This is probably the best way to present programming stuff (hex values, memory map...) I have ever seen in a video. It's clear, pleasing to the ears and eyes. The topic is also very interesting. I would love to see more such well-made videos for anything. I hope this channel will attract as many people as possible, it deserves it.
EZScape hi, fun fact, jsr stands for jump straight to ram and 8f e3 is the address it must jump to in order to load the right crash value, I read the dev commentary on tasvideos.org
As a developer, this was extremely interesting. By far the best video I've ever seen on an arbitrary code execution exploit. Thanks for the awesome video! :D
uh i'm pretty sure you did something wrong have you hit the music block which replaces a $4G69 ROM mapping function 18 screens under the main stuff or the question block which replaces the $4G79 Control function 17.5 screens under the main stuff?
i think i know why you hit 1010010101010101010101001100101010101 in bi or a5 55 54 ca 15 in hex at the time that you did that there was data that was from super mario 64 in parallel universe so the game swaped the banks with 64sh banks bk the one koppa was one bit off so the game ran 10101010010101010100101010111111111 in bi or the thing telling nes what game your playing bye looking at the ram and seeing the data and runing the game that go with the data in 1st biyt and 64s data was in there so it rad 64 that good
The fact that you go so in depth graphically instead of just randomly spouting your values is fantastic! Keep it up! I imagine the production work takes tons of time, but I love it!
+Retro Game Mechanics Explained: I used a different method called the easy method, and when you said sometimes it does not work even if you got the shell in the right spot, because it sometimes locks up on something, but I found a way to always line up those values, and this is how. When the paratroopa is moving up, boop it with the tail when the tips of its feet are lined up with the first lip of the pipe, using the easy method, and the closer you are to the correct frame the better the credits will look; that same shell placement is for the positioning of the credits screen. Once I booped the paratroopa at the right spot, but I put it one pixel too far to the left; that caused the credits to play 100% perfect, but they played too far to the left of my TV. The koopa in slot 3: never reboop it with the tail. When you mention the address 20 for the jump code, the 10th digit, in this case 2, this is when the values are aligned, but not just that one: the 10th digit can also be 1 through 10, and that is caused by booping the koopa at slot 3 at the correct position, and when he moves the correct direction, and if you reboop it with the tail by accident the 10th digit will return to 0. The placement of the shell in slot 3 determines the unit, and the unit determines the screen position, so 0 is always perfect screen placement. When the paratroopa starts moving up the 10th digit goes from 0,1,0,2,0,3,0,4,0,5,0,6,0,7,0,8,0,9,0,10: The higher up the koopa troopa goes the quicker those values switch, and when he starts to move down the 10th digit is always 0, which is bad. And if the bit codes are like this 100 8F E3 the credits are 100% perfect; the credits that show the world will run with the checked floor. Once I booped the koopa a fraction off of the 10, 10th digit, when I hit the note block on the 19 screen it flickered 4X before playing the credits 100% perfect.
Take a look at my video for the easy set-up; it is not me who found the easy set-up, but it is me who found out about the correct alignment of the previously uncontrollable value. When I filmed this I did not know about this at the time, and after placing the shell in slot 3 at the correct spot, if you take the pipe to the far right, make sure to walk off to the right to quickly despawn the shell in slot 3. The koopas in slot 4 and slot 5, those ones you can reboop with the tail as much as you like since E3 counts as one unit, as well as 8F. ua-cam.com/video/701sO-YxhGM/v-deo.html When you place slot 5 at the correct position you don't have to walk off to despawn it, since it will be floating above the pipe; it will despawn right away when you return to the start of the level.
Well done! It really tracked with a lot of the thought processes that went into figuring out the exploit for the TAS, and is accurate while still being more accessible than a text-only explanation.
What I'd really like to know is how TASBot manages to program Mario Maker inside Super Mario 3 (or World, I don't remember). My guess is jumping in memory where there is the ram that deals with input from the controller and programming it that way? I'm not sure what you can do with only about 10 memory locations. Unless there are more detailed ways to execute that.
What's even better is the end credits warp in Super Mario Land 2, Six Golden Coins: Mario glitches through the floor, ending up in the game's code (which is rendered onscreen as graphic tiles), and literally hits a block to set the "roll end credits" flag to TRUE.
Luigi: So mario, how did you come back after defeating darkion? Mario: to answer that, we need to talk about *parallel universes* *hazy maze from mario 64 starts playing* Tell me if I spelled darkion right? This joke was from something about super mario world, right at the start of the video, made by terminal montage
It's not often someone does this deep an amount of research, basically never do they then pack it into something this easy to digest and understand. My humblest thanks, will be sharing with my friends tomorrow.
This was incredible! For years I've wanted to do the wrong warp in SMB3. I've been trying to decode what I need to do from people's PBs but haven't understood it. This video explained it so well that not only I did it, but that my friend that doesn't speedrun also got hooked on it and we did it together. It was such a great experience trying and then being happy when we finally succeeded with the wrong warps! :D We ended up doing it on emulator though because trying it on console with no practice was haaaaaaaaaaard! :)
Mario: Princess, I'm finally here. Peach: Did you beat Bowser? Mario: Well...uh... Peach: Don't tell me you used the pipe glitch. Mario: I mean, it's a little "easier" to do/accomplish. Peach: *sighs* Ugh...
Yep! The NES CPU was the Ricoh 2A03. It was basically just a 6502 without a decimal mode and with an audio processing unit and IO controller for the controllers welded onto it.
Great video! I have tried this shell down technique many many times and haven't yet got to princess. Mostly game crashes and sometimes to world 7 castle's king with wand.
Finding out glitches is one thing but stuff that messes with how the game runs is something totally different. And using this knowledge ingame is again on another new level. This is so amazing.
Definitely, reverse engineered. A hacker studied the code, attempted to find a way to do code injection on an SNES, made a tool that showed those values in real time. This isn't the first time code injection's been done, and they probably could have stolen your identity with just as much effort... assuming they are only going to use a SNES control to do so. Stealing your identity with a laptop and Wi-Fi decrypter would be trivial.
tasvideos.org/4288S.html This is the first known instance of the glitch being used in that way. The aforementioned RAT926 (a Japanese player) was apparently already investigating weird behavior with block changes causing odd behavior (he turned both a used-up brick and a muncher into inactive invisible music blocks back around 2013). The bad pipe behavior (where phantom pipes happen) was well-known by speedrunners by then already. Some assembly guy then took a look and figured out how to write code that would lead to the ending. So in short, it was found because one guy was glitch hunting, and the TAS community took notice and fell on the game like code-munching piranhas because they're always after the fastest technically possible times.
I've seen the glitch done for Super Mario World, and the glitchers would explain it a bit. However this vid makes a lot more sense than someone explaining while doing it. I especially liked the graphic at the side that showed the unit values, and the checks as you went through it. Nice work.
Excellent video! Even though, I don't understand it, I still sorta understand it because you explained it really really well. Like a great teacher would. Of course this leads me to ponder if requests is something you'd be interested in doing because, there's a very interesting glitch in *Ys: The Vanished Omens* for the Sega Master System ( _I perform it on my playthrough in part 1_ ) where if you attempt to buy the Mirror from Pim in Minea a couple of times, really strange effects can occur. Such as you can be teleported to a glitch area that plays the Tower of Dahm's theme, the game can crash, you'll get a random amount of gold usually in the thousands, you can get gold and items, you can be leveled to max level instantly and many more stuff, I am convinced that there might just be a way to glitch it to the ending from there. Another thing I am interested in, but this is admittedly something I've tried to understand on my own more, is that in many old school games ( _in this case Shadowrun on Sega Genesis_ ) they have palette swap enemies / allies. I've been trying to use a hex editor to swap the palette of the character but to no real success.. One day I'll succeed I believe. But just what that change is.. Is interesting.
I think that I finally understand how controlling memory mappers works. You send a write command to what would normally be a ROM location. However, because there's a memory mapper and not just the bare ROM the mapper can catch that write command and then perform some other command. Clever that.
Nice! I found out about your channel through UA-cam recommendations, and before this video, I didn't know NES/Famicom games were written in what looks like Assembly.
love how the first thing you see in the glitchy mess is coins resembling the ^^ face. always found it oddly fitting, like, yep youve glitched down here good job
Dots: Love this video, amazing! However, I wanted to point out a small error. At time marker 5:52 , you show where the RTS instruction returned us to. However, this is not PRG1E (Bank 30) as you have labeled, but PRG1D (Bank 29). PRG1E (Bank 30) is meant to be at $8000, however, when the value #$80 is written to $9C70, the MMC3 immediately does a bank switch - changing $8000 to PRG1D (Bank 29), $A000 to PRG07 (Bank 7), $C000 to PRG1E (Bank 30) (Meant to be at $8000!!!) and $E000 stays at PRG1F (Bank 31). Furthermore, the stack IS meant to be empty when returning to $8F4D, because in normal execution, we would be within the main game level loop within PRG1E (Bank 30). However, due to PRG07 (Bank 7) now being loaded in at $8000, we land in the middle of a routine for drawing the player - hence the eventual RTS instruction, and subsequent jump to RAM at $0081. So I guess it's not an unintended empty stack, it's a return to an address that now holds the wrong bank. This bank mix up is only fixed up when a BRK is executed, since the IRQ routine calls a bank swap. Because bank swaps in SMB3 are set for $A000 and $C000, this returns our static banks PRG1E (Bank 30) and PRG1F (Bank 31) to $8000 and $E000 respectively. Indeed the wrong warp wouldn't be possible without at least one IRQ before the JSR to $8FE3!!! -KabAudio
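Added example, not part of the comment above or of the video: a minimal Python model of MMC3 PRG banking that replays the stray write of #$80 to $9C70 described by KabAudio and shows which bank $8F4D resolves to before and after. The bank-select values 0x46/0x47 and the register contents R6 = 29, R7 = 7 are assumptions chosen to reproduce the mapping listed in the comment; CHR banking, mirroring and IRQ registers are not modelled.

```python
"""Simplified MMC3 PRG banking model (added example, PRG side only)."""

PRG_BANKS = 32        # 256 KiB of PRG ROM in 8 KiB banks -> banks 0..31
PRG_MODE_BIT = 0x40   # bank-select bit 6: PRG ROM bank mode


class MMC3Prg:
    def __init__(self, prg_banks=PRG_BANKS):
        self.prg_banks = prg_banks
        self.bank_select = 0x00   # last value written to the bank-select register
        self.regs = [0] * 8       # R0..R7; R6 and R7 hold the PRG bank numbers

    def cpu_write(self, addr, value):
        """Decode a CPU write to cartridge space. The ROM is never modified:
        the mapper latches the value into one of its own registers instead."""
        if not 0x8000 <= addr <= 0xFFFF:
            raise ValueError("not a cartridge PRG address")
        if addr >= 0xA000:
            return "ignored"      # mirroring / PRG-RAM / IRQ registers
        if addr % 2 == 0:         # even address in $8000-$9FFF: bank select
            self.bank_select = value & 0xFF
            return "bank_select"
        # odd address in $8000-$9FFF: data for the register chosen by bits 0-2
        self.regs[self.bank_select & 0x07] = value & 0xFF
        return "bank_data"

    def prg_map(self):
        """Return {window base address: 8 KiB bank number} for the CPU windows."""
        r6 = self.regs[6] % self.prg_banks
        r7 = self.regs[7] % self.prg_banks
        second_last, last = self.prg_banks - 2, self.prg_banks - 1
        if self.bank_select & PRG_MODE_BIT:
            # Mode 1: $8000 fixed to second-last bank, $C000 swappable (R6)
            return {0x8000: second_last, 0xA000: r7, 0xC000: r6, 0xE000: last}
        # Mode 0: $8000 swappable (R6), $C000 fixed to second-last bank
        return {0x8000: r6, 0xA000: r7, 0xC000: second_last, 0xE000: last}

    def bank_at(self, addr):
        """Bank currently visible at a CPU address in $8000-$FFFF."""
        return self.prg_map()[addr & 0xE000]


def replay_stray_write():
    """Replay the sequence from the comment and report what $8F4D points at."""
    m = MMC3Prg()
    # Assumed normal state: PRG mode bit set, swappable windows at $A000/$C000.
    m.cpu_write(0x8000, 0x46)
    m.cpu_write(0x8001, 29)       # R6 = bank 29 (assumed, implied by the comment)
    m.cpu_write(0x8000, 0x47)
    m.cpu_write(0x8001, 7)        # R7 = bank 7 (assumed, implied by the comment)
    before = m.bank_at(0x8F4D)

    # The out-of-bounds tile write: value $80 to "ROM" address $9C70.
    kind = m.cpu_write(0x9C70, 0x80)
    after = m.bank_at(0x8F4D)
    mapping = m.prg_map()

    # Any later bank-select write with bit 6 set puts the fixed bank back.
    m.cpu_write(0x8000, 0x46)
    restored = m.bank_at(0x8F4D)
    return before, kind, after, mapping, restored


if __name__ == "__main__":
    before, kind, after, mapping, restored = replay_stray_write()
    print(f"$8F4D before: bank {before}; write decoded as {kind}")
    print("after:", {f"${k:04X}": v for k, v in mapping.items()})
    print(f"$8F4D after: bank {after}; after a normal bank swap: bank {restored}")
```

The return address $8F4D is unchanged by the write; what changes is which 8 KiB bank answers at that address, which is why a plain RTS ends up in unrelated code.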
Thank you for this great explanation! I was led here by tetrabitgaming's video but I was disappointed there by a lack of real reasoning. Now this topic is way more clear to me. Thank you!
It took me this long to realize it but basically: We are using that invisible note block after we wrong warped to execute an address we made with the shells to teleport us to peach's room. What the fuck.
Fantastic video, dude. Kinda reminds me of when they have an Engineer or Scientist come to your school, then kids ask them a question and they answer it in wtf-level detail and just blow everyone's mind. That's about where I am right now watching this lol
It's wild what ACE can do when game designers and their programmer counterparts had to compact an entire game down to capacities such as 256kB for SMB3 or even smaller as you look back in time. It's a lot easier to jackhammer the stack or violate some mechanic to attempt a bad read or write to somewhere illegal when the programmers were worried more about simply making the game work correctly within the hardware's confines than fretting about drawing 35 gigabytes worth of textures. Programmers were a lot more resourceful back then and had a nearly intimate relationship with their target hardware. Knowing how to bend the rules could help you implement your current mechanic in 450 bytes rather than 600 bytes; add up all that memory or program space saved over time while utilizing these methods, and your game has the space to add more levels, features, mechanics, secrets, or anything else that might have your design be the smash hit of the day. If I had a list of things I'd do with a time machine, taking a modern IDE and hardware development tools back to these days would be on my list. Not like... in the top 100 or anything... but it would be on there. :)
This is one of the best gaming videos I have ever seen! We need more game spec videos like this out there. I was watching a video on how the Sega Saturn processes 2d and 3d games a while ago on someone's channel. If it wasn't for the fact the guy was heavily Japanese and hard to hear his English through his Japanese accent, I would have a 110% clear explanation of the hardware that entails the Saturn. I love learning stuff like that! Keep it up man. I'm subscribing right now
so if i understand, the game crashes while trying to create that invisible note block to repel mario while the actual note block is going up because everything is so out of index because you went so out of bounds? but why does the game execute the code you injected? is it like a failsafe kind of thing where they knew the game was gonna crash and they just execute any command they have as a last resort? i got the part where the code says jump to subroutine 8F E3 and the game crashes when you hit the note block but then everything was just too complicated for me
It's not a failsafe or a last resort, the game is so out of index at that moment that it just starts executing code from locations it shouldn't and ends up executing the injected code.
The whole exploit is possible because of the 6502's Von Neumann architecture. The cpu is interpreting the sprite location _data_ as instructions. The rest of the procedures performed after placing the sprites down are to move the instruction pointer/PC to the address where the sprite location data is kept
@Crasy Fingers: This is just a summary of what he said above, and something that he missed, to be more clear on what happens. Warning: the summary is kind of long. The reason it works: when you go out of bounds, the note block that crashes the game actually exists in the real part of the level, but when you hit it in the real part of the level, it works properly. This is just an example, it may not be exactly correct: that note block is normally on 6261 and when you hit it it goes 6261+0F to make 6270, nothing goes wrong here, and DD1A works fine to update the sprite animation and then the game returns to the note block bouncing animation, and saves the X coordinate of that bouncing animation in $0097, and its Y coordinate in $009F; the X and Y values are only overwritten if another block bounces. So when you go out of bounds the block that was in 6261 gets incorrectly placed every time on 9C61, but since it is the same block it still has +0F to find the sprite animation, so it will go 9C61+0F=9C70, and that tells the game to write to read-only memory, and since that is not possible the game looks in open bus to find out what to do with 9C70, and finds valid garbage code to update in DD1A; the garbage code is too long by one byte, so that it overflows the stack buffer, so you will see in the debug menu Address $0100: JSR:$0080, that means it already overflowed, that it jumps to that address; that address has the instruction $0080:RTS-1 so it will go to address $0081, then it needs to go through a lot of addresses before reaching the X coordinates of sprites, which start on $0090. Enemies' X positions start on $0091 and end with $0095. Enemies spawn on the highest slot first that is still available, so we write at $0093: $20, and at $0094: E3, or E1, and $0095: 8F; in the debug menu this will show as $0093: JSR: $8FE3, or JSR: 8FE1; you will see in the debug menu that $0094 and $0095 do not show anymore, and address $0096 still shows because that is the X coordinate for the power-up.
Mario's X position is in $0090. Mario's X position needs to be correct when hitting the note block that crashes the game, to make it work, because he can go to an opcode with enemies in $0091 and $0092; with the easy method nothing spawns on $0091, and since nothing spawns its X value is $00. Most of Mario's X coordinates are OK, just a few would guarantee a fail, and that is what causes the different sounds before it transitions to the rescue the princess. And it does work on WiiU Virtual Console, and all other Virtual Consoles, except for NES mini, and also it does not work on the Japanese version and the PAL version. Does not work in all versions of All-Stars. If you need more information on why it works, and why the Virtual Console is banned for speedrunning that category, just contact me in here.
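Added example, not part of the comments above: a toy 6502 subset in Python showing the two steps the comments describe, an RTS on an empty stack wrapping the 8-bit stack pointer and landing at $0081, then the enemy X positions at $0093-$0095 being decoded as JSR $8FE3. The stack bytes $80/$00 and the NOP filler in $0081-$0092 are constructed for illustration and are not the game's real RAM contents; only three opcodes are implemented.

```python
"""Toy 6502 subset: data in zero page decoded as code (added example)."""

RAM_SIZE = 0x800        # NES internal RAM, $0000-$07FF
ENEMY_X_BASE = 0x90     # per the comments: $0090 Mario X, $0091-$0095 enemy X
OPCODE_LENGTH = {0xEA: 1, 0xA9: 2, 0x20: 3}   # NOP, LDA #imm, JSR abs


class Mini6502:
    def __init__(self):
        self.ram = bytearray(RAM_SIZE)
        self.sp = 0xFF      # $FF means the stack is empty
        self.pc = 0x0000

    def read(self, addr):
        return self.ram[addr % RAM_SIZE]

    def pull(self):
        # The stack pointer is 8 bits wide, so $FF + 1 wraps to $00 and the
        # CPU reads $0100 as if it were the top of a 256-byte-deep stack.
        self.sp = (self.sp + 1) & 0xFF
        return self.ram[0x0100 + self.sp]

    def push(self, value):
        self.ram[0x0100 + self.sp] = value & 0xFF
        self.sp = (self.sp - 1) & 0xFF

    def rts(self):
        lo = self.pull()
        hi = self.pull()
        self.pc = (((hi << 8) | lo) + 1) & 0xFFFF   # RTS resumes at address + 1

    def run(self, max_steps=64):
        """Decode from self.pc; return (reason, address, detail)."""
        for _ in range(max_steps):
            if self.pc >= RAM_SIZE:
                return ("left_ram", self.pc, None)
            op = self.read(self.pc)
            if op not in OPCODE_LENGTH:
                return ("unsupported_opcode", self.pc, op)
            if op == 0x20:                            # JSR: little-endian target
                target = self.read(self.pc + 1) | (self.read(self.pc + 2) << 8)
                ret = self.pc + 2
                self.push(ret >> 8)
                self.push(ret & 0xFF)
                return ("jsr", self.pc, target)
            self.pc += OPCODE_LENGTH[op]
        return ("step_limit", self.pc, None)


def simulate(enemy_x, filler=0xEA, stack_bytes=(0x80, 0x00)):
    """enemy_x maps sprite slot (1-5) to its X position byte.
    Returns (address RTS landed on, SP after RTS, outcome of decoding)."""
    cpu = Mini6502()
    for addr in range(0x81, ENEMY_X_BASE + 1):        # constructed filler
        cpu.ram[addr] = filler
    for slot, x in enemy_x.items():
        cpu.ram[ENEMY_X_BASE + slot] = x & 0xFF
    cpu.ram[0x0100], cpu.ram[0x0101] = stack_bytes    # constructed stack bytes
    cpu.rts()                                         # stray RTS, empty stack
    landed, sp_after = cpu.pc, cpu.sp
    return landed, sp_after, cpu.run()


# Constructed inputs: slots 1-2 are NOP filler, slots 3-5 carry the payload.
ALIGNED = {1: 0xEA, 2: 0xEA, 3: 0x20, 4: 0xE3, 5: 0x8F}
# Slot 2 holds a 2-byte opcode, so the $20 in slot 3 is eaten as its operand.
MISALIGNED = {1: 0xEA, 2: 0xA9, 3: 0x20, 4: 0xE3, 5: 0x8F}
# Slot 3 is one pixel off, so the byte is no longer the JSR opcode.
OFF_BY_ONE = {1: 0xEA, 2: 0xEA, 3: 0x21, 4: 0xE3, 5: 0x8F}

if __name__ == "__main__":
    for name, slots in (("aligned", ALIGNED), ("misaligned", MISALIGNED),
                        ("off by one", OFF_BY_ONE)):
        landed, sp, (reason, addr, detail) = simulate(slots)
        shown = "-" if detail is None else f"${detail:04X}"
        print(f"{name}: RTS -> ${landed:04X}, SP=${sp:02X}, "
              f"{reason} at ${addr:04X} ({shown})")
```

The misaligned and off-by-one cases show why the positions of the other sprites and a single pixel of shell placement decide whether the three payload bytes are ever decoded as one instruction.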
Can you imagine someone doing this in the early 90's with a console version of SMB3, during a speedrunning competition? It would probably make national news.
Seriously though, this is the channel where I post my quality videos (RGME series), and pretty much everything else I want to upload goes on my dotsarecool channel.
I hope to one day fundamentally and truly understand the level you explained everything that happened here. For now I simply have the general method the trick is done and the idea we are taking advantage of the system's quirks of reading the code as typed that does not feature error catching for the shown situations. How anyone would find routes like this by mistake without actually digging into the code itself seems incredibly improbable and might be worth a video in itself of how it was discovered in the first place.
Loved the explanations! You're very well documented and the diagrams and drawings you make are so sensible and just right that anyone can understand what's been up; as well as your more advanced users not get too bored. Good luck with future movies. Got yourself a subscriber. :)
2:36 I hate to be direct, but it would actually be one pixel to the left, because the koopa would unload sooner. Also three things: walking enemies move by half a pixel every frame, a koopa’s subpixel position doesn’t change when it’s in Mario’s hands, and koopas move by half a pixel when they wake up in Mario’s hands. In this setup’s case, the koopa moves by half a pixel to the right. This means that depending on the subpixel value the koopa last had before grabbing it, you have to stand where the koopa’s X position is at either #$B7 or #$B8. If the koopa’s subpixel value is 0-7 before waking up, then you have to stand where the koopa’s X position is at #$B8. If the koopa’s subpixel value is 8-F before waking up, you have to stand where the koopa’s X position is at #$B7. This means that this “simple” #$8F setup yields a 50/50 chance at working.
I sent me.
*_That’s pretty funny._*
You also sent me. What a coincidence!
Summoning Salt whyd u stop making vidz man. Your videos on speed running are intoxicating. PLEASE make more
Why aren't you verified???
Same
You explained it..I don't understand any of it..but you explained it.
The explanation (or just about any warp glitch) requires some understanding of how the hardware works. There's a bunch of videos and articles regarding that. I recommend looking at those first.
Those concepts also apply to game boy games for example. Therefore you can also gain some understanding from game boy resources.
You’re in a level, you mess with how the enemies work, you grab a turtle and go inside a pipe backwards, the game crashes, you throw the turtle away as you hit the block, you hit the block, the game ends
Yeah wasn’t much of an explanation
@@thebeanmaster4358 That’s not an explanation.
Then try the bismuth explanation. Bismuth did a really good job...
So: A bad note block outside 7-1's level bounds can be reached. It causes the block bounce code to swap itself out accidentally with an unintended routine that returns to yet another unintended routine, that returns again, even though there's nothing to return to. The hardware freaks the everloving fuck out, wrapping around the counter that tracks how many levels deep of code execution we're on and reacting as though we're 255 levels deep in subroutines, and accidentally reading out the level scrolling mode as the location to return execution to, because that number happens to sit where the 255th place in the area where subroutines are tracked would be if there was a 255th place, causing the console to stop reading code from the cartridge, and instead treating the system RAM as code, and running that instead. And within the area of RAM that is mistakenly reinterpreted as game code because of this, loaded enemy data is normally tracked, and here, people manipulate the positions of the koopa shells that normally spawn in the level to write machine language instructions creating a trigger for the Princess's chamber that will activate with the glitch.
So many planets aligned...
I bet the whole Mario galaxy aligned
Yes.
Yes. I could read long form explanations from you. Well done
Well, all they're doing is reading volatile, numeric data as instructions, to execute code in an unintended way. It was probably figured out that the pipe to under-map OOB and hitting the noteblock did some fucky shit, and I guess someone traced it through an emulator to see that the thing that reads instructions landed in graphical data. From there it was simply manipulating the graphic data.
@@haydenz0 In essence, this glitch begins with an array indexed out of bounds error, when trying to write to the loaded map data to remove the note block and temporarily replace it with the animated version of it. Except that, computers being that much slower, the performance penalty to ensuring that arrays were always indexed in bounds mattered, so most games, having to be efficient over running safe, didn't do the check to save on crucial processing power.
Probably they discovered the glitch pipe entry first (might've been on some other map too) and then later discovered that OOB note blocks would pretty consistently make the console spit fireworks when hit. If it didn't crash, obvious memory corruption was present. When every time you reproduce a game-breaking glitch, the effects that occur right after are completely all over the place and random-looking, you know something fucked is happening with the machine. And the moment somebody fired that up in an emulator debugger, and caught the execution jumping to RAM, they were like "Oh yeah, we might be able to ACE with this"
This was like learning physics. I'm fucking lost and yet intrigued and focused and can't stop learning. Great video.
The wave function is a description of an electron. and when you view that function you are forcing the collapse of the wave function.
> There are many different kinds of NES ROM mappers. All of them act a little bit differently. I won't talk too much about them, because that topic could be its own video.
Please, please make that video.
I second the motion.
isnt it notion
Mr.Sheepington possibly.
Both are correct!!
Kirby Banman WHERE IS THIS VIDEO?
I hardly understood a thing but watched it all the way through. Fascinating stuff.
Margaret Mansell: Neither me, until I watched other videos from this channel lol
Ethan you're not a technician.
I don't understand it either lol, but I enjoy watching videos like this.
I wish I understood whatever computer language this guy was speaking. Still liked it.
@@EverSinceMyExorcism he's talking about assembly in this case. Which is basically just binary converted to an easier to read format for us humans.
I tried doing this glitch. So far I made the console draw what I can only describe as a croissant, rotated the screen 90°, and moved the hud to the top of the screen. I don't know what I'm doing
You rotated the screen 324˚?
he did a barrel roll
Reds an aileron roll?(game theory)
WOAH.
You need to find a way to record your failures, dood, these sound amazing for being fails.
incredible explanation and graphics to support it...this is how computer science should be taught...kudos!
Oh my god I appreciate the TAS way more now. Seriously?! Pirahna plant, thrown shell, and bouncing shell ALL syncing up at the right x-position at the SAME TIME???!?!!?!!! OKAY, TAS. SURE.
Fucking godly.
Thank you :).
Voxel Fox That's what makes it so impressive! TAS is literally god in the game world. TAS can even do all it does *blind* and *deaf!* Imagine a human do that.
Voxel Fox Wow you're very smart. Look at my channel for more smart things like Tool Assisted Speedruns videos of La-Mulana!
Neither, I'm just shilling. Here, I'll add another comment, so my shill comment disappears up the comment thread.
Doesn't make it any less respectable. 8+ hours just to get a 2 minute segment perfect (only to be obsoleted when something new shows up) is crazy for any one to do, yet they do. The amount of effort and time put towards finding insane glitches, programming, math calculations and viewing the same small part of a game over and over is just amazing to behold.
How did anyone figure that out?
3D Printing Professor exactly
ROM hackers trying to make their own levels probably found it. That's how a lot of games' secrets get found. Pokemon is a great example.
They asked the NES what it was doing xD
It is not me who found out how to do it; I only found out how he found out how to do this after I did the wrong warp to the credits in Super Mario World for the Wii U, the one that works on the Wii U. In Super Mario World, you have 10 sprite slots for enemies to work with, from slot 0 to 9, and they spawn at 9 first. In Super Mario World you write the entire algorithm in slot 0 to slot 6; you write the code by spitting shells with Yoshi (the shell becomes fire), with the algorithm in the X coordinates of the shells. From sprite slot 0 to 6 it is A9, 1C, 92, 3D, 68, 68, 60. That stands for LDA 1C, which stands for load the game mode for the credits that start with Yoshi arriving home into the accumulator; the 92, 3D stands for store accumulator to 3D; the two 68s stand for pulling out data (PLS); and the 60 stands for RTS, meaning return to the game mode that is stored in the accumulator, 3D, which = 1C, so then the game knows to run 1C as the credits. The 1 on the left means there is 1x16, and the C on the right stands for +12, since it is in hexadecimal, which means the units are 16 units long instead of the digit system, which is 10 digits long. So that is why if you see 68, it does not equal 68 as the real number; it actually equals (6x16) +8= This is a visual of what it looks like in Super Mario World; it only begins after the power incrementation glitch is done, because of the weird difference that the Virtual Console has compared to the console version: ua-cam.com/video/dJp1XLmw9Jg/v-deo.html How does this have anything to do with the Super Mario Bros. 3 wrong warp to the princess? Since there are only slot 5 to slot 1, there is no way to write the entire algorithm, so with the shells he writes $20, E3, 8F in the slot 3 to slot 5 X coordinates of the koopa shells, and that stands for JSR: $8F, E3, which means jump to subroutine princess room. While checking in the emulator in debug mode I decided to take a look at memory $8FE3, and the entire algorithm for the princess room was there, because it started with LDA: $19.
@SuperNickid I'm sorry what
7:35 - Yes that's right. I know exactly what is going on now.
This is probably the best way to present programming stuff (hex values, memory map...) I have ever seen in video. It's clear, pleasing to ears and eyes. The topic is also very interesting. I would love to see more of such well-made videos for anything.
I hope this channel will attract as many people as possible, it deserves it.
This is an awesome example of assembly level 'hacking' and understanding.
Great video man!
EZScape hello!
EZScape hi, fun fact, jsr stands for jump straight to ram and 8f e3 is the address it must jump to in order to load the right crash value, I read the dev commentary on tasvideos.org
@Symmetry_Obsessed_Freak wow, really?
As a developer, this was extremely interesting. By far the best video I've ever seen on an arbitrary code execution exploit. Thanks for the awesome video! :D
I did this as instructed, but it warped me to a parallel universe in Super Mario 64.
instructions unclear: Dick stuck in Mario 64
@Kadir Garip he cramshed: 💀
uh i'm pretty sure you did something wrong
have you hit the music block which replaces a $4G69 ROM mapping function 18 screens under the main stuff or the question block which replaces the $4G79 Control function 17.5 screens under the main stuff?
i think i know why you hit 1010010101010101010101001100101010101 in bi or a5 55 54 ca 15 in hex at the time that you did that there was data that was from super mario 64 in parallel universe so the game swaped the banks with 64sh banks bk the one koppa was one bit off so the game ran 10101010010101010100101010111111111 in bi or the thing telling nes what game your playing bye looking at the ram and seeing the data and runing the game that go with the data in 1st biyt and 64s data was in there so it rad 64 that good
This game was made years before Super Mario 64.
You deserve more subscribers
No he doesn't because he is a cheater
-_- He's not competing in anything. He's explaining how the glitch works.
ken m's pregony is all growen up
+filecabinet coffee
You are an idiot.
Progeny? Or pregnant? 9__9
The fact that you go so in depth graphically instead of just randomly spouting your values is fantastic! Keep it up! I imagine the production work takes tons of time, but I love it!
+Retro Game Mechanics Explained: I used a different method called the easy method, and you said sometimes it does not work even if you got the shell in the right spot, because it sometimes locks up on something, but I found a way to always line up those values, and this is how. When the paratroopa is moving up, boop it with the tail when the tips of his feet are lined up with the first lip of the pipe, using the easy method, and the closer you are to the correct frame the better the credits will look; that same shell placement is for the positioning of the credits screen. Once I booped the paratroopa at the right spot, but I put it one pixel too far to the left; that caused the credits to play 100% perfect, but they played too far to the left of my TV. The koopa in slot 3: never reboop it with the tail. When you mention the address 20 for the jump code, the 10th digit, in this case 2, this is when the values are aligned, but not just that one: the 10th digit can also be 1 through 10, and that is caused by booping the koopa at slot 3 at the correct position and when he moves in the correct direction, and if you reboop it with the tail by accident the 10th digit will return to 0. The placement of the shell in slot 3 determines the unit, and the unit determines the screen position, so 0 is always perfect screen placement. When the paratroopa starts moving up, the 10th digit goes from 0,1,0,2,0,3,0,4,0,5,0,6,0,7,0,8,0,9,0,10. The higher up the koopa troopa goes, the quicker those values switch, and when he starts to move down the 10th digit is always 0, which is bad. And if the bit code is like this, 100 8F E3, the credits are 100% perfect; the credits that show the world will run with the checked floor. Once I booped the koopa a fraction off of the 10, 10th digit; when I hit the note block on the 19 screen it flickered 4X before playing the credits 100% perfect.
Take a look at my video for the easy set-up; it is not me who found the easy set-up, but it is me who found out about the correct alignment of the previously uncontrollable value. When I filmed this I did not know about this at the time. After placing the shell in slot 3 at the correct spot, if you take the pipe to the far right, make sure to walk off to the right to quickly despawn the shell in slot 3. The koopas in slot 4 and slot 5, those ones you can reboop with the tail as much as you like, since E3 counts as one unit, as well as 8F. ua-cam.com/video/701sO-YxhGM/v-deo.html When you place slot 5 at the correct position you don't have to walk off to despawn it, since it will be floating above the pipe; it will despawn right away when you return to the start of the level.
Well done! It really tracked with a lot of the thought processes that went into figuring out the exploit for the TAS, and is accurate while still being more accessible than a text-only explanation.
What I'd really like to know is how TASBot manages to program Mario Maker inside Super Mario 3 (or World, I don't remember). My guess is jumping in memory where there is the ram that deals with input from the controller and programming it that way? I'm not sure what you can do with only about 10 memory locations. Unless there are more detailed ways to execute that.
yeah controller registers. from there you can write a bootloader
2020: Hack your bank account by playing Mario 3
2022: Control your car with Mario 64
2024: Set off grenades with an SNES controller
i would probably crash lol
2016 launch a rocket with an n64 controller
I hope that never happens.
@AUA-camChannelwithNoName: if you're talking about FBIAgent's comment I totally agree
Do not try and enter the pipe, that's impossible. Instead, only try to realize the truth...there is no pipe.
Whoa.
Ceci n'est pas une pipe!
dude, yes
Matrix reference yay
Don't be naff. There's a pipe right there.
What's even better is the end credits warp in Super Mario Land 2, Six Golden Coins: Mario glitches through the floor, ending up in the game's code (which is rendered onscreen as graphic tiles), and literally hits a block to set the "roll end credits" flag to TRUE.
I feel so good about days when there was no memory segmentation and running instructions from heap didn't cause a segfault.
I tried to do this glitch but everytime I try I always end up summoning the devil
Coming to your screen in 2017: But first let's talk about NES Parallel Universes!
A warp is a warp, you can't call it a half.
What im doing is called Koopa Troopa Raising
building up warps for 12 hours
But First Lets Talk About How To Jump Without Pressing A.
Luigi: So mario, how did you come back after defeating darkion?
Mario: to answer that, we need to talk about *parallel universes* *hazy maze from mario 64 starts playing*
Tell me if I spelled darkion right?
This joke was from something about super mario world, right at the start of the video, made by terminal montage
That's a great analysis of locations on the screen. An x-position exposition.
Great production value mate. Keep it up.
It's not often someone does this deep an amount of research, basically never do they then pack it into something this easy to digest and understand. My humblest thanks, will be sharing with my friends tomorrow.
3:05 *Well, it's actually souprisingly simple..."*
This was incredible! For years I've wanted to do the wrong warp in SMB3. I've been trying to decode what I need to do from people's PBs but haven't understood it.
This video explained it so well that not only I did it, but that my friend that doesn't speedrun also got hooked on it and we did it together. It was such a great experience trying and then being happy when we finally succeeded with the wrong warps! :D
We ended up doing it on emulator though because trying it on console with no practice was haaaaaaaaaaard! :)
This is one of the coolest videos I've ever seen on YouTube. Keep up the great work!!!
So much fun to be had as soon as code starts reading out of the proper index...
This video is so amazing that you sir have gained another subscriber. I want to see more videos like this.
This video did a very good job at explaining this trick. I, however, did not do a very good job understanding it. 10/10
Mario: Princess, I'm finally here.
Peach: Did you beat Bowser?
Mario: Well...uh...
Peach: Don't tell me you used the pipe glitch.
Mario: I mean, it's a little "easier" to do/accomplish.
Peach: *sighs* Ugh...
This kind of glitch always fascinates me because it's the best example to describe the idea of "code is data".
Love your work!
Well, huh! I never realized that the NES CPU used the same instruction set as the Commodore 64, but then again, both were from the 8-bit era...
They both use the 6502, so that's why.
Yep! The NES CPU was the Ricoh 2A03. It was just basically just a 6502 without a decimal mode and with an audio processing unit and IO controller for the controllers welded onto it.
@mariostar13 to be precise, the 64 used a derivative of the 6502, the 6510.
@Renville80 Yeah, but I didn't know that at the time. Also, from a programming perspective, they're exactly the same.
Great video! I have tried this shell down technique many many times and haven't yet got to princess. Mostly game crashes and sometimes to world 7 castle's king with wand.
brilliant! just subbed. cant wait for more videos
Finding out glitches is one thing but stuff that messes with how the game runs is something totally different.
And using this knowledge ingame is again on another new level. This is so amazing.
I like your editing style
I just love your channel. You are not only intelligent; but patient, thorough, and excellent at explaining things. I wish you great success!
How the hell did someone figure this out?
It's astonishing to see how this can be done and even more astonishing knowing how it works
I am in awe.
lol your avatar picture is in awe
Blue Boy! Stay off the pills, man! Friday and Gannon can't save you, I've seen that episode! XD
lol, fits your avatar hahahah
Ok, this is now my favourite channel. Your explanations are amazing and the editing is superb.
How was this discovered? I always see videos explaining how to do it, but was this found accidentally? Seems unlikely. Was this reverse engineered?
Definitely reverse engineered. A hacker studied the code, attempted to find a way to do code injection on an SNES, made a tool that showed those values in real time. This isn't the first time code injection's been done, and they probably could have stolen your identity with just as much effort... assuming they are only going to use a SNES control to do so. Stealing your identity with a laptop and Wi-Fi decrypter would be trivial.
tasvideos.org/4288S.html This is the first known instance of the glitch being used in that way. The aforementioned RAT926 (a Japanese player) was apparently already investigating weird behavior with block changes causing odd behavior (he turned both a used-up brick and a muncher into inactive invisible music blocks back around 2013). The bad pipe behavior (where phantom pipes happen) was well-known by speedrunners by then already. Some assembly guy then took a look and figured out how to write code that would lead to the ending.
So in short, it was found because one guy was glitch hunting, and the TAS community took notice and fell on the game like code-munching piranhas because they're always after the fastest technically possible times.
Rom hackers probably. Just like pokemon how Id #0 in pokemon was discovered
I've seen the glitch done for Super Mario World, and the glitchers would explain it a bit. However this vid makes a lot more sense than someone explaining while doing it. I especially liked the graphic at the side that showed the unit values, and the checks as you went through it. Nice work.
That was very, very cool.... Awesome work on this guys. #WeAreNotWorthy
When you said wrong warp I thought you were talking about a different one, I didn’t know other mario games had these. Fascinating
Nice video! Never heard of this channel before, subscribed
I sort of understand what's going on. I'm so glad to have this channel in my life now
quick question:
WHO THE FUCK HAS ENOUGH SPARE TIME TO FIND A GLITCH THAT INSTANTLY BEATS SUPER MARIO 3
the TAS Speedrunning community.
those guys are god like in reverse programming
I've watched almost all of your videos. But now I'm really speechless. You are a genius
Question: what?
Toad: What is Mario doing?
Luigi: He's beginning to believe...
Beautiful video! =)
Oh hey Tompa!
Excellent video! Even though, I don't understand it, I still sorta understand it because you explained it really really well.
Like a great teacher would.
Of course this leads me to ponder if requests is something you'd be interested in doing because, there's a very interesting glitch in *Ys: The Vanished Omens* for the Sega Master System ( _I perform it on my playthrough in part 1_ ) where if you attempt to buy the Mirror from Pim in Minea a couple of times, really strange effects can occur. Such as you can be teleported to a glitch area that plays the Tower of Dahm's theme, the game can crash, you'll get a random amount of gold usually in the thousands, you can get gold and items, you can be leveled to max level instantly and many more stuff, I am convinced that there might just be a way to glitch it to the ending from there.
Another thing I am interested in, but this is admittedly something I've tried to understand on my own more, is that in many old school games ( _in this case Shadowrun on Sega Genesis_ ) they have palette swap enemies / allies. I've been trying to use a hex editor to swap the palette of the character but to no real success.. One day I'll succeed I believe. But just what that change is.. Is interesting.
this video is great mate, i rate it 8 out of 8
r8 mi gr8 b8 m8.
With 8 thumbs up as well
👍👍👍👍👍👍👍👍
I give it 8 bags of popcorn 🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿
I think that I finally understand how controlling memory mappers works. You send a write command to what would normally be a ROM location. However, because there's a memory mapper and not just the bare ROM the mapper can catch that write command and then perform some other command.
Clever that.
excellent quality video! thank you!
Nice! I found out about your channel through YouTube recommendations, and before this video, I didn't know NES/Famicom games were written in what looks like Assembly.
Nice video mate!
love how the first thing you see in the glitchy mess is coins resembling the ^^ face. always found it oddly fitting, like, yep youve glitched down here good job
Can you please make more videos like this.
God like editing, the colored lines and graph on the left helped greatly. The best video I've seen that explains memory manipulation, good job!
Dots: Love this video, amazing! However, I wanted to point out a small error.
At time marker 5:52 , you show where the RTS instruction returned us to. However, this is not PRG1E (Bank 30) as you have labeled, but PRG1D (Bank 29). PRG1E (Bank 30) is meant to be at $8000, however, when the value #$80 is written to $9C70, the MMC3 immediately does a bank switch - changing $8000 to PRG1D (Bank 29), $A000 to PRG07 (Bank 7), $C000 to PRG1E (Bank 30) (Meant to be at $8000!!!) and $E000 stays at PRG1F (Bank 31).
Furthermore, the stack IS meant to be empty when returning to $8F4D, because in normal execution, we would be within the main game level loop within PRG1E (Bank 30). However, due to PRG07 (Bank 7) now being loaded in at $8000, we land in the middle of a routine for drawing the player - hence the eventual RTS instruction, and subsequent jump to RAM at $0081. So I guess it's not an unintended empty stack, it's a return to an address that now holds the wrong bank.
This bank mix up is only fixed up when a BRK is executed, since the IRQ routine calls a bank swap. Because bank swaps in SMB3 are set for $A000 and $C000, this returns our static banks PRG1E (Bank 30) and PRG1F (Bank 31) to $8000 and $E000 respectively. Indeed the wrong warp wouldn't be possible without at least one IRQ before the JSR to $8FE3!!!
-KabAudio
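The bank mix-up described in the comment above can be reproduced with a small model of the MMC3's PRG banking. This is an added example, not code from the game, the video or the commenter; it assumes 32 PRG banks of 8 KiB, takes R6 = $1D and R7 = $07 from the comment's own list, and the `$46` restore write is a constructed stand-in for whatever the IRQ routine writes.

```python
"""Constructed model of MMC3 PRG banking (not code from the game or the video)."""

PRG_BANKS = 32                # assumption: 256 KiB of PRG ROM in 8 KiB banks
LAST = PRG_BANKS - 1          # bank 31, always mapped at $E000
SECOND_LAST = PRG_BANKS - 2   # bank 30, fixed at $8000 or $C000 depending on mode


class MMC3:
    def __init__(self, r6, r7, bank_select=0x40):
        # Bit 6 of bank_select set = PRG mode 1 ($8000 fixed, $C000 swappable),
        # the layout the comment treats as the game's normal one (assumed start state).
        self.bank_select = bank_select
        self.regs = [0] * 8
        self.regs[6] = r6
        self.regs[7] = r7

    def cpu_write(self, addr, value):
        """A CPU write into $8000-$9FFF reaches the mapper, never the ROM."""
        if 0x8000 <= addr <= 0x9FFF:
            if addr & 1 == 0:                       # even address: bank select
                self.bank_select = value & 0xFF
            else:                                   # odd address: bank data
                self.regs[self.bank_select & 0x07] = value & 0xFF

    def prg_layout(self):
        """Return {window base address: 8 KiB PRG bank number}."""
        r6 = self.regs[6] & (PRG_BANKS - 1)
        r7 = self.regs[7] & (PRG_BANKS - 1)
        if self.bank_select & 0x40:                 # PRG mode 1
            return {0x8000: SECOND_LAST, 0xA000: r7, 0xC000: r6, 0xE000: LAST}
        return {0x8000: r6, 0xA000: r7, 0xC000: SECOND_LAST, 0xE000: LAST}

    def bank_for(self, addr):
        """Which PRG bank the CPU sees at a given ROM address."""
        return self.prg_layout()[addr & 0xE000]


def demo():
    mapper = MMC3(r6=0x1D, r7=0x07)     # register values taken from the comment
    before = mapper.prg_layout()
    mapper.cpu_write(0x9C70, 0x80)      # the stray write: bit 6 clear -> PRG mode 0
    during = mapper.prg_layout()
    mapper.cpu_write(0x8000, 0x46)      # constructed: a select write with bit 6 set
    after = mapper.prg_layout()
    return before, during, after


if __name__ == "__main__":
    for label, layout in zip(("before", "during", "after"), demo()):
        print(label, {f"${base:04X}": bank for base, bank in layout.items()})
```

The return address $8F4D never changes; only the bank behind the $8000 window does, which is why the same RTS lands in different code after the stray write.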
How the fuck did you have time to fix the "bank" problem??? Holy shit genuine 31/49
Thanks for explaining this! I saw it done on a speedrun, and I had no idea what he did!
I love the fact that I'm not the only person into old NES 6502 assembly code.
Thank you for this great explanation! I was led here by tetrabitgaming's video but I was disappointed there by a lack of real reasoning. Now this topic is way more clear to me. Thank you!
*obligatory "here from summoning salts channel"*
Amazing videos man, well done.
Chris Thorn summoning salts is the reason I found dotsarecool also, and thus this channel as well
'fg' kuk
It took me this long to realize it but basically:
We are using that invisible note block after we wrong warped to execute an address we made with the shells to teleport us to peach's room. What the fuck.
No point in trying this anymore, Nintendo patched it.
Duracelpupu: For the NES classic mini? Anyways, we still have the unpatched original version!
..and roms, I'd guess...
Just play on an NES. That doesn't get patched.
G U Y S H E W A S J O K I N G
Apparently only one person can detect a joke
Fantastic video, dude. Kinda reminds me of when they have an Engineer or Scientist come to your school, then kids ask them a question and they answer it in wtf-level detail and just blow everyone's mind. That's about where I am right now watching this lol
I HAVE NO FUCKING IDEA WHAT THE FUCK JUST FUCKING HAPPENED!
helmet098 Simple, this guy is a genius!
he just explained about fucking the in game ram in smb3
explaining something doesn't mean that someone will understand it.
No shame to be had.
I only understood that because I've studied processor design and architecture.
I likely wouldn't have either if i hadn't tbh
Nice explanation of what's going on in the stack and rom mapper. 👍👍
great video mate
AldiePezeh FUCKIN MASTER ROSHI
It's wild what ACE can do when game designers and their programmer counterparts had to compact an entire game down to capacities such as 256kB for SMB3 or even smaller as you look back in time. It's a lot easier to jackhammer the stack or violate some mechanic to attempt a bad read or write to somewhere illegal when the programmers were worried more about simply making the game work correctly within the hardware's confines than fretting about drawing 35 gigabytes worth of textures. Programmers were a lot more resourceful back then and had a nearly intimate relationship with their target hardware. Knowing how to bend the rules could help you implement your current mechanic in 450 bytes rather than 600 bytes; add up all that memory or program space saved over time while utilizing these methods, and your game has the space to add more levels, features, mechanics, secrets, or anything else that might have your design be the smash hit of the day.
If I had a list of things I'd do with a time machine, taking a modern IDE and hardware development tools back to these days would be on my list. Not like... in the top 100 or anything... but it would be on there. :)
7:06 IGN
This is one of the best gaming videos I have ever seen! We need more game spec videos like this out there. I was watching a video on how the Sega Saturn processes 2d and 3d games a while ago on someone's channel. If it wasn't for the fact the guy was heavily Japanese and hard to hear his English through his Japanese accent, I would have a 110% clear explanation of the hardware that entails the Saturn. I love learning stuff like that! Keep it up man. I'm subscribing right now
so if i understand, the game crashes while trying to create that invisible note block to repel mario while the actual note block is going up because everything is so out of index because you went so out of bounds? but why does the game execute the code you injected? is it like a failsafe kind of thing where they knew the game was gonna crash and they just execute any command they have as a last resort? i got the part where the code says jump to subroutine 8F E3 and the game crashes when you hit the note block but then everything was just too complicated for me
It's not a failsafe or a last resort, the game is so out of index at that moment that it just starts executing code from locations it shouldn't and ends up executing the injected code.
The whole exploit is possible because of the 6502's Von Neumann architecture. The cpu is interpreting the sprite location _data_ as instructions.
The rest of the procedures performed after placing the sprites down are to move the instruction pointer/PC to the address where the sprite location data is kept
@Crasy Fingers: This is just a summary of what he said above, plus something that he missed, to be more clear on what happens. Warning: the summary is kind of long. The reason it works: when you go out of bounds, the note block that crashes the game actually exists in the real part of the level, but when you hit it in the real part of the level, it works properly. This is just an example, it may not be exactly correct: that note block is normally on 6261, and when you hit it it goes 6261+0F to make 6270; nothing goes wrong here, and DD1A works fine to update the sprite animation, and then the game returns to the note block bouncing animation and saves the X coordinate of that bouncing animation in $0097 and its Y coordinate in $009F; the X and Y values are only overwritten if another block bounces. So when you go out of bounds, the block that was in 6261 gets incorrectly placed every time on 9C61, but since it is the same block it still has +0F to find the sprite animation, so it will go 9C61+0F=9C70, and that tells the game to write to read-only memory, and since that is not possible the game looks in open bus to find out what to do with 9C70, and finds valid garbage code to update in DD1A. The garbage code is too long by one byte, so that it overflows the stack buffer, so you will see in the debug menu Address $0100: JSR:$0080; that means it already overflowed, so that it jumps to that address. That address has the instruction $0080:RTS-1, so it will go to address $0081; then it needs to go through a lot of addresses before reaching the X coordinates of sprites, which start at $0090. Enemies' X positions start at $0091 and end with $0095. Enemies spawn on the highest slot first that is still available, so we write at $0093: $20, at $0094: E3 or E1, and at $0095: 8F; in the debug menu this will show as $0093: JSR: $8FE3, or JSR: 8FE1. You will see in the debug menu that $0094 and $0095 do not show anymore, and address $0096 still shows because that is the X coordinate for the power-up.
Mario's X position is in $0090. Mario's X position needs to be correct when hitting the note block that crashes the game to make it work, because he can go to an opcode with enemies in $0091 and $0092; with the easy method nothing spawns on $0091, and since nothing spawns its X value is $00. Most of Mario's X coordinates are OK, just a few would guarantee a fail, and that is what causes the different sounds before it transitions to the rescue of the princess. And it does work on Wii U Virtual Console and all other Virtual Consoles, except for the NES Mini; also it does not work on the Japanese version or the PAL version. Does not work in all versions of All-Stars. If you need more information on why it works, and why the Virtual Console is banned for speedrunning that category, just contact me in here.
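A constructed walk-through of the control flow this comment and the replies above it describe: an RTS with an empty stack wraps the 8-bit stack pointer and resumes in RAM at $0081, and the three shell X positions $20 $E3 $8F at $0093-$0095 then decode as JSR $8FE3. This is an added example, not code from the video or from any commenter; the bytes placed at $0100-$0101, the empty-stack value S = $FF and the NOP filler in $0081-$0092 are assumptions made so the model runs.

```python
"""Constructed 6502 model: RTS on an empty stack, then JSR executed from zero page."""


class Mini6502:
    """Only the three opcodes this walk-through needs: NOP, RTS, JSR."""

    def __init__(self):
        self.ram = bytearray(0x800)   # 2 KiB of work RAM at $0000-$07FF
        self.sp = 0xFF                # assumption: $FF models an empty stack
        self.pc = 0

    def pull(self):
        self.sp = (self.sp + 1) & 0xFF            # 8-bit pointer: $FF wraps to $00
        return self.ram[0x0100 | self.sp]

    def push(self, value):
        self.ram[0x0100 | self.sp] = value
        self.sp = (self.sp - 1) & 0xFF

    def rts(self):
        lo = self.pull()
        hi = self.pull()
        self.pc = (((hi << 8) | lo) + 1) & 0xFFFF  # RTS resumes at pulled address + 1

    def step(self):
        """Execute one instruction from RAM and return (address, text)."""
        at = self.pc
        op = self.ram[at]
        if op == 0xEA:
            self.pc = at + 1
            return at, "NOP"
        if op == 0x60:
            self.rts()
            return at, "RTS"
        if op == 0x20:
            # Operand is little-endian: bytes 20 E3 8F mean JSR $8FE3.
            target = self.ram[at + 1] | (self.ram[at + 2] << 8)
            ret = at + 2                           # JSR pushes the address of its last byte
            self.push(ret >> 8)
            self.push(ret & 0xFF)
            self.pc = target
            return at, f"JSR ${target:04X}"
        raise ValueError(f"opcode ${op:02X} at ${at:04X} is outside this model")


def wrong_warp_trace():
    cpu = Mini6502()
    cpu.ram[0x0100] = 0x80            # constructed: low byte pulled after the wrap
    cpu.ram[0x0101] = 0x00            # constructed: high byte pulled after the wrap
    for addr in range(0x0081, 0x0093):
        cpu.ram[addr] = 0xEA          # constructed filler standing in for the game's bytes
    cpu.ram[0x0093:0x0096] = bytes([0x20, 0xE3, 0x8F])   # shell X positions from the comments
    cpu.rts()                         # the stray RTS with nothing to return to
    entry = cpu.pc
    trace = []
    while cpu.pc < len(cpu.ram):      # stop once execution leaves RAM
        trace.append(cpu.step())
    return entry, trace, cpu.pc


if __name__ == "__main__":
    entry, trace, final_pc = wrong_warp_trace()
    print(f"RTS resumed at ${entry:04X}")
    for addr, text in trace:
        print(f"${addr:04X}: {text}")
    print(f"now executing ROM at ${final_pc:04X}")
```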
I don't know why I found this so fascinating, but man you did an amazing job on this video!
My brain hurts...
I love the weird red upside down glitch pipe that appears, it’s just pure magic.
You lost me after "In Super Mario Brothers 3 ..."
I was confused when he called it Brothers.
lmao
Made it farther than me... I got confused reading the title.
Can you imagine someone doing this in the early 90's with a console version of SMB3, during a speedrunning competition? It would probably make national news.
lmao
in case you dont know mitch flower did it on tv
This is the first video I’ve ever watched on ANY subject that made me feel dumb.
I love how every video that tries to explain a glitch ends up being 82x longer than the actual execution of said glitch
Why do you sound like dotsarecool
We're twins.
Retro Game Mechanics Explained Really?
Well I guess I'm not really my own twin, so not exactly.
***** Lol ok
Seriously though, this is the channel where I post my quality videos (RGME series), and pretty much everything else I want to upload goes on my dotsarecool channel.
I tried to learn...
I didn't. But I liked his voice. And the presentation was slick.
Will watch again.
i've been falling asleep to videos like these for about a week. so relaxing and soft,,
this is awesome. I never looked at a game's assembly. you are a wonderful wizard.
I hope to one day fundamentally and truly understand the level you explained everything that happened here. For now I simply have the general method the trick is done and the idea we are taking advantage of the system's quirks of reading the code as typed that does not feature error catching for the shown situations.
How anyone would find routes like this by mistake without actually digging into the code itself seems incredibly improbable and might be worth a video in itself of how it was discovered in the first place.
I've done this a few times, maybe three or four, always by accident, though. It's great to know there's a logic behind it!
Loved the explanations! You're very well documented and the diagrams and drawings you make are so sensible and just right that anyone can understand what's been up; as well as your more advanced users not get too bored.
Good luck with future movies. Got yourself a subscriber. :)
2:36 I hate to be direct, but it would actually be one pixel to the left, because the koopa would unload sooner. Also three things: walking enemies move by half a pixel every frame, a koopa’s subpixel position doesn’t change when it’s in Mario’s hands, and koopas move by half a pixel when they wake up in Mario’s hands. In this setup’s case, the koopa moves by half a pixel to the right. This means that depending on the subpixel value the koopa last had before grabbing it, you have to stand where the koopa’s X position is at either #$B7 or #$B8. If the koopa’s subpixel value is 0-7 before waking up, then you have to stand where the koopa’s X position is at #$B8. If the koopa’s subpixel value is 8-F before waking up, you have to stand where the koopa’s X position is at #$B7. This means that this “simple” #$8F setup yields a 50/50 chance at working.
big props for the editing and structure of this video
The graphical overlay of what's going on is amazing...