Arbitrary Code Execution data readout - Paper Mario (N64)
HTML-код
- Опубликовано: 8 сен 2024
- In case you are unaware, ACE (Arbitrary Code Execution) has been achieved within Paper Mario. This means that, by taking advantage of glitches (Refight Goomba King and Menu Storage), we can cause the game to jump execution to data we are able to manipulate (the controller inputs) to run our own instructions on the CPU.
The gist of how this works is that after refighting Goomba King, we can achieve Menu Storage, which allows Mario to move even though he is considered to be in a cutscene and has a menu open. In this state, particles are buffered, but do not actually "spawn", so by overflowing the particle table with a large amount of particles, we end up writing into memory for existing instructions. We are able to load data over these instructions that jumps the CPU execution elsewhere by precisely adjusting where Mario stands when he creates landing and walking particles, ending up with execution right where the controller inputs are stored.
On Player 1 and Player 3, nearly any instruction is possible. The 10th and 11th bit are inaccessible because they're not bound, but in MIPS this ends up being the 2nd and 3rd bit of the rs register for I-instructions and R-instructions, which isn't particularly limiting, and in J-instructions it's so high in the offset it generally will never be used. If it ever were to turn up as a problem, we could always run instructions that writes code to get around it elsewhere in memory.
We don't have as total access to the instructions covered by Player 2 and Player 4's inputs, so barring some rare occasions, there is no real reason to use them. Since we only get access to either the higher or lower short of the instruction, we usually either can only control the opcode, or only the operands, making the actual possible instruction set very slim.
For the basic setup, we just have Player 3 be a jump instruction back to Player 1's input. This locks the game in a small loop in which we can use Player 1's input to execute custom instructions. One disadvantage is that the loop executes many times per frame, but input is only polled once per frame, so any instruction used in Player 1's slot must be executable many times in sequence without side effects. For this reason, the safe approach is to use LUI, ORI, and then SW/SH/SB to store data elsewhere in memory, and then set up that stored memory to be executed once the ACE ends, as these instructions can be individually ran multiple times with the same registers with no iterative effects.
It is through the amazing work of the people in the Paper Mario Speedrunning Discord that this was possible. Here are some of their posts regarding ACE:
Fray's proof of concept with position hacking - • (Proof of Concept) ACE...
Rain's proof of concept without position hacking - • Pm64 ACE
Rain's tweet - / 1363071307521265664
JCog's RTA ACE writeup using OOT "Stop 'n' Swop" - pastebin.com/E...
imglower's RTA ACE Any% run using OOT "Stop 'n' Swop" - • Paper Mario Any% (Stop...
If you want to see the high quality encode of this TAS without all of the overlays, I have a version uploaded here:
• [TAS] Paper Mario ACE ...
I probably won't do much further coverage of ACE unless some big changes in methodology or capability occurs. While ACE is exciting, it is pretty much a "catchall" as far as TAS runs go. All it means is that now, what was possible through editing RAM in an emulator, is technically possible on a real console, using nothing more than inputs. This doesn't let us really learn anything new about the game though, it's just a cooler way of using what we already know.
![[TAS] NES Super Mario Bros. 3 "arbitrary code execution" by Lord_Tom in 08:16.23](http://i.ytimg.com/vi/oWbwmxVpqVI/mqdefault.jpg)
And OOT is _beating_ down Pokemon, trying to steal the title of "Most exploitable game of all time-"
*AND HERE COMES PAPER MARIO WITH THE STEEL CHAIR!*
also first i guess but :P nobody cares
@@XJ-0641 I care
@@XJ-0641 i care also, you should reach out and say first more often, lots of folks care
^I disagree with everyone above me except for XJ-0641
whale there it is.
Pm64 speedrunners before blue house skip