This is what society gets for not using open knowledge: some of its best minds will be bound to waste endless hours reversing some useless technology.
With that said, even when you do have the source code, reading run logs and using debuggers are a sort of reverse engineering at heart.
One of the most jaw-dropping reverse engineering projects Ciro has ever seen is the Super Mario 64 reverse engineering project.
OMG, both the emulator and the native ports listed below just fucking work on Ubuntu 20.04 following the README instructions, it is unbelievable, those people don't have lives. And the emulator build produces a ROM that is byte-for-byte identical to the original, from source!
There are a few different versions:
- github.com/n64decomp/sm64: for emulators (or real hardware), tested at 9214dddabcce4723d9b6cda2ebccbac209f6447d
- github.com/sm64-port/sm64-port: Ubuntu native port, tested at 6b47859f757a40096fedd6237f2bc3573d0bc2a4. Full screen with F10.
- github.com/sm64pc/sm64ex: fork of sm64-port, untested by Ciro Santilli, but with more amazing usability features, notably:
  - --skip-intro: skips the annoying pipe intro and the need to wait for Lakitu to bring Peach's message!
  - in-game menu:
    - cheats:
      - hide HUD!
  - no level selection yet, but a matter of time?
Also reported to work on ARM: www.reddit.com/r/linux/comments/ityg6w/pinephone_playing_super_mario_64_30fps/
They also ported it to the browser with Emscripten: github.com/sm64pc/sm64ex/wiki/Compiling-for-the-web
Tested with the USA ROM at sha1sum 9bef1128717f958171a4afac3ed78ee2bb4e86ce (you need a ROM to extract assets, which the project automates), which is also documented in the project itself: github.com/sm64-port/sm64-port/blob/6b47859f757a40096fedd6237f2bc3573d0bc2a4/sm64.us.sha1. Disclaimer: Ciro Santilli owns a copy of Super Mario 64.
The only dependency missing from Ubuntu packages is QEMU user mode for IRIX binaries, which the project needs to run the original SGI toolchain. The project also has a QEMU fork for that, and provides a working deb.
From this project it was also noticed that certain ROM releases were not compiled with optimizations enabled, presumably because the compiler of the time had optimization bugs and nobody wanted to risk that in a release title: www.resetera.com/threads/so-apparently-the-ntsc-build-of-mario-64-didnt-use-any-compiler-optimizations.166277/ But now that there is a working compiler, flipping that switch increases FPS in certain levels!!!
It is good to know that this game will "never die".
Some quick stupid patches:
- jump really high:
diff --git a/src/game/mario.c b/src/game/mario.c index 5b103fa..83c9f40 100644 --- a/src/game/mario.c +++ b/src/game/mario.c @@ -826,7 +826,7 @@ static u32 set_mario_action_airborne(struct MarioState *m, u32 action, u32 actio case ACT_JUMP: case ACT_HOLD_JUMP: m->marioObj->header.gfx.unk38.animID = -1; - set_mario_y_vel_based_on_fspeed(m, 42.0f, 0.25f); + set_mario_y_vel_based_on_fspeed(m, 200.0f, 0.25f); m->forwardVel *= 0.8f; break;
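Review bot: the replacement value 200.0f in the ACT_JUMP / ACT_HOLD_JUMP case is a bare magic number with no comment, and the hunk leaves the 0.25f argument and the `m->forwardVel *= 0.8f;` damping untouched, so only the initial vertical velocity of a plain (or held-object) jump changes; add a comment marking it as a deliberate gameplay tweak, and if the other jump types handled by set_mario_action_airborne should scale too, extend the change to their cases rather than this one alone.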
Interesting entry points:
src/game/game_init.c
TODO: enable the level select debug feature! tcrf.net/Super_Mario_64_(Nintendo_64)/Debug_Content#Classic_Debug_Display They actually shipped quite a few debug features into the retail game, and they have been reversed too. I tried this but it didn't work (or I don't know how to enable the level select menu):
diff --git a/src/game/main.c b/src/game/main.c
index 9e53e50..b7443a8 100644
--- a/src/game/main.c
+++ b/src/game/main.c
@@ -65,7 +65,7 @@ s8 sAudioEnabled = 1;
u32 sNumVblanks = 0;
s8 gResetTimer = 0;
s8 D_8032C648 = 0;
-s8 gDebugLevelSelect = 0;
+s8 gDebugLevelSelect = 1;
s8 D_8032C650 = 0;
s8 gShowProfiler = FALSE;
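Review bot: changing the static initializer of gDebugLevelSelect from 0 to 1 only sets its value at load time; if the init or reset path writes the variable again, or the level select is gated on a further condition, this single-line edit has no visible effect, which would explain the "didn't work" observation above. Before concluding the feature is broken, grep the tree for every write to gDebugLevelSelect and for the code that reads it, and set the value (or the condition around it) at the point where it is consumed.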
The enhancements/ folder contains a few sample patches.
Some tutorials on hacking it:
- www.youtube.com/watch?v=Jkb7Naczoww SM64 Decomp Tutorial 1: Setting Up and First Code Changes by Bitlytic (2021)
- www.youtube.com/watch?v=IuIpqX4neWg Rovert Decomp Tech Demo by Rovert (2019) Metal cap makes Mario huge.
- www.youtube.com/watch?v=5aG1Iyjo20w Is it Possible to Beat Super Mario 64 as Tiny Mario? (Mini Mario Challenge) covers the obvious make Mario huge/tiny hack. Huge Mario version: www.youtube.com/watch?v=pR_gol6zlIo. There was a pre-decompilation ROM hack doing that trivial change already: Tiny Huge Mario 64. Sample tool-assisted speedrun: www.youtube.com/watch?v=C7BjzZ_Nkk0
To some extent, the ultimate achievement of a TAS is to achieve arbitrary code execution (ACE) on a game, although this has been becoming rarer and rarer on newer consoles. The Nintendo 64 is the current interesting ACE discovery frontier as of 2020.
Once ACE has been found, the remaining categories tend to rely on more subtle, more geometric tricks such as clipping through walls, but those can still be fun.
The most beautiful TAS content ever made are:
- Super Mario 64
  - Super Mario 64 A press challenge
  - 1-key any percent run:
    - 2016 emulator run: www.youtube.com/watch?v=TkOkJvLKxUY
    - AGDQ 2018 commented TASBot console verification: www.youtube.com/watch?v=xvWOLT9G6tM
    - Why we need one key: gaming.stackexchange.com/questions/249969/in-mario-64-speedruns-why-are-the-keys-necessary/351595#351595
  - related: Super Mario 64 reverse engineering project
- Super Mario World for the SNES arbitrary code execution
  - www.youtube.com/watch?v=OPcV9uIY5i4 with in-game programmed Pong and Snake, 2014
  - www.youtube.com/watch?v=HxFh1CJOrTU Seth Bling does the credits warp manually in about 3 minutes, 2015. Later reduced to less than 1 minute: www.youtube.com/watch?v=Jf9i7MjViCE
  - www.youtube.com/watch?v=voL3e0iqugo ACE was initially not forbidden by the 11 exit rules, so Seth did a manual in-game ACE that programs an in-game accessible "exit stage now" functionality!!! This was later forbidden of course, but it was fun while it lasted.
  - then he injected a Flappy Bird clone manually!!! www.youtube.com/watch?v=hB6eY73sLV0, 2016
- Ocarina of Time
  - 2020 ACE via use after free, including a non-TAS credits warp faster than the 2016 wrong warp glitch: www.polygon.com/2020/1/24/21080568/zelda-ocarina-of-time-arwing-spawn-video-speedrun-credits-ace-cheat-code ACE was later reproduced in Majora's Mask, which has a similar game engine.
  - 2016 Zelda Ocarina of Time wrong warp glitch:
    - www.youtube.com/watch?v=uCO0jU66g3g 2016 video
    - www.youtube.com/watch?v=Gso4MuNSuV8 EZScape explains the glitch, 2016
- Zelda Majora's Mask debug menu
  - www.youtube.com/watch?v=2wdchm5Uwp4&t=2086s first video
  - www.youtube.com/watch?v=CCubcEgnD6A overview
It is also amusing to see console verification of emulator runs, e.g.: Video 1. "Super Mario 64 '120 Stars' in 1:20:41.52 Console Verified by Soul Umbreon (2012)".