Hacking 8-Bit Video Games… By Playing Them! (and Snowden/FPF, is JYA ex-CIA?, badBIOS related stuff)

Here’s a CLASSIC example of the “hacker mindset.” Put another way: when a system is as pedantic as every computer is, knowing its rules precisely is real power.

If you want to read the assembly-language level summary, scroll down and click some of the links.

Otherwise, here’s my attempt at a plain-English version. When you play a video game, every action has an effect on the memory. The environment reacts according to a set of algorithms.

Now, in older video games (like Super Mario World) the algorithms are simple enough that you can predict how they’ll react. In fact, you can predict them well enough you can — kind of like solving a Rubik’s cube — line them up in ways that do things they were never intended to do.

You start from known cases where the game doesn’t quite work as designed. Using your knowledge of the underlying program architecture, you use these little glitches to (indirectly) poke and prod values in memory.

Eventually you’ve jumped, bumped, and knocked enough objects around in exactly the right way that there’s now a fully-formed program in the game console’s memory: a program that “just happened” to appear because of the order in which the game recorded the effects of your inputs.

All it takes now is using another bug to cause the game console to think it should start executing code exactly where your in-memory program starts… and voila, you’ve just written a new program and executed it, by playing the game!

It helps to have a robot playing the game for you.

Snowden joins the Freedom of the Press Foundation board of directors, saying he looks forward to “using my experience to help find a solution” to allowing journalists to communicate safely with their sources. Good news all around, I think.

Is JYA ex-CIA? He recently posted this obscene and bizarre story, a close reading of which suggests he’s the protagonist — an ex-CIA black ops guy named John, dropped into Vietnam in 1964. I’ve heard JYA is around 70, so the date fits. And he’s hinted that he’s himself compromised in some unstated fashion, which is consistent with the “former Chekist rule.” http://cryptome.org/jya/mud-love.htm

#badBIOS chat: chat with people over ultrasound. https://github.com/Katee/quietnet

Have #badBIOS tactics filtered down to the 4chan/random criminal hacking set? http://www.reddit.com/r/AskNetsec/comments/1uz0re/please_help_me_all_of_my_electronic_devices_with/


“In short: I manipulate where the moving objects (sprites) are located or where they despawn, then I swap the item in Yoshi’s mouth with a flying ?-block (thus the yellow glitched shell) and using a glitch (stunning) to spawn a sprite which isn’t used by SMW and since it tries to jump to the sprite routine location, it indexes everything wrong and jumps to a place I manipulated earlier with the sprites (OAM) and because of the P-Switch it jumps to controller registers and from there the arbitrary code execution is started. ”


“The place we are accessing ($0322) is at the start of OAM for the sprites. The first 4 bytes are for sprite #A, the next 4 bytes are for sprite #B and then every sprite from #0 – #9 has 5 * 4 bytes. Every block of 4 bytes has a format like this: x position, y position, tile, property. The tile and properties of a sprite are almost impossible to manipulate so we have the x and y position left to use.

Problem #1 – Y Positions
Every frame, all y positions are reset to 0xF0 and they update from the top to the bottom, which means #9, #8, #7…#1, #0, #B, #A. That means when handling sprite #5, you already have the y position of #6 but not of #4.

“So then why not spawn the 0xFA sprite in slot #0 to have many positions already updated?” Because to spawn that sprite we need a shell which goes into slot #0 when taken to the underground in yi2.

“Then use slot #1!” This is what we do.

The glorious P-Switch
We want to manipulate the values to show the credits, right? So how do we do that? We could manipulate 11 bytes to be perfect, but that is very hard and might not even be possible. So let’s just jump to the controller input data and execute from there. The input is at $4218 so we need a JMP $4218 which is 4C 18 42. Only x and y position aren’t enough so we need a sprite which uses tile 0x42… P-SWITCH!

So let’s just go to the end of the level and get the P-Switch and, oh wait…

Problem #2 – Slots
Every new sprite that spawns will use the highest slot that is free (#A and #B are reserved slots for special sprites like sprites from boxes). Since we want to be as close as possible to our start position ($0322), we have to get a small slot for the P-Switch. So we need to fill the higher slots to get a small slot for our P-Switch.

Most sprites despawn when they go offscreen so we need better sprites. When you cancel-eat a berry it will turn into a sprite which won’t despawn when going offscreen so that is what we do.

Now that we have the P-Switch in the right spot we just stun a flying ? block, but how do we do that actually?

Stunning
To stun a sprite you have to have a sprite that Yoshi won’t swallow (like a shell), another sprite which Yoshi can lick and a place to get hit (like a koopa). You also have to get a powerup to do the double-tongue glitch with Yoshi. Grab the first sprite with the first tongue, then lick the second tongue and quickly get hit by the third sprite, so that Yoshi cancel-eats the second sprite.

Problem #3 – We need sprites!
How do we get these sprites into the underground? Ok, we can use a throwblock as the second sprite, but how do we get the other two? We can bring a green shell into the underground when doublegrabbing the P-Switch and the shell while sitting on Yoshi (yes, this is possible). With the green shell we can spawn a naked koopa (stomping on the green shell and licking it at the same time, then quickly spitting it out), which then is our third sprite.

Now we need a powerup. We can use the midpoint to be big but we still need a mushroom for the reserve box. When you eat 10 red berries with Yoshi, he will give you a mushroom. Thanks Yoshi!

We can spawn a 1up by duplicating the vine block to the left. We use that to manipulate the x position and the tile so that we jump a bit forward in the code (to $034F, which is in the middle of #1 OAM, so we are almost at our P-Switch in #2). The code unfortunately jumps away just before we reach the P-Switch bytes, so we have to change the last few bytes of the slot #1 bytes.

Problem #4 – Bigger sprites!
Since most sprites (like the shells) are only 16×16 pixels big they only use one block of 4 bytes for their slot. Koopas are 16×32 pixels big, they use two blocks of 4 bytes, that is still not enough to reach the last blocks. So what are big sprites… Chucks! They use all 5 blocks.

There are not enough berries at the start to spawn the first chuck in slot #1 so it would be better to use the one later in the level, right? …”
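To make the plain-English version above and the quoted write-up concrete, here is a small model of the OAM layout Masterjun describes: slot #A at $0322, #B right after it, then slots #0–#9 at 20 bytes each, every entry being x, y, tile, property, with y reset to 0xF0 each frame. It lays out a sprite table from a list of placements, then scans it the way you would when deciding where the P-Switch must land so that its x, y and tile bytes read as `JMP $4218` (4C 18 42). This is an added example, not code from the original post or from the TAS itself; the helper names, the sprite placement values, the property byte, the zero fill for bytes no sprite writes, and the tiny four-opcode decoder are my own assumptions.

```python
# Added example: model of the SMW OAM region the quoted write-up describes.
# Addresses, the 4-byte entry format and the 0xF0 y-reset come from the quote;
# everything else (names, sample sprite, zero fill, decoder subset) is assumed.

OAM_BASE = 0x0322      # slot #A starts here, #B follows, then slots #0..#9
ENTRY = 4              # one entry: x position, y position, tile, property
SLOT_ENTRIES = 5       # slots #0..#9 each own 5 entries (5 * 4 bytes)
Y_DEFAULT = 0xF0       # y positions are reset to this value every frame
JOY1 = 0x4218          # controller input registers; the target of the JMP


def slot_base(slot):
    """Address of the first OAM entry owned by a slot ('A', 'B' or 0..9)."""
    if slot == "A":
        return OAM_BASE
    if slot == "B":
        return OAM_BASE + ENTRY
    if isinstance(slot, int) and 0 <= slot <= 9:
        return OAM_BASE + 2 * ENTRY + slot * SLOT_ENTRIES * ENTRY
    raise ValueError(f"bad slot {slot!r}")


def slot_of(addr):
    """Inverse of slot_base: which slot an OAM address falls in."""
    off = addr - OAM_BASE
    if off < 0:
        raise ValueError("below OAM")
    if off < ENTRY:
        return "A"
    if off < 2 * ENTRY:
        return "B"
    slot = (off - 2 * ENTRY) // (SLOT_ENTRIES * ENTRY)
    if slot > 9:
        raise ValueError("past slot #9")
    return slot


def build_oam(sprites):
    """Build the OAM bytes from placements (slot, entry_index, x, y, tile, prop).

    Bytes no sprite writes stay 0 (assumption) except y, which keeps the
    per-frame reset value 0xF0 exactly as the write-up says.
    """
    size = 2 * ENTRY + 10 * SLOT_ENTRIES * ENTRY
    mem = bytearray(size)
    for i in range(1, size, ENTRY):
        mem[i] = Y_DEFAULT
    for slot, idx, x, y, tile, prop in sprites:
        off = slot_base(slot) + idx * ENTRY - OAM_BASE
        mem[off:off + ENTRY] = bytes((x & 0xFF, y & 0xFF, tile & 0xFF, prop & 0xFF))
    return mem


def decode(mem, addr):
    """Decode the 65816 instruction at addr for a tiny opcode subset.

    Returns (mnemonic, operand, length). JMP abs is 4C lo hi (little endian),
    which is why x=0x4C, y=0x18, tile=0x42 spells JMP $4218.
    """
    off = addr - OAM_BASE
    op = mem[off]
    if op == 0x4C and off + 2 < len(mem):
        return ("JMP", mem[off + 1] | (mem[off + 2] << 8), 3)
    if op == 0xEA:
        return ("NOP", None, 1)
    if op == 0x80 and off + 1 < len(mem):
        rel = mem[off + 1]
        rel -= 0x100 if rel & 0x80 else 0
        return ("BRA", addr + 2 + rel, 2)
    if op == 0x00:
        return ("BRK", None, 2)
    return ("???", op, 1)


def find_jumps_to(mem, target):
    """Every OAM address whose bytes decode as JMP target."""
    hits = []
    for off in range(len(mem) - 2):
        mn, operand, _ = decode(mem, OAM_BASE + off)
        if mn == "JMP" and operand == target:
            hits.append(OAM_BASE + off)
    return hits


def demo():
    # Assumed placement: P-Switch (tile 0x42) in slot #2, first entry,
    # steered to x=0x4C, y=0x18; property byte 0x30 is arbitrary.
    mem = build_oam([(2, 0, 0x4C, 0x18, 0x42, 0x30)])
    return find_jumps_to(mem, JOY1)


if __name__ == "__main__":
    for a in demo():
        print(f"JMP ${JOY1:04X} found at ${a:04X} (slot #{slot_of(a)})")
```

Two things the model makes visible: slot #2 begins at $0352, three bytes past the $034F the write-up jumps to, which is why the last bytes of slot #1 have to be patched so execution does not veer off first; and if the P-Switch's y position has not been updated yet when execution reaches it, the entry still reads 4C F0 42, i.e. `JMP $42F0` rather than the controller registers, which is exactly the "Problem #1" ordering issue.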
