These TAS runs are pretty cool, but from a pure coding standpoint, I think the Dream Devourer healing trick in Chrono Trigger for the Nintendo DS is more interesting because it relies on nothing other than a common variety bug that can be reproduced by a human user without external tools and on the real device:
The boss's hit points are close to the limit of a 16-bit integer, so you can cast a healing spell on it, overflow the int to get him to negative hit points and then kill him with any successful attack.
PS. I've been seeing these CloudFlare error messages all over the place the past week; it doesn't really paint a great picture of CloudFlare when I'm constantly trying to view content and seeing an error message with strong CloudFlare branding telling me I can't see it, regardless of whether or not it is CloudFlare's fault that I can't currently see it.
Speaking of overflows, the original Quake stored kills as a signed 16-bit integer, and there's no minimum time delay between typing 'kill' in the console (though, IIRC, the network code syncs at 10 Hz, which may be the effective ceiling).
At an overnight LAN party in my youth, I bound every key to kill and sat there for an hour hammering the keyboard; the overflow worked as expected and my kills turned positive, much to my delight.
But I recommend either taking my word for it, or reading the source!
Not that it often seemed to work very well, but you could bind aliases into simple loops (IIRC, this has been a number of years!) which may have made things faster for you.
I made loops that would make the letters in my name capital and lower case repeatedly (not knowing how to do this 'properly'). The result was an animated name, and usually a hung server :)
There's an infamous underflow glitch in Pokemon R/B/Y.
The minimum level for a Pokemon in the game is lv. 2. If you get a lv. 1 Pokemon (need to use another cool glitch for that), and that Pokemon gains EXP that's not enough to hit lv. 2, underflow occurs and it gets billions of EXP, and hits lv. 100 immediately.
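Three of the comments above (the Dream Devourer heal, the Quake frag counter, and the level-1 EXP gain) describe the same two bugs: signed 16-bit wraparound and unsigned modular subtraction. Here is an added C example that reproduces that arithmetic in isolation next to a checked version. It is constructed for this thread, not code from Chrono Trigger, Quake or Pokemon; the field widths, starting values and heal amounts are assumptions, and the specific game logic that triggers the R/B/Y underflow is not modelled.

```c
#include <stdint.h>
#include <limits.h>

/* Constructed example; HP and frags are modelled as signed 16-bit fields,
   EXP as an unsigned 32-bit one. None of this is the games' real code. */

/* Two's-complement wrap of a 32-bit value into int16_t, written out so the
   result does not depend on implementation-defined narrowing conversions. */
static int16_t wrap16(int32_t v)
{
    v %= 65536;
    if (v < 0) v += 65536;                 /* now 0..65535 */
    return (int16_t)(v > INT16_MAX ? v - 65536 : v);
}

/* Naive heal: the heal amount is added straight into the 16-bit HP field,
   so a target sitting near INT16_MAX wraps to a large negative number and
   the next successful hit "kills" it. */
int16_t heal_naive(int16_t hp, int16_t amount)
{
    return wrap16((int32_t)hp + amount);
}

/* Hardened heal: do the arithmetic in a wider type and clamp to the field. */
int16_t heal_saturating(int16_t hp, int16_t amount)
{
    int32_t sum = (int32_t)hp + amount;
    if (sum > INT16_MAX) return INT16_MAX;
    if (sum < 0) return 0;
    return (int16_t)sum;
}

/* Frag counter: each suicide decrements a signed 16-bit field. After 32768
   decrements it sits at INT16_MIN; one more wraps it to INT16_MAX. */
int16_t frags_after_suicides(uint32_t n)
{
    int16_t frags = 0;
    for (uint32_t i = 0; i < n; i++)
        frags = wrap16((int32_t)frags - 1);
    return frags;
}

/* Unsigned "underflow": subtracting a larger unsigned value from a smaller
   one is well-defined modular arithmetic in C, which is exactly why it
   yields a value in the billions rather than an error. */
uint32_t exp_sub_naive(uint32_t have, uint32_t need)
{
    return have - need;
}

/* Checked form: report the underflow (-1) instead of producing a huge value. */
int64_t exp_sub_checked(uint32_t have, uint32_t need)
{
    if (have < need) return -1;            /* would underflow: refuse */
    return (int64_t)(have - need);
}
```

The two fixes are the standard ones: widen before you add (or use a compiler's checked-add builtin) and clamp, and compare before you subtract unsigned values. The same pattern applies to any counter or quantity a user can push toward a field's limit.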
In Lufia 2, a SNES JRPG, there is a boss called the Giant Jelly, which disappears after three rounds. If you don't kill it in this time, you don't get the reward. However the ending condition isn't defeating the jelly, it's just the battle ending. So if you kill all your characters, the battle will end and you'll get the reward. One of the unique things about this is it's in a special 'battle tower' called the ancient cave, so dying after the final battle doesn't trigger the normal "game over" state.
I guess the boss battles are much longer in X and X2, and X2 also has the shoryuken instant-kill attack, making the games more "synced up" so to speak. So it makes for an overall more entertaining video, even if it was perhaps easier to do.
Controls are also much tighter on Megaman X and X2, so it's much easier to see that everything is synced up.
That's fantastic. I'd love to see something like this for Metroid: ZM and Super Metroid. Be especially interesting if they also managed to sync up areas at some point.
Only related to the original topic because they both are part of the series, but seeing that video... When I was younger we played Lost Levels on the SNES (Mario All-Stars had it) and I remember it being too hard to get anywhere. I hadn't even seen most of those levels.
I never beat the first SMB either but I have to wonder if they had made the original as crazy as Lost Levels if it would still be so popular. I know other games had insanity (Battle Toads) and people beat them but they don't seem to have Mario status.
The real SMB 2 (a.k.a. Lost Levels) wasn't released in the US precisely because of its difficulty. Nintendo of America knew that US audiences wouldn't appreciate it (but Japanese audiences did). That's why instead they did a sprite-change on Yume Kōjō: Doki Doki Panic, and released that as SMB 2 in the US.
That's explained in one of the threads linked: "I spawned two Yoshis by hitting the block with Mario and the p-switch at the same time. I jumped on one Yoshi, got the p-switch in his mouth and let him die, so the second - invisible - Yoshi becomes visible and has a null sprite in his mouth."
Most emulators are not accurate. This makes some games' behavior quite unexpected. Here is an article describing the issues and how so much processing power has to be devoted to achieve full rendering
They have, but note the corollary to 'perfect emulation takes huge amounts of computing power': imperfect emulation can often be done cheaply.
The question for WBE is whether brains are the very rare SNES game which must be perfectly emulated to work at all... or one of the others. The success of machine learning stuff like deep belief networks, while using a fraction of the brain's computing power and minimal biological plausibility, suggests human brains aren't very special snowflakes.
Far from it. Many emulators over the years have had small but important quirks, and although they generally don't affect normal gameplay they _may_ affect this sort of thing, after all this is depending on the precise behaviour of the PRNG and how many times it has been called.
There are techniques out there for running TAS input files against real hardware for most of the common platforms. Some of the TASes on tasvideos.org are specifically flagged as "console verified" [1], indicating that someone's confirmed that they don't depend on emulator quirks.
Though a word in my defense, it's not specifically a re-post. The one listed here and the one I posted deliver a PI Day package in 3 minutes and 14 seconds.
All these TAS videos make me jealous I never recorded my corrupted speedrun of Willow for the NES. The game was similar to Zelda 1, a tile-based world. There was a code[1] that allowed you to access and change what tile Willow was on at any given moment. Basically teleport to any room in the game. The on-screen enemies would teleport with you. A crazy mixture of moving to certain rooms with certain enemies would trigger the game's final battle sequence with an easy-to-defeat weak monster, causing you to beat the game in under 10 minutes.
If anyone here on HN knows of anyone out there making a vid of this, please tell me. :) I can't remember how to do it anymore.
Not sure whether you mean the debug mode or the Game Genie code here, but both of these would be considered off-limits to most TASes. The former because it involves starting with a password (equivalent to starting from a save game, if I understand correctly?), and the latter because GG codes modify the game you're playing.
I knew about that code, but I never knew you could use it to jump to the end.
Come to think of it, I never actually got very far with that game. I should re-play it. I always got bored and started warping around the game at random.
Japanese communities tend not to be as coherent (to the best of my knowledge), comprising mostly independent, anonymous runners posting on http://www.nicovideo.jp/ or other sites.
That's a nifty run. I like the similar one for Super Mario Land 2 on the Game Boy: http://www.youtube.com/watch?v=fZqEcVg8Ei8 . Mario busts out of the level boundaries and punches out the block that holds the "victory?" flag.
That one I hadn't seen before. It appears to use a similar technique, except much simpler. (Not surprising, given that the GB has much less RAM than the SNES.)
I wouldn't really call this "corrupting the RAM". It's not "corrupting" it more than running any other code; it's just taking advantage of certain states.
(I'm not saying it's not extremely impressive. It is. It's just slightly misleading wording)
Edit: Downvoters: Did I misunderstand something? I read it again along with the original forum post, and it seems pretty clear that this could theoretically be done on an original SNES, without any tools, it's just impossibly hard in practice. So how is it "corrupting"? You wouldn't call a buffer overflow attack "corrupting RAM", even though it's based on exactly the same principles. And you certainly wouldn't call playing the game normally "corrupting the RAM", even though it's manipulating the RAM in the same way.
Memory corruption is generally defined as occurring when the contents of RAM are modified in a way not intended by the original programmers. [1] Under this definition, buffer overflow attacks would certainly qualify, as would this exploit.
But the memory contents aren't actually being modified in an unintended way. They're only being used in an unintended way. The random number generator is supposed to tick this way, and the sprite data is supposed to work this way. The key exploit is in getting the game to run a subroutine at the wrong time, so that it uses the valid memory contents as code and skips to the end.
There are other mario games where you can go out of bounds into memory and start flipping bits. That is memory corruption. Here I don't think the term applies.
I disagree this exploit is like a buffer overflow. It is more like uploading code to a buffer within its bounds (no overflow), and then triggering a jump to that buffer. The only corruption part is getting Yoshi to wrongly think he has something in his mouth, which wasn't the novel part.
I don't see the word `corrupt` putting us that far afield than using `manipulate`.
Merriam-Webster defines corrupt as "to alter from the original or correct form or version".
You're probably getting downvoted for what's become a common attitude on HN: overly critical for no reason. At best, your only contribution was to correct "slightly misleading wording" (in your opinion).
When I think about it, I guess my reaction was mostly because the title says Super Mario was completed "by Corrupting the RAM" (the keyword being "by"). To me, that sounds like the exploit was done by corrupting the memory outside of the game. Like an external program that would modify the RAM or by going in on the physical layer somehow.
This feels more like it was completed "by exploiting corrupted memory". So I was a bit confused when reading the article at first. But I'm fine now :)
The Pokemon Yellow one is more interesting. Somehow the player (programmer?) removes the item limit in his backpack, and his backpack overflows and shows the program code as an item list.
Then he reprograms the game by rearranging items. He even buys new items for different opcodes!
Have an NES game you're particularly fond of? Load it up in the latest fceuxdsp and start playing around with the debugger, RAM/ROM/PPU viewers, trace logger, etc. Try to figure out where the level data is stored in the ROM, how it's loaded into RAM and converted into name tables, how the game logic works, etc.
The NES uses basically a 6502, which is 8-bit and has a limited instruction set, so it's totally grokkable. It's fun since it's a real game, too, instead of some toy example from the web.
I've been spending a few weekends dissecting MCKids[1], trying to dump level images for TCRF, with great results. It's my first time doing this, so it's hard, slow work, but the breakthrough moments are absolutely worth it.
I'll bet the details took a lot of work but conceptually it isn't hard to understand at all. There is a bug which causes the game to jump into a bad address. The goal then becomes to manipulate the game so that this bad address happens to contain valid code, then trigger the bug.
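The mechanism in the comment above (a bug that jumps to a bad address, with the player arranging memory so that address holds valid code), and the Pokemon Yellow "items as opcodes" trick a few comments earlier, can be shown on a toy machine: a dispatcher indexes a handler table with an unchecked sprite id, an id past the end of the table reads its "handler address" from player-arranged RAM, and the bytes found there are executed as code. This is an added, constructed C example (a 64-byte machine with four opcodes), not the SMW exploit, the Pokemon Yellow one, or any console's real memory layout; the layout, addresses and opcodes are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy machine, not any real console or game. */
#define MEM_SIZE      64
#define TABLE_ENTRIES 8        /* legitimate sprite ids are 0..7 */

enum { OP_NOP = 0, OP_HALT = 1, OP_WIN = 2, OP_JMP = 3 };

typedef struct {
    uint8_t mem[MEM_SIZE];     /* bytes 0..15: handler table; 16..63: "RAM" */
    int won;
} machine;

static uint16_t read16(const machine *m, size_t off)
{
    return (uint16_t)(m->mem[off] | (m->mem[off + 1] << 8));
}

/* Run bytecode from pc. Returns 1 if OP_WIN was reached, 0 on OP_HALT,
   -1 on an illegal opcode, a fetch outside memory, or a runaway loop. */
static int run(machine *m, uint16_t pc)
{
    for (int steps = 0; steps < 256; steps++) {
        if (pc >= MEM_SIZE) return -1;
        switch (m->mem[pc]) {
        case OP_NOP:  pc++; break;
        case OP_HALT: return 0;
        case OP_WIN:  m->won = 1; return 1;
        case OP_JMP:
            if (pc + 2 >= MEM_SIZE) return -1;
            pc = read16(m, pc + 1);
            break;
        default: return -1;
        }
    }
    return -1;
}

/* Vulnerable dispatcher: never checks that sprite_id names a real table
   entry, so ids 8..31 read their "handler address" from RAM bytes instead. */
static int dispatch_unchecked(machine *m, uint8_t sprite_id)
{
    size_t off = (size_t)sprite_id * 2;
    if (off + 1 >= MEM_SIZE) return -1;    /* only keeps the toy inside mem[] */
    return run(m, read16(m, off));
}

/* Hardened dispatcher: unknown ids are refused before any table read. */
static int dispatch_checked(machine *m, uint8_t sprite_id)
{
    if (sprite_id >= TABLE_ENTRIES) return -2;
    return run(m, read16(m, (size_t)sprite_id * 2));
}

/* Image: every real handler is a single HALT at byte 40. The player has
   "arranged" RAM so that bytes 24..25 (where table slot 12 would be) hold
   the address 50, and byte 50 holds OP_WIN. */
void build_machine(machine *m)
{
    memset(m, 0, sizeof *m);
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        m->mem[i * 2] = 40;
        m->mem[i * 2 + 1] = 0;
    }
    m->mem[40] = OP_HALT;
    m->mem[24] = 50;                       /* RAM bytes read as a pointer */
    m->mem[25] = 0;
    m->mem[50] = OP_WIN;                   /* RAM byte read as an opcode */
}

int legit_sprite_result(void) { machine m; build_machine(&m); return dispatch_unchecked(&m, 3); }
int bogus_sprite_result(void) { machine m; build_machine(&m); return dispatch_unchecked(&m, 12); }
int hardened_result(void)     { machine m; build_machine(&m); return dispatch_checked(&m, 12); }
```

Nothing is written out of bounds here, which is the point the thread keeps circling: the table read is in range of memory, the RAM bytes are exactly what the player legitimately put there, and the only defect is an unchecked index turning data into a code pointer. The fix is the one-line bounds check in `dispatch_checked`; on real hardware, W^X or a separate code space would be the second layer.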
You don't really need to know how RAM works to understand that. How assembly programming or Von Neumann architecture works perhaps. Or basic knowledge of buffer overflows and similar concepts.
Yeah, sure. I guess what I really meant was I don't know how to even start to debug the RAM to understand where the addresses are, and what each part does.
It depends on your definition of "properly," since SMW coincidentally also has a massive shortcut (the Star Road) that lets you beat the game very quickly without bending the Matrix. A TAS of such a playthrough is only 10 minutes.
There's also a TAS of 100% completion playthrough of SMW's 96 exits, which takes considerably longer. (about 1.5 hours)
This isn't about beating the game in 3 minutes. It's about exploiting a bug. Not just fiddling with code either, but actually doing it through the game itself. That's what makes it really interesting to see.
A better analogy would be a guy taking a taxi 26.2 miles and you coming along and saying, "I hate it when people move a marathon distance by any mode except running" for no discernible reason.
It's the difference between a baseball game and a home-run derby. Nobody's complaining that home-run derby is "cheating" because all the pitches are ideal. It's a different game altogether.
The tool-assisted speedrun people are simply playing a different game.
http://chrono.wikia.com/wiki/Dream_Devourer