First-Ever Arbitrary Code Execution Glitch Found in Super Mario Bros. After 40 Years


Anonymous
Unknown date

Four decades in, you'd be forgiven for assuming the well had run dry on Super Mario Bros. secrets. It hadn't. A months-long collaborative investigation led by Kosmic — arguably the most accomplished Super Mario Bros. speedrunner alive — has produced the first known instance of Arbitrary Code Execution in the 1985 NES original. Using nothing but a controller, the team can now hijack the game's CPU and feed it instructions they wrote themselves.

A Random Crash That Wouldn't Stay Random

The trail started on X, where user @LuigiSidekick was streaming clips from a documented playthrough of Super Mario Bros.: The Lost Levels (known in Japan as Super Mario Bros. 2J) on Nintendo Switch Online. He already had a reputation for bumping into weird engine corners — earlier in the same run he'd managed to despawn a moving platform in 7-2. But the moment that mattered happened in 8-4, the final level, deep inside its looping maze. He made his way through as usual and the game simply crashed.

It looked like a Switch Online hiccup. To the SMB community it read as something else entirely. NES games don't crash on a whim: if the 6502 locked up, execution had been sent somewhere it was never meant to go, and that almost always means a write landed somewhere it shouldn't have. Community member Takuika Ninja flagged the clip as promising, and Simplistic began reverse-engineering what had actually happened.


The Bug at the Bottom of It

What Simplistic found is the kind of engine oddity that only exists because cartridge-era developers counted cycles, not safety nets. Super Mario Bros. tracks active enemies and objects using two parallel lists: an occupancy-flag list and an enemy-ID list. There are five normal object slots plus a sixth "special" slot reserved for power-ups and flagpoles.

Two enemies in the game take up more than one slot: long fire bars, and Bowser. The second half of one of those multi-part enemies writes a marker byte, 84, into the next free slot, which the game finds by scanning the occupancy list for a zero. If every slot is already full, including the special slot, the scan never finds a zero inside the list, and the 84 walks off the end of it.

The first time it overflows, the scan stops at an unused byte sitting between the two lists, and the 84 lands there. Harmless. The second time it happens in the same state, that cushion byte is no longer zero, so the scan skips straight over it and stops at the first zero inside the enemy-ID list: the slot occupied by a green Koopa, whose enemy ID is 0. The 84 overwrites that ID.

From there the game does exactly what it was written to do: it takes the enemy ID (which now reads 84) and uses it as an index into a jump table. The real table has 36 entries. Index 84 reads far past the end of it, and the bytes that come back, whatever happens to follow the table in the game's code, are treated as a jump target. The CPU obediently jumps there and begins executing what it finds as 6502 instructions. The table itself is fixed, so the bogus target is deterministic; what makes it exploitable is that the target can land in memory whose contents the player indirectly controls (positions, lives, timers, inputs). That is the door to ACE.
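To make the two-stage overflow and the unchecked table lookup concrete, here is a small C model of the mechanism as described above. This is an added illustration, not code from the game or from Kosmic's team: the list offsets, the marker value 84 taken as the article gives it, the handler addresses and the bytes that follow the table are all assumed, and the out-of-range jump target is only resolved, never executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Schematic model of the object bookkeeping described above. The offsets
 * and the "ROM" contents are illustrative (assumed), not the real SMB layout. */
#define NUM_SLOTS        6     /* five normal slots plus the special slot */
#define OCC_OFF          0     /* occupancy flags: nonzero = slot in use */
#define PAD_OFF          (OCC_OFF + NUM_SLOTS)  /* the unused byte between the lists */
#define ID_OFF           (PAD_OFF + 1)          /* enemy-ID list */
#define RAM_SIZE         (ID_OFF + NUM_SLOTS)
#define MARKER           84    /* value written by the second half of a multi-part enemy */
#define ID_GREEN_KOOPA   0
#define TABLE_ENTRIES    36    /* entries in the enemy jump table */
#define TABLE_BYTES      (TABLE_ENTRIES * 2)    /* 16-bit little-endian targets */
#define ROM_SIZE         (TABLE_BYTES + 512)    /* table plus enough bytes that any 8-bit ID stays in the model */

/* Constructed sample state: every slot in use, and exactly one slot (koopa_slot)
 * holding a green Koopa, whose ID byte is zero. All other IDs are nonzero. */
void setup_full_state(uint8_t *ram, size_t koopa_slot)
{
    memset(ram, 0, RAM_SIZE);
    for (size_t i = 0; i < NUM_SLOTS; i++) {
        ram[OCC_OFF + i] = 1;
        ram[ID_OFF + i] = (i == koopa_slot) ? ID_GREEN_KOOPA : (uint8_t)(0x10 + i);
    }
}

/* The search as the article describes it: walk the occupancy list until a zero
 * byte turns up and write the marker there. Nothing stops the walk at the end
 * of the list, so a full list sends the write into whatever follows it.
 * (With the constructed state above the walk always finds a zero before RAM_SIZE.) */
size_t place_marker_unchecked(uint8_t *ram)
{
    size_t i = OCC_OFF;
    while (ram[i] != 0)       /* BUG: no upper bound on i */
        i++;
    ram[i] = MARKER;
    return i;                 /* where the write actually landed */
}

/* Hardened form: the scan is bounded and a full list is reported, not overflowed. */
int place_marker_checked(uint8_t *ram)
{
    for (size_t i = OCC_OFF; i < OCC_OFF + NUM_SLOTS; i++) {
        if (ram[i] == 0) { ram[i] = MARKER; return (int)i; }
    }
    return -1;
}

/* Build a pretend code region: a 36-entry jump table followed by unrelated bytes. */
void build_rom(uint8_t *rom)
{
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        uint16_t target = (uint16_t)(0x8000 + i * 0x10);   /* assumed handler addresses */
        rom[2 * i]     = (uint8_t)(target & 0xFF);
        rom[2 * i + 1] = (uint8_t)(target >> 8);
    }
    for (size_t k = 0; k < ROM_SIZE - TABLE_BYTES; k++)
        rom[TABLE_BYTES + k] = (uint8_t)k;              /* "whatever bytes sit there" */
}

/* Unchecked dispatch: the ID byte is used directly as the table index. */
uint16_t resolve_target_unchecked(const uint8_t *rom, uint8_t id)
{
    size_t off = 2 * (size_t)id;    /* ID 84 -> offset 168, well past the 72-byte table */
    return (uint16_t)(rom[off] | (rom[off + 1] << 8));
}

/* Checked dispatch: IDs outside the table are rejected instead of interpreted. */
int resolve_target_checked(const uint8_t *rom, uint8_t id)
{
    if (id >= TABLE_ENTRIES) return -1;
    return resolve_target_unchecked(rom, id);
}

int main(void)
{
    uint8_t ram[RAM_SIZE], rom[ROM_SIZE];
    setup_full_state(ram, 2);
    build_rom(rom);
    printf("first overflow lands at offset %zu (the pad byte)\n", place_marker_unchecked(ram));
    size_t hit = place_marker_unchecked(ram);
    printf("second overflow lands at offset %zu (ID byte of slot %zu)\n", hit, hit - ID_OFF);
    printf("unchecked dispatch on ID %u -> $%04X (read from outside the table)\n",
           (unsigned)ram[hit], resolve_target_unchecked(rom, ram[hit]));
    printf("checked dispatch on the same ID -> %d\n", resolve_target_checked(rom, ram[hit]));
    return 0;
}
```

The two `place_marker_*` functions differ only in whether the scan is bounded, and the two `resolve_target_*` functions only in whether the index is range-checked; either check on its own would have closed this particular door, which is exactly the kind of check a cycle-counting 1985 codebase had no room for.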


What ACE Actually Buys You

Arbitrary Code Execution is the speedrunning endgame. Instead of exploiting a specific bug to skip a room or dupe an item, ACE lets a player feed the game instructions they wrote themselves, effectively turning the controller into a way of typing machine code into the console. The famous Pokémon Red and Blue item duplication trick, where a hyper-specific menu dance rewrites memory to multiply inventory, is built on the same kind of memory corruption.

Once a community finds an ACE vector in a game, everything downstream of it tends to break wide open. Warp to the credits? Sure. Spawn a level that doesn't exist? Also on the menu. For a title as studied as Super Mario Bros., it's the kind of discovery that rewrites the map.


Porting the Trick to the 1985 Original

Confirming ACE in The Lost Levels was one thing. Reproducing it on the original Super Mario Bros. — a different ROM with its own memory layout and fewer exploitable enemies — took a second, far longer effort. The standard levels offer only a single long fire bar (in 5-4), which makes the natural overflow chain impossible. The whole setup has to live somewhere stranger.

What the team landed on is a detour through the Minus World — specifically the Famicom Disk System version, which is a genuinely different glitched stage from the more famous NES Minus World. Unlike its NES cousin, the FDS Minus World has real content past the flagpole, including two permanently-loaded Princess Peach objects and a first Bowser who never unloads. Add the star flag parked in the special slot and you already have five object slots locked down before you even start the exploit.

The run also requires Quest 2 to be active — the game's harder second loop, unlocked by beating it once. The fastest way to turn Quest 2 on is to finish the FDS Minus World itself, which is already where the team needed to be. Quest 2 matters because it changes all Goombas into Buzzy Beetles, and that single substitution makes one of the otherwise-impossible AI interactions work. The route also requires playing as Luigi, achieved by dying as Mario in 2-player mode — Luigi opens up extra possible outcome values when the glitch resolves.

From there the chain looks roughly like this:

  • Power up through 1-1 and 1-2 to stock the right items
  • Enter the FDS Minus World and progress past the flagpole, where the two Peach objects and Bowser #1 will permanently occupy four of the six slots
  • Trigger the first overflow on Bowser #1 by killing him with fireballs rather than the lava floor — falling into lava clears all active objects and ruins the setup; fireballs leave the special slot untouched
  • Manipulate a Quest-2 Buzzy Beetle (the one that used to be a Goomba) into turning around and locking into place, filling the slot that blocks a needed Koopa from spawning later
  • Reach Bowser #2, where the second overflow finally lands its 84 byte — this time into Luigi's own action-state variable while he's standing on the ground

That corrupted state byte is then used as an index into a second jump table, and again the lookup reads past the end of it; this time the resolved address lands in the PPU registers, the memory-mapped ports of the NES's picture processing unit, rather than in main RAM. Kosmic's team refers to this whole structure affectionately as "bisected Bowsers": the first Bowser arms the glitch, the second detonates it.


From PPU Chaos to Infinite Time

Jumping into PPU register space is, on paper, a disaster: what the CPU reads back from those addresses depends on what the graphics hardware is doing that frame, and it changes constantly. The team turned that constraint into a feature by leaning on something only the Famicom Disk System can do: reset the console while keeping RAM changes intact (a trick SBDWolf, who previously cracked ACE in Castlevania, suggested). The Disk System matters here because FDS games are loaded from disk into writable RAM rather than executed from a ROM cartridge, so a stray write can corrupt the game's own code, and a reset that preserves RAM preserves the corruption.

With careful timing, a single instruction executed out of PPU-register space corrupts the routine that draws the HUD digits. That same routine is the one that ticks the timer down. Corrupt it in the right way and the timer never decrements: infinite time. The team's reaction on camera, "No way. It never ticks down. This is the infinite time trick we've been looking for.", is one of the video's emotional peaks.

Infinite time comes with its own problem: you also can't finish levels, because the end-of-level sequence counts the remaining time down to zero before it completes, and a timer that never decrements never gets there. The workaround is the hold-A-on-title-screen continue feature, which drops Luigi back at the furthest world reached, the Minus World, so the full chain can run again.

A second corruption target, discovered by 3Creepio and only reachable as Luigi, hijacks the power-up routine. Once that's rewritten, popping a power-up block redirects execution into RAM, and RAM is where the game stores controller state, so carefully chosen inputs can deliver arbitrary 6502 instructions byte by byte. At that point the exploit is a true ACE payload pipeline, confirmed to run on completely original FDS hardware.
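The last hop, turning controller input into instruction bytes, has a hardware constraint worth keeping in mind when building a payload. The following added C example (not from the video or from the team) assumes the game stores a frame's joypad state as one byte with A in bit 7 down to Right in bit 0, the usual NES read order, and that the D-pad cannot report Up and Down (or Left and Right) at the same time, as on a stock controller. It checks two constructed payloads against that constraint; the store addresses in them are placeholders, not real SMB locations.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout of one stored joypad byte: A=bit7, B, Select, Start, Up,
 * Down, Left, Right=bit0. This is the common NES read order; the example
 * assumes the game keeps the byte in that form. */
#define BTN_A      0x80
#define BTN_B      0x40
#define BTN_SELECT 0x20
#define BTN_START  0x10
#define BTN_UP     0x08
#define BTN_DOWN   0x04
#define BTN_LEFT   0x02
#define BTN_RIGHT  0x01

static const char *button_names[8] = { "A", "B", "Select", "Start", "Up", "Down", "Left", "Right" };

/* A stock D-pad is a rocker: Up+Down or Left+Right cannot both be held at once. */
int byte_is_pressable(uint8_t b)
{
    if ((b & BTN_UP) && (b & BTN_DOWN)) return 0;
    if ((b & BTN_LEFT) && (b & BTN_RIGHT)) return 0;
    return 1;
}

/* How many of the 256 possible byte values a stock controller can produce. */
int count_pressable_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++) n += byte_is_pressable((uint8_t)b);
    return n;
}

/* Describe one byte as the buttons that must be held on that frame. */
void describe_byte(uint8_t b, char *out, size_t cap)
{
    size_t pos = 0;
    out[0] = '\0';
    for (int bit = 7; bit >= 0; bit--) {
        if (b & (1u << bit))
            pos += (size_t)snprintf(out + pos, cap - pos, "%s%s", pos ? "+" : "", button_names[7 - bit]);
    }
    if (!pos) snprintf(out, cap, "(none)");
}

/* Check a payload byte by byte; returns how many bytes cannot be pressed. */
int count_unpressable(const uint8_t *code, size_t len)
{
    int bad = 0;
    for (size_t i = 0; i < len; i++) bad += !byte_is_pressable(code[i]);
    return bad;
}

/* Constructed payloads. The addresses are placeholders, not real SMB locations. */
static const uint8_t payload_abs[] = { 0xA9, 0x00, 0x8D, 0x00, 0x03, 0x60 }; /* LDA #0; STA $0300; RTS */
static const uint8_t payload_zp[]  = { 0xA9, 0x00, 0x85, 0x10, 0x60 };       /* LDA #0; STA $10;   RTS */

int main(void)
{
    char buf[64];
    printf("pressable byte values on a stock pad: %d of 256\n", count_pressable_bytes());
    for (size_t i = 0; i < sizeof payload_abs; i++) {
        describe_byte(payload_abs[i], buf, sizeof buf);
        printf("%02X  %-36s %s\n", payload_abs[i], buf,
               byte_is_pressable(payload_abs[i]) ? "ok" : "IMPOSSIBLE on a stock pad");
    }
    printf("STA abs version: %d impossible byte(s); zero-page version: %d\n",
           count_unpressable(payload_abs, sizeof payload_abs),
           count_unpressable(payload_zp, sizeof payload_zp));
    return 0;
}
```

Run it and the absolute-store version shows two bytes that cannot be held on a stock pad (the STA abs opcode 0x8D needs Up and Down together, and the address byte 0x03 needs Left and Right), while the zero-page store avoids both. Choosing encodings whose bytes are physically pressable is the payload author's first job, before any of the frame-precise timing in the rest of the chain.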


Don't Expect the Any% Record to Fall

There's an obvious question — does this topple Kosmic's own sub-five Any% world record? For now, no. The current setup takes roughly 5 minutes and 15 seconds, about 20 seconds slower than a standard Any% run. The equivalent trick in The Lost Levels saved the same 20 seconds, so the structure is there; it just hasn't been optimized yet.

Kosmic has been upfront with outlets including Polygon that the inputs are punishingly precise and would be brutal to land live. If a faster execution is ever found — a Quest-1 path, or a route that skips the power-up collection — ACE could eventually threaten the Any% record, though it would most likely live in its own category rather than compete with traditional runs.

"I guess it's 'for fun,' but it's more so about the achievement of making it possible and solving it. And for example, if you want, you can now access not just the Minus World, but any world or level you want. With no hacks or cheats. It's a glitch that makes anything possible." — Kosmic


The People Who Made It Happen

Kosmic is explicit in the video that this isn't a solo discovery. The core contributors:

  • @LuigiSidekick — original crash in The Lost Levels that kicked everything off
  • Takuika Ninja — spotted that the crash looked like a real exploit, not a console hiccup
  • Simplistic — reverse-engineered the object-list overflow
  • 3Creepio — Quest-2 Goomba-to-Buzzy-Beetle insight and the Luigi-only power-up corruption
  • 100thCoin — PPU expertise; also improved emulator PPU accuracy so tests matched real hardware
  • SBDWolf — proposed the FDS reset trick, pulled from their earlier Castlevania ACE work
  • Luki, Nipsky, Hitskrits — earlier real-time 2J ACE setup that the 1985 work built on

There's a running joke across the video about "this Buzzy Beetle and this Princess who've been ruining our lives for months," which captures the rhythm of the whole project: near-misses, reversed assumptions, and one very specific enemy doing critical work at one very specific frame.


Why It Matters

Super Mario Bros. now joins the short list of classics — Pokémon Red/Blue, Super Mario World, Ocarina of Time — that have been cracked open to the point of running player-written code. That changes what future runners can search for. Faster ACE triggers, new category splits, memory setups nobody had reason to look at before: all of it is suddenly fair game.

It's the first meaningful push against the theoretical ceiling of this game in roughly fifteen years. Forty years on, the speedrun scene just found a new room in a house it thought it had fully mapped.

TAGS: speedrunning, glitches, news, super-mario-bros, ace, nes, kosmic