00:00:00.467,00:00:01.802 >>Good afternoon everybody [Super Mario coin sound] how's 00:00:01.802,00:00:03.136 everybody doing? [game music] yeah [game music] this is 00:00:03.136,00:00:08.141 awesome so um how many people know what this thing is, that’s 00:00:13.614,00:00:19.586 on the stage? [crowd cheer] ok, I only asked that because 00:00:19.586,00:00:21.622 wandering through the halls yesterday after getting the 00:00:21.622,00:00:24.324 badges I heard a bunch of twenty somethings talking about what 00:00:24.324,00:00:29.429 the Konami code was and they were listing it off wrong [crowd 00:00:29.429,00:00:32.599 laughter] uh, so um, if you are that of that age you are going 00:00:32.599,00:00:34.968 to get a little bit of a history lesson I have seen this demo 00:00:34.968,00:00:38.238 which is awesome get excited let's give Allan a big hand 00:00:41.341,00:00:45.546 [crowd cheer and applause] Allan >>Thank you, well thank you very 00:00:45.546,00:00:49.917 much uh this is a very very technically challenging series 00:00:49.917,00:00:52.853 of live demos I have an immense number of things on the stage 00:00:52.853,00:00:56.356 that can and will go wrong so please feel free to make fun of 00:00:56.356,00:01:00.027 the equipment when that happens the equipment not me um 00:01:00.027,00:01:02.930 [laughter] um hello everyone I am Allan Cecil I'm also known as 00:01:02.930,00:01:06.166 dwangoAC uh I am the president of the North Bay Linux Users 00:01:06.166,00:01:10.070 Group I'm also a senior engineer at Ciena and I am a tool 00:01:10.070,00:01:13.307 assisted speed run advocate and an ambassador for 00:01:13.307,00:01:17.844 TASVideos.org um so I want to talk uh about speed running and uh 00:01:17.844,00:01:23.183 why is that ok there we go speed running with human limits so 00:01:23.183,00:01:26.954 early on um people wanted to play games fast because after 00:01:26.954,00:01:30.424 you beat the game it's a lot of fun to try to beat it again uh
00:01:30.424,00:01:33.026 faster right and some games like Metroid, especially Super 00:01:33.026,00:01:36.830 Metroid rewards you for playing faster if you complete Super 00:01:36.830,00:01:39.333 Metroid in in less than three hours uh she ends up wearing a 00:01:39.333,00:01:44.004 bikini for some reason [grumbles] I didn't do it um 00:01:44.004,00:01:46.139 [chuckle] there are now categories uh that people try to 00:01:46.139,00:01:50.410 speed run games in anything from any percent to uh 100% get every 00:01:50.410,00:01:53.847 item in the game as fast as you can to categories like low 00:01:53.847,00:01:57.250 percentage no major glitches and then most of these demos are 00:01:57.250,00:02:00.053 lists of these records are stored on a website named uh uh 00:02:00.053,00:02:02.990 Speed Demos Archive and there are some other websites like 00:02:02.990,00:02:07.227 that also track the fastest completion times um now there 00:02:07.227,00:02:11.231 are a lot of strict rules there's peer reviewed videos to make 00:02:11.231,00:02:13.867 sure that no one is cheating that no one is using keyboard 00:02:13.867,00:02:17.371 macros or any kind of uh [grumble] any anything other the 00:02:17.371,00:02:21.408 human their own human ability and I have to tell you they're 00:02:21.408,00:02:25.312 really entertaining now one of the places that these are uh 00:02:25.312,00:02:27.948 widely shown is uh Games Done Quick events uh 00:02:27.948,00:02:31.118 gamesdonequick.com there's an Awesome Games Done Quick in the 00:02:31.118,00:02:34.187 winter that benefits the Prevent Cancer Foundation and a 00:02:34.187,00:02:37.224 Summer Games Done Quick uh every summer that benefits Doctors 00:02:37.224,00:02:41.161 Without Borders and [th] there's usually some crazy stuff going 00:02:41.161,00:02:45.966 on there uh for instance here we have uh Mario Kart 64 uhm you 00:02:45.966,00:02:50.103 can see he's kinda out of bounds um that's because he's tricking 00:02:50.103,00:02:53.607 the
lap counter so that he only to go around the the course uh 00:02:53.607,00:02:55.575 one full time and then he can trip the lap count lap counter 00:02:55.575,00:02:59.046 after he completes it um here's Super Metroid he's uh I'm sorry 00:02:59.046,00:03:02.282 Metroid the original Metroid he's lured or she technically it's 00:03:02.282,00:03:06.653 Samus has lured an enemy from an adjacent screen and is using 00:03:06.653,00:03:10.290 it to uh to freeze it to use it as a platform to sequence break 00:03:10.290,00:03:12.559 the game to get to someplace you're not supposed to be at that point 00:03:12.559,00:03:15.328 with the items you have now there is all kinds of other 00:03:15.328,00:03:17.898 things uh that happen at Games Done Quick events that are 00:03:17.898,00:03:21.902 absolutely insane uh this is halfcoordinated uh he cannot 00:03:21.902,00:03:24.638 use [pause] for the most part he can't use the right side of his 00:03:24.638,00:03:27.841 body so he completes games using only one hand on the controller 00:03:27.841,00:03:31.778 and it's insane watching him play uh there's also been some 00:03:31.778,00:03:34.581 crazy things like uh this guy completing all the way up to 00:03:34.581,00:03:38.118 Mike Tyson uh in uh Mike Tyson's Punch-Out blindfolded just 00:03:38.118,00:03:41.855 listening to the game audio just insane so [pause] this is 00:03:41.855,00:03:44.491 clearly beyond the standard limits of what most humans can 00:03:44.491,00:03:49.296 do but tool assisted speedruns or tool assisted superplays go 00:03:49.296,00:03:52.532 [pause] a step further we are not really interested in human 00:03:52.532,00:03:55.235 limits anymore now we're interested in what can this 00:03:55.235,00:03:57.771 hardware really do if you pushed it to the limits of what the 00:03:57.771,00:04:01.775 hardware's capable of and TAS is used as a noun a verb I TAS'ed 00:04:01.775,00:04:03.910 this, this person is a great TAS'er you will hear me [mumble]
00:04:03.910,00:04:06.980 say the word TAS throughout the whole talk and now the history 00:04:06.980,00:04:11.151 of tool assisted speedruns is kind of interesting uh back in 00:04:11.151,00:04:14.354 uh the 90's the game Doom came out and it had a quick save 00:04:14.354,00:04:16.089 button and a quick load button because let's face it it was 00:04:16.089,00:04:19.392 kind of a hard game and you were likely to die a lot well they 00:04:19.392,00:04:23.330 added rerecording tools and that allowed you to uh play through 00:04:23.330,00:04:25.699 the game and record your progress and at a certain point 00:04:25.699,00:04:28.802 somebody figured out you can do it in slow motion and keep 00:04:28.802,00:04:31.004 loading the save states over and over again until you got a 00:04:31.004,00:04:35.108 pretty good completion and in 1999 roughly uh Doom Done Quick 00:04:35.108,00:04:39.379 came out uh and completed the entire first uh game in 19 00:04:39.379,00:04:42.015 minutes and 41 seconds uh this was followed up by a couple of 00:04:42.015,00:04:45.218 other ones uh there's uh 40 minute and 2 second completion 00:04:45.218,00:04:49.222 of Doom 2 for instance so it's uh it's it's definitely been one 00:04:49.222,00:04:53.527 of the uh the first widely known uh tool assisted speed runs now 00:04:53.527,00:04:59.432 in 2003 a video surfaced online from somebody named Morimoto and 00:04:59.432,00:05:02.669 it was a little bit let's just describe it as controversial 00:05:02.669,00:05:07.174 because Mario was flirting with death getting insane number one 00:05:07.174,00:05:10.310 ups literally walking through walls and there was no context 00:05:10.310,00:05:13.246 for where that video came from now it had been posted on a 00:05:13.246,00:05:16.349 Japanese website with appropriate annotations to 00:05:16.349,00:05:19.986 describe that it was done with an emulator in slow motion with 00:05:19.986,00:05:25.192 save states but uh it was [mumbles] the context of the
00:05:25.192,00:05:29.563 video was missing when the WMV file in 2003 pre-YouTube days 00:05:29.563,00:05:32.566 got circulated around the internet um and the problem was 00:05:32.566,00:05:36.870 that it was inhuman skill and display at and and really tools 00:05:36.870,00:05:41.808 meant hardware limits became the only limits but if you don't say 00:05:41.808,00:05:45.145 that you're testing the hardware limits people get really upset 00:05:45.145,00:05:48.315 so TAS'ing it's kind of like the doped Olympics I mean let's just 00:05:48.315,00:05:51.851 be honest here [laughter] competitors should admit to 00:05:51.851,00:05:55.822 doping let's just be honest here um and videos made with TAS 00:05:55.822,00:05:58.124 tools should be labeled and there's a getting? Bisqwit that 00:05:58.124,00:06:02.762 in 2004 created NESVideos to track tool assisted speedruns 00:06:02.762,00:06:05.699 the same way Speed Demos Archive was tracking in-game human 00:06:05.699,00:06:10.070 completion times now uh there's that's now gone beyond just the 00:06:10.070,00:06:12.472 Nintendo Entertainment System this console here it's now moved 00:06:12.472,00:06:17.577 on to many many consoles uh and there's uh everything from 00:06:17.577,00:06:22.349 modern consoles like the Nintendo Wii through handhelds 00:06:22.349,00:06:25.585 at tasvideos.org so I know live demo like we're only a few 00:06:25.585,00:06:27.887 minutes of the top but let's do a live demo I'll talk about the 00:06:27.887,00:06:31.891 console verification part in a little bit but just know that we 00:06:31.891,00:06:35.495 made a game an emulator we set up a sequence of button presses 00:06:35.495,00:06:39.199 and I'm going to show you what those button presses are TASbot 00:06:39.199,00:06:41.434 so this where the video video might go completely haywire and 00:06:41.434,00:06:43.403 I don't know what's going to happen if you see somebody 00:06:43.403,00:06:48.408 running from the side of the room yeah just bear with
it 00:06:50.744,00:06:55.749 [game sound] whoo [game sounds] anybody can you turn it down, 00:06:58.818,00:07:03.757 thank you whoa I said turn it down not crash it I said that 00:07:05.892,00:07:09.362 there was going to be at least one catastrophic thing I wasn't 00:07:09.362,00:07:11.898 kidding I don't even know what happened there I've never seen 00:07:11.898,00:07:14.234 that happen before and that is something you can quote me on 00:07:14.234,00:07:19.239 because it happens all the time alright let's do this again [game 00:07:25.178,00:07:30.183 sounds] that's better it's still pretty loud but uh [game crash 00:07:36.690,00:07:41.695 sound] whoa what [laughter] uh yeah I don't think blowing in 00:07:44.631,00:07:47.033 the card will work but hey they worked last time but I do want 00:07:47.033,00:07:49.569 to make absolutely certain that I don't have wires crossed or 00:07:49.569,00:07:52.605 something funny going on with power because uh obviously if 00:07:52.605,00:07:55.642 there's not a uh good ground things could be but let's just 00:07:55.642,00:08:02.082 try the [Allan blowing on the cartridge] [cheer] there 00:08:02.082,00:08:05.118 [applause] I kinda want this one to work this one should work uh 00:08:05.118,00:08:07.821 the only thing I'm gonna double-check just to make sure 00:08:07.821,00:08:12.225 nothing else got funny um the only other thing I can think of 00:08:12.225,00:08:16.196 might be power but we'll try this one more time [game sounds] 00:08:16.196,00:08:22.102 oh and we lost the signal too [game sounds] hmm remember how I 00:08:22.102,00:08:24.504 said live demos at least one of them is going to go completely 00:08:24.504,00:08:29.776 haywire well I don't know where our tech guy is to fix this and 00:08:29.776,00:08:34.781 I'm not about to go touch it so [chuckle] at least it's [game 00:08:39.919,00:08:41.287 stopped making sounds] [crowd shouting comments] yeah I'm a 00:08:41.287,00:08:45.759 little bit concerned here so uh what's that
[someone from the 00:08:45.759,00:08:49.596 crowd talking to Allan - inaudible] pfft nah sides this 00:08:49.596,00:08:53.933 thing is durable well welcome to the first live demo that goes 00:08:53.933,00:08:58.605 wrong um that's okay I'm going to do the rest of the demos 00:08:58.605,00:09:02.075 entirely on the Super Nintendo but of course um we'll have to 00:09:02.075,00:09:08.348 get um somebody in the room to to fix the scrolling but um I'm 00:09:08.348,00:09:11.451 very confused by that behavior I've never seen it before 00:09:11.451,00:09:13.186 welcome to doing something in front of a live audience but 00:09:13.186,00:09:16.489 that's okay we'll just move on this is going to cause a brief 00:09:16.489,00:09:21.494 audio pop I apologize in advance [changing audio cables] alright 00:09:29.469,00:09:34.474 so with any luck ok so we probably are going to have 00:09:44.651,00:09:50.590 rolling video at first [console sound] or apparently no video ok 00:09:50.590,00:09:54.928 we can barely see it [game sounds] um so I'm uh uh keep uh 00:09:54.928,00:09:58.798 going through some slides here um this was made with uh one of 00:09:58.798,00:10:01.701 a number of emulators there's several emulators out there FCEUX 00:10:01.701,00:10:05.405 there's uh LSNES which this run was made with uh this is the 00:10:05.405,00:10:12.145 Super Mario World game for the Super Nintendo um it is uh it is 00:10:12.145,00:10:15.582 a uh very good emulator with a lot of useful tools on it um and 00:10:15.582,00:10:18.351 I know that's going to be impossible to see with the 00:10:18.351,00:10:23.356 scrolling but Mario is doing some really unusual things right 00:10:25.658,00:10:31.197 now [game sounds] uh yes he just got about four Yoshi's um so 00:10:31.197,00:10:34.567 it's kind of hard to see right now but um basically what's 00:10:34.567,00:10:38.071 happening is we have the ability to back up and try things as 00:10:38.071,00:10:41.441 many times as we like and uh that means we can
do things with 00:10:41.441,00:10:43.676 frame per frame decision? and right now what we're doing is 00:10:43.676,00:10:46.312 winding up the object attribute map to be exactly the way we 00:10:46.312,00:10:52.185 want it to be uh it's getting worse uh there we go good [crowd 00:10:52.185,00:10:57.490 cheer] unfortunately I think you're going to have to do that every 00:10:57.490,00:11:03.196 single time sorry [chuckle] ok so and let's get back to the 00:11:03.196,00:11:08.034 slides so there are other recording frameworks I made one 00:11:08.034,00:11:11.404 called NetHack uh TAS tools that we've used before those 00:11:11.404,00:11:13.706 Hourglass for Windows things everybody's looking at this 00:11:13.706,00:11:17.777 video anyway it doesn't really matter um so this was uh done 00:11:17.777,00:11:20.413 with the SNES core which was very very accurate and that's 00:11:20.413,00:11:23.383 incredibly important in just one second look at these visual 00:11:23.383,00:11:28.288 visualizations boards right here and right there that's the 00:11:28.288,00:11:33.293 actual button presses we're sending to the console there we 00:11:39.332,00:11:46.005 go [applause] [game sounds] so yes TASBot plays Super Mario 00:11:46.005,00:11:50.810 World um yeah I'm just gonna skim all that we'll come back to 00:11:50.810,00:11:54.914 that sometime so TASBot plays Super Mario World with what oh 00:11:54.914,00:11:58.251 oh I'm sorry it's Super Mario Brothers in Super I get it um I 00:11:58.251,00:12:00.453 said this is a live demo if somebody wants to come up here 00:12:00.453,00:12:04.157 you can definitely play this if you wanted to uh except I forgot 00:12:04.157,00:12:06.426 to bring the controllers sorry that won't work so well um this 00:12:06.426,00:12:10.563 is fully playable so we took Super Mario Brothers a game from 00:12:10.563,00:12:15.868 the original Nintendo and placed it on the Super Nintendo which 00:12:15.868,00:12:19.238 was never designed to have it so we took a
previous console run 00:12:19.238,00:12:22.208 from here game and programmed it through the console's controller 00:12:22.208,00:12:25.511 ports on completely unmodified hardware now this was done by 00:12:25.511,00:12:28.982 Masterjun who set up the button presses and by somebody named 00:12:28.982,00:12:35.121 p4plus2 and it's a really complex series of events but there's a 00:12:35.121,00:12:39.325 really good YouTube video by dotsarecool uh that volume is 00:12:39.325,00:12:43.162 kinda loud but that's okay just ignore it um so what you're 00:12:43.162,00:12:46.699 basically seeing is uh he was going back and forth and 00:12:46.699,00:12:50.470 rearranging objects in the object attribute map to 00:12:50.470,00:12:56.042 basically write opcodes in RAM in such a way that when we did 00:12:56.042,00:13:00.980 certain things uh it it treated the location in memory that the 00:13:00.980,00:13:03.349 the controller is stored in as something that should execute 00:13:03.349,00:13:06.519 and it did exactly that it ran what we put on the controller 00:13:06.519,00:13:09.355 and allowed us to well you can either trigger the credits or 00:13:09.355,00:13:13.559 you can take it one step further and do crazy stuff um but that's 00:13:13.559,00:13:16.562 not not good enough this one this was this ran a hundred and 00:13:16.562,00:13:20.033 eighty-four kilobits per second which is nice you know it's it's 00:13:20.033,00:13:24.871 it's cool but we can do better and we're going to so I need 00:13:24.871,00:13:28.307 need to uh restart which means that it's probably gonna mess up 00:13:28.307,00:13:32.412 the video uh one of the interesting things about the uh 00:13:32.412,00:13:37.684 about the uh original consoles is that they are running at a 00:13:37.684,00:13:41.921 resolution best described as 240p they played trickery with 00:13:41.921,00:13:46.959 CRT TV's so uh we have had a lot of trouble getting captured work 00:13:46.959,00:13:50.596 it's actually been a bit of a pain so
I just erased the same 00:13:50.596,00:13:55.601 game and that's going to prepare me for doing uh a uh another run 00:14:01.207,00:14:07.246 let's see all right here we go so this is the same game and 00:14:07.246,00:14:09.816 this time oh good the video isn't rolling right off the top 00:14:09.816,00:14:13.286 okay this is good now if we're lucky it'll stick with us unless 00:14:13.286,00:14:16.556 we can switch consoles um so this is the exact same game but 00:14:16.556,00:14:20.526 if you're able to see it you'll notice that the video is is 00:14:20.526,00:14:22.695 going to be using slightly different technique this is a 00:14:22.695,00:14:25.865 different exploit than the first one yes there are more than one 00:14:25.865,00:14:28.901 there's more than one way to blow up Super Mario World and 00:14:28.901,00:14:31.904 this one is going to use a slightly different technique so 00:14:31.904,00:14:35.007 one of my earlier slides I was talking about uh the different 00:14:35.007,00:14:39.345 devices that we have well the newest device we have is from uh 00:14:39.345,00:14:42.115 is a uh board uh called TASLink board and has a very high data 00:14:42.115,00:14:45.184 rate the previous boards made by somebody named true who's 00:14:45.184,00:14:48.588 actually a DEFCON regular uh true's board was able to hit a 00:14:48.588,00:14:51.891 hundred eighty-four kilobits per second uh based on his multi 00:14:51.891,00:14:57.396 replay board this one is using an FPGA from Papilio and we're 00:14:57.396,00:15:00.700 able to achieve data rates of much higher than that which we'll 00:15:00.700,00:15:02.702 see here in a second as soon as he gets done screwing around the 00:15:02.702,00:15:06.873 starting check right here I love the scene right here just just 00:15:06.873,00:15:11.878 watch what he does to this Chuck there we go [applause] that is 00:15:20.520,00:15:25.525 an image that was written to the console 900 and I want to say 00:15:31.564,00:15:36.035 920 kilobits per
second um keep in mind that the maximum rate 00:15:36.035,00:15:41.107 that these consoles usually ran at was about three I'm sorry 00:15:41.107,00:15:45.945 about 480 bytes per second and that was like the most [chuckle] 00:15:45.945,00:15:48.181 so for us to shove that much data through this is kind of 00:15:48.181,00:15:51.250 impressive I'm I'm amazed that this console manages to hold up 00:15:51.250,00:15:55.188 um I need to actually back up a little bit and uh cover a few 00:15:55.188,00:16:00.626 things that I skipped over so I'll just go to here there were 00:16:00.626,00:16:04.297 a bunch of early console devices true was the first person to 00:16:04.297,00:16:08.835 attach a a console and uh and get get it to to do button 00:16:08.835,00:16:11.971 presses and it's actually very simple protocol especially for 00:16:11.971,00:16:13.973 the original Nintendo and one of the things that's going to talk 00:16:13.973,00:16:16.576 about during the original video I plan there's only five wires 00:16:16.576,00:16:19.679 there's just five volts and ground there's a latch wire it 00:16:19.679,00:16:22.481 says latch hey controller and about to ask you what buttons 00:16:22.481,00:16:25.451 you're pressing clock give me the first button is A being 00:16:25.451,00:16:30.656 pressed uh one or high voltage if yes none or 0 for no and the 00:16:30.656,00:16:33.159 only other line is a serial data line out from the controller 00:16:33.159,00:16:36.262 sending that information back to the console so what this guy 00:16:36.262,00:16:40.333 here does is pays attention to that that feed and sends 00:16:40.333,00:16:43.970 appropriate responses so the first device that this was 00:16:43.970,00:16:46.906 tested with all the way back in 2009 and a board from true but 00:16:46.906,00:16:52.044 in 2011 something micro500 who built also this this task board 00:16:52.044,00:16:56.148 micro500 made a device called the NESBot that based on a 00:16:56.148,00:16:59.418 breadboard you can
see here in the lower lower corner uh that 00:16:59.418,00:17:02.655 was able to complete Super Mario Brothers one and it was used at 00:17:02.655,00:17:05.458 one of the very early Summer Games Done Quick events to 00:17:05.458,00:17:08.094 complete uh Wizards and Warriors three and Super Mario Brothers 00:17:08.094,00:17:11.998 two although somewhat comically um and by the way uh that what 00:17:11.998,00:17:14.367 you see on the screen if if I know it's really tiny but there 00:17:14.367,00:17:17.270 there is just a very few number of people in the audience this 00:17:17.270,00:17:19.005 was one of the early Summer Games Done Quick events that 00:17:19.005,00:17:21.507 didn't have very many people now this room would be looking a 00:17:21.507,00:17:24.944 little bit more like DEFCON here but um there were a couple of 00:17:24.944,00:17:27.747 other boards uh there was a droid 64 bot that could do N64 00:17:27.747,00:17:32.051 games and uh micro500 made one of his own in 2012 using a uh 00:17:32.051,00:17:37.490 propeller board um but at TASBot this this guy here Rob holding 00:17:37.490,00:17:40.826 um random device with Legos on it um that kind of happened a 00:17:40.826,00:17:45.831 little bit later so in 2013 we uh had an opportunity to to 00:17:45.831,00:17:49.168 again go to uh Summer Games or Awesome Games Done Quick and 00:17:49.168,00:17:52.071 present and true built a device from scratch based on a 00:17:52.071,00:17:55.174 microchip uh device and it was it was a very very good device 00:17:55.174,00:17:57.810 uh in the sense that it was streaming capable very 00:17:57.810,00:18:01.247 inexpensive um a little bit fidgety with wiring because of 00:18:01.247,00:18:04.550 the punch down uh the screw down blocks that we used and had some 00:18:04.550,00:18:06.285 unlimited data rates but we were able to do some really 00:18:06.285,00:18:09.255 impressive things on that one of the first things we did was a uh 00:18:09.255,00:18:15.027 snake and pong on
top of Super Mario World well I took a uh uh 00:18:15.027,00:18:17.430 I eventually this is like the first prototype I just zip tied 00:18:17.430,00:18:20.633 them together I took some uh some Legos eventually showed? 00:18:20.633,00:18:22.702 them together and called it Rob Berry Pi because at that point 00:18:22.702,00:18:26.005 was being fed by Raspberry Pi posted this run on Awesome Games 00:18:26.005,00:18:28.574 Done Quick saying hey I want to want to go to the event and 00:18:28.574,00:18:31.344 immediately the director says hey I want to see some of that 00:18:31.344,00:18:34.680 TASBot action exploded I never called this guy TASbot it just 00:18:34.680,00:18:39.285 happened so TASbot is nothing more than uh Rob robot from the 00:18:39.285,00:18:40.886 nineteen eighties that was shipped with the original 00:18:40.886,00:18:43.122 Nintendo consoles so that it would look didn't look like an 00:18:43.122,00:18:46.392 old Atari video game console with some Legos and replay 00:18:46.392,00:18:49.895 device and that's pretty much it um now the multi replay device 00:18:49.895,00:18:51.864 uh is what I mentioned earlier that was capable of putting 00:18:51.864,00:18:54.767 Super Mario Brothers inside of Super Mario World and there was 00:18:54.767,00:18:56.535 also some other really interesting developments there's 00:18:56.535,00:18:58.904 a gameboy player player and there's one I haven't mentioned 00:18:58.904,00:19:03.542 here that's able to play DS games um so we already went 00:19:03.542,00:19:06.612 through all of this I'm going to fast forward but I really want 00:19:06.612,00:19:10.182 to oh and by the way the the faster data rates also allowed 00:19:10.182,00:19:14.854 us to play Super Mario Brothers 1 2 3 and lost levels at the 00:19:14.854,00:19:17.757 same time with the exact same sequence of button presses 00:19:17.757,00:19:20.926 completing it about the same second it was really quite 00:19:20.926,00:19:24.030 impressive uh very very crazy we just
did that a few weeks ago at 00:19:24.030,00:19:29.435 Summer Games Done Quick um so I want to step back for a bit uh I 00:19:29.435,00:19:32.171 don't have doing on time ok I'm doing alright I'm actually doing 00:19:32.171,00:19:36.175 just fine on time I want to really step through and go in a 00:19:36.175,00:19:39.245 deep dive into one of these exploits and really break it 00:19:39.245,00:19:41.547 down so that you can kind of understand some of the sequences 00:19:41.547,00:19:46.485 we go through so I'm gonna start with a game called Pokemon Red 00:19:46.485,00:19:51.490 now Pokemon Red is a really broken game um you'll see how 00:19:54.760,00:19:58.564 how broken like it's really broken but a handheld Game Boy 00:19:58.564,00:20:01.934 is kind of difficult to wire into now we've done it but it's 00:20:01.934,00:20:05.104 not exactly a lot of fun so this is a Super Game Boy cartridge 00:20:05.104,00:20:10.276 this has an entire Game Boy processor a Z80 processor um 00:20:10.276,00:20:14.980 codenamed DMG inside of this card and it communicates with 00:20:14.980,00:20:20.319 the Super Nintendo and allows us to um great right when I need to 00:20:20.319,00:20:22.621 start video I don't know where he went alright well I hope it 00:20:22.621,00:20:26.892 works um so that allows it to use the controllers which is 00:20:26.892,00:20:29.962 great for us means it means I don't have to touch anything now 00:20:29.962,00:20:33.499 I have a wire here and this wire is is kind of an interesting 00:20:33.499,00:20:38.070 little thing there we go um alright that's already fully 00:20:38.070,00:20:43.309 baked this wire has a little expansion board connector on the 00:20:43.309,00:20:46.946 underside of the console there is this not very often used 00:20:46.946,00:20:50.583 expansion board they eventually used it for a canceled project 00:20:50.583,00:20:52.785 that connected a CD drive to this thing but it was never 00:20:52.785,00:20:56.355 really implemented now we're
using it because it exposes a 00:20:56.355,00:21:02.061 reset pin and that we kind of want to play with a play with 00:21:02.061,00:21:07.066 yeah I'll? play with so and hopefully my video signal stays 00:21:10.870,00:21:16.008 any luck yay all right we're good um and we don't really need 00:21:16.008,00:21:18.911 a lot of audio for this one it's uh there's not really uh that I 00:21:18.911,00:21:21.213 like like the game audio but I've I've got to tell you when I 00:21:21.213,00:21:23.916 was testing it I was listening to it over and over and over again 00:21:23.916,00:21:27.153 and I got really tired of it um so what's happening right now 00:21:27.153,00:21:28.788 we're going to delete the contents that was there 00:21:28.788,00:21:34.527 previously and uh there we go and we're going to start a new 00:21:34.527,00:21:38.397 game and we're going to set very specific parameters so 00:21:38.397,00:21:40.933 unfortunately this is kind of slow menuing it takes a while to 00:21:40.933,00:21:43.202 get there so I'll kind of explain in advance uh we're 00:21:43.202,00:21:45.738 going to name the player's character Red and we're going to 00:21:45.738,00:21:48.407 rate name the rival a very unusual name going to name him 00:21:48.407,00:21:53.012 RX RX PK there's actually PK symbol and the reason we do this 00:21:53.012,00:21:56.415 is we need to pre set up certain memory values to be in our 00:21:56.415,00:22:01.353 advantage that will be using again later [game sounds] so he 00:22:14.600,00:22:17.369 said yeah we're about to start our adventure um except we're 00:22:17.369,00:22:21.607 not going to bother getting very far into it before we uh save 00:22:21.607,00:22:28.380 we're gonna save and am so what we just did is we reset while we 00:22:28.380,00:22:30.282 were saving the game and I don't need this wire anywhere I'm 00:22:30.282,00:22:35.855 going to pull it out um that allowed us to write a completely 00:22:35.855,00:22:39.892 valid game header that said yes you
have your player's name is 00:22:39.892,00:22:42.428 this your rival is this you have uh you have [pfft] wait how 00:22:42.428,00:22:47.433 many Pokemon did we have oh we have we left FF's in there oh 00:22:51.670,00:22:57.776 well so you can see where we're going here alright so now we're 00:22:57.776,00:23:04.216 going to start and load the save game we just used so again this 00:23:04.216,00:23:05.718 is kind of slow it'll take a little while to get here I'm 00:23:05.718,00:23:07.553 gonna get it I'm gonna get ahead of myself because this 00:23:07.553,00:23:12.391 production goes rather quickly there's just a lot to explain so 00:23:12.391,00:23:15.494 what we're going to do is load the save game we just created 00:23:15.494,00:23:18.931 and it is a valid save game but the list of how many Pokemon we 00:23:18.931,00:23:23.669 have says we have 255 long and that allows us to go beyond the 00:23:23.669,00:23:27.840 area of memory would normally be able to go to and right here 00:23:27.840,00:23:30.609 you'll see is we swapped Pokemon over the area of memory that 00:23:30.609,00:23:34.046 contains our items now that means that uh we have to look 00:23:34.046,00:23:36.348 couple of switches so that we don't crash the game by the way 00:23:36.348,00:23:38.951 but I'll get to that in a second uh that that means that we can 00:23:38.951,00:23:42.922 now delve into our item list uh and uh what you can see here 00:23:42.922,00:23:45.524 there are some items that are stored as a two byte pair one 00:23:45.524,00:23:48.360 byte to say what the item's name is and one byte to say what the 00:23:48.360,00:23:52.665 quantity of it is so we just tossed uh now we are swatching 00:23:52.665,00:23:55.501 uh switching our items are moving in memory but we just 00:23:55.501,00:23:59.438 tossed some of an item we're going to hear so TN25 we're 00:23:59.438,00:24:03.075 going to toss 24 of those well whatever value we started with a 00:24:03.075,00:24:06.145 memory we have just thrown
out a bunch of of items and we've 00:24:06.145,00:24:10.949 reduced that memory by 24 in in uh RAM so this allows us to 00:24:10.949,00:24:13.986 directly manipulate memory but we can only manipulate every 00:24:13.986,00:24:17.389 other byte fortunately if we go back and swap Pokemon like we're 00:24:17.389,00:24:21.160 doing right here it offsets memory by an odd number so what 00:24:21.160,00:24:24.697 used to be an identifier is now a value that or quantity value 00:24:24.697,00:24:27.733 that we can then throw away so now we can write everything in 00:24:27.733,00:24:30.536 memory but we have to be very careful because some items if 00:24:30.536,00:24:33.906 you throw them away every item of that category you can never 00:24:33.906,00:24:36.909 touch again some items if you throw them away will crash the 00:24:36.909,00:24:40.946 game and some items will crash the game simply if you look at 00:24:40.946,00:24:43.949 not so helpful so there's uh also another thing we're doing 00:24:43.949,00:24:46.919 here we're we're obviously writing bytes in memory in order 00:24:46.919,00:24:51.623 to in in any in order to create an uh routine that will allow us 00:24:51.623,00:24:54.126 to read from what's on the controller and stored in memory 00:24:54.126,00:24:57.830 the problem is the Super Game Boy cancels up and down and left and 00:24:57.830,00:25:01.033 right so if you try to press both buttons buttons at the same 00:25:01.033,00:25:03.902 time they just get zeroed out it will get around that the routine 00:25:03.902,00:25:06.638 we're writing right now we're literally writing a program as 00:25:06.638,00:25:10.642 you see it reads stores to the memory reads again stores to 00:25:10.642,00:25:15.180 memory does a subtract between the two stores the result in RAM 00:25:15.180,00:25:17.883 and ones one position and then keeps writing in it uh one after 00:25:17.883,00:25:21.120 another um and when it gets to the end it writes over a jump 00:25:21.120,00:25:24.490
sequence to go execute what it just wrote and what it's writing 00:25:24.490,00:25:26.692 right now which you'll be able to see on these visualization 00:25:26.692,00:25:31.730 boards is a rather substantial payload and it takes quite a 00:25:31.730,00:25:36.735 while to write it all BAM alright so anybody recognize 00:25:45.377,00:25:51.083 that it has anybody ever been to twitch.tv well get your 00:25:51.083,00:25:57.022 smartphone's ready this is the live demo part this is the part 00:25:57.022,00:26:01.960 I like the most oh you know what really really helps so I I it 00:26:10.736,00:26:12.771 really helps if you actually have an internet connection when 00:26:12.771,00:26:16.775 you try this so we have to take a quick pause and hope that this 00:26:16.775,00:26:21.780 cable reaches without causing anybody too much pain so yes we 00:26:25.717,00:26:32.591 really are going to connect a 25-year old console to the 00:26:32.591,00:26:37.596 internet and you get to ask a QnA over the chat session if it 00:26:44.970,00:26:50.642 works nice we've already got some action here [whistle] all 00:26:50.642,00:26:52.845 right somebody type something and it will appear on the screen 00:26:52.845,00:26:57.116 I assure you so what you need to do is uh let me uh quickly get 00:26:57.116,00:27:00.552 here I will actually type out the address uh oh you can't type 00:27:00.552,00:27:03.622 urls and there's a swear filter on here have fun defeating that 00:27:03.622,00:27:07.759 it can be hacked this code is all on ppt IRC on git where you 00:27:07.759,00:27:10.429 can find the swear filter in there and defeated to your 00:27:10.429,00:27:14.733 heart's content this is def con have fun knock yourselves out uh 00:27:14.733,00:27:19.671 so here's what we're gonna do um I'm going to talk to about a 00:27:19.671,00:27:25.043 couple other things uh [mumble] lets see if I can find the 00:27:25.043,00:27:30.315 channel that everybody is in I know I've got it in here 
00:27:30.315,00:27:35.320 somewhere there it is oh wait a minute I know what's happening 00:27:40.292,00:27:43.562 we're playing back a screenplay because I never move the file 00:27:43.562,00:27:46.598 over [laughter] so what you're actually seeing on screen 00:27:46.598,00:27:49.434 because I couldn't see it on on down here you're seeing the 00:27:49.434,00:27:53.839 exact text that we we put on screen at uh awesome games done 00:27:53.839,00:27:57.876 quick 2015 uh it was a it was an entire screenplay of of uh 00:27:57.876,00:28:00.245 conversation I'm just gonna let it run because it's actually 00:28:00.245,00:28:04.583 kind of stupid uh poorly written and and hilarious I had my own 00:28:04.583,00:28:06.618 script of things I was supposed to say I never did because it 00:28:06.618,00:28:11.623 was just too awkward so yes uh we did a full article on this on 00:28:15.494,00:28:18.130 uh on the in the journal proof-of-concept to get the fuck 00:28:18.130,00:28:21.767 out I didn't name the article journal article uh but the uh 00:28:21.767,00:28:24.670 the journal is absolutely fantastic you can find a full 00:28:24.670,00:28:27.906 write-up written by myself LRA the author of the emulator and 00:28:27.906,00:28:32.844 p4+2 to the author of the chat interface at a uh uh POC GTFO 00:28:32.844,00:28:35.948 issue 10 just search google for that it smeared all over the 00:28:35.948,00:28:40.452 place it is there's a lot more details on what I covered here 00:28:40.452,00:28:43.455 by the time we get done doing all of this um we escaped the 00:28:43.455,00:28:49.261 super game boy we tell the uh the uh super Gameboy that we 00:28:49.261,00:28:53.031 want to execute something in the super Nintendo's memory space 00:28:53.031,00:28:55.867 and it lets us do it because there's actually there's a 00:28:55.867,00:28:58.704 command that lets you do that there are only there's only one 00:28:58.704,00:29:02.207 or two games that ever actually took advantage of that feature 
00:29:02.207,00:29:04.843 but that's there once we get to the Super Nintendo were no 00:29:04.843,00:29:09.247 longer limited to one byte per frame uh in fact we were at one 00:29:09.247,00:29:11.083 point only able to do a nibble of frame because we had to 00:29:11.083,00:29:14.219 subtract them together to get around the button limitations um 00:29:14.219,00:29:18.490 so what we ended up doing is after we get to this this the 00:29:18.490,00:29:22.761 super nintendo uh we get to a data rate of two bytes per 00:29:22.761,00:29:25.330 controller and we tell it oh you you actually have a multi-tap 00:29:25.330,00:29:27.699 attached so you have two controllers on the first 00:29:27.699,00:29:30.202 controller port and two on the second so you get eight bytes 00:29:30.202,00:29:33.839 per frame and 60 frames per second so I gets us about 480 00:29:33.839,00:29:36.575 bytes per second if I did my math right uh but it still 00:29:36.575,00:29:40.012 wasn't enough so we told it oh and don't just read eight uh 00:29:40.012,00:29:43.281 once per frame read eight times for frame 60 times a second so 00:29:43.281,00:29:48.286 that gets us to a data rate of 3.8k per second or so um [mumble 00:29:57.029,00:30:00.198 letters] well we're in somewhere I just don't know where at oh 00:30:00.198,00:30:06.405 yeah there's me I just type test and it worked [chuckle] so there 00:30:06.405,00:30:08.640 [chuckle] there's all kinds of crazy going on but that's ok 00:30:08.640,00:30:13.779 this is going to be at the end of the uh of the pre-recorded 00:30:13.779,00:30:19.985 input in just a second here um well that's playing through um 00:30:19.985,00:30:23.088 there's so many more details of this it is there's a block 00:30:23.088,00:30:25.624 loader we programed in afterwards it's just a really 00:30:25.624,00:30:30.629 really intense of uh technically challenging uh process that that 00:30:30.629,00:30:35.634 we had to go through to do this did franker Z just come through 
00:30:41.339,00:30:46.344 wow so it looks like because I ran the wrong script it's 00:30:49.448,00:30:53.785 getting some characters out of order like hilariously out of 00:30:53.785,00:30:58.790 order hack the planet huh uh wow that's like hilariously funny 00:31:06.765,00:31:11.002 this would be a live demo without thanks failing let's 00:31:11.002,00:31:14.172 keep going um so my call to action if you want to join in on 00:31:14.172,00:31:18.176 the fun you can go to twitch.tv/dwangoAC I am going to 00:31:18.176,00:31:22.748 go ahead and um well that's a lot of franker z [laugh] twitch 00:31:22.748,00:31:28.920 the twitch well it's a little bit little bit messed up but I 00:31:28.920,00:31:31.423 can at least see it on my screen here even if it's not completely 00:31:31.423,00:31:35.460 correct there oh well uh go ahead and ask any Q&A questions 00:31:35.460,00:31:40.365 you have in the chat so again you can go to twitch.tv/dwangoAC 00:31:40.365,00:31:44.669 uh subscribe while you're there if you like I don't care um um 00:31:44.669,00:31:48.240 but there's one other thing I want to talk about um we 00:31:48.240,00:31:53.178 recently found a very very interesting glitch in Super 00:31:53.178,00:31:55.313 Mario Brothers three that I wish I could show you on the Real 00:31:55.313,00:31:59.785 console um what we found out is that it is possible to go from 00:31:59.785,00:32:05.657 boot to the ending of the game in literally 16 frames I'm not 00:32:05.657,00:32:08.393 kidding it does take quite a few button presses per second to do 00:32:08.393,00:32:12.764 it um and it doesn't exactly treat the pallets very nicely 00:32:12.764,00:32:15.500 not everything gets loaded into ram but it is a valid completion 00:32:15.500,00:32:19.738 of the game it properly goes to the end credits um so this 00:32:19.738,00:32:22.574 happens because of an interesting choice they made 00:32:25.477,00:32:27.279 [whisper] 10 minutes got it um so um when they released this 
00:32:27.279,00:32:28.947 Nintendo hardware uh the original NES in America they had 00:32:28.947,00:32:34.419 a problem they released the hardware and then discovered 00:32:34.419,00:32:39.424 that if a game uses DPCM audio and the controller was asked for 00:32:43.528,00:32:46.064 uh what values that was holding at the same time that there was 00:32:46.064,00:32:48.834 a collision on the bus and the controller input may or may not 00:32:48.834,00:32:51.837 be dropped so to get around it they asked for that's the 00:32:51.837,00:32:53.872 controller for input two milliseconds later they asked 00:32:53.872,00:32:56.441 the controller for input again when and if it's different they 00:32:56.441,00:32:58.643 asked again and if it's different from the previous ask 00:32:58.643,00:33:00.712 again and if it's different from the previous day at you can kind 00:33:00.712,00:33:06.418 of see where this is going right um infinitely um this allowed us 00:33:06.418,00:33:09.788 to keep giving the the the uh console a different response for 00:33:09.788,00:33:13.258 what buttons we were holding every other time that we didn't 00:33:13.258,00:33:17.596 ask for input and eventually it tied up until the next phrase 00:33:17.596,00:33:21.499 processing started for the raster input that displays a 00:33:21.499,00:33:26.504 status bar at the bottom of the screen um and it was still doing 00:33:26.504,00:33:28.807 this that we're still keeping busy with this loop so what ends 00:33:28.807,00:33:31.076 up happening is it drops execution right at the bottom of 00:33:31.076,00:33:34.446 the stack and slides across a series of breaks and no-ops 00:33:34.446,00:33:39.517 directly into the addresses where the controller uh uh uh 00:33:39.517,00:33:41.653 the controller data is stored so on the second frame instead of 00:33:41.653,00:33:43.922 screwing with it and giving a different input we correctly 00:33:43.922,00:33:47.592 give input like it's expecting the first byte is stored as not 
00:33:47.592,00:33:50.595 code in memory or else is stored as invited memory and treated as 00:33:50.595,00:33:53.565 an opcode and we type the value that says jump to and on the 00:33:53.565,00:33:57.135 second controller we type the value that says and credits or 00:33:57.135,00:34:00.238 the address of the end credits so in fact we literally tell it 00:34:00.238,00:34:03.275 to jump to the end credits 16 frames or less than around a 00:34:03.275,00:34:06.878 quarter of a second after starting the game now this is 00:34:06.878,00:34:10.815 possible because of tools like binary ninja um and I had had 00:34:10.815,00:34:14.786 plans to to do a full demo and I'm I'm being told only got 10 00:34:14.786,00:34:18.123 minutes so I'm kind of running out of time there but um binary 00:34:18.123,00:34:21.059 ninja is definitely uh a lot more flexible than IDA because 00:34:21.059,00:34:24.696 there's some uh uh some ability to add in other mappers it can 00:34:24.696,00:34:29.167 handle the 6502 uh you can show all kinds of uh useful things 00:34:29.167,00:34:32.037 that we were able to find the actual program code where the 00:34:32.037,00:34:35.473 where the controller was being polled and figure out what was 00:34:35.473,00:34:41.313 doing and find the exploit um so am I cheating no I'm not really 00:34:41.313,00:34:43.515 cheating I'm just looking for technical challenge and visual 00:34:43.515,00:34:46.217 entertainment and all of us are I'm the presenter and the 00:34:46.217,00:34:50.388 organizer of the games done quick events but this is so much 00:34:50.388,00:34:53.658 more difficult than anything I could do on my own there's one 00:34:53.658,00:34:55.493 person who's really good at hardware there's one person 00:34:55.493,00:34:57.696 that's really good emulation there's one person is really 00:34:57.696,00:35:01.800 good at making the actual replay movie files there's one person 00:35:01.800,00:35:04.436 who's a really great glitch finder you know it takes a 
lot 00:35:04.436,00:35:08.840 of different people um and why do we do it because we've been 00:35:08.840,00:35:11.543 able to raise over two hundred thousand dollars for charity 00:35:11.543,00:35:13.578 between the five different events we've done in games done 00:35:13.578,00:35:17.148 quick events and just the summer [applause] yeah [applause] 00:35:17.148,00:35:22.153 that's that's really what motivates us just the summer we 00:35:24.990,00:35:28.927 had an hour block of time at Summer Games done quick 2016 and 00:35:28.927,00:35:32.564 in an hour we raised forty thousand dollars for doctors 00:35:32.564,00:35:36.301 without borders and the marathon as a whole raised 1.3 million 00:35:36.301,00:35:41.306 and that's a huge success so [applause] um so I'd like to 00:35:46.111,00:35:50.348 thank micro 500 he made the uh the TASlink board here ALARIE 00:35:50.348,00:35:54.986 made the LSNES emulator and also uh heavily uh contributed to the 00:35:54.986,00:35:57.322 black um loader and a lot of other things that worked for 00:35:57.322,00:35:59.991 Pokemon plays twitch which is what you're seeing here this is 00:35:59.991,00:36:04.796 Pokemon red playing in twitch chat um P4+2 wrote that actual 00:36:04.796,00:36:07.766 twitch chat master jin is one that figured out the exact 00:36:07.766,00:36:10.468 sequence of orders of placing everything through of course 00:36:10.468,00:36:13.505 made the earlier devices total is the one that found the Super 00:36:13.505,00:36:17.308 Mario Bros 3 glitch uh ciphertext is behind uh uh and 00:36:17.308,00:36:23.648 rust behind binary ninja AIS 523 uh helped with uh the uh DPC 00:36:23.648,00:36:27.585 input info ANG and was hugely helpful in getting slides put 00:36:27.585,00:36:30.155 together and help them the proof-of-concept article uh 00:36:30.155,00:36:32.824 greenfly help me setup today there's a lot of other people at 00:36:32.824,00:36:35.393 test videos.org that I don't even have remotely enough time 
00:36:35.393,00:36:40.065 to mention um so now let's see if there's actually any sanity 00:36:40.065,00:36:44.235 in this chat and see if there's an actual question I can answer 00:36:44.235,00:36:48.973 it's twitch no they [mumbles] oh IO error gone kappa so if you do 00:36:48.973,00:36:54.112 want to ask questions I have exactly five minutes I believe 00:36:54.112,00:36:59.117 five minutes Wow somebody's got some potty mouth pretty good 00:37:04.289,00:37:07.692 latency yep I imagine how many viewers do I have now anyway I'm 00:37:07.692,00:37:10.261 just looking I'm looking at twitch chat via IRC because 00:37:10.261,00:37:16.034 that's how the bot works uh let's see there any serious 00:37:16.034,00:37:20.772 questions um have you ever seen a zombie come to tea no that's a 00:37:20.772,00:37:25.110 very interesting is this easy mode not exactly what's your uh 00:37:25.110,00:37:29.147 favorite sandwich I have no idea probably chicken pesto what the 00:37:29.147,00:37:35.920 heck okay when I said Q&A I meant Q&A about like this drinks later 00:37:35.920,00:37:39.424 yes drinks later definitely I'll be standing over there I'm gonna 00:37:39.424,00:37:44.429 need one after this time um [laugh] um do I know um know 00:37:44.429,00:37:49.434 what I am doing no sort of um are they under the truck um how 00:37:51.703,00:37:53.972 does the bot work with timing ok this is a very good question 00:37:53.972,00:37:56.274 this is the first serious question I've seen so on the 00:37:56.274,00:37:59.444 original Nintendo I mentioned that uh it it actually asks for 00:37:59.444,00:38:02.113 input more than once per frame uh because it has to make sure 00:38:02.113,00:38:04.949 that it's not running into this DPCM glitch on many games not 00:38:04.949,00:38:07.752 all but many any of them that use DPCM audio so that means 00:38:07.752,00:38:09.788 that we have to put it in a windowed mode and we have to 00:38:09.788,00:38:12.724 ourselves keep track of which frame we're on and 
in fact 00:38:12.724,00:38:16.461 that's the secret to all these runs anyway is a tool-assisted 00:38:16.461,00:38:20.064 speedrun which is typically run on an emulated rather than on on 00:38:20.064,00:38:22.867 the original hardware is nothing more nothing less than a series 00:38:22.867,00:38:27.438 of button presses showing every frame's worth of input one frame 00:38:27.438,00:38:33.044 after another so we're able to convert that to run on a console 00:38:33.044,00:38:35.613 but we do have to pay attention to the little nuances that the 00:38:35.613,00:38:37.715 console is going to ask more than once so we have to keep 00:38:37.715,00:38:39.984 track of which frame we're on and send it only the right input 00:38:39.984,00:38:44.289 um safer killed the animals TASbot always kills the animals 00:38:44.289,00:38:48.660 if any of you guys know what that references is um [laughter 00:38:48.660,00:38:51.029 and cheer] so there's save the frames or save the animals or 00:38:51.029,00:38:54.666 vice versa um at GDQ events they always play Super Metroid with 00:38:54.666,00:38:58.903 usually a two to four player race and inevitably uh there's 00:38:58.903,00:39:01.172 up to two hundred thousand dollars contributed of people 00:39:01.172,00:39:04.542 watching and donating on either side for the donation incentive 00:39:04.542,00:39:07.111 if you if they uh decide to kill the animals because more 00:39:07.111,00:39:10.415 donations went to that they bypass going to release some 00:39:10.415,00:39:12.483 animals that are trapped on the planet before they they leave 00:39:12.483,00:39:15.353 the game which is faster and save frames uh if they have to 00:39:15.353,00:39:18.790 save the animals that wastes time so uh can use this for 00:39:18.790,00:39:23.661 malicious use yes that's the whole uh point uh in fact uh one 00:39:23.661,00:39:25.430 of the reasons that we want to do this and I'm going to see if 00:39:25.430,00:39:27.498 I can find this I'm going to go back like 
crazy because I've got 00:39:27.498,00:39:30.868 so many of the slides here uh the primary point I will 00:39:30.868,00:39:33.538 actually wanted to make and I'm really glad that somebody 00:39:33.538,00:39:36.407 reminded me of this is that the difference between the tool 00:39:36.407,00:39:40.144 assisted uh speedrun community and the infosec uh reverse 00:39:40.144,00:39:42.547 engineering community really isn't that substantial a save 00:39:42.547,00:39:45.350 state in an emulator's nothing more than a VM snapshot the glitch is 00:39:45.350,00:39:47.952 just a vulnerability waiting to be exploited an arbitrary code 00:39:47.952,00:39:51.756 expectation execution is doing just that console verification 00:39:51.756,00:39:54.626 in a lot of ways it's kind of like an evil maid attack we are 00:39:54.626,00:39:58.296 acting like a normal controller but we don't exactly have the 00:39:58.296,00:40:02.166 best intentions um so a tool assisted speedrun because the 00:40:02.166,00:40:06.437 emulators have so many tools to be able to step forward look 00:40:06.437,00:40:10.608 deep into memory look at all the aspects of the CPU registers 00:40:10.608,00:40:13.978 every last iota what's going on and the ability to try things 00:40:13.978,00:40:18.016 over and over again it is a fantastic place to start looking 00:40:18.016,00:40:23.321 for glitches in games and start looking for a uh uh and refining 00:40:23.321,00:40:26.324 techniques for reverse engineering so I encourage you 00:40:26.324,00:40:29.427 go to tasvideos dot org check that out uh I'm just gonna hold 00:40:29.427,00:40:32.130 this down until you get to the end um if there's one last 00:40:32.130,00:40:35.300 serious question I might answer that that I have a funny feeling 00:40:35.300,00:40:38.703 there's not going to be much um where can I catch Mewtwo I have 00:40:38.703,00:40:43.141 no idea uh more game soon yes we'll be doing another round at 00:40:43.141,00:40:46.277 awesome games done quick 2017 more 
information at 00:40:46.277,00:40:50.882 gamesdonequick dot com uh and I think I'm just going to wrap up 00:40:50.882,00:40:55.053 with this last question how do you mine for fish what the heck 00:40:55.053,00:40:59.257 do I play Pokemon go no I don't but I think it would be really 00:40:59.257,00:41:03.561 funny if TASbot did [laugh] uh let's see uh has used TAS to 00:41:03.561,00:41:08.866 fuzz uh sort of not really uh uh but will get back to you on that 00:41:08.866,00:41:11.369 can I can you do something useful yes I can do lots of 00:41:11.369,00:41:13.037 useful things he can do all kinds he can even beat games 00:41:13.037,00:41:17.275 really fast when when everything works technically uh what is my 00:41:17.275,00:41:20.945 favorite TASBot exploit I have to say it's got to be this one I 00:41:20.945,00:41:23.514 mean I know it's kind of uh other future console [laughter] 00:41:23.514,00:41:29.821 so I mean it's kind of [laughter] Def Con is great now 00:41:29.821,00:41:34.258 can we all agree on that alright yeah uh my Pokemon plays twitch 00:41:34.258,00:41:38.730 by far as my favorite I actively was involved in making the movie 00:41:38.730,00:41:41.933 for that and had a deep part in the technical aspects of that so 00:41:41.933,00:41:44.235 definitely my favorite hey I want to thank everybody for 00:41:44.235,00:41:46.871 participating I'll leave the chat up you guys can continue to 00:41:46.871,00:41:51.876 talk thank you very much [applause]