This is a hacking and gaming tour de force! [Seth Bling] executed a code injection hack in Super Mario World (SMW) that not only glitches the game, but re-programs it to play a stripped-down version of “Flappy Bird”. And he did this not with a set of JTAG probes, but by using the game’s own controller.
There are apparently a bunch of people working on hacking Super Mario World from within the game, and a number of these hacks use modified controllers to carry out the sequence of inputs. The craziest thing about the hack here is that [Seth] did this entirely by hand. The complete notes are available here, but we’ll summarize the procedure for you. Or you can go watch the video below. It’s really incredible.
First, there’s a “powerup incrementation glitch” that lets you get Mario into an undefined powerup state. Then [Seth] executed another hack to stop the game’s timer, so that he would have plenty of time to play around.
From here, he could enter bytes directly into RAM by positioning Mario in exactly the right place and dropping a mushroom. Mario’s x-coordinate value was written to memory. [Seth] had to get Mario on exactly the right pixel just by comparing his position against the background. That’s so incredibly tedious and requires such precision that the first few bytes of code he entered were a routine that displayed Mario’s position in the coin counter. You can see this working around 3:30.
The next trick is to add in a bootloader that lets him enter bytes by spin-jumping. This lets him enter bytes relatively easily — move to the right position indicated in the coin display, and then spin-jump. By this point, the graphics are all messed up, but he’s live-patching a running system at the byte level, so what do you expect? The coolest feature of the bootloader? A checksum at the end verifies the code so that you can pick up again at the code entry phase, rather than having to re-do a half hour’s worth of “up-up-down-down-left-right-left-right-B-A”.
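To make the two write primitives and the end-of-stage checksum concrete, here is a toy model written for this article; it is not [Seth Bling]'s code and not taken from his notes. It assumes a small constructed RAM, a constructed base address for the entered bytes, and two checksum algorithms chosen for illustration (an 8-bit additive sum and Fletcher-16); the real hack's addresses and verification routine are not reproduced here. The point it shows is why a checksum over the entered block is worth the extra bytes: a mis-entered byte is caught before the next stage runs, so only that block is redone, and a plain additive sum has a blind spot (swapped bytes) that a slightly richer check does not.

```python
# Added example (not from the post or from [Seth Bling]'s hack): a toy model of
# the two write primitives the post describes and of an end-of-block checksum
# that tells you whether a hand-entered byte block can be trusted before the
# next stage runs. Addresses, RAM size and the checksum algorithms are
# constructed assumptions for this illustration, not the real hack's values.

RAM_SIZE = 0x100            # constructed toy address space
PAYLOAD_BASE = 0x40         # constructed: where the entered bytes land


class ToyConsole:
    """Minimal RAM plus two ways of writing to it, mirroring the post's stages."""

    def __init__(self):
        self.ram = bytearray(RAM_SIZE)
        self.next_slot = 0  # bootloader cursor: how many bytes accepted so far

    def drop_at_x(self, x, dest):
        """Stage 1: the low byte of an x coordinate is written to one address."""
        if not 0 <= dest < RAM_SIZE:
            raise ValueError("destination outside toy RAM")
        self.ram[dest] = x & 0xFF

    def spin_jump(self, x):
        """Stage 2: each spin-jump stores one byte at the next free slot."""
        self.drop_at_x(x, PAYLOAD_BASE + self.next_slot)
        self.next_slot += 1


def checksum8(data):
    """8-bit additive checksum: cheap, but blind to swapped bytes."""
    return sum(data) & 0xFF


def fletcher16(data):
    """Fletcher-16: two running sums, so byte order also matters."""
    s1 = s2 = 0
    for b in data:
        s1 = (s1 + b) % 255
        s2 = (s2 + s1) % 255
    return (s2 << 8) | s1


def enter_block(console, entered_bytes, expected, algorithm=checksum8):
    """Feed bytes through the bootloader; return True only if the block verifies.

    A False result means only this block has to be re-entered: the earlier
    stages (stopped timer, position display, bootloader) are already in RAM.
    """
    console.next_slot = 0
    for b in entered_bytes:
        console.spin_jump(b)
    stored = bytes(console.ram[PAYLOAD_BASE:PAYLOAD_BASE + len(entered_bytes)])
    return algorithm(stored) == expected


# Constructed sample payload standing in for the code block being entered.
PAYLOAD = bytes([0xA9, 0x01, 0x8D, 0x00, 0x14, 0x60])


def demo():
    """Correct entry passes; one mistyped byte fails; a swap fools checksum8 only."""
    good = enter_block(ToyConsole(), PAYLOAD, checksum8(PAYLOAD))

    typo = bytearray(PAYLOAD)
    typo[2] ^= 0x01                      # one slot landed on the wrong pixel
    caught_typo = not enter_block(ToyConsole(), typo, checksum8(PAYLOAD))

    swapped = bytearray(PAYLOAD)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    sum_misses_swap = enter_block(ToyConsole(), swapped, checksum8(PAYLOAD))
    fletcher_catches_swap = not enter_block(
        ToyConsole(), swapped, fletcher16(PAYLOAD), algorithm=fletcher16)
    return good, caught_typo, sum_misses_swap, fletcher_catches_swap


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True, True)
```

Running it prints `(True, True, True, True)`: the clean block verifies, a single wrong byte is rejected, the additive sum accepts two swapped bytes, and Fletcher-16 rejects them. Whichever check you pick, the design lesson is the one in the post: verify each hand-entered block before executing it, so a slip costs you one block rather than the whole chain.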
In the end, a rudimentary “Flappy Bird” game is loaded into the system. It only took [Seth] an hour to pull this off, but the early parts of the chain are so critical that he can’t make any mistakes. The next time you’re sitting around with your disassembler/debugger and type backspace, imagine having to start over from the beginning. This is high-wire hacking without a net. Amazing!
Thanks [gudenau] and [Le Samourai] for the tip!