
Arbitrary code execution on SMW

Name: Anonymous 2014-06-11 21:08

This guy found an exploit in the game Super Mario World for the SNES that allowed him to run code in memory. By giving certain inputs to the game, he manages to program the Pong and Snake games inside Super Mario World and then play them.

Video: http://www.youtube.com/watch?v=OPcV9uIY5i4
Article: http://arstechnica.com/gaming/2014/01/how-an-emulator-fueled-robot-reprogrammed-super-mario-world-on-the-fly/

I thought it was damn impressive!

Name: >>1 2014-06-11 21:10

Here's the whole presentation from AGDQ 2014, http://www.youtube.com/watch?v=Uep1H_NvZS0 and there's also an explanation here. Enjoy.

Name: Anonymous 2014-06-11 22:10

>>1,2
holy shit

Name: Anonymous 2014-06-11 22:11

Is this supposed to be impressive?

Name: Anonymous 2014-06-11 22:23

>>4
You understand how it works right? This is incredible.

Name: Anonymous 2014-06-11 22:25

>>5
If you consider this to be incredible then the kind of things I am aiming for must be considered as pure fantasy and impossible.

Name: Anonymous 2014-06-11 22:29

>>6
Really? You aren't impressed by turning a SNES into a programmable computer using only the controller? I guess you aren't into hacking then.

Name: Anonymous 2014-06-11 22:37

>>7
I believe this has already been done with one of the first versions of Pokemon.

Name: Anonymous 2014-06-11 23:01

>>1
This is old, and not super impressive. It was good though. Sprite slot exploits for SMW have been known for a long time, this is just a variation on the ones that jump directly to the end. More impressive was the machine they built to do it on a real console at AGDQ, but even that lost sync on several games and seemed to be only moderately well done.

>>8
The Pokemon exploit is different. It relies on turning the game off during a save while standing at the right position. When the corrupted save is loaded, most of the file is full of 0xFF or something, so the game thinks that you have 255 of every possible thing in your inventory. Since you can't normally have, for example, a Pokemon in your inventory, by rearranging them you can access raw memory. By rearranging them in certain orders, you can reprogram the game. But really, almost everything about Pokemon is broken and exploitable.

The SMW exploit is different (SMW is much better programmed). It relies on the fact that sprites are spawned in certain slots, and some slots are reserved for certain sprites (Yoshi, P-Switch, etc.) that can kick other sprites out. It also uses a second glitch where blocks can be duplicated. The stuttering in the game when Mario mounts Yoshi is because he is actually mounting several invisible Yoshis at the same time. Also, anything that is moved is a sprite, so when they grab the blocks, they are deleted from the background and a new sprite spawns. Total control is achieved here by fucking with the sprite slots in such a way that they overwrite other memory (difficult, because each frame is a new cycle in which all the game logic executes (also why the timer passes slower when Mario is moving faster, in case you never noticed), so sprites must either be spawned or destroyed in the exact same frame) and jump to it, which causes it to read the next 65k or so of controller inputs into memory and execute them.

Name: Anonymous 2014-06-11 23:02

>>8
I'm not surprised. It would be nice to know some human-reproducible arbitrary code execution hacks so I could use a gameboy as a lisp calculator.

Name: Anonymous 2014-06-11 23:33

>>10
Why not write a lisp calculator directly for the Gameboy architecture rather than using exploits in some game? The Gameboy architecture is well understood (it's not hard to write a complete emulator for it), so it won't be hard to write code for this architecture. You could write the code using an emulator for development and then, when you're ready, load the code onto a Gameboy cartridge with an SD card slot.

Name: Anonymous 2014-06-12 3:35

>>1

Won't work with modern consoles, because the shitty Linux OS doesn't allow execution in data segments.

Name: Anonymous 2014-06-12 3:42

>>9
More impressive was the machine they built to do it on a real console at AGDQ, but even that lost sync on several games and seemed to be only moderately well done.
If the controller runs at 2 times the frequency of the controlled device, then you should be okay.

http://en.wikipedia.org/wiki/Nyquist_rate

Name: Anonymous 2014-06-12 9:46

>>13
In case I wasn't clear before, (most) games only poll between frames, and if there is a lot of processing needed (things are moving fast), then the framerate drops, meaning the polling frequency drops. The 6502 has no threading.

Not that that matters with the emulated version.
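The sync problem in >>13 and >>14 is easy to see in a small simulation. The following is an added illustration, not code from this thread or from the AGDQ replay hardware: a toy game that latches exactly one controller input per frame, where some frames (constructed "lag frames") take twice as long. A playback device that emits inputs on its own fixed clock skips inputs whenever the game's frame rate drops, while one that waits for the console's latch signal stays in sync however long a frame takes. The `lag_frames` set and the input script are made-up inputs for the demo.

```python
"""Replay-timing simulation (added example; constructed game model).

The game polls the controller once per frame. Time is counted in integer
ticks of one nominal frame (1/60 s at 60 Hz), so no floating-point drift.
"""

NOMINAL_FRAME_TICKS = 1  # one nominal frame == one tick of wall-clock time
LAG_FRAME_TICKS = 2      # assumption: a lag frame takes twice as long


def frame_ticks(frame_idx: int, lag_frames: set) -> int:
    """How many wall-clock ticks the game spends on frame `frame_idx`."""
    return LAG_FRAME_TICKS if frame_idx in lag_frames else NOMINAL_FRAME_TICKS


def play_fixed_rate(script: list, lag_frames: set) -> list:
    """Replay device emits script[k] during wall-clock tick k, no matter
    what the game is doing. The game samples whatever is on the controller
    line at the start of each of its frames, so when a frame runs long the
    inputs emitted in the meantime are never seen."""
    received = []
    tick = 0
    for frame_idx in range(len(script)):
        if tick >= len(script):
            break  # replay device has run past the end of the script
        received.append(script[tick])
        tick += frame_ticks(frame_idx, lag_frames)
    return received


def play_latch_driven(script: list, lag_frames: set) -> list:
    """Replay device advances to the next scripted input only when the
    console latches the controller. Frame duration (lag or not) therefore
    has no effect on which input each frame sees."""
    received = []
    for frame_idx in range(len(script)):
        frame_ticks(frame_idx, lag_frames)  # time passes, but the device waits for the latch
        received.append(script[frame_idx])
    return received


def first_desync(script: list, received: list) -> int:
    """Index of the first frame whose input differs from the script, or -1
    if every frame received exactly the scripted input."""
    for i, expected in enumerate(script):
        if i >= len(received) or received[i] != expected:
            return i
    return -1


if __name__ == "__main__":
    # Constructed script: 12 frames of input, labelled by frame number.
    script = list(range(12))
    lag = {3, 7}  # constructed: frames 3 and 7 are lag frames
    for name, fn in (("fixed_rate", play_fixed_rate), ("latch_driven", play_latch_driven)):
        got = fn(script, lag)
        print(f"{name:13s} received={got} first_desync={first_desync(script, got)}")
```

With lag frames at 3 and 7, the fixed-rate device loses inputs 4 and 9 (the game sees `[0, 1, 2, 3, 5, 6, 7, 8, 10, 11]` and desyncs at frame 4), while the latch-driven device delivers all twelve in order. Doubling the device's clock does not fix the fixed-rate case, because the game still reads one input per frame and the frame length is what varies.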

Name: Anonymous 2014-06-12 10:06

>>10
Vita (or PSP) can emulate GB as well as an HP-48, which is basically a cross between forth and lisp. Though personally I'd like to port the HP-15C just because it has a horizontal button layout and wouldn't force you to rotate the damn screen.
