Glorious Super Mario World Hack

I’m a huge fan of hacking, which should be made obvious by my yearly pilgrimages to Defcon. Although I’ve seen many hacks that have impressed me few have impressed me as thoroughly as this one:

It’s at 1:39 in the video where things really start going pear-shaped, as the fabric of the game’s reality comes apart at the seams for a few seconds before inexplicably transitioning to Mario-themed versions of Pong and Snake. Understanding what’s going on here requires some deep knowledge of the Super NES’ internal sprite and memory management, which is explained in detail here and here.

Suffice it to say that the first minute-and-a-half or so of this TAS is merely an effort to spawn a specific set of sprites into the game’s Object Attribute Memory (OAM) buffer in a specific order. The TAS runner then uses a stun glitch to spawn an unused sprite into the game, which in turn causes the system to treat the sprites in that OAM buffer as raw executable code. In this case, that code has been arranged to jump to the memory location for controller data, in essence letting the user insert whatever executable program he or she wants into memory by converting the binary data for precisely ordered button presses into assembly code (interestingly, this data is entered more quickly by simulating the inputs of eight controllers plugged in through simulated multitaps on each controller port).

What makes this hack so impressive is that it didn’t rely on any emulator glitches. Instead the hack was performed on an actual Super Nintendo using only a standard controller as an input device:

Last week’s Awesome Games Done Quick “total control” demo is also notable for being run on actual, bare-bones SNES hardware rather than on an emulator (as is standard with most TAS videos). The robotic player at the event was powered by a Raspberry Pi hooked up to a special adapter (mounted amusingly to an NES R.O.B. controller) that let the computer send its preprogrammed controller inputs into the controller ports at superhuman, frame-level speed. Thus, the demonstration proved that this exploit was present in the actual system and cartridge released by Nintendo and not some sort of artifact of faulty emulation. That isn’t a foregone conclusion, either, as syncing up the vagaries of split-second timing and memory management between real and emulated hardware are not trivial (this is yet another area where the idea of perfect emulation accuracy might come in handy).

I can only tip my hat in awe at the sheer quality of this hack. Here is a video of the hack: