Earlier this year, We told the story of a classic NES Tetris The player hit the game’s “kill screen” for the first time, triggering a crash after an incredible 40-minute, 1,511-line performance. Now some players are using this kill screen – and some complicated memory manipulations it enables – to encode new behaviors into versions of Tetris runs on unchanged hardware and cassettes.
We’ve reported similar arbitrary code execution bugs in games like… Super Mario World, Paper MarioAnd The Legend of Zelda: Ocarina of Time in the past. And the basic method of introducing external code into NES Tetris has been publicly theorized since at least 2021, when players examined the game’s decompiled code. (HydrantDude, who has delved deep into the subject Tetris Crashes in the past also says the community has long had a privately known method for taking full control Tetris‘ RAM.)
But a recent video from Displaced Gamers takes the idea from private theory to public implementation, going into great detail about how to get the NES Tetris to start reading the game’s high score tables as machine code instructions.
Having fun with controller ports
Acquisition of an NES copy Tetris is possible primarily due to the specific way the game crashes. Without going into too much detail, a crash in the NES Tetris happens when the game’s score handler takes too long to calculate a new score between frames, which can happen after level 155. When this delay occurs, some of the control code is interrupted by the new frame writing routine, causing it to jump to an unintended portion of the game’s RAM to look for the next instruction.
Typically, this unexpected interrupt causes the code to jump to the top of RAM, where garbage data is read as code, often leading to a quick crash. But players can manipulate this jump thanks to a little-known capriciousness Tetris handles potential input when running on the Japanese version of the console, the Famicom.
In contrast to the American Nintendo Entertainment System, the Japanese Famicom had two controllers permanently connected to the device. Players who wanted to use third-party controllers could connect them via an expansion port on the front of the system. The Tetris The game code reads input from this “extra” controller port, which can hold two additional standard NES controllers using an adapter (this is true even if the Famicom has a completely different version of it). Tetris from Bullet Proof Software).
Coincidentally, this is the area of RAM Tetris The location used to process this additional controller input is also used for the location of the jump routine we discussed earlier. So when this jump routine is interrupted by a crash, this RAM stores data representing the keys pressed on these controllers. This gives players the ability to control exactly where the game code goes after the crash is triggered.
Coding in the high score table
Displaced Gamers’ jump control method requires the player to hold down “up” on the third controller and right, left, and down on the fourth controller (the latter combination requires some controller fiddling to allow simultaneous left and right directional input). ). This sends the jump code to an area of RAM that contains the names and points for the game’s high score list, creating an even larger surface area of RAM that can be manipulated directly by the player.
By putting “(G” in the target part of the B-type high score table, we can force the game to jump there another Area of the high score table where the names and scores are read in sequence as what Displaced Gamers calls a “bare metal” code, with the letters and numbers representing opcodes for the NES CPU.
Unfortunately, there are only 43 possible symbols that can be used in the name entry area and 10 different digits that can be part of a high score. This means that only a small portion of the NES’s available opcode instructions can be “encoded” into the high score table using the available attack surface.