Beat the game as quickly as possible by exploiting a glitch in World 8-4 that allows controller inputs to be read as arbitrary code.
Background
LuigiSidekick first stumbled on the bug by accidentally crashing the game in 8-4 during a casual playthrough of SMB2, and posted about it on Twitter in March. Simplistic6502 then found this post in the NESdev Discord server on March 28th and investigated the cause of the crash. The crash occurs due to a logic error in the DuplicateEnemyObj subroutine, which is used by long firebars and Bowser. If all enemy slots are occupied, the object falls out of bounds into memory beyond the object slot flags ($0F to $14 in RAM), storing values at the slot corresponding to the first $00 byte found. The first occurrence results in the object flag being stored at address $15, which is an unused memory location.
However, if this happens a second time, the first slot to contain a green Koopa Troopa (a requirement as they have the ID $00) in the object slot list is overwritten by a glitched object. The enemy ID which has replaced the first green Koopa Troopa will jump to a memory address corresponding to the slot available to the first half of the long firebar or Bowser and execute its contents as instructions.
Method
The game-end glitch method used in this TAS was discovered by Threecreepio and involves loading enemy ID $84 into any object slot other than slot 0. The code that processes enemy ID $84 jumps to $0747 (TimerControl) in RAM, which can be manipulated by taking damage. Initially, it executes a BRK opcode ($00), triggering SMB2’s IRQ handler.
Since BRK is a 2-byte instruction, the program counter lands on $0749 once the handler returns, and that byte is also a BRK opcode. The values at $074A and $074B are determined by the controller inputs of Players 1 and 2, giving full control over two bytes.
Until damage is taken to manipulate TimerControl, the game must be prevented from crashing by holding B + Select on Controller 2, which places an RTS instruction ($60) at $074B. Once damage is taken, TimerControl changes to $FE, the opcode of a 3-byte instruction, so executing it moves the program counter to $074A.
At this point, the payload can be executed. The inputs from Controllers 1 and 2 result in the instruction JMP ($008D), an indirect jump to the address stored in locations $8D and $8E. Addresses $8D and $8E store the X-position of fireballs shot by Mario, which can be freely manipulated. In this case, the stored values are $81 and $AA, forming the address $AA81, which is part of the HandleAxeMetatile subroutine. This subroutine sets OperMode ($0770) to $02, signaling the game to prepare the ending sequence.
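To make the control-flow argument above concrete, here is an added Python model that walks the instruction stream from TimerControl with the values the write-up gives. It is not code from the submission, the game or the authors. It assumes the usual SMB-family joypad byte layout (A=$80, B=$40, Select=$20, Start=$10, Up=$08, Down=$04, Left=$02, Right=$01), so which buttons produce a given byte is derived from that assumption; it models the IRQ handler as simply returning to the byte after BRK's padding byte, ignores the memory write that INC abs,X performs (only its 3-byte length matters here), and stands in for HandleAxeMetatile with a single assignment to OperMode. The RAM snapshot is constructed and contains only the locations the chain touches.

```python
# Added example (not from the submission): a tiny model of the 6502
# instruction stream described in the Method section. Only the opcodes
# the chain actually executes are modelled; anything else is reported
# as "unmodelled" rather than guessed at.

# Assumed NES joypad bit layout as SMB-family games store it.
BUTTON = {"A": 0x80, "B": 0x40, "Select": 0x20, "Start": 0x10,
          "Up": 0x08, "Down": 0x04, "Left": 0x02, "Right": 0x01}

TIMER_CONTROL = 0x0747                 # $0747, jumped to by enemy ID $84
P1_INPUT, P2_INPUT = 0x074A, 0x074B    # controller bytes, per the write-up
FIREBALL_X = 0x8D                      # $8D/$8E, read by JMP ($008D)
OPER_MODE = 0x0770
HANDLE_AXE = 0xAA81                    # inside HandleAxeMetatile


def pad(*buttons):
    """Encode a set of held buttons as the byte the game stores."""
    value = 0
    for b in buttons:
        value |= BUTTON[b]
    return value


def build_memory(timer_control, p1, p2, fireball_x=(0x81, 0xAA)):
    """Constructed RAM snapshot holding only the locations the chain reads."""
    mem = bytearray(0x10000)
    mem[TIMER_CONTROL] = timer_control
    mem[0x0749] = 0x00                 # second BRK, as stated in the write-up
    mem[P1_INPUT] = p1
    mem[P2_INPUT] = p2
    mem[FIREBALL_X], mem[FIREBALL_X + 1] = fireball_x
    return mem


def run_chain(mem, start=TIMER_CONTROL, max_steps=16):
    """Walk the instruction stream from `start`; return (trace, outcome)."""
    pc = start
    trace = []
    for _ in range(max_steps):
        if pc == HANDLE_AXE:
            # Modelled effect of landing in HandleAxeMetatile: OperMode := $02
            mem[OPER_MODE] = 0x02
            trace.append((pc, "HandleAxeMetatile"))
            return trace, "ending"
        op = mem[pc]
        if op == 0x00:      # BRK: 2 bytes; IRQ handler assumed to return to pc+2
            trace.append((pc, "BRK"))
            pc += 2
        elif op == 0x60:    # RTS: returns to the caller, chain ends safely
            trace.append((pc, "RTS"))
            return trace, "rts"
        elif op == 0xFE:    # INC abs,X: 3 bytes; its memory write is not modelled
            trace.append((pc, "INC abs,X"))
            pc += 3
        elif op == 0x6C:    # JMP (ind): fetch 16-bit target via the operand pointer
            ptr = mem[pc + 1] | (mem[pc + 2] << 8)
            target = mem[ptr] | (mem[ptr + 1] << 8)
            trace.append((pc, f"JMP (${ptr:04X}) -> ${target:04X}"))
            pc = target
        else:
            trace.append((pc, f"unmodelled opcode ${op:02X}"))
            return trace, "unmodelled"
    return trace, "step limit"


if __name__ == "__main__":
    # Before damage: TimerControl is $00, controller 2 holds B + Select ($60).
    mem = build_memory(0x00, p1=0x00, p2=pad("B", "Select"))
    print(run_chain(mem))
    # After damage: TimerControl is $FE; inputs spell JMP ($008D) = 6C 8D,
    # and the fireball X-position bytes $81 $AA point into HandleAxeMetatile.
    mem = build_memory(0xFE, p1=pad("B", "Select", "Up", "Down"),
                       p2=pad("A", "Up", "Down", "Right"))
    print(run_chain(mem), hex(mem[OPER_MODE]))
```

The first run shows why B + Select on Controller 2 keeps the game alive (BRK, BRK, RTS and back to the caller); the second shows the single input change that turns the same two bytes into an indirect jump through fireball state. The JMP operand's third byte ($074C) is $00 in this snapshot, which is what the address $008D requires.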
Alternate Methods
It is theoretically possible to gain total control using a stop 'n' swap approach. A significant portion of SMB2's stack ($0160-$01E4) is not cleared by the Disk System BIOS, and SMB2 explicitly skips clearing this region when running the InitializeMemory subroutine. This method also relies on an indirect jump but uses only Controller 2 to jump to the address stored in $00 and $01, requiring camera-scroll manipulation. A smaller-scale version of this method, which does not require swapping cartridges, leverages the X-position of the FloateyNumber variables. This was discovered by Simplistic6502 and OnehundredthCoin.
Another alternative method, developed by SBDWolf and threecreepio, involves setting the coin count to 96 ($60) to create an RTS instruction and execute controller inputs as code across multiple frames. This approach requires having a life count other than 3, as this prevents the game from encountering a STP opcode and freezing when executing NumberOfLives. Threecreepio has created a demonstration video showcasing this method.
Are Other SMB1-Engine Games Vulnerable to This Exploit?
Yes. All Night Nippon Super Mario Bros. shares a nearly identical 8-4 level layout with SMB2, allowing this exploit to be used there as well. However, the enemy ID which must be loaded into memory to transfer execution to RAM is enemy ID $83. While SMB1 and Vs. SMB have the same logic error in DuplicateEnemyObj, no level layouts exist that allow a glitched enemy ID to spawn. Additionally, even if a glitched enemy could be spawned in SMB1, the game would likely crash on the cartridge release due to the BRK opcode causing an infinite loop.
feos: Hard to believe but more than 10 years ago I was the one pushing for "game end glitch" movies not obsoleting regular completion! It even happened to one of my movies!
But for all these years a certain aspect was so frequent in "game end glitch" branches (and other major skip glitch ones too) that it started feeling like a natural part of them and one of the reasons they are separate branches - enormous time difference!
Quoting adelikat
actually, I did the math, and I calculated that when Masterjun aims for fastest time, his movie is on average 3395.25% faster than another author's movie
Back in the times of tiers we aimed to have strict and clear rules for Vault, because the goal of that then-new tier was to have clear cuts, and if something doesn't clearly fit then it has to be entertaining enough for Moons. SPOILER: that goal was completely pointless, because no game was made with any kind of clear rules in mind, on the contrary - games aimed to be as varied as possible! That resulted in years of pain when we were trying to make ends meet (literally) between games and policies. The class system was introduced as a white flag on our part, and we instead decided to start focusing on authors more than on policies.
Then we started allowing more and more goals to be published without any feedback requirements, which constitutes the standard class. "Forgoes major skip glitch" was the first new standard goal after "fastest completion" and "full completion". Then a whole bunch of others.
Now more quotes:
Quoting feos
I personally think that whether major skip glitch is caused by memory corruption or breaking in-game physics, exact borderline will always need to be defined as a case-by-case consensus, depending on the game, how severe the skip is, and what the nature of the technique is. There can't be a simple clear-cut rule that resolves every known scenario nicely.
Quoting feos
The decision should resolve the community consensus, not limit it
Quoting MovieRules
The definition of a major skip varies from game to game, but is generally defined as an unintended skip of otherwise unavoidable gameplay.
Most of the time, more than half of the game is skipped, compared to the fastest movie that avoids this technique.
but that's 1) old, 2) not a rule at all, and 3) even it says "most of the time" and refers to pure statistics.
So after the discussion in this thread happened, we've also had a staff talk, and the agreement was the same: this movie shouldn't obsolete anything. To a lot of staff members, my initial claim that it would obsolete the current record didn't make sense at all, neither before explanation nor after.
In the end, the only reason for obsoletion is if we ignore everything but the time difference. But nobody wanted that, and we depend on the community when resolving edge cases.
And the reason to not obsolete was that major skip glitch is not necessarily major in time, but it can also be major in its nature and not in time.
That's a fair point. Indeed if there are continuous improvements to the "game end glitch" branch, and we now obsolete because the time difference is too small, at which point exactly will we decide that it should stop obsoleting the main movie?
Again if we ignore everything else but time, we'd have to obsolete "for now" and then when the "game end glitch" branch becomes "short enough", we'd unobsolete the regular movie and only keep "game end glitch" ones in their own obsoletion chain. The only problem is when exactly does "for now" end? There's no good answer for that, because it's all subjective anyway. The only real criterion we have is community consensus. And it'd be weird to ignore it until a certain time difference is reached, and then suddenly consider it after. Maybe at that point we wouldn't even have any audience left, because we'd be rendered irrelevant by the community at large.
Bottom line: Everyone wants this, so we just rely on community consensus and accept this movie as a separate goal, because skipping straight to the end is a big enough difference on its own regardless of time.
ACE in SMB2J is obviously a great discovery. Props to everyone involved. Yes vote for sure. :)
Recent projects: SMB warpless TAS (2018), SMB warpless walkathon (2019), SMB something never done before (2019), Extra Mario Bros. (best ending) (2020).
Joined: 4/17/2010
Posts: 11657
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
Awesome glitch, congrats!
Patashu wrote:
Is this the record for 'game end glitch closest to the intended game end'?
The closest one I've seen so far. Which is interesting, because most of the time a game end glitch skips at least half of the game, which is when we call it a major skip glitch and make it a separate branch in the standard class. But in this case it can't be considered a major skip glitch, so avoiding it can't be a separate standard branch. As a result this would simply obsolete [3348] FDS Super Mario Bros. 2 "warps, Mario" by HappyLee in 08:04.83 and share the same branch label.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
I'm strongly against that.
Normally the goal of an any% TAS would be avoiding ACE. Check out the "warps" TAS of SMB3 and Super Mario World. ACE or "game end glitch" is usually a standalone category.
The time difference is not that huge, so what? The goal of touching the final axe and saving the princess is clearly not the same as using ACE to end this game in a glitch.
I also think that this movie should not obsolete the current warps TAS due to ending on a glitch rather than ending normally, despite the time difference being minimal.
I'm seeing this run as a showcase of the glitch more than a true Any% TAS (even if it is faster).
HappyLee wrote:
Normally the goal of an any% TAS would be avoiding ACE. Check out the "warps" TAS of SMB3 and Super Mario World. ACE or "game end glitch" is usually a standalone category.
It usually is, because the time difference is huge between the fastest movie that uses a major skip glitch and the fastest one that avoids it.
HappyLee wrote:
The time difference is not that huge, so what?
Time is the key metric in the major skip glitch definition. The most straightforward way to define it is that "it's a single glitch that allows skipping the majority of the game". Of course it's not always that simple, for example sometimes such a glitch skips less than 50% of gameplay, which is when we have a community discussion and decide whether to count it as such. And if it is, then the 2 branches can co-exist in the standard class. If the decision is that it's not a major skip glitch, then there are 2 options: obsoletion, and moving the movie that avoids it to the Alternative class if it meets the requirements.
The main requirement of Alternative branches is to be different in gameplay from the standard ones and from each other. A movie that is similar to fastest completion but skips a part of the final level instead of completing it, is unlikely to be considered different enough to go to Alternative. Well I'm not saying that it's impossible, but it'd be up to the audience. At the very least we removed the entertainment requirement from that class (formerly known as Moons), so that part of feedback is not involved.
HappyLee wrote:
The goal of touching the final axe and saving the princess is clearly not the same as using ACE to end this game in a glitch.
It's indeed not the same but we have some categorization system in place that attempts to organize all the endless variants of goals into something digestible, and we use certain guidelines when deciding how to branch things. For example it can also be argued that the goal here is beating the game as fast as possible, and the current publication's goal is the same, this movie just uses a new timesave technique, so it's technically an improvement.
Best we can do is assessing the nature of that improvement to see if we can turn it into a separate branch, but that is based on visible difference in gameplay and in overall duration.
Yeah... I'm gonna have to agree with McBobX and HappyLee on this one in that it shouldn't obsolete the existing "warps" run.
Yes, it ends a little earlier (comparatively, even if it's 20 seconds), but it aims for a different method of beating the game by executing a payload or arbitrary code (I tried to put the premise of this submission in a nutshell), which I believe is an entirely different goal than touching the final axe and saving Princess Peach; that involves having to encounter the final Bowser, either by killing him or getting past him.
I understand that both runs are very similar up until World 8-4 and that this run isn't a major skip glitch (as the glitch only occurs on the very last level), but I feel like simply obsoleting the "warps" run would be unfair as it doesn't follow suit with the normal TAS-time ending scenario of touching the final axe. Not many examples from this category were all that useful to me for supporting my case; a majority of runs listed there include a major skip glitch and a final boss skip glitch (combined or separate), some games had a final boss skip glitch as its only branch, and other runs obsoleted existing ones that didn't make use of those glitches while sharing similar gameplay lengths. I doubt there's anything more I can provide to defend this case.
I feel like the TAS authors would like some clarification on the obsoletion case too. Other than that, do as you please; I can only say that we have to respect and support your decisions.
And please no flame wars :c I don't want another argument here...(That said, I voted Yes, since I enjoyed watching it yesterday.)
Yaaay, I'm an active player now! :D (as of 11/9/2024) Thanks to TASVideos for the support, they're awesome.
I'm Asumeh, semi-expert SMB1 TASer. :)
Check out some of the TASes I don't submit/upload to TASVideos on my YouTube channel, if you'd like.
In progress:
- Extra Mario Bros. (redo) (with HappyLee and w7n) - I'm currently assisting with finding improvements before the boss. On hold; we're currently struggling to confirm that we have the fastest route. Some debugging may also help with finding glitch exits, but neither of us are experts in that field.
- Record my older TASes (excluding any obsolete TASes) and upload to YouTube.
- Pretty busy at the moment...
Check out my other links here. (Mostly WIP hehe)
After reading what feos, HappyLee, McBobX and Asumeh have said, I thought I would provide some input.
95% of the "game end glitch" TAS is the same route as [3348] FDS Super Mario Bros. 2 "warps, Mario" by HappyLee in 08:04.83, so I myself would not view this submission as a major skip glitch. However, I personally would not feel comfortable with this replacing HappyLee's TAS, as the means to the end goal is different between each movie.
I believe a community decision on how to categorize this submission would be ideal, however I will respect any decision which is made regarding categorization of this submission.
it doesn't follow suit with the normal TAS-time ending scenario of touching the final axe.
I have no strong feelings one way or the other here, but I think it's best not to use "it doesn't touch the axe" as the reason that it doesn't obsolete the current TAS. Better in that case to say that ACE by itself is enough to separate, as it's significantly different from playing the game as a normal player would.
Because while *this* TAS triggers the credits scene, that's only because it's the very fastest way to end the game, we do have a full 20 seconds to create a nearby axe to touch and still save time. :) And if the end result is there being 2 active tracks that both end with different ACE inputs then that seems a bit silly.
Joined: 11/13/2006
Posts: 2842
Location: Northern California
This won't be obsoleting the published run.
TASvideos' Third Strongest Site Admin 💙 Currently unable to dedicate a lot of time to the site, taking care of family.
Now infrequently posting on Bluesky
warmCabin wrote:
You shouldn't need a degree in computer science to get into this hobby.
I think people made a joke before how SMB is so optimized that the only thing possible to improve it would be ACE, but I never thought it would actually happen. Congrats on the find! Is there any other level with this bug?
I would love to have a split branch for this, because I'm fascinated by arbitrary code glitches, and would love to have them as a separate branch for documentation purposes (instead of having the chance of getting obsolete by a non ACE bug, although I don't think that would happen for this particular game).