
Video TASBot at DEF CON 24 - Robot Hacks Video Games full talk

41:57   |   17K+ views   |   08/20/2018 at 23:57

Transcription

Good afternoon, everybody. I was already doing sauce, so, uh, how many people know what this thing is that's on the stage? Okay. I only ask that because, wandering through the halls yesterday after getting the badges, I heard a bunch of 20-somethings talking about what the Konami code was, and they were listing it off wrong. So if you are of that age, you're going to get a little bit of a history lesson. I've seen this demo, this is awesome, get excited, let's give him a big hand.

Thank you very much. This is a very, very technically challenging series of live demos. I have an immense number of things on the stage that can and will go wrong, so please feel free to make fun of the equipment when that happens. The equipment, not me. Hello everyone, I am Alan Cecil, I'm also known as dwangoAC. I am the president of the North Bay Linux Users Group, I'm also a senior engineer at Ciena, and I am a tool-assisted speedrun advocate and an ambassador for TASVideos.org.

So I want to talk about speedrunning and why it is okay. The real speedrunning, with human limits. So early on, people wanted to play games fast, because after you've beaten the game it's a lot of fun to try to beat it again faster, right? And some games like Metroid, especially Super Metroid, reward you for playing faster: if you complete Super Metroid in less than three hours she ends up wearing a bikini for some reason. We had... I didn't do it. So there are now categories that people try to speedrun games in, everything from any percent to 100 percent, get every item in the game as fast as you can, to esoteric categories like low percentage, no major glitches. And now most of these demos, most of these records, are stored on a website named Speed Demos Archive, and there's some other websites like that that also track the fastest completion times. Now there's a lot of strict rules, there's peer review of videos to make sure that no one is cheating, that no one is using keyboard macros or any kind of anything other than their own human ability, and I have to tell you, they're really entertaining.

Now one of the places that these are widely shown is at Games Done Quick events, gamesdonequick.com. There's an Awesome Games Done Quick in the winter that benefits the Prevent Cancer Foundation, and a Summer Games Done Quick every summer that benefits Doctors Without Borders, and there's usually some crazy stuff going on there.
For instance, here we have Mario Kart 64. You can see he's kind of out of bounds; that's because he's tricking the lap counter so that he only has to go around the course one full time and then trip the lap counter after... you can... that's it. Here's Super Metroid, he's... sorry, Metroid, the original Metroid. He's lured, or she, technically it's Samus, has lured an enemy from an adjacent screen and is using it, freezing it, to use it as a platform to sequence break the game: get someplace you're not supposed to be at that point with the items you have. Now there's all kinds of other things that happen at Games Done Quick events that are absolutely insane. This is Halfcoordinated; he cannot use, for the most part, he can't use the right side of his body, so he completes games using only one hand on the controller, and it's insane watching him play. There's also been some crazy things like this guy completing all the way up to Mike Tyson in Mike Tyson's Punch-Out blindfolded, just listening to the game audio. Just insane.

So this is clearly beyond the standard limits of what most humans can do, but tool-assisted speedruns, or tool-assisted superplay, go a step further. We're not really interested in human limits anymore; now we're interested in what this piece of hardware can really do if you pushed it to the limits of what the hardware is capable of. And TAS is used as a noun and a verb: I TASed this, this person is a great TASer. You'll hear me say the word TAS throughout the whole talk.

Now the history of tool-assisted speedruns is kind of interesting. Back in the 90s the game Doom came out, and it had a quick save button and a quick load button, because let's face it, it was kind of a hard game and you were likely to die a lot.
Well, they added re-recording tools, and that allowed you to play through a game and record your progress, and at a certain point somebody figured out you could do it in slow motion and keep loading the savestates over and over again until you get a pretty good completion. And in 1999, roughly, Doom Done Quick came out and completed the entire first game in 19 minutes and 41 seconds. This was followed up by a couple of other ones; there's a 14 minute two-second completion of Doom 2, for instance. So it's definitely been one of the first widely known tool-assisted speedruns.

Now in 2003 a video surfaced online from somebody named Morimoto, and it was a little bit, let's just describe it as controversial, because Mario was flirting with death, getting an insane number of 1-ups, literally walking through... and there was no context for where that video came from. Now, it had been posted on a Japanese website with appropriate annotations to describe that it was done with an emulator in slow motion with savestates, but the context of the video was missing when the WMV file, in 2003, pre-YouTube days, got circulated around the internet. And the problem was that it was inhuman skill on display, and really, tools meant hardware limits became the only limits. But if you don't say that you're testing the hardware limits, people get really upset. So TASing is kind of like the doped Olympics. I mean, let's just be honest here: competitors should admit to doping, let's just be honest here, and videos made with TAS tools should be labeled. And there's, uh, Bisqwit, who in 2004 created NESVideos to track tool-assisted speedruns the same way Speed Demos Archive was tracking in-game human completion times. Now that's gone beyond just the Nintendo Entertainment System, this console here; it's now moved on to many, many consoles, and there's now everything from modern consoles like the Nintendo Wii through handhelds at TASVideos.org.

So I know a live demo, like, we're only a few minutes in at the top, but let's do a live demo. I'll talk about the console verification part in a little bit, but just know that we made a game in an emulator, we set up a sequence of button presses, and I'm going to show you what those button presses are using TASBot. So this is where the video might go completely haywire, and I don't know what's going to happen. If you see somebody running from the side of the room, yeah, it's... bear with it. Who... anybody, can you turn it down? Thank you. Whoa, I said turn it down, not crash it! I said that there was going to be at least one catastrophic thing, I wasn't kidding. I don't even know what happened there, I've never seen that happen before, and that is something you can quote me on, because it happens all the time.
Alright, let's do this again. It's still pretty loud, but... whoa, what? Uh, yeah, I don't think blowing in the cart will work, but hey, it worked last time. But I do want to make absolutely certain that I don't have, like, wires crossed or something funny going on with power, because, uh, obviously if there's not a good ground things could be weird. But let's just try the... there, I kind of want this one to work. This one should work. The only thing I've been able to double check, just to make sure nothing else got funny... the only other thing I can think of might be power, but we'll try this one more time. Oh, and we lost the signal too. Remember I said live demos, at least one of them was going to go completely haywire. Well, I don't know where our tech guy is to fix this, and I'm not about to go touch it, so at least it's... yeah, I'm a little bit concerned here. So, uh, what's up? Yeah, besides, this thing's durable. Well, welcome to the first live demo that goes wrong. That's okay, I'm going to do the rest of the demos entirely on the Super Nintendo, but of course we will have to get somebody in the room to fix the scrolling. But I'm very confused by that behavior, I've never seen it before. Welcome to doing something in front of a live audience. But that's okay, we'll just move on. This is going to cause a brief audio pop, I apologize in advance.

Alright, so, with any luck... so, okay, so we probably are going to have rolling video at first, or apparently no video. Okay, well, you can barely see it, so I'm going to keep going through some slides here. This was made with one of a number of emulators, so several emulators out there: FCEUX, there's lsnes, which this run was made with. This is the Super Mario World game for the Super Nintendo. It is a very good emulator with a lot of useful tools on it, and I know that's going to be impossible to see with the scrolling, but Mario is doing some really unusual things right now. Yes, he just got about four Yoshis. So it's kind of hard to see right now, but basically what's happening is we have the ability to back up and try things as many times as we like, and that means we can do things with frame precision. And right now what we're doing is lining up the object attribute map to be exactly the way we want it to be. Wow, that's getting worse. There we go. Okay, unfortunately I think you're gonna have to do that every single time, sorry. Okay, so, eh, to heck with the slides. There's other re-recording frameworks; I made one called NetHack TAS tools that we've used before, there's Hourglass for Windows things. Everybody's looking at this video anyway, it doesn't really matter. So this was done with a bsnes core, which was very, very accurate, and that's incredibly important, because in just one second, look at these visualization boards right here and right there: that's the actual button presses we're sending to the console. There we go.
So yes, TASBot plays Super Mario World. Um, yeah, I'm just gonna skip all that, we'll come back, that's on my time. So TASBot plays Super Mario World... oh, oh, I'm sorry, it's Super Mario Brothers in Super Mario World. I said this was a live demo; if somebody wants to come up here you can definitely play this if you wanted to, except I forgot to bring the controller, sorry, that won't work so well. This is fully playable. So we took Super Mario Brothers, a game from the original Nintendo, and placed it on the Super Nintendo, which was never designed to have it. So we took a previous console run from the game and programmed it through the console's controller ports on completely unmodified hardware. Now this was done by Masterjun, who set up the button presses, and by somebody named p4plus2, and it's a really complex series of events, but there's a really good YouTube video by dotsarecool. That audio was kind of loud, but that's okay, just ignore it. So what you're basically seeing is he was going back and forth and rearranging objects in the object attribute map to basically write opcodes in RAM in such a way that when we did certain things, it treated the location in memory that the controller is stored in as something it should execute. And it did exactly that: it ran what we put on the controller and allowed us to, well, you can either check it, or you can take it one step further and do crazy stuff. Um, but that's not good enough. This one ran at 184 kilobits per second, which is nice, you know, it's cool, but we can do better, and we're going to. So I need to restart, which means that it's probably gonna mess up the video. One of the interesting things about the original consoles is that they are running at a resolution best described as 240p; they played trickery with CRT TVs, so we have had a lot of trouble getting capture to work. It's actually been a bit of a pain. So I just erased the save game, and that's going to prepare me for doing another run. Let's see. Alright, here we go.

So this is the same game, and this time... oh good, the video isn't rolling right off the top. Okay, this is good, we're lucky. It'll stick with us unless we switch consoles. So this is the exact same game, but if you're able to see it you'll notice that the video is going to be using a slightly different technique. This is a different exploit than the first one. Yes, there are more than one, there's more than one way to blow up Super Mario World, and this one is going to use a slightly different technique. So in one of my earlier slides I was talking about the different devices that we have. Well, the newest device we have is from, uh, a board called the TASLink board, and it has a very high data rate. The previous boards were made by somebody named true, who's actually a DEF CON regular; true's board was able to hit 184 kilobits per second based on his multireplay board. This one is using an FPGA from Papilio, and we're able to achieve data rates much higher than that, which you'll see here in a second, as soon as it gets done screwing around with this Chargin' Chuck right about here. I love the scene right here, just watch what he does to this Chuck. There we go.
That is an image that was written to the console at 900... I want to say 920 kilobits per second. Keep in mind that the maximum rate that these consoles usually ran at was about three... I'm sorry, about 480 bytes per second, and that was like the most. So for us to shove that much data through it is kind of impressive. I'm amazed that this console manages to hold up.

I need to actually back up a little bit and cover a few things that I skipped over, so I'll just go to here. There were a bunch of early console devices. true was the first person to attach a console and get it to do button presses, and it's actually a very simple protocol, especially for the original Nintendo, and one of the things I was going to talk about during the original video I planned: there's only five wires. There's just five volts and ground; there's a latch wire that says, latch, "hey controller, I'm about to ask you what buttons you're pressing"; a clock, "give me the first button, is A being pressed, one or high voltage if yes, none or zero if no"; and the only other line is a serial data line out from the controller sending that information back to the console. So what this guy here does is pay attention to that feed and send appropriate responses.

So the first device that this was tested with was all the way back in 2009, a board from true, but in 2011 someone named micro500, who also built this TASLink board, micro500 made a device called the NESBot, based on a breadboard you can see here in the lower corner, that was able to complete Super Mario Brothers 1, and it was used at one of the very early Summer Games Done Quick events to complete Wizards & Warriors 3 and Super Mario Brothers 2, although somewhat comically. And by the way, what you see on the screen, if... I know it's really tiny, but there's just a very few number of people in the audience. This was one of the early Summer Games Done Quick events, it didn't have really many people. Now this room would be looking a little bit more like DEF CON here. But there were a couple of other boards: there was a Droid 64 that could do N64 games, and micro500 made one of his own in 2012 using a Propeller board. But TASBot, this guy here, an R.O.B. holding a device with Legos on it, that kind of happened a little bit later.

So in 2013 we had an opportunity to again go to Summer Games, or Awesome Games Done Quick, and present, and true built a device from scratch based on a Microchip device, and it was a very, very good device in the sense that it was streaming capable, very inexpensive, a little bit fidgety with wiring because of the punch-down, the screw-down blocks that we used, and it had somewhat limited data rates, but we were able to do some really impressive things on that. One of the first things we did was Snake and Pong on top of Super Mario World. Well, I took... eventually, this is like the first prototype, I just zip-tied it together, I took some Legos, eventually shoved them together, and I called it Rob-berry Pi, because at that point it was being fed by a Raspberry Pi. Posted this run on Awesome Games Done Quick saying, hey, I want to go to the event, and immediately mechaRichter says, hey, I want to see some of that TASBot action, exploded. I never called this guy TASBot, it just happened. So TASBot is nothing more than R.O.B., the robot from the 1980s that was shipped with the original Nintendo consoles so that it didn't look like an old Atari video game console, with some Legos and a replay device, and that's pretty much it.
Now the multireplay device is one I mentioned earlier that was capable of putting Super Mario Brothers inside of Super Mario World, and there were also some other really interesting developments: there's a Game Boy Player player, and there's one I haven't mentioned here that's able to play DS games. So we already went through all this, I'm going to fast-forward, but I really want to... oh, and by the way, the faster data rates also allowed us to play Super Mario Brothers 1, 2, 3 and Lost Levels at the same time with the exact same sequence of button presses, completing at about the same second. It was really quite impressive, very, very crazy. We just did that a few weeks ago at Summer Games Done Quick.

So I want to step back for a bit. I don't know how I'm doing on time... okay, I'm doing all right, I'm actually doing just fine on time. I want to really step through and go in a deep dive into one of these exploits and really break it down so that you kind of understand some of the sequences we go through. So I'm going to start with a game called Pokémon Red. Now Pokémon Red is a really broken game, you'll see how broken, like it's really broken. But a handheld Game Boy is kind of difficult to wire into; now, we've done it, but it's not exactly a lot of fun. So this is a Super Game Boy cartridge. This has an entire Game Boy processor, a Z80 processor codenamed DMG, inside of this cart, and it communicates with the Super Nintendo and allows us to... oh great, right when I need to swap video, I don't know where he went. All right, well, I hope it works. So that allows it to use the controllers, which is great for us, it means I don't have to touch anything.

Now I have a wire here, and this wire is kind of an interesting little thing. There we go. Alright, that's already fully baked. This wire has a little expansion board connector; on the underside of the console there is this not very often used expansion board. They eventually used it for a cancelled project that connected a CD drive to this thing, but it was never really implemented. Now we're using it because it exposes a reset pin that we kind of want to play with. Play with, yeah, I'll go with play with. So, and hopefully my video signal stays, with any luck... yay, all right, we're good. And we don't really need a lot of audio for this one; there's not really... but I like the game audio. But I've got to tell you, when I was testing this I listened to it over and over and over again and I got really tired of it. So what's happening right now: we're going to delete the contents that was there previously, and there we go.
And we're going to start a new game, and we're going to set very specific parameters. So unfortunately it's kind of slow menuing, it takes a while to get there, so I'll kind of explain in advance. We're going to name the player's character Red, and we're going to name the rival a very unusual name: we're going to name him RX RX PK, there's actually a PK symbol. And the reason we do this is we need to pre-set up certain memory values to be in our... that we'll be using again later. So he said, yeah, we're about to start our adventure, except we're not going to bother getting very far into it before we save. So we're going to save, and bam. So what we just did is we reset while we were saving the game. Now I don't need this wire anymore, so I'm going to pull it out. That allowed us to write a completely valid game header that said, yes, your player's name is this, your rival is this, you have... wait, how many Pokémon did we have? Oh, we left FFs in there. Oh well. So you can kind of see where we're going here.

All right, so now we're going to start and load the save game we just used. So again, this is kind of slow, it'll take a little while to get here. I'm going to get ahead of myself, because this section goes rather quickly; there's just a lot to explain. So what we're going to do is load the save game we just created, and it is a valid save game, but the list of how many Pokémon we have says we have 255, and that allows us to go beyond the area of memory we would normally be able to go to. And right here you'll see us, we swapped Pokémon over the area of memory that contains our items. Now that means that we have to do a couple of the switches so that we don't crash the game, by the way, but I'll get to that in a second. That means that we can now delve into our item list, and you can see here there are some items that are stored as a 2-byte pair: one byte to say what the item's name is and one byte to say what the quantity of it is. So we just tossed... well, now we're switching where items are, we move them in memory, but we just tossed some of an item. We're going to do it here: so TM25, we're going to toss 24 of those. Well, whatever value we started with in memory, we've just thrown out a bunch of items and we've reduced that memory by 24 in RAM. So this allows us to directly manipulate memory, but we can only manipulate every other byte. Fortunately, if we go back and swap Pokémon, like we're doing right here, it offsets memory by an odd number, so what used to be an identifier is now a value, a quantity value, that we can then throw away. So now we can write everything in memory, but we have to be very careful, because some items, if you throw them away, every item of that category you can never touch again; some items, if you throw them away, will crash the game; and some items will crash the game simply if you look at them. Not so helpful.

So there's also another thing that we're doing here. We're obviously writing bytes in memory in order to create a routine that will allow us to read from what's on the controller and store it in memory. The problem is the Super Game Boy cancels up and down, and left and right, so if you try to press both those buttons at the same time they just get zeroed out. So to get around that, the routine we're writing right now, we're literally writing a program as you see it: it reads, stores that in memory, reads again, stores that in memory, does a subtract between the two, stores the result in RAM in one position, and then keeps writing it one after another, and when it gets to the end it writes over a jump sequence to go execute what it just wrote. And what it's writing right now, which you'll be able to see on these visualization boards, is a rather substantial payload, and it takes quite a while to write it all. BAM.

All right, so, anybody recognize that? Has anybody ever been to twitch.tv? Well, get your smartphones ready, this is the live demo part. This is the part I like the most.
Oh, you know, it really, really helps, so it really helps if you actually have an internet connection when you try this. So we have to take a quick pause and hope that this cable reaches without causing anybody too much pain. So yes, we really are going to connect a 25-year-old console to the Internet, and you get to ask your Q&A over the chat session if it works. Nice, we've already got some action here. Alright, somebody type something and it will appear on the screen, I assure you. So what you need to do is, let me quickly get here, I will actually type out the address. Oh, you can't type URLs, and there's a swear filter on here. Have fun defeating that; it can be hacked. This code is all on PPT IRC on Git, you can find the swear filter in there and defeat it to your heart's content. This is DEF CON, have fun, knock yourselves out. So here's what we're going to do: I'm going to talk about a couple other things, and see if I can find the channel that everybody is in. I know I've got it in here somewhere. There it is.

Oh, wait a minute, I know what's happening. We're playing back a screenplay, because I never moved the file over. So what you're actually seeing on screen, because I couldn't see it on the monitor down here, you're seeing the exact text that we put on screen at Awesome Games Done Quick 2015. It was an entire screenplay of conversation. I'm just going to let it run, because it's actually kind of stupid, poorly written, and then hilarious. I had my own script of things I was supposed to say and I never did, because it was just too awkward. So yes, we did a full article on this in the journal Proof of Concept or Get The Fuck Out. I did name the honor article, journal article, but the journal is absolutely fantastic. You can find a full write-up written by myself, Ilari, the author of the emulator, and p4plus2, the author of the chat interface, at PoC||GTFO issue 10. Just search Google for that, it's mirrored all over the place. There's a lot more details on what I covered here.

By the time we get done doing all of this, we escape the Super Game Boy: we tell the Super Game Boy that we want to execute something in the Super Nintendo's memory space, and it lets us do it, because there's actually a command that lets you do that. There's only one or two games that ever actually took advantage of that feature, but it's there. Once we get to the Super Nintendo we're no longer limited to one byte per frame; in fact, we were at one point only able to do a nibble per frame, because we had to subtract them together to get around the button limitations. So what we ended up doing is, after we get to the Super Nintendo, we get to a data rate of two bytes per controller, and we tell it, oh, you actually have a multitap attached, so you have two controllers on the first controller port and two on the second. So you get eight bytes per frame and sixty frames per second, so that gets us about 480 bytes a second, if I did my math right. But that still wasn't enough, so we told it, oh, and don't just read eight once per frame, read eight times per frame, sixty times a second, so that gets us to a data rate of three point eight K per second or so. "de D de f fo for for"... well, we're in somewhere, I just don't know where. Oh yeah, there's me, I just typed "test" and it worked. So there's all kinds of crazy going on, but that's okay. This is going to be at the end of the pre-recorded input in just a second here.
  • while that's playing through there's so
  • many more details of this
  • there's a block loader B program and
  • afterwards it's just a really really
  • intense technically challenging process
  • that we had to go through to do this
  • did Franco Z come through Wow so it
  • looks like because I ran the wrong
  • script it's getting some characters out
  • of order like hilariously out of order
  • hack the planet huh wow that's like
  • hilariously funny
  • this wouldn't be a live demo without
  • things failing let's keep going
  • it's also my call to action if you want
  • to join in on the fun you can go to
  • twitch.tv slash Durango AC I am going to
  • go ahead and well that's a lot of
  • frankerz e twitch the twitch well it's a
  • little bit a little bit messed up but I
  • can at least see it on my screen here
  • even if it's not completely correct
  • there oh well
  • go ahead and ask any Q any questions you
  • have in the chat so again you can go to
  • twitch TV slash Dewayne go AC subscribe
  • while you're there if you like I don't
  • care but there's there's one other thing
  • I want to talk about we recently found a
  • very very interesting glitch in super my
  • brothers 3 that I wish I could show you
  • on the real console what we found out is
  • that it is possible to go from boot to
  • the ending of the game in literally 16
  • frames I'm not kidding it does take
  • quite a few button presses per second to
  • do it
  • and it doesn't exactly treat the pallets
  • very nicely not everything gets loaded
  • into Ram but it is a valid completion of
  • the game it properly goes to the end
  • credits so this happens because of an
  • interesting choice they made 10 minutes
  • got so when they released this Nintendo
  • hardware the original NES in America
  • they had a problem they've released the
  • hardware and then discovered that if a
  • game used dpcm audio and that the
  • controller was asked for what values it
  • was holding at the same time there was a
  • collision on the bus and the controller
  • input may or may not be dropped so to
  • get around it
  • they ask for ask the controller for
  • input two milliseconds later they ask
  • the controller for input again and if
  • it's different they ask again and if
  • it's different from the previous I ask
  • again and if it's different from the
  • previous date you can kind of see where
  • this is going right infinitely this
  • allowed us to keep giving the the the
  • console a different response for what
  • buttons we were holding every other time
  • that we did it ask for input and
  • eventually it tied it up until the next
  • frames processing started for the raster
  • input that displays a status bar at the
  • bottom of the screen and it was still
  • doing this that we were still keeping a
  • busy with this other loop so what ends
  • up happening is it drops execution right
  • at the bottom of the stack and slides
  • across a series of breaks and no-ops
  • directed to the addresses where
  • the controller the controller data is
  • stored so on the second frame instead of
  • screwing with it giving a different
  • input we correctly give it input like
  • it's expecting the first byte is stored
  • as an opcode in memory or else stored as
  • a byte in memory and treated as an
  • opcode and we type the value that says
  • jump to and on the second controller we
  • type the value of that says and credits
  • or the address of the end credits
  • so in fact we literally tell it to jump
  • to the end credits 16 frames or less
  • than around a quarter of a second after
  • starting the game now this is possible
  • because of tools like binary ninja and I
  • had had plans to do a full demo and I'm
  • being told I've only got 10 minutes so
  • I'm kind of running out of time there
  • but binary ninja is definitely a lot
  • more flexible than IDA because there's
  • some some ability to add in other
  • mappers it can handle the 6502 it can
  • show all kinds of useful things and we
  • were able to find the actual program
  • code where the where the controller was
  • being polled and figure out what it was
  • doing and find the exploit so am I
  • cheating mmm no I'm not really cheating
  • I'm just looking for technical challenge
  • and visual entertainment and all of us
  • are I'm the presenter I'm the organizer
  • of the games done quick events but this
  • is so much more difficult than anything
  • I could do on my own there's one person
  • who's really good at hardware there's
  • one person that's really good at
  • emulation there's one person who's
  • really good at making the actual replay
  • movie files there's one person who is a
  • really great glitch finder you know it
  • takes a lot of different people and why
  • do we do it because we've been able to
  • raise over $200,000 for charity between
  • the five different events we've done at
  • games done quick events and just the
  • summer yeah
  • that's really what motivates us just
  • this summer we had an hour block of time
  • at summer games done quick 2016 and in
  • an hour we raised $40,000 for Doctors
  • Without Borders and the marathon as a
  • whole raised 1.3 million and that's a
  • huge success so
  • so I'd like to thank micro500 he made
  • the the TASLink board here Ilari made
  • the lsnes emulator and also heavily
  • contributed to the black loader and a
  • lot of other things that worked for
  • pokemon plays twitch which is what
  • you're seeing here this is pokemon red
  • playing a Twitch chat p4plus2 wrote that
  • actual Twitch chat MasterJun is the one
  • that figured out the exact sequence of
  • orders of placing everything through of
  • course made the earlier devices Total is
  • the one that found the Super Mario
  • Brothers 3 glitch psifertex is behind
  • and Rusty here behind Binary Ninja ais523
  • helped with the DPCM glitch info and
  • was hugely helpful in getting these
  • slides put together and helped them the
  • proof-of-concept article green fly
  • helped me set up today there's a lot of
  • other people at TASVideos that work
  • that I don't even have remotely enough
  • time to mention so now let's see if
  • there's actually any sanity in this chat
  • and see if there's an actual question I
  • can answer
  • it's twitch now they oh I am error gone
  • kappa so if you do want to ask a
  • question I have exactly five minutes I
  • believe five minutes Wow somebody's got
  • some potty mouth
  • pretty good latency yep I imagine how
  • many viewers do I have now anyway I'm
  • just looking I'm looking at twitch chat
  • via IRC because that's how the bot
  • works let's see are there any serious
  • questions have you ever seen a zombie
  • come to tea no that's a very interesting
  • is this easy mood not exactly what's
  • your favorite sandwich I have no idea
  • probably chicken pesto what the heck
  • okay when I said QA I meant QA about like
  • this drinks later
  • yes drinks later definitely I'll be I'll
  • be standing over there I'm going to need
  • one after this doc do I know no I am
  • what I am doing now sort of are they
  • under the truck how does the bot work
  • with timing okay this is a very good
  • question this is a first serious
  • question I've seen so on the original
  • Nintendo I mentioned that it actually
  • asks for input more than once per frame
  • because it has to make sure that it's
  • not running into this DPCM glitch on
  • many games not all but many of them that
  • use DPCM audio so that means that we
  • have to put it in a windowed mode and we
  • have to ourselves keep track of which
  • frame were on and in fact that's the
  • secret to all of these runs anyway is a
  • tool-assisted speedrun which is
  • typically run on an emulator rather than
  • the on the original hardware is nothing
  • more and nothing less than a series of
  • button presses showing every frames
  • worth of input one frame after another
  • so we're able to convert that to run on
  • a console but we do have to pay
  • attention to the little nuances that the
  • console is going to ask more than once
  • so we have to keep track of which frame
  • we're on and send it only the right input
  • save or kill the animals TASBot
  • always kills the animals if any you guys
  • know what that reference is so there's
  • save the frames or save the animals or
  • vice versa
  • AGDQ events they always play Super
  • Metroid with usually a 2 to 4 player
  • race and inevitably there's up to
  • $200,000 contributed if people watching
  • and donating on either side for the
  • donation incentive if you if they decide
  • to kill the animals because more
  • donations went to that they bypass going
  • to release some animals that are trapped
  • on the planet we
  • or they leave the game which is faster
  • and saves frames if they have to save
  • the animals it wastes time so can you use
  • this for malicious use yes that's the
  • whole point in fact one of the reasons
  • that we want to do this and I'm going to
  • see if I can find this I'm gonna have to
  • go back like crazy because I've got some
  • of these slides here the primary point I
  • will actually wanted to make and I'm
  • really glad that somebody reminded me of
  • this is that the difference between the
  • tool assisted speedrun community and the
  • InfoSec reverse engineering community
  • really isn't that substantial a save
  • state and an emulator is nothing more
  • than the VM snapshot the glitch is just
  • a vulnerability waiting to be exploited
  • an arbitrary code exploitation execution
  • is doing just that console verification
  • and a lot of ways it's kind of like an
  • evil maid attack we are acting like a
  • normal controller but we don't exactly
  • have the best intentions so a
  • tool-assisted speedrun because the
  • emulators have so many tools to be able
  • to step forward look deep into memory
  • look at all the aspects of the cpu
  • registers every last iota what's going
  • on and the ability to try things over
  • and over again it is a fantastic place
  • to start looking for glitches and games
  • and start looking for and refining
  • techniques for reverse engineering so I
  • encourage you go to TASVideos or go
  • check that out I'm just going to hold
  • this down until I get to the end if
  • there's one last serious question I
  • might answer that but I have a funny
  • feeling there's not going to be much
  • where can I catch Mewtwo I have no idea
  • more games soon yes we'll be doing
  • another round at awesome games done
  • quick 2017 more information at
  • gamesdonequick.com and I think I'm just
  • going to wrap up with this last question
  • how do you mind for fish what the heck
  • do I play Pokemon Go no I don't but I
  • think it would be really funny if TASBot
  • did let's see has used TAS to fuzz
  • um sort of not really the
  • we'll get back to you than that can I
  • can you do something useful yes I can do
  • lots of useful things he can do all
  • kinds even beat games really fast when
  • when everything works technically what
  • is my favorite TASBot exploit I have to
  • say it's got to be this one I mean I
  • know it's kind of other future consoles
  • so I mean it's kind of DEFCON is great
  • now can we all agree on that all right
  • yeah pokemon plays twitch by far is my
  • favorite I actively was involved in
  • making the movie for that and had a deep
  • part in the technical aspects of that so
  • definitely my favorite hey I want to
  • thank everybody for participating I'll
  • leave the chat up you guys can continue
  • to talk thank you very much
  • you
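The talk describes a controller-polling loop on the NES that re-reads the controller until two consecutive reads agree (the workaround for the DPCM bus collision) and notes that a device returning a different byte on every read keeps that loop from ever returning to the game's frame logic; the Q&A then explains that a console replay device has to track which frame it is on because the game may poll several times per frame. The following C model is an added example, not code from the talk, TASBot or any NES game: `poll_unbounded` is a simplified model of the loop the speaker describes, `poll_bounded` is the defensive variant a practitioner would want (a retry cap with a fallback to the previous frame's input, so control always returns to the frame loop), and the three controller models (`honest_ctrl`, `alt_ctrl`, `replay_ctrl`) and all function names are this example's own. The byte values are constructed sample button states with no meaning beyond the simulation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A controller "read" yields the 8-bit button state the game would get by
 * clocking the controller shift register. (Model only; not NES hardware code.) */
typedef uint8_t (*read_fn)(void *ctx);

/* Honest controller model: the same byte on every read within a frame. */
typedef struct { uint8_t held; } honest_ctrl;
static uint8_t honest_read(void *ctx) { return ((honest_ctrl *)ctx)->held; }

/* Constructed "inconsistent" controller: alternates between two bytes on
 * successive reads, the behaviour the talk describes the replay device using. */
typedef struct { uint8_t a, b; unsigned reads; } alt_ctrl;
static uint8_t alt_read(void *ctx) {
    alt_ctrl *c = (alt_ctrl *)ctx;
    return (c->reads++ & 1u) ? c->b : c->a;
}

/* Replay controller model: serves one byte per frame no matter how many times
 * the game polls within that frame; advanced once per frame by replay_next_frame(). */
typedef struct { const uint8_t *frames; size_t nframes; size_t cur; } replay_ctrl;
static uint8_t replay_read(void *ctx) {
    replay_ctrl *r = (replay_ctrl *)ctx;
    return r->cur < r->nframes ? r->frames[r->cur] : 0;
}
static void replay_next_frame(replay_ctrl *r) { r->cur++; }

/* Unbounded re-read loop as the talk describes it: read, read again, and keep
 * going until two consecutive reads agree. 'cap' exists only so the simulation
 * terminates; returning -1 means the real loop would never hand control back. */
int poll_unbounded(read_fn rd, void *ctx, unsigned cap, uint8_t *out) {
    uint8_t prev = rd(ctx);
    unsigned reads = 1;
    while (reads < cap) {
        uint8_t cur = rd(ctx);
        reads++;
        if (cur == prev) { *out = cur; return (int)reads; }
        prev = cur;
    }
    return -1;
}

/* Bounded variant: give up after max_reads and fall back to the previous
 * frame's input. Returns 1 if a consistent pair was seen, 0 if the fallback
 * was used; either way the game's frame logic always resumes. */
int poll_bounded(read_fn rd, void *ctx, unsigned max_reads, uint8_t fallback, uint8_t *out) {
    uint8_t prev = rd(ctx);
    unsigned reads = 1;
    while (reads < max_reads) {
        uint8_t cur = rd(ctx);
        reads++;
        if (cur == prev) { *out = cur; return 1; }
        prev = cur;
    }
    *out = fallback;
    return 0;
}

/* Scenario helpers; all inputs below are constructed sample values. */
int scenario_honest_reads(void) {               /* honest pad: consistent after 2 reads */
    honest_ctrl h = {0x80}; uint8_t v = 0;
    return poll_unbounded(honest_read, &h, 1000, &v);
}
int scenario_alternating_hangs(void) {          /* alternating pad: unbounded loop hits cap */
    alt_ctrl a = {0x01, 0x02, 0}; uint8_t v = 0;
    return poll_unbounded(alt_read, &a, 1000, &v) == -1;
}
int scenario_bounded_falls_back(uint8_t *out) { /* bounded loop returns with fallback */
    alt_ctrl a = {0x01, 0x02, 0};
    return poll_bounded(alt_read, &a, 4, 0x40, out);
}
int scenario_replay_per_frame(void) {           /* replay device stable within a frame */
    static const uint8_t frames[] = {0x80, 0x40, 0x00};
    replay_ctrl r = {frames, 3, 0};
    uint8_t f0 = 0, f1 = 0;
    int n0 = poll_unbounded(replay_read, &r, 1000, &f0);
    replay_next_frame(&r);
    int n1 = poll_unbounded(replay_read, &r, 1000, &f1);
    return n0 == 2 && n1 == 2 && f0 == 0x80 && f1 == 0x40;
}

int main(void) {
    uint8_t out = 0;
    printf("honest controller: consistent after %d reads\n", scenario_honest_reads());
    printf("alternating controller hangs unbounded loop: %s\n", scenario_alternating_hangs() ? "yes" : "no");
    printf("bounded loop consistent: %d, input used 0x%02X\n", scenario_bounded_falls_back(&out), out);
    printf("replay controller stable within frame: %s\n", scenario_replay_per_frame() ? "yes" : "no");
    return 0;
}
```

The point of the bounded variant is the same one that applies to any input-validation retry loop: a loop whose exit condition is controlled entirely by an external device has no guaranteed termination, so a retry cap with a safe fallback is what keeps the rest of the frame's processing reachable. The replay model shows the other side of the Q&A answer: the device must serve identical bytes for every poll within a frame and only change state at frame boundaries.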

Description

This presentation was delivered by Allan Cecil (dwangoAC) at DEF CON 24 on August 5th, 2016 as described at https://www.defcon.org/html/defcon-24/dc-24-speakers.html#Cecil - the talk slides can be found at https://docs.google.com/presentation/d/1hA4zq6d5NmTkFMCSCeqPrq9Mtm6DSXQpWxZQdSlIT2I/edit?usp=sharing

Keywords

TASBot TASVideos TAS Tool Assisted Speedrun Console Verification Robot DEFCON DEF CON DEF CON 24 SMW SMB3 Pokemon Twitch Twitch Chat Pokemon Plays Twitch
