MrCheeze | SMW Arbitrary Code Execution: Instant Bowser Kill @MrCheeze | Uploaded 8 years ago | Updated 1 hour ago
I recently discovered something very interesting about the game. The marathon-safe credits warp, as seen at AGDQ 2016, works because touching a 1-up with Powerup Increment 6 causes a certain very specific crash, allowing us to get arbitrary code execution. The exact same crash is triggered by touching a mushroom with Creamsicle Mario (PI 22), but doing so *also* gives Mario another mushroom in his item box. This means we can activate the ACE again a moment later. By editing the sprite positions between each ACE trigger, we can write as much data to RAM as we want, and this data can be executed as code. The upshot of this is that it is possible to modify as much RAM and code as we like, much like a total control TAS, rather than just whatever few bytes of code we can fit into a sprite table.
In this video, I demonstrate using this method to warp to Bowser and kill him instantly.
0:00 - 0:30 : Setup. I glitch two berries so that items dropped from the item box will appear in slot 9, the same one the 1up appears in. I also grab a midway point which will be kept even when we enter Back Door.
0:30 - 1:00 : I use a short three-byte ACE to skip from PI 6 up to PI 22. By chance, this value is already loaded in a register, so this only takes 3 bytes. (STY $19 : RTS).
1:00 - 2:00 : I setup another ACE of the form LDA #?? STA $7F80?? RTS. The question marks represent values that we will modify by moving two shells between each time we run the code. The general purpose of this code is to overwrite a graphics subroutine the game stores in RAM, to have some entirely different effects.
2:00 - 4:00 : Repeatedly trigger the ACE by touching the mushroom as Creamsicle Mario with the right position. Each time we reposition the shells to modify a different part of the code in memory. In this video I used shells as the sprites I repositioned, but if time is not an issue then using permanent sprites (Yoshi & P-Switch) would be a better choice.
4:00 - 4:30 : Suddenly, Bowser. Suddenly, dead Bowser. The effect of the code we wrote is to edit the overworld so that Bowser's Castle is where Yoshi's Island 2 should be, and Bowser can be killed almost instantly. (LDA #$32 STA $7ED489 ; LDA $73 TSB $1525).
4:30 - 12:40 : The routine we overwrote essentially had a purpose of cleaning up the graphics, so enjoy the glitched ending.
Note that like all routes involving the marathon-safe arbitrary code execution, this requires the use of a multitap. The exact method used here requires two.
Movie file: dl.dropboxusercontent.com/u/183608682/smw-rta-ace.lsmv
I recently discovered something very interesting about the game. The marathon-safe credits warp, as seen at AGDQ 2016, works because touching a 1-up with Powerup Increment 6 causes a certain very specific crash, allowing us to get arbitrary code execution. The exact same crash is triggered by touching a mushroom with Creamsicle Mario (PI 22), but doing so *also* gives Mario another mushroom in his item box. This means we can activate the ACE again a moment later. By editing the sprite positions between each ACE trigger, we can write as much data to RAM as we want, and this data can be executed as code. The upshot of this is that it is possible to modify as much RAM and code as we like, much like a total control TAS, rather than just whatever few bytes of code we can fit into a sprite table.
In this video, I demonstrate using this method to warp to Bowser and kill him instantly.
0:00 - 0:30 : Setup. I glitch two berries so that items dropped from the item box will appear in slot 9, the same one the 1up appears in. I also grab a midway point which will be kept even when we enter Back Door.
0:30 - 1:00 : I use a short three-byte ACE to skip from PI 6 up to PI 22. By chance, this value is already loaded in a register, so this only takes 3 bytes. (STY $19 : RTS).
1:00 - 2:00 : I setup another ACE of the form LDA #?? STA $7F80?? RTS. The question marks represent values that we will modify by moving two shells between each time we run the code. The general purpose of this code is to overwrite a graphics subroutine the game stores in RAM, to have some entirely different effects.
2:00 - 4:00 : Repeatedly trigger the ACE by touching the mushroom as Creamsicle Mario with the right position. Each time we reposition the shells to modify a different part of the code in memory. In this video I used shells as the sprites I repositioned, but if time is not an issue then using permanent sprites (Yoshi & P-Switch) would be a better choice.
4:00 - 4:30 : Suddenly, Bowser. Suddenly, dead Bowser. The effect of the code we wrote is to edit the overworld so that Bowser's Castle is where Yoshi's Island 2 should be, and Bowser can be killed almost instantly. (LDA #$32 STA $7ED489 ; LDA $73 TSB $1525).
4:30 - 12:40 : The routine we overwrote essentially had a purpose of cleaning up the graphics, so enjoy the glitched ending.
Note that like all routes involving the marathon-safe arbitrary code execution, this requires the use of a multitap. The exact method used here requires two.
Movie file: dl.dropboxusercontent.com/u/183608682/smw-rta-ace.lsmv
![[S] Act 7 redubbed with more fitting music.](https://i.ytimg.com/vi/y6aNr2MAGzQ/hqdefault.jpg "[S] Act 7 redubbed with more fitting music.
The Lyrist (Cherubim) - EidolonOrpheus
Bilious (Genesis Frog) - Alexander Rosetti
The Lordling (Cherubim) - Toby Radiation Fox
Creata (Volume 10) - Beatfox
I dont think its possible for a single song to suit the flash better than Overture, but putting different songs with different parts of the animation actually works pretty well. Bilious in particular seems to line up surprisingly well with the Green Sun and Lord English parts of it.")
