Hacking Flappy Bird By Playing Mario

This is a hacking and gaming tour de force! [Seth Bling] executed a code injection hack in Super Mario World (SMW) that not only glitches the game, but re-programs it to play a stripped-down version of “Flappy Bird”. And he did this not with a set of JTAG probes, but by using the game’s own controller.

There are apparently a bunch of people working on hacking Super Mario World from within the game, and a number of those hacks use modified controllers to carry out the sequence of inputs. The craziest thing about this hack is that [Seth] did it entirely by hand. The complete notes are available here, but we'll summarize the procedure for you. Or you can go watch the video below. It's really incredible.

First, there’s a “powerup incrementation glitch” that lets you get Mario into an undefined powerup state. Then [Seth] executed another hack to stop the game’s timer, so that he would have plenty of time to play around.

From here, he could enter bytes directly into RAM by positioning Mario in exactly the right place and dropping a mushroom: Mario's x-coordinate value gets written to memory. [Seth] had to get Mario onto exactly the right pixel just by comparing his position against the background. That's so tedious, and requires such precision, that the first few bytes of code he entered were a routine that displays Mario's position in the coin counter. You can see this working around 3:30.

The next trick is to add a bootloader that lets him enter bytes by spin-jumping. This makes byte entry relatively easy: move to the position indicated in the coin display, then spin-jump. By this point the graphics are all messed up, but he's live-patching a running system at the byte level, so what do you expect? The coolest feature of the bootloader? A checksum at the end verifies the entered code, so that after a mistake you can pick up again at the code-entry phase rather than redoing a half hour's worth of "up-up-down-down-left-right-left-right-B-A".
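As an added illustration (not [Seth]'s code, and not anything from the game itself), here is a small Python model of the entry scheme just described: a position-driven write primitive that commits one byte per "spin-jump", and a loader that recomputes a checksum over the entered bytes before it will run them. The RAM layout, the payload bytes and the 8-bit additive checksum are assumptions of the model, not Super Mario World internals. It also shows the limit of such a checksum: a single mis-placed byte is caught, but two slips that cancel each other are not.

```python
"""Model of byte-at-a-time payload entry with a checksum gate.

Constructed example: the 'console' RAM, the slot layout and the 8-bit
additive checksum are assumptions, not Super Mario World internals.
"""

PAYLOAD_BASE = 0x20     # assumed start of the payload area in our model RAM
RAM_SIZE = 0x100


class Console:
    """Minimal model: a flat RAM and a write primitive driven by position."""

    def __init__(self) -> None:
        self.ram = bytearray(RAM_SIZE)
        self.cursor = 0  # next payload slot the loader will fill

    def spin_jump(self, x_position: int) -> None:
        """Commit the low byte of the player's x position into the next slot.
        Only 8 bits survive, so being one pixel off corrupts that byte."""
        self.ram[PAYLOAD_BASE + self.cursor] = x_position & 0xFF
        self.cursor += 1


def checksum8(data: bytes) -> int:
    """8-bit additive checksum: the value entered after the payload."""
    return sum(data) & 0xFF


def enter_payload(console: Console, payload: bytes, slips=None) -> None:
    """Enter the payload one 'spin-jump' per byte, then its checksum.
    slips maps byte index -> pixel error, modelling a mis-positioned jump."""
    slips = slips or {}
    for i, b in enumerate(payload):
        console.spin_jump(b + slips.get(i, 0))
    console.spin_jump(checksum8(payload))


def loader_accepts(console: Console, length: int) -> bool:
    """What the bootloader does at the end of entry: recompute the checksum
    over the entered bytes and compare it with the trailing byte. On a
    mismatch only the payload needs re-entering; the glitch chain and the
    loader itself stay in place."""
    start = PAYLOAD_BASE
    entered = bytes(console.ram[start:start + length])
    stored = console.ram[start + length]
    return checksum8(entered) == stored


def run_entry(payload: bytes, slips=None) -> bool:
    """Full entry of one payload; True if the loader would jump to it."""
    console = Console()
    enter_payload(console, payload, slips)
    return loader_accepts(console, len(payload))


# Constructed payload bytes (not the real Flappy Bird program).
PAYLOAD = bytes(range(0x40, 0x60))

if __name__ == "__main__":
    print("clean entry accepted:", run_entry(PAYLOAD))
    print("one byte off by a pixel:", run_entry(PAYLOAD, {5: 1}))
    # Caveat: an additive checksum misses errors that cancel out.
    print("two compensating slips:", run_entry(PAYLOAD, {5: 1, 9: -1}))
```

The point of the gate is recovery cost, not security: anything that survives the check gets executed, so a stronger check (a CRC, or a hash if the loader has room for it) would be the practitioner's choice where the entered bytes could be adversarial rather than merely mistyped.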

In the end, a rudimentary "Flappy Bird" game is loaded into the system. It only took [Seth] an hour to pull this off, but the early parts of the chain are so critical that he can't make any mistakes. The next time you're sitting around with your disassembler/debugger and hit backspace, imagine having to restart from the very beginning. This is high-wire hacking without a net. Amazing!

Thanks [gudenau] and [Le Samourai] for the tip!

24 thoughts on "Hacking Flappy Bird By Playing Mario"

    1. He’s just pressing buttons, and anyway the real hack (being able to insert random bytes) has been known for years now. So basically this is just “it is possible to program flappy bird for SNES, and I had a lot of time to waste”. Totally not a hack.

    1. I understand the “hardness” aspect of doing this all manually and I have a great deal of respect for the amount of effort this actually takes but why doesn’t he at least script this if he absolutely has to do it without “programming” it? Or is the process part of the enjoyment here?

      1. It’s been scripted before, in fact many many times. Search for “TasBot”. It connects to the SNES controller port and plays back pre-recorded input events and can even pretend to be a multitap to input many bytes in ram at once.

        No human has ever done this manually by hand with a real game pad before Seth, and it is quite a claim to fame to add to his already amazingly huge list.

        1. Ahh, yes. I have seen TASBot before, notably when it raised money for AGDQ the last few years. They even had a segment this year with four people trying to speed run Super Mario World in real time. One of the people competing was Seth.

          I agree, this particular trick done manually has probably not been done before. Just curious what the motivation is, if any? Different strokes, maybe.

          1. Far be it from me to speak for Seth, but I assumed it's no different than the "Why would you spend all that time building X when you can buy one on Amazon?" sort of thing.
            Perhaps even a “first” thing as well, as in why climb that mountain or beat that record.

            Seth has been doing this sort of stuff for some time (8 years I’ve known of him at least) so clearly he loves doing it too.

            But ultimately no, I don’t know his answer to that.

      2. I see it as a) programming as recreation, and b) sort of like Paganini’s caprices: less music in the normal sense than an elaborate demonstration of untouchable swag. Really, it’s as much about finesse as the end result.

  1. A truly awesome feat! I've seen some arbitrary code execution in Super Mario World and Pokemon before, but they were all done using some kind of bot or automated input device. While most of these hacks are theoretically possible, I never thought I'd see someone performing this manually! Awesome work!
