[TAS] NES Super Mario Bros. "arbitrary code execution" by OnehundredthCoin in
- Published on 2 Oct 2024
- This is a tool-assisted speedrun. For more information, see tasvideos.org/...
TAS originally published on 2024-06-22
The current Super Mario Bros. speed record ( tasvideos.org/... ) executes precise movements for a highly technical title.
This movie by OnehundredthCoin ( tasvideos.org/... ) achieves total control by setting up modified RAM within Super Mario Bros. 3 ( tasvideos.org/... ) in less than a second, switches carts around and proceeds to play a normal run of Super Mario Bros. at least on the surface. For a more technical explanation please read the submission comments ( tasvideos.org/... ) or watch the author's explanation on TH-cam ( • How Bad Apple was play... ). For more runs that involve arbitrary code execution, see our published list of movies which execute arbitrary code ( tasvideos.org/... ) as well as discussion in our forum ( tasvideos.org/... ).
--------
This video includes the song "Bad Apple!!" from Touhou Gensoukyou ~ Lotus Land Story (東方幻想郷 ~ Lotus Land Story). The song was originally composed by ZUN then arranged by Masayoshi Minoshima (Alstroemeria Records). It was sung by nomico with lyrics from Haruka.
The music video shown was created by あにら (Anira).
If you've enjoyed what you've watched, you can view the original music video on TH-cam ( • [Alstroemeria Records]... ) and purchase the 10th Anniversary Album from Alstroemeria Records vendors ( alst.net/arcd0... ).
--------
You can watch this movie played back on real hardware here ( • TAS - Super Mario Bros... ) or watch back a live hardware capture here ( • SMB Bad Apple live rec... ).
#tas #tasvideos #toolassisted #toolassistedspeedrun #speedrun
Every visual interface eventually runs Bad Apple and every control interface eventually runs Doom
If it runs, it runs Doom.
If it renders, it renders Bad Apple.
If it produces audio, it produces Through The Fire And Flames.
That's the golden media rule.
If it can render two colours, it can play bad apple.
@@finalman9930 if it exists, it can be recreated in Geometry Dash
@@finalman9930 I thought it was Megalovania for audio
@@EMLtheViewer a mix of both, perhaps?
Those speedrunners weren't lying, that arbitrary code can execute
that nose can smell
If you wish to run this category yourself RTA, all you need to do is memorize the 5.8 million inputs, and press the buttons at a rate around 25 kilohertz.
Unrelated, I absolutely need full documentation on how audio works on this
I refuse to believe that a 1.79 MHz 6502 without an advanced mapper is capable of running this kind of audio, heck not even MMC5 could do it
@@ssg-eggunner The NES is capable of playing 7-bit PCM samples but it's almost never used because you need to constantly feed it data, it takes up almost all of the CPU time
Sethbling: challenge accepted!
@@ssg-eggunner The guy that made the tas has a video explaining how he did it (didn't realise the comment was from "the guy" lmao)
@@samkostka126 and yeah that's the thing
It eats up too many cpu cycles and yet it still manages to run alongside the smooth animation
It's still unbelievable since all this has is controller inputs and a 1.79 MHz 6502 to run it
You might have missed it, but he's actually playing mario bros 3 for the first tiny bit of the tas.
It's for entering the world N
The original creator did a video about it explaining how SMB3 cart swap ACE works.
I'm just confused how he got a movie file that is able to swap between two different ROMs.
@@MrCheeze He made a modified build of Bizhawk to do that in the middle of making TAS
@@ЕленаЗахматова-ц1з makes me wonder when they will add that to the stable version.
The speedrun clocking in at 4:52 is just the icing on the cake for an incredible ACE showcase.
Mario actually hits the axe at 4:53, though I guess the timing here ended at final input.
Kosmic’s gonna be so maaaaaaad!
The idea that it's possible to turn one game into something wholly different just by hitting specific button combinations at an inhuman rate baffles me
You might enjoy the pokemon yellow pijack version then
-start
-collect a mushroom then a fire flower
-hop all your way through everything, enemies and obstacles
-reach to the castle
-run towards Bowser and take damage
-everything turns dark for a second
-badapple.mp4
-everything returns to normal
-cut the bridge and defeat bowser
-walk slowly towards the princess
-refuse to elaborate any further
"Everything returns to normal"
Relatively speaking.
@@michaelgoff4504 he doesn't know about hard mode.
Bad Mushroom
Very bad one 😮
Also known as Poison Mushroom
Peach: "Mario, what the heck was that?"
“abeepadabopatabopataboodu!” (bljs into the sky with the princess in tow)
That was the effect of eating a bad apple.
Well excuse-me princess
I would've laughed a lot harder if Bad Apple wasn't the thumbnail. I love unexpected Touhou hijack moments.
Arbitrary code TASes never cease to amaze me. Extra hilarious how it returns to the game as normal afterwards 🤣🤣
The fact that N-2 was just 8-4 without the loop and then cutting to Bad Apple got me good.
You've gotta be KIDDING ME.
"A game for kids and grow-ups"
@@CronoTrapTV *"Nobody said you can't join us Arthur."*
The references in this reply section
Is this using the Nes's 7-bit audio? If so, then that's pretty impressive.
I’d assume so
Yes it is!
Indeed it is! The creator has a TH-cam channel called 100th Coin where they uploaded an explanation video, and I could be misremembering but they might be preparing to make another video going more in-depth on the audio? In short, they're streaming data one bit at a time to the DPCM channel from the controllers.
I assume it uses the controllers as input, which doesn't require a *massive* memory bank in the NES, instead coming from whatever inputs the TAS has stored, which is much more reasonable.
What an odd data transfer protocol.
The last version of Bad Apple on NES I've seen used a soundchip appropriate remix, but wow, the audio is so clean here!
the audio isn't from the nes, it was edited in. if the audio came from the nes it would take hours or even days to run the arbitrary code
@@nmac101 no, it's coming from the nes. the hardware can play samples, it just takes absurd storage and lots of processor time. of course when the processor is doing nothing but reading the controller as fast as it can and shoving data into the ppu and audio subsystem, it's a lot more possible.
@@keiyakins So you're telling me we can make a music player within the confines of Super Mario Bros. 3?
@BetterCallBigShotAutos its more like mario 3 is the needle to a record player and you're actively scratching in the audio (and video) right behind the needle. the only actual storage on the NES is the RAM because that's the only thing to read and write to.
That wasn't even a nes. Just an edit.
The result is a throwback to the demo scene :-) excellent !
It took me longer than it should to realize that it's using sprites and letters to approximate the curved areas of each frame that can't be represented with just the fully white and fully black squares
Same, it’s so much more impressive once you do!
The Bad Apple!! Meme has been getting stronger as of late. From DOOM to Bad Apple!!, we are getting the full course of "but can it run this?"
can doom run bad apple
can bad apple run doom
Playing PCM through arbitrary code execution is amazing.
Holy shit (literally "sacred poop")
I love how the "holy shi-" is tacked on at the end
"Holy poop" lol
That's right. You listen to this Famicom music without any compression. Famicom music is sometimes lo-fi, but that's what makes it cool and cassette-like, isn't it?
I'm amazed that Miyamoto managed to keep this whole sequence hidden in the game for nearly forty years. Excellent find!
Me too!!!!!!
Me too
I love how it is allowed to change cartridges, that's galaxy brain type of moves
didnt know the NEW was capable of this sound quality. must be really quick to switch game carts (from a hacked smb3 to smb1) in less than a second IRL
it is indeed, however as you might imagine it is EXTREMELY power intensive
It is capable
The thing is, its very CPU intensive
So it boggles my mind that with a 1.79 MHz 6502 & 2 KB of RAM, this kind of audio could be done
*the NES
IIRC there is a video of behind the scenes. The Wave samples are streamed via the controller inputs in addition to the sprite ID’s used for the graphics
@@ssg-eggunner Bit depth vs sample rate. I kind of understood that sample rate tends to be more important, but this really blows it out of the water.
This is an amazing achievement. If you want to support the author, he also made a game that deserves some extra visibility. _Fantastic Fist_ was made over 8 years and it's a unique-mechanic pixel platformer like _Celeste._
Starts as Super Mario Moonwalker, then turns into Bad Koopa.
You know, this doesn't look like the copy I had for Super Mario Bros.
Every copy is personalized! ^^
@@Alexs23743 yep
Imagine a kid playing smb1 on 1985 and they suddenly see bad apple play on-screen
while they accidentally precisely input button presses at an inhuman rate
@@fry_fr the child is from one of those "my 2 year old child just said" twitter posts
@@thecatacombhimself lmfao
This is at the same level as the Pokemon Yellow TAS made by MrWint
Awesome
Was that SMB3 at around 0:02?
Yes it was
I've seen arbitrary code executions before but this one somehow seems a cut above.
🍎
Yes
Yes
🍏
@@XanthinZarda 🍎🍎🍏🍏🍏🍎🍎🍏🍎🍏🍏🍏🍎🍎🍎🍏🍏🍏
🧙
imagine pulling off ACE in a modern game like Pokemon Sw/Sh or Odyssey
The switch is gonna blow that's for sure
sadly not possible due to hardware restrictions, but you could theoretically find a way to execute pre-existing code snippets (also known as "gadgets") by jumping to them in a way that allows something useful to happen
Hey i know you!
When Bad Apple shows up, I show up hahah. God tier TAS.
TAS, Mario and Touhou
Three of my huge hyper fixations in one!
Starting from a completely different game is no different from starting from SRAM tbh.
To be fair, SMB3 doesn't have SRAM, and the bootstrapping game still needs to be played from power-on as well. iirc cartswaps were allowed in some categories since Pokemon Gen 1 started to be used for cartswap exploits on the Game Boy. You don't even need to hurry with the swap on that console, you leave a payload in RAM that waits a while for you to do the swap. The NES CIC will reset the console if a cart isn't present for around half a second, which is why those are almost required to be TASed.
@@parzivalwolfram7084 Resetting doesn't clear RAM though I don't think, it's up to the game to do it. There's a human-viable cart swap going from Tennis to SMB1 to start at an arbitrary world number
For a bit of extra context, this TAS was originally submitted as "starting with SRAM" since the current build of bizhawk doesn't natively support cartridge swapping.
Super Mario bros. still runs the routine that clears RAM, it just missed a few spots. The payload is written entirely in uninitialized RAM.
@@samkostka126 It doesn't reset it all at once, true, but the CIC reset period is plenty long enough for some bits to decay, which ones and how many is down to individual consoles.
...I don't know what to believe anymore
bad apple censored edition
heeeeeeeeeeEEEEEEEEEEeeeeeeeeel naw
1:17 - 4:52 Audio Is Played On PCM
Bad Apple in SMB1
But can it run Doom though?
it can play a video of doom
Someone needs to figure out how to escape the emulator sandbox from super Mario bros and pass controller inputs into an actual copy of doom
@@DogsRNice
Id imagine the cve like this:
CVE-N3SD00M3D-2024
Emulator Virtual Machine escape exploit that can be used to load a program (doom used in example) using Ricoh 2A03 Bytecode and interact with the outside OS
@@fluoriteByte For NES, that happened in 2016, look up "[0day] [exploit] Compromising a Linux desktop using... 6502 processor opcodes on the NES?!" by Chris Evans. For N64, a similar exploit was unveiled in multiple popular N64 emulators this year, as an April Fool's Day TASVideos submission of a TAS of Paper Mario which escapes the emulator and blue-screens the Windows PC.
Funny enough I've never seen anyone attempt to make an nes version of doom, I guess the hardware is just incapable of running a ray casting engine?? However there is doom on zx spectrum
Ok this is the funniest shit I've seen, the video is being played inside of an actual game, and if you take a look at it you can see the video is using the tile sprites to render the whole video
Saw that thumbnail, immediately clicked. Had to see that in SMB.
That's another Bad Apple engine checked off!
The fact that its is theoretically possible to do this shit is fucking hilarious to me. Beautiful TAS
That ending made me laugh hard. Superb!
We got Bad Apple in Super Mario Bros before GTA 6
Anime jumpscare
Touhou is not an anime
Did you just call Touhou “anime?”
@@okuu_utsuho yes
@@Just_an_random_who_likes_stuff I don't watch touhou I just like the cute fumoa
@@Just_an_random_who_likes_stuff ok but the art style is anime
This is the most technically impressive run I have ever seen, holy
We have now smb1, smb2, smb3, smw, smw2:yi, sms. Next is Super Mario 64!!!
I can't wait to see speedrunners play Bad Apple in OoT using SRM, that'll be fun
Yea this happened to me once when I was fighting bowser
this happened to my buddy eric
dude, I almost knocked My chair over when I read "4:52" I thought it was a kind of wrong warp 💀
We're approaching levels of Mario not meant to be experienced by mortal man
People in the 80s seeing this be like: What the hell, I was trying to play Super Mario Bros. What is this
I love arbitrary code execution tas!
the end of the video is practically a punchline after the whole thing. Just, blipping right the fuck in to normal-ass SMB like none of that shit even happened. Hit me like a sack of bricks.
bad goomba
Now run Doom
Funny thing is that user “Coin 100th” has already done that before via the demonstration video.
i refuse to believe the animation is running on this game...
I’m more surprised about the audio instead of the animation tbh
There’s a console verification link in the description to prove that it’s possible on console
@@jeroenboth167 Same here, is that audio actually coming from the NES? I can't imagine the little 2A03 chip is doing all that work. It's gotta be constant DPCM samples or something for the video to be able to play over it at all, but even then, I'd expect the quality to suck.
It's so cool for that music to be playing on a NES that I'm not sure if it's actually happening or not, haha.
@@ImSquiggs The audio is indeed coming from the NES, the author made a TH-cam video explaining how it all works if you're interested
@@Vexxter I am very interested and will be hunting that down right now, great shoutout, thanks friend!
I was expecting anything but Bad Apple
HOW the audio is THIS CLEAN???
A lot of effort went into the audio for this TAS, specifically finding ways to continuously play audio while updating the graphics in order to avoid clicks. The bulk of the audio playing code happens in a 25 Kilohertz loop, which explains most of why the audio is as good as it is. 25 Khz audio is pretty good coming out of the NES.
How is it possible to store the video on a NES? I think that the tas injects inputs during the video playing to transfer the frames.
Yes, Exactly.
Not just the frames. It's inputting the audio too.
I'll ask a very simple question. How does a vanilla copy of SMB3 and SMB1 play that video? Stuff like this is what made me believe the Triforce % in OoT was fake because in credits it had the names of the people who made those outfits & the Twitch chat thing.
In short, what i'm saying is.. imagine the Bad Apple YT video didn't exist yet and Twitch didn't exist also. Are you saying that these are still possible, in vanilla software and games?
Simple questions can sometimes have unfortunately complex answers.
To make a long story short, yes this is possible with an unmodified cartridge of Super Mario Bros.
"How does a vanilla copy of SMB3 and SMB1 play that video?"
The biggest point of confusion here is "where is the music video coming from?" Obviously the original cartridge doesn't have that video there, and the video is way too large to fit into the NES's 2 KiB RAM.
You probably noticed this run was in World 'N'. When you defeat bowser with fireballs, he gets replaced with a different object depending on what world you are in. In the case of world 'N', bowser's object is replaced with an "invalid object ID", but the game still tries to execute whatever code that object would execute. This ends up executing RAM as code. The specific bytes that get executed are never written to inside SMB1, so if I use another game to manipulate those bytes (in this case, I used Super Mario Bros. 3) I could write anything there and execute it.
The code that I write while running SMB3, and execute after defeating bowser is a loop that reads data from the controller ports, and stores it at a target location in RAM. After defeating bowser, this allows me to completely overwrite everything in RAM with my own custom code. I write code for reading the controller some more and interpreting the button presses as graphical and audio data. I actually have a video on my youtube channel breaking down how this run works, and specifically how I'm interpreting button presses as graphical and audio data if you're interested.
Keep in mind, the NES controller can be read way more than just once per frame. During the music video, I think I read the controller on average 500 times per frame. About 100 of those are graphical data, and the remaining 400 would be audio. In order to play the entire music video, I read the controller around 5.8 million times.
In summary, any exploit allowing a loop of controller data to be stored at a target address can allow for pretty much anything to happen as long as it's within the hardware restrictions of the console. Triforce% works in pretty much the same way. There's a great explanation of that run by Retro Game Mechanics Explained that talks about how they got twitch chat to be streamed through the controller ports. In fact, the Games Done Quick TASBlock has streamed data from twitch chat through the controller ports on several occasions.
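As an added illustration of the loader loop 100thCoin describes (my code, not the author's or the TAS's), here is a Python model of the controller port being polled bit by bit and each assembled byte stored at an incrementing RAM address. The target address, the sample payload bytes and the MSB-first bit packing are constructed assumptions, not values from the run.

```python
# Added example (not 100thCoin's code): a Python model of the stager loop described
# above, which polls the controller port and stores each assembled byte at an
# incrementing RAM address. Constructed assumptions: the target address, the sample
# payload, and packing the 8 serial reads MSB-first (A in bit 7, Right in bit 0).
from collections import deque

# Order in which a standard NES controller returns its button bits after a strobe.
BUTTONS = ("A", "B", "Select", "Start", "Up", "Down", "Left", "Right")
RAM_SIZE = 2048          # the NES has 2 KiB of internal RAM
TARGET = 0x0700          # constructed target address for the staged bytes
# Constructed sample payload: LDA #$00 / STA $4011 in 6502 encoding.
SAMPLE_PAYLOAD = b"\xa9\x00\x8d\x11\x40"


class ControllerPort:
    """Models the $4016 port: a strobe latches the next poll's button set from the
    movie, then each read returns one button bit; reads past the 8th return 1."""

    def __init__(self, movie):
        self.movie = deque(movie)   # one button set per controller poll, like a TAS movie
        self.latched = frozenset()
        self.shift = 0

    def strobe(self):
        self.latched = self.movie.popleft() if self.movie else frozenset()
        self.shift = 0

    def read(self):
        if self.shift >= 8:
            return 1
        bit = 1 if BUTTONS[self.shift] in self.latched else 0
        self.shift += 1
        return bit


def poll_byte(port):
    """One poll: strobe, then eight serial reads shifted into a byte (A = bit 7)."""
    port.strobe()
    value = 0
    for _ in range(8):
        value = (value << 1) | port.read()
    return value


def stager(port, ram, target, length):
    """The bootstrap loop: poll, store at target, advance, repeat for `length` bytes.
    Returns the number of controller polls consumed."""
    for i in range(length):
        ram[(target + i) % RAM_SIZE] = poll_byte(port)
    return length


def encode_movie(payload):
    """Turn payload bytes into the per-poll button sets a TAS movie would hold."""
    return [frozenset(BUTTONS[i] for i in range(8) if b & (0x80 >> i)) for b in payload]


def run_demo(payload=SAMPLE_PAYLOAD, target=TARGET):
    """Stage `payload` into a blank RAM image through the port; returns (ram, polls)."""
    port = ControllerPort(encode_movie(payload))
    ram = bytearray(RAM_SIZE)
    polls = stager(port, ram, target, len(payload))
    return ram, polls
```

Each staged byte costs one strobe plus eight reads, which is why a full music video needs millions of controller reads even though the loader itself is tiny.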
@@100thCoin Thank you for the explanation!
this is unreal to see on an NES
YESS!!! WE TECHNICALLY BEAT THE WR!!!!!!!
now this is peak content
mfs in 2050 when their heart monitors play bad apple
This looks like something from a dream lmao
You literally have to hack the game to integrate Bad Apple into it 😊
Bowser: that blasted plumber has foiled my plans for the last time! Now I know all his tricks and am prepared for anything.
Bowser: ...
Don’t you just hate it when you’re at WR pace then suddenly Bad Apple plays right before you stop timer?
This is fucking amazing
1:15 how to defeat Bowser in World 23-2
So this is what mario sees when he eats a poison mushroom?
Wow, does this work on actual hardware on only in an emulator?
Check the description for a console playback.
@@Spikechive Thanks, I must be blind.
Of all of the Bad Apple!! videos I've seen and collected, this will go down as the pinnacle.
Does anybody know if the music was added in or somehow played?
it was played yea
dear god.
741 views in 1 hour? They cooked
Why is it called arbitrary code execution, when it's obviously thoroughly planned out?
The arbitrary part, from what i remember, refers to "things not originally programmed into the game" so pretty much anything different from what the game's supposed to do counts.
It can be thoroughly planned out *because* it's arbitrary. If it's not arbitrary, i.e. the code that can be executed is limited / predetermined, there would be nothing to plan out.
Since when does smb1 have ace??
Almost all NES, SNES and N64 have ACE
It's only a matter of time to discover them and pull out the most unbelievable sht ever
hell yeah
NOWS YOUR CHANCE TO BE A [[BAD APPLE]]
I never imagined that a speedrun would end up with this ending, basically this video invented the bad apple status in a game.
It started in World N instead of World 1. How? Why?
There's a very brief 47 frame TAS of Super Mario Bros. 3 that runs immediately before swapping cartridges to Super Mario Bros.
The SMB3 TAS is used to manipulate RAM such that SMB1 can begin in world 'N', and it's also used to store a payload in uninitialized RAM, which will execute after Bowser is defeated.
@@100thCoin I loved your video explaining the tas!!! Great work
Hey, i also just installed bad apple on my vita
At this point Bad Apple better play on my goddamn tombstone
I see bad apple I click
The audio is okay, but sounds like it's being played by... Oh... Oh my God... 😮
Mario: I’m-a gonna throw this-a apple in the air in order to defeat-a Bowser.
Peach: *WHAT THE HELL? IS THE BUTTERFLY EFFECT GONNA WORK NOW, MARIO? AN APPLE IS SIMPLY-*
The apple:
wtf happened to my mario
what is happening
what the fuck, and you’re saying he did all this with the 8 buttons provided to you not even like hacking or sum
this is certainly one of the bad apples of all time
now execute the TAS on real hardware
Description. It's been done on real hardware.
He didn't want to speedrun Super Mario Bros., he actually wanted to play a music video on it!
I swear that the day the community of the wonderful creative human minds that manipulate computer hardware and code and execute arbitrary code within it in unconventional ways just for research and fun dies, is the day that the entire purpose of computers dies.
Was incredible up until the techno song became some anime weeaboo nonsense
wait until you learn that the techno song in question is also anime weeaboo nonsense
Who invited the Touhou Project into Super Mario Bros. 1, and is this how the video ultimately landed on my sidebar, even though I've also seen many non-TH arbitrary code videos before on this channel? xD
And then, Mario has a score of 9,999,990 despite the lack of Cirno in the video. That's one weird way to flex on Bowser!
N of Netherrealm?
And so a new portal to Gensokyo was opened, by colliding with Bowser
Touhou X Mario