still better than using punchcards tho
March 28, 2016 1:29 PM

Internet person SethBling has successfully coded Flappy Bird inside of Super Mario World, by hand, by playing SMW on actual Super Nintendo hardware in a very peculiar way. Full hour-long process. SethBling's notes for the process. (Previously, on MetaFilter: injecting code in SMW; glitching SMW.)
posted by cortex (37 comments total) 69 users marked this as a favorite
 
The SMW code injection glitch continues to be the greatest glitch in the history of games, and maybe computing.
posted by Holy Zarquon's Singing Fish at 1:36 PM on March 28, 2016 [16 favorites]


Prediction: It's only a matter of time until someone codes Flappy Bird inside of Super Mario World inside of Minecraft.
posted by oulipian at 1:41 PM on March 28, 2016 [12 favorites]


It's Flappy Bird inside of Bank of America I'm concerned about.
posted by gwint at 1:45 PM on March 28, 2016 [6 favorites]


Right, but I know how to get to the Warp Pipe on SMB 1-2 by using the elevator and running over the top of bricks.
posted by leotrotsky at 1:52 PM on March 28, 2016 [15 favorites]


This is amazing.
posted by kenko at 1:56 PM on March 28, 2016


Phenomenal and decadent.
posted by Nelson at 1:57 PM on March 28, 2016 [7 favorites]


So wrong that it overflowed the wrong counter and ended up right.
posted by eriko at 2:15 PM on March 28, 2016 [13 favorites]


Unbelievable. So frigging cool
posted by DLWM at 2:16 PM on March 28, 2016


How did JHarris get Cortex's password? : 0
posted by DoctorFedora at 2:54 PM on March 28, 2016 [5 favorites]


It was hidden under a lodestone at the bottom of the Gnomish Mines.
posted by cortex at 2:55 PM on March 28, 2016 [12 favorites]


That this is even possible blows my mind. It seems like one of those things that you'd point out in a cheesy movie with computer wizards that you can't really "hack" in real life, but it ends up you can.
posted by SpacemanStix at 3:11 PM on March 28, 2016 [3 favorites]


Mario performs a lengthy, inexplicable dance, and the world changes.

Ritual magic in action.
posted by egypturnash at 3:36 PM on March 28, 2016 [53 favorites]


This sort of thing will never cease to amaze me.
What I'm curious about: If SethBling had made a wrong move somewhere in that hour-long video, he would have needed to start over, right? (Or is there also some way to undo your last step or otherwise correct a wrong "entry"?)
posted by bigendian at 3:44 PM on March 28, 2016 [1 favorite]


You can reprogram the game -- and not some shoddy third-party game, a Mario game -- from inside the game, on the original hardware, in under an hour? Every aspect of this is amazing.
posted by Sibrax at 4:01 PM on March 28, 2016 [6 favorites]


So, uh, at what point does SethBling teach MAR/IO to inject code? Because that'll be quite the event...
posted by bonje at 4:13 PM on March 28, 2016 [5 favorites]


You can reprogram the game -- from inside the game

Super Mario World is an acceptable lisp?
posted by postcommunism at 4:30 PM on March 28, 2016 [3 favorites]


I love the environment bootstrapping with the modifying of the coin counter to report your x-coordinate.
posted by invitapriore at 4:35 PM on March 28, 2016 [12 favorites]


First thing I do after I build my time machine is go back to 1990 and show myself how to do this.
posted by aaronetc at 5:54 PM on March 28, 2016 [3 favorites]


The best part is this exceeds the wildest "my uncle works for Nintendo" rumors of the day. Who at the time would have believed it was possible to put in a code that would allow you to do literally anything just by pushing buttons in a very specific way?
posted by Mr.Encyclopedia at 6:29 PM on March 28, 2016 [8 favorites]


SethBling's YouTube and Twitch are absolutely fascinating. I'm psyched about watching this.
posted by defenestration at 6:32 PM on March 28, 2016 [1 favorite]


> Who at the time would have believed it was possible to put in a code that would allow you to do literally anything just by pushing buttons in a very specific way?

To be fair, most computers work like that.
posted by ardgedee at 6:44 PM on March 28, 2016 [16 favorites]


so, Neo "hacking the matrix" would involve him spending an hour in the park picking up mushrooms and throwing rocks at pixel-exact locations...
posted by ennui.bz at 7:21 PM on March 28, 2016 [22 favorites]


You can reprogram the game -- from inside the game

Oh my god, I just realized that this is basically in-band signalling.

This isn't video game hacking. This is video game PHREAKING.
posted by Pope Guilty at 7:27 PM on March 28, 2016 [41 favorites]


Hard. Core.
posted by Mrs. Davros at 8:08 PM on March 28, 2016 [2 favorites]


This is amazing on so, so many levels, but I think the coolest part of the whole thing is the way it gets bootstrapped by first injecting a goddamn development environment (making the coin counter display the byte you would write and making the score display show the target address).

Pope Guilty: This isn't video game hacking. This is video game PHREAKING.

*mind explodes* Damn straight!
posted by Soi-hah at 9:44 PM on March 28, 2016 [4 favorites]


There's a trope in science fiction I used to scoff at where a sufficiently advanced civilization or transcendent AI is able to reprogram some everyday device to do something seemingly beyond the capabilities of the hardware by interacting with it in some ridiculous way like flipping a switch on and off or squealing modem noises at it. Stuff like this or some of the modern C64 demos sure makes it easier to suspend my disbelief for those stories.
posted by straight at 10:15 PM on March 28, 2016 [5 favorites]


This somehow manages to be both unbelievably awesome and mind-numbingly tedious at the same time.

Which is actually a pretty good description of Flappy Bird.
posted by jacquilynne at 11:06 PM on March 28, 2016 [4 favorites]


Can someone ELI5 this? Because WHUTTT. You can write code to whatever's processing SMW by doing particular jumps?!
posted by divabat at 11:40 PM on March 28, 2016


This reminds me of The Story Of Mel.
posted by user92371 at 12:09 AM on March 29, 2016 [5 favorites]


Can someone ELI5 this? Because WHUTTT. You can write code to whatever's processing SMW by doing particular jumps?!

That's pretty much the ELI5 right there. Particular jumps, and having some other controllers plugged in to multi-taps while their buttons are taped down.
posted by radwolf76 at 12:36 AM on March 29, 2016


The FLAPPY BIRD is coming from INSIDE THE HOUSE!
posted by plinth at 2:53 AM on March 29, 2016 [4 favorites]


This is definitely really cool, but it is essentially just launching a software exploit in an unusual way. There are people doing similarly awesome things in the infosec world, which you should check out if you find this interesting (if you aren't already). Have a read through some issues of PoC||GTFO, the spiritual successor of Phrack (the latest issue is a polyglot file that is at once a HTML file, PDF file, ZIP file, and a Ruby program that runs a web server serving the same file).

It's what good hacking is about; start with a small error and slowly rewrite the whole universe with it.
posted by destrius at 5:52 AM on March 29, 2016 [2 favorites]


Can someone ELI5 this? Because WHUTTT. You can write code to whatever's processing SMW by doing particular jumps?!

Old video games were programmed under very strict memory constraints. The developers would use a lot of clever methods to preload and cache various game instructions. In particular, the location of game objects (in SMW: the blocks, enemies, powerups, etc.) in the memory might be squeezed in next to the snippet of code that, say, saves the player's score to another location in memory.

By finding a glitch in the programming, you can cause the game to access the wrong part of the memory, causing it to execute the cache of game objects as programming, rather than information on drawing the object on screen. If you've manipulated the game objects that are in the cache, you can get the game to do all sorts of weird things; one of them, as SethBling demonstrates here, is directing you to a location in memory where your button inputs will be directly saved as executable code. (Again, the fact that "interpret the player's button input" code is right next to the "save this snippet of information for later access" code is a result of the developers squeezing as much data as they could on very small chips).

(That's my best effort -- not an expert here.)

This article describes a similar hack done on another old console, but automated: http://arstechnica.com/gaming/2016/01/how-a-game-playing-robot-coded-super-mario-maker-onto-an-snes-live-on-stage/
posted by .holmes at 7:51 AM on March 29, 2016 [3 favorites]


The craziest part to me is that the game continued to function as a game, with Mario still moving and jumping and whatnot in response to controller input, while the Flappy Bird code accrued, byte by byte, in memory alongside it. TASBot's exploits are amazing too, but they also work by freezing the game and causing the SNES to read controller inputs as code to be executed rather than commands to move a sprite around the screen.
posted by Holy Zarquon's Singing Fish at 8:08 AM on March 29, 2016


I've not read how the exploit works in detail, but from what I can figure out, the initial bug/glitch they use lets him set the power-up status to a larger value than it normally should be. The way the code for power-ups seems to be implemented is that it uses the value of the power-up status to decide where in the game code it should jump to, i.e. a jump table. With an overly large status, the game ends up jumping to regions beyond where it is supposed to jump, and it seems like it jumps into an area of memory where sprite information is stored. In the SNES (and almost all modern day computers), code and data are the same, just bytes in memory. So if you jump to memory holding sprite data thinking it is code, you will execute whatever code happens to be represented by the sprite data there.

(Beyond this point I am purely speculating and am possibly totally wrong) I think he arranges things in the game such that the sprite data that ends up being jumped to represents code that does something he needs. Possibly, it sets things up to allow him to write a series of bytes to a specific address (the multi-byte write described in the notes). I believe the value being written is based on the X-coordinate of Mario, and only gets written when he does a jump (or press a button, I'm not sure). So now he has the ability to write stuff into memory.

He uses this new ability to write a bootloader into memory, as well as some code that makes writing easier (changing the coin display to show the x-coordinates, i.e. the value being written). Finally he writes the payload to a different location, which contains the actual Flappy Bird game. At this point stuff has been setup both to make writing easier, and also to validate both the bootloader (by changing the colours if it was correctly written) and the payload (there's a checksum, which if incorrect will reset the payload writing phase). Once the payload has been written fully, things are setup such that code execution will immediately go to the bootloader, which will then load the payload and start Flappy Bird.

So essentially you start with a primitive that lets you set the instruction pointer to point to a region of memory you somewhat control. You then use this to give you a write primitive, which you can use to write more stuff into memory, including overwriting important values in the game to cause further glitches that can be to your advantage. At each stage you escalate the privileges you have, in order to finally achieve your goal.

This is essentially the same process in exploiting other kinds of software. For example, the well-known Stagefright vulnerability starts with an integer overflow, which if you set up properly, leads to a heap overflow, which allows you to write some bytes into regions of memory where you shouldn't. You use a specially constructed media file to shape the heap into the form you want (just like setting up the sprite data), such that when the overflow triggers, it ends up corrupting the state in a specific way that ultimately leads to code that you injected (via the media file) to be executed.

I guess you could think of it as a Rube Goldberg machine in software.
posted by destrius at 8:15 PM on March 29, 2016 [2 favorites]
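The jump-table primitive that .holmes and destrius describe above, modelled as an added example (this is not SethBling's code and not a disassembly of Super Mario World; the 64K address space, the opcodes, the addresses and the handler layout are all invented): a status byte indexes a table of handler addresses with no range check, the bytes that happen to sit after the table are "sprite" data the player can influence, and because the toy machine (like the SNES) cannot tell code from data, an out-of-range status both reads its jump target from sprite bytes and then executes sprite bytes. The checked dispatcher at the end is the one-line fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x10000      /* one flat 64K address space: code and data are just bytes */
#define JUMP_TABLE 0x0010     /* 4 little-endian handler addresses at 0x10..0x17 (invented) */
#define JUMP_TABLE_ENTRIES 4
#define SPRITE_TABLE 0x0018   /* 0x18..0x3F: "sprite" bytes whose values the player influences */
#define HANDLERS 0x0040       /* legitimate power-up handlers, 4 bytes each */
#define RESULT 0x00F0         /* where a handler records what it did (observable side effect) */

enum { OP_HALT = 0x00, OP_STORE = 0x01, OP_NOP = 0xEA };

typedef struct { uint8_t mem[MEM_SIZE]; } machine_t;

static uint16_t read16(const machine_t *m, uint16_t addr) {
    return (uint16_t)(m->mem[addr] | (m->mem[(uint16_t)(addr + 1)] << 8));
}

/* Interpret bytes at start as instructions until HALT. Returns the number of
 * instructions executed before HALT, or -1 on an invalid opcode or runaway. */
static int execute(machine_t *m, uint16_t start) {
    uint32_t pc = start;
    for (int steps = 0; steps < 64; steps++) {
        if (pc >= MEM_SIZE) return -1;
        uint8_t op = m->mem[pc];
        if (op == OP_HALT) return steps;
        if (op == OP_NOP) { pc += 1; continue; }
        if (op == OP_STORE) {                 /* STORE addr8, value: mem[addr8] = value */
            if (pc + 2 >= MEM_SIZE) return -1;
            m->mem[m->mem[pc + 1]] = m->mem[pc + 2];
            pc += 3;
            continue;
        }
        return -1;                            /* unknown opcode: the toy just stops */
    }
    return -1;
}

/* Lay out the game: handler i is "STORE RESULT, i ; HALT" and the table points at it. */
void machine_init(machine_t *m) {
    memset(m->mem, 0, MEM_SIZE);              /* 0x00 is HALT, so a stray jump lands on a stop */
    for (int i = 0; i < JUMP_TABLE_ENTRIES; i++) {
        uint16_t h = (uint16_t)(HANDLERS + 4 * i);
        m->mem[JUMP_TABLE + 2 * i]     = (uint8_t)(h & 0xFF);
        m->mem[JUMP_TABLE + 2 * i + 1] = (uint8_t)(h >> 8);
        m->mem[h]     = OP_STORE;
        m->mem[h + 1] = RESULT;
        m->mem[h + 2] = (uint8_t)i;
        m->mem[h + 3] = OP_HALT;
    }
}

/* The buggy dispatcher: status indexes the table with no range check, so any
 * status >= 4 reads its target from whatever follows the table. */
int dispatch_unchecked(machine_t *m, uint8_t status, uint16_t *target) {
    uint16_t t = read16(m, (uint16_t)(JUMP_TABLE + 2 * status));
    if (target) *target = t;
    return execute(m, t);
}

/* The fix: refuse anything outside the table before touching memory. */
int dispatch_checked(machine_t *m, uint8_t status, uint16_t *target) {
    if (status >= JUMP_TABLE_ENTRIES) return -1;
    return dispatch_unchecked(m, status, target);
}

/* What the player does: arrange sprites so the bytes the game stores for them
 * form both the out-of-range table entry (entry 4 sits at 0x18, the first
 * sprite bytes) and the instructions that entry points at. */
void player_arranges_sprites(machine_t *m) {
    uint16_t target = SPRITE_TABLE + 8;                   /* 0x0020, still inside sprite data */
    m->mem[SPRITE_TABLE + 0] = (uint8_t)(target & 0xFF);  /* read as jump-table entry 4 */
    m->mem[SPRITE_TABLE + 1] = (uint8_t)(target >> 8);
    m->mem[target]     = OP_STORE;                        /* read as code: STORE RESULT, 0xAA ; HALT */
    m->mem[target + 1] = RESULT;
    m->mem[target + 2] = 0xAA;
    m->mem[target + 3] = OP_HALT;
}

int main(void) {
    static machine_t m;
    uint16_t t = 0;
    machine_init(&m);
    dispatch_unchecked(&m, 2, &t);
    printf("status 2: jumped to %04X, RESULT=%02X (legitimate handler)\n", t, m.mem[RESULT]);
    player_arranges_sprites(&m);
    dispatch_unchecked(&m, 4, &t);
    printf("status 4: jumped to %04X, RESULT=%02X (player-chosen bytes ran as code)\n", t, m.mem[RESULT]);
    printf("checked dispatch of status 4 returns %d\n", dispatch_checked(&m, 4, &t));
    return 0;
}
```

The point the toy makes is the one destrius draws: the first primitive is only "set the instruction pointer into memory I partly control", and everything after that (the multi-byte write, the bootloader) is built on top of it. The same shape shows up in native code whenever an index from untrusted state selects a function pointer without a bounds check.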


Pretty much, yeah. He explains the process in some detail during the full 90-minute video, but the long and short of it is:

First he glitches Mario's powerup state. Then he glitches it again with sprite manipulation in level 1-1.

Then he glitches/manipulates enemy sprites in level 1-1 such that Yoshi and a P-switch are occupying spots in the sprite data table that the double-glitched powerup state will interact with. At this point every time he picks up a mushroom it writes a single byte to the game's memory based on Mario's position, the P-switch's position, and Yoshi's position. He uses that first to extend the level's timer to three hours and then to write the bootloader.

That switches the palette, makes the score and coin counters display his X-coordinate and the current line of code being written, and most importantly lets him write a new byte corresponding to Mario's location just by hitting the spin-jump button, so it gets rid of the Yoshi and P-switch fiddling. Writing 300+ bytes with the bootloader takes as long as writing 30-odd bytes without it, so that user-friendliness is a big deal. The bootloader automatically runs the injected code once it reaches the expected length and passes the checksum; no further trigger is needed to start Flappy Bird.
posted by Holy Zarquon's Singing Fish at 8:30 PM on March 29, 2016 [2 favorites]
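The staged loader that Holy Zarquon's Singing Fish describes above, and that answers bigendian's earlier question about what happens after a wrong entry, as an added example (not SethBling's bootloader; the thread does not say which checksum he used, so an 8-bit additive sum is assumed, and the accumulator bytecode standing in for the Flappy Bird payload is invented): each spin jump delivers one byte taken from Mario's x-coordinate, nothing is checked until the expected length arrives, and then the checksum either hands control to the payload or wipes the buffer so the whole payload has to be entered again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 256

enum loader_state { LD_REJECTED = -1, LD_WAITING = 0, LD_READY = 1 };

typedef struct {
    uint8_t  buf[PAYLOAD_MAX];
    uint16_t len;           /* bytes received so far */
    uint16_t expected_len;  /* fixed payload size the loader was written to expect */
    uint8_t  expected_sum;  /* expected checksum (8-bit additive sum is an assumption) */
    uint8_t  sum;           /* running sum, updated as each byte arrives */
    unsigned resets;        /* how many times a bad checksum forced a restart */
} loader_t;

/* 8-bit additive checksum. Used to bake the expected value into the loader
 * ahead of time; the loader itself accumulates the same sum byte by byte. */
uint8_t checksum8(const uint8_t *p, uint16_t n) {
    uint8_t s = 0;
    for (uint16_t i = 0; i < n; i++) s = (uint8_t)(s + p[i]);
    return s;
}

void loader_init(loader_t *ld, uint16_t expected_len, uint8_t expected_sum) {
    memset(ld, 0, sizeof *ld);
    ld->expected_len = expected_len > PAYLOAD_MAX ? PAYLOAD_MAX : expected_len;
    ld->expected_sum = expected_sum;
}

/* One "spin jump": the byte written is the low 8 bits of Mario's x-coordinate.
 * On reaching the expected length the checksum either releases the payload
 * or resets the buffer, which is the start-over case bigendian asked about. */
enum loader_state loader_feed_x(loader_t *ld, uint16_t mario_x) {
    uint8_t b = (uint8_t)(mario_x & 0xFF);
    ld->buf[ld->len++] = b;
    ld->sum = (uint8_t)(ld->sum + b);
    if (ld->len < ld->expected_len) return LD_WAITING;
    if (ld->sum == ld->expected_sum) return LD_READY;
    ld->len = 0;
    ld->sum = 0;
    ld->resets++;
    return LD_REJECTED;
}

/* Toy accumulator machine standing in for the real payload. */
enum { OP_HALT = 0x00, OP_LOADI = 0x10, OP_ADDI = 0x20, OP_XORI = 0x30 };

/* Returns the accumulator at HALT, or -1 for a truncated or malformed payload. */
int run_payload(const uint8_t *code, uint16_t len) {
    uint8_t acc = 0;
    for (uint16_t pc = 0; pc < len; pc += 2) {
        uint8_t op = code[pc];
        if (op == OP_HALT) return acc;
        if (pc + 1 >= len) return -1;         /* operand missing */
        uint8_t imm = code[pc + 1];
        switch (op) {
            case OP_LOADI: acc = imm; break;
            case OP_ADDI:  acc = (uint8_t)(acc + imm); break;
            case OP_XORI:  acc ^= imm; break;
            default:       return -1;         /* unknown opcode */
        }
    }
    return -1;                                /* ran off the end without HALT */
}

/* Replay a whole entry session (a sequence of x-coordinates). Returns the
 * payload's result the first time the loader accepts it, or -1 if it never does. */
int enter_and_run(loader_t *ld, const uint16_t *xs, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (loader_feed_x(ld, xs[i]) == LD_READY)
            return run_payload(ld->buf, ld->len);
    return -1;
}

/* Constructed payload: LOADI 7 ; ADDI 3 ; XORI 0xFF ; HALT  ->  (7+3)^0xFF = 0xF5 */
static const uint8_t PAYLOAD[] = { 0x10, 0x07, 0x20, 0x03, 0x30, 0xFF, 0x00 };
#define PAYLOAD_LEN ((uint16_t)sizeof PAYLOAD)

int main(void) {
    loader_t ld;
    loader_init(&ld, PAYLOAD_LEN, checksum8(PAYLOAD, PAYLOAD_LEN));

    /* Constructed session: the fourth byte is mistyped (0x04 for 0x03) the first
     * time through, so the loader rejects and the player enters all seven again. */
    const uint16_t xs[] = { 0x10, 0x07, 0x20, 0x04, 0x30, 0xFF, 0x00,
                            0x10, 0x07, 0x20, 0x03, 0x30, 0xFF, 0x00 };
    int r = enter_and_run(&ld, xs, sizeof xs / sizeof xs[0]);
    printf("payload ran with result 0x%02X after %u reset(s)\n", r, ld.resets);
    return 0;
}
```

One caveat worth keeping in mind when this pattern shows up outside a speedrun: an additive checksum catches a mistyped byte, which is all the bootloader needs, but it is not an integrity control against anyone who controls the input, since they can simply choose bytes that sum to the expected value. A loader that must resist tampering rather than typos verifies a MAC or signature over the buffer instead.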


This reminds me of this article, about an AI-controlled Tron game lightcycle literally escaping the game grid and driving around in the computer's memory until everything crashed.
posted by rifflesby at 11:02 PM on March 29, 2016 [2 favorites]


This thread has been archived and is closed to new comments