Bad Apple but it's played inside Super Mario Bros

https://news.ycombinator.com/rss Hits: 14
Summary

Happy ACEVideos day! Last year, I submitted an unoptimized (almost working) TAS of Super Mario Bros. that demonstrates executing arbitrary code. Due to emulator inaccuracies with “Open Bus”, the run did not sync on console. One pull request and a year later, I’ll be executing a larger payload inside Super Mario Bros. which syncs on console! (Thank you Alyosha for verifying this!) This tool assisted demonstration uses pretty much everything I know about the NES. Enjoy! (This link is for the abridged version that skips the setup, and starts at the important part)

In these submission comments, I will explain how I created this run, how it works, the limitations I had to work with, and the ideas I used to make it *just* a bit nicer. This TAS was made in Bizhawk 2.9.1.

Objectives:
- Do a little tomfoolery
- Execute arbitrary code
- Play the Bad Apple!! music video
- Earn the maximum score
- Beat the game in 4:53

What is Arbitrary Code Execution?

Before I dive into the details, I thought I would explain what an “Arbitrary Code Execution” exploit is. Let’s ignore the word “Arbitrary” here, and focus on how the NES executes code in general. The programmers for a NES game write code in “6502 Assembly”, where an instruction may look like “LDA #$80”. Converting assembly code to machine code is remarkably simple, as every possible instruction corresponds to a different value for a byte. For instance, this “LDA” instruction would become the byte “A9”. The full instruction, “LDA #$80” would include that operand, “80” as well, so written as bytes, that entire instruction is simply “A9 80”.

A slightly different topic: This is a sentence. As you read this sentence, you’re probably not keeping an exact count of how many words have appeared on this page up to this point. If every word on this page was assigned an ID in order of appearance, you probably wouldn’t correctly guess the ID of this sentence’s last word.
The NES on the other hand, needs to know exactly which byte should be processed ne...

First seen: 2025-09-30 03:35

Last seen: 2025-09-30 16:38