nesfuzz/README.md

# nesfuzz 

nesfuzz is a fuzzer for Nes Games by [@SarahJamieLewis](https://twitter.com/sarahjamielewis)

nessfuzz built on top of the [nestur](https://github.com/spieglt/nestur) emulator by [@spieglt](https://github.com/spieglt).

## Usage & Methodology 

To begin fuzzing you will need a rom file, and a sample input file. For sample inputs see [TasVids](http://tasvideos.org/).

`nessfuzz <rom> <tas file>` 
`nessfuzz smb.rom happylee-supermariobros,warped.fm2`

nesfuzz uses the same input to see novel RAM configurations and search the possible input space. It will also
tile 28 (by default), windows to allow you to see the fuzzing happen.

![](./fuzzimages/screenshot.png)

## Parameters

Found at the top of `main.rs` a few parameters control the types and effectiveness of fuzzing.

    // The number of cpu instances to spawn..
    const NUM_THREADS: usize = 28;
    
    // The number of frames to fuzz and process
    // A small number exploits the current point more at the expense of
    // large exploration - and vice versa.
    const FRAMES_TO_CONSIDER: usize = 400;
    
    // Same input should generate the same output...
    // (I make no guarantee of that at the moment)
    const RNG_SEED: u32 = 0x5463753;
    
    // If set to a low number, this disables start presses after the given frame
    // Useful for some games where pausing does nothing to advance the game...
    const DISABLE_START_PRESSES_AFTER: usize = 50;
    
    // The rate at which seed inputs become corrupted..
    const MUTATION_RATE: f64 = 0.1;
    
    // The rate at which seed inputs may become soft resets..
    const MUTATION_RATE_SOFT_RESET: f64 = 0.000;


## Known Issues

The only game that really works as expected is Super Mario Bros. with the `happylee-supermariobros,warped.fm2` input.
This is probably because of issues in the underlying emulator / differences in the expected behaviour of the system the
tas inputs are produced for v.s. the emulator.

Other games like Legend of Zelda, Megaman, Super Mario Bros. 3, Final Fantasy II etc. will run, but I have had any
tas inputs from them quickly become out of sync with the actual gameplay. Further research is needed to as to why
that is. Help appreciated.
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`# nesfuzz`
init 2019-11-12 00:04:07 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nesfuzz is a fuzzer for Nes Games by [@SarahJamieLewis](https://twitter.com/sarahjamielewis)`
init 2019-11-12 00:04:07 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nessfuzz built on top of the [nestur](https://github.com/spieglt/nestur) emulator by [@spieglt](https://github.com/spieglt).`
readme 2020-01-03 00:00:18 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`## Usage & Methodology`
working on drag and drop to load games 2020-03-01 20:17:09 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`To begin fuzzing you will need a rom file, and a sample input file. For sample inputs see [TasVids](http://tasvideos.org/).`
multiple state saving and loading working 2020-03-01 18:36:34 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nessfuzz <rom> <tas file>`
			`nessfuzz smb.rom happylee-supermariobros,warped.fm2`
multiple state saving and loading working 2020-03-01 18:36:34 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`nesfuzz uses the same input to see novel RAM configurations and search the possible input space. It will also`
			`tile 28 (by default), windows to allow you to see the fuzzing happen.`
readme 2020-03-02 00:38:31 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`![](./fuzzimages/screenshot.png)`
readme 2020-03-02 00:38:31 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`## Parameters`
readme 2020-03-02 00:38:31 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			Found at the top of `main.rs` a few parameters control the types and effectiveness of fuzzing.
experimenting with more mappers, nametable adjustment, four screen mirroring 2020-01-16 01:27:53 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`// The number of cpu instances to spawn..`
			`const NUM_THREADS: usize = 28;`

			`// The number of frames to fuzz and process`
			`// A small number exploits the current point more at the expense of`
			`// large exploration - and vice versa.`
			`const FRAMES_TO_CONSIDER: usize = 400;`

			`// Same input should generate the same output...`
			`// (I make no guarantee of that at the moment)`
			`const RNG_SEED: u32 = 0x5463753;`

			`// If set to a low number, this disables start presses after the given frame`
			`// Useful for some games where pausing does nothing to advance the game...`
			`const DISABLE_START_PRESSES_AFTER: usize = 50;`

			`// The rate at which seed inputs become corrupted..`
			`const MUTATION_RATE: f64 = 0.1;`

			`// The rate at which seed inputs may become soft resets..`
			`const MUTATION_RATE_SOFT_RESET: f64 = 0.000;`
experimenting with more mappers, nametable adjustment, four screen mirroring 2020-01-16 01:27:53 +00:00
init 2019-11-12 00:04:07 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`## Known Issues`
Update README.md 2020-01-07 04:45:42 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			The only game that really works as expected is Super Mario Bros. with the `happylee-supermariobros,warped.fm2` input.
			`This is probably because of issues in the underlying emulator / differences in the expected behaviour of the system the`
			`tas inputs are produced for v.s. the emulator.`
readme 2020-08-09 17:16:08 +00:00
Initial Commit of nesfuzz 2021-11-22 07:20:04 +00:00			`Other games like Legend of Zelda, Megaman, Super Mario Bros. 3, Final Fantasy II etc. will run, but I have had any`
			`tas inputs from them quickly become out of sync with the actual gameplay. Further research is needed to as to why`
			`that is. Help appreciated.`