Saturday, August 22, 2020

Arbitrary code execution in games


Investigative gamers tend to search for glitches and exploits.
Sometimes for fun, sometimes for speedrunning, but sometimes they want to break a game.
Some games can be broken with arbitrary code execution.

What is arbitrary code execution (ACE)?

This is when you trick the game into reading from RAM instead of ROM.
You do some glitch to make the game read from RAM.
Then you input the code instructions (the method varies from game to game).
This tells the game which RAM address to access and with what values.
Typical result: a warp to the credits, or any other crazy thing.

Here are some examples.

tl;dr = a short summary of the technical info
Technical = technical info on the how and why of the glitch and the arbitrary code execution

#########################################

Super Mario World


tl;dr:
Touching a coin with both Yoshi's tongue and Mario creates a nonexistent chunk. The game can't handle it and thus uses whatever info it has to free the game.

Technical:
When Mario collects a powerup, a routine is loaded that changes his sprite and properties.
Yoshi can eat powerups.
Touching a coin with both Yoshi's tongue and Mario confuses the game.
What is created is a nonexistent chunk. The game thinks this chunk is a powerup.
Because this nonexistent powerup can't change Mario, the routine jumps to Open Bus.
Open Bus means that no device answers the request from the console.
This means that the console will execute the last value placed on the data bus.
All the manipulation you do before the coin collecting gives you this value.
With this value you can warp to the end credits.
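To make the Open Bus idea concrete, here is a small C model added for this post (it is not code from the post or from the game): a toy console bus with a constructed memory map (RAM at 0x0000-0x1FFF, ROM at 0x8000-0xFFFF, nothing mapped in between). A read that no device answers returns the last value the bus carried, so once control lands in the unmapped range, every byte the CPU fetches is that leftover value. The 0x4C opcode byte, the 0x0010 setup location and the 0x4000 landing address are all made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed memory map for the toy console (not the SNES's real map):
 * RAM at 0x0000-0x1FFF, ROM at 0x8000-0xFFFF, nothing mapped in between. */
#define RAM_SIZE 0x2000
#define ROM_BASE 0x8000
#define ROM_SIZE 0x8000

typedef struct {
    uint8_t ram[RAM_SIZE];
    uint8_t rom[ROM_SIZE];
    uint8_t last_bus_value;   /* the value most recently driven on the data bus */
    int open_bus_reads;       /* counts reads that no device answered */
} Bus;

static void bus_init(Bus *b) {
    memset(b, 0, sizeof *b);
    b->rom[0x0000] = 0x4C;    /* constructed: some real opcode byte at the start of ROM */
}

/* A read no device answers returns whatever the bus "remembers":
 * the last value that was driven on it. That is open bus. */
static uint8_t bus_read(Bus *b, uint16_t addr) {
    uint8_t v;
    if (addr < RAM_SIZE) {
        v = b->ram[addr];
    } else if (addr >= ROM_BASE) {
        v = b->rom[addr - ROM_BASE];
    } else {
        b->open_bus_reads++;
        return b->last_bus_value;
    }
    b->last_bus_value = v;
    return v;
}

/* Fetch n "opcode" bytes starting at pc. Returns how many came from open bus. */
static int fetch_bytes(Bus *b, uint16_t pc, uint8_t *out, size_t n) {
    int before = b->open_bus_reads;
    for (size_t i = 0; i < n; i++) {
        out[i] = bus_read(b, (uint16_t)(pc + i));
    }
    return b->open_bus_reads - before;
}

/* The situation the post describes: the glitch setup leaves `leftover` as the
 * last value touched, then control lands in unmapped space (0x4000 here).
 * Returns n when every fetched byte equals `leftover`, -1 otherwise. */
static int open_bus_scenario(uint8_t leftover, size_t n) {
    Bus b;
    uint8_t buf[16];
    if (n > sizeof buf) n = sizeof buf;
    bus_init(&b);
    b.ram[0x0010] = leftover;          /* constructed: value left by the pre-glitch setup */
    (void)bus_read(&b, 0x0010);        /* last legitimate access before the bad jump */
    int hits = fetch_bytes(&b, 0x4000, buf, n);
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != leftover) return -1;
    }
    return hits;
}

/* Control case: a fetch from mapped ROM never touches open bus. Returns 0 on success. */
static int rom_scenario(void) {
    Bus b;
    uint8_t buf[4];
    bus_init(&b);
    int hits = fetch_bytes(&b, ROM_BASE, buf, sizeof buf);
    return (hits == 0 && buf[0] == 0x4C) ? 0 : -1;
}
```

That is why the manipulation before the coin matters: whatever the last real access put on the bus is what the CPU ends up executing. On real hardware the value also depends on DMA and on how long the bus holds a value, which this toy ignores.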


Programming some games into SMW


Technical detailing of more code injection.


#########################################

Super Mario World 2: Yoshi's Island


tl;dr:
Glitching Yoshi's tongue causes it to overwrite game memory, eventually getting to the control registers.

Technical:
When Yoshi eats something, he has that object in his mouth.
Activating a checkpoint ring with something in Yoshi's mouth turns it into a star.
The game fixes this by making Yoshi stick out his tongue.
When Yoshi sticks out his tongue and gets hit, the values (state and position) are reset.
However when Yoshi has something in his mouth and is hit, the tongue's position isn't reset.
If you get hit before Yoshi's tongue returns to him, it misses him.
His tongue will be growing larger in memory, wiping out the onscreen sprites.
Eventually the tongue corrupts the control registers.
With control of the control registers, one can input the instructions via controller.
Voilà, end credits.


#########################################

Super Mario Bros. 3


tl;dr:
Entering a pipe from the wrong direction in level 7-1 makes the game start executing instructions
from RAM.

Technical:
The RAM instruction needed is JSR $8FE1.
This can be accomplished with the X coordinates of enemies.
The Koopas must be placed in the right spots at the right time and in the right order.
This ensures that they are in the correct X-axis positions, ergo the correct code.
Then jump into the pipe from the wrong direction with a wall jump.
This loads Mario into an area with garbage tiles.
Stand in the right spot and let the Koopa wake up in your hands.
Drop it offscreen and the code will be executed.
Seriously, watch the video below for the real technical details.


Color a Yoshi, and Super Duper Mario


#########################################

Super Mario Land 2: 6 Golden Coins


tl;dr:
Using a pause glitch, one can run arbitrary code from a chosen area of RAM.

Technical:
The process of drawing the graphics on every frame is called the VBlank interrupt.
The arbitrary code execution occurs when the VBlank interrupts a previous VBlank.
This can be done by lagging the screen with objects.
Once the screen is lagging, the game must be rapidly paused.
This causes the game to switch banks during VBlank.
If the execution up to this point has gone right, the wrong code will be read.
This code will then be executed.
Mario's X position and coins collected are the code instructions.
With the correct input you will be warped to the credits.


#########################################

Mega Man


tl;dr:
By glitching the game into loading from the wrong ROM bank, the game can be tricked into reading instructions to jump to the credits.

Technical:
At certain parts in maps, an invisible object numbered 0xFF may appear.
This object maps the graphics to draw them for scrolling.
By killing enemies and pausing you create slowdown.
This is an NMI (non-maskable interrupt).
This NMI will make the game load from a different bank (bank 6 instead of bank 2).
Now the game will start loading from enemy number data.
Doing this will make 0xFF appear.
Overlaying music and lag frames will generate objects that don't exist in the game.
The objects waiting to be spawned are from the DelayObject list.
By manipulating Mega Man's y coordinate and shots, a specific object AI # is spawned.
This creates a jump destination address.
An AI number of 55 executes $600 as the address.
This jumps you to the end credits.


You can do something similar in Guts Man's stage with the magnet beam.
By shooting your blaster and magnet beam in specific spots, you write the game's memory.
This method uses the DoubleObjectFF glitch instead of the DelayObject glitch.
It's slower but seems to be possible by human hands (not TAS only).


#########################################

Final Fantasy


tl;dr:
Walking up and down stairs enough times causes a stack overflow. Then talking to an NPC triggers
the final boss fight.

Technical:
Continuously going up and down stairs adds registers to a stack.
This stack tracks where you have gone.
Get to around 63 and then you can overflow the stack without crashing the game.
Opening the menu causes the stack overflow.
This causes the game to read from the character's names as memory.
Due to stack overflow, this makes your character's levels absurdly high.
Then you talk to a nearby NPC to jump the game to the final boss, Chaos.
Since you are such a high level, running away is possible and counts as winning.


#########################################

Final Fantasy II


tl;dr:
By repeatedly entering and leaving a room 45 times and then entering a battle, a stack overflow occurs. Attacking an enemy triggers a jump command to the credits.

Technical:
Entering a room adds 5 bytes to the stack; however, this is limited to 45 occurrences.
This only occurs in certain places, such as dungeons with multiple entrances.
Entering a battle after those 45 occurrences causes a stack overflow.
This stack overflow causes JMP data to be executed.
With the correct setup you can have the JMP value send you to the credits.
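Both the Final Fantasy entry above (going up and down stairs) and this one (entering rooms) come down to an 8-bit stack pointer that wraps silently. The following C model was added for this post and is not code from either game: a 256-byte stack page as on the NES's 6502, a push of a few bytes per "event", and a check of what an RTS would pull back once the page has wrapped. The 0x1234 return address and the 0xAA filler are constructed, and the thresholds it computes (52 events at 5 bytes per event, 64 at 4) assume an otherwise empty stack, which is why they differ from the 63 and 45 the post cites for the real games, where other data already sits on the stack.

```c
#include <stdint.h>
#include <string.h>

/* One 256-byte hardware stack page with an 8-bit stack pointer, as on the
 * NES's 6502. The pointer wraps silently: there is no overflow check. */
typedef struct {
    uint8_t page[256];
    uint8_t sp;      /* index of the next free byte; 0xFF when empty */
    int rollovers;   /* how many times sp has wrapped from 0x00 to 0xFF */
} StackPage;

static void stack_init(StackPage *s) {
    memset(s, 0, sizeof *s);
    s->sp = 0xFF;
}

static void push(StackPage *s, uint8_t v) {
    s->page[s->sp] = v;
    if (s->sp == 0x00) s->rollovers++;
    s->sp--;                       /* uint8_t: 0x00 - 1 == 0xFF */
}

static uint8_t pull(StackPage *s) {
    s->sp++;
    return s->page[s->sp];
}

/* An "event" (a staircase in FF1, a room in FF2) is modelled as pushing
 * bytes_per_event bytes that are never pulled. Returns how many events it
 * takes before the stack pointer rolls over, or -1 on bad input. */
static int events_until_rollover(int bytes_per_event) {
    StackPage s;
    stack_init(&s);
    if (bytes_per_event <= 0) return -1;
    for (int n = 1; n <= 1024; n++) {
        for (int i = 0; i < bytes_per_event; i++) push(&s, 0xAA);
        if (s.rollovers > 0) return n;
    }
    return -1;
}

/* What happens to the caller's return address. A JSR-style return address
 * (0x1234, high byte pushed first as on the 6502) is pushed, then `events`
 * events of filler, then the filler is pulled back and the return address
 * is pulled the way RTS does. If the filler wrapped around the page it has
 * overwritten the return address, so a different address comes back. */
static uint16_t return_address_after(int events, int bytes_per_event) {
    StackPage s;
    stack_init(&s);
    push(&s, 0x12);                      /* return address high byte */
    push(&s, 0x34);                      /* return address low byte */
    int filler = events * bytes_per_event;
    for (int i = 0; i < filler; i++) push(&s, 0xAA);
    for (int i = 0; i < filler; i++) (void)pull(&s);
    uint8_t lo = pull(&s);               /* RTS pulls the low byte first */
    uint8_t hi = pull(&s);
    return (uint16_t)((hi << 8) | lo);
}
```

The partial case is worth noticing: at 51 five-byte events only the high byte of the return address has been overwritten (0xAA34 comes back instead of 0x1234), which is the kind of half-corrupted return that either crashes or lands somewhere usable, depending on what sits at that address.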


#########################################

Legend of Zelda (FDS)


tl;dr:
Filling up all the sprite slots and then trying to spawn a new sprite causes the value to
underflow and read the file names as code.

Technical:
On the Famicom Disk System version of the game, the game glitches when the sprite slots are full.
When the stack is full and you try to spawn another sprite, the value underflows.
It jumps to the music data, but soon settles on the code for the file names.
It will read the file names as code.
Naming the files in a specific way will make the game jump to the credits.
For one, the first file is named ZELDA for the 2nd quest.
Get the warp whistle and go to the graveyard.
Make sure you haven't died twice or are at low health.
The graveyard is a good spot to execute the glitch due to many sprites present.
Executing the glitch at a certain point in the music results in it landing on safe code.
From there the game pulls data from the file names and executes those values.
The game code puts Link in a hybrid of the first and second quests.
The game doesn't know where to put Link, so the values put him in Zelda's room.
The technical video below details what the code specifically does.


#########################################

Pokémon Yellow


tl;dr:
Resetting the GameBoy at the right frame when saving the game corrupts the item menu. Tossing items and switching out Pokemon writes code, allowing one to take total control over the GameBoy.

Technical:
Resetting the GameBoy on the correct frame as you are saving the game corrupts the game.
The game will think you have 255 Pokemon.
This overflows the Pokemon menu, overflowing into the item menu, corrupting it.
The item menu has 20 slots. This corruption allows you to manipulate data past them.
The memory beyond the 20 slots is the map warp data.
Ergo, manipulating the items via the item menu changes the map warp data.
Tossing glitch items at certain values changes those values in RAM.
With this you can change the first door to lead straight to the end of the game.
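The item-menu corruption is a plain out-of-bounds write: the count byte is the only thing limiting which slot the menu touches, and once it reads 255 the slot index walks straight past the 20 real slots into the warp table. The C model below was added for this post (it is not the game's code) and uses a constructed layout: a count byte, 20 two-byte slots (item id, quantity), a terminator and six warp bytes right after it. It shows the unchecked menu beside a hardened one that clamps the count to the buffer size; the item ids, quantities and warp values are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout, not the real game's memory map: an item list with a
 * count byte, 20 two-byte slots (id, quantity), a 0xFF terminator, and the
 * map warp table immediately after it. */
#define ITEM_COUNT_OFF 0
#define ITEM_SLOTS_OFF 1
#define ITEM_SLOTS     20
#define SLOT_BYTES     2
#define LIST_END_OFF   (ITEM_SLOTS_OFF + ITEM_SLOTS * SLOT_BYTES)
#define WARP_OFF       (LIST_END_OFF + 1)
#define WARP_BYTES     6
#define RAM_BYTES      (WARP_OFF + WARP_BYTES)

typedef struct { uint8_t b[RAM_BYTES]; } Ram;

static const uint8_t WARP_ORIGINAL[WARP_BYTES] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};

static void ram_init(Ram *r) {
    memset(r, 0, sizeof *r);
    r->b[ITEM_COUNT_OFF] = 3;                                   /* three real items */
    for (int i = 0; i < 3; i++) {
        r->b[ITEM_SLOTS_OFF + i * SLOT_BYTES]     = (uint8_t)(0x10 + i); /* item id */
        r->b[ITEM_SLOTS_OFF + i * SLOT_BYTES + 1] = 5;                   /* quantity */
    }
    r->b[LIST_END_OFF] = 0xFF;
    memcpy(&r->b[WARP_OFF], WARP_ORIGINAL, WARP_BYTES);
}

/* Offset of the quantity byte for `slot`: the only arithmetic the menu does. */
static size_t qty_offset(uint8_t slot) {
    return ITEM_SLOTS_OFF + (size_t)slot * SLOT_BYTES + 1;
}

/* The menu as the post describes it: the only limit on which slot can be
 * tossed is the count byte, and the glitch sets that byte to 255. */
static int toss_unchecked(Ram *r, uint8_t slot, uint8_t new_qty) {
    if (slot >= r->b[ITEM_COUNT_OFF]) return 0;
    size_t off = qty_offset(slot);
    if (off >= RAM_BYTES) return 0;   /* keeps the toy in bounds; the real game has no such guard */
    r->b[off] = new_qty;
    return 1;
}

/* Hardened menu: the count is clamped to the buffer, so a corrupted count
 * can never steer the write past the 20 slots. */
static int toss_checked(Ram *r, uint8_t slot, uint8_t new_qty) {
    uint8_t count = r->b[ITEM_COUNT_OFF];
    if (count > ITEM_SLOTS) count = ITEM_SLOTS;
    if (slot >= count) return 0;
    r->b[qty_offset(slot)] = new_qty;
    return 1;
}

/* Which warp byte a toss on `slot` would land on, or -1 if the write stays
 * inside the item list (or falls off the end of the toy RAM). */
static int warp_byte_for_slot(uint8_t slot) {
    size_t off = qty_offset(slot);
    if (off < WARP_OFF || off >= RAM_BYTES) return -1;
    return (int)(off - WARP_OFF);
}

/* Run the corrupted-count scenario; returns 1 if the warp table changed. */
static int warp_changed_after_toss(int hardened, uint8_t slot) {
    Ram r;
    ram_init(&r);
    r.b[ITEM_COUNT_OFF] = 255;           /* the save-corruption glitch from the post */
    if (hardened) toss_checked(&r, slot, 0x99);
    else          toss_unchecked(&r, slot, 0x99);
    return memcmp(&r.b[WARP_OFF], WARP_ORIGINAL, WARP_BYTES) != 0;
}
```

warp_byte_for_slot shows the arithmetic: with two bytes per slot, "slot 20" has its quantity byte sitting exactly on the first warp byte, and each further slot reaches two bytes deeper into the table. Clamping the count to the buffer is the fix: a corrupted count can then no longer widen the range of slots the menu is willing to write.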


#########################################

Pokémon Gold/Silver


tl;dr:
Coin Case + Machop's cry = RAM jumps. With the right Pokemon setup, it can jump anywhere one chooses.

Technical:
The text for the Coin Case ends in the incorrect text byte.
This causes the RAM to jump into memory reserved for Pokemon cries.
Playing a cry immediately after opening the Coin Case corrupts the memory.
Machop's cry contains an instruction that makes the RAM jump to overworld data.
The game reads your Pokemon data, such as species, item and first move, as values.
With the correct setup, the game will execute whatever, such as jumping to the credits.


#########################################

Pokémon Stadium


tl;dr:
Importing a glitched save file overflows the trade system.

Technical:
Achieving arbitrary code execution on the save file for the GameBoy Pokemon game is a start.
The save file needs to be arbitrarily instructed to have more than 20 pokemon in a box.
This will cause the buffer to overflow.
If the second GB Pokemon save file has 23 pokemon in box 21, the code pointer will be overwritten.
With other variables, the code pointer can point to specific places within the GB save data.
As you can see in the video below, you can warp to the final boss and have its attack hurt itself, resulting in a very quick game completion.


#########################################

Kirby Super Star


tl;dr:
Climbing up and down a ladder on the same frame makes the game jump into SRAM.

Technical:
When one climbs up and down a ladder on the same frame, the game freaks out.
The game indexes a wrong location and jumps the code to SRAM.
Once the SRAM fills up, the CPU gains control of the control registers.
Now you can input the instructions via the controller.
Changing the gamemode to cutscene and that cutscene to the credits, the game is won.


#########################################

Castlevania: Symphony of the Night


tl;dr:
By corrupting your save file, you can exploit the item menu with glitched items to execute code that jumps straight to the end credits.

Technical:
Obtain the Faerie Card and begin saving the game.
Talk to the fairy as you are saving.
Since both the save point and the fairy open the menu, the save file will get corrupted.
Exit back to the main menu and load the save.
Head to the Long Library.
Summon the fairy prior to going in the room with the Master Librarian.
Opening the shop menu and the faerie card talk at the same time will create glitch items.
These glitch items allow for manipulation of values beyond the inventory.
Rewriting a music pointer will allow one to delve deeper into the code.
The sort order of the inventory items instructs the game with code.
Total control over the game. Easy warp to the end credits.


#########################################

Super Metroid


tl;dr:
Glitching out of bounds and holding button presses during pause screens, and then touching a specific block will glitch the game into reading from control registers.

Technical:
Moonwalk Doorskip is when you pause and unpause, moving a half pixel each unpause.
This allows Samus to pass through a door without triggering the next room.
During the pauses, buttons are pressed. These set up the Jump command value instructions.
Then you pass through the floor and hit the 0F 44 block at a good speed.
This will make the game read from the buttons held on the previous frame.
With the right buttons held, the game will execute from the control registers.
Then the instructions are written to make the game jump to the credits.


#########################################

The Legend of Zelda: A Link to the Past


tl;dr:
Getting stuck in a wall makes the game load room data from somewhere else, which we can determine.

Technical:
The fortune teller's house is a one-door room.
Getting stuck in the southern wall makes it load room data from garbage memory values.
One of the corrupted values makes the game jump to Open Bus and a jump command in the code.
This is nearby the control input values.
Now the code is written by hitting buttons on the four SNES controllers.
The game will execute these inputs as code.
Result: jumping us to the end credits.


#########################################

Trials of Mana


tl;dr:
Interrupting the level-up window allows you to launch a routine that takes in controller input to launch a new script: the end credits.

Technical:
Leveling up and then going back and forth between rooms delays the level-up routine.
Doing this back-and-forth screen transition moves values around in the data bank stacks.
Doing 82 screen transfers will point the script pointer towards some opcodes.
Having the correct camera angle and memory counter values will point us towards the control registers.
After a few controller inputs, the script to play the end credits is executed.


#########################################

Final Fantasy V


tl;dr:
Loading a saved game after a battle does not flush the memory, which can lead to jumps in the game code.

Technical:
Using different save slots, you move to different X and Y coordinates on the world map.
These will be the code to be executed for the code jump.
Small inputs made with the four SNES controller ports are added before the menu is brought up.
This shifts the bits, as they aren't flushed out of memory, enabling the code jump.
With all code written, you get off your chocobo to enable encounters.
Encounter an enemy and run away.
Then examine a helmet in your inventory to execute the code jump.
This will take you partway into the end credits.


#########################################

Secret of Evermore


tl;dr:
By flooding the screen with projectiles, the memory is overflowed, corrupting some values that can be exploited to input controls.

Technical:
There are eight Alchemy slots but no restrictions on projectiles onscreen.
Firing a 9th projectile corrupts the first alchemy memory, making the data wrap around the data bank.
This lands at the default bank, with access to the WRAM.
The address the 9th projectile jumps to is pretty random but can be manipulated by onscreen entities.
This allows us to point the jump at the end credits address.


#########################################

The Legend of Zelda: Twilight Princess


tl;dr:
Using a custom save file with an overly long name for Epona causes a stack overflow, allowing the Wii to be accessed at the root level. Custom firmware, baby~

Technical:
When Epona's name is overly long, the Wii crashes when it tries to load the name.
With the crash, the Wii will run a loader program from the front SD card slot.
This is because the Wii fills in the blank region, as told by the save file.
Any file with the filename 'boot.elf' will run.
This allows custom firmware to run.
This cannot be done on System Menu 4.0 and up.

Okay fine, this example doesn't really belong on the list due to being a hack.
Still, it enables custom firmware on your Wii. That's pretty cool.
With the hacked save file you can warp straight to the credits, though it doesn't count.
Notice: do not attempt to do this without proper research and precautions.


#########################################

Pokemon: Trading Card Game 


tl;dr:
By moving the cursor out of bounds and hitting down + A on the exact frame it's out of bounds, the game switches memory banks. Set up some values, do the glitch, and instant credits warp.

Technical:
During a duel, move the cursor into the bottom left corner until it's out of bounds and hit A.
If timed correctly the match will end. This is because the game executes unintended data.
In this case, the game executes the first instruction it can do, which is the win duel function.
With the right set up, we can change memory banks and execute different functions.
During a duel your pokemon can be affected by moves like Whirlwind.
Doing the glitch after the move hits us will cause the game to switch from memory bank 20 to 06.
The resulting memory address is $C300, which is close to $C400, which is the contents of our deck.
Changing our deck affects the input values for the arbitrary code execution.
Now we fight Joseph and hope he uses Pidgey and uses Whirlwind on his first turn.
This is better achieved by resetting the game to restart the RNG counter to manipulate his moves.
Once Joseph's Pidgey uses Whirlwind, do the down + A glitch, and you'll be warped to the credits.
The above tutorial is for real-time attempts. The TAS below uses Tech Aaron's Rhyhorn. 

Half the time the down + A glitch can result in an infinite party glitch, a loop requiring a reset.
This is caused by interrupts in the memory bank addresses that can result in illogical returns.
There is around a 50/50 split of legitimate and illegitimate addresses.
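The bank switch in this entry (bank 20 to 06, landing near $C300) and the one in the Mega Man entry (bank 6 instead of bank 2) share one mechanism: the CPU address in a pointer stays the same, but the bytes behind it change with the selected bank. The C model below was added for this post and is not code from either game. It is a constructed Game Boy style cartridge with a fixed bank 0, a switchable 16 KiB window at 0x4000-0x7FFF and work RAM at 0xC000-0xDFFF. Bank 0x20 holds a RET (0xC9) at window offset 0x0100; bank 0x06 holds data at the same offset that, read as SM83 instructions, is JP 0xC300, a jump into work RAM. All bank contents and offsets are made up for the example.

```c
#include <stdint.h>
#include <string.h>

/* Toy Game Boy style cartridge (constructed; not the real mapper of either
 * game): bank 0 fixed at 0x0000-0x3FFF, one switchable 16 KiB bank visible
 * at 0x4000-0x7FFF, work RAM at 0xC000-0xDFFF. */
#define BANK_SIZE   0x4000
#define NUM_BANKS   0x40
#define WINDOW_BASE 0x4000
#define WRAM_BASE   0xC000
#define WRAM_SIZE   0x2000

typedef struct {
    uint8_t rom[NUM_BANKS][BANK_SIZE];
    uint8_t wram[WRAM_SIZE];
    uint8_t bank;          /* currently selected switchable bank */
} Machine;

static Machine g_m;        /* static: 1 MiB of ROM is too big for the stack */

static void machine_init(void) {
    memset(&g_m, 0, sizeof g_m);
    /* Bank 0x20: the routine the pointer was meant for, just a RET (0xC9). */
    g_m.rom[0x20][0x0100] = 0xC9;
    /* Bank 0x06: unrelated data at the same offset. Read as SM83 code these
     * three bytes are JP 0xC300 (0xC3, low byte, high byte): a jump into WRAM. */
    g_m.rom[0x06][0x0100] = 0xC3;
    g_m.rom[0x06][0x0101] = 0x00;
    g_m.rom[0x06][0x0102] = 0xC3;
    g_m.bank = 0x20;
}

static uint8_t mem_read(uint16_t addr) {
    if (addr < WINDOW_BASE) return g_m.rom[0][addr];
    if (addr < WINDOW_BASE + BANK_SIZE) return g_m.rom[g_m.bank][addr - WINDOW_BASE];
    if (addr >= WRAM_BASE && addr < WRAM_BASE + WRAM_SIZE) return g_m.wram[addr - WRAM_BASE];
    return 0xFF;           /* nothing else mapped in the toy */
}

static void select_bank(uint8_t bank) {
    g_m.bank = bank % NUM_BANKS;
}

/* Byte seen at `addr` once `bank` is selected: same pointer, different contents. */
static uint8_t byte_after_switch(uint8_t bank, uint16_t addr) {
    machine_init();
    select_bank(bank);
    return mem_read(addr);
}

/* Decode the instruction at `addr` under `bank` as the CPU would: returns the
 * 16-bit target if it is an absolute JP (0xC3 lo hi), -1 for anything else. */
static int jump_target_after_switch(uint8_t bank, uint16_t addr) {
    machine_init();
    select_bank(bank);
    if (mem_read(addr) != 0xC3) return -1;
    uint8_t lo = mem_read((uint16_t)(addr + 1));
    uint8_t hi = mem_read((uint16_t)(addr + 2));
    return (hi << 8) | lo;
}

/* True when a decoded jump target lies in work RAM, i.e. in player-controlled data. */
static int lands_in_wram(int target) {
    return target >= WRAM_BASE && target < WRAM_BASE + WRAM_SIZE;
}
```

The decode step is the point: nothing in the bank register knows whether the bytes under the window are code or data, so a pointer that is valid in one bank dereferences into whatever happens to sit at that offset in another. Keeping such tables in the fixed bank, or verifying the bank register before following a pointer into the window, are the usual defences.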


#########################################

Pokemon Card GB2 - GR Dan Sanjou!


tl;dr:
Changing the name of our deck creates the input data for the instructions to jump to the end credits.

Technical:
This ACE works rather the same as the first game (see above entry).
The main difference is that editing the deck contents no longer works, but the deck name does work.
The down + A glitch is moving the cursor in a corner and hitting A on the frame it is out of bounds.
This makes the game read data outside the intended range, sometimes even switching banks.
Doing the down + A glitch in a specific menu points the data at our deck name.
Our deck's name is the payload, so specific characters are used for code input.
The resulting data is the end credits memory address plus the byte to jump to said address.


#########################################

TO DO: 
* Golden Sun
* more games

#########################################

NOTE: I am sure that I may have explained something incorrectly somewhere.
Please comment any corrections below. Thank you.
