SoylentNews is people

posted by hubie on Tuesday May 14, @01:38PM
from the games-with-easter-eggs dept.

New method could help high-score chasers trying to avoid game-ending crashes:

Earlier this year, we shared the story of how a classic NES Tetris player hit the game's "kill screen" for the first time, activating a crash after an incredible 40-minute, 1,511-line performance. Now, some players are using that kill screen—and some complicated memory manipulation it enables—to code new behaviors into versions of Tetris running on unmodified hardware and cartridges.

[...] But a recent video from Displaced Gamers takes the idea from private theory to public execution, going into painstaking detail on how to get NES Tetris to start reading the game's high score tables as machine code instructions.

Taking over a copy of NES Tetris is possible mostly due to the specific way the game crashes. Without going into too much detail, a crash in NES Tetris happens when the game's score handler takes too long to calculate a new score between frames, which can happen after level 155. When this delay occurs, a portion of the control code gets interrupted by the new frame-writing routine, causing it to jump to an unintended portion of the game's RAM to look for the next instruction.

Usually, this unexpected interrupt leads the code to jump to the very beginning of RAM, where garbage data gets read as code and often leads to a quick crash. But players can manipulate this jump thanks to a little-known vagary in how Tetris handles potential inputs when running on the Japanese version of the console, the Famicom.

Unlike the American Nintendo Entertainment System, the Japanese Famicom featured two controllers hard-wired to the unit. Players who wanted to use third-party controllers could plug them in through an expansion port on the front of the system. [...]

As it happens, the area of RAM that Tetris uses to process this extra controller input is also used for the memory location of that jump routine we discussed earlier. Thus, when that jump routine gets interrupted by a crash, that RAM will be holding data representing the buttons being pushed on those controllers. This gives players a potential way to control precisely where the game code goes after the crash is triggered.

For Displaced Gamers' jump-control method, the player has to hold down "up" on the third controller and right, left, and down on the fourth controller (that latter combination requires some controller fiddling to allow for simultaneous left and right directional input). Doing so sends the jump code to an area of RAM that holds the names and scores for the game's high score listing, giving an even larger surface of RAM that can be manipulated directly by the player.

By putting "(G" in the targeted portion of the B-Type high score table, we can force the game to jump to another area of the high score table, where it will start reading the names and scores sequentially as what Displaced Gamers calls "bare metal" code, with the letters and numbers representing opcodes for the NES CPU.

[...] Of course, the lack of a battery-backed save system means hackers need to achieve these high scores manually (and enter these complicated names) every time they power up Tetris on a stock NES. The limited space in the high score table also doesn't leave much room for direct coding of complex programs on top of Tetris' actual code. But there are ways around this limitation; HydrantDude writes of a specific set of high-score names and numbers that "build[s] another bootstrapper which builds another bootstrapper that grants full control over all of RAM."
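
A simplified model of the crash described above, in which the jump vector shares RAM with the expansion-controller bytes and the frame interrupt lands between storing the target and jumping through it. This is an added illustration, not code from the article, the video or the Tetris ROM; every address and button byte value is constructed, and `pad_base` selects either the aliased layout or a separated one that removes the overlap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration; not the real Tetris memory map. */
#define RAM_SIZE     0x0800u  /* 2 KiB of work RAM */
#define VEC          0x0010u  /* hypothetical 2-byte jump vector (low, high) */
#define PAD_SEPARATE 0x0020u  /* hypothetical dedicated slot for pads 3 and 4 */
#define INTENDED     0x0400u  /* hypothetical handler the game meant to reach */

static uint8_t ram[RAM_SIZE];

/* Per-frame interrupt: stores the expansion pad state at pad_base. */
static void frame_interrupt(uint16_t pad_base, uint8_t pad3, uint8_t pad4) {
    ram[pad_base]     = pad3;
    ram[pad_base + 1] = pad4;
}

/* Main-thread dispatch: write the target into the vector, then jump through it.
 * `late` models the score routine overrunning the frame, so the interrupt
 * fires after the store but before the indirect jump.
 * Returns the address the indirect jump would transfer control to. */
uint16_t dispatch(int late, uint8_t pad3, uint8_t pad4, uint16_t pad_base) {
    memset(ram, 0, sizeof ram);
    ram[VEC]     = (uint8_t)(INTENDED & 0xFFu);
    ram[VEC + 1] = (uint8_t)(INTENDED >> 8);
    if (late)
        frame_interrupt(pad_base, pad3, pad4);
    return (uint16_t)(ram[VEC] | (ram[VEC + 1] << 8));
}

int main(void) {
    /* 0x08 and 0x07 are constructed button bytes, not real pad encodings. */
    printf("on time, aliased:        %04X\n", dispatch(0, 0x08, 0x07, VEC));
    printf("late, no extra pads:     %04X\n", dispatch(1, 0x00, 0x00, VEC));
    printf("late, buttons held:      %04X\n", dispatch(1, 0x08, 0x07, VEC));
    printf("late, separated storage: %04X\n",
           dispatch(1, 0x08, 0x07, PAD_SEPARATE));
    return 0;
}
```

In the aliased layout the late interrupt turns controller state into the jump target, and with nothing plugged in the target collapses to the start of RAM; giving the pad bytes their own storage leaves the vector intact even when the interrupt arrives late.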

  • (Score: 4, Insightful) by looorg on Tuesday May 14, @03:09PM (5 children)

    by looorg (578) on Tuesday May 14, @03:09PM (#1356935)

    As much fun as I do find this, mostly for nostalgia reasons, it also seems somewhat convoluted.

    If you are going to ROM hack then ROM hack. Get a hexeditor and just do the changes. Burn a new eprom and you are done. Forever. OR if this is done via emulation then there is normally a machine code monitor there already. Skip all those other steps and just go straight to memory access.

    I don't recall now if there was some Action Replay, Game Genie or some such cartridge or system for the NES. Or one of them cartridges that can slot another cartridge into them, usually for cheating but they also tended to include a way to interrupt the system and give direct memory access via a built in machine code monitor.

    In some regard this is a fairly ordinary hack technique. Find some way to interrupt code execution. Make it jump someplace else in memory to where there is room to put your own instruction to do something, then jump back again and keep executing. In your own instructions you fix something or change whatever you like. Somewhat similar to how cracking and training was done in ye olden days.

    I guess the fun thing here as noted is that they found a way to do it via the high-score list and they can do it on "unmodified hardware and cartridges". Even tho one method apparently requires a third and fourth controller -- and that you are some kind of squid to press all these things to cause the interrupt. As far as I can recall the NES only came with two controllers, and two ports so you would need some kind of four controller adapter to use more. So is it really "unmodified" in that regard? If I require extra hardware then I might as well just start attaching clips to legs and points on the board and take it from there. Or is the machine virginity somehow sullied if I remove some screws?

    > Unfortunately, there are only 43 possible symbols that can be used in the name entry area and 10 different digits that can be part of a high score.

    10 different digits, considering it's a high-score input that would be all of them then as in 0-9 or are they referring to a way to present a 10 digit number? The machine is so old that you could reach all memory with 10 digits on these systems, certainly in HEX. You only need a select few actual letters (all letters are not equal when it comes to instructions), some punctuation characters and symbols .,()$. Question is just what was included. If you use the high-score system in game to insert it with that, that might be a very limited selection of chars -- no need to include everything since that takes up memory when you only need a few chars and numbers.

    • (Score: 4, Interesting) by JoeMerchant on Tuesday May 14, @05:05PM

      by JoeMerchant (3937) on Tuesday May 14, @05:05PM (#1356945)

      Somewhat convoluted? A practical implementation would involve something like an external "robot controller" playing the game to write the high scores to make the code to make the bootloader...

      With the point being? Because they can, I presume. Games are designed to be an enjoyable waste of time, this certainly extends the play value of Tetris by orders of magnitude - for certain types of players.

      I see a Raspberry Pi programmed to play Tetris so long and so hard that it can program Pong into the console on top of it...

      🌻🌻
    • (Score: 3, Interesting) by Mojibake Tengu on Tuesday May 14, @05:20PM (1 child)

      by Mojibake Tengu (8598) on Tuesday May 14, @05:20PM (#1356946) Journal

      This is invaluable as an exercise in way of thinking, not as result.

      Similar approach to indirection control can be applied to internally inaccessible platforms, like door locks, vehicles, satellites, weapons, ...

      Respect Authorities. Know your social status. Woke responsibly.
      • (Score: 5, Funny) by pkrasimirov on Tuesday May 14, @08:11PM

        by pkrasimirov (3358) Subscriber Badge on Tuesday May 14, @08:11PM (#1356954)

        > Similar approach to indirection control can be applied to internally inaccessible platforms, like door locks

        WTF? :)

        Hearing mumbling noises in the night, I cautiously approached the door and peered through the peephole. There's a guy concentrating on a screen, playing a crazy level of Tetris. The screen is blurred, the colours are strange, barely visible and changing rapidly. I realise, thanks to the comment above, that he's about to hack my door lock! He probably has all the hacking code already loaded into the machine and is just a few levels away from fine-tuning my somewhat rusty mechanical lock. I devise a master plan: I suddenly scream at the top of my lungs! The evil hacker is startled for a microsecond, and that's all it takes to end the game. He's still trembling with concentration, but it's no use, I've countered his evil plan with some rather childish behaviour. Realising his failed mission, he bursts into tears and despair and slowly collapses next to my solid, formidable, unmoving door. He's finished, a shadow of the master player he was just seconds ago. I feel sorry for him. Knowing he could do better in life with his skills, I offer him some help: a glass of water and some evening snacks. He is unable to refuse and accepts me as a friend. We chat a little, I praise his quick reflexes and hacking skills. After a while he calms down and we both slowly stand up, stretching our legs from the uncomfortable position. He bids me farewell and slowly drifts off into the night. I go back to bed, thinking how creative some people can be with a simple game of Tetris. I try to sleep...

        I hear noises again. Go to the door. Oh no, some new guy there is playing Doom! I cannot jump scare him, it is part of the game. I'm doomed! I think quickly, but to no avail: he's already opened my lock with a fury only matched by my ex-wife. I panic and run for the stairs. Too late, the door bursts open and he crushes me with a BFG. I'm finished. If only I could have listened and put a chain around this door or something, or another door, but now it is too late. I've been robbed, by a 1337 haxxor.

        My tombstone reads 'Resistance is futile' and flickers softly in the night.

    • (Score: 5, Interesting) by bzipitidoo on Wednesday May 15, @03:14AM

      by bzipitidoo (4388) on Wednesday May 15, @03:14AM (#1356994) Journal

      Sure I did some hacking, but nothing as intense as this. I broke the copy protection on several Apple II games. Then, in one case, Dark Forest, I fixed a bug in the code. In several, I greatly improved the speed. Added playability enhancements to a few. In Ultima 4, I edited the graphics. (Then I decided I liked the original graphics better.) In Ultima 3, I figured out a minor, unstated challenge, that it is possible to kill Lord British, and I hacked the character data to give myself a crucial flag for which I'd tired of doing the needle-in-the-haystack hunt.

      About the most intricate thing I tried was another idea in Ultima 3: setting the decimal stats to the invalid value of hexadecimal FF, and, in one case, it worked brilliantly. Because the machine was programmed to use that byte in decimal mode, 0xFF was interpreted as 15*10+15 = 165. The amount of magic points the druid class is allowed is half the character's intelligence and wisdom, and putting 0xFF in those stats resulted in 165/2 = 82 magic points, enough to cast every spell in the game. Made the druid the hands down best spellcaster class, as druids can cast both cleric and wizard spells, and regenerate mana at twice the normal rate. This trick does not work in the emulators I've tried, presumably because the emulator's decimal math mode doesn't handle an invalid value the same way as the original hardware.

      This Tetris hacking goes way further than anything I'd ever even contemplated. I am flabbergasted at the lengths they've gone.

    • (Score: 3, Touché) by SomeRandomGeek on Wednesday May 15, @04:04PM

      by SomeRandomGeek (856) on Wednesday May 15, @04:04PM (#1357054)

      > As much fun as I do find this, mostly for nostalgia reasons, it also seems somewhat convoluted.

      It is fun because it is convoluted. But also, it is fun because it takes Tetris high score one-upsmanship to a whole new level:
      "I'm so good at Tetris that I reached the kill screen!"
      "Oh yeah? Well, I'm so good at Tetris that I put exactly the scores I wanted on the high score screen! And then I used the kill screen to jump to the high score screen and execute it as a computer program!"