAXLR0123 was a username at first glance?
B = B button
Y = Y button
s = select
S = Start
u,d,l,r = up, down, left, right
A = A button
X = X button
L = the L button, on top of the controller
R = the R button on top of the controller
numbers 0 to 3 = no idea
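How one frame of the input display in the legend above becomes a 16-bit value, which is what lets button presses stand in for arbitrary bytes once the game reads them as code. This is an added example, not taken from the TAS tools; the '.' placeholder for an unpressed button, the most-significant-bit-first order and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Column legend from the comment above; column 0 is taken as bit 15
 * (an assumption of this example). */
static const char LEGEND[] = "BYsSudlrAXLR0123";

/* Convert one 16-character frame such as "B..S....A......." to a word.
 * Returns 0 on success, -1 if the length or any character is invalid. */
int frame_to_word(const char *frame, uint16_t *word) {
    uint16_t w = 0;
    if (strlen(frame) != 16)
        return -1;
    for (int i = 0; i < 16; i++) {
        if (frame[i] == LEGEND[i])
            w |= (uint16_t)(1u << (15 - i));
        else if (frame[i] != '.')
            return -1;               /* letter in the wrong column */
    }
    *word = w;
    return 0;
}

/* Pack the words from several controllers in one frame into bytes,
 * high byte first. Returns bytes written, or -1 on a malformed frame. */
int frames_to_bytes(const char *const *frames, int n, uint8_t *out) {
    for (int i = 0; i < n; i++) {
        uint16_t w;
        if (frame_to_word(frames[i], &w) != 0)
            return -1;
        out[2 * i]     = (uint8_t)(w >> 8);
        out[2 * i + 1] = (uint8_t)(w & 0xFF);
    }
    return 2 * n;
}

int main(void) {
    uint16_t w;
    if (frame_to_word("B..S....A.......", &w) == 0)  /* constructed frame */
        printf("0x%04X\n", (unsigned)w);
    return 0;
}
```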
that's friggin sick dude!
my brain still hurts from this
Holy crap.
It still surprises me what can be done with this game.
lex fridman and andrej karpathy mentioning this brought me here. very nice
I understand how this was done but I still don't understand how this was done
Their main goal was to code Super Mario World inside Super Mario World, and then TAS it. But there wasn't enough input/frame possible for so much code.
I'm more amazed by the seemingly custom apple sprite in Snake