This is probably the best way to present programming stuff (hex values, memory map...) I have ever seen in video. It's clear, pleasing to ears and eyes. The topic is also very interesting. I would love to see more of such well-made videos for anything. I hope this channel will attract as many people as possible, it deserves it.
EZScape hi, fun fact, jsr stands for jump straight to ram and 8f e3 is the address it must jump to in order to load the right crash value, I read the dev commentary on tasvideos.org
As a developer, this was extremely interesting. By far the best video I've ever seen on an arbitrary code execution exploit. Thanks for the awesome video! :D
uh i'm pretty sure you did something wrong have you hit the music block which replaces a $4G69 ROM mapping function 18 screens under the main stuff or the question block which replaces the $4G79 Control function 17.5 screens under the main stuff?
i think i know why you hit 1010010101010101010101001100101010101 in bi or a5 55 54 ca 15 in hex at the time that you did that there was data that was from super mario 64 in parallel universe so the game swapped the banks with 64sh banks bk the one koopa was one bit off so the game ran 10101010010101010100101010111111111 in bi or the thing telling nes what game you're playing by looking at the ram and seeing the data and running the game that go with the data in 1st byte and 64s data was in there so it read 64 that good
The fact that you go so in depth graphically instead of just randomly spouting your values is fantastic! Keep it up! I imagine the production work takes tons of time, but I love it!
Well done! It really tracked with a lot of the thought processes that went into figuring out the exploit for the TAS, and is accurate while still being more accessible than a text-only explanation.
What's even better is the end credits warp in Super Mario Land 2, Six Golden Coins: Mario glitches through the floor, ending up in the game's code (which is rendered onscreen as graphic tiles), and literally hits a block to set the "roll end credits" flag to TRUE.
Mario: Princess, I'm finally here. Peach: Did you beat Bowser? Mario: Well...uh... Peach: Don't tell me you used the pipe glitch. Mario: I mean, it's a little "easier" to do/accomplish. Peach: *sighs* Ugh...
This was incredible! For years I've wanted to do the wrong warp in SMB3. I've been trying to decode what I need to do from people's PBs but haven't understood it. This video explained it so well that not only I did it, but that my friend that doesn't speedrun also got hooked on it and we did it together. It was such a great experience trying and then being happy when we finally succeeded with the wrong warps! :D We ended up doing it on emulator though because trying it on console with no practice was haaaaaaaaaaard! :)
It's not often someone does this deep an amount of research, basically never do they then pack it into something this easy to digest and understand. My humblest thanks, will be sharing with my friends tomorrow.
What I'd really like to know is how TASBot manages to program Mario Maker inside Super Mario 3 (or World, I don't remember). My guess is jumping in memory where there is the ram that deals with input from the controller and programming it that way? I'm not sure what you can do with only about 10 memory locations. Unless there are more detailed ways to execute that.
+Retro Game Mechanics Explained: I used a different method called the easy method, and when you said sometimes it does not work even if you got the shell in the right spot, because it sometimes locks up on something, but I found a way to always line up those values, and this is how. When the paratroopa is moving up, boop it with the tail when the tips of its feet are lined up with the first lip of the pipe, using the easy method, and the closer you are to the correct frame the better the credits will look; that same shell placement is for the positioning of the credits screen. Once I booped the paratroopa at the right spot, but I put it one pixel too far to the left; that caused the credits to play 100% perfectly, but they played too far to the left of my TV. The koopa in slot 3: never re-boop it with the tail. When you mention the address 20 for the jump code, the 10th digit, in this case 2, this is when the values are aligned, but not just that one; the 10th digit can also be 1 through 10, and that is caused by booping the koopa at slot 3 at the correct position, and when he moves the correct direction, and if you re-boop it with the tail by accident the 10th digit will return to 0. The placement of the shell in slot 3 determines the unit, and the unit determines the screen position, so 0 is always perfect screen placement. When the paratroopa starts moving up the 10th digit goes from 0,1,0,2,0,3,0,4,0,5,0,6,0,7,0,8,0,9,0,10: the higher up the koopa troopa goes the quicker those values switch, and when he starts to move down the 10th digit is always 0, which is bad. And if the bit codes are like this, 100 8F E3, the credits are 100% perfect; the credits that show the world will run with the checked floor. Once I booped the koopa a fraction off of the 10, 10th digit; when I hit the note block on the 19th screen it flickered 4X before playing the credits 100% perfectly.
Take a look at my video for the easy set-up; it is not me who found the easy set-up, but it is me who found out about the correct alignment of the previously uncontrollable value. When I filmed this I did not know about this at the time, and after placing the shell in slot 3 at the correct spot, if you take the pipe to the far right, make sure to walk off to the right to quickly despawn the shell in slot 3. The koopas in slot 4 and slot 5, those ones you can re-boop with the tail as much as you like since E3 counts as one unit, as well as 8F. ruclips.net/video/701sO-YxhGM/видео.html When you place slot 5 at the correct position you don't have to walk off to despawn it; since it will be floating above the pipe, it will despawn right away when you return to the start of the level.
Luigi: So mario, how did you come back after defeating darkion? Mario: to answer that, we need to talk about *parallel universes* *hazy maze from mario 64 starts playing* Tell me if I spelled darkion right? This joke was from something about super mario world, right at the start of the video, made by terminal montage
I did this and depending on whether I'm holding B and/or a certain direction on the D pad, the game crashed, skipped to the scene where you return the wand to world 7's king or the game was reset with a little glitchy colors. All but the princess' room.
Definitely, reverse engineered. A hacker studied the code, attempted to find a way to do code injection on an SNES, made a tool that showed those values in real time. This isn't the first time code injection's been done, and they probably could have stolen your identity with just as much effort... assuming they are only going to use a SNES control to do so. Stealing your identity with a laptop and Wi-Fi decrypter would be trivial.
tasvideos.org/4288S.html This is the first known instance of the glitch being used in that way. The aforementioned RAT926 (a Japanese player) was apparently already investigating weird behavior with block changes causing odd behavior (he turned both a used-up brick and a muncher into inactive invisible music blocks back around 2013). The bad pipe behavior (where phantom pipes happen) was well-known by speedrunners by then already. Some assembly guy then took a look and figured out how to write code that would lead to the ending. So in short, it was found because one guy was glitch hunting, and the TAS community took notice and fell on the game like code-munching piranhas because they're always after the fastest technically possible times.
It took me this long to realize it but basically: We are using that invisible note block after we wrong warped to execute an address we made with the shells to teleport us to peach's room. What the fuck.
Yep! The NES CPU was the Ricoh 2A03. It was basically just a 6502 without a decimal mode and with an audio processing unit and IO controller for the controllers welded onto it.
Finding out glitches is one thing but stuff that messes with how the game runs is something totally different. And using this knowledge ingame is again on another new level. This is so amazing.
I've seen the glitch done for Super Mario World, and the glitchers would explain it a bit. However this vid makes a lot more sense than someone explaining while doing it. I especially liked the graphic at the side that showed the unit values, and the checks as you went through it. Nice work.
This is one of the best gaming videos I have ever seen! We need more game spec videos like this out there. I was watching a video on how the Sega Saturn processes 2d and 3d games a while ago on someone's channel. If it wasn't for the fact the guy was heavily Japanese and hard to hear his English through his Japanese accent, I would have a 110% clear explanation of the hardware that entails the Saturn. I love learning stuff like that! Keep it up man. I'm subscribing right now
Dots: Love this video, amazing! However, I wanted to point out a small error. At time marker 5:52 , you show where the RTS instruction returned us to. However, this is not PRG1E (Bank 30) as you have labeled, but PRG1D (Bank 29). PRG1E (Bank 30) is meant to be at $8000, however, when the value #$80 is written to $9C70, the MMC3 immediately does a bank switch - changing $8000 to PRG1D (Bank 29), $A000 to PRG07 (Bank 7), $C000 to PRG1E (Bank 30) (Meant to be at $8000!!!) and $E000 stays at PRG1F (Bank 31). Furthermore, the stack IS meant to be empty when returning to $8F4D, because in normal execution, we would be within the main game level loop within PRG1E (Bank 30). However, due to PRG07 (Bank 7) now being loaded in at $8000, we land in the middle of a routine for drawing the player - hence the eventual RTS instruction, and subsequent jump to RAM at $0081. So I guess it's not an unintended empty stack, it's a return to an address that now holds the wrong bank. This bank mix up is only fixed up when a BRK is executed, since the IRQ routine calls a bank swap. Because bank swaps in SMB3 are set for $A000 and $C000, this returns our static banks PRG1E (Bank 30) and PRG1F (Bank 31) to $8000 and $E000 respectively. Indeed the wrong warp wouldn't be possible without at least one IRQ before the JSR to $8FE3!!! -KabAudio
Great video! I have tried this shell down technique many many times and haven't yet got to princess. Mostly game crashes and sometimes to world 7 castle's king with wand.
I actually managed to pull off this glitch, make the game reset by using the noteblock incorrectly, come back to the glitch zone, and it let me down to the 25th screen before sending me back up.
It's wild what ACE can do when game designers and their programmer counterparts had to compact an entire game down to capacities such as 256kB for SMB3 or even smaller as you look back in time. It's a lot easier to jackhammer the stack or violate some mechanic to attempt a bad read or write to somewhere illegal when the programmers were worried more about simply making the game work correctly within the hardware's confines than fretting about drawing 35 gigabytes worth of textures. Programmers were a lot more resourceful back then and had a nearly intimate relationship with their target hardware. Knowing how to bend the rules could help you implement your current mechanic in 450 bytes rather than 600 bytes; add up all that memory or program space saved over time while utilizing these methods, and your game has the space to add more levels, features, mechanics, secrets, or anything else that might have your design be the smash hit of the day. If I had a list of things I'd do with a time machine, taking a modern IDE and hardware development tools back to these days would be on my list. Not like... in the top 100 or anything... but it would be on there. :)
2:36 I hate to be direct, but it would actually be one pixel to the left, because the koopa would unload sooner. Also three things: walking enemies move by half a pixel every frame, a koopa’s subpixel position doesn’t change when it’s in Mario’s hands, and koopas move by half a pixel when they wake up in Mario’s hands. In this setup’s case, the koopa moves by half a pixel to the right. This means that depending on the subpixel value the koopa last had before grabbing it, you have to stand where the koopa’s X position is at either #$B7 or #$B8. If the koopa’s subpixel value is 0-7 before waking up, then you have to stand where the koopa’s X position is at #$B8. If the koopa’s subpixel value is 8-F before waking up, you have to stand where the koopa’s X position is at #$B7. This means that this “simple” #$8F setup yields a 50/50 chance at working.
so if i understand, the game crashes while trying to create that invisible note block to repel mario while the actual note block is going up because everything is so out of index because you went so out of bounds? but why does the game execute the code you injected? is it like a failsafe kind of thing where they knew the game was gonna crash and they just execute any command they have as a last resort? i got the part where the code says jump to subroutine 8F E3 and the game crashes when you hit the note block but then everything was just too complicated for me
It's not a failsafe or a last resort, the game is so out of index at that moment that it just starts executing code from locations it shouldn't and ends up executing the injected code.
The whole exploit is possible because of the 6502's Von Neumann architecture. The cpu is interpreting the sprite location _data_ as instructions. The rest of the procedures performed after placing the sprites down are to move the instruction pointer/PC to the address where the sprite location data is kept
@Crasy Fingers: This is just a summary of what he said above, and something that he missed, to be more clear on what happens. Warning: the summary is kind of long. The reason it works: when you go out of bounds, the note block that crashes the game actually exists in the real part of the level, but when you hit it in the real part of the level, it works properly. This is just an example, it may not be exactly correct: that note block is normally on 6261 and when you hit it, it goes 6261+0F to make 6270; nothing goes wrong here, and DD1A works fine to update the sprite animation and then the game returns to the note block bouncing animation, and saves the X coordinate of that bouncing animation in $0097, and its Y coordinate is saved in $009F; the X and Y values are only overwritten if another block bounces. So when you go out of bounds the block that was in 6261 gets incorrectly placed every time on 9C61, but since it is the same block it still has +0F to find the sprite animation, so it will go 9C61+0F=9C70, and that tells the game to write to read-only memory, and since that is not possible the game looks in open bus to find out what to do with 9C70, and found valid garbage code to update in DD1A; the garbage code is too long by one byte, so that it overflows the stack buffer, so you will see in the debug menu Address $0100: JSR:$0080, that means it already overflowed, that it jumps to that address; that address got that instruction $0080:RTS-1 so it will go to address $0081, then it needs to go through a lot of addresses before reaching the X coordinates of sprites, that start on $0090. Enemies' X positions start on $0091, and end with $0095. Enemies spawn on the highest slot first that is still available, so we write at $0093: $20, and at $0094: E3, or E1, and $0095: 8F; in the debug menu this will show as $0093: JSR: $8FE3, or JSR: 8FE1; you will see in the debug menu that $0094 and $0095 do not show anymore, and address $0096 still shows because that is the X coordinate for power-ups.
Mario's X position is in $0090. Mario's X position needs to be correct when hitting the note block that crashes the game, to make it work, because he can go to an opcode with enemies in $0091 and $0092; with the easy method nothing spawns on $0091, and since nothing spawns its X value is $00. Most of Mario's X coordinates are OK, just a few that would guarantee a fail, and that is what causes the different sounds before it transitions to the rescue of the princess. And it does work on Wii U Virtual Console, and all other Virtual Consoles, except for NES Mini, and also it does not work on the Japanese version and the PAL version, and does not work in all versions of All-Stars. If you need more information on why it works, and why the Virtual Console is banned for speedrunning that category, just contact me in here.
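The mechanism this comment and the ones above describe, as an added illustration that is not part of any comment and not code from the video or the game: a toy 6502 model in Python in which an RTS on an empty stack wraps the 8-bit stack pointer, lands in RAM at $0081, and then the enemy X positions at $0093-$0095 (20 E3 8F) are decoded as JSR $8FE3. Assumptions: the `STRAY_RTS` address, the bytes placed at $0100/$0101 and the NOP filler between $0081 and $0092 are constructed for the sketch, and only the three opcodes it needs are modelled.

```python
# Added illustration: a toy model, not the game's code or a full 6502 emulator.
JSR, RTS, NOP = 0x20, 0x60, 0xEA   # real 6502 opcode encodings


class Cpu:
    def __init__(self, ram, pc, sp=0xFF):
        self.ram = ram          # flat 64 KiB address space
        self.pc = pc            # 16-bit program counter
        self.sp = sp            # 8-bit stack pointer; $FF means the stack is empty

    def pull(self):
        # The stack lives in $0100-$01FF and SP is only 8 bits wide,
        # so pulling from an empty stack wraps $FF -> $00 and reads $0100.
        self.sp = (self.sp + 1) & 0xFF
        return self.ram[0x0100 + self.sp]

    def push(self, value):
        self.ram[0x0100 + self.sp] = value
        self.sp = (self.sp - 1) & 0xFF

    def step(self):
        """Execute one instruction and return its disassembly."""
        opcode = self.ram[self.pc]
        if opcode == RTS:
            lo = self.pull()
            hi = self.pull()
            self.pc = (((hi << 8) | lo) + 1) & 0xFFFF   # RTS resumes at address + 1
            return "RTS"
        if opcode == JSR:
            # The operand is little-endian: 20 E3 8F means JSR $8FE3.
            target = self.ram[self.pc + 1] | (self.ram[self.pc + 2] << 8)
            ret = (self.pc + 2) & 0xFFFF
            self.push(ret >> 8)
            self.push(ret & 0xFF)
            self.pc = target
            return f"JSR ${target:04X}"
        if opcode == NOP:
            self.pc = (self.pc + 1) & 0xFFFF
            return "NOP"
        raise ValueError(f"opcode ${opcode:02X} at ${self.pc:04X} is outside this sketch")


STRAY_RTS = 0xF000   # placeholder address for the unintended RTS, not from the game


def run(shell_x):
    """shell_x: X positions of the enemies in slots 3, 4, 5 (RAM $0093-$0095)."""
    ram = bytearray(0x10000)
    ram[STRAY_RTS] = RTS
    # Constructed: bytes at $0100/$0101 chosen so the RTS lands on $0081.
    ram[0x0100], ram[0x0101] = 0x80, 0x00
    # Constructed filler: in the game $0081-$0092 hold live state, not NOPs.
    for addr in range(0x0081, 0x0093):
        ram[addr] = NOP
    ram[0x0093:0x0096] = bytes(shell_x)

    cpu = Cpu(ram, pc=STRAY_RTS)
    trace = []
    landing = None
    for _ in range(64):
        at = cpu.pc
        try:
            text = cpu.step()
        except ValueError:
            return landing, None, trace      # left the modelled subset
        trace.append(f"${at:04X}: {text}")
        if text == "RTS":
            landing = cpu.pc                 # where the empty-stack return went
        if text.startswith("JSR"):
            return landing, cpu.pc, trace    # the position data ran as a jump
    return landing, None, trace


if __name__ == "__main__":
    landing, target, trace = run((0x20, 0xE3, 0x8F))
    print("\n".join(trace))
    print(f"RTS landed at ${landing:04X}, JSR target ${target:04X}")
```

Changing any of the three X positions changes the instruction the CPU sees, which is why the comments describe runs that end somewhere other than the princess's room.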
Excellent video! Even though, I don't understand it, I still sorta understand it because you explained it really really well. Like a great teacher would. Of course this leads me to ponder if requests is something you'd be interested in doing because, there's a very interesting glitch in *Ys: The Vanished Omens* for the Sega Master System ( _I perform it on my playthrough in part 1_ ) where if you attempt to buy the Mirror from Pim in Minea a couple of times, really strange effects can occur. Such as you can be teleported to a glitch area that plays the Tower of Dahm's theme, the game can crash, you'll get a random amount of gold usually in the thousands, you can get gold and items, you can be leveled to max level instantly and many more stuff, I am convinced that there might just be a way to glitch it to the ending from there. Another thing I am interested in, but this is admittedly something I've tried to understand on my own more, is that in many old school games ( _in this case Shadowrun on Sega Genesis_ ) they have palette swap enemies / allies. I've been trying to use a hex editor to swap the palette of the character but to no real success.. One day I'll succeed I believe. But just what that change is.. Is interesting.
Loved the explanations! You're very well documented and the diagrams and drawings you make are so sensible and just right that anyone can understand what's been up; as well as your more advanced users not get too bored. Good luck with future movies. Got yourself a subscriber. :)
Fantastic video, dude. Kinda reminds me of when they have an Engineer or Scientist come to your school, then kids ask them a question and they answer it in wtf-level detail and just blow everyone's mind. That's about where I am right now watching this lol
Thank you for this great explanation! I was led here by tetrabitgaming's video but I was disappointed there by a lack of real reasoning. Now this topic is way more clear to me. Thank you!
I think that I finally understand how controlling memory mappers works. You send a write command to what would normally be a ROM location. However, because there's a memory mapper and not just the bare ROM the mapper can catch that write command and then perform some other command. Clever that.
Seriously though, this is the channel where I post my quality videos (RGME series), and pretty much everything else I want to upload goes on my dotsarecool channel.
Can you imagine someone doing this in the early 90's with a console version of SMB3, during a speedrunning competition? It would probably make national news.
I sent me.
*_That’s pretty funny._*
You also sent me. What a coincidence!
Summoning Salt whyd u stop making vidz man. Your videos on speed running are intoxicating. PLEASE make more
Why aren't you verified???
Same
You explained it..I don't understand any of it..but you explained it.
The explanation (or just about any warp glitch) requires some understanding of how the hardware works. There's a bunch of videos and articles regarding that. I recommend looking at those first.
Those concepts also apply to game boy games for example. Therefore you can also gain some understanding from game boy resources.
You’re in a level, you mess with how the enemies work, you grab a turtle and go inside a pipe backwards, the game crashes, you throw the turtle away as you hit the block, you hit the block, the game ends
Yeah wasn’t much of an explanation
@@thebeanmaster4358
That’s not an explanation.
Then try the bismuth explanation. Bismuth did a really good job...
So: A bad note block outside 7-1's level bounds can be reached. It causes the block bounce code to swap itself out accidentally with an unintended routine that returns to yet another unintended routine, that returns again, even though there's nothing to return to. The hardware freaks the everloving fuck out, wrapping around the counter that tracks how many levels deep of code execution we're on and reacting as though we're 255 levels deep in subroutines, and accidentally reading out the level scrolling mode as the location to return execution to, because that number happens to sit where the 255th place in the area where subroutines are tracked would be if there was a 255th place, causing the console to stop reading code from the cartridge, and instead treating the system RAM as code, and running that instead. And within the area of RAM that is mistakenly reinterpreted as game code because of this, loaded enemy data is normally tracked, and here, people manipulate the positions of the koopa shells that normally spawn in the level to write machine language instructions creating a trigger for the Princess's chamber that will activate with the glitch.
So many planets aligned...
I bet the whole Mario galaxy aligned
Yes.
Yes. I could read long form explanations from you. Well done
Well, all they're doing is reading volatile, numeric data as instructions, to execute code in an unintended way. It was probably figured out that the pipe to under-map OOB and hitting the noteblock did some fucky shit, and I guess someone traced it through an emulator to see that the thing that reads instructions landed in graphical data. From there it was simply manipulating the graphic data.
@@haydenz0 In essence, this glitch begins with an array indexed out of bounds error, when trying to write to the loaded map data to remove the note block and temporarily replace it with the animated version of it. Except that, computers being that much slower, the performance penalty to ensuring that arrays were always indexed in bounds mattered, so most games, having to be efficient over running safe, didn't do the check to save on crucial processing power.
Probably they discovered the glitch pipe entry first (might've been on some other map too) and then later discovered that OOB note blocks would pretty consistently make the console spit fireworks when hit. If it didn't crash, obvious memory corruption was present. When every time you reproduce a game-breaking glitch, the effects that occur right after are completely all over the place and random-looking, you know something fucked is happening with the machine. And the moment somebody fired that up in an emulator debugger, and caught the execution jumping to RAM, they were like "Oh yeah, we might be able to ACE with this"
This was like learning physics. I'm fucking lost and yet intrigued and focused and can't stop learning. Great video.
The wave function is a description of an electron. and when you view that function you are forcing the collapse of the wave function.
> There are many different kinds of NES ROM mappers. All of them act a little bit differently. I won't talk too much about them, because that topic could be its own video.
Please, please make that video.
I second the motion.
isnt it notion
Mr.Sheepington possibly.
Both are correct!!
Kirby Banman WHERE IS THIS VIDEO?
I hardly understood a thing but watched it all the way through. Fascinating stuff.
Margaret Mansell: Neither me, until I watched other videos from this channel lol
Ethan youre not a technician.
I don't understand it either lol, but I enjoy watching videos like this.
I wish I understood whatever computer language this guy was speaking. Still liked it.
@@EverSinceMyExorcism he's talking about assembly in this case. Which is basically just binary converted to an easier to read format for us humans.
I tried doing this glitch. So far I made the console draw what I can only describe as a croissant, rotated the screen 90°, and moved the hud to the top of the screen. I don't know what I'm doing
You rotated the screen 324˚?
he did a barrel roll
Reds an aileron roll?(game theory)
WOAH.
You need to find a way to record your failures, dood, these sound amazing for being fails.
incredible explanation and graphics to support it...this is how computer science should be taught...kudos!
Oh my god I appreciate the TAS way more now. Seriously?! Piranha plant, thrown shell, and bouncing shell ALL syncing up at the right x-position at the SAME TIME???!?!!?!!! OKAY, TAS. SURE.
Fucking godly.
Thank you :).
Voxel Fox That's what makes it so impressive! TAS is literally god in the game world. TAS can even do all it does *blind* and *deaf!* Imagine a human do that.
Voxel Fox Wow you're very smart. Look at my channel for more smart things like Tool Assisted Speedruns videos of La-Mulana!
Neither, I'm just shilling. Here, I'll add another comment, so my shill comment disappears up the comment thread.
Doesn't make it any less respectable. 8+ hours just to get a 2 minute segment perfect (only to be obsoleted when something new shows up) is crazy for anyone to do, yet they do. The amount of effort and time put towards finding insane glitches, programming, math calculations and viewing the same small part of a game over and over is just amazing to behold.
How did anyone figure that out?
3D Printing Professor exactly
ROM hackers trying to make their own levels probably found it. That's how a lot of games' secrets get found. Pokemon is a great example.
They asked the NES what it was doing xD
It is not me who found out how to do it; I only found out how he found out how to do this after I did the wrong warp to the credits in Super Mario World for the Wii U, the one that works on the Wii U. In Super Mario World, you have 10 sprite slots for enemies to work with, from slot 0 to 9, and they spawn at 9 first. In Super Mario World you write the entire algorithm in slot 0 to slot 6; the code you write by spitting shells with Yoshi (the shell becomes fire), the algorithm in the X coordinate of the shell. From sprite slot 0 to 6 it is A9, 1C, 92, 3D, 68, 68, 60. That stands for LDA, 1C, which stands for load game mode credits (that starts "Yoshi arrives home") to the accumulator; the 92, 3D stands for store accumulator to 3D; the two 68 stand for pulling out data, PLS; and the 60 stands for RTS, meaning return to the game mode that is stored in the accumulator 3D, which = 1C, so then the game knows to run 1C as the credits. The 1 on the left means there is 1x16, and the C on the right stands for +12, since it is in hexadecimal, so that means the units are 16 units long instead of the digit system, which is 10 digits long. So that is why if you see 68, it does not equal 68 as the real number; it actually equals (6x16) +8= This is a visual of what it looks like in Super Mario World; it only begins after the power incrementation glitch is done, because of the weird difference that the Virtual Console has compared to the console version: ruclips.net/video/dJp1XLmw9Jg/видео.html How does this have anything to do with the Super Mario Bros. 3 wrong warp to the princess? Since there is only slot 5 to slot 1, there is no way to write the entire algorithm, so with the shells he writes $20, E3, 8F in the slot 3 to slot 5 X coordinates of the koopa shells, and that stands for JSR: $8F, E3, which means jump to subroutine princess room. While checking in the emulator in debug mode I decided to take a look at memory $8FE3, and the entire algorithm for the princess room was there, because it started with LDA: $19
@SuperNickid I'm sorry what
This is probably the best way to present programming stuff (hex values, memory map...) I have ever seen in a video. It's clear, pleasing to ears and eyes. The topic is also very interesting. I would love to see more of such well-made videos for anything.
I hope this channel will attract as many people as possible, it deserves it.
Great video man!
EZScape hello!
EZScape hi, fun fact, jsr stands for jump straight to ram and 8f e3 is the address it must jump to in order to load the right crash value, I read the dev commentary on tasvideos.org
@Symmetry_Obsessed_Freak wow, really?
As a developer, this was extremely interesting. By far the best video I've ever seen on an arbitrary code execution exploit. Thanks for the awesome video! :D
7:35 - Yes that's right. I know exactly what is going on now.
2020: Hack your bank account by playing Mario 3
2022: Control your car with Mario 64
2024: Set off grenades with an SNES controller
i would probably crash lol
2016 launch a rocket with an n64 controller
I hope that never happens.
@ARUclipsChannelwithNoName: if you're talking about FBIAgent's comment i totally agree
This is an awesome example of assembly level 'hacking' and understanding.
I did this as instructed, but it warped me to a parallel universe in Super Mario 64.
instructions unclear: Dick stuck in Mario 64
@Kadir Garip he cramshed: 💀
uh i'm pretty sure you did something wrong
have you hit the music block which replaces a $4G69 ROM mapping function 18 screens under the main stuff or the question block which replaces the $4G79 Control function 17.5 screens under the main stuff?
i think i know why you hit 1010010101010101010101001100101010101 in bi or a5 55 54 ca 15 in hex at the time that you did that there was data that was from super mario 64 in parallel universe so the game swaped the banks with 64sh banks bk the one koppa was one bit off so the game ran 10101010010101010100101010111111111 in bi or the thing telling nes what game your playing bye looking at the ram and seeing the data and runing the game that go with the data in 1st biyt and 64s data was in there so it rad 64 that good
@Caleb Hopkins r/whoosh
The fact that you go so in depth graphically instead of just randomly spouting your values is fantastic! Keep it up! I imagine the production work takes tons of time, but I love it!
You deserve more subscribers
No he doesn't because he is a cheater
-_- He's not competing in anything. He's explaining how the glitch works.
ken m's pregony is all growen up
+filecabinet coffee
You are an idiot.
Progeny? Or pregnant? 9__9
Well done! It really tracked with a lot of the thought processes that went into figuring out the exploit for the TAS, and is accurate while still being more accessible than a text-only explanation.
Do not try and enter the pipe, that's impossible. Instead, only try to realize the truth...there is no pipe.
Whoa.
Ceci n'est pas une pipe!
dude, yes
Matrix reference yay
Don't be naff. There's a pipe right there.
What's even better is the end credits warp in Super Mario Land 2, Six Golden Coins: Mario glitches through the floor, ending up in the game's code (which is rendered onscreen as graphic tiles), and literally hits a block to set the "roll end credits" flag to TRUE.
Mario: Princess, I'm finally here.
Peach: Did you beat Bowser?
Mario: Well...uh...
Peach: Don't tell me you used the pipe glitch.
Mario: I mean, it's a little "easier" to do/accomplish.
Peach: *sighs* Ugh...
This was incredible! For years I've wanted to do the wrong warp in SMB3. I've been trying to decode what I need to do from people's PBs but haven't understood it.
This video explained it so well that not only did I do it, but my friend who doesn't speedrun also got hooked on it and we did it together. It was such a great experience trying and then being happy when we finally succeeded with the wrong warps! :D
We ended up doing it on emulator though because trying it on console with no practice was haaaaaaaaaaard! :)
Great production value mate. Keep it up.
It's not often someone does this deep an amount of research, basically never do they then pack it into something this easy to digest and understand. My humblest thanks, will be sharing with my friends tomorrow.
What I'd really like to know is how TASBot manages to program Mario Maker inside Super Mario 3 (or World, I don't remember). My guess is jumping in memory where there is the ram that deals with input from the controller and programming it that way? I'm not sure what you can do with only about 10 memory locations. Unless there are more detailed ways to execute that.
yeah controller registers. from there you can write a bootloader
This video did a very good job at explaining this trick. I, however, did not do a very good job understanding it. 10/10
This is one of the coolest videos I've ever seen on RUclips. Keep up the great work!!!
I've watched almost all of your videos. But now I'm really speechless. You are a genius
+Retro Game Mechanics Explained: I used a different method called the easy method, and you said sometimes it does not work even if you got the shell in the right spot, because it sometimes locks up on something, but I found a way to always line up those values, and this is how. When the paratroopa is moving up, boop it with the tail when the tips of his feet are lined up with the first lip of the pipe, using the easy method, and the closer you are to the correct frame the better the credits will look. That same shell placement is for the positioning of the credits screen; once I booped the paratroopa at the right spot, but I put it one pixel too far to the left, and that caused the credits to play 100% perfect, but they played too far to the left of my TV. The koopa in slot 3: never reboop it with the tail. When you mention the address 20 for the jump code, the 10th digit, in this case 2, this is when the values are aligned, but not just that one: the 10th digit can also be 1 through 10, and that is caused by booping the koopa at slot 3 at the correct position, and when he moves the correct direction, and if you reboop it with the tail by accident the 10th digit will return to 0. The placement of the shell in slot 3 determines the unit, and the unit determines the screen position, so 0 is always perfect screen placement. When the paratroopa starts moving up, the 10th digit goes 0,1,0,2,0,3,0,4,0,5,0,6,0,7,0,8,0,9,0,10. The higher up the koopa troopa goes, the quicker those values switch, and when he starts to move down the 10th digit is always 0, which is bad. And if the bit code is like this, 100 8F E3, the credits are 100% perfect; the credits that show the world will run with the checked floor. Once I booped the koopa a fraction off of the 10, 10th digit; when I hit the note block on the 19th screen it flickered 4X before playing the credits 100% perfect.
Take a look at my video for the easy set-up. It is not me who found the easy set-up, but it is me who found out about the correct alignment of the previously uncontrollable value. When I filmed this I did not know about this at the time. After placing the shell in slot 3 at the correct spot, if you take the pipe to the far right, make sure to walk off to the right to quickly despawn the shell in slot 3. The koopas in slot 4 and slot 5, those ones you can reboop with the tail as much as you like, since E3 counts as one unit, and 8F as well. ruclips.net/video/701sO-YxhGM/видео.html When you place slot 5 at the correct position you don't have to walk off to despawn it, since it will be floating above the pipe; it will despawn right away when you return to the start of the level.
Ok, this is now my favourite channel. Your explanations are amazing and the editing is superb.
3:05 *Well, it's actually souprisingly simple..."*
This kind of glitch always fascinates me because it's the best example to describe the idea of "code is data".
Love your work!
I feel so good about days when there was no memory segmentation and running instructions from heap didn't cause segfault.
That's a great analysis of locations on the screen. An x-position exposition.
Coming to your screen in 2017: But first let's talk about NES Parallel Universes!
A warp is a warp, you can't call it a half.
What I'm doing is called Koopa Troopa Raising
building up warps for 12 hours
But First Lets Talk About How To Jump Without Pressing A.
Luigi: So mario, how did you come back after defeating darkion?
Mario: to answer that, we need to talk about *parallel universes* *hazy maze from mario 64 starts playing*
Tell me if I spelled darkion right?
This joke was from something about super mario world, right at the start of the video, made by terminal montage
I don't know why I found this so fascinating, but man you did an amazing job on this video!
How the hell did someone figure this out?
This video is so amazing that you sir have gained another subscriber. I want to see more videos like this.
I did this and depending on whether I'm holding B and/or a certain direction on the D pad, the game crashed, skipped to the scene where you return the wand to world 7's king or the game was reset with a little glitchy colors. All but the princess' room.
How was this discovered? I always see videos explaining how to do it, but was this found accidentally? Seems unlikely. Was this reverse engineered?
Definitely reverse engineered. A hacker studied the code, attempted to find a way to do code injection on an SNES, made a tool that showed those values in real time. This isn't the first time code injection's been done, and they probably could have stolen your identity with just as much effort... assuming they are only going to use a SNES control to do so. Stealing your identity with a laptop and Wi-Fi decrypter would be trivial.
tasvideos.org/4288S.html This is the first known instance of the glitch being used in that way. The aforementioned RAT926 (a Japanese player) was apparently already investigating weird behavior with block changes causing odd behavior (he turned both a used-up brick and a muncher into inactive invisible music blocks back around 2013). The bad pipe behavior (where phantom pipes happen) was well-known by speedrunners by then already. Some assembly guy then took a look and figured out how to write code that would lead to the ending.
So in short, it was found because one guy was glitch hunting, and the TAS community took notice and fell on the game like code-munching piranhas because they're always after the fastest technically possible times.
Rom hackers probably. Just like pokemon how Id #0 in pokemon was discovered
It took me this long to realize it but basically:
We are using that invisible note block after we wrong warped to execute an address we made with the shells to teleport us to peach's room. What the fuck.
I tried to do this glitch but every time I try I always end up summoning the devil
I just love your channel. You are not only intelligent; but patient, thorough, and excellent at explaining things. I wish you great success!
I like your editing style
So much fun to be had as soon as code starts reading out of the proper index...
brilliant! just subbed. can't wait for more videos
Toad: What is Mario doing?
Luigi: He's beginning to believe...
Well, huh! I never realized that the NES CPU used the same instruction set as the Commodore 64, but then again, both were from the 8-bit era...
They both use the 6502, so that's why.
Yep! The NES CPU was the Ricoh 2A03. It was basically just a 6502 without a decimal mode and with an audio processing unit and IO controller for the controllers welded onto it.
@mariostar13 to be precise, the 64 used a derivative of the 6502, the 6510.
@Renville80 Yeah, but I didn't know that at the time. Also, from a programming perspective, they're exactly the same.
Finding out glitches is one thing but stuff that messes with how the game runs is something totally different.
And using this knowledge ingame is again on another new level. This is so amazing.
Nice video! Never heard of this channel before, subscribed
I've seen the glitch done for Super Mario World, and the glitchers would explain it a bit. However this vid makes a lot more sense than someone explaining while doing it. I especially liked the graphic at the side that showed the unit values, and the checks as you went through it. Nice work.
quick question:
WHO THE FUCK HAS ENOUGH SPARE TIME TO FIND A GLITCH THAT INSTANTLY BEATS SUPER MARIO 3
the TAS Speedrunning community.
those guys are god like in reverse programming
I sort of understand what's going on. I'm so glad to have this channel in my life now
I am in awe.
lol your avatar picture is in awe
Blue Boy! Stay off the pills, man! Friday and Gannon can't save you, I've seen that episode! XD
lol, fits your avatar hahahah
this is awesome. I never looked at a game's assembly. you are a wonderful wizard.
That was very, very cool.... Awesome work on this guys. #WeAreNotWorthy
This is one of the best gaming videos I have ever seen! We need more game spec videos like this out there. I was watching a video on how the Sega Saturn processes 2d and 3d games a while ago on someone's channel. If it wasn't for the fact the guy was heavily Japanese and hard to hear his English through his Japanese accent, I would have a 110% clear explanation of the hardware that entails the Saturn. I love learning stuff like that! Keep it up man. I'm subscribing right now
Dots: Love this video, amazing! However, I wanted to point out a small error.
At time marker 5:52, you show where the RTS instruction returned us to. However, this is not PRG1E (Bank 30) as you have labeled, but PRG1D (Bank 29). PRG1E (Bank 30) is meant to be at $8000, however, when the value #$80 is written to $9C70, the MMC3 immediately does a bank switch - changing $8000 to PRG1D (Bank 29), $A000 to PRG07 (Bank 7), $C000 to PRG1E (Bank 30) (Meant to be at $8000!!!) and $E000 stays at PRG1F (Bank 31).
Furthermore, the stack IS meant to be empty when returning to $8F4D, because in normal execution, we would be within the main game level loop within PRG1E (Bank 30). However, due to PRG07 (Bank 7) now being loaded in at $8000, we land in the middle of a routine for drawing the player - hence the eventual RTS instruction, and subsequent jump to RAM at $0081. So I guess it's not an unintended empty stack, it's a return to an address that now holds the wrong bank.
This bank mix up is only fixed up when a BRK is executed, since the IRQ routine calls a bank swap. Because bank swaps in SMB3 are set for $A000 and $C000, this returns our static banks PRG1E (Bank 30) and PRG1F (Bank 31) to $8000 and $E000 respectively. Indeed the wrong warp wouldn't be possible without at least one IRQ before the JSR to $8FE3!!!
-KabAudio
How the fuck did you have time to fix the "bank" problem??? Holy shit genuine 31/49
Great video! I have tried this shell down technique many many times and haven't yet got to princess. Mostly game crashes and sometimes to world 7 castle's king with wand.
Beautiful video! =)
Oh hey Tompa!
God like editing, the colored lines and graph on the left helped greatly. The best video I've seen that explains memory manipulation, good job!
this video is great mate, i rate it 8 out of 8
r8 mi gr8 b8 m8.
With 8 thumbs up as well
👍👍👍👍👍👍👍👍
I give it 8 bags of popcorn 🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿🍿
I actually managed to pull off this glitch, make the game reset by using the noteblock incorrectly, come back to the glitch zone, and it let me down to the 25th screen before sending me back up.
Question: what?
big props for the editing and structure of this video
excellent quality video! thank you!
It's wild what ACE can do when game designers and their programmer counterparts had to compact an entire game down to capacities such as 256kB for SMB3 or even smaller as you look back in time. It's a lot easier to jackhammer the stack or violate some mechanic to attempt a bad read or write to somewhere illegal when the programmers were worried more about simply making the game work correctly within the hardware's confines than fretting about drawing 35 gigabytes worth of textures. Programmers were a lot more resourceful back then and had a nearly intimate relationship with their target hardware. Knowing how to bend the rules could help you implement your current mechanic in 450 bytes rather than 600 bytes; add up all that memory or program space saved over time while utilizing these methods, and your game has the space to add more levels, features, mechanics, secrets, or anything else that might have your design be the smash hit of the day.
If I had a list of things I'd do with a time machine, taking a modern IDE and hardware development tools back to these days would be on my list. Not like... in the top 100 or anything... but it would be on there. :)
Can you please make more videos like this.
It's astonishing to see how this can be done and even more astonishing knowing how it works
Nice video mate!
2:36 I hate to be direct, but it would actually be one pixel to the left, because the koopa would unload sooner. Also three things: walking enemies move by half a pixel every frame, a koopa’s subpixel position doesn’t change when it’s in Mario’s hands, and koopas move by half a pixel when they wake up in Mario’s hands. In this setup’s case, the koopa moves by half a pixel to the right. This means that depending on the subpixel value the koopa last had before grabbing it, you have to stand where the koopa’s X position is at either #$B7 or #$B8. If the koopa’s subpixel value is 0-7 before waking up, then you have to stand where the koopa’s X position is at #$B8. If the koopa’s subpixel value is 8-F before waking up, you have to stand where the koopa’s X position is at #$B7. This means that this “simple” #$8F setup yields a 50/50 chance at working.
I HAVE NO FUCKING IDEA WHAT THE FUCK JUST FUCKING HAPPENED!
helmet098 Simple, this guy is a genius!
he just explained about fucking the in game ram in smb3
explaining something doesn't mean that someone will understand it.
No shame to be had.
I only understood that because I've studied processor design and architecture.
I likely wouldn't have either if i hadn't tbh
i've been falling asleep to videos like these for about a week. so relaxing and soft,,
so if i understand, the game crashes while trying to create that invisible note block to repel mario while the actual note block is going up because everything is so out of index because you went so out of bounds? but why does the game execute the code you injected? is it like a failsafe kind of thing where they knew the game was gonna crash and they just execute any command they have as a last resort? i got the part where the code says jump to subroutine 8F E3 and the game crashes when you hit the note block but then everything was just too complicated for me
It's not a failsafe or a last resort, the game is so out of index at that moment that it just starts executing code from locations it shouldn't and ends up executing the injected code.
The whole exploit is possible because of the 6502's Von Neumann architecture. The cpu is interpreting the sprite location _data_ as instructions.
The rest of the procedures performed after placing the sprites down are to move the instruction pointer/PC to the address where the sprite location data is kept
@Crasy Fingers: This is just a summary of what he said above, and something that he missed, to be more clear on what happens. Warning: the summary is kind of long. The reason it works: when you go out of bounds, the note block that crashes the game actually exists in the real part of the level, but when you hit it in the real part of the level, it works properly. This is just an example, it may not be exactly correct: that note block is normally on 6261 and when you hit it, it goes 6261+0F to make 6270; nothing goes wrong here, and DD1A works fine to update the sprite animation, and then the game returns to the note block bouncing animation, and saves the X coordinate of that bouncing animation in $0097, and its Y coordinate in $009F; the X and Y values are only overwritten if another block bounces. So when you go out of bounds, the block that was in 6261 gets incorrectly placed every time on 9C61, but since it is the same block it still has +0F to find the sprite animation, so it will go 9C61+0F=9C70, and that tells the game to write to read-only memory, and since that is not possible the game looks in open bus to find out what to do with 9C70, and finds valid garbage code to update in DD1A. The garbage code is too long by one byte, so that it overflows the stack buffer, so you will see in the debug menu address $0100: JSR:$0080; that means it already overflowed, and that it jumps to that address. That address has the instruction $0080:RTS-1, so it will go to address $0081; then it needs to go through a lot of addresses before reaching the X coordinates of sprites, which start on $0090. Enemies' X positions start on $0091 and end with $0095. Enemies spawn on the highest slot that is still available first, so we write at $0093: $20, and at $0094: E3, or E1, and $0095: 8F. In the debug menu this will show as $0093: JSR: $8FE3, or JSR: 8FE1; you will see in the debug menu that $0094 and $0095 do not show anymore, and address $0096 still shows because that is the X coordinate for the power-up.
Mario's X position is in $0090. Mario's X position needs to be correct when hitting the note block that crashes the game to make it work, because he can go to an opcode with enemies in $0091 and $0092; with the easy method nothing spawns on $0091, and since nothing spawns its X value is $00. Most of Mario's X coordinates are OK, just a few would guarantee a fail, and that is what causes the different sounds before it transitions to the rescue of the princess. And it does work on Wii U Virtual Console, and all other Virtual Consoles, except for the NES Mini, and also it does not work on the Japanese version and the PAL version. It does not work in all versions of All-Stars. If you need more information on why it works, and why the Virtual Console is banned for speedrunning that category, just contact me in here.
Excellent video! Even though, I don't understand it, I still sorta understand it because you explained it really really well.
Like a great teacher would.
Of course this leads me to ponder if requests is something you'd be interested in doing because, there's a very interesting glitch in *Ys: The Vanished Omens* for the Sega Master System ( _I perform it on my playthrough in part 1_ ) where if you attempt to buy the Mirror from Pim in Minea a couple of times, really strange effects can occur. Such as you can be teleported to a glitch area that plays the Tower of Dahm's theme, the game can crash, you'll get a random amount of gold usually in the thousands, you can get gold and items, you can be leveled to max level instantly and many more stuff, I am convinced that there might just be a way to glitch it to the ending from there.
Another thing I am interested in, but this is admittedly something I've tried to understand on my own more, is that in many old school games ( _in this case Shadowrun on Sega Genesis_ ) they have palette swap enemies / allies. I've been trying to use a hex editor to swap the palette of the character but to no real success.. One day I'll succeed I believe. But just what that change is.. Is interesting.
No point in trying this anymore, Nintendo patched it.
Duracelpupu: For the NES classic mini? Anyways, we still have the unpatched original version!
..and roms, I'd guess...
Just play on an NES. That doesn't get patched.
G U Y S H E W A S J O K I N G
Apparently only one person can detect a joke
9:35 amazing! what precise control!
8:04 when he was showing us how to do it the background music seemed to be missing for some reason
You lost me after "In Super Mario Brothers 3 ..."
I was confused when he called it Brothers.
lmao
Made it farther than me... I got confused reading the title.
Loved the explanations! You're very well documented and the diagrams and drawings you make are so sensible and just right that anyone can understand what's been up; as well as your more advanced users not get too bored.
Good luck with future movies. Got yourself a subscriber. :)
I love the fact that I'm not the only person into old NES 6502 assembly code.
Fantastic video, dude. Kinda reminds me of when they have an Engineer or Scientist come to your school, then kids ask them a question and they answer it in wtf-level detail and just blow everyone's mind. That's about where I am right now watching this lol
*obligatory "here from summoning salts channel"*
Amazing videos man, well done.
Chris Thorn summoning salts is the reason I found dotsarecool also, and thus this channel as well
'fg' kuk
Thank you for this great explanation! I was led here by tetrabitgaming's video but I was disappointed there by a lack of real reasoning. Now this topic is way more clear to me. Thank you!
7:06 IGN
Thank you! I had never seen a video which explains these things so well!
great video mate
AldiePezeh FUCKIN MASTER ROSHI
I think that I finally understand how controlling memory mappers works. You send a write command to what would normally be a ROM location. However, because there's a memory mapper and not just the bare ROM the mapper can catch that write command and then perform some other command.
Clever that.
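A minimal model of the MMC3 PRG registers shows the mechanism described in the comment just above, and what the write of #$80 to $9C70 from KabAudio's earlier comment does to the bank layout. This is an added example, not part of any comment or of the game's code; the starting register values (R6=29, R7=7, PRG mode 1), the marker ROM and the restoring writes are assumptions constructed to match the bank numbers quoted in that comment.

```python
# Added example: minimal model of MMC3 PRG banking (registers at $8000-$9FFF only).
# Assumptions: 32 banks of 8 KiB (256 KiB PRG ROM); the starting values R6=29,
# R7=7 and PRG mode 1 are inferred from the bank numbers quoted in the comment,
# not read from the game. The ROM image is constructed marker data.

BANK_SIZE = 0x2000   # MMC3 maps PRG ROM in 8 KiB windows
NUM_BANKS = 32


def make_marker_rom():
    """Constructed ROM: every byte of bank n holds the value n."""
    return b"".join(bytes([n]) * BANK_SIZE for n in range(NUM_BANKS))


class MMC3Prg:
    def __init__(self, rom, r6, r7, prg_mode):
        if len(rom) != NUM_BANKS * BANK_SIZE:
            raise ValueError("unexpected PRG ROM size")
        self.rom = rom
        self.regs = [0] * 8          # R0..R7; only R6 and R7 select PRG banks
        self.regs[6], self.regs[7] = r6, r7
        self.select = 0              # which Rn the next bank-data write updates
        self.prg_mode = prg_mode     # bit 6 of the last bank-select write

    def layout(self):
        """Bank numbers visible at $8000, $A000, $C000 and $E000."""
        second_last, last = NUM_BANKS - 2, NUM_BANKS - 1
        r6 = self.regs[6] % NUM_BANKS
        r7 = self.regs[7] % NUM_BANKS
        if self.prg_mode == 0:
            return [r6, r7, second_last, last]
        return [second_last, r7, r6, last]

    def cpu_write(self, addr, value):
        """A store into ROM address space never changes ROM; the mapper decodes it."""
        if 0x8000 <= addr <= 0x9FFF:
            if addr % 2 == 0:                    # even address: bank select
                self.select = value & 0x07
                self.prg_mode = (value >> 6) & 1
                # bit 7 (CHR A12 inversion) is ignored in this PRG-only model
            else:                                # odd address: bank data
                self.regs[self.select] = value
        # $A000-$FFFF registers (mirroring, PRG-RAM protect, IRQ) are not modelled

    def cpu_read(self, addr):
        if not 0x8000 <= addr <= 0xFFFF:
            raise ValueError("only cartridge PRG space is modelled")
        bank = self.layout()[(addr - 0x8000) // BANK_SIZE]
        return self.rom[bank * BANK_SIZE + (addr % BANK_SIZE)]


def demo():
    m = MMC3Prg(make_marker_rom(), r6=29, r7=7, prg_mode=1)
    result = {"before": m.layout(), "byte_before": m.cpu_read(0x8F4D)}

    # The block-bounce code's stray store: #$80 lands on the bank-select
    # register because $9C70 is an even address in $8000-$9FFF.
    m.cpu_write(0x9C70, 0x80)
    result["after"] = m.layout()
    result["byte_after"] = m.cpu_read(0x8F4D)    # same address, different bank

    # Constructed stand-in for a later bank swap that sets bit 6 again.
    m.cpu_write(0x8000, 0x46)
    m.cpu_write(0x8001, 29)
    result["restored"] = m.layout()
    result["rom_unchanged"] = m.rom == make_marker_rom()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The marker byte read from $8F4D changes from 30 to 29 although no ROM byte was modified, which is why a return address that was valid before the write points into different code after it.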
Why do you sound like dotsarecool
We're twins.
Retro Game Mechanics Explained Really?
Well I guess I'm not really my own twin, so not exactly.
***** Lol ok
Seriously though, this is the channel where I post my quality videos (RGME series), and pretty much everything else I want to upload goes on my dotsarecool channel.
When you said wrong warp I thought you were talking about a different one, I didn’t know other mario games had these. Fascinating
My brain hurts...
The explanation, visuals and sounds are more than professional. Keep this up! :D
This is the first video I’ve ever watched on ANY subject that made me feel dumb.
Thanks for explaining this! I saw it done on a speedrun, and I had no idea what he did!
This channel is so, so good. Thanks for all the work you do on it.
2:36 or throw the shell in the coordinate 8F and jump while crouching (be sure the shell doesn't despawn or crash)
Can you imagine someone doing this in the early 90's with a console version of SMB3, during a speedrunning competition? It would probably make national news.
lmao
in case you don't know mitch flower did it on tv
I love how every video that tries to explain a glitch ends up being 82x longer than the actual execution of said glitch