Tool-assisted game movies
When human skills are just not enough

Arbitrary Code Execution How To

Arbitrary Code Execution is the new way to really show off an impressive TAS. This concept exploded in popularity thanks to Masterjun and his [2513] SNES Super Mario World (USA) "arbitrary code execution" by Masterjun in 02:25.19, which was first showcased live at Awesome Games Done Quick 2014.

To create an ACE TAS it helps knowing about the game and the console. Basic understanding of reverse engineering is useful, too.

1. How does code execution work?

Each system has an "instruction pointer" that points to the current portion of the program that is being executed. This is a location in memory that you will need to track down. The contents of that piece of memory are an instruction; for example a 1 might mean "add these two values together", and a 15 might mean "load this value from storage". Depending on the system, the instruction pointer will interpret different values as different operations. Thus you will need to know what operations the system supports and how those operations are represented in memory, so that you can figure out what exactly the system is doing.

Realistically, you will need to learn to program in the assembly language that the system you are TASing uses. The NES is different from the SNES is different from the Genesis, etc.

2. How do I execute arbitrary code in this game?

It might not be possible. To execute arbitrary code, you need to convince the instruction pointer to point to a section of memory that is under your control. By controlling that section of memory, then, you control what operations the system performs. Ultimately, you usually want to get the instruction pointer to point to the area of memory that represents the controller's inputs. Once you have achieved this, you can write any program you like by simply changing your inputs; different inputs represent different operations.

3. Executing RAM

ACE requires you to be able to move the instruction pointer. This is where glitches come in, and will thus be different for every game. If you can corrupt the instruction pointer, then a common (indeed, by far the most likely) result is that the game will crash -- because the pointer is pointing to an area of memory that does not represent a valid operation.

As a general rule, the program code is in ROM (Read-Only Memory), while the parts of the program you can manipulate are in RAM (Random Access Memory). ROM is immutable (barring changing the program using a cheat device). Thus, your first goal is to get the instruction pointer to point to somewhere that's in RAM, not ROM.

Of course, having the instruction pointer in RAM only helps you if you are able to manipulate the contents of that RAM. One reason why games with large inventory systems are so amenable to ACE exploits is that they have large sections of RAM that the player can easily manipulate, by rearranging their inventory. In games that don't have such large inventory systems, you may be forced to use more subtle techniques. For example, if you can glitch the instruction pointer into the part of memory that tracks the locations of sprites on the screen, then you may be able to "program" different instructions into the game by invoking the glitch when sprites are at different locations, or when there's a different number of them.

This process, of figuring out how you can insert the appropriate values "underneath" the instruction pointer, is the most difficult aspect of making an ACE TAS.

TODO: Add SNES specific ways to execute arbitrary code by using controller registers

Combined RSS Feed
ArbitraryCodeExecutionHowTo last edited by mugg on 2015-01-06 09:39:22
Page info and history | Latest diff | List referrers | View Source