How Does Videogame Console Code Injection Even Work?
A couple of days ago I watched a video on reddit of a guy playing Flappy Bird and doing some random stuff inside Super Mario World (SNES); soon after, I found out he was actually injecting assembly code into the system’s memory. He was using nothing but the console itself, the game cartridge, and several controllers. I immediately wondered: how does this even work? I knew none of my CS courses could explain what he was doing, but I was ready to find out...
One important thing to clarify is that this was done on an actual, unmodified Super Nintendo console with the real game cartridge, which is quite different from such mods done on emulators or with computer-assisted coding.
After doing some research, I found that this exploit is possible because of a few glitches in the game. When these glitches are combined under very specific conditions (such as the level being played, or Mario’s position on the screen), they allow values in the system’s memory to be modified, and thus a new program to be entered into the game.
So, let’s talk about glitches. The first is the Null Sprite Glitch, which occurs when the game thinks Yoshi has something in his mouth but there is actually nothing in it (according to the memory values that keep track of this). The second is the Brown Platform Glitch, which occurs when Mario is on one of the swinging brown platforms (the ones found in levels with high hills).
The combination of these two glitches allows values on the program’s stack to be changed; the stack is basically a table where the return values for the game’s subroutines are stored. So how can you input custom values into the system’s memory with a 12-button videogame controller? By using Mario’s and Yoshi’s positions along the X coordinate of the screen.
The PowerUp Incrementation Glitch consists of incrementing the value that represents Mario’s current state, where 0 = small Mario, 1 = big Mario, 2 = cape Mario, 3 = Fire Power. When this value is incremented to a number greater than 3, the game behaves oddly, and that odd behavior is the glitch itself. It allows code to run from places other than the game cartridge; specifically, you can store new code in a memory section known as the Sprite Coordinates Table.
The first thing to write into memory is the BootLoader. This is itself a piece of code that copies Mario’s X coordinate into contiguous locations of an unused part of memory, so with the BootLoader you have basically built an input interface, making it possible to write a new program into the system.
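To make the two ideas above concrete, here is an added toy model (my own, not SethBling’s code and not the game’s real memory map): a 4-entry power-up dispatch table that is read without a bounds check, sitting in front of a region the player fills one byte per frame from Mario’s X coordinate. The layout constants, handler addresses and sample inputs are all hypothetical; the point is that an unchecked index above 3 turns player-controlled bytes into a jump target, and a one-line clamp removes that.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, not SMW's real memory map: a 4-entry table of 16-bit
 * little-endian handler addresses (0 small, 1 big, 2 cape, 3 fire) directly
 * followed by a region whose bytes the player fills via Mario's X coordinate. */
enum { RAM_SIZE = 0x400, TABLE_BASE = 0x100, PLAYER_REGION = 0x108 };
static const uint16_t HANDLERS[4] = { 0x8000, 0x8010, 0x8020, 0x8030 };

typedef struct { uint8_t ram[RAM_SIZE]; } machine;
static void machine_init(machine *m) {
    memset(m->ram, 0, sizeof m->ram);
    for (size_t i = 0; i < 4; i++) {            /* lay the table out in RAM */
        m->ram[TABLE_BASE + 2 * i]     = (uint8_t)(HANDLERS[i] & 0xFF);
        m->ram[TABLE_BASE + 2 * i + 1] = (uint8_t)(HANDLERS[i] >> 8);
    }
}

/* The "bootloader" step: each frame's X coordinate is copied to the next
 * byte of the player region, so a sequence of positions becomes bytes. */
static void write_x_coords(machine *m, const uint8_t *xs, size_t n) {
    for (size_t i = 0; i < n && PLAYER_REGION + i < RAM_SIZE; i++)
        m->ram[PLAYER_REGION + i] = xs[i];
}

/* Unchecked dispatch: any power-up value above 3 reads its "handler" from
 * the bytes after the table, i.e. from the player-controlled region. */
static uint16_t dispatch_unchecked(const machine *m, uint8_t powerup) {
    uint16_t addr = (uint16_t)(TABLE_BASE + 2u * powerup);   /* at most 0x2FF */
    return (uint16_t)(m->ram[addr] | (m->ram[addr + 1] << 8));
}

/* Hardened dispatch: an out-of-range state is clamped to small Mario. */
static uint16_t dispatch_checked(const machine *m, uint8_t powerup) {
    return dispatch_unchecked(m, powerup <= 3 ? powerup : 0);
}

/* Build the model, feed two constructed X coordinates, dispatch on `powerup`. */
static uint16_t demo(uint8_t powerup, int checked) {
    const uint8_t xs[] = { 0x34, 0x12 };        /* constructed sample inputs */
    machine m; machine_init(&m);
    write_x_coords(&m, xs, sizeof xs);
    return checked ? dispatch_checked(&m, powerup) : dispatch_unchecked(&m, powerup);
}

int main(void) {                                /* stand-alone check */
    assert(demo(4, 0) == 0x1234 && demo(4, 1) == 0x8000);
    return 0;
}
```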
331 bytes of assembly code were written into the system’s RAM. And what were they? A stripped-down version of the source code for Flappy Bird. Amazing.
You can see the original exploit video, performed and explained by Seth Bling, here. See also the original reddit thread.