The idea of using video games as a way to achieve some form of Arbitrary Code Execution (ACE) on classic hardware has come a long way since seven years ago, when TASbot publicly reprogrammed a Super NES on the fly via Super Mario World. There are now dozens of examples of similar glitches that use nothing but controller inputs to insert new programming instructions into classic games, including many that can be performed by humans (and not just button-mashing robots).
Even given all that history, though, we’re still a bit wowed by the speedrunning community that found a way to insert new code into Paper Mario for the N64, leading to a new record-setting speedrun of the game. Their new method requires some extremely careful character positioning, the exploitation of “junk” memory in the N64’s RAM expansion pack and, amazingly, playing a couple of games of The Legend of Zelda: Ocarina of Time.
Enter the effects matrix
The story of how this incredible method was discovered goes back two months, when a Paper Mario speedrunner who goes by Morpheus stumbled on a mysterious game crash in the middle of a livestreamed run. Players eventually discovered that Morpheus had accidentally triggered a situation where the game was storing too much data in the “effects matrix,” a data structure the game uses to store details of visual effects like smoke from Mario’s hammer blows.
By using a menu glitch to permanently store what are usually temporary effects, a player can overflow that matrix and enter a portion of unrelated memory, which the game interprets as “garbage” machine code, leading to a crash.
From there, players got to work figuring out how to use the overloaded effects matrix to run useful code rather than game-breaking junk. Doing that meant careful manipulation of Mario’s position in the game’s three-dimensional coordinate system so those positional values could be inserted into precise positions in the effects matrix. This was made harder because Mario’s vertical position in the in-game world is heavily limited by, uh, gravity.
By mid-February, though, Paper Mario runner Fray had done the positional calculations and shown off a code execution proof of concept that could be performed with the assistance of emulation tools. A few days later, another runner, Rain, showed off a complete tool-assisted speedrun that warps the player to the game’s credits scene much faster than even the fastest glitch-exploiting speedruns could do previously.
Unfortunately, the extremely precise positioning required for this method means a human would have no chance of replicating it. And that’s where Ocarina of Time and the N64 RAM expansion pak come into play.
Stopping and “Swopping”
Remember that buffer overflow crash Morpheus discovered in January? It turns out that “by sheer crazy coincidence, this [buffer overflow] jumps execution to a part of memory where there are player flags and an idle timer,” explained Paper Mario streamer JCog. “If we let that idle timer reach anywhere from 0x810 to 0x81f, which is 69 seconds (nice), before releasing the stored effects, then execution jumps to expansion pak memory, which Paper Mario doesn’t use, and then it crashes from garbage data.”
Going from one set of garbage data to another doesn’t seem very useful, unless you also have a way to edit that expansion pak memory first. Fortunately, another ACE method in Ocarina of Time gives us a way in there. We won’t discuss the intricate steps necessary for that glitch here, but the process is broadly similar to the one used to insert Star Fox Arwings into the game, as we described in detail last year. By repeating this method twice (using a couple of carefully constructed file names), an Ocarina of Time runner can load a specific assembly instruction into that area of expansion pak memory.
You might think that expansion RAM memory would become unusable after you turn the system off. But early editions of the N64 hardware actually have a quirk where that memory persists for a few seconds after the system powers down. That idiosyncrasy was actually key to Rare’s plans for a “Stop n Swop” system, which would have let players unlock items and content in one Rare game by playing a different game and then quickly swapping the cartridges. Unfortunately, later revisions to the hardware changed that unintended memory persistence and forced Rare to abandon those plans.
Today, though, players can still exploit the vagaries of early N64 hardware to move memory from one game to another. As JCog explained, “If we quickly turn off the console, swap cartridges to Paper Mario, and turn the console back on, that instruction will still be there in memory (luckily when [Ocarina of Time] boots, it clears the expansion pak memory, but Paper Mario just ignores it).”
With the Ocarina-inserted instruction still stored in expansion pak memory, Morpheus’ glitch doesn’t crash the system but instead jumps the game to the credits cut scene, making for a human-repeatable speedrun solution. You can see the cartridge swap involved at 45:00 in this video, followed by the Paper Mario glitch that takes advantage of that leftover Ocarina of Time memory.
JCog noted that this extreme method probably shouldn’t count for the Paper Mario speedrun leaderboards, since it requires setup from outside the game. Still, the fact that it’s possible at all is a testament to the research, ingenuity, and hacking chops of a dedicated group of players determined to unlock the inner workings of classic gaming hardware.
Let’s block ads! (Why?)