In the world of personal computing, hacks that exploit memory errors to allow for the execution of arbitrary (and often malicious) code are far from surprising anymore. What's more surprising is that such "arbitrary code" bugs are also present on the relatively locked-down computers inside of video game consoles.

This was demonstrated quite dramatically last week at Awesome Games Done Quick (AGDQ), an annual marathon fundraiser that this year raised over $1 million for the Prevent Cancer foundation. The event focuses on live speedruns of classic games by human players and included a blindfolded Mike Tyson's Punch-Out!! run that ranks among the most impressive live video game playing performances I have ever seen. The most remarkable moment of the weeklong marathon, though, came when a robotic player took "total control" of an unmodified Super Mario World cartridge, reprogramming it on the fly to run simple versions of Pong and Snake simply by sending a precise set of inputs through the standard controller ports on the system.

The two-and-a-half minute video of this incredible exploit is pretty tough to follow if you're not intimately familiar with the state of emulator-assisted speedruns. At first, it looks like the game must have been hacked in some way to allow for things like multiple on-screen Yoshis, item boxes that spawn multiple 1-ups, and the ability for Mario to carry items while riding on Yoshi. In actuality, these seeming impossibilities are just glitches that have been discovered over the years through painstaking emulated playthroughs by the community at TASVideos (short for tool-assisted speedrun videos).

Most of these glitches are impossible or near-impossible for a human to perform in the course of standard gameplay since they require intricate patterns of inputs that have to be entered precisely at specific frames of in-game video (i.e. within 1/30th of a second). It's only through the emulators that allow for input recording and single frame pausing and advancement (not to mention sometimes intense Lua scripting) that these glitches were discoverable and replicable. Still, it's important to clarify that everything happening in the video is the result of the standard Super Mario World software responding to conventional button inputs—this isn't the result of Game Genie-style external memory editing or the like.

Massaging the memory

It's at 1:39 in the video where things really start going pear-shaped, as the fabric of the game's reality comes apart at the seams for a few seconds before inexplicably transitioning to Mario-themed versions of Pong and Snake. Understanding what's going on here requires some deep knowledge of the Super NES' internal sprite and memory management, which is explained in detail here and here.

Suffice it to say that the first minute-and-a-half or so of this TAS is merely an effort to spawn a specific set of sprites into the game's Object Attribute Memory (OAM) buffer in a specific order. The TAS runner then uses a stun glitch to spawn an unused sprite into the game, which in turn causes the system to treat the sprites in that OAM buffer as raw executable code. In this case, that code has been arranged to jump to the memory location for controller data, in essence letting the user insert whatever executable program he or she wants into memory by converting the binary data for precisely ordered button presses into assembly code (interestingly, this data is entered more quickly by simulating the inputs of eight controllers plugged in through simulated multitaps on each controller port).

This same general method of using memory addressing errors and tool-assisted controller inputs to alter the way a game plays has been demonstrated on a number of other titles, including Battletoads, Kirby's Adventure, and Crash Bandicoot 2. In fact, the essential proof-of-concept for the Super Mario World "arbitrary code" glitch was first demonstrated and confirmed by the TASVideos community last April.

For the most part, though, these memory-corruption efforts are used to simply jump the game's state to the "ending" movie, thereby "completing" it in a much shorter time than is usually possible. This new Super Mario World TAS sets itself apart by using its total control of the system to actually program a new game on top of the existing one (this TAS of Pokemon Yellow does something similar, using the game as a stage to choreograph a pi-themed song-and-dance number).

Last week's Awesome Games Done Quick "total control" demo is also notable for being run on actual, bare-bones SNES hardware rather than on an emulator (as is standard with most TAS videos). The robotic player at the event was powered by a Raspberry Pi hooked up to a special adapter (mounted amusingly to an NES R.O.B. controller) that let the computer send its preprogrammed controller inputs into the controller ports at superhuman, frame-level speed. Thus, the demonstration proved that this exploit was present in the actual system and cartridge released by Nintendo and not some sort of artifact of faulty emulation. That isn't a foregone conclusion, either, as syncing up the vagaries of split-second timing and memory management between real and emulated hardware are not trivial (this is yet another area where the idea of perfect emulation accuracy might come in handy).

Running this exploit on actual hardware also turns the usually sterile, disconnected Internet file sharing of tool-assisted speed runs into a thrilling live performance in front of a crowd of dozens at the AGDQ ballroom and thousands watching the marathon online. There's something about watching the video archive of that stream—hearing the disbelieving laughter, the applause, and the cries of "Oh my god" from a crowd seeing a Super NES transformed into a fully programmable computer before their eyes—that makes the feat all the more impressive. That surprised reaction was apparently genuine, too, as the TGASVideos team says the crowd had no idea what was coming from a submission that had been tested and approved just the night before.

More than anything, though, this demo is a testament to the power of an Internet community and to the desire of that community to achieve total understanding and mastery of a game that started as a simple, child-focused amusement over 20 years ago.