Скачать с ютуб Super Mario Bros.: [TAS] "Arbitrary Code Execution" in в хорошем качестве

Super Mario Bros.: [TAS] "Arbitrary Code Execution" in

Use the , and . keys to frame advance for the start of the video, as the commentary moves fairly fast. This is a tool assisted speedrun featuring a cartridge swap. The cartridge swap was performed on a modified version of Bizhawk 2.9, and was console verified by Alyosha. Furthermore, beyond requiring a modified version of the emulator to feature cartridge swapping, the development of this run had an another interesting roadblock. As it turns out, the most recent version of Bizhawk as of this video (version 2.9) has inaccurate open bus emulation during "write instructions". This lead to incorrect instructions executing after the "SRE ($53), Y", since SRE is a write instruction. Console verification of this TAS required me to discover the issue, and send Alyosha a TAS that didn't work in the emulator, but would work on console. Once the issue was discovered, I modified Bizhawk once more to fix the issue, and the issue has been fixed as of version 2.9.1. Cartridge swapping will likely take a while before that becomes an official feature. On the topic of console verification, you should know this will not work on an everdrive. Since everdrives support almost every memory mapper chip, they need to fake open bus behavior (and some won't even bother at all, leaving all bytes mapped there as 00's) This faked open bus behavior is inaccurate, and will not work for the purposes of this TAS. During the SMB3 gameplay at the start of this video, the commentary moves pretty fast, so allow me to recap what's going on. In world 'N' of SMB1, killing Bowser with fire jumps to open bus. This happens to be manipulable, and I can form an RTI instruction, jumping execution to address $0181. That particular region of memory isn't cleared when the game boots, so I'm able to write a payload there in another game and swap to SMB1, where the payload will remain, ready to be executed in world 'N'. SMB3 has the fastest known method of ACE through subframe inputs, and is fairly manageable. Writing a series of bytes at address $0181 is a bit tricky, though there are a few possible solutions. I could use a "Store absolute" instruction, or directly push the byte I want to the stack at the right place. I only have full control over the X register, so pushing to the stack is not ideal, and I can't write absolute store instructions as they would require conflicting dpad inputs, which SMB3 masks away. (SMB1 on the other hand, does not, and L+R is used to accelerate faster at the start of levels) Instead, I wrote a payload on the zero page through a series of "Store zero page" instructions that would give me the ability to write a "Store indirect" instruction using a custom pointer. This lets me write anything I want anywhere I want, and I use it to write the payload at address $0181. Once the second payload is fully written, it sets up the bytes for SMB1 that allow the game to start in world 'N', and Mizumaririn and SeraphmIII take it from there. A huge thanks to Mizumaririn and SeraphmIII for help optimizing the SMB1 gameplay and making it entertaining. Also a huge thanks to Alyosha and Bigbass for their help with console verification. Mizumaririn:    / @mizumaririn   SeraphmIII :    / @seraphmiii   Alyosha:    / @alyoshatas601   Bigbass:    / @bigbass1997