How an emulator-fueled robot reprogrammed Super Mario World on the fly

In the world of personal computing, hacks that exploit memory errors to allow for the execution of arbitrary (and often malicious) code are far from surprising anymore. What’s more surprising is that such “arbitrary code” bugs are also present on the relatively locked-down computers inside of video game consoles.

This was demonstrated quite dramatically last week at Awesome Games Done Quick (AGDQ), an annual marathon fundraiser that this year raised over $1 million for the Prevent Cancer foundation. The event focuses on live speedruns of classic games by human players and included a blindfolded Mike Tyson’s Punch-Out!! run that ranks among the most impressive live video game playing performances I have ever seen. The most remarkable moment of the weeklong marathon, though, came when a robotic player took “total control” of an unmodified Super Mario World cartridge, reprogramming it on the fly to run simple versions of Pong and Snake simply by sending a precise set of inputs through the standard controller ports on the system.

The two-and-a-half minute video of this incredible exploit is pretty tough to follow if you’re not intimately familiar with the state of emulator-assisted speedruns. At first, it looks like the game must have been hacked in some way to allow for things like multiple on-screen Yoshis, item boxes that spawn multiple 1-ups, and the ability for Mario to carry items while riding on Yoshi. In actuality, these seeming impossibilities are just glitches that have been discovered over the years through painstaking emulated playthroughs by the community at TASVideos (short for tool-assisted speedrun videos).

Most of these glitches are impossible or near-impossible for a human to perform in the course of standard gameplay since they require intricate patterns of inputs that have to be entered precisely at specific frames of in-game video (i.e. within 1/30th of a second). It’s only through the emulators that allow for input recording and single frame pausing and advancement (not to mention sometimes intense Lua scripting) that these glitches were discoverable and replicable. Still, it’s important to clarify that everything happening in the video is the result of the standard Super Mario World software responding to conventional button inputs—this isn’t the result of Game Genie-style external memory editing or the like.

Massaging the memory

It’s at 1:39 in the video where things really start going pear-shaped, as the fabric of the game’s reality comes apart at the seams for a few seconds before inexplicably transitioning to Mario-themed versions of Pong and Snake. Understanding what’s going on here requires some deep knowledge of the Super NES’ internal sprite and memory management, which is explained in detail here and here.

Suffice it to say that the first minute-and-a-half or so of this TAS is merely an effort to spawn a specific set of sprites into the game’s Object Attribute Memory (OAM) buffer in a specific order. The TAS runner then uses a stun glitch to spawn an unused sprite into the game, which in turn causes the system to treat the sprites in that OAM buffer as raw executable code. In this case, that code has been arranged to jump to the memory location for controller data, in essence letting the user insert whatever executable program he or she wants into memory by converting the binary data for precisely ordered button presses into assembly code (interestingly, this data is entered more quickly by simulating the inputs of eight controllers plugged in through simulated multitaps on each controller port).

This same general method of using memory addressing errors and tool-assisted controller inputs to alter the way a game plays has been demonstrated on a number of other titles, including Battletoads, Kirby’s Adventure, and Crash Bandicoot 2. In fact, the essential proof-of-concept for the Super Mario World “arbitrary code” glitch was first demonstrated and confirmed by the TASVideos community last April.

For the most part, though, these memory-corruption efforts are used to simply jump the game’s state to the “ending” movie, thereby “completing” it in a much shorter time than is usually possible. This new Super Mario World TAS sets itself apart by using its total control of the system to actually program a new game on top of the existing one (this TAS of Pokemon Yellow does something similar, using the game as a stage to choreograph a pi-themed song-and-dance number).