At the beginning of this year, we shared the story of how a classic NES Tetris player reached the game's "kill screen" for the first time, triggering a crash after an incredible 40-minute, 1,511-line performance. Now, some players are using that crash (and some complicated memory manipulations it allows) to code new behaviors into versions of Tetris running on unmodified hardware and cartridges.
We've covered similar "arbitrary code execution" bugs in games like Super Mario World, Paper Mario, and The Legend of Zelda: Ocarina of Time in the past. And the basic method for introducing external code into NES Tetris has been publicly theorized since at least 2021, when players were investigating the game's decompiled code. (HydrantDude, who has gone deep on Tetris crashes in the past, also says the community has long had a privately known method for taking full control of Tetris' RAM.)
But a recent video from Displaced Gamers takes the idea from private theory to public execution, going into minute detail on how to get NES Tetris to start reading the game's high score tables as machine code instructions.
Fun with controller ports
Taking over a copy of NES Tetris is possible mainly because of the specific way the game crashes. Without going into too many details, a crash in NES Tetris occurs when the game's scoring routine takes too long to calculate a new score between frames, which can happen after level 155. When that delay occurs, a portion of the control code is interrupted by the routine that draws the next frame, causing it to jump to an unintended portion of the game's RAM to fetch its next instruction.
Typically, this unexpected interruption causes the code to jump to the beginning of RAM, where garbage data is read as code and usually causes a quick crash. But players can manipulate this jump thanks to a little-known quirk in how Tetris handles potential inputs when running on the Japanese version of the console, the Famicom.
Unlike the American Nintendo Entertainment System, the Japanese Famicom shipped with two controllers hardwired to the unit. Players who wanted to use third-party controllers could connect them via an expansion port on the front of the system. The Tetris game code reads inputs from this "extra" controller port, which can include two additional standard NES controllers by way of an adapter. (This is true even though the Famicom got a completely different version of Tetris from Bulletproof Software.)
It just so happens that the RAM area Tetris uses to process this additional controller input is the same memory location used by the jump routine we discussed earlier. So when that jump routine is interrupted by a crash, that RAM will contain data representing the buttons being pressed on those controllers. This gives players a potential way to precisely control where the game code goes after the crash is triggered.
Coding in the high score table
For Displaced Gamers' jump control method, the player must hold "up" on the third controller and right, left, and down on the fourth controller (this last combination requires some controller manipulation to allow simultaneous left and right directional input). Doing so sends the jump to an area of RAM that contains the names and scores for the game's high score list, providing an even larger area of RAM that the player can directly manipulate.
By placing "(G" in a specific part of the type B high score table, the player can force the game to jump to another area of the high score table, where it will begin reading the names and scores sequentially as what Displaced Gamers calls "bare metal" code, with the letters and numbers interpreted as opcodes for the NES CPU.
Unfortunately, there are only 43 possible symbols that can be used in the name entry area and 10 different digits that can be part of a high score. That means only a small portion of the NES's available opcode instructions can be "typed" into the high score table using the available attack surface.
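The constraint described above is the same one that alphanumeric shellcode faces on x86: every byte of the payload, operands included, has to be drawn from a small alphabet, and only the 6502 opcodes whose byte values happen to fall in that alphabet are usable. The script below is an added example written for this article, not code from Displaced Gamers or from the game. It builds the documented 6502 opcode table, reports which instructions an attacker can form from a given byte alphabet, and disassembles a candidate payload while rejecting any byte the alphabet cannot produce. The article does not say which byte values Tetris stores for each name character or score digit, so the sample alphabet (uppercase ASCII letters and digits) is a constructed stand-in; substitute the real tile values to get the real reachable set.

```python
"""Constrained-alphabet 6502 code analysis (added example, not the article's code).

Assumption: the NES CPU runs the documented 6502 opcode set (the 2A03 lacks
BCD arithmetic, but the opcodes themselves are unchanged). The sample alphabet
is a constructed stand-in; the game's real character-to-byte mapping is not
given in the article.
"""
from __future__ import annotations

_LEN = {"imp": 1, "acc": 1, "imm": 2, "zp": 2, "zpx": 2, "zpy": 2, "izx": 2,
        "izy": 2, "rel": 2, "abs": 3, "abx": 3, "aby": 3, "ind": 3}


def _build_opcode_table() -> dict[int, tuple[str, str, int]]:
    """Return {opcode: (mnemonic, addressing mode, instruction length)} for all 151 documented opcodes."""
    t: dict[int, tuple[str, str, int]] = {}

    def put(op: int, mn: str, mode: str) -> None:
        t[op] = (mn, mode, _LEN[mode])

    # Group cc=01 (opcode bits aaabbb01): eight ALU ops, eight addressing modes each.
    for a, mn in enumerate(["ORA", "AND", "EOR", "ADC", "STA", "LDA", "CMP", "SBC"]):
        for b, mode in enumerate(["izx", "zp", "imm", "abs", "izy", "zpx", "aby", "abx"]):
            if mn == "STA" and mode == "imm":
                continue  # $89 is not a documented opcode
            put((a << 5) | (b << 2) | 1, mn, mode)

    # Group cc=10 (aaabbb10): shifts/rotates, STX/LDX, DEC/INC, plus the implied ops in the gaps.
    for a, mn in enumerate(["ASL", "ROL", "LSR", "ROR", "STX", "LDX", "DEC", "INC"]):
        base = (a << 5) | 2
        put(base | 0x04, mn, "zp")
        put(base | 0x0C, mn, "abs")
        if mn in ("ASL", "ROL", "LSR", "ROR"):
            put(base | 0x08, mn, "acc")
        put(base | 0x14, mn, "zpy" if mn in ("STX", "LDX") else "zpx")
        if mn == "LDX":
            put(base, mn, "imm")
            put(base | 0x1C, mn, "aby")
        elif mn != "STX":
            put(base | 0x1C, mn, "abx")
    for op, mn in [(0x8A, "TXA"), (0xAA, "TAX"), (0xCA, "DEX"), (0xEA, "NOP"), (0x9A, "TXS"), (0xBA, "TSX")]:
        put(op, mn, "imp")

    # Group cc=00: BIT/JMP/JSR/STY/LDY/CPY/CPX, the eight branches, and stack/flag/register ops.
    for op, mn, mode in [(0x24, "BIT", "zp"), (0x2C, "BIT", "abs"), (0x4C, "JMP", "abs"),
                         (0x6C, "JMP", "ind"), (0x20, "JSR", "abs"), (0x84, "STY", "zp"),
                         (0x8C, "STY", "abs"), (0x94, "STY", "zpx"), (0xA0, "LDY", "imm"),
                         (0xA4, "LDY", "zp"), (0xAC, "LDY", "abs"), (0xB4, "LDY", "zpx"),
                         (0xBC, "LDY", "abx"), (0xC0, "CPY", "imm"), (0xC4, "CPY", "zp"),
                         (0xCC, "CPY", "abs"), (0xE0, "CPX", "imm"), (0xE4, "CPX", "zp"),
                         (0xEC, "CPX", "abs")]:
        put(op, mn, mode)
    for i, mn in enumerate(["BPL", "BMI", "BVC", "BVS", "BCC", "BCS", "BNE", "BEQ"]):
        put(0x10 | (i << 5), mn, "rel")
    for i, mn in enumerate(["PHP", "PLP", "PHA", "PLA", "DEY", "TAY", "INY", "INX"]):
        put(0x08 | (i << 5), mn, "imp")
    for i, mn in enumerate(["CLC", "SEC", "CLI", "SEI", "TYA", "CLV", "CLD", "SED"]):
        put(0x18 | (i << 5), mn, "imp")
    for op, mn in [(0x00, "BRK"), (0x40, "RTI"), (0x60, "RTS")]:
        put(op, mn, "imp")
    return t


OPCODES = _build_opcode_table()

# Constructed stand-in for the bytes a player can enter; not the game's real encoding.
SAMPLE_ALPHABET: set[int] = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def reachable_instructions(alphabet: set[int]) -> dict[int, tuple[str, str, int]]:
    """Opcodes whose byte value the attacker can write with the given alphabet."""
    return {op: info for op, info in OPCODES.items() if op in alphabet}


def decode(payload: bytes, alphabet: set[int], base: int = 0) -> list[tuple[int, str, str, int | None]]:
    """Disassemble payload as (address, mnemonic, mode, operand), rejecting any
    byte outside the alphabet, operand bytes included, since the whole sequence
    must be enterable through the high score table."""
    out: list[tuple[int, str, str, int | None]] = []
    pc = 0
    while pc < len(payload):
        op = payload[pc]
        if op not in alphabet:
            raise ValueError(f"byte ${op:02X} at +{pc} cannot be entered")
        if op not in OPCODES:
            raise ValueError(f"${op:02X} at +{pc} is not a documented 6502 opcode")
        mn, mode, length = OPCODES[op]
        operand_bytes = payload[pc + 1:pc + length]
        if len(operand_bytes) != length - 1:
            raise ValueError(f"{mn} at +{pc} runs past the end of the payload")
        for b in operand_bytes:
            if b not in alphabet:
                raise ValueError(f"operand byte ${b:02X} of {mn} at +{pc} cannot be entered")
        operand = int.from_bytes(operand_bytes, "little") if operand_bytes else None
        out.append((base + pc, mn, mode, operand))
        pc += length
    return out


def is_encodable(payload: bytes, alphabet: set[int]) -> bool:
    """True if payload decodes cleanly using only alphabet bytes."""
    try:
        decode(payload, alphabet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for op, (mn, mode, _) in sorted(reachable_instructions(SAMPLE_ALPHABET).items()):
        print(f"${op:02X} {chr(op)!r:5} {mn} {mode}")
    for addr, mn, mode, operand in decode(b"8HLAA", SAMPLE_ALPHABET, base=0x0700):
        print(f"${addr:04X}  {mn} {mode}" + (f" ${operand:04X}" if operand is not None else ""))
```

Run as a script, the listing shows how thin a letters-and-digits alphabet leaves the instruction set: a handful of EOR, AND, LSR and ROL forms, SEC, CLI, PHA, two branches, and an absolute JMP whose target address must itself be spelled from alphabet bytes. That JMP-with-constrained-operand is exactly why a pivot like the "(G" entry matters: the first gadget only has to reach a region where a richer payload has already been laid out.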