nesfuzz/README.md

# nesfuzz 

nesfuzz is a fuzzer for Nes Games by [@SarahJamieLewis](https://twitter.com/sarahjamielewis)

nessfuzz built on top of the [nestur](https://github.com/spieglt/nestur) emulator by [@spieglt](https://github.com/spieglt).

## Usage & Methodology 

To begin fuzzing you will need a rom file, and a sample input file. For sample inputs see [TasVids](http://tasvideos.org/).

`nessfuzz <rom> <tas file>` 
`nessfuzz smb.rom happylee-supermariobros,warped.fm2`

nesfuzz uses the same input to see novel RAM configurations and search the possible input space. It will also
tile 28 (by default), windows to allow you to see the fuzzing happen.

![](./fuzzimages/screenshot.png)


## Parameters

Found at the top of `main.rs` a few parameters control the types and effectiveness of fuzzing.

    // The number of cpu instances to spawn..
    const NUM_THREADS: usize = 28;
    
    // The number of frames to fuzz and process
    // A small number exploits the current point more at the expense of
    // large exploration - and vice versa.
    const FRAMES_TO_CONSIDER: usize = 400;
    
    // Same input should generate the same output...
    // (I make no guarantee of that at the moment)
    const RNG_SEED: u32 = 0x5463753;
    
    // If set to a low number, this disables start presses after the given frame
    // Useful for some games where pausing does nothing to advance the game...
    const DISABLE_START_PRESSES_AFTER: usize = 50;
    
    // The rate at which seed inputs become corrupted..
    const MUTATION_RATE: f64 = 0.1;
    
    // The rate at which seed inputs may become soft resets..
    const MUTATION_RATE_SOFT_RESET: f64 = 0.000;


## Future Extensions

Right now novelty is driven by the hamming distance of the ram of the cpu compared to observed values. You can get
better performance by changing the novelty to focus on specific values / be more game specific.

There are also a number of possible extensions in the replacement algorithm. Right now the fuzzer makes no
attempt to "lock-in" good paths and so the engine is likely to reconsider all past values. This leads to the
queue of inputs growing without bound (eventually causing the application itself to be refused memory from the kernel).


## Emulator Tests

### CPU Timing Test

Pass

### Sprite Hit

| Test Name | Current Status |
|-----------|----------------|
| 01.basics.nes| Pass | 
| 02.alignment.nes| Pass|
| 03.corners.nes | Pass|
| 04.flip.nes| Pass|
| 05.left_clip.nes| Pass|
| 06.right_edge.nes| Pass|
| 07.screen_bottom.nes| Fail #4 - `y=255 should not hit`|
| 08.double height.nes| Pass |
| 09.timing basics.nes| Pass|
| 10.timing order.nes| Pass|
| 11.edge_timing.nes| Pass|
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`# nesfuzz`
init 2019-11-12 00:04:07 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nesfuzz is a fuzzer for Nes Games by [@SarahJamieLewis](https://twitter.com/sarahjamielewis)`
init 2019-11-12 00:04:07 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nessfuzz built on top of the [nestur](https://github.com/spieglt/nestur) emulator by [@spieglt](https://github.com/spieglt).`
readme 2020-01-03 00:00:18 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`## Usage & Methodology`
working on drag and drop to load games 2020-03-01 20:17:09 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`To begin fuzzing you will need a rom file, and a sample input file. For sample inputs see [TasVids](http://tasvideos.org/).`
multiple state saving and loading working 2020-03-01 18:36:34 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nessfuzz <rom> <tas file>`
			`nessfuzz smb.rom happylee-supermariobros,warped.fm2`
multiple state saving and loading working 2020-03-01 18:36:34 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nesfuzz uses the same input to see novel RAM configurations and search the possible input space. It will also`
			`tile 28 (by default), windows to allow you to see the fuzzing happen.`
readme 2020-03-02 00:38:31 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`![](./fuzzimages/screenshot.png)`
readme 2020-03-02 00:38:31 +00:00
Parameter Clean up, Single Shot Mode, Export stub 2021-11-22 22:45:52 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`## Parameters`
readme 2020-03-02 00:38:31 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			Found at the top of `main.rs` a few parameters control the types and effectiveness of fuzzing.
experimenting with more mappers, nametable adjustment, four screen mirroring 2020-01-16 01:27:53 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`// The number of cpu instances to spawn..`
			`const NUM_THREADS: usize = 28;`

			`// The number of frames to fuzz and process`
			`// A small number exploits the current point more at the expense of`
			`// large exploration - and vice versa.`
			`const FRAMES_TO_CONSIDER: usize = 400;`

			`// Same input should generate the same output...`
			`// (I make no guarantee of that at the moment)`
			`const RNG_SEED: u32 = 0x5463753;`

			`// If set to a low number, this disables start presses after the given frame`
			`// Useful for some games where pausing does nothing to advance the game...`
			`const DISABLE_START_PRESSES_AFTER: usize = 50;`

			`// The rate at which seed inputs become corrupted..`
			`const MUTATION_RATE: f64 = 0.1;`

			`// The rate at which seed inputs may become soft resets..`
			`const MUTATION_RATE_SOFT_RESET: f64 = 0.000;`
experimenting with more mappers, nametable adjustment, four screen mirroring 2020-01-16 01:27:53 +00:00
init 2019-11-12 00:04:07 +00:00
Parameter Clean up, Single Shot Mode, Export stub 2021-11-22 22:45:52 +00:00
			`## Future Extensions`

			`Right now novelty is driven by the hamming distance of the ram of the cpu compared to observed values. You can get`
			`better performance by changing the novelty to focus on specific values / be more game specific.`

			`There are also a number of possible extensions in the replacement algorithm. Right now the fuzzer makes no`
			`attempt to "lock-in" good paths and so the engine is likely to reconsider all past values. This leads to the`
			`queue of inputs growing without bound (eventually causing the application itself to be refused memory from the kernel).`

Emulation Fixes 2021-11-23 06:44:32 +00:00
			`## Emulator Tests`

			`### CPU Timing Test`

Remove note about player 2 controller. As this now works as expected. 2021-11-23 17:50:13 +00:00			`Pass`
Emulation Fixes 2021-11-23 06:44:32 +00:00
			`### Sprite Hit`

			`\| Test Name \| Current Status \|`
			`\|-----------\|----------------\|`
			`\| 01.basics.nes\| Pass \|`
			`\| 02.alignment.nes\| Pass\|`
			`\| 03.corners.nes \| Pass\|`
			`\| 04.flip.nes\| Pass\|`
			`\| 05.left_clip.nes\| Pass\|`
			`\| 06.right_edge.nes\| Pass\|`
			\| 07.screen_bottom.nes\| Fail #4 - `y=255 should not hit`\|
			`\| 08.double height.nes\| Pass \|`
			`\| 09.timing basics.nes\| Pass\|`
			`\| 10.timing order.nes\| Pass\|`
			`\| 11.edge_timing.nes\| Pass\|`