%n Bug, technically known as M.U.G.E.N's Uncontrolled Format String Attack, is an exploit in WinMUGEN that allows a character to write arbitrary data to an arbitrarily specified location. It was one of the first exploits abused within the engine.
Exploit Details[]
This exploit takes advantage of, as implied by its technical name, a string format specifier in the routine WinMUGEN uses to parse the DisplayToClipboard/AppendToClipboard text strings, sprintf. One of these format specifiers, %n or %hn, can be used to write data into predetermined memory regions.
Initially, it was used for the sake of simulating the pressing of debug keys, such as F1 to set an opponent's life to 0 and F5 to cause the match to end through the timer reaching 0. As time passed, it began to be used to write arbitrary code for other exploits, such as the %f bug or Void method, to execute. Modern nukes also use a variant of this bug in 512-Overflow states to adjust their own data at a region of interest, such as Alive or ParentID, for the sake of impersonation and more consistent ParentChange at a smaller filesize cost; this use case is known as "Persistent Byte Tampering."
1.0/1.1[]
M.U.G.E.N 1.0 and higher perform a format string control when parsing the DisplayToClipboard/AppendToClipboard state controllers, which causes this exploit to no longer work. In addition, attempting to circumvent this control through the use of %%n will consistently result in a crash due to it being disabled during compilation.