Good afternoon, everybody. How's everybody doing? Good. Awesome. So, how many people know what this thing is that's on the stage? Okay. I only ask that because wandering through the halls yesterday after getting the badges, I heard a bunch of 20-somethings talking about what the Konami code was, and they were listing it off wrong. So if you are of that age, you're going to get a little bit of a history lesson. I've seen this demo. This is awesome. Get excited. Let's give Allan a big hand.

Thank you. Well, thank you very much. This is a very, very technically challenging series of live demos. I have an immense number of things on the stage that can and will go wrong, so please feel free to make fun of the equipment when that happens. The equipment, not me. Hello, everyone. I am Allan Cecil. I'm also known as dwangoAC. I am the president of the North Bay Linux Users Group. I'm also a senior engineer at Ciena. And I am a tool-assisted speedrun advocate and an ambassador for TASVideos.org. So I want to talk about speedrunning, and why is that? Okay, there we go. Speedrunning with human limits. So, early on, people wanted to play games fast, because after you've beaten a game, it's a lot of fun to try to beat it again faster, right? And some games like Metroid, especially Super Metroid, reward you for playing faster. If you complete Super Metroid in less than three hours, she ends up wearing a bikini for some reason. Well, I didn't do it. So there are now categories that people try to speedrun games in, everything from any percent to 100 percent, get every item in the game as fast as you can, to esoteric categories like low percent, no major glitches. And now most of these records are stored on a website named Speed Demos Archive, and there are some other websites like that that also track the fastest completion times. Now, there are a lot of strict rules.
There's peer review of videos to make sure that no one is cheating, that no one is using keyboard macros or anything other than their own human ability. And I have to tell you, they're really entertaining. Now, one of the places that these are widely shown is at Games Done Quick events, gamesdonequick.com. There's an Awesome Games Done Quick in the winter that benefits the Prevent Cancer Foundation, and a Summer Games Done Quick every summer that benefits Doctors Without Borders. And there's usually some crazy stuff going on there. For instance, here we have Mario Kart 64. You can see he's kind of out of bounds. That's because he's tricking the lap counter so that he only has to go around the course one full time, and then he can trip the lap counter after he completes it. Here's Super Metroid. I'm sorry, Metroid, the original Metroid. He's lured, or she, technically, it's Samus, has lured an enemy from an adjacent screen and is freezing it, to use it as a platform to sequence break the game, get someplace you're not supposed to be at that point with the items you have. Now, there are all kinds of other things that happen at Games Done Quick events that are absolutely insane. This is Halfcoordinated. For the most part, he can't use the right side of his body, so he completes games using only one hand on the controller, and it's insane watching him play. There have also been some crazy things, like this guy completing all the way up to Mike Tyson in Mike Tyson's Punch-Out!! blindfolded, just listening to the game audio. Just insane. So this is clearly beyond the standard limits of what most humans can do. But tool-assisted speedruns, or tool-assisted superplays, go a step further. We're not really interested in human limits anymore.
Now we're interested in what this piece of hardware can really do if you push it to the limits of what the hardware is capable of. And TAS is used as a noun and a verb. I TASed this. This person's a great TASer. You'll hear me say the word TAS throughout the whole talk. Now, the history of tool-assisted speedruns is kind of interesting. Back in the 90s, the game Doom came out, and it had a quick-save button and a quick-load button, because let's face it, it was kind of a hard game, and you were likely to die a lot. Well, they added re-recording tools, and that allowed you to play through a game and record your progress. And at a certain point, somebody figured out you could do it in slow motion and keep loading the save states over and over again until you got a pretty good completion, and in 1999, roughly, Doom Done Quick came out and completed the entire first game in 19 minutes and 41 seconds. This was followed up by a couple of other ones; there's a 14-minute and 2-second completion of Doom 2, for instance. So it's definitely been one of the first widely known tool-assisted speedruns. Now, in 2003, a video surfaced online from somebody named Morimoto, and it was a little bit, let's just describe it as controversial, because Mario was flirting with death, getting an insane number of 1-ups, literally walking through walls, and there was no context for where that video came from. Now, it had been posted on a Japanese website with appropriate annotations to describe that it was done with an emulator in slow motion with save states. But the context of the video was missing when the WMV file, in 2003, pre-YouTube days, got circulated around the Internet. And the problem was that it was taken as human skill on display. And really, tools meant hardware limits became the only limits. But if you don't say that you're testing the hardware limits, people get really upset.
So, TASing, it's kind of like the Dope Olympics. I mean, let's just be honest here. Competitors should admit to doping. Let's just be honest here. And videos made with TAS tools should be labeled. And there was a guy named Bisqwit who in 2004 created NESvideos to track tool-assisted speedruns the same way Speed Demos Archive was tracking in-game human completion times. Now, that's gone beyond just the Nintendo Entertainment System, this console here. It's now moved on to many, many consoles. There's now everything from modern consoles like the Nintendo Wii through handhelds at TASVideos.org. So, I know, live demo, we're only a few minutes into the talk, but let's do a live demo. I'll talk about the console verification part in a little bit, but just know that we made a game in an emulator. We set up a sequence of button presses, and I'm going to show you what those button presses are using TASBot. So this is where the video might go completely haywire, and I don't know what's going to happen. If you see somebody running from the side of the room, yeah, just bear with it. Woo! Anybody? Can you turn it down? Thank you. Whoa! I said turn it down, not crash it. I said that there was going to be at least one catastrophic thing. I wasn't kidding. I don't even know what happened there. I've never seen that happen before. And that is something you can quote me on, because it happens all the time. Alright, let's do this again. That's better. It's still pretty loud, but, whoa. What? Yeah, I don't think blowing in the cart will work, but hey, it worked last time. But I do want to make absolutely certain that I don't have, like, wires crossed or something funny going on with power, because obviously if there's not good ground, things could be weird. But let's just try the... There! There! I kind of want this one to work. This one should work. The only other thing I'm going to double check, just to make sure nothing else got funny.
The only other thing I can think of might be power, but we'll try this one more time. Oh, and we lost the signal, too. Hmm. Remember how I said live demos? At least one of them was going to go completely haywire? Well, I don't know where our tech guy is to fix this, and I'm not about to go touch it, so... At least it's... Yeah, I'm a little bit concerned here. So, what's that? Nah. Besides, this thing's durable. Well, welcome to the first live demo that goes wrong. That's okay. I'm going to do the rest of the demos entirely on the Super Nintendo, but of course we will have to get somebody in the room to fix the scrolling. But I'm very confused by that behavior. I've never seen it before. Welcome to doing something in front of a live audience. But that's okay. We'll just move on. This is going to cause a brief audio pop. I apologize in advance. All right. So, with any luck... Okay. So we probably are going to have rolling video at first. Or apparently no video. Okay, we can barely see it. So I'm going to keep going through some slides here. This was made with one of a number of emulators. There are several emulators out there. FCEUX. There's lsnes, which this run was made with. This is the Super Mario World game for the Super Nintendo. It is a very good emulator with a lot of useful tools in it. And I know that it's going to be impossible to see with the scrolling, but Mario is doing some really unusual things right now. Yes, he just got about four Yoshis. So it's kind of hard to see right now, but basically what's happening is we have the ability to back up and try things as many times as we like, and that means we can do things with frame precision. And right now what we're doing is lining up the object attribute map to be exactly the way we want it to be. Wow, that's getting worse. There we go. Good. Unfortunately, I think you're going to have to do that every single time. Sorry. Okay, so. Ah, to heck with the slides.
There are other recording frameworks. I made one called NetHack, TAS tools that we've used before. There's Hourglass for Windows things. I'm going to get this video anyway. It doesn't really matter. So this was done with a bsnes core, which is very, very accurate. And that's incredibly important, because in just one second, look at these visualization boards right here and right there. That's the actual button presses we're sending to the console. There we go. So, yes, TASBot plays Super Mario World. Yeah, I'm just going to skip all that. We'll come back to that some other time. So, TASBot plays Super Mario... what? Oh, I'm sorry. It's Super Mario Bros. in Super Mario... I get it. I said this was a live demo. If somebody wants to come up here, you can definitely play this if you wanted to. Except I forgot to bring the controller. Sorry, that won't work so well. This is fully playable. So we took Super Mario Bros., a game from the original Nintendo, and placed it on the Super Nintendo, which was never designed to have it. So we took a previous console run of this game and programmed it through the controller ports on completely unmodified hardware. Now, this was done by Masterjun, who set up the button presses, and by somebody named P4Plus2. And it's a really complex series of events, but there's a really good YouTube video by dotsarecool. That volume's kind of loud, but that's okay. Just ignore it. So, what you're basically seeing is he was going back and forth and rearranging objects in the object attribute map to basically write opcodes in RAM in such a way that when we did certain things, it treated the location in memory that the controller is stored in as something it should execute. And it did exactly that. It ran what we put on the controller and allowed us to, well, you can either trigger the credits or you can take it one step further and do crazy stuff. But that's not good enough. This ran at 184 kilobits per second, which is nice. It's cool.
But we can do better. And we're going to. So I'll need to restart, which means that it's probably going to mess up the video. One of the interesting things about the original consoles is that they are running at a resolution best described as 240p. They played trickery with CRT TVs. So we have had a lot of trouble getting capture to work. It's actually been a bit of a pain. So I just erased the save game, and that's going to prepare me for doing another run. Let's see. Alright, here we go. So this is the same game, and this time, oh good, the video isn't rolling right off the top. Okay, this is good. If we're lucky, it'll stick with us unless we switch consoles. So this is the exact same game, but if you're able to see it, you'll notice that the video is going to be using a slightly different technique. This is a different exploit than the first one. Yes, there's more than one way to blow up Super Mario World. And this one is going to use a slightly different technique. So, in one of my earlier slides, I was talking about the different devices that we have. Well, the newest device we have is a board called the TASLink board, and it has a very high data rate. The previous boards were made by somebody named True, who's actually a DEF CON regular, and True's board was able to hit 184 kilobits per second based on his multireplay board. This one is using an FPGA from Papilio, and we're able to achieve data rates much higher than that, which you'll see here in a second as soon as he gets done screwing around with this Chargin' Chuck. Right about here. I love this scene right here. Just watch what he does to this Chuck. There we go. That is an image that was written to the console at 900, and I want to say 920, kilobits per second. Keep in mind that the maximum rate that these consoles usually ran at was about 480 bytes per second, and that was like the most. So, for us to shove that much data through it is kind of impressive.
I'm amazed that this console manages to hold up. I need to actually back up a little bit and cover a few things that I skipped over. So, I'll just go to here. There were a bunch of early console devices. True was the first person to attach a console and get it to do button presses, and it's actually a very simple protocol, especially for the original Nintendo. One of the things I was going to talk about in the original video I planned: there are only five wires. There's just five volts and ground. There's a latch wire that says, latch, hey controller, I'm about to ask you what buttons you're pressing. Clock, give me the first button. Is A being pressed? One or high voltage if yes, none or zero for no. And the only other line is a serial data line out from the controller sending that information back to the console. So, what this guy here does is pay attention to that feed and send appropriate responses. So, the first device that this was tested with was all the way back in 2009, in a board from True. But in 2011, someone named micro500, who also built this TASLink board, made a device called the NESBot based on a breadboard, which you can see here in the lower corner, that was able to complete Super Mario Bros. 1. And it was used at one of the very early Summer Games Done Quick events to complete Wizards & Warriors III and Super Mario Bros. 2, although somewhat comically. And by the way, what you see on the screen, I know it's really tiny, but there are just a very few number of people in the audience. This was one of the early Summer Games Done Quick events that didn't have very many people. Now this room would be looking a little bit more like DEF CON here. There were a couple of other boards. There was a Droid64 bot that could do N64 games, and micro500 made one of his own in 2012 using a Propeller board. But TASBot, this guy here, a R.O.B. holding a random device with Legos on it, that kind of happened a little bit later.
So in 2013, we had an opportunity to again go to Awesome Games Done Quick and present. And True built a device from scratch based on a Microchip device. And it was a very, very good device in the sense that it was streaming capable, very inexpensive, a little bit fidgety with wiring because of the screw-down blocks that we used, and it had somewhat limited data rates. But we were able to do some really impressive things on that. One of the first things we did was Snake and Pong on top of Super Mario World. Well, this was like the first prototype. I just zip-tied them together. I eventually took some Legos, shoved them together, and I called it ROBerry Pi, because at that point it was being fed by a Raspberry Pi. I posted this run on Awesome Games Done Quick saying, hey, I want to go to the event. And immediately MechaRichter says, hey, I want to see some of that TASBot action. It exploded. I never called this guy TASBot. It just happened. So TASBot is nothing more than a R.O.B. robot from the 1980s that was shipped with the original Nintendo console so that it didn't look like an old Atari video game console, with some Legos and a replay device. And that's pretty much it. Now, the multireplay device is the one I mentioned earlier that was capable of putting Super Mario Bros. inside of Super Mario World. And there were also some other really interesting developments. There's a Game Boy player, and there's one I haven't mentioned here that's able to play DS games. So we already went through all of this. I'm going to fast forward. But I really want to, oh, and by the way, the faster data rates also allowed us to play Super Mario Bros. 1, 2, 3 and Lost Levels at the same time with the exact same sequence of button presses, completing at about the same second. It was really quite impressive. Very, very crazy. We just did that a few weeks ago at Summer Games Done Quick. So I want to step back for a bit. I don't know how I'm doing on time.
Okay, I'm doing alright. I'm actually doing just fine on time. I want to really step through and go into a deep dive into one of these exploits and really break it down so that you can kind of understand some of the sequences we go through. So I'm going to start with a game called Pokemon Red. Now, Pokemon Red is a really broken game. You'll see how broken. Like, it's really broken. But a handheld Game Boy is kind of difficult to wire into. Now, we've done it, but it's not exactly a lot of fun. So this is a Super Game Boy cartridge. This has an entire Game Boy processor, a Z80 processor, code-named DMG, inside of this cart. And it communicates with the Super Nintendo and allows us to, oh, great. Right when I need to swap video. I don't know where he went. Alright, well, I hope it works. So that allows it to use the controllers, which is great for us. It means I don't have to touch anything. Now, I have a wire here. And this wire is kind of an interesting little thing. There we go. Alright, that's already fully baked. This wire has a little expansion port connector. On the underside of the console there is this not very often used expansion port. They eventually used it for a cancelled project that connected a CD drive to this thing, but it was never really implemented. Now we're using it because it exposes a reset pin that we kind of want to play with. Play with. Yeah, I'll go with play with. So, and hopefully my video signal stays. Any luck? Yay, alright, we're good. And we don't really need a lot of audio for this one. I like the game audio, but I've got to tell you, when I was testing this I listened to it over and over and over again, and I got really tired of it. So what's happening right now? We're going to delete the contents that were there previously. And there we go. And we're going to start a new game, and we're going to set very specific parameters.
So, unfortunately, this is kind of slow menuing. It takes a while to get there, so I'll kind of explain in advance. We're going to name the player's character Red, and we're going to name the rival a very unusual name. We're going to name him RXRXPK. There's actually a PK symbol. And the reason we do this is we need to preset certain memory values to be in our advantage that we'll be using again later. So, yeah, we're about to start our adventure, except we're not going to bother getting very far into it before we save. So we're going to save, and bam. So what we just did is we reset while we were saving the game. Now, I don't need this wire anymore, so I'm going to pull it out. That allowed us to write a completely valid game header that said, yes, your player's name is this, your rival is this, you have, wait, how many Pokemon did we have? Oh, we left FFs in there. Oh, well. So you can kind of see where we're going here. Alright. So now we're going to start and load the save game we just made. So again, this is kind of slow; it'll take a little while to get here. I'm going to get ahead of myself because this section goes rather quickly. There's just a lot to explain. So what we're going to do is load the save game we just created, and it is a valid save game, but the list of how many Pokemon we have says we have 255, and that allows us to go beyond the area of memory we would normally be able to go to, and right here you'll see we swapped Pokemon over the area of memory that contains our items. Now, that means that we have to do a couple of other switches so that we don't crash the game, by the way, but I'll get to that in a second. That means that we can now delve into our item list, and you can see here there are some items that are stored as a two-byte pair: one byte to say what the item's name is and one byte to say what the quantity of it is. So we just tossed, well, now we're switching where items are to move them in memory, but we just tossed some of an item.
We're going to do it here. So, TM25, we're going to toss 24 of those. Well, whatever value we started with in memory, we've just thrown out a bunch of items and we've reduced that memory by 24 in RAM. So this allows us to directly manipulate memory, but we can only manipulate every other byte. Fortunately, if we go back and swap Pokemon like we're doing right here, it offsets memory by an odd number. So what used to be an identifier is now a value, or quantity value, that we can then throw away. So now we can write everything in memory, but we have to be very careful, because some items, if you throw away every item of that category, you can never touch again. Some items, if you throw them away, will crash the game, and some items will crash the game simply if you look at them. Not so helpful. So there's also another thing that we're doing here. We're obviously writing bytes in memory in order to create a routine that will allow us to read from what's on the controller and store it in memory. The problem is the Super Game Boy cancels up and down, and left and right. So if you try to press both those buttons at the same time, they just get zeroed out. So to get around that, the routine we're writing right now, we're literally writing a program as you see, reads, stores it in memory, reads again, stores it in memory, does a subtract between the two, stores the result in RAM in one position, and then keeps writing one after another. And when it gets to the end, it writes over a jump sequence to go execute what it just wrote. And what it's writing right now, which you'll be able to see on these visualization boards, is a rather substantial payload. And it takes quite a while to write it all. Bam. Alright. So, anybody recognize that? Has anybody ever been to Twitch.tv? Well, get your smartphones ready. This is the live demo part. This is the part I like the most. Oh, you know what really, really helps? It really helps if you actually have an internet connection when you try this.
So we have to take a quick pause and hope that this cable reaches, without causing anybody too much pain. So, yes, we really are going to connect a 25-year-old console to the internet. And you get to ask your Q&A over the chat session if it works. Nice. We've already got some action here. Alright, somebody type something and it will appear on the screen, I assure you. So, what you need to do is, let me quickly get here. I will actually type out the address. Oh, you can't type URLs, and there's a swear filter on here. Have fun defeating that. It can be hacked. This code is all in PPTIRC on Git. You can find the swear filter in there and defeat it to your heart's content. This is DEF CON. Have fun. Knock yourselves out. So, here's what we're going to do. I'm going to talk about a couple of other things. Let's see if I can find the channel that everybody is in. I know I've got it in here somewhere. There it is. Oh, wait a minute. I know what's happening. We're playing back a screenplay, because I never moved the file over. So, what you're actually seeing on screen, because I couldn't see it down here, you're seeing the exact text that we put on screen at Awesome Games Done Quick 2015. It was an entire screenplay of conversation. I'm just going to let it run, because it's actually kind of stupid. Poorly written and then hilarious. I had my own script of things I was supposed to say, and I never did, because it was just too awkward. So, yes. We did a full article on this in the journal Proof of Concept or Get the Fuck Out. I didn't name the journal, but the journal is absolutely fantastic. You can find a full write-up written by myself, Ilari, the author of the emulator, and P4Plus2, the author of the chat interface, in PoC||GTFO issue 10. Just search Google for that. It's mirrored all over the place. There are a lot more details than what I covered here. By the time we get done doing all of this, we escape the Super Game Boy.
We tell the Super Game Boy that we want to execute something in the Super Nintendo's memory space, and it lets us do it, because there's actually a command that lets you do that. There are only one or two games that ever actually took advantage of that feature, but it's there. Once we get to the Super Nintendo, we're no longer limited to one byte per frame. In fact, we were at one point only able to do a nibble a frame, because we had to subtract them together to get around the button limitations. So what we ended up doing is, after we get to the Super Nintendo, we get to a data rate of two bytes per controller, and we tell it, oh, you actually have a multitap attached, so you have two controllers on the first controller port and two on the second, so you get eight bytes per frame at 60 frames per second. So that gets us about 480 bytes a second, if I did my math right. But that still wasn't enough, so we told it, oh, and don't just read once per frame, read eight times per frame, 60 times a second. So that gets us to a data rate of 3.8 K per second or so. DDEFFO44. Well, we're in somewhere, I just don't know where we're at. Oh yeah, there's me. I just typed "test" and it worked. So there's all kinds of crazy going on, but that's okay. This is going to be at the end of the pre-recorded input in just a second here. While that's playing through, there are so many more details of this. There's a block loader we program in afterwards. It's just a really, really intense, technically challenging process that we had to go through to do this. Did FrankerZ come through? Wow. So, it looks like because I ran the wrong script, it's getting some characters out of order. Like, hilariously out of order. Hack the planet, huh? Wow. That's, like, hilariously funny. This wouldn't be a live demo without things failing. So let's keep going. So this is my call to action. If you want to join in on the fun, you can go to twitch.tv/dwangoAC.
I am going to go ahead and, well, that's a lot of FrankerZ. Twitch the Twitch. Well, it's a little bit messed up, but I can at least see it on my screen here, even if it's not completely correct there. Oh, well. Go ahead and ask any Q&A questions you have in the chat. So again, you can go to twitch.tv/dwangoAC. Subscribe while you're there if you like. I don't care. But there's one other thing I want to talk about. We recently found a very, very interesting glitch in Super Mario Bros. 3 that I wish I could show you on the real console. What we found out is that it is possible to go from boot to the ending of the game in literally 16 frames. I'm not kidding. It does take quite a few button presses per second to do it. And it doesn't exactly treat the palettes very nicely. Not everything gets loaded into RAM. But it is a valid completion of the game. It goes to the end credits. So this happens because of an interesting choice they made. Ten minutes? Got it. So, when they released this Nintendo hardware, the original NES in America, they had a problem. They released the hardware and then discovered that if a game used DPCM audio and the controller was asked for what values it was holding at the same time, there was a collision on the bus and the controller input may or may not be dropped. So to get around it, they asked the controller for input. Two milliseconds later, they asked the controller for input again. And if it's different, they ask again. And if it's different from the previous, they ask again. And if it's different from the previous, they, you can kind of see where this is going, right? Infinitely. This allowed us to keep giving the console a different response for what buttons we were holding every other time that it asked for input.
We tied it up until the next frame's processing started, for the raster input that displays a status bar at the bottom of the screen. And we were still keeping it busy with this other loop. So what ends up happening is it drops execution right at the bottom of the stack and slides across a series of breaks and no-ops directly into the addresses where the controller data is stored. So on the second frame, instead of screwing with it and giving it different input, we correctly give it input like it's expecting. So what happens is that the value is stored as a byte in memory and treated as an opcode, and we type the value that says jump to, and on the second controller, we type the value that says end credits, or the address of the end credits. So in fact, we literally tell it to jump to the end credits 16 frames, or around a quarter of a second, after starting the game. Now, this is possible because of tools like Binary Ninja. And I had plans to do a full demo, and I'm being told I've only got 10 minutes, but Binary Ninja is definitely a lot more flexible than IDA, because there's some ability to add in other mappers, it can handle the 6502, it can show all kinds of useful things. And we were able to find the actual program code where the controller was being polled and figure out what it was doing and find the exploit. So, am I cheating? No, I'm not really cheating. I'm just looking for technical challenge and visual entertainment. And all of us are. I'm the presenter, I'm the organizer of the Games Done Quick events, but this is so much more difficult than anything I could do on my own. There's one person who's really good at hardware, there's one person who's really good at emulation, there's one person who's really good at making the actual replay movie files.
There's one person who's a really great glitch finder. You know, it takes a lot of different people. And why do we do it? Because we've been able to raise over $200,000 for charity between the five different events we've done at Games Done Quick events. And just this summer, yeah. That's really what motivates us. Just this summer we had an hour block of time at Summer Games Done Quick 2016, and in an hour we raised $40,000 for Doctors Without Borders, and the marathon as a whole raised $1.3 million, and that's a huge success. So I'd like to thank Mike, micro500. He made the TASLink board here. Ilari made the lsnes emulator and also heavily contributed to the block loader and a lot of other things that worked for Pokemon Plays Twitch, which is what you're seeing here. This is Pokemon Red playing a Twitch chat. P4Plus2 wrote the actual Twitch chat. Masterjun is the one that figured out the exact sequence of orders of placing everything. True, of course, made the earlier devices. Total is the one that found the Super Mario Bros. 3 glitch. psifertex and Rusty are behind Binary Ninja. ais523 helped with the DPCM glitch info. Ange was hugely helpful in getting these slides put together and helped on the proof of concept article. Greenfly helped me set up today. There are a lot of other people at TASVideos.org that I don't even have remotely enough time to mention. So now, let's see if there's actually any sanity in this chat and see if there's an actual question I can answer. It's Twitch! No, they can't... Oh, I am Error. Kappa. So if you do want to ask a question, I have exactly five minutes? I believe? Five minutes? Wow, somebody's got some potty mouth. Pretty good latency. Yep, I imagine. How many viewers do I have now, anyway? I'm looking at Twitch chat via IRC, because that's how this bot works. Let's see. Are there any serious questions? Have you ever seen a zombie come to tea? No.
That's a very interesting... Is this easy mode? Not exactly. Uh, what's your favorite sandwich? I have no idea. Probably chicken pesto. What the heck? Okay, when I said Q&A, I meant Q&A about, like, this? Drinks later. Yes! Drinks later, definitely. I'll be standing over there. I'm gonna need one after this talk. Um, um, do I know what I am doing? No, sort of. Um, are they under the truck? Um, how does the bot work with timing? Okay, this is a very good question. This is the first serious question I've seen. So, on the original Nintendo, I mentioned that it actually asks for input more than once per frame, because it has to make sure that it's not running into this DPCM glitch. On many games, not all, but many, any that use DPCM audio. So that means that we have to put it in a windowed mode, and we have to ourselves keep track of which frame we're on. And in fact, that's the secret to all of these runs anyway, is a tool-assisted speedrun, which is typically run on an emulator rather than on the original hardware, is nothing more and nothing less than a series of button presses showing every frame's worth of input, one frame after another. So, we're able to convert that to run on a console, but we do have to pay attention to the little nuances that the console is going to ask more than once. So we have to keep track of which frame we're on and send it only the right input. Save or kill the animals. TASBot always kills the animals. If any of you guys know what that reference is. So there's save the frames, or save the animals, or vice versa. At GDQ events, they always play Super Metroid with usually a two to four player race, and inevitably, there's up to $200,000 contributed of people watching and donating on either side for the donation incentive. If they decide to kill the animals because more donations went to that, they bypass going to release some animals that are trapped on the planet before they leave the game, which is faster and saves frames.
If they have to save the animals, it wastes time. Can you use this for malicious use? Yes, that's the whole point. In fact, one of the reasons that we want to do this, and I'm going to see if I can find this, I'm going to have to go back like crazy because I've got so many slides here. The primary point I actually wanted to make, and I'm really glad that somebody reminded me of this, is that the difference between the tool-assisted speedrun community and the InfoSec reverse engineering community really isn't that substantial. A saved state in an emulator is nothing more than a VM snapshot. A glitch is just a vulnerability waiting to be exploited. An arbitrary code execution is doing just that. Console verification, in a lot of ways, it's kind of like an evil maid attack. We're acting like a normal controller, but we don't exactly have the best intentions. So, a tool-assisted speedrun, because the emulators have so many tools to be able to step forward, look deep into memory, look at all the aspects of the CPU registers, every last iota of what's going on, and the ability to try things over and over again, it is a fantastic place to start looking for glitches in games and start looking for and refining techniques for reverse engineering. So I encourage you, go to tasvideos.org, check that out. I'm just going to hold this down until I get to the end. If there's one last serious question, I might answer that, but I have a funny feeling about this. Where can I catch Mewtwo? I have no idea. More games soon, yes. We'll be doing another round at Awesome Games Done Quick 2017. More information at gamesdonequick.com. And I think I'm just going to wrap up with this last question. How do you mine for fish? Do I play Pokemon Go? No, I don't, but I think it would be really funny if TASBot did. Let's see. Has it used tasks as to fuzz? Sort of, not really. We'll get back to you on that. Can you do something useful? Yes, I can do lots of useful things.
He can do all kinds of things. He can beat games really fast when everything works technically. What is my favorite TASBot exploit? I have to say it's got to be this one. I mean, I know it's kind of other future consoles. Defcon is great now. Can we all agree on that? Alright. Alright. Yeah, Pokemon Plays Twitch by far is my favorite. I actively was involved in making the movie for that and had a deep part in the technical aspects of that. It's definitely my favorite. Hey, I want to thank everybody for participating. I'll leave the chat up. You guys can continue to talk. Thank you very much.
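The timing answer above (a console that polls the controller more than once per frame because of the DPCM glitch, a replay device in "windowed mode" that tracks which movie frame it is on) can be modelled in a few lines. This is an added example, not code from the talk or from the TASBot/TASLink project; the window length, the idea that every latch inside the window gets the same frame's byte, and the sample movie and latch times are all my assumptions, constructed to show why a naive "advance on every poll" replay desyncs.

```python
# Added example, not code from the talk or from the TASBot project: a model of
# the "windowed mode" frame tracking described in the timing answer.
# Assumptions (mine): the console latches the controller at arbitrary times;
# every latch within WINDOW_US of a frame's first latch belongs to that frame
# and gets identical data (so a DPCM-driven re-poll sees the same byte); a
# latch outside the window starts the next frame of the movie.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NTSC_FRAME_US = 16_683   # approximate NES frame period in microseconds
WINDOW_US = 8_000        # assumed window: well under a frame, well over a re-poll gap


@dataclass
class WindowedReplay:
    frames: List[int]                 # one controller byte per movie frame
    window_us: int = WINDOW_US
    frame_index: int = -1
    frame_start_us: Optional[int] = None
    log: List[Tuple[int, int, int]] = field(default_factory=list)  # (t, frame, byte)

    def on_latch(self, t_us: int) -> int:
        """Byte to shift out for a controller latch seen at time t_us."""
        new_frame = (self.frame_start_us is None
                     or t_us - self.frame_start_us >= self.window_us)
        if new_frame:
            self.frame_index += 1
            self.frame_start_us = t_us
        # Past the end of the movie: report no buttons pressed.
        byte = self.frames[self.frame_index] if self.frame_index < len(self.frames) else 0
        self.log.append((t_us, self.frame_index, byte))
        return byte


def windowed_replay(frames: List[int], latch_times_us: List[int]) -> List[int]:
    r = WindowedReplay(frames)
    return [r.on_latch(t) for t in latch_times_us]


def naive_replay(frames: List[int], latch_times_us: List[int]) -> List[int]:
    """Advance one movie frame per latch: desyncs as soon as a frame polls twice."""
    return [frames[i] if i < len(frames) else 0 for i in range(len(latch_times_us))]


# Constructed movie: three frames of input (bit layout illustrative only).
MOVIE = [0x80, 0x40, 0x20]
# Constructed latch times: frames 0 and 2 are polled twice, as a DPCM re-read would.
LATCHES = [0, 250, NTSC_FRAME_US, 2 * NTSC_FRAME_US, 2 * NTSC_FRAME_US + 250]

if __name__ == "__main__":
    print("windowed:", [hex(b) for b in windowed_replay(MOVIE, LATCHES)])
    print("naive:   ", [hex(b) for b in naive_replay(MOVIE, LATCHES)])
```

The windowed replay hands the same byte to both polls of frames 0 and 2 and stays on the movie's frame count; the naive replay has burned through the whole movie by the fourth poll.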