Super Mario Bros.: [TAS] "Arbitrary Code Execution" in

46,871 views

100th Coin

1 day ago

Comments: 114
@Bismuth9 1 year ago
The words "open bus" trigger PTSD I didn't know I had
@RozeeVeritas 1 year ago
Good to know I'm not the only one (joke)
@CristianConsonni 1 year ago
It's not the same bus!
@Bismuth9 1 year ago
@CristianConsonni I was referring to Super Mario World.
@Patashu 1 year ago
Imagine an open bus...
@matthewdrury6443 1 year ago
Imagine a `void open(*bus)`.
@Patashu 1 year ago
I love how cheeky this ACE is. I also love how hilariously useful SMB3 is for making payloads. You literally couldn't ask for better.
@MrCheeze 1 year ago
Well, except for RTA viability. Not sure whether there even exists any setup game that would be any good for RTA or not.
@Patashu 1 year ago
@MrCheeze 'shell code' in SMW comes to mind, off the top of my head I'm not sure if there's an NES game that good
@Pascal-eu2oe 1 year ago
@MrCheeze Probably 7-1 ACE in Mario 3 could do it, but it'd probably be pretty tedious, time-consuming, and really easy to mess up. And it'd almost certainly be slower than just playing Mario 1 normally.
@Ryusuta 6 months ago
To be honest, one of the most fascinating things about this for me was seeing a version of 8-4 that didn't have loops in it. Kinda cool how it actually flows pretty seamlessly.
@MrCheeze 1 year ago
Extremely cool find! Love me some payloads stored in uninitialized ram. Honestly, I'm surprised this could exist without being found already... SMB1 is one of those games known for being so well studied that undiscovered ACE couldn't possibly exist. (Admittedly, most people were probably not checking for logic that runs only in out-of-bounds world numbers and requires uninitialized RAM setup.) Anyway, great work!
@MrCheeze 1 year ago
Alternative comment: This really puts the N in Stop 'N' Swop.
@negativeseven 1 year ago
I discovered this exploit several years back. Indeed, needing to rely on initialized RAM as well as inaccurate emulation were both rather discouraging for most people to pursue actually running a useful payload.
@Storster 1 year ago
It's amazing seeing such a thing become possible in a game that most people consider completely ripped apart already. Entertaining stuff!
@alkali99 1 year ago
This is amazing work. It's cool how simply it recovers from executing in open bus. Awesome
@a1d3n_isme 1 year ago
"Use < and > to look at explanations" Me using a phone: 💀
@zboredskilled 9 months ago
just connect a keyboard to your phone, simple.
@autumnshinespark 7 months ago
Same
@tonyacatlett3683 6 months ago
Lucky, I mostly use console and only have wired keyboards and mice.
@l3onardomgbr 5 months ago
@tonyacatlett3683 mad respect
@Blankult 5 months ago
I just put it at 0.25 speed and did quick play/pauses lol
@Scrimsion 1 year ago
Legendary accomplishment for smb1 even though it's with a cart swap. Amazing video and amazing find! :)
@crescendo755 1 year ago
This is amazing congrats! So cool to see ACE in this game
@SuperDorrie994 1 year ago
Wow! Never would have thought of this. Great work!
@dillthepill08 1 year ago
This is friggin awesome. I have been waiting for smb1 ACE for as long as I can remember.
@cobaltguyyyyy 6 months ago
POV: Todd Rogers' most accurate speedrun
@kargaroc386 10 months ago
The way this is worded kinda implies that "open bus" is a sort of state that the CPU can be within. But as far as I know, *the* open bus is any memory region that isn't mapped, and this is what happens when you jump there. It's kinda like saying "during unmapped memory, such and such happens"
@100thCoin 10 months ago
Ah, good catch. My choice of words was a bit poor. I was trying to find the best way to phrase "During an instance where the PC is located at an unmapped address" and assumed "During open bus" would be a pretty good umbrella for that. Perhaps I meant to write "During open bus execution".
@AlbertTheGamer-gk7sn 1 year ago
Now, you can recreate Marionaires's create account TAS using arbitrary code execution, where you will create an account on Super Mario Bros., play World 0, and start playing the game revealing the hidden locations.
@aureliassong 3 months ago
Wow amazing, congrats on ACE’ing a new game!
@NtQueryInformationProcess 1 year ago
I knew something like this was possible, good job! I believe glitch enemies in some worlds let you execute arbitrary code, I remember playing a glitch level and getting far enough resulted in jumping to somewhere in work RAM and I think I remember it jumping to open bus as well, so this could be even faster
@Selicre 1 year ago
Well that is utterly insane. Congrats on getting this accomplished. Is this the first smb1 ACE? Now, fingers crossed for an ACE without a cart swap.. though that might be a very tall order.
@100thCoin 1 year ago
As far as I am aware, this is the first time ACE has been used in SMB1.
@ethanfranzen8684 1 year ago
This is awesome! I doubt much is possible in SMB1 with ACE, given the amount of memory you can access, but, at least, you can use it to legitimately force things to be interesting! I kind of want to see a proper analysis for exactly what happens, instruction by instruction, in the game's code, as you stall for time with conflicting button inputs and when the IRQ interferes. I infer that the SRE instruction shifts the bits of a target byte in the zero page.
@Alexs23743 11 months ago
FUN FACT: In this TAS, Mario is doing the Mario. ~swing your arms from side to side...~
@mataloger 1 year ago
Great work! I hope you get to perform it with a tas-bot sometime 🙂.
@100thCoin 1 year ago
Oh hey, sorry I took two months to reply. This was console verified by Alyosha before I even uploaded my own video. If I recall, this might be an earlier version of the TAS, but it still executes the payload, thus completing the game in 8-4. kzbin.info/www/bejne/lYLWYXqVnLF4r80
@DaVince21 6 months ago
I was not ready for that onslaught of explanations in the first second. Nice and detailed though.
@Fritzafella 1 year ago
ACE in smb1?? Open bus manip combined with a variant of the Tennis x Mario glitch?? This game hasn't been totally torn apart yet it seems!
@autumnshinespark 7 months ago
Whoa cool, I understood that ASM ^^ Awesome job!
@flibidydibidy 1 year ago
Very cool!
@KabAudio 1 year ago
Amazing work as always 100th coin!!!!!
@MrLlama-gl2hk 1 year ago
Retro Video Game Mechanics has a pretty good video on how an open bus works: kzbin.info/www/bejne/mYHHnXmLm6qBpc0 It's part of a larger video about a Super Mario World glitch but it's still a very solid 15-minute explanation. The best tl;dr summary I can give is that the CPU is asking for memory that doesn't exist. Instead of getting an actual response, it merely sees an echo of the memory request itself or the response to a previous request.
@Abyssoft 1 year ago
This is amazing, what gave you the idea to try this?
@100thCoin 1 year ago
I've been playing around with ACE in SMB3 for a while, so I decided to look for ACE in SMB1. I knew killing Bowser beyond world 8 could lead to game crashes, and I decided to investigate it. As it turns out, Negative7 did a lot of research on this topic and found that killing Bowser in world $FC jumps to address $3D0. That region of RAM is far too useless to manipulate into a meaningful payload (or even a jump instruction to somewhere better) so I decided to chart every world in the game to see what killing Bowser would do. At the time I started this, I wasn't very familiar with open bus, but I found that world $16 (world N) jumped there. I left it as a comment and moved along. I was modifying Bizhawk at this time to allow for cart swapping mid-TAS. I had the goal of making a stop 'n' swop TAS for TASVideos' April Fools shenanigans. The original idea was just going to start the game in world 8 by playing Tennis, but I really wanted to see if I could use ACE to some degree. After learning a bit more about open bus, I took another look at world N, and to my surprise, I could easily manipulate an RTI instruction into existence, and this jumps to uninitialized RAM. All I needed to do was initialize it, and that's where my SMB3 TAS comes in. I figured the fastest way to initialize that would be through subframe inputs. I think this takes about 2 seconds? On a bit of a tangent, I've been considering making a stop 'n' swop TAS of Dragon Quest 3. You have a really good video about that run, and it would be cool to see it TASed.
@CristianConsonni 1 year ago
Very nice! If you press B, do you go to the regular "second quest" or does something different happen?
@100thCoin 1 year ago
It's a valid completion of the game. Going to the second quest works as usual.
@sirgog 1 year ago
This is incredible. How does it change from N-2 to 8-4 at around 1:15?
@100thCoin 1 year ago
The game changing from N-2 to 8-4 was the entire purpose of running the arbitrary code (which happened by killing Bowser in world N). This was achieved by storing a value of 7 in address $75F (This sets the game in world 8), a value of 3 at address $7FC (This sets the game in level 4), and running JSR $865A, as the code at $865A updates the HUD to display the current world-level.
@juliano__proencio3374 3 days ago
I'm 100% sure Kosmic is talking about this TAS in his latest video
@100thCoin 1 day ago
The video also included my total control "Travelling Salesman" TAS, in case you needed a bit more confirmation.
@juliano__proencio3374 1 day ago
@100thCoin alright, thank you
@BLGHA 2 months ago
Can you make a non L+R TAS of this?
@100thCoin 2 months ago
A non L+R TAS of this could certainly exist. For this TAS specifically, I only did the series of SMB3 inputs at the start of the video, as optimal SMB1 gameplay isn't my strong suit, and some friends of mine in the SMB speedrunning discord (Seraphmlll and Mizumaririn) did the SMB1 inputs. If I were to make that TAS myself it would likely be suboptimal.
@BLGHA 2 months ago
@100thCoin Ah, ok. I was only wondering because I wanted to see what the best run could be.
@denelson83 5 months ago
You need to put the elements of your video above the timeline that KZbin puts at the bottom of the video when paused. I am having trouble reading the text behind the controls at the bottom-right corner of the video.
@100thCoin 5 months ago
That's definitely something I hadn't considered when I made this video, and something I'll be making an effort to fix in future videos. Thanks for the feedback!
@TheOfficialDorianelevator 11 months ago
I have a French keyboard (AZERTY keyboard) and because of that the , key works but the . key doesn't, since French keyboards use Shift+; for the . character. Because of that I can't frame advance forward. If anyone with an AZERTY keyboard can tell me how to frame advance, please reply to this comment with the answer.
@Roro_2338 3 months ago
Late reply, but try the Windows On-Screen Keyboard. You should be able to toggle to the QWERTY layout on that.
@TheOfficialDorianelevator 3 months ago
@Roro_2338 I still remember this video and thank you for the answer, I might try that soon to be able to step frame by frame.
@six_buck_dlc 4 months ago
I don't understand anything you said but I feel smart reading it
@BHSilver 5 months ago
Question: when jumping, the "A" shown as pressed on the execute load screen, is the reason there is a line of A's that the button is being held down the whole time, or is it being pressed every time it's shown on the execute load? I've never programmed a TAS before, so this coding is new to me.
@100thCoin 5 months ago
If the A Button is shown multiple times in a row, you can think of it as being held down.
@BHSilver 5 months ago
@100thCoin Thank you, thought so, but wasn't 100% sure.
@crescendo755 1 year ago
I wonder if this concept could be used with OOT/SM64 to start SM64 with the upstairs key and go straight to the final Bowser.
@casultaser 5 months ago
And how could you use ACE in SMB3 before even starting the game? Normally in SMB3 ACE you would clear 1-1 and 1-2 normally, grab the 2 warp whistles in 1-3 and 1-Fortress, warp to world 7, enter 7-1, place some Koopa shells in very specific spots, and clip into one of the pipes, entering it from the wrong direction, leading to you going Out of Bounds and with a few more inputs warping to the credits.
@100thCoin 5 months ago
At SGDQ 2016, there was a TAS showcased that completes Mario 3 in 2 seconds. In 2018, Masterjun made improvements (so the credits don't softlock) and submitted a TAS that beats the game in 0.78 seconds. I optimized that further down to 0.22 seconds. It's a lot to explain (and I plan to explain how those work in a future video) but to summarize: A hardware issue can lead to DPCM audio samples corrupting the data read from the controller. SMB3 uses DPCM audio for drums in the music, so the developers needed a way to prevent the samples from corrupting the controller. Their solution is to read the controller in a loop until two consecutive reads match. If any of them don't match, it's assumed to be because the DPCM audio bug occurred, but in the world of TASing, I could maliciously mash the A button so fast that it never matches for two consecutive reads. Due to the order of events in the NMI of SMB3, an IRQ is scheduled for 193 scanlines, ROM banks are swapped out for updating graphics, the controllers are read, then the banks are swapped back. If the IRQ occurs before the banks are swapped back, there is a jump to address $A826 expecting bank 24, but bank 26 is loaded instead. An RTS instruction pulls unrelated data off the stack and we begin executing RAM from address $0001. The game stored the buttons held + newly pressed buttons in addresses $17 and $18, and addresses $F5 through $F8. Using those bytes that I can control, I can create instructions for the CPU to process. In my 13 frame TAS, these instructions are TAX (X now equals $F4), TSX (I need the stack pointer to be greater than $30), JSR $0000, JSR $9000. In my TAS that sets things up for ACE in SMB1, I use the bytes I can manipulate to write a function that gives me more control, then I use that to write everything I need before swapping carts. This function is mostly written by loading X with whatever byte I need, then storing it somewhere.
I can't use the A or Y registers, since lots of other bytes on the zero page will change the values, but the X register can remain unchanged between frames, allowing me to swiftly LDX and STX to write code.
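As an added illustration of the controller-read scheme described in this reply (a constructed model, not SMB3's code or 100thCoin's): the loop re-reads the pad until two consecutive reads agree, so a single DPCM-corrupted read only costs a retry, while an input that changes on every read never converges and the loop is still running when the scheduled IRQ arrives. The 193-scanline figure is from the reply; the reads-per-scanline cost and the button bit layout are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of "read until two consecutive reads match".
 * Not SMB3's actual code; every constant except the 193-scanline IRQ
 * figure quoted in the reply is an assumption made for the simulation. */
#define IRQ_SCANLINES      193   /* IRQ scheduled this many scanlines after NMI */
#define READS_PER_SCANLINE 4     /* assumed cost: one full pad read is ~1/4 scanline */
#define BTN_A              0x80  /* assumed bit layout: A in the high bit */

/* An input source yields the pad byte seen by the i-th read of this frame. */
typedef uint8_t (*pad_source)(int i);

/* Honest player holding A, with read #1 corrupted by a DPCM fetch (bit lost). */
static uint8_t dpcm_glitch_source(int i) { return (i == 1) ? 0x00 : BTN_A; }

/* Subframe TAS input: the A bit flips between every single read. */
static uint8_t mashing_source(int i) { return (i & 1) ? BTN_A : 0x00; }

typedef struct {
    bool    converged;       /* two consecutive reads agreed */
    bool    irq_interrupted; /* IRQ fired while the loop was still running */
    int     reads;           /* pad reads performed */
    uint8_t buttons;         /* accepted value, meaningful only if converged */
} read_result;

/* Game-side loop. In the sequence the reply describes, ROM banks are swapped
 * out before this runs and swapped back only after it returns, so an IRQ that
 * lands inside the loop runs its handler against the wrong bank. A bounded
 * retry count (falling back to last frame's value) would remove that hazard. */
read_result read_controller(pad_source src) {
    read_result r = { false, false, 0, 0 };
    uint8_t prev = src(r.reads++);
    while (r.reads / READS_PER_SCANLINE < IRQ_SCANLINES) {
        uint8_t cur = src(r.reads++);
        if (cur == prev) {           /* consistent pair: accept and leave */
            r.converged = true;
            r.buttons = cur;
            return r;
        }
        prev = cur;                  /* treat mismatch as DPCM noise, retry */
    }
    r.irq_interrupted = true;        /* deadline passed with no agreement */
    return r;
}

int main(void) {
    read_result a = read_controller(dpcm_glitch_source);
    read_result b = read_controller(mashing_source);
    printf("glitch: converged=%d reads=%d buttons=%02X\n", a.converged, a.reads, a.buttons);
    printf("mash:   converged=%d reads=%d irq_interrupted=%d\n", b.converged, b.reads, b.irq_interrupted);
    return 0;
}
```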
@jayburstin3462 1 year ago
Are you planning to submit this to TASVideos? Hopefully switching games is allowed, because this TAS is awesome 🤞
@100thCoin 1 year ago
I initially submitted a less optimized version on April first, and it seemed to have some incredibly positive feedback. It failed console verification, which led to us discovering the open bus inaccuracy in the current release of Bizhawk (2.9). That's been fixed for the next release, so I'll probably try submitting this after Bizhawk's next release? There is still the issue of swapping carts in the middle of the TAS. My current modification to Bizhawk to make cart swapping work is a little sloppy, so I doubt that pull request will go smoothly. I'll be asking the judges of TASVideos what to do before I submit, that's for sure.
@Creative_YT 5 months ago
I’m going to make an fnf chart of those controller inputs
@CloudCarry 1 year ago
legendary
@zszushi 3 months ago
How do I display keystrokes? I would like to see it displayed in Bad Apple videos as well.
@100thCoin 3 months ago
In the Bizhawk emulator, under "View" is an option for "Display Input" which shows on screen the buttons being pressed. It's not very intuitive to display inputs like that for a subframe TAS though, as there are hundreds of inputs per frame.
@zszushi 3 months ago
@100thCoin tysm
@mariofan12361 3 months ago
niftski has competition
@Halely-j4j 5 months ago
so if we get ace we can skip to bowser and win in less than a minute
@TheNoSwearGuy 1 year ago
You do know TAS timing ends when Mario touches the axe and not on the last input for both SMB and SMB2J, right? Those two games are the only exceptions to the "timing ends on the last input" rule. This TAS is actually a 1:15.725, not a 1:15.442
@nehuensio 5 months ago
Actually, TASes have the same time rule for all games: time starts when the console or emulator is powered on/started and ends on the last input
@TheNoSwearGuy 5 months ago
@nehuensio TAS timing is different for SMB and SMB2J. For those two games, TAS timing ends when the player touches the axe
@kriller3771 1 year ago
Bro what, I don’t know what else to say that just what
@kriller3771 1 year ago
This is insane, so far beyond me
@gameboyadvance45 1 year ago
0:02 super Mario 3 intro?
@100thCoin 1 year ago
The first two seconds of this TAS happen inside Mario 3. There are some wild exploits where you press mismatched inputs 100 times in a single frame leading to an ACE exploit 11 frames after the console boots. I use that to write the payload that is executed in SMB1, as well as set up RAM so SMB1 will start in world 'N'.
@Mabi19 1 year ago
Cartswap TASes are really cool. Unfortunately you still need an exploit in both games; I guess you could write enough code to patch around the initialisation routine and achieve more control that way, but that seems sketchy.
@chair547 6 months ago
rta viable when? with like... tennis or smth idk
@superofsrb2196 5 months ago
you could do the save state thing to save the second it takes to walk to the axe
@NCXDKG 5 months ago
Question: where are the < and > keys *on a phone?*
@nehuensio 5 months ago
there is none, sorry
@burritoman2k 1 year ago
Oh wow
@c7fab 1 year ago
cool cool
@RozeeVeritas 1 year ago
Can I download the TAS file?
@100thCoin 1 year ago
Sure! I mention in the description that the TAS was made in a modified version of Bizhawk. This was done for 2 reasons: cartridge swapping, and fixing incorrect open bus emulation. The solution for console verification was to send two separate TAS files. They can be found here: SMB3 Inputs: tasvideos.org/UserFiles/Info/638160503431898737 SMB1 Inputs: tasvideos.org/UserFiles/Info/638179553100801346 The SMB3 run sets up the RAM, then the SMB1 run begins from a "savestate" that boots the game with the RAM the SMB3 TAS ends with. Keep in mind, if you are using the current latest version of Bizhawk (2.9) the SMB1 run will have incorrect open bus behavior, leading to the game rebooting at the end of the movie. If you would prefer to have a single TAS file, that requires compiling my custom fork of Bizhawk that adds cart swapping. Let me know and I can link you to my fork of Bizhawk, along with a single TAS file.
@Charcoal190 1 year ago
Holy shit.
@Snooty4835 4 months ago
Bro why are people so hung up on 4:54 being the limit? Haven’t they seen this! /j
@Judge_Zion 1 year ago
some of us are stuck on mobile.
@SamiSaba2 8 days ago
1:15 in smb1 was possible?
@misterdoctorprofessorpatrick 7 months ago
see guys it is possible to get below 4:54
@thejazzo3595 5 months ago
impress
@damin9913 5 months ago
So the thumbnail was a lie, no blue Mario 😢
@100thCoin 5 months ago
Ah, my bad. The colors on the thumbnail are mimicking the "TAStudio" icon's color palette. In hindsight, as my channel grows, fewer and fewer people would get that reference. I've started to just leave the thumbnails with normal colors, since more people would understand. Sorry for the confusion.
@lior_haddad 1 year ago
smb1 ACE :0
@genblinko7801 1 year ago
WHAT?!