Way cool: Mario World code injection w/ SNES controller

Toggle sidebar Toggle sidebar
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
They use TAS (Tool Assisted Speedrun) utilities to pull this off using using only the controller inputs.

So they have a programmable controller to send input events with precise timing. It starts out glitching the game like mad using controller #1 input events. While it looks like random glitching, but they're actually loading graphics tiles into an area of memory (OAM table or "object attribute map"). The x/y coordinate values of those objects would later be interpreted as code. When the actual code vulnerability is triggered and the code executes, it simulates 8 controllers (2 multitaps) for maximum bandwidth to insert even more code.

Then, their code runs... :biggrin:

Jump to 38s because they had the wrong cartridge inserted at first (had to swap with one that had the save file erased).
https://www.youtube.com/watch?v=jnZ2NNYySuE#t=38s

This one shows the input events:
https://www.youtube.com/watch?v=OPcV9uIY5i4
Jump to 1m38s to see the 8 virtual controllers entering data.

[edit]
The original concept was to load a pixel-accurate playable version of the original Super Mario Bros (which they actually accomplished earlier this year).

https://www.youtube.com/watch?v=RHlGY40XU_o#t=7m7s
(jump to 7m7s)

At the presentation, the graphics were a little glitchy (they never saw it do that before). They also had to wrap-up the presentation because there wasn't much time.

From what I understand, it's supposed to be a pixel-accurate version of SMB with perfect play control and the wanted to have an SMB speed-runner play it.
 
Last edited:
SlitheryDee

SlitheryDee

Lifer
Feb 2, 2005
17,252
19
81
So wait. If you press a certain combination of buttons in a certain part of super Mario world, you can write a program and execute it within the game with nothing but the controller? Is that what just happened?

Pretty interesting stuff.
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
SlitheryDee said:
So wait. If you press a certain combination of buttons in a certain part of super Mario world, you can write a program and execute it within the game with nothing but the controller? Is that what just happened?

Pretty interesting stuff.
Click to expand...

That's exactly what happened. You can exploit a vulnerability in the game to create and execute game code using only controller input.
 
HeXen

HeXen

Diamond Member
Dec 13, 2009
7,832
37
91
Yeah i don't understand, what purpose does writing a program in this game serve or how could programming using the gamepad exist unless the devs put it there? Also what does a speed run assisted tool do exactly? Auto play the game or something? Also how do you create a program using controller....Hell I don't even know what I'm asking here.
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
HeXen said:
Yeah i don't understand, what purpose does writing a program in this game serve
Click to expand...
Blowing minds.

HeXen said:
or how could programming using the gamepad exist unless the devs put it there?
Click to expand...
The devs didn't. These guys basically disassembled the game on a computer to find vulnerabilities in the game's engine. Using simulated controller input on a real SNES, they could build their code in memory by glitching the game in certain ways that load values into an area of memory. Every button on the gamepad is just an on/off data bit that can be polled for a 1 or 0 state. That means you can read 12 bits at a time from each controller, or 96 bits by polling all 8 controllers. So, once they glitch the game to copy that data stream, they can insert their own code and resource data.

HeXen said:
Also what does a speed run assisted tool do exactly? Auto play the game or something? Also how do you create a program using controller....Hell I don't even know what I'm asking here.
Click to expand...

They have a device that connects to the controller ports and simulates button presses with precise timing. They developed the button sequences and timing on a highly-accurate SNES emulator on PC (which lets you abuse save-states to perfect the timing) then tested the sequences on a real SNES.

I just saw the follow-up from this year: They went through with their original idea and re-created Super Mario Bros 1, which was re-created with pixel-accurate graphics and play control.

Their presentation was poor, though. I want to find a better video of that.
 
CPA

CPA

Elite Member
Nov 19, 2001
30,322
4
0
How the hell did these guys even come up with this? I mean, how did they know that glitching the graphics would open up these tables allowing them to program within the game?
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
CPA said:
How the hell did these guys even come up with this? I mean, how did they know that glitching the graphics would open up these tables allowing them to program within the game?
Click to expand...

I'm sure they first used an emulator with a memory tracer and TAS utilities on a PC to work it all out.
 
Homerboy

Homerboy

Lifer
Mar 1, 2000
30,890
5,001
126
nerds-ogre.jpg






(but pretty cool)
 
S

steppinthrax

Diamond Member
Jul 17, 2006
3,990
6
81
Early game consoles had a primitive method of managing memory. You're settings and actions in the game were loaded into memory. If you had a way to modify the RAM you could practically do anything in the game. This is why Game Genie was so successful.
 
purbeast0

purbeast0

No Lifer
Sep 13, 2001
53,475
6,316
126
steppinthrax said:
Early game consoles had a primitive method of managing memory. You're settings and actions in the game were loaded into memory. If you had a way to modify the RAM you could practically do anything in the game. This is why Game Genie was so successful.
Click to expand...

i remember after weeks/months of searching for a pro action replay in the USA we finally found one, and we only wanted it to play as the bosses in SF2, only to see that it was a glitchy version of the bosses :(
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
purbeast0 said:
steppinthrax said:
Early game consoles had a primitive method of managing memory. You're settings and actions in the game were loaded into memory. If you had a way to modify the RAM you could practically do anything in the game. This is why Game Genie was so successful.
Click to expand...
i remember after weeks/months of searching for a pro action replay in the USA we finally found one, and we only wanted it to play as the bosses in SF2, only to see that it was a glitchy version of the bosses :(
Click to expand...

If I understand correctly, Game Genie intercepts ROM address reading, PAR can set+freeze any value in RAM (life bar, lives, etc).

Loved hacking my own PAR codes in ZSNES.
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
steppinthrax said:
Early game consoles had a primitive method of managing memory. You're settings and actions in the game were loaded into memory. If you had a way to modify the RAM you could practically do anything in the game. This is why Game Genie was so successful.
Click to expand...

If I understand correctly, ROM and RAM are mapped together in one big addressable block.

GG = ROM read intercept
PAR = RAM read/write intercept

Not sure why a single device didn't do both.
 
purbeast0

purbeast0

No Lifer
Sep 13, 2001
53,475
6,316
126
Ichinisan said:
If I understand correctly, ROM and RAM are mapped together in one big addressable block.

GG = ROM read intercept
PAR = RAM read/write intercept

Not sure why a single device didn't do both.
Click to expand...

didn't gameshark actually end up being the "winner" of those devices? i remember them being around a lot longer. i remember having one for psx that owned too. it plugged into the expansion port on the rear of hte console.
 
mmntech

mmntech

Lifer
Sep 20, 2007
17,501
12
0
Saw this posted on some gaming site awhile back. All just math, or rather breaking math.

You can do similar things in other games too. Sonic the Hedgehog has level wrap glitches that put you at the end of the stage in seconds. Each zone is built on an X-Y grid that's used to track your position. Wraps work by making the game think your grid position is a negative number, which shouldn't be possible. The game just goes haywire and dumps you out at the maximum possible value.
https://www.youtube.com/watch?v=O_6a-BJC0O8
 
slag

slag

Lifer
Dec 14, 2000
10,473
81
101
BoberFett said:
LOL, you bozos actually think this was all about playing snake or pong.
Click to expand...

no, I get it, but who cares..

the end result is what matters... yay, pong or snake.. show me something cool. What they did was not cool.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom