Good afternoon everybody, how's everybody doing? So, um, how many people know what this thing is that's on the stage? I only asked that because wandering through the halls yesterday after getting the badges I heard a bunch of 20-somethings talking about what the Konami code was and they were listing it off wrong. So, um, if you are that of that age you're going to get a little bit of a history lesson. I've seen this demo, this is awesome. Get excited. Let's give Allan a big hand.

Thank you. Well, thank you very much. This is a very, very technically challenging series of live demos. I have an immense number of things on the stage that can and will go wrong, so please feel free to make fun of the equipment when that happens. The equipment, not me. Um, hello everyone, I am Allan Cecil. I'm also known as dwangoAC. I am the president of the North Bay Linux Users' Group. I'm also a senior engineer at Ciena. Uh, and I am a tool-assisted speedrun advocate and an ambassador for TASVideos.org.

Um, so I want to talk about, uh, speedrunning and why is it, okay, there we go. Uh, speedrunning with human limits. So early on, um, people wanted to play games fast because after you've beaten a game it's a lot of fun to try to beat it again. Uh, faster, right? And some games like Metroid, especially Super Metroid, reward you for playing faster: if you complete Super Metroid in less than three hours, uh, she ends up wearing a bikini for some reason. I didn't do it. Um, so there are now categories, uh, that people tried to speedrun games in. Everything from any percent to, uh, 100 percent, get every item in the game as fast as you can, to esoteric categories like low percentage, no major glitches. And now most of these demos are, most of these records are stored on a website named, uh, Speed Demos Archive, and there's some other websites like that that also track the fastest completion times. Um, now there's a lot of strict rules.
There's peer review of videos to make sure that no one is cheating, that no one is using keyboard macros or any kind of, uh, anything other than the human, uh, their own human ability. And I have to tell you, they're really entertaining. Now one of the places that these are, uh, widely shown is at Games Done Quick events, uh, gamesdonequick.com. There's an Awesome Games Done Quick in the winter that benefits the Prevent Cancer Foundation and a Summer Games Done Quick, uh, every summer that benefits Doctors Without Borders. And there's usually some crazy stuff going on there.

Uh, for instance here we have Mario Kart 64. Um, you can see he's kind of out of bounds. Um, that's because he's tricking the lap counter so that he only has to go around the course, uh, one full time and then he can trip the lap counter after he completes it. Um, here's Super Metroid, he's, uh, I'm sorry, Metroid, the original Metroid. He's lured, or she, technically it's Samus, has lured an enemy from an adjacent screen and is using it to, uh, to freeze it, to use it as a platform to sequence break the game. Get someplace you're not supposed to be at that point with the items you have.

Now there's all kinds of other things that happen at Games Done Quick events that are absolutely insane. Uh, this is halfcoordinated. Uh, he cannot use, for the most part he can't use the right side of his body. So he completes games using only one hand on the controller. And it's insane watching him play. Uh, there's also been some crazy things like, uh, this guy completing all the way up to Mike Tyson, uh, in Mike Tyson's Punch-Out!! blindfolded. Just listening to the game audio. Just insane. So this is clearly beyond the standard limits of what most humans can do.

But tool-assisted speedruns or tool-assisted superplays go a step further. We're not really interested in human limits anymore. Now we're interested in what can this piece of hardware really do, if you pushed it to the limits of what the hardware is capable of.
And TAS is used as a noun, a verb. I TASed this. This person's a great TASer. You'll hear me say the word TAS throughout the whole talk.

Now the history of tool-assisted speedruns is kind of interesting. Uh, back in the 90s the game Doom came out and it had a quick save button and a quick load button because, let's face it, it was kind of a hard game and you were likely to die a lot. Well, they added re-recording tools and that allowed you to play through a game and record your progress. And at a certain point somebody figured out you could do it in slow motion and keep loading the save states over and over again until you got a pretty good completion, and in 1999, roughly, Doom Done Quick came out and completed the entire first game in 19 minutes and 41 seconds. This was followed up by a couple of other ones. There's a 14 minute and 2 second completion of Doom 2, for instance. So it's, it's, it's definitely been one of the, the first widely known tool-assisted speedruns.

Now in 2003 a video surfaced online from somebody named Morimoto and it was a little bit, let's just describe it as controversial, because Mario was flirting with death, getting an insane number of one-ups, literally walking through walls, and there was no context for where that video came from. Now it had been posted on a Japanese website with appropriate annotations to describe that it was done with an emulator in slow motion with save states. But it was, the context of the video was missing when the WMV file in 2003, pre-YouTube days, got circulated around the Internet. And the problem was that it was inhuman skill on display, and really tools meant hardware limits became the only limits. But if you don't say that you're testing the hardware limits, people get really upset.

So TASing. It's kind of like the doped Olympics. I mean, let's just be honest here. Competitors should admit to doping. Let's just be honest here, and videos made with TAS tools should be labeled.
And there's a guy named Bisqwit that in 2004 created NESVideos to track tool-assisted speedruns the same way Speed Demos Archive was tracking in-game human completion times. Now there's, that's now gone beyond just the Nintendo Entertainment System. This console here, it's now moved on to many, many consoles. And there's now everything from modern consoles like the Nintendo Wii through handhelds at TASVideos.org.

So I know, live demo, like we're only a few minutes into the talk, but let's do a live demo. I'll talk about the console verification part in a little bit, but just know that we made a game in an emulator. We set up a sequence of button presses. And I'm going to show you what those button presses are using TASBot. So this is where the video might go completely haywire. And I don't know what's going to happen. If you see somebody running from the side of the room. Yeah, just bear with it. Thank you. I said turn it down, not crash it. I said that there was going to be at least one catastrophic thing. I wasn't kidding. I don't even know what happened there. I've never seen that happen before. And that is something you can quote me on because it happens all the time.

All right, let's do this again. It's still pretty loud, but I don't think blowing in the cart will work. But hey, it worked last time. But I do want to make absolutely certain that I don't have like wires crossed or something funny going on with power. Because obviously if there's not a good ground, things could be weird. But let's just try the, there. I kind of want this one to work. This one should work. The only thing I'm going to double check, just to make sure nothing else got funny. The only other thing I can think of might be power, but we'll try this one more time. Oh, and we lost the signal too. Remember I said live demos, at least one of them was going to go completely haywire. Well, I don't know where our tech guy is to fix this. And I'm not about to go touch it. At least it's...
Yeah, I'm a little bit concerned here. So what's up? Besides, this thing's durable. Well, welcome to the first live demo that goes wrong. That's okay. I'm going to do the rest of the demos entirely on the Super Nintendo. But of course, we will have to get somebody in the room to fix the scrolling. But I'm very confused by that behavior. I've never seen it before. Welcome to doing something in front of the fellow live audience. But that's okay. We'll just move on. This is going to cause a brief audio pop. I apologize in advance. So with any luck. So we probably are going to have rolling video at first. Apparently no video. Okay, we can barely see it. So I'm going to keep going through some slides here.

This was made with one of a number of emulators. There's several emulators out there. FCEUX, there's lsnes, which this run was made with. This is the Super Mario World game for the Super Nintendo. It is a very good emulator with a lot of useful tools on it. And I know that it's going to be impossible to see with the scrolling. But Mario is doing some really unusual things right now. Yes, he just got about four Yoshis. So it's kind of hard to see right now. But basically what's happening is we have the ability to back up and try things as many times as we like. And that means we can do things with frame precision. And right now what we're doing is lining up the object attribute map to be exactly the way we want it to be. There we go, we're good. Unfortunately I think you're going to have to do that every single time.

Okay, so that's a heck with the slides. There's other re-recording frameworks. I made one called NetHack, uh, TAS tools that we've used before. There's Hourglass for Windows things. Everybody's looking at this video anyway. It doesn't really matter. Um, so this was, uh, done with a bsnes core which was very, very accurate. And that's incredibly important because in just one second, look at these visualization boards right here and right there.
That's the actual button presses we're sending to the console. So yes, TASBot plays Super Mario World. Um, yeah, I'm just going to skip all that. We'll come back to that some time. So, TASBot plays Super Mario, what? Oh, oh, I'm sorry. It's Super Mario Brothers in Super Mario. I get it. Um, I said this was a live demo. If somebody wants to come up here, you can definitely play this if you wanted to, uh, except I forgot to bring the controller. Sorry, that won't work so well. Um, this is fully playable.

So we took Super Mario Brothers, a game from the original Nintendo, and placed it on the Super Nintendo, which was never designed to have it. So we took a previous console run from here game and programmed it through the controller ports on completely unmodified hardware. Now, this was done by Masterjun, who set up the button presses, and by somebody named p4plus2. And it's a really complex series of events. But there's a really good YouTube video by dotsarecool. Um, uh, that volume is kind of loud, but that's okay. Just ignore it.

Uh, so what you're basically seeing is, uh, he was going back and forth and rearranging objects in the object attribute map to basically write opcodes in RAM in such a way that when we did certain things, it treated the location in memory that the controller is stored in as something it should execute. And it did exactly that. It ran what we put on the controller and allowed us to, well, you can either trigger the credits or you can take it one step further and do crazy stuff.

Um, but that's not, not good enough. This one was, this ran at 184 kilobits per second, which is nice. You know, it's, it's cool, but we can do better and we're going to. So I need, I'll need to restart, which means that it's probably going to mess up the video. Uh, one of the interesting things about the, uh, about the original, uh, consoles is that they are running at a resolution best described as 240p. They played trickery with CRT TVs.
So, um, we have had a lot of trouble getting capture to work. It's actually been a bit of a pain. So I just erased the save game and that's going to prepare me for, uh, doing a, uh, another run. Let's see. All right, here we go. So this is the same game and this time, oh good, the video isn't rolling right off the top. Okay, this is good. If we're lucky it'll, it'll stick with us unless we can switch consoles.

Um, so this is the exact same game, but if you're able to see it, you'll notice that the video is, is going to be using slightly different technique. This is a different exploit than the first one. Yes, there are more than one, there's more than one way to blow up Super Mario World. Um, and this one is going to use a slightly different technique.

So, one of my earlier slides I was talking about, uh, the different devices that we have. Well, the newest device we have is from, uh, is a board called, uh, TASLink board and has a very high data rate. The previous boards made by somebody named true, who's actually a DEF CON regular, uh, true's board was able to hit 184 kilobits per second, uh, based on his, uh, multi replay board. This one is using an FPGA from Papilio and we're able to achieve data rates of, uh, much higher than that, which you'll see here in a second as soon as he gets done screwing around with a Chargin' Chuck. Right about here. I love the scene right here. Just, just watch what he does to this Chuck. This is an image that was written to the console at 900 and I want to say 920 kilobits per second. Um, keep in mind that the maximum rate that these consoles usually ran at was about three, I'm sorry, about 480 bytes per second. And that was like, at most. So for us to shove that much data through it is, is kind of impressive. I'm, I'm amazed that this console manages to hold up.

Um, I need to actually back up a little bit and, uh, cover a few things that I skipped over. So I'll just go to here. Uh, there were a bunch of early console devices.
Uh, true was the first person to attach a, a console and, uh, and get, get it to, to do button presses. And it's actually a very simple protocol, especially for the original Nintendo. And one of the things I was going to talk about during the original video I planned, there's only five wires. There's just five volts and ground. There's a latch wire that says latch, hey controller, I'm about to ask you what buttons you're pressing. Clock, give me the first button, is A being pressed? Uh, one or high voltage if yes, none or zero for no. And the only other line is a serial data line out from the controller sending that information back to the console. So what this guy here does is pays attention to that, that feed and sends appropriate responses.

So the first device that this was tested with was all the way back in 2009 and a board from true. But in 2011, somebody, micro500, who built also this, this TASLink board, micro500 made a device called the NESBot that, based on a breadboard, you can see here in the lower, lower corner, that was able to complete Super Mario Brothers 1. And it was used at one of the very early Summer Games Done Quick events to complete Wizards and Warriors 3 and Super Mario Brothers 2, although somewhat comically. And by the way, that what you see on the screen, if I know it's really tiny, but there's just a very few number of people in the audience. This was one of the early Summer Games Done Quick events that didn't have very many people. Now this room would be looking a little bit more like DEF CON here.

But there were a couple of other boards. There was a Droid 64 bot that could do N64 games and micro500 made one of his own in 2012 using a Propeller board. But the TASBot, this, this guy here, a R.O.B. holding a random device with Legos on it. That kind of happened a little bit later.
So in 2013, we had an opportunity to, to again go to Summer Games or Awesome Games Done Quick and present, and true built a device from scratch based on a Microchip device. And it was, it was a very, very good device in the sense that it was streaming capable, very inexpensive, a little bit fidgety with wiring because of the punch down, of the screw down blocks that we used. And it had somewhat limited data rates, but we were able to do some really impressive things on that. One of the first things we did was a Snake and Pong on top of Super Mario World.

Well, I took a, I eventually, this was like the first prototype, I just zip-tied them together. I took some, some Legos, eventually shoved them together and I called it Robberry Pi because at that point it was being fed by a Raspberry Pi. Posted this run on Awesome Games Done Quick saying, hey, I want to, want to go to the event. And immediately Mecha Richter says, hey, I want to see some of that TASBot action, exploded. I never called this guy TASBot. It just happened. So TASBot is nothing more than a R.O.B. robot from the 1980s that was shipped with the original Nintendo console so that it didn't look like an old Atari video game console, with some Legos and a replay device. And that's pretty much it.

Now the multi replay device is what I mentioned earlier that was capable of putting Super Mario Brothers inside of Super Mario World. And there was also some other really interesting developments. There's a Game Boy player player and there's one I haven't mentioned here that's able to play DS games. So we already went through all of this. I'm going to fast forward. But I really want to. Oh, and by the way, the faster data rates also allowed us to play Super Mario Brothers 1, 2, 3 and Lost Levels at the same time with the exact same sequence of button presses, completing at about the same second. It was really quite impressive. Very, very crazy. We just did that a few weeks ago at Summer Games Done Quick.
So I want to step back for a bit. I don't know how I'm doing on time. Okay, I'm doing all right. I'm actually doing just fine on time. I want to really step through and go in a deep dive into one of these exploits and really break it down so that you kind of understand some of the sequences we go through.

So I'm going to start with a game called Pokemon Red. Now, Pokemon Red is a really broken game. You'll see how broken, like it's really broken. But a handheld Game Boy is kind of difficult to wire into. Now we've done it, but it's not exactly a lot of fun. So this is a Super Game Boy cartridge. This has an entire Game Boy processor, a Z80 processor, code-named DMG, inside of this cart. And it communicates with the Super Nintendo and allows us to, oh great, right when I need to swap video and I don't know where he went. All right, well I hope it works. So that allows it to use the controllers, which is great for us. It means I don't have to touch anything.

Now I have a wire here. And this wire is kind of an interesting little thing. There we go. All right, that's already full of bake. This wire has a little expansion board connector. On the underside of the console there is this not very often used expansion board. They eventually used it for a cancelled project that connected the CD drive to this thing, but it was never really implemented. Now we're using it because it exposes a reset pin that we kind of want to play with. A play with. Yeah, I'll go with play with.

So, and hopefully my video signal stays. Any luck? Yay. All right, we're good. And we don't really need a lot of audio for this one. It's, there's not really, I like the game audio, but I've got to tell you, when I was testing this I listened to it over and over and over again and I got really tired of it. So what's happening right now? We're going to delete the contents that was there previously. And there we go. And we're going to start a new game and we're going to set very specific parameters.
So unfortunately, it's kind of slow menuing. It takes a while to get there. So I'll kind of explain it in advance. We're going to name the player's character Red. And we're going to name the rival a very unusual name. We're going to name him RxRxPK. There's actually a PK symbol. And the reason we do this is we need to pre-set up certain memory values to be in our advantage that we'll be using again later. So he said, yeah, we're about to start our adventure. Except we're not going to bother getting very far into it before we save.

So we're going to save and bam. So what we just did is we reset while we were saving the game. Now I don't need this wire anymore so I'm going to pull it out. That allowed us to write a completely valid game header that said, yes, your player's name is this, your rival is this. You have, wait, how many Pokemon did we have? Oh, we left FFs in there. Oh, well. So you can kind of see where we're going here.

All right. So now we're going to start and load the save game we just used. So again, this is kind of slow. It'll take a little while to get here. I'm going to get it. I'm going to get ahead of myself because this section goes rather quickly. There's just a lot to explain. So what we're going to do is load the save game we just created and it is a valid save game. But the list of how many Pokemon we have says we have 255 long. And that allows us to go beyond the area of memory we would normally be able to go to. And right here, you'll see we swapped Pokemon over the area of memory that contains our items. Now that means that we have to do a couple of other switches so that we don't crash the game, by the way, but I'll get to that in a second.

That means that we can now delve into our item list. And you can see here there are some items that are stored as a two-byte pair, one byte to say what the item's name is and one byte to say what the quantity of it is.
So we just tossed, well now we're switching where items are to move them in memory, but we just tossed some of an item. We're going to do it here. So TM25, we're going to toss 24 of those. Well, whatever value we started with in memory, we've just thrown out a bunch of items and we've reduced that memory by 24 in RAM. So this allows us to directly manipulate memory, but we can only manipulate every other byte. Fortunately, if we go back and swap Pokemon like we're doing right here, it offsets memory by an odd number. So what used to be an identifier is now a value, or a quantity value that we can then throw away.

So now we can write everything in memory, but we have to be very careful because some items, if you throw them away, every item of that category, you can never touch again. Some items, if you throw them away, will crash the game. And some items will crash the game simply if you look at them. Not so helpful.

So there's also another thing that we're doing here. We're obviously writing bytes in memory in order to, in order to create a routine that will allow us to read from what's on the controller and store it in memory. The problem is the Super Game Boy cancels up and down and left and right. So if you try to press both, both those buttons at the same time, they just get zeroed out. So to get around that, the routine we're writing right now, we're literally writing a program as you see. It reads, stores it in memory, reads again, stores it in memory, does a subtract between the two, stores the result in RAM in one position and then keeps writing in one after another. And when it gets to the end, it writes over a jump sequence to go execute what it just wrote. And what it's writing right now, which you'll be able to see on these visualization boards, is a rather substantial payload. And it takes quite a while to write it all.

So anybody recognize that? Has anybody ever been to twitch.tv? Well, get your smartphones ready. This is the live demo part.
This is the part I like the most. Ooh, you know, it really, really helps. So it really helps if you actually have an internet connection when you try this. So we have to take a quick pause and hope that this cable reaches without causing anybody too much pain. So yes, we really are going to connect a 25-year-old console to the internet. And you get to ask your Q&A over the chat session if it works. Nice. We've already got some action here. All right, somebody typed something and it will appear on the screen. I assure you.

So what you need to do is, let me quickly get here. I will actually type out the address. Oh, you can't type URLs and there's a swear filter on here. Have fun defeating that. It can be hacked. This code is all on PPT IRC on Git. You can find the swear filter in there and defeat it to your heart's content. This is DEF CON. Have fun. Knock yourselves out.

So here's what we're going to do. I'm going to talk about a couple other things. See if I can find the channel that everybody is in. I know I've got it in here somewhere. There it is. Oh, wait a minute. I know what's happening. We're playing back a screenplay because I never moved the file over. So what you're actually seeing on screen, because I couldn't see it on down here, you're seeing the exact text that we put on screen at Awesome Games Done Quick 2015. It was an entire screenplay of conversation. I'm just going to let it run because it's actually kind of stupid, poorly written and hilarious. I had my own script of things I was supposed to say and it never did because it was just too awkward.

So yes, we did a full article on this on the, in the journal Proof of Concept or Get the Fuck Out. I didn't name the article journal article, but the journal is absolutely fantastic. You can find a full write-up written by myself, Ilari, the author of the emulator, and p4plus2, the author of the chat interface, at PoC||GTFO issue 10. Just search Google for that. It's mirrored all over the place.
It is, there's a lot more details than what I covered here. By the time we get done doing all of this, we escape the Super Game Boy. We tell the Super Game Boy that we want to execute something in the Super Nintendo's memory space and it lets us do it because there's actually a, there's a command that lets you do that. There were only, there's only one or two games that ever actually took advantage of that feature, but that's there.

Once we get to the Super Nintendo, we're no longer limited to one byte per frame. In fact, we were at one point only able to enable the frame because we had to subtract them together to get around the button limitations. So what we ended up doing is after we get to the Super Nintendo, we get to a data rate of two bytes per controller and we tell it, oh, you actually have a multitap attached. So you have two controllers on the first controller port and two on the second. So you get eight bytes per frame and 60 frames per second. So it gets us about 480 bytes a second if I did my math right. But that still wasn't enough. So we told it, oh, and don't just read once per frame. Read eight times per frame, 60 times a second. So that gets us to a data rate of 3.8K per second or so.

Oh, four, four. Well, we're in somewhere. I just don't know where we're at. Oh, yeah. There's me. I just typed test and it worked. So there's all kinds of crazy going on, but that's OK. This is going to be at the end of the pre-recorded input in just a second here. While that's playing through, there's so many more details of this. There's a block loader we program in afterwards. It's just a really, really intense, technically challenging process that we had to go through to do this. Did FrankerZ come through? Wow. So it looks like because I ran the wrong script, it's getting some characters out of order, like hilariously out of order. Hack the planet, huh? Uh, that's like hilariously funny. This wouldn't be a live demo without things failing. So let's keep going.
So this is my call to action. If you want to join in on the fun, you can go to twitch.tv/dwangoAC. I am going to go ahead and, well, that's a lot of FrankerZ. Twitch the twitch. Well, it's a little bit, a little bit messed up, but I can at least see it on my screen here, even if it's not completely correct there. Oh, well, go ahead and ask any Q&A questions you have in the chat. So again, you can go to twitch.tv/dwangoAC. Subscribe while you're there if you like, I don't care.

But there's one other thing I want to talk about. We recently found a very, very interesting glitch in Super Mario Brothers 3 that I wish I could show you on the real console. What we found out is that it is possible to go from boot to the ending of the game in literally 16 frames. I'm not kidding, it does take quite a few button presses per second to do it, and it doesn't exactly treat the palettes very nicely. Not everything gets loaded into RAM, but it is a valid completion of the game. It properly goes to the end credits. So this happens because of an interesting choice they made. 10 minutes? Got it.

So when they released this Nintendo hardware, the original NES in America, they had a problem. They released the hardware and then discovered that if a game used DPCM audio and the controller was asked for what values it was holding at the same time, that there was a collision on the bus and the controller input may or may not be dropped. So to get around it, they asked the controller for input. Two milliseconds later, they asked the controller for input again. And if it's different, they ask again. And if it's different from the previous, they ask again. And if it's different from the previous, you can kind of see where this is going, right? Infinitely. This allowed us to keep giving the console a different response for what buttons we were holding every other time that it asked for input.
And eventually, it tied it up until the next frame's processing started for the raster input that displays a status bar at the bottom of the screen. And it was still doing this, that we were still keeping it busy with this other loop. So what ends up happening is it drops execution right at the bottom of the stack and slides across a series of breaks and no-ops directly into the addresses where the controller data is stored. So on the second frame, instead of screwing with it and giving it different input, we correctly give it input like it's expecting. The first byte is stored as an opcode in memory, or is stored as a byte in memory and treated as an opcode. And we type the value that says jump to. And on the second controller, we type the value that says end credits, or the address of the end credits. So in fact, we literally tell it to jump to the end credits, 16 frames or around a quarter of a second after starting the game.

Now, this is possible because of tools like Binary Ninja. And I had plans to do a full demo and I'm being told I've only got 10 minutes, so I'm kind of running out of time there. But Binary Ninja is definitely a lot more flexible than IDA because there's some ability to add in other mappers. It can handle the 6502. It can show all kinds of useful things. We were able to find the actual program code where the controller was being polled and figure out what it was doing and find the exploit.

So am I cheating? No, I'm not really cheating. I'm just looking for technical challenge and visual entertainment, and all of us are. I'm the presenter. I'm the organizer of the Games Done Quick events. But this is so much more difficult than anything I could do on my own. There's one person who's really good at hardware. There's one person that's really good at emulation. There's one person who's really good at making the actual replay movie files. There's one person who's a really great glitch finder. It takes a lot of different people. And why do we do it?
Because we've been able to raise over $200,000 for charity between the five different events we've done at Games Done Quick events. And just this summer, yeah. That's really what motivates us. Just this summer we had an hour block of time at Summer Games Done Quick 2016. And in an hour we raised $40,000 for Doctors Without Borders and the marathon as a whole raised $1.3 million. And that's a huge success.

So I'd like to thank micro500. He made the TASLink board here. Ilari made the lsnes emulator and also heavily contributed to the block loader and a lot of other things that worked for Pokemon Plays Twitch, which is what you're seeing here. This is Pokemon Red playing a Twitch chat. p4plus2 wrote that actual Twitch chat. Masterjun is the one that figured out the exact sequence of orders of placing everything. true, of course, made the earlier devices. total is the one that found the Super Mario Brothers 3 glitch. psifertex is behind, and Rusty are behind Binary Ninja. ais523 helped with the DPCM glitch info. And was hugely helpful in getting these slides put together and helped in the proof of concept article. Greenfly helped me set up today. There's a lot of other people at TASVideos.org that I don't even have remotely enough time to mention.

So now, let's see if there's actually any sanity in this chat and see if there's an actual question I can answer. It's Twitch. It's Twitch. No, I am Error. Gun cap up. So if you do want to ask a question, I have exactly five minutes, I believe? Five minutes? Wow, somebody's got some potty now. Pretty good latency. Yep, I imagine. How many viewers do I have now? Anyway, I'm just looking. I'm looking at Twitch chat via IRC because that's how the bot works. Let's see, are there any serious questions? Have you ever seen a zombie come to tea? No. That's a very interesting. Is this easy mode? Not exactly. What's your favorite sandwich? I have no idea. Probably chicken pesto. What the heck?
Okay, when I said Q&A, I meant Q&A about like this. Drinks later. Yes! Drinks later, definitely. I'll be standing over there. I'm gonna need one after this talk. Do I know what I am doing? No, sort of. Are they under the truck? How does the bot work with timing? Okay, this is a very good question. This is the first serious question I've seen. So on the original Nintendo, I mentioned that it actually asks for input more than once per frame because it has to make sure that it's not running into this DPCM glitch. On many games, not all but many, any that use DPCM audio. So that means that we have to put it in a windowed mode and we have to ourselves keep track of which frame we're on. And in fact, that's the secret to all of these runs anyway, is a tool-assisted speed run, which is typically run on an emulator rather than on the original hardware, is nothing more or nothing less than a series of button presses showing every frame's worth of input, one frame after another. So we're able to convert that to run on a console, but we do have to pay attention to the little nuances that the console is going to ask more than once. So we have to keep track of which frame we're on and send it only the right input. Save or kill the animals. TASBot always kills the animals. If any of you guys know what that reference is. So there's save the frames or save the animals or vice versa. At GDQ events, they always play Super Metroid with usually a two to four player race and inevitably there's up to $200,000 contributed of people watching and donating on either side for a donation incentive. If they decide to kill the animals because more donations went to that, they bypass going to release some animals that are trapped on the planet before they leave the game, which is faster and saves frames. If they have to save the animals, that wastes time. Can you use this for malicious use? Yes, that's the whole point. 
In fact, one of the reasons that we wanna do this, and I'm gonna see if I can find this, I'm gonna have to go back like crazy because I've got so many slides here. The primary point I actually wanted to make and I'm really glad that somebody reminded me of this is that the difference between the tool-assisted speed run community and the InfoSec reverse engineering community really isn't that substantial. A save state in an emulator is nothing more than a VM snapshot. A glitch is just a vulnerability waiting to be exploited. An arbitrary code execution is doing just that. Console verification in a lot of ways, it's kind of like an evil maid attack. We're acting like a normal controller but we don't exactly have the best intentions. So a tool-assisted speed run because the emulators have so many tools to be able to step forward, look deep into memory, look at all the aspects of the CPU registers, every last iota of what's going on and the ability to try things over and over again, it is a fantastic place to start looking for glitches in games and start looking for and refining techniques for reverse engineering. So I encourage you, go to tasvideos.org, check that out. I'm just gonna hold this down until I get to the end. If there's one last serious question, I might answer that, but I have a funny feeling there's not gonna be much. Where can I catch Mewtwo? I have no idea. More games soon, yes. We'll be doing another round at Awesome Games Done Quick 2017. More information at gamesdonequick.com. And I think I'm just gonna wrap up with this last question. How do you mine for fish? What the heck? Do I play Pokemon Go? No, I don't, but I think it would be really funny if TASBot did. Let's see. Have you used TASes to fuzz? Sort of, not really. We'll get back to you on that. Can I, can you do something useful? Yes, I can do lots of useful things. He can do all kinds of, he can beat games really fast when everything works technically. 
What is my favorite TASBot exploit? I have to say it's gotta be this one. I mean, I know it's kind of, other future console, I mean it's kind of, DEF CON is great now. Can we all agree on that? All right. Yeah, Pokemon Plays Twitch by far is my favorite. I actively was involved in making the movie for that and had a deep part in the technical aspects of that. So definitely my favorite. Hey, I wanna thank everybody for participating. I'll leave the chat up. You guys can continue to talk. Thank you very much.